feat: add *arr (#61)
* feat: add cockpit to all servers * hacing * feat: *arr bones * feat: add docker versioning --------- Co-authored-by: Truxnell <9149206+truxnell@users.noreply.github.com>
parent
14e1aa9300
commit
c4e7e0215b
21 changed files with 891 additions and 35 deletions
13
.github/renovate.json5
vendored
|
@ -3,6 +3,7 @@
|
|||
"extends": [
|
||||
"github>truxnell/renovate-config",
|
||||
"github>truxnell/renovate-config:automerge-github-actions",
|
||||
"github>truxnell/nix-config//.github/renovate/autoMerge.json5",
|
||||
],
|
||||
|
||||
"gitAuthor": "Trux-Bot <19149206+trux-bot[bot]@users.noreply.github.com>",
|
||||
|
@ -13,7 +14,19 @@
|
|||
"nix": {
|
||||
"enabled": "true"
|
||||
},
|
||||
|
||||
"lockFileMaintenance": {
|
||||
"enabled": "true"
|
||||
},
|
||||
|
||||
{
|
||||
"regexManagers": [
|
||||
{
|
||||
fileMatch: ["^.*\\.nix$"],
|
||||
matchStrings: [
|
||||
'image *= *"(?<depName>[^"]+):(?<currentValue>[^"]+)(@(?<currentDigest>sha256:[a-f0-9]+))?";',
|
||||
],
|
||||
datasourceTemplate: "docker",
|
||||
}
|
||||
],
|
||||
}
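Review bot: The `matchStrings` pattern in the second hunk cannot parse the digest-pinned form this commit uses in the .nix modules (`image = "ghcr.io/onedr0p/lidarr@sha256:…";`): the greedy `[^"]+` in `depName` runs to the last colon, so `depName` ends in `@sha256` and `currentValue` becomes the digest hex, and the registry lookup would presumably fail. Excluding `@` from both groups, for example `(?<depName>[^"@]+):(?<currentValue>[^"@:]+)(@(?<currentDigest>sha256:[a-f0-9]+))?`, and pinning images as `name:tag@sha256:digest` would let Renovate track tag and digest together. As rendered, `regexManagers` also appears wrapped in a bare `{ … }` with no key, which would not parse as JSON5; the rest of the file is outside the hunk, so confirm against the full file.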
|
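--- /dev/null
+++ b/.github/renovate/autoMerge.json5
@@ -0,0 +1,17 @@
+{
+packageRules: [
+// auto update all up to major
+{
+matchDatasources: ['docker'],
+automerge: "true",
+matchUpdateTypes: [ 'minor', 'patch', 'digest'],
+matchPackageNames: [
+'onedr0p/sonarr',
+'onedr0p/readarr',
+'onedr0p/radarr',
+'onedr0p/lidarr',
+'onedr0p/prowlarr',
+],
+},
+],
+}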
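Review bot: The `matchPackageNames` entries (`'onedr0p/sonarr'` and the rest) omit the `ghcr.io/` registry prefix that the image strings in the .nix modules carry, and the readarr module pulls `readarr-nightly`, so this rule likely matches none of the images it is meant to cover. Once it does match, `digest` in `matchUpdateTypes` combined with automerge means any image re-pushed upstream is merged without a human looking at it; for containers that mount the NAS read-write, consider leaving `digest` out of the automerge set or adding a `minimumReleaseAge` delay. `automerge: "true"` is a string where Renovate documents a boolean, so `automerge: true` is the safer spelling.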
|
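--- /dev/null
+++ b/docs/vm/k8s.md
@@ -0,0 +1,10 @@
+Removed complexity
+
+- external secrets -> bog standard sops
+- HA file storage -> standard file system
+- HA database cluster -> nixos standard cluster
+- Database user operator -> nixos standard ensure_users
+- Database permissions operator -> why even??
+- secrets reloader -> sops restart_unit
+- easier managment, all services run through systemd for consistency, cockpit makes viewing logs/pod console etc easy.
+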
|
|
@ -36,8 +36,8 @@
|
|||
definedAliases = [ "@nhmo" ];
|
||||
};
|
||||
"NixOS Wiki" = {
|
||||
urls = [{ template = "https://nixos.wiki/index.php?search={searchTerms}"; }];
|
||||
iconUpdateURL = "https://nixos.wiki/favicon.png";
|
||||
urls = [{ template = "https://wiki.nixos.org/w/index.php?search={searchTerms}"; }];
|
||||
iconUpdateURL = "https://wiki.nixos.org/favicon.ico";
|
||||
updateInterval = 24 * 60 * 60 * 1000; # every day
|
||||
definedAliases = [ "@nw" ];
|
||||
};
|
||||
|
@ -47,6 +47,12 @@
|
|||
updateInterval = 24 * 60 * 60 * 1000; # every day
|
||||
definedAliases = [ "@ks" ];
|
||||
};
|
||||
"Github Code Search" = {
|
||||
urls = [{ template = "https://github.com/search?type=code&q={searchTerms}"; }];
|
||||
iconUpdateURL = "https://github.githubassets.com/favicons/favicon-dark.svg";
|
||||
updateInterval = 24 * 60 * 60 * 1000; # every day
|
||||
definedAliases = [ "@gs" ];
|
||||
};
|
||||
|
||||
# "Searx" = {
|
||||
# urls = [{ template = "https://searx.trux.dev/?q={searchTerms}"; }];
|
||||
|
|
|
@ -13,11 +13,14 @@
|
|||
|
||||
mySystem.services = {
|
||||
openssh.enable = true;
|
||||
cockpit.enable = true;
|
||||
podman.enable = true;
|
||||
traefik.enable = true;
|
||||
sonarr.enable = true;
|
||||
homepage.enable = true;
|
||||
sonarr.enable = true;
|
||||
radarr.enable = true;
|
||||
lidarr.enable = true;
|
||||
readarr.enable = true;
|
||||
|
||||
};
|
||||
mySystem.nfs.nas.enable = true;
|
||||
|
||||
|
@ -40,7 +43,7 @@
|
|||
};
|
||||
};
|
||||
|
||||
networking.hostName = "shodan"; # Define your hostname.
|
||||
networking.hostName = "shodan1"; # Define your hostname.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
|
||||
fileSystems."/" =
|
||||
|
|
|
@ -1,5 +1,9 @@
|
|||
{
|
||||
imports = [
|
||||
./sonarr
|
||||
./radarr
|
||||
./lidarr
|
||||
./readarr
|
||||
./prowlarr
|
||||
];
|
||||
}
|
||||
|
|
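--- /dev/null
+++ b/nixos/modules/nixos/services/arr/lidarr/default.nix
@@ -0,0 +1,79 @@
+{ lib
+, config
+, pkgs
+, ...
+}:
+with lib;
+let
+app = "lidarr";
+image = "ghcr.io/onedr0p/lidarr@sha256:6b9564037159c2b90f32a2ee34683275783a4b8eff4b609e2d2b1c0654c94bac";
+user = "568"; #string
+group = "568"; #string
+port = 8686; #int
+cfg = config.mySystem.services.sonarr;
+persistentFolder = "${config.mySystem.persistentFolder}/${app}";
+in
+{
+options.mySystem.services.${app} =
+{
+enable = mkEnableOption "${app}";
+addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
+};
+
+config = mkIf cfg.enable {
+# ensure folder exist and has correct owner/group
+systemd.tmpfiles.rules = [
+"d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
+];
+
+sops.secrets."services/${app}/env" = {
+
+# configure secret for forwarding rules
+sopsFile = ./secrets.sops.yaml;
+owner = config.users.users.kah.name;
+inherit (config.users.users.kah) group;
+restartUnits = [ "podman-${app}.service" ];
+};
+
+virtualisation.oci-containers.containers.${app} = {
+image = "${image}";
+user = "${user}:${group}";
+environment = {
+PUSHOVER_DEBUG = "false";
+PUSHOVER_APP_URL = "${app}.${config.networking.domain}";
+LIDARR__INSTANCE_NAME = "Lidarr";
+LIDARR__APPLICATION_URL = "https://${app}.${config.networking.domain}";
+LIDARR__LOG_LEVEL = "info";
+};
+environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
+volumes = [
+"${persistentFolder}:/config:rw"
+"/mnt/nas/natflix:/media:rw"
+"/etc/localtime:/etc/localtime:ro"
+];
+labels = {
+"traefik.enable" = "true";
+"traefik.http.routers.${app}.entrypoints" = "websecure";
+"traefik.http.routers.${app}.middlewares" = "local-only@file";
+"traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
+
+};
+};
+
+mySystem.services.homepage.media-services = [
+{
+Lidarr = {
+icon = "${app}.png";
+href = "https://${app}.${config.networking.domain}";
+description = "Music management";
+container = "${app}";
+widget = {
+type = "${app}";
+url = "http://${app}:${toString port}";
+key = "{{HOMEPAGE_VAR_LIDARR__API_KEY}}";
+};
+};
+}
+];
+};
+}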
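Review bot: `cfg = config.mySystem.services.sonarr;` in the `let` block gates this module on Sonarr's switch, so `mySystem.services.lidarr.enable` is declared but never read, and the container, its secret and its Traefik route are created whenever Sonarr is enabled. The same line is in the prowlarr, radarr and readarr modules added by this commit; each should use `cfg = config.mySystem.services.${app};`, as the sonarr module does. `addToHomepage` is likewise declared but unused: the `media-services` entry is emitted unconditionally under `mkIf cfg.enable`, so either wrap it in `mkIf cfg.addToHomepage` or drop the option.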
|
59
nixos/modules/nixos/services/arr/lidarr/secrets.sops.yaml
Normal file
|
@ -0,0 +1,59 @@
|
|||
services:
|
||||
lidarr:
|
||||
env: ENC[AES256_GCM,data:+Ja2gz7l5bueQJdMxtsF2o2rXtnPfsj9xfANoZ7T2wI4vf/VQRcHFG8IFvpJWr03kr+4iIK7BlSqE+o5CqL7pZLPbC6FW0mnqFKXUpZZxctPlrDXPHLR6UcnDbvJjNgSF4O+nLz0yzUFV28/C0I=,iv:j+q/uM16sxffCaKZHeXD957J8mFG6sLUL8vBwwO7/mE=,tag:QPDD6WiRTLrXtUeNytYGew==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bW9rRnF5TzBBQUdSdy9q
|
||||
NExkZjdUWFI4VkFDUHF2REFQaXg4SGppUkcwCk12NW05NVUwaHBkNVdJRHA4L3Qw
|
||||
d0VtVkVmdmJpRDJCOHBIU1lHNVFpT1UKLS0tIGhVQlVibk1aOEc2YnBCM3RXVHQ2
|
||||
MUt0TzZTeXE3RkZBM0RBRkFkWkFYRTgKPQrxDiWBOyAIZpgLzHViMJGg4o+P/PlZ
|
||||
pCj3n5C1z4lZgaWU+oE70a3r2CXg0toaG0Lg9lq7hh5pQV+KfLcO8g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3eWVSejhCcmhUT1hGZHlK
|
||||
SVVUbmJ3UlVJT1k5azA3TkNsdDZCNWZQK0N3CnBYWUFWcXdSamhDT2pXTUFsZFIr
|
||||
akgxSkZtRE44eW0yQlFGc0U5RWUxdjQKLS0tIExDdXBhSGh0dDM5ZnFNTzdmdVNj
|
||||
MUY5UlFuNitiR08xeW9EZ09ZNThnQ1UKC+O/NlGD6ZdWAdJAAMyamGUJi8M6LhW2
|
||||
2CRjIhXpfhiG4vjbgP5Xs6JXXYfiF7mFN6W3VZAZ/B4aO/S+BEVYoA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Z1BYNDBVRjJDanVFNHMx
|
||||
aUpXZW8wdGdDVkVQdXVRVnd0aFRLTnZuVUdFCmZJei84bVUyOFA5S2JaOVpLMVM2
|
||||
T3B1YnNCcmNEV2s5WC9CRCtqd0pITTgKLS0tIHFmcjlmSjhXaWl2U09ralVjZzZE
|
||||
ZW5LaVhIVUNlN09aUVN0eGZvRU1TUGMKxQXeVgv5pwTTSM+b5YV0Clys/z6spAd6
|
||||
E8X0l9Q8QfKTw4JHhKZvVYtPQ/oKCqex7ez5WpARcOOcZmHojwuXdg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZmYzZElqQ0xBYmdrMHdD
|
||||
dUVlTXlrVXJnNmNBZTZQMEdvYmwwMVIva2pvClZLU1pPV0xUVFZGQ0t5TGI5Mkhw
|
||||
SE0wUWg2OWFnUTdBVEkzcTVOZWZFbWMKLS0tIEVCU2VnR3lIQXpqTnh0eHJzejEz
|
||||
SzgxZG9TU1BsdVZlU1h5MkNyNG9ZaDgKGndrjZxBKRcvrLkPpE2cHCOGye3a6ek9
|
||||
EmLowxl4EQ+pQqbukteFBfSlrs/302FfNrzL7cP4p2jzrCiT1RtHTw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlRlIyYnlxRmZYSzlhUzNX
|
||||
am9iS3h5TVJ5TWhraVYrWU9ETHdGMUpJZEIwCjBmQ3FMZHJFcjg0SXM1Q1FybXZq
|
||||
azVCL25XVXpHd01wbzRHMTN4QVd3N0UKLS0tIEFIc2dNNjErZFoxdzNDcEo4VE9B
|
||||
NVJrMEs2Q09aQlphYXdaelluYjgveUUKJndBGHWzTUoexspNKF29jlaBgEruu/ee
|
||||
acxnf1IGetFRKVNRu9mBPxAoMo+21Qi61E0/gdGaXWGmK2HEwSCaSA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-04-07T01:10:07Z"
|
||||
mac: ENC[AES256_GCM,data:3WmOa5i4eB5L88TjzLhJG6tHF4/ecwZQHE1aC4b737nJjFw4F7tWMtHECIPHjRXM8wTie/FZgIQA4AHQS8WxLMILWkiSHVAei0jYWUQLie6R1qvcZu6NdSg22Co368pSBaEkDy+jy1uXmhTGOcAWYivKdhLyuVyr+jVO7W0B600=,iv:MFHlY+iRxS9udlgZSRSr/06BHnhfLXcIhYlDY3RUpRc=,tag:u7FnVRGcK6Y3Zoh3h2fEjw==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
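--- /dev/null
+++ b/nixos/modules/nixos/services/arr/prowlarr/default.nix
@@ -0,0 +1,78 @@
+{ lib
+, config
+, pkgs
+, ...
+}:
+with lib;
+let
+app = "prowlarr";
+image = "ghcr.io/onedr0p/prowlarr@sha256:7f90035619b4dbff6bff985181275300cd999be5d4f03fcaf359ef7068fc5e5e";
+user = "568"; #string
+group = "568"; #string
+port = 9696; #int
+cfg = config.mySystem.services.sonarr;
+persistentFolder = "${config.mySystem.persistentFolder}/${app}";
+in
+{
+options.mySystem.services.${app} =
+{
+enable = mkEnableOption "${app}";
+addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
+};
+
+config = mkIf cfg.enable {
+# ensure folder exist and has correct owner/group
+systemd.tmpfiles.rules = [
+"d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
+];
+
+sops.secrets."services/${app}/env" = {
+
+# configure secret for forwarding rules
+sopsFile = ./secrets.sops.yaml;
+owner = config.users.users.kah.name;
+inherit (config.users.users.kah) group;
+restartUnits = [ "podman-${app}.service" ];
+};
+
+virtualisation.oci-containers.containers.${app} = {
+image = "${image}";
+user = "${user}:${group}";
+environment = {
+PUSHOVER_DEBUG = "false";
+PUSHOVER_APP_URL = "${app}.${config.networking.domain}";
+PROWLARR__INSTANCE_NAME = "Prowlarr";
+PROWLARR__APPLICATION_URL = "https://${app}.${config.networking.domain}";
+PROWLARR__LOG_LEVEL = "info";
+};
+environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
+volumes = [
+"${persistentFolder}:/config:rw"
+"/etc/localtime:/etc/localtime:ro"
+];
+labels = {
+"traefik.enable" = "true";
+"traefik.http.routers.${app}.entrypoints" = "websecure";
+"traefik.http.routers.${app}.middlewares" = "local-only@file";
+"traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
+
+};
+};
+
+mySystem.services.homepage.media-services = [
+{
+Prowlarr = {
+icon = "${app}.png";
+href = "https://${app}.${config.networking.domain}";
+description = "Content locator";
+container = "${app}";
+widget = {
+type = "${app}";
+url = "http://${app}:${toString port}";
+key = "{{HOMEPAGE_VAR_PROWLARR__API_KEY}}";
+};
+};
+}
+];
+};
+}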
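Review bot: The tmpfiles rule `"d ${persistentFolder} 0755 ${user} ${group} -"` makes the directory mounted at `/config` listable and traversable by every local account, and that is presumably where the application keeps its own settings (the widget's `HOMEPAGE_VAR_PROWLARR__API_KEY` suggests an API key is among them). Whether the files inside are readable by others depends on the container's umask, which is not set here, so tightening the directory is the cheaper guarantee: `"d ${persistentFolder} 0750 ${user} ${group} -"`. The lidarr, radarr, readarr and sonarr modules carry the same rule. The comment `# configure secret for forwarding rules` above `sopsFile` also looks copied from another module and should describe the env file it actually configures.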
|
59
nixos/modules/nixos/services/arr/prowlarr/secrets.sops.yaml
Normal file
|
@ -0,0 +1,59 @@
|
|||
services:
|
||||
prowlarr:
|
||||
env: ENC[AES256_GCM,data:NvGX3+harRQfv0x5L/6QznuIyu6su08EkD1btg2mZmemcxndZSVb+5odFZIDnoCsSUSMlxfZXHn2gOHB+7ePpHlVYy3/MZZTbn8I/nxVaAOPKYCJ7KXG5eKp7uEk+ZqEwIeMTI1MKekhCCwm43Ndn+oD,iv:uFpbHQMocdzFe+HQPEmC9Cz2hWOuL6TLi4Or94EzEIY=,tag:xeDbq4Ab5UuQQYa0kUnbig==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhSUwrZFliUC8wV1NKbm94
|
||||
U0VmR2t2VndWUFRjMzVOcitHZXJlZ2ZDVDI4ClpieVJnR044N0JEcVgvcU8rcDlB
|
||||
ZG5VbVhpOXVaYXpoMERkYnVjbkhWWEEKLS0tIEhXUGt2SnBVSmNtdEdibm9TbEx4
|
||||
YnIrdkpGMGFYUXViQnE2Z0VlQVlHVVUKdh4QPZmkOUHY0nhZTgQHN/Is/OaHUKdB
|
||||
fwPX5XltwaIgUCzKOJ18dOx24CA+xajvpRGDY5vdK6cN8N1lDnYPpw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiTDUySUpRbXBNOVlNSGNu
|
||||
NTY1Q3Ntd1pWaDVnMzQ4MW94QXN6T3dQb1J3CkNIRnBINmNsRWt3OGFlR056Nk02
|
||||
MEZlejIya2N6RUE2TlJtRkI3QTFTQlEKLS0tIGlneU1RSXBRdlhHMFFESU9wcE5W
|
||||
YTlwU2srUjAySDI4TGt0bDlBT2VLL1kK8PJnEGhGAjDjQYBuPhS9NWsHg31ddkpq
|
||||
UrC/SDONnawAVqC0djWkv2w71rHPh41GIFCW3V/IFS8vxQLSMiBo5w==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqUFp3MXFkVHU5dTdhcndG
|
||||
aGdLWHY2Ti9ES0hjeWc2VXFTcXdPSWZrN25zCno2Snc1LzBTdC8zTS9lQSsrSmwz
|
||||
d0VTb1Z6V0RxLzFzcEM4ZXEzZVpoSEkKLS0tIExvT2pKbzhaMUJaRHZoNlZpTXJY
|
||||
eE5zVUhBblNFQ1RDVzl5K3VFaVMxRDAKuNxtVAqjbxaLJPr7LXKRj0Pt/gh8++Fp
|
||||
AmYw0AVp/GMikWPCWVoCGiLr6svmNtbY0Q0B6KcN1N615G6AbrsoVg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBicTlKS0FhRHRRRXNuMURH
|
||||
UnN6QUhZUFNjSlRLRzJEYmU2cDAxdHhaQndZClRVR0p2UFBTdVNDUVhnSE1KSEQ3
|
||||
elNJeDdhK3lBb0xPK2daMmVBWUtMamMKLS0tIFZWeU9wdDErby90S2VFUHcrYjIx
|
||||
MlVtM1dqSmdaTWZtdjZMcmd2aEhCN2cKYbzlgLrLhoGutJ6PPgALF9O1Pe5zZrfB
|
||||
RCciStCtTO0Geloxf7YqelPW3D3crSSCmf4Yq4VTMnLccudGNRgaLA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvOXNBN3MrajlTa1cxZ05y
|
||||
MWx4TW40c3dabzZtZjErU0JzVUR4S2p4VVRjCkxkRjJNODI0M0pkYXBIQ1RxcFZY
|
||||
OVhra0NmNnRkb1VOTHJMaDFVR0RuR28KLS0tIFlLNFk4MSt1M1UwL0tnRzRkYk00
|
||||
YTAwcUlzMGRDMldCYjUwM2lZYS9YOWcKdgArTqnH04EMDc8s4q8eIoAlRbD7hsYj
|
||||
RJNesG9wKZlrGOlDydOX7CD7hyrVRH1CrhMIAzWggu5dy8Bl9Mbe4w==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-04-07T03:01:12Z"
|
||||
mac: ENC[AES256_GCM,data:ec1pzZ90D5jkY8jPDyDNyMxTovZqSjYBUryllybBPZwn08EeMPya/08+/mo3kqwgT4bVIFnEe/Fwk1ofEiz1G0YppcA4F43Rv0O7wGyTgRUKJ1sDuAcUvnvS/WSbG3POKibGcsu8v7wqDt9/JdFjoCfsurx+Ze17T9V+ZmYSQWo=,iv:oq55QVt2rMwCK8IPLNbUx5cs2sLAgWIp6/wb4faMpPU=,tag:rlmhn6XU7qgp58WpRlTwvA==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
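--- /dev/null
+++ b/nixos/modules/nixos/services/arr/radarr/default.nix
@@ -0,0 +1,79 @@
+{ lib
+, config
+, pkgs
+, ...
+}:
+with lib;
+let
+app = "radarr";
+image = "ghcr.io/onedr0p/radarr@sha256:2de39930de91ae698f9461bb959d93b9d59610f88e0c026e96bc5d9c99aeea89";
+user = "568"; #string
+group = "568"; #string
+port = 7878; #int
+cfg = config.mySystem.services.sonarr;
+persistentFolder = "${config.mySystem.persistentFolder}/${app}";
+in
+{
+options.mySystem.services.${app} =
+{
+enable = mkEnableOption "${app}";
+addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
+};
+
+config = mkIf cfg.enable {
+# ensure folder exist and has correct owner/group
+systemd.tmpfiles.rules = [
+"d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
+];
+
+sops.secrets."services/${app}/env" = {
+
+# configure secret for forwarding rules
+sopsFile = ./secrets.sops.yaml;
+owner = config.users.users.kah.name;
+inherit (config.users.users.kah) group;
+restartUnits = [ "podman-${app}.service" ];
+};
+
+virtualisation.oci-containers.containers.${app} = {
+image = "${image}";
+user = "${user}:${group}";
+environment = {
+PUSHOVER_DEBUG = "false";
+PUSHOVER_APP_URL = "${app}.${config.networking.domain}";
+RADARR__INSTANCE_NAME = "Radarr";
+RADARR__APPLICATION_URL = "https://${app}.${config.networking.domain}";
+RADARR__LOG_LEVEL = "info";
+};
+environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
+volumes = [
+"${persistentFolder}:/config:rw"
+"/mnt/nas/natflix/series:/media:rw"
+"/etc/localtime:/etc/localtime:ro"
+];
+labels = {
+"traefik.enable" = "true";
+"traefik.http.routers.${app}.entrypoints" = "websecure";
+"traefik.http.routers.${app}.middlewares" = "local-only@file";
+"traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
+
+};
+};
+
+mySystem.services.homepage.media-services = [
+{
+Radarr = {
+icon = "${app}.png";
+href = "https://${app}.${config.networking.domain}";
+description = "Movie management";
+container = "${app}";
+widget = {
+type = "${app}";
+url = "http://${app}:${toString port}";
+key = "{{HOMEPAGE_VAR_RADARR__API_KEY}}";
+};
+};
+}
+];
+};
+}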
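Review bot: The media volume `"/mnt/nas/natflix/series:/media:rw"` hands the movie manager the series directory, which looks carried over from the sonarr module rather than intended; the NAS layout is not visible on this page, so confirm the path. Mounting only the subtree Radarr needs (placeholder: `"/mnt/nas/natflix/<movies-dir>:/media:rw"`) also limits what a compromised or misbehaving container can write to on the share.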
|
59
nixos/modules/nixos/services/arr/radarr/secrets.sops.yaml
Normal file
|
@ -0,0 +1,59 @@
|
|||
services:
|
||||
radarr:
|
||||
env: ENC[AES256_GCM,data:Sup7QbkSx/m7KlXToXmd50pewu9Ofjz+mfhVWuDdLm0P3Z1mjNOwVEuvJPmgzj6xth2/nMxtStb+0HTxzPnPVx3pfVxM/AAUPNryvK4xPmhr2ROyJ6sdUFwCzv0QmT+mS1mYy4GJ6ms/6is5agViRdKu+uoTMI5ogb2L2UJR9D6S1V/VH/OuPr/KNcFQF+f1uuo76h42pCuagJ+Biek6Mr9qoLNAUA63+PkWuRkZs9XZxTSTmF38AdOXJhU+RF7HV7WCtNQhQvVIRmRO0wSm,iv:mbmOxJusIfhoQkT2B+etQh8afYFpLP+nRfKJnR212yE=,tag:huIYNNzZFR8oDzX3FM2SZQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyL0VUU1FrUGhsZ3RvTFQw
|
||||
RVBLTXdMTEtUc0twalVUUTM5b0dnRU1WUWpFCjBNeG5zU1NUU1BkRGo5MWFESEg1
|
||||
bTNmc2VFbHJXM1pKbkpTUzVHWmJSaTgKLS0tIGsydXlwRHpVeVE3VlZvbVdYNWps
|
||||
L0hlSDVPQXlES1ZwQWxaYXlkaHhCeGMKKKzYAzrByU7kx2FaroGt1G7HJpmfxZ/4
|
||||
m1q//Leo6qttDeLod8ZrZR+nCjx2LzqWiMFatEpirgUU1SxVYLsN0Q==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxZ2RKTUtYZW56cU91UHM4
|
||||
NkJ5dnJjU1pjV09kUUtxOHU3dlJhMXkycFU0CmVWSCtJUHc2WkJyTDQ1c0J0dVBK
|
||||
SFY5bmtpQWNTRXgvMi9RTWJCNXlJZkkKLS0tIFk5Wmk3Sy9ucjl1YVMwL3BSVCtF
|
||||
aWxGNWtxZmJuR0RCRmFTdUs0c0xaR1kKEzEzyrAzLm812z7lqGMXY7hxX2zSanah
|
||||
Z4+3X44basjM8FTI6CvZAFqtpouv5o4QAerggCZatQV2DEs+6iAvLw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwT3RtQk1uMjBIWnlMdEt2
|
||||
MXJNMEhPVDc0bGxEb0tXY1JpWS9wQ3pKV0JJCnBqcUNJOUMyYVhJdGh5YzBuY0FC
|
||||
eEhlZFRiK0NIcnhJZVA0Q2J6bytXNk0KLS0tIDlVSEd3NHFNakdqeEpwRC96M0lB
|
||||
Ym95TkpWVS9JY1JjL0F1dUF1QkhDbHMKvBOtjm/T+s9xjPhSzicL5yAGg66qQGnf
|
||||
7HJVClweQ343WwIw8lO2/GM3CVaU20Q/UibaBYszUTNyNbQSFv5Sow==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcFVmMEdaN0oycG9sdk1m
|
||||
bjdBem5lQVB4bEM4TmM0QnpPK3p4RldDT25VCmV6YVdoR2NnNEx4WC9kdzRySWl6
|
||||
amxJeTNTRmdjZEJVc05UWnFDdDJ4UkkKLS0tIER1dmFGdmVPWHhXUUJ1Ym96NU9K
|
||||
aE9NS04yblVQNmVxNFlVRFZlRnkyRDgK+/uf5R1GT5bFkSSsYx5R6aehDcyapsz0
|
||||
1uzffKV95MSo0I2ZqZDJgJPqsh23IxhzBJKsFhCw233bIaOaCSApuA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxcXFxc1o4OVZqbVBkWW9S
|
||||
d1FMY3Nma3VVNS9kQ2E2NHo2VXdlQS9jWVFzCkUrV3c3d3RkclZLaktuWG0yTitx
|
||||
OVVkQm9uaEFmMVFhYW92SlJKTlA0bVEKLS0tIG5PZm9NTjF6blR6TzhDOS94ck5N
|
||||
S1doVkdGQjIzNmtTQkp0VHJoSWp3czAK1NPIYn78CEqiLk7cZKoZU2RPeS0hZImd
|
||||
Sj7V+yVS0zZvLnHVhHcOIOGuVIAhsxNZgQ2Wd4sT2GaueUS3dRVhyw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-04-07T00:54:00Z"
|
||||
mac: ENC[AES256_GCM,data:Ale1C+ow3OyKdgyyVBSco6mmK/o+wbSUFOzW7QScn8v80itwe42rLqGHdcTrrfxONVY0hrYBbaTA9dbRekNUa04goZbzyzrVYHAfdqf9qw7ugFLazeL3GA4hHUdkmfCtYEhjqK3Y3Ef88i1uysvJWfBlm/ayE8N2mv17CRxl8cA=,iv:bY6/ih+Boc1oY1NpLOnd1RLZxASD/vbom/sirb8ktao=,tag:GU+nM1Oncx3j0x9UXJ784w==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
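--- /dev/null
+++ b/nixos/modules/nixos/services/arr/readarr/default.nix
@@ -0,0 +1,77 @@
+{ lib
+, config
+, pkgs
+, ...
+}:
+with lib;
+let
+app = "readarr";
+image = "ghcr.io/onedr0p/readarr-nightly@sha256:dd429811956178223ca7db1699f4ce03641edfa39ea8a1436a33272618278ade";
+user = "568"; #string
+group = "568"; #string
+port = 8787; #int
+cfg = config.mySystem.services.sonarr;
+persistentFolder = "${config.mySystem.persistentFolder}/${app}";
+in
+{
+options.mySystem.services.${app} =
+{
+enable = mkEnableOption "${app}";
+addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
+};
+
+config = mkIf cfg.enable {
+# ensure folder exist and has correct owner/group
+systemd.tmpfiles.rules = [
+"d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
+];
+
+sops.secrets."services/${app}/env" = {
+
+# configure secret for forwarding rules
+sopsFile = ./secrets.sops.yaml;
+owner = config.users.users.kah.name;
+inherit (config.users.users.kah) group;
+restartUnits = [ "podman-${app}.service" ];
+};
+
+virtualisation.oci-containers.containers.${app} = {
+image = "${image}";
+user = "${user}:${group}";
+environment = {
+READARR__INSTANCE_NAME = "Lidarr";
+READARR__APPLICATION_URL = "https://${app}.${config.networking.domain}";
+READARR__LOG_LEVEL = "info";
+};
+environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
+volumes = [
+"${persistentFolder}:/config:rw"
+"/mnt/nas/natflix:/media:rw"
+"/etc/localtime:/etc/localtime:ro"
+];
+labels = {
+"traefik.enable" = "true";
+"traefik.http.routers.${app}.entrypoints" = "websecure";
+"traefik.http.routers.${app}.middlewares" = "local-only@file";
+"traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
+
+};
+};
+
+mySystem.services.homepage.media-services = [
+{
+Readar = {
+icon = "${app}.png";
+href = "https://${app}.${config.networking.domain}";
+description = "Book management";
+container = "${app}";
+widget = {
+type = "${app}";
+url = "http://${app}:${toString port}";
+key = "{{HOMEPAGE_VAR_READARR__API_KEY}}";
+};
+};
+}
+];
+};
+}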
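Review bot: Two copy-paste slips in the new module: `READARR__INSTANCE_NAME = "Lidarr";` should read `"Readarr"`, and the homepage key `Readar = {` is missing an `r`. The image is `ghcr.io/onedr0p/readarr-nightly`, which the `matchPackageNames` list in `.github/renovate/autoMerge.json5` does not name, so if a nightly build is intended it sits outside the automerge rule; if not, pin the stable image instead.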
|
59
nixos/modules/nixos/services/arr/readarr/secrets.sops.yaml
Normal file
|
@ -0,0 +1,59 @@
|
|||
services:
|
||||
readarr:
|
||||
env: ENC[AES256_GCM,data:/nOtTAhPSy3jlzZb3CmmOOyyhoxH8wgF7/sOlQxWP6FC6+lDH/DhibckUVHscwNAlwSIT4MeuLaE2vyeNUOSwhx5WwxGXvqQFjXRv0hkIPcHpWriJmuc44c7rHga+sCDpQNGPCLRbEmcYvTpm403cA==,iv:G0Elt5Oe0yGzVCoLkKUKp5QexziHzOIZO/AUqx13JE4=,tag:Ue9xgKJ4QyDs2445y9/xtg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2d1V3dC9oWFR2RUV4RXFo
|
||||
ZEw1QmlMc1VXc2hZTTFFK3d1TEtiSXJtcTFjCjFTMHpkK1Q2TFlTbFZEdjQ1RlVs
|
||||
K3dsOGhLN011eXBEV21vckZRdHRsWVEKLS0tIDNQRDRxTHI3SjBkZGxGQmdoOWg0
|
||||
TlUzeDRwNUppSHpSSHNnWkJKYS8vSU0KyIu/ttRKDqQ3mKtk1AyCDnL5ZwydMv/9
|
||||
Mc9we7EXPzbGkOoGVNzFH+sP1GZM4k9f5wQ8OgiseVKTwzuHzqaFYg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNZW94S2VxL0QwN2gweThB
|
||||
YUNhall0bFZvTm02ZHkwYXhRb0E1bTc0OEhVCnBtQ2FhSTZabmJzMm1RUzE4VzlE
|
||||
MmJ1aEFMRUxwUTcwWVVGOXBXa05QNW8KLS0tIHJ3VjlDVzUremhkd25lM2IrR2tH
|
||||
dlkxVkpnUFZTYTd0cDR6bTBCR1VzSUkKlUGI4JKzdWdvJuYSc8PeR3qEA3OXG7w3
|
||||
Jv42OCDczivOR69E8ZBIU+dS+1XrLNgGxN7xSGFpHnz0ZgaZWYow/w==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLeG83T1RXckYralg3SzJP
|
||||
QmVYa3lkZittTFJFSDBBRmdrQWFHNE5PTkdFCjcvK1J5SGhYVVlHM2xMempCMHVV
|
||||
Mzh4eGR0QzZwMjZycFV4cGdJQ09RUzAKLS0tIFJGMnNQcW16eFhWeXY5V3dOUDV0
|
||||
WUhuQUZDbGU3V3JIeXpxVytuUy9PNjgKy9Y/XkjkDX3ypVSWZhfACkXQdjz2Qm8N
|
||||
4Am69qQRvOCnnFuw30RftgJSRvs1X7dTnvUKwCcweUiCAL+o2R/q6A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6TWRLQzNGTHJZM0lzRkVx
|
||||
OG9vdS9wc0VsYTRoR2FRM1dWdXREZ1RjK1M0CnczVjI1a0lNTVpCbmZMR0FmRDFS
|
||||
aGpuQzdyMkc2WW1BWkp2ODFhc1JUcGMKLS0tIGNyOXd6a1dqdHRKUEJEOE1UNjBr
|
||||
aU9EeWg4Rm9sbTdrWGZ4cmNMUVI3a3MKhUyeqGGZPxcHUCXVNAAcZtx35vzFmunQ
|
||||
fTNNnoI6CM0Xmwznlp0576s3qmjbXMc5+Wm9Ni4tLnBrnyl/Y4oijg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0Z1doS3pjc0FaczdudDBp
|
||||
Ykx4aGl0YVZUUmoxNUs2aWpieFZlQ0dYN0VNClZQQkF2QWtyeVpta2VBbEpMZjVZ
|
||||
T3hrU2ozbE10M3c2ejlta2tNNEhBYWMKLS0tIHlGeVNnRmNiUzhKYmpUWG8xbDVo
|
||||
V0JjaGpDTXpsSE5Ldm13N3N1UU9zRE0Ky8tp8tJkgwyLNBvnOM+puMy2+46Khf7n
|
||||
LzxXw/7ZJnIPsYywXPj7IdeMha9nvXow8zpSriI52ecOmJZxSbkLeg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-04-07T01:10:50Z"
|
||||
mac: ENC[AES256_GCM,data:8Cx1SzSIeNSYGCyOsPCkaWv/Z8A4t8a+o1UDYnf4KsuysH8NolDMZWziMiPnzKpWLMNBo6qzJfaDfm2b6MyvEsLRue1Z5iAuNIlMOWYeVkeQu9ZDPOOYuEqxCMmRLOpHdsQh9G++bcGzNjZoFOKMkh4uCCQrboohFGO38WEWnHY=,iv:hPbqJSYvPb1npIIyc4a92YytDMRm7c9pgPv3j6TvxoQ=,tag:1s3Jxup2X/gWAinn12Rxzg==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
|
@ -5,46 +5,76 @@
|
|||
}:
|
||||
with lib;
|
||||
let
|
||||
app = "sonarr";
|
||||
image = "ghcr.io/onedr0p/sonarr@sha256:04d8e198752b67df3f95c46144b507f437e7669f0088e7d2bbedf0e762606655";
|
||||
port = 8989;
|
||||
cfg = config.mySystem.services.sonarr;
|
||||
persistentFolder = "${config.mySystem.persistentFolder}/sonarr";
|
||||
user = "568"; #string
|
||||
group = "568"; #string
|
||||
port = 8989; #int
|
||||
cfg = config.mySystem.services.${app};
|
||||
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
|
||||
containerPersistentFolder = "/config";
|
||||
in
|
||||
{
|
||||
options.mySystem.services.sonarr.enable = mkEnableOption "Sonarr";
|
||||
options.mySystem.services.${app} =
|
||||
{
|
||||
enable = mkEnableOption "${app}";
|
||||
addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
# ensure folder exist and has correct owner/group
|
||||
systemd.tmpfiles.rules = [
|
||||
"d ${persistentFolder} 0755 568 568 -" #The - disables automatic cleanup, so the file wont be removed after a period
|
||||
"d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
|
||||
];
|
||||
|
||||
virtualisation.oci-containers.containers.sonarr = {
|
||||
image = "${image}";
|
||||
user = "568:568";
|
||||
environment = {
|
||||
UMASK = "002";
|
||||
sops.secrets."services/${app}/env" = {
|
||||
|
||||
# configure secret for forwarding rules
|
||||
sopsFile = ./secrets.sops.yaml;
|
||||
owner = config.users.users.kah.name;
|
||||
inherit (config.users.users.kah) group;
|
||||
restartUnits = [ "podman-${app}.service" ];
|
||||
};
|
||||
|
||||
virtualisation.oci-containers.containers.${app} = {
|
||||
image = "${image}";
|
||||
user = "${user}:${group}";
|
||||
environment = {
|
||||
PUSHOVER_DEBUG = "false";
|
||||
PUSHOVER_APP_URL = "${app}.${config.networking.domain}";
|
||||
SONARR__INSTANCE_NAME = "Radarr";
|
||||
SONARR__APPLICATION_URL = "https://${app}.${config.networking.domain}";
|
||||
SONARR__LOG_LEVEL = "info";
|
||||
};
|
||||
environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
|
||||
volumes = [
|
||||
"${persistentFolder}:/config:rw"
|
||||
"/mnt/nas/natflix/series:/media:rw"
|
||||
"${persistentFolder}:${containerPersistentFolder}:rw"
|
||||
"/mnt/nas/natflix:/media:rw"
|
||||
"/etc/localtime:/etc/localtime:ro"
|
||||
];
|
||||
labels = {
|
||||
"traefik.enable" = "true";
|
||||
"traefik.http.routers.sonarr.entrypoints" = "websecure";
|
||||
"traefik.http.routers.sonarr.middlewares" = "local-only@file";
|
||||
"traefik.http.services.sonarr.loadbalancer.server.port" = "${toString port}";
|
||||
"traefik.http.routers.${app}.entrypoints" = "websecure";
|
||||
"traefik.http.routers.${app}.middlewares" = "local-only@file";
|
||||
"traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
|
||||
|
||||
"homepage.group" = "Media";
|
||||
"homepage.name" = "Sonarr";
|
||||
"homepage.icon" = "sonarr.png";
|
||||
"homepage.href" = "https://sonarr.${config.networking.domain}";
|
||||
"homepage.description" = "Series manager";
|
||||
# "homepage.weight" = -70000;
|
||||
"homepage.widget.type" = "sonarr";
|
||||
"homepage.widget.url" = "https://sonarr.${config.networking.domain}";
|
||||
};
|
||||
};
|
||||
|
||||
mySystem.services.homepage.media-services = [
|
||||
{
|
||||
Sonarr = {
|
||||
icon = "${app}.png";
|
||||
href = "https://${app}.${config.networking.domain}";
|
||||
description = "TV show management";
|
||||
container = "${app}";
|
||||
widget = {
|
||||
type = "${app}";
|
||||
url = "http://${app}:${toString port}";
|
||||
key = "{{HOMEPAGE_VAR_SONARR__API_KEY}}";
|
||||
};
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
59
nixos/modules/nixos/services/arr/sonarr/secrets.sops.yaml
Normal file
59
nixos/modules/nixos/services/arr/sonarr/secrets.sops.yaml
Normal file
|
@ -0,0 +1,59 @@
|
|||
services:
|
||||
sonarr:
|
||||
env: ENC[AES256_GCM,data:Lg92wQkiBY5gBZ2+ckLs7EBPo/0fEwqhEvnWcnU5quUMNlJeWnjWFqU8qu1TaW0Vmux/A/QgIJAiYgWnbQuD9benOR2swkt4+DazSeC+35VQOTbegVDrH4wiJikTHTtoKpgSKHLBQAy113jaDL/RBFRpsSjsXEsGGu+G+GZ1MFcW5hRbYam1o62NqOAG66efcIGXv8T+sD0ouLcN2g9ZjU2QqUqJqsGBtg1d0SIVj9bNW2vUHHmMtIQBTxfR6S5V3tzqjP2EfzaT/gDSPPJg,iv:e9/vpvTFDixP07fVXutIhJcAg8Qb9d7fVJNmn+XhMjU=,tag:7MAF0kHvcf5VDUMCpJATVA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvYTlNSGpIclBoWVlWWDBz
|
||||
ckVZQWdndVBreDRXV3k1UDhxR0Y4R1J5blNBCmh0RmtwbzMrcGxLL1FoQVBjSVUy
|
||||
QUxPUXJmaFYxRXFFb0lTQ2JHd3M3aFUKLS0tIEZ6UWJOVXp1VE1XTnhzQVhGT2RS
|
||||
MVhTTE1JbU5rZnZjUFI2NDNkRUEvY0EKxglGGpDa8xY9w9VKayRF2Oqjv+UhDiLY
|
||||
3uPQWLasVcQviZE7AqG5n8azLTaX5DEoAOVFDCnhJYjU9NatXhcutw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdU84WkVMVWl2UXQ2WHN3
|
||||
ZE1IbENMU0JlN0pPMTZSeHFPdW5mN1NhcUVRCkovcEJSNm9FWU9LdWk2aWRMbzJO
|
||||
b3VoM0F5VWxSU2I1UU9lblMreXNvcjQKLS0tIG9hSVk4RzRzbVgyektXQ1lkcGF6
|
||||
Q1FLdWZGOUFqWm9Hc0NDVUFFczlXYXcKxxWKSOrDUGld40zvDzsmMBOAexWoijDN
|
||||
tBxJteEnSbTd+s93MDfuM+axeNR5Ak4+f/pEoLho5xjjn8f/fdlebA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVdGV5ZU1ZSFNvaHpGRUFs
|
||||
cWRkVWlMZUZrbDNLSlJJSUpZVkhKUHI3OVdnCk1pckRmbWJNMkdvOXZscE1sMFcw
|
||||
QktRU0Foa2hNTU9tcUN0UmM0Y0h2TU0KLS0tIDY1c2lVb1Bnd1c0d1Y3NVMrYmVZ
|
||||
UXJFb294d1Bqc3E0SUFjWmFqSjdka28K2cEgMCIxpzGe2Z1rgaWq+rWXKJvfsTi9
|
||||
PFWywF6/E+9Egwrh98FspQAzYP/7zl+N8gjR5Pa+Scx2D2iOizXWfg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKallmeUFQMmRvNFZRbnho
|
||||
SVYzYit2TWFSRnV6dVNjUzlSQ0ZhTEJUNEhjCmFmaEsvMkpPQVZBN0FLVVp1dzgv
|
||||
Ym56YzhwcWdkNlVSbHA4cnQ2T2VVeXMKLS0tIENqdXZCaFNrZVpFVUIrakpsY1ZP
|
||||
QUxPS3lqcTBISnByTXVWcWdtZWYwNXMK8FRzmS0q2l6MWUu0YreaqEnKKW085j4s
|
||||
f1oTHPpErwPLuh3hUciUPFe5Mbm3zSdjBsGyQtxPF6xLtw8dFaDYBA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaTXg2S2R2M2tHYmllUXFZ
|
||||
NkZzcTdRaU5RM29RQkdEQnpNWXowZUFoR3hZCm1TclN2K0FoQktVTzg4YkkyRUhC
|
||||
NXRybXE5Ym1XYjF3cG53RitvK3VTR1kKLS0tIGtkZXFLWmJiRG81M2RyYzdXZUEx
|
||||
M2tqQVZaUmNVbm9YZys0NUNpSk4vN3cKpkL37l/i3VD6zhWHK/ROvcvmCBQfifuw
|
||||
EFYI+F+BTjkoptqIVFCDbATRrqSfOqsYPmEg5lM0e3Oul+vT++e0/g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-04-06T21:26:23Z"
|
||||
mac: ENC[AES256_GCM,data:ITWKix2aNhXzzzZTvq2sBPXO3Phvr+lS83fSwEbH7FTowD7uScxqAF4PMJ+txAfIpmZiaD5vXIK98YU9HOWRFUoOiYxdwVwfOiX63mB0JKj5jLHHeIe6bMaWfudITlIL9an6YO/qyUww9OVXaxYEmwOJI4W+HnMLbYLf5lGboEo=,iv:i8dddSV2W9FifN+ktwGsaYRRnK4UJtrG7g6LpWPtgu4=,tag:acP4YvJarHLCZUJ3dCFuOQ==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
|
@ -11,11 +11,32 @@ in
|
|||
{
|
||||
options.mySystem.services.cockpit.enable = mkEnableOption "Cockpit";
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
services.cockpit.enable = true;
|
||||
services.cockpit.openFirewall = true;
|
||||
config.services.cockpit = mkIf cfg.enable {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
package = pkgs.cockpit.overrideAttrs (old: {
|
||||
# remove packagekit and selinux, don't work on NixOS
|
||||
postBuild = ''
|
||||
${old.postBuild}
|
||||
|
||||
rm -rf \
|
||||
dist/packagekit \
|
||||
dist/selinux
|
||||
'';
|
||||
});
|
||||
};
|
||||
|
||||
config.environment = mkIf cfg.enable {
|
||||
systemPackages = with pkgs;
|
||||
[
|
||||
(mkIf config.virtualisation.podman.enable nur.repos.procyon.cockpit-podman) # only if server runs pods
|
||||
|
||||
# nur.repos.dukzcry.cockpit-machines # TODO enable with virtualisation on server
|
||||
# nur.repos.dukzcry.libvirt-dbus # TODO enable with virtualisation on server
|
||||
# pkgs.virt-manager # TODO enable with virtualisation on server
|
||||
];
|
||||
|
||||
|
||||
|
||||
};
|
||||
}
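Review bot: `openFirewall = true` stays on the new side of this hunk, and the same commit enables Cockpit in the shared server profiles, so the web console becomes reachable on every interface of each host. One of those profiles also carries `mySystem.security.wheelNeedsSudoPassword = false`, so a Cockpit login as a wheel user would presumably reach administrative access without a further password prompt. I would drop `openFirewall` and open the port only on the management interface, e.g. `networking.firewall.interfaces.<mgmt-iface>.allowedTCPPorts = [ 9090 ];` (the interface name is a placeholder; 9090 is Cockpit's default port). The module's `let` bindings and header are above the hunk.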
|
||||
|
|
|
@ -13,12 +13,121 @@ let
|
|||
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
|
||||
|
||||
cfg = config.mySystem.services.homepage;
|
||||
|
||||
settings = {
|
||||
# title = "Hades";
|
||||
# theme = "dark";
|
||||
# color = "slate";
|
||||
showStats = true;
|
||||
};
|
||||
settingsFile = builtins.toFile "homepage-settings.yaml" (builtins.toJSON settings);
|
||||
|
||||
bookmarks = [
|
||||
{
|
||||
Administration = [
|
||||
{ Source = [{ icon = "github.png"; href = "https://github.com/truxnell/nix-config"; }]; }
|
||||
{ Cloudflare = [{ icon = "cloudflare.png"; href = "https://dash.cloudflare.com/"; }]; }
|
||||
];
|
||||
}
|
||||
{
|
||||
Development = [
|
||||
{ CyberChef = [{ icon = "cyberchef.png"; href = "https://gchq.github.io/CyberChef/"; }]; }
|
||||
{ "Nix Options Search" = [{ abbr = "NS"; href = "https://search.nixos.org/packages"; }]; }
|
||||
{ "Doppler Secrets" = [{ abbr = "DP"; href = "https://dashboard.doppler.com"; }]; }
|
||||
{ "onedr0p Containers" = [{ abbr = "OC"; href = "https://github.com/onedr0p/containers"; }]; }
|
||||
{ "bjw-s Containers" = [{ abbr = "BC"; href = "https://github.com/bjw-s/container-images"; }]; }
|
||||
|
||||
];
|
||||
}
|
||||
];
|
||||
bookmarksFile = builtins.toFile "homepage-bookmarks.yaml" (builtins.toJSON bookmarks);
|
||||
|
||||
widgets = [
|
||||
{
|
||||
resources = {
|
||||
cpu = true;
|
||||
memory = true;
|
||||
cputemp = true;
|
||||
uptime = true;
|
||||
disk = "/";
|
||||
units = "metric";
|
||||
# label = "system";
|
||||
};
|
||||
}
|
||||
{
|
||||
search = {
|
||||
provider = "duckduckgo";
|
||||
target = "_blank";
|
||||
};
|
||||
}
|
||||
];
|
||||
widgetsFile = builtins.toFile "homepage-widgets.yaml" (builtins.toJSON widgets);
|
||||
|
||||
services = [
|
||||
{ Infrastructure = cfg.infrastructure-services; }
|
||||
{ Home = cfg.home-services; }
|
||||
{ Media = cfg.media-services; }
|
||||
];
|
||||
servicesFile = builtins.toFile "homepage-config.yaml" (builtins.toJSON services);
|
||||
in
|
||||
{
|
||||
options.mySystem.services.homepage.enable = mkEnableOption "Homepage dashboard";
|
||||
options.mySystem.services.homepage = {
|
||||
enable = mkEnableOption "Homepage dashboard";
|
||||
infrastructure-services = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.attrs;
|
||||
description = "Services to add to the infrastructure column";
|
||||
default = [ ];
|
||||
};
|
||||
home-services = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.attrs;
|
||||
description = "Services to add to the infrastructure column";
|
||||
default = [ ];
|
||||
};
|
||||
media-services = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.attrs;
|
||||
description = "Services to add to the infrastructure column";
|
||||
default = [ ];
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
sops.secrets."services/sonarr/env" = {
|
||||
# configure secret for forwarding rules
|
||||
sopsFile = ../arr/sonarr/secrets.sops.yaml;
|
||||
owner = "kah";
|
||||
group = "kah";
|
||||
restartUnits = [ "podman-${app}.service" ];
|
||||
};
|
||||
sops.secrets."services/radarr/env" = {
|
||||
# configure secret for forwarding rules
|
||||
sopsFile = ../arr/radarr/secrets.sops.yaml;
|
||||
owner = "kah";
|
||||
group = "kah";
|
||||
restartUnits = [ "podman-${app}.service" ];
|
||||
};
|
||||
sops.secrets."services/lidarr/env" = {
|
||||
# configure secret for forwarding rules
|
||||
sopsFile = ../arr/lidarr/secrets.sops.yaml;
|
||||
owner = "kah";
|
||||
group = "kah";
|
||||
restartUnits = [ "podman-${app}.service" ];
|
||||
};
|
||||
sops.secrets."services/readarr/env" = {
|
||||
# configure secret for forwarding rules
|
||||
sopsFile = ../arr/readarr/secrets.sops.yaml;
|
||||
owner = "kah";
|
||||
group = "kah";
|
||||
restartUnits = [ "podman-${app}.service" ];
|
||||
};
|
||||
sops.secrets."services/prowlarr/env" = {
|
||||
# configure secret for forwarding rules
|
||||
sopsFile = ../arr/prowlarr/secrets.sops.yaml;
|
||||
owner = "kah";
|
||||
group = "kah";
|
||||
restartUnits = [ "podman-${app}.service" ];
|
||||
};
|
||||
|
||||
# ensure folder exist and has correct owner/group
|
||||
systemd.tmpfiles.rules = [
|
||||
"d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
|
||||
|
@ -27,23 +136,43 @@ in
|
|||
virtualisation.oci-containers.containers.${app} = {
|
||||
image = "${image}";
|
||||
user = "${user}:${group}";
|
||||
|
||||
environment = {
|
||||
UMASK = "002";
|
||||
PUID = "${user}";
|
||||
PGID = "${group}";
|
||||
};
|
||||
|
||||
environmentFiles = [
|
||||
config.sops.secrets."services/sonarr/env".path
|
||||
config.sops.secrets."services/radarr/env".path
|
||||
config.sops.secrets."services/readarr/env".path
|
||||
config.sops.secrets."services/lidarr/env".path
|
||||
config.sops.secrets."services/prowlarr/env".path
|
||||
];
|
||||
|
||||
labels = {
|
||||
"traefik.enable" = "true";
|
||||
"traefik.http.routers.${app}.entrypoints" = "websecure";
|
||||
"traefik.http.routers.${app}.middlewares" = "local-only@file";
|
||||
"traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
|
||||
};
|
||||
# mount socket for service discovery.
|
||||
# not using docker socket for discovery, just
|
||||
# building up the apps from a shared key
|
||||
# this is a bit more tedious, but more secure
|
||||
# from not exposing docker socet and makes it
|
||||
# easier to have/move services between hosts
|
||||
volumes = [
|
||||
"${persistentFolder}:/app/config:rw"
|
||||
"/var/run/podman/podman.sock:/var/run/docker.sock:ro" # TODO abstract out podman/docker socket
|
||||
"/etc/localtime:/etc/localtime:ro"
|
||||
"${persistentFolder}:/app/config/logs:rw"
|
||||
"${settingsFile}:/app/config/settings.yaml"
|
||||
"${servicesFile}:/app/config/services.yaml"
|
||||
"${bookmarksFile}:/app/config/bookmarks.yaml"
|
||||
"${widgetsFile}:/app/config/widgets.yaml"
|
||||
|
||||
];
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
}
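Review bot: The five `sops.secrets."services/<arr>/env"` blocks sit under the homepage module's own `mkIf cfg.enable`, and all five files are then handed to the dashboard container through `environmentFiles`, so the dashboard receives each *arr service's complete env file rather than only the API keys its widgets read. Every host that runs homepage must therefore be able to decrypt all five files, even when it runs none of those services. A dedicated secret holding only the `HOMEPAGE_VAR_*` values, e.g. `environmentFiles = [ config.sops.secrets."services/homepage/env".path ];` (secret name constructed here to follow the existing pattern), would limit the exposure to what the page needs. The copied comment `# configure secret for forwarding rules` does not describe these entries and could read `# env file providing the HOMEPAGE_VAR_* widget keys`. The `let` block and the `config` body continue outside the two hunks.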
|
||||
|
|
|
@ -18,6 +18,12 @@ in
|
|||
|
||||
dockerCompat = true;
|
||||
extraPackages = [ pkgs.zfs ];
|
||||
|
||||
# regular cleanup
|
||||
autoPrune.enable = true;
|
||||
autoPrune.dates = "weekly";
|
||||
|
||||
# and add dns
|
||||
defaultNetwork.settings = {
|
||||
dns_enabled = true;
|
||||
};
|
||||
|
@ -27,7 +33,14 @@ in
|
|||
};
|
||||
networking.firewall.interfaces.podman0.allowedUDPPorts = [ 53 ];
|
||||
|
||||
# extra user for containers
|
||||
users.users.kah = {
|
||||
|
||||
uid = 568;
|
||||
group = "kah";
|
||||
|
||||
};
|
||||
users.groups.kah = { };
|
||||
};
|
||||
|
||||
}
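Review bot: `users.users.kah` pins `uid = 568`, but `users.groups.kah = { };` leaves the gid to automatic allocation, so the group id can differ from host to host. The containers run as `${user}:${group}` and write to the NAS mount, where ownership is matched by number, so a drifting gid would presumably surface as permission errors or as files writable by an unintended group. Pinning it next to the uid, e.g. `users.groups.kah.gid = 568;` (value chosen to match the uid), keeps both ids stable across machines. The enclosing config block starts above the hunk.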
|
||||
|
|
|
@ -14,6 +14,7 @@ with lib;
|
|||
mySystem.services.promMonitoring.enable = true;
|
||||
mySystem.services.rebootRequiredCheck.enable = true;
|
||||
mySystem.security.wheelNeedsSudoPassword = false;
|
||||
mySystem.services.cockpit.enable = true;
|
||||
|
||||
nix.settings = {
|
||||
# TODO factor out into mySystem
|
||||
|
|
|
@ -15,6 +15,7 @@ with config;
|
|||
# Lets see if fish everywhere is OK on the pi's
|
||||
# TODO decide if i drop to bash on pis?
|
||||
shell.fish.enable = true;
|
||||
services.cockpit.enable = true;
|
||||
|
||||
nfs.nas.enable = true;
|
||||
};
|
||||
|
|