Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-13 23:33:27 +01:00
parent 8f965bbede
commit 184aa4da8f
160 changed files with 742 additions and 1586 deletions


@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{ lib, ... }:
{
home-manager.users.${user}.programs.btop.settings.disks_filter =


@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{ config, pkgs, ... }:
let
hmConfig = config.home-manager.users.${user};


@@ -52,6 +52,7 @@ in
hashedPasswordFile = config.sops.secrets."${user}-password".path;
extraGroups = [
"wheel"
"networkmanager"
"storage"
];
linger = true;
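Review bot: The new `"storage"` entry in `extraGroups` (presumably the single added line of this hunk) widens the user's privileges — on NixOS that group is typically what udev rules use to grant access to removable block devices — but nothing in the hunk records what needs it. A short comment on the entry, e.g. `"storage" # <what needs raw access to removable devices>`, would keep the grant reviewable later. The same addition appears in the last section of this commit.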


@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{ lib, ... }:
{
home-manager.users.${user}.programs.btop.settings.disks_filter =


@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{
config,
inputs,
@@ -182,18 +179,17 @@ in
];
};
unitConfig =
let
dependencies = [
"${containers.authelia-postgresql._serviceName}.service"
"${containers.authelia-redis._serviceName}.service"
"sops-nix.service"
];
in
{
After = dependencies;
Requires = dependencies;
};
unitConfig = {
After = [
"${containers.authelia-postgresql._serviceName}.service"
"${containers.authelia-redis._serviceName}.service"
"sops-nix.service"
];
Requires = [
"${containers.authelia-postgresql._serviceName}.service"
"${containers.authelia-redis._serviceName}.service"
];
};
};
authelia-postgresql = {
@@ -208,14 +204,7 @@ in
environmentFiles = [ hmConfig.sops.templates.authelia-postgresql-env.path ];
};
unitConfig =
let
dependencies = [ "sops-nix.service" ];
in
{
After = dependencies;
Requires = dependencies;
};
unitConfig.After = [ "sops-nix.service" ];
};
authelia-redis.containerConfig = {
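Review bot: The rewritten `unitConfig` keeps `sops-nix.service` in `After` but drops it from `Requires`, so ordering is preserved but nothing pulls the secret-rendering unit into the transaction or holds this container back when it fails; the container would then attempt to start regardless of whether the sops template it lists in `environmentFiles` was rendered. If the intent is to avoid `Requires=` stop/restart propagation from sops-nix on every activation, `Wants = [ "sops-nix.service" ];` gives the pull-in without the propagation; either way a comment such as `# After only, not Requires: <reason>` would record the choice. The same pattern appears in the `authelia-postgresql` hunk of this section and in the gitea, grafana, nextcloud, outline, shlink, traefik and vaultwarden sections, and the new arr, prowlarr, recyclarr and jellyfin modules use `unitConfig.After` alone from the start.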


@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{ config, pkgs, ... }:
let
hmConfig = config.home-manager.users.${user};


@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{
config,
inputs,
@@ -237,17 +234,13 @@ in
];
};
unitConfig =
let
dependencies = [
"${containers.gitea-postgresql._serviceName}.service"
"sops-nix.service"
];
in
{
After = dependencies;
Requires = dependencies;
};
unitConfig = {
After = [
"${containers.gitea-postgresql._serviceName}.service"
"sops-nix.service"
];
Requires = [ "${containers.gitea-postgresql._serviceName}.service" ];
};
};
gitea-postgresql = {
@@ -262,14 +255,7 @@ in
environmentFiles = [ hmConfig.sops.templates.gitea-postgresql-env.path ];
};
unitConfig =
let
dependencies = [ "sops-nix.service" ];
in
{
After = dependencies;
Requires = dependencies;
};
unitConfig.After = [ "sops-nix.service" ];
};
authelia.containerConfig.volumes = [


@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{
config,
inputs,
@@ -139,14 +136,7 @@ in
];
};
unitConfig =
let
dependencies = [ "sops-nix.service" ];
in
{
After = dependencies;
Requires = dependencies;
};
unitConfig.After = [ "sops-nix.service" ];
};
grafana-image-renderer.containerConfig = {


@@ -0,0 +1,146 @@
{ user, home }:
{
config,
inputs,
pkgs,
system,
...
}:
let
selfPkgs = inputs.self.packages.${system};
hmConfig = config.home-manager.users.${user};
inherit (hmConfig.virtualisation.quadlet) containers volumes networks;
mkApp = type: name: shortName: urlBase: mediaFolderBase: {
inherit
type
name
shortName
urlBase
mediaFolderBase
;
};
arrs = [
(mkApp "radarr" "Radarr" "radarr" "/manage/films" "/films")
(mkApp "radarr" "Radarr (UHD)" "radarr-uhd" "/manage/films/uhd" "/films")
(mkApp "radarr" "Radarr (Anime)" "radarr-anime" "/manage/anime/films" "/anime/films")
(mkApp "sonarr" "Sonarr" "sonarr" "/manage/shows" "/shows")
(mkApp "sonarr" "Sonarr (UHD)" "sonarr-uhd" "/manage/shows/uhd" "/shows")
(mkApp "sonarr" "Sonarr (Anime)" "sonarr-anime" "/manage/anime/shows" "/anime/shows")
];
arrMapping = {
radarr = {
port = 7878;
prowlarr = {
implementation = "Radarr";
configContract = "RadarrSettings";
};
};
sonarr = {
port = 8989;
prowlarr = {
implementation = "Sonarr";
configContract = "SonarrSettings";
};
};
};
in
{
imports = [
(import ./prowlarr {
inherit
user
home
arrs
arrMapping
;
})
(import ./recyclarr {
inherit
user
home
arrs
arrMapping
;
})
];
home-manager.users.${user} = {
sops = {
secrets = builtins.listToAttrs (
builtins.map (arr: {
name = "${arr.shortName}/apiKey";
value.sopsFile = ../../../../../../../secrets/secrets.yaml;
}) arrs
);
templates = builtins.listToAttrs (
builtins.map (arr: {
name = "${arr.shortName}-env";
value.content = ''
API_KEY=${hmConfig.sops.placeholder."${arr.shortName}/apiKey"}
'';
}) arrs
);
};
virtualisation.quadlet = {
volumes = builtins.listToAttrs (
builtins.map (arr: {
name = arr.shortName;
value = { };
}) arrs
);
containers = builtins.listToAttrs (
builtins.map (arr: {
name = arr.shortName;
value = {
containerConfig = {
image = "docker-archive:${selfPkgs."docker-${arr.type}"}";
networks = [
networks.media.ref
networks.transmission.ref
networks.traefik.ref
];
volumes =
let
setup = pkgs.writeTextFile {
name = "setup.sh";
executable = true;
text = builtins.readFile ./${arr.type}/setup.sh;
};
in
[
"${setup}:/etc/${arr.type}/setup.sh:ro"
"${volumes.${arr.shortName}.ref}:/var/lib/${arr.type}"
"/mnt/storage/private/storm/containers/storage/volumes/transmission-data/_data:/var/lib/transmission"
"/mnt/storage/private/storm/containers/storage/volumes/media/_data:/var/lib/media"
];
environments = {
INSTANCE_NAME = arr.name;
URL_BASE = arr.urlBase;
ROOT_FOLDER = "/var/lib/media${arr.mediaFolderBase}";
DOWNLOAD_CATEGORY = arr.shortName;
};
environmentFiles = [ hmConfig.sops.templates."${arr.shortName}-env".path ];
labels = [
"traefik.enable=true"
"traefik.http.routers.${arr.shortName}.rule=Host(`media.karaolidis.com`) && PathPrefix(`${arr.urlBase}`)"
"traefik.http.routers.${arr.shortName}.middlewares=authelia@docker"
];
};
unitConfig.After = [
"${containers.transmission._serviceName}.service"
"sops-nix.service"
];
};
}) arrs
);
};
};
}
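Review bot: The Traefik router rules generated at the `labels` line overlap: `PathPrefix(`/manage/films`)` for `radarr` also matches `/manage/films/uhd`, which `radarr-uhd` claims, and the same holds for the `sonarr`/`sonarr-uhd` pair, so correct routing depends on Traefik's implicit rule-length priority rather than on anything stated in this module. A comment on the `arrs` list noting that the overlap is resolved by Traefik's default priority, or an explicit `traefik.http.routers.${arr.shortName}.priority=…` label derived from the prefix, would make that dependency visible. The `/manage` access-control policy that the `authelia@docker` middleware enforces for these routers is not defined here but in the sibling jellyfin module.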


@@ -0,0 +1,121 @@
{
user,
home,
arrs,
arrMapping,
}:
{
config,
inputs,
pkgs,
system,
...
}:
let
selfPkgs = inputs.self.packages.${system};
hmConfig = config.home-manager.users.${user};
inherit (hmConfig.virtualisation.quadlet) containers volumes networks;
in
{
home-manager.users.${user} = {
sops = {
secrets."prowlarr/apiKey".sopsFile = ../../../../../../../../secrets/secrets.yaml;
templates =
{
prowlarr-env.content = ''
API_KEY=${hmConfig.sops.placeholder."prowlarr/apiKey"}
'';
}
// builtins.listToAttrs (
builtins.map (arr: {
name = "prowlarr-${arr.shortName}";
value.content = builtins.readFile (
(pkgs.formats.json { }).generate "${arr.shortName}.json" {
enable = true;
name = arr.name;
inherit (arrMapping.${arr.type}.prowlarr) implementation configContract;
syncLevel = "fullSync";
fields = [
{
name = "prowlarrUrl";
value = "http://prowlarr:9696";
}
{
name = "baseUrl";
value = "http://${arr.shortName}:${builtins.toString arrMapping.${arr.type}.port}";
}
{
name = "apiKey";
value = hmConfig.sops.placeholder."${arr.shortName}/apiKey";
}
];
}
);
}) arrs
);
};
virtualisation.quadlet = {
networks.flaresolverr = { };
volumes.prowlarr = { };
containers = (
let
arrServices = builtins.map (arr: "${containers.${arr.shortName}._serviceName}.service") arrs;
in
{
flaresolverr.containerConfig = {
image = "docker-archive:${selfPkgs.docker-flaresolverr}";
networks = [ networks.flaresolverr.ref ];
};
prowlarr = {
containerConfig = {
image = "docker-archive:${selfPkgs.docker-prowlarr}";
networks = [
networks.media.ref
networks.transmission.ref
networks.flaresolverr.ref
networks.traefik.ref
];
volumes =
let
setup = pkgs.writeTextFile {
name = "setup.sh";
executable = true;
text = builtins.readFile ./setup.sh;
};
in
[
"${setup}:/etc/prowlarr/setup.sh:ro"
"${./indexers}:/etc/prowlarr/indexers:ro"
"${volumes.prowlarr.ref}:/var/lib/prowlarr"
]
++ builtins.map (
arr:
"${
hmConfig.sops.templates."prowlarr-${arr.shortName}".path
}:/etc/prowlarr/apps/${arr.shortName}.json:ro"
) arrs;
environments.URL_BASE = "/manage/indexers";
environmentFiles = [ hmConfig.sops.templates.prowlarr-env.path ];
labels = [
"traefik.enable=true"
"traefik.http.routers.prowlarr.rule=Host(`media.karaolidis.com`) && PathPrefix(`/manage/indexers`)"
"traefik.http.routers.prowlarr.middlewares=authelia@docker"
];
};
unitConfig.After = [
"${containers.transmission._serviceName}.service"
"${containers.flaresolverr._serviceName}.service"
"sops-nix.service"
] ++ arrServices;
};
}
);
};
};
}
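Review bot: The `containers = ( let … in { … } );` wrapping at the `containers =` line adds parentheses Nix does not need around a `let` expression used as an attribute value; `containers = let … in { … };` reads the same and matches how `volumes` is written a few lines above in this module. The same form appears in the new recyclarr module's `virtualisation.quadlet.containers`. Since `arrServices` is only consumed by `unitConfig.After`, it could also be defined in the module-level `let` next to `hmConfig`, removing the inner `let` altogether. The `home` parameter accepted at the top is not referenced anywhere in this module.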


@@ -0,0 +1,60 @@
{
user,
home,
arrs,
arrMapping,
}:
{
config,
inputs,
pkgs,
system,
...
}:
let
selfPkgs = inputs.self.packages.${system};
hmConfig = config.home-manager.users.${user};
inherit (hmConfig.virtualisation.quadlet) containers networks;
in
{
home-manager.users.${user} = {
sops.templates = builtins.listToAttrs (
builtins.map (arr: {
name = "recyclarr-${arr.shortName}";
value.content = builtins.readFile (
(pkgs.formats.yaml { }).generate "${arr.shortName}.yaml" (
import ./apps/${arr.shortName}.nix {
base_url = "http://${arr.shortName}:${
builtins.toString arrMapping.${arr.type}.port
}${arr.urlBase}/";
api_key = hmConfig.sops.placeholder."${arr.shortName}/apiKey";
}
)
);
}) arrs
);
virtualisation.quadlet.containers = (
let
arrServices = builtins.map (arr: "${containers.${arr.shortName}._serviceName}.service") arrs;
in
{
# FIXME: https://recyclarr.dev/wiki/behavior/quality-profiles/#language
recyclarr = {
containerConfig = {
image = "docker-archive:${selfPkgs.docker-recyclarr}";
networks = [ networks.media.ref ];
volumes = builtins.map (
arr:
"${
hmConfig.sops.templates."recyclarr-${arr.shortName}".path
}:/var/lib/recyclarr/configs/${arr.shortName}.yaml:ro"
) arrs;
};
unitConfig.After = [ "sops-nix.service" ] ++ arrServices;
};
}
);
};
}


@@ -5,7 +5,7 @@ DOWNLOAD_CATEGORY="${DOWNLOAD_CATEGORY:-sonarr}"
mkdir -p "/var/lib/transmission/$DOWNLOAD_CATEGORY"
{
curl -sf --retry 10 "$HOST/api/v3/downloadclient?forceSave=true" \
curl -sf --retry 5 "$HOST/api/v3/downloadclient?forceSave=true" \
-X POST \
-H 'Content-Type: application/json' \
-H "X-Api-Key: $API_KEY" \
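Review bot: Lowering `--retry 10` to `--retry 5` on the changed line also shrinks curl's default exponential backoff window from roughly 17 minutes to about 31 seconds, and `--retry` on its own does not cover the failure a setup script most likely hits at start — a refused connection while the service is still booting — unless `--retry-connrefused` is given. If the shorter window is intended, `curl -sf --retry 5 --retry-connrefused "$HOST/api/v3/downloadclient?forceSave=true" \` keeps the retries effective during startup. The enclosing `{ … }` group starts before the hunk and continues after it, so whether a failure here aborts the script is not visible.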


@@ -1,59 +1,11 @@
{ user, home }:
{ ... }:
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{
config,
inputs,
pkgs,
system,
...
}:
let
selfPkgs = inputs.self.packages.${system};
hmConfig = config.home-manager.users.${user};
inherit (hmConfig.virtualisation.quadlet) containers volumes networks;
jellyfinAutheliaClientId = "59TRpNutxEeRRCAZbDsK7rsnrA5NC69HAdAO45CEfc740xl4hgIacDy2u03oiFc89Exb67udBQvmfwxgeAQtJPiNAJxA5OzGmdQf";
mkApp = type: name: shortName: urlBase: mediaFolderBase: {
inherit
type
name
shortName
urlBase
mediaFolderBase
;
};
arrs = [
(mkApp "radarr" "Radarr" "radarr" "/manage/films" "/films")
(mkApp "radarr" "Radarr (UHD)" "radarr-uhd" "/manage/films/uhd" "/films")
(mkApp "radarr" "Radarr (Anime)" "radarr-anime" "/manage/anime/films" "/anime/films")
(mkApp "sonarr" "Sonarr" "sonarr" "/manage/shows" "/shows")
(mkApp "sonarr" "Sonarr (UHD)" "sonarr-uhd" "/manage/shows/uhd" "/shows")
(mkApp "sonarr" "Sonarr (Anime)" "sonarr-anime" "/manage/anime/shows" "/anime/shows")
imports = [
(import ./jellyfin { inherit user home; })
(import ./arr { inherit user home; })
];
arrMapping = {
radarr = {
port = 7878;
prowlarr = {
implementation = "Radarr";
configContract = "RadarrSettings";
};
};
sonarr = {
port = 8989;
prowlarr = {
implementation = "Sonarr";
configContract = "SonarrSettings";
};
};
};
in
{
home-manager.users.${user} = {
systemd.user.tmpfiles.rules = [
"d /mnt/storage/private/storm/containers/storage/volumes/media/_data 700 storm storm"
@@ -63,353 +15,6 @@ in
"d /mnt/storage/private/storm/containers/storage/volumes/media/_data/anime/shows 755 storm storm"
];
sops = {
secrets =
{
"jellyfin/admin".sopsFile = ../../../../../../secrets/secrets.yaml;
"jellyfin/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml;
"jellyfin/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml;
"prowlarr/apiKey".sopsFile = ../../../../../../secrets/secrets.yaml;
}
// builtins.listToAttrs (
builtins.map (arr: {
name = "${arr.shortName}/apiKey";
value.sopsFile = ../../../../../../secrets/secrets.yaml;
}) arrs
);
templates =
{
jellyfin-env.content = ''
JELLYFIN_ADMIN_PASSWORD=${hmConfig.sops.placeholder."jellyfin/admin"}
JELLYFIN_OIDC_SECRET=${hmConfig.sops.placeholder."jellyfin/authelia/password"}
'';
authelia-jellyfin.content = builtins.readFile (
(pkgs.formats.yaml { }).generate "jellyfin.yaml" {
identity_providers.oidc = {
authorization_policies.jellyfin = {
default_policy = "deny";
rules = [
{
policy = "one_factor";
subject = "group:jellyfin";
}
];
};
clients = [
{
client_id = jellyfinAutheliaClientId;
client_name = "Jellyfin";
client_secret = hmConfig.sops.placeholder."jellyfin/authelia/digest";
redirect_uris = [ "https://media.karaolidis.com/sso/OID/redirect/authelia" ];
authorization_policy = "jellyfin";
require_pkce = true;
pkce_challenge_method = "S256";
scopes = [
"openid"
"profile"
"groups"
];
token_endpoint_auth_method = "client_secret_post";
}
];
};
}
);
prowlarr-env.content = ''
API_KEY=${hmConfig.sops.placeholder."prowlarr/apiKey"}
'';
}
// builtins.listToAttrs (
builtins.map (arr: {
name = "${arr.shortName}-env";
value.content = ''
API_KEY=${hmConfig.sops.placeholder."${arr.shortName}/apiKey"}
'';
}) arrs
)
// builtins.listToAttrs (
builtins.map (arr: {
name = "prowlarr-${arr.shortName}";
value.content = builtins.readFile (
(pkgs.formats.json { }).generate "${arr.shortName}.json" {
enable = true;
name = arr.name;
inherit (arrMapping.${arr.type}.prowlarr) implementation configContract;
syncLevel = "fullSync";
fields = [
{
name = "prowlarrUrl";
value = "http://prowlarr:9696";
}
{
name = "baseUrl";
value = "http://${arr.shortName}:${builtins.toString arrMapping.${arr.type}.port}";
}
{
name = "apiKey";
value = hmConfig.sops.placeholder."${arr.shortName}/apiKey";
}
];
}
);
}) arrs
)
// builtins.listToAttrs (
builtins.map (arr: {
name = "recyclarr-${arr.shortName}";
value.content = builtins.readFile (
(pkgs.formats.yaml { }).generate "${arr.shortName}.yaml" (
import ./recyclarr/${arr.shortName}.nix {
base_url = "http://${arr.shortName}:${
builtins.toString arrMapping.${arr.type}.port
}${arr.urlBase}/";
api_key = hmConfig.sops.placeholder."${arr.shortName}/apiKey";
}
)
);
}) arrs
);
};
virtualisation.quadlet = {
networks = {
media = { };
jellyfin = { };
flaresolverr = { };
};
volumes =
{
jellyfin-config = { };
jellyfin-data = { };
jellyfin-log = { };
jellyfin-cache = { };
prowlarr = { };
}
// builtins.listToAttrs (
builtins.map (arr: {
name = arr.shortName;
value = { };
}) arrs
);
containers =
{
jellyfin = {
containerConfig = {
image = "docker-archive:${selfPkgs.docker-jellyfin}";
networks = [
networks.jellyfin.ref
networks.traefik.ref
];
volumes =
let
setup = pkgs.writeTextFile {
name = "setup.sh";
executable = true;
text = builtins.readFile ./jellyfin/setup.sh;
};
in
[
"/mnt/storage/private/storm/containers/storage/volumes/media/_data:/var/lib/media"
"${setup}:/etc/jellyfin/setup.sh:ro"
"${./jellyfin/libraries}:/etc/jellyfin/libraries:ro"
"${volumes.jellyfin-config.ref}:/etc/jellyfin"
"${volumes.jellyfin-data.ref}:/var/lib/jellyfin"
"${volumes.jellyfin-log.ref}:/var/log/jellyfin"
"${volumes.jellyfin-cache.ref}:/tmp/jellyfin"
];
environments.JELLYFIN_OIDC_CLIENT_ID = jellyfinAutheliaClientId;
environmentFiles = [ hmConfig.sops.templates.jellyfin-env.path ];
labels = [
"traefik.enable=true"
"traefik.http.routers.jellyfin.rule=Host(`media.karaolidis.com`)"
];
podmanArgs = [ "--cdi-spec-dir=/run/cdi" ];
devices = [ "nvidia.com/gpu=all" ];
};
unitConfig =
let
dependencies = [ "sops-nix.service" ];
in
{
After = dependencies;
Requires = dependencies;
};
};
}
// (
let
arrServices = builtins.map (arr: "${containers.${arr.shortName}._serviceName}.service") arrs;
in
{
flaresolverr.containerConfig = {
image = "docker-archive:${selfPkgs.docker-flaresolverr}";
networks = [ networks.flaresolverr.ref ];
};
prowlarr = {
containerConfig = {
image = "docker-archive:${selfPkgs.docker-prowlarr}";
networks = [
networks.media.ref
networks.transmission.ref
networks.flaresolverr.ref
networks.traefik.ref
];
volumes =
let
setup = pkgs.writeTextFile {
name = "setup.sh";
executable = true;
text = builtins.readFile ./prowlarr/setup.sh;
};
in
[
"${setup}:/etc/prowlarr/setup.sh:ro"
"${./prowlarr/indexers}:/etc/prowlarr/indexers:ro"
"${volumes.prowlarr.ref}:/var/lib/prowlarr"
]
++ builtins.map (
arr:
"${
hmConfig.sops.templates."prowlarr-${arr.shortName}".path
}:/etc/prowlarr/apps/${arr.shortName}.json:ro"
) arrs;
environments.URL_BASE = "/manage/indexers";
environmentFiles = [ hmConfig.sops.templates.prowlarr-env.path ];
labels = [
"traefik.enable=true"
"traefik.http.routers.prowlarr.rule=Host(`media.karaolidis.com`) && PathPrefix(`/manage/indexers`)"
"traefik.http.routers.prowlarr.middlewares=authelia@docker"
];
};
unitConfig =
let
dependencies = [ "sops-nix.service" ];
in
{
After =
dependencies
++ [
"${containers.transmission._serviceName}.service"
"${containers.flaresolverr._serviceName}.service"
]
++ arrServices;
Requires = dependencies;
};
};
# FIXME: https://recyclarr.dev/wiki/behavior/quality-profiles/#language
recyclarr = {
containerConfig = {
image = "docker-archive:${selfPkgs.docker-recyclarr}";
networks = [ networks.media.ref ];
volumes = builtins.map (
arr:
"${
hmConfig.sops.templates."recyclarr-${arr.shortName}".path
}:/var/lib/recyclarr/configs/${arr.shortName}.yaml:ro"
) arrs;
};
unitConfig =
let
dependencies = [ "sops-nix.service" ];
in
{
After = dependencies ++ arrServices;
Requires = dependencies;
};
};
}
)
// builtins.listToAttrs (
builtins.map (arr: {
name = arr.shortName;
value = {
containerConfig = {
image = "docker-archive:${selfPkgs."docker-${arr.type}"}";
networks = [
networks.media.ref
networks.transmission.ref
networks.traefik.ref
];
volumes =
let
setup = pkgs.writeTextFile {
name = "setup.sh";
executable = true;
text = builtins.readFile ./${arr.type}/setup.sh;
};
in
[
"${setup}:/etc/${arr.type}/setup.sh:ro"
"${volumes.${arr.shortName}.ref}:/var/lib/${arr.type}"
"/mnt/storage/private/storm/containers/storage/volumes/transmission-data/_data:/var/lib/transmission"
"/mnt/storage/private/storm/containers/storage/volumes/media/_data:/var/lib/media"
];
environments = {
INSTANCE_NAME = arr.name;
URL_BASE = arr.urlBase;
ROOT_FOLDER = "/var/lib/media${arr.mediaFolderBase}";
DOWNLOAD_CATEGORY = arr.shortName;
};
environmentFiles = [ hmConfig.sops.templates."${arr.shortName}-env".path ];
labels = [
"traefik.enable=true"
"traefik.http.routers.${arr.shortName}.rule=Host(`media.karaolidis.com`) && PathPrefix(`${arr.urlBase}`)"
"traefik.http.routers.${arr.shortName}.middlewares=authelia@docker"
];
};
unitConfig =
let
dependencies = [ "sops-nix.service" ];
in
{
After = dependencies ++ [ "${containers.transmission._serviceName}.service" ];
Requires = dependencies;
};
};
}) arrs
)
// {
authelia.containerConfig.volumes =
let
mediaConfig = (pkgs.formats.yaml { }).generate "media.yaml" {
access_control.rules = [
{
domain = "media.karaolidis.com";
policy = "one_factor";
resources = [ "^/manage([/?].*)?$" ];
subject = [ "group:media" ];
}
{
domain = "media.karaolidis.com";
policy = "deny";
resources = [ "^/manage([/?].*)?$" ];
}
{
domain = "media.karaolidis.com";
policy = "bypass";
}
];
};
in
[
"${mediaConfig}:/etc/authelia/conf.d/media.yaml:ro"
"${hmConfig.sops.templates.authelia-jellyfin.path}:/etc/authelia/conf.d/jellyfin.yaml:ro"
];
};
};
virtualisation.quadlet.networks.media = { };
};
}


@@ -0,0 +1,144 @@
{ user, home }:
{
config,
inputs,
pkgs,
system,
...
}:
let
selfPkgs = inputs.self.packages.${system};
hmConfig = config.home-manager.users.${user};
inherit (hmConfig.virtualisation.quadlet) volumes networks;
jellyfinAutheliaClientId = "59TRpNutxEeRRCAZbDsK7rsnrA5NC69HAdAO45CEfc740xl4hgIacDy2u03oiFc89Exb67udBQvmfwxgeAQtJPiNAJxA5OzGmdQf";
in
{
home-manager.users.${user} = {
sops = {
secrets = {
"jellyfin/admin".sopsFile = ../../../../../../../secrets/secrets.yaml;
"jellyfin/authelia/password".sopsFile = ../../../../../../../secrets/secrets.yaml;
"jellyfin/authelia/digest".sopsFile = ../../../../../../../secrets/secrets.yaml;
};
templates = {
jellyfin-env.content = ''
JELLYFIN_ADMIN_PASSWORD=${hmConfig.sops.placeholder."jellyfin/admin"}
JELLYFIN_OIDC_SECRET=${hmConfig.sops.placeholder."jellyfin/authelia/password"}
'';
authelia-jellyfin.content = builtins.readFile (
(pkgs.formats.yaml { }).generate "jellyfin.yaml" {
identity_providers.oidc = {
authorization_policies.jellyfin = {
default_policy = "deny";
rules = [
{
policy = "one_factor";
subject = "group:jellyfin";
}
];
};
clients = [
{
client_id = jellyfinAutheliaClientId;
client_name = "Jellyfin";
client_secret = hmConfig.sops.placeholder."jellyfin/authelia/digest";
redirect_uris = [ "https://media.karaolidis.com/sso/OID/redirect/authelia" ];
authorization_policy = "jellyfin";
require_pkce = true;
pkce_challenge_method = "S256";
scopes = [
"openid"
"profile"
"groups"
];
token_endpoint_auth_method = "client_secret_post";
}
];
};
}
);
};
};
virtualisation.quadlet = {
networks.jellyfin = { };
volumes = {
jellyfin-config = { };
jellyfin-data = { };
jellyfin-log = { };
jellyfin-cache = { };
};
containers = {
jellyfin = {
containerConfig = {
image = "docker-archive:${selfPkgs.docker-jellyfin}";
networks = [
networks.jellyfin.ref
networks.traefik.ref
];
volumes =
let
setup = pkgs.writeTextFile {
name = "setup.sh";
executable = true;
text = builtins.readFile ./setup.sh;
};
in
[
"/mnt/storage/private/storm/containers/storage/volumes/media/_data:/var/lib/media"
"${setup}:/etc/jellyfin/setup.sh:ro"
"${./libraries}:/etc/jellyfin/libraries:ro"
"${volumes.jellyfin-config.ref}:/etc/jellyfin"
"${volumes.jellyfin-data.ref}:/var/lib/jellyfin"
"${volumes.jellyfin-log.ref}:/var/log/jellyfin"
"${volumes.jellyfin-cache.ref}:/tmp/jellyfin"
];
environments.JELLYFIN_OIDC_CLIENT_ID = jellyfinAutheliaClientId;
environmentFiles = [ hmConfig.sops.templates.jellyfin-env.path ];
labels = [
"traefik.enable=true"
"traefik.http.routers.jellyfin.rule=Host(`media.karaolidis.com`)"
];
podmanArgs = [ "--cdi-spec-dir=/run/cdi" ];
devices = [ "nvidia.com/gpu=all" ];
};
unitConfig.After = [ "sops-nix.service" ];
};
authelia.containerConfig.volumes =
let
mediaConfig = (pkgs.formats.yaml { }).generate "media.yaml" {
access_control.rules = [
{
domain = "media.karaolidis.com";
policy = "one_factor";
resources = [ "^/manage([/?].*)?$" ];
subject = [ "group:media" ];
}
{
domain = "media.karaolidis.com";
policy = "deny";
resources = [ "^/manage([/?].*)?$" ];
}
{
domain = "media.karaolidis.com";
policy = "bypass";
}
];
};
in
[
"${mediaConfig}:/etc/authelia/conf.d/media.yaml:ro"
"${hmConfig.sops.templates.authelia-jellyfin.path}:/etc/authelia/conf.d/jellyfin.yaml:ro"
];
};
};
};
}
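Review bot: The Authelia `media.yaml` built at `mediaConfig` carries the `^/manage([/?].*)?$` one_factor/deny rules that gate the arr and prowlarr routers declared in the sibling modules, while Jellyfin's own router in this file has no Authelia middleware at all — so the policy for other services now lives in the jellyfin module, and dropping this import would silently remove those rules. Consider moving the `/manage` rules next to the routers they protect, or at least a comment above `mediaConfig` such as `# Authelia policy for the /manage/* (arr, prowlarr) routers; Jellyfin handles its own OIDC login`. The `home` parameter accepted at the top of this module is not referenced in it.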


@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{
config,
inputs,
@@ -201,17 +198,13 @@ in
];
};
unitConfig =
let
dependencies = [
"${containers.nextcloud-postgresql._serviceName}.service"
"sops-nix.service"
];
in
{
After = dependencies;
Requires = dependencies;
};
unitConfig = {
After = [
"${containers.nextcloud-postgresql._serviceName}.service"
"sops-nix.service"
];
Requires = [ "${containers.nextcloud-postgresql._serviceName}.service" ];
};
};
nextcloud-postgresql = {
@@ -226,14 +219,7 @@ in
environmentFiles = [ hmConfig.sops.templates.nextcloud-postgresql-env.path ];
};
unitConfig =
let
dependencies = [ "sops-nix.service" ];
in
{
After = dependencies;
Requires = dependencies;
};
unitConfig.After = [ "sops-nix.service" ];
};
authelia.containerConfig.volumes = [


@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{
config,
inputs,
@@ -119,14 +116,7 @@ in
];
};
unitConfig =
let
dependencies = [ "sops-nix.service" ];
in
{
After = dependencies;
Requires = dependencies;
};
unitConfig.After = [ "sops-nix.service" ];
};
prometheus.containerConfig.volumes =


@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{
config,
inputs,
@@ -131,18 +128,17 @@ in
];
};
unitConfig =
let
dependencies = [
"${containers.outline-postgresql._serviceName}.service"
"${containers.outline-redis._serviceName}.service"
"sops-nix.service"
];
in
{
After = dependencies;
Requires = dependencies;
};
unitConfig = {
After = [
"${containers.outline-postgresql._serviceName}.service"
"${containers.outline-redis._serviceName}.service"
"sops-nix.service"
];
Requires = [
"${containers.outline-postgresql._serviceName}.service"
"${containers.outline-redis._serviceName}.service"
];
};
};
outline-postgresql = {
@@ -157,14 +153,7 @@ in
environmentFiles = [ hmConfig.sops.templates.outline-postgresql-env.path ];
};
unitConfig =
let
dependencies = [ "sops-nix.service" ];
in
{
After = dependencies;
Requires = dependencies;
};
unitConfig.After = [ "sops-nix.service" ];
};
outline-redis.containerConfig = {


@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{
config,
inputs,


@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{
config,
inputs,
@@ -80,17 +77,13 @@ in
];
};
unitConfig =
let
dependencies = [
"${containers.shlink-postgresql._serviceName}.service"
"sops-nix.service"
];
in
{
After = dependencies;
Requires = dependencies;
};
unitConfig = {
After = [
"${containers.shlink-postgresql._serviceName}.service"
"sops-nix.service"
];
Requires = [ "${containers.shlink-postgresql._serviceName}.service" ];
};
};
shlink-web-client = {
@@ -111,14 +104,7 @@ in
];
};
unitConfig =
let
dependencies = [ "sops-nix.service" ];
in
{
After = dependencies;
Requires = dependencies;
};
unitConfig.After = [ "sops-nix.service" ];
};
shlink-postgresql = {
@@ -133,14 +119,7 @@ in
environmentFiles = [ hmConfig.sops.templates.shlink-postgresql-env.path ];
};
unitConfig =
let
dependencies = [ "sops-nix.service" ];
in
{
After = dependencies;
Requires = dependencies;
};
unitConfig.After = [ "sops-nix.service" ];
};
authelia.containerConfig.volumes =


@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{
config,
inputs,
@@ -65,14 +62,7 @@ in
];
};
unitConfig =
let
dependencies = [ "sops-nix.service" ];
in
{
After = dependencies;
Requires = dependencies;
};
unitConfig.After = [ "sops-nix.service" ];
};
};
};


@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{
config,
inputs,
@@ -118,20 +115,18 @@ in
"traefik-https.socket"
];
unitConfig =
let
dependencies = [
"traefik-http.socket"
"traefik-https.socket"
"${containers.authelia._serviceName}.service"
"sops-nix.service"
];
in
{
After = dependencies;
Requires = dependencies;
};
unitConfig = {
After = [
"traefik-http.socket"
"traefik-https.socket"
"${containers.authelia._serviceName}.service"
"sops-nix.service"
];
Requires = [
"traefik-http.socket"
"traefik-https.socket"
];
};
};
authelia.containerConfig.volumes =


@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{
config,
inputs,
@@ -61,14 +58,7 @@ in
];
};
unitConfig =
let
dependencies = [ "sops-nix.service" ];
in
{
After = dependencies;
Requires = dependencies;
};
unitConfig.After = [ "sops-nix.service" ];
};
authelia.containerConfig.volumes =


@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{
config,
inputs,
@@ -123,17 +120,13 @@ in
];
};
unitConfig =
let
dependencies = [
"${containers.vaultwarden-postgresql._serviceName}.service"
"sops-nix.service"
];
in
{
After = dependencies;
Requires = dependencies;
};
unitConfig = {
After = [
"${containers.vaultwarden-postgresql._serviceName}.service"
"sops-nix.service"
];
Requires = [ "${containers.vaultwarden-postgresql._serviceName}.service" ];
};
};
vaultwarden-postgresql = {
@@ -148,14 +141,7 @@ in
environmentFiles = [ hmConfig.sops.templates.vaultwarden-postgresql-env.path ];
};
unitConfig =
let
dependencies = [ "sops-nix.service" ];
in
{
After = dependencies;
Requires = dependencies;
};
unitConfig.After = [ "sops-nix.service" ];
};
authelia.containerConfig.volumes = [


@@ -1,7 +1,4 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ user, home }:
{
config,
inputs,


@@ -40,6 +40,7 @@ in
hashedPasswordFile = config.sops.secrets."${user}-password".path;
extraGroups = [
"wheel"
"networkmanager"
"storage"
];
linger = true;