mjallen/nix-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

move arrs into nix container

Browse Source
This commit is contained in:
mjallen18
2024-11-30 14:35:53 -06:00
parent b7c85a7a56
commit f33d690145
32 changed files with 901 additions and 1087 deletions
Download Patch File Download Diff File Expand all files Collapse all files

163
modules/apps/arrs/default.nix Normal file
View File

@@ -0,0 +1,163 @@
{ config, pkgs, lib, ... }:
let
radarrPort = 7878;
sonarrPort = 8989;
sabnzbdPort = 8080;
radarrDataDir = "/var/lib/radarr";
downloadDir = "/downloads";
incompleteDir = "/downloads-incomplete";
sonarrDataDir = "/var/lib/sonarr";
sabnzbdConfig = "/var/lib/sabnzbd";
mediaDir = "/media";
arrUserId = config.users.users.nix-apps.uid;
arrGroupId = config.users.groups.jallen-nas.gid;
in
{
containers.arrs = {
autoStart = true;
privateNetwork = true;
hostAddress = "10.0.1.18";
localAddress = "10.0.1.51";
config = { config, pkgs, lib, ... }: {
nixpkgs.config.allowUnfree = true;
# Enable radarr service
services.radarr = {
enable = true;
openFirewall = true;
user = "arrs";
group = "media";
dataDir = radarrDataDir;
};
# Enable Sonarr service
services.sonarr = {
enable = true;
openFirewall = true;
user = "arrs";
group = "media";
dataDir = sonarrDataDir;
};
# Enable Sabnzbd service
services.sabnzbd = {
enable = true;
openFirewall = true;
user = "arrs";
group = "media";
configFile = "${sabnzbdConfig}/sabnzbd.ini";
};
# Create required users and groups
users.users.arrs = {
isSystemUser = true;
uid = lib.mkForce arrUserId;
group = "media";
extraGroups = [ "downloads" ];
};
users.groups = {
media = { gid = lib.mkForce arrGroupId; };
downloads = {};
};
# System packages
environment.systemPackages = with pkgs; [
sqlite
mono
mediainfo
protonvpn-cli
];
# Create and set permissions for required directories
system.activationScripts.radarr-dirs = ''
mkdir -p ${radarrDataDir}
mkdir -p ${sonarrDataDir}
mkdir -p ${sabnzbdConfig}
mkdir -p ${downloadDir}
mkdir -p ${incompleteDir}
mkdir -p ${mediaDir}
chown -R arrs:media ${radarrDataDir}
chown -R arrs:media ${sonarrDataDir}
chown -R arrs:media ${sabnzbdConfig}
chown -R arrs:media ${downloadDir}
chown -R arrs:media ${incompleteDir}
chown -R arrs:media ${mediaDir}
chmod -R 775 ${radarrDataDir}
chmod -R 775 ${sonarrDataDir}
chmod -R 775 ${sabnzbdConfig}
chmod -R 775 ${downloadDir}
chmod -R 775 ${incompleteDir}
chmod -R 775 ${mediaDir}
'';
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ radarrPort sonarrPort sabnzbdPort ];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
system.stateVersion = "23.11";
};
# Bind mount directories from host
bindMounts = {
"${radarrDataDir}" = {
hostPath = "/media/nas/ssd/nix-app-data/radarr";
isReadOnly = false;
};
"${sonarrDataDir}" = {
hostPath = "/media/nas/ssd/nix-app-data/sonarr";
isReadOnly = false;
};
"${sabnzbdConfig}" = {
hostPath = "/media/nas/ssd/nix-app-data/sabnzbd";
isReadOnly = false;
};
"${downloadDir}" = {
hostPath = "/media/nas/ssd/ssd_app_data/downloads";
isReadOnly = false;
};
"${incompleteDir}" = {
hostPath = "/media/nas/ssd/ssd_app_data/downloads-incomplete";
isReadOnly = false;
};
"/media/movies" = {
hostPath = "/media/nas/main/movies";
isReadOnly = false;
};
"/media/tv" = {
hostPath = "/media/nas/main/tv";
isReadOnly = false;
};
};
};
networking.nat = {
forwardPorts = [
{
destination = "10.0.1.51:7878";
sourcePort = radarrPort;
}
{
destination = "10.0.1.51:8989";
sourcePort = sonarrPort;
}
{
destination = "10.0.1.51:8080";
sourcePort = sabnzbdPort;
}
];
};
}

25
modules/apps/beszel-agent/default.nix
View File

@@ -1,25 +0,0 @@
{ lib, config, ... }:
with lib;
let
cfg = config.nas-apps.beszel-agent;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
virtualisation.oci-containers.containers."${cfg.name}" = {
autoStart = cfg.autoStart;
image = cfg.image;
ports = [ "${cfg.port}:45876" ];
volumes = [ "${cfg.podmanSock}:/var/run/docker.sock:ro" ];
environment = {
PORT = cfg.port;
KEY = cfg.key;
FILESYSTEM = cfg.fileSystem;
PUID = cfg.puid;
PGID = cfg.pgid;
TZ = cfg.timeZone;
};
};
};
}

57
modules/apps/beszel-agent/options.nix
View File

@@ -1,57 +0,0 @@
{ lib, ... }:
with lib;
{
options.nas-apps.beszel-agent = {
enable = mkEnableOption "beszel agent docker service";
autoStart = mkOption {
type = types.bool;
default = true;
};
port = mkOption {
type = types.str;
default = "45876";
};
name = mkOption {
type = types.str;
default = "beszel-agent";
};
image = mkOption {
type = types.str;
default = "henrygd/beszel-agent";
};
podmanSock = mkOption {
type = types.str;
default = "/var/run/podman/podman.sock";
};
key = mkOption {
type = types.str;
default = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBIxbgq3dHkhhmmydqgT1DQCAEEUdZ2V0RjzmxtyJo9w";
};
fileSystem = mkOption {
type = types.str;
default = "/dev/mapper/hdd1";
};
puid = mkOption {
type = types.str;
default = "911";
};
pgid = mkOption {
type = types.str;
default = "1000";
};
timeZone = mkOption {
type = types.str;
default = "America/Chicago";
};
};
}

22
modules/apps/beszel/default.nix
View File

@@ -1,22 +0,0 @@
{ lib, config, ... }:
with lib;
let
cfg = config.nas-apps.beszel;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
virtualisation.oci-containers.containers."${cfg.name}" = {
autoStart = cfg.autoStart;
image = cfg.image;
ports = [ "${cfg.httpPort}:8090" ];
volumes = [ "${cfg.configPath}:/beszel_data" ];
environment = {
PUID = cfg.puid;
PGID = cfg.pgid;
TZ = cfg.timeZone;
};
};
};
}

47
modules/apps/beszel/options.nix
View File

@@ -1,47 +0,0 @@
{ lib, ... }:
with lib;
{
options.nas-apps.beszel = {
enable = mkEnableOption "beszel docker service";
autoStart = mkOption {
type = types.bool;
default = true;
};
httpPort = mkOption {
type = types.str;
default = "8090";
};
name = mkOption {
type = types.str;
default = "beszel";
};
image = mkOption {
type = types.str;
default = "henrygd/beszel";
};
configPath = mkOption {
type = types.str;
default = "/media/nas/ssd/nix-app-data/beszel";
};
puid = mkOption {
type = types.str;
default = "911";
};
pgid = mkOption {
type = types.str;
default = "1000";
};
timeZone = mkOption {
type = types.str;
default = "America/Chicago";
};
};
}

43
modules/apps/caddy/custom-caddy.nix Normal file
View File

@@ -0,0 +1,43 @@
{
pkgs,
config,
plugins,
stdenv,
lib,
...
}:
stdenv.mkDerivation rec {
pname = "caddy";
# https://github.com/NixOS/nixpkgs/issues/113520
version = "2.7.6";
dontUnpack = true;
nativeBuildInputs = [
pkgs.git
pkgs.go
pkgs.xcaddy
];
configurePhase = ''
export GOCACHE=$TMPDIR/go-cache
export GOPATH="$TMPDIR/go"
'';
buildPhase =
let
pluginArgs = lib.concatMapStringsSep " " (plugin: "--with ${plugin}") plugins;
in
''
runHook preBuild
${pkgs.xcaddy}/bin/xcaddy build "v${version}" ${pluginArgs}
runHook postBuild
'';
installPhase = ''
runHook preInstall
mkdir -p $out/bin
mv caddy $out/bin
runHook postInstall
'';
}

231
modules/apps/caddy/default.nix Normal file
View File

@@ -0,0 +1,231 @@
{ config, pkgs, ... }:
{
# Enable containers
containers.caddy = {
autoStart = true;
privateNetwork = true;
hostAddress = "10.0.1.18";
localAddress = "10.0.2.1";
config =
{ config, pkgs, ... }:
{
nixpkgs.overlays = [
(
_final: prev:
let
plugins = [ "github.com/caddy-dns/cloudflare" ];
goImports = prev.lib.flip prev.lib.concatMapStrings plugins (pkg: " _ \"${pkg}\"\n");
goGets = prev.lib.flip prev.lib.concatMapStrings plugins (pkg: "go get ${pkg}\n ");
main = ''
package main
import (
caddycmd "github.com/caddyserver/caddy/v2/cmd"
_ "github.com/caddyserver/caddy/v2/modules/standard"
${goImports}
)
func main() {
caddycmd.Main()
}
'';
in
{
caddy-cloudflare = prev.buildGoModule {
pname = "caddy-cloudflare";
version = prev.caddy.version;
runVend = true;
subPackages = [ "cmd/caddy" ];
src = prev.caddy.src;
vendorHash = "sha256-fTcMtg5GGEgclIwJCav0jjWpqT+nKw2OF1Ow0MEEitk=";
overrideModAttrs = (
_: {
preBuild = ''
echo '${main}' > cmd/caddy/main.go
${goGets}
'';
postInstall = "cp go.sum go.mod $out/ && ls $out/";
}
);
postPatch = ''
echo '${main}' > cmd/caddy/main.go
cat cmd/caddy/main.go
'';
postConfigure = ''
cp vendor/go.sum ./
cp vendor/go.mod ./
'';
meta = with prev.lib; {
homepage = "https://caddyserver.com";
description = "Fast, cross-platform HTTP/2 web server with automatic HTTPS";
license = licenses.asl20;
maintainers = with maintainers; [
Br1ght0ne
techknowlogick
];
};
};
}
)
];
systemd.services.caddy.serviceConfig.AmbientCapabilities = "CAP_NET_BIND_SERVICE";
# Caddy web server
services.caddy = {
enable = true;
email = "jalle008@proton.me";
enableReload = true;
package = pkgs.caddy-cloudflare;
adapter = "''"; # Required to enable JSON
# virtualHosts = {
# }
configFile = pkgs.writeText "Caddyfile" (
builtins.toJSON {
apps.http.servers.main = {
listen = [ ":443" ];
routes = [
{
match = [ { host = [ "authentik.mjallen.dev" ]; } ];
handle = [
{
handler = "reverse_proxy";
upstreams = [ { dial = "http://10.0.1.18:9000"; } ];
}
];
}
];
};
apps.tls.automation.policies = [
{
issuers = [
{
module = "acme";
challenges = {
dns = {
provider = {
name = "cloudflare";
api_token = "{env.CLOUDFLARE_API_TOKEN}";
};
resolvers = [ "1.1.1.1" ];
};
};
}
];
}
];
}
);
# configFile = pkgs.writeText "Caddyfile" ''
# apps.tls.automation.policies = [{
# issuers = [{
# module = "acme";
# challenges = {
# dns = {
# provider = {
# name = "cloudflare";
# api_token = "{env.CLOUDFLARE_API_TOKEN}";
# };
# resolvers = [ "1.1.1.1" ];
# };
# };
# }];
# # Wildcard certificate for all subdomains
# *.mjallen.dev {
# tls {
# dns cloudflare {env.CLOUDFLARE_API_TOKEN}
# }
# }
# :80 {
# respond "Hello from Caddy!"
# }
# :443 {
# respond "Hello from Caddy!"
# }
# authentik.mjallen.dev {
# reverse_proxy 10.0.1.18:9000
# }
# '';
};
# Environment variable for DNS challenge
environment.etc."caddy/cloudflare.env" = {
mode = "0600";
text = ''
CLOUDFLARE_API_TOKEN=HYhx7cN6e-O6QQJNKd9g7RpgvCzY-aegOPU2iQwB
'';
};
# Fail2Ban configuration
environment.etc."fail2ban/filter.d/caddy.local" = {
mode = "0644";
text = ''
[Definition]
failregex = ^<HOST> .* "(GET|POST|PUT|DELETE|HEAD|OPTIONS) .* HTTP/\d\.\d" (4\d{2}|5\d{2})
ignoreregex =
'';
};
services.fail2ban = {
enable = true;
jails = {
caddy = {
settings = {
filter = "caddy";
logpath = "/var/log/caddy/access.log";
maxretry = 5;
bantime = "30m";
};
};
};
};
# Ensure logging for Caddy
services.caddy.logDir = "/var/log/caddy";
# Open necessary firewall ports
networking.firewall = {
enable = true;
allowedTCPPorts = [
80
443
];
};
# Install additional packages if needed
environment.systemPackages = with pkgs; [
caddy
fail2ban
];
system.stateVersion = "23.11";
};
};
networking.nat = {
forwardPorts = [
{
destination = "10.0.2.1:80";
sourcePort = 80;
}
{
destination = "10.0.2.1:443";
sourcePort = 443;
}
];
};
}

4
modules/apps/collabora/default.nix
View File

@@ -26,8 +26,8 @@ in
username = cfg.username;
# password = cfg.password; # get from env file
domain = "office.mjallen.dev";
aliasgroup1 = "https://cloud\.mjallen\.dev:443";
aliasgroup2 = "https://cloud\.mjallen\.dev:443";
aliasgroup1 = "https://cloud.mjallen.dev:443";
aliasgroup2 = "https://cloud.mjallen.dev:443";
# DONT_GEN_SSL_CERT = cfg.dontGenSslCert;
server_name = cfg.serverName;
dictionaries = cfg.dictionaries;

4
modules/apps/free-games-claimer/default.nix
View File

@@ -11,9 +11,7 @@ in
autoStart = cfg.autoStart;
image = cfg.image;
ports = [ "${cfg.httpPort}:6080" ];
volumes = [
"${cfg.dataPath}:/fgc/data"
];
volumes = [ "${cfg.dataPath}:/fgc/data" ];
environment = {
PUID = cfg.puid;
PGID = cfg.pgid;

168
modules/apps/immich/default.nix
View File

@@ -1,168 +0,0 @@
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.nas-apps.immich;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
virtualisation.oci-containers.containers."immich-machine-learning" = {
image = "ghcr.io/immich-app/immich-machine-learning:pr-12826-cuda";
volumes = [
"/media/nas/ssd/nix-app-data/immich/model-cache:/cache:rw"
];
log-driver = "journald";
extraOptions = [
"--network-alias=immich-machine-learning"
"--device=nvidia.com/gpu=0"
];
ports = [
"3003:3003"
];
environment = {
PUID = "911";
PGID = "1000";
};
};
systemd.services."podman-immich-machine-learning" = {
serviceConfig = {
Restart = lib.mkOverride 500 "always";
};
partOf = [
"podman-compose-immich-root.target"
];
wantedBy = [
"podman-compose-immich-root.target"
];
};
virtualisation.oci-containers.containers."immich-postgres" = {
image = "docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0";
environment = {
"POSTGRES_INITDB_ARGS" = "--data-checksums";
PUID = "911";
PGID = "1000";
};
environmentFiles = [
config.sops.secrets."jallen-nas/immich/db-password".path
config.sops.secrets."jallen-nas/immich/db-name".path
config.sops.secrets."jallen-nas/immich/db-user".path
];
volumes = [
"/media/nas/ssd/nix-app-data/immich/postgres:/var/lib/postgresql/data:rw"
];
ports = [
"5433:5432"
];
cmd = [ "postgres" "-c" "shared_preload_libraries=vectors.so" "-c" "search_path=\"$user\", public, vectors" "-c" "logging_collector=on" "-c" "max_wal_size=2GB" "-c" "shared_buffers=512MB" "-c" "wal_compression=on" ];
log-driver = "journald";
extraOptions = [
"--health-cmd=pg_isready --dbname=$DB_DATABASE_NAME --username=$DB_USERNAME || exit 1; Chksum=\"$(psql --dbname=$DB_DATABASE_NAME --username=$DB_USERNAME --tuples-only --no-align --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM pg_stat_database')\"; echo \"checksum failure count is $Chksum\"; [ \"$Chksum\" = '0' ] || exit 1"
"--health-interval=5m0s"
"--health-start-period=5m0s"
"--network-alias=database"
];
};
systemd.services."podman-immich-postgres" = {
serviceConfig = {
Restart = lib.mkOverride 500 "always";
};
partOf = [
"podman-compose-immich-root.target"
];
wantedBy = [
"podman-compose-immich-root.target"
];
};
virtualisation.oci-containers.containers."immich-redis" = {
image = "docker.io/redis:6.2-alpine@sha256:2d1463258f2764328496376f5d965f20c6a67f66ea2b06dc42af351f75248792";
log-driver = "journald";
extraOptions = [
"--health-cmd=redis-cli ping || exit 1"
"--network-alias=redis"
];
ports = [
"6381:6379"
];
environment = {
PUID = "911";
PGID = "1000";
};
};
systemd.services."podman-immich-redis" = {
serviceConfig = {
Restart = lib.mkOverride 500 "always";
};
partOf = [
"podman-compose-immich-root.target"
];
wantedBy = [
"podman-compose-immich-root.target"
];
};
virtualisation.oci-containers.containers."immich-server" = {
image = "ghcr.io/imagegenius/immich:latest";
volumes = [
"/media/nas/ssd/nix-app-data/immich/upload:/usr/src/app/upload:rw"
"/media/nas/ssd/nix-app-data/immich/config:/config"
"/media/nas/main/photos:/photos"
"/media/nas/ssd/nix-app-data/immich/libraries:/libraries"
"/etc/localtime:/etc/localtime:ro"
];
ports = [
"5555:8080/tcp"
];
dependsOn = [
"immich-postgres"
"immich-redis"
];
log-driver = "journald";
extraOptions = [
"--network-alias=immich-server"
"--device=nvidia.com/gpu=0"
];
environment = {
PUID = "911";
PGID = "1000";
DB_HOSTNAME = "10.0.1.18";
DB_PORT = "5433";
REDIS_HOSTNAME = "10.0.1.18";
REDIS_PORT = "6381";
};
environmentFiles = [
config.sops.secrets."jallen-nas/immich/server-db-password".path
config.sops.secrets."jallen-nas/immich/server-db-name".path
config.sops.secrets."jallen-nas/immich/server-db-user".path
];
};
systemd.services."podman-immich-server" = {
serviceConfig = {
Restart = lib.mkOverride 500 "always";
};
partOf = [
"podman-compose-immich-root.target"
];
wantedBy = [
"podman-compose-immich-root.target"
];
};
# Root service
# When started, this will automatically create all resources and start
# the containers. When stopped, this will teardown all resources.
systemd.targets."podman-compose-immich-root" = {
unitConfig = {
Description = "Root target generated by compose2nix.";
};
wantedBy = [ "multi-user.target" ];
};
};
}

7
modules/apps/immich/options.nix
View File

@@ -1,7 +0,0 @@
{ lib, ... }:
with lib;
{
options.nas-apps.immich = {
enable = mkEnableOption "immich docker service";
};
}

168
modules/apps/jellyfin/jellyfin.nix Normal file
View File

@@ -0,0 +1,168 @@
{
config,
pkgs,
lib,
...
}:
# let
# jellyfinPort = 8096;
# jellyfinUserId = config.users.users.nix-apps.uid;
# jellyfinGroupId = config.users.groups.jallen-nas.gid;
# package = pkgs.jellyfin;
# in {
# containers.jellyfin = {
# autoStart = true;
# privateNetwork = true;
# hostAddress = "10.0.1.18";
# localAddress = "10.0.2.25";
# config = { config, pkgs, lib, ... }: {
# # Enable jellyfin service
# nixpkgs.config.allowUnfree = true;
# hardware = {
# # Nvidia
# nvidia = {
# package = config.boot.kernelPackages.nvidiaPackages.latest;
# # Modesetting is required.
# modesetting.enable = true;
# # Nvidia power management. Experimental, and can cause sleep/suspend to fail.
# powerManagement.enable = true;
# # Fine-grained power management. Turns off GPU when not in use.
# # Experimental and only works on modern Nvidia GPUs (Turing or newer).
# powerManagement.finegrained = false;
# # Use the NVidia open source kernel module (not to be confused with the
# # independent third-party "nouveau" open source driver).
# # Support is limited to the Turing and later architectures. Full list of
# # supported GPUs is at:
# # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
# # Only available from driver 515.43.04+
# # Currently alpha-quality/buggy, so false is currently the recommended setting.
# open = true;
# # Enable the Nvidia settings menu,
# # accessible via `nvidia-settings`.
# nvidiaSettings = true;
# };
# # Enable graphics
# graphics = {
# enable = true;
# enable32Bit = true;
# };
# };
# # Services configs
# services.xserver = {
# # Load nvidia driver for Xorg and Wayland
# videoDrivers = [ "nvidia" ];
# };
# services.jellyfin = {
# enable = true;
# openFirewall = true;
# user = "jellyfin";
# group = "media";
# dataDir = "/data";
# configDir = "/config";
# # cacheDir = "/cache";
# };
# # Create required users and groups
# users.users.jellyfin = {
# isSystemUser = true;
# uid = lib.mkForce jellyfinUserId;
# group = "media";
# extraGroups = [ "downloads" ];
# };
# users.groups = {
# media = { gid = lib.mkForce jellyfinGroupId; };
# downloads = { };
# };
# networking = {
# firewall = {
# enable = true;
# allowedTCPPorts = [ jellyfinPort ];
# };
# # Use systemd-resolved inside the container
# # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
# useHostResolvConf = lib.mkForce false;
# };
# # System packages
# environment.systemPackages = with pkgs; [
# sqlite
# mono
# mediainfo
# # ffmpeg
# # nvidiaPackages.gpu
# # nvidiaPackages.nvidia-settings
# # nvidiaPackages.nvidia-x11
# ];
# services.resolved.enable = true;
# system.stateVersion = "23.11";
# };
# # Bind mount directories from host
# bindMounts = {
# "/data" = {
# hostPath = "/media/nas/ssd/nix-app-data/jellyfin";
# isReadOnly = false;
# };
# "/tv" = {
# hostPath = "/media/nas/main/tv";
# isReadOnly = false;
# };
# "/movies" = {
# hostPath = "/media/nas/main/movies";
# isReadOnly = false;
# };
# "/dev/nvidia0" = { hostPath = "/dev/nvidia0"; }; # GPU device
# "/dev/nvidiactl" = { hostPath = "/dev/nvidiactl"; }; # NVIDIA control
# "/dev/nvidia-modeset" = { hostPath = "/dev/nvidia-modeset"; }; # modesetting
# };
# # allowedDevices = [
# # {
# # modifier = "rw";
# # node = "/dev/nvidia0";
# # }
# # {
# # modifier = "rw";
# # node = "/dev/nvidiactl";
# # }
# # {
# # modifier = "rw";
# # node = "/dev/nvidia-modeset";
# # }
# # {
# # modifier = "rw";
# # node = "/dev/nvidia-uvm";
# # }
# # {
# # modifier = "rw";
# # node = "/dev/nvidia-uvm-tools";
# # }
# # ];
# };
# networking.nat = {
# forwardPorts = [{
# destination = "10.0.2.25:8096";
# sourcePort = jellyfinPort;
# }];
# };
# }
{
services.jellyfin = {
enable = true;
openFirewall = true;
user = "nix-apps";
group = "jallen-nas";
dataDir = "/media/nas/ssd/nix-app-data/jellyfin";
# cacheDir = "/cache";
};
}

54
modules/apps/jellyseerr/jellyseerr.nix
View File

@@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
jellyseerrPort = 5055;
@@ -17,29 +22,36 @@ in
localAddress = "10.0.1.52";
hostAddress6 = "fc00::1";
localAddress6 = "fc00::4";
config = { config, pkgs, lib, ... }: {
# Enable jellyseerr service
services.jellyseerr = {
enable = true;
port = jellyseerrPort;
# package = package;
openFirewall = true;
};
networking = {
firewall = {
config =
{
config,
pkgs,
lib,
...
}:
{
# Enable jellyseerr service
services.jellyseerr = {
enable = true;
allowedTCPPorts = [ jellyseerrPort ];
port = jellyseerrPort;
# package = package;
openFirewall = true;
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ jellyseerrPort ];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
system.stateVersion = "23.11";
};
services.resolved.enable = true;
system.stateVersion = "23.11";
};
};
networking.nat = {
@@ -50,4 +62,4 @@ in
}
];
};
}
}

26
modules/apps/mealie/default.nix
View File

@@ -1,26 +0,0 @@
{ lib, config, ... }:
with lib;
let
cfg = config.nas-apps.mealie;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
virtualisation.oci-containers.containers."${cfg.name}" = {
autoStart = cfg.autoStart;
image = cfg.image;
ports = [ "${cfg.port}:9000" ];
volumes = [ "${cfg.dataPath}:/app/data" ];
environment = {
PUID = cfg.puid;
PGID = cfg.pgid;
TZ = cfg.timeZone;
ALLOW_SIGNUP = cfg.allowSignup;
MAX_WORKERS = cfg.maxWorkers;
MAX_CONCURRENCY = cfg.maxConcurrency;
BASE_URL = cfg.baseUrl;
};
};
};
}

67
modules/apps/mealie/options.nix
View File

@@ -1,67 +0,0 @@
{ lib, ... }:
with lib;
{
options.nas-apps.mealie = {
enable = mkEnableOption "mealie docker service";
autoStart = mkOption {
type = types.bool;
default = true;
};
port = mkOption {
type = types.str;
default = "9000";
};
name = mkOption {
type = types.str;
default = "mealie";
};
image = mkOption {
type = types.str;
default = "ghcr.io/mealie-recipes/mealie";
};
dataPath = mkOption {
type = types.str;
default = "/media/nas/ssd/nix-app-data/mealie";
};
puid = mkOption {
type = types.str;
default = "911";
};
pgid = mkOption {
type = types.str;
default = "1000";
};
timeZone = mkOption {
type = types.str;
default = "America/Chicago";
};
maxWorkers = mkOption {
type = types.str;
default = "1";
};
maxConcurrency = mkOption {
type = types.str;
default = "1";
};
baseUrl = mkOption {
type = types.str;
default = "";
};
allowSignup = mkOption {
type = types.str;
default = "true";
};
};
}

32
modules/apps/orca-slicer/default.nix
View File

@@ -1,32 +0,0 @@
{ lib, config, ... }:
with lib;
let
cfg = config.nas-apps.orca-slicer;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
virtualisation.oci-containers.containers."${cfg.name}" = {
autoStart = cfg.autoStart;
image = cfg.image;
extraOptions = [ "--device=nvidia.com/gpu=0" ];
ports = [
"${cfg.httpPort}:3000"
"${cfg.httpsPort}:3001"
];
volumes = [
"${cfg.configPath}:/config"
"${cfg.dataPath}:/data"
];
environment = {
PUID = cfg.puid;
PGID = cfg.pgid;
TZ = cfg.timeZone;
TITLE = "orca-slicer";
DRINODE = "/dev/dri/renderD128";
NO_DECOR = "1";
};
};
};
}

57
modules/apps/orca-slicer/options.nix
View File

@@ -1,57 +0,0 @@
{ lib, ... }:
with lib;
{
options.nas-apps.orca-slicer = {
enable = mkEnableOption "orca slicer docker service";
autoStart = mkOption {
type = types.bool;
default = true;
};
httpPort = mkOption {
type = types.str;
default = "3000";
};
httpsPort = mkOption {
type = types.str;
default = "3001";
};
name = mkOption {
type = types.str;
default = "orca-slicer";
};
image = mkOption {
type = types.str;
default = "linuxserver/orcaslicer";
};
configPath = mkOption {
type = types.str;
default = "/media/nas/ssd/ssd_app_data/orca-slicer";
};
dataPath = mkOption {
type = types.str;
default = "/media/nas/main/3d_printer";
};
puid = mkOption {
type = types.str;
default = "911";
};
pgid = mkOption {
type = types.str;
default = "1000";
};
timeZone = mkOption {
type = types.str;
default = "America/Chicago";
};
};
}

116
modules/apps/paperless/default.nix
View File

@@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
paperlessPort = 28981;
@@ -14,59 +19,68 @@ in
localAddress = "10.0.1.20";
hostAddress6 = "fc00::1";
localAddress6 = "fc00::20";
config = { config, pkgs, lib, ... }: {
# Enable paperless service
services.paperless = {
enable = true;
port = paperlessPort;
user = "paperless";
address = "0.0.0.0";
passwordFile = "/var/lib/paperless/paperless-password";
# settings = {
# PAPERLESS_APPS="allauth.socialaccount.providers.openid_connect";
# PAPERLESS_SOCIALACCOUNT_PROVIDERS = {
# "openid_connect" = {
# "OAUTH_PKCE_ENABLED":true,
# "APPS":[
# {"provider_id":"authentik","name":"Authentik","client_id":"<Client ID>","secret":<Client Secret>","settings":{"server_url":"https://authentik.mjallen.dev/application/o/paperless/.well-known/openid-configuration"}}]}}
# }
};
# Create required users and groups
users.groups = {
documents = { gid = lib.mkForce paperlessGroupId; };
};
users.users.paperless = {
isSystemUser = true;
uid = lib.mkForce paperlessUserId;
group = lib.mkForce "documents";
};
# Create and set permissions for required directories
system.activationScripts.paperless-dirs = ''
mkdir -p /var/lib/paperless
chown -R paperless:documents /var/lib/paperless
chmod -R 775 /var/lib/paperless
'';
networking = {
firewall = {
config =
{
config,
pkgs,
lib,
...
}:
{
# Enable paperless service
services.paperless = {
enable = true;
allowedTCPPorts = [ paperlessPort ];
port = paperlessPort;
user = "paperless";
address = "0.0.0.0";
passwordFile = "/var/lib/paperless/paperless-password";
# settings = {
# PAPERLESS_APPS="allauth.socialaccount.providers.openid_connect";
# PAPERLESS_SOCIALACCOUNT_PROVIDERS = {
# "openid_connect" = {
# "OAUTH_PKCE_ENABLED":true,
# "APPS":[
# {"provider_id":"authentik","name":"Authentik","client_id":"<Client ID>","secret":<Client Secret>","settings":{"server_url":"https://authentik.mjallen.dev/application/o/paperless/.well-known/openid-configuration"}}]}}
# }
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
# Create required users and groups
users.groups = {
documents = {
gid = lib.mkForce paperlessGroupId;
};
};
users.users.paperless = {
isSystemUser = true;
uid = lib.mkForce paperlessUserId;
group = lib.mkForce "documents";
};
# Create and set permissions for required directories
system.activationScripts.paperless-dirs = ''
mkdir -p /var/lib/paperless
chown -R paperless:documents /var/lib/paperless
chmod -R 775 /var/lib/paperless
'';
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ paperlessPort ];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
system.stateVersion = "23.11";
};
services.resolved.enable = true;
system.stateVersion = "23.11";
};
# Bind mount directories from host
bindMounts = {
@@ -89,4 +103,4 @@ in
}
];
};
}
}

26
modules/apps/radarr/default.nix
View File

@@ -1,26 +0,0 @@
{ lib, config, ... }:
with lib;
let
cfg = config.nas-apps.radarr;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
virtualisation.oci-containers.containers."${cfg.name}" = {
autoStart = cfg.autoStart;
image = cfg.image;
ports = [ "${cfg.port}:7878" ];
volumes = [
"${cfg.configPath}:/config"
"${cfg.moviesPath}:/movies"
"${cfg.downloadsPath}:/downloads"
];
environment = {
PUID = cfg.puid;
PGID = cfg.pgid;
TZ = cfg.timeZone;
};
};
};
}

57
modules/apps/radarr/options.nix
View File

@@ -1,57 +0,0 @@
{ lib, ... }:
with lib;
{
options.nas-apps.radarr = {
enable = mkEnableOption "radarr docker service";
autoStart = mkOption {
type = types.bool;
default = true;
};
port = mkOption {
type = types.str;
default = "7878";
};
name = mkOption {
type = types.str;
default = "radarr";
};
image = mkOption {
type = types.str;
default = "linuxserver/radarr";
};
configPath = mkOption {
type = types.str;
default = "/media/nas/ssd/ssd_app_data/radarr";
};
moviesPath = mkOption {
type = types.str;
default = "/media/nas/main/movies";
};
downloadsPath = mkOption {
type = types.str;
default = "/media/nas/ssd/ssd_app_data/downloads";
};
puid = mkOption {
type = types.str;
default = "911";
};
pgid = mkOption {
type = types.str;
default = "1000";
};
timeZone = mkOption {
type = types.str;
default = "America/Chicago";
};
};
}

106
modules/apps/radarr/radarr.nix
View File

@@ -1,106 +0,0 @@
{ config, pkgs, lib, ... }:
let
radarrPort = 7878;
dataDir = "/var/lib/radarr";
downloadDir = "/downloads";
mediaDir = "/media";
radarrUserId = config.users.users.nix-apps.uid;
radarrGroupId = config.users.groups.jallen-nas.gid;
package = pkgs.radarr;
in
{
containers.radarr = {
autoStart = true;
privateNetwork = true;
hostAddress = "10.0.1.18";
localAddress = "10.0.1.51";
hostAddress6 = "fc00::1";
localAddress6 = "fc00::3";
config = { config, pkgs, lib, ... }: {
# Enable radarr service
services.radarr = {
enable = true;
user = "radarr";
group = "media";
dataDir = dataDir;
package = package;
};
# Create required users and groups
users.users.radarr = {
isSystemUser = true;
uid = lib.mkForce radarrUserId;
group = "media";
extraGroups = [ "downloads" ];
};
users.groups = {
media = { gid = lib.mkForce radarrGroupId; };
downloads = {};
};
# System packages
environment.systemPackages = with pkgs; [
sqlite
mono
mediainfo
];
# Create and set permissions for required directories
system.activationScripts.radarr-dirs = ''
mkdir -p ${dataDir}
mkdir -p ${downloadDir}
mkdir -p ${mediaDir}
chown -R radarr:media ${dataDir}
chown -R radarr:media ${downloadDir}
chown -R radarr:media ${mediaDir}
chmod -R 775 ${dataDir}
chmod -R 775 ${downloadDir}
chmod -R 775 ${mediaDir}
'';
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ radarrPort ];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
system.stateVersion = "23.11";
};
# Bind mount directories from host
bindMounts = {
"/var/lib/radarr" = {
hostPath = "/media/nas/ssd/nix-app-data/radarr";
isReadOnly = false;
};
"/downloads" = {
hostPath = "/media/nas/ssd/ssd_app_data/downloads";
isReadOnly = false;
};
"/media" = {
hostPath = "/media/nas/main/movies";
isReadOnly = false;
};
};
};
networking.nat = {
forwardPorts = [
{
destination = "10.0.1.51:7878";
sourcePort = radarrPort;
}
];
};
}

57
modules/apps/sabnzbd/sabnzbd.nix Normal file
View File

@@ -0,0 +1,57 @@
{
config,
pkgs,
lib,
...
}:
let
sabnzbdPort = 8080;
dataDir = "/var/lib/sabnzbd";
downloadDir = "/downloads";
mediaDir = "/media";
sabnzbdUserId = config.users.users.nix-apps.uid;
sabnzbdGroupId = config.users.groups.jallen-nas.gid;
package = pkgs.sabnzbd;
in
{
containers.sabnzbd = {
autoStart = true;
privateNetwork = true;
hostAddress = "10.0.1.18";
localAddress = "10.0.2.20";
config =
{
config,
pkgs,
lib,
...
}:
{
# Enable sabnzbd service
services.sabnzbd = {
enable = true;
openFirewall = true;
};
networking = {
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
system.stateVersion = "23.11";
};
};
networking.nat = {
forwardPorts = [
{
destination = "10.0.2.20:8080";
sourcePort = sabnzbdPort;
}
];
};
}

204
modules/apps/sonarr/sonarr.nix
View File

@@ -1,104 +1,118 @@
{ config, pkgs, lib, ... }:
# {
# config,
# pkgs,
# lib,
# ...
# }:
let
sonarrPort = 8989;
dataDir = "/var/lib/sonarr";
downloadDir = "/downloads";
mediaDir = "/media";
sonarrUserId = config.users.users.nix-apps.uid;
sonarrGroupId = config.users.groups.jallen-nas.gid;
in
{
containers.sonarr = {
autoStart = true;
privateNetwork = true;
hostAddress = "10.0.1.18";
localAddress = "10.0.1.50";
hostAddress6 = "fc00::1";
localAddress6 = "fc00::2";
config = { config, pkgs, lib, ... }: {
# Enable Sonarr service
services.sonarr = {
enable = true;
user = "sonarr";
group = "media";
dataDir = dataDir;
};
# let
# sonarrPort = 8989;
# dataDir = "/var/lib/sonarr";
# downloadDir = "/downloads";
# mediaDir = "/media";
# sonarrUserId = config.users.users.nix-apps.uid;
# sonarrGroupId = config.users.groups.jallen-nas.gid;
# in
# {
# containers.sonarr = {
# autoStart = true;
# privateNetwork = true;
# hostAddress = "10.0.1.18";
# localAddress = "10.0.1.50";
# hostAddress6 = "fc00::1";
# localAddress6 = "fc00::2";
# Create required users and groups
users.users.sonarr = {
isSystemUser = true;
uid = lib.mkForce sonarrUserId;
group = "media";
extraGroups = [ "downloads" ];
};
# config =
# {
# config,
# pkgs,
# lib,
# ...
# }:
# {
# # Enable Sonarr service
# services.sonarr = {
# enable = true;
# user = "sonarr";
# group = "media";
# dataDir = dataDir;
# };
users.groups = {
media = { gid = lib.mkForce sonarrGroupId; };
downloads = {};
};
# # Create required users and groups
# users.users.sonarr = {
# isSystemUser = true;
# uid = lib.mkForce sonarrUserId;
# group = "media";
# extraGroups = [ "downloads" ];
# };
# System packages
environment.systemPackages = with pkgs; [
sqlite
mono
mediainfo
];
# users.groups = {
# media = {
# gid = lib.mkForce sonarrGroupId;
# };
# downloads = { };
# };
# Create and set permissions for required directories
system.activationScripts.sonarr-dirs = ''
mkdir -p ${dataDir}
mkdir -p ${downloadDir}
mkdir -p ${mediaDir}
# # System packages
# environment.systemPackages = with pkgs; [
# sqlite
# mono
# mediainfo
# ];
chown -R sonarr:media ${dataDir}
chown -R sonarr:media ${downloadDir}
chown -R sonarr:media ${mediaDir}
chmod -R 775 ${dataDir}
chmod -R 775 ${downloadDir}
chmod -R 775 ${mediaDir}
'';
# # Create and set permissions for required directories
# system.activationScripts.sonarr-dirs = ''
# mkdir -p ${dataDir}
# mkdir -p ${downloadDir}
# mkdir -p ${mediaDir}
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ sonarrPort ];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
system.stateVersion = "23.11";
};
# chown -R sonarr:media ${dataDir}
# chown -R sonarr:media ${downloadDir}
# chown -R sonarr:media ${mediaDir}
# Bind mount directories from host
bindMounts = {
"/var/lib/sonarr" = {
hostPath = "/media/nas/ssd/nix-app-data/sonarr";
isReadOnly = false;
};
"/downloads" = {
hostPath = "/media/nas/ssd/ssd_app_data/downloads";
isReadOnly = false;
};
"/media" = {
hostPath = "/media/nas/main/tv";
isReadOnly = false;
};
};
};
# chmod -R 775 ${dataDir}
# chmod -R 775 ${downloadDir}
# chmod -R 775 ${mediaDir}
networking.nat = {
forwardPorts = [
{
destination = "10.0.1.50:8989";
sourcePort = 8989;
}
];
};
}
# '';
# networking = {
# firewall = {
# enable = true;
# allowedTCPPorts = [ sonarrPort ];
# };
# # Use systemd-resolved inside the container
# # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
# useHostResolvConf = lib.mkForce false;
# };
# services.resolved.enable = true;
# system.stateVersion = "23.11";
# };
# # Bind mount directories from host
# bindMounts = {
# "/var/lib/sonarr" = {
# hostPath = "/media/nas/ssd/nix-app-data/sonarr";
# isReadOnly = false;
# };
# "/downloads" = {
# hostPath = "/media/nas/ssd/ssd_app_data/downloads";
# isReadOnly = false;
# };
# "/media" = {
# hostPath = "/media/nas/main/tv";
# isReadOnly = false;
# };
# };
# };
# networking.nat = {
# forwardPorts = [
# {
# destination = "10.0.1.50:8989";
# sourcePort = 8989;
# }
# ];
# };
# }

26
modules/apps/vscode/default.nix
View File

@@ -1,26 +0,0 @@
{ lib, config, ... }:
with lib;
let
cfg = config.nas-apps.vscode;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
virtualisation.oci-containers.containers."${cfg.name}" = {
autoStart = cfg.autoStart;
image = cfg.image;
ports = [ "${cfg.port}:8443" ];
volumes = [
"${cfg.configPath}:/config"
"/media/nas/ssd/ssd_app_data:/ssd_app_data"
"/home/admin/nix-config:/nix-config"
];
environment = {
PUID = cfg.puid;
PGID = cfg.pgid;
TZ = cfg.timeZone;
};
};
};
}

47
modules/apps/vscode/options.nix
View File

@@ -1,47 +0,0 @@
{ lib, ... }:
with lib;
{
options.nas-apps.vscode = {
enable = mkEnableOption "vscode docker service";
autoStart = mkOption {
type = types.bool;
default = true;
};
port = mkOption {
type = types.str;
default = "8443";
};
name = mkOption {
type = types.str;
default = "vscode";
};
image = mkOption {
type = types.str;
default = "linuxserver/code-server";
};
configPath = mkOption {
type = types.str;
default = "/media/nas/ssd/ssd_app_data/vscode";
};
puid = mkOption {
type = types.str;
default = "911";
};
pgid = mkOption {
type = types.str;
default = "1000";
};
timeZone = mkOption {
type = types.str;
default = "America/Chicago";
};
};
}

26
modules/apps/wireguard/default.nix
View File

@@ -1,26 +0,0 @@
{ lib, config, ... }:
with lib;
let
cfg = config.nas-apps.wireguard;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
virtualisation.oci-containers.containers."${cfg.name}" = {
autoStart = cfg.autoStart;
image = cfg.image;
ports = [ "${cfg.port}:51820/udp" ];
extraOptions = [
"--cap-add=NET_ADMIN"
"--sysctl=\"net.ipv4.conf.all.src_valid_mark=1\""
];
volumes = [ "${cfg.configPath}:/config" ];
environment = {
PUID = cfg.puid;
PGID = cfg.pgid;
TZ = cfg.timeZone;
};
};
};
}

47
modules/apps/wireguard/options.nix
View File

@@ -1,47 +0,0 @@
{ lib, ... }:
with lib;
{
options.nas-apps.wireguard = {
enable = mkEnableOption "wireguard docker service";
autoStart = mkOption {
type = types.bool;
default = true;
};
port = mkOption {
type = types.str;
default = "51820";
};
name = mkOption {
type = types.str;
default = "wireguard";
};
image = mkOption {
type = types.str;
default = "lscr.io/linuxserver/wireguard";
};
configPath = mkOption {
type = types.str;
default = "/media/nas/ssd/nix-app-data/wireguard";
};
puid = mkOption {
type = types.str;
default = "911";
};
pgid = mkOption {
type = types.str;
default = "1000";
};
timeZone = mkOption {
type = types.str;
default = "America/Chicago";
};
};
}