switch to cap based home configs

2026-01-20 16:57:10 +01:00 · 2026-01-20 16:57:10 +01:00 · 49b6f5bde0
commit 49b6f5bde0
parent 50ee9aac83
64 changed files with 2064 additions and 1779 deletions
--- a/hosts/fili/services/media/autobrr.nix
+++ b/hosts/fili/services/media/autobrr.nix
@ -0,0 +1,54 @@
+{ config, secrets, ... }:
+{
+  sops.secrets.autobrr = {
+    sopsFile = "${secrets}/autobrr.yaml";
+    key = "key";
+    format = "yaml";
+  };
+
+  services.nginx = {
+    virtualHosts."autobrr.donsz.nl" = {
+      forceSSL = true;
+      http2 = true;
+      enableACME = true;
+
+      locations."/" = {
+        proxyPass = "http://${config.services.autobrr.settings.host}:${toString config.services.autobrr.settings.port}";
+      };
+    };
+  };
+
+  # oauth access to the service
+  services.oauth2-proxy.nginx.virtualHosts."autobrr.donsz.nl" = {
+    allowed_groups = [ "torrent" ];
+  };
+
+  # vpnNamespaces.mullvad.portMappings = [
+  #   {
+  #     from = config.services.autobrr.settings.port;
+  #     to = config.services.autobrr.settings.port;
+  #   }
+  # ];
+  # vpnNamespaces.mullvad.openVPNPorts = [
+  #   {
+  #     # irc port
+  #     port = 7021;
+  #     protocol = "both";
+  #   }
+  # ];
+  # systemd.services.autobrr.vpnConfinement = {
+  #   enable = true;
+  #   vpnNamespace = "mullvad";
+  # };
+
+  services.autobrr = {
+    enable = true;
+    settings = {
+      logLevel = "DEBUG";
+      checkForUpdates = false;
+      host = "localhost";
+      port = 11012;
+    };
+    secretFile = config.sops.secrets.autobrr.path;
+  };
+}
--- a/hosts/fili/services/media/default.nix
+++ b/hosts/fili/services/media/default.nix
@ -0,0 +1,12 @@
+_: {
+  imports = [
+    ./overseerr.nix
+    ./radarr.nix
+    ./sonarr.nix
+    ./torrent.nix
+    ./jackett.nix
+    ./jellyfin.nix
+    ./autobrr.nix
+    ./vpn.nix
+  ];
+}
--- a/hosts/fili/services/media/jackett.nix
+++ b/hosts/fili/services/media/jackett.nix
@ -0,0 +1,36 @@
+{ config, ... }:
+{
+  services.nginx = {
+    virtualHosts."jackett.donsz.nl" = {
+      forceSSL = true;
+      http2 = true;
+      enableACME = true;
+
+      locations."/" = {
+        proxyPass = "http://localhost:${toString config.services.jackett.port}";
+      };
+    };
+  };
+
+  # vpnNamespaces.mullvad.portMappings = [
+  #   {
+  #     from = config.services.jackett.port;
+  #     to = config.services.jackett.port;
+  #   }
+  # ];
+  # systemd.services.autobrr.vpnConfinement = {
+  #   enable = true;
+  #   vpnNamespace = "mullvad";
+  # };
+
+  services.oauth2-proxy.nginx.virtualHosts."jackett.donsz.nl" = {
+    allowed_groups = [ "torrent" ];
+  };
+
+  services.jackett = {
+    enable = true;
+    group = "jellyfin";
+    user = "jellyfin";
+    port = 11013;
+  };
+}
--- a/hosts/fili/services/media/jellyfin.nix
+++ b/hosts/fili/services/media/jellyfin.nix
@ -0,0 +1,150 @@
+{
+  pkgs,
+  config,
+  ...
+}:
+let
+  jellyfin-config = ''
+
+    {
+      "includeCorsCredentials": false,
+      "multiserver": false,
+      "themes": [
+        {
+          "name": "Apple TV",
+          "id": "appletv",
+          "color": "#bcbcbc"
+        }, {
+          "name": "Blue Radiance",
+          "id": "blueradiance",
+          "color": "#011432"
+        }, {
+          "name": "Dark",
+          "id": "dark",
+          "color": "#202020",
+          "default": true
+        }, {
+          "name": "Light",
+          "id": "light",
+          "color": "#303030"
+        }, {
+          "name": "Purple Haze",
+          "id": "purplehaze",
+          "color": "#000420"
+        }, {
+          "name": "WMC",
+          "id": "wmc",
+          "color": "#0c2450"
+        }
+      ],
+      "menuLinks": [
+          {
+              "name": "Link SSO Account",
+              "icon": "add_link",
+              "url": "https://media.donsz.nl/SSOViews/linking"
+          }
+      ],
+      "servers": [],
+      "plugins": [
+        "playAccessValidation/plugin",
+        "experimentalWarnings/plugin",
+        "htmlAudioPlayer/plugin",
+        "htmlVideoPlayer/plugin",
+        "photoPlayer/plugin",
+        "comicsPlayer/plugin",
+        "bookPlayer/plugin",
+        "youtubePlayer/plugin",
+        "backdropScreensaver/plugin",
+        "pdfPlayer/plugin",
+        "logoScreensaver/plugin",
+        "sessionPlayer/plugin",
+        "chromecastPlayer/plugin",
+        "syncPlay/plugin"
+      ]
+    }
+
+  '';
+in
+{
+  environment.systemPackages = [
+    pkgs.jellyfin
+    pkgs.jellyfin-web
+    pkgs.jellyfin-ffmpeg
+  ];
+
+  services.nginx.virtualHosts."media.donsz.nl" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://localhost:8096";
+      extraConfig = ''
+        proxy_buffering off;
+      '';
+    };
+    locations."/socket" = {
+      inherit (config.services.nginx.virtualHosts."media.donsz.nl".locations."/")
+        proxyPass
+        ;
+      proxyWebsockets = true;
+    };
+  };
+
+  users.groups.jellyfin = { };
+  users.users.jellyfin = {
+    isSystemUser = true;
+    group = "jellyfin";
+
+    extraGroups = [ "storage" ];
+  };
+
+  services.nginx.virtualHosts."media.donsz.nl".locations."/web/config.json".extraConfig = ''
+    add_header Content-Type application/json;
+    add_header Access-Control-Allow-Origin *;
+    return 200 '${jellyfin-config}';
+  '';
+
+  services.jellyfin = {
+    enable = true;
+    openFirewall = true;
+    user = "jellyfin";
+    group = "jellyfin";
+  };
+
+  # Only set this if you're using intel-vaapi-driver (see below):
+  nixpkgs.config.packageOverrides = pkgs: {
+    intel-vaapi-driver = pkgs.intel-vaapi-driver.override { enableHybridCodec = true; };
+  };
+
+  systemd.services.jellyfin.environment.LIBVA_DRIVER_NAME = "iHD"; # or i965, see below
+  environment.sessionVariables = {
+    LIBVA_DRIVER_NAME = "iHD";
+  }; # ditto
+
+  hardware.graphics = {
+    enable = true;
+
+    extraPackages = with pkgs; [
+      intel-ocl
+      intel-media-driver
+      # intel-media-sdk
+    ];
+  };
+
+  # hardware.graphics = {
+  #   enable = true;
+  #   package = pkgs.intel-media-driver;
+  # };
+  # systemd.services.jellyfin = {
+  #   # if EncoderAppPath is manually set in the web UI, it can never be updated through --ffmpeg
+  #   preStart = "test ! -e /var/lib/jellyfin/config/encoding.xml || sed -i '/<EncoderAppPath>/d' /var/lib/jellyfin/config/encoding.xml";
+  #   serviceConfig = {
+  #     # allow access to GPUs for hardware transcoding
+  #     DeviceAllow = lib.mkForce "char-drm";
+  #     BindPaths = lib.mkForce "/dev/dri";
+  #     # to allow restarting from web ui
+  #     Restart = lib.mkForce "always";
+
+  #     Slice = "mediaplayback.slice";
+  #   };
+  # };
+}
--- a/hosts/fili/services/media/overseerr.nix
+++ b/hosts/fili/services/media/overseerr.nix
@ -0,0 +1,27 @@
+{ ... }:
+let
+  port = 11002;
+in
+{
+  services.nginx.virtualHosts."req.donsz.nl" = {
+    forceSSL = true;
+    http2 = true;
+    enableACME = true;
+
+    locations."/" = {
+      proxyPass = "http://[::1]:${toString port}";
+    };
+  };
+
+  virtualisation.oci-containers.containers = {
+    overseerr = {
+      image = "ghcr.io/fallenbagel/jellyseerr:preview-seerr";
+      environment = {
+      };
+      extraOptions = [ "--network=host" ];
+      volumes = [
+        "/var/lib/microvms/rr/storage/data/overseerr:/app/config"
+      ];
+    };
+  };
+}
--- a/hosts/fili/services/media/radarr.nix
+++ b/hosts/fili/services/media/radarr.nix
@ -0,0 +1,29 @@
+{ pkgs, ... }:
+{
+  services.nginx = {
+    virtualHosts."radarr.donsz.nl" = {
+      forceSSL = true;
+      http2 = true;
+      enableACME = true;
+
+      locations."/" = {
+        proxyPass = "http://[::1]:7878";
+      };
+    };
+  };
+  services.oauth2-proxy.nginx.virtualHosts."radarr.donsz.nl" = {
+    allowed_groups = [ "torrent" ];
+  };
+
+  services.radarr = {
+    enable = true;
+    group = "jellyfin";
+    user = "jellyfin";
+
+    environmentFiles = [
+      (pkgs.writeText "env" ''
+        RADARR__AUTH__METHOD="External"
+      '')
+    ];
+  };
+}
--- a/hosts/fili/services/media/sonarr.nix
+++ b/hosts/fili/services/media/sonarr.nix
@ -0,0 +1,29 @@
+{ pkgs, ... }:
+{
+  services.nginx = {
+    virtualHosts."sonarr.donsz.nl" = {
+      forceSSL = true;
+      http2 = true;
+      enableACME = true;
+
+      locations."/" = {
+        proxyPass = "http://[::1]:8989";
+      };
+    };
+  };
+  services.oauth2-proxy.nginx.virtualHosts."sonarr.donsz.nl" = {
+    allowed_groups = [ "torrent" ];
+  };
+
+  services.sonarr = {
+    enable = true;
+    group = "jellyfin";
+    user = "jellyfin";
+
+    environmentFiles = [
+      (pkgs.writeText "env" ''
+        SONARR__AUTH__METHOD="External"
+      '')
+    ];
+  };
+}
--- a/hosts/fili/services/media/torrent.nix
+++ b/hosts/fili/services/media/torrent.nix
@ -0,0 +1,73 @@
+{ pkgs, ... }:
+{
+  vpnNamespaces.mullvad.portMappings = [
+    {
+      from = 9091;
+      to = 9091;
+    } # UI Port.
+    {
+      from = 5432;
+      to = 5432;
+    } # DB Port.
+  ];
+  vpnNamespaces.mullvad.openVPNPorts = [
+    {
+      port = 50909;
+      protocol = "both";
+    }
+  ];
+
+  services.nginx = {
+    virtualHosts."dl.donsz.nl" = {
+      forceSSL = true;
+      http2 = true;
+      enableACME = true;
+
+      locations."/" = {
+        proxyPass = "http://192.168.15.1:9091";
+      };
+    };
+  };
+  services.oauth2-proxy.nginx.virtualHosts."dl.donsz.nl" = {
+    allowed_groups = [ "torrent" ];
+  };
+
+  systemd.services.transmission.vpnConfinement = {
+    enable = true;
+    vpnNamespace = "mullvad";
+  };
+
+  services.transmission = {
+    enable = true;
+    package = pkgs.transmission_4;
+    webHome = pkgs.stdenv.mkDerivation {
+      name = "flood-modified";
+      version = "1.0";
+      src = pkgs.flood-for-transmission;
+      installPhase = ''
+        mkdir -p $out
+        cp -r ./* $out
+        cp ./config.json.defaults $out/config.json
+      '';
+    };
+    home = "/var/lib/transmission";
+    user = "jellyfin";
+    group = "jellyfin";
+
+    settings = {
+      download-dir = "/storage/storage/torrents";
+      incomplete-dir-enabled = false;
+      incomplete-dir = "/storage/storage/torrents";
+
+      rpc-bind-address = "192.168.15.1";
+      rpc-host-whitelist-enabled = false;
+      rpc-whitelist-enabled = false;
+
+      rpc-port = 9091;
+
+      peer-port = 50909;
+      cache-size-mb = 2048;
+      preallocation = 1;
+    };
+  };
+}
--- a/hosts/fili/services/media/vpn.nix
+++ b/hosts/fili/services/media/vpn.nix
@ -0,0 +1,16 @@
+{ config, secrets, ... }:
+{
+  sops.secrets.mullvad = {
+    sopsFile = "${secrets}/mullvad.yaml";
+    owner = "root";
+    format = "yaml";
+  };
+
+  vpnNamespaces.mullvad = {
+    enable = true;
+    wireguardConfigFile = config.sops.secrets.mullvad.path;
+    accessibleFrom = [
+      "192.168.0.0/16"
+    ];
+  };
+}