From 4bad4e4a7cff019d605b9bcde20487b14580c0db Mon Sep 17 00:00:00 2001 From: Malte Tammena Date: Wed, 14 Feb 2024 22:06:21 +0100 Subject: [PATCH] chore(faunus-ater): cleaup media related services --- hosts/faunus-ater/default.nix | 27 +----- hosts/faunus-ater/modules/media.nix | 124 +++++++++++++++++++++++++ secrets/hosts/faunus-ater/secrets.yaml | 8 +- secrets/pub/downloadarr-tammena-me.crt | 12 +++ secrets/pub/radarr-tammena-me.crt | 12 +++ secrets/pub/sonarr-tammena-me.crt | 12 +++ secrets/pub/webdav-tammena-me.crt | 12 +++ 7 files changed, 183 insertions(+), 24 deletions(-) create mode 100644 hosts/faunus-ater/modules/media.nix create mode 100644 secrets/pub/downloadarr-tammena-me.crt create mode 100644 secrets/pub/radarr-tammena-me.crt create mode 100644 secrets/pub/sonarr-tammena-me.crt create mode 100644 secrets/pub/webdav-tammena-me.crt diff --git a/hosts/faunus-ater/default.nix b/hosts/faunus-ater/default.nix index 2a11022..36ceb43 100644 --- a/hosts/faunus-ater/default.nix +++ b/hosts/faunus-ater/default.nix @@ -16,6 +16,7 @@ in { ./modules/hydra.nix ./modules/komga.nix ./modules/mealie.nix + ./modules/media.nix ./modules/nix-serve.nix ./modules/paperless.nix ./modules/photoprism.nix @@ -77,6 +78,10 @@ in { repository = "s3:https://s3.tammena.me/archive/dirty.bak"; timerConfig.OnCalendar = "daily"; paths = lib.singleton "/data/dirty"; + exclude = [ + "/data/dirty/sabnzbd" + "/data/dirty/support" + ]; pruneOpts = [ "--keep-daily 1" "--keep-weekly 1" 
@@ -87,28 +92,6 @@ in { }; }; - users.groups.media = {}; - - services.radarr = { - enable = true; - dataDir = "/data/dirty/radarr"; - openFirewall = true; - }; - users.users.radarr.group = lib.mkForce "media"; - - services.sonarr = { - enable = true; - dataDir = "/data/dirty/sonarr"; - openFirewall = true; - }; - users.users.sonarr.group = lib.mkForce "media"; - - services.sabnzbd = { - enable = true; - }; - networking.firewall.allowedTCPPorts = [8080]; - users.users.sabnzbd.group = lib.mkForce "media"; - # === RUNTIME SECRETS === sops.defaultSopsFile = ../../secrets/hosts/faunus-ater/secrets.yaml; sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; diff --git a/hosts/faunus-ater/modules/media.nix b/hosts/faunus-ater/modules/media.nix new file mode 100644 index 0000000..bd07d73 --- /dev/null +++ b/hosts/faunus-ater/modules/media.nix 
@@ -0,0 +1,124 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}: let
+ webdavPort = 4918;
+in {
+ # User and group that owns all media-related files
+ users.users.media = {
+ uid = 981;
+ isSystemUser = true;
+ group = "media";
+ };
+ users.groups.media = {
+ gid = 978;
+ };
+
+ # Radarr for the movies
+ services.radarr = {
+ enable = true;
+ dataDir = "/data/dirty/radarr";
+ openFirewall = true;
+ };
+ users.users.radarr.group = lib.mkForce "media";
+
+ # Sonarr for the series
+ services.sonarr = {
+ enable = true;
+ dataDir = "/data/dirty/sonarr";
+ openFirewall = true;
+ };
+ users.users.sonarr.group = lib.mkForce "media";
+
+ # Sabnzbd for usenet
+ services.sabnzbd = {
+ enable = true;
+ };
+ users.users.sabnzbd.group = lib.mkForce "media";
+
+ # Webdav to allow remote access
+ services.webdav-server-rs = {
+ enable = true;
+ group = "media";
+ settings = {
+ server.listen = ["0.0.0.0:${builtins.toString webdavPort}" "[::]:${builtins.toString webdavPort}"];
+ location = [
+ {
+ route = ["/*path"];
+ directory = "/data/media";
+ handler = "filesystem";
+ methods = ["webdav-ro"];
+ autoindex = true;
+ auth = "false";
+ }
+ ];
+ };
+ };
+
+ systemd.services.fix-media-permissions = {
+ enable = true;
+ description = "Fix media permissions and ownership";
+ wantedBy = ["multi-user.target"];
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "chown -R media:media /data/media && chmod -R g+rw,o-rwx /data/media";
+ WorkingDirectory = "/data/media";
+ Restart = "always";
+ };
+ };
+
+ # Configure nginx reverse proxy
+ services.nginx.virtualHosts = let
+ withPreset = domain:
+ lib.recursiveUpdate {
+ addSSL = true;
+ sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../../../secrets/ca.crt);
+ sslCertificateKey = config.sops.secrets."certificate-key-${domain}-tammena-me".path;
+ sslCertificate = pkgs.writeText "${domain}-tammena-me.crt" (builtins.readFile ../../../secrets/pub/${domain}-tammena-me.crt);
+
+ serverAliases = [
+ "${domain}.home"
+ ];
+ };
+ in {
+ "radarr.tammena.me" = withPreset "radarr" {
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:7878";
+ proxyWebsockets = true;
+ };
+ };
+ "sonarr.tammena.me" = withPreset "sonarr" {
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8989";
+ proxyWebsockets = true;
+ };
+ };
+ "downloadarr.tammena.me" = withPreset "downloadarr" {
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8080";
+ proxyWebsockets = true;
+ };
+ };
+ "webdav.tammena.me" = withPreset "webdav" {
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${builtins.toString webdavPort}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+
+ # Secrets
+ sops.secrets = let
+ conf = {
+ owner = config.users.users.nginx.name;
+ mode = "0400";
+ };
+ in {
+ certificate-key-radarr-tammena-me = conf;
+ certificate-key-sonarr-tammena-me = conf;
+ certificate-key-downloadarr-tammena-me = conf;
+ certificate-key-webdav-tammena-me = conf;
+ };
+}
diff --git a/secrets/hosts/faunus-ater/secrets.yaml b/secrets/hosts/faunus-ater/secrets.yaml
index 512afc7..6a6f629 100644
--- a/secrets/hosts/faunus-ater/secrets.yaml
+++ b/secrets/hosts/faunus-ater/secrets.yaml
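Review bot: The `fix-media-permissions` unit in hosts/faunus-ater/modules/media.nix will not apply the permissions its description promises, because systemd does not run `ExecStart` through a shell: `&&`, `chmod` and `g+rw,o-rwx` are handed to `chown` as extra file operands, so the `chmod` never runs as a command. The bare `chown` is also not a store path, and `Type = "simple"` with `Restart = "always"` makes systemd restart the job every time it exits. Since this unit is what strips world access (`o-rwx`) from /data/media, its failure leaves the existing modes in place; a oneshot unit with a `script` and coreutils on `path`, sketched below, expresses the intent. Separately, `services.webdav-server-rs` listens on `0.0.0.0` and `[::]` with `auth = "false"`, although nginx reaches it over 127.0.0.1; binding `server.listen` to loopback would keep the unauthenticated listener off the network regardless of firewall state.

```nix
systemd.services.fix-media-permissions = {
  # … unchanged: enable, description, wantedBy …
  path = [pkgs.coreutils];
  script = ''
    chown -R media:media /data/media
    chmod -R g+rw,o-rwx /data/media
  '';
  serviceConfig = {
    Type = "oneshot";
    WorkingDirectory = "/data/media";
  };
};
```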
@@ -18,6 +18,10 @@ certificate-key-cache-tammena-me: ENC[AES256_GCM,data:ieanG2LnohzctjLggzx1b1IVcx certificate-key-git-new-tammena-me: ENC[AES256_GCM,data:q7Qe3944XnHTzoFOfB6A7dnkYBBdVEF7f95u1wT2Xc1zXiQ3pSG/pzXc6FzM8uJGz0jGFfkD+BUII6PdXeEK1cMKCecEmAv2iQNz0BCwF0FkY4EQ3rlSokFvbbWu34W8NTnoT47KXBu/19DqGZOcODVWJkOJg3WMTm9tAy+sR3xn0MKPknU0Uhz9eOkZagYpwdyNj8coQhd8LCktKx85991MjnwcFOe3lzaYU97/7buDXUmzx51N1ztxR9ZNnTLjqKUtK+T+8uF9Z/+sSq6/40l4YaztMN8G44UFAAsiMRvKOx5w/gGaDeNSm+S5lPegcAo9vsUJCoOmOhN91KQPVFWri45yW0G5h+BIXgLzQQvKAIv+8CQwYYxYi5THyWffbAljIme4F3Otbse3J84=,iv:rbET3RxtYRKAeJFDsqPG/+j4VXU7kn39CVaREGsFI5A=,tag:2itjKPHUvt0B6Yt20LhRZA==,type:str] certificate-key-sea-tammena-me: ENC[AES256_GCM,data:OXDpH/4nh0y4IGw7KxI/NAFf0U0/dKHWJDKUGCnK/REx6A+HONH0LJ0eacH4eDMU6YUHOd/5qgzCOWx3bFb4pt0j6jAW2mED76r8+n8ojmyYslo1rnJhJcrCNetPRHRgqDoI3PZqqISMfqZ7eJ8XmuyET/HVxsL8h2IA3jTa6e9P8BRjcQREkzAuomzn4s97xu8jT9exmEzN8AxrovSBju9CkSOk/WJcaDP9B1JNCKRCRwj5OfvJVMtMvDw0FdTM6hC883NGSr6dsklS8Zee3LGBoeZm+3X725WamvC4YSeHyVVljDVWQhGu82QzljOq/Im82gwmVljslI+lcLP9rsStiztZC7BY3uWG/Hp9cZuBVNhL4gTgLQzMHkbAQ9zvBlyu9k7NlG+Gs4R6bZk=,iv:WU42jGKUakz5LnCWMIDsHDfTqiukVRWPczNl3SaXKRQ=,tag:WX38fXZvcXLYvd+QwN8Www==,type:str] certificate-key-s3-tammena-me: ENC[AES256_GCM,data:JtR5CaUgJCkHJafMnVwDhYNM+y/jnwNjXJV7c5QqRErTqLrRImUa/TALMAs+CnUqSQmDY+35kqp7LFrwQzEwc4dXyfKtEeE795HOP/hL2G2EpW8WiJMLE0ai/EZz9ZEiF++V72rtQRdf03OgrS2n/gNHDL2unEi34rNkFTmUXG3BCfpIBP6GqRGvOdAd97dQBHB/XHF5Xd9GFWuU7LW0RfstB8D+C9Q/JngXvEX6XDPodNzXaQVoI+uMqHaJLMUhYhgnoSiWFK4IYVLxhsRKYdSO4ysTkEkp+oGTE3mgwpxaAqNANKkaFuvCYjDwJSsE84MkoRRVcpFbwh3OsuFs0PmiO1zI1DjyrjwahD9JrCX8w/4xyuijIK+jehaOhK8ZKcDd3+9iIMq0F5ZjVKY=,iv:KuKYtzb55ABgnJ4ad4amww6Phcbe7K20df94LqPKToE=,tag:S4hh2ionWvrhuBS3pGPXdg==,type:str] +certificate-key-radarr-tammena-me: 
ENC[AES256_GCM,data:tfe+NM6amAYW/cBHSSIxsUFVVhfjNOoiHk46l9z9P7XfjPVsusR9BdSOzwvkVdb/3LqlFILUTsbndmx+eGD5psPj6GCBpgN5hsW62ii3HBtf24Q1fUBOvFyMbiN4qKLYx2CvOj80FxYods3+W5ebYWXmPoqcgyRG2sZNlCJcwRdtfPzoupe9e7D2azo3bR3xHjbhndbvyZ9zd7BWYiR6w70D1SZ8VapJv7vw809rlx5r+adYzXRFNcoRUTV1mqkjdGZFb6O83WAwT/BIaHOXQ+NFMTuO5A1KtCBGQ6fccDcge2dORMrw9P4ff/Y+YWsKN0cle3xrO7WorEdw+MFuqhXfvw9wQGFJfSrRH/dBcD4v0LZA57SbUqvjFkHhA+0CHoKvf1TTaSwsx7DiqRY=,iv:hC3X7kFAKdZtyPc+pJ8n27R2qktIKI1kQlwc19BbvZ0=,tag:tFaFAwVFsZaXoIMw5CLPYw==,type:str] +certificate-key-sonarr-tammena-me: ENC[AES256_GCM,data:WmzTf2ywMCWx6SrnOJFSgEwy8WCJKZtCynMea7cPFzHxMDbgvJmBjsoXVs06mdFx5UbHGMy9+mCCoz+AIDhzrGV27u0zrxzpxZirQk4fEY/7E6/JwOe8PHFp1T5E7JskM+zRrbSOppUR0dlp18raHu7XXPTKPrYHSwjpJzUjxjHeKY+YRaCBM/ayplskDzvK7ZNtJPt95DUYECXBBPNakFEt+oKpgCGAd3zpBWb/VfoEgePMMuSrIUWQxthQVWUAn74+Ceo2Ht19W/Fi8MDL21KFTxd3UTdEU9R2OzTDOY8twHQhDtnPEa3BgRr3u3AEs1px93GSytVSFTvmbHBhp94rZLaxippm74p1zN1uf4qQha3Hi/yH5snUxZLOhbn6gRrsGV5DF8YUvr88kZ4=,iv:K5mZURc5wF8aph1SO9TRutVrvxKMnEjOPAp/cBhyHxQ=,tag:jIY9XcCe00benmXK7Ubxaw==,type:str] +certificate-key-downloadarr-tammena-me: ENC[AES256_GCM,data:BqXzsbgq1Ir9jNFONg4YjDYjpfu5fa3/ZyE+NutU60gc9SBTPam/uT70ml65QS6OoKSw5cz/z1YjowUpfXIKuasMe2VVFPreHEMwV0vKRHOXvSIrJS58YEDKQYi1ROgfZz5JPkbvtdsOLPdEmYuBKqcLuVZg69IzoRFWi47Guiwlj3hwL40AHrOOZC0YZdb749LqrveuuO2qImku4Bl4hDn0px5nVm56AZKuqhgxWeN9gQNoFIT+1bIG+3WN04/vijP2ect/OtHs+6MSNtnZ+ayNm6Y6ilSIEnJsW4+jyefv/GEPQmXN3oQnIBcyvVXjmgmIT5aQbU6B6uMOFtmDy8qfoGrAGcPYPq2DRln79hUGzqTcwOjpTQ2jr0eAqqBj30GSR8MgrIKCz7tOaN4=,iv:OLST42go9AxZ2PvcWp5oNIrhDBkLYeKvZukF5saLzrQ=,tag:R9gmKx7un3531uc8PM0gtg==,type:str] +certificate-key-webdav-tammena-me: 
ENC[AES256_GCM,data:XdX1uSK5H/8SnqrLraTEY++2a5YUy5H67XM+7ap2F7Y6bShxHWTUrb0MK/d/ZX5SM9F1NCchPyJPeI2gFCqxVWkFmvt6b4q3TyleLX3LCAHHcESvwc3HCNiMs4ceFPlHheJRzc5dExoGFZ34ARYd2zaIPvWVcsN06XhaoShjVUEcD7EOrzZL57GTS6Gx2RbTfXn/eqXS8wWpFSIZiGk7ZLJYjyS29+NUIQue/UZU4ygbmZfMe5tDDshRxA0gVg7RVBVF5hcyaanSDZ5OIVPXC+NdbpNKOKcFCJJp47ZZvqBcYoKNCEmvS6gt8j22MqbFCE5Kgb1fe9b/vqSikDDoWygQdXhopX6jPKBGbLCNltnGwhs8xFeoU1INDAKOTqbC7hoT90QZwzIQMCxPIkQ=,iv:Fz2uYJnE2Y5cBzqDuKfAKRiHS7grN9QMEI0ZJdBO/2c=,tag:p+gBcWuOpNy0/IsUmRpEuQ==,type:str] sops: kms: [] gcp_kms: [] @@ -33,8 +37,8 @@ sops: ZzFxdmlXaTRCY2tUZndBSDlNeUVROVUKH1CxbcdwHR3ELn9YlGvO6YbGGg++wGZv 97ez/ErXEOq/6IF6HzV3I9BsVV4WCJI2VTP8Lbiwt59qg5riH7CGJQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-02-03T21:51:12Z" - mac: ENC[AES256_GCM,data:2t8P8TWN8nre0EcI0JFeyyl83b06p/qvJ2XE1R1ZuM7tqAZ5jTz9p4h/jfMrB+99xF5oITRfcfPm8V074JlLmCWY1Cw+KISUaRIBSJA4VUFS8vRdeN3pcyr6VyaNJi3bE2ifSImbaDElSk7qqiWygyUQ+mpTVZRu4S8GzGnMlM4=,iv:6X61PrN2wmk96w/3whl3YOBRTCJFnwd4fZMm5VObUP4=,tag:DeVPUDdEgYpV2F0wG/pdPw==,type:str] + lastmodified: "2024-02-14T19:58:57Z" + mac: ENC[AES256_GCM,data:whz4sDU2krj59xgnFTgGgM81so7FJL2oiMaDvd/hij1/oZfCExkrxtbn5LkL8qC1bjtvxGIm/JZOTVWdcTi1hWqkOCmEEKMjRqz80B9vEc+RU8z0PnWV4Kw/TMYtfejyGjbimBcwRYOkqMa8QpmrN+GAPxvqHwSWwp0rCnIMSLg=,iv:4lJthEOjh3AVTl4NegSp6q0Xr4zSHRfMxbIi8qpCoPY=,tag:YHYn1y+mXaQUaU4X6IRbwA==,type:str] pgp: - created_at: "2023-11-06T16:58:30Z" enc: | diff --git a/secrets/pub/downloadarr-tammena-me.crt b/secrets/pub/downloadarr-tammena-me.crt new file mode 100644 index 0000000..a079d8e --- /dev/null +++ b/secrets/pub/downloadarr-tammena-me.crt 
@@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBwzCCAWmgAwIBAgIUSoxKFhpY+VGuCWj9qm7qlzjJzL0wCgYIKoZIzj0EAwIw +FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yNDAyMTQxOTU4MjZaFw0yNTAyMTMx +OTU4MjZaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH +A0IABLAEUT0xA+ntRpFvBDBU9dpBsw/QzMt8kSJPq6d8oSDH8pzEekN0uB08Wwsv +Yfa9kEV3ZUDeQv7sZ5m3kL1upTSjgZowgZcwCwYDVR0PBAQDAgXgMBMGA1UdJQQM +MAoGCCsGAQUFBwMBMDMGA1UdEQQsMCqCFmRvd25sb2FkYXJyLnRhbW1lbmEubWWC +EGRvd25sb2FkYXJyLmhvbWUwHQYDVR0OBBYEFH8s4HQx3eBOG9IG9BE6vpvFD03h +MB8GA1UdIwQYMBaAFAD63A/bJrL4LdckOxmyIq1lmU+rMAoGCCqGSM49BAMCA0gA +MEUCIG+mGyVxMsxB6Mix4o+EFz/lzr/HPcWxBc6u46wYe/ZbAiEAsQU0q4VdlDXt +JrvY3yHuvGUr4GawWRrK3CcqoSBWBxs= +-----END CERTIFICATE----- diff --git a/secrets/pub/radarr-tammena-me.crt b/secrets/pub/radarr-tammena-me.crt new file mode 100644 index 0000000..0b151bc --- /dev/null +++ b/secrets/pub/radarr-tammena-me.crt @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBuTCCAV+gAwIBAgIURXN2OooE9eoH6xGSURIfIk/f2IswCgYIKoZIzj0EAwIw +FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yNDAyMTQxOTU3NDNaFw0yNTAyMTMx +OTU3NDNaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH +A0IABNRtzObAIgnUvjd2Zov7HB945axUwKi8wPF/T9VdTxMONtTlev+BuXe5koWg +Q3eVEaBlHcNIJ5o+05ADuor866CjgZAwgY0wCwYDVR0PBAQDAgXgMBMGA1UdJQQM +MAoGCCsGAQUFBwMBMCkGA1UdEQQiMCCCEXJhZGFyci50YW1tZW5hLm1lggtyYWRh +cnIuaG9tZTAdBgNVHQ4EFgQU5w6u9YNWgecvosbHFiKjhySX04kwHwYDVR0jBBgw +FoAUAPrcD9smsvgt1yQ7GbIirWWZT6swCgYIKoZIzj0EAwIDSAAwRQIgFUMJIBoT +V5iOxsNjjMrkeoDxouao981UPX+YaZml1dICIQDJKhhIQsiQ5Uo3NW+850l+DXbh +KVkZfXHicM9w/ch2Mg== +-----END CERTIFICATE----- diff --git a/secrets/pub/sonarr-tammena-me.crt b/secrets/pub/sonarr-tammena-me.crt new file mode 100644 index 0000000..2d1005e --- /dev/null +++ b/secrets/pub/sonarr-tammena-me.crt 
@@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBuTCCAV+gAwIBAgIUJN/8AWA73ShfrprLZGITXppM3UkwCgYIKoZIzj0EAwIw +FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yNDAyMTQxOTU3NTVaFw0yNTAyMTMx +OTU3NTVaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH +A0IABD1hRNrqtgucT8kdYLRxgk2hUKCVA7/HheoHCHtBIIDbTPbC/7tiEYrMd2Rh ++KdNnbzcrUOvy5uCRaMMBlgGmwujgZAwgY0wCwYDVR0PBAQDAgXgMBMGA1UdJQQM +MAoGCCsGAQUFBwMBMCkGA1UdEQQiMCCCEXNvbmFyci50YW1tZW5hLm1lggtzb25h +cnIuaG9tZTAdBgNVHQ4EFgQUL7+M0buDgYhFF72bApsRZ56ylNMwHwYDVR0jBBgw +FoAUAPrcD9smsvgt1yQ7GbIirWWZT6swCgYIKoZIzj0EAwIDSAAwRQIgZqkrrJAU +hl5I05D3lBH81RtzXRlbVV+Ozn/0bwWVo7ACIQD4Zwkcx2kgbV2mnG+Wr+Za6CVm +VBWDmNGBRUifiismbg== +-----END CERTIFICATE----- diff --git a/secrets/pub/webdav-tammena-me.crt b/secrets/pub/webdav-tammena-me.crt new file mode 100644 index 0000000..56c2587 --- /dev/null +++ b/secrets/pub/webdav-tammena-me.crt @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBuTCCAV+gAwIBAgIUb+NHRZVtmKOK7iPSGfrcqwmWYQgwCgYIKoZIzj0EAwIw +FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yNDAyMTQxOTU4NTZaFw0yNTAyMTMx +OTU4NTZaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH +A0IABH/TTHf2/WEo8tkJUNRn2sORJ6dFUjUQzqN7cvIdtvIpMcT//EX7FEd0P/ks +fHQTLSemQXQ6o0xewSxCIC9R8eejgZAwgY0wCwYDVR0PBAQDAgXgMBMGA1UdJQQM +MAoGCCsGAQUFBwMBMCkGA1UdEQQiMCCCEXdlYmRhdi50YW1tZW5hLm1lggt3ZWJk +YXYuaG9tZTAdBgNVHQ4EFgQU0/3nZzlhnBPCN1QO+1Q1NUjBWz8wHwYDVR0jBBgw +FoAUAPrcD9smsvgt1yQ7GbIirWWZT6swCgYIKoZIzj0EAwIDSAAwRQIhAJlLhIjN +I2GKLRkv7X20vS5ShE+n2Q2ANmymFqyqbTUhAiA0yJAyKoSiyv1RN2Ggsd7VxxyO +3+Y6UuYu/nn/Sc9S2w== +-----END CERTIFICATE-----