plasmagoat/homelab
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

auth machine

Browse source
This commit is contained in:
plasmagoat 2025-07-16 02:10:31 +02:00
parent 98dce86882
commit 851a9e18db
34 changed files with 2383 additions and 99 deletions
Download patch file Download diff file Expand all files Collapse all files

44
nixos/hosts/media/exportarr.nix
View file

@ -1,44 +0,0 @@
{config, ...}: {
services.prometheus.exporters.exportarr-sonarr = {
enable = true;
url = "http://media.lab:8989";
port = 9707;
openFirewall = true;
apiKeyFile = config.sops.secrets.sonarr-api-key.path;
};
services.prometheus.exporters.exportarr-readarr = {
enable = true;
url = "http://media.lab:8787";
port = 9708;
openFirewall = true;
apiKeyFile = config.sops.secrets.readarr-api-key.path;
};
services.prometheus.exporters.exportarr-radarr = {
enable = true;
url = "http://media.lab:7878";
port = 9709;
openFirewall = true;
apiKeyFile = config.sops.secrets.radarr-api-key.path;
};
services.prometheus.exporters.exportarr-prowlarr = {
enable = true;
url = "http://media.lab:9696";
port = 9710;
openFirewall = true;
apiKeyFile = config.sops.secrets.prowlarr-api-key.path;
};
services.prometheus.exporters.exportarr-lidarr = {
enable = true;
url = "http://media.lab:8686";
port = 9711;
openFirewall = true;
apiKeyFile = config.sops.secrets.lidarr-api-key.path;
};
services.prometheus.exporters.exportarr-bazarr = {
enable = true;
url = "http://media.lab:6767";
port = 9712;
openFirewall = true;
apiKeyFile = config.sops.secrets.bazarr-api-key.path;
};
}

3
nixos/hosts/media/host.nix
View file

@ -5,8 +5,7 @@
./networking.nix
./storage.nix
./nixarr.nix
./exportarr.nix
./jellyfin-exporter.nix
./sops.nix
./modules/monitoring.nix
];
}

8
nixos/hosts/media/jellyfin-exporter.nix
View file

@ -1,8 +0,0 @@
{config, ...}: {
services.prometheus.exporters.json = {
enable = true;
configFile = config.sops.secrets.jellyfin-exporter-config.path;
openFirewall = true;
user = "jellyfin";
};
}

98
nixos/hosts/media/lib/api-keys.nix Normal file
View file

@ -0,0 +1,98 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.nixarr;
# Helper to create API key extraction for a service
mkApiKeyExtractor = serviceName: serviceConfig: {
description = "Extract ${serviceName} API key";
after = ["${serviceName}.service"];
requires = ["${serviceName}.service"];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
# Use DynamicUser if the parent service does
DynamicUser = serviceConfig.serviceConfig.DynamicUser or false;
# Only set User if not using DynamicUser
${
if !(serviceConfig.serviceConfig.DynamicUser or false)
then "User"
else null
} =
serviceConfig.user or null;
Group = "${serviceName}-api";
UMask = "0027"; # Results in 0640 permissions
ExecStartPre = [
"${pkgs.coreutils}/bin/mkdir -p ${cfg.stateDir}/api-keys"
"${pkgs.coreutils}/bin/chown root:${serviceName}-api ${cfg.stateDir}/api-keys"
"${pkgs.coreutils}/bin/chmod 750 ${cfg.stateDir}/api-keys"
# Wait for config file to exist
"${pkgs.bash}/bin/bash -c 'while [ ! -f ${serviceConfig.stateDir}/config.xml ]; do sleep 1; done'"
];
# Bazarr api key is located a different place...
ExecStart = pkgs.writeShellScript "extract-${serviceName}-api-key" ''
${pkgs.dasel}/bin/dasel -f "${serviceConfig.stateDir}/config.xml" \
-s ".Config.ApiKey" | tr -d '\n\r' > "${cfg.stateDir}/api-keys/${serviceName}.key"
chown $USER:${serviceName}-api "${cfg.stateDir}/api-keys/${serviceName}.key"
'';
};
};
in {
config = mkIf cfg.enable {
# Create per-service API key groups
users.groups = mkMerge [
(mkIf cfg.sonarr.enable {sonarr-api = {};})
(mkIf cfg.radarr.enable {radarr-api = {};})
(mkIf cfg.lidarr.enable {lidarr-api = {};})
(mkIf cfg.readarr.enable {readarr-api = {};})
(mkIf cfg.prowlarr.enable {prowlarr-api = {};})
# (mkIf cfg.bazarr.enable {bazarr-api = {};})
];
# Add services that need API keys to their respective groups
users.users = mkMerge [
# Static users
(mkIf cfg.transmission.enable {
transmission.extraGroups = optional cfg.prowlarr.enable "prowlarr-api";
})
(mkIf cfg.transmission.privateTrackers.cross-seed.enable {
cross-seed.extraGroups = optional cfg.prowlarr.enable "prowlarr-api";
})
];
# Add api groups to services with DynamicUser
systemd.services = mkMerge [
(mkIf cfg.sonarr.enable {sonarr.serviceConfig.SupplementaryGroups = ["sonarr-api"];})
(mkIf cfg.radarr.enable {radarr.serviceConfig.SupplementaryGroups = ["radarr-api"];})
(mkIf cfg.lidarr.enable {lidarr.serviceConfig.SupplementaryGroups = ["lidarr-api"];})
(mkIf cfg.readarr.enable {readarr.serviceConfig.SupplementaryGroups = ["readarr-api"];})
(mkIf cfg.prowlarr.enable {prowlarr.serviceConfig.SupplementaryGroups = ["prowlarr-api"];})
# (mkIf cfg.bazarr.enable {bazarr.serviceConfig.SupplementaryGroups = ["bazarr-api"];})
(mkIf cfg.recyclarr.enable {
recyclarr.serviceConfig.SupplementaryGroups =
(optional cfg.sonarr.enable "sonarr-api")
++ (optional cfg.radarr.enable "radarr-api");
})
# Create API key extractors for enabled services
(mkIf cfg.sonarr.enable {"sonarr-api-key" = mkApiKeyExtractor "sonarr" cfg.sonarr;})
(mkIf cfg.radarr.enable {"radarr-api-key" = mkApiKeyExtractor "radarr" cfg.radarr;})
(mkIf cfg.lidarr.enable {"lidarr-api-key" = mkApiKeyExtractor "lidarr" cfg.lidarr;})
(mkIf cfg.readarr.enable {"readarr-api-key" = mkApiKeyExtractor "readarr" cfg.readarr;})
(mkIf cfg.prowlarr.enable {"prowlarr-api-key" = mkApiKeyExtractor "prowlarr" cfg.prowlarr;})
# (mkIf cfg.bazarr.enable {"bazarr-api-key" = mkApiKeyExtractor "bazarr" cfg.bazarr;})
];
# Create the api-keys directory
systemd.tmpfiles.rules = [
"d ${cfg.stateDir}/api-keys 0750 root root - -"
];
};
}

266
nixos/hosts/media/modules/monitoring.nix Normal file
View file

@ -0,0 +1,266 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.nixarr;
# Helper to determine if an exporter should be enabled
shouldEnableExporter = service:
cfg.${service}.enable
&& (cfg.${service}.exporter.enable == null || cfg.${service}.exporter.enable);
in {
imports = [../lib/api-keys.nix];
options = {
nixarr = {
exporters = {
enable = mkEnableOption "Enable Prometheus exporters for all supported nixarr services";
};
sonarr.exporter = {
enable = mkOption {
type = types.nullOr types.bool;
default = null;
description = ''
Whether to enable the Sonarr Prometheus exporter.
- null: enable if exporters.enable is true and sonarr service is enabled (default)
- true: force enable if exporters.enable is true
- false: always disable
'';
};
port = mkOption {
type = types.port;
default = 9707;
description = "Port for Sonarr metrics";
};
listenAddr = mkOption {
type = types.str;
default = "0.0.0.0";
description = ''
Address for Sonarr exporter to listen on.
'';
};
};
radarr.exporter = {
enable = mkOption {
type = types.nullOr types.bool;
default = null;
description = ''
Whether to enable the Radarr Prometheus exporter.
- null: enable if exporters.enable is true and radarr service is enabled (default)
- true: force enable if exporters.enable is true
- false: always disable
'';
};
port = mkOption {
type = types.port;
default = 9708;
description = "Port for Radarr metrics";
};
listenAddr = mkOption {
type = types.str;
default = "0.0.0.0";
description = ''
Address for Radarr exporter to listen on.
'';
};
};
lidarr.exporter = {
enable = mkOption {
type = types.nullOr types.bool;
default = null;
description = ''
Whether to enable the Lidarr Prometheus exporter.
- null: enable if exporters.enable is true and lidarr service is enabled (default)
- true: force enable if exporters.enable is true
- false: always disable
'';
};
port = mkOption {
type = types.port;
default = 9709;
description = "Port for Lidarr metrics";
};
listenAddr = mkOption {
type = types.str;
default = "0.0.0.0";
description = ''
Address for Lidarr exporter to listen on.
'';
};
};
readarr.exporter = {
enable = mkOption {
type = types.nullOr types.bool;
default = null;
description = ''
Whether to enable the Readarr Prometheus exporter.
- null: enable if exporters.enable is true and readarr service is enabled (default)
- true: force enable if exporters.enable is true
- false: always disable
'';
};
port = mkOption {
type = types.port;
default = 9710;
description = "Port for Readarr metrics";
};
listenAddr = mkOption {
type = types.str;
default = "0.0.0.0";
description = ''
Address for Readarr exporter to listen on.
'';
};
};
prowlarr.exporter = {
enable = mkOption {
type = types.nullOr types.bool;
default = null;
description = ''
Whether to enable the Prowlarr Prometheus exporter.
- null: enable if exporters.enable is true and prowlarr service is enabled (default)
- true: force enable if exporters.enable is true
- false: always disable
'';
};
port = mkOption {
type = types.port;
default = 9711;
description = "Port for Prowlarr metrics";
};
listenAddr = mkOption {
type = types.str;
default = "0.0.0.0";
description = ''
Address for Prowlarr exporter to listen on.
'';
};
};
bazarr.exporter = {
enable = mkOption {
type = types.nullOr types.bool;
default = null;
description = ''
Whether to enable the Bazarr Prometheus exporter.
- null: enable if exporters.enable is true and bazarr service is enabled (default)
- true: force enable if exporters.enable is true
- false: always disable
'';
};
port = mkOption {
type = types.port;
default = 9712;
description = "Port for Bazarr metrics";
};
listenAddr = mkOption {
type = types.str;
default = "0.0.0.0";
description = ''
Address for Bazarr exporter to listen on.
'';
};
};
};
};
config = mkIf (cfg.enable && cfg.exporters.enable) {
# Configure Prometheus exporters
services.prometheus = {
exporters = {
# Enable exportarr for each supported service if it's enabled
exportarr-sonarr = mkIf (shouldEnableExporter "sonarr") {
enable = true;
url = "http://127.0.0.1:8989";
apiKeyFile = "${cfg.stateDir}/api-keys/sonarr.key";
port = cfg.sonarr.exporter.port;
listenAddress = cfg.sonarr.exporter.listenAddr;
openFirewall = true;
};
exportarr-radarr = mkIf (shouldEnableExporter "radarr") {
enable = true;
url = "http://127.0.0.1:7878";
apiKeyFile = "${cfg.stateDir}/api-keys/radarr.key";
port = cfg.radarr.exporter.port;
listenAddress = cfg.radarr.exporter.listenAddr;
openFirewall = true;
};
exportarr-lidarr = mkIf (shouldEnableExporter "lidarr") {
enable = true;
url = "http://127.0.0.1:8686";
apiKeyFile = "${cfg.stateDir}/api-keys/lidarr.key";
port = cfg.lidarr.exporter.port;
listenAddress = cfg.lidarr.exporter.listenAddr;
openFirewall = true;
};
exportarr-readarr = mkIf (shouldEnableExporter "readarr") {
enable = true;
url = "http://127.0.0.1:8787";
apiKeyFile = "${cfg.stateDir}/api-keys/readarr.key";
port = cfg.readarr.exporter.port;
listenAddress = cfg.readarr.exporter.listenAddr;
openFirewall = true;
};
exportarr-prowlarr = mkIf (shouldEnableExporter "prowlarr") {
enable = true;
url = "http://127.0.0.1:9696";
apiKeyFile = "${cfg.stateDir}/api-keys/prowlarr.key";
port = cfg.prowlarr.exporter.port;
listenAddress = cfg.prowlarr.exporter.listenAddr;
openFirewall = true;
};
# exportarr-bazarr = mkIf (shouldEnableExporter "bazarr") {
# enable = true;
# url = "http://127.0.0.1:6767";
# apiKeyFile = "${cfg.stateDir}/api-keys/bazarr.key";
# port = cfg.bazarr.exporter.port; # 9712;
# openFirewall = true;
# };
};
};
# Add systemd services for VPN-confined exporters
systemd.services = mkMerge [
{
"prometheus-exportarr-sonarr-exporter" = mkIf (shouldEnableExporter "sonarr") {
after = ["sonarr-api-key.service"];
requires = ["sonarr-api-key.service"];
serviceConfig.SupplementaryGroups = ["sonarr-api"];
};
"prometheus-exportarr-radarr-exporter" = mkIf (shouldEnableExporter "radarr") {
after = ["radarr-api-key.service"];
requires = ["radarr-api-key.service"];
serviceConfig.SupplementaryGroups = ["radarr-api"];
};
"prometheus-exportarr-lidarr-exporter" = mkIf (shouldEnableExporter "lidarr") {
after = ["lidarr-api-key.service"];
requires = ["lidarr-api-key.service"];
serviceConfig.SupplementaryGroups = ["lidarr-api"];
};
"prometheus-exportarr-readarr-exporter" = mkIf (shouldEnableExporter "readarr") {
after = ["readarr-api-key.service"];
requires = ["readarr-api-key.service"];
serviceConfig.SupplementaryGroups = ["readarr-api"];
};
"prometheus-exportarr-prowlarr-exporter" = mkIf (shouldEnableExporter "prowlarr") {
after = ["prowlarr-api-key.service"];
requires = ["prowlarr-api-key.service"];
serviceConfig.SupplementaryGroups = ["prowlarr-api"];
};
# "prometheus-exportarr-bazarr-exporter" = mkIf (shouldEnableExporter "bazarr") {
# after = ["bazarr-api-key.service"];
# requires = ["bazarr-api-key.service"];
# serviceConfig.SupplementaryGroups = ["bazarr-api"];
# };
}
];
};
}

6
nixos/hosts/media/nixarr.nix
View file

@ -1,4 +1,8 @@
{config, ...}: {
services.sonarr.settings = {
auth.method = "External";
};
nixarr = {
enable = true;
# These two values are also the default, but you can set them to whatever
@ -34,6 +38,8 @@
sonarr.enable = true;
jellyseerr.enable = true;
exporters.enable = true;
recyclarr = {
enable = true;
configFile = ./recyclarr.yml;

30
nixos/hosts/media/sops.nix
View file

@ -4,36 +4,6 @@
mode = "0440";
};
sops.secrets.sonarr-api-key = {
sopsFile = ../../secrets/nixarr/secrets.yml;
mode = "0440";
};
sops.secrets.radarr-api-key = {
sopsFile = ../../secrets/nixarr/secrets.yml;
mode = "0440";
};
sops.secrets.readarr-api-key = {
sopsFile = ../../secrets/nixarr/secrets.yml;
mode = "0440";
};
sops.secrets.bazarr-api-key = {
sopsFile = ../../secrets/nixarr/secrets.yml;
mode = "0440";
};
sops.secrets.lidarr-api-key = {
sopsFile = ../../secrets/nixarr/secrets.yml;
mode = "0440";
};
sops.secrets.prowlarr-api-key = {
sopsFile = ../../secrets/nixarr/secrets.yml;
mode = "0440";
};
sops.secrets.jellyfin-exporter-config = {
sopsFile = ../../secrets/nixarr/secrets.yml;
owner = "jellyfin";

40
nixos/hosts/media/storage.nix
View file

@ -6,18 +6,52 @@
fileSystems."/data/media/library/shows" = {
device = "192.168.1.226:/volume1/Media/TV Shows";
fsType = "nfs4";
options = ["x-systemd.automount" "noatime" "_netdev"];
options = [
"x-systemd.automount" # Automount on first access
"noatime" # Don't update access times (performance)
"_netdev" # This is a network device; wait for network
"defaults" # Standard default options
"rw" # Read/write access
"hard" # Hard mount (retry indefinitely on error)
];
};
fileSystems."/data/media/library/movies" = {
device = "192.168.1.226:/volume1/Media/Movies";
fsType = "nfs4";
options = ["x-systemd.automount" "noatime" "_netdev"];
options = [
"x-systemd.automount" # Automount on first access
"noatime" # Don't update access times (performance)
"_netdev" # This is a network device; wait for network
"defaults" # Standard default options
"rw" # Read/write access
"hard" # Hard mount (retry indefinitely on error)
];
};
fileSystems."/data/media/torrents" = {
device = "192.168.1.226:/volume1/data/torrents";
fsType = "nfs4";
options = ["x-systemd.automount" "noatime" "_netdev"];
options = [
"x-systemd.automount" # Automount on first access
"noatime" # Don't update access times (performance)
"_netdev" # This is a network device; wait for network
"defaults" # Standard default options
"rw" # Read/write access
"hard" # Hard mount (retry indefinitely on error)
];
};
systemd.services = {
# jellyfin = {
# requires = ["data-media-library-movies.mount" "data-media-library-shows.mount"];
# after = ["data-media-library-movies.mount" "data-media-library-shows.mount"];
# onFailure = ["data-media-library-movies.mount" "data-media-library-shows.mount"];
# };
# transmission = {
# requires = ["data-media-torrents.mount"];
# after = ["data-media-torrents.mount"];
# onFailure = ["data-media-torrents.mount"];
# };
};
}