add arr stack (sonarr, radarr, bazarr, prowlarr, jellyseerr)

2026-02-18 03:06:06 -05:00
parent 9b715ba110
commit e77a6cbfcf
7 changed files with 218 additions and 0 deletions
--- a/configuration.nix
+++ b/configuration.nix
@@ -32,6 +32,12 @@
    ./services/jellyfin-qbittorrent-monitor.nix
    ./services/bitmagnet.nix

+    ./services/prowlarr.nix
+    ./services/sonarr.nix
+    ./services/radarr.nix
+    ./services/bazarr.nix
+    ./services/jellyseerr.nix
+
    ./services/soulseek.nix

    ./services/ups.nix
@@ -192,6 +198,7 @@
    hostName = hostname;
    hostId = "0f712d56";
    firewall.enable = true;
+    firewall.trustedInterfaces = [ "wg-br" ];
    useDHCP = false;
    enableIPv6 = false;

--- a/flake.nix
+++ b/flake.nix
@@ -125,6 +125,11 @@
          ntfy = 2586;
          livekit = 7880;
          lk_jwt = 8081;
+          prowlarr = 9696;
+          sonarr = 8989;
+          radarr = 7878;
+          bazarr = 6767;
+          jellyseerr = 5055;
        };

        https = {
@@ -193,6 +198,31 @@
          signalBackupDir = "/${zpool_ssds}/bak/signal";
          grayjayBackupDir = "/${zpool_ssds}/bak/grayjay";
        };
+
+        sonarr = {
+          dataDir = services_dir + "/sonarr";
+        };
+
+        radarr = {
+          dataDir = services_dir + "/radarr";
+        };
+
+        prowlarr = {
+          dataDir = services_dir + "/prowlarr";
+        };
+
+        bazarr = {
+          dataDir = services_dir + "/bazarr";
+        };
+
+        jellyseerr = {
+          configDir = services_dir + "/jellyseerr";
+        };
+
+        media = {
+          moviesDir = torrents_path + "/media/movies";
+          tvDir = torrents_path + "/media/tv";
+        };
      };

      pkgs = import nixpkgs {
--- a/services/bazarr.nix
+++ b/services/bazarr.nix
@@ -0,0 +1,34 @@
+{
+  pkgs,
+  config,
+  service_configs,
+  lib,
+  ...
+}:
+{
+  imports = [
+    (lib.serviceMountWithZpool "bazarr" service_configs.zpool_ssds [
+      service_configs.bazarr.dataDir
+    ])
+    (lib.serviceMountWithZpool "bazarr" service_configs.zpool_hdds [
+      service_configs.torrents_path
+    ])
+    (lib.serviceFilePerms "bazarr" [
+      "Z ${service_configs.bazarr.dataDir} 0700 ${config.services.bazarr.user} ${config.services.bazarr.group}"
+    ])
+  ];
+
+  services.bazarr = {
+    enable = true;
+    listenPort = service_configs.ports.bazarr;
+  };
+
+  services.caddy.virtualHosts."bazarr.${service_configs.https.domain}".extraConfig = ''
+    import ${config.age.secrets.caddy_auth.path}
+    reverse_proxy :${builtins.toString service_configs.ports.bazarr}
+  '';
+
+  users.users.${config.services.bazarr.user}.extraGroups = [
+    service_configs.media_group
+  ];
+}
--- a/services/jellyseerr.nix
+++ b/services/jellyseerr.nix
@@ -0,0 +1,43 @@
+{
+  pkgs,
+  config,
+  service_configs,
+  lib,
+  ...
+}:
+{
+  imports = [
+    (lib.serviceMountWithZpool "jellyseerr" service_configs.zpool_ssds [
+      service_configs.jellyseerr.configDir
+    ])
+    (lib.serviceFilePerms "jellyseerr" [
+      "Z ${service_configs.jellyseerr.configDir} 0700 jellyseerr jellyseerr"
+    ])
+  ];
+
+  services.jellyseerr = {
+    enable = true;
+    port = service_configs.ports.jellyseerr;
+    configDir = service_configs.jellyseerr.configDir;
+  };
+
+  systemd.services.jellyseerr.serviceConfig = {
+    DynamicUser = lib.mkForce false;
+    User = "jellyseerr";
+    Group = "jellyseerr";
+    ReadWritePaths = [ service_configs.jellyseerr.configDir ];
+  };
+
+  users.users.jellyseerr = {
+    isSystemUser = true;
+    group = "jellyseerr";
+    home = service_configs.jellyseerr.configDir;
+  };
+
+  users.groups.jellyseerr = { };
+
+  services.caddy.virtualHosts."jellyseerr.${service_configs.https.domain}".extraConfig = ''
+    import ${config.age.secrets.caddy_auth.path}
+    reverse_proxy :${builtins.toString service_configs.ports.jellyseerr}
+  '';
+}
--- a/services/prowlarr.nix
+++ b/services/prowlarr.nix
@@ -0,0 +1,26 @@
+{
+  pkgs,
+  service_configs,
+  config,
+  lib,
+  ...
+}:
+{
+  imports = [
+    (lib.serviceMountWithZpool "prowlarr" service_configs.zpool_ssds [
+      service_configs.prowlarr.dataDir
+    ])
+    (lib.vpnNamespaceOpenPort service_configs.ports.prowlarr "prowlarr")
+  ];
+
+  services.prowlarr = {
+    enable = true;
+    dataDir = service_configs.prowlarr.dataDir;
+    settings.server.port = service_configs.ports.prowlarr;
+  };
+
+  services.caddy.virtualHosts."prowlarr.${service_configs.https.domain}".extraConfig = ''
+    import ${config.age.secrets.caddy_auth.path}
+    reverse_proxy ${config.vpnNamespaces.wg.namespaceAddress}:${builtins.toString service_configs.ports.prowlarr}
+  '';
+}
--- a/services/radarr.nix
+++ b/services/radarr.nix
@@ -0,0 +1,36 @@
+{
+  pkgs,
+  config,
+  service_configs,
+  lib,
+  ...
+}:
+{
+  imports = [
+    (lib.serviceMountWithZpool "radarr" service_configs.zpool_ssds [
+      service_configs.radarr.dataDir
+    ])
+    (lib.serviceMountWithZpool "radarr" service_configs.zpool_hdds [
+      service_configs.torrents_path
+    ])
+    (lib.serviceFilePerms "radarr" [
+      "Z ${service_configs.radarr.dataDir} 0700 ${config.services.radarr.user} ${config.services.radarr.group}"
+    ])
+  ];
+
+  services.radarr = {
+    enable = true;
+    dataDir = service_configs.radarr.dataDir;
+    settings.server.port = service_configs.ports.radarr;
+    settings.update.mechanism = "external";
+  };
+
+  services.caddy.virtualHosts."radarr.${service_configs.https.domain}".extraConfig = ''
+    import ${config.age.secrets.caddy_auth.path}
+    reverse_proxy :${builtins.toString service_configs.ports.radarr}
+  '';
+
+  users.users.${config.services.radarr.user}.extraGroups = [
+    service_configs.media_group
+  ];
+}
--- a/services/sonarr.nix
+++ b/services/sonarr.nix
@@ -0,0 +1,42 @@
+{
+  pkgs,
+  config,
+  service_configs,
+  lib,
+  ...
+}:
+{
+  imports = [
+    (lib.serviceMountWithZpool "sonarr" service_configs.zpool_ssds [
+      service_configs.sonarr.dataDir
+    ])
+    (lib.serviceMountWithZpool "sonarr" service_configs.zpool_hdds [
+      service_configs.torrents_path
+    ])
+    (lib.serviceFilePerms "sonarr" [
+      "Z ${service_configs.sonarr.dataDir} 0700 ${config.services.sonarr.user} ${config.services.sonarr.group}"
+    ])
+  ];
+
+  systemd.tmpfiles.rules = [
+    "d /torrents/media 2775 root ${service_configs.media_group} -"
+    "d ${service_configs.media.tvDir} 2775 root ${service_configs.media_group} -"
+    "d ${service_configs.media.moviesDir} 2775 root ${service_configs.media_group} -"
+  ];
+
+  services.sonarr = {
+    enable = true;
+    dataDir = service_configs.sonarr.dataDir;
+    settings.server.port = service_configs.ports.sonarr;
+    settings.update.mechanism = "external";
+  };
+
+  services.caddy.virtualHosts."sonarr.${service_configs.https.domain}".extraConfig = ''
+    import ${config.age.secrets.caddy_auth.path}
+    reverse_proxy :${builtins.toString service_configs.ports.sonarr}
+  '';
+
+  users.users.${config.services.sonarr.user}.extraGroups = [
+    service_configs.media_group
+  ];
+}