61 lines
1.6 KiB
Nix
61 lines
1.6 KiB
Nix
{
|
|
pkgs,
|
|
service_configs,
|
|
eth_interface,
|
|
config,
|
|
...
|
|
}:
|
|
{
|
|
# network namespace that is proxied through mullvad
|
|
vpnNamespaces.wg = {
|
|
enable = true;
|
|
wireguardConfigFile = config.age.secrets.wg0-conf.path;
|
|
accessibleFrom = [
|
|
# "192.168.0.0/24"
|
|
];
|
|
};
|
|
|
|
systemd.services."jellyfin-qbittorrent-monitor" = {
|
|
description = "Monitor Jellyfin streaming and control qBittorrent rate limits";
|
|
after = [
|
|
"network.target"
|
|
"jellyfin.service"
|
|
"qbittorrent.service"
|
|
"agenix.service"
|
|
];
|
|
requires = [ "agenix.service" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
serviceConfig = {
|
|
Type = "simple";
|
|
ExecStart = pkgs.writeShellScript "jellyfin-monitor-start" ''
|
|
export JELLYFIN_API_KEY=$(cat ${config.age.secrets.jellyfin-api-key.path})
|
|
exec ${
|
|
pkgs.python3.withPackages (ps: with ps; [ requests ])
|
|
}/bin/python ${./jellyfin-qbittorrent-monitor.py}
|
|
'';
|
|
Restart = "always";
|
|
RestartSec = "10s";
|
|
|
|
# Security hardening
|
|
DynamicUser = true;
|
|
NoNewPrivileges = true;
|
|
ProtectSystem = "strict";
|
|
ProtectHome = true;
|
|
ProtectKernelTunables = true;
|
|
ProtectKernelModules = true;
|
|
ProtectControlGroups = true;
|
|
MemoryDenyWriteExecute = true;
|
|
RestrictRealtime = true;
|
|
RestrictSUIDSGID = true;
|
|
RemoveIPC = true;
|
|
};
|
|
|
|
environment = {
|
|
JELLYFIN_URL = "http://localhost:${builtins.toString service_configs.ports.jellyfin}";
|
|
QBITTORRENT_URL = "http://${service_configs.https.wg_ip}:${builtins.toString service_configs.ports.torrent}";
|
|
CHECK_INTERVAL = "30";
|
|
};
|
|
};
|
|
}
|