diff --git a/machines/NixOS-CT/default.nix b/machines/NixOS-CT/default.nix
index cb18b77..89a3ad8 100644
--- a/machines/NixOS-CT/default.nix
+++ b/machines/NixOS-CT/default.nix
@@ -12,6 +12,8 @@
 roundcube
 seafile
 vaultwarden
+
+ media-stack
 ];
 
 deviceSpecific.devInfo = {
diff --git a/profiles/servers/media-stack/bazarr.nix b/profiles/servers/media-stack/bazarr.nix
new file mode 100644
index 0000000..8bad096
--- /dev/null
+++ b/profiles/servers/media-stack/bazarr.nix
@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }: {
+ virtualisation.oci-containers.containers.bazarr = {
+ autoStart = true;
+ environment = {
+ PUID = "1015";
+ PGID = "1005";
+ UMASK = "002";
+ TZ = "Europe/Moscow";
+ };
+ extraOptions = [
+ "--network=media"
+ ];
+ image = "cr.hotio.dev/hotio/bazarr:release-1.0.3";
+ volumes = [
+ "/etc/localtime:/etc/localtime:ro"
+ "/media/configs/bazarr/config:/config"
+ "/media/data:/data"
+ ];
+ };
+}
\ No newline at end of file
diff --git a/profiles/servers/media-stack/caddy.nix b/profiles/servers/media-stack/caddy.nix
new file mode 100644
index 0000000..401f5d9
--- /dev/null
+++ b/profiles/servers/media-stack/caddy.nix
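Review bot: The `image` line pins bazarr to the tag `release-1.0.3`, which the registry owner can re-push, so the container that gets read-write access to `/media/data` is not actually pinned to a reviewed build; append the digest, `image = "cr.hotio.dev/hotio/bazarr:release-1.0.3@sha256:<digest reported by docker pull>";`. The same applies to every `image =` in this commit, so a one-line comment above this one stating the pinning policy would help the next maintainer. Mounting `/etc/localtime` as `:ro` is the right pattern; the config and data mounts presumably need to stay writable.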
@@ -0,0 +1,59 @@
+{ config, lib, pkgs, ... }:
+let
+ caddyconf = pkgs.writeText "Caddyfile" ''
+ {
+ auto_https off
+ http_port 8080
+ log {
+ output file /config/logs/access.log
+ }
+ }
+ jellyfin.ataraxiadev.com:8080 {
+ reverse_proxy jellyfin:8096
+ }
+ radarr.ataraxiadev.com:8080 {
+ reverse_proxy radarr:7878
+ }
+ qbit.ataraxiadev.com:8080 {
+ reverse_proxy qbittorrent:8080
+ }
+ prowlarr.ataraxiadev.com:8080 {
+ reverse_proxy prowlarr:9696
+ }
+ sonarr.ataraxiadev.com:8080 {
+ reverse_proxy sonarr-anime:8989
+ }
+ sonarrtv.ataraxiadev.com:8080 {
+ reverse_proxy sonarr-tv:8989
+ }
+ organizr.ataraxiadev.com:8080 {
+ reverse_proxy organizr:80
+ }
+ lidarr.ataraxiadev.com:8080 {
+ reverse_proxy lidarr:8686
+ }
+ bazarr.ataraxiadev.com:8080 {
+ reverse_proxy bazarr:6767
+ }
+ '';
+in {
+ virtualisation.oci-containers.containers.media-caddy = {
+ autoStart = true;
+ environment = {
+ PUID = "1009";
+ PGID = "1005";
+ UMASK = "002";
+ TZ = "Europe/Moscow";
+ };
+ extraOptions = [
+ "--network=media"
+ ];
+ ports = [ "127.0.0.1:8100:8080" ];
+ image = "cr.hotio.dev/hotio/caddy:release-2.4.6";
+ volumes = [
+ "/etc/localtime:/etc/localtime:ro"
+ "/media/configs/caddy/config:/config"
+ "${caddyconf}:/config/Caddyfile"
+ ];
+ };
+}
\ No newline at end of file
diff --git a/profiles/servers/media-stack/default.nix b/profiles/servers/media-stack/default.nix
new file mode 100644
index 0000000..a23ccd4
--- /dev/null
+++ b/profiles/servers/media-stack/default.nix
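Review bot: Nothing in this Caddyfile authenticates a request before it reaches the radarr, sonarr, prowlarr, lidarr, bazarr and qbittorrent back-ends, and the nginx hunks in this commit put these hostnames on the public certificate, so each application's own login (and the indexer credentials Prowlarr stores) becomes the only barrier, unless an auth layer exists somewhere outside this diff. Caddy 2.4 ships `basicauth`, so a snippet `(adminauth) { basicauth { <user> <hash from caddy hash-password> } }` at the top of the file plus `import adminauth` inside every site block other than jellyfin and organizr would add a layer that does not depend on each application's settings. A comment next to `auto_https off` / `http_port 8080` saying that TLS is terminated by nginx on the host and this listener is only published on `127.0.0.1:8100` would also stop a reader from mistaking it for a plaintext public endpoint.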
@@ -0,0 +1,55 @@
+{ config, pkgs, ... }:
+with config.virtualisation.oci-containers; {
+ imports = [
+ ./caddy.nix
+ ./prowlarr.nix
+ ./qbittorrent.nix
+ ./jellyfin.nix
+ ./radarr.nix
+ ./lidarr.nix
+ ./sonarr.nix
+ ./organizr.nix
+ ./bazarr.nix
+ ];
+ secrets.xray-config = {
+ services = [ "${backend}-xray.service" ];
+ };
+ virtualisation.oci-containers.containers.xray = {
+ autoStart = true;
+ environment = {
+ TZ = "Europe/Moscow";
+ };
+ extraOptions = [
+ "--network=media"
+ ];
+ image = "teddysun/xray:1.5.4";
+ volumes = [
+ "/etc/localtime:/etc/localtime:ro"
+ "${config.secrets.xray-config.decrypted}:/etc/xray/config.json"
+ ];
+ };
+ systemd.services.create-media-network = {
+ serviceConfig.Type = "oneshot";
+ wantedBy = [
+ "${backend}-jellyfin.service"
+ "${backend}-radarr.service"
+ "${backend}-media-caddy.service"
+ "${backend}-qbittorrent.service"
+ "${backend}-prowlarr.service"
+ "${backend}-xray.service"
+ "${backend}-sonarr-tv.service"
+ "${backend}-sonarr-anime.service"
+ "${backend}-organizr.service"
+ "${backend}-lidarr.service"
+ "${backend}-bazarr.service"
+ ];
+ script = ''
+ ${pkgs.docker}/bin/docker network inspect media || \
+ ${pkgs.docker}/bin/docker network create -d bridge media
+ exit 0
+ '';
+ };
+}
\ No newline at end of file
diff --git a/profiles/servers/media-stack/jellyfin.nix b/profiles/servers/media-stack/jellyfin.nix
new file mode 100644
index 0000000..a0e1cff
--- /dev/null
+++ b/profiles/servers/media-stack/jellyfin.nix
@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }: {
+ virtualisation.oci-containers.containers.jellyfin = {
+ autoStart = true;
+ environment = {
+ PUID = "1010";
+ PGID = "1005";
+ UMASK = "002";
+ TZ = "Europe/Moscow";
+ };
+ extraOptions = [
+ "--network=media"
+ ];
+ image = "cr.hotio.dev/hotio/jellyfin:release-10.7.7-1";
+ volumes = [
+ "/etc/localtime:/etc/localtime:ro"
+ "/media/configs/jellyfin/config:/config"
+ "/media/data/media:/data/media"
+ ];
+ };
+}
\ No newline at end of file
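Review bot: The decrypted xray secret is bind-mounted read-write (`"${config.secrets.xray-config.decrypted}:/etc/xray/config.json"`), so a compromised container can overwrite the host-side secret file; add `:ro` as is already done for `/etc/localtime`. In `create-media-network`, `wantedBy` only pulls the unit in and does not order it, so a container unit can start before `docker network create` has run—add a `before =` with the same eleven units (bind both to a single `let` list so they cannot drift), and drop the trailing `exit 0`, which reports success even when `network create` failed. `${pkgs.docker}` is also hard-coded while the unit names are built from `${backend}`, so switching the backend to podman would break this unit silently; a comment stating that docker is assumed, or deriving the binary from the backend, would close that gap.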
diff --git a/profiles/servers/media-stack/lidarr.nix b/profiles/servers/media-stack/lidarr.nix
new file mode 100644
index 0000000..52d7d5a
--- /dev/null
+++ b/profiles/servers/media-stack/lidarr.nix
@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }: {
+ virtualisation.oci-containers.containers.lidarr = {
+ autoStart = true;
+ environment = {
+ PUID = "1014";
+ PGID = "1005";
+ UMASK = "002";
+ TZ = "Europe/Moscow";
+ };
+ extraOptions = [
+ "--network=media"
+ ];
+ image = "cr.hotio.dev/hotio/lidarr:release-0.8.1.2135";
+ volumes = [
+ "/etc/localtime:/etc/localtime:ro"
+ "/media/configs/lidarr/config:/config"
+ "/media/data:/data"
+ ];
+ };
+}
\ No newline at end of file
diff --git a/profiles/servers/media-stack/organizr.nix b/profiles/servers/media-stack/organizr.nix
new file mode 100644
index 0000000..761d2d1
--- /dev/null
+++ b/profiles/servers/media-stack/organizr.nix
@@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }: {
+ virtualisation.oci-containers.containers.organizr = {
+ autoStart = true;
+ environment = {
+ PUID = "1017";
+ PGID = "1005";
+ UMASK = "002";
+ TZ = "Europe/Moscow";
+ };
+ extraOptions = [
+ "--network=media"
+ ];
+ image = "organizr/organizr";
+ volumes = [
+ "/etc/localtime:/etc/localtime:ro"
+ "/media/configs/organizr/config:/config"
+ ];
+ };
+}
\ No newline at end of file
diff --git a/profiles/servers/media-stack/prowlarr.nix b/profiles/servers/media-stack/prowlarr.nix
new file mode 100644
index 0000000..c9baa3a
--- /dev/null
+++ b/profiles/servers/media-stack/prowlarr.nix
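Review bot: `image = "organizr/organizr";` has no tag, so this container floats to `latest` and changes on every pull, unlike the version-pinned images in every other module of this commit. Organizr is also the origin that the nginx hunk allows to frame all the other UIs, so an unreviewed image change here lands inside the sessions of every other service; pin an explicit tag (and ideally a digest) like the sibling modules, `image = "organizr/organizr:<pinned tag>";`.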
@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }: {
+ virtualisation.oci-containers.containers.prowlarr = {
+ autoStart = true;
+ environment = {
+ PUID = "1016";
+ PGID = "1005";
+ UMASK = "002";
+ TZ = "Europe/Moscow";
+ };
+ extraOptions = [
+ "--network=media"
+ ];
+ image = "cr.hotio.dev/hotio/prowlarr:testing-0.2.0.1448";
+ volumes = [
+ "/etc/localtime:/etc/localtime:ro"
+ "/media/configs/prowlarr/config:/config"
+ "/media/data/torrents:/data/torrents"
+ ];
+ };
+}
\ No newline at end of file
diff --git a/profiles/servers/media-stack/qbittorrent.nix b/profiles/servers/media-stack/qbittorrent.nix
new file mode 100644
index 0000000..09b6d84
--- /dev/null
+++ b/profiles/servers/media-stack/qbittorrent.nix
@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }: {
+ virtualisation.oci-containers.containers.qbittorrent = {
+ autoStart = true;
+ environment = {
+ PUID = "1018";
+ PGID = "1005";
+ UMASK = "002";
+ TZ = "Europe/Moscow";
+ };
+ extraOptions = [
+ "--network=media"
+ ];
+ image = "cr.hotio.dev/hotio/qbittorrent:release-4.4.1";
+ volumes = [
+ "/etc/localtime:/etc/localtime:ro"
+ "/media/configs/qbittorrent/config:/config"
+ "/media/data/torrents:/data/torrents"
+ ];
+ };
+}
\ No newline at end of file
diff --git a/profiles/servers/media-stack/radarr.nix b/profiles/servers/media-stack/radarr.nix
new file mode 100644
index 0000000..5fed579
--- /dev/null
+++ b/profiles/servers/media-stack/radarr.nix
@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }: {
+ virtualisation.oci-containers.containers.radarr = {
+ autoStart = true;
+ environment = {
+ PUID = "1011";
+ PGID = "1005";
+ UMASK = "002";
+ TZ = "Europe/Moscow";
+ };
+ extraOptions = [
+ "--network=media"
+ ];
+ image = "cr.hotio.dev/hotio/radarr:release-4.0.5.5981";
+ volumes = [
+ "/etc/localtime:/etc/localtime:ro"
+ "/media/configs/radarr/config:/config"
+ "/media/data:/data"
+ ];
+ };
+}
\ No newline at end of file
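Review bot: `image = "cr.hotio.dev/hotio/prowlarr:testing-0.2.0.1448";` runs a `testing-` (pre-release) build of the one component that holds indexer credentials and the API keys of the whole stack, and the caddy and nginx hunks in this commit expose it at `prowlarr.ataraxiadev.com`. Prefer a `release-` tag as every other hotio image in this commit uses, or add a comment explaining why the testing build is required so it is revisited.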
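Review bot: The qBittorrent Web UI on port 8080 is proxied to `qbit.ataraxiadev.com` by the caddy hunk, and nothing in this module or either proxy configures authentication, so if the Web UI password in `/media/configs/qbittorrent/config` is still the image default the client is reachable from the internet with known credentials—worth confirming before this is deployed. A comment such as `# Web UI is published via caddy/nginx; credentials live in config/qBittorrent.conf` would make that dependency visible to the next reader. If qBittorrent's subnet-whitelist auth bypass is enabled for the docker bridge, it would also let every request arriving through Caddy skip login, so it should stay off for a proxied UI.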
diff --git a/profiles/servers/media-stack/sonarr.nix b/profiles/servers/media-stack/sonarr.nix
new file mode 100644
index 0000000..fd911fe
--- /dev/null
+++ b/profiles/servers/media-stack/sonarr.nix
@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }: {
+ virtualisation.oci-containers.containers.sonarr-anime = {
+ autoStart = true;
+ environment = {
+ PUID = "1012";
+ PGID = "1005";
+ UMASK = "002";
+ TZ = "Europe/Moscow";
+ };
+ extraOptions = [
+ "--network=media"
+ ];
+ image = "cr.hotio.dev/hotio/sonarr:release-3.0.7.1477";
+ volumes = [
+ "/etc/localtime:/etc/localtime:ro"
+ "/media/configs/sonarr-anime/config:/config"
+ "/media/data:/data"
+ ];
+ };
+
+ virtualisation.oci-containers.containers.sonarr-tv = {
+ autoStart = true;
+ environment = {
+ PUID = "1013";
+ PGID = "1005";
+ UMASK = "002";
+ TZ = "Europe/Moscow";
+ };
+ extraOptions = [
+ "--network=media"
+ ];
+ image = "cr.hotio.dev/hotio/sonarr:release-3.0.7.1477";
+ volumes = [
+ "/etc/localtime:/etc/localtime:ro"
+ "/media/configs/sonarr-tv/config:/config"
+ "/media/data:/data"
+ ];
+ };
+}
\ No newline at end of file
diff --git a/profiles/servers/nginx.nix b/profiles/servers/nginx.nix
index 683182c..3ddad27 100644
--- a/profiles/servers/nginx.nix
+++ b/profiles/servers/nginx.nix
@@ -1,7 +1,10 @@
 { config, lib, pkgs, ... }: {
 security.acme = {
 acceptTerms = true;
+ # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # staging
+ defaults.server = "https://acme-v02.api.letsencrypt.org/directory"; # production
 defaults.email = "ataraxiadev@ataraxiadev.com";
+ defaults.renewInterval = "weekly";
 certs = {
 "ataraxiadev.com" = {
 webroot = "/var/lib/acme/acme-challenge";
@@ -18,6 +21,15 @@
 "code.ataraxiadev.com"
 "file.ataraxiadev.com"
 "webmail.ataraxiadev.com"
+ "jellyfin.ataraxiadev.com"
+ "radarr.ataraxiadev.com"
+ "qbit.ataraxiadev.com"
+ "prowlarr.ataraxiadev.com"
+ "sonarr.ataraxiadev.com"
+ "sonarrtv.ataraxiadev.com"
+ "organizr.ataraxiadev.com"
+ "lidarr.ataraxiadev.com"
+ "bazarr.ataraxiadev.com"
 ];
 };
 };
@@ -30,6 +42,11 @@
 recommendedGzipSettings = true;
 recommendedTlsSettings = true;
 clientMaxBodySize = "250m";
+ commonHttpConfig = ''
+ proxy_hide_header X-Frame-Options;
+ proxy_hide_header content-security-policy;
+ add_header X-Frame-Options "ALLOW-FROM https://organizr.ataraxiadev.com";
+ '';
 virtualHosts = let
 default = {
 useACMEHost = "ataraxiadev.com";
@@ -49,7 +66,7 @@
 hardened = {
 extraConfig = ''
 add_header X-XSS-Protection "1; mode=block";
- add_header X-Frame-Options "SAMEORIGIN";
+ # add_header X-Frame-Options "SAMEORIGIN";
 add_header X-Robots-Tag "none";
 add_header Referrer-Policy "strict-origin-when-cross-origin";
 add_header X-Content-Type-Options "nosniff";
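Review bot: Adding `radarr.`, `qbit.`, `prowlarr.` and the other service names as SANs of the public `ataraxiadev.com` certificate publishes the full list of admin UIs to Certificate Transparency logs, which are a routine reconnaissance source. If the DNS provider supports DNS-01, a wildcard entry (`"*.ataraxiadev.com"`) keeps the names out of CT; otherwise this is acceptable only if each of these hosts has authentication in front of it, which is worth stating in a comment on the list.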
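Review bot: `add_header X-Frame-Options "ALLOW-FROM https://organizr.ataraxiadev.com";` uses a directive that Chromium- and WebKit-based browsers never supported and Firefox has dropped, so `commonHttpConfig` gives no clickjacking protection at all, while the two `proxy_hide_header` lines strip the upstream `X-Frame-Options` and `Content-Security-Policy` from every virtual host on this nginx, including Vaultwarden, Gitea/code, Seafile/file and webmail which are not meant to be framed. Replace the three lines with `add_header Content-Security-Policy "frame-ancestors 'self' https://organizr.ataraxiadev.com" always;` and put the block in the media-stack virtual host's location `extraConfig` instead of the http context, so only the services intended for embedding lose their upstream headers. Note also that nginx `add_header` is not inherited into any block that declares its own `add_header`, so this http-level header silently disappears inside the `hardened` locations.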
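Review bot: Commenting out `add_header X-Frame-Options "SAMEORIGIN";` leaves the `hardened` attribute set with no framing restriction, and after the virtual-host hunk in this commit drops `// hardened` from every location the set appears to be unused, so this is commented-out code on top of a weakened default. Keeping the directive (or a `frame-ancestors` CSP) in `hardened` and re-attaching it to the non-media hosts would be safer; if the intent is that only organizr may frame these sites, say so, e.g. `# X-Frame-Options moved to a per-host frame-ancestors CSP so organizr can embed the media UIs`. The `hardened` set starts in this hunk but its closing `'';`/`};` lines are outside it.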
@@ -97,42 +114,74 @@
 "startpage.ataraxiadev.com" = {
 locations."/" = {
 root = "/srv/http/startpage.ataraxiadev.com/";
- extraConfig = ''
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag "none";
- add_header Referrer-Policy "strict-origin-when-cross-origin";
- add_header X-Content-Type-Options "nosniff";
- '';
+ # extraConfig = ''
+ # add_header X-XSS-Protection "1; mode=block";
+ # add_header X-Robots-Tag "none";
+ # add_header Referrer-Policy "strict-origin-when-cross-origin";
+ # add_header X-Content-Type-Options "nosniff";
+ # '';
 };
 } // default;
 "vw.ataraxiadev.com" = {
 locations."/" = {
 proxyPass = "http://localhost:8812";
- } // proxySettings // hardened;
+ } // proxySettings;
 locations."/notifications/hub" = {
 proxyPass = "http://localhost:3012";
 proxyWebsockets = true;
- } // proxySettings // hardened;
+ } // proxySettings;
 locations."/notifications/hub/negotiate" = {
 proxyPass = "http://localhost:8812";
- } // proxySettings // hardened;
+ } // proxySettings;
 } // default;
 "code.ataraxiadev.com" = {
 locations."/" = {
 proxyPass = "http://localhost:6000";
- } // proxySettings // hardened;
+ } // proxySettings;
 } // default;
 "file.ataraxiadev.com" = {
 locations."/" = {
- proxyPass = "http://localhost:8088/";
- } // proxySettings // hardened;
+ proxyPass = "http://localhost:8088";
+ } // proxySettings;
 } // default;
 "webmail.ataraxiadev.com" = {
 locations."/" = {
 extraConfig = ''
 client_max_body_size 30M;
 '';
- } // hardened;
+ } // proxySettings;
+ } // default;
+ "media-stack" = {
+ serverAliases = [
+ "jellyfin.ataraxiadev.com"
+ "radarr.ataraxiadev.com"
+ "qbit.ataraxiadev.com"
+ "prowlarr.ataraxiadev.com"
+ "sonarr.ataraxiadev.com"
+ "sonarrtv.ataraxiadev.com"
+ "organizr.ataraxiadev.com"
+ "lidarr.ataraxiadev.com"
+ "bazarr.ataraxiadev.com"
+ ];
+ locations."/" = {
+ proxyPass = "http://localhost:8100";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+ proxy_busy_buffers_size 256k;
+ send_timeout 15m;
+ proxy_connect_timeout 600;
+ proxy_send_timeout 600;
+ proxy_read_timeout 15m;
+ '';
+ };
 } // default;
 };
 };
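Review bot: Dropping `// hardened` from the three `vw.ataraxiadev.com` locations removes `X-Frame-Options`, `X-Content-Type-Options` and `Referrer-Policy` from the Vaultwarden front end, the one host here where clickjacking matters most, and the same happens to `code.` and `file.`, with nothing in the hunk replacing those headers; the startpage `extraConfig` is likewise commented out rather than removed. If the goal is to let organizr embed the media UIs, keep `hardened` on the non-media hosts and apply the relaxation only to the new `media-stack` host, e.g. `add_header Content-Security-Policy "frame-ancestors 'self' https://organizr.ataraxiadev.com" always;` inside its `extraConfig`. The `media-stack` host also proxies the *arr and qBittorrent admin UIs with no authentication at the nginx layer, so their built-in logins, where enabled, are the only control—`basicAuthFile` on that location would give an independent layer. `"webmail.ataraxiadev.com"` now merges `proxySettings` into a location that has no `proxyPass` in this hunk, which looks unintended and is worth a second look.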