fix backup and authelia rules for arr suite
This commit is contained in:
parent
fda0daf6d3
commit
e2b69a36f7
3 changed files with 91 additions and 60 deletions
135
modules/arr.nix
135
modules/arr.nix
|
@ -63,64 +63,95 @@ in
|
|||
{
|
||||
options.shb.arr = lib.listToAttrs (lib.mapAttrsToList appOption apps);
|
||||
|
||||
config = {
|
||||
# Listens on port 7878
|
||||
services.radarr = lib.mkIf cfg.radarr.enable {
|
||||
enable = true;
|
||||
dataDir = "/var/lib/radarr";
|
||||
};
|
||||
config = lib.mkMerge ([
|
||||
{
|
||||
# Listens on port 7878
|
||||
services.radarr = lib.mkIf cfg.radarr.enable {
|
||||
enable = true;
|
||||
dataDir = "/var/lib/radarr";
|
||||
};
|
||||
users.users.radarr = {
|
||||
extraGroups = [ "media" ];
|
||||
};
|
||||
|
||||
# Listens on port 8989
|
||||
services.sonarr = lib.mkIf cfg.sonarr.enable {
|
||||
enable = true;
|
||||
dataDir = "/var/lib/sonarr";
|
||||
};
|
||||
# Listens on port 8989
|
||||
services.sonarr = lib.mkIf cfg.sonarr.enable {
|
||||
enable = true;
|
||||
dataDir = "/var/lib/sonarr";
|
||||
};
|
||||
users.users.sonarr = {
|
||||
extraGroups = [ "media" ];
|
||||
};
|
||||
|
||||
services.bazarr = lib.mkIf cfg.bazarr.enable {
|
||||
enable = true;
|
||||
listenPort = cfg.bazarr.port;
|
||||
};
|
||||
services.bazarr = lib.mkIf cfg.bazarr.enable {
|
||||
enable = true;
|
||||
listenPort = cfg.bazarr.port;
|
||||
};
|
||||
|
||||
# Listens on port 8787
|
||||
services.readarr = lib.mkIf cfg.readarr.enable {
|
||||
enable = true;
|
||||
dataDir = "/var/lib/readarr";
|
||||
};
|
||||
# Listens on port 8787
|
||||
services.readarr = lib.mkIf cfg.readarr.enable {
|
||||
enable = true;
|
||||
dataDir = "/var/lib/readarr";
|
||||
};
|
||||
|
||||
# Listens on port 8686
|
||||
services.lidarr = lib.mkIf cfg.lidarr.enable {
|
||||
enable = true;
|
||||
dataDir = "/var/lib/lidarr";
|
||||
};
|
||||
# Listens on port 8686
|
||||
services.lidarr = lib.mkIf cfg.lidarr.enable {
|
||||
enable = true;
|
||||
dataDir = "/var/lib/lidarr";
|
||||
};
|
||||
|
||||
shb.nginx.autheliaProtect =
|
||||
let
|
||||
appProtectConfig = name: _defaults:
|
||||
let
|
||||
c = cfg.${name};
|
||||
in
|
||||
{
|
||||
inherit (c) subdomain domain oidcEndpoint;
|
||||
upstream = "http://127.0.0.1:${toString c.port}";
|
||||
autheliaRule = {
|
||||
domain = "${c.subdomain}.${c.domain}";
|
||||
policy = "two_factor";
|
||||
subject = ["group:arr_user"];
|
||||
shb.nginx.autheliaProtect =
|
||||
let
|
||||
appProtectConfig = name: _defaults:
|
||||
let
|
||||
c = cfg.${name};
|
||||
in
|
||||
{
|
||||
inherit (c) subdomain domain oidcEndpoint;
|
||||
upstream = "http://127.0.0.1:${toString c.port}";
|
||||
autheliaRules = [
|
||||
{
|
||||
domain = "${c.subdomain}.${c.domain}";
|
||||
policy = "bypass";
|
||||
resources = [
|
||||
"^/api.*"
|
||||
];
|
||||
}
|
||||
{
|
||||
domain = "${c.subdomain}.${c.domain}";
|
||||
policy = "two_factor";
|
||||
subject = ["group:arr_user"];
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
in
|
||||
lib.mapAttrsToList appProtectConfig apps;
|
||||
in
|
||||
lib.mapAttrsToList appProtectConfig apps;
|
||||
|
||||
shb.backup.instances =
|
||||
let
|
||||
backupConfig = name: _defaults: {
|
||||
${name} = {
|
||||
sourceDirectories = [
|
||||
config.shb.arr.${name}.dataDir
|
||||
];
|
||||
shb.backup.instances =
|
||||
let
|
||||
backupConfig = name: _defaults: {
|
||||
${name} = {
|
||||
sourceDirectories = [
|
||||
config.shb.arr.${name}.dataDir
|
||||
];
|
||||
excludePatterns = [".db-shm" ".db-wal" ".mono"];
|
||||
};
|
||||
};
|
||||
};
|
||||
in
|
||||
lib.mkMerge (lib.mapAttrsToList backupConfig apps);
|
||||
};
|
||||
in
|
||||
lib.mkMerge (lib.mapAttrsToList backupConfig apps);
|
||||
|
||||
}
|
||||
] ++ map (name: {
|
||||
systemd.tmpfiles.rules = lib.mkIf (lib.hasAttr "dataDir" config.services.${name}) [
|
||||
"d '${config.services.${name}.dataDir}' 0750 ${config.services.${name}.user} ${config.services.${name}.group} - -"
|
||||
];
|
||||
users.groups.${name} = {
|
||||
members = [ "backup" ];
|
||||
};
|
||||
systemd.services.${name}.serviceConfig = {
|
||||
# Setup permissions needed for backups, as the backup user is member of the jellyfin group.
|
||||
UMask = lib.mkForce "0027";
|
||||
StateDirectoryMode = lib.mkForce "0750";
|
||||
};
|
||||
}) (lib.attrNames apps));
|
||||
}
|
||||
|
|
|
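Review bot: The new `bypass` rule for `^/api.*` on every arr subdomain takes Authelia out of the path for the API entirely, so everything under `/api` is reachable from the Internet with only the application's own API key in front of it, and the unanchored regex also matches unrelated paths such as `/api-docs`; tighten it to `"^/api/.*"` and add a comment stating why the bypass exists (presumably so the arr apps, indexer and download clients can call each other without an Authelia session — confirm) and that the apps' own authentication must remain enabled. The `users.groups.${name}`, `systemd.services.${name}.serviceConfig` and `tmpfiles` entries produced by the trailing `map` are emitted for every name in `apps`, not only for enabled ones, so a disabled app still gets a stub systemd unit carrying `UMask`/`StateDirectoryMode` and a group with `backup` in it; wrapping each element as `lib.mkIf cfg.${name}.enable { … }` keeps them tied to the service. The comment `# Setup permissions needed for backups, as the backup user is member of the jellyfin group.` was carried over from the jellyfin module and should read `# … as the backup user is a member of the ${name} group.`. Note that because the `0750`/`0027` change makes the data directory group-readable, the backup user can also read the app's config (including its API key), which is worth stating in that comment.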
@ -114,11 +114,11 @@ in
|
|||
{
|
||||
inherit (cfg) subdomain domain oidcEndpoint;
|
||||
upstream = "http://127.0.0.1:${toString config.services.deluge.web.port}";
|
||||
autheliaRule = {
|
||||
autheliaRules = [{
|
||||
domain = fqdn;
|
||||
policy = "two_factor";
|
||||
subject = ["group:deluge_user"];
|
||||
};
|
||||
}];
|
||||
}
|
||||
];
|
||||
|
||||
|
|
|
@ -31,13 +31,13 @@ let
|
|||
example = "http://127.0.0.1:1234";
|
||||
};
|
||||
|
||||
autheliaRule = lib.mkOption {
|
||||
type = lib.types.attrsOf lib.types.anything;
|
||||
autheliaRules = lib.mkOption {
|
||||
type = lib.types.listOf (lib.types.attrsOf lib.types.anything);
|
||||
description = "Authelia rule configuration";
|
||||
example = lib.literalExpression ''{
|
||||
example = lib.literalExpression ''[{
|
||||
policy = "two_factor";
|
||||
subject = ["group:service_user"];
|
||||
}'';
|
||||
}]'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -173,8 +173,8 @@ in
|
|||
|
||||
shb.authelia.rules =
|
||||
let
|
||||
authConfig = c: c.autheliaRule // { domain = fqdn c; };
|
||||
authConfig = c: map (r: r // { domain = fqdn c; }) c.autheliaRules;
|
||||
in
|
||||
map authConfig cfg.autheliaProtect;
|
||||
lib.flatten (map authConfig cfg.autheliaProtect);
|
||||
};
|
||||
}
|
||||
|
|
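Review bot: The `autheliaRules` option description still reads "Authelia rule configuration" although the option is now an ordered list whose position decides precedence, and `authConfig` silently overwrites any `domain` a rule carries; suggest `description = "Authelia access-control rules for this upstream, in evaluation order (Authelia applies the first matching rule); the domain is filled in from subdomain/domain and any domain set on a rule is overwritten.";`. Ordering now matters in practice, since a `bypass` rule can precede a `two_factor` rule for the same host, so the description should say so explicitly. `lib.flatten (map authConfig cfg.autheliaProtect)` can be written `lib.concatMap authConfig cfg.autheliaProtect`, which flattens exactly one level instead of relying on `flatten` stopping at attribute sets. `attrsOf anything` accepts a rule with a misspelled `policy` or `resources` key without complaint; if the module defines a rule type elsewhere it should be reused here, otherwise at least `policy` could be checked with `lib.types.enum [ "bypass" "one_factor" "two_factor" "deny" ]`. Both hunks sit inside definitions that start outside the hunk.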