
fix backup and authelia rules for arr suite

This commit is contained in:
ibizaman 2023-09-26 20:13:08 -07:00
parent fda0daf6d3
commit e2b69a36f7
3 changed files with 91 additions and 60 deletions


@ -63,64 +63,95 @@ in
{
options.shb.arr = lib.listToAttrs (lib.mapAttrsToList appOption apps);
config = {
# Listens on port 7878
services.radarr = lib.mkIf cfg.radarr.enable {
enable = true;
dataDir = "/var/lib/radarr";
};
config = lib.mkMerge ([
{
# Listens on port 7878
services.radarr = lib.mkIf cfg.radarr.enable {
enable = true;
dataDir = "/var/lib/radarr";
};
users.users.radarr = {
extraGroups = [ "media" ];
};
# Listens on port 8989
services.sonarr = lib.mkIf cfg.sonarr.enable {
enable = true;
dataDir = "/var/lib/sonarr";
};
# Listens on port 8989
services.sonarr = lib.mkIf cfg.sonarr.enable {
enable = true;
dataDir = "/var/lib/sonarr";
};
users.users.sonarr = {
extraGroups = [ "media" ];
};
services.bazarr = lib.mkIf cfg.bazarr.enable {
enable = true;
listenPort = cfg.bazarr.port;
};
services.bazarr = lib.mkIf cfg.bazarr.enable {
enable = true;
listenPort = cfg.bazarr.port;
};
# Listens on port 8787
services.readarr = lib.mkIf cfg.readarr.enable {
enable = true;
dataDir = "/var/lib/readarr";
};
# Listens on port 8787
services.readarr = lib.mkIf cfg.readarr.enable {
enable = true;
dataDir = "/var/lib/readarr";
};
# Listens on port 8686
services.lidarr = lib.mkIf cfg.lidarr.enable {
enable = true;
dataDir = "/var/lib/lidarr";
};
# Listens on port 8686
services.lidarr = lib.mkIf cfg.lidarr.enable {
enable = true;
dataDir = "/var/lib/lidarr";
};
shb.nginx.autheliaProtect =
let
appProtectConfig = name: _defaults:
let
c = cfg.${name};
in
{
inherit (c) subdomain domain oidcEndpoint;
upstream = "http://127.0.0.1:${toString c.port}";
autheliaRule = {
domain = "${c.subdomain}.${c.domain}";
policy = "two_factor";
subject = ["group:arr_user"];
shb.nginx.autheliaProtect =
let
appProtectConfig = name: _defaults:
let
c = cfg.${name};
in
{
inherit (c) subdomain domain oidcEndpoint;
upstream = "http://127.0.0.1:${toString c.port}";
autheliaRules = [
{
domain = "${c.subdomain}.${c.domain}";
policy = "bypass";
resources = [
"^/api.*"
];
}
{
domain = "${c.subdomain}.${c.domain}";
policy = "two_factor";
subject = ["group:arr_user"];
}
];
};
};
in
lib.mapAttrsToList appProtectConfig apps;
in
lib.mapAttrsToList appProtectConfig apps;
shb.backup.instances =
let
backupConfig = name: _defaults: {
${name} = {
sourceDirectories = [
config.shb.arr.${name}.dataDir
];
shb.backup.instances =
let
backupConfig = name: _defaults: {
${name} = {
sourceDirectories = [
config.shb.arr.${name}.dataDir
];
excludePatterns = [".db-shm" ".db-wal" ".mono"];
};
};
};
in
lib.mkMerge (lib.mapAttrsToList backupConfig apps);
};
in
lib.mkMerge (lib.mapAttrsToList backupConfig apps);
}
] ++ map (name: {
systemd.tmpfiles.rules = lib.mkIf (lib.hasAttr "dataDir" config.services.${name}) [
"d '${config.services.${name}.dataDir}' 0750 ${config.services.${name}.user} ${config.services.${name}.group} - -"
];
users.groups.${name} = {
members = [ "backup" ];
};
systemd.services.${name}.serviceConfig = {
# Setup permissions needed for backups, as the backup user is member of the jellyfin group.
UMask = lib.mkForce "0027";
StateDirectoryMode = lib.mkForce "0750";
};
}) (lib.attrNames apps));
}
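Review bot: The new `bypass` rule for `^/api.*` in the middle of the hunk lets every request whose path starts with `/api` on each arr subdomain through the proxy without Authelia, so those endpoints rely solely on the application's own API-key check; that trade-off belongs in a comment next to the rule, e.g. `# Let other services reach the API with the app's API key; Authelia is bypassed here and the app itself enforces the key.` Authelia applies the first matching rule, so keeping the bypass entry ahead of the `two_factor` entry is load-bearing and worth a word in the same comment. The pattern is also looser than needed, since `.*` after `/api` accepts any path that merely begins with those characters; `"^/api(/.*)?$"` would confine it to the API prefix. Further down, the comment above `UMask` still refers to the jellyfin group, which this module never touches; it should read `# Setup permissions needed for backups, as the backup user is a member of each arr service's group.`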


@ -114,11 +114,11 @@ in
{
inherit (cfg) subdomain domain oidcEndpoint;
upstream = "http://127.0.0.1:${toString config.services.deluge.web.port}";
autheliaRule = {
autheliaRules = [{
domain = fqdn;
policy = "two_factor";
subject = ["group:deluge_user"];
};
}];
}
];


@ -31,13 +31,13 @@ let
example = "http://127.0.0.1:1234";
};
autheliaRule = lib.mkOption {
type = lib.types.attrsOf lib.types.anything;
autheliaRules = lib.mkOption {
type = lib.types.listOf (lib.types.attrsOf lib.types.anything);
description = "Authelia rule configuration";
example = lib.literalExpression ''{
example = lib.literalExpression ''[{
policy = "two_factor";
subject = ["group:service_user"];
}'';
}]'';
};
};
};
@ -173,8 +173,8 @@ in
shb.authelia.rules =
let
authConfig = c: c.autheliaRule // { domain = fqdn c; };
authConfig = c: map (r: r // { domain = fqdn c; }) c.autheliaRules;
in
map authConfig cfg.autheliaProtect;
lib.flatten (map authConfig cfg.autheliaProtect);
};
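Review bot: The `autheliaRules` description in the first hunk does not say that list order is significant or that `domain` is filled in automatically, yet the mapping in the second hunk overwrites whatever `domain` a caller sets with `fqdn c` (the arr module in this same commit sets it on every rule, redundantly). A description such as `Authelia access-control rules for this upstream, applied in list order (first match wins). The domain attribute is derived from subdomain and domain; any value given here is overridden.` would make both facts visible to module users. The `attrsOf anything` element type also leaves `policy` unvalidated, so a misspelling like `bypas` passes Nix evaluation and only fails, if at all, when Authelia loads its configuration; an `enum` for that attribute would catch it at evaluation time. The enclosing config attribute set continues outside both hunks.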
}