From e2b69a36f700a29cecbbd058e4ac12eb01fb3a4d Mon Sep 17 00:00:00 2001 From: ibizaman Date: Tue, 26 Sep 2023 20:13:08 -0700 Subject: [PATCH] fix backup and authelia rules for arr suite --- modules/arr.nix | 135 ++++++++++++++++++++++++++++----------------- modules/deluge.nix | 4 +- modules/nginx.nix | 12 ++-- 3 files changed, 91 insertions(+), 60 deletions(-) diff --git a/modules/arr.nix b/modules/arr.nix index 7d9cdd4..1524d27 100644 --- a/modules/arr.nix +++ b/modules/arr.nix 
@@ -63,64 +63,95 @@ in { options.shb.arr = lib.listToAttrs (lib.mapAttrsToList appOption apps); - config = { - # Listens on port 7878 - services.radarr = lib.mkIf cfg.radarr.enable { - enable = true; - dataDir = "/var/lib/radarr"; - }; + config = lib.mkMerge ([ + { + # Listens on port 7878 + services.radarr = lib.mkIf cfg.radarr.enable { + enable = true; + dataDir = "/var/lib/radarr"; + }; + users.users.radarr = { + extraGroups = [ "media" ]; + }; - # Listens on port 8989 - services.sonarr = lib.mkIf cfg.sonarr.enable { - enable = true; - dataDir = "/var/lib/sonarr"; - }; + # Listens on port 8989 + services.sonarr = lib.mkIf cfg.sonarr.enable { + enable = true; + dataDir = "/var/lib/sonarr"; + }; + users.users.sonarr = { + extraGroups = [ "media" ]; + }; - services.bazarr = lib.mkIf cfg.bazarr.enable { - enable = true; - listenPort = cfg.bazarr.port; - }; + services.bazarr = lib.mkIf cfg.bazarr.enable { + enable = true; + listenPort = cfg.bazarr.port; + }; - # Listens on port 8787 - services.readarr = lib.mkIf cfg.readarr.enable { - enable = true; - dataDir = "/var/lib/readarr"; - }; + # Listens on port 8787 + services.readarr = lib.mkIf cfg.readarr.enable { + enable = true; + dataDir = "/var/lib/readarr"; + }; - # Listens on port 8686 - services.lidarr = lib.mkIf cfg.lidarr.enable { - enable = true; - dataDir = "/var/lib/lidarr"; - }; + # Listens on port 8686 + services.lidarr = lib.mkIf cfg.lidarr.enable { + enable = true; + dataDir = "/var/lib/lidarr"; + }; - shb.nginx.autheliaProtect = - let - appProtectConfig = name: _defaults: - let - c = cfg.${name}; - in - { - inherit (c) subdomain domain oidcEndpoint; - upstream = "http://127.0.0.1:${toString c.port}"; - autheliaRule = { - domain = "${c.subdomain}.${c.domain}"; - policy = "two_factor"; - subject = ["group:arr_user"]; + shb.nginx.autheliaProtect = + let + appProtectConfig = name: _defaults: + let + c = cfg.${name}; + in + { + inherit (c) subdomain domain oidcEndpoint; + upstream = 
"http://127.0.0.1:${toString c.port}"; + autheliaRules = [ + { + domain = "${c.subdomain}.${c.domain}"; + policy = "bypass"; + resources = [ + "^/api.*" + ]; + } + { + domain = "${c.subdomain}.${c.domain}"; + policy = "two_factor"; + subject = ["group:arr_user"]; + } + ]; }; - }; - in - lib.mapAttrsToList appProtectConfig apps; + in + lib.mapAttrsToList appProtectConfig apps; - shb.backup.instances = - let - backupConfig = name: _defaults: { - ${name} = { - sourceDirectories = [ - config.shb.arr.${name}.dataDir - ]; + shb.backup.instances = + let + backupConfig = name: _defaults: { + ${name} = { + sourceDirectories = [ + config.shb.arr.${name}.dataDir + ]; + excludePatterns = [".db-shm" ".db-wal" ".mono"]; + }; }; - }; - in - lib.mkMerge (lib.mapAttrsToList backupConfig apps); - }; + in + lib.mkMerge (lib.mapAttrsToList backupConfig apps); + + } + ] ++ map (name: { + systemd.tmpfiles.rules = lib.mkIf (lib.hasAttr "dataDir" config.services.${name}) [ + "d '${config.services.${name}.dataDir}' 0750 ${config.services.${name}.user} ${config.services.${name}.group} - -" + ]; + users.groups.${name} = { + members = [ "backup" ]; + }; + systemd.services.${name}.serviceConfig = { + # Setup permissions needed for backups, as the backup user is member of the jellyfin group. + UMask = lib.mkForce "0027"; + StateDirectoryMode = lib.mkForce "0750"; + }; + }) (lib.attrNames apps)); } diff --git a/modules/deluge.nix b/modules/deluge.nix index aa962bb..4c01f5f 100644 --- a/modules/deluge.nix +++ b/modules/deluge.nix @@ -114,11 +114,11 @@ in { inherit (cfg) subdomain domain oidcEndpoint; upstream = "http://127.0.0.1:${toString config.services.deluge.web.port}"; - autheliaRule = { + autheliaRules = [{ domain = fqdn; policy = "two_factor"; subject = ["group:deluge_user"]; - }; + }]; } ]; diff --git a/modules/nginx.nix b/modules/nginx.nix index 5a22c62..b9728ab 100644 --- a/modules/nginx.nix +++ b/modules/nginx.nix 
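Review bot: The bypass rule added for every arr app matches `^/api.*`, which exempts from two-factor any path that merely starts with `/api` (`/apikey`, `/api-docs`, …), not only the API prefix; tighten it to `resources = [ "^/api(/.*)?$" ];`. The bypass also silently relies on each upstream enforcing its own API-key check on those paths, so a comment such as `# /api is exempted from 2FA for API clients; it stays protected by the app's own API key` should record that assumption (to be verified per app, Bazarr included). Separately, the per-app block appended with `++ map (name: { ... }) (lib.attrNames apps)` is not gated on `cfg.${name}.enable`, so a `${name}` group with the backup user in it, a tmpfiles directory and a `systemd.services.${name}` unit fragment are produced even for apps that are switched off; `map (name: lib.mkIf cfg.${name}.enable { ... })` keeps them conditional. The comment `as the backup user is member of the jellyfin group` looks copied from another module and should read `member of the ${name} group`. The enclosing module attrset (`in {`) starts outside the hunk.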
@@ -31,13 +31,13 @@ let example = "http://127.0.0.1:1234"; }; - autheliaRule = lib.mkOption { - type = lib.types.attrsOf lib.types.anything; + autheliaRules = lib.mkOption { + type = lib.types.listOf (lib.types.attrsOf lib.types.anything); description = "Authelia rule configuration"; - example = lib.literalExpression ''{ + example = lib.literalExpression ''[{ policy = "two_factor"; subject = ["group:service_user"]; - }''; + }]''; }; }; }; @@ -173,8 +173,8 @@ in shb.authelia.rules = let - authConfig = c: c.autheliaRule // { domain = fqdn c; }; + authConfig = c: map (r: r // { domain = fqdn c; }) c.autheliaRules; in - map authConfig cfg.autheliaProtect; + lib.flatten (map authConfig cfg.autheliaProtect); }; }
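Review bot: The new `autheliaRules` option is declared as a list but its description does not say that order matters, although the consumer in the second hunk emits the rules in list order and Authelia applies the first matching access-control rule, so a permissive rule placed after a stricter one for the same domain is never reached. Suggest `description = "Authelia access-control rules for this upstream, in evaluation order (first match wins); the domain field is filled in from the subdomain and domain options.";`. The `lib.types.attrsOf lib.types.anything` element type also passes a mistyped key such as `polciy` through unchecked until Authelia loads its configuration; a submodule declaring `policy`, `subject` and `resources` would catch that at evaluation time, if the project wants that strictness. The surrounding `let` block and module body extend beyond both hunks.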