fix backup and authelia rules for arr suite

modules/arr.nix

@@ -63,64 +63,95 @@ in
 {
   options.shb.arr = lib.listToAttrs (lib.mapAttrsToList appOption apps);
 
-  config = {
+  config = lib.mkMerge ([
-    # Listens on port 7878
+    {
-    services.radarr = lib.mkIf cfg.radarr.enable {
+      # Listens on port 7878
-      enable = true;
+      services.radarr = lib.mkIf cfg.radarr.enable {
-      dataDir = "/var/lib/radarr";
+        enable = true;
-    };
+        dataDir = "/var/lib/radarr";
+      };
+      users.users.radarr = {
+        extraGroups = [ "media" ];
+      };
 
-    # Listens on port 8989
+      # Listens on port 8989
-    services.sonarr = lib.mkIf cfg.sonarr.enable {
+      services.sonarr = lib.mkIf cfg.sonarr.enable {
-      enable = true;
+        enable = true;
-      dataDir = "/var/lib/sonarr";
+        dataDir = "/var/lib/sonarr";
-    };
+      };
+      users.users.sonarr = {
+        extraGroups = [ "media" ];
+      };
 
-    services.bazarr = lib.mkIf cfg.bazarr.enable {
+      services.bazarr = lib.mkIf cfg.bazarr.enable {
-      enable = true;
+        enable = true;
-      listenPort = cfg.bazarr.port;
+        listenPort = cfg.bazarr.port;
-    };
+      };
 
-    # Listens on port 8787
+      # Listens on port 8787
-    services.readarr = lib.mkIf cfg.readarr.enable {
+      services.readarr = lib.mkIf cfg.readarr.enable {
-      enable = true;
+        enable = true;
-      dataDir = "/var/lib/readarr";
+        dataDir = "/var/lib/readarr";
-    };
+      };
 
-    # Listens on port 8686
+      # Listens on port 8686
-    services.lidarr = lib.mkIf cfg.lidarr.enable {
+      services.lidarr = lib.mkIf cfg.lidarr.enable {
-      enable = true;
+        enable = true;
-      dataDir = "/var/lib/lidarr";
+        dataDir = "/var/lib/lidarr";
-    };
+      };
 
-    shb.nginx.autheliaProtect =
+      shb.nginx.autheliaProtect =
-      let
+        let
-        appProtectConfig = name: _defaults:
+          appProtectConfig = name: _defaults:
-          let
+            let
-            c = cfg.${name};
+              c = cfg.${name};
-          in
+            in
-            {
+              {
-              inherit (c) subdomain domain oidcEndpoint;
+                inherit (c) subdomain domain oidcEndpoint;
-              upstream = "http://127.0.0.1:${toString c.port}";
+                upstream = "http://127.0.0.1:${toString c.port}";
-              autheliaRule = {
+                autheliaRules = [
-                domain = "${c.subdomain}.${c.domain}";
+                  {
-                policy = "two_factor";
+                    domain = "${c.subdomain}.${c.domain}";
-                subject = ["group:arr_user"];
+                    policy = "bypass";
+                    resources = [
+                      "^/api.*"
+                    ];
+                  }
+                  {
+                    domain = "${c.subdomain}.${c.domain}";
+                    policy = "two_factor";
+                    subject = ["group:arr_user"];
+                  }
+                ];
               };
-            };
+        in
-      in
+          lib.mapAttrsToList appProtectConfig apps;
-        lib.mapAttrsToList appProtectConfig apps;
 
-    shb.backup.instances =
+      shb.backup.instances =
-      let
+        let
-        backupConfig = name: _defaults: {
+          backupConfig = name: _defaults: {
-          ${name} = {
+            ${name} = {
-            sourceDirectories = [
+              sourceDirectories = [
-              config.shb.arr.${name}.dataDir
+                config.shb.arr.${name}.dataDir
-            ];
+              ];
+              excludePatterns = [".db-shm" ".db-wal" ".mono"];
+            };
           };
-        };
+        in
-      in
+          lib.mkMerge (lib.mapAttrsToList backupConfig apps);
-        lib.mkMerge (lib.mapAttrsToList backupConfig apps);
+
-  };
+    }
+  ] ++ map (name: {
+    systemd.tmpfiles.rules = lib.mkIf (lib.hasAttr "dataDir" config.services.${name}) [
+      "d '${config.services.${name}.dataDir}' 0750 ${config.services.${name}.user} ${config.services.${name}.group} - -"
+    ];
+    users.groups.${name} = {
+      members = [ "backup" ];
+    };
+    systemd.services.${name}.serviceConfig = {
+      # Setup permissions needed for backups, as the backup user is member of the jellyfin group.
+      UMask = lib.mkForce "0027";
+      StateDirectoryMode = lib.mkForce "0750";
+    };
+  }) (lib.attrNames apps));
 }

modules/deluge.nix

@@ -114,11 +114,11 @@ in
       {
         inherit (cfg) subdomain domain oidcEndpoint;
         upstream = "http://127.0.0.1:${toString config.services.deluge.web.port}";
-        autheliaRule = {
+        autheliaRules = [{
           domain = fqdn;
           policy = "two_factor";
           subject = ["group:deluge_user"];
-        };
+        }];
       }
     ];
 

modules/nginx.nix

@@ -31,13 +31,13 @@ let
         example = "http://127.0.0.1:1234";
       };
 
-      autheliaRule = lib.mkOption {
+      autheliaRules = lib.mkOption {
-        type = lib.types.attrsOf lib.types.anything;
+        type = lib.types.listOf (lib.types.attrsOf lib.types.anything);
         description = "Authelia rule configuration";
-        example = lib.literalExpression ''{
+        example = lib.literalExpression ''[{
         policy = "two_factor";
         subject = ["group:service_user"];
-        }'';
+        }]'';
       };
     };
   };
@@ -173,8 +173,8 @@ in
 
     shb.authelia.rules =
       let
-        authConfig = c: c.autheliaRule // { domain = fqdn c; };
+        authConfig = c: map (r: r // { domain = fqdn c; }) c.autheliaRules;
       in
-        map authConfig cfg.autheliaProtect;
+        lib.flatten (map authConfig cfg.autheliaProtect);
   };
 }