Add lidarr and transmission to dalinar

Add lidarr container with tailscale on dalinar
Enable immich on dalinar
2025-04-03 22:43:24 +02:00 · 2025-04-01 22:06:50 +02:00 · 2025-04-01 19:47:07 +02:00 · 2025-03-30 19:18:56 +02:00 · 2025-03-30 18:46:08 +02:00 · 2025-03-28 23:30:56 +01:00
6 changed files with 172 additions and 8 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -6,3 +6,7 @@ creation_rules:
      - age:
        - *admin
        - age1y5lmqqzpapjmtxzvsmf6a9cchhhpq05uwdlqv2q6yz9kkx3s6ars6szsc7
+  - path_regex: hosts/lift/secrets.yaml
+    key_groups:
+      - age:
+        - *admin
--- a/flake.nix
+++ b/flake.nix
@ -40,6 +40,7 @@
        lift = nixpkgs.lib.nixosSystem {
          inherit system;
          modules = [
+            sops-nix.nixosModules.sops
            ./hosts/lift
          ];
        };
--- a/hosts/dalinar/default.nix
+++ b/hosts/dalinar/default.nix
@ -46,7 +46,8 @@
    firewall = {
      enable = true;
      allowedUDPPorts = [ 53 ];
-      allowedTCPPorts = [ 80 443];
+      allowedTCPPorts = [ 80 443 ];
+      trustedInterfaces = [ "tailscale0" ];
    };
    # head -c4 /dev/urandom | od -A none -t x4
    # Required for ZFS, see https://openzfs.github.io/openzfs-docs/Getting%20Started/NixOS/index.html
@ -81,6 +82,14 @@
  sops.templates."searx-env".content = ''
    SEARX_SECRET_KEY=${config.sops.placeholder."searx/secret_key"}
  '';
+  sops.secrets."transmission_rpc/user" = { };
+  sops.secrets."transmission_rpc/password" = { };
+  sops.templates."transmission-secrets.json".content = ''
+  {
+    "rpc-username": "${config.sops.placeholder."transmission_rpc/user"}",
+    "rpc-password": "${config.sops.placeholder."transmission_rpc/password"}"
+  }
+  '';


  i18n.defaultLocale = "en_US.UTF-8";
@ -92,6 +101,10 @@
  users.mutableUsers = false;
  # mkpasswd -m sha512crypt <password>
  users.users.root.hashedPassword = "$6$JdgM.TQt0/0988od$yPVgGZ5zu6HjG.sVjzEWJBm4L7XEReuplrqLRekPq/GrAyk5GrFmPM9hdzrmD28PDX9AtxaClYM5emsJ75YfJ0";
+  users.users.sambauser = {
+    isNormalUser = true;
+    createHome = false;
+  };

  environment.systemPackages = with pkgs; [
    ethtool
@ -119,6 +132,34 @@

  services.zfs.autoScrub.enable = true;

+  services.samba = {
+    enable = true;
+    openFirewall = true;
+    settings = {
+      global = {
+        security = "user";
+        workgroup = "WORKGROUP";
+        "server string" = "smbnix";
+        "netbios name" = "smbnix";
+        "hosts allow" = "100. 172.16.0. 127.0.0.1 localhost";
+        "hosts deny" = "0.0.0.0/0";
+        "guest account" = "nobody";
+        "map to guest" = "bad user";
+      };
+      media = {
+        path = "/storage/encrypted/media/";
+        browseable = "yes";
+        writeable = "yes";
+        "read only" = "no";
+        "guest ok" = "no";
+        "create mask" = "0644";
+        "directory mask" = "0755";
+        "force user" = config.services.jellyfin.user;
+        "force group" = config.services.jellyfin.group;
+      };
+    };
+  };
+
  services.unbound = {
    enable = true;
    settings = {
@ -184,10 +225,8 @@

  services.immich = {
    enable = true;
-    host = "0.0.0.0";
-    openFirewall = true;
    machine-learning.enable = false;
-    # TODO set data dir
+    mediaLocation = "/storage/encrypted/photos/";
  };

  services.prometheus = {
@ -236,6 +275,10 @@
    adminCredentialsFile = config.sops.templates."miniflux-admin-credentials".path;
  };

+  services.jellyfin = {
+    enable = true;
+  };
+
  services.caddy = {
    enable = true;
    environmentFile = config.sops.templates."caddy-global-conf".path;
@ -266,12 +309,32 @@
          reverse_proxy ${config.containers.searx.localAddress}:${builtins.toString config.containers.searx.config.services.searx.settings.server.port}
        '';
      };
+      "https://lidarr.dalinar.home.johannes-rothe.de" = {
+        extraConfig = ''
+          reverse_proxy lidarr:${builtins.toString config.containers.lidarr.config.services.lidarr.settings.server.port}
+        '';
+      };
+      "https://transmission.dalinar.home.johannes-rothe.de" = {
+        extraConfig = ''
+          reverse_proxy lidarr:${builtins.toString config.containers.lidarr.config.services.transmission.settings.rpc-port}
+        '';
+      };
+      "https://jellyfin.dalinar.home.johannes-rothe.de" = {
+        extraConfig = ''
+          reverse_proxy localhost:8096
+        '';
+      };
+      "https://immich.dalinar.home.johannes-rothe.de" = {
+        extraConfig = ''
+          reverse_proxy localhost:${toString config.services.immich.port}
+        '';
+      };
    };
  };

  networking.nat = {
    enable = true;
-    internalInterfaces = [ "ve-searx" ];
+    internalInterfaces = [ "ve-*" ];
    externalInterface = "eno1";
  };

@ -279,6 +342,7 @@
    autoStart = true;
    ephemeral = true;
    privateNetwork = true;
+    # privateUsers = "pick";
    hostAddress = "192.168.100.2";
    localAddress = "192.168.100.3";
    bindMounts."/run/secrets/searx-env" = {
@ -300,6 +364,55 @@
    };
  };

+  containers.lidarr = {
+    autoStart = true;
+    privateNetwork = true;
+    enableTun = true;
+    hostAddress = "192.168.100.4";
+    localAddress = "192.168.100.5";
+    bindMounts."/run/secrets/tranmission.json" = {
+      isReadOnly = true;
+      hostPath = config.sops.templates."transmission-secrets.json".path;
+    };
+    config = { pkgs, ... }: {
+      system.stateVersion = "24.11";
+      networking.useHostResolvConf = lib.mkForce false;
+      # Required workaround for tailscale exit nodes, see https://nixos.wiki/wiki/Tailscale
+      networking.firewall.checkReversePath = "loose";
+      networking.nftables.enable = true;
+      services.resolved.enable = true;
+
+      # Tailscale is also used for local connectivity, since the exit node for
+      # some reason prevents local access
+      services.tailscale.enable = true;
+
+      services.transmission = {
+        enable = true;
+        openRPCPort = true;
+        credentialsFile = "/run/secrets/tranmission.json";
+        settings = {
+          rpc-port = 9091;
+          rpc-bind-address = "0.0.0.0";
+          rpc-whitelist-enabled = false;
+          rpc-authentication-required = true;
+        };
+        webHome = pkgs.flood-for-transmission;
+      };
+      # https://github.com/NixOS/nixpkgs/issues/258793
+      systemd.services.transmission.serviceConfig = {
+        RootDirectoryStartOnly = lib.mkForce false;
+        RootDirectory = lib.mkForce "";
+        PrivateMounts = lib.mkForce false;
+        PrivateUsers = lib.mkForce false;
+      };
+
+      services.lidarr = {
+        enable = true;
+        openFirewall = true;
+      };
+    };
+  };
+
  system.stateVersion = "24.11"; # Don't change

 }
--- a/hosts/dalinar/secrets.yaml
+++ b/hosts/dalinar/secrets.yaml
@ -5,6 +5,9 @@ caddy:
    ionos_dns_api_key: ENC[AES256_GCM,data:boZTsuMbYRHk16VAjPu1pw6Z/dRw8PCCb0VT5KKwiofq6FydBhZ7pLEpHy/q8UfZB0AEUtKNXxrTa8R1WFFAGwad9JqC49DBNxnhxT7yDppu1x8fI0s7U5AYZHIDekTXw22N5EmUT1zzMoFPogHkLr+JPiSGVSM=,iv:pg/RlPFOanMVjaMAu4DSXC/cLgPA6quSs4e4Z50Iyf0=,tag:83md4Psn21z3HtBL0cQIyA==,type:str]
 searx:
    secret_key: ENC[AES256_GCM,data:N8rfDlmDGltQOc+dcdCP0ghGMbEcdZWmoeH2tQTphKGLKg==,iv:JMUcI3ln2rm09FSy6A382soh6oaSvOCCfq1LeeyoE9g=,tag:z5fqLlLVmRpgvMUM2NI0RA==,type:str]
+transmission_rpc:
+    user: ENC[AES256_GCM,data:w+gjEQ==,iv:Qyp2zvUBagrMMdUMN6ghIZuGxSMEvhh2/JPXtRtBJ7Q=,tag:6rOt4Goc7n0nrIycdbquhw==,type:str]
+    password: ENC[AES256_GCM,data:SUTKckSWqW94eshNkysVfA==,iv:WtuyR7Y9a7lyaZ9AbJyTiVVYVbJUsxHqtRU/5T1aO/E=,tag:eyveY9/aA1EQ2JXU2NrDYg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -29,8 +32,8 @@ sops:
            SVMwSGwwWVo1RzZnSjB6Z0MraTBHZ00KiHCJ8M3xQ8+YH5+aOy3th5fYTEavHqa0
            bbzATd2uRW8K+RSW3NFpN2AMtn9GCGt6Hsw0kezhiBN8qZ4tneKxJg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-24T21:54:24Z"
-    mac: ENC[AES256_GCM,data:ptQt4xit3quAJ+S+BQe2vzZz7JcfTxs5Z3kMwb6TuL7f0uX6Cr/h6HEJOu4ERIgN2hFzScDSdwW6/0XW4IepdUxTIVW5TPMpxf9QrlhBRJd8hd41jHywEubN2bvSe/a3Nm1og5v603X0/jlyqLzhOFBZCYjEKVEL7c0fWyneo+U=,iv:AkK3hPgHwCdyOmyRxzL8X5Vud38H6N+2J/XHV08klFQ=,tag:IdngdAUy7ylWIjkgMLeAJg==,type:str]
+    lastmodified: "2025-04-03T20:18:45Z"
+    mac: ENC[AES256_GCM,data:OM78015iecHNG3p5m0CCe+76dkKo7wBe+i7Crl/A58K0bomDKm8jys2yDXJU1udEaJBwhQTUadIaPFHPyMhegPrnfAMcInUQP6aD9SQVAOByi1T/BrFvT0hQClKzskSEeGwnUb+hJYSMkojhkzx5MvEnX9WDdVfAKgHbj4+QxCM=,iv:F8h2gv7F998Lh3FAXEzedsFNRDxD8bzdShTVVwLzKSU=,tag:x44SQkD4PnGhVaIx1XlBug==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/hosts/lift/configuration.nix
+++ b/hosts/lift/configuration.nix
@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:

 {
  # Bootloader.
@ -22,6 +22,25 @@
  systemd.network.wait-online.enable = false;
  boot.initrd.systemd.network.wait-online.enable = false;

+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.age.sshKeyPaths = [];
+  sops.age.keyFile = "/home/rothe/.config/sops/age/keys.txt";
+  sops.secrets."samba/user" = { };
+  sops.secrets."samba/password" = { };
+  sops.templates.sambacreds.content = ''
+    username=${config.sops.placeholder."samba/user"}
+    password=${config.sops.placeholder."samba/password"}
+  '';
+
+  fileSystems."/mnt/media" = {
+    device = "//dalinar.home.johannes-rothe.de/media";
+    fsType = "cifs";
+    options = let
+      # this line prevents hanging on network split
+      automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
+
+    in ["${automount_opts},credentials=${config.sops.templates.sambacreds.path},uid=1000,gid=100"];
+  };

  # bluetooth
  hardware.bluetooth.enable = true;
@ -29,6 +48,7 @@
  environment.systemPackages = with pkgs; [
    avrdude
    cryptsetup
+    cifs-utils
    ffmpeg
    fzf
    gammastep
--- a/hosts/lift/secrets.yaml
+++ b/hosts/lift/secrets.yaml
@ -0,0 +1,23 @@
+samba:
+    user: ENC[AES256_GCM,data:gxlxZYtLyom7,iv:wCNASjPzkcf0IPV1Hy5PF5fznTbs1blG3CIRK2D30Yw=,tag:q1uaEx/raTxR5XKEhBYqHw==,type:str]
+    password: ENC[AES256_GCM,data:SNyQ6MFZkq7Vik2kzuJXgA==,iv:dc9HMgDd/xH6EXjM55QxKJGkT9/nOtU4a1/sCLFvstM=,tag:b5HBuhuANo63OgMkeuEMdQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1xy66lg9eh572ge0y7zzh34f78s8l9hnkxhg3r4gn98ph95mz25tszgerul
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZdnFSRUlYWDNoc2h4RGdS
+            TEN3TlpiWkVZaHFyWXJLSE9nRjBEd243RWh3CmtBd3dyYzlVTzJHMUdyYjNVQTk1
+            WVdTajg4b2JMRWlwNXhhOEtUTTRmdFkKLS0tIEJqakloNHNlQlgwRVNMT2lQWWlh
+            ejY4UDlFZlYvak5kZmM2Ylp3dkJHNk0KE8hC2CybCA8YJ5F4hv/szIOcn1XXp8+a
+            c62iDMBYWV6TjzQSqYryDoejj9eE/fnbSRoj632MUbZzu87toCj/pw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-30T16:45:13Z"
+    mac: ENC[AES256_GCM,data:O0JI59PeSgb/49EMTIcjALXBhN6sK6CTKwqvlU6PPcCz02ibiuivQD1ow8lAP67GaCzOlNOuDdtr0rTx6cuc7BuPGsfD/MGjw+Aw2OS57fPRUyGVMKLIXgpCOaakXTkfKwDSqjTgtrPdgqVyQgJB1osRR5ji2nAj1Cmk3/JEqPA=,iv:mbUrOBkyb+M7cxW971gnCLyaABYLnHMjrJlxy+lW5Jo=,tag:7asKES378gynGN4Bqjsw0A==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4
Author	SHA1	Message	Date
Johannes Rothe	057f4fa040	Add lidarr and transmission to dalinar	2025-04-03 22:43:24 +02:00
Johannes Rothe	dc582e9b4c	Add lidarr container with tailscale on dalinar	2025-04-01 22:06:50 +02:00
Johannes Rothe	8915a27cea	Enable immich on dalinar	2025-04-01 19:47:07 +02:00
Johannes Rothe	8e304f189a	Mount dalinar media on lift	2025-03-30 19:18:56 +02:00
Johannes Rothe	7773a20fb4	Enable samba on dalinar	2025-03-30 18:46:08 +02:00
Johannes Rothe	489888ac83	Enable jellyfin on dalinar	2025-03-28 23:30:56 +01:00
Johannes Rothe	c2328f08d0	Trust tailscale interface and all containers	2025-03-26 22:48:12 +01:00