From 4998a3c0d8cf02fcd0a592908993e2bac1c68e93 Mon Sep 17 00:00:00 2001
From: Daniel Kempkens <daniel+git@kempkens.io>
Date: Fri, 28 Apr 2023 00:05:07 +0200
Subject: [PATCH] mediaserver: Add mounts to systemd units

---
 container/tubearchivist/default.nix           |  15 ++++-
 secret/container/additional-media/default.nix | Bin 1873 -> 2050 bytes
 system/nixos/aria2.nix                        |  53 ++++++++++--------
 system/nixos/jellyfin.nix                     |  16 ++++++
 system/nixos/radarr.nix                       |  28 +++++----
 system/nixos/sabnzbd.nix                      |  39 +++++++------
 system/nixos/sonarr.nix                       |  30 ++++++----
 7 files changed, 117 insertions(+), 64 deletions(-)

diff --git a/container/tubearchivist/default.nix b/container/tubearchivist/default.nix
index 5e570fd..c409c58 100644
--- a/container/tubearchivist/default.nix
+++ b/container/tubearchivist/default.nix
@@ -35,9 +35,18 @@
     };
   };
 
-  systemd.services.podman-tubearchivist.serviceConfig = {
-    TimeoutStopSec = lib.mkForce 30;
-  };
+  systemd.services.podman-tubearchivist =
+    let
+      mounts = [ "mnt-media-YTDL.mount" ];
+    in
+    {
+      requires = mounts;
+      after = lib.mkMerge mounts;
+
+      serviceConfig = {
+        TimeoutStopSec = lib.mkForce 30;
+      };
+    };
 
   systemd.services.podman-archivist-redis.serviceConfig = {
     TimeoutStopSec = lib.mkForce 30;
diff --git a/secret/container/additional-media/default.nix b/secret/container/additional-media/default.nix
index 9416298e2c2a241976205ae5cd71db3d7c88c01f..49a043bfc3f52c29f03912ff27fd08503b7a05a5 100644
GIT binary patch
literal 2050
zcmV+d2>tf}M@dveQdv+`0I>cvmA=049<I7)>ldqQb+FMM;lx}q&L4{0dNtv7P${TA
z76eC23W~!7Bmd^GI|gnv)^NS<Y}Es-;D+l|K4x>=?Uq76NEuS`y`Bo)?}-i=u*Vr1
zecW*rz@|Esh|onQW-E(J2Z@>NQOV@&b<p1S`Rp}G*NP1cSl}TJ@$d7tPI&pkc!n)|
z0TOe<Vhae>RoNi>{{tF@8wPsqaPd6ehtzr!+Fh#QQzf$!;z=~hkvTSj;*W}udjxHL
z^58PiA!;aU*1lA+;vtk|A2F5+_9z+;;zs-CXp@vAD@*3;fmj9b`^P1@oC#QlTEG#?
zA>Jat_o2HUnXsU2FNcJ0mt4N9q(uSo1`U~G9s$=i_hcYjc^!k?LcDWhhNHfY&X|}o
zp9ZQ6`<(Z_B2&QtgH+VVKhH3g!h6W8iu$kKQWAro1^u>a%7@j@`ah8jxUR(-_y*N@
zRJf{A15xzP9L}f(vPteKesW04h>@NdoXiopK0xp0_?8jY!nG(1{@~>ylc)^qaWWQ{
zN`OWa86#?77e8{~vv!zqX`k<MjeG_F`i^CxrBI}39c_Xuu2(bkVVEj$gO%x<)IA=w
zma4khQq}X%f&GMHau22kyFQu|-UHE~cYJp_-x4e5%<um6v%ZOWK?td=I$1G<PdEt$
zLxT4vR{?<iZL4yA_FW+Fs7H^4&Jc`pS8G0(6Co_DG<h~<8kIbTTXss2!12CnL=~<>
z<q8>{V>Z$nHy@M~=&ii-5q_s-0J5Rm@kH$Yu#N$?B~aMxc3=I(F^AyG`^4=|Mm+SP
z8{fFRNq)jbr}?g8)f;<*(A6pTxuzXa)LX`~hbAx>jm2kT+1>1_prZXwN2dXd+H!#^
z2|kr%Xh0sCdt`=!T9;72@VVd<LK{r$OuQasGPZa@6XT7t<CVJkLv2GIXE5bZSU)bF
zHGpu}sI9+FL}8#A#HSz_(iUyEc-(}%d_c4LE@lXMGkWAlx)h>|gD{C8;+bYj^kt??
zpcB!0?Q!K&T5Y(fO26v*->X)&Q~DSJ?zc#IyWiuJJW6~9Xrg0buvjtDZNMq(1J#k^
z-P%*R4EnW1l^Ubm(-22c9_$7ms8AaK;Omv_5%8EFN$PrnqLAeM%v2K^`v8NPgdNJj
z7U^Dc3qj-$VR5>A8GZ=CX8`XL0m-6<hG8og_qEu8F|B|WowaX_j{SkuWdUGJG_(UQ
z;LXuy51q&JMokj5v@ytN82$VW97c6}jRYGX69OSq;?5~qsaN9nO<4yV6^zX48Omjv
zlel)BPUC1{!9~mFqnJ*M$2I~A$O+&kG?q-A|KFhoCN2=!sR?rTiA^gq>aGuyx05Sy
z$`!Z7>}S>GPOQHI`ezmU`%&*^J&%glAl=b35uhffkX{bYZmp0cy<R}$!jLv_EPeY4
zh-~qcSO@PA81~MDS!F_Us>sbPASk-jJ<;YhG5I9wf_e5aUvSFjq&y-}*H*2~@;Y~<
zyd)fuVl3#_#-#@bUtk61@|a7o{>CmvE(#;agF>2aOcp>}{T)rE8hVm?*j!57N;h&P
zfzu|~;6@zxz8%H)uCNCcT~Wljs6c`_rYjHJ)u=Y2&4U0#8lB&RY?kIKy9TR(Y^;RH
zcv!N4>}fmdXo}p!5;<lEw%irtPX|p^0W%f8%sLo@vaQ9pb2cSlcpvcwG9sMZj|^qt
zg3+DTBM4J{Hu#py@BfvND5Ik5bi}=$(@=NZ2C#X)w*D*DHXP#%NatN~I1qb|-gK`2
zzoGnOr_Q1OBq`-#P`Kg;m;9n0t{+Mq0M6A7))#256OBf=DUC*vkD~t1yPdLwR%(9v
zxgNe6{7M0mVQl%EnwSe<LLcC2*;lx=as&Qm8)o5NG}d`VL~&DFUNtf0dY}-Au%dGZ
zdZa~DMk*1NOue&=2fioXipVxV$~tp|)o9}55s2?JjAH(?_^aa<z%_N3PWL<azV(#n
zqL<N|xb&GPtml^RI#`CGR!d+$vDCdKzv>e9Pxjab&h-7FG0uM;F|U*l?)HzseKHIh
zL=CPh)<q%V-PMiQpArYwg+fs@dO85@>Voff>VR1S7@(lEHIkCs&m$-}X~_)&H&l7C
zeSb4dl^0j?+J^~$txL$a&`lr6g4jm{D+WNYHu3dDEJ0=i!?=Gl|H9i7R)h^4i027N
zT3TW-Kwpw;2h1imsi<AX*h!+qh}L)ld-mZDrE&GLQSz=Bw9nlUvjv0X<*db(h*{Ew
z3uJvuJOEZ33dGzO#J_!LbsF-LW*8Z@T4Vx3JV~|TG`g+8FGRf2`_rs_V11#!#;iu;
zRB1frPq6Rn-Y*zwVh@dtCPqXW9VXoRFG#b&WgQ>)zlBAsriS$Q3EbIrJ`$D7!?R#s
zC7TjfH3wfStIjF^Y3rNLh%JC-`wq$Fs6dO;%Zb<(o(&bBfF@lLt>`wLmn4Ko#n9z*
zGlxI#`Q?x33axG04?iq;DDz&7lbqd~K1eGjP521@S-)QGF6r%sxtCYnbj{1?@c04c
zghSYfzW_rm8V%am)?pc)Ak;50v&z)!hdbb0-`QT21j^B**|OFQgqwwuq#fx2(*h|;
zZ2H4mt+|O^Q4MqLlkva>kGwwljsrx~T<l<v6_dyuBzr5y@3|l{XhRY@VoX36!ju@u
g?yg9!f*wO==MSAc$PVA$s$Weu$oIpWNLRiU+l<Wong9R*

literal 1873
zcmV-X2d?-4M@dveQdv+`0108ZY}6@sOfHt(LG%Tk@MzyD@RNa#t8+JuhG$|rIFKi4
zaLO1CQRRnLkcolTYZ(G`OO5CQL@`S#Y8;XFY$#HQzZ7n>sGpv&ByjWqGvY8$s{fE2
zT0*FRtwe2+1FJ9C`{t|k*68-SuG0<Xjq!Ha@$!m9wS!p-s!bSm(T#~WlaC3NZC+S=
z)q}M)pUFw6ZW3>?lbRD~OMZ?Tcp{#p%n>At5x3Laf$X8;t*wh)hjG~&0#SI+#THsY
zh?+64W%h3O-GeoFP$MVf-1Up!1<Sj|iEnP_`V{bQkSQwOUZ%2xc6)_d?J5--RJ1Tz
z-XsM~jB2~Fuzaxpju=b_f0FNxG=Dw1(+L#%Kkl-w5!el{OGKhxg;`<B;c*OO5DI|}
zX$+Y+YHlF(&;%7?r+?T~BJ@iNr)_GjQ)1akf9%+hOiL;GKYHct`$f~O4{HjLQhPIj
zO)%8qPf`~^j;N!XD;+eENmk?>AiFf0CGn)Ok1ku@6_3o>jQ1sA@9(%P-SBU-8>82#
zi$cVE3nm?~vzn|p{j0lN@vh|bQ)QjT8I;@(vP_T?3=f|c4JNY#I*!EpK72QS|2!aR
zX#t;%pl?tEcL5+mM}u8#Uy=WkO!W<`x8K&7g2*7cL7!_iZNS*pbX7OIvy84%8;ney
z-v4*S;25aVxf0Xiwd>UL3rt}l>$HAw<yOP3XakG6Pk729P0_#@E^Un0;DDn2c_FW6
zB_ml~VMD-{!Cp$HV&f%mc67B2T99Nv--zwfNNHVS=*jNv6*w8!$~FIMX~gd}$Apzp
zBZ1K<{4YlTB$7c~g-j0S_s~aEWM+`_pf6pMKCV?XGj^3Jp!M8a6ze`2f|8W=xDiCV
zH~j5AU>fySUe0xVF$4%ucW*P6$=>{;#gSuU`>`-S4DACM=c=zH;fXY;9wUQP8(uh^
z(?{OA!3+VY<Grv{@NO##n+$gQtaHrV$+%DUU^{Tx1xYo<n=m*=T>gkbJ*^-ag`X9M
z&b>H8U~+UjB9RpSG{1=*sdxUi`G+WWnFSYI1g!VA@}CX#$1oxN96C=gU~t2?))nR>
zBFER{<p5e0#gHBpxVCp%E*nl;^No#}J}lA>PmDJ|5S>0x`v}nEG}?4P;jgyH+SZpP
zB%{PuQzq>ZUq@QLSPn{~LgrDjBi5&Bc4kov#^mt5fExJJhvV-K#QQvOgi}toRFF-H
zS5{^C48xxeGM?yX%L7x=Ar7MK&PDD^H}W6m820Xs;?<yYt?!}Ky<d%;vZC+Ka{4#F
zVz8yt9lKa>&LfTsM5kR0QC&yQ{2q*$;ON4p&ran3L}MPX&w{a|^S>GTP?V09jNtjC
z^UU>PeYZ;2DaOipAl^k0F+X@L6jC8YMEn>$@R|je<I~IiUhY<dr+%E8EIl)iyAz+=
zb}x=mFPMC;yo3NPK=Chpd6x-y%RqD^#DaR)I5mtIefFEbTr@7Z5p{{jdmQ_$vQt;A
zY-;Zgu48=mzBpO0!mTwW>MZ5fMT?I+>~EB))g5vudd+A!pJeNv{J|j&j7P6~m%jEP
zhf%A}zJ61k+UH6|&P|DkmCjlqsqRQI>GJx2-qTfBZt`iaSb@j=eND39KW%PH;J``R
zmSwhB$(d~5z(Bco8ZhZw3-Ze;k9RksXn&v~6O#!&=92M<(HP<)X&XN4{jx0Q*?Xz8
zO+F(a4ut`m?Fu1-wBWA<u13K>x)Em);tLs0ok)65&{Bm(3gmMIwl-Q4<KlVq=^ZTs
zEq#@=a`Z_jt3jj1rC*1x`7&+~nn7{etOHMA8)WMgCses)OBy?;o{qcg1HryS|3)rd
zITH)8DVz<y5T1FA3Qke3MeW#R<j53tB;jB%z;&fNQO;29!1BBd=_}woA*V?bON>+y
z`<G;rDp=FgxwkJBupy^SBQy;)z|RGU4~YjaUeShDsuVJ&c~;?vcYJ&8?JA({xPv0v
z`(LKFaS~Vc)2>>V5*rvP%A38Zk3Xjeo!Owf1>OM%cJ-}l7Y;ie?0Es6@aOQJFFa~>
zqDQe0;{Qh=SrE{x%f^VjkVHx?p`gHe$o3~k)aboTt{4&aCW;pG4!v_(7Cx3>ba`=h
z(5mA(Ng|Eo<yx)_9Q_22i55%iYfvdmg|%OOBOb|cmsBfZIe5O@mW?~qarBL*sebWL
zMAT@h3h)W6=>tLT_Q3-NW2{`3MRGjRpyBeNFQlp(7~ri7O7USfGgDK0TjB&Y>2l`Q
zKZ`b4aDbRNlF$=PiTw)jre_OQiY%pT#L2c>4JyXO+F_hDqHD<#V;Dgh{)LON{mHn%
z40fU~@RLn3L741<%WeU;!2P-Q@;1;|kOL>bpy_0%!4tB#`ACNR&GHV%n9pa-QoN5K
zk{A#;-|8aM`r_{?10m9C{FAOXVRepU%dhDsP)9xoEAY&{>Gz1_pyWCs^F5{4EmV4f
Ls)H(yMj$R^c^ROG

diff --git a/system/nixos/aria2.nix b/system/nixos/aria2.nix
index dfb917b..72e5cd4 100644
--- a/system/nixos/aria2.nix
+++ b/system/nixos/aria2.nix
@@ -7,33 +7,38 @@ let
 in
 {
   # The nix-provided options force a aria2-user to a certain degree
-  systemd.services.aria2 = {
-    description = "aria2 Service";
-    bindsTo = [ "wg.service" ];
-    after = [ "wg.service" ];
-    wantedBy = [ "multi-user.target" ];
+  systemd.services.aria2 =
+    let
+      mounts = [ "mnt-downloads.mount" ];
+    in
+    {
+      description = "aria2 Service";
+      requires = mounts;
+      bindsTo = [ "wg.service" ];
+      after = [ "wg.service" ] ++ mounts;
+      wantedBy = [ "multi-user.target" ];
 
-    preStart = ''
-      if [[ ! -e "${sessionFile}" ]]
-      then
-        touch "${sessionFile}"
-      fi
-      cp -f "${config.age.secrets.aria2-config.path}" "${settingsDir}/aria2.conf"
-    '';
+      preStart = ''
+        if [[ ! -e "${sessionFile}" ]]
+        then
+          touch "${sessionFile}"
+        fi
+        cp -f "${config.age.secrets.aria2-config.path}" "${settingsDir}/aria2.conf"
+      '';
 
-    serviceConfig = {
-      Restart = "on-abort";
-      ExecStart = "${pkgs.aria2}/bin/aria2c --enable-rpc --conf-path=${settingsDir}/aria2.conf --save-session=${sessionFile}";
-      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
-      User = "media_user";
-      Group = "media_group";
-      NetworkNamespacePath = "/var/run/netns/wg";
-      BindReadOnlyPaths = [
-        "/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
-        "/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
-      ];
+      serviceConfig = {
+        Restart = "on-abort";
+        ExecStart = "${pkgs.aria2}/bin/aria2c --enable-rpc --conf-path=${settingsDir}/aria2.conf --save-session=${sessionFile}";
+        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+        User = "media_user";
+        Group = "media_group";
+        NetworkNamespacePath = "/var/run/netns/wg";
+        BindReadOnlyPaths = [
+          "/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
+          "/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
+        ];
+      };
     };
-  };
 
   services.nginx.virtualHosts."aria.internal.kempkens.network" = {
     quic = true;
diff --git a/system/nixos/jellyfin.nix b/system/nixos/jellyfin.nix
index a1fdc07..01a6fb5 100644
--- a/system/nixos/jellyfin.nix
+++ b/system/nixos/jellyfin.nix
@@ -8,6 +8,22 @@
     openFirewall = false;
   };
 
+  systemd.services.jellyfin =
+    let
+      mounts = [
+        "mnt-media-TV\\x20Shows.mount"
+        "mnt-media-Documentaries.mount"
+        "mnt-media-Anime.mount"
+        "mnt-media-Movies.mount"
+        "mnt-media-Deutsche\\x20Serien.mount"
+        "mnt-media-Deutsche\\x20Filme.mount"
+      ];
+    in
+    {
+      requires = mounts;
+      after = lib.mkMerge mounts;
+    };
+
   services.nginx.virtualHosts."jellyfin.internal.kempkens.network" = {
     listen = [
       {
diff --git a/system/nixos/radarr.nix b/system/nixos/radarr.nix
index e7cc99a..69f3dad 100644
--- a/system/nixos/radarr.nix
+++ b/system/nixos/radarr.nix
@@ -8,18 +8,26 @@
     openFirewall = false;
   };
 
-  systemd.services.radarr = {
-    bindsTo = [ "wg.service" ];
-    after = lib.mkForce [ "wg.service" ];
-
-    serviceConfig = {
-      NetworkNamespacePath = "/var/run/netns/wg";
-      BindReadOnlyPaths = [
-        "/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
-        "/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
+  systemd.services.radarr =
+    let
+      mounts = [
+        "mnt-media-Movies.mount"
+        "mnt-downloads.mount"
       ];
+    in
+    {
+      requires = mounts;
+      bindsTo = [ "wg.service" ];
+      after = lib.mkForce ([ "wg.service" ] ++ mounts);
+
+      serviceConfig = {
+        NetworkNamespacePath = "/var/run/netns/wg";
+        BindReadOnlyPaths = [
+          "/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
+          "/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
+        ];
+      };
     };
-  };
 
   services.nginx.virtualHosts."radarr.internal.kempkens.network" = {
     quic = true;
diff --git a/system/nixos/sabnzbd.nix b/system/nixos/sabnzbd.nix
index 85b5be3..223e00f 100644
--- a/system/nixos/sabnzbd.nix
+++ b/system/nixos/sabnzbd.nix
@@ -2,25 +2,30 @@
 
 {
   # The nix-provided options force a sabnzbd-user to a certain degree
-  systemd.services.sabnzbd = {
-    description = "sabnzbd server";
-    bindsTo = [ "wg.service" ];
-    after = [ "wg.service" ];
-    wantedBy = [ "multi-user.target" ];
+  systemd.services.sabnzbd =
+    let
+      mounts = [ "mnt-downloads.mount" ];
+    in
+    {
+      description = "sabnzbd server";
+      requires = mounts;
+      bindsTo = [ "wg.service" ];
+      after = [ "wg.service" ] ++ mounts;
+      wantedBy = [ "multi-user.target" ];
 
-    serviceConfig = {
-      Type = "forking";
-      GuessMainPID = "no";
-      User = "media_user";
-      Group = "media_group";
-      NetworkNamespacePath = "/var/run/netns/wg";
-      BindReadOnlyPaths = [
-        "/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
-        "/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
-      ];
-      ExecStart = "${pkgs.sabnzbd}/bin/sabnzbd -d -f /var/lib/sabnzbd/sabnzbd.ini";
+      serviceConfig = {
+        Type = "forking";
+        GuessMainPID = "no";
+        User = "media_user";
+        Group = "media_group";
+        NetworkNamespacePath = "/var/run/netns/wg";
+        BindReadOnlyPaths = [
+          "/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
+          "/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
+        ];
+        ExecStart = "${pkgs.sabnzbd}/bin/sabnzbd -d -f /var/lib/sabnzbd/sabnzbd.ini";
+      };
     };
-  };
 
   services.nginx.virtualHosts."sabnzbd.internal.kempkens.network" = {
     quic = true;
diff --git a/system/nixos/sonarr.nix b/system/nixos/sonarr.nix
index 4c45fbe..7c3ce44 100644
--- a/system/nixos/sonarr.nix
+++ b/system/nixos/sonarr.nix
@@ -8,18 +8,28 @@
     openFirewall = false;
   };
 
-  systemd.services.sonarr = {
-    bindsTo = [ "wg.service" ];
-    after = lib.mkForce [ "wg.service" ];
-
-    serviceConfig = {
-      NetworkNamespacePath = "/var/run/netns/wg";
-      BindReadOnlyPaths = [
-        "/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
-        "/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
+  systemd.services.sonarr =
+    let
+      mounts = [
+        "mnt-media-TV\\x20Shows.mount"
+        "mnt-media-Documentaries.mount"
+        "mnt-media-Anime.mount"
+        "mnt-downloads.mount"
       ];
+    in
+    {
+      requires = mounts;
+      bindsTo = [ "wg.service" ];
+      after = lib.mkForce ([ "wg.service" ] ++ mounts);
+
+      serviceConfig = {
+        NetworkNamespacePath = "/var/run/netns/wg";
+        BindReadOnlyPaths = [
+          "/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
+          "/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
+        ];
+      };
     };
-  };
 
   services.nginx.virtualHosts."sonarr.internal.kempkens.network" = {
     quic = true;