diff --git a/system/hosts/mediaserver.nix b/system/hosts/mediaserver.nix
index 7cc832e..4cdcb87 100644
--- a/system/hosts/mediaserver.nix
+++ b/system/hosts/mediaserver.nix
@@ -22,6 +22,7 @@ in
 ../nixos/wireguard-netns.nix
 ../nixos/prowlarr.nix
 ../nixos/sabnzbd.nix
+ ../nixos/sonarr.nix
 ];
 system.stateVersion = "22.11";
diff --git a/system/nixos/sonarr.nix b/system/nixos/sonarr.nix
new file mode 100644
index 0000000..55e98fc
--- /dev/null
+++ b/system/nixos/sonarr.nix
@@ -0,0 +1,53 @@
+{ pkgs, lib, ... }:
+
+{
+ services.sonarr = {
+ enable = true;
+ user = "media_user";
+ group = "media_group";
+ openFirewall = false;
+ };
+
+ systemd.services.sonarr = {
+ bindsTo = [ "wg.service" ];
+ after = lib.mkForce [ "wg.service" ];
+
+ serviceConfig = {
+ NetworkNamespacePath = "/var/run/netns/wg";
+ };
+ };
+
+ systemd.services.socat-sonarr = {
+ description = "socat exposes sonarr";
+ bindsTo = [ "wg.service" ];
+ requires = [ "sonarr.service" ];
+ after = [ "wg.service" ];
+
+ serviceConfig = {
+ Type = "simple";
+ RuntimeDirectory = "socat-sonarr";
+ DynamicUser = true;
+ UMask = "000";
+ NetworkNamespacePath = "/var/run/netns/wg";
+ ExecStart = "${pkgs.socat}/bin/socat -d -d UNIX-LISTEN:/run/socat-sonarr/sonarr.sock,unlink-early,fork TCP4:127.0.0.1:8989";
+ Restart = "on-failure";
+ };
+ };
+
+ services.nginx.virtualHosts."sonarr.internal.kempkens.network" = {
+ quic = true;
+ http3 = true;
+
+ onlySSL = true;
+ useACMEHost = "internal.kempkens.network";
+
+ extraConfig = ''
+ client_max_body_size 32m;
+ '';
+
+ locations."/" = {
+ recommendedProxySettings = true;
+ proxyPass = "http://unix:/run/socat-sonarr/sonarr.sock:/";
+ };
+ };
+}
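Review bot: `UMask = "000"` in `systemd.services.socat-sonarr.serviceConfig` appears to leave `/run/socat-sonarr/sonarr.sock` writable by every local account, since no `RuntimeDirectoryMode` narrows the directory either. Any process on the host could then reach Sonarr through the socket without passing the nginx vhost and its TLS. Only nginx needs to connect, so scope the socket to its group, for example `Group = "nginx";`, `UMask = "007";` and `RuntimeDirectoryMode = "0750";`. This assumes nginx runs with the default `nginx` group, which should be confirmed against the host configuration. Separately, the vhost shows no `allow`/`deny` rule or auth directive, so access control seems to rest on Sonarr's own authentication and on where `sonarr.internal.kempkens.network` is reachable; a comment stating that intent would help.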