Diffstat (limited to 'modules/nixosModules/server')
-rw-r--r--modules/nixosModules/server/arr.nix74
-rw-r--r--modules/nixosModules/server/cgit.nix57
-rw-r--r--modules/nixosModules/server/default.nix12
-rw-r--r--modules/nixosModules/server/jellyfin.nix44
-rw-r--r--modules/nixosModules/server/nginx.nix20
-rw-r--r--modules/nixosModules/server/radicale.nix45
6 files changed, 252 insertions, 0 deletions
diff --git a/modules/nixosModules/server/arr.nix b/modules/nixosModules/server/arr.nix
new file mode 100644
index 0000000..40261ef
--- /dev/null
+++ b/modules/nixosModules/server/arr.nix
@@ -0,0 +1,74 @@
+{self, ...}: {
+ flake.nixosModules.arr = {
+ pkgs,
+ config,
+ lib,
+ ...
+ }: let
+ cfg = config.hostOptions.server;
+ in {
+ imports = [
+ self.nixosModules.hostOptions
+ ];
+
+ services.radarr = {
+ enable = true;
+ openFirewall = false;
+ dataDir = "${cfg.dataPath}/arr/radarr/";
+ settings.server = {
+ bindAddress = "*";
+ port = 7878;
+ };
+ };
+
+ services.lidarr = {
+ enable = true;
+ openFirewall = false;
+ dataDir = "${cfg.dataPath}/arr/lidarr/";
+ settings.server = {
+ bindAddress = "*";
+ port = 8686;
+ };
+ };
+
+ services.sonarr = {
+ enable = true;
+ openFirewall = false;
+ dataDir = "${cfg.dataPath}/arr/sonarr/";
+ settings.server = {
+ bindAddress = "*";
+ port = 8989;
+ };
+ };
+
+ services.prowlarr = {
+ enable = true;
+ openFirewall = false;
+ dataDir = "${cfg.dataPath}/arr/prowlarr/";
+ settings.server = {
+ bindAddress = "*";
+ port = 9696;
+ };
+ };
+
+ users.users.prowlarr = {
+ isSystemUser = true;
+ group = "prowlarr";
+ };
+ users.groups.prowlarr = {};
+ systemd.services.prowlarr.serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = lib.mkForce "prowlarr";
+ Group = lib.mkForce "prowlarr";
+ ReadWritePaths = ["${cfg.dataPath}/arr/prowlarr/"];
+ ExecStart = lib.mkForce "${pkgs.prowlarr}/bin/Prowlarr -nobrowser -data=${cfg.dataPath}/arr/prowlarr";
+ };
+
+ services.flaresolverr.enable = true;
+
+ users.groups.arr = {};
+ users.users.radarr.extraGroups = ["arr"];
+ users.users.lidarr.extraGroups = ["arr"];
+ users.users.sonarr.extraGroups = ["arr"];
+ };
+}
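Review bot: All four `settings.server` blocks set `bindAddress = "*"`, so Radarr, Lidarr, Sonarr and Prowlarr listen on every interface and `openFirewall = false` is the only thing keeping ports 7878, 8686, 8989 and 9696 off the network. This file defines no nginx virtual host for them, so if they are meant to be reached through a proxy or tunnel, `bindAddress = "127.0.0.1";` would match what radicale.nix does with `server.hosts`. If LAN access is intended, a comment saying so would make the exposure deliberate rather than implicit. Separately, the prowlarr override swaps `DynamicUser` for a static user and rewrites `ExecStart` with `mkForce`; a one-line comment giving the reason (presumably so the data can live under `cfg.dataPath`) would help the next reader.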
diff --git a/modules/nixosModules/server/cgit.nix b/modules/nixosModules/server/cgit.nix
new file mode 100644
index 0000000..09a5829
--- /dev/null
+++ b/modules/nixosModules/server/cgit.nix
@@ -0,0 +1,57 @@
+{
+ self,
+ lib,
+ ...
+}: {
+ flake.nixosModules.cgit = {
+ config,
+ pkgs,
+ ...
+ }: let
+ cfg = config.hostOptions.server;
+ in {
+ imports = [
+ self.nixosModules.hostOptions
+ self.nixosModules.nginx
+ ];
+
+ users.users.git = {
+ isSystemUser = true;
+ group = "git";
+ home = "${cfg.dataPath}/git";
+ createHome = true;
+ shell = "${pkgs.git}/bin/git-shell";
+ openssh.authorizedKeys.keys = cfg.sshKeys;
+ };
+ users.groups.git = {};
+
+ services.cgit."git.${cfg.domain}" = {
+ enable = true;
+
+ user = "git";
+ group = "git";
+
+ scanPath = "${cfg.dataPath}/git";
+
+ settings = {
+ enable-index-owner = false;
+ enable-commit-graph = 1;
+ enable-log-filecount = 1;
+ enable-log-linecount = 1;
+ clone-url = "https://git.${cfg.domain}/$CGIT_REPO_URL ssh://git@git.${cfg.domain}:${cfg.dataPath}/git/$CGIT_REPO_URL";
+ source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
+ about-filter = "${pkgs.cgit}/lib/cgit/filters/about-formatting.sh";
+ };
+
+ gitHttpBackend = {
+ enable = true;
+ checkExportOkFiles = false;
+ };
+ };
+
+ services.nginx.virtualHosts."git.${cfg.domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+}
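Review bot: `gitHttpBackend.checkExportOkFiles = false` makes every repository under `scanPath` cloneable over HTTPS without a `git-daemon-export-ok` marker, and `scanPath` is the `git` user's home, so anything pushed over SSH is published as soon as it lands. If any repository there is meant to stay private, keep the check on with `checkExportOkFiles = true;` and consider cgit's `strict-export` setting so the web view honours the same marker. If everything is public by design, a comment above the `gitHttpBackend` block such as `# all repositories under scanPath are intentionally public` would record that decision.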
diff --git a/modules/nixosModules/server/default.nix b/modules/nixosModules/server/default.nix
new file mode 100644
index 0000000..c9bbfa9
--- /dev/null
+++ b/modules/nixosModules/server/default.nix
@@ -0,0 +1,12 @@
+{ self, inputs, ... }:
+{
+ flake.nixosModules.server = {
+ imports = [
+ self.nixosModules.arr
+ self.nixosModules.cgit
+ self.nixosModules.jellyfin
+ self.nixosModules.nginx
+ self.nixosModules.radicale
+ ];
+ };
+}
diff --git a/modules/nixosModules/server/jellyfin.nix b/modules/nixosModules/server/jellyfin.nix
new file mode 100644
index 0000000..431022d
--- /dev/null
+++ b/modules/nixosModules/server/jellyfin.nix
@@ -0,0 +1,44 @@
+{
+ self,
+ lib,
+ ...
+}: {
+ flake.nixosModules.jellyfin = {
+ config,
+ pkgs,
+ ...
+ }: let
+ cfg = config.hostOptions.server;
+ in {
+ imports = [
+ self.nixosModules.hostOptions
+ self.nixosModules.nginx
+ ];
+
+ services.jellyfin = {
+ enable = true;
+ openFirewall = false;
+ dataDir = "${cfg.dataPath}/jellyfin/";
+ hardwareAcceleration = {
+ enable = true;
+ device = lib.mkDefault "/dev/dri/renderD128";
+ };
+ };
+
+ # transcoding
+ users.users.jellyfin.extraGroups = ["video" "render"];
+ environment.systemPackages = with pkgs; [jellyfin-ffmpeg];
+
+ services.nginx.virtualHosts."jellyfin.${cfg.domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8096";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_buffering off;
+ '';
+ };
+ };
+ };
+}
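Review bot: The virtual host proxies to `http://127.0.0.1:8096`, but nothing in this module pins Jellyfin to that port or tells Jellyfin that nginx is a trusted proxy. Unless the known-proxies setting is configured in Jellyfin's network settings, requests will probably all appear to come from 127.0.0.1, which weakens per-client logging and any local-versus-remote access rule. I would add a comment above `locations."/"`, for example `# 8096 is Jellyfin's default HTTP port; add 127.0.0.1 to Jellyfin's known proxies so real client IPs are seen`. Jellyfin also appears to keep its default listener on all interfaces, so, as in arr.nix, the firewall is the only thing keeping plain HTTP on 8096 private.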
diff --git a/modules/nixosModules/server/nginx.nix b/modules/nixosModules/server/nginx.nix
new file mode 100644
index 0000000..9d014b0
--- /dev/null
+++ b/modules/nixosModules/server/nginx.nix
@@ -0,0 +1,20 @@
+{self, ...}: {
+ flake.nixosModules.nginx = {config, ...}: {
+ imports = [
+ self.nixosModules.hostOptions
+ ];
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimization = true;
+ };
+
+ security.acme = {
+ enable = true;
+ defaults.email = config.hostOptions.user.email;
+ };
+ };
+}
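Review bot: The `security.acme` block sets only `defaults.email`, while the virtual hosts in cgit.nix, jellyfin.nix and radicale.nix all use `enableACME = true`. NixOS refuses to evaluate ACME certificates until `security.acme.acceptTerms = true;` is set, so unless `hostOptions` or the host configuration already does that, it belongs here next to the email. The module also never opens the ports nginx serves on; if that is not handled elsewhere, `networking.firewall.allowedTCPPorts = [80 443];` is needed both for the sites and for the HTTP-01 challenge.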
diff --git a/modules/nixosModules/server/radicale.nix b/modules/nixosModules/server/radicale.nix
new file mode 100644
index 0000000..7f62b70
--- /dev/null
+++ b/modules/nixosModules/server/radicale.nix
@@ -0,0 +1,45 @@
+{
+ self,
+ lib,
+ ...
+}: {
+ flake.nixosModules.radicale = {config, ...}: let
+ cfg = config.hostOptions.server;
+ in {
+ imports = [
+ self.nixosModules.hostOptions
+ self.nixosModules.nginx
+ ];
+
+ services.radicale = {
+ enable = true;
+ settings = {
+ server.hosts = ["127.0.0.1:5232"];
+ auth = {
+ type = "htpasswd";
+ htpasswd_filename = "${cfg.dataPath}/radicale/users";
+ htpasswd_encryption = "autodetect";
+ };
+ storage.filesystem_folder = "${cfg.dataPath}/radicale/calendars/";
+ };
+ };
+
+ users.users.radicale = {
+ isSystemUser = true;
+ group = "radicale";
+ };
+ users.groups.radicale = {};
+ systemd.services.radicale.serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = lib.mkForce "radicale";
+ Group = lib.mkForce "radicale";
+ ReadWritePaths = ["${cfg.dataPath}/arr/radicale/"];
+ };
+
+ services.nginx.virtualHosts."radicale.${cfg.domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://127.0.0.1:5232";
+ };
+ };
+}
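Review bot: `ReadWritePaths = ["${cfg.dataPath}/arr/radicale/"]` points at a directory nothing else in this file uses: the htpasswd file and `storage.filesystem_folder` both live under `${cfg.dataPath}/radicale/`. This looks like a copy from the prowlarr override in arr.nix. With the upstream unit's sandboxing, the service would likely be unable to write its collections, or fail to start if the listed path does not exist. It should read `ReadWritePaths = ["${cfg.dataPath}/radicale/"];`. Also, `htpasswd_encryption = "autodetect"` accepts whatever hash format appears in the users file, including weak ones, so pinning it to `"bcrypt"` would enforce a strong format for every entry.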