add various plex/arr services, remove nix-serve, add lynis config

Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
2025-05-05 17:17:31 -04:00 · 2025-05-05 17:17:31 -04:00 · 91a92f82a5
commit 91a92f82a5
parent 36479499d6
7 changed files with 87 additions and 23 deletions
--- a/systems/artemision/configuration.nix
+++ b/systems/artemision/configuration.nix
@ -60,12 +60,13 @@

    fwupd = {
      enable = true;
-      package =
-        (import (builtins.fetchTarball {
-          url = "https://github.com/NixOS/nixpkgs/archive/bb2009ca185d97813e75736c2b8d1d8bb81bde05.tar.gz";
-          sha256 = "sha256:003qcrsq5g5lggfrpq31gcvj82lb065xvr7bpfa8ddsw8x4dnysk";
-        }) { inherit (pkgs) system; }).fwupd;
+      # package =
+      #   (import (builtins.fetchTarball {
+      #     url = "https://github.com/NixOS/nixpkgs/archive/bb2009ca185d97813e75736c2b8d1d8bb81bde05.tar.gz";
+      #     sha256 = "sha256:003qcrsq5g5lggfrpq31gcvj82lb065xvr7bpfa8ddsw8x4dnysk";
+      #   }) { inherit (pkgs) system; }).fwupd;
    };
+    mullvad-vpn.enable = true;

    fprintd.enable = lib.mkForce false;
    openssh.enable = lib.mkForce false;
--- a/systems/palatine-hill/configuration.nix
+++ b/systems/palatine-hill/configuration.nix
@ -17,6 +17,7 @@
    ./minio.nix
    ./networking.nix
    ./nextcloud.nix
+    ./plex
    ./postgresql.nix
    ./samba.nix
    ./zfs.nix
@ -57,16 +58,37 @@
    };
  };

-  environment.systemPackages = with pkgs; [
-    chromedriver
-    chromium
-    docker-compose
-    intel-gpu-tools
-    jellyfin-ffmpeg
-    jq
-    yt-dlp
-    yq
-  ];
+  environment = {
+    systemPackages = with pkgs; [
+      chromedriver
+      chromium
+      docker-compose
+      filebot
+      intel-gpu-tools
+      jellyfin-ffmpeg
+      jq
+      yt-dlp
+      yq
+    ];
+    etc = {
+      # Creates /etc/lynis/custom.prf
+      "lynis/custom.prf" = {
+        text = ''
+          skip-test=BANN-7126
+          skip-test=BANN-7130
+          skip-test=DEB-0520
+          skip-test=DEB-0810
+          skip-test=FIRE-4513
+          skip-test=HRDN-7222
+          skip-test=KRNL-5820
+          skip-test=LOGG-2190
+          skip-test=LYNIS
+          skip-test=TOOL-5002
+        '';
+        mode = "0440";
+      };
+    };
+  };

  services = {
    samba.enable = true;
--- a/systems/palatine-hill/docker/torr.nix
+++ b/systems/palatine-hill/docker/torr.nix
@ -45,7 +45,7 @@ in
      ];
    };
    delugeVPN = delugeBase // {
-      image = "binhex/arch-delugevpn";
+      image = "binhex/arch-delugevpn:latest";
      extraOptions = [
        "--privileged=true"
        "--sysctl"
@ -57,13 +57,14 @@ in
        VPN_PROV = "custom";
        ENABLE_PRIVOXY = "yes";
        LAN_NETWORK = "192.168.0.0/16";
-        NAME_SERVERS = "194.242.2.9";
+        #NAME_SERVERS = "194.242.2.9";
+        NAME_SERVERS = "9.9.9.9";
        # note, delete /config/perms.txt to force a bulk permissions update

      };
      volumes = [
        "${delugevpn_path}/config:/config"
-        "${delugevpn_path}/data:/data"
+        "${deluge_path}/data:/data" # use common torrent path yuck
        "/etc/localtime:/etc/localtime:ro"
      ];
      ports = [
@ -71,6 +72,9 @@ in
        "8119:8118"
        "39275:39275"
        "39275:39275/udp"
+        "48346:48346"
+        "48346:48346/udp"
+
      ];
    };
  };
--- a/systems/palatine-hill/hydra.nix
+++ b/systems/palatine-hill/hydra.nix
@ -82,10 +82,10 @@ in
      '';
    };

-    nix-serve = {
-      enable = true;
-      secretKeyFile = config.sops.secrets."nix-serve/secret-key".path;
-    };
+    # nix-serve = {
+    #   enable = true;
+    #   secretKeyFile = config.sops.secrets."nix-serve/secret-key".path;
+    # };
    prometheus = {
      enable = true;
      webExternalUrl = "https://prom.alicehuston.xyz";
@ -134,7 +134,7 @@ in
  sops = {
    secrets = {
      "hydra/environment".owner = "hydra";
-      "nix-serve/secret-key".owner = "root";
+      # "nix-serve/secret-key".owner = "root";
      "alice/gha-hydra-token" = {
        sopsFile = ../../users/alice/secrets.yaml;
        owner = "hydra";
--- a/systems/palatine-hill/plex/default.nix
+++ b/systems/palatine-hill/plex/default.nix
@ -0,0 +1,28 @@
+{
+  pkgs,
+  ...
+}:
+let
+  vars = import ../vars.nix;
+in
+{
+  services.plex = {
+    enable = true;
+    dataDir = vars.primary_plex;
+  };
+  systemd.services.plex_permission = {
+    description = "maintains plex permissions";
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "${pkgs.bash}/bin/bash ${./plex_permission.sh}";
+    };
+  };
+  systemd.timers.plex_permission = {
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnBootSec = "1h";
+      OnCalendar = "daily 03:00";
+      Unit = "plex_permission.service";
+    };
+  };
+}
--- a/systems/palatine-hill/plex/plex_permission.sh
+++ b/systems/palatine-hill/plex/plex_permission.sh
@ -0,0 +1,7 @@
+#!/bin/bash
+
+plex_dir="/ZFS/ZFS-primary/plex"
+
+chown docker-service:users -R "$plex_dir"
+find "$plex_dir" -type f -exec chmod 664 {} \;
+find "$plex_dir" -type d -exec chmod 775 {} \;
--- a/systems/palatine-hill/vars.nix
+++ b/systems/palatine-hill/vars.nix
@ -17,4 +17,6 @@ rec {
  primary_nextcloud = "${zfs_primary}/nextcloud";
  primary_redis = "${zfs_primary}/redis";
  primary_torr = "${zfs_primary}/torr";
+  primary_plex = "${zfs_primary}/plex";
+  primary_plex_storage = "${zfs_primary}/plex_storage";
 }