From 91a92f82a50ba36c3de48d00e5fbcadba4efd670 Mon Sep 17 00:00:00 2001 From: ahuston-0 Date: Mon, 5 May 2025 17:17:31 -0400 Subject: [PATCH] add various plex/arr services, remove nix-serve, add lynis config Signed-off-by: ahuston-0 --- systems/artemision/configuration.nix | 11 ++--- systems/palatine-hill/configuration.nix | 42 ++++++++++++++----- systems/palatine-hill/docker/torr.nix | 10 +++-- systems/palatine-hill/hydra.nix | 10 ++--- systems/palatine-hill/plex/default.nix | 28 +++++++++++++ systems/palatine-hill/plex/plex_permission.sh | 7 ++++ systems/palatine-hill/vars.nix | 2 + 7 files changed, 87 insertions(+), 23 deletions(-) create mode 100644 systems/palatine-hill/plex/default.nix create mode 100644 systems/palatine-hill/plex/plex_permission.sh diff --git a/systems/artemision/configuration.nix b/systems/artemision/configuration.nix index 72dcc48..0e32712 100644 --- a/systems/artemision/configuration.nix +++ b/systems/artemision/configuration.nix @@ -60,12 +60,13 @@ fwupd = { enable = true; - package = - (import (builtins.fetchTarball { - url = "https://github.com/NixOS/nixpkgs/archive/bb2009ca185d97813e75736c2b8d1d8bb81bde05.tar.gz"; - sha256 = "sha256:003qcrsq5g5lggfrpq31gcvj82lb065xvr7bpfa8ddsw8x4dnysk"; - }) { inherit (pkgs) system; }).fwupd; + # package = + # (import (builtins.fetchTarball { + # url = "https://github.com/NixOS/nixpkgs/archive/bb2009ca185d97813e75736c2b8d1d8bb81bde05.tar.gz"; + # sha256 = "sha256:003qcrsq5g5lggfrpq31gcvj82lb065xvr7bpfa8ddsw8x4dnysk"; + # }) { inherit (pkgs) system; }).fwupd; }; + mullvad-vpn.enable = true; fprintd.enable = lib.mkForce false; openssh.enable = lib.mkForce false; diff --git a/systems/palatine-hill/configuration.nix b/systems/palatine-hill/configuration.nix index 4281bd6..1089a89 100644 --- a/systems/palatine-hill/configuration.nix +++ b/systems/palatine-hill/configuration.nix @@ -17,6 +17,7 @@ ./minio.nix ./networking.nix ./nextcloud.nix + ./plex ./postgresql.nix ./samba.nix ./zfs.nix 
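Review bot: The five `# package =` lines keep a pinned nixpkgs `fetchTarball` as commented-out code with no explanation of why the fwupd override was needed or why it can now be dropped; either delete the block outright (git history keeps it) or replace it with a one-line comment naming the fwupd problem it worked around, e.g. `# fwupd override from nixpkgs bb2009ca no longer needed since <reason>`. The same comment-out-instead-of-remove pattern appears in hydra.nix (the `nix-serve` block and its sops entry) and in torr.nix (`#NAME_SERVERS`); those hunks would benefit from the same treatment. The enclosing attribute set starts and ends outside this hunk.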
@@ -57,16 +58,37 @@ }; }; - environment.systemPackages = with pkgs; [ - chromedriver - chromium - docker-compose - intel-gpu-tools - jellyfin-ffmpeg - jq - yt-dlp - yq - ]; + environment = { + systemPackages = with pkgs; [ + chromedriver + chromium + docker-compose + filebot + intel-gpu-tools + jellyfin-ffmpeg + jq + yt-dlp + yq + ]; + etc = { + # Creates /etc/lynis/custom.prf + "lynis/custom.prf" = { + text = '' + skip-test=BANN-7126 + skip-test=BANN-7130 + skip-test=DEB-0520 + skip-test=DEB-0810 + skip-test=FIRE-4513 + skip-test=HRDN-7222 + skip-test=KRNL-5820 + skip-test=LOGG-2190 + skip-test=LYNIS + skip-test=TOOL-5002 + ''; + mode = "0440"; + }; + }; + }; services = { samba.enable = true; diff --git a/systems/palatine-hill/docker/torr.nix b/systems/palatine-hill/docker/torr.nix index 6fe0352..87a17a4 100644 --- a/systems/palatine-hill/docker/torr.nix +++ b/systems/palatine-hill/docker/torr.nix @@ -45,7 +45,7 @@ in ]; }; delugeVPN = delugeBase // { - image = "binhex/arch-delugevpn"; + image = "binhex/arch-delugevpn:latest"; extraOptions = [ "--privileged=true" "--sysctl" @@ -57,13 +57,14 @@ in VPN_PROV = "custom"; ENABLE_PRIVOXY = "yes"; LAN_NETWORK = "192.168.0.0/16"; - NAME_SERVERS = "194.242.2.9"; + #NAME_SERVERS = "194.242.2.9"; + NAME_SERVERS = "9.9.9.9"; # note, delete /config/perms.txt to force a bulk permissions update }; volumes = [ "${delugevpn_path}/config:/config" - "${delugevpn_path}/data:/data" + "${deluge_path}/data:/data" # use common torrent path yuck "/etc/localtime:/etc/localtime:ro" ]; ports = [ @@ -71,6 +72,9 @@ in "8119:8118" "39275:39275" "39275:39275/udp" + "48346:48346" + "48346:48346/udp" + ]; }; }; diff --git a/systems/palatine-hill/hydra.nix b/systems/palatine-hill/hydra.nix index a9c92d8..d265715 100644 --- a/systems/palatine-hill/hydra.nix +++ b/systems/palatine-hill/hydra.nix 
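Review bot: The ten `skip-test=` entries written to `lynis/custom.prf` suppress audit findings without recording why each is acceptable; some look Debian-only (DEB-0520, DEB-0810) but others, such as HRDN-7222 and KRNL-5820, appear to be hardening checks, so silencing them hides exactly the findings the audit exists to surface. Put a reason line above each skip (`# debsums check, not applicable on NixOS` before `skip-test=DEB-0520`) and keep the hardening-related skips under review rather than permanent. `mode = "0440"` is fine for a profile that only root's audit run needs to read. The surrounding module continues outside the hunk.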
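Review bot: `image = "binhex/arch-delugevpn:latest"` pins nothing: since this container is started with `--privileged=true` (visible in the same hunk), every pull of `latest` runs whatever the registry currently serves with full host privileges, so the image should be pinned to a specific tag and ideally a digest, e.g. `image = "binhex/arch-delugevpn:<version>@sha256:<digest>";` (placeholder values). Bumping the pin then becomes an explicit, reviewable change instead of an implicit one at the next pull. The `delugeVPN` definition continues past the hunk.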
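Review bot: `"${deluge_path}/data:/data"` now points the VPN container at a directory the hunk's own comment calls the common torrent path, so presumably another container mounts the same tree; the `# use common torrent path yuck` comment should state which container owns that directory and whether both are expected to run at once, since two writers on one download tree is a data-integrity risk (`# shared with <other container>; only one should run at a time`). The resolver change on the `NAME_SERVERS` line likewise lacks a reason; a short `# 9.9.9.9: <reason>` is more useful than the commented-out previous value. The `environment` and `volumes` attribute sets are both cut by the hunk.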
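Review bot: The new `"48346:48346"` TCP/UDP mappings sit next to the existing `39275` pair with no comment saying which is the active incoming port, so if 48346 replaces 39275 the old pair is now an unnecessary listener on the host; either drop the superseded pair or annotate both (`"48346:48346" # deluge incoming port`). The lone added blank line before `];` is whitespace noise. The `ports` list starts outside the hunk.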
@@ -82,10 +82,10 @@ in ''; }; - nix-serve = { - enable = true; - secretKeyFile = config.sops.secrets."nix-serve/secret-key".path; - }; + # nix-serve = { + # enable = true; + # secretKeyFile = config.sops.secrets."nix-serve/secret-key".path; + # }; prometheus = { enable = true; webExternalUrl = "https://prom.alicehuston.xyz"; @@ -134,7 +134,7 @@ in sops = { secrets = { "hydra/environment".owner = "hydra"; - "nix-serve/secret-key".owner = "root"; + # "nix-serve/secret-key".owner = "root"; "alice/gha-hydra-token" = { sopsFile = ../../users/alice/secrets.yaml; owner = "hydra"; diff --git a/systems/palatine-hill/plex/default.nix b/systems/palatine-hill/plex/default.nix new file mode 100644 index 0000000..95d2a1f --- /dev/null +++ b/systems/palatine-hill/plex/default.nix @@ -0,0 +1,28 @@ +{ + pkgs, + ... +}: +let + vars = import ../vars.nix; +in +{ + services.plex = { + enable = true; + dataDir = vars.primary_plex; + }; + systemd.services.plex_permission = { + description = "maintains plex permissions"; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkgs.bash}/bin/bash ${./plex_permission.sh}"; + }; + }; + systemd.timers.plex_permission = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = "1h"; + OnCalendar = "daily 03:00"; + Unit = "plex_permission.service"; + }; + }; +} diff --git a/systems/palatine-hill/plex/plex_permission.sh b/systems/palatine-hill/plex/plex_permission.sh new file mode 100644 index 0000000..bbea0a1 --- /dev/null +++ b/systems/palatine-hill/plex/plex_permission.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +plex_dir="/ZFS/ZFS-primary/plex" + +chown docker-service:users -R "$plex_dir" +find "$plex_dir" -type f -exec chmod 664 {} \; +find "$plex_dir" -type d -exec chmod 775 {} \; diff --git a/systems/palatine-hill/vars.nix b/systems/palatine-hill/vars.nix index 9b06ade..8566078 100644 --- a/systems/palatine-hill/vars.nix +++ b/systems/palatine-hill/vars.nix 
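Review bot: Commenting out `"nix-serve/secret-key".owner = "root"` only stops sops-nix from deploying the key; the encrypted signing key presumably still sits in the sops file, and its public half may still be listed in `trusted-public-keys` on machines that used this cache. If nix-serve is retired, remove the key from the secrets file and the consumers' trust entries as part of the same change; if it is only paused, say so in a comment so the stale declaration is not mistaken for cleanup. The `secrets` attribute set continues outside the hunk.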
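Review bot: `OnCalendar = "daily 03:00"` does not look like a valid systemd calendar expression: `daily` is a complete shorthand for `*-*-* 00:00:00` and takes no time suffix, so the timer would likely fail to load; `OnCalendar = "*-*-* 03:00:00";` is the intended form and `systemd-analyze calendar` confirms it. Separately, `plex_permission.sh` hard-codes `/ZFS/ZFS-primary/plex` while this module already has `vars.primary_plex`; passing the path as an argument, `ExecStart = "${pkgs.bash}/bin/bash ${./plex_permission.sh} ${vars.primary_plex}";`, keeps the two from drifting. Note also that the NixOS plex module runs Plex as user `plex` by default, while the script chowns that tree to `docker-service:users` every night; unless `services.plex.user` is set to `docker-service` elsewhere, Plex loses write access to its own data directory after the first run.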
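Review bot: The script has no `set -euo pipefail`, so a failed `chown` still lets both `find` passes run, and `chmod 664` on every file under `$plex_dir` strips execute bits and makes the whole tree group-writable for everyone in `users`, a broad grant if, as the path suggests, this is the same tree as `services.plex.dataDir` with Plex's database and preferences in it. Add `set -euo pipefail` after the shebang, consider narrowing the group or the subpaths that need group write, and use `-exec chmod 664 {} +` and `-exec chmod 775 {} +` so find spawns one chmod per batch instead of one per file. Because the unit runs as root and rewrites ownership recursively, `ProtectSystem=strict` plus a `ReadWritePaths=` limited to the Plex tree would contain a typo in `plex_dir`.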
@@ -17,4 +17,6 @@ rec {
   primary_nextcloud = "${zfs_primary}/nextcloud";
   primary_redis = "${zfs_primary}/redis";
   primary_torr = "${zfs_primary}/torr";
+  primary_plex = "${zfs_primary}/plex";
+  primary_plex_storage = "${zfs_primary}/plex_storage";
 }