diff --git a/modules/homelab/services/arr/prowlarr/default.nix b/modules/homelab/services/arr/prowlarr/default.nix
new file mode 100644
index 0000000..78e1065
--- /dev/null
+++ b/modules/homelab/services/arr/prowlarr/default.nix
@@ -0,0 +1,77 @@
+{ pkgs, config, lib, ... }:
+
+let
+ cfg = config.modules.services.prowlarr;
+ ids = 2004;
+ default_port = 9696;
+ data_dir = "/var/lib/prowlarr";
+in
+{
+ options.modules.services.prowlarr = {
+ enable = lib.mkEnableOption "enables prowlarr";
+
+ # set port options
+ port = lib.mkOption {
+ type = lib.types.int;
+ default = cfg.default_port;
+ description = "set port for prowlarr (default: ${toString default_port}";
+ };
+
+ backup = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "enable backups for prowlarr";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+
+ # declare prowlarr group
+ users.groups.prowlarr = { gid = ids; };
+
+ # declare prowlarr user
+ users.users.prowlarr = {
+ description = "prowlarr server user";
+ uid = ids;
+ isSystemUser = true;
+ home = "/var/lib/prowlarr";
+ createHome = true;
+ group = "prowlarr";
+ extraGroups = [ "media" ];
+ };
+
+ # enable the prowlarr service
+ services.prowlarr = {
+ enable = true;
+ openFirewall = true;
+ user = "prowlarr";
+ group = "prowlarr";
+ dataDir = data_dir;
+ settings = {
+ server.port = cfg.port;
+ };
+ };
+
+ # override umask to make permissions work out
+ systemd.services.prowlarr.serviceConfig = { UMask = lib.mkForce "0007"; };
+
+# # open firewall
+# networking.firewall.allowedTCPPorts = [ cfg.port ];
+
+ # internal reverse proxy entry
+ services.nginx.virtualHosts."prowlarr.snowbelle.lan" = {
+ enableACME = false;
+ forceSSL = true;
+ sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+ sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString cfg.port}";
+ };
+ };
+
+ };
+
+ # add to backups
+ modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
+ };
+}
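Review bot: `openFirewall = true;` in the `services.prowlarr` block opens the Prowlarr port to the network even though the nginx virtual host further down already fronts the service over TLS through `http://127.0.0.1:${toString cfg.port}`. Unless direct access is intended, set `openFirewall = false;` so clients can only reach it through the TLS proxy, and if the service listens on all interfaces consider binding it to loopback as well. Separately, the `port` option's `default = cfg.default_port;` refers to an option this module never declares; `default_port` is a `let` binding, so it should read `default = default_port;`, and `lib.types.port` would additionally reject out-of-range values. The braces also look unbalanced as far as they can be counted in this hunk: the `};` just before `# add to backups` closes `config` early, which leaves `modules.system.backups.paths` outside `config` and one closing brace too many at the end of the file. Dropping that `};` would put the backups line inside `config` and balance the file.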