From a22c34716e6f7ffdae0036c4e654f6487ce1561f Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sun, 5 Jan 2025 00:17:35 +0100 Subject: [PATCH] Run all nixng containers under particular user/group --- modules/media.nix | 11 ++++++----- nixng-configurations/default.nix | 1 + nixng-modules/bazarr.nix | 19 +++++++++++++++++++ nixng-modules/default.nix | 1 + nixng-modules/ids.nix | 21 +++++++++++++++++++++ nixng-modules/jellyseerr.nix | 16 ++++++++++++++++ nixng-modules/prowlarr.nix | 15 +++++++++++++++ nixng-modules/radarr.nix | 15 +++++++++++++++ nixng-modules/radicale.nix | 26 ++++++++------------------ nixng-modules/sonarr.nix | 15 +++++++++++++++ 10 files changed, 117 insertions(+), 23 deletions(-) create mode 100644 nixng-modules/ids.nix diff --git a/modules/media.nix b/modules/media.nix index 3b4be3e..1cb753a 100644 --- a/modules/media.nix +++ b/modules/media.nix @@ -186,7 +186,8 @@ }; securityContext = { - fsGroup = 0; + # TODO: don't hardcode this + fsGroup = 409; fsGroupChangePolicy = "OnRootMismatch"; }; }; @@ -244,7 +245,7 @@ }; securityContext = { - fsGroup = 1000; + fsGroup = 410; fsGroupChangePolicy = "OnRootMismatch"; }; }; @@ -295,7 +296,7 @@ }; securityContext = { - fsGroup = 1000; + fsGroup = 413; fsGroupChangePolicy = "OnRootMismatch"; }; }; @@ -353,7 +354,7 @@ }; securityContext = { - fsGroup = 1000; + fsGroup = 411; fsGroupChangePolicy = "OnRootMismatch"; }; }; @@ -411,7 +412,7 @@ }; securityContext = { - fsGroup = 1000; + fsGroup = 412; fsGroupChangePolicy = "OnRootMismatch"; }; }; diff --git a/nixng-configurations/default.nix b/nixng-configurations/default.nix index 9b2a803..c42e58e 100644 --- a/nixng-configurations/default.nix +++ b/nixng-configurations/default.nix @@ -36,6 +36,7 @@ in { }; extraModules = [ + self.nixngModules.ids self.nixngModules.bazarr self.nixngModules.radicale self.nixngModules.jellyseerr diff --git a/nixng-modules/bazarr.nix b/nixng-modules/bazarr.nix index 4620479..e063d18 100644 --- a/nixng-modules/bazarr.nix 
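Review bot: The `fsGroup = 409` written here (and 410/413/411/412 in the four following media.nix hunks) duplicates the gid table this same commit adds in nixng-modules/ids.nix, with nothing tying the two together; if either side is renumbered, the volume is either chgrp'd to a group the container process is not in (the service cannot write its config) or becomes group-writable to whatever other service later receives that gid. The enclosing pod definitions start outside these hunks, so which pod each number belongs to can only be inferred from ids.nix (409 is the gid it assigns to jellyseerr). If the flake can evaluate the nixng configuration, derive the value from its `config.ids.gids.<service>` instead of a literal; failing that, replace the TODO with a comment naming the account and the source of truth, e.g. `# gid of the jellyseerr service account; keep in sync with nixng-modules/ids.nix`, and add the equivalent comment to the other four hunks, which currently carry none.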
+++ b/nixng-modules/bazarr.nix @@ -1,29 +1,48 @@ { lib, + nglib, config, pkgs, ... }: let cfg = config.services.bazarr; + cfgInit = config.init.services.bazarr; in { options.services.bazarr = { enable = lib.mkEnableOption "bazarr"; package = lib.mkPackageOption pkgs "bazarr" {}; + configDir = lib.mkOption { description = "Where Bazarr's configuration files are stored."; type = lib.types.str; default = "/config"; }; }; + config = lib.mkIf cfg.enable { init.services.bazarr = { enabled = true; + user = lib.mkDefault "bazarr"; + group = lib.mkDefault "bazarr"; + script = pkgs.writeShellScript "bazarr-run" '' ${lib.getExe cfg.package} \ --no-update \ --config '${cfg.configDir}' ''; }; + environment.systemPackages = [cfg.package]; + + users.users.${cfgInit.user} = nglib.mkDefaultRec { + description = "bazarr"; + group = cfgInit.group; + createHome = false; + home = "/var/empty"; + useDefaultShell = true; + uid = config.ids.uids.bazarr; + }; + + users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.bazarr;}; }; } diff --git a/nixng-modules/default.nix b/nixng-modules/default.nix index e39eca0..c2dcd85 100644 --- a/nixng-modules/default.nix +++ b/nixng-modules/default.nix @@ -6,5 +6,6 @@ radarr = import ./radarr.nix; sonarr = import ./sonarr.nix; prowlarr = import ./prowlarr.nix; + ids = import ./ids.nix; }; } diff --git a/nixng-modules/ids.nix b/nixng-modules/ids.nix new file mode 100644 index 0000000..fa4e1fe --- /dev/null +++ b/nixng-modules/ids.nix @@ -0,0 +1,21 @@ +{...}: { + ids = { + uids = { + radicale = 408; + jellyseerr = 409; + radarr = 410; + sonarr = 411; + bazarr = 412; + prowlarr = 413; + }; + + gids = { + radicale = 408; + jellyseerr = 409; + radarr = 410; + sonarr = 411; + bazarr = 412; + prowlarr = 413; + }; + }; +} diff --git a/nixng-modules/jellyseerr.nix b/nixng-modules/jellyseerr.nix index c9179c6..cfe64b1 100644 --- a/nixng-modules/jellyseerr.nix +++ b/nixng-modules/jellyseerr.nix 
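Review bot: Running bazarr as uid 412 instead of root means `cfg.configDir` (default `/config`) must now be owned or group-writable by that account, but nothing in this hunk creates the directory or documents the requirement, so a standalone consumer of the module gets a service that fails on its first write; in the media.nix deployment this is covered only by the matching fsGroup. The option description should say so: `description = "Where Bazarr's configuration files are stored. Must be writable by init.services.bazarr.user.";`. The same applies to the configDir/dataDir options of jellyseerr, prowlarr, radarr and sonarr in the later hunks. Separately, the new service account sets `useDefaultShell = true`; a service account has no need for a login shell, so if NixNG's users module allows a non-interactive shell that would be the least-privilege choice here (the diff does not show what the default shell is).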
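Review bot: The new ids.nix carries no comment explaining what these numbers are, that they must stay unique across all nixng containers, and that the media.nix fsGroup values depend on them; a header such as `# Static uid/gid allocations for the nixng service accounts. Keep unique and in sync with the fsGroup values in modules/media.nix.` makes that contract visible. The uids and gids tables are byte-for-byte identical, so one table can feed both and the two can no longer drift apart. Note also that every service module now reads `config.ids.uids.<name>` but only nixng-configurations/default.nix imports the ids module, so a nixng configuration that pulls in, say, `self.nixngModules.bazarr` alone fails evaluation with a missing attribute; importing ./ids.nix from each service module (the module system deduplicates path imports) would make them self-contained.
```nix
{...}: let
  # One table: each service account's gid equals its uid.
  # Keep unique and in sync with the fsGroup values in modules/media.nix.
  serviceIds = {
    radicale = 408;
    jellyseerr = 409;
    radarr = 410;
    sonarr = 411;
    bazarr = 412;
    prowlarr = 413;
  };
in {
  ids = {
    uids = serviceIds;
    gids = serviceIds;
  };
}
```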
@@ -1,10 +1,12 @@ { lib, + nglib, pkgs, config, ... }: let cfg = config.services.jellyseerr; + cfgInit = config.init.services.jellyseerr; in { options.services.jellyseerr = { enable = lib.mkEnableOption "jellyseerr"; @@ -33,14 +35,28 @@ in { init.services.jellyseerr = { enabled = true; script = lib.getExe cfg.package; + user = lib.mkDefault "jellyseerr"; + group = lib.mkDefault "jellyseerr"; }; environment = { systemPackages = [cfg.package]; + variables = { PORT = builtins.toString cfg.port; CONFIG_DIRECTORY = cfg.configDir; }; }; + + users.users.${cfgInit.user} = nglib.mkDefaultRec { + description = "jellyseerr"; + group = cfgInit.group; + createHome = false; + home = "/var/empty"; + useDefaultShell = true; + uid = config.ids.uids.jellyseerr; + }; + + users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.jellyseerr;}; }; } diff --git a/nixng-modules/prowlarr.nix b/nixng-modules/prowlarr.nix index e8f9677..4a8fc29 100644 --- a/nixng-modules/prowlarr.nix +++ b/nixng-modules/prowlarr.nix @@ -1,10 +1,12 @@ { pkgs, lib, + nglib, config, ... }: let cfg = config.services.prowlarr; + cfgInit = config.init.services.prowlarr; in { options.services.prowlarr = { enable = lib.mkEnableOption "prowlarr"; @@ -20,6 +22,8 @@ in { config = lib.mkIf cfg.enable { init.services.prowlarr = { enabled = true; + user = lib.mkDefault "prowlarr"; + group = lib.mkDefault "prowlarr"; script = pkgs.writeShellScript "prowlarr-run" '' ${lib.getExe cfg.package} \ @@ -29,5 +33,16 @@ in { }; environment.systemPackages = [cfg.package]; + + users.users.${cfgInit.user} = nglib.mkDefaultRec { + description = "prowlarr"; + group = cfgInit.group; + createHome = false; + home = "/var/empty"; + useDefaultShell = true; + uid = config.ids.uids.prowlarr; + }; + + users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.prowlarr;}; }; } diff --git a/nixng-modules/radarr.nix b/nixng-modules/radarr.nix index aa6af40..4b9fe56 100644 --- a/nixng-modules/radarr.nix 
+++ b/nixng-modules/radarr.nix @@ -1,10 +1,12 @@ { config, lib, + nglib, pkgs, ... }: let cfg = config.services.radarr; + cfgInit = config.init.services.radarr; in { options.services.radarr = { enable = lib.mkEnableOption "radarr"; @@ -20,6 +22,8 @@ in { config = lib.mkIf cfg.enable { init.services.radarr = { enabled = true; + user = lib.mkDefault "radarr"; + group = lib.mkDefault "radarr"; script = pkgs.writeShellScript "radarr-run.sh" '' ${lib.getExe cfg.package} -nobrowser -data='${cfg.dataDir}' @@ -27,5 +31,16 @@ in { }; environment.systemPackages = [cfg.package]; + + users.users.${cfgInit.user} = nglib.mkDefaultRec { + description = "radarr"; + group = cfgInit.group; + createHome = false; + home = "/var/empty"; + useDefaultShell = true; + uid = config.ids.uids.radarr; + }; + + users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.radarr;}; }; } diff --git a/nixng-modules/radicale.nix b/nixng-modules/radicale.nix index 996788c..80dd38a 100644 --- a/nixng-modules/radicale.nix +++ b/nixng-modules/radicale.nix @@ -6,6 +6,7 @@ ... }: let cfg = config.services.radicale; + cfgInit = config.init.services.radicale; settingsFormat = pkgs.formats.ini { listToValue = lib.concatMapStringsSep ", " (lib.generators.mkValueStringDefault {}); @@ -14,23 +15,16 @@ in { options.services.radicale = { enable = lib.mkEnableOption "radicale"; package = lib.mkPackageOption pkgs "radicale" {}; - user = lib.mkOption { - description = "radicale user"; - type = lib.types.str; - default = "radicale"; - }; - group = lib.mkOption { - description = "radicale group"; - type = lib.types.str; - default = "radicale"; - }; + settings = lib.mkOption { type = settingsFormat.type; default = {}; + description = '' Configuration for Radicale. See . ''; + example = lib.literalExpression '' server = { hosts = [ "0.0.0.0:5232" "[::]:5232" ]; @@ -46,6 +40,7 @@ in { ''; }; }; + config = lib.mkIf cfg.enable (let configFile = settingsFormat.generate "radicale.ini" cfg.settings; in { 
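Review bot: Removing the `services.radicale.user` and `services.radicale.group` options is a breaking change for any configuration that sets them, and the hunk offers no migration path; the module system rejects the now-undeclared option, but the user gets no hint that the setting moved to `init.services.radicale`. Since the module already relies on nixpkgs' lib (`mkEnableOption`, `mkPackageOption`, `literalExpression`), an `imports = [ (lib.mkRenamedOptionModule ["services" "radicale" "user"] ["init" "services" "radicale" "user"]) ];` entry, plus the same for group, keeps old configurations working and points at the new location. None of the other five modules in this commit ever exposed such options, so this concerns radicale only.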
@@ -62,20 +57,15 @@ in { environment.systemPackages = [cfg.package]; - users.users.${cfg.user} = nglib.mkDefaultRec { + users.users.${cfgInit.user} = nglib.mkDefaultRec { description = "radicale"; - group = cfg.group; + group = cfgInit.group; createHome = false; home = "/var/empty"; useDefaultShell = true; uid = config.ids.uids.radicale; }; - users.groups.${cfg.group} = nglib.mkDefaultRec {gid = config.ids.gids.radicale;}; - - ids = { - uids.radicale = 408; - gids.radicale = 408; - }; + users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.radicale;}; }); } diff --git a/nixng-modules/sonarr.nix b/nixng-modules/sonarr.nix index 5ebff69..47dc581 100644 --- a/nixng-modules/sonarr.nix +++ b/nixng-modules/sonarr.nix @@ -1,10 +1,12 @@ { lib, + nglib, config, pkgs, ... }: let cfg = config.services.sonarr; + cfgInit = config.init.services.sonarr; in { options.services.sonarr = { enable = lib.mkEnableOption "sonarr"; @@ -20,6 +22,8 @@ in { config = lib.mkIf cfg.enable { init.services.sonarr = { enabled = true; + user = lib.mkDefault "sonarr"; + group = lib.mkDefault "sonarr"; script = pkgs.writeShellScript "sonarr-run" '' ${lib.getExe cfg.package} -nobrowser -data=${cfg.dataDir} @@ -27,5 +31,16 @@ in { }; environment.systemPackages = [cfg.package]; + + users.users.${cfgInit.user} = nglib.mkDefaultRec { + description = "sonarr"; + group = cfgInit.group; + createHome = false; + home = "/var/empty"; + useDefaultShell = true; + uid = config.ids.uids.sonarr; + }; + + users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.sonarr;}; }; }
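Review bot: Unlike the other five modules in this commit, no radicale hunk sets `user`/`group` on `init.services.radicale`, yet this hunk now keys the account and group definitions on `cfgInit.user` and `cfgInit.group`. The init service block lives in the unchanged new-file lines 47–56 that the diff does not show: if it still references the removed `cfg.user`/`cfg.group`, evaluation fails; if it sets nothing, the account created here is named by whatever default NixNG's init module uses, which may not be `radicale` and could be the privileged default. Adding `user = lib.mkDefault "radicale";` and `group = lib.mkDefault "radicale";` to `init.services.radicale`, as the bazarr, jellyseerr, prowlarr, radarr and sonarr hunks do, makes the radicale module behave like the others and pins the service to its own uid 408.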