home/kubernetes-deployments
2
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

Run all nixng containers under particular user/group

Browse source
This commit is contained in:
Pim Kunis 2025-01-05 00:17:35 +01:00
parent fe960448c6
commit a22c34716e
10 changed files with 117 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
modules/media.nix
View file

@ -186,7 +186,8 @@
}; };
securityContext = { securityContext = {
fsGroup = 0; # TODO: don't hardcode this
fsGroup = 409;
fsGroupChangePolicy = "OnRootMismatch"; fsGroupChangePolicy = "OnRootMismatch";
}; };
}; };
@ -244,7 +245,7 @@
}; };
securityContext = { securityContext = {
fsGroup = 1000; fsGroup = 410;
fsGroupChangePolicy = "OnRootMismatch"; fsGroupChangePolicy = "OnRootMismatch";
}; };
}; };
@ -295,7 +296,7 @@
}; };
securityContext = { securityContext = {
fsGroup = 1000; fsGroup = 413;
fsGroupChangePolicy = "OnRootMismatch"; fsGroupChangePolicy = "OnRootMismatch";
}; };
}; };
@ -353,7 +354,7 @@
}; };
securityContext = { securityContext = {
fsGroup = 1000; fsGroup = 411;
fsGroupChangePolicy = "OnRootMismatch"; fsGroupChangePolicy = "OnRootMismatch";
}; };
}; };
@ -411,7 +412,7 @@
}; };
securityContext = { securityContext = {
fsGroup = 1000; fsGroup = 412;
fsGroupChangePolicy = "OnRootMismatch"; fsGroupChangePolicy = "OnRootMismatch";
}; };
}; };

1
nixng-configurations/default.nix
View file

@ -36,6 +36,7 @@ in {
}; };
extraModules = [ extraModules = [
self.nixngModules.ids
self.nixngModules.bazarr self.nixngModules.bazarr
self.nixngModules.radicale self.nixngModules.radicale
self.nixngModules.jellyseerr self.nixngModules.jellyseerr

19
nixng-modules/bazarr.nix
View file

@ -1,29 +1,48 @@
{ {
lib, lib,
nglib,
config, config,
pkgs, pkgs,
... ...
}: let }: let
cfg = config.services.bazarr; cfg = config.services.bazarr;
cfgInit = config.init.services.bazarr;
in { in {
options.services.bazarr = { options.services.bazarr = {
enable = lib.mkEnableOption "bazarr"; enable = lib.mkEnableOption "bazarr";
package = lib.mkPackageOption pkgs "bazarr" {}; package = lib.mkPackageOption pkgs "bazarr" {};
configDir = lib.mkOption { configDir = lib.mkOption {
description = "Where Bazarr's configuration files are stored."; description = "Where Bazarr's configuration files are stored.";
type = lib.types.str; type = lib.types.str;
default = "/config"; default = "/config";
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
init.services.bazarr = { init.services.bazarr = {
enabled = true; enabled = true;
user = lib.mkDefault "bazarr";
group = lib.mkDefault "bazarr";
script = pkgs.writeShellScript "bazarr-run" '' script = pkgs.writeShellScript "bazarr-run" ''
${lib.getExe cfg.package} \ ${lib.getExe cfg.package} \
--no-update \ --no-update \
--config '${cfg.configDir}' --config '${cfg.configDir}'
''; '';
}; };
environment.systemPackages = [cfg.package]; environment.systemPackages = [cfg.package];
users.users.${cfgInit.user} = nglib.mkDefaultRec {
description = "bazarr";
group = cfgInit.group;
createHome = false;
home = "/var/empty";
useDefaultShell = true;
uid = config.ids.uids.bazarr;
};
users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.bazarr;};
}; };
} }

1
nixng-modules/default.nix
View file

@ -6,5 +6,6 @@
radarr = import ./radarr.nix; radarr = import ./radarr.nix;
sonarr = import ./sonarr.nix; sonarr = import ./sonarr.nix;
prowlarr = import ./prowlarr.nix; prowlarr = import ./prowlarr.nix;
ids = import ./ids.nix;
}; };
} }

21
nixng-modules/ids.nix Normal file
View file

@ -0,0 +1,21 @@
{...}: {
ids = {
uids = {
radicale = 408;
jellyseerr = 409;
radarr = 410;
sonarr = 411;
bazarr = 412;
prowlarr = 413;
};
gids = {
radicale = 408;
jellyseerr = 409;
radarr = 410;
sonarr = 411;
bazarr = 412;
prowlarr = 413;
};
};
}

16
nixng-modules/jellyseerr.nix
View file

@ -1,10 +1,12 @@
{ {
lib, lib,
nglib,
pkgs, pkgs,
config, config,
... ...
}: let }: let
cfg = config.services.jellyseerr; cfg = config.services.jellyseerr;
cfgInit = config.init.services.jellyseerr;
in { in {
options.services.jellyseerr = { options.services.jellyseerr = {
enable = lib.mkEnableOption "jellyseerr"; enable = lib.mkEnableOption "jellyseerr";
@ -33,14 +35,28 @@ in {
init.services.jellyseerr = { init.services.jellyseerr = {
enabled = true; enabled = true;
script = lib.getExe cfg.package; script = lib.getExe cfg.package;
user = lib.mkDefault "jellyseerr";
group = lib.mkDefault "jellyseerr";
}; };
environment = { environment = {
systemPackages = [cfg.package]; systemPackages = [cfg.package];
variables = { variables = {
PORT = builtins.toString cfg.port; PORT = builtins.toString cfg.port;
CONFIG_DIRECTORY = cfg.configDir; CONFIG_DIRECTORY = cfg.configDir;
}; };
}; };
users.users.${cfgInit.user} = nglib.mkDefaultRec {
description = "jellyseerr";
group = cfgInit.group;
createHome = false;
home = "/var/empty";
useDefaultShell = true;
uid = config.ids.uids.jellyseerr;
};
users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.jellyseerr;};
}; };
} }

15
nixng-modules/prowlarr.nix
View file

@ -1,10 +1,12 @@
{ {
pkgs, pkgs,
lib, lib,
nglib,
config, config,
... ...
}: let }: let
cfg = config.services.prowlarr; cfg = config.services.prowlarr;
cfgInit = config.init.services.prowlarr;
in { in {
options.services.prowlarr = { options.services.prowlarr = {
enable = lib.mkEnableOption "prowlarr"; enable = lib.mkEnableOption "prowlarr";
@ -20,6 +22,8 @@ in {
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
init.services.prowlarr = { init.services.prowlarr = {
enabled = true; enabled = true;
user = lib.mkDefault "prowlarr";
group = lib.mkDefault "prowlarr";
script = pkgs.writeShellScript "prowlarr-run" '' script = pkgs.writeShellScript "prowlarr-run" ''
${lib.getExe cfg.package} \ ${lib.getExe cfg.package} \
@ -29,5 +33,16 @@ in {
}; };
environment.systemPackages = [cfg.package]; environment.systemPackages = [cfg.package];
users.users.${cfgInit.user} = nglib.mkDefaultRec {
description = "prowlarr";
group = cfgInit.group;
createHome = false;
home = "/var/empty";
useDefaultShell = true;
uid = config.ids.uids.prowlarr;
};
users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.prowlarr;};
}; };
} }

15
nixng-modules/radarr.nix
View file

@ -1,10 +1,12 @@
{ {
config, config,
lib, lib,
nglib,
pkgs, pkgs,
... ...
}: let }: let
cfg = config.services.radarr; cfg = config.services.radarr;
cfgInit = config.init.services.radarr;
in { in {
options.services.radarr = { options.services.radarr = {
enable = lib.mkEnableOption "radarr"; enable = lib.mkEnableOption "radarr";
@ -20,6 +22,8 @@ in {
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
init.services.radarr = { init.services.radarr = {
enabled = true; enabled = true;
user = lib.mkDefault "radarr";
group = lib.mkDefault "radarr";
script = pkgs.writeShellScript "radarr-run.sh" '' script = pkgs.writeShellScript "radarr-run.sh" ''
${lib.getExe cfg.package} -nobrowser -data='${cfg.dataDir}' ${lib.getExe cfg.package} -nobrowser -data='${cfg.dataDir}'
@ -27,5 +31,16 @@ in {
}; };
environment.systemPackages = [cfg.package]; environment.systemPackages = [cfg.package];
users.users.${cfgInit.user} = nglib.mkDefaultRec {
description = "radarr";
group = cfgInit.group;
createHome = false;
home = "/var/empty";
useDefaultShell = true;
uid = config.ids.uids.radarr;
};
users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.radarr;};
}; };
} }

26
nixng-modules/radicale.nix
View file

@ -6,6 +6,7 @@
... ...
}: let }: let
cfg = config.services.radicale; cfg = config.services.radicale;
cfgInit = config.init.services.radicale;
settingsFormat = pkgs.formats.ini { settingsFormat = pkgs.formats.ini {
listToValue = lib.concatMapStringsSep ", " (lib.generators.mkValueStringDefault {}); listToValue = lib.concatMapStringsSep ", " (lib.generators.mkValueStringDefault {});
@ -14,23 +15,16 @@ in {
options.services.radicale = { options.services.radicale = {
enable = lib.mkEnableOption "radicale"; enable = lib.mkEnableOption "radicale";
package = lib.mkPackageOption pkgs "radicale" {}; package = lib.mkPackageOption pkgs "radicale" {};
user = lib.mkOption {
description = "radicale user";
type = lib.types.str;
default = "radicale";
};
group = lib.mkOption {
description = "radicale group";
type = lib.types.str;
default = "radicale";
};
settings = lib.mkOption { settings = lib.mkOption {
type = settingsFormat.type; type = settingsFormat.type;
default = {}; default = {};
description = '' description = ''
Configuration for Radicale. See Configuration for Radicale. See
<https://radicale.org/v3.html#configuration>. <https://radicale.org/v3.html#configuration>.
''; '';
example = lib.literalExpression '' example = lib.literalExpression ''
server = { server = {
hosts = [ "0.0.0.0:5232" "[::]:5232" ]; hosts = [ "0.0.0.0:5232" "[::]:5232" ];
@ -46,6 +40,7 @@ in {
''; '';
}; };
}; };
config = lib.mkIf cfg.enable (let config = lib.mkIf cfg.enable (let
configFile = settingsFormat.generate "radicale.ini" cfg.settings; configFile = settingsFormat.generate "radicale.ini" cfg.settings;
in { in {
@ -62,20 +57,15 @@ in {
environment.systemPackages = [cfg.package]; environment.systemPackages = [cfg.package];
users.users.${cfg.user} = nglib.mkDefaultRec { users.users.${cfgInit.user} = nglib.mkDefaultRec {
description = "radicale"; description = "radicale";
group = cfg.group; group = cfgInit.group;
createHome = false; createHome = false;
home = "/var/empty"; home = "/var/empty";
useDefaultShell = true; useDefaultShell = true;
uid = config.ids.uids.radicale; uid = config.ids.uids.radicale;
}; };
users.groups.${cfg.group} = nglib.mkDefaultRec {gid = config.ids.gids.radicale;}; users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.radicale;};
ids = {
uids.radicale = 408;
gids.radicale = 408;
};
}); });
} }

15
nixng-modules/sonarr.nix
View file

@ -1,10 +1,12 @@
{ {
lib, lib,
nglib,
config, config,
pkgs, pkgs,
... ...
}: let }: let
cfg = config.services.sonarr; cfg = config.services.sonarr;
cfgInit = config.init.services.sonarr;
in { in {
options.services.sonarr = { options.services.sonarr = {
enable = lib.mkEnableOption "sonarr"; enable = lib.mkEnableOption "sonarr";
@ -20,6 +22,8 @@ in {
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
init.services.sonarr = { init.services.sonarr = {
enabled = true; enabled = true;
user = lib.mkDefault "sonarr";
group = lib.mkDefault "sonarr";
script = pkgs.writeShellScript "sonarr-run" '' script = pkgs.writeShellScript "sonarr-run" ''
${lib.getExe cfg.package} -nobrowser -data=${cfg.dataDir} ${lib.getExe cfg.package} -nobrowser -data=${cfg.dataDir}
@ -27,5 +31,16 @@ in {
}; };
environment.systemPackages = [cfg.package]; environment.systemPackages = [cfg.package];
users.users.${cfgInit.user} = nglib.mkDefaultRec {
description = "sonarr";
group = cfgInit.group;
createHome = false;
home = "/var/empty";
useDefaultShell = true;
uid = config.ids.uids.sonarr;
};
users.groups.${cfgInit.group} = nglib.mkDefaultRec {gid = config.ids.gids.sonarr;};
}; };
} }