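{ config, pkgs, lib, ... }:

# NixOS module for NZBHydra2.
#
# The daemon runs as a dedicated unprivileged system user under a hardened
# systemd unit. The only location it is allowed to write to is `dataDir`,
# which is created owner-only before the unit starts.

with lib;

let cfg = config.services.nzbhydra2;

in {
  options = {
    services.nzbhydra2 = {
      enable = mkEnableOption (lib.mdDoc "NZBHydra2");

      dataDir = mkOption {
        type = types.str;
        default = "/var/lib/nzbhydra2";
        description = lib.mdDoc ''
          The directory where NZBHydra2 stores its data files.
          It is created with mode 0700, owned by the `nzbhydra2` user, and is
          the only path the service is permitted to write to.
        '';
      };

      openFirewall = mkOption {
        type = types.bool;
        default = false;
        description = lib.mdDoc ''
          Open TCP port 5076 in the firewall for the NZBHydra2 web interface.
          The port number is fixed here; if NZBHydra2 is reconfigured to listen
          on a different port, that port has to be opened separately.
        '';
      };

      package = mkOption {
        type = types.package;
        default = pkgs.nzbhydra2;
        defaultText = literalExpression "pkgs.nzbhydra2";
        description = lib.mdDoc "NZBHydra2 package to use.";
      };
    };
  };

  config = mkIf cfg.enable {
    # Owner-only directory: other local users must not be able to read what
    # the application keeps here.
    systemd.tmpfiles.rules =
      [ "d '${cfg.dataDir}' 0700 nzbhydra2 nzbhydra2 - -" ];

    systemd.services.nzbhydra2 = {
      description = "NZBHydra2";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        Type = "simple";
        User = "nzbhydra2";
        Group = "nzbhydra2";
        # escapeShellArg quotes the path, so a dataDir containing spaces or
        # quote characters cannot split or break the command line.
        ExecStart =
          "${cfg.package}/bin/nzbhydra2 --nobrowser --datafolder ${escapeShellArg cfg.dataDir}";
        Restart = "on-failure";

        # Hardening (see systemd.exec(5)).
        # The service runs as an unprivileged user and needs no capabilities.
        CapabilityBoundingSet = "";
        NoNewPrivileges = true;
        # Files the application creates are readable only by its own user.
        UMask = "0077";
        PrivateTmp = true;
        PrivateDevices = true;
        DevicePolicy = "closed";
        # Read-only view of the whole filesystem except the data directory.
        ProtectSystem = "strict";
        ReadWritePaths = cfg.dataDir;
        ProtectHome = "read-only";
        ProtectControlGroups = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectKernelLogs = true;
        ProtectClock = true;
        ProtectHostname = true;
        # Hide other users' processes in /proc from the service.
        ProtectProc = "invisible";
        RemoveIPC = true;
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        LockPersonality = true;
        SystemCallArchitectures = "native";
        # @system-service is systemd's recommended allow-list for ordinary
        # daemons; @privileged is removed on top of it.
        # NOTE(review): upstream NZBHydra2 ships as a Java application, so
        # MemoryDenyWriteExecute is deliberately not set (a JIT needs W+X
        # mappings). Confirm the service starts cleanly with this filter.
        SystemCallFilter = [ "@system-service" "~@privileged" ];
      };
    };

    # Only the fixed web-interface port; see the openFirewall description.
    networking.firewall = mkIf cfg.openFirewall { allowedTCPPorts = [ 5076 ]; };

    # Dedicated system user and group so the daemon shares no identity with
    # other services on the host.
    users.users.nzbhydra2 = {
      group = "nzbhydra2";
      isSystemUser = true;
    };

    users.groups.nzbhydra2 = {};
  };
}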