From 9677f19430030ef8a91b441126cb2aa7a1f190f8 Mon Sep 17 00:00:00 2001
From: Julien Malka <julien.malka@me.com>
Date: Tue, 28 Dec 2021 22:02:24 +0100
Subject: [PATCH] Refactoring of the mediaserver module

---
 modules/jackett/default.nix      |  2 ++
 modules/jellyfin/default.nix     |  4 ++--
 modules/mediaserver/default.nix  | 21 ++++++++++++++++-----
 modules/radarr/default.nix       |  7 ++-----
 modules/sonarr/default.nix       |  4 ++--
 modules/transmission/default.nix | 20 ++++++++++++++------
 secrets/transmission-login       | 28 ++++++++++++++++++++++++++++
 7 files changed, 66 insertions(+), 20 deletions(-)
 create mode 100644 secrets/transmission-login

diff --git a/modules/jackett/default.nix b/modules/jackett/default.nix
index 42700ca..9e665c0 100644
--- a/modules/jackett/default.nix
+++ b/modules/jackett/default.nix
@@ -17,6 +17,8 @@ in {
     mkMerge [{ 
     services.jackett = {
       enable = true;
+      user = "mediaserver";
+      group = "mediaserver";
     };
   } 
 
diff --git a/modules/jellyfin/default.nix b/modules/jellyfin/default.nix
index 8429677..d8684a9 100644
--- a/modules/jellyfin/default.nix
+++ b/modules/jellyfin/default.nix
@@ -17,10 +17,10 @@ in {
     mkMerge [{ 
     services.jellyfin = {
       enable = true;
-      group = "tv";
+      user = "mediaserver";
+      group = "mediaserver";
       package = pkgs.jellyfin; 
     };
-    users.groups.tv = { name = "tv"; };
   } 
 
     (mkIf cfg.nginx.enable {
diff --git a/modules/mediaserver/default.nix b/modules/mediaserver/default.nix
index 072e6a3..1d432ff 100644
--- a/modules/mediaserver/default.nix
+++ b/modules/mediaserver/default.nix
@@ -9,6 +9,17 @@ in {
 
   config = mkIf cfg.enable {
 
+    users.users.mediaserver = {
+      name = "mediaserver";
+      isNormalUser = true;
+      home = "/home/mediaserver";
+      group = config.users.groups.mediaserver.name;
+    };
+
+    users.groups.mediaserver = {
+      name = "mediaserver";
+    };
+
 
     luj.sonarr = {
       enable = true;
@@ -34,11 +45,11 @@ in {
       nginx.subdomain = "jackett";
     };
 
-    #luj.transmission = {
-    #  enable = true;
-    #  nginx.enable = true;
-    #  nginx.subdomain = "downloads";
-    #};
+    luj.transmission = {
+      enable = true;
+      nginx.enable = true;
+      nginx.subdomain = "downloads";
+    };
   };
 
 }
diff --git a/modules/radarr/default.nix b/modules/radarr/default.nix
index bbb4980..adcf204 100644
--- a/modules/radarr/default.nix
+++ b/modules/radarr/default.nix
@@ -17,12 +17,9 @@ in {
     mkMerge [{ 
     services.radarr = {
       enable = true;
-      #user = "transmission";
-      #group = "transmission";
-      #dataDir = "/var/lib/sonarr/.config/NzbDrone";
-      group = "tv";
+      user = "mediaserver";
+      group = "mediaserver";
     };
-    users.groups.tv = { name = "tv"; };
   } 
 
     (mkIf cfg.nginx.enable {
diff --git a/modules/sonarr/default.nix b/modules/sonarr/default.nix
index 3ab7c46..e01e83a 100644
--- a/modules/sonarr/default.nix
+++ b/modules/sonarr/default.nix
@@ -17,9 +17,9 @@ in {
     mkMerge [{ 
     services.sonarr = {
       enable = true;
-      group = "tv";
+      user = "mediaserver";
+      group = "mediaserver";
     };
-    users.groups.tv = { name = "tv"; };
   } 
 
     (mkIf cfg.nginx.enable {
diff --git a/modules/transmission/default.nix b/modules/transmission/default.nix
index 34219f0..59620c0 100644
--- a/modules/transmission/default.nix
+++ b/modules/transmission/default.nix
@@ -15,19 +15,27 @@ in {
 
   config = mkIf cfg.enable (
     mkMerge [{ 
+
+
+    sops.secrets.transmission = {
+      owner = "mediaserver";
+      format = "binary";
+      sopsFile = ../../secrets/transmission-login;
+    };
+
     services.transmission = {
       enable = true;
-      group = "tv";
-      downloadDirPermissions = "774";
+      user = "mediaserver";
+      group = "mediaserver";
+      credentialsFile = "/run/secrets/transmission";
+      downloadDirPermissions = "770";
       settings = {
         rpc-port = 9091;
-        download-dir = "/home/transmission/Downloads/";
-        incomplete-dir = "/home/transmission/Incomplete/";
+        download-dir = "/home/mediaserver/downloads/complete/";
+        incomplete-dir = "/home/mediaserver/downloads/incomplete/";
         incomplete-dir-enable = true;
       };
-
     };
-    users.groups.tv = { name = "tv"; };
   } 
 
     (mkIf cfg.nginx.enable {
diff --git a/secrets/transmission-login b/secrets/transmission-login
new file mode 100644
index 0000000..8be1430
--- /dev/null
+++ b/secrets/transmission-login
@@ -0,0 +1,28 @@
+{
+	"data": "ENC[AES256_GCM,data:tJ8zWg2FfY6ev30elQS7wBN6S+FApZuSaIE7n2eKV4X3mG7plSk23JOt7OFRGEuSXkZr36sYSDUrLtTeo/XxRX7gS0veGAGOA/fRy0wxzeEhF7Y46vBwoR7SlZKhq7JMj2i8pSxqLw==,iv:4JhKg8T8OtZnKYklnv54EdwPkat66FD2ITLumslaX50=,tag:V82TuiOe0oeITfgMpXvbmw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1ac9aek30209ppmxxxpfc65wet344u57pdy3zmk3whjlta38m6q9s9m666g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrU2V3ZGR5Y1JQTzQ3R01T\nbVIySFREVGNoNkhhaVh6VitGUmhQbUtJZFJJClYzWHNsaXBGaXRWU3dNRlMxVGc3\naWl1Qi9WNE0xdzBqVHViNXR0RXM5SmsKLS0tIHN2Qk1NMkVjeFkyb0dsSFJEeG13\nSWkrRzc1TGE4OU9CZm8xYkZCbE5lY0EKrqGWXN6Y3zynH9bKR1zWRkfI1773UimZ\nSU5GersCjVp8+piaXh+ND+Ap5fK3jFQffyOfjnWqA7Gd68/s0wYQgw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age162v5365xrnzm9tlxy4w3e6fqds7k3h029qezvl73z6rs5skcn9hs7vml45",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxc0hVcTIvaGJWdXpQbjZ2\nbGE0L2lEVndNNjl3bWptSHRES0xrckZHQjJVCkNqWnJta0YzQkJpdE5yYk5lZGlk\nQ3MyUVpOUnJRYU5EQUExY1NUQ0NId0EKLS0tIDdqU296WktvdWJCNyt2elZIWUJ2\nMVBzblVhaVRmQmFVampUTUZCZFJOck0K8v78vUJP/3IsC1uxFhRIGnpgqNHaxRzM\n6GDRz2Wlba2Rw9u6oPGO4CRcrDgWvqy7RVvBPH3BUushtn3n4DoS7g==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age14shnplzdf2uatzd7wkvnquqw00zjfly3404ak5lqevajanzdw5qqedjw0y",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtQkt4QnlvcStIY2hDempP\nZk1iNWtDVU5rWFhETmQwd2hIWEdGN0xXS0VrCklUWjE1V1kwMG5sTGtHSXhTekJR\nZ1cvb3ZQaDlzbTdaSy9sY2djdXlMWUEKLS0tIFVpSEZFK0lITk5aK1F5d1NGTTds\nRXk0Lzk4OHpJM0JpUUxiS0gxUjJxZGcKsxqtORcKKEQLloQR7RimSnCQarxsKzc7\n/z13NijN6GDq6JG6looMFCUo9hesrbzUdMKM1JQS9R5lqJ66GFV9Nw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2021-12-28T18:04:27Z",
+		"mac": "ENC[AES256_GCM,data:GzwQN4qwYOzqbSaxbx2eRs5AccKw0z69KFwtnERCBulB7rqUlvsX40Ri+8mN9mRUsBKBVBvHpXf5YU3fpDGETeaOzOfcg2EFLGqrEhEFzaAGNzY2wMDTv1p8I5Pn4daOJL+ti9Wip4AVg9GVqrjffzNLqE3KaI7JVeJwm8zhxKY=,iv:s/AwoLj791GmuuviqO2WCNflH1A1dtPD68AvY400+xc=,tag:sYZ08vNO7MGzel0KMKZODw==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.1"
+	}
+}
\ No newline at end of file