+3

lily/config.nix

··· 23 23 ../modules/services/caddy 24 24 ../modules/services/caddy/atproto-did.nix 25 25 ../modules/services/caddy/cp-certs.nix 26 26 + ../modules/services/caddy/jellyfin.nix 26 27 ../modules/services/caddy/mumble.nix 27 28 ../modules/services/caddy/nextcloud.nix 28 29 ../modules/services/caddy/pds.nix ··· 36 37 ../modules/services/caddy/websites/pink-meyou.nix 37 38 ../modules/services/caddy/websites/pink-yemou.nix 38 39 40 40 + ../modules/services/arr.nix 41 41 + ../modules/services/jellyfin.nix 39 42 ../modules/services/murmur.nix 40 43 ../modules/services/nextcloud.nix 41 44 ../modules/services/openssh.nix

+59

modules/services/arr.nix

··· 1 1 + { config, ... }: 2 2 + { 3 3 + environment.persistence."/data/persistent".directories = [ 4 4 + # NOTE: Prowlarr isn't here since it uses /var/lib/private/prowlarr as its directory regardless and this directory 5 5 + # is already in nixos-impermanence 6 6 + { 7 7 + directory = "/var/lib/radarr"; 8 8 + mode = "0700"; 9 9 + user = config.services.radarr.user; 10 10 + group = config.services.radarr.group; 11 11 + } 12 12 + { 13 13 + directory = "/var/lib/sonarr"; 14 14 + mode = "0700"; 15 15 + user = config.services.sonarr.user; 16 16 + group = config.services.sonarr.group; 17 17 + } 18 18 + ]; 19 19 + 20 20 + sops = { 21 21 + secrets = { 22 22 + "prowlarr-apikey" = { }; 23 23 + "radarr-apikey" = { }; 24 24 + "sonarr-apikey" = { }; 25 25 + }; 26 26 + templates = { 27 27 + prowlarr-env.content = "PROWLARR__AUTH__APIKEY=${config.sops.placeholder."prowlarr-apikey"}"; 28 28 + radarr-env.content = "RADARR__AUTH__APIKEY=${config.sops.placeholder."radarr-apikey"}"; 29 29 + sonarr-env.content = "SONARR__AUTH__APIKEY=${config.sops.placeholder."sonarr-apikey"}"; 30 30 + }; 31 31 + }; 32 32 + 33 33 + networking.firewall.interfaces.${config.services.netbird.clients.homelab.interface}.allowedTCPPorts = [ 34 34 + config.services.prowlarr.settings.server.port 35 35 + config.services.radarr.settings.server.port 36 36 + config.services.sonarr.settings.server.port 37 37 + ]; 38 38 + 39 39 + services = { 40 40 + flaresolverr.enable = true; 41 41 + prowlarr = { 42 42 + enable = true; 43 43 + environmentFiles = [ config.sops.templates.prowlarr-env.path ]; 44 44 + settings.log.level = "info"; 45 45 + }; 46 46 + radarr = { 47 47 + enable = true; 48 48 + environmentFiles = [ config.sops.templates.radarr-env.path ]; 49 49 + settings.log.level = "info"; 50 50 + }; 51 51 + sonarr = { 52 52 + enable = true; 53 53 + environmentFiles = [ config.sops.templates.sonarr-env.path ]; 54 54 + settings.log.level = "info"; 55 55 + }; 56 56 + }; 57 57 + 58 58 + systemd.services.flaresolverr.serviceConfig.RestrictAddressFamilies = [ "~AF_INET6" ]; 59 59 + }

+7

modules/services/caddy/jellyfin.nix

··· 1 1 + { ... }: 2 2 + { 3 3 + services.caddy.virtualHosts."jellyfin.lilac.pink".extraConfig = '' 4 4 + encode 5 5 + reverse_proxy [::1]:8096 6 6 + ''; 7 7 + }

+35

modules/services/jellyfin.nix

··· 1 1 + { pkgs, ... }: 2 2 + { 3 3 + imports = [ ../unfree.nix ]; 4 4 + 5 5 + environment.persistence."/data/persistent".directories = [ 6 6 + { 7 7 + directory = "/var/cache/jellyfin"; 8 8 + mode = "0700"; 9 9 + user = "jellyfin"; 10 10 + group = "jellyfin"; 11 11 + } 12 12 + { 13 13 + directory = "/var/lib/jellyfin"; 14 14 + mode = "0700"; 15 15 + user = "jellyfin"; 16 16 + group = "jellyfin"; 17 17 + } 18 18 + ]; 19 19 + 20 20 + hardware.graphics = { 21 21 + enable = true; 22 22 + extraPackages = with pkgs; [ 23 23 + intel-compute-runtime 24 24 + intel-media-driver 25 25 + vpl-gpu-rt 26 26 + ]; 27 27 + }; 28 28 + 29 29 + users.users.jellyfin.extraGroups = [ 30 30 + "render" 31 31 + "video" 32 32 + ]; 33 33 + 34 34 + services.jellyfin.enable = true; 35 35 + }

+4 -2

secrets/lily.yaml

··· 15 15 private-key: ENC[AES256_GCM,data:TH+OewaIzba5Ysyu0tHiS8LnftPB1dJt+BDvkgA7l0PnbBjPt4HCwib+Vjo=,iv:AGQ2S7Sjl6SD/SzsX8bv9yavlPOlgwxuR56VBovt5vE=,tag:pT/C5u81Ws0+DbO+ffW4SQ==,type:str] 16 16 public-key: ENC[AES256_GCM,data:RIh3I7STHUx+N8sBSW9z1b1CTPIflDBNY4TqWRpNPAn9SJIB76UrVXVYzC4=,iv:QT4a+JHK6TN6BWQlv/d26Yx/fH+S3T9G8RnYgWCHlkY=,tag:YRqXSXCuDyfy71bczyfMjg==,type:str] 17 17 radarr-apikey: ENC[AES256_GCM,data:7FLygsV20gXqnT/T7fxW8kajcDN6OiA/LIIrYUYx8y8=,iv:YreEg2rnm+ghAH3FiabqdRx7lYfZLO6uEhKqDAA4gA4=,tag:n/xCQAHF1b5a0lIfkfI3CQ==,type:str] 18 18 + sonarr-apikey: ENC[AES256_GCM,data:CTmGQN0k2iQknPOSxfyckBemY1Bp1SPLeHTuUBwxH6E=,iv:gtQ0hZQ+YKEYDEDOyQUG58xAxyjSHZU9CVanyh/1bL8=,tag:cRPIb9nUZYxvtFnoqAxwRQ==,type:str] 19 19 + prowlarr-apikey: ENC[AES256_GCM,data:w5pQjQed4qbqLWI4STNvqCi6p0VMy8LvzenPsKZRMmk=,iv:BbZGwTUjFh3XI47mUi3ctZhvQsqhD65HNiXJlrcTL0o=,tag:UWCn3Zy49AC0/O0nsAOLnw==,type:str] 18 20 sops: 19 21 age: 20 22 - recipient: age1amaa55e7nusv904a9ucfvtnjlw4srtet42suehey6u3yc4t2xc5sdldepj ··· 26 28 cHlWQjF3ZkU5NUs0Y1hodUlabkxpdzAK91EV34EhJMrxxdVrRCwZlGKuRs7AU7v3 27 29 dU8XRhjAzJs2Vu5UnCVOGB5Zl6w7FkXICYY0IP2dA0b477dI5rXNBg== 28 30 -----END AGE ENCRYPTED FILE----- 29 29 - lastmodified: "2025-11-06T18:29:46Z" 30 30 - mac: ENC[AES256_GCM,data:p5JjCTx4iqsXO/5bAKixr1sgxFoXodt7uoFDXMAKB3Yxq49xENZVL5S9ZbpwMmUB6Cl8LbMHMoAtrB6ab5LMYEKnGOSPVNilzJmSs18itHloel25wck++sO2589JkO55Ic781H5wDD7L7EifuRbDx3i4U3DgxOP1soTcQTpflzo=,iv:ukTDYeOuogWzbuXo9z+ClcwSfLRoVoJ2lvOmO2gjPyw=,tag:piR0FhjJqAzMkaZgiBFbDQ==,type:str] 31 31 + lastmodified: "2025-12-07T06:49:15Z" 32 32 + mac: ENC[AES256_GCM,data:ptj1uTNOu6g1VykpoeoltS0L6di8dVvVzXeIY7LEvCvqo+u74DlGQXJPvpVZPif3t9tHg65aqJShQeu461AMZBbCDOzImTMY23KABpBCaXvN8C+krTynPMan3C1fHrJmHFOXXFBT4V5ecdowopIdybUsoJ3H18jPZ629VngPgjE=,iv:q9+6Aa6LYg3TeRZZf0kRr3ssNB2igMhLg6MweDbQv3A=,tag:Lb7E/RT/tPJE1TyQf6dnyA==,type:str] 31 33 unencrypted_suffix: _unencrypted 32 34 version: 3.11.0