Set up torrenting and the arr suite on the NAS

.sops.yaml

@@ -39,3 +39,9 @@ creation_rules:
         - *joonas
         age:
         - *thebes
+  - path_regex: hosts/thebes/recyclarr_secrets$
+    key_groups:
+      - pgp:
+        - *joonas
+        age:
+        - *thebes

hosts/thebes/default.nix

@@ -14,24 +14,32 @@
     ])
     (with self.nixosModules; [
       locale
-      tailscale
       systemd-boot
     ])
     inputs.disko.nixosModules.disko
     inputs.sops-nix.nixosModules.sops
+    inputs.nixarr.nixosModules.default
     ./disk-config.nix
   ];
 
   networking.hostName = "thebes";
-  networking.useDHCP = true;
   nixpkgs.hostPlatform = "x86_64-linux";
   system.stateVersion = "24.11";
 
   sops = {
     defaultSopsFile = ./secrets.yaml;
-    secrets = { };
+    secrets = {
+      "wireguard.conf".owner = "root";
+      recyclarr-secrets = {
+        format = "binary";
+        sopsFile = ./recyclarr_secrets;
+        path = "/var/lib/recyclarr/secrets.yml";
+      };
+    };
   };
 
+  # HARDWARE
+
   boot.initrd.availableKernelModules = [
     "xhci_pci"
     "ahci"
@@ -43,16 +51,34 @@
 
   boot.kernelModules = [ "kvm-intel" ];
 
-  environment.systemPackages = with pkgs; [
-    mergerfs
-    smartmontools
-  ];
+  networking.useDHCP = true;
+
+  # enable vaapi on OS-level
+  nixpkgs.config.packageOverrides = pkgs: {
+    vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
+  };
+
+  # hardware acceleration
+  hardware.graphics = {
+    enable = true;
+    extraPackages = with pkgs; [
+      intel-media-driver
+      intel-vaapi-driver
+      vaapiVdpau
+      intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
+      vpl-gpu-rt # QSV on 11th gen or newer
+      intel-media-sdk # QSV up to 11th gen
+    ];
+  };
 
   # MOUNTS
 
   systemd.tmpfiles.rules = [
     "d /data 0755 root root"
     "d /srv/nfs 0775 nfs users"
+    "d '${config.nixarr.mediaDir}/torrents'             0755 torrenter media - -"
+    "d '${config.nixarr.mediaDir}/torrents/.incomplete' 0755 torrenter media - -"
+    "d '${config.nixarr.mediaDir}/torrents/.watch'      0755 torrenter media - -"
   ];
 
   fileSystems = {
@@ -73,16 +99,16 @@
       device = "/mnt/disk*";
       fsType = "fuse.mergerfs";
       options = [
-        "cache.files=partial"
+        "cache.files=full" # required for deluge to work
         "dropcacheonclose=true"
         "category.create=mfs"
-        "func.getattr=newest"
+        "func.getattr=newest" # required for jellyfin to find new files
       ];
     };
 
-    # Bind mount /data into /srv/nfs
+    # Bind mount /data/share into /srv/nfs
     "/srv/nfs" = {
-      device = "/data";
+      device = "/data/share";
       options = [ "bind" ];
     };
   };
@@ -128,4 +154,122 @@
   };
 
   services.vnstat.enable = true;
+
+  # The *arr suite
+  nixarr = {
+    enable = true;
+    mediaDir = "/data/media";
+    stateDir = "/var/lib/nixarr";
+
+    jellyfin.enable = true; # 8096
+    # https://github.com/NixOS/nixpkgs/issues/353600
+    jellyfin.package = inputs.nixpkgs-old.legacyPackages.${pkgs.system}.jellyfin;
+
+    prowlarr.enable = true; # 9696
+    radarr.enable = true; # 7878
+    sonarr.enable = true; # 8989
+    readarr.enable = true; # 8787
+    bazarr.enable = true; # 6767
+  };
+
+  users.groups = {
+    torrenter = { };
+    cross-seed = { };
+  };
+
+  users.users.torrenter = {
+    isSystemUser = true;
+    group = "torrenter";
+  };
+
+  # set up vpn confinement namespace
+  vpnNamespaces.wg = {
+    enable = true;
+    wireguardConfigFile = config.sops.secrets."wireguard.conf".path;
+
+    portMappings = [
+      {
+        from = config.services.deluge.web.port;
+        to = config.services.deluge.web.port;
+      }
+    ];
+    openVPNPorts = [
+      {
+        port = 41886;
+        protocol = "both";
+      }
+    ];
+    accessibleFrom = [
+      "192.168.1.0/24"
+      "10.0.0.0/8"
+      "127.0.0.1"
+    ];
+  };
+
+  # map local port to the vpn port so it's accessible
+  services.nginx = {
+    enable = true;
+    virtualHosts."127.0.0.1:${toString config.services.deluge.web.port}" = {
+      listen = [
+        {
+          addr = "0.0.0.0";
+          inherit (config.services.deluge.web) port;
+        }
+      ];
+      locations."/" = {
+        recommendedProxySettings = true;
+        proxyWebsockets = true;
+        proxyPass = "http://${config.vpnNamespaces.wg.namespaceAddress}:${toString config.services.deluge.web.port}";
+      };
+    };
+  };
+
+  # use deluge torrent client
+  services.deluge = {
+    enable = true;
+    user = "torrenter";
+    group = "media";
+    web = {
+      enable = true;
+      openFirewall = true;
+      port = 8112;
+    };
+  };
+
+  # run deluge daemon inside the vpn
+  systemd.services.deluged.vpnConfinement = {
+    enable = true;
+    vpnNamespace = "wg";
+  };
+
+  # run deluge web ui inside the vpn.
+  # while this doesn't matter for privacy, 
+  # it's required so the web ui can find the daemon
+  systemd.services.delugeweb.vpnConfinement = {
+    enable = true;
+    vpnNamespace = "wg";
+  };
+
+  # recyclarr is used to set up quality profiles
+  systemd.services.recyclarr = {
+    wantedBy = [ "multi-user.target" ];
+    requires = [
+      "radarr.service"
+      "sonarr.service"
+    ];
+    serviceConfig = {
+      type = "oneshot";
+    };
+    script = "${lib.getExe pkgs.recyclarr} sync --config ${./recyclarr.yml} --app-data /var/lib/recyclarr";
+  };
+
+  # PACKAGES
+
+  environment.systemPackages = with pkgs; [
+    mergerfs
+    smartmontools
+    wireguard-tools
+    intel-gpu-tools
+    qbittorrent-nox
+  ];
 }

hosts/thebes/recyclarr.yml

@@ -0,0 +1,156 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/recyclarr/recyclarr/master/schemas/config-schema.json
+
+sonarr:
+  series:
+    base_url: http://localhost:8989
+    api_key: !secret sonarr_apikey
+
+    quality_definition:
+        type: series
+    include:
+        - template: sonarr-quality-definition-series
+        - template: sonarr-v4-quality-profile-anime
+        - template: sonarr-v4-custom-formats-anime
+        - template: sonarr-v4-quality-profile-web-2160p
+        - template: sonarr-v4-custom-formats-web-2160p
+    quality_profiles:
+        - name: WEB-2160p
+          qualities:
+            - name: WEB 2160p
+              qualities:
+                - WEBDL-2160p
+                - WEBRip-2160p
+            - name: WEB 1080p
+              qualities:
+                - WEBDL-1080p
+                - WEBRip-1080p
+    custom_formats:
+        # =================================
+        # Remux-1080p - Anime
+        # =================================
+        - trash_ids:
+            # Uncensored
+            - 026d5aadd1a6b4e550b134cb6c72b3ca
+            # 10bit
+            - b2550eb333d27b75833e25b8c2557b38
+            # Anime Dual Audio
+            - 418f50b10f1907201b6cfdf881f467b7
+          assign_scores_to:
+            - name: Remux-1080p - Anime
+              score: 10
+        # =================================
+        # WEB-2160p
+        # =================================
+        # Optional
+        - trash_ids:
+            # Bad Dual Groups
+            - 32b367365729d530ca1c124a0b180c64
+            # DV (WEBDL)
+            - 9b27ab6498ec0f31a3353992e19434ca
+            # No-RlsGroup
+            - 82d40da2bc6923f41e14394075dd4b03
+          assign_scores_to:
+            - name: WEB-2160p
+
+radarr:
+  movies:
+    base_url: http://localhost:7878
+    api_key: !secret radarr_apikey
+
+    quality_profiles:
+      - name: SQP-1 (1080p)
+        min_format_score: 10
+      - name: SQP-1 (2160p)
+      # Uncomment the below line if you don't have access to top-tier indexers
+        min_format_score: 10
+
+    include:
+      # Comment out any of the following includes to disable them
+      - template: radarr-quality-definition-sqp-streaming
+
+      - template: radarr-quality-profile-sqp-1-1080p
+      - template: radarr-custom-formats-sqp-1-1080p
+
+      - template: radarr-quality-profile-sqp-1-2160p-default
+      - template: radarr-custom-formats-sqp-1-2160p
+
+    custom_formats:
+    # 1080p
+      - trash_ids:
+      # Uncomment any of the next six lines to prefer these movie versions
+          # - 570bc9ebecd92723d2d21500f4be314c # Remaster
+          # - eca37840c13c6ef2dd0262b141a5482f # 4K Remaster
+          # - e0c07d59beb37348e975a930d5e50319 # Criterion Collection
+          # - 9d27d9d2181838f76dee150882bdc58c # Masters of Cinema
+          # - db9b4c4b53d312a3ca5f1378f6440fc9 # Vinegar Syndrome
+          # - 957d0f44b592285f26449575e8b1167e # Special Edition
+      # Uncomment the next line if you prefer WEBDL with IMAX Enhanced to BHDStudio
+          # - 9f6cbff8cfe4ebbc1bde14c7b7bec0de # IMAX Enhanced
+
+      # Optional - uncomment any of the following if you want them added to your profile
+          # - b6832f586342ef70d9c128d40c07b872 # Bad Dual Groups
+          # - 90cedc1fea7ea5d11298bebd3d1d3223 # EVO (no WEBDL)
+          # - ae9b7c9ebde1f3bd336a8cbd1ec4c5e5 # No-RlsGroup
+          # - 7357cf5161efbf8c4d5d0c30b4815ee2 # Obfuscated
+          # - 5c44f52a8714fdd79bb4d98e2673be1f # Retags
+          # - f537cf427b64c38c8e36298f657e4828 # Scene
+        assign_scores_to:
+          - name: SQP-1 (1080p)
+      - trash_ids:
+          - dc98083864ea246d05a42df0d05f81cc # x265 (HD)
+        assign_scores_to:
+          - name: SQP-1 (1080p)
+
+
+    # 4K
+      - trash_ids:
+      # Uncomment any of the next six lines to prefer these movie versions
+          # - 570bc9ebecd92723d2d21500f4be314c # Remaster
+          # - eca37840c13c6ef2dd0262b141a5482f # 4K Remaster
+          # - e0c07d59beb37348e975a930d5e50319 # Criterion Collection
+          # - 9d27d9d2181838f76dee150882bdc58c # Masters of Cinema
+          # - db9b4c4b53d312a3ca5f1378f6440fc9 # Vinegar Syndrome
+          # - 957d0f44b592285f26449575e8b1167e # Special Edition
+      # Uncomment the next line if you prefer 1080p/2160p WEBDL with IMAX Enhanced
+          # - 9f6cbff8cfe4ebbc1bde14c7b7bec0de # IMAX Enhanced
+        assign_scores_to:
+          - name: SQP-1 (2160p)
+
+      # Unwanted
+      - trash_ids:
+      # Uncomment the next six lines to block all x265 HD releases
+          # - 839bea857ed2c0a8e084f3cbdbd65ecb # x265 (no HDR/DV)
+        # assign_scores_to:
+          # - name: SQP-1 (2160p)
+            # score: 0
+      # - trash_ids:
+          # - dc98083864ea246d05a42df0d05f81cc # x265 (HD)
+        assign_scores_to:
+          - name: SQP-1 (2160p)
+
+      # Optional
+      - trash_ids:
+          # Uncomment the next two lines if you have a setup that supports HDR10+
+          # - b17886cb4158d9fea189859409975758 # HDR10+ Boost
+          # - 55a5b50cb416dea5a50c4955896217ab # DV HDR10+ Boost
+
+          # Uncomment any of the following optional custom formats if you want them to be added to
+          # the quality profile
+          # - b6832f586342ef70d9c128d40c07b872 # Bad Dual Groups
+          # - 90cedc1fea7ea5d11298bebd3d1d3223 # EVO (no WEBDL)
+          # - ae9b7c9ebde1f3bd336a8cbd1ec4c5e5 # No-RlsGroup
+          # - 7357cf5161efbf8c4d5d0c30b4815ee2 # Obfuscated
+          # - 5c44f52a8714fdd79bb4d98e2673be1f # Retags
+          # - f537cf427b64c38c8e36298f657e4828 # Scene
+        assign_scores_to:
+          - name: SQP-1 (2160p)
+
+      # Optional SDR
+      # Only ever use ONE of the following custom formats:
+      # SDR - block ALL SDR releases
+      # SDR (no WEBDL) - block UHD/4k Remux and Bluray encode SDR releases, but allow SDR WEB
+      - trash_ids:
+          - 9c38ebb7384dada637be8899efa68e6f # SDR
+          # - 25c12f78430a3a23413652cbd1d48d77 # SDR (no WEBDL)
+        assign_scores_to:
+          - name: SQP-1 (2160p)