{ config, pkgs, ... }:
let
# Fixed uid/gid table.  Host and container both import it so the accounts that
# own bind-mounted state resolve to the same numeric ids on either side.
cids = import ./staticids.nix;
# Site-wide address prefix (used as "${networkPrefix}.97.x" below); declared
# by another module of this configuration.
inherit (config) networkPrefix;
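# FileBot post-processing script, run by filebot-process.service inside the
# container as the unprivileged `filebot` account.  It invokes the FileBot AMC
# ("automated media center") script to move finished downloads from
# $DOWNLOAD_DIR into the /multimedia library.
#
# Inputs:  $1  download directory (optional, default /downloads).  The systemd
#              unit passes no argument, so the default is what normally runs.
# Writes:  /multimedia/{movies,tv-shows}/...        organised media files
#          /var/lib/filebot/amc.log                  append-only progress log
#          /var/lib/filebot/amc-exclude-list.txt     files AMC has already seen
# Side effects: `--action move` plus `clean=y` remove the source files and
#          leftover clutter under $DOWNLOAD_DIR; empty directories are pruned.
#
# NOTE(review): `fn:amc` is resolved from FileBot's hosted script repository,
# so the processing logic is fetched/cached at runtime rather than pinned by
# this configuration — confirm that is acceptable for reproducibility.
filebotScript = pkgs.writeShellScript "filebot-process.sh" ''
  # writeShellScript already emits the bash shebang; a second one is a no-op.
  set -euo pipefail

  DOWNLOAD_DIR="''${1:-/downloads}"
  OUTPUT_DIR="/multimedia"
  LOG_FILE="/var/lib/filebot/amc.log"
  EXCLUDE_LIST="/var/lib/filebot/amc-exclude-list.txt"

  # Refuse to run against anything that is not a directory: with the
  # move+clean semantics below, a bad path must never reach FileBot or
  # `find -delete`.
  if [ ! -d "$DOWNLOAD_DIR" ]; then
    echo "$(date): download directory does not exist: $DOWNLOAD_DIR" >&2
    exit 1
  fi

  # State lives under the filebot account home (/var/lib/filebot), which the
  # host tmpfiles rule creates as filebot:filebot.
  mkdir -p "$(dirname "$LOG_FILE")"
  touch "$EXCLUDE_LIST"

  echo "$(date): Starting FileBot processing for: $DOWNLOAD_DIR" >> "$LOG_FILE"

  # Run the FileBot AMC script.  The downloaded files are untrusted input;
  # nothing derived from their names is interpolated into this command line,
  # only the fixed format strings and the directory paths set above.
  ${pkgs.filebot}/bin/filebot \
    -script fn:amc \
    --output "$OUTPUT_DIR" \
    --action move \
    --conflict auto \
    -non-strict \
    --log-file "$LOG_FILE" \
    --def \
      excludeList="$EXCLUDE_LIST" \
      movieFormat="$OUTPUT_DIR/movies/{n} ({y})/{n} ({y}) - {vf}" \
      seriesFormat="$OUTPUT_DIR/tv-shows/{n}/Season {s.pad(2)}/{n} - {s00e00} - {t}" \
      ut_dir="$DOWNLOAD_DIR" \
      ut_kind=multi \
      clean=y \
      skipExtract=y

  # Prune directories left empty by the move.  Failure here (e.g. a directory
  # we may not unlink) is not fatal: the media has already been organised.
  find "$DOWNLOAD_DIR" -type d -empty -delete 2>/dev/null || true

  echo "$(date): FileBot processing completed" >> "$LOG_FILE"
'';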
# `pyload` — the download daemon.  Fixed uid/gid from staticids.nix so the
# files it writes under the bind-mounted download tree carry an owner that
# means the same thing on host and container.
pyloadUser = {
  uid = cids.uids.pyload;
  group = "pyload";
  isSystemUser = true;
  createHome = true;
  home = "/var/lib/pyload";
};
pyloadGroup = { gid = cids.gids.pyload; };
# `jellyfin` — the media server.  render/video membership is what lets it open
# the /dev/dri nodes for hardware transcoding.
jellyfinUser = {
  uid = cids.uids.jellyfin;
  group = "jellyfin";
  extraGroups = [ "render" "video" ];
  isSystemUser = true;
  createHome = true;
  home = "/var/lib/jellyfin";
};
jellyfinGroup = { gid = cids.gids.jellyfin; };
# `filebot` — the post-processing account.  It runs the AMC script, so it must
# read (and, via move/clean, delete) under the pyload-owned download tree and
# write into the jellyfin-owned library; membership in those two groups is what
# grants that.  It deliberately gets no render/video access.  Whether group
# membership is enough also depends on the directory modes in the tmpfiles
# rules (group write is required for move/delete).
filebotUser = {
  uid = cids.uids.filebot;
  group = "filebot";
  extraGroups = [ "pyload" "jellyfin" ];
  isSystemUser = true;
  createHome = true;
  home = "/var/lib/filebot";
};
filebotGroup = { gid = cids.gids.filebot; };
in
{
# Host-side accounts.  Declared on the host as well as inside the container so
# the bind-mounted state directories are created with the same fixed numeric
# ids that the container-side services run under.
users = {
  users = {
    pyload = pyloadUser;
    jellyfin = jellyfinUser;
    filebot = filebotUser;
  };
  groups = {
    pyload = pyloadGroup;
    jellyfin = jellyfinGroup;
    filebot = filebotGroup;
  };
};
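# Host-side directory layout backing the container's bind mounts.
#
# Ownership/mode per role:
#   downloads    pyload writes here; filebot (group pyload) has to move and
#                delete finished files, which needs write permission on the
#                directory itself — hence group-writable (0775), not 0755.
#                NOTE(review): entries pyload creates below this point get
#                pyload's umask; if they come out 0755/0644 the move will still
#                fail on them — confirm pyload's umask or add a setgid/ACL rule.
#   multimedia   jellyfin reads; filebot (group jellyfin) writes the organised
#                library into movies/ and tv-shows/.  music/ is not written by
#                the FileBot script, so it stays 0755.
#   jellyfin, filebot   private state for each service.
systemd.tmpfiles.rules = [
  "d /var/lib/downloads 0775 pyload pyload - -"
  "d /var/lib/multimedia 0775 root jellyfin - -"
  "d /var/lib/multimedia/movies 0775 jellyfin jellyfin - -"
  "d /var/lib/multimedia/tv-shows 0775 jellyfin jellyfin - -"
  "d /var/lib/multimedia/music 0755 jellyfin jellyfin - -"
  "d /var/lib/jellyfin 0755 jellyfin jellyfin - -"
  "d /var/lib/filebot 0755 filebot filebot - -"
];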
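# FileBot license, decrypted by sops on the host and bind-mounted read-only
# into the container at /var/lib/filebot/license.psm.
#
# The consumer is filebot-process.service, which runs as User=filebot, so the
# file has to be readable by that account.  Keep it root-owned and 0440 but
# give it the filebot group: the gid is fixed in staticids.nix, so the host
# gid is the one the container sees, and no other account here is a member of
# that group.  With group root (as before) the service could not read it.
sops.secrets.filebot-license = {
  mode = "0440";
  owner = config.users.users.root.name;
  group = config.users.groups.filebot.name;
};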
containers.pyload = {
# Persistent nspawn container in its own network namespace, attached to the
# host bridge "server".  The host side of the link is .97.1, which the guest
# also uses as default gateway and resolver (see `networking` under `config`).
# NOTE(review): `privateUsers` is not set, so uid 0 inside maps to host uid 0
# and the static ids in staticids.nix line up 1:1.  The container boundary
# therefore rests on nspawn's namespace/capability limits rather than on uid
# separation — confirm that is the intended trust level for a service that
# fetches and unpacks internet content.
hostBridge = "server";
hostAddress = "${networkPrefix}.97.1";
localAddress = "${networkPrefix}.97.11/24";
privateNetwork = true;
ephemeral = false;
autoStart = true;
# GPU device nodes the container may use for hardware transcoding; the nodes
# themselves arrive through the /dev/dri bind mount below.
# NOTE(review): "rwm" also grants mknod.  Because the nodes are bind-mounted
# from the host rather than created inside, "rw" is likely sufficient — verify
# transcoding still works without the m bit and tighten if so.
allowedDevices = map (node: { inherit node; modifier = "rwm"; }) [
  "/dev/dri/card0"
  "/dev/dri/renderD128"
];
bindMounts =
  let
    rw = hostPath: { inherit hostPath; isReadOnly = false; };
    ro = hostPath: { inherit hostPath; isReadOnly = true; };
  in {
    # GPU: device nodes plus the host driver stack (pairs with allowedDevices).
    "/dev/dri" = rw "/dev/dri";
    "/run/opengl-driver" = ro "/run/opengl-driver";
    "/nix/store" = ro "/nix/store";

    # Per-service state, shared with the host under the same numeric ids
    # (privateUsers is not enabled on this container).
    "/var/lib/pyload" = rw "/var/lib/pyload";
    "/var/lib/jellyfin" = rw "/var/lib/jellyfin";
    "/var/lib/filebot" = rw "/var/lib/filebot";

    # Download inbox and the organised library, under the short paths used by
    # services.pyload.downloadDirectory and the FileBot script.
    "/downloads" = rw "/var/lib/downloads";
    "/multimedia" = rw "/var/lib/multimedia";

    # The decrypted license sits inside the writable /var/lib/filebot mount;
    # it is mounted read-only on top so the filebot account cannot alter it.
    "/var/lib/filebot/license.psm" = ro config.sops.secrets.filebot-license.path;
  };
config = { lib, config, pkgs, ... }: {
# Project-local package overlay for the container's nixpkgs.
nixpkgs.overlays = [ (import ../utils/overlays/packages.nix) ];
# Unfree packages this container is explicitly allowed to evaluate.  Keep the
# list exact so a new unfree dependency fails evaluation instead of slipping in.
nixpkgs.config.allowUnfreePredicate =
  let allowed = [ "unrar" "filebot" ];
  in pkg: builtins.elem (lib.getName pkg) allowed;
# Tools the pyload service needs on its PATH (it sees /run/current-system/sw/bin
# through BindReadOnlyPaths below):
#   unrar    archive extraction for pyload's ExtractArchive plugin.  It parses
#            archives fetched from the internet, so keep it current.
#   filebot  media renaming/moving, driven by filebot-process.service.
environment.systemPackages = [
  pkgs.unrar
  pkgs.filebot
];
# Intel GPU user-space stack for hardware transcoding inside the container.
hardware.graphics = {
  enable = true;
  extraPackages = [
    pkgs.intel-media-driver     # iHD VA-API driver (selected via LIBVA_DRIVER_NAME)
    pkgs.vpl-gpu-rt             # oneVPL GPU runtime
    pkgs.intel-compute-runtime  # OpenCL runtime
  ];
};
# Select the iHD VA-API backend (the modern Intel driver for the N100; see
# intel-media-driver above) for login sessions.  The jellyfin unit sets the
# same variable separately in its own environment.
environment.sessionVariables.LIBVA_DRIVER_NAME = "iHD";
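networking = {
  hostName = "pyload";
  # The container manages its own resolv.conf (resolver is the host side of
  # the link); do not copy the host's.
  useHostResolvConf = false;
  defaultGateway = {
    address = "${networkPrefix}.97.1";
    interface = "eth0";
  };
  nameservers = [ "${networkPrefix}.97.1" ];
  # Keep the container firewall on.  With it disabled, everything that listens
  # in the container (pyload on 0.0.0.0:8000, Jellyfin's HTTP/discovery ports,
  # any debug listener added later) is reachable from the whole "server"
  # bridge.  Jellyfin opens its own ports via services.jellyfin.openFirewall;
  # pyload's web UI is the only other intended listener.  Add to this list if
  # pyload gains further listeners (e.g. a Click'N'Load port).
  firewall = {
    enable = true;
    allowedTCPPorts = [ 8000 ];
  };
};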
# pyload web UI / API.  Listening on all interfaces makes it reachable from the
# bridge; no TLS is configured here, so it is guarded only by pyload's own
# login — keep the bridge trusted or front it with a TLS reverse proxy.
services.pyload = {
  enable = true;
  listenAddress = "0.0.0.0";
  port = 8000;
  # Bind mount of /var/lib/downloads on the host; the tree FileBot consumes.
  downloadDirectory = "/downloads";
};
# Jellyfin media server; openFirewall opens its HTTP and discovery ports in
# the container firewall (only meaningful when that firewall is enabled).
services.jellyfin = {
  openFirewall = true;
  enable = true;
};
# Relax the upstream jellyfin unit just enough for GPU transcoding.
systemd.services.jellyfin = {
  serviceConfig = {
    # mkForce because the upstream unit turns PrivateUsers on; with a private
    # user namespace the render/video group grants do not reach /dev/dri.
    # This drops one sandbox layer, so the DeviceAllow list and the group
    # membership below are what still confine the service to the two GPU nodes.
    PrivateUsers = lib.mkForce false;
    DeviceAllow = [
      "/dev/dri/card0 rw"
      "/dev/dri/renderD128 rw"
    ];
    # Explicit so device access does not hinge on the account's extraGroups.
    SupplementaryGroups = [ "render" "video" ];
  };
  # Same backend selection as environment.sessionVariables, set on the unit
  # itself so the service definitely sees it.
  environment.LIBVA_DRIVER_NAME = "iHD";
};
systemd.services.pyload =
  let
    # ExtractArchive plugin: unpack finished downloads in place.  Names are as
    # pyload exposes them; presumed meanings (confirm against pyload's docs):
    #   DELETE / DELTOTRASH  remove the archive after extraction, no trash copy
    #   REPAIR               try to repair damaged archives before extracting
    #   RECURSIVE            also extract archives found inside archives
    #   FULLPATH             honour the paths stored in the archive
    # SECURITY: these archives come from the internet.  RECURSIVE+FULLPATH make
    # the extractor trust archive-internal paths, so the unrar build must be
    # one that rejects traversal (../, absolute paths, symlink tricks) — keep it
    # updated.  Whatever lands here is subsequently moved by FileBot.
    extractArchive = {
      PYLOAD__EXTRACTARCHIVE__ENABLED = "1";
      PYLOAD__EXTRACTARCHIVE__DELETE = "1";
      PYLOAD__EXTRACTARCHIVE__DELTOTRASH = "0";
      PYLOAD__EXTRACTARCHIVE__REPAIR = "1";
      PYLOAD__EXTRACTARCHIVE__RECURSIVE = "1";
      PYLOAD__EXTRACTARCHIVE__FULLPATH = "1";
    };
  in {
    environment = extractArchive // {
      # SECURITY: TLS certificate verification is switched off for pyload's
      # outbound HTTPS.  Presumably needed for hosters with broken chains, but
      # it lets any on-path attacker substitute the archives that the plugin
      # above then extracts automatically.  Prefer fixing the trust store
      # (/etc/ssl is bind-mounted below) and re-enabling verification.
      PYLOAD__GENERAL__SSL_VERIFY = "0";
    };
    # The upstream unit runs pyload in a chroot; expose resolver config, CA
    # bundles and the system bin dir (unrar/filebot) read-only inside it.
    serviceConfig.BindReadOnlyPaths = [
      "/etc/resolv.conf"
      "/etc/nsswitch.conf"
      "/etc/hosts"
      "/etc/ssl"
      "/etc/static/ssl"
      "/run/current-system/sw/bin"
    ];
  };
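# One-shot FileBot run over /downloads, started by filebot-watch.path.
# Runs as the unprivileged `filebot` account (groups pyload + jellyfin give it
# the download tree and the library).  ExecStart passes no argument, so the
# script always processes its default directory, /downloads.
systemd.services.filebot-process = {
  description = "FileBot media file processing";
  serviceConfig = {
    Type = "oneshot";
    User = "filebot";
    Group = "filebot";
    ExecStart = "${filebotScript}";
    # Sandbox: the job handles files fetched from the internet.  Everything
    # except the three trees it must write is read-only, it cannot gain
    # privileges, and it gets a private /tmp.  Extend ReadWritePaths if FileBot
    # ever needs another writable location.
    NoNewPrivileges = true;
    PrivateTmp = true;
    ProtectSystem = "strict";
    ProtectHome = true;
    ReadWritePaths = [ "/downloads" "/multimedia" "/var/lib/filebot" ];
  };
};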
# Trigger FileBot whenever /downloads changes.
# NOTE(review): PathModified fires on any change to the directory, which
# appears to include pyload creating a new package directory or file at the
# *start* of a download, not only on completion.  FileBot may then see partial
# files; the exclude list in the script reduces repeat work but not that race.
# Confirm AMC ignores in-progress files, or trigger this unit from pyload's
# own post-download/extraction hook instead.
systemd.paths.filebot-watch = {
  description = "Watch for completed downloads";
  pathConfig = {
    Unit = "filebot-process.service";
    PathModified = "/downloads";
  };
  wantedBy = [ "multi-user.target" ];
};
# Accounts inside the container: the same definitions as on the host (same
# fixed ids), plus render/video pinned to fixed gids so they match the host's
# and the bind-mounted /dev/dri nodes stay accessible by group.
users.users = {
  pyload = pyloadUser;
  jellyfin = jellyfinUser;
  filebot = filebotUser;
};
users.groups = {
  render.gid = 303;
  video.gid = 26;
  pyload = pyloadGroup;
  jellyfin = jellyfinGroup;
  filebot = filebotGroup;
};
system.stateVersion = "24.05"; # state-format pin for this container; leave unchanged unless its state is migrated
};
};
}