nixos/hosts/fw/modules/pyload/pyload.nix

{ pkgs, lib, ... }:
{
  environment.systemPackages = with pkgs; [
    unrar    # Required for RAR archive extraction
    p7zip    # Required for 7z and other archive formats
  ];

  services.pyload = {
    enable = true;
    downloadDirectory = "/downloads";
    listenAddress = "0.0.0.0";
    port = 8000;
  };

  # Configure pyload service
  systemd.services.pyload = {
    # Add extraction tools to service PATH
    path = with pkgs; [
      unrar    # For RAR extraction
      p7zip    # For 7z extraction
    ];

    environment = {
      # Disable SSL certificate verification
      PYLOAD__GENERAL__SSL_VERIFY = "0";

      # Download speed limiting (150 Mbit/s = 19200 KiB/s)
      PYLOAD__DOWNLOAD__LIMIT_SPEED = "1";
      PYLOAD__DOWNLOAD__MAX_SPEED = "19200";

      # Enable ExtractArchive plugin
      PYLOAD__EXTRACTARCHIVE__ENABLED = "1";
      PYLOAD__EXTRACTARCHIVE__DELETE = "1";
      PYLOAD__EXTRACTARCHIVE__DELTOTRASH = "0";
      PYLOAD__EXTRACTARCHIVE__REPAIR = "1";
      PYLOAD__EXTRACTARCHIVE__RECURSIVE = "1";
      PYLOAD__EXTRACTARCHIVE__FULLPATH = "1";

      # Enable ExternalScripts plugin for hooks
      PYLOAD__EXTERNALSCRIPTS__ENABLED = "1";
      PYLOAD__EXTERNALSCRIPTS__UNLOCK = "1";  # Run hooks asynchronously
    };

    # Bind-mount DNS configuration files into the chroot
    serviceConfig = {
      BindReadOnlyPaths = [
        "/etc/resolv.conf"
        "/etc/nsswitch.conf"
        "/etc/hosts"
        "/etc/ssl"
        "/etc/static/ssl"
      ];
      # Bind mount multimedia directory as writable for FileBot hook scripts
      BindPaths = [ "/multimedia" ];

      # Override SystemCallFilter to allow @resources syscalls
      # FileBot (Java) needs resource management syscalls like setpriority
      # during cleanup operations. Still block privileged syscalls for security.
      # Use mkForce to completely replace the NixOS module's default filter.
      SystemCallFilter = lib.mkForce [
        "@system-service"
        "@resources"       # Explicitly allow resource management syscalls
        "~@privileged"     # Still block privileged operations
        "fchown"           # Re-allow fchown for FileBot file operations
        "fchown32"         # 32-bit compatibility
      ];
    };
  };
}