Nixos Modules - Options Documentation

nixarr.enable

Whether or not to enable the nixarr module. Has the following features:

• Run services through a VPN: You can run any service that this module supports through a VPN, fx nixarr.transmission.vpn.enable = true;
• Automatic Directories, Users and Permissions: The module automatically creates directories and users for your media library. It also sets sane permissions.
• State Management: All services support state management and all state that they manage is located by default in /data/.state/nixarr/*
• Optional Automatic Port Forwarding: This module has a UPNP support that lets services request ports from your router automatically, if you enable it.

It is possible, but not recommended, to run the “*Arrs” behind a VPN, because it can cause rate limiting issues. Generally, you should use VPN on transmission and maybe jellyfin, depending on your setup.

The following services are supported:

• Jellyfin
• Jellyseerr
• Bazarr
• Lidarr
• Prowlarr
• Radarr
• Readarr
• Sonarr
• Transmission
• SABnzbd

Remember to read the options.

Warning: The Jellyseerr module currently does not work on nixos 24.11. You will have to update to the unstable branch in order for it to work.

Type: boolean

  false

  true

nixarr.bazarr.enable

Whether or not to enable the Bazarr service.

Required options: nixarr.enable

Type: boolean

  false

  true

nixarr.bazarr.package

The bazarr package to use.

Type: package

  pkgs.bazarr

nixarr.bazarr.openFirewall

Open firewall for Bazarr

Type: boolean

  !nixarr.bazarr.vpn.enable

  true

nixarr.bazarr.stateDir

The location of the state directory for the Bazarr service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/bazarr

Is not supported, because /home/user is owned by user.

Type: path

  "${nixarr.stateDir}/bazarr"

  "/nixarr/.state/bazarr"

nixarr.bazarr.vpn.enable

Required options: nixarr.vpn.enable

Route Bazarr traffic through the VPN.

Type: boolean

  false

  true

nixarr.ddns.njalla.enable

Required options:

• nixarr.enable
• nixarr.ddns.njalla.keysFile

Whether or not to enable DDNS for a Njalla domain.

Type: boolean

  false

  true

nixarr.ddns.njalla.keysFile

A path to a JSON-file containing key value pairs of domains and keys.

To get the keys, create a dynamic njalla record. Upon creation you should see something like the following command suggested:

  curl "https://njal.la/update/?h=jellyfin.example.com&k=zeubesojOLgC2eJC&auto"

Then the JSON-file you pass here should contain:

  {
    "jellyfin.example.com": "zeubesojOLgC2eJC"
  }

You can, of course, add more key-value pairs than just one.

Type: null or path

  null

  "/data/.secret/njalla/keys-file.json"

nixarr.ddns.njalla.vpn.enable

Required options:

• nixarr.enable
• nixarr.ddns.njalla.keysFile
• nixarr.vpn.enable

Whether or not to enable DDNS over VPN for a Njalla domain. Setting this will point to the public ip of your VPN. Useful if you’re running services over VPN and want a domain that points to the corresponding ip.

Note: You can enable both this and the regular njalla DDNS service.

Type: boolean

  false

  true

nixarr.ddns.njalla.vpn.keysFile

See nixarr.ddns.njalla.keysFile

Type: null or path

  null

  "/data/.secret/njalla/keys-file.json"

nixarr.jellyfin.enable

Whether or not to enable the Jellyfin service.

Required options: nixarr.enable

Type: boolean

  false

  true

nixarr.jellyfin.package

The jellyfin package to use.

Type: package

  pkgs.jellyfin

nixarr.jellyfin.expose.https.enable

Required options:

• nixarr.jellyfin.expose.https.acmeMail
• nixarr.jellyfin.expose.https.domainName

Conflicting options: nixarr.jellyfin.vpn.enable

Expose the Jellyfin web service to the internet with https support, allowing anyone to access it.

Warning: Do not enable this without setting up Jellyfin authentication through localhost first!

Type: boolean

  false

  true

nixarr.jellyfin.expose.https.acmeMail

The ACME mail required for the letsencrypt bot.

Type: null or string

  null

  "mail@example.com"

nixarr.jellyfin.expose.https.domainName

The domain name to host Jellyfin on.

Type: null or string

  null

  "jellyfin.example.com"

nixarr.jellyfin.expose.https.upnp.enable

Whether to enable UPNP to try to open ports 80 and 443 on your router…

Type: boolean

  false

  true

nixarr.jellyfin.openFirewall

Open firewall for Jellyfin

Type: boolean

  !nixarr.jellyfin.vpn.enable

  true

nixarr.jellyfin.stateDir

The location of the state directory for the Jellyfin service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/jellyfin

Is not supported, because /home/user is owned by user.

Type: path

  "${nixarr.stateDir}/jellyfin"

  "/nixarr/.state/jellyfin"

nixarr.jellyfin.vpn.enable

Required options: nixarr.vpn.enable

Conflicting options: nixarr.jellyfin.expose.https.enable

Route Jellyfin traffic through the VPN.

Type: boolean

  false

  true

nixarr.jellyseerr.enable

Whether or not to enable the Jellyseerr service.

Required options: nixarr.enable

Type: boolean

  false

  true

nixarr.jellyseerr.package

The jellyseerr package to use.

Type: package

  pkgs.jellyseerr

nixarr.jellyseerr.openFirewall

Open firewall for Jellyseerr

Type: boolean

  !nixarr.jellyseerr.vpn.enable

  true

nixarr.jellyseerr.port

Jellyseerr web-UI port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  5055

  12345

nixarr.jellyseerr.stateDir

The location of the state directory for the Jellyseerr service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/jellyseerr

Is not supported, because /home/user is owned by user.

Type: path

  "${nixarr.stateDir}/jellyseerr"

  "/nixarr/.state/jellyseerr"

nixarr.jellyseerr.vpn.enable

Required options: nixarr.vpn.enable

Route Jellyseerr traffic through the VPN.

Type: boolean

  false

  true

nixarr.lidarr.enable

Whether or not to enable the Lidarr service.

Required options: nixarr.enable

Type: boolean

  false

  true

nixarr.lidarr.package

The lidarr package to use.

Type: package

  pkgs.lidarr

nixarr.lidarr.openFirewall

Open firewall for Lidarr

Type: boolean

  !nixarr.lidarr.vpn.enable

  true

nixarr.lidarr.stateDir

The location of the state directory for the Lidarr service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/lidarr

Is not supported, because /home/user is owned by user.

Type: path

  "${nixarr.stateDir}/lidarr"

  "/nixarr/.state/lidarr"

nixarr.lidarr.vpn.enable

Required options: nixarr.vpn.enable

Route Lidarr traffic through the VPN.

Type: boolean

  false

  true

nixarr.mediaDir

The location of the media directory for the services.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  mediaDir = /home/user/nixarr

Is not supported, because /home/user is owned by user.

Type: path

  "/data/media"

  "/nixarr"

nixarr.mediaUsers

Extra users to add to the media group.

Type: list of string

  [ ]

  [
    "user"
  ]

nixarr.openssh.expose.vpn.enable

Required options:

• nixarr.vpn.enable
• nixarr.enable

Run the openssh service through a vpn, exposing it to the internet.

Warning: This lets anyone on the internet connect through SSH, make sure the SSH configuration is secure! Disallowing password authentication and only allowing SSH-keys is considered secure.

Note: This option does not enable the SSHD service you still need to setup sshd in your nixos configuration, fx:

  services.openssh = {
    enable = true;
    settings.PasswordAuthentication = false;
    # Get this port from your VPN provider
    ports [ 12345 ];
  };

  users.extraUsers.username.openssh.authorizedKeys.keyFiles = [
    ./path/to/public/key/machine.pub
  ];

Then replace username with your username and the keyFiles path to a ssh public key file from the machine that you want to have access. Don’t use password authentication as it is insecure!

Type: boolean

  false

  true

nixarr.prowlarr.enable

Whether or not to enable the Prowlarr service.

Required options: nixarr.enable

Type: boolean

  false

  true

nixarr.prowlarr.package

The prowlarr package to use.

Type: package

  pkgs.prowlarr

nixarr.prowlarr.openFirewall

Open firewall for Prowlarr

Type: boolean

  !nixarr.prowlarr.vpn.enable

  true

nixarr.prowlarr.stateDir

The location of the state directory for the Prowlarr service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/prowlarr

Is not supported, because /home/user is owned by user.

Type: path

  "${nixarr.stateDir}/prowlarr"

  "/nixarr/.state/prowlarr"

nixarr.prowlarr.vpn.enable

Required options: nixarr.vpn.enable

Route Prowlarr traffic through the VPN.

Type: boolean

  false

  true

nixarr.radarr.enable

Whether or not to enable the Radarr service.

Required options: nixarr.enable

Type: boolean

  false

  true

nixarr.radarr.package

The radarr package to use.

Type: package

  pkgs.radarr

nixarr.radarr.openFirewall

Open firewall for Radarr

Type: boolean

  !nixarr.radarr.vpn.enable

  true

nixarr.radarr.stateDir

The location of the state directory for the Radarr service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/radarr

Is not supported, because /home/user is owned by user.

Type: path

  "${nixarr.stateDir}/radarr"

  "/nixarr/.state/radarr"

nixarr.radarr.vpn.enable

Required options: nixarr.vpn.enable

Route Radarr traffic through the VPN.

Type: boolean

  false

  true

nixarr.readarr.enable

Whether or not to enable the Readarr service.

Required options: nixarr.enable

Type: boolean

  false

  true

nixarr.readarr.package

The readarr package to use.

Type: package

  pkgs.readarr

nixarr.readarr.openFirewall

Open firewall for Readarr

Type: boolean

  !nixarr.readarr.vpn.enable

  true

nixarr.readarr.stateDir

The location of the state directory for the Readarr service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/readarr

Is not supported, because /home/user is owned by user.

Type: path

  "${nixarr.stateDir}/readarr"

  "/nixarr/.state/readarr"

nixarr.readarr.vpn.enable

Required options: nixarr.vpn.enable

Route Readarr traffic through the VPN.

Type: boolean

  false

  true

nixarr.sabnzbd.enable

Whether to enable Enable the SABnzbd service…

Type: boolean

  false

  true

nixarr.sabnzbd.package

The sabnzbd package to use.

Type: package

  pkgs.sabnzbd

nixarr.sabnzbd.guiPort

The port that SABnzbd’s GUI will listen on for incomming connections.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  8080

  9999

nixarr.sabnzbd.openFirewall

Open firewall for SABnzbd

Type: boolean

  !nixarr.sabnzbd.vpn.enable

  true

nixarr.sabnzbd.stateDir

The location of the state directory for the SABnzbd service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/sabnzbd

Is not supported, because /home/user is owned by user.

Type: path

  "${nixarr.stateDir}/sabnzbd"

  "/nixarr/.state/sabnzbd"

nixarr.sabnzbd.vpn.enable

Required options: nixarr.vpn.enable

Route SABnzbd traffic through the VPN.

Type: boolean

  false

  true

nixarr.sabnzbd.whitelistHostnames

A list that specifies what URLs that are allowed to represent your SABnzbd instance.

Note: If you see an error message like this when trying to connect to SABnzbd from another device:

  Refused connection with hostname "your.hostname.com"

Then you should add your hostname (“hostname.com” above) to this list.

SABnzbd only allows connections matching these URLs in order to prevent DNS hijacking. See https://sabnzbd.org/wiki/extra/hostname-check.html for more info.

Type: list of string

  [ config.networking.hostName ]

  [ "mediaserv" "media.example.com" ]

nixarr.sabnzbd.whitelistRanges

A list of IP ranges that will be allowed to connect to SABnzbd’s web GUI. This only needs to be set if SABnzbd needs to be accessed from another machine besides its host.

Type: list of string

  [ ]

  "[ \"192.168.1.0/24\" \"10.0.0.0/23\" ]"

nixarr.sonarr.enable

Whether or not to enable the Sonarr service.

Required options: nixarr.enable

Type: boolean

  false

  true

nixarr.sonarr.package

The sonarr package to use.

Type: package

  pkgs.sonarr

nixarr.sonarr.openFirewall

Open firewall for Sonarr

Type: boolean

  !nixarr.sonarr.vpn.enable

  true

nixarr.sonarr.stateDir

The location of the state directory for the Sonarr service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/sonarr

Is not supported, because /home/user is owned by user.

Type: path

  "${nixarr.stateDir}/sonarr"

  "/nixarr/.state/sonarr"

nixarr.sonarr.vpn.enable

Required options: nixarr.vpn.enable

Route Sonarr traffic through the VPN.

Type: boolean

  false

  true

nixarr.stateDir

The location of the state directory for the services.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state

Is not supported, because /home/user is owned by user.

Type: path

  "/data/.state/nixarr"

  "/nixarr/.state"

nixarr.transmission.enable

Whether or not to enable the Transmission service.

Required options: nixarr.enable

Type: boolean

  false

  true

nixarr.transmission.package

The transmission_4 package to use.

Type: package

  pkgs.transmission_4

nixarr.transmission.credentialsFile

Path to a JSON file to be merged with the settings. Useful to merge a file which is better kept out of the Nix store to set secret config parameters like rpc-password.

Type: path

  "/dev/null"

  "/var/lib/secrets/transmission/settings.json"

nixarr.transmission.extraAllowedIps

Extra IP addresses allowed to access the Transmission RPC. By default 192.168.* and 127.0.0.1 (localhost) are allowed, but if your local network has a weird ip for some reason, you can add it here.

Type: list of string

  [ ]

  [
    "10.19.5.10"
  ]

nixarr.transmission.extraSettings

Extra config settings for the Transmission service.

See the services.transmission.settings nixos options in the relevant section of the configuration.nix manual or on search.nixos.org.

Type: attribute set

  { }

  {
    trash-original-torrent-files = true;
  }

nixarr.transmission.flood.enable

Whether to enable the flood web-UI for the transmission web-UI…

Type: boolean

  false

  true

nixarr.transmission.messageLevel

Sets the message level of transmission.

Type: one of “none”, “critical”, “error”, “warn”, “info”, “debug”, “trace”

  "warn"

  "debug"

nixarr.transmission.openFirewall

Open firewall for peer-port and rpc-port.

Type: boolean

  !nixarr.transmission.vpn.enable

  true

nixarr.transmission.peerPort

Transmission peer traffic port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  50000

  12345

nixarr.transmission.privateTrackers.cross-seed.enable

Required options: nixarr.prowlarr.enable

Whether or not to enable the cross-seed service.

Type: boolean

  false

  true

nixarr.transmission.privateTrackers.cross-seed.extraSettings

Extra settings for the cross-seed service, see the cross-seed options documentation

Type: attribute set

  { }

  {
    delay = 20;
    port = 3000;
  }

nixarr.transmission.privateTrackers.cross-seed.indexIds

List of indexer-ids, from prowlarr. These are from the RSS links for the indexers, located by the “radio” or “RSS” logo on the right of the indexer, you’ll see the links have the form:

http://localhost:9696/1/api?apikey=aaaaaaaaaaaaa

Then the id needed here is the 1.

Type: list of signed integer

  [ ]

  [
    1
    3
    7
  ]

nixarr.transmission.privateTrackers.cross-seed.stateDir

The location of the state directory for the cross-seed service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/cross-seed

Is not supported, because /home/user is owned by user.

Type: path

  "${nixarr.stateDir}/cross-seed"

  "/nixarr/.state/cross-seed"

nixarr.transmission.privateTrackers.disableDhtPex

Disable pex and dht, which is required for some private trackers.

You don’t want to enable this unless a private tracker requires you to, and some don’t. All torrents from private trackers are set as “private”, and this automatically disables dht and pex for that torrent, so it shouldn’t even be a necessary rule to have, but I don’t make their rules ¯\(ツ)/¯.

Type: boolean

  false

  true

nixarr.transmission.stateDir

The location of the state directory for the Transmission service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/transmission

Is not supported, because /home/user is owned by user.

Type: path

  "${nixarr.stateDir}/transmission"

  "/nixarr/.state/transmission"

nixarr.transmission.uiPort

Transmission web-UI port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  9091

  12345

nixarr.transmission.vpn.enable

Required options: nixarr.vpn.enable

Route Transmission traffic through the VPN.

Type: boolean

  false

  true

nixarr.vpn.enable

Required options: nixarr.vpn.wgConf

Whether or not to enable VPN support for the services that nixarr supports.

Type: boolean

  false

  true

nixarr.vpn.openTcpPorts

What TCP ports to allow traffic from. You might need this if you’re port forwarding on your VPN provider and you’re setting up services not covered in by this module that uses the VPN.

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  [ ]

  [
    46382
    38473
  ]

nixarr.vpn.openUdpPorts

What UDP ports to allow traffic from. You might need this if you’re port forwarding on your VPN provider and you’re setting up services not covered in by this module that uses the VPN.

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  [ ]

  [
    46382
    38473
  ]

nixarr.vpn.vpnTestService.enable

Whether to enable the vpn test service. Useful for testing DNS leaks or if the VPN port forwarding works correctly. .

Type: boolean

  false

  true

nixarr.vpn.vpnTestService.port

The port that netcat listens to on the vpn test service. If set to null, then netcat will not be started.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  null

  58403

nixarr.vpn.wgConf

The path to the wireguard configuration file.

Type: null or path

  null

  "/data/.secret/vpn/wg.conf"

util-nixarr.services.bazarr.enable

Whether to enable bazarr, a subtitle manager for Sonarr and Radarr.

Type: boolean

  false

  true

util-nixarr.services.bazarr.package

The bazarr package to use.

Type: package

  pkgs.bazarr

util-nixarr.services.bazarr.dataDir

State directory for bazarr

Type: path

  "/var/lib/bazarr"

util-nixarr.services.bazarr.group

Group under which bazarr runs.

Type: string

  "bazarr"

util-nixarr.services.bazarr.listenPort

Port on which the bazarr web interface should listen

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  6767

util-nixarr.services.bazarr.openFirewall

Open ports in the firewall for the bazarr web interface.

Type: boolean

  false

util-nixarr.services.bazarr.user

User account under which bazarr runs.

Type: string

  "bazarr"

util-nixarr.services.cross-seed.enable

Whether to enable cross-seed.

Type: boolean

  false

  true

util-nixarr.services.cross-seed.credentialsFile

Secret options to be merged into the cross-seed config

Type: path

  "/run/secrets/cross-seed/credentialsFile.json"

util-nixarr.services.cross-seed.dataDir

The cross-seed dataDir

Type: path

  "/var/lib/cross-seed"

util-nixarr.services.cross-seed.group

Group under which cross-seed runs.

Type: string

  "cross-seed"

util-nixarr.services.cross-seed.settings

Settings for cross-seed

Type: attribute set

  { }

  ''
    {
      delay = 10;
    }
  ''

util-nixarr.services.cross-seed.user

User account under which cross-seed runs.

Type: string

  "cross-seed"

util-nixarr.services.jellyseerr.enable

Whether to enable Jellyseerr.

Type: boolean

  false

  true

util-nixarr.services.jellyseerr.package

The jellyseerr package to use.

Type: package

  pkgs.jellyseerr

util-nixarr.services.jellyseerr.configDir

The directory where Jellyseerr stores its config data.

Type: string

  "/var/lib/jellyseerr"

util-nixarr.services.jellyseerr.group

Group under which Jellyseerr runs.

Type: string

  "jellyseerr"

util-nixarr.services.jellyseerr.openFirewall

Open ports in the firewall for the Jellyseerr web interface.

Type: boolean

  false

util-nixarr.services.jellyseerr.port

The port which the Jellyseerr web UI should listen to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  5055

util-nixarr.services.jellyseerr.user

User account under which Jellyseerr runs.

Type: string

  "jellyseerr"

util-nixarr.services.prowlarr.enable

Whether to enable Prowlarr.

Type: boolean

  false

  true

util-nixarr.services.prowlarr.package

The prowlarr package to use.

Type: package

  pkgs.prowlarr

util-nixarr.services.prowlarr.dataDir

The directory where Prowlarr stores its data files.

Type: string

  "/var/lib/prowlarr"

util-nixarr.services.prowlarr.group

Group under which Prowlarr runs.

Type: string

  "prowlarr"

util-nixarr.services.prowlarr.openFirewall

Open ports in the firewall for the Prowlarr web interface.

Type: boolean

  false

util-nixarr.services.prowlarr.user

User account under which Prowlarr runs.

Type: string

  "prowlarr"

util-nixarr.upnp.enable

Whether to enable Enable port forwarding using UPNP…

Type: boolean

  false

  true

util-nixarr.upnp.openTcpPorts

What TCP ports to open using UPNP.

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  [ ]

  [
    46382
    38473
  ]

util-nixarr.upnp.openUdpPorts

What UDP ports to open using UPNP.

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

  [ ]

  [
    46382
    38473
  ]