Nixarr - Option Documentation

nixarr.enable

Whether or not to enable the nixarr module. Has the following features:

It is possible, but not recommended, to run the “*Arrs” behind a VPN, because it can cause rate limiting issues. Generally, you should use VPN on transmission and maybe jellyfin, depending on your setup.

The following services are supported:

Remember to read the options.

Type: boolean

Default: 
  false
Example: 
  true

nixarr.bazarr.enable

Whether or not to enable the Bazarr service.

Required options: nixarr.enable

Type: boolean

Default: 
  false
Example: 
  true

nixarr.bazarr.openFirewall

Open firewall for Bazarr

Type: boolean

Default: 
  !nixarr.bazarr.vpn.enable
Example: 
  true

nixarr.bazarr.stateDir

The location of the state directory for the Bazarr service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/bazarr

Is not supported, because /home/user is owned by user.

Type: path

Default: 
  "${nixarr.stateDir}/bazarr"
Example: 
  "/nixarr/.state/bazarr"

nixarr.bazarr.vpn.enable

Required options: nixarr.vpn.enable

Route Bazarr traffic through the VPN.

Type: boolean

Default: 
  false
Example: 
  true

nixarr.ddns.njalla.enable

Required options:

Whether or not to enable DDNS for a Njalla domain.

Type: boolean

Default: 
  false
Example: 
  true

nixarr.ddns.njalla.keysFile

A path to a JSON-file containing key value pairs of domains and keys.

To get the keys, create a dynamic njalla record. Upon creation you should see something like the following command suggested:

  curl "https://njal.la/update/?h=jellyfin.example.com&k=zeubesojOLgC2eJC&auto"

Then the JSON-file you pass here should contain:

  {
    "jellyfin.example.com": "zeubesojOLgC2eJC"
  }

You can, of course, add more key-value pairs than just one.

Type: null or path

Default: 
  null
Example: 
  "/data/.secret/njalla/keys-file.json"

nixarr.ddns.njalla.vpn.enable

Required options:

Whether or not to enable DDNS over VPN for a Njalla domain. Setting this will point to the public ip of your VPN. Useful if you’re running services over VPN and want a domain that points to the corresponding ip.

Note: You can enable both this and the regular njalla DDNS service.

Type: boolean

Default: 
  false
Example: 
  true

nixarr.ddns.njalla.vpn.keysFile

See nixarr.ddns.njalla.keysFile

Type: null or path

Default: 
  null
Example: 
  "/data/.secret/njalla/keys-file.json"

nixarr.jellyfin.enable

Whether or not to enable the Jellyfin service.

Required options: nixarr.enable

Type: boolean

Default: 
  false
Example: 
  true

nixarr.jellyfin.expose.https.enable

Required options:

Conflicting options: nixarr.jellyfin.vpn.enable

Expose the Jellyfin web service to the internet with https support, allowing anyone to access it.

Warning: Do not enable this without setting up Jellyfin authentication through localhost first!

Type: boolean

Default: 
  false
Example: 
  true

nixarr.jellyfin.expose.https.acmeMail

The ACME mail required for the letsencrypt bot.

Type: null or string

Default: 
  null
Example: 
  "mail@example.com"

nixarr.jellyfin.expose.https.domainName

The domain name to host Jellyfin on.

Type: null or string

Default: 
  null
Example: 
  "jellyfin.example.com"

nixarr.jellyfin.expose.https.upnp.enable

Whether to enable UPNP to try to open ports 80 and 443 on your router…

Type: boolean

Default: 
  false
Example: 
  true

nixarr.jellyfin.expose.vpn.enable

Required options:

Expose the Jellyfin web service to the internet, allowing anyone to access it.

Warning: Do not enable this without setting up Jellyfin authentication through localhost first!

Type: boolean

Default: 
  false
Example: 
  true

nixarr.jellyfin.expose.vpn.accessibleFrom

The IP or domain that Jellyfin should be able to be accessed from.

Type: null or string

Default: 
  null
Example: 
  "jellyfin.airvpn.org"

nixarr.jellyfin.expose.vpn.port

The port to access jellyfin on. Get this port from your VPN provider.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 
  null
Example: 
  12345

nixarr.jellyfin.openFirewall

Open firewall for Jellyfin

Type: boolean

Default: 
  !nixarr.jellyfin.vpn.enable
Example: 
  true

nixarr.jellyfin.stateDir

The location of the state directory for the Jellyfin service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/jellyfin

Is not supported, because /home/user is owned by user.

Type: path

Default: 
  "${nixarr.stateDir}/jellyfin"
Example: 
  "/nixarr/.state/jellyfin"

nixarr.jellyfin.vpn.enable

Required options: nixarr.vpn.enable

Conflicting options: nixarr.jellyfin.expose.https.enable

Route Jellyfin traffic through the VPN.

Type: boolean

Default: 
  false
Example: 
  true

nixarr.lidarr.enable

Whether or not to enable the Lidarr service.

Required options: nixarr.enable

Type: boolean

Default: 
  false
Example: 
  true

nixarr.lidarr.openFirewall

Open firewall for Lidarr

Type: boolean

Default: 
  !nixarr.lidarr.vpn.enable
Example: 
  true

nixarr.lidarr.stateDir

The location of the state directory for the Lidarr service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/lidarr

Is not supported, because /home/user is owned by user.

Type: path

Default: 
  "${nixarr.stateDir}/lidarr"
Example: 
  "/nixarr/.state/lidarr"

nixarr.lidarr.vpn.enable

Required options: nixarr.vpn.enable

Route Lidarr traffic through the VPN.

Type: boolean

Default: 
  false
Example: 
  true

nixarr.mediaDir

The location of the media directory for the services.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  mediaDir = /home/user/nixarr

Is not supported, because /home/user is owned by user.

Type: path

Default: 
  "/data/media"
Example: 
  "/nixarr"

nixarr.mediaUsers

Extra users to add to the media group.

Type: list of string

Default: 
  [ ]
Example: 
  [
    "user"
  ]

nixarr.openssh.expose.vpn.enable

Required options:

Run the openssh service through a vpn, exposing it to the internet.

Warning: This lets anyone on the internet connect through SSH, make sure the SSH configuration is secure! Disallowing password authentication and only allowing SSH-keys is considered secure.

Note: This option does not enable the SSHD service you still need to setup sshd in your nixos configuration, fx:

  services.openssh = {
    enable = true;
    settings.PasswordAuthentication = false;
    # Get this port from your VPN provider
    ports [ 12345 ];
  };

  users.extraUsers.username.openssh.authorizedKeys.keyFiles = [
    ./path/to/public/key/machine.pub
  ];

Then replace username with your username and the keyFiles path to a ssh public key file from the machine that you want to have access. Don’t use password authentication as it is insecure!

Type: boolean

Default: 
  false
Example: 
  true

nixarr.prowlarr.enable

Whether or not to enable the Prowlarr service.

Required options: nixarr.enable

Type: boolean

Default: 
  false
Example: 
  true

nixarr.prowlarr.openFirewall

Open firewall for Prowlarr

Type: boolean

Default: 
  !nixarr.prowlarr.vpn.enable
Example: 
  true

nixarr.prowlarr.stateDir

The location of the state directory for the Prowlarr service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/prowlarr

Is not supported, because /home/user is owned by user.

Type: path

Default: 
  "${nixarr.stateDir}/prowlarr"
Example: 
  "/nixarr/.state/prowlarr"

nixarr.prowlarr.vpn.enable

Required options: nixarr.vpn.enable

Route Prowlarr traffic through the VPN.

Type: boolean

Default: 
  false
Example: 
  true

nixarr.radarr.enable

Whether or not to enable the Radarr service.

Required options: nixarr.enable

Type: boolean

Default: 
  false
Example: 
  true

nixarr.radarr.openFirewall

Open firewall for Radarr

Type: boolean

Default: 
  !nixarr.radarr.vpn.enable
Example: 
  true

nixarr.radarr.stateDir

The location of the state directory for the Radarr service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/radarr

Is not supported, because /home/user is owned by user.

Type: path

Default: 
  "${nixarr.stateDir}/radarr"
Example: 
  "/nixarr/.state/radarr"

nixarr.radarr.vpn.enable

Required options: nixarr.vpn.enable

Route Radarr traffic through the VPN.

Type: boolean

Default: 
  false
Example: 
  true

nixarr.readarr.enable

Whether or not to enable the Readarr service.

Required options: nixarr.enable

Type: boolean

Default: 
  false
Example: 
  true

nixarr.readarr.openFirewall

Open firewall for Readarr

Type: boolean

Default: 
  !nixarr.readarr.vpn.enable
Example: 
  true

nixarr.readarr.stateDir

The location of the state directory for the Readarr service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/readarr

Is not supported, because /home/user is owned by user.

Type: path

Default: 
  "${nixarr.stateDir}/readarr"
Example: 
  "/nixarr/.state/readarr"

nixarr.readarr.vpn.enable

Required options: nixarr.vpn.enable

Route Readarr traffic through the VPN.

Type: boolean

Default: 
  false
Example: 
  true

nixarr.sabnzbd.enable

Whether to enable Enable the SABnzbd service…

Type: boolean

Default: 
  false
Example: 
  true

nixarr.sabnzbd.guiPort

The port that SABnzbd’s GUI will listen on for incomming connections.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 
  8080
Example: 
  9999

nixarr.sabnzbd.openFirewall

Open firewall for SABnzbd

Type: boolean

Default: 
  !nixarr.sabnzbd.vpn.enable
Example: 
  true

nixarr.sabnzbd.stateDir

The location of the state directory for the SABnzbd service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/sabnzbd

Is not supported, because /home/user is owned by user.

Type: path

Default: 
  "${nixarr.stateDir}/sabnzbd"
Example: 
  "/nixarr/.state/sabnzbd"

nixarr.sabnzbd.vpn.enable

Required options: nixarr.vpn.enable

Route SABnzbd traffic through the VPN.

Type: boolean

Default: 
  false
Example: 
  true

nixarr.sabnzbd.whitelistHostnames

A list that specifies what URLs that are allowed to represent your SABnzbd instance.

Note: If you see an error message like this when trying to connect to SABnzbd from another device:

  Refused connection with hostname "your.hostname.com"

Then you should add your hostname (“hostname.com” above) to this list.

SABnzbd only allows connections matching these URLs in order to prevent DNS hijacking. See https://sabnzbd.org/wiki/extra/hostname-check.html for more info.

Type: list of string

Default: 
  [ config.networking.hostName ]
Example: 
  [ "mediaserv" "media.example.com" ]

nixarr.sabnzbd.whitelistRanges

A list of IP ranges that will be allowed to connect to SABnzbd’s web GUI. This only needs to be set if SABnzbd needs to be accessed from another machine besides its host.

Type: list of string

Default: 
  [ ]
Example: 
  "[ \"192.168.1.0/24\" \"10.0.0.0/23\" ]"

nixarr.sonarr.enable

Whether or not to enable the Sonarr service.

Required options: nixarr.enable

Type: boolean

Default: 
  false
Example: 
  true

nixarr.sonarr.openFirewall

Open firewall for Sonarr

Type: boolean

Default: 
  !nixarr.sonarr.vpn.enable
Example: 
  true

nixarr.sonarr.stateDir

The location of the state directory for the Sonarr service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/sonarr

Is not supported, because /home/user is owned by user.

Type: path

Default: 
  "${nixarr.stateDir}/sonarr"
Example: 
  "/nixarr/.state/sonarr"

nixarr.sonarr.vpn.enable

Required options: nixarr.vpn.enable

Route Sonarr traffic through the VPN.

Type: boolean

Default: 
  false
Example: 
  true

nixarr.stateDir

The location of the state directory for the services.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state

Is not supported, because /home/user is owned by user.

Type: path

Default: 
  "/data/.state/nixarr"
Example: 
  "/nixarr/.state"

nixarr.transmission.enable

Whether or not to enable the Transmission service.

Required options: nixarr.enable

Type: boolean

Default: 
  false
Example: 
  true

nixarr.transmission.credentialsFile

Path to a JSON file to be merged with the settings. Useful to merge a file which is better kept out of the Nix store to set secret config parameters like rpc-password.

Type: path

Default: 
  "/dev/null"
Example: 
  "/var/lib/secrets/transmission/settings.json"

nixarr.transmission.extraAllowedIps

Extra IP addresses allowed to access the Transmission RPC. By default 192.168.* and 127.0.0.1 (localhost) are allowed, but if your local network has a weird ip for some reason, you can add it here.

Type: list of string

Default: 
  [ ]
Example: 
  [
    "10.19.5.10"
  ]

nixarr.transmission.extraSettings

Extra config settings for the Transmission service.

See the services.transmission.settings nixos options in the relevant section of the configuration.nix manual or on search.nixos.org.

Type: attribute set

Default: 
  { }
Example: 
  {
    trash-original-torrent-files = true;
  }

nixarr.transmission.flood.enable

Whether to enable the flood web-UI for the transmission web-UI…

Type: boolean

Default: 
  false
Example: 
  true

nixarr.transmission.messageLevel

Sets the message level of transmission.

Type: one of “none”, “critical”, “error”, “warn”, “info”, “debug”, “trace”

Default: 
  "warn"
Example: 
  "debug"

nixarr.transmission.openFirewall

Open firewall for peer-port and rpc-port.

Type: boolean

Default: 
  !nixarr.transmission.vpn.enable
Example: 
  true

nixarr.transmission.peerPort

Transmission peer traffic port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 
  50000
Example: 
  12345

nixarr.transmission.privateTrackers.cross-seed.enable

Required options: nixarr.prowlarr.enable

Whether or not to enable the cross-seed service.

Type: boolean

Default: 
  false
Example: 
  true

nixarr.transmission.privateTrackers.cross-seed.extraSettings

Extra settings for the cross-seed service, see the cross-seed options documentation

Type: attribute set

Default: 
  { }
Example: 
  {
    delay = 20;
    port = 3000;
  }

nixarr.transmission.privateTrackers.cross-seed.indexIds

List of indexer-ids, from prowlarr. These are from the RSS links for the indexers, located by the “radio” or “RSS” logo on the right of the indexer, you’ll see the links have the form:

http://localhost:9696/1/api?apikey=aaaaaaaaaaaaa

Then the id needed here is the 1.

Type: list of signed integer

Default: 
  [ ]
Example: 
  [
    1
    3
    7
  ]

nixarr.transmission.privateTrackers.cross-seed.stateDir

The location of the state directory for the cross-seed service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/cross-seed

Is not supported, because /home/user is owned by user.

Type: path

Default: 
  "${nixarr.stateDir}/cross-seed"
Example: 
  "/nixarr/.state/cross-seed"

nixarr.transmission.privateTrackers.disableDhtPex

Disable pex and dht, which is required for some private trackers.

You don’t want to enable this unless a private tracker requires you to, and some don’t. All torrents from private trackers are set as “private”, and this automatically disables dht and pex for that torrent, so it shouldn’t even be a necessary rule to have, but I don’t make their rules ¯\(ツ)/¯.

Type: boolean

Default: 
  false
Example: 
  true

nixarr.transmission.stateDir

The location of the state directory for the Transmission service.

Warning: Setting this to any path, where the subpath is not owned by root, will fail! For example:

  stateDir = /home/user/nixarr/.state/transmission

Is not supported, because /home/user is owned by user.

Type: path

Default: 
  "${nixarr.stateDir}/transmission"
Example: 
  "/nixarr/.state/transmission"

nixarr.transmission.uiPort

Transmission web-UI port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 
  9091
Example: 
  12345

nixarr.transmission.vpn.enable

Required options: nixarr.vpn.enable

Route Transmission traffic through the VPN.

Type: boolean

Default: 
  false
Example: 
  true

nixarr.vpn.enable

Required options: nixarr.vpn.wgConf

Whether or not to enable VPN support for the services that nixarr supports.

Type: boolean

Default: 
  false
Example: 
  true

nixarr.vpn.openTcpPorts

What TCP ports to allow traffic from. You might need this if you’re port forwarding on your VPN provider and you’re setting up services not covered in by this module that uses the VPN.

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 
  [ ]
Example: 
  [
    46382
    38473
  ]

nixarr.vpn.openUdpPorts

What UDP ports to allow traffic from. You might need this if you’re port forwarding on your VPN provider and you’re setting up services not covered in by this module that uses the VPN.

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 
  [ ]
Example: 
  [
    46382
    38473
  ]

nixarr.vpn.vpnTestService.enable

Whether to enable the vpn test service. Useful for testing DNS leaks or if the VPN port forwarding works correctly. .

Type: boolean

Default: 
  false
Example: 
  true

nixarr.vpn.vpnTestService.port

The port that netcat listens to on the vpn test service. If set to null, then netcat will not be started.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 
  null
Example: 
  58403

nixarr.vpn.wgConf

The path to the wireguard configuration file.

Type: null or path

Default: 
  null
Example: 
  "/data/.secret/vpn/wg.conf"