refactor: split module.nix into per-service modules

Replace the 1301-line monolithic module.nix with focused modules:
- modules/servarr.nix  (Sonarr/Radarr/Prowlarr)
- modules/bazarr.nix   (Bazarr provider connections)
- modules/jellyseerr.nix (Jellyseerr quality profiles)
- modules/default.nix  (import aggregator)

Python scripts (from prior commit) are referenced as standalone
files via PYTHONPATH, with config passed as a JSON file argument.

New options and behavioral changes:
- Add bindAddress option to all services (default 127.0.0.1)
- Change healthChecks default from false to true
- Replace hardcoded wg.service dependency with configurable
  networkNamespaceService option
- Add systemd hardening: PrivateTmp, NoNewPrivileges, ProtectHome,
  ProtectKernelTunables/Modules, ProtectControlGroups,
  RestrictSUIDSGID, SystemCallArchitectures=native

Test updates:
- Extract mock qBittorrent/SABnzbd servers into tests/lib/mocks.nix
- Add healthChecks=false to tests not exercising health checks
- Fix duplicate wait_for_unit calls in integration test

This commit is contained in:

Simon Gardling

2026-04-16 16:34:04 -04:00

parent b464a8cea2

commit f86a5f1b39

14 changed files with 942 additions and 1689 deletions

									
										8

modules/default.nix
									
										Normal file
									
												View File
												
				@@ -0,0 +1,8 @@

				{ ... }:

				{

				  imports = [

				    ./servarr.nix

				    ./bazarr.nix

				    ./jellyseerr.nix

				  ];

				}

refactor: split module.nix into per-service modules

8 modules/default.nix Normal file Unescape Escape View File

8

modules/default.nix Normal file

View File