refactor: split module.nix into per-service modules

Replace the 1301-line monolithic module.nix with focused modules:
- modules/servarr.nix  (Sonarr/Radarr/Prowlarr)
- modules/bazarr.nix   (Bazarr provider connections)
- modules/jellyseerr.nix (Jellyseerr quality profiles)
- modules/default.nix  (import aggregator)

Python scripts (from prior commit) are referenced as standalone
files via PYTHONPATH, with config passed as a JSON file argument.

New options and behavioral changes:
- Add bindAddress option to all services (default 127.0.0.1)
- Change healthChecks default from false to true
- Replace hardcoded wg.service dependency with configurable
  networkNamespaceService option
- Add systemd hardening: PrivateTmp, NoNewPrivileges, ProtectHome,
  ProtectKernelTunables/Modules, ProtectControlGroups,
  RestrictSUIDSGID, SystemCallArchitectures=native

Test updates:
- Extract mock qBittorrent/SABnzbd servers into tests/lib/mocks.nix
- Add healthChecks=false to tests not exercising health checks
- Fix duplicate wait_for_unit calls in integration test

This commit is contained in:

Simon Gardling

2026-04-16 16:34:04 -04:00

parent b464a8cea2

commit f86a5f1b39

14 changed files with 942 additions and 1689 deletions

									
										1

tests/error-handling.nix
									
												View File
												
				@@ -26,6 +26,7 @@ pkgs.testers.runNixOSTest {

				      # The dataDir points to a non-existent config.xml

				      services.arrInit.sonarr = {

				        enable = true;

				        healthChecks = false;

				        serviceName = "sonarr";

				        dataDir = "/var/lib/nonexistent";

				        port = 8989;

refactor: split module.nix into per-service modules

1 tests/error-handling.nix Unescape Escape View File

1

tests/error-handling.nix

View File