refactor: split module.nix into per-service modules

Replace the 1301-line monolithic module.nix with focused modules: - modules/servarr.nix (Sonarr/Radarr/Prowlarr) - modules/bazarr.nix (Bazarr provider connections) - modules/jellyseerr.nix (Jellyseerr quality profiles) - modules/default.nix (import aggregator) Python scripts (from prior commit) are referenced as standalone files via PYTHONPATH, with config passed as a JSON file argument. New options and behavioral changes: - Add bindAddress option to all services (default 127.0.0.1) - Change healthChecks default from false to true - Replace hardcoded wg.service dependency with configurable networkNamespaceService option - Add systemd hardening: PrivateTmp, NoNewPrivileges, ProtectHome, ProtectKernelTunables/Modules, ProtectControlGroups, RestrictSUIDSGID, SystemCallArchitectures=native Test updates: - Extract mock qBittorrent/SABnzbd servers into tests/lib/mocks.nix - Add healthChecks=false to tests not exercising health checks - Fix duplicate wait_for_unit calls in integration test
2026-04-16 16:34:04 -04:00
parent b464a8cea2
commit f86a5f1b39
14 changed files with 942 additions and 1689 deletions
--- a/tests/partial-config.nix
+++ b/tests/partial-config.nix
@@ -9,6 +9,9 @@ pkgs.testers.runNixOSTest {

  nodes.machine =
    { pkgs, lib, ... }:
+    let
+      mocks = import ./lib/mocks.nix { inherit pkgs; };
+    in
    {
      imports = [ self.nixosModules.default ];

@@ -22,71 +25,7 @@ pkgs.testers.runNixOSTest {
        gnugrep
      ];

-      systemd.services.mock-qbittorrent =
-        let
-          mockQbitScript = pkgs.writeScript "mock-qbittorrent.py" ''
-            import json
-            from http.server import HTTPServer, BaseHTTPRequestHandler
-            from urllib.parse import parse_qs, urlparse
-
-
-            CATEGORIES = {}
-
-
-            class QBitMock(BaseHTTPRequestHandler):
-                def _respond(self, code=200, body=b"Ok.", content_type="text/plain"):
-                    self.send_response(code)
-                    self.send_header("Content-Type", content_type)
-                    self.send_header("Set-Cookie", "SID=mock_session_id; Path=/")
-                    self.end_headers()
-                    self.wfile.write(body if isinstance(body, bytes) else body.encode())
-
-                def do_GET(self):
-                    path = self.path.split("?")[0]
-                    if path == "/api/v2/app/webapiVersion":
-                        self._respond(body=b"2.9.3")
-                    elif path == "/api/v2/app/version":
-                        self._respond(body=b"v5.0.0")
-                    elif path == "/api/v2/torrents/info":
-                        self._respond(body=b"[]", content_type="application/json")
-                    elif path == "/api/v2/torrents/categories":
-                        body = json.dumps(CATEGORIES).encode()
-                        self._respond(body=body, content_type="application/json")
-                    elif path == "/api/v2/app/preferences":
-                        body = json.dumps({"save_path": "/tmp"}).encode()
-                        self._respond(body=body, content_type="application/json")
-                    else:
-                        self._respond()
-
-                def do_POST(self):
-                    content_length = int(self.headers.get("Content-Length", 0))
-                    body = self.rfile.read(content_length).decode()
-                    path = urlparse(self.path).path
-                    query = parse_qs(urlparse(self.path).query)
-                    form = parse_qs(body)
-                    params = {**query, **form}
-                    if path == "/api/v2/torrents/createCategory":
-                        name = params.get("category", [""])[0]
-                        save_path = params.get("savePath", params.get("save_path", [""]))[0] or "/downloads"
-                        if name:
-                            CATEGORIES[name] = {"name": name, "savePath": save_path}
-                    self._respond()
-
-                def log_message(self, format, *args):
-                    pass
-
-
-            HTTPServer(("0.0.0.0", 6011), QBitMock).serve_forever()
-          '';
-        in
-        {
-          description = "Mock qBittorrent API";
-          wantedBy = [ "multi-user.target" ];
-          serviceConfig = {
-            ExecStart = "${pkgs.python3}/bin/python3 ${mockQbitScript}";
-            Type = "simple";
-          };
-        };
+      systemd.services.mock-qbittorrent = mocks.mkMockQbittorrent { };

      systemd.tmpfiles.rules = [
        "d /media/tv 0755 sonarr sonarr -"
@@ -111,6 +50,7 @@ pkgs.testers.runNixOSTest {
      # Test 1: Only rootFolders (no downloadClients)
      services.arrInit.sonarr = {
        enable = true;
+        healthChecks = false;
        serviceName = "sonarr";
        dataDir = "/var/lib/sonarr/.config/NzbDrone";
        port = 8989;
@@ -122,6 +62,7 @@ pkgs.testers.runNixOSTest {
      # Test 2: Only downloadClients (no rootFolders)
      services.arrInit.radarr = {
        enable = true;
+        healthChecks = false;
        serviceName = "radarr";
        dataDir = "/var/lib/radarr/.config/Radarr";
        port = 7878;
@@ -146,6 +87,7 @@ pkgs.testers.runNixOSTest {
      # Test 3: Only syncedApps (Prowlarr)
      services.arrInit.prowlarr = {
        enable = true;
+        healthChecks = false;
        serviceName = "prowlarr";
        dataDir = "/var/lib/prowlarr";
        port = 9696;