refactor: split module.nix into per-service modules

Replace the 1301-line monolithic module.nix with focused modules:
- modules/servarr.nix (Sonarr/Radarr/Prowlarr)
- modules/bazarr.nix (Bazarr provider connections)
- modules/jellyseerr.nix (Jellyseerr quality profiles)
- modules/default.nix (import aggregator)

Python scripts (from prior commit) are referenced as standalone
files via PYTHONPATH, with config passed as a JSON file argument.

New options:
- Add bindAddress option to all services (default 127.0.0.1)
- Replace hardcoded wg.service dependency with configurable
  networkNamespaceService option
- Add systemd hardening: PrivateTmp, NoNewPrivileges, ProtectHome,
  ProtectKernelTunables/Modules, ProtectControlGroups,
  RestrictSUIDSGID, SystemCallArchitectures=native

Test updates:
- Extract mock qBittorrent/SABnzbd servers into tests/lib/mocks.nix
- Fix duplicate wait_for_unit calls in integration test