overseerr: init at 1.33.2

[caarlos0]

Description of changes

First time packaging a node app, based myself more or less on jellyseerr (which is a fork of overseerr).

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[h7x4]

Haven't looked to closely yet, but maybe there's something to take away from #232915?

Closes #135885

[h7x4]

What's going on here? Does it expect read and write config in libexec?

In that case, I think it would warrant patching the package. Packages are supposed to be usable outside of nixos as well, and I wouldn't really consider packages that requires bindmounts into the nix store to be in a working condition.

[caarlos0]

It's been a while and I don't remember it that well, but I think it does require writing to that dir, yes.

It seems like we can set a CONFIG_DIRECTORY environment variable... what's the recommended thing to do here? Ask the user where to put it?

[fsnkty]

lib.mdDoc is now just an alias and can be safely entirely removed here.
see d36f950 and #237557

[eclairevoyant]

@ofborg eval

[eclairevoyant]

In addition to the feedback below, please rebase into 2 commits, one which adds the package, and a second which adds the module.

Additionally for the second commit, would be good to have the following:

Added a release notes entry if adding a new NixOS module

[eclairevoyant]

On second reading, the previous feedback re: mdDoc and mkEnableOption may have been confusing - providing what I was looking for here.

stale review

[caarlos0]

I think all the points were addressed... I can rebase on master if you think it's good to go...

[caarlos0]

I think all the points were addressed... I can rebase on master if you think it's good to go...

[fsnkty]

I think all the points were addressed... I can rebase on master if you think it's good to go...

it won't be merged regardless if there's a merge conflict right? seems like it'd be a good idea to solve preemptively regardless

[caarlos0]

fair, done @nu-nu-ko

[jf-uu]

I ended up adding dataDir and user/group options in my local version of this - it'd be nice to see these supported:

--- /dev/fd/63	2024-09-09 21:03:59.746049505 +0100
+++ modules/services/misc/overseerr.nix	2024-09-09 21:03:58.179092709 +0100
@@ -18,21 +18,44 @@
       default = 5055;
       description = ''The port which the Overseerr web UI should listen to.'';
     };
+
+    dataDir = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/overseerr";
+      description = lib.mdDoc "The directory where Overseerr stores its data files.";
+    };
+
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = "overseerr";
+      description = lib.mdDoc "User account under which Overseerr runs.";
+    };
+
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = "overseerr";
+      description = lib.mdDoc "Group under which Overseerr runs.";
+    };
   };
 
   config = lib.mkIf cfg.enable {
+    systemd.tmpfiles.settings."10-overseerr".${cfg.dataDir}.d = {
+      inherit (cfg) user group;
+      mode = "0700";
+    };
+
     systemd.services.overseerr = {
       description = "Request management and media discovery tool for the Plex ecosystem";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
-      environment.PORT = toString cfg.port;
+      environment = {
+        CONFIG_DIRECTORY = cfg.dataDir;
+        PORT = toString cfg.port;
+      };
       serviceConfig = {
         Type = "exec";
-        StateDirectory = "overseerr";
         WorkingDirectory = "${cfg.package}/libexec/overseerr/deps/overseerr";
-        DynamicUser = true;
         ExecStart = lib.getExe cfg.package;
-        BindPaths = [ "/var/lib/overseerr/:${cfg.package}/libexec/overseerr/deps/overseerr/config/" ];
         Restart = "on-failure";
         ProtectHome = true;
         ProtectSystem = "strict";
@@ -49,11 +72,26 @@
         RestrictSUIDSGID = true;
         RemoveIPC = true;
         PrivateMounts = true;
+        ReadWritePaths = [ cfg.dataDir ];
+        User = cfg.user;
+        Group = cfg.group;
       };
     };
 
     networking.firewall = lib.mkIf cfg.openFirewall {
       allowedTCPPorts = [ cfg.port ];
     };
+
+    users.users = lib.mkIf (cfg.user == "overseerr") {
+      overseerr = {
+        group = cfg.group;
+        home = cfg.dataDir;
+        uid = config.ids.uids.overseerr;
+      };
+    };
+
+    users.groups = lib.mkIf (cfg.group == "overseerr") {
+      overseerr.gid = config.ids.gids.overseerr;
+    };
   };
 }