overseerr: init at 1.33.2 #278526

Open
wants to merge 2 commits into
base: master
35 changes: 23 additions & 12 deletions nixos/doc/manual/release-notes/rl-2405.section.md
Expand Up @@ -19,8 +19,9 @@ In addition to numerous new and upgraded packages, this release has the followin
- The default kernel package has been updated from 6.1 to 6.6. All supported kernels remain available.

- NixOS now installs a stub ELF loader that prints an informative error message when users attempt to run binaries not made for NixOS.
- This can be disabled through the `environment.stub-ld.enable` option.
- If you use `programs.nix-ld.enable`, no changes are needed. The stub will be disabled automatically.

- This can be disabled through the `environment.stub-ld.enable` option.
- If you use `programs.nix-ld.enable`, no changes are needed. The stub will be disabled automatically.

- On flake-based NixOS configurations using `nixpkgs.lib.nixosSystem`, NixOS will automatically set `NIX_PATH` and the system-wide flake registry (`/etc/nix/registry.json`) to point `<nixpkgs>` and the unqualified flake path `nixpkgs` to the version of nixpkgs used to build the system.
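Review bot: The changes to the two sub-bullets under the stub ELF loader item, and the blank line added before them, are formatting-only and unrelated to adding Overseerr. The file header reports 23 additions and 12 deletions for what should be a single new release-note line, which suggests a Markdown formatter ran over the whole file. Please revert the formatting-only changes so the diff in this file touches only the new entry.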

Expand All @@ -33,9 +34,9 @@ In addition to numerous new and upgraded packages, this release has the followin
- Julia environments can now be built with arbitrary packages from the ecosystem using the `.withPackages` function. For example: `julia.withPackages ["Plots"]`.

- The PipeWire and WirePlumber modules have removed support for using
`environment.etc."pipewire/..."` and `environment.etc."wireplumber/..."`.
Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for PipeWire and
`services.pipewire.wireplumber.configPackages` for WirePlumber instead."
`environment.etc."pipewire/..."` and `environment.etc."wireplumber/..."`.
Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for PipeWire and
`services.pipewire.wireplumber.configPackages` for WirePlumber instead."

- `teleport` has been upgraded from major version 14 to major version 15.
Refer to upstream [upgrade instructions](https://goteleport.com/docs/management/operations/upgrading/)
Expand Down Expand Up @@ -63,6 +64,7 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi
without perl). Previously, the NixOS activation depended on two perl scripts
which can now be replaced via an opt-in mechanism. To make your system
perlless, you can use the new perlless profile:

```nix
{ modulesPath, ... }: {
imports = [ "${modulesPath}/profiles/perlless.nix" ];
Expand Down Expand Up @@ -127,7 +129,7 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi
- [db-rest](https://github.com/derhuerst/db-rest), a wrapper around Deutsche Bahn's internal API for public transport data. Available as [services.db-rest](#opt-services.db-rest.enable).

- [Anki Sync Server](https://docs.ankiweb.net/sync-server.html), the official sync server built into recent versions of Anki. Available as [services.anki-sync-server](#opt-services.anki-sync-server.enable).
The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been marked deprecated and will be dropped after 24.05 due to lack of maintenance of the anki-sync-server softwares.
The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been marked deprecated and will be dropped after 24.05 due to lack of maintenance of the anki-sync-server softwares.

- [mautrix-meta](https://github.com/mautrix/meta), a Matrix <-> Facebook and Matrix <-> Instagram hybrid puppeting/relaybot bridge. Available as services.mautrix-meta

Expand Down Expand Up @@ -193,6 +195,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m

- [prometheus-nats-exporter](https://github.com/nats-io/prometheus-nats-exporter), a Prometheus exporter for NATS. Available as [services.prometheus.exporters.nats](#opt-services.prometheus.exporters.nats.enable).

- [Overseerr](https://overseerr.dev), a request management and media discovery tool for the Plex ecosystem. Available as [services.overseerr](#opt-services.overseerr.enable).

## Backward Incompatibilities {#sec-release-24.05-incompatibilities}

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
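Review bot: The Overseerr entry is appended as the very last item of the list, directly above the `## Backward Incompatibilities` heading, which is the position where concurrent release-note additions are most likely to conflict. Move it to an arbitrary place inside the list, as the comment under the next heading asks for that section.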
Expand Down Expand Up @@ -253,7 +257,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
This was done so that secrets aren't stored in the world-readable nix store.
To migrate, you will have create a file with the same exact string, and change
your module options to point to that file. For example, `services.aria2.rpcSecret =
"mysecret"` becomes `services.aria2.rpcSecretFile = "/path/to/secret_file"`
"mysecret"` becomes `services.aria2.rpcSecretFile = "/path/to/secret_file"`
where the file `secret_file` contains the string `mysecret`.

- `openssh`, `openssh_hpn` and `openssh_gssapi` are now compiled without support for the DSA signature algorithm as it is being deprecated upstream. Users still relying on DSA keys should consider upgrading
Expand Down Expand Up @@ -284,10 +288,12 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
(azure-cli.withExtensions [ azure-cli.extensions.aks-preview ]);
];
```

To make the `azure-cli` immutable and prevent clashes in case `azure-cli` is also installed via other package managers, some configuration files were moved into the derivation.
This can be disabled by overriding `withImmutableConfig = false` when building `azure-cli`.

- `services.frp.settings` now generates the frp configuration file in TOML format as [recommended by upstream](https://github.com/fatedier/frp#configuration-files), instead of the legacy INI format. This has also introduced other changes in the configuration file structure and options.

- The `settings.common` section in the configuration is no longer valid and all the options form inside it now goes directly under `settings`.
- The `_` separating words in the configuration options is removed so the options are now in camel case. For example: `server_addr` becomes `serverAddr`, `server_port` becomes `serverPort` etc.
- Proxies are now defined with a new option `settings.proxies` which takes a list of proxies.
Expand Down Expand Up @@ -324,6 +330,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
- The `kanata` package has been updated to v1.5.0, which includes [breaking changes](https://github.com/jtroo/kanata/releases/tag/v1.5.0).

- The `craftos-pc` package has been updated to v2.8, which includes [breaking changes](https://github.com/MCJack123/craftos2/releases/tag/v2.8).

- Files are now handled in binary mode; this could break programs with embedded UTF-8 characters.
- The ROM was updated to match ComputerCraft version v1.109.2.
- The bundled Lua was updated to Lua v5.2, which includes breaking changes. See the [Lua manual](https://www.lua.org/manual/5.2/manual.html#8) for more information.
Expand All @@ -332,6 +339,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
- The `gtest` package has been updated past v1.13.0, which requires C++14 or higher.

- The latest available version of Nextcloud is v28 (available as `pkgs.nextcloud28`). The installation logic is as follows:

- If [`services.nextcloud.package`](#opt-services.nextcloud.package) is specified explicitly, this package will be installed (**recommended**)
- If [`system.stateVersion`](#opt-system.stateVersion) is >=24.05, `pkgs.nextcloud28` will be installed by default.
- If [`system.stateVersion`](#opt-system.stateVersion) is >=23.11, `pkgs.nextcloud27` will be installed by default.
Expand Down Expand Up @@ -385,8 +393,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
Configurations with `system.stateVersion` 23.11 or earlier, default to the old stateDirectory until the 24.11 release and must either set the option explicitly or move the data to the new directory.

- `xfsprogs` was updated to version 6.6.0, which enables reverse mapping (rmapbt) and large extent counts (nrext64) by default.
Support for these features was added in kernel 4.9 and 5.19 and nrext64 was deemed stable in kernel 6.5.
Format your filesystems with `mkfs.xfs -i nrext64=0`, if they need to be readable by GRUB2 before 2.12 or kernels older than 5.19.
Support for these features was added in kernel 4.9 and 5.19 and nrext64 was deemed stable in kernel 6.5.
Format your filesystems with `mkfs.xfs -i nrext64=0`, if they need to be readable by GRUB2 before 2.12 or kernels older than 5.19.

- `networking.iproute2.enable` now does not set `environment.etc."iproute2/rt_tables".text`.

Expand Down Expand Up @@ -455,7 +463,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
This has the further implication that the `livebook` service configuration has changed:

- The `erlang_node_short_name`, `erlang_node_name`, `port` and `options` configuration parameters are gone, and have been replaced with an `environment` parameter.
Use the appropriate [environment variables](https://hexdocs.pm/livebook/readme.html#environment-variables) inside `environment` to configure the service instead.
Use the appropriate [environment variables](https://hexdocs.pm/livebook/readme.html#environment-variables) inside `environment` to configure the service instead.

- `akkoma` now requires explicitly setting the base URL for uploaded media (`settings."Pleroma.Upload".base_url`), as well as for the media proxy if enabled (`settings."Media"`).
This is recommended to be a separate (sub)domain to the one Akkoma is hosted at.
Expand All @@ -475,6 +483,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
- Cinnamon has been updated to 6.0. Please beware that the [Wayland session](https://blog.linuxmint.com/?p=4591) is still experimental in this release and could potentially [affect Xorg sessions](https://blog.linuxmint.com/?p=4639). We suggest a reboot when switching between sessions.

- MATE has been updated to 1.28.

- To properly support panel plugins built with Wayland (in-process) support, we are introducing `services.xserver.desktopManager.mate.extraPanelApplets` option, please use that for installing panel applets.
- Similarly, please use `services.xserver.desktopManager.mate.extraCajaExtensions` option for installing Caja extensions.
- To use the Wayland session, enable `services.xserver.desktopManager.mate.enableWaylandSession`. This is opt-in for now as it is in early stage and introduces a new set of Wayfire closure. Due to [known issues with LightDM](https://github.com/canonical/lightdm/issues/63), we suggest using SDDM for display manager.
Expand All @@ -486,7 +495,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
- `boot.loader.systemd-boot` will now verify that `efiSysMountPoint` (and `xbootldrMountPoint` if configured) are mounted partitions.

- `services.postgresql.extraPlugins` changed its type from just a list of packages to also a function that returns such a list.
For example a config line like ``services.postgresql.extraPlugins = with pkgs.postgresql_11.pkgs; [ postgis ];`` is recommended to be changed to ``services.postgresql.extraPlugins = ps: with ps; [ postgis ];``;
For example a config line like `services.postgresql.extraPlugins = with pkgs.postgresql_11.pkgs; [ postgis ];` is recommended to be changed to `services.postgresql.extraPlugins = ps: with ps; [ postgis ];`;

- The Matrix homeserver [Synapse](https://element-hq.github.io/synapse/) module now supports configuring UNIX domain socket [listeners](#opt-services.matrix-synapse.settings.listeners) through the `path` option.
The default replication worker on the main instance has been migrated away from TCP sockets to UNIX domain sockets.
Expand Down Expand Up @@ -516,6 +525,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
- The EC2 image module now enables the [Amazon SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html) by default.

- The following options of the Nextcloud module were moved into [`services.nextcloud.settings`](#opt-services.nextcloud.settings) and renamed to match the name from Nextcloud's `config.php`:

- `logLevel` -> [`loglevel`](#opt-services.nextcloud.settings.loglevel),
- `logType` -> [`log_type`](#opt-services.nextcloud.settings.log_type),
- `defaultPhoneRegion` -> [`default_phone_region`](#opt-services.nextcloud.settings.default_phone_region),
Expand Down Expand Up @@ -567,7 +577,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
- The source of the `mockgen` package has changed to the [go.uber.org/mock](https://github.com/uber-go/mock) fork because [the original repository is no longer maintained](https://github.com/golang/mock#gomock).

- `security.pam.enableSSHAgentAuth` was renamed to `security.pam.sshAgentAuth.enable` and an `authorizedKeysFiles`
option was added, to control which `authorized_keys` files are trusted. It defaults to the previous behaviour,
option was added, to control which `authorized_keys` files are trusted. It defaults to the previous behaviour,
**which is insecure**: see [#31611](https://github.com/NixOS/nixpkgs/issues/31611).

- [](#opt-boot.kernel.sysctl._net.core.wmem_max_) changed from a string to an integer because of the addition of a custom merge option (taking the highest value defined to avoid conflicts between 2 services trying to set that value), just as [](#opt-boot.kernel.sysctl._net.core.rmem_max_) since 22.11.
Expand All @@ -593,6 +603,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
- `services.soju` now has a wrapper for the `sojuctl` command, pointed at the service config file. It also has the new option `adminSocket.enable`, which creates a unix admin socket at `/run/soju/admin`.

- Gitea 1.21 upgrade has several breaking changes, including:

- Custom themes and other assets that were previously stored in `custom/public/*` now belong in `custom/public/assets/*`
- New instances of Gitea using MySQL now ignore the `[database].CHARSET` config option and always use the `utf8mb4` charset, existing instances should migrate via the `gitea doctor convert` CLI command.

1 change: 1 addition & 0 deletions nixos/modules/module-list.nix
Expand Up @@ -766,6 +766,7 @@
./services/misc/persistent-evdev.nix
./services/misc/pinnwand.nix
./services/misc/plex.nix
./services/misc/overseerr.nix
./services/misc/plikd.nix
./services/misc/podgrab.nix
./services/misc/polaris.nix
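Review bot: `./services/misc/overseerr.nix` is inserted between `plex.nix` and `plikd.nix`, which breaks the alphabetical order the surrounding entries follow (`persistent-evdev`, `pinnwand`, `plex`, `plikd`, `podgrab`, `polaris`). Move it up so it sits with the entries starting with `o`.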
59 changes: 59 additions & 0 deletions nixos/modules/services/misc/overseerr.nix
@@ -0,0 +1,59 @@
{ config, pkgs, lib, ... }:

let
cfg = config.services.overseerr;
in
{
meta.maintainers = [ lib.maintainers.caarlos0 ];

options.services.overseerr = {
enable = lib.mkEnableOption "Overseerr, a request management and media discovery tool for the Plex ecosystem";

package = lib.mkPackageOption pkgs "overseerr" { };

openFirewall = lib.mkEnableOption "opening a port in the firewall for the Overseerr web interface";

port = lib.mkOption {
type = lib.types.port;
default = 5055;
description = ''The port which the Overseerr web UI should listen to.'';
};
};

config = lib.mkIf cfg.enable {
systemd.services.overseerr = {
description = "Request management and media discovery tool for the Plex ecosystem";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment.PORT = toString cfg.port;
serviceConfig = {
Type = "exec";
StateDirectory = "overseerr";
WorkingDirectory = "${cfg.package}/libexec/overseerr/deps/overseerr";
DynamicUser = true;
ExecStart = lib.getExe cfg.package;
BindPaths = [ "/var/lib/overseerr/:${cfg.package}/libexec/overseerr/deps/overseerr/config/" ];
Restart = "on-failure";
ProtectHome = true;
ProtectSystem = "strict";
PrivateTmp = true;
PrivateDevices = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
NoNewPrivileges = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
};
};

networking.firewall = lib.mkIf cfg.openFirewall {
allowedTCPPorts = [ cfg.port ];
};
};
}
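Review bot: `serviceConfig` hardens filesystem and kernel interfaces but leaves the network and syscall surface of this network-facing Node service unrestricted. Consider adding `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]`, `RestrictNamespaces = true`, `LockPersonality = true`, `SystemCallArchitectures = "native"` and, provided `port` stays above 1023, `CapabilityBoundingSet = ""`. Separately, `BindPaths` mounts `/var/lib/overseerr/` onto `config/` inside the package's store path, while `buildPhase` in package.nix runs `rm -rf config/`; please confirm the mount target exists when the unit starts. In the `port` description, "listen to" should read "listen on".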
78 changes: 78 additions & 0 deletions pkgs/by-name/ov/overseerr/package.nix
@@ -0,0 +1,78 @@
{ lib
, mkYarnPackage
, fetchFromGitHub
, fetchYarnDeps
, nodejs
, python3
, makeWrapper
}:

mkYarnPackage rec {
pname = "overseerr";
version = "1.33.2";

src = fetchFromGitHub {
owner = "sct";
repo = "overseerr";
rev = "v${version}";
hash = "sha256-xDzWyU4f56+0Tpk87LpH6zXtxmRxVMCKySCY6WD5go0=";
};


offlineCache = fetchYarnDeps {
yarnLock = "${src}/yarn.lock";
hash = "sha256-SZwhC6djgU5qshtDhQnkz/INeklp/c+BKjn7ao0r5IE=";
};

env = {
CYPRESS_INSTALL_BINARY = 0; # cypress tries to download binaries otherwise
};

nativeBuildInputs = [ nodejs makeWrapper ];

# Fixes "SQLite package has not been found installed" at launch
pkgConfig.sqlite3 = {
nativeBuildInputs = [ nodejs.pkgs.node-pre-gyp python3 ];
postInstall = ''
export CPPFLAGS="-I${nodejs}/include/node"
node-pre-gyp install --prefer-offline --build-from-source --nodedir=${nodejs}/include/node
rm -r build-tmp-napi-v6
'';
};

# Fixes MODULE_NOT_FOUND at launch.
pkgConfig.bcrypt = {
nativeBuildInputs = [ nodejs.pkgs.node-pre-gyp python3 ];
postInstall = ''
export CPPFLAGS="-I${nodejs}/include/node"
node-pre-gyp install --prefer-offline --build-from-source --nodedir=${nodejs}/include/node
'';
};

postInstall = ''
makeWrapper '${nodejs}/bin/node' "$out/bin/overseerr" \
--add-flags "$out/libexec/overseerr/deps/overseerr/dist/index.js" \
--set NODE_ENV production
'';

buildPhase = ''
runHook preBuild
shopt -s dotglob
pushd deps/overseerr
rm -rf config/
yarn --offline build
rm -rf .next/cache
popd
runHook postBuild
'';

distPhase = "true";

meta = {
description = "Request management and media discovery tool for the Plex ecosystem";
homepage = "https://github.com/sct/overseerr";
license = lib.licenses.mit;
mainProgram = "overseerr";
maintainers = with lib.maintainers; [ caarlos0 ];
};
}
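Review bot: In `pkgConfig.sqlite3.postInstall`, `rm -r build-tmp-napi-v6` hard-codes a directory name with no comment explaining why it is removed, and without `-f` the build fails as soon as that directory is named differently or absent. Add a short comment on the reason and use `rm -rf` (or a `build-tmp-napi-*` glob) so that a change in the directory name does not break the build. `distPhase = "true";` is better expressed as `doDist = false;`, and the doubled blank line after the `src` block can be dropped.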