From 6876b8b8d7d4271930144abf89ec6cfc1c28f2f6 Mon Sep 17 00:00:00 2001
From: Jamie Magee <jamie.magee@gmail.com>
Date: Sun, 4 Oct 2020 16:04:55 +0200
Subject: [PATCH 1/2] nzbhydra2: init at 3.8.0

---
 pkgs/servers/nzbhydra2/default.nix | 32 ++++++++++++++++++++++++++++++
 pkgs/top-level/all-packages.nix    |  2 ++
 2 files changed, 34 insertions(+)
 create mode 100644 pkgs/servers/nzbhydra2/default.nix

diff --git a/pkgs/servers/nzbhydra2/default.nix b/pkgs/servers/nzbhydra2/default.nix
new file mode 100644
index 00000000000..3ba758c1088
--- /dev/null
+++ b/pkgs/servers/nzbhydra2/default.nix
@@ -0,0 +1,32 @@
+{ lib, stdenv, fetchzip, makeWrapper, jre, python3, unzip }:
+
+stdenv.mkDerivation rec {
+  pname = "nzbhydra2";
+  version = "3.8.0";
+
+  src = fetchzip {
+    url = "https://github.com/theotherp/${pname}/releases/download/v${version}/${pname}-${version}-linux.zip";
+    sha512 = "1gybricq26hixr5cmw1iwyax7h17d0n5wqzhrx727xda1x35jfjp5ynjdkxzysbfhs1za6vy54bpm0sda4nkrh16p0xqnz3nsd4hvzh";
+    stripRoot = false;
+  };
+
+  nativeBuildInputs = [ jre makeWrapper unzip ];
+
+  installPhase = ''
+    install -d -m 755 "$out/lib/${pname}"
+    cp -dpr --no-preserve=ownership "lib" "readme.md" "$out/lib/nzbhydra2"
+    install -D -m 755 "nzbhydra2wrapperPy3.py" "$out/lib/nzbhydra2/nzbhydra2wrapperPy3.py"
+
+    makeWrapper ${python3}/bin/python $out/bin/nzbhydra2 \
+      --add-flags "$out/lib/nzbhydra2/nzbhydra2wrapperPy3.py" \
+      --prefix PATH ":" ${jre}/bin
+  '';
+
+  meta = with stdenv.lib; {
+    description = "Usenet meta search";
+    homepage = "https://github.com/theotherp/nzbhydra2";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ jamiemagee ];
+    platforms = with platforms; linux;
+  };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 2dbbdf21354..711d480049d 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -6177,6 +6177,8 @@ in
 
   nzbget = callPackage ../tools/networking/nzbget { };
 
+  nzbhydra2 = callPackage ../servers/nzbhydra2 { };
+
   oathToolkit = callPackage ../tools/security/oath-toolkit { };
 
   obex_data_server = callPackage ../tools/bluetooth/obex-data-server { };

From feb63511c63768f67847c89e924a95b77802d6ee Mon Sep 17 00:00:00 2001
From: Jamie Magee <jamie.magee@gmail.com>
Date: Sun, 4 Oct 2020 16:06:53 +0200
Subject: [PATCH 2/2] nixos/nzbhydra2: init

---
 nixos/modules/module-list.nix             |  1 +
 nixos/modules/services/misc/nzbhydra2.nix | 78 +++++++++++++++++++++++
 nixos/tests/all-tests.nix                 |  1 +
 nixos/tests/nzbhydra2.nix                 | 17 +++++
 4 files changed, 97 insertions(+)
 create mode 100644 nixos/modules/services/misc/nzbhydra2.nix
 create mode 100644 nixos/tests/nzbhydra2.nix

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 213048da500..8c09283f7a2 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -489,6 +489,7 @@
   ./services/misc/nix-ssh-serve.nix
   ./services/misc/novacomd.nix
   ./services/misc/nzbget.nix
+  ./services/misc/nzbhydra2.nix
   ./services/misc/octoprint.nix
   ./services/misc/osrm.nix
   ./services/misc/packagekit.nix
diff --git a/nixos/modules/services/misc/nzbhydra2.nix b/nixos/modules/services/misc/nzbhydra2.nix
new file mode 100644
index 00000000000..c396b4b8f6e
--- /dev/null
+++ b/nixos/modules/services/misc/nzbhydra2.nix
@@ -0,0 +1,78 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let cfg = config.services.nzbhydra2;
+
+in {
+  options = {
+    services.nzbhydra2 = {
+      enable = mkEnableOption "NZBHydra2";
+
+      dataDir = mkOption {
+        type = types.str;
+        default = "/var/lib/nzbhydra2";
+        description = "The directory where NZBHydra2 stores its data files.";
+      };
+
+      openFirewall = mkOption {
+        type = types.bool;
+        default = false;
+        description =
+          "Open ports in the firewall for the NZBHydra2 web interface.";
+      };
+
+      package = mkOption {
+        type = types.package;
+        default = pkgs.nzbhydra2;
+        defaultText = "pkgs.nzbhydra2";
+        description = "NZBHydra2 package to use.";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.tmpfiles.rules =
+      [ "d '${cfg.dataDir}' 0700 nzbhydra2 nzbhydra2 - -" ];
+
+    systemd.services.nzbhydra2 = {
+      description = "NZBHydra2";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        Type = "simple";
+        User = "nzbhydra2";
+        Group = "nzbhydra2";
+        ExecStart =
+          "${cfg.package}/bin/nzbhydra2 --nobrowser --datafolder '${cfg.dataDir}'";
+        Restart = "on-failure";
+        # Hardening
+        NoNewPrivileges = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        DevicePolicy = "closed";
+        ProtectSystem = "strict";
+        ReadWritePaths = cfg.dataDir;
+        ProtectHome = "read-only";
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        RestrictAddressFamilies ="AF_UNIX AF_INET AF_INET6 AF_NETLINK";
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        LockPersonality = true;
+      };
+    };
+
+    networking.firewall = mkIf cfg.openFirewall { allowedTCPPorts = [ 5076 ]; };
+
+    users.users.nzbhydra2 = {
+      group = "nzbhydra2";
+      isSystemUser = true;
+    };
+
+    users.groups.nzbhydra2 = {};
+  };
+}
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index e2328608703..f1ca1dfe02e 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -273,6 +273,7 @@ in
   novacomd = handleTestOn ["x86_64-linux"] ./novacomd.nix {};
   nsd = handleTest ./nsd.nix {};
   nzbget = handleTest ./nzbget.nix {};
+  nzbhydra2 = handleTest ./nzbhydra2.nix {};
   oh-my-zsh = handleTest ./oh-my-zsh.nix {};
   openarena = handleTest ./openarena.nix {};
   openldap = handleTest ./openldap.nix {};
diff --git a/nixos/tests/nzbhydra2.nix b/nixos/tests/nzbhydra2.nix
new file mode 100644
index 00000000000..c82c756c3a1
--- /dev/null
+++ b/nixos/tests/nzbhydra2.nix
@@ -0,0 +1,17 @@
+import ./make-test-python.nix ({ lib, ... }:
+
+  with lib;
+
+  {
+    name = "nzbhydra2";
+    meta.maintainers = with maintainers; [ jamiemagee ];
+
+    nodes.machine = { pkgs, ... }: { services.nzbhydra2.enable = true; };
+
+    testScript = ''
+      machine.start()
+      machine.wait_for_unit("nzbhydra2.service")
+      machine.wait_for_open_port(5076)
+      machine.succeed("curl --fail http://localhost:5076/")
+    '';
+  })