From 1bd0191b9911c639e234e821873197afe2c1c76a Mon Sep 17 00:00:00 2001
From: uttarayan21
Date: Tue, 15 Jul 2025 03:29:19 +0530
Subject: [PATCH] feat: deploy prowlarr in remote machine but reverse proxy it from the local machine over tailscale
---
 nixos/mirai/services/default.nix | 1 +
 nixos/mirai/services/prowlarr.nix | 10 ++++++++++
 nixos/ryu/configuration.nix | 7 -------
 nixos/ryu/services/default.nix | 2 ++
 nixos/ryu/services/dnscrypt.nix | 30 ++++++++++++++++++++++++++++++
 nixos/ryu/services/resolved.nix | 9 +++++++++
 nixos/tsuba/services/default.nix | 5 ++---
 nixos/tsuba/services/deluge.nix | 1 +
 nixos/tsuba/services/dnscrypt.nix | 25 +++++++++++++++++++++++++
 nixos/tsuba/services/resolved.nix | 9 +++++++++
 nixos/tsuba/services/servarr.nix | 10 +++++-----
 11 files changed, 94 insertions(+), 15 deletions(-)
 create mode 100644 nixos/mirai/services/prowlarr.nix
 create mode 100644 nixos/ryu/services/dnscrypt.nix
 create mode 100644 nixos/ryu/services/resolved.nix
 create mode 100644 nixos/tsuba/services/dnscrypt.nix
 create mode 100644 nixos/tsuba/services/resolved.nix
diff --git a/nixos/mirai/services/default.nix b/nixos/mirai/services/default.nix
index 1003767b..2cbaa02e 100644
--- a/nixos/mirai/services/default.nix
+++ b/nixos/mirai/services/default.nix
@@ -11,6 +11,7 @@
 ./nextcloud.nix
 ./tailscale.nix
 ./zerotier.nix
+ ./prowlarr.nix
 # ./home-assistant.nix
 # ./jellyfin.nix
diff --git a/nixos/mirai/services/prowlarr.nix b/nixos/mirai/services/prowlarr.nix
new file mode 100644
index 00000000..5ad5760b
--- /dev/null
+++ b/nixos/mirai/services/prowlarr.nix
@@ -0,0 +1,10 @@
+{...}: {
+ services = {
+ prowlarr = {
+ enable = true;
+ };
+ flaresolverr = {
+ enable = true;
+ };
+ };
+}
diff --git a/nixos/ryu/configuration.nix b/nixos/ryu/configuration.nix
index a48a5642..a83d752d 100644
--- a/nixos/ryu/configuration.nix
+++ b/nixos/ryu/configuration.nix
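Review bot: `nixos/mirai/services/prowlarr.nix` enables Prowlarr and FlareSolverr with defaults only, so nothing in this file states how tsuba's Caddy is meant to reach port 9696 or who else can. If the port still has to be opened, scope it to the tailnet interface with `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [9696];` (assuming the default Tailscale interface name) rather than `services.prowlarr.openFirewall = true;`, which would open it on every interface. FlareSolverr's API has, as far as I know, no authentication of its own, so a comment such as `# flaresolverr: keep local to this host, do not open the firewall` next to its `enable` line would record that intent.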
@@ -118,13 +118,6 @@
 users.groups.media = {};
 services = {
- resolved = {
- enable = true;
- dnssec = "true";
- domains = ["~."];
- fallbackDns = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"];
- dnsovertls = "true";
- };
 devmon.enable = true;
 gvfs.enable = true;
 udisks2.enable = true;
diff --git a/nixos/ryu/services/default.nix b/nixos/ryu/services/default.nix
index 55e60e9c..534b21bf 100644
--- a/nixos/ryu/services/default.nix
+++ b/nixos/ryu/services/default.nix
@@ -9,6 +9,8 @@
 ./mullvad.nix
 ./openrgb.nix
 ./command-runner.nix
+ ./resolved.nix
+ # ./dnscrypt.nix
 ];
 services = {
 # hardware.openrgb.enable = true;
diff --git a/nixos/ryu/services/dnscrypt.nix b/nixos/ryu/services/dnscrypt.nix
new file mode 100644
index 00000000..6a316065
--- /dev/null
+++ b/nixos/ryu/services/dnscrypt.nix
@@ -0,0 +1,30 @@
+{config, ...}: {
+ networking = {
+ search = ["lemur-newton.ts.net"];
+ dhcpcd.extraConfig = "nohook resolv.conf";
+ networkmanager.dns = "none";
+ };
+ services.resolved.enable = false;
+ services.dnscrypt-proxy2 = {
+ enable = true;
+ # Settings reference:
+ # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
+ settings = {
+ ipv6_servers = true;
+ require_dnssec = true;
+ # Add this to test if dnscrypt-proxy is actually used to resolve DNS requests
+ # query_log.file = "/var/log/dnscrypt-proxy/query.log";
+ sources.public-resolvers = {
+ urls = [
+ "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+ "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+ ];
+ cache_file = "/var/cache/dnscrypt-proxy/public-resolvers.md";
+ minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+ };
+
+ # You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
+ server_names = ["cloudflare-security"];
+ };
+ };
+}
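Review bot: `nixos/ryu/services/dnscrypt.nix` stops dhcpcd and NetworkManager from writing resolv.conf and disables resolved, but never sets `networking.nameservers`, so once the module is imported nothing visible here points the system resolver at the local dnscrypt-proxy listener; add `nameservers = ["127.0.0.1" "::1"];` to the `networking` block. The same omission is in `nixos/tsuba/services/dnscrypt.nix`. Both files also set `services.resolved.enable = false` while the sibling `resolved.nix` sets it to `true`, so importing the two together should fail evaluation with conflicting definitions; a comment at the top of each file saying they are mutually exclusive would help. The `config` argument is unused in both and can be dropped (`{...}:`). Names under `lemur-newton.ts.net` presumably will not resolve through a public resolver, so a forwarding rule for that zone is likely needed before switching over.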
diff --git a/nixos/ryu/services/resolved.nix b/nixos/ryu/services/resolved.nix
new file mode 100644
index 00000000..f5bf04cc
--- /dev/null
+++ b/nixos/ryu/services/resolved.nix
@@ -0,0 +1,9 @@
+{...}: {
+ services.resolved = {
+ enable = true;
+ dnssec = "true";
+ domains = ["~." "lemur-newton.ts.net"];
+ fallbackDns = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"];
+ dnsovertls = "true";
+ };
+}
diff --git a/nixos/tsuba/services/default.nix b/nixos/tsuba/services/default.nix
index 02414ba8..5642890e 100644
--- a/nixos/tsuba/services/default.nix
+++ b/nixos/tsuba/services/default.nix
@@ -5,10 +5,9 @@
 ./jellyfin.nix
 ./caddy.nix
 ./servarr.nix
- # ./sonarr.nix
- # ./radarr.nix
- # ./prowlarr.nix
 ./deluge.nix
 ./homeassistant.nix
+ # ./dnscrypt.nix
+ ./resolved.nix
 ];
 }
diff --git a/nixos/tsuba/services/deluge.nix b/nixos/tsuba/services/deluge.nix
index 2db4b792..430512b4 100644
--- a/nixos/tsuba/services/deluge.nix
+++ b/nixos/tsuba/services/deluge.nix
@@ -3,6 +3,7 @@
 deluge = {
 enable = true;
 web.enable = true;
+ group = "media";
 };
 caddy = {
 virtualHosts."deluge.tsuba.darksailor.dev".extraConfig = ''
diff --git a/nixos/tsuba/services/dnscrypt.nix b/nixos/tsuba/services/dnscrypt.nix
new file mode 100644
index 00000000..ea70d447
--- /dev/null
+++ b/nixos/tsuba/services/dnscrypt.nix
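Review bot: In `nixos/ryu/services/resolved.nix` the only DNS-over-TLS-capable servers are listed under `fallbackDns`, which systemd-resolved consults only when no other server is configured; if DHCP or Tailscale supplies one, strict `dnsovertls = "true"` applies to that server instead and lookups may fail rather than go to Cloudflare. Setting the servers explicitly, e.g. `networking.nameservers = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"];`, makes the intended upstream unambiguous, unless that is already done elsewhere in the host config, which this diff does not show. `dnssec = "true"` is also strict, so confirm that `lemur-newton.ts.net` names still resolve with it on. `nixos/tsuba/services/resolved.nix` carries the same blob id `f5bf04cc`, so the same applies there and the file could be a single shared module.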
@@ -0,0 +1,25 @@
+{config, ...}: {
+ networking = {
+ dhcpcd.extraConfig = "nohook resolv.conf";
+ networkmanager.dns = "none";
+ };
+ services.resolved.enable = false;
+ services.dnscrypt-proxy2 = {
+ enable = true;
+ settings = {
+ ipv6_servers = true;
+ require_dnssec = true;
+ sources.public-resolvers = {
+ urls = [
+ "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+ "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+ ];
+ cache_file = "/var/cache/dnscrypt-proxy/public-resolvers.md";
+ minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+ };
+
+ # You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
+ server_names = ["cloudflare-security"];
+ };
+ };
+}
diff --git a/nixos/tsuba/services/resolved.nix b/nixos/tsuba/services/resolved.nix
new file mode 100644
index 00000000..f5bf04cc
--- /dev/null
+++ b/nixos/tsuba/services/resolved.nix
@@ -0,0 +1,9 @@
+{...}: {
+ services.resolved = {
+ enable = true;
+ dnssec = "true";
+ domains = ["~." "lemur-newton.ts.net"];
+ fallbackDns = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"];
+ dnsovertls = "true";
+ };
+}
diff --git a/nixos/tsuba/services/servarr.nix b/nixos/tsuba/services/servarr.nix
index 5c452d03..8f7c9053 100644
--- a/nixos/tsuba/services/servarr.nix
+++ b/nixos/tsuba/services/servarr.nix
@@ -22,10 +22,10 @@ in {
 package = unstablePkgs.radarr;
 group = "media";
 };
- prowlarr = {
- enable = true;
- package = unstablePkgs.prowlarr;
- };
+ # prowlarr = {
+ # enable = true;
+ # package = unstablePkgs.prowlarr;
+ # };
 caddy.virtualHosts = {
 "sonarr.tsuba.darksailor.dev".extraConfig = ''
 import hetzner
@@ -37,7 +37,7 @@ in {
 '';
 "prowlarr.tsuba.darksailor.dev".extraConfig = ''
 import hetzner
- reverse_proxy localhost:${builtins.toString config.services.prowlarr.settings.server.port}
+ reverse_proxy mirai.darksailor.dev:9696
 '';
 };
 };
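Review bot: The new upstream in the second hunk of `nixos/tsuba/services/servarr.nix`, `reverse_proxy mirai.darksailor.dev:9696`, is plain HTTP to a name under the public domain, while the commit subject says the traffic should go over Tailscale. Unless that name is known to resolve to mirai's tailnet address, Prowlarr sessions and API keys could leave the tunnel unencrypted and mirai would have to accept 9696 from outside; pointing at the tailnet name makes the path explicit, presumably `reverse_proxy mirai.lemur-newton.ts.net:9696`. The port is now a literal where it used to be read from `config.services.prowlarr.settings.server.port`, so a comment tying it to mirai's Prowlarr port would keep the two hosts in step. The first hunk leaves the old `prowlarr` block commented out; deleting it would be cleaner. Both hunks sit inside an attribute set that starts outside them.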