Update service configs and secrets handling

- Add restartUnits and ownership to Matrix and Servarr secrets
- Use sops secret for qbittorrent password hash
- Refactor Cardigann indexer config in Servarr
- Update Caddy plugin version and hash
- Add debug output to machine update justfile
Chris Kruining 2026-03-05 11:40:40 +01:00
parent a5de9aea37
commit 8d46d0d60b
No known key found for this signature in database
GPG key ID: EB894A3560CCCAD2
4 changed files with 126 additions and 31 deletions


@ -7,6 +7,8 @@
[doc('Update target machine')]
[no-exit-message]
@update machine:
echo "Checking vars"
cd .. && just vars _check {{ machine }}
echo ""
just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | sed ':a;N;$!ba;s/\n/, /g')"
nixos-rebuild switch -L --sudo --target-host {{ machine }} --build-host {{ machine }} --flake ..#{{ machine }} --log-format internal-json -v |& nom --json
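Review bot: The `just vars _check {{ machine }}` step runs before the `just assert '-d "../systems/x86_64-linux/{{ machine }}"' ...` line, so a mistyped or unexpected machine name is interpolated into the vars check before the existence guard rejects it. Which of these lines are new is inferred from the hunk counts, since the page has lost its +/- markers. Moving the `just assert` line to the top of the `update` recipe would put the "does not exist, must be one of" message first and keep the vars check from running against a name that has no system directory.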


@ -370,9 +370,17 @@ in {
sops = {
secrets = {
"synapse/oidc_id" = {};
"synapse/oidc_secret" = {};
"coturn/secret" = {};
"synapse/oidc_id" = {
restartUnits = ["synapse-matrix.service"];
};
"synapse/oidc_secret" = {
restartUnits = ["synapse-matrix.service"];
};
"coturn/secret" = {
owner = config.systemd.services.coturn.serviceConfig.User;
group = config.systemd.services.coturn.serviceConfig.Group;
restartUnits = ["coturn.service"];
};
};
templates = {
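Review bot: `restartUnits = ["synapse-matrix.service"]` on both `synapse/oidc_id` and `synapse/oidc_secret` names a unit that, as far as I know, the stock NixOS Synapse module does not create; its service is `matrix-synapse.service`. Unless this repository defines a unit under the other name, rotating either OIDC secret would not restart Synapse, and it would keep running with the old value. I would write `restartUnits = ["matrix-synapse.service"];` on both entries. If these secrets reach Synapse only through the `templates` block that opens on the last line of the hunk, that template may need its own `restartUnits` too; the block continues outside the hunk.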


@ -86,7 +86,7 @@ in {
Prefecences.WebUI = {
Username = "admin";
Password_PBKDF2 = "@ByteArray(JpfX3wSUcMolUFD+8AD67w==:fr5kmc6sK9xsCfGW6HkPX2K1lPYHL6g2ncLLwuOVmjphmxkwBJ8pi/XQDsDWzyM/MRh5zPhUld2Xqn8o7BWv3Q==)";
Password_PBKDF2 = config.sops.secrets."qbittorrent/password_hash".path;
};
};
@ -94,11 +94,13 @@ in {
group = "media";
};
# port is harcoded in nixpkgs module
sabnzbd = {
enable = true;
openFirewall = true;
allowConfigWrite = false;
configFile = lib.mkForce null;
secretFiles = [
config.sops.templates."sabnzbd/config.ini".path
];
@ -113,6 +115,7 @@ in {
servers = {
"news.sunnyusenet.com" = {
name = "news.sunnyusenet.com";
displayname = "news.sunnyusenet.com";
host = "news.sunnyusenet.com";
port = 563;
@ -227,7 +230,6 @@ in {
host = "localhost";
username = "admin";
password = lib.tfRef "var.qbittorrent_api_key";
# password = "poChieN5feeph0igeaCadeJ9Xux0ohmuy6ruH5ieThaPheib3iuzoo0ahw1aiceif1feegioh9Aimau0pai5thoh5ieH0aechohw";
url_base = "/";
port = 2008;
};
@ -270,47 +272,126 @@ in {
priority = 1;
name = "Nyaa";
implementation = "nyaa";
config_contract = "nyaa_settings";
implementation = "Cardigann";
config_contract = "CardigannSettings";
protocol = "torrent";
fields = [
{
name = "targetType";
value = "";
name = "definitionFile";
text_value = "nyaasi";
}
{
name = "baseSettings.limitsUnit";
number_value = 0;
}
{
name = "torrentBaseSettings.preferMagnetUrl";
bool_value = false;
}
{
name = "prefer_magnet_links";
bool_value = true;
}
{
name = "sonarr_compatibility";
bool_value = false;
}
{
name = "strip_s01";
bool_value = false;
}
{
name = "radarr_compatibility";
bool_value = false;
}
{
name = "filter-id";
number_value = 0;
}
{
name = "cat-id";
number_value = 0;
}
{
name = "sort";
number_value = 0;
}
{
name = "type";
number_value = 1;
}
];
};
"nzbgeek" = {
enable = true;
# "_1337x" = {
# enable = true;
app_profile_id = 2;
priority = 1;
# app_profile_id = 1;
# priority = 1;
name = "NZBgeek";
implementation = "nzbgeek";
config_contract = "nzbgeek_settings";
protocol = "torrent";
# name = "1337x";
# implementation = "Cardigann";
# config_contract = "CardigannSettings";
# protocol = "torrent";
# tags = [1];
fields = [
];
};
# fields = [
# {
# name = "definitionFile";
# text_value = "1337x";
# }
# {
# name = "baseSettings.limitsUnit";
# number_value = 0;
# }
# {
# name = "torrentBaseSettings.preferMagnetUrl";
# bool_value = false;
# }
# {
# name = "disablesort";
# bool_value = false;
# }
# {
# name = "sort";
# number_value = 2;
# }
# {
# name = "type";
# number_value = 1;
# }
# ];
# };
# "nzbgeek" = {
# enable = true;
# app_profile_id = 1;
# app_profile_id = 2;
# priority = 1;
# name = "NZBgeek";
# implementation = "nzbgeek";
# config_contract = "nzbgeek_settings";
# protocol = "torrent";
# implementation = "Newznab";
# config_contract = "NewznabSettings";
# protocol = "usenet";
# fields = [
# # {
# # name = "";
# # value = "";
# # }
# {
# name = "baseUrl";
# text_value = "https://api.nzbgeek.info";
# }
# {
# name = "apiPath";
# text_value = "/api";
# }
# {
# name = "apiKey";
# text_value = "__TODO_API_KEY_SECRET__";
# }
# {
# name = "baseSettings.limitsUnit";
# number_value = 5;
# }
# ];
# };
};
@ -421,6 +502,10 @@ in {
{
secrets = {
"qbittorrent/password" = {};
"qbittorrent/password_hash" = {
owner = "qbittorrent";
group = "media";
};
"sabnzbd/apikey" = {};
"sabnzbd/nzbkey" = {};
"sabnzbd/sunnyweb/username" = {};
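Review bot: `Password_PBKDF2 = config.sops.secrets."qbittorrent/password_hash".path;` in the first hunk assigns the secret's file path rather than its contents. The rendered setting would presumably hold a path string where qBittorrent expects an `@ByteArray(salt:hash)` value, so the WebUI login would not match the intended password. The hash needs to be substituted at activation time, for example through a sops template using `config.sops.placeholder."qbittorrent/password_hash"`, similar to how the sabnzbd config is supplied through `secretFiles`; whether the qbittorrent module can consume such a file is not visible here. The PBKDF2 hash and the commented-out password that this commit removes both remain in repository history, so they are worth rotating if that has not been done already. The enclosing attribute sets start and end outside the hunks.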


@ -28,8 +28,8 @@ in {
enable = cfg.enable;
package = pkgs.caddy.withPlugins {
plugins = ["github.com/corazawaf/coraza-caddy/v2@2.1.0"];
hash = "";
plugins = ["github.com/corazawaf/coraza-caddy/v2@v2.1.0"];
hash = "sha256-AdL/LFKXbWmCsJ/xZWZmYBnw57c7sS6s1miR3sSx1Ow=";
};
virtualHosts =