From 8d46d0d60b1f06ed7510e83e4117e1ab99674417 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 5 Mar 2026 11:40:40 +0100 Subject: [PATCH] Update service configs and secrets handling - Add restartUnits and ownership to Matrix and Servarr secrets - Use sops secret for qbittorrent password hash - Refactor Cardigann indexer config in Servarr - Update Caddy plugin version and hash - Add debug output to machine update justfile --- .just/machine.just | 2 + .../services/communication/matrix/default.nix | 14 +- .../nixos/services/media/servarr/default.nix | 137 ++++++++++++++---- .../services/networking/caddy/default.nix | 4 +- 4 files changed, 126 insertions(+), 31 deletions(-) diff --git a/.just/machine.just b/.just/machine.just index cf1c8f7..420197a 100644 --- a/.just/machine.just +++ b/.just/machine.just @@ -7,6 +7,8 @@ [doc('Update target machine')] [no-exit-message] @update machine: + echo "Checking vars" cd .. && just vars _check {{ machine }} + echo "" just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | sed ':a;N;$!ba;s/\n/, /g')" nixos-rebuild switch -L --sudo --target-host {{ machine }} --build-host {{ machine }} --flake ..#{{ machine }} --log-format internal-json -v |& nom --json diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix index 21fe777..f20e1ac 100644 --- a/modules/nixos/services/communication/matrix/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix 
@@ -370,9 +370,17 @@ in { sops = { secrets = { - "synapse/oidc_id" = {}; - "synapse/oidc_secret" = {}; - "coturn/secret" = {}; + "synapse/oidc_id" = { + restartUnits = ["synapse-matrix.service"]; + }; + "synapse/oidc_secret" = { + restartUnits = ["synapse-matrix.service"]; + }; + "coturn/secret" = { + owner = config.systemd.services.coturn.serviceConfig.User; + group = config.systemd.services.coturn.serviceConfig.Group; + restartUnits = ["coturn.service"]; + }; }; templates = { diff --git a/modules/nixos/services/media/servarr/default.nix b/modules/nixos/services/media/servarr/default.nix index e64c6fe..f868313 100644 --- a/modules/nixos/services/media/servarr/default.nix +++ b/modules/nixos/services/media/servarr/default.nix @@ -86,7 +86,7 @@ in { Prefecences.WebUI = { Username = "admin"; - Password_PBKDF2 = "@ByteArray(JpfX3wSUcMolUFD+8AD67w==:fr5kmc6sK9xsCfGW6HkPX2K1lPYHL6g2ncLLwuOVmjphmxkwBJ8pi/XQDsDWzyM/MRh5zPhUld2Xqn8o7BWv3Q==)"; + Password_PBKDF2 = config.sops.secrets."qbittorrent/password_hash".path; }; }; @@ -94,11 +94,13 @@ in { group = "media"; }; - # port is harcoded in nixpkgs module sabnzbd = { enable = true; openFirewall = true; + allowConfigWrite = false; + configFile = lib.mkForce null; + secretFiles = [ config.sops.templates."sabnzbd/config.ini".path ]; @@ -113,6 +115,7 @@ in { servers = { "news.sunnyusenet.com" = { + name = "news.sunnyusenet.com"; displayname = "news.sunnyusenet.com"; host = "news.sunnyusenet.com"; port = 563; @@ -227,7 +230,6 @@ in { host = "localhost"; username = "admin"; password = lib.tfRef "var.qbittorrent_api_key"; - # password = "poChieN5feeph0igeaCadeJ9Xux0ohmuy6ruH5ieThaPheib3iuzoo0ahw1aiceif1feegioh9Aimau0pai5thoh5ieH0aechohw"; url_base = "/"; port = 2008; }; 
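Review bot: In modules/nixos/services/communication/matrix/default.nix, both synapse secrets name `synapse-matrix.service` in `restartUnits`, which may not match the real unit. If this module builds on the nixpkgs `services.matrix-synapse` option, the unit is `matrix-synapse.service`, and a name that matches no unit means a rotated OIDC client secret is never picked up by the running server. I would change both to `restartUnits = ["matrix-synapse.service"];` or confirm the custom unit name. The `templates` block that follows continues outside the hunk; if the secrets reach Synapse only through a rendered template, the restart trigger probably belongs on that template as well.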
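Review bot: In the servarr `@@ -86,7 +86,7 @@` hunk, `Password_PBKDF2` is set to `config.sops.secrets."qbittorrent/password_hash".path`, which evaluates to the path of the decrypted file, not its contents. Unless the module reads that file when rendering the config, the WebUI gets a path string where qBittorrent expects the `@ByteArray(salt:hash)` value. The value has to be substituted at activation time, for example by rendering the setting through a sops template with `config.sops.placeholder."qbittorrent/password_hash"`. The context line spells the section `Prefecences.WebUI`; if that key is passed through verbatim the WebUI settings may not apply at all, so check it against `Preferences`. The hash removed here and the commented-out password removed in the `@@ -227,7 +230,6 @@` hunk both remain in repository history, so rotate them instead of reusing them in the sops file.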
@@ -270,47 +272,126 @@ in { priority = 1; name = "Nyaa"; - implementation = "nyaa"; - config_contract = "nyaa_settings"; + implementation = "Cardigann"; + config_contract = "CardigannSettings"; protocol = "torrent"; fields = [ { - name = "targetType"; - value = ""; + name = "definitionFile"; + text_value = "nyaasi"; + } + { + name = "baseSettings.limitsUnit"; + number_value = 0; + } + { + name = "torrentBaseSettings.preferMagnetUrl"; + bool_value = false; + } + { + name = "prefer_magnet_links"; + bool_value = true; + } + { + name = "sonarr_compatibility"; + bool_value = false; + } + { + name = "strip_s01"; + bool_value = false; + } + { + name = "radarr_compatibility"; + bool_value = false; + } + { + name = "filter-id"; + number_value = 0; + } + { + name = "cat-id"; + number_value = 0; + } + { + name = "sort"; + number_value = 0; + } + { + name = "type"; + number_value = 1; } ]; }; - "nzbgeek" = { - enable = true; + # "_1337x" = { + # enable = true; - app_profile_id = 2; - priority = 1; + # app_profile_id = 1; + # priority = 1; - name = "NZBgeek"; - implementation = "nzbgeek"; - config_contract = "nzbgeek_settings"; - protocol = "torrent"; + # name = "1337x"; + # implementation = "Cardigann"; + # config_contract = "CardigannSettings"; + # protocol = "torrent"; + # tags = [1]; - fields = [ - ]; - }; + # fields = [ + # { + # name = "definitionFile"; + # text_value = "1337x"; + # } + # { + # name = "baseSettings.limitsUnit"; + # number_value = 0; + # } + # { + # name = "torrentBaseSettings.preferMagnetUrl"; + # bool_value = false; + # } + # { + # name = "disablesort"; + # bool_value = false; + # } + # { + # name = "sort"; + # number_value = 2; + # } + # { + # name = "type"; + # number_value = 1; + # } + # ]; + # }; # "nzbgeek" = { # enable = true; - # app_profile_id = 1; + # app_profile_id = 2; + # priority = 1; + # name = "NZBgeek"; - # implementation = "nzbgeek"; - # config_contract = "nzbgeek_settings"; - # protocol = "torrent"; + # implementation = "Newznab"; + # 
config_contract = "NewznabSettings"; + # protocol = "usenet"; # fields = [ - # # { - # # name = ""; - # # value = ""; - # # } + # { + # name = "baseUrl"; + # text_value = "https://api.nzbgeek.info"; + # } + # { + # name = "apiPath"; + # text_value = "/api"; + # } + # { + # name = "apiKey"; + # text_value = "__TODO_API_KEY_SECRET__"; + # } + # { + # name = "baseSettings.limitsUnit"; + # number_value = 5; + # } # ]; # }; }; @@ -421,6 +502,10 @@ in { { secrets = { "qbittorrent/password" = {}; + "qbittorrent/password_hash" = { + owner = "qbittorrent"; + group = "media"; + }; "sabnzbd/apikey" = {}; "sabnzbd/nzbkey" = {}; "sabnzbd/sunnyweb/username" = {}; diff --git a/modules/nixos/services/networking/caddy/default.nix b/modules/nixos/services/networking/caddy/default.nix index 2274efa..f17c737 100644 --- a/modules/nixos/services/networking/caddy/default.nix +++ b/modules/nixos/services/networking/caddy/default.nix @@ -28,8 +28,8 @@ in { enable = cfg.enable; package = pkgs.caddy.withPlugins { - plugins = ["github.com/corazawaf/coraza-caddy/v2@2.1.0"]; - hash = ""; + plugins = ["github.com/corazawaf/coraza-caddy/v2@v2.1.0"]; + hash = "sha256-AdL/LFKXbWmCsJ/xZWZmYBnw57c7sS6s1miR3sSx1Ow="; }; virtualHosts =
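Review bot: The commented-out `nzbgeek` block in the `@@ -270,47 +272,126 @@` hunk carries `text_value = "__TODO_API_KEY_SECRET__"` for `apiKey`, and nothing prevents a real key from being pasted there when the block is re-enabled. A literal there would end up in the world-readable Nix store and in the generated Terraform input. I would record the intended wiring now, mirroring the qbittorrent client in this file, e.g. `# apiKey must come from lib.tfRef "var.<name>", never a literal`, and use the provider's sensitive field variant if it has one. Separately, about seventy lines of disabled `_1337x` and `nzbgeek` config are kept as comments; removing them or keeping them as real entries with `enable = false` would be easier to review. The active Nyaa entry sets `torrentBaseSettings.preferMagnetUrl` to false but `prefer_magnet_links` to true, which deserves a one-line comment saying which one is meant to win.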
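Review bot: The new `"qbittorrent/password_hash"` secret in the `@@ -421,6 +502,10 @@` hunk has no `restartUnits`, unlike the Matrix secrets changed in the same commit. A rotated hash would therefore not reach the running service until it is restarted by hand. I would add `restartUnits = ["qbittorrent.service"];`, with the unit name confirmed against the module. The owner is hard-coded as `"qbittorrent"`, while the coturn secret derives it from the unit's `serviceConfig.User`; deriving it the same way here would keep the two in step if the service user changes. The surrounding `secrets` attrset continues outside the hunk.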