chris/sneeuwvlok
chris/sneeuwvlok
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update service configs and secrets handling
Some checks failed
Test action / kaas (push) Failing after 1s
Details

Browse source 
- Add restartUnits and ownership to Matrix and Servarr secrets
- Use sops secret for qbittorrent password hash
- Refactor Cardigann indexer config in Servarr
- Update Caddy plugin version and hash
- Add debug output to machine update justfile
This commit is contained in:
Chris Kruining 2026-03-05 11:40:40 +01:00
parent a5de9aea37
commit 8d46d0d60b
No known key found for this signature in database
GPG key ID: EB894A3560CCCAD2
4 changed files with 126 additions and 31 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.just/machine.just
View file

@ -7,6 +7,8 @@
[doc('Update target machine')] [doc('Update target machine')]
[no-exit-message] [no-exit-message]
@update machine: @update machine:
echo "Checking vars"
cd .. && just vars _check {{ machine }} cd .. && just vars _check {{ machine }}
echo ""
just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | sed ':a;N;$!ba;s/\n/, /g')" just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | sed ':a;N;$!ba;s/\n/, /g')"
nixos-rebuild switch -L --sudo --target-host {{ machine }} --build-host {{ machine }} --flake ..#{{ machine }} --log-format internal-json -v |& nom --json nixos-rebuild switch -L --sudo --target-host {{ machine }} --build-host {{ machine }} --flake ..#{{ machine }} --log-format internal-json -v |& nom --json

14
modules/nixos/services/communication/matrix/default.nix
View file

@ -370,9 +370,17 @@ in {
sops = { sops = {
secrets = { secrets = {
"synapse/oidc_id" = {}; "synapse/oidc_id" = {
"synapse/oidc_secret" = {}; restartUnits = ["synapse-matrix.service"];
"coturn/secret" = {}; };
"synapse/oidc_secret" = {
restartUnits = ["synapse-matrix.service"];
};
"coturn/secret" = {
owner = config.systemd.services.coturn.serviceConfig.User;
group = config.systemd.services.coturn.serviceConfig.Group;
restartUnits = ["coturn.service"];
};
}; };
templates = { templates = {

137
modules/nixos/services/media/servarr/default.nix
View file

@ -86,7 +86,7 @@ in {
Prefecences.WebUI = { Prefecences.WebUI = {
Username = "admin"; Username = "admin";
Password_PBKDF2 = "@ByteArray(JpfX3wSUcMolUFD+8AD67w==:fr5kmc6sK9xsCfGW6HkPX2K1lPYHL6g2ncLLwuOVmjphmxkwBJ8pi/XQDsDWzyM/MRh5zPhUld2Xqn8o7BWv3Q==)"; Password_PBKDF2 = config.sops.secrets."qbittorrent/password_hash".path;
}; };
}; };
@ -94,11 +94,13 @@ in {
group = "media"; group = "media";
}; };
# port is harcoded in nixpkgs module
sabnzbd = { sabnzbd = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
allowConfigWrite = false;
configFile = lib.mkForce null;
secretFiles = [ secretFiles = [
config.sops.templates."sabnzbd/config.ini".path config.sops.templates."sabnzbd/config.ini".path
]; ];
@ -113,6 +115,7 @@ in {
servers = { servers = {
"news.sunnyusenet.com" = { "news.sunnyusenet.com" = {
name = "news.sunnyusenet.com";
displayname = "news.sunnyusenet.com"; displayname = "news.sunnyusenet.com";
host = "news.sunnyusenet.com"; host = "news.sunnyusenet.com";
port = 563; port = 563;
@ -227,7 +230,6 @@ in {
host = "localhost"; host = "localhost";
username = "admin"; username = "admin";
password = lib.tfRef "var.qbittorrent_api_key"; password = lib.tfRef "var.qbittorrent_api_key";
# password = "poChieN5feeph0igeaCadeJ9Xux0ohmuy6ruH5ieThaPheib3iuzoo0ahw1aiceif1feegioh9Aimau0pai5thoh5ieH0aechohw";
url_base = "/"; url_base = "/";
port = 2008; port = 2008;
}; };
@ -270,47 +272,126 @@ in {
priority = 1; priority = 1;
name = "Nyaa"; name = "Nyaa";
implementation = "nyaa"; implementation = "Cardigann";
config_contract = "nyaa_settings"; config_contract = "CardigannSettings";
protocol = "torrent"; protocol = "torrent";
fields = [ fields = [
{ {
name = "targetType"; name = "definitionFile";
value = ""; text_value = "nyaasi";
}
{
name = "baseSettings.limitsUnit";
number_value = 0;
}
{
name = "torrentBaseSettings.preferMagnetUrl";
bool_value = false;
}
{
name = "prefer_magnet_links";
bool_value = true;
}
{
name = "sonarr_compatibility";
bool_value = false;
}
{
name = "strip_s01";
bool_value = false;
}
{
name = "radarr_compatibility";
bool_value = false;
}
{
name = "filter-id";
number_value = 0;
}
{
name = "cat-id";
number_value = 0;
}
{
name = "sort";
number_value = 0;
}
{
name = "type";
number_value = 1;
} }
]; ];
}; };
"nzbgeek" = { # "_1337x" = {
enable = true; # enable = true;
app_profile_id = 2; # app_profile_id = 1;
priority = 1; # priority = 1;
name = "NZBgeek"; # name = "1337x";
implementation = "nzbgeek"; # implementation = "Cardigann";
config_contract = "nzbgeek_settings"; # config_contract = "CardigannSettings";
protocol = "torrent"; # protocol = "torrent";
# tags = [1];
fields = [ # fields = [
]; # {
}; # name = "definitionFile";
# text_value = "1337x";
# }
# {
# name = "baseSettings.limitsUnit";
# number_value = 0;
# }
# {
# name = "torrentBaseSettings.preferMagnetUrl";
# bool_value = false;
# }
# {
# name = "disablesort";
# bool_value = false;
# }
# {
# name = "sort";
# number_value = 2;
# }
# {
# name = "type";
# number_value = 1;
# }
# ];
# };
# "nzbgeek" = { # "nzbgeek" = {
# enable = true; # enable = true;
# app_profile_id = 1; # app_profile_id = 2;
# priority = 1;
# name = "NZBgeek"; # name = "NZBgeek";
# implementation = "nzbgeek"; # implementation = "Newznab";
# config_contract = "nzbgeek_settings"; # config_contract = "NewznabSettings";
# protocol = "torrent"; # protocol = "usenet";
# fields = [ # fields = [
# # { # {
# # name = ""; # name = "baseUrl";
# # value = ""; # text_value = "https://api.nzbgeek.info";
# # } # }
# {
# name = "apiPath";
# text_value = "/api";
# }
# {
# name = "apiKey";
# text_value = "__TODO_API_KEY_SECRET__";
# }
# {
# name = "baseSettings.limitsUnit";
# number_value = 5;
# }
# ]; # ];
# }; # };
}; };
@ -421,6 +502,10 @@ in {
{ {
secrets = { secrets = {
"qbittorrent/password" = {}; "qbittorrent/password" = {};
"qbittorrent/password_hash" = {
owner = "qbittorrent";
group = "media";
};
"sabnzbd/apikey" = {}; "sabnzbd/apikey" = {};
"sabnzbd/nzbkey" = {}; "sabnzbd/nzbkey" = {};
"sabnzbd/sunnyweb/username" = {}; "sabnzbd/sunnyweb/username" = {};

4
modules/nixos/services/networking/caddy/default.nix
View file

@ -28,8 +28,8 @@ in {
enable = cfg.enable; enable = cfg.enable;
package = pkgs.caddy.withPlugins { package = pkgs.caddy.withPlugins {
plugins = ["github.com/corazawaf/coraza-caddy/v2@2.1.0"]; plugins = ["github.com/corazawaf/coraza-caddy/v2@v2.1.0"];
hash = ""; hash = "sha256-AdL/LFKXbWmCsJ/xZWZmYBnw57c7sS6s1miR3sSx1Ow=";
}; };
virtualHosts = virtualHosts =