From 4e9ef9dc4f7df619478012bd5c813050417f8567 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 4 Mar 2026 09:29:36 +0100 Subject: [PATCH 01/13] Refactor Caddy config into networking.caddy module Move Caddy configuration from individual services to a shared networking.caddy module. Update service modules and system config to use the new interface. Remove redundant user definitions and old Caddy config blocks. --- .../authentication/authelia/default.nix | 84 ++++----- .../authentication/zitadel/default.nix | 37 ++-- .../services/communication/matrix/default.nix | 138 +++++++-------- .../services/development/forgejo/default.nix | 29 ++-- .../nixos/services/media/jellyfin/default.nix | 17 +- .../services/media/nextcloud/default.nix | 29 ++-- .../services/networking/caddy/default.nix | 40 +++++ .../services/security/vaultwarden/default.nix | 35 ++-- packages/studio/default.nix | 164 +++++++++--------- systems/x86_64-linux/ulmo/default.nix | 21 ++- 10 files changed, 308 insertions(+), 286 deletions(-) create mode 100644 modules/nixos/services/networking/caddy/default.nix diff --git a/modules/nixos/services/authentication/authelia/default.nix b/modules/nixos/services/authentication/authelia/default.nix index 9990003..7aea103 100644 --- a/modules/nixos/services/authentication/authelia/default.nix +++ b/modules/nixos/services/authentication/authelia/default.nix 
@@ -1,16 +1,36 @@ -{ config, lib, pkgs, namespace, ... }: -let +{ + config, + lib, + pkgs, + namespace, + ... +}: let inherit (lib) mkIf mkEnableOption; user = "authelia-testing"; cfg = config.${namespace}.services.authentication.authelia; -in -{ +in { options.${namespace}.services.authentication.authelia = { enable = mkEnableOption "Authelia"; }; config = mkIf cfg.enable { + ${namespace}.services.networking.caddy = { + hosts = { + "auth.kruining.eu".extraConfig = '' + reverse_proxy http://127.0.0.1:9091 + ''; + }; + extraConfig = '' + (auth) { + forward_auth http://127.0.0.1:9091 { + uri /api/authz/forward-auth + copy_headers Remote-User Remote-Groups Remote-Email Remote-Name + } + } + ''; + }; + environment.systemPackages = with pkgs; [ authelia ]; @@ -112,8 +132,8 @@ in authorization_policy = "one_factor"; userinfo_signed_response_alg = "none"; consent_mode = "implicit"; - scopes = [ "openid" "profile" "groups" ]; - redirect_uris = [ "https://jellyfin.kruining.eu/sso/OID/redirect/authelia" ]; + scopes = ["openid" "profile" "groups"]; + redirect_uris = ["https://jellyfin.kruining.eu/sso/OID/redirect/authelia"]; } { client_id = "streamarr"; @@ -127,8 +147,8 @@ in authorization_policy = "one_factor"; userinfo_signed_response_alg = "none"; consent_mode = "implicit"; - scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ]; - redirect_uris = [ "http://localhost:3000/api/auth/oauth2/callback/authelia" ]; + scopes = ["offline_access" "openid" "email" "picture" "profile" "groups"]; + redirect_uris = ["http://localhost:3000/api/auth/oauth2/callback/authelia"]; } { client_id = "forgejo"; 
@@ -142,10 +162,10 @@ in authorization_policy = "one_factor"; userinfo_signed_response_alg = "none"; consent_mode = "implicit"; - scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ]; - response_types = [ "code" ]; - grant_types = [ "authorization_code" ]; - redirect_uris = [ "http://localhost:5002/user/oauth2/authelia/callback" ]; + scopes = ["offline_access" "openid" "email" "picture" "profile" "groups"]; + response_types = ["code"]; + grant_types = ["authorization_code"]; + redirect_uris = ["http://localhost:5002/user/oauth2/authelia/callback"]; } ]; }; @@ -195,48 +215,8 @@ in - jellyfin-users - admin - dev - - jacqueline: - disabled: false - displayname: Jacqueline Bevers - password: $argon2id$v=19$m=65536,t=3,p=4$XgN8yEJV+syAE5yeos3HsA$SlN+j/lJfxJ5VxLu2CdrwowlCiWQNNGhIrSyDpohq18 - groups: - - jellyfin-users - - martijn: - disabled: false - displayname: Martijn Kruining - password: $argon2id$v=19$m=65536,t=3,p=4$XgN8yEJV+syAE5yeos3HsA$SlN+j/lJfxJ5VxLu2CdrwowlCiWQNNGhIrSyDpohq18 - groups: - - jellyfin-users - - andrea: - disabled: false - displayname: Andrea Kruining - password: $argon2id$v=19$m=65536,t=3,p=4$XgN8yEJV+syAE5yeos3HsA$SlN+j/lJfxJ5VxLu2CdrwowlCiWQNNGhIrSyDpohq18 - groups: - - jellyfin-users ''; }; }; - - services.caddy = { - enable = true; - virtualHosts = { - "auth.kruining.eu".extraConfig = '' - reverse_proxy http://127.0.0.1:9091 - ''; - }; - extraConfig = '' - (auth) { - forward_auth http://127.0.0.1:9091 { - uri /api/authz/forward-auth - copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - } - } - ''; - }; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; }; } diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index aaf64f6..082330e 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix 
@@ -537,7 +537,25 @@ in }; in mkIf cfg.enable { - ${namespace}.services.persistance.postgresql.enable = true; + ${namespace}.services = { + persistance.postgresql.enable = true; + + networking.caddy = { + hosts = { + "auth.kruining.eu" = '' + reverse_proxy h2c://::1:9092 + ''; + }; + extraConfig = '' + (auth) { + forward_auth h2c://::1:9092 { + uri /api/authz/forward-auth + copy_headers Remote-User Remote-Groups Remote-Email Remote-Name + } + } + ''; + }; + }; environment.systemPackages = with pkgs; [ zitadel @@ -678,23 +696,6 @@ in } ]; }; - - caddy = { - enable = true; - virtualHosts = { - "auth.kruining.eu".extraConfig = '' - reverse_proxy h2c://::1:9092 - ''; - }; - extraConfig = '' - (auth) { - forward_auth h2c://::1:9092 { - uri /api/authz/forward-auth - copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - } - } - ''; - }; }; networking.firewall.allowedTCPPorts = [ 80 443 ]; diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix index 8bb79fe..21fe777 100644 --- a/modules/nixos/services/communication/matrix/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix 
@@ -25,6 +25,75 @@ in { ${namespace}.services = { persistance.postgresql.enable = true; # virtualisation.podman.enable = true; + + networking.caddy = { + # globalConfig = '' + # layer4 { + # 127.0.0.1:4004 + # route { + # proxy { + # upstream synapse:4004 + # } + # } + # } + # 127.0.0.1:4005 + # route { + # proxy { + # upstream synapse:4005 + # } + # } + # } + # } + # ''; + hosts = let + server = { + "m.server" = "${fqn}:443"; + }; + client = { + "m.homeserver".base_url = "https://${fqn}"; + "m.identity_server".base_url = "https://auth.${domain}"; + "org.matrix.msc3575.proxy".url = "https://${domain}"; + "org.matrix.msc4143.rtc_foci" = [ + { + type = "livekit"; + livekit_service_url = "https://${domain}/livekit/jwt"; + } + ]; + }; + in { + "${domain}, darkch.at" = '' + # Route for lk-jwt-service + handle /livekit/jwt* { + uri strip_prefix /livekit/jwt + reverse_proxy http://[::1]:${toString config.services.lk-jwt-service.port} { + header_up Host {host} + header_up X-Forwarded-Server {host} + header_up X-Real-IP {remote_host} + header_up X-Forwarded-For {remote_host} + } + } + + handle_path /livekit/sfu* { + reverse_proxy http://[::1]:${toString config.services.livekit.settings.port} { + header_up Host {host} + header_up X-Forwarded-Server {host} + header_up X-Real-IP {remote_host} + header_up X-Forwarded-For {remote_host} + } + } + + header /.well-known/matrix/* Content-Type application/json + header /.well-known/matrix/* Access-Control-Allow-Origin * + respond /.well-known/matrix/server `${toJSON server}` + respond /.well-known/matrix/client `${toJSON client}` + ''; + + "${fqn}" = '' + reverse_proxy /_matrix/* http://::1:${toString port} + reverse_proxy /_synapse/client/* http://::1:${toString port} + ''; + }; + }; }; services = { 
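Review bot: The two synapse upstreams in the `"${fqn}"` host use a bare IPv6 literal, `http://::1:${toString port}`, while the livekit lines a few lines above in the same hunk bracket it as `http://[::1]:…`; the bracketed form is the unambiguous one for an address followed by a port, and the bare form leaves the host/port split to whatever the upstream parser does with the extra colons. Suggest `reverse_proxy /_matrix/* http://[::1]:${toString port}` and the same for the `/_synapse/client/*` line. The same bare form appears in zitadel's first hunk (`h2c://::1:9092`). The enclosing `config` attrset continues past the end of the hunk.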
@@ -197,75 +266,6 @@ in { ]; }; - caddy = { - enable = true; - # globalConfig = '' - # layer4 { - # 127.0.0.1:4004 - # route { - # proxy { - # upstream synapse:4004 - # } - # } - # } - # 127.0.0.1:4005 - # route { - # proxy { - # upstream synapse:4005 - # } - # } - # } - # } - # ''; - virtualHosts = let - server = { - "m.server" = "${fqn}:443"; - }; - client = { - "m.homeserver".base_url = "https://${fqn}"; - "m.identity_server".base_url = "https://auth.${domain}"; - "org.matrix.msc3575.proxy".url = "https://${domain}"; - "org.matrix.msc4143.rtc_foci" = [ - { - type = "livekit"; - livekit_service_url = "https://${domain}/livekit/jwt"; - } - ]; - }; - in { - "${domain}, darkch.at".extraConfig = '' - # Route for lk-jwt-service - handle /livekit/jwt* { - uri strip_prefix /livekit/jwt - reverse_proxy http://[::1]:${toString config.services.lk-jwt-service.port} { - header_up Host {host} - header_up X-Forwarded-Server {host} - header_up X-Real-IP {remote_host} - header_up X-Forwarded-For {remote_host} - } - } - - handle_path /livekit/sfu* { - reverse_proxy http://[::1]:${toString config.services.livekit.settings.port} { - header_up Host {host} - header_up X-Forwarded-Server {host} - header_up X-Real-IP {remote_host} - header_up X-Forwarded-For {remote_host} - } - } - - header /.well-known/matrix/* Content-Type application/json - header /.well-known/matrix/* Access-Control-Allow-Origin * - respond /.well-known/matrix/server `${toJSON server}` - respond /.well-known/matrix/client `${toJSON client}` - ''; - "${fqn}".extraConfig = '' - reverse_proxy /_matrix/* http://::1:${toString port} - reverse_proxy /_synapse/client/* http://::1:${toString port} - ''; - }; - }; - livekit = { enable = true; openFirewall = true; diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index dfae9f0..f190b0c 100644 --- a/modules/nixos/services/development/forgejo/default.nix 
+++ b/modules/nixos/services/development/forgejo/default.nix @@ -28,6 +28,20 @@ in { ${namespace}.services = { persistance.postgresql.enable = true; virtualisation.podman.enable = true; + + networking.caddy = { + hosts = { + "${domain}" = '' + # import auth + + # stupid dumb way to prevent the login page and go to zitadel instead + # be aware that this does not disable local login at all! + # rewrite /user/login /user/oauth2/Zitadel + + reverse_proxy http://127.0.0.1:${toString cfg.port} + ''; + }; + }; }; environment.systemPackages = with pkgs; [forgejo]; @@ -168,21 +182,6 @@ in { }; }; }; - - caddy = { - enable = true; - virtualHosts = { - "${domain}".extraConfig = '' - # import auth - - # stupid dumb way to prevent the login page and go to zitadel instead - # be aware that this does not disable local login at all! - # rewrite /user/login /user/oauth2/Zitadel - - reverse_proxy http://127.0.0.1:${toString cfg.port} - ''; - }; - }; }; users = { diff --git a/modules/nixos/services/media/jellyfin/default.nix b/modules/nixos/services/media/jellyfin/default.nix index d4323f3..de19896 100644 --- a/modules/nixos/services/media/jellyfin/default.nix +++ b/modules/nixos/services/media/jellyfin/default.nix @@ -17,6 +17,14 @@ in { }; config = mkIf cfg.enable { + ${namespace}.services.networking.caddy = { + hosts = { + "jellyfin.kruining.eu" = '' + reverse_proxy http://[::1]:8096 + ''; + }; + }; + environment.systemPackages = with pkgs; [ jellyfin jellyfin-web @@ -34,15 +42,6 @@ in { user = "media"; group = "media"; }; - - caddy = { - enable = true; - virtualHosts = { - "jellyfin.kruining.eu".extraConfig = '' - reverse_proxy http://[::1]:8096 - ''; - }; - }; }; systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL"; diff --git a/modules/nixos/services/media/nextcloud/default.nix b/modules/nixos/services/media/nextcloud/default.nix index 14d6863..06904c6 100644 --- a/modules/nixos/services/media/nextcloud/default.nix 
+++ b/modules/nixos/services/media/nextcloud/default.nix @@ -1,11 +1,15 @@ -{ config, lib, pkgs, namespace, ... }: -let +{ + config, + lib, + pkgs, + namespace, + ... +}: let inherit (lib) mkIf mkEnableOption mkOption; inherit (lib.types) str; cfg = config.${namespace}.services.media.nextcloud; -in -{ +in { options.${namespace}.services.media.nextcloud = { enable = mkEnableOption "Nextcloud"; @@ -21,6 +25,14 @@ in }; config = mkIf cfg.enable { + ${namespace}.services.networking.caddy = { + hosts."cloud.kruining.eu" = '' + php_fastcgi unix//run/phpfpm/nextcloud.sock { + env front_controller_active true + } + ''; + }; + users = { users.${cfg.user} = { isSystemUser = true; @@ -75,14 +87,5 @@ in # startServices = true; # }; - - services.caddy = { - enable = true; - virtualHosts."cloud.kruining.eu".extraConfig = '' - php_fastcgi unix//run/phpfpm/nextcloud.sock { - env front_controller_active true - } - ''; - }; }; } diff --git a/modules/nixos/services/networking/caddy/default.nix b/modules/nixos/services/networking/caddy/default.nix new file mode 100644 index 0000000..b70f7ae --- /dev/null +++ b/modules/nixos/services/networking/caddy/default.nix @@ -0,0 +1,40 @@ +{ + config, + pkgs, + lib, + namespace, + ... +}: let + inherit (builtins) length; + inherit (lib) mkIf mkEnableOption mkOption types attrNames mapAttrs; + + cfg = config.${namespace}.services.networking.caddy; + hasHosts = (cfg.hosts |> attrNames |> length) > 0; +in { + options.${namespace}.services.networking.caddy = { + enable = mkEnableOption "enable caddy" // {default = true;}; + + hosts = mkOption { + type = types.attrsOf types.str; + }; + + extraConfig = mkOption { + type = types.str; + }; + }; + + config = mkIf hasHosts { + services.caddy = { + enable = cfg.enable; + + package = pkgs.caddy.withPlugins { + plugins = ["https://github.com/corazawaf/coraza-caddy@2.1.0"]; + hash = lib.fakeHash; + }; + + virtualHosts = + cfg.hosts + |> mapAttrs (host: extraConfig: {inherit extraConfig;}); + }; + }; +} 
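Review bot: `extraConfig` is declared as an option but the `config` block never forwards it — `services.caddy` receives only `enable`, `package` and `virtualHosts` — so the `(auth)` forward_auth snippet that authelia and zitadel now set through this option is silently dropped, and any host doing `import auth` will fail to load. `hosts` and `extraConfig` also have no `default`, so `hasHosts` evaluates `cfg.hosts` and errors on any system that imports the module without defining a host, and `types.str` rejects differing definitions from two modules while `types.lines` would concatenate them. Nothing here opens 80/443 either, yet authelia's last hunk removes its `networking.firewall.allowedTCPPorts` rule and only zitadel keeps one, so every proxied host is reachable only while zitadel is enabled; the module that enables the listener should own the firewall rule. The `coraza-caddy` plugin is compiled in but, as far as this series shows, no host or global config references it, so it is not yet enforcing anything.
```nix
    hosts = mkOption {
      type = types.attrsOf types.str;
      default = {};
    };

    extraConfig = mkOption {
      type = types.lines;
      default = "";
    };
  };

  config = mkIf hasHosts {
    # Caddy is the listener on these ports; keep the rule with the module that enables it.
    networking.firewall.allowedTCPPorts = [80 443];

    services.caddy = {
      enable = cfg.enable;
      extraConfig = cfg.extraConfig;
      # … unchanged: package, virtualHosts …
    };
  };
```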
diff --git a/modules/nixos/services/security/vaultwarden/default.nix b/modules/nixos/services/security/vaultwarden/default.nix index 07f7058..7dce380 100644 --- a/modules/nixos/services/security/vaultwarden/default.nix +++ b/modules/nixos/services/security/vaultwarden/default.nix @@ -91,6 +91,22 @@ in { }; config = mkIf cfg.enable { + ${namespace}.services.networking.caddy.hosts = { + "vault.kruining.eu" = '' + encode zstd gzip + + handle_path /admin { + respond 401 { + close + } + } + + reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} { + header_up X-Real-IP {remote_host} + } + ''; + }; + systemd.tmpfiles.rules = [ "d '/var/lib/vaultwarden' 0700 vaultwarden vaultwarden - -" ]; @@ -150,25 +166,6 @@ in { } ]; }; - - caddy = { - enable = true; - virtualHosts = { - "vault.kruining.eu".extraConfig = '' - encode zstd gzip - - handle_path /admin { - respond 401 { - close - } - } - - reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} { - header_up X-Real-IP {remote_host} - } - ''; - }; - }; }; sops = { diff --git a/packages/studio/default.nix b/packages/studio/default.nix index 84610a3..1e6b457 100644 --- a/packages/studio/default.nix +++ b/packages/studio/default.nix 
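Review bot: The `handle_path /admin` block in the `vault.kruining.eu` host matches only the exact path `/admin`; Caddy path matchers are exact unless they end in `*`, so `/admin/` and every sub-route of the admin interface fall through to the `reverse_proxy` line below it. If the intent is to keep the whole admin area off the public hostname, use a prefix matcher, `handle_path /admin* {`. The block is copied verbatim from the old `services.caddy` config removed in the second hunk, so the gap is pre-existing, but it is worth closing while the code moves; the proxy rule also should not be the only guard, since vaultwarden itself keeps the admin page disabled when no admin token is configured.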
@@ -1,105 +1,109 @@ -{ pkgs, inputs }: let +{ + pkgs, + inputs, +}: let inherit (builtins) fetchurl; - inherit (pkgs) makeDesktopItem copyDesktopItems wineWowPackages; + inherit (pkgs) makeDesktopItem copyDesktopItems wineWow64Packages; inherit (inputs.erosanix.lib.x86_64-linux) mkWindowsAppNoCC makeDesktopIcon copyDesktopIcons; - wine = wineWowPackages.base; -in mkWindowsAppNoCC rec { - inherit wine; + wine = wineWow64Packages.base; +in + mkWindowsAppNoCC rec { + inherit wine; - pname = "studio"; - version = "2.25.4"; + pname = "studio"; + version = "2.25.4"; - src = fetchurl { - url = "https://studio.download.bricklink.info/Studio2.0+EarlyAccess/Archive/2.25.12_1/Studio+2.0+EarlyAccess.exe"; - sha256 = "sha256:1xl3zvzkzr64zphk7rnpfx3whhbaykzw06m3nd5dc12r2p4sdh3v"; - }; + src = fetchurl { + url = "https://studio.download.bricklink.info/Studio2.0+EarlyAccess/Archive/2.25.12_1/Studio+2.0+EarlyAccess.exe"; + sha256 = "sha256:1xl3zvzkzr64zphk7rnpfx3whhbaykzw06m3nd5dc12r2p4sdh3v"; + }; - enableMonoBootPrompt = false; - dontUnpack = true; + enableMonoBootPrompt = false; + dontUnpack = true; - wineArch = "win64"; - enableInstallNotification = true; + wineArch = "win64"; + enableInstallNotification = true; - fileMap = { - "$HOME/.config/${pname}/Stud.io" = "drive_c/users/$USER/AppData/Local/Stud.io"; - "$HOME/.config/${pname}/Bricklink" = "drive_c/users/$USER/AppData/LocalLow/Bricklink"; - }; + fileMap = { + "$HOME/.config/${pname}/Stud.io" = "drive_c/users/$USER/AppData/Local/Stud.io"; + "$HOME/.config/${pname}/Bricklink" = "drive_c/users/$USER/AppData/LocalLow/Bricklink"; + }; - fileMapDuringAppInstall = false; + fileMapDuringAppInstall = false; - persistRegistry = false; - persistRuntimeLayer = true; - inputHashMethod = "version"; + persistRegistry = false; + persistRuntimeLayer = true; + inputHashMethod = "version"; - # Can be used to precisely select the Direct3D implementation. 
- # - # | enableVulkan | rendererOverride | Direct3D implementation | - # |--------------|------------------|-------------------------| - # | false | null | OpenGL | - # | true | null | Vulkan (DXVK) | - # | * | dxvk-vulkan | Vulkan (DXVK) | - # | * | wine-opengl | OpenGL | - # | * | wine-vulkan | Vulkan (VKD3D) | - enableVulkan = false; - rendererOverride = null; + # Can be used to precisely select the Direct3D implementation. + # + # | enableVulkan | rendererOverride | Direct3D implementation | + # |--------------|------------------|-------------------------| + # | false | null | OpenGL | + # | true | null | Vulkan (DXVK) | + # | * | dxvk-vulkan | Vulkan (DXVK) | + # | * | wine-opengl | OpenGL | + # | * | wine-vulkan | Vulkan (VKD3D) | + enableVulkan = false; + rendererOverride = null; - enableHUD = false; + enableHUD = false; - enabledWineSymlinks = { }; - graphicsDriver = "auto"; - inhibitIdle = false; + enabledWineSymlinks = {}; + graphicsDriver = "auto"; + inhibitIdle = false; - nativeBuildInputs = [ copyDesktopIcons copyDesktopItems ]; + nativeBuildInputs = [copyDesktopIcons copyDesktopItems]; - winAppInstall = '' - wine64 ${src} + winAppInstall = '' + wine64 ${src} - wineserver -W - wine64 reg add 'HKEY_CURRENT_USER\Software\Wine\X11 Driver' /t REG_SZ /v UseTakeFocus /d N /f - ''; + wineserver -W + wine64 reg add 'HKEY_CURRENT_USER\Software\Wine\X11 Driver' /t REG_SZ /v UseTakeFocus /d N /f + ''; - winAppPreRun = '' - wineserver -W - wine64 reg add 'HKEY_CURRENT_USER\Software\Wine\X11 Driver' /t REG_SZ /v UseTakeFocus /d N /f - ''; + winAppPreRun = '' + wineserver -W + wine64 reg add 'HKEY_CURRENT_USER\Software\Wine\X11 Driver' /t REG_SZ /v UseTakeFocus /d N /f + ''; - winAppRun = '' - wine64 "$WINEPREFIX/drive_c/Program Files/Studio 2.0/Studio.exe" "$ARGS" - ''; + winAppRun = '' + wine64 "$WINEPREFIX/drive_c/Program Files/Studio 2.0/Studio.exe" "$ARGS" + ''; - winAppPostRun = ""; - installPhase = '' - runHook preInstall + winAppPostRun = ""; + installPhase 
= '' + runHook preInstall - ln -s $out/bin/.launcher $out/bin/${pname} + ln -s $out/bin/.launcher $out/bin/${pname} - runHook postInstall - ''; + runHook postInstall + ''; - desktopItems = [ - (makeDesktopItem { - mimeTypes = []; + desktopItems = [ + (makeDesktopItem { + mimeTypes = []; + name = pname; + exec = pname; + icon = pname; + desktopName = "Bricklink studio"; + genericName = "Lego creation app"; + categories = []; + }) + ]; + + desktopIcon = makeDesktopIcon { name = pname; - exec = pname; - icon = pname; - desktopName = "Bricklink studio"; - genericName = "Lego creation app"; - categories = []; - }) - ]; + src = ./studio.png; + }; - desktopIcon = makeDesktopIcon { - name = pname; - src = ./studio.png; - }; - - meta = { - description = "App for creating lego builds"; - homepage = "https://www.bricklink.com/v3/studio/main.page"; - license = ""; - maintainers = []; - platforms = [ "x86_64-linux" ]; - }; -} + meta = { + description = "App for creating lego builds"; + homepage = "https://www.bricklink.com/v3/studio/main.page"; + license = ""; + maintainers = []; + platforms = ["x86_64-linux"]; + }; + } diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 7440933..43a5760 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -27,17 +27,6 @@ }; }; - # Expose amarht cloud stuff like this until I have a proper solution - services.caddy.virtualHosts = { - "auth.amarth.cloud".extraConfig = '' - reverse_proxy http://192.168.1.223:9092 - ''; - - "amarth.cloud".extraConfig = '' - reverse_proxy http://192.168.1.223:8080 - ''; - }; - # virtualisation = { # containers.enable = true; # podman = { 
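Review bot: `version = "2.25.4"` no longer matches the pinned source, whose URL names the `2.25.12_1` archive, and with `inputHashMethod = "version"` the version string appears to be what keys the installed prefix, so a source bump that leaves `version` untouched may not be picked up (inferred from the option name; confirm against mkWindowsAppNoCC). Suggest `version = "2.25.12";` and deriving the URL from it, e.g. `url = "https://studio.download.bricklink.info/Studio2.0+EarlyAccess/Archive/${version}_1/Studio+2.0+EarlyAccess.exe";`, keeping the `sha256` pin so the vendor binary stays integrity-checked. The rest of this hunk is a re-indent plus the `wineWowPackages` → `wineWow64Packages` swap.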
@@ -204,6 +193,16 @@ development.forgejo.enable = true; networking.ssh.enable = true; + networking.caddy.hosts = { + # Expose amarht cloud stuff like this until I have a proper solution + "auth.amarth.cloud" = '' + reverse_proxy http://192.168.1.223:9092 + ''; + + "amarth.cloud" = '' + reverse_proxy http://192.168.1.223:8080 + ''; + }; media.enable = true; media.glance.enable = true; From e69a7a86698a05fb2045a3f5d3af78f383d946f1 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 4 Mar 2026 09:55:43 +0100 Subject: [PATCH 02/13] Update machine docstring --- .just/machine.just | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.just/machine.just b/.just/machine.just index 8d0d37f..cf1c8f7 100644 --- a/.just/machine.just +++ b/.just/machine.just @@ -4,7 +4,7 @@ @list: ls -1 ../systems/x86_64-linux/ -[doc('Update the target machine')] +[doc('Update target machine')] [no-exit-message] @update machine: cd .. && just vars _check {{ machine }} From a97c244c4f94c4643a2aad4914c1f7490fb64ffa Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 4 Mar 2026 10:43:57 +0100 Subject: [PATCH 03/13] Update Caddy plugin source and clear hash in config --- modules/nixos/services/networking/caddy/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/nixos/services/networking/caddy/default.nix b/modules/nixos/services/networking/caddy/default.nix index b70f7ae..2274efa 100644 --- a/modules/nixos/services/networking/caddy/default.nix +++ b/modules/nixos/services/networking/caddy/default.nix @@ -28,8 +28,8 @@ in { enable = cfg.enable; package = pkgs.caddy.withPlugins { - plugins = ["https://github.com/corazawaf/coraza-caddy@2.1.0"]; - hash = lib.fakeHash; + plugins = ["github.com/corazawaf/coraza-caddy/v2@2.1.0"]; + hash = ""; }; virtualHosts = From 95ae5b8b836132315654a36ec41f95fe7188014f Mon Sep 17 00:00:00 2001 
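Review bot: `hash = ""` leaves the plugin build unpinned: `withPlugins` resolves the Go module set through a fixed-output derivation, so an empty hash makes the first build stop with a mismatch report instead of producing a usable caddy, and as committed the module does not evaluate to a buildable system until the reported value is pasted in. Replace it with the hash Nix prints, e.g. `hash = "sha256-<hash reported by the failed build>";`. As far as this series shows, no host or global config references the coraza directive, so the plugin is compiled in but not yet enforcing anything; that is reasonable for a staged rollout but deserves a comment next to `package` saying so.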
From: Chris Kruining Date: Wed, 4 Mar 2026 10:44:11 +0100 Subject: [PATCH 04/13] Refactor sabnzbd config to use settings and secretFiles Switch sabnzbd configuration to use the settings and secretFiles options instead of a static config file. Add support for nzbkey secret. Update sops template to include nzb_key and remove duplicated server and misc settings. --- .../nixos/services/media/servarr/default.nix | 49 +++++++++---------- 1 file changed, 24 insertions(+), 25 deletions(-) diff --git a/modules/nixos/services/media/servarr/default.nix b/modules/nixos/services/media/servarr/default.nix index bc911f7..e64c6fe 100644 --- a/modules/nixos/services/media/servarr/default.nix +++ b/modules/nixos/services/media/servarr/default.nix @@ -98,8 +98,28 @@ in { sabnzbd = { enable = true; openFirewall = true; - configFile = "/var/media/sabnzbd/config.ini"; - # configFile = config.sops.templates."sabnzbd/config.ini".path; + + secretFiles = [ + config.sops.templates."sabnzbd/config.ini".path + ]; + + settings = { + misc = { + port = 2009; + + download_dir = "/var/media/downloads/incomplete"; + complete_dir = "/var/media/downloads/done"; + }; + + servers = { + "news.sunnyusenet.com" = { + displayname = "news.sunnyusenet.com"; + host = "news.sunnyusenet.com"; + port = 563; + timeout = 60; + }; + }; + }; user = "sabnzbd"; group = "media"; @@ -402,6 +422,7 @@ in { secrets = { "qbittorrent/password" = {}; "sabnzbd/apikey" = {}; + "sabnzbd/nzbkey" = {}; "sabnzbd/sunnyweb/username" = {}; "sabnzbd/sunnyweb/password" = {}; }; 
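Review bot: The new `settings.servers."news.sunnyusenet.com"` entry keeps `port = 563` but drops the `ssl = 1` and `ssl_verify = 3` lines the old template carried (removed in the third hunk of this file), and neither `settings` nor the trimmed sops template re-adds them; unless sabnzbd infers TLS from the port — which I would not rely on — the server is now configured for a plaintext NNTP session on the TLS port, so the credentials the template still injects would either go out in the clear or the connection would fail. Add `ssl = 1; ssl_verify = 3;` next to `timeout = 60;` so the transport settings live beside the rest of the server definition. The `__version__ = 19` header was dropped from the template as well; if `secretFiles` are merged into the generated config rather than parsed standalone that is harmless, but worth confirming.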
@@ -428,36 +449,14 @@ in { group = "media"; mode = "0660"; content = '' - __version__ = 19 - __encoding__ = utf-8 [misc] - download_dir = /var/media/downloads/incomplete - complete_dir = /var/media/downloads/done api_key = ${config.sops.placeholder."sabnzbd/apikey"} - log_dir = logs + nzb_key = ${config.sops.placeholder."sabnzbd/nzbkey"} [servers] [[news.sunnyusenet.com]] - name = news.sunnyusenet.com - displayname = news.sunnyusenet.com - host = news.sunnyusenet.com - port = 563 - timeout = 60 username = ${config.sops.placeholder."sabnzbd/sunnyweb/username"} password = ${config.sops.placeholder."sabnzbd/sunnyweb/password"} - connections = 8 - ssl = 1 - ssl_verify = 3 - ssl_ciphers = "" - enable = 1 - required = 0 - optional = 0 - retention = 0 - expire_date = "" - quota = "" - usage_at_start = 0 - priority = 1 - notes = "" ''; }; }; From 3ae310f2e19da24ad27a0fc0194bb424dd3c0674 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 4 Mar 2026 09:45:12 +0000 Subject: [PATCH 05/13] chore(secrets): set secret "sabnzbd/nzbkey" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 729bed1..026b948 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -35,6 +35,7 @@ sabnzbd: password: ENC[AES256_GCM,data:flw8AahqO1Mx,iv:Qhu8iVWMzzqy18y8dj3aHoBnSZatm74/tYvZ456l2sA=,tag:sCYBdw7kD0zJZFFr5EyPIQ==,type:str] username: ENC[AES256_GCM,data:IboJ8WDWuVNgvrk7c3V8I5S6Xg==,iv:BRohMuQFQz2S+HFasIaok6npT3C5v/SlhAhbLQXfB0s=,tag:M3/u0WBQ3AufHqe4DCtsrA==,type:str] apikey: ENC[AES256_GCM,data:j5sPXKbBhMdNHOuoTfZ+c8nGu5JameOgK2z428iLdP01Hi6MvHVaN8Zs8YxMoSBtOjdtIEC8MS+3m1S1rU/P4pCRfZpK5ua1DBHq4l0xROUqokFWjDcAmJJv3pYXl0cQxQcGKQ==,iv:v5hu3gmO1Zn1FfXkHLPGN9f7JOcQjzoQahdqJwfM+xY=,tag:uI1LFcTgcyRgAaTJ1kzKow==,type:str] + nzbkey: ENC[AES256_GCM,data:tGFnZ24XNI7U8pVYq45ENSVTeVkkcWfT5/NewqSJ3sm7Bexxml/PFTMBIl+97mWzNMMFklBurX/115P06NHCj1mxEvIjIc1bF4yuYhZFdSTlqRVWaESE/Ei7gke758FCt37N43wADgaKj4i5jizDHJMIbaw8ncP3qBSCy1F4BAU=,iv:RA+3oYGhVLBG+ikHMwBG3t2iN15lGsncdmlkfF6vJhY=,tag:6FNM18KCSzzpIXYDpQfHSg==,type:str] whisparr: apikey: ENC[AES256_GCM,data:kIGCsd4mszm90PoQMzlSEBKw9Ow0GvP1qdLtwXYKkAb6b65l89v8lMWJ2X1MyD2gJX+P+Bv1F/2BSjUFXErq/UYnp4dAjwKi/ezGCbhjMutDM1FvwFWEHRnR3gjd9uXPWJ8Xhg==,iv:98aPQlcZHJovpnzACDs6RtKblLnHg6wyi+Er5DAowj8=,tag:Tl8jz/pWYWAtBCfoztKdyw==,type:str] coturn: @@ -59,7 +60,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-02-25T07:35:41Z" - mac: ENC[AES256_GCM,data:UKAWLSj/OpyCGj1U9rhCX2rQr5E2CXodU+Z5RZddTdFis1+1opw7GLr+2s4OTRbREdZsNP3JSoXycgCssf4na88p/PTZh/VUa9ymbRr9eTacJq6ZkqRC5J8WyDK6gI+Qv4gv5CxdxZd92vUa4uXlwrZ4VsYepvrrkatCe9YTA9w=,iv:dkm+hkdyzJsIXp4uB36wYa/uzl8VA7LwhmvQT3hQlog=,tag:zHxeEze6RVfTCcduVkwuoQ==,type:str] + lastmodified: "2026-03-04T09:45:11Z" + mac: ENC[AES256_GCM,data:MHxByUlNdiK5/knEtWjHcCN6dpZ8x7h62d2TCCSOnFYGs2RbOmKbh6jsslVg2rVpapF/P8ZysAg2lRCSjils1csoFI3fclgXJtxG0g24v2OtpN2Ny0tLixNVGi++PxFayZUsjfBMh/cHIJgstieSFTR3vl7/SMvo5HsxHBvPhmE=,iv:v9HD9QrQSABnYJd/YtGIOwBP5tT3FL9QUoogl7m/7bI=,tag:+L0rljfs6LDkX6/SYzDt4Q==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 
From 9b2bc8e6047c68cb7ddbdb133abf927ec07faebc Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 5 Mar 2026 08:24:46 +0000 Subject: [PATCH 06/13] chore(secrets): set secret "qbittorrent/password" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 026b948..fe42e2d 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -25,7 +25,7 @@ mydia: guardian_secret: ENC[AES256_GCM,data:OjnNFSHlecL+qXwlhTm++itRM6ga5E5KrSJxbgIUpbMEkIWgu3xhRtnPdipXbedgall0XdO/s+jnWCagZX94BA==,iv:DukdKvm9vey8BWUiml20tgA/Vji1XVX4+sUPge9nTk0=,tag:q3HdvgUYqR0APiaFz0ul5Q==,type:str] qbittorrent: password_hash: ENC[AES256_GCM,data:yCfCslj01wtfwzzPOGlwA6wLLf+EUuEweYa3ZxvDtd/VGMxuV38quV+ob1Of+W0UH3+U4Qmgh4BK3I3IJZuKOvNdkZ0i81YBwW6cgvZUmnxwh8wokpNzxCKbYk5nF7y7SaGEdzQLvV7ad3fNMJsQ+s2zCsKWbm+j8Bwgq0E=,iv:IIktPS9pYXaYPzH0r4wrkp31CpunKnr70Ainu6hOeWY=,tag:bYCfhDfIwiQZ1tKAvITewQ==,type:str] - password: ENC[AES256_GCM,data:UepYY6UjJV/jo2aXTOEnKRtsjSqOSYPQlKlrAa7rf9rdnt2UXGjCkvN+A72pICuIBCAmhXZBAUMvmWTV9trk6NREHe0cY1xTC7pNv3x9TM/ZQmH498pbT/95pYAKwouHp9heJQ==,iv:FzjF+xPoaOp+gplxpz940V2dkWSTWe8dWUxexCoxxHc=,tag:TDZsboq9fEmmBrwJN/HTpQ==,type:str] + password: ENC[AES256_GCM,data:0UlgUE3IGShKbP6XdLQ6JCIjvyK7RwzRMP8mN4f2dUUQHXV1b0C2NGk4cy9YLKR7kBicbX0OojKV2k6766tjBHFeHUOfIPEoTv1VpRyoVwe6PQKThHLe4xK+kbWKq+9QXA1IaPr+KDw5odIusBCNPJbrGUOGjK2ROR7jWvWUdLw=,iv:LaQGvFXXNiS20nOj6n9OpUJ5miaDJ5t3zArhYCluGxY=,tag:kIYOVh8H4iGUyiDX8CT2FQ==,type:str] grafana: oidc_id: ENC[AES256_GCM,data:NVdIgCQ6nz4BSUDJYCKyILtK,iv:tcljy9PzC/yyd7TSdngyJt+uh60uXi2PKu47czErbaQ=,tag:zE4q3dD4UQaHIpGeZ1L48Q==,type:str] oidc_secret: ENC[AES256_GCM,data:b7qILK9ZHW2khtM1Hl/KdjCv3Wq6eOo2Ym/cbjcMB8/3Hn2UelpP4K4lFyiV3bn1/GF6Jl5Z7A0EwMybOx0InA==,iv:3HL/7BiyObwT8DmFxzNPI9CdmCH/4j/4oc9x7qBE1k0=,tag:dBhcq1zLKy6N+jp/v42R4A==,type:str] 
@@ -60,7 +60,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-04T09:45:11Z" - mac: ENC[AES256_GCM,data:MHxByUlNdiK5/knEtWjHcCN6dpZ8x7h62d2TCCSOnFYGs2RbOmKbh6jsslVg2rVpapF/P8ZysAg2lRCSjils1csoFI3fclgXJtxG0g24v2OtpN2Ny0tLixNVGi++PxFayZUsjfBMh/cHIJgstieSFTR3vl7/SMvo5HsxHBvPhmE=,iv:v9HD9QrQSABnYJd/YtGIOwBP5tT3FL9QUoogl7m/7bI=,tag:+L0rljfs6LDkX6/SYzDt4Q==,type:str] + lastmodified: "2026-03-05T08:24:45Z" + mac: ENC[AES256_GCM,data:fSys6LGZsgYyaF0MOL3pQzJwD4D+R/26Lk1rbgVwza9xuBY1xWXM8h1Uz9nbLjyOQ9gbFGiNCpX0+g1lxRY5jNdCYChVt0ubFNMFBGGRH4ASRDkPe+Y+7b/l9V7tMV5A4rOrJ0A3ur9FMnYptpdniCjb7Uyvp5yJr6fZYf4kAJA=,iv:no77DeCBgY+jhfUjAfU9PuOYZdmIF7bwnVJ/9nlRRAs=,tag:fLe6cEnw7Fazquk2VrjDig==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From fb8ead924a8214e273e980ae6d4b250341011e2c Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 5 Mar 2026 08:25:19 +0000 Subject: [PATCH 07/13] chore(secrets): set secret "qbittorrent/password_hash" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index fe42e2d..a30b644 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -24,7 +24,7 @@ mydia: secret_key_base: ENC[AES256_GCM,data:yG7HJ5r74Qtxbeyf8F6dA0uHv2pQ8YAJKlKiKjS+m24JRvJWQaTThJ+c5HbuUa6R3e9XtVHchhlVPkF0Is/b+g==,iv:v65xdRr4JdKZmBtjZ08/J3LLqnphSGt9QfVPNQ2x/xg=,tag:n7tD2dhr4IJn1LWM9WW8UA==,type:str] guardian_secret: ENC[AES256_GCM,data:OjnNFSHlecL+qXwlhTm++itRM6ga5E5KrSJxbgIUpbMEkIWgu3xhRtnPdipXbedgall0XdO/s+jnWCagZX94BA==,iv:DukdKvm9vey8BWUiml20tgA/Vji1XVX4+sUPge9nTk0=,tag:q3HdvgUYqR0APiaFz0ul5Q==,type:str] qbittorrent: - password_hash: ENC[AES256_GCM,data:yCfCslj01wtfwzzPOGlwA6wLLf+EUuEweYa3ZxvDtd/VGMxuV38quV+ob1Of+W0UH3+U4Qmgh4BK3I3IJZuKOvNdkZ0i81YBwW6cgvZUmnxwh8wokpNzxCKbYk5nF7y7SaGEdzQLvV7ad3fNMJsQ+s2zCsKWbm+j8Bwgq0E=,iv:IIktPS9pYXaYPzH0r4wrkp31CpunKnr70Ainu6hOeWY=,tag:bYCfhDfIwiQZ1tKAvITewQ==,type:str] + password_hash: ENC[AES256_GCM,data:A0X1YubbL7rbZV2vPCOY0cv3Imy3r+EY9CNWzJiiLril/EXlZlUC+vB2O/c2oK/lhrQc/OUG0Zejwzkitujnk9qkIpfUZh52D5ehSK5DYiedevpCtCFC4Uu16vxyZJVxCbU5Hj9Lbu+2MOdPFD7Fgk4K1E9TpNDuncaKCNI=,iv:dxA0t80pW+5KeNGtDCCEy9AlsCD+HqiTYo2smYJnkqw=,tag:9o1+rgwX9mfyuQ7YTAMLPQ==,type:str] password: ENC[AES256_GCM,data:0UlgUE3IGShKbP6XdLQ6JCIjvyK7RwzRMP8mN4f2dUUQHXV1b0C2NGk4cy9YLKR7kBicbX0OojKV2k6766tjBHFeHUOfIPEoTv1VpRyoVwe6PQKThHLe4xK+kbWKq+9QXA1IaPr+KDw5odIusBCNPJbrGUOGjK2ROR7jWvWUdLw=,iv:LaQGvFXXNiS20nOj6n9OpUJ5miaDJ5t3zArhYCluGxY=,tag:kIYOVh8H4iGUyiDX8CT2FQ==,type:str] grafana: oidc_id: ENC[AES256_GCM,data:NVdIgCQ6nz4BSUDJYCKyILtK,iv:tcljy9PzC/yyd7TSdngyJt+uh60uXi2PKu47czErbaQ=,tag:zE4q3dD4UQaHIpGeZ1L48Q==,type:str] 
@@ -60,7 +60,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-05T08:24:45Z" - mac: ENC[AES256_GCM,data:fSys6LGZsgYyaF0MOL3pQzJwD4D+R/26Lk1rbgVwza9xuBY1xWXM8h1Uz9nbLjyOQ9gbFGiNCpX0+g1lxRY5jNdCYChVt0ubFNMFBGGRH4ASRDkPe+Y+7b/l9V7tMV5A4rOrJ0A3ur9FMnYptpdniCjb7Uyvp5yJr6fZYf4kAJA=,iv:no77DeCBgY+jhfUjAfU9PuOYZdmIF7bwnVJ/9nlRRAs=,tag:fLe6cEnw7Fazquk2VrjDig==,type:str] + lastmodified: "2026-03-05T08:25:18Z" + mac: ENC[AES256_GCM,data:pg9M9RtPFezugxTgIQnmxBl2pjNJIJNOuvO+xTJ2jZIiZy4nRTdpnQmNzJtKKS3RN2wA+Ji18qilGL3L5Gy9K8YXa8dCnHZRd+BftBFxlTDUkZGUR34sDA8ljQmZ2ii+nqEocuLaYiY3qyiYyY5Fe2lJATpmQFNoWErQ2f1tNKk=,iv:YpPubbl+7PCLCotifbiAiSpVFyhz4poheY/Zc+bnLQI=,tag:qHMl9q/71XxEUDhtZpVV1Q==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 939cab4383fcd7ce1ccd82d77469a79a528b2aa5 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 5 Mar 2026 10:32:25 +0000 Subject: [PATCH 08/13] chore(secrets): set secret "qbittorrent/password_hash" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index a30b644..5b235d4 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -24,7 +24,7 @@ mydia: secret_key_base: ENC[AES256_GCM,data:yG7HJ5r74Qtxbeyf8F6dA0uHv2pQ8YAJKlKiKjS+m24JRvJWQaTThJ+c5HbuUa6R3e9XtVHchhlVPkF0Is/b+g==,iv:v65xdRr4JdKZmBtjZ08/J3LLqnphSGt9QfVPNQ2x/xg=,tag:n7tD2dhr4IJn1LWM9WW8UA==,type:str] guardian_secret: ENC[AES256_GCM,data:OjnNFSHlecL+qXwlhTm++itRM6ga5E5KrSJxbgIUpbMEkIWgu3xhRtnPdipXbedgall0XdO/s+jnWCagZX94BA==,iv:DukdKvm9vey8BWUiml20tgA/Vji1XVX4+sUPge9nTk0=,tag:q3HdvgUYqR0APiaFz0ul5Q==,type:str] qbittorrent: - password_hash: ENC[AES256_GCM,data:A0X1YubbL7rbZV2vPCOY0cv3Imy3r+EY9CNWzJiiLril/EXlZlUC+vB2O/c2oK/lhrQc/OUG0Zejwzkitujnk9qkIpfUZh52D5ehSK5DYiedevpCtCFC4Uu16vxyZJVxCbU5Hj9Lbu+2MOdPFD7Fgk4K1E9TpNDuncaKCNI=,iv:dxA0t80pW+5KeNGtDCCEy9AlsCD+HqiTYo2smYJnkqw=,tag:9o1+rgwX9mfyuQ7YTAMLPQ==,type:str] + password_hash: ENC[AES256_GCM,data:XPax8MLYtyRRBUIcH2Q36VSGh+0mtdt1GBAWnKsacOS0q1vIVaqek64w7Dcav/y1vNtIC6NeE1odCO1UvY8Ed+Y/NDVWSc3L1Sh0ZhcwgF9kqywQ5bBDmIHWF7Mcx+f7MHKjbWtycJGBObRYZnqEs4qeO8gaJUSfz0J2iUM=,iv:86kwmRSOusePAUISxrinoGaSJfAr3cSryM6A3gQBKG4=,tag:WNmVWBTv+vT1hfsKvhzoOg==,type:str] password: ENC[AES256_GCM,data:0UlgUE3IGShKbP6XdLQ6JCIjvyK7RwzRMP8mN4f2dUUQHXV1b0C2NGk4cy9YLKR7kBicbX0OojKV2k6766tjBHFeHUOfIPEoTv1VpRyoVwe6PQKThHLe4xK+kbWKq+9QXA1IaPr+KDw5odIusBCNPJbrGUOGjK2ROR7jWvWUdLw=,iv:LaQGvFXXNiS20nOj6n9OpUJ5miaDJ5t3zArhYCluGxY=,tag:kIYOVh8H4iGUyiDX8CT2FQ==,type:str] grafana: oidc_id: ENC[AES256_GCM,data:NVdIgCQ6nz4BSUDJYCKyILtK,iv:tcljy9PzC/yyd7TSdngyJt+uh60uXi2PKu47czErbaQ=,tag:zE4q3dD4UQaHIpGeZ1L48Q==,type:str] 
@@ -60,7 +60,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-05T08:25:18Z" - mac: ENC[AES256_GCM,data:pg9M9RtPFezugxTgIQnmxBl2pjNJIJNOuvO+xTJ2jZIiZy4nRTdpnQmNzJtKKS3RN2wA+Ji18qilGL3L5Gy9K8YXa8dCnHZRd+BftBFxlTDUkZGUR34sDA8ljQmZ2ii+nqEocuLaYiY3qyiYyY5Fe2lJATpmQFNoWErQ2f1tNKk=,iv:YpPubbl+7PCLCotifbiAiSpVFyhz4poheY/Zc+bnLQI=,tag:qHMl9q/71XxEUDhtZpVV1Q==,type:str] + lastmodified: "2026-03-05T10:32:25Z" + mac: ENC[AES256_GCM,data:Z73v4OqURDMyr8ZXs9SeZsjjY8BpH5T/E4fOJE0CAb13l0SD0MyPv7H7vZdhtiOftMk+LxxH48MaAjyC+7RQwJExA17hA+ZDcDT3JtnxX+35aBaZVPspKKHip5LXN1J2z32gcgW1+9qXhahP0H9RtkxckDSEL7zzyvM4Zji14j8=,iv:UbIqup450wzoAf1faDQfL39Emi97FZ54ZpIcqfe9dhs=,tag:hw2kpKQmR2I3kNK8N5QX/Q==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From d0b3a0f27cc58cd7bc186f09aaef9d03b66dfecc Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 5 Mar 2026 10:34:54 +0000 Subject: [PATCH 09/13] chore(secrets): removed secret "qbittorrent" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 5b235d4..4ca8a76 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -23,9 +23,6 @@ mydia: oidc_secret: ENC[AES256_GCM,data:PgI4hmP/3wt9uj+1QvCYcT8Wav0hgCRADouzWM3V695SSfXfbwDgez8tA/tm1/1jymAU2F2sZH8G2hZ1cdHyHQ==,iv:h3o3jsTmnoNE3+mGX12J3ZU0/6PlQNjdndEvaj/czj0=,tag:p3+p4E8fBtR7a8UpM8cUsg==,type:str] secret_key_base: ENC[AES256_GCM,data:yG7HJ5r74Qtxbeyf8F6dA0uHv2pQ8YAJKlKiKjS+m24JRvJWQaTThJ+c5HbuUa6R3e9XtVHchhlVPkF0Is/b+g==,iv:v65xdRr4JdKZmBtjZ08/J3LLqnphSGt9QfVPNQ2x/xg=,tag:n7tD2dhr4IJn1LWM9WW8UA==,type:str] guardian_secret: ENC[AES256_GCM,data:OjnNFSHlecL+qXwlhTm++itRM6ga5E5KrSJxbgIUpbMEkIWgu3xhRtnPdipXbedgall0XdO/s+jnWCagZX94BA==,iv:DukdKvm9vey8BWUiml20tgA/Vji1XVX4+sUPge9nTk0=,tag:q3HdvgUYqR0APiaFz0ul5Q==,type:str] -qbittorrent: - password_hash: ENC[AES256_GCM,data:XPax8MLYtyRRBUIcH2Q36VSGh+0mtdt1GBAWnKsacOS0q1vIVaqek64w7Dcav/y1vNtIC6NeE1odCO1UvY8Ed+Y/NDVWSc3L1Sh0ZhcwgF9kqywQ5bBDmIHWF7Mcx+f7MHKjbWtycJGBObRYZnqEs4qeO8gaJUSfz0J2iUM=,iv:86kwmRSOusePAUISxrinoGaSJfAr3cSryM6A3gQBKG4=,tag:WNmVWBTv+vT1hfsKvhzoOg==,type:str] - password: ENC[AES256_GCM,data:0UlgUE3IGShKbP6XdLQ6JCIjvyK7RwzRMP8mN4f2dUUQHXV1b0C2NGk4cy9YLKR7kBicbX0OojKV2k6766tjBHFeHUOfIPEoTv1VpRyoVwe6PQKThHLe4xK+kbWKq+9QXA1IaPr+KDw5odIusBCNPJbrGUOGjK2ROR7jWvWUdLw=,iv:LaQGvFXXNiS20nOj6n9OpUJ5miaDJ5t3zArhYCluGxY=,tag:kIYOVh8H4iGUyiDX8CT2FQ==,type:str] grafana: oidc_id: ENC[AES256_GCM,data:NVdIgCQ6nz4BSUDJYCKyILtK,iv:tcljy9PzC/yyd7TSdngyJt+uh60uXi2PKu47czErbaQ=,tag:zE4q3dD4UQaHIpGeZ1L48Q==,type:str] oidc_secret: ENC[AES256_GCM,data:b7qILK9ZHW2khtM1Hl/KdjCv3Wq6eOo2Ym/cbjcMB8/3Hn2UelpP4K4lFyiV3bn1/GF6Jl5Z7A0EwMybOx0InA==,iv:3HL/7BiyObwT8DmFxzNPI9CdmCH/4j/4oc9x7qBE1k0=,tag:dBhcq1zLKy6N+jp/v42R4A==,type:str] 
@@ -60,7 +57,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-05T10:32:25Z" - mac: ENC[AES256_GCM,data:Z73v4OqURDMyr8ZXs9SeZsjjY8BpH5T/E4fOJE0CAb13l0SD0MyPv7H7vZdhtiOftMk+LxxH48MaAjyC+7RQwJExA17hA+ZDcDT3JtnxX+35aBaZVPspKKHip5LXN1J2z32gcgW1+9qXhahP0H9RtkxckDSEL7zzyvM4Zji14j8=,iv:UbIqup450wzoAf1faDQfL39Emi97FZ54ZpIcqfe9dhs=,tag:hw2kpKQmR2I3kNK8N5QX/Q==,type:str] + lastmodified: "2026-03-05T10:34:53Z" + mac: ENC[AES256_GCM,data:l4TrQsZuFAF4Z5INhuTOB7GbFCKZroLIe4mewK4xkAHgFg8/euvxpjb5iGIP4G8gT/GtxDEx7hPea6rHS7plCEStX7+r6vNBNRIYxoOBjqPTCvA6kfO/kvMQLQKI9KaoVhWt41jM25WB6L27gMtHQXQbBaOojYXXPC0OiSf05d0=,iv:wJQEYuKe9SODI66MffST9FL6CaXIq5+DelVR/D4wqQM=,tag:xbFx85ghCR4rRaSTc3lGQg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 2c7890152b87464151eb5969b0e823aec6d8a029 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 5 Mar 2026 10:38:18 +0000 Subject: [PATCH 10/13] chore(secrets): set secret "qbittorrent/password" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 4ca8a76..e661d8d 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -37,6 +37,8 @@ whisparr: apikey: ENC[AES256_GCM,data:kIGCsd4mszm90PoQMzlSEBKw9Ow0GvP1qdLtwXYKkAb6b65l89v8lMWJ2X1MyD2gJX+P+Bv1F/2BSjUFXErq/UYnp4dAjwKi/ezGCbhjMutDM1FvwFWEHRnR3gjd9uXPWJ8Xhg==,iv:98aPQlcZHJovpnzACDs6RtKblLnHg6wyi+Er5DAowj8=,tag:Tl8jz/pWYWAtBCfoztKdyw==,type:str] coturn: secret: ENC[AES256_GCM,data:5RmLZ7vQIAvIzvax8oNJkImQ6vXR+MZ2eqxaBJCBlccnFC1rP16/6UtausXVf0eWysw+fpMW5yEmUtAdyxQoPiBCK8lziAZBdkekQnAvFouBaWy8WIZt6XRa71P4xDCDGudpMiGwGGNt+R9yylez+azaLrLyJM3481RPohDMoOM=,iv:2P83lgxGtHwYr+ApAdHopVfRWagxWlC+nt53API/SiQ=,tag:Qv+A03BE1QvEqJMtORiQVA==,type:str] +qbittorrent: + password: ENC[AES256_GCM,data:LIDxh0Ni0JgQGWFix/Ihw7IlUPgzMhrMlWNP5LKkAnEM6EoqA9kFwiPeizB0CZ20+vSqRiL9fikBf8qGLA17L7AKh8I4OTFDlpKpMRtRlMq9S5UBEyOqtOMcvkCSf6/qGoORd1KJSlaitZk47SYRuccOpy/2vAvbMRdLm0SYEqc=,iv:tQdN1N9kXoq7OZbR2eYyy50FltsMAAUI4Lr7U4/SpJE=,tag:3ZOLvjHXD7i7WFy1/Ggqtg==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -57,7 +59,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-05T10:34:53Z" - mac: ENC[AES256_GCM,data:l4TrQsZuFAF4Z5INhuTOB7GbFCKZroLIe4mewK4xkAHgFg8/euvxpjb5iGIP4G8gT/GtxDEx7hPea6rHS7plCEStX7+r6vNBNRIYxoOBjqPTCvA6kfO/kvMQLQKI9KaoVhWt41jM25WB6L27gMtHQXQbBaOojYXXPC0OiSf05d0=,iv:wJQEYuKe9SODI66MffST9FL6CaXIq5+DelVR/D4wqQM=,tag:xbFx85ghCR4rRaSTc3lGQg==,type:str] + lastmodified: "2026-03-05T10:38:18Z" + mac: ENC[AES256_GCM,data:NO8bgiwHyBOIS59XpwSQPUfIOLzcJeXmoUeXk2HI3HWUsZsGwYEilob73cLY74DiW/L6JmMpEAXNGSlyCigNqDREYTm3pFKVDnOAU3CfPxn9q0mmhQLNSXP4CbKKfegOky2QmU85mLhl53vY+WheWxT4hD6oam8Z5cCm1B4J4Yg=,iv:gxZyF/GxDg4q/J8mtV+nBHFNqh4LKTWJ3j/GjxE6YUE=,tag:9t5T/vbT8dvJq7VhvMjwpw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 13ca5cadd42aea85fe83f90cc8fb7afe0c9d1395 Mon Sep 17 00:00:00 2001 
From: chris Date: Thu, 5 Mar 2026 10:38:20 +0000 Subject: [PATCH 11/13] chore(secrets): set secret "qbittorrent/password_hash" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index e661d8d..005042c 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -39,6 +39,7 @@ coturn: secret: ENC[AES256_GCM,data:5RmLZ7vQIAvIzvax8oNJkImQ6vXR+MZ2eqxaBJCBlccnFC1rP16/6UtausXVf0eWysw+fpMW5yEmUtAdyxQoPiBCK8lziAZBdkekQnAvFouBaWy8WIZt6XRa71P4xDCDGudpMiGwGGNt+R9yylez+azaLrLyJM3481RPohDMoOM=,iv:2P83lgxGtHwYr+ApAdHopVfRWagxWlC+nt53API/SiQ=,tag:Qv+A03BE1QvEqJMtORiQVA==,type:str] qbittorrent: password: ENC[AES256_GCM,data:LIDxh0Ni0JgQGWFix/Ihw7IlUPgzMhrMlWNP5LKkAnEM6EoqA9kFwiPeizB0CZ20+vSqRiL9fikBf8qGLA17L7AKh8I4OTFDlpKpMRtRlMq9S5UBEyOqtOMcvkCSf6/qGoORd1KJSlaitZk47SYRuccOpy/2vAvbMRdLm0SYEqc=,iv:tQdN1N9kXoq7OZbR2eYyy50FltsMAAUI4Lr7U4/SpJE=,tag:3ZOLvjHXD7i7WFy1/Ggqtg==,type:str] + password_hash: ENC[AES256_GCM,data:urufJbSErLqPdU6jLLZk+27fe4k+cKLXcGRGSqroUDdGMzDnhSF+ZWuPxwDlJQR3ws2GnuiEASncwNO/SALKXFDk2V2gsKJ4hsjyiIbsqCwSEFB/XMY0nY/x0xrcIfMVE0HdrNYeQ3zT01Z5jQpSd7wo2M63LaULL/Av498=,iv:tnUVhOgrImKa6iii2hJZn5LKrySM5v47B2zDZMgmUow=,tag:g3xa/4Z+t1Q9Wnd4XzefLg==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -59,7 +60,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-05T10:38:18Z" - mac: ENC[AES256_GCM,data:NO8bgiwHyBOIS59XpwSQPUfIOLzcJeXmoUeXk2HI3HWUsZsGwYEilob73cLY74DiW/L6JmMpEAXNGSlyCigNqDREYTm3pFKVDnOAU3CfPxn9q0mmhQLNSXP4CbKKfegOky2QmU85mLhl53vY+WheWxT4hD6oam8Z5cCm1B4J4Yg=,iv:gxZyF/GxDg4q/J8mtV+nBHFNqh4LKTWJ3j/GjxE6YUE=,tag:9t5T/vbT8dvJq7VhvMjwpw==,type:str] + lastmodified: "2026-03-05T10:38:19Z" + mac: ENC[AES256_GCM,data:gS6YTRTl6UdOC7Afrj1LrkgA7MWRLF0HNWytfzhkvThLW+JJrHPEhvWiYrsPW1Bm6o2JkKqVP5HfzcuGNIHJySkEQ4HV02BbibtMNiUKqk+voATsWOpo6957bwRJaTbvDvxmzIQ38TSUoj/pt8Z8WTl0hSPAlqNlWYffXX0y8K4=,iv:53R2bKYKiHJi9DTecg7hiuGNb3Kj9rA2U/oPJ+AFO5I=,tag:5uqvmEJCaCS/yNqyt/FPZg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From a5de9aea3755c5eb9d5529030e460ff0ea0bf32f Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 5 Mar 2026 11:39:41 +0100 Subject: [PATCH 12/13] feat: add poor mans version of clan vars --- .just/vars.just | 18 ++++++++++++++++-- script/qbittorrent/hash.py | 19 +++++++++++++++++++ script/qbittorrent/password | 3 +++ script/qbittorrent/password_hash | 3 +++ 4 files changed, 41 insertions(+), 2 deletions(-) create mode 100644 script/qbittorrent/hash.py create mode 100644 script/qbittorrent/password create mode 100644 script/qbittorrent/password_hash diff --git a/.just/vars.just b/.just/vars.just index 2c16d1b..7f464fb 100644 --- a/.just/vars.just +++ b/.just/vars.just @@ -1,7 +1,7 @@ set unstable := true set quiet := true -base_path := invocation_directory() / "systems/x86_64-linux" +base_path := justfile_directory() + "/systems/x86_64-linux" _default: just --list vars 
@@ -25,7 +25,7 @@ edit machine: [doc('Get var by {key} from {machine}')] get machine key: - sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq ".$(echo "{{ key }}" | sed -E 's/\//./g')" + sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq ".$(echo "{{ key }}" | sed -E 's/\//./g') // \"\"" [doc('Remove var by {key} for {machine}')] remove machine key: @@ -36,6 +36,20 @@ remove machine key: echo "Done" +[doc('Remove var by {key} for {machine}')] +[script] +generate machine: + for key in $(nix eval --apply 'builtins.attrNames' --json ..#nixosConfigurations.{{ machine }}.config.sops.secrets | jq -r '.[]'); do + # Skip if there's no script + [ -f "{{ justfile_directory() }}/script/$key" ] || continue + + # Skip if we already have a value + [ $(just vars get {{ machine }} "$key" | jq -r) ] && continue + + echo "Executing script for $key" + just vars set {{ machine }} "$key" "$(cd -- "$(dirname "{{ justfile_directory() }}/script/$key")" && source "./$(basename $key)")" + done + [script] check: cd .. diff --git a/script/qbittorrent/hash.py b/script/qbittorrent/hash.py new file mode 100644 index 0000000..a92343f --- /dev/null +++ b/script/qbittorrent/hash.py @@ -0,0 +1,19 @@ +#!/usr/bin/bash + +import base64 +import hashlib +import sys +import uuid + +password = sys.argv[1] +salt = uuid.uuid4() +salt_bytes = salt.bytes + +password = str.encode(password) +hashed_password = hashlib.pbkdf2_hmac("sha512", password, salt_bytes, 100000, dklen=64) +b64_salt = base64.b64encode(salt_bytes).decode("utf-8") +b64_password = base64.b64encode(hashed_password).decode("utf-8") +password_string = "@ByteArray({salt}:{password})".format( + salt=b64_salt, password=b64_password +) +print(password_string) diff --git a/script/qbittorrent/password b/script/qbittorrent/password new file mode 100644 index 0000000..85fc69f --- /dev/null +++ b/script/qbittorrent/password @@ -0,0 +1,3 @@ +#!/bin/bash + +pwgen -s 128 1 
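Review bot: The `[doc(...)]` attribute on the new `generate` recipe is copied from `remove` (`Remove var by {key} for {machine}`) although the recipe takes no `{key}`; it should read something like `[doc('Generate missing vars for {machine} from scripts under script/')]`. The already-have-a-value test `[ $(just vars get {{ machine }} "$key" | jq -r) ]` uses an unquoted command substitution, so a stored value containing whitespace makes `[` exit with an error, the `&& continue` is skipped and the existing secret is regenerated and overwritten; `[ -n "$(just vars get {{ machine }} "$key" | jq -r)" ] && continue` avoids that. Unless a `script-interpreter` is set elsewhere, `[script]` recipes run under `sh -eu`, where `source` is not defined (POSIX spells it `.`), so the loop body may fail on the first matching key. Note also that the freshly generated secret is passed to `just vars set` as a command-line argument, which makes it briefly readable by every local user through the process table; if `set` can take the value on stdin, piping it is the safer shape.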
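Review bot: The shebang on the new `script/qbittorrent/hash.py` is `#!/usr/bin/bash` on a Python file; the wrapper invokes it as `python ./hash.py`, so it is never executed directly today, but anyone who does will get bash syntax errors — use `#!/usr/bin/env python3` or drop the line. The password is read from `sys.argv[1]`, so the plaintext sits in the process command line for the whole PBKDF2 computation and is readable by other local users; reading it from stdin (`password = sys.stdin.readline().rstrip("\n")`) and piping from the caller avoids that, and `os.urandom(16)` states the intent of the salt more directly than `uuid.uuid4().bytes`. There is also no argument check, so a missing value raises an `IndexError` instead of a usage message. A one-line comment that the parameters (sha512, 100000 iterations, 64-byte key, `@ByteArray(salt:hash)`) are chosen to match what qBittorrent stores in `Password_PBKDF2` would save the next reader from re-deriving that.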
diff --git a/script/qbittorrent/password_hash b/script/qbittorrent/password_hash new file mode 100644 index 0000000..86ba315 --- /dev/null +++ b/script/qbittorrent/password_hash @@ -0,0 +1,3 @@ +#!/bin/bash + +python ./hash.py "$(just vars get ulmo qbittorrent/password | jq -r)" From 8d46d0d60b1f06ed7510e83e4117e1ab99674417 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 5 Mar 2026 11:40:40 +0100 Subject: [PATCH 13/13] Update service configs and secrets handling - Add restartUnits and ownership to Matrix and Servarr secrets - Use sops secret for qbittorrent password hash - Refactor Cardigann indexer config in Servarr - Update Caddy plugin version and hash - Add debug output to machine update justfile --- .just/machine.just | 2 + .../services/communication/matrix/default.nix | 14 +- .../nixos/services/media/servarr/default.nix | 137 ++++++++++++++---- .../services/networking/caddy/default.nix | 4 +- 4 files changed, 126 insertions(+), 31 deletions(-) diff --git a/.just/machine.just b/.just/machine.just index cf1c8f7..420197a 100644 --- a/.just/machine.just +++ b/.just/machine.just @@ -7,6 +7,8 @@ [doc('Update target machine')] [no-exit-message] @update machine: + echo "Checking vars" cd .. && just vars _check {{ machine }} + echo "" just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | sed ':a;N;$!ba;s/\n/, /g')" nixos-rebuild switch -L --sudo --target-host {{ machine }} --build-host {{ machine }} --flake ..#{{ machine }} --log-format internal-json -v |& nom --json diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix index 21fe777..f20e1ac 100644 --- a/modules/nixos/services/communication/matrix/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix 
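Review bot: `script/qbittorrent/password_hash` hard-codes the machine name in `just vars get ulmo qbittorrent/password`, while the `generate` recipe that sources it (previous file, `.just/vars.just`) is parameterised by `{{ machine }}`, so generating for any other host would silently hash ulmo's password. The recipe can pass the machine through as a positional parameter, `source "./$(basename $key)" "{{ machine }}"`, and the script can then use `"${1:?machine}"` in place of `ulmo`; the same convention would apply to every future script under `script/`. Because the file is sourced rather than executed, the `#!/bin/bash` line has no effect on which shell interprets it, which is worth a comment so nobody relies on it.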
@@ -370,9 +370,17 @@ in { sops = { secrets = { - "synapse/oidc_id" = {}; - "synapse/oidc_secret" = {}; - "coturn/secret" = {}; + "synapse/oidc_id" = { + restartUnits = ["synapse-matrix.service"]; + }; + "synapse/oidc_secret" = { + restartUnits = ["synapse-matrix.service"]; + }; + "coturn/secret" = { + owner = config.systemd.services.coturn.serviceConfig.User; + group = config.systemd.services.coturn.serviceConfig.Group; + restartUnits = ["coturn.service"]; + }; }; templates = { diff --git a/modules/nixos/services/media/servarr/default.nix b/modules/nixos/services/media/servarr/default.nix index e64c6fe..f868313 100644 --- a/modules/nixos/services/media/servarr/default.nix +++ b/modules/nixos/services/media/servarr/default.nix @@ -86,7 +86,7 @@ in { Prefecences.WebUI = { Username = "admin"; - Password_PBKDF2 = "@ByteArray(JpfX3wSUcMolUFD+8AD67w==:fr5kmc6sK9xsCfGW6HkPX2K1lPYHL6g2ncLLwuOVmjphmxkwBJ8pi/XQDsDWzyM/MRh5zPhUld2Xqn8o7BWv3Q==)"; + Password_PBKDF2 = config.sops.secrets."qbittorrent/password_hash".path; }; }; @@ -94,11 +94,13 @@ in { group = "media"; }; - # port is harcoded in nixpkgs module sabnzbd = { enable = true; openFirewall = true; + allowConfigWrite = false; + configFile = lib.mkForce null; + secretFiles = [ config.sops.templates."sabnzbd/config.ini".path ]; @@ -113,6 +115,7 @@ in { servers = { "news.sunnyusenet.com" = { + name = "news.sunnyusenet.com"; displayname = "news.sunnyusenet.com"; host = "news.sunnyusenet.com"; port = 563; @@ -227,7 +230,6 @@ in { host = "localhost"; username = "admin"; password = lib.tfRef "var.qbittorrent_api_key"; - # password = "poChieN5feeph0igeaCadeJ9Xux0ohmuy6ruH5ieThaPheib3iuzoo0ahw1aiceif1feegioh9Aimau0pai5thoh5ieH0aechohw"; url_base = "/"; port = 2008; }; 
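Review bot: In the servarr hunk at `@@ -86,7 +86,7 @@`, `Password_PBKDF2 = config.sops.secrets."qbittorrent/password_hash".path;` assigns the secret's *path* (a `/run/secrets/...` string at evaluation time), not its content, so unless whatever serialises `Prefecences.WebUI` into qBittorrent's config knows to read that file at activation, the stored "hash" becomes the literal path string and the web UI password can never match. The usual sops-nix shape is a `sops.templates` entry containing `config.sops.placeholder."qbittorrent/password_hash"` that is rendered at activation — the sabnzbd block in the next hunk already uses a template this way — or whatever secret-file option the qbittorrent module provides. Moving the hash out of the world-readable Nix store is the right direction; the previously inlined hash stays in git history, so it is good that the underlying password was rotated in the earlier secrets commits.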
@@ -270,47 +272,126 @@ in { priority = 1; name = "Nyaa"; - implementation = "nyaa"; - config_contract = "nyaa_settings"; + implementation = "Cardigann"; + config_contract = "CardigannSettings"; protocol = "torrent"; fields = [ { - name = "targetType"; - value = ""; + name = "definitionFile"; + text_value = "nyaasi"; + } + { + name = "baseSettings.limitsUnit"; + number_value = 0; + } + { + name = "torrentBaseSettings.preferMagnetUrl"; + bool_value = false; + } + { + name = "prefer_magnet_links"; + bool_value = true; + } + { + name = "sonarr_compatibility"; + bool_value = false; + } + { + name = "strip_s01"; + bool_value = false; + } + { + name = "radarr_compatibility"; + bool_value = false; + } + { + name = "filter-id"; + number_value = 0; + } + { + name = "cat-id"; + number_value = 0; + } + { + name = "sort"; + number_value = 0; + } + { + name = "type"; + number_value = 1; } ]; }; - "nzbgeek" = { - enable = true; + # "_1337x" = { + # enable = true; - app_profile_id = 2; - priority = 1; + # app_profile_id = 1; + # priority = 1; - name = "NZBgeek"; - implementation = "nzbgeek"; - config_contract = "nzbgeek_settings"; - protocol = "torrent"; + # name = "1337x"; + # implementation = "Cardigann"; + # config_contract = "CardigannSettings"; + # protocol = "torrent"; + # tags = [1]; - fields = [ - ]; - }; + # fields = [ + # { + # name = "definitionFile"; + # text_value = "1337x"; + # } + # { + # name = "baseSettings.limitsUnit"; + # number_value = 0; + # } + # { + # name = "torrentBaseSettings.preferMagnetUrl"; + # bool_value = false; + # } + # { + # name = "disablesort"; + # bool_value = false; + # } + # { + # name = "sort"; + # number_value = 2; + # } + # { + # name = "type"; + # number_value = 1; + # } + # ]; + # }; # "nzbgeek" = { # enable = true; - # app_profile_id = 1; + # app_profile_id = 2; + # priority = 1; + # name = "NZBgeek"; - # implementation = "nzbgeek"; - # config_contract = "nzbgeek_settings"; - # protocol = "torrent"; + # implementation = "Newznab"; + # 
config_contract = "NewznabSettings"; + # protocol = "usenet"; # fields = [ - # # { - # # name = ""; - # # value = ""; - # # } + # { + # name = "baseUrl"; + # text_value = "https://api.nzbgeek.info"; + # } + # { + # name = "apiPath"; + # text_value = "/api"; + # } + # { + # name = "apiKey"; + # text_value = "__TODO_API_KEY_SECRET__"; + # } + # { + # name = "baseSettings.limitsUnit"; + # number_value = 5; + # } # ]; # }; }; @@ -421,6 +502,10 @@ in { { secrets = { "qbittorrent/password" = {}; + "qbittorrent/password_hash" = { + owner = "qbittorrent"; + group = "media"; + }; "sabnzbd/apikey" = {}; "sabnzbd/nzbkey" = {}; "sabnzbd/sunnyweb/username" = {}; diff --git a/modules/nixos/services/networking/caddy/default.nix b/modules/nixos/services/networking/caddy/default.nix index 2274efa..f17c737 100644 --- a/modules/nixos/services/networking/caddy/default.nix +++ b/modules/nixos/services/networking/caddy/default.nix @@ -28,8 +28,8 @@ in { enable = cfg.enable; package = pkgs.caddy.withPlugins { - plugins = ["github.com/corazawaf/coraza-caddy/v2@2.1.0"]; - hash = ""; + plugins = ["github.com/corazawaf/coraza-caddy/v2@v2.1.0"]; + hash = "sha256-AdL/LFKXbWmCsJ/xZWZmYBnw57c7sS6s1miR3sSx1Ow="; }; virtualHosts =
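Review bot: The `_1337x` and `nzbgeek` indexers are added as roughly eighty lines of commented-out Nix rather than as definitions with `enable = false;`, so they are never evaluated and will likely drift from the Cardigann field layout the `nyaa` entry now uses. If they are meant to be wired in later, keeping them as real attribute sets with `enable = false;` and a single `# TODO` keeps them evaluable; if not, dropping them keeps the module readable. The `__TODO_API_KEY_SECRET__` placeholder in the nzbgeek block should become a sops secret reference before that block is ever enabled, consistent with how `qbittorrent/password_hash` is handled in this commit. The enclosing `indexers` attribute set starts before this hunk.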