From 793866e621aa3e9bcc14148f0cee58e20070764f Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 9 Mar 2026 11:34:06 +0100 Subject: [PATCH 1/3] Refactor var generation and update service configs - Refactor var generation scripts to use _rotate helper - Update Glance service URLs to use configured ports - Set static password hash for qBittorrent in Servarr config - Update Caddy plugin hash - Remove oauth_auto_login from Grafana config - Add shared pwgen script for password generation --- .just/vars.just | 19 ++++++++++++------- .../nixos/services/media/glance/default.nix | 10 +++++----- .../nixos/services/media/servarr/default.nix | 5 ++++- .../services/networking/caddy/default.nix | 2 +- .../observability/grafana/default.nix | 1 - script/.shared/pwgen | 3 +++ 6 files changed, 25 insertions(+), 15 deletions(-) create mode 100644 script/.shared/pwgen diff --git a/.just/vars.just b/.just/vars.just index 7f464fb..62a8bd9 100644 --- a/.just/vars.just +++ b/.just/vars.just 
@@ -36,20 +36,25 @@ remove machine key: echo "Done" -[doc('Remove var by {key} for {machine}')] +[doc('Generate var values for {machine}')] [script] generate machine: for key in $(nix eval --apply 'builtins.attrNames' --json ..#nixosConfigurations.{{ machine }}.config.sops.secrets | jq -r '.[]'); do - # Skip if there's no script - [ -f "{{ justfile_directory() }}/script/$key" ] || continue - # Skip if we already have a value - [ $(just vars get {{ machine }} "$key" | jq -r) ] && continue + [ $(just vars get "{{ machine }}" "$key" | jq -r) ] && continue - echo "Executing script for $key" - just vars set {{ machine }} "$key" "$(cd -- "$(dirname "{{ justfile_directory() }}/script/$key")" && source "./$(basename $key)")" + just _rotate "{{ machine }}" "$key" done +[doc('Regenerate var values for {machine}')] +[script] +_rotate machine key: + # Exit if there's no script + [ -f "{{ justfile_directory() }}/script/{{ key }}" ] || exit + + echo "Executing script for {{ key }}" + just vars set "{{ machine }}" "{{ key }}" "$(cd -- "$(dirname "{{ justfile_directory() }}/script/{{ key }}")" && source "./$(basename "{{ key }}")")" + [script] check: cd .. diff --git a/modules/nixos/services/media/glance/default.nix b/modules/nixos/services/media/glance/default.nix index 6af52ef..c9da350 100644 --- a/modules/nixos/services/media/glance/default.nix +++ b/modules/nixos/services/media/glance/default.nix 
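Review bot: In `_rotate`, `{{ key }}` is now substituted textually into the script body (the `-f` test, the `dirname`/`basename` calls and the `just vars set` arguments), whereas the old loop passed it as the shell variable `"$key"`; a key containing `"`, `$(…)` or a backtick would therefore be parsed as shell rather than as data. Binding it once with `key={{ quote(key) }}` (and the same for `machine`) and using `"$key"` afterwards keeps the value inert. Separately, a bare `exit` returns the status of the failed `[ -f … ]` test, so a key without a generator script makes `just _rotate` fail, and if the script interpreter runs with `-e` the `generate` loop stops at that key instead of skipping it as before; `|| exit 0` restores the skip. The doc string `Regenerate var values for {machine}` also leaves out `{key}`.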
@@ -100,22 +100,22 @@ in { } { title = "Radarr"; - url = "http://${config.networking.hostName}:2001"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.radarr.settings.server.port}"; icon = "sh:radarr"; } { title = "Sonarr"; - url = "http://${config.networking.hostName}:2002"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.sonarr.settings.server.port}"; icon = "sh:sonarr"; } { title = "Lidarr"; - url = "http://${config.networking.hostName}:2003"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.lidarr.settings.server.port}"; icon = "sh:lidarr"; } { title = "Prowlarr"; - url = "http://${config.networking.hostName}:2004"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.prowlarr.settings.server.port}"; icon = "sh:prowlarr"; } { @@ -125,7 +125,7 @@ in { } { title = "SABnzbd"; - url = "http://${config.networking.hostName}:8080"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.sabnzbd.settings.misc.port}"; icon = "sh:sabnzbd"; } ]; diff --git a/modules/nixos/services/media/servarr/default.nix b/modules/nixos/services/media/servarr/default.nix index f868313..6953421 100644 --- a/modules/nixos/services/media/servarr/default.nix +++ b/modules/nixos/services/media/servarr/default.nix @@ -85,8 +85,11 @@ in { LegalNotice.Accepted = true; Prefecences.WebUI = { + AlternativeUIEnabled = true; + RootFolder = "''${pkgs.vuetorrent}/share/vuetorrent"; + Username = "admin"; - Password_PBKDF2 = config.sops.secrets."qbittorrent/password_hash".path; + Password_PBKDF2 = "@ByteArray(Yhyk8fzgSHuKcgcmIxhYzg==:9njltqI5znb98+n+eOqUvpe4xYj6Dcub994o2fe9kpTa1fczMdHf/fNoifLaGmEf69xkTNSztEuh6BqcR4/CbQ==)"; #config.sops.secrets."qbittorrent/password_hash".path; }; }; diff --git a/modules/nixos/services/networking/caddy/default.nix b/modules/nixos/services/networking/caddy/default.nix index f17c737..4cab016 100644 
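Review bot: The new `Password_PBKDF2` line in the servarr hunk commits a fixed salt and digest for the WebUI `admin` account to the repository and to the world-readable Nix store, where the previous line referenced a sops secret. Anyone who can read either can attack the password offline, and every host importing the module shares the same credential. The trailing `#config.sops.secrets…path` comment suggests a stop-gap; the value should be injected at activation time from `config.sops.secrets."qbittorrent/password_hash"` (for instance through a sops-nix template that renders the config file), and the password behind the committed hash treated as exposed and rotated. In the same hunk, `RootFolder = "''${pkgs.vuetorrent}/share/vuetorrent"` sits in a double-quoted string, where `''` is literal text and not an escape, so the path would start with two apostrophes; `"${pkgs.vuetorrent}/share/vuetorrent"` is presumably what was meant. The enclosing settings block starts and ends outside the hunk.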
--- a/modules/nixos/services/networking/caddy/default.nix +++ b/modules/nixos/services/networking/caddy/default.nix @@ -29,7 +29,7 @@ in { package = pkgs.caddy.withPlugins { plugins = ["github.com/corazawaf/coraza-caddy/v2@v2.1.0"]; - hash = "sha256-AdL/LFKXbWmCsJ/xZWZmYBnw57c7sS6s1miR3sSx1Ow="; + hash = "sha256-rsDnTunR8C7hVOX5aKcba+iFYHbpWek65DZgbMxOdTs="; }; virtualHosts = diff --git a/modules/nixos/services/observability/grafana/default.nix b/modules/nixos/services/observability/grafana/default.nix index e2040d4..a867351 100644 --- a/modules/nixos/services/observability/grafana/default.nix +++ b/modules/nixos/services/observability/grafana/default.nix @@ -36,7 +36,6 @@ in { auth = { disable_login_form = false; - oauth_auto_login = true; }; "auth.basic".enable = false; diff --git a/script/.shared/pwgen b/script/.shared/pwgen new file mode 100644 index 0000000..85fc69f --- /dev/null +++ b/script/.shared/pwgen @@ -0,0 +1,3 @@ +#!/bin/bash + +pwgen -s 128 1 From 5b844aab8d76969079dbd43cbc89c53ed58e48d2 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 23 Mar 2026 08:24:31 +0100 Subject: [PATCH 2/3] . --- .../nixos/services/media/glance/default.nix | 6 +++ .../services/networking/wireguard/default.nix | 47 +++++++++++++++++++ 2 files changed, 53 insertions(+) create mode 100644 modules/nixos/services/networking/wireguard/default.nix diff --git a/modules/nixos/services/media/glance/default.nix b/modules/nixos/services/media/glance/default.nix index c9da350..ec6e851 100644 --- a/modules/nixos/services/media/glance/default.nix +++ b/modules/nixos/services/media/glance/default.nix @@ -13,6 +13,12 @@ in { }; config = mkIf cfg.enable { + ${namespace}.services.networking.caddy.hosts = { + "https://${config.networking.hostName}:443" = '' + reverse_proxy http://[::]:2000 + ''; + }; + services.glance = { enable = true; openFirewall = true; 
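Review bot: The fixed-output `hash` changes while the plugin pin stays at `github.com/corazawaf/coraza-caddy/v2@v2.1.0`, and nothing in the commit records why. This is presumably caused by a newer `pkgs.caddy` or changed vendored modules rather than different plugin content, but it is worth confirming with a clean rebuild before trusting the new value, since this hash is the only integrity check on the WAF plugin source. A one-line comment above `hash` naming the caddy version it was computed against, e.g. `# vendor hash for caddy <VERSION> + coraza-caddy v2.1.0`, would make the next change reviewable.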
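Review bot: Nothing checks that this generator produced output: `_rotate` in `.just/vars.just` sources the file inside `$( … )` and passes the result straight to `just vars set`, so if `pwgen` is not on PATH the substitution is empty and an empty string would be stored as the secret. The guard has to sit in the caller, because an `exit` here only leaves the subshell; for example `value="$(…)"` followed by `[ -n "$value" ] || exit 1` before the `just vars set` call. Since the file is sourced rather than executed, the `#!/bin/bash` line has no effect, and a short comment saying so would help, e.g. `# sourced by just _rotate; prints one 128-character secret on stdout`.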
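Review bot: `openFirewall = true` stays set on `services.glance` while this hunk puts the dashboard behind Caddy on 443, so port 2000 presumably remains reachable over plain HTTP from the network and bypasses the proxy (and the Coraza plugin configured for Caddy). If Caddy is meant to be the only entry point, set `openFirewall = false;` and have Glance listen on loopback. The upstream `http://[::]:2000` also uses the unspecified address as a destination, which only works by OS convention; `reverse_proxy http://[::1]:2000` states the intent. The `services.glance` block continues outside the hunk, so its listen address is not visible here.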
diff --git a/modules/nixos/services/networking/wireguard/default.nix b/modules/nixos/services/networking/wireguard/default.nix new file mode 100644 index 0000000..92bd803 --- /dev/null +++ b/modules/nixos/services/networking/wireguard/default.nix @@ -0,0 +1,47 @@ +{ + config, + pkgs, + lib, + namespace, + ... +}: let + inherit (builtins) length; + inherit (lib) mkIf mkEnableOption mkOption types attrNames attrsToList listToAttrs; + + cfg = config.${namespace}.services.networking.wireguard; + hasPeers = (cfg.peer |> attrNames |> length) > 0; +in { + options.${namespace}.services.networking.wireguard = { + # enable = mkEnableOption "enable wireguard" // {default = true;}; + + peer = mkOption { + type = types.attrsOf (types.submodule { + options = { + port = mkOption { + type = types.port; + description = ''''; + }; + + address = mkOption { + type = types.listOf types.str; + default = []; + description = ''''; + }; + }; + }); + }; + }; + + config = mkIf hasPeers { + networking.firewall.allowedUDPPorts = cfg.peer |> lib.attrValues |> lib.map (p: p.port); + networking.wq-quick = { + # enable = cfg.enable; + + interfaces = + cfg.peer + |> attrsToList + |> imap0 (i: { name, value }: (namevaluepair "wg${i}" (value // { })); + |> listToAttrs + }; + }; +} From 4fd0b16db0fab33baab4dc403b867b893878ab60 Mon Sep 17 00:00:00 2001 From: chris Date: Mon, 23 Mar 2026 08:46:20 +0000 Subject: [PATCH 3/3] chore: update dependencies --- flake.lock | 50 +++++++++++++++++++++++++------------------------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/flake.lock b/flake.lock index 4cc9f95..e2ef3a5 100644 --- a/flake.lock +++ b/flake.lock 
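Review bot: This new module cannot evaluate as written, and the UDP ports it opens have no working interface behind them: `networking.wq-quick` should be `networking.wg-quick`, `imap0` and `namevaluepair` are not in scope (`lib.imap0`, `lib.nameValuePair`), `"wg${i}"` interpolates an integer, and the `;` sits before `|> listToAttrs` instead of after it. `peer` has no `default`, so `hasPeers` fails on hosts that do not set it, and as far as I know wg-quick interfaces take `listenPort` rather than `port` and need a private key, which should be supplied as a path to a runtime secret and not as a value that lands in the store. Both `description` strings are empty and should say what `port` and `address` mean. A corrected `config` section is sketched below.

```nix
# … unchanged: module arguments, option declarations …
# let block: add imap0, nameValuePair and attrValues to `inherit (lib) …`,
# and give the `peer` option `default = {};`

  config = mkIf hasPeers {
    networking.firewall.allowedUDPPorts = cfg.peer |> attrValues |> map (p: p.port);

    networking.wg-quick.interfaces =
      cfg.peer
      |> attrsToList
      |> imap0 (i: {value, ...}:
        nameValuePair "wg${toString i}" {
          listenPort = value.port;
          address = value.address;
          # privateKeyFile: point at a runtime secret path (e.g. a sops secret), not a store path
        })
      |> listToAttrs;
  };
```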
@@ -83,11 +83,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1774174479, - "narHash": "sha256-6stwl7hiMK6Jvn11cBnw3TutkVSdPp1ILh+93aWVImA=", - "rev": "a50863e540a43fc0617ecbf8adada90af3899f57", + "lastModified": 1774210137, + "narHash": "sha256-QaPn/8NlrXd6jd8S9+KV2pYsGNZ8KWU5+jv2/QtRlUw=", + "rev": "1862f2641e54a51755b0b9acb907d01f6b324b2a", "type": "tarball", - "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/a50863e540a43fc0617ecbf8adada90af3899f57.tar.gz" + "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/1862f2641e54a51755b0b9acb907d01f6b324b2a.tar.gz" }, "original": { "type": "tarball", @@ -184,11 +184,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1774163246, - "narHash": "sha256-gzlqyLjP44LWraUd3Zn4xrQKOtK+zcBJ77pnsSUsxcM=", + "lastModified": 1774250935, + "narHash": "sha256-mWID0WFgTnd9hbEeaPNX+YYWF70JN3r7zBouEqERJOE=", "owner": "nix-community", "repo": "fenix", - "rev": "4cd28929c68cae521589bc21958d3793904ed1e2", + "rev": "64d7705e8c37d650cfb1aa99c24a8ce46597f29e", "type": "github" }, "original": { @@ -571,11 +571,11 @@ ] }, "locked": { - "lastModified": 1774135471, - "narHash": "sha256-TVeIGOxnfSPM6JvkRkXHpJECnj1OG2dXkWMSA4elzzQ=", + "lastModified": 1774210133, + "narHash": "sha256-yeiWCY9aAUUJ3ebMVjs0UZXRnT5x90MCtpbpOWiXrvM=", "owner": "nix-community", "repo": "home-manager", - "rev": "856b01ebd1de3f53c3929ce8082d9d67d799d816", + "rev": "c6fe2944ad9f2444b2d767c4a5edee7c166e8a95", "type": "github" }, "original": { @@ -980,11 +980,11 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1774192834, - "narHash": "sha256-Ro1L12XoZiA63+JOskKf/w49v8K8hQDkEvNqem7nnik=", + "lastModified": 1774253681, + "narHash": "sha256-U3LMRHov4wQ4olZq/zvf94Qf7oL6W11fjvZGvWg3gZc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "116515096225d29ffa1b6d576dd04b93941fe591", + "rev": "16b430b0e3a5233df0444f14928af915555308ac", "type": "github" }, "original": { 
@@ -1028,11 +1028,11 @@ }, "nixpkgs_8": { "locked": { - "lastModified": 1773821835, - "narHash": "sha256-TJ3lSQtW0E2JrznGVm8hOQGVpXjJyXY2guAxku2O9A4=", + "lastModified": 1774106199, + "narHash": "sha256-US5Tda2sKmjrg2lNHQL3jRQ6p96cgfWh3J1QBliQ8Ws=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b40629efe5d6ec48dd1efba650c797ddbd39ace0", + "rev": "6c9a78c09ff4d6c21d0319114873508a6ec01655", "type": "github" }, "original": { @@ -1093,11 +1093,11 @@ "systems": "systems_4" }, "locked": { - "lastModified": 1774134539, - "narHash": "sha256-VTbmIpAP4OlM76uwUUezfewBUsrfWk2l3H2QaTY6QLc=", + "lastModified": 1774224548, + "narHash": "sha256-g45WZAZHNc7wJBkK4IdB5dq0Bh0JE7G0gcY2H5DFi44=", "owner": "notashelf", "repo": "nvf", - "rev": "85ca579065a079ee9ee603339668c7c16b61c4f7", + "rev": "edfb73fa4ced576f587d259a70a513b4152f8cea", "type": "github" }, "original": { @@ -1158,11 +1158,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1774097238, - "narHash": "sha256-hcujm/qEX4RUybdBCrQKdQNqTRYDItmnbjJRP5ky5vc=", + "lastModified": 1774221325, + "narHash": "sha256-aEIdkqB8gtQZtEbogdUb5iyfcZpKIlD3FkG8ANu73/I=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "76de1de27c0ca1329bc41324edab22c82d69e779", + "rev": "b42b63f390a4dab14e6efa34a70e67f5b087cc62", "type": "github" }, "original": { @@ -1502,11 +1502,11 @@ ] }, "locked": { - "lastModified": 1774155194, - "narHash": "sha256-0+8XV5WPO5Ie8hBcEEpPoR7mCqUmMnVZFiu6DQIxIE0=", + "lastModified": 1774242250, + "narHash": "sha256-pchbnY7KVnH26g4O3LZO8vpshInqNj937gAqlPob1Mk=", "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "56e6e71b465967758ff4db948ff943cb8ea31ca4", + "rev": "f19c3e6683c2d2f3fcfcb88fb691931a104bc47c", "type": "github" }, "original": {