diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix index d257aea..79d2307 100644 --- a/modules/nixos/services/media/default.nix +++ b/modules/nixos/services/media/default.nix @@ -106,25 +106,5 @@ in { }; systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL"; - - sops = { - secrets = { - # "qbittorrent/password" = {}; - "qbittorrent/password_hash" = {}; - }; - - templates = { - "qbittorrent/password.conf" = { - owner = cfg.user; - group = cfg.group; - restartUnits = ["qbittorrent.service"]; - path = "${config.services.qbittorrent.profileDir}/qBittorrent/config/password.conf"; - content = '' - [Preferences] - WebUI\Password_PBKDF2="${config.sops.placeholder."qbittorrent/password_hash"}" - ''; - }; - }; - }; }; } diff --git a/modules/nixos/services/media/servarr/default.nix b/modules/nixos/services/media/servarr/default.nix index 373e09b..c09e66f 100644 --- a/modules/nixos/services/media/servarr/default.nix +++ b/modules/nixos/services/media/servarr/default.nix @@ -72,10 +72,8 @@ in { group = "media"; }); })) - |> lib.mkMerge - |> (set: - set - // { + |> lib.concat [ + { qbittorrent = { enable = true; openFirewall = true; @@ -86,6 +84,7 @@ in { Prefecences.WebUI = { Username = "admin"; + Password_PBKDF2 = "@ByteArray(JpfX3wSUcMolUFD+8AD67w==:fr5kmc6sK9xsCfGW6HkPX2K1lPYHL6g2ncLLwuOVmjphmxkwBJ8pi/XQDsDWzyM/MRh5zPhUld2Xqn8o7BWv3Q==)"; }; }; @@ -97,7 +96,7 @@ in { sabnzbd = { enable = true; openFirewall = true; - configFile = "${cfg.path}/sabnzbd/config.ini"; + configFile = config.sops.templates."sabnzbd/config.ini".path; user = "sabnzbd"; group = "media"; @@ -113,7 +112,9 @@ in { ensureDBOwnership = true; }); }; - }); + } + ] + |> lib.mkMerge; systemd.services = cfg @@ -125,6 +126,8 @@ in { ... }: (mkIf enable { "${service}ApplyTerraform" = let + config' = config; + terraformConfiguration = inputs.terranix.lib.terranixConfiguration { inherit system; @@ -168,6 +171,30 @@ in { |> lib.imap (i: f: lib.nameValuePair "local${toString i}" {path = f;}) |> lib.listToAttrs ); + + "${service}_download_client_qbittorrent" = mkIf (lib.elem service ["radarr" "sonarr" "lidarr" "whisparr"]) { + "main" = { + name = "qBittorrent"; + enable = true; + priority = 1; + host = "localhost"; + username = "admin"; + password = "poChieN5feeph0igeaCadeJ9Xux0ohmuy6ruH5ieThaPheib3iuzoo0ahw1aiceif1feegioh9Aimau0pai5thoh5ieH0aechohw"; + url_base = "/"; + port = 2008; + }; + }; + + # "${service}_download_client_sabnzbd" = mkIf (lib.elem service ["radarr" "sonarr" "lidarr" "whisparr"]) { + # "main" = { + # name = "SABnzbd"; + # enable = true; + # priority = 1; + # host = "localhost"; + # url_base = "/"; + # port = 8080; + # }; + # }; }; }; }) @@ -204,7 +231,7 @@ in { cp -f ${terraformConfiguration} config.tf.json # Initialize OpenTofu - ${lib.getExe pkgs.opentofu} init -upgrade + ${lib.getExe pkgs.opentofu} init # Run the infrastructure code ${lib.getExe pkgs.opentofu} \ @@ -272,6 +299,19 @@ in { }; }; })) + |> lib.concat [ + { + templates = { + "sabnzbd/config.ini" = { + owner = "sabnzbd"; + group = "media"; + content = '' + + ''; + }; + }; + } + ] |> lib.mkMerge; }; } diff --git a/modules/nixos/services/observability/grafana/default.nix b/modules/nixos/services/observability/grafana/default.nix index 6503493..05d3570 100644 --- a/modules/nixos/services/observability/grafana/default.nix +++ b/modules/nixos/services/observability/grafana/default.nix @@ -1,5 +1,10 @@ -{ pkgs, config, lib, namespace, ... }: -let +{ + pkgs, + config, + lib, + namespace, + ... +}: let inherit (lib.modules) mkIf; inherit (lib.options) mkEnableOption; @@ -7,8 +12,7 @@ let db_user = "grafana"; db_name = "grafana"; -in -{ +in { options.${namespace}.services.observability.grafana = { enable = mkEnableOption "enable Grafana"; }; @@ -35,8 +39,8 @@ in "auth.generic_oauth" = { enable = true; name = "Zitadel"; - client_id = "334170712283611395"; - client_secret = "AFjypmURdladmQn1gz2Ke0Ta5LQXapnuKkALVZ43riCL4qWicgV2Z6RlwpoWBZg1"; + client_id = "$__file{${config.sops.secrets."grafana/oidc_id".path}}"; + client_secret = "$__file{${config.sops.secrets."grafana/oidc_secret".path}}"; scopes = "openid email profile offline_access urn:zitadel:iam:org:project:roles"; email_attribute_path = "email"; login_attribute_path = "username"; @@ -64,7 +68,7 @@ in allow_sign_up = false; allow_org_create = false; viewers_can_edit = false; - + default_theme = "system"; }; @@ -115,7 +119,7 @@ in postgresql = { enable = true; - ensureDatabases = [ db_name ]; + ensureDatabases = [db_name]; ensureUsers = [ { name = db_user; @@ -126,5 +130,18 @@ in }; environment.etc."/grafana/dashboards/default.json".source = ./dashboards/default.json; + + sops = { + secrets = { + "grafana/oidc_id" = { + owner = "grafana"; + group = "grafana"; + }; + "grafana/oidc_secret" = { + owner = "grafana"; + group = "grafana"; + }; + }; + }; }; } diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 9d12de8..e661dd8 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -118,6 +118,12 @@ grantTypes = ["authorizationCode"]; responseTypes = ["code"]; }; + + grafana = { + redirectUris = ["http://localhost:9001/login/generic_oauth"]; + grantTypes = ["authorizationCode"]; + responseTypes = ["code"]; + }; }; }; }; diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 086d86d..745479d 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -27,6 +27,9 @@ mydia: qbittorrent: password_hash: ENC[AES256_GCM,data:QWuQYmfBn9eLDYztH7TmQvw74MvmzCQ98OlBtyjm1Icr2c63epRuHWzQbm+Q+1jrCSiQreOB3ZyjLzkeV6SlLonryUSD71uBWVwctgPXO0XDrxE1Vi6dkiwC3TF65JTMDhyjDLEj1YkiMP25Fz5NidJTP/r9GlXTfM7gjWo=,iv:bpgL5IoAv+1PUtgNIjLcbzN8C9z55ndypz4LEELAhLc=,tag:VB+XTCwLeIEYKnOr/0f7zA==,type:str] password: ENC[AES256_GCM,data:UepYY6UjJV/jo2aXTOEnKRtsjSqOSYPQlKlrAa7rf9rdnt2UXGjCkvN+A72pICuIBCAmhXZBAUMvmWTV9trk6NREHe0cY1xTC7pNv3x9TM/ZQmH498pbT/95pYAKwouHp9heJQ==,iv:FzjF+xPoaOp+gplxpz940V2dkWSTWe8dWUxexCoxxHc=,tag:TDZsboq9fEmmBrwJN/HTpQ==,type:str] +grafana: + oidc_id: ENC[AES256_GCM,data:NVdIgCQ6nz4BSUDJYCKyILtK,iv:tcljy9PzC/yyd7TSdngyJt+uh60uXi2PKu47czErbaQ=,tag:zE4q3dD4UQaHIpGeZ1L48Q==,type:str] + oidc_secret: ENC[AES256_GCM,data:b7qILK9ZHW2khtM1Hl/KdjCv3Wq6eOo2Ym/cbjcMB8/3Hn2UelpP4K4lFyiV3bn1/GF6Jl5Z7A0EwMybOx0InA==,iv:3HL/7BiyObwT8DmFxzNPI9CdmCH/4j/4oc9x7qBE1k0=,tag:dBhcq1zLKy6N+jp/v42R4A==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -47,7 +50,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-04T11:24:52Z" - mac: ENC[AES256_GCM,data:jIgkl1lcVDSlKqJs9fjaHUAZsGL+22T86/qqKyDziHl0+VU763Ezwm8P+la+55jIIT2zLhFcUjhn2BabBi90OeEPztAC4rGpZj6+ZZ0GDCj/JhjPAAo3LgAKOCG0Xgf8MZWr/rXd6bLhW7Qj36PMJnap26rjEiUZeSvpWS2dz8g=,iv:CDx8fBI9Dl1uwrbMD1fa7/h3C7haK3xZxJI59mtL1LA=,tag:2UDRFJoevGEBKZA/9eUiOw==,type:str] + lastmodified: "2025-12-09T14:53:25Z" + mac: ENC[AES256_GCM,data:bb6YXIClIRCEyvQEYQpuzjqSgAvcHr0Avb0t+HSIoIY69cnCojNxb1cN53b0HBV69qOiXgKlXcQrI4ry2qokfRbAAlp9w5g978+E3fnlefBxGY2wHEeJZL/27BXq7nEfvdepcLVM+o5PMn0iiYUR42OYJkXxAHXqhYNdt9kWjMM=,iv:QfIB9WckrxK2YXMTNVWgUjt6F+QG96KzUlwlYPM5WBc=,tag:X69yLpEsu//3HgtSuHoQig==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0