chris/sneeuwvlok
chris/sneeuwvlok
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: chris:f210c5b5adb44405826e6330eba088e1d4b7f18e
Branches Tags
chris:main
chris:feature/convex
chris:feature/nix-anywhere
...
compare: chris:4624b0b0f7037da54c00b7d1bdf68653c0ee8ea8
Branches Tags
chris:main
chris:feature/convex
chris:feature/nix-anywhere

4 commits
f210c5b5ad ... 4624b0b0f7

Author SHA1 Message Date
Chris Kruining
4624b0b0f7
wip: setting up download clients in the arr stack
Some checks failed
Test action / kaas (push) Failing after 0s
Details
2025-12-09 16:18:09 +01:00
Chris Kruining
6af9101a13
feat: add oidc from sops for grafana 2025-12-09 16:17:26 +01:00
chris
f295f0fc48 chore(secrets): set secret "grafana/oidc_secret" for machine "ulmo" 2025-12-09 14:53:26 +00:00
chris
03e8fea254 chore(secrets): set secret "grafana/oidc_id" for machine "ulmo" 2025-12-09 14:53:08 +00:00
5 changed files with 83 additions and 37 deletions
Download patch file Download diff file Expand all files Collapse all files

20
modules/nixos/services/media/default.nix
View file

@ -106,25 +106,5 @@ in {
}; };
systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL"; systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL";
sops = {
secrets = {
# "qbittorrent/password" = {};
"qbittorrent/password_hash" = {};
};
templates = {
"qbittorrent/password.conf" = {
owner = cfg.user;
group = cfg.group;
restartUnits = ["qbittorrent.service"];
path = "${config.services.qbittorrent.profileDir}/qBittorrent/config/password.conf";
content = ''
[Preferences]
WebUI\Password_PBKDF2="${config.sops.placeholder."qbittorrent/password_hash"}"
'';
};
};
};
}; };
} }

54
modules/nixos/services/media/servarr/default.nix
View file

@ -72,10 +72,8 @@ in {
group = "media"; group = "media";
}); });
})) }))
|> lib.mkMerge |> lib.concat [
|> (set: {
set
// {
qbittorrent = { qbittorrent = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
@ -86,6 +84,7 @@ in {
Prefecences.WebUI = { Prefecences.WebUI = {
Username = "admin"; Username = "admin";
Password_PBKDF2 = "@ByteArray(JpfX3wSUcMolUFD+8AD67w==:fr5kmc6sK9xsCfGW6HkPX2K1lPYHL6g2ncLLwuOVmjphmxkwBJ8pi/XQDsDWzyM/MRh5zPhUld2Xqn8o7BWv3Q==)";
}; };
}; };
@ -97,7 +96,7 @@ in {
sabnzbd = { sabnzbd = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
configFile = "${cfg.path}/sabnzbd/config.ini"; configFile = config.sops.templates."sabnzbd/config.ini".path;
user = "sabnzbd"; user = "sabnzbd";
group = "media"; group = "media";
@ -113,7 +112,9 @@ in {
ensureDBOwnership = true; ensureDBOwnership = true;
}); });
}; };
}); }
]
|> lib.mkMerge;
systemd.services = systemd.services =
cfg cfg
@ -125,6 +126,8 @@ in {
... ...
}: (mkIf enable { }: (mkIf enable {
"${service}ApplyTerraform" = let "${service}ApplyTerraform" = let
config' = config;
terraformConfiguration = inputs.terranix.lib.terranixConfiguration { terraformConfiguration = inputs.terranix.lib.terranixConfiguration {
inherit system; inherit system;
@ -168,6 +171,30 @@ in {
|> lib.imap (i: f: lib.nameValuePair "local${toString i}" {path = f;}) |> lib.imap (i: f: lib.nameValuePair "local${toString i}" {path = f;})
|> lib.listToAttrs |> lib.listToAttrs
); );
"${service}_download_client_qbittorrent" = mkIf (lib.elem service ["radarr" "sonarr" "lidarr" "whisparr"]) {
"main" = {
name = "qBittorrent";
enable = true;
priority = 1;
host = "localhost";
username = "admin";
password = "poChieN5feeph0igeaCadeJ9Xux0ohmuy6ruH5ieThaPheib3iuzoo0ahw1aiceif1feegioh9Aimau0pai5thoh5ieH0aechohw";
url_base = "/";
port = 2008;
};
};
# "${service}_download_client_sabnzbd" = mkIf (lib.elem service ["radarr" "sonarr" "lidarr" "whisparr"]) {
# "main" = {
# name = "SABnzbd";
# enable = true;
# priority = 1;
# host = "localhost";
# url_base = "/";
# port = 8080;
# };
# };
}; };
}; };
}) })
@ -204,7 +231,7 @@ in {
cp -f ${terraformConfiguration} config.tf.json cp -f ${terraformConfiguration} config.tf.json
# Initialize OpenTofu # Initialize OpenTofu
${lib.getExe pkgs.opentofu} init -upgrade ${lib.getExe pkgs.opentofu} init
# Run the infrastructure code # Run the infrastructure code
${lib.getExe pkgs.opentofu} \ ${lib.getExe pkgs.opentofu} \
@ -272,6 +299,19 @@ in {
}; };
}; };
})) }))
|> lib.concat [
{
templates = {
"sabnzbd/config.ini" = {
owner = "sabnzbd";
group = "media";
content = ''
'';
};
};
}
]
|> lib.mkMerge; |> lib.mkMerge;
}; };
} }

33
modules/nixos/services/observability/grafana/default.nix
View file

@ -1,5 +1,10 @@
{ pkgs, config, lib, namespace, ... }: {
let pkgs,
config,
lib,
namespace,
...
}: let
inherit (lib.modules) mkIf; inherit (lib.modules) mkIf;
inherit (lib.options) mkEnableOption; inherit (lib.options) mkEnableOption;
@ -7,8 +12,7 @@ let
db_user = "grafana"; db_user = "grafana";
db_name = "grafana"; db_name = "grafana";
in in {
{
options.${namespace}.services.observability.grafana = { options.${namespace}.services.observability.grafana = {
enable = mkEnableOption "enable Grafana"; enable = mkEnableOption "enable Grafana";
}; };
@ -35,8 +39,8 @@ in
"auth.generic_oauth" = { "auth.generic_oauth" = {
enable = true; enable = true;
name = "Zitadel"; name = "Zitadel";
client_id = "334170712283611395"; client_id = "$__file{${config.sops.secrets."grafana/oidc_id".path}}";
client_secret = "AFjypmURdladmQn1gz2Ke0Ta5LQXapnuKkALVZ43riCL4qWicgV2Z6RlwpoWBZg1"; client_secret = "$__file{${config.sops.secrets."grafana/oidc_secret".path}}";
scopes = "openid email profile offline_access urn:zitadel:iam:org:project:roles"; scopes = "openid email profile offline_access urn:zitadel:iam:org:project:roles";
email_attribute_path = "email"; email_attribute_path = "email";
login_attribute_path = "username"; login_attribute_path = "username";
@ -64,7 +68,7 @@ in
allow_sign_up = false; allow_sign_up = false;
allow_org_create = false; allow_org_create = false;
viewers_can_edit = false; viewers_can_edit = false;
default_theme = "system"; default_theme = "system";
}; };
@ -115,7 +119,7 @@ in
postgresql = { postgresql = {
enable = true; enable = true;
ensureDatabases = [ db_name ]; ensureDatabases = [db_name];
ensureUsers = [ ensureUsers = [
{ {
name = db_user; name = db_user;
@ -126,5 +130,18 @@ in
}; };
environment.etc."/grafana/dashboards/default.json".source = ./dashboards/default.json; environment.etc."/grafana/dashboards/default.json".source = ./dashboards/default.json;
sops = {
secrets = {
"grafana/oidc_id" = {
owner = "grafana";
group = "grafana";
};
"grafana/oidc_secret" = {
owner = "grafana";
group = "grafana";
};
};
};
}; };
} }

6
systems/x86_64-linux/ulmo/default.nix
View file

@ -118,6 +118,12 @@
grantTypes = ["authorizationCode"]; grantTypes = ["authorizationCode"];
responseTypes = ["code"]; responseTypes = ["code"];
}; };
grafana = {
redirectUris = ["http://localhost:9001/login/generic_oauth"];
grantTypes = ["authorizationCode"];
responseTypes = ["code"];
};
}; };
}; };
}; };

7
systems/x86_64-linux/ulmo/secrets.yml
View file

@ -27,6 +27,9 @@ mydia:
qbittorrent: qbittorrent:
password_hash: ENC[AES256_GCM,data:QWuQYmfBn9eLDYztH7TmQvw74MvmzCQ98OlBtyjm1Icr2c63epRuHWzQbm+Q+1jrCSiQreOB3ZyjLzkeV6SlLonryUSD71uBWVwctgPXO0XDrxE1Vi6dkiwC3TF65JTMDhyjDLEj1YkiMP25Fz5NidJTP/r9GlXTfM7gjWo=,iv:bpgL5IoAv+1PUtgNIjLcbzN8C9z55ndypz4LEELAhLc=,tag:VB+XTCwLeIEYKnOr/0f7zA==,type:str] password_hash: ENC[AES256_GCM,data:QWuQYmfBn9eLDYztH7TmQvw74MvmzCQ98OlBtyjm1Icr2c63epRuHWzQbm+Q+1jrCSiQreOB3ZyjLzkeV6SlLonryUSD71uBWVwctgPXO0XDrxE1Vi6dkiwC3TF65JTMDhyjDLEj1YkiMP25Fz5NidJTP/r9GlXTfM7gjWo=,iv:bpgL5IoAv+1PUtgNIjLcbzN8C9z55ndypz4LEELAhLc=,tag:VB+XTCwLeIEYKnOr/0f7zA==,type:str]
password: ENC[AES256_GCM,data:UepYY6UjJV/jo2aXTOEnKRtsjSqOSYPQlKlrAa7rf9rdnt2UXGjCkvN+A72pICuIBCAmhXZBAUMvmWTV9trk6NREHe0cY1xTC7pNv3x9TM/ZQmH498pbT/95pYAKwouHp9heJQ==,iv:FzjF+xPoaOp+gplxpz940V2dkWSTWe8dWUxexCoxxHc=,tag:TDZsboq9fEmmBrwJN/HTpQ==,type:str] password: ENC[AES256_GCM,data:UepYY6UjJV/jo2aXTOEnKRtsjSqOSYPQlKlrAa7rf9rdnt2UXGjCkvN+A72pICuIBCAmhXZBAUMvmWTV9trk6NREHe0cY1xTC7pNv3x9TM/ZQmH498pbT/95pYAKwouHp9heJQ==,iv:FzjF+xPoaOp+gplxpz940V2dkWSTWe8dWUxexCoxxHc=,tag:TDZsboq9fEmmBrwJN/HTpQ==,type:str]
grafana:
oidc_id: ENC[AES256_GCM,data:NVdIgCQ6nz4BSUDJYCKyILtK,iv:tcljy9PzC/yyd7TSdngyJt+uh60uXi2PKu47czErbaQ=,tag:zE4q3dD4UQaHIpGeZ1L48Q==,type:str]
oidc_secret: ENC[AES256_GCM,data:b7qILK9ZHW2khtM1Hl/KdjCv3Wq6eOo2Ym/cbjcMB8/3Hn2UelpP4K4lFyiV3bn1/GF6Jl5Z7A0EwMybOx0InA==,iv:3HL/7BiyObwT8DmFxzNPI9CdmCH/4j/4oc9x7qBE1k0=,tag:dBhcq1zLKy6N+jp/v42R4A==,type:str]
sops: sops:
age: age:
- recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq
@ -47,7 +50,7 @@ sops:
TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb
Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-12-04T11:24:52Z" lastmodified: "2025-12-09T14:53:25Z"
mac: ENC[AES256_GCM,data:jIgkl1lcVDSlKqJs9fjaHUAZsGL+22T86/qqKyDziHl0+VU763Ezwm8P+la+55jIIT2zLhFcUjhn2BabBi90OeEPztAC4rGpZj6+ZZ0GDCj/JhjPAAo3LgAKOCG0Xgf8MZWr/rXd6bLhW7Qj36PMJnap26rjEiUZeSvpWS2dz8g=,iv:CDx8fBI9Dl1uwrbMD1fa7/h3C7haK3xZxJI59mtL1LA=,tag:2UDRFJoevGEBKZA/9eUiOw==,type:str] mac: ENC[AES256_GCM,data:bb6YXIClIRCEyvQEYQpuzjqSgAvcHr0Avb0t+HSIoIY69cnCojNxb1cN53b0HBV69qOiXgKlXcQrI4ry2qokfRbAAlp9w5g978+E3fnlefBxGY2wHEeJZL/27BXq7nEfvdepcLVM+o5PMn0iiYUR42OYJkXxAHXqhYNdt9kWjMM=,iv:QfIB9WckrxK2YXMTNVWgUjt6F+QG96KzUlwlYPM5WBc=,tag:X69yLpEsu//3HgtSuHoQig==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.11.0 version: 3.11.0