Single secret files for all arr services

2025-09-14 12:57:38 +02:00 · 2025-09-14 12:57:38 +02:00 · c505db0d60
commit c505db0d60
parent 758d01f8e2
12 changed files with 58 additions and 140 deletions
--- a/hosts/arr/default.nix
+++ b/hosts/arr/default.nix
@ -10,6 +10,7 @@ in
 {

  age.secrets = {
+    arr-secrets.file = ../../secrets/arr-secrets.age;
    tailscale-authKey.file = ../../secrets/tailscale-authKey.age;
  };

@ -38,7 +39,10 @@ in
    };

    services.media-mgr = {
-      programs.enable = true;
+      programs = {
+        enable = true;
+        commonSecretsFile = config.age.secrets.arr-secrets.path;
+      };
    };

    virtualisation = {
--- a/hosts/metrics/default.nix
+++ b/hosts/metrics/default.nix
@ -11,6 +11,7 @@ in
 {

  age.secrets = {
+    exportarr-secrets.file = ../../secrets/exportarr-secrets.age;
    tailscale-authKey.file = ../../secrets/tailscale-authKey.age;
    grafana-admin-pwd = {
      file = ../../secrets/grafana-admin-pwd.age;
@ -29,7 +30,11 @@ in
    };

    services.media-mgr = {
-      exportMetrics.enable = true;
+      exportMetrics = {
+        enable = true;
+        apiKeyFile = config.age.secrets.exportarr-secrets.path;
+      };
+      proxy.host = p.hosts.arr;
    };

    monitoring = {
--- a/modules/services/media-mgr.nix
+++ b/modules/services/media-mgr.nix
@ -9,22 +9,30 @@ with lib;

 let
  cfg = config.my.services.media-mgr;
-
-  lidarrPort = toString 8686;
-  radarrPort = toString 7878;
-  sonarrPort = toString 8989;
-  readarrPort = toString 8787;
-  prowlarrPort = toString 9696;
 in
 {
  options.my.services.media-mgr = {

    programs = {
      enable = lib.mkEnableOption "Enable the download manager stack";
+      commonSecretsFile = lib.mkOption {
+        default = "";
+        type = lib.types.path;
+        description = ''
+          Path to the file containing secrets in common between Arr
+        '';
+      };
    };

    exportMetrics = {
      enable = lib.mkEnableOption "Enable monitoring for the download manager stack";
+      apiKeyFile = lib.mkOption {
+        default = "";
+        type = lib.types.path;
+        description = ''
+          Path to the file containing the Arr secrets API key (look also commonSecretsFile)
+        '';
+      };
    };

    proxy = {
@ -61,30 +69,35 @@ in
        prowlarr = {
          enable = true;
          openFirewall = true;
+          environmentFiles = [ cfg.programs.commonSecretsFile ];
        };

        # Movies
        radarr = {
          enable = true;
          openFirewall = true;
+          environmentFiles = [ cfg.programs.commonSecretsFile ];
        };

        # TV Shows
        sonarr = {
          enable = true;
          openFirewall = true;
+          environmentFiles = [ cfg.programs.commonSecretsFile ];
        };

        # Music
        lidarr = {
          enable = true;
          openFirewall = true;
+          environmentFiles = [ cfg.programs.commonSecretsFile ];
        };

        # E-books
        readarr = {
          enable = true;
          openFirewall = true;
+          environmentFiles = [ cfg.programs.commonSecretsFile ];
        };

        # Subtitles
@ -109,23 +122,23 @@ in
    (lib.mkIf cfg.proxy.enable {
      services.caddy = with cfg.proxy; {
        virtualHosts."prowlarr.ts.${domain}".extraConfig = ''
-          reverse_proxy http://${host}:${prowlarrPort}
+          reverse_proxy http://${host}:${toString config.services.prowlarr.settings.server.port}
          import cloudflare_${domain}
        '';
        virtualHosts."radarr.ts.${domain}".extraConfig = ''
-          reverse_proxy http://${host}:${radarrPort}
+          reverse_proxy http://${host}:${toString config.services.radarr.settings.server.port}
          import cloudflare_${domain}
        '';
        virtualHosts."sonarr.ts.${domain}".extraConfig = ''
-          reverse_proxy http://${host}:${sonarrPort}
+          reverse_proxy http://${host}:${toString config.services.sonarr.settings.server.port}
          import cloudflare_${domain}
        '';
        virtualHosts."lidarr.ts.${domain}".extraConfig = ''
-          reverse_proxy http://${host}:${lidarrPort}
+          reverse_proxy http://${host}:${toString config.services.lidarr.settings.server.port}
          import cloudflare_${domain}
        '';
        virtualHosts."readarr.ts.${domain}".extraConfig = ''
-          reverse_proxy http://${host}:${readarrPort}
+          reverse_proxy http://${host}:${toString config.services.readarr.settings.server.port}
          import cloudflare_${domain}
        '';
        virtualHosts."bazarr.ts.${domain}".extraConfig = ''
@ -148,110 +161,46 @@ in
        isSystemUser = true;
      };

-      age.secrets = {
-        prowlarr-apiKey = {
-          file = ../../secrets/prowlarr-apiKey.age;
-          owner = "exportarr";
-          group = "exportarr";
-          mode = "770";
-        };
-      };
-      age.secrets = {
-        radarr-apiKey = {
-          file = ../../secrets/radarr-apiKey.age;
-          owner = "exportarr";
-          group = "exportarr";
-          mode = "770";
-        };
-      };
-      age.secrets = {
-        sonarr-apiKey = {
-          file = ../../secrets/sonarr-apiKey.age;
-          owner = "exportarr";
-          group = "exportarr";
-          mode = "770";
-        };
-      };
-      age.secrets = {
-        lidarr-apiKey = {
-          file = ../../secrets/lidarr-apiKey.age;
-          owner = "exportarr";
-          group = "exportarr";
-          mode = "770";
-        };
-      };
-      age.secrets = {
-        readarr-apiKey = {
-          file = ../../secrets/readarr-apiKey.age;
-          owner = "exportarr";
-          group = "exportarr";
-          mode = "770";
-        };
-      };
-      age.secrets = {
-        bazarr-apiKey = {
-          file = ../../secrets/bazarr-apiKey.age;
-          owner = "exportarr";
-          group = "exportarr";
-          mode = "770";
-        };
-      };
-
-      systemd.services = {
-        prometheus-exportarr-prowlarr-exporter.serviceConfig.EnvironmentFile =
-          config.age.secrets.prowlarr-apiKey.path;
-        prometheus-exportarr-radarr-exporter.serviceConfig.EnvironmentFile =
-          config.age.secrets.radarr-apiKey.path;
-        prometheus-exportarr-sonarr-exporter.serviceConfig.EnvironmentFile =
-          config.age.secrets.sonarr-apiKey.path;
-        prometheus-exportarr-lidarr-exporter.serviceConfig.EnvironmentFile =
-          config.age.secrets.lidarr-apiKey.path;
-        prometheus-exportarr-readarr-exporter.serviceConfig.EnvironmentFile =
-          config.age.secrets.readarr-apiKey.path;
-        prometheus-exportarr-bazarr-exporter.serviceConfig.EnvironmentFile =
-          config.age.secrets.bazarr-apiKey.path;
-      };
-
      services.prometheus.exporters = with cfg.proxy; {
        exportarr-prowlarr = {
          enable = true;
-          url = "http://${host}:${prowlarrPort}";
+          url = "http://${host}:${toString config.services.prowlarr.settings.server.port}";
          port = 9701;
          user = "exportarr";
          group = "exportarr";
-          apiKeyFile = config.age.secrets.prowlarr-apiKey.path;
+          apiKeyFile = cfg.exportMetrics.apiKeyFile;
        };
        exportarr-radarr = {
          enable = true;
-          url = "http://${host}:${radarrPort}";
+          url = "http://${host}:${toString config.services.radarr.settings.server.port}";
          port = 9702;
          user = "exportarr";
          group = "exportarr";
-          apiKeyFile = config.age.secrets.radarr-apiKey.path;
+          apiKeyFile = cfg.exportMetrics.apiKeyFile;
        };
        exportarr-sonarr = {
          enable = true;
-          url = "http://${host}:${sonarrPort}";
+          url = "http://${host}:${toString config.services.sonarr.settings.server.port}";
          port = 9703;
          user = "exportarr";
          group = "exportarr";
-          apiKeyFile = config.age.secrets.sonarr-apiKey.path;
+          apiKeyFile = cfg.exportMetrics.apiKeyFile;
        };
        exportarr-lidarr = {
          enable = true;
-          url = "http://${host}:${lidarrPort}";
+          url = "http://${host}:${toString config.services.lidarr.settings.server.port}";
          port = 9704;
          user = "exportarr";
          group = "exportarr";
-          apiKeyFile = config.age.secrets.lidarr-apiKey.path;
+          apiKeyFile = cfg.exportMetrics.apiKeyFile;
        };
        exportarr-readarr = {
          enable = true;
-          url = "http://${host}:${readarrPort}";
+          url = "http://${host}:${toString config.services.readarr.settings.server.port}";
          port = 9705;
          user = "exportarr";
          group = "exportarr";
-          apiKeyFile = config.age.secrets.readarr-apiKey.path;
+          apiKeyFile = cfg.exportMetrics.apiKeyFile;
        };
        exportarr-bazarr = {
          enable = true;
@ -259,7 +208,7 @@ in
          port = 9706;
          user = "exportarr";
          group = "exportarr";
-          apiKeyFile = config.age.secrets.bazarr-apiKey.path;
+          apiKeyFile = cfg.exportMetrics.apiKeyFile;
        };
      };
    })
--- a/secrets.nix
+++ b/secrets.nix
@ -6,12 +6,8 @@ let
    cloudflare-tegola-apiKey = [ machines.caddy ];
    cloudflare-pasetto-apiKey = [ machines.caddy ];
    ddclient = [ machines.caddy ];
-    prowlarr-apiKey = [ machines.metrics ];
-    radarr-apiKey = [ machines.metrics ];
-    sonarr-apiKey = [ machines.metrics ];
-    lidarr-apiKey = [ machines.metrics ];
-    readarr-apiKey = [ machines.metrics ];
-    bazarr-apiKey = [ machines.metrics ];
+    arr-secrets = [ machines.arr ];
+    exportarr-secrets = [ machines.metrics ];
    grafana-admin-pwd = [ machines.metrics ];
    grafana-secret-auth = [ machines.metrics ];
    nextcloud-admin-pwd = [ machines.nextcloud ];
--- a/secrets/arr-secrets.age
+++ b/secrets/arr-secrets.age
--- a/secrets/bazarr-apiKey.age
+++ b/secrets/bazarr-apiKey.age
@ -1,9 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 xSWWeQ 5/maoctCMEQwCFW0kUKrarTEMzdR7YPuM2BmjfZwfXA
-cKzan7OSHvlDfGWzLHGJTqouZo2AerCRWOYXzZsKoEQ
-> ssh-ed25519 uqg2jw 8pGRSjHvscTyPA71Q3BKldyh48Ruh6fMdF6qrnIrFTw
-YB7UBaqZbtOOnnURqLYios+bPzhVAimJQctRx6DzINc
-> ssh-ed25519 Si3UKw WsXXKWTLRmfl4uvUZFRGIh8FoKINUt1OyRDU8Pq8hCU
-XOadS4pkqmSmoeqE7TsHkMxn8IPJHglCWFAo9q0VwHA
--- WVdWjMUJQq22gNNo0/E2vl6LxxXyOzpljk3H/GFrLhY
-ñ[ž=Ú´·ëPó¿±žnI JpX”ƒÙ•òGpkí>QÏ<02>ÞÌ
--- a/secrets/exportarr-secrets.age
+++ b/secrets/exportarr-secrets.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 xSWWeQ cG7Gobz1cgBDjO7/kyX/H6XQtOTxmXPCoSLM6Jr9QlE
+9fmN3TfotEx87OnwEZlzah8/oiFY8RHIe3G5lrXcr0
+-> ssh-ed25519 uqg2jw 8RaNucp/HR5Ez7o+ftKkof8q1EeCNJIgfshlIO2/Mlo
+DchXy7bX3/Jk8R6Ynar0nN8pLcSMcDfOO1A0Jv9aNLU
+-> ssh-ed25519 Si3UKw MYS2JuTnKU4nU2JheBPO/AwhRg+tRQRtu2hOjMrbFiE
+JWRDWEDl7KsYvcxxj3hFboqOwD5spvC5l4raJJcfqo8
+--- FX27pGNIab8Md1sTAlX2Dm/50WZns8MWGiNnRX5pkHI
+#ùŽºÇe;ã³c›ˆ®y
+ˆÊ—l5<EFBFBD>ªÅ½<C385>Ý0ÂŸçf%8.;~¿Š.?;±ì‹›ßá^!`Bi·Ñ7%	!zƒ
--- a/secrets/lidarr-apiKey.age
+++ b/secrets/lidarr-apiKey.age
@ -1,10 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 xSWWeQ Shs6s/Vgw6angcDwgHiupl8KRU0qdWT0BxsFvLGuMEM
-7+ArocvM12aeQPSoZb9FpCvHABs+GZkJYxakRKk0r/o
-> ssh-ed25519 uqg2jw mVSNIQ2gWm81HWmjJF+M9L2D4OaoqUXg++TKXkh7Zzk
-4skDLZo1Mj8GDaJjJqtiNBaEVUj208AWJOFyDkejNFg
-> ssh-ed25519 Si3UKw CsTGPGo2A7PrRS+RneCPkp+gtkEalQdIshZlGZbE/jQ
-/X5RioN6r9Op/tPy0YLxLYM30JOapSYDYInwRxTs/pY
--- xxc/j3e/6BVFET/M1IkR7QjfAPg5rJrTfBSNDYYIxsQ
-
-rÌ±Y‘e5WéçòÉ»ŒTãâ!k©î.Ë¨qÅ$Pyý@qûX½ŸžÜñcõC2øµF½O&àú@W<>öå÷mA”±æÆÀ
--- a/secrets/prowlarr-apiKey.age
+++ b/secrets/prowlarr-apiKey.age
@ -1,9 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 xSWWeQ YbWAE91jQYNnWmOVj1myjMyOjl3Th/pf1h1Q6v2iazQ
-myC83E4fxF+RIpFsFkIVqjDxrmGdlUNPEAXSihphwPw
-> ssh-ed25519 uqg2jw ZgTMJnn49jIafSH7XOi5d7UWppnYS9XWghOZ+sI1eR0
-WjWZYAdaP4k962ivCLp8Sz8V9VjR6r/FYIN6stXXR0w
-> ssh-ed25519 Si3UKw BNhSVVNRmYwVla3r1h79WEjDDSQ6jj3ey1LjcDhEECc
-P5OZ3OFjembFEMkhIDzbu1+tCT8dODhb/5wKH91jB24
--- rGcX/jc5u5MjxfI+rJrmsLDeX8eOUxXzf0rOdjDi9bs
-Wˆò»äéˆéZO,"åQ<C3A5><51>µ³;ÁÁ@%
~i2Y²ÛÄ4*îÑãVô~‚dP|¬ÅÒ\Ü}©Å	ð¡d(úu4±CÏüLmØ-,h
--- a/secrets/radarr-apiKey.age
+++ b/secrets/radarr-apiKey.age
--- a/secrets/readarr-apiKey.age
+++ b/secrets/readarr-apiKey.age
@ -1,9 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 xSWWeQ 4vR8Yqu9eMHRUBAp/qvBKYJPzTZ1dBG2U8Z64wr1dTg
-cPiI2RL/4nxHN6EBDFbAFE2E2HQTqNT8Tl1SSlhUdbw
-> ssh-ed25519 uqg2jw KK7idheg8KlmnNBhBkav93ODPNpPg0XyeGYjJHDmXWk
-Mp+76AvDb9u+iS5V0jJep6pPPhzDGbLtRp2dBZC1UNg
-> ssh-ed25519 Si3UKw tXgHWn2I7Rl3AjT8iELBJ/wmZp0GyjapKbKEOexHQC4
-/UNkPcFzoQBjYglFULjZbl02NHWPJC5UYrkHewy4tnk
--- jna1OGludEsQChWuBVCi+YsxEec3jDpj+jSTezToi60
-µú‡ðB/"]°YwbjEÔÊ½ß¼Y:`¥—‡j¥„#"”=Ð<óÐí£öBÇàßg$•Ì=ækÎ‰¡ä9T¸f8í
¶
--- a/secrets/sonarr-apiKey.age
+++ b/secrets/sonarr-apiKey.age
@ -1,9 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 xSWWeQ dcQp5hk2FVTNBt8KM0QlF9wfd7iV9BcJDWTjH6sJT30
-Tlxi6qqrsApOigOTvQ7ww0JbfIHe9yEscydh6uQwSWY
-> ssh-ed25519 uqg2jw fRMpsodBqJpYNaZAdVliclA0J3FgCue794fKTkzLZ0w
-nUfk6PxJSI2Dox/bLoCbTA7LHJJo2gmPm3lWPMIbUYU
-> ssh-ed25519 Si3UKw mgGlxiZLNoc+/Fl+L+5WRb6WL8IC4lpy9nr0suF7FGc
-eJov8KWS6f+8jwNf5t0bKwAmbZIv2YPiJv77EnCLR+M
--- FLrvJOrt3DNhaV/oT69e3WRILx6Z5k8gmcJ2M/7f6iA
-×½>Å˜Êq»$V”üÑ<C3BC>í¸ ZzVÔÔ%M/ÎehÖóHØ„Úu¶ëÒùôuÎ:ÈBÖKáízSRdÎ¾øÐ³øtÈè_