diff --git a/hosts/arr/default.nix b/hosts/arr/default.nix
index 7f62044..b1a3923 100644
--- a/hosts/arr/default.nix
+++ b/hosts/arr/default.nix
@@ -10,6 +10,7 @@ in
{
age.secrets = {
+ arr-secrets.file = ../../secrets/arr-secrets.age;
tailscale-authKey.file = ../../secrets/tailscale-authKey.age;
};
@@ -38,7 +39,10 @@ in
};
services.media-mgr = {
- programs.enable = true;
+ programs = {
+ enable = true;
+ commonSecretsFile = config.age.secrets.arr-secrets.path;
+ };
};
virtualisation = {
diff --git a/hosts/metrics/default.nix b/hosts/metrics/default.nix
index f4e3fc3..359609f 100644
--- a/hosts/metrics/default.nix
+++ b/hosts/metrics/default.nix
@@ -11,6 +11,7 @@ in
{
age.secrets = {
+ exportarr-secrets.file = ../../secrets/exportarr-secrets.age;
tailscale-authKey.file = ../../secrets/tailscale-authKey.age;
grafana-admin-pwd = {
file = ../../secrets/grafana-admin-pwd.age;
@@ -29,7 +30,11 @@ in
};
services.media-mgr = {
- exportMetrics.enable = true;
+ exportMetrics = {
+ enable = true;
+ apiKeyFile = config.age.secrets.exportarr-secrets.path;
+ };
+ proxy.host = p.hosts.arr;
};
monitoring = {
diff --git a/modules/services/media-mgr.nix b/modules/services/media-mgr.nix
index 39d6fae..e94bd75 100644
--- a/modules/services/media-mgr.nix
+++ b/modules/services/media-mgr.nix
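Review bot: `proxy.host = p.hosts.arr;` in the second hosts/metrics hunk makes every exporter on this host call the Arr services on another machine, and the module builds those URLs as `http://${host}:…`, so the API key read from `apiKeyFile` travels between hosts over plain HTTP. Whether that is acceptable depends on what `p.hosts.arr` resolves to, which this diff does not show; if it is a tailnet address the traffic is already encrypted in transit, otherwise the key is readable on the path. I would add a comment next to the assignment, for example `# must be the tailnet address: exporters send the API key over plain http`.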
@@ -9,22 +9,30 @@ with lib;
let
cfg = config.my.services.media-mgr;
-
- lidarrPort = toString 8686;
- radarrPort = toString 7878;
- sonarrPort = toString 8989;
- readarrPort = toString 8787;
- prowlarrPort = toString 9696;
in
{
options.my.services.media-mgr = {
programs = {
enable = lib.mkEnableOption "Enable the download manager stack";
+ commonSecretsFile = lib.mkOption {
+ default = "";
+ type = lib.types.path;
+ description = ''
+ Path to the file containing secrets in common between Arr
+ '';
+ };
};
exportMetrics = {
enable = lib.mkEnableOption "Enable monitoring for the download manager stack";
+ apiKeyFile = lib.mkOption {
+ default = "";
+ type = lib.types.path;
+ description = ''
+ Path to the file containing the Arr secrets API key (look also commonSecretsFile)
+ '';
+ };
};
proxy = {
@@ -61,30 +69,35 @@ in
prowlarr = {
enable = true;
openFirewall = true;
+ environmentFiles = [ cfg.programs.commonSecretsFile ];
};
# Movies
radarr = {
enable = true;
openFirewall = true;
+ environmentFiles = [ cfg.programs.commonSecretsFile ];
};
# TV Shows
sonarr = {
enable = true;
openFirewall = true;
+ environmentFiles = [ cfg.programs.commonSecretsFile ];
};
# Music
lidarr = {
enable = true;
openFirewall = true;
+ environmentFiles = [ cfg.programs.commonSecretsFile ];
};
# E-books
readarr = {
enable = true;
openFirewall = true;
+ environmentFiles = [ cfg.programs.commonSecretsFile ];
};
# Subtitles
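Review bot: Both new options, `commonSecretsFile` and `apiKeyFile`, declare `default = "";` with `type = lib.types.path`, and an empty string is not a valid value for that type, so a host that enables the stack without setting them gets a type error on the default rather than a message saying the secret is missing. Dropping the two `default = "";` lines makes the options mandatory and gives a clearer error. `types.path` also accepts a Nix path literal, which would end up in the world-readable Nix store once interpolated; the descriptions should say the value must be a runtime path such as `config.age.secrets.<name>.path`, and should name the variables the file is expected to define.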
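Review bot: The five `environmentFiles = [ cfg.programs.commonSecretsFile ];` lines hand the same file to prowlarr, radarr, sonarr, lidarr and readarr, so each service's environment carries every secret in it, and because all exporters later read a single `apiKeyFile`, the services presumably have to share one API key. That replaces the per-service keys with one credential that is also stored on the metrics host, so a leak from any one place gives API access to all of them. If per-service keys are not worth the effort, a comment above the first block should state the trade-off, e.g. `# one API key shared by all Arr services and the metrics host; rotate everywhere together`. The attribute set these blocks belong to opens outside the hunk.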
@@ -109,23 +122,23 @@ in
(lib.mkIf cfg.proxy.enable {
services.caddy = with cfg.proxy; {
virtualHosts."prowlarr.ts.${domain}".extraConfig = ''
- reverse_proxy http://${host}:${prowlarrPort}
+ reverse_proxy http://${host}:${toString config.services.prowlarr.settings.server.port}
import cloudflare_${domain}
'';
virtualHosts."radarr.ts.${domain}".extraConfig = ''
- reverse_proxy http://${host}:${radarrPort}
+ reverse_proxy http://${host}:${toString config.services.radarr.settings.server.port}
import cloudflare_${domain}
'';
virtualHosts."sonarr.ts.${domain}".extraConfig = ''
- reverse_proxy http://${host}:${sonarrPort}
+ reverse_proxy http://${host}:${toString config.services.sonarr.settings.server.port}
import cloudflare_${domain}
'';
virtualHosts."lidarr.ts.${domain}".extraConfig = ''
- reverse_proxy http://${host}:${lidarrPort}
+ reverse_proxy http://${host}:${toString config.services.lidarr.settings.server.port}
import cloudflare_${domain}
'';
virtualHosts."readarr.ts.${domain}".extraConfig = ''
- reverse_proxy http://${host}:${readarrPort}
+ reverse_proxy http://${host}:${toString config.services.readarr.settings.server.port}
import cloudflare_${domain}
'';
virtualHosts."bazarr.ts.${domain}".extraConfig = ''
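Review bot: The `reverse_proxy` lines now read `config.services.<app>.settings.server.port` from the configuration of whichever host evaluates this block, while the request goes to `${host}`, which may be a different machine. On a host where the Arr services are not enabled this presumably yields the option default, so a port override made on the Arr host would not be picked up here. The same pattern is used for the exporter `url` values in the later hunk. A comment such as `# port comes from this host's option values, not from the remote arr host` would record the assumption.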
@@ -148,110 +161,46 @@ in
isSystemUser = true;
};
- age.secrets = {
- prowlarr-apiKey = {
- file = ../../secrets/prowlarr-apiKey.age;
- owner = "exportarr";
- group = "exportarr";
- mode = "770";
- };
- };
- age.secrets = {
- radarr-apiKey = {
- file = ../../secrets/radarr-apiKey.age;
- owner = "exportarr";
- group = "exportarr";
- mode = "770";
- };
- };
- age.secrets = {
- sonarr-apiKey = {
- file = ../../secrets/sonarr-apiKey.age;
- owner = "exportarr";
- group = "exportarr";
- mode = "770";
- };
- };
- age.secrets = {
- lidarr-apiKey = {
- file = ../../secrets/lidarr-apiKey.age;
- owner = "exportarr";
- group = "exportarr";
- mode = "770";
- };
- };
- age.secrets = {
- readarr-apiKey = {
- file = ../../secrets/readarr-apiKey.age;
- owner = "exportarr";
- group = "exportarr";
- mode = "770";
- };
- };
- age.secrets = {
- bazarr-apiKey = {
- file = ../../secrets/bazarr-apiKey.age;
- owner = "exportarr";
- group = "exportarr";
- mode = "770";
- };
- };
-
- systemd.services = {
- prometheus-exportarr-prowlarr-exporter.serviceConfig.EnvironmentFile =
- config.age.secrets.prowlarr-apiKey.path;
- prometheus-exportarr-radarr-exporter.serviceConfig.EnvironmentFile =
- config.age.secrets.radarr-apiKey.path;
- prometheus-exportarr-sonarr-exporter.serviceConfig.EnvironmentFile =
- config.age.secrets.sonarr-apiKey.path;
- prometheus-exportarr-lidarr-exporter.serviceConfig.EnvironmentFile =
- config.age.secrets.lidarr-apiKey.path;
- prometheus-exportarr-readarr-exporter.serviceConfig.EnvironmentFile =
- config.age.secrets.readarr-apiKey.path;
- prometheus-exportarr-bazarr-exporter.serviceConfig.EnvironmentFile =
- config.age.secrets.bazarr-apiKey.path;
- };
-
services.prometheus.exporters = with cfg.proxy; {
exportarr-prowlarr = {
enable = true;
- url = "http://${host}:${prowlarrPort}";
+ url = "http://${host}:${toString config.services.prowlarr.settings.server.port}";
port = 9701;
user = "exportarr";
group = "exportarr";
- apiKeyFile = 
config.age.secrets.prowlarr-apiKey.path;
+ apiKeyFile = cfg.exportMetrics.apiKeyFile;
};
exportarr-radarr = {
enable = true;
- url = "http://${host}:${radarrPort}";
+ url = "http://${host}:${toString config.services.radarr.settings.server.port}";
port = 9702;
user = "exportarr";
group = "exportarr";
- apiKeyFile = config.age.secrets.radarr-apiKey.path;
+ apiKeyFile = cfg.exportMetrics.apiKeyFile;
};
exportarr-sonarr = {
enable = true;
- url = "http://${host}:${sonarrPort}";
+ url = "http://${host}:${toString config.services.sonarr.settings.server.port}";
port = 9703;
user = "exportarr";
group = "exportarr";
- apiKeyFile = config.age.secrets.sonarr-apiKey.path;
+ apiKeyFile = cfg.exportMetrics.apiKeyFile;
};
exportarr-lidarr = {
enable = true;
- url = "http://${host}:${lidarrPort}";
+ url = "http://${host}:${toString config.services.lidarr.settings.server.port}";
port = 9704;
user = "exportarr";
group = "exportarr";
- apiKeyFile = config.age.secrets.lidarr-apiKey.path;
+ apiKeyFile = cfg.exportMetrics.apiKeyFile;
};
exportarr-readarr = {
enable = true;
- url = "http://${host}:${readarrPort}";
+ url = "http://${host}:${toString config.services.readarr.settings.server.port}";
port = 9705;
user = "exportarr";
group = "exportarr";
- apiKeyFile = config.age.secrets.readarr-apiKey.path;
+ apiKeyFile = cfg.exportMetrics.apiKeyFile;
};
exportarr-bazarr = {
enable = true;
@@ -259,7 +208,7 @@ in
port = 9706;
user = "exportarr";
group = "exportarr";
- apiKeyFile = config.age.secrets.bazarr-apiKey.path;
+ apiKeyFile = cfg.exportMetrics.apiKeyFile;
};
};
})
diff --git a/secrets.nix b/secrets.nix
index 0a1f972..6db6926 100644
--- a/secrets.nix
+++ b/secrets.nix
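Review bot: With the module's `age.secrets` entries removed in this hunk, nothing visible sets `owner`, `group` or `mode` for the file behind `cfg.exportMetrics.apiKeyFile`; the metrics host declares only `exportarr-secrets.file`, so the agenix defaults apply while the exporters still run as `user = "exportarr"`. That is tighter than the old `mode = "770"`, but it only works if the exporter unit receives the key through systemd (for example `LoadCredential`) rather than opening the path as `exportarr`, and this diff does not show which. I would confirm that on the metrics host and record it in the option description; if ownership has to come back, set `owner = "exportarr"; mode = "0400";` on the host-level secret rather than restoring 770. The enclosing `mkIf` block starts before this hunk.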
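Review bot: `exportarr-bazarr` now takes `apiKeyFile = cfg.exportMetrics.apiKeyFile;` like the other exporters, but no hunk in this diff passes `commonSecretsFile` to bazarr, so bazarr presumably keeps its own key and this exporter's requests would be rejected. If bazarr's key is aligned with the shared one in some other way, a comment on this line should say how; otherwise the bazarr exporter needs its own key file option. The `exportarr-bazarr` block begins in the previous hunk.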
@@ -6,12 +6,8 @@ let cloudflare-tegola-apiKey = [ machines.caddy ]; cloudflare-pasetto-apiKey = [ machines.caddy ]; ddclient = [ machines.caddy ]; - prowlarr-apiKey = [ machines.metrics ]; - radarr-apiKey = [ machines.metrics ]; - sonarr-apiKey = [ machines.metrics ]; - lidarr-apiKey = [ machines.metrics ]; - readarr-apiKey = [ machines.metrics ]; - bazarr-apiKey = [ machines.metrics ]; + arr-secrets = [ machines.arr ]; + exportarr-secrets = [ machines.metrics ]; grafana-admin-pwd = [ machines.metrics ]; grafana-secret-auth = [ machines.metrics ]; nextcloud-admin-pwd = [ machines.nextcloud ]; diff --git a/secrets/arr-secrets.age b/secrets/arr-secrets.age new file mode 100644 index 0000000..ba35859 Binary files /dev/null and b/secrets/arr-secrets.age differ diff --git a/secrets/bazarr-apiKey.age b/secrets/bazarr-apiKey.age deleted file mode 100644 index fb02388..0000000 --- a/secrets/bazarr-apiKey.age +++ /dev/null @@ -1,9 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 xSWWeQ 5/maoctCMEQwCFW0kUKrarTEMzdR7YPuM2BmjfZwfXA -cKzan7OSHvlDfGWzLHGJTqouZo2AerCRWOYXzZsKoEQ --> ssh-ed25519 uqg2jw 8pGRSjHvscTyPA71Q3BKldyh48Ruh6fMdF6qrnIrFTw -YB7UBaqZbtOOnnURqLYios+bPzhVAimJQctRx6DzINc --> ssh-ed25519 Si3UKw WsXXKWTLRmfl4uvUZFRGIh8FoKINUt1OyRDU8Pq8hCU -XOadS4pkqmSmoeqE7TsHkMxn8IPJHglCWFAo9q0VwHA ---- WVdWjMUJQq22gNNo0/E2vl6LxxXyOzpljk3H/GFrLhY -[=ڴP󿱞nIJpXGpk>Q  \ No newline at end of file diff --git a/secrets/exportarr-secrets.age b/secrets/exportarr-secrets.age new file mode 100644 index 0000000..4f24134 --- /dev/null +++ b/secrets/exportarr-secrets.age 
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 xSWWeQ cG7Gobz1cgBDjO7/kyX/H6XQtOTxmXPCoSLM6Jr9QlE ++9fmN3TfotEx87OnwEZlzah8/oiFY8RHIe3G5lrXcr0 +-> ssh-ed25519 uqg2jw 8RaNucp/HR5Ez7o+ftKkof8q1EeCNJIgfshlIO2/Mlo +DchXy7bX3/Jk8R6Ynar0nN8pLcSMcDfOO1A0Jv9aNLU +-> ssh-ed25519 Si3UKw MYS2JuTnKU4nU2JheBPO/AwhRg+tRQRtu2hOjMrbFiE +JWRDWEDl7KsYvcxxj3hFboqOwD5spvC5l4raJJcfqo8 +--- FX27pGNIab8Md1sTAlX2Dm/50WZns8MWGiNnRX5pkHI +#e;cy +ʗl5Ž0Ÿf%8.;~.?;싛^!`Bi7% !z \ No newline at end of file diff --git a/secrets/lidarr-apiKey.age b/secrets/lidarr-apiKey.age deleted file mode 100644 index c97c6d4..0000000 --- a/secrets/lidarr-apiKey.age +++ /dev/null @@ -1,10 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 xSWWeQ Shs6s/Vgw6angcDwgHiupl8KRU0qdWT0BxsFvLGuMEM -7+ArocvM12aeQPSoZb9FpCvHABs+GZkJYxakRKk0r/o --> ssh-ed25519 uqg2jw mVSNIQ2gWm81HWmjJF+M9L2D4OaoqUXg++TKXkh7Zzk -4skDLZo1Mj8GDaJjJqtiNBaEVUj208AWJOFyDkejNFg --> ssh-ed25519 Si3UKw CsTGPGo2A7PrRS+RneCPkp+gtkEalQdIshZlGZbE/jQ -/X5RioN6r9Op/tPy0YLxLYM30JOapSYDYInwRxTs/pY ---- xxc/j3e/6BVFET/M1IkR7QjfAPg5rJrTfBSNDYYIxsQ - -rYe5WɻT!k.˨q$Py@qXcC2FO&@WmA \ No newline at end of file diff --git a/secrets/prowlarr-apiKey.age b/secrets/prowlarr-apiKey.age deleted file mode 100644 index 100aee9..0000000 --- a/secrets/prowlarr-apiKey.age +++ /dev/null @@ -1,9 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 xSWWeQ YbWAE91jQYNnWmOVj1myjMyOjl3Th/pf1h1Q6v2iazQ -myC83E4fxF+RIpFsFkIVqjDxrmGdlUNPEAXSihphwPw --> ssh-ed25519 uqg2jw ZgTMJnn49jIafSH7XOi5d7UWppnYS9XWghOZ+sI1eR0 -WjWZYAdaP4k962ivCLp8Sz8V9VjR6r/FYIN6stXXR0w --> ssh-ed25519 Si3UKw BNhSVVNRmYwVla3r1h79WEjDDSQ6jj3ey1LjcDhEECc -P5OZ3OFjembFEMkhIDzbu1+tCT8dODhb/5wKH91jB24 ---- rGcX/jc5u5MjxfI+rJrmsLDeX8eOUxXzf0rOdjDi9bs -WZO,"Q;@% ~i2Y4*V~dP|\} d(u4CLm-,h \ No newline at end of file diff --git a/secrets/radarr-apiKey.age b/secrets/radarr-apiKey.age deleted file mode 100644 index 4d1a04e..0000000 Binary files a/secrets/radarr-apiKey.age and /dev/null differ 
diff --git a/secrets/readarr-apiKey.age b/secrets/readarr-apiKey.age deleted file mode 100644 index af0b8b1..0000000 --- a/secrets/readarr-apiKey.age +++ /dev/null @@ -1,9 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 xSWWeQ 4vR8Yqu9eMHRUBAp/qvBKYJPzTZ1dBG2U8Z64wr1dTg -cPiI2RL/4nxHN6EBDFbAFE2E2HQTqNT8Tl1SSlhUdbw --> ssh-ed25519 uqg2jw KK7idheg8KlmnNBhBkav93ODPNpPg0XyeGYjJHDmXWk -Mp+76AvDb9u+iS5V0jJep6pPPhzDGbLtRp2dBZC1UNg --> ssh-ed25519 Si3UKw tXgHWn2I7Rl3AjT8iELBJ/wmZp0GyjapKbKEOexHQC4 -/UNkPcFzoQBjYglFULjZbl02NHWPJC5UYrkHewy4tnk ---- jna1OGludEsQChWuBVCi+YsxEec3jDpj+jSTezToi60 -B/"]YwbjEʽ߼Y:`j#"=<Bg$=kΉ9Tf8 \ No newline at end of file diff --git a/secrets/sonarr-apiKey.age b/secrets/sonarr-apiKey.age deleted file mode 100644 index 76ae6ef..0000000 --- a/secrets/sonarr-apiKey.age +++ /dev/null @@ -1,9 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 xSWWeQ dcQp5hk2FVTNBt8KM0QlF9wfd7iV9BcJDWTjH6sJT30 -Tlxi6qqrsApOigOTvQ7ww0JbfIHe9yEscydh6uQwSWY --> ssh-ed25519 uqg2jw fRMpsodBqJpYNaZAdVliclA0J3FgCue794fKTkzLZ0w -nUfk6PxJSI2Dox/bLoCbTA7LHJJo2gmPm3lWPMIbUYU --> ssh-ed25519 Si3UKw mgGlxiZLNoc+/Fl+L+5WRb6WL8IC4lpy9nr0suF7FGc -eJov8KWS6f+8jwNf5t0bKwAmbZIv2YPiJv77EnCLR+M ---- FLrvJOrt3DNhaV/oT69e3WRILx6Z5k8gmcJ2M/7f6iA -׽>Řq$Vѐ ZzV%M/ehH؄uu:BKzSRdξгt_ \ No newline at end of file