Single secret files for all arr services

pazpi 2025-09-14 12:57:38 +02:00
parent 758d01f8e2
commit c505db0d60
12 changed files with 58 additions and 140 deletions


@ -10,6 +10,7 @@ in
{ {
age.secrets = { age.secrets = {
arr-secrets.file = ../../secrets/arr-secrets.age;
tailscale-authKey.file = ../../secrets/tailscale-authKey.age; tailscale-authKey.file = ../../secrets/tailscale-authKey.age;
}; };
@ -38,7 +39,10 @@ in
}; };
services.media-mgr = { services.media-mgr = {
programs.enable = true; programs = {
enable = true;
commonSecretsFile = config.age.secrets.arr-secrets.path;
};
}; };
virtualisation = { virtualisation = {


@ -11,6 +11,7 @@ in
{ {
age.secrets = { age.secrets = {
exportarr-secrets.file = ../../secrets/exportarr-secrets.age;
tailscale-authKey.file = ../../secrets/tailscale-authKey.age; tailscale-authKey.file = ../../secrets/tailscale-authKey.age;
grafana-admin-pwd = { grafana-admin-pwd = {
file = ../../secrets/grafana-admin-pwd.age; file = ../../secrets/grafana-admin-pwd.age;
@ -29,7 +30,11 @@ in
}; };
services.media-mgr = { services.media-mgr = {
exportMetrics.enable = true; exportMetrics = {
enable = true;
apiKeyFile = config.age.secrets.exportarr-secrets.path;
};
proxy.host = p.hosts.arr;
}; };
monitoring = { monitoring = {
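Review bot: `exportarr-secrets` is declared with only `.file`, so the decrypted file takes agenix's default owner and mode (root-owned, not readable by other users), whereas the per-app secrets this commit removes from the media-mgr module set `owner = "exportarr"` and `group = "exportarr"`. The exporters still run as `exportarr` and now receive this path as `apiKeyFile`; if the exporter unit opens the file as the service user rather than having systemd load it as a credential, every exporter will fail to read its key. Either confirm the unit loads it through systemd, or restore ownership with a tight mode: `exportarr-secrets = { file = ../../secrets/exportarr-secrets.age; owner = "exportarr"; mode = "0400"; };`. The old `mode = "770"` should not be carried over, since it made the key file group-writable and executable.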


@ -9,22 +9,30 @@ with lib;
let let
cfg = config.my.services.media-mgr; cfg = config.my.services.media-mgr;
lidarrPort = toString 8686;
radarrPort = toString 7878;
sonarrPort = toString 8989;
readarrPort = toString 8787;
prowlarrPort = toString 9696;
in in
{ {
options.my.services.media-mgr = { options.my.services.media-mgr = {
programs = { programs = {
enable = lib.mkEnableOption "Enable the download manager stack"; enable = lib.mkEnableOption "Enable the download manager stack";
commonSecretsFile = lib.mkOption {
default = "";
type = lib.types.path;
description = ''
Path to the file containing secrets in common between Arr
'';
};
}; };
exportMetrics = { exportMetrics = {
enable = lib.mkEnableOption "Enable monitoring for the download manager stack"; enable = lib.mkEnableOption "Enable monitoring for the download manager stack";
apiKeyFile = lib.mkOption {
default = "";
type = lib.types.path;
description = ''
Path to the file containing the Arr secrets API key (look also commonSecretsFile)
'';
};
}; };
proxy = { proxy = {
@ -61,30 +69,35 @@ in
prowlarr = { prowlarr = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
environmentFiles = [ cfg.programs.commonSecretsFile ];
}; };
# Movies # Movies
radarr = { radarr = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
environmentFiles = [ cfg.programs.commonSecretsFile ];
}; };
# TV Shows # TV Shows
sonarr = { sonarr = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
environmentFiles = [ cfg.programs.commonSecretsFile ];
}; };
# Music # Music
lidarr = { lidarr = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
environmentFiles = [ cfg.programs.commonSecretsFile ];
}; };
# E-books # E-books
readarr = { readarr = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
environmentFiles = [ cfg.programs.commonSecretsFile ];
}; };
# Subtitles # Subtitles
@ -109,23 +122,23 @@ in
(lib.mkIf cfg.proxy.enable { (lib.mkIf cfg.proxy.enable {
services.caddy = with cfg.proxy; { services.caddy = with cfg.proxy; {
virtualHosts."prowlarr.ts.${domain}".extraConfig = '' virtualHosts."prowlarr.ts.${domain}".extraConfig = ''
reverse_proxy http://${host}:${prowlarrPort} reverse_proxy http://${host}:${toString config.services.prowlarr.settings.server.port}
import cloudflare_${domain} import cloudflare_${domain}
''; '';
virtualHosts."radarr.ts.${domain}".extraConfig = '' virtualHosts."radarr.ts.${domain}".extraConfig = ''
reverse_proxy http://${host}:${radarrPort} reverse_proxy http://${host}:${toString config.services.radarr.settings.server.port}
import cloudflare_${domain} import cloudflare_${domain}
''; '';
virtualHosts."sonarr.ts.${domain}".extraConfig = '' virtualHosts."sonarr.ts.${domain}".extraConfig = ''
reverse_proxy http://${host}:${sonarrPort} reverse_proxy http://${host}:${toString config.services.sonarr.settings.server.port}
import cloudflare_${domain} import cloudflare_${domain}
''; '';
virtualHosts."lidarr.ts.${domain}".extraConfig = '' virtualHosts."lidarr.ts.${domain}".extraConfig = ''
reverse_proxy http://${host}:${lidarrPort} reverse_proxy http://${host}:${toString config.services.lidarr.settings.server.port}
import cloudflare_${domain} import cloudflare_${domain}
''; '';
virtualHosts."readarr.ts.${domain}".extraConfig = '' virtualHosts."readarr.ts.${domain}".extraConfig = ''
reverse_proxy http://${host}:${readarrPort} reverse_proxy http://${host}:${toString config.services.readarr.settings.server.port}
import cloudflare_${domain} import cloudflare_${domain}
''; '';
virtualHosts."bazarr.ts.${domain}".extraConfig = '' virtualHosts."bazarr.ts.${domain}".extraConfig = ''
@ -148,110 +161,46 @@ in
isSystemUser = true; isSystemUser = true;
}; };
age.secrets = {
prowlarr-apiKey = {
file = ../../secrets/prowlarr-apiKey.age;
owner = "exportarr";
group = "exportarr";
mode = "770";
};
};
age.secrets = {
radarr-apiKey = {
file = ../../secrets/radarr-apiKey.age;
owner = "exportarr";
group = "exportarr";
mode = "770";
};
};
age.secrets = {
sonarr-apiKey = {
file = ../../secrets/sonarr-apiKey.age;
owner = "exportarr";
group = "exportarr";
mode = "770";
};
};
age.secrets = {
lidarr-apiKey = {
file = ../../secrets/lidarr-apiKey.age;
owner = "exportarr";
group = "exportarr";
mode = "770";
};
};
age.secrets = {
readarr-apiKey = {
file = ../../secrets/readarr-apiKey.age;
owner = "exportarr";
group = "exportarr";
mode = "770";
};
};
age.secrets = {
bazarr-apiKey = {
file = ../../secrets/bazarr-apiKey.age;
owner = "exportarr";
group = "exportarr";
mode = "770";
};
};
systemd.services = {
prometheus-exportarr-prowlarr-exporter.serviceConfig.EnvironmentFile =
config.age.secrets.prowlarr-apiKey.path;
prometheus-exportarr-radarr-exporter.serviceConfig.EnvironmentFile =
config.age.secrets.radarr-apiKey.path;
prometheus-exportarr-sonarr-exporter.serviceConfig.EnvironmentFile =
config.age.secrets.sonarr-apiKey.path;
prometheus-exportarr-lidarr-exporter.serviceConfig.EnvironmentFile =
config.age.secrets.lidarr-apiKey.path;
prometheus-exportarr-readarr-exporter.serviceConfig.EnvironmentFile =
config.age.secrets.readarr-apiKey.path;
prometheus-exportarr-bazarr-exporter.serviceConfig.EnvironmentFile =
config.age.secrets.bazarr-apiKey.path;
};
services.prometheus.exporters = with cfg.proxy; { services.prometheus.exporters = with cfg.proxy; {
exportarr-prowlarr = { exportarr-prowlarr = {
enable = true; enable = true;
url = "http://${host}:${prowlarrPort}"; url = "http://${host}:${toString config.services.prowlarr.settings.server.port}";
port = 9701; port = 9701;
user = "exportarr"; user = "exportarr";
group = "exportarr"; group = "exportarr";
apiKeyFile = config.age.secrets.prowlarr-apiKey.path; apiKeyFile = cfg.exportMetrics.apiKeyFile;
}; };
exportarr-radarr = { exportarr-radarr = {
enable = true; enable = true;
url = "http://${host}:${radarrPort}"; url = "http://${host}:${toString config.services.radarr.settings.server.port}";
port = 9702; port = 9702;
user = "exportarr"; user = "exportarr";
group = "exportarr"; group = "exportarr";
apiKeyFile = config.age.secrets.radarr-apiKey.path; apiKeyFile = cfg.exportMetrics.apiKeyFile;
}; };
exportarr-sonarr = { exportarr-sonarr = {
enable = true; enable = true;
url = "http://${host}:${sonarrPort}"; url = "http://${host}:${toString config.services.sonarr.settings.server.port}";
port = 9703; port = 9703;
user = "exportarr"; user = "exportarr";
group = "exportarr"; group = "exportarr";
apiKeyFile = config.age.secrets.sonarr-apiKey.path; apiKeyFile = cfg.exportMetrics.apiKeyFile;
}; };
exportarr-lidarr = { exportarr-lidarr = {
enable = true; enable = true;
url = "http://${host}:${lidarrPort}"; url = "http://${host}:${toString config.services.lidarr.settings.server.port}";
port = 9704; port = 9704;
user = "exportarr"; user = "exportarr";
group = "exportarr"; group = "exportarr";
apiKeyFile = config.age.secrets.lidarr-apiKey.path; apiKeyFile = cfg.exportMetrics.apiKeyFile;
}; };
exportarr-readarr = { exportarr-readarr = {
enable = true; enable = true;
url = "http://${host}:${readarrPort}"; url = "http://${host}:${toString config.services.readarr.settings.server.port}";
port = 9705; port = 9705;
user = "exportarr"; user = "exportarr";
group = "exportarr"; group = "exportarr";
apiKeyFile = config.age.secrets.readarr-apiKey.path; apiKeyFile = cfg.exportMetrics.apiKeyFile;
}; };
exportarr-bazarr = { exportarr-bazarr = {
enable = true; enable = true;
@ -259,7 +208,7 @@ in
port = 9706; port = 9706;
user = "exportarr"; user = "exportarr";
group = "exportarr"; group = "exportarr";
apiKeyFile = config.age.secrets.bazarr-apiKey.path; apiKeyFile = cfg.exportMetrics.apiKeyFile;
}; };
}; };
}) })
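Review bot: `commonSecretsFile` and `apiKeyFile` are declared with `default = "";` under `type = lib.types.path`, and an empty string is not a valid value for that type, so a host that enables the stack without setting the option gets a type error pointing at this module instead of a clear "option not set" message. Dropping the default (making the option required) or using `type = lib.types.nullOr lib.types.path; default = null;` with a guard at the use sites would make the failure explicit. The descriptions should also state that the value must be a runtime path string such as an agenix `.path`, because a Nix path literal would typically be copied into the world-readable store. Separately, `exportarr-bazarr` now reads the same `cfg.exportMetrics.apiKeyFile`, but no visible hunk gives bazarr the shared secret; its service definition lies outside the hunks shown, so confirm that the key actually matches bazarr's.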


@ -6,12 +6,8 @@ let
cloudflare-tegola-apiKey = [ machines.caddy ]; cloudflare-tegola-apiKey = [ machines.caddy ];
cloudflare-pasetto-apiKey = [ machines.caddy ]; cloudflare-pasetto-apiKey = [ machines.caddy ];
ddclient = [ machines.caddy ]; ddclient = [ machines.caddy ];
prowlarr-apiKey = [ machines.metrics ]; arr-secrets = [ machines.arr ];
radarr-apiKey = [ machines.metrics ]; exportarr-secrets = [ machines.metrics ];
sonarr-apiKey = [ machines.metrics ];
lidarr-apiKey = [ machines.metrics ];
readarr-apiKey = [ machines.metrics ];
bazarr-apiKey = [ machines.metrics ];
grafana-admin-pwd = [ machines.metrics ]; grafana-admin-pwd = [ machines.metrics ];
grafana-secret-auth = [ machines.metrics ]; grafana-secret-auth = [ machines.metrics ];
nextcloud-admin-pwd = [ machines.nextcloud ]; nextcloud-admin-pwd = [ machines.nextcloud ];

BIN
secrets/arr-secrets.age Normal file

Binary file not shown.


@ -1,9 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 xSWWeQ 5/maoctCMEQwCFW0kUKrarTEMzdR7YPuM2BmjfZwfXA
cKzan7OSHvlDfGWzLHGJTqouZo2AerCRWOYXzZsKoEQ
-> ssh-ed25519 uqg2jw 8pGRSjHvscTyPA71Q3BKldyh48Ruh6fMdF6qrnIrFTw
YB7UBaqZbtOOnnURqLYios+bPzhVAimJQctRx6DzINc
-> ssh-ed25519 Si3UKw WsXXKWTLRmfl4uvUZFRGIh8FoKINUt1OyRDU8Pq8hCU
XOadS4pkqmSmoeqE7TsHkMxn8IPJHglCWFAo9q0VwHA
--- WVdWjMUJQq22gNNo0/E2vl6LxxXyOzpljk3H/GFrLhY
ñ[ž=Ú´·ëP󿱞nI JpX”ƒÙ•òGpkí> <02>ÞÌ


@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 xSWWeQ cG7Gobz1cgBDjO7/kyX/H6XQtOTxmXPCoSLM6Jr9QlE
+9fmN3TfotEx87OnwEZlzah8/oiFY8RHIe3G5lrXcr0
-> ssh-ed25519 uqg2jw 8RaNucp/HR5Ez7o+ftKkof8q1EeCNJIgfshlIO2/Mlo
DchXy7bX3/Jk8R6Ynar0nN8pLcSMcDfOO1A0Jv9aNLU
-> ssh-ed25519 Si3UKw MYS2JuTnKU4nU2JheBPO/AwhRg+tRQRtu2hOjMrbFiE
JWRDWEDl7KsYvcxxj3hFboqOwD5spvC5l4raJJcfqo8
--- FX27pGNIab8Md1sTAlX2Dm/50WZns8MWGiNnRX5pkHI
#ùŽºÇe;ã³cˆ®y
ˆÊ—l5<EFBFBD>ªÅ½<C385>Ý0Ÿçf%8.;~¿Š.?;±ì‹›ßá^!`Bi·Ñ7% !zƒ


@ -1,10 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 xSWWeQ Shs6s/Vgw6angcDwgHiupl8KRU0qdWT0BxsFvLGuMEM
7+ArocvM12aeQPSoZb9FpCvHABs+GZkJYxakRKk0r/o
-> ssh-ed25519 uqg2jw mVSNIQ2gWm81HWmjJF+M9L2D4OaoqUXg++TKXkh7Zzk
4skDLZo1Mj8GDaJjJqtiNBaEVUj208AWJOFyDkejNFg
-> ssh-ed25519 Si3UKw CsTGPGo2A7PrRS+RneCPkp+gtkEalQdIshZlGZbE/jQ
/X5RioN6r9Op/tPy0YLxLYM30JOapSYDYInwRxTs/pY
--- xxc/j3e/6BVFET/M1IkR7QjfAPg5rJrTfBSNDYYIxsQ
±Ye5WéçòÉ»ŒTãâ!k©î.˨qÅ$Pyý@qûX½ŸžÜñcõC2øµF½O&àú@W<>öå÷mA”±æÆÀ


@ -1,9 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 xSWWeQ YbWAE91jQYNnWmOVj1myjMyOjl3Th/pf1h1Q6v2iazQ
myC83E4fxF+RIpFsFkIVqjDxrmGdlUNPEAXSihphwPw
-> ssh-ed25519 uqg2jw ZgTMJnn49jIafSH7XOi5d7UWppnYS9XWghOZ+sI1eR0
WjWZYAdaP4k962ivCLp8Sz8V9VjR6r/FYIN6stXXR0w
-> ssh-ed25519 Si3UKw BNhSVVNRmYwVla3r1h79WEjDDSQ6jj3ey1LjcDhEECc
P5OZ3OFjembFEMkhIDzbu1+tCT8dODhb/5wKH91jB24
--- rGcX/jc5u5MjxfI+rJrmsLDeX8eOUxXzf0rOdjDi9bs
Wˆò»äéˆéZO,"åQ<C3A5><51>µ³;ÁÁ@% ~i2Y²ÛÄ4*îÑãVô~dP|¬ÅÒ\Ü}©Å ð¡d(úu4±CÏüLmØ-,h

Binary file not shown.


@ -1,9 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 xSWWeQ 4vR8Yqu9eMHRUBAp/qvBKYJPzTZ1dBG2U8Z64wr1dTg
cPiI2RL/4nxHN6EBDFbAFE2E2HQTqNT8Tl1SSlhUdbw
-> ssh-ed25519 uqg2jw KK7idheg8KlmnNBhBkav93ODPNpPg0XyeGYjJHDmXWk
Mp+76AvDb9u+iS5V0jJep6pPPhzDGbLtRp2dBZC1UNg
-> ssh-ed25519 Si3UKw tXgHWn2I7Rl3AjT8iELBJ/wmZp0GyjapKbKEOexHQC4
/UNkPcFzoQBjYglFULjZbl02NHWPJC5UYrkHewy4tnk
--- jna1OGludEsQChWuBVCi+YsxEec3jDpj+jSTezToi60
µú‡ðB/"]°YwbjEÔʽß¼Y:`¥—‡j¥„#"”<óÐí£ö­BÇàßg$•Ì=ækΉ¡ä9T¸f8í ¶


@ -1,9 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 xSWWeQ dcQp5hk2FVTNBt8KM0QlF9wfd7iV9BcJDWTjH6sJT30
Tlxi6qqrsApOigOTvQ7ww0JbfIHe9yEscydh6uQwSWY
-> ssh-ed25519 uqg2jw fRMpsodBqJpYNaZAdVliclA0J3FgCue794fKTkzLZ0w
nUfk6PxJSI2Dox/bLoCbTA7LHJJo2gmPm3lWPMIbUYU
-> ssh-ed25519 Si3UKw mgGlxiZLNoc+/Fl+L+5WRb6WL8IC4lpy9nr0suF7FGc
eJov8KWS6f+8jwNf5t0bKwAmbZIv2YPiJv77EnCLR+M
--- FLrvJOrt3DNhaV/oT69e3WRILx6Z5k8gmcJ2M/7f6iA
×½>ŘÊq»$V”üÑ<C3BC>í¸ ZzVÔÔ%M/ÎehÖóHØ„Úu¶ëÒùôuÎ:ÈBÖKáízSRdξøÐ³øtÈè_