update secrets, cleanup

2025-01-22 17:52:48 -06:00
parent fe0916e255
commit a6ec7beff9
8 changed files with 51 additions and 49 deletions
--- a/hosts/nas/apps/arrs/default.nix
+++ b/hosts/nas/apps/arrs/default.nix
@@ -1,7 +1,6 @@
 {
  config,
  pkgs,
-  lib,
  ...
 }:

@@ -9,6 +8,7 @@ let
  radarrPort = 7878;
  sonarrPort = 8989;
  sabnzbdPort = 8280;
+  delugePort = 8112;
  jackettPort = 9117;
  radarrDataDir = "/var/lib/radarr";
  downloadDir = "/downloads";
@@ -19,8 +19,11 @@ let
  mediaDir = "/media";
  arrUserId = config.users.users.nix-apps.uid;
  arrGroupId = config.users.groups.jallen-nas.gid;
-  sonarrPkg = pkgs.stable.sonarr;
+  radarrPkg = pkgs.unstable.radarr;
+  sonarrPkg = pkgs.unstable.sonarr;
+  delugePkg = pkgs.unstable.deluge;
  jackettPkg = pkgs.unstable.jackett;
+  sabnzbdPkg = pkgs.unstable.sabnzbd;
 in
 {
  nixpkgs.config.permittedInsecurePackages = [
@@ -38,7 +41,6 @@ in

    config =
      {
-        config,
        pkgs,
        lib,
        ...
@@ -59,6 +61,7 @@ in
          user = "arrs";
          group = "media";
          dataDir = radarrDataDir;
+          package = radarrPkg;
        };

        # Enable Sonarr service
@@ -68,7 +71,7 @@ in
          user = "arrs";
          group = "media";
          dataDir = sonarrDataDir;
-          # package = sonarrPkg;
+          package = sonarrPkg;
        };

        # Enable Sabnzbd service
@@ -78,6 +81,7 @@ in
          user = "arrs";
          group = "media";
          configFile = "${sabnzbdConfig}/sabnzbd.ini";
+          package = sabnzbdPkg;
        };

        services.deluge = {
@@ -86,6 +90,7 @@ in
          group = "media";
          openFirewall = true;
          dataDir = "/media";
+          package = delugePkg;
          web = {
            enable = true;
            port = 8112;
@@ -225,11 +230,11 @@ in
      }
      {
        destination = "10.0.1.51:8112";
-        sourcePort = 8112;
+        sourcePort = delugePort;
      }
      {
        destination = "10.0.1.51:9117";
-        sourcePort = 9117;
+        sourcePort = jackettPort;
      }
    ];
  };
--- a/hosts/nas/apps/jellyseerr/default.nix
+++ b/hosts/nas/apps/jellyseerr/default.nix
@@ -1,9 +1,4 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
+{ ... }:

 let
  jellyseerrPort = 5055;
@@ -27,8 +22,6 @@ in

    config =
      {
-        config,
-        pkgs,
        lib,
        ...
      }:
--- a/hosts/nas/apps/ollama/default.nix
+++ b/hosts/nas/apps/ollama/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, ... }:
 {
  services.ollama = {
    enable = true;
@@ -16,9 +16,8 @@
    port = 8888;
    openFirewall = true;
    # stateDir = "/media/nas/ssd/nix-app-data/open-webui";
+    environmentFile = config.sops.secrets."jallen-nas/open-webui".path;
    environment = {
-      OAUTH_CLIENT_ID = "P4YrtPrdwoQkwYs4e5AHQx7xiz4FV6OpT24rjqXa";
-      OAUTH_CLIENT_SECRET = "XpZ1Y9RUMD6FVxBSxg8evHkRYuSUJ3saN99uCFfeNo4Z8vrmnqZBHJQzSSCFig1fgqEYCr3SmcOvCHGHUsz9FJT2aZFlZxKv6bZZpuMQYASHiQtuX2pTVEspiNab3129";
      OPENID_PROVIDER_URL = "https://authentik.mjallen.dev/application/o/chat/.well-known/openid-configuration";
      OPENID_PROVIDER_NAME = "authentik";
      ENABLE_OAUTH_SIGNUP = "true";
--- a/hosts/nas/apps/paperless/default.nix
+++ b/hosts/nas/apps/paperless/default.nix
@@ -1,14 +1,15 @@
 {
  config,
  pkgs,
-  lib,
  ...
 }:
 let
  paperlessPort = 28981;
  paperlessUserId = config.users.users.nix-apps.uid;
  paperlessGroupId = config.users.groups.jallen-nas.gid;
-  passwordFile = config.sops.secrets."jallen-nas/admin_password".path;
+  paperlessSecret = config.sops.templates."paperless-secret".content;
+  clientId = config.sops.templates."paperless-client-id".content;
+  clientSecret = config.sops.templates."paperless-client-secret".content;
  paperlessPkg = pkgs.stable.paperless-ngx;
 in
 {
@@ -22,8 +23,6 @@ in

    config =
      {
-        config,
-        pkgs,
        lib,
        ...
      }:
@@ -38,10 +37,10 @@ in
          passwordFile = "/var/lib/paperless/paperless-password";
          settings = {
            PAPERLESS_URL = "https://paperless.jallen.dev";
-            PAPERLESS_SECRET = "Luciferthecat03092024";
+            PAPERLESS_SECRET = paperlessSecret;
            PAPERLESS_ENABLE_ALLAUTH = true;
            PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
-            PAPERLESS_SOCIALACCOUNT_PROVIDERS = ''{"openid_connect":{"OAUTH_PKCE_ENABLED":true,"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"OZhMnBUxwJvpjkUhs4ISgA0iAWA7etgTXaohLCED","secret":"UrwdWObeyoEI1AogXcjV8SwYsJ585Wkh5YxDH5wFPXZxp8IVV9QNsn32PIAv6h9BdjaiiMrOFayaW3uXyZYg71olG5OQ1qGaD6WYn0EijYBwxoEuvp7LIdMJ4lImhVR1","settings":{"server_url":"https://authentik.mjallen.dev/application/o/paperless/.well-known/openid-configuration"}}]}}'';
+            PAPERLESS_SOCIALACCOUNT_PROVIDERS = ''{"openid_connect":{"OAUTH_PKCE_ENABLED":true,"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"${clientId}","secret":"${clientSecret}","settings":{"server_url":"https://authentik.mjallen.dev/application/o/paperless/.well-known/openid-configuration"}}]}}'';
          };
        };

@@ -88,10 +87,6 @@ in
        hostPath = "/media/nas/ssd/nix-app-data/paperless";
        isReadOnly = false;
      };
-      # "/run/keys/paperless-password" = {
-      #   hostPath = passwordFile;
-      #   isReadOnly = true;
-      # };
    };
  };

--- a/hosts/nas/networking.nix
+++ b/hosts/nas/networking.nix
@@ -1,17 +1,11 @@
-{ config, pkgs, ... }:
+{ ... }:
 let
  hostname = "jallen-nas";
-  ipAddress = "10.0.1.18";
-  ipAddress2 = "10.0.1.19";
-  gateway = "10.0.1.1";
  ports = [
    9000 # authentik
    2342 # grafana
    51820 # wireguard
  ];
-
-  wireguard-private = config.sops.secrets."jallen-nas/wireguard/private".path;
-  wireguard-public = "r03IJPnTaSNmhVYIdQr+TGasox6NAUrgW8ycm/sac08=";
 in
 {
  # Networking configs
--- a/hosts/nas/services.nix
+++ b/hosts/nas/services.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 let
  enableDisplayManager = true;
 in
--- a/hosts/nas/sops.nix
+++ b/hosts/nas/sops.nix
@@ -34,14 +34,14 @@
    restartUnits = [ "podman-nextcloud.service" ];
  };

-  sops.secrets."jallen-nas/manyfold/secretkeybase" = {
-    restartUnits = [ "podman-manyfold.service" ];
-  };
-
  sops.templates."nextcloud-smtp".content = ''
    ${config.sops.secrets."jallen-nas/nextcloud/smtppassword".path}
  '';

+  sops.secrets."jallen-nas/manyfold/secretkeybase" = {
+    restartUnits = [ "podman-manyfold.service" ];
+  };
+
  sops.secrets."jallen-nas/immich/db-password" = {
    restartUnits = [ "podman-immich-postgres.service" ];
  };
@@ -61,16 +61,27 @@
    restartUnits = [ "podman-immich-server.service" ];
  };

-  sops.secrets."jallen-nas/wireguard/private" = {
-    # restartUnits = [ "podman-immich-server.service" ];
+  sops.secrets."jallen-nas/open-webui" = {
+    restartUnits = [ "open-webui.service" ];
  };

-  sops.secrets."jallen-nas/wireguard/public" = {
-    # restartUnits = [ "podman-immich-server.service" ];
+  sops.secrets."jallen-nas/paperless/secret" = {
+    restartUnits = [ "container@paperless.service" ];
  };
-
-  sops.templates."wireguard-public".content = ''
-    "${config.sops.placeholder."jallen-nas/wireguard/public"}"
+  sops.templates."paperless-secret".content = ''
+    ${config.sops.secrets."jallen-nas/paperless/secret".path}
+  '';
+  sops.secrets."jallen-nas/paperless/authentik-client-id" = {
+    restartUnits = [ "container@paperless.service" ];
+  };
+  sops.templates."paperless-client-id".content = ''
+    ${config.sops.secrets."jallen-nas/paperless/authentik-client-id".path}
+  '';
+  sops.secrets."jallen-nas/paperless/authentik-client-secret" = {
+    restartUnits = [ "container@paperless.service" ];
+  };
+  sops.templates."paperless-client-secret".content = ''
+    ${config.sops.secrets."jallen-nas/paperless/authentik-client-secret".path}
  '';

  # Permission modes are in octal representation (same as chmod),