From 86e540b35d9eceb93d8cd42a7875956d87f33c98 Mon Sep 17 00:00:00 2001
From: Danilo Reyes
Date: Thu, 2 Oct 2025 14:07:46 -0600
Subject: [PATCH] properly set unpackerr and stash secrets
---
 dotfiles/unpackerr.conf | 222 --------------------------------
 modules/servers/qbittorrent.nix | 41 +++---
 modules/servers/stash.nix | 6 +-
 secrets/env.yaml | 8 +-
 secrets/secrets.yaml | 18 +--
 5 files changed, 38 insertions(+), 257 deletions(-)
 delete mode 100644 dotfiles/unpackerr.conf
diff --git a/dotfiles/unpackerr.conf b/dotfiles/unpackerr.conf
deleted file mode 100644
index bf92678..0000000
--- a/dotfiles/unpackerr.conf
+++ /dev/null
@@ -1,222 +0,0 @@ -## Unpackerr Example Configuration File ## -## The following values are application defaults. ## -## Environment Variables may override all values. ## -#################################################### - -# [true/false] Turn on debug messages in the output. Do not wrap this in quotes. -# Recommend trying this so you know what it looks like. I personally leave it on. -debug = false - -# Disable writing messages to stdout. This silences the app. You should set a log -# file below if you set this to true. Recommended when starting with systemctl. -quiet = false - -# Setting activity to true will silence all app queue log lines with only zeros. -# Set this to true when you want less log spam. -activity = false - -# The application queue data is logged on an interval. Adjust that interval with this setting. -# Default is a minute. 2m, 5m, 10m, 30m, 1h are also perfectly acceptable. -log_queues = "1m" - -# Write messages to a log file. This is the same data that is normally output to stdout. -# This setting is great for Docker users that want to export their logs to a file. -# The alternative is to use syslog to log the output of the application to a file. -# Default is no log file; this is unset. log_files=0 turns off auto-rotation. -# Default files is 10 and size(mb) is 10 Megabytes; both doubled if debug is true. -#log_file = '/downloads/unpackerr.log' -log_files = 10 -log_file_mb = 10 - -# How often to poll sonarr and radarr. -# Recommend 1m-5m. Uses Go Duration. -interval = "5m" - -# How long an item must be queued (download complete) before extraction will start. -# One minute is the historic default and works well. Set higher if your downloads -# take longer to finalize (or transfer locally). Uses Go Duration. -start_delay = "1m" - -# How long to wait before removing the history for a failed extraction. -# Once the history is deleted the item will be recognized as new and -# extraction will start again. Uses Go Duration. 
-retry_delay = "5m" - -# How many files may be extracted in parallel. 1 works fine. -# Do not wrap the number in quotes. Raise this only if you have fast disks and CPU. -parallel = 1 - -# Use these configurations to control the file modes used for newly extracted -# files and folders. Recommend 0644/0755 or 0666/0777. -file_mode = "0664" -dir_mode = "0775" - -[webserver] -## The web server currently only supports metrics; set this to true if you wish to use it. - metrics = false -## This may be set to a port or an ip:port to bind a specific IP. 0.0.0.0 binds ALL IPs. - listen_addr = "0.0.0.0:5656" -## Recommend setting a log file for HTTP requests. Otherwise, they go with other logs. - log_file = "" -## This app automatically rotates logs. Set these to the size and number to keep. - log_files = 10 - log_file_mb = 10 -## Set both of these to valid file paths to enable HTTPS/TLS. - ssl_cert_file = "" - ssl_key_file = "" -## Base URL from which to serve content. - urlbase = "/" -## Upstreams should be set to the IP or CIDR of your trusted upstream proxy. -## Setting this correctly allows X-Forwarded-For to be used in logs. -## In the future it may control auth proxy trust. Must be a list of strings. - upstreams = [ ] # example: upstreams = [ "127.0.0.1/32", "10.1.2.0/24" ] - -##-Notes-#######-READ THIS!!!-################################################## -## The following sections can be repeated if you have more than one Sonarr, ## -## Radarr or Lidarr, Readarr, Folder, Webhook, or Command Hook. ## -## You MUST uncomment the [[header]] and api_key at a minimum for Starr apps. ## -## ALL LINES BEGINNING WITH A HASH # ARE IGNORED ## -## REMOVE THE HASH # FROM CONFIG LINES YOU WANT TO CHANGE ## -################################################################################ - -[[sonarr]] -url = "http://localhost:8989" -api_key = "52869fe7bec4482dafb21c4053fe71e4" -## File system path where downloaded Sonarr items are located. 
-paths = ['/srv/pool/multimedia/downloads/torrent'] -## Default protocols is torrent. Alternative: "torrent,usenet" -protocols = "torrent" -## How long to wait for a reply from the backend. -timeout = "10s" -## How long to wait after import before deleting the extracted items. -delete_delay = "5m" -## If you use this app with NZB you may wish to delete archives after extraction. -## General recommendation is: do not enable this for torrent use. -## Setting this to true deletes the entire original download folder after import. -# delete_orig = false -## If you use Syncthing, setting this to true will make unpackerr wait for syncs to finish. -# syncthing = false - -[[radarr]] -url = "http://127.0.0.1:7878" -api_key = "a987ac45ca2c47bc88e762031ea33296" -## File system path where downloaded Radarr items are located. -paths = ['/srv/pool/multimedia/downloads/torrent'] -## Default protocols is torrents. Alternative: "torrent,usenet" -protocols = "torrent" -## How long to wait for a reply from the backend. -timeout = "10s" -## How long to wait after import before deleting the extracted items. -delete_delay = "5m" -## If you use this app with NZB you may wish to delete archives after extraction. -## General recommendation is: do not enable this for torrent use. -## Setting this to true deletes the entire original download folder after import. -# delete_orig = false -## If you use Syncthing, setting this to true will make unpackerr wait for syncs to finish. -# syncthing = false - -#[[lidarr]] -# url = "http://127.0.0.1:8686" -# api_key = "0123456789abcdef0123456789abcdef" -## File system path where downloaded Lidarr items are located. -# paths = ['/downloads'] -## Default protocols is torrent. Alternative: "torrent,usenet" -# protocols = "torrent" -## How long to wait for a reply from the backend. -# timeout = "10s" -## How long to wait after import before deleting the extracted items. 
-# delete_delay = "5m" -## If you use this app with NZB you may wish to delete archives after extraction. -## General recommendation is: do not enable this for torrent use. -## Setting this to true deletes the entire original download folder after import. -# delete_orig = false -## If you use Syncthing, setting this to true will make unpackerr wait for syncs to finish. -# syncthing = false - -#[[readarr]] -# url = "http://127.0.0.1:8787" -# api_key = "0123456789abcdef0123456789abc" -## File system path where downloaded Readarr items are located. -# paths = ['/downloads'] -## Default protocols is torrent. Alternative: "torrent,usenet" -# protocols = "torrent" -## How long to wait for a reply from the backend. -# timeout = "10s" -## How long to wait after import before deleting the extracted items. -# delete_delay = "5m" -## If you use this app with NZB you may wish to delete archives after extraction. -## General recommendation is: do not enable this for torrent use. -## Setting this to true deletes the entire original download folder after import. -# delete_orig = false -## If you use Syncthing, setting this to true will make unpackerr wait for syncs to finish. -# syncthing = false - - -################################################################################## -### ### STOP HERE ### STOP HERE ### STOP HERE ### STOP HERE #### STOP HERE ### # -### Only using Starr apps? The things above. The below configs are OPTIONAL. ### # -################################################################################## - -##-Folders-####################################################################### -## This application can also watch folders for things to extract. If you copy a ## -## subfolder into a watched folder (defined below) any extractable items in the ## -## folder will be decompressed. This has nothing to do with Starr applications. 
## -################################################################################## -#[[folder]] -# path = '/some/folder/to/watch' -## Path to extract files to. The default (leaving this blank) is the same as `path` (above). -# extract_path = "" -## Delete extracted or original files this long after extraction. -## The default is 0. Set to 0 to disable all deletes. Uncomment it to enable deletes. Uses Go Duration. -# delete_after = "10m" -## Delete extracted files after successful extraction? true/false, no quotes. Honors delete_after. -# delete_files = false -## Delete original items after successful extraction? true/false, no quotes. Honors delete_after. -# delete_original = false -## Disable extraction log (unpackerred.txt) file creation? true/false, no quotes. -# disable_log = false -## Move extracted files into original folder? If false, files go into an _unpackerred folder. -# move_back = false -## Set this to true if you want this app to extract ISO files with .iso extension. -# extract_isos = false - - -################ -### Webhooks ### -################ -# Sends a webhook when an extraction queues, starts, finishes, and/or is deleted. -# Created to integrate with notifiarr.com. -# Also works natively with Discord.com, Telegram.org, and Slack.com webhooks. -# Can possibly be used with other services by providing a custom template_path. -###### Don't forget to uncomment [[webhook]] and url at a minimum !!!! -#[[webhook]] -# url = "https://notifiarr.com/api/v1/notification/unpackerr/api_key_from_notifiarr_com" -# name = "" # Set this to hide the URL in logs. -# silent = false # do not log success (less log spam) -# events = [0] # list of event ids to include, 0 == all. -## Advanced Optional Webhook Configuration -# nickname = "" # Used in Discord and Slack templates as bot name, in Telegram as chat_id. -# channel = "" # Also passed into templates. Used in Slack templates for destination channel. -# exclude = [] # list of apps to exclude, ie. 
["radarr", "lidarr"]
-# template_path = "" # Override internal webhook template for discord.com or other hooks.
-# template = "" # Override automatic template detection. Values: notifiarr, discord, telegram, gotify, pushover, slack
-# ignore_ssl = false # Set this to true to ignore the SSL certificate on the server.
-# timeout = "10s" # You can adjust how long to wait for a server response.
-# content_type = "application/json" # If your custom template uses another MIME type, set this.
- - #####################
-### Command Hooks ###
-#####################
-# Executes a script or command when an extraction queues, starts, finishes, and/or is deleted.
-# All data is passed in as environment variables. Try /usr/bin/env to see what variables are available.
-###### Don't forget to uncomment [[cmdhook]] and url at a minimum !!!!
-#[[cmdhook]]
-# command = '/my/cool/app' # Path to command or script.
-# shell = false # Runs the command inside /bin/sh ('nix) or cmd.exe (Windows).
-# name = "" # Provide an optional name for logging.
-# silent = false # Hides command output from logs.
-# events = [0] # list of event ids to include, 0 == all.
-## Optional Command Hook Configuration
-# exclude = [] # list of apps to exclude, ie. ["radarr", "lidarr"]
-# timeout = "10s" # You can adjust how long to wait for a server response.
diff --git a/modules/servers/qbittorrent.nix b/modules/servers/qbittorrent.nix
index 4b8f0e7..d9d144f 100644
--- a/modules/servers/qbittorrent.nix
+++ b/modules/servers/qbittorrent.nix
@@ -49,14 +49,7 @@ in
 };
 };
 config = lib.mkIf (config.my.servers.qbittorrent.enable && config.my.secureHost) {
- home-manager.users.jawz = {
- xdg = {
- dataFile.vuetorrent.source = vuetorrent;
- configFile."unpackerr.conf" = lib.mkIf config.my.servers.unpackerr.enable {
- source = ../../dotfiles/unpackerr.conf;
- };
- };
- };
+ home-manager.users.jawz.xdg.dataFile.vuetorrent.source = vuetorrent;
 sops.secrets =
 let
 mkQbitSecret = file: mode: {
@@ -66,19 +59,23 @@ in
 owner = config.users.users.jawz.name;
 path = "/home/jawz/.config/qBittorrent/ssl/${file}";
 };
+ mkUnpackerrSecret = {
+ sopsFile = ../../secrets/secrets.yaml;
+ owner = config.users.users.jawz.name;
+ };
 in
 {
 "certificates/qbit_cert" = mkQbitSecret "server.crt" "0644";
 "certificates/qbit_key" = mkQbitSecret "server.key" "0600";
+ "unpackerr/sonarr-api" = mkUnpackerrSecret;
+ "unpackerr/radarr-api" = mkUnpackerrSecret;
 };
 systemd = {
 packages = [ pkgs.qbittorrent-nox ];
- services = {
- "qbittorrent-nox@jawz" = {
- enable = true;
- overrideStrategy = "asDropin";
- wantedBy = [ "multi-user.target" ];
- };
+ services."qbittorrent-nox@jawz" = {
+ enable = true;
+ overrideStrategy = "asDropin";
+ wantedBy = [ "multi-user.target" ];
 };
 user = {
 services = {
@@ -93,7 +90,7 @@ in
 {
 Restart = "on-failure";
 RestartSec = 30;
- ExecStart = "${qbit_manageEnv}/bin/python ${env}/qbit_manage.py -r -c ${env}/config.yml";
+ ExecStart = "${qbit_manageEnv}/bin/python ${env}/qbit_manage.py -r -c ~/.config/qbit_manage/config.yml";
 };
 };
 unpackerr = lib.mkIf config.my.servers.unpackerr.enable {
@@ -101,12 +98,20 @@ in
 restartIfChanged = true;
 description = "Run unpackerr";
 wantedBy = [ "default.target" ];
+ environment = {
+ UN_FILE_MODE = "0664";
+ UN_DIR_MODE = "0775";
+ UN_SONARR_0_URL = config.my.servers.sonarr.local;
+ UN_SONARR_0_API_KEY = "filepath:${config.sops.secrets."unpackerr/sonarr-api".path}";
+ UN_SONARR_0_PATHS = "/srv/pool/multimedia/downloads/torrent";
+ UN_RADARR_0_URL = config.my.servers.radarr.local;
+ UN_RADARR_0_API_KEY = "filepath:${config.sops.secrets."unpackerr/radarr-api".path}";
+ UN_RADARR_0_PATHS = "/srv/pool/multimedia/downloads/torrent";
+ };
 serviceConfig = {
 Restart = "on-failure";
 RestartSec = 30;
- ExecStart = ''
- ${pkgs.unpackerr}/bin/unpackerr \
- -c /home/jawz/.config/unpackerr.conf'';
+ ExecStart = "${pkgs.unpackerr}/bin/unpackerr";
 };
 };
 };
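Review bot: `mkUnpackerrSecret` is a plain attribute set, yet its `mk` prefix and its placement right after `mkQbitSecret = file: mode: {` read as a function, so `"unpackerr/sonarr-api" = mkUnpackerrSecret;` looks like a partial application at first glance. Naming it for what it is, `unpackerrSecret = {`, or making it a function of the secret name like its sibling, keeps the two helpers consistent. No `mode` is set, so the sops-nix default applies; that is presumably fine for a file read only by the owner's user service, but worth confirming against how the qbit certificate secrets pin theirs. The enclosing `sops.secrets = let` starts in the previous hunk.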
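Review bot: systemd does not perform shell tilde expansion in `ExecStart`, so `~/.config/qbit_manage/config.yml` is handed to qbit_manage literally; unless qbit_manage expands `~` itself, the service will no longer find a config where the old `${env}/config.yml` path did. The home-directory specifier is what user units use for this: `ExecStart = "${qbit_manageEnv}/bin/python ${env}/qbit_manage.py -r -c %h/.config/qbit_manage/config.yml";`. The qbit_manage service definition this line belongs to starts before the hunk.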
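Review bot: `UN_SONARR_0_PATHS` and `UN_RADARR_0_PATHS` are given a single string, while the removed unpackerr.conf set `paths = ['/srv/pool/multimedia/downloads/torrent']`, a list; unpackerr's environment mapping of list-valued settings is indexed, so these likely need to be `UN_SONARR_0_PATHS_0` and `UN_RADARR_0_PATHS_0` — confirm against the documentation for the packaged unpackerr version. Moving the API keys to sops is the right fix, but the previous plaintext values remain in git history in the deleted dotfiles/unpackerr.conf, so the Sonarr and Radarr keys should be regenerated in each app and the new values encrypted into secrets/secrets.yaml; without that the move does not reduce exposure. A comment above `environment = {` such as `# all settings come from the environment; secrets are read through unpackerr's filepath: prefix from the sops-managed files` would explain why ExecStart lost its -c argument.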
diff --git a/modules/servers/stash.nix b/modules/servers/stash.nix
index ac4e804..979a771 100644
--- a/modules/servers/stash.nix
+++ b/modules/servers/stash.nix
@@ -7,9 +7,9 @@ in
 options.my.servers.stash = setup.mkOptions "stash" "xxx" 9999;
 config = lib.mkIf (cfg.enable && config.my.secureHost) {
 sops.secrets = {
- "stash/password".sopsFile = ../../secrets/env.yaml;
- "stash/jwt".sopsFile = ../../secrets/env.yaml;
- "stash/session".sopsFile = ../../secrets/env.yaml;
+ "stash/password".sopsFile = ../../secrets/secrets.yaml;
+ "stash/jwt".sopsFile = ../../secrets/secrets.yaml;
+ "stash/session".sopsFile = ../../secrets/secrets.yaml;
 };
 services.stash = {
 inherit (cfg) enable;
diff --git a/secrets/env.yaml b/secrets/env.yaml
index a7512ff..120911c 100644
--- a/secrets/env.yaml
+++ b/secrets/env.yaml
@@ -1,7 +1,3 @@
-stash:
- password: ENC[AES256_GCM,data:DVtKQmtOQA/jS3ZncbuPKMukJyo=,iv:FSLl4Qbq58X0WNjqz8LLOW6XpBQxE5W7L9yOTBQkBOA=,tag:Qun+5Vf193Qt8n+Yp9lBJg==,type:str]
- jwt: ENC[AES256_GCM,data:C1RcyQn3j5LaCSDGPjBAm6RYsqvVn1HIFxxBP4FNx7NVCroju4VEtkV98Ve0D6Z60L3mB1yOqi8OrEgXNJv+vw==,iv:t8pmLzXwg1g9kkiL98ql9YLaSitaXoJiiLiUf3G1cWk=,tag:D3mdFIe3m3219E4V8yhmpg==,type:str]
- session: ENC[AES256_GCM,data:ifUXaGIO7xKPgtTVEeERx0OyBDni2eoWo7dFxazQ4W2DBrnzQfJ7Plqt8EYLhQQRP4I6e33+oEKNzpuiG+XJCw==,iv:AOI0lMcTT02GpOCQuX74hPBKth3WdFN2W2wlqKgrKJM=,tag:1I+brf4G2oKE7o2E90q/CQ==,type:str]
 gitea: ENC[AES256_GCM,data:8o+U4qFdyIhCPNlYyflQIuLHsQHtbT6G/a0OyCUeg9DtIeABXNVFhiy4iFRuIF0=,iv:AYwqDRNML1XuzwQnD4VmI4rKWYfTJjOjibrAbI5qgcA=,tag:UPL3UlETdkoFXLihEIGcSw==,type:str]
 shiori: ENC[AES256_GCM,data:tV7+1GusZvcli8dM86xOD71dc2mzcyfQwMeTh//LDb0=,iv:ED9wR6QjQgwd9Ll/UC5FK3CyYK3b0RniC/D6Y0nGEOI=,tag:X/aopMc2vhnRW2iTphFflQ==,type:str]
 flame: ENC[AES256_GCM,data:XsYRsA2xs+juWje2Od2Yl2xIvU0OS8xMrtwtcK/0NyyRrg==,iv:FR8lHsNQNCaOy4P+7BsIjNCz+H38i5RlwLYQ4fpB2+w=,tag:61EV7H04pcr1bSX4nSvlpw==,type:str]
@@ -52,7 +48,7 @@ sops:
 QXRUYWtGcWZCVW11U3VYRktuUjlCbDgKsTK4WhUza/JuoDTU3uATa6fq/8eYzxtb
 9BUK1ddzx9Mghea9XBMS17YGtGmW800OsLBomb3SINnOFvejcnKf8Q==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-09-28T03:54:20Z"
- mac: ENC[AES256_GCM,data:nPA5SF8fw+x0t5O1aqR7bZk2dpSjf37KKWJ976vx+TjaxWDz8DQVBUNuQmy6d3uX0TT6ysmsA8S4VqjgyRKli1vdEXWXPyULyUwPv3jtR4/NS2hnFabglOn0BhjfNrcArUkdyaQBm02Y96u2XIa0LcCyPOpJauIl5SbSSHaULQs=,iv:Qh7p70oFZbp4mAzDX87hkbPW22S4SoTY/CDzJabQQ0M=,tag:2YGmN2E3y1dcqW5M8WDvUQ==,type:str]
+ lastmodified: "2025-10-02T19:58:54Z"
+ mac: ENC[AES256_GCM,data:xplk6z63m35V1IL/PpvnjNU1+bUrrplGg60SufnGV6307V520Ajo63dKkQ5yMuiGq/JQETc+sdm9GLQrmOflwhl92YwK2+/11MlMp0vMkC91mAJsobLUmNt3WXVml54CiCbvH+c8fH0T0pIaLGK3MxSRFX//hrfLjSCAvwQagsE=,iv:oE6g0WPM4Rf3YrdgkIdE8qWfiWQxbZ62Axa56ZQYWSA=,tag:QMaWvCD3sbHTv1NFctIBZA==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index d2d9ffe..d1437bc 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -7,11 +7,14 @@ resilio:
 user: ENC[AES256_GCM,data:31s2ihj2cN9C5Lyr2w==,iv:2MzKiRoDosawbeQ04LUKbfbSVFUUD6uUYynB6B0WNWw=,tag:GR0lXvLZAPof6WE3Verimg==,type:str]
 password: ENC[AES256_GCM,data:codFGm4O9QkI2+hbrVK3UqwFWETXyfl9y3Q5lY6UfnIRe/IqWG8Ibly1BUlh7OjKIepXm6m35e6QPioVSiUT5Ll1SIE=,iv:QWqKyKrvm2y2UM2Ir1COxjV0jgU8jTeu9ehnyeXTwCE=,tag:Xtr+r7EphaiLjGwK5gmsMQ==,type:str]
 kavita-token: ENC[AES256_GCM,data:kt3bTZNf4S7sKfbxzXc4Q+9yTPFTKzvEaR+mysBhhdnht+FuN9o9i9liqy2pKvB7WQmPnjQ/aYEYkcPSPg0NC5NwE7lNY7kUJtyHzYm2wkKqkkDIc/aI+dHhtX1SBF99ZpWEhmgnIA2HtCpYXUjkl4pUTKgNi0cn+bb1NULMY0zHyF2f7faOOKTWatQEuG1ZvBpiNIbPbsMznfdrWe9VEKrdtMg8IkK138Cn+EOSu0mCHdU=,iv:NCjegkB9/O6xq3fdWqhyVJy5YetqIpcDmD0yyBh3XXQ=,tag:IiqZY0mhqyUHJ61DRNHPlw==,type:str]
+stash:
+ password: ENC[AES256_GCM,data:ZYwrETIJ1K5RJePR9TvmPdVHpZY=,iv:nqIvm5MkSmZxgSLUpZC0Iq2QOp4lU9rh9wtE8FhO7a0=,tag:YIlj9iPGjDVewgtjq0tdag==,type:str]
+ jwt: ENC[AES256_GCM,data:qwv1UMpUPf/qYMtMpRikSCgpqtWphhM6+P+lg9FFxRwPIYXQDG/VIL4KNPwORFi9eMjSfDRhyh7kKHZFr9zs0w==,iv:bPo3oG7RIUjUlakOvI1FKnraB/jUTRWCDdP1eBHVdl8=,tag:S1WFJlxt0QeG5+pLHrprPg==,type:str]
+ session: ENC[AES256_GCM,data:R9WX7w05qb2tqh0oe2QSvzgkSgt7TxLw8yf7WQHmlavPXzTewO7M3MqDdmDPIirLhkcg13UjzlCZR6SFHd6ARg==,iv:qvtKJiady1fDlxH5LsfOtQ5gNhn2qr2DLtkRlglNwyw=,tag:iQQuwZyyzSzwIov1mSox6g==,type:str]
+unpackerr:
+ sonarr-api: ENC[AES256_GCM,data:74/aSs7Q2tcDh9hPGm88h2hIneOcJ+P9HaCqoeuL6FQ=,iv:1AOpCii7ED1EyOFNCzvgRp5tR2ic1U6oRi7yg0hUcLk=,tag:k1miUivDQPxRgBWhXi9f+w==,type:str]
+ radarr-api: ENC[AES256_GCM,data:bZiJNk/ewREIBss+z4daVwL1UyI4rt8GxVmC/bpTNvc=,iv:li2kMzOgdWtLLr4l244P082Z0jwDB2aEC6iRYt3o/HY=,tag:mi9SY/pT2qTIzR/ngp8bGg==,type:str]
 sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
 age:
 - recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37
 enc: |
@@ -49,8 +52,7 @@ sops:
 RmRyZldlMjUwMEdUUEpDS2JSa2tDTTAKp/pT+0cNnCuKVL+Z0fEMiw1PL9PB/nSM
 QWVTo0Mt8Y6X0Xt0EAi9G5AYxADZ/mmEWPxB7RFgVAiMKtor5Gy1zw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-06-29T21:27:25Z"
- mac: ENC[AES256_GCM,data:ZmUuxDXxfr6eJcjoC0F2A/JnU+/33jWXjCRWvkWZfduxFayF8bRZNOLgTzXeV//TGNEY38ba/VsTDqOiu0YWRFE7VaQd8xk9uKmzeCi8Djv2fI+TAwXUorrZJ2bUJQ/WCCm7hOQ2OEE1c7icr6YsPTtYC652Itm10FF4PrF+VpI=,iv:vKC/B0cfODXMZ1l2wA0iUaxwZgDwjKPVBekmc/6lSvU=,tag:tE3dmwDjtEEBTPtNM01JQA==,type:str]
- pgp: []
+ lastmodified: "2025-10-02T20:02:38Z"
+ mac: ENC[AES256_GCM,data:DnbkeF+evVTMhYTg3OU528cRQ+jBiUl7Q7JZxyGRL6USjB2OdIRxqnnCH8L36K2hSAIkKQ/kojyJs+8Pgkx5uD/qsCbGlNT9pSBU1qPdSBxqJsVPxHZmkuf/QxGtE4pgV/50xJMrVyzAetWPZuxcYVfWAPszxDZcR5XDuD+Yjk4=,iv:i2Vt6nv6etIgaaoxsbVlxEnIhIx4adOQZFeyGM/4Saw=,tag:jugPmHU78lap7Hy7RJd9pg==,type:str]
 unencrypted_suffix: _unencrypted
- version: 3.8.1
+ version: 3.10.2