properly set unpackerr and stash secrets

modules/servers/qbittorrent.nix

@@ -49,14 +49,7 @@ in
     };
   };
   config = lib.mkIf (config.my.servers.qbittorrent.enable && config.my.secureHost) {
-    home-manager.users.jawz = {
-      xdg = {
-        dataFile.vuetorrent.source = vuetorrent;
-        configFile."unpackerr.conf" = lib.mkIf config.my.servers.unpackerr.enable {
-          source = ../../dotfiles/unpackerr.conf;
-        };
-      };
-    };
+    home-manager.users.jawz.xdg.dataFile.vuetorrent.source = vuetorrent;
     sops.secrets =
       let
         mkQbitSecret = file: mode: {
@@ -66,19 +59,23 @@ in
           owner = config.users.users.jawz.name;
           path = "/home/jawz/.config/qBittorrent/ssl/${file}";
         };
+        mkUnpackerrSecret = {
+          sopsFile = ../../secrets/secrets.yaml;
+          owner = config.users.users.jawz.name;
+        };
       in
       {
         "certificates/qbit_cert" = mkQbitSecret "server.crt" "0644";
         "certificates/qbit_key" = mkQbitSecret "server.key" "0600";
+        "unpackerr/sonarr-api" = mkUnpackerrSecret;
+        "unpackerr/radarr-api" = mkUnpackerrSecret;
       };
     systemd = {
       packages = [ pkgs.qbittorrent-nox ];
-      services = {
-        "qbittorrent-nox@jawz" = {
-          enable = true;
-          overrideStrategy = "asDropin";
-          wantedBy = [ "multi-user.target" ];
-        };
+      services."qbittorrent-nox@jawz" = {
+        enable = true;
+        overrideStrategy = "asDropin";
+        wantedBy = [ "multi-user.target" ];
       };
       user = {
         services = {
@@ -93,7 +90,7 @@ in
               {
                 Restart = "on-failure";
                 RestartSec = 30;
-                ExecStart = "${qbit_manageEnv}/bin/python ${env}/qbit_manage.py -r -c ${env}/config.yml";
+                ExecStart = "${qbit_manageEnv}/bin/python ${env}/qbit_manage.py -r -c ~/.config/qbit_manage/config.yml";
               };
           };
           unpackerr = lib.mkIf config.my.servers.unpackerr.enable {
@@ -101,12 +98,20 @@ in
             restartIfChanged = true;
             description = "Run unpackerr";
             wantedBy = [ "default.target" ];
+            environment = {
+              UN_FILE_MODE = "0664";
+              UN_DIR_MODE = "0775";
+              UN_SONARR_0_URL = config.my.servers.sonarr.local;
+              UN_SONARR_0_API_KEY = "filepath:${config.sops.secrets."unpackerr/sonarr-api".path}";
+              UN_SONARR_0_PATHS = "/srv/pool/multimedia/downloads/torrent";
+              UN_RADARR_0_URL = config.my.servers.radarr.local;
+              UN_RADARR_0_API_KEY = "filepath:${config.sops.secrets."unpackerr/radarr-api".path}";
+              UN_RADARR_0_PATHS = "/srv/pool/multimedia/downloads/torrent";
+            };
             serviceConfig = {
               Restart = "on-failure";
               RestartSec = 30;
-              ExecStart = ''
-                ${pkgs.unpackerr}/bin/unpackerr \
-                -c /home/jawz/.config/unpackerr.conf'';
+              ExecStart = "${pkgs.unpackerr}/bin/unpackerr";
             };
           };
         };

modules/servers/stash.nix

@@ -7,9 +7,9 @@ in
   options.my.servers.stash = setup.mkOptions "stash" "xxx" 9999;
   config = lib.mkIf (cfg.enable && config.my.secureHost) {
     sops.secrets = {
-      "stash/password".sopsFile = ../../secrets/env.yaml;
-      "stash/jwt".sopsFile = ../../secrets/env.yaml;
-      "stash/session".sopsFile = ../../secrets/env.yaml;
+      "stash/password".sopsFile = ../../secrets/secrets.yaml;
+      "stash/jwt".sopsFile = ../../secrets/secrets.yaml;
+      "stash/session".sopsFile = ../../secrets/secrets.yaml;
     };
     services.stash = {
       inherit (cfg) enable;