diff --git a/nixos/services/arr.nix b/nixos/services/arr.nix index 833614f..e4c344e 100644 --- a/nixos/services/arr.nix +++ b/nixos/services/arr.nix @@ -1,20 +1,20 @@ -{config, lib, user, ...}: let +{ + config, + lib, + user, + ... +}: let inherit (config) sops; inherit (sops) templates placeholder; in { - nixpkgs.config.permittedInsecurePackages = [ - "aspnetcore-runtime-6.0.36" - "aspnetcore-runtime-wrapped-6.0.36" - "dotnet-sdk-6.0.428" - "dotnet-sdk-wrapped-6.0.428" - ]; users.users.${user}.extraGroups = ["media"]; users.groups.media = { gid = 979; }; - services.jackett = { + services.prowlarr = { enable = true; }; + services.flaresolverr.enable = true; services.lidarr = { enable = true; group = "media"; @@ -27,21 +27,13 @@ in { enable = true; group = "media"; }; + services.bazarr = { + enable = true; + group = "media"; + }; services.jellyseerr.enable = true; - sops.secrets.sonarr-sslkey = { - sopsFile = ../../certs/alpine.prawn-justice.ts.net.key; - format = "binary"; - owner = "nginx"; - }; - # this was fun to figure out, but pointless atm. - services.nginx.virtualHosts."alpine.prawn-justice.ts.net" = { - forceSSL = true; - sslCertificateKey = config.sops.secrets.sonarr-sslkey.path; - sslCertificate = ../../certs/alpine.prawn-justice.ts.net.crt; - }; # probably easier if i just put this in a nixos-container virtualisation.oci-containers.containers.transmission = { - autoStart = false; image = "docker.io/haugene/transmission-openvpn:5.3.2"; ports = ["9091:9091"]; volumes = [ @@ -49,7 +41,7 @@ in { "/home/tristan/pods/transmission/config:/config" "/mnt/storage/media/unsorted:/data/completed" ]; - environmentFiles = [ templates."transmission/env".path ]; + environmentFiles = [templates."transmission/env".path]; environment = { PUID = "1000"; PGID = toString config.users.groups.media.gid; 
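Review bot: `services.flaresolverr.enable = true;` in the first hunk starts a service whose HTTP API, as far as I know, has no authentication and fetches URLs for whoever can reach it, and the line leaves its network exposure entirely to module defaults. Only Prowlarr on the same host should need it, so I would record that intent beside it, e.g. `services.flaresolverr.openFirewall = false; # local-only: used by prowlarr via localhost`, and confirm which address the service binds to. The same applies to the bare `services.prowlarr = { enable = true; };` block, which replaces jackett without saying how the UI is meant to be reached. The attribute set opened by `in {` continues outside this hunk.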
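Review bot: Removing `autoStart = false` in the second hunk makes the transmission container start at boot (the oci-containers default), while the unchanged `ports = ["9091:9091"];` publishes its web UI on every host interface. Depending on the container backend, published ports can bypass the NixOS firewall, so I would bind it explicitly with `ports = ["127.0.0.1:9091:9091"];` unless remote access is intended. The hunk also removes the only `forceSSL` virtual host, so it is worth confirming that nothing in this stack is now served over plain HTTP beyond localhost or the tailnet. The container definition continues outside the hunk.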
@@ -79,4 +71,43 @@ in { OPENVPN_PASSWORD=${placeholder."transmission/auth/OPENVPN_PASSWORD"} ''; }; + + sops.secrets."sonarr/api_key" = {}; + sops.secrets."radarr/api_key" = {}; + sops.secrets."prowlarr/api_key" = {}; + services.prometheus.exporters.exportarr-sonarr = { + enable = true; + url = "http://localhost:${toString config.services.sonarr.settings.server.port}/sonarr"; + port = 9708; + apiKeyFile = config.sops.secrets."sonarr/api_key".path; + }; + services.prometheus.exporters.exportarr-radarr = { + enable = true; + url = "http://localhost:${toString config.services.radarr.settings.server.port}"; + port = 9709; + apiKeyFile = config.sops.secrets."radarr/api_key".path; + }; + services.prometheus.exporters.exportarr-prowlarr = { + enable = true; + url = "http://localhost:${toString config.services.prowlarr.settings.server.port}"; + port = 9710; + apiKeyFile = config.sops.secrets."prowlarr/api_key".path; + }; + services.prometheus = { + enable = true; + scrapeConfigs = [ + { + job_name = "exportarr"; + static_configs = [ + { + targets = [ + "localhost:${toString config.services.prometheus.exporters.exportarr-radarr.port}" + "localhost:${toString config.services.prometheus.exporters.exportarr-sonarr.port}" + "localhost:${toString config.services.prometheus.exporters.exportarr-prowlarr.port}" + ]; + } + ]; + } + ]; + }; } diff --git a/nixos/services/prometheus.nix b/nixos/services/prometheus.nix index 8581e70..bae5c9f 100644 --- a/nixos/services/prometheus.nix +++ b/nixos/services/prometheus.nix 
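Review bot: The three exportarr blocks (ports 9708–9710) do not set `listenAddress`, so they take the NixOS exporter default, which I believe is `0.0.0.0`, even though Prometheus only scrapes them through `localhost`. Adding `listenAddress = "127.0.0.1";` to each block keeps the library and indexer metrics off the network even if a firewall rule changes later. The `sops.secrets."sonarr/api_key" = {};` style declarations rely on sops-nix defaults for owner and mode; a comment such as `# root-owned; read by the exporter unit via apiKeyFile` would record that this is intended, after checking the unit can actually read the file. The sonarr `url` ends in `/sonarr` while radarr and prowlarr have no suffix; if that reflects a configured URL base, a one-line comment saying so would prevent a "fix" later.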
@@ -29,28 +29,34 @@ in { ]; rules = [ (builtins.toJSON { - groups = [{ - name = "node"; - rules = [ - { - alert = "io error"; - expr = ''node_filesystem_device_error{device_error!="permission denied"} > 0''; - } - { - alert = "disk full"; - expr = ''node_filesystem_avail_bytes{fstype=~"ext4|btrfs"} < ${toString (50 * 1024 * 1024 * 1024)}''; - } - ]; - }]; + groups = [ + { + name = "node"; + rules = [ + { + alert = "io error"; + expr = ''node_filesystem_device_error{device_error!="permission denied"} > 0''; + } + { + alert = "disk full"; + expr = ''node_filesystem_avail_bytes{fstype=~"ext4|btrfs"} < ${toString (50 * 1024 * 1024 * 1024)}''; + } + ]; + } + ]; }) ]; - alertmanagers = [ { - static_configs = [ { - targets = [ - "localhost:9093" + alertmanagers = [ + { + static_configs = [ + { + targets = [ + "localhost:9093" + ]; + } ]; - } ]; - } ]; + } + ]; exporters = { postgres = { enable = true; 
@@ -58,39 +64,35 @@ in { }; }; alertmanager = { - enable = true; + enable = false; configuration = { - receivers = [{ - name = "ntfy"; - webhook_configs = [{ - url = "http://localhost${config.services.ntfy-sh.settings.listen-http}/alert/trigger"; - }]; - }]; route = { - receiver = "ntfy"; - # routes = [{ - # matchers = [ - # ''node_filesystem_device_error != 0'' - # ]; - # }]; + receiver = "alertmanager-ntfy"; + routes = [{ + matchers = [ + ''node_filesystem_device_error != 0'' + ]; + }]; + }; + }; + }; + alertmanager-ntfy = { + enable = false; + settings = { + ntfy = { + baseurl = "https://up.tristans.cloud"; + notification = { + topic = "alert"; + }; }; }; }; - # alertmanager-ntfy = { - # enable = true; - # settings = { - # ntfy = { - # baseurl = "https://up.tristans.cloud"; - # notification = { - # topic = "alert"; - # }; - # }; - # }; - # }; }; - services.grafana.provision.datasources.settings.datasources = [{ - name = "Prometheus"; - type = "prometheus"; - url = "http://localhost:${toString prometheus.port}"; - }]; + services.grafana.provision.datasources.settings.datasources = [ + { + name = "Prometheus"; + type = "prometheus"; + url = "http://localhost:${toString prometheus.port}"; + } + ]; } diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index 7ef2c52..8af60d8 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml 
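Review bot: With `alertmanager.enable = false` and the `receivers` list removed, the "io error" and "disk full" rules have no delivery path: the `alertmanagers` target `localhost:9093` from the previous hunk stays configured, but nothing will listen there, so firing alerts are dropped silently. The new `route.receiver = "alertmanager-ntfy"` also names a receiver the configuration no longer defines, so re-enabling Alertmanager as written should fail its config check; it needs something like `receivers = [{ name = "alertmanager-ntfy"; webhook_configs = [{ url = "<alertmanager-ntfy hook URL>"; }]; }];`. The matcher `node_filesystem_device_error != 0` is parsed by Alertmanager as a label match rather than a metric expression, so it probably should match on `alertname` instead. If `https://up.tristans.cloud` is reachable from outside, the `alert` topic should require authentication, since alert text tends to reveal host and disk details. The enclosing `services.prometheus` block starts outside this hunk.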
@@ -33,11 +33,13 @@ transmission: OPENVPN_USERNAME: ENC[AES256_GCM,data:RQ+hGLE6YEgN/aaa2TLpkg==,iv:oG794WxGe0t1ZI0PyC45ZgCPA0Ar2m/dSVDdMYBKJvY=,tag:CGnEu8ds0s4aH4ImCrNWNQ==,type:str] OPENVPN_PASSWORD: ENC[AES256_GCM,data:Jw==,iv:uGAaXFWfpSaeqY7yC9cR9iqblH3E3hudnrnIlOvdRCg=,tag:P1XJ2SBY82z9YZP9J/n5SA==,type:str] namecheap: ENC[AES256_GCM,data:PTEQK8+G1FfmvRk9IxrAZjCAhiKdV0AA+JxaJRZvbHU=,iv:xTrJzPooM0xzs9xgkNGWKRzRHeIIhMGa8EYW2/41ZvA=,tag:KHdLKuip439QNeAiBwreqg==,type:str] +sonarr: + api_key: ENC[AES256_GCM,data:mBq+ndbhDtErh/sytTybutes7btHMIkg6wT9C7t4M9I=,iv:JicYavIQJpnmYbFpO+AVOTwrp2DeOB5xWBROwSYNF4Y=,tag:xmlaKpdn8A9s/HpdsBR+0g==,type:str] +radarr: + api_key: ENC[AES256_GCM,data:iHDX/wLjde/6dj6+ORJaAnFCzXn82DXUWy3yh6fkmiQ=,iv:NcgRPa6Cy9tKLKYJ4OGr2cdW5smvpHbiXtBYJlEqOfw=,tag:BJ1YeMLXrhuDrZKsB5Z4YQ==,type:str] +prowlarr: + api_key: ENC[AES256_GCM,data:p1KRHilxv8qSy8NEKQlBy8ppXDxmQDeZXAzRYyc7psA=,iv:HyK3YEKLvE01fLCkxR89G96uViAegIPi7Xb43mFeWlQ=,tag:B8pNOT9+2rPUqVL+rTDRHg==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age106vffwu4y8cx90y0rtzajgpafl8jq7ty5hf6pur2gjsuq3g2lf5qjmdq0q enc: | 
@@ -48,8 +50,7 @@ sops: S3ZwcHhkdEEvY0pINDloand5S0NycHcKEpIt5EeIKhLQK7f74sWVN/x5gzh/Jq7x UUN5QtysRbWVGnWRxdNB8LIMjDJY9jRojycdQfSNebaz5ZLjEp8dZQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-18T02:00:29Z" - mac: ENC[AES256_GCM,data:x3J0tRfNynM2qlB4YUUAUMYI/94opN1kJ1j0kOyeZ1GZHx+EA4dQZif4nPQOERo+5xRt8C4YXVDZEnCjD1TpQE6LYik0n0iY+84sY5fSr2SYiXzq2P72Tk7BzBklI9/zjndeJLJbydTJDMzOCvdEWIfHYZsHODnKXBO9pYwjAqU=,iv:z+QD93t72S2w0CqMV5sQk9oK9LMnQAxyaiExmqEcSp0=,tag:dbtyHUQ+n2EQvHEkQa7zrw==,type:str] - pgp: [] + lastmodified: "2025-08-19T18:47:49Z" + mac: ENC[AES256_GCM,data:xgsPA3TDBZ4C6aQVYoamOz2fi2iEaiUtT2eOFUnldBB4Wt+YNM4b4RVavXnlND1vOat9FtRzjmvI1rlkxoPV95tZz4B4QDfH/LUBWCwiOnZdLwrd4W0VWJLSxcX/hAmZ7qnGMpA7/G/0d45A2y0yMHJ3KGfqTsCikE/MPwrQbkg=,iv:1GEIIYygolYOGfS2LG1CmZCnacLaeOfBw+TGeh713DQ=,tag:E7mrU7xK2Zppq9QCwKdveQ==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.10.2