services: disable built-in auth on *arr stack; update readme
Radarr, Sonarr, Prowlarr, and Bazarr now patch their auth setting to None on every service start — auth is handled by Authelia at the proxy. Also updates readme with missing services, settings files, and flake inputs added since the last readme refresh. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
parent
ad7a45d143
commit
5eeab405c0
5 changed files with 49 additions and 4 deletions
19
readme.md
19
readme.md
|
|
@ -30,26 +30,35 @@ Flake-based NixOS configuration for three machines, built and deployed directly
|
||||||
│ ├── FredOS-Macbook.nix # Broadcom WiFi, Intel GPU, Bluetooth, filesystems, bootloader, hostname
|
│ ├── FredOS-Macbook.nix # Broadcom WiFi, Intel GPU, Bluetooth, filesystems, bootloader, hostname
|
||||||
│ └── FredOS-Mediaserver.nix # Intel CPU, data disks, mergerfs pool, GRUB, hostname
|
│ └── FredOS-Mediaserver.nix # Intel CPU, data disks, mergerfs pool, GRUB, hostname
|
||||||
├── services
|
├── services
|
||||||
|
│ ├── adguard.nix # Network-wide DNS ad blocking
|
||||||
│ ├── arr-interconnect.nix # Cross-service API key wiring for *arr apps
|
│ ├── arr-interconnect.nix # Cross-service API key wiring for *arr apps
|
||||||
│ ├── authelia.nix # SSO/2FA gateway (protects homepage & camera)
|
│ ├── authelia.nix # SSO/2FA gateway (protects homepage & camera)
|
||||||
│ ├── bazarr.nix # Subtitle management
|
│ ├── bazarr.nix # Subtitle management
|
||||||
│ ├── cloudflare-ddns.nix # Cloudflare dynamic DNS
|
│ ├── cloudflare-ddns.nix # Cloudflare dynamic DNS
|
||||||
│ ├── fail2ban.nix # Intrusion prevention (SSH, nginx, Authelia, *arr, etc.)
|
│ ├── code-server.nix # Browser-based VS Code IDE
|
||||||
│ ├── game-servers.nix # Game server definitions
|
│ ├── crowdsec.nix # Intrusion prevention / bouncer
|
||||||
|
│ ├── dr-server.nix # Disaster recovery / backup service
|
||||||
|
│ ├── forgejo-runner.nix # CI/CD runner for Forgejo
|
||||||
|
│ ├── game-servers.nix # Dockerised game servers (7 Days to Die)
|
||||||
│ ├── go2rtc.nix # Camera/RTSP streaming
|
│ ├── go2rtc.nix # Camera/RTSP streaming
|
||||||
│ ├── homepage.nix # Homepage dashboard with auto-extracted API keys
|
│ ├── homepage.nix # Homepage dashboard with auto-extracted API keys
|
||||||
│ ├── jellyfin.nix # Media server
|
│ ├── jellyfin.nix # Media server
|
||||||
│ ├── nginx.nix # Reverse proxy + ACME wildcard cert via Cloudflare DNS-01
|
│ ├── nginx.nix # Reverse proxy + ACME wildcard cert via Cloudflare DNS-01
|
||||||
|
│ ├── profilarr.nix # Quality profile manager for *arr apps
|
||||||
│ ├── prowlarr.nix # Indexer manager
|
│ ├── prowlarr.nix # Indexer manager
|
||||||
│ ├── qbittorrent-nox.nix # Torrent client
|
│ ├── qbittorrent-nox.nix # Torrent client
|
||||||
│ ├── radarr.nix # Movie management
|
│ ├── radarr.nix # Movie management
|
||||||
|
│ ├── router.nix # Mediaserver as home router (NAT, DHCP, nftables)
|
||||||
|
│ ├── sabnzbd.nix # Usenet downloader
|
||||||
│ ├── server-permissions.nix # File/dir permission setup
|
│ ├── server-permissions.nix # File/dir permission setup
|
||||||
│ └── sonarr.nix # TV management
|
│ └── sonarr.nix # TV management
|
||||||
├── settings
|
├── settings
|
||||||
│ ├── audio.nix # PipeWire / audio config
|
│ ├── audio.nix # PipeWire / audio config
|
||||||
│ ├── gnome.nix # GNOME desktop settings
|
│ ├── gnome.nix # GNOME desktop settings
|
||||||
|
│ ├── hyprland.nix # Hyprland Wayland compositor config
|
||||||
│ ├── locale.nix # Locale, timezone, keyboard
|
│ ├── locale.nix # Locale, timezone, keyboard
|
||||||
│ ├── shell.nix # Fish shell, powerline prompt, fastfetch, nerd fonts
|
│ ├── shell.nix # Fish shell, powerline prompt, fastfetch, nerd fonts
|
||||||
|
│ ├── stylix.nix # Unified colour theming (wallpaper-derived palette)
|
||||||
│ └── users.nix # User accounts
|
│ └── users.nix # User accounts
|
||||||
├── walls # Wallpapers
|
├── walls # Wallpapers
|
||||||
├── common.nix # Shared config imported by all hosts
|
├── common.nix # Shared config imported by all hosts
|
||||||
|
|
@ -159,9 +168,13 @@ After this succeeds, the plain `update` alias works from then on.
|
||||||
| Input | Source |
|
| Input | Source |
|
||||||
|---|---|
|
|---|---|
|
||||||
| nixpkgs | `github:NixOS/nixpkgs/nixos-unstable` |
|
| nixpkgs | `github:NixOS/nixpkgs/nixos-unstable` |
|
||||||
| home-manager | `github:nix-community/home-manager` |
|
| nixpkgs-stable | `github:NixOS/nixpkgs/nixos-25.11` |
|
||||||
|
| home-manager-stable | `github:nix-community/home-manager/release-25.11` |
|
||||||
| zen-browser | `github:0xc000022070/zen-browser-flake` |
|
| zen-browser | `github:0xc000022070/zen-browser-flake` |
|
||||||
| nix-cachyos-kernel | `github:xddxdd/nix-cachyos-kernel/release` |
|
| nix-cachyos-kernel | `github:xddxdd/nix-cachyos-kernel/release` |
|
||||||
|
| proton-cachyos-nix | `github:powerofthe69/proton-cachyos-nix` |
|
||||||
|
| hyprland | `github:hyprwm/Hyprland` |
|
||||||
|
| stylix | `github:nix-community/stylix/release-25.11` |
|
||||||
|
|
||||||
## Mediaserver secrets
|
## Mediaserver secrets
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -12,6 +12,14 @@
|
||||||
group = "media";
|
group = "media";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Disable built-in auth — Authelia handles it at the reverse proxy
|
||||||
|
systemd.services.bazarr.preStart = lib.mkAfter ''
|
||||||
|
config_file="/var/lib/bazarr/config/config.ini"
|
||||||
|
if [ -f "$config_file" ]; then
|
||||||
|
sed -i 's/^type = .*/type = none/' "$config_file"
|
||||||
|
fi
|
||||||
|
'';
|
||||||
|
|
||||||
# Ensure subtitles written by bazarr are group-writable
|
# Ensure subtitles written by bazarr are group-writable
|
||||||
systemd.services.bazarr.serviceConfig.UMask = lib.mkForce "0002";
|
systemd.services.bazarr.serviceConfig.UMask = lib.mkForce "0002";
|
||||||
|
|
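Review bot: The sed expression in the added preStart, `s/^type = .*/type = none/`, is not scoped to a section, so it rewrites every line in config.ini that starts with `type = `, not only the one that selects the login method. If the file holds another `type` key (a proxy section is the likely candidate), that setting is overwritten on every service start. Restrict the substitution to the auth section, assuming it is named `[auth]`: `sed -i '/^\[auth\]/,/^\[/ s/^type = .*/type = none/' "$config_file"`. Also confirm that the installed Bazarr still reads config.ini; if it keeps its settings in another file, the `-f` guard turns this block into a silent no-op and built-in auth stays as it was.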
||||||
|
|
|
||||||
|
|
@ -3,7 +3,15 @@
|
||||||
{
|
{
|
||||||
config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
|
config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
|
||||||
|
|
||||||
# Sonarr
|
# Disable built-in auth — Authelia handles it at the reverse proxy
|
||||||
|
systemd.services.prowlarr.preStart = lib.mkAfter ''
|
||||||
|
config_file="/var/lib/prowlarr/config.xml"
|
||||||
|
if [ -f "$config_file" ]; then
|
||||||
|
sed -i 's|<AuthenticationMethod>.*</AuthenticationMethod>|<AuthenticationMethod>None</AuthenticationMethod>|' "$config_file"
|
||||||
|
fi
|
||||||
|
'';
|
||||||
|
|
||||||
|
# Prowlarr
|
||||||
services.prowlarr = {
|
services.prowlarr = {
|
||||||
enable = true;
|
enable = true;
|
||||||
openFirewall = true;
|
openFirewall = true;
|
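Review bot: `openFirewall = true` stays in place just below the added preStart, so with `AuthenticationMethod` forced to `None` the Prowlarr port answers without any login to every host that can reach it directly; Authelia only covers requests that pass through nginx. Prowlarr is the indexer manager and its API key is wired into the other apps, so the proxy should be the only path in: set `openFirewall = false;` here or bind the service to loopback. The same applies to the bazarr, radarr and sonarr sections of this commit if their modules also open the port; those settings are outside the visible hunks. The `services.prowlarr` block continues past the end of this hunk.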
||||||
|
|
|
||||||
|
|
@ -12,6 +12,14 @@
|
||||||
group = "media";
|
group = "media";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Disable built-in auth — Authelia handles it at the reverse proxy
|
||||||
|
systemd.services.radarr.preStart = lib.mkAfter ''
|
||||||
|
config_file="/var/lib/radarr/config.xml"
|
||||||
|
if [ -f "$config_file" ]; then
|
||||||
|
sed -i 's|<AuthenticationMethod>.*</AuthenticationMethod>|<AuthenticationMethod>None</AuthenticationMethod>|' "$config_file"
|
||||||
|
fi
|
||||||
|
'';
|
||||||
|
|
||||||
# Ensure files created by radarr are group-writable
|
# Ensure files created by radarr are group-writable
|
||||||
systemd.services.radarr.serviceConfig.UMask = lib.mkForce "0002";
|
systemd.services.radarr.serviceConfig.UMask = lib.mkForce "0002";
|
||||||
|
|
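Review bot: The substitution on `AuthenticationMethod` only changes an element that already exists, and only when config.xml is present, so on a first start or with a config that lacks the element the block does nothing and reports nothing. The value also deserves a check against the installed release: the Servarr documentation describes `External` as the setting for authentication handled by a reverse proxy, and newer releases may not accept `None`. I would add a check after the sed, inside the `if`, so a no-op shows up in the journal: `grep -q '<AuthenticationMethod>' "$config_file" || echo "radarr: AuthenticationMethod not found, auth unchanged" >&2`. The prowlarr and sonarr sections use the same expression and need the same check.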
||||||
|
|
|
||||||
|
|
@ -12,6 +12,14 @@
|
||||||
group = "media";
|
group = "media";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Disable built-in auth — Authelia handles it at the reverse proxy
|
||||||
|
systemd.services.sonarr.preStart = lib.mkAfter ''
|
||||||
|
config_file="/var/lib/sonarr/config.xml"
|
||||||
|
if [ -f "$config_file" ]; then
|
||||||
|
sed -i 's|<AuthenticationMethod>.*</AuthenticationMethod>|<AuthenticationMethod>None</AuthenticationMethod>|' "$config_file"
|
||||||
|
fi
|
||||||
|
'';
|
||||||
|
|
||||||
# Ensure files created by sonarr are group-writable
|
# Ensure files created by sonarr are group-writable
|
||||||
systemd.services.sonarr.serviceConfig.UMask = lib.mkForce "0002";
|
systemd.services.sonarr.serviceConfig.UMask = lib.mkForce "0002";
|
||||||
|
|
||||||
|
|
|
||||||