services: disable built-in auth on *arr stack; update readme
Radarr, Sonarr, Prowlarr, and Bazarr now patch their auth setting to None on every service start — auth is handled by Authelia at the proxy. Also updates readme with missing services, settings files, and flake inputs added since the last readme refresh. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
parent
ad7a45d143
commit
5eeab405c0
5 changed files with 49 additions and 4 deletions
19
readme.md
19
readme.md
|
|
@ -30,26 +30,35 @@ Flake-based NixOS configuration for three machines, built and deployed directly
|
|||
│ ├── FredOS-Macbook.nix # Broadcom WiFi, Intel GPU, Bluetooth, filesystems, bootloader, hostname
|
||||
│ └── FredOS-Mediaserver.nix # Intel CPU, data disks, mergerfs pool, GRUB, hostname
|
||||
├── services
|
||||
│ ├── adguard.nix # Network-wide DNS ad blocking
|
||||
│ ├── arr-interconnect.nix # Cross-service API key wiring for *arr apps
|
||||
│ ├── authelia.nix # SSO/2FA gateway (protects homepage & camera)
|
||||
│ ├── bazarr.nix # Subtitle management
|
||||
│ ├── cloudflare-ddns.nix # Cloudflare dynamic DNS
|
||||
│ ├── fail2ban.nix # Intrusion prevention (SSH, nginx, Authelia, *arr, etc.)
|
||||
│ ├── game-servers.nix # Game server definitions
|
||||
│ ├── code-server.nix # Browser-based VS Code IDE
|
||||
│ ├── crowdsec.nix # Intrusion prevention / bouncer
|
||||
│ ├── dr-server.nix # Disaster recovery / backup service
|
||||
│ ├── forgejo-runner.nix # CI/CD runner for Forgejo
|
||||
│ ├── game-servers.nix # Dockerised game servers (7 Days to Die)
|
||||
│ ├── go2rtc.nix # Camera/RTSP streaming
|
||||
│ ├── homepage.nix # Homepage dashboard with auto-extracted API keys
|
||||
│ ├── jellyfin.nix # Media server
|
||||
│ ├── nginx.nix # Reverse proxy + ACME wildcard cert via Cloudflare DNS-01
|
||||
│ ├── profilarr.nix # Quality profile manager for *arr apps
|
||||
│ ├── prowlarr.nix # Indexer manager
|
||||
│ ├── qbittorrent-nox.nix # Torrent client
|
||||
│ ├── radarr.nix # Movie management
|
||||
│ ├── router.nix # Mediaserver as home router (NAT, DHCP, nftables)
|
||||
│ ├── sabnzbd.nix # Usenet downloader
|
||||
│ ├── server-permissions.nix # File/dir permission setup
|
||||
│ └── sonarr.nix # TV management
|
||||
├── settings
|
||||
│ ├── audio.nix # PipeWire / audio config
|
||||
│ ├── gnome.nix # GNOME desktop settings
|
||||
│ ├── hyprland.nix # Hyprland Wayland compositor config
|
||||
│ ├── locale.nix # Locale, timezone, keyboard
|
||||
│ ├── shell.nix # Fish shell, powerline prompt, fastfetch, nerd fonts
|
||||
│ ├── stylix.nix # Unified colour theming (wallpaper-derived palette)
|
||||
│ └── users.nix # User accounts
|
||||
├── walls # Wallpapers
|
||||
├── common.nix # Shared config imported by all hosts
|
||||
|
|
@ -159,9 +168,13 @@ After this succeeds, the plain `update` alias works from then on.
|
|||
| Input | Source |
|
||||
|---|---|
|
||||
| nixpkgs | `github:NixOS/nixpkgs/nixos-unstable` |
|
||||
| home-manager | `github:nix-community/home-manager` |
|
||||
| nixpkgs-stable | `github:NixOS/nixpkgs/nixos-25.11` |
|
||||
| home-manager-stable | `github:nix-community/home-manager/release-25.11` |
|
||||
| zen-browser | `github:0xc000022070/zen-browser-flake` |
|
||||
| nix-cachyos-kernel | `github:xddxdd/nix-cachyos-kernel/release` |
|
||||
| proton-cachyos-nix | `github:powerofthe69/proton-cachyos-nix` |
|
||||
| hyprland | `github:hyprwm/Hyprland` |
|
||||
| stylix | `github:nix-community/stylix/release-25.11` |
|
||||
|
||||
## Mediaserver secrets
|
||||
|
||||
|
|
|
|||
|
|
@ -12,6 +12,14 @@
|
|||
group = "media";
|
||||
};
|
||||
|
||||
# Disable built-in auth — Authelia handles it at the reverse proxy
|
||||
systemd.services.bazarr.preStart = lib.mkAfter ''
|
||||
config_file="/var/lib/bazarr/config/config.ini"
|
||||
if [ -f "$config_file" ]; then
|
||||
sed -i 's/^type = .*/type = none/' "$config_file"
|
||||
fi
|
||||
'';
|
||||
|
||||
# Ensure subtitles written by bazarr are group-writable
|
||||
systemd.services.bazarr.serviceConfig.UMask = lib.mkForce "0002";
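Review bot: The sed expression `s/^type = .*/type = none/` in the bazarr preStart is not scoped to the auth section, so it rewrites every line in config.ini that starts with `type = `. Bazarr's ini also keeps a `type` key under `[proxy]`, as far as I recall, and that value would be overwritten on every service start. Restricting the substitution to the section keeps the patch to the one setting: `sed -i '/^\[auth\]/,/^\[/ s/^type = .*/type = none/' "$config_file"`. Newer Bazarr releases appear to store settings in a YAML file rather than config.ini, in which case the `-f` test silently skips the patch, so it is worth confirming which file the packaged version actually reads.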
|
||||
|
||||
|
|
|
|||
|
|
@ -3,7 +3,15 @@
|
|||
{
|
||||
config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
|
||||
|
||||
# Sonarr
|
||||
# Disable built-in auth — Authelia handles it at the reverse proxy
|
||||
systemd.services.prowlarr.preStart = lib.mkAfter ''
|
||||
config_file="/var/lib/prowlarr/config.xml"
|
||||
if [ -f "$config_file" ]; then
|
||||
sed -i 's|<AuthenticationMethod>.*</AuthenticationMethod>|<AuthenticationMethod>None</AuthenticationMethod>|' "$config_file"
|
||||
fi
|
||||
'';
|
||||
|
||||
# Prowlarr
|
||||
services.prowlarr = {
|
||||
enable = true;
|
||||
openFirewall = true;
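Review bot: `openFirewall = true;` stays set in `services.prowlarr` while this change sets `AuthenticationMethod` to None, so the Prowlarr port is open on the host firewall and a client that connects to it directly never passes through Authelia. With built-in auth off, the proxy has to be the only path in: set `openFirewall = false;` and, if the proxy runs on the same host, have the service listen on loopback only. The radarr, sonarr and bazarr sections get the same auth change; their firewall and bind settings are outside the visible hunks and need the same check. The `services.prowlarr` block continues past the end of this hunk.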
|
||||
|
|
|
|||
|
|
@ -12,6 +12,14 @@
|
|||
group = "media";
|
||||
};
|
||||
|
||||
# Disable built-in auth — Authelia handles it at the reverse proxy
|
||||
systemd.services.radarr.preStart = lib.mkAfter ''
|
||||
config_file="/var/lib/radarr/config.xml"
|
||||
if [ -f "$config_file" ]; then
|
||||
sed -i 's|<AuthenticationMethod>.*</AuthenticationMethod>|<AuthenticationMethod>None</AuthenticationMethod>|' "$config_file"
|
||||
fi
|
||||
'';
|
||||
|
||||
# Ensure files created by radarr are group-writable
|
||||
systemd.services.radarr.serviceConfig.UMask = lib.mkForce "0002";
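Review bot: The value written here, `<AuthenticationMethod>None</AuthenticationMethod>`, is one that recent Radarr, Sonarr and Prowlarr releases no longer accept, as far as I know; they expect `External` when a reverse proxy does the authentication, and otherwise ask for credentials to be set up again in the UI. If the packaged versions behave that way, the substitution in the radarr, sonarr and prowlarr preStart scripts should write `<AuthenticationMethod>External</AuthenticationMethod>` instead. The sed also does nothing when the element is missing or config.xml does not exist yet (first start), so the effective setting should be verified after deployment rather than assumed. A comment next to the script stating that the service must only be reachable through the Authelia-protected vhost would record the assumption this change depends on.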
|
||||
|
||||
|
|
|
|||
|
|
@ -12,6 +12,14 @@
|
|||
group = "media";
|
||||
};
|
||||
|
||||
# Disable built-in auth — Authelia handles it at the reverse proxy
|
||||
systemd.services.sonarr.preStart = lib.mkAfter ''
|
||||
config_file="/var/lib/sonarr/config.xml"
|
||||
if [ -f "$config_file" ]; then
|
||||
sed -i 's|<AuthenticationMethod>.*</AuthenticationMethod>|<AuthenticationMethod>None</AuthenticationMethod>|' "$config_file"
|
||||
fi
|
||||
'';
|
||||
|
||||
# Ensure files created by sonarr are group-writable
|
||||
systemd.services.sonarr.serviceConfig.UMask = lib.mkForce "0002";
|
||||
|
||||
|
|
|
|||