services: disable built-in auth on *arr stack; update readme

Radarr, Sonarr, Prowlarr, and Bazarr now patch their auth setting to
None on every service start — auth is handled by Authelia at the proxy.

Also updates readme with missing services, settings files, and flake
inputs added since the last readme refresh.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
rope 2026-05-16 12:27:19 +01:00
parent ad7a45d143
commit 5eeab405c0
5 changed files with 49 additions and 4 deletions


@ -30,26 +30,35 @@ Flake-based NixOS configuration for three machines, built and deployed directly
│ ├── FredOS-Macbook.nix # Broadcom WiFi, Intel GPU, Bluetooth, filesystems, bootloader, hostname
│ └── FredOS-Mediaserver.nix # Intel CPU, data disks, mergerfs pool, GRUB, hostname
├── services
│ ├── adguard.nix # Network-wide DNS ad blocking
│ ├── arr-interconnect.nix # Cross-service API key wiring for *arr apps
│ ├── authelia.nix # SSO/2FA gateway (protects homepage & camera)
│ ├── bazarr.nix # Subtitle management
│ ├── cloudflare-ddns.nix # Cloudflare dynamic DNS
│ ├── fail2ban.nix # Intrusion prevention (SSH, nginx, Authelia, *arr, etc.)
│ ├── game-servers.nix # Game server definitions
│ ├── code-server.nix # Browser-based VS Code IDE
│ ├── crowdsec.nix # Intrusion prevention / bouncer
│ ├── dr-server.nix # Disaster recovery / backup service
│ ├── forgejo-runner.nix # CI/CD runner for Forgejo
│ ├── game-servers.nix # Dockerised game servers (7 Days to Die)
│ ├── go2rtc.nix # Camera/RTSP streaming
│ ├── homepage.nix # Homepage dashboard with auto-extracted API keys
│ ├── jellyfin.nix # Media server
│ ├── nginx.nix # Reverse proxy + ACME wildcard cert via Cloudflare DNS-01
│ ├── profilarr.nix # Quality profile manager for *arr apps
│ ├── prowlarr.nix # Indexer manager
│ ├── qbittorrent-nox.nix # Torrent client
│ ├── radarr.nix # Movie management
│ ├── router.nix # Mediaserver as home router (NAT, DHCP, nftables)
│ ├── sabnzbd.nix # Usenet downloader
│ ├── server-permissions.nix # File/dir permission setup
│ └── sonarr.nix # TV management
├── settings
│ ├── audio.nix # PipeWire / audio config
│ ├── gnome.nix # GNOME desktop settings
│ ├── hyprland.nix # Hyprland Wayland compositor config
│ ├── locale.nix # Locale, timezone, keyboard
│ ├── shell.nix # Fish shell, powerline prompt, fastfetch, nerd fonts
│ ├── stylix.nix # Unified colour theming (wallpaper-derived palette)
│ └── users.nix # User accounts
├── walls # Wallpapers
├── common.nix # Shared config imported by all hosts
@ -159,9 +168,13 @@ After this succeeds, the plain `update` alias works from then on.
| Input | Source |
|---|---|
| nixpkgs | `github:NixOS/nixpkgs/nixos-unstable` |
| home-manager | `github:nix-community/home-manager` |
| nixpkgs-stable | `github:NixOS/nixpkgs/nixos-25.11` |
| home-manager-stable | `github:nix-community/home-manager/release-25.11` |
| zen-browser | `github:0xc000022070/zen-browser-flake` |
| nix-cachyos-kernel | `github:xddxdd/nix-cachyos-kernel/release` |
| proton-cachyos-nix | `github:powerofthe69/proton-cachyos-nix` |
| hyprland | `github:hyprwm/Hyprland` |
| stylix | `github:nix-community/stylix/release-25.11` |
## Mediaserver secrets


@ -12,6 +12,14 @@
group = "media";
};
# Disable built-in auth — Authelia handles it at the reverse proxy
systemd.services.bazarr.preStart = lib.mkAfter ''
config_file="/var/lib/bazarr/config/config.ini"
if [ -f "$config_file" ]; then
sed -i 's/^type = .*/type = none/' "$config_file"
fi
'';
# Ensure subtitles written by bazarr are group-writable
systemd.services.bazarr.serviceConfig.UMask = lib.mkForce "0002";
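Review bot: The substitution on the `sed -i 's/^type = .*/type = none/'` line is not scoped to the `[auth]` section, so it rewrites every `type = ` key in config.ini (Bazarr's `[proxy]` section carries one), and it writes lower-case `none` where Bazarr's own default is `None`, so if the comparison is case-sensitive the built-in login may stay enabled. Scoping the edit to the section and matching the casing fixes both: `sed -i '/^\[auth\]/,/^\[/ s/^type = .*/type = None/' "$config_file"`. The `-f` guard also turns the whole step into a silent no-op when the file is missing; recent Bazarr releases keep settings in config.yaml rather than config.ini, so it is worth confirming which file the deployed version reads and emitting a log line when nothing was patched. The `preStart` script is fully within the hunk, but the enclosing attribute set starts before it.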


@ -3,7 +3,15 @@
{
config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
# Sonarr
# Disable built-in auth — Authelia handles it at the reverse proxy
systemd.services.prowlarr.preStart = lib.mkAfter ''
config_file="/var/lib/prowlarr/config.xml"
if [ -f "$config_file" ]; then
sed -i 's|<AuthenticationMethod>.*</AuthenticationMethod>|<AuthenticationMethod>None</AuthenticationMethod>|' "$config_file"
fi
'';
# Prowlarr
services.prowlarr = {
enable = true;
openFirewall = true;
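Review bot: With `<AuthenticationMethod>None</AuthenticationMethod>` now forced on every start, the pre-existing `openFirewall = true;` line in this hunk leaves Prowlarr's native port reachable from the network with no authentication, bypassing the Authelia-fronted nginx path the commit message relies on. If nginx runs on the same host it reaches the service over loopback and `openFirewall` can simply be dropped; otherwise the port should be restricted to the proxy host in the router's nftables rules. The `services.prowlarr` block continues past the end of the hunk, so I cannot see whether anything further restricts the listener. The `# Sonarr` comment above the new script looks like a stale context line in prowlarr.nix rather than new code.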


@ -12,6 +12,14 @@
group = "media";
};
# Disable built-in auth — Authelia handles it at the reverse proxy
systemd.services.radarr.preStart = lib.mkAfter ''
config_file="/var/lib/radarr/config.xml"
if [ -f "$config_file" ]; then
sed -i 's|<AuthenticationMethod>.*</AuthenticationMethod>|<AuthenticationMethod>None</AuthenticationMethod>|' "$config_file"
fi
'';
# Ensure files created by radarr are group-writable
systemd.services.radarr.serviceConfig.UMask = lib.mkForce "0002";
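Review bot: The value written by the sed on the `<AuthenticationMethod>` line may not be what the running Radarr accepts: recent Radarr and Sonarr releases removed `None` from the authentication options and document `External` as the method for deployments where a reverse proxy performs authentication, so confirm the deployed version honours `None` rather than ignoring it or re-enabling form login on start. The same applies to the identical substitutions in sonarr.nix and prowlarr.nix. If `External` is the supported value the fix is one line: `sed -i 's|<AuthenticationMethod>.*</AuthenticationMethod>|<AuthenticationMethod>External</AuthenticationMethod>|' "$config_file"`. Because the `-f` guard skips a not-yet-created config.xml, the first start after a fresh install runs with the application default until the next restart; a comment such as `# No-op on first start: config.xml is created by the app itself` would make that visible to the next reader.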


@ -12,6 +12,14 @@
group = "media";
};
# Disable built-in auth — Authelia handles it at the reverse proxy
systemd.services.sonarr.preStart = lib.mkAfter ''
config_file="/var/lib/sonarr/config.xml"
if [ -f "$config_file" ]; then
sed -i 's|<AuthenticationMethod>.*</AuthenticationMethod>|<AuthenticationMethod>None</AuthenticationMethod>|' "$config_file"
fi
'';
# Ensure files created by sonarr are group-writable
systemd.services.sonarr.serviceConfig.UMask = lib.mkForce "0002";