From e4d8129873eea165fb90453014b7b5fcb1a02881 Mon Sep 17 00:00:00 2001
From: Felix Buehler
Date: Tue, 25 Jul 2023 22:20:49 +0200
Subject: [PATCH] service/exportarr: fix apikey
---
 machines/serverle/secrets.yaml | 10 +++++++--
 machines/serverle/services.nix | 6 ++++++
 modules/services/bazarr/default.nix | 5 -----
 modules/services/exportarr/default.nix | 29 ++++++++++++++++++++------
 modules/services/prowlarr/default.nix | 20 ++++++++++++++++++
 modules/services/radarr/default.nix | 20 ++++++++++++++++++
 modules/services/sonarr/default.nix | 20 ++++++++++++++++++
 7 files changed, 97 insertions(+), 13 deletions(-)
diff --git a/machines/serverle/secrets.yaml b/machines/serverle/secrets.yaml
index b435e7d..24e1c67 100644
--- a/machines/serverle/secrets.yaml
+++ b/machines/serverle/secrets.yaml
@@ -18,6 +18,12 @@ acme:
 inwx: ENC[AES256_GCM,data:yf1Xi0YOSUMfTd91NCjMUD7uMPzFjK7wfsxnDeIXBfd1U0hopemF6KBDYVLIP7NrTDz+wGWCqvgO3w8FjfWjCgtcqw==,iv:4HOFyvuhCDTSFGgEqbdVmC8pDpf/CpapDaSUwwRZOGI=,tag:ynQxQS1VzpqCJZOfUP0Bwg==,type:str]
 dyndns:
 password: ENC[AES256_GCM,data:WsgT4Un6/yirszfONzhYQDT66arEdmzkeA==,iv:9IbyEwX8DvJMfW3XaUaObmsD8mZCr1eQo7MglGn8dl0=,tag:XM0Qf4KbdkercBvpEwJdtg==,type:str]
+radarr:
+ apikey: ENC[AES256_GCM,data:vyv5PRvNhJ0MxszGa0dQPIhlPdDqEV1Vm0QRCPKmY6k=,iv:tY159K+FqR6eqHYPR6uEveD7V8QZDJidxT0ms81kEew=,tag:tX1fA6BLHq3b4AwfD8L1Ag==,type:str]
+sonarr:
+ apikey: ENC[AES256_GCM,data:gnqWrd3FAqR49Q3LJfVk0DtSa9Oo5qR8BguI7qhF62Q=,iv:mmSHSV74EHtsor3xBU5HL7DtVXk3SKu5KjV2DglWgNI=,tag:1jlDMaYp2zu4B1EpfeL9nQ==,type:str]
+prowlarr:
+ apikey: ENC[AES256_GCM,data:5H3aZEaa7trPgwo7CKnryhMUdZ+UP+a9UBNbeLNHqxk=,iv:OE5/q4HRIhoB/ZK4ic2nC63t5nNyJi2AZsP4JYuxaW0=,tag:l5IFkGCmam+f3dFgKM1Rwg==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -42,8 +48,8 @@ sops:
 a1BjcjVaM01UV0o5bTFTVTE5QUZKMmsKPAGYDf1FVtp4+Z/KUrI6z0aZYEwN1DYa
 jKtA1IUXrmdaRllN0SfC+YjMXTk7IoJvrjagCv9Zo0zEKasfO8PL4g==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-06-04T14:25:20Z"
- mac: ENC[AES256_GCM,data:vHbLSsIFoathXRhvEIlJZyPQr/nKguel72hiaCP0Z/jjrtr+2imFWTPzi4BxRIHJwybITh59ytxDBm3cxXuN0GbBsSVHjYAp5oLqiQHWyjWQsJpE8ITP/0W61lNGeVAzixntgz/QJKqavXs0duEDSqqw+7+fULo6Xzx794vnY1M=,iv:MTpTnDRRhPnV2e6xX42juXciWIbYtbIzy6GC+aYj9Gc=,tag:8e3uGqwW2CZnrQartHb5DQ==,type:str]
+ lastmodified: "2023-07-25T19:49:06Z"
+ mac: ENC[AES256_GCM,data:YJDe8T2DljJZX80Q5dMgh5nn+oNO5f9lU8KxbjtfMdXsu5aFCB/IykSMXLO9Yji4QeUMdiTsmAhDl+xWonK7BjDorNF7Culq3zo/g36WkAekGFlgp4i0lnHf182noX46sApwFDj9gRx+Ozhn/BsoVADhNkOfP91XJH09UOLyHxM=,iv:qWnS2m9ifuLKdX2+7b053/OHNgIjb9GK7EIft00Qu7E=,tag:XAtQdRP5pEP3xYoGLqbnNA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3
diff --git a/machines/serverle/services.nix b/machines/serverle/services.nix
index 851c1ce..ed820a4 100644
--- a/machines/serverle/services.nix
+++ b/machines/serverle/services.nix
@@ -11,6 +11,9 @@ in
 sops.secrets."sso/auth-key" = { };
 sops.secrets."sso/felix/password-hash" = { };
 sops.secrets."sso/felix/totp-secret" = { };
+ sops.secrets."prowlarr/apikey" = { };
+ sops.secrets."radarr/apikey" = { };
+ sops.secrets."sonarr/apikey" = { };
 # List services that you want to enable:
 my.services = {
@@ -32,12 +35,15 @@ in
 prowlarr = {
 enable = true;
+ apiKeyFile = secrets."prowlarr/apikey".path;
 };
 radarr = {
 enable = true;
+ apiKeyFile = secrets."radarr/apikey".path;
 };
 sonarr = {
 enable = true;
+ apiKeyFile = secrets."sonarr/apikey".path;
 };
 bazarr = {
 enable = true;
diff --git a/modules/services/bazarr/default.nix b/modules/services/bazarr/default.nix
index fcbbe57..44a7b4d 100644
--- a/modules/services/bazarr/default.nix
+++ b/modules/services/bazarr/default.nix
@@ -26,11 +26,6 @@ in
 }
 ];
- my.services.exportarr.bazarr = {
- port = port + 1;
- url = "http://127.0.0.1:${toString port}";
- };
-
 webapps.apps.bazarr = {
 dashboard = {
 name = "Subtitles";
diff --git a/modules/services/exportarr/default.nix b/modules/services/exportarr/default.nix
index 28c7995..d87bdcb 100644
--- a/modules/services/exportarr/default.nix
+++ b/modules/services/exportarr/default.nix
@@ -4,16 +4,17 @@ let
 mkExportarrService = name: conf:
 let
- exportarrEnvironment = {
+ exportarrEnvironment = (
+ lib.mapAttrs (_: toString) conf.environment
+ ) // {
 PORT = toString conf.port;
 URL = conf.url;
- } // (
- lib.mapAttrs (_: toString) conf.environment
- );
+ API_KEY_FILE = lib.mkIf (conf.apiKeyFile != null) "%d/api-key";
+ };
 in
 lib.nameValuePair "exportarr-${name}" {
 description = "Exportarr Service ${name}";
- script = ''exec ${conf.package}/bin/exportarr "$@"'';
+ script = ''exec ${conf.package}/bin/exportarr ${name} "$@"'';
 serviceConfig = {
 Restart = "on-failure";
 User = "exportarr-${name}";
@@ -23,6 +24,9 @@ let
 WorkingDirectory = "/var/lib/exportarr-${name}";
 RuntimeDirectory = "exportarr-${name}";
+ LoadCredential = lib.optionalString (conf.apiKeyFile != null)
+ "api-key:${conf.apiKeyFile}";
+
 CapabilityBoundingSet = "";
 LockPersonality = true;
 PrivateDevices = true;
@@ -88,6 +92,14 @@ in
 '';
 };
+ apiKeyFile = lib.mkOption {
+ type = lib.types.nullOr lib.types.path;
+ default = null;
+ description = lib.mdDoc ''
+ File containing the api-key.
+ '';
+ };
+
 package = lib.mkPackageOptionMD pkgs "exportarr" { };
 environment = lib.mkOption {
@@ -97,7 +109,6 @@ in
 See [the configuration guide](https://github.com/onedr0p/exportarr#configuration) for available options.
 '';
 example = {
- API_KEY_FILE = "/run/secrets/exportarr";
 PROWLARR__BACKFILL = true;
 };
 };
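Review bot: In the first hunk of modules/services/exportarr/default.nix, the rewritten `exportarrEnvironment` puts the module's own attrset on the right-hand side of `//`, so the `API_KEY_FILE` key always comes from it, even when `conf.apiKeyFile` is null and its value is only `lib.mkIf false …`. A host that still sets `environment.API_KEY_FILE` (as the example removed later in this file showed) would then lose the variable without any evaluation error, assuming this attrset is assigned to the unit's `environment` option, which lies outside the hunk. Adding the key only when it is needed avoids that: `} // lib.optionalAttrs (conf.apiKeyFile != null) { API_KEY_FILE = "%d/api-key"; };`. The body of `mkExportarrService` continues past the end of the hunk.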
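Review bot: The `apiKeyFile` option declared in the third hunk of modules/services/exportarr/default.nix is typed `lib.types.path` and described only as "File containing the api-key.", which does not warn that a Nix path literal would be copied into the world-readable store when it is interpolated into `LoadCredential` in the previous hunk. The description should state the expected form of the value, for example `Absolute path, given as a string, to a runtime file holding the API key (e.g. a sops-nix secret); do not pass a Nix path literal, it would be copied to the store.` The same wording fits the `apiKeyFile` options added to the prowlarr, radarr and sonarr modules later in this patch.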
@@ -107,6 +118,12 @@ in
 };
 config = lib.mkIf (cfg != { }) {
+ assertions = lib.mapAttrsToList
+ (name: config: {
+ assertion = builtins.elem name [ "sonarr" "radarr" "lidarr" "prowlarr" "readarr" "sabnzbd" ];
+ message = "exportarr does not support this service.";
+ })
+ cfg;
 systemd.services = lib.mapAttrs' mkExportarrService cfg;
 };
 }
diff --git a/modules/services/prowlarr/default.nix b/modules/services/prowlarr/default.nix
index 5038655..548b8c9 100644
--- a/modules/services/prowlarr/default.nix
+++ b/modules/services/prowlarr/default.nix
@@ -8,6 +8,13 @@ in
 {
 options.my.services.prowlarr = with lib; {
 enable = mkEnableOption "Prowlarr for indexing";
+
+ apiKeyFile = lib.mkOption {
+ type = lib.types.path;
+ description = lib.mdDoc ''
+ File containing the api-key.
+ '';
+ };
 };
 config = lib.mkIf cfg.enable {
@@ -39,8 +46,21 @@ in
 my.services.exportarr.prowlarr = {
 port = port + 1;
 url = "http://127.0.0.1:${toString port}";
+ apiKeyFile = cfg.apiKeyFile;
 };
+ services.prometheus.scrapeConfigs = [
+ {
+ job_name = "prowlarr";
+ static_configs = [{
+ targets = [ "127.0.0.1:${toString port + 1}" ];
+ labels = {
+ instance = config.networking.hostName;
+ };
+ }];
+ }
+ ];
+
 webapps.apps.prowlarr = {
 dashboard = {
 name = "Indexer";
diff --git a/modules/services/radarr/default.nix b/modules/services/radarr/default.nix
index a9912ac..ef56b21 100644
--- a/modules/services/radarr/default.nix
+++ b/modules/services/radarr/default.nix
@@ -8,6 +8,13 @@ in
 {
 options.my.services.radarr = with lib; {
 enable = mkEnableOption "Sonarr for films management";
+
+ apiKeyFile = lib.mkOption {
+ type = lib.types.path;
+ description = lib.mdDoc ''
+ File containing the api-key.
+ '';
+ };
 };
 config = lib.mkIf cfg.enable {
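Review bot: The assertion added to the `config` block of modules/services/exportarr/default.nix reports `message = "exportarr does not support this service.";` without saying which attribute name failed, and the lambda's second parameter `config` is never used. I would write `(name: _: {` and `message = "exportarr does not support '${name}'.";` so that a failed evaluation points at the offending entry.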
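Review bot: In the scrape config added to modules/services/prowlarr/default.nix, `${toString port + 1}` parses as `(toString port) + 1`, because function application binds tighter than `+` in Nix, so a string is added to an integer and evaluating this option fails instead of yielding the exporter port. It should read `targets = [ "127.0.0.1:${toString (port + 1)}" ];`, which matches the `port = port + 1;` passed to exportarr just above. The same expression is added in the radarr and sonarr modules further down in this patch.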
@@ -29,8 +36,21 @@ in
 my.services.exportarr.radarr = {
 port = port + 1;
 url = "http://127.0.0.1:${toString port}";
+ apiKeyFile = cfg.apiKeyFile;
 };
+ services.prometheus.scrapeConfigs = [
+ {
+ job_name = "radarr";
+ static_configs = [{
+ targets = [ "127.0.0.1:${toString port + 1}" ];
+ labels = {
+ instance = config.networking.hostName;
+ };
+ }];
+ }
+ ];
+
 webapps.apps.radarr = {
 dashboard = {
 name = "Movies";
diff --git a/modules/services/sonarr/default.nix b/modules/services/sonarr/default.nix
index 063f798..ce20e60 100644
--- a/modules/services/sonarr/default.nix
+++ b/modules/services/sonarr/default.nix
@@ -8,6 +8,13 @@ in
 {
 options.my.services.sonarr = with lib; {
 enable = mkEnableOption "Sonarr for series management";
+
+ apiKeyFile = lib.mkOption {
+ type = lib.types.path;
+ description = lib.mdDoc ''
+ File containing the api-key.
+ '';
+ };
 };
 config = lib.mkIf cfg.enable {
@@ -29,8 +36,21 @@ in
 my.services.exportarr.sonarr = {
 port = port + 1;
 url = "http://127.0.0.1:${toString port}";
+ apiKeyFile = cfg.apiKeyFile;
 };
+ services.prometheus.scrapeConfigs = [
+ {
+ job_name = "sonarr";
+ static_configs = [{
+ targets = [ "127.0.0.1:${toString port + 1}" ];
+ labels = {
+ instance = config.networking.hostName;
+ };
+ }];
+ }
+ ];
+
 webapps.apps.sonarr = {
 dashboard = {
 name = "Series";