fujin/nixarr
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: introduce central api key extraction service generator

Browse Source
This commit is contained in:
Simon Elsbrock
2025-03-22 23:07:58 +01:00
committed by Edward Pierzchalski
parent c6cd890fa0
commit 127764a06d
1 changed files with 79 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
nixarr/lib/api-keys.nix
+79
View File
@@ -0,0 +1,79 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.nixarr;
# Helper to create API key extraction for a service
mkApiKeyExtractor = serviceName: serviceConfig: {
description = "Extract ${serviceName} API key";
after = ["${serviceName}.service"];
requires = ["${serviceName}.service"];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
# Use DynamicUser if the parent service does
DynamicUser = serviceConfig.serviceConfig.DynamicUser or false;
# Only set User if not using DynamicUser
${
if !(serviceConfig.serviceConfig.DynamicUser or false)
then "User"
else null
} =
serviceConfig.user or null;
Group = "api-keys";
UMask = "0027"; # Results in 0640 permissions
ExecStartPre = [
"${pkgs.coreutils}/bin/mkdir -p ${cfg.stateDir}/api-keys"
"${pkgs.coreutils}/bin/chown root:api-keys ${cfg.stateDir}/api-keys"
"${pkgs.coreutils}/bin/chmod 750 ${cfg.stateDir}/api-keys"
# Wait for config file to exist
"${pkgs.bash}/bin/bash -c 'while [ ! -f ${serviceConfig.stateDir}/config.xml ]; do sleep 1; done'"
];
ExecStart = pkgs.writeShellScript "extract-${serviceName}-api-key" ''
${pkgs.dasel}/bin/dasel -f "${serviceConfig.stateDir}/config.xml" \
-s ".Config.ApiKey" | tr -d '\n\r' > "${cfg.stateDir}/api-keys/${serviceName}.key"
chown $USER:api-keys "${cfg.stateDir}/api-keys/${serviceName}.key"
'';
};
};
in {
config = mkIf cfg.enable {
users.groups.api-keys = {};
# Ensure all services that need API keys are in the group
users.users = mkMerge [
# Static users
(mkIf cfg.transmission.enable {torrenter.extraGroups = ["api-keys"];})
(mkIf cfg.transmission.privateTrackers.cross-seed.enable {cross-seed.extraGroups = ["api-keys"];})
];
# Add api-keys group to services with DynamicUser
systemd.services = mkMerge [
(mkIf cfg.sonarr.enable {sonarr.serviceConfig.SupplementaryGroups = ["api-keys"];})
(mkIf cfg.radarr.enable {radarr.serviceConfig.SupplementaryGroups = ["api-keys"];})
(mkIf cfg.lidarr.enable {lidarr.serviceConfig.SupplementaryGroups = ["api-keys"];})
(mkIf cfg.readarr.enable {readarr.serviceConfig.SupplementaryGroups = ["api-keys"];})
(mkIf cfg.prowlarr.enable {prowlarr.serviceConfig.SupplementaryGroups = ["api-keys"];})
(mkIf cfg.recyclarr.enable {recyclarr.serviceConfig.SupplementaryGroups = ["api-keys"];})
# Create API key extractors for enabled services
(mkIf cfg.sonarr.enable {"sonarr-api-key" = mkApiKeyExtractor "sonarr" cfg.sonarr;})
(mkIf cfg.radarr.enable {"radarr-api-key" = mkApiKeyExtractor "radarr" cfg.radarr;})
(mkIf cfg.lidarr.enable {"lidarr-api-key" = mkApiKeyExtractor "lidarr" cfg.lidarr;})
(mkIf cfg.readarr.enable {"readarr-api-key" = mkApiKeyExtractor "readarr" cfg.readarr;})
(mkIf cfg.prowlarr.enable {"prowlarr-api-key" = mkApiKeyExtractor "prowlarr" cfg.prowlarr;})
];
# Create the api-keys directory
systemd.tmpfiles.rules = [
"d ${cfg.stateDir}/api-keys 0750 root api-keys - -"
];
};
}