This brings `prowlarr` in line with how `sonarr` and `radarr` are
set up, which (among other things) lets users use `services.prowlarr.settings`
to e.g. configure Postgres or URL base.

- Remove handling of dynamic users
- Split out "which file to wait for" and "how to read that file", per
  service
- Rely on `systemd.tmpfiles` to make dirs with the right permissions
- Remove per-service group membership changes; those will be easier to
  reason about in each service's *.nix file
- Fix API key service user reference (torrenter -> transmission)
- Remove duplicate vpnNamespaces.wg definition
- Add proper enable option to wireguard exporter for consistency
- Make wireguard exporter port mappings conditional

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

Add a new test that validates VPN namespace isolation for Nixarr services.
The test uses a 3-VM topology to ensure that transmission traffic is properly
confined to the VPN tunnel and includes:

- IPv4 and IPv6 traffic routing verification
- DNS leak detection using tcpdump and static DNS entries
- Traffic leak prevention when VPN fails
- Port forwarding from external clients
- Service recovery after VPN reconnection

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

Add a test that validates file permissions, ownership, and service access
for key Nixarr services. The test verifies:

- Users and groups exist with correct membership
- Directory ownership matches expected patterns
- Services can write/read files in media directories
- Cross-seed can access transmission state
- fix-permissions command works correctly

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>