From abdc88b3a0fcf2ac60393aa0707da246a8784a52 Mon Sep 17 00:00:00 2001 From: ahuston-0 Date: Thu, 25 Dec 2025 01:01:38 -0500 Subject: [PATCH 1/8] password/fw issue --- systems/palatine-hill/firewall.nix | 71 ++++++++++++++++++------------ systems/palatine-hill/secrets.yaml | 12 ++--- 2 files changed, 48 insertions(+), 35 deletions(-) diff --git a/systems/palatine-hill/firewall.nix b/systems/palatine-hill/firewall.nix index 366673f..0b47f86 100644 --- a/systems/palatine-hill/firewall.nix +++ b/systems/palatine-hill/firewall.nix @@ -1,41 +1,54 @@ { ... }: { - networking.firewall.allowedTCPPorts = [ - # qbit - 8081 - 8082 - 8443 + networking.firewall = { - # hydra - 3000 + extraCommands = " + iptables -I nixos-fw 1 -i br+ -j ACCEPT + "; - # minio - 8500 - 8501 + extraStopCommands = " + iptables -D nixos-fw -i br+ -j ACCEPT + "; - # gitea - 2222 - 2223 - 8088 + trustedInterfaces = [ "br+" ]; - # attic - 8183 + allowedTCPPorts = [ + # qbit + 8081 + 8082 + 8443 - # collabora - 9980 + # hydra + 3000 - # arr - 6767 - 9696 - 7878 - 8989 - 8686 - 8787 - 5055 + # minio + 8500 + 8501 - # temp postgres - 5432 - ]; + # gitea + 2222 + 2223 + 8088 + # attic + 8183 + + # collabora + 9980 + + # arr + 6767 + 9696 + 7878 + 8989 + 8686 + 8787 + 5055 + + # temp postgres + 5432 + ]; + + }; } diff --git a/systems/palatine-hill/secrets.yaml b/systems/palatine-hill/secrets.yaml index 4b62a3e..3005b7b 100644 --- a/systems/palatine-hill/secrets.yaml +++ b/systems/palatine-hill/secrets.yaml 
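Review bot: `trustedInterfaces = [ "br+" ]` already makes the NixOS firewall accept everything arriving on interfaces matching that pattern, so the `extraCommands`/`extraStopCommands` pair that inserts and deletes the same `-i br+ -j ACCEPT` rule by hand is redundant and worth dropping. More importantly, `br+` is an iptables prefix wildcard, so it also trusts every Docker-created `br-*` bridge (the `arrnet`/`haproxy-net` networks later in this series run on such bridges), meaning any container reaches every host port regardless of the `allowedTCPPorts` list below. If only one bridge is meant, name it (`trustedInterfaces = [ "br0" ];` as a constructed example); otherwise document the decision with `# br+ also matches Docker's br-* bridges: every container network is trusted`. The hunk replaces the whole file, so no enclosing block is cut.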
@@ -27,10 +27,10 @@ docker: protonvpn-start-script: ENC[AES256_GCM,data:ZnlDpCLdILHXSUCI6itWkqO4y75Lwjj7qT1DBkfueLneQOaQ0JhuE2FbOOajkmI046nP9fMrJbu3g4QZHsq1g8yqGU1wb0OOT+eS9+M92Md29B4NnUdwnVAO6/RzvRKXP2tsQ4iprx9An+BEFwZYD6WG6DQc6NjJVSgRcYvfH9rQey2VdwLysNsgFCs8eC6QgikqBpeg4eOIvDDNbdXPKkW+ZPph9xpzGkcFIMwlX5esg0n7qyUoMvWwBn4avC46U5erOw0fNajY60ri9sm5Afht6LZrFal71Hx/K9/5EXBp9dD4teLO2Ew0CQX0i94pKCuR207l9868s7Ao3udLp4wbiLnXoRKq+w==,iv:qR0kNYpb50NXEqSksvHBPAaRG51RKCsSwTq32nosxzo=,tag:+xRQyuWi4Ja/N9lcd11oJA==,type:str] notifiarr: ENC[AES256_GCM,data:XxVEhp4Rei6mRcdSSooRnofuVNZDalVhDYiVUmvQUr8QihrVRMKRE9Kpl5PGWUBw,iv:urMLaUf3XUjMks2vk0E7iRUU3mLHBiMAiwtQgmWQq20=,tag:dHdTOyC/ukd71UlYEI5fWw==,type:str] bazarr: ENC[AES256_GCM,data:x+JdRCl3x3OM3lWmgcWikJSEnh5c5He5HmuLzCGAQ8zUXMi2Z3Kf6LzL+aoqtCBu3rabYZmQSLBoDm9CPkk=,iv:7e+3w46RUD2/OSlwrEe7BRxUqPPdt5+obIjQA8pr3xY=,tag:rHSijp/tcf/SGp5y4kJ0cw==,type:str] - prowlarr: ENC[AES256_GCM,data:AyOaj1nYCxeycBgp5sfNKz3A158FuXVg0DCoLrOE9YnUIAjo+5PW9HMdpCEiK0OfgoMPcUZNZowLYYY0goxwC+4+tB87TnBz2YpXTX8L7YO2JA+g7hA=,iv:IaZxKl5ypdIQ4f4SAHQtaUC20lbYL1b7mptu/FVB6k4=,tag:A9eQI9gG7wkSEPt6Mdg3Zw==,type:str] - radarr: ENC[AES256_GCM,data:vqjqRsDjFm30yMrzWsWC6prYSEUQ+4v0hlDqJ6FS39hNFaGtGAsulUWv9MAJ11xI9CLsjjQUtpQ5KlRkYlHo5FnzeXCpK05ewkhYyqa7NKE=,iv:sKdxA5AtxpFpuiUYpz3NW2Fjc+ZKFmiJqibdQ3P6pVg=,tag:tDlJpApk4g6SYFzyn8Z/HA==,type:str] - sonarr: ENC[AES256_GCM,data:IooG9LDXpdbQcknriSdowPwNv++yfj54mko49rtm4B8IVEV30B5o8iZhGXmSgpLsH9QtP/PmkuczjiiwlPI2QM5iRxpjUz2456a1hi61/uY=,iv:/PagjmFtJgkYKFPmZD5qI8DzdiuUIX8m0lapdZBXUus=,tag:Ppew0fepqgnhvTorwalhEw==,type:str] - lidarr: ENC[AES256_GCM,data:9YtVafa4/SQ78+DJ52emGyLHCWpJpnhc+2DwGBQ0uhFiee7ZRFy+O0kHPPyNly8sgP9UOZt+53D4sAv9S8hOCnJTAbHiNnzTbjQmZtnvgnc=,iv:dlF5wtcphEhg5jxb8YSIF9/2Vj1KY10Vza/OGK1jXRM=,tag:8qmdQjRv30VqRReOzr6UEA==,type:str] + prowlarr: 
ENC[AES256_GCM,data:fc4Dw6U9IjoDSXIAFNqtsFKZGFSkfiRhc96WyDYZg10KRcASZBEhLUWNSTgA0FnPOu7QINjIdSZrnTUbG7tEU/UfcnHISXiQwlaPzT8R+F/XSJOjSrg=,iv:XQ6WJZHkyzDIMgu1VL3UB//+vVP4xI5ruLf199pOqd4=,tag:Cv2YtzqrmHbn4y2AD4rF2A==,type:str] + radarr: ENC[AES256_GCM,data:gdk15Sj8ZVxxz9dLtBzNTIXtpVxSL4cFm+7PSso4C2p+qucxbRxGYlvJKzi7bnL6fH8cwLh1lGSS+jqFzPa0GhIlW7DvyKywuZqmngSm8ys=,iv:qMTdgb1BqY3ZyGbsk+OhyfSooqducnpRRBioxw4RME0=,tag:0BCneime1bM3gqE5tObm/Q==,type:str] + sonarr: ENC[AES256_GCM,data:lbDFJU8QyMwCt7L4gl1g+ESWix81tyCHOlbSwRM+S1huGo3mpFdabpA+QTOGE7KwUr144uMmNgHXc97RCePELnAWoQmRG6VYP3zITVS5GrU=,iv:jPODdbCExANoiBQrpE+i1AzpIQKucpgQglTKA5qpJsE=,tag:TiXiC4RGfR9xfJJKm/Gp+g==,type:str] + lidarr: ENC[AES256_GCM,data:C1zKtt2oFIZMhGSqdDUcByECrORoboDrMrWxE2Pm0bI60X6fnFhl3x9HTlJlxXnifT+Ec0n+PoKsuTbmIHGIJmjHlj5EHRxteAHpTNP0qC8=,iv:6Nw6CXCuf1kfvTnGx5uZm1hL5rM3JWIM+WQXClkBQBc=,tag:Ym/CBv2zpu6VspUE7ZF8ZA==,type:str] jellyseerr: ENC[AES256_GCM,data:eKZo7Yw6j0qeyHidHu3R+2yZrHOMlM/O2VTY0CF/AUzm21LNO5UDItORoBCJfPvpnbA=,iv:jVJ77jXNwCEPRWKgKP8E7SrxdS0RFa486nq6cMkqvMc=,tag:Bndao3nx18nmJ1yaXLmWIg==,type:str] acme: bunny: ENC[AES256_GCM,data:P2yROVUga9mORcq8VR/l0i4/2Vod1zvlYq+ZJLLNKow0SpblkwQX/i1ucQYAOkTTRddN+3C+t0zj1rMWkdLoaLjEUJJi3VsSxi+chV2FFiVKFQGEcg24,iv:aQvGgGLsgRGoEmwTgZHR8Jm/MYxmGtVTT/fZKaTLeMs=,tag:m3ssF4O8qs4yxvMu6yUcjw==,type:str] 
@@ -50,8 +50,8 @@ sops: cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-24T03:17:22Z" - mac: ENC[AES256_GCM,data:TreH0Z2S91ZyMreMSv0AIFJs1lrOCqTrsKHY2MrU0O+wdJlCdn4ggVGlS9L+oGpZ8fXoUcLdMvc0M3wCFZauM86SVMW+BDiPp93P6JLX8mDlLJPE1tfsw6ueaeKZJIhlbnlLSWHjNBrkybuT11HxXAjJIHav1Jf0S42lIMhq1Tc=,iv:ajcZxYvsMGmauj37MIJjWvzqlLAeqBiPbuqof2suTPU=,tag:7vQ4LnoHTrdUxnmhRgUANA==,type:str] + lastmodified: "2025-12-25T05:59:07Z" + mac: ENC[AES256_GCM,data:+WYmAwItp+NAZk1oyXFj8F7GPQSbzKxam0L1jWLTjbefkCZH7CujGbS/fUEsKz7wKqcti6jq7oRMtd8Qh8lmk0Gj3cn1kduNmRSJfvZP0ZKke8ojv5sW/H4B5fPSsck1ZhEPXzb+Uak7QqrHQQZ1fFdMQqTO7tVHK4q4lYdjQzc=,iv:zHsIIv4jlMZ1yhjISAw1hkgnDHWOqNqxRptgvAWBBhw=,tag:R49lPYiWtADnHkGiCVdffw==,type:str] pgp: - created_at: "2024-11-28T18:56:39Z" enc: |- From 570cb3033ea550312ec8a79c28fdae9a49f1a379 Mon Sep 17 00:00:00 2001 From: ahuston-0 Date: Thu, 25 Dec 2025 01:01:38 -0500 Subject: [PATCH 2/8] password/fw issue --- systems/palatine-hill/docker/arr.nix | 35 ++++++++++++++++++++++------ 1 file changed, 28 insertions(+), 7 deletions(-) diff --git a/systems/palatine-hill/docker/arr.nix b/systems/palatine-hill/docker/arr.nix index 2afe63f..0b06c6e 100644 --- a/systems/palatine-hill/docker/arr.nix +++ b/systems/palatine-hill/docker/arr.nix 
@@ -235,13 +235,34 @@ in sops = { secrets = { - "docker/notifiarr".owner = "docker-service"; - "docker/bazarr".owner = "docker-service"; - "docker/prowlarr".owner = "docker-service"; - "docker/radarr".owner = "docker-service"; - "docker/sonarr".owner = "docker-service"; - "docker/lidarr".owner = "docker-service"; - "docker/jellyseerr".owner = "docker-service"; + "docker/notifiarr" = { + owner = "docker-service"; + restartUnits = "docker-notifiarr.service"; + }; + "docker/bazarr" = { + owner = "docker-service"; + restartUnits = "docker-bazarr.service"; + }; + "docker/prowlarr" = { + owner = "docker-service"; + restartUnits = "docker-prowlarr.service"; + }; + "docker/radarr" = { + owner = "docker-service"; + restartUnits = "docker-radarr.service"; + }; + "docker/sonarr" = { + owner = "docker-service"; + restartUnits = "docker-sonarr.service"; + }; + "docker/lidarr" = { + owner = "docker-service"; + restartUnits = "docker-lidarr.service"; + }; + "docker/jellyseerr" = { + owner = "docker-service"; + restartUnits = "docker-jellyseerr.service"; + }; }; }; } From 7ef516d2bf7c3472339cca6d0a09ff7cc1fc1fa5 Mon Sep 17 00:00:00 2001 From: ahuston-0 Date: Thu, 25 Dec 2025 01:54:13 -0500 Subject: [PATCH 3/8] restart units --- systems/palatine-hill/docker/arr.nix | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/systems/palatine-hill/docker/arr.nix b/systems/palatine-hill/docker/arr.nix index 0b06c6e..f257c78 100644 --- a/systems/palatine-hill/docker/arr.nix +++ b/systems/palatine-hill/docker/arr.nix 
@@ -237,31 +237,31 @@ in
     secrets = {
       "docker/notifiarr" = {
         owner = "docker-service";
-        restartUnits = "docker-notifiarr.service";
+        restartUnits = [ "docker-notifiarr.service" ];
       };
       "docker/bazarr" = {
         owner = "docker-service";
-        restartUnits = "docker-bazarr.service";
+        restartUnits = [ "docker-bazarr.service" ];
       };
       "docker/prowlarr" = {
         owner = "docker-service";
-        restartUnits = "docker-prowlarr.service";
+        restartUnits = [ "docker-prowlarr.service" ];
       };
       "docker/radarr" = {
         owner = "docker-service";
-        restartUnits = "docker-radarr.service";
+        restartUnits = [ "docker-radarr.service" ];
       };
       "docker/sonarr" = {
         owner = "docker-service";
-        restartUnits = "docker-sonarr.service";
+        restartUnits = [ "docker-sonarr.service" ];
       };
       "docker/lidarr" = {
         owner = "docker-service";
-        restartUnits = "docker-lidarr.service";
+        restartUnits = [ "docker-lidarr.service" ];
       };
       "docker/jellyseerr" = {
         owner = "docker-service";
-        restartUnits = "docker-jellyseerr.service";
+        restartUnits = [ "docker-jellyseerr.service" ];
       };
     };
   };

From d7aae917d3c072d0330cd03c30f9965f384dcf2e Mon Sep 17 00:00:00 2001
From: ahuston-0
Date: Thu, 25 Dec 2025 01:56:34 -0500
Subject: [PATCH 4/8] restart units

---
 systems/palatine-hill/secrets.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/systems/palatine-hill/secrets.yaml b/systems/palatine-hill/secrets.yaml
index 3005b7b..1866802 100644
--- a/systems/palatine-hill/secrets.yaml
+++ b/systems/palatine-hill/secrets.yaml
@@ -27,10 +27,10 @@ docker: protonvpn-start-script: ENC[AES256_GCM,data:ZnlDpCLdILHXSUCI6itWkqO4y75Lwjj7qT1DBkfueLneQOaQ0JhuE2FbOOajkmI046nP9fMrJbu3g4QZHsq1g8yqGU1wb0OOT+eS9+M92Md29B4NnUdwnVAO6/RzvRKXP2tsQ4iprx9An+BEFwZYD6WG6DQc6NjJVSgRcYvfH9rQey2VdwLysNsgFCs8eC6QgikqBpeg4eOIvDDNbdXPKkW+ZPph9xpzGkcFIMwlX5esg0n7qyUoMvWwBn4avC46U5erOw0fNajY60ri9sm5Afht6LZrFal71Hx/K9/5EXBp9dD4teLO2Ew0CQX0i94pKCuR207l9868s7Ao3udLp4wbiLnXoRKq+w==,iv:qR0kNYpb50NXEqSksvHBPAaRG51RKCsSwTq32nosxzo=,tag:+xRQyuWi4Ja/N9lcd11oJA==,type:str] notifiarr: ENC[AES256_GCM,data:XxVEhp4Rei6mRcdSSooRnofuVNZDalVhDYiVUmvQUr8QihrVRMKRE9Kpl5PGWUBw,iv:urMLaUf3XUjMks2vk0E7iRUU3mLHBiMAiwtQgmWQq20=,tag:dHdTOyC/ukd71UlYEI5fWw==,type:str] bazarr: ENC[AES256_GCM,data:x+JdRCl3x3OM3lWmgcWikJSEnh5c5He5HmuLzCGAQ8zUXMi2Z3Kf6LzL+aoqtCBu3rabYZmQSLBoDm9CPkk=,iv:7e+3w46RUD2/OSlwrEe7BRxUqPPdt5+obIjQA8pr3xY=,tag:rHSijp/tcf/SGp5y4kJ0cw==,type:str] - prowlarr: ENC[AES256_GCM,data:fc4Dw6U9IjoDSXIAFNqtsFKZGFSkfiRhc96WyDYZg10KRcASZBEhLUWNSTgA0FnPOu7QINjIdSZrnTUbG7tEU/UfcnHISXiQwlaPzT8R+F/XSJOjSrg=,iv:XQ6WJZHkyzDIMgu1VL3UB//+vVP4xI5ruLf199pOqd4=,tag:Cv2YtzqrmHbn4y2AD4rF2A==,type:str] - radarr: ENC[AES256_GCM,data:gdk15Sj8ZVxxz9dLtBzNTIXtpVxSL4cFm+7PSso4C2p+qucxbRxGYlvJKzi7bnL6fH8cwLh1lGSS+jqFzPa0GhIlW7DvyKywuZqmngSm8ys=,iv:qMTdgb1BqY3ZyGbsk+OhyfSooqducnpRRBioxw4RME0=,tag:0BCneime1bM3gqE5tObm/Q==,type:str] - sonarr: ENC[AES256_GCM,data:lbDFJU8QyMwCt7L4gl1g+ESWix81tyCHOlbSwRM+S1huGo3mpFdabpA+QTOGE7KwUr144uMmNgHXc97RCePELnAWoQmRG6VYP3zITVS5GrU=,iv:jPODdbCExANoiBQrpE+i1AzpIQKucpgQglTKA5qpJsE=,tag:TiXiC4RGfR9xfJJKm/Gp+g==,type:str] - lidarr: ENC[AES256_GCM,data:C1zKtt2oFIZMhGSqdDUcByECrORoboDrMrWxE2Pm0bI60X6fnFhl3x9HTlJlxXnifT+Ec0n+PoKsuTbmIHGIJmjHlj5EHRxteAHpTNP0qC8=,iv:6Nw6CXCuf1kfvTnGx5uZm1hL5rM3JWIM+WQXClkBQBc=,tag:Ym/CBv2zpu6VspUE7ZF8ZA==,type:str] + prowlarr: 
ENC[AES256_GCM,data:hr3hYwRw0+/UD8anqZQjGy7rPkV2pad4Xi5FdXSf3Ftd1/jwlYfMqhqgEngFX30LLMWvJvjeu1TkTNzSEwI6ZCPdefNVYYwWavtm+XcBVxffGvFZ,iv:EXW48288IcCeGs/vP4tkAI4dxQAOh92Na43q/9cyuSc=,tag:pnYR26MDd82DjeUPdwCoUw==,type:str] + radarr: ENC[AES256_GCM,data:qCfoeEHb0ng5GhaY3QZiFvLVb25ZHNmgT0bRqEjBcelyP2819zCL7LxUPr08FxivEYZiAMFVleRozL8NMg6O5fh+2BatcYOfyh99zxIC,iv:HV3gTTnrjtab7x4Be+7hSe+nrD6BnPAmZBsHzi9Fujg=,tag:O6x0FDlasuJSRrGL/9SwpQ==,type:str] + sonarr: ENC[AES256_GCM,data:X/hM31ZyHybvy2eQzVnmq8CH1AqBgz1pxq7tKC4lZB3ryAbnEIJksffem8+35tWt/0r5cEH4aaIKD1kS7Q+Ma+8JrRLcWkt6CZq/wspz,iv:44FfdVpQCposXshzNe5DXAxExeQzjVKhkZaVbgKo8KU=,tag:WIWWUt1XBngUTwwqhCrcNw==,type:str] + lidarr: ENC[AES256_GCM,data:xERBECneutNUMZRrHukp8CaNrpI7SXUB16zUkauNP2+wto3eIc/K+2nMCkbwSC9AKlSjnUGSiORmAWn/jofTAuEzQljkCR1XCSkJRMmL,iv:iKf4fZtCfdjT/KuMFK5VFoLAV+Lll8uJowe9Q4cHyYw=,tag:xzmATTkrYRYm9Mw23zEO5g==,type:str] jellyseerr: ENC[AES256_GCM,data:eKZo7Yw6j0qeyHidHu3R+2yZrHOMlM/O2VTY0CF/AUzm21LNO5UDItORoBCJfPvpnbA=,iv:jVJ77jXNwCEPRWKgKP8E7SrxdS0RFa486nq6cMkqvMc=,tag:Bndao3nx18nmJ1yaXLmWIg==,type:str] acme: bunny: ENC[AES256_GCM,data:P2yROVUga9mORcq8VR/l0i4/2Vod1zvlYq+ZJLLNKow0SpblkwQX/i1ucQYAOkTTRddN+3C+t0zj1rMWkdLoaLjEUJJi3VsSxi+chV2FFiVKFQGEcg24,iv:aQvGgGLsgRGoEmwTgZHR8Jm/MYxmGtVTT/fZKaTLeMs=,tag:m3ssF4O8qs4yxvMu6yUcjw==,type:str] 
@@ -50,8 +50,8 @@ sops: cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-25T05:59:07Z" - mac: ENC[AES256_GCM,data:+WYmAwItp+NAZk1oyXFj8F7GPQSbzKxam0L1jWLTjbefkCZH7CujGbS/fUEsKz7wKqcti6jq7oRMtd8Qh8lmk0Gj3cn1kduNmRSJfvZP0ZKke8ojv5sW/H4B5fPSsck1ZhEPXzb+Uak7QqrHQQZ1fFdMQqTO7tVHK4q4lYdjQzc=,iv:zHsIIv4jlMZ1yhjISAw1hkgnDHWOqNqxRptgvAWBBhw=,tag:R49lPYiWtADnHkGiCVdffw==,type:str] + lastmodified: "2025-12-25T06:56:31Z" + mac: ENC[AES256_GCM,data:LPL+Ykf189C3PDn+KgS7YEXX++bMreTdh/ACfEgWaNsNRAO9vT9S7y3nzLe3H3IRqp8c/ljvcS0p3IkePt73QcnOaD3PMfW2G0YOmeNXvcpl5CXq8sSXLXSpy7RX18xijt/vsoZg5S5PmSjUMSnE7+dhGpgWLlliIJJjuQVlvek=,iv:XqUCrYFhqi1NBZja6Q3opiisqmoz1eMml9L9lY0IF5E=,tag:hTWsxKxjD7cYbDQ1wnZVRA==,type:str] pgp: - created_at: "2024-11-28T18:56:39Z" enc: |- From eeb9b33101d06419cb3bf8ccd456461f5a57dfe0 Mon Sep 17 00:00:00 2001 From: ahuston-0 Date: Thu, 25 Dec 2025 12:27:26 -0500 Subject: [PATCH 5/8] change to socket connections --- systems/palatine-hill/docker/arr.nix | 31 ++++++++++++++++------------ 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/systems/palatine-hill/docker/arr.nix b/systems/palatine-hill/docker/arr.nix index f257c78..0e61e7c 100644 --- a/systems/palatine-hill/docker/arr.nix +++ b/systems/palatine-hill/docker/arr.nix @@ -11,7 +11,7 @@ let ctype = lib.strings.toUpper container_type; in { - "${ctype}__POSTGRES__HOST" = "host.docker.internal"; + "${ctype}__POSTGRES__HOST" = "/var/run/postgresql"; "${ctype}__POSTGRES__PORT" = toString config.services.postgresql.settings.port; }; in @@ -54,7 +54,7 @@ in PUID = "600"; PGID = "100"; TZ = "America/New_York"; - POSTGRES_HOST = "host.docker.internal"; + POSTGRES_HOST = "/var/run/postgresql"; POSTGRES_PORT = toString config.services.postgresql.settings.port; }; environmentFiles = [ 
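Review bot: The socket directory `/var/run/postgresql` is now spelled literally in this let-binding, in bazarr's `POSTGRES_HOST`, and in the volume lines and jellyseerr `DB_HOST` of the following hunks, and the value has to agree between the env variable and both sides of each bind mount for the clients to find the socket. Binding it once, e.g. `pgSocketDir = "/var/run/postgresql";` alongside `ctype`, and referencing it everywhere removes the chance of one copy drifting. Keeping `__POSTGRES__PORT` alongside the path is still needed, since the socket file name carries the port; a one-line comment saying so (`# host = socket dir; port selects .s.PGSQL.<port> inside it`) would save the next reader a lookup. The let block this hunk edits begins before the hunk.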
@@ -63,10 +63,10 @@ in
     volumes = [
       "${vars.primary_docker}/bazarr:/config"
       "${vars.primary_plex_storage}/data:/data"
+      "/var/run/postgresql:/var/run/postgresql"
     ];
     extraOptions = [
       "--network=arrnet"
-      "--add-host=host.docker.internal:host-gateway"
     ];
     autoStart = true;
   };
@@ -86,10 +86,12 @@ in
     ];
     extraOptions = [
       "--network=arrnet"
-
-      "--add-host=host.docker.internal:host-gateway"
     ];
-    volumes = [ "${vars.primary_docker}/prowlarr:/config" ];
+    volumes = [
+      "${vars.primary_docker}/prowlarr:/config"
+
+      "/var/run/postgresql:/var/run/postgresql"
+    ];
     autoStart = true;
   };
   radarr = {
@@ -109,10 +111,10 @@ in
     volumes = [
       "${vars.primary_docker}/radarr:/config"
       "${vars.primary_plex_storage}/data:/data"
+      "/var/run/postgresql:/var/run/postgresql"
     ];
     extraOptions = [
       "--network=arrnet"
-      "--add-host=host.docker.internal:host-gateway"
     ];
     autoStart = true;
   };
@@ -133,10 +135,10 @@ in
     volumes = [
       "${vars.primary_docker}/sonarr:/config"
       "${vars.primary_plex_storage}/data:/data"
+      "/var/run/postgresql:/var/run/postgresql"
     ];
     extraOptions = [
       "--network=arrnet"
-      "--add-host=host.docker.internal:host-gateway"
     ];
     autoStart = true;
   };
@@ -157,11 +159,10 @@ in
     volumes = [
       "${vars.primary_docker}/lidarr:/config"
       "${vars.primary_plex_storage}/data:/data"
+      "/var/run/postgresql:/var/run/postgresql"
     ];
     extraOptions = [
       "--network=arrnet"
-      "--add-host=host.docker.internal:host-gateway"
-
     ];
     autoStart = true;
   };
@@ -176,6 +177,7 @@ in
     volumes = [
       "${vars.primary_docker}/unpackerr:/config"
       "${vars.primary_plex_storage}:/data"
+      "/var/run/postgresql:/var/run/postgresql"
     ];
     extraOptions = [ "--network=arrnet" ];
     autoStart = true;
@@ -193,6 +195,7 @@ in
     volumes = [
       "${vars.primary_docker}/notifiarr:/config"
       "${vars.primary_plex_storage}:/data"
+      "/var/run/postgresql:/var/run/postgresql"
     ];
     extraOptions = [ "--network=arrnet" ];
     autoStart = true;
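Review bot: The hunks at `@@ -176,6 +177,7 @@` and `@@ -193,6 +195,7 @@` bind the Postgres socket directory into unpackerr and notifiarr, yet neither container carries any Postgres setting in the hunks shown, so as far as I can tell the mount only hands those two containers a path to the host database they have no use for. If they do not use the database, drop those two volume lines; if they do, a comment naming the consumer (`# notifiarr reads Postgres over the host socket`) would justify the mount. Separately, the prowlarr hunk at `@@ -86,10 +86,12 @@` leaves a blank line inside the new `volumes` list that no other container has. Each container definition these hunks edit begins before its hunk.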
@@ -206,18 +209,20 @@ in PGID = "100"; TZ = "America/New_York"; DB_TYPE = "postgres"; - DB_HOST = "host.docker.internal"; + DB_HOST = "/var/run/postgresql"; DB_PORT = toString config.services.postgresql.settings.port; }; environmentFiles = [ config.sops.secrets."docker/jellyseerr".path ]; - volumes = [ "${vars.primary_docker}/overseerr:/config" ]; + volumes = [ + "${vars.primary_docker}/overseerr:/config" + "/var/run/postgresql:/var/run/postgresql" + ]; # TODO: remove ports later since this is going through web extraOptions = [ "--network=arrnet" "--network=haproxy-net" - "--add-host=host.docker.internal:host-gateway" # "--health-cmd \"wget --no-verbose --tries 1 --spider http://localhost:5055/api/v1/status || exit 1\"" # "--health-start-period 20s" # "--health-timeout 3s" From ba9ae1d48a73f542aaa8a08434a393fde89d2c86 Mon Sep 17 00:00:00 2001 From: ahuston-0 Date: Thu, 25 Dec 2025 12:40:29 -0500 Subject: [PATCH 6/8] add hba map --- systems/palatine-hill/postgresql.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/systems/palatine-hill/postgresql.nix b/systems/palatine-hill/postgresql.nix index 22d6d64..0e5dc45 100644 --- a/systems/palatine-hill/postgresql.nix +++ b/systems/palatine-hill/postgresql.nix @@ -29,6 +29,12 @@ in # Let other names login as themselves superuser_map /^(.*)$ \1 ''; + authentication = '' + local bazarr bazarr scram-sha-256 + local /.*arr-main /.*arr scram-sha-256 + local /.*arr-log /.*arr scram-sha-256 + local jellyseerr jellyseerr scram-sha-256 + ''; # initialScript = config.sops.secrets."postgres/init".path; ensureDatabases = [ From e6fa868437344135a4fe7df3cedfc4338eb4086d Mon Sep 17 00:00:00 2001 From: ahuston-0 Date: Thu, 25 Dec 2025 12:45:39 -0500 Subject: [PATCH 7/8] jellyseerr fix --- systems/palatine-hill/secrets.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/palatine-hill/secrets.yaml b/systems/palatine-hill/secrets.yaml index 1866802..4a9b034 100644 
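Review bot: `local /.*arr-main /.*arr scram-sha-256` (and the `/.*arr-log` line) match database and role independently, so at the HBA layer any role matching `.*arr` — bazarr, lidarr, sonarr — may authenticate to any `*arr-main` or `*arr-log` database, leaving only the password and the database-level grants between one service's credentials and another's data. I believe PostgreSQL does not anchor these patterns either, so `.*arr` also accepts any role that merely contains `arr`. Anchoring (`/^[a-z]+arr$`, constructed) and, where the set is fixed as `ensureDatabases` suggests, one explicit line per pair (`local radarr-main radarr scram-sha-256`) keeps the mapping one-to-one. A short comment above the block noting that these entries must stay ahead of any fallback `peer` line, because the socket is bind-mounted into containers, would record why scram is required here. The `settings` attribute set this hunk edits begins and ends outside the hunk.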
--- a/systems/palatine-hill/secrets.yaml +++ b/systems/palatine-hill/secrets.yaml @@ -31,7 +31,7 @@ docker: radarr: ENC[AES256_GCM,data:qCfoeEHb0ng5GhaY3QZiFvLVb25ZHNmgT0bRqEjBcelyP2819zCL7LxUPr08FxivEYZiAMFVleRozL8NMg6O5fh+2BatcYOfyh99zxIC,iv:HV3gTTnrjtab7x4Be+7hSe+nrD6BnPAmZBsHzi9Fujg=,tag:O6x0FDlasuJSRrGL/9SwpQ==,type:str] sonarr: ENC[AES256_GCM,data:X/hM31ZyHybvy2eQzVnmq8CH1AqBgz1pxq7tKC4lZB3ryAbnEIJksffem8+35tWt/0r5cEH4aaIKD1kS7Q+Ma+8JrRLcWkt6CZq/wspz,iv:44FfdVpQCposXshzNe5DXAxExeQzjVKhkZaVbgKo8KU=,tag:WIWWUt1XBngUTwwqhCrcNw==,type:str] lidarr: ENC[AES256_GCM,data:xERBECneutNUMZRrHukp8CaNrpI7SXUB16zUkauNP2+wto3eIc/K+2nMCkbwSC9AKlSjnUGSiORmAWn/jofTAuEzQljkCR1XCSkJRMmL,iv:iKf4fZtCfdjT/KuMFK5VFoLAV+Lll8uJowe9Q4cHyYw=,tag:xzmATTkrYRYm9Mw23zEO5g==,type:str] - jellyseerr: ENC[AES256_GCM,data:eKZo7Yw6j0qeyHidHu3R+2yZrHOMlM/O2VTY0CF/AUzm21LNO5UDItORoBCJfPvpnbA=,iv:jVJ77jXNwCEPRWKgKP8E7SrxdS0RFa486nq6cMkqvMc=,tag:Bndao3nx18nmJ1yaXLmWIg==,type:str] + jellyseerr: ENC[AES256_GCM,data:7dDfHFp8+WbJqrf7Ms/gmfroBePwegXh5CXn5FcOz8IEK7rTvr9KZfz9x/1BwdD8,iv:ZPi3OcMfH76A08piKY4P7hFbeMyouwBoeN5oL3ExzKU=,tag:oOZ37dy/y+DFqNRfAHexvQ==,type:str] acme: bunny: ENC[AES256_GCM,data:P2yROVUga9mORcq8VR/l0i4/2Vod1zvlYq+ZJLLNKow0SpblkwQX/i1ucQYAOkTTRddN+3C+t0zj1rMWkdLoaLjEUJJi3VsSxi+chV2FFiVKFQGEcg24,iv:aQvGgGLsgRGoEmwTgZHR8Jm/MYxmGtVTT/fZKaTLeMs=,tag:m3ssF4O8qs4yxvMu6yUcjw==,type:str] dnsimple: ENC[AES256_GCM,data:37FKyBibFtXZgI4EduJQ0z8F+shBc5Q6YlLa3YkVPh9XuJVS20eybi75bfJxiozcZ9d+YRaqcbkBQCSdFOCotDU=,iv:oq3JjqbfAm2C4jcL1lvUb2EOmnwlR07vPoO8H0BmydQ=,tag:E3NO/jMElL6Q817666gIyg==,type:str] 
@@ -50,8 +50,8 @@ sops: cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-25T06:56:31Z" - mac: ENC[AES256_GCM,data:LPL+Ykf189C3PDn+KgS7YEXX++bMreTdh/ACfEgWaNsNRAO9vT9S7y3nzLe3H3IRqp8c/ljvcS0p3IkePt73QcnOaD3PMfW2G0YOmeNXvcpl5CXq8sSXLXSpy7RX18xijt/vsoZg5S5PmSjUMSnE7+dhGpgWLlliIJJjuQVlvek=,iv:XqUCrYFhqi1NBZja6Q3opiisqmoz1eMml9L9lY0IF5E=,tag:hTWsxKxjD7cYbDQ1wnZVRA==,type:str] + lastmodified: "2025-12-25T17:45:31Z" + mac: ENC[AES256_GCM,data:lVRqQWnO1RvmoW13/xCpP2SvibccRWwmr1Gyj6EgrE+V+Iu1bfnZRkTkHiFIQqQLQgCy2qBiSHeZF/dNERe83eEwpXgRQAduarpE/qL8K1mxcwf5HMMYACjlNfsL/I1/TCJrJ7DZBxI4neRLetc5OpScVXqHj1neOodD/g8n+ls=,iv:+gZpo0I2NVYz24o42mUW/OkfONqNSjgaJeKeFdKx7dg=,tag:EJnpiotQuBKth21mdhvjZQ==,type:str] pgp: - created_at: "2024-11-28T18:56:39Z" enc: |- From b08aed8fb2320b61ac0dd518f04f5be4c4b8bec0 Mon Sep 17 00:00:00 2001 From: ahuston-0 Date: Thu, 25 Dec 2025 13:50:01 -0500 Subject: [PATCH 8/8] remove postgres from firewall --- systems/palatine-hill/firewall.nix | 3 --- 1 file changed, 3 deletions(-) diff --git a/systems/palatine-hill/firewall.nix b/systems/palatine-hill/firewall.nix index 0b47f86..3a0cacf 100644 --- a/systems/palatine-hill/firewall.nix +++ b/systems/palatine-hill/firewall.nix @@ -45,9 +45,6 @@ 8686 8787 5055 - - # temp postgres - 5432 ]; };
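Review bot: Dropping 5432 from `allowedTCPPorts` does not cut the containers off from Postgres over TCP, because `trustedInterfaces = [ "br+" ]` from the first patch in this series accepts all traffic on bridge interfaces, including the Docker bridges behind `--network=arrnet`, before this list is consulted. If the intent after the socket migration is that Postgres is reachable only through `/var/run/postgresql`, confirm in postgresql.nix that `services.postgresql.enableTCPIP` stays off (or that `settings.listen_addresses` is loopback-only) so the server does not listen on the bridge addresses at all. The `allowedTCPPorts` list this hunk edits begins before the hunk.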