automated: Update flake.lock

Auto-generated by [update.yml][1] with the help of [create-pull-request][2]. [1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml [2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
2025-12-25 12:09:10 +00:00
5 changed files with 64 additions and 106 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -242,11 +242,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1766682973,
-        "narHash": "sha256-GKO35onS711ThCxwWcfuvbIBKXwriahGqs+WZuJ3v9E=",
+        "lastModified": 1766553851,
+        "narHash": "sha256-hHKQhHkXxuPJwLkI8wdu826GLV5AcuW9/HVdc9eBnTU=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "91cdb0e2d574c64fae80d221f4bf09d5592e9ec2",
+        "rev": "7eca7f7081036a7b740090994c9ec543927f89a7",
        "type": "github"
      },
      "original": {
@@ -502,11 +502,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1766651565,
-        "narHash": "sha256-QEhk0eXgyIqTpJ/ehZKg9IKS7EtlWxF3N7DXy42zPfU=",
+        "lastModified": 1766309749,
+        "narHash": "sha256-3xY8CZ4rSnQ0NqGhMKAy5vgC+2IVK0NoVEzDoOh4DA4=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "3e2499d5539c16d0d173ba53552a4ff8547f4539",
+        "rev": "a6531044f6d0bef691ea18d4d4ce44d0daa6e816",
        "type": "github"
      },
      "original": {
@@ -596,11 +596,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1766717007,
-        "narHash": "sha256-ZjLiHCHgoH2maP5ZAKn0anrHymbjGOS5/PZqfJUK8Ik=",
+        "lastModified": 1766630657,
+        "narHash": "sha256-wW15buPGU29v0XuAmDkc30+d5j4Tmg/V8AkpHH+hDWY=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "a18efe8a9112175e43397cf870fb6bc1ca480548",
+        "rev": "3bf67c5e473f29ca79ff15904f3072d87cf6d087",
        "type": "github"
      },
      "original": {
--- a/systems/palatine-hill/docker/arr.nix
+++ b/systems/palatine-hill/docker/arr.nix
@@ -11,7 +11,7 @@ let
      ctype = lib.strings.toUpper container_type;
    in
    {
-      "${ctype}__POSTGRES__HOST" = "/var/run/postgresql";
+      "${ctype}__POSTGRES__HOST" = "host.docker.internal";
      "${ctype}__POSTGRES__PORT" = toString config.services.postgresql.settings.port;
    };
 in
@@ -54,7 +54,7 @@ in
        PUID = "600";
        PGID = "100";
        TZ = "America/New_York";
-        POSTGRES_HOST = "/var/run/postgresql";
+        POSTGRES_HOST = "host.docker.internal";
        POSTGRES_PORT = toString config.services.postgresql.settings.port;
      };
      environmentFiles = [
@@ -63,10 +63,10 @@ in
      volumes = [
        "${vars.primary_docker}/bazarr:/config"
        "${vars.primary_plex_storage}/data:/data"
-        "/var/run/postgresql:/var/run/postgresql"
      ];
      extraOptions = [
        "--network=arrnet"
+        "--add-host=host.docker.internal:host-gateway"
      ];
      autoStart = true;
    };
@@ -86,12 +86,10 @@ in
      ];
      extraOptions = [
        "--network=arrnet"
-      ];
-      volumes = [
-        "${vars.primary_docker}/prowlarr:/config"

-        "/var/run/postgresql:/var/run/postgresql"
+        "--add-host=host.docker.internal:host-gateway"
      ];
+      volumes = [ "${vars.primary_docker}/prowlarr:/config" ];
      autoStart = true;
    };
    radarr = {
@@ -111,10 +109,10 @@ in
      volumes = [
        "${vars.primary_docker}/radarr:/config"
        "${vars.primary_plex_storage}/data:/data"
-        "/var/run/postgresql:/var/run/postgresql"
      ];
      extraOptions = [
        "--network=arrnet"
+        "--add-host=host.docker.internal:host-gateway"
      ];
      autoStart = true;
    };
@@ -135,10 +133,10 @@ in
      volumes = [
        "${vars.primary_docker}/sonarr:/config"
        "${vars.primary_plex_storage}/data:/data"
-        "/var/run/postgresql:/var/run/postgresql"
      ];
      extraOptions = [
        "--network=arrnet"
+        "--add-host=host.docker.internal:host-gateway"
      ];
      autoStart = true;
    };
@@ -159,10 +157,11 @@ in
      volumes = [
        "${vars.primary_docker}/lidarr:/config"
        "${vars.primary_plex_storage}/data:/data"
-        "/var/run/postgresql:/var/run/postgresql"
      ];
      extraOptions = [
        "--network=arrnet"
+        "--add-host=host.docker.internal:host-gateway"
+
      ];
      autoStart = true;
    };
@@ -177,7 +176,6 @@ in
      volumes = [
        "${vars.primary_docker}/unpackerr:/config"
        "${vars.primary_plex_storage}:/data"
-        "/var/run/postgresql:/var/run/postgresql"
      ];
      extraOptions = [ "--network=arrnet" ];
      autoStart = true;
@@ -195,7 +193,6 @@ in
      volumes = [
        "${vars.primary_docker}/notifiarr:/config"
        "${vars.primary_plex_storage}:/data"
-        "/var/run/postgresql:/var/run/postgresql"
      ];
      extraOptions = [ "--network=arrnet" ];
      autoStart = true;
@@ -209,20 +206,18 @@ in
        PGID = "100";
        TZ = "America/New_York";
        DB_TYPE = "postgres";
-        DB_HOST = "/var/run/postgresql";
+        DB_HOST = "host.docker.internal";
        DB_PORT = toString config.services.postgresql.settings.port;
      };
      environmentFiles = [
        config.sops.secrets."docker/jellyseerr".path
      ];
-      volumes = [
-        "${vars.primary_docker}/overseerr:/config"
-        "/var/run/postgresql:/var/run/postgresql"
-      ];
+      volumes = [ "${vars.primary_docker}/overseerr:/config" ];
      # TODO: remove ports later since this is going through web
      extraOptions = [
        "--network=arrnet"
        "--network=haproxy-net"
+        "--add-host=host.docker.internal:host-gateway"
        # "--health-cmd \"wget --no-verbose --tries 1 --spider http://localhost:5055/api/v1/status || exit 1\""
        # "--health-start-period 20s"
        # "--health-timeout 3s"
@@ -240,34 +235,13 @@ in

  sops = {
    secrets = {
-      "docker/notifiarr" = {
-        owner = "docker-service";
-        restartUnits = [ "docker-notifiarr.service" ];
-      };
-      "docker/bazarr" = {
-        owner = "docker-service";
-        restartUnits = [ "docker-bazarr.service" ];
-      };
-      "docker/prowlarr" = {
-        owner = "docker-service";
-        restartUnits = [ "docker-prowlarr.service" ];
-      };
-      "docker/radarr" = {
-        owner = "docker-service";
-        restartUnits = [ "docker-radarr.service" ];
-      };
-      "docker/sonarr" = {
-        owner = "docker-service";
-        restartUnits = [ "docker-sonarr.service" ];
-      };
-      "docker/lidarr" = {
-        owner = "docker-service";
-        restartUnits = [ "docker-lidarr.service" ];
-      };
-      "docker/jellyseerr" = {
-        owner = "docker-service";
-        restartUnits = [ "docker-jellyseerr.service" ];
-      };
+      "docker/notifiarr".owner = "docker-service";
+      "docker/bazarr".owner = "docker-service";
+      "docker/prowlarr".owner = "docker-service";
+      "docker/radarr".owner = "docker-service";
+      "docker/sonarr".owner = "docker-service";
+      "docker/lidarr".owner = "docker-service";
+      "docker/jellyseerr".owner = "docker-service";
    };
  };
 }
--- a/systems/palatine-hill/firewall.nix
+++ b/systems/palatine-hill/firewall.nix
@@ -1,51 +1,41 @@
 { ... }:

 {
-  networking.firewall = {
+  networking.firewall.allowedTCPPorts = [
+    # qbit
+    8081
+    8082
+    8443

-    extraCommands = "
-      iptables -I nixos-fw 1 -i br+ -j ACCEPT
-    ";
+    # hydra
+    3000

-    extraStopCommands = "
-      iptables -D nixos-fw -i br+ -j ACCEPT
-    ";
+    # minio
+    8500
+    8501

-    trustedInterfaces = [ "br+" ];
+    # gitea
+    2222
+    2223
+    8088

-    allowedTCPPorts = [
-      # qbit
-      8081
-      8082
-      8443
+    # attic
+    8183

-      # hydra
-      3000
+    # collabora
+    9980

-      # minio
-      8500
-      8501
+    # arr
+    6767
+    9696
+    7878
+    8989
+    8686
+    8787
+    5055

-      # gitea
-      2222
-      2223
-      8088
+    # temp postgres
+    5432
+  ];

-      # attic
-      8183
-
-      # collabora
-      9980
-
-      # arr
-      6767
-      9696
-      7878
-      8989
-      8686
-      8787
-      5055
-    ];
-
-  };
 }
--- a/systems/palatine-hill/postgresql.nix
+++ b/systems/palatine-hill/postgresql.nix
@@ -29,12 +29,6 @@ in
           # Let other names login as themselves
           superuser_map      /^(.*)$   \1
      '';
-      authentication = ''
-        local  bazarr  bazarr  scram-sha-256
-        local  /.*arr-main  /.*arr  scram-sha-256
-        local  /.*arr-log  /.*arr  scram-sha-256
-        local  jellyseerr  jellyseerr  scram-sha-256
-      '';

      # initialScript = config.sops.secrets."postgres/init".path;
      ensureDatabases = [
--- a/systems/palatine-hill/secrets.yaml
+++ b/systems/palatine-hill/secrets.yaml
@@ -27,11 +27,11 @@ docker:
    protonvpn-start-script: ENC[AES256_GCM,data:ZnlDpCLdILHXSUCI6itWkqO4y75Lwjj7qT1DBkfueLneQOaQ0JhuE2FbOOajkmI046nP9fMrJbu3g4QZHsq1g8yqGU1wb0OOT+eS9+M92Md29B4NnUdwnVAO6/RzvRKXP2tsQ4iprx9An+BEFwZYD6WG6DQc6NjJVSgRcYvfH9rQey2VdwLysNsgFCs8eC6QgikqBpeg4eOIvDDNbdXPKkW+ZPph9xpzGkcFIMwlX5esg0n7qyUoMvWwBn4avC46U5erOw0fNajY60ri9sm5Afht6LZrFal71Hx/K9/5EXBp9dD4teLO2Ew0CQX0i94pKCuR207l9868s7Ao3udLp4wbiLnXoRKq+w==,iv:qR0kNYpb50NXEqSksvHBPAaRG51RKCsSwTq32nosxzo=,tag:+xRQyuWi4Ja/N9lcd11oJA==,type:str]
    notifiarr: ENC[AES256_GCM,data:XxVEhp4Rei6mRcdSSooRnofuVNZDalVhDYiVUmvQUr8QihrVRMKRE9Kpl5PGWUBw,iv:urMLaUf3XUjMks2vk0E7iRUU3mLHBiMAiwtQgmWQq20=,tag:dHdTOyC/ukd71UlYEI5fWw==,type:str]
    bazarr: ENC[AES256_GCM,data:x+JdRCl3x3OM3lWmgcWikJSEnh5c5He5HmuLzCGAQ8zUXMi2Z3Kf6LzL+aoqtCBu3rabYZmQSLBoDm9CPkk=,iv:7e+3w46RUD2/OSlwrEe7BRxUqPPdt5+obIjQA8pr3xY=,tag:rHSijp/tcf/SGp5y4kJ0cw==,type:str]
-    prowlarr: ENC[AES256_GCM,data:hr3hYwRw0+/UD8anqZQjGy7rPkV2pad4Xi5FdXSf3Ftd1/jwlYfMqhqgEngFX30LLMWvJvjeu1TkTNzSEwI6ZCPdefNVYYwWavtm+XcBVxffGvFZ,iv:EXW48288IcCeGs/vP4tkAI4dxQAOh92Na43q/9cyuSc=,tag:pnYR26MDd82DjeUPdwCoUw==,type:str]
-    radarr: ENC[AES256_GCM,data:qCfoeEHb0ng5GhaY3QZiFvLVb25ZHNmgT0bRqEjBcelyP2819zCL7LxUPr08FxivEYZiAMFVleRozL8NMg6O5fh+2BatcYOfyh99zxIC,iv:HV3gTTnrjtab7x4Be+7hSe+nrD6BnPAmZBsHzi9Fujg=,tag:O6x0FDlasuJSRrGL/9SwpQ==,type:str]
-    sonarr: ENC[AES256_GCM,data:X/hM31ZyHybvy2eQzVnmq8CH1AqBgz1pxq7tKC4lZB3ryAbnEIJksffem8+35tWt/0r5cEH4aaIKD1kS7Q+Ma+8JrRLcWkt6CZq/wspz,iv:44FfdVpQCposXshzNe5DXAxExeQzjVKhkZaVbgKo8KU=,tag:WIWWUt1XBngUTwwqhCrcNw==,type:str]
-    lidarr: ENC[AES256_GCM,data:xERBECneutNUMZRrHukp8CaNrpI7SXUB16zUkauNP2+wto3eIc/K+2nMCkbwSC9AKlSjnUGSiORmAWn/jofTAuEzQljkCR1XCSkJRMmL,iv:iKf4fZtCfdjT/KuMFK5VFoLAV+Lll8uJowe9Q4cHyYw=,tag:xzmATTkrYRYm9Mw23zEO5g==,type:str]
-    jellyseerr: ENC[AES256_GCM,data:7dDfHFp8+WbJqrf7Ms/gmfroBePwegXh5CXn5FcOz8IEK7rTvr9KZfz9x/1BwdD8,iv:ZPi3OcMfH76A08piKY4P7hFbeMyouwBoeN5oL3ExzKU=,tag:oOZ37dy/y+DFqNRfAHexvQ==,type:str]
+    prowlarr: ENC[AES256_GCM,data:AyOaj1nYCxeycBgp5sfNKz3A158FuXVg0DCoLrOE9YnUIAjo+5PW9HMdpCEiK0OfgoMPcUZNZowLYYY0goxwC+4+tB87TnBz2YpXTX8L7YO2JA+g7hA=,iv:IaZxKl5ypdIQ4f4SAHQtaUC20lbYL1b7mptu/FVB6k4=,tag:A9eQI9gG7wkSEPt6Mdg3Zw==,type:str]
+    radarr: ENC[AES256_GCM,data:vqjqRsDjFm30yMrzWsWC6prYSEUQ+4v0hlDqJ6FS39hNFaGtGAsulUWv9MAJ11xI9CLsjjQUtpQ5KlRkYlHo5FnzeXCpK05ewkhYyqa7NKE=,iv:sKdxA5AtxpFpuiUYpz3NW2Fjc+ZKFmiJqibdQ3P6pVg=,tag:tDlJpApk4g6SYFzyn8Z/HA==,type:str]
+    sonarr: ENC[AES256_GCM,data:IooG9LDXpdbQcknriSdowPwNv++yfj54mko49rtm4B8IVEV30B5o8iZhGXmSgpLsH9QtP/PmkuczjiiwlPI2QM5iRxpjUz2456a1hi61/uY=,iv:/PagjmFtJgkYKFPmZD5qI8DzdiuUIX8m0lapdZBXUus=,tag:Ppew0fepqgnhvTorwalhEw==,type:str]
+    lidarr: ENC[AES256_GCM,data:9YtVafa4/SQ78+DJ52emGyLHCWpJpnhc+2DwGBQ0uhFiee7ZRFy+O0kHPPyNly8sgP9UOZt+53D4sAv9S8hOCnJTAbHiNnzTbjQmZtnvgnc=,iv:dlF5wtcphEhg5jxb8YSIF9/2Vj1KY10Vza/OGK1jXRM=,tag:8qmdQjRv30VqRReOzr6UEA==,type:str]
+    jellyseerr: ENC[AES256_GCM,data:eKZo7Yw6j0qeyHidHu3R+2yZrHOMlM/O2VTY0CF/AUzm21LNO5UDItORoBCJfPvpnbA=,iv:jVJ77jXNwCEPRWKgKP8E7SrxdS0RFa486nq6cMkqvMc=,tag:Bndao3nx18nmJ1yaXLmWIg==,type:str]
 acme:
    bunny: ENC[AES256_GCM,data:P2yROVUga9mORcq8VR/l0i4/2Vod1zvlYq+ZJLLNKow0SpblkwQX/i1ucQYAOkTTRddN+3C+t0zj1rMWkdLoaLjEUJJi3VsSxi+chV2FFiVKFQGEcg24,iv:aQvGgGLsgRGoEmwTgZHR8Jm/MYxmGtVTT/fZKaTLeMs=,tag:m3ssF4O8qs4yxvMu6yUcjw==,type:str]
    dnsimple: ENC[AES256_GCM,data:37FKyBibFtXZgI4EduJQ0z8F+shBc5Q6YlLa3YkVPh9XuJVS20eybi75bfJxiozcZ9d+YRaqcbkBQCSdFOCotDU=,iv:oq3JjqbfAm2C4jcL1lvUb2EOmnwlR07vPoO8H0BmydQ=,tag:E3NO/jMElL6Q817666gIyg==,type:str]
@@ -50,8 +50,8 @@ sops:
            cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At
            LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-25T17:45:31Z"
-    mac: ENC[AES256_GCM,data:lVRqQWnO1RvmoW13/xCpP2SvibccRWwmr1Gyj6EgrE+V+Iu1bfnZRkTkHiFIQqQLQgCy2qBiSHeZF/dNERe83eEwpXgRQAduarpE/qL8K1mxcwf5HMMYACjlNfsL/I1/TCJrJ7DZBxI4neRLetc5OpScVXqHj1neOodD/g8n+ls=,iv:+gZpo0I2NVYz24o42mUW/OkfONqNSjgaJeKeFdKx7dg=,tag:EJnpiotQuBKth21mdhvjZQ==,type:str]
+    lastmodified: "2025-12-24T03:17:22Z"
+    mac: ENC[AES256_GCM,data:TreH0Z2S91ZyMreMSv0AIFJs1lrOCqTrsKHY2MrU0O+wdJlCdn4ggVGlS9L+oGpZ8fXoUcLdMvc0M3wCFZauM86SVMW+BDiPp93P6JLX8mDlLJPE1tfsw6ueaeKZJIhlbnlLSWHjNBrkybuT11HxXAjJIHav1Jf0S42lIMhq1Tc=,iv:ajcZxYvsMGmauj37MIJjWvzqlLAeqBiPbuqof2suTPU=,tag:7vQ4LnoHTrdUxnmhRgUANA==,type:str]
    pgp:
        - created_at: "2024-11-28T18:56:39Z"
          enc: |-