The jellyfin-webhook-install oneshot has 'wantedBy = jellyfin.service',
which only runs it when jellyfin (re)starts. On first rollout to a host
where jellyfin is already running, the unit gets added but never fires,
leaving the Webhook plugin files absent -- jellyfin-webhook-configure
then gets 404 from /Plugins/$GUID/Configuration and deploy-rs rolls back.
Pinning jellyfin.restartTriggers to the plugin package + install script
forces a restart whenever either derivation changes, which pulls install
in via the existing before/wantedBy chain.
Build and Deploy / deploy (push) Successful in 1m47s
Prowlarr runs in the wg VPN namespace; Sonarr/Radarr run in the host
namespace. Configuring the Prowlarr sync with prowlarrUrl=localhost:9696
made Sonarr/Radarr try to connect to their own localhost, where
Prowlarr does not exist — the host netns. Every indexer sync emitted
'Prowlarr URL is invalid' with Connection refused (localhost:9696).
Use vpnNamespaces.wg.namespaceAddress (192.168.15.1) so host-netns
clients hit the wg-side veth where Prowlarr is listening.
Also re-enables healthChecks on prowlarr-init: the /applications/testall
endpoint now validates clean (manually verified via API).
Build and Deploy / deploy (push) Successful in 2m43s
Pin <Port>, <BindAddress>, and <EnableSsl> in each arr service's
config.xml through arr-init's new configXml option. A preStart hook
ensures these elements exist before the service reads its config,
fixing the recurring Prowlarr bug where <Port> was absent from
config.xml and the service would run without binding any socket.
Updates arr-init lock to 6dde2a3.
Build and Deploy / deploy (push) Successful in 2m59s
Disable health checks on Prowlarr -- the synced-app testall endpoint
requires Sonarr/Radarr to reverse-connect to prowlarrUrl, which is
unreachable across the wg namespace boundary.
Also add networkNamespaceService = "wg" for the new configurable
namespace service dependency (replaces old hardcoded wg.service).
Build and Deploy / deploy (push) Successful in 2m42s
Grafana 12 expects Prometheus annotation queries wrapped in a 'target'
object with datasource, expr, refId, and range fields. The previous
format had expr/step as top-level fields which Grafana silently ignored.
Build and Deploy / deploy (push) Failing after 31m3s
Build Caddy with the caddy-dns/njalla plugin to enable DNS-01 ACME
challenges. This issues a single wildcard certificate for
*.sigkill.computer instead of per-subdomain certificates, reducing
Let's Encrypt API calls and certificate management overhead.
Add ddns-updater service (nixpkgs services.ddns-updater) configured
with Njalla provider to automatically update DNS records when the
server's public IP changes.
The custom disk-usage-collector shell script + minutely timer is replaced
by prometheus-zfs-exporter (pdf/zfs_exporter, packaged in nixpkgs as
services.prometheus.exporters.zfs). The exporter provides pool capacity
metrics (allocated/free/size) natively.
Partition metrics (/boot, /persistent, /nix) now use node_exporter's
built-in filesystem collector (node_filesystem_*_bytes) which already
runs and collects these metrics.
Also fixes a latent race condition in serviceMountWithZpool: the -mounts
service now orders after zfs-mount.service (which runs 'zfs mount -a'),
not just after pool import. Without this, the mount check could run
before datasets are actually mounted.
