
3 Commits

Author SHA1 Message Date
primary
edecc30423 archive: repo moved to titaniumtown/nixos 2026-04-18 01:42:08 -04:00
primary
96a0162b4e age-secrets: add git-crypt-key-nixos (pre-unify cutover)
Additive. The new unified nixos repo (projects/nixos/) uses a fresh git-crypt
key so we can retire the two per-repo keys later. Deploying this change alone
makes /run/agenix/git-crypt-key-nixos available on muffin; the nixos CI's
git-crypt unlock step can then succeed once the new repo lands on Gitea.
2026-04-18 01:19:17 -04:00
4bc5d57fa6 jellyfin: restartTriggers on webhook plugin so install runs at activation
The jellyfin-webhook-install oneshot has 'wantedBy = jellyfin.service',
which only runs it when jellyfin (re)starts. On first rollout to a host
where jellyfin is already running, the unit gets added but never fires,
leaving the Webhook plugin files absent -- jellyfin-webhook-configure
then gets 404 from /Plugins/$GUID/Configuration and deploy-rs rolls back.

Pinning jellyfin.restartTriggers to the plugin package + install script
forces a restart whenever either derivation changes, which pulls install
in via the existing before/wantedBy chain.
2026-04-17 22:08:29 -04:00
4 changed files with 23 additions and 1 deletions

0
README.md Normal file

@@ -168,6 +168,15 @@
group = "gitea-runner"; group = "gitea-runner";
}; };
# Git-crypt symmetric key for the new unified nixos repo (Phase 5 of the unify migration).
# Added additively here so muffin can decrypt nixos's secrets once Phase 6 cuts CI over.
git-crypt-key-nixos = {
file = ../secrets/git-crypt-key-nixos.age;
mode = "0400";
owner = "gitea-runner";
group = "gitea-runner";
};
# Gitea Actions runner registration token # Gitea Actions runner registration token
gitea-runner-token = { gitea-runner-token = {
file = ../secrets/gitea-runner-token.age; file = ../secrets/gitea-runner-token.age;
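Review bot: The new `git-crypt-key-nixos` entry is owned by `gitea-runner` with mode `0400`, so any process running as that user can read the decrypted key, and the comment above it does not say so. If Actions jobs on this host execute as `gitea-runner` (not visible in this hunk), every workflow scheduled onto the runner could read the key and unlock all git-crypt-protected files in the new repo. I would add a line such as `# Readable by any job running as gitea-runner; keep this runner limited to trusted repos and workflows.` The comment also cites "Phase 5" and "Phase 6" of a plan that is not in the file, so a pointer to that plan and a reminder to remove the two older per-repo keys after cutover would keep it from going stale. The enclosing attribute set starts and ends outside the hunk.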

Binary file not shown.


@@ -13,7 +13,13 @@ in
lib.mkIf config.services.jellyfin.enable { lib.mkIf config.services.jellyfin.enable {
# Materialise the Jellyfin Webhook plugin into Jellyfin's plugins dir before # Materialise the Jellyfin Webhook plugin into Jellyfin's plugins dir before
# Jellyfin starts. Jellyfin rewrites meta.json at runtime, so a read-only # Jellyfin starts. Jellyfin rewrites meta.json at runtime, so a read-only
# nix-store symlink would EACCES we copy instead. # nix-store symlink would EACCES -- we copy instead.
#
# `wantedBy = [ "jellyfin.service" ]` alone is insufficient on initial rollout:
# if jellyfin is already running at activation time, systemd won't start the
# oneshot until the next jellyfin restart. `restartTriggers` on jellyfin pinned
# to the plugin package + install script forces that restart whenever either
# changes, which invokes this unit via the `before`/`wantedBy` chain.
systemd.services.jellyfin-webhook-install = { systemd.services.jellyfin-webhook-install = {
before = [ "jellyfin.service" ]; before = [ "jellyfin.service" ];
wantedBy = [ "jellyfin.service" ]; wantedBy = [ "jellyfin.service" ];
@@ -28,6 +34,13 @@ lib.mkIf config.services.jellyfin.enable {
}; };
}; };
systemd.services.jellyfin.restartTriggers = [
webhookPlugin.package
(webhookPlugin.mkInstallScript {
pluginsDir = "${config.services.jellyfin.dataDir}/plugins";
})
];
# After Jellyfin starts, POST the plugin configuration so the webhook # After Jellyfin starts, POST the plugin configuration so the webhook
# targets the monitor's receiver. Idempotent; runs on every boot. # targets the monitor's receiver. Idempotent; runs on every boot.
systemd.services.jellyfin-webhook-configure = { systemd.services.jellyfin-webhook-configure = {
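Review bot: The `restartTriggers` list in the second hunk builds the install script with its own `webhookPlugin.mkInstallScript { pluginsDir = ...; }` call instead of referring to the script that `jellyfin-webhook-install` actually runs. That unit's body is outside the hunk, so I am assuming it makes the same call; if the two argument sets ever diverge, the trigger would track a different derivation and a changed install script would no longer restart Jellyfin. Binding it once in the existing `let`, e.g. `installScript = webhookPlugin.mkInstallScript { pluginsDir = "${config.services.jellyfin.dataDir}/plugins"; };`, and using `installScript` in both places removes that risk. It would also help to state in the new comment that a plugin update now restarts Jellyfin during activation, since that interrupts running sessions.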