added unpackerr and pushover scripts

nixos/hosts/shadowfax/config/sops-secrets.nix

@@ -84,7 +84,13 @@
       mode = "400";
       restartUnits = [ "sonarr.service" ];
     };
-    # # Radarr
+    "arr/sonarr/extraEnvVars" = {
+      sopsFile = ../secrets.sops.yaml;
+      owner = "sonarr";
+      mode = "400";
+      restartUnits = [ "sonarr.service" ];
+    };
+    # Radarr
     "arr/radarr/apiKey" = {
       sopsFile = ../secrets.sops.yaml;
       owner = "radarr";
@@ -115,5 +121,18 @@
       mode = "400";
       restartUnits = [ "radarr.service" ];
     };
+    "arr/radarr/extraEnvVars" = {
+      sopsFile = ../secrets.sops.yaml;
+      owner = "radarr";
+      mode = "400";
+      restartUnits = [ "radarr.service" ];
+    };
+    # Unpackerr
+    "arr/unpackerr/extraEnvVars" = {
+      sopsFile = ../secrets.sops.yaml;
+      owner = "unpackerr";
+      mode = "400";
+      restartUnits = [ "unpackerr.service" ];
+    };
   };
 }

nixos/hosts/shadowfax/default.nix

@@ -4,28 +4,55 @@
   inputs,
   pkgs,
   ...
-}:
+}: let
-let
+  sanoidConfig = import ./config/sanoid.nix {};
-  sanoidConfig = import ./config/sanoid.nix { };
   disks = import ./config/disks.nix;
-  smartdDevices = map (device: { inherit device; }) disks;
+  smartdDevices = map (device: {inherit device;}) disks;
-in
+  pushoverNotify = pkgs.writeShellApplication {
-{
+    name = "pushover-notify";
+
+    runtimeInputs = with pkgs; [
+      curl
+      jo
+      jq
+    ];
+
+    excludeShellChecks = ["SC2154"];
+
+    text = ''
+      ${builtins.readFile ./scripts/pushover-notify.sh}
+    '';
+  };
+  refreshSeries = pkgs.writeShellApplication {
+    name = "refresh-series";
+
+    runtimeInputs = with pkgs; [
+      curl
+      jq
+    ];
+
+    excludeShellChecks = ["SC2154"];
+
+    text = ''
+      ${builtins.readFile ./scripts/refresh-series.sh}
+    '';
+  };
+in {
   imports = [
     inputs.disko.nixosModules.disko
     (import ../../profiles/disko-nixos.nix {
-      disks = [ "/dev/sda|/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNM0W406409E" ];
+      disks = ["/dev/sda|/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNM0W406409E"];
     })
     inputs.nix-minecraft.nixosModules.minecraft-servers
   ];
 
   boot = {
     initrd = {
-      kernelModules = [ "nfs" ];
+      kernelModules = ["nfs"];
-      supportedFilesystems = [ "nfs" ];
+      supportedFilesystems = ["nfs"];
     };
 
-    binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for arm compilation
+    binfmt.emulatedSystems = ["aarch64-linux"]; # Enabled for arm compilation
 
     kernelModules = [
       "vfio"
@@ -33,11 +60,11 @@ in
       "vfio_pci"
       "vfio_virqfd"
     ];
-    extraModulePackages = [ ];
+    extraModulePackages = [];
-    kernelParams = [ "zfs.zfs_arc_max=107374182400" ]; # 100GB
+    kernelParams = ["zfs.zfs_arc_max=107374182400"]; # 100GB
   };
 
-  swapDevices = [ ];
+  swapDevices = [];
 
   hardware = {
     cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
@@ -47,7 +74,7 @@ in
     nvidia-container-toolkit.enable = true;
   };
 
-  users.users.root.openssh.authorizedKeys.keys = [ ];
+  users.users.root.openssh.authorizedKeys.keys = [];
   # Network settings
   networking = {
     hostName = "shadowfax";
@@ -72,6 +99,7 @@ in
     };
   };
 
+  # System packages
   environment.systemPackages = with pkgs; [
     libva-utils # to view graphics capabilities
     greetd.tuigreet
@@ -87,7 +115,11 @@ in
     wlogout
     # fun
     fastfetch
+    # Scripts
+    pushoverNotify
+    refreshSeries
   ];
+
   programs = {
     # 1Password cli
     _1password.enable = true;
@@ -135,7 +167,7 @@ in
     # Minio
     minio = {
       enable = true;
-      dataDir = [ "/eru/minio" ];
+      dataDir = ["/eru/minio"];
       rootCredentialsFile = config.sops.secrets."minio".path;
     };
 
@@ -162,7 +194,7 @@ in
     # Soft Serve - SSH git server
     soft-serve = {
       enable = true;
-      settings = import ./config/soft-serve.nix { };
+      settings = import ./config/soft-serve.nix {};
     };
 
     sunshine = {
@@ -182,7 +214,7 @@ in
     # VSCode Compatibility Settings
     vscode-server.enable = true;
 
-    xserver.videoDrivers = [ "nvidia" ];
+    xserver.videoDrivers = ["nvidia"];
     greetd = {
       enable = true;
       vt = 3;
@@ -196,7 +228,7 @@ in
   };
 
   # sops
-  sops = import ./config/sops-secrets.nix { };
+  sops = import ./config/sops-secrets.nix {};
 
   # System settings and services.
   mySystem = {
@@ -237,6 +269,7 @@ in
         enable = true;
         package = pkgs.unstable.radarr;
         dataDir = "/nahar/radarr";
+        extraEnvVarFile = config.sops.secrets."arr/radarr/extraEnvVars".path;
         moviesDir = "/moria/media/Movies";
         user = "radarr";
         group = "kah";
@@ -257,12 +290,13 @@ in
         enable = true;
         package = pkgs.unstable.sonarr;
         dataDir = "/nahar/sonarr";
+        extraEnvVarFile = config.sops.secrets."arr/sonarr/extraEnvVars".path;
         tvDir = "/moria/media/TV";
         user = "sonarr";
         group = "kah";
         port = 8989;
         openFirewall = true;
-        hardening = true;
+        hardening = false;
         apiKeyFile = config.sops.secrets."arr/sonarr/apiKey".path;
         db = {
           enable = true;
@@ -278,12 +312,22 @@ in
         package = pkgs.unstable.sabnzbd;
         configFile = "/nahar/sabnzbd/sabnzbd.ini";
         port = 8457;
+        user = "sabnzbd";
+        group = "kah";
         # Security hardening.
         dataDir = "/nahar/sabnzbd";
         downloadsDir = "/eru/media/sabnzbd";
         hardening = true;
         openFirewall = true;
       };
+      unpackerr = {
+        enable = true;
+        package = pkgs.unstable.unpackerr;
+        configFile = "/tmp/unpackerr/config.yaml";
+        extraEnvVarsFile = config.sops.secrets."arr/unpackerr/extraEnvVars".path;
+        user = "unpackerr";
+        group = "kah";
+      };
       # Sanoid
       sanoid = {
         enable = true;
@@ -310,7 +354,9 @@ in
       # qBittorrent
       qbittorrent = {
         enable = true;
-        package = pkgs.unstable.qbittorrent.override { guiSupport = false; };
+        package = pkgs.unstable.qbittorrent.override {guiSupport = false;};
+        user = "qbittorrent";
+        group = "kah";
         dataDir = "/nahar/qbittorrent";
         downloadsDir = "/eru/media/qb/downloads";
         webuiPort = 8456;
@@ -331,9 +377,9 @@ in
     system = {
       incus = {
         enable = true;
-        preseed = import ./config/incus-preseed.nix { };
+        preseed = import ./config/incus-preseed.nix {};
       };
-      motd.networkInterfaces = [ "bond0" ];
+      motd.networkInterfaces = ["bond0"];
       nfs.enable = true;
       zfs.enable = true;
       zfs.mountPoolsAtBoot = [

nixos/hosts/shadowfax/scripts/pushover-notify.sh

@@ -0,0 +1,89 @@
+# shellcheck disable=SC2154,2148
+
+# User defined variables for pushover
+PUSHOVER_USER_KEY="${PUSHOVER_USER_KEY:-required}"
+PUSHOVER_TOKEN="${PUSHOVER_TOKEN:-required}"
+PUSHOVER_PRIORITY="${PUSHOVER_PRIORITY:-"-2"}"
+PUSHOVER_TITLE="${sonarr_eventtype} - Title unset"
+PUSHOVER_MESSAGE="${sonarr_eventtype} - Message unset"
+PUSHOVER_URL="${sonarr_eventtype} - url unset"
+PUSHOVER_URL_TITLE="${sonarr_eventtype} - url title unset"
+
+if [[ "${sonarr_eventtype:-}" == "Test" ]]; then
+  PUSHOVER_PRIORITY="1"
+  printf -v PUSHOVER_TITLE \
+    "Test Notification"
+  printf -v PUSHOVER_MESSAGE \
+    "Howdy this is a test notification from %s" \
+    "${sonarr_instancename:-Sonarr}"
+  printf -v PUSHOVER_URL \
+    "%s" \
+    "${sonarr_applicationurl:-localhost}"
+  printf -v PUSHOVER_URL_TITLE \
+    "Open %s" \
+    "${sonarr_instancename:-Sonarr}"
+fi
+
+if [[ "${sonarr_eventtype:-}" == "Download" ]]; then
+  printf -v PUSHOVER_TITLE \
+    "Episode %s" \
+    "$([[ "${sonarr_isupgrade}" == "True" ]] && echo "Upgraded" || echo "Downloaded")"
+  printf -v PUSHOVER_MESSAGE \
+    "<b>%s (S%02dE%02d)</b><small>\n%s</small><small>\n\n<b>Quality:</b> %s</small><small>\n<b>Client:</b> %s</small>" \
+    "${sonarr_series_title}" \
+    "${sonarr_episodefile_seasonnumber}" \
+    "${sonarr_episodefile_episodenumbers}" \
+    "${sonarr_episodefile_episodetitles}" \
+    "${sonarr_episodefile_quality:-Unknown}" \
+    "${sonarr_download_client:-Unknown}"
+  printf -v PUSHOVER_URL \
+    "%s/series/%s" \
+    "${sonarr_applicationurl:-localhost}" \
+    "${sonarr_series_titleslug}"
+  printf -v PUSHOVER_URL_TITLE \
+    "View series in %s" \
+    "${sonarr_instancename:-Sonarr}"
+fi
+
+if [[ "${sonarr_eventtype:-}" == "ManualInteractionRequired" ]]; then
+  PUSHOVER_PRIORITY="1"
+  printf -v PUSHOVER_TITLE \
+    "Episode import requires intervention"
+  printf -v PUSHOVER_MESSAGE \
+    "<b>%s</b><small>\n<b>Client:</b> %s</small>" \
+    "${sonarr_series_title}" \
+    "${sonarr_download_client:-Unknown}"
+  printf -v PUSHOVER_URL \
+    "%s/activity/queue" \
+    "${sonarr_applicationurl:-localhost}"
+  printf -v PUSHOVER_URL_TITLE \
+    "View queue in %s" \
+    "${sonarr_instancename:-Sonarr}"
+fi
+
+json_data=$(
+  jo \
+    token="${PUSHOVER_TOKEN}" \
+    user="${PUSHOVER_USER_KEY}" \
+    title="${PUSHOVER_TITLE}" \
+    message="${PUSHOVER_MESSAGE}" \
+    url="${PUSHOVER_URL}" \
+    url_title="${PUSHOVER_URL_TITLE}" \
+    priority="${PUSHOVER_PRIORITY}" \
+    html="1"
+)
+
+status_code=$(
+  curl \
+    --silent \
+    --write-out "%{http_code}" \
+    --output /dev/null \
+    --request POST \
+    --header "Content-Type: application/json" \
+    --data-binary "${json_data}" \
+    "https://api.pushover.net/1/messages.json"
+)
+
+printf "pushover notification returned with HTTP status code %s and payload: %s\n" \
+  "${status_code}" \
+  "$(echo "${json_data}" | jq --compact-output)" >&2

nixos/hosts/shadowfax/scripts/refresh-series.sh

@@ -0,0 +1,19 @@
+# shellcheck disable=SC2154,2148
+
+CURL_CMD=(curl -fsSL --header "X-Api-Key: ${SONARR__AUTH__APIKEY:-}")
+SONARR_API_URL="http://localhost:${SONARR__SERVER__PORT:-}/api/v3"
+
+if [[ "${sonarr_eventtype:-}" == "Grab" ]]; then
+  tba=$("${CURL_CMD[@]}" "${SONARR_API_URL}/episode?seriesId=${sonarr_series_id:-}" | jq --raw-output '
+        [.[] | select((.title == "TBA") or (.title == "TBD"))] | length
+    ')
+
+  if ((tba > 0)); then
+    echo "INFO: Refreshing series ${sonarr_series_id:-} due to TBA/TBD episodes found"
+    "${CURL_CMD[@]}" \
+      --request POST \
+      --header "Content-Type: application/json" \
+      --data-binary '{"name": "RefreshSeries", "seriesId": '"${sonarr_series_id:-}"'}' \
+      "${SONARR_API_URL}/command" &>/dev/null
+  fi
+fi

nixos/hosts/shadowfax/secrets.sops.yaml

@@ -9,6 +9,8 @@ minio: ENC[AES256_GCM,data:IJTwUJOC84a5n798fTDlwRzVc8p5zRiccjdoNTPCNlls0RAyGllij
 postgres:
     host: ENC[AES256_GCM,data:fd0SCRhtJWA=,iv:KNSZ2iaCum+0AlDlgrH5VAVj7D1RRJSSFGEw0eYi5+4=,tag:Gs5HHPN9SeDm+CIzD7GPXQ==,type:str]
     port: ENC[AES256_GCM,data:Z0fHNA==,iv:otbEsYxhJ6/YR+A5oRx3Dwrqk6T6BL9OGka5yu1H+HA=,tag:T+KW8DaRJ8NN7k1mIMn6QA==,type:int]
+pushover:
+    userKey: ENC[AES256_GCM,data:RYn9OCGaEgu/41kMolmqjYtr8FRmyEOvNStk+7Uz1A==,iv:L4pJJxGPhrmGSJdRDIP/OONibHvIP8KUdXwED29kTJ8=,tag:6TxYaUA6QA1NroBXhQHRlQ==,type:str]
 arr:
     prowlarr:
         apiKey: ENC[AES256_GCM,data:qxm2yp8ReuMgQ0155mKBAWickKusOaa/FeoIopj9l1Z3,iv:pAeDxK6CGap4fKU5xQ5hZR9It6/1uo27dKZBi5Bl3rc=,tag:HZl914AfFU4D5J7cDS3I1g==,type:str]
@@ -24,6 +26,7 @@ arr:
             dbName: ENC[AES256_GCM,data:Um9YpALoU7qQfTo=,iv:q0IVjaxyaG8MWAxp43kZjHIBm6dWv37maykSfhAxe1M=,tag:NLqIikfWculCeuoRqPHc8Q==,type:str]
             user: ENC[AES256_GCM,data:Vd68IvZs,iv:DYT3PudE94JZZTZHzV8QgRYADtThZhxTjFJByLcZP1c=,tag:pX1ZNC+M9Jm+PlQ22BZMRw==,type:str]
             password: ENC[AES256_GCM,data:XOrycMom2utnefraGPoAq7xtP6yfSzTb8g==,iv:WQInK+bJuDNI9uN/GeQ2Fb1Mmlux6+lXwkGS1ZEh+kQ=,tag:DGqLerxomCVfVv15Gt3b8A==,type:str]
+        extraEnvVars: ENC[AES256_GCM,data:KnZSJ2YbNLawSzrj7syx0cfAFseHbgjGvjpB7yWajXfCIy+CV800z9YU2SVO2kV6b+9OrmyKKFFbM5ac4cWnc5Pcx8TUxfiAuL5RSi6ZTmUrZUA7Zqx5UDTHwXgvhDI=,iv:TX8sFk7uc1TYG/gkuA9plGZlhP25WuczEXd+QKsPi4c=,tag:zhVeZxrTgcv+Y2OP8I+k5g==,type:str]
     radarr:
         apiKey: ENC[AES256_GCM,data:Qcfzr12aftnS+b3pDHHnfOya1+vlyVaoNCPLzJ9xv5Pv,iv:9M33sfqZPzeghxmBtYk3LgsfbInC7sPSQGuYFJiydh4=,tag:lSmi6Do64sarG15q6+yuQw==,type:str]
         postgres:
@@ -31,6 +34,9 @@ arr:
             dbName: ENC[AES256_GCM,data:zC4j0VJJpWWT0XY=,iv:ITupnWLgvI2wAPnkD826S77BMELDqRWZKax51SVkBgA=,tag:L7YXfoxAhi94ssBoE35Aug==,type:str]
             user: ENC[AES256_GCM,data:jaYUWAzQ,iv:ayEutHFPyZ7CN3inTqmgPmintR8qE8HfatvzCx7VXnA=,tag:3Ou0JRzpcihL0AWcC0pC5w==,type:str]
             password: ENC[AES256_GCM,data:XcS9H5L+ikA2KflepKrBHVlBjKwB0Vu8mw==,iv:lSpoEiCqOpP3p1T7bBH8F9YiSf2kwQQC+FQPuaKojnE=,tag:ScV/E6JeomQlfp35NIrh1g==,type:str]
+        extraEnvVars: ENC[AES256_GCM,data:hQlXQD4Zb3HnXfOZsX5PpxxyIzpYjqFletRiGRUWpICCEIcbsEK6WN8VtCaH+lpVqcVOpLUSSX1jILEwn4H483JyPk9EI04tIGBgq+svUOg7PZhc7zLllczMKN+BcdY=,iv:OyeAYXln8Dm1WvrrySkYXk+XC7kcwHFUSamIBdCTHRY=,tag:OGsR6IfBJF5Ki6VG15iyUw==,type:str]
+    unpackerr:
+        extraEnvVars: ENC[AES256_GCM,data:UT6HLaEKGEHggZx8Ict23OOLlRppErCnIDA16CleMFe33/IHyyp8El8aBNCq5A/1+NIGN5aZat2El562QAcZBVITa9ffmmtXqnDsheaRo+nDSPR5mGqh39uoKWIy2eSO5nv3rD0jN08MFYjxZNti/k0p0JIDMYN5shnVLiwO7krLs3Z6m+sZntg6euCWnHJMM2p3v38bffUzbZWrD1hEKaOUofOhTL0rDUiiysCawMZvJx6zXgfyO6DeUdwlYIxlg0mZ8SkmDRoFDPYrI40tIA+oSScJhJkDgoNPPJVEuGu6vVMPgqkAWUSucVGeiYVati2PsBJHn9wori2GWRTY0n7mjQKe8cz3nPIKQFWYLRWDZ9UBBvh05bYLa54+C4mGczFFPZra/DDoR2i9gzCXxjhRmt2Qs+g0RqefJTq5W2qQKRLj9PKFr02GuOY=,iv:pmOkkfFd4eGRCburRz6rgqqAFQJhPgjuUKn23ipLg3E=,tag:heZtewMOnnMxE5qSVEiI0Q==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -109,8 +115,8 @@ sops:
             aVlOSHhFb2I5UnYwVytyQzlWTXBDYUUKdQKilmfJ1F7UYKtQV9zV95FcRIK17p4M
             vGvu/pGJ32tH8xI7cNs9I5Hmg9c5wOam21W1FDk+VlJ/ClXqQzS0MA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-03T20:15:40Z"
+    lastmodified: "2025-02-04T04:28:14Z"
-    mac: ENC[AES256_GCM,data:V7XiBqYsWk3kEoGeM6aOfZk6DaSwZAPc2kCt25n0y5eDKeLaxp6P/gwiquNjnvKmftRAbK0IK7TXxrg4+oEaJzLccAHqc5ch+4oJpWJIC6XlcksYc4JH8K1pzzPKHCW70w0sVghUmaNE/cNaglNgj+0JG9gseC1PKx9vyxFzfAM=,iv:McVZQTSvLugOd/2OMLIDfVuNDdHETF92TCkw7+o0sQg=,tag:peILXXpBChxEa1yRXVgsJw==,type:str]
+    mac: ENC[AES256_GCM,data:7y38SzT51EOTx83lEJugW5XmsgGa00yemYIE5IRLasqwiSGSWHTt3iZy/2FLNXbFIqiz+O1K3xajstOF4ijvpYmP6Tu3rCh/4gxChqcokP6kxsI6b4nKp6ZkC/eZpoevFQmYHYqJU4b9iOQT9QZqdzwCIxOVRNZDAAc8u1SeBsg=,iv:7ni7qo6Xojs5MlOZBMLnnEKnDqdNDp9Ms/D9JMoRnm0=,tag:1/wqZh0igzhFyqdBxemntA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.4

nixos/modules/nixos/services/default.nix

@@ -18,6 +18,7 @@
     ./sanoid
     ./sonarr
     ./syncthing
+    ./unpackerr
     ./zfs-nightly-snap
   ];
 }

nixos/modules/nixos/services/prowlarr/default.nix

@@ -5,7 +5,8 @@
   utils,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.mySystem.services.prowlarr;
   dbOptions = {
     options = {
@@ -50,11 +51,12 @@ with lib; let
       };
     };
   };
-in {
+in
+{
   options.mySystem.services.prowlarr = {
     enable = mkEnableOption "Prowlarr";
 
-    package = mkPackageOption pkgs "prowlarr" {};
+    package = mkPackageOption pkgs "prowlarr" { };
 
     user = mkOption {
       type = types.str;
@@ -105,6 +107,22 @@ in {
       description = "API key for Prowlarr from a file (mutually exclusive with apiKey)";
     };
 
+    extraEnvVars = mkOption {
+      type = types.attrs;
+      default = { };
+      example = {
+        MY_VAR = "my value";
+      };
+      description = "Extra environment variables for Prowlarr.";
+    };
+
+    extraEnvVarFile = mkOption {
+      type = lib.types.nullOr lib.types.path;
+      default = null;
+      example = "/run/secrets/prowlarr_extra_env";
+      description = "Extra environment file for Prowlarr.";
+    };
+
     db = mkOption {
       type = types.submodule dbOptions;
       example = {
@@ -141,7 +159,7 @@ in {
         "network.target"
         "nss-lookup.target"
       ];
-      wantedBy = ["multi-user.target"];
+      wantedBy = [ "multi-user.target" ];
       environment = lib.mkMerge [
         {
           PROWLARR__APP__INSTANCENAME = "Prowlarr";
@@ -157,6 +175,7 @@ in {
           PROWLARR__POSTGRES__PORT = toString cfg.db.port;
           PROWLARR__POSTGRES__MAINDB = cfg.db.dbname;
         })
+        cfg.extraEnvVars
       ];
 
       serviceConfig = lib.mkMerge [
@@ -178,8 +197,8 @@ in {
           RestartSec = 5;
         }
         (lib.mkIf cfg.hardening {
-          CapabilityBoundingSet = [""];
+          CapabilityBoundingSet = [ "" ];
-          DeviceAllow = [""];
+          DeviceAllow = [ "" ];
           DevicePolicy = "closed";
           LockPersonality = true;
           # Needs access to .Net CLR memory space.
@@ -249,16 +268,19 @@ in {
             chown ${cfg.user}:${cfg.group} /run/prowlarr/secrets.env
           ''}";
 
-          EnvironmentFile = ["-/run/prowlarr/secrets.env"];
+          EnvironmentFile = (
+            [ "-/run/prowlarr/secrets.env" ]
+            ++ lib.optional (cfg.extraEnvVarFile != null && cfg.extraEnvVarFile != "") cfg.extraEnvVarFile
+          );
         })
       ];
     };
 
     networking.firewall = mkIf cfg.openFirewall {
-      allowedTCPPorts = [cfg.port];
+      allowedTCPPorts = [ cfg.port ];
     };
 
-    users.groups.${cfg.group} = {};
+    users.groups.${cfg.group} = { };
     users.users = mkIf (cfg.user == "prowlarr") {
       prowlarr = {
         inherit (cfg) group;

nixos/modules/nixos/services/radarr/default.nix

@@ -125,6 +125,22 @@ in
       };
       description = "Database settings for radarr.";
     };
+
+    extraEnvVars = mkOption {
+      type = types.attrs;
+      default = { };
+      example = {
+        MY_VAR = "my value";
+      };
+      description = "Extra environment variables for radarr.";
+    };
+
+    extraEnvVarFile = mkOption {
+      type = lib.types.nullOr lib.types.path;
+      default = null;
+      example = "/run/secrets/radarr_extra_env";
+      description = "Extra environment file for Radarr.";
+    };
   };
 
   config = mkIf cfg.enable {
@@ -169,6 +185,7 @@ in
           RADARR__POSTGRES__PORT = toString cfg.db.port;
           RADARR__POSTGRES__MAINDB = cfg.db.dbname;
         })
+        cfg.extraEnvVars
       ];
 
       serviceConfig = lib.mkMerge [
@@ -262,7 +279,10 @@ in
             chown ${cfg.user}:${cfg.group} /run/radarr/secrets.env
           ''}";
 
-          EnvironmentFile = [ "-/run/radarr/secrets.env" ];
+          EnvironmentFile = (
+            [ "-/run/radarr/secrets.env" ]
+            ++ lib.optional (cfg.extraEnvVarFile != null && cfg.extraEnvVarFile != "") cfg.extraEnvVarFile
+          );
         })
       ];
     };

nixos/modules/nixos/services/sonarr/default.nix

@@ -113,6 +113,22 @@ in
       description = "API key for sonarr from a file (mutually exclusive with apiKey)";
     };
 
+    extraEnvVars = mkOption {
+      type = types.attrs;
+      default = { };
+      example = {
+        MY_VAR = "my value";
+      };
+      description = "Extra environment variables for sonarr.";
+    };
+
+    extraEnvVarFile = mkOption {
+      type = lib.types.nullOr lib.types.path;
+      default = null;
+      example = "/run/secrets/sonarr_extra_env";
+      description = "Extra environment file for Sonarr.";
+    };
+
     db = mkOption {
       type = types.submodule dbOptions;
       example = {
@@ -169,6 +185,7 @@ in
           SONARR__POSTGRES__PORT = toString cfg.db.port;
           SONARR__POSTGRES__MAINDB = cfg.db.dbname;
         })
+        cfg.extraEnvVars
       ];
 
       serviceConfig = lib.mkMerge [
@@ -263,7 +280,10 @@ in
             chown ${cfg.user}:${cfg.group} /run/sonarr/secrets.env
           ''}";
 
-          EnvironmentFile = [ "-/run/sonarr/secrets.env" ];
+          EnvironmentFile = (
+            [ "-/run/sonarr/secrets.env" ]
+            ++ lib.optional (cfg.extraEnvVarFile != null && cfg.extraEnvVarFile != "") cfg.extraEnvVarFile
+          );
         })
       ];
     };

nixos/modules/nixos/services/unpackerr/default.nix

@@ -0,0 +1,75 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+
+with lib;
+
+let
+  cfg = config.mySystem.services.unpackerr;
+in
+{
+  options.mySystem.services.unpackerr = {
+    enable = mkEnableOption "Unpackerr";
+
+    package = mkPackageOption pkgs "unpackerr" { };
+
+    user = mkOption {
+      type = types.str;
+      default = "unpackerr";
+      description = "User account under which Unpackerr runs.";
+    };
+
+    group = mkOption {
+      type = types.str;
+      default = "unpackerr";
+      description = "Group under which Unpackerr runs.";
+    };
+
+    configFile = mkOption {
+      type = types.path;
+      default = "/var/lib/unpackerr/config.yaml";
+      description = "Configuration file used by Unpackerr.";
+    };
+
+    extraEnvVarsFile = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      example = "/run/secrets/unpackerr_extra_env";
+      description = "Extra environment file for Unpackerr.";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.groups.${cfg.group} = { };
+    users.users = mkIf (cfg.user == "unpackerr") {
+      unpackerr = {
+        inherit (cfg) group;
+        isSystemUser = true;
+      };
+    };
+
+    systemd.services.unpackerr = {
+      description = "Unpackerr service";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        User = cfg.user;
+        Group = cfg.group;
+        ExecStart = lib.mkForce (
+          lib.concatStringsSep " " [
+            "${cfg.package}/bin/unpackerr"
+            "--config"
+            "${cfg.configFile}"
+          ]
+        );
+
+        EnvironmentFile = lib.optional (
+          cfg.extraEnvVarsFile != null && cfg.extraEnvVarsFile != ""
+        ) cfg.extraEnvVarsFile;
+      };
+    };
+  };
+}