feat: add *arr (#61)

* feat: add cockpit to all servers * hacing * feat: *arr bones * feat: add docker versioning --------- Co-authored-by: Truxnell <9149206+truxnell@users.noreply.github.com>
2024-04-07 14:05:51 +10:00 · 2024-04-07 14:05:51 +10:00 · c4e7e0215b
commit c4e7e0215b
parent 14e1aa9300
21 changed files with 891 additions and 35 deletions
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@ -3,6 +3,7 @@
    "extends": [
      "github>truxnell/renovate-config",
      "github>truxnell/renovate-config:automerge-github-actions",
+      "github>truxnell/nix-config//.github/renovate/autoMerge.json5",
    ],

    "gitAuthor": "Trux-Bot <19149206+trux-bot[bot]@users.noreply.github.com>",
@ -13,7 +14,19 @@
    "nix": {
        "enabled": "true"
    },
+   
    "lockFileMaintenance": {
        "enabled": "true"
    },
+   
+    {
+    "regexManagers": [
+    {
+      fileMatch: ["^.*\\.nix$"],
+      matchStrings: [
+        'image *= *"(?<depName>[^"]+):(?<currentValue>[^"]+)(@(?<currentDigest>sha256:[a-f0-9]+))?";',
+      ],
+      datasourceTemplate: "docker",
+    }
+  ],
 }
--- a/.github/renovate/autoMerge.json5
+++ b/.github/renovate/autoMerge.json5
@ -0,0 +1,17 @@
+{
+  packageRules: [
+    // auto update all up to major
+    {
+      matchDatasources: ['docker'],
+      automerge: "true",
+      matchUpdateTypes: [ 'minor', 'patch', 'digest'],
+      matchPackageNames: [
+        'onedr0p/sonarr',
+        'onedr0p/readarr',
+        'onedr0p/radarr',
+        'onedr0p/lidarr',
+        'onedr0p/prowlarr',
+      ],
+    },
+  ],
+}
--- a/docs/vm/k8s.md
+++ b/docs/vm/k8s.md
@ -0,0 +1,10 @@
+Removed complexity
+
+- external secrets -> bog standard sops
+- HA file storage -> standard file system
+- HA database cluster -> nixos standard cluster
+- Database user operator -> nixos standard ensure_users
+- Database permissions operator -> why even??
+- secrets reloader -> sops restart_unit
+- easier managment, all services run through systemd for consistency, cockpit makes viewing logs/pod console etc easy.
+
--- a/nixos/home/modules/programs/browsers/firefox/search.nix
+++ b/nixos/home/modules/programs/browsers/firefox/search.nix
@ -36,8 +36,8 @@
      definedAliases = [ "@nhmo" ];
    };
    "NixOS Wiki" = {
-      urls = [{ template = "https://nixos.wiki/index.php?search={searchTerms}"; }];
-      iconUpdateURL = "https://nixos.wiki/favicon.png";
+      urls = [{ template = "https://wiki.nixos.org/w/index.php?search={searchTerms}"; }];
+      iconUpdateURL = "https://wiki.nixos.org/favicon.ico";
      updateInterval = 24 * 60 * 60 * 1000; # every day
      definedAliases = [ "@nw" ];
    };
@ -47,6 +47,12 @@
      updateInterval = 24 * 60 * 60 * 1000; # every day
      definedAliases = [ "@ks" ];
    };
+    "Github Code Search" = {
+      urls = [{ template = "https://github.com/search?type=code&q={searchTerms}"; }];
+      iconUpdateURL = "https://github.githubassets.com/favicons/favicon-dark.svg";
+      updateInterval = 24 * 60 * 60 * 1000; # every day
+      definedAliases = [ "@gs" ];
+    };

    # "Searx" = {
    #   urls = [{ template = "https://searx.trux.dev/?q={searchTerms}"; }];
--- a/nixos/hosts/shodan/default.nix
+++ b/nixos/hosts/shodan/default.nix
@ -13,11 +13,14 @@

  mySystem.services = {
    openssh.enable = true;
-    cockpit.enable = true;
    podman.enable = true;
    traefik.enable = true;
-    sonarr.enable = true;
    homepage.enable = true;
+    sonarr.enable = true;
+    radarr.enable = true;
+    lidarr.enable = true;
+    readarr.enable = true;
+
  };
  mySystem.nfs.nas.enable = true;

@ -40,7 +43,7 @@
    };
  };

-  networking.hostName = "shodan"; # Define your hostname.
+  networking.hostName = "shodan1"; # Define your hostname.
  networking.useDHCP = lib.mkDefault true;

  fileSystems."/" =
--- a/nixos/modules/nixos/services/arr/default.nix
+++ b/nixos/modules/nixos/services/arr/default.nix
@ -1,5 +1,9 @@
 {
  imports = [
    ./sonarr
+    ./radarr
+    ./lidarr
+    ./readarr
+    ./prowlarr
  ];
 }
--- a/nixos/modules/nixos/services/arr/lidarr/default.nix
+++ b/nixos/modules/nixos/services/arr/lidarr/default.nix
@ -0,0 +1,79 @@
+{ lib
+, config
+, pkgs
+, ...
+}:
+with lib;
+let
+  app = "lidarr";
+  image = "ghcr.io/onedr0p/lidarr@sha256:6b9564037159c2b90f32a2ee34683275783a4b8eff4b609e2d2b1c0654c94bac";
+  user = "568"; #string
+  group = "568"; #string
+  port = 8686; #int
+  cfg = config.mySystem.services.sonarr;
+  persistentFolder = "${config.mySystem.persistentFolder}/${app}";
+in
+{
+  options.mySystem.services.${app} =
+    {
+      enable = mkEnableOption "${app}";
+      addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
+    };
+
+  config = mkIf cfg.enable {
+    # ensure folder exist and has correct owner/group
+    systemd.tmpfiles.rules = [
+      "d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
+    ];
+
+    sops.secrets."services/${app}/env" = {
+
+      # configure secret for forwarding rules
+      sopsFile = ./secrets.sops.yaml;
+      owner = config.users.users.kah.name;
+      inherit (config.users.users.kah) group;
+      restartUnits = [ "podman-${app}.service" ];
+    };
+
+    virtualisation.oci-containers.containers.${app} = {
+      image = "${image}";
+      user = "${user}:${group}";
+      environment = {
+        PUSHOVER_DEBUG = "false";
+        PUSHOVER_APP_URL = "${app}.${config.networking.domain}";
+        LIDARR__INSTANCE_NAME = "Lidarr";
+        LIDARR__APPLICATION_URL = "https://${app}.${config.networking.domain}";
+        LIDARR__LOG_LEVEL = "info";
+      };
+      environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
+      volumes = [
+        "${persistentFolder}:/config:rw"
+        "/mnt/nas/natflix:/media:rw"
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.${app}.entrypoints" = "websecure";
+        "traefik.http.routers.${app}.middlewares" = "local-only@file";
+        "traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
+
+      };
+    };
+
+    mySystem.services.homepage.media-services = [
+      {
+        Lidarr = {
+          icon = "${app}.png";
+          href = "https://${app}.${config.networking.domain}";
+          description = "Music management";
+          container = "${app}";
+          widget = {
+            type = "${app}";
+            url = "http://${app}:${toString port}";
+            key = "{{HOMEPAGE_VAR_LIDARR__API_KEY}}";
+          };
+        };
+      }
+    ];
+  };
+}
--- a/nixos/modules/nixos/services/arr/lidarr/secrets.sops.yaml
+++ b/nixos/modules/nixos/services/arr/lidarr/secrets.sops.yaml
@ -0,0 +1,59 @@
+services:
+    lidarr:
+        env: ENC[AES256_GCM,data:+Ja2gz7l5bueQJdMxtsF2o2rXtnPfsj9xfANoZ7T2wI4vf/VQRcHFG8IFvpJWr03kr+4iIK7BlSqE+o5CqL7pZLPbC6FW0mnqFKXUpZZxctPlrDXPHLR6UcnDbvJjNgSF4O+nLz0yzUFV28/C0I=,iv:j+q/uM16sxffCaKZHeXD957J8mFG6sLUL8vBwwO7/mE=,tag:QPDD6WiRTLrXtUeNytYGew==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bW9rRnF5TzBBQUdSdy9q
+            NExkZjdUWFI4VkFDUHF2REFQaXg4SGppUkcwCk12NW05NVUwaHBkNVdJRHA4L3Qw
+            d0VtVkVmdmJpRDJCOHBIU1lHNVFpT1UKLS0tIGhVQlVibk1aOEc2YnBCM3RXVHQ2
+            MUt0TzZTeXE3RkZBM0RBRkFkWkFYRTgKPQrxDiWBOyAIZpgLzHViMJGg4o+P/PlZ
+            pCj3n5C1z4lZgaWU+oE70a3r2CXg0toaG0Lg9lq7hh5pQV+KfLcO8g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3eWVSejhCcmhUT1hGZHlK
+            SVVUbmJ3UlVJT1k5azA3TkNsdDZCNWZQK0N3CnBYWUFWcXdSamhDT2pXTUFsZFIr
+            akgxSkZtRE44eW0yQlFGc0U5RWUxdjQKLS0tIExDdXBhSGh0dDM5ZnFNTzdmdVNj
+            MUY5UlFuNitiR08xeW9EZ09ZNThnQ1UKC+O/NlGD6ZdWAdJAAMyamGUJi8M6LhW2
+            2CRjIhXpfhiG4vjbgP5Xs6JXXYfiF7mFN6W3VZAZ/B4aO/S+BEVYoA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Z1BYNDBVRjJDanVFNHMx
+            aUpXZW8wdGdDVkVQdXVRVnd0aFRLTnZuVUdFCmZJei84bVUyOFA5S2JaOVpLMVM2
+            T3B1YnNCcmNEV2s5WC9CRCtqd0pITTgKLS0tIHFmcjlmSjhXaWl2U09ralVjZzZE
+            ZW5LaVhIVUNlN09aUVN0eGZvRU1TUGMKxQXeVgv5pwTTSM+b5YV0Clys/z6spAd6
+            E8X0l9Q8QfKTw4JHhKZvVYtPQ/oKCqex7ez5WpARcOOcZmHojwuXdg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZmYzZElqQ0xBYmdrMHdD
+            dUVlTXlrVXJnNmNBZTZQMEdvYmwwMVIva2pvClZLU1pPV0xUVFZGQ0t5TGI5Mkhw
+            SE0wUWg2OWFnUTdBVEkzcTVOZWZFbWMKLS0tIEVCU2VnR3lIQXpqTnh0eHJzejEz
+            SzgxZG9TU1BsdVZlU1h5MkNyNG9ZaDgKGndrjZxBKRcvrLkPpE2cHCOGye3a6ek9
+            EmLowxl4EQ+pQqbukteFBfSlrs/302FfNrzL7cP4p2jzrCiT1RtHTw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlRlIyYnlxRmZYSzlhUzNX
+            am9iS3h5TVJ5TWhraVYrWU9ETHdGMUpJZEIwCjBmQ3FMZHJFcjg0SXM1Q1FybXZq
+            azVCL25XVXpHd01wbzRHMTN4QVd3N0UKLS0tIEFIc2dNNjErZFoxdzNDcEo4VE9B
+            NVJrMEs2Q09aQlphYXdaelluYjgveUUKJndBGHWzTUoexspNKF29jlaBgEruu/ee
+            acxnf1IGetFRKVNRu9mBPxAoMo+21Qi61E0/gdGaXWGmK2HEwSCaSA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-07T01:10:07Z"
+    mac: ENC[AES256_GCM,data:3WmOa5i4eB5L88TjzLhJG6tHF4/ecwZQHE1aC4b737nJjFw4F7tWMtHECIPHjRXM8wTie/FZgIQA4AHQS8WxLMILWkiSHVAei0jYWUQLie6R1qvcZu6NdSg22Co368pSBaEkDy+jy1uXmhTGOcAWYivKdhLyuVyr+jVO7W0B600=,iv:MFHlY+iRxS9udlgZSRSr/06BHnhfLXcIhYlDY3RUpRc=,tag:u7FnVRGcK6Y3Zoh3h2fEjw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/nixos/modules/nixos/services/arr/prowlarr/default.nix
+++ b/nixos/modules/nixos/services/arr/prowlarr/default.nix
@ -0,0 +1,78 @@
+{ lib
+, config
+, pkgs
+, ...
+}:
+with lib;
+let
+  app = "prowlarr";
+  image = "ghcr.io/onedr0p/prowlarr@sha256:7f90035619b4dbff6bff985181275300cd999be5d4f03fcaf359ef7068fc5e5e";
+  user = "568"; #string
+  group = "568"; #string
+  port = 9696; #int
+  cfg = config.mySystem.services.sonarr;
+  persistentFolder = "${config.mySystem.persistentFolder}/${app}";
+in
+{
+  options.mySystem.services.${app} =
+    {
+      enable = mkEnableOption "${app}";
+      addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
+    };
+
+  config = mkIf cfg.enable {
+    # ensure folder exist and has correct owner/group
+    systemd.tmpfiles.rules = [
+      "d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
+    ];
+
+    sops.secrets."services/${app}/env" = {
+
+      # configure secret for forwarding rules
+      sopsFile = ./secrets.sops.yaml;
+      owner = config.users.users.kah.name;
+      inherit (config.users.users.kah) group;
+      restartUnits = [ "podman-${app}.service" ];
+    };
+
+    virtualisation.oci-containers.containers.${app} = {
+      image = "${image}";
+      user = "${user}:${group}";
+      environment = {
+        PUSHOVER_DEBUG = "false";
+        PUSHOVER_APP_URL = "${app}.${config.networking.domain}";
+        PROWLARR__INSTANCE_NAME = "Prowlarr";
+        PROWLARR__APPLICATION_URL = "https://${app}.${config.networking.domain}";
+        PROWLARR__LOG_LEVEL = "info";
+      };
+      environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
+      volumes = [
+        "${persistentFolder}:/config:rw"
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.${app}.entrypoints" = "websecure";
+        "traefik.http.routers.${app}.middlewares" = "local-only@file";
+        "traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
+
+      };
+    };
+
+    mySystem.services.homepage.media-services = [
+      {
+        Prowlarr = {
+          icon = "${app}.png";
+          href = "https://${app}.${config.networking.domain}";
+          description = "Content locator";
+          container = "${app}";
+          widget = {
+            type = "${app}";
+            url = "http://${app}:${toString port}";
+            key = "{{HOMEPAGE_VAR_PROWLARR__API_KEY}}";
+          };
+        };
+      }
+    ];
+  };
+}
--- a/nixos/modules/nixos/services/arr/prowlarr/secrets.sops.yaml
+++ b/nixos/modules/nixos/services/arr/prowlarr/secrets.sops.yaml
@ -0,0 +1,59 @@
+services:
+    prowlarr:
+        env: ENC[AES256_GCM,data:NvGX3+harRQfv0x5L/6QznuIyu6su08EkD1btg2mZmemcxndZSVb+5odFZIDnoCsSUSMlxfZXHn2gOHB+7ePpHlVYy3/MZZTbn8I/nxVaAOPKYCJ7KXG5eKp7uEk+ZqEwIeMTI1MKekhCCwm43Ndn+oD,iv:uFpbHQMocdzFe+HQPEmC9Cz2hWOuL6TLi4Or94EzEIY=,tag:xeDbq4Ab5UuQQYa0kUnbig==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhSUwrZFliUC8wV1NKbm94
+            U0VmR2t2VndWUFRjMzVOcitHZXJlZ2ZDVDI4ClpieVJnR044N0JEcVgvcU8rcDlB
+            ZG5VbVhpOXVaYXpoMERkYnVjbkhWWEEKLS0tIEhXUGt2SnBVSmNtdEdibm9TbEx4
+            YnIrdkpGMGFYUXViQnE2Z0VlQVlHVVUKdh4QPZmkOUHY0nhZTgQHN/Is/OaHUKdB
+            fwPX5XltwaIgUCzKOJ18dOx24CA+xajvpRGDY5vdK6cN8N1lDnYPpw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiTDUySUpRbXBNOVlNSGNu
+            NTY1Q3Ntd1pWaDVnMzQ4MW94QXN6T3dQb1J3CkNIRnBINmNsRWt3OGFlR056Nk02
+            MEZlejIya2N6RUE2TlJtRkI3QTFTQlEKLS0tIGlneU1RSXBRdlhHMFFESU9wcE5W
+            YTlwU2srUjAySDI4TGt0bDlBT2VLL1kK8PJnEGhGAjDjQYBuPhS9NWsHg31ddkpq
+            UrC/SDONnawAVqC0djWkv2w71rHPh41GIFCW3V/IFS8vxQLSMiBo5w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqUFp3MXFkVHU5dTdhcndG
+            aGdLWHY2Ti9ES0hjeWc2VXFTcXdPSWZrN25zCno2Snc1LzBTdC8zTS9lQSsrSmwz
+            d0VTb1Z6V0RxLzFzcEM4ZXEzZVpoSEkKLS0tIExvT2pKbzhaMUJaRHZoNlZpTXJY
+            eE5zVUhBblNFQ1RDVzl5K3VFaVMxRDAKuNxtVAqjbxaLJPr7LXKRj0Pt/gh8++Fp
+            AmYw0AVp/GMikWPCWVoCGiLr6svmNtbY0Q0B6KcN1N615G6AbrsoVg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBicTlKS0FhRHRRRXNuMURH
+            UnN6QUhZUFNjSlRLRzJEYmU2cDAxdHhaQndZClRVR0p2UFBTdVNDUVhnSE1KSEQ3
+            elNJeDdhK3lBb0xPK2daMmVBWUtMamMKLS0tIFZWeU9wdDErby90S2VFUHcrYjIx
+            MlVtM1dqSmdaTWZtdjZMcmd2aEhCN2cKYbzlgLrLhoGutJ6PPgALF9O1Pe5zZrfB
+            RCciStCtTO0Geloxf7YqelPW3D3crSSCmf4Yq4VTMnLccudGNRgaLA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvOXNBN3MrajlTa1cxZ05y
+            MWx4TW40c3dabzZtZjErU0JzVUR4S2p4VVRjCkxkRjJNODI0M0pkYXBIQ1RxcFZY
+            OVhra0NmNnRkb1VOTHJMaDFVR0RuR28KLS0tIFlLNFk4MSt1M1UwL0tnRzRkYk00
+            YTAwcUlzMGRDMldCYjUwM2lZYS9YOWcKdgArTqnH04EMDc8s4q8eIoAlRbD7hsYj
+            RJNesG9wKZlrGOlDydOX7CD7hyrVRH1CrhMIAzWggu5dy8Bl9Mbe4w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-07T03:01:12Z"
+    mac: ENC[AES256_GCM,data:ec1pzZ90D5jkY8jPDyDNyMxTovZqSjYBUryllybBPZwn08EeMPya/08+/mo3kqwgT4bVIFnEe/Fwk1ofEiz1G0YppcA4F43Rv0O7wGyTgRUKJ1sDuAcUvnvS/WSbG3POKibGcsu8v7wqDt9/JdFjoCfsurx+Ze17T9V+ZmYSQWo=,iv:oq55QVt2rMwCK8IPLNbUx5cs2sLAgWIp6/wb4faMpPU=,tag:rlmhn6XU7qgp58WpRlTwvA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/nixos/modules/nixos/services/arr/radarr/default.nix
+++ b/nixos/modules/nixos/services/arr/radarr/default.nix
@ -0,0 +1,79 @@
+{ lib
+, config
+, pkgs
+, ...
+}:
+with lib;
+let
+  app = "radarr";
+  image = "ghcr.io/onedr0p/radarr@sha256:2de39930de91ae698f9461bb959d93b9d59610f88e0c026e96bc5d9c99aeea89";
+  user = "568"; #string
+  group = "568"; #string
+  port = 7878; #int
+  cfg = config.mySystem.services.sonarr;
+  persistentFolder = "${config.mySystem.persistentFolder}/${app}";
+in
+{
+  options.mySystem.services.${app} =
+    {
+      enable = mkEnableOption "${app}";
+      addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
+    };
+
+  config = mkIf cfg.enable {
+    # ensure folder exist and has correct owner/group
+    systemd.tmpfiles.rules = [
+      "d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
+    ];
+
+    sops.secrets."services/${app}/env" = {
+
+      # configure secret for forwarding rules
+      sopsFile = ./secrets.sops.yaml;
+      owner = config.users.users.kah.name;
+      inherit (config.users.users.kah) group;
+      restartUnits = [ "podman-${app}.service" ];
+    };
+
+    virtualisation.oci-containers.containers.${app} = {
+      image = "${image}";
+      user = "${user}:${group}";
+      environment = {
+        PUSHOVER_DEBUG = "false";
+        PUSHOVER_APP_URL = "${app}.${config.networking.domain}";
+        RADARR__INSTANCE_NAME = "Radarr";
+        RADARR__APPLICATION_URL = "https://${app}.${config.networking.domain}";
+        RADARR__LOG_LEVEL = "info";
+      };
+      environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
+      volumes = [
+        "${persistentFolder}:/config:rw"
+        "/mnt/nas/natflix/series:/media:rw"
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.${app}.entrypoints" = "websecure";
+        "traefik.http.routers.${app}.middlewares" = "local-only@file";
+        "traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
+
+      };
+    };
+
+    mySystem.services.homepage.media-services = [
+      {
+        Radarr = {
+          icon = "${app}.png";
+          href = "https://${app}.${config.networking.domain}";
+          description = "Movie management";
+          container = "${app}";
+          widget = {
+            type = "${app}";
+            url = "http://${app}:${toString port}";
+            key = "{{HOMEPAGE_VAR_RADARR__API_KEY}}";
+          };
+        };
+      }
+    ];
+  };
+}
--- a/nixos/modules/nixos/services/arr/radarr/secrets.sops.yaml
+++ b/nixos/modules/nixos/services/arr/radarr/secrets.sops.yaml
@ -0,0 +1,59 @@
+services:
+    radarr:
+        env: ENC[AES256_GCM,data:Sup7QbkSx/m7KlXToXmd50pewu9Ofjz+mfhVWuDdLm0P3Z1mjNOwVEuvJPmgzj6xth2/nMxtStb+0HTxzPnPVx3pfVxM/AAUPNryvK4xPmhr2ROyJ6sdUFwCzv0QmT+mS1mYy4GJ6ms/6is5agViRdKu+uoTMI5ogb2L2UJR9D6S1V/VH/OuPr/KNcFQF+f1uuo76h42pCuagJ+Biek6Mr9qoLNAUA63+PkWuRkZs9XZxTSTmF38AdOXJhU+RF7HV7WCtNQhQvVIRmRO0wSm,iv:mbmOxJusIfhoQkT2B+etQh8afYFpLP+nRfKJnR212yE=,tag:huIYNNzZFR8oDzX3FM2SZQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyL0VUU1FrUGhsZ3RvTFQw
+            RVBLTXdMTEtUc0twalVUUTM5b0dnRU1WUWpFCjBNeG5zU1NUU1BkRGo5MWFESEg1
+            bTNmc2VFbHJXM1pKbkpTUzVHWmJSaTgKLS0tIGsydXlwRHpVeVE3VlZvbVdYNWps
+            L0hlSDVPQXlES1ZwQWxaYXlkaHhCeGMKKKzYAzrByU7kx2FaroGt1G7HJpmfxZ/4
+            m1q//Leo6qttDeLod8ZrZR+nCjx2LzqWiMFatEpirgUU1SxVYLsN0Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxZ2RKTUtYZW56cU91UHM4
+            NkJ5dnJjU1pjV09kUUtxOHU3dlJhMXkycFU0CmVWSCtJUHc2WkJyTDQ1c0J0dVBK
+            SFY5bmtpQWNTRXgvMi9RTWJCNXlJZkkKLS0tIFk5Wmk3Sy9ucjl1YVMwL3BSVCtF
+            aWxGNWtxZmJuR0RCRmFTdUs0c0xaR1kKEzEzyrAzLm812z7lqGMXY7hxX2zSanah
+            Z4+3X44basjM8FTI6CvZAFqtpouv5o4QAerggCZatQV2DEs+6iAvLw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwT3RtQk1uMjBIWnlMdEt2
+            MXJNMEhPVDc0bGxEb0tXY1JpWS9wQ3pKV0JJCnBqcUNJOUMyYVhJdGh5YzBuY0FC
+            eEhlZFRiK0NIcnhJZVA0Q2J6bytXNk0KLS0tIDlVSEd3NHFNakdqeEpwRC96M0lB
+            Ym95TkpWVS9JY1JjL0F1dUF1QkhDbHMKvBOtjm/T+s9xjPhSzicL5yAGg66qQGnf
+            7HJVClweQ343WwIw8lO2/GM3CVaU20Q/UibaBYszUTNyNbQSFv5Sow==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcFVmMEdaN0oycG9sdk1m
+            bjdBem5lQVB4bEM4TmM0QnpPK3p4RldDT25VCmV6YVdoR2NnNEx4WC9kdzRySWl6
+            amxJeTNTRmdjZEJVc05UWnFDdDJ4UkkKLS0tIER1dmFGdmVPWHhXUUJ1Ym96NU9K
+            aE9NS04yblVQNmVxNFlVRFZlRnkyRDgK+/uf5R1GT5bFkSSsYx5R6aehDcyapsz0
+            1uzffKV95MSo0I2ZqZDJgJPqsh23IxhzBJKsFhCw233bIaOaCSApuA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxcXFxc1o4OVZqbVBkWW9S
+            d1FMY3Nma3VVNS9kQ2E2NHo2VXdlQS9jWVFzCkUrV3c3d3RkclZLaktuWG0yTitx
+            OVVkQm9uaEFmMVFhYW92SlJKTlA0bVEKLS0tIG5PZm9NTjF6blR6TzhDOS94ck5N
+            S1doVkdGQjIzNmtTQkp0VHJoSWp3czAK1NPIYn78CEqiLk7cZKoZU2RPeS0hZImd
+            Sj7V+yVS0zZvLnHVhHcOIOGuVIAhsxNZgQ2Wd4sT2GaueUS3dRVhyw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-07T00:54:00Z"
+    mac: ENC[AES256_GCM,data:Ale1C+ow3OyKdgyyVBSco6mmK/o+wbSUFOzW7QScn8v80itwe42rLqGHdcTrrfxONVY0hrYBbaTA9dbRekNUa04goZbzyzrVYHAfdqf9qw7ugFLazeL3GA4hHUdkmfCtYEhjqK3Y3Ef88i1uysvJWfBlm/ayE8N2mv17CRxl8cA=,iv:bY6/ih+Boc1oY1NpLOnd1RLZxASD/vbom/sirb8ktao=,tag:GU+nM1Oncx3j0x9UXJ784w==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/nixos/modules/nixos/services/arr/readarr/default.nix
+++ b/nixos/modules/nixos/services/arr/readarr/default.nix
@ -0,0 +1,77 @@
+{ lib
+, config
+, pkgs
+, ...
+}:
+with lib;
+let
+  app = "readarr";
+  image = "ghcr.io/onedr0p/readarr-nightly@sha256:dd429811956178223ca7db1699f4ce03641edfa39ea8a1436a33272618278ade";
+  user = "568"; #string
+  group = "568"; #string
+  port = 8787; #int
+  cfg = config.mySystem.services.sonarr;
+  persistentFolder = "${config.mySystem.persistentFolder}/${app}";
+in
+{
+  options.mySystem.services.${app} =
+    {
+      enable = mkEnableOption "${app}";
+      addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
+    };
+
+  config = mkIf cfg.enable {
+    # ensure folder exist and has correct owner/group
+    systemd.tmpfiles.rules = [
+      "d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
+    ];
+
+    sops.secrets."services/${app}/env" = {
+
+      # configure secret for forwarding rules
+      sopsFile = ./secrets.sops.yaml;
+      owner = config.users.users.kah.name;
+      inherit (config.users.users.kah) group;
+      restartUnits = [ "podman-${app}.service" ];
+    };
+
+    virtualisation.oci-containers.containers.${app} = {
+      image = "${image}";
+      user = "${user}:${group}";
+      environment = {
+        READARR__INSTANCE_NAME = "Lidarr";
+        READARR__APPLICATION_URL = "https://${app}.${config.networking.domain}";
+        READARR__LOG_LEVEL = "info";
+      };
+      environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
+      volumes = [
+        "${persistentFolder}:/config:rw"
+        "/mnt/nas/natflix:/media:rw"
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.${app}.entrypoints" = "websecure";
+        "traefik.http.routers.${app}.middlewares" = "local-only@file";
+        "traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
+
+      };
+    };
+
+    mySystem.services.homepage.media-services = [
+      {
+        Readar = {
+          icon = "${app}.png";
+          href = "https://${app}.${config.networking.domain}";
+          description = "Book management";
+          container = "${app}";
+          widget = {
+            type = "${app}";
+            url = "http://${app}:${toString port}";
+            key = "{{HOMEPAGE_VAR_READARR__API_KEY}}";
+          };
+        };
+      }
+    ];
+  };
+}
--- a/nixos/modules/nixos/services/arr/readarr/secrets.sops.yaml
+++ b/nixos/modules/nixos/services/arr/readarr/secrets.sops.yaml
@ -0,0 +1,59 @@
+services:
+    readarr:
+        env: ENC[AES256_GCM,data:/nOtTAhPSy3jlzZb3CmmOOyyhoxH8wgF7/sOlQxWP6FC6+lDH/DhibckUVHscwNAlwSIT4MeuLaE2vyeNUOSwhx5WwxGXvqQFjXRv0hkIPcHpWriJmuc44c7rHga+sCDpQNGPCLRbEmcYvTpm403cA==,iv:G0Elt5Oe0yGzVCoLkKUKp5QexziHzOIZO/AUqx13JE4=,tag:Ue9xgKJ4QyDs2445y9/xtg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2d1V3dC9oWFR2RUV4RXFo
+            ZEw1QmlMc1VXc2hZTTFFK3d1TEtiSXJtcTFjCjFTMHpkK1Q2TFlTbFZEdjQ1RlVs
+            K3dsOGhLN011eXBEV21vckZRdHRsWVEKLS0tIDNQRDRxTHI3SjBkZGxGQmdoOWg0
+            TlUzeDRwNUppSHpSSHNnWkJKYS8vSU0KyIu/ttRKDqQ3mKtk1AyCDnL5ZwydMv/9
+            Mc9we7EXPzbGkOoGVNzFH+sP1GZM4k9f5wQ8OgiseVKTwzuHzqaFYg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNZW94S2VxL0QwN2gweThB
+            YUNhall0bFZvTm02ZHkwYXhRb0E1bTc0OEhVCnBtQ2FhSTZabmJzMm1RUzE4VzlE
+            MmJ1aEFMRUxwUTcwWVVGOXBXa05QNW8KLS0tIHJ3VjlDVzUremhkd25lM2IrR2tH
+            dlkxVkpnUFZTYTd0cDR6bTBCR1VzSUkKlUGI4JKzdWdvJuYSc8PeR3qEA3OXG7w3
+            Jv42OCDczivOR69E8ZBIU+dS+1XrLNgGxN7xSGFpHnz0ZgaZWYow/w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLeG83T1RXckYralg3SzJP
+            QmVYa3lkZittTFJFSDBBRmdrQWFHNE5PTkdFCjcvK1J5SGhYVVlHM2xMempCMHVV
+            Mzh4eGR0QzZwMjZycFV4cGdJQ09RUzAKLS0tIFJGMnNQcW16eFhWeXY5V3dOUDV0
+            WUhuQUZDbGU3V3JIeXpxVytuUy9PNjgKy9Y/XkjkDX3ypVSWZhfACkXQdjz2Qm8N
+            4Am69qQRvOCnnFuw30RftgJSRvs1X7dTnvUKwCcweUiCAL+o2R/q6A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6TWRLQzNGTHJZM0lzRkVx
+            OG9vdS9wc0VsYTRoR2FRM1dWdXREZ1RjK1M0CnczVjI1a0lNTVpCbmZMR0FmRDFS
+            aGpuQzdyMkc2WW1BWkp2ODFhc1JUcGMKLS0tIGNyOXd6a1dqdHRKUEJEOE1UNjBr
+            aU9EeWg4Rm9sbTdrWGZ4cmNMUVI3a3MKhUyeqGGZPxcHUCXVNAAcZtx35vzFmunQ
+            fTNNnoI6CM0Xmwznlp0576s3qmjbXMc5+Wm9Ni4tLnBrnyl/Y4oijg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0Z1doS3pjc0FaczdudDBp
+            Ykx4aGl0YVZUUmoxNUs2aWpieFZlQ0dYN0VNClZQQkF2QWtyeVpta2VBbEpMZjVZ
+            T3hrU2ozbE10M3c2ejlta2tNNEhBYWMKLS0tIHlGeVNnRmNiUzhKYmpUWG8xbDVo
+            V0JjaGpDTXpsSE5Ldm13N3N1UU9zRE0Ky8tp8tJkgwyLNBvnOM+puMy2+46Khf7n
+            LzxXw/7ZJnIPsYywXPj7IdeMha9nvXow8zpSriI52ecOmJZxSbkLeg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-07T01:10:50Z"
+    mac: ENC[AES256_GCM,data:8Cx1SzSIeNSYGCyOsPCkaWv/Z8A4t8a+o1UDYnf4KsuysH8NolDMZWziMiPnzKpWLMNBo6qzJfaDfm2b6MyvEsLRue1Z5iAuNIlMOWYeVkeQu9ZDPOOYuEqxCMmRLOpHdsQh9G++bcGzNjZoFOKMkh4uCCQrboohFGO38WEWnHY=,iv:hPbqJSYvPb1npIIyc4a92YytDMRm7c9pgPv3j6TvxoQ=,tag:1s3Jxup2X/gWAinn12Rxzg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/nixos/modules/nixos/services/arr/sonarr/default.nix
+++ b/nixos/modules/nixos/services/arr/sonarr/default.nix
@ -5,46 +5,76 @@
 }:
 with lib;
 let
+  app = "sonarr";
  image = "ghcr.io/onedr0p/sonarr@sha256:04d8e198752b67df3f95c46144b507f437e7669f0088e7d2bbedf0e762606655";
-  port = 8989;
-  cfg = config.mySystem.services.sonarr;
-  persistentFolder = "${config.mySystem.persistentFolder}/sonarr";
+  user = "568"; #string
+  group = "568"; #string
+  port = 8989; #int
+  cfg = config.mySystem.services.${app};
+  persistentFolder = "${config.mySystem.persistentFolder}/${app}";
+  containerPersistentFolder = "/config";
 in
 {
-  options.mySystem.services.sonarr.enable = mkEnableOption "Sonarr";
+  options.mySystem.services.${app} =
+    {
+      enable = mkEnableOption "${app}";
+      addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
+    };

  config = mkIf cfg.enable {
    # ensure folder exist and has correct owner/group
    systemd.tmpfiles.rules = [
-      "d ${persistentFolder} 0755 568 568 -" #The - disables automatic cleanup, so the file wont be removed after a period
+      "d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
    ];

-    virtualisation.oci-containers.containers.sonarr = {
-      image = "${image}";
-      user = "568:568";
-      environment = {
-        UMASK = "002";
+    sops.secrets."services/${app}/env" = {
+
+      # configure secret for forwarding rules
+      sopsFile = ./secrets.sops.yaml;
+      owner = config.users.users.kah.name;
+      inherit (config.users.users.kah) group;
+      restartUnits = [ "podman-${app}.service" ];
    };
+
+    virtualisation.oci-containers.containers.${app} = {
+      image = "${image}";
+      user = "${user}:${group}";
+      environment = {
+        PUSHOVER_DEBUG = "false";
+        PUSHOVER_APP_URL = "${app}.${config.networking.domain}";
+        SONARR__INSTANCE_NAME = "Radarr";
+        SONARR__APPLICATION_URL = "https://${app}.${config.networking.domain}";
+        SONARR__LOG_LEVEL = "info";
+      };
+      environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
      volumes = [
-        "${persistentFolder}:/config:rw"
-        "/mnt/nas/natflix/series:/media:rw"
+        "${persistentFolder}:${containerPersistentFolder}:rw"
+        "/mnt/nas/natflix:/media:rw"
        "/etc/localtime:/etc/localtime:ro"
      ];
      labels = {
        "traefik.enable" = "true";
-        "traefik.http.routers.sonarr.entrypoints" = "websecure";
-        "traefik.http.routers.sonarr.middlewares" = "local-only@file";
-        "traefik.http.services.sonarr.loadbalancer.server.port" = "${toString port}";
+        "traefik.http.routers.${app}.entrypoints" = "websecure";
+        "traefik.http.routers.${app}.middlewares" = "local-only@file";
+        "traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";

-        "homepage.group" = "Media";
-        "homepage.name" = "Sonarr";
-        "homepage.icon" = "sonarr.png";
-        "homepage.href" = "https://sonarr.${config.networking.domain}";
-        "homepage.description" = "Series manager";
-        # "homepage.weight" = -70000;
-        "homepage.widget.type" = "sonarr";
-        "homepage.widget.url" = "https://sonarr.${config.networking.domain}";
      };
    };
+
+    mySystem.services.homepage.media-services = [
+      {
+        Sonarr = {
+          icon = "${app}.png";
+          href = "https://${app}.${config.networking.domain}";
+          description = "TV show management";
+          container = "${app}";
+          widget = {
+            type = "${app}";
+            url = "http://${app}:${toString port}";
+            key = "{{HOMEPAGE_VAR_SONARR__API_KEY}}";
+          };
+        };
+      }
+    ];
  };
 }
--- a/nixos/modules/nixos/services/arr/sonarr/secrets.sops.yaml
+++ b/nixos/modules/nixos/services/arr/sonarr/secrets.sops.yaml
@ -0,0 +1,59 @@
+services:
+    sonarr:
+        env: ENC[AES256_GCM,data:Lg92wQkiBY5gBZ2+ckLs7EBPo/0fEwqhEvnWcnU5quUMNlJeWnjWFqU8qu1TaW0Vmux/A/QgIJAiYgWnbQuD9benOR2swkt4+DazSeC+35VQOTbegVDrH4wiJikTHTtoKpgSKHLBQAy113jaDL/RBFRpsSjsXEsGGu+G+GZ1MFcW5hRbYam1o62NqOAG66efcIGXv8T+sD0ouLcN2g9ZjU2QqUqJqsGBtg1d0SIVj9bNW2vUHHmMtIQBTxfR6S5V3tzqjP2EfzaT/gDSPPJg,iv:e9/vpvTFDixP07fVXutIhJcAg8Qb9d7fVJNmn+XhMjU=,tag:7MAF0kHvcf5VDUMCpJATVA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvYTlNSGpIclBoWVlWWDBz
+            ckVZQWdndVBreDRXV3k1UDhxR0Y4R1J5blNBCmh0RmtwbzMrcGxLL1FoQVBjSVUy
+            QUxPUXJmaFYxRXFFb0lTQ2JHd3M3aFUKLS0tIEZ6UWJOVXp1VE1XTnhzQVhGT2RS
+            MVhTTE1JbU5rZnZjUFI2NDNkRUEvY0EKxglGGpDa8xY9w9VKayRF2Oqjv+UhDiLY
+            3uPQWLasVcQviZE7AqG5n8azLTaX5DEoAOVFDCnhJYjU9NatXhcutw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdU84WkVMVWl2UXQ2WHN3
+            ZE1IbENMU0JlN0pPMTZSeHFPdW5mN1NhcUVRCkovcEJSNm9FWU9LdWk2aWRMbzJO
+            b3VoM0F5VWxSU2I1UU9lblMreXNvcjQKLS0tIG9hSVk4RzRzbVgyektXQ1lkcGF6
+            Q1FLdWZGOUFqWm9Hc0NDVUFFczlXYXcKxxWKSOrDUGld40zvDzsmMBOAexWoijDN
+            tBxJteEnSbTd+s93MDfuM+axeNR5Ak4+f/pEoLho5xjjn8f/fdlebA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVdGV5ZU1ZSFNvaHpGRUFs
+            cWRkVWlMZUZrbDNLSlJJSUpZVkhKUHI3OVdnCk1pckRmbWJNMkdvOXZscE1sMFcw
+            QktRU0Foa2hNTU9tcUN0UmM0Y0h2TU0KLS0tIDY1c2lVb1Bnd1c0d1Y3NVMrYmVZ
+            UXJFb294d1Bqc3E0SUFjWmFqSjdka28K2cEgMCIxpzGe2Z1rgaWq+rWXKJvfsTi9
+            PFWywF6/E+9Egwrh98FspQAzYP/7zl+N8gjR5Pa+Scx2D2iOizXWfg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKallmeUFQMmRvNFZRbnho
+            SVYzYit2TWFSRnV6dVNjUzlSQ0ZhTEJUNEhjCmFmaEsvMkpPQVZBN0FLVVp1dzgv
+            Ym56YzhwcWdkNlVSbHA4cnQ2T2VVeXMKLS0tIENqdXZCaFNrZVpFVUIrakpsY1ZP
+            QUxPS3lqcTBISnByTXVWcWdtZWYwNXMK8FRzmS0q2l6MWUu0YreaqEnKKW085j4s
+            f1oTHPpErwPLuh3hUciUPFe5Mbm3zSdjBsGyQtxPF6xLtw8dFaDYBA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaTXg2S2R2M2tHYmllUXFZ
+            NkZzcTdRaU5RM29RQkdEQnpNWXowZUFoR3hZCm1TclN2K0FoQktVTzg4YkkyRUhC
+            NXRybXE5Ym1XYjF3cG53RitvK3VTR1kKLS0tIGtkZXFLWmJiRG81M2RyYzdXZUEx
+            M2tqQVZaUmNVbm9YZys0NUNpSk4vN3cKpkL37l/i3VD6zhWHK/ROvcvmCBQfifuw
+            EFYI+F+BTjkoptqIVFCDbATRrqSfOqsYPmEg5lM0e3Oul+vT++e0/g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-06T21:26:23Z"
+    mac: ENC[AES256_GCM,data:ITWKix2aNhXzzzZTvq2sBPXO3Phvr+lS83fSwEbH7FTowD7uScxqAF4PMJ+txAfIpmZiaD5vXIK98YU9HOWRFUoOiYxdwVwfOiX63mB0JKj5jLHHeIe6bMaWfudITlIL9an6YO/qyUww9OVXaxYEmwOJI4W+HnMLbYLf5lGboEo=,iv:i8dddSV2W9FifN+ktwGsaYRRnK4UJtrG7g6LpWPtgu4=,tag:acP4YvJarHLCZUJ3dCFuOQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/nixos/modules/nixos/services/cockpit/default.nix
+++ b/nixos/modules/nixos/services/cockpit/default.nix
@ -11,11 +11,32 @@ in
 {
  options.mySystem.services.cockpit.enable = mkEnableOption "Cockpit";

-  config = mkIf cfg.enable {
-    services.cockpit.enable = true;
-    services.cockpit.openFirewall = true;
+  config.services.cockpit = mkIf cfg.enable {
+    enable = true;
+    openFirewall = true;
+    package = pkgs.cockpit.overrideAttrs (old: {
+      # remove packagekit and selinux, don't work on NixOS
+      postBuild = ''
+        ${old.postBuild}

+        rm -rf \
+          dist/packagekit \
+          dist/selinux
+      '';
+    });
  };

+  config.environment = mkIf cfg.enable {
+    systemPackages = with pkgs;
+      [
+        (mkIf config.virtualisation.podman.enable nur.repos.procyon.cockpit-podman) # only if server runs pods

+        # nur.repos.dukzcry.cockpit-machines # TODO enable with virtualisation on server
+        # nur.repos.dukzcry.libvirt-dbus # TODO enable with virtualisation on server
+        # pkgs.virt-manager # TODO enable with virtualisation on server
+      ];
+
+
+
+  };
 }
--- a/nixos/modules/nixos/services/homepage/default.nix
+++ b/nixos/modules/nixos/services/homepage/default.nix
@ -13,12 +13,121 @@ let
  persistentFolder = "${config.mySystem.persistentFolder}/${app}";

  cfg = config.mySystem.services.homepage;
+
+  settings = {
+    # title = "Hades";
+    # theme = "dark";
+    # color = "slate";
+    showStats = true;
+  };
+  settingsFile = builtins.toFile "homepage-settings.yaml" (builtins.toJSON settings);
+
+  bookmarks = [
+    {
+      Administration = [
+        { Source = [{ icon = "github.png"; href = "https://github.com/truxnell/nix-config"; }]; }
+        { Cloudflare = [{ icon = "cloudflare.png"; href = "https://dash.cloudflare.com/"; }]; }
+      ];
+    }
+    {
+      Development = [
+        { CyberChef = [{ icon = "cyberchef.png"; href = "https://gchq.github.io/CyberChef/"; }]; }
+        { "Nix Options Search" = [{ abbr = "NS"; href = "https://search.nixos.org/packages"; }]; }
+        { "Doppler Secrets" = [{ abbr = "DP"; href = "https://dashboard.doppler.com"; }]; }
+        { "onedr0p Containers" = [{ abbr = "OC"; href = "https://github.com/onedr0p/containers"; }]; }
+        { "bjw-s Containers" = [{ abbr = "BC"; href = "https://github.com/bjw-s/container-images"; }]; }
+
+      ];
+    }
+  ];
+  bookmarksFile = builtins.toFile "homepage-bookmarks.yaml" (builtins.toJSON bookmarks);
+
+  widgets = [
+    {
+      resources = {
+        cpu = true;
+        memory = true;
+        cputemp = true;
+        uptime = true;
+        disk = "/";
+        units = "metric";
+        # label = "system";
+      };
+    }
+    {
+      search = {
+        provider = "duckduckgo";
+        target = "_blank";
+      };
+    }
+  ];
+  widgetsFile = builtins.toFile "homepage-widgets.yaml" (builtins.toJSON widgets);
+
+  services = [
+    { Infrastructure = cfg.infrastructure-services; }
+    { Home = cfg.home-services; }
+    { Media = cfg.media-services; }
+  ];
+  servicesFile = builtins.toFile "homepage-config.yaml" (builtins.toJSON services);
 in
 {
-  options.mySystem.services.homepage.enable = mkEnableOption "Homepage dashboard";
+  options.mySystem.services.homepage = {
+    enable = mkEnableOption "Homepage dashboard";
+    infrastructure-services = lib.mkOption {
+      type = lib.types.listOf lib.types.attrs;
+      description = "Services to add to the infrastructure column";
+      default = [ ];
+    };
+    home-services = lib.mkOption {
+      type = lib.types.listOf lib.types.attrs;
+      description = "Services to add to the infrastructure column";
+      default = [ ];
+    };
+    media-services = lib.mkOption {
+      type = lib.types.listOf lib.types.attrs;
+      description = "Services to add to the infrastructure column";
+      default = [ ];
+    };
+  };

  config = mkIf cfg.enable {

+    sops.secrets."services/sonarr/env" = {
+      # configure secret for forwarding rules
+      sopsFile = ../arr/sonarr/secrets.sops.yaml;
+      owner = "kah";
+      group = "kah";
+      restartUnits = [ "podman-${app}.service" ];
+    };
+    sops.secrets."services/radarr/env" = {
+      # configure secret for forwarding rules
+      sopsFile = ../arr/radarr/secrets.sops.yaml;
+      owner = "kah";
+      group = "kah";
+      restartUnits = [ "podman-${app}.service" ];
+    };
+    sops.secrets."services/lidarr/env" = {
+      # configure secret for forwarding rules
+      sopsFile = ../arr/lidarr/secrets.sops.yaml;
+      owner = "kah";
+      group = "kah";
+      restartUnits = [ "podman-${app}.service" ];
+    };
+    sops.secrets."services/readarr/env" = {
+      # configure secret for forwarding rules
+      sopsFile = ../arr/readarr/secrets.sops.yaml;
+      owner = "kah";
+      group = "kah";
+      restartUnits = [ "podman-${app}.service" ];
+    };
+    sops.secrets."services/prowlarr/env" = {
+      # configure secret for forwarding rules
+      sopsFile = ../arr/prowlarr/secrets.sops.yaml;
+      owner = "kah";
+      group = "kah";
+      restartUnits = [ "podman-${app}.service" ];
+    };
+
    # ensure folder exist and has correct owner/group
    systemd.tmpfiles.rules = [
      "d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
@ -27,23 +136,43 @@ in
    virtualisation.oci-containers.containers.${app} = {
      image = "${image}";
      user = "${user}:${group}";
+
      environment = {
        UMASK = "002";
        PUID = "${user}";
        PGID = "${group}";
      };
+
+      environmentFiles = [
+        config.sops.secrets."services/sonarr/env".path
+        config.sops.secrets."services/radarr/env".path
+        config.sops.secrets."services/readarr/env".path
+        config.sops.secrets."services/lidarr/env".path
+        config.sops.secrets."services/prowlarr/env".path
+      ];
+
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.${app}.entrypoints" = "websecure";
        "traefik.http.routers.${app}.middlewares" = "local-only@file";
        "traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
      };
-      # mount socket for service discovery.
+      # not using docker socket for discovery, just
+      # building up the apps from a shared key
+      # this is a bit more tedious, but more secure
+      # from not exposing docker socet and makes it 
+      # easier to have/move services between hosts
      volumes = [
-        "${persistentFolder}:/app/config:rw"
-        "/var/run/podman/podman.sock:/var/run/docker.sock:ro" # TODO abstract out podman/docker socket
+        "/etc/localtime:/etc/localtime:ro"
+        "${persistentFolder}:/app/config/logs:rw"
+        "${settingsFile}:/app/config/settings.yaml"
+        "${servicesFile}:/app/config/services.yaml"
+        "${bookmarksFile}:/app/config/bookmarks.yaml"
+        "${widgetsFile}:/app/config/widgets.yaml"
+
      ];

    };
+
  };
 }
--- a/nixos/modules/nixos/services/podman/default.nix
+++ b/nixos/modules/nixos/services/podman/default.nix
@ -18,6 +18,12 @@ in

        dockerCompat = true;
        extraPackages = [ pkgs.zfs ];
+
+        # regular cleanup
+        autoPrune.enable = true;
+        autoPrune.dates = "weekly";
+
+        # and add dns
        defaultNetwork.settings = {
          dns_enabled = true;
        };
@ -27,7 +33,14 @@ in
      };
      networking.firewall.interfaces.podman0.allowedUDPPorts = [ 53 ];

+      # extra user for containers
+      users.users.kah = {

+        uid = 568;
+        group = "kah";
+
+      };
+      users.groups.kah = { };
    };

 }
--- a/nixos/profiles/role-server.nix
+++ b/nixos/profiles/role-server.nix
@ -14,6 +14,7 @@ with lib;
    mySystem.services.promMonitoring.enable = true;
    mySystem.services.rebootRequiredCheck.enable = true;
    mySystem.security.wheelNeedsSudoPassword = false;
+    mySystem.services.cockpit.enable = true;

    nix.settings = {
      # TODO factor out into mySystem
--- a/nixos/profiles/role-worstation.nix
+++ b/nixos/profiles/role-worstation.nix
@ -15,6 +15,7 @@ with config;
    # Lets see if fish everywhere is OK on the pi's
    # TODO decide if i drop to bash on pis?
    shell.fish.enable = true;
+    services.cockpit.enable = true;

    nfs.nas.enable = true;
  };