
4 Commits

Author SHA1 Message Date
5709333bcb fix(net): trust wg-br bridge for VPN namespace->host traffic
Allows VPN-confined services (Prowlarr) to reach host-network
services (Sonarr, Radarr) via the namespace bridge interface.

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
2026-02-18 15:54:06 -05:00
eb88e7af38 fix(media): add ReadWritePaths for jellyseerr ProtectSystem=strict
The upstream module sets ProtectSystem=strict which makes the entire
filesystem read-only. ReadWritePaths is needed to allow the static
jellyseerr user to write to the ZFS-backed configDir.

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
2026-02-18 15:32:05 -05:00
4e19e67356 fix(media): resolve arr stack deployment failures
- prowlarr: remove serviceFilePerms (DynamicUser has no static user)
- sonarr/radarr: move media dir creation to system-level tmpfiles rules
  to avoid unsafe path transition from /torrents (qbittorrent:media)
- jellyseerr: override DynamicUser=false, create static user/group,
  use serviceFilePerms for ZFS-backed configDir permissions

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
2026-02-18 15:28:41 -05:00
f6804a76b2 feat(media): add arr stack (sonarr, radarr, bazarr, prowlarr, jellyseerr) 2026-02-18 03:06:06 -05:00
4 changed files with 1 additions and 45 deletions


@@ -37,7 +37,6 @@
./services/radarr.nix ./services/radarr.nix
./services/bazarr.nix ./services/bazarr.nix
./services/jellyseerr.nix ./services/jellyseerr.nix
./services/recyclarr.nix
./services/soulseek.nix ./services/soulseek.nix


@@ -219,10 +219,6 @@
configDir = services_dir + "/jellyseerr"; configDir = services_dir + "/jellyseerr";
}; };
recyclarr = {
dataDir = services_dir + "/recyclarr";
};
media = { media = {
moviesDir = torrents_path + "/media/movies"; moviesDir = torrents_path + "/media/movies";
tvDir = torrents_path + "/media/tv"; tvDir = torrents_path + "/media/tv";


@@ -37,7 +37,7 @@
users.groups.jellyseerr = { }; users.groups.jellyseerr = { };
services.caddy.virtualHosts."jellyseerr.${service_configs.https.domain}".extraConfig = '' services.caddy.virtualHosts."jellyseerr.${service_configs.https.domain}".extraConfig = ''
# import ${config.age.secrets.caddy_auth.path} import ${config.age.secrets.caddy_auth.path}
reverse_proxy :${builtins.toString service_configs.ports.jellyseerr} reverse_proxy :${builtins.toString service_configs.ports.jellyseerr}
''; '';
} }
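Review bot: The `import ${config.age.secrets.caddy_auth.path}` line in the jellyseerr virtual host flips between commented-out and active with no explanation in the section or in any of the four commit messages, although it decides whether the proxy-level auth snippet sits in front of this service. The rendered page has lost its `+`/`-` markers, so which form is the new one is not certain from here; if the new side is the commented-out form, the vhost is published with only Jellyseerr's own login protecting it, and that should be a stated decision rather than a leftover. I would add a one-line comment directly above it, for example `# caddy_auth snippet gates this vhost in front of Jellyseerr's own login`, or, if it stays disabled, a comment giving the reason. It is also worth confirming outside this hunk that the service listens on loopback only, since `reverse_proxy :${...ports.jellyseerr}` adds no protection if that port is reachable directly. The enclosing attribute set begins above the hunk.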


@@ -1,39 +0,0 @@
{
pkgs,
config,
service_configs,
lib,
...
}:
{
imports = [
(lib.serviceMountWithZpool "recyclarr" service_configs.zpool_ssds [
service_configs.recyclarr.dataDir
])
];
systemd.tmpfiles.rules = [
"d ${service_configs.recyclarr.dataDir} 0755 root root -"
"d ${service_configs.recyclarr.dataDir}/data 0755 root root -"
];
systemd.services.recyclarr = {
description = "Recyclarr TRaSH Guides Sync";
after = [ "network-online.target" "radarr.service" "sonarr.service" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.recyclarr}/bin/recyclarr sync --config ${service_configs.recyclarr.dataDir}/recyclarr.yml --app-data ${service_configs.recyclarr.dataDir}/data";
};
};
systemd.timers.recyclarr = {
description = "Run Recyclarr daily";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "daily";
Persistent = true;
RandomizedDelaySec = "1h";
};
};
}