Log DIMM temperatures on each check run

StartLimitBurst counts all starts (including successes), so the timer
was getting blocked after ~15 min. Replace with a JSON counter file
that resets on success and daily, only triggering OnFailure alerts for
the first 3 failures per day.

common/network/pia-vpn/vpn-container.nix

@@ -228,44 +228,73 @@ in
           };
 
           # Periodic VPN connectivity check — fails if VPN or internet is down,
-          # triggering ntfy alert via the OnFailure drop-in
+          # triggering ntfy alert via the OnFailure drop-in.
+          # Tracks failures with a counter file so only the first 3 failures per
+          # day trigger an alert (subsequent failures exit 0 to suppress noise).
           systemd.services.pia-vpn-check = {
             description = "Check PIA VPN connectivity";
             after = [ "pia-vpn-setup.service" ];
             requires = [ "pia-vpn-setup.service" ];
 
-            path = with pkgs; [ wireguard-tools iputils coreutils gawk ];
+            path = with pkgs; [ wireguard-tools iputils coreutils gawk jq ];
-
-            unitConfig = {
-              StartLimitBurst = 3;
-              StartLimitIntervalSec = "1d";
-            };
 
             serviceConfig.Type = "oneshot";
 
             script = ''
               set -euo pipefail
 
-              # Check that WireGuard has a peer with a recent handshake (within 3 minutes)
+              COUNTER_FILE="/var/lib/pia-vpn/check-fail-count.json"
-              handshake=$(wg show ${cfg.interfaceName} latest-handshakes | awk '{print $2}')
+              MAX_ALERTS=3
-              if [ -z "$handshake" ] || [ "$handshake" -eq 0 ]; then
+
-                echo "No WireGuard handshake recorded" >&2
+              check_vpn() {
-                exit 1
+                # Check that WireGuard has a peer with a recent handshake (within 3 minutes)
-              fi
+                handshake=$(wg show ${cfg.interfaceName} latest-handshakes | awk '{print $2}')
-              now=$(date +%s)
+                if [ -z "$handshake" ] || [ "$handshake" -eq 0 ]; then
-              age=$((now - handshake))
+                  echo "No WireGuard handshake recorded" >&2
-              if [ "$age" -gt 180 ]; then
+                  return 1
-                echo "WireGuard handshake is stale (''${age}s ago)" >&2
+                fi
-                exit 1
+                now=$(date +%s)
+                age=$((now - handshake))
+                if [ "$age" -gt 180 ]; then
+                  echo "WireGuard handshake is stale (''${age}s ago)" >&2
+                  return 1
+                fi
+
+                # Verify internet connectivity through VPN tunnel
+                if ! ping -c1 -W10 1.1.1.1 >/dev/null 2>&1; then
+                  echo "Cannot reach internet through VPN" >&2
+                  return 1
+                fi
+
+                echo "PIA VPN connectivity OK (handshake ''${age}s ago)"
+                return 0
+              }
+
+              if check_vpn; then
+                rm -f "$COUNTER_FILE"
+                exit 0
               fi
 
-              # Verify internet connectivity through VPN tunnel
+              # Failed — read and update counter (reset if from a previous day)
-              if ! ping -c1 -W10 1.1.1.1 >/dev/null 2>&1; then
+              today=$(date +%Y-%m-%d)
-                echo "Cannot reach internet through VPN" >&2
+              count=0
-                exit 1
+              if [ -f "$COUNTER_FILE" ]; then
+                stored=$(jq -r '.date // ""' "$COUNTER_FILE")
+                if [ "$stored" = "$today" ]; then
+                  count=$(jq -r '.count // 0' "$COUNTER_FILE")
+                fi
               fi
+              count=$((count + 1))
+              jq -n --arg date "$today" --argjson count "$count" \
+                '{"date": $date, "count": $count}' > "$COUNTER_FILE"
 
-              echo "PIA VPN connectivity OK (handshake ''${age}s ago)"
+              if [ "$count" -le "$MAX_ALERTS" ]; then
+                echo "Failure $count/$MAX_ALERTS today — alerting" >&2
+                exit 1
+              else
+                echo "Failure $count today — suppressing alert (already sent $MAX_ALERTS)" >&2
+                exit 0
+              fi
             '';
           };
 

common/ntfy/dimm-temp.nix

@@ -9,6 +9,7 @@ let
 
     threshold=55
     hot=""
+    summary=""
 
     while IFS= read -r line; do
       case "$line" in
@@ -18,6 +19,7 @@ let
         *temp1_input:*)
           temp="''${line##*: }"
           whole="''${temp%%.*}"
+          summary="''${summary:+$summary, }$chip: ''${temp}°C"
           if [ "$whole" -ge "$threshold" ]; then
             hot="$hot"$'\n'"  $chip: ''${temp}°C"
           fi
@@ -25,6 +27,8 @@ let
       esac
     done < <(sensors -u 'spd5118-*' 2>/dev/null)
 
+    echo "$summary"
+
     if [ -n "$hot" ]; then
       message="DIMM temperature above ''${threshold}°C on ${config.networking.hostName}:$hot"
 

machines/storage/s0/default.nix

@@ -143,30 +143,6 @@
         services.lidarr.enable = true;
         services.lidarr.user = "public_data";
         services.lidarr.group = "public_data";
-        services.recyclarr = {
-          enable = true;
-          configuration = {
-            radarr.radarr_main = {
-              api_key = {
-                _secret = "/run/credentials/recyclarr.service/radarr-api-key";
-              };
-              base_url = "http://localhost:7878";
-              quality_definition.type = "movie";
-            };
-            sonarr.sonarr_main = {
-              api_key = {
-                _secret = "/run/credentials/recyclarr.service/sonarr-api-key";
-              };
-              base_url = "http://localhost:8989";
-              quality_definition.type = "series";
-            };
-          };
-        };
-
-        systemd.services.recyclarr.serviceConfig.LoadCredential = [
-          "radarr-api-key:/run/agenix/radarr-api-key"
-          "sonarr-api-key:/run/agenix/sonarr-api-key"
-        ];
 
         users.groups.public_data.gid = 994;
         users.users.public_data = {
@@ -177,8 +153,6 @@
       };
     };
   };
-  age.secrets.radarr-api-key.file = ../../../secrets/radarr-api-key.age;
-  age.secrets.sonarr-api-key.file = ../../../secrets/sonarr-api-key.age;
 
   # jellyfin
   # jellyfin cannot run in the vpn container and use hardware encoding

secrets/radarr-api-key.age

@@ -1,11 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 hPp1nw gfVRDt7ReEnz10WvPa8UfBBnsRsiw7sxxXQMuXRnCVs
-slBNX9Yc1qSu1P5ioNDNLPd97NGE/LWPS/A+u9QGo4E
--> ssh-ed25519 ZDy34A e5MSY5qDP6WuEgbiK0p5esMQJBb3ScVpb15Ff8sTQgQ
-9nsimoUQncnbfiu13AnFWZXcpaiySUYdS1eH5O/3Fgg
--> ssh-ed25519 w3nu8g op1KSUhJgM6w/nlaUssQDiraQpVzgnWd//JMu2vFgms
-KvEaJfsB7Qkf+PnzFJdZ3wAxm2qj23IS8RRxyuGN2G4
--> ssh-ed25519 evqvfg 9L6pFuqkcChZq/W4zkATXm1Y76SEK+S4SyaiSlJd+C4
-j/UWJvo4Cr/UDfaN2milpJ6rU0w1EWdTAzV3SlrCcW8
---- bdG4zC5dx6cSPetH3DNeHEk6EYCJ5TXGrn8OhUMknNU
-/¶ø+ÏpñR[¤àJ-*‚@ÌÿŸx0Ú©ò-ä.*&T·™~-i	2€eƒ¡`@ëQ8š<l™àQK0AÕ§

secrets/secrets.nix

@@ -63,8 +63,4 @@ with roles;
 
   # zigbee2mqtt secrets
   "zigbee2mqtt.yaml.age".publicKeys = zigbee;
-
-  # Sonarr and Radarr secrets
-  "radarr-api-key.age".publicKeys = media-server;
-  "sonarr-api-key.age".publicKeys = media-server;
 }