fix(nzbget): render newshosting creds via init container

nzbget does not expand OS env vars in nzbget.conf (its ${...} only
references other nzbget options), so the previous secretKeyRef-as-env
approach left the literal ${NEWSHOSTING_USER} in the config and auth
failed with 400 DENIED.

Add initContainers support to the chart and an init step that seds the
Server1 (newshosting) block into nzbget.conf on every start: non-secret
settings in git, username/password from the usenet-creds Secret. Rotating
the secret + restarting re-renders the creds; no password lands in git.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

custom_helm_charts/nzbget/templates/deployment.yaml

@@ -21,6 +21,10 @@ spec:
     spec:
       volumes:
 {{ toYaml .Values.volumes | indent 6 }}
+    {{- with .Values.initContainers }}
+      initContainers:
+{{ toYaml . | indent 8 }}
+    {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"

helm-values/nzbget_values.yaml

@@ -22,10 +22,35 @@ env:
     value: "http://gluetun.default.svc.cluster.local:8888"
   - name: NO_PROXY
     value: "localhost,127.0.0.1,.svc,.cluster.local"
-  # Newshosting usenet provider credentials, sourced from the out-of-band
+
-  # `usenet-creds` Secret (not in git, same pattern as gluetun-wireguard).
+# nzbget cannot read server credentials from environment variables (its
-  # Referenced in nzbget.conf as ${NEWSHOSTING_USER} / ${NEWSHOSTING_PASS}
+# ${...} config syntax only references other nzbget options, not env). So an
-  # so the password never lives in plaintext in the config file.
+# init container renders the Server1 (newshosting) block into nzbget.conf on
+# every start: the non-secret settings live here in git, while the username
+# and password come from the out-of-band `usenet-creds` Secret (same pattern
+# as gluetun-wireguard — secret not committed). Rotating the secret + a pod
+# restart re-renders the creds. No provider password is ever stored in git.
+initContainers:
+  - name: render-newshosting
+    image: lscr.io/linuxserver/nzbget:latest
+    command:
+      - sh
+      - -c
+      - |
+        f=/config/nzbget.conf
+        [ -f "$f" ] || { echo "nzbget.conf absent; main container will seed defaults"; exit 0; }
+        sed -i \
+          -e "s|^Server1.Active=.*|Server1.Active=yes|" \
+          -e "s|^Server1.Name=.*|Server1.Name=newshosting|" \
+          -e "s|^Server1.Host=.*|Server1.Host=news.newshosting.com|" \
+          -e "s|^Server1.Port=.*|Server1.Port=563|" \
+          -e "s|^Server1.Encryption=.*|Server1.Encryption=yes|" \
+          -e "s|^Server1.Connections=.*|Server1.Connections=30|" \
+          -e "s|^Server1.Username=.*|Server1.Username=${NEWSHOSTING_USER}|" \
+          -e "s|^Server1.Password=.*|Server1.Password=${NEWSHOSTING_PASS}|" \
+          "$f"
+        echo "rendered newshosting Server1 block into nzbget.conf"
+    env:
       - name: NEWSHOSTING_USER
         valueFrom:
           secretKeyRef:
@@ -36,6 +61,10 @@ env:
           secretKeyRef:
             name: usenet-creds
             key: NEWSHOSTING_PASS
+    volumeMounts:
+      - name: plex-data
+        mountPath: /config
+        subPath: configs/nzbget
 
 service:
   type: ClusterIP