From 6247b140bc9f8991d733c4f90429c4e7eb0b9344 Mon Sep 17 00:00:00 2001
From: gilgamezh <mail@gilgamezh.me>
Date: Fri, 5 Jun 2026 09:16:34 +0200
Subject: [PATCH] feat(nzbget): inject newshosting creds from usenet-creds
 secret

Reuse the existing nzbget chart as the usenet downloader. Newshosting
username/password come from the out-of-band `usenet-creds` Opaque secret
(same pattern as gluetun-wireguard), exposed as env and referenced in
nzbget.conf via ${NEWSHOSTING_USER}/${NEWSHOSTING_PASS} so no plaintext
provider password lands in the config file.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 helm-values/nzbget_values.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/helm-values/nzbget_values.yaml b/helm-values/nzbget_values.yaml
index 2d17f4b..e52e620 100644
--- a/helm-values/nzbget_values.yaml
+++ b/helm-values/nzbget_values.yaml
@@ -22,6 +22,20 @@ env:
     value: "http://gluetun.default.svc.cluster.local:8888"
   - name: NO_PROXY
     value: "localhost,127.0.0.1,.svc,.cluster.local"
+  # Newshosting usenet provider credentials, sourced from the out-of-band
+  # `usenet-creds` Secret (not in git, same pattern as gluetun-wireguard).
+  # Referenced in nzbget.conf as ${NEWSHOSTING_USER} / ${NEWSHOSTING_PASS}
+  # so the password never lives in plaintext in the config file.
+  - name: NEWSHOSTING_USER
+    valueFrom:
+      secretKeyRef:
+        name: usenet-creds
+        key: NEWSHOSTING_USER
+  - name: NEWSHOSTING_PASS
+    valueFrom:
+      secretKeyRef:
+        name: usenet-creds
+        key: NEWSHOSTING_PASS
 
 service:
   type: ClusterIP