Bump Server1.Connections 30->50 for headroom (Newshosting cap is 100, but
TLS-on-arm overhead makes maxing it counterproductive). Add global
ArticleCache=700 (MB RAM buffer, within the 2Gi limit) and WriteBuffer=1024
(KB/conn) to reduce write thrash on the contended SSD, which is the more
likely throughput ceiling than connection count at our ~100-300 Mbit line.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
nzbget does not expand OS env vars in nzbget.conf (its ${...} only
references other nzbget options), so the previous secretKeyRef-as-env
approach left the literal ${NEWSHOSTING_USER} in the config and auth
failed with 400 DENIED.
Add initContainers support to the chart and an init step that seds the
Server1 (newshosting) block into nzbget.conf on every start: non-secret
settings in git, username/password from the usenet-creds Secret. Rotating
the secret + restarting re-renders the creds; no password lands in git.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Reuse the existing nzbget chart as the usenet downloader. Newshosting
username/password come from the out-of-band `usenet-creds` Opaque secret
(same pattern as gluetun-wireguard), exposed as env and referenced in
nzbget.conf via ${NEWSHOSTING_USER}/${NEWSHOSTING_PASS} so no plaintext
provider password lands in the config file.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
gilgamezh