feat: add utility functions

2024-07-29 10:58:43 +02:00 · 2024-07-29 10:58:43 +02:00 · b8d7062228
commit b8d7062228
parent ca71ddac8c
12 changed files with 177 additions and 156 deletions
--- a/configs/common.nix
+++ b/configs/common.nix
@ -2,6 +2,7 @@
  lib,
  pkgs,
  config,
+  _utils,
  nixpkgs,
  agenix,
  home-manager,
@ -9,6 +10,8 @@
 }: let
  username = "leo";
  stateVersion = "23.11";
+
+  rootPassword = _utils.setupSingleSecret config "rootPassword" {};
 in {
  imports = [
    agenix.nixosModules.default
@ -16,6 +19,8 @@ in {

    (lib.mkAliasOptionModule ["hm"] ["home-manager" "users" username])

+    rootPassword.generate
+
    ../programs/fish.nix
    ../programs/git.nix
    ../programs/rust.nix
@ -26,7 +31,6 @@ in {
    identityPaths = ["/etc/age/key"];

    secrets = {
-      rootPassword.file = ../secrets/${config.networking.hostName}/rootPassword.age;
      userPassword.file = ../secrets/userPassword.age;
      tailscaleKey.file = ../secrets/tailscaleKey.age;
    };
@ -174,7 +178,7 @@ in {

    root = {
      shell = pkgs.fish;
-      hashedPasswordFile = config.age.secrets.rootPassword.path;
+      hashedPasswordFile = rootPassword.path;
    };
  };

--- a/global/utils.nix
+++ b/global/utils.nix
@ -0,0 +1,56 @@
+{lib, ...}: {
+  setupSecrets = _config: {
+    secrets,
+    extra ? {},
+  }: let
+    inherit (_config.networking) hostName;
+  in {
+    generate = {age.secrets = lib.genAttrs secrets (name: extra // {file = ../secrets/${hostName}/${name}.age;});};
+    get = name: _config.age.secrets.${name}.path;
+  };
+
+  setupSingleSecret = _config: name: extra: let
+    inherit (_config.networking) hostName;
+  in {
+    generate = {age.secrets.${name} = extra // {file = ../secrets/${hostName}/${name}.age;};};
+    inherit (_config.age.secrets.${name}) path;
+  };
+
+  mkMinecraftServer = _config: {
+    name,
+    port,
+    remotePort,
+    tag ? "java21",
+    dataDir ? "/var/lib/${name}",
+    memory ? "4G",
+    env ? {},
+    envFiles ? [],
+    extraPorts ? [],
+  }: let
+    inherit (_config.virtualisation.oci-containers) backend;
+  in {
+    virtualisation.oci-containers.containers.${name} = {
+      image = "itzg/minecraft-server:${tag}";
+      ports = ["${builtins.toString port}:25565"] ++ extraPorts;
+      volumes = ["${dataDir}:/data"];
+      environmentFiles = envFiles;
+      environment =
+        {
+          EULA = "true";
+          MEMORY = memory;
+        }
+        // env;
+    };
+
+    services.frp.settings.proxies = [
+      {
+        inherit name remotePort;
+        type = "tcp";
+        localIp = "127.0.0.1";
+        localPort = port;
+      }
+    ];
+
+    systemd.services."${backend}-${name}".serviceConfig.TimeoutSec = "300";
+  };
+}
--- a/systems/default.nix
+++ b/systems/default.nix
@ -3,6 +3,8 @@
  inputs,
  ...
 }: let
+  _utils = import ../global/utils.nix {inherit lib;};
+
  toSystem = name: {
    role,
    system,
@ -19,7 +21,7 @@
        {networking.hostName = name;}
      ];

-      specialArgs = inputs;
+      specialArgs = inputs // {inherit _utils;};
    };
 in {
  flake.nixosConfigurations = lib.mapAttrs toSystem {
--- a/systems/etna/default.nix
+++ b/systems/etna/default.nix
@ -1,41 +1,34 @@
 {
  lib,
+  pkgs,
  config,
-  pkgs, # required for fudgeMyShitIn
+  _utils,
  ...
-} @ args: let
+}: let
  tunnelId = "57f51ad7-25a0-45f3-b113-0b6ae0b2c3e5";

-  secretsPath = ../../secrets/etna;
-  mkSecrets = builtins.mapAttrs (name: value: value // {file = "${secretsPath}/${name}.age";});
-  mkSecret = name: other: mkSecrets {${name} = other;};
-
-  fudgeMyShitIn = builtins.map (file: import file (args // {inherit mkSecret mkSecrets;}));
-in {
-  imports =
-    [
-      (lib.mkAliasOptionModule ["cfTunnels"] ["services" "cloudflared" "tunnels" tunnelId "ingress"])
-    ]
-    ++ fudgeMyShitIn [
-      ./minecraft.nix
-      ./dendrite.nix
-      ./nextcloud.nix
-      ./reposilite.nix
-      ./uku.nix
-      ./vaultwarden.nix
-      ./forgejo.nix
-      ./shlink.nix
-      ./metrics.nix
-    ];
-
-  age.secrets = mkSecrets {
-    tunnelCreds = {
-      owner = "cloudflared";
-      group = "cloudflared";
-    };
-
-    frpToken = {};
+  frpSecret = _utils.setupSingleSecret config "frpToken" {};
+  cfTunnelSecret = _utils.setupSingleSecret config "tunnelCreds" {
+    owner = "cloudflared";
+    group = "cloudflared";
  };
+in {
+  imports = [
+    (lib.mkAliasOptionModule ["cfTunnels"] ["services" "cloudflared" "tunnels" tunnelId "ingress"])
+
+    frpSecret.generate
+    cfTunnelSecret.generate
+
+    ./minecraft.nix
+    ./dendrite.nix
+    ./nextcloud.nix
+    ./reposilite.nix
+    ./uku.nix
+    ./vaultwarden.nix
+    ./forgejo.nix
+    ./shlink.nix
+    ./metrics.nix
+  ];

  boot = {
    kernelPackages = lib.mkForce pkgs.linuxPackages_6_1;
@ -68,11 +61,11 @@ in {
    cloudflared = {
      enable = true;
      tunnels.${tunnelId} = {
-        credentialsFile = config.age.secrets.tunnelCreds.path;
+        credentialsFile = cfTunnelSecret.path;
        default = "http_status:404";
      };
    };
  };

-  systemd.services.frp.serviceConfig.EnvironmentFile = config.age.secrets.frpToken.path;
+  systemd.services.frp.serviceConfig.EnvironmentFile = frpSecret.path;
 }
--- a/systems/etna/dendrite.nix
+++ b/systems/etna/dendrite.nix
@ -1,9 +1,12 @@
 {
  config,
-  mkSecret,
+  _utils,
  ...
-}: {
-  age.secrets = mkSecret "dendriteKey" {};
+}: let
+  secretKey = _utils.setupSingleSecret config "dendriteKey" {};
+in {
+  imports = [secretKey.generate];
+
  cfTunnels."m.uku.moe" = "http://localhost:80";

  systemd.services.dendrite = {
@ -22,7 +25,7 @@
    in {
      enable = true;
      httpPort = 8008;
-      loadCredential = ["private_key:${config.age.secrets.dendriteKey.path}"];
+      loadCredential = ["private_key:${secretKey.path}"];

      settings = {
        global = {
--- a/systems/etna/forgejo.nix
+++ b/systems/etna/forgejo.nix
@ -1,14 +1,16 @@
 {
  config,
-  mkSecret,
+  _utils,
  ...
-}: {
-  cfTunnels."git.uku3lig.net" = "http://localhost:3000";
-
-  age.secrets = mkSecret "turnstileSecret" {
+}: let
+  turnstileSecret = _utils.setupSingleSecret config "turnstileSecret" {
    owner = "forgejo";
    group = "forgejo";
  };
+in {
+  imports = [turnstileSecret.generate];
+
+  cfTunnels."git.uku3lig.net" = "http://localhost:3000";

  services = {
    forgejo = {
@ -20,7 +22,7 @@
      };

      secrets = {
-        service.CF_TURNSTILE_SECRET = config.age.secrets.turnstileSecret.path;
+        service.CF_TURNSTILE_SECRET = turnstileSecret.path;
      };

      settings = {
--- a/systems/etna/metrics.nix
+++ b/systems/etna/metrics.nix
@ -1,4 +1,4 @@
-{...}: {
+{
  cfTunnels."grafana.uku3lig.net" = "http://localhost:2432";

  services.grafana = {
--- a/systems/etna/minecraft.nix
+++ b/systems/etna/minecraft.nix
@ -2,107 +2,64 @@
  lib,
  pkgs,
  config,
-  mkSecret,
+  _utils,
  ...
 }: let
  inherit (config.virtualisation.oci-containers) backend;

-  mkMinecraftServer = name: {
-    port,
-    remotePort,
-    tag ? "java21",
-    dataDir ? "/var/lib/${name}",
-    memory ? "4G",
-    env ? {},
-    extraPorts ? [],
-  }: {
-    virtualisation.oci-containers.containers.${name} = {
-      image = "itzg/minecraft-server:${tag}";
-      ports = ["${builtins.toString port}:25565"] ++ extraPorts;
-      volumes = ["${dataDir}:/data"];
-      environmentFiles = [config.age.secrets.minecraftEnv.path];
-      environment =
-        {
-          EULA = "true";
-          MEMORY = memory;
-        }
-        // env;
+  secret = _utils.setupSingleSecret config "minecraftEnv" {};
+
+  atm9 = _utils.mkMinecraftServer config {
+    name = "atm9";
+    port = 25565;
+    remotePort = 6004;
+    tag = "java17";
+    memory = "8G";
+    envFiles = [secret.path];
+    env = {
+      USE_AIKAR_FLAGS = "true";
+      MOD_PLATFORM = "AUTO_CURSEFORGE";
+      CF_SLUG = "all-the-mods-9";
+      CF_FILE_ID = "5458414";
    };
-
-    services.frp.settings.proxies = [
-      {
-        inherit name remotePort;
-        type = "tcp";
-        localIp = "127.0.0.1";
-        localPort = port;
-      }
-    ];
-
-    systemd.services."${backend}-${name}".serviceConfig.TimeoutSec = "300";
  };

-  recursiveMerge = attrList:
-    with lib; let
-      f = attrPath:
-        zipAttrsWith (
-          n: values:
-            if tail values == []
-            then head values
-            else if all isList values
-            then unique (concatLists values)
-            else if all isAttrs values
-            then f (attrPath ++ [n]) values
-            else last values
-        );
-    in
-      f [] attrList;
-
-  mkMinecraftServers = attrs: recursiveMerge (lib.mapAttrsToList mkMinecraftServer attrs);
-in
-  lib.recursiveUpdate {
-    age.secrets = mkSecret "minecraftEnv" {};
-
-    virtualisation.oci-containers.backend = "docker";
-
-    systemd.services.restart-minecraft-servers = {
-      wantedBy = ["multi-user.target"];
-      script = ''
-        ${lib.getExe' pkgs.systemd "systemctl"} restart ${backend}-*.service
-      '';
-      serviceConfig.Type = "oneshot";
+  lynn = _utils.mkMinecraftServer config {
+    name = "lynn";
+    port = 25567;
+    remotePort = 6002;
+    memory = "4G";
+    envFiles = [secret.path];
+    env = {
+      USE_AIKAR_FLAGS = "true";
+      TYPE = "MODRINTH";
+      MODRINTH_MODPACK = "https://modrinth.com/modpack/adrenaserver/version/1.6.0+1.20.6.fabric";
    };
+  };
+in {
+  imports = [
+    secret.generate

-    systemd.timers.restart-minecraft-servers = {
-      wantedBy = ["timers.target"];
-      timerConfig = {
-        OnCalendar = "*-*-* 05:00:00";
-        Persistent = true;
-        Unit = "restart-minecraft-servers.service";
-      };
-    };
-  }
-  (mkMinecraftServers {
-    atm9 = {
-      port = 25565;
-      remotePort = 6004;
-      tag = "java17";
-      memory = "8G";
-      env = {
-        USE_AIKAR_FLAGS = "true";
-        MOD_PLATFORM = "AUTO_CURSEFORGE";
-        CF_SLUG = "all-the-mods-9";
-        CF_FILE_ID = "5458414";
-      };
-    };
+    atm9
+    lynn
+  ];

-    lynn = {
-      port = 25567;
-      remotePort = 6002;
-      memory = "4G";
-      env = {
-        USE_AIKAR_FLAGS = "true";
-        TYPE = "MODRINTH";
-        MODRINTH_MODPACK = "https://modrinth.com/modpack/adrenaserver/version/1.6.0+1.20.6.fabric";
-      };
+  virtualisation.oci-containers.backend = "docker";
+
+  systemd.services.restart-minecraft-servers = {
+    wantedBy = ["multi-user.target"];
+    script = ''
+      ${lib.getExe' pkgs.systemd "systemctl"} restart ${backend}-*.service
+    '';
+    serviceConfig.Type = "oneshot";
+  };
+
+  systemd.timers.restart-minecraft-servers = {
+    wantedBy = ["timers.target"];
+    timerConfig = {
+      OnCalendar = "*-*-* 05:00:00";
+      Persistent = true;
+      Unit = "restart-minecraft-servers.service";
    };
-  })
+  };
+}
--- a/systems/etna/nextcloud.nix
+++ b/systems/etna/nextcloud.nix
@ -1,14 +1,17 @@
 {
-  config,
  pkgs,
-  mkSecret,
+  config,
+  _utils,
  ...
-}: {
-  age.secrets = mkSecret "nextcloudAdminPass" {
+}: let
+  adminPass = _utils.setupSingleSecret config "nextcloudAdminPass" {
    owner = config.users.users.nextcloud.name;
    group = config.users.users.nextcloud.name;
  };
+in {
+  imports = [adminPass.generate];

+  # nextcloud generates nginx config
  cfTunnels."cloud.uku3lig.net" = "http://localhost:80";

  services.nextcloud = {
@ -22,7 +25,7 @@
    configureRedis = true;

    config = {
-      adminpassFile = config.age.secrets.nextcloudAdminPass.path;
+      adminpassFile = adminPass.path;
    };
  };
 }
--- a/systems/etna/shlink.nix
+++ b/systems/etna/shlink.nix
@ -1,4 +1,4 @@
-_: {
+{
  cfTunnels."uku.moe" = "http://localhost:8081";

  virtualisation.oci-containers.containers.shlink = {
--- a/systems/etna/uku.nix
+++ b/systems/etna/uku.nix
@ -1,31 +1,32 @@
 {
  config,
-  mkSecrets,
+  _utils,
  api-rs,
  ukubot-rs,
  ...
-}: {
+}: let
+  secrets = _utils.setupSecrets config {
+    secrets = ["apiRsEnv" "ukubotRsEnv"];
+  };
+in {
  imports = [
    api-rs.nixosModules.default
    ukubot-rs.nixosModules.default
-  ];

-  age.secrets = mkSecrets {
-    apiRsEnv = {};
-    ukubotRsEnv = {};
-  };
+    secrets.generate
+  ];

  cfTunnels."api.uku3lig.net" = "http://localhost:5000";

  services = {
    api-rs = {
      enable = true;
-      environmentFile = config.age.secrets.apiRsEnv.path;
+      environmentFile = secrets.get "apiRsEnv";
    };

    ukubot-rs = {
      enable = true;
-      environmentFile = config.age.secrets.ukubotRsEnv.path;
+      environmentFile = secrets.get "ukubotRsEnv";
    };
  };
 }
--- a/systems/etna/vaultwarden.nix
+++ b/systems/etna/vaultwarden.nix
@ -1,4 +1,4 @@
-_: {
+{
  cfTunnels."bw.uku3lig.net" = "http://localhost:8222";

  services.vaultwarden = {