From b8d70622285811ff4b40ce09140d08c956b7d331 Mon Sep 17 00:00:00 2001 From: uku Date: Mon, 29 Jul 2024 10:58:43 +0200 Subject: [PATCH] feat: add utility functions --- configs/common.nix | 8 +- global/utils.nix | 56 ++++++++++++++ systems/default.nix | 4 +- systems/etna/default.nix | 59 +++++++-------- systems/etna/dendrite.nix | 11 ++- systems/etna/forgejo.nix | 14 ++-- systems/etna/metrics.nix | 2 +- systems/etna/minecraft.nix | 143 ++++++++++++----------------------- systems/etna/nextcloud.nix | 13 ++-- systems/etna/shlink.nix | 2 +- systems/etna/uku.nix | 19 ++--- systems/etna/vaultwarden.nix | 2 +- 12 files changed, 177 insertions(+), 156 deletions(-) create mode 100644 global/utils.nix diff --git a/configs/common.nix b/configs/common.nix index 488919a..32ce54e 100644 --- a/configs/common.nix +++ b/configs/common.nix @@ -2,6 +2,7 @@ lib, pkgs, config, + _utils, nixpkgs, agenix, home-manager, @@ -9,6 +10,8 @@ }: let username = "leo"; stateVersion = "23.11"; + + rootPassword = _utils.setupSingleSecret config "rootPassword" {}; in { imports = [ agenix.nixosModules.default @@ -16,6 +19,8 @@ in { (lib.mkAliasOptionModule ["hm"] ["home-manager" "users" username]) + rootPassword.generate + ../programs/fish.nix ../programs/git.nix ../programs/rust.nix @@ -26,7 +31,6 @@ in { identityPaths = ["/etc/age/key"]; secrets = { - rootPassword.file = ../secrets/${config.networking.hostName}/rootPassword.age; userPassword.file = ../secrets/userPassword.age; tailscaleKey.file = ../secrets/tailscaleKey.age; }; @@ -174,7 +178,7 @@ in { root = { shell = pkgs.fish; - hashedPasswordFile = config.age.secrets.rootPassword.path; + hashedPasswordFile = rootPassword.path; }; }; diff --git a/global/utils.nix b/global/utils.nix new file mode 100644 index 0000000..7b46df8 --- /dev/null +++ b/global/utils.nix 
@@ -0,0 +1,56 @@ +{lib, ...}: { + setupSecrets = _config: { + secrets, + extra ? {}, + }: let + inherit (_config.networking) hostName; + in { + generate = {age.secrets = lib.genAttrs secrets (name: extra // {file = ../secrets/${hostName}/${name}.age;});}; + get = name: _config.age.secrets.${name}.path; + }; + + setupSingleSecret = _config: name: extra: let + inherit (_config.networking) hostName; + in { + generate = {age.secrets.${name} = extra // {file = ../secrets/${hostName}/${name}.age;};}; + inherit (_config.age.secrets.${name}) path; + }; + + mkMinecraftServer = _config: { + name, + port, + remotePort, + tag ? "java21", + dataDir ? "/var/lib/${name}", + memory ? "4G", + env ? {}, + envFiles ? [], + extraPorts ? [], + }: let + inherit (_config.virtualisation.oci-containers) backend; + in { + virtualisation.oci-containers.containers.${name} = { + image = "itzg/minecraft-server:${tag}"; + ports = ["${builtins.toString port}:25565"] ++ extraPorts; + volumes = ["${dataDir}:/data"]; + environmentFiles = envFiles; + environment = + { + EULA = "true"; + MEMORY = memory; + } + // env; + }; + + services.frp.settings.proxies = [ + { + inherit name remotePort; + type = "tcp"; + localIp = "127.0.0.1"; + localPort = port; + } + ]; + + systemd.services."${backend}-${name}".serviceConfig.TimeoutSec = "300"; + }; +} diff --git a/systems/default.nix b/systems/default.nix index 19cd98e..51181cd 100644 --- a/systems/default.nix +++ b/systems/default.nix @@ -3,6 +3,8 @@ inputs, ... }: let + _utils = import ../global/utils.nix {inherit lib;}; + toSystem = name: { role, system, @@ -19,7 +21,7 @@ {networking.hostName = name;} ]; - specialArgs = inputs; + specialArgs = inputs // {inherit _utils;}; }; in { flake.nixosConfigurations = lib.mapAttrs toSystem { diff --git a/systems/etna/default.nix b/systems/etna/default.nix index 9a739f9..49124db 100644 --- a/systems/etna/default.nix +++ b/systems/etna/default.nix 
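Review bot: The helpers in the new global/utils.nix carry no documentation of their contract, and the contract is non-obvious: `path` (and `get`) read `_config.age.secrets.<name>`, which only exists once the module returned in `generate` has been merged, so every caller must list `.generate` in its `imports` or evaluation fails with a missing-attribute error at the use site rather than at the definition. A header comment above `setupSecrets` stating that `generate` is a NixOS module to import, that `path`/`get` are only valid once it is imported, and that the secret file is always `secrets/<hostName>/<name>.age` relative to the repository root would save the next reader from tracing this through agenix. Note also that `extra // {file = …}` pins `file`, so a host-independent secret such as `userPassword` in configs/common.nix cannot go through the helper — presumably intentional, but worth one line saying so. In `mkMinecraftServer`, `ports = ["${builtins.toString port}:25565"]` publishes the container port on every host address while the frp proxy only needs `localIp = "127.0.0.1"`; if the tunnel is the only intended entry point, `"127.0.0.1:${builtins.toString port}:25565"` keeps the server from being reachable directly, since Docker-published ports typically bypass the NixOS firewall rules.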
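Review bot: `specialArgs = inputs // {inherit _utils;}` deserves a comment explaining why `_utils` goes through `specialArgs` rather than `_module.args`: the etna modules use it to build entries of `imports` (e.g. `secret.generate`), and `imports` is resolved before the config fixpoint, so a `_module.args` value would not be usable there. Suggest `# _utils must be a specialArg: modules use it inside imports, which cannot read _module.args`. The `_` prefix on a shared helper set reads as "private" by convention; if it is meant to avoid clashing with a flake input named `utils`, a short comment saying so would avoid the question being re-asked.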
@@ -1,41 +1,34 @@ { lib, + pkgs, config, - pkgs, # required for fudgeMyShitIn + _utils, ... -} @ args: let +}: let tunnelId = "57f51ad7-25a0-45f3-b113-0b6ae0b2c3e5"; - secretsPath = ../../secrets/etna; - mkSecrets = builtins.mapAttrs (name: value: value // {file = "${secretsPath}/${name}.age";}); - mkSecret = name: other: mkSecrets {${name} = other;}; - - fudgeMyShitIn = builtins.map (file: import file (args // {inherit mkSecret mkSecrets;})); -in { - imports = - [ - (lib.mkAliasOptionModule ["cfTunnels"] ["services" "cloudflared" "tunnels" tunnelId "ingress"]) - ] - ++ fudgeMyShitIn [ - ./minecraft.nix - ./dendrite.nix - ./nextcloud.nix - ./reposilite.nix - ./uku.nix - ./vaultwarden.nix - ./forgejo.nix - ./shlink.nix - ./metrics.nix - ]; - - age.secrets = mkSecrets { - tunnelCreds = { - owner = "cloudflared"; - group = "cloudflared"; - }; - - frpToken = {}; + frpSecret = _utils.setupSingleSecret config "frpToken" {}; + cfTunnelSecret = _utils.setupSingleSecret config "tunnelCreds" { + owner = "cloudflared"; + group = "cloudflared"; }; +in { + imports = [ + (lib.mkAliasOptionModule ["cfTunnels"] ["services" "cloudflared" "tunnels" tunnelId "ingress"]) + + frpSecret.generate + cfTunnelSecret.generate + + ./minecraft.nix + ./dendrite.nix + ./nextcloud.nix + ./reposilite.nix + ./uku.nix + ./vaultwarden.nix + ./forgejo.nix + ./shlink.nix + ./metrics.nix + ]; boot = { kernelPackages = lib.mkForce pkgs.linuxPackages_6_1; @@ -68,11 +61,11 @@ in { cloudflared = { enable = true; tunnels.${tunnelId} = { - credentialsFile = config.age.secrets.tunnelCreds.path; + credentialsFile = cfTunnelSecret.path; default = "http_status:404"; }; }; }; - systemd.services.frp.serviceConfig.EnvironmentFile = config.age.secrets.frpToken.path; + systemd.services.frp.serviceConfig.EnvironmentFile = frpSecret.path; } diff --git a/systems/etna/dendrite.nix b/systems/etna/dendrite.nix index f08e248..689c955 100644 --- a/systems/etna/dendrite.nix +++ b/systems/etna/dendrite.nix 
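Review bot: The `let` bindings are named differently from the secrets they wrap (`frpSecret` for `"frpToken"`, `cfTunnelSecret` for `"tunnelCreds"`), so a reader grepping for a file under `secrets/etna/` will not find its use site; dendrite.nix (`secretKey` for `"dendriteKey"`) and nextcloud.nix (`adminPass` for `"nextcloudAdminPass"`) do the same, while forgejo.nix keeps the names aligned. Naming the binding after the secret, `frpToken = _utils.setupSingleSecret config "frpToken" {};`, keeps the two in step across all modules.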
@@ -1,9 +1,12 @@ { config, - mkSecret, + _utils, ... -}: { - age.secrets = mkSecret "dendriteKey" {}; +}: let + secretKey = _utils.setupSingleSecret config "dendriteKey" {}; +in { + imports = [secretKey.generate]; + cfTunnels."m.uku.moe" = "http://localhost:80"; systemd.services.dendrite = { @@ -22,7 +25,7 @@ in { enable = true; httpPort = 8008; - loadCredential = ["private_key:${config.age.secrets.dendriteKey.path}"]; + loadCredential = ["private_key:${secretKey.path}"]; settings = { global = { diff --git a/systems/etna/forgejo.nix b/systems/etna/forgejo.nix index 51eea66..170fb8e 100644 --- a/systems/etna/forgejo.nix +++ b/systems/etna/forgejo.nix @@ -1,14 +1,16 @@ { config, - mkSecret, + _utils, ... -}: { - cfTunnels."git.uku3lig.net" = "http://localhost:3000"; - - age.secrets = mkSecret "turnstileSecret" { +}: let + turnstileSecret = _utils.setupSingleSecret config "turnstileSecret" { owner = "forgejo"; group = "forgejo"; }; +in { + imports = [turnstileSecret.generate]; + + cfTunnels."git.uku3lig.net" = "http://localhost:3000"; services = { forgejo = { @@ -20,7 +22,7 @@ }; secrets = { - service.CF_TURNSTILE_SECRET = config.age.secrets.turnstileSecret.path; + service.CF_TURNSTILE_SECRET = turnstileSecret.path; }; settings = { diff --git a/systems/etna/metrics.nix b/systems/etna/metrics.nix index 0a1fd15..078563a 100644 --- a/systems/etna/metrics.nix +++ b/systems/etna/metrics.nix @@ -1,4 +1,4 @@ -{...}: { +{ cfTunnels."grafana.uku3lig.net" = "http://localhost:2432"; services.grafana = { diff --git a/systems/etna/minecraft.nix b/systems/etna/minecraft.nix index 02e446e..ffc16e2 100644 --- a/systems/etna/minecraft.nix +++ b/systems/etna/minecraft.nix 
@@ -2,107 +2,64 @@ lib, pkgs, config, - mkSecret, + _utils, ... }: let inherit (config.virtualisation.oci-containers) backend; - mkMinecraftServer = name: { - port, - remotePort, - tag ? "java21", - dataDir ? "/var/lib/${name}", - memory ? "4G", - env ? {}, - extraPorts ? [], - }: { - virtualisation.oci-containers.containers.${name} = { - image = "itzg/minecraft-server:${tag}"; - ports = ["${builtins.toString port}:25565"] ++ extraPorts; - volumes = ["${dataDir}:/data"]; - environmentFiles = [config.age.secrets.minecraftEnv.path]; - environment = - { - EULA = "true"; - MEMORY = memory; - } - // env; + secret = _utils.setupSingleSecret config "minecraftEnv" {}; + + atm9 = _utils.mkMinecraftServer config { + name = "atm9"; + port = 25565; + remotePort = 6004; + tag = "java17"; + memory = "8G"; + envFiles = [secret.path]; + env = { + USE_AIKAR_FLAGS = "true"; + MOD_PLATFORM = "AUTO_CURSEFORGE"; + CF_SLUG = "all-the-mods-9"; + CF_FILE_ID = "5458414"; }; - - services.frp.settings.proxies = [ - { - inherit name remotePort; - type = "tcp"; - localIp = "127.0.0.1"; - localPort = port; - } - ]; - - systemd.services."${backend}-${name}".serviceConfig.TimeoutSec = "300"; }; - recursiveMerge = attrList: - with lib; let - f = attrPath: - zipAttrsWith ( - n: values: - if tail values == [] - then head values - else if all isList values - then unique (concatLists values) - else if all isAttrs values - then f (attrPath ++ [n]) values - else last values - ); - in - f [] attrList; - - mkMinecraftServers = attrs: recursiveMerge (lib.mapAttrsToList mkMinecraftServer attrs); -in - lib.recursiveUpdate { - age.secrets = mkSecret "minecraftEnv" {}; - - virtualisation.oci-containers.backend = "docker"; - - systemd.services.restart-minecraft-servers = { - wantedBy = ["multi-user.target"]; - script = '' - ${lib.getExe' pkgs.systemd "systemctl"} restart ${backend}-*.service - ''; - serviceConfig.Type = "oneshot"; + lynn = _utils.mkMinecraftServer config { + name = "lynn"; + port = 25567; + 
remotePort = 6002; + memory = "4G"; + envFiles = [secret.path]; + env = { + USE_AIKAR_FLAGS = "true"; + TYPE = "MODRINTH"; + MODRINTH_MODPACK = "https://modrinth.com/modpack/adrenaserver/version/1.6.0+1.20.6.fabric"; }; + }; +in { + imports = [ + secret.generate - systemd.timers.restart-minecraft-servers = { - wantedBy = ["timers.target"]; - timerConfig = { - OnCalendar = "*-*-* 05:00:00"; - Persistent = true; - Unit = "restart-minecraft-servers.service"; - }; - }; - } - (mkMinecraftServers { - atm9 = { - port = 25565; - remotePort = 6004; - tag = "java17"; - memory = "8G"; - env = { - USE_AIKAR_FLAGS = "true"; - MOD_PLATFORM = "AUTO_CURSEFORGE"; - CF_SLUG = "all-the-mods-9"; - CF_FILE_ID = "5458414"; - }; - }; + atm9 + lynn + ]; - lynn = { - port = 25567; - remotePort = 6002; - memory = "4G"; - env = { - USE_AIKAR_FLAGS = "true"; - TYPE = "MODRINTH"; - MODRINTH_MODPACK = "https://modrinth.com/modpack/adrenaserver/version/1.6.0+1.20.6.fabric"; - }; + virtualisation.oci-containers.backend = "docker"; + + systemd.services.restart-minecraft-servers = { + wantedBy = ["multi-user.target"]; + script = '' + ${lib.getExe' pkgs.systemd "systemctl"} restart ${backend}-*.service + ''; + serviceConfig.Type = "oneshot"; + }; + + systemd.timers.restart-minecraft-servers = { + wantedBy = ["timers.target"]; + timerConfig = { + OnCalendar = "*-*-* 05:00:00"; + Persistent = true; + Unit = "restart-minecraft-servers.service"; }; - }) + }; +} diff --git a/systems/etna/nextcloud.nix b/systems/etna/nextcloud.nix index 083dde4..fe30223 100644 --- a/systems/etna/nextcloud.nix +++ b/systems/etna/nextcloud.nix 
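Review bot: `restart-minecraft-servers` still runs `systemctl restart ${backend}-*.service`, which with `backend = "docker"` matches every oci-container unit on etna — including `docker-shlink.service` from shlink.nix — not only the two Minecraft servers, so the URL shortener is also restarted at 05:00 daily. If the daily restart is meant only for the game servers, as the unit name suggests, the list can now be derived from the declared names instead of a glob, e.g. `restart ${lib.concatMapStringsSep " " (n: "${backend}-${n}.service") ["atm9" "lynn"]}`. The helper also no longer defaults `environmentFiles` to the minecraftEnv secret, so the env file is opt-in via `envFiles`; a one-line comment on `secret` noting that both servers intentionally share it would make that explicit. The hunk starts at line 2, so the module's opening `{` lies outside it.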
@@ -1,14 +1,17 @@ { - config, pkgs, - mkSecret, + config, + _utils, ... -}: { - age.secrets = mkSecret "nextcloudAdminPass" { +}: let + adminPass = _utils.setupSingleSecret config "nextcloudAdminPass" { owner = config.users.users.nextcloud.name; group = config.users.users.nextcloud.name; }; +in { + imports = [adminPass.generate]; + # nextcloud generates nginx config cfTunnels."cloud.uku3lig.net" = "http://localhost:80"; services.nextcloud = { @@ -22,7 +25,7 @@ configureRedis = true; config = { - adminpassFile = config.age.secrets.nextcloudAdminPass.path; + adminpassFile = adminPass.path; }; }; } diff --git a/systems/etna/shlink.nix b/systems/etna/shlink.nix index de61ad1..62b4a54 100644 --- a/systems/etna/shlink.nix +++ b/systems/etna/shlink.nix @@ -1,4 +1,4 @@ -_: { +{ cfTunnels."uku.moe" = "http://localhost:8081"; virtualisation.oci-containers.containers.shlink = { diff --git a/systems/etna/uku.nix b/systems/etna/uku.nix index a61a6e1..ed0e3ad 100644 --- a/systems/etna/uku.nix +++ b/systems/etna/uku.nix @@ -1,31 +1,32 @@ { config, - mkSecrets, + _utils, api-rs, ukubot-rs, ... -}: { +}: let + secrets = _utils.setupSecrets config { + secrets = ["apiRsEnv" "ukubotRsEnv"]; + }; +in { imports = [ api-rs.nixosModules.default ukubot-rs.nixosModules.default - ]; - age.secrets = mkSecrets { - apiRsEnv = {}; - ukubotRsEnv = {}; - }; + secrets.generate + ]; cfTunnels."api.uku3lig.net" = "http://localhost:5000"; services = { api-rs = { enable = true; - environmentFile = config.age.secrets.apiRsEnv.path; + environmentFile = secrets.get "apiRsEnv"; }; ukubot-rs = { enable = true; - environmentFile = config.age.secrets.ukubotRsEnv.path; + environmentFile = secrets.get "ukubotRsEnv"; }; }; } diff --git a/systems/etna/vaultwarden.nix b/systems/etna/vaultwarden.nix index 3c26987..ed28c09 100644 --- a/systems/etna/vaultwarden.nix +++ b/systems/etna/vaultwarden.nix @@ -1,4 +1,4 @@ -_: { +{ cfTunnels."bw.uku3lig.net" = "http://localhost:8222"; services.vaultwarden = {