feat: add utility functions
This commit is contained in:
parent
ca71ddac8c
commit
b8d7062228
12 changed files with 177 additions and 156 deletions
|
@ -2,6 +2,7 @@
|
|||
lib,
|
||||
pkgs,
|
||||
config,
|
||||
_utils,
|
||||
nixpkgs,
|
||||
agenix,
|
||||
home-manager,
|
||||
|
@ -9,6 +10,8 @@
|
|||
}: let
|
||||
username = "leo";
|
||||
stateVersion = "23.11";
|
||||
|
||||
rootPassword = _utils.setupSingleSecret config "rootPassword" {};
|
||||
in {
|
||||
imports = [
|
||||
agenix.nixosModules.default
|
||||
|
@ -16,6 +19,8 @@ in {
|
|||
|
||||
(lib.mkAliasOptionModule ["hm"] ["home-manager" "users" username])
|
||||
|
||||
rootPassword.generate
|
||||
|
||||
../programs/fish.nix
|
||||
../programs/git.nix
|
||||
../programs/rust.nix
|
||||
|
@ -26,7 +31,6 @@ in {
|
|||
identityPaths = ["/etc/age/key"];
|
||||
|
||||
secrets = {
|
||||
rootPassword.file = ../secrets/${config.networking.hostName}/rootPassword.age;
|
||||
userPassword.file = ../secrets/userPassword.age;
|
||||
tailscaleKey.file = ../secrets/tailscaleKey.age;
|
||||
};
|
||||
|
@ -174,7 +178,7 @@ in {
|
|||
|
||||
root = {
|
||||
shell = pkgs.fish;
|
||||
hashedPasswordFile = config.age.secrets.rootPassword.path;
|
||||
hashedPasswordFile = rootPassword.path;
|
||||
};
|
||||
};
|
||||
|
||||
|
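Review bot: The `secrets = { userPassword.file = ../secrets/userPassword.age; tailscaleKey.file = ...; }` block now declares `age.secrets` by a second route next to `rootPassword.generate` in `imports`, and nothing says why the two host-independent secrets were not migrated. Since `_utils.setupSingleSecret` resolves only `../secrets/<hostName>/<name>.age`, a one-line comment above that block, `# shared secrets (not per-host); setupSingleSecret only handles ../secrets/<hostName>/`, would stop the next reader from trying to move them. The module continues outside the hunks shown here.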
|
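--- /dev/null
+++ b/global/utils.nix
@@ -0,0 +1,56 @@
+{lib, ...}: {
+setupSecrets = _config: {
+secrets,
+extra ? {},
+}: let
+inherit (_config.networking) hostName;
+in {
+generate = {age.secrets = lib.genAttrs secrets (name: extra // {file = ../secrets/${hostName}/${name}.age;});};
+get = name: _config.age.secrets.${name}.path;
+};
+
+setupSingleSecret = _config: name: extra: let
+inherit (_config.networking) hostName;
+in {
+generate = {age.secrets.${name} = extra // {file = ../secrets/${hostName}/${name}.age;};};
+inherit (_config.age.secrets.${name}) path;
+};
+
+mkMinecraftServer = _config: {
+name,
+port,
+remotePort,
+tag ? "java21",
+dataDir ? "/var/lib/${name}",
+memory ? "4G",
+env ? {},
+envFiles ? [],
+extraPorts ? [],
+}: let
+inherit (_config.virtualisation.oci-containers) backend;
+in {
+virtualisation.oci-containers.containers.${name} = {
+image = "itzg/minecraft-server:${tag}";
+ports = ["${builtins.toString port}:25565"] ++ extraPorts;
+volumes = ["${dataDir}:/data"];
+environmentFiles = envFiles;
+environment =
+{
+EULA = "true";
+MEMORY = memory;
+}
+// env;
+};
+
+services.frp.settings.proxies = [
+{
+inherit name remotePort;
+type = "tcp";
+localIp = "127.0.0.1";
+localPort = port;
+}
+];
+
+systemd.services."${backend}-${name}".serviceConfig.TimeoutSec = "300";
+};
+}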
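Review bot: `ports = ["${builtins.toString port}:25565"] ++ extraPorts;` in `mkMinecraftServer` publishes the container port with no host address, so with the docker backend this commit keeps (`virtualisation.oci-containers.backend = "docker";` in minecraft.nix) it is bound on every host interface and typically bypasses the NixOS firewall, even though the frp proxy right below only ever connects to `localIp = "127.0.0.1"`. If the servers are meant to be reached only through frp, bind to loopback, `ports = ["127.0.0.1:${builtins.toString port}:25565"] ++ extraPorts;`, and otherwise state the intended exposure in a comment on that line. `setupSecrets.get` accepts any name, so a typo surfaces as a generic missing-attribute error far from the declaration; `get = name: assert lib.elem name secrets; _config.age.secrets.${name}.path;` fails at the call site instead. The file has no header comment; a short one saying that every helper takes `_config` explicitly because the file is imported outside the module system (`import ../global/utils.nix {inherit lib;}` in the flake) and that secret files resolve to `../secrets/<hostName>/<name>.age` relative to this file would help.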
|
@ -3,6 +3,8 @@
|
|||
inputs,
|
||||
...
|
||||
}: let
|
||||
_utils = import ../global/utils.nix {inherit lib;};
|
||||
|
||||
toSystem = name: {
|
||||
role,
|
||||
system,
|
||||
|
@ -19,7 +21,7 @@
|
|||
{networking.hostName = name;}
|
||||
];
|
||||
|
||||
specialArgs = inputs;
|
||||
specialArgs = inputs // {inherit _utils;};
|
||||
};
|
||||
in {
|
||||
flake.nixosConfigurations = lib.mapAttrs toSystem {
|
||||
|
|
|
@ -1,22 +1,24 @@
|
|||
{
|
||||
lib,
|
||||
pkgs,
|
||||
config,
|
||||
pkgs, # required for fudgeMyShitIn
|
||||
_utils,
|
||||
...
|
||||
} @ args: let
|
||||
}: let
|
||||
tunnelId = "57f51ad7-25a0-45f3-b113-0b6ae0b2c3e5";
|
||||
|
||||
secretsPath = ../../secrets/etna;
|
||||
mkSecrets = builtins.mapAttrs (name: value: value // {file = "${secretsPath}/${name}.age";});
|
||||
mkSecret = name: other: mkSecrets {${name} = other;};
|
||||
|
||||
fudgeMyShitIn = builtins.map (file: import file (args // {inherit mkSecret mkSecrets;}));
|
||||
frpSecret = _utils.setupSingleSecret config "frpToken" {};
|
||||
cfTunnelSecret = _utils.setupSingleSecret config "tunnelCreds" {
|
||||
owner = "cloudflared";
|
||||
group = "cloudflared";
|
||||
};
|
||||
in {
|
||||
imports =
|
||||
[
|
||||
imports = [
|
||||
(lib.mkAliasOptionModule ["cfTunnels"] ["services" "cloudflared" "tunnels" tunnelId "ingress"])
|
||||
]
|
||||
++ fudgeMyShitIn [
|
||||
|
||||
frpSecret.generate
|
||||
cfTunnelSecret.generate
|
||||
|
||||
./minecraft.nix
|
||||
./dendrite.nix
|
||||
./nextcloud.nix
|
||||
|
@ -28,15 +30,6 @@ in {
|
|||
./metrics.nix
|
||||
];
|
||||
|
||||
age.secrets = mkSecrets {
|
||||
tunnelCreds = {
|
||||
owner = "cloudflared";
|
||||
group = "cloudflared";
|
||||
};
|
||||
|
||||
frpToken = {};
|
||||
};
|
||||
|
||||
boot = {
|
||||
kernelPackages = lib.mkForce pkgs.linuxPackages_6_1;
|
||||
loader.systemd-boot.enable = true;
|
||||
|
@ -68,11 +61,11 @@ in {
|
|||
cloudflared = {
|
||||
enable = true;
|
||||
tunnels.${tunnelId} = {
|
||||
credentialsFile = config.age.secrets.tunnelCreds.path;
|
||||
credentialsFile = cfTunnelSecret.path;
|
||||
default = "http_status:404";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.frp.serviceConfig.EnvironmentFile = config.age.secrets.frpToken.path;
|
||||
systemd.services.frp.serviceConfig.EnvironmentFile = frpSecret.path;
|
||||
}
|
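Review bot: If `pkgs, # required for fudgeMyShitIn` is the argument line that survives on the new side (the rendered page does not show which of the two `pkgs,` lines was removed), its comment is now stale: `fudgeMyShitIn` is deleted in this hunk and `pkgs` is still needed for `kernelPackages = lib.mkForce pkgs.linuxPackages_6_1;`, so it should read `pkgs,` alone or `pkgs, # kernelPackages`. Separately, the secret locations move from the explicit `secretsPath = ../../secrets/etna` to `_utils`, which derives the directory from `config.networking.hostName` (set from the attribute name in the flake), so renaming the host attribute now silently changes which `.age` files are looked up; a comment next to `frpSecret`/`cfTunnelSecret` noting that dependency would be worthwhile.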
||||
|
|
|
@ -1,9 +1,12 @@
|
|||
{
|
||||
config,
|
||||
mkSecret,
|
||||
_utils,
|
||||
...
|
||||
}: {
|
||||
age.secrets = mkSecret "dendriteKey" {};
|
||||
}: let
|
||||
secretKey = _utils.setupSingleSecret config "dendriteKey" {};
|
||||
in {
|
||||
imports = [secretKey.generate];
|
||||
|
||||
cfTunnels."m.uku.moe" = "http://localhost:80";
|
||||
|
||||
systemd.services.dendrite = {
|
||||
|
@ -22,7 +25,7 @@
|
|||
in {
|
||||
enable = true;
|
||||
httpPort = 8008;
|
||||
loadCredential = ["private_key:${config.age.secrets.dendriteKey.path}"];
|
||||
loadCredential = ["private_key:${secretKey.path}"];
|
||||
|
||||
settings = {
|
||||
global = {
|
||||
|
|
|
@ -1,14 +1,16 @@
|
|||
{
|
||||
config,
|
||||
mkSecret,
|
||||
_utils,
|
||||
...
|
||||
}: {
|
||||
cfTunnels."git.uku3lig.net" = "http://localhost:3000";
|
||||
|
||||
age.secrets = mkSecret "turnstileSecret" {
|
||||
}: let
|
||||
turnstileSecret = _utils.setupSingleSecret config "turnstileSecret" {
|
||||
owner = "forgejo";
|
||||
group = "forgejo";
|
||||
};
|
||||
in {
|
||||
imports = [turnstileSecret.generate];
|
||||
|
||||
cfTunnels."git.uku3lig.net" = "http://localhost:3000";
|
||||
|
||||
services = {
|
||||
forgejo = {
|
||||
|
@ -20,7 +22,7 @@
|
|||
};
|
||||
|
||||
secrets = {
|
||||
service.CF_TURNSTILE_SECRET = config.age.secrets.turnstileSecret.path;
|
||||
service.CF_TURNSTILE_SECRET = turnstileSecret.path;
|
||||
};
|
||||
|
||||
settings = {
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{...}: {
|
||||
{
|
||||
cfTunnels."grafana.uku3lig.net" = "http://localhost:2432";
|
||||
|
||||
services.grafana = {
|
||||
|
|
|
@ -2,66 +2,48 @@
|
|||
lib,
|
||||
pkgs,
|
||||
config,
|
||||
mkSecret,
|
||||
_utils,
|
||||
...
|
||||
}: let
|
||||
inherit (config.virtualisation.oci-containers) backend;
|
||||
|
||||
mkMinecraftServer = name: {
|
||||
port,
|
||||
remotePort,
|
||||
tag ? "java21",
|
||||
dataDir ? "/var/lib/${name}",
|
||||
memory ? "4G",
|
||||
env ? {},
|
||||
extraPorts ? [],
|
||||
}: {
|
||||
virtualisation.oci-containers.containers.${name} = {
|
||||
image = "itzg/minecraft-server:${tag}";
|
||||
ports = ["${builtins.toString port}:25565"] ++ extraPorts;
|
||||
volumes = ["${dataDir}:/data"];
|
||||
environmentFiles = [config.age.secrets.minecraftEnv.path];
|
||||
environment =
|
||||
{
|
||||
EULA = "true";
|
||||
MEMORY = memory;
|
||||
}
|
||||
// env;
|
||||
secret = _utils.setupSingleSecret config "minecraftEnv" {};
|
||||
|
||||
atm9 = _utils.mkMinecraftServer config {
|
||||
name = "atm9";
|
||||
port = 25565;
|
||||
remotePort = 6004;
|
||||
tag = "java17";
|
||||
memory = "8G";
|
||||
envFiles = [secret.path];
|
||||
env = {
|
||||
USE_AIKAR_FLAGS = "true";
|
||||
MOD_PLATFORM = "AUTO_CURSEFORGE";
|
||||
CF_SLUG = "all-the-mods-9";
|
||||
CF_FILE_ID = "5458414";
|
||||
};
|
||||
};
|
||||
|
||||
services.frp.settings.proxies = [
|
||||
{
|
||||
inherit name remotePort;
|
||||
type = "tcp";
|
||||
localIp = "127.0.0.1";
|
||||
localPort = port;
|
||||
}
|
||||
lynn = _utils.mkMinecraftServer config {
|
||||
name = "lynn";
|
||||
port = 25567;
|
||||
remotePort = 6002;
|
||||
memory = "4G";
|
||||
envFiles = [secret.path];
|
||||
env = {
|
||||
USE_AIKAR_FLAGS = "true";
|
||||
TYPE = "MODRINTH";
|
||||
MODRINTH_MODPACK = "https://modrinth.com/modpack/adrenaserver/version/1.6.0+1.20.6.fabric";
|
||||
};
|
||||
};
|
||||
in {
|
||||
imports = [
|
||||
secret.generate
|
||||
|
||||
atm9
|
||||
lynn
|
||||
];
|
||||
|
||||
systemd.services."${backend}-${name}".serviceConfig.TimeoutSec = "300";
|
||||
};
|
||||
|
||||
recursiveMerge = attrList:
|
||||
with lib; let
|
||||
f = attrPath:
|
||||
zipAttrsWith (
|
||||
n: values:
|
||||
if tail values == []
|
||||
then head values
|
||||
else if all isList values
|
||||
then unique (concatLists values)
|
||||
else if all isAttrs values
|
||||
then f (attrPath ++ [n]) values
|
||||
else last values
|
||||
);
|
||||
in
|
||||
f [] attrList;
|
||||
|
||||
mkMinecraftServers = attrs: recursiveMerge (lib.mapAttrsToList mkMinecraftServer attrs);
|
||||
in
|
||||
lib.recursiveUpdate {
|
||||
age.secrets = mkSecret "minecraftEnv" {};
|
||||
|
||||
virtualisation.oci-containers.backend = "docker";
|
||||
|
||||
systemd.services.restart-minecraft-servers = {
|
||||
|
@ -81,28 +63,3 @@ in
|
|||
};
|
||||
};
|
||||
}
|
||||
(mkMinecraftServers {
|
||||
atm9 = {
|
||||
port = 25565;
|
||||
remotePort = 6004;
|
||||
tag = "java17";
|
||||
memory = "8G";
|
||||
env = {
|
||||
USE_AIKAR_FLAGS = "true";
|
||||
MOD_PLATFORM = "AUTO_CURSEFORGE";
|
||||
CF_SLUG = "all-the-mods-9";
|
||||
CF_FILE_ID = "5458414";
|
||||
};
|
||||
};
|
||||
|
||||
lynn = {
|
||||
port = 25567;
|
||||
remotePort = 6002;
|
||||
memory = "4G";
|
||||
env = {
|
||||
USE_AIKAR_FLAGS = "true";
|
||||
TYPE = "MODRINTH";
|
||||
MODRINTH_MODPACK = "https://modrinth.com/modpack/adrenaserver/version/1.6.0+1.20.6.fabric";
|
||||
};
|
||||
};
|
||||
})
|
||||
|
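Review bot: Replacing `recursiveMerge` with `imports = [ secret.generate atm9 lynn ]` makes the two `services.frp.settings.proxies` lists returned by `_utils.mkMinecraftServer` merge through the module system instead of `unique (concatLists values)`; that yields both proxies only if `proxies` is a list-typed option that concatenates on merge, so the generated frp config should be checked for both entries after this switch. Both servers also pass `envFiles = [secret.path]`, so the two containers share a single env file; a comment such as `# both servers share the minecraftEnv secret` on the `secret = ...` line would make that deliberate. The second hunk of this file is the matching deletion of the old helpers.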
|
|
@ -1,14 +1,17 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
mkSecret,
|
||||
config,
|
||||
_utils,
|
||||
...
|
||||
}: {
|
||||
age.secrets = mkSecret "nextcloudAdminPass" {
|
||||
}: let
|
||||
adminPass = _utils.setupSingleSecret config "nextcloudAdminPass" {
|
||||
owner = config.users.users.nextcloud.name;
|
||||
group = config.users.users.nextcloud.name;
|
||||
};
|
||||
in {
|
||||
imports = [adminPass.generate];
|
||||
|
||||
# nextcloud generates nginx config
|
||||
cfTunnels."cloud.uku3lig.net" = "http://localhost:80";
|
||||
|
||||
services.nextcloud = {
|
||||
|
@ -22,7 +25,7 @@
|
|||
configureRedis = true;
|
||||
|
||||
config = {
|
||||
adminpassFile = config.age.secrets.nextcloudAdminPass.path;
|
||||
adminpassFile = adminPass.path;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
_: {
|
||||
{
|
||||
cfTunnels."uku.moe" = "http://localhost:8081";
|
||||
|
||||
virtualisation.oci-containers.containers.shlink = {
|
||||
|
|
|
@ -1,31 +1,32 @@
|
|||
{
|
||||
config,
|
||||
mkSecrets,
|
||||
_utils,
|
||||
api-rs,
|
||||
ukubot-rs,
|
||||
...
|
||||
}: {
|
||||
}: let
|
||||
secrets = _utils.setupSecrets config {
|
||||
secrets = ["apiRsEnv" "ukubotRsEnv"];
|
||||
};
|
||||
in {
|
||||
imports = [
|
||||
api-rs.nixosModules.default
|
||||
ukubot-rs.nixosModules.default
|
||||
];
|
||||
|
||||
age.secrets = mkSecrets {
|
||||
apiRsEnv = {};
|
||||
ukubotRsEnv = {};
|
||||
};
|
||||
secrets.generate
|
||||
];
|
||||
|
||||
cfTunnels."api.uku3lig.net" = "http://localhost:5000";
|
||||
|
||||
services = {
|
||||
api-rs = {
|
||||
enable = true;
|
||||
environmentFile = config.age.secrets.apiRsEnv.path;
|
||||
environmentFile = secrets.get "apiRsEnv";
|
||||
};
|
||||
|
||||
ukubot-rs = {
|
||||
enable = true;
|
||||
environmentFile = config.age.secrets.ukubotRsEnv.path;
|
||||
environmentFile = secrets.get "ukubotRsEnv";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
_: {
|
||||
{
|
||||
cfTunnels."bw.uku3lig.net" = "http://localhost:8222";
|
||||
|
||||
services.vaultwarden = {
|
||||
|
|