gerg-l/nixos
1
0
Fork 0
mirror of https://github.com/Gerg-L/nixos.git synced 2025-12-10 00:43:56 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

vocard: use DynamicUsers

Browse source
This commit is contained in:
Gerg-L 2025-03-02 18:14:25 -05:00
parent 7a2e6450d2
commit af91541557
Signed by: gerg-l
SSH key fingerprint: SHA256:FPYDHIkvMocr4wdmZXpgpJjsb2Tw6rASs2ISPbOb0KI
7 changed files with 111 additions and 117 deletions
Download patch file Download diff file Expand all files Collapse all files

34
nixosConfigurations/gerg-desktop/services/vocard/application.yml
View file

@ -12,41 +12,32 @@ plugins:
# The clients to use for track loading. See below for a list of valid clients.
# Clients are queried in the order they are given (so the first client is queried first and so on...)
clients:
- MUSIC
- TVHTML5EMBEDDED
- TV
- ANDROID_VR
- WEB
- WEBEMBEDDED
oauth:
enabled: true
refreshToken: "@refresh_token@"
# name: # Name of the plugin
# some_key: some_value # Some key-value pair for the plugin
# another_key: another_value
# Set with env vars
#refreshToken: ""
lavalink:
plugins:
- dependency: "dev.lavalink.youtube:youtube-plugin:1.11.5"
snapshot: false
# setting "enabled: true" is the bare minimum to get OAuth working.
enabled: true
# - dependency: "com.github.example:example-plugin:1.0.0" # required, the coordinates of your plugin
# repository: "https://maven.example.com/releases" # optional, defaults to the Lavalink releases repository by default
# snapshot: false # optional, defaults to false, used to tell Lavalink to use the snapshot repository instead of the release repository
# pluginsDir: "./plugins" # optional, defaults to "./plugins"
# defaultPluginRepository: "https://maven.lavalink.dev/releases" # optional, defaults to the Lavalink release repository
# defaultPluginSnapshotRepository: "https://maven.lavalink.dev/snapshots" # optional, defaults to the Lavalink snapshot repository
# Set with env vars
#pluginsDir: ""
server:
password: "@password@"
# Set with env vars
#password: ""
sources:
# The default Youtube source is now deprecated and won't receive further updates. Please use https://github.com/lavalink-devs/youtube-source#plugin instead.
youtube: false
bandcamp: true
soundcloud: true
twitch: true
vimeo: true
nico: true
http: true # warning: keeping HTTP enabled without a proxy configured could expose your server's IP address.
http: true
local: false
filters: # All filters are enabled by default
volume: true
@ -95,14 +86,10 @@ metrics:
sentry:
dsn: ""
environment: ""
# tags:
# some_key: some_value
# another_key: another_value
logging:
file:
path: ./logs/
path: null
level:
root: INFO
lavalink: INFO
@ -116,7 +103,6 @@ logging:
includePayload: true
maxPayloadLength: 10000
logback:
rollingpolicy:
max-file-size: 1GB

13
nixosConfigurations/gerg-desktop/services/vocard/secrets.yaml
View file

@ -1,11 +1,10 @@
vocard:
token: ENC[AES256_GCM,data:CCu4yOw4Fvwyx0KkYIikiz3VY2xTPbBx1q92W7FBTp+5fU+UP7yuAwZMWWZtzKdEyypzlk5uJ4tJRwUHqq62EnJqYj4wCVcr,iv:/Nxr9QPjEa67Xxn+tz3TRrcNG+cqEPVsqdjjxLp7R+k=,tag:LcVRrGorxvljJqpgs2bSoA==,type:str]
client_id: ENC[AES256_GCM,data:yd9vcUVxMpAKiPzl1hDI9EJhzA==,iv:dzB8ls0k5kWd+qtbSAkSfAXO0dxIUwdjppGYMkc+OHg=,tag:l1M4XTs79fszfNcFXSzVVg==,type:str]
token: ENC[AES256_GCM,data:aNRKBA94pqMCsRypIiVEmNMQK6cKCWa7pHC8dNpYSYGrn58i5PF+ByoR0k6AgGagBCtp//1fb9JzDHHLBKEbx5DH8J3B/D+F,iv:65zw7RZbFPvvBxz09OTnAci/dugbEvNj48ObxpYcmLE=,tag:Kcx0X+6mtm50S51c06oJ8g==,type:str]
client_id: ENC[AES256_GCM,data:E490VeSSfy4q7Ztc+7mng3LcAg==,iv:iLLhg7/okFFFGNSOPH7JmOGeMjcjzk1AdtkhgZbGx9Y=,tag:gWKPUjlqVTKqOzzdFHP+FQ==,type:str]
spotify_client_id: ENC[AES256_GCM,data:uwqtWL7JZnN6FsPfTxtBjEgjE7qwGcKbDnloO6SNWs4=,iv:HMZ42J2oXavE4NZCmP1MUVZ+s9Px4XBDRWIbCcl6dYs=,tag:iO8hn8mlNGS1dcLBwwl/AQ==,type:str]
spotify_client_secret: ENC[AES256_GCM,data:YnfLj7RPTaucpZCqnel2gStd8oBcbWnL4/+KnkyT4u0=,iv:W6gXch7jH5jFp0PJy0LZ7vq1yCtO1NLbCTR3N6r47nQ=,tag:ct5Y786N6qVkZCts6pZniQ==,type:str]
lavalink:
refresh_token: ENC[AES256_GCM,data:xiPmWhJTQ4OBIeB98t8qtDVQ7e/KVcThTmw5KE0VCIPfm6g7sOzXt7f91nSXX3wBvmy3tX+xii9/rp4dAg3b3/NYL4uHnLsKjM1wGTSH+KuCkbmJZDNYEk2OMSOlAK2x0yAMvpFB,iv:IdITL9x+yfVzf9yqDgJPUBok0Zn/CtN0CVF4AGIcgj8=,tag:DvQChj3Mng47LvNBYd6NAg==,type:str]
password: ENC[AES256_GCM,data:boIoVKGcXWAaKx6rOH1w1awTGfc=,iv:mX8WaaeeQXqyVuM5oA5tUUG7h7C0rV9QAVoHW/InyPc=,tag:Q/P3T5o1CMlbxe+UWyOP3A==,type:str]
password: ENC[AES256_GCM,data:7yGTh6LPtoZvJgSvLvbZQ5Gx0Xw=,iv:UKy14fJZhn5EwtMxd6vZ5X55Tk3iOW7UUF9GVXyhup8=,tag:bKoNLltZQPgmT2mv7kDSQw==,type:str]
lavalink: ENC[AES256_GCM,data:Ub5baoxk8fOtchrOKR1YRwgrv/ja8e/9BY1Qaf+njDnvATSrRTcsvNZYU+YZb7OnJjfGRC5qytZo7T0ZBqHSFEdqvZToBHj0nVDTrXnbCm5o+NLKegCkofMG0c3D7JOB6lsc/0zBh8DF+i2M/Z5PNfmeE5Woe8Ev4gZEKyXQmFswULC5tsUqtnf7itQinf+FPDYqKA8Fi90JRWADt/XM1xRRZ4k5QthJ3kIQjYLa4+EOiSTAwIGxAvljl8c=,iv:cdpyakU0/eolOnamevITA4CKpNkU8lRYsOYFOUW8mO8=,tag:dT5lGvsUZDO5Esjyrn77Dg==,type:str]
sops:
kms: []
gcp_kms: []
@ -21,8 +20,8 @@ sops:
WC9NVmdtWjlWSWN6dUwwMFdPRmpxWG8Ka0i27kBbA4p835RWsEPIghFTwxo4elOz
PL0TnuMNnl66TJiD0x6oRMn8tb6wQIAqGxBt9Jb2lj24eXCtzfGbEg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-02-26T22:57:12Z"
mac: ENC[AES256_GCM,data:mb/kTo9zPyLbDJlvh6+P9GTzTVzVt7RMBnzS/qMDUvUR9OAP+zSt1Vf80oXnO3WqRncgRrIi1k3oKeipKHdTxmzXae+jefh7oOMGCeXI51IlnOhkA0MBgrN/jSMwEinYmqDGemzB7ff9quATtm8N/SoxepkR1ddikgEX6Zfr0mw=,iv:yTm2at3lgb1uWCsETw/XpDdrfKv5/8b1oxU2Eq89tbk=,tag:AP8vrUHejq2gsnkSBWHKyA==,type:str]
lastmodified: "2025-03-02T22:44:35Z"
mac: ENC[AES256_GCM,data:dwm0LX9/56Vy2r962RrQx+NNUoTBOs80Jvo25+ZKnixZUPuUdeNS0VXdFRMXLQiUEBzTIBhfVYOzAjSq3XwFvR1q+sQyYizmCLowHnPcicu/0j9qlNRtIItMRk21LMwytG57OgRFLs1RGnvhAYanLyGrqm2mHUWlKKd6C8BdgiE=,iv:UBIYoZyMp2A1hKiWd9+akuxnnAg/TTHYSaiWkInso0I=,tag:Mcfykfj9aKzpf47Pr2XExw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4

138
nixosConfigurations/gerg-desktop/services/vocard/vocard.nix
View file

@ -6,82 +6,66 @@
{
sops = {
secrets =
builtins.mapAttrs
(
_: v:
v
// {
sopsFile = ./secrets.yaml;
}
)
{
"vocard/token" = { };
"vocard/client_id" = { };
"vocard/spotify_client_id" = { };
"vocard/spotify_client_secret" = { };
"lavalink/refresh_token" = { };
"lavalink/password" = { };
{
lavalink = {
sopsFile = ./secrets.yaml;
restartUnits = [
"vocard.service"
"lavalink.service"
];
};
templates = {
vocard = {
path = "/persist/services/vocard/settings.json";
restartUnits = [
"vocard.service"
"lavalink.service"
];
content =
builtins.replaceStrings
[
"@token@"
"@client_id@"
"@spotify_client_id@"
"@spotify_client_secret@"
"@password@"
]
[
config.sops.placeholder."vocard/token"
config.sops.placeholder."vocard/client_id"
config.sops.placeholder."vocard/spotify_client_id"
config.sops.placeholder."vocard/spotify_client_secret"
config.sops.placeholder."lavalink/password"
]
(builtins.readFile ./settings.json);
};
}
// builtins.listToAttrs (
map
(x: {
name = "vocard/${x}";
value.sopsFile = ./secrets.yaml;
})
[
"token"
"client_id"
"spotify_client_id"
"spotify_client_secret"
"password"
]
);
lavalink = {
path = "/persist/services/lavalink/application.yml";
restartUnits = [
"vocard.service"
"lavalink.service"
];
content =
builtins.replaceStrings
[
"@refresh_token@"
"@password@"
]
[
config.sops.placeholder."lavalink/refresh_token"
config.sops.placeholder."lavalink/password"
]
(builtins.readFile ./application.yml);
};
templates.vocard = {
restartUnits = [
"vocard.service"
"lavalink.service"
];
content =
builtins.replaceStrings
[
"@token@"
"@client_id@"
"@spotify_client_id@"
"@spotify_client_secret@"
"@password@"
]
(builtins.attrValues {
inherit (config.sops.placeholder)
"vocard/token"
"vocard/client_id"
"vocard/spotify_client_id"
"vocard/spotify_client_secret"
"vocard/password"
;
})
(builtins.readFile ./settings.json);
};
};
systemd.tmpfiles.rules = [
"d /persist/services/vocard - - - - -"
"d /persist/services/lavalink - - - - -"
];
systemd.services = {
vocard = {
wantedBy = [ "multi-user.target" ];
wants = [
bindsTo = [ "lavalink.service" ];
requires = [
"network-online.target"
"lavalink.service"
"ferretdb.service"
];
after = [
@ -92,7 +76,8 @@
];
serviceConfig = {
ExecStart = lib.getExe self'.packages.vocard;
WorkingDirectory = "/persist/services/vocard";
DynamicUser = true;
LoadCredential = "settings.json:${config.sops.templates.vocard.path}";
Restart = "on-failure";
RestartSec = "30s";
};
@ -104,9 +89,13 @@
"syslog.target"
"network-online.target"
];
environment.LAVALINK_PLUGINS_DIR = self'.packages.lavalinkPlugins;
serviceConfig = {
ExecStart = lib.getExe self'.packages.lavalink;
WorkingDirectory = "/persist/services/lavalink";
ExecStart = "${lib.getExe self'.packages.lavalink} --spring.config.location='file:${./application.yml}'";
DynamicUser = true;
EnvironmentFile = config.sops.secrets.lavalink.path;
Restart = "on-failure";
RestartSec = "30s";
};
@ -114,4 +103,15 @@
};
services.ferretdb.enable = true;
systemd.mounts = [
{
what = "/persist/services/ferretdb";
where = "/var/lib/private/ferretdb";
wantedBy = [ "ferretdb.service" ];
bindsTo = [ "ferretdb.service" ];
type = "none";
options = "bind";
}
];
}