vocard: use DynamicUsers

Gerg-L 2025-03-02 18:14:25 -05:00
parent 7a2e6450d2
commit af91541557
Signed by: gerg-l
SSH key fingerprint: SHA256:FPYDHIkvMocr4wdmZXpgpJjsb2Tw6rASs2ISPbOb0KI
7 changed files with 111 additions and 117 deletions


@ -12,41 +12,32 @@ plugins:
# The clients to use for track loading. See below for a list of valid clients. # The clients to use for track loading. See below for a list of valid clients.
# Clients are queried in the order they are given (so the first client is queried first and so on...) # Clients are queried in the order they are given (so the first client is queried first and so on...)
clients: clients:
- MUSIC
- TVHTML5EMBEDDED - TVHTML5EMBEDDED
- TV
- ANDROID_VR
- WEB
- WEBEMBEDDED
oauth: oauth:
enabled: true enabled: true
refreshToken: "@refresh_token@" # Set with env vars
# name: # Name of the plugin #refreshToken: ""
# some_key: some_value # Some key-value pair for the plugin
# another_key: another_value
lavalink: lavalink:
plugins: plugins:
- dependency: "dev.lavalink.youtube:youtube-plugin:1.11.5" - dependency: "dev.lavalink.youtube:youtube-plugin:1.11.5"
snapshot: false snapshot: false
# setting "enabled: true" is the bare minimum to get OAuth working. # setting "enabled: true" is the bare minimum to get OAuth working.
enabled: true enabled: true
# - dependency: "com.github.example:example-plugin:1.0.0" # required, the coordinates of your plugin
# repository: "https://maven.example.com/releases" # optional, defaults to the Lavalink releases repository by default # Set with env vars
# snapshot: false # optional, defaults to false, used to tell Lavalink to use the snapshot repository instead of the release repository #pluginsDir: ""
# pluginsDir: "./plugins" # optional, defaults to "./plugins"
# defaultPluginRepository: "https://maven.lavalink.dev/releases" # optional, defaults to the Lavalink release repository
# defaultPluginSnapshotRepository: "https://maven.lavalink.dev/snapshots" # optional, defaults to the Lavalink snapshot repository
server: server:
password: "@password@"
# Set with env vars
#password: ""
sources: sources:
# The default Youtube source is now deprecated and won't receive further updates. Please use https://github.com/lavalink-devs/youtube-source#plugin instead.
youtube: false youtube: false
bandcamp: true bandcamp: true
soundcloud: true soundcloud: true
twitch: true twitch: true
vimeo: true vimeo: true
nico: true nico: true
http: true # warning: keeping HTTP enabled without a proxy configured could expose your server's IP address. http: true
local: false local: false
filters: # All filters are enabled by default filters: # All filters are enabled by default
volume: true volume: true
@ -95,14 +86,10 @@ metrics:
sentry: sentry:
dsn: "" dsn: ""
environment: "" environment: ""
# tags:
# some_key: some_value
# another_key: another_value
logging: logging:
file: file:
path: ./logs/ path: null
level: level:
root: INFO root: INFO
lavalink: INFO lavalink: INFO
@ -116,7 +103,6 @@ logging:
includePayload: true includePayload: true
maxPayloadLength: 10000 maxPayloadLength: 10000
logback: logback:
rollingpolicy: rollingpolicy:
max-file-size: 1GB max-file-size: 1GB
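Review bot: The first hunk drops the inline warning on `http: true` under `sources:` while leaving that source enabled. The HTTP source has Lavalink fetch URLs supplied through the bot, so the removed caveat ("keeping HTTP enabled without a proxy configured could expose your server's IP address") still describes this deployment. Either keep the comment on that line or set `http: false` if direct URL playback is not needed. Since the nix module in this commit now passes the file as `${./application.yml}`, it presumably ends up world-readable in the Nix store, so a short comment saying it must stay free of secrets would also help.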


@ -1,11 +1,10 @@
vocard: vocard:
token: ENC[AES256_GCM,data:CCu4yOw4Fvwyx0KkYIikiz3VY2xTPbBx1q92W7FBTp+5fU+UP7yuAwZMWWZtzKdEyypzlk5uJ4tJRwUHqq62EnJqYj4wCVcr,iv:/Nxr9QPjEa67Xxn+tz3TRrcNG+cqEPVsqdjjxLp7R+k=,tag:LcVRrGorxvljJqpgs2bSoA==,type:str] token: ENC[AES256_GCM,data:aNRKBA94pqMCsRypIiVEmNMQK6cKCWa7pHC8dNpYSYGrn58i5PF+ByoR0k6AgGagBCtp//1fb9JzDHHLBKEbx5DH8J3B/D+F,iv:65zw7RZbFPvvBxz09OTnAci/dugbEvNj48ObxpYcmLE=,tag:Kcx0X+6mtm50S51c06oJ8g==,type:str]
client_id: ENC[AES256_GCM,data:yd9vcUVxMpAKiPzl1hDI9EJhzA==,iv:dzB8ls0k5kWd+qtbSAkSfAXO0dxIUwdjppGYMkc+OHg=,tag:l1M4XTs79fszfNcFXSzVVg==,type:str] client_id: ENC[AES256_GCM,data:E490VeSSfy4q7Ztc+7mng3LcAg==,iv:iLLhg7/okFFFGNSOPH7JmOGeMjcjzk1AdtkhgZbGx9Y=,tag:gWKPUjlqVTKqOzzdFHP+FQ==,type:str]
spotify_client_id: ENC[AES256_GCM,data:uwqtWL7JZnN6FsPfTxtBjEgjE7qwGcKbDnloO6SNWs4=,iv:HMZ42J2oXavE4NZCmP1MUVZ+s9Px4XBDRWIbCcl6dYs=,tag:iO8hn8mlNGS1dcLBwwl/AQ==,type:str] spotify_client_id: ENC[AES256_GCM,data:uwqtWL7JZnN6FsPfTxtBjEgjE7qwGcKbDnloO6SNWs4=,iv:HMZ42J2oXavE4NZCmP1MUVZ+s9Px4XBDRWIbCcl6dYs=,tag:iO8hn8mlNGS1dcLBwwl/AQ==,type:str]
spotify_client_secret: ENC[AES256_GCM,data:YnfLj7RPTaucpZCqnel2gStd8oBcbWnL4/+KnkyT4u0=,iv:W6gXch7jH5jFp0PJy0LZ7vq1yCtO1NLbCTR3N6r47nQ=,tag:ct5Y786N6qVkZCts6pZniQ==,type:str] spotify_client_secret: ENC[AES256_GCM,data:YnfLj7RPTaucpZCqnel2gStd8oBcbWnL4/+KnkyT4u0=,iv:W6gXch7jH5jFp0PJy0LZ7vq1yCtO1NLbCTR3N6r47nQ=,tag:ct5Y786N6qVkZCts6pZniQ==,type:str]
lavalink: password: ENC[AES256_GCM,data:7yGTh6LPtoZvJgSvLvbZQ5Gx0Xw=,iv:UKy14fJZhn5EwtMxd6vZ5X55Tk3iOW7UUF9GVXyhup8=,tag:bKoNLltZQPgmT2mv7kDSQw==,type:str]
refresh_token: ENC[AES256_GCM,data:xiPmWhJTQ4OBIeB98t8qtDVQ7e/KVcThTmw5KE0VCIPfm6g7sOzXt7f91nSXX3wBvmy3tX+xii9/rp4dAg3b3/NYL4uHnLsKjM1wGTSH+KuCkbmJZDNYEk2OMSOlAK2x0yAMvpFB,iv:IdITL9x+yfVzf9yqDgJPUBok0Zn/CtN0CVF4AGIcgj8=,tag:DvQChj3Mng47LvNBYd6NAg==,type:str] lavalink: ENC[AES256_GCM,data:Ub5baoxk8fOtchrOKR1YRwgrv/ja8e/9BY1Qaf+njDnvATSrRTcsvNZYU+YZb7OnJjfGRC5qytZo7T0ZBqHSFEdqvZToBHj0nVDTrXnbCm5o+NLKegCkofMG0c3D7JOB6lsc/0zBh8DF+i2M/Z5PNfmeE5Woe8Ev4gZEKyXQmFswULC5tsUqtnf7itQinf+FPDYqKA8Fi90JRWADt/XM1xRRZ4k5QthJ3kIQjYLa4+EOiSTAwIGxAvljl8c=,iv:cdpyakU0/eolOnamevITA4CKpNkU8lRYsOYFOUW8mO8=,tag:dT5lGvsUZDO5Esjyrn77Dg==,type:str]
password: ENC[AES256_GCM,data:boIoVKGcXWAaKx6rOH1w1awTGfc=,iv:mX8WaaeeQXqyVuM5oA5tUUG7h7C0rV9QAVoHW/InyPc=,tag:Q/P3T5o1CMlbxe+UWyOP3A==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -21,8 +20,8 @@ sops:
WC9NVmdtWjlWSWN6dUwwMFdPRmpxWG8Ka0i27kBbA4p835RWsEPIghFTwxo4elOz WC9NVmdtWjlWSWN6dUwwMFdPRmpxWG8Ka0i27kBbA4p835RWsEPIghFTwxo4elOz
PL0TnuMNnl66TJiD0x6oRMn8tb6wQIAqGxBt9Jb2lj24eXCtzfGbEg== PL0TnuMNnl66TJiD0x6oRMn8tb6wQIAqGxBt9Jb2lj24eXCtzfGbEg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-02-26T22:57:12Z" lastmodified: "2025-03-02T22:44:35Z"
mac: ENC[AES256_GCM,data:mb/kTo9zPyLbDJlvh6+P9GTzTVzVt7RMBnzS/qMDUvUR9OAP+zSt1Vf80oXnO3WqRncgRrIi1k3oKeipKHdTxmzXae+jefh7oOMGCeXI51IlnOhkA0MBgrN/jSMwEinYmqDGemzB7ff9quATtm8N/SoxepkR1ddikgEX6Zfr0mw=,iv:yTm2at3lgb1uWCsETw/XpDdrfKv5/8b1oxU2Eq89tbk=,tag:AP8vrUHejq2gsnkSBWHKyA==,type:str] mac: ENC[AES256_GCM,data:dwm0LX9/56Vy2r962RrQx+NNUoTBOs80Jvo25+ZKnixZUPuUdeNS0VXdFRMXLQiUEBzTIBhfVYOzAjSq3XwFvR1q+sQyYizmCLowHnPcicu/0j9qlNRtIItMRk21LMwytG57OgRFLs1RGnvhAYanLyGrqm2mHUWlKKd6C8BdgiE=,iv:UBIYoZyMp2A1hKiWd9+akuxnnAg/TTHYSaiWkInso0I=,tag:Mcfykfj9aKzpf47Pr2XExw==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.4 version: 3.9.4


@ -6,82 +6,66 @@
{ {
sops = { sops = {
secrets = secrets =
builtins.mapAttrs {
( lavalink = {
_: v: sopsFile = ./secrets.yaml;
v restartUnits = [
// { "vocard.service"
sopsFile = ./secrets.yaml; "lavalink.service"
} ];
)
{
"vocard/token" = { };
"vocard/client_id" = { };
"vocard/spotify_client_id" = { };
"vocard/spotify_client_secret" = { };
"lavalink/refresh_token" = { };
"lavalink/password" = { };
}; };
templates = {
vocard = {
path = "/persist/services/vocard/settings.json";
restartUnits = [
"vocard.service"
"lavalink.service"
];
content =
builtins.replaceStrings
[
"@token@"
"@client_id@"
"@spotify_client_id@"
"@spotify_client_secret@"
"@password@"
]
[
config.sops.placeholder."vocard/token"
config.sops.placeholder."vocard/client_id"
config.sops.placeholder."vocard/spotify_client_id"
config.sops.placeholder."vocard/spotify_client_secret"
config.sops.placeholder."lavalink/password"
] }
(builtins.readFile ./settings.json); // builtins.listToAttrs (
}; map
(x: {
name = "vocard/${x}";
value.sopsFile = ./secrets.yaml;
})
[
"token"
"client_id"
"spotify_client_id"
"spotify_client_secret"
"password"
]
);
lavalink = { templates.vocard = {
path = "/persist/services/lavalink/application.yml"; restartUnits = [
restartUnits = [ "vocard.service"
"vocard.service" "lavalink.service"
"lavalink.service" ];
]; content =
content = builtins.replaceStrings
builtins.replaceStrings [
[ "@token@"
"@refresh_token@" "@client_id@"
"@password@" "@spotify_client_id@"
] "@spotify_client_secret@"
[ "@password@"
config.sops.placeholder."lavalink/refresh_token" ]
config.sops.placeholder."lavalink/password" (builtins.attrValues {
] inherit (config.sops.placeholder)
(builtins.readFile ./application.yml); "vocard/token"
}; "vocard/client_id"
"vocard/spotify_client_id"
"vocard/spotify_client_secret"
"vocard/password"
;
})
(builtins.readFile ./settings.json);
}; };
}; };
systemd.tmpfiles.rules = [
"d /persist/services/vocard - - - - -"
"d /persist/services/lavalink - - - - -"
];
systemd.services = { systemd.services = {
vocard = { vocard = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
wants = [
bindsTo = [ "lavalink.service" ];
requires = [
"network-online.target" "network-online.target"
"lavalink.service"
"ferretdb.service" "ferretdb.service"
]; ];
after = [ after = [
@ -92,7 +76,8 @@
]; ];
serviceConfig = { serviceConfig = {
ExecStart = lib.getExe self'.packages.vocard; ExecStart = lib.getExe self'.packages.vocard;
WorkingDirectory = "/persist/services/vocard"; DynamicUser = true;
LoadCredential = "settings.json:${config.sops.templates.vocard.path}";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "30s"; RestartSec = "30s";
}; };
@ -104,9 +89,13 @@
"syslog.target" "syslog.target"
"network-online.target" "network-online.target"
]; ];
environment.LAVALINK_PLUGINS_DIR = self'.packages.lavalinkPlugins;
serviceConfig = { serviceConfig = {
ExecStart = lib.getExe self'.packages.lavalink; ExecStart = "${lib.getExe self'.packages.lavalink} --spring.config.location='file:${./application.yml}'";
WorkingDirectory = "/persist/services/lavalink"; DynamicUser = true;
EnvironmentFile = config.sops.secrets.lavalink.path;
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "30s"; RestartSec = "30s";
}; };
@ -114,4 +103,15 @@
}; };
services.ferretdb.enable = true; services.ferretdb.enable = true;
systemd.mounts = [
{
what = "/persist/services/ferretdb";
where = "/var/lib/private/ferretdb";
wantedBy = [ "ferretdb.service" ];
bindsTo = [ "ferretdb.service" ];
type = "none";
options = "bind";
}
];
} }
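Review bot: In `templates.vocard.content` (first hunk), `builtins.attrValues` returns values ordered by sorted attribute name, not in the order written in the `inherit`, so the replacement list no longer lines up with the `@...@` list. Sorted, the names are `vocard/client_id`, `vocard/password`, `vocard/spotify_client_id`, `vocard/spotify_client_secret`, `vocard/token`. That puts the client id into `@token@`, the Lavalink password into `@client_id@` and the bot token into `@password@`. Assuming settings.json uses the placeholders as named, the bot would fail to log in and would present its Discord token as the Lavalink password. Build the list positionally instead: `(map (n: config.sops.placeholder."vocard/${n}") [ "token" "client_id" "spotify_client_id" "spotify_client_secret" "password" ])`.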


@ -14,24 +14,17 @@ stdenvNoCC.mkDerivation (finalAttrs: {
hash = "sha256-G4a9ltPq/L0vcazTQjStTlOOtwrBi37bYUNQHy5CV9Y="; hash = "sha256-G4a9ltPq/L0vcazTQjStTlOOtwrBi37bYUNQHy5CV9Y=";
}; };
plugin = fetchurl {
url = "https://github.com/lavalink-devs/youtube-source/releases/download/1.11.5/youtube-plugin-1.11.5.jar";
hash = "sha256-Zz4S5mWcsVFWGmN41L34GqZeCOswt/CAn+1PN1XJtbk=";
};
dontUnpack = true; dontUnpack = true;
nativeBuildInputs = [ makeBinaryWrapper ]; nativeBuildInputs = [ makeBinaryWrapper ];
buildCommand = '' buildCommand = ''
install -Dm644 "$src" "$out/lib/Lavalink.jar" install -Dm644 "$src" "$out/lib/Lavalink.jar"
install -Dm644 "$plugin" "$out/plugins/youtube-plugin.jar"
mkdir -p $out/bin mkdir -p "$out/bin"
makeWrapper ${lib.getExe zulu17} $out/bin/lavalink \ makeWrapper '${lib.getExe zulu17}' "$out/bin/lavalink" \
--add-flags "-jar -Xmx4G $out/lib/Lavalink.jar" --add-flags "-jar $out/lib/Lavalink.jar"
''; '';
meta.mainProgram = "lavalink"; meta.mainProgram = "lavalink";
}) })


@ -0,0 +1,13 @@
{
fetchurl,
linkFarm,
}:
linkFarm "lavalinkPlugins" [
{
name = "youtube-plugin-1.11.5.jar";
path = fetchurl {
url = "https://github.com/lavalink-devs/youtube-source/releases/download/1.11.5/youtube-plugin-1.11.5.jar";
hash = "sha256-Zz4S5mWcsVFWGmN41L34GqZeCOswt/CAn+1PN1XJtbk=";
};
}
]
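Review bot: The plugin version `1.11.5` is written three times in this new file (the link `name` and twice in the `url`) and also has to match the `dependency:` coordinate in application.yml. Presumably Lavalink matches jars in the plugins directory by file name against the declared dependency and tries to fetch any it does not find, which would sidestep the pinned `hash` or fail on the read-only store path; this is worth confirming. A single binding keeps the copies in step: `let version = "1.11.5"; in` above `linkFarm`, then `name = "youtube-plugin-${version}.jar";` and the same interpolation in `url`. A comment naming the application.yml entry that must be bumped together with it would cover the remaining copy.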


@ -38,7 +38,7 @@ stdenv.mkDerivation {
runHook postBuild runHook postBuild
''; '';
patches = [ ./use_cwd.patch ]; patches = [ ./useLoadCredential.patch ];
nativeBuildInputs = [ nativeBuildInputs = [
makeBinaryWrapper makeBinaryWrapper


@ -1,5 +1,6 @@
diff --git a/function.py b/function.py diff --git a/function.py b/function.py
index 6e09f5e..f0f6a11 100644 index 6e09f5e..0c8bfa4 100644
--- a/function.py --- a/function.py
+++ b/function.py +++ b/function.py
@@ -18,7 +18,7 @@ from motor.motor_asyncio import ( @@ -18,7 +18,7 @@ from motor.motor_asyncio import (
@ -7,7 +8,7 @@ index 6e09f5e..f0f6a11 100644
ROOT_DIR = os.path.dirname(os.path.abspath(__file__)) ROOT_DIR = os.path.dirname(os.path.abspath(__file__))
-if not os.path.exists(os.path.join(ROOT_DIR, "settings.json")): -if not os.path.exists(os.path.join(ROOT_DIR, "settings.json")):
+if not os.path.exists(os.path.join(os.getcwd(), "settings.json")): +if not os.path.exists(os.path.join(os.getenv("CREDENTIALS_DIRECTORY"), "settings.json")):
raise Exception("Settings file not set!") raise Exception("Settings file not set!")
#--------------- Cache Var --------------- #--------------- Cache Var ---------------
@ -57,19 +58,21 @@ index 6e09f5e..f0f6a11 100644
if len(keys) == 1: if len(keys) == 1:
return LANGS.get(lang, {}).get(keys[0], "Language pack not found!") return LANGS.get(lang, {}).get(keys[0], "Language pack not found!")
diff --git a/main.py b/main.py diff --git a/main.py b/main.py
index e2c6b9e..4ff7de6 100644 index e2c6b9e..98dc34b 100644
--- a/main.py --- a/main.py
+++ b/main.py +++ b/main.py
@@ -81,12 +81,6 @@ class Vocard(commands.Bot): @@ -80,13 +80,7 @@ class Vocard(commands.Bot):
await self.ipc.connect()
except Exception as e: except Exception as e:
func.logger.error(f"Cannot connected to dashboard! - Reason: {e}") func.logger.error(f"Cannot connected to dashboard! - Reason: {e}")
-
- if not func.settings.version or func.settings.version != update.__version__: - if not func.settings.version or func.settings.version != update.__version__:
- func.update_json("settings.json", new_data={"version": update.__version__}) - func.update_json("settings.json", new_data={"version": update.__version__})
- -
- await self.tree.set_translator(Translator()) - await self.tree.set_translator(Translator())
- await self.tree.sync() - await self.tree.sync()
- -
+ await self.tree.sync()
async def on_ready(self): async def on_ready(self):
func.logger.info("------------------") func.logger.info("------------------")
func.logger.info(f"Logging As {self.user}") func.logger.info(f"Logging As {self.user}")
@ -78,7 +81,7 @@ index e2c6b9e..4ff7de6 100644
# Loading settings and logger # Loading settings and logger
-func.settings = Settings(func.open_json("settings.json")) -func.settings = Settings(func.open_json("settings.json"))
+func.settings = Settings(func.open_json(os.path.join(os.getcwd(),"settings.json"))) +func.settings = Settings(func.open_json(os.path.join(os.getenv("CREDENTIALS_DIRECTORY"),"settings.json")))
LOG_SETTINGS = func.settings.logging LOG_SETTINGS = func.settings.logging
if (LOG_FILE := LOG_SETTINGS.get("file", {})).get("enable", True): if (LOG_FILE := LOG_SETTINGS.get("file", {})).get("enable", True):
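Review bot: `os.getenv("CREDENTIALS_DIRECTORY")` returns `None` when the variable is unset, so both the existence check in function.py and the `Settings(...)` load in main.py fail inside `os.path.join` with a `TypeError`. The intended "Settings file not set!" error is never raised in that case. This happens whenever the bot is started outside a unit that sets `LoadCredential`, for example when run by hand for debugging. Reading the variable once with `cred_dir = os.environ["CREDENTIALS_DIRECTORY"]` fails with a `KeyError` that names the missing variable. Alternatively, keep `os.getenv` and raise the existing exception when it returns `None`. The surrounding module code in both files lies outside the hunks shown.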