gerg-l/nixos
1
0
Fork 0
mirror of https://github.com/Gerg-L/nixos.git synced 2025-12-10 00:43:56 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: gerg-l:89988727c3e51c7fafcf4d7c55a380ac6871c221
Branches Tags
gerg-l:master
..
compare: gerg-l:c7c87ec8b259c49b52ac0c88979e3336d82a50ec
Branches Tags
gerg-l:master

5 commits
89988727c3 ... c7c87ec8b2

Author SHA1 Message Date
Gerg-L
c7c87ec8b2
port magic 2025-03-02 22:49:05 -05:00
Gerg-L
7dad855bd8
bad replaceStrings 2025-03-02 19:21:50 -05:00
Gerg-L
af91541557
vocard: use DynamicUsers 2025-03-02 18:14:36 -05:00
Gerg-L
7a2e6450d2
remove duplicate secrets 2025-03-02 18:14:36 -05:00
Gerg-L
90251b932e
update nix 2025-03-02 18:14:36 -05:00
17 changed files with 260 additions and 198 deletions
Download patch file Download diff file Expand all files Collapse all files

14
flake.lock generated
View file

@ -452,16 +452,16 @@
"nixpkgs-regression": "nixpkgs-regression"
},
"locked": {
"lastModified": 1736798728,
"narHash": "sha256-Em+CXWHBgLG2m106Hs11FmVlsCr3ZQedTosJvRF2gnE=",
"lastModified": 1740601978,
"narHash": "sha256-b70oopwDPaHiddorJIvI8H50yTXOd04noGZVp3YPHbM=",
"owner": "NixOS",
"repo": "nix",
"rev": "2cb0ddfe4eb216fab6d826c1056743c152722720",
"rev": "31923aaac0358336442244ec6baf8f6517463afd",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "2cb0ddfe4eb216fab6d826c1056743c152722720",
"ref": "31923aaac0358336442244ec6baf8f6517463afd",
"repo": "nix",
"type": "github"
}
@ -647,11 +647,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1740880178,
"narHash": "sha256-NBPrFkKsTB/C8L6JDeC6p5Dxek/NMtcCRWYkafsyL38=",
"lastModified": 1740960270,
"narHash": "sha256-JsNqwyqD2I/5h0KJ5ntrvULJpFgJdJb9jHNFucCLXJw=",
"owner": "Gerg-L",
"repo": "nvim-flake",
"rev": "b7488d039a8c63b7015c67f026da0564ae54b833",
"rev": "57f3e79cf0330cb4db3c1c612307dddd84c05a42",
"type": "github"
},
"original": {

2
flake.nix
View file

@ -24,7 +24,7 @@
type = "github";
owner = "NixOS";
repo = "nix";
ref = "2cb0ddfe4eb216fab6d826c1056743c152722720";
ref = "31923aaac0358336442244ec6baf8f6517463afd";
inputs.nixpkgs.follows = "stable";
};
#other

5
nixosConfigurations/gerg-desktop/secrets.yaml
View file

@ -1,5 +1,4 @@
cloudflare: ENC[AES256_GCM,data:RZ+Smjn1nvnkxYAF56fEcBsFvO3YY+FWJ8wb0c72sxQleRjy9tVp7yDr9gRfUg3G,iv:mGaFxKFLrIouNhyqq/nBKaKub1WfekcCeHVLASQpBCs=,tag:xKl5EHR9g7d4pJkt49BLyw==,type:str]
discordenv: ENC[AES256_GCM,data:GQVGLVlIutSEyCZYiGfc2ON4yOfCtKEApRYLHn98xKaflEQtgbhF62vwzKCc9hYEoqHH8L5wF1shqD0qJqVjJSwpVqiMJnWg7UMhxJ+sf+6QKkcrcy9W3oZx3YPd2PrbjaZTBpM1fq+Ccs/6zrs3WIZhR6At7qwnuSm+XjOFHsFwamqgrikhzgWzdrPXysiYMYglQ4IxjuJbgMbW+v/9qvfzf1DUIVpbFYHpUgOko1pR362YBe8yxv1arWJzejzxX/6TG3TLoyaa3H0lA+ch9LMp0cy9x2A2E1WufuC+tbXITNiHVWPlUUf233g=,iv:HWY/PXuVOyMNAiPdv1G0ysGcbdbk3YgCVp3eNkkdTl4=,tag:RhSH0KsppNCX0TcjZFttLQ==,type:str]
reboot_token: ENC[AES256_GCM,data:/3QP30OUZsFaagj9Ljde1jz5nxZA6jp6/B6pmlponepRy3uZJ2jlaYQ3EBDiv5L413ecfWePAeWlX07eZ08JIRdoO5Ky52LM1+nPHMJFXzQ0h2onz4RVQAM=,iv:qiRk93LM7+3QmW27ItoWYGo7PLlu/hpprcPdnOaCBdw=,tag:X9kEov2FOrsIqkkStLegPw==,type:str]
searxngenv: ENC[AES256_GCM,data:HtH4KxXWoQEJp88Bgfhfj5Y4Up+inHu8mnVtay64XvCRpVKHF/kceC3XwT9C3IdXpQ==,iv:iXK8hOFoEnM5wFUZhC8IOdHzPhwPDHtTL8MmS5FSlns=,tag:TZHTB7ia5Qq2f2fETJOpEA==,type:str]
minifluxenv: ENC[AES256_GCM,data:wgz6sxSbbjXrgBAak0Q0TlvG78+JHPpiPtcbqGo9HpSF3qY78edECCDB3qqIaynxdhI4,iv:mbsr+OG8fE5MggmC+TNkLmhhDNGvJo+uelNRo/rMLoo=,tag:xN+FbNHZIVCruQh23aMt5g==,type:str]
@ -23,8 +22,8 @@ sops:
dGhDRXRTWE9xSGtxQU80RVpuL1A5MkEKxAxC/wDkq+6hM8eXkWd/RBDNIUtGYnPy
MvVxB6dkj+S11oRcMpdFqiM9jSzz/gYecB2tfuDgj+UX/VAzSkvPxA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-02-25T22:55:01Z"
mac: ENC[AES256_GCM,data:/TumMnTtiarcoWQmqXMJ1tJ8TBIJ37+E3V+aAQkGVGmOHcA1HaG8cf2LC2yDaDMD8H+mLXqNgw9iU22ZiXopIAmzP+wRRkkVnE61RpI8BFnW25guUE1h3j109rKV94j9fem/ejzqAIh3d1CcewULokOTD6TtS2QCMKZLhSVShp0=,iv:UvAZDLzrA+HGTFdNwZoB5K30tNwJDXBDJN/ZP/tllcA=,tag:2H5EST0cPEMXCIwz4i0Aag==,type:str]
lastmodified: "2025-02-26T23:23:36Z"
mac: ENC[AES256_GCM,data:rUuzMNzXf2rgmT7t4eNXnVDtA4izwbc+8wvMztu5gvymJNBGf2B+uvFzEZMqMA+gmdqwX4B51K2oTYe7GU3EAgjp+7709hy4Dzs0vILebJn6ijO3AVHLEWLE7ia0cao6wAzKv6qtlyvAb1TvyTgtJpM+LCsuOkEItPJxoEDGlzc=,iv:rYlkNXaz/mk7WBYm27y/+eqJAThZ/pcjW6bMuTjTIZ4=,tag:end6/klu3sW9PuTIbWxZmw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4

13
nixosConfigurations/gerg-desktop/services/forgejo.nix
View file

@ -1,5 +1,9 @@
{ config }:
let
link = config.local.links.forgejo;
in
{
local.links.forgejo = { };
users = {
groups.${config.services.forgejo.group} = { };
users = {
@ -10,7 +14,6 @@
openssh.authorizedKeys.keys = [ config.local.keys.gerg_gerg-desktop ];
};
${config.services.nginx.user}.extraGroups = [ config.services.forgejo.group ];
};
};
services.forgejo = {
@ -22,9 +25,8 @@
DOMAIN = "git.gerg-l.com";
ROOT_URL = "https://git.gerg-l.com/";
LANDING_PAGE = "/explore/repos";
HTTP_ADDR = "/run/forgejo/forgejo.sock";
PROTOCOL = "http+unix";
UNIX_SOCKET_PERMISSION = "660";
HTTP_ADDR = link.ipv4;
HTTP_PORT = link.port;
};
ui.DEFAULT_THEME = "forgejo-dark";
service.DISABLE_REGISTRATION = true;
@ -35,6 +37,5 @@
};
};
local.nginx.proxyVhosts."git.gerg-l.com" =
"http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}";
local.nginx.proxyVhosts."git.gerg-l.com" = link.url;
}

12
nixosConfigurations/gerg-desktop/services/immich.nix
View file

@ -1,11 +1,11 @@
{ config, ... }:
let
cfg = config.services.immich;
link = config.local.links.immich;
in
{
systemd.tmpfiles.rules =
[ "d ${cfg.mediaLocation} - ${cfg.user} ${cfg.group} - -" ];
local.links.immich = { };
systemd.tmpfiles.rules = [ "d ${cfg.mediaLocation} - ${cfg.user} ${cfg.group} - -" ];
users.users.${cfg.user}.extraGroups = [ "postgres" ];
services.immich = {
@ -18,9 +18,9 @@ in
mediaLocation = "/persist/services/immich";
machine-learning.enable = true;
settings = null;
port = 2283;
host = "0.0.0.0";
inherit (link) port;
host = link.ipv4;
};
local.nginx.proxyVhosts."photos.gerg-l.com" = "http://localhost:${toString cfg.port}";
local.nginx.proxyVhosts."photos.gerg-l.com" = link.url;
}

16
nixosConfigurations/gerg-desktop/services/miniflux.nix
View file

@ -1,15 +1,19 @@
{
config,
lib,
}:
let
link = config.local.links.miniflux;
in
{
local.links.miniflux = { };
sops.secrets.minifluxenv = { };
services.miniflux = {
enable = true;
config = {
BASE_URL = "https://flux.gerg-l.com";
LISTEN_ADDR = "/run/miniflux/miniflux.sock";
LISTEN_ADDR = link.tuple;
};
adminCredentialsFile = config.sops.secrets.minifluxenv.path;
createDatabaseLocally = true;
@ -28,11 +32,5 @@
};
};
systemd.services.miniflux.serviceConfig = {
RuntimeDirectoryMode = lib.mkForce "0770";
DynamicUser = lib.mkForce false;
};
local.nginx.proxyVhosts."flux.gerg-l.com" =
"http://unix:${config.services.miniflux.config.LISTEN_ADDR}";
local.nginx.proxyVhosts."flux.gerg-l.com" = link.url;
}

55
nixosConfigurations/gerg-desktop/services/nix-serve.nix
View file

@ -1,29 +1,23 @@
{
config,
pkgs,
lib,
}:
let
link = config.local.links.nix-serve;
in
{
sops.secrets.store_key.owner = "nix-serve";
local.links.nix-serve = { };
sops.secrets.store_key = { };
users = {
groups = {
builder = { };
nix-serve = { };
};
users = {
${config.services.nginx.user}.extraGroups = [ "nix-serve" ];
builder = {
groups.builder = { };
users.builder = {
isSystemUser = true;
openssh.authorizedKeys.keys = [ config.local.keys.root_media-laptop ];
group = "builder";
shell = pkgs.bashInteractive;
};
nix-serve = {
isSystemUser = true;
group = "nix-serve";
};
};
};
services.openssh.extraConfig = ''
@ -38,37 +32,18 @@
nix.settings = {
trusted-users = [ "builder" ];
allowed-users = [ "nix-serve" ];
keep-outputs = true;
keep-derivations = true;
secret-key-files = config.sops.secrets.store_key.path;
};
systemd.services.nix-serve = {
description = "nix-serve binary cache server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
path = [
config.nix.package
pkgs.bzip2
];
serviceConfig = {
ExecStart = "${lib.getExe pkgs.nix-serve-ng} --socket /run/nix-serve/nix-serve.sock";
Restart = "always";
RestartSec = "5s";
User = "nix-serve";
Group = "nix-serve";
RuntimeDirectory = "nix-serve";
UMask = "0117";
services.nix-serve = {
enable = true;
inherit (link) port;
package = pkgs.nix-serve-ng;
bindAddress = link.ipv4;
secretKeyFile = config.sops.secrets.store_key.path;
};
environment = {
NIX_REMOTE = "daemon";
NIX_SECRET_KEY_FILE = config.sops.secrets.store_key.path;
};
};
local.nginx.proxyVhosts."cache.gerg-l.com" = "http://unix:/run/nix-serve/nix-serve.sock";
local.nginx.proxyVhosts."cache.gerg-l.com" = link.url;
}

10
nixosConfigurations/gerg-desktop/services/searxng.nix
View file

@ -1,5 +1,10 @@
{ config, pkgs }:
let
link = config.local.links.searx;
in
{
local.links.searx = { };
sops.secrets.searxngenv = { };
users.users.${config.services.nginx.user}.extraGroups = [ "searx" ];
services.searx = {
@ -7,8 +12,7 @@
package = pkgs.searxng;
runInUwsgi = true;
uwsgiConfig = {
socket = "/run/searx/searx.sock";
chmod-socket = "660";
http = link.tuple;
disable-logging = true;
};
environmentFile = config.sops.secrets.searxngenv.path;
@ -37,7 +41,7 @@
};
local.nginx.defaultVhosts."search.gerg-l.com" = {
locations."/".extraConfig = "uwsgi_pass unix:${config.services.searx.uwsgiConfig.socket};";
locations."/".proxyPass = link.url;
extraConfig = "access_log off;";
};
}

34
nixosConfigurations/gerg-desktop/services/vocard/application.yml
View file

@ -12,41 +12,32 @@ plugins:
# The clients to use for track loading. See below for a list of valid clients.
# Clients are queried in the order they are given (so the first client is queried first and so on...)
clients:
- MUSIC
- TVHTML5EMBEDDED
- TV
- ANDROID_VR
- WEB
- WEBEMBEDDED
oauth:
enabled: true
refreshToken: "@refresh_token@"
# name: # Name of the plugin
# some_key: some_value # Some key-value pair for the plugin
# another_key: another_value
# Set with env vars
#refreshToken: ""
lavalink:
plugins:
- dependency: "dev.lavalink.youtube:youtube-plugin:1.11.5"
snapshot: false
# setting "enabled: true" is the bare minimum to get OAuth working.
enabled: true
# - dependency: "com.github.example:example-plugin:1.0.0" # required, the coordinates of your plugin
# repository: "https://maven.example.com/releases" # optional, defaults to the Lavalink releases repository by default
# snapshot: false # optional, defaults to false, used to tell Lavalink to use the snapshot repository instead of the release repository
# pluginsDir: "./plugins" # optional, defaults to "./plugins"
# defaultPluginRepository: "https://maven.lavalink.dev/releases" # optional, defaults to the Lavalink release repository
# defaultPluginSnapshotRepository: "https://maven.lavalink.dev/snapshots" # optional, defaults to the Lavalink snapshot repository
# Set with env vars
#pluginsDir: ""
server:
password: "@password@"
# Set with env vars
#password: ""
sources:
# The default Youtube source is now deprecated and won't receive further updates. Please use https://github.com/lavalink-devs/youtube-source#plugin instead.
youtube: false
bandcamp: true
soundcloud: true
twitch: true
vimeo: true
nico: true
http: true # warning: keeping HTTP enabled without a proxy configured could expose your server's IP address.
http: true
local: false
filters: # All filters are enabled by default
volume: true
@ -95,14 +86,10 @@ metrics:
sentry:
dsn: ""
environment: ""
# tags:
# some_key: some_value
# another_key: another_value
logging:
file:
path: ./logs/
path: null
level:
root: INFO
lavalink: INFO
@ -116,7 +103,6 @@ logging:
includePayload: true
maxPayloadLength: 10000
logback:
rollingpolicy:
max-file-size: 1GB

13
nixosConfigurations/gerg-desktop/services/vocard/secrets.yaml
View file

@ -1,11 +1,10 @@
vocard:
token: ENC[AES256_GCM,data:CCu4yOw4Fvwyx0KkYIikiz3VY2xTPbBx1q92W7FBTp+5fU+UP7yuAwZMWWZtzKdEyypzlk5uJ4tJRwUHqq62EnJqYj4wCVcr,iv:/Nxr9QPjEa67Xxn+tz3TRrcNG+cqEPVsqdjjxLp7R+k=,tag:LcVRrGorxvljJqpgs2bSoA==,type:str]
client_id: ENC[AES256_GCM,data:yd9vcUVxMpAKiPzl1hDI9EJhzA==,iv:dzB8ls0k5kWd+qtbSAkSfAXO0dxIUwdjppGYMkc+OHg=,tag:l1M4XTs79fszfNcFXSzVVg==,type:str]
token: ENC[AES256_GCM,data:aNRKBA94pqMCsRypIiVEmNMQK6cKCWa7pHC8dNpYSYGrn58i5PF+ByoR0k6AgGagBCtp//1fb9JzDHHLBKEbx5DH8J3B/D+F,iv:65zw7RZbFPvvBxz09OTnAci/dugbEvNj48ObxpYcmLE=,tag:Kcx0X+6mtm50S51c06oJ8g==,type:str]
client_id: ENC[AES256_GCM,data:E490VeSSfy4q7Ztc+7mng3LcAg==,iv:iLLhg7/okFFFGNSOPH7JmOGeMjcjzk1AdtkhgZbGx9Y=,tag:gWKPUjlqVTKqOzzdFHP+FQ==,type:str]
spotify_client_id: ENC[AES256_GCM,data:uwqtWL7JZnN6FsPfTxtBjEgjE7qwGcKbDnloO6SNWs4=,iv:HMZ42J2oXavE4NZCmP1MUVZ+s9Px4XBDRWIbCcl6dYs=,tag:iO8hn8mlNGS1dcLBwwl/AQ==,type:str]
spotify_client_secret: ENC[AES256_GCM,data:YnfLj7RPTaucpZCqnel2gStd8oBcbWnL4/+KnkyT4u0=,iv:W6gXch7jH5jFp0PJy0LZ7vq1yCtO1NLbCTR3N6r47nQ=,tag:ct5Y786N6qVkZCts6pZniQ==,type:str]
lavalink:
refresh_token: ENC[AES256_GCM,data:xiPmWhJTQ4OBIeB98t8qtDVQ7e/KVcThTmw5KE0VCIPfm6g7sOzXt7f91nSXX3wBvmy3tX+xii9/rp4dAg3b3/NYL4uHnLsKjM1wGTSH+KuCkbmJZDNYEk2OMSOlAK2x0yAMvpFB,iv:IdITL9x+yfVzf9yqDgJPUBok0Zn/CtN0CVF4AGIcgj8=,tag:DvQChj3Mng47LvNBYd6NAg==,type:str]
password: ENC[AES256_GCM,data:boIoVKGcXWAaKx6rOH1w1awTGfc=,iv:mX8WaaeeQXqyVuM5oA5tUUG7h7C0rV9QAVoHW/InyPc=,tag:Q/P3T5o1CMlbxe+UWyOP3A==,type:str]
password: ENC[AES256_GCM,data:7yGTh6LPtoZvJgSvLvbZQ5Gx0Xw=,iv:UKy14fJZhn5EwtMxd6vZ5X55Tk3iOW7UUF9GVXyhup8=,tag:bKoNLltZQPgmT2mv7kDSQw==,type:str]
lavalink: ENC[AES256_GCM,data:Ub5baoxk8fOtchrOKR1YRwgrv/ja8e/9BY1Qaf+njDnvATSrRTcsvNZYU+YZb7OnJjfGRC5qytZo7T0ZBqHSFEdqvZToBHj0nVDTrXnbCm5o+NLKegCkofMG0c3D7JOB6lsc/0zBh8DF+i2M/Z5PNfmeE5Woe8Ev4gZEKyXQmFswULC5tsUqtnf7itQinf+FPDYqKA8Fi90JRWADt/XM1xRRZ4k5QthJ3kIQjYLa4+EOiSTAwIGxAvljl8c=,iv:cdpyakU0/eolOnamevITA4CKpNkU8lRYsOYFOUW8mO8=,tag:dT5lGvsUZDO5Esjyrn77Dg==,type:str]
sops:
kms: []
gcp_kms: []
@ -21,8 +20,8 @@ sops:
WC9NVmdtWjlWSWN6dUwwMFdPRmpxWG8Ka0i27kBbA4p835RWsEPIghFTwxo4elOz
PL0TnuMNnl66TJiD0x6oRMn8tb6wQIAqGxBt9Jb2lj24eXCtzfGbEg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-02-26T22:57:12Z"
mac: ENC[AES256_GCM,data:mb/kTo9zPyLbDJlvh6+P9GTzTVzVt7RMBnzS/qMDUvUR9OAP+zSt1Vf80oXnO3WqRncgRrIi1k3oKeipKHdTxmzXae+jefh7oOMGCeXI51IlnOhkA0MBgrN/jSMwEinYmqDGemzB7ff9quATtm8N/SoxepkR1ddikgEX6Zfr0mw=,iv:yTm2at3lgb1uWCsETw/XpDdrfKv5/8b1oxU2Eq89tbk=,tag:AP8vrUHejq2gsnkSBWHKyA==,type:str]
lastmodified: "2025-03-03T00:10:49Z"
mac: ENC[AES256_GCM,data:41um/6Fa0HqCVO/qj7/geUXWWOlXFZFt552W/T/hlsiUoebyPa4RgGVPcs332vuP+bgb4ELeJ0bsVqUFTtEbkfjaij9HT+BZIhImu8ZGKs/ZNkofw1s6h+kIVH4uf/sXYqMEATfHhSFqEoWsGsuL57i4llKzPBqsSyhdB4FeXDs=,iv:T3mt5lZmIT208gaCywsiuZ+Le/3BSDLL2UDxLExsEwE=,tag:jfpFXmcRNzJZCSAdZB4K7g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4

110
nixosConfigurations/gerg-desktop/services/vocard/vocard.nix
View file

@ -6,26 +6,32 @@
{
sops = {
secrets =
builtins.mapAttrs
(
_: v:
v
// {
sopsFile = ./secrets.yaml;
}
)
{
"vocard/token" = { };
"vocard/client_id" = { };
"vocard/spotify_client_id" = { };
"vocard/spotify_client_secret" = { };
"lavalink/refresh_token" = { };
"lavalink/password" = { };
lavalink = {
sopsFile = ./secrets.yaml;
restartUnits = [
"vocard.service"
"lavalink.service"
];
};
templates = {
vocard = {
path = "/persist/services/vocard/settings.json";
}
// builtins.listToAttrs (
map
(x: {
name = "vocard/${x}";
value.sopsFile = ./secrets.yaml;
})
[
"token"
"client_id"
"spotify_client_id"
"spotify_client_secret"
"password"
]
);
templates.vocard = {
restartUnits = [
"vocard.service"
"lavalink.service"
@ -39,49 +45,25 @@
"@spotify_client_secret@"
"@password@"
]
[
config.sops.placeholder."vocard/token"
config.sops.placeholder."vocard/client_id"
config.sops.placeholder."vocard/spotify_client_id"
config.sops.placeholder."vocard/spotify_client_secret"
config.sops.placeholder."lavalink/password"
]
(map (x: config.sops.placeholder.${x}) [
"vocard/token"
"vocard/client_id"
"vocard/spotify_client_id"
"vocard/spotify_client_secret"
"vocard/password"
])
(builtins.readFile ./settings.json);
};
lavalink = {
path = "/persist/services/lavalink/application.yml";
restartUnits = [
"vocard.service"
"lavalink.service"
];
content =
builtins.replaceStrings
[
"@refresh_token@"
"@password@"
]
[
config.sops.placeholder."lavalink/refresh_token"
config.sops.placeholder."lavalink/password"
]
(builtins.readFile ./application.yml);
};
};
};
systemd.tmpfiles.rules = [
"d /persist/services/vocard - - - - -"
"d /persist/services/lavalink - - - - -"
];
systemd.services = {
vocard = {
wantedBy = [ "multi-user.target" ];
wants = [
bindsTo = [ "lavalink.service" ];
requires = [
"network-online.target"
"lavalink.service"
"ferretdb.service"
];
after = [
@ -92,7 +74,8 @@
];
serviceConfig = {
ExecStart = lib.getExe self'.packages.vocard;
WorkingDirectory = "/persist/services/vocard";
DynamicUser = true;
LoadCredential = "settings.json:${config.sops.templates.vocard.path}";
Restart = "on-failure";
RestartSec = "30s";
};
@ -104,9 +87,13 @@
"syslog.target"
"network-online.target"
];
environment.LAVALINK_PLUGINS_DIR = self'.packages.lavalinkPlugins;
serviceConfig = {
ExecStart = lib.getExe self'.packages.lavalink;
WorkingDirectory = "/persist/services/lavalink";
ExecStart = "${lib.getExe self'.packages.lavalink} --spring.config.location='file:${./application.yml}'";
DynamicUser = true;
EnvironmentFile = config.sops.secrets.lavalink.path;
Restart = "on-failure";
RestartSec = "30s";
};
@ -114,4 +101,15 @@
};
services.ferretdb.enable = true;
systemd.mounts = [
{
what = "/persist/services/ferretdb";
where = "/var/lib/private/ferretdb";
wantedBy = [ "ferretdb.service" ];
bindsTo = [ "ferretdb.service" ];
type = "none";
options = "bind";
}
];
}

1
nixosModules/nix.nix
View file

@ -59,7 +59,6 @@
#
#allow-import-from-derivation = false;
trusted-users = [ "root" ];
allowed-users = [ "@wheel" ];
use-xdg-base-directories = true;
auto-allocate-uids = true;
};

94
nixosModules/portMagic.nix Normal file
View file

@ -0,0 +1,94 @@
{ lib, ... }:
{
options.local.links = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule (
{
config,
name,
...
}:
let
portHash = lib.flip lib.pipe [
(builtins.hashString "md5")
(builtins.substring 0 7)
(hash: (fromTOML "v=0x${hash}").v)
(lib.flip lib.mod config.reservedPorts.amount)
(builtins.add config.reservedPorts.start)
];
in
{
options = {
ipv4 = lib.mkOption {
type = lib.types.str;
default = "127.0.0.1";
description = "The IPv4 address.";
};
hostname = lib.mkOption {
type = lib.types.str;
description = "The hostname.";
};
port = lib.mkOption {
type = lib.types.int;
description = "The TCP or UDP port.";
};
portStr = lib.mkOption {
type = lib.types.str;
description = "The TCP or UDP port, as a string.";
};
reservedPorts = {
amount = lib.mkOption {
type = lib.types.int;
default = 10000;
description = "Amount of ports to reserve at most.";
};
start = lib.mkOption {
type = lib.types.int;
default = 30000;
description = "Starting point for reserved ports.";
};
};
protocol = lib.mkOption {
type = lib.types.str;
default = "http";
description = "The protocol in URL scheme name format.";
};
path = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
description = "The resource path.";
};
url = lib.mkOption {
type = lib.types.str;
description = "The URL.";
};
tuple = lib.mkOption {
type = lib.types.str;
description = "The hostname:port tuple.";
};
extra = lib.mkOption {
type = lib.types.attrs;
description = "Arbitrary extra data.";
};
};
config = lib.mkIf true {
hostname = lib.mkDefault config.ipv4;
port = lib.mkDefault (portHash "${config.hostname}:${name}");
portStr = toString config.port;
tuple = "${config.hostname}:${config.portStr}";
url = "${config.protocol}://${config.hostname}:${config.portStr}${
if config.path == null then "" else config.path
}";
};
}
)
);
description = "Port Magic links.";
default = { };
};
}

13
packages/lavalink/package.nix
View file

@ -14,24 +14,17 @@ stdenvNoCC.mkDerivation (finalAttrs: {
hash = "sha256-G4a9ltPq/L0vcazTQjStTlOOtwrBi37bYUNQHy5CV9Y=";
};
plugin = fetchurl {
url = "https://github.com/lavalink-devs/youtube-source/releases/download/1.11.5/youtube-plugin-1.11.5.jar";
hash = "sha256-Zz4S5mWcsVFWGmN41L34GqZeCOswt/CAn+1PN1XJtbk=";
};
dontUnpack = true;
nativeBuildInputs = [ makeBinaryWrapper ];
buildCommand = ''
install -Dm644 "$src" "$out/lib/Lavalink.jar"
install -Dm644 "$plugin" "$out/plugins/youtube-plugin.jar"
mkdir -p $out/bin
makeWrapper ${lib.getExe zulu17} $out/bin/lavalink \
--add-flags "-jar -Xmx4G $out/lib/Lavalink.jar"
mkdir -p "$out/bin"
makeWrapper '${lib.getExe zulu17}' "$out/bin/lavalink" \
--add-flags "-jar $out/lib/Lavalink.jar"
'';
meta.mainProgram = "lavalink";
})

13
packages/lavalinkPlugins/package.nix Normal file
View file

@ -0,0 +1,13 @@
{
fetchurl,
linkFarm,
}:
linkFarm "lavalinkPlugins" [
{
name = "youtube-plugin-1.11.5.jar";
path = fetchurl {
url = "https://github.com/lavalink-devs/youtube-source/releases/download/1.11.5/youtube-plugin-1.11.5.jar";
hash = "sha256-Zz4S5mWcsVFWGmN41L34GqZeCOswt/CAn+1PN1XJtbk=";
};
}
]

2
packages/vocard/package.nix
View file

@ -38,7 +38,7 @@ stdenv.mkDerivation {
runHook postBuild
'';
patches = [ ./use_cwd.patch ];
patches = [ ./useLoadCredential.patch ];
nativeBuildInputs = [
makeBinaryWrapper

15
packages/vocard/use_cwd.patch → packages/vocard/useLoadCredential.patch
View file

@ -1,5 +1,6 @@
diff --git a/function.py b/function.py
index 6e09f5e..f0f6a11 100644
index 6e09f5e..0c8bfa4 100644
--- a/function.py
+++ b/function.py
@@ -18,7 +18,7 @@ from motor.motor_asyncio import (
@ -7,7 +8,7 @@ index 6e09f5e..f0f6a11 100644
ROOT_DIR = os.path.dirname(os.path.abspath(__file__))
-if not os.path.exists(os.path.join(ROOT_DIR, "settings.json")):
+if not os.path.exists(os.path.join(os.getcwd(), "settings.json")):
+if not os.path.exists(os.path.join(os.getenv("CREDENTIALS_DIRECTORY"), "settings.json")):
raise Exception("Settings file not set!")
#--------------- Cache Var ---------------
@ -57,19 +58,21 @@ index 6e09f5e..f0f6a11 100644
if len(keys) == 1:
return LANGS.get(lang, {}).get(keys[0], "Language pack not found!")
diff --git a/main.py b/main.py
index e2c6b9e..4ff7de6 100644
index e2c6b9e..98dc34b 100644
--- a/main.py
+++ b/main.py
@@ -81,12 +81,6 @@ class Vocard(commands.Bot):
@@ -80,13 +80,7 @@ class Vocard(commands.Bot):
await self.ipc.connect()
except Exception as e:
func.logger.error(f"Cannot connected to dashboard! - Reason: {e}")
-
- if not func.settings.version or func.settings.version != update.__version__:
- func.update_json("settings.json", new_data={"version": update.__version__})
-
- await self.tree.set_translator(Translator())
- await self.tree.sync()
-
+ await self.tree.sync()
async def on_ready(self):
func.logger.info("------------------")
func.logger.info(f"Logging As {self.user}")
@ -78,7 +81,7 @@ index e2c6b9e..4ff7de6 100644
# Loading settings and logger
-func.settings = Settings(func.open_json("settings.json"))
+func.settings = Settings(func.open_json(os.path.join(os.getcwd(),"settings.json")))
+func.settings = Settings(func.open_json(os.path.join(os.getenv("CREDENTIALS_DIRECTORY"),"settings.json")))
LOG_SETTINGS = func.settings.logging
if (LOG_FILE := LOG_SETTINGS.get("file", {})).get("enable", True):