diff --git a/flake.lock b/flake.lock index 8fa97e8..9e3a236 100644 --- a/flake.lock +++ b/flake.lock @@ -452,16 +452,16 @@ "nixpkgs-regression": "nixpkgs-regression" }, "locked": { - "lastModified": 1740601978, - "narHash": "sha256-b70oopwDPaHiddorJIvI8H50yTXOd04noGZVp3YPHbM=", + "lastModified": 1736798728, + "narHash": "sha256-Em+CXWHBgLG2m106Hs11FmVlsCr3ZQedTosJvRF2gnE=", "owner": "NixOS", "repo": "nix", - "rev": "31923aaac0358336442244ec6baf8f6517463afd", + "rev": "2cb0ddfe4eb216fab6d826c1056743c152722720", "type": "github" }, "original": { "owner": "NixOS", - "ref": "31923aaac0358336442244ec6baf8f6517463afd", + "ref": "2cb0ddfe4eb216fab6d826c1056743c152722720", "repo": "nix", "type": "github" } @@ -647,11 +647,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1740960270, - "narHash": "sha256-JsNqwyqD2I/5h0KJ5ntrvULJpFgJdJb9jHNFucCLXJw=", + "lastModified": 1740880178, + "narHash": "sha256-NBPrFkKsTB/C8L6JDeC6p5Dxek/NMtcCRWYkafsyL38=", "owner": "Gerg-L", "repo": "nvim-flake", - "rev": "57f3e79cf0330cb4db3c1c612307dddd84c05a42", + "rev": "b7488d039a8c63b7015c67f026da0564ae54b833", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 444672d..707c73a 100644 --- a/flake.nix +++ b/flake.nix @@ -24,7 +24,7 @@ type = "github"; owner = "NixOS"; repo = "nix"; - ref = "31923aaac0358336442244ec6baf8f6517463afd"; + ref = "2cb0ddfe4eb216fab6d826c1056743c152722720"; inputs.nixpkgs.follows = "stable"; }; #other diff --git a/nixosConfigurations/gerg-desktop/secrets.yaml b/nixosConfigurations/gerg-desktop/secrets.yaml index 489f244..0bf9159 100644 --- a/nixosConfigurations/gerg-desktop/secrets.yaml +++ b/nixosConfigurations/gerg-desktop/secrets.yaml @@ -1,4 +1,5 @@ cloudflare: ENC[AES256_GCM,data:RZ+Smjn1nvnkxYAF56fEcBsFvO3YY+FWJ8wb0c72sxQleRjy9tVp7yDr9gRfUg3G,iv:mGaFxKFLrIouNhyqq/nBKaKub1WfekcCeHVLASQpBCs=,tag:xKl5EHR9g7d4pJkt49BLyw==,type:str] +discordenv: ENC[AES256_GCM,data:GQVGLVlIutSEyCZYiGfc2ON4yOfCtKEApRYLHn98xKaflEQtgbhF62vwzKCc9hYEoqHH8L5wF1shqD0qJqVjJSwpVqiMJnWg7UMhxJ+sf+6QKkcrcy9W3oZx3YPd2PrbjaZTBpM1fq+Ccs/6zrs3WIZhR6At7qwnuSm+XjOFHsFwamqgrikhzgWzdrPXysiYMYglQ4IxjuJbgMbW+v/9qvfzf1DUIVpbFYHpUgOko1pR362YBe8yxv1arWJzejzxX/6TG3TLoyaa3H0lA+ch9LMp0cy9x2A2E1WufuC+tbXITNiHVWPlUUf233g=,iv:HWY/PXuVOyMNAiPdv1G0ysGcbdbk3YgCVp3eNkkdTl4=,tag:RhSH0KsppNCX0TcjZFttLQ==,type:str] reboot_token: ENC[AES256_GCM,data:/3QP30OUZsFaagj9Ljde1jz5nxZA6jp6/B6pmlponepRy3uZJ2jlaYQ3EBDiv5L413ecfWePAeWlX07eZ08JIRdoO5Ky52LM1+nPHMJFXzQ0h2onz4RVQAM=,iv:qiRk93LM7+3QmW27ItoWYGo7PLlu/hpprcPdnOaCBdw=,tag:X9kEov2FOrsIqkkStLegPw==,type:str] searxngenv: ENC[AES256_GCM,data:HtH4KxXWoQEJp88Bgfhfj5Y4Up+inHu8mnVtay64XvCRpVKHF/kceC3XwT9C3IdXpQ==,iv:iXK8hOFoEnM5wFUZhC8IOdHzPhwPDHtTL8MmS5FSlns=,tag:TZHTB7ia5Qq2f2fETJOpEA==,type:str] minifluxenv: ENC[AES256_GCM,data:wgz6sxSbbjXrgBAak0Q0TlvG78+JHPpiPtcbqGo9HpSF3qY78edECCDB3qqIaynxdhI4,iv:mbsr+OG8fE5MggmC+TNkLmhhDNGvJo+uelNRo/rMLoo=,tag:xN+FbNHZIVCruQh23aMt5g==,type:str] @@ -22,8 +23,8 @@ sops: dGhDRXRTWE9xSGtxQU80RVpuL1A5MkEKxAxC/wDkq+6hM8eXkWd/RBDNIUtGYnPy MvVxB6dkj+S11oRcMpdFqiM9jSzz/gYecB2tfuDgj+UX/VAzSkvPxA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-26T23:23:36Z" - mac: ENC[AES256_GCM,data:rUuzMNzXf2rgmT7t4eNXnVDtA4izwbc+8wvMztu5gvymJNBGf2B+uvFzEZMqMA+gmdqwX4B51K2oTYe7GU3EAgjp+7709hy4Dzs0vILebJn6ijO3AVHLEWLE7ia0cao6wAzKv6qtlyvAb1TvyTgtJpM+LCsuOkEItPJxoEDGlzc=,iv:rYlkNXaz/mk7WBYm27y/+eqJAThZ/pcjW6bMuTjTIZ4=,tag:end6/klu3sW9PuTIbWxZmw==,type:str] + lastmodified: "2025-02-25T22:55:01Z" + mac: ENC[AES256_GCM,data:/TumMnTtiarcoWQmqXMJ1tJ8TBIJ37+E3V+aAQkGVGmOHcA1HaG8cf2LC2yDaDMD8H+mLXqNgw9iU22ZiXopIAmzP+wRRkkVnE61RpI8BFnW25guUE1h3j109rKV94j9fem/ejzqAIh3d1CcewULokOTD6TtS2QCMKZLhSVShp0=,iv:UvAZDLzrA+HGTFdNwZoB5K30tNwJDXBDJN/ZP/tllcA=,tag:2H5EST0cPEMXCIwz4i0Aag==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.4 diff --git a/nixosConfigurations/gerg-desktop/services/forgejo.nix b/nixosConfigurations/gerg-desktop/services/forgejo.nix index aa21d13..5595c58 100644 --- a/nixosConfigurations/gerg-desktop/services/forgejo.nix +++ b/nixosConfigurations/gerg-desktop/services/forgejo.nix @@ -1,9 +1,5 @@ { config }: -let - link = config.local.links.forgejo; -in { - local.links.forgejo = { }; users = { groups.${config.services.forgejo.group} = { }; users = { @@ -14,6 +10,7 @@ in openssh.authorizedKeys.keys = [ config.local.keys.gerg_gerg-desktop ]; }; + ${config.services.nginx.user}.extraGroups = [ config.services.forgejo.group ]; }; }; services.forgejo = { @@ -25,8 +22,9 @@ in DOMAIN = "git.gerg-l.com"; ROOT_URL = "https://git.gerg-l.com/"; LANDING_PAGE = "/explore/repos"; - HTTP_ADDR = link.ipv4; - HTTP_PORT = link.port; + HTTP_ADDR = "/run/forgejo/forgejo.sock"; + PROTOCOL = "http+unix"; + UNIX_SOCKET_PERMISSION = "660"; }; ui.DEFAULT_THEME = "forgejo-dark"; service.DISABLE_REGISTRATION = true; @@ -37,5 +35,6 @@ in }; }; - local.nginx.proxyVhosts."git.gerg-l.com" = link.url; + local.nginx.proxyVhosts."git.gerg-l.com" = + "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}"; } diff --git a/nixosConfigurations/gerg-desktop/services/immich.nix b/nixosConfigurations/gerg-desktop/services/immich.nix index dca391f..62b9719 100644 --- a/nixosConfigurations/gerg-desktop/services/immich.nix +++ b/nixosConfigurations/gerg-desktop/services/immich.nix @@ -1,11 +1,11 @@ { config, ... }: let cfg = config.services.immich; - link = config.local.links.immich; in { - local.links.immich = { }; - systemd.tmpfiles.rules = [ "d ${cfg.mediaLocation} - ${cfg.user} ${cfg.group} - -" ]; + systemd.tmpfiles.rules = + + [ "d ${cfg.mediaLocation} - ${cfg.user} ${cfg.group} - -" ]; users.users.${cfg.user}.extraGroups = [ "postgres" ]; services.immich = { @@ -18,9 +18,9 @@ in mediaLocation = "/persist/services/immich"; machine-learning.enable = true; settings = null; - inherit (link) port; - host = link.ipv4; + port = 2283; + host = "0.0.0.0"; }; - local.nginx.proxyVhosts."photos.gerg-l.com" = link.url; + local.nginx.proxyVhosts."photos.gerg-l.com" = "http://localhost:${toString cfg.port}"; } diff --git a/nixosConfigurations/gerg-desktop/services/miniflux.nix b/nixosConfigurations/gerg-desktop/services/miniflux.nix index c9351f9..aaa50d9 100644 --- a/nixosConfigurations/gerg-desktop/services/miniflux.nix +++ b/nixosConfigurations/gerg-desktop/services/miniflux.nix @@ -1,19 +1,15 @@ { config, + lib, }: -let - link = config.local.links.miniflux; -in { - local.links.miniflux = { }; - sops.secrets.minifluxenv = { }; services.miniflux = { enable = true; config = { BASE_URL = "https://flux.gerg-l.com"; - LISTEN_ADDR = link.tuple; + LISTEN_ADDR = "/run/miniflux/miniflux.sock"; }; adminCredentialsFile = config.sops.secrets.minifluxenv.path; createDatabaseLocally = true; @@ -32,5 +28,11 @@ in }; }; - local.nginx.proxyVhosts."flux.gerg-l.com" = link.url; + systemd.services.miniflux.serviceConfig = { + RuntimeDirectoryMode = lib.mkForce "0770"; + DynamicUser = lib.mkForce false; + }; + + local.nginx.proxyVhosts."flux.gerg-l.com" = + "http://unix:${config.services.miniflux.config.LISTEN_ADDR}"; } diff --git a/nixosConfigurations/gerg-desktop/services/nix-serve.nix b/nixosConfigurations/gerg-desktop/services/nix-serve.nix index ea45303..4b6eff1 100644 --- a/nixosConfigurations/gerg-desktop/services/nix-serve.nix +++ b/nixosConfigurations/gerg-desktop/services/nix-serve.nix @@ -1,22 +1,28 @@ { config, pkgs, + lib, }: -let - link = config.local.links.nix-serve; -in { - local.links.nix-serve = { }; - - sops.secrets.store_key = { }; + sops.secrets.store_key.owner = "nix-serve"; users = { - groups.builder = { }; - users.builder = { - isSystemUser = true; - openssh.authorizedKeys.keys = [ config.local.keys.root_media-laptop ]; - group = "builder"; - shell = pkgs.bashInteractive; + groups = { + builder = { }; + nix-serve = { }; + }; + users = { + ${config.services.nginx.user}.extraGroups = [ "nix-serve" ]; + builder = { + isSystemUser = true; + openssh.authorizedKeys.keys = [ config.local.keys.root_media-laptop ]; + group = "builder"; + shell = pkgs.bashInteractive; + }; + nix-serve = { + isSystemUser = true; + group = "nix-serve"; + }; }; }; @@ -32,18 +38,37 @@ in nix.settings = { trusted-users = [ "builder" ]; + allowed-users = [ "nix-serve" ]; keep-outputs = true; keep-derivations = true; secret-key-files = config.sops.secrets.store_key.path; }; - services.nix-serve = { - enable = true; - inherit (link) port; - package = pkgs.nix-serve-ng; - bindAddress = link.ipv4; - secretKeyFile = config.sops.secrets.store_key.path; - }; + systemd.services.nix-serve = { + description = "nix-serve binary cache server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; - local.nginx.proxyVhosts."cache.gerg-l.com" = link.url; + path = [ + config.nix.package + pkgs.bzip2 + ]; + + serviceConfig = { + ExecStart = "${lib.getExe pkgs.nix-serve-ng} --socket /run/nix-serve/nix-serve.sock"; + Restart = "always"; + RestartSec = "5s"; + User = "nix-serve"; + Group = "nix-serve"; + RuntimeDirectory = "nix-serve"; + UMask = "0117"; + }; + + environment = { + NIX_REMOTE = "daemon"; + NIX_SECRET_KEY_FILE = config.sops.secrets.store_key.path; + }; + + }; + local.nginx.proxyVhosts."cache.gerg-l.com" = "http://unix:/run/nix-serve/nix-serve.sock"; } diff --git a/nixosConfigurations/gerg-desktop/services/searxng.nix b/nixosConfigurations/gerg-desktop/services/searxng.nix index a84806a..4fcc4c2 100644 --- a/nixosConfigurations/gerg-desktop/services/searxng.nix +++ b/nixosConfigurations/gerg-desktop/services/searxng.nix @@ -1,10 +1,5 @@ { config, pkgs }: -let - link = config.local.links.searx; -in { - local.links.searx = { }; - sops.secrets.searxngenv = { }; users.users.${config.services.nginx.user}.extraGroups = [ "searx" ]; services.searx = { @@ -12,7 +7,8 @@ in package = pkgs.searxng; runInUwsgi = true; uwsgiConfig = { - http = link.tuple; + socket = "/run/searx/searx.sock"; + chmod-socket = "660"; disable-logging = true; }; environmentFile = config.sops.secrets.searxngenv.path; @@ -41,7 +37,7 @@ in }; local.nginx.defaultVhosts."search.gerg-l.com" = { - locations."/".proxyPass = link.url; + locations."/".extraConfig = "uwsgi_pass unix:${config.services.searx.uwsgiConfig.socket};"; extraConfig = "access_log off;"; }; } diff --git a/nixosConfigurations/gerg-desktop/services/vocard/application.yml b/nixosConfigurations/gerg-desktop/services/vocard/application.yml index 92ce11b..f10a688 100644 --- a/nixosConfigurations/gerg-desktop/services/vocard/application.yml +++ b/nixosConfigurations/gerg-desktop/services/vocard/application.yml @@ -12,32 +12,41 @@ plugins: # The clients to use for track loading. See below for a list of valid clients. # Clients are queried in the order they are given (so the first client is queried first and so on...) clients: + - MUSIC - TVHTML5EMBEDDED + - TV + - ANDROID_VR + - WEB + - WEBEMBEDDED oauth: enabled: true - # Set with env vars - #refreshToken: "" + refreshToken: "@refresh_token@" +# name: # Name of the plugin +# some_key: some_value # Some key-value pair for the plugin +# another_key: another_value lavalink: plugins: - dependency: "dev.lavalink.youtube:youtube-plugin:1.11.5" snapshot: false # setting "enabled: true" is the bare minimum to get OAuth working. enabled: true - - # Set with env vars - #pluginsDir: "" +# - dependency: "com.github.example:example-plugin:1.0.0" # required, the coordinates of your plugin +# repository: "https://maven.example.com/releases" # optional, defaults to the Lavalink releases repository by default +# snapshot: false # optional, defaults to false, used to tell Lavalink to use the snapshot repository instead of the release repository +# pluginsDir: "./plugins" # optional, defaults to "./plugins" +# defaultPluginRepository: "https://maven.lavalink.dev/releases" # optional, defaults to the Lavalink release repository +# defaultPluginSnapshotRepository: "https://maven.lavalink.dev/snapshots" # optional, defaults to the Lavalink snapshot repository server: - - # Set with env vars - #password: "" + password: "@password@" sources: + # The default Youtube source is now deprecated and won't receive further updates. Please use https://github.com/lavalink-devs/youtube-source#plugin instead. youtube: false bandcamp: true soundcloud: true twitch: true vimeo: true nico: true - http: true + http: true # warning: keeping HTTP enabled without a proxy configured could expose your server's IP address. local: false filters: # All filters are enabled by default volume: true @@ -86,10 +95,14 @@ metrics: sentry: dsn: "" environment: "" +# tags: +# some_key: some_value +# another_key: another_value logging: file: - path: null + path: ./logs/ + level: root: INFO lavalink: INFO @@ -103,6 +116,7 @@ logging: includePayload: true maxPayloadLength: 10000 + logback: rollingpolicy: max-file-size: 1GB diff --git a/nixosConfigurations/gerg-desktop/services/vocard/secrets.yaml b/nixosConfigurations/gerg-desktop/services/vocard/secrets.yaml index 1ad9001..1bcc7a4 100644 --- a/nixosConfigurations/gerg-desktop/services/vocard/secrets.yaml +++ b/nixosConfigurations/gerg-desktop/services/vocard/secrets.yaml @@ -1,10 +1,11 @@ vocard: - token: ENC[AES256_GCM,data:aNRKBA94pqMCsRypIiVEmNMQK6cKCWa7pHC8dNpYSYGrn58i5PF+ByoR0k6AgGagBCtp//1fb9JzDHHLBKEbx5DH8J3B/D+F,iv:65zw7RZbFPvvBxz09OTnAci/dugbEvNj48ObxpYcmLE=,tag:Kcx0X+6mtm50S51c06oJ8g==,type:str] - client_id: ENC[AES256_GCM,data:E490VeSSfy4q7Ztc+7mng3LcAg==,iv:iLLhg7/okFFFGNSOPH7JmOGeMjcjzk1AdtkhgZbGx9Y=,tag:gWKPUjlqVTKqOzzdFHP+FQ==,type:str] + token: ENC[AES256_GCM,data:CCu4yOw4Fvwyx0KkYIikiz3VY2xTPbBx1q92W7FBTp+5fU+UP7yuAwZMWWZtzKdEyypzlk5uJ4tJRwUHqq62EnJqYj4wCVcr,iv:/Nxr9QPjEa67Xxn+tz3TRrcNG+cqEPVsqdjjxLp7R+k=,tag:LcVRrGorxvljJqpgs2bSoA==,type:str] + client_id: ENC[AES256_GCM,data:yd9vcUVxMpAKiPzl1hDI9EJhzA==,iv:dzB8ls0k5kWd+qtbSAkSfAXO0dxIUwdjppGYMkc+OHg=,tag:l1M4XTs79fszfNcFXSzVVg==,type:str] spotify_client_id: ENC[AES256_GCM,data:uwqtWL7JZnN6FsPfTxtBjEgjE7qwGcKbDnloO6SNWs4=,iv:HMZ42J2oXavE4NZCmP1MUVZ+s9Px4XBDRWIbCcl6dYs=,tag:iO8hn8mlNGS1dcLBwwl/AQ==,type:str] spotify_client_secret: ENC[AES256_GCM,data:YnfLj7RPTaucpZCqnel2gStd8oBcbWnL4/+KnkyT4u0=,iv:W6gXch7jH5jFp0PJy0LZ7vq1yCtO1NLbCTR3N6r47nQ=,tag:ct5Y786N6qVkZCts6pZniQ==,type:str] - password: ENC[AES256_GCM,data:7yGTh6LPtoZvJgSvLvbZQ5Gx0Xw=,iv:UKy14fJZhn5EwtMxd6vZ5X55Tk3iOW7UUF9GVXyhup8=,tag:bKoNLltZQPgmT2mv7kDSQw==,type:str] -lavalink: ENC[AES256_GCM,data:Ub5baoxk8fOtchrOKR1YRwgrv/ja8e/9BY1Qaf+njDnvATSrRTcsvNZYU+YZb7OnJjfGRC5qytZo7T0ZBqHSFEdqvZToBHj0nVDTrXnbCm5o+NLKegCkofMG0c3D7JOB6lsc/0zBh8DF+i2M/Z5PNfmeE5Woe8Ev4gZEKyXQmFswULC5tsUqtnf7itQinf+FPDYqKA8Fi90JRWADt/XM1xRRZ4k5QthJ3kIQjYLa4+EOiSTAwIGxAvljl8c=,iv:cdpyakU0/eolOnamevITA4CKpNkU8lRYsOYFOUW8mO8=,tag:dT5lGvsUZDO5Esjyrn77Dg==,type:str] +lavalink: + refresh_token: ENC[AES256_GCM,data:xiPmWhJTQ4OBIeB98t8qtDVQ7e/KVcThTmw5KE0VCIPfm6g7sOzXt7f91nSXX3wBvmy3tX+xii9/rp4dAg3b3/NYL4uHnLsKjM1wGTSH+KuCkbmJZDNYEk2OMSOlAK2x0yAMvpFB,iv:IdITL9x+yfVzf9yqDgJPUBok0Zn/CtN0CVF4AGIcgj8=,tag:DvQChj3Mng47LvNBYd6NAg==,type:str] + password: ENC[AES256_GCM,data:boIoVKGcXWAaKx6rOH1w1awTGfc=,iv:mX8WaaeeQXqyVuM5oA5tUUG7h7C0rV9QAVoHW/InyPc=,tag:Q/P3T5o1CMlbxe+UWyOP3A==,type:str] sops: kms: [] gcp_kms: [] @@ -20,8 +21,8 @@ sops: WC9NVmdtWjlWSWN6dUwwMFdPRmpxWG8Ka0i27kBbA4p835RWsEPIghFTwxo4elOz PL0TnuMNnl66TJiD0x6oRMn8tb6wQIAqGxBt9Jb2lj24eXCtzfGbEg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-03-03T00:10:49Z" - mac: ENC[AES256_GCM,data:41um/6Fa0HqCVO/qj7/geUXWWOlXFZFt552W/T/hlsiUoebyPa4RgGVPcs332vuP+bgb4ELeJ0bsVqUFTtEbkfjaij9HT+BZIhImu8ZGKs/ZNkofw1s6h+kIVH4uf/sXYqMEATfHhSFqEoWsGsuL57i4llKzPBqsSyhdB4FeXDs=,iv:T3mt5lZmIT208gaCywsiuZ+Le/3BSDLL2UDxLExsEwE=,tag:jfpFXmcRNzJZCSAdZB4K7g==,type:str] + lastmodified: "2025-02-26T22:57:12Z" + mac: ENC[AES256_GCM,data:mb/kTo9zPyLbDJlvh6+P9GTzTVzVt7RMBnzS/qMDUvUR9OAP+zSt1Vf80oXnO3WqRncgRrIi1k3oKeipKHdTxmzXae+jefh7oOMGCeXI51IlnOhkA0MBgrN/jSMwEinYmqDGemzB7ff9quATtm8N/SoxepkR1ddikgEX6Zfr0mw=,iv:yTm2at3lgb1uWCsETw/XpDdrfKv5/8b1oxU2Eq89tbk=,tag:AP8vrUHejq2gsnkSBWHKyA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.4 diff --git a/nixosConfigurations/gerg-desktop/services/vocard/vocard.nix b/nixosConfigurations/gerg-desktop/services/vocard/vocard.nix index db2ef35..3062f6b 100644 --- a/nixosConfigurations/gerg-desktop/services/vocard/vocard.nix +++ b/nixosConfigurations/gerg-desktop/services/vocard/vocard.nix @@ -6,64 +6,82 @@ { sops = { secrets = - { - lavalink = { - sopsFile = ./secrets.yaml; - restartUnits = [ - "vocard.service" - "lavalink.service" - ]; + builtins.mapAttrs + ( + _: v: + v + // { + sopsFile = ./secrets.yaml; + } + ) + { + "vocard/token" = { }; + "vocard/client_id" = { }; + "vocard/spotify_client_id" = { }; + "vocard/spotify_client_secret" = { }; + "lavalink/refresh_token" = { }; + "lavalink/password" = { }; + }; + templates = { + vocard = { + path = "/persist/services/vocard/settings.json"; + restartUnits = [ + "vocard.service" + "lavalink.service" + ]; + content = + builtins.replaceStrings + [ + "@token@" + "@client_id@" + "@spotify_client_id@" + "@spotify_client_secret@" + "@password@" + ] + [ + config.sops.placeholder."vocard/token" + config.sops.placeholder."vocard/client_id" + config.sops.placeholder."vocard/spotify_client_id" + config.sops.placeholder."vocard/spotify_client_secret" + config.sops.placeholder."lavalink/password" - } - // builtins.listToAttrs ( - map - (x: { - name = "vocard/${x}"; - value.sopsFile = ./secrets.yaml; - }) - [ - "token" - "client_id" - "spotify_client_id" - "spotify_client_secret" - "password" - ] - ); + ] + (builtins.readFile ./settings.json); + }; - templates.vocard = { - restartUnits = [ - "vocard.service" - "lavalink.service" - ]; - content = - builtins.replaceStrings - [ - "@token@" - "@client_id@" - "@spotify_client_id@" - "@spotify_client_secret@" - "@password@" - ] - (map (x: config.sops.placeholder.${x}) [ - "vocard/token" - "vocard/client_id" - "vocard/spotify_client_id" - "vocard/spotify_client_secret" - "vocard/password" - ]) - (builtins.readFile ./settings.json); + lavalink = { + path = "/persist/services/lavalink/application.yml"; + restartUnits = [ + "vocard.service" + "lavalink.service" + ]; + content = + builtins.replaceStrings + [ + "@refresh_token@" + "@password@" + ] + [ + config.sops.placeholder."lavalink/refresh_token" + config.sops.placeholder."lavalink/password" + ] + (builtins.readFile ./application.yml); + }; }; }; + systemd.tmpfiles.rules = [ + "d /persist/services/vocard - - - - -" + "d /persist/services/lavalink - - - - -" + ]; + systemd.services = { vocard = { wantedBy = [ "multi-user.target" ]; - - bindsTo = [ "lavalink.service" ]; - - requires = [ + wants = [ "network-online.target" + "lavalink.service" "ferretdb.service" ]; after = [ @@ -74,8 +92,7 @@ ]; serviceConfig = { ExecStart = lib.getExe self'.packages.vocard; - DynamicUser = true; - LoadCredential = "settings.json:${config.sops.templates.vocard.path}"; + WorkingDirectory = "/persist/services/vocard"; Restart = "on-failure"; RestartSec = "30s"; }; @@ -87,13 +104,9 @@ "syslog.target" "network-online.target" ]; - - environment.LAVALINK_PLUGINS_DIR = self'.packages.lavalinkPlugins; - serviceConfig = { - ExecStart = "${lib.getExe self'.packages.lavalink} --spring.config.location='file:${./application.yml}'"; - DynamicUser = true; - EnvironmentFile = config.sops.secrets.lavalink.path; + ExecStart = lib.getExe self'.packages.lavalink; + WorkingDirectory = "/persist/services/lavalink"; Restart = "on-failure"; RestartSec = "30s"; }; @@ -101,15 +114,4 @@ }; services.ferretdb.enable = true; - - systemd.mounts = [ - { - what = "/persist/services/ferretdb"; - where = "/var/lib/private/ferretdb"; - wantedBy = [ "ferretdb.service" ]; - bindsTo = [ "ferretdb.service" ]; - type = "none"; - options = "bind"; - } - ]; } diff --git a/nixosModules/nix.nix b/nixosModules/nix.nix index 3a46f85..b1ec9d4 100644 --- a/nixosModules/nix.nix +++ b/nixosModules/nix.nix @@ -59,6 +59,7 @@ # #allow-import-from-derivation = false; trusted-users = [ "root" ]; + allowed-users = [ "@wheel" ]; use-xdg-base-directories = true; auto-allocate-uids = true; }; diff --git a/nixosModules/portMagic.nix b/nixosModules/portMagic.nix deleted file mode 100644 index 4ea5c80..0000000 --- a/nixosModules/portMagic.nix +++ /dev/null @@ -1,94 +0,0 @@ -{ lib, ... }: -{ - options.local.links = lib.mkOption { - type = lib.types.attrsOf ( - lib.types.submodule ( - { - config, - name, - ... - }: - - let - portHash = lib.flip lib.pipe [ - (builtins.hashString "md5") - (builtins.substring 0 7) - (hash: (fromTOML "v=0x${hash}").v) - (lib.flip lib.mod config.reservedPorts.amount) - (builtins.add config.reservedPorts.start) - ]; - in - - { - options = { - ipv4 = lib.mkOption { - type = lib.types.str; - default = "127.0.0.1"; - description = "The IPv4 address."; - }; - hostname = lib.mkOption { - type = lib.types.str; - description = "The hostname."; - }; - - port = lib.mkOption { - type = lib.types.int; - description = "The TCP or UDP port."; - }; - portStr = lib.mkOption { - type = lib.types.str; - description = "The TCP or UDP port, as a string."; - }; - reservedPorts = { - amount = lib.mkOption { - type = lib.types.int; - default = 10000; - description = "Amount of ports to reserve at most."; - }; - start = lib.mkOption { - type = lib.types.int; - default = 30000; - description = "Starting point for reserved ports."; - }; - }; - - protocol = lib.mkOption { - type = lib.types.str; - default = "http"; - description = "The protocol in URL scheme name format."; - }; - path = lib.mkOption { - type = lib.types.nullOr lib.types.path; - default = null; - description = "The resource path."; - }; - url = lib.mkOption { - type = lib.types.str; - description = "The URL."; - }; - tuple = lib.mkOption { - type = lib.types.str; - description = "The hostname:port tuple."; - }; - extra = lib.mkOption { - type = lib.types.attrs; - description = "Arbitrary extra data."; - }; - }; - config = lib.mkIf true { - hostname = lib.mkDefault config.ipv4; - port = lib.mkDefault (portHash "${config.hostname}:${name}"); - portStr = toString config.port; - tuple = "${config.hostname}:${config.portStr}"; - url = "${config.protocol}://${config.hostname}:${config.portStr}${ - if config.path == null then "" else config.path - }"; - }; - } - ) - - ); - description = "Port Magic links."; - default = { }; - }; -} diff --git a/packages/lavalink/package.nix b/packages/lavalink/package.nix index 64104ea..301cae8 100644 --- a/packages/lavalink/package.nix +++ b/packages/lavalink/package.nix @@ -14,17 +14,24 @@ stdenvNoCC.mkDerivation (finalAttrs: { hash = "sha256-G4a9ltPq/L0vcazTQjStTlOOtwrBi37bYUNQHy5CV9Y="; }; + plugin = fetchurl { + url = "https://github.com/lavalink-devs/youtube-source/releases/download/1.11.5/youtube-plugin-1.11.5.jar"; + hash = "sha256-Zz4S5mWcsVFWGmN41L34GqZeCOswt/CAn+1PN1XJtbk="; + }; + dontUnpack = true; nativeBuildInputs = [ makeBinaryWrapper ]; buildCommand = '' install -Dm644 "$src" "$out/lib/Lavalink.jar" + install -Dm644 "$plugin" "$out/plugins/youtube-plugin.jar" - mkdir -p "$out/bin" - makeWrapper '${lib.getExe zulu17}' "$out/bin/lavalink" \ - --add-flags "-jar $out/lib/Lavalink.jar" + mkdir -p $out/bin + makeWrapper ${lib.getExe zulu17} $out/bin/lavalink \ + --add-flags "-jar -Xmx4G $out/lib/Lavalink.jar" ''; meta.mainProgram = "lavalink"; + }) diff --git a/packages/lavalinkPlugins/package.nix b/packages/lavalinkPlugins/package.nix deleted file mode 100644 index acb8327..0000000 --- a/packages/lavalinkPlugins/package.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ - fetchurl, - linkFarm, -}: -linkFarm "lavalinkPlugins" [ - { - name = "youtube-plugin-1.11.5.jar"; - path = fetchurl { - url = "https://github.com/lavalink-devs/youtube-source/releases/download/1.11.5/youtube-plugin-1.11.5.jar"; - hash = "sha256-Zz4S5mWcsVFWGmN41L34GqZeCOswt/CAn+1PN1XJtbk="; - }; - } -] diff --git a/packages/vocard/package.nix b/packages/vocard/package.nix index 3f07993..5dc17c5 100644 --- a/packages/vocard/package.nix +++ b/packages/vocard/package.nix @@ -38,7 +38,7 @@ stdenv.mkDerivation { runHook postBuild ''; - patches = [ ./useLoadCredential.patch ]; + patches = [ ./use_cwd.patch ]; nativeBuildInputs = [ makeBinaryWrapper diff --git a/packages/vocard/useLoadCredential.patch b/packages/vocard/use_cwd.patch similarity index 89% rename from packages/vocard/useLoadCredential.patch rename to packages/vocard/use_cwd.patch index 32c90f4..84617ca 100644 --- a/packages/vocard/useLoadCredential.patch +++ b/packages/vocard/use_cwd.patch @@ -1,6 +1,5 @@ - diff --git a/function.py b/function.py -index 6e09f5e..0c8bfa4 100644 +index 6e09f5e..f0f6a11 100644 --- a/function.py +++ b/function.py @@ -18,7 +18,7 @@ from motor.motor_asyncio import ( @@ -8,7 +7,7 @@ index 6e09f5e..0c8bfa4 100644 ROOT_DIR = os.path.dirname(os.path.abspath(__file__)) -if not os.path.exists(os.path.join(ROOT_DIR, "settings.json")): -+if not os.path.exists(os.path.join(os.getenv("CREDENTIALS_DIRECTORY"), "settings.json")): ++if not os.path.exists(os.path.join(os.getcwd(), "settings.json")): raise Exception("Settings file not set!") #--------------- Cache Var --------------- @@ -58,21 +57,19 @@ index 6e09f5e..0c8bfa4 100644 if len(keys) == 1: return LANGS.get(lang, {}).get(keys[0], "Language pack not found!") diff --git a/main.py b/main.py -index e2c6b9e..98dc34b 100644 +index e2c6b9e..4ff7de6 100644 --- a/main.py +++ b/main.py -@@ -80,13 +80,7 @@ class Vocard(commands.Bot): - await self.ipc.connect() +@@ -81,12 +81,6 @@ class Vocard(commands.Bot): except Exception as e: func.logger.error(f"Cannot connected to dashboard! - Reason: {e}") -- + - if not func.settings.version or func.settings.version != update.__version__: - func.update_json("settings.json", new_data={"version": update.__version__}) - - await self.tree.set_translator(Translator()) - await self.tree.sync() - -+ await self.tree.sync() async def on_ready(self): func.logger.info("------------------") func.logger.info(f"Logging As {self.user}") @@ -81,7 +78,7 @@ index e2c6b9e..98dc34b 100644 # Loading settings and logger -func.settings = Settings(func.open_json("settings.json")) -+func.settings = Settings(func.open_json(os.path.join(os.getenv("CREDENTIALS_DIRECTORY"),"settings.json"))) ++func.settings = Settings(func.open_json(os.path.join(os.getcwd(),"settings.json"))) LOG_SETTINGS = func.settings.logging if (LOG_FILE := LOG_SETTINGS.get("file", {})).get("enable", True):