mirror of
https://github.com/Gerg-L/nixos.git
synced 2025-12-10 08:53:56 -05:00
168 lines
3.9 KiB
Nix
168 lines
3.9 KiB
Nix
{
|
|
self',
|
|
lib,
|
|
config,
|
|
pkgs,
|
|
}:
|
|
let
|
|
link = config.local.links.lavalink;
|
|
ferretLink = config.local.links.ferretdb;
|
|
in
|
|
{
|
|
local.links = {
|
|
lavalink = { };
|
|
ferretdb.protocol = "mongodb";
|
|
};
|
|
|
|
sops = {
|
|
secrets = {
|
|
ferretdb = { };
|
|
lavalink = {
|
|
sopsFile = ./secrets.yaml;
|
|
restartUnits = [
|
|
"vocard.service"
|
|
"lavalink.service"
|
|
];
|
|
};
|
|
|
|
}
|
|
// builtins.listToAttrs (
|
|
map
|
|
(x: {
|
|
name = "vocard/${x}";
|
|
value.sopsFile = ./secrets.yaml;
|
|
})
|
|
[
|
|
"token"
|
|
"client_id"
|
|
"spotify_client_id"
|
|
"spotify_client_secret"
|
|
"password"
|
|
]
|
|
);
|
|
|
|
templates.vocard = {
|
|
restartUnits = [
|
|
"vocard.service"
|
|
"lavalink.service"
|
|
];
|
|
content = builtins.toJSON (
|
|
import ./_settings.nix {
|
|
inherit link ferretLink;
|
|
p = config.sops.placeholder;
|
|
}
|
|
);
|
|
};
|
|
};
|
|
|
|
systemd.services = {
|
|
vocard = {
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
bindsTo = [ "lavalink.service" ];
|
|
|
|
requires = [
|
|
"network-online.target"
|
|
"ferretdb.service"
|
|
];
|
|
after = [
|
|
"syslog.target"
|
|
"network-online.target"
|
|
"lavalink.service"
|
|
"ferretdb.service"
|
|
];
|
|
serviceConfig = {
|
|
ExecStart = lib.getExe self'.packages.vocard;
|
|
DynamicUser = true;
|
|
LoadCredential = "settings.json:${config.sops.templates.vocard.path}";
|
|
Restart = "on-failure";
|
|
RestartSec = "30s";
|
|
};
|
|
};
|
|
|
|
lavalink = {
|
|
wants = [ "network-online.target" ];
|
|
after = [
|
|
"syslog.target"
|
|
"network-online.target"
|
|
];
|
|
|
|
serviceConfig = {
|
|
ExecStart = lib.getExe self'.packages.lavalink;
|
|
WorkingDirectory = lib.pipe ./_application.nix [
|
|
(lib.flip import {
|
|
inherit link;
|
|
inherit (self'.packages) lavalinkPlugins;
|
|
})
|
|
builtins.toJSON
|
|
(pkgs.writeTextDir "application.yml")
|
|
];
|
|
DynamicUser = true;
|
|
EnvironmentFile = config.sops.secrets.lavalink.path;
|
|
Restart = "on-failure";
|
|
RestartSec = "30s";
|
|
};
|
|
};
|
|
};
|
|
|
|
services.postgresql = {
|
|
ensureDatabases = [ "ferretdb" ];
|
|
ensureUsers = [
|
|
{
|
|
name = "ferretdb";
|
|
ensureDBOwnership = true;
|
|
}
|
|
];
|
|
};
|
|
|
|
systemd.services.ferretdb = {
|
|
description = "FerretDB";
|
|
after = [ "network.target" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
environment = {
|
|
FERRETDB_HANDLER = "pg";
|
|
FERRETDB_LISTEN_ADDR = ferretLink.tuple;
|
|
};
|
|
|
|
serviceConfig = {
|
|
ExecStart =
|
|
let
|
|
dbLink = config.local.links.postgresql;
|
|
in
|
|
"${lib.getExe pkgs.ferretdb} --debug-addr='-' --telemetry='disable' --postgresql-url=\"postgres:///ferretdb?user=ferretdb&host=${dbLink.hostname}&port=${dbLink.portStr}&passfile=\${CREDENTIALS_DIRECTORY}/password\"";
|
|
Type = "simple";
|
|
StateDirectory = "ferretdb";
|
|
WorkingDirectory = "%S/ferretdb";
|
|
LoadCredential = "password:${config.sops.secrets.ferretdb.path}";
|
|
Restart = "on-failure";
|
|
ProtectHome = true;
|
|
ProtectSystem = "strict";
|
|
PrivateTmp = true;
|
|
PrivateDevices = true;
|
|
ProtectHostname = true;
|
|
ProtectClock = true;
|
|
ProtectKernelTunables = true;
|
|
ProtectKernelModules = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectControlGroups = true;
|
|
NoNewPrivileges = true;
|
|
RestrictRealtime = true;
|
|
RestrictSUIDSGID = true;
|
|
RemoveIPC = true;
|
|
PrivateMounts = true;
|
|
DynamicUser = true;
|
|
};
|
|
};
|
|
|
|
systemd.mounts = [
|
|
{
|
|
what = "/persist/services/ferretdb";
|
|
where = "/var/lib/private/ferretdb";
|
|
wantedBy = [ "ferretdb.service" ];
|
|
bindsTo = [ "ferretdb.service" ];
|
|
type = "none";
|
|
options = "bind";
|
|
}
|
|
];
|
|
}
|