Save beefcake
This commit is contained in:
parent
e702bc16d5
commit
014ed7f199
3 changed files with 132 additions and 94 deletions
40
flake.lock
40
flake.lock
|
@ -285,6 +285,22 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1708105575,
|
||||
"narHash": "sha256-sS4AItZeUnAei6v8FqxNlm+/27MPlfoGym/TZP0rmH0=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "1d1817869c47682a6bee85b5b0a6537b6c0fba26",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "release-23.11",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1707956935,
|
||||
|
@ -301,6 +317,22 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_3": {
|
||||
"locked": {
|
||||
"lastModified": 1708093448,
|
||||
"narHash": "sha256-gohEm3/NVyu7WINFhRf83yJH8UM2ie/KY9Iw3VN6fiE=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "c7763249f02b7786b4ca36e13a4d7365cfba162f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixpkgs-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"api-lyte-dev": "api-lyte-dev",
|
||||
|
@ -357,12 +389,8 @@
|
|||
},
|
||||
"sops-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-stable": [
|
||||
"nixpkgs"
|
||||
]
|
||||
"nixpkgs": "nixpkgs_3",
|
||||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1707842202,
|
||||
|
|
|
@ -1,4 +1,8 @@
|
|||
{outputs, ...}: {
|
||||
{
|
||||
config,
|
||||
outputs,
|
||||
...
|
||||
}: {
|
||||
# a minimal, familiar setup that I can bootstrap atop
|
||||
imports = with outputs.nixosModules; [
|
||||
# may need to be tweaked based on the machine's paritioning scheme
|
||||
|
@ -7,6 +11,8 @@
|
|||
wifi
|
||||
];
|
||||
|
||||
networking.hostName = config.home-manager.users.daniel.home.username;
|
||||
|
||||
# TODO: may not work for non-UEFI?
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
}
|
||||
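Review bot: `networking.hostName = config.home-manager.users.daniel.home.username;` in the second hunk is set with no priority, so any host that imports this bootstrap module (the header comment calls it "a minimal, familiar setup that I can bootstrap atop") and also sets its own hostName will get a definition conflict rather than an override, and evaluation now depends on the home-manager module being loaded with a `daniel` user. Consider `networking.hostName = lib.mkDefault config.home-manager.users.daniel.home.username;` with `lib` added to the argument set (`{ config, lib, outputs, ... }: {`), and the same `lib.mkDefault` on `boot.loader.systemd-boot.enable = true;` so the non-UEFI case raised in the TODO can be overridden per host instead of edited here. New-side lines 9-10 of the file fall between the two hunks and are not shown.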
|
|
|
@ -8,20 +8,23 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x01 0x00
|
|||
sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
|
||||
*/
|
||||
{
|
||||
inputs,
|
||||
outputs,
|
||||
config,
|
||||
# inputs,
|
||||
# outputs,
|
||||
# config,
|
||||
pkgs,
|
||||
...
|
||||
}: let
|
||||
inherit (pkgs) system;
|
||||
in {
|
||||
imports = with outputs.nixosModules; [
|
||||
intel
|
||||
fonts # so that it gets cached to the nix store
|
||||
inputs.api-lyte-dev.nixosModules.${system}.api-lyte-dev
|
||||
# inputs.nix-minecraft.nixosModules.minecraft-servers
|
||||
];
|
||||
imports =
|
||||
[
|
||||
../modules/nixos/intel.nix
|
||||
../modules/nixos/fonts.nix
|
||||
]
|
||||
++ [
|
||||
# inputs.api-lyte-dev.nixosModules.${system}.api-lyte-dev
|
||||
# inputs.nix-minecraft.nixosModules.minecraft-servers
|
||||
];
|
||||
|
||||
nixpkgs.overlays = [
|
||||
# inputs.nix-minecraft.overlay
|
||||
|
@ -57,16 +60,16 @@ in {
|
|||
secretKeyFile = "/var/cache-priv-key.pem";
|
||||
};
|
||||
|
||||
services.api-lyte-dev = rec {
|
||||
enable = true;
|
||||
port = 5757;
|
||||
stateDir = "/var/lib/api-lyte-dev";
|
||||
configFile = config.sops.secrets."api.lyte.dev".path;
|
||||
user = "api-lyte-dev";
|
||||
group = user;
|
||||
};
|
||||
# services.api-lyte-dev = rec {
|
||||
# enable = true;
|
||||
# port = 5757;
|
||||
# stateDir = "/var/lib/api-lyte-dev";
|
||||
# # configFile = config.sops.secrets."api.lyte.dev".path;
|
||||
# user = "api-lyte-dev";
|
||||
# group = user;
|
||||
# };
|
||||
|
||||
systemd.services.api-lyte-dev.environment.LOG_LEVEL = "debug";
|
||||
# systemd.services.api-lyte-dev.environment.LOG_LEVEL = "debug";
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = ../secrets/beefcake/secrets.yml;
|
||||
|
@ -99,33 +102,33 @@ in {
|
|||
# "myservice/my_subdir/my_secret" = { };
|
||||
|
||||
"api.lyte.dev" = {
|
||||
path = "${config.services.api-lyte-dev.stateDir}/secrets.json";
|
||||
# path = "${config.services.api-lyte-dev.stateDir}/secrets.json";
|
||||
# TODO: would be cool to assert that it's correctly-formatted JSON? probably should be done in a pre-commit hook?
|
||||
mode = "0440";
|
||||
owner = config.services.api-lyte-dev.user;
|
||||
group = config.services.api-lyte-dev.group;
|
||||
# owner = config.services.api-lyte-dev.user;
|
||||
# group = config.services.api-lyte-dev.group;
|
||||
};
|
||||
|
||||
"jland.env" = {
|
||||
path = "/var/lib/jland/jland.env";
|
||||
# TODO: would be cool to assert that it's correctly-formatted JSON? probably should be done in a pre-commit hook?
|
||||
mode = "0440";
|
||||
owner = config.users.users.jland.name;
|
||||
group = config.users.groups.jland.name;
|
||||
# owner = config.users.users.jland.name;
|
||||
# group = config.users.groups.jland.name;
|
||||
};
|
||||
|
||||
plausible-admin-password = {
|
||||
# TODO: path = "${config.systemd.services.plausible.serviceConfig.WorkingDirectory}/plausible-admin-password.txt";
|
||||
path = "/var/lib/plausible/plausible-admin-password";
|
||||
mode = "0440";
|
||||
owner = config.systemd.services.plausible.serviceConfig.User;
|
||||
group = config.systemd.services.plausible.serviceConfig.Group;
|
||||
# owner = config.systemd.services.plausible.serviceConfig.User;
|
||||
# group = config.systemd.services.plausible.serviceConfig.Group;
|
||||
};
|
||||
plausible-secret-key-base = {
|
||||
path = "/var/lib/plausible/plausible-secret-key-base";
|
||||
mode = "0440";
|
||||
owner = config.systemd.services.plausible.serviceConfig.User;
|
||||
group = config.systemd.services.plausible.serviceConfig.Group;
|
||||
# owner = config.systemd.services.plausible.serviceConfig.User;
|
||||
# group = config.systemd.services.plausible.serviceConfig.Group;
|
||||
};
|
||||
nextcloud-admin-password = {
|
||||
path = "/var/lib/nextcloud/admin-password";
|
||||
|
@ -187,7 +190,7 @@ in {
|
|||
users.users.lytedev = {
|
||||
# for running my services and applications and stuff
|
||||
isNormalUser = true;
|
||||
openssh.authorizedKeys.keys = config.users.users.daniel.openssh.authorizedKeys.keys;
|
||||
# openssh.authorizedKeys.keys = config.users.users.daniel.openssh.authorizedKeys.keys;
|
||||
group = "lytedev";
|
||||
};
|
||||
|
||||
|
@ -214,7 +217,8 @@ in {
|
|||
[
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJbPqzKB09U+i4Kqu136yOjflLZ/J7pYsNulTAd4x903 root@chromebox.h.lyte.dev"
|
||||
]
|
||||
++ config.users.users.daniel.openssh.authorizedKeys.keys;
|
||||
# ++ config.users.users.daniel.openssh.authorizedKeys.keys;
|
||||
;
|
||||
};
|
||||
|
||||
users.users.guest = {
|
||||
|
@ -281,72 +285,72 @@ in {
|
|||
# TODO: there are some hardcoded ports here!
|
||||
# https://github.com/NixOS/nixpkgs/blob/04af42f3b31dba0ef742d254456dc4c14eedac86/nixos/modules/services/misc/lidarr.nix#L72
|
||||
# TODO: customize the files.lyte.dev template?
|
||||
configFile = pkgs.writeText "Caddyfile" ''
|
||||
video.lyte.dev {
|
||||
reverse_proxy :8096
|
||||
}
|
||||
# configFile = pkgs.writeText "Caddyfile" ''
|
||||
# video.lyte.dev {
|
||||
# reverse_proxy :8096
|
||||
# }
|
||||
|
||||
dev.h.lyte.dev {
|
||||
reverse_proxy :8000
|
||||
}
|
||||
# dev.h.lyte.dev {
|
||||
# reverse_proxy :8000
|
||||
# }
|
||||
|
||||
# lidarr.h.lyte.dev {
|
||||
# reverse_proxy :8686
|
||||
# }
|
||||
# # lidarr.h.lyte.dev {
|
||||
# # reverse_proxy :8686
|
||||
# # }
|
||||
|
||||
# radarr.h.lyte.dev {
|
||||
# reverse_proxy :7878
|
||||
# }
|
||||
# # radarr.h.lyte.dev {
|
||||
# # reverse_proxy :7878
|
||||
# # }
|
||||
|
||||
# sonarr.h.lyte.dev {
|
||||
# reverse_proxy :8989
|
||||
# }
|
||||
# # sonarr.h.lyte.dev {
|
||||
# # reverse_proxy :8989
|
||||
# # }
|
||||
|
||||
# bazarr.h.lyte.dev {
|
||||
# reverse_proxy :${toString config.services.bazarr.listenPort}
|
||||
# }
|
||||
# # bazarr.h.lyte.dev {
|
||||
# # reverse_proxy :$${toString config.services.bazarr.listenPort}
|
||||
# # }
|
||||
|
||||
bw.lyte.dev {
|
||||
reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT}
|
||||
}
|
||||
# bw.lyte.dev {
|
||||
# reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT}
|
||||
# }
|
||||
|
||||
api.lyte.dev {
|
||||
reverse_proxy :${toString config.services.api-lyte-dev.port}
|
||||
}
|
||||
# api.lyte.dev {
|
||||
# reverse_proxy :${toString config.services.api-lyte-dev.port}
|
||||
# }
|
||||
|
||||
a.lyte.dev {
|
||||
reverse_proxy :${toString config.services.plausible.server.port}
|
||||
}
|
||||
# a.lyte.dev {
|
||||
# reverse_proxy :${toString config.services.plausible.server.port}
|
||||
# }
|
||||
|
||||
nextcloud.lyte.dev {
|
||||
reverse_proxy :${toString 9999}
|
||||
}
|
||||
# nextcloud.lyte.dev {
|
||||
# reverse_proxy :${toString 9999}
|
||||
# }
|
||||
|
||||
git.lyte.dev {
|
||||
reverse_proxy :${toString config.services.gitea.settings.server.HTTP_PORT}
|
||||
}
|
||||
# git.lyte.dev {
|
||||
# reverse_proxy :${toString config.services.gitea.settings.server.HTTP_PORT}
|
||||
# }
|
||||
|
||||
files.lyte.dev {
|
||||
file_server browse {
|
||||
# browse template
|
||||
# hide .*
|
||||
root /storage/files.lyte.dev
|
||||
}
|
||||
}
|
||||
# files.lyte.dev {
|
||||
# file_server browse {
|
||||
# # browse template
|
||||
# # hide .*
|
||||
# root /storage/files.lyte.dev
|
||||
# }
|
||||
# }
|
||||
|
||||
nix.h.lyte.dev {
|
||||
reverse_proxy :${toString config.services.nix-serve.port}
|
||||
}
|
||||
# nix.h.lyte.dev {
|
||||
# reverse_proxy :${toString config.services.nix-serve.port}
|
||||
# }
|
||||
|
||||
# proxy everything else to chromebox
|
||||
:80 {
|
||||
reverse_proxy 10.0.0.5:80
|
||||
}
|
||||
# # proxy everything else to chromebox
|
||||
# :80 {
|
||||
# reverse_proxy 10.0.0.5:80
|
||||
# }
|
||||
|
||||
:443 {
|
||||
reverse_proxy 10.0.0.5:443
|
||||
}
|
||||
'';
|
||||
# :443 {
|
||||
# reverse_proxy 10.0.0.5:443
|
||||
# }
|
||||
# '';
|
||||
};
|
||||
|
||||
services.vaultwarden = {
|
||||
|
@ -426,12 +430,12 @@ in {
|
|||
baseUrl = "http://beefcake.hare-cod.ts.net:8899";
|
||||
disableRegistration = true;
|
||||
port = 8899;
|
||||
secretKeybaseFile = config.sops.secrets.plausible-secret-key-base.path;
|
||||
# secretKeybaseFile = config.sops.secrets.plausible-secret-key-base.path;
|
||||
};
|
||||
adminUser = {
|
||||
activate = false;
|
||||
email = "daniel@lyte.dev";
|
||||
passwordFile = config.sops.secrets.plausible-admin-password.path;
|
||||
# passwordFile = config.sops.secrets.plausible-admin-password.path;
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -696,15 +700,15 @@ in {
|
|||
|
||||
# sending commands: https://docker-minecraft-server.readthedocs.io/en/latest/commands/
|
||||
image = "docker.io/itzg/minecraft-server";
|
||||
user = "${toString config.users.users.jland.uid}:${toString config.users.groups.jland.gid}";
|
||||
# user = "${toString config.users.users.jland.uid}:${toString config.users.groups.jland.gid}";
|
||||
extraOptions = [
|
||||
"--tty"
|
||||
"--interactive"
|
||||
];
|
||||
environment = {
|
||||
EULA = "true";
|
||||
UID = toString config.users.users.jland.uid;
|
||||
GID = toString config.users.groups.jland.gid;
|
||||
# UID = toString config.users.users.jland.uid;
|
||||
# GID = toString config.users.groups.jland.gid;
|
||||
STOP_SERVER_ANNOUNCE_DELAY = "20";
|
||||
TZ = "America/Chicago";
|
||||
VERSION = "1.20.1";
|
||||
|
@ -731,7 +735,7 @@ in {
|
|||
# https://docker-minecraft-server.readthedocs.io/en/latest/misc/autopause-autostop/autopause/
|
||||
};
|
||||
environmentFiles = [
|
||||
config.sops.secrets."jland.env".path
|
||||
# config.sops.secrets."jland.env".path
|
||||
];
|
||||
ports = ["26965:25565"];
|
||||
volumes = [
|
||||
|
|
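Review bot: In the hunk at `@ -426,12 +430,12`, `secretKeybaseFile` and `adminUser.passwordFile` are commented out while the sops secrets `plausible-secret-key-base` and `plausible-admin-password` remain declared earlier in the file; as far as I know both options are required (no default) by the NixOS plausible module, so if `services.plausible.enable` is still true (its line is outside the hunk) evaluation should fail, and if plausible is being retired the two secret declarations and their `/var/lib/plausible/...` paths should go with it so decrypted material is not written out for a consumer that no longer exists. A related point in `@ -99,33 +102,33`: `owner`/`group` are commented out for `api.lyte.dev`, `jland.env` and the plausible secrets, so they now fall back to root ownership at mode `0440`, which is only correct while their consumers stay disabled — a one-line comment such as `# owner/group left at root while the service is disabled; restore before re-enabling` would record that intent. Stylistically, the replaced configuration is kept as large commented blocks (the whole Caddyfile in `@ -281,72 +285,72`) rather than deleted; git history already preserves it, and removing it would keep the module readable.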