Save beefcake

Daniel Flanagan 2024-02-16 16:52:58 -06:00
parent e702bc16d5
commit 014ed7f199
Signed by: lytedev
GPG key ID: 5B2020A0F9921EF4
3 changed files with 132 additions and 94 deletions


@ -285,6 +285,22 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable": {
"locked": {
"lastModified": 1708105575,
"narHash": "sha256-sS4AItZeUnAei6v8FqxNlm+/27MPlfoGym/TZP0rmH0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "1d1817869c47682a6bee85b5b0a6537b6c0fba26",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1707956935, "lastModified": 1707956935,
@ -301,6 +317,22 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_3": {
"locked": {
"lastModified": 1708093448,
"narHash": "sha256-gohEm3/NVyu7WINFhRf83yJH8UM2ie/KY9Iw3VN6fiE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c7763249f02b7786b4ca36e13a4d7365cfba162f",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"api-lyte-dev": "api-lyte-dev", "api-lyte-dev": "api-lyte-dev",
@ -357,12 +389,8 @@
}, },
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": "nixpkgs_3",
"nixpkgs" "nixpkgs-stable": "nixpkgs-stable"
],
"nixpkgs-stable": [
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1707842202, "lastModified": 1707842202,


@ -1,4 +1,8 @@
{outputs, ...}: { {
config,
outputs,
...
}: {
# a minimal, familiar setup that I can bootstrap atop # a minimal, familiar setup that I can bootstrap atop
imports = with outputs.nixosModules; [ imports = with outputs.nixosModules; [
# may need to be tweaked based on the machine's paritioning scheme # may need to be tweaked based on the machine's paritioning scheme
@ -7,6 +11,8 @@
wifi wifi
]; ];
networking.hostName = config.home-manager.users.daniel.home.username;
# TODO: may not work for non-UEFI? # TODO: may not work for non-UEFI?
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
} }
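Review bot: `networking.hostName = config.home-manager.users.daniel.home.username;` in the `@ -7,6 +11,8 @@` hunk ties the host name of this bootstrap profile to one user's home-manager configuration, so evaluation fails on any machine where the home-manager module is not imported or no `daniel` user is configured, and the resulting host name is the username rather than a per-machine name. If that coupling is intended it deserves a comment, e.g. `# bootstrap hosts take the primary user's name; override per machine`; if not, a fixed value for the option avoids the dependency on home-manager entirely. The `config` argument added in the first hunk exists only for this line, so the comment is the natural place to explain it.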


@ -8,20 +8,23 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x01 0x00
sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
*/ */
{ {
inputs, # inputs,
outputs, # outputs,
config, # config,
pkgs, pkgs,
... ...
}: let }: let
inherit (pkgs) system; inherit (pkgs) system;
in { in {
imports = with outputs.nixosModules; [ imports =
intel [
fonts # so that it gets cached to the nix store ../modules/nixos/intel.nix
inputs.api-lyte-dev.nixosModules.${system}.api-lyte-dev ../modules/nixos/fonts.nix
# inputs.nix-minecraft.nixosModules.minecraft-servers ]
]; ++ [
# inputs.api-lyte-dev.nixosModules.${system}.api-lyte-dev
# inputs.nix-minecraft.nixosModules.minecraft-servers
];
nixpkgs.overlays = [ nixpkgs.overlays = [
# inputs.nix-minecraft.overlay # inputs.nix-minecraft.overlay
@ -57,16 +60,16 @@ in {
secretKeyFile = "/var/cache-priv-key.pem"; secretKeyFile = "/var/cache-priv-key.pem";
}; };
services.api-lyte-dev = rec { # services.api-lyte-dev = rec {
enable = true; # enable = true;
port = 5757; # port = 5757;
stateDir = "/var/lib/api-lyte-dev"; # stateDir = "/var/lib/api-lyte-dev";
configFile = config.sops.secrets."api.lyte.dev".path; # # configFile = config.sops.secrets."api.lyte.dev".path;
user = "api-lyte-dev"; # user = "api-lyte-dev";
group = user; # group = user;
}; # };
systemd.services.api-lyte-dev.environment.LOG_LEVEL = "debug"; # systemd.services.api-lyte-dev.environment.LOG_LEVEL = "debug";
sops = { sops = {
defaultSopsFile = ../secrets/beefcake/secrets.yml; defaultSopsFile = ../secrets/beefcake/secrets.yml;
@ -99,33 +102,33 @@ in {
# "myservice/my_subdir/my_secret" = { }; # "myservice/my_subdir/my_secret" = { };
"api.lyte.dev" = { "api.lyte.dev" = {
path = "${config.services.api-lyte-dev.stateDir}/secrets.json"; # path = "${config.services.api-lyte-dev.stateDir}/secrets.json";
# TODO: would be cool to assert that it's correctly-formatted JSON? probably should be done in a pre-commit hook? # TODO: would be cool to assert that it's correctly-formatted JSON? probably should be done in a pre-commit hook?
mode = "0440"; mode = "0440";
owner = config.services.api-lyte-dev.user; # owner = config.services.api-lyte-dev.user;
group = config.services.api-lyte-dev.group; # group = config.services.api-lyte-dev.group;
}; };
"jland.env" = { "jland.env" = {
path = "/var/lib/jland/jland.env"; path = "/var/lib/jland/jland.env";
# TODO: would be cool to assert that it's correctly-formatted JSON? probably should be done in a pre-commit hook? # TODO: would be cool to assert that it's correctly-formatted JSON? probably should be done in a pre-commit hook?
mode = "0440"; mode = "0440";
owner = config.users.users.jland.name; # owner = config.users.users.jland.name;
group = config.users.groups.jland.name; # group = config.users.groups.jland.name;
}; };
plausible-admin-password = { plausible-admin-password = {
# TODO: path = "${config.systemd.services.plausible.serviceConfig.WorkingDirectory}/plausible-admin-password.txt"; # TODO: path = "${config.systemd.services.plausible.serviceConfig.WorkingDirectory}/plausible-admin-password.txt";
path = "/var/lib/plausible/plausible-admin-password"; path = "/var/lib/plausible/plausible-admin-password";
mode = "0440"; mode = "0440";
owner = config.systemd.services.plausible.serviceConfig.User; # owner = config.systemd.services.plausible.serviceConfig.User;
group = config.systemd.services.plausible.serviceConfig.Group; # group = config.systemd.services.plausible.serviceConfig.Group;
}; };
plausible-secret-key-base = { plausible-secret-key-base = {
path = "/var/lib/plausible/plausible-secret-key-base"; path = "/var/lib/plausible/plausible-secret-key-base";
mode = "0440"; mode = "0440";
owner = config.systemd.services.plausible.serviceConfig.User; # owner = config.systemd.services.plausible.serviceConfig.User;
group = config.systemd.services.plausible.serviceConfig.Group; # group = config.systemd.services.plausible.serviceConfig.Group;
}; };
nextcloud-admin-password = { nextcloud-admin-password = {
path = "/var/lib/nextcloud/admin-password"; path = "/var/lib/nextcloud/admin-password";
@ -187,7 +190,7 @@ in {
users.users.lytedev = { users.users.lytedev = {
# for running my services and applications and stuff # for running my services and applications and stuff
isNormalUser = true; isNormalUser = true;
openssh.authorizedKeys.keys = config.users.users.daniel.openssh.authorizedKeys.keys; # openssh.authorizedKeys.keys = config.users.users.daniel.openssh.authorizedKeys.keys;
group = "lytedev"; group = "lytedev";
}; };
@ -214,7 +217,8 @@ in {
[ [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJbPqzKB09U+i4Kqu136yOjflLZ/J7pYsNulTAd4x903 root@chromebox.h.lyte.dev" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJbPqzKB09U+i4Kqu136yOjflLZ/J7pYsNulTAd4x903 root@chromebox.h.lyte.dev"
] ]
++ config.users.users.daniel.openssh.authorizedKeys.keys; # ++ config.users.users.daniel.openssh.authorizedKeys.keys;
;
}; };
users.users.guest = { users.users.guest = {
@ -281,72 +285,72 @@ in {
# TODO: there are some hardcoded ports here! # TODO: there are some hardcoded ports here!
# https://github.com/NixOS/nixpkgs/blob/04af42f3b31dba0ef742d254456dc4c14eedac86/nixos/modules/services/misc/lidarr.nix#L72 # https://github.com/NixOS/nixpkgs/blob/04af42f3b31dba0ef742d254456dc4c14eedac86/nixos/modules/services/misc/lidarr.nix#L72
# TODO: customize the files.lyte.dev template? # TODO: customize the files.lyte.dev template?
configFile = pkgs.writeText "Caddyfile" '' # configFile = pkgs.writeText "Caddyfile" ''
video.lyte.dev { # video.lyte.dev {
reverse_proxy :8096 # reverse_proxy :8096
} # }
dev.h.lyte.dev { # dev.h.lyte.dev {
reverse_proxy :8000 # reverse_proxy :8000
} # }
# lidarr.h.lyte.dev { # # lidarr.h.lyte.dev {
# reverse_proxy :8686 # # reverse_proxy :8686
# } # # }
# radarr.h.lyte.dev { # # radarr.h.lyte.dev {
# reverse_proxy :7878 # # reverse_proxy :7878
# } # # }
# sonarr.h.lyte.dev { # # sonarr.h.lyte.dev {
# reverse_proxy :8989 # # reverse_proxy :8989
# } # # }
# bazarr.h.lyte.dev { # # bazarr.h.lyte.dev {
# reverse_proxy :${toString config.services.bazarr.listenPort} # # reverse_proxy :$${toString config.services.bazarr.listenPort}
# } # # }
bw.lyte.dev { # bw.lyte.dev {
reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT} # reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT}
} # }
api.lyte.dev { # api.lyte.dev {
reverse_proxy :${toString config.services.api-lyte-dev.port} # reverse_proxy :${toString config.services.api-lyte-dev.port}
} # }
a.lyte.dev { # a.lyte.dev {
reverse_proxy :${toString config.services.plausible.server.port} # reverse_proxy :${toString config.services.plausible.server.port}
} # }
nextcloud.lyte.dev { # nextcloud.lyte.dev {
reverse_proxy :${toString 9999} # reverse_proxy :${toString 9999}
} # }
git.lyte.dev { # git.lyte.dev {
reverse_proxy :${toString config.services.gitea.settings.server.HTTP_PORT} # reverse_proxy :${toString config.services.gitea.settings.server.HTTP_PORT}
} # }
files.lyte.dev { # files.lyte.dev {
file_server browse { # file_server browse {
# browse template # # browse template
# hide .* # # hide .*
root /storage/files.lyte.dev # root /storage/files.lyte.dev
} # }
} # }
nix.h.lyte.dev { # nix.h.lyte.dev {
reverse_proxy :${toString config.services.nix-serve.port} # reverse_proxy :${toString config.services.nix-serve.port}
} # }
# proxy everything else to chromebox # # proxy everything else to chromebox
:80 { # :80 {
reverse_proxy 10.0.0.5:80 # reverse_proxy 10.0.0.5:80
} # }
:443 { # :443 {
reverse_proxy 10.0.0.5:443 # reverse_proxy 10.0.0.5:443
} # }
''; # '';
}; };
services.vaultwarden = { services.vaultwarden = {
@ -426,12 +430,12 @@ in {
baseUrl = "http://beefcake.hare-cod.ts.net:8899"; baseUrl = "http://beefcake.hare-cod.ts.net:8899";
disableRegistration = true; disableRegistration = true;
port = 8899; port = 8899;
secretKeybaseFile = config.sops.secrets.plausible-secret-key-base.path; # secretKeybaseFile = config.sops.secrets.plausible-secret-key-base.path;
}; };
adminUser = { adminUser = {
activate = false; activate = false;
email = "daniel@lyte.dev"; email = "daniel@lyte.dev";
passwordFile = config.sops.secrets.plausible-admin-password.path; # passwordFile = config.sops.secrets.plausible-admin-password.path;
}; };
}; };
@ -696,15 +700,15 @@ in {
# sending commands: https://docker-minecraft-server.readthedocs.io/en/latest/commands/ # sending commands: https://docker-minecraft-server.readthedocs.io/en/latest/commands/
image = "docker.io/itzg/minecraft-server"; image = "docker.io/itzg/minecraft-server";
user = "${toString config.users.users.jland.uid}:${toString config.users.groups.jland.gid}"; # user = "${toString config.users.users.jland.uid}:${toString config.users.groups.jland.gid}";
extraOptions = [ extraOptions = [
"--tty" "--tty"
"--interactive" "--interactive"
]; ];
environment = { environment = {
EULA = "true"; EULA = "true";
UID = toString config.users.users.jland.uid; # UID = toString config.users.users.jland.uid;
GID = toString config.users.groups.jland.gid; # GID = toString config.users.groups.jland.gid;
STOP_SERVER_ANNOUNCE_DELAY = "20"; STOP_SERVER_ANNOUNCE_DELAY = "20";
TZ = "America/Chicago"; TZ = "America/Chicago";
VERSION = "1.20.1"; VERSION = "1.20.1";
@ -731,7 +735,7 @@ in {
# https://docker-minecraft-server.readthedocs.io/en/latest/misc/autopause-autostop/autopause/ # https://docker-minecraft-server.readthedocs.io/en/latest/misc/autopause-autostop/autopause/
}; };
environmentFiles = [ environmentFiles = [
config.sops.secrets."jland.env".path # config.sops.secrets."jland.env".path
]; ];
ports = ["26965:25565"]; ports = ["26965:25565"];
volumes = [ volumes = [
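Review bot: In the `@ -99,33 +102,33 @@` hunk the secret entries `"jland.env"`, `plausible-admin-password` and `plausible-secret-key-base` keep `mode = "0440"` but lose their `owner`/`group` lines, so sops-nix falls back to its default ownership (root unless set elsewhere) and the files at `/var/lib/jland/jland.env` and `/var/lib/plausible/...` become unreadable by the services that previously owned them. The consumers are commented out in the same commit (`secretKeybaseFile`, `passwordFile`, `environmentFiles`), which is consistent at runtime, but as far as I recall the plausible module has no default for `adminUser.passwordFile` or `server.secretKeybaseFile`, so evaluation may fail if `services.plausible.enable` (outside these hunks) is still true. If the secrets are only parked temporarily, commenting out the whole entry, or the `path` as was done for `"api.lyte.dev"`, is cleaner than leaving root-only copies under the service state directories. The `@ -214,7 +217,8 @@` hunk also leaves a lone `;` on its own line after `]`, which is valid Nix but reads like a leftover, and root's authorized keys now consist of the chromebox key alone while `lytedev` has none, so confirm the daniel keys are meant to be gone before this is deployed.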