From 74dff8996d2ddd06b601d161e6122a82adeb08a1 Mon Sep 17 00:00:00 2001 
From: chaos Date: Sat, 25 May 2024 21:10:26 +0100 Subject: [PATCH] remove quassel, update stateVersion, move to new server, some tidying --- data/serverIPs.nix | 6 +- home/musicLibrary.nix | 25 +- .../hetzner-arm/containers/caldav/default.nix | 4 +- .../containers/forgejo/default.nix | 4 +- .../hetzner-arm/containers/grocy/default.nix | 4 +- .../containers/jellyfin/default.nix | 4 +- hosts/hetzner-arm/containers/mail/default.nix | 4 +- .../hetzner-arm/containers/music/default.nix | 11 +- .../containers/music/modules/mpd-fork.nix | 268 ------------------ .../containers/music/profiles/mpd.nix | 49 +++- .../containers/music/profiles/musicMount.nix | 70 ----- .../containers/owncast/default.nix | 4 +- .../containers/postgresql/default.nix | 4 +- .../postgresql/profiles/postgres.nix | 6 - .../containers/postgresql/profiles/restic.nix | 2 - .../containers/quassel/default.nix | 56 ---- .../containers/quassel/profiles/quassel.nix | 6 - .../containers/quassel/profiles/restic.nix | 37 --- .../containers/quassel/secrets.nix | 37 --- hosts/hetzner-arm/containers/rss/default.nix | 4 +- .../hetzner-arm/containers/social/default.nix | 4 +- .../containers/storage/data/ports.nix | 17 +- .../containers/storage/default.nix | 5 +- .../storage/profiles/rcloneServe.nix | 10 - .../storage/profiles/rcloneSync.nix | 2 +- .../containers/storage/secrets.nix | 9 - .../containers/vault-ca/default.nix | 4 +- hosts/hetzner-arm/data/containerAddresses.nix | 17 +- hosts/hetzner-arm/hetzner-arm.nix | 36 ++- hosts/lappy-surface/lappy-surface.nix | 6 +- .../profiles/music-player-target.nix | 2 +- hosts/lappy-t495/lappy-t495.nix | 6 +- hosts/nixos.nix | 4 +- hosts/raspberry/raspberry.nix | 4 +- hosts/wsl/wsl.nix | 6 +- outputs.nix | 2 +- overlay/default.nix | 43 +-- profiles/serverExtras.nix | 32 +++ 38 files changed, 186 insertions(+), 628 deletions(-) delete mode 100644 hosts/hetzner-arm/containers/music/modules/mpd-fork.nix delete mode 100644 
hosts/hetzner-arm/containers/music/profiles/musicMount.nix delete mode 100644 hosts/hetzner-arm/containers/quassel/default.nix delete mode 100644 hosts/hetzner-arm/containers/quassel/profiles/quassel.nix delete mode 100644 hosts/hetzner-arm/containers/quassel/profiles/restic.nix delete mode 100644 hosts/hetzner-arm/containers/quassel/secrets.nix diff --git a/data/serverIPs.nix b/data/serverIPs.nix index 70d448f..3f47067 100644 --- a/data/serverIPs.nix +++ b/data/serverIPs.nix @@ -3,12 +3,8 @@ rec { ipv4 = "65.21.145.62"; ipv6 = "2a01:4f9:c012:9dbf::1"; }; - "hetzner-arm-new" = { - ipv4 = "65.21.0.145"; - ipv6 = "2a01:4f9:c012:9b6b::1"; - }; "vault" = { ipv4 = "65.21.0.145"; ipv6 = "2a01:4f9:c012:9b6b::1"; }; -} \ No newline at end of file +} diff --git a/home/musicLibrary.nix b/home/musicLibrary.nix index 709b531..e01eb13 100644 --- a/home/musicLibrary.nix +++ b/home/musicLibrary.nix @@ -44,23 +44,17 @@ in { ''; }; - home.file."Music/music-sync.sh" = { + home.file."Music/music-gen-listing.sh" = { executable = true; text = '' #!/usr/bin/env bash - SCRIPT_DIR=$( cd -- "$( dirname -- "''${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) - cd "''${SCRIPT_DIR}" - - rclone sync -P . Storage:Music --exclude "/*.sh" - restic-music backup $(fd -t d --max-depth=1 && fd -t f --max-depth=1) + TMPDIR=$(mktemp -d) TITLE="chaos's Music Library" DESCRIPTION="A listing of all music we listen to and have downloaded/brought" LINK_BASE="https://storage-http.owo.monster/Music" - TMPDIR=$(mktemp -d) - musicutil genhtml . "$TMPDIR" --title "$TITLE" --description "$DESCRIPTION" --link-base="$LINK_BASE" pushd "$TMPDIR" 
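Review bot: After the rename, `music-gen-listing.sh` no longer changes into its own directory — the `SCRIPT_DIR=…` and `cd "''${SCRIPT_DIR}"` lines are removed while the context line `musicutil genhtml . "$TMPDIR" …` still passes `.` — so run on its own from any other directory it publishes a listing of whatever the caller's cwd happens to be, not the music library. It only works because `music-sync.sh` happens to `cd` before invoking it. Keeping the two lines in this script as well, `SCRIPT_DIR=$( cd -- "$( dirname -- "''${BASH_SOURCE[0]}" )" &> /dev/null && pwd )` and `cd "''${SCRIPT_DIR}"`, makes it safe to run standalone. The script body continues past the end of the hunk.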
@@ -79,6 +73,21 @@ in { ''; }; + home.file."Music/music-sync.sh" = { + executable = true; + text = '' + #!/usr/bin/env bash + + SCRIPT_DIR=$( cd -- "$( dirname -- "''${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) + cd "''${SCRIPT_DIR}" + + rclone sync -P . Storage:Music --exclude "/*.sh" + restic-music backup $(fd -t d --max-depth=1 && fd -t f --max-depth=1) + + bash $HOME/Music/music-gen-listing.sh + ''; + }; + home.file."Music/music-download.sh" = { executable = true; text = '' diff --git a/hosts/hetzner-arm/containers/caldav/default.nix b/hosts/hetzner-arm/containers/caldav/default.nix index 3317bc8..9f183e7 100644 --- a/hosts/hetzner-arm/containers/caldav/default.nix +++ b/hosts/hetzner-arm/containers/caldav/default.nix @@ -39,8 +39,8 @@ in { networking.firewall.allowedTCPPorts = [5232]; - home-manager.users.root.home.stateVersion = "23.05"; - system.stateVersion = "23.05"; + home-manager.users.root.home.stateVersion = "24.05"; + system.stateVersion = "24.05"; }; }; diff --git a/hosts/hetzner-arm/containers/forgejo/default.nix b/hosts/hetzner-arm/containers/forgejo/default.nix index aaa7b1f..2b4e252 100644 --- a/hosts/hetzner-arm/containers/forgejo/default.nix +++ b/hosts/hetzner-arm/containers/forgejo/default.nix @@ -45,8 +45,8 @@ in { networking.firewall.allowedTCPPorts = [2222]; - home-manager.users.root.home.stateVersion = "23.05"; - system.stateVersion = "23.05"; + home-manager.users.root.home.stateVersion = "24.05"; + system.stateVersion = "24.05"; }; }; diff --git a/hosts/hetzner-arm/containers/grocy/default.nix b/hosts/hetzner-arm/containers/grocy/default.nix index acfa4bd..6d8000a 100644 --- a/hosts/hetzner-arm/containers/grocy/default.nix +++ b/hosts/hetzner-arm/containers/grocy/default.nix @@ -42,8 +42,8 @@ in { networking.firewall.allowedTCPPorts = [80]; - home-manager.users.root.home.stateVersion = "23.05"; - system.stateVersion = "23.05"; + home-manager.users.root.home.stateVersion = "24.05"; + system.stateVersion = "24.05"; }; }; 
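Review bot: The line `restic-music backup $(fd -t d --max-depth=1 && fd -t f --max-depth=1)` word-splits and glob-expands the names `fd` prints, so any top-level entry with a space or shell metacharacter in its name — common in music libraries — is handed to restic as several wrong paths or silently missed. A NUL-separated pipeline avoids that and needs only one `fd` call, since without `-t` it lists both files and directories: `fd --max-depth=1 -0 | xargs -0 restic-music backup`. The script also has no `set -euo pipefail`, so a failed `rclone sync` still falls through to the backup and listing steps, and `bash $HOME/Music/music-gen-listing.sh` should quote `"$HOME"`. Note that `fd` skips hidden entries by default, so dotfiles under `Music/` are never backed up — fine if intended, but worth a comment.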
diff --git a/hosts/hetzner-arm/containers/jellyfin/default.nix b/hosts/hetzner-arm/containers/jellyfin/default.nix index 2a08baa..2fd20cc 100644 --- a/hosts/hetzner-arm/containers/jellyfin/default.nix +++ b/hosts/hetzner-arm/containers/jellyfin/default.nix @@ -60,8 +60,8 @@ in { restic ]); - home-manager.users.root.home.stateVersion = "23.05"; - system.stateVersion = "23.05"; + home-manager.users.root.home.stateVersion = "24.05"; + system.stateVersion = "24.05"; }; }; diff --git a/hosts/hetzner-arm/containers/mail/default.nix b/hosts/hetzner-arm/containers/mail/default.nix index 317a3db..cb07f8f 100644 --- a/hosts/hetzner-arm/containers/mail/default.nix +++ b/hosts/hetzner-arm/containers/mail/default.nix @@ -72,8 +72,8 @@ in { enable = mkForce false; }; - home-manager.users.root.home.stateVersion = "23.05"; - system.stateVersion = "23.05"; + home-manager.users.root.home.stateVersion = "24.05"; + system.stateVersion = "24.05"; }; }; diff --git a/hosts/hetzner-arm/containers/music/default.nix b/hosts/hetzner-arm/containers/music/default.nix index 54ef7fd..6118f52 100644 --- a/hosts/hetzner-arm/containers/music/default.nix +++ b/hosts/hetzner-arm/containers/music/default.nix @@ -24,12 +24,6 @@ containerSecrets = config.containers.${containerName}.config.services.secrets.secrets; pathInContainer = path: "/var/lib/nixos-containers/${containerName}" + path; in { - nixpkgs.overlays = [ - (final: _prev: { - mpd = final.mpd-headless; - }) - ]; - containers.music = { autoStart = true; privateNetwork = true; @@ -75,7 +69,6 @@ in { ] ++ (with hosts.hetzner-arm.containers.music.profiles; [ mpd - #musicMount ]); home-manager.users.root.imports = with tree; [home.apps.musicutil]; @@ -88,8 +81,8 @@ in { mpd-flac ]; - home-manager.users.root.home.stateVersion = "23.05"; - system.stateVersion = "23.05"; + home-manager.users.root.home.stateVersion = "24.05"; + system.stateVersion = "24.05"; }; }; 
diff --git a/hosts/hetzner-arm/containers/music/modules/mpd-fork.nix b/hosts/hetzner-arm/containers/music/modules/mpd-fork.nix deleted file mode 100644 index 4f74bb3..0000000 --- a/hosts/hetzner-arm/containers/music/modules/mpd-fork.nix +++ /dev/null 
@@ -1,268 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -with lib; let - name = "mpd"; - - uid = config.ids.uids.mpd; - gid = config.ids.gids.mpd; - cfg = config.services.mpd-fork; - - credentialsPlaceholder = creds: let - placeholders = - imap0 - (i: c: ''password "{{password-${toString i}}}@${concatStringsSep "," c.permissions}"'') - creds; - in - concatStringsSep "\n" placeholders; - - mpdConf = pkgs.writeText "mpd.conf" '' - # This file was automatically generated by NixOS. Edit mpd's configuration - # via NixOS' configuration.nix, as this file will be rewritten upon mpd's - # restart. - - music_directory "${cfg.musicDirectory}" - playlist_directory "${cfg.playlistDirectory}" - ${lib.optionalString (cfg.dbFile != null) '' - db_file "${cfg.dbFile}" - ''} - state_file "${cfg.dataDir}/state" - sticker_file "${cfg.dataDir}/sticker.sql" - - ${optionalString (cfg.network.listenAddress != "any") ''bind_to_address "${cfg.network.listenAddress}"''} - ${optionalString (cfg.network.port != 6600) ''port "${toString cfg.network.port}"''} - ${optionalString cfg.fluidsynth '' - decoder { - plugin "fluidsynth" - soundfont "${pkgs.soundfont-fluid}/share/soundfonts/FluidR3_GM2-2.sf2" - } - ''} - - ${optionalString (cfg.credentials != []) (credentialsPlaceholder cfg.credentials)} - - ${cfg.extraConfig} - ''; -in { - ###### interface - - options = { - services.mpd-fork = { - enable = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - Whether to enable MPD, the music player daemon. - ''; - }; - - package = mkPackageOption pkgs "mpd" {}; - - startWhenNeeded = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - If set, {command}`mpd` is socket-activated; that - is, instead of having it permanently running as a daemon, - systemd will start it on the first incoming connection. 
- ''; - }; - - musicDirectory = mkOption { - type = with types; either path (strMatching "(http|https|nfs|smb)://.+"); - default = "${cfg.dataDir}/music"; - defaultText = literalExpression ''"''${dataDir}/music"''; - description = lib.mdDoc '' - The directory or NFS/SMB network share where MPD reads music from. If left - as the default value this directory will automatically be created before - the MPD server starts, otherwise the sysadmin is responsible for ensuring - the directory exists with appropriate ownership and permissions. - ''; - }; - - playlistDirectory = mkOption { - type = types.path; - default = "${cfg.dataDir}/playlists"; - defaultText = literalExpression ''"''${dataDir}/playlists"''; - description = lib.mdDoc '' - The directory where MPD stores playlists. If left as the default value - this directory will automatically be created before the MPD server starts, - otherwise the sysadmin is responsible for ensuring the directory exists - with appropriate ownership and permissions. - ''; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = lib.mdDoc '' - Extra directives added to to the end of MPD's configuration file, - mpd.conf. Basic configuration like file location and uid/gid - is added automatically to the beginning of the file. For available - options see {manpage}`mpd.conf(5)`. - ''; - }; - - dataDir = mkOption { - type = types.path; - default = "/var/lib/${name}"; - description = lib.mdDoc '' - The directory where MPD stores its state, tag cache, playlists etc. If - left as the default value this directory will automatically be created - before the MPD server starts, otherwise the sysadmin is responsible for - ensuring the directory exists with appropriate ownership and permissions. 
- ''; - }; - - user = mkOption { - type = types.str; - default = name; - description = lib.mdDoc "User account under which MPD runs."; - }; - - group = mkOption { - type = types.str; - default = name; - description = lib.mdDoc "Group account under which MPD runs."; - }; - - network = { - listenAddress = mkOption { - type = types.str; - default = "127.0.0.1"; - example = "any"; - description = lib.mdDoc '' - The address for the daemon to listen on. - Use `any` to listen on all addresses. - ''; - }; - - port = mkOption { - type = types.port; - default = 6600; - description = lib.mdDoc '' - This setting is the TCP port that is desired for the daemon to get assigned - to. - ''; - }; - }; - - dbFile = mkOption { - type = types.nullOr types.str; - default = "${cfg.dataDir}/tag_cache"; - defaultText = literalExpression ''"''${dataDir}/tag_cache"''; - description = lib.mdDoc '' - The path to MPD's database. If set to `null` the - parameter is omitted from the configuration. - ''; - }; - - credentials = mkOption { - type = types.listOf (types.submodule { - options = { - passwordFile = mkOption { - type = types.path; - description = lib.mdDoc '' - Path to file containing the password. - ''; - }; - permissions = let - perms = ["read" "add" "control" "admin"]; - in - mkOption { - type = types.listOf (types.enum perms); - default = ["read"]; - description = lib.mdDoc '' - List of permissions that are granted with this password. - Permissions can be "${concatStringsSep "\", \"" perms}". - ''; - }; - }; - }); - description = lib.mdDoc '' - Credentials and permissions for accessing the mpd server. 
- ''; - default = []; - example = [ - { - passwordFile = "/var/lib/secrets/mpd_readonly_password"; - permissions = ["read"]; - } - { - passwordFile = "/var/lib/secrets/mpd_admin_password"; - permissions = ["read" "add" "control" "admin"]; - } - ]; - }; - - fluidsynth = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - If set, add fluidsynth soundfont and configure the plugin. - ''; - }; - }; - }; - - ###### implementation - - config = mkIf cfg.enable { - # install mpd units - systemd.packages = [cfg.package]; - - systemd.sockets.mpd = mkIf cfg.startWhenNeeded { - wantedBy = ["sockets.target"]; - listenStreams = [ - "" # Note: this is needed to override the upstream unit - ( - if pkgs.lib.hasPrefix "/" cfg.network.listenAddress - then cfg.network.listenAddress - else "${optionalString (cfg.network.listenAddress != "any") "${cfg.network.listenAddress}:"}${toString cfg.network.port}" - ) - ]; - }; - - systemd.services.mpd = { - wantedBy = optional (!cfg.startWhenNeeded) "multi-user.target"; - - preStart = - '' - set -euo pipefail - install -m 600 ${mpdConf} /run/mpd/mpd.conf - '' - + optionalString (cfg.credentials != []) - (concatStringsSep "\n" - (imap0 - (i: c: ''${pkgs.replace-secret}/bin/replace-secret '{{password-${toString i}}}' '${c.passwordFile}' /run/mpd/mpd.conf'') - cfg.credentials)); - - serviceConfig = { - User = "${cfg.user}"; - # Note: the first "" overrides the ExecStart from the upstream unit - ExecStart = ["" "${cfg.package}/bin/mpd --systemd /run/mpd/mpd.conf"]; - RuntimeDirectory = "mpd"; - StateDirectory = - optionals (cfg.dataDir == "/var/lib/${name}") [name] - ++ optionals (cfg.playlistDirectory == "/var/lib/${name}/playlists") [name "${name}/playlists"] - ++ optionals (cfg.musicDirectory == "/var/lib/${name}/music") [name "${name}/music"]; - }; - }; - - users.users = optionalAttrs (cfg.user == name) { - "${name}" = { - inherit uid; - inherit (cfg) group; - extraGroups = ["audio"]; - description = "Music Player 
Daemon user"; - home = "${cfg.dataDir}"; - }; - }; - - users.groups = optionalAttrs (cfg.group == name) { - "${name}".gid = gid; - }; - }; -} diff --git a/hosts/hetzner-arm/containers/music/profiles/mpd.nix b/hosts/hetzner-arm/containers/music/profiles/mpd.nix index 5339928..28d943c 100644 --- a/hosts/hetzner-arm/containers/music/profiles/mpd.nix +++ b/hosts/hetzner-arm/containers/music/profiles/mpd.nix @@ -14,10 +14,16 @@ in { mpc_cli ]; + systemd.tmpfiles.rules = [ + "d /var/lib/mpd - mpd mpd" + "d /var/lib/mpd/state - mpd mpd" + ]; + services.mpd = { enable = true; network.listenAddress = "0.0.0.0"; - musicDirectory = "/Music"; + musicDirectory = "nfs://127.0.0.1:2049/?version=3"; + dbFile = null; credentials = [ { passwordFile = "${secrets.mpd_control_password.path}"; @@ -70,4 +76,45 @@ in { } ''; }; + + systemd.services.mpd = { + wants = ["rclone-serve-nfs-music.service"]; + after = ["rclone-serve-nfs-music.service"]; + }; + + systemd.tmpfiles.rules = [ + "d /caches - root root" + "d /caches/music_serve - mpd mpd" + ]; + + services.rclone-serve = { + enable = true; + remotes = [ + { + id = "main"; + remote = "Music:"; + type = "nfs"; + user = "mpd"; + serviceConfig = { + before = ["mpd.service"]; + partOf = ["mpd.service"]; + }; + extraArgs = let + rcloneConfig = builtins.toFile "rclone.conf" '' + [Music] + type = webdav + url = https://storage-webdav.owo.monster/MusicRO/ + vendor = other + ''; + in [ + "--addr=127.0.0.1:2049" + "--config=${rcloneConfig}" + "--cache-dir=/caches/music_serve" + "--vfs-cache-max-age=7d" + "--vfs-cache-max-size=4g" + "--vfs-cache-mode=full" + ]; + } + ]; + }; } diff --git a/hosts/hetzner-arm/containers/music/profiles/musicMount.nix b/hosts/hetzner-arm/containers/music/profiles/musicMount.nix deleted file mode 100644 index 7deae05..0000000 --- a/hosts/hetzner-arm/containers/music/profiles/musicMount.nix +++ /dev/null 
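Review bot: `systemd.tmpfiles.rules` is now assigned twice in the same attribute set — once near the top of the module (`"d /var/lib/mpd - mpd mpd"`, first hunk) and again here for `/caches` — and Nix rejects a repeated attribute path in one literal with `attribute 'systemd.tmpfiles.rules' already defined`, so as far as the two hunks show this profile will fail to evaluate; merge both lists into a single assignment. Separately, `rclone serve nfs` exports the remote with no authentication, so any process in the container that can reach `127.0.0.1:2049` can mount it; loopback binding keeps it off the network, which is reasonable for a single-purpose container but deserves a comment such as `# unauthenticated NFS export: loopback only, never change --addr to a routable address`. The deleted `musicMount.nix` pinned `ReadOnlyPaths = "/Music"` on mpd, whereas the NFS path has no equivalent guard, so read-only now rests entirely on the upstream `MusicRO` WebDAV share being read-only — presumably so from the name, but confirm. The `[Music]` rclone section carries no credentials, so that WebDAV endpoint appears to be unauthenticated; if that is deliberate, say so next to the config.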
@@ -1,70 +0,0 @@ -{ - pkgs, - config, - ... -}: let - inherit (pkgs) writeShellScriptBin; - inherit (builtins) toFile; - - rcloneConfig = toFile "rclone.conf" '' - [Music] - type = webdav - url = https://storage-webdav.owo.monster/MusicRO/ - vendor = other - ''; - - mountMusic = pkgs.writeShellScriptBin "mount-music" '' - umount -flR /Music || true - rclone --config ${rcloneConfig} mount Music: /Music \ - --allow-other \ - --uid=${toString config.users.users.mpd.uid} \ - --gid=${toString config.users.groups.mpd.gid} \ - --fast-list \ - --umask=666 \ - --cache-dir=/root/.cache/music-mount \ - --dir-cache-time=60m \ - --vfs-cache-mode=full \ - --vfs-cache-max-size=2g \ - --vfs-cache-max-age=7d \ - --log-level=INFO "$@" - ''; -in { - environment.systemPackages = with pkgs; [ - rclone - (writeShellScriptBin "rclone-music" '' - rclone --config ${rcloneConfig} "$@" - '') - fuse - fuse3 - mountMusic - ]; - - programs.fuse.userAllowOther = true; - - systemd.services.music-mount = { - wantedBy = ["mpd.service"]; - partOf = ["mpd.service"]; - path = with pkgs; [ - fuse - fuse3 - rclone - util-linux - ]; - serviceConfig.ExecStart = "${mountMusic}/bin/mount-music --syslog"; - }; - - systemd.tmpfiles.rules = [ - "d /Music - mpd mpd" - - "d /root/.cache - root root" - "d /root/.cache/music-mount - root root" - ]; - - systemd.services.mpd = { - wants = ["music-mount.service"]; - after = ["music-mount.service"]; - serviceConfig = { - ReadOnlyPaths = "/Music"; - }; - }; -} diff --git a/hosts/hetzner-arm/containers/owncast/default.nix b/hosts/hetzner-arm/containers/owncast/default.nix index eced22e..e4e8096 100644 --- a/hosts/hetzner-arm/containers/owncast/default.nix +++ b/hosts/hetzner-arm/containers/owncast/default.nix @@ -45,8 +45,8 @@ in { 8080 ]; - home-manager.users.root.home.stateVersion = "23.05"; - system.stateVersion = "23.05"; + home-manager.users.root.home.stateVersion = "24.05"; + system.stateVersion = "24.05"; }; }; 
diff --git a/hosts/hetzner-arm/containers/postgresql/default.nix b/hosts/hetzner-arm/containers/postgresql/default.nix index 0f13382..d358595 100644 --- a/hosts/hetzner-arm/containers/postgresql/default.nix +++ b/hosts/hetzner-arm/containers/postgresql/default.nix @@ -39,8 +39,8 @@ in { networking.firewall.allowedTCPPorts = [5432]; - home-manager.users.root.home.stateVersion = "23.05"; - system.stateVersion = "23.05"; + home-manager.users.root.home.stateVersion = "24.05"; + system.stateVersion = "24.05"; }; }; } diff --git a/hosts/hetzner-arm/containers/postgresql/profiles/postgres.nix b/hosts/hetzner-arm/containers/postgresql/profiles/postgres.nix index d46032b..e1888c3 100644 --- a/hosts/hetzner-arm/containers/postgresql/profiles/postgres.nix +++ b/hosts/hetzner-arm/containers/postgresql/profiles/postgres.nix @@ -8,23 +8,17 @@ in { enableTCPIP = true; ensureDatabases = [ "gotosocial" - "quassel" ]; ensureUsers = [ { name = "gotosocial"; ensureDBOwnership = true; } - { - name = "quassel"; - ensureDBOwnership = true; - } ]; # If the host is a local container then use the container's IP # otherwise use the host's IP authentication = '' host gotosocial gotosocial ${localContainersAddresses.containers."social"}/32 trust - host quassel quassel ${localContainersAddresses.containers."quassel"}/32 trust ''; }; } diff --git a/hosts/hetzner-arm/containers/postgresql/profiles/restic.nix b/hosts/hetzner-arm/containers/postgresql/profiles/restic.nix index 710d4a8..81f5fa5 100644 --- a/hosts/hetzner-arm/containers/postgresql/profiles/restic.nix +++ b/hosts/hetzner-arm/containers/postgresql/profiles/restic.nix @@ -10,7 +10,6 @@ backupPrepareCommand = "${ (pkgs.writeShellScriptBin "backupPrepareCommand" '' systemctl start remotePostgreSQLBackup-gotosocial --wait - systemctl start remotePostgreSQLBackup-quassel --wait '') }/bin/backupPrepareCommand"; in { @@ -47,7 +46,6 @@ in { backupUser = "postgres"; databases = [ "gotosocial" - "quassel" ]; }; } 
diff --git a/hosts/hetzner-arm/containers/quassel/default.nix b/hosts/hetzner-arm/containers/quassel/default.nix deleted file mode 100644 index 984a974..0000000 --- a/hosts/hetzner-arm/containers/quassel/default.nix +++ /dev/null @@ -1,56 +0,0 @@ -{ - self, - hostPath, - tree, - inputs, - config, - pkgs, - ... -}: let - containerAddresses = import "${hostPath}/data/containerAddresses.nix"; - hostIP = containerAddresses.host; - containerIP = containerAddresses.containers.quassel; -in { - containers.quassel = { - autoStart = true; - privateNetwork = true; - hostAddress = hostIP; - localAddress = containerIP; - - specialArgs = { - inherit inputs; - inherit tree; - inherit self; - inherit hostPath; - }; - - config = {...}: { - nixpkgs.pkgs = pkgs; - - imports = with tree; - [ - presets.nixos.containerBase - - ./secrets.nix - ] - ++ (with hosts.hetzner-arm.containers.quassel.profiles; [ - quassel - restic - ]); - - networking.firewall.allowedTCPPorts = [4242]; - - home-manager.users.root.home.stateVersion = "23.05"; - system.stateVersion = "23.05"; - }; - }; - - networking.nat.forwardPorts = [ - { - sourcePort = 4242; - destination = "${containerIP}\:4242"; - } - ]; - - networking.firewall.allowedTCPPorts = [4242]; -} diff --git a/hosts/hetzner-arm/containers/quassel/profiles/quassel.nix b/hosts/hetzner-arm/containers/quassel/profiles/quassel.nix deleted file mode 100644 index 6bd6c38..0000000 --- a/hosts/hetzner-arm/containers/quassel/profiles/quassel.nix +++ /dev/null @@ -1,6 +0,0 @@ -{...}: { - services.quassel = { - enable = true; - interfaces = ["0.0.0.0"]; - }; -} diff --git a/hosts/hetzner-arm/containers/quassel/profiles/restic.nix b/hosts/hetzner-arm/containers/quassel/profiles/restic.nix deleted file mode 100644 index ec742f2..0000000 --- a/hosts/hetzner-arm/containers/quassel/profiles/restic.nix +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - self, - pkgs, - config, - ... -}: let - backupSchedules = import "${self}/data/backupSchedules.nix"; - inherit (config.services.secrets) secrets; -in { - environment.systemPackages = with pkgs; [ - restic - (pkgs.writeShellScriptBin "restic-quassel" '' - env \ - RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \ - $(cat ${secrets.restic_env.path}) \ - ${pkgs.restic}/bin/restic $@ - '') - ]; - - services.restic.backups.quassel = { - user = "root"; - paths = [ - # it's only backing up initial setup / credentials - # so no matter what DB is restored to it should work - "/home/quassel/.config/quassel-irc.org" - ]; - - # repository is overrided in environmentFile to contain auth - # make sure to keep up to date when changing repository - repository = "rest:https://storage-restic.owo.monster/Quassel"; - passwordFile = "${secrets.restic_password.path}"; - environmentFile = "${secrets.restic_env.path}"; - - pruneOpts = ["--keep-last 5"]; - timerConfig = backupSchedules.restic.low; - }; -} diff --git a/hosts/hetzner-arm/containers/quassel/secrets.nix b/hosts/hetzner-arm/containers/quassel/secrets.nix deleted file mode 100644 index 126d8fe..0000000 --- a/hosts/hetzner-arm/containers/quassel/secrets.nix +++ /dev/null 
@@ -1,37 +0,0 @@ -{...}: { - services.secrets = { - enable = true; - - vaultLogin = { - enable = true; - loginUsername = "hetzner-arm-container-quassel"; - }; - - autoSecrets = { - enable = true; - }; - - requiredVaultPaths = [ - "api-keys/data/storage/restic/Quassel" - "private-public-keys/data/restic/Quassel" - ]; - - secrets = { - vault_password = { - manual = true; - }; - - restic_password = { - fetchScript = '' - simple_get "/private-public-keys/restic/Quassel" .password > "$secretFile" - ''; - }; - restic_env = { - fetchScript = '' - RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Quassel" .restic) - echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/Quassel" > "$secretFile" - ''; - }; - }; - }; -} diff --git a/hosts/hetzner-arm/containers/rss/default.nix b/hosts/hetzner-arm/containers/rss/default.nix index 0b94b6d..96d0336 100644 --- a/hosts/hetzner-arm/containers/rss/default.nix +++ b/hosts/hetzner-arm/containers/rss/default.nix @@ -39,8 +39,8 @@ in { networking.firewall.allowedTCPPorts = [80]; - home-manager.users.root.home.stateVersion = "23.05"; - system.stateVersion = "23.05"; + home-manager.users.root.home.stateVersion = "24.05"; + system.stateVersion = "24.05"; }; }; diff --git a/hosts/hetzner-arm/containers/social/default.nix b/hosts/hetzner-arm/containers/social/default.nix index 83c543a..154e102 100644 --- a/hosts/hetzner-arm/containers/social/default.nix +++ b/hosts/hetzner-arm/containers/social/default.nix @@ -42,8 +42,8 @@ in { allowedTCPPorts = [8080]; }; - home-manager.users.root.home.stateVersion = "23.05"; - system.stateVersion = "23.05"; + home-manager.users.root.home.stateVersion = "24.05"; + system.stateVersion = "24.05"; }; }; diff --git a/hosts/hetzner-arm/containers/storage/data/ports.nix b/hosts/hetzner-arm/containers/storage/data/ports.nix index 2e4cf75..6d920df 100644 --- a/hosts/hetzner-arm/containers/storage/data/ports.nix +++ b/hosts/hetzner-arm/containers/storage/data/ports.nix 
@@ -14,15 +14,14 @@ in {
 restic_music = restic + 0;
 restic_vault = restic + 1;
 restic_social = restic + 2;
- restic_quassel = restic + 3;
- restic_postgresql = restic + 4;
- restic_mail = restic + 5;
- restic_forgejo = restic + 6;
- restic_caldav = restic + 7;
- restic_owncast = restic + 8;
- restic_jellyfin = restic + 9;
- restic_grocy = restic + 10;
- restic_lappy_t495 = restic + 11;
+ restic_postgresql = restic + 3;
+ restic_mail = restic + 4;
+ restic_forgejo = restic + 5;
+ restic_caldav = restic + 6;
+ restic_owncast = restic + 7;
+ restic_jellyfin = restic + 8;
+ restic_grocy = restic + 9;
+ restic_lappy_t495 = restic + 10;
 http_music = http + 0;
 http_public = http + 1;
diff --git a/hosts/hetzner-arm/containers/storage/default.nix b/hosts/hetzner-arm/containers/storage/default.nix
index cff3f6f..524c516 100644
--- a/hosts/hetzner-arm/containers/storage/default.nix
+++ b/hosts/hetzner-arm/containers/storage/default.nix
@@ -76,8 +76,8 @@ in {
 allowedTCPPorts = attrValues ports;
 };
- home-manager.users.root.home.stateVersion = "23.05";
- system.stateVersion = "23.05";
+ home-manager.users.root.home.stateVersion = "24.05";
+ system.stateVersion = "24.05";
 };
 };
@@ -118,7 +118,6 @@ in {
 "/Music/".proxyPass = "http://${containerIP}:${toString ports.restic_music}";
 "/Vault/".proxyPass = "http://${containerIP}:${toString ports.restic_vault}";
 "/Social/".proxyPass = "http://${containerIP}:${toString ports.restic_social}";
- "/Quassel/".proxyPass = "http://${containerIP}:${toString ports.restic_quassel}";
 "/PostgreSQL/".proxyPass = "http://${containerIP}:${toString ports.restic_postgresql}";
 "/Mail/".proxyPass = "http://${containerIP}:${toString ports.restic_mail}";
 "/Forgejo/".proxyPass = "http://${containerIP}:${toString ports.restic_forgejo}";
diff --git a/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix b/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix
index b08b46d..9426ba4 100644
--- a/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix +++ b/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix @@ -163,16 +163,6 @@ in { "--baseurl=/Social/" ]; } - { - id = "restic-quassel"; - remote = "StorageBox:Backups/Restic/Quassel"; - type = "restic"; - extraArgs = [ - "--addr=0.0.0.0:${toString ports.restic_quassel}" - "--htpasswd=${secrets.restic_quassel_htpasswd.path}" - "--baseurl=/Quassel/" - ]; - } { id = "restic-postgresql"; remote = "StorageBox:Backups/Restic/PostgreSQL"; diff --git a/hosts/hetzner-arm/containers/storage/profiles/rcloneSync.nix b/hosts/hetzner-arm/containers/storage/profiles/rcloneSync.nix index 24e26d2..f407193 100644 --- a/hosts/hetzner-arm/containers/storage/profiles/rcloneSync.nix +++ b/hosts/hetzner-arm/containers/storage/profiles/rcloneSync.nix @@ -50,7 +50,7 @@ in { { source = "StorageBox:Notes"; dest = "B2-Chaos-Notes:"; - id = "chaos_notes_public"; + id = "chaos_notes"; } # Pheonix System's B2 { diff --git a/hosts/hetzner-arm/containers/storage/secrets.nix b/hosts/hetzner-arm/containers/storage/secrets.nix index 9a963d0..11529c5 100644 --- a/hosts/hetzner-arm/containers/storage/secrets.nix +++ b/hosts/hetzner-arm/containers/storage/secrets.nix @@ -29,7 +29,6 @@ "api-keys/data/storage/restic/Music" "api-keys/data/storage/restic/Vault" "api-keys/data/storage/restic/Social" - "api-keys/data/storage/restic/Quassel" "api-keys/data/storage/restic/PostgreSQL" "api-keys/data/storage/restic/Mail" "api-keys/data/storage/restic/Forgejo" @@ -131,14 +130,6 @@ ''; }; - restic_quassel_htpasswd = { - user = "storage"; - group = "storage"; - fetchScript = '' - simple_get_htpasswd "/api-keys/storage/restic/Quassel" "$secretFile" - ''; - }; - restic_postgresql_htpasswd = { user = "storage"; group = "storage"; diff --git a/hosts/hetzner-arm/containers/vault-ca/default.nix b/hosts/hetzner-arm/containers/vault-ca/default.nix index 4400c1a..6f71dc7 100644 --- a/hosts/hetzner-arm/containers/vault-ca/default.nix 
+++ b/hosts/hetzner-arm/containers/vault-ca/default.nix
@@ -41,8 +41,8 @@ in {
 networking.firewall.allowedTCPPorts = [8200 8443];
- home-manager.users.root.home.stateVersion = "23.05";
- system.stateVersion = "23.05";
+ home-manager.users.root.home.stateVersion = "24.05";
+ system.stateVersion = "24.05";
 };
 };
diff --git a/hosts/hetzner-arm/data/containerAddresses.nix b/hosts/hetzner-arm/data/containerAddresses.nix
index 32ca546..a1d6cc3 100644
--- a/hosts/hetzner-arm/data/containerAddresses.nix
+++ b/hosts/hetzner-arm/data/containerAddresses.nix
@@ -4,14 +4,13 @@
 storage = "10.0.1.2";
 social = "10.0.1.3";
 music = "10.0.1.4";
- quassel = "10.0.1.5";
- forgejo = "10.0.1.6";
- postgresql = "10.0.1.7";
- caldav = "10.0.1.8";
- owncast = "10.0.1.9";
- jellyfin = "10.0.1.10";
- grocy = "10.0.1.11";
- rss = "10.0.1.12";
- vault-ca = "10.0.1.13";
+ forgejo = "10.0.1.5";
+ postgresql = "10.0.1.6";
+ caldav = "10.0.1.7";
+ owncast = "10.0.1.8";
+ jellyfin = "10.0.1.9";
+ grocy = "10.0.1.10";
+ rss = "10.0.1.11";
+ vault-ca = "10.0.1.12";
 };
 }
diff --git a/hosts/hetzner-arm/hetzner-arm.nix b/hosts/hetzner-arm/hetzner-arm.nix
index accbf4c..58d688f 100644
--- a/hosts/hetzner-arm/hetzner-arm.nix
+++ b/hosts/hetzner-arm/hetzner-arm.nix
@@ -14,7 +14,7 @@ in {
 profiles.nginx
 profiles.firewallAllow.httpCommon
- profiles.chaosInternalWireGuard
+ # profiles.chaosInternalWireGuard
 ./hardware.nix
 ./secrets.nix
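Review bot: Dropping `quassel = "10.0.1.5"` and sliding every later container down one address renumbers eight containers at once, and these addresses are exactly what the postgresql container's `pg_hba` `trust` rules (`host gotosocial gotosocial <social>/32 trust` in `profiles/postgres.nix`) and the host NAT forwards key on. `social` stays at 10.0.1.3, so that trust rule is unaffected, but `forgejo` now takes the address quassel held, and any stale state on the running host (nftables rules, containers not yet restarted) refers to the old numbers until the host and all containers are redeployed together. Leaving the freed address unused — keep `forgejo = "10.0.1.6"` and the rest as they were — makes container addresses stable across removals and avoids that window, at the cost of one gap in the range.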
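Review bot: `profiles.chaosInternalWireGuard` is commented out with nothing saying whether the tunnel is gone for good or merely not yet set up on the new server, and the commit message only says "move to new server". If any service on this host was meant to be reachable only over that tunnel, or if other hosts' firewall or trust rules assume this peer exists, that change in exposure or reachability is now implicit in a commented-out line; a note such as `# disabled: WireGuard not yet provisioned on the new server — re-enable after key rotation` (or deleting the line if the removal is permanent) would make it auditable. The import list continues outside the hunk.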
@@ -22,22 +22,44 @@ in { ++ (forEach [ "social" "storage" - "music" - "quassel" "postgresql" "mail" "forgejo" "caldav" - "owncast" "jellyfin" "grocy" - #"rss" "vault-ca" + "music" + # "owncast" + # TODO: "rss" ] (name: ./containers + "/${name}")) ++ (with hosts.hetzner-arm.profiles; [ staticSites ]); + # TODO: environment.noXlibs = true; + + nixpkgs.overlays = [ + (_final: prev: { + # So we don't need to build all Vault + # when we already are using vault-bin on this server + vault = prev.vault-bin; + + # Have no need for HW Accel, hoping it works with this + jellyfin-ffmpeg = prev.ffmpeg_6-headless; + + ffmpeg = prev.ffmpeg-headless; + ffmpeg_4 = prev.ffmpeg_4-headless; + ffmpeg_5 = prev.ffmpeg_5-headless; + ffmpeg_6 = prev.ffmpeg_6-headless; + ffmpeg_7 = prev.ffmpeg_7-headless; + + mpd = prev.mpd-headless; + }) + ]; + + # TODO: system.forbiddenDependenciesRegexes = ["libX11*"]; + # For Containers networking.nat = { enable = true; @@ -47,6 +69,6 @@ in { networking.hostName = "hetzner-arm"; - home-manager.users.root.home.stateVersion = "23.05"; - system.stateVersion = "23.05"; + home-manager.users.root.home.stateVersion = "24.05"; + system.stateVersion = "24.05"; } diff --git a/hosts/lappy-surface/lappy-surface.nix b/hosts/lappy-surface/lappy-surface.nix index c30e1b5..0f867e3 100644 --- a/hosts/lappy-surface/lappy-surface.nix +++ b/hosts/lappy-surface/lappy-surface.nix @@ -19,7 +19,7 @@ home-manager.users.root = { imports = with tree; [home.base]; - home.stateVersion = "23.05"; + home.stateVersion = "24.05"; }; home-manager.users.chaos = { @@ -35,7 +35,7 @@ home.programming.languages.rust home.programming.languages.nix ]; - home.stateVersion = "23.05"; + home.stateVersion = "24.05"; }; networking.firewall.enable = true; @@ -46,5 +46,5 @@ networking.hostName = "lappy-surface"; time.timeZone = "Europe/London"; - system.stateVersion = "23.05"; + system.stateVersion = "24.05"; } 
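Review bot: `vault = prev.vault-bin;` swaps every consumer of the `vault` attribute on this host from nixpkgs' from-source build to HashiCorp's prebuilt release binary, and the comment records only the build-time motive; that is a supply-chain trade (the binary is still hash-pinned by nixpkgs, but it is no longer built from source on your side), so say it is accepted, e.g. `# Trade: prebuilt upstream binary (hash-pinned, not built from source here) to skip the long Go build; only vault-ca consumes it`. Separately, in the disabled TODO `system.forbiddenDependenciesRegexes = ["libX11*"]` the `*` quantifies the preceding `1`, so the pattern is effectively `libX1`; if the option matches unanchored regexes, `"libX11"` is what was meant. The `jellyfin-ffmpeg = prev.ffmpeg_6-headless;` line says "hoping it works" — as far as I recall `jellyfin-ffmpeg` is Jellyfin's patched fork, so note what was actually verified (playback, transcoding) before leaving that override in.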
diff --git a/hosts/lappy-surface/profiles/music-player-target.nix b/hosts/lappy-surface/profiles/music-player-target.nix index aaa07fa..5d69e45 100644 --- a/hosts/lappy-surface/profiles/music-player-target.nix +++ b/hosts/lappy-surface/profiles/music-player-target.nix @@ -52,7 +52,7 @@ in { imports = with tree; [ home.base ]; - home.stateVersion = "23.05"; + home.stateVersion = "24.05"; }; systemd.services."music-player" = { diff --git a/hosts/lappy-t495/lappy-t495.nix b/hosts/lappy-t495/lappy-t495.nix index 02cb8a2..1928d2b 100644 --- a/hosts/lappy-t495/lappy-t495.nix +++ b/hosts/lappy-t495/lappy-t495.nix @@ -21,7 +21,7 @@ home-manager.users.root = { imports = with tree; [home.base]; - home.stateVersion = "23.05"; + home.stateVersion = "24.05"; }; home-manager.users.chaos = { @@ -39,7 +39,7 @@ home.gaming.platforms.steam ]; - home.stateVersion = "23.05"; + home.stateVersion = "24.05"; }; networking.firewall.enable = true; @@ -50,5 +50,5 @@ networking.hostName = "lappy-t495"; time.timeZone = "Europe/London"; - system.stateVersion = "23.05"; + system.stateVersion = "24.05"; } diff --git a/hosts/nixos.nix b/hosts/nixos.nix index b03cb8c..0aa9576 100644 --- a/hosts/nixos.nix +++ b/hosts/nixos.nix @@ -62,7 +62,7 @@ }) ]; }; -in { +in rec { lappy-t495 = nixosUnstableSystem { specialArgs = defaultSpecialArgs @@ -77,7 +77,7 @@ in { specialArgs = defaultSpecialArgs // { - hostPath = ./lappy-surfacr; + hostPath = ./lappy-surface; }; system = "x86_64-linux"; modules = defaultModules ++ [./lappy-surface/lappy-surface.nix ./lappy-surface/hardware.nix]; diff --git a/hosts/raspberry/raspberry.nix b/hosts/raspberry/raspberry.nix index aa1a82f..f71ce80 100644 --- a/hosts/raspberry/raspberry.nix +++ b/hosts/raspberry/raspberry.nix 
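Review bot: `in rec {` makes every host attribute visible to every other, but nothing in the hunk references a sibling, so the reason for it is not visible; `rec` at this level invites accidental self-reference (infinite recursion) and means a later override of one host is not seen by the others. If one host genuinely needs another (say a target that embeds a sibling's configuration), a `let`-bound name would be clearer, or at least a comment naming the dependent, e.g. `in rec { # rec: <host> below refers to <other host>`. The attrset continues outside the hunk.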
@@ -23,6 +23,6 @@ networking.hostName = "raspberry"; time.timeZone = "Europe/London"; - home-manager.users.root.home.stateVersion = "23.05"; - system.stateVersion = "23.05"; + home-manager.users.root.home.stateVersion = "24.05"; + system.stateVersion = "24.05"; } diff --git a/hosts/wsl/wsl.nix b/hosts/wsl/wsl.nix index 13b0fef..c34a69f 100644 --- a/hosts/wsl/wsl.nix +++ b/hosts/wsl/wsl.nix @@ -11,15 +11,15 @@ ]; home-manager.users.root = { - home.stateVersion = "23.05"; + home.stateVersion = "24.05"; }; home-manager.users.chaos = { - home.stateVersion = "23.05"; + home.stateVersion = "24.05"; }; networking.hostName = "wsl"; time.timeZone = "Europe/London"; - system.stateVersion = "23.05"; + system.stateVersion = "24.05"; } diff --git a/outputs.nix b/outputs.nix index 52583bd..3ac6da8 100644 --- a/outputs.nix +++ b/outputs.nix @@ -54,7 +54,7 @@ in packages = { inherit (pkgs) comic-code comic-sans; inherit (pkgs) mk-enc-usb mk-encrypted-drive mk-raspberry-ext-drive; - inherit (pkgs) gotosocial mpd-headless owncast; + inherit (pkgs) gotosocial mpd-headless; inherit (pkgs) kitty-terminfo; }; } diff --git a/overlay/default.nix b/overlay/default.nix index c83b4a6..5fded06 100644 --- a/overlay/default.nix +++ b/overlay/default.nix 
@@ -39,46 +39,9 @@ final: prev: rec { "systemd" "syslog" "io_uring" + "curl" + "nfs" + "webdav" ]; }; - - owncast = - (prev.owncast.override { - ffmpeg = final.ffmpeg_6-headless; - }) - .overrideAttrs (_old: {doCheck = false;}); - - gotosocial = prev.gotosocial.overrideAttrs (_old: let - owner = "superseriousbusiness"; - repo = "gotosocial"; - - version = "0.15.0"; - source-hash = "sha256-z0iETddkw4C2R6ig9ZO8MTvhuWnmQ37/6q3oZ4WAzd4="; - web-assets-hash = "sha256-vrSdFIdBcfj6+sxtvv1s/Mu85I1mKxjyUYS902oLKk4="; - - web-assets = final.fetchurl { - url = "https://github.com/${owner}/${repo}/releases/download/v${version}/${repo}_${version}_web-assets.tar.gz"; - hash = web-assets-hash; - }; - in { - inherit version; - - src = final.fetchFromGitHub { - inherit owner repo; - rev = "refs/tags/v${version}"; - hash = source-hash; - }; - - passthru.web-assets = web-assets; - - ldflags = ["-s" "-w" "-X main.Version=${version}"]; - - doCheck = false; - - postInstall = '' - tar xf ${web-assets} - mkdir -p $out/share/gotosocial - mv web $out/share/gotosocial/ - ''; - }); } diff --git a/profiles/serverExtras.nix b/profiles/serverExtras.nix index 530a046..69c0548 100644 --- a/profiles/serverExtras.nix +++ b/profiles/serverExtras.nix 
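Review bot: The list that `"curl"`, `"nfs"` and `"webdav"` extend begins before the hunk, so what it configures is not visible here; from the neighbouring entries (`"systemd" "syslog" "io_uring"`) and the `mpd-headless` package elsewhere in this change it looks like mpd's feature list, and if so these three enable network input/storage plugins that let any client able to talk to mpd make the daemon fetch arbitrary URLs or mount NFS/WebDAV shares. That is presumably how the music library is now reached instead of a local mount, so it deserves a one-line comment saying so and a reminder that mpd's listener has to stay on the internal/container address (or be password-gated) so the fetch capability is not reachable from anywhere else, e.g. `# network input plugins for remote library access — keep mpd bind_to_address internal`. The removed owncast/gotosocial overrides are history and not re-reviewed here.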
@@ -17,12 +17,36 @@ in { environment.systemPackages = [ + (writeShellScriptBin "server-extras-info" '' + ${pkgs.bat}/bin/bat -l markdown ${builtins.toFile "server-extras-info.md" '' + # Available Commands: + - journalctl-vaccum-all + Vaccums host and all container systemd journals + - journalctl-vaccum-host + Vaccums systemd journal on host + - journalctl-vaccum-`$name` + Vaccums systemd journal on a specific container + - journalctl-container-`$name` + journalctl but for a specific container + - systemctl-container-`$name` + systemctl but for a specific container + - systemctl-list-failed-all + Lists all failed units in host and containers + - restart-service-all + Restarts a service on host and all containers + - shell-enter-`$name` + Opens an interactive shell with container + ''} + '') (writeShellScriptBin "journalctl-vaccum-all" '' journalctl --vacuum-size=${vaccumSize} ${concatStringsSep "\n" (forEach containerNames (name: '' journalctl --vacuum-size=${vaccumSize} --root /var/lib/nixos-containers/${name} ''))} '') + (writeShellScriptBin "journalctl-vaccum-host" '' + journalctl --vacuum-size=${vaccumSize} + '') (writeShellScriptBin "systemctl-list-failed-all" '' echo "Host: " systemctl --failed @@ -31,6 +55,14 @@ in { systemctl -M ${name} --failed ''))} '') + (writeShellScriptBin "restart-service-all" '' + echo "Host: " + systemctl restart $@ + ${concatStringsSep "\n" (forEach containerNames (name: '' + echo "Container: ${name}" + systemctl -M ${name} restart $@ + ''))} + '') ] ++ forEach containerNames (name: (writeShellScriptBin "journalctl-vaccum-${name}" '' journalctl --vacuum-size=${vaccumSize} --root /var/lib/nixos-containers/${name}
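Review bot: The help text in `server-extras-info.md` misspells "Vacuums" as "Vaccums" three times; the command names should keep `vaccum` to stay consistent with the existing `journalctl-vaccum-all`, but the prose lines can read `Vacuums host and all container systemd journals`, `Vacuums systemd journal on host`, `Vacuums systemd journal on a specific container`. The page also documents commands this hunk does not define (`journalctl-container-*`, `systemctl-container-*`, `shell-enter-*`), presumably from the part of the list outside the hunk; since the help text is hand-maintained it will drift from the definitions, so consider generating the per-container lines from `containerNames` or keeping a short comment next to each definition pointing at the help entry. The `environment.systemPackages` list continues past the hunk.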
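Review bot: `systemctl restart $@` and `systemctl -M ${name} restart $@` in `restart-service-all` expand the arguments unquoted, so a unit name containing whitespace or a glob character is split or globbed before it reaches systemctl; write `systemctl restart "$@"` and `systemctl -M ${name} restart "$@"` (Nix only interpolates `${`, so the quotes survive the `''` string). Because this fans out to every container, a unit that does not exist somewhere just prints an error per container and the script carries on — if a failure on the host should stop the fan-out, say so in a comment or add `set -e` at the top of the script. The `forEach containerNames` tail of the list continues outside the hunk.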