add slskd, config.mailserver -> services.mailserver, fix gotosocial backups

2023-09-08 21:29:08 +01:00 · 2023-09-08 21:29:08 +01:00 · 9b75a69bd4
parent 798d976733
commit 9b75a69bd4
19 changed files with 514 additions and 30 deletions
--- a/hosts/hetzner-vm/containers/mail/modules/mailserver/default.nix
+++ b/hosts/hetzner-vm/containers/mail/modules/mailserver/default.nix
@ -4,9 +4,9 @@
  ...
 }:
 with lib; let
-  cfg = config.mailserver;
+  cfg = config.services.mailserver;
 in {
-  options.mailserver = {
+  options.services.mailserver = {
    enable = mkEnableOption "mailserver";

    fqdn = mkOption {type = types.str;};
--- a/hosts/hetzner-vm/containers/mail/modules/mailserver/dovecot.nix
+++ b/hosts/hetzner-vm/containers/mail/modules/mailserver/dovecot.nix
@ -4,7 +4,7 @@
  lib,
  ...
 }: let
-  mail_config = config.mailserver;
+  mail_config = config.services.mailserver;

  vmail_config = mail_config.vmail_config;

--- a/hosts/hetzner-vm/containers/mail/modules/mailserver/firewall.nix
+++ b/hosts/hetzner-vm/containers/mail/modules/mailserver/firewall.nix
@ -3,7 +3,7 @@
  config,
  ...
 }: let
-  mail_config = config.mailserver;
+  mail_config = config.services.mailserver;
 in {
  config = lib.mkIf mail_config.enable {
    networking.firewall = {
--- a/hosts/hetzner-vm/containers/mail/modules/mailserver/opendkim.nix
+++ b/hosts/hetzner-vm/containers/mail/modules/mailserver/opendkim.nix
@ -5,7 +5,7 @@
  ...
 }:
 with lib; let
-  mail_config = config.mailserver;
+  mail_config = config.services.mailserver;
  dkimUser = config.services.opendkim.user;
  dkimGroup = config.services.opendkim.group;

--- a/hosts/hetzner-vm/containers/mail/modules/mailserver/postfix.nix
+++ b/hosts/hetzner-vm/containers/mail/modules/mailserver/postfix.nix
@ -4,7 +4,7 @@
  lib,
  ...
 }: let
-  mail_config = config.mailserver;
+  mail_config = config.services.mailserver;
  submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" ''
    /^Received:/            IGNORE
    /^X-Originating-IP:/    IGNORE
--- a/hosts/hetzner-vm/containers/mail/modules/mailserver/rspamd.nix
+++ b/hosts/hetzner-vm/containers/mail/modules/mailserver/rspamd.nix
@ -3,7 +3,7 @@
  lib,
  ...
 }: let
-  mail_config = config.mailserver;
+  mail_config = config.services.mailserver;

  postfixCfg = config.services.postfix;
  rspamdCfg = config.services.rspamd;
--- a/hosts/hetzner-vm/containers/mail/modules/mailserver/ssl.nix
+++ b/hosts/hetzner-vm/containers/mail/modules/mailserver/ssl.nix
@ -3,7 +3,7 @@
  lib,
  ...
 }: let
-  mail_config = config.mailserver;
+  mail_config = config.services.mailserver;
  acmeRoot = "/var/lib/acme/acme-challenge";
 in {
  config = lib.mkIf (mail_config.enable && mail_config.ssl_config.useACME) {
--- a/hosts/hetzner-vm/containers/mail/modules/mailserver/vmail.nix
+++ b/hosts/hetzner-vm/containers/mail/modules/mailserver/vmail.nix
@ -4,7 +4,7 @@
  lib,
  ...
 }: let
-  mail_config = config.mailserver;
+  mail_config = config.services.mailserver;

  vmail_config = mail_config.vmail_config;
  vmail_user = vmail_config.user;
--- a/hosts/hetzner-vm/containers/mail/modules/mailserver/webmail.nix
+++ b/hosts/hetzner-vm/containers/mail/modules/mailserver/webmail.nix
@ -3,7 +3,7 @@
  lib,
  ...
 }: let
-  mail_config = config.mailserver;
+  mail_config = config.services.mailserver;
 in {
  config = lib.mkIf (mail_config.enable && mail_config.enable_roundcube) {
    services.roundcube = {
--- a/hosts/hetzner-vm/containers/mail/profiles/mailserver.nix
+++ b/hosts/hetzner-vm/containers/mail/profiles/mailserver.nix
@ -1,7 +1,11 @@
-{host_secrets, ...}: let
+{
+  pkgs,
+  host_secrets,
+  ...
+}: let
  secrets = host_secrets;
 in {
-  config.mailserver = {
+  services.mailserver = {
    enable = true;
    fqdn = "mail.owo.monster";
    domains = ["owo.monster"];
@ -56,15 +60,23 @@ in {
    };
  };

-  config.systemd.tmpfiles.rules = [
+  systemd.tmpfiles.rules = [
    "d /var/sockets - nginx nginx"
  ];

-  config.systemd.services.nginx.serviceConfig.ReadWritePaths = [
+  systemd.services.nginx.serviceConfig.ReadWritePaths = [
    "/var/sockets"
  ];

-  config.services.nginx.virtualHosts."mail.owo.monster" = {
+  services.roundcube = {
+    package = pkgs.roundcube.withPlugins (plugins:
+      with pkgs.roundcubePlugins; [
+        persistent_login
+      ]);
+    plugins = ["persistent_login"];
+  };
+
+  services.nginx.virtualHosts."mail.owo.monster" = {
    listen = [
      {
        addr = "127.0.0.1";
--- a/hosts/hetzner-vm/containers/mail/profiles/restic.nix
+++ b/hosts/hetzner-vm/containers/mail/profiles/restic.nix
@ -6,7 +6,7 @@
  ...
 }: let
  secrets = host_secrets;
-  mail_config = config.mailserver;
+  mail_config = config.services.mailserver;
  backupPrepareCommand = "${
    (pkgs.writeShellScriptBin "backupPrepareCommand" ''
      systemctl start postgresqlBackup-roundcube --wait
--- a/hosts/hetzner-vm/containers/music/data/ports.nix
+++ b/hosts/hetzner-vm/containers/music/data/ports.nix
@ -4,4 +4,6 @@
  mpd-opus-medium = 4243;
  mpd-opus-high = 4244;
  mpd-flac = 4245;
+  slskd = 5000;
+  slskd-web = 5001;
 }
--- a/hosts/hetzner-vm/containers/music/music.nix
+++ b/hosts/hetzner-vm/containers/music/music.nix
@ -16,8 +16,12 @@
 in {
  networking.nat.forwardPorts = [
    {
-      sourcePort = 6600;
-      destination = "${containerIP}\:6600";
+      sourcePort = ports.mpd;
+      destination = "${containerIP}\:${toString ports.mpd}";
+    }
+    {
+      sourcePort = ports.slskd;
+      destination = "${containerIP}\:${toString ports.slskd}";
    }
  ];

@ -26,13 +30,16 @@ in {
    privateNetwork = true;
    hostAddress = hostIP;
    localAddress = containerIP;
-    bindMounts = lib.mkMerge (lib.forEach ["mpd_control_password"] (secret_name: let
-      path = "${secrets.${secret_name}.path}";
-    in {
-      "${path}" = {
-        hostPath = "${path}";
-      };
-    }));
+    bindMounts = lib.mkMerge (lib.forEach [
+        "mpd_control_password"
+        "slskd_env"
+      ] (secret_name: let
+        path = "${secrets.${secret_name}.path}";
+      in {
+        "${path}" = {
+          hostPath = "${path}";
+        };
+      }));

    config = {
      config,
@ -51,6 +58,7 @@ in {
          inputs.home-manager-unstable.nixosModules.home-manager

          profiles.sshd
+          profiles.nginx

          modules.nixos.secrets

@ -59,6 +67,7 @@ in {
        ++ (with hosts.hetzner-vm.containers.music; [
          profiles.music-sync
          profiles.mpd
+          profiles.soulseek
        ]);

      # For Shared Secrets
@ -84,6 +93,15 @@ in {
    };
  };

+  services.nginx.virtualHosts."soulseek.owo.monster" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://${containerIP}:${toString ports.slskd-web}";
+      proxyWebsockets = true;
+    };
+  };
+
  services.nginx.virtualHosts."stream.owo.monster" = let
    extraConfig = ''
      auth_basic "Music Password";
@ -117,5 +135,8 @@ in {
    gid = config.ids.gids.mpd;
  };

-  networking.firewall.allowedTCPPorts = [6600];
+  networking.firewall.allowedTCPPorts = with ports; [
+    mpd
+    slskd
+  ];
 }
--- a/hosts/hetzner-vm/containers/music/profiles/soulseek.nix
+++ b/hosts/hetzner-vm/containers/music/profiles/soulseek.nix
@ -0,0 +1,43 @@
+{
+  lib,
+  host_secrets,
+  ...
+}: let
+  ports = import ../data/ports.nix {};
+  secrets = host_secrets;
+
+  inherit (lib.modules) mkForce;
+in {
+  services.slskd = {
+    enable = true;
+    openFirewall = true;
+    environmentFile = secrets.slskd_env.path;
+    settings = {
+      remote_configuration = false;
+      remote_file_management = true;
+      soulseek = {
+        username = "chaoticryptidz";
+        description = "chaos's soulseek";
+        listen_port = ports.slskd;
+      };
+      web = {
+        port = ports.slskd-web;
+        authentication = {
+          username = "chaos";
+        };
+      };
+      shares.directories = [
+        "/Music"
+      ];
+    };
+    nginx = {
+      enable = true; # I don't think this is even cheked
+      domainName = "soulseek.owo.monster";
+    };
+  };
+
+  services.nginx.virtualHosts."soulseek.owo.monster" = {
+    forceSSL = mkForce false;
+    enableACME = mkForce false;
+  };
+}
--- a/hosts/hetzner-vm/containers/social/profiles/backups.nix
+++ b/hosts/hetzner-vm/containers/social/profiles/backups.nix
@ -38,7 +38,7 @@
  }/bin/backupPrepareCommand";

  backupCleanupCommand = "${(pkgs.writeShellScriptBin "backupCleanupCommand" ''
-    rm /var/lib/gotosocial/gts-export.json
+    rm /var/lib/gotosocial/gts-export.json || true
  '')}/bin/backupCleanupCommand";
 in {
  environment.systemPackages = with pkgs; [
--- a/hosts/hetzner-vm/hetzner-vm.nix
+++ b/hosts/hetzner-vm/hetzner-vm.nix
@ -42,7 +42,7 @@
        echo "Host: "
        systemctl --failed
        ${lib.concatStringsSep "\n" (lib.forEach (lib.attrNames config.containers) (name: ''
-          echo "Container: "
+          echo "Container: ${name}"
          systemctl -M ${name} --failed
        ''))}
      '')
--- a/hosts/hetzner-vm/secrets.nix
+++ b/hosts/hetzner-vm/secrets.nix
@ -60,6 +60,15 @@
          htpasswd -bc $secretFile "$username" "$password" 2>/dev/null
        '';
      };
+      slskd_env = {
+        fetchScript = ''
+          soulseek_password=$(simple_get "/passwords/soulseek" .password)
+          slskd_password=$(simple_get "/passwords/slskd" .password)
+          echo > $secretFile
+          echo "SLSKD_SLSK_PASSWORD=$soulseek_password" >> $secretFile
+          echo "SLSKD_PASSWORD=$slskd_password" >> $secretFile
+        '';
+      };

      # Container: mail
      mail_restic_password = {
--- a/392
+++ b/392
@ -0,0 +1,392 @@
+[1mdiff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/default.nix b/hosts/hetzner-vm/containers/mail/modules/mailserver/default.nix[m
+[1mindex 0e9f1da..73979dd 100644[m
+[1m--- a/hosts/hetzner-vm/containers/mail/modules/mailserver/default.nix[m
+[1m+++ b/hosts/hetzner-vm/containers/mail/modules/mailserver/default.nix[m
+[36m@@ -4,9 +4,9 @@[m
+   ...[m
+ }:[m
+ with lib; let[m
+[31m-  cfg = config.mailserver;[m
+[32m+[m[32m  cfg = config.services.mailserver;[m
+ in {[m
+[31m-  options.mailserver = {[m
+[32m+[m[32m  options.services.mailserver = {[m
+     enable = mkEnableOption "mailserver";[m
+ [m
+     fqdn = mkOption {type = types.str;};[m
+[1mdiff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/dovecot.nix b/hosts/hetzner-vm/containers/mail/modules/mailserver/dovecot.nix[m
+[1mindex ef5f01d..d306611 100644[m
+[1m--- a/hosts/hetzner-vm/containers/mail/modules/mailserver/dovecot.nix[m
+[1m+++ b/hosts/hetzner-vm/containers/mail/modules/mailserver/dovecot.nix[m
+[36m@@ -4,7 +4,7 @@[m
+   lib,[m
+   ...[m
+ }: let[m
+[31m-  mail_config = config.mailserver;[m
+[32m+[m[32m  mail_config = config.services.mailserver;[m
+ [m
+   vmail_config = mail_config.vmail_config;[m
+ [m
+[1mdiff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/firewall.nix b/hosts/hetzner-vm/containers/mail/modules/mailserver/firewall.nix[m
+[1mindex 6c69bb3..0602a9a 100644[m
+[1m--- a/hosts/hetzner-vm/containers/mail/modules/mailserver/firewall.nix[m
+[1m+++ b/hosts/hetzner-vm/containers/mail/modules/mailserver/firewall.nix[m
+[36m@@ -3,7 +3,7 @@[m
+   config,[m
+   ...[m
+ }: let[m
+[31m-  mail_config = config.mailserver;[m
+[32m+[m[32m  mail_config = config.services.mailserver;[m
+ in {[m
+   config = lib.mkIf mail_config.enable {[m
+     networking.firewall = {[m
+[1mdiff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/opendkim.nix b/hosts/hetzner-vm/containers/mail/modules/mailserver/opendkim.nix[m
+[1mindex 3297ee5..32e2481 100644[m
+[1m--- a/hosts/hetzner-vm/containers/mail/modules/mailserver/opendkim.nix[m
+[1m+++ b/hosts/hetzner-vm/containers/mail/modules/mailserver/opendkim.nix[m
+[36m@@ -5,7 +5,7 @@[m
+   ...[m
+ }:[m
+ with lib; let[m
+[31m-  mail_config = config.mailserver;[m
+[32m+[m[32m  mail_config = config.services.mailserver;[m
+   dkimUser = config.services.opendkim.user;[m
+   dkimGroup = config.services.opendkim.group;[m
+ [m
+[1mdiff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/postfix.nix b/hosts/hetzner-vm/containers/mail/modules/mailserver/postfix.nix[m
+[1mindex 8599bbf..b795a26 100644[m
+[1m--- a/hosts/hetzner-vm/containers/mail/modules/mailserver/postfix.nix[m
+[1m+++ b/hosts/hetzner-vm/containers/mail/modules/mailserver/postfix.nix[m
+[36m@@ -4,7 +4,7 @@[m
+   lib,[m
+   ...[m
+ }: let[m
+[31m-  mail_config = config.mailserver;[m
+[32m+[m[32m  mail_config = config.services.mailserver;[m
+   submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" ''[m
+     /^Received:/            IGNORE[m
+     /^X-Originating-IP:/    IGNORE[m
+[1mdiff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/rspamd.nix b/hosts/hetzner-vm/containers/mail/modules/mailserver/rspamd.nix[m
+[1mindex 5df6349..be9ae1e 100644[m
+[1m--- a/hosts/hetzner-vm/containers/mail/modules/mailserver/rspamd.nix[m
+[1m+++ b/hosts/hetzner-vm/containers/mail/modules/mailserver/rspamd.nix[m
+[36m@@ -3,7 +3,7 @@[m
+   lib,[m
+   ...[m
+ }: let[m
+[31m-  mail_config = config.mailserver;[m
+[32m+[m[32m  mail_config = config.services.mailserver;[m
+ [m
+   postfixCfg = config.services.postfix;[m
+   rspamdCfg = config.services.rspamd;[m
+[1mdiff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/ssl.nix b/hosts/hetzner-vm/containers/mail/modules/mailserver/ssl.nix[m
+[1mindex f0f26bd..c7d7a61 100644[m
+[1m--- a/hosts/hetzner-vm/containers/mail/modules/mailserver/ssl.nix[m
+[1m+++ b/hosts/hetzner-vm/containers/mail/modules/mailserver/ssl.nix[m
+[36m@@ -3,7 +3,7 @@[m
+   lib,[m
+   ...[m
+ }: let[m
+[31m-  mail_config = config.mailserver;[m
+[32m+[m[32m  mail_config = config.services.mailserver;[m
+   acmeRoot = "/var/lib/acme/acme-challenge";[m
+ in {[m
+   config = lib.mkIf (mail_config.enable && mail_config.ssl_config.useACME) {[m
+[1mdiff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/vmail.nix b/hosts/hetzner-vm/containers/mail/modules/mailserver/vmail.nix[m
+[1mindex 90ee44f..44a4e42 100644[m
+[1m--- a/hosts/hetzner-vm/containers/mail/modules/mailserver/vmail.nix[m
+[1m+++ b/hosts/hetzner-vm/containers/mail/modules/mailserver/vmail.nix[m
+[36m@@ -4,7 +4,7 @@[m
+   lib,[m
+   ...[m
+ }: let[m
+[31m-  mail_config = config.mailserver;[m
+[32m+[m[32m  mail_config = config.services.mailserver;[m
+ [m
+   vmail_config = mail_config.vmail_config;[m
+   vmail_user = vmail_config.user;[m
+[1mdiff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/webmail.nix b/hosts/hetzner-vm/containers/mail/modules/mailserver/webmail.nix[m
+[1mindex 8230c64..e38e194 100644[m
+[1m--- a/hosts/hetzner-vm/containers/mail/modules/mailserver/webmail.nix[m
+[1m+++ b/hosts/hetzner-vm/containers/mail/modules/mailserver/webmail.nix[m
+[36m@@ -3,7 +3,7 @@[m
+   lib,[m
+   ...[m
+ }: let[m
+[31m-  mail_config = config.mailserver;[m
+[32m+[m[32m  mail_config = config.services.mailserver;[m
+ in {[m
+   config = lib.mkIf (mail_config.enable && mail_config.enable_roundcube) {[m
+     services.roundcube = {[m
+[1mdiff --git a/hosts/hetzner-vm/containers/mail/profiles/mailserver.nix b/hosts/hetzner-vm/containers/mail/profiles/mailserver.nix[m
+[1mindex bed2716..3fd9bbf 100644[m
+[1m--- a/hosts/hetzner-vm/containers/mail/profiles/mailserver.nix[m
+[1m+++ b/hosts/hetzner-vm/containers/mail/profiles/mailserver.nix[m
+[36m@@ -1,7 +1,11 @@[m
+[31m-{host_secrets, ...}: let[m
+[32m+[m[32m{[m
+[32m+[m[32m  pkgs,[m
+[32m+[m[32m  host_secrets,[m
+[32m+[m[32m  ...[m
+[32m+[m[32m}: let[m
+   secrets = host_secrets;[m
+ in {[m
+[31m-  config.mailserver = {[m
+[32m+[m[32m  services.mailserver = {[m
+     enable = true;[m
+     fqdn = "mail.owo.monster";[m
+     domains = ["owo.monster"];[m
+[36m@@ -56,15 +60,23 @@[m [min {[m
+     };[m
+   };[m
+ [m
+[31m-  config.systemd.tmpfiles.rules = [[m
+[32m+[m[32m  systemd.tmpfiles.rules = [[m
+     "d /var/sockets - nginx nginx"[m
+   ];[m
+ [m
+[31m-  config.systemd.services.nginx.serviceConfig.ReadWritePaths = [[m
+[32m+[m[32m  systemd.services.nginx.serviceConfig.ReadWritePaths = [[m
+     "/var/sockets"[m
+   ];[m
+ [m
+[31m-  config.services.nginx.virtualHosts."mail.owo.monster" = {[m
+[32m+[m[32m  services.roundcube = {[m
+[32m+[m[32m    package = pkgs.roundcube.withPlugins (plugins:[m
+[32m+[m[32m      with pkgs.roundcubePlugins; [[m
+[32m+[m[32m        persistent_login[m
+[32m+[m[32m      ]);[m
+[32m+[m[32m    plugins = ["persistent_login"];[m
+[32m+[m[32m  };[m
+[32m+[m
+[32m+[m[32m  services.nginx.virtualHosts."mail.owo.monster" = {[m
+     listen = [[m
+       {[m
+         addr = "127.0.0.1";[m
+[1mdiff --git a/hosts/hetzner-vm/containers/mail/profiles/restic.nix b/hosts/hetzner-vm/containers/mail/profiles/restic.nix[m
+[1mindex 18ac0ef..d66cb66 100644[m
+[1m--- a/hosts/hetzner-vm/containers/mail/profiles/restic.nix[m
+[1m+++ b/hosts/hetzner-vm/containers/mail/profiles/restic.nix[m
+[36m@@ -6,7 +6,7 @@[m
+   ...[m
+ }: let[m
+   secrets = host_secrets;[m
+[31m-  mail_config = config.mailserver;[m
+[32m+[m[32m  mail_config = config.services.mailserver;[m
+   backupPrepareCommand = "${[m
+     (pkgs.writeShellScriptBin "backupPrepareCommand" ''[m
+       systemctl start postgresqlBackup-roundcube --wait[m
+[1mdiff --git a/hosts/hetzner-vm/containers/music/data/ports.nix b/hosts/hetzner-vm/containers/music/data/ports.nix[m
+[1mindex 4fdaed1..4209c4b 100644[m
+[1m--- a/hosts/hetzner-vm/containers/music/data/ports.nix[m
+[1m+++ b/hosts/hetzner-vm/containers/music/data/ports.nix[m
+[36m@@ -4,4 +4,5 @@[m
+   mpd-opus-medium = 4243;[m
+   mpd-opus-high = 4244;[m
+   mpd-flac = 4245;[m
+[32m+[m[32m  skskd = 5000;[m
+ }[m
+[1mdiff --git a/hosts/hetzner-vm/containers/music/music.nix b/hosts/hetzner-vm/containers/music/music.nix[m
+[1mindex b199191..44e403d 100644[m
+[1m--- a/hosts/hetzner-vm/containers/music/music.nix[m
+[1m+++ b/hosts/hetzner-vm/containers/music/music.nix[m
+[36m@@ -11,13 +11,22 @@[m
+ [m
+   # Using secrets from Host[m
+   secrets = config.services.secrets.secrets;[m
+[32m+[m[32m  containerName = "music";[m
+[32m+[m
+[32m+[m[32m  socketPathFor = ([m
+[32m+[m[32m    name: "/var/lib/nixos-containers/${containerName}/var/sockets/${name}.sock"[m
+[32m+[m[32m  );[m
+ [m
+   ports = import ./data/ports.nix {};[m
+ in {[m
+   networking.nat.forwardPorts = [[m
+     {[m
+[31m-      sourcePort = 6600;[m
+[31m-      destination = "${containerIP}\:6600";[m
+[32m+[m[32m      sourcePort = ports.mpd;[m
+[32m+[m[32m      destination = "${containerIP}\:${toString ports.mpd}";[m
+[32m+[m[32m    }[m
+[32m+[m[32m    {[m
+[32m+[m[32m      sourcePort = ports.slskd;[m
+[32m+[m[32m      destination = "${containerIP}\:${toString ports.slskd}";[m
+     }[m
+   ];[m
+ [m
+[36m@@ -26,13 +35,16 @@[m [min {[m
+     privateNetwork = true;[m
+     hostAddress = hostIP;[m
+     localAddress = containerIP;[m
+[31m-    bindMounts = lib.mkMerge (lib.forEach ["mpd_control_password"] (secret_name: let[m
+[31m-      path = "${secrets.${secret_name}.path}";[m
+[31m-    in {[m
+[31m-      "${path}" = {[m
+[31m-        hostPath = "${path}";[m
+[31m-      };[m
+[31m-    }));[m
+[32m+[m[32m    bindMounts = lib.mkMerge (lib.forEach [[m
+[32m+[m[32m        "mpd_control_password"[m
+[32m+[m[32m        "slskd_env"[m
+[32m+[m[32m      ] (secret_name: let[m
+[32m+[m[32m        path = "${secrets.${secret_name}.path}";[m
+[32m+[m[32m      in {[m
+[32m+[m[32m        "${path}" = {[m
+[32m+[m[32m          hostPath = "${path}";[m
+[32m+[m[32m        };[m
+[32m+[m[32m      }));[m
+ [m
+     config = {[m
+       config,[m
+[36m@@ -51,6 +63,7 @@[m [min {[m
+           inputs.home-manager-unstable.nixosModules.home-manager[m
+ [m
+           profiles.sshd[m
+[32m+[m[32m          profiles.nginx[m
+ [m
+           modules.nixos.secrets[m
+ [m
+[36m@@ -59,6 +72,7 @@[m [min {[m
+         ++ (with hosts.hetzner-vm.containers.music; [[m
+           profiles.music-sync[m
+           profiles.mpd[m
+[32m+[m[32m          profiles.soulseek[m
+         ]);[m
+ [m
+       # For Shared Secrets[m
+[36m@@ -84,6 +98,14 @@[m [min {[m
+     };[m
+   };[m
+ [m
+[32m+[m[32m  services.nginx.virtualHosts."soulseek.owo.monster" = {[m
+[32m+[m[32m    forceSSL = true;[m
+[32m+[m[32m    enableACME = true;[m
+[32m+[m[32m    locations."/" = {[m
+[32m+[m[32m      proxyPass = "http://${containerIP}:80";[m
+[32m+[m[32m    };[m
+[32m+[m[32m  };[m
+[32m+[m
+   services.nginx.virtualHosts."stream.owo.monster" = let[m
+     extraConfig = ''[m
+       auth_basic "Music Password";[m
+[36m@@ -117,5 +139,8 @@[m [min {[m
+     gid = config.ids.gids.mpd;[m
+   };[m
+ [m
+[31m-  networking.firewall.allowedTCPPorts = [6600];[m
+[32m+[m[32m  networking.firewall.allowedTCPPorts = with ports; [[m
+[32m+[m[32m    mpd[m
+[32m+[m[32m    slskd[m
+[32m+[m[32m  ];[m
+ }[m
+[1mdiff --git a/hosts/hetzner-vm/containers/music/profiles/soulseek.nix b/hosts/hetzner-vm/containers/music/profiles/soulseek.nix[m
+[1mnew file mode 100644[m
+[1mindex 0000000..d7906eb[m
+[1m--- /dev/null[m
+[1m+++ b/hosts/hetzner-vm/containers/music/profiles/soulseek.nix[m
+[36m@@ -0,0 +1,40 @@[m
+[32m+[m[32m{[m
+[32m+[m[32m  lib,[m
+[32m+[m[32m  host_secrets,[m
+[32m+[m[32m  ...[m
+[32m+[m[32m}: let[m
+[32m+[m[32m  ports = import ../data/ports.nix {};[m
+[32m+[m[32m  secrets = host_secrets;[m
+[32m+[m
+[32m+[m[32m  inherit (lib.modules) mkForce;[m
+[32m+[m[32min {[m
+[32m+[m[32m  services.slskd = {[m
+[32m+[m[32m    enable = true;[m
+[32m+[m[32m    openFirewall = true;[m
+[32m+[m[32m    environmentFile = secrets.slskd_env.path;[m
+[32m+[m[32m    settings = {[m
+[32m+[m[32m      remote_configuration = false;[m
+[32m+[m[32m      remote_file_management = true;[m
+[32m+[m[32m      soulseek = {[m
+[32m+[m[32m        username = "chaoticryptidz";[m
+[32m+[m[32m        description = "chaos's soulseek";[m
+[32m+[m[32m        listen_port = ports.slskd;[m
+[32m+[m[32m      };[m
+[32m+[m[32m      web.authentication = {[m
+[32m+[m[32m        username = "chaos";[m
+[32m+[m[32m      };[m
+[32m+[m[32m      shares.directories = [[m
+[32m+[m[32m        "/Music"[m
+[32m+[m[32m      ];[m
+[32m+[m[32m    };[m
+[32m+[m[32m    nginx = {[m
+[32m+[m[32m      enable = true; # I don't think this is even cheked[m
+[32m+[m[32m      domainName = "soulseek.owo.monster";[m
+[32m+[m[32m    };[m
+[32m+[m[32m  };[m
+[32m+[m
+[32m+[m[32m  services.nginx.virtualHosts."soulseek.owo.monster" = {[m
+[32m+[m[32m    forceSSL = mkForce false;[m
+[32m+[m[32m    enableACME = mkForce false;[m
+[32m+[m[32m  };[m
+[32m+[m[32m}[m
+[1mdiff --git a/hosts/hetzner-vm/containers/social/profiles/backups.nix b/hosts/hetzner-vm/containers/social/profiles/backups.nix[m
+[1mindex 4d5346b..5e70ca1 100644[m
+[1m--- a/hosts/hetzner-vm/containers/social/profiles/backups.nix[m
+[1m+++ b/hosts/hetzner-vm/containers/social/profiles/backups.nix[m
+[36m@@ -38,7 +38,7 @@[m
+   }/bin/backupPrepareCommand";[m
+ [m
+   backupCleanupCommand = "${(pkgs.writeShellScriptBin "backupCleanupCommand" ''[m
+[31m-    rm /var/lib/gotosocial/gts-export.json[m
+[32m+[m[32m    rm /var/lib/gotosocial/gts-export.json || true[m
+   '')}/bin/backupCleanupCommand";[m
+ in {[m
+   environment.systemPackages = with pkgs; [[m
+[1mdiff --git a/hosts/hetzner-vm/hetzner-vm.nix b/hosts/hetzner-vm/hetzner-vm.nix[m
+[1mindex 7924a9b..a45dc1f 100644[m
+[1m--- a/hosts/hetzner-vm/hetzner-vm.nix[m
+[1m+++ b/hosts/hetzner-vm/hetzner-vm.nix[m
+[36m@@ -42,7 +42,7 @@[m
+         echo "Host: "[m
+         systemctl --failed[m
+         ${lib.concatStringsSep "\n" (lib.forEach (lib.attrNames config.containers) (name: ''[m
+[31m-          echo "Container: "[m
+[32m+[m[32m          echo "Container: ${name}"[m
+           systemctl -M ${name} --failed[m
+         ''))}[m
+       '')[m
+[1mdiff --git a/hosts/hetzner-vm/secrets.nix b/hosts/hetzner-vm/secrets.nix[m
+[1mindex 30e3f97..98a1ab4 100644[m
+[1m--- a/hosts/hetzner-vm/secrets.nix[m
+[1m+++ b/hosts/hetzner-vm/secrets.nix[m
+[36m@@ -60,6 +60,15 @@[m
+           htpasswd -bc $secretFile "$username" "$password" 2>/dev/null[m
+         '';[m
+       };[m
+[32m+[m[32m      slskd_env = {[m
+[32m+[m[32m        fetchScript = ''[m
+[32m+[m[32m          soulseek_password=$(simple_get "/passwords/soulseek" .password)[m
+[32m+[m[32m          slskd_password=$(simple_get "/passwords/slskd" .password)[m
+[32m+[m[32m          echo > $secretFile[m
+[32m+[m[32m          echo "SLSKD_SLSK_PASSWORD=$soulseek_password" >> $secretFile[m
+[32m+[m[32m          echo "SLSKD_PASSWORD=$slskd_password" >> $secretFile[m
+[32m+[m[32m        '';[m
+[32m+[m[32m      };[m
+ [m
+       # Container: mail[m
+       mail_restic_password = {[m
+[1mdiff --git a/profiles/gui/base/default.nix b/profiles/gui/base/default.nix[m
+[1mindex 5563f5b..0786b5b 100644[m
+[1m--- a/profiles/gui/base/default.nix[m
+[1m+++ b/profiles/gui/base/default.nix[m
+[36m@@ -1,6 +1,11 @@[m
+[31m-{pkgs, lib, config, ...}: let [m
+[32m+[m[32m{[m
+[32m+[m[32m  pkgs,[m
+[32m+[m[32m  lib,[m
+[32m+[m[32m  config,[m
+[32m+[m[32m  ...[m
+[32m+[m[32m}: let[m
+   inherit (lib.modules) mkIf;[m
+[31m-  [m
+[32m+[m
+   networkManagerEnabled = config.networking.networkmanager.enable;[m
+ in {[m
+   environment.systemPackages = with pkgs; [[m
--- a/profiles/gui/base/default.nix
+++ b/profiles/gui/base/default.nix
@ -1,6 +1,11 @@
-{pkgs, lib, config, ...}: let 
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}: let
  inherit (lib.modules) mkIf;
-  
+
  networkManagerEnabled = config.networking.networkmanager.enable;
 in {
  environment.systemPackages = with pkgs; [