diff --git a/hosts/hetzner-arm/containers/music/data/ports.nix b/hosts/hetzner-arm/containers/music/data/ports.nix
deleted file mode 100644
index 0d595c3..0000000
--- a/hosts/hetzner-arm/containers/music/data/ports.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- mpd = 6600;
- mpd-opus-low = 4242;
- mpd-opus-medium = 4243;
- mpd-opus-high = 4244;
- mpd-flac = 4245;
-}
diff --git a/hosts/hetzner-arm/containers/music/default.nix b/hosts/hetzner-arm/containers/music/default.nix
deleted file mode 100644
index 6118f52..0000000
--- a/hosts/hetzner-arm/containers/music/default.nix
+++ /dev/null
@@ -1,125 +0,0 @@
-{
- self,
- hostPath,
- tree,
- lib,
- inputs,
- pkgs,
- config,
- ...
-}: let
- inherit (lib.modules) mkMerge;
- inherit (lib.lists) forEach;
-
- containerName = "music";
-
- containerAddresses = import "${hostPath}/data/containerAddresses.nix";
-
- hostIP = containerAddresses.host;
- containerIP = containerAddresses.containers.${containerName};
-
- ports = import ./data/ports.nix;
-
- # these secrets should probs be in host but im lazy
- containerSecrets = config.containers.${containerName}.config.services.secrets.secrets;
- pathInContainer = path: "/var/lib/nixos-containers/${containerName}" + path;
-in {
- containers.music = {
- autoStart = true;
- privateNetwork = true;
- hostAddress = hostIP;
- localAddress = containerIP;
-
- specialArgs = {
- inherit inputs;
- inherit tree;
- inherit self;
- inherit hostPath;
- };
-
- bindMounts = {
- "/dev/fuse" = {
- hostPath = "/dev/fuse";
- isReadOnly = false;
- };
- };
-
- allowedDevices = [
- {
- modifier = "rwm";
- node = "/dev/fuse";
- }
- {
- modifier = "rwm";
- node = "/dev/mapper/control";
- }
- ];
-
- config = {...}: {
- nixpkgs.pkgs = pkgs;
-
- imports = with tree;
- [
- presets.nixos.containerBase
-
- profiles.nginx
- profiles.firewallAllow.httpCommon
-
- ./secrets.nix
- ]
- ++ (with hosts.hetzner-arm.containers.music.profiles; [
- mpd
- ]);
-
- home-manager.users.root.imports = with tree; [home.apps.musicutil];
-
- networking.firewall.allowedTCPPorts = with ports; [
- mpd
- mpd-opus-low
- mpd-opus-medium
- mpd-opus-high
- mpd-flac
- ];
-
- home-manager.users.root.home.stateVersion = "24.05";
- system.stateVersion = "24.05";
- };
- };
-
- services.nginx.virtualHosts."mpd.owo.monster" = let
- extraConfig = ''
- auth_basic "Music Password";
- auth_basic_user_file ${pathInContainer containerSecrets.music_stream_passwd.path};
- '';
- in {
- forceSSL = true;
- enableACME = true;
- locations = mkMerge [
- {
- "/flac" = {
- proxyPass = "http://${containerIP}:${toString ports.mpd-flac}";
- inherit 
extraConfig;
- };
- }
- (mkMerge (forEach ["low" "medium" "high"] (quality: {
- "/opus-${quality}" = {
- proxyPass = "http://${containerIP}:${toString ports."mpd-opus-${quality}"}";
- inherit extraConfig;
- };
- })))
- ];
- };
-
- networking = {
- nat.forwardPorts = [
- {
- sourcePort = ports.mpd;
- destination = "${containerIP}\:${toString ports.mpd}";
- }
- ];
-
- firewall.allowedTCPPorts = with ports; [
- mpd
- ];
- };
-}
diff --git a/hosts/hetzner-arm/containers/music/secrets.nix b/hosts/hetzner-arm/containers/music/secrets.nix
deleted file mode 100644
index 6973de4..0000000
--- a/hosts/hetzner-arm/containers/music/secrets.nix
+++ /dev/null
@@ -1,42 +0,0 @@
-{pkgs, ...}: {
- services.secrets = {
- enable = true;
-
- vaultLogin = {
- enable = true;
- loginUsername = "hetzner-arm-container-music";
- };
-
- requiredVaultPaths = [
- "api-keys/data/mpd"
- "api-keys/data/music-stream"
- ];
-
- packages = with pkgs; [
- apacheHttpd
- ];
-
- secrets = {
- vault_password = {
- manual = true;
- };
-
- mpd_control_password = {
- user = "mpd";
- group = "mpd";
- fetchScript = ''
- simple_get "/api-keys/mpd" .password > "$secretFile"
- '';
- };
- music_stream_passwd = {
- user = "nginx";
- group = "nginx";
- fetchScript = ''
- username=$(simple_get "/api-keys/music-stream" .username)
- password=$(simple_get "/api-keys/music-stream" .password)
- htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null
- '';
- };
- };
- };
-}
diff --git a/hosts/hetzner-arm/hetzner-arm.nix b/hosts/hetzner-arm/hetzner-arm.nix
index 9bf6992..a8264f9 100644
--- a/hosts/hetzner-arm/hetzner-arm.nix
+++ b/hosts/hetzner-arm/hetzner-arm.nix
@@ -26,12 +26,12 @@ in {
 "jellyfin"
 #"grocy"
 "vault"
- "music"
 ] (name: ./containers + "/${name}"))
 ++ (with hosts.hetzner-arm.profiles; [
 staticSites
 gotosocial
 forgejo
+ mpd
 restic
 ]);
diff --git a/hosts/hetzner-arm/profiles/forgejo.nix b/hosts/hetzner-arm/profiles/forgejo.nix
index 44cf057..d014933 100644
--- a/hosts/hetzner-arm/profiles/forgejo.nix
+++ b/hosts/hetzner-arm/profiles/forgejo.nix
@@ -81,4 +81,8 @@
 locations."/".proxyPass = "http://unix:/var/sockets/forgejo/forgejo.sock";
 };
 };
+
+ networking.firewall.allowedTCPPorts = with ports; [
+ 2222
+ ];
 }
diff --git a/hosts/hetzner-arm/containers/music/profiles/mpd.nix b/hosts/hetzner-arm/profiles/mpd.nix
similarity index 69%
rename from hosts/hetzner-arm/containers/music/profiles/mpd.nix
rename to hosts/hetzner-arm/profiles/mpd.nix
index 5c2fcf8..8508f5c 100644
--- a/hosts/hetzner-arm/containers/music/profiles/mpd.nix
+++ b/hosts/hetzner-arm/profiles/mpd.nix
@@ -7,7 +7,14 @@
 inherit (lib.strings) concatStringsSep;
 inherit (lib.lists) forEach;
- ports = import ../data/ports.nix;
+ ports = {
+ mpd = 6600;
+ mpd-opus-low = 4242;
+ mpd-opus-medium = 4243;
+ mpd-opus-high = 4244;
+ mpd-flac = 4245;
+ };
+ inherit (config.services.secrets) secrets;
 in {
 environment.systemPackages = with pkgs; [
@@ -85,4 +92,32 @@ in {
 }
 '';
 };
+
+ services.nginx.virtualHosts."mpd.owo.monster" = let
+ extraConfig = ''
+ auth_basic "Music Password";
+ auth_basic_user_file ${secrets.music_stream_passwd.path};
+ '';
+ in {
+ forceSSL = true;
+ enableACME = true;
+ locations = mkMerge [
+ {
+ "/flac" = {
+ proxyPass = "http://127.0.0.1:${toString ports.mpd-flac}";
+ inherit extraConfig;
+ };
+ }
+ (mkMerge (forEach ["low" "medium" "high"] (quality: {
+ "/opus-${quality}" = {
+ proxyPass = "http://127.0.0.1:${toString ports."mpd-opus-${quality}"}";
+ inherit extraConfig;
+ };
+ })))
+ ];
+ };
+
+ networking.firewall.allowedTCPPorts = with ports; [
+ mpd
+ ];
 }
diff --git a/hosts/hetzner-arm/secrets.nix b/hosts/hetzner-arm/secrets.nix
index c50cd98..760a868 100644
--- a/hosts/hetzner-arm/secrets.nix
+++ b/hosts/hetzner-arm/secrets.nix
@@ -1,4 +1,4 @@
-{...}: {
+{pkgs, ...}: {
 services.secrets = {
 enable = true;
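Review bot: On the added `networking.firewall.allowedTCPPorts = with ports; [ 2222 ];` in forgejo.nix the `with ports;` is dead — the list contains only the literal `2222`, so nothing from `ports` is referenced, and a reader cannot tell whether 2222 is meant to track an entry in that set. If `ports` (bound outside this hunk) has an entry for this listener, reference it, e.g. `networking.firewall.allowedTCPPorts = [ports.<forgejo-ssh-port-name>];`; otherwise drop the `with`. Opening 2222 here exposes whatever listens on it on every host interface — presumably Forgejo's SSH listener, but that is not visible in the hunk — so a one-line comment naming the service behind the port would help, e.g. `# 2222: Forgejo SSH listener (git over ssh)` once confirmed. The enclosing attrset starts outside the hunk.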
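Review bot: The added `networking.firewall.allowedTCPPorts = with ports; [ mpd ];` at the end of mpd.nix opens the MPD control port (6600, per the `ports` set added in the first hunk) on the host firewall, and since the commit removes the `privateNetwork` container the daemon now listens in the host's own network namespace; the only thing gating remote control is the `mpd_control_password` secret, which is wired up outside this hunk. That trade-off deserves a comment so it is not undone by accident, e.g. `# MPD control protocol (6600) is reachable from outside; access relies on mpd_control_password`. The opus/flac outputs on 4242–4245 are reached only through nginx on 127.0.0.1 and are correctly not listed here; confirm the MPD httpd outputs themselves bind to 127.0.0.1 (their configuration is outside this hunk), since the nginx `auth_basic` is the only authentication in front of those streams.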
@@ -7,6 +7,10 @@
 loginUsername = "hetzner-arm";
 };
+ packages = with pkgs; [
+ apacheHttpd
+ ];
+
 requiredVaultPaths = [
 "private-public-keys/data/ssh/root@hetzner-arm"
 "private-public-keys/data/ssh/root@hetzner-arm-decrypt"
@@ -17,6 +21,9 @@
 "api-keys/data/chaos_mail/gotosocial"
 "private-public-keys/data/restic/Forgejo"
+
+ "api-keys/data/mpd"
+ "api-keys/data/music-stream"
 ];
 secrets = {
@@ -80,6 +87,24 @@
 simple_get "/private-public-keys/restic/Forgejo" .password > "$secretFile"
 '';
 };
+
+ mpd_control_password = {
+ user = "mpd";
+ group = "mpd";
+ fetchScript = ''
+ simple_get "/api-keys/mpd" .password > "$secretFile"
+ '';
+ };
+
+ music_stream_passwd = {
+ user = "nginx";
+ group = "nginx";
+ fetchScript = ''
+ username=$(simple_get "/api-keys/music-stream" .username)
+ password=$(simple_get "/api-keys/music-stream" .password)
+ htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null
+ '';
+ };
 };
 };
 }
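Review bot: In the added `music_stream_passwd.fetchScript`, `htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null` hands the plaintext password to htpasswd as a command-line argument, where any local process can read it from the process list while the command runs — more relevant now that this script runs on the host instead of inside the removed container — and the `2>/dev/null` discards the only diagnostic if htpasswd fails, leaving nginx's `auth_basic_user_file` missing or empty. Read the password from stdin and let failures surface instead: `printf '%s' "$password" | htpasswd -ic "$secretFile" "$username"`. The script is carried over verbatim from the deleted container secrets.nix, so the issue predates this commit, but the move to the host is the right moment to fix it.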