move mpd to host

2024-07-20 13:11:15 +01:00 · 2024-07-20 13:11:15 +01:00 · fd55b8ff6e
parent b80228d8af
commit fd55b8ff6e
7 changed files with 67 additions and 177 deletions
--- a/hosts/hetzner-arm/containers/music/data/ports.nix
+++ b/hosts/hetzner-arm/containers/music/data/ports.nix
@ -1,7 +0,0 @@
-{
-  mpd = 6600;
-  mpd-opus-low = 4242;
-  mpd-opus-medium = 4243;
-  mpd-opus-high = 4244;
-  mpd-flac = 4245;
-}
--- a/hosts/hetzner-arm/containers/music/default.nix
+++ b/hosts/hetzner-arm/containers/music/default.nix
@ -1,125 +0,0 @@
-{
-  self,
-  hostPath,
-  tree,
-  lib,
-  inputs,
-  pkgs,
-  config,
-  ...
-}: let
-  inherit (lib.modules) mkMerge;
-  inherit (lib.lists) forEach;
-
-  containerName = "music";
-
-  containerAddresses = import "${hostPath}/data/containerAddresses.nix";
-
-  hostIP = containerAddresses.host;
-  containerIP = containerAddresses.containers.${containerName};
-
-  ports = import ./data/ports.nix;
-
-  # these secrets should probs be in host but im lazy
-  containerSecrets = config.containers.${containerName}.config.services.secrets.secrets;
-  pathInContainer = path: "/var/lib/nixos-containers/${containerName}" + path;
-in {
-  containers.music = {
-    autoStart = true;
-    privateNetwork = true;
-    hostAddress = hostIP;
-    localAddress = containerIP;
-
-    specialArgs = {
-      inherit inputs;
-      inherit tree;
-      inherit self;
-      inherit hostPath;
-    };
-
-    bindMounts = {
-      "/dev/fuse" = {
-        hostPath = "/dev/fuse";
-        isReadOnly = false;
-      };
-    };
-
-    allowedDevices = [
-      {
-        modifier = "rwm";
-        node = "/dev/fuse";
-      }
-      {
-        modifier = "rwm";
-        node = "/dev/mapper/control";
-      }
-    ];
-
-    config = {...}: {
-      nixpkgs.pkgs = pkgs;
-
-      imports = with tree;
-        [
-          presets.nixos.containerBase
-
-          profiles.nginx
-          profiles.firewallAllow.httpCommon
-
-          ./secrets.nix
-        ]
-        ++ (with hosts.hetzner-arm.containers.music.profiles; [
-          mpd
-        ]);
-
-      home-manager.users.root.imports = with tree; [home.apps.musicutil];
-
-      networking.firewall.allowedTCPPorts = with ports; [
-        mpd
-        mpd-opus-low
-        mpd-opus-medium
-        mpd-opus-high
-        mpd-flac
-      ];
-
-      home-manager.users.root.home.stateVersion = "24.05";
-      system.stateVersion = "24.05";
-    };
-  };
-
-  services.nginx.virtualHosts."mpd.owo.monster" = let
-    extraConfig = ''
-      auth_basic "Music Password";
-      auth_basic_user_file ${pathInContainer containerSecrets.music_stream_passwd.path};
-    '';
-  in {
-    forceSSL = true;
-    enableACME = true;
-    locations = mkMerge [
-      {
-        "/flac" = {
-          proxyPass = "http://${containerIP}:${toString ports.mpd-flac}";
-          inherit extraConfig;
-        };
-      }
-      (mkMerge (forEach ["low" "medium" "high"] (quality: {
-        "/opus-${quality}" = {
-          proxyPass = "http://${containerIP}:${toString ports."mpd-opus-${quality}"}";
-          inherit extraConfig;
-        };
-      })))
-    ];
-  };
-
-  networking = {
-    nat.forwardPorts = [
-      {
-        sourcePort = ports.mpd;
-        destination = "${containerIP}\:${toString ports.mpd}";
-      }
-    ];
-
-    firewall.allowedTCPPorts = with ports; [
-      mpd
-    ];
-  };
-}
--- a/hosts/hetzner-arm/containers/music/secrets.nix
+++ b/hosts/hetzner-arm/containers/music/secrets.nix
@ -1,42 +0,0 @@
-{pkgs, ...}: {
-  services.secrets = {
-    enable = true;
-
-    vaultLogin = {
-      enable = true;
-      loginUsername = "hetzner-arm-container-music";
-    };
-
-    requiredVaultPaths = [
-      "api-keys/data/mpd"
-      "api-keys/data/music-stream"
-    ];
-
-    packages = with pkgs; [
-      apacheHttpd
-    ];
-
-    secrets = {
-      vault_password = {
-        manual = true;
-      };
-
-      mpd_control_password = {
-        user = "mpd";
-        group = "mpd";
-        fetchScript = ''
-          simple_get "/api-keys/mpd" .password > "$secretFile"
-        '';
-      };
-      music_stream_passwd = {
-        user = "nginx";
-        group = "nginx";
-        fetchScript = ''
-          username=$(simple_get "/api-keys/music-stream" .username)
-          password=$(simple_get "/api-keys/music-stream" .password)
-          htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null
-        '';
-      };
-    };
-  };
-}
--- a/hosts/hetzner-arm/hetzner-arm.nix
+++ b/hosts/hetzner-arm/hetzner-arm.nix
@ -26,12 +26,12 @@ in {
      "jellyfin"
      #"grocy"
      "vault"
-      "music"
    ] (name: ./containers + "/${name}"))
    ++ (with hosts.hetzner-arm.profiles; [
      staticSites
      gotosocial
      forgejo
+      mpd
      restic
    ]);

--- a/hosts/hetzner-arm/profiles/forgejo.nix
+++ b/hosts/hetzner-arm/profiles/forgejo.nix
@ -81,4 +81,8 @@
      locations."/".proxyPass = "http://unix:/var/sockets/forgejo/forgejo.sock";
    };
  };
+
+  networking.firewall.allowedTCPPorts = with ports; [
+    2222
+  ];
 }
--- a/hosts/hetzner-arm/containers/music/profiles/mpd.nix
+++ b/hosts/hetzner-arm/containers/music/profiles/mpd.nix
@ -7,7 +7,14 @@
  inherit (lib.strings) concatStringsSep;
  inherit (lib.lists) forEach;

-  ports = import ../data/ports.nix;
+  ports = {
+    mpd = 6600;
+    mpd-opus-low = 4242;
+    mpd-opus-medium = 4243;
+    mpd-opus-high = 4244;
+    mpd-flac = 4245;
+  };
+
  inherit (config.services.secrets) secrets;
 in {
  environment.systemPackages = with pkgs; [
@ -85,4 +92,32 @@ in {
        }
      '';
  };
+
+  services.nginx.virtualHosts."mpd.owo.monster" = let
+    extraConfig = ''
+      auth_basic "Music Password";
+      auth_basic_user_file ${secrets.music_stream_passwd.path};
+    '';
+  in {
+    forceSSL = true;
+    enableACME = true;
+    locations = mkMerge [
+      {
+        "/flac" = {
+          proxyPass = "http://127.0.0.1:${toString ports.mpd-flac}";
+          inherit extraConfig;
+        };
+      }
+      (mkMerge (forEach ["low" "medium" "high"] (quality: {
+        "/opus-${quality}" = {
+          proxyPass = "http://127.0.0.1:${toString ports."mpd-opus-${quality}"}";
+          inherit extraConfig;
+        };
+      })))
+    ];
+  };
+
+  networking.firewall.allowedTCPPorts = with ports; [
+    mpd
+  ];
 }
--- a/hosts/hetzner-arm/secrets.nix
+++ b/hosts/hetzner-arm/secrets.nix
@ -1,4 +1,4 @@
-{...}: {
+{pkgs, ...}: {
  services.secrets = {
    enable = true;

@ -7,6 +7,10 @@
      loginUsername = "hetzner-arm";
    };

+    packages = with pkgs; [
+      apacheHttpd
+    ];
+
    requiredVaultPaths = [
      "private-public-keys/data/ssh/root@hetzner-arm"
      "private-public-keys/data/ssh/root@hetzner-arm-decrypt"
@ -17,6 +21,9 @@
      "api-keys/data/chaos_mail/gotosocial"

      "private-public-keys/data/restic/Forgejo"
+
+      "api-keys/data/mpd"
+      "api-keys/data/music-stream"
    ];

    secrets = {
@ -80,6 +87,24 @@
          simple_get "/private-public-keys/restic/Forgejo" .password > "$secretFile"
        '';
      };
+
+      mpd_control_password = {
+        user = "mpd";
+        group = "mpd";
+        fetchScript = ''
+          simple_get "/api-keys/mpd" .password > "$secretFile"
+        '';
+      };
+
+      music_stream_passwd = {
+        user = "nginx";
+        group = "nginx";
+        fetchScript = ''
+          username=$(simple_get "/api-keys/music-stream" .username)
+          password=$(simple_get "/api-keys/music-stream" .password)
+          htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null
+        '';
+      };
    };
  };
 }