From ca6c67a65e216677f8bc1e793cdaf7069c3a34f3 Mon Sep 17 00:00:00 2001
From: teidesu
Date: Sat, 9 Nov 2024 00:07:34 +0300
Subject: [PATCH] chore: cleanup + pds bump + tei.pet

---
 hosts/koi/containers/kanidm/note.md | 22 +++++++
 hosts/koi/containers/pds/default.nix | 2 +-
 hosts/koi/containers/teisu.nix | 11 ++++
 hosts/koi/services/coredns.nix | 14 ++--
 hosts/koi/services/nginx.nix | 10 ++++
 hosts/koi/services/terraria.nix | 84 ++++++++++++++++++++++++++-
 secrets/authentik-env.age | Bin 561 -> 0 bytes
 7 files changed, 133 insertions(+), 10 deletions(-)
 create mode 100644 hosts/koi/containers/kanidm/note.md
 delete mode 100644 secrets/authentik-env.age

diff --git a/hosts/koi/containers/kanidm/note.md b/hosts/koi/containers/kanidm/note.md
new file mode 100644
index 0000000..6fc45eb
--- /dev/null
+++ b/hosts/koi/containers/kanidm/note.md
@@ -0,0 +1,22 @@
+notes for self:
+
+## creating an oauth2 app:
+
+```bash
+kanidm system oauth2 create myapp myapp_display_name https://url.to.app
+kanidm system oauth2 warning-insecure-client-disable-pkce myapp # optional, for oauth2-proxy
+kanidm system oauth2 prefer-short-username myapp # optional
+kanidm system oauth2 show-basic-secret myapp
+kanidm system oauth2 add-redirect-url myapp https://url.to.app/oauth2/callback # the default path for oauth2-proxy
+
+# adding users to the app
+kanidm group create myapp_users
+kanidm group add-members myapp_users teidesu
+kanidm system oauth2 update-scope-map myapp myapp_users email openid profile
+```
+
+## oauth2 proxy env:
+```bash
+OAUTH2_PROXY_COOKIE_SECRET=...
+OAUTH2_PROXY_CLIENT_SECRET=...
+```
\ No newline at end of file
diff --git a/hosts/koi/containers/pds/default.nix b/hosts/koi/containers/pds/default.nix
index 118a0df..a6074c4 100644
--- a/hosts/koi/containers/pds/default.nix
+++ b/hosts/koi/containers/pds/default.nix
@@ -20,7 +20,7 @@ in { }; virtualisation.oci-containers.containers.bluesky-pds = { - image = "ghcr.io/bluesky-social/pds:sha-94a80820872510e65cb8e62e5a78aa6a8d9ad6c9"; + image = "ghcr.io/bluesky-social/pds:sha-b595125a28368fa52d12d3b6ca265c1bea06977f"; volumes = [ "/srv/bluesky-pds/data:/pds" "/mnt/puffer/bluesky-pds:/blobstore" diff --git a/hosts/koi/containers/teisu.nix b/hosts/koi/containers/teisu.nix index 9deba5c..8208e30 100644 --- a/hosts/koi/containers/teisu.nix +++ b/hosts/koi/containers/teisu.nix @@ -71,4 +71,15 @@ in { locations."/keys@ssh" = serveWithTextPlain; locations."/keys@git" = serveWithTextPlain; }; + + services.nginx.virtualHosts."tei.pet" = { + forceSSL = true; + useACMEHost = "tei.pet"; + + locations."/" = { + extraConfig = '' + return 301 https://tei.su$request_uri; + ''; + }; + }; } \ No newline at end of file diff --git a/hosts/koi/services/coredns.nix b/hosts/koi/services/coredns.nix index 02aeda9..58dd3eb 100644 --- a/hosts/koi/services/coredns.nix +++ b/hosts/koi/services/coredns.nix @@ -31,14 +31,14 @@ in services.coredns = { enable = true; config = '' - (local_only) { - acl { - allow net 127.0.0.0/8 # localhost - allow net 172.16.0.0/12 # docker - allow net 10.42.0.0/24 # nixos containers - block - } + (local_only) { + acl { + allow net 127.0.0.0/8 # localhost + allow net 172.16.0.0/12 # docker + allow net 10.42.0.0/24 # nixos containers + block } + } .:53 { cache diff --git a/hosts/koi/services/nginx.nix b/hosts/koi/services/nginx.nix index 22c0315..e03ae3d 100644 --- a/hosts/koi/services/nginx.nix +++ b/hosts/koi/services/nginx.nix 
@@ -92,6 +92,16 @@ in { "CLOUDFLARE_API_KEY_FILE" = config.age.secrets.cloudflare-token.path; }; }; + security.acme.certs."tei.pet" = { + email = "alina@tei.su"; + group = "nginx"; + dnsProvider = "cloudflare"; + extraDomainNames = [ "*.tei.pet" ]; + credentialFiles = { + "CLOUDFLARE_EMAIL_FILE" = config.age.secrets.cloudflare-email.path; + "CLOUDFLARE_API_KEY_FILE" = config.age.secrets.cloudflare-token.path; + }; + }; networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/hosts/koi/services/terraria.nix b/hosts/koi/services/terraria.nix index db7b232..4bd95f3 100644 --- a/hosts/koi/services/terraria.nix +++ b/hosts/koi/services/terraria.nix @@ -1,5 +1,6 @@ -{ - services.terraria = { +{ config, lib, pkgs, ... }: +let + cfg = { enable = true; maxPlayers = 10; port = 7777; 
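Review bot: The new `security.acme.certs."tei.pet"` block repeats the Cloudflare DNS-01 wiring (`email`, `group`, `dnsProvider`, both `credentialFiles` entries) of the tei.su certificate whose last line is the hunk's context, so a later change to one of them — swapping `cloudflare-token` for a scoped token, say — can silently be applied to one cert and not the other. Since the hunk header shows the file already has a `let … in {`, a helper such as `mkCloudflareCert = domain: { email = "alina@tei.su"; group = "nginx"; dnsProvider = "cloudflare"; extraDomainNames = [ "*.${domain}" ]; credentialFiles = { … }; };` defined there would reduce each cert to `security.acme.certs."tei.pet" = mkCloudflareCert "tei.pet";`. Only the final credential line of the tei.su block is visible, so whether its other fields match exactly is an assumption to confirm before folding it into the same helper. A one-line comment on the block noting that the wildcard `*.tei.pet` is what requires the DNS-01 provider would also help the next reader.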
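Review bot: `enable = true;` in the new `cfg` set is not read anywhere visible: the commit replaces the `services.terraria` module with a hand-rolled unit, and the rest of the new file (second hunk) only consults `cfg.port`, `cfg.openFirewall`, `cfg.dataDir` and the flag-related fields, never `cfg.enable` (new line 7 is not in either hunk, so this is inferred from what is shown). Either drop the field or make it meaningful, e.g. `systemd.services.terraria = lib.mkIf cfg.enable { … }` alongside the `lib.mkIf cfg.openFirewall` already used for the firewall. The `cfg` set continues into the next hunk.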
@@ -7,5 +8,84 @@
 noUPnP = true;
 openFirewall = true;
 worldPath = "/srv/terraria/world.wld";
+ dataDir = "/var/lib/terraria";
+ password = null;
+ banListPath = null;
+ secure = false;
+ autoCreatedWorldSize = "medium";
+ };
+
+ worldSizeMap = { small = 1; medium = 2; large = 3; };
+ valFlag = name: val: lib.optionalString (val != null) "-${name} \"${lib.escape ["\\" "\""] (toString val)}\"";
+ boolFlag = name: val: lib.optionalString val "-${name}";
+ flags = [
+ (valFlag "port" cfg.port)
+ (valFlag "maxPlayers" cfg.maxPlayers)
+ (valFlag "password" cfg.password)
+ (valFlag "motd" cfg.messageOfTheDay)
+ (valFlag "world" cfg.worldPath)
+ (valFlag "autocreate" (builtins.getAttr cfg.autoCreatedWorldSize worldSizeMap))
+ (valFlag "banlist" cfg.banListPath)
+ (boolFlag "secure" cfg.secure)
+ (boolFlag "noupnp" cfg.noUPnP)
+ ];
+
+ tmuxCmd = "${lib.getExe pkgs.tmux} -S ${lib.escapeShellArg cfg.dataDir}/terraria.sock";
+
+ stopScript = pkgs.writeShellScript "terraria-stop" ''
+ if ! [ -d "/proc/$1" ]; then
+ exit 0
+ fi
+
+ log=$(${tmuxCmd} capture-pane -p)
+ echo "$log" > /tmp/terraria-stop.log
+ lastline=$(echo "$log" | grep . | tail -n1)
+
+ # If the service is not configured to auto-start a world, it will show the world selection prompt
+ # If the last non-empty line on-screen starts with "Choose World", we know the prompt is open
+ if [[ "$lastline" =~ ^'Choose World' ]]; then
+ # In this case, nothing needs to be saved, so we can kill the process
+ ${tmuxCmd} kill-session
+ else
+ # Otherwise, we send the `exit` command
+ ${tmuxCmd} send-keys Enter exit Enter
+ fi
+
+ # Wait for the process to stop
+ tail --pid="$1" -f /dev/null
+ '';
+in
+{
+ users.users.terraria = {
+ description = "Terraria server service user";
+ group = "terraria";
+ home = cfg.dataDir;
+ createHome = true;
+ uid = config.ids.uids.terraria;
+ };
+
+ users.groups.terraria = {
+ gid = config.ids.gids.terraria;
+ };
+
+ systemd.services.terraria = {
+ description = "Terraria Server Service";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ serviceConfig = {
+ User = "root";
+ Group = "root";
+ # Type = "forking";
+ GuessMainPID = true;
+ # UMask = 007;
+ ExecStart = "${pkgs.terraria-server}/bin/TerrariaServer ${lib.concatStringsSep " " flags}";
+ ExecStop = "kill -SIGINT $MAINPID";
+ };
+ };
+
+ networking.firewall = lib.mkIf cfg.openFirewall {
+ allowedTCPPorts = [ cfg.port ];
+ allowedUDPPorts = [ cfg.port ];
 };
 }
\ No newline at end of file
diff --git a/secrets/authentik-env.age b/secrets/authentik-env.age
deleted file mode 100644
index e2ca917e1f8d9e3c65b14494cd99b29b2b4c9fe5..0000000000000000000000000000000000000000
GIT binary patch
literal 0 HcmV?d00001 literal 561 zcmV-10?z$mXJsvAZewzJaCB*JZZ2( zb9!tqIC@W4D{3$~Yer}^Yj;mcYcEDxIdFGvYEV*3bxJZ%Vr*+KM{5dJR%>Hpd3R+r zYvcM1GxmGY%1*eW8)2 z?()PDb>;yCD(n1+WxxE3{w&8#+_u!uEU0M`h2m9wT22mBhte?{e%qE}$Z!U^5Am?3 zhB$BBLmbdve zt3fgJk0pgEi*OGV7=loPuC=cE&VXpw{iJCc1Y!sngZ${=PxXoj5k@RaShqT8Rn9Jn zF&{z%G9%Nh_UkYO-h;
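Review bot: `serviceConfig` sets `User = "root"; Group = "root";` even though the same hunk creates a dedicated `terraria` user and group (`config.ids.uids.terraria`, home `cfg.dataDir`, `createHome = true`), so the network-facing server listening on `cfg.port` (which `openFirewall` exposes) runs as root; `User = "terraria"; Group = "terraria";` is what the rest of the hunk is evidently set up for. `stopScript` and `tmuxCmd` are never referenced — `ExecStop = "kill -SIGINT $MAINPID"` is used instead — and since `ExecStart` launches `TerrariaServer` directly rather than inside a tmux session, the script's `capture-pane`/`send-keys` calls would have no session to talk to even if it were wired in, so either remove the script or start the server through `${tmuxCmd} new-session -d …` and set `ExecStop = "${stopScript} $MAINPID"`. If it is kept, the debug line `echo "$log" > /tmp/terraria-stop.log` writes as root to a fixed path in a world-writable directory and should be dropped or pointed at a `RuntimeDirectory`. Whether SIGINT makes the server save the world before exiting is not established by anything here, and the script's own comment says the graceful path sends `exit`, so a comment on `ExecStop` stating why SIGINT is considered sufficient would help. Note also that `valFlag "password" cfg.password` would place the password on the `ExecStart` command line (readable from the process list) if it is ever set to a non-null value; a comment on that field is warranted.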