chore: cleanup + pds bump + tei.pet

alina 🌸 2024-11-09 00:07:34 +03:00
parent a259e63be9
commit ca6c67a65e
Signed by: teidesu
SSH key fingerprint: SHA256:uNeCpw6aTSU4aIObXLvHfLkDa82HWH9EiOj9AXOIRpI
7 changed files with 133 additions and 10 deletions


@ -0,0 +1,22 @@
notes for self:
## creating an oauth2 app:
```bash
kanidm system oauth2 create myapp myapp_display_name https://url.to.app
kanidm system oauth2 warning-insecure-client-disable-pkce myapp # optional, for oauth2-proxy
kanidm system oauth2 prefer-short-username myapp # optional
kanidm system oauth2 show-basic-secret myapp
kanidm system oauth2 add-redirect-url myapp https://url.to.app/oauth2/callback # the default path for oauth2-proxy
# adding users to the app
kanidm group create myapp_users
kanidm group add-members myapp_users teidesu
kanidm system oauth2 update-scope-map myapp myapp_users email openid profile
```
## oauth2 proxy env:
```bash
OAUTH2_PROXY_COOKIE_SECRET=...
OAUTH2_PROXY_CLIENT_SECRET=...
```


@ -20,7 +20,7 @@ in {
}; };
virtualisation.oci-containers.containers.bluesky-pds = { virtualisation.oci-containers.containers.bluesky-pds = {
image = "ghcr.io/bluesky-social/pds:sha-94a80820872510e65cb8e62e5a78aa6a8d9ad6c9"; image = "ghcr.io/bluesky-social/pds:sha-b595125a28368fa52d12d3b6ca265c1bea06977f";
volumes = [ volumes = [
"/srv/bluesky-pds/data:/pds" "/srv/bluesky-pds/data:/pds"
"/mnt/puffer/bluesky-pds:/blobstore" "/mnt/puffer/bluesky-pds:/blobstore"


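--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -71,4 +71,15 @@ in {
 locations."/keys@ssh" = serveWithTextPlain;
 locations."/keys@git" = serveWithTextPlain;
 };
+services.nginx.virtualHosts."tei.pet" = {
+forceSSL = true;
+useACMEHost = "tei.pet";
+locations."/" = {
+extraConfig = ''
+return 301 https://tei.su$request_uri;
+'';
+};
+};
 }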
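Review bot: The new `tei.pet` vhost carries no comment saying why it exists, and a reader of this nginx module cannot tell from the block alone that `tei.pet` is only an alias that forwards everything to `tei.su`; a one-liner above the `services.nginx.virtualHosts."tei.pet"` line such as `# tei.pet is an alias domain: serve nothing but a permanent redirect to tei.su` would make that clear. The block also depends on a `tei.pet` entry existing under `security.acme.certs` (via `useACMEHost`), so naming that dependency in the same comment would help whoever later edits one file without the other. The enclosing `in {` attrset starts outside the hunk.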


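--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -92,6 +92,16 @@ in {
 "CLOUDFLARE_API_KEY_FILE" = config.age.secrets.cloudflare-token.path;
 };
 };
+security.acme.certs."tei.pet" = {
+email = "alina@tei.su";
+group = "nginx";
+dnsProvider = "cloudflare";
+extraDomainNames = [ "*.tei.pet" ];
+credentialFiles = {
+"CLOUDFLARE_EMAIL_FILE" = config.age.secrets.cloudflare-email.path;
+"CLOUDFLARE_API_KEY_FILE" = config.age.secrets.cloudflare-token.path;
+};
+};
 networking.firewall.allowedTCPPorts = [ 80 443 ];
 }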
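Review bot: `extraDomainNames = [ "*.tei.pet" ]` requests a wildcard certificate, but nothing in this commit uses a `tei.pet` subdomain; the only consumer visible is the apex redirect vhost, so if no subdomains are planned the wildcard can be dropped to keep the certificate's scope, and the impact of a leaked key, as small as possible. If the wildcard is intended, a short comment naming what it is for (`# wildcard for future *.tei.pet hosts`) would save the next reader the same question. The block also appears to duplicate the preceding cert entry (the visible `CLOUDFLARE_API_KEY_FILE` line is identical, and `email`/`group`/`dnsProvider` presumably match); a small helper in the module's `let` section that takes the domain and returns the shared settings would keep the two from drifting apart. The enclosing `in {` attrset starts outside the hunk.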


@ -1,5 +1,6 @@
{ { config, lib, pkgs, ... }:
services.terraria = { let
cfg = {
enable = true; enable = true;
maxPlayers = 10; maxPlayers = 10;
port = 7777; port = 7777;
@ -7,5 +8,84 @@
noUPnP = true; noUPnP = true;
openFirewall = true; openFirewall = true;
worldPath = "/srv/terraria/world.wld"; worldPath = "/srv/terraria/world.wld";
dataDir = "/var/lib/terraria";
password = null;
banListPath = null;
secure = false;
autoCreatedWorldSize = "medium";
};
worldSizeMap = { small = 1; medium = 2; large = 3; };
valFlag = name: val: lib.optionalString (val != null) "-${name} \"${lib.escape ["\\" "\""] (toString val)}\"";
boolFlag = name: val: lib.optionalString val "-${name}";
flags = [
(valFlag "port" cfg.port)
(valFlag "maxPlayers" cfg.maxPlayers)
(valFlag "password" cfg.password)
(valFlag "motd" cfg.messageOfTheDay)
(valFlag "world" cfg.worldPath)
(valFlag "autocreate" (builtins.getAttr cfg.autoCreatedWorldSize worldSizeMap))
(valFlag "banlist" cfg.banListPath)
(boolFlag "secure" cfg.secure)
(boolFlag "noupnp" cfg.noUPnP)
];
tmuxCmd = "${lib.getExe pkgs.tmux} -S ${lib.escapeShellArg cfg.dataDir}/terraria.sock";
stopScript = pkgs.writeShellScript "terraria-stop" ''
if ! [ -d "/proc/$1" ]; then
exit 0
fi
log=$(${tmuxCmd} capture-pane -p)
echo "$log" > /tmp/terraria-stop.log
lastline=$(echo "$log" | grep . | tail -n1)
# If the service is not configured to auto-start a world, it will show the world selection prompt
# If the last non-empty line on-screen starts with "Choose World", we know the prompt is open
if [[ "$lastline" =~ ^'Choose World' ]]; then
# In this case, nothing needs to be saved, so we can kill the process
${tmuxCmd} kill-session
else
# Otherwise, we send the `exit` command
${tmuxCmd} send-keys Enter exit Enter
fi
# Wait for the process to stop
tail --pid="$1" -f /dev/null
'';
in
{
users.users.terraria = {
description = "Terraria server service user";
group = "terraria";
home = cfg.dataDir;
createHome = true;
uid = config.ids.uids.terraria;
};
users.groups.terraria = {
gid = config.ids.gids.terraria;
};
systemd.services.terraria = {
description = "Terraria Server Service";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
User = "root";
Group = "root";
# Type = "forking";
GuessMainPID = true;
# UMask = 007;
ExecStart = "${pkgs.terraria-server}/bin/TerrariaServer ${lib.concatStringsSep " " flags}";
ExecStop = "kill -SIGINT $MAINPID";
};
};
networking.firewall = lib.mkIf cfg.openFirewall {
allowedTCPPorts = [ cfg.port ];
allowedUDPPorts = [ cfg.port ];
}; };
} }
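Review bot: The service runs as root (`User = "root"; Group = "root";` in `serviceConfig`) even though the same hunk creates a dedicated `terraria` user and group just above it, so the new user is never used and the game server keeps full privileges; changing these to `User = "terraria"; Group = "terraria";` (and restoring the commented-out `UMask`) gives the unit the least privilege the rest of the block was clearly written for. `stopScript` and `tmuxCmd` are defined but never referenced: `ExecStart` launches `TerrariaServer` directly rather than under tmux and `ExecStop` is `kill -SIGINT $MAINPID`, so either wire the script in as `ExecStop` (in which case the unused tmux socket and the fixed `/tmp/terraria-stop.log` path written as root deserve a second look) or delete the dead code. `cfg.messageOfTheDay` is read at `(valFlag "motd" cfg.messageOfTheDay)` but no such attribute is visible in `cfg`; if it is not set on the one `cfg` line that falls between the two hunks, evaluation fails with a missing-attribute error. The `let` and the `cfg` attrset begin in the first hunk, and one line of `cfg` between the hunks is not shown.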

Binary file not shown.