chore: cleanup + pds bump + tei.pet

hosts/koi/containers/kanidm/note.md

@@ -0,0 +1,22 @@
+notes for self:
+
+## creating an oauth2 app:
+
+```bash
+kanidm system oauth2 create myapp myapp_display_name https://url.to.app
+kanidm system oauth2 warning-insecure-client-disable-pkce myapp # optional, for oauth2-proxy
+kanidm system oauth2 prefer-short-username myapp # optional
+kanidm system oauth2 show-basic-secret myapp
+kanidm system oauth2 add-redirect-url myapp https://url.to.app/oauth2/callback # the default path for oauth2-proxy
+
+# adding users to the app
+kanidm group create myapp_users
+kanidm group add-members myapp_users teidesu
+kanidm system oauth2 update-scope-map myapp myapp_users email openid profile
+```
+
+## oauth2 proxy env:
+```bash
+OAUTH2_PROXY_COOKIE_SECRET=...
+OAUTH2_PROXY_CLIENT_SECRET=...
+```

hosts/koi/containers/pds/default.nix

@@ -20,7 +20,7 @@ in {
   };
 
   virtualisation.oci-containers.containers.bluesky-pds = {
-    image = "ghcr.io/bluesky-social/pds:sha-94a80820872510e65cb8e62e5a78aa6a8d9ad6c9";
+    image = "ghcr.io/bluesky-social/pds:sha-b595125a28368fa52d12d3b6ca265c1bea06977f";
     volumes = [
       "/srv/bluesky-pds/data:/pds"
       "/mnt/puffer/bluesky-pds:/blobstore"

hosts/koi/containers/teisu.nix

@@ -71,4 +71,15 @@ in {
     locations."/keys@ssh" = serveWithTextPlain;
     locations."/keys@git" = serveWithTextPlain;
   };
+
+  services.nginx.virtualHosts."tei.pet" = {
+    forceSSL = true;
+    useACMEHost = "tei.pet";
+
+    locations."/" = {
+      extraConfig = ''
+        return 301 https://tei.su$request_uri;
+      '';
+    };
+  };
 }

hosts/koi/services/coredns.nix

@@ -31,14 +31,14 @@ in
   services.coredns = {
     enable = true;
     config = ''
-        (local_only) {
+      (local_only) {
-          acl {
+        acl {
-            allow net 127.0.0.0/8 # localhost
+          allow net 127.0.0.0/8 # localhost
-            allow net 172.16.0.0/12 # docker
+          allow net 172.16.0.0/12 # docker
-            allow net 10.42.0.0/24 # nixos containers
+          allow net 10.42.0.0/24 # nixos containers
-            block
+          block
-          }
         }
+      }
 
       .:53 {
         cache

hosts/koi/services/nginx.nix

@@ -92,6 +92,16 @@ in {
       "CLOUDFLARE_API_KEY_FILE" = config.age.secrets.cloudflare-token.path;
     };
   };
+  security.acme.certs."tei.pet" = {
+    email = "alina@tei.su";
+    group = "nginx";
+    dnsProvider = "cloudflare";
+    extraDomainNames = [ "*.tei.pet" ];
+    credentialFiles = {
+      "CLOUDFLARE_EMAIL_FILE" = config.age.secrets.cloudflare-email.path;
+      "CLOUDFLARE_API_KEY_FILE" = config.age.secrets.cloudflare-token.path;
+    };
+  };
 
   networking.firewall.allowedTCPPorts = [ 80 443 ];
 }

hosts/koi/services/terraria.nix

@@ -1,5 +1,6 @@
-{
+{ config, lib, pkgs, ... }:
-  services.terraria = {
+let
+  cfg = {
     enable = true;
     maxPlayers = 10;
     port = 7777;
@@ -7,5 +8,84 @@
     noUPnP = true;
     openFirewall = true;
     worldPath = "/srv/terraria/world.wld";
+    dataDir = "/var/lib/terraria";
+    password = null;
+    banListPath = null;
+    secure = false;
+    autoCreatedWorldSize = "medium";
+  };
+
+  worldSizeMap = { small = 1; medium = 2; large = 3; };
+  valFlag = name: val: lib.optionalString (val != null) "-${name} \"${lib.escape ["\\" "\""] (toString val)}\"";
+  boolFlag = name: val: lib.optionalString val "-${name}";
+  flags = [
+    (valFlag "port" cfg.port)
+    (valFlag "maxPlayers" cfg.maxPlayers)
+    (valFlag "password" cfg.password)
+    (valFlag "motd" cfg.messageOfTheDay)
+    (valFlag "world" cfg.worldPath)
+    (valFlag "autocreate" (builtins.getAttr cfg.autoCreatedWorldSize worldSizeMap))
+    (valFlag "banlist" cfg.banListPath)
+    (boolFlag "secure" cfg.secure)
+    (boolFlag "noupnp" cfg.noUPnP)
+  ];
+
+  tmuxCmd = "${lib.getExe pkgs.tmux} -S ${lib.escapeShellArg cfg.dataDir}/terraria.sock";
+
+  stopScript = pkgs.writeShellScript "terraria-stop" ''
+    if ! [ -d "/proc/$1" ]; then
+      exit 0
+    fi
+    
+    log=$(${tmuxCmd} capture-pane -p)
+    echo "$log" > /tmp/terraria-stop.log
+    lastline=$(echo "$log" | grep . | tail -n1)
+
+    # If the service is not configured to auto-start a world, it will show the world selection prompt
+    # If the last non-empty line on-screen starts with "Choose World", we know the prompt is open
+    if [[ "$lastline" =~ ^'Choose World' ]]; then
+      # In this case, nothing needs to be saved, so we can kill the process
+      ${tmuxCmd} kill-session
+    else
+      # Otherwise, we send the `exit` command
+      ${tmuxCmd} send-keys Enter exit Enter
+    fi
+
+    # Wait for the process to stop
+    tail --pid="$1" -f /dev/null
+  '';
+in
+{
+  users.users.terraria = {
+    description = "Terraria server service user";
+    group       = "terraria";
+    home        = cfg.dataDir;
+    createHome  = true;
+    uid         = config.ids.uids.terraria;
+  };
+
+  users.groups.terraria = {
+    gid = config.ids.gids.terraria;
+  };
+
+  systemd.services.terraria = {
+    description   = "Terraria Server Service";
+    wantedBy      = [ "multi-user.target" ];
+    after         = [ "network.target" ];
+
+    serviceConfig = {
+      User    = "root";
+      Group = "root";
+      # Type = "forking";
+      GuessMainPID = true;
+      # UMask = 007;
+      ExecStart = "${pkgs.terraria-server}/bin/TerrariaServer ${lib.concatStringsSep " " flags}";
+      ExecStop = "kill -SIGINT $MAINPID";
+    };
+  };
+
+  networking.firewall = lib.mkIf cfg.openFirewall {
+    allowedTCPPorts = [ cfg.port ];
+    allowedUDPPorts = [ cfg.port ];
   };
 }