chore: cleanup + pds bump + tei.pet

2024-11-09 00:07:34 +03:00 · 2024-11-09 00:07:34 +03:00 · ca6c67a65e
commit ca6c67a65e
parent a259e63be9
7 changed files with 133 additions and 10 deletions
--- a/hosts/koi/containers/kanidm/note.md
+++ b/hosts/koi/containers/kanidm/note.md
@ -0,0 +1,22 @@
+notes for self:
+
+## creating an oauth2 app:
+
+```bash
+kanidm system oauth2 create myapp myapp_display_name https://url.to.app
+kanidm system oauth2 warning-insecure-client-disable-pkce myapp # optional, for oauth2-proxy
+kanidm system oauth2 prefer-short-username myapp # optional
+kanidm system oauth2 show-basic-secret myapp
+kanidm system oauth2 add-redirect-url myapp https://url.to.app/oauth2/callback # the default path for oauth2-proxy
+
+# adding users to the app
+kanidm group create myapp_users
+kanidm group add-members myapp_users teidesu
+kanidm system oauth2 update-scope-map myapp myapp_users email openid profile
+```
+
+## oauth2 proxy env:
+```bash
+OAUTH2_PROXY_COOKIE_SECRET=...
+OAUTH2_PROXY_CLIENT_SECRET=...
+```
--- a/hosts/koi/containers/pds/default.nix
+++ b/hosts/koi/containers/pds/default.nix
@ -20,7 +20,7 @@ in {
  };

  virtualisation.oci-containers.containers.bluesky-pds = {
-    image = "ghcr.io/bluesky-social/pds:sha-94a80820872510e65cb8e62e5a78aa6a8d9ad6c9";
+    image = "ghcr.io/bluesky-social/pds:sha-b595125a28368fa52d12d3b6ca265c1bea06977f";
    volumes = [
      "/srv/bluesky-pds/data:/pds"
      "/mnt/puffer/bluesky-pds:/blobstore"
--- a/hosts/koi/containers/teisu.nix
+++ b/hosts/koi/containers/teisu.nix
@ -71,4 +71,15 @@ in {
    locations."/keys@ssh" = serveWithTextPlain;
    locations."/keys@git" = serveWithTextPlain;
  };
+
+  services.nginx.virtualHosts."tei.pet" = {
+    forceSSL = true;
+    useACMEHost = "tei.pet";
+
+    locations."/" = {
+      extraConfig = ''
+        return 301 https://tei.su$request_uri;
+      '';
+    };
+  };
 }
--- a/hosts/koi/services/nginx.nix
+++ b/hosts/koi/services/nginx.nix
@ -92,6 +92,16 @@ in {
      "CLOUDFLARE_API_KEY_FILE" = config.age.secrets.cloudflare-token.path;
    };
  };
+  security.acme.certs."tei.pet" = {
+    email = "alina@tei.su";
+    group = "nginx";
+    dnsProvider = "cloudflare";
+    extraDomainNames = [ "*.tei.pet" ];
+    credentialFiles = {
+      "CLOUDFLARE_EMAIL_FILE" = config.age.secrets.cloudflare-email.path;
+      "CLOUDFLARE_API_KEY_FILE" = config.age.secrets.cloudflare-token.path;
+    };
+  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
--- a/hosts/koi/services/terraria.nix
+++ b/hosts/koi/services/terraria.nix
@ -1,5 +1,6 @@
-{
-  services.terraria = {
+{ config, lib, pkgs, ... }:
+let
+  cfg = {
    enable = true;
    maxPlayers = 10;
    port = 7777;
@ -7,5 +8,84 @@
    noUPnP = true;
    openFirewall = true;
    worldPath = "/srv/terraria/world.wld";
+    dataDir = "/var/lib/terraria";
+    password = null;
+    banListPath = null;
+    secure = false;
+    autoCreatedWorldSize = "medium";
+  };
+
+  worldSizeMap = { small = 1; medium = 2; large = 3; };
+  valFlag = name: val: lib.optionalString (val != null) "-${name} \"${lib.escape ["\\" "\""] (toString val)}\"";
+  boolFlag = name: val: lib.optionalString val "-${name}";
+  flags = [
+    (valFlag "port" cfg.port)
+    (valFlag "maxPlayers" cfg.maxPlayers)
+    (valFlag "password" cfg.password)
+    (valFlag "motd" cfg.messageOfTheDay)
+    (valFlag "world" cfg.worldPath)
+    (valFlag "autocreate" (builtins.getAttr cfg.autoCreatedWorldSize worldSizeMap))
+    (valFlag "banlist" cfg.banListPath)
+    (boolFlag "secure" cfg.secure)
+    (boolFlag "noupnp" cfg.noUPnP)
+  ];
+
+  tmuxCmd = "${lib.getExe pkgs.tmux} -S ${lib.escapeShellArg cfg.dataDir}/terraria.sock";
+
+  stopScript = pkgs.writeShellScript "terraria-stop" ''
+    if ! [ -d "/proc/$1" ]; then
+      exit 0
+    fi
+    
+    log=$(${tmuxCmd} capture-pane -p)
+    echo "$log" > /tmp/terraria-stop.log
+    lastline=$(echo "$log" | grep . | tail -n1)
+
+    # If the service is not configured to auto-start a world, it will show the world selection prompt
+    # If the last non-empty line on-screen starts with "Choose World", we know the prompt is open
+    if [[ "$lastline" =~ ^'Choose World' ]]; then
+      # In this case, nothing needs to be saved, so we can kill the process
+      ${tmuxCmd} kill-session
+    else
+      # Otherwise, we send the `exit` command
+      ${tmuxCmd} send-keys Enter exit Enter
+    fi
+
+    # Wait for the process to stop
+    tail --pid="$1" -f /dev/null
+  '';
+in
+{
+  users.users.terraria = {
+    description = "Terraria server service user";
+    group       = "terraria";
+    home        = cfg.dataDir;
+    createHome  = true;
+    uid         = config.ids.uids.terraria;
+  };
+
+  users.groups.terraria = {
+    gid = config.ids.gids.terraria;
+  };
+
+  systemd.services.terraria = {
+    description   = "Terraria Server Service";
+    wantedBy      = [ "multi-user.target" ];
+    after         = [ "network.target" ];
+
+    serviceConfig = {
+      User    = "root";
+      Group = "root";
+      # Type = "forking";
+      GuessMainPID = true;
+      # UMask = 007;
+      ExecStart = "${pkgs.terraria-server}/bin/TerrariaServer ${lib.concatStringsSep " " flags}";
+      ExecStop = "kill -SIGINT $MAINPID";
+    };
+  };
+
+  networking.firewall = lib.mkIf cfg.openFirewall {
+    allowedTCPPorts = [ cfg.port ];
+    allowedUDPPorts = [ cfg.port ];
  };
 }
--- a/secrets/authentik-env.age
+++ b/secrets/authentik-env.age