chore(syncplay): move to hakurei

2026-02-09 12:29:19 -08:00 · 2024-06-23 15:49:17 -07:00 · 2024-06-23 15:49:17 -07:00 · 47d830eaed
commit 47d830eaed
parent ed909897b3
8 changed files with 151 additions and 37 deletions
--- a/modules/nixos/syncplay.nix
+++ b/modules/nixos/syncplay.nix
@ -0,0 +1,81 @@
+{
+  pkgs,
+  config,
+  gensokyo-zone,
+  lib,
+  ...
+}: let
+  inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
+  inherit (lib.options) mkOption;
+  inherit (lib.modules) mkIf mkMerge;
+  cfg = config.services.syncplay;
+  acme = config.security.acme.certs.${cfg.useACMECert};
+  acmeDir = acme.directory;
+in {
+  options.services.syncplay = with lib.types; {
+    openFirewall = mkOption {
+      type = bool;
+      default = false;
+    };
+    useACMECert = mkOption {
+      type = nullOr str;
+      default = null;
+    };
+  };
+
+  config.services.syncplay = {
+    certDir = let
+      certDir = pkgs.linkFarm "syncplay-certs" [
+        {
+          name = "privkey.pem";
+          path = "${acmeDir}/key.pem";
+        }
+        rec {
+          name = "cert.pem";
+          path = "${acmeDir}/${name}";
+        }
+        rec {
+          name = "chain.pem";
+          path = "${acmeDir}/${name}";
+        }
+      ];
+    in
+      mkIf (cfg.useACMECert != null) (mkAlmostOptionDefault certDir);
+  };
+
+  config.users = mkIf cfg.enable {
+    users.syncplay = mkIf (cfg.user == "syncplay") {
+      group = mkAlmostOptionDefault cfg.group;
+      isSystemUser = true;
+      home = mkAlmostOptionDefault "/var/lib/syncplay";
+    };
+    groups.syncplay =
+      mkIf (cfg.group == "syncplay") {
+      };
+  };
+
+  config.networking.firewall = mkIf cfg.enable {
+    allowedTCPPorts = mkIf cfg.openFirewall [cfg.port];
+  };
+
+  config.systemd.services.syncplay = mkIf cfg.enable {
+    wants = mkIf (cfg.useACMECert != null) ["acme-finished-${cfg.useACMECert}.target"];
+    after = mkIf (cfg.useACMECert != null) ["acme-${cfg.useACMECert}.service"];
+    confinement = {
+      enable = mkAlmostOptionDefault true;
+      packages = config.systemd.services.syncplay.path;
+    };
+    path = mkIf (cfg.passwordFile != null || cfg.saltFile != null) [pkgs.coreutils];
+    serviceConfig = {
+      StateDirectory = mkAlmostOptionDefault "syncplay";
+      BindReadOnlyPaths = mkMerge [
+        (mkIf (cfg.useACMECert != null) [
+          "${acmeDir}"
+        ])
+        (mkIf (cfg.certDir != null) [
+          "${cfg.certDir}"
+        ])
+      ];
+    };
+  };
+}
--- a/modules/system/exports/syncplay.nix
+++ b/modules/system/exports/syncplay.nix
@ -0,0 +1,25 @@
+{
+  lib,
+  gensokyo-zone,
+  ...
+}: let
+  inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
+  inherit (lib.modules) mkIf;
+in {
+  config.exports.services.syncplay = {config, ...}: {
+    displayName = mkAlmostOptionDefault "Syncplay";
+    nixos = {
+      serviceAttr = "syncplay";
+      assertions = mkIf config.enable [
+        (nixosConfig: {
+          assertion = config.ports.default.port == nixosConfig.services.syncplay.port;
+          message = "port mismatch";
+        })
+      ];
+    };
+    ports.default = {
+      port = mkAlmostOptionDefault 8999;
+      protocol = "tcp";
+    };
+  };
+}