chore(syncplay): move to hakurei

arcnmx 2024-06-23 15:49:17 -07:00
parent ed909897b3
commit 47d830eaed
8 changed files with 151 additions and 37 deletions


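--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,81 @@
+{
+pkgs,
+config,
+gensokyo-zone,
+lib,
+...
+}: let
+inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
+inherit (lib.options) mkOption;
+inherit (lib.modules) mkIf mkMerge;
+cfg = config.services.syncplay;
+acme = config.security.acme.certs.${cfg.useACMECert};
+acmeDir = acme.directory;
+in {
+options.services.syncplay = with lib.types; {
+openFirewall = mkOption {
+type = bool;
+default = false;
+};
+useACMECert = mkOption {
+type = nullOr str;
+default = null;
+};
+};
+config.services.syncplay = {
+certDir = let
+certDir = pkgs.linkFarm "syncplay-certs" [
+{
+name = "privkey.pem";
+path = "${acmeDir}/key.pem";
+}
+rec {
+name = "cert.pem";
+path = "${acmeDir}/${name}";
+}
+rec {
+name = "chain.pem";
+path = "${acmeDir}/${name}";
+}
+];
+in
+mkIf (cfg.useACMECert != null) (mkAlmostOptionDefault certDir);
+};
+config.users = mkIf cfg.enable {
+users.syncplay = mkIf (cfg.user == "syncplay") {
+group = mkAlmostOptionDefault cfg.group;
+isSystemUser = true;
+home = mkAlmostOptionDefault "/var/lib/syncplay";
+};
+groups.syncplay =
+mkIf (cfg.group == "syncplay") {
+};
+};
+config.networking.firewall = mkIf cfg.enable {
+allowedTCPPorts = mkIf cfg.openFirewall [cfg.port];
+};
+config.systemd.services.syncplay = mkIf cfg.enable {
+wants = mkIf (cfg.useACMECert != null) ["acme-finished-${cfg.useACMECert}.target"];
+after = mkIf (cfg.useACMECert != null) ["acme-${cfg.useACMECert}.service"];
+confinement = {
+enable = mkAlmostOptionDefault true;
+packages = config.systemd.services.syncplay.path;
+};
+path = mkIf (cfg.passwordFile != null || cfg.saltFile != null) [pkgs.coreutils];
+serviceConfig = {
+StateDirectory = mkAlmostOptionDefault "syncplay";
+BindReadOnlyPaths = mkMerge [
+(mkIf (cfg.useACMECert != null) [
+"${acmeDir}"
+])
+(mkIf (cfg.certDir != null) [
+"${cfg.certDir}"
+])
+];
+};
+};
+}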
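Review bot: The `BindReadOnlyPaths` list at the end of the module only exposes `acmeDir` and `cfg.certDir` inside the confined root, while the service also reads `cfg.passwordFile` and `cfg.saltFile` (the same condition that adds `pkgs.coreutils` to `path`). With `confinement.enable` defaulting to true, a secret that lives outside the Nix store — as sops-managed files normally do — would presumably be invisible to the server; consider two more entries, `(mkIf (cfg.passwordFile != null) [cfg.passwordFile])` and `(mkIf (cfg.saltFile != null) [cfg.saltFile])`. Separately, `wants` names `acme-finished-${cfg.useACMECert}.target` while `after` names `acme-${cfg.useACMECert}.service`; the ordering is easier to reason about when both refer to the same unit, so a short comment explaining why they differ, or aligning them, would help.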


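--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,25 @@
+{
+lib,
+gensokyo-zone,
+...
+}: let
+inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
+inherit (lib.modules) mkIf;
+in {
+config.exports.services.syncplay = {config, ...}: {
+displayName = mkAlmostOptionDefault "Syncplay";
+nixos = {
+serviceAttr = "syncplay";
+assertions = mkIf config.enable [
+(nixosConfig: {
+assertion = config.ports.default.port == nixosConfig.services.syncplay.port;
+message = "port mismatch";
+})
+];
+};
+ports.default = {
+port = mkAlmostOptionDefault 8999;
+protocol = "tcp";
+};
+};
+}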
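Review bot: The assertion message `"port mismatch"` in the `assertions` list gives no hint which service or which two values disagree, so a failure is hard to attribute when several exported services assert the same way. Interpolating both sides makes it self-explanatory, e.g. `message = "syncplay: exported port ${toString config.ports.default.port} does not match services.syncplay.port ${toString nixosConfig.services.syncplay.port}";`. Since the submodule's `{config, ...}` argument shadows the usual module `config`, a one-line comment noting that `config` here is the export entry and `nixosConfig` the host configuration would also save the next reader a moment.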


@ -1,4 +1,5 @@
syncplay-env: ENC[AES256_GCM,data:2u4RT6hJYuDhvRbYVO5t0T0EDnW8QUNdM2krbuJ5WBqKXfTXlIjLb5Bynt5J3/mSSp9DRCggqtXvZaUTxr4Oia5HIms4mxBkUrfareaRNm0=,iv:+IWjGtsmSUfw1wNpSSFA7Kvnhv+lG1F9a6T6N+QLAq8=,tag:ucEwim9yePrgEZOqQKsL2Q==,type:str]
syncplay-password: ENC[AES256_GCM,data:ZfzBG7SAV3cHoEHRYxqn5dshxP6DZAlXCCDPPYeo1g7aGWghqevotxWw,iv:BQ+V6ZLE/BmY4CfqM+CA+EpkNUx8lzbKzhuJp1J3n60=,tag:ABmwK8y2qwcnCE55CBVeEQ==,type:str]
syncplay-salt: ENC[AES256_GCM,data:rMxqzmJURbz+prQBwUMoCfOKOPWAxRsowkFrFjZ1ZWVZmvo/Td7kcpzACSlf/al6SSiI/367NBw/bmfyFH5G3w==,iv:zGGPzAOZL3fYRfREpPDxgoZmbyX1LDFSBCaryhTYyP4=,tag:GHATSzdorg9fcuLfy/lPMA==,type:str]
sops:
shamir_threshold: 1
kms: []
@ -33,8 +34,8 @@ sops:
QXlqSjU2N3ZvUmlYTXgwNWlJSHhPaVUKmSWxiM269wNw5VBh/OcHa6y21navnYIG
1hLHyeJFNXmCX/4+gTxjphcUaWc0zYx8duH63L66CTtCK/RT+Kdchg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-16T19:11:23Z"
mac: ENC[AES256_GCM,data:mev1gtAUq0ujMdYVz4ipkGeyPn/rtLJZx993CVQRxTLVNOIdFkvJlbUwuSKWdZ29r1EdQgqDc7OoPekYfdO/7aMa/AyFoL1e/ohzD1mklGZLTP4YLB3/jB8fkqZUZXCdWtA2Ej1sRlBY2bUZx9rL/FpG9OyWA8zOlItReAEhDPM=,iv:rLXIGy4kY+tMHX6OHFE2DGtFU6niFUFCk/+CadXFP2w=,tag:j0GR5K4yxMQwVUyXCEyJrA==,type:str]
lastmodified: "2024-06-23T22:38:07Z"
mac: ENC[AES256_GCM,data:pHo5NfYGHV9WEp3SC8uG8M4XKS0qApgWbad9uF9LeANaZw1dDjlGUOVFjnwuXqFBUPT5lPjqxnavgllM8wZjyrIjD4j6QDjsMYmzKfqf1VmZG6TDG75u1VLBlrXQpDqzYzm3ioq2bZISkHkurVaQtY/HSZGOGm1Ltiy6MHySbiA=,iv:ezlHpCHifphzbmPjkvPhl5x2bxOldnRtX+KcP9GUbhI=,tag:Zzpz4wQGv0vti13p09A0vw==,type:str]
pgp:
- created_at: "2024-01-19T19:08:56Z"
enc: |-


@ -1,45 +1,36 @@
{
config,
lib,
pkgs,
utils,
...
}:
with lib; let
}: let
inherit (lib.modules) mkIf mkDefault;
cfg = config.services.syncplay;
args =
[
"--disable-ready"
"--port"
cfg.port
]
++ optionals (cfg.certDir != null) ["--tls" cfg.certDir];
in {
sops.secrets.syncplay-env = {
sops.secrets = let
sopsFile = mkDefault ./secrets/syncplay.yaml;
owner = cfg.user;
};
users.users.${cfg.user} = {
inherit (cfg) group;
isSystemUser = true;
home = "/var/lib/syncplay";
};
users.groups.${cfg.group} = {};
networking.firewall.interfaces.local.allowedTCPPorts = [cfg.port];
in
mkIf cfg.enable {
syncplay-password = {
inherit sopsFile owner;
};
syncplay-salt = {
inherit sopsFile owner;
};
};
services.syncplay = {
enable = true;
user = "syncplay";
enable = mkDefault true;
extraArgs = [
"--disable-ready"
];
user = mkDefault "syncplay";
group = mkDefault "syncplay";
saltFile = mkDefault config.sops.secrets.syncplay-salt.path;
passwordFile = mkDefault config.sops.secrets.syncplay-password.path;
};
systemd.services.syncplay = mkIf cfg.enable {
serviceConfig = {
StateDirectory = "syncplay";
EnvironmentFile = singleton config.sops.secrets.syncplay-env.path;
ExecStart = mkForce [
"${pkgs.syncplay-nogui}/bin/syncplay-server ${utils.escapeSystemdExecArgs args}"
];
};
networking.firewall = mkIf (cfg.enable && !cfg.openFirewall) {
interfaces.local.allowedTCPPorts = [cfg.port];
};
}
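Review bot: The `syncplay-env` secret appears to be dropped from `sops.secrets` together with the `EnvironmentFile` that consumed it, yet the encrypted YAML in this same commit still carries a `syncplay-env` entry; if nothing else reads it, removing it keeps the file down to the secrets that are actually deployed. The `pkgs` and `utils` module arguments also look unused once `ExecStart` is gone, though the rendered page leaves the header lines ambiguous, so that is worth confirming before trimming them. The firewall rule is now `mkIf (cfg.enable && !cfg.openFirewall)`, which pairs with the shared module's `openFirewall` handling; a one-line comment such as `# without openFirewall the port is only reachable on the local interface` would record that split for the next reader.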


@ -20,6 +20,7 @@
services = {
tailscale.enable = true;
samba.enable = true;
syncplay.enable = true;
vouch-proxy = {
enable = true;
displayName = "Vouch Proxy/local";


@ -6,7 +6,7 @@
...
}: let
inherit (lib.modules) mkIf mkMerge;
inherit (config.services) nginx;
inherit (config.services) nginx syncplay;
inherit (nginx) virtualHosts;
hassVouch = false;
in {
@ -53,6 +53,7 @@ in {
nixos.access.invidious
nixos.wake-chen
nixos.samba
nixos.syncplay
./reisen-ssh.nix
];
@ -109,6 +110,15 @@ in {
(mkIf config.services.tailscale.enable "smb.tail.${config.networking.domain}")
];
};
syncplay = {
inherit (syncplay) group;
domain = "syncplay.${config.networking.domain}";
extraDomainNames = [
"syncplay.local.${config.networking.domain}"
"syncplay.int.${config.networking.domain}"
(mkIf config.services.tailscale.enable "syncplay.tail.${config.networking.domain}")
];
};
sso = {
inherit (nginx) group;
domain = virtualHosts.keycloak.serverName;
@ -400,6 +410,10 @@ in {
services.samba.tls = {
useACMECert = "samba";
};
services.syncplay = {
openFirewall = true;
useACMECert = "syncplay";
};
services.tailscale.advertiseExitNode = true;
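Review bot: `openFirewall = true` in the last hunk opens `services.syncplay.port` on every interface rather than only `local`, and the same commit adds `syncplay` to the `global_subdomains` list of the Terraform records, so the server is deliberately reachable from outside. A short comment on that line stating this, and that the exposure presumably relies on `passwordFile`/`saltFile` staying set (they are only `mkDefault`s in the shared module), would make the intent explicit, e.g. `# exposed on all interfaces; the server is password-protected via the sops-managed passwordFile`. The `useACMECert = "syncplay"` line depends on the new `syncplay` certificate entry earlier in this file, whose `inherit (syncplay) group` is what lets the service user read the key; that coupling is worth a comment at either site.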


@ -23,7 +23,6 @@ in {
nixos.access.nfandroidtv
nixos.home-assistant
nixos.zigbee2mqtt
nixos.syncplay
nixos.grocy
nixos.barcodebuddy
./cloudflared.nix


@ -34,6 +34,7 @@ module "hakurei_system_records" {
"z2m",
"grocy",
"bbuddy",
"syncplay",
"yt",
]
global_subdomains = [
@ -46,6 +47,7 @@ module "hakurei_system_records" {
"mqtt",
"kitchen",
"webrx",
"syncplay",
"yt",
]
}