diff --git a/flake.lock b/flake.lock
index 9cd2b76b..db034308 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
 ]
 },
 "locked": {
- "lastModified": 1725134751,
- "narHash": "sha256-yzASTNj/pXP1DQurf50a/1M5kevI70TwhUGhYPlX3BA=",
+ "lastModified": 1725576462,
+ "narHash": "sha256-yQwN6aO63V7TlFohZ2y1HqbRiA787W4MEbE4FqcC4vQ=",
 "owner": "arcnmx",
 "repo": "nixexprs",
- "rev": "7b85606acedd55b167016dc08a331ffece563dab",
+ "rev": "02731f711e232ef0ffa5d7707b1a91a7dfb0cdb8",
 "type": "github"
 },
 "original": {
@@ -160,11 +160,11 @@
 ]
 },
 "locked": {
- "lastModified": 1725180166,
- "narHash": "sha256-fzssXuGR/mCeGbzM1ExaTqDz7QDGta3WA4jJsZyRruo=",
+ "lastModified": 1725694918,
+ "narHash": "sha256-+HsjshXpqNiJHLaJaK0JnIicJ/a1NquKcfn4YZ3ILgg=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "471e3eb0a114265bcd62d11d58ba8d3421ee68eb",
+ "rev": "aaebdea769a5c10f1c6e50ebdf5924c1a13f0cda",
 "type": "github"
 },
 "original": {
@@ -190,11 +190,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1725103162,
- "narHash": "sha256-Ym04C5+qovuQDYL/rKWSR+WESseQBbNAe5DsXNx5trY=",
+ "lastModified": 1725634671,
+ "narHash": "sha256-v3rIhsJBOMLR8e/RNWxr828tB+WywYIoajrZKFM+0Gg=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "12228ff1752d7b7624a54e9c1af4b222b3c1073b",
+ "rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c",
 "type": "github"
 },
 "original": {
@@ -267,11 +267,11 @@
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
- "lastModified": 1725201042,
- "narHash": "sha256-lj5pxOwidP0W//E7IvyhbhXrnEUW99I07+QpERnzTS4=",
+ "lastModified": 1725540166,
+ "narHash": "sha256-htc9rsTMSAY5ek+DB3tpntdD/es0eam2hJgO92bWSys=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "5db5921e40ae382d6716dce591ea23b0a39d96f7",
+ "rev": "d9d781523a1463965cd1e1333a306e70d9feff07",
 "type": "github"
 },
 "original": {
diff --git a/modules/nixos/syncplay.nix b/modules/nixos/syncplay.nix
index 6de87a37..228a9be5 100644
--- a/modules/nixos/syncplay.nix
+++ b/modules/nixos/syncplay.nix
@@ -7,51 +7,14 @@
 }: let
 inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
 inherit (lib.options) mkOption;
- inherit (lib.modules) mkIf mkMerge;
+ inherit (lib.modules) mkIf;
 cfg = config.services.syncplay;
- acme = config.security.acme.certs.${cfg.useACMECert};
- acmeDir = acme.directory;
 in {
 options.services.syncplay = with lib.types; {
 openFirewall = mkOption {
 type = bool;
 default = false;
 };
- useACMECert = mkOption {
- type = nullOr str;
- default = null;
- };
- };
-
- config.services.syncplay = {
- certDir = let
- certDir = pkgs.linkFarm "syncplay-certs" [
- {
- name = "privkey.pem";
- path = "${acmeDir}/key.pem";
- }
- rec {
- name = "cert.pem";
- path = "${acmeDir}/${name}";
- }
- rec {
- name = "chain.pem";
- path = "${acmeDir}/${name}";
- }
- ];
- in
- mkIf (cfg.useACMECert != null) (mkAlmostOptionDefault certDir);
- };
-
- config.users = mkIf cfg.enable {
- users.syncplay = mkIf (cfg.user == "syncplay") {
- group = mkAlmostOptionDefault cfg.group;
- isSystemUser = true;
- home = mkAlmostOptionDefault "/var/lib/syncplay";
- };
- groups.syncplay =
- mkIf (cfg.group == "syncplay") {
- };
 };
 
 config.networking.firewall = mkIf cfg.enable {
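Review bot: The `useACMECert` option is removed here without a compatibility alias, so any system that still sets `services.syncplay.useACMECert` will fail evaluation with an undefined-option error instead of being redirected to the `useACMEHost` name the second hunk now reads (hakurei is updated in this commit, but other hosts are not visible in the diff). `useACMEHost` is not declared anywhere in this file, so it presumably comes from the upstream module pulled in by the nixpkgs bump in flake.lock. If the rename is meant to be transparent, keep a one-line alias in this module: `imports = [(lib.mkRenamedOptionModule ["services" "syncplay" "useACMECert"] ["services" "syncplay" "useACMEHost"])];`. The `config.networking.firewall` attribute the hunk ends on continues outside the hunk.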
@@ -59,23 +22,14 @@ in {
 };
 
 config.systemd.services.syncplay = mkIf cfg.enable {
- wants = mkIf (cfg.useACMECert != null) ["acme-finished-${cfg.useACMECert}.target"];
- after = mkIf (cfg.useACMECert != null) ["acme-${cfg.useACMECert}.service"];
+ wants = mkIf (cfg.useACMEHost != null) ["acme-finished-${cfg.useACMEHost}.target"];
+ after = mkIf (cfg.useACMEHost != null) ["acme-selfsigned-${cfg.useACMEHost}.service"];
 confinement = {
 enable = mkAlmostOptionDefault true;
 packages = config.systemd.services.syncplay.path;
 };
 path = mkIf (cfg.passwordFile != null || cfg.saltFile != null) [pkgs.coreutils];
 serviceConfig = {
- StateDirectory = mkAlmostOptionDefault "syncplay";
- BindReadOnlyPaths = mkMerge [
- (mkIf (cfg.useACMECert != null) [
- "${acmeDir}"
- ])
- (mkIf (cfg.certDir != null) [
- "${cfg.certDir}"
- ])
- ];
 NoNewPrivileges = true;
 PrivateDevices = true;
 PrivateMounts = true;
diff --git a/nixos/k8s.nix b/nixos/k8s.nix
index 9cafd437..10e13335 100644
--- a/nixos/k8s.nix
+++ b/nixos/k8s.nix
@@ -55,7 +55,7 @@ in {
 };
 kubelet = {
 extraOpts = "--fail-swap-on=false";
- clusterDns = "10.43.0.2";
+ clusterDns = ["10.43.0.2"];
 };
 };
 
diff --git a/nixos/syncplay.nix b/nixos/syncplay.nix
index a203dbe6..59795a71 100644
--- a/nixos/syncplay.nix
+++ b/nixos/syncplay.nix
@@ -8,14 +8,13 @@ in {
 
 sops.secrets = let
 sopsFile = mkDefault ./secrets/syncplay.yaml;
- owner = cfg.user;
 in
 mkIf cfg.enable {
 syncplay-password = {
- inherit sopsFile owner;
+ inherit sopsFile;
 };
 syncplay-salt = {
- inherit sopsFile owner;
+ inherit sopsFile;
 };
 };
 
@@ -24,8 +23,6 @@ in {
 extraArgs = [
 "--disable-ready"
 ];
- user = mkDefault "syncplay";
- group = mkDefault "syncplay";
 saltFile = mkDefault config.sops.secrets.syncplay-salt.path;
 passwordFile = mkDefault config.sops.secrets.syncplay-password.path;
 };
diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix
index 3d733243..fc64d25a 100644
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
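Review bot: The new `after` only orders the unit behind `acme-selfsigned-${cfg.useACMEHost}.service` while `wants` pulls in `acme-finished-${cfg.useACMEHost}.target`, so syncplay can start on the self-signed placeholder and keep serving it until something restarts the unit, and nothing in this hunk wires a restart on issuance or renewal. Pairing the ordering with the certificate's reload hook closes that gap: `config.security.acme.certs = mkIf (cfg.enable && cfg.useACMEHost != null) { ${cfg.useACMEHost}.reloadServices = ["syncplay.service"]; };`. Separately, `confinement.enable` stays on while the `BindReadOnlyPaths` entries for the ACME directory and `certDir` are dropped, so the certificate files are only reachable inside the unit's chroot if the upstream module now hands them over another way (systemd credentials, for instance) — that is not visible here and should be confirmed against the nixpkgs revision in flake.lock. The `serviceConfig` set continues past the end of the hunk.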
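Review bot: Dropping `owner = cfg.user` from `syncplay-password` and `syncplay-salt` leaves both secrets at sops-nix's default ownership (root, read-only for the owner), so the service can only consume them if the unit reads `passwordFile`/`saltFile` as root or receives them through systemd credentials; if it still opens the paths as an unprivileged user, startup fails at the secret read. Which of these holds depends on the upstream module's start-up command, which is not in this diff, so please confirm it against the nixpkgs revision in flake.lock before merging. The same question applies to the `inherit (syncplay) group` removal on the ACME certificate in systems/hakurei/nixos.nix, where `key.pem` reverts to the ACME module's default group and is no longer readable by the syncplay account directly. If the credential route is what upstream uses, a short comment above `sops.secrets` saying that the secrets are intentionally root-owned because the unit loads them as credentials would save the next reader the same investigation.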
@@ -106,7 +106,6 @@ in {
 ];
 };
 syncplay = {
- inherit (syncplay) group;
 domain = "syncplay.${config.networking.domain}";
 extraDomainNames = [
 "syncplay.local.${config.networking.domain}"
@@ -425,7 +424,7 @@ in {
 };
 services.syncplay = {
 openFirewall = true;
- useACMECert = "syncplay";
+ useACMEHost = "syncplay";
 };
 
 services.tailscale.advertiseExitNode = true;