moving syncplay to tewi

nixos/systems/daiyousei.nix

@@ -9,7 +9,6 @@
     services.murmur-ldap
     services.prosody
     services.synapse
-    services.syncplay
     services.filehost
     services.keycloak
     services.openldap

nixos/systems/tewi/nixos.nix

@@ -27,6 +27,7 @@ in {
     (modulesPath + "/installer/scan/not-detected.nix")
     hardware.local
     services.access
+    services.syncplay
     nixos.arc
     nixos.sops
     inputs.systemd2mqtt.nixosModules.default

nixos/systems/tewi/secrets.yaml

@@ -9,6 +9,7 @@ openscsi-config: ENC[AES256_GCM,data:pLfiDNSx3ghibiWgfV8vXqgXHJaA7dYwl7Tlqs11+XO
 systemd2mqtt-env: ENC[AES256_GCM,data:Zo3+acCcMWgai2ERKbmOlI0hvdkOlNviBqeLb1ALuA==,iv:NxXBDCEevBRqMDY9/3z/Uq2+vENswkYTgTa82wKc32U=,tag:01WUphYRJrwmHv9HE4ac8w==,type:str]
 z2m-secret: ENC[AES256_GCM,data:SCxz8nbB/QhfPcAzSEDHMpiQnjv+j0xLtg/20qf5ZEe3P5YRaiKXMSqdw6MX7uQtGh8T44raEgS8PFuGKXY423GV/MNPSzMl16DLBwU5P7TL6lYT97uVYRIqWMKqtPy/1f155743wH8HsJvslmg=,iv:Yw9dvH1dBq+vxHvKm0eeHlqVHRdUuzL71mDTbIF7DDg=,tag:bCiDNSwq7P21TwblvVGq6A==,type:str]
 deluge-auth: ENC[AES256_GCM,data:qJP/CztnN7RV4Z3pP+jbH1B0zzBm8oa3n3X0pecEVe7UI3+NOSwFaQCBD7Q7JDxzh+qTNdQ/wWi7w0XJDG+aRIikgDG28S9RjdPL/w==,iv:GUEwmuk3JWMgsXsDgDrObW657WcN6wcYAsgXhK4Dvx0=,tag:vZMQ67j5kWBWOa6ZqCaQHw==,type:str]
+syncplay-env: ENC[AES256_GCM,data:MzL/Q4ihwVX+QgdWl20PfpCP8hiPd3uc00FuTJ+gsVN7EJOoDlTyA2pgfw75eklQgWa0r9T+3u3gigo7jxrBqmgD2oYDFrZNKrHyrXlxALQ=,iv:AO7hcXucPqJkCa3u3Y7nrgfIsw9f8fbWBc5g7Kb77cM=,tag:G+URgzoVrwiS6TjEgRy9rg==,type:str]
 ha-secrets: ENC[AES256_GCM,data:sw+sxrDyNIOAkHSA2fPLqtHR32iKIaZDdgJ1ZcQTeOqlgdZDhK5XzXiBkpZBTwKswUc2UPDOANsn+YRusX2tUvLYjdxZz4jIBKJuaW3aEtOcxjmG55KYxHmTzSbR4IhpuZ+1wDhvp4UiUqyD273Lt6LTFDmohZAVqwxJc2k4YTZJXiofVf8ywcXPMcS+zIMxb5nBX9EJqgJ80pnBI8vZeCg4pFv/Ux2OoS+PTnkYHnsywf57NA23YcKqnsbJoZwi3e4ooM2erygv0DuoP7QBnBdEf5RKSziECDTDPUFQVNYIOEAgJIYOD/GtZmWMx4SadsmrgTB1RqtAdPnvuuD3jLYW20zci8CxmI4F/h/+8lxUH/TGiG2bUmPYvwTE1eW1cLK91XhxXp6ORyWMGYcR98ryGL00ctD/BaZLdk7FYbQMTF2y2vx5vWAABTnYLsv6H9csmD4O7OeNkd9k+YQB/atENAXRgIiGDvkkbNoRkRU5SzIIHGcjjU7GC6hT+LDportPuhUW+g6KJj0ENOCI0yXNkIfa6LXAJcCmdovJCIbdw1HCGHuu+dc5rSWueiOWo+2rr8loytZTTMwevTaldfrNyu42K+bZI2BkPdXzkPQDeV8y5PmfnXfdXthmmnZbYRyVYUd1OH9L,iv:zxpazCPJTWmuw7/BNj90G89aGyk3fCqBB+RCyKW6QwY=,tag:5zSnrZOxo8G2Wg4LNtEsaQ==,type:str]
 cloudflared-tunnel-apartment: ENC[AES256_GCM,data:r3NbCbdA9sGqjhij/lUFqszpLvtzP9xasQ+LfCc4UPkt767/rjMrls496k59fLuh5iovHq4U6IXhdFica/gg0KdVR++osbXDZe0NlD3H54zQsqLNTlceU3SOok7HfwUcsmtYAsTN7u+SIv5bXJsdfqS7SYbCi9624Gz8xk0BU9rDkI4pXt9FA+4kVhgArSH7NbcgZ6oo4sOn6G1SsK5OzAb1BLOC4g==,iv:3KOU5jTUqD434GckPXV8teiThfagIinEGGZrVSR17xk=,tag:GKoO1904PxwUAkyY3X9S7Q==,type:str]
 ha-integration: ENC[AES256_GCM,data:iW/hnCuXWKeZ43CNf2KKISPY1N2uqHHGQcCpfBojN4kTCi6VvsAZveUS8v28SrrPsh/2+vXoj1STj+N4COkFn7NANP6q946H7VaEgOTBvf9wykJ+WGYDMUgd8Ce8yLjnJpf+q6Rm5BHWMBrE53bB6YCbU9CIOCFF1mm4b6SXdJSuK0DOXZjsoYAc2TjHFb3K3/+74YRiRLgGSnE7MT8sPQ3Bojg9VRNFDZbxRejRjwDGZlRIHM/imeoTSwsWB/sLryR1HKEvyXSWy7MG0v2YqyAloxa/4uFpOdQ37NG4tegzCYwdybnEdW2wv+bZXfDq/csAIpRIyegpkjZeAhfAA5LptYaXxdzFhtFS6NJ6ROW+scbOhS0snoOrg7CqiiB8Y7ad6VFco6dJKCdr+A/92pH3y/+gq6LxOOpIxzbnqkIDV41VVRK61tHafZsXEMXkyRCPbYuVIcVlK4xuw3OryzfUUTW0UFUm0qgIP04L6bI0Zay2NYxL42T7DgLbeddOBEYvBJefQVS1Yk/Q7ql9gnj4EsFMbvKGANhT182kkwKGN+kbVW3Gh63kploRB6AOjGJe+2+2zZnJrKBot+AHJ0Fj8e3n00kvXQtYccVsvD1NREABg0O6xtTjgUoPw+C0lbRgoh/mouyny6f+1jSUF9xDIU8M8YUHOku/VtmSxrMGc5HDPeGjSs/0IMzJJXbt3x9if2Db4zW50XbGFkZDEceJwqulqR7ca0BKeUPUurYnCqh7YGTPe1zc+xkH6Ew/KWlH6bY/YC1hL1fqlqWVWktW3StwAOIzZoytvjtdxifc7Gy4YPKzOi4njLbyvyB+lRMkzvBfyVguGyHvpGbSSog6lxUTmbOqDbl3qCRY2ZJXcuBza6e90Qf1GF1oGjrOIVfNAmJCz7BaNfjtKIc8asql36pRzjFXwPlbfgNHXjQEAUAqiAEyabhaCnqZVbhk0i8PrT/jrHCj/COXgHUT8As3t1Tmipcel7OwqiE23lpTp//bQ4dRuVs59RzyElaLsj9cehiEzIys0bzlPDmQzbgxw48yKRhtrwkY5J0zPWe7OkrFwkbLHfNFisU4qPvoTwOIMvCjTHdMZZ3TrXeuEPH3gEkIYeItd0o7NyJ0FekK1N9YLN6r0lWKHhWvz/dOaR2RRb22bsO24gn12xXHb0idEQ6D+AQxSLywW6DKjb6ZBAihZd9dJ3fIYcaB81C8W7dJ5o0J060MVX/ngRpB0Us916BBUoXRT3/7HbXen+Bn3i87fSXdFStXUXPwnNLATVOOKcq++h9we1yScPdVg2IWPGmryc6RoS1PjKGzlUE5XAXQKuyGbZQtgqV9Da5wktWkJFeZpuP9oQzC+37AP9fZM3BZHGK1siZ5USPbxwwszWWn0lHDdmQyor/IhKSBVh+4CkqOY0SV/P73OzhfyS+JtcBIrTJgMWHPOc5jsSf+5l904XhApg7KYxYwZHaDrbooG+YXu5eZ8QSqz04BmG6ErgQZ3f29mg6e7OT1Ikt2Q1M7MePSnSMZuvQKJ4dVYwFmo1nO0HnkObA6rMPd7XVUYDmWOyzUcRUBukU2w0XfHELLzid0odLHZsXCH+RTaRoXvwXVz1eRWu5guzeafsxDpTW5Z/AqR785jYGgL116sGSJ5806p01IqDBg0aS+oEtSpfaXw1AZXT4GkxoQM3vAUeRAc+B/twtjJ38UFMisWXBbss4Q6wxRcXFzNtSkZMchUfGS4XMJ43FajrHlFKG9uZQ4G7IXYbliFkjZ5F2zwXr3sDsVFxeYIuws1yYCEYFtisduad6kOnZCTQjAMw1YYKtTM7TYeMt4TNutR+AAOqGMx0p11lZmAFYRlsoqGs+by+vC8BO1gCkAcr7s8MAoh5CuG56zs16gnSRlMbQAciIjaRptKkYh+zLEXYI9kmMlr3hWQYlHNtBtU6w2+n+1y7EYlh+PiFB+xrGJisgPePfx7+VqEH3UiPVVv8bAN9Mh0RwjaOGXAYMEgsN1smhsKm1h0K3Z8tcZUx/OJFHgHDo3bi0eE3REz/Mxh56PVx/1vhpGj9TGZuanynEP5q7iYh3ETYBHdK89we4uw4tEkDnt9JRXNuofYmXyw44AbO8UNMy6jt/2Joc55egSU5oiexrLVUSQaM3vVdvfz4u7Whv1O31hRPt8hDccHM6KSFkXRLmI3m02vKQs7gEqjjZH+6sOI1ciY8LcmePzFefVG/xGRlH9yPpV1bDUdxBgpSFT8N9Xm+yqBKhuwT0MUhUoEpaiZht7iDPMshXXX3j80TO1csgD8gWY4L9YPTgHngRtLS+LZfdlDb9gvgJ7WwD6i3r/X4lLvLy2fKplSbCHJprlGY4YJWnmVJyFGOShPm0yOkZgBgfKT6CeoeTL+h+tGWuML1+Tbt0p6QRNP9djhoznMPMVxLWOZXa7Sbnb6PurddDG7eKPyadasc174BqdWNPzlu+nAQV8s6UlB8y9hmjqevpx+HAwbMWhIFtsuXAxS7jMe7FsQyjf0I7YUySS4sCH+1vsFpZDTxjPmatGT5g1vJAMKBfXEpMuR3KQpIftVrON/Wp+rS2kpSCpcPt6+8g8FMP1/OVM6B2Kmj4LeZvS1LHp8FktQrPXav3i8aIpjEstsCPWFJTgBEjuUxGmodks+Zo64R1XxhtAQzXmwUltGRpx3aCiDoDP94uKicEY/+k60ucECLx3sQEcpu6nE53JEELveAHVgwIyXLmik/MclvaZMZu5kjh8QaiPEzL1/r1trYVQiJ63IHpriDThRQqnFSYiQ74BJnheXsU/5mlUUwNT+TinsiwP8JCarTm0XyXrHYW7KxJW7ZXud9Sc7/bYrkQ4hvtz+XtFpZs7UHmHjBDF0DHqHPxUdudKV548tyh2Uc8LwzNgRCXrFswUme/dVTcGGRHZPIgO8P9SBvPbakyN8Xjpm7CC+bGEl3jV4DfMfXH79Y25mlw4s8nbi06mpYp1T938jfrVIgE7Tvp3C+miLblKbwA14IYI3ZiLwiea+Nb36/jkG198yZfsmkqqPZPMMq9+kkA3NEWk+BlPA3m75mCltCXJY6BMrFVQWVMiwroQ8aq4medx1Nsc6w==,iv:tRzbBW/YFMp2vw26M9ediGY49GuxvyV2ijZ1W7mjURQ=,tag:L4ACYnVzdarztrjlsX3cAQ==,type:str]
@@ -37,8 +38,8 @@ sops:
             VndVTG0zQWhsUHcwTkFjK2ZPdzRPUUEKJ3flgZ6/s+TjlFgzsANYaOFiEPQuE4zR
             7npNUDFLe26Q32G3j/lLSBzZZfKoOC5SOSp9TB8eWMYSxfNnXEIu0g==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-03-25T21:52:55Z"
-    mac: ENC[AES256_GCM,data:vDdOOYfVqbNXoO9AI4u8qaB/51lJS3yB2y0isrlKk4ANbJXb511LRjjCLiEsbLauqQH9y2b+bGfFBL/+2psyji8IuADJg/bMBdgXpCi407QP4Bn36weaPR55tqNtg6XHHL7LqBeinhrVslRo9H8T3Dl5jKwD2wAwwkAsthmgVyI=,iv:HbUVA5F3xAGJCfVwdAbQqYyiQQTdzk6M5HHKkJkLo5k=,tag:BoDWnEBMRa93coRJwe4tbg==,type:str]
+    lastmodified: "2023-04-10T16:20:24Z"
+    mac: ENC[AES256_GCM,data:FgF+SPVTRFeYmxehsBGDdCtcPjVpUyZETv4FVBBE6qbrxRt9LNtkLEZdZl8bXjcH0qAcAu5OACXLuU5hnsIlbvpE9WUzJTs/WnPKYSPttVdqjH7GbsxBVI16I9JQDIzaKYARw4QoD1kVaROQd/0XJgfM0GAqN1xUV2tgfo3voAU=,iv:NVtLoj1YThBB5AWQHSTKkMJoy1yr4zpdbeeKvDIY2x8=,tag:S/OPVRMExteyKaY4Rye7iA==,type:str]
     pgp:
         - created_at: "2023-03-10T17:06:53Z"
           enc: |

services/syncplay.nix

@@ -1,25 +1,25 @@
-{ config, lib, pkgs, tf, ... }:
+{ config, lib, pkgs, utils, ... }:
 
 with lib;
 
-{
+let
+  cfg = config.services.syncplay;
+  args = [
+    "--disable-ready"
+    "--port" cfg.port
+  ] ++ optionals (cfg.certDir != null) [ "--tls" cfg.certDir ];
 
-  secrets.variables =
-    let
-      fieldAdapt = field: if field == "pass" then "password" else field;
-    in
-    mapListToAttrs
-      (field:
-        nameValuePair "syncplay-${field}" {
-          path = "services/media/syncplay";
-          field = fieldAdapt field;
-        }) [ "pass" "salt" ];
+in {
+  sops.secrets.syncplay-env.owner = cfg.user;
 
+  users.users.${cfg.user} = {
+    inherit (cfg) group;
+    isSystemUser = true;
+    home = "/var/lib/syncplay";
+  };
+  users.groups.${cfg.group} = { };
 
-  users.users.syncplay = { isSystemUser = true; group = "domain-auth"; };
-  users.groups."domain-auth".members = [ "syncplay" ];
-
-  networks.internet.tcp = [ 8999 ];
+  networks.internet.tcp = [ cfg.port ];
 
   domains.kittywitch-syncplay = {
     network = "internet";
@@ -27,39 +27,23 @@ with lib;
     domain = "sync";
   };
 
-  secrets.files.syncplay-env = {
-    text = ''
-      SYNCPLAY_PASSWORD=${tf.variables.syncplay-pass.ref}
-      SYNCPLAY_SALT=${tf.variables.syncplay-salt.ref}
-    '';
-    owner = "syncplay";
-    group = "domain-auth";
-  };
-
-  systemd.tmpfiles.rules = [
-    "d /var/lib/syncplay 0711 syncplay domain-auth 90"
-  ];
-
   networks.internet = {
     extra_domains = [
       "sync.kittywit.ch"
     ];
   };
 
-  systemd.services.syncplay = {
-    description = "Syncplay Service";
-    wantedBy = singleton "multi-user.target";
-    after = singleton "network-online.target";
-    preStart = ''
-    cp ${config.networks.internet.cert_path} /var/lib/syncplay/fullchain.pem
-    cp ${config.networks.internet.key_path} /var/lib/syncplay/privkey.pem
-    '';
+  services.syncplay = {
+    enable = true;
+    user = "syncplay";
+  };
+  systemd.services.syncplay = mkIf cfg.enable {
     serviceConfig = {
-      EnvironmentFile = config.secrets.files.syncplay-env.path;
-      ExecStart =
-        "${pkgs.syncplay}/bin/syncplay-server --port 8999 --tls /var/lib/syncplay --disable-ready";
-      User = "syncplay";
-      Group = "domain-auth";
+      StateDirectory = "syncplay";
+      EnvironmentFile = singleton config.sops.secrets.syncplay-env.path;
+      ExecStart = mkForce [
+        "${pkgs.syncplay-nogui}/bin/syncplay-server ${utils.escapeSystemdExecArgs args}"
+      ];
     };
   };
 }