This commit is contained in:
Lukas Wurzinger 2025-05-18 16:51:40 +02:00
parent e945e5c24b
commit b9db4fa6c0
No known key found for this signature in database
4 changed files with 10 additions and 217 deletions


@ -64,23 +64,20 @@ in
secrets.mailer.PASSWD = secrets.forgejo-mailer.path;
};
# TODO
systemd.services.forgejo.preStart = lib.getExe (
pkgs.writeShellApplication {
name = "forgejo-init-admin";
runtimeInputs = [
cfg.package
];
text =
let
forgejoExe = lib.getExe cfg.package;
passwordFile = secrets.forgejo-admin.path;
in
''
admins=$(gitea admin user list --admin | wc --lines)
admins=$(${forgejoExe} admin user list --admin | wc --lines)
admins=$((admins - 1))
if ((admins < 1)); then
gitea admin user create \
${forgejoExe} admin user create \
--admin \
--email helvetica@helveticanonstandard.net \
--username helvetica \


@ -4,9 +4,11 @@
...
}:
let
virtualHostName = "vault.wrz.one";
virtualHostName = "vault.helveticanonstandard.net";
in
{
# TODO: tailscale
age.secrets = lib.mkSecrets { vaultwarden = { }; };
services.vaultwarden = {


@ -20,7 +20,9 @@
inhibitsSleep = true;
post =
let
remoteDir = self.nixosConfigurations.abacus.config.services.navidrome.settings.MusicFolder;
abacusConfig = self.nixosConfigurations.abacus.config;
remoteDir = abacusConfig.services.navidrome.settings.MusicFolder;
remoteDomain = abacusConfig.networking.domain;
package = pkgs.writeShellApplication {
name = "sync";
runtimeInputs = [
@ -36,7 +38,7 @@
--mkpath \
--verbose --verbose \
--rsh 'ssh -i /etc/ssh/ssh_host_ed25519_key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null' \
/srv/void/compmusic/ root@wrz.one:${lib.escapeShellArg remoteDir}
/srv/void/compmusic/ root@${lib.escapeShellArg remoteDomain}:${lib.escapeShellArg remoteDir}/
'';
};
in
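Review bot: The new destination line derives the remote host from `abacusConfig.networking.domain`, yet the `--rsh` option two lines above still runs ssh with `StrictHostKeyChecking=no` and `UserKnownHostsFile=/dev/null`, so the host receiving `/srv/void/compmusic/` is never authenticated even though its NixOS configuration is now in scope. With `abacusConfig` available, the host key can be pinned instead of bypassed, e.g. by declaring the abacus public host key under `programs.ssh.knownHosts` for `remoteDomain` and dropping both `-o` options. Separately, `networking.domain` defaults to null in NixOS, so `lib.escapeShellArg remoteDomain` on the last changed line will fail at evaluation time if the abacus configuration does not set it; a `lib.assertMsg (remoteDomain != null) "..."` in the `let` block of the first hunk would make that failure explicit. The enclosing `post` script body begins in the first hunk and continues past the `in` that closes this `let`.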


@ -1,208 +0,0 @@
{
config,
lib,
pkgs,
utils,
...
}:
let
cfg = config.services.rsync;
inherit (lib) types;
inherit (utils.systemdUtils.unitOptions) unitOption;
settingsToShell = lib.cli.toGNUCommandLineShell {
mkOptionName = k: "--${k}";
};
settingsType =
let
simples = [
types.bool
types.str
types.int
types.float
];
in
types.attrsOf (
types.oneOf (
simples
++ [
(types.listOf (types.oneOf simples))
]
)
);
in
{
options.services.rsync = {
enable = lib.mkEnableOption "periodic directory syncing via rsync";
package = lib.mkPackageOption pkgs "rsync" { };
# commonSettings = lib.mkOption {
# type = settingsType;
# default = { };
# example = {
# archive = true;
# update = true;
# delete = true;
# mkpath = true;
# };
# description = ''
# Common arguments to pass to the rsync command.
# '';
# };
jobs = lib.mkOption {
description = ''
Synchronization jobs to run.
'';
default = { };
type = types.attrsOf (
types.submodule {
options = {
sources = lib.mkOption {
type = types.listOf types.str;
example = [
"/srv/src1/"
"/srv/src2/"
];
description = ''
Source directories.
'';
};
destination = lib.mkOption {
type = types.str;
example = "/srv/dst/";
description = ''
Destination directory.
'';
};
settings = lib.mkOption {
type = settingsType;
default = { };
example = {
verbose = true;
};
description = ''
Extra arguments to pass to the rsync command.
'';
};
user = lib.mkOption {
type = types.str;
default = "root";
description = ''
The name of an existing user account under which the rsync process should run.
'';
};
group = lib.mkOption {
type = types.str;
default = "root";
description = ''
The name of an existing user group under which the rsync process should run.
'';
};
timerConfig = lib.mkOption {
type = lib.types.nullOr (lib.types.attrsOf unitOption);
default = {
OnCalendar = "daily";
Persistent = true;
};
description = ''
When to run the job.
'';
};
inhibit = lib.mkOption {
default = [ ];
type = types.listOf types.str;
example = [
"sleep"
];
description = ''
Run the rsync process with an inhibition lock taken;
see {manpage}`systemd-inhibit(1)` for a list of possible operations.
'';
};
};
}
);
};
};
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = lib.all (job: job.sources != [ ]) (lib.attrValues cfg.jobs);
message = ''
At least one source directory must be provided to rsync.
'';
}
];
systemd = lib.mkMerge (
lib.mapAttrsToList (
jobName: job:
let
systemdName = "rsync-job-${jobName}";
description = "Directory syncing via rsync job ${jobName}";
in
{
timers.${systemdName} = {
wantedBy = [
"timers.target"
];
inherit description;
inherit (job) timerConfig;
};
services.${systemdName} = {
inherit description;
serviceConfig = {
Type = "oneshot";
User = job.user;
Group = job.group;
NoNewPrivileges = true;
PrivateDevices = true;
ProtectSystem = "full";
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
MemoryDenyWriteExecute = true;
LockPersonality = true;
};
script =
let
settingsShell = settingsToShell job.settings;
inhibitString = lib.concatStringsSep ":" job.inhibit;
in
''
${
lib.optionalString (job.inhibit != [ ]) ''
${lib.getExe' config.systemd.package "systemd-inhibit"} \
--mode block \
--who ${lib.escapeShellArg description} \
--what ${lib.escapeShellArg inhibitString} \
--why ${lib.escapeShellArg "Scheduled rsync job ${jobName}"} \
-- \
''
} \
${lib.getExe cfg.package} ${settingsShell} -- \
${lib.escapeShellArgs job.sources} \
${lib.escapeShellArg job.destination}
'';
};
}
) cfg.jobs
);
};
meta.maintainers = [
lib.maintainers.lukaswrz
];
}