From 983e313e11fc19f2314aec9538ab337ec204a2b8 Mon Sep 17 00:00:00 2001 From: Joakim Repomaa Date: Thu, 6 Feb 2025 11:40:51 +0200 Subject: [PATCH] freun.dev add snips --- flake.lock | 18 ++++++------- flake.nix | 37 ++++++++++++++------------ home/common/default.nix | 3 ++- home/default.nix | 4 +-- hosts/freun.dev/services.nix | 1 + hosts/freun.dev/snips.nix | 50 ++++++++++++++++++++++++++++++++++++ 6 files changed, 84 insertions(+), 29 deletions(-) create mode 100644 hosts/freun.dev/snips.nix diff --git a/flake.lock b/flake.lock index f9c3b16..b2ef397 100644 --- a/flake.lock +++ b/flake.lock @@ -362,11 +362,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1738471961, - "narHash": "sha256-cgXDFrplNGs7bCVzXhRofjD8oJYqqXGcmUzXjHmip6Y=", + "lastModified": 1738816619, + "narHash": "sha256-5yRlg48XmpcX5b5HesdGMOte+YuCy9rzQkJz+imcu6I=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "537286c3c59b40311e5418a180b38034661d2536", + "rev": "2eccff41bab80839b1d25b303b53d339fbb07087", "type": "github" }, "original": { @@ -428,11 +428,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1738410390, - "narHash": "sha256-xvTo0Aw0+veek7hvEVLzErmJyQkEcRk6PSR4zsRQFEc=", + "lastModified": 1738680400, + "narHash": "sha256-ooLh+XW8jfa+91F1nhf9OF7qhuA/y1ChLx6lXDNeY5U=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3a228057f5b619feb3186e986dbe76278d707b6e", + "rev": "799ba5bffed04ced7067a91798353d360788b30d", "type": "github" }, "original": { @@ -491,11 +491,11 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1738435198, - "narHash": "sha256-5+Hmo4nbqw8FrW85FlNm4IIrRnZ7bn0cmXlScNsNRLo=", + "lastModified": 1738702386, + "narHash": "sha256-nJj8f78AYAxl/zqLiFGXn5Im1qjFKU8yBPKoWEeZN5M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f6687779bf4c396250831aa5a32cbfeb85bb07a3", + "rev": "030ba1976b7c0e1a67d9716b17308ccdab5b381e", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index feaa4bd..8e1f080 100644 --- a/flake.nix +++ b/flake.nix 
@@ -44,25 +44,28 @@ }; ksoloti-pr.url = "github:repomaa/nixpkgs/pkg/ksoloti"; }; - outputs = { nixpkgs, ... }@inputs: { - nixosConfigurations = { - freun-dev = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = { inherit inputs; }; - modules = [ ./modules ./hosts/freun.dev ]; - }; + outputs = { nixpkgs, ... }@inputs: + let + bin.sshPort = 2222; + specialArgs = { inherit inputs bin; }; + system = "x86_64-linux"; + in + { + nixosConfigurations = { + freun-dev = nixpkgs.lib.nixosSystem { + inherit system specialArgs; + modules = [ ./modules ./hosts/freun.dev ]; + }; - radish = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = { inherit inputs; }; - modules = [ ./modules ./hosts/radish ]; - }; + radish = nixpkgs.lib.nixosSystem { + inherit system specialArgs; + modules = [ ./modules ./hosts/radish ]; + }; - apu = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = { inherit inputs; }; - modules = [ ./modules ./hosts/apu ]; + apu = nixpkgs.lib.nixosSystem { + inherit system specialArgs; + modules = [ ./modules ./hosts/apu ]; + }; }; }; - }; } diff --git a/home/common/default.nix b/home/common/default.nix index b23fbc9..5879238 100644 --- a/home/common/default.nix +++ b/home/common/default.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, bin, ... }: { nixpkgs.config.allowUnfree = true; imports = [ ../gnome ../custom-programs ./neovim ]; @@ -236,6 +236,7 @@ hostname = "apu.tempel-vibes.ts.net"; user = "root"; }; + "bin.freun.dev".port = bin.sshPort; }; }; spotify-player = { diff --git a/home/default.nix b/home/default.nix index 3c96f1c..fa804a1 100644 --- a/home/default.nix +++ b/home/default.nix 
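Review bot: `bin.sshPort = 2222;` in the new `let` block of flake.nix carries no comment, and `bin` is then passed to all three hosts through `specialArgs` although only freun.dev listens on that port. The same value ends up in a firewall rule (hosts/freun.dev/snips.nix) and in the SSH client entry in home/common/default.nix, so I would document it where it is defined, e.g. `# SSH port of the snips pastebin at bin.freun.dev; shared by the server firewall rule and the ssh client config`. A more descriptive name than `bin` would also make the extra module argument easier to recognise in the files that destructure it.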
@@ -1,11 +1,11 @@
-{ inputs, ... }:
+{ inputs, bin, ... }:
 {
 home-manager = {
 users = {
 jokke = import ./jokke;
 moco = import ./moco;
 };
- extraSpecialArgs = { inherit inputs; };
+ extraSpecialArgs = { inherit inputs bin; };
 sharedModules = [ (import ./common) ];
 useUserPackages = true;
 useGlobalPkgs = true;
diff --git a/hosts/freun.dev/services.nix b/hosts/freun.dev/services.nix
index ae0db3c..c9557c2 100644
--- a/hosts/freun.dev/services.nix
+++ b/hosts/freun.dev/services.nix
@@ -41,5 +41,6 @@
 ./tailscale.nix
 ./workout-tracker.nix
 ./gotosocial.nix
+ ./snips.nix
 ];
 }
diff --git a/hosts/freun.dev/snips.nix b/hosts/freun.dev/snips.nix
new file mode 100644
index 0000000..2597d59
--- /dev/null
+++ b/hosts/freun.dev/snips.nix
@@ -0,0 +1,50 @@
+{ pkgs, bin, ... }:
+let
+ fqdn = "bin.freun.dev";
+ port = 3600;
+ sshPort = bin.sshPort;
+ authorizedKeys = pkgs.writeTextFile {
+ name = "authorized_keys";
+ text = ''
+ ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLIUkESu5NnBi1M0+ZjYrkp6/rIFuwc3aguspf98jmOydNce6l65cnS3GRzc9oWx4lu11ahi87ZuE+pYV+gaHm4=
+ '';
+ };
+in
+{
+ nixpkgs.config.snips-sh.withTensorflow = true;
+
+ systemd.services.snips = {
+ enable = true;
+ description = "Snips pastebin";
+ environment = {
+ SNIPS_HTTP_INTERNAL = "http://127.0.0.1:${toString port}";
+ SNIPS_HTTP_EXTERNAL = "https://${fqdn}";
+ SNIPS_SSH_INTERNAL = "ssh://0.0.0.0:${toString sshPort}";
+ SNIPS_SSH_EXTERNAL = "ssh://${fqdn}:${toString sshPort}";
+ SNIPS_HOST_KEY_PATH = "/var/lib/snips/keys/snips";
+ SNIPS_DB_FILEPATH = "/var/lib/snips/snips.db";
+ SNIPS_SSH_AUTHORIZEDKEYSPATH = authorizedKeys;
+ };
+ serviceConfig = {
+ EnvironmentFile = "/var/secrets/snips.env";
+ StateDirectory = "snips";
+ ExecStart = "${pkgs.snips-sh}/bin/snips.sh";
+ WorkingDirectory = "/var/lib/snips";
+ ConfigurationDirectory = "snips";
+ DynamicUser = true;
+ };
+ wantedBy = [ "multi-user.target" ];
+ confinement = {
+ enable = true;
+ packages = [ authorizedKeys ];
+ };
+ };
+
+ services.caddy.virtualHosts = {
+ "${fqdn}".extraConfig = ''
+ reverse_proxy localhost:${toString port}
+ '';
+ };
+
+ networking.firewall.allowedTCPPorts = [ sshPort ];
+}
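Review bot: `EnvironmentFile = "/var/secrets/snips.env"` in `serviceConfig` is the only place this unit takes secrets from, and nothing in the hunk says what the file must contain, who provisions it or how it is protected. systemd reads the file itself before the service drops to its dynamic user, so it can stay root-owned with mode 0600; as written (no `-` prefix) a missing file stops the unit from starting. If the file leaves out the URL-signing key (upstream `SNIPS_HMACKEY`, as far as I know), snips presumably falls back to its built-in default. I would add a comment above the line, e.g. `# root:root 0600, provisioned out of band; must set SNIPS_HMACKEY`. Separately, `SNIPS_SSH_INTERNAL` binds `0.0.0.0` and `allowedTCPPorts` opens `sshPort` on every interface, so the `authorizedKeys` allowlist appears to be the only gate on the SSH side; a one-line comment stating that this exposure is intended would help the next reader.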