freun.dev add snips

2025-02-06 11:40:51 +02:00
parent f1d5a4b2f2
commit 983e313e11
6 changed files with 84 additions and 29 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -362,11 +362,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1738471961,
-        "narHash": "sha256-cgXDFrplNGs7bCVzXhRofjD8oJYqqXGcmUzXjHmip6Y=",
+        "lastModified": 1738816619,
+        "narHash": "sha256-5yRlg48XmpcX5b5HesdGMOte+YuCy9rzQkJz+imcu6I=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "537286c3c59b40311e5418a180b38034661d2536",
+        "rev": "2eccff41bab80839b1d25b303b53d339fbb07087",
        "type": "github"
      },
      "original": {
@@ -428,11 +428,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1738410390,
-        "narHash": "sha256-xvTo0Aw0+veek7hvEVLzErmJyQkEcRk6PSR4zsRQFEc=",
+        "lastModified": 1738680400,
+        "narHash": "sha256-ooLh+XW8jfa+91F1nhf9OF7qhuA/y1ChLx6lXDNeY5U=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "3a228057f5b619feb3186e986dbe76278d707b6e",
+        "rev": "799ba5bffed04ced7067a91798353d360788b30d",
        "type": "github"
      },
      "original": {
@@ -491,11 +491,11 @@
    },
    "nixpkgs_5": {
      "locked": {
-        "lastModified": 1738435198,
-        "narHash": "sha256-5+Hmo4nbqw8FrW85FlNm4IIrRnZ7bn0cmXlScNsNRLo=",
+        "lastModified": 1738702386,
+        "narHash": "sha256-nJj8f78AYAxl/zqLiFGXn5Im1qjFKU8yBPKoWEeZN5M=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "f6687779bf4c396250831aa5a32cbfeb85bb07a3",
+        "rev": "030ba1976b7c0e1a67d9716b17308ccdab5b381e",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -44,25 +44,28 @@
    };
    ksoloti-pr.url = "github:repomaa/nixpkgs/pkg/ksoloti";
  };
-  outputs = { nixpkgs, ... }@inputs: {
-    nixosConfigurations = {
-      freun-dev = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-        specialArgs = { inherit inputs; };
-        modules = [ ./modules ./hosts/freun.dev ];
-      };
+  outputs = { nixpkgs, ... }@inputs:
+    let
+      bin.sshPort = 2222;
+      specialArgs = { inherit inputs bin; };
+      system = "x86_64-linux";
+    in
+    {
+      nixosConfigurations = {
+        freun-dev = nixpkgs.lib.nixosSystem {
+          inherit system specialArgs;
+          modules = [ ./modules ./hosts/freun.dev ];
+        };

-      radish = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-        specialArgs = { inherit inputs; };
-        modules = [ ./modules ./hosts/radish ];
-      };
+        radish = nixpkgs.lib.nixosSystem {
+          inherit system specialArgs;
+          modules = [ ./modules ./hosts/radish ];
+        };

-      apu = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-        specialArgs = { inherit inputs; };
-        modules = [ ./modules ./hosts/apu ];
+        apu = nixpkgs.lib.nixosSystem {
+          inherit system specialArgs;
+          modules = [ ./modules ./hosts/apu ];
+        };
      };
    };
-  };
 }
--- a/home/common/default.nix
+++ b/home/common/default.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, bin, ... }:
 {
  nixpkgs.config.allowUnfree = true;
  imports = [ ../gnome ../custom-programs ./neovim ];
@@ -236,6 +236,7 @@
          hostname = "apu.tempel-vibes.ts.net";
          user = "root";
        };
+        "bin.freun.dev".port = bin.sshPort;
      };
    };
    spotify-player = {
--- a/home/default.nix
+++ b/home/default.nix
@@ -1,11 +1,11 @@
-{ inputs, ... }:
+{ inputs, bin, ... }:
 {
  home-manager = {
    users = {
      jokke = import ./jokke;
      moco = import ./moco;
    };
-    extraSpecialArgs = { inherit inputs; };
+    extraSpecialArgs = { inherit inputs bin; };
    sharedModules = [ (import ./common) ];
    useUserPackages = true;
    useGlobalPkgs = true;
--- a/hosts/freun.dev/services.nix
+++ b/hosts/freun.dev/services.nix
@@ -41,5 +41,6 @@
    ./tailscale.nix
    ./workout-tracker.nix
    ./gotosocial.nix
+    ./snips.nix
  ];
 }
--- a/hosts/freun.dev/snips.nix
+++ b/hosts/freun.dev/snips.nix
@@ -0,0 +1,50 @@
+{ pkgs, bin, ... }:
+let
+  fqdn = "bin.freun.dev";
+  port = 3600;
+  sshPort = bin.sshPort;
+  authorizedKeys = pkgs.writeTextFile {
+    name = "authorized_keys";
+    text = ''
+      ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLIUkESu5NnBi1M0+ZjYrkp6/rIFuwc3aguspf98jmOydNce6l65cnS3GRzc9oWx4lu11ahi87ZuE+pYV+gaHm4=
+    '';
+  };
+in
+{
+  nixpkgs.config.snips-sh.withTensorflow = true;
+
+  systemd.services.snips = {
+    enable = true;
+    description = "Snips pastebin";
+    environment = {
+      SNIPS_HTTP_INTERNAL = "http://127.0.0.1:${toString port}";
+      SNIPS_HTTP_EXTERNAL = "https://${fqdn}";
+      SNIPS_SSH_INTERNAL = "ssh://0.0.0.0:${toString sshPort}";
+      SNIPS_SSH_EXTERNAL = "ssh://${fqdn}:${toString sshPort}";
+      SNIPS_HOST_KEY_PATH = "/var/lib/snips/keys/snips";
+      SNIPS_DB_FILEPATH = "/var/lib/snips/snips.db";
+      SNIPS_SSH_AUTHORIZEDKEYSPATH = authorizedKeys;
+    };
+    serviceConfig = {
+      EnvironmentFile = "/var/secrets/snips.env";
+      StateDirectory = "snips";
+      ExecStart = "${pkgs.snips-sh}/bin/snips.sh";
+      WorkingDirectory = "/var/lib/snips";
+      ConfigurationDirectory = "snips";
+      DynamicUser = true;
+    };
+    wantedBy = [ "multi-user.target" ];
+    confinement = {
+      enable = true;
+      packages = [ authorizedKeys ];
+    };
+  };
+
+  services.caddy.virtualHosts = {
+    "${fqdn}".extraConfig = ''
+      reverse_proxy localhost:${toString port}
+    '';
+  };
+
+  networking.firewall.allowedTCPPorts = [ sshPort ];
+}