From 0dc05deed4d1365676cb030d95e2ec1c24f24341 Mon Sep 17 00:00:00 2001 From: Truxnell <9149206+truxnell@users.noreply.github.com> Date: Thu, 25 Apr 2024 09:23:29 +1000 Subject: [PATCH] fix: factorio --- nixos/hosts/durandal/default.nix | 12 ---- nixos/hosts/shodan/default.nix | 2 +- nixos/lib/default.nix | 6 +- .../nixos/containers/factorio/default.nix | 15 ++++ .../containers/factorio/secret.sops.yaml | 68 +++++++++++++++++++ .../modules/nixos/containers/plex/default.nix | 2 +- .../nixos/containers/redlib/default.nix | 4 +- 7 files changed, 90 insertions(+), 19 deletions(-) create mode 100644 nixos/modules/nixos/containers/factorio/secret.sops.yaml diff --git a/nixos/hosts/durandal/default.nix b/nixos/hosts/durandal/default.nix index 7c3b9f8..646cd72 100644 --- a/nixos/hosts/durandal/default.nix +++ b/nixos/hosts/durandal/default.nix @@ -12,18 +12,6 @@ podman.enable = true; traefik.enable = true; - gatus.enable = true; - homepage.enable = true; - # backrest.enable = true; - - plex.enable = true; - tautulli.enable = true; - syncthing.enable = true; - searxng.enable = true; - factorio.freight-forwarding.enable = true; # the factory must grow - whoogle.enable = true; - - redlib.enable = true; }; diff --git a/nixos/hosts/shodan/default.nix b/nixos/hosts/shodan/default.nix index e11468c..bbaafcd 100644 --- a/nixos/hosts/shodan/default.nix +++ b/nixos/hosts/shodan/default.nix @@ -32,7 +32,7 @@ mySystem.system.motd.networkInterfaces = [ "enp1s0" ]; mySystem.nasFolder = "/mnt/nas"; - mySystem.system.resticBackup.local.location = "/tank/backup/nixos/nixos"; + mySystem.system.resticBackup.local.location = "/mnt/nas/backup/nixos/nixos"; boot = { diff --git a/nixos/lib/default.nix b/nixos/lib/default.nix index b6a170d..f4d1324 100644 --- a/nixos/lib/default.nix +++ b/nixos/lib/default.nix @@ -36,9 +36,9 @@ rec { containerExtraOptions = [ ] ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "privileged" ] false options) [ "--privileged" ] ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "readOnly" ] false options) [ "--read-only" ] - ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "tmpfs" ] false options) [ (map (folders: "--tmpfs ${folders}") tmpfsFolders) ] - ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "noNewPrivileges" ] false options) [ "--security-opt no-new-privileges" ] - ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "dropAll" ] false options) [ "--cap-drop ALL" ] + ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "tmpfs" ] false options) [ (map (folders: "--tmpfs=${folders}") tmpfsFolders) ] + ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "noNewPrivileges" ] false options) [ "--security-opt=no-new-privileges" ] + ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "dropAll" ] false options) [ "--cap-drop=ALL" ] ; diff --git a/nixos/modules/nixos/containers/factorio/default.nix b/nixos/modules/nixos/containers/factorio/default.nix index 6184c79..7976c25 100644 --- a/nixos/modules/nixos/containers/factorio/default.nix +++ b/nixos/modules/nixos/containers/factorio/default.nix @@ -33,6 +33,14 @@ in "d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period ]; + sops.secrets."services/${app}/env" = { + sopsFile = ./secrets.sops.yaml; + owner = user; + group = group; + restartUnits = [ "podman-${app}.service" ]; + }; + + virtualisation.oci-containers.containers."${app}-${instance}" = { image = "${image}"; user = "${user}:${group}"; @@ -40,6 +48,13 @@ in "${persistentFolder}:/factorio:rw" "/etc/localtime:/etc/localtime:ro" ]; + environment = + { + UPDATE_MODS_ON_START = "false"; + PORT = "34203"; + RCON_PORT = "27019"; + }; + environmentFiles = [ config.sops.secrets."services/${app}/env".path ]; ports = [ (builtins.toString port) ]; # expose port labels = lib.myLib.mkTraefikLabels { name = app; diff --git a/nixos/modules/nixos/containers/factorio/secret.sops.yaml b/nixos/modules/nixos/containers/factorio/secret.sops.yaml new file mode 100644 index 0000000..69f1204 --- /dev/null +++ b/nixos/modules/nixos/containers/factorio/secret.sops.yaml @@ -0,0 +1,68 @@ +services: + factorio: + env: ENC[AES256_GCM,data:mk/GJ725TxKJkNBa0T8YGOpxjthJwZLln5UQW/paElh/8FPt+WrfA3+V7Withu877Fi8jiyn+Pyq+k2mgkaQKtmcog==,iv:kxoD+Xi89Df+pBeIHlwkszbtdxUz5etHYD6rn9uLNxg=,tag:YK0EZ1bKM8AamskktTIDBQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvZUxEZnBzdlBoZ245WDZD + ZXlrd2RCblR4MEo3NWE2Zk82dHBvemVYNUU4CjBCeWVsZnd6T1g0M2hqaDVWYnJX + NFNZNnRmRG9FSm56M0pXN2ljNUlHRWcKLS0tIEFmc2tlY09Qa3A3cXJxaURRNytD + UFBKWTlxYkgvUFZVckpoZHdPYUx2RTAKxz904To3LFDsiKdSM5kZylwx/lXooECm + WX5439E01p/UPqDnvOjc+5wa4Ynu5XCW5DleTdUFw2fjUrb9yg6Z6Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByenI1WktwWWhhdkdxWDFp + Nm1HTGE5U3VRUEYxSFdEOE5XSm1oMThVK0hzCitDSkptSTd4Y3dRTXlxMnJ1eWdH + d1pLNUI2T3FLWWlVSEJmb3BzRTFDTXMKLS0tIGcyWG5OSmhKZmJ6VFlJUlE4Nit2 + MDlkQy9NZEg5WWtseTJFdHU1UWpvZkkKsc+vbn/lkzWtSKEvg4xSgDHM7vblgNAa + cbF4+JaMgVsyNox9kuoslzhQoE7eftcBolgRq9m1qhCUfqUhmgsS8A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Vm5UejU3bjU2MmR0bDIw + dkw3UG1jdzFwTHVGTVYrRjFNUU5GSmdkcEgwCnk0aTh3QjVWUTMzdFI1UC9XaElk + SWtIRktBc2lGOW9jdDBBcmJOSm5qRDgKLS0tIEJSUlY5dFYvcVVEdjl6bHNvazkx + QlFkUlpWRHQyanZEQmJtczRra01ibTAKR80FHc37Dnjo6zrnJHkSpYvGv9W/k4nx + vPXsNki4q6WJKec+4jebJgdoXeT1ztk1HcZquIUiNkpkx8rMrtnrMQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTlU3OVcxUnFEMmRyeHlX + UUtxK1RRM3ZubThkejdMVjRqQVp5K1o4N2ljCk9ZVk1RZmEwNXBMTitZa2NmZ1Y0 + U2ZqdE81WEhzSHByN2FQMTN2M240bDAKLS0tIDVFOEhwL1I3NnRRTTBqZ1UxbEg3 + M0paRmNFa3pYakFRRkxtdVAvWk5PT0UKP4nQCuFT2EiLkZUzu/XWj6+v7bdWFj4o + 4oQ4bmv+hTklYb9KOl3XM089z4ixtgJeGWzUiV3Omqt3sorbG8wOBw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ekt5xz7u2xgdzgsrffhd9x22n80cn4thxd8zxjy2ey5vq3ca7gnqz25g5r + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMOG5yMVBnSTRLckxXcFVp + cHMwcGtleGhPalROVzlIeXN0QUFqcG9YZDNZCnhSRjI2SUdqWk5KaVg5eXJZQjh2 + ME5iUGNLeUxhbkc3YjczN1lmKzFGa28KLS0tIDBIYXkwSGVhVU12eDJ4Mk1ZUFk0 + ZVNoUnlwRDhTM1NvZUVYUW5OWm9HdGMKZHO7ouk5xDWfSBeBLAVIYTQc4Zzp2CC8 + Mxz8Sc7cIxBPb1qtYQud9pg6fxYNhvbZdwL60p6vRT/KegEmPyEgog== + -----END AGE ENCRYPTED FILE----- + - recipient: age1jpeh4s553taxkyxhzlshzqjfrtvmmp5lw0hmpgn3mdnmgzku332qe082dl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPaXZjb283SjFaZDBOQ1Vs + S1dEWm13dUFyWm1yUnRmaHdRUndDK3paaFI0CmxpcjJIdDZVR203WUg3dWpjbERu + OFZmVGw5Z3BYQVBBQ2VKK2M4RGgwNjAKLS0tIFFGa3V3cUU1N0RyRStJSlNkdzdV + QUx5MEkxM2h2S1FucjBhNkFVWDZnQW8Kj/iJslXSS/I019/JjdXYZsCjMHCc6drH + 0kXZL4itv8pjlVGDcGZXAHiDG4+LP4pI6hx8AElTZTk+9umMtaADzg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-24T23:21:20Z" + mac: ENC[AES256_GCM,data:lhS6GQLcCUwfmoSa81vN4EkouILMAAJ1sEc/laaUAQVb3Od2olVcJnXa8wJNaqRAhK9+3B2sJ44sjg6QojU1ROqHvfr5x+rnokws2ax3ikTMZThtBeR2srj+OnvbS/Enai3MHH16bQBKmbyHCk4oHnkr7mgMkGjks1uT8pFJwuk=,iv:aZ70kTNPV/JuD4PjlB/wecCv1ynoQQ6VQ9Ob4eu2jlg=,tag:xBZHz2hm+BRfpUK5+25GQA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/nixos/modules/nixos/containers/plex/default.nix b/nixos/modules/nixos/containers/plex/default.nix index a00ecee..de56caf 100644 --- a/nixos/modules/nixos/containers/plex/default.nix +++ b/nixos/modules/nixos/containers/plex/default.nix @@ -41,7 +41,7 @@ in "/etc/localtime:/etc/localtime:ro" ]; environment = { - PLEX_ADVERTISE_URL = "https://10.8.20.44:32400,https://${app}.${config.mySystem.domain}:443"; # TODO var ip + PLEX_ADVERTISE_URL = "https://10.8.20.42:32400,https://${app}.${config.mySystem.domain}:443"; # TODO var ip }; ports = [ "${builtins.toString port}:${builtins.toString port}" ]; # expose port labels = lib.myLib.mkTraefikLabels { diff --git a/nixos/modules/nixos/containers/redlib/default.nix b/nixos/modules/nixos/containers/redlib/default.nix index fd39bb5..85f243e 100644 --- a/nixos/modules/nixos/containers/redlib/default.nix +++ b/nixos/modules/nixos/containers/redlib/default.nix @@ -12,7 +12,7 @@ in # fuck /u/spez config = - myLib.mkService + mkIf cfg.enable (myLib.mkService { app = "Redlib"; description = "Reddit alternate frontend"; @@ -37,7 +37,7 @@ in dropAll = true; }; }; - }; + }); # mkService # app: App Name, string, required # appUrl: App url, string, default "https://APP.DOMAIN"