jahanson/nix-config-tn
Archived
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

fix: factorio

Browse source
This commit is contained in:
Truxnell 2024-04-25 09:23:29 +10:00
parent 3134dd1fb8
commit 0dc05deed4
7 changed files with 90 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
nixos/hosts/durandal/default.nix
View file

@ -12,18 +12,6 @@
podman.enable = true; podman.enable = true;
traefik.enable = true; traefik.enable = true;
gatus.enable = true;
homepage.enable = true;
# backrest.enable = true;
plex.enable = true;
tautulli.enable = true;
syncthing.enable = true;
searxng.enable = true;
factorio.freight-forwarding.enable = true; # the factory must grow
whoogle.enable = true;
redlib.enable = true;
}; };

2
nixos/hosts/shodan/default.nix
View file

@ -32,7 +32,7 @@
mySystem.system.motd.networkInterfaces = [ "enp1s0" ]; mySystem.system.motd.networkInterfaces = [ "enp1s0" ];
mySystem.nasFolder = "/mnt/nas"; mySystem.nasFolder = "/mnt/nas";
mySystem.system.resticBackup.local.location = "/tank/backup/nixos/nixos"; mySystem.system.resticBackup.local.location = "/mnt/nas/backup/nixos/nixos";
boot = { boot = {

6
nixos/lib/default.nix
View file

@ -36,9 +36,9 @@ rec {
containerExtraOptions = [ ] containerExtraOptions = [ ]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "privileged" ] false options) [ "--privileged" ] ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "privileged" ] false options) [ "--privileged" ]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "readOnly" ] false options) [ "--read-only" ] ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "readOnly" ] false options) [ "--read-only" ]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "tmpfs" ] false options) [ (map (folders: "--tmpfs ${folders}") tmpfsFolders) ] ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "tmpfs" ] false options) [ (map (folders: "--tmpfs=${folders}") tmpfsFolders) ]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "noNewPrivileges" ] false options) [ "--security-opt no-new-privileges" ] ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "noNewPrivileges" ] false options) [ "--security-opt=no-new-privileges" ]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "dropAll" ] false options) [ "--cap-drop ALL" ] ++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "dropAll" ] false options) [ "--cap-drop=ALL" ]
; ;

15
nixos/modules/nixos/containers/factorio/default.nix
View file

@ -33,6 +33,14 @@ in
"d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period "d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
]; ];
sops.secrets."services/${app}/env" = {
sopsFile = ./secrets.sops.yaml;
owner = user;
group = group;
restartUnits = [ "podman-${app}.service" ];
};
virtualisation.oci-containers.containers."${app}-${instance}" = { virtualisation.oci-containers.containers."${app}-${instance}" = {
image = "${image}"; image = "${image}";
user = "${user}:${group}"; user = "${user}:${group}";
@ -40,6 +48,13 @@ in
"${persistentFolder}:/factorio:rw" "${persistentFolder}:/factorio:rw"
"/etc/localtime:/etc/localtime:ro" "/etc/localtime:/etc/localtime:ro"
]; ];
environment =
{
UPDATE_MODS_ON_START = "false";
PORT = "34203";
RCON_PORT = "27019";
};
environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
ports = [ (builtins.toString port) ]; # expose port ports = [ (builtins.toString port) ]; # expose port
labels = lib.myLib.mkTraefikLabels { labels = lib.myLib.mkTraefikLabels {
name = app; name = app;

68
nixos/modules/nixos/containers/factorio/secret.sops.yaml Normal file
View file

@ -0,0 +1,68 @@
services:
factorio:
env: ENC[AES256_GCM,data:mk/GJ725TxKJkNBa0T8YGOpxjthJwZLln5UQW/paElh/8FPt+WrfA3+V7Withu877Fi8jiyn+Pyq+k2mgkaQKtmcog==,iv:kxoD+Xi89Df+pBeIHlwkszbtdxUz5etHYD6rn9uLNxg=,tag:YK0EZ1bKM8AamskktTIDBQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvZUxEZnBzdlBoZ245WDZD
ZXlrd2RCblR4MEo3NWE2Zk82dHBvemVYNUU4CjBCeWVsZnd6T1g0M2hqaDVWYnJX
NFNZNnRmRG9FSm56M0pXN2ljNUlHRWcKLS0tIEFmc2tlY09Qa3A3cXJxaURRNytD
UFBKWTlxYkgvUFZVckpoZHdPYUx2RTAKxz904To3LFDsiKdSM5kZylwx/lXooECm
WX5439E01p/UPqDnvOjc+5wa4Ynu5XCW5DleTdUFw2fjUrb9yg6Z6Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByenI1WktwWWhhdkdxWDFp
Nm1HTGE5U3VRUEYxSFdEOE5XSm1oMThVK0hzCitDSkptSTd4Y3dRTXlxMnJ1eWdH
d1pLNUI2T3FLWWlVSEJmb3BzRTFDTXMKLS0tIGcyWG5OSmhKZmJ6VFlJUlE4Nit2
MDlkQy9NZEg5WWtseTJFdHU1UWpvZkkKsc+vbn/lkzWtSKEvg4xSgDHM7vblgNAa
cbF4+JaMgVsyNox9kuoslzhQoE7eftcBolgRq9m1qhCUfqUhmgsS8A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Vm5UejU3bjU2MmR0bDIw
dkw3UG1jdzFwTHVGTVYrRjFNUU5GSmdkcEgwCnk0aTh3QjVWUTMzdFI1UC9XaElk
SWtIRktBc2lGOW9jdDBBcmJOSm5qRDgKLS0tIEJSUlY5dFYvcVVEdjl6bHNvazkx
QlFkUlpWRHQyanZEQmJtczRra01ibTAKR80FHc37Dnjo6zrnJHkSpYvGv9W/k4nx
vPXsNki4q6WJKec+4jebJgdoXeT1ztk1HcZquIUiNkpkx8rMrtnrMQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTlU3OVcxUnFEMmRyeHlX
UUtxK1RRM3ZubThkejdMVjRqQVp5K1o4N2ljCk9ZVk1RZmEwNXBMTitZa2NmZ1Y0
U2ZqdE81WEhzSHByN2FQMTN2M240bDAKLS0tIDVFOEhwL1I3NnRRTTBqZ1UxbEg3
M0paRmNFa3pYakFRRkxtdVAvWk5PT0UKP4nQCuFT2EiLkZUzu/XWj6+v7bdWFj4o
4oQ4bmv+hTklYb9KOl3XM089z4ixtgJeGWzUiV3Omqt3sorbG8wOBw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ekt5xz7u2xgdzgsrffhd9x22n80cn4thxd8zxjy2ey5vq3ca7gnqz25g5r
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMOG5yMVBnSTRLckxXcFVp
cHMwcGtleGhPalROVzlIeXN0QUFqcG9YZDNZCnhSRjI2SUdqWk5KaVg5eXJZQjh2
ME5iUGNLeUxhbkc3YjczN1lmKzFGa28KLS0tIDBIYXkwSGVhVU12eDJ4Mk1ZUFk0
ZVNoUnlwRDhTM1NvZUVYUW5OWm9HdGMKZHO7ouk5xDWfSBeBLAVIYTQc4Zzp2CC8
Mxz8Sc7cIxBPb1qtYQud9pg6fxYNhvbZdwL60p6vRT/KegEmPyEgog==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jpeh4s553taxkyxhzlshzqjfrtvmmp5lw0hmpgn3mdnmgzku332qe082dl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPaXZjb283SjFaZDBOQ1Vs
S1dEWm13dUFyWm1yUnRmaHdRUndDK3paaFI0CmxpcjJIdDZVR203WUg3dWpjbERu
OFZmVGw5Z3BYQVBBQ2VKK2M4RGgwNjAKLS0tIFFGa3V3cUU1N0RyRStJSlNkdzdV
QUx5MEkxM2h2S1FucjBhNkFVWDZnQW8Kj/iJslXSS/I019/JjdXYZsCjMHCc6drH
0kXZL4itv8pjlVGDcGZXAHiDG4+LP4pI6hx8AElTZTk+9umMtaADzg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-24T23:21:20Z"
mac: ENC[AES256_GCM,data:lhS6GQLcCUwfmoSa81vN4EkouILMAAJ1sEc/laaUAQVb3Od2olVcJnXa8wJNaqRAhK9+3B2sJ44sjg6QojU1ROqHvfr5x+rnokws2ax3ikTMZThtBeR2srj+OnvbS/Enai3MHH16bQBKmbyHCk4oHnkr7mgMkGjks1uT8pFJwuk=,iv:aZ70kTNPV/JuD4PjlB/wecCv1ynoQQ6VQ9Ob4eu2jlg=,tag:xBZHz2hm+BRfpUK5+25GQA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

2
nixos/modules/nixos/containers/plex/default.nix
View file

@ -41,7 +41,7 @@ in
"/etc/localtime:/etc/localtime:ro" "/etc/localtime:/etc/localtime:ro"
]; ];
environment = { environment = {
PLEX_ADVERTISE_URL = "https://10.8.20.44:32400,https://${app}.${config.mySystem.domain}:443"; # TODO var ip PLEX_ADVERTISE_URL = "https://10.8.20.42:32400,https://${app}.${config.mySystem.domain}:443"; # TODO var ip
}; };
ports = [ "${builtins.toString port}:${builtins.toString port}" ]; # expose port ports = [ "${builtins.toString port}:${builtins.toString port}" ]; # expose port
labels = lib.myLib.mkTraefikLabels { labels = lib.myLib.mkTraefikLabels {

4
nixos/modules/nixos/containers/redlib/default.nix
View file

@ -12,7 +12,7 @@ in
# fuck /u/spez # fuck /u/spez
config = config =
myLib.mkService mkIf cfg.enable (myLib.mkService
{ {
app = "Redlib"; app = "Redlib";
description = "Reddit alternate frontend"; description = "Reddit alternate frontend";
@ -37,7 +37,7 @@ in
dropAll = true; dropAll = true;
}; };
}; };
}; });
# mkService # mkService
# app: App Name, string, required # app: App Name, string, required
# appUrl: App url, string, default "https://APP.DOMAIN" # appUrl: App url, string, default "https://APP.DOMAIN"