From 3c3fe165697be36277fb57169a291aa653850b9c Mon Sep 17 00:00:00 2001
From: Colin
Date: Tue, 28 Nov 2023 11:46:47 +0000
Subject: [PATCH] servo: enable Soulseek
---
 hosts/by-name/servo/services/default.nix | 1 +
 hosts/by-name/servo/services/slskd.nix | 83 +++++++++++++++++++
 hosts/by-name/servo/services/transmission.nix | 5 ++
 hosts/common/ids.nix | 2 +
 nixpatches/list.nix | 5 ++
 secrets/servo/slskd_env.bin | 32 +++++++
 6 files changed, 128 insertions(+)
 create mode 100644 hosts/by-name/servo/services/slskd.nix
 create mode 100644 secrets/servo/slskd_env.bin
diff --git a/hosts/by-name/servo/services/default.nix b/hosts/by-name/servo/services/default.nix
index 88fcd2e6..520789b0 100644
--- a/hosts/by-name/servo/services/default.nix
+++ b/hosts/by-name/servo/services/default.nix
@@ -27,6 +27,7 @@
 ./pleroma.nix
 ./postgres.nix
 ./prosody
+ ./slskd.nix
 ./transmission.nix
 ./trust-dns.nix
 ./wikipedia.nix
diff --git a/hosts/by-name/servo/services/slskd.nix b/hosts/by-name/servo/services/slskd.nix
new file mode 100644
index 00000000..e21de38f
--- /dev/null
+++ b/hosts/by-name/servo/services/slskd.nix
@@ -0,0 +1,83 @@
+# Soulseek daemon (p2p file sharing with an emphasis on Music)
+# docs:
+#
+# config precedence (higher precedence overrules lower precedence):
+# - Default Values < Environment Variables < YAML Configuraiton File < Command Line Arguments
+{ config, lib, ... }:
+{
+ sane.persist.sys.byStore.plaintext = [
+ { user = "slskd"; group = "slskd"; path = "/var/lib/slskd"; }
+ ];
+ sops.secrets."slskd_env" = {
+ owner = config.users.users.slskd.name;
+ mode = "0400";
+ };
+
+ users.users.slskd.extraGroups = [ "media" ];
+
+ sane.ports.ports."50000" = {
+ protocol = [ "tcp" ];
+ # not visible to WAN: i run this in a separate netns
+ visibleTo.ovpn = true;
+ description = "colin-soulseek";
+ };
+
+ sane.dns.zones."uninsane.org".inet.CNAME."soulseek" = "native";
+
+ # slskd unconditionally manages nginx for me.
+ services.nginx.virtualHosts."soulseek.uninsane.org" = lib.mkForce {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://10.0.1.6:5001";
+ proxyWebsockets = true;
+ };
+ };
+
+ services.slskd.enable = true;
+ # env file, for auth (SLSKD_SLSK_PASSWORD, SLSKD_SLSK_USERNAME)
+ services.slskd.environmentFile = config.sops.secrets.slskd_env.path;
+ services.slskd.settings = {
+ soulseek.diagnostic_level = "Debug"; # one of "None"|"Warning"|"Info"|"Debug"
+ shares.directories = [
+ # folders to share
+ # syntax:
+ # [Alias]/path/on/disk
+ # NOTE: Music library is quick to scan; videos take a solid 10min to scan.
+ # TODO: re-enable the other libraries
+ # "[Audioooks]/var/lib/uninsane/media/Books/Audiobooks"
+ # "[Books]/var/lib/uninsane/media/Books/Books"
+ # "[Manga]/var/lib/uninsane/media/Books/Visual"
+ # "[games]/var/lib/uninsane/media/games"
+ "[Music]/var/lib/uninsane/media/Music"
+ # "[Film]/var/lib/uninsane/media/Videos/Film"
+ # "[Shows]/var/lib/uninsane/media/Videos/Shows"
+ ];
+ # directories.downloads = "..." # TODO
+ # directories.incomplete = "..." # TODO
+ # what unit is this? kbps??
+ global.upload.speed_limit = 32000;
+ web.logging = true;
+ debug = true;
+ flags.no_logo = true; # don't show logo at start
+ # flags.volatile = true; # store searches and active transfers in RAM (completed transfers still go to disk). rec for btrfs/zfs
+ };
+
+ services.slskd.nginx = {
+ # NOTE: i override these settings elsewhere.
+ # slskd offers no option to disable nginx integration, for now.
+ # but because of the netns, its default config isn't usable for me.
+ domainName = "soulseek.uninsane.org";
+ contextPath = "/";
+ };
+
+ systemd.services.slskd = {
+ serviceConfig = {
+ # run this behind the OVPN static VPN
+ NetworkNamespacePath = "/run/netns/ovpns";
+ Restart = "on-failure";
+ RestartSec = "30s";
+ Group = "media";
+ };
+ };
+}
diff --git a/hosts/by-name/servo/services/transmission.nix b/hosts/by-name/servo/services/transmission.nix
index 1a65244f..0a991001 100644
--- a/hosts/by-name/servo/services/transmission.nix
+++ b/hosts/by-name/servo/services/transmission.nix
@@ -91,5 +91,10 @@
 };
 sane.dns.zones."uninsane.org".inet.CNAME."bt" = "native";
+ sane.ports.ports."51413" = {
+ protocol = [ "tcp" "udp" ];
+ visibleTo.ovpn = true;
+ description = "colin-bittorrent";
+ };
 }
diff --git a/hosts/common/ids.nix b/hosts/common/ids.nix
index 86b4d682..79366b1c 100644
--- a/hosts/common/ids.nix
+++ b/hosts/common/ids.nix
@@ -51,6 +51,8 @@ sane.ids.ntfy-sh.gid = 2415;
 sane.ids.monero.uid = 2416;
 sane.ids.monero.gid = 2416;
+ sane.ids.slskd.uid = 2417;
+ sane.ids.slskd.gid = 2417;
 sane.ids.colin.uid = 1000;
 sane.ids.guest.uid = 1100;
diff --git a/nixpatches/list.nix b/nixpatches/list.nix
index 01f8e584..0becc9da 100644
--- a/nixpatches/list.nix
+++ b/nixpatches/list.nix
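Review bot: The `services.nginx.virtualHosts."soulseek.uninsane.org"` block in slskd.nix appears to publish the slskd web UI through nginx with no access control of its own, so the UI's login is the only gate, yet the env-file comment lists only the Soulseek network credentials (`SLSKD_SLSK_USERNAME`, `SLSKD_SLSK_PASSWORD`). The secret is encrypted, so its contents cannot be checked from here, but if the web UI credentials (`web.authentication.username`/`password`, which I believe correspond to `SLSKD_USERNAME`/`SLSKD_PASSWORD`) are not set there as well, slskd falls back to its documented defaults. I would add them to `slskd_env` and extend the comment to `# env file, for auth (SLSKD_SLSK_USERNAME, SLSKD_SLSK_PASSWORD, SLSKD_USERNAME, SLSKD_PASSWORD)`. Separately, `debug = true;`, `web.logging = true;` and `soulseek.diagnostic_level = "Debug";` look like bring-up settings; once the service works I would drop `debug` and lower the level to `"Info"` so request and peer detail is not written to the logs indefinitely.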
@@ -28,6 +28,11 @@ in [
 prUrl = "https://github.com/NixOS/nixpkgs/pull/270393";
 hash = "sha256-Kqqfy9Mludc5wr0TSUg9gEOZsfUL65WpF+hy64k33MY=";
 })
+ (fetchpatch' {
+ title = "slskd: allow omitting username from yaml config";
+ saneCommit = "541c37e8689b6422ea07be1395f1a63357bb0c63";
+ hash = "sha256-xQEj/oIfNcE4td9jxzDzhlnIYpncOOdXZuswkmcLNuk=";
+ })
 (fetchpatch' {
 title = "vala: look for files in targetOffset";
 prUrl = "https://github.com/NixOS/nixpkgs/pull/267550";
diff --git a/secrets/servo/slskd_env.bin b/secrets/servo/slskd_env.bin
new file mode 100644
index 00000000..00f190e2
--- /dev/null
+++ b/secrets/servo/slskd_env.bin
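Review bot: The new `fetchpatch'` entry in nixpatches/list.nix is identified only by `saneCommit`, whereas the neighbouring entries carry a `prUrl` pointing at an upstream nixpkgs review, so nothing here records where the change was reviewed or when it can be dropped. The `hash` pins the patch content, which covers integrity; what is missing is provenance for the next maintainer. I would add a comment above the entry such as `# carried from my nixpkgs fork; replace with prUrl once submitted upstream`. The enclosing list starts and ends outside the hunk.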
@@ -0,0 +1,32 @@ +{ + "data": "ENC[AES256_GCM,data:mZIFDSetNp+8raXDsMhGzYaLkI8OGtZzC06NhhMCGuNute1K95gfmjw4dEPu7uY0Fug2f2I4Vv1+MY5Ep+pPJNgn0Sofrr33gtZEIvgoTeQx2h8EU1Ra4x6UDFp4wT3TyvIVluulCCpO3tFJPQCPNVCMVaQaU3Bkg0087uffMyXtVMVMYZh2SyZ7tUAjTXN3q6ldtOBUFnqDMSBJuAdAwcifOqWhmvg=,iv:GYYP2TJTq0KAicq4w7RcPwqq7jiG3hxe/DYK1RqIo6o=,tag:xEejSMaOmFowg2npk3KwxQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKLzFJT1hoMkxQQzAwZ0Mz\naHh5N1BRbSsxTlpPWElLcnpucXI5MkdibndrCmpld3RMTERtQ0JkOTNlSHRsTWFw\nNkRHT1RXRFU3VW16ZEU3TXJuS09QRTgKLS0tIFdoQlFkOHg0MVNMUCtKTFBXblJE\na2o0VUFwN04yWFF1R3ZRSUdob0tIdFkK0XGQ6NCPl/c7TPwoMxKp2ObOaBOX5oOD\nMf75R9cNHCRnfLUOy8n/BBWx9eubneCdr2RzU5M6BhB6VwhFJL78WA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYZFFCUVRBUGVMcDVJeGUr\nNnRUdVdueVRWSkxzZmg4UWU4eU1YbVhMbVdFCjBXSE5xY3lvTU1UYk13eVg4QWRi\nRHpiczBQTlV2QTdjRlRDcnZDT0ZSQW8KLS0tIDlJODU2U3RXUEVJa2tIek9RcTJU\nSlFCZ1BWZjE4ejBzMWNCUXZzSTRjK1UK6bKzyHGjSQ85oLJfrTkz/kOTs74zYgfQ\nneC9WdjHp+gABfuUejGzhY93x+YWhPPT/hlu6vDzIX36NKSd0+u4IA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0LzE1cjdKMUQ0b001U1Fw\nSVJHUUJNVUR6Y3IzcVdXNzFja1RaN25xdFRjCmJzZGdtWk5SazM5SWlnVFRxRzNX\nVExCZnNIVDhxcitzbW1kNGdIbG5lWWMKLS0tIFdZajd0TERHdVNaQnpnWUpPNE1y\nZWdaZS9Ecy9ZRXFnUWd3RUtEc2ZDQWsK1nuj6AFiVXSgyAhLla6TiHG8ehjIREe8\nln5qzUX9gm9nRB9XWiGSoyDdi5pv3Z1Gu/FLChU0rJKjghtXaF23jg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": 
"age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByTWFJQ3lTR3VTdmZlOUFU\nc0tJWDhKSGdheG81YUFwdlRRcXUzYmQxK21JClp3amlnYVBpUFFud1ZzS29keFlB\nSUhubnJYWDFnS2RnUk5HMS8xWUdTMFkKLS0tIEJQOWRRbUVrS3RDdFdKcVR1NVZ0\nTnI4YnJ0Z0I5WVFVbkFpRzVGWjFtLzgKETtaVmBmNQ34GZ7ZDQhGKW+sFcaYH9Y9\nnH+syjA+nXF3VnDxTathpSkFlNIDq8GiZniKxghT1OoMwNEcHWq8cQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2023-11-28T11:23:59Z", + "mac": "ENC[AES256_GCM,data:yD7KZUA2XAF/xcYC3lggPMRk/RMLfCMNuaY8iIHzdi9PFqL2HeVMVsrPQgTuct5HUM5gIzOyQHTQTAo7BOsbqbvudiw82Kvyi/NoIl8nL+U0KUWLUGf2x9TfDCjwc+/e4GMAf1BgWDR9KJJn3t7HLHtfuYu7jOZG0XwHUgIsIOY=,iv:t9ZdMmVwNl7JuIF0epbWl8EbEYxvM/DG6DVQfx/W0/Q=,tag:Oz05qMxx9McO8+43gDjn7w==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file