stuff

2024-08-04 16:26:35 -07:00
parent 2f498e49c7
commit 9d8a096916
4 changed files with 70 additions and 6 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -122,9 +122,17 @@

    nixosModules.common = import ./common/module.nix;
    packages.x86_64-linux.digitalOceanImage = import ./generic-digitalocean-nixos.nix { inherit inputs; };
+    packages.x86_64-linux.authorizedKeys = let
+      pkgs = nixpkgs.legacyPackages.x86_64-linux;
+    in pkgs.writeText "authorizedKeys" (pkgs.lib.concatStringsSep "\n" self.nixosConfigurations.fw.config.vacu.ssh.authorizedKeys);
+    packages.aarch64-linux.authorizedKeys = let
+      pkgs = nixpkgs.legacyPackages.aarch64-linux;
+    in pkgs.writeText "authorizedKeys" (pkgs.lib.concatStringsSep "\n" self.nixOnDroidConfigurations.default.config.vacu.ssh.authorizedKeys);
+    
    qb = /* qb is "quick build" */ let
      toplevelOf = name: self.nixosConfigurations.${name}.config.system.build.toplevel;
      deterministicCerts = import ./deterministic-certs.nix { nixpkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; };
+      pkgs = nixpkgs.legacyPackages.x86_64-linux;
    in rec {
      # nix-on-droid is impure >:(
      # nod = self.nixOnDroidConfigurations.default.activationPackage;
@@ -143,6 +151,10 @@
      check-trip = check-triple-dezert;
      check-liam = self.checks.x86_64-linux.liam.driver;

+      authorizedKeys = self.packages.x86_64-linux.authorizedKeys;
+      authorizedKeysAarch = self.packages.aarch64-linux.authorizedKeys;
+      ak = authorizedKeys;
+
      dc-priv = deterministicCerts.privKeyFile "test";
      dc-cert = deterministicCerts.selfSigned "test" {};
    };
--- a/triple-dezert/frontproxy.nix
+++ b/triple-dezert/frontproxy.nix
@@ -10,6 +10,7 @@ let
    "vacu.store"
    "jean-luc.org"
    "pwrhs.win"
+    "jf.finaltask.xyz"
  ];
 in {
  security.acme.acceptTerms = true;
@@ -71,6 +72,7 @@ in {
        "${outer_config.containers.nix-cache-nginx.localAddress}" = [ "nix-cache" ];
        "${outer_config.containers.jl-stats.localAddress}" = [ "jl_stats" ];
        "${outer_config.containers.static-stuff.localAddress}" = [ "static_stuff" ];
+        "${outer_config.containers.jellyfin.localAddress}" = [ "jellyfin" ];
      };
    };
  };
--- a/triple-dezert/haproxy-config.cfg
+++ b/triple-dezert/haproxy-config.cfg
@@ -25,7 +25,7 @@ defaults

 frontend main
  bind :80
-  bind :443 ssl crt /certs/shelvacu.com/full.pem crt /certs/vacu.store/full.pem crt /certs/jean-luc.org/full.pem crt /certs/pwrhs.win/full.pem
+  bind :443 ssl crt /certs/shelvacu.com/full.pem crt /certs/vacu.store/full.pem crt /certs/jean-luc.org/full.pem crt /certs/pwrhs.win/full.pem crt /certs/jf.finaltask.xyz/full.pem

  mode http

@@ -36,12 +36,13 @@ frontend main
  # Check whether the client is attempting domain fronting.
  acl ssl_sni_http_host_match ssl_fc_sni,strcmp(req.host) eq 0

-  acl host_vacustore var(req.host) -m str "vacu.store"
  # acl host_auth var(req.host) -m str "auth.shelvacu.com"
-  acl host_cache var(req.host) -m str "nixcache.shelvacu.com"
-  acl host_stats_jl var(req.host) -m str "stats.jean-luc.org"
-  acl host_tulpaudcast_jl var(req.host) -m str "tulpaudcast.jean-luc.org"
-  acl host_habitat_pwrhs var(req.host) -m str "habitat.pwrhs.win"
+  acl host_vacustore       var(req.host) -m str "vacu.store"
+  acl host_cache           var(req.host) -m str "nixcache.shelvacu.com"
+  acl host_stats_jl        var(req.host) -m str "stats.jean-luc.org"
+  acl host_tulpaudcast_jl  var(req.host) -m str "tulpaudcast.jean-luc.org"
+  acl host_habitat_pwrhs   var(req.host) -m str "habitat.pwrhs.win"
+  acl host_jellyfin        var(req.host) -m str "jf.finaltask.xyz"

  http-after-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" if { ssl_fc }

@@ -64,6 +65,7 @@ frontend main
  http-request allow if host_stats_jl
  http-request allow if host_tulpaudcast_jl
  http-request allow if host_habitat_pwrhs
+  http-request allow if host_jellyfin
  http-request return status 404 string "not found" content-type text/plain

  use_backend vacustore if host_vacustore
@@ -72,6 +74,7 @@ frontend main
  use_backend jl_stats if host_stats_jl
  use_backend static_stuff if host_tulpaudcast_jl
  use_backend habitat if host_habitat_pwrhs
+  use_backend jellyfin if host_jellyfin
  
 backend vacustore
  mode http
@@ -83,6 +86,11 @@ backend kani
  option forwardfor
  server main kani:8443 check maxconn 500 ssl verify none ssl-reuse

+backend jellyfin
+  mode http
+  option forwardfor
+  server main jellyfin:8096 check maxconn 100 proto h1
+
 # backend keycloak
 #   mode http
 #   option forwardfor
--- a/triple-dezert/jellyfin.nix
+++ b/triple-dezert/jellyfin.nix
@@ -0,0 +1,42 @@
+{ config, pkgs, ... }: let
+  name = "jellyfin";
+  contain = config.containers.${name};
+in {
+  
+  systemd.tmpfiles.settings.${name}."/trip/${name}".d = {
+    mode = "0755";
+  };
+
+  containers.${name} = {
+    privateNetwork = true;
+    hostAddress = "192.168.100.16";
+    localAddress = "192.168.100.17";
+
+    autoStart = true;
+    ephemeral = true;
+    restartIfChanged = true;
+    bindMounts."/${name}" = {
+      hostPath = "/trip/${name}";
+      isReadOnly = false;
+    };
+
+    config = { pkgs, ... }: {
+      system.stateVersion = "24.05";
+
+      networking.useHostResolvConf = false;
+      networking.nameservers = [ "10.78.79.1" ];
+      networking.firewall.enable = false;
+
+      services.jellyfin = {
+        enable = true;
+	dataDir = "/${name}";
+      };
+
+      environment.systemPackages = with pkgs; [
+        jellyfin
+	jellyfin-web
+	jellyfin-ffmpeg
+      ];
+    };
+  };
+}