patrick/nix-config
1
1
Fork 0
Code Issues Pull requests Projects Wiki Activity

feat: better your_spotify modules

Browse source
This commit is contained in:
Patrick 2024-03-02 12:52:56 +01:00
parent 6fe5d90427
commit 64c214ae4e
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
7 changed files with 110 additions and 43 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
hosts/desktopnix/default.nix
View file

@ -19,6 +19,7 @@
../../modules/hardware/physical.nix ../../modules/hardware/physical.nix
../../modules/hardware/pipewire.nix ../../modules/hardware/pipewire.nix
../../modules/hardware/yubikey.nix ../../modules/hardware/yubikey.nix
../../modules/hardware/bluetooth.nix
../../modules/hardware/zfs.nix ../../modules/hardware/zfs.nix
../../modules/optional/streamdeck.nix ../../modules/optional/streamdeck.nix

16
hosts/elisabeth/guests.nix
View file

@ -16,6 +16,7 @@
ttrssdomain = "rss.${config.secrets.secrets.global.domains.web}"; ttrssdomain = "rss.${config.secrets.secrets.global.domains.web}";
vaultwardendomain = "pw.${config.secrets.secrets.global.domains.web}"; vaultwardendomain = "pw.${config.secrets.secrets.global.domains.web}";
spotifydomain = "spotify.${config.secrets.secrets.global.domains.web}"; spotifydomain = "spotify.${config.secrets.secrets.global.domains.web}";
apispotifydomain = "api.spotify.${config.secrets.secrets.global.domains.web}";
ipOf = hostName: lib.net.cidr.host config.secrets.secrets.global.net.ips."${config.guests.${hostName}.nodeName}" config.secrets.secrets.global.net.privateSubnetv4; ipOf = hostName: lib.net.cidr.host config.secrets.secrets.global.net.ips."${config.guests.${hostName}.nodeName}" config.secrets.secrets.global.net.privateSubnetv4;
in { in {
services.nginx = { services.nginx = {
@ -179,6 +180,21 @@ in {
extraConfig = '' extraConfig = ''
''; '';
}; };
upstreams.apispotify = {
servers."${ipOf "your_spotify"}:8080" = {};
extraConfig = ''
zone spotify 64k ;
keepalive 5 ;
'';
};
virtualHosts.${apispotifydomain} = {
forceSSL = true;
useACMEHost = "web";
locations."/".proxyPass = "http://apispotify";
extraConfig = ''
'';
};
upstreams.nextcloud = { upstreams.nextcloud = {
servers."${ipOf "nextcloud"}:80" = {}; servers."${ipOf "nextcloud"}:80" = {};

11
modules/services/your_spotify.nix
View file

@ -1,15 +1,18 @@
{config, ...}: { {config, ...}: {
imports = [./your_spotify_m.nix]; imports = [./your_spotify_m.nix];
age.secrets.spotify = { age.secrets.spotify = {
inherit (config.services.your_spotify) user group; owner = "your_spotify";
mode = "440";
rekeyFile = ../../secrets/your_spotify.age; rekeyFile = ../../secrets/your_spotify.age;
}; };
services.your_spotify = { services.your_spotify = {
enable = true; enable = true;
config = { settings = {
clientEndpoint = "https://spotify.${config.secrets.secrets.global.domains.web}"; CLIENT_ENDPOINT = "https://spotify.${config.secrets.secrets.global.domains.web}";
apiEndpoint = "https://api.spotify.${config.secrets.secrets.global.domains.web}"; API_ENDPOINT = "https://api.spotify.${config.secrets.secrets.global.domains.web}";
}; };
enableLocalDB = true;
enableNginxVirtualHost = true;
environmentFile = config.age.secrets.spotify.path; environmentFile = config.age.secrets.spotify.path;
}; };
environment.persistence."/persist".directories = [ environment.persistence."/persist".directories = [

58
modules/services/your_spotify_m.nix
View file

@ -28,7 +28,7 @@
then boolToString value then boolToString value
else toString value; else toString value;
}) })
cfg.config; cfg.settings;
configFile = pkgs.writeText "your_spotify.env" (concatStrings (mapAttrsToList (name: value: "${name}=${value}\n") configEnv)); configFile = pkgs.writeText "your_spotify.env" (concatStrings (mapAttrsToList (name: value: "${name}=${value}\n") configEnv));
in { in {
@ -44,20 +44,20 @@ in {
clientPackage = mkOption { clientPackage = mkOption {
type = package; type = package;
default = cfg.package.client.override {inherit (cfg.config) apiEndpoint;}; default = cfg.package.client.override {apiEndpoint = cfg.settings.API_ENDPOINT;};
description = "Client package to use."; description = "Client package to use.";
}; };
settings = mkOption { settings = mkOption {
type = types.submodule { type = types.submodule {
freeformType = types.attrOf types.str; freeformType = types.attrsOf types.str;
options = { options = {
clientEndpoint = mkOption { CLIENT_ENDPOINT = mkOption {
type = str; type = str;
description = "The endpoint of your web application"; description = "The endpoint of your web application";
example = "https://your_spotify.example.org"; example = "https://your_spotify.example.org";
}; };
apiEndpoint = mkOption { API_ENDPOINT = mkOption {
type = str; type = str;
description = '' description = ''
The endpoint of your server The endpoint of your server
@ -170,20 +170,58 @@ in {
EnvironmentFile = [configFile] ++ optional (cfg.environmentFile != null) cfg.environmentFile; EnvironmentFile = [configFile] ++ optional (cfg.environmentFile != null) cfg.environmentFile;
ExecStartPre = "${pkgs.your_spotify}/bin/your_spotify_migrate"; ExecStartPre = "${pkgs.your_spotify}/bin/your_spotify_migrate";
ExecStart = "${pkgs.your_spotify}/bin/your_spotify_server"; ExecStart = "${pkgs.your_spotify}/bin/your_spotify_server";
StateDirectory = "your_spotify";
LimitNOFILE = "1048576"; LimitNOFILE = "1048576";
PrivateTmp = true; PrivateTmp = true;
PrivateDevices = true; PrivateDevices = true;
ProtectHome = true;
ProtectSystem = "strict";
StateDirectory = "your_spotify";
StateDirectoryMode = "0700"; StateDirectoryMode = "0700";
Restart = "always"; Restart = "always";
# Hardening
CapabilityBoundingSet = "";
LockPersonality = true;
MemoryDenyWriteExecute = true;
DevicePolicy = "closed";
SupplementaryGroups = ["dialout"];
#NoNewPrivileges = true; # Implied by DynamicUser
PrivateUsers = true;
#PrivateTmp = true; # Implied by DynamicUser
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = false; # breaks bwrap
ProtectKernelLogs = false; # breaks bwrap
ProtectKernelModules = true;
ProtectKernelTunables = false; # breaks bwrap
ProtectProc = "invisible";
ProcSubset = "all"; # Using "pid" breaks bwrap
ProtectSystem = "strict";
#RemoveIPC = true; # Implied by DynamicUser
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
#RestrictSUIDSGID = true; # Implied by DynamicUser
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"@mount" # Required by platformio for chroot
];
UMask = "0077";
}; };
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
}; };
services.nginx = { services.nginx = mkIf cfg.enableNginxVirtualHost {
enable = true; enable = true;
virtualHosts.${cfg.clientEndpoint}.root = cfg.clientPackage; virtualHosts.${cfg.settings.CLIENT_ENDPOINT} = {
locations."/".extraConfig = ''
try_files = "$uri $uri/ /index.html;
'';
};
}; };
services.mongodb = mkIf cfg.enableLocalDB { services.mongodb = mkIf cfg.enableLocalDB {
enable = true; enable = true;

30
pkgs/your_spotify.nix
View file

@ -5,7 +5,7 @@
makeWrapper, makeWrapper,
nodejs, nodejs,
lib, lib,
apiEndpoint ? "localhost:8080", callPackage,
}: let }: let
version = "1.7.3"; version = "1.7.3";
src_o = fetchFromGitHub { src_o = fetchFromGitHub {
@ -14,33 +14,7 @@
rev = "refs/tags/${version}"; rev = "refs/tags/${version}";
hash = "sha256-/0xKktywwGcqsuwLytWBJ3O6ADHg1nP6BdMRlkW5ErY="; hash = "sha256-/0xKktywwGcqsuwLytWBJ3O6ADHg1nP6BdMRlkW5ErY=";
}; };
client = mkYarnPackage rec { client = callPackage ./your_spotify_client.nix {inherit src_o version;};
inherit version;
pname = "your_spotify_client";
src = "${src_o}/client";
offlineCache = fetchYarnDeps {
yarnLock = src + "/yarn.lock";
hash = "sha256-9UfRVv7M9311lesnr19oThYnzB9cK23XNZejJY/Fd24=";
};
postPatch = ''
substituteInPlace tsconfig.json --replace-quiet '"extends": "../tsconfig.json",' ""
'';
buildPhase = ''
runHook preBuild
pushd ./deps/client_ts
yarn --offline run build
popd
runHook postBuild
'';
nativeBuildInputs = [makeWrapper];
installPhase = ''
mkdir -p $out
cp -r ./deps/client_ts/build/* $out
substituteInPlace $out/variables-template.js --replace-quiet '__API_ENDPOINT__' "${apiEndpoint}"
mv $out/variables-template.js $out/variables.js
'';
doDist = false;
};
in in
mkYarnPackage rec { mkYarnPackage rec {
inherit version; inherit version;

35
pkgs/your_spotify_client.nix Normal file
View file

@ -0,0 +1,35 @@
{
mkYarnPackage,
makeWrapper,
fetchYarnDeps,
apiEndpoint ? "localhost:8080",
src_o,
version,
}:
mkYarnPackage rec {
inherit version;
pname = "your_spotify_client";
src = "${src_o}/client";
offlineCache = fetchYarnDeps {
yarnLock = src + "/yarn.lock";
hash = "sha256-9UfRVv7M9311lesnr19oThYnzB9cK23XNZejJY/Fd24=";
};
postPatch = ''
substituteInPlace tsconfig.json --replace-quiet '"extends": "../tsconfig.json",' ""
'';
buildPhase = ''
runHook preBuild
pushd ./deps/client_ts
yarn --offline run build
popd
runHook postBuild
'';
nativeBuildInputs = [makeWrapper];
installPhase = ''
mkdir -p $out
cp -r ./deps/client_ts/build/* $out
substituteInPlace $out/variables-template.js --replace-quiet '__API_ENDPOINT__' "${apiEndpoint}"
mv $out/variables-template.js $out/variables.js
'';
doDist = false;
}

2
users/common/graphical/sway3.nix
View file

@ -40,7 +40,7 @@ let
"2:d" = [ "2:d" = [
{class = "^firefox$";} {class = "^firefox$";}
]; ];
"1:1" = [ "2:2" = [
{class = "^spotify$";} {class = "^spotify$";}
]; ];
"3:u" = [ "3:u" = [