titaniumtown/server-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: titaniumtown:bf3c949b70ebd5fe06f4e8dd18e45e599ec913a1
Branches Tags
titaniumtown:main
..
compare: titaniumtown:08cbc37f940e624e758c66168d740195f311b690
Branches Tags
titaniumtown:main

3 Commits
bf3c949b70 ... 08cbc37f94

Author SHA1 Message Date
Simon Gardling
08cbc37f94 minecraft: fix map perms 2026-03-04 19:40:18 -05:00
Simon Gardling
f784f26848 monero: changes 2026-03-04 18:56:55 -05:00
Simon Gardling
b5be21ff8c secrets: cleanup activation scripts 2026-03-04 17:35:49 -05:00
5 changed files with 13 additions and 39 deletions
Expand all files Collapse all files

8
modules/age-secrets.nix
View File

@@ -13,11 +13,13 @@
# Configure all agenix secrets # Configure all agenix secrets
age.secrets = { age.secrets = {
# ZFS encryption key # ZFS encryption key
# path is set to /etc/zfs-key to match the ZFS dataset keylocation property
zfs-key = { zfs-key = {
file = ../secrets/zfs-key.age; file = ../secrets/zfs-key.age;
mode = "0400"; mode = "0400";
owner = "root"; owner = "root";
group = "root"; group = "root";
path = "/etc/zfs-key";
}; };
# Secureboot keys archive # Secureboot keys archive
@@ -53,9 +55,9 @@
slskd_env = { slskd_env = {
file = ../secrets/slskd_env.age; file = ../secrets/slskd_env.age;
mode = "0400"; mode = "0500";
owner = "root"; owner = config.services.slskd.user;
group = "root"; group = config.services.slskd.group;
}; };
# Network configuration # Network configuration

18
modules/zfs.nix
View File

@@ -4,24 +4,7 @@
pkgs, pkgs,
... ...
}: }:
let
# DO NOT CHANGE
# path is set via a zfs property
zfs-key = "/etc/zfs-key";
in
{ {
system.activationScripts = {
# Copy decrypted ZFS key from agenix to expected location
# /etc is on tmpfs due to impermanence, so no persistent storage risk
"zfs-key".text = ''
#!/bin/sh
rm -f ${zfs-key} || true
cp ${config.age.secrets.zfs-key.path} ${zfs-key}
chmod 0400 ${zfs-key}
chown root:root ${zfs-key}
'';
};
boot.zfs.package = pkgs.zfs; boot.zfs.package = pkgs.zfs;
boot.initrd.kernelModules = [ "zfs" ]; boot.initrd.kernelModules = [ "zfs" ];
@@ -43,6 +26,7 @@ in
"zfs.zfs_dirty_data_max=${builtins.toString dirty_b}" "zfs.zfs_dirty_data_max=${builtins.toString dirty_b}"
"zfs.zfs_delay_min_dirty_percent=80" # delay write throttling until 80% dirty (default 60%) "zfs.zfs_delay_min_dirty_percent=80" # delay write throttling until 80% dirty (default 60%)
"zfs.zfs_vdev_async_write_max_active=30" # more concurrent async writes to vdevs (default 10) "zfs.zfs_vdev_async_write_max_active=30" # more concurrent async writes to vdevs (default 10)
"zfs.zfs_vdev_async_read_max_active=10" # more concurrent async reads for random I/O (default 3)
]; ];
boot.supportedFilesystems = [ "zfs" ]; boot.supportedFilesystems = [ "zfs" ];

8
services/minecraft.nix
View File

@@ -18,6 +18,9 @@
(lib.serviceFilePerms "minecraft-server-${service_configs.minecraft.server_name}" [ (lib.serviceFilePerms "minecraft-server-${service_configs.minecraft.server_name}" [
"Z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 700 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}" "Z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 700 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}"
"Z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap/web 750 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}" "Z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap/web 750 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}"
# Allow caddy (in minecraft group) to traverse to squaremap/web for map.gardling.com
"z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 710 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}"
"z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap 710 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}"
]) ])
]; ];
@@ -190,9 +193,4 @@
]; ];
}; };
systemd.tmpfiles.rules = [
# Allow caddy (in minecraft group) to traverse to squaremap/web for map.gardling.com
"z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 710 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}"
"z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap 710 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}"
];
} }

3
services/monero.nix
View File

@@ -17,15 +17,18 @@
enable = true; enable = true;
dataDir = service_configs.monero.dataDir; dataDir = service_configs.monero.dataDir;
rpc = { rpc = {
address = "0.0.0.0";
port = service_configs.ports.monero_rpc; port = service_configs.ports.monero_rpc;
restricted = true; restricted = true;
}; };
extraConfig = '' extraConfig = ''
p2p-bind-port=${builtins.toString service_configs.ports.monero} p2p-bind-port=${builtins.toString service_configs.ports.monero}
db-sync-mode=fast:async:1000000000bytes
''; '';
}; };
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
service_configs.ports.monero service_configs.ports.monero
service_configs.ports.monero_rpc
]; ];
} }

15
services/soulseek.nix
View File

@@ -6,9 +6,6 @@
username, username,
... ...
}: }:
let
slskd_env = "/etc/slskd_env";
in
{ {
imports = [ imports = [
(lib.serviceMountWithZpool "slskd" "" [ (lib.serviceMountWithZpool "slskd" "" [
@@ -26,20 +23,10 @@ in
users.groups."music" = { }; users.groups."music" = { };
system.activationScripts = {
"skskd_env".text = ''
#!/bin/sh
rm -fr ${slskd_env} || true
cp ${config.age.secrets.slskd_env.path} ${slskd_env}
chmod 0500 ${slskd_env}
chown ${config.services.slskd.user}:${config.services.slskd.group} ${slskd_env}
'';
};
services.slskd = { services.slskd = {
enable = true; enable = true;
domain = null; # null so we don't use nginx reverse proxy domain = null; # null so we don't use nginx reverse proxy
environmentFile = slskd_env; environmentFile = config.age.secrets.slskd_env.path;
settings = { settings = {
web = { web = {