From 8766c444192b66b1f48a9bdaa0c93f3cc388e1fa Mon Sep 17 00:00:00 2001 From: Max Date: Wed, 5 Jun 2024 00:45:19 +0200 Subject: [PATCH] cluster/services/c-f32aebf5: init --- cluster/services/c-f32aebf5/default.nix | 6 ++ cluster/services/c-f32aebf5/host.nix | 120 ++++++++++++++++++++++++ 2 files changed, 126 insertions(+) create mode 100644 cluster/services/c-f32aebf5/default.nix create mode 100644 cluster/services/c-f32aebf5/host.nix diff --git a/cluster/services/c-f32aebf5/default.nix b/cluster/services/c-f32aebf5/default.nix new file mode 100644 index 0000000..34cf1e6 --- /dev/null +++ b/cluster/services/c-f32aebf5/default.nix @@ -0,0 +1,6 @@ +{ + services.c-f32aebf5 = { + nodes.host = [ "VEGAS" ]; + nixos.host = [ ./host.nix ]; + }; +} diff --git a/cluster/services/c-f32aebf5/host.nix b/cluster/services/c-f32aebf5/host.nix new file mode 100644 index 0000000..141cf31 --- /dev/null +++ b/cluster/services/c-f32aebf5/host.nix @@ -0,0 +1,120 @@ +{ config, depot, lib, pkgs, ... }: + +let + cid = "c-f32aebf5"; + link = config.links.${cid}; + root = "/var/lib/${cid}"; + home = "${root}/pfx"; + + sptAki = { + release-3_8_0 = pkgs.fetchurl { + url = "https://dev.sp-tarkov.com/SPT/Stable-releases/releases/download/3.8.0/RELEASE-SPT-3.8.0-29197-2dd4d91.7z"; + hash = "sha256-IRMzI+hQkoCmVJXkAV4c/b2l/MtLb98IwDftMbFTlxA="; + }; + update-3_8_1 = pkgs.fetchurl { + url = "https://spt-releases.modd.in/SPT-3.8.1-29197-d3ac83e.7z"; + hash = "sha256-3roQlHgi8CUtLKji2YZLNgo8s92eUv3a+AbKo7VFB2U="; + }; + }; + + installSpt = pkgs.writeShellScript "install-spt" '' + mkdir spt + cd spt + ${pkgs.p7zip}/bin/7z x -y ${sptAki.release-3_8_0} + ${pkgs.p7zip}/bin/7z x -y ${sptAki.update-3_8_1} + ''; +in + +{ + links.${cid} = { + protocol = "http"; + ipv4 = depot.reflection.interfaces.primary.addrPublic; + }; + + users.users.${cid} = { + isNormalUser = true; + group = cid; + inherit home; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCvaZG+5642/jjqVaFGsS3DK0Jtg1wfMY4Yh20tFKtdcZEsLRy16KSJkPH447vP91pGkx8T+GJ1kXEw4dMR9dOKDwS2qCgHwAQbZ2V+/NNJ56bCzTo+geSc/imrWjiHQUhzPRcTyI6pVi3rVAhzEnAVjcC7a4LnLsIFW8Ill0kF8OR4tHoeDNCNN/0XOgZH4dIT9eQCyw4u5zOaw9W81eTL7K1PLmbAWW1+qd//C6CrpxpxNO/kAnOavkscK1uJSfGRcs7Vb5mKKV2J7Be0vxCVY8C8h1qcYcrzudTs9MbQAgFP00bVcvl/byd5CAccQ2wBfuwUdJBC4MV8HZ152biGds8sdCBDoxyvSqScaBFza0iHAXPEygvfx+gEW9KNssfBoiU50SJgWbQUp9gQoppATg8XHqUI03xUeVBRbTyf7UMd2Qk3slWPEnEXlzvjwKGxyLsI0WKdWtqALgKe7mDn+wDAG15CayACi4kgKkZh3VariRC5Ks17LJdLH67vBvs=" + ]; + }; + users.groups.${cid} = {}; + + systemd.services.${cid} = { + wantedBy = [ "multi-user.target" ]; + + path = [ + pkgs.jq + pkgs.wine64Packages.staging + pkgs.tmux + ]; + + preStart = '' + cd ${home} + test -e drive_c || wine64 wineboot + + cd drive_c + test -e spt || ${installSpt} + + cd spt + jq < Aki_Data/Server/configs/http.json > .http-new.json \ + '.ip = "${link.ipv4}" | .port = ${link.portStr} | .backendIp = "${link.ipv4}" | .backendPort = ${link.portStr}' + mv .http-new.json Aki_Data/Server/configs/http.json + ''; + + script = '' + cd ${home}/drive_c/spt + tmux new -s 0 -d wine64 Aki.Server.exe + exec tmux wait-for stop + ''; + + environment = { + WINEPREFIX = "${home}"; + }; + + restartIfChanged = false; + + serviceConfig = { + DynamicUser = true; + User = cid; + Group = cid; + ReadWritePaths = [ home ]; + + CPUQuota = "75%"; + MemoryMax = "2G"; + MemorySwapMax = "2G"; + + IPAddressDeny = [ + "10.0.0.0/8" + "100.64.0.0/10" + "169.254.0.0/16" + "172.16.0.0/12" + "192.0.0.0/24" + "192.0.2.0/24" + "192.168.0.0/16" + "198.18.0.0/15" + "198.51.100.0/24" + "203.0.113.0/24" + "240.0.0.0/4" + "100::/64" + "2001:2::/48" + "2001:db8::/32" + "fc00::/7" + "fe80::/10" + ]; + IPAddressAllow = lib.unique config.networking.nameservers; + }; + }; + + services.openssh.extraConfig = '' + Match User ${cid} + ChrootDirectory ${root} + ForceCommand internal-sftp -d /pfx/drive_c + AllowTcpForwarding no + X11Forwarding no + PasswordAuthentication no + ''; + + networking.firewall.allowedTCPPorts = [ link.port ]; +}