  1. { pkgs, config, specialArgs, ... }:
  2.  
  3. let
  4. managerIp = "192.168.68.77";
  5. credentialsFile = "/etc/nixos/smb-credentials";
  6. mountPoint = "/mnt/media";
  7. password = builtins.readFile ./password.txt;
  8.  
  9. # Create the credentials file content
  10. credentialsContent = ''
  11. username=spiderunderurbed
  12. password=${password}
  13. domain=WORKGROUP
  14. '';
  15.  
  # One-shot bidirectional unison sync of the Jellyfin config and cache
  # directories between the user's home and the CIFS share.  Executed as
  # spiderunderurbed by systemd.services.sync-jellyfin-directories and again
  # by syncDaemon after every burst of file changes.
  syncScript = pkgs.writeShellScript "sync-jellyfin.sh" ''
    set -e

    # Opt-in gate.  The file lives in world-writable /tmp (tmpfiles creates
    # it at boot); if it is ever absent any local user can recreate it.
    FLAG="/tmp/sync-jellyfin-flag"
    if [ ! -f "$FLAG" ]; then
      ${pkgs.coreutils}/bin/echo "Flag file $FLAG not found, skipping sync."
      exit 0
    fi

    LOCAL=/home/spiderunderurbed/jellyfin
    REMOTE=${mountPoint}/jellyfin

    for d in config cache; do
      ${pkgs.coreutils}/bin/mkdir -p "$LOCAL/$d" "$REMOTE/$d"
    done

    # Hand the whole local tree to the user and make it group-writable:
    # 775 means every member of "users" can edit the Jellyfin configuration.
    ${pkgs.coreutils}/bin/chown -R spiderunderurbed:users "$LOCAL"
    ${pkgs.coreutils}/bin/chmod -R 775 "$LOCAL"

    # -batch/-auto: no prompts, non-conflicting changes propagate both ways.
    for d in config cache; do
      ${pkgs.unison}/bin/unison -batch -auto "$LOCAL/$d" "$REMOTE/$d"
    done

    ${pkgs.coreutils}/bin/echo "Bidirectional sync complete for jellyfin config and cache."
  '';

  # Long-running watcher: blocks on inotify events in the four synced
  # directories and re-runs syncScript after each burst of changes.
  syncDaemon = pkgs.writeShellScript "sync-jellyfin-daemon.sh" ''
    set -e

    export HOME=/home/spiderunderurbed
    FLAG="/tmp/sync-jellyfin-flag"

    # Checked once at start-up only; syncScript re-checks it on every run.
    if [ ! -f "$FLAG" ]; then
      echo "Flag file $FLAG not found, skipping sync."
      exit 0
    fi

    LOCAL=/home/spiderunderurbed/jellyfin
    REMOTE=${mountPoint}/jellyfin

    while true; do
      # Blocks until something changes under one of the watched trees.
      # Because of set -e, a failing inotifywait (e.g. a directory that does
      # not exist yet) ends the loop and systemd restarts the unit.
      # NOTE(review): inotify does not generally report changes made by other
      # hosts on a CIFS mount, so the $REMOTE watches presumably only fire for
      # writes made from this machine -- confirm.
      ${pkgs.inotify-tools}/bin/inotifywait -r -e modify,create,delete,move \
        "$LOCAL/config" "$LOCAL/cache" "$REMOTE/config" "$REMOTE/cache"

      # Coalesce a burst of events into one sync.
      ${pkgs.coreutils}/bin/sleep 2

      HOME=/home/spiderunderurbed ${syncScript}
    done
  '';
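
  # Mounts the CIFS share at mountPoint.  Runs as root from
  # systemd.services.mount-samba-share (oneshot, RemainAfterExit).
  mountScript = pkgs.writeShellScript "mount-samba-share.sh" ''
    set -e

    ${pkgs.coreutils}/bin/mkdir -p ${mountPoint}

    # Restarting the unit must not fail because the share is already
    # mounted, so treat an existing mount as success.
    if ${pkgs.util-linux}/bin/mountpoint -q ${mountPoint}; then
      ${pkgs.coreutils}/bin/echo "${mountPoint} is already mounted, nothing to do"
      exit 0
    fi

    # uid=1000/gid=100 are assumed to be spiderunderurbed:users; nothing in
    # this file pins that uid, so confirm on the host.  The credentials file
    # is generated by the environment.etc entry further down.
    /run/wrappers/bin/mount -t cifs //192.168.68.36/main ${mountPoint} \
      -o credentials=${credentialsFile},iocharset=utf8,uid=1000,gid=100,file_mode=0775,dir_mode=0775

    ${pkgs.coreutils}/bin/echo "Samba share mounted successfully at ${mountPoint}"
  '';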
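
  # Joins this node to the Docker Swarm at managerIp, gated on the
  # "enableswarm" secret being exactly "true".
  dockerSwarmJoinScript = pkgs.writeShellScript "docker-swarm-join" ''
    set -e

    ENABLESWARM=$(${pkgs.coreutils}/bin/cat "${config.secrets.enableswarm.file}")
    if [ "$ENABLESWARM" != "true" ]; then
      ${pkgs.coreutils}/bin/echo "Docker Swarm not enabled"
      exit 0
    fi

    # LocalNodeState is one of active / inactive / pending / error / locked.
    # Compare the whole value: a substring test for "active" also matches
    # "inactive", which would make this script skip the join forever.
    # If docker info itself fails, set -e ends the script non-zero and the
    # unit's Restart=on-failure retries later.
    STATE=$(${pkgs.docker}/bin/docker info --format '{{.Swarm.LocalNodeState}}')
    if [ "$STATE" = "active" ]; then
      ${pkgs.coreutils}/bin/echo "Already in Docker Swarm"
      exit 0
    fi

    # The join token is passed as a command-line argument and is therefore
    # visible in the process list for the duration of the join.
    TOKEN=$(${pkgs.coreutils}/bin/cat "${config.secrets.dockerswarm.file}")
    ${pkgs.coreutils}/bin/echo "Joining Docker Swarm..."
    exec ${pkgs.docker}/bin/docker swarm join --token "$TOKEN" ${managerIp}:2377
  '';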
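
  # Polls swarm membership every 30 s and restarts docker-swarm-join
  # whenever this node is no longer an active member.
  dockerSwarmMonitorScript = pkgs.writeShellScript "docker-swarm-monitor" ''
    set -e

    ENABLESWARM=$(${pkgs.coreutils}/bin/cat "${config.secrets.enableswarm.file}")
    if [ "$ENABLESWARM" != "true" ]; then
      exit 0
    fi

    while true; do
      # Exact comparison: "inactive" contains the substring "active", so a
      # grep for "active" can never detect a node that has left the swarm.
      # "|| true" keeps a transient docker failure from ending the loop;
      # an empty STATE simply triggers a join attempt.
      STATE=$(${pkgs.docker}/bin/docker info --format '{{.Swarm.LocalNodeState}}' || true)
      if [ "$STATE" != "active" ]; then
        ${pkgs.coreutils}/bin/echo "Not in Swarm, attempting to join..."
        ${pkgs.systemd}/bin/systemctl restart docker-swarm-join
      fi
      ${pkgs.coreutils}/bin/sleep 30
    done
  '';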
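
  # Starts a k3s agent joined to the server at managerIp, gated on the
  # "enablek8s" secret.  The agent is exec'd, so it becomes the unit's
  # main process and keeps running for as long as the node is joined.
  k8sJoinScript = pkgs.writeShellScript "k8s-join" ''
    set -e

    ENABLEK8S=$(${pkgs.coreutils}/bin/cat "${config.secrets.enablek8s.file}")
    if [ "$ENABLEK8S" != "true" ]; then
      ${pkgs.coreutils}/bin/echo "Kubernetes not enabled"
      exit 0
    fi

    # pgrep -f matches any process whose command line contains "k3s agent".
    if ${pkgs.procps}/bin/pgrep -f "k3s agent" >/dev/null; then
      ${pkgs.coreutils}/bin/echo "k3s agent already running"
      exit 0
    fi

    ${pkgs.coreutils}/bin/echo "Joining Kubernetes cluster..."
    # The token is handed over with --token-file instead of --token so it does
    # not sit in the long-lived agent's command line, which every local user
    # can read under /proc.
    # Flags previously tried and left disabled: --docker, --node-name, --with-node-id
    exec ${pkgs.k3s}/bin/k3s agent \
      --server https://${managerIp}:6443 \
      --token-file "${config.secrets.k8stoken.file}"
  '';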
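
  # Supervises the k3s agent: while it runs, just poll; when it is gone,
  # restart k8s-join, and give up (exit 1) after MAX_ATTEMPTS consecutive
  # failed restarts.  The unit has Restart=always, so giving up only means
  # a 30 s pause before supervision resumes with a fresh counter.
  k8sMonitorScript = pkgs.writeShellScript "k8s-monitor" ''
    set -e

    ENABLEK8S=$(${pkgs.coreutils}/bin/cat "${config.secrets.enablek8s.file}")
    if [ "$ENABLEK8S" != "true" ]; then
      exit 0
    fi

    MAX_ATTEMPTS=8
    ATTEMPT_INTERVAL=22.5   # seconds between checks (GNU sleep accepts fractions)
    ATTEMPT=1

    while [ "$ATTEMPT" -le "$MAX_ATTEMPTS" ]; do
      if ${pkgs.procps}/bin/pgrep -f "k3s agent" >/dev/null; then
        ${pkgs.coreutils}/bin/echo "k3s agent is running (attempt $ATTEMPT/$MAX_ATTEMPTS)"
        # Healthy: the limit counts *consecutive* failures, so start over
        # instead of letting restarts accumulate over the unit's lifetime.
        ATTEMPT=1
        ${pkgs.coreutils}/bin/sleep "$ATTEMPT_INTERVAL"
        continue
      fi

      ${pkgs.coreutils}/bin/echo "k3s agent not running, attempting to restart (attempt $ATTEMPT/$MAX_ATTEMPTS)..."
      ${pkgs.systemd}/bin/systemctl restart k8s-join

      # Give the agent time to come up before checking again.
      ${pkgs.coreutils}/bin/sleep "$ATTEMPT_INTERVAL"
      ATTEMPT=$((ATTEMPT+1))
    done

    # Reached only after MAX_ATTEMPTS consecutive failed restarts; one last
    # look in case the agent came up during the final sleep.
    if ! ${pkgs.procps}/bin/pgrep -f "k3s agent" >/dev/null; then
      ${pkgs.coreutils}/bin/echo "Failed to start k3s agent after $MAX_ATTEMPTS attempts"
      exit 1
    fi
  '';
in
{
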
  # Pinned CoreDNS image for the NixOS kubernetes DNS addon.  Only takes
  # effect if services.kubernetes is enabled elsewhere in the configuration;
  # nothing in this file enables it.
  services.kubernetes.addons.dns.coredns =
    let
      arch = pkgs.go.GOARCH;
      # Fixed-output hashes of the pulled image per architecture.
      hashes = {
        amd64 = "sha256-wYMJV/rtUDQXUq5W5WaxzTLrYPtCiVIOVbVqIJJJ5nE=";
        arm64 = "sha256-yXkgJW2SQcAFzjmBSAn2qo6O4m5AgMKwiT/LR+dqmzA=";
      };
    in {
      imageName = "coredns/coredns";
      imageDigest = "sha256:a0ead06651cf580044aeb0a0feba63591858fb2e43ade8c9dea45a6a89ae7e5e";
      finalImageTag = "1.10.1";
      inherit arch;
      hash = hashes.${arch} or (builtins.throw "Unsupported arch ${arch}.");
    };
  # iSCSI initiator, named after the host.
  services.openiscsi.enable = true;
  services.openiscsi.name = "extranuc";

  # Tailscale with both client- and server-side routing features (subnet
  # routes / exit node), built from a local package expression.
  services.tailscale.enable = true;
  services.tailscale.useRoutingFeatures = "both";
  services.tailscale.package = pkgs.callPackage ./tailscale.nix {};
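  # OpenSSH server: key-only login for a single user on a non-default port.
  services.openssh = {
    enable = true;
    # `ports` replaces the default [ 22 ] and is the list openFirewall opens.
    # (settings.Port merely adds a second Port directive next to the default,
    # so sshd would keep listening on 22 and openFirewall would open 22.)
    ports = [ 3060 ];
    openFirewall = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
      # PasswordAuthentication=false alone leaves PAM keyboard-interactive
      # password prompts enabled; this closes that path too.
      KbdInteractiveAuthentication = false;
    };
    extraConfig = ''
      AllowUsers spiderunderurbed
    '';
  };
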
  # Client side of the netsecrets module (the package comes in through
  # specialArgs, see environment.systemPackages).  The names requested here
  # presumably become the config.secrets.<name>.file paths read by the
  # join/monitor scripts -- confirm against the module.
  netsecrets.client = {
    enable = true;
    server = managerIp;
    port = 8081;
    # Literal shared secret: like every string in this file it is stored in
    # the world-readable Nix store, and "your_password" reads as a placeholder.
    password = "your_password";
    request_secrets = [ "enableswarm" "enablek8s" "dockerswarm" "k8stoken" ];
    verbose = true;
  };

  # mount.cifs credentials file used by mountScript.  mode 0600 protects only
  # the copy under /etc: `text` is first written to the Nix store, which is
  # world-readable, so the SMB password is exposed there regardless.
  environment.etc."nixos/smb-credentials".text = credentialsContent;
  environment.etc."nixos/smb-credentials".mode = "0600";
  environment.etc."nixos/smb-credentials".user = "root";
  environment.etc."nixos/smb-credentials".group = "root";

  # Files and directories created at boot: the sync opt-in flag (owned by the
  # sync user), the share's mount point, and two values under /var/lib/calico
  # (presumably consumed by calico's node agent -- confirm).
  systemd.tmpfiles.rules = [
    # Gate for syncScript/syncDaemon.  Lives in world-writable /tmp, so if it
    # is ever absent any local user can recreate it.
    "f /tmp/sync-jellyfin-flag 0644 spiderunderurbed users - -"
    "d ${mountPoint} 0775 root users -"
    "d /var/lib/calico 0755 root root -"
    "f /var/lib/calico/mtu 0644 root root - 1480"
    "f /var/lib/calico/nodename 0644 root root - extranuc"
  ];

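  systemd.services = {
    # Mounts the CIFS share once the network is up and stays "active" so the
    # sync units can order after (and depend on) it.
    # NOTE: NixOS' fileSystems option with fsType = "cifs" expresses the same
    # mount declaratively and would replace this unit and mountScript.
    mount-samba-share = {
      description = "Mount Samba Share";
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      path = [ pkgs.coreutils ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        ExecStart = mountScript;
        # umount is provided by util-linux; cifs-utils ships mount.cifs and
        # helpers but no umount binary, so ExecStop must point here.
        ExecStop = "${pkgs.util-linux}/bin/umount ${mountPoint}";
      };
      wantedBy = [ "multi-user.target" ];
    };
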
  271. sync-jellyfin-directories = {
  272. description = "Sync Jellyfin config and cache directories";
  273. after = [ "mount-samba-share.service" ];
  274. path = with pkgs; [ coreutils unison ];
  275. serviceConfig = {
  276. Type = "oneshot";
  277. RemainAfterExit = true;
  278. Environment = "HOME=/home/spiderunderurbed";
  279. User = "spiderunderurbed";
  280. Group = "users";
  281. ExecStart = "${syncScript}";
  282. };
  283. wantedBy = [ "multi-user.target" ];
  284. };
  285.  
  286. sync-jellyfin-daemon = {
  287. description = "Jellyfin Sync Daemon";
  288. after = [ "sync-jellyfin-directories.service" ];
  289. wants = [ "sync-jellyfin-directories.service" ];
  290. serviceConfig = {
  291. Type = "simple";
  292. Environment = "HOME=/home/spiderunderurbed";
  293. User = "spiderunderurbed";
  294. Group = "users";
  295. ExecStart = "${syncDaemon}";
  296. Restart = "always";
  297. RestartSec = "10s";
  298. };
  299. wantedBy = [ "multi-user.target" ];
  300. };
  301.  
  302. docker-swarm-join = {
  303. description = "Join Docker Swarm Cluster";
  304. after = [ "network.target" "docker.service" "netsecrets-receiver.service" ];
  305. wants = [ "network.target" "docker.service" "netsecrets-receiver.service" ];
  306. serviceConfig = {
  307. Type = "simple";
  308. ExecStart = "${dockerSwarmJoinScript}";
  309. Restart = "on-failure";
  310. RestartSec = "10s";
  311. StartLimitIntervalSec = "60";
  312. StartLimitBurst = "3";
  313. };
  314. wantedBy = [ "multi-user.target" ];
  315. };
  316.  
  317. docker-swarm-monitor = {
  318. description = "Monitor Docker Swarm Status";
  319. after = [ "docker-swarm-join.service" ];
  320. wants = [ "docker-swarm-join.service" ];
  321. serviceConfig = {
  322. Type = "simple";
  323. ExecStart = "${dockerSwarmMonitorScript}";
  324. Restart = "always";
  325. RestartSec = "30s";
  326. };
  327. wantedBy = [ "multi-user.target" ];
  328. };
  329.  
  330. k8s-join = {
  331. description = "Join Kubernetes Cluster";
  332. after = [ "network.target" "netsecrets-receiver.service" ];
  333. wants = [ "network.target" "netsecrets-receiver.service" ];
  334. serviceConfig = {
  335. Type = "simple";
  336. ExecStart = "${k8sJoinScript}";
  337. Restart = "on-failure";
  338. RestartSec = "10s";
  339. StartLimitIntervalSec = "60";
  340. StartLimitBurst = "3";
  341. };
  342. wantedBy = [ "multi-user.target" ];
  343. };
  344.  
  345. k8s-monitor = {
  346. description = "Monitor Kubernetes Agent Status";
  347. after = [ "k8s-join.service" ];
  348. wants = [ "k8s-join.service" ];
  349. serviceConfig = {
  350. Type = "simple";
  351. ExecStart = "${k8sMonitorScript}";
  352. Restart = "always";
  353. RestartSec = "30s";
  354. };
  355. wantedBy = [ "multi-user.target" ];
  356. };
  357. };
  358.  
  # Container runtimes: containerd (used by k3s) and the Docker daemon.
  virtualisation = {
    containerd.enable = true;
    docker.enable = true;
  };

  # Disabled experiment kept for reference: DHCP hook tuning eth0 offloads.
  #networking.extraDhcpOptions = {
  #  "${pkgs.ethtool} -K eth0 rx-udp-gro-forwarding on rx-gro-list off"
  #};
  # Public resolvers; one internal address is kept disabled.
  networking.nameservers = [
    #"10.90.0.10"
    "8.8.8.8"
    "8.8.4.4"
  ];
  # Static IPv4 address and gateway on eth0 (same /24 as the manager and the
  # SMB server addressed above).
  networking.defaultGateway.address = "192.168.68.1";
  networking.defaultGateway.interface = "eth0";
  networking.interfaces.eth0.ipv4.addresses = [
    { address = "192.168.68.38"; prefixLength = 24; }
  ];
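  # Inbound rules on eth0 only.
  networking.firewall.interfaces."eth0" = {
    allowedTCPPorts = [
      # 3060 = sshd (services.openssh).  Note that services.openssh.openFirewall
      # opens the `ports` list on every interface anyway.  22 is deliberately
      # not listed: sshd is configured for 3060 only.
      3060
      # 6443 = kube API port (the k3s server is addressed on it above),
      # 80/443 = HTTP(S); 30080 is presumably a NodePort -- confirm.
      6443 80 443 30080
      # cilium stuff
      2379 2380 4240 4244 4245 4250 4251 6060 6061 6062
      9878 9879 9890 9891 9893 9901 9962 9963 9964
      #4240 4240 4245 4245 4251 6060
      #6061 6062 9878 9879 9890 9891
      #9893 9901 9962 9963 9964 51871
    ];
    # 8472 / 51871 are presumably the VXLAN overlay and WireGuard ports -- confirm.
    allowedUDPPorts = [
      8472 51871
    ];
    #allowedICMPTypes = [8];
  };

  networking.hostName = "extranuc";
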
  # The only interactive account.  wheel gives sudo and docker-group
  # membership is equivalent to root (access to the Docker socket), so this
  # is effectively an administrator account.
  # `password` is a plain-text literal: NixOS stores it in the Nix store as
  # given, and "test" is trivially guessable -- prefer hashedPassword.
  users.users.spiderunderurbed = {
    isNormalUser = true;
    extraGroups = [ "wheel" "users" "docker" ];
    password = "test";
    # Public keys are read from the configuration directory at build time.
    openssh.authorizedKeys.keys = map builtins.readFile [ ./id_rsa.pub ./id_ed25519.pub ];
  };

  # Latest kernel (tracks nixpkgs, so it changes on every update) plus NFS
  # client support.
  boot = {
    kernelPackages = pkgs.linuxPackages_latest;
    supportedFilesystems = [ "nfs" ];
  };

  environment.systemPackages = with pkgs; [
    # general tooling
    git htop sqlite wget gawk util-linux curl fastfetch bash jq lsof tmux screen ncdu
    # storage and network filesystems
    nfs-utils samba openiscsi cifs-utils
    # containers and clusters (both k3s and the full kubernetes distribution
    # are installed; only k3s is started by the units above)
    kubectl kubernetes k3s docker docker-compose
    # secrets distribution.  `system` is not a function argument here; it
    # resolves to pkgs.system through the surrounding `with pkgs`.
    specialArgs.netsecrets.packages.${system}.netsecrets
    # dependencies of the sync scripts
    unison inotify-tools procps coreutils
    # networking
    tailscale
    #python3
  ];
}

