From 5f88fc6ff5818218452ae170e2cfb4b07d523dfb Mon Sep 17 00:00:00 2001
From: noe
Date: Fri, 22 Dec 2023 19:47:34 -0500
Subject: [PATCH] blueberry: add the saerro stack

---
 nixos/features/nginx.nix | 16 +++++++
 nixos/hosts/blueberry/default.nix | 4 +-
 nixos/stacks/ps2.live/saerro.nix | 75 +++++++++++++++++++++++++++----
 secrets/blueberry/saerro.env | 17 +++++++
 4 files changed, 102 insertions(+), 10 deletions(-)
 create mode 100644 nixos/features/nginx.nix
 create mode 100644 secrets/blueberry/saerro.env

diff --git a/nixos/features/nginx.nix b/nixos/features/nginx.nix
new file mode 100644
index 0000000..baf8ed2
--- /dev/null
+++ b/nixos/features/nginx.nix
@@ -0,0 +1,16 @@
+{pkgs, ...}: {
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedBrotliSettings = true;
+ recommendedGzipSettings = true;
+ recommendedZstdSettings = true;
+ recommendedProxySettings = true;
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "acme@kat.cafe";
+ };
+}
diff --git a/nixos/hosts/blueberry/default.nix b/nixos/hosts/blueberry/default.nix
index df1cfbb..42ce8e3 100644
--- a/nixos/hosts/blueberry/default.nix
+++ b/nixos/hosts/blueberry/default.nix
@@ -4,9 +4,11 @@
 ./hardware-configuration.nix
 ../../server.nix
 ../../features/systemd-boot.nix
+ ../../features/podman.nix
+ ../../features/nginx.nix
- #../../stacks/ps2.live
+ ../../stacks/ps2.live
 ];
 networking.hostName = "blueberry";
diff --git a/nixos/stacks/ps2.live/saerro.nix b/nixos/stacks/ps2.live/saerro.nix
index ad5ded2..2d82c87 100644
--- a/nixos/stacks/ps2.live/saerro.nix
+++ b/nixos/stacks/ps2.live/saerro.nix
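Review bot: The ACME block sets `acceptTerms` and a contact address, but nothing in this hunk opens the ports nginx and the ACME HTTP-01 challenge need; unless `networking.firewall.allowedTCPPorts` already covers 80 and 443 in server.nix (outside this patch), `services.nginx.enable = true` does not make the host reachable and certificate issuance fails. Adding `networking.firewall.allowedTCPPorts = [ 80 443 ];` next to the nginx block keeps the feature self-contained. Note also that this file only declares ACME defaults and the `recommended*` tuning — a virtual host still has to opt in with `enableACME = true; forceSSL = true;` before any TLS is served, so a one-line comment above `security.acme` saying `# defaults only; each virtualHost must set enableACME/forceSSL` would save the next reader from assuming TLS is on.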
@@ -1,10 +1,67 @@
-{ ... }: let
- podConfig = (import ../stack-utils.nix).pod "saerro" [
- "saerro_postgres"
- "saerro_maint"
- "saerro_api"
- "saerro_ws"
- ] [ 8003 ];
-in podConfig // {
-
+{ config, pkgs, ... }: let
+ image = name: "ghcr.io/saerro/${name}:latest";
+ port = n: "${8100 + n}";
+ containerGenerics = {
+ environmentFiles = [
+ config.sops.secrets.saerro.path
+ ];
+ extraOptions = [
+ "--pod=saerro"
+ "--pull=always"
+ ];
+ };
+in {
+
+ sops.secrets.saerro = {
+ sopsFile = ../../../../secrets/blueberry/saerro.env;
+ format = "binary";
+ };
+
+ virtualisation.oci-containers.containers = {
+ saerro_api = {
+ image = image "api";
+ environment = {
+ PORT = port 1;
+ WEBSOCKET_HEALTHCHECK = "http://127.0.0.1:${port 2}/healthz";
+ };
+ } // containerGenerics;
+
+ saerro_ws = {
+ image = image "ws";
+ environment = {
+ PORT = port 2;
+ WORLDS = "all";
+ };
+ } // containerGenerics;
+
+ saerro_maint = {
+ image = image "tasks";
+ cmd = [ "auto-maintenance" ];
+ } // containerGenerics;
+
+ saerro_postgres = {
+ image = "docker.io/timescale/timescaledb:latest-pg15";
+ volumes = [
+ "saerrodata:/var/lib/postgresql/data"
+ ];
+ } // containerGenerics;
+ };
+
+ systemd.services.create-saerro-pod = {
+ serviceConfig.Type = "oneshot";
+ wantedBy = map (x: "podman-saerro_${x}.service") [ "api" "ws" "maint" "postgres" ];
+ script = ''
+ ${pkgs.podman}/bin/podman pod exists saerro || \
+ ${pkgs.podman}/bin/podman pod create -n saerro -p '0.0.0.0:${port 1}:${port 1}'
+ '';
+ };
+
+ # TODO: Automatic restart and pull
+
+ services.nginx.virtualHosts = {
+ "saerro.ps2.live" = {
+ serverAliases = [ "saerro-new.ps2.live" ];
+ locations."/".proxyPass = "http://127.0.0.1:${port 1}";
+ };
+ };
 }
diff --git a/secrets/blueberry/saerro.env b/secrets/blueberry/saerro.env
new file mode 100644
index 0000000..20eb4e0
--- /dev/null
+++ b/secrets/blueberry/saerro.env
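Review bot: `port = n: "${8100 + n}";` does not evaluate — Nix refuses to coerce an integer inside string interpolation, so the first `port 1` aborts evaluation with "cannot coerce an integer to a string"; `port = n: toString (8100 + n);` yields the intended "8101". The pod-creation unit is only `wantedBy` the four `podman-saerro_*` services, which pulls it in but does not order it, so on a fresh boot `--pod=saerro` can run ahead of `podman pod create`; adding `before = map (x: "podman-saerro_${x}.service") [ "api" "ws" "maint" "postgres" ];` and using `requiredBy` in place of `wantedBy` makes the dependency hard. The pod publishes the API on `0.0.0.0:${port 1}` while nginx only proxies to 127.0.0.1, so the backend is also reachable directly and in the clear unless the host firewall blocks it, and the vhost never turns on TLS; `-p '127.0.0.1:${port 1}:${port 1}'` plus `enableACME = true; forceSSL = true;` on "saerro.ps2.live" closes both gaps. Every container runs `--pull=always` against an unpinned `:latest` tag, so each restart deploys whatever the registry serves at that moment; pinning by digest, or at least a versioned tag, is what keeps the deployment reproducible and reviewable. `format = "binary"` on `sops.secrets.saerro` also looks wrong for secrets/blueberry/saerro.env, whose `sops_*` keys are the sops dotenv layout, and sops-nix's `format = "dotenv"` appears to be the matching value — worth confirming with a decrypt test before deploying.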
@@ -0,0 +1,17 @@ +DATABASE_ADDR=ENC[AES256_GCM,data:uKVGdgFJQ+Dgvb7vA3CVvqBaE9MAnPLK3o3T1l5nAZHl/wdZX/Z8IsUDm7EIfI2D6JgtvMQdQtK4apIFZBFmYqXqENk=,iv:iZme5/OLUc40OEW7nejtDdiLKiZIo9KIrlpv4ufHGhU=,tag:XHQnSDCW9kuTwfTBfwFYEg==,type:str] +POSTGRES_PASSWORD=ENC[AES256_GCM,data:MpFGU6oH2PW+l6foh4lDsIWMLeL3qXua,iv:u8uBtWTAlMd2I5ABHENq4ubg4zvZQMEGv/6YMFOV2MI=,tag:+rwFK4IYNRFSj++5sz6ROg==,type:str] +POSTGRES_USER=ENC[AES256_GCM,data:NTiSJUQL9cUssw==,iv:4hUtvz3ZnLPbOdtCGzWM2yCLnF9ZbT4ecWa2d7ECiu4=,tag:F80a9RG8kCxpktEclsslrA==,type:str] +POSTGRES_DB=ENC[AES256_GCM,data:c0dm5LtD,iv:NNnFMZbgWCzGeMyx/QUQqZ3y6jh2KsBr6M8hc8L0JNQ=,tag:XBdXACz+TK2PnAcmzrUxNg==,type:str] +WS_ADDR=ENC[AES256_GCM,data:Eb+ROzhEVxP3KV5QeSbk/qENvpGXCwrEXNqGi9Ht50cAz1ZaaqAaN3DeE6JpnYbSksaZp3OkC4d6bZRa2eW3vT2gl4EoElv5TSU=,iv:/Scergtv3hLDLvVKiqcbVTg9sMBh36lOVVIiQ7keXJ0=,tag:FiAatiiWZeQpziLMnjFSiA==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmaXJUUGE5OXhzbGduTHM3\nNEhhQnpKVDhUTjQreHY5NGNSeTVrRDZoZzNzCnViRXRYUDN6SHhjSUI0K0hvZ2xP\nQ2hiaHNKaER3ZWRuNUlwS0tOYUsxQVkKLS0tIDlnOERXUkI2MCtqYXovN2tJN2Yr\nVGJlbWRJcEVwS2IrVUNpS0YyWEx1cEEKF2DgTy9jjVHRriaO1unc2DEh9JvotLQB\nhjluI5gc1sNoBGQdjptaKO4vKdwPgnlVobFH4vmiATiCNKmFmlYz8Q==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age1lq5q5g5qjsdcc3key0n6qytkc9z3qx3d3e96ap9zre2aqgvc9ujq82l9hd +sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlRXZmdDRJV0hJMk5xQ1Ra\nZWs4bUNib1ZMeFA4UGM0aGZTQmRoR2d4Z1NJClRPa1ltb3cxbDNrckhwc2hEZ2Qv\ncnFhcUYzdlhPaGZZQ1hUMlErY0VldFEKLS0tIDdaeVhaR01SSzQvVk1LeUdyaHRU\nNXhyUHc0NTNDYVNoem1LTTJpZ2thd1kKkF7s7XNev+FYhGvcMspQ9BuMC8Iy6GBD\nRMTQvh66aIEMUDx2BRJ98u8GIqCuMEsUDtAugVbYCV1TESBYkeVEdg==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_1__map_recipient=age1p0f62dwatt558sf5s4equdqwtg5m7lsnaytrf3xjnvmx3e0lqu4svtugyp +sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDUWorem9mZTBNSGk1OTAz\neFkzVUNveXJNNGlkS1IrcXRESmtnSGdLam1ZCk1tMzFzSG1LZFpRNG5NTVZHOWVC\nUlYrM0xNeU9zOVprd1NpVFNoOFczYWMKLS0tIFJSS0N2NHg4K1plWGNOQUVkQUJB\nbW05R0ZWRXhwNUZ4M2RxRldUOUd2UkkKQAOcQzpihyBEjnZ8n60Z6VVUiEhW7k72\nNUdIfcvx00Kl7u5JejzP4Q6k6r9hVTpapXFZXIA6w65JWexz9HfjfA==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_2__map_recipient=age13c5wv623jxjja5mjz7fajg9qqwvypzgsfqrs4tmk7rpgyzu7aufs4ul9f9 +sops_age__list_3__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZXlERkwyRDJwUGNBVUhO\nTkVHOGQzaWVwdjVLLzJac1B0UEVSK1lLamo0CnJENy9VbjFmVllMVE9zRjRpb3Nj\nc21mY3RMZkREZHYxMVNBNDU0UGVqVkEKLS0tIDJ5K2FHb2VNQmRRdzAvREpyem9s\naWIraUJkN0o0UURzMWJLdXl4eFZZYW8KwLEbXRoUg6DkLT8/vSAVj8RV0WkfMEC9\ni2k+1gAaucKNy+wC0I5uTwcjFmlZoUSIiMOyxEv9veigk02aLY+5YA==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_3__map_recipient=age12p9lw3zgufcg7qx375t9lwtckzwgj0tkn2pt9uj3tnx9sn3ucqgsf5ctdd +sops_lastmodified=2023-12-23T00:41:49Z +sops_mac=ENC[AES256_GCM,data:9AuqlicT0W3KO8SD0jN2gbtQ8CItY0nKTUIlFwe8g+t4ykiOwGgOFlXeiZNGnv55833bxUTso0/s5jLNFmyAFBFfzmJSXs4/aTw723TE0Yt7dF5y85lPUW0TAAw6SAe0SJcWsB8H5oqGr2ucXO8sRCcHfec9EESm4q91286r2Tc=,iv:Fps/BQZIN2Td32hEmxicA5VrPVoY0Jh1KJuh7xgvD+w=,tag:1WqdjHp8xttrnci0vyNXgg==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.8.1