oscar: Allow unfree steam-unwrapped

Apparently this is a new requirement?

https://wiki.nixos.org/w/index.php?title=Steam&diff=prev&oldid=18248

bert/README.md

@@ -5,12 +5,7 @@
 3. Deploy updated config with `make`
 4. Set up [Remote Disk Unlocking](https://nixos.wiki/wiki/Remote_disk_unlocking)
    1. mkdir -p /etc/secrets/initrd && ssh-keygen -N "" -f /etc/secrets/initrd/ssh_host_25519_key
-5. Deploy content:
+5. Deploy content to web services
-   - websites in /srv
-   - factorio world at /var/lib/factorio/saves/default.zip
-   - git/forgejo in /var/lib/forgejo
-   - navidrome
-6. Set up Grafana users (log in with default admin/admin; change creds; configure)
 
 # Notes on Caddy
 Until 2.8 is released with 24.11, Caddy has a pretty limited sense of what

bert/configuration.nix

@@ -8,6 +8,7 @@
       ./services/http/index.nix
       ./services/monitoring.nix
       ./services/forgejo.nix
+      ./services/navidrome.nix
     ];
 
   # Bootloader
@@ -35,8 +36,11 @@
   boot.initrd.luks.devices."luks-48836129-1aa0-45c7-9fd1-6b053fa620b1".device = "/dev/disk/by-uuid/48836129-1aa0-45c7-9fd1-6b053fa620b1";
   networking.hostName = "bert";
 
-  # Enable networking
+  fileSystems."/mnt/bigbird-public" = {
-  networking.networkmanager.enable = true;
+    device = "//bigbird/public";
+    fsType = "cifs";
+    options = [ "guest" ];
+  };
 
   time.timeZone = "America/Chicago";
   i18n.defaultLocale = "en_US.UTF-8";

bert/services/http/0hats.com.nix

@@ -0,0 +1,20 @@
+
+{
+  services.caddy.virtualHosts."0hats.com" = {
+    serverAliases = ["www.0hats.com"];
+    extraConfig = ''
+      encode zstd gzip
+      file_server
+      root * /srv/www/0hats.com
+
+      handle_errors {
+        respond "{err.status_code} {err.status_text}"
+      }
+    '';
+  };
+  systemd.tmpfiles.settings."10-0hats-com" = {
+    "/srv/www/0hats.com" = {
+      d = {};
+    };
+  };
+}

bert/services/http/files.chandlerswift.com.nix

@@ -4,6 +4,10 @@
     encode zstd gzip
     file_server
     root * /srv/www/files.chandlerswift.com
+
+    handle_errors {
+      respond "{err.status_code} {err.status_text}"
+    }
   '';
   systemd.tmpfiles.settings."10-files-chandlerswift-com" = {
     "/srv/www/files.chandlerswift.com" = {

bert/services/http/harborpaperco.com.nix

@@ -6,14 +6,18 @@
       encode zstd gzip
       file_server
       root * /srv/www/harborpaperco.com
+
+      handle_errors {
+        respond "{err.status_code} {err.status_text}"
+      }
+    '';
+  };
+  services.caddy.virtualHosts."pureserendipityweddings.com" = {
+    serverAliases = ["www.pureserendipityweddings.com"];
+    extraConfig = ''
+      redir https://harborpaperco.com
     '';
   };
-  # services.caddy.virtualHosts."pureserendipityweddings.com" = {
-  #   serverAliases = ["www.pureserendipityweddings.com"];
-  #   extraConfig = ''
-  #     redir https://harborpaperco.com
-  #   '';
-  # };
   systemd.tmpfiles.settings."10-harborpaperco-com" = {
     "/srv/www/harborpaperco.com" = {
       d = {};

bert/services/http/home.chandlerswift.com.nix

@@ -6,6 +6,20 @@
     root * /srv/www/home.chandlerswift.com
     reverse_proxy /grafana/* localhost:3000
     # hide .git # ???
+
+    file_server /sheets/* {
+      browse ${./caddy-browse-template.html}
+
+      # TOOD: is there a better way to strip the prefix here? This shouldn't be
+      # vulnerable to a directory traversal attack (and it doesn't really
+      # matter anyway; everything in there is public somewhere or another!) but
+      # it sorta feels wrong to do this without a `/sheets` suffix.
+      root /mnt/bigbird-public
+    }
+
+    handle_errors {
+      respond "{err.status_code} {err.status_text}"
+    }
   '';
   systemd.tmpfiles.settings."10-home-chandlerswift-com" = {
     "/srv/www/home.chandlerswift.com" = {

bert/services/http/index.nix

@@ -1,11 +1,13 @@
 {
   imports = [
+    ./0hats.com.nix
     ./files.chandlerswift.com.nix
     ./git.chandlerswift.com.nix
     ./harborpaperco.com.nix
     ./home.chandlerswift.com.nix
     ./katherineandchandler.com.nix
     ./maps.chandlerswift.com.nix
+    ./music.chandlerswift.com.nix
     ./stjohnscccc.org.nix
     ./swiftgang.net.nix
   ];

bert/services/http/katherineandchandler.com.nix

@@ -5,6 +5,10 @@
     file_server
     root * /srv/www/katherineandchandler.com
     # hide .git # ???
+
+    handle_errors {
+      respond "{err.status_code} {err.status_text}"
+    }
   '';
   systemd.tmpfiles.settings."10-katherineandchandler-com" = {
     "/srv/www/katherineandchandler.com" = {

bert/services/http/maps.chandlerswift.com.nix

@@ -5,6 +5,10 @@
     file_server
     root * /srv/www/maps.chandlerswift.com
     # hide .git # ???
+
+    handle_errors {
+      respond "{err.status_code} {err.status_text}"
+    }
   '';
   systemd.tmpfiles.settings."10-maps-chandlerswift-com" = {
     "/srv/www/maps.chandlerswift.com" = {

bert/services/http/music.chandlerswift.com.nix

@@ -0,0 +1,5 @@
+{config, ...}: {
+  services.caddy.virtualHosts."music.chandlerswift.com".extraConfig = ''
+    reverse_proxy localhost:${toString config.services.navidrome.settings.Port}
+  '';
+}

bert/services/http/swiftgang.net.nix

@@ -4,6 +4,10 @@
     encode zstd gzip
     file_server
     root * /srv/www/swiftgang.net
+
+    handle_errors {
+      respond "{err.status_code} {err.status_text}"
+    }
   '';
   systemd.tmpfiles.settings."10-swiftgang-net" = {
     "/srv/www/swiftgang.net" = {

bert/services/navidrome.nix

@@ -0,0 +1,10 @@
+{
+  services.navidrome = {
+    enable = true;
+    settings = {
+      MusicFolder = "/mnt/bigbird-public/media/music";
+      ScanSchedule = "@every 12h";
+      EnableSharing = true;
+    };
+  };
+}

oscar/configuration.nix

@@ -16,6 +16,7 @@
     "steam"
     "steam-original"
     "steam-run"
+    "steam-unwrapped"
   ];
 
   # https://discourse.nixos.org/t/github-strategies-for-configuration-nix/1983/14