From a20bb288aa8e2619fbc1439cc4ac7f6efbc82ebe Mon Sep 17 00:00:00 2001
From: h7x4
Date: Sun, 9 Jun 2024 15:37:03 +0200
Subject: [PATCH] tsuki/jupyter: remove
---
hosts/tsuki/configuration.nix | 1 -
hosts/tsuki/services/jupyter.nix | 119 ------------------------
hosts/tsuki/services/nginx/default.nix | 2 -
secrets/default.yaml | 6 +-
4 files changed, 2 insertions(+), 126 deletions(-)
delete mode 100644 hosts/tsuki/services/jupyter.nix
diff --git a/hosts/tsuki/configuration.nix b/hosts/tsuki/configuration.nix
index 6430c3c..d207d57 100644
--- a/hosts/tsuki/configuration.nix
+++ b/hosts/tsuki/configuration.nix
@@ -13,7 +13,6 @@
 ./services/headscale.nix
 ./services/hedgedoc.nix
 ./services/invidious.nix
- ./services/jupyter.nix
 ./services/kanidm.nix
 ./services/matrix
 ./services/minecraft
diff --git a/hosts/tsuki/services/jupyter.nix b/hosts/tsuki/services/jupyter.nix
deleted file mode 100644
index f84e68c..0000000
--- a/hosts/tsuki/services/jupyter.nix
+++ /dev/null
@@ -1,119 +0,0 @@
-{ config, pkgs, lib, ... }: let
- cfg = config.services.jupyter;
-in {
- sops.secrets."jupyter/password" = {
- restartUnits = [ "jupyter.service" ];
- owner = cfg.user;
- inherit (cfg) group;
- };
-
- users.users."jupyter".group = "jupyter";
-
- services.jupyter = {
- enable = true;
- group = "jupyter";
- password = let
- readFile = f: "open('${f}', 'r', encoding='utf8').read().strip()";
- in
- readFile config.sops.secrets."jupyter/password".path;
-
- kernels = {
- pythonDS = let
- env = (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
- numpy
- matplotlib
- ipykernel
- ]));
- in {
- displayName = "Python for data science";
- argv = [
- "${env.interpreter}"
- "-m"
- "ipykernel_launcher"
- "-f"
- "{connection_file}"
- ];
- language = "python";
- logo32 = "${env}/${env.sitePackages}/ipykernel/resources/logo-32x32.png";
- logo64 = "${env}/${env.sitePackages}/ipykernel/resources/logo-64x64.png";
- };
- };
- };
-
- systemd.tmpfiles.settings."10-jupyter" = {
- "/var/lib/jupyter/notebooks".d = {
- mode = "0700";
- user = "jupyter";
- group = "jupyter";
- };
- "/var/lib/jupyter/data".d = {
- mode = "0700";
- user = "jupyter";
- group = "jupyter";
- };
- };
-
- systemd.services.jupyter = let
- notebookConfig = pkgs.writeText "jupyter_config.py" ''
- c.NotebookApp.notebook_dir = 'notebooks'
- c.NotebookApp.open_browser = False
- c.NotebookApp.password = ${cfg.password}
- c.NotebookApp.password_required = True
-
- c.NotebookApp.sock = '/run/jupyter/jupyter.sock'
- c.NotebookApp.sock_mode = '0660'
- c.NotebookApp.local_hostnames = ['py.nani.wtf']
-
- c.ConnectionFileMixin.transport = 'ipc'
-
- ${cfg.notebookConfig}
- '';
- in {
- environment = {
- JUPYTER_DATA_DIR = "%S/${config.systemd.services.jupyter.serviceConfig.StateDirectory}/data";
- JUPYTER_RUNTIME_DIR = "%t/${config.systemd.services.jupyter.serviceConfig.RuntimeDirectory}";
- };
- serviceConfig = {
- RuntimeDirectory = "jupyter";
- StateDirectory = "jupyter";
-
- # Hardening
- CapabilityBoundingSet = "";
- LockPersonality = true;
- NoNewPrivileges = true;
- PrivateDevices = true;
- PrivateMounts = true;
- PrivateTmp = true;
- PrivateUsers = true;
- ProtectClock = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectProc = "invisible";
- ProtectSystem = "strict";
- RemoveIPC = true;
- RestrictSUIDSGID = true;
- UMask = "0007";
- RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
- SystemCallArchitectures = "native";
-
- ExecStart = lib.mkForce ''
- ${cfg.package}/bin/${cfg.command} --NotebookApp.config_file=${notebookConfig}
- '';
- };
- };
-
- local.socketActivation.jupyter = {
- enable = cfg.enable;
- originalSocketAddress = "/run/jupyter/jupyter.sock";
- newSocketAddress = "/run/jupyter.sock";
- privateNamespace = false;
- };
-
- systemd.services.jupyter-proxy.serviceConfig = {
- User = "jupyter";
- Group = "jupyter";
- };
-}
diff --git a/hosts/tsuki/services/nginx/default.nix b/hosts/tsuki/services/nginx/default.nix
index 64106ed..f5bf2b7 100644
--- a/hosts/tsuki/services/nginx/default.nix
+++ b/hosts/tsuki/services/nginx/default.nix
@@ -49,7 +49,6 @@
 "hedgedoc".servers."unix:${srv.hedgedoc.settings.path}" = { };
 "idrac".servers."${ips.idrac}" = { };
 "invidious".servers."unix:${sa.invidious.newSocketAddress}" = { };
- "jupyter".servers."unix:${sa.jupyter.newSocketAddress}" = { };
 "kanidm".servers."localhost:8300" = { };
 "navidrome".servers."unix:${sa.navidrome.newSocketAddress}" = { };
 "osuchan".servers."localhost:${s ports.osuchan}" = { };
@@ -143,7 +142,6 @@
 (proxy ["osu"] "http://osuchan" {})
 (proxy ["plex"] "http://plex" {})
 (proxy ["mus"] "http://navidrome" enableWebsockets)
- (proxy ["py"] "http://jupyter" enableWebsockets)
 (proxy ["vpn"] "http://headscale" enableWebsockets)
 (proxy ["yt"] "http://invidious" {})
 
diff --git a/secrets/default.yaml b/secrets/default.yaml
index 4050728..3b7e902 100644
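Review bot: Deleting jupyter.nix drops the tmpfiles rules that created `/var/lib/jupyter/notebooks` and `/var/lib/jupyter/data` (mode 0700, owned by jupyter) and the `users.users."jupyter"` declaration, but nothing in the commit removes that state from the host. As far as I know NixOS does not clean up StateDirectory contents or tmpfiles-created paths when a module disappears, so the notebooks and data stay on disk owned by a UID that is presumably no longer allocated and could be inherited by whatever service is assigned that UID next — worth confirming on tsuki. I would either note the manual cleanup in the commit message or carry a transitional `systemd.tmpfiles.rules = [ "R /var/lib/jupyter" ];` for one deploy and drop it in a follow-up. The same goes for checking that `/run/jupyter.sock` and the `jupyter-proxy` unit are actually gone after the switch, since `local.socketActivation` is a repo-local option whose teardown behaviour is not visible in this patch.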
--- a/secrets/default.yaml
+++ b/secrets/default.yaml
@@ -5,8 +5,6 @@ gitea:
 runners:
 ping: ENC[AES256_GCM,data:DRyw59+KE0n/qEr+Az7r8ulZr3dk1u6hVT1SVqKywW4DgtUr1eLj7DGOXvHxug==,iv:W49dNY/V+6KPuQeN5rdWw6Ed+w/oOy9ey+hRRz7Oxdc=,tag:ILzIKgvLs+8RVpHsSuMHrA==,type:str]
 pong: ENC[AES256_GCM,data:VwpNj/FRSkc5/s6aZPaiBwIaj9VBfp6wcnDFkWmTWC6xRWevMUYKv3jHPhD/ZA==,iv:0uVgjmrF4jIa+Eg3Gofb+2eFa1MdZHb9eR4BcWBpkeQ=,tag:YsXjKqeksU9JcXl+5REXFQ==,type:str]
-jupyter:
- password: ENC[AES256_GCM,data:mm0EHzhK9AqErfsoWWJ5+3ym+VXgEcZ+qadTy3f+NtA=,iv:ntGxklA5oDbGbo3j3ffbAvzGE4c9Ay/SfCWdA6bqzP4=,tag:KG1luMcSjBFm0LVKnoTvGA==,type:str]
 grafana:
 oauth2_secret: ENC[AES256_GCM,data:zxfPtiB/o5cC27O9uQzPvQV1qWcp3xxnIi7/P84I2lJ/X4ovAwXuiEqnc7BDAE4E,iv:ZY8BDTMEvR2JiFHKM8iM90UQbmTqH/DoVklWno6Xa4U=,tag:E8GTGk9IJauCgjaoToShBg==,type:str]
 secretkey: ENC[AES256_GCM,data:aVzqZqwFfm3FcYJE8USxsDbZVwtnF5NJXTAqshv9av4ZeR5YrDfDzLYHHztXMZt2Q7p/6A==,iv:A7x7oRUVvfxqSXRfi9+15z9pE6xX+GZrGU7gXrSKyXE=,tag:2uatRT0XePk2dqZj2ZlM3A==,type:str]
@@ -71,8 +69,8 @@ sops:
 cElPYm5qK2lkTWZ1UGd6TU1NV2h4OTgK8Ecv58Ybnc6iYMjtSKTT1fYbNf4yyFgX
 rjQ2sU8Rqc04MqixnAkF2zSDaaJ0vqwf22MvbO3bYhpqOHwiTMbRLg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-06-09T13:31:53Z"
- mac: ENC[AES256_GCM,data:8fdE/+Z0C7YSljHWtYaX4ceg+MJNKC1FZXnfEZhfMo5EB57OKc6CInMuVpxI1b9CP7Ka+3rr6bZQaa6djD0VAOjVOWaJPW79S8ee0iuxrm9a7ZI/tbM/7GFDF6j80ZkJW1+SUdjc6MneA4EKht6VwwO4RvAL94NwxbEfjFXo1wc=,iv:WDmESFjOr8uIiX//zDsQHDOB7cG7wmbmEhypIE/2hPM=,tag:0jGHxIr0f2iMfgrKBKStLQ==,type:str]
+ lastmodified: "2024-06-09T13:40:50Z"
+ mac: ENC[AES256_GCM,data:dMMYtUSNPB8wq/HnFYctRhpU4uHbQfA7k/EkP4pGU0RJUfvcnAtU5KCN+WpcWPNN3xBESJ3mjDGlYp2GrdoGPfj/f/+sJd2OdgPDAagb8yRCTBmQyvnv72WCxZTcV4BkBAJJQKSiTIxZ5q/t83LxzgXJ0mQnpDXFEBNf7sLJr84=,iv:Ga9URI5SbT456/LfFAlYlRu+/TAYTC+k/AKKCL2bHMM=,tag:2lqME8FFL5/BK/vN5FA1GA==,type:str]
 pgp:
 - created_at: "2023-05-08T00:49:52Z"
 enc: |
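Review bot: Removing `jupyter.password` and re-encrypting the file (new `mac` and `lastmodified`) takes the secret out of the tree, but the old `ENC[...]` ciphertext remains in git history and stays decryptable by every age and pgp recipient of this file, including any key that is rotated out later. If the Jupyter login password was reused anywhere else, treat it as exposed to those key holders and rotate it there; if it was unique to this service, a note to that effect in the commit message would save the next reader the question. It is also worth confirming that no other host's sops config still declares `jupyter/password` — the only consumer visible in this patch is the deleted hosts/tsuki/services/jupyter.nix — so a later rebuild does not fail on a key that no longer exists.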