l yellow.r: move to neoprism, refactor
parent
de0226995d
commit
767c6fbd14
|
@ -66,7 +66,6 @@ rec {
|
||||||
"cgit.prism.r"
|
"cgit.prism.r"
|
||||||
"bota.r"
|
"bota.r"
|
||||||
"flix.r"
|
"flix.r"
|
||||||
"jelly.r"
|
|
||||||
"paste.r"
|
"paste.r"
|
||||||
"c.r"
|
"c.r"
|
||||||
"p.r"
|
"p.r"
|
||||||
|
|
|
@ -6,6 +6,7 @@
|
||||||
ip6.addr = r6 "3110";
|
ip6.addr = r6 "3110";
|
||||||
aliases = [
|
aliases = [
|
||||||
"yellow.r"
|
"yellow.r"
|
||||||
|
"jelly.r"
|
||||||
];
|
];
|
||||||
tinc = {
|
tinc = {
|
||||||
pubkey = ''
|
pubkey = ''
|
||||||
|
|
|
@ -4,7 +4,8 @@
|
||||||
imports = [
|
imports = [
|
||||||
<stockholm/lass>
|
<stockholm/lass>
|
||||||
<stockholm/lass/2configs/retiolum.nix>
|
<stockholm/lass/2configs/retiolum.nix>
|
||||||
<stockholm/lass/2configs/libvirt.nix>
|
<stockholm/lass/2configs/consul.nix>
|
||||||
|
<stockholm/lass/2configs/yellow-host.nix>
|
||||||
{ # TODO make new hfos.nix out of this vv
|
{ # TODO make new hfos.nix out of this vv
|
||||||
users.users.riot = {
|
users.users.riot = {
|
||||||
uid = pkgs.stockholm.lib.genid_uint31 "riot";
|
uid = pkgs.stockholm.lib.genid_uint31 "riot";
|
||||||
|
|
|
@ -9,20 +9,23 @@ in {
|
||||||
|
|
||||||
krebs.build.host = config.krebs.hosts.yellow;
|
krebs.build.host = config.krebs.hosts.yellow;
|
||||||
|
|
||||||
|
lass.sync-containers3.inContainer = {
|
||||||
|
enable = true;
|
||||||
|
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN737BAP36KiZO97mPKTIUGJUcr97ps8zjfFag6cUiYL";
|
||||||
|
};
|
||||||
|
|
||||||
users.groups.download.members = [ "transmission" ];
|
users.groups.download.members = [ "transmission" ];
|
||||||
|
|
||||||
networking.useHostResolvConf = false;
|
networking.useHostResolvConf = false;
|
||||||
networking.useNetworkd = true;
|
networking.useNetworkd = true;
|
||||||
systemd.services.transmission.bindsTo = [ "openvpn-nordvpn.service" ];
|
|
||||||
systemd.services.transmission.after = [ "openvpn-nordvpn.service" ];
|
|
||||||
services.transmission = {
|
services.transmission = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
home = "/var/state/transmission";
|
||||||
group = "download";
|
group = "download";
|
||||||
downloadDirPermissions = "775";
|
downloadDirPermissions = "775";
|
||||||
settings = {
|
settings = {
|
||||||
download-dir = "/var/download/finished";
|
download-dir = "/var/download/transmission";
|
||||||
incomplete-dir = "/var/download/incoming";
|
incomplete-dir-enabled = false;
|
||||||
incomplete-dir-enable = true;
|
|
||||||
rpc-bind-address = "::";
|
rpc-bind-address = "::";
|
||||||
message-level = 1;
|
message-level = 1;
|
||||||
umask = 18;
|
umask = 18;
|
||||||
|
@ -40,11 +43,8 @@ in {
|
||||||
};
|
};
|
||||||
virtualHosts.default = {
|
virtualHosts.default = {
|
||||||
default = true;
|
default = true;
|
||||||
locations."/dl".extraConfig = ''
|
|
||||||
return 301 /;
|
|
||||||
'';
|
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
root = "/var/download/finished";
|
root = "/var/download";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
fancyindex on;
|
fancyindex on;
|
||||||
fancyindex_footer "/fancy.html";
|
fancyindex_footer "/fancy.html";
|
||||||
|
@ -136,6 +136,58 @@ in {
|
||||||
''};
|
''};
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
virtualHosts."jelly.r" = {
|
||||||
|
locations."/".extraConfig = ''
|
||||||
|
proxy_pass http://localhost:8096/;
|
||||||
|
proxy_set_header Accept-Encoding "";
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.samba = {
|
||||||
|
enable = true;
|
||||||
|
enableNmbd = false;
|
||||||
|
extraConfig = ''
|
||||||
|
workgroup = WORKGROUP
|
||||||
|
server string = ${config.networking.hostName}
|
||||||
|
# only allow retiolum addresses
|
||||||
|
hosts allow = 42::/16 10.243.0.0/16 10.244.0.0/16
|
||||||
|
|
||||||
|
# Use sendfile() for performance gain
|
||||||
|
use sendfile = true
|
||||||
|
|
||||||
|
# No NetBIOS is needed
|
||||||
|
disable netbios = true
|
||||||
|
|
||||||
|
# Only mangle non-valid NTFS names, don't care about DOS support
|
||||||
|
mangled names = illegal
|
||||||
|
|
||||||
|
# Performance optimizations
|
||||||
|
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
|
||||||
|
|
||||||
|
# Disable all printing
|
||||||
|
load printers = false
|
||||||
|
disable spoolss = true
|
||||||
|
printcap name = /dev/null
|
||||||
|
|
||||||
|
map to guest = Bad User
|
||||||
|
max log size = 50
|
||||||
|
dns proxy = no
|
||||||
|
security = user
|
||||||
|
|
||||||
|
[global]
|
||||||
|
syslog only = yes
|
||||||
|
'';
|
||||||
|
shares.public = {
|
||||||
|
comment = "Warez";
|
||||||
|
path = "/var/download";
|
||||||
|
public = "yes";
|
||||||
|
"only guest" = "yes";
|
||||||
|
"create mask" = "0644";
|
||||||
|
"directory mask" = "2777";
|
||||||
|
writable = "no";
|
||||||
|
printable = "no";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.bruellwuerfel =
|
systemd.services.bruellwuerfel =
|
||||||
|
@ -164,14 +216,33 @@ in {
|
||||||
tables.filter.INPUT.rules = [
|
tables.filter.INPUT.rules = [
|
||||||
{ predicate = "-p tcp --dport 80"; target = "ACCEPT"; } # nginx web dir
|
{ predicate = "-p tcp --dport 80"; target = "ACCEPT"; } # nginx web dir
|
||||||
{ predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } # transmission-web
|
{ predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } # transmission-web
|
||||||
{ predicate = "-p tcp --dport 9092"; target = "ACCEPT"; } # magnetico webinterface
|
|
||||||
{ predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
|
{ predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
|
||||||
{ predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
|
{ predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
|
||||||
{ predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin
|
{ predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin
|
||||||
|
{ predicate = "-p tcp --dport 9696"; target = "ACCEPT"; } # prowlarr
|
||||||
|
{ predicate = "-p tcp --dport 8989"; target = "ACCEPT"; } # sonarr
|
||||||
|
{ predicate = "-p tcp --dport 7878"; target = "ACCEPT"; } # radarr
|
||||||
|
|
||||||
|
# smbd
|
||||||
|
{ predicate = "-i retiolum -p tcp --dport 445"; target = "ACCEPT"; }
|
||||||
|
{ predicate = "-i retiolum -p tcp --dport 111"; target = "ACCEPT"; }
|
||||||
|
{ predicate = "-i retiolum -p udp --dport 111"; target = "ACCEPT"; }
|
||||||
|
{ predicate = "-i retiolum -p tcp --dport 2049"; target = "ACCEPT"; }
|
||||||
|
{ predicate = "-i retiolum -p udp --dport 2049"; target = "ACCEPT"; }
|
||||||
|
{ predicate = "-i retiolum -p tcp --dport 4000:4002"; target = "ACCEPT"; }
|
||||||
|
{ predicate = "-i retiolum -p udp --dport 4000:4002"; target = "ACCEPT"; }
|
||||||
|
{ predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; }
|
||||||
|
{ predicate = "-i wiregrill -p tcp --dport 111"; target = "ACCEPT"; }
|
||||||
|
{ predicate = "-i wiregrill -p udp --dport 111"; target = "ACCEPT"; }
|
||||||
|
{ predicate = "-i wiregrill -p tcp --dport 2049"; target = "ACCEPT"; }
|
||||||
|
{ predicate = "-i wiregrill -p udp --dport 2049"; target = "ACCEPT"; }
|
||||||
|
{ predicate = "-i wiregrill -p tcp --dport 4000:4002"; target = "ACCEPT"; }
|
||||||
|
{ predicate = "-i wiregrill -p udp --dport 4000:4002"; target = "ACCEPT"; }
|
||||||
];
|
];
|
||||||
tables.filter.OUTPUT = {
|
tables.filter.OUTPUT = {
|
||||||
policy = "DROP";
|
policy = "DROP";
|
||||||
rules = [
|
rules = [
|
||||||
|
{ predicate = "-o lo"; target = "ACCEPT"; }
|
||||||
{ v6 = false; predicate = "-d ${vpnIp}/32"; target = "ACCEPT"; }
|
{ v6 = false; predicate = "-d ${vpnIp}/32"; target = "ACCEPT"; }
|
||||||
{ predicate = "-o tun0"; target = "ACCEPT"; }
|
{ predicate = "-o tun0"; target = "ACCEPT"; }
|
||||||
{ predicate = "-o retiolum"; target = "ACCEPT"; }
|
{ predicate = "-o retiolum"; target = "ACCEPT"; }
|
||||||
|
@ -279,7 +350,7 @@ in {
|
||||||
ExecStart = pkgs.writers.writeDash "flix-index" ''
|
ExecStart = pkgs.writers.writeDash "flix-index" ''
|
||||||
set -efu
|
set -efu
|
||||||
|
|
||||||
DIR=/var/download/finished
|
DIR=/var/download
|
||||||
cd "$DIR"
|
cd "$DIR"
|
||||||
while inotifywait -rq -e create -e move -e delete "$DIR"; do
|
while inotifywait -rq -e create -e move -e delete "$DIR"; do
|
||||||
find . -type f > "$DIR"/index.tmp
|
find . -type f > "$DIR"/index.tmp
|
||||||
|
@ -294,9 +365,15 @@ in {
|
||||||
group = "download";
|
group = "download";
|
||||||
};
|
};
|
||||||
|
|
||||||
services.magnetico = {
|
services.radarr = {
|
||||||
|
enable = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
services.sonarr = {
|
||||||
|
enable = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
services.prowlarr = {
|
||||||
enable = true;
|
enable = true;
|
||||||
web.address = "0.0.0.0";
|
|
||||||
web.port = 9092;
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
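Review bot: The new INPUT rules for prowlarr, sonarr and radarr (`--dport 9696`, `8989`, `7878` in the hunk at `@ -164,14 +216,33 @@`) accept on every interface, while the smbd/NFS rules added a few lines below in the same hunk are pinned to `-i retiolum` / `-i wiregrill`. These web UIs typically come up with no authentication configured on first start, so if any interface of the container is reachable beyond the two VPNs they are exposed as-is; restricting them the same way, e.g. `{ predicate = "-i retiolum -p tcp --dport 9696"; target = "ACCEPT"; } # prowlarr` (and likewise for 8989 and 7878, plus the wiregrill variants if wanted), keeps the exposure consistent with the rest of the rule set. The same hunk also opens 111, 2049 and 4000:4002 on both interfaces for what looks like NFS, but no NFS service is configured anywhere in this commit — if it lives in another file a `# nfsd` comment like the `# smbd` one would say so, otherwise those rules should be dropped until the service exists. The enclosing iptables attribute set starts before the hunk.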
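--- /dev/null
+++ b/lass/2configs/yellow-host.nix
@@ -0,0 +1,14 @@
+{ config, pkgs, ... }:
+{
+lass.sync-containers3.containers.yellow = {
+sshKey = "${toString <secrets>}/yellow.sync.key";
+};
+containers.yellow.bindMounts."/var/lib" = {
+hostPath = "/var/lib/sync-containers3/yellow/state";
+isReadOnly = false;
+};
+containers.yellow.bindMounts."/var/download" = {
+hostPath = "/var/download";
+isReadOnly = false;
+};
+}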
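Review bot: `sshKey = "${toString <secrets>}/yellow.sync.key";` deserves a comment, because the `toString` is load-bearing: interpolating the `<secrets>` path directly would copy the private key into the world-readable Nix store, whereas `toString` keeps it as a plain string path that the sync service presumably reads from the host filesystem at runtime. Suggested: `# toString keeps the key out of the nix store; the file must exist at this host path`. Both bind mounts are read-write (`isReadOnly = false`), and `/var/download` appears to be the same tree the container serves to guests via samba and nginx elsewhere in this commit, so a one-line note above that mount saying the container can write straight into the host's download tree would help the next reader judge the blast radius.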
|