l: move download stuff to yellow.r
This commit is contained in:
parent
53359a60f5
commit
740f8c8ccf
@ -716,6 +716,36 @@ with import <stockholm/lib>;
|
||||
ssh.privkey.path = <secrets/ssh.id_ed25519>;
|
||||
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd/6eCR8yxC14zBJLIQgVa4Zbutv5yr2S8k08ztmBpp";
|
||||
};
|
||||
yellow = {
|
||||
cores = 1;
|
||||
nets = {
|
||||
retiolum = {
|
||||
ip4.addr = "10.243.0.14";
|
||||
ip6.addr = "42:0:0:0:0:0:0:14";
|
||||
aliases = [
|
||||
"yellow.r"
|
||||
];
|
||||
tinc.pubkey = ''
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6lHmzq8+04h3zivJmIbP
|
||||
MkYiW7KflcTWQrl/4jJ7DVFbrtS6BSSI0wIibW5ygtLrp2nYgWv1jhg7K9q8tWMY
|
||||
b6tDv/ze02ywCwStbjytW3ymSZUJlRkK2DQ4Ld7JEyKmLQIjxXYah+2P3QeUxLfU
|
||||
Uwk6vSRuTlcb94rLFOrCUDRy1cZC73ZmtdbEP2UZz3ey6beo3l/K5O4OOz+lNXgd
|
||||
OXPls4CeNm6NYhSGTBomS/zZBzGqb+4sOtLSPraNQuc75ZVpT8nFa/7tLVytWCOP
|
||||
vWglPTJOyQSygSoVwGU9I8pq8xF1aTE72hLGHprIJAGgQE9rmS9/3mbiGLVZpny6
|
||||
C6Q9t6vkYBRb+jg3WozIXdUvPP19qTEFaeb08kAuf1xhjZhirfDQjI7K6SFaDOUp
|
||||
Y/ZmCrCuaevifaXYza/lM+4qhPXmh82WD5ONOhX0Di98HBtij2lybIRUG/io4DAU
|
||||
52rrNAhRvMkUTBRlGG6LPC4q6khjuYgo9uley5BbyWWbCB1A9DUfbc6KfLUuxSwg
|
||||
zLybZs/SHgXw+pJSXNgFJTYGv1i/1YQdpnbTgW4QsEp05gb+gA9/6+IjSIJdJE3p
|
||||
DSZGcJz3gNSR1vETk8I2sSC/N8wlYXYV7wxQvSlQsehfEPrFtXM65k3RWzAAbNIJ
|
||||
Akz4E3+xLVIMqKmHaGWi0usCAwEAAQ==
|
||||
-----END PUBLIC KEY-----
|
||||
'';
|
||||
};
|
||||
};
|
||||
ssh.privkey.path = <secrets/ssh.id_ed25519>;
|
||||
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC03TCO73NQZHo7NKZiVJp2iiUbe6PQP14Kg3Bnlkqje ";
|
||||
};
|
||||
blue = {
|
||||
cores = 1;
|
||||
nets = {
|
||||
|
@ -207,7 +207,6 @@ with import <stockholm/lib>;
|
||||
RandomizedDelaySec = "2min";
|
||||
};
|
||||
}
|
||||
<stockholm/lass/2configs/downloading.nix>
|
||||
<stockholm/lass/2configs/minecraft.nix>
|
||||
{
|
||||
services.taskserver = {
|
||||
@ -338,6 +337,63 @@ with import <stockholm/lib>;
|
||||
];
|
||||
|
||||
}
|
||||
{
|
||||
systemd.services."container@yellow".reloadIfChanged = mkForce false;
|
||||
containers.yellow = {
|
||||
config = { ... }: {
|
||||
environment.systemPackages = [ pkgs.git ];
|
||||
services.openssh.enable = true;
|
||||
users.users.root.openssh.authorizedKeys.keys = [
|
||||
config.krebs.users.lass.pubkey
|
||||
];
|
||||
};
|
||||
autoStart = false;
|
||||
enableTun = true;
|
||||
privateNetwork = true;
|
||||
hostAddress = "10.233.2.13";
|
||||
localAddress = "10.233.2.14";
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."lassul.us".locations."^~ /transmission".extraConfig = ''
|
||||
if ($scheme != "https") {
|
||||
rewrite ^ https://$host$uri permanent;
|
||||
}
|
||||
auth_basic "Restricted Content";
|
||||
auth_basic_user_file ${pkgs.writeText "transmission-user-pass" ''
|
||||
krebs:$apr1$1Fwt/4T0$YwcUn3OBmtmsGiEPlYWyq0
|
||||
''};
|
||||
proxy_pass http://10.233.2.14:9091;
|
||||
'';
|
||||
|
||||
users.groups.download = {};
|
||||
users.users = {
|
||||
download = {
|
||||
createHome = true;
|
||||
group = "download";
|
||||
name = "download";
|
||||
home = "/var/download";
|
||||
useDefaultShell = true;
|
||||
openssh.authorizedKeys.keys = with config.krebs.users; [
|
||||
lass.pubkey
|
||||
lass-shodan.pubkey
|
||||
lass-icarus.pubkey
|
||||
lass-daedalus.pubkey
|
||||
lass-helios.pubkey
|
||||
makefu.pubkey
|
||||
wine-mors.pubkey
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
system.activationScripts.downloadFolder = ''
|
||||
mkdir -p /var/download
|
||||
chmod 775 /var/download
|
||||
ln -fs /var/download/finished /var/lib/containers/yellow/var/download/finished || :
|
||||
chown download: /var/download/finished
|
||||
ln -fs /var/download/incoming /var/lib/containers/yellow/var/download/incoming || :
|
||||
chown download: /var/download/incoming
|
||||
'';
|
||||
}
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.prism;
|
||||
|
132
lass/1systems/yellow/config.nix
Normal file
132
lass/1systems/yellow/config.nix
Normal file
@ -0,0 +1,132 @@
|
||||
with import <stockholm/lib>;
|
||||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
<stockholm/lass>
|
||||
<stockholm/lass/2configs>
|
||||
<stockholm/lass/2configs/retiolum.nix>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.yellow;
|
||||
|
||||
system.activationScripts.downloadFolder = ''
|
||||
mkdir -p /var/download
|
||||
chown download:download /var/download
|
||||
chmod 775 /var/download
|
||||
'';
|
||||
|
||||
users.users.download = { uid = genid "download"; };
|
||||
users.groups.download.members = [ "transmission" ];
|
||||
users.users.transmission.group = mkForce "download";
|
||||
|
||||
systemd.services.transmission.serviceConfig.bindsTo = [ "openvpn-nordvpn.service" ];
|
||||
services.transmission = {
|
||||
enable = true;
|
||||
settings = {
|
||||
download-dir = "/var/download/finished";
|
||||
incomplete-dir = "/var/download/incoming";
|
||||
incomplete-dir-enable = true;
|
||||
umask = "002";
|
||||
rpc-whitelist-enabled = false;
|
||||
rpc-host-whitelist-enabled = false;
|
||||
};
|
||||
};
|
||||
|
||||
krebs.iptables = {
|
||||
enable = true;
|
||||
tables.filter.INPUT.rules = [
|
||||
{ predicate = "-p tcp --dport 9091"; target = "ACCEPT"; }
|
||||
{ predicate = "-p tcp --dport 51413"; target = "ACCEPT"; }
|
||||
{ predicate = "-p udp --dport 51413"; target = "ACCEPT"; }
|
||||
];
|
||||
};
|
||||
|
||||
services.nginx.enable = true;
|
||||
services.openvpn.servers.nordvpn.config = ''
|
||||
client
|
||||
dev tun
|
||||
proto udp
|
||||
remote 82.102.16.229 1194
|
||||
resolv-retry infinite
|
||||
remote-random
|
||||
nobind
|
||||
tun-mtu 1500
|
||||
tun-mtu-extra 32
|
||||
mssfix 1450
|
||||
persist-key
|
||||
persist-tun
|
||||
ping 15
|
||||
ping-restart 0
|
||||
ping-timer-rem
|
||||
reneg-sec 0
|
||||
comp-lzo no
|
||||
|
||||
explicit-exit-notify 3
|
||||
|
||||
remote-cert-tls server
|
||||
|
||||
#mute 10000
|
||||
auth-user-pass ${toString <secrets/nordvpn.txt>}
|
||||
|
||||
verb 3
|
||||
pull
|
||||
fast-io
|
||||
cipher AES-256-CBC
|
||||
auth SHA512
|
||||
|
||||
<ca>
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIEyjCCA7KgAwIBAgIJANIxRSmgmjW6MA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
|
||||
VQQGEwJQQTELMAkGA1UECBMCUEExDzANBgNVBAcTBlBhbmFtYTEQMA4GA1UEChMH
|
||||
Tm9yZFZQTjEQMA4GA1UECxMHTm9yZFZQTjEaMBgGA1UEAxMRZGUyMjkubm9yZHZw
|
||||
bi5jb20xEDAOBgNVBCkTB05vcmRWUE4xHzAdBgkqhkiG9w0BCQEWEGNlcnRAbm9y
|
||||
ZHZwbi5jb20wHhcNMTcxMTIyMTQ1MTQ2WhcNMjcxMTIwMTQ1MTQ2WjCBnjELMAkG
|
||||
A1UEBhMCUEExCzAJBgNVBAgTAlBBMQ8wDQYDVQQHEwZQYW5hbWExEDAOBgNVBAoT
|
||||
B05vcmRWUE4xEDAOBgNVBAsTB05vcmRWUE4xGjAYBgNVBAMTEWRlMjI5Lm5vcmR2
|
||||
cG4uY29tMRAwDgYDVQQpEwdOb3JkVlBOMR8wHQYJKoZIhvcNAQkBFhBjZXJ0QG5v
|
||||
cmR2cG4uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv++dfZlG
|
||||
UeFF2sGdXjbreygfo78Ujti6X2OiMDFnwgqrhELstumXl7WrFf5EzCYbVriNuUny
|
||||
mNCx3OxXxw49xvvg/KplX1CE3rKBNnzbeaxPmeyEeXe+NgA7rwOCbYPQJScFxK7X
|
||||
+D16ZShY25GyIG7hqFGML0Qz6gpZRGaHSd0Lc3wSgoLzGtsIg8hunhfi00dNqMBT
|
||||
ukCzgfIqbQUuqmOibsWnYvZoXoYKnbRL0Bj8IYvwvu4p2oBQpvM+JR4DC+rv52LI
|
||||
583Q6g3LebQ4JuQf8jgxvEEV4UL1CsUBqN3mcRpVUKJS3ijXmzEX9MfpBRcp1rBA
|
||||
VsiE4Mrk7PXhkwIDAQABo4IBBzCCAQMwHQYDVR0OBBYEFFIv1UuKN2NXaVjRNXDT
|
||||
Rs/+LT/9MIHTBgNVHSMEgcswgciAFFIv1UuKN2NXaVjRNXDTRs/+LT/9oYGkpIGh
|
||||
MIGeMQswCQYDVQQGEwJQQTELMAkGA1UECBMCUEExDzANBgNVBAcTBlBhbmFtYTEQ
|
||||
MA4GA1UEChMHTm9yZFZQTjEQMA4GA1UECxMHTm9yZFZQTjEaMBgGA1UEAxMRZGUy
|
||||
Mjkubm9yZHZwbi5jb20xEDAOBgNVBCkTB05vcmRWUE4xHzAdBgkqhkiG9w0BCQEW
|
||||
EGNlcnRAbm9yZHZwbi5jb22CCQDSMUUpoJo1ujAMBgNVHRMEBTADAQH/MA0GCSqG
|
||||
SIb3DQEBCwUAA4IBAQBf1vr93OIkIFehXOCXYFmAYai8/lK7OQH0SRMYdUPvADjQ
|
||||
e5tSDK5At2Ew9YLz96pcDhzLqtbQsRqjuqWKWs7DBZ8ZiJg1nVIXxE+C3ezSyuVW
|
||||
//DdqMeUD80/FZD5kPS2yJJOWfuBBMnaN8Nxb0BaJi9AKFHnfg6Zxqa/FSUPXFwB
|
||||
wH+zeymL2Dib2+ngvCm9VP3LyfIdvodEJ372H7eG8os8allUnkUzpVyGxI4pN/IB
|
||||
KROBRPKb+Aa5FWeWgEUHIr+hNrEMvcWfSvZAkSh680GScQeJh5Xb4RGMCW08tb4p
|
||||
lrojzCvC7OcFeUNW7Ayiuukx8rx/F4+IZ1yJGff9
|
||||
-----END CERTIFICATE-----
|
||||
</ca>
|
||||
key-direction 1
|
||||
<tls-auth>
|
||||
#
|
||||
# 2048 bit OpenVPN static key
|
||||
#
|
||||
-----BEGIN OpenVPN Static key V1-----
|
||||
49b2f54c6ee58d2d97331681bb577d55
|
||||
054f56d92b743c31e80b684de0388702
|
||||
ad3bf51088cd88f3fac7eb0729f2263c
|
||||
51d82a6eb7e2ed4ae6dfa65b1ac764d0
|
||||
b9dedf1379c1b29b36396d64cb6fd6b2
|
||||
e61f869f9a13001dadc02db171f04c4d
|
||||
c46d1132c1f31709e7b54a6eabae3ea8
|
||||
fbd2681363c185f4cb1be5aa42a27c31
|
||||
21db7b2187fd11c1acf224a0d5a44466
|
||||
b4b5a3cc34ec0227fe40007e8b379654
|
||||
f1e8e2b63c6b46ee7ab6f1bd82f57837
|
||||
92c209e8f25bc9ed493cb5c1d891ae72
|
||||
7f54f4693c5b20f136ca23e639fd8ea0
|
||||
865b4e22dd2af43e13e6b075f12427b2
|
||||
08af9ffd09c56baa694165f57fe2697a
|
||||
3377fa34aebcba587c79941d83deaf45
|
||||
-----END OpenVPN Static key V1-----
|
||||
</tls-auth>
|
||||
'';
|
||||
}
|
8
lass/1systems/yellow/physical.nix
Normal file
8
lass/1systems/yellow/physical.nix
Normal file
@ -0,0 +1,8 @@
|
||||
{
|
||||
imports = [
|
||||
./config.nix
|
||||
];
|
||||
boot.isContainer = true;
|
||||
networking.useDHCP = false;
|
||||
environment.variables.NIX_REMOTE = "daemon";
|
||||
}
|
@ -1,65 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with import <stockholm/lib>;
|
||||
|
||||
{
|
||||
users.extraUsers = {
|
||||
download = {
|
||||
name = "download";
|
||||
home = "/var/download";
|
||||
createHome = true;
|
||||
useDefaultShell = true;
|
||||
extraGroups = [
|
||||
"download"
|
||||
];
|
||||
openssh.authorizedKeys.keys = with config.krebs.users; [
|
||||
lass.pubkey
|
||||
lass-shodan.pubkey
|
||||
lass-icarus.pubkey
|
||||
lass-daedalus.pubkey
|
||||
lass-helios.pubkey
|
||||
makefu.pubkey
|
||||
wine-mors.pubkey
|
||||
];
|
||||
};
|
||||
|
||||
transmission = {
|
||||
extraGroups = [
|
||||
"download"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
users.extraGroups = {
|
||||
download = {
|
||||
members = [
|
||||
"download"
|
||||
"transmission"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
krebs.rtorrent = {
|
||||
enable = true;
|
||||
web = {
|
||||
enable = true;
|
||||
port = 9091;
|
||||
basicAuth = import <secrets/torrent-auth>;
|
||||
};
|
||||
rutorrent.enable = true;
|
||||
enableXMLRPC = true;
|
||||
listenPort = 51413;
|
||||
downloadDir = "/var/download/finished";
|
||||
# dump old torrents into watch folder to have them re-added
|
||||
watchDir = "/var/download/watch";
|
||||
};
|
||||
|
||||
krebs.iptables = {
|
||||
enable = true;
|
||||
tables.filter.INPUT.rules = [
|
||||
{ predicate = "-p tcp --dport 9091"; target = "ACCEPT"; }
|
||||
{ predicate = "-p tcp --dport 51413"; target = "ACCEPT"; }
|
||||
{ predicate = "-p udp --dport 51413"; target = "ACCEPT"; }
|
||||
];
|
||||
};
|
||||
}
|
Loading…
Reference in New Issue
Block a user