From 79a7ab4fd8899e7ac197318bb58a3e04affdf459 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 21 Feb 2023 11:15:26 +0100 Subject: [PATCH] l yellow.r: move flix to services --- lass/1systems/neoprism/config.nix | 3 +- lass/1systems/yellow/config.nix | 330 +----------------- .../2configs/services/flix/container-host.nix | 40 +++ lass/2configs/services/flix/default.nix | 316 +++++++++++++++++ lass/2configs/services/flix/proxy.nix | 12 + lass/2configs/yellow-host.nix | 14 - 6 files changed, 384 insertions(+), 331 deletions(-) create mode 100644 lass/2configs/services/flix/container-host.nix create mode 100644 lass/2configs/services/flix/default.nix create mode 100644 lass/2configs/services/flix/proxy.nix delete mode 100644 lass/2configs/yellow-host.nix diff --git a/lass/1systems/neoprism/config.nix b/lass/1systems/neoprism/config.nix index 8af63ee59..72de0df83 100644 --- a/lass/1systems/neoprism/config.nix +++ b/lass/1systems/neoprism/config.nix @@ -7,7 +7,7 @@ # sync-containers - + @@ -17,6 +17,7 @@ # proxying of services + ]; krebs.build.host = config.krebs.hosts.neoprism; diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix index ff8189e24..fb28fb029 100644 --- a/lass/1systems/yellow/config.nix +++ b/lass/1systems/yellow/config.nix @@ -5,6 +5,7 @@ in { + ]; krebs.build.host = config.krebs.hosts.yellow; @@ -14,281 +15,8 @@ in { pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN737BAP36KiZO97mPKTIUGJUcr97ps8zjfFag6cUiYL"; }; - users.groups.download.members = [ "transmission" ]; - networking.useHostResolvConf = false; networking.useNetworkd = true; - services.transmission = { - enable = true; - home = "/var/state/transmission"; - group = "download"; - downloadDirPermissions = "775"; - settings = { - download-dir = "/var/download/transmission"; - incomplete-dir-enabled = false; - rpc-bind-address = "::"; - message-level = 1; - umask = 18; - rpc-whitelist-enabled = false; - rpc-host-whitelist-enabled = false; - }; - }; - - security.acme.defaults.email = "spam@krebsco.de"; - security.acme.acceptTerms = true; - security.acme.certs."yellow.r".server = config.krebs.ssl.acmeURL; - security.acme.certs."jelly.r".server = config.krebs.ssl.acmeURL; - security.acme.certs."radar.r".server = config.krebs.ssl.acmeURL; - security.acme.certs."sonar.r".server = config.krebs.ssl.acmeURL; - security.acme.certs."transmission.r".server = config.krebs.ssl.acmeURL; - services.nginx = { - enable = true; - package = pkgs.nginx.override { - modules = with pkgs.nginxModules; [ - fancyindex - ]; - }; - virtualHosts."yellow.r" = { - default = true; - enableACME = true; - addSSL = true; - locations."/" = { - root = "/var/download"; - extraConfig = '' - fancyindex on; - fancyindex_footer "/fancy.html"; - include ${pkgs.nginx}/conf/mime.types; - include ${pkgs.writeText "extrMime" '' - types { - video/webm mkv; - } - ''}; - create_full_put_path on; - ''; - }; - locations."/chatty" = { - proxyPass = "http://localhost:3000"; - extraConfig = '' - rewrite /chatty/(.*) /$1 break; - proxy_set_header Host $host; - ''; - }; - locations."= /fancy.html".extraConfig = '' - alias ${pkgs.writeText "nginx_footer" '' -
- -
Click here to move
- -
- - - ''}; - ''; - }; - virtualHosts."jelly.r" = { - enableACME = true; - addSSL = true; - locations."/".extraConfig = '' - proxy_pass http://localhost:8096/; - proxy_set_header Accept-Encoding ""; - ''; - }; - virtualHosts."transmission.r" = { - enableACME = true; - addSSL = true; - locations."/".extraConfig = '' - proxy_pass http://localhost:9091/; - proxy_set_header Accept-Encoding ""; - ''; - }; - virtualHosts."radar.r" = { - enableACME = true; - addSSL = true; - locations."/" = { - proxyWebsockets = true; - proxyPass = "http://localhost:7878"; - }; - }; - virtualHosts."sonar.r" = { - enableACME = true; - addSSL = true; - locations."/" = { - proxyWebsockets = true; - proxyPass = "http://localhost:8989"; - }; - }; - }; - - services.samba = { - enable = true; - enableNmbd = false; - extraConfig = '' - workgroup = WORKGROUP - server string = ${config.networking.hostName} - # only allow retiolum addresses - hosts allow = 42::/16 10.243.0.0/16 10.244.0.0/16 - - # Use sendfile() for performance gain - use sendfile = true - - # No NetBIOS is needed - disable netbios = true - - # Only mangle non-valid NTFS names, don't care about DOS support - mangled names = illegal - - # Performance optimizations - socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536 - - # Disable all printing - load printers = false - disable spoolss = true - printcap name = /dev/null - - map to guest = Bad User - max log size = 50 - dns proxy = no - security = user - - [global] - syslog only = yes - ''; - shares.public = { - comment = "Warez"; - path = "/var/download"; - public = "yes"; - "only guest" = "yes"; - "create mask" = "0644"; - "directory mask" = "2777"; - writable = "no"; - printable = "no"; - }; - }; - - systemd.services.bruellwuerfel = - let - bruellwuerfelSrc = pkgs.fetchFromGitHub { - owner = "krebs"; - repo = "bruellwuerfel"; - rev = "dc73adf69249fb63a4b024f1f3fbc9e541b27015"; - sha256 = "078jp1gbavdp8lnwa09xa5m6bbbd05fi4x5ldkkgin5z04hwlhmd"; - }; - in { - wantedBy = [ "multi-user.target" ]; - environment = { - IRC_CHANNEL = "#flix"; - IRC_NICK = "bruelli"; - IRC_SERVER = "irc.r"; - IRC_HISTORY_FILE = "/tmp/bruelli.history"; - }; - serviceConfig = { - ExecStart = "${pkgs.deno}/bin/deno run -A ${bruellwuerfelSrc}/src/index.ts"; - }; - }; - - krebs.iptables = { - enable = true; - tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 80"; target = "ACCEPT"; } # nginx web dir - { predicate = "-p tcp --dport 443"; target = "ACCEPT"; } # nginx web dir - { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } # transmission-web - { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } # transmission-traffic - { predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic - { predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin - { predicate = "-p tcp --dport 9696"; target = "ACCEPT"; } # prowlarr - { predicate = "-p tcp --dport 8989"; target = "ACCEPT"; } # sonarr - { predicate = "-p tcp --dport 7878"; target = "ACCEPT"; } # radarr - { predicate = "-p tcp --dport 6767"; target = "ACCEPT"; } # bazarr - - # smbd - { predicate = "-i retiolum -p tcp --dport 445"; target = "ACCEPT"; } - { predicate = "-i retiolum -p tcp --dport 111"; target = "ACCEPT"; } - { predicate = "-i retiolum -p udp --dport 111"; target = "ACCEPT"; } - { predicate = "-i retiolum -p tcp --dport 2049"; target = "ACCEPT"; } - { predicate = "-i retiolum -p udp --dport 2049"; target = "ACCEPT"; } - { predicate = "-i retiolum -p tcp --dport 4000:4002"; target = "ACCEPT"; } - { predicate = "-i retiolum -p udp --dport 4000:4002"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p tcp --dport 111"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p udp --dport 111"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p tcp --dport 2049"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p udp --dport 2049"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p tcp --dport 4000:4002"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p udp --dport 4000:4002"; target = "ACCEPT"; } - ]; - tables.filter.OUTPUT = { - policy = "DROP"; - rules = [ - { predicate = "-o lo"; target = "ACCEPT"; } - { v6 = false; predicate = "-d ${vpnIp}/32"; target = "ACCEPT"; } - { predicate = "-o tun0"; target = "ACCEPT"; } - { predicate = "-o retiolum"; target = "ACCEPT"; } - { v6 = false; predicate = "-d 1.1.1.1/32"; target = "ACCEPT"; } - { v6 = false; predicate = "-d 1.0.0.1/32"; target = "ACCEPT"; } - { v6 = false; predicate = "-o eth0 -d 10.233.2.0/24"; target = "ACCEPT"; } - ]; - }; - }; services.openvpn.servers.nordvpn.config = '' client @@ -375,49 +103,19 @@ in { ''; - systemd.services.flix-index = { - wantedBy = [ "multi-user.target" ]; - path = [ - pkgs.coreutils - pkgs.findutils - pkgs.inotify-tools - ]; - serviceConfig = { - Restart = "always"; - ExecStart = pkgs.writers.writeDash "flix-index" '' - set -efu - - DIR=/var/download - cd "$DIR" - while inotifywait -rq -e create -e move -e delete "$DIR"; do - find . -type f > "$DIR"/index.tmp - mv "$DIR"/index.tmp "$DIR"/index - done - ''; + krebs.iptables = { + enable = true; + tables.filter.OUTPUT = { + policy = "DROP"; + rules = [ + { predicate = "-o lo"; target = "ACCEPT"; } + { v6 = false; predicate = "-d ${vpnIp}/32"; target = "ACCEPT"; } + { predicate = "-o tun0"; target = "ACCEPT"; } + { predicate = "-o retiolum"; target = "ACCEPT"; } + { v6 = false; predicate = "-d 1.1.1.1/32"; target = "ACCEPT"; } + { v6 = false; predicate = "-d 1.0.0.1/32"; target = "ACCEPT"; } + { v6 = false; predicate = "-o eth0 -d 10.233.2.0/24"; target = "ACCEPT"; } + ]; }; }; - - services.jellyfin = { - enable = true; - group = "download"; - }; - - services.radarr = { - enable = true; - group = "download"; - }; - - services.sonarr = { - enable = true; - group = "download"; - }; - - services.prowlarr = { - enable = true; - }; - - services.bazarr = { - enable = true; - group = "download"; - }; } diff --git a/lass/2configs/services/flix/container-host.nix b/lass/2configs/services/flix/container-host.nix new file mode 100644 index 000000000..1c5b81128 --- /dev/null +++ b/lass/2configs/services/flix/container-host.nix @@ -0,0 +1,40 @@ +{ config, pkgs, ... }: +{ + krebs.sync-containers3.containers.yellow = { + sshKey = "${toString }/yellow.sync.key"; + }; + containers.yellow.bindMounts."/var/lib" = { + hostPath = "/var/lib/sync-containers3/yellow/state"; + isReadOnly = false; + }; + containers.yellow.bindMounts."/var/download" = { + hostPath = "/var/download"; + isReadOnly = false; + }; + # krebs.iptables.tables.filter.FORWARD.rules = [ + # { predicate = "-d ${config.krebs.hosts.yellow.nets.retiolum.ip4.addr} -p tcp --dport 8000 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; v6 = false; } + # { predicate = "-d ${config.krebs.hosts.yellow.nets.retiolum.ip6.addr} -p tcp --dport 8000 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; v4 = false; } + # ]; + # krebs.iptables.tables.nat.PREROUTING.rules = [ + # { predicate = "-p tcp --dport 2"; target = "DNAT --to-destination ${config.krebs.hosts.radio.nets.retiolum.ip4.addr}:8000"; v6 = false; } + # { predicate = "-p tcp --dport 2"; target = "DNAT --to-destination ${config.krebs.hosts.radio.nets.retiolum.ip6.addr}:8000"; v4 = false; } + # ]; + networking.firewall.allowedTCPPorts = [ 8096 8920 ]; + networking.firewall.allowedUDPPorts = [ 1900 7359 ]; + containers.yellow.forwardPorts = [ + { hostPort = 8096; containerPort = 8096; protocol = "tcp"; } + { hostPort = 8920; containerPort = 8920; protocol = "tcp"; } + { hostPort = 1900; containerPort = 1900; protocol = "udp"; } + { hostPort = 7359; containerPort = 7359; protocol = "udp"; } + ]; + + services.nginx.virtualHosts."flix.lassul.us" = { + # forceSSL = true; + # enableACME = true; + locations."/" = { + proxyPass = "http://yellow.r:8096"; + proxyWebsockets = true; + recommendedProxySettings = true; + }; + }; +} diff --git a/lass/2configs/services/flix/default.nix b/lass/2configs/services/flix/default.nix new file mode 100644 index 000000000..e6be394ce --- /dev/null +++ b/lass/2configs/services/flix/default.nix @@ -0,0 +1,316 @@ +{ config, lib, pkgs, ... }: +{ + users.groups.download.members = [ "transmission" ]; + services.transmission = { + enable = true; + home = "/var/state/transmission"; + group = "download"; + downloadDirPermissions = "775"; + settings = { + download-dir = "/var/download/transmission"; + incomplete-dir-enabled = false; + rpc-bind-address = "::"; + message-level = 1; + umask = 18; + rpc-whitelist-enabled = false; + rpc-host-whitelist-enabled = false; + }; + }; + + security.acme.defaults.email = "spam@krebsco.de"; + security.acme.acceptTerms = true; + security.acme.certs."yellow.r".server = config.krebs.ssl.acmeURL; + security.acme.certs."jelly.r".server = config.krebs.ssl.acmeURL; + security.acme.certs."radar.r".server = config.krebs.ssl.acmeURL; + security.acme.certs."sonar.r".server = config.krebs.ssl.acmeURL; + security.acme.certs."transmission.r".server = config.krebs.ssl.acmeURL; + services.nginx = { + enable = true; + package = pkgs.nginx.override { + modules = with pkgs.nginxModules; [ + fancyindex + ]; + }; + virtualHosts."yellow.r" = { + default = true; + enableACME = true; + addSSL = true; + locations."/" = { + root = "/var/download"; + extraConfig = '' + fancyindex on; + fancyindex_footer "/fancy.html"; + include ${pkgs.nginx}/conf/mime.types; + include ${pkgs.writeText "extrMime" '' + types { + video/webm mkv; + } + ''}; + create_full_put_path on; + ''; + }; + locations."/chatty" = { + proxyPass = "http://localhost:3000"; + extraConfig = '' + rewrite /chatty/(.*) /$1 break; + proxy_set_header Host $host; + ''; + }; + locations."= /fancy.html".extraConfig = '' + alias ${pkgs.writeText "nginx_footer" '' +
+ +
Click here to move
+ +
+ + + ''}; + ''; + }; + virtualHosts."jelly.r" = { + enableACME = true; + addSSL = true; + locations."/".extraConfig = '' + proxy_pass http://localhost:8096/; + proxy_set_header Accept-Encoding ""; + ''; + }; + virtualHosts."transmission.r" = { + enableACME = true; + addSSL = true; + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://localhost:9091"; + }; + }; + virtualHosts."radar.r" = { + enableACME = true; + addSSL = true; + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://localhost:7878"; + }; + }; + virtualHosts."sonar.r" = { + enableACME = true; + addSSL = true; + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://localhost:8989"; + }; + }; + }; + + services.samba = { + enable = true; + enableNmbd = false; + extraConfig = '' + workgroup = WORKGROUP + server string = ${config.networking.hostName} + # only allow retiolum addresses + hosts allow = 42::/16 10.243.0.0/16 10.244.0.0/16 + + # Use sendfile() for performance gain + use sendfile = true + + # No NetBIOS is needed + disable netbios = true + + # Only mangle non-valid NTFS names, don't care about DOS support + mangled names = illegal + + # Performance optimizations + socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536 + + # Disable all printing + load printers = false + disable spoolss = true + printcap name = /dev/null + + map to guest = Bad User + max log size = 50 + dns proxy = no + security = user + + [global] + syslog only = yes + ''; + shares.public = { + comment = "Warez"; + path = "/var/download"; + public = "yes"; + "only guest" = "yes"; + "create mask" = "0644"; + "directory mask" = "2777"; + writable = "no"; + printable = "no"; + }; + }; + + systemd.services.bruellwuerfel = + let + bruellwuerfelSrc = pkgs.fetchFromGitHub { + owner = "krebs"; + repo = "bruellwuerfel"; + rev = "dc73adf69249fb63a4b024f1f3fbc9e541b27015"; + sha256 = "078jp1gbavdp8lnwa09xa5m6bbbd05fi4x5ldkkgin5z04hwlhmd"; + }; + in { + wantedBy = [ "multi-user.target" ]; + environment = { + IRC_CHANNEL = "#flix"; + IRC_NICK = "bruelli"; + IRC_SERVER = "irc.r"; + IRC_HISTORY_FILE = "/tmp/bruelli.history"; + }; + serviceConfig = { + ExecStart = "${pkgs.deno}/bin/deno run -A ${bruellwuerfelSrc}/src/index.ts"; + }; + }; + + krebs.iptables = { + enable = true; + tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 80"; target = "ACCEPT"; } # nginx web dir + { predicate = "-p tcp --dport 443"; target = "ACCEPT"; } # nginx web dir + { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } # transmission-web + { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } # transmission-traffic + { predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic + { predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin + { predicate = "-p tcp --dport 8920"; target = "ACCEPT"; } # jellyfin + { predicate = "-p udp --dport 1900"; target = "ACCEPT"; } # jellyfin + { predicate = "-p udp --dport 7359"; target = "ACCEPT"; } # jellyfin + { predicate = "-p tcp --dport 9696"; target = "ACCEPT"; } # prowlarr + { predicate = "-p tcp --dport 8989"; target = "ACCEPT"; } # sonarr + { predicate = "-p tcp --dport 7878"; target = "ACCEPT"; } # radarr + { predicate = "-p tcp --dport 6767"; target = "ACCEPT"; } # bazarr + + # smbd + { predicate = "-i retiolum -p tcp --dport 445"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 111"; target = "ACCEPT"; } + { predicate = "-i retiolum -p udp --dport 111"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 2049"; target = "ACCEPT"; } + { predicate = "-i retiolum -p udp --dport 2049"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 4000:4002"; target = "ACCEPT"; } + { predicate = "-i retiolum -p udp --dport 4000:4002"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p tcp --dport 111"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p udp --dport 111"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p tcp --dport 2049"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p udp --dport 2049"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p tcp --dport 4000:4002"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p udp --dport 4000:4002"; target = "ACCEPT"; } + ]; + }; + + systemd.services.flix-index = { + wantedBy = [ "multi-user.target" ]; + path = [ + pkgs.coreutils + pkgs.findutils + pkgs.inotify-tools + ]; + serviceConfig = { + Restart = "always"; + ExecStart = pkgs.writers.writeDash "flix-index" '' + set -efu + + DIR=/var/download + cd "$DIR" + while inotifywait -rq -e create -e move -e delete "$DIR"; do + find . -type f > "$DIR"/index.tmp + mv "$DIR"/index.tmp "$DIR"/index + done + ''; + }; + }; + + services.jellyfin = { + enable = true; + group = "download"; + }; + + # movies + services.radarr = { + enable = true; + group = "download"; + }; + + # shows + services.sonarr = { + enable = true; + group = "download"; + }; + + # indexers + services.prowlarr = { + enable = true; + }; + + # subtitles + services.bazarr = { + enable = true; + group = "download"; + }; +} diff --git a/lass/2configs/services/flix/proxy.nix b/lass/2configs/services/flix/proxy.nix new file mode 100644 index 000000000..c16c6def3 --- /dev/null +++ b/lass/2configs/services/flix/proxy.nix @@ -0,0 +1,12 @@ +{ config, pkgs, ... }: +{ + services.nginx.virtualHosts."flix.lassul.us" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://yellow.r:8096"; + proxyWebsockets = true; + recommendedProxySettings = true; + }; + }; +} diff --git a/lass/2configs/yellow-host.nix b/lass/2configs/yellow-host.nix deleted file mode 100644 index 36027cb5d..000000000 --- a/lass/2configs/yellow-host.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ config, pkgs, ... }: -{ - krebs.sync-containers3.containers.yellow = { - sshKey = "${toString }/yellow.sync.key"; - }; - containers.yellow.bindMounts."/var/lib" = { - hostPath = "/var/lib/sync-containers3/yellow/state"; - isReadOnly = false; - }; - containers.yellow.bindMounts."/var/download" = { - hostPath = "/var/download"; - isReadOnly = false; - }; -}