-rw-r--r--hosts/arrakis/default.nix60
-rw-r--r--hosts/arrakis/services.nix169
-rw-r--r--hosts/secrets/arrakis.yaml6
3 files changed, 162 insertions, 73 deletions
diff --git a/hosts/arrakis/default.nix b/hosts/arrakis/default.nix
index cb74fd9..073f2a0 100644
--- a/hosts/arrakis/default.nix
+++ b/hosts/arrakis/default.nix
@@ -82,30 +82,50 @@
defaultSopsFile = ../secrets/arrakis.yaml;
secrets = {
+ "nftables/ssh" = {};
"wpa_supplicant" = {};
};
};
system.stateVersion = "23.11";
- #systemd.services."nftables-extra" = {
- # description = "nftables extra firewall rules";
- # script = ''
- # ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
- # '';
- # serviceConfig = {
- # RemainAfterExit = true;
- # Type = "oneshot";
- # };
- # unitConfig = {
- # ConditionPathExists = config.sops.secrets."nftables/ssh".path;
- # };
- # wantedBy = [ "multi-user.target" ];
- #};
- #systemd.paths."nftables-extra" = {
- # pathConfig = {
- # PathExists = config.sops.secrets."nftables/ssh".path;
- # };
- # wantedBy = [ "multi-user.target" ];
- #};
+ systemd.services."nftables-extra" = {
+ description = "nftables extra firewall rules";
+ script = ''
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { http, https } counter accept # 80, 443'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { netbios-ns, netbios-dgm } counter accept # 137, 138'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { netbios-ssn, microsoft-ds } counter accept # 139, 445'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport 2049 counter accept'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { 2456, 2457 } counter accept # Valheim dedicated server'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 5121 counter accept # Neverwinter Nights Server'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { 7878, 8080, 8686, 8787, 8989 } counter accept # Radarr, Sabnzb, Lidarr, Sonarr, Readarr'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 15637 counter accept # Enshrouded'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 udp dport { 27031, 27036 } counter accept # Steam Remote Play'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 tcp dport { 27036, 27037 } counter accept # Steam Remote Play'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 51820 counter accept # WireGuard'
+ ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
+ '';
+ serviceConfig = {
+ RemainAfterExit = true;
+ Type = "oneshot";
+ };
+ unitConfig = {
+ ConditionPathExists = [
+ config.sops.secrets."nftables/forward".path
+ config.sops.secrets."nftables/ssh".path
+ ];
+ };
+ wantedBy = [ "multi-user.target" ];
+ after = [ "nftables.service" ];
+ partOf = [ "nftables.service" ];
+ };
+ systemd.paths."nftables-extra" = {
+ pathConfig = {
+ PathExists = [
+ config.sops.secrets."nftables/forward".path
+ config.sops.secrets."nftables/ssh".path
+ ];
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
}
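Review bot: `ConditionPathExists` and `PathExists` both reference `config.sops.secrets."nftables/forward".path`, but the only sops secrets declared in this hunk are `"nftables/ssh"` and `"wpa_supplicant"`, and the accompanying `hosts/secrets/arrakis.yaml` change adds only `nftables.ssh`; unless `nftables/forward` is declared in another module, evaluation fails on a missing attribute, and if it is declared but the file is absent the condition silently keeps the service (and the ssh rules) from ever running. Either add `"nftables/forward" = {};` next to `"nftables/ssh" = {};` and the matching secret, or drop the two `forward` lines. The accept rules for SMB (137–139/445), NFS 2049 and the *arr ports are not source-restricted, unlike the Steam Remote Play lines that carry `ip saddr 192.168.1.0/24`; if those services are LAN-only as well, apply the same `ip saddr` filter for consistency. Because the unit is a `oneshot` with `RemainAfterExit` and no `ExecStop`, a restart of `nftables-extra` alone will `insert` every rule a second time; only a restart of `nftables.service` (via `partOf`) flushes them, so a short comment noting that, or a `preStart` that deletes the previous rules, would help. The enclosing `sops` attribute set begins before this hunk.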
diff --git a/hosts/arrakis/services.nix b/hosts/arrakis/services.nix
index 2e0f7d8..25d4ddb 100644
--- a/hosts/arrakis/services.nix
+++ b/hosts/arrakis/services.nix
@@ -1,58 +1,124 @@
{
- services.clamav.updater.enable = true;
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "nipsy@bitgnome.net";
+ };
- services.jellyfin.enable = true;
+ services = {
+ clamav.updater.enable = true;
- services.smartd = let my_email_addr = "nipsy@bitgnome.net"; in {
- enable = true;
- devices = [
- {
- device = "/dev/disk/by-id/nvme-WD_BLACK_SN850X_4000GB_23162P800005";
- options = "-a -o on -S on -m ${my_email_addr}";
- }
- {
- device = "/dev/disk/by-id/nvme-WD_BLACK_SN850X_4000GB_23162P800014";
- options = "-a -o on -S on -m ${my_email_addr}";
- }
- {
- device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUEZNL";
- options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
- }
- {
- device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUUSXL";
- options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
- }
- {
- device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV0H5L";
- options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
- }
- {
- device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUK5EL";
- options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
- }
- {
- device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV5JEL";
- options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
- }
- {
- device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUZ42L";
- options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
- }
- {
- device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV3BSL";
- options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
- }
- {
- device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV338L";
- options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
- }
- ];
- };
+ iperf3.openFirewall = true;
+
+ jellyfin.enable = true;
+
+ nginx = {
+ enable = true;
+
+ # Use recommended settings
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ # Only allow PFS-enabled ciphers with AES256
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+ virtualHosts = {
+ "arrakis.bitgnome.net" = {
+ enableACME = true;
+ forceSSL = true;
+ locations = {
+ "/" = {
+ extraConfig = ''
+ default_type text/html;
+ '';
+ return = "200 '<html><body>Hot damn, it works!</body></html>'";
+ };
+ "/jellyfin" = {
+ return = "302 $scheme://$host/jellyfin/";
+ };
+ "/jellyfin/" = {
+ extraConfig = ''
+ proxy_pass_request_headers on;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $http_connection;
+ proxy_buffering off;
+
+ # CORS setup
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Expose-Headers' 'Content-Length';
+
+ # Allow CORS preflight requests
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'text/plain charset=UTF-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+ '';
+ proxyPass = "http://192.168.1.2:8096/jellyfin/";
+
+ };
+ };
+ };
+ };
+ };
+
+ smartd = let my_email_addr = "nipsy@bitgnome.net"; in {
+ enable = true;
+ devices = [
+ {
+ device = "/dev/disk/by-id/nvme-WD_BLACK_SN850X_4000GB_23162P800005";
+ options = "-a -o on -S on -m ${my_email_addr}";
+ }
+ {
+ device = "/dev/disk/by-id/nvme-WD_BLACK_SN850X_4000GB_23162P800014";
+ options = "-a -o on -S on -m ${my_email_addr}";
+ }
+ {
+ device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUEZNL";
+ options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
+ }
+ {
+ device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUUSXL";
+ options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
+ }
+ {
+ device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV0H5L";
+ options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
+ }
+ {
+ device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUK5EL";
+ options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
+ }
+ {
+ device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV5JEL";
+ options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
+ }
+ {
+ device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUZ42L";
+ options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
+ }
+ {
+ device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV3BSL";
+ options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
+ }
+ {
+ device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV338L";
+ options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
+ }
+ ];
+ };
- services.samba = {
- enable = true;
- settings =
- {
+ samba = {
+ enable = true;
+ settings = {
global = {
"invalid users" = [
"root"
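Review bot: The `/jellyfin/` location sends `Access-Control-Allow-Origin '*'` (and again inside the `OPTIONS` branch), so any origin can issue cross-site requests to the proxied Jellyfin API; as far as I know Jellyfin authenticates with token headers rather than cookies, which limits the exposure, but if only the web client served from this host needs it, pinning the origin is the safer default: `add_header 'Access-Control-Allow-Origin' 'https://arrakis.bitgnome.net' always;`. The explicit `proxy_set_header` lines in that location replace, rather than extend, the set that `recommendedProxySettings = true` installs at the http level, so headers such as `X-Forwarded-Server` are lost for this location; either drop the duplicated `Host`/`X-Real-IP`/`X-Forwarded-*` lines or note in a comment that the override is intentional. Proxying to `http://192.168.1.2:8096/jellyfin/` with `services.jellyfin.enable = true` on the same host presumably means 192.168.1.2 is this machine; if so `127.0.0.1` avoids depending on the LAN address, and the path-prefixed `proxyPass` only works once Jellyfin's base URL is set to `/jellyfin`, which is worth a one-line comment. The `samba` block continues past the end of this hunk.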
@@ -77,5 +143,6 @@
"wide links" = "yes";
};
};
+ };
};
}
diff --git a/hosts/secrets/arrakis.yaml b/hosts/secrets/arrakis.yaml
index 54b24f5..54fb561 100644
--- a/hosts/secrets/arrakis.yaml
+++ b/hosts/secrets/arrakis.yaml
@@ -1,3 +1,5 @@
+nftables:
+ ssh: ENC[AES256_GCM,data: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,iv:OnEBPu/havLABMuANjiKMEmhPX2tk/PlyDY0FwvQnsI=,tag:Qny6XbCXMhAr1AjZjr0ucw==,type:str]
wpa_supplicant: ENC[AES256_GCM,data:HHs6g3qaaeinVGgteExQvhE0CEC94WjJ0tV7pyI=,iv:6F+DYHieaWWo+V1F9yjwWT7PcdiIpH48nv1SUrFHePk=,tag:cpimCP+YNmCI+t+wpuXwHg==,type:str]
sops:
kms: []
@@ -23,8 +25,8 @@ sops:
ejRLb2Vkd1B3QmxLSE1wUzgrazZJT0UKz1IQxYm7hagYtBsWTpk+f6/79ArRUgNL
MfhHMQAwuuXjBSmuFolyU3UoWnDYK6uGAv5nlTJxESqj5eQBafItSw==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-10-13T00:57:02Z"
- mac: ENC[AES256_GCM,data:5TPECBIcH0HaWiidl8SKYo7ztWowRmCHKWLWS/fGY0DCf60wVMe6U+ybyWguBhHyCjchS0lpOW73Yy+VRYgUZ6amtKdM5w/iD9OEwdW6QoFbveU88Dx+pgp4OLjYHI4nJeWAs1XkGUttEd9imd57UgAn5mlnQjozhHkKD2Xjz4I=,iv:iwAVxJ92lqT6zexMRDUs4BaonuIQbDjZyRy5Fm0/E0Y=,tag:T8tUILp8u/7j5zcSFlVpYg==,type:str]
+ lastmodified: "2024-10-13T06:55:41Z"
+ mac: ENC[AES256_GCM,data:71ifeYVwz7jt6Cv19MS2g9VYmQVhygEVAW5xLdblTAofUcNQsEO3JOJyhqICJqdU1nmy1/BlD0pM8hgyqLu96fL24b5N9uZb7S0B2hStlP7TOCot6UoX4Hmb5n2CRiKBgvdtDz86T4EOLfNXBPxSKr1W+mluSYtMJa+aNl0PXqA=,iv:EvwQkyyKybKDo1kMuzFb5FNs6ffoh9qnA3iiXLLyXMo=,tag:AmfdT6lxvbub3PvPKCAwsA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1