Diffstat (limited to '')
-rw-r--r-- | hosts/arrakis/default.nix | 60 | ||||
-rw-r--r-- | hosts/arrakis/services.nix | 169 |
2 files changed, 158 insertions, 71 deletions
diff --git a/hosts/arrakis/default.nix b/hosts/arrakis/default.nix
index cb74fd9..073f2a0 100644
--- a/hosts/arrakis/default.nix
+++ b/hosts/arrakis/default.nix
@@ -82,30 +82,50 @@ defaultSopsFile = ../secrets/arrakis.yaml; secrets = { + "nftables/ssh" = {}; "wpa_supplicant" = {}; }; }; system.stateVersion = "23.11"; - #systemd.services."nftables-extra" = { - # description = "nftables extra firewall rules"; - # script = '' - # ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path} - # ''; - # serviceConfig = { - # RemainAfterExit = true; - # Type = "oneshot"; - # }; - # unitConfig = { - # ConditionPathExists = config.sops.secrets."nftables/ssh".path; - # }; - # wantedBy = [ "multi-user.target" ]; - #}; - #systemd.paths."nftables-extra" = { - # pathConfig = { - # PathExists = config.sops.secrets."nftables/ssh".path; - # }; - # wantedBy = [ "multi-user.target" ]; - #}; + systemd.services."nftables-extra" = { + description = "nftables extra firewall rules"; + script = '' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { http, https } counter accept # 80, 443' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { netbios-ns, netbios-dgm } counter accept # 137, 138' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { netbios-ssn, microsoft-ds } counter accept # 139, 445' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport 2049 counter accept' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { 2456, 2457 } counter accept # Valheim dedicated server' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 5121 counter accept # Neverwinter Nights Server' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { 7878, 8080, 8686, 8787, 8989 } counter accept # Radarr, Sabnzb, Lidarr, Sonarr, Readarr' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 15637 counter accept # Enshrouded' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw 
input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 udp dport { 27031, 27036 } counter accept # Steam Remote Play'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 tcp dport { 27036, 27037 } counter accept # Steam Remote Play'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 51820 counter accept # WireGuard'
+ ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
+ '';
+ serviceConfig = {
+ RemainAfterExit = true;
+ Type = "oneshot";
+ };
+ unitConfig = {
+ ConditionPathExists = [
+ config.sops.secrets."nftables/forward".path
+ config.sops.secrets."nftables/ssh".path
+ ];
+ };
+ wantedBy = [ "multi-user.target" ];
+ after = [ "nftables.service" ];
+ partOf = [ "nftables.service" ];
+ };
+ systemd.paths."nftables-extra" = {
+ pathConfig = {
+ PathExists = [
+ config.sops.secrets."nftables/forward".path
+ config.sops.secrets."nftables/ssh".path
+ ];
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
 }
diff --git a/hosts/arrakis/services.nix b/hosts/arrakis/services.nix
index 2e0f7d8..25d4ddb 100644
--- a/hosts/arrakis/services.nix
+++ b/hosts/arrakis/services.nix
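Review bot: Most of the new `nft insert rule` lines in the nftables-extra script accept from any source on wlp5s0 — SMB (137–139, 445), NFS 2049, WireGuard 51820 and the *arr/Sabnzbd web UIs on 7878/8080/8686/8787/8989 — while only the two Steam Remote Play rules are scoped with `ip saddr 192.168.1.0/24`; unless wlp5s0 is a trusted LAN segment, the LAN-only services (SMB, NFS, the *arr UIs) should carry the same `ip saddr 192.168.1.0/24` qualifier. `nft insert` also places each rule at the head of the input chain, ahead of whatever nixos-fw already does there, and it is not idempotent: restarting nftables-extra without a ruleset flush duplicates every rule, and if nftables.service is reloaded rather than restarted, `partOf` does not re-run this unit and the reloaded ruleset no longer carries these rules. The fixed-port rules would be simpler and idempotent as `networking.firewall.interfaces.wlp5s0.allowedTCPPorts` / `allowedUDPPorts` (and `networking.firewall.extraInputRules` for the saddr-scoped ones), leaving only the `nft -f` of the sops secret in this unit. `ConditionPathExists` and `PathExists` both list `config.sops.secrets."nftables/forward".path`, but the script only loads `nftables/ssh` and this hunk declares only `"nftables/ssh" = {}`; either apply the forward file as well or drop it from both lists, and confirm `nftables/forward` is declared elsewhere in `sops.secrets` or evaluation will fail.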
@@ -1,58 +1,124 @@ { - services.clamav.updater.enable = true; + security.acme = { + acceptTerms = true; + defaults.email = "nipsy@bitgnome.net"; + }; - services.jellyfin.enable = true; + services = { + clamav.updater.enable = true; - services.smartd = let my_email_addr = "nipsy@bitgnome.net"; in { - enable = true; - devices = [ - { - device = "/dev/disk/by-id/nvme-WD_BLACK_SN850X_4000GB_23162P800005"; - options = "-a -o on -S on -m ${my_email_addr}"; - } - { - device = "/dev/disk/by-id/nvme-WD_BLACK_SN850X_4000GB_23162P800014"; - options = "-a -o on -S on -m ${my_email_addr}"; - } - { - device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUEZNL"; - options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; - } - { - device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUUSXL"; - options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; - } - { - device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV0H5L"; - options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; - } - { - device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUK5EL"; - options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; - } - { - device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV5JEL"; - options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; - } - { - device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUZ42L"; - options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; - } - { - device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV3BSL"; - options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; - } - { - device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV338L"; - options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; - } - ]; - }; + iperf3.openFirewall = true; + + jellyfin.enable = true; + + nginx = { + enable = true; + + # Use recommended settings + recommendedGzipSettings = true; + 
recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + # Only allow PFS-enabled ciphers with AES256 + sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + + virtualHosts = { + "arrakis.bitgnome.net" = { + enableACME = true; + forceSSL = true; + locations = { + "/" = { + extraConfig = '' + default_type text/html; + ''; + return = "200 '<html><body>Hot damn, it works!</body></html>'"; + }; + "/jellyfin" = { + return = "302 $scheme://$host/jellyfin/"; + }; + "/jellyfin/" = { + extraConfig = '' + proxy_pass_request_headers on; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $http_connection; + proxy_buffering off; + + # CORS setup + add_header 'Access-Control-Allow-Origin' '*' always; + add_header 'Access-Control-Expose-Headers' 'Content-Length'; + + # Allow CORS preflight requests + if ($request_method = 'OPTIONS') { + add_header 'Access-Control-Allow-Origin' '*'; + add_header 'Access-Control-Max-Age' 1728000; + add_header 'Content-Type' 'text/plain charset=UTF-8'; + add_header 'Content-Length' 0; + return 204; + } + ''; + proxyPass = "http://192.168.1.2:8096/jellyfin/"; + + }; + }; + }; + }; + }; + + smartd = let my_email_addr = "nipsy@bitgnome.net"; in { + enable = true; + devices = [ + { + device = "/dev/disk/by-id/nvme-WD_BLACK_SN850X_4000GB_23162P800005"; + options = "-a -o on -S on -m ${my_email_addr}"; + } + { + device = "/dev/disk/by-id/nvme-WD_BLACK_SN850X_4000GB_23162P800014"; + options = "-a -o on -S on -m ${my_email_addr}"; + } + { + device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUEZNL"; + options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; + } + { + device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUUSXL"; + options = "-a 
-o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; + } + { + device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV0H5L"; + options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; + } + { + device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUK5EL"; + options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; + } + { + device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV5JEL"; + options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; + } + { + device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUZ42L"; + options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; + } + { + device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV3BSL"; + options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; + } + { + device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV338L"; + options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; + } + ]; + }; - services.samba = { - enable = true; - settings = - { + samba = { + enable = true; + settings = { global = { "invalid users" = [ "root" @@ -77,5 +143,6 @@ "wide links" = "yes"; }; }; + }; }; } |
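Review bot: The `/jellyfin/` location emits `Access-Control-Allow-Origin '*' always` (and again inside the OPTIONS branch) on a reverse proxy for an authenticated application; since the web client is served from the same origin through this vhost, the wildcard CORS block is not needed and should be removed or pinned to `https://arrakis.bitgnome.net`. Note that an `add_header` at location (or `if`) level replaces rather than extends any `add_header` inherited from the server or http level, so headers configured elsewhere for this vhost will not be emitted from `/jellyfin/`. The `proxy_set_header Host`, `X-Forwarded-For` and `X-Forwarded-Proto` lines duplicate what `recommendedProxySettings = true` already injects and can be dropped. `proxyPass` targets `http://192.168.1.2:8096/jellyfin/` in plaintext; if that address is this host, `http://127.0.0.1:8096/jellyfin/` keeps the hop on loopback and stops the vhost breaking when the LAN address changes. The `services` attrset opened in this hunk is closed in the following hunk.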