aboutsummaryrefslogtreecommitdiffstats
path: root/hosts/arrakis
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--hosts/arrakis/default.nix60
-rw-r--r--hosts/arrakis/services.nix169
2 files changed, 158 insertions, 71 deletions
diff --git a/hosts/arrakis/default.nix b/hosts/arrakis/default.nix
index cb74fd9..073f2a0 100644
--- a/hosts/arrakis/default.nix
+++ b/hosts/arrakis/default.nix
@@ -82,30 +82,50 @@
defaultSopsFile = ../secrets/arrakis.yaml;
secrets = {
+ "nftables/ssh" = {};
"wpa_supplicant" = {};
};
};
system.stateVersion = "23.11";
- #systemd.services."nftables-extra" = {
- # description = "nftables extra firewall rules";
- # script = ''
- # ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
- # '';
- # serviceConfig = {
- # RemainAfterExit = true;
- # Type = "oneshot";
- # };
- # unitConfig = {
- # ConditionPathExists = config.sops.secrets."nftables/ssh".path;
- # };
- # wantedBy = [ "multi-user.target" ];
- #};
- #systemd.paths."nftables-extra" = {
- # pathConfig = {
- # PathExists = config.sops.secrets."nftables/ssh".path;
- # };
- # wantedBy = [ "multi-user.target" ];
- #};
+ systemd.services."nftables-extra" = {
+ description = "nftables extra firewall rules";
+ script = ''
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { http, https } counter accept # 80, 443'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { netbios-ns, netbios-dgm } counter accept # 137, 138'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { netbios-ssn, microsoft-ds } counter accept # 139, 445'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport 2049 counter accept'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { 2456, 2457 } counter accept # Valheim dedicated server'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 5121 counter accept # Neverwinter Nights Server'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { 7878, 8080, 8686, 8787, 8989 } counter accept # Radarr, Sabnzb, Lidarr, Sonarr, Readarr'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 15637 counter accept # Enshrouded'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 udp dport { 27031, 27036 } counter accept # Steam Remote Play'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 tcp dport { 27036, 27037 } counter accept # Steam Remote Play'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 51820 counter accept # WireGuard'
+ ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
+ '';
+ serviceConfig = {
+ RemainAfterExit = true;
+ Type = "oneshot";
+ };
+ unitConfig = {
+ ConditionPathExists = [
+ config.sops.secrets."nftables/forward".path
+ config.sops.secrets."nftables/ssh".path
+ ];
+ };
+ wantedBy = [ "multi-user.target" ];
+ after = [ "nftables.service" ];
+ partOf = [ "nftables.service" ];
+ };
+ systemd.paths."nftables-extra" = {
+ pathConfig = {
+ PathExists = [
+ config.sops.secrets."nftables/forward".path
+ config.sops.secrets."nftables/ssh".path
+ ];
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
}
diff --git a/hosts/arrakis/services.nix b/hosts/arrakis/services.nix
index 2e0f7d8..25d4ddb 100644
--- a/hosts/arrakis/services.nix
+++ b/hosts/arrakis/services.nix
@@ -1,58 +1,124 @@
{
- services.clamav.updater.enable = true;
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "nipsy@bitgnome.net";
+ };
- services.jellyfin.enable = true;
+ services = {
+ clamav.updater.enable = true;
- services.smartd = let my_email_addr = "nipsy@bitgnome.net"; in {
- enable = true;
- devices = [
- {
- device = "/dev/disk/by-id/nvme-WD_BLACK_SN850X_4000GB_23162P800005";
- options = "-a -o on -S on -m ${my_email_addr}";
- }
- {
- device = "/dev/disk/by-id/nvme-WD_BLACK_SN850X_4000GB_23162P800014";
- options = "-a -o on -S on -m ${my_email_addr}";
- }
- {
- device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUEZNL";
- options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
- }
- {
- device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUUSXL";
- options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
- }
- {
- device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV0H5L";
- options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
- }
- {
- device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUK5EL";
- options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
- }
- {
- device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV5JEL";
- options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
- }
- {
- device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUZ42L";
- options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
- }
- {
- device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV3BSL";
- options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
- }
- {
- device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV338L";
- options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
- }
- ];
- };
+ iperf3.openFirewall = true;
+
+ jellyfin.enable = true;
+
+ nginx = {
+ enable = true;
+
+ # Use recommended settings
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ # Only allow PFS-enabled ciphers with AES256
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+ virtualHosts = {
+ "arrakis.bitgnome.net" = {
+ enableACME = true;
+ forceSSL = true;
+ locations = {
+ "/" = {
+ extraConfig = ''
+ default_type text/html;
+ '';
+ return = "200 '<html><body>Hot damn, it works!</body></html>'";
+ };
+ "/jellyfin" = {
+ return = "302 $scheme://$host/jellyfin/";
+ };
+ "/jellyfin/" = {
+ extraConfig = ''
+ proxy_pass_request_headers on;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $http_connection;
+ proxy_buffering off;
+
+ # CORS setup
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Expose-Headers' 'Content-Length';
+
+ # Allow CORS preflight requests
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'text/plain charset=UTF-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+ '';
+ proxyPass = "http://192.168.1.2:8096/jellyfin/";
+
+ };
+ };
+ };
+ };
+ };
+
+ smartd = let my_email_addr = "nipsy@bitgnome.net"; in {
+ enable = true;
+ devices = [
+ {
+ device = "/dev/disk/by-id/nvme-WD_BLACK_SN850X_4000GB_23162P800005";
+ options = "-a -o on -S on -m ${my_email_addr}";
+ }
+ {
+ device = "/dev/disk/by-id/nvme-WD_BLACK_SN850X_4000GB_23162P800014";
+ options = "-a -o on -S on -m ${my_email_addr}";
+ }
+ {
+ device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUEZNL";
+ options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
+ }
+ {
+ device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUUSXL";
+ options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
+ }
+ {
+ device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV0H5L";
+ options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
+ }
+ {
+ device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUK5EL";
+ options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
+ }
+ {
+ device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV5JEL";
+ options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
+ }
+ {
+ device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUZ42L";
+ options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
+ }
+ {
+ device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV3BSL";
+ options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
+ }
+ {
+ device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV338L";
+ options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}";
+ }
+ ];
+ };
- services.samba = {
- enable = true;
- settings =
- {
+ samba = {
+ enable = true;
+ settings = {
global = {
"invalid users" = [
"root"
@@ -77,5 +143,6 @@
"wide links" = "yes";
};
};
+ };
};
}