From 07fcde7c34109d94a685b5e657ce24490a708529 Mon Sep 17 00:00:00 2001 From: Mark Nipper Date: Sun, 13 Oct 2024 00:22:04 -0700 Subject: Add nginx and nftables rules to support Jellyfin --- hosts/arrakis/default.nix | 60 ++++++++++------ hosts/arrakis/services.nix | 169 +++++++++++++++++++++++++++++++-------------- hosts/secrets/arrakis.yaml | 6 +- 3 files changed, 162 insertions(+), 73 deletions(-) diff --git a/hosts/arrakis/default.nix b/hosts/arrakis/default.nix index cb74fd9..073f2a0 100644 --- a/hosts/arrakis/default.nix +++ b/hosts/arrakis/default.nix @@ -82,30 +82,50 @@ defaultSopsFile = ../secrets/arrakis.yaml; secrets = { + "nftables/ssh" = {}; "wpa_supplicant" = {}; }; }; system.stateVersion = "23.11"; - #systemd.services."nftables-extra" = { - # description = "nftables extra firewall rules"; - # script = '' - # ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path} - # ''; - # serviceConfig = { - # RemainAfterExit = true; - # Type = "oneshot"; - # }; - # unitConfig = { - # ConditionPathExists = config.sops.secrets."nftables/ssh".path; - # }; - # wantedBy = [ "multi-user.target" ]; - #}; - #systemd.paths."nftables-extra" = { - # pathConfig = { - # PathExists = config.sops.secrets."nftables/ssh".path; - # }; - # wantedBy = [ "multi-user.target" ]; - #}; + systemd.services."nftables-extra" = { + description = "nftables extra firewall rules"; + script = '' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { http, https } counter accept # 80, 443' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { netbios-ns, netbios-dgm } counter accept # 137, 138' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { netbios-ssn, microsoft-ds } counter accept # 139, 445' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport 2049 counter accept' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { 2456, 2457 } counter accept # Valheim dedicated server' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 5121 counter accept # Neverwinter Nights Server' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { 7878, 8080, 8686, 8787, 8989 } counter accept # Radarr, Sabnzb, Lidarr, Sonarr, Readarr' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 15637 counter accept # Enshrouded' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 udp dport { 27031, 27036 } counter accept # Steam Remote Play' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 tcp dport { 27036, 27037 } counter accept # Steam Remote Play' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 51820 counter accept # WireGuard' + ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path} + ''; + serviceConfig = { + RemainAfterExit = true; + Type = "oneshot"; + }; + unitConfig = { + ConditionPathExists = [ + config.sops.secrets."nftables/forward".path + config.sops.secrets."nftables/ssh".path + ]; + }; + wantedBy = [ "multi-user.target" ]; + after = [ "nftables.service" ]; + partOf = [ "nftables.service" ]; + }; + systemd.paths."nftables-extra" = { + pathConfig = { + PathExists = [ + config.sops.secrets."nftables/forward".path + config.sops.secrets."nftables/ssh".path + ]; + }; + wantedBy = [ "multi-user.target" ]; + }; } diff --git a/hosts/arrakis/services.nix b/hosts/arrakis/services.nix index 2e0f7d8..25d4ddb 100644 --- a/hosts/arrakis/services.nix +++ b/hosts/arrakis/services.nix @@ -1,58 +1,124 @@ { - services.clamav.updater.enable = true; + security.acme = { + acceptTerms = true; + defaults.email = "nipsy@bitgnome.net"; + }; - services.jellyfin.enable = true; + services = { + clamav.updater.enable = true; - services.smartd = let my_email_addr = "nipsy@bitgnome.net"; in { - enable = true; - devices = [ - { - device = "/dev/disk/by-id/nvme-WD_BLACK_SN850X_4000GB_23162P800005"; - options = "-a -o on -S on -m ${my_email_addr}"; - } - { - device = "/dev/disk/by-id/nvme-WD_BLACK_SN850X_4000GB_23162P800014"; - options = "-a -o on -S on -m ${my_email_addr}"; - } - { - device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUEZNL"; - options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; - } - { - device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUUSXL"; - options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; - } - { - device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV0H5L"; - options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; - } - { - device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUK5EL"; - options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; - } - { - device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV5JEL"; - options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; - } - { - device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUZ42L"; - options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; - } - { - device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV3BSL"; - options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; - } - { - device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV338L"; - options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; - } - ]; - }; + iperf3.openFirewall = true; + + jellyfin.enable = true; + + nginx = { + enable = true; + + # Use recommended settings + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + # Only allow PFS-enabled ciphers with AES256 + sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + + virtualHosts = { + "arrakis.bitgnome.net" = { + enableACME = true; + forceSSL = true; + locations = { + "/" = { + extraConfig = '' + default_type text/html; + ''; + return = "200 'Hot damn, it works!'"; + }; + "/jellyfin" = { + return = "302 $scheme://$host/jellyfin/"; + }; + "/jellyfin/" = { + extraConfig = '' + proxy_pass_request_headers on; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $http_connection; + proxy_buffering off; + + # CORS setup + add_header 'Access-Control-Allow-Origin' '*' always; + add_header 'Access-Control-Expose-Headers' 'Content-Length'; + + # Allow CORS preflight requests + if ($request_method = 'OPTIONS') { + add_header 'Access-Control-Allow-Origin' '*'; + add_header 'Access-Control-Max-Age' 1728000; + add_header 'Content-Type' 'text/plain charset=UTF-8'; + add_header 'Content-Length' 0; + return 204; + } + ''; + proxyPass = "http://192.168.1.2:8096/jellyfin/"; + + }; + }; + }; + }; + }; + + smartd = let my_email_addr = "nipsy@bitgnome.net"; in { + enable = true; + devices = [ + { + device = "/dev/disk/by-id/nvme-WD_BLACK_SN850X_4000GB_23162P800005"; + options = "-a -o on -S on -m ${my_email_addr}"; + } + { + device = "/dev/disk/by-id/nvme-WD_BLACK_SN850X_4000GB_23162P800014"; + options = "-a -o on -S on -m ${my_email_addr}"; + } + { + device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUEZNL"; + options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; + } + { + device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUUSXL"; + options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; + } + { + device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV0H5L"; + options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; + } + { + device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUK5EL"; + options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; + } + { + device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV5JEL"; + options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; + } + { + device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHUZ42L"; + options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; + } + { + device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV3BSL"; + options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; + } + { + device = "/dev/disk/by-id/ata-WDC_WD80EFAX-68KNBN0_VAHV338L"; + options = "-a -o on -S on -s (S/../.././02|L/../../5/03) -m ${my_email_addr}"; + } + ]; + }; - services.samba = { - enable = true; - settings = - { + samba = { + enable = true; + settings = { global = { "invalid users" = [ "root" @@ -77,5 +143,6 @@ "wide links" = "yes"; }; }; + }; }; } diff --git a/hosts/secrets/arrakis.yaml b/hosts/secrets/arrakis.yaml index 54b24f5..54fb561 100644 --- a/hosts/secrets/arrakis.yaml +++ b/hosts/secrets/arrakis.yaml @@ -1,3 +1,5 @@ +nftables: + ssh: ENC[AES256_GCM,data:7XB18w9GPsqxT3MOjfxOyYIjgDZoPzWhKTJIGkhcRGXpf68OekCA0Jv3v5g81pxYNHQz5ky1//T5eEEhskBNT1dalScYXMm90CUOlYKHF975SW46p9ht357vUHngxnu4/Dh36Zmn7u4CMxUIeYsVXXVqujCFH+Ypuy7702hwyNJWa/u5Ik8rlsMMtO8aO+31xMf8MaCGVghDzXqXWaV9FJuuH69TJW0tW1Td2QD9yaMkH1kVSRXYi34Zbgcmf6MzGtWkytexjLqejegFUZ/7D6vQrGQIwYkTmtBvqlf0UUOKkZzXRp9e0ScWNnGJKbQSMes1ablDzwcuTzF6HS04Aykf0/CN8k71PxojWdd8HJEEKp1rL2CFW8LB/7CY8MD5zP4JcUilNiyzaFFQU93BRPg+7T6Dhk+qNIYCRaG/xLxzi4SxVSfMhI++/JwhOFatk9hOs3z8d4JgvMgTN0gKZJftt17CJMlAq3iDNvQC8aiIVaGHKoCSDUBBGS4zI75b8AcWRcSUNTixWnCx89KBBzQYTy4h3ZO0n6SsQvKyKdPWcVpnQtRqcToEJcCwvdwZXW3RfuRutmJb19yxIIagKEqWVYvgxIEZ19aV6HLJwUEnP761VsnskTVXbdPIctl4H5Mdg++K919ZVNZ56I0sE3c4TKukVsT+bn84ymoF/BUO+yvszptiCtpoJMLM/MPBbDT+3HB/rdi3gZKi1/MS3uj9cDTQJa6HeXd0PxxRXrBZnMJouUhMdrfVeUdLRpzZbVEcL7BYy3IBWAT5UUsJ+UrkOgK9nySe0NQ27gxSpooOIaxg8QRH0KB5p6hn2cwIHXT6GqbWdxE9T0G3hQmAvab7xpPA0oDRW4jb236vzBvBt7dWlw3QxRZXClaa2f1tYY7e499xQ+KqgC/zaBHJy74dStbc+aVQQwUyy8PqQ3OkaKL4uAsJHbjNmomTtt4OLwWfJvPY1QprfrbyXpFF5hNupi7aiItluKVpTvw+Sou7N1gmcNsbYunVJC6MMN7TGw+YL9kQ6h+5hDnyOt3sa31mZpIU95+PV6vpdxxkT1NC/HskJDPfcnoYnVj7PuyaRij2yRdmL+o6bN1NhEGl6dDuGy3gW5wos03bb9voMlhStuxrvRjUr/db3U1Z1O5winpWyRsDxkZR2EA4MweNbkWSS3FrZkuY1pYJd2RClrUIfuviB9gBXwntkaD06NJlXYlHr989cWuqrxIJ+tjHwThwozQ8knYs+Aa8bIFiw6BoBeOxl2d4QHml+4LmuWxaRSx4RLprgXCvJewqClbxk+4oyW5NqXxtXIHCQawCW+Z8my9j1hfNgM6Ct4L3hH0IRE2wZML3URRlkPI/FpvjitR0IauPl090mQa/kSfAjd0pcdJy37garUh9xIxkwmoyF6i2lmb3KSrK9G0rYmVMYIM2BVFTICr7yEguX/azw8uSLNdjENZ0D8bLvFhjoYrBf2WryqPrvtwh8nH2Q6XBGvPMgO2Aj9x0UgxVoHFrFi1qsoKqJpDrrIGGqYMKDS+m3VorQ3DAoCOMS6A739rOzjxFvi6ZtA03v1W4bDtldmydiMYpBEIA+ZVw0+1NwsSq+vEEIuyhiA05ev8KrexFyixmMvmqS2iGoJ/0MqpYPDnXwbQS66HY+ipn3Ds0RyZdH1cQEgi89p77nb6tjMLBRdsvkoVGwXQqVsmbMbtDsBX8wyzc5GMjG5oY5nO0FQcnudQuA3BBHWFL4Q+eaPGDx27s9sQxKBRaPfMgBBMV63/nmAcSYaqN8S4lVHWrpZvUCxehZ+5rx5tmI0625JODfN0GWK/ef0XRGNBW1I1KZAw3XmhAo+a0jaWTMaQz++JuV0MpVD8/xViOMBQdNHlBoWyUb9ArdkF2gzjOsWW1zeAFT+KPVPFXu/fQ1ZTN4aUnomC2uLpfKBYkQp1qkXx+BNAWFfzEmv6BJbtJaT432S7KnRJTCyQVyATlnMI1hOgkZO+y1OTXguhy4OBbxjmkib3OpUt0yLGI4cb1s8JtA1T4ZDlK6u70+rE1AlYtRAc3OotAhbOv9Uo071Pr8CA6eCzAt4Y/gGcss/AJ7LB0rG4OCXw/N+ic5N9n0YGn3Zp2XRqheLVWrgZiuN7gj+rORS3EpLUb6JnkanXWM5dAY/gWbRd8+iF7cCRCtnkaARp9Uch77SntUdllX+AGIMnRtcAU1cYkEBzKsDLF0PPZQzPXE4z5cRH7rnDSTLixATHS70vwGkBOe7NukiXBVzK7GBCXP1nzJevb7BeeUg9rDcsCxyejoc7YA8+pczMNxl4wjx3H2/x+JhMWrYcZQdhi8Vzaeoz0ulW8xZ6tO4JhLPA/Cb66B0tq9Za6f+uaJOIfqnl0xem6Rif2qUiKkSAZ4rN/2j8pRj9BMXCvKSttvG6hTTaprCe9Jn9rGi84rnIwZmN98C9KyHaTeKPC2NC4ooCsxOZtpeCCXNfFhqDVGL15NhwCravL/8pKf9bFhKW8DOkZRPy7jWtCCfIu0kkuZUkBLfT1lQ6eXKB6P6sC04IgBPV8Euw3woPOgGkJXCfLnxLljgvn70P3VQ==,iv:OnEBPu/havLABMuANjiKMEmhPX2tk/PlyDY0FwvQnsI=,tag:Qny6XbCXMhAr1AjZjr0ucw==,type:str] wpa_supplicant: ENC[AES256_GCM,data:HHs6g3qaaeinVGgteExQvhE0CEC94WjJ0tV7pyI=,iv:6F+DYHieaWWo+V1F9yjwWT7PcdiIpH48nv1SUrFHePk=,tag:cpimCP+YNmCI+t+wpuXwHg==,type:str] sops: kms: [] @@ -23,8 +25,8 @@ sops: ejRLb2Vkd1B3QmxLSE1wUzgrazZJT0UKz1IQxYm7hagYtBsWTpk+f6/79ArRUgNL MfhHMQAwuuXjBSmuFolyU3UoWnDYK6uGAv5nlTJxESqj5eQBafItSw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-13T00:57:02Z" - mac: ENC[AES256_GCM,data:5TPECBIcH0HaWiidl8SKYo7ztWowRmCHKWLWS/fGY0DCf60wVMe6U+ybyWguBhHyCjchS0lpOW73Yy+VRYgUZ6amtKdM5w/iD9OEwdW6QoFbveU88Dx+pgp4OLjYHI4nJeWAs1XkGUttEd9imd57UgAn5mlnQjozhHkKD2Xjz4I=,iv:iwAVxJ92lqT6zexMRDUs4BaonuIQbDjZyRy5Fm0/E0Y=,tag:T8tUILp8u/7j5zcSFlVpYg==,type:str] + lastmodified: "2024-10-13T06:55:41Z" + mac: ENC[AES256_GCM,data:71ifeYVwz7jt6Cv19MS2g9VYmQVhygEVAW5xLdblTAofUcNQsEO3JOJyhqICJqdU1nmy1/BlD0pM8hgyqLu96fL24b5N9uZb7S0B2hStlP7TOCot6UoX4Hmb5n2CRiKBgvdtDz86T4EOLfNXBPxSKr1W+mluSYtMJa+aNl0PXqA=,iv:EvwQkyyKybKDo1kMuzFb5FNs6ffoh9qnA3iiXLLyXMo=,tag:AmfdT6lxvbub3PvPKCAwsA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.1 -- cgit v1.2.3