From 1df80e29d2110ef344a7af3499930d7ec12c615d Mon Sep 17 00:00:00 2001
From: Mark Nipper
Date: Mon, 11 Nov 2024 00:59:35 -0800
Subject: Add netboot image directly @arrakis
---
hosts/arrakis/services.nix | 173 ++++++++++++++++++++++++++++-----------------
1 file changed, 108 insertions(+), 65 deletions(-)
(limited to 'hosts/arrakis/services.nix')
diff --git a/hosts/arrakis/services.nix b/hosts/arrakis/services.nix
index 9a0f4b8..f4a5a33 100644
--- a/hosts/arrakis/services.nix
+++ b/hosts/arrakis/services.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }: {
+{ config, inputs, lib, pkgs, ... }: {
 environment.etc."gitconfig".text = ''
 [safe]
@@ -84,81 +84,124 @@
 };
 };
- nginx = {
- appendHttpConfig = ''
- geo $geo {
- default 0;
- 127.0.0.1 1;
- ::1 1;
- 192.168.1.0/24 1;
- }
- '';
- enable = true;
+ let
- # Use recommended settings
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- #recommendedProxySettings = true;
- recommendedTlsSettings = true;
+ sys = inputs.nixos.lib.nixosSystem {
+ system = "x86_64-linux";
- # Only allow PFS-enabled ciphers with AES256
- sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+ modules = [
+ ({ config, pkgs, lib, modulesPath, ... }: {
+ imports = [ (modulesPath + "/installer/netboot/netboot-minimal.nix") ];
- virtualHosts = {
- "arrakis.bitgnome.net" = {
- addSSL = true;
- enableACME = true;
- extraConfig = ''
- if ($geo = 0) {
- return 301 https://$host$request_uri;
- }
- '';
- locations = {
- "/" = {
- tryFiles = "$uri $uri/ =404";
- };
- "/jellyfin" = {
- return = "302 $scheme://$host/jellyfin/";
+ config = {
+ services.openssh = {
+ enable = true;
+ openFirewall = true;
+
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ };
+ };
+
+ users.users = {
+ nixos.openssh.authorizedKeys.keys = [ (builtins.readFile ../common/users/nipsy/keys/id_arrakis.pub) ];
+ root.openssh.authorizedKeys.keys = [ (builtins.readFile ../common/users/nipsy/keys/id_arrakis.pub) ];
+ };
 };
- "/jellyfin/" = {
- extraConfig = ''
- proxy_pass_request_headers on;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Host $http_host;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $http_connection;
- proxy_buffering off;
+ })
+ ];
+ };
- # CORS setup
- add_header 'Access-Control-Allow-Origin' '*' always;
- add_header 'Access-Control-Expose-Headers' 'Content-Length';
+ build = sys.config.system.build;
- # Allow CORS preflight requests
- if ($request_method = 'OPTIONS') {
- add_header 'Access-Control-Allow-Origin' '*';
- add_header 'Access-Control-Max-Age' 1728000;
- add_header 'Content-Type' 'text/plain charset=UTF-8';
- add_header 'Content-Length' 0;
- return 204;
- }
- '';
- proxyPass = "http://192.168.1.2:8096/jellyfin/";
+ in {
+ nginx = {
+ appendHttpConfig = ''
+ geo $geo {
+ default 0;
+ 127.0.0.1 1;
+ ::1 1;
+ 192.168.1.0/24 1;
+ }
+ '';
+ enable = true;
+
+ # Use recommended settings
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ #recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ # Only allow PFS-enabled ciphers with AES256
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+ virtualHosts = {
+ "arrakis.bitgnome.net" = {
+ addSSL = true;
+ enableACME = true;
+ extraConfig = ''
+ if ($geo = 0) {
+ return 301 https://$host$request_uri;
+ }
+ '';
+ locations = {
+ "= /boot/bzImage" = {
+ alias = "${build.kernel}/bzImage";
+ };
+ "= /boot/initrd" = {
+ alias = "${build.netbootRamdisk}/initrd";
+ };
+ "= /boot/netboot.ipxe" = {
+ alias = "${build.netbootIpxeScript}/netboot.ipxe";
+ };
+ "/" = {
+ tryFiles = "$uri $uri/ =404";
+ };
+ "/jellyfin" = {
+ return = "302 $scheme://$host/jellyfin/";
+ };
+ "/jellyfin/" = {
+ extraConfig = ''
+ proxy_pass_request_headers on;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $http_connection;
+ proxy_buffering off;
+
+ # CORS setup
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Expose-Headers' 'Content-Length';
+
+ # Allow CORS preflight requests
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'text/plain charset=UTF-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+ '';
+ proxyPass = "http://192.168.1.2:8096/jellyfin/";
+
+ };
+ "/nipsy" = {
+ extraConfig = ''
+ autoindex on;
+ '';
+ tryFiles = "$uri $uri/ =404";
+ };
 };
- "/nipsy" = {
- extraConfig = ''
- autoindex on;
- '';
- tryFiles = "$uri $uri/ =404";
- };
+ root = "/var/www";
 };
- root = "/var/www";
 };
 };
- };
+ }
 postfix = let my_email = "nipsy@bitgnome.net"; in {
 enable = true;
-- 
cgit v1.2.3
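Review bot: The new `let … in { nginx = { … }; }` sits as a bare expression between the two closing `};` context lines at the top of the hunk and the `postfix = …` binding that follows the final `+ }`; a Nix attribute-set body only accepts `name = value;` bindings, so as far as the hunk shows this will not parse (the enclosing set's header and footer are outside the hunk, so this is an inference unless that set is built some other way). Keeping the `let` inside the binding avoids it: replace `+ let` with `nginx = let`, drop the inner `+ nginx = {` line and the final `+ }`, and let the existing context `};` close the binding. Separately, the three `= /boot/…` locations serve the generated kernel, initrd and iPXE script under the public `arrakis.bitgnome.net` vhost with no access control beyond the HTTPS redirect, while only LAN hosts need to boot from them; gating each location on the already-defined `$geo` map (`if ($geo = 0) { return 403; }` in its `extraConfig`) would keep the image, which presumably embeds this installer configuration and the authorized keys, from being fetched by arbitrary Internet clients.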