path: root/lass/1systems/prism/config.nix
Diffstat (limited to 'lass/1systems/prism/config.nix')
-rw-r--r--lass/1systems/prism/config.nix157
1 files changed, 17 insertions, 140 deletions
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index 1faa23ec..990dac09 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -3,12 +3,13 @@ with import <stockholm/lib>;
{
imports = [
+ ./backup.nix
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/libvirt.nix>
<stockholm/lass/2configs/tv.nix>
<stockholm/lass/2configs/websites/lassulus.nix>
- <stockholm/lass/2configs/telegraf.nix>
+ <stockholm/lass/2configs/monitoring/telegraf.nix>
{
services.nginx.enable = true;
imports = [
@@ -80,24 +81,6 @@ with import <stockholm/lib>;
};
}
{
- #hotdog
- systemd.services."container@hotdog".reloadIfChanged = mkForce false;
- containers.hotdog = {
- config = { ... }: {
- environment.systemPackages = [ pkgs.git ];
- services.openssh.enable = true;
- users.users.root.openssh.authorizedKeys.keys = [
- config.krebs.users.lass.pubkey
- ];
- };
- autoStart = false;
- enableTun = true;
- privateNetwork = true;
- hostAddress = "10.233.2.1";
- localAddress = "10.233.2.2";
- };
- }
- {
services.nginx.virtualHosts."radio.lassul.us" = {
enableACME = true;
addSSL = true;
@@ -159,40 +142,6 @@ with import <stockholm/lib>;
};
}
{
- users.users.jeschli = {
- uid = genid_uint31 "jeschli";
- isNormalUser = true;
- openssh.authorizedKeys.keys = with config.krebs.users; [
- jeschli.pubkey
- jeschli-bln.pubkey
- jeschli-bolide.pubkey
- jeschli-brauerei.pubkey
- ];
- };
- krebs.git.rules = [
- {
- user = with config.krebs.users; [
- jeschli
- jeschli-bln
- jeschli-bolide
- jeschli-brauerei
- ];
- repo = [ config.krebs.git.repos.xmonad-stockholm ];
- perm = with git; push "refs/heads/jeschli*" [ fast-forward non-fast-forward create delete merge ];
- }
- {
- user = with config.krebs.users; [
- jeschli
- jeschli-bln
- jeschli-bolide
- jeschli-brauerei
- ];
- repo = [ config.krebs.git.repos.stockholm ];
- perm = with git; push "refs/heads/staging/jeschli*" [ fast-forward non-fast-forward create delete merge ];
- }
- ];
- }
- {
krebs.repo-sync.repos.stockholm.timerConfig = {
OnBootSec = "5min";
OnUnitInactiveSec = "2min";
@@ -201,43 +150,8 @@ with import <stockholm/lib>;
}
<stockholm/lass/2configs/minecraft.nix>
<stockholm/lass/2configs/codimd.nix>
- <stockholm/lass/2configs/searx.nix>
- {
- services.taskserver = {
- enable = true;
- fqdn = "lassul.us";
- listenHost = "::";
- listenPort = 53589;
- organisations.lass.users = [ "lass" "android" ];
- };
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p tcp --dport 53589"; target = "ACCEPT"; }
- ];
- }
<stockholm/lass/2configs/go.nix>
{
- environment.systemPackages = [ pkgs.cryptsetup ];
- systemd.services."container@red".reloadIfChanged = mkForce false;
- containers.red = {
- config = { ... }: {
- environment.systemPackages = [ pkgs.git ];
- services.openssh.enable = true;
- users.users.root.openssh.authorizedKeys.keys = [
- config.krebs.users.lass.pubkey
- ];
- };
- autoStart = false;
- enableTun = true;
- privateNetwork = true;
- hostAddress = "10.233.2.3";
- localAddress = "10.233.2.4";
- };
- }
- {
- users.users.download.openssh.authorizedKeys.keys = [
- ];
- }
- {
lass.nichtparasoup.enable = true;
services.nginx = {
enable = true;
@@ -255,7 +169,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/wiregrill.nix>
];
krebs.iptables.tables.nat.PREROUTING.rules = mkOrder 999 [
- { v6 = false; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-s 10.244.0.0/16"; target = "ACCEPT"; }
{ v4 = false; predicate = "-s 42:1::/32"; target = "ACCEPT"; }
];
krebs.iptables.tables.filter.FORWARD.rules = mkBefore [
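Review bot: The widened literal `10.244.0.0/16` on the PREROUTING ACCEPT line now has to be kept in step with the same value in the POSTROUTING MASQUERADE rule and in samba's `hosts allow` further down this commit, and nothing in the file records why the wiregrill range grew from a /24 to the whole /16. Since the rule exempts every source in that range from the NAT PREROUTING chain, a short comment above the `mkOrder 999 [` line would help the next reader: `# wiregrill overlay is 10.244.0.0/16; keep in sync with POSTROUTING and the samba hosts allow`. If the file is later wrapped in a `let`, a single `wiregrillNet = "10.244.0.0/16";` binding interpolated into all three rules would remove the duplication. The FORWARD rule list opened on the last line continues outside this hunk.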
@@ -264,16 +178,16 @@ with import <stockholm/lib>;
];
krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v4 = false; predicate = "-s 42:1::/32 ! -d 42:1::/48"; target = "MASQUERADE"; }
- { v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; }
+ { v6 = false; predicate = "-s 10.244.0.0/16 ! -d 10.244.0.0/16"; target = "MASQUERADE"; }
];
services.dnsmasq = {
enable = true;
resolveLocalQueries = false;
extraConfig= ''
- listen-address=42:1:ce16::1,10.244.1.103
- except-interface=lo
+ bind-interfaces
interface=wiregrill
+ interface=retiolum
'';
};
}
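Review bot: The new dnsmasq `extraConfig` pairs `bind-interfaces` with `interface=wiregrill` and `interface=retiolum`, and per dnsmasq's documentation a named interface that does not exist when the daemon starts is a fatal error; both are overlay interfaces that may come up after dnsmasq, so `bind-dynamic` is the safer choice if start ordering is not otherwise guaranteed. Dropping `except-interface=lo` also changes the listen set, since dnsmasq adds the loopback interface whenever `interface=` is used, so the daemon now answers on lo even though `resolveLocalQueries = false` means the host itself does not use it; if that is unintended, keep `except-interface=lo` alongside the two `interface=` lines. A one-line comment such as `# serve DNS only to the wiregrill and retiolum overlays` above `extraConfig` would record the intent. One context line of this hunk appears to have been lost in rendering, so the exact surrounding layout is uncertain.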
@@ -285,33 +199,15 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/services/coms/murmur.nix>
<stockholm/lass/2configs/docker.nix>
{
- systemd.services."container@yellow".reloadIfChanged = mkForce false;
- containers.yellow = {
- config = { ... }: {
- environment.systemPackages = [ pkgs.git ];
- services.openssh.enable = true;
- users.users.root.openssh.authorizedKeys.keys = [
- config.krebs.users.lass.pubkey
- ];
- };
- autoStart = false;
- enableTun = true;
- privateNetwork = true;
- hostAddress = "10.233.2.13";
- localAddress = "10.233.2.14";
- };
- services.nginx.virtualHosts."jelly.r" = {
- locations."/".extraConfig = ''
- proxy_pass http://10.233.2.14:8096/;
- proxy_set_header Accept-Encoding "";
- '';
- };
- services.nginx.virtualHosts."flix.r" = {
- locations."/".extraConfig = ''
- proxy_pass http://10.233.2.14:80/;
- proxy_set_header Accept-Encoding "";
- '';
+ services.nginx.virtualHosts."flix.lassul.us" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://yellow.r:8096";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ };
};
services.nginx.virtualHosts."lassul.us" = {
locations."^~ /flix/".extraConfig = ''
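Review bot: The new `flix.lassul.us` virtual host is a public, ACME-backed name that proxies straight to `http://yellow.r:8096` with no access control at the nginx layer, whereas the `flix.r`/`jelly.r` hosts it replaces appear to have been reachable only through the internal `.r` zone, so the exposure of the service on 8096 changes with this hunk. The upstream is reached over plain HTTP by hostname now that the local `yellow` container is gone, so the traffic crosses whatever network resolves `yellow.r` (presumably an overlay, but not visible here). If the service on 8096 is meant to do its own authentication, say so at the vhost: `# public entry point: access control is delegated to the service on yellow.r:8096 — confirm`. The enclosing attribute set continues past the end of the hunk, and one context line seems to have been dropped in rendering.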
@@ -322,7 +218,7 @@ with import <stockholm/lib>;
auth_basic_user_file ${pkgs.writeText "flix-user-pass" ''
krebs:$apr1$1Fwt/4T0$YwcUn3OBmtmsGiEPlYWyq0
''};
- proxy_pass http://10.233.2.14:80/;
+ proxy_pass http://yellow.r:80/;
proxy_set_header Accept-Encoding "";
sub_filter "https://lassul.us/" "https://lassul.us/flix/";
sub_filter_once off;
@@ -396,7 +292,7 @@ with import <stockholm/lib>;
netbios name = PRISM
server string = ${config.networking.hostName}
# only allow retiolum addresses
- hosts allow = 42::/16 10.243.0.0/16
+ hosts allow = 42::/16 10.243.0.0/16 10.244.0.0/16
# Use sendfile() for performance gain
use sendfile = true
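Review bot: The comment `# only allow retiolum addresses` two lines above the changed `hosts allow` line is now stale, because the new value also admits `10.244.0.0/16`, which is the wiregrill range used elsewhere in this commit. Update it to match the rule it describes: `# only allow retiolum and wiregrill addresses`. Leaving the old wording invites someone to "fix" the allow list back to the retiolum-only form.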
@@ -438,13 +334,13 @@ with import <stockholm/lib>;
krebs.iptables.tables.filter.INPUT.rules = [
# smbd
{ predicate = "-i retiolum -p tcp --dport 445"; target = "ACCEPT"; }
-
{ predicate = "-i retiolum -p tcp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 2049"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 2049"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 4000:4002"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 4000:4002"; target = "ACCEPT"; }
+ { predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p udp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp --dport 2049"; target = "ACCEPT"; }
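Review bot: The added wiregrill rule for port 445 sits inside the block of 111/2049/4000:4002 rules without the `# smbd` label that the retiolum counterpart carries, and removing the blank line after the retiolum 445 rule makes `# smbd` read as if it covered the rpcbind/nfs ports below it as well. Restore a blank line after the retiolum 445 rule, and prefix the new line with `# smbd` so both interface groups are labelled the same way; a `# rpcbind / nfs` comment above the 111 rules would complete the picture. This opens SMB to the whole wiregrill interface, which is consistent with the samba `hosts allow` change in the previous hunk, so the two should be revisited together if the range ever changes.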
@@ -453,25 +349,6 @@ with import <stockholm/lib>;
{ predicate = "-i wiregrill -p udp --dport 4000:4002"; target = "ACCEPT"; }
];
}
- {
- users.users.shannan = {
- uid = genid_uint31 "shannan";
- isNormalUser = true;
- openssh.authorizedKeys.keys = [
- config.krebs.users.shannan.pubkey
- ];
- };
- }
- {
- nix.trustedUsers = [ "mic92" ];
- users.users.mic92 = {
- uid = genid_uint31 "mic92";
- isNormalUser = true;
- openssh.authorizedKeys.keys = [
- config.krebs.users.mic92.pubkey
- ];
- };
- }
];
krebs.build.host = config.krebs.hosts.prism;