diff options
author | lassulus <lassulus@lassul.us> | 2022-03-02 16:37:48 +0100 |
---|---|---|
committer | lassulus <lassulus@lassul.us> | 2022-03-02 16:37:48 +0100 |
commit | 44a42bb268e163e3fa43fe6ea6c4b979da0f49e9 (patch) | |
tree | 0e9475b0a40464b8122ac19ddcc63fe0daab3cd4 | |
parent | 6002189225e347418f07a99d6a85b033fa0edaf7 (diff) | |
parent | 81817007edda4601c95a8f95aa99ce15320e224a (diff) |
Merge remote-tracking branch 'gum/master'
-rw-r--r-- | krebs/3modules/default.nix | 1 | ||||
-rw-r--r-- | krebs/3modules/makefu/default.nix | 3 | ||||
-rw-r--r-- | krebs/3modules/rtorrent.nix | 348 | ||||
-rw-r--r-- | makefu/0tests/data/secrets/hetzner.smb | 0 | ||||
-rw-r--r-- | makefu/1systems/gum/config.nix | 34 | ||||
-rw-r--r-- | makefu/1systems/latte/config.nix | 28 | ||||
-rw-r--r-- | makefu/1systems/omo/config.nix | 7 | ||||
-rw-r--r-- | makefu/1systems/x/config.nix | 12 | ||||
-rw-r--r-- | makefu/2configs/backup/ssh/latte.pub | 1 | ||||
-rw-r--r-- | makefu/2configs/home/ps4srv.nix | 17 | ||||
-rw-r--r-- | makefu/2configs/share/default.nix | 29 | ||||
-rw-r--r-- | makefu/2configs/share/hetzner-client.nix | 12 | ||||
-rw-r--r-- | makefu/2configs/share/omo.nix | 6 | ||||
-rw-r--r-- | makefu/2configs/torrent.nix | 73 | ||||
-rw-r--r-- | makefu/2configs/torrent/rtorrent.nix | 48 |
15 files changed, 167 insertions, 452 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index fc57d8188..2d73da884 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -46,7 +46,6 @@ let ./realwallpaper.nix ./repo-sync.nix ./retiolum-bootstrap.nix - ./rtorrent.nix ./secret.nix ./setuid.nix ./shadow.nix diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index 1695db3f5..68484a102 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -153,6 +153,7 @@ in { extraZones = { "krebsco.de" = '' latte.euer IN A ${nets.internet.ip4.addr} + rss.euer IN A ${nets.internet.ip4.addr} ''; }; cores = 4; @@ -182,6 +183,7 @@ in { aliases = [ "latte.r" + "torrent.latte.r" ]; }; }; @@ -211,7 +213,6 @@ in { feed.euer IN A ${nets.internet.ip4.addr} board.euer IN A ${nets.internet.ip4.addr} etherpad.euer IN A ${nets.internet.ip4.addr} - rss.euer IN A ${nets.internet.ip4.addr} mediengewitter IN CNAME over.dose.io. mon.euer IN A ${nets.internet.ip4.addr} netdata.euer IN A ${nets.internet.ip4.addr} diff --git a/krebs/3modules/rtorrent.nix b/krebs/3modules/rtorrent.nix deleted file mode 100644 index 4a96f6203..000000000 --- a/krebs/3modules/rtorrent.nix +++ /dev/null @@ -1,348 +0,0 @@ -{ config, lib, pkgs, options, ... }: - -with import <stockholm/lib>; -let - cfg = config.krebs.rtorrent; - webcfg = config.krebs.rtorrent.web; - rucfg = config.krebs.rtorrent.rutorrent; - - nginx-user = config.services.nginx.user; - nginx-group = config.services.nginx.group; - fpm-socket = config.services.phpfpm.pools.rutorrent.socket; - - webdir = rucfg.webdir; - systemd-logfile = cfg.workDir + "/rtorrent-systemd.log"; - - # rutorrent requires a couple of binaries to be available to either the - # rtorrent process or to phpfpm - - rutorrent-deps = with pkgs; [ curl php coreutils procps ffmpeg mediainfo ] ++ - (if (config.nixpkgs.config.allowUnfree or false) then - trace "enabling unfree packages for rutorrent" [ unrar unzip ] else - trace "not enabling unfree packages for rutorrent because allowUnfree is unset" []); - - configFile = pkgs.writeText "rtorrent-config" '' - # THIS FILE IS AUTOGENERATED - ${optionalString (cfg.listenPort != null) '' - port_range = ${toString cfg.listenPort}-${toString cfg.listenPort} - port_random = no - ''} - - ${optionalString (cfg.watchDir != null) '' - directory.watch.added = "${cfg.watchDir}", load.start_verbose - ''} - - directory = ${cfg.downloadDir} - session = ${cfg.sessionDir} - - ${optionalString (cfg.enableXMLRPC ) '' - # prepare socket and set permissions. rtorrent user is part of group nginx - # TODO: configure a shared torrent group - execute.nothrow = rm,${cfg.xmlrpc-socket} - scgi_local = ${cfg.xmlrpc-socket} - schedule = scgi_permission,0,0,"execute.nothrow=chmod,\"ug+w,o=\",${cfg.xmlrpc-socket}" - ''} - - system.file.allocate.set = ${if cfg.preAllocate then "yes" else "no"} - - # Prepare systemd logging - log.open_file = "rtorrent-systemd", ${systemd-logfile} - log.add_output = "warn", "rtorrent-systemd" - log.add_output = "notice", "rtorrent-systemd" - log.add_output = "info", "rtorrent-systemd" - # log.add_output = "debug", "rtorrent-systemd" - ${cfg.extraConfig} - ''; - - out = { - options.krebs.rtorrent = api; - # This only works because none of the attrsets returns the same key - config = with lib; mkIf cfg.enable (lib.mkMerge [ - (lib.mkIf webcfg.enable rpcweb-imp) - # only build rutorrent-imp if webcfg is enabled as well - (lib.mkIf (webcfg.enable && rucfg.enable) rutorrent-imp) - imp - ]); - }; - - api = { - enable = mkEnableOption "rtorrent"; - - web = { - # configure NGINX to provide /RPC2 for listen address - # authentication also applies to rtorrent.rutorrent - enable = mkEnableOption "rtorrent nginx web RPC"; - - addr = mkOption { - type = types.addr4; - default = "0.0.0.0"; - description = '' - the address to listen on - default is 0.0.0.0 - ''; - }; - - port = mkOption { - type = types.nullOr types.int; - description ='' - nginx listen port for rtorrent - ''; - default = 8006; - }; - - basicAuth = mkOption { - type = types.attrsOf types.str ; - description = '' - basic authentication to be used. If unset, no authentication will be - enabled. - - Refer to `services.nginx.virtualHosts.‹name›.basicAuth` - ''; - default = {}; - }; - }; - - rutorrent = { - enable = mkEnableOption "rutorrent"; # requires rtorrent.web.enable - - package = mkOption { - type = types.package; - description = '' - path to rutorrent package. When using your own ruTorrent package, - scgi_port and scgi_host will be patched on startup. - ''; - default = pkgs.rutorrent; - }; - - webdir = mkOption { - type = types.path; - description = '' - rutorrent php files will be written to this folder. - when using nginx, be aware that the the folder should be readable by nginx. - because rutorrent does not hold mutable data in a separate folder - these files must be writable. - ''; - default = "/var/lib/rutorrent"; - }; - - }; - - package = mkOption { - type = types.package; - default = pkgs.rtorrent; - }; - - # TODO: enable xmlrpc with web.enable - enableXMLRPC = mkEnableOption "rtorrent xmlrpc via socket"; - xmlrpc-socket = mkOption { - type = types.str; - description = '' - enable xmlrpc at given socket. Required for web-interface. - - for documentation see: - https://github.com/rakshasa/rtorrent/wiki/RPC-Setup-XMLRPC - ''; - default = cfg.workDir + "/rtorrent.sock"; - }; - - preAllocate = mkOption { - type = types.bool; - description = '' - Pre-Allocate torrent files - ''; - default = true; - }; - - downloadDir = mkOption { - type = types.path; - description = '' - directory where torrents are stored - ''; - default = cfg.workDir + "/downloads"; - }; - - sessionDir = mkOption { - type = types.path; - description = '' - directory where torrent progress is stored - ''; - default = cfg.workDir + "/rtorrent-session"; - }; - - watchDir = mkOption { - type = with types; nullOr str; - description = '' - directory to watch for torrent files. - If unset, no watch directory will be configured - ''; - default = null; - }; - - listenPort = mkOption { - type = with types; nullOr int; - description ='' - listening port. if you want multiple ports, use extraConfig port_range - ''; - }; - - extraConfig = mkOption { - type = types.lines; - description = '' - config to be placed into ${cfg.workDir}/.rtorrent.rc - - see ${cfg.package}/share/doc/rtorrent/rtorrent.rc - ''; - example = literalExample '' - log.execute = ${cfg.workDir}/execute.log - log.xmlrpc = ${cfg.workDir}/xmlrpc.log - ''; - default = ""; - }; - - user = mkOption { - description = '' - user which will run rtorrent. if kept default a new user will be created - ''; - type = types.str; - default = "rtorrent"; - }; - - workDir = mkOption { - description = '' - working directory. rtorrent will search in HOME for `.rtorrent.rc` - ''; - type = types.str; - default = "/var/lib/rtorrent"; - }; - - }; - - imp = { - systemd.services = { - rtorrent-daemon = { - description = "rtorrent headless"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - restartIfChanged = true; - serviceConfig = { - Type = "forking"; - ExecStartPre = pkgs.writeDash "prepare-folder" '' - mkdir -p ${cfg.workDir} ${cfg.sessionDir} - chmod 770 ${cfg.workDir} ${cfg.sessionDir} - touch ${systemd-logfile} - cp -f ${configFile} ${cfg.workDir}/.rtorrent.rc - ''; - ExecStart = "${pkgs.tmux}/bin/tmux new-session -s rt -n rtorrent -d 'PATH=/bin:/usr/bin:${makeBinPath rutorrent-deps} ${cfg.package}/bin/rtorrent'"; - Restart = "always"; - RestartSec = "10"; - - ## you can simply sudo -u rtorrent tmux a if privateTmp is set to false - ## otherwise the tmux session is stored in some private folder in /tmp - PrivateTmp = false; - - WorkingDirectory = cfg.workDir; - User = "${cfg.user}"; - }; - }; - rtorrent-log = { - after = [ "rtorrent-daemon.service" ]; - bindsTo = [ "rtorrent-daemon.service" ]; - wantedBy = [ "rtorrent-daemon.service" ]; - serviceConfig = { - ExecStart = "${pkgs.coreutils}/bin/tail -f ${systemd-logfile}"; - User = "${cfg.user}"; - }; - }; - } // (optionalAttrs webcfg.enable { - rutorrent-prepare = { - after = [ "rtorrent-daemon.service" ]; - wantedBy = [ "rtorrent-daemon.service" ]; - serviceConfig = { - Type = "oneshot"; - # we create the folder and set the permissions to allow nginx - # TODO: update files if the version of rutorrent changed - ExecStart = pkgs.writeDash "create-webconfig-dir" '' - if [ ! -e ${webdir} ];then - echo "creating webconfiguration directory for rutorrent: ${webdir}" - cp -vr ${rucfg.package} ${webdir} - echo "setting permissions for webdir to ${cfg.user}:${nginx-group}" - chown -R ${cfg.user}:${nginx-group} ${webdir} - chmod -R 770 ${webdir} - else - echo "not overwriting ${webdir}" - - fi - echo "updating xmlrpc-socket with unix://${cfg.xmlrpc-socket}" - sed -i -e 's#^\s*$scgi_port.*#$scgi_port = 0;#' \ - -e 's#^\s*$scgi_host.*#$scgi_host = "unix://${cfg.xmlrpc-socket}";#' \ - "${webdir}/conf/config.php" - ''; - }; - }; - }) - // (optionalAttrs rucfg.enable { }); - - users = lib.mkIf (cfg.user == "rtorrent") { - users.rtorrent = { - uid = genid "rtorrent"; - home = cfg.workDir; - group = nginx-group; # required for rutorrent to work - shell = "/bin/sh"; #required for tmux - isSystemUser = true; - createHome = true; - }; - groups.rtorrent.gid = genid "rtorrent"; - }; - }; - - rpcweb-imp = { - services.nginx.enable = mkDefault true; - services.nginx.virtualHosts.rtorrent = { - default = mkDefault true; - inherit (webcfg) basicAuth; - root = optionalString rucfg.enable webdir; - listen = [ { inherit (webcfg) addr port; } ]; - - locations = { - "/RPC2".extraConfig = '' - include ${pkgs.nginx}/conf/scgi_params; - scgi_param SCRIPT_NAME /RPC2; - scgi_pass unix:${cfg.xmlrpc-socket}; - ''; - } // (optionalAttrs rucfg.enable { - "~ \.php$".extraConfig = '' - client_max_body_size 200M; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:${fpm-socket}; - try_files $uri =404; - fastcgi_index index.php; - include ${pkgs.nginx}/conf/fastcgi_params; - include ${pkgs.nginx}/conf/fastcgi.conf; - ''; } - ); - }; - }; - - rutorrent-imp = { - services.phpfpm = { - pools.rutorrent = { - user = nginx-user; - group = nginx-group; - phpEnv.PATH = makeBinPath rutorrent-deps; - - settings = { - "listen.owner" = nginx-user; - "pm" = "dynamic"; - "pm.max_children" = 5; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 1; - "pm.max_spare_servers" = 3; - "chdir" = "/"; - "php_admin_value[error_log]" = "stderr"; - "php_admin_flag[log_errors]" = "on"; - "catch_workers_output" = "yes"; - }; - }; - }; - }; -in out diff --git a/makefu/0tests/data/secrets/hetzner.smb b/makefu/0tests/data/secrets/hetzner.smb new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/makefu/0tests/data/secrets/hetzner.smb diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix index a9d9b661f..089fc8e9f 100644 --- a/makefu/1systems/gum/config.nix +++ b/makefu/1systems/gum/config.nix @@ -23,11 +23,12 @@ in { } <stockholm/makefu/2configs/nur.nix> <stockholm/makefu/2configs/support-nixos.nix> - <stockholm/makefu/2configs/nix-community/mediawiki-matrix-bot.nix> <stockholm/makefu/2configs/nix-community/supervision.nix> <stockholm/makefu/2configs/home-manager> <stockholm/makefu/2configs/home-manager/cli.nix> # <stockholm/makefu/2configs/stats/client.nix> + <stockholm/makefu/2configs/share> + <stockholm/makefu/2configs/share/hetzner-client.nix> # <stockholm/makefu/2configs/stats/netdata-server.nix> <stockholm/makefu/2configs/headless.nix> @@ -56,13 +57,13 @@ in { <stockholm/makefu/2configs/tinc/retiolum.nix> { # bonus retiolum config for connecting more hosts krebs.tinc.retiolum = { - extraConfig = lib.mkForce '' - ListenAddress = ${external-ip} 53 - ListenAddress = ${external-ip} 655 - ListenAddress = ${external-ip} 21031 - StrictSubnets = yes - LocalDiscovery = no - ''; + #extraConfig = lib.mkForce '' + # ListenAddress = ${external-ip} 53 + # ListenAddress = ${external-ip} 655 + # ListenAddress = ${external-ip} 21031 + # StrictSubnets = yes + # LocalDiscovery = no + #''; connectTo = [ "prism" "ni" "enklave" "eve" "dishfire" ]; @@ -106,7 +107,7 @@ in { # sharing <stockholm/makefu/2configs/share/gum.nix> # samba sahre - <stockholm/makefu/2configs/torrent.nix> + <stockholm/makefu/2configs/torrent/rtorrent.nix> # <stockholm/makefu/2configs/sickbeard> <stockholm/makefu/2configs/bitwarden.nix> @@ -114,7 +115,7 @@ in { #<stockholm/makefu/2configs/retroshare.nix> ## <stockholm/makefu/2configs/ipfs.nix> #<stockholm/makefu/2configs/syncthing.nix> - <stockholm/makefu/2configs/sync> + # <stockholm/makefu/2configs/sync> # <stockholm/makefu/2configs/opentracker.nix> @@ -125,9 +126,8 @@ in { { makefu.backup.server.repo = "/var/backup/borg"; } <stockholm/makefu/2configs/backup/server.nix> <stockholm/makefu/2configs/backup/state.nix> - <stockholm/makefu/2configs/bitlbee.nix> <stockholm/makefu/2configs/wireguard/server.nix> - <stockholm/makefu/2configs/wireguard/wiregrill.nix> + # <stockholm/makefu/2configs/wireguard/wiregrill.nix> { # recent changes mediawiki bot networking.firewall.allowedUDPPorts = [ 5005 5006 ]; @@ -150,13 +150,12 @@ in { # <stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix> <stockholm/makefu/2configs/deployment/graphs.nix> - <stockholm/makefu/2configs/deployment/owncloud.nix> + #<stockholm/makefu/2configs/deployment/owncloud.nix> <stockholm/makefu/2configs/deployment/board.euer.krebsco.de.nix> - <stockholm/makefu/2configs/deployment/rss.euer.krebsco.de.nix> #<stockholm/makefu/2configs/deployment/feed.euer.krebsco.de> <stockholm/makefu/2configs/deployment/boot-euer.nix> <stockholm/makefu/2configs/deployment/gecloudpad> - <stockholm/makefu/2configs/deployment/docker/archiveteam-warrior.nix> + #<stockholm/makefu/2configs/deployment/docker/archiveteam-warrior.nix> <stockholm/makefu/2configs/deployment/mediengewitter.de.nix> <stockholm/makefu/2configs/bgt/etherpad.euer.krebsco.de.nix> # <stockholm/makefu/2configs/deployment/systemdultras-rss.nix> @@ -182,14 +181,15 @@ in { ## Temporary: # <stockholm/makefu/2configs/temp/rst-issue.nix> - <stockholm/makefu/2configs/virtualisation/docker.nix> + # <stockholm/makefu/2configs/virtualisation/docker.nix> #<stockholm/makefu/2configs/virtualisation/libvirt.nix> # krebs infrastructure services # <stockholm/makefu/2configs/stats/server.nix> ]; - makefu.dl-dir = "/var/download"; + # makefu.dl-dir = "/var/download"; + makefu.dl-dir = "/media/cloud/download"; services.openssh.hostKeys = lib.mkForce [ { bits = 4096; path = (toString <secrets/ssh_host_rsa_key>); type = "rsa"; } diff --git a/makefu/1systems/latte/config.nix b/makefu/1systems/latte/config.nix index fdd3df192..2828aea08 100644 --- a/makefu/1systems/latte/config.nix +++ b/makefu/1systems/latte/config.nix @@ -29,10 +29,29 @@ in { <stockholm/makefu/2configs/remote-build/slave.nix> # Storage + <stockholm/makefu/2configs/share> <stockholm/makefu/2configs/share/hetzner-client.nix> # Services: <stockholm/makefu/2configs/nix-community/mediawiki-matrix-bot.nix> + <stockholm/makefu/2configs/torrent/rtorrent.nix> + ## Web + <stockholm/makefu/2configs/deployment/rss.euer.krebsco.de.nix> + <stockholm/makefu/2configs/deployment/owncloud.nix> + ### Moving owncloud data dir to /media/cloud/nextcloud-data + { + users.users.nextcloud.extraGroups = [ "download" ]; + # nextcloud-setup fails as it cannot set permissions for nextcloud + systemd.services.nextcloud-setup.serviceConfig.SuccessExitStatus = "0 1"; + fileSystems."/var/lib/nextcloud/data" = { + device = "/media/cloud/nextcloud-data"; + options = [ "bind" ]; + }; + } + + # local usage: + <stockholm/makefu/2configs/mosh.nix> + <stockholm/makefu/2configs/bitlbee.nix> # Supervision <stockholm/makefu/2configs/nix-community/supervision.nix> @@ -40,9 +59,9 @@ in { # Krebs <stockholm/makefu/2configs/tinc/retiolum.nix> - #<stockholm/makefu/2configs/home-manager> - # configure your hw: - # <stockholm/makefu/2configs/torrent.nix> + # backup + <stockholm/makefu/2configs/backup/state.nix> + ]; krebs = { @@ -50,4 +69,7 @@ in { build.host = config.krebs.hosts.latte; }; + makefu.dl-dir = "/media/cloud/download"; + networking.firewall.allowedTCPPorts = [ 80 443 ]; + } diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix index 3a216ea76..42f335264 100644 --- a/makefu/1systems/omo/config.nix +++ b/makefu/1systems/omo/config.nix @@ -43,14 +43,18 @@ in { <stockholm/makefu/2configs/tools/dev.nix> <stockholm/makefu/2configs/tools/desktop.nix> <stockholm/makefu/2configs/tools/mobility.nix> + <stockholm/makefu/2configs/tools/consoles.nix> #<stockholm/makefu/2configs/graphite-standalone.nix> #<stockholm/makefu/2configs/share-user-sftp.nix> <stockholm/makefu/2configs/urlwatch> # <stockholm/makefu/2configs/legacy_only.nix> + <stockholm/makefu/2configs/share> <stockholm/makefu/2configs/share/omo.nix> <stockholm/makefu/2configs/share/gum-client.nix> + <stockholm/makefu/2configs/share/hetzner-client.nix> + <stockholm/makefu/2configs/sync> <stockholm/makefu/2configs/dcpp/airdcpp.nix> { krebs.airdcpp.dcpp.shares = let d = path: "/media/cryptX/${path}"; @@ -96,6 +100,8 @@ in { <stockholm/makefu/2configs/home/music.nix> <stockholm/makefu/2configs/home/photoprism.nix> + <stockholm/makefu/2configs/home/tonie.nix> + <stockholm/makefu/2configs/home/ps4srv.nix> # <stockholm/makefu/2configs/home/metube.nix> <stockholm/makefu/2configs/home/ham> <stockholm/makefu/2configs/home/zigbee2mqtt> @@ -104,6 +110,7 @@ in { enable = true; servedir = "/media/cryptX/emu/ps3"; }; + users.users.makefu.packages = [ pkgs.pkgrename ]; } diff --git a/makefu/1systems/x/config.nix b/makefu/1systems/x/config.nix index 224277861..3edfcecc1 100644 --- a/makefu/1systems/x/config.nix +++ b/makefu/1systems/x/config.nix @@ -137,6 +137,8 @@ # <stockholm/makefu/2configs/share/anon-ftp.nix> # <stockholm/makefu/2configs/share/anon-sftp.nix> <stockholm/makefu/2configs/share/gum-client.nix> + <stockholm/makefu/2configs/share/hetzner-client.nix> + <stockholm/makefu/2configs/share> # <stockholm/makefu/2configs/share/temp-share-samba.nix> @@ -145,6 +147,7 @@ <stockholm/makefu/2configs/mail-client.nix> <stockholm/makefu/2configs/printer.nix> # <stockholm/makefu/2configs/syncthing.nix> + <stockholm/makefu/2configs/sync> # Virtualization # <stockholm/makefu/2configs/virtualisation/libvirt.nix> @@ -167,7 +170,7 @@ # <stockholm/makefu/2configs/remote-build/gum.nix> # { nixpkgs.overlays = [ (self: super: super.prefer-remote-fetch self super) ]; } - <stockholm/makefu/2configs/binary-cache/gum.nix> + # <stockholm/makefu/2configs/binary-cache/gum.nix> <stockholm/makefu/2configs/binary-cache/lass.nix> @@ -223,7 +226,8 @@ krebs.build.host = config.krebs.hosts.x; - krebs.tinc.retiolum.connectTo = [ "omo" "prism" "nextgum" "wbob" ]; + #krebs.tinc.retiolum.connectTo = lib.mkForce [ "gum" ]; + #krebs.tinc.retiolum.extraConfig = "AutoConnect = no"; environment.systemPackages = [ pkgs.passwdqc-utils ]; @@ -245,6 +249,6 @@ "/home/makefu/.config/syncthing" ]; - services.syncthing.user = lib.mkForce "makefu"; - services.syncthing.dataDir = lib.mkForce "/home/makefu/.config/syncthing/"; + # services.syncthing.user = lib.mkForce "makefu"; + # services.syncthing.dataDir = lib.mkForce "/home/makefu/.config/syncthing/"; } diff --git a/makefu/2configs/backup/ssh/latte.pub b/makefu/2configs/backup/ssh/latte.pub new file mode 100644 index 000000000..52d56d956 --- /dev/null +++ b/makefu/2configs/backup/ssh/latte.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOUZcfi2SXxCo1if0oU3x9qPK8/O5FmiXy2HFZyTp/P1 makefu@x diff --git a/makefu/2configs/home/ps4srv.nix b/makefu/2configs/home/ps4srv.nix new file mode 100644 index 000000000..cb1864fae --- /dev/null +++ b/makefu/2configs/home/ps4srv.nix @@ -0,0 +1,17 @@ +let + internal-ip = "192.168.111.11"; +in +{ + services.nginx.virtualHosts."ps4srv" = { + serverAliases = [ + "ps4srv.lan" + ]; + + locations."/".root = "/media/cryptX/emu/ps4"; + extraConfig = '' + if ( $server_addr != "${internal-ip}" ) { + return 403; + } + ''; + }; +} diff --git a/makefu/2configs/share/default.nix b/makefu/2configs/share/default.nix new file mode 100644 index 000000000..a1ad349b9 --- /dev/null +++ b/makefu/2configs/share/default.nix @@ -0,0 +1,29 @@ +{ config, lib, ... }: +with import <stockholm/lib>; +let + base-dir = config.services.rtorrent.downloadDir; +in { + users.users = { + download = { + name = "download"; + home = base-dir; + isNormalUser = true; + uid = mkDefault (genid "download"); + createHome = false; + useDefaultShell = true; + group = "download"; + openssh.authorizedKeys.keys = [ ]; + }; + }; + + users.groups = { + download = { + gid = lib.mkDefault (genid "download"); + members = [ + config.krebs.build.user.name + "download" + ]; + }; + }; + +} diff --git a/makefu/2configs/share/hetzner-client.nix b/makefu/2configs/share/hetzner-client.nix index e59698063..90bc32deb 100644 --- a/makefu/2configs/share/hetzner-client.nix +++ b/makefu/2configs/share/hetzner-client.nix @@ -1,5 +1,6 @@ { config, lib, pkgs, ... }: +with <stockholm/lib>; let automount_opts = [ "x-systemd.automount" @@ -10,14 +11,16 @@ let host = "u288834.your-storagebox.de"; in { boot.kernel.sysctl."net.ipv6.route.max_size" = 2147483647; + fileSystems."/media/cloud" = { device = "//${host}/backup"; fsType = "cifs"; options = automount_opts ++ - [ "credentials=/var/src/secrets/hetzner.smb" - "file_mode=0775" - "dir_mode=0775" - "uid=9001" + [ "credentials=${toString <secrets/hetzner.smb>}" + "file_mode=0770" + "dir_mode=0770" + "uid=${toString config.users.users.download.uid}" + "gid=${toString config.users.groups.download.gid}" #"vers=3" "vers=2.1" "rsize=65536" @@ -25,5 +28,4 @@ in { "iocharset=utf8" ]; }; - } diff --git a/makefu/2configs/share/omo.nix b/makefu/2configs/share/omo.nix index 93536b63d..e53158b8f 100644 --- a/makefu/2configs/share/omo.nix +++ b/makefu/2configs/share/omo.nix @@ -32,6 +32,12 @@ in { browseable = "yes"; "guest ok" = "yes"; }; + movies = { + path = "/media/cryptX/movies"; + "read only" = "yes"; + browseable = "yes"; + "guest ok" = "yes"; + }; audiobook = { path = "/media/crypt1/audiobooks"; "read only" = "yes"; diff --git a/makefu/2configs/torrent.nix b/makefu/2configs/torrent.nix deleted file mode 100644 index 74f1e5fe8..000000000 --- a/makefu/2configs/torrent.nix +++ /dev/null @@ -1,73 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import <stockholm/lib>; - -let - basicAuth = import <torrent-secrets/auth.nix>; - peer-port = 51412; - web-port = 8112; - daemon-port = 58846; - base-dir = config.krebs.rtorrent.workDir; -in { - - users.users = { - download = { - name = "download"; - home = base-dir; - uid = mkDefault (genid "download"); - createHome = true; - useDefaultShell = true; - group = "download"; - openssh.authorizedKeys.keys = [ ]; - }; - }; - - users.extraGroups = { - download = { - gid = lib.mkDefault (genid "download"); - members = [ - config.krebs.build.user.name - "download" - "rtorrent" - "nginx" - ]; - }; - rtorrent.members = [ "download" ]; - }; - - krebs.rtorrent = let - d = config.makefu.dl-dir; - in { - enable = true; - web = { - enable = true; - port = web-port; - inherit basicAuth; - }; - rutorrent.enable = true; - enableXMLRPC = true; - listenPort = peer-port; - downloadDir = d + "/finished/incoming"; - watchDir = d + "/watch"; - # TODO: maybe test out multiple watch dirs with tags: https://github.com/rakshasa/rtorrent/wiki/TORRENT-Watch-directories - extraConfig = '' - # log.add_output = "debug", "rtorrent-systemd" - # log.add_output = "dht_debug", "rtorrent-systemd" - # log.add_output = "tracker_debug", "rtorrent-systemd" - log.add_output = "rpc_events", "rtorrent-systemd" - # log.add_output = "rpc_dump", "rtorrent-systemd" - system.daemon.set = true - ''; - # dump old torrents into watch folder to have them re-added - }; - - services.nginx.virtualHosts."torrent.${config.krebs.build.host.name}.r".locations."/" = { proxyPass = "http://localhost:${toString web-port}/"; }; - - networking.firewall.extraCommands = '' - iptables -A INPUT -i retiolum -p tcp --dport ${toString web-port} -j ACCEPT - ''; - - networking.firewall.allowedTCPPorts = [ peer-port ]; - networking.firewall.allowedUDPPorts = [ peer-port ]; - state = [ config.krebs.rtorrent.sessionDir ]; # state which torrents were loaded -} diff --git a/makefu/2configs/torrent/rtorrent.nix b/makefu/2configs/torrent/rtorrent.nix new file mode 100644 index 000000000..79325bfc7 --- /dev/null +++ b/makefu/2configs/torrent/rtorrent.nix @@ -0,0 +1,48 @@ +{ config, lib, pkgs, ... }: + +let + basicAuth = import <torrent-secrets/auth.nix>; + peer-port = 51412; + web-port = 8112; + daemon-port = 58846; + dldir = config.makefu.dl-dir; +in { + services.rtorrent.enable = true; + services.rtorrent.user = "rtorrent"; + services.rtorrent.group = "download"; + services.rtorrent.downloadDir = dldir; + services.rtorrent.configText = '' + schedule2 = watch_start, 10, 10, ((load.start, (cat, (cfg.watch), "/media/cloud/watch/*.torrent"))) + ''; + + services.rtorrent.openFirewall = true; + + systemd.services.flood = { + wantedBy = [ "multi-user.target" ]; + wants = [ "rtorrent.service" ]; + after = [ "rtorrent.service" ]; + serviceConfig = { + User = "rtorrent"; + ExecStart = "${pkgs.nodePackages.flood}/bin/flood --auth none --port ${toString web-port} --rtsocket ${config.services.rtorrent.rpcSocket}"; + }; + }; + + #security.acme.certs."torrent.${config.krebs.build.host.name}.r".server = config.krebs.ssl.acmeURL; + + services.nginx = { + enable = true; + virtualHosts."torrent.${config.krebs.build.host.name}.r" = { + # TODO + inherit basicAuth; + #enableACME = true; + #addSSL = true; + root = "${pkgs.nodePackages.flood}/lib/node_modules/flood/dist/assets"; + locations."/api".extraConfig = '' + proxy_pass http://localhost:${toString web-port}; + ''; + locations."/".extraConfig = '' + try_files $uri /index.html; + ''; + }; + }; |