Diffstat (limited to 'lass/1systems')
-rw-r--r-- | lass/1systems/coaxmetal/config.nix | 2 | ||||
-rw-r--r-- | lass/1systems/neoprism/config.nix | 5 | ||||
-rw-r--r-- | lass/1systems/prism/config.nix | 28 | ||||
-rw-r--r-- | lass/1systems/radio/config.nix | 24 | ||||
-rw-r--r-- | lass/1systems/radio/physical.nix | 7 | ||||
-rw-r--r-- | lass/1systems/shodan/config.nix | 2 | ||||
-rw-r--r-- | lass/1systems/yellow/config.nix | 37 |
7 files changed, 101 insertions, 4 deletions
diff --git a/lass/1systems/coaxmetal/config.nix b/lass/1systems/coaxmetal/config.nix index dd8308bbd..2c88b68cc 100644 --- a/lass/1systems/coaxmetal/config.nix +++ b/lass/1systems/coaxmetal/config.nix @@ -16,7 +16,7 @@ <stockholm/lass/2configs/steam.nix> <stockholm/lass/2configs/wine.nix> <stockholm/lass/2configs/fetchWallpaper.nix> - <stockholm/lass/2configs/prism-mounts/samba.nix> + <stockholm/lass/2configs/yellow-mounts/samba.nix> <stockholm/lass/2configs/pass.nix> <stockholm/lass/2configs/mail.nix> <stockholm/lass/2configs/bitcoin.nix> diff --git a/lass/1systems/neoprism/config.nix b/lass/1systems/neoprism/config.nix index f203abc07..8e5a60c36 100644 --- a/lass/1systems/neoprism/config.nix +++ b/lass/1systems/neoprism/config.nix @@ -4,8 +4,13 @@ imports = [ <stockholm/lass> <stockholm/lass/2configs/retiolum.nix> + + # sync-containers <stockholm/lass/2configs/consul.nix> <stockholm/lass/2configs/yellow-host.nix> + <stockholm/lass/2configs/radio/container-host.nix> + + # other containers <stockholm/lass/2configs/riot.nix> ]; diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index c2a405759..bcc8c1a08 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix 
@@ -97,9 +97,35 @@ with import <stockholm/lib>; localAddress = "10.233.2.2"; }; } + { + services.nginx.virtualHosts."radio.lassul.us" = { + enableACME = true; + addSSL = true; + locations."/" = { + # recommendedProxySettings = true; + proxyWebsockets = true; + proxyPass = "http://radio.r"; + extraConfig = '' + proxy_set_header Host radio.r; + # get source ip for weather reports + proxy_set_header user-agent "$http_user_agent; client-ip=$remote_addr"; + ''; + }; + }; + krebs.htgen.radio-redirect = { + port = 8000; + scriptFile = pkgs.writers.writeDash "redir" '' + printf 'HTTP/1.1 301 Moved Permanently\r\n' + printf "Location: http://radio.lassul.us''${Request_URI}\r\n" + printf '\r\n' + ''; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 8000"; target = "ACCEPT"; } + ]; + } <stockholm/lass/2configs/exim-smarthost.nix> <stockholm/lass/2configs/privoxy-retiolum.nix> - <stockholm/lass/2configs/radio> <stockholm/lass/2configs/binary-cache/server.nix> <stockholm/lass/2configs/iodined.nix> <stockholm/lass/2configs/paste.nix> diff --git a/lass/1systems/radio/config.nix b/lass/1systems/radio/config.nix new file mode 100644 index 000000000..2fd23a448 --- /dev/null +++ b/lass/1systems/radio/config.nix @@ -0,0 +1,24 @@ +with import <stockholm/lib>; +{ config, lib, pkgs, ... }: +{ + imports = [ + <stockholm/lass> + <stockholm/lass/2configs> + <stockholm/lass/2configs/retiolum.nix> + + <stockholm/lass/2configs/syncthing.nix> + <stockholm/lass/2configs/radio> + ]; + + krebs.build.host = config.krebs.hosts.radio; + + security.acme = { + acceptTerms = true; + defaults.email = "acme@lassul.us"; + }; + + lass.sync-containers3.inContainer = { + enable = true; + pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvPKdbVwMEFCDMyNAzR8NdVjTbQL2G+03Xomxn6KKFt"; + }; +} diff --git a/lass/1systems/radio/physical.nix b/lass/1systems/radio/physical.nix new file mode 100644 index 000000000..8577daf34 --- /dev/null +++ b/lass/1systems/radio/physical.nix 
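Review bot: In the `krebs.htgen.radio-redirect` script added to prism/config.nix, the request path is expanded inside printf's format string (`printf "Location: http://radio.lassul.us''${Request_URI}\r\n"`), so any `%` or backslash sequence in what is presumably a client-supplied URI is interpreted by printf and can mangle or extend the response headers. Passing it as an argument avoids that: `printf 'Location: http://radio.lassul.us%s\r\n' "$Request_URI"`. In the same hunk the client address is appended to the forwarded `user-agent` header, and a client can place its own `client-ip=` text in its User-Agent, so the backend should trust only the last occurrence, or the address could travel in a dedicated header such as `proxy_set_header X-Real-IP $remote_addr;`. The redirect target is also `http://` although the vhost enables ACME and SSL.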
@@ -0,0 +1,7 @@ +{ + imports = [ + ./config.nix + ]; + boot.isContainer = true; + networking.useDHCP = true; +} diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix index ef538f339..5e48c216a 100644 --- a/lass/1systems/shodan/config.nix +++ b/lass/1systems/shodan/config.nix @@ -16,7 +16,7 @@ <stockholm/lass/2configs/blue-host.nix> <stockholm/lass/2configs/green-host.nix> <stockholm/krebs/2configs/news-host.nix> - <stockholm/lass/2configs/prism-mounts/samba.nix> + <stockholm/lass/2configs/yellow-mounts/samba.nix> <stockholm/lass/2configs/fetchWallpaper.nix> <stockholm/lass/2configs/consul.nix> <stockholm/lass/2configs/red-host.nix> diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix index 552dd7f00..06561e9cf 100644 --- a/lass/1systems/yellow/config.nix +++ b/lass/1systems/yellow/config.nix @@ -34,6 +34,12 @@ in { }; }; + security.acme.defaults.email = "spam@krebsco.de"; + security.acme.acceptTerms = true; + security.acme.certs."yellow.r".server = config.krebs.ssl.acmeURL; + security.acme.certs."jelly.r".server = config.krebs.ssl.acmeURL; + security.acme.certs."radar.r".server = config.krebs.ssl.acmeURL; + security.acme.certs."sonar.r".server = config.krebs.ssl.acmeURL; services.nginx = { enable = true; package = pkgs.nginx.override { @@ -41,8 +47,10 @@ in { fancyindex ]; }; - virtualHosts.default = { + virtualHosts."yellow.r" = { default = true; + enableACME = true; + addSSL = true; locations."/" = { root = "/var/download"; extraConfig = '' 
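Review bot: The `virtualHosts."yellow.r"` block in yellow/config.nix sets `addSSL = true;`, which serves the site on 443 while still answering plain HTTP on port 80, so nothing moves clients onto TLS. If every consumer of the download directory can validate the certificate issued through `config.krebs.ssl.acmeURL`, `forceSSL = true;` would redirect port 80 instead; the same applies to `jelly.r`, `radar.r` and `sonar.r` in the next hunk and to `radio.lassul.us` in prism/config.nix. If plain HTTP is kept on purpose, a short comment saying so would help, e.g. `# addSSL: plain HTTP kept for clients that cannot validate the internal CA`. The `services.nginx` block starts and ends outside this hunk.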
@@ -137,11 +145,29 @@ in { ''; }; virtualHosts."jelly.r" = { + enableACME = true; + addSSL = true; locations."/".extraConfig = '' proxy_pass http://localhost:8096/; proxy_set_header Accept-Encoding ""; ''; }; + virtualHosts."radar.r" = { + enableACME = true; + addSSL = true; + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://localhost:7878"; + }; + }; + virtualHosts."sonar.r" = { + enableACME = true; + addSSL = true; + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://localhost:8989"; + }; + }; }; services.samba = { @@ -215,6 +241,7 @@ in { enable = true; tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport 80"; target = "ACCEPT"; } # nginx web dir + { predicate = "-p tcp --dport 443"; target = "ACCEPT"; } # nginx web dir { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } # transmission-web { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } # transmission-traffic { predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic @@ -222,6 +249,7 @@ in { { predicate = "-p tcp --dport 9696"; target = "ACCEPT"; } # prowlarr { predicate = "-p tcp --dport 8989"; target = "ACCEPT"; } # sonarr { predicate = "-p tcp --dport 7878"; target = "ACCEPT"; } # radarr + { predicate = "-p tcp --dport 6767"; target = "ACCEPT"; } # bazarr # smbd { predicate = "-i retiolum -p tcp --dport 445"; target = "ACCEPT"; } @@ -367,13 +395,20 @@ in { services.radarr = { enable = true; + group = "download"; }; services.sonarr = { enable = true; + group = "download"; }; services.prowlarr = { enable = true; }; + + services.bazarr = { + enable = true; + group = "download"; + }; } |
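Review bot: The new `radar.r` and `sonar.r` vhosts proxy to `localhost:7878` and `localhost:8989`, but the INPUT rules visible in the later hunks still accept those ports on every interface, and the added bazarr rule `-p tcp --dport 6767` follows the same pattern, so the backends stay reachable directly without TLS. If access is meant to go through nginx or stay on the retiolum interface, drop the direct rules or scope them the way the smbd rule is, e.g. `{ predicate = "-i retiolum -p tcp --dport 6767"; target = "ACCEPT"; } # bazarr`. The comment on the new 443 rule could read `# nginx https` rather than repeating `# nginx web dir`. The rules list and the `services.nginx` block both extend outside the hunks shown.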