From 79a7ab4fd8899e7ac197318bb58a3e04affdf459 Mon Sep 17 00:00:00 2001
From: lassulus <git@lassul.us>
Date: Tue, 21 Feb 2023 11:15:26 +0100
Subject: l yellow.r: move flix to services

---
 lass/1systems/yellow/config.nix | 330 ++--------------------------------------
 1 file changed, 14 insertions(+), 316 deletions(-)

(limited to 'lass/1systems/yellow')

diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix
index ff8189e2..fb28fb02 100644
--- a/lass/1systems/yellow/config.nix
+++ b/lass/1systems/yellow/config.nix
@@ -5,6 +5,7 @@ in {
     <stockholm/lass>
     <stockholm/lass/2configs>
     <stockholm/lass/2configs/retiolum.nix>
+    <stockholm/lass/2configs/services/flix>
   ];
 
   krebs.build.host = config.krebs.hosts.yellow;
@@ -14,281 +15,8 @@ in {
     pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN737BAP36KiZO97mPKTIUGJUcr97ps8zjfFag6cUiYL";
   };
 
-  users.groups.download.members = [ "transmission" ];
-
   networking.useHostResolvConf = false;
   networking.useNetworkd = true;
-  services.transmission = {
-    enable = true;
-    home = "/var/state/transmission";
-    group = "download";
-    downloadDirPermissions = "775";
-    settings = {
-      download-dir = "/var/download/transmission";
-      incomplete-dir-enabled = false;
-      rpc-bind-address = "::";
-      message-level = 1;
-      umask = 18;
-      rpc-whitelist-enabled = false;
-      rpc-host-whitelist-enabled = false;
-    };
-  };
-
-  security.acme.defaults.email = "spam@krebsco.de";
-  security.acme.acceptTerms = true;
-  security.acme.certs."yellow.r".server = config.krebs.ssl.acmeURL;
-  security.acme.certs."jelly.r".server = config.krebs.ssl.acmeURL;
-  security.acme.certs."radar.r".server = config.krebs.ssl.acmeURL;
-  security.acme.certs."sonar.r".server = config.krebs.ssl.acmeURL;
-  security.acme.certs."transmission.r".server = config.krebs.ssl.acmeURL;
-  services.nginx = {
-    enable = true;
-    package = pkgs.nginx.override {
-      modules = with pkgs.nginxModules; [
-        fancyindex
-      ];
-    };
-    virtualHosts."yellow.r" = {
-      default = true;
-      enableACME = true;
-      addSSL = true;
-      locations."/" = {
-        root = "/var/download";
-        extraConfig = ''
-          fancyindex on;
-          fancyindex_footer "/fancy.html";
-          include ${pkgs.nginx}/conf/mime.types;
-          include ${pkgs.writeText "extrMime" ''
-            types {
-              video/webm mkv;
-            }
-          ''};
-          create_full_put_path on;
-        '';
-      };
-      locations."/chatty" = {
-        proxyPass = "http://localhost:3000";
-        extraConfig = ''
-          rewrite /chatty/(.*) /$1  break;
-          proxy_set_header Host $host;
-        '';
-      };
-      locations."= /fancy.html".extraConfig = ''
-        alias ${pkgs.writeText "nginx_footer" ''
-          <div id="mydiv">
-            <!-- Include a header DIV with the same name as the draggable DIV, followed by "header" -->
-            <div id="mydivheader">Click here to move</div>
-              <iframe src="/chatty/index.html"></iframe>
-          </div>
-          <style>
-          #mydiv {
-            position: absolute;
-            z-index: 9;
-            background-color: #f1f1f1;
-            border: 1px solid #d3d3d3;
-            text-align: center;
-          }
-
-          #mydivheader {
-            padding: 10px;
-            cursor: move;
-            z-index: 10;
-            background-color: #2196F3;
-            color: #fff;
-          }
-          </style>
-          <script>
-            // Make the DIV element draggable:
-            dragElement(document.getElementById("mydiv"));
-
-            function dragElement(elmnt) {
-              var pos1 = 0, pos2 = 0, pos3 = 0, pos4 = 0;
-              if (document.getElementById(elmnt.id + "header")) {
-                // if present, the header is where you move the DIV from:
-                document.getElementById(elmnt.id + "header").onmousedown = dragMouseDown;
-              } else {
-                // otherwise, move the DIV from anywhere inside the DIV:
-                elmnt.onmousedown = dragMouseDown;
-              }
-
-              function dragMouseDown(e) {
-                e = e || window.event;
-                e.preventDefault();
-                // get the mouse cursor position at startup:
-                pos3 = e.clientX;
-                pos4 = e.clientY;
-                document.onmouseup = closeDragElement;
-                // call a function whenever the cursor moves:
-                document.onmousemove = elementDrag;
-              }
-
-              function elementDrag(e) {
-                e = e || window.event;
-                e.preventDefault();
-                // calculate the new cursor position:
-                pos1 = pos3 - e.clientX;
-                pos2 = pos4 - e.clientY;
-                pos3 = e.clientX;
-                pos4 = e.clientY;
-                // set the element's new position:
-                elmnt.style.top = (elmnt.offsetTop - pos2) + "px";
-                elmnt.style.left = (elmnt.offsetLeft - pos1) + "px";
-              }
-
-              function closeDragElement() {
-                // stop moving when mouse button is released:
-                document.onmouseup = null;
-                document.onmousemove = null;
-              }
-            }
-          </script>
-        ''};
-      '';
-    };
-    virtualHosts."jelly.r" = {
-      enableACME = true;
-      addSSL = true;
-      locations."/".extraConfig = ''
-        proxy_pass http://localhost:8096/;
-        proxy_set_header Accept-Encoding "";
-      '';
-    };
-    virtualHosts."transmission.r" = {
-      enableACME = true;
-      addSSL = true;
-      locations."/".extraConfig = ''
-        proxy_pass http://localhost:9091/;
-        proxy_set_header Accept-Encoding "";
-      '';
-    };
-    virtualHosts."radar.r" = {
-      enableACME = true;
-      addSSL = true;
-      locations."/" = {
-        proxyWebsockets = true;
-        proxyPass = "http://localhost:7878";
-      };
-    };
-    virtualHosts."sonar.r" = {
-      enableACME = true;
-      addSSL = true;
-      locations."/" = {
-        proxyWebsockets = true;
-        proxyPass = "http://localhost:8989";
-      };
-    };
-  };
-
-  services.samba = {
-    enable = true;
-    enableNmbd = false;
-    extraConfig = ''
-      workgroup = WORKGROUP
-      server string = ${config.networking.hostName}
-      # only allow retiolum addresses
-      hosts allow = 42::/16 10.243.0.0/16 10.244.0.0/16
-
-      # Use sendfile() for performance gain
-      use sendfile = true
-
-      # No NetBIOS is needed
-      disable netbios = true
-
-      # Only mangle non-valid NTFS names, don't care about DOS support
-      mangled names = illegal
-
-      # Performance optimizations
-      socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
-
-      # Disable all printing
-      load printers = false
-      disable spoolss = true
-      printcap name = /dev/null
-
-      map to guest = Bad User
-      max log size = 50
-      dns proxy = no
-      security = user
-
-      [global]
-      syslog only = yes
-    '';
-    shares.public = {
-      comment = "Warez";
-      path = "/var/download";
-      public = "yes";
-      "only guest" = "yes";
-      "create mask" = "0644";
-      "directory mask" = "2777";
-      writable = "no";
-      printable = "no";
-    };
-  };
-
-  systemd.services.bruellwuerfel =
-  let
-    bruellwuerfelSrc = pkgs.fetchFromGitHub {
-      owner = "krebs";
-      repo = "bruellwuerfel";
-      rev = "dc73adf69249fb63a4b024f1f3fbc9e541b27015";
-      sha256 = "078jp1gbavdp8lnwa09xa5m6bbbd05fi4x5ldkkgin5z04hwlhmd";
-    };
-  in {
-    wantedBy = [ "multi-user.target" ];
-    environment = {
-      IRC_CHANNEL = "#flix";
-      IRC_NICK = "bruelli";
-      IRC_SERVER = "irc.r";
-      IRC_HISTORY_FILE = "/tmp/bruelli.history";
-    };
-    serviceConfig = {
-      ExecStart = "${pkgs.deno}/bin/deno run -A ${bruellwuerfelSrc}/src/index.ts";
-    };
-  };
-
-  krebs.iptables = {
-    enable = true;
-    tables.filter.INPUT.rules = [
-      { predicate = "-p tcp --dport 80"; target = "ACCEPT"; } # nginx web dir
-      { predicate = "-p tcp --dport 443"; target = "ACCEPT"; } # nginx web dir
-      { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } # transmission-web
-      { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
-      { predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
-      { predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin
-      { predicate = "-p tcp --dport 9696"; target = "ACCEPT"; } # prowlarr
-      { predicate = "-p tcp --dport 8989"; target = "ACCEPT"; } # sonarr
-      { predicate = "-p tcp --dport 7878"; target = "ACCEPT"; } # radarr
-      { predicate = "-p tcp --dport 6767"; target = "ACCEPT"; } # bazarr
-
-      # smbd
-      { predicate = "-i retiolum -p tcp --dport 445"; target = "ACCEPT"; }
-      { predicate = "-i retiolum -p tcp --dport 111"; target = "ACCEPT"; }
-      { predicate = "-i retiolum -p udp --dport 111"; target = "ACCEPT"; }
-      { predicate = "-i retiolum -p tcp --dport 2049"; target = "ACCEPT"; }
-      { predicate = "-i retiolum -p udp --dport 2049"; target = "ACCEPT"; }
-      { predicate = "-i retiolum -p tcp --dport 4000:4002"; target = "ACCEPT"; }
-      { predicate = "-i retiolum -p udp --dport 4000:4002"; target = "ACCEPT"; }
-      { predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; }
-      { predicate = "-i wiregrill -p tcp --dport 111"; target = "ACCEPT"; }
-      { predicate = "-i wiregrill -p udp --dport 111"; target = "ACCEPT"; }
-      { predicate = "-i wiregrill -p tcp --dport 2049"; target = "ACCEPT"; }
-      { predicate = "-i wiregrill -p udp --dport 2049"; target = "ACCEPT"; }
-      { predicate = "-i wiregrill -p tcp --dport 4000:4002"; target = "ACCEPT"; }
-      { predicate = "-i wiregrill -p udp --dport 4000:4002"; target = "ACCEPT"; }
-    ];
-    tables.filter.OUTPUT = {
-      policy = "DROP";
-      rules = [
-        { predicate = "-o lo"; target = "ACCEPT"; }
-        { v6 = false; predicate = "-d ${vpnIp}/32"; target = "ACCEPT"; }
-        { predicate = "-o tun0"; target = "ACCEPT"; }
-        { predicate = "-o retiolum"; target = "ACCEPT"; }
-        { v6 = false; predicate = "-d 1.1.1.1/32"; target = "ACCEPT"; }
-        { v6 = false; predicate = "-d 1.0.0.1/32"; target = "ACCEPT"; }
-        { v6 = false; predicate = "-o eth0 -d 10.233.2.0/24"; target = "ACCEPT"; }
-      ];
-    };
-  };
 
   services.openvpn.servers.nordvpn.config = ''
     client
@@ -375,49 +103,19 @@ in {
     </tls-auth>
   '';
 
-  systemd.services.flix-index = {
-    wantedBy = [ "multi-user.target" ];
-    path = [
-      pkgs.coreutils
-      pkgs.findutils
-      pkgs.inotify-tools
-    ];
-    serviceConfig = {
-      Restart = "always";
-      ExecStart = pkgs.writers.writeDash "flix-index" ''
-        set -efu
-
-        DIR=/var/download
-        cd "$DIR"
-        while inotifywait -rq -e create -e move -e delete "$DIR"; do
-          find . -type f > "$DIR"/index.tmp
-          mv "$DIR"/index.tmp "$DIR"/index
-        done
-      '';
-    };
-  };
-
-  services.jellyfin = {
-    enable = true;
-    group = "download";
-  };
-
-  services.radarr = {
-    enable = true;
-    group = "download";
-  };
-
-  services.sonarr = {
-    enable = true;
-    group = "download";
-  };
-
-  services.prowlarr = {
-    enable = true;
-  };
-
-  services.bazarr = {
+  krebs.iptables = {
     enable = true;
-    group = "download";
+    tables.filter.OUTPUT = {
+      policy = "DROP";
+      rules = [
+        { predicate = "-o lo"; target = "ACCEPT"; }
+        { v6 = false; predicate = "-d ${vpnIp}/32"; target = "ACCEPT"; }
+        { predicate = "-o tun0"; target = "ACCEPT"; }
+        { predicate = "-o retiolum"; target = "ACCEPT"; }
+        { v6 = false; predicate = "-d 1.1.1.1/32"; target = "ACCEPT"; }
+        { v6 = false; predicate = "-d 1.0.0.1/32"; target = "ACCEPT"; }
+        { v6 = false; predicate = "-o eth0 -d 10.233.2.0/24"; target = "ACCEPT"; }
+      ];
+    };
   };
 }
-- 
cgit v1.2.3