From 2a7501b66ccb71d30dc65f76a0a8d46daa88efe0 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 6 Feb 2023 12:46:49 +0100 Subject: l aergia.r: connect to c-base vpn --- lass/1systems/aergia/config.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/1systems') diff --git a/lass/1systems/aergia/config.nix b/lass/1systems/aergia/config.nix index ed5bbcf12..af88a0260 100644 --- a/lass/1systems/aergia/config.nix +++ b/lass/1systems/aergia/config.nix @@ -26,6 +26,7 @@ + ]; system.stateVersion = "22.11"; -- cgit v1.2.3 From 278e6c354a7f5b19465641144784c5e22a01c4db Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 6 Feb 2023 12:49:09 +0100 Subject: l aergia.r: add more power managment stuff --- lass/1systems/aergia/physical.nix | 49 ++++++++++++++++++++++++++++++++++----- 1 file changed, 43 insertions(+), 6 deletions(-) (limited to 'lass/1systems') diff --git a/lass/1systems/aergia/physical.nix b/lass/1systems/aergia/physical.nix index de5f7540e..6200bbfc5 100644 --- a/lass/1systems/aergia/physical.nix +++ b/lass/1systems/aergia/physical.nix 
@@ -20,15 +20,37 @@ boot.kernelParams = [ # Enable energy savings during sleep "mem_sleep_default=deep" - "initcall_blacklist=acpi_cpufreq_init" + + "amd_pstate=passive" # for ryzenadj -i "iomem=relaxed" ]; - # Enables the amd cpu scaling https://www.kernel.org/doc/html/latest/admin-guide/pm/amd-pstate.html - # On recent AMD CPUs this can be more energy efficient. - boot.kernelModules = [ "amd-pstate" "kvm-amd" ]; + boot.kernelModules = [ + # Enables the amd cpu scaling https://www.kernel.org/doc/html/latest/admin-guide/pm/amd-pstate.html + # On recent AMD CPUs this can be more energy efficient. + "amd-pstate" + "kvm-amd" + + # needed for zenstates + "msr" + + # zenpower + "zenpower" + ]; + + boot.extraModulePackages = [ + (config.boot.kernelPackages.zenpower.overrideAttrs (old: { + src = pkgs.fetchFromGitea { + domain = "git.exozy.me"; + owner = "a"; + repo = "zenpower3"; + rev = "c176fdb0d5bcba6ba2aba99ea36812e40f47751f"; + hash = "sha256-d2WH8Zv7F0phZmEKcDiaak9On+Mo9bAFhMulT/N5FWI="; + }; + })) + ]; # hardware.cpu.amd.updateMicrocode = true; @@ -36,7 +58,16 @@ "amdgpu" ]; - boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.availableKernelModules = [ + "nvme" + "thunderbolt" + "xhci_pci" + "usbhid" + ]; + + boot.initrd.kernelModules = [ + "amdgpu" + ]; environment.systemPackages = [ pkgs.vulkan-tools @@ -54,7 +85,13 @@ hardware.video.hidpi.enable = lib.mkDefault true; # corectrl - programs.corectrl.enable = true; + programs.corectrl = { + enable = true; + gpuOverclock = { + enable = true; + ppfeaturemask = "0xffffffff"; + }; + }; users.users.mainUser.extraGroups = [ "corectrl" ]; # use newer ryzenadj -- cgit v1.2.3 From f4c679dd918e23459a590099bcf6c1847afdfb02 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 6 Feb 2023 12:50:00 +0100 Subject: l aergia.r: fix xmodmap not running on startup --- lass/1systems/aergia/physical.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass/1systems') 
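Review bot: The `zenpower` override in the new `boot.extraModulePackages` swaps the nixpkgs source for a third-party fork (`git.exozy.me`, owner `a`, repo `zenpower3`), and since this is an out-of-tree kernel module that fork's code ends up running in the kernel; the `rev` plus `hash` pin keeps the build reproducible, but nothing says why the fork is needed or how it should be re-verified on a bump. Add a comment above the override such as `# third-party zenpower3 fork (git.exozy.me/a): needed because <reason>; pinned by rev+hash, recompute the hash whenever rev changes`. The added `"msr"` module creates `/dev/cpu/*/msr`, which is root-only by default, but next to the existing `iomem=relaxed` param it further widens what a root process can write to raw hardware, so a note that zenstates is the only intended consumer would help the next reader. The `boot.kernelParams` list this hunk edits begins before the hunk.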
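Review bot: `ppfeaturemask = "0xffffffff"` turns on every amdgpu power-play feature bit, and because `users.users.mainUser.extraGroups = [ "corectrl" ]` on the context line below lets that user drive corectrl, an unprivileged desktop session can now change GPU clocks and voltages, which can physically damage the hardware. If only fan and clock control is wanted, check whether the NixOS module's less permissive default mask already suffices and drop the explicit value; otherwise keep it with a why-comment, e.g. `# full ppfeaturemask on purpose: voltage/overdrive control for this laptop; anyone in the corectrl group can change it`. A bare magic constant on a setting with hardware-safety implications is the part I would not leave as is.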
diff --git a/lass/1systems/aergia/physical.nix b/lass/1systems/aergia/physical.nix index 6200bbfc5..93bf2a32e 100644 --- a/lass/1systems/aergia/physical.nix +++ b/lass/1systems/aergia/physical.nix @@ -109,7 +109,7 @@ # keyboard quirks services.xserver.displayManager.sessionCommands = '' - xmodmap -e 'keycode 96 = F12 Insert F12 F12' # rebind shift + F12 to shift + insert + ${pkgs.xorg.xmodmap}/bin/xmodmap -e 'keycode 96 = F12 Insert F12 F12' # rebind shift + F12 to shift + insert ''; services.udev.extraHwdb = /* sh */ '' # disable back buttons -- cgit v1.2.3 From ff76a04ea6b06f79ae33fdbfbd4892b0e89d6106 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 6 Feb 2023 12:50:33 +0100 Subject: l aergia.r: enable microcode updates --- lass/1systems/aergia/physical.nix | 3 +++ 1 file changed, 3 insertions(+) (limited to 'lass/1systems') diff --git a/lass/1systems/aergia/physical.nix b/lass/1systems/aergia/physical.nix index 93bf2a32e..44bd53c22 100644 --- a/lass/1systems/aergia/physical.nix +++ b/lass/1systems/aergia/physical.nix @@ -120,4 +120,7 @@ # ignore power key services.logind.extraConfig = "HandlePowerKey=ignore"; + + # update cpu microcode + hardware.cpu.amd.updateMicrocode = true; } -- cgit v1.2.3 From 7eb5804cf7c6f4ee18da4de5e42d0b0df3b849f7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 6 Feb 2023 12:51:57 +0100 Subject: l green.r: create ~/.config --- lass/1systems/green/config.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/1systems') diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix index 077f7b3fa..c232be9bd 100644 --- a/lass/1systems/green/config.nix +++ b/lass/1systems/green/config.nix @@ -35,6 +35,7 @@ with import ; systemd.tmpfiles.rules = [ "d /home/lass/.local/share 0700 lass users -" "d /home/lass/.local 0700 lass users -" + "d /home/lass/.config 0700 lass users -" "d /var/state/lass_mail 0700 lass users -" "L+ /home/lass/Maildir - - - - ../../var/state/lass_mail" -- cgit v1.2.3 
From fd67132ada8f32c8fde5c0342edc2940926d7abd Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 6 Feb 2023 12:58:32 +0100 Subject: l lasspi.r: fix booting with 22.05 --- lass/1systems/lasspi/config.nix | 5 ++--- lass/1systems/lasspi/physical.nix | 21 ++++++++++++--------- 2 files changed, 14 insertions(+), 12 deletions(-) (limited to 'lass/1systems') diff --git a/lass/1systems/lasspi/config.nix b/lass/1systems/lasspi/config.nix index 9f823dfc8..d2207627d 100644 --- a/lass/1systems/lasspi/config.nix +++ b/lass/1systems/lasspi/config.nix @@ -1,4 +1,3 @@ -with import ; { config, lib, pkgs, ... }: let in @@ -18,9 +17,9 @@ in }; environment.systemPackages = with pkgs; [ vim - rxvt_unicode.terminfo + rxvt-unicode-unwrapped.terminfo ]; services.openssh.enable = true; - system.stateVersion = "21.05"; + system.stateVersion = "22.05"; } diff --git a/lass/1systems/lasspi/physical.nix b/lass/1systems/lasspi/physical.nix index 868bafad5..07efb5ca5 100644 --- a/lass/1systems/lasspi/physical.nix +++ b/lass/1systems/lasspi/physical.nix @@ -1,15 +1,14 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, modulesPath, ... }: { - # This configuration worked on 09-03-2021 nixos-unstable @ commit 102eb68ceec - # The image used https://hydra.nixos.org/build/134720986 imports = [ + (modulesPath + "/installer/scan/not-detected.nix") ./config.nix ]; boot = { # kernelPackages = pkgs.linuxPackages_rpi4; tmpOnTmpfs = true; - initrd.availableKernelModules = [ "usbhid" "usb_storage" ]; + initrd.availableKernelModules = [ "usbhid" "usb_storage" "xhci_pci" ]; # ttyAMA0 is the serial console broken out to the GPIO kernelParams = [ "8250.nr_uarts=1" 
@@ -20,19 +19,23 @@ ]; }; - boot.loader.raspberryPi = { - enable = true; - version = 4; - }; + # boot.loader.raspberryPi = { + # enable = true; + # version = 4; + # # uboot.enable = true; + # }; boot.loader.grub.enable = false; + boot.loader.generic-extlinux-compatible.enable = true; # Required for the Wireless firmware hardware.enableRedistributableFirmware = true; + networking.interfaces.eth0.useDHCP = true; + # Assuming this is installed on top of the disk image. fileSystems = { "/" = { - device = "/dev/disk/by-label/NIXOS_SD"; + device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; fsType = "ext4"; options = [ "noatime" ]; }; -- cgit v1.2.3 From 5b768d2b0050507037584f3b7f4a5cf90d627c57 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 8 Feb 2023 15:01:37 +0100 Subject: l aergia.r: add suspend to disk --- lass/1systems/aergia/physical.nix | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'lass/1systems') diff --git a/lass/1systems/aergia/physical.nix b/lass/1systems/aergia/physical.nix index 44bd53c22..0e5a88aa1 100644 --- a/lass/1systems/aergia/physical.nix +++ b/lass/1systems/aergia/physical.nix @@ -25,6 +25,9 @@ # for ryzenadj -i "iomem=relaxed" + + # suspend + "resume_offset=178345675" ]; boot.kernelModules = [ @@ -119,8 +122,17 @@ ''; # ignore power key - services.logind.extraConfig = "HandlePowerKey=ignore"; # update cpu microcode hardware.cpu.amd.updateMicrocode = true; + + # suspend to disk + swapDevices = [{ + device = "/swapfile"; + }]; + boot.resumeDevice = "/dev/mapper/aergia1"; + services.logind.lidSwitch = "suspend-then-hibernate"; + services.logind.extraConfig = '' + HandlePowerKey=hibernate + ''; } -- cgit v1.2.3 From f62711abe3e627bc4d66a5cc9226ecf87f71feea Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 12 Feb 2023 14:24:43 +0100 Subject: l neoprism.r: add hotdog sync-container --- lass/1systems/neoprism/config.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/1systems') 
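Review bot: `resume_offset=178345675` in the first hunk and the `/swapfile` + `boot.resumeDevice = "/dev/mapper/aergia1"` lines in the second only work together, yet nothing records where the offset came from or that the swapfile must already exist (the `swapDevices` entry has no `size`, so NixOS will not create it). The hibernation image is a copy of RAM; it is protected at rest only because the swapfile sits on the dm-mapped (presumably LUKS; disk.nix is not visible here) device, so add a comment above `swapDevices` such as `# hibernation: /swapfile on the encrypted aergia1 mapping; resume_offset in kernelParams comes from filefrag -v /swapfile and must be regenerated if the file is recreated`. With `suspend-then-hibernate` and `HandlePowerKey=hibernate` now the defaults, a stale offset would presumably just fall through to a cold boot and silently lose the session, so keeping the two settings adjacent, or deriving the offset in one place, is worth considering.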
diff --git a/lass/1systems/neoprism/config.nix b/lass/1systems/neoprism/config.nix index 7f6be782e..be80e28da 100644 --- a/lass/1systems/neoprism/config.nix +++ b/lass/1systems/neoprism/config.nix @@ -10,6 +10,7 @@ + # other containers -- cgit v1.2.3 From 6820fe02f6666df1d58ef7c94eb5c29e5ff508bf Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 16 Feb 2023 13:58:10 +0100 Subject: l mumble-reminder: prism.r -> orange.r --- lass/1systems/orange/config.nix | 1 + lass/1systems/prism/config.nix | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) (limited to 'lass/1systems') diff --git a/lass/1systems/orange/config.nix b/lass/1systems/orange/config.nix index 3bc20878e..5e975dba8 100644 --- a/lass/1systems/orange/config.nix +++ b/lass/1systems/orange/config.nix @@ -5,6 +5,7 @@ with import ; + ]; krebs.build.host = config.krebs.hosts.orange; diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index bcc8c1a08..f23778eba 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -137,7 +137,6 @@ with import ; - { services.tor = { -- cgit v1.2.3 From 92cfeace5435e09b203a1e4f91eee28bd5d198ce Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 19 Feb 2023 10:01:55 +0100 Subject: l aergia.r: add antimicrox for gamepad mouse mode --- lass/1systems/aergia/physical.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/1systems') diff --git a/lass/1systems/aergia/physical.nix b/lass/1systems/aergia/physical.nix index 0e5a88aa1..0786acbe1 100644 --- a/lass/1systems/aergia/physical.nix +++ b/lass/1systems/aergia/physical.nix @@ -3,6 +3,7 @@ imports = [ ./config.nix (modulesPath + "/installer/scan/not-detected.nix") + ]; disko.devices = import ./disk.nix; -- cgit v1.2.3 From 0ea072393307e5cd250b412dd0026bf8f6f1251b Mon Sep 17 00:00:00 2001 
From: lassulus Date: Tue, 21 Feb 2023 07:35:27 +0100 Subject: l browsers: use firefox directly, RIP xjails --- lass/1systems/aergia/config.nix | 5 ----- lass/1systems/coaxmetal/config.nix | 6 ------ 2 files changed, 11 deletions(-) (limited to 'lass/1systems') diff --git a/lass/1systems/aergia/config.nix b/lass/1systems/aergia/config.nix index af88a0260..6992db4a5 100644 --- a/lass/1systems/aergia/config.nix +++ b/lass/1systems/aergia/config.nix @@ -48,11 +48,6 @@ }; hardware.pulseaudio.package = pkgs.pulseaudioFull; - lass.browser.config = { - fy = { browser = "chromium"; groups = [ "audio" "video" ]; hidden = true; }; - qt = { browser = "qutebrowser"; groups = [ "audio" "video" ]; hidden = true; }; - }; - nix.trustedUsers = [ "root" "lass" ]; # nix.extraOptions = '' diff --git a/lass/1systems/coaxmetal/config.nix b/lass/1systems/coaxmetal/config.nix index 2c88b68cc..1df56f591 100644 --- a/lass/1systems/coaxmetal/config.nix +++ b/lass/1systems/coaxmetal/config.nix @@ -54,12 +54,6 @@ }; hardware.pulseaudio.package = pkgs.pulseaudioFull; - lass.browser.config = { - dc = { browser = "chromium"; groups = [ "audio" "video" ]; hidden = true; }; - ff = { browser = "firefox"; groups = [ "audio" "video" ]; hidden = true; }; - fy = { browser = "chromium"; groups = [ "audio" "video" ]; hidden = true; }; - }; - nix.trustedUsers = [ "root" "lass" ]; services.tor = { -- cgit v1.2.3 From cae7c2673f6ca0d22884543a0f23b24842075acd Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 21 Feb 2023 07:56:25 +0100 Subject: l aergia.r: use better touchscreen support for firefox --- lass/1systems/aergia/physical.nix | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'lass/1systems') diff --git a/lass/1systems/aergia/physical.nix b/lass/1systems/aergia/physical.nix index 0786acbe1..023639083 100644 --- a/lass/1systems/aergia/physical.nix +++ b/lass/1systems/aergia/physical.nix 
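Review bot: Removing `lass.browser.config` drops the per-browser separation that gave each profile its own `groups`/`hidden` entry, and on both hosts the very next context line is `nix.trustedUsers = [ "root" "lass" ];`, so the browser now presumably runs directly as a user the nix daemon trusts (effectively root-equivalent through daemon options such as substituters and sandbox settings). The replacement Firefox setup is not part of this diff, so I cannot tell whether another sandbox takes over; if none does, document the accepted risk next to the trustedUsers line, e.g. `# browsers run unsandboxed as lass since xjails were dropped; lass is a nix trusted user`, or keep day-to-day browsing off a trusted account. The enclosing attribute set continues outside both hunks.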
@@ -22,6 +22,7 @@ # Enable energy savings during sleep "mem_sleep_default=deep" + # use less power with pstate "amd_pstate=passive" # for ryzenadj -i @@ -136,4 +137,7 @@ services.logind.extraConfig = '' HandlePowerKey=hibernate ''; + + # firefox touchscreen support + environment.sessionVariables.MOZ_USE_XINPUT2 = "1"; } -- cgit v1.2.3 From 5bab00f73d27a96f6ce319040b69e4d83a81e52a Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 21 Feb 2023 10:10:53 +0100 Subject: l radio: move to 2/services --- lass/1systems/neoprism/config.nix | 2 +- lass/1systems/radio/config.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'lass/1systems') diff --git a/lass/1systems/neoprism/config.nix b/lass/1systems/neoprism/config.nix index be80e28da..4c9455356 100644 --- a/lass/1systems/neoprism/config.nix +++ b/lass/1systems/neoprism/config.nix @@ -8,7 +8,7 @@ # sync-containers - + diff --git a/lass/1systems/radio/config.nix b/lass/1systems/radio/config.nix index 5e34335d3..00e9bd3fe 100644 --- a/lass/1systems/radio/config.nix +++ b/lass/1systems/radio/config.nix @@ -7,7 +7,7 @@ with import ; - + ]; krebs.build.host = config.krebs.hosts.radio; -- cgit v1.2.3 From 6624d3aab64adcc4f8e1bf8393859fc4769e5ed2 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 21 Feb 2023 10:19:00 +0100 Subject: l neoprism.r: serve radio.lassul.us --- lass/1systems/neoprism/config.nix | 3 +++ 1 file changed, 3 insertions(+) (limited to 'lass/1systems') diff --git a/lass/1systems/neoprism/config.nix b/lass/1systems/neoprism/config.nix index 4c9455356..8af63ee59 100644 --- a/lass/1systems/neoprism/config.nix +++ b/lass/1systems/neoprism/config.nix @@ -14,6 +14,9 @@ # other containers + + # proxying of services + ]; krebs.build.host = config.krebs.hosts.neoprism; -- cgit v1.2.3 From 79a7ab4fd8899e7ac197318bb58a3e04affdf459 Mon Sep 17 00:00:00 2001 
From: lassulus Date: Tue, 21 Feb 2023 11:15:26 +0100 Subject: l yellow.r: move flix to services --- lass/1systems/neoprism/config.nix | 3 +- lass/1systems/yellow/config.nix | 330 ++------------------------------------ 2 files changed, 16 insertions(+), 317 deletions(-) (limited to 'lass/1systems') diff --git a/lass/1systems/neoprism/config.nix b/lass/1systems/neoprism/config.nix index 8af63ee59..72de0df83 100644 --- a/lass/1systems/neoprism/config.nix +++ b/lass/1systems/neoprism/config.nix @@ -7,7 +7,7 @@ # sync-containers - + @@ -17,6 +17,7 @@ # proxying of services + ]; krebs.build.host = config.krebs.hosts.neoprism; diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix index ff8189e24..fb28fb029 100644 --- a/lass/1systems/yellow/config.nix +++ b/lass/1systems/yellow/config.nix @@ -5,6 +5,7 @@ in { + ]; krebs.build.host = config.krebs.hosts.yellow; 
@@ -14,281 +15,8 @@ in { pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN737BAP36KiZO97mPKTIUGJUcr97ps8zjfFag6cUiYL"; }; - users.groups.download.members = [ "transmission" ]; - networking.useHostResolvConf = false; networking.useNetworkd = true; - services.transmission = { - enable = true; - home = "/var/state/transmission"; - group = "download"; - downloadDirPermissions = "775"; - settings = { - download-dir = "/var/download/transmission"; - incomplete-dir-enabled = false; - rpc-bind-address = "::"; - message-level = 1; - umask = 18; - rpc-whitelist-enabled = false; - rpc-host-whitelist-enabled = false; - }; - }; - - security.acme.defaults.email = "spam@krebsco.de"; - security.acme.acceptTerms = true; - security.acme.certs."yellow.r".server = config.krebs.ssl.acmeURL; - security.acme.certs."jelly.r".server = config.krebs.ssl.acmeURL; - security.acme.certs."radar.r".server = config.krebs.ssl.acmeURL; - security.acme.certs."sonar.r".server = config.krebs.ssl.acmeURL; - security.acme.certs."transmission.r".server = config.krebs.ssl.acmeURL; - services.nginx = { - enable = true; - package = pkgs.nginx.override { - modules = with pkgs.nginxModules; [ - fancyindex - ]; - }; - virtualHosts."yellow.r" = { - default = true; - enableACME = true; - addSSL = true; - locations."/" = { - root = "/var/download"; - extraConfig = '' - fancyindex on; - fancyindex_footer "/fancy.html"; - include ${pkgs.nginx}/conf/mime.types; - include ${pkgs.writeText "extrMime" '' - types { - video/webm mkv; - } - ''}; - create_full_put_path on; - ''; - }; - locations."/chatty" = { - proxyPass = "http://localhost:3000"; - extraConfig = '' - rewrite /chatty/(.*) /$1 break; - proxy_set_header Host $host; - ''; - }; - locations."= /fancy.html".extraConfig = '' - alias ${pkgs.writeText "nginx_footer" '' -
- -
Click here to move
- -
- - - ''}; - ''; - }; - virtualHosts."jelly.r" = { - enableACME = true; - addSSL = true; - locations."/".extraConfig = '' - proxy_pass http://localhost:8096/; - proxy_set_header Accept-Encoding ""; - ''; - }; - virtualHosts."transmission.r" = { - enableACME = true; - addSSL = true; - locations."/".extraConfig = '' - proxy_pass http://localhost:9091/; - proxy_set_header Accept-Encoding ""; - ''; - }; - virtualHosts."radar.r" = { - enableACME = true; - addSSL = true; - locations."/" = { - proxyWebsockets = true; - proxyPass = "http://localhost:7878"; - }; - }; - virtualHosts."sonar.r" = { - enableACME = true; - addSSL = true; - locations."/" = { - proxyWebsockets = true; - proxyPass = "http://localhost:8989"; - }; - }; - }; - - services.samba = { - enable = true; - enableNmbd = false; - extraConfig = '' - workgroup = WORKGROUP - server string = ${config.networking.hostName} - # only allow retiolum addresses - hosts allow = 42::/16 10.243.0.0/16 10.244.0.0/16 - - # Use sendfile() for performance gain - use sendfile = true - - # No NetBIOS is needed - disable netbios = true - - # Only mangle non-valid NTFS names, don't care about DOS support - mangled names = illegal - - # Performance optimizations - socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536 - - # Disable all printing - load printers = false - disable spoolss = true - printcap name = /dev/null - - map to guest = Bad User - max log size = 50 - dns proxy = no - security = user - - [global] - syslog only = yes - ''; - shares.public = { - comment = "Warez"; - path = "/var/download"; - public = "yes"; - "only guest" = "yes"; - "create mask" = "0644"; - "directory mask" = "2777"; - writable = "no"; - printable = "no"; - }; - }; - - systemd.services.bruellwuerfel = - let - bruellwuerfelSrc = pkgs.fetchFromGitHub { - owner = "krebs"; - repo = "bruellwuerfel"; - rev = "dc73adf69249fb63a4b024f1f3fbc9e541b27015"; - sha256 = "078jp1gbavdp8lnwa09xa5m6bbbd05fi4x5ldkkgin5z04hwlhmd"; - }; - in { - 
wantedBy = [ "multi-user.target" ]; - environment = { - IRC_CHANNEL = "#flix"; - IRC_NICK = "bruelli"; - IRC_SERVER = "irc.r"; - IRC_HISTORY_FILE = "/tmp/bruelli.history"; - }; - serviceConfig = { - ExecStart = "${pkgs.deno}/bin/deno run -A ${bruellwuerfelSrc}/src/index.ts"; - }; - }; - - krebs.iptables = { - enable = true; - tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 80"; target = "ACCEPT"; } # nginx web dir - { predicate = "-p tcp --dport 443"; target = "ACCEPT"; } # nginx web dir - { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } # transmission-web - { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } # transmission-traffic - { predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic - { predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin - { predicate = "-p tcp --dport 9696"; target = "ACCEPT"; } # prowlarr - { predicate = "-p tcp --dport 8989"; target = "ACCEPT"; } # sonarr - { predicate = "-p tcp --dport 7878"; target = "ACCEPT"; } # radarr - { predicate = "-p tcp --dport 6767"; target = "ACCEPT"; } # bazarr - - # smbd - { predicate = "-i retiolum -p tcp --dport 445"; target = "ACCEPT"; } - { predicate = "-i retiolum -p tcp --dport 111"; target = "ACCEPT"; } - { predicate = "-i retiolum -p udp --dport 111"; target = "ACCEPT"; } - { predicate = "-i retiolum -p tcp --dport 2049"; target = "ACCEPT"; } - { predicate = "-i retiolum -p udp --dport 2049"; target = "ACCEPT"; } - { predicate = "-i retiolum -p tcp --dport 4000:4002"; target = "ACCEPT"; } - { predicate = "-i retiolum -p udp --dport 4000:4002"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p tcp --dport 111"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p udp --dport 111"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p tcp --dport 2049"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p udp --dport 2049"; target = "ACCEPT"; } - { 
predicate = "-i wiregrill -p tcp --dport 4000:4002"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p udp --dport 4000:4002"; target = "ACCEPT"; } - ]; - tables.filter.OUTPUT = { - policy = "DROP"; - rules = [ - { predicate = "-o lo"; target = "ACCEPT"; } - { v6 = false; predicate = "-d ${vpnIp}/32"; target = "ACCEPT"; } - { predicate = "-o tun0"; target = "ACCEPT"; } - { predicate = "-o retiolum"; target = "ACCEPT"; } - { v6 = false; predicate = "-d 1.1.1.1/32"; target = "ACCEPT"; } - { v6 = false; predicate = "-d 1.0.0.1/32"; target = "ACCEPT"; } - { v6 = false; predicate = "-o eth0 -d 10.233.2.0/24"; target = "ACCEPT"; } - ]; - }; - }; services.openvpn.servers.nordvpn.config = '' client 
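Review bot: The rule set removed here accepted transmission RPC (9091), jellyfin (8096), prowlarr (9696), sonarr (8989), radarr (7878) and bazarr (6767) on every interface, combined with `rpc-whitelist-enabled = false` and `rpc-bind-address = "::"` for transmission, while only the smbd/nfs rules were scoped to `-i retiolum` / `-i wiregrill`; that exposure is now moving into a services module whose import line was stripped from this rendering, so I cannot see whether it gets tightened there. Wherever the flix stack lands, its INPUT accepts should get the same interface scoping as the smbd rules, and this file would benefit from a pointer near the surviving `networking.useNetworkd = true;` line, e.g. `# transmission/jellyfin/*arr, nginx and samba for yellow live in the flix service module together with their iptables INPUT rules`. The hunk ends inside the openvpn `config` string, which continues past it.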
@@ -375,49 +103,19 @@ in { ''; - systemd.services.flix-index = { - wantedBy = [ "multi-user.target" ]; - path = [ - pkgs.coreutils - pkgs.findutils - pkgs.inotify-tools - ]; - serviceConfig = { - Restart = "always"; - ExecStart = pkgs.writers.writeDash "flix-index" '' - set -efu - - DIR=/var/download - cd "$DIR" - while inotifywait -rq -e create -e move -e delete "$DIR"; do - find . -type f > "$DIR"/index.tmp - mv "$DIR"/index.tmp "$DIR"/index - done - ''; - }; - }; - - services.jellyfin = { - enable = true; - group = "download"; - }; - - services.radarr = { - enable = true; - group = "download"; - }; - - services.sonarr = { - enable = true; - group = "download"; - }; - - services.prowlarr = { - enable = true; - }; - - services.bazarr = { + krebs.iptables = { enable = true; - group = "download"; + tables.filter.OUTPUT = { + policy = "DROP"; + rules = [ + { predicate = "-o lo"; target = "ACCEPT"; } + { v6 = false; predicate = "-d ${vpnIp}/32"; target = "ACCEPT"; } + { predicate = "-o tun0"; target = "ACCEPT"; } + { predicate = "-o retiolum"; target = "ACCEPT"; } + { v6 = false; predicate = "-d 1.1.1.1/32"; target = "ACCEPT"; } + { v6 = false; predicate = "-d 1.0.0.1/32"; target = "ACCEPT"; } + { v6 = false; predicate = "-o eth0 -d 10.233.2.0/24"; target = "ACCEPT"; } + ]; + }; }; } -- cgit v1.2.3 From 222f1e92dbc10aa389f712ae0d345befe4e5423f Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 22 Feb 2023 07:27:10 +0100 Subject: l orange.r: add coms service, proxy via neoprism.r --- lass/1systems/neoprism/config.nix | 2 ++ lass/1systems/prism/config.nix | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'lass/1systems') diff --git a/lass/1systems/neoprism/config.nix b/lass/1systems/neoprism/config.nix index 72de0df83..cc08070af 100644 --- a/lass/1systems/neoprism/config.nix +++ b/lass/1systems/neoprism/config.nix @@ -10,6 +10,7 @@ + # other containers @@ -18,6 +19,7 @@ # proxying of services + ]; krebs.build.host = config.krebs.hosts.neoprism; 
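Review bot: In the relocated OUTPUT kill-switch, the `1.1.1.1/32` and `1.0.0.1/32` accepts are not bound to an interface, so resolver traffic can leave over `eth0` in the clear even while everything else is forced through `tun0`, which leaks which hosts are being looked up; `-d ${vpnIp}/32` is interface-agnostic too, but that one is needed to bring the tunnel up. If the openvpn remote is an IP (the `vpnIp` exception suggests it is), restrict DNS to the tunnel with `{ v6 = false; predicate = "-o tun0 -d 1.1.1.1/32"; target = "ACCEPT"; }` and the same for `1.0.0.1`, or add a comment explaining why pre-tunnel DNS has to be allowed. `vpnIp` is presumably defined in the `let` block above the hunk.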
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index f23778eba..2e82fae6f 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -134,7 +134,7 @@ with import ; - + @@ -280,7 +280,7 @@ with import ; { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT"; } ]; } - + { systemd.services."container@yellow".reloadIfChanged = mkForce false; -- cgit v1.2.3