path: root/lass/1systems/yellow/config.nix
blob: 58fa564a14d868cdacc42ba355f7ffbb768464ab (plain)
with import <stockholm/lib>;
{ config, lib, pkgs, ... }:
# NixOS host configuration for "yellow": a transmission seedbox whose traffic
# is tied to an OpenVPN (NordVPN) unit, with the finished downloads served
# over HTTP by nginx (fancyindex listing + WebDAV write methods).
{
  # Shared base configuration from the stockholm tree (user "lass"), plus
  # the retiolum overlay network.
  imports = [
    <stockholm/lass>
    <stockholm/lass/2configs>
    <stockholm/lass/2configs/retiolum.nix>
  ];

  krebs.build.host = config.krebs.hosts.yellow;

  # Runs at every activation: create the shared download root owned by the
  # "download" user/group and make it group-writable (775).
  system.activationScripts.downloadFolder = ''
    mkdir -p /var/download
    chown download:download /var/download
    chmod 775 /var/download
  '';

  # Dedicated "download" account; genid derives a stable uid from the name.
  users.users.download = { uid = genid "download"; };
  # transmission is a member of the download group, and its primary group is
  # forced to "download" (mkForce overrides whatever the transmission module
  # sets) so files it writes belong to that group.
  users.groups.download.members = [ "transmission" ];
  users.users.transmission.group = mkForce "download";

  # Couple transmission to the VPN unit: it is started after, and stopped
  # together with, openvpn-nordvpn.service (BindsTo semantics).
  # NOTE(review): BindsTo only ties the unit lifecycle; it does not by itself
  # pin transmission's sockets to the tunnel interface. If a leak-free
  # "kill switch" is intended, confirm that routing/firewall policy handles
  # it elsewhere — nothing in this file does.
  systemd.services.transmission.bindsTo = [ "openvpn-nordvpn.service" ];
  systemd.services.transmission.after = [ "openvpn-nordvpn.service" ];
  # Ensure the finished directory is group-writable once transmission is up
  # (the daemon creates it; this fixes up its mode).
  systemd.services.transmission.postStart = ''
    chmod 775 /var/download/finished
  '';
  services.transmission = {
    enable = true;
    settings = {
      download-dir = "/var/download/finished";
      incomplete-dir = "/var/download/incoming";
      incomplete-dir-enable = true;
      # umask 002: new files/directories are group-writable, matching the
      # 775 directories above.
      umask = "002";
      # Both RPC whitelists are disabled, so transmission does not filter RPC
      # clients by source IP or Host header. Combined with the iptables rule
      # below that opens tcp/9091 (transmission's default RPC port; rpc-port
      # is not set here), the RPC interface is reachable from any address
      # that can reach this host. No rpc-authentication-required setting is
      # visible in this file — TODO confirm it is set elsewhere or that the
      # host is only reachable over retiolum.
      rpc-whitelist-enabled = false;
      rpc-host-whitelist-enabled = false;
    };
  };

  services.nginx = {
    enable = true;
    # nginx built with the fancyindex module for themed directory listings.
    package = pkgs.nginx.override {
      modules = with pkgs.nginxModules; [
        fancyindex
      ];
    };
    # "dl" is the default vhost, i.e. it answers for any Host header.
    virtualHosts."dl" = {
      default = true;
      # Static theme assets, fetched from GitHub pinned by commit and
      # content hash (sha256), served from the nix store.
      locations."/Nginx-Fancyindex-Theme-dark" = {
        extraConfig = ''
          alias ${pkgs.fetchFromGitHub {
            owner = "Naereen";
            repo = "Nginx-Fancyindex-Theme";
            rev = "e84f7d6a32085c2b6238f85f5fdebe9ceb710fc4";
            sha256 = "0wzl4ws2w8f0749vxfd1c8c21p3jw463wishgfcmaljbh4dwplg6";
          }}/Nginx-Fancyindex-Theme-dark;
          autoindex on;
        '';
      };
      # Legacy path: permanent redirect to the root listing.
      locations."/dl".extraConfig = ''
        return 301 /;
      '';
      # Root listing of finished downloads. Besides the themed index this
      # enables the WebDAV write methods PUT/DELETE/MKCOL/COPY/MOVE on the
      # whole download tree, with create_full_put_path letting a PUT create
      # intermediate directories; dav_access sets the mode of files nginx
      # creates (world-readable). No auth_basic / allow-deny directive is
      # visible in this block, so writes are as unrestricted as reads —
      # TODO confirm access is limited by the network (retiolum) or by a
      # directive set elsewhere. Whether the nginx worker can actually write
      # to /var/download/finished depends on its group membership, which is
      # not shown here.
      locations."/" = {
        root = "/var/download/finished";
        extraConfig = ''
          fancyindex on;
          fancyindex_header "/Nginx-Fancyindex-Theme-dark/header.html";
          fancyindex_footer "/Nginx-Fancyindex-Theme-dark/footer.html";
          dav_methods PUT DELETE MKCOL COPY MOVE;

          create_full_put_path on;
          dav_access all:r;
        '';
      };
    };
  };

  # Inbound firewall: 80 (nginx), 9091 (transmission RPC, see note above),
  # 51413 tcp+udp (presumably the transmission peer port; peer-port is not
  # set in this file).
  krebs.iptables = {
    enable = true;
    tables.filter.INPUT.rules = [
      { predicate = "-p tcp --dport 80"; target = "ACCEPT"; }
      { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; }
      { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; }
      { predicate = "-p udp --dport 51413"; target = "ACCEPT"; }
    ];
  };

  # OpenVPN client profile for the "nordvpn" unit that transmission binds to.
  # Credentials: `toString <secrets/nordvpn.txt>` yields the path as a plain
  # string, so the file is read at runtime by openvpn rather than being
  # copied into the world-readable nix store (string interpolation of the
  # bare path would copy it). remote-cert-tls server makes the client verify
  # the peer certificate is a server certificate, and the inline <ca> pins
  # the issuing CA.
  # NOTE(review): the <tls-auth> static key is committed inline; it is
  # presumably the provider-distributed value from the NordVPN config
  # bundle, but it is still pre-shared key material checked into the repo —
  # confirm this is intended.
  services.openvpn.servers.nordvpn.config = ''
    client
    dev tun
    proto udp
    remote 82.102.16.229 1194
    resolv-retry infinite
    remote-random
    nobind
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    persist-key
    persist-tun
    ping 15
    ping-restart 0
    ping-timer-rem
    reneg-sec 0
    comp-lzo no

    explicit-exit-notify 3

    remote-cert-tls server

    #mute 10000
    auth-user-pass ${toString <secrets/nordvpn.txt>}

    verb 3
    pull
    fast-io
    cipher AES-256-CBC
    auth SHA512

    <ca>
    -----BEGIN CERTIFICATE-----
    MIIEyjCCA7KgAwIBAgIJANIxRSmgmjW6MA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
    VQQGEwJQQTELMAkGA1UECBMCUEExDzANBgNVBAcTBlBhbmFtYTEQMA4GA1UEChMH
    Tm9yZFZQTjEQMA4GA1UECxMHTm9yZFZQTjEaMBgGA1UEAxMRZGUyMjkubm9yZHZw
    bi5jb20xEDAOBgNVBCkTB05vcmRWUE4xHzAdBgkqhkiG9w0BCQEWEGNlcnRAbm9y
    ZHZwbi5jb20wHhcNMTcxMTIyMTQ1MTQ2WhcNMjcxMTIwMTQ1MTQ2WjCBnjELMAkG
    A1UEBhMCUEExCzAJBgNVBAgTAlBBMQ8wDQYDVQQHEwZQYW5hbWExEDAOBgNVBAoT
    B05vcmRWUE4xEDAOBgNVBAsTB05vcmRWUE4xGjAYBgNVBAMTEWRlMjI5Lm5vcmR2
    cG4uY29tMRAwDgYDVQQpEwdOb3JkVlBOMR8wHQYJKoZIhvcNAQkBFhBjZXJ0QG5v
    cmR2cG4uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv++dfZlG
    UeFF2sGdXjbreygfo78Ujti6X2OiMDFnwgqrhELstumXl7WrFf5EzCYbVriNuUny
    mNCx3OxXxw49xvvg/KplX1CE3rKBNnzbeaxPmeyEeXe+NgA7rwOCbYPQJScFxK7X
    +D16ZShY25GyIG7hqFGML0Qz6gpZRGaHSd0Lc3wSgoLzGtsIg8hunhfi00dNqMBT
    ukCzgfIqbQUuqmOibsWnYvZoXoYKnbRL0Bj8IYvwvu4p2oBQpvM+JR4DC+rv52LI
    583Q6g3LebQ4JuQf8jgxvEEV4UL1CsUBqN3mcRpVUKJS3ijXmzEX9MfpBRcp1rBA
    VsiE4Mrk7PXhkwIDAQABo4IBBzCCAQMwHQYDVR0OBBYEFFIv1UuKN2NXaVjRNXDT
    Rs/+LT/9MIHTBgNVHSMEgcswgciAFFIv1UuKN2NXaVjRNXDTRs/+LT/9oYGkpIGh
    MIGeMQswCQYDVQQGEwJQQTELMAkGA1UECBMCUEExDzANBgNVBAcTBlBhbmFtYTEQ
    MA4GA1UEChMHTm9yZFZQTjEQMA4GA1UECxMHTm9yZFZQTjEaMBgGA1UEAxMRZGUy
    Mjkubm9yZHZwbi5jb20xEDAOBgNVBCkTB05vcmRWUE4xHzAdBgkqhkiG9w0BCQEW
    EGNlcnRAbm9yZHZwbi5jb22CCQDSMUUpoJo1ujAMBgNVHRMEBTADAQH/MA0GCSqG
    SIb3DQEBCwUAA4IBAQBf1vr93OIkIFehXOCXYFmAYai8/lK7OQH0SRMYdUPvADjQ
    e5tSDK5At2Ew9YLz96pcDhzLqtbQsRqjuqWKWs7DBZ8ZiJg1nVIXxE+C3ezSyuVW
    //DdqMeUD80/FZD5kPS2yJJOWfuBBMnaN8Nxb0BaJi9AKFHnfg6Zxqa/FSUPXFwB
    wH+zeymL2Dib2+ngvCm9VP3LyfIdvodEJ372H7eG8os8allUnkUzpVyGxI4pN/IB
    KROBRPKb+Aa5FWeWgEUHIr+hNrEMvcWfSvZAkSh680GScQeJh5Xb4RGMCW08tb4p
    lrojzCvC7OcFeUNW7Ayiuukx8rx/F4+IZ1yJGff9
    -----END CERTIFICATE-----
    </ca>
    key-direction 1
    <tls-auth>
    #
    # 2048 bit OpenVPN static key
    #
    -----BEGIN OpenVPN Static key V1-----
    49b2f54c6ee58d2d97331681bb577d55
    054f56d92b743c31e80b684de0388702
    ad3bf51088cd88f3fac7eb0729f2263c
    51d82a6eb7e2ed4ae6dfa65b1ac764d0
    b9dedf1379c1b29b36396d64cb6fd6b2
    e61f869f9a13001dadc02db171f04c4d
    c46d1132c1f31709e7b54a6eabae3ea8
    fbd2681363c185f4cb1be5aa42a27c31
    21db7b2187fd11c1acf224a0d5a44466
    b4b5a3cc34ec0227fe40007e8b379654
    f1e8e2b63c6b46ee7ab6f1bd82f57837
    92c209e8f25bc9ed493cb5c1d891ae72
    7f54f4693c5b20f136ca23e639fd8ea0
    865b4e22dd2af43e13e6b075f12427b2
    08af9ffd09c56baa694165f57fe2697a
    3377fa34aebcba587c79941d83deaf45
    -----END OpenVPN Static key V1-----
    </tls-auth>
  '';
}