fuuko: Adjust README to its current purpose

This is now the main router’s job.

machines/fuuko/README.md

@@ -6,7 +6,7 @@ HP MicroServer Gen8 with an [Intel Xeon E3-1220L
 v2](https://ark.intel.com/content/www/us/en/ark/products/65735/intel-xeon-processor-e3-1220l-v2-3m-cache-2-30-ghz.html)
 and 8 GiB ECC RAM (1600 MHz). It isn’t the best choice, but I already had it
 lying around and it is acceptable after changing the CPU from the original
-Celeron.  I decided not to use another consumer-grade computer for this, since
+Celeron. I decided not to use another consumer-grade computer for this, since
 the server offers ECC memory and therefore should be more reliable.
 
 The SSD (Intel DC S4500 480GB) is connected to the first drive slot in a 3.5 ″
@@ -20,7 +20,9 @@ Ultrastar DC HC320 0B36404) in BTRFS RAID1. They are connected to the 2rd and
 
 ## Purpose
 
-It is my main server handling most long-runing tasks and services.
+It is my main storage server
+that is responsible for handling storage and processing of big files
+to which I need a high throughput connection.
 
 ## Name
 

machines/fuuko/configuration.nix

@@ -5,11 +5,9 @@
     ../../modules
     ../../users/simon
 
-    ./services/dnsmasq.nix
     ./services/fritzbox-exporter.nix
     ./services/media-backup.nix
     ./services/media.nix
-    ./services/scan.nix
     ./services/torrent.nix
     ./services/wordclock-dimmer.nix
   ];

machines/fuuko/hardware-configuration.nix

@@ -11,14 +11,7 @@
     blacklistedKernelModules = [ "acpi_power_meter" ]; # constantly pollutes kernel log
     extraModulePackages = [ ];
     supportedFilesystems = [ "btrfs" ];
-    kernelParams =
-      let
-        mainInterface = config.systemd.network.networks.eno1;
-        first = lib.flip lib.elemAt 0;
-      in
-      [
-        "ip=${first mainInterface.address}::${first mainInterface.gateway}::${config.networking.hostName}:${mainInterface.name}"
-      ];
+    kernelParams = [ "ip=dhcp" ];
     initrd = {
       availableKernelModules = [
         "aesni_intel" # hardware crypto for luks
@@ -82,19 +75,7 @@
   powerManagement.cpuFreqGovernor = "performance";
 
   networking.useDHCP = false;
-  systemd.network = {
-    enable = true;
-    networks = {
-      eno1 = {
-        name = "eno1";
-        dns = [ "192.168.100.1" ];
-        domains = [ "home.sbruder.de" ];
-        address = [ "192.168.100.61/24" ];
-        gateway = [ "192.168.100.1" ];
-      };
-    };
-  };
-  services.resolved.enable = false;
+  networking.interfaces.eno1.useDHCP = true;
 
   systemd.network.wait-online.extraArgs = [ "-i" "eno1" ];
 }

machines/fuuko/services/dnsmasq.nix

@@ -1,44 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-  services.dnsmasq = {
-    enable = true;
-
-    extraConfig = ''
-      bogus-priv # do not forward revese lookups of internal addresses
-      domain-needed # do not forward names without domain
-      local-service # only respond to queries from local network
-      no-hosts # do not resolve hosts from /etc/hosts
-      no-resolv # only use explicitly configured resolvers
-
-      cache-size=10000
-
-      server=/fritz.box/192.168.100.1
-
-      domain=home.sbruder.de
-
-      dhcp-range=192.168.100.20,192.168.100.150,12h
-      dhcp-option=option:router,192.168.100.1
-    '';
-    servers = [
-      "9.9.9.9" # dns.quad9.net
-      "2620:fe::fe"
-      "194.150.168.168" # dns.as250.net
-    ];
-  };
-
-  # Make `local-service` work (requires network interface with all addresses)
-  systemd.services.dnsmasq = {
-    after = [ "network-online.target" ];
-    wants = [ "network-online.target" ];
-  };
-
-  services.prometheus.exporters.dnsmasq = {
-    enable = true;
-    listenAddress = config.sbruder.wireguard.home.address;
-    leasesPath = "/var/lib/dnsmasq/dnsmasq.leases";
-  };
-
-  networking.firewall.allowedUDPPorts = [ 53 67 ];
-  networking.firewall.allowedTCPPorts = [ 53 ];
-}

machines/fuuko/services/scan.nix

@@ -1,89 +0,0 @@
-{ lib, pkgs, ... }:
-{
-  users.users.scan = {
-    home = "/var/lib/scans";
-    isSystemUser = true;
-    group = "scan";
-    # this is a low-risk account and since the only thing the account can do is
-    # login to the ftp server from my home network, you can also sniff the
-    # password since the connection is unencrypted
-    password = "meeB3laodoo8na3z";
-  };
-  users.groups.scan = { };
-
-  systemd.tmpfiles.rules = [
-    "d /var/lib/scans 0755 scan root 7d"
-  ];
-
-  sbruder.restic.system.extraExcludes = [ "/var/lib/scans" ];
-
-  services.vsftpd = {
-    enable = true;
-    writeEnable = true;
-    localUsers = true;
-    userlist = [ "scan" ];
-    extraConfig = ''
-      # I only want this to be reachable from within my home network. Since
-      # IPv6 has all ports forwarded, it is disabled here.
-      listen=YES
-      listen_ipv6=NO
-
-      # user’s shell is nologin
-      check_shell=NO
-
-      # scans should be readable
-      local_umask=022
-
-      pasv_min_port=30000
-      pasv_max_port=30009
-    '';
-  };
-
-  services.nginx.virtualHosts."scan.sbruder.de" = {
-    enableACME = true;
-    forceSSL = true;
-
-    locations."/" = {
-      root = "/var/lib/scans";
-
-      extraConfig = ''
-        autoindex on;
-
-        allow 192.168.100.0/24;
-        allow 2001:470:1f0b:abc::/64;
-        deny all;
-      '';
-    };
-  };
-
-  networking.firewall = {
-    allowedTCPPorts = [ 21 ];
-    allowedTCPPortRanges = [{ from = 30000; to = 30009; }];
-  };
-
-  systemd.services.scan-converter = {
-    wantedBy = [ "multi-user.target" ];
-    script = ''
-      set -euo pipefail
-      ${pkgs.inotify-tools}/bin/inotifywait -m --include "\.tif$" -e close_write /var/lib/scans | while read path action file; do
-          echo "Converting ''${file}…"
-          ${pkgs.imagemagick}/bin/convert -strip "/var/lib/scans/$file" "/var/lib/scans/''${file%.*}.png"
-          rm "/var/lib/scans/$file"
-      done
-    '';
-    serviceConfig = {
-      User = "scan";
-      Restart = "always";
-
-      # systemd-analyze --no-pager security scan-converter.service
-      CapabilityBoundingSet = null;
-      PrivateDevices = true;
-      PrivateNetwork = true;
-      PrivateTmp = true;
-      PrivateUsers = true;
-      ProtectHome = true;
-      RestrictNamespaces = true;
-      SystemCallFilter = "@system-service";
-    };
-  };
-}

machines/renge/services/prometheus.nix

@@ -98,14 +98,6 @@ in
           };
         }
       )
-      {
-        job_name = "dnsmasq";
-        static_configs = mkStaticTarget "fuuko.vpn.sbruder.de:${toString config.services.prometheus.exporters.dnsmasq.port}";
-        relabel_configs = lib.singleton {
-          target_label = "instance";
-          replacement = "fuuko.home.sbruder.de";
-        };
-      }
       {
         job_name = "hcloud";
         static_configs = mkStaticTarget config.services.hcloud_exporter.listenAddress;