

3 Commits

Author SHA1 Message Date
Simon Bruder 78564e6ef4
fuuko: Adjust README to its current purpose 2022-09-12 21:02:14 +02:00
Simon Bruder d508543c3c
fuuko: Disable DHCP and DNS server
This is now the main router’s job.
2022-09-12 20:54:59 +02:00
Simon Bruder eeb8f25453
fuuko/scan: Drop 2022-09-12 20:34:52 +02:00
6 changed files with 6 additions and 166 deletions


@ -6,7 +6,7 @@ HP MicroServer Gen8 with an [Intel Xeon E3-1220L
v2](https://ark.intel.com/content/www/us/en/ark/products/65735/intel-xeon-processor-e3-1220l-v2-3m-cache-2-30-ghz.html) v2](https://ark.intel.com/content/www/us/en/ark/products/65735/intel-xeon-processor-e3-1220l-v2-3m-cache-2-30-ghz.html)
and 8GiB ECC RAM (1600MHz). It isnt the best choice, but I already had it and 8GiB ECC RAM (1600MHz). It isnt the best choice, but I already had it
lying around and it is acceptable after changing the CPU from the original lying around and it is acceptable after changing the CPU from the original
Celeron. I decided not to use another consumer-grade computer for this, since Celeron. I decided not to use another consumer-grade computer for this, since
the server offers ECC memory and therefore should be more reliable. the server offers ECC memory and therefore should be more reliable.
The SSD (Intel DC S4500 480GB) is connected to the first drive slot in a 3.5 ″ The SSD (Intel DC S4500 480GB) is connected to the first drive slot in a 3.5 ″
@ -20,7 +20,9 @@ Ultrastar DC HC320 0B36404) in BTRFS RAID1. They are connected to the 2rd and
## Purpose ## Purpose
It is my main server handling most long-runing tasks and services. It is my main storage server
that is responsible for handling storage and processing of big files
to which I need a high throughput connection.
## Name ## Name


@ -5,11 +5,9 @@
../../modules ../../modules
../../users/simon ../../users/simon
./services/dnsmasq.nix
./services/fritzbox-exporter.nix ./services/fritzbox-exporter.nix
./services/media-backup.nix ./services/media-backup.nix
./services/media.nix ./services/media.nix
./services/scan.nix
./services/torrent.nix ./services/torrent.nix
./services/wordclock-dimmer.nix ./services/wordclock-dimmer.nix
]; ];
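Review bot: Removing the `./services/scan.nix` import deactivates the module but, if this host runs with the NixOS default `users.mutableUsers = true` (not visible in this diff), the `scan` account is not deleted from the system on rebuild, only no longer managed, and the dropped module set its password as a literal in the repository, which stays in git history after this commit. Worth confirming on the host that the account is gone (or setting `users.mutableUsers = false;` in this configuration so undeclared users are removed) and treating that credential as burned rather than reusable. The firewall openings and the vsftpd/nginx services from the module do go away with the import, since those are declarative. The imports list is the whole of what this hunk shows; the surrounding module continues outside it.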


@ -11,14 +11,7 @@
blacklistedKernelModules = [ "acpi_power_meter" ]; # constantly pollutes kernel log blacklistedKernelModules = [ "acpi_power_meter" ]; # constantly pollutes kernel log
extraModulePackages = [ ]; extraModulePackages = [ ];
supportedFilesystems = [ "btrfs" ]; supportedFilesystems = [ "btrfs" ];
kernelParams = kernelParams = [ "ip=dhcp" ];
let
mainInterface = config.systemd.network.networks.eno1;
first = lib.flip lib.elemAt 0;
in
[
"ip=${first mainInterface.address}::${first mainInterface.gateway}::${config.networking.hostName}:${mainInterface.name}"
];
initrd = { initrd = {
availableKernelModules = [ availableKernelModules = [
"aesni_intel" # hardware crypto for luks "aesni_intel" # hardware crypto for luks
@ -82,19 +75,7 @@
powerManagement.cpuFreqGovernor = "performance"; powerManagement.cpuFreqGovernor = "performance";
networking.useDHCP = false; networking.useDHCP = false;
systemd.network = { networking.interfaces.eno1.useDHCP = true;
enable = true;
networks = {
eno1 = {
name = "eno1";
dns = [ "192.168.100.1" ];
domains = [ "home.sbruder.de" ];
address = [ "192.168.100.61/24" ];
gateway = [ "192.168.100.1" ];
};
};
};
services.resolved.enable = false;
systemd.network.wait-online.extraArgs = [ "-i" "eno1" ]; systemd.network.wait-online.extraArgs = [ "-i" "eno1" ];
} }
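Review bot: `systemd.network.wait-online.extraArgs = [ "-i" "eno1" ];` is kept in the second hunk while `systemd.network.enable = true;` is removed, and the new `networking.interfaces.eno1.useDHCP = true;` selects scripted networking, so that wait-online line is probably dead unless networkd is enabled by a module outside this diff; either drop it or keep networkd with `systemd.network.networks.eno1 = { name = "eno1"; DHCP = "yes"; };` so the wait-online argument still applies. In the first hunk, `kernelParams = [ "ip=dhcp" ];` replaces an initrd address that was pinned to the networkd config; if the initrd network exists for an early-boot service such as a remote LUKS unlock (the `aesni_intel` comment suggests LUKS, but the initrd service itself is not shown), its address now depends on the main router's lease, so a DHCP reservation for eno1 keeps that endpoint stable, and early boot will stall if no lease is offered. With the pinned `dns` list gone, the host's resolvers now also come entirely from the lease. The enclosing `boot` attribute set of the first hunk starts outside this diff.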


@ -1,44 +0,0 @@
{ config, lib, pkgs, ... }:
{
services.dnsmasq = {
enable = true;
extraConfig = ''
bogus-priv # do not forward revese lookups of internal addresses
domain-needed # do not forward names without domain
local-service # only respond to queries from local network
no-hosts # do not resolve hosts from /etc/hosts
no-resolv # only use explicitly configured resolvers
cache-size=10000
server=/fritz.box/192.168.100.1
domain=home.sbruder.de
dhcp-range=192.168.100.20,192.168.100.150,12h
dhcp-option=option:router,192.168.100.1
'';
servers = [
"9.9.9.9" # dns.quad9.net
"2620:fe::fe"
"194.150.168.168" # dns.as250.net
];
};
# Make `local-service` work (requires network interface with all addresses)
systemd.services.dnsmasq = {
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
};
services.prometheus.exporters.dnsmasq = {
enable = true;
listenAddress = config.sbruder.wireguard.home.address;
leasesPath = "/var/lib/dnsmasq/dnsmasq.leases";
};
networking.firewall.allowedUDPPorts = [ 53 67 ];
networking.firewall.allowedTCPPorts = [ 53 ];
}


@ -1,89 +0,0 @@
{ lib, pkgs, ... }:
{
users.users.scan = {
home = "/var/lib/scans";
isSystemUser = true;
group = "scan";
# this is a low-risk account and since the only thing the account can do is
# login to the ftp server from my home network, you can also sniff the
# password since the connection is unencrypted
password = "meeB3laodoo8na3z";
};
users.groups.scan = { };
systemd.tmpfiles.rules = [
"d /var/lib/scans 0755 scan root 7d"
];
sbruder.restic.system.extraExcludes = [ "/var/lib/scans" ];
services.vsftpd = {
enable = true;
writeEnable = true;
localUsers = true;
userlist = [ "scan" ];
extraConfig = ''
# I only want this to be reachable from within my home network. Since
# IPv6 has all ports forwarded, it is disabled here.
listen=YES
listen_ipv6=NO
# users shell is nologin
check_shell=NO
# scans should be readable
local_umask=022
pasv_min_port=30000
pasv_max_port=30009
'';
};
services.nginx.virtualHosts."scan.sbruder.de" = {
enableACME = true;
forceSSL = true;
locations."/" = {
root = "/var/lib/scans";
extraConfig = ''
autoindex on;
allow 192.168.100.0/24;
allow 2001:470:1f0b:abc::/64;
deny all;
'';
};
};
networking.firewall = {
allowedTCPPorts = [ 21 ];
allowedTCPPortRanges = [{ from = 30000; to = 30009; }];
};
systemd.services.scan-converter = {
wantedBy = [ "multi-user.target" ];
script = ''
set -euo pipefail
${pkgs.inotify-tools}/bin/inotifywait -m --include "\.tif$" -e close_write /var/lib/scans | while read path action file; do
echo "Converting ''${file}"
${pkgs.imagemagick}/bin/convert -strip "/var/lib/scans/$file" "/var/lib/scans/''${file%.*}.png"
rm "/var/lib/scans/$file"
done
'';
serviceConfig = {
User = "scan";
Restart = "always";
# systemd-analyze --no-pager security scan-converter.service
CapabilityBoundingSet = null;
PrivateDevices = true;
PrivateNetwork = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectHome = true;
RestrictNamespaces = true;
SystemCallFilter = "@system-service";
};
};
}


@ -98,14 +98,6 @@ in
}; };
} }
) )
{
job_name = "dnsmasq";
static_configs = mkStaticTarget "fuuko.vpn.sbruder.de:${toString config.services.prometheus.exporters.dnsmasq.port}";
relabel_configs = lib.singleton {
target_label = "instance";
replacement = "fuuko.home.sbruder.de";
};
}
{ {
job_name = "hcloud"; job_name = "hcloud";
static_configs = mkStaticTarget config.services.hcloud_exporter.listenAddress; static_configs = mkStaticTarget config.services.hcloud_exporter.listenAddress;