Compare commits
3 commits
fa0afa040f
...
78564e6ef4
Author | SHA1 | Date | |
---|---|---|---|
Simon Bruder | 78564e6ef4 | ||
Simon Bruder | d508543c3c | ||
Simon Bruder | eeb8f25453 |
|
@ -20,7 +20,9 @@ Ultrastar DC HC320 0B36404) in BTRFS RAID1. They are connected to the 2rd and
|
|||
|
||||
## Purpose
|
||||
|
||||
It is my main server handling most long-runing tasks and services.
|
||||
It is my main storage server
|
||||
that is responsible for handling storage and processing of big files
|
||||
to which I need a high throughput connection.
|
||||
|
||||
## Name
|
||||
|
||||
|
|
|
@ -5,11 +5,9 @@
|
|||
../../modules
|
||||
../../users/simon
|
||||
|
||||
./services/dnsmasq.nix
|
||||
./services/fritzbox-exporter.nix
|
||||
./services/media-backup.nix
|
||||
./services/media.nix
|
||||
./services/scan.nix
|
||||
./services/torrent.nix
|
||||
./services/wordclock-dimmer.nix
|
||||
];
|
||||
|
|
|
@ -11,14 +11,7 @@
|
|||
blacklistedKernelModules = [ "acpi_power_meter" ]; # constantly pollutes kernel log
|
||||
extraModulePackages = [ ];
|
||||
supportedFilesystems = [ "btrfs" ];
|
||||
kernelParams =
|
||||
let
|
||||
mainInterface = config.systemd.network.networks.eno1;
|
||||
first = lib.flip lib.elemAt 0;
|
||||
in
|
||||
[
|
||||
"ip=${first mainInterface.address}::${first mainInterface.gateway}::${config.networking.hostName}:${mainInterface.name}"
|
||||
];
|
||||
kernelParams = [ "ip=dhcp" ];
|
||||
initrd = {
|
||||
availableKernelModules = [
|
||||
"aesni_intel" # hardware crypto for luks
|
||||
|
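Review bot: `kernelParams = [ "ip=dhcp" ];` drops the interface binding that the removed `ip=...:${mainInterface.name}` parameter carried, so the initrd is no longer told which device to configure and, with more than one interface present at early boot, it may not end up on eno1. Pinning the device keeps the previous behaviour explicit while still using DHCP: `kernelParams = [ "ip=:::::eno1:dhcp" ];`. The `"aesni_intel" # hardware crypto for luks` context suggests this early network exists to unlock encrypted disks, so reaching the host now depends on the DHCP server being up at boot and on whatever address it hands out; a one-line comment stating that assumption (and whether the router holds a reservation for this host) would help the next reader. The enclosing attribute set (presumably `boot`) starts and ends outside the hunk.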
@ -82,19 +75,7 @@
|
|||
powerManagement.cpuFreqGovernor = "performance";
|
||||
|
||||
networking.useDHCP = false;
|
||||
systemd.network = {
|
||||
enable = true;
|
||||
networks = {
|
||||
eno1 = {
|
||||
name = "eno1";
|
||||
dns = [ "192.168.100.1" ];
|
||||
domains = [ "home.sbruder.de" ];
|
||||
address = [ "192.168.100.61/24" ];
|
||||
gateway = [ "192.168.100.1" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
services.resolved.enable = false;
|
||||
networking.interfaces.eno1.useDHCP = true;
|
||||
|
||||
systemd.network.wait-online.extraArgs = [ "-i" "eno1" ];
|
||||
}
|
||||
|
|
|
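Review bot: `networking.interfaces.eno1.useDHCP = true;` replaces the removed static `address = [ "192.168.100.61/24" ];`, and nothing in the hunk records whether other configuration still expects that address to be stable; if it is kept stable through a reservation on the router, say so next to the new line: `# address comes from a DHCP reservation on the router (previously static 192.168.100.61)`. The removed `dns` and `domains` entries mean resolver and search-domain settings now come entirely from what the DHCP server advertises, which is worth a comment if intended. The surviving `systemd.network.wait-online.extraArgs = [ "-i" "eno1" ];` presumably only has an effect while systemd-networkd is in use, which the removed `systemd.network.enable = true;` no longer guarantees, so please confirm networkd is still enabled elsewhere or drop that line. The enclosing module attribute set begins outside the hunk.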
@ -1,44 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
services.dnsmasq = {
|
||||
enable = true;
|
||||
|
||||
extraConfig = ''
|
||||
bogus-priv # do not forward revese lookups of internal addresses
|
||||
domain-needed # do not forward names without domain
|
||||
local-service # only respond to queries from local network
|
||||
no-hosts # do not resolve hosts from /etc/hosts
|
||||
no-resolv # only use explicitly configured resolvers
|
||||
|
||||
cache-size=10000
|
||||
|
||||
server=/fritz.box/192.168.100.1
|
||||
|
||||
domain=home.sbruder.de
|
||||
|
||||
dhcp-range=192.168.100.20,192.168.100.150,12h
|
||||
dhcp-option=option:router,192.168.100.1
|
||||
'';
|
||||
servers = [
|
||||
"9.9.9.9" # dns.quad9.net
|
||||
"2620:fe::fe"
|
||||
"194.150.168.168" # dns.as250.net
|
||||
];
|
||||
};
|
||||
|
||||
# Make `local-service` work (requires network interface with all addresses)
|
||||
systemd.services.dnsmasq = {
|
||||
after = [ "network-online.target" ];
|
||||
wants = [ "network-online.target" ];
|
||||
};
|
||||
|
||||
services.prometheus.exporters.dnsmasq = {
|
||||
enable = true;
|
||||
listenAddress = config.sbruder.wireguard.home.address;
|
||||
leasesPath = "/var/lib/dnsmasq/dnsmasq.leases";
|
||||
};
|
||||
|
||||
networking.firewall.allowedUDPPorts = [ 53 67 ];
|
||||
networking.firewall.allowedTCPPorts = [ 53 ];
|
||||
}
|
|
@ -1,89 +0,0 @@
|
|||
{ lib, pkgs, ... }:
|
||||
{
|
||||
users.users.scan = {
|
||||
home = "/var/lib/scans";
|
||||
isSystemUser = true;
|
||||
group = "scan";
|
||||
# this is a low-risk account and since the only thing the account can do is
|
||||
# login to the ftp server from my home network, you can also sniff the
|
||||
# password since the connection is unencrypted
|
||||
password = "meeB3laodoo8na3z";
|
||||
};
|
||||
users.groups.scan = { };
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /var/lib/scans 0755 scan root 7d"
|
||||
];
|
||||
|
||||
sbruder.restic.system.extraExcludes = [ "/var/lib/scans" ];
|
||||
|
||||
services.vsftpd = {
|
||||
enable = true;
|
||||
writeEnable = true;
|
||||
localUsers = true;
|
||||
userlist = [ "scan" ];
|
||||
extraConfig = ''
|
||||
# I only want this to be reachable from within my home network. Since
|
||||
# IPv6 has all ports forwarded, it is disabled here.
|
||||
listen=YES
|
||||
listen_ipv6=NO
|
||||
|
||||
# user’s shell is nologin
|
||||
check_shell=NO
|
||||
|
||||
# scans should be readable
|
||||
local_umask=022
|
||||
|
||||
pasv_min_port=30000
|
||||
pasv_max_port=30009
|
||||
'';
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."scan.sbruder.de" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
locations."/" = {
|
||||
root = "/var/lib/scans";
|
||||
|
||||
extraConfig = ''
|
||||
autoindex on;
|
||||
|
||||
allow 192.168.100.0/24;
|
||||
allow 2001:470:1f0b:abc::/64;
|
||||
deny all;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall = {
|
||||
allowedTCPPorts = [ 21 ];
|
||||
allowedTCPPortRanges = [{ from = 30000; to = 30009; }];
|
||||
};
|
||||
|
||||
systemd.services.scan-converter = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
script = ''
|
||||
set -euo pipefail
|
||||
${pkgs.inotify-tools}/bin/inotifywait -m --include "\.tif$" -e close_write /var/lib/scans | while read path action file; do
|
||||
echo "Converting ''${file}…"
|
||||
${pkgs.imagemagick}/bin/convert -strip "/var/lib/scans/$file" "/var/lib/scans/''${file%.*}.png"
|
||||
rm "/var/lib/scans/$file"
|
||||
done
|
||||
'';
|
||||
serviceConfig = {
|
||||
User = "scan";
|
||||
Restart = "always";
|
||||
|
||||
# systemd-analyze --no-pager security scan-converter.service
|
||||
CapabilityBoundingSet = null;
|
||||
PrivateDevices = true;
|
||||
PrivateNetwork = true;
|
||||
PrivateTmp = true;
|
||||
PrivateUsers = true;
|
||||
ProtectHome = true;
|
||||
RestrictNamespaces = true;
|
||||
SystemCallFilter = "@system-service";
|
||||
};
|
||||
};
|
||||
}
|
|
@ -98,14 +98,6 @@ in
|
|||
};
|
||||
}
|
||||
)
|
||||
{
|
||||
job_name = "dnsmasq";
|
||||
static_configs = mkStaticTarget "fuuko.vpn.sbruder.de:${toString config.services.prometheus.exporters.dnsmasq.port}";
|
||||
relabel_configs = lib.singleton {
|
||||
target_label = "instance";
|
||||
replacement = "fuuko.home.sbruder.de";
|
||||
};
|
||||
}
|
||||
{
|
||||
job_name = "hcloud";
|
||||
static_configs = mkStaticTarget config.services.hcloud_exporter.listenAddress;
|
||||
|
|