nixos-config/systems/LoutreOS/services.nix

483 lines
14 KiB
Nix
Raw Normal View History

2018-04-10 20:28:22 +02:00
{ config, lib, pkgs, ... }:
with lib;
let
2018-04-19 19:35:11 +02:00
domaine = "nyanlout.re";
2018-04-25 00:32:42 +02:00
2018-04-19 20:17:48 +02:00
riot_port = 52345;
2018-05-03 00:40:16 +02:00
pgmanage_port = 52347;
2018-05-09 16:46:33 +02:00
max_port = 52348;
2018-05-09 16:47:02 +02:00
musique_port = 52349;
2019-01-22 11:03:01 +01:00
factorio_port = 52351;
2019-01-24 09:53:21 +01:00
airsonic_port = 4040;
2019-06-07 11:57:12 +02:00
2019-06-15 14:36:14 +02:00
jellyfin_backend = ''
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
'';
sonarr_acl = ''
acl API path_beg /api
'';
sonarr_auth = ''
!AUTH_OK !API
'';
2019-06-15 14:37:58 +02:00
sendMail = to: subject: message: pkgs.writeShellScriptBin "mail.sh" ''
${pkgs.system-sendmail}/bin/sendmail ${to} <<EOF
2019-06-07 11:57:12 +02:00
From: root@nyanlout.re
2019-06-15 14:37:58 +02:00
Subject: ${subject}
${message}
2019-06-07 11:57:12 +02:00
EOF
2019-06-15 14:37:58 +02:00
'';
login_mail_alert = pkgs.writeShellScriptBin "mail_alert.sh" ''
if [ "$PAM_TYPE" != "close_session" ]; then
2019-07-31 13:53:17 +02:00
${sendMail "paul@nyanlout.re" "SSH Login: $PAM_USER from $PAM_RHOST" "`env`"}/bin/mail.sh
2019-06-07 11:57:12 +02:00
fi
'';
2019-06-15 14:37:58 +02:00
backup_mail_alert = sendMail "paul@nyanlout.re" "ERREUR: Sauvegarde Borg" "Impossible de terminer la sauvegarde. Merci de voir les logs";
2018-04-10 20:28:22 +02:00
in
2018-04-01 15:04:49 +02:00
{
2018-04-11 22:09:44 +02:00
imports = [
2018-06-09 13:23:26 +02:00
../../services/haproxy-acme.nix
../../services/mail-server.nix
../../services/site-musique.nix
../../services/site-max.nix
2018-10-23 22:24:13 +02:00
../../services/auto-pr.nix
../../services/python-ci.nix
2018-11-26 17:26:55 +01:00
../../services/sdtdserver.nix
2018-09-19 11:54:33 +02:00
../../containers/vsftpd.nix
2019-01-03 10:04:35 +01:00
/mnt/secrets/factorio_secrets.nix
2018-04-11 22:09:44 +02:00
];
nixpkgs.overlays = [
(import ../../overlays/dogetipbot-telegram.nix)
];
2018-09-04 14:05:06 +02:00
services = {
fail2ban.enable = true;
2018-04-03 21:13:18 +02:00
2018-09-04 14:05:06 +02:00
smartd = {
enable = true;
defaults.monitored = "-a -o on -s (S/../.././02|L/../../1/04)";
2018-09-04 14:05:06 +02:00
notifications.mail = {
enable = true;
recipient = "paul@nyanlout.re";
2018-06-04 12:31:07 +02:00
};
2018-04-01 15:04:49 +02:00
};
2018-04-10 16:53:13 +02:00
2018-09-04 14:05:06 +02:00
fstrim.enable = true;
haproxy-acme = {
enable = true;
domaine = domaine;
services = {
"grafana.${domaine}" = { ip = "127.0.0.1"; port = 3000; auth = true; };
2019-06-15 14:36:14 +02:00
"emby.${domaine}" = { ip = "127.0.0.1"; port = 8096; auth = false; extraBackend = jellyfin_backend; };
"radarr.${domaine}" = { ip = "127.0.0.1"; port = 7878; auth = true; extraAcls = sonarr_acl; aclBool = sonarr_auth; };
"sonarr.${domaine}" = { ip = "127.0.0.1"; port = 8989; auth = true; extraAcls = sonarr_acl; aclBool = sonarr_auth; };
2018-09-04 14:05:06 +02:00
"transmission.${domaine}" = { ip = "127.0.0.1"; port = 9091; auth = true; };
"syncthing.${domaine}" = { ip = "127.0.0.1"; port = 8384; auth = true; };
"jackett.${domaine}" = { ip = "127.0.0.1"; port = 9117; auth = true; };
"searx.${domaine}" = { ip = "127.0.0.1"; port = 8888; auth = false; };
"riot.${domaine}" = { ip = "127.0.0.1"; port = riot_port; auth = false; };
"matrix.${domaine}" = { ip = "127.0.0.1"; port = 8008; auth = false; };
"pgmanage.${domaine}" = { ip = "127.0.0.1"; port = pgmanage_port; auth = true; };
"gitea.${domaine}" = { ip = "127.0.0.1"; port = 3001; auth = false; };
"ci.${domaine}" = { ip = "127.0.0.1"; port = 52350; auth = false; };
2019-01-22 11:03:01 +01:00
"factorio.${domaine}" = { ip = "127.0.0.1"; port = factorio_port; auth = false; };
2019-01-24 09:53:21 +01:00
"airsonic.${domaine}" = { ip = "127.0.0.1"; port = airsonic_port; auth = false; };
2018-09-04 14:05:06 +02:00
};
};
2018-06-04 12:31:07 +02:00
2018-09-04 14:05:06 +02:00
mailserver = {
enable = true;
domaine = domaine;
};
2018-04-01 15:17:44 +02:00
2018-09-04 14:05:06 +02:00
influxdb = {
enable = true;
dataDir = "/var/db/influxdb";
};
2018-04-01 15:17:44 +02:00
2018-09-04 14:05:06 +02:00
telegraf = {
enable = true;
extraConfig = {
inputs = {
zfs = { poolMetrics = true; };
net = { interfaces = [ "eno1" "eno2" "eno3" "eno4" ]; };
netstat = {};
cpu = { totalcpu = true; };
kernel = {};
mem = {};
processes = {};
system = {};
disk = {};
ipmi_sensor = { path = "${pkgs.ipmitool}/bin/ipmitool"; };
smart = {
path = "${pkgs.writeShellScriptBin "smartctl" "/run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl $@"}/bin/smartctl";
};
exec= [
{ commands = [
"${pkgs.python}/bin/python ${
pkgs.fetchgit {
url = "https://gitlab.com/nyanloutre/tplink-smartplug.git";
2018-09-04 14:05:06 +02:00
rev = "a0996112fc451b76448589698de440ad5fd6ea79";
sha256 = "1f1625g7rfsddgk428g76p8fr7vz5gfhq3f452q17bjni3rf2pj3";
}
2019-05-01 23:06:17 +02:00
}/tplink_smartplug.py -t 10.30.50.7 -c energy"
2018-09-04 14:05:06 +02:00
];
data_format = "json";
name_suffix = "_tplink-smartplug";
}
{
commands = [
"${pkgs.python3}/bin/python ${pkgs.writeText "zpool.py" ''
import json
from subprocess import check_output
columns = ["NAME", "SIZE", "ALLOC", "FREE", "EXPANDSZ", "FRAG", "CAP", "DEDUP", "HEALTH", "ALTROOT"]
health = {'ONLINE':0, 'DEGRADED':11, 'OFFLINE':21, 'UNAVAIL':22, 'FAULTED':23, 'REMOVED':24}
stdout = check_output(["${pkgs.zfs}/bin/zpool", "list", "-Hp"],encoding='UTF-8').split('\n')
parsed_stdout = list(map(lambda x: dict(zip(columns,x.split('\t'))), stdout))[:-1]
for pool in parsed_stdout:
for item in pool:
if item in ["SIZE", "ALLOC", "FREE", "FRAG", "CAP"]:
pool[item] = int(pool[item])
if item in ["DEDUP"]:
pool[item] = float(pool[item])
if item == "HEALTH":
pool[item] = health[pool[item]]
print(json.dumps(parsed_stdout))
''}"
];
tag_keys = [ "NAME" ];
data_format = "json";
name_suffix = "_python_zpool";
}
];
};
outputs = {
influxdb = { database = "telegraf"; urls = [ "http://localhost:8086" ]; };
};
};
};
2018-04-03 19:21:26 +02:00
2018-09-04 14:05:06 +02:00
udev.extraRules = ''
KERNEL=="ipmi*", MODE="660", OWNER="telegraf"
2018-04-19 00:24:31 +02:00
'';
2018-04-03 18:55:07 +02:00
2018-09-04 14:05:06 +02:00
grafana = {
enable = true;
addr = "127.0.0.1";
dataDir = "/var/lib/grafana";
extraOptions = {
SERVER_ROOT_URL = "https://grafana.${domaine}";
SMTP_ENABLED = "true";
SMTP_FROM_ADDRESS = "grafana@${domaine}";
SMTP_SKIP_VERIFY = "true";
AUTH_DISABLE_LOGIN_FORM = "true";
AUTH_DISABLE_SIGNOUT_MENU = "true";
AUTH_ANONYMOUS_ENABLED = "true";
AUTH_ANONYMOUS_ORG_ROLE = "Admin";
AUTH_BASIC_ENABLED = "false";
};
};
2018-04-03 23:22:44 +02:00
2019-06-15 14:36:14 +02:00
jellyfin.enable = true;
2018-04-11 22:09:29 +02:00
2018-09-04 14:05:06 +02:00
slimserver = {
enable = true;
dataDir = "/var/lib/slimserver";
};
2018-04-18 21:35:57 +02:00
2018-09-04 14:05:06 +02:00
syncthing = {
enable = true;
dataDir = "/var/lib/syncthing";
openDefaultPorts = true;
2018-04-19 20:17:48 +02:00
};
2018-09-04 14:05:06 +02:00
nfs.server = {
enable = true;
exports = ''
2019-05-01 23:06:17 +02:00
/mnt/medias 10.30.0.0/16(ro,no_root_squash)
/exports/steam 10.30.0.0/16(rw,async,no_root_squash)
2018-09-04 14:05:06 +02:00
'';
statdPort = 4000;
lockdPort = 4001;
mountdPort = 4002;
2018-04-22 00:01:25 +02:00
};
2018-09-04 14:05:06 +02:00
transmission = {
enable = true;
home = "/var/lib/transmission";
settings = {
rpc-bind-address = "127.0.0.1";
rpc-host-whitelist = "*";
rpc-whitelist-enabled = false;
};
};
2018-07-26 11:07:10 +02:00
2018-09-04 14:05:06 +02:00
radarr.enable = true;
sonarr.enable = true;
jackett.enable = true;
2018-05-03 00:40:16 +02:00
2018-09-04 14:05:06 +02:00
searx.enable = true;
nginx = {
enable = true;
virtualHosts = {
"riot" = {
listen = [ { addr = "127.0.0.1"; port = riot_port; } ];
locations = { "/" = { root = pkgs.riot-web; }; };
};
2019-01-22 11:03:01 +01:00
"factorio" = {
listen = [ { addr = "127.0.0.1"; port = factorio_port; } ];
locations = { "/" = { root = "/var/www/factorio"; }; };
};
2018-05-27 18:41:47 +02:00
};
2018-09-04 14:05:06 +02:00
};
postgresql.enable = true;
matrix-synapse = {
enable = true;
enable_registration = true;
server_name = "nyanlout.re";
listeners = [
{ # federation
bind_address = "";
port = 8448;
resources = [
{ compress = true; names = [ "client" "webclient" ]; }
{ compress = false; names = [ "federation" ]; }
];
tls = true;
type = "http";
x_forwarded = false;
}
{ # client
bind_address = "127.0.0.1";
port = 8008;
resources = [
{ compress = true; names = [ "client" "webclient" ]; }
];
tls = false;
type = "http";
x_forwarded = true;
}
];
max_upload_size = "100M";
2018-09-04 14:05:06 +02:00
database_type = "psycopg2";
database_args = {
database = "matrix-synapse";
2018-05-27 18:41:47 +02:00
};
tls_private_key_path = "/var/lib/acme/${domaine}/key.pem";
tls_certificate_path = "/var/lib/acme/${domaine}/fullchain.pem";
url_preview_enabled = true;
2018-09-04 14:05:06 +02:00
logConfig = ''
version: 1
formatters:
journal_fmt:
format: '%(name)s: [%(request)s] %(message)s'
filters:
context:
(): synapse.util.logcontext.LoggingContextFilter
request: ""
handlers:
journal:
class: systemd.journal.JournalHandler
formatter: journal_fmt
filters: [context]
SYSLOG_IDENTIFIER: synapse
root:
level: WARNING
handlers: [journal]
disable_existing_loggers: False
2018-05-27 18:41:47 +02:00
'';
};
2018-09-04 14:05:06 +02:00
pgmanage = {
enable = true;
port = pgmanage_port;
connections = {
localhost = "hostaddr=127.0.0.1 port=5432 dbname=postgres";
};
};
2018-09-04 14:05:06 +02:00
borgbackup.jobs = {
loutre = {
paths = [
"/var/certs"
"/var/dkim"
2019-06-15 14:36:14 +02:00
"/var/lib/jellyfin"
2018-09-04 14:05:06 +02:00
"/var/lib/gitea"
"/var/lib/grafana"
"/var/lib/jackett"
2019-02-27 13:32:25 +01:00
"/var/lib/matrix-synapse"
2018-09-04 14:05:06 +02:00
"/var/lib/postgresql/.zfs/snapshot/borgsnap"
"/var/lib/radarr"
"/var/lib/sonarr"
"/var/lib/syncthing"
"/var/lib/transmission"
"/mnt/medias/musique"
"/mnt/medias/torrent/lidarr"
"/mnt/medias/torrent/musique"
"/var/sieve"
"/var/vmail"
];
repo = "/mnt/backup/borg";
encryption = {
mode = "repokey-blake2";
passCommand = "cat /mnt/secrets/borgbackup_loutre_encryption_pass";
};
startAt = "weekly";
prune.keep = {
within = "1d";
weekly = 4;
monthly = 12;
};
preHook = "${pkgs.zfs}/bin/zfs snapshot loutrepool/var/postgresql@borgsnap";
postHook = ''
${pkgs.zfs}/bin/zfs destroy loutrepool/var/postgresql@borgsnap
if [[ $exitStatus == 0 ]]; then
2019-01-22 11:03:15 +01:00
${pkgs.rclone}/bin/rclone --config /mnt/secrets/rclone_loutre.conf sync -v $BORG_REPO BackupStorage:loutre
2019-06-15 14:37:58 +02:00
else
${backup_mail_alert}/bin/mail.sh
2018-09-04 14:05:06 +02:00
fi
'';
};
};
2018-06-05 14:04:36 +02:00
2018-09-04 14:05:06 +02:00
borgbackup.repos = {
diskstation = {
authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDllbxON66dBju7sMnhX8/E0VRo3+PDYvDsHP0/FK+h8JHol4+pouLmI7KIDKYOJmSuom283OqnyZOMqk+RShTwWIFm9hOd2R9aj45Zrd9jPW2APOCec/Epgogj0bwBnc0l2v6qxkxaBMgL5DnAQ+E00uvL1UQpK8c8j4GGiPlkWJD6Kf+pxmnfH1TIm+J2XCwl0oeCkSK/Frd8eM+wCraMSzoaGiEcfMz2jK8hxDWjDxX7epU0ELF22BVCuyN8cYRoFTnV88E38PlaqsOqD5ePkxk425gDh7j/C06f8QKgnasVH2diixo92kYSd7i/RmfeXDDwAD5xqUvODczEuIdt root@DiskStation" ];
path = "/mnt/backup_loutre/diskstation_borg";
user = "synology";
};
};
2018-06-26 14:13:45 +02:00
2018-09-04 14:05:06 +02:00
gitea = {
enable = true;
cookieSecure = true;
httpPort = 3001;
rootUrl = "https://gitea.nyanlout.re/";
database = {
type = "postgres";
port = 5432;
passwordFile = "/mnt/secrets/gitea_database_passwordFile";
};
2019-01-24 09:53:39 +01:00
log.level = "Warn";
extraConfig = ''
[ui]
DEFAULT_THEME = arc-green
[service]
DISABLE_REGISTRATION = true
'';
2018-09-04 14:05:06 +02:00
};
2018-05-10 18:53:34 +02:00
2018-09-04 14:05:06 +02:00
site-musique = {
enable = true;
port = musique_port;
domaine = "musique-meyenheim.fr";
};
site-max = {
enable = true;
port = max_port;
domaine = "maxspiegel.fr";
};
2018-10-23 22:24:13 +02:00
auto-pr.enable = true;
python-ci.enable = true;
2018-11-26 17:26:55 +01:00
2019-01-22 11:03:32 +01:00
sdtdserver.enable = false;
2019-01-03 10:04:35 +01:00
factorio = {
enable = true;
autosave-interval = 10;
game-name = "Shame";
public = true;
username = "nyanloutre";
};
2019-01-24 09:53:21 +01:00
2019-01-24 18:56:41 +01:00
airsonic = {
enable = true;
maxMemory = 500;
};
2018-09-04 14:05:06 +02:00
};
2018-05-10 19:00:14 +02:00
2018-06-28 20:52:31 +02:00
systemd.services.dogetipbot-telegram = {
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
script = "${pkgs.dogetipbot-telegram}/bin/dogetipbot-telegram --block-io-api-key $BLOCK_IO_API_KEY --block-io-pin $BLOCK_IO_PIN --telegram-api-key $TELEGRAM_API_KEY --network DOGE";
enable = true;
serviceConfig = {
2018-08-28 15:30:39 +02:00
EnvironmentFile = "/mnt/secrets/dogetipbot-telegram_env";
2019-01-22 11:01:25 +01:00
DynamicUser = true;
2018-06-28 20:52:31 +02:00
};
};
2018-09-04 14:05:06 +02:00
systemd.services.matrix-synapse = {
serviceConfig = {
MemoryHigh = "3G";
MemoryMax = "5G";
};
};
2018-06-28 20:52:31 +02:00
users.groups.acme.members = [ "matrix-synapse" ];
2019-06-07 11:57:12 +02:00
security = {
sudo.extraRules = [
{ commands = [ { command = "${pkgs.smartmontools}/bin/smartctl"; options = [ "NOPASSWD" ]; } ]; users = [ "telegraf" ]; }
];
pam.services.sshd.text = pkgs.lib.mkDefault( pkgs.lib.mkAfter "session optional ${pkgs.pam}/lib/security/pam_exec.so seteuid ${login_mail_alert}/bin/mail_alert.sh" );
};
2018-09-04 14:05:06 +02:00
2018-09-16 16:28:47 +02:00
networking = {
wireguard.interfaces = {
wg0 = {
ips = [ "192.168.20.1/24" ];
privateKeyFile = "/mnt/secrets/wireguard/wg0.privatekey";
listenPort = 51820;
allowedIPsAsRoutes = false;
peers = [
{
allowedIPs = [ "0.0.0.0/0" ];
publicKey = "b/SXiqo+GPdNOc54lyEVeUBc6B5AbVMKh+g5EZPGzlE=";
}
];
};
};
firewall.allowedTCPPorts = [
51413 # Transmission
8448 # Matrix federation
20 21 # FTP
];
firewall.allowedTCPPortRanges = [
{ from = 64000; to = 65535; } # FTP
];
firewall.allowedUDPPorts = [
51413 # Transmission
51820 # Wireguard
];
};
2018-04-01 15:04:49 +02:00
}