nixos-config/services.nix

{ config, pkgs, ... }:

{
  services.haproxy.enable = true;
  services.haproxy.config = ''
    global
      log /dev/log local0
      log /dev/log local1 notice
      user haproxy
      group haproxy
      ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
      ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
      ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
      ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    defaults
      option forwardfor
      option http-server-close
      timeout client 10s
      timeout connect 4s
      timeout server 30s
    userlist LOUTRE
      user paul password $6$6rDdCtzSVsAwB6KP$V8bR7KP7FSL2BSEh6n3op6iYhAnsVSPI2Ar3H6MwKrJ/lZRzUI8a0TwVBD2JPnAntUhLpmRudrvdq2Ls2odAy.
    frontend public
      bind :::80 v4v6
      bind :::443 v4v6 ssl crt /var/lib/acme/tars.nyanlout.re/full.pem
      mode http
      acl letsencrypt-acl path_beg /.well-known/acme-challenge/
      redirect scheme https code 301 if !{ ssl_fc } !letsencrypt-acl
      use_backend letsencrypt-backend if letsencrypt-acl
      acl grafana-acl hdr(host) -i grafana.tars.nyanlout.re
      acl emby-acl hdr(host) -i emby.tars.nyanlout.re
      acl radarr-acl hdr(host) -i radarr.tars.nyanlout.re
      acl transmission-acl hdr(host) -i transmission.tars.nyanlout.re
      acl syncthing-acl hdr(host) -i syncthing.tars.nyanlout.re
      use_backend grafana-backend if grafana-acl
      use_backend emby-backend if emby-acl
      use_backend radarr-backend if radarr-acl
      use_backend transmission-backend if transmission-acl
      use_backend syncthing-backend if syncthing-acl
    backend letsencrypt-backend
      mode http
      server letsencrypt 127.0.0.1:54321
    backend grafana-backend
      mode http
      server grafana 127.0.0.1:3000 check
    backend emby-backend
      mode http
      server emby 127.0.0.1:8096 check
    backend radarr-backend
      mode http
      server radarr 127.0.0.1:7878 check
    backend transmission-backend
      mode http
      acl AuthOK_LOUTRE http_auth(LOUTRE)
      http-request auth realm LOUTRE if !AuthOK_LOUTRE
      server transmission 127.0.0.1:9091 check
    backend syncthing-backend
      mode http
      acl AuthOK_LOUTRE http_auth(LOUTRE)
      http-request auth realm LOUTRE if !AuthOK_LOUTRE
      server syncthing 127.0.0.1:8384 check
  '';

  services.nginx.enable = true;
  services.nginx.virtualHosts = {
    "acme" = {
      listen = [ { addr = "127.0.0.1"; port = 54321; } ];
      locations = { "/" = { root = "/var/www/challenges"; }; };
    };
  };

  security.acme.certs = {
    "tars.nyanlout.re" = {
      extraDomains = {
        "grafana.tars.nyanlout.re" = null;
        "emby.tars.nyanlout.re" = null;
        "radarr.tars.nyanlout.re" = null;
        "transmission.tars.nyanlout.re" = null;
        "syncthing.tars.nyanlout.re" = null;
      };
      webroot = "/var/www/challenges/";
      email = "paul@nyanlout.re";
      user = "haproxy";
      group = "haproxy";
      postRun = "systemctl reload haproxy";
    };
  };
  security.acme.directory = "/var/lib/acme";

  services.influxdb.enable = true;
  services.influxdb.dataDir = "/var/db/influxdb";

  services.telegraf.enable = true;
  services.telegraf.extraConfig = {
    inputs = {
      zfs = { poolMetrics = true; };
      net = { interfaces = [ "eno1" "eno2" "eno3" "eno4" ]; };
      netstat = {};
      cpu = { totalcpu = true; };
      kernel = {};
      mem = {};
      processes = {};
      system = {};
      ipmi_sensor = { path = "${pkgs.ipmitool}/bin/ipmitool"; };
    };
    outputs = {
      influxdb = { database = "telegraf"; urls = [ "http://localhost:8086" ]; };
    };
  };

  services.udev.extraRules = ''
    KERNEL=="ipmi*", MODE="660", OWNER="telegraf"
  '';

  services.grafana.enable = true;
  services.grafana.addr = "127.0.0.1";
  services.grafana.dataDir = "/var/lib/grafana";

  services.emby.enable = true;
  services.emby.dataDir = "/var/lib/emby/ProgramData-Server";

  services.slimserver.enable = true;
  services.slimserver.dataDir = "/var/lib/slimserver";

  services.syncthing.enable = true;
  services.syncthing.dataDir = "/var/lib/syncthing";
  services.syncthing.openDefaultPorts = true;
  
  services.nfs.server = {
    enable = true;
    exports = ''
      /exports/steam  192.168.1.0/24(rw,no_root_squash)
    '';
    statdPort = 4000;
    lockdPort = 4001;
    mountdPort = 4002;
  };

  services.transmission.enable = true;
  services.transmission.home = "/var/lib/transmission";
  services.transmission.settings = {
    rpc-bind-address = "127.0.0.1";
    rpc-host-whitelist = "*";
    rpc-whitelist-enabled = false;
  };

  services.radarr.enable = true;

  services.murmur.enable = true;
  services.murmur.bandwidth = 128000;
  services.murmur.imgMsgLength = 0;
  services.murmur.textMsgLength = 0;

  networking.firewall.allowedTCPPorts = [
    80 443 # HAProxy
    111 2049 4000 4001 4002 # NFS
    3483 9000 # Slimserver
    51413 # Transmission
  ];
  networking.firewall.allowedUDPPorts = [
    111 2049 4000 4001 4002 # NFS
    3483 # Slimserver
    51413 # Transmission
  ];
}
Ajout Telegraf-InfluxDB-Grafana 2018-04-01 15:04:49 +02:00			`{ config, pkgs, ... }:`

			`{`
Ajout HAProxy 2018-04-03 21:13:18 +02:00			`services.haproxy.enable = true;`
			`services.haproxy.config = ''`
Correction HAProxy 2018-04-03 21:58:01 +02:00			`global`
Ajout HAProxy 2018-04-03 21:13:18 +02:00			`log /dev/log local0`
			`log /dev/log local1 notice`
			`user haproxy`
			`group haproxy`
TLS sécurisé 2018-04-05 00:14:12 +02:00			`ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256`
			`ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets`
			`ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256`
			`ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets`
Correction HAProxy 2018-04-03 21:58:01 +02:00			`defaults`
Ajout HAProxy 2018-04-03 21:13:18 +02:00			`option forwardfor`
			`option http-server-close`
Tuning HAProxy 2018-04-07 21:51:02 +02:00			`timeout client 10s`
			`timeout connect 4s`
			`timeout server 30s`
Mot de passe HAProxy 2018-04-03 23:54:27 +02:00			`userlist LOUTRE`
			`user paul password $6$6rDdCtzSVsAwB6KP$V8bR7KP7FSL2BSEh6n3op6iYhAnsVSPI2Ar3H6MwKrJ/lZRzUI8a0TwVBD2JPnAntUhLpmRudrvdq2Ls2odAy.`
HAProxy SSL 2018-04-04 20:30:18 +02:00			`frontend public`
HAProxy IPv6 2018-04-05 00:10:38 +02:00			`bind :::80 v4v6`
			`bind :::443 v4v6 ssl crt /var/lib/acme/tars.nyanlout.re/full.pem`
HAProxy SSL 2018-04-04 20:30:18 +02:00			`mode http`
Ajout HAProxy 2018-04-03 21:13:18 +02:00			`acl letsencrypt-acl path_beg /.well-known/acme-challenge/`
TLS sécurisé 2018-04-05 00:14:12 +02:00			`redirect scheme https code 301 if !{ ssl_fc } !letsencrypt-acl`
Tuning HAProxy 2018-04-07 21:51:02 +02:00			`use_backend letsencrypt-backend if letsencrypt-acl`
Règlages backends HAProxy 2018-04-03 22:25:49 +02:00			`acl grafana-acl hdr(host) -i grafana.tars.nyanlout.re`
			`acl emby-acl hdr(host) -i emby.tars.nyanlout.re`
Ajout service Radarr 2018-04-03 23:09:51 +02:00			`acl radarr-acl hdr(host) -i radarr.tars.nyanlout.re`
Mot de passe HAProxy 2018-04-03 23:54:27 +02:00			`acl transmission-acl hdr(host) -i transmission.tars.nyanlout.re`
Syncthing reverse proxy 2018-04-04 21:22:53 +02:00			`acl syncthing-acl hdr(host) -i syncthing.tars.nyanlout.re`
Règlages backends HAProxy 2018-04-03 22:25:49 +02:00			`use_backend grafana-backend if grafana-acl`
			`use_backend emby-backend if emby-acl`
Ajout service Radarr 2018-04-03 23:09:51 +02:00			`use_backend radarr-backend if radarr-acl`
Mot de passe HAProxy 2018-04-03 23:54:27 +02:00			`use_backend transmission-backend if transmission-acl`
Syncthing reverse proxy 2018-04-04 21:22:53 +02:00			`use_backend syncthing-backend if syncthing-acl`
Règlages backends HAProxy 2018-04-03 22:25:49 +02:00			`backend letsencrypt-backend`
			`mode http`
			`server letsencrypt 127.0.0.1:54321`
Correction HAProxy 2018-04-03 21:58:01 +02:00			`backend grafana-backend`
			`mode http`
			`server grafana 127.0.0.1:3000 check`
Règlages backends HAProxy 2018-04-03 22:25:49 +02:00			`backend emby-backend`
Correction HAProxy 2018-04-03 21:58:01 +02:00			`mode http`
Règlages backends HAProxy 2018-04-03 22:25:49 +02:00			`server emby 127.0.0.1:8096 check`
Ajout service Radarr 2018-04-03 23:09:51 +02:00			`backend radarr-backend`
			`mode http`
			`server radarr 127.0.0.1:7878 check`
Mot de passe HAProxy 2018-04-03 23:54:27 +02:00			`backend transmission-backend`
			`mode http`
			`acl AuthOK_LOUTRE http_auth(LOUTRE)`
			`http-request auth realm LOUTRE if !AuthOK_LOUTRE`
Syncthing reverse proxy 2018-04-04 21:22:53 +02:00			`server transmission 127.0.0.1:9091 check`
			`backend syncthing-backend`
			`mode http`
			`acl AuthOK_LOUTRE http_auth(LOUTRE)`
			`http-request auth realm LOUTRE if !AuthOK_LOUTRE`
			`server syncthing 127.0.0.1:8384 check`
Ajout HAProxy 2018-04-03 21:13:18 +02:00			`'';`

			`services.nginx.enable = true;`
			`services.nginx.virtualHosts = {`
			`"acme" = {`
Correction HAProxy 2018-04-03 21:58:01 +02:00			`listen = [ { addr = "127.0.0.1"; port = 54321; } ];`
			`locations = { "/" = { root = "/var/www/challenges"; }; };`
Ajout HAProxy 2018-04-03 21:13:18 +02:00			`};`
			`};`

Activation ACME 2018-04-04 09:12:23 +02:00			`security.acme.certs = {`
			`"tars.nyanlout.re" = {`
			`extraDomains = {`
			`"grafana.tars.nyanlout.re" = null;`
			`"emby.tars.nyanlout.re" = null;`
			`"radarr.tars.nyanlout.re" = null;`
			`"transmission.tars.nyanlout.re" = null;`
Syncthing reverse proxy 2018-04-04 21:22:53 +02:00			`"syncthing.tars.nyanlout.re" = null;`
Activation ACME 2018-04-04 09:12:23 +02:00			`};`
			`webroot = "/var/www/challenges/";`
			`email = "paul@nyanlout.re";`
HAProxy SSL 2018-04-04 20:30:18 +02:00			`user = "haproxy";`
			`group = "haproxy";`
Tuning HAProxy 2018-04-07 21:51:02 +02:00			`postRun = "systemctl reload haproxy";`
Activation ACME 2018-04-04 09:12:23 +02:00			`};`
			`};`
			`security.acme.directory = "/var/lib/acme";`
Ajout HAProxy 2018-04-03 21:13:18 +02:00
Ajout Telegraf-InfluxDB-Grafana 2018-04-01 15:04:49 +02:00			`services.influxdb.enable = true;`
Nouveaux services 2018-04-03 08:47:49 +02:00			`services.influxdb.dataDir = "/var/db/influxdb";`
Ajout Telegraf-InfluxDB-Grafana 2018-04-01 15:04:49 +02:00
			`services.telegraf.enable = true;`
			`services.telegraf.extraConfig = {`
			`inputs = {`
			`zfs = { poolMetrics = true; };`
			`net = { interfaces = [ "eno1" "eno2" "eno3" "eno4" ]; };`
			`netstat = {};`
			`cpu = { totalcpu = true; };`
			`kernel = {};`
			`mem = {};`
			`processes = {};`
			`system = {};`
Monitoring IPMI 2018-04-10 16:53:13 +02:00			`ipmi_sensor = { path = "${pkgs.ipmitool}/bin/ipmitool"; };`
Ajout Telegraf-InfluxDB-Grafana 2018-04-01 15:04:49 +02:00			`};`
			`outputs = {`
			`influxdb = { database = "telegraf"; urls = [ "http://localhost:8086" ]; };`
			`};`
			`};`

Monitoring IPMI 2018-04-10 16:53:13 +02:00			`services.udev.extraRules = ''`
			`KERNEL=="ipmi*", MODE="660", OWNER="telegraf"`
			`'';`

Ajout Telegraf-InfluxDB-Grafana 2018-04-01 15:04:49 +02:00			`services.grafana.enable = true;`
Règlages backends HAProxy 2018-04-03 22:25:49 +02:00			`services.grafana.addr = "127.0.0.1";`
Nouveaux services 2018-04-03 08:47:49 +02:00			`services.grafana.dataDir = "/var/lib/grafana";`
Ajout Emby 2018-04-01 15:17:44 +02:00
			`services.emby.enable = true;`
Nouveaux services 2018-04-03 08:47:49 +02:00			`services.emby.dataDir = "/var/lib/emby/ProgramData-Server";`
Ajout Emby 2018-04-01 15:17:44 +02:00
Service slimserver 2018-04-03 19:21:26 +02:00			`services.slimserver.enable = true;`
			`services.slimserver.dataDir = "/var/lib/slimserver";`

Nouveaux services 2018-04-03 08:47:49 +02:00			`services.syncthing.enable = true;`
			`services.syncthing.dataDir = "/var/lib/syncthing";`
			`services.syncthing.openDefaultPorts = true;`

Partage NFS Steam 2018-04-03 18:55:07 +02:00			`services.nfs.server = {`
			`enable = true;`
			`exports = ''`
			`/exports/steam 192.168.1.0/24(rw,no_root_squash)`
			`'';`
			`statdPort = 4000;`
			`lockdPort = 4001;`
			`mountdPort = 4002;`
			`};`

Service transmission 2018-04-03 23:22:44 +02:00			`services.transmission.enable = true;`
			`services.transmission.home = "/var/lib/transmission";`
			`services.transmission.settings = {`
Mot de passe HAProxy 2018-04-03 23:54:27 +02:00			`rpc-bind-address = "127.0.0.1";`
			`rpc-host-whitelist = "*";`
Service transmission 2018-04-03 23:22:44 +02:00			`rpc-whitelist-enabled = false;`
			`};`

Ajout service Radarr 2018-04-03 23:09:51 +02:00			`services.radarr.enable = true;`

Service murmur 2018-04-04 00:09:14 +02:00			`services.murmur.enable = true;`
			`services.murmur.bandwidth = 128000;`
			`services.murmur.imgMsgLength = 0;`
			`services.murmur.textMsgLength = 0;`

Ajout Emby 2018-04-01 15:17:44 +02:00			`networking.firewall.allowedTCPPorts = [`
Ajout HAProxy 2018-04-03 21:13:18 +02:00			`80 443 # HAProxy`
Partage NFS Steam 2018-04-03 18:55:07 +02:00			`111 2049 4000 4001 4002 # NFS`
Ouverture différents ports 2018-04-03 20:17:09 +02:00			`3483 9000 # Slimserver`
Ports Transmission 2018-04-04 22:15:27 +02:00			`51413 # Transmission`
Partage NFS Steam 2018-04-03 18:55:07 +02:00			`];`
			`networking.firewall.allowedUDPPorts = [`
			`111 2049 4000 4001 4002 # NFS`
Ouverture différents ports 2018-04-03 20:17:09 +02:00			`3483 # Slimserver`
Ports Transmission 2018-04-04 22:15:27 +02:00			`51413 # Transmission`
Ajout Emby 2018-04-01 15:17:44 +02:00			`];`
Ajout Telegraf-InfluxDB-Grafana 2018-04-01 15:04:49 +02:00			`}`