From edb891e22454179bd9b18d6a3fd879c46b721ef0 Mon Sep 17 00:00:00 2001
From: nyanloutre <paul@nyanlout.re>
Date: Fri, 1 Nov 2019 15:24:50 +0100
Subject: [PATCH] LoutreOS: refactor services

---
 systems/LoutreOS/medias.nix     |  42 ++++++
 systems/LoutreOS/monitoring.nix | 113 ++++++++++++++
 systems/LoutreOS/services.nix   | 256 +-------------------------------
 systems/LoutreOS/web.nix        | 113 ++++++++++++++
 4 files changed, 275 insertions(+), 249 deletions(-)
 create mode 100644 systems/LoutreOS/medias.nix
 create mode 100644 systems/LoutreOS/monitoring.nix
 create mode 100644 systems/LoutreOS/web.nix

diff --git a/systems/LoutreOS/medias.nix b/systems/LoutreOS/medias.nix
new file mode 100644
index 0000000..6b92d33
--- /dev/null
+++ b/systems/LoutreOS/medias.nix
@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+
+{
+  services = {
+    transmission = {
+      enable = true;
+      home = "/var/lib/transmission";
+      settings = {
+        rpc-bind-address = "127.0.0.1";
+        rpc-host-whitelist = "*";
+        rpc-whitelist-enabled = false;
+        peer-port = 51413;
+      };
+    };
+
+    radarr.enable = true;
+    sonarr.enable = true;
+    jackett.enable = true;
+
+    jellyfin.enable = true;
+
+    slimserver = {
+      enable = true;
+      dataDir = "/var/lib/slimserver";
+    };
+
+    airsonic = {
+      enable = true;
+      maxMemory = 500;
+    };
+  };
+
+  networking = {
+    firewall.allowedTCPPorts = [
+      config.services.transmission.settings.peer-port
+    ];
+
+    firewall.allowedUDPPorts = [
+      config.services.transmission.settings.peer-port
+    ];
+  };
+}
diff --git a/systems/LoutreOS/monitoring.nix b/systems/LoutreOS/monitoring.nix
new file mode 100644
index 0000000..4c5bcd2
--- /dev/null
+++ b/systems/LoutreOS/monitoring.nix
@@ -0,0 +1,113 @@
+{ config, lib, pkgs, ... }:
+
+let
+  domaine = "nyanlout.re";
+in
+{
+  services = {
+    smartd = {
+      enable = true;
+      defaults.monitored = "-a -o on -s (S/../.././02|L/../../1/04)";
+      notifications.mail = {
+        enable = true;
+        recipient = "paul@nyanlout.re";
+      };
+    };
+
+    influxdb = {
+      enable = true;
+      dataDir = "/var/db/influxdb";
+    };
+
+    telegraf = {
+      enable = true;
+      extraConfig = {
+        inputs = {
+          zfs = { poolMetrics = true; };
+          net = { interfaces = [ "eno1" "eno2" "eno3" "eno4" ]; };
+          netstat = {};
+          cpu = { totalcpu = true; };
+          kernel = {};
+          mem = {};
+          processes = {};
+          system = {};
+          disk = {};
+          ipmi_sensor = { path = "${pkgs.ipmitool}/bin/ipmitool"; };
+          smart = {
+            path = "${pkgs.writeShellScriptBin "smartctl" "/run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl $@"}/bin/smartctl";
+          };
+          exec= [
+            { commands = [
+              "${pkgs.python}/bin/python ${
+                  pkgs.fetchgit {
+                    url = "https://gitlab.com/nyanloutre/tplink-smartplug.git";
+                    rev = "a0996112fc451b76448589698de440ad5fd6ea79";
+                    sha256 = "1f1625g7rfsddgk428g76p8fr7vz5gfhq3f452q17bjni3rf2pj3";
+                  }
+                }/tplink_smartplug.py -t 10.30.50.7 -c energy"
+              ];
+              data_format = "json";
+              name_suffix = "_tplink-smartplug";
+            }
+            {
+              commands = [
+                "${pkgs.python3}/bin/python ${pkgs.writeText "zpool.py" ''
+                  import json
+                  from subprocess import check_output
+
+                  columns = ["NAME", "SIZE", "ALLOC", "FREE", "EXPANDSZ", "FRAG", "CAP", "DEDUP", "HEALTH", "ALTROOT"]
+                  health = {'ONLINE':0, 'DEGRADED':11, 'OFFLINE':21, 'UNAVAIL':22, 'FAULTED':23, 'REMOVED':24}
+
+                  stdout = check_output(["${pkgs.zfs}/bin/zpool", "list", "-Hp"],encoding='UTF-8').split('\n')
+                  parsed_stdout = list(map(lambda x: dict(zip(columns,x.split('\t'))), stdout))[:-1]
+
+                  for pool in parsed_stdout:
+                    for item in pool:
+                      if item in ["SIZE", "ALLOC", "FREE", "FRAG", "CAP"]:
+                        pool[item] = int(pool[item])
+                      if item in ["DEDUP"]:
+                        pool[item] = float(pool[item])
+                      if item == "HEALTH":
+                        pool[item] = health[pool[item]]
+
+                  print(json.dumps(parsed_stdout))
+                ''}"
+              ];
+              tag_keys = [ "NAME" ];
+              data_format = "json";
+              name_suffix = "_python_zpool";
+            }
+          ];
+        };
+        outputs = {
+          influxdb = { database = "telegraf"; urls = [ "http://localhost:8086" ]; };
+        };
+      };
+    };
+
+    udev.extraRules = ''
+      KERNEL=="ipmi*", MODE="660", OWNER="telegraf"
+    '';
+
+    grafana = {
+      enable = true;
+      addr = "127.0.0.1";
+      dataDir = "/var/lib/grafana";
+      extraOptions = {
+        SERVER_ROOT_URL = "https://grafana.${domaine}";
+        SMTP_ENABLED = "true";
+        SMTP_FROM_ADDRESS = "grafana@${domaine}";
+        SMTP_SKIP_VERIFY = "true";
+        AUTH_DISABLE_LOGIN_FORM = "true";
+        AUTH_DISABLE_SIGNOUT_MENU = "true";
+        AUTH_ANONYMOUS_ENABLED = "true";
+        AUTH_ANONYMOUS_ORG_ROLE = "Admin";
+        AUTH_BASIC_ENABLED = "false";
+      };
+    };
+  };
+
+  security.sudo.extraRules = [
+    { commands = [ { command = "${pkgs.smartmontools}/bin/smartctl"; options = [ "NOPASSWD" ]; } ]; users = [ "telegraf" ]; }
+  ];
+}
diff --git a/systems/LoutreOS/services.nix b/systems/LoutreOS/services.nix
index 158b7af..df277e4 100644
--- a/systems/LoutreOS/services.nix
+++ b/systems/LoutreOS/services.nix
@@ -5,25 +5,6 @@ with lib;
 let
   domaine = "nyanlout.re";
 
-  riot_port = 52345;
-  pgmanage_port = 52347;
-  max_port = 52348;
-  musique_port = 52349;
-  factorio_port = 52351;
-  airsonic_port = 4040;
-  wkd_port = 52352;
-
-  jellyfin_backend = ''
-    http-request set-header X-Forwarded-Port %[dst_port]
-    http-request add-header X-Forwarded-Proto https if { ssl_fc }
-  '';
-  sonarr_acl = ''
-    acl API path_beg /api
-  '';
-  sonarr_auth = ''
-    !AUTH_OK !API
-  '';
-
   sendMail = to: subject: message: pkgs.writeShellScriptBin "mail.sh" ''
     ${pkgs.system-sendmail}/bin/sendmail ${to} <<EOF
     From: root@nyanlout.re
@@ -51,7 +32,10 @@ in
     ../../services/python-ci.nix
     ../../services/sdtdserver.nix
     ../../containers/vsftpd.nix
-    /mnt/secrets/factorio_secrets.nix
+    # /mnt/secrets/factorio_secrets.nix
+    ./monitoring.nix
+    ./medias.nix
+    ./web.nix
   ];
 
   nixpkgs.overlays = [
@@ -62,144 +46,13 @@ in
 
     fail2ban.enable = true;
 
-    smartd = {
-      enable = true;
-      defaults.monitored = "-a -o on -s (S/../.././02|L/../../1/04)";
-      notifications.mail = {
-        enable = true;
-        recipient = "paul@nyanlout.re";
-      };
-    };
-
     fstrim.enable = true;
 
-    haproxy-acme = {
-      enable = true;
-      domaine = domaine;
-      services = {
-        "grafana.${domaine}" = { ip = "127.0.0.1"; port = 3000; auth = true; };
-        "emby.${domaine}" = { ip = "127.0.0.1"; port = 8096; auth = false; extraBackend = jellyfin_backend; };
-        "radarr.${domaine}" = { ip = "127.0.0.1"; port = 7878; auth = true; extraAcls = sonarr_acl; aclBool = sonarr_auth; };
-        "sonarr.${domaine}" = { ip = "127.0.0.1"; port = 8989; auth = true; extraAcls = sonarr_acl; aclBool = sonarr_auth; };
-        "transmission.${domaine}" = { ip = "127.0.0.1"; port = 9091; auth = true; };
-        "syncthing.${domaine}" = { ip = "127.0.0.1"; port = 8384; auth = true; };
-        "jackett.${domaine}" = { ip = "127.0.0.1"; port = 9117; auth = true; };
-        "searx.${domaine}" = { ip = "127.0.0.1"; port = 8888; auth = false; };
-        "riot.${domaine}" = { ip = "127.0.0.1"; port = riot_port; auth = false; };
-        "matrix.${domaine}" = { ip = "127.0.0.1"; port = 8008; auth = false; };
-        "pgmanage.${domaine}" = { ip = "127.0.0.1"; port = pgmanage_port; auth = true; };
-        "gitea.${domaine}" = { ip = "127.0.0.1"; port = 3001; auth = false; };
-        "ci.${domaine}" = { ip = "127.0.0.1"; port = 52350; auth = false; };
-        "factorio.${domaine}" = { ip = "127.0.0.1"; port = factorio_port; auth = false; };
-        "airsonic.${domaine}" = { ip = "127.0.0.1"; port = airsonic_port; auth = false; };
-        "${domaine}" = { ip = "127.0.0.1"; port = wkd_port; auth = false; };
-      };
-    };
-
     mailserver = {
       enable = true;
       domaine = domaine;
     };
 
-    influxdb = {
-      enable = true;
-      dataDir = "/var/db/influxdb";
-    };
-
-    telegraf = {
-      enable = true;
-      extraConfig = {
-        inputs = {
-          zfs = { poolMetrics = true; };
-          net = { interfaces = [ "eno1" "eno2" "eno3" "eno4" ]; };
-          netstat = {};
-          cpu = { totalcpu = true; };
-          kernel = {};
-          mem = {};
-          processes = {};
-          system = {};
-          disk = {};
-          ipmi_sensor = { path = "${pkgs.ipmitool}/bin/ipmitool"; };
-          smart = {
-            path = "${pkgs.writeShellScriptBin "smartctl" "/run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl $@"}/bin/smartctl";
-          };
-          exec= [
-            { commands = [
-              "${pkgs.python}/bin/python ${
-                  pkgs.fetchgit {
-                    url = "https://gitlab.com/nyanloutre/tplink-smartplug.git";
-                    rev = "a0996112fc451b76448589698de440ad5fd6ea79";
-                    sha256 = "1f1625g7rfsddgk428g76p8fr7vz5gfhq3f452q17bjni3rf2pj3";
-                  }
-                }/tplink_smartplug.py -t 10.30.50.7 -c energy"
-              ];
-              data_format = "json";
-              name_suffix = "_tplink-smartplug";
-            }
-            {
-              commands = [
-                "${pkgs.python3}/bin/python ${pkgs.writeText "zpool.py" ''
-                  import json
-                  from subprocess import check_output
-
-                  columns = ["NAME", "SIZE", "ALLOC", "FREE", "EXPANDSZ", "FRAG", "CAP", "DEDUP", "HEALTH", "ALTROOT"]
-                  health = {'ONLINE':0, 'DEGRADED':11, 'OFFLINE':21, 'UNAVAIL':22, 'FAULTED':23, 'REMOVED':24}
-
-                  stdout = check_output(["${pkgs.zfs}/bin/zpool", "list", "-Hp"],encoding='UTF-8').split('\n')
-                  parsed_stdout = list(map(lambda x: dict(zip(columns,x.split('\t'))), stdout))[:-1]
-
-                  for pool in parsed_stdout:
-                    for item in pool:
-                      if item in ["SIZE", "ALLOC", "FREE", "FRAG", "CAP"]:
-                        pool[item] = int(pool[item])
-                      if item in ["DEDUP"]:
-                        pool[item] = float(pool[item])
-                      if item == "HEALTH":
-                        pool[item] = health[pool[item]]
-
-                  print(json.dumps(parsed_stdout))
-                ''}"
-              ];
-              tag_keys = [ "NAME" ];
-              data_format = "json";
-              name_suffix = "_python_zpool";
-            }
-          ];
-        };
-        outputs = {
-          influxdb = { database = "telegraf"; urls = [ "http://localhost:8086" ]; };
-        };
-      };
-    };
-
-    udev.extraRules = ''
-      KERNEL=="ipmi*", MODE="660", OWNER="telegraf"
-    '';
-
-    grafana = {
-      enable = true;
-      addr = "127.0.0.1";
-      dataDir = "/var/lib/grafana";
-      extraOptions = {
-        SERVER_ROOT_URL = "https://grafana.${domaine}";
-        SMTP_ENABLED = "true";
-        SMTP_FROM_ADDRESS = "grafana@${domaine}";
-        SMTP_SKIP_VERIFY = "true";
-        AUTH_DISABLE_LOGIN_FORM = "true";
-        AUTH_DISABLE_SIGNOUT_MENU = "true";
-        AUTH_ANONYMOUS_ENABLED = "true";
-        AUTH_ANONYMOUS_ORG_ROLE = "Admin";
-        AUTH_BASIC_ENABLED = "false";
-      };
-    };
-
-    jellyfin.enable = true;
-
-    slimserver = {
-      enable = true;
-      dataDir = "/var/lib/slimserver";
-    };
-
     syncthing = {
       enable = true;
       dataDir = "/var/lib/syncthing";
@@ -218,47 +71,6 @@ in
       mountdPort = 4002;
     };
 
-    transmission = {
-      enable = true;
-      home = "/var/lib/transmission";
-      settings = {
-        rpc-bind-address = "127.0.0.1";
-        rpc-host-whitelist = "*";
-        rpc-whitelist-enabled = false;
-      };
-    };
-
-    radarr.enable = true;
-    sonarr.enable = true;
-    jackett.enable = true;
-
-    searx.enable = true;
-
-    nginx = {
-      enable = true;
-      virtualHosts = {
-        "riot" = {
-          listen = [ { addr = "127.0.0.1"; port = riot_port; } ];
-          locations = { "/" = { root = pkgs.riot-web; }; };
-        };
-        "factorio" = {
-          listen = [ { addr = "127.0.0.1"; port = factorio_port; } ];
-          locations = { "/" = { root = "/var/www/factorio"; }; };
-        };
-        "wkd" = {
-          listen = [ { addr = "127.0.0.1"; port = wkd_port; } ];
-          locations = { "/.well-known/openpgpkey/" = {
-            alias = "/var/lib/gnupg/wks/nyanlout.re";
-            extraConfig = ''
-              add_header Access-Control-Allow-Origin * always;
-            '';
-          }; };
-        };
-      };
-    };
-
-    postgresql.enable = true;
-
     matrix-synapse = {
       enable = true;
       enable_registration = true;
@@ -345,14 +157,6 @@ in
       serviceDependencies = [ "matrix-synapse.service" ];
     };
 
-    pgmanage = {
-      enable = true;
-      port = pgmanage_port;
-      connections = {
-        localhost = "hostaddr=127.0.0.1 port=5432 dbname=postgres";
-      };
-    };
-
     borgbackup.jobs = {
       loutre = {
         paths = [
@@ -405,57 +209,18 @@ in
       };
     };
 
-    gitea = {
-      enable = true;
-      cookieSecure = true;
-      httpPort = 3001;
-      rootUrl = "https://gitea.nyanlout.re/";
-      database = {
-        type = "postgres";
-        port = 5432;
-        passwordFile = "/var/lib/gitea/custom/conf/database_password";
-      };
-      log.level = "Warn";
-      extraConfig = ''
-        [ui]
-        DEFAULT_THEME = arc-green
-
-        [service]
-        DISABLE_REGISTRATION = true
-      '';
-    };
-
-    site-musique = {
-      enable = true;
-      port = musique_port;
-      domaine = "musique-meyenheim.fr";
-    };
-
-    site-max = {
-      enable = true;
-      port = max_port;
-      domaine = "maxspiegel.fr";
-    };
-
     auto-pr.enable = true;
 
-    python-ci.enable = true;
-
     sdtdserver.enable = false;
 
     factorio = {
-      enable = true;
+      enable = false;
       autosave-interval = 10;
       game-name = "Shame";
       public = true;
       username = "nyanloutre";
     };
 
-    airsonic = {
-      enable = true;
-      maxMemory = 500;
-    };
-
     minecraft-server = {
       enable = false;
       jvmOpts = "-Xms512m -Xmx3072m";
@@ -501,12 +266,7 @@ in
 
   users.groups.acme.members = [ "matrix-synapse" ];
 
-  security = {
-    sudo.extraRules = [
-      { commands = [ { command = "${pkgs.smartmontools}/bin/smartctl"; options = [ "NOPASSWD" ]; } ]; users = [ "telegraf" ]; }
-    ];
-    pam.services.sshd.text = pkgs.lib.mkDefault( pkgs.lib.mkAfter "session optional ${pkgs.pam}/lib/security/pam_exec.so seteuid ${login_mail_alert}/bin/mail_alert.sh" );
-  };
+  security.pam.services.sshd.text = pkgs.lib.mkDefault( pkgs.lib.mkAfter "session optional ${pkgs.pam}/lib/security/pam_exec.so seteuid ${login_mail_alert}/bin/mail_alert.sh" );
 
   networking = {
     wireguard.interfaces = {
@@ -528,7 +288,6 @@ in
     nat.internalIPs = [ "192.168.20.0/24" ];
 
     firewall.allowedTCPPorts = [
-      51413 # Transmission
       8448 # Matrix federation
       20 21 # FTP
     ];
@@ -538,8 +297,7 @@ in
     ];
 
     firewall.allowedUDPPorts = [
-      51413 # Transmission
-      51820 # Wireguard
+      config.networking.wireguard.interfaces.wg0.listenPort
     ];
   };
 }
diff --git a/systems/LoutreOS/web.nix b/systems/LoutreOS/web.nix
new file mode 100644
index 0000000..a7273b6
--- /dev/null
+++ b/systems/LoutreOS/web.nix
@@ -0,0 +1,113 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  domaine = "nyanlout.re";
+
+  jellyfin_backend = ''
+    http-request set-header X-Forwarded-Port %[dst_port]
+    http-request add-header X-Forwarded-Proto https if { ssl_fc }
+  '';
+  sonarr_acl = ''
+    acl API path_beg /api
+  '';
+  sonarr_auth = ''
+    !AUTH_OK !API
+  '';
+in
+{
+  services = {
+    haproxy-acme = {
+      enable = true;
+      domaine = domaine;
+      services = {
+        "grafana.${domaine}" = { ip = "127.0.0.1"; port = config.services.grafana.port; auth = true; };
+        "emby.${domaine}" = { ip = "127.0.0.1"; port = 8096; auth = false; extraBackend = jellyfin_backend; };
+        "radarr.${domaine}" = { ip = "127.0.0.1"; port = 7878; auth = true; extraAcls = sonarr_acl; aclBool = sonarr_auth; };
+        "sonarr.${domaine}" = { ip = "127.0.0.1"; port = 8989; auth = true; extraAcls = sonarr_acl; aclBool = sonarr_auth; };
+        "transmission.${domaine}" = { ip = "127.0.0.1"; port = config.services.transmission.port; auth = true; };
+        "syncthing.${domaine}" = { ip = "127.0.0.1"; port = 8384; auth = true; };
+        "jackett.${domaine}" = { ip = "127.0.0.1"; port = 9117; auth = true; };
+        "searx.${domaine}" = { ip = "127.0.0.1"; port = 8888; auth = false; };
+        "riot.${domaine}" = { ip = "127.0.0.1"; port = (findFirst (x: x.addr == "127.0.0.1") "" config.services.nginx.virtualHosts.riot.listen).port; auth = false; };
+        "matrix.${domaine}" = { ip = "127.0.0.1"; port = 8008; auth = false; };
+        "pgmanage.${domaine}" = { ip = "127.0.0.1"; port = config.services.pgmanage.port; auth = true; };
+        "gitea.${domaine}" = { ip = "127.0.0.1"; port = config.services.gitea.httpPort; auth = false; };
+        "ci.${domaine}" = { ip = "127.0.0.1"; port = 52350; auth = false; };
+        "factorio.${domaine}" = { ip = "127.0.0.1"; port = (findFirst (x: x.addr == "127.0.0.1") "" config.services.nginx.virtualHosts.factorio.listen).port; auth = false; };
+        "airsonic.${domaine}" = { ip = "127.0.0.1"; port = 4040; auth = false; };
+        "${domaine}" = { ip = "127.0.0.1"; port = (findFirst (x: x.addr == "127.0.0.1") "" config.services.nginx.virtualHosts.wkd.listen).port; auth = false; };
+      };
+    };
+
+    searx.enable = true;
+
+    nginx = {
+      enable = true;
+      virtualHosts = {
+        "riot" = {
+          listen = [ { addr = "127.0.0.1"; port = 52345; } ];
+          locations = { "/" = { root = pkgs.riot-web; }; };
+        };
+        "factorio" = {
+          listen = [ { addr = "127.0.0.1"; port = 52351; } ];
+          locations = { "/" = { root = "/var/www/factorio"; }; };
+        };
+        "wkd" = {
+          listen = [ { addr = "127.0.0.1"; port = 52352; } ];
+          locations = { "/.well-known/openpgpkey/" = {
+            alias = "/var/lib/gnupg/wks/nyanlout.re";
+            extraConfig = ''
+              add_header Access-Control-Allow-Origin * always;
+            '';
+          }; };
+        };
+      };
+    };
+
+    postgresql.enable = true;
+
+    pgmanage = {
+      enable = true;
+      port = 52347;
+      connections = {
+        localhost = "hostaddr=127.0.0.1 port=5432 dbname=postgres";
+      };
+    };
+
+    gitea = {
+      enable = true;
+      cookieSecure = true;
+      httpPort = 3001;
+      rootUrl = "https://gitea.nyanlout.re/";
+      database = {
+        type = "postgres";
+        port = 5432;
+        passwordFile = "/var/lib/gitea/custom/conf/database_password";
+      };
+      log.level = "Warn";
+      extraConfig = ''
+        [ui]
+        DEFAULT_THEME = arc-green
+
+        [service]
+        DISABLE_REGISTRATION = true
+      '';
+    };
+
+    python-ci.enable = true;
+
+    site-musique = {
+      enable = true;
+      port = 52349;
+      domaine = "musique-meyenheim.fr";
+    };
+
+    site-max = {
+      enable = true;
+      port = 52348;
+      domaine = "maxspiegel.fr";
+    };
+  };
+}