disable mastodon

change users config
change home assistant config
2021-10-11 11:03:49 +02:00 · 2021-10-11 11:03:18 +02:00 · 2021-10-11 11:02:59 +02:00 · 2021-10-11 11:01:46 +02:00 · 2021-10-11 11:00:40 +02:00 · 2021-10-11 11:00:25 +02:00
11 changed files with 393 additions and 267 deletions
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,95 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1633934814,
+        "narHash": "sha256-OF62Alp2ocacmDMzvRWMduITf87lcuGonxn9eg9uGG8=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "b313502c719069cce2dd6fd1d5e7fc5999b21c70",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "release-21.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1633791597,
+        "narHash": "sha256-HzpxqTEnqsjkKWfW87kSI3WVizYjUMQeUjSIm3b5I0Y=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "9bf75dd50b7b6d3ce6aaf6563db95f41438b9bdb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1607522989,
+        "narHash": "sha256-o/jWhOSAlaK7y2M57OIriRt6whuVVocS/T0mG7fd1TI=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "e9158eca70ae59e73fae23be5d13d3fa0cfc78b4",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-unstable",
+        "type": "indirect"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-unstable": "nixpkgs-unstable",
+        "simple-nixos-mailserver": "simple-nixos-mailserver"
+      }
+    },
+    "simple-nixos-mailserver": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_2",
+        "utils": "utils"
+      },
+      "locked": {
+        "lastModified": 1622967674,
+        "narHash": "sha256-8RLe6Rqy2rKR/PGDMg/EVsWihsO+DQe/RYmlXdRZkLs=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "nixos-mailserver",
+        "rev": "5675b122a947b40e551438df6a623efad19fd2e7",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "ref": "nixos-21.05",
+        "repo": "nixos-mailserver",
+        "type": "gitlab"
+      }
+    },
+    "utils": {
+      "locked": {
+        "lastModified": 1605370193,
+        "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5021eac20303a61fafe17224c087f5519baed54d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,25 @@
+{
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs/release-21.05";
+    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-21.05";
+  };
+
+  outputs = { self, nixpkgs, nixpkgs-unstable, simple-nixos-mailserver }: {
+    nixosConfigurations.loutreos = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [
+        ({ pkgs, ... }: {
+          nix.nixPath = [
+            "nixpkgs=${nixpkgs}"
+          ];
+        })
+        nixpkgs.nixosModules.notDetected
+        "${nixpkgs-unstable}/nixos/modules/services/audio/navidrome.nix"
+        simple-nixos-mailserver.nixosModule
+        ./systems/LoutreOS/configuration.nix
+      ];
+    };
+  };
+}
+
--- a/services/mail-server.nix
+++ b/services/mail-server.nix
@ -1,76 +0,0 @@
-{ lib, config, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.mailserver;
-in
-{
-  options.services.mailserver = {
-    enable = mkEnableOption "Mail Server";
-    domaine = mkOption {
-      type = types.str;
-      example = "example.com";
-      description = "Nom de domaine du serveur de mails";
-    };
-  };
-
-  imports = [
-    (builtins.fetchTarball {
-      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5cd6f8e7b3f5d5bf56e407c5e79a682cb250d911/nixos-mailserver-5cd6f8e7b3f5d5bf56e407c5e79a682cb250d911.tar.gz";
-      sha256 = "0vdq5qsz8vvaryyzsama76lh3v57abvq3j5a3hb23yp7z2wlrk63";
-    })
-  ];
-
-  config = mkIf cfg.enable {
-
-    mailserver = {
-      enable = true;
-      fqdn = "mail.${cfg.domaine}";
-      domains = [ cfg.domaine ];
-
-      # A list of all login accounts. To create the password hashes, use
-      # mkpasswd -m sha-512 "super secret password"
-      loginAccounts = {
-        "paul@${cfg.domaine}" = {
-          hashedPassword = "$6$8wWQbtqVqUoH8$pQKg0bZPcjCbuPvyhjJ1lQy949M/AgfmAye/hDEIVUnCfwtlUxC1yj8CBHpNKeiiXhd8IUqk9r0/IJNvB6okf0";
-        };
-      };
-
-      # Certificate setup
-      certificateScheme = 1;
-      certificateFile = "/var/lib/acme/${cfg.domaine}/fullchain.pem";
-      keyFile = "/var/lib/acme/${cfg.domaine}/key.pem";
-
-      # Enable IMAP and POP3
-      enableImap = true;
-      enablePop3 = true;
-      enableImapSsl = true;
-      enablePop3Ssl = true;
-
-      # Enable the ManageSieve protocol
-      enableManageSieve = true;
-    };
-
-    services.postfix = {
-      relayHost = "mailvps.nyanlout.re";
-      relayPort = 587;
-      config = {
-        smtp_tls_cert_file = lib.mkForce "/var/lib/postfix/postfixrelay.crt";
-        smtp_tls_key_file = lib.mkForce "/var/lib/postfix/postfixrelay.key";
-      };
-    };
-
-    security.acme.certs = {
-      "${cfg.domaine}" = {
-        extraDomainNames = [
-          "mail.${cfg.domaine}"
-        ];
-        postRun = ''
-          systemctl reload dovecot2.service
-        '';
-      };
-    };
-
-  };
-}
--- a/systems/LoutreOS/configuration.nix
+++ b/systems/LoutreOS/configuration.nix
@ -4,10 +4,6 @@

 { config, pkgs, ... }:

-let
-  gitRev = "4c45e960e797d660358a11723e736afee3998261";
-  nixpkgs = fetchTarball "https://github.com/nyanloutre/nixpkgs/archive/${gitRev}.tar.gz";
-in
 {
  imports = [
    ../common-cli.nix
@ -27,15 +23,17 @@ in
    tmpOnTmpfs = true;
  };

-  nix.nixPath = [
-    "nixpkgs=${nixpkgs}"
-    "nixos-config=/etc/nixos/configuration.nix"
-  ];
+  nix = {
+    package = pkgs.nixUnstable;
+    extraOptions = ''
+      experimental-features = nix-command flakes
+    '';
+  };

  documentation.nixos.enable = false;

  nixpkgs.config.allowUnfree = false;
-  nixpkgs.config.allowUnfreePredicate = (pkg: builtins.elem pkg.pname or (builtins.parseDrvName pkg.name).name [ "factorio-headless" "perl5.32.0-slimserver" "minecraft-server" ]);
+  nixpkgs.config.allowUnfreePredicate = (pkg: builtins.elem pkg.pname or (builtins.parseDrvName pkg.name).name [ "factorio-headless" "perl5.32.1-slimserver" "minecraft-server" ]);

  services.zfs = {
    autoSnapshot.enable = true;
@ -175,11 +173,14 @@ in
      home = "/home/autossh";
      createHome = true;
      group = "autossh";
+      isSystemUser = true;
    };
  };

  services.autossh.sessions = [ { extraArguments = "-N -R 0.0.0.0:2222:127.0.0.1:22 loutre@vps772619.ovh.net"; monitoringPort = 20000; name = "backup-ssh-reverse"; user = "autossh"; } ];

+  virtualisation.podman.enable = true;
+
  security.sudo.wheelNeedsPassword = false;

  system.stateVersion = "18.03";
--- a/systems/LoutreOS/hardware-configuration.nix
+++ b/systems/LoutreOS/hardware-configuration.nix
@ -4,10 +4,6 @@
 { config, lib, pkgs, ... }:

 {
-  imports =
-    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
-    ];
-
  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
@ -162,6 +158,16 @@
      fsType = "zfs";
    };

+  fileSystems."/mnt/paul-home" =
+    { device = "loutrepool/zfs-replicate/paul-fixe/fastaf/home";
+      fsType = "zfs";
+    };
+
+  fileSystems."/mnt/webdav" =
+    { device = "loutrepool/webdav";
+      fsType = "zfs";
+    };
+
  swapDevices =
    [
      {
--- a/systems/LoutreOS/medias.nix
+++ b/systems/LoutreOS/medias.nix
@ -6,6 +6,7 @@
      enable = true;
      home = "/var/lib/transmission";
      port = 9091;
+      group = "medias";
      settings = {
        rpc-bind-address = "127.0.0.1";
        rpc-host-whitelist = "*";
@ -24,11 +25,6 @@
      package = pkgs.jellyfin;
    };

-    slimserver = {
-      enable = true;
-      dataDir = "/var/lib/slimserver";
-    };
-
    navidrome = {
      enable = true;
      settings = {
@ -38,7 +34,10 @@
    };
  };

-  systemd.services.transmission.serviceConfig.BindPaths = [ "/mnt/medias" ];
+  systemd.services.transmission.serviceConfig = {
+    BindPaths = [ "/mnt/medias" ];
+    LimitNOFILE = 1048576;
+  };

  networking = {
    firewall.allowedTCPPorts = [
@ -49,4 +48,25 @@
      config.services.transmission.settings.peer-port
    ];
  };
+
+  virtualisation.oci-containers = {
+    backend = "podman";
+    containers = {
+      slimserver = {
+        image = "docker.io/lmscommunity/logitechmediaserver:stable";
+        volumes = [
+          "/mnt/medias/musique:/music:ro"
+          "/var/lib/slimserver:/config:rw"
+          "/etc/localtime:/etc/localtime:ro"
+        ];
+        ports = [
+          "9000:9000/tcp"
+          "9090:9090/tcp"
+          "3483:3483/tcp"
+          "3483:3483/udp"
+        ];
+        extraOptions = ["--pull=always"];
+      };
+    };
+  };
 }
--- a/systems/LoutreOS/monitoring.nix
+++ b/systems/LoutreOS/monitoring.nix
@ -112,98 +112,7 @@ in
      ZED_EMAIL_ADDR = [ "paul@nyanlout.re" ];
      ZED_NOTIFY_VERBOSE = true;
    };
-
-    loki = {
-      enable = true;
-      configuration = {
-        auth_enabled = false;
-        server.http_listen_port = 3100;
-        ingester = {
-          lifecycler = {
-            address = "127.0.0.1";
-            ring = {
-              kvstore.store = "inmemory";
-              replication_factor = 1;
  };
-          };
-          chunk_idle_period = "1h";
-          chunk_target_size = 1000000;
-        };
-        schema_config.configs = [
-          {
-            from = "2018-04-15";
-            store = "boltdb";
-            object_store = "filesystem";
-            schema = "v11";
-            index = {
-              prefix = "index_";
-              period = "168h";
-            };
-          }
-        ];
-        storage_config = {
-          boltdb.directory = "/var/lib/loki/index";
-          filesystem.directory = "/var/lib/loki/chunks";
-        };
-        limits_config = {
-          enforce_metric_name = false;
-          reject_old_samples = true;
-          reject_old_samples_max_age = "168h";
-        };
-        chunk_store_config.max_look_back_period = "168h";
-        table_manager = {
-          retention_deletes_enabled = true;
-          retention_period = "168h";
-        };
-      };
-    };
-
-    promtail = {
-      enable = true;
-      configuration = {
-        server = {
-          http_listen_port = 9080;
-          grpc_listen_port = 0;
-        };
-        positions.filename = "/tmp/positions.yaml";
-        clients = [ { url = "http://127.0.0.1:3100/loki/api/v1/push"; } ];
-        scrape_configs = [
-          {
-            job_name = "nginx";
-            static_configs = [
-              {
-                labels = {
-                  job = "nginx";
-                  __path__ = "/var/log/nginx/*log";
-                };
-              }
-            ];
-            pipeline_stages = [
-              {
-                match = {
-                  selector = ''{job="nginx"}'';
-                  stages = [
-                    {
-                      regex.expression = ''^(?P<remote_addr>[\w\.]+) - (?P<remote_user>[^ ]*) \[(?P<time_local>.*)\] "(?P<method>[^ ]*) (?P<request>[^ ]*) (?P<protocol>[^ ]*)" (?P<status>[\d]+) (?P<body_bytes_sent>[\d]+) "(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)"?'';
-                    }
-                    {
-                      labels = {
-                        method = null;
-                        request = null;
-                        status = null;
-                      };
-                    }
-                  ];
-                };
-              }
-            ];
-          }
-        ];
-      };
-    };
-  };
-
-  systemd.services.promtail.serviceConfig.SupplementaryGroups = [ "nginx" ];

  security.sudo.extraRules = [
    { commands = [ { command = "${pkgs.smartmontools}/bin/smartctl"; options = [ "NOPASSWD" ]; } ]; users = [ "telegraf" ]; }
--- a/systems/LoutreOS/services.nix
+++ b/systems/LoutreOS/services.nix
@ -14,17 +14,18 @@ let
  '';

  login_mail_alert = pkgs.writeShellScriptBin "mail_alert.sh" ''
-    if [ "$PAM_TYPE" != "close_session" ]; then
+    if [ "$PAM_TYPE" != "close_session" ] && [ "$PAM_USER" != "zfspaulfixe" ] && [ "$PAM_USER" != "synology" ] && [ "$PAM_USER" != "rezome" ]; then
      ${sendMail "paul@nyanlout.re" "SSH Login: $PAM_USER from $PAM_RHOST" "`env`"}/bin/mail.sh
    fi
  '';

  backup_mail_alert = sendMail "paul@nyanlout.re" "ERREUR: Sauvegarde Borg" "Impossible de terminer la sauvegarde. Merci de voir les logs";
+
+  unstable = import <nixos-unstable> { };
 in

 {
  imports = [
-    ../../services/mail-server.nix
    ../../services/python-ci.nix
    ../../services/sdtdserver.nix
    # ../../containers/vsftpd.nix
@ -34,7 +35,62 @@ in
    ./web.nix
  ];

+  security.acme.certs = {
+    "${domaine}" = {
+      extraDomainNames = [
+        "mail.${domaine}"
+      ];
+      postRun = ''
+        systemctl reload dovecot2.service
+      '';
+    };
+  };
+
+  mailserver = {
+    enable = true;
+    fqdn = "mail.${domaine}";
+    domains = [ domaine ];
+
+    # A list of all login accounts. To create the password hashes, use
+    # mkpasswd -m sha-512 "super secret password"
+    loginAccounts = {
+      "paul@${domaine}" = {
+        hashedPassword = "$6$8wWQbtqVqUoH8$pQKg0bZPcjCbuPvyhjJ1lQy949M/AgfmAye/hDEIVUnCfwtlUxC1yj8CBHpNKeiiXhd8IUqk9r0/IJNvB6okf0";
+      };
+      "claire@${domaine}" = {
+        hashedPassword = "$6$Y.vlWP9./DX$NEQQOLzYftbHOvXDkKdBYFAjzIjh8mlpomDuQRq6qkkZijrdy/p6jSbrpBLhoWwVmj4j1OWekHU1f4C9xCNJk.";
+      };
+    };
+
+    # Certificate setup
+    certificateScheme = 1;
+    certificateFile = "/var/lib/acme/${domaine}/fullchain.pem";
+    keyFile = "/var/lib/acme/${domaine}/key.pem";
+
+    # Enable IMAP and POP3
+    enableImap = true;
+    enablePop3 = true;
+    enableImapSsl = true;
+    enablePop3Ssl = true;
+
+    # Enable the ManageSieve protocol
+    enableManageSieve = true;
+  };
+
  services = {
+    postfix = {
+      relayHost = "mailvps.nyanlout.re";
+      relayPort = 587;
+      config = {
+        smtp_tls_cert_file = lib.mkForce "/var/lib/postfix/postfixrelay.crt";
+        smtp_tls_key_file = lib.mkForce "/var/lib/postfix/postfixrelay.key";
+      };
+    };
+
+    rspamd.workers.controller.extraConfig = ''
+      secure_ip = ["127.0.0.1", "10.30.135.71"];
+    '';
+
    redis.enable = true;

    logrotate = {
@ -56,11 +112,6 @@ in

    fstrim.enable = true;

-    mailserver = {
-      enable = true;
-      domaine = domaine;
-    };
-
    syncthing = {
      enable = true;
      dataDir = "/var/lib/syncthing";
@ -177,14 +228,18 @@ in
          "/var/lib/postgresql/.zfs/snapshot/borgsnap"
          "/var/lib/radarr"
          "/var/lib/sonarr"
-          "/var/lib/syncthing"
          "/var/lib/transmission"
          "/mnt/medias/musique"
          "/mnt/medias/torrent/lidarr"
          "/mnt/medias/torrent/musique"
+          "/mnt/paul-home/paul"
          "/var/sieve"
          "/var/vmail"
        ];
+        exclude = [
+          "/var/lib/radarr/.config/Radarr/radarr.db-wal"
+          "/var/lib/radarr/.config/Radarr/radarr.db-shm"
+        ];
        repo = "/mnt/backup/borg";
        encryption = {
          mode = "repokey-blake2";
@ -197,10 +252,11 @@ in
          monthly = 12;
        };
        preHook = "${pkgs.zfs}/bin/zfs snapshot loutrepool/var/postgresql@borgsnap";
+        readWritePaths = [ "/var/lib/postfix/queue/maildrop" ];
        postHook = ''
          ${pkgs.zfs}/bin/zfs destroy loutrepool/var/postgresql@borgsnap
          if [[ $exitStatus == 0 ]]; then
-            ${pkgs.rclone}/bin/rclone --config /mnt/secrets/rclone_loutre.conf sync -v $BORG_REPO BackupStorage:loutre
+            ${pkgs.rclone}/bin/rclone --config /mnt/secrets/rclone_loutre.conf sync -v $BORG_REPO BackupStorage:default
          else
            ${backup_mail_alert}/bin/mail.sh
          fi
@ -214,6 +270,11 @@ in
        path = "/mnt/backup_loutre/diskstation_borg";
        user = "synology";
      };
+      minecraft-rezome = {
+        authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc1nGsSesW96k0DPMSt/chjvCrYmfgPgHG1hdUYB5x0pZPdOJaVRIlETWdoFlO+ViviC518B3TF7Qc3oJXPZMchJQl684Nukbc312juf+j9z/KT3dqD8YvKX6o5ynx1Dyq52ftrfkBAEAvzE0OfRljUPbwGBOM0dGRD4R1jbiHquTXpITlbgGTZymbwr4Jr9W9atgf5kHMiX7xOqMZcasDtUE8g+AG4ysHdpjOrBOUM9QeRbVP1bxEFP8xjqOOoET5tbkwektP4B2jaf+EHBPUy2lkwjVEKT6MaSlkJx/wMvUWp25kG9mrXgwUw1bgfOeZIsK6ztcki3l92BJQD9ip shame@minecraft.rezom.eu" ];
+        path = "/mnt/backup_loutre/minecraft_rezome";
+        user = "rezome";
+      };
    };

    sdtdserver.enable = false;
@ -262,11 +323,13 @@ in
        };
        influxdb = null;
        config = null;
-        frontend.themes = "!include ${pkgs.fetchurl {
-          url = "https://raw.githubusercontent.com/bbbenji/synthwave-hass/0.3.3.1/themes/synthwave.yaml";
-          sha256 = "1n2yhk98cf778z7fdl5bswljhj45nv6bld191rxw7q6ckp235q4h";
-        }}";
+        dhcp = null;
+        frontend = null;
        history = null;
+        http = {
+          use_x_forwarded_for = true;
+          trusted_proxies = [ "127.0.0.1" ];
+        };
        logbook = null;
        map = null;
        mobile_app = null;
--- a/systems/LoutreOS/users.nix
+++ b/systems/LoutreOS/users.nix
@ -1,7 +1,7 @@
-{ config, pkgs, ... }:
+{ lib, config, pkgs, ... }:

 {
-  users.extraUsers = {
+  users.users = {
    paul = {
      uid = 1000;
      isNormalUser = true;
@ -24,11 +24,33 @@
      ];
    };

+    amandoleen = {
+      isNormalUser = true;
+      description = "Amandine <3";
+      openssh.authorizedKeys.keys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDRu0M10AfF2nS8Ky9JzQ4cDRbcjmR+LLvENohxTJhW4xwAwN/f2I0ObbiJ5PHC3mXi8V5JqnSaYNdIMXuULDxxc1QEa0aeLw4xIrYw1wEOrHvL9DeYvS289sRgWSb/PvyejEHwcBBm4Xf0/nQNQF462C064Ms56cT3YAOhNBA7ubyCAqd0VW8RHc1mZ5b/owzM7SviXrpcIM5QDPVP2051SxrqGbunAnwe5x2kNDeYqicyIik61rpYe+erhkyvL3WdgC7mHnF8VPKx049zIsfK5UmJwI+rI24cDUT9E6B4XZttpdyJK6i7/6NSYm4nrMXQxCF1tofd5yZK5vpYH8Dyiic5ykhB57kr1QCmck70VMmt77uOoMeGZ+IJCY5oZYcR/n04mUwN9mmRsECcr17a8IDQkmPd8PNbjrNRgtVKDVLtw4HyOPCAfdH+XzEGiMxnZfzq0rLEYU3S4RAkLpe2W3C0fWniEWzSnXj76AGcyJcxIVzrIYg4uzTgNhZlb08vO1ytw9QaEY17Po5YFjBD8fT9Z0UijG3WQBm7AmSrcg/OLP6UOghbnlkZFYpC0hYcbX1sTfdfysw9kT/d8BImQvwBzmJ/YRqHmCejZGTkCCmw8i93EYFm3uVFZypcSe50JV9rx9P7yPtWS4QVOg/6ltlvJiGsz45P87qjA9nO/Q== amandoleen"
+      ];
+    };
+
    synology = {
      uid = 1001;
      isNormalUser = true;
+      isSystemUser = lib.mkForce false;
      description = "Synology Diskstation maison";
    };
+
+    rezome = {
+      description = "Rezome Minecraft backup";
+    };
+
+    zfspaulfixe = {
+      uid = 1002;
+      isNormalUser = true;
+      openssh.authorizedKeys.keys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIQjzpEBNEwJhBTh82K5bJMyPSuHvYJyipaZYVtOZSJIDIRcec9YwMOQuMl9+O5kI36tiataEpmb/y3OWU567DXKp/BtljfVfNSQracKJPt6GJFOz4fKqCqoBh7M06ZGsBHUi/NsKIvw4asJsBuK6uACvxKFt2pSR6fp+/2y/3NH0LpDmDuuYORhciJUBC+RUTCLtVUfzkMAeR2p+M079Ia0rnkEXNFgc75FQon1bQu/0bnbHPweSwnNfRB0XPm6Qgz3sS2Cyhf1/GqgvARs80P4MWuqqZFXhsBTajOHOjCu6fiaylPNXNWfLnahkRzKIOkIy7/yEO+MmMD+V7pjbvSqB7MD1T5wfcPHvHTISM4E+7dw9aPj9+JspkgSSACtIFKsqxkWlq5creUV1syDm2Cd4rBnKrc8yWtAxBSusFWbAr6xtxP6I+ibS4trjNdHHrjMJK9jpbPxdblJJrO3qn6VYC/WzFAxzDDUi5ysGzNdpQLacacne/95gSGXCgIIc= root@paul-fixe"
+      ];
+      description = "paul-fixe zfs backup user";
+    };
  };

  users.extraGroups.medias = {
--- a/systems/LoutreOS/web.nix
+++ b/systems/LoutreOS/web.nix
@ -48,14 +48,24 @@ in
    acceptTerms = true;
  };

-  users.groups.work = {};
-  users.users.work = {
+  users.groups = {
+    work = {};
+    webdav = {};
+  };
+  users.users = {
+    work = {
      isSystemUser = true;
      group = config.users.groups.work.name;
    };
+    webdav = {
+      isSystemUser = true;
+      group = config.users.groups.webdav.name;
+    };
+  };

  services = {
-    phpfpm.pools.work = {
+    phpfpm.pools = {
+      work = {
        user = config.users.users.work.name;
        phpPackage = pkgs.php.withExtensions ({ all, ... }: with all; [ redis filter ]);
        settings = {
@ -68,10 +78,26 @@ in
          "pm.max_requests" = 500;
        };
      };
+      drive = {
+        user = config.users.users.webdav.name;
+        settings = {
+          "listen.owner" = config.services.nginx.user;
+          "pm" = "dynamic";
+          "pm.max_children" = 75;
+          "pm.start_servers" = 10;
+          "pm.min_spare_servers" = 5;
+          "pm.max_spare_servers" = 20;
+          "pm.max_requests" = 500;
+        };
+        phpOptions = ''
+          output_buffering=off
+        '';
+      };
+    };
    nginx = {
      enable = true;
      package = pkgs.nginx.override {
-        modules = with pkgs.nginxModules; [ dav ];
+        modules = with pkgs.nginxModules; [ dav moreheaders ];
      };
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
@ -83,12 +109,9 @@ in
        }
        add_header Strict-Transport-Security  $hsts_header;
        add_header Referrer-Policy            origin-when-cross-origin;
-
-        error_page 500 502 503 504 https://nyanlout.re/errorpages/50x.html;
      '';
      sso = {
        enable = true;
-        environmentFile = "/mnt/secrets/nginx-sso.env";
        configuration = {
          listen = {
            addr = "127.0.0.1";
@ -129,16 +152,27 @@ in
      };
      virtualHosts = let
        base = locations: {
-          inherit locations;
+          locations = locations // {
+            "@maintenance" = {
+              root = "/var/www/errorpages/";
+              extraConfig = ''
+                rewrite ^(.*)$ /50x.html break;
+              '';
+            };
+          };
          forceSSL = true;
          enableACME = true;
+          extraConfig = ''
+            error_page 500 502 503 504 = @maintenance;
+          '';
        };
        simpleReverse = rport: base {
          "/" = {
            proxyPass = "http://127.0.0.1:${toString(rport)}/";
          };
        };
-        authReverse = rport: base {
+        authReverse = rport: zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0) [
+          (base {
            "/" = {
              proxyPass = "http://127.0.0.1:${toString(rport)}/";
              extraConfig = ''
@ -146,17 +180,19 @@ in
                add_header Set-Cookie $cookie;
              '';
            };
-        } // {
+          })
+          {
            extraConfig = ''
              include ${nginxSsoAuth};
            '';
-        };
+          }
+        ];
      in {
        "nyanlout.re" = base {
          "/" = {
            alias = "/var/www/site-perso/";
          };
-          "/errorpages/" = {
+          "/maintenance/" = {
            alias = "/var/www/errorpages/";
          };
          "/.well-known/openpgpkey/" = {
@ -195,7 +231,11 @@ in
        "jackett.nyanlout.re" = authReverse 9117;
        "pgmanage.nyanlout.re" = authReverse config.services.pgmanage.port;
        "matrix.nyanlout.re" = simpleReverse 8008;
-        "emby.nyanlout.re" = simpleReverse 8096;
+        "emby.nyanlout.re" = recursiveUpdate (simpleReverse 8096) {
+          locations."/" = {
+            proxyWebsockets = true;
+          };
+        };
        "ci.nyanlout.re" = simpleReverse 52350;
        "gitea.nyanlout.re" = simpleReverse config.services.gitea.httpPort;
        "musique.nyanlout.re" = simpleReverse config.services.navidrome.settings.Port;
@ -204,27 +244,58 @@ in
            proxyWebsockets = true;
          };
        };
-        "work.rezom.eu" = base {
+        # "work.rezom.eu" = base {
+        #   "/" = {
+        #     index = "/_h5ai/public/index.php";
+        #     extraConfig = ''
+        #       dav_ext_methods PROPFIND OPTIONS;
+        #     '';
+        #   };
+        #   "~ ^/(_h5ai/public/index|random).php" = {
+        #     extraConfig = ''
+        #       fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        #       fastcgi_pass unix:${config.services.phpfpm.pools.work.socket};
+        #       include ${pkgs.nginx}/conf/fastcgi_params;
+        #       include ${pkgs.nginx}/conf/fastcgi.conf;
+        #     '';
+        #   };
+        # } // {
+        #   root = "/mnt/medias/iso_linux";
+        #   extraConfig = ''
+        #     access_log /var/log/nginx/$host.log;
+        #   '';
+        # };
+        "drive.nyanlout.re" = base {
          "/" = {
-            index = "/_h5ai/public/index.php";
-            extraConfig = ''
-              dav_ext_methods PROPFIND OPTIONS;
-            '';
-          };
-          "~ ^/(_h5ai/public/index|random).php" = {
+            index = "/index.php";
            extraConfig = ''
              fastcgi_split_path_info ^(.+\.php)(/.+)$;
-              fastcgi_pass unix:${config.services.phpfpm.pools.work.socket};
+              fastcgi_pass unix:${config.services.phpfpm.pools.drive.socket};
              include ${pkgs.nginx}/conf/fastcgi_params;
              include ${pkgs.nginx}/conf/fastcgi.conf;
+
+              client_max_body_size    0;
            '';
          };
        } // {
-          root = "/mnt/medias/iso_linux";
+          root = "/mnt/webdav";
+        };
+        "rspamd.nyanlout.re" = zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0) [
+          (base {
+            "/" = {
+              proxyPass = "http://unix:/run/rspamd/worker-controller.sock";
              extraConfig = ''
-            access_log /var/log/nginx/$host.log;
+                auth_request_set $cookie $upstream_http_set_cookie;
+                add_header Set-Cookie $cookie;
              '';
            };
+          })
+          {
+            extraConfig = ''
+              include ${nginxSsoAuth};
+            '';
+          }
+        ];
      };
    };

@ -261,26 +332,13 @@ in
    };

    python-ci.enable = true;
-
-    mastodon = {
-      enable = false;
-      localDomain = "social.nyanlout.re";
-      configureNginx = true;
-      extraConfig = {
-        SMTP_AUTH_METHOD = "none";
-        SMTP_OPENSSL_VERIFY_MODE = "none";
-      };
-      smtp = {
-        fromAddress = "social@nyanlout.re";
-        user = "social@nyanlout.re";
-        authenticate = false;
-      };
-      mediaPruneTimer = true;
-    };
  };

  systemd.services.nginx.serviceConfig = {
-    ReadWritePaths = "/var/www/hls";
+    ReadWritePaths = [
+      "/var/www/hls"
+      "/mnt/webdav"
+    ];
  };

  systemd.services.phpfpm-work.serviceConfig = {
@ -291,7 +349,7 @@ in
  };

  systemd.services.site-musique = let
-    djangoEnv =(pkgs.python3.withPackages (ps: with ps; [ gunicorn django_2_2 pillow setuptools ]));
+    djangoEnv =(pkgs.python3.withPackages (ps: with ps; [ gunicorn django_3 pillow setuptools ]));
  in {
    description = "Site Django de la musique de Meyenheim";
    after = [ "network.target" ];
@ -325,4 +383,6 @@ in
    wantedBy = [ "sockets.target" ];
    listenStreams = [ "/run/site-musique.sock" ];
  };
+
+  systemd.services.nginx-sso.serviceConfig.EnvironmentFile = "/mnt/secrets/nginx-sso.env";
 }
--- a/systems/common-cli.nix
+++ b/systems/common-cli.nix
@ -67,6 +67,7 @@
    binutils
    bat
    molly-guard
+    lz4

    # Développement
    openssl
Author	SHA1	Message	Date
nyanloutre	be9e640d3e	disable mastodon	2021-10-11 11:03:49 +02:00
nyanloutre	3c348df23e	change users config	2021-10-11 11:03:18 +02:00
nyanloutre	01ba2ce633	change home assistant config	2021-10-11 11:02:59 +02:00
nyanloutre	55b5529ea8	add minecraft backup user	2021-10-11 11:01:46 +02:00
nyanloutre	dc468ea4fe	fix backup config	2021-10-11 11:00:40 +02:00
nyanloutre	aecacc75d4	disable email notification for backup users	2021-10-11 11:00:25 +02:00
nyanloutre	d9500e4a24	fix transmission config	2021-10-11 11:00:09 +02:00
nyanloutre	d39e2659f7	disable loki and promtail	2021-10-11 10:59:16 +02:00
nyanloutre	d1212c9d73	update nginx conf	2021-10-11 10:58:02 +02:00
nyanloutre	dea468e9f1	setup zfs replication destination and backup	2021-10-11 10:52:39 +02:00
nyanloutre	c3a629cc03	set autossh as system user	2021-10-11 10:49:30 +02:00
nyanloutre	a1d875e903	migrate slimserver to docker container	2021-10-11 10:48:26 +02:00
nyanloutre	53cf463bba	migrate to nix flake	2021-10-11 10:43:57 +02:00
nyanloutre	999ee11693	Changes for 21.05	2021-07-28 23:07:30 +02:00