envoi mail après backup

haproxy: désactivation ciphers obsolètes
migration Emby -> Jellyfin
2019-06-15 14:37:58 +02:00 · 2019-06-15 14:36:44 +02:00 · 2019-06-15 14:36:14 +02:00
2 changed files with 33 additions and 15 deletions
--- a/services/haproxy-acme.nix
+++ b/services/haproxy-acme.nix
@ -13,9 +13,9 @@ let
      log /dev/log local1 notice
      user haproxy
      group haproxy
-      ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+      ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
      ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
-      ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+      ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
      ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    defaults
      option forwardfor
@ -58,6 +58,7 @@ let
        ''
        backend ${name}-backend
          mode http
+          ${value.extraBackend}
          ${(
            if value.socket == "" then
              ''
@ -100,6 +101,7 @@ in
        port = mkOption { type = int; description = "Port number"; };
        socket = mkOption { type = str; description = "Emplacement du socket"; default = ""; };
        auth = mkOption { type = bool; description = "Enable authentification"; default = false; };
+        extraBackend = mkOption { type = str; description = "Options backend HaProxy suplémentaires"; default = ""; };
        extraAcls = mkOption { type = str; description = "ACL HaProxy suplémentaires"; default = ""; };
        aclBool = mkOption { type = str; description = "Logique d'authentification"; default = "!AUTH_OK"; };
      }; });
--- a/systems/LoutreOS/services.nix
+++ b/systems/LoutreOS/services.nix
@ -12,15 +12,32 @@ let
  factorio_port = 52351;
  airsonic_port = 4040;

+  jellyfin_backend = ''
+    http-request set-header X-Forwarded-Port %[dst_port]
+    http-request add-header X-Forwarded-Proto https if { ssl_fc }
+  '';
+  sonarr_acl = ''
+    acl API path_beg /api
+  '';
+  sonarr_auth = ''
+    !AUTH_OK !API
+  '';
+
+  sendMail = to: subject: message: pkgs.writeShellScriptBin "mail.sh" ''
+    ${pkgs.system-sendmail}/bin/sendmail ${to} <<EOF
+    From: root@nyanlout.re
+    Subject: ${subject}
+    ${message}
+    EOF
+  '';
+
  login_mail_alert = pkgs.writeShellScriptBin "mail_alert.sh" ''
    if [ "$PAM_TYPE" != "close_session" ]; then
-    ${pkgs.system-sendmail}/bin/sendmail paul@nyanlout.re <<EOF
-    From: root@nyanlout.re
-    Subject: SSH Login: $PAM_USER from $PAM_RHOST
-    `env`
-    EOF
+      ${sendMail "paul@nyanlout.re" "SSH Login: $PAM_USER from $PAM_RHOST" "`env`"}
    fi
  '';
+
+  backup_mail_alert = sendMail "paul@nyanlout.re" "ERREUR: Sauvegarde Borg" "Impossible de terminer la sauvegarde. Merci de voir les logs";
 in

 {
@ -60,9 +77,9 @@ in
      domaine = domaine;
      services = {
        "grafana.${domaine}" = { ip = "127.0.0.1"; port = 3000; auth = true; };
-        "emby.${domaine}" = { ip = "127.0.0.1"; port = 8096; auth = false; };
-        "radarr.${domaine}" = { ip = "127.0.0.1"; port = 7878; auth = true; extraAcls = "acl API path_beg /api\n"; aclBool = "!AUTH_OK !API"; };
-        "sonarr.${domaine}" = { ip = "127.0.0.1"; port = 8989; auth = true; extraAcls = "acl API path_beg /api\n"; aclBool = "!AUTH_OK !API"; };
+        "emby.${domaine}" = { ip = "127.0.0.1"; port = 8096; auth = false; extraBackend = jellyfin_backend; };
+        "radarr.${domaine}" = { ip = "127.0.0.1"; port = 7878; auth = true; extraAcls = sonarr_acl; aclBool = sonarr_auth; };
+        "sonarr.${domaine}" = { ip = "127.0.0.1"; port = 8989; auth = true; extraAcls = sonarr_acl; aclBool = sonarr_auth; };
        "transmission.${domaine}" = { ip = "127.0.0.1"; port = 9091; auth = true; };
        "syncthing.${domaine}" = { ip = "127.0.0.1"; port = 8384; auth = true; };
        "jackett.${domaine}" = { ip = "127.0.0.1"; port = 9117; auth = true; };
@ -174,10 +191,7 @@ in
      };
    };

-    emby = {
-      enable = true;
-      dataDir = "/var/lib/emby/ProgramData-Server";
-    };
+    jellyfin.enable = true;

    slimserver = {
      enable = true;
@ -308,7 +322,7 @@ in
        paths = [
          "/var/certs"
          "/var/dkim"
-          "/var/lib/emby"
+          "/var/lib/jellyfin"
          "/var/lib/gitea"
          "/var/lib/grafana"
          "/var/lib/jackett"
@ -340,6 +354,8 @@ in
          ${pkgs.zfs}/bin/zfs destroy loutrepool/var/postgresql@borgsnap
          if [[ $exitStatus == 0 ]]; then
            ${pkgs.rclone}/bin/rclone --config /mnt/secrets/rclone_loutre.conf sync -v $BORG_REPO BackupStorage:loutre
+          else
+            ${backup_mail_alert}/bin/mail.sh
          fi
        '';
      };
Author	SHA1	Message	Date
nyanloutre	c0cdb3e29d	envoi mail après backup	2019-06-15 14:37:58 +02:00
nyanloutre	0f0eedc57b	haproxy: désactivation ciphers obsolètes	2019-06-15 14:36:44 +02:00
nyanloutre	b98d0b5bb4	migration Emby -> Jellyfin	2019-06-15 14:36:14 +02:00