Automatisation mise à jour site Max

Accès NFS via VPN Wireguard
Configuration VPN Wireguard
2018-09-16 16:29:26 +02:00 · 2018-09-16 16:29:07 +02:00 · 2018-09-16 16:28:47 +02:00 · 2018-09-16 16:28:16 +02:00 · 2018-09-16 16:26:50 +02:00
3 changed files with 81 additions and 23 deletions
--- a/services/site-max.nix
+++ b/services/site-max.nix
@ -28,14 +28,51 @@ in
      ${cfg.domaine} = { ip = "127.0.0.1"; port = cfg.port; auth = false; };
    };

-    services.nginx.virtualHosts = {
-      "max" = {
-        listen = [ { addr = "127.0.0.1"; port = cfg.port; } ];
-        locations."/" = {
-          root = pkgs.site-max;
+    services.nginx = {
+      virtualHosts = {
+        "max" = {
+          listen = [ { addr = "127.0.0.1"; port = cfg.port; } ];
+          locations."/" = {
+            root = "/run/site-max/result";
+          };
        };
      };
    };

+    systemd.services.build-site-max = {
+      description = "Compilation du site de Max Spiegel";
+      requires = ["network-online.target"];
+      path = with pkgs;[ git nix ];
+      environment = { HOME = "/var/lib/site-max"; NIX_PATH = "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs"; };
+
+      serviceConfig = {
+        DynamicUser = true;
+        RuntimeDirectory = "site-max";
+        RuntimeDirectoryPreserve = "yes";
+        CacheDirectory = "site-max";
+        Type = "oneshot";
+        ExecStart = "${pkgs.writeShellScriptBin "build.sh" ''
+          set -x
+          set -e
+          GIT_CLONE_DIR=/var/cache/site-max
+
+          if [ ! -d $GIT_CLONE_DIR/.git ]; then
+            git clone --depth 1 https://github.com/nyanloutre/site-max.git $GIT_CLONE_DIR
+          else
+            git -C $GIT_CLONE_DIR pull
+          fi
+
+          nix-build -o /run/site-max/result $GIT_CLONE_DIR
+        ''}/bin/build.sh";
+      };
+    };
+
+    systemd.timers.build-site-max = {
+      description = "Timer de compilation du site de Max";
+      requires = ["network-online.target"];
+      wantedBy = ["multi-user.target"];
+      timerConfig = { OnCalendar = "*:0/5"; Unit = "build-site-max.service"; };
+    };
+
  };
 }
--- a/systems/LoutreOS/configuration.nix
+++ b/systems/LoutreOS/configuration.nix
@ -62,6 +62,7 @@
    telnet
    tldr
    fzf
+    file
  ];

  nixpkgs.config.allowUnfree = true;
--- a/systems/LoutreOS/services.nix
+++ b/systems/LoutreOS/services.nix
@ -42,8 +42,8 @@ in
      services = {
        "grafana.${domaine}" = { ip = "127.0.0.1"; port = 3000; auth = true; };
        "emby.${domaine}" = { ip = "127.0.0.1"; port = 8096; auth = false; };
-        "radarr.${domaine}" = { ip = "127.0.0.1"; port = 7878; auth = true; extraAcls = "acl API url_beg /api\n"; aclBool = "!AUTH_OK !API"; };
-        "sonarr.${domaine}" = { ip = "127.0.0.1"; port = 8989; auth = true; extraAcls = "acl API url_beg /api\n"; aclBool = "!AUTH_OK !API"; };
+        "radarr.${domaine}" = { ip = "127.0.0.1"; port = 7878; auth = true; extraAcls = "acl API path_beg /api\n"; aclBool = "!AUTH_OK !API"; };
+        "sonarr.${domaine}" = { ip = "127.0.0.1"; port = 8989; auth = true; extraAcls = "acl API path_beg /api\n"; aclBool = "!AUTH_OK !API"; };
        "transmission.${domaine}" = { ip = "127.0.0.1"; port = 9091; auth = true; };
        "syncthing.${domaine}" = { ip = "127.0.0.1"; port = 8384; auth = true; };
        "jackett.${domaine}" = { ip = "127.0.0.1"; port = 9117; auth = true; };
@ -171,7 +171,7 @@ in
    nfs.server = {
      enable = true;
      exports = ''
-        /mnt/medias  192.168.0.0/24(ro,no_root_squash)
+        /mnt/medias  192.168.0.0/16(ro,no_root_squash)
        /exports/steam  192.168.0.0/24(rw,no_root_squash)
      '';
      statdPort = 4000;
@ -394,19 +394,39 @@ in
    { commands = [ { command = "${pkgs.smartmontools}/bin/smartctl"; options = [ "NOPASSWD" ]; } ]; users = [ "telegraf" ]; }
  ];

-  networking.firewall.allowedTCPPorts = [
-    111 2049 4000 4001 4002 # NFS
-    3483 9000 9090 # Slimserver
-    51413 # Transmission
-    8448 # Matrix federation
-    20 21 # FTP
-  ];
-  networking.firewall.allowedTCPPortRanges = [
-    { from = 64000; to = 65535; } # FTP
-  ];
-  networking.firewall.allowedUDPPorts = [
-    111 2049 4000 4001 4002 # NFS
-    3483 # Slimserver
-    51413 # Transmission
-  ];
+  networking = {
+    wireguard.interfaces = {
+      wg0 = {
+        ips = [ "192.168.20.1/24" ];
+        privateKeyFile = "/mnt/secrets/wireguard/wg0.privatekey";
+        listenPort = 51820;
+        allowedIPsAsRoutes = false;
+        peers = [
+          {
+            allowedIPs = [ "0.0.0.0/0" ];
+            publicKey = "b/SXiqo+GPdNOc54lyEVeUBc6B5AbVMKh+g5EZPGzlE=";
+          }
+        ];
+      };
+    };
+
+    firewall.allowedTCPPorts = [
+      111 2049 4000 4001 4002 # NFS
+      3483 9000 9090 # Slimserver
+      51413 # Transmission
+      8448 # Matrix federation
+      20 21 # FTP
+    ];
+
+    firewall.allowedTCPPortRanges = [
+      { from = 64000; to = 65535; } # FTP
+    ];
+
+    firewall.allowedUDPPorts = [
+      111 2049 4000 4001 4002 # NFS
+      3483 # Slimserver
+      51413 # Transmission
+      51820 # Wireguard
+    ];
+  };
 }
Author	SHA1	Message	Date
nyanloutre	3bba3d3e23	Automatisation mise à jour site Max	2018-09-16 16:29:26 +02:00
nyanloutre	daff7842ea	Accès NFS via VPN Wireguard	2018-09-16 16:29:07 +02:00
nyanloutre	fd9b34cd2f	Configuration VPN Wireguard	2018-09-16 16:28:47 +02:00
nyanloutre	42d4d02071	[haproxy] remplacement `url_beg` par `path_beg`	2018-09-16 16:28:16 +02:00
nyanloutre	62402392e9	Installation paquet file	2018-09-16 16:26:50 +02:00