From 8de365b92349365adb38dbb800678d5a32db744f Mon Sep 17 00:00:00 2001 From: nyanloutre Date: Tue, 4 Sep 2018 14:05:06 +0200 Subject: [PATCH] Refactoring LoutreOS --- systems/LoutreOS/configuration.nix | 71 ++-- systems/LoutreOS/services.nix | 650 +++++++++++++++-------------- systems/LoutreOS/users.nix | 3 +- 3 files changed, 377 insertions(+), 347 deletions(-) diff --git a/systems/LoutreOS/configuration.nix b/systems/LoutreOS/configuration.nix index 1e7538e..9cced72 100644 --- a/systems/LoutreOS/configuration.nix +++ b/systems/LoutreOS/configuration.nix @@ -5,37 +5,35 @@ { config, pkgs, ... }: { - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ./users.nix - ./services.nix - ]; + imports = [ + ./hardware-configuration.nix + ./users.nix + ./services.nix + ]; - # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; + boot = { + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; - boot.supportedFilesystems = [ "zfs" ]; + supportedFilesystems = [ "zfs" ]; - services.zfs.autoSnapshot.enable = true; - services.zfs.autoScrub.enable = true; + tmpOnTmpfs = true; + }; - networking.hostName = "loutreos"; # Define your hostname. - networking.hostId = "7e66e347"; + services.zfs = { + autoSnapshot.enable = true; + autoScrub.enable = true; + }; - # Select internationalisation properties. - # i18n = { - # consoleFont = "Lat2-Terminus16"; - # consoleKeyMap = "en"; - # defaultLocale = "en_US.UTF-8"; - # }; + networking = { + hostName = "loutreos"; # Define your hostname. + hostId = "7e66e347"; + }; - # Set your time zone. time.timeZone = "Europe/Paris"; - # List packages installed in system profile. To search by name, run: - # $ nix-env -qaP | grep wget nixpkgs.overlays = [ (import ../../overlays/riot-web.nix) (import ../../overlays/sudo.nix) 
@@ -86,30 +84,23 @@ environment.variables = { EDITOR = "nvim"; }; - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.bash.enableCompletion = true; - # programs.mtr.enable = true; - # programs.gnupg.agent = { enable = true; enableSSHSupport = true; }; + services.openssh = { + enable = true; + permitRootLogin = "no"; + passwordAuthentication = false; + }; - # List services that you want to enable: - - # Enable the OpenSSH daemon. - services.openssh.enable = true; - services.openssh.permitRootLogin = "no"; - services.openssh.passwordAuthentication = false; - - networking.firewall.allowedTCPPorts = [ ]; - networking.firewall.allowedUDPPorts = [ ]; - networking.firewall.enable = true; + networking.firewall = { + allowedTCPPorts = [ ]; + allowedUDPPorts = [ ]; + enable = true; + }; security.sudo.wheelNeedsPassword = false; system.autoUpgrade.enable = true; systemd.services.nixos-upgrade.path = with pkgs; [ gzip gnutar xz.bin config.nix.package.out ]; - services.fstrim.enable = true; - nix.gc.automatic = true; nix.gc.options = "--delete-older-than 15d"; diff --git a/systems/LoutreOS/services.nix b/systems/LoutreOS/services.nix index e59047e..4fbac5d 100644 --- a/systems/LoutreOS/services.nix +++ b/systems/LoutreOS/services.nix @@ -10,12 +10,7 @@ let max_port = 52348; musique_port = 52349; - ekleog_matrix_0_33 = pkgs.fetchgit { - url = "https://github.com/Ekleog/nixpkgs.git"; - rev = "fe1fa933d168faec56767a9bd1daa0d47070bdf0"; - sha256 = "02nlcs46ijjkwl8i521555gpd0w2if87p9bmdn2s5g728pz8mh27"; - }; - ekleog_matrix_0_33_pkgs = import ekleog_matrix_0_33 {}; + unstable = import {}; in { 
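Review bot: `passwordAuthentication = false;` in the new `services.openssh` block does not by itself close password logins, because NixOS releases of this period default `services.openssh.challengeResponseAuthentication` to true and sshd then still accepts the PAM keyboard-interactive method, which prompts for the same Unix password. Add `challengeResponseAuthentication = false;` beside the two existing options so that key-only access is actually enforced. The same hunk carries `security.sudo.wheelNeedsPassword = false;` as unchanged context, so any key compromise for a wheel user is immediately root; if that is a deliberate single-admin trade-off a one-line comment such as `# single-admin box: wheel -> root without password; SSH is key-only` on that line would make the intent reviewable.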
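Review bot: The replacement `unstable = import {};` drops a content-addressed pin (a fixed `rev` plus `sha256` on a `fetchgit` of nixpkgs) in favour of an unpinned import, so what this evaluates to now depends on the NIX_PATH or channel state of the host at build time rather than on a hash committed in the repository; as rendered the argument to `import` is also missing, presumably an angle-bracket path such as `<nixpkgs-unstable>` stripped by the renderer, which should be confirmed against the file. If the intent is to track unstable, `import (fetchTarball { url = "…"; sha256 = "…"; }) {}` keeps the build reproducible and lets a changed tarball fail loudly. Note that `unstable` is referenced only inside the `matrix-synapse` block that this same patch comments out, so the binding is dead until that service is re-enabled.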
@@ -26,320 +21,354 @@ in ../../services/site-max.nix ]; - services.fail2ban.enable = true; + services = { - services.smartd.enable = true; - services.smartd.notifications.mail.enable = true; - services.smartd.notifications.mail.recipient = "paul@nyanlout.re"; + fail2ban.enable = true; - services.haproxy-acme.enable = true; - services.haproxy-acme.domaine = domaine; - services.haproxy-acme.services = { - "grafana.${domaine}" = { ip = "127.0.0.1"; port = 3000; auth = true; }; - "emby.${domaine}" = { ip = "127.0.0.1"; port = 8096; auth = false; }; - "radarr.${domaine}" = { ip = "127.0.0.1"; port = 7878; auth = true; extraAcls = "acl API url_beg /api\n"; aclBool = "!AUTH_OK !API"; }; - "sonarr.${domaine}" = { ip = "127.0.0.1"; port = 8989; auth = true; extraAcls = "acl API url_beg /api\n"; aclBool = "!AUTH_OK !API"; }; - "transmission.${domaine}" = { ip = "127.0.0.1"; port = 9091; auth = true; }; - "syncthing.${domaine}" = { ip = "127.0.0.1"; port = 8384; auth = true; }; - "jackett.${domaine}" = { ip = "127.0.0.1"; port = 9117; auth = true; }; - "searx.${domaine}" = { ip = "127.0.0.1"; port = 8888; auth = false; }; - "riot.${domaine}" = { ip = "127.0.0.1"; port = riot_port; auth = false; }; - "matrix.${domaine}" = { ip = "127.0.0.1"; port = 8008; auth = false; }; - "pgmanage.${domaine}" = { ip = "127.0.0.1"; port = pgmanage_port; auth = true; }; - "gitea.${domaine}" = { ip = "127.0.0.1"; port = 3001; auth = false; }; - }; - - services.mailserver.enable = true; - services.mailserver.domaine = domaine; - - services.influxdb.enable = true; - services.influxdb.dataDir = "/var/db/influxdb"; - - services.telegraf.enable = true; - services.telegraf.extraConfig = { - inputs = { - zfs = { poolMetrics = true; }; - net = { interfaces = [ "eno1" "eno2" "eno3" "eno4" ]; }; - netstat = {}; - cpu = { totalcpu = true; }; - kernel = {}; - mem = {}; - processes = {}; - system = {}; - disk = {}; - ipmi_sensor = { path = "${pkgs.ipmitool}/bin/ipmitool"; }; - smart = { - path = 
"${pkgs.writeShellScriptBin "smartctl" "/run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl $@"}/bin/smartctl"; + smartd = { + enable = true; + defaults.monitored = "-a -o on -s (S/../.././02|L/../../7/04)"; + notifications.mail = { + enable = true; + recipient = "paul@nyanlout.re"; }; - exec= [ - { commands = [ - "${pkgs.python}/bin/python ${ - pkgs.fetchgit { - url = "https://gitea.nyanlout.re/nyanloutre/tplink-smartplug.git"; - rev = "a0996112fc451b76448589698de440ad5fd6ea79"; - sha256 = "1f1625g7rfsddgk428g76p8fr7vz5gfhq3f452q17bjni3rf2pj3"; - } - }/tplink_smartplug.py -t 192.168.0.57 -c energy" + }; + + fstrim.enable = true; + + haproxy-acme = { + enable = true; + domaine = domaine; + services = { + "grafana.${domaine}" = { ip = "127.0.0.1"; port = 3000; auth = true; }; + "emby.${domaine}" = { ip = "127.0.0.1"; port = 8096; auth = false; }; + "radarr.${domaine}" = { ip = "127.0.0.1"; port = 7878; auth = true; extraAcls = "acl API url_beg /api\n"; aclBool = "!AUTH_OK !API"; }; + "sonarr.${domaine}" = { ip = "127.0.0.1"; port = 8989; auth = true; extraAcls = "acl API url_beg /api\n"; aclBool = "!AUTH_OK !API"; }; + "transmission.${domaine}" = { ip = "127.0.0.1"; port = 9091; auth = true; }; + "syncthing.${domaine}" = { ip = "127.0.0.1"; port = 8384; auth = true; }; + "jackett.${domaine}" = { ip = "127.0.0.1"; port = 9117; auth = true; }; + "searx.${domaine}" = { ip = "127.0.0.1"; port = 8888; auth = false; }; + "riot.${domaine}" = { ip = "127.0.0.1"; port = riot_port; auth = false; }; + "matrix.${domaine}" = { ip = "127.0.0.1"; port = 8008; auth = false; }; + "pgmanage.${domaine}" = { ip = "127.0.0.1"; port = pgmanage_port; auth = true; }; + "gitea.${domaine}" = { ip = "127.0.0.1"; port = 3001; auth = false; }; + }; + }; + + mailserver = { + enable = true; + domaine = domaine; + }; + + influxdb = { + enable = true; + dataDir = "/var/db/influxdb"; + }; + + telegraf = { + enable = true; + extraConfig = { + inputs = { + zfs = { poolMetrics = true; }; + net = 
{ interfaces = [ "eno1" "eno2" "eno3" "eno4" ]; }; + netstat = {}; + cpu = { totalcpu = true; }; + kernel = {}; + mem = {}; + processes = {}; + system = {}; + disk = {}; + ipmi_sensor = { path = "${pkgs.ipmitool}/bin/ipmitool"; }; + smart = { + path = "${pkgs.writeShellScriptBin "smartctl" "/run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl $@"}/bin/smartctl"; + }; + exec= [ + { commands = [ + "${pkgs.python}/bin/python ${ + pkgs.fetchgit { + url = "https://gitea.nyanlout.re/nyanloutre/tplink-smartplug.git"; + rev = "a0996112fc451b76448589698de440ad5fd6ea79"; + sha256 = "1f1625g7rfsddgk428g76p8fr7vz5gfhq3f452q17bjni3rf2pj3"; + } + }/tplink_smartplug.py -t 192.168.0.57 -c energy" + ]; + data_format = "json"; + name_suffix = "_tplink-smartplug"; + } + { + commands = [ + "${pkgs.python3}/bin/python ${pkgs.writeText "zpool.py" '' + import json + from subprocess import check_output + + columns = ["NAME", "SIZE", "ALLOC", "FREE", "EXPANDSZ", "FRAG", "CAP", "DEDUP", "HEALTH", "ALTROOT"] + health = {'ONLINE':0, 'DEGRADED':11, 'OFFLINE':21, 'UNAVAIL':22, 'FAULTED':23, 'REMOVED':24} + + stdout = check_output(["${pkgs.zfs}/bin/zpool", "list", "-Hp"],encoding='UTF-8').split('\n') + parsed_stdout = list(map(lambda x: dict(zip(columns,x.split('\t'))), stdout))[:-1] + + for pool in parsed_stdout: + for item in pool: + if item in ["SIZE", "ALLOC", "FREE", "FRAG", "CAP"]: + pool[item] = int(pool[item]) + if item in ["DEDUP"]: + pool[item] = float(pool[item]) + if item == "HEALTH": + pool[item] = health[pool[item]] + + print(json.dumps(parsed_stdout)) + ''}" + ]; + tag_keys = [ "NAME" ]; + data_format = "json"; + name_suffix = "_python_zpool"; + } ]; - data_format = "json"; - name_suffix = "_tplink-smartplug"; + }; + outputs = { + influxdb = { database = "telegraf"; urls = [ "http://localhost:8086" ]; }; + }; + }; + }; + + udev.extraRules = '' + KERNEL=="ipmi*", MODE="660", OWNER="telegraf" + ''; + + grafana = { + enable = true; + addr = "127.0.0.1"; + dataDir = 
"/var/lib/grafana"; + extraOptions = { + SERVER_ROOT_URL = "https://grafana.${domaine}"; + SMTP_ENABLED = "true"; + SMTP_FROM_ADDRESS = "grafana@${domaine}"; + SMTP_SKIP_VERIFY = "true"; + AUTH_DISABLE_LOGIN_FORM = "true"; + AUTH_DISABLE_SIGNOUT_MENU = "true"; + AUTH_ANONYMOUS_ENABLED = "true"; + AUTH_ANONYMOUS_ORG_ROLE = "Admin"; + AUTH_BASIC_ENABLED = "false"; + }; + }; + + emby = { + enable = true; + dataDir = "/var/lib/emby/ProgramData-Server"; + }; + + slimserver = { + enable = true; + dataDir = "/var/lib/slimserver"; + }; + + syncthing = { + enable = true; + dataDir = "/var/lib/syncthing"; + openDefaultPorts = true; + }; + + nfs.server = { + enable = true; + exports = '' + /mnt/medias 192.168.0.0/24(ro,no_root_squash) + /exports/steam 192.168.0.0/24(rw,no_root_squash) + ''; + statdPort = 4000; + lockdPort = 4001; + mountdPort = 4002; + }; + + transmission = { + enable = true; + home = "/var/lib/transmission"; + settings = { + rpc-bind-address = "127.0.0.1"; + rpc-host-whitelist = "*"; + rpc-whitelist-enabled = false; + }; + }; + + radarr.enable = true; + sonarr.enable = true; + jackett.enable = true; + + searx.enable = true; + + nginx = { + enable = true; + virtualHosts = { + "riot" = { + listen = [ { addr = "127.0.0.1"; port = riot_port; } ]; + locations = { "/" = { root = pkgs.riot-web; }; }; + }; + }; + }; + + postgresql.enable = true; + + /* + matrix-synapse = { + enable = true; + package = unstable.matrix-synapse; + enable_registration = true; + server_name = "nyanlout.re"; + listeners = [ + { # federation + bind_address = ""; + port = 8448; + resources = [ + { compress = true; names = [ "client" "webclient" ]; } + { compress = false; names = [ "federation" ]; } + ]; + tls = true; + type = "http"; + x_forwarded = false; } - { - commands = [ - "${pkgs.python3}/bin/python ${pkgs.writeText "zpool.py" '' - import json - from subprocess import check_output - - columns = ["NAME", "SIZE", "ALLOC", "FREE", "EXPANDSZ", "FRAG", "CAP", "DEDUP", "HEALTH", "ALTROOT"] 
- health = {'ONLINE':0, 'DEGRADED':11, 'OFFLINE':21, 'UNAVAIL':22, 'FAULTED':23, 'REMOVED':24} - - stdout = check_output(["${pkgs.zfs}/bin/zpool", "list", "-Hp"],encoding='UTF-8').split('\n') - parsed_stdout = list(map(lambda x: dict(zip(columns,x.split('\t'))), stdout))[:-1] - - for pool in parsed_stdout: - for item in pool: - if item in ["SIZE", "ALLOC", "FREE", "FRAG", "CAP"]: - pool[item] = int(pool[item]) - if item in ["DEDUP"]: - pool[item] = float(pool[item]) - if item == "HEALTH": - pool[item] = health[pool[item]] - - print(json.dumps(parsed_stdout)) - ''}" + { # client + bind_address = "127.0.0.1"; + port = 8008; + resources = [ + { compress = true; names = [ "client" "webclient" ]; } ]; - tag_keys = [ "NAME" ]; - data_format = "json"; - name_suffix = "_python_zpool"; + tls = false; + type = "http"; + x_forwarded = true; } ]; - }; - outputs = { - influxdb = { database = "telegraf"; urls = [ "http://localhost:8086" ]; }; - }; - }; - - services.udev.extraRules = '' - KERNEL=="ipmi*", MODE="660", OWNER="telegraf" - ''; - - security.sudo.extraRules = [ - { commands = [ { command = "${pkgs.smartmontools}/bin/smartctl"; options = [ "NOPASSWD" ]; } ]; users = [ "telegraf" ]; } - ]; - - services.grafana.enable = true; - services.grafana.addr = "127.0.0.1"; - services.grafana.dataDir = "/var/lib/grafana"; - services.grafana.extraOptions = { - SERVER_ROOT_URL = "https://grafana.${domaine}"; - SMTP_ENABLED = "true"; - SMTP_FROM_ADDRESS = "grafana@${domaine}"; - SMTP_SKIP_VERIFY = "true"; - AUTH_DISABLE_LOGIN_FORM = "true"; - AUTH_DISABLE_SIGNOUT_MENU = "true"; - AUTH_ANONYMOUS_ENABLED = "true"; - AUTH_ANONYMOUS_ORG_ROLE = "Admin"; - AUTH_BASIC_ENABLED = "false"; - }; - - services.emby.enable = true; - services.emby.dataDir = "/var/lib/emby/ProgramData-Server"; - - services.slimserver.enable = true; - services.slimserver.dataDir = "/var/lib/slimserver"; - - services.syncthing.enable = true; - services.syncthing.dataDir = "/var/lib/syncthing"; - 
services.syncthing.openDefaultPorts = true; - - services.nfs.server = { - enable = true; - exports = '' - /mnt/medias 192.168.0.0/24(ro,no_root_squash) - /exports/steam 192.168.0.0/24(rw,no_root_squash) - ''; - statdPort = 4000; - lockdPort = 4001; - mountdPort = 4002; - }; - - services.transmission.enable = true; - services.transmission.home = "/var/lib/transmission"; - services.transmission.settings = { - rpc-bind-address = "127.0.0.1"; - rpc-host-whitelist = "*"; - rpc-whitelist-enabled = false; - }; - - services.radarr.enable = true; - services.sonarr.enable = true; - services.jackett.enable = true; - - services.searx.enable = true; - - services.nginx.enable = true; - services.nginx.virtualHosts = { - "riot" = { - listen = [ { addr = "127.0.0.1"; port = riot_port; } ]; - locations = { "/" = { root = pkgs.riot-web; }; }; - }; - }; - - services.postgresql.enable = true; - services.matrix-synapse = { - enable = true; - package = ekleog_matrix_0_33_pkgs.matrix-synapse; - enable_registration = true; - server_name = "nyanlout.re"; - listeners = [ - { # federation - bind_address = ""; - port = 8448; - resources = [ - { compress = true; names = [ "client" "webclient" ]; } - { compress = false; names = [ "federation" ]; } - ]; - tls = true; - type = "http"; - x_forwarded = false; - } - { # client - bind_address = "127.0.0.1"; - port = 8008; - resources = [ - { compress = true; names = [ "client" "webclient" ]; } - ]; - tls = false; - type = "http"; - x_forwarded = true; - } - ]; - database_type = "psycopg2"; - database_args = { - database = "matrix-synapse"; - }; - extraConfig = '' - max_upload_size: "100M" - ''; - logConfig = '' - version: 1 - - formatters: - journal_fmt: - format: '%(name)s: [%(request)s] %(message)s' - - filters: - context: - (): synapse.util.logcontext.LoggingContextFilter - request: "" - - handlers: - journal: - class: systemd.journal.JournalHandler - formatter: journal_fmt - filters: [context] - SYSLOG_IDENTIFIER: synapse - - root: - level: 
WARNING - handlers: [journal] - - disable_existing_loggers: False - ''; - }; - - systemd.services.matrix-synapse.serviceConfig = { - MemoryHigh = "3G"; - MemoryMax = "4G"; - }; - - services.pgmanage.enable = true; - services.pgmanage.port = pgmanage_port; - services.pgmanage.connections = { - localhost = "hostaddr=127.0.0.1 port=5432 dbname=postgres"; - }; - - services.borgbackup.jobs = { - loutre = { - paths = [ - "/var/certs" - "/var/dkim" - "/var/lib/gitea" - "/var/lib/grafana" - "/var/lib/matrix-synapse" - "/var/lib/jackett" - "/var/lib/postgresql/.zfs/snapshot/borgsnap" - "/var/lib/radarr" - "/var/lib/sonarr" - "/var/lib/syncthing" - "/var/lib/transmission" - "/mnt/medias/musique" - "/mnt/medias/torrent/lidarr" - "/mnt/medias/torrent/musique" - "/var/sieve" - "/var/vmail" - ]; - repo = "/mnt/backup/borg"; - encryption = { - mode = "repokey-blake2"; - passCommand = "cat /mnt/secrets/borgbackup_loutre_encryption_pass"; + database_type = "psycopg2"; + database_args = { + database = "matrix-synapse"; }; - startAt = "weekly"; - prune.keep = { - within = "1d"; - weekly = 4; - monthly = 12; - }; - preHook = "${pkgs.zfs}/bin/zfs snapshot loutrepool/var/postgresql@borgsnap"; - postHook = '' - ${pkgs.zfs}/bin/zfs destroy loutrepool/var/postgresql@borgsnap - if [[ $exitStatus == 0 ]]; then - ${pkgs.rclone}/bin/rclone --config /mnt/secrets/rclone_loutre.conf sync -v $BORG_REPO loutre_ovh:loutre - fi + extraConfig = '' + max_upload_size: "100M" + ''; + logConfig = '' + version: 1 + + formatters: + journal_fmt: + format: '%(name)s: [%(request)s] %(message)s' + + filters: + context: + (): synapse.util.logcontext.LoggingContextFilter + request: "" + + handlers: + journal: + class: systemd.journal.JournalHandler + formatter: journal_fmt + filters: [context] + SYSLOG_IDENTIFIER: synapse + + root: + level: WARNING + handlers: [journal] + + disable_existing_loggers: False ''; }; - }; + */ - services.borgbackup.repos = { - diskstation = { - authorizedKeys = [ "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDllbxON66dBju7sMnhX8/E0VRo3+PDYvDsHP0/FK+h8JHol4+pouLmI7KIDKYOJmSuom283OqnyZOMqk+RShTwWIFm9hOd2R9aj45Zrd9jPW2APOCec/Epgogj0bwBnc0l2v6qxkxaBMgL5DnAQ+E00uvL1UQpK8c8j4GGiPlkWJD6Kf+pxmnfH1TIm+J2XCwl0oeCkSK/Frd8eM+wCraMSzoaGiEcfMz2jK8hxDWjDxX7epU0ELF22BVCuyN8cYRoFTnV88E38PlaqsOqD5ePkxk425gDh7j/C06f8QKgnasVH2diixo92kYSd7i/RmfeXDDwAD5xqUvODczEuIdt root@DiskStation" ]; - path = "/mnt/backup_loutre/diskstation_borg"; - user = "synology"; + pgmanage = { + enable = true; + port = pgmanage_port; + connections = { + localhost = "hostaddr=127.0.0.1 port=5432 dbname=postgres"; + }; + }; + + /* + borgbackup.jobs = { + loutre = { + paths = [ + "/var/certs" + "/var/dkim" + "/var/lib/gitea" + "/var/lib/grafana" + "/var/lib/matrix-synapse" + "/var/lib/jackett" + "/var/lib/postgresql/.zfs/snapshot/borgsnap" + "/var/lib/radarr" + "/var/lib/sonarr" + "/var/lib/syncthing" + "/var/lib/transmission" + "/mnt/medias/musique" + "/mnt/medias/torrent/lidarr" + "/mnt/medias/torrent/musique" + "/var/sieve" + "/var/vmail" + ]; + repo = "/mnt/backup/borg"; + encryption = { + mode = "repokey-blake2"; + passCommand = "cat /mnt/secrets/borgbackup_loutre_encryption_pass"; + }; + startAt = "weekly"; + prune.keep = { + within = "1d"; + weekly = 4; + monthly = 12; + }; + preHook = "${pkgs.zfs}/bin/zfs snapshot loutrepool/var/postgresql@borgsnap"; + postHook = '' + ${pkgs.zfs}/bin/zfs destroy loutrepool/var/postgresql@borgsnap + if [[ $exitStatus == 0 ]]; then + ${pkgs.rclone}/bin/rclone --config /mnt/secrets/rclone_loutre.conf sync -v $BORG_REPO loutre_ovh:loutre + fi + ''; + }; + }; + */ + + borgbackup.repos = { + diskstation = { + authorizedKeys = [ "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDllbxON66dBju7sMnhX8/E0VRo3+PDYvDsHP0/FK+h8JHol4+pouLmI7KIDKYOJmSuom283OqnyZOMqk+RShTwWIFm9hOd2R9aj45Zrd9jPW2APOCec/Epgogj0bwBnc0l2v6qxkxaBMgL5DnAQ+E00uvL1UQpK8c8j4GGiPlkWJD6Kf+pxmnfH1TIm+J2XCwl0oeCkSK/Frd8eM+wCraMSzoaGiEcfMz2jK8hxDWjDxX7epU0ELF22BVCuyN8cYRoFTnV88E38PlaqsOqD5ePkxk425gDh7j/C06f8QKgnasVH2diixo92kYSd7i/RmfeXDDwAD5xqUvODczEuIdt root@DiskStation" ]; + path = "/mnt/backup_loutre/diskstation_borg"; + user = "synology"; + }; + }; + + gitea = { + enable = true; + cookieSecure = true; + httpPort = 3001; + rootUrl = "https://gitea.nyanlout.re/"; + database = { + type = "postgres"; + port = 5432; + passwordFile = "/mnt/secrets/gitea_database_passwordFile"; + }; + }; + + vsftpd = { + enable = true; + forceLocalLoginsSSL = true; + forceLocalDataSSL = true; + userlistDeny = false; + localUsers = true; + userlist = ["claire"]; + rsaCertFile = "/var/vsftpd/vsftpd.pem"; + extraConfig = '' + pasv_min_port=64000 + pasv_max_port=65535 + ''; + }; + + site-musique = { + enable = true; + port = musique_port; + domaine = "musique-meyenheim.fr"; + }; + + site-max = { + enable = true; + port = max_port; + domaine = "maxspiegel.fr"; }; }; - services.gitea = { - enable = true; - cookieSecure = true; - httpPort = 3001; - rootUrl = "https://gitea.nyanlout.re/"; - database.type = "postgres"; - database.port = 5432; - database.passwordFile = "/mnt/secrets/gitea_database_passwordFile"; - }; - - services.vsftpd = { - enable = true; - forceLocalLoginsSSL = true; - forceLocalDataSSL = true; - userlistDeny = false; - localUsers = true; - userlist = ["claire"]; - rsaCertFile = "/var/vsftpd/vsftpd.pem"; - extraConfig = '' - pasv_min_port=64000 - pasv_max_port=65535 - ''; - }; - - services.site-musique.enable = true; - services.site-musique.port = musique_port; - services.site-musique.domaine = "musique-meyenheim.fr"; - - services.site-max.enable = true; - services.site-max.port = max_port; - services.site-max.domaine = "maxspiegel.fr"; - /* 
systemd.services.dogetipbot-telegram = { after = [ "network.target" ]; @@ -352,8 +381,19 @@ in Group = "nogroup"; }; }; + + systemd.services.matrix-synapse = { + serviceConfig = { + MemoryHigh = "3G"; + MemoryMax = "5G"; + }; + }; */ + security.sudo.extraRules = [ + { commands = [ { command = "${pkgs.smartmontools}/bin/smartctl"; options = [ "NOPASSWD" ]; } ]; users = [ "telegraf" ]; } + ]; + networking.firewall.allowedTCPPorts = [ 111 2049 4000 4001 4002 # NFS 3483 9000 9090 # Slimserver diff --git a/systems/LoutreOS/users.nix b/systems/LoutreOS/users.nix index 820812d..9a0b3f4 100644 --- a/systems/LoutreOS/users.nix +++ b/systems/LoutreOS/users.nix @@ -34,8 +34,7 @@ }; }; - users.extraGroups.medias = - { + users.extraGroups.medias = { gid = 498; members = [ "slimserver" "radarr" "sonarr" "emby" "transmission" ]; };
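Review bot: Wrapping `borgbackup.jobs.loutre` in `/* … */` disables the only backup of `/var/certs`, `/var/dkim`, `/var/vmail`, the PostgreSQL ZFS snapshot and the gitea and synapse state, and with it the weekly `rclone sync` to the off-site target, while the `diskstation` repo that remains only serves another machine's backups. If the job is being parked while synapse is reworked, either keep it enabled with the `/var/lib/matrix-synapse` path removed or put `# TODO(nyanloutre): backups disabled on 2018-09-04, re-enable` on the opening `/*` so the gap stays visible. Two items carried over unchanged on the new side are worth a follow-up rather than this commit: the Grafana block combines `AUTH_ANONYMOUS_ENABLED = "true"` with `AUTH_ANONYMOUS_ORG_ROLE = "Admin"` and a disabled login form, so the `auth = true` flag in the `haproxy-acme` entry is the only thing between an unauthenticated client and Grafana admin, and the `smartctl` wrapper passes `$@` unquoted where `"$@"` is needed. This hunk ends inside the `dogetipbot-telegram` comment block, which continues past it.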
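Review bot: The `security.sudo.extraRules` entry moved here grants `telegraf` `NOPASSWD` execution of `${pkgs.smartmontools}/bin/smartctl` with no argument restriction, and with `runAs` left at its default that appears to mean as any user including root, so a compromise of the telegraf service, which also runs a fetched `tplink_smartplug.py` and talks to the network, turns into root-level smartctl including write operations such as `-s` or `-t`. The NixOS `command` string may carry arguments, so restricting the rule to the exact read-only invocations the `smart` input issues, confirmable from its source or from `journalctl -u telegraf`, would narrow this to what the collector needs. The other change in this hunk only edits the commented-out `matrix-synapse` memory limits, which has no effect until that block is restored.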