vskilet/nixos-config
1
0
Fork 0
forked from nyanloutre/nixos-config
Code Issues Pull Requests Releases Wiki Activity

Refactoring LoutreOS

Browse Source
This commit is contained in:
nyanloutre 2018-09-04 14:05:06 +02:00
parent 3792a3a19e
commit 8de365b923
3 changed files with 377 additions and 347 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
systems/LoutreOS/configuration.nix
View File

@ -5,37 +5,35 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
imports = imports = [
[ # Include the results of the hardware scan. ./hardware-configuration.nix
./hardware-configuration.nix ./users.nix
./users.nix ./services.nix
./services.nix ];
];
# Use the systemd-boot EFI boot loader. boot = {
boot.loader.systemd-boot.enable = true; loader = {
boot.loader.efi.canTouchEfiVariables = true; systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
boot.supportedFilesystems = [ "zfs" ]; supportedFilesystems = [ "zfs" ];
services.zfs.autoSnapshot.enable = true; tmpOnTmpfs = true;
services.zfs.autoScrub.enable = true; };
networking.hostName = "loutreos"; # Define your hostname. services.zfs = {
networking.hostId = "7e66e347"; autoSnapshot.enable = true;
autoScrub.enable = true;
};
# Select internationalisation properties. networking = {
# i18n = { hostName = "loutreos"; # Define your hostname.
# consoleFont = "Lat2-Terminus16"; hostId = "7e66e347";
# consoleKeyMap = "en"; };
# defaultLocale = "en_US.UTF-8";
# };
# Set your time zone.
time.timeZone = "Europe/Paris"; time.timeZone = "Europe/Paris";
# List packages installed in system profile. To search by name, run:
# $ nix-env -qaP | grep wget
nixpkgs.overlays = [ nixpkgs.overlays = [
(import ../../overlays/riot-web.nix) (import ../../overlays/riot-web.nix)
(import ../../overlays/sudo.nix) (import ../../overlays/sudo.nix)
@ -86,30 +84,23 @@
environment.variables = { EDITOR = "nvim"; }; environment.variables = { EDITOR = "nvim"; };
# Some programs need SUID wrappers, can be configured further or are services.openssh = {
# started in user sessions. enable = true;
# programs.bash.enableCompletion = true; permitRootLogin = "no";
# programs.mtr.enable = true; passwordAuthentication = false;
# programs.gnupg.agent = { enable = true; enableSSHSupport = true; }; };
# List services that you want to enable: networking.firewall = {
allowedTCPPorts = [ ];
# Enable the OpenSSH daemon. allowedUDPPorts = [ ];
services.openssh.enable = true; enable = true;
services.openssh.permitRootLogin = "no"; };
services.openssh.passwordAuthentication = false;
networking.firewall.allowedTCPPorts = [ ];
networking.firewall.allowedUDPPorts = [ ];
networking.firewall.enable = true;
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
system.autoUpgrade.enable = true; system.autoUpgrade.enable = true;
systemd.services.nixos-upgrade.path = with pkgs; [ gzip gnutar xz.bin config.nix.package.out ]; systemd.services.nixos-upgrade.path = with pkgs; [ gzip gnutar xz.bin config.nix.package.out ];
services.fstrim.enable = true;
nix.gc.automatic = true; nix.gc.automatic = true;
nix.gc.options = "--delete-older-than 15d"; nix.gc.options = "--delete-older-than 15d";

650
systems/LoutreOS/services.nix
View File

@ -10,12 +10,7 @@ let
max_port = 52348; max_port = 52348;
musique_port = 52349; musique_port = 52349;
ekleog_matrix_0_33 = pkgs.fetchgit { unstable = import <nixos-unstable> {};
url = "https://github.com/Ekleog/nixpkgs.git";
rev = "fe1fa933d168faec56767a9bd1daa0d47070bdf0";
sha256 = "02nlcs46ijjkwl8i521555gpd0w2if87p9bmdn2s5g728pz8mh27";
};
ekleog_matrix_0_33_pkgs = import ekleog_matrix_0_33 {};
in in
{ {
@ -26,320 +21,354 @@ in
../../services/site-max.nix ../../services/site-max.nix
]; ];
services.fail2ban.enable = true; services = {
services.smartd.enable = true; fail2ban.enable = true;
services.smartd.notifications.mail.enable = true;
services.smartd.notifications.mail.recipient = "paul@nyanlout.re";
services.haproxy-acme.enable = true; smartd = {
services.haproxy-acme.domaine = domaine; enable = true;
services.haproxy-acme.services = { defaults.monitored = "-a -o on -s (S/../.././02|L/../../7/04)";
"grafana.${domaine}" = { ip = "127.0.0.1"; port = 3000; auth = true; }; notifications.mail = {
"emby.${domaine}" = { ip = "127.0.0.1"; port = 8096; auth = false; }; enable = true;
"radarr.${domaine}" = { ip = "127.0.0.1"; port = 7878; auth = true; extraAcls = "acl API url_beg /api\n"; aclBool = "!AUTH_OK !API"; }; recipient = "paul@nyanlout.re";
"sonarr.${domaine}" = { ip = "127.0.0.1"; port = 8989; auth = true; extraAcls = "acl API url_beg /api\n"; aclBool = "!AUTH_OK !API"; };
"transmission.${domaine}" = { ip = "127.0.0.1"; port = 9091; auth = true; };
"syncthing.${domaine}" = { ip = "127.0.0.1"; port = 8384; auth = true; };
"jackett.${domaine}" = { ip = "127.0.0.1"; port = 9117; auth = true; };
"searx.${domaine}" = { ip = "127.0.0.1"; port = 8888; auth = false; };
"riot.${domaine}" = { ip = "127.0.0.1"; port = riot_port; auth = false; };
"matrix.${domaine}" = { ip = "127.0.0.1"; port = 8008; auth = false; };
"pgmanage.${domaine}" = { ip = "127.0.0.1"; port = pgmanage_port; auth = true; };
"gitea.${domaine}" = { ip = "127.0.0.1"; port = 3001; auth = false; };
};
services.mailserver.enable = true;
services.mailserver.domaine = domaine;
services.influxdb.enable = true;
services.influxdb.dataDir = "/var/db/influxdb";
services.telegraf.enable = true;
services.telegraf.extraConfig = {
inputs = {
zfs = { poolMetrics = true; };
net = { interfaces = [ "eno1" "eno2" "eno3" "eno4" ]; };
netstat = {};
cpu = { totalcpu = true; };
kernel = {};
mem = {};
processes = {};
system = {};
disk = {};
ipmi_sensor = { path = "${pkgs.ipmitool}/bin/ipmitool"; };
smart = {
path = "${pkgs.writeShellScriptBin "smartctl" "/run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl $@"}/bin/smartctl";
}; };
exec= [ };
{ commands = [
"${pkgs.python}/bin/python ${ fstrim.enable = true;
pkgs.fetchgit {
url = "https://gitea.nyanlout.re/nyanloutre/tplink-smartplug.git"; haproxy-acme = {
rev = "a0996112fc451b76448589698de440ad5fd6ea79"; enable = true;
sha256 = "1f1625g7rfsddgk428g76p8fr7vz5gfhq3f452q17bjni3rf2pj3"; domaine = domaine;
} services = {
}/tplink_smartplug.py -t 192.168.0.57 -c energy" "grafana.${domaine}" = { ip = "127.0.0.1"; port = 3000; auth = true; };
"emby.${domaine}" = { ip = "127.0.0.1"; port = 8096; auth = false; };
"radarr.${domaine}" = { ip = "127.0.0.1"; port = 7878; auth = true; extraAcls = "acl API url_beg /api\n"; aclBool = "!AUTH_OK !API"; };
"sonarr.${domaine}" = { ip = "127.0.0.1"; port = 8989; auth = true; extraAcls = "acl API url_beg /api\n"; aclBool = "!AUTH_OK !API"; };
"transmission.${domaine}" = { ip = "127.0.0.1"; port = 9091; auth = true; };
"syncthing.${domaine}" = { ip = "127.0.0.1"; port = 8384; auth = true; };
"jackett.${domaine}" = { ip = "127.0.0.1"; port = 9117; auth = true; };
"searx.${domaine}" = { ip = "127.0.0.1"; port = 8888; auth = false; };
"riot.${domaine}" = { ip = "127.0.0.1"; port = riot_port; auth = false; };
"matrix.${domaine}" = { ip = "127.0.0.1"; port = 8008; auth = false; };
"pgmanage.${domaine}" = { ip = "127.0.0.1"; port = pgmanage_port; auth = true; };
"gitea.${domaine}" = { ip = "127.0.0.1"; port = 3001; auth = false; };
};
};
mailserver = {
enable = true;
domaine = domaine;
};
influxdb = {
enable = true;
dataDir = "/var/db/influxdb";
};
telegraf = {
enable = true;
extraConfig = {
inputs = {
zfs = { poolMetrics = true; };
net = { interfaces = [ "eno1" "eno2" "eno3" "eno4" ]; };
netstat = {};
cpu = { totalcpu = true; };
kernel = {};
mem = {};
processes = {};
system = {};
disk = {};
ipmi_sensor = { path = "${pkgs.ipmitool}/bin/ipmitool"; };
smart = {
path = "${pkgs.writeShellScriptBin "smartctl" "/run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl $@"}/bin/smartctl";
};
exec= [
{ commands = [
"${pkgs.python}/bin/python ${
pkgs.fetchgit {
url = "https://gitea.nyanlout.re/nyanloutre/tplink-smartplug.git";
rev = "a0996112fc451b76448589698de440ad5fd6ea79";
sha256 = "1f1625g7rfsddgk428g76p8fr7vz5gfhq3f452q17bjni3rf2pj3";
}
}/tplink_smartplug.py -t 192.168.0.57 -c energy"
];
data_format = "json";
name_suffix = "_tplink-smartplug";
}
{
commands = [
"${pkgs.python3}/bin/python ${pkgs.writeText "zpool.py" ''
import json
from subprocess import check_output
columns = ["NAME", "SIZE", "ALLOC", "FREE", "EXPANDSZ", "FRAG", "CAP", "DEDUP", "HEALTH", "ALTROOT"]
health = {'ONLINE':0, 'DEGRADED':11, 'OFFLINE':21, 'UNAVAIL':22, 'FAULTED':23, 'REMOVED':24}
stdout = check_output(["${pkgs.zfs}/bin/zpool", "list", "-Hp"],encoding='UTF-8').split('\n')
parsed_stdout = list(map(lambda x: dict(zip(columns,x.split('\t'))), stdout))[:-1]
for pool in parsed_stdout:
for item in pool:
if item in ["SIZE", "ALLOC", "FREE", "FRAG", "CAP"]:
pool[item] = int(pool[item])
if item in ["DEDUP"]:
pool[item] = float(pool[item])
if item == "HEALTH":
pool[item] = health[pool[item]]
print(json.dumps(parsed_stdout))
''}"
];
tag_keys = [ "NAME" ];
data_format = "json";
name_suffix = "_python_zpool";
}
]; ];
data_format = "json"; };
name_suffix = "_tplink-smartplug"; outputs = {
influxdb = { database = "telegraf"; urls = [ "http://localhost:8086" ]; };
};
};
};
udev.extraRules = ''
KERNEL=="ipmi*", MODE="660", OWNER="telegraf"
'';
grafana = {
enable = true;
addr = "127.0.0.1";
dataDir = "/var/lib/grafana";
extraOptions = {
SERVER_ROOT_URL = "https://grafana.${domaine}";
SMTP_ENABLED = "true";
SMTP_FROM_ADDRESS = "grafana@${domaine}";
SMTP_SKIP_VERIFY = "true";
AUTH_DISABLE_LOGIN_FORM = "true";
AUTH_DISABLE_SIGNOUT_MENU = "true";
AUTH_ANONYMOUS_ENABLED = "true";
AUTH_ANONYMOUS_ORG_ROLE = "Admin";
AUTH_BASIC_ENABLED = "false";
};
};
emby = {
enable = true;
dataDir = "/var/lib/emby/ProgramData-Server";
};
slimserver = {
enable = true;
dataDir = "/var/lib/slimserver";
};
syncthing = {
enable = true;
dataDir = "/var/lib/syncthing";
openDefaultPorts = true;
};
nfs.server = {
enable = true;
exports = ''
/mnt/medias 192.168.0.0/24(ro,no_root_squash)
/exports/steam 192.168.0.0/24(rw,no_root_squash)
'';
statdPort = 4000;
lockdPort = 4001;
mountdPort = 4002;
};
transmission = {
enable = true;
home = "/var/lib/transmission";
settings = {
rpc-bind-address = "127.0.0.1";
rpc-host-whitelist = "*";
rpc-whitelist-enabled = false;
};
};
radarr.enable = true;
sonarr.enable = true;
jackett.enable = true;
searx.enable = true;
nginx = {
enable = true;
virtualHosts = {
"riot" = {
listen = [ { addr = "127.0.0.1"; port = riot_port; } ];
locations = { "/" = { root = pkgs.riot-web; }; };
};
};
};
postgresql.enable = true;
/*
matrix-synapse = {
enable = true;
package = unstable.matrix-synapse;
enable_registration = true;
server_name = "nyanlout.re";
listeners = [
{ # federation
bind_address = "";
port = 8448;
resources = [
{ compress = true; names = [ "client" "webclient" ]; }
{ compress = false; names = [ "federation" ]; }
];
tls = true;
type = "http";
x_forwarded = false;
} }
{ { # client
commands = [ bind_address = "127.0.0.1";
"${pkgs.python3}/bin/python ${pkgs.writeText "zpool.py" '' port = 8008;
import json resources = [
from subprocess import check_output { compress = true; names = [ "client" "webclient" ]; }
columns = ["NAME", "SIZE", "ALLOC", "FREE", "EXPANDSZ", "FRAG", "CAP", "DEDUP", "HEALTH", "ALTROOT"]
health = {'ONLINE':0, 'DEGRADED':11, 'OFFLINE':21, 'UNAVAIL':22, 'FAULTED':23, 'REMOVED':24}
stdout = check_output(["${pkgs.zfs}/bin/zpool", "list", "-Hp"],encoding='UTF-8').split('\n')
parsed_stdout = list(map(lambda x: dict(zip(columns,x.split('\t'))), stdout))[:-1]
for pool in parsed_stdout:
for item in pool:
if item in ["SIZE", "ALLOC", "FREE", "FRAG", "CAP"]:
pool[item] = int(pool[item])
if item in ["DEDUP"]:
pool[item] = float(pool[item])
if item == "HEALTH":
pool[item] = health[pool[item]]
print(json.dumps(parsed_stdout))
''}"
]; ];
tag_keys = [ "NAME" ]; tls = false;
data_format = "json"; type = "http";
name_suffix = "_python_zpool"; x_forwarded = true;
} }
]; ];
}; database_type = "psycopg2";
outputs = { database_args = {
influxdb = { database = "telegraf"; urls = [ "http://localhost:8086" ]; }; database = "matrix-synapse";
};
};
services.udev.extraRules = ''
KERNEL=="ipmi*", MODE="660", OWNER="telegraf"
'';
security.sudo.extraRules = [
{ commands = [ { command = "${pkgs.smartmontools}/bin/smartctl"; options = [ "NOPASSWD" ]; } ]; users = [ "telegraf" ]; }
];
services.grafana.enable = true;
services.grafana.addr = "127.0.0.1";
services.grafana.dataDir = "/var/lib/grafana";
services.grafana.extraOptions = {
SERVER_ROOT_URL = "https://grafana.${domaine}";
SMTP_ENABLED = "true";
SMTP_FROM_ADDRESS = "grafana@${domaine}";
SMTP_SKIP_VERIFY = "true";
AUTH_DISABLE_LOGIN_FORM = "true";
AUTH_DISABLE_SIGNOUT_MENU = "true";
AUTH_ANONYMOUS_ENABLED = "true";
AUTH_ANONYMOUS_ORG_ROLE = "Admin";
AUTH_BASIC_ENABLED = "false";
};
services.emby.enable = true;
services.emby.dataDir = "/var/lib/emby/ProgramData-Server";
services.slimserver.enable = true;
services.slimserver.dataDir = "/var/lib/slimserver";
services.syncthing.enable = true;
services.syncthing.dataDir = "/var/lib/syncthing";
services.syncthing.openDefaultPorts = true;
services.nfs.server = {
enable = true;
exports = ''
/mnt/medias 192.168.0.0/24(ro,no_root_squash)
/exports/steam 192.168.0.0/24(rw,no_root_squash)
'';
statdPort = 4000;
lockdPort = 4001;
mountdPort = 4002;
};
services.transmission.enable = true;
services.transmission.home = "/var/lib/transmission";
services.transmission.settings = {
rpc-bind-address = "127.0.0.1";
rpc-host-whitelist = "*";
rpc-whitelist-enabled = false;
};
services.radarr.enable = true;
services.sonarr.enable = true;
services.jackett.enable = true;
services.searx.enable = true;
services.nginx.enable = true;
services.nginx.virtualHosts = {
"riot" = {
listen = [ { addr = "127.0.0.1"; port = riot_port; } ];
locations = { "/" = { root = pkgs.riot-web; }; };
};
};
services.postgresql.enable = true;
services.matrix-synapse = {
enable = true;
package = ekleog_matrix_0_33_pkgs.matrix-synapse;
enable_registration = true;
server_name = "nyanlout.re";
listeners = [
{ # federation
bind_address = "";
port = 8448;
resources = [
{ compress = true; names = [ "client" "webclient" ]; }
{ compress = false; names = [ "federation" ]; }
];
tls = true;
type = "http";
x_forwarded = false;
}
{ # client
bind_address = "127.0.0.1";
port = 8008;
resources = [
{ compress = true; names = [ "client" "webclient" ]; }
];
tls = false;
type = "http";
x_forwarded = true;
}
];
database_type = "psycopg2";
database_args = {
database = "matrix-synapse";
};
extraConfig = ''
max_upload_size: "100M"
'';
logConfig = ''
version: 1
formatters:
journal_fmt:
format: '%(name)s: [%(request)s] %(message)s'
filters:
context:
(): synapse.util.logcontext.LoggingContextFilter
request: ""
handlers:
journal:
class: systemd.journal.JournalHandler
formatter: journal_fmt
filters: [context]
SYSLOG_IDENTIFIER: synapse
root:
level: WARNING
handlers: [journal]
disable_existing_loggers: False
'';
};
systemd.services.matrix-synapse.serviceConfig = {
MemoryHigh = "3G";
MemoryMax = "4G";
};
services.pgmanage.enable = true;
services.pgmanage.port = pgmanage_port;
services.pgmanage.connections = {
localhost = "hostaddr=127.0.0.1 port=5432 dbname=postgres";
};
services.borgbackup.jobs = {
loutre = {
paths = [
"/var/certs"
"/var/dkim"
"/var/lib/gitea"
"/var/lib/grafana"
"/var/lib/matrix-synapse"
"/var/lib/jackett"
"/var/lib/postgresql/.zfs/snapshot/borgsnap"
"/var/lib/radarr"
"/var/lib/sonarr"
"/var/lib/syncthing"
"/var/lib/transmission"
"/mnt/medias/musique"
"/mnt/medias/torrent/lidarr"
"/mnt/medias/torrent/musique"
"/var/sieve"
"/var/vmail"
];
repo = "/mnt/backup/borg";
encryption = {
mode = "repokey-blake2";
passCommand = "cat /mnt/secrets/borgbackup_loutre_encryption_pass";
}; };
startAt = "weekly"; extraConfig = ''
prune.keep = { max_upload_size: "100M"
within = "1d"; '';
weekly = 4; logConfig = ''
monthly = 12; version: 1
};
preHook = "${pkgs.zfs}/bin/zfs snapshot loutrepool/var/postgresql@borgsnap"; formatters:
postHook = '' journal_fmt:
${pkgs.zfs}/bin/zfs destroy loutrepool/var/postgresql@borgsnap format: '%(name)s: [%(request)s] %(message)s'
if [[ $exitStatus == 0 ]]; then
${pkgs.rclone}/bin/rclone --config /mnt/secrets/rclone_loutre.conf sync -v $BORG_REPO loutre_ovh:loutre filters:
fi context:
(): synapse.util.logcontext.LoggingContextFilter
request: ""
handlers:
journal:
class: systemd.journal.JournalHandler
formatter: journal_fmt
filters: [context]
SYSLOG_IDENTIFIER: synapse
root:
level: WARNING
handlers: [journal]
disable_existing_loggers: False
''; '';
}; };
}; */
services.borgbackup.repos = { pgmanage = {
diskstation = { enable = true;
authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDllbxON66dBju7sMnhX8/E0VRo3+PDYvDsHP0/FK+h8JHol4+pouLmI7KIDKYOJmSuom283OqnyZOMqk+RShTwWIFm9hOd2R9aj45Zrd9jPW2APOCec/Epgogj0bwBnc0l2v6qxkxaBMgL5DnAQ+E00uvL1UQpK8c8j4GGiPlkWJD6Kf+pxmnfH1TIm+J2XCwl0oeCkSK/Frd8eM+wCraMSzoaGiEcfMz2jK8hxDWjDxX7epU0ELF22BVCuyN8cYRoFTnV88E38PlaqsOqD5ePkxk425gDh7j/C06f8QKgnasVH2diixo92kYSd7i/RmfeXDDwAD5xqUvODczEuIdt root@DiskStation" ]; port = pgmanage_port;
path = "/mnt/backup_loutre/diskstation_borg"; connections = {
user = "synology"; localhost = "hostaddr=127.0.0.1 port=5432 dbname=postgres";
};
};
/*
borgbackup.jobs = {
loutre = {
paths = [
"/var/certs"
"/var/dkim"
"/var/lib/gitea"
"/var/lib/grafana"
"/var/lib/matrix-synapse"
"/var/lib/jackett"
"/var/lib/postgresql/.zfs/snapshot/borgsnap"
"/var/lib/radarr"
"/var/lib/sonarr"
"/var/lib/syncthing"
"/var/lib/transmission"
"/mnt/medias/musique"
"/mnt/medias/torrent/lidarr"
"/mnt/medias/torrent/musique"
"/var/sieve"
"/var/vmail"
];
repo = "/mnt/backup/borg";
encryption = {
mode = "repokey-blake2";
passCommand = "cat /mnt/secrets/borgbackup_loutre_encryption_pass";
};
startAt = "weekly";
prune.keep = {
within = "1d";
weekly = 4;
monthly = 12;
};
preHook = "${pkgs.zfs}/bin/zfs snapshot loutrepool/var/postgresql@borgsnap";
postHook = ''
${pkgs.zfs}/bin/zfs destroy loutrepool/var/postgresql@borgsnap
if [[ $exitStatus == 0 ]]; then
${pkgs.rclone}/bin/rclone --config /mnt/secrets/rclone_loutre.conf sync -v $BORG_REPO loutre_ovh:loutre
fi
'';
};
};
*/
borgbackup.repos = {
diskstation = {
authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDllbxON66dBju7sMnhX8/E0VRo3+PDYvDsHP0/FK+h8JHol4+pouLmI7KIDKYOJmSuom283OqnyZOMqk+RShTwWIFm9hOd2R9aj45Zrd9jPW2APOCec/Epgogj0bwBnc0l2v6qxkxaBMgL5DnAQ+E00uvL1UQpK8c8j4GGiPlkWJD6Kf+pxmnfH1TIm+J2XCwl0oeCkSK/Frd8eM+wCraMSzoaGiEcfMz2jK8hxDWjDxX7epU0ELF22BVCuyN8cYRoFTnV88E38PlaqsOqD5ePkxk425gDh7j/C06f8QKgnasVH2diixo92kYSd7i/RmfeXDDwAD5xqUvODczEuIdt root@DiskStation" ];
path = "/mnt/backup_loutre/diskstation_borg";
user = "synology";
};
};
gitea = {
enable = true;
cookieSecure = true;
httpPort = 3001;
rootUrl = "https://gitea.nyanlout.re/";
database = {
type = "postgres";
port = 5432;
passwordFile = "/mnt/secrets/gitea_database_passwordFile";
};
};
vsftpd = {
enable = true;
forceLocalLoginsSSL = true;
forceLocalDataSSL = true;
userlistDeny = false;
localUsers = true;
userlist = ["claire"];
rsaCertFile = "/var/vsftpd/vsftpd.pem";
extraConfig = ''
pasv_min_port=64000
pasv_max_port=65535
'';
};
site-musique = {
enable = true;
port = musique_port;
domaine = "musique-meyenheim.fr";
};
site-max = {
enable = true;
port = max_port;
domaine = "maxspiegel.fr";
}; };
}; };
services.gitea = {
enable = true;
cookieSecure = true;
httpPort = 3001;
rootUrl = "https://gitea.nyanlout.re/";
database.type = "postgres";
database.port = 5432;
database.passwordFile = "/mnt/secrets/gitea_database_passwordFile";
};
services.vsftpd = {
enable = true;
forceLocalLoginsSSL = true;
forceLocalDataSSL = true;
userlistDeny = false;
localUsers = true;
userlist = ["claire"];
rsaCertFile = "/var/vsftpd/vsftpd.pem";
extraConfig = ''
pasv_min_port=64000
pasv_max_port=65535
'';
};
services.site-musique.enable = true;
services.site-musique.port = musique_port;
services.site-musique.domaine = "musique-meyenheim.fr";
services.site-max.enable = true;
services.site-max.port = max_port;
services.site-max.domaine = "maxspiegel.fr";
/* /*
systemd.services.dogetipbot-telegram = { systemd.services.dogetipbot-telegram = {
after = [ "network.target" ]; after = [ "network.target" ];
@ -352,8 +381,19 @@ in
Group = "nogroup"; Group = "nogroup";
}; };
}; };
systemd.services.matrix-synapse = {
serviceConfig = {
MemoryHigh = "3G";
MemoryMax = "5G";
};
};
*/ */
security.sudo.extraRules = [
{ commands = [ { command = "${pkgs.smartmontools}/bin/smartctl"; options = [ "NOPASSWD" ]; } ]; users = [ "telegraf" ]; }
];
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
111 2049 4000 4001 4002 # NFS 111 2049 4000 4001 4002 # NFS
3483 9000 9090 # Slimserver 3483 9000 9090 # Slimserver

3
systems/LoutreOS/users.nix
View File

@ -34,8 +34,7 @@
}; };
}; };
users.extraGroups.medias = users.extraGroups.medias = {
{
gid = 498; gid = 498;
members = [ "slimserver" "radarr" "sonarr" "emby" "transmission" ]; members = [ "slimserver" "radarr" "sonarr" "emby" "transmission" ];
}; };