From 366f7f2a7b856c07237db8059de6d71df52e21fe Mon Sep 17 00:00:00 2001
From: Richie Cahill
Date: Fri, 25 Oct 2024 13:45:17 -0400
Subject: [PATCH] enabled firewall on jeeves
---
systems/jeeves/default.nix | 1 +
systems/jeeves/docker/haproxy.cfg | 6 ++
systems/jeeves/docker/internal.nix | 85 --------------------
systems/jeeves/docker/photoprism.nix | 114 +++++++++++----------------
systems/jeeves/docker/prowlarr.nix | 19 +++++
systems/jeeves/docker/qbit.nix | 29 +++++++
systems/jeeves/docker/qbitvpn.nix | 41 ++++++++++
systems/jeeves/docker/sonarr.nix | 21 +++++
systems/jeeves/docker/web.nix | 1 -
systems/jeeves/networking.nix | 2 +-
10 files changed, 164 insertions(+), 155 deletions(-)
delete mode 100644 systems/jeeves/docker/internal.nix
create mode 100644 systems/jeeves/docker/prowlarr.nix
create mode 100644 systems/jeeves/docker/qbit.nix
create mode 100644 systems/jeeves/docker/qbitvpn.nix
create mode 100644 systems/jeeves/docker/sonarr.nix
diff --git a/systems/jeeves/default.nix b/systems/jeeves/default.nix
index 38b2fa8..f4f4d94 100644
--- a/systems/jeeves/default.nix
+++ b/systems/jeeves/default.nix
@@ -35,6 +35,7 @@ in
 plex = {
 enable = true;
 dataDir = vars.media_plex;
+ openFirewall = true;
 };
 smartd.enable = true;
diff --git a/systems/jeeves/docker/haproxy.cfg b/systems/jeeves/docker/haproxy.cfg
index d12a20e..c61e33c 100644
--- a/systems/jeeves/docker/haproxy.cfg
+++ b/systems/jeeves/docker/haproxy.cfg
@@ -30,6 +30,7 @@ frontend ContentSwitching
 acl host_filebrowser hdr(host) -i filebrowser.tmmworkshop.com
 acl host_grafana hdr(host) -i grafana.tmmworkshop.com
 acl host_mirror hdr(host) -i mirror.tmmworkshop.com
+ acl host_photoprism hdr(host) -i photoprism.tmmworkshop.com
 acl host_uptime_kuma hdr(host) -i uptimekuma-jeeves.tmmworkshop.com
 use_backend audiobookshelf_nodes if host_audiobookshelf
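Review bot: `openFirewall = true;` on the plex service opens whatever port set the NixOS plex module defines, which as far as I recall is TCP 32400 plus several UDP discovery ports, not only the web port. If only 32400 needs to be reachable from outside, the narrower form is to leave this option off and add `networking.firewall.allowedTCPPorts = [ 32400 ];` next to the other per-service firewall entries introduced by this commit. A short comment on this line recording why the module's full port set is wanted would make the firewall change easier to audit later. The enclosing `services` attrset starts outside the hunk.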
@@ -37,6 +38,7 @@ frontend ContentSwitching
 use_backend filebrowser_nodes if host_filebrowser
 use_backend grafana_nodes if host_grafana
 use_backend mirror_nodes if host_mirror
+ use_backend photoprism_nodes if host_photoprism
 use_backend uptime_kuma_nodes if host_uptime_kuma
 backend mirror_nodes
@@ -55,6 +57,10 @@ backend filebrowser_nodes
 mode http
 server server filebrowser:8080
+backend photoprism_nodes
+ mode http
+ server server photoprism:2342
+
 backend uptime_kuma_nodes
 mode http
 server server uptime_kuma:3001
diff --git a/systems/jeeves/docker/internal.nix b/systems/jeeves/docker/internal.nix
deleted file mode 100644
index ee2ffef..0000000
--- a/systems/jeeves/docker/internal.nix
+++ /dev/null
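Review bot: `backend photoprism_nodes` proxies plain HTTP to `photoprism:2342`, but the photoprism container in this same commit keeps `PHOTOPRISM_DISABLE_TLS="false"` and `PHOTOPRISM_DEFAULT_TLS="true"`; if those settings make PhotoPrism serve HTTPS on 2342, requests through this backend will fail at the upstream. Either set the container to disable its own TLS so haproxy is the single TLS endpoint on the `web` network, or declare this server line with `ssl` and a CA it can verify rather than skipping verification. A one-line comment on the backend stating which side terminates TLS would prevent the two files drifting apart again.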
@@ -1,85 +0,0 @@
-let
- vars = import ../vars.nix;
-in
-{
- virtualisation.oci-containers.containers = {
- qbit = {
- image = "ghcr.io/linuxserver/qbittorrent:latest";
- ports = [
- "6881:6881"
- "6881:6881/udp"
- "8082:8082"
- "29432:29432"
- ];
- volumes = [
- "${vars.media_docker_configs}/qbit:/config"
- "${vars.torrenting_qbit}:/data"
- ];
- environment = {
- PUID = "600";
- PGID = "100";
- TZ = "America/New_York";
- WEBUI_PORT = "8082";
- };
- autoStart = true;
- };
- qbitvpn = {
- image = "binhex/arch-qbittorrentvpn:latest";
- extraOptions = [ "--cap-add=NET_ADMIN" ];
- ports = [
- "6882:6881"
- "6882:6881/udp"
- "8081:8081"
- "8118:8118"
- ];
- volumes = [
- "${vars.media_docker_configs}/qbitvpn:/config"
- "${vars.torrenting_qbitvpn}:/data"
- "/etc/localtime:/etc/localtime:ro"
- ];
- environment = {
- WEBUI_PORT = "8081";
- PUID = "600";
- PGID = "100";
- VPN_ENABLED = "yes";
- VPN_CLIENT = "openvpn";
- STRICT_PORT_FORWARD = "yes";
- ENABLE_PRIVOXY = "yes";
- LAN_NETWORK = "192.168.90.0/24";
- NAME_SERVERS = "1.1.1.1,1.0.0.1";
- UMASK = "000";
- DEBUG = "false";
- DELUGE_DAEMON_LOG_LEVEL = "debug";
- DELUGE_WEB_LOG_LEVEL = "debug";
- };
- environmentFiles = ["${vars.storage_secrets}/docker/qbitvpn"];
- autoStart = true;
- };
- prowlarr = {
- image = "ghcr.io/linuxserver/prowlarr:latest";
- ports = [ "9696:9696" ];
- environment = {
- PUID = "600";
- PGID = "100";
- TZ = "America/New_York";
- };
- volumes = [ "${vars.media_docker_configs}/prowlarr:/config" ];
- autoStart = true;
- };
- sonarr = {
- image = "ghcr.io/linuxserver/sonarr:latest";
- ports = [ "8989:8989" ];
- environment = {
- PUID = "600";
- PGID = "100";
- TZ = "America/New_York";
- };
- volumes = [
- "${vars.media_docker_configs}/sonarr:/config"
- "${vars.storage_plex}/tv:/tv"
- "${vars.torrenting_qbitvpn}:/data"
- ];
- autoStart = true;
- };
- };
-}
diff --git a/systems/jeeves/docker/photoprism.nix b/systems/jeeves/docker/photoprism.nix
index 085b307..8e71f42 100644
--- a/systems/jeeves/docker/photoprism.nix
+++ b/systems/jeeves/docker/photoprism.nix
@@ -2,75 +2,53 @@ let
 vars = import ../vars.nix;
 in
 {
-
-
-
- virtualisation.oci-containers.containers = {
- photoprism = {
- image = "photoprism/photoprism:latest";
- ports = [ "2342:2342" ];
- volumes = [
- "${vars.media_docker_configs}/photoprism:/photoprism/storage"
- "${vars.storage_photos}/originals:/photoprism/originals"
- "${vars.storage_photos}/import:/photoprism/import"
- ];
- environment = {
- PHOTOPRISM_ADMIN_USER="admin";
- PHOTOPRISM_AUTH_MODE="password";
- PHOTOPRISM_DISABLE_TLS="false";
- PHOTOPRISM_DEFAULT_TLS="true";
- PHOTOPRISM_ORIGINALS_LIMIT="30000";
- PHOTOPRISM_HTTP_COMPRESSION="gzip";
- PHOTOPRISM_LOG_LEVEL="info";
- PHOTOPRISM_READONLY="false";
- PHOTOPRISM_EXPERIMENTAL="false";
- PHOTOPRISM_DISABLE_CHOWN="false";
- PHOTOPRISM_DISABLE_WEBDAV="false";
- PHOTOPRISM_DISABLE_SETTINGS="false";
- PHOTOPRISM_DISABLE_TENSORFLOW="false";
- PHOTOPRISM_DISABLE_FACES="false";
- PHOTOPRISM_DISABLE_CLASSIFICATION="false";
- PHOTOPRISM_DISABLE_VECTORS="false";
- PHOTOPRISM_DISABLE_RAW="false";
- PHOTOPRISM_RAW_PRESETS="false";
- PHOTOPRISM_SIDECAR_YAML="true";
- PHOTOPRISM_BACKUP_ALBUMS="true";
- PHOTOPRISM_BACKUP_DATABASE="true";
- PHOTOPRISM_BACKUP_SCHEDULE="daily";
- PHOTOPRISM_INDEX_SCHEDULE="";
- PHOTOPRISM_AUTO_INDEX="300";
- PHOTOPRISM_AUTO_IMPORT= "-1";
- PHOTOPRISM_DETECT_NSFW="false";
- PHOTOPRISM_UPLOAD_NSFW="true";
- PHOTOPRISM_DATABASE_DRIVER="mysql";
- PHOTOPRISM_DATABASE_SERVER="photoprism_mariadb:3306";
- PHOTOPRISM_DATABASE_NAME="photoprism";
- PHOTOPRISM_DATABASE_USER="photoprism";
- PHOTOPRISM_SITE_CAPTION="AI-Powered Photos App";
- PHOTOPRISM_SITE_DESCRIPTION="";
- PHOTOPRISM_SITE_AUTHOR="";
- PHOTOPRISM_UID="600";
- PHOTOPRISM_GID="600";
- # PHOTOPRISM_UMASK: 0000
- };
- environmentFiles = ["${vars.storage_secrets}/docker/photoprism"];
- autoStart = true;
- dependsOn = [ "photoprism_mariadb" ];
- extraOptions = [ "--network=web" ];
- };
- photoprism_mariadb = {
- image = "mariadb:11";
- volumes = [ "${vars.media_database}/photoprism_mariadb:/var/lib/photoprism_mariadb" ];
- environment = {
- MARIADB_AUTO_UPGRADE = "1";
- MARIADB_INITDB_SKIP_TZINFO = "1";
- MARIADB_DATABASE = "photoprism";
- MARIADB_USER = "photoprism";
- };
- environmentFiles = ["${vars.storage_secrets}/docker/photoprism"];
- cmd = [ "--innodb-buffer-pool-size=512M" "--transaction-isolation=READ-COMMITTED" "--character-set-server=utf8mb4" "--collation-server=utf8mb4_unicode_ci" "--max-connections=512" "--innodb-rollback-on-timeout=OFF" "--innodb-lock-wait-timeout=120" ];
- autoStart = true;
- extraOptions = [ "--network=web" ];
+ virtualisation.oci-containers.containers.photoprism = {
+ image = "photoprism/photoprism:latest";
+ volumes = [
+ "${vars.media_docker_configs}/photoprism:/photoprism/storage"
+ "${vars.storage_photos}/originals:/photoprism/originals"
+ "${vars.storage_photos}/import:/photoprism/import"
+ ];
+ environment = {
+ PHOTOPRISM_ADMIN_USER="admin";
+ PHOTOPRISM_AUTH_MODE="password";
+ PHOTOPRISM_DISABLE_TLS="false";
+ PHOTOPRISM_DEFAULT_TLS="true";
+ PHOTOPRISM_ORIGINALS_LIMIT="30000";
+ PHOTOPRISM_HTTP_COMPRESSION="gzip";
+ PHOTOPRISM_LOG_LEVEL="info";
+ PHOTOPRISM_READONLY="false";
+ PHOTOPRISM_EXPERIMENTAL="false";
+ PHOTOPRISM_DISABLE_CHOWN="false";
+ PHOTOPRISM_DISABLE_WEBDAV="false";
+ PHOTOPRISM_DISABLE_SETTINGS="false";
+ PHOTOPRISM_DISABLE_TENSORFLOW="false";
+ PHOTOPRISM_DISABLE_FACES="false";
+ PHOTOPRISM_DISABLE_CLASSIFICATION="false";
+ PHOTOPRISM_DISABLE_VECTORS="false";
+ PHOTOPRISM_DISABLE_RAW="false";
+ PHOTOPRISM_RAW_PRESETS="false";
+ PHOTOPRISM_SIDECAR_YAML="true";
+ PHOTOPRISM_BACKUP_ALBUMS="true";
+ PHOTOPRISM_BACKUP_DATABASE="true";
+ PHOTOPRISM_BACKUP_SCHEDULE="daily";
+ PHOTOPRISM_INDEX_SCHEDULE="";
+ PHOTOPRISM_AUTO_INDEX="300";
+ PHOTOPRISM_AUTO_IMPORT= "-1";
+ PHOTOPRISM_DETECT_NSFW="false";
+ PHOTOPRISM_UPLOAD_NSFW="true";
+ PHOTOPRISM_DATABASE_DRIVER="sqlite";
+ PHOTOPRISM_SITE_CAPTION="AI-Powered Photos App";
+ PHOTOPRISM_SITE_DESCRIPTION="";
+ PHOTOPRISM_SITE_AUTHOR="";
+ PHOTOPRISM_UID="600";
+ PHOTOPRISM_GID="600";
+ # PHOTOPRISM_UMASK: 0000
 };
+ environmentFiles = ["${vars.storage_secrets}/docker/photoprism"];
+ autoStart = true;
+ dependsOn = [ "photoprism_mariadb" ];
+ extraOptions = [ "--network=web" ];
 };
 }
diff --git a/systems/jeeves/docker/prowlarr.nix b/systems/jeeves/docker/prowlarr.nix
new file mode 100644
index 0000000..d400b51
--- /dev/null
+++ b/systems/jeeves/docker/prowlarr.nix
@@ -0,0 +1,19 @@
+let
+ vars = import ../vars.nix;
+in
+{
+ networking.firewall = {
+ allowedTCPPorts = [ 9696 ];
+ };
+ virtualisation.oci-containers.containers.prowlarr = {
+ image = "ghcr.io/linuxserver/prowlarr:latest";
+ ports = [ "9696:9696" ];
+ environment = {
+ PUID = "600";
+ PGID = "100";
+ TZ = "America/New_York";
+ };
+ volumes = [ "${vars.media_docker_configs}/prowlarr:/config" ];
+ autoStart = true;
+ };
+}
diff --git a/systems/jeeves/docker/qbit.nix b/systems/jeeves/docker/qbit.nix
new file mode 100644
index 0000000..d7779b9
--- /dev/null
+++ b/systems/jeeves/docker/qbit.nix
@@ -0,0 +1,29 @@
+let
+ vars = import ../vars.nix;
+in
+{
+ networking.firewall = {
+ allowedTCPPorts = [ 6881 8082 29432 ];
+ allowedUDPPorts = [ 6881 ];
+ };
+ virtualisation.oci-containers.containers.qbit = {
+ image = "ghcr.io/linuxserver/qbittorrent:latest";
+ ports = [
+ "6881:6881"
+ "6881:6881/udp"
+ "8082:8082"
+ "29432:29432"
+ ];
+ volumes = [
+ "${vars.media_docker_configs}/qbit:/config"
+ "${vars.torrenting_qbit}:/data"
+ ];
+ environment = {
+ PUID = "600";
+ PGID = "100";
+ TZ = "America/New_York";
+ WEBUI_PORT = "8082";
+ };
+ autoStart = true;
+ };
+}
diff --git a/systems/jeeves/docker/qbitvpn.nix b/systems/jeeves/docker/qbitvpn.nix
new file mode 100644
index 0000000..2c8dcb4
--- /dev/null
+++ b/systems/jeeves/docker/qbitvpn.nix
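Review bot: `dependsOn = [ "photoprism_mariadb" ];` on the new side still names the mariadb container that this hunk deletes, even though the database is switched to `PHOTOPRISM_DATABASE_DRIVER="sqlite"`; oci-containers turns dependsOn into a systemd ordering/requirement on the mariadb container unit, so with that unit gone the photoprism service is likely to fail to start rather than ignore the entry. Remove the line, or make it `dependsOn = [ ];`. The shared `environmentFiles` entry `${vars.storage_secrets}/docker/photoprism` was also consumed by the deleted mariadb container, so it is worth checking that file for now-unused MARIADB_* values before it is left as the only source of the admin credential.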
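Review bot: `allowedTCPPorts = [ 9696 ];` makes the Prowlarr UI reachable on every host interface, while photoprism in the same commit is moved behind haproxy on the `web` network with no published port; Prowlarr stores indexer API keys, so the two exposure levels look inconsistent. Unless external access to 9696 is intended, publish it on loopback or a LAN address instead, e.g. `ports = [ "127.0.0.1:9696:9696" ];`, and drop the firewall entry, or route it through haproxy like photoprism. A comment stating the intended reachability (LAN-only vs. internet) would document the decision either way.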
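Review bot: `allowedTCPPorts = [ 6881 8082 29432 ];` opens the qBittorrent WebUI (`WEBUI_PORT = "8082"`) host-wide alongside the peer ports; the WebUI controls downloads and the `/data` volume, so it should not inherit the exposure level of the BitTorrent listener. Bind it to loopback or a LAN address in `ports`, e.g. `"127.0.0.1:8082:8082"`, and leave 8082 out of the firewall list, or put it behind haproxy like photoprism. The firewall lists here and in qbitvpn.nix mirror the `ports` mappings by hand, so a comment such as `# must match the host side of ports below` would help keep them in sync; 29432 has no visible explanation and deserves a comment too.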
@@ -0,0 +1,41 @@
+let
+ vars = import ../vars.nix;
+in
+{
+ networking.firewall = {
+ allowedTCPPorts = [ 6882 8081 8118 ];
+ allowedUDPPorts = [ 6882 ];
+ };
+ virtualisation.oci-containers.containers.qbitvpn = {
+ image = "binhex/arch-qbittorrentvpn:latest";
+ extraOptions = [ "--cap-add=NET_ADMIN" ];
+ ports = [
+ "6882:6881"
+ "6882:6881/udp"
+ "8081:8081"
+ "8118:8118"
+ ];
+ volumes = [
+ "${vars.media_docker_configs}/qbitvpn:/config"
+ "${vars.torrenting_qbitvpn}:/data"
+ "/etc/localtime:/etc/localtime:ro"
+ ];
+ environment = {
+ WEBUI_PORT = "8081";
+ PUID = "600";
+ PGID = "100";
+ VPN_ENABLED = "yes";
+ VPN_CLIENT = "openvpn";
+ STRICT_PORT_FORWARD = "yes";
+ ENABLE_PRIVOXY = "yes";
+ LAN_NETWORK = "192.168.90.0/24";
+ NAME_SERVERS = "1.1.1.1,1.0.0.1";
+ UMASK = "000";
+ DEBUG = "false";
+ DELUGE_DAEMON_LOG_LEVEL = "debug";
+ DELUGE_WEB_LOG_LEVEL = "debug";
+ };
+ environmentFiles = ["${vars.storage_secrets}/docker/qbitvpn"];
+ autoStart = true;
+ };
+}
diff --git a/systems/jeeves/docker/sonarr.nix b/systems/jeeves/docker/sonarr.nix
new file mode 100644
index 0000000..278ee36
--- /dev/null
+++ b/systems/jeeves/docker/sonarr.nix
@@ -0,0 +1,21 @@
+let
+ vars = import ../vars.nix;
+in
+{
+ networking.firewall.allowedTCPPorts = [ 9696 8989 ];
+ virtualisation.oci-containers.containers.sonarr = {
+ image = "ghcr.io/linuxserver/sonarr:latest";
+ ports = [ "8989:8989" ];
+ environment = {
+ PUID = "600";
+ PGID = "100";
+ TZ = "America/New_York";
+ };
+ volumes = [
+ "${vars.media_docker_configs}/sonarr:/config"
+ "${vars.storage_plex}/tv:/tv"
+ "${vars.torrenting_qbitvpn}:/data"
+ ];
+ autoStart = true;
+ };
+}
diff --git a/systems/jeeves/docker/web.nix b/systems/jeeves/docker/web.nix
index c071504..02e2c83 100644
--- a/systems/jeeves/docker/web.nix
+++ b/systems/jeeves/docker/web.nix
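Review bot: `allowedTCPPorts = [ 6882 8081 8118 ];` opens 8118, which with `ENABLE_PRIVOXY = "yes"` is the Privoxy HTTP proxy inside the VPN container, on every host interface; anything that can reach the host can then relay traffic through the VPN tunnel, and the WebUI on 8081 gets the same exposure. The container already scopes itself with `LAN_NETWORK = "192.168.90.0/24"`, so the host side should match: publish 8081 and 8118 on a LAN address in `ports`, or move them under `networking.firewall.interfaces.<LAN_IF>.allowedTCPPorts` (placeholder interface name) instead of the global list. `extraOptions = [ "--cap-add=NET_ADMIN" ]` is expected for an in-container VPN client but deserves a one-line comment saying so, since it is the only container in this commit with an extra capability. The `DELUGE_*` log-level variables do not match a qBittorrent image and look carried over; confirm the image reads them before keeping them.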
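Review bot: `networking.firewall.allowedTCPPorts = [ 9696 8989 ];` opens 9696 from the sonarr module, but 9696 is Prowlarr's port (already opened in prowlarr.nix) and nothing in this container publishes it, so the entry looks copy-pasted and makes Prowlarr's reachability silently depend on sonarr.nix being imported. Change it to `networking.firewall.allowedTCPPorts = [ 8989 ];`. The same exposure question raised for the other new modules applies to 8989: if the Sonarr UI is LAN-only, bind it on a LAN address in `ports` rather than opening it globally.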
@@ -5,7 +5,6 @@ in
 virtualisation.oci-containers.containers = {
 audiobookshelf = {
 image = "ghcr.io/advplyr/audiobookshelf:latest";
- ports = [ "13378:80" ];
 volumes = [
 "${vars.media_docker_configs}/audiobookshelf:/config"
 "${vars.media_docker_configs}/audiobookshelf:/metadata"
diff --git a/systems/jeeves/networking.nix b/systems/jeeves/networking.nix
index 392747f..23d5df0 100644
--- a/systems/jeeves/networking.nix
+++ b/systems/jeeves/networking.nix
@@ -2,7 +2,7 @@
 networking = {
 hostName = "jeeves";
 hostId = "0e15ce35";
- firewall.enable = false;
+ firewall.enable = true;
 useNetworkd = true;
 };
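Review bot: `firewall.enable = true;` only filters what reaches the host's INPUT chain; if the oci-containers backend is Docker, the `ports = [ ... ]` mappings in the new per-service files are published through Docker's own NAT/FORWARD rules, which the NixOS firewall's `allowedTCPPorts` does not gate, so the per-file port lists added in this commit may not be what decides exposure. That is an inference from the container setup rather than something visible here, so it is worth confirming after the switch by checking from another LAN host whether a published port that is absent from every allowedTCPPorts list is still reachable. If it is, exposure has to be restricted at the `ports` bind address (loopback or LAN IP) or in the Docker daemon's iptables handling, not in allowedTCPPorts alone. A comment on this line listing which services are intended to be reachable from outside the host would make later audits of the firewall state much easier. The enclosing attrset starts outside the hunk.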