enabled firewall on jeeves

systems/jeeves/default.nix

@@ -35,6 +35,7 @@ in
     plex = {
       enable = true;
       dataDir = vars.media_plex;
+      openFirewall = true;
     };
 
     smartd.enable = true;

systems/jeeves/docker/haproxy.cfg

@@ -30,6 +30,7 @@ frontend ContentSwitching
   acl host_filebrowser  hdr(host) -i filebrowser.tmmworkshop.com
   acl host_grafana  hdr(host) -i grafana.tmmworkshop.com
   acl host_mirror   hdr(host) -i mirror.tmmworkshop.com
+  acl host_photoprism  hdr(host) -i photoprism.tmmworkshop.com
   acl host_uptime_kuma  hdr(host) -i uptimekuma-jeeves.tmmworkshop.com
 
   use_backend audiobookshelf_nodes if host_audiobookshelf
@@ -37,6 +38,7 @@ frontend ContentSwitching
   use_backend filebrowser_nodes  if host_filebrowser
   use_backend grafana_nodes  if host_grafana
   use_backend mirror_nodes   if host_mirror
+  use_backend photoprism_nodes  if host_photoprism
   use_backend uptime_kuma_nodes  if host_uptime_kuma
 
 backend mirror_nodes
@@ -55,6 +57,10 @@ backend filebrowser_nodes
   mode http
   server server filebrowser:8080
 
+backend photoprism_nodes
+  mode http
+  server server photoprism:2342
+
 backend uptime_kuma_nodes
   mode http
   server server uptime_kuma:3001

systems/jeeves/docker/internal.nix

@@ -1,85 +0,0 @@
-let
-  vars = import ../vars.nix;
-in
-{
-  virtualisation.oci-containers.containers = {
-    qbit = {
-      image = "ghcr.io/linuxserver/qbittorrent:latest";
-      ports = [
-        "6881:6881"
-        "6881:6881/udp"
-        "8082:8082"
-        "29432:29432"
-      ];
-      volumes = [
-        "${vars.media_docker_configs}/qbit:/config"
-        "${vars.torrenting_qbit}:/data"
-      ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-        WEBUI_PORT = "8082";
-      };
-      autoStart = true;
-    };
-    qbitvpn = {
-      image = "binhex/arch-qbittorrentvpn:latest";
-      extraOptions = [ "--cap-add=NET_ADMIN" ];
-      ports = [
-        "6882:6881"
-        "6882:6881/udp"
-        "8081:8081"
-        "8118:8118"
-      ];
-      volumes = [
-        "${vars.media_docker_configs}/qbitvpn:/config"
-        "${vars.torrenting_qbitvpn}:/data"
-        "/etc/localtime:/etc/localtime:ro"
-      ];
-      environment = {
-        WEBUI_PORT = "8081";
-        PUID = "600";
-        PGID = "100";
-        VPN_ENABLED = "yes";
-        VPN_CLIENT = "openvpn";
-        STRICT_PORT_FORWARD = "yes";
-        ENABLE_PRIVOXY = "yes";
-        LAN_NETWORK = "192.168.90.0/24";
-        NAME_SERVERS = "1.1.1.1,1.0.0.1";
-        UMASK = "000";
-        DEBUG = "false";
-        DELUGE_DAEMON_LOG_LEVEL = "debug";
-        DELUGE_WEB_LOG_LEVEL = "debug";
-      };
-      environmentFiles = ["${vars.storage_secrets}/docker/qbitvpn"];
-      autoStart = true;
-    };
-    prowlarr = {
-      image = "ghcr.io/linuxserver/prowlarr:latest";
-      ports = [ "9696:9696" ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-      };
-      volumes = [ "${vars.media_docker_configs}/prowlarr:/config" ];
-      autoStart = true;
-    };
-    sonarr = {
-      image = "ghcr.io/linuxserver/sonarr:latest";
-      ports = [ "8989:8989" ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-      };
-      volumes = [
-        "${vars.media_docker_configs}/sonarr:/config"
-        "${vars.storage_plex}/tv:/tv"
-        "${vars.torrenting_qbitvpn}:/data"
-      ];
-      autoStart = true;
-    };
-  };
-}

systems/jeeves/docker/photoprism.nix

@@ -2,75 +2,53 @@ let
   vars = import ../vars.nix;
 in
 {
-
+  virtualisation.oci-containers.containers.photoprism = {
-
+    image = "photoprism/photoprism:latest";
-  virtualisation.oci-containers.containers = {
+    volumes = [ 
-    photoprism = {
+      "${vars.media_docker_configs}/photoprism:/photoprism/storage"
-      image = "photoprism/photoprism:latest";
+      "${vars.storage_photos}/originals:/photoprism/originals"
-      ports = [ "2342:2342" ];
+      "${vars.storage_photos}/import:/photoprism/import"
-      volumes = [ 
+    ];
-        "${vars.media_docker_configs}/photoprism:/photoprism/storage"
+    environment = {
-        "${vars.storage_photos}/originals:/photoprism/originals"
+      PHOTOPRISM_ADMIN_USER="admin";
-        "${vars.storage_photos}/import:/photoprism/import"
+      PHOTOPRISM_AUTH_MODE="password";
-      ];
+      PHOTOPRISM_DISABLE_TLS="false";
-      environment = {
+      PHOTOPRISM_DEFAULT_TLS="true";
-        PHOTOPRISM_ADMIN_USER="admin";
+      PHOTOPRISM_ORIGINALS_LIMIT="30000";
-        PHOTOPRISM_AUTH_MODE="password";
+      PHOTOPRISM_HTTP_COMPRESSION="gzip";
-        PHOTOPRISM_DISABLE_TLS="false";
+      PHOTOPRISM_LOG_LEVEL="info";
-        PHOTOPRISM_DEFAULT_TLS="true";
+      PHOTOPRISM_READONLY="false";
-        PHOTOPRISM_ORIGINALS_LIMIT="30000";
+      PHOTOPRISM_EXPERIMENTAL="false";
-        PHOTOPRISM_HTTP_COMPRESSION="gzip";
+      PHOTOPRISM_DISABLE_CHOWN="false";
-        PHOTOPRISM_LOG_LEVEL="info";
+      PHOTOPRISM_DISABLE_WEBDAV="false";
-        PHOTOPRISM_READONLY="false";
+      PHOTOPRISM_DISABLE_SETTINGS="false";
-        PHOTOPRISM_EXPERIMENTAL="false";
+      PHOTOPRISM_DISABLE_TENSORFLOW="false";
-        PHOTOPRISM_DISABLE_CHOWN="false";
+      PHOTOPRISM_DISABLE_FACES="false";
-        PHOTOPRISM_DISABLE_WEBDAV="false";
+      PHOTOPRISM_DISABLE_CLASSIFICATION="false";
-        PHOTOPRISM_DISABLE_SETTINGS="false";
+      PHOTOPRISM_DISABLE_VECTORS="false";
-        PHOTOPRISM_DISABLE_TENSORFLOW="false";
+      PHOTOPRISM_DISABLE_RAW="false";
-        PHOTOPRISM_DISABLE_FACES="false";
+      PHOTOPRISM_RAW_PRESETS="false";
-        PHOTOPRISM_DISABLE_CLASSIFICATION="false";
+      PHOTOPRISM_SIDECAR_YAML="true";
-        PHOTOPRISM_DISABLE_VECTORS="false";
+      PHOTOPRISM_BACKUP_ALBUMS="true";
-        PHOTOPRISM_DISABLE_RAW="false";
+      PHOTOPRISM_BACKUP_DATABASE="true";
-        PHOTOPRISM_RAW_PRESETS="false";
+      PHOTOPRISM_BACKUP_SCHEDULE="daily";
-        PHOTOPRISM_SIDECAR_YAML="true";
+      PHOTOPRISM_INDEX_SCHEDULE="";
-        PHOTOPRISM_BACKUP_ALBUMS="true";
+      PHOTOPRISM_AUTO_INDEX="300";
-        PHOTOPRISM_BACKUP_DATABASE="true";
+      PHOTOPRISM_AUTO_IMPORT= "-1";
-        PHOTOPRISM_BACKUP_SCHEDULE="daily";
+      PHOTOPRISM_DETECT_NSFW="false";
-        PHOTOPRISM_INDEX_SCHEDULE="";
+      PHOTOPRISM_UPLOAD_NSFW="true";
-        PHOTOPRISM_AUTO_INDEX="300";
+      PHOTOPRISM_DATABASE_DRIVER="sqlite";
-        PHOTOPRISM_AUTO_IMPORT= "-1";
+      PHOTOPRISM_SITE_CAPTION="AI-Powered Photos App";
-        PHOTOPRISM_DETECT_NSFW="false";
+      PHOTOPRISM_SITE_DESCRIPTION="";
-        PHOTOPRISM_UPLOAD_NSFW="true";
+      PHOTOPRISM_SITE_AUTHOR="";
-        PHOTOPRISM_DATABASE_DRIVER="mysql";
+      PHOTOPRISM_UID="600";
-        PHOTOPRISM_DATABASE_SERVER="photoprism_mariadb:3306";
+      PHOTOPRISM_GID="600";
-        PHOTOPRISM_DATABASE_NAME="photoprism";
+      # PHOTOPRISM_UMASK: 0000
-        PHOTOPRISM_DATABASE_USER="photoprism";
-        PHOTOPRISM_SITE_CAPTION="AI-Powered Photos App";
-        PHOTOPRISM_SITE_DESCRIPTION="";
-        PHOTOPRISM_SITE_AUTHOR="";
-        PHOTOPRISM_UID="600";
-        PHOTOPRISM_GID="600";
-        # PHOTOPRISM_UMASK: 0000
-      };
-      environmentFiles = ["${vars.storage_secrets}/docker/photoprism"];
-      autoStart = true;
-      dependsOn = [ "photoprism_mariadb" ];
-      extraOptions = [ "--network=web" ];
-    };
-    photoprism_mariadb = {
-      image = "mariadb:11";
-      volumes = [ "${vars.media_database}/photoprism_mariadb:/var/lib/photoprism_mariadb" ];
-      environment = {
-        MARIADB_AUTO_UPGRADE = "1";
-        MARIADB_INITDB_SKIP_TZINFO = "1";
-        MARIADB_DATABASE = "photoprism";
-        MARIADB_USER = "photoprism";
-      };
-      environmentFiles = ["${vars.storage_secrets}/docker/photoprism"];
-      cmd = [ "--innodb-buffer-pool-size=512M" "--transaction-isolation=READ-COMMITTED" "--character-set-server=utf8mb4" "--collation-server=utf8mb4_unicode_ci" "--max-connections=512" "--innodb-rollback-on-timeout=OFF" "--innodb-lock-wait-timeout=120" ];
-      autoStart = true;
-      extraOptions = [ "--network=web" ];
     };
+    environmentFiles = ["${vars.storage_secrets}/docker/photoprism"];
+    autoStart = true;
+    dependsOn = [ "photoprism_mariadb" ];
+    extraOptions = [ "--network=web" ];
   };
 }
 

systems/jeeves/docker/prowlarr.nix

@@ -0,0 +1,19 @@
+let
+  vars = import ../vars.nix;
+in
+{
+  networking.firewall = {
+    allowedTCPPorts = [ 9696 ];
+  };
+  virtualisation.oci-containers.containers.prowlarr = {
+    image = "ghcr.io/linuxserver/prowlarr:latest";
+    ports = [ "9696:9696" ];
+    environment = {
+      PUID = "600";
+      PGID = "100";
+      TZ = "America/New_York";
+    };
+    volumes = [ "${vars.media_docker_configs}/prowlarr:/config" ];
+    autoStart = true;
+  };
+}

systems/jeeves/docker/qbit.nix

@@ -0,0 +1,29 @@
+let
+  vars = import ../vars.nix;
+in
+{
+  networking.firewall = {
+    allowedTCPPorts = [ 6881 8082 29432 ]; 
+    allowedUDPPorts = [ 6881 ];
+  };
+  virtualisation.oci-containers.containers.qbit = {
+    image = "ghcr.io/linuxserver/qbittorrent:latest";
+    ports = [
+      "6881:6881"
+      "6881:6881/udp"
+      "8082:8082"
+      "29432:29432"
+    ];
+    volumes = [
+      "${vars.media_docker_configs}/qbit:/config"
+      "${vars.torrenting_qbit}:/data"
+    ];
+    environment = {
+      PUID = "600";
+      PGID = "100";
+      TZ = "America/New_York";
+      WEBUI_PORT = "8082";
+    };
+    autoStart = true;
+  };
+}

systems/jeeves/docker/qbitvpn.nix

@@ -0,0 +1,41 @@
+let
+  vars = import ../vars.nix;
+in
+{
+  networking.firewall = {
+    allowedTCPPorts = [ 6882 8081 8118 ];
+    allowedUDPPorts = [ 6882 ];
+  };
+  virtualisation.oci-containers.containers.qbitvpn = {
+    image = "binhex/arch-qbittorrentvpn:latest";
+    extraOptions = [ "--cap-add=NET_ADMIN" ];
+    ports = [
+      "6882:6881"
+      "6882:6881/udp"
+      "8081:8081"
+      "8118:8118"
+    ];
+    volumes = [
+      "${vars.media_docker_configs}/qbitvpn:/config"
+      "${vars.torrenting_qbitvpn}:/data"
+      "/etc/localtime:/etc/localtime:ro"
+    ];
+    environment = {
+      WEBUI_PORT = "8081";
+      PUID = "600";
+      PGID = "100";
+      VPN_ENABLED = "yes";
+      VPN_CLIENT = "openvpn";
+      STRICT_PORT_FORWARD = "yes";
+      ENABLE_PRIVOXY = "yes";
+      LAN_NETWORK = "192.168.90.0/24";
+      NAME_SERVERS = "1.1.1.1,1.0.0.1";
+      UMASK = "000";
+      DEBUG = "false";
+      DELUGE_DAEMON_LOG_LEVEL = "debug";
+      DELUGE_WEB_LOG_LEVEL = "debug";
+    };
+    environmentFiles = ["${vars.storage_secrets}/docker/qbitvpn"];
+    autoStart = true;
+  };
+}

systems/jeeves/docker/sonarr.nix

@@ -0,0 +1,21 @@
+let
+  vars = import ../vars.nix;
+in
+{
+  networking.firewall.allowedTCPPorts = [ 9696 8989 ];
+  virtualisation.oci-containers.containers.sonarr = {
+    image = "ghcr.io/linuxserver/sonarr:latest";
+    ports = [ "8989:8989" ];
+    environment = {
+      PUID = "600";
+      PGID = "100";
+      TZ = "America/New_York";
+    };
+    volumes = [
+      "${vars.media_docker_configs}/sonarr:/config"
+      "${vars.storage_plex}/tv:/tv"
+      "${vars.torrenting_qbitvpn}:/data"
+    ];
+    autoStart = true;
+  };
+}

systems/jeeves/docker/web.nix

@@ -5,7 +5,6 @@ in
   virtualisation.oci-containers.containers = {
     audiobookshelf = {
       image = "ghcr.io/advplyr/audiobookshelf:latest";
-      ports = [ "13378:80" ];
       volumes = [
         "${vars.media_docker_configs}/audiobookshelf:/config"
         "${vars.media_docker_configs}/audiobookshelf:/metadata"

systems/jeeves/networking.nix

@@ -2,7 +2,7 @@
   networking = {
     hostName = "jeeves";
     hostId = "0e15ce35";
-    firewall.enable = false;
+    firewall.enable = true;
     useNetworkd = true;
   };