
5 Commits

Author SHA1 Message Date
4a456c5a06 bootstrapping 2024-10-25 16:54:01 -04:00
8d78862326 sorted haproxy.cfg 2024-10-25 16:50:34 -04:00
090c14ed47 enabled firewall on jeeves 2024-10-25 16:50:34 -04:00
cc7c44203c enabled firewall on rhapsody-in-green 2024-10-25 16:50:34 -04:00
e5239304e7 enabled firewall on bob 2024-10-25 16:50:34 -04:00
14 changed files with 390 additions and 168 deletions


@@ -16,8 +16,9 @@
networking = { networking = {
hostName = "bob"; hostName = "bob";
networkmanager.enable = true;
hostId = "7c678a41"; hostId = "7c678a41";
firewall.enable = true;
networkmanager.enable = true;
}; };
hardware = { hardware = {


@@ -35,6 +35,7 @@ in
plex = { plex = {
enable = true; enable = true;
dataDir = vars.media_plex; dataDir = vars.media_plex;
openFirewall = true;
}; };
smartd.enable = true; smartd.enable = true;
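Review bot: `openFirewall = true` on the plex service opens more than the 32400/tcp web port — the nixpkgs plex module also opens Plex's UDP discovery ports (1900, 5353, 32410, 32412–32414, from memory of the module; confirm against the nixpkgs revision in use) on every interface, which starts to matter now that this host's firewall is switched on in the same commit range. If Plex is only reached through haproxy or from the LAN, `networking.firewall.interfaces.<lan-iface>.allowedTCPPorts = [ 32400 ];` scopes the exposure to that interface instead of `openFirewall`. The enclosing `services` attrset starts and ends outside the hunk.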


@@ -30,6 +30,7 @@ frontend ContentSwitching
acl host_filebrowser hdr(host) -i filebrowser.tmmworkshop.com acl host_filebrowser hdr(host) -i filebrowser.tmmworkshop.com
acl host_grafana hdr(host) -i grafana.tmmworkshop.com acl host_grafana hdr(host) -i grafana.tmmworkshop.com
acl host_mirror hdr(host) -i mirror.tmmworkshop.com acl host_mirror hdr(host) -i mirror.tmmworkshop.com
acl host_photoprism hdr(host) -i photoprism.tmmworkshop.com
acl host_uptime_kuma hdr(host) -i uptimekuma-jeeves.tmmworkshop.com acl host_uptime_kuma hdr(host) -i uptimekuma-jeeves.tmmworkshop.com
use_backend audiobookshelf_nodes if host_audiobookshelf use_backend audiobookshelf_nodes if host_audiobookshelf
@@ -37,15 +38,16 @@ frontend ContentSwitching
use_backend filebrowser_nodes if host_filebrowser use_backend filebrowser_nodes if host_filebrowser
use_backend grafana_nodes if host_grafana use_backend grafana_nodes if host_grafana
use_backend mirror_nodes if host_mirror use_backend mirror_nodes if host_mirror
use_backend photoprism_nodes if host_photoprism
use_backend uptime_kuma_nodes if host_uptime_kuma use_backend uptime_kuma_nodes if host_uptime_kuma
backend mirror_nodes backend audiobookshelf_nodes
mode http mode http
server server arch_mirror:80 server server audiobookshelf:80
backend mirror_rsync backend cache_nodes
mode http mode http
server server arch_mirror:873 server server 192.168.90.40:5000
backend grafana_nodes backend grafana_nodes
mode http mode http
@@ -55,14 +57,15 @@ backend filebrowser_nodes
mode http mode http
server server filebrowser:8080 server server filebrowser:8080
backend mirror_nodes
mode http
server server arch_mirror:80
backend photoprism_nodes
mode http
server server photoprism:2342
backend uptime_kuma_nodes backend uptime_kuma_nodes
mode http mode http
server server uptime_kuma:3001 server server uptime_kuma:3001
backend cache_nodes
mode http
server server 192.168.90.40:5000
backend audiobookshelf_nodes
mode http
server server audiobookshelf:80
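Review bot: `backend mirror_rsync` (old side of the second hunk, `mode http` to `arch_mirror:873`) has no counterpart on the new side of either hunk and no `use_backend` refers to it, so if the sort dropped it that should be stated in the commit message; it could never have worked as written, since rsync on 873 is not HTTP. The new `cache_nodes` backend is also the only one that names a bare address, `server server 192.168.90.40:5000`, rather than a container name, so it does not go through the container-network name resolution the other backends rely on — a one-line comment above it such as `# cache runs outside the container network; fixed LAN address` would make the exception deliberate. The `photoprism_nodes` backend pairs with the photoprism file in this same range dropping its host port mapping, so the app is reachable only via this proxy, which is the right direction.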


@@ -1,85 +0,0 @@
let
vars = import ../vars.nix;
in
{
virtualisation.oci-containers.containers = {
qbit = {
image = "ghcr.io/linuxserver/qbittorrent:latest";
ports = [
"6881:6881"
"6881:6881/udp"
"8082:8082"
"29432:29432"
];
volumes = [
"${vars.media_docker_configs}/qbit:/config"
"${vars.torrenting_qbit}:/data"
];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
WEBUI_PORT = "8082";
};
autoStart = true;
};
qbitvpn = {
image = "binhex/arch-qbittorrentvpn:latest";
extraOptions = [ "--cap-add=NET_ADMIN" ];
ports = [
"6882:6881"
"6882:6881/udp"
"8081:8081"
"8118:8118"
];
volumes = [
"${vars.media_docker_configs}/qbitvpn:/config"
"${vars.torrenting_qbitvpn}:/data"
"/etc/localtime:/etc/localtime:ro"
];
environment = {
WEBUI_PORT = "8081";
PUID = "600";
PGID = "100";
VPN_ENABLED = "yes";
VPN_CLIENT = "openvpn";
STRICT_PORT_FORWARD = "yes";
ENABLE_PRIVOXY = "yes";
LAN_NETWORK = "192.168.90.0/24";
NAME_SERVERS = "1.1.1.1,1.0.0.1";
UMASK = "000";
DEBUG = "false";
DELUGE_DAEMON_LOG_LEVEL = "debug";
DELUGE_WEB_LOG_LEVEL = "debug";
};
environmentFiles = ["${vars.storage_secrets}/docker/qbitvpn"];
autoStart = true;
};
prowlarr = {
image = "ghcr.io/linuxserver/prowlarr:latest";
ports = [ "9696:9696" ];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
};
volumes = [ "${vars.media_docker_configs}/prowlarr:/config" ];
autoStart = true;
};
sonarr = {
image = "ghcr.io/linuxserver/sonarr:latest";
ports = [ "8989:8989" ];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
};
volumes = [
"${vars.media_docker_configs}/sonarr:/config"
"${vars.storage_plex}/tv:/tv"
"${vars.torrenting_qbitvpn}:/data"
];
autoStart = true;
};
};
}


@@ -2,12 +2,8 @@ let
vars = import ../vars.nix; vars = import ../vars.nix;
in in
{ {
virtualisation.oci-containers.containers.photoprism = {
virtualisation.oci-containers.containers = {
photoprism = {
image = "photoprism/photoprism:latest"; image = "photoprism/photoprism:latest";
ports = [ "2342:2342" ];
volumes = [ volumes = [
"${vars.media_docker_configs}/photoprism:/photoprism/storage" "${vars.media_docker_configs}/photoprism:/photoprism/storage"
"${vars.storage_photos}/originals:/photoprism/originals" "${vars.storage_photos}/originals:/photoprism/originals"
@@ -41,10 +37,7 @@ in
PHOTOPRISM_AUTO_IMPORT= "-1"; PHOTOPRISM_AUTO_IMPORT= "-1";
PHOTOPRISM_DETECT_NSFW="false"; PHOTOPRISM_DETECT_NSFW="false";
PHOTOPRISM_UPLOAD_NSFW="true"; PHOTOPRISM_UPLOAD_NSFW="true";
PHOTOPRISM_DATABASE_DRIVER="mysql"; PHOTOPRISM_DATABASE_DRIVER="sqlite";
PHOTOPRISM_DATABASE_SERVER="photoprism_mariadb:3306";
PHOTOPRISM_DATABASE_NAME="photoprism";
PHOTOPRISM_DATABASE_USER="photoprism";
PHOTOPRISM_SITE_CAPTION="AI-Powered Photos App"; PHOTOPRISM_SITE_CAPTION="AI-Powered Photos App";
PHOTOPRISM_SITE_DESCRIPTION=""; PHOTOPRISM_SITE_DESCRIPTION="";
PHOTOPRISM_SITE_AUTHOR=""; PHOTOPRISM_SITE_AUTHOR="";
@@ -57,20 +50,5 @@ in
dependsOn = [ "photoprism_mariadb" ]; dependsOn = [ "photoprism_mariadb" ];
extraOptions = [ "--network=web" ]; extraOptions = [ "--network=web" ];
}; };
photoprism_mariadb = {
image = "mariadb:11";
volumes = [ "${vars.media_database}/photoprism_mariadb:/var/lib/photoprism_mariadb" ];
environment = {
MARIADB_AUTO_UPGRADE = "1";
MARIADB_INITDB_SKIP_TZINFO = "1";
MARIADB_DATABASE = "photoprism";
MARIADB_USER = "photoprism";
};
environmentFiles = ["${vars.storage_secrets}/docker/photoprism"];
cmd = [ "--innodb-buffer-pool-size=512M" "--transaction-isolation=READ-COMMITTED" "--character-set-server=utf8mb4" "--collation-server=utf8mb4_unicode_ci" "--max-connections=512" "--innodb-rollback-on-timeout=OFF" "--innodb-lock-wait-timeout=120" ];
autoStart = true;
extraOptions = [ "--network=web" ];
};
};
} }
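Review bot: `dependsOn = [ "photoprism_mariadb" ];` survives on the new side of the third hunk while the `photoprism_mariadb` container is removed and `PHOTOPRISM_DATABASE_DRIVER` is switched to `"sqlite"`, so the photoprism unit now requires a `<backend>-photoprism_mariadb.service` that no longer exists and will not start; remove the line or set `dependsOn = [ ];`. Switching the driver does not migrate the existing MariaDB library, so unless the index is meant to be rebuilt from `originals` this is a data-loss step worth naming in the commit message. Dropping `ports = [ "2342:2342" ]` while keeping `--network=web` leaves the app reachable only through the haproxy `photoprism:2342` backend, which is an improvement on the old host-wide publish.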


@@ -0,0 +1,19 @@
let
vars = import ../vars.nix;
in
{
networking.firewall = {
allowedTCPPorts = [ 9696 ];
};
virtualisation.oci-containers.containers.prowlarr = {
image = "ghcr.io/linuxserver/prowlarr:latest";
ports = [ "9696:9696" ];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
};
volumes = [ "${vars.media_docker_configs}/prowlarr:/config" ];
autoStart = true;
};
}
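Review bot: `allowedTCPPorts = [ 9696 ]` together with `ports = [ "9696:9696" ]` exposes the Prowlarr web UI on every host interface, and the same pattern recurs in the new qbit (8082), qbitvpn (8081 web UI, 8118 Privoxy) and sonarr (8989) files — these UIs hold indexer credentials, API keys and download paths, so they should be reachable only from the reverse proxy or the LAN. Publishing on loopback, `ports = [ "127.0.0.1:9696:9696" ];`, or scoping the rule with `networking.firewall.interfaces.<lan-iface>.allowedTCPPorts = [ 9696 ];` keeps the firewall entry from being a host-wide allow. Note also that when the oci-containers backend is Docker, published ports are accepted by Docker's own forward-chain rules before `networking.firewall`'s input rules see them, so the NixOS entry is not what gates them; podman's netavark behaves similarly — verify against the live ruleset on the host.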


@@ -0,0 +1,29 @@
let
vars = import ../vars.nix;
in
{
networking.firewall = {
allowedTCPPorts = [ 6881 8082 29432 ];
allowedUDPPorts = [ 6881 ];
};
virtualisation.oci-containers.containers.qbit = {
image = "ghcr.io/linuxserver/qbittorrent:latest";
ports = [
"6881:6881"
"6881:6881/udp"
"8082:8082"
"29432:29432"
];
volumes = [
"${vars.media_docker_configs}/qbit:/config"
"${vars.torrenting_qbit}:/data"
];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
WEBUI_PORT = "8082";
};
autoStart = true;
};
}


@@ -0,0 +1,41 @@
let
vars = import ../vars.nix;
in
{
networking.firewall = {
allowedTCPPorts = [ 6882 8081 8118 ];
allowedUDPPorts = [ 6882 ];
};
virtualisation.oci-containers.containers.qbitvpn = {
image = "binhex/arch-qbittorrentvpn:latest";
extraOptions = [ "--cap-add=NET_ADMIN" ];
ports = [
"6882:6881"
"6882:6881/udp"
"8081:8081"
"8118:8118"
];
volumes = [
"${vars.media_docker_configs}/qbitvpn:/config"
"${vars.torrenting_qbitvpn}:/data"
"/etc/localtime:/etc/localtime:ro"
];
environment = {
WEBUI_PORT = "8081";
PUID = "600";
PGID = "100";
VPN_ENABLED = "yes";
VPN_CLIENT = "openvpn";
STRICT_PORT_FORWARD = "yes";
ENABLE_PRIVOXY = "yes";
LAN_NETWORK = "192.168.90.0/24";
NAME_SERVERS = "1.1.1.1,1.0.0.1";
UMASK = "000";
DEBUG = "false";
DELUGE_DAEMON_LOG_LEVEL = "debug";
DELUGE_WEB_LOG_LEVEL = "debug";
};
environmentFiles = ["${vars.storage_secrets}/docker/qbitvpn"];
autoStart = true;
};
}
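Review bot: `ENABLE_PRIVOXY = "yes"` with `"8118:8118"` published and `8118` in `allowedTCPPorts` makes the Privoxy forward proxy inside the VPN tunnel reachable from every network this host sits on, and Privoxy has no client authentication, so anyone who can reach 8118 can send traffic out through the VPN; keep `8118` out of the firewall list or publish it as `"127.0.0.1:8118:8118"` / a LAN address. `UMASK = "000"` makes every downloaded file world-writable on the `/data` volume that the sonarr container also mounts; `"002"` with the shared `PGID = "100"` is sufficient. `DELUGE_DAEMON_LOG_LEVEL` and `DELUGE_WEB_LOG_LEVEL` are Deluge variables this qBittorrent image will ignore and look carried over from another definition; dropping them avoids the impression that debug logging is in effect.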


@@ -0,0 +1,21 @@
let
vars = import ../vars.nix;
in
{
networking.firewall.allowedTCPPorts = [ 9696 8989 ];
virtualisation.oci-containers.containers.sonarr = {
image = "ghcr.io/linuxserver/sonarr:latest";
ports = [ "8989:8989" ];
environment = {
PUID = "600";
PGID = "100";
TZ = "America/New_York";
};
volumes = [
"${vars.media_docker_configs}/sonarr:/config"
"${vars.storage_plex}/tv:/tv"
"${vars.torrenting_qbitvpn}:/data"
];
autoStart = true;
};
}
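Review bot: `networking.firewall.allowedTCPPorts = [ 9696 8989 ];` opens Prowlarr's 9696 from the sonarr module; NixOS concatenates list options across modules so nothing breaks today, but the rule now lives in two files and would silently outlive the removal of prowlarr.nix, so it should be `networking.firewall.allowedTCPPorts = [ 8989 ];`. The sibling prowlarr/qbit/qbitvpn files use the `networking.firewall = { allowedTCPPorts = [ ... ]; };` attrset form; matching it here keeps the four container files uniform.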


@@ -5,7 +5,6 @@ in
virtualisation.oci-containers.containers = { virtualisation.oci-containers.containers = {
audiobookshelf = { audiobookshelf = {
image = "ghcr.io/advplyr/audiobookshelf:latest"; image = "ghcr.io/advplyr/audiobookshelf:latest";
ports = [ "13378:80" ];
volumes = [ volumes = [
"${vars.media_docker_configs}/audiobookshelf:/config" "${vars.media_docker_configs}/audiobookshelf:/config"
"${vars.media_docker_configs}/audiobookshelf:/metadata" "${vars.media_docker_configs}/audiobookshelf:/metadata"


@@ -2,7 +2,7 @@
networking = { networking = {
hostName = "jeeves"; hostName = "jeeves";
hostId = "0e15ce35"; hostId = "0e15ce35";
firewall.enable = false; firewall.enable = true;
useNetworkd = true; useNetworkd = true;
}; };


@@ -15,8 +15,9 @@
networking = { networking = {
hostName = "rhapsody-in-green"; hostName = "rhapsody-in-green";
networkmanager.enable = true;
hostId = "6404140d"; hostId = "6404140d";
firewall.enable = true;
networkmanager.enable = true;
}; };
hardware = { hardware = {

147
systems/router/default.nix Normal file

@@ -0,0 +1,147 @@
# https://github.com/ghostbuster91/blogposts/blob/a2374f0039f8cdf4faddeaaa0347661ffc2ec7cf/router2023-part2/main.md
# https://francis.begyn.be/blog/nixos-home-router
{
imports = [
../../users/richie
../../common/global
../../common/optional/zerotier.nix
./docker
./hardware.nix
];
boot.kernel = {
sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = false;
};
};
systemd.network = {
wait-online.anyInterface = true;
networks = {
"30-lan0" = {
matchConfig.Name = "lan0";
linkConfig.RequiredForOnline = "enslaved";
networkConfig = {
ConfigureWithoutCarrier = true;
};
};
# lan1 and lan2 look analogical
"30-lan3" = {
matchConfig.Name = "lan3";
linkConfig.RequiredForOnline = "enslaved";
networkConfig = {
ConfigureWithoutCarrier = true;
};
};
"10-wan" = {
matchConfig.Name = "wan";
networkConfig = {
# start a DHCP Client for IPv4 Addressing/Routing
DHCP = "ipv4";
DNSOverTLS = true;
DNSSEC = true;
IPv6PrivacyExtensions = false;
IPForward = true;
};
# make routing on this interface a dependency for network-online.target
linkConfig.RequiredForOnline = "routable";
};
};
};
networking = {
hostName = "surfer";
useNetworkd = true;
useDHCP = false;
# No local firewall.
nat.enable = false;
firewall.enable = false;
nftables = {
enable = true;
ruleset = ''
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iifname { "br-lan" } accept comment "Allow local network to access the router"
iifname "wan" ct state { established, related } accept comment "Allow established traffic"
iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan"
iifname "lo" accept comment "Accept everything from loopback interface"
}
chain forward {
type filter hook forward priority filter; policy drop;
iifname { "br-lan" } oifname { "wan" } accept comment "Allow trusted LAN to WAN"
iifname { "wan" } oifname { "br-lan" } ct state { established, related } accept comment "Allow established back to LANs"
}
}
table ip nat {
chain postrouting {
type nat hook postrouting priority 100; policy accept;
oifname "wan" masquerade
}
}
'';
};
};
services.dnsmasq = {
enable = true;
settings = {
# upstream DNS servers
server = [ "9.9.9.9" "8.8.8.8" "1.1.1.1" ];
# sensible behaviours
domain-needed = true;
bogus-priv = true;
no-resolv = true;
# Cache dns queries.
cache-size = 1000;
dhcp-range = [ "br-lan,192.168.10.50,192.168.10.254,24h" ];
interface = "br-lan";
dhcp-host = "192.168.10.1";
# local domains
local = "/lan/";
domain = "lan";
expand-hosts = true;
# don't use /etc/hosts as this would advertise surfer as localhost
no-hosts = true;
address = "/surfer.lan/192.168.10.1";
};
};
boot.kernel = {
sysctl = {
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.wan.rp_filter" = 1;
"net.ipv4.conf.br-lan.rp_filter" = 0;
};
};
services = {
openssh.ports = [ 629 ];
smartd.enable = true;
snapshot_manager = {
enable = true;
path = ./snapshot_config.toml;
};
sysstat.enable = true;
zfs = {
trim.enable = true;
autoScrub.enable = true;
};
};
system.stateVersion = "24.05";
}
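Review bot: `boot.kernel = { sysctl = { ... }; };` is assigned twice in the same attribute set (the forwarding block near the top and the rp_filter block after `services.dnsmasq`), which Nix rejects with `attribute 'boot.kernel' already defined` rather than merging, so this file does not evaluate; fold the rp_filter entries into the first block as below. The nftables ruleset and dnsmasq both refer to `br-lan`, but `systemd.network` here only declares `30-lan0`/`30-lan3` as `enslaved` and shows neither a `netdevs` bridge nor a network stanza giving br-lan the `192.168.10.1/24` address that `address = "/surfer.lan/192.168.10.1"` advertises — presumably that lives in another module, but if not, dnsmasq's `interface = "br-lan"` has nothing to bind to. `dhcp-host = "192.168.10.1"` also looks wrong: dnsmasq's `dhcp-host` expects a `<mac>,[name],<ip>` reservation, and a bare router address reads like an intended `dhcp-option = "option:router,192.168.10.1"`. In the input chain, putting `iifname "lo" accept` and a `ct state invalid drop` ahead of the wan rules is the conventional shape and cheaper per packet; the current order is not incorrect, just unusual.
```nix
  boot.kernel = {
    sysctl = {
      "net.ipv4.conf.all.forwarding" = true;
      "net.ipv6.conf.all.forwarding" = false;
      # reverse-path filtering: strict on wan, off on the LAN bridge
      "net.ipv4.conf.default.rp_filter" = 1;
      "net.ipv4.conf.wan.rp_filter" = 1;
      "net.ipv4.conf.br-lan.rp_filter" = 0;
    };
  };
  # … unchanged: systemd.network, networking, services.dnsmasq …
  # (the second boot.kernel block after services.dnsmasq is removed)
```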


@@ -0,0 +1,67 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd = {
availableKernelModules = [
"nvme"
"xhci_pci"
"ahci"
"usbhid"
"usb_storage"
"sd_mod"
];
kernelModules = [ ];
luks.devices."luks-root-pool-nvme-Samsung_SSD_990_PRO_with_Heatsink_1TB_S73JNJ0X114418B-part2" = {
device = "/dev/disk/by-id/nvme-Samsung_SSD_990_PRO_with_Heatsink_1TB_S73JNJ0X114418B-part2";
bypassWorkqueues = true;
allowDiscards = true;
};
};
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
fileSystems = {
"/" = lib.mkDefault {
device = "root_pool/root";
fsType = "zfs";
};
"/home" = {
device = "root_pool/home";
fsType = "zfs";
};
"/var" = {
device = "root_pool/var";
fsType = "zfs";
};
"/boot" = {
device = "/dev/disk/by-uuid/609D-FF29";
fsType = "vfat";
options = [
"fmask=0077"
"dmask=0077"
];
};
};
swapDevices = [ ];
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}