ciapa
/
infrastructure
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Implement c3moc config

This commit is contained in:
Ciapa 2024-05-20 15:53:55 +02:00
parent 24ea080b34
commit 9c5984ba4f
4 changed files with 245 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

226
hosts/phoenix.lewd.wtf/c3moc.nix Normal file
View File

@ -0,0 +1,226 @@
{ lib, pkgs, config, ... }:
with lib;
let
cfg = config.c3moc;
in {
options.c3moc = {
enable = mkEnableOption "enable c3moc services";
switchNfs = mkEnableOption "switch nfs config to c3moc one";
};
config = mkIf cfg.enable {
fileSystems = {
"/mnt/zbigdata/c3moc_dropfolder" = {
device = "zbigdata/c3moc_dropfolder";
fsType = "zfs";
};
"/export/c3moc/media" = lib.mkIf cfg.switchNfs {
device = "/mnt/zbigdata/media";
options = [ "bind" ];
};
"/export/c3moc/dropfolder" = lib.mkIf cfg.switchNfs {
device = "/mnt/zbigdata/c3moc_dropfolder";
options = [ "bind" ];
};
};
containers.c3moc = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.69.1";
localAddress = "192.168.69.10";
bindMounts = {
"/home/c3moc/media" = {
hostPath = "/mnt/zbigdata/media";
isReadOnly = true;
};
"/home/c3moc/dropfolder" = {
hostPath = "/mnt/zbigdata/c3moc_dropfolder";
isReadOnly = false;
};
};
config = { config, pkgs, ... }: {
system.stateVersion = "24.05";
networking = {
firewall = {
enable = true;
};
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
users.groups.c3moc = {};
users.users.c3moc = {
group = "c3moc";
password = "c3moc";
isNormalUser = true;
home = "/home/c3moc";
};
# Jellyfin
environment.systemPackages = with pkgs; [
jellyfin-ffmpeg
];
services.jellyfin = {
enable = true;
openFirewall = true;
};
# FTP access
services.vsftpd = {
enable = true;
writeEnable = true;
anonymousUser = true;
anonymousUserNoPassword = true;
anonymousUserHome = "/home/c3moc";
anonymousUploadEnable = true;
anonymousMkdirEnable = true;
anonymousUmask = "000";
};
# SFTP access
services.openssh = {
enable = true;
extraConfig = ''
Match Group c3moc
ChrootDirectory /home
ForceCommand internal-sftp
AllowTcpForwarding no
'';
};
# CIFS access
services.samba = {
enable = true;
openFirewall = true;
extraConfig = ''
workgroup = WORKGROUP
server string = c3moc
netbios name = c3moc
security = user
use sendfile = yes
guest account = nobody
map to guest = bad user
'';
shares = {
c3moc = {
path = "/home/c3moc";
browseable = "yes";
"read only" = "no";
"guest ok" = "yes";
"create mask" = "0777";
"directory mask" = "0777";
"force user" = "c3moc";
"force group" = "c3moc";
};
};
};
};
};
services.nfs.server.exports = mkIf cfg.switchNfs ''
/export (ro,fsid=0,no_subtree_check)
/export/c3moc (ro,nohide,insecure,no_subtree_check)
/export/c3moc/dropfolder (rw,nohide,insecure,no_subtree_check)
'';
networking.nat.forwardPorts = [
# FTP
{
destination = "192.168.69.10:20";
proto = "tcp";
sourcePort = 20;
}
{
destination = "192.168.69.10:21";
proto = "tcp";
sourcePort = 21;
}
# SFTP
{
destination = "192.168.69.10:22";
proto = "tcp";
sourcePort = 22;
}
# SMB
{
destination = "192.168.69.10:137";
proto = "udp";
sourcePort = 137;
}
{
destination = "192.168.69.10:138";
proto = "udp";
sourcePort = 138;
}
{
destination = "192.168.69.10:139";
proto = "tcp";
sourcePort = 139;
}
{
destination = "192.168.69.10:445";
proto = "tcp";
sourcePort = 445;
}
];
# Nginx Stuff
services.nginx = {
virtualHosts."gpn22.c3moc.lol" = {
serverName = "gpn22.c3moc.lol";
enableACME = true;
forceSSL = true;
locations = {
"= /" = {
extraConfig = ''
return 302 https://$host/web/;
'';
};
"/" = {
extraConfig = ''
proxy_pass http://192.168.69.10:8096;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_buffering off;
'';
};
"= /web/" = {
extraConfig = ''
proxy_pass http://192.168.69.10:8096/web/index.html;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_buffering off;
'';
};
"/socket" = {
extraConfig = ''
proxy_pass http://192.168.69.10:8096/socket;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
'';
};
};
};
};
};
}

4
hosts/phoenix.lewd.wtf/configuration.nix
View File

@ -8,11 +8,15 @@ let
./hardware-configuration.nix
./networking.nix
./secrets.nix
./c3moc.nix
];
in {
inherit imports;
c3moc.enable = true;
c3moc.switchNfs = true;
boot.loader.systemd-boot.enable = false;
boot.loader.grub = {
enable = true;

14
hosts/phoenix.lewd.wtf/networking.nix
View File

@ -6,6 +6,7 @@
interfaces = [
"eno2"
"enp23s0"
"enp23s0d1"
];
};
};
@ -13,18 +14,23 @@
networking.nat = {
enable = true;
internalInterfaces = ["ve-+"];
externalInterface = "wg0";
externalInterface = "br0";
enableIPv6 = true;
};
networking.interfaces.br0.ipv4.addresses = [
{
address = "10.0.69.69";
prefixLength = 16;
}
{
address = "192.168.0.42";
prefixLength = 22;
}
];
networking.defaultGateway = "192.168.0.1";
networking.defaultGateway = "10.0.0.1";
# networking.defaultGateway = "192.168.0.1";
networking.nameservers = [ "1.1.1.1" ];
networking.firewall.enable = false;
@ -51,6 +57,8 @@
"ip rule add from 192.168.5.0/24 table 2"
# NAT
"${pkgs.iptables}/bin/iptables -I POSTROUTING -t nat -o wg0 -j MASQUERADE"
# c3moc NAT
"${pkgs.iptables}/bin/iptables -I POSTROUTING -t nat -o br0 -j MASQUERADE"
# Port forwarding
"${pkgs.iptables}/bin/iptables -A PREROUTING -t nat -p tcp -i wg0 --dport 51506 -j DNAT --to-destination 192.168.100.11:51506"
];
@ -63,6 +71,8 @@
"ip route del table 2 default dev wg0" +
# NAT
"${pkgs.iptables}/bin/iptables -D POSTROUTING -t nat -o wg0 -j MASQUERADE" +
# c3moc NAT
"${pkgs.iptables}/bin/iptables -D POSTROUTING -t nat -o br0 -j MASQUERADE" +
# Port Forwarding
"${pkgs.iptables}/bin/iptables -D PREROUTING -t nat -p tcp -i wg0 --dport 51506 -j DNAT --to-destination 192.168.100.11:51506"
;

6
hosts/phoenix.lewd.wtf/services/nfs.nix
View File

@ -1,12 +1,12 @@
{ config, lib, ... }:
{
fileSystems."/export/desktop" = {
services.nfs.server.enable = true;
fileSystems."/export/desktop" = lib.mkIf (!config.c3moc.switchNfs) {
device = "/mnt/zvault/desktop";
options = [ "bind" ];
};
services.nfs.server.enable = true;
services.nfs.server.exports = ''
services.nfs.server.exports = lib.mkIf (!config.c3moc.switchNfs) ''
/export 192.168.0.20(rw,fsid=0,no_subtree_check) 192.168.1.39(ro,nohide,insecure,no_subtree_check,all_squash,anonuid=1000,anongid=1000)
/export/desktop 192.168.0.20(rw,nohide,insecure,no_subtree_check) 192.168.1.39(ro,nohide,insecure,no_subtree_check,all_squash,anonuid=1000,anongid=1000)