From 9c5984ba4ffd8fa6122bc9e373c5530b22d55665 Mon Sep 17 00:00:00 2001
From: Ciapa
Date: Mon, 20 May 2024 15:53:55 +0200
Subject: [PATCH] Implement c3moc config

---
 hosts/phoenix.lewd.wtf/c3moc.nix | 226 +++++++++++++++++++++++
 hosts/phoenix.lewd.wtf/configuration.nix | 4 +
 hosts/phoenix.lewd.wtf/networking.nix | 14 +-
 hosts/phoenix.lewd.wtf/services/nfs.nix | 6 +-
 4 files changed, 245 insertions(+), 5 deletions(-)
 create mode 100644 hosts/phoenix.lewd.wtf/c3moc.nix

diff --git a/hosts/phoenix.lewd.wtf/c3moc.nix b/hosts/phoenix.lewd.wtf/c3moc.nix
new file mode 100644
index 0000000..dbe020e
--- /dev/null
+++ b/hosts/phoenix.lewd.wtf/c3moc.nix
@@ -0,0 +1,226 @@
+{ lib, pkgs, config, ... }:
+with lib;
+let
+ cfg = config.c3moc;
+in {
+ options.c3moc = {
+ enable = mkEnableOption "enable c3moc services";
+ switchNfs = mkEnableOption "switch nfs config to c3moc one";
+ };
+ config = mkIf cfg.enable {
+ fileSystems = {
+ "/mnt/zbigdata/c3moc_dropfolder" = {
+ device = "zbigdata/c3moc_dropfolder";
+ fsType = "zfs";
+ };
+ "/export/c3moc/media" = lib.mkIf cfg.switchNfs {
+ device = "/mnt/zbigdata/media";
+ options = [ "bind" ];
+ };
+ "/export/c3moc/dropfolder" = lib.mkIf cfg.switchNfs {
+ device = "/mnt/zbigdata/c3moc_dropfolder";
+ options = [ "bind" ];
+ };
+ };
+
+ containers.c3moc = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = "192.168.69.1";
+ localAddress = "192.168.69.10";
+
+ bindMounts = {
+ "/home/c3moc/media" = {
+ hostPath = "/mnt/zbigdata/media";
+ isReadOnly = true;
+ };
+ "/home/c3moc/dropfolder" = {
+ hostPath = "/mnt/zbigdata/c3moc_dropfolder";
+ isReadOnly = false;
+ };
+ };
+
+ config = { config, pkgs, ... }: {
+ system.stateVersion = "24.05";
+
+ networking = {
+ firewall = {
+ enable = true;
+ };
+ useHostResolvConf = lib.mkForce false;
+ };
+
+ services.resolved.enable = true;
+
+ users.groups.c3moc = {};
+ users.users.c3moc = {
+ group = "c3moc";
+ password = "c3moc";
+ isNormalUser = true;
+ home = "/home/c3moc";
+ };
+
+ # Jellyfin
+ environment.systemPackages = with pkgs; [
+ jellyfin-ffmpeg
+ ];
+
+ services.jellyfin = {
+ enable = true;
+ openFirewall = true;
+ };
+
+ # FTP access
+ services.vsftpd = {
+ enable = true;
+ writeEnable = true;
+ anonymousUser = true;
+ anonymousUserNoPassword = true;
+ anonymousUserHome = "/home/c3moc";
+ anonymousUploadEnable = true;
+ anonymousMkdirEnable = true;
+ anonymousUmask = "000";
+ };
+
+ # SFTP access
+ services.openssh = {
+ enable = true;
+ extraConfig = ''
+ Match Group c3moc
+ ChrootDirectory /home
+ ForceCommand internal-sftp
+ AllowTcpForwarding no
+ '';
+ };
+
+ # CIFS access
+ services.samba = {
+ enable = true;
+ openFirewall = true;
+ extraConfig = ''
+ workgroup = WORKGROUP
+ server string = c3moc
+ netbios name = c3moc
+ security = user
+ use sendfile = yes
+ guest account = nobody
+ map to guest = bad user
+ '';
+ shares = {
+ c3moc = {
+ path = "/home/c3moc";
+ browseable = "yes";
+ "read only" = "no";
+ "guest ok" = "yes";
+ "create mask" = "0777";
+ "directory mask" = "0777";
+ "force user" = "c3moc";
+ "force group" = "c3moc";
+ };
+ };
+ };
+ };
+ };
+
+ services.nfs.server.exports = mkIf cfg.switchNfs ''
+ /export (ro,fsid=0,no_subtree_check)
+ /export/c3moc (ro,nohide,insecure,no_subtree_check)
+ /export/c3moc/dropfolder (rw,nohide,insecure,no_subtree_check)
+ '';
+
+ networking.nat.forwardPorts = [
+ # FTP
+ {
+ destination = "192.168.69.10:20";
+ proto = "tcp";
+ sourcePort = 20;
+ }
+ {
+ destination = "192.168.69.10:21";
+ proto = "tcp";
+ sourcePort = 21;
+ }
+ # SFTP
+ {
+ destination = "192.168.69.10:22";
+ proto = "tcp";
+ sourcePort = 22;
+ }
+ # SMB
+ {
+ destination = "192.168.69.10:137";
+ proto = "udp";
+ sourcePort = 137;
+ }
+ {
+ destination = "192.168.69.10:138";
+ proto = "udp";
+ sourcePort = 138;
+ }
+ {
+ destination = "192.168.69.10:139";
+ proto = "tcp";
+ sourcePort = 139;
+ }
+ {
+ destination = "192.168.69.10:445";
+ proto = "tcp";
+ sourcePort = 445;
+ }
+ ];
+
+ # Nginx Stuff
+ services.nginx = {
+ virtualHosts."gpn22.c3moc.lol" = {
+ serverName = "gpn22.c3moc.lol";
+ enableACME = true;
+ forceSSL = true;
+ locations = {
+ "= /" = {
+ extraConfig = ''
+ return 302 https://$host/web/;
+ '';
+ };
+ "/" = {
+ extraConfig = ''
+ proxy_pass http://192.168.69.10:8096;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_buffering off;
+ '';
+ };
+ "= /web/" = {
+ extraConfig = ''
+ proxy_pass http://192.168.69.10:8096/web/index.html;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_buffering off;
+ '';
+ };
+ "/socket" = {
+ extraConfig = ''
+ proxy_pass http://192.168.69.10:8096/socket;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+ '';
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/phoenix.lewd.wtf/configuration.nix b/hosts/phoenix.lewd.wtf/configuration.nix
index 0297968..2880850 100644
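Review bot: The three `services.nfs.server.exports` lines under `mkIf cfg.switchNfs` carry no client specifier, so `/export/c3moc/dropfolder (rw,nohide,insecure,no_subtree_check)` is exported read/write to any host that can reach the NFS server (exportfs treats a missing host field as `*`), whereas the exports this path replaces in services/nfs.nix are bound to specific addresses; pin each line to the intended clients, e.g. `/export/c3moc/dropfolder <client-cidr>(rw,nohide,insecure,no_subtree_check)`. The `forwardPorts` entry with `sourcePort = 22` DNATs every inbound port-22 connection arriving on the NAT external interface to the container, which takes precedence over a host sshd listening on 22 and would cut off host administration over that interface — confirm which port the host's sshd uses, or forward a distinct external port instead. `password = "c3moc"` on the container user is stored in clear text in the world-readable Nix store and is the credential behind the forwarded SFTP port; `hashedPasswordFile` pointing at a secret (the host already imports ./secrets.nix) would keep it out of the store. Passive-mode FTP through NAT also needs the data port range forwarded, not just 20/21; if vsftpd's passive range is set elsewhere, a comment here naming it would save the next reader a debugging session.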
--- a/hosts/phoenix.lewd.wtf/configuration.nix +++ b/hosts/phoenix.lewd.wtf/configuration.nix @@ -8,11 +8,15 @@ let ./hardware-configuration.nix ./networking.nix ./secrets.nix + ./c3moc.nix ]; in { inherit imports; + c3moc.enable = true; + c3moc.switchNfs = true; + boot.loader.systemd-boot.enable = false; boot.loader.grub = { enable = true; diff --git a/hosts/phoenix.lewd.wtf/networking.nix b/hosts/phoenix.lewd.wtf/networking.nix index 5571f59..6f1896c 100644 --- a/hosts/phoenix.lewd.wtf/networking.nix +++ b/hosts/phoenix.lewd.wtf/networking.nix @@ -6,6 +6,7 @@ interfaces = [ "eno2" "enp23s0" + "enp23s0d1" ]; }; }; @@ -13,18 +14,23 @@ networking.nat = { enable = true; internalInterfaces = ["ve-+"]; - externalInterface = "wg0"; + externalInterface = "br0"; enableIPv6 = true; }; networking.interfaces.br0.ipv4.addresses = [ + { + address = "10.0.69.69"; + prefixLength = 16; + } { address = "192.168.0.42"; prefixLength = 22; } ]; - networking.defaultGateway = "192.168.0.1"; + networking.defaultGateway = "10.0.0.1"; + # networking.defaultGateway = "192.168.0.1"; networking.nameservers = [ "1.1.1.1" ]; networking.firewall.enable = false; @@ -51,6 +57,8 @@ "ip rule add from 192.168.5.0/24 table 2" # NAT "${pkgs.iptables}/bin/iptables -I POSTROUTING -t nat -o wg0 -j MASQUERADE" + # c3moc NAT + "${pkgs.iptables}/bin/iptables -I POSTROUTING -t nat -o br0 -j MASQUERADE" # Port forwarding "${pkgs.iptables}/bin/iptables -A PREROUTING -t nat -p tcp -i wg0 --dport 51506 -j DNAT --to-destination 192.168.100.11:51506" ]; @@ -63,6 +71,8 @@ "ip route del table 2 default dev wg0" + # NAT "${pkgs.iptables}/bin/iptables -D POSTROUTING -t nat -o wg0 -j MASQUERADE" + + # c3moc NAT + "${pkgs.iptables}/bin/iptables -D POSTROUTING -t nat -o br0 -j MASQUERADE" + # Port Forwarding "${pkgs.iptables}/bin/iptables -D PREROUTING -t nat -p tcp -i wg0 --dport 51506 -j DNAT --to-destination 192.168.100.11:51506" ; 
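Review bot: The hand-written `iptables -I POSTROUTING -t nat -o br0 -j MASQUERADE` added to both command lists (the `@@ -51,6 +57,8 @@` and `@@ -63,6 +71,8 @@` hunks) appears to duplicate what `externalInterface = "br0"` already makes the `networking.nat` module install, and unlike the module's rule — which I believe is limited to traffic from the internal interfaces — it masquerades every forwarded packet leaving br0; if that wider scope is intended, a comment saying so (`# masquerade all forwarded traffic on br0, not only ve-+`) would help, otherwise the two lines can go. Making br0 the NAT external interface also moves the `forwardPorts` entries configured elsewhere onto the LAN-facing bridge carrying 192.168.0.42/22 and the new 10.0.69.69/16, so the forwarded container ports become reachable from every host on those networks rather than only via wg0 — presumably the goal for this deployment, but worth stating in the commit message. The commented-out `# networking.defaultGateway = "192.168.0.1";` is dead config that version history already preserves; dropping it keeps the file readable.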
diff --git a/hosts/phoenix.lewd.wtf/services/nfs.nix b/hosts/phoenix.lewd.wtf/services/nfs.nix
index 1dc7653..8a31f3f 100644
--- a/hosts/phoenix.lewd.wtf/services/nfs.nix
+++ b/hosts/phoenix.lewd.wtf/services/nfs.nix
@@ -1,12 +1,12 @@
 { config, lib, ... }: {
- fileSystems."/export/desktop" = {
+ services.nfs.server.enable = true;
+ fileSystems."/export/desktop" = lib.mkIf (!config.c3moc.switchNfs) {
 device = "/mnt/zvault/desktop";
 options = [ "bind" ];
 };
- services.nfs.server.enable = true;
- services.nfs.server.exports = ''
+ services.nfs.server.exports = lib.mkIf (!config.c3moc.switchNfs) ''
 /export 192.168.0.20(rw,fsid=0,no_subtree_check) 192.168.1.39(ro,nohide,insecure,no_subtree_check,all_squash,anonuid=1000,anongid=1000)
 /export/desktop 192.168.0.20(rw,nohide,insecure,no_subtree_check) 192.168.1.39(ro,nohide,insecure,no_subtree_check,all_squash,anonuid=1000,anongid=1000)