From ca7b57a78a9799d508e27cf5326781bf7c9b4e88 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Sun, 12 Mar 2023 03:15:34 +0000
Subject: [PATCH] cofractal-ams01: adopt more responsibility from clouvider-fra01
---
 nix/pkgs/plex-pass.nix | 6 +--
 ops/nixos/cofractal-ams01/default.nix | 61 +++++++++++++++++++++++++++
 ops/nixos/etheroute-lon01/default.nix | 12 +++---
 ops/nixos/lib/content.nix | 17 +++++++-
 4 files changed, 86 insertions(+), 10 deletions(-)
diff --git a/nix/pkgs/plex-pass.nix b/nix/pkgs/plex-pass.nix
index 11b714e94f..a1368658b2 100644
--- a/nix/pkgs/plex-pass.nix
+++ b/nix/pkgs/plex-pass.nix
@@ -4,10 +4,10 @@
 { pkgs, ... }:
 let
- version = "1.30.1.6497-5fc2e0894";
+ version = "1.31.2.6783-9209b39b4";
 src = pkgs.fetchurl {
- url = "https://downloads.plex.tv/plex-media-server-new/1.30.1.6497-5fc2e0894/debian/plexmediaserver_1.30.1.6497-5fc2e0894_amd64.deb";
- hash = "sha256:019yyyn24nsn33fvrbg2mqhjp4n710pjdj32xcnlmpq3j6s9w1jp";
+ url = "https://downloads.plex.tv/plex-media-server-new/1.31.2.6783-9209b39b4/debian/plexmediaserver_1.31.2.6783-9209b39b4_amd64.deb";
+ hash = "sha256:0sfqwgw20z6bn7r2jgi8nh7br8fwq75j71py7iidfhbxwwliph9m";
 };
 in (pkgs.plex.override {
diff --git a/ops/nixos/cofractal-ams01/default.nix b/ops/nixos/cofractal-ams01/default.nix
index 11d4822664..d6fb22bb01 100644
--- a/ops/nixos/cofractal-ams01/default.nix
+++ b/ops/nixos/cofractal-ams01/default.nix
@@ -3,12 +3,55 @@
 # SPDX-License-Identifier: Apache-2.0
 { depot, lib, pkgs, config, ... }:
+let
+ vhostsConfig = {
+ int = rec {
+ proxy = _apply (value: { extraConfig = ''
+ ${bind}
+ reverse_proxy ${value}
+ ''; }) {
+ "http://deluge.int.lukegb.com" = "http://localhost:8112";
+ "http://radarr.int.lukegb.com" = "http://localhost:7878";
+ "http://sonarr.int.lukegb.com" = "http://localhost:8989";
+ };
+ serve = _apply (value: { extraConfig = ''
+ ${bind}
+ root * ${value}
+ file_server
+ ''; }) {
+ "http://int.lukegb.com" = depot.web.int;
+ "http://logged-out.int.lukegb.com" = depot.web.logged-out-int;
+ };
+ other = _apply lib.id {
+ "http://content.int.lukegb.com" = {
+ serverAliases = ["http://content.int.lukegb.com:18081"];
+ extraConfig = ''
+ ${bind}
+ root * /store/content
+ file_server browse
+ '';
+ };
+ };
+ _apply = f: builtins.mapAttrs (name: value: lib.recursiveUpdate hostBase (f value));
+ };
+ };
+ vhosts = vhostsConfig.int.proxy // vhostsConfig.int.serve // vhostsConfig.int.other;
+ hostBase = {
+ extraConfig = ''
+ ${bind}
+ '';
+ };
+ bind = "bind [${config.my.ip.tailscale6}] ${config.my.ip.tailscale}";
+in
 {
 imports = [
 ../lib/zfs.nix
 ../lib/bgp.nix
 ../lib/nixbuild-distributed.nix
 ../lib/gitlab-runner-cacher.nix
+ ../lib/coredns/default.nix
+ ../lib/deluge.nix
+ ../lib/plex.nix
 ];
 # Otherwise _this_ machine won't enumerate things properly.
@@ -51,6 +94,7 @@
 "/tmp" = zfs "zfast/local/tmp";
 "/persist" = zfs "zfast/safe/persist";
+ "/store" = zfs "zslow/safe/store";
 "/home" = (zfs "zslow/safe/home") // {
 neededForBoot = true;
 };
 "/boot" = {
@@ -101,6 +145,7 @@
 };
 my.ip.tailscale = "100.94.187.27";
 my.ip.tailscale6 = "fd7a:115c:a1e0:ab12:4843:cd96:625e:bb1b";
+ my.coredns.bind = [ "bond0" "tailscale0" "127.0.0.1" "::1" ];
 services.openssh.hostKeys = [
 {
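Review bot: `hostBase` contributes nothing inside `_apply`: `lib.recursiveUpdate hostBase (f value)` cannot merge two strings, so the `extraConfig` each template produces replaces `hostBase.extraConfig` outright, and all three templates (`proxy`, `serve`, and the literal that `other` passes through `lib.id`) already start with `${bind}`. Pick one source of truth — delete `hostBase`, or keep it and drop `${bind}` from the three templates — so a vhost added later without the prefix cannot silently lose the Tailscale-only bind. The `//` chain that builds `vhosts` also lets a later group overwrite a hostname present in an earlier one with no error; nothing repeats today, but an assertion on the key sets would catch it. A short comment on `bind` would help the next reader: `# every vhost binds only to this host's Tailscale addresses; etheroute-lon01 fronts them`.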
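Review bot: `my.coredns.bind` lists `bond0` next to `tailscale0` and the loopback addresses, and nothing in this hunk limits who may query the resolver on that interface; if bond0 carries the host's routable addresses the DNS service is reachable from outside the Tailscale network. The restriction presumably lives in `../lib/coredns/default.nix` (imported in the first hunk), which is not shown here — confirm it serves only non-recursive zones there or is fenced by the firewall, and record why bond0 is included: `# bond0 is listed on purpose: <reason>; query ACL / recursion policy lives in ../lib/coredns/default.nix`.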
@@ -167,5 +212,21 @@
 boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+ services.sonarr.enable = true;
+ services.radarr.enable = true;
+ services.kubo = {
+ enable = true;
+ settings = {
+ Discovery.MDNS.Enabled = false;
+ Swarm.DisableNatPortMap = true;
+ Experimental.FilestoreEnabled = true;
+ };
+ dataDir = "/store/ipfs";
+ };
+ services.caddy = {
+ enable = true;
+ virtualHosts = vhosts;
+ };
+
 system.stateVersion = "23.05";
 }
diff --git a/ops/nixos/etheroute-lon01/default.nix b/ops/nixos/etheroute-lon01/default.nix
index 74f77d41ac..629855e4ac 100644
--- a/ops/nixos/etheroute-lon01/default.nix
+++ b/ops/nixos/etheroute-lon01/default.nix
@@ -318,12 +318,12 @@ in {
 allowed_domains = null;
 } // extraConfig;
 in [
- (service "clouvider-fra01.int.as205479.net" "int.lukegb.com" {})
- (service "clouvider-fra01.int.as205479.net" "logged-out.int.lukegb.com" (public {}))
- (service "clouvider-fra01.int.as205479.net" "sonarr.int.lukegb.com" {})
- (service "clouvider-fra01.int.as205479.net" "radarr.int.lukegb.com" {})
- (service "clouvider-fra01.int.as205479.net" "deluge.int.lukegb.com" {})
- (service "clouvider-fra01.int.as205479.net" "content.int.lukegb.com" {})
+ (service "cofractal-ams01.int.as205479.net" "int.lukegb.com" {})
+ (service "cofractal-ams01.int.as205479.net" "logged-out.int.lukegb.com" (public {}))
+ (service "cofractal-ams01.int.as205479.net" "sonarr.int.lukegb.com" {})
+ (service "cofractal-ams01.int.as205479.net" "radarr.int.lukegb.com" {})
+ (service "cofractal-ams01.int.as205479.net" "deluge.int.lukegb.com" {})
+ (service "cofractal-ams01.int.as205479.net" "content.int.lukegb.com" {})
 (service "totoro.int.as205479.net:9090" "prometheus.int.lukegb.com" {})
 (service "totoro.int.as205479.net:9093" "alertmanager.int.lukegb.com" {})
 (service "totoro.int.as205479.net:3000" "grafana.int.lukegb.com" {})
diff --git a/ops/nixos/lib/content.nix b/ops/nixos/lib/content.nix
index ee8659a499..2421c27aad 100644
--- a/ops/nixos/lib/content.nix
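Review bot: the `services.kubo` block pins `Discovery.MDNS.Enabled`, `Swarm.DisableNatPortMap` and `Experimental.FilestoreEnabled` but says nothing about `Addresses.API` or `Addresses.Gateway`, so where the daemon's API and gateway listen comes from defaults this hunk does not show; the same applies to the sonarr and radarr listeners, which the Tailscale-bound Caddy vhosts in the first hunk reach via `localhost` but do not themselves restrict. A comment would settle this for the next reader, e.g. `# sonarr/radarr are reached only through the Tailscale-bound caddy vhosts above; their own listeners and kubo's API/gateway stay behind the firewall — TODO confirm`. `Experimental.FilestoreEnabled = true` also switches on a feature kubo itself labels experimental and deserves a one-line why-comment.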
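Review bot: the six rewritten `service` entries now target `cofractal-ams01.int.as205479.net`, but the Caddy vhosts serving those names on cofractal-ams01 bind only to `config.my.ip.tailscale6` and `config.my.ip.tailscale` (the `bind` definition in that file's first hunk), so this only works if that `int.as205479.net` record resolves to one of those two addresses and not to a non-Tailscale address. Confirm the record and note the dependency beside the first entry: `# must resolve to cofractal-ams01's Tailscale address: its caddy vhosts bind nowhere else`. The `let` block defining `service` and `public` begins outside the hunk.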
+++ b/ops/nixos/lib/content.nix
@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: Apache-2.0
-{ ... }:
+{ lib, ... }:
 {
 users.users.content = {
 isSystemUser = true;
@@ -11,8 +11,23 @@
 users.groups.content = {};
 users.users.lukegb.extraGroups = [ "content" ];
+ users.users.sonarr.extraGroups = [ "content" ];
+ users.users.radarr.extraGroups = [ "content" ];
+ users.users.deluge.extraGroups = [ "content" ];
 systemd.services.nginx.serviceConfig = {
 SupplementaryGroups = [ "content" ];
 };
+ systemd.services.deluged.serviceConfig = {
+ UMask = "0002";
+ Group = lib.mkForce "content";
+ };
+ systemd.services.sonarr.serviceConfig = {
+ UMask = "0002";
+ Group = lib.mkForce "content";
+ };
+ systemd.services.radarr.serviceConfig = {
+ UMask = "0002";
+ Group = lib.mkForce "content";
+ };
 }
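Review bot: `UMask = "0002"` combined with `Group = lib.mkForce "content"` makes every file sonarr, radarr and deluged create group-writable for `content`, and the untouched `systemd.services.nginx.serviceConfig.SupplementaryGroups = [ "content" ]` just above extends that write access to nginx, which only needs to read what it serves. If a writable web-server process is not intended, keep nginx in the group but make the shared tree read-only for it with `ReadOnlyPaths` in the nginx `serviceConfig` (the path itself is configured per host, not in this file); either way the decision deserves a line next to the nginx block. `lib.mkForce` also overrides whatever `Group` the upstream sonarr/radarr/deluge modules set, which is clearly the intent but worth stating: `# primary group forced to "content" so new files land group-writable (UMask 0002) for the other daemons`. The three identical `serviceConfig` blocks could be one `lib.genAttrs [ "deluged" "sonarr" "radarr" ]` expression.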