frumar: move paperless stuff to separate file, fix scanner firewall
parent
4adf2f5ab3
commit
98959934ff
@ -3,6 +3,7 @@
|
|||
./fractal.nix
|
||||
../../roles/server.nix
|
||||
../../roles/homeserver.nix
|
||||
./paperless.nix
|
||||
];
|
||||
|
||||
system.stateVersion = "15.09";
|
||||
|
@ -137,12 +138,19 @@
|
|||
# unifiPassword = "ReadOnlyPassword";
|
||||
# };
|
||||
};
|
||||
services.yorick.paperless = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
scanner_ip = "192.168.2.49";
|
||||
};
|
||||
boot.zfs.requestEncryptionCredentials = false;
|
||||
networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 3000 9090 8443 ];
|
||||
# mqtt, wsdd, ??, minecraft
|
||||
networking.firewall.allowedTCPPorts = [ 1883 5357 443 25565 ];
|
||||
# mqtt, wsdd, minecraft
|
||||
networking.firewall.allowedUDPPorts = [ 1883 3702 25565 ];
|
||||
networking.firewall = {
|
||||
interfaces.wg-y.allowedTCPPorts = [ 3000 9090 8443 ];
|
||||
# mqtt, wsdd, ??, minecraft
|
||||
allowedTCPPorts = [ 1883 5357 443 25565 ];
|
||||
# mqtt, wsdd, minecraft
|
||||
allowedUDPPorts = [ 1883 3702 25565 ];
|
||||
};
|
||||
services.rabbitmq = {
|
||||
enable = true;
|
||||
plugins = [ "rabbitmq_mqtt" "rabbitmq_management" ];
|
||||
|
@ -315,5 +323,4 @@
|
|||
TRANSIP_Username = "yorickvp";
|
||||
TRANSIP_Key_File = config.age.secrets.transip-key.path;
|
||||
};
|
||||
|
||||
}
|
||||
|
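Review bot: The comment above `allowedTCPPorts = [ 1883 5357 443 25565 ];` in the new `networking.firewall = {` block still reads `# mqtt, wsdd, ??, minecraft`, so the consolidation moved the unknown port 443 rather than resolving it; if that port is the HTTPS listener, `# mqtt, wsdd, https, minecraft` would document it, otherwise the entry deserves a comment naming its consumer. The new `services.yorick.paperless` block uses `scanner_ip`, which breaks the camelCase convention of every surrounding NixOS option (`openFirewall`, `allowedTCPPorts`); renaming it to `scannerIp` here and in the `mkOption` declaration in paperless.nix would match. The enclosing attribute set starts and ends outside the hunk.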
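--- /dev/null
+++ b/paperless.nix
@@ -0,0 +1,45 @@
+{ config, lib, pkgs, ... }:
+let cfg = config.services.yorick.paperless;
+in {
+options.services.yorick.paperless = with lib; {
+enable = mkEnableOption "yorick paperless";
+openFirewall = mkEnableOption "open firewall for scanner";
+scanner_ip = mkOption {
+type = types.str;
+};
+};
+config = lib.mkIf cfg.enable {
+networking.firewall = lib.mkIf cfg.openFirewall {
+connectionTrackingModules = [ "ftp" ];
+extraCommands = ''
+iptables -t raw -A PREROUTING -i eno1 -s ${cfg.scanner_ip}/32 -p tcp --dport 21 -j CT --helper ftp
+iptables -A nixos-fw -p tcp -m tcp --dport 21 -s ${cfg.scanner_ip}/32 -j nixos-fw-accept
+'';
+extraStopCommands = ''
+iptables -t raw -D PREROUTING -i eno1 -s ${cfg.scanner_ip}/32 -p tcp --dport 21 -j CT --helper ftp
+iptables -D nixos-fw -p tcp -m tcp --dport 21 -s ${cfg.scanner_ip}/32 -j nixos-fw-accept
+'';
+};
+
+users.users.ads1600w = {
+home = "/var/ads1600w";
+group = "ads1600w";
+initialHashedPassword =
+"$6$q7E6hnTHHt9v.$OHZjuWISanANGwfhznWwfDlHAqbXBjqcr/q0lGe9ff2r.X9xCSoLP4giME5J9WoEUNuWssMLGBPMfXowBjXg70";
+isSystemUser = true;
+shell = "${pkgs.shadow}/bin/nologin";
+createHome = true;
+};
+users.groups.ads1600w = { };
+
+services.vsftpd = {
+enable = true;
+localUsers = true;
+writeEnable = true;
+chrootlocalUser = true;
+allowWriteableChroot = true;
+userlist = [ "ads1600w" ];
+};
+# todo: back up this dir
+};
+}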
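Review bot: Both `iptables -t raw ... PREROUTING -i eno1 ...` lines hard-code the interface while the scanner address was made an option, so `openFirewall` silently installs a CT helper rule that never matches on any host whose uplink is not `eno1`; an `interface` option defaulting to `"eno1"` keeps current behaviour and makes the module reusable. `initialHashedPassword` puts the ads1600w crypt hash into the repository and the world-readable Nix store, where it can be attacked offline; since this commit already reads secrets through `config.age.secrets.<name>.path`, `hashedPasswordFile` (`passwordFile` on older releases) pointing at an age secret would keep it out of the store. `scanner_ip` is declared as `types.str`, yet both rules append `/32`, so an IPv6 or CIDR value yields a broken iptables call; at least state the expectation with `description = "IPv4 address of the scanner (a /32 is appended)";`. `extraStopCommands` runs `iptables -D` unguarded, and unless the firewall module already tolerates failures there, a missing raw-table rule aborts the stop script, so `|| true` on both lines is the usual guard.
```nix
options.services.yorick.paperless = with lib; {
  # … unchanged: enable, openFirewall …
  interface = mkOption {
    type = types.str;
    default = "eno1";
    description = "Interface on which the scanner is reachable";
  };
  scanner_ip = mkOption {
    type = types.str;
    description = "IPv4 address of the scanner (a /32 is appended)";
  };
};
# … unchanged: config = lib.mkIf cfg.enable { … connectionTrackingModules …
extraCommands = ''
  iptables -t raw -A PREROUTING -i ${cfg.interface} -s ${cfg.scanner_ip}/32 -p tcp --dport 21 -j CT --helper ftp
  iptables -A nixos-fw -p tcp -m tcp --dport 21 -s ${cfg.scanner_ip}/32 -j nixos-fw-accept
'';
extraStopCommands = ''
  iptables -t raw -D PREROUTING -i ${cfg.interface} -s ${cfg.scanner_ip}/32 -p tcp --dport 21 -j CT --helper ftp || true
  iptables -D nixos-fw -p tcp -m tcp --dport 21 -s ${cfg.scanner_ip}/32 -j nixos-fw-accept || true
'';
# … unchanged: users.users.ads1600w, services.vsftpd …
```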