frumar: move paperless stuff to separate file, fix scanner firewall
parent
4adf2f5ab3
commit
98959934ff
|
@ -3,6 +3,7 @@
|
||||||
./fractal.nix
|
./fractal.nix
|
||||||
../../roles/server.nix
|
../../roles/server.nix
|
||||||
../../roles/homeserver.nix
|
../../roles/homeserver.nix
|
||||||
|
./paperless.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
system.stateVersion = "15.09";
|
system.stateVersion = "15.09";
|
||||||
|
@ -137,12 +138,19 @@
|
||||||
# unifiPassword = "ReadOnlyPassword";
|
# unifiPassword = "ReadOnlyPassword";
|
||||||
# };
|
# };
|
||||||
};
|
};
|
||||||
|
services.yorick.paperless = {
|
||||||
|
enable = true;
|
||||||
|
openFirewall = true;
|
||||||
|
scanner_ip = "192.168.2.49";
|
||||||
|
};
|
||||||
boot.zfs.requestEncryptionCredentials = false;
|
boot.zfs.requestEncryptionCredentials = false;
|
||||||
networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 3000 9090 8443 ];
|
networking.firewall = {
|
||||||
# mqtt, wsdd, ??, minecraft
|
interfaces.wg-y.allowedTCPPorts = [ 3000 9090 8443 ];
|
||||||
networking.firewall.allowedTCPPorts = [ 1883 5357 443 25565 ];
|
# mqtt, wsdd, ??, minecraft
|
||||||
# mqtt, wsdd, minecraft
|
allowedTCPPorts = [ 1883 5357 443 25565 ];
|
||||||
networking.firewall.allowedUDPPorts = [ 1883 3702 25565 ];
|
# mqtt, wsdd, minecraft
|
||||||
|
allowedUDPPorts = [ 1883 3702 25565 ];
|
||||||
|
};
|
||||||
services.rabbitmq = {
|
services.rabbitmq = {
|
||||||
enable = true;
|
enable = true;
|
||||||
plugins = [ "rabbitmq_mqtt" "rabbitmq_management" ];
|
plugins = [ "rabbitmq_mqtt" "rabbitmq_management" ];
|
||||||
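Review bot: The regrouped `allowedTCPPorts = [ 1883 5357 443 25565 ];` still opens 443 on every interface while the comment above it reads `# mqtt, wsdd, ??, minecraft` — a port the config itself cannot account for should not sit in a host-wide allow list. Either drop 443 or name the listener, e.g. `# mqtt, wsdd, https (<service>), minecraft`. Unlike the `interfaces.wg-y` ports, these are not interface-scoped, so 1883 also exposes the plaintext MQTT listener of the `rabbitmq_mqtt` plugin enabled below to every interface; whether that listener requires authentication is not visible here, but scoping it with `interfaces.<lan>.allowedTCPPorts` would match how wg-y is handled. The enclosing module body starts and ends outside this hunk.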
|
@ -315,5 +323,4 @@
|
||||||
TRANSIP_Username = "yorickvp";
|
TRANSIP_Username = "yorickvp";
|
||||||
TRANSIP_Key_File = config.age.secrets.transip-key.path;
|
TRANSIP_Key_File = config.age.secrets.transip-key.path;
|
||||||
};
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,45 @@
|
||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
let cfg = config.services.yorick.paperless;
|
||||||
|
in {
|
||||||
|
options.services.yorick.paperless = with lib; {
|
||||||
|
enable = mkEnableOption "yorick paperless";
|
||||||
|
openFirewall = mkEnableOption "open firewall for scanner";
|
||||||
|
scanner_ip = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
config = lib.mkIf cfg.enable {
|
||||||
|
networking.firewall = lib.mkIf cfg.openFirewall {
|
||||||
|
connectionTrackingModules = [ "ftp" ];
|
||||||
|
extraCommands = ''
|
||||||
|
iptables -t raw -A PREROUTING -i eno1 -s ${cfg.scanner_ip}/32 -p tcp --dport 21 -j CT --helper ftp
|
||||||
|
iptables -A nixos-fw -p tcp -m tcp --dport 21 -s ${cfg.scanner_ip}/32 -j nixos-fw-accept
|
||||||
|
'';
|
||||||
|
extraStopCommands = ''
|
||||||
|
iptables -t raw -D PREROUTING -i eno1 -s ${cfg.scanner_ip}/32 -p tcp --dport 21 -j CT --helper ftp
|
||||||
|
iptables -D nixos-fw -p tcp -m tcp --dport 21 -s ${cfg.scanner_ip}/32 -j nixos-fw-accept
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
users.users.ads1600w = {
|
||||||
|
home = "/var/ads1600w";
|
||||||
|
group = "ads1600w";
|
||||||
|
initialHashedPassword =
|
||||||
|
"$6$q7E6hnTHHt9v.$OHZjuWISanANGwfhznWwfDlHAqbXBjqcr/q0lGe9ff2r.X9xCSoLP4giME5J9WoEUNuWssMLGBPMfXowBjXg70";
|
||||||
|
isSystemUser = true;
|
||||||
|
shell = "${pkgs.shadow}/bin/nologin";
|
||||||
|
createHome = true;
|
||||||
|
};
|
||||||
|
users.groups.ads1600w = { };
|
||||||
|
|
||||||
|
services.vsftpd = {
|
||||||
|
enable = true;
|
||||||
|
localUsers = true;
|
||||||
|
writeEnable = true;
|
||||||
|
chrootlocalUser = true;
|
||||||
|
allowWriteableChroot = true;
|
||||||
|
userlist = [ "ads1600w" ];
|
||||||
|
};
|
||||||
|
# todo: back up this dir
|
||||||
|
};
|
||||||
|
}
|
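Review bot: `userlist = [ "ads1600w" ];` does not restrict FTP logins on its own: in the NixOS vsftpd module the list is only consulted when `userlistEnable = true`, and `userlistDeny` defaults to `true`, which turns the list into a deny list — so as written every local account with a password is accepted over FTP, and enabling the list without flipping the default would lock the scanner out instead. Add `userlistEnable = true; userlistDeny = false;` next to `userlist` so only `ads1600w` can authenticate. The accept rule `iptables -A nixos-fw -p tcp -m tcp --dport 21 -s ${cfg.scanner_ip}/32 -j nixos-fw-accept` is not bound to `-i eno1` like the raw CT rule above it, so a packet spoofing the scanner's source address on another interface (wg-y, say) reaches port 21; adding `-i eno1` to both the add and delete commands keeps the two rules consistent, and the interface name belongs in an option of the module rather than hard-coded. The committed `initialHashedPassword` is an offline-crackable secret in git and is only applied when the account is first created; since agenix is already used in this config, `hashedPasswordFile = config.age.secrets.<name>.path` (or `passwordFile` on older releases) would keep the hash out of the repo and make later rotation take effect.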