trim down some of the bridged services
This commit is contained in:
parent
5cb5d4253d
commit
1621f46af1
|
@ -3,9 +3,6 @@
|
|||
{
|
||||
imports = [
|
||||
./wireguard.nix
|
||||
./grafana.nix
|
||||
./nextcloud.nix
|
||||
./paperless.nix
|
||||
./guacamole
|
||||
];
|
||||
}
|
||||
|
|
|
@ -1,44 +0,0 @@
|
|||
{ lib, config, pkgs, ...}:
|
||||
|
||||
{
|
||||
services.grafana = {
|
||||
enable = true;
|
||||
settings = {
|
||||
server = {
|
||||
http_addr = "10.100.0.2";
|
||||
http_port = 9802;
|
||||
domain = "grafana.beepboop.systems";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.prometheus = {
|
||||
enable = true;
|
||||
listenAddress = "10.100.0.2";
|
||||
port = 9001;
|
||||
|
||||
exporters = {
|
||||
node = {
|
||||
enable = true;
|
||||
enabledCollectors = [ "systemd" ];
|
||||
listenAddress = "10.100.0.2";
|
||||
port = 9002;
|
||||
};
|
||||
};
|
||||
|
||||
scrapeConfigs = [
|
||||
{
|
||||
job_name = "copernicus";
|
||||
static_configs = [{
|
||||
targets = [ "10.100.0.2:9002" ];
|
||||
}];
|
||||
}
|
||||
{
|
||||
job_name = "netbox";
|
||||
static_configs = [{
|
||||
targets = [ "10.100.0.1:9002" ];
|
||||
}];
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
|
@ -1,45 +0,0 @@
|
|||
{ lib, config, pkgs, ...}:
|
||||
|
||||
{
|
||||
services = {
|
||||
guacamole-server = {
|
||||
enable = true;
|
||||
host = "127.0.0.1";
|
||||
port = 4823;
|
||||
userMappingXml = (
|
||||
builtins.toFile "mapping.xml" (
|
||||
builtins.replaceStrings
|
||||
[ "hashedUserPassword" ]
|
||||
[(
|
||||
lib.removeSuffix
|
||||
"\n"
|
||||
# echo -n PASSWORD | openssl dgst -sha256 | awk -F' ' '{print $2}'
|
||||
( builtins.readFile /home/usr/wg-keys/guacamole-server-credentials )
|
||||
)]
|
||||
( builtins.readFile ./mapping.xml )
|
||||
)
|
||||
);
|
||||
};
|
||||
|
||||
guacamole-client = {
|
||||
enable = true;
|
||||
enableWebserver = true;
|
||||
settings = {
|
||||
guacd-port = 4823;
|
||||
guacd-hostname = "127.0.0.1";
|
||||
};
|
||||
};
|
||||
|
||||
tomcat.serverXml = builtins.readFile ./server.xml;
|
||||
|
||||
openssh = {
|
||||
enable = true;
|
||||
listenAddresses = [
|
||||
{
|
||||
addr = "127.0.0.1";
|
||||
port = 22;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,51 +0,0 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<user-mapping>
|
||||
<authorize
|
||||
username="ryan"
|
||||
password="hashedUserPassword"
|
||||
encoding="sha256">
|
||||
|
||||
<connection name="[copernicus] ssh">
|
||||
<protocol>ssh</protocol>
|
||||
<param name="hostname">127.0.0.1</param>
|
||||
<param name="port">22</param>
|
||||
</connection>
|
||||
|
||||
<connection name="[copernicus] vnc (all screens)">
|
||||
<protocol>vnc</protocol>
|
||||
<param name="hostname">127.0.0.1</param>
|
||||
<param name="port">5900</param>
|
||||
</connection>
|
||||
|
||||
<connection name="[copernicus] vnc (screen 0)">
|
||||
<protocol>vnc</protocol>
|
||||
<param name="hostname">127.0.0.1</param>
|
||||
<param name="port">5901</param>
|
||||
</connection>
|
||||
|
||||
<connection name="[copernicus] vnc (screen 1)">
|
||||
<protocol>vnc</protocol>
|
||||
<param name="hostname">127.0.0.1</param>
|
||||
<param name="port">5902</param>
|
||||
</connection>
|
||||
|
||||
<connection name="[copernicus] vnc (screen 2)">
|
||||
<protocol>vnc</protocol>
|
||||
<param name="hostname">127.0.0.1</param>
|
||||
<param name="port">5903</param>
|
||||
</connection>
|
||||
|
||||
<connection name="[copernicus] vnc (screen 3)">
|
||||
<protocol>vnc</protocol>
|
||||
<param name="hostname">127.0.0.1</param>
|
||||
<param name="port">5904</param>
|
||||
</connection>
|
||||
|
||||
<connection name="[copernicus] vnc (screen 4)">
|
||||
<protocol>vnc</protocol>
|
||||
<param name="hostname">127.0.0.1</param>
|
||||
<param name="port">5905</param>
|
||||
</connection>
|
||||
|
||||
</authorize>
|
||||
</user-mapping>
|
|
@ -1,188 +0,0 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!--
|
||||
Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
contributor license agreements. See the NOTICE file distributed with
|
||||
this work for additional information regarding copyright ownership.
|
||||
The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
(the "License"); you may not use this file except in compliance with
|
||||
the License. You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
-->
|
||||
<!-- Note: A "Server" is not itself a "Container", so you may not
|
||||
define subcomponents such as "Valves" at this level.
|
||||
Documentation at /docs/config/server.html
|
||||
-->
|
||||
<Server port="8005" shutdown="SHUTDOWN">
|
||||
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
|
||||
<!-- Security listener. Documentation at /docs/config/listeners.html
|
||||
<Listener className="org.apache.catalina.security.SecurityListener" />
|
||||
-->
|
||||
<!-- APR library loader. Documentation at /docs/apr.html -->
|
||||
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
|
||||
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
|
||||
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
|
||||
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
|
||||
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
|
||||
|
||||
<!-- Global JNDI resources
|
||||
Documentation at /docs/jndi-resources-howto.html
|
||||
-->
|
||||
<GlobalNamingResources>
|
||||
<!-- Editable user database that can also be used by
|
||||
UserDatabaseRealm to authenticate users
|
||||
-->
|
||||
<Resource name="UserDatabase" auth="Container"
|
||||
type="org.apache.catalina.UserDatabase"
|
||||
description="User database that can be updated and saved"
|
||||
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
|
||||
pathname="conf/tomcat-users.xml" />
|
||||
</GlobalNamingResources>
|
||||
|
||||
<!-- A "Service" is a collection of one or more "Connectors" that share
|
||||
a single "Container" Note: A "Service" is not itself a "Container",
|
||||
so you may not define subcomponents such as "Valves" at this level.
|
||||
Documentation at /docs/config/service.html
|
||||
-->
|
||||
<Service name="Catalina">
|
||||
|
||||
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
|
||||
<!--
|
||||
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
|
||||
maxThreads="150" minSpareThreads="4"/>
|
||||
-->
|
||||
|
||||
|
||||
<!-- A "Connector" represents an endpoint by which requests are received
|
||||
and responses are returned. Documentation at :
|
||||
Java HTTP Connector: /docs/config/http.html
|
||||
Java AJP Connector: /docs/config/ajp.html
|
||||
APR (HTTP/AJP) Connector: /docs/apr.html
|
||||
Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
|
||||
-->
|
||||
<Connector port="10001" protocol="HTTP/1.1"
|
||||
connectionTimeout="20000"
|
||||
address="192.168.1.210"
|
||||
redirectPort="10443"
|
||||
maxParameterCount="1000"
|
||||
/>
|
||||
|
||||
<Connector port="6733" protocol="HTTP/1.1"
|
||||
connectionTimeout="20000"
|
||||
address="10.100.0.2"
|
||||
redirectPort="10442"
|
||||
maxParameterCount="1000"
|
||||
/>
|
||||
<!-- A "Connector" using the shared thread pool-->
|
||||
<!--
|
||||
<Connector executor="tomcatThreadPool"
|
||||
port="8080" protocol="HTTP/1.1"
|
||||
connectionTimeout="20000"
|
||||
redirectPort="8443"
|
||||
maxParameterCount="1000"
|
||||
/>
|
||||
-->
|
||||
<!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443
|
||||
This connector uses the NIO implementation. The default
|
||||
SSLImplementation will depend on the presence of the APR/native
|
||||
library and the useOpenSSL attribute of the AprLifecycleListener.
|
||||
Either JSSE or OpenSSL style configuration may be used regardless of
|
||||
the SSLImplementation selected. JSSE style configuration is used below.
|
||||
-->
|
||||
<!--
|
||||
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
|
||||
maxThreads="150" SSLEnabled="true"
|
||||
maxParameterCount="1000"
|
||||
>
|
||||
<SSLHostConfig>
|
||||
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
|
||||
type="RSA" />
|
||||
</SSLHostConfig>
|
||||
</Connector>
|
||||
-->
|
||||
<!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
|
||||
This connector uses the APR/native implementation which always uses
|
||||
OpenSSL for TLS.
|
||||
Either JSSE or OpenSSL style configuration may be used. OpenSSL style
|
||||
configuration is used below.
|
||||
-->
|
||||
<!--
|
||||
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
|
||||
maxThreads="150" SSLEnabled="true"
|
||||
maxParameterCount="1000"
|
||||
>
|
||||
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
|
||||
<SSLHostConfig>
|
||||
<Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
|
||||
certificateFile="conf/localhost-rsa-cert.pem"
|
||||
certificateChainFile="conf/localhost-rsa-chain.pem"
|
||||
type="RSA" />
|
||||
</SSLHostConfig>
|
||||
</Connector>
|
||||
-->
|
||||
|
||||
<!-- Define an AJP 1.3 Connector on port 8009 -->
|
||||
<!--
|
||||
<Connector protocol="AJP/1.3"
|
||||
address="::1"
|
||||
port="8009"
|
||||
redirectPort="8443"
|
||||
maxParameterCount="1000"
|
||||
/>
|
||||
-->
|
||||
|
||||
<!-- An Engine represents the entry point (within Catalina) that processes
|
||||
every request. The Engine implementation for Tomcat stand alone
|
||||
analyzes the HTTP headers included with the request, and passes them
|
||||
on to the appropriate Host (virtual host).
|
||||
Documentation at /docs/config/engine.html -->
|
||||
|
||||
<!-- You should set jvmRoute to support load-balancing via AJP ie :
|
||||
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
|
||||
-->
|
||||
<Engine name="Catalina" defaultHost="localhost">
|
||||
|
||||
<!--For clustering, please take a look at documentation at:
|
||||
/docs/cluster-howto.html (simple how to)
|
||||
/docs/config/cluster.html (reference documentation) -->
|
||||
<!--
|
||||
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
|
||||
-->
|
||||
|
||||
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
|
||||
via a brute-force attack -->
|
||||
<Realm className="org.apache.catalina.realm.LockOutRealm">
|
||||
<!-- This Realm uses the UserDatabase configured in the global JNDI
|
||||
resources under the key "UserDatabase". Any edits
|
||||
that are performed against this UserDatabase are immediately
|
||||
available for use by the Realm. -->
|
||||
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
|
||||
resourceName="UserDatabase"/>
|
||||
</Realm>
|
||||
|
||||
<Host name="localhost" appBase="webapps"
|
||||
unpackWARs="true" autoDeploy="true">
|
||||
|
||||
<!-- SingleSignOn valve, share authentication between web applications
|
||||
Documentation at: /docs/config/valve.html -->
|
||||
<!--
|
||||
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
|
||||
-->
|
||||
|
||||
<!-- Access log processes all example.
|
||||
Documentation at: /docs/config/valve.html
|
||||
Note: The pattern used is equivalent to using pattern="common" -->
|
||||
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
|
||||
prefix="localhost_access_log" suffix=".txt"
|
||||
pattern="%h %l %u %t "%r" %s %b" />
|
||||
|
||||
</Host>
|
||||
</Engine>
|
||||
</Service>
|
||||
</Server>
|
|
@ -1,13 +0,0 @@
|
|||
{ lib, config, pkgs, ...}:
|
||||
|
||||
{
|
||||
services.paperless = {
|
||||
enable = true;
|
||||
passwordFile = "/home/usr/wg-keys/paperless";
|
||||
address = "10.100.0.2";
|
||||
port = 6230;
|
||||
settings = {
|
||||
PAPERLESS_URL = "https://paperless.beepboop.systems";
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,16 +0,0 @@
|
|||
{ lib, config, pkgs, ...}:
|
||||
|
||||
{
|
||||
services.photoprism = {
|
||||
enable = true;
|
||||
originalsPath = "/var/lib/photoprism/originals";
|
||||
address = "10.100.0.2";
|
||||
settings = {
|
||||
PHOTOPRISM_ADMIN_USER = "usr";
|
||||
PHOTOPRISM_ADMIN_PASSWORD = "testing"; # THIS IS AN INITIAL PASSWORD -- changed later
|
||||
PHOTOPRISM_SITE_TITLE = "photos.beepboop.systems";
|
||||
PHOTOPRISM_SITE_URL = "https://photos.beepboop.systems";
|
||||
PHOTOPRISM_DEFAULT_LOCALE = "en";
|
||||
};
|
||||
};
|
||||
}
|
|
@ -12,18 +12,11 @@
|
|||
./radicale.nix
|
||||
./vaultwarden.nix
|
||||
./sslh.nix
|
||||
./rss2email.nix
|
||||
./fail2ban.nix
|
||||
./nginx.nix
|
||||
./franklincce.nix
|
||||
./wireguard.nix
|
||||
./prometheus.nix
|
||||
./socks.nix
|
||||
|
||||
./nextcloud-bridge.nix
|
||||
./grafana-bridge.nix
|
||||
./guacamole-bridge.nix
|
||||
./paperless-bridge.nix
|
||||
];
|
||||
|
||||
nix = {
|
||||
|
|
|
@ -1,42 +0,0 @@
|
|||
{ lib, config, pkgs, ... }:
|
||||
{
|
||||
services.fail2ban = {
|
||||
enable = true;
|
||||
ignoreIP = [
|
||||
"192.168.1.0/24"
|
||||
];
|
||||
extraPackages = [pkgs.ipset];
|
||||
banaction = "iptables-ipset-proto6-allports";
|
||||
|
||||
jails = {
|
||||
"nginx-bruteforce" = ''
|
||||
enabled = true
|
||||
filter = nginx-bruteforce
|
||||
logpath = /var/log/nginx/access.log
|
||||
backend = auto
|
||||
maxretry = 6
|
||||
findtime = 600
|
||||
'';
|
||||
|
||||
"postfix-bruteforce" = ''
|
||||
enabled = true
|
||||
filter = postfix-bruteforce
|
||||
maxretry = 6
|
||||
findtime = 600
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
environment.etc = {
|
||||
"fail2ban/filter.d/nginx-bruteforce.conf".text = ''
|
||||
[Definition]
|
||||
failregex = ^<HOST>.*GET.*(matrix/server|\.php|admin|wp\-).* HTTP/\d.\d\" 404.*$
|
||||
'';
|
||||
|
||||
"fail2ban/filter.d/postfix-bruteforce.conf".text = ''
|
||||
[Definition]
|
||||
failregex = warning: [\w\.\-]+\[<HOST>\]: SASL LOGIN authentication failed.*$
|
||||
journalmatch = _SYSTEMD_UNIT=postfix.service
|
||||
'';
|
||||
};
|
||||
}
|
|
@ -1,16 +0,0 @@
|
|||
{ lib, config, pkgs, ... }:
|
||||
{
|
||||
services.nginx.virtualHosts."grafana.beepboop.systems" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://10.100.0.2:9802";
|
||||
proxyWebsockets = true;
|
||||
extraConfig = ''
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header Host $host;
|
||||
proxy_buffering off;
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,23 +0,0 @@
|
|||
{ lib, config, pkgs, ... }:
|
||||
{
|
||||
services.nginx.virtualHosts."rcon.beepboop.systems" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://10.100.0.2:6733";
|
||||
proxyWebsockets = true;
|
||||
extraConfig = ''
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header Host $host;
|
||||
proxy_buffering off;
|
||||
|
||||
port_in_redirect off;
|
||||
absolute_redirect off;
|
||||
|
||||
location = / {
|
||||
return 301 /guacamole/;
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,15 +0,0 @@
|
|||
{ lib, config, pkgs, ... }:
|
||||
{
|
||||
services.nginx.virtualHosts."paperless.beepboop.systems" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://10.100.0.2:6230";
|
||||
extraConfig = ''
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header Host $host;
|
||||
proxy_buffering off;
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,13 +0,0 @@
|
|||
{ lib, config, pkgs, ... }:
|
||||
{
|
||||
services.prometheus = {
|
||||
exporters = {
|
||||
node = {
|
||||
enable = true;
|
||||
enabledCollectors = [ "systemd" ];
|
||||
listenAddress = "10.100.0.1";
|
||||
port = 9002;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,24 +0,0 @@
|
|||
{ lib, config, pkgs, ... }:
|
||||
{
|
||||
services.rss2email = {
|
||||
enable = true;
|
||||
to = "ryan@beepboop.systems";
|
||||
feeds = {
|
||||
"eff" = {
|
||||
url = "https://www.eff.org/rss/updates.xml";
|
||||
};
|
||||
"nixos" = {
|
||||
url = "https://nixos.org/blog/announcements-rss.xml";
|
||||
};
|
||||
"drewdevault" = {
|
||||
url = "https://drewdevault.com/blog/index.xml";
|
||||
};
|
||||
"nullprogram" = {
|
||||
url = "https://nullprogram.com/feed/";
|
||||
};
|
||||
"computersarebad" = {
|
||||
url = "https://computer.rip/rss.xml";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,14 +0,0 @@
|
|||
{ lib, config, pkgs, ... }:
|
||||
{
|
||||
services._3proxy = {
|
||||
enable = true;
|
||||
services = [
|
||||
{
|
||||
type = "socks";
|
||||
auth = [ "none" ];
|
||||
bindAddress = "10.100.0.1";
|
||||
bindPort = 3128;
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
Loading…
Reference in New Issue