From 39bc88eb0f13019fce676cc8f78f7e1dd3cd010a Mon Sep 17 00:00:00 2001
From: yuri
Date: Wed, 2 Aug 2023 22:46:07 +0200
Subject: [PATCH] Enable firewall and migrate Jellyfin to NixOS

---
 hosts.nix | 5 ++++
 hosts/hydra/configuration.nix | 5 +++-
 hosts/iperf/configuration.nix | 2 +-
 hosts/jellyfin/configuration.nix | 2 +-
 hosts/jellyfin/nginx.nix | 6 ++++
 hosts/tor-relay/configuration.nix | 5 +++-
 .../configuration.nix | 17 +++++++++++
 hosts/web-nonpublic-linuxcrewd/default.nix | 7 +++++
 hosts/web-nonpublic-linuxcrewd/nginx.nix | 29 +++++++++++++++++++
 hosts/web-public-2/configuration.nix | 5 +++-
 10 files changed, 78 insertions(+), 5 deletions(-)
 create mode 100644 hosts/web-nonpublic-linuxcrewd/configuration.nix
 create mode 100644 hosts/web-nonpublic-linuxcrewd/default.nix
 create mode 100644 hosts/web-nonpublic-linuxcrewd/nginx.nix

diff --git a/hosts.nix b/hosts.nix
index 4cac023..6118252 100644
--- a/hosts.nix
+++ b/hosts.nix
@@ -35,6 +35,7 @@ in
 site = "vs";
 };
 jellyfin = {
+ hostNixpkgs = nixpkgs-unstable;
 site = "vs";
 };
 nitter = {
@@ -50,4 +51,8 @@ in
 hostNixpkgs = nixpkgs-unstable;
 site = "vs";
 };
+ web-nonpublic-linuxcrewd = {
+ hostNixpkgs = nixpkgs-unstable;
+ site = "vs";
+ };
 }
diff --git a/hosts/hydra/configuration.nix b/hosts/hydra/configuration.nix
index 5596bb5..53a26b0 100644
--- a/hosts/hydra/configuration.nix
+++ b/hosts/hydra/configuration.nix
@@ -15,7 +15,10 @@

 networking = {
 hostName = "hydra";
- firewall.enable = false;
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 8443 ];
+ };
 };

 nix = {
diff --git a/hosts/iperf/configuration.nix b/hosts/iperf/configuration.nix
index 243344b..b46a7ce 100644
--- a/hosts/iperf/configuration.nix
+++ b/hosts/iperf/configuration.nix
@@ -7,7 +7,7 @@

 networking = {
 hostName = "iperf";
- firewall.enable = false;
+ firewall.enable = true;
 };

 system.stateVersion = "23.05";
diff --git a/hosts/jellyfin/configuration.nix b/hosts/jellyfin/configuration.nix
index 7d058cd..98624e0 100644
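Review bot: The port lists this commit introduces are bare numbers that say nothing about which listener they expose: `allowedTCPPorts = [ 8443 ];` here in hosts/hydra/configuration.nix, `[ 9001 9030 ]` in hosts/tor-relay/configuration.nix and `[ 80 443 5000 8448 ]` in hosts/web-public-2/configuration.nix. Hydra's own web service port is not part of this patch, so whether 8443 alone is enough cannot be checked here, and on web-public-2 the reader has to guess that 8448 is a Matrix federation port and has no hint at all for 5000. A trailing comment per entry, along the lines of `allowedTCPPorts = [ 8443 ]; # <service behind this port> — confirm`, would make every future firewall review a matter of reading one line. The enclosing module function starts outside the hunk.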
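Review bot: Switching `firewall.enable` to `true` on the iperf host without any `allowedTCPPorts` or `allowedUDPPorts` entry leaves only ports that other modules open themselves reachable (the openssh module opens 22 by default), so if this host runs an iperf server its listening port is now blocked; iperf3 listens on 5201 unless configured otherwise, but the service definition is not in this patch. If the host is only ever used as an iperf client the hunk is correct and a short comment would stop the next reviewer from re-opening it, e.g. `firewall.enable = true; # client-only host, no inbound ports needed`. Otherwise the server port needs `firewall.allowedTCPPorts = [ <iperf-server-port> ];` and the UDP equivalent for UDP tests.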
--- a/hosts/jellyfin/configuration.nix
+++ b/hosts/jellyfin/configuration.nix
@@ -9,7 +9,7 @@
 hostName = "jellyfin";
 firewall = {
 enable = true;
- allowedTCPPorts = [ 80 443 ];
+ allowedTCPPorts = [ 80 443 8443 ];
 };
 };

diff --git a/hosts/jellyfin/nginx.nix b/hosts/jellyfin/nginx.nix
index 7d70066..04431d5 100644
--- a/hosts/jellyfin/nginx.nix
+++ b/hosts/jellyfin/nginx.nix
@@ -15,6 +15,12 @@
 port = 443;
 ssl = true;
 }
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
 ];
 locations."= /" = {
 return = "302 https://$host/web/";
diff --git a/hosts/tor-relay/configuration.nix b/hosts/tor-relay/configuration.nix
index 90dbc71..7c2eb84 100644
--- a/hosts/tor-relay/configuration.nix
+++ b/hosts/tor-relay/configuration.nix
@@ -19,7 +19,10 @@
 };

 hostName = "tor-relay";
- firewall.enable = false;
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 9001 9030 ];
+ };
 };

 system.stateVersion = "23.05";
diff --git a/hosts/web-nonpublic-linuxcrewd/configuration.nix b/hosts/web-nonpublic-linuxcrewd/configuration.nix
new file mode 100644
index 0000000..56a3254
--- /dev/null
+++ b/hosts/web-nonpublic-linuxcrewd/configuration.nix
@@ -0,0 +1,17 @@
+{ ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "web-public-2";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 ];
+ };
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/hosts/web-nonpublic-linuxcrewd/default.nix b/hosts/web-nonpublic-linuxcrewd/default.nix
new file mode 100644
index 0000000..3db73ca
--- /dev/null
+++ b/hosts/web-nonpublic-linuxcrewd/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./nginx.nix
+ ];
+}
diff --git a/hosts/web-nonpublic-linuxcrewd/nginx.nix b/hosts/web-nonpublic-linuxcrewd/nginx.nix
new file mode 100644
index 0000000..7d1a420
--- /dev/null
+++ b/hosts/web-nonpublic-linuxcrewd/nginx.nix
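Review bot: Adding 8443 to `allowedTCPPorts` exposes the listener that hosts/jellyfin/nginx.nix adds in the next hunk (`addr = "0.0.0.0"; port = 8443; proxyProtocol = true;`) to every source that can reach the host, and a PROXY-protocol listener accepts the client address carried in the PROXY header from whoever connects, so any peer other than the stream proxy on web-nonpublic-linuxcrewd can present an arbitrary source address to nginx and Jellyfin, which affects logs, per-IP limits and any address-based access rules. Only that proxy should be able to reach 8443: bind the listener to the host's internal address instead of `0.0.0.0`, or keep 8443 out of `allowedTCPPorts` and admit it per source, e.g. `networking.firewall.extraCommands = "iptables -A nixos-fw -p tcp --dport 8443 -s <proxy-host-ip> -j nixos-fw-accept";`. On the nginx side, pairing the listener with `set_real_ip_from <proxy-host-ip>; real_ip_header proxy_protocol;` limits whose PROXY header is honored when the real client address is used. The same consideration applies to the 8443 entry in hosts/hydra/configuration.nix if it fronts a proxy-protocol listener there, which this patch does not show.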
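Review bot: `hostName = "web-public-2";` in the new hosts/web-nonpublic-linuxcrewd/configuration.nix reuses the hostname of hosts/web-public-2/configuration.nix (visible in its hunk in this same patch), so two machines on site `vs` will carry the same name; this reads as a copy-paste leftover, and `hostName = "web-nonpublic-linuxcrewd";`, matching the hosts.nix entry added in this commit, is presumably what was intended. Beyond ambiguous logs and monitoring, anything that keys on the hostname — which may include how hosts.nix entries are matched to machines, not visible here — will pick the wrong configuration for one of the two.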
@@ -0,0 +1,29 @@
+{ ... }:
+{
+ services.nginx = {
+ enable = true;
+
+ virtualHosts."_" = {
+ listen = [{
+ addr = "0.0.0.0";
+ port = 80;
+ }];
+ locations."/" = {
+ return = "301 https://$host$request_uri";
+ };
+ };
+
+ streamConfig = ''
+ map $ssl_preread_server_name $address {
+ jellyfin.grzb.de 10.202.46.101:8443;
+ }
+
+ server {
+ listen 0.0.0.0:443;
+ proxy_pass $address;
+ ssl_preread on;
+ proxy_protocol on;
+ }
+ '';
+ };
+}
diff --git a/hosts/web-public-2/configuration.nix b/hosts/web-public-2/configuration.nix
index 081ca9a..94e74b6 100644
--- a/hosts/web-public-2/configuration.nix
+++ b/hosts/web-public-2/configuration.nix
@@ -19,7 +19,10 @@
 };

 hostName = "web-public-2";
- firewall.enable = false;
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 5000 8448 ];
+ };
 };

 system.stateVersion = "23.05";
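Review bot: The `map $ssl_preread_server_name $address` block in `streamConfig` has no `default` entry, so a TLS connection whose SNI is missing or is anything other than `jellyfin.grzb.de` leaves `$address` empty and `proxy_pass $address` fails, closing the connection and logging an error for each such attempt; that is the right outcome for unsolicited traffic, but it is implicit and will read as a misconfiguration in the logs. Make it explicit with a comment above the map, e.g. `# no default on purpose: unknown or missing SNI yields an empty upstream and the connection is closed`, or give the map a `default` that points at a deliberately closed local port. The upstream `10.202.46.101:8443` also has to stay aligned with the 8443 listener and firewall entry that hosts/jellyfin/nginx.nix and hosts/jellyfin/configuration.nix add in this same commit; a comment naming that dependency keeps the two from drifting. Because `proxy_protocol on` is what makes the jellyfin side trust the forwarded client address, this host should be the only source allowed to reach that listener.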