Enable firewall and migrate Jellyfin to NixOS

2023-08-02 22:46:07 +02:00 · 2023-08-02 22:46:07 +02:00 · 39bc88eb0f
parent def599be28
commit 39bc88eb0f
10 changed files with 78 additions and 5 deletions
--- a/hosts.nix
+++ b/hosts.nix
@ -35,6 +35,7 @@ in
      site = "vs";
    };
    jellyfin = {
+      hostNixpkgs = nixpkgs-unstable;
      site = "vs";
    };
    nitter = {
@ -50,4 +51,8 @@ in
      hostNixpkgs = nixpkgs-unstable;
      site = "vs";
    };
+    web-nonpublic-linuxcrewd = {
+      hostNixpkgs = nixpkgs-unstable;
+      site = "vs";
+    };
  }
--- a/hosts/hydra/configuration.nix
+++ b/hosts/hydra/configuration.nix
@ -15,7 +15,10 @@

  networking = {
    hostName = "hydra";
-    firewall.enable = false;
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 8443 ];
+    };
  };

  nix = {
--- a/hosts/iperf/configuration.nix
+++ b/hosts/iperf/configuration.nix
@ -7,7 +7,7 @@

  networking = {
    hostName = "iperf";
-    firewall.enable = false;
+    firewall.enable = true;
  };

  system.stateVersion = "23.05";
--- a/hosts/jellyfin/configuration.nix
+++ b/hosts/jellyfin/configuration.nix
@ -9,7 +9,7 @@
    hostName = "jellyfin";
    firewall = {
      enable = true;
-      allowedTCPPorts = [ 80 443 ];
+      allowedTCPPorts = [ 80 443 8443 ];
    };
  };

--- a/hosts/jellyfin/nginx.nix
+++ b/hosts/jellyfin/nginx.nix
@ -15,6 +15,12 @@
          port = 443;
          ssl = true;
        }
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
      ];
      locations."= /" = {
        return = "302 https://$host/web/";
--- a/hosts/tor-relay/configuration.nix
+++ b/hosts/tor-relay/configuration.nix
@ -19,7 +19,10 @@
    };

    hostName = "tor-relay";
-    firewall.enable = false;
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 9001 9030 ];
+    };
  };

  system.stateVersion = "23.05";
--- a/hosts/web-nonpublic-linuxcrewd/configuration.nix
+++ b/hosts/web-nonpublic-linuxcrewd/configuration.nix
@ -0,0 +1,17 @@
+{ ... }:
+{
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/vda";
+  };
+
+  networking = {    
+    hostName = "web-public-2";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 80 443 ];
+    };
+  };
+
+  system.stateVersion = "23.05";
+}
--- a/hosts/web-nonpublic-linuxcrewd/default.nix
+++ b/hosts/web-nonpublic-linuxcrewd/default.nix
@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ./nginx.nix
+  ];
+}
--- a/hosts/web-nonpublic-linuxcrewd/nginx.nix
+++ b/hosts/web-nonpublic-linuxcrewd/nginx.nix
@ -0,0 +1,29 @@
+{ ... }:
+{
+  services.nginx = {
+    enable = true;
+
+    virtualHosts."_" = {
+      listen = [{
+          addr = "0.0.0.0";
+          port = 80;
+      }];
+      locations."/" = {
+        return = "301 https://$host$request_uri";
+      };
+    };
+
+    streamConfig = ''
+      map $ssl_preread_server_name $address {
+        jellyfin.grzb.de 10.202.46.101:8443;
+      }
+
+      server {
+        listen 0.0.0.0:443;
+        proxy_pass $address;
+        ssl_preread on;
+        proxy_protocol on;
+      }
+    '';
+  };
+}
--- a/hosts/web-public-2/configuration.nix
+++ b/hosts/web-public-2/configuration.nix
@ -19,7 +19,10 @@
    };

    hostName = "web-public-2";
-    firewall.enable = false;
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 80 443 5000 8448 ];
+    };
  };

  system.stateVersion = "23.05";