voyager: various cleanups

2023-12-18 23:17:57 +01:00
parent 99e61c719f
commit 0951e98cc7
6 changed files with 5 additions and 201 deletions


@@ -11,13 +11,10 @@
./exports.nix
./services/snappymail.nix
#./vms.nix
./services/calibre.nix
./services/fancontrol.nix
./services/gitea.nix
./services/jellyfin.nix
./services/jupyter.nix
./services/kanidm.nix
./services/metrics
./services/nginx
@@ -25,9 +22,6 @@
./services/timemachine.nix
./services/transmission.nix
./services/vaultwarden.nix
# ./services/searx.nix
# ./services/code-server.nix
];
networking = {


@@ -3,7 +3,7 @@ let
cfg = config.services.gitea;
domain = "git.feal.no";
httpPort = 3004;
/* sshPort = 2222; */
#sshPort = 2222;
in {
services.gitea = {
enable = true;


@@ -1,128 +0,0 @@
{ config, pkgs, lib, ... }: let
cfg = config.services.jupyter;
in {
sops.secrets."jupyter/password" = {
restartUnits = [ "jupyter.service" ];
owner = cfg.user;
group = cfg.group;
};
users.users."jupyter".group = "jupyter";
users.groups."jupyter".members = [ "nginx" ];
services.jupyter = {
enable = true;
group = "jupyter";
password = let
readFile = f: "open('${f}', 'r', encoding='utf8').read().strip()";
in
readFile config.sops.secrets."jupyter/password".path;
/* kernels = { */
/* pythonDS = let */
/* env = (pkgs.python310.withPackages (pythonPackages: with pythonPackages; [ */
/* numpy */
/* matplotlib */
/* ipykernel */
/* ])); */
/* in { */
/* displayName = "Python for data science"; */
/* argv = [ */
/* "${env.interpreter}" */
/* "-m" */
/* "ipykernel_launcher" */
/* "-f" */
/* "{connection_file}" */
/* ]; */
/* language = "python"; */
/* logo32 = "${env}/${env.sitePackages}/ipykernel/resources/logo-32x32.png"; */
/* logo64 = "${env}/${env.sitePackages}/ipykernel/resources/logo-64x64.png"; */
/* }; */
/* }; */
kernels = {
python3 = let
env = (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
ipykernel
pandas
numpy
scipy
scikit-learn
]));
in {
displayName = "Python 3 for statistics";
argv = [
"${env.interpreter}"
"-m"
"ipykernel_launcher"
"-f"
"{connection_file}"
];
language = "python";
logo32 = "${env}/${env.sitePackages}/ipykernel/resources/logo-32x32.png";
logo64 = "${env}/${env.sitePackages}/ipykernel/resources/logo-64x64.png";
};
};
};
systemd.services.jupyter = let
notebookConfig = pkgs.writeText "jupyter_config.py" ''
c.NotebookApp.notebook_dir = 'notebooks'
c.NotebookApp.open_browser = False
c.NotebookApp.password = ${cfg.password}
c.NotebookApp.password_required = True
c.NotebookApp.sock = '/run/jupyter/jupyter.sock'
c.NotebookApp.sock_mode = '0660'
c.NotebookApp.local_hostnames = ['jupyter.feal.no']
c.ConnectionFileMixin.transport = 'ipc'
${cfg.notebookConfig}
'';
in {
environment = {
JUPYTER_DATA_DIR = "$STATE_DIRECTORY/data";
JUPYTER_RUNTIME_DIR = "$RUNTIME_DIRECTORY";
};
serviceConfig = {
RuntimeDirectory = "jupyter";
StateDirectory = "jupyter";
# Hardening
CapabilityBoundingSet = "";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictSUIDSGID = true;
UMask = "0007";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
SystemCallArchitectures = "native";
ExecStartPre = ''
${pkgs.coreutils}/bin/mkdir -p /var/lib/jupyter/{notebooks,data}
'';
ExecStart = lib.mkForce ''
${cfg.package}/bin/${cfg.command} --NotebookApp.config_file=${notebookConfig}
'';
};
};
services.nginx.virtualHosts."jupyter.feal.no" = {
locations."/" = {
proxyPass = "http://unix:/run/jupyter/jupyter.sock:/";
proxyWebsockets = true;
};
};
}


@@ -4,6 +4,8 @@
enable = true;
enableReload = true;
clientMaxBodySize = "100m";
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
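Review bot: If `clientMaxBodySize = "100m";` is one of the two lines this hunk adds (the rendered page has dropped the +/- markers, so this is inferred from the 6→8 line count in the hunk header), it raises the request-body limit for every virtual host served by this nginx instance, including the ones that only proxy small API or browser traffic. A narrower option is to keep the global default and set `clientMaxBodySize` only in the virtualHost or location that actually receives large uploads, for example the git host. Whichever way it lands, a one-line comment naming the consumer that needs 100m keeps the choice reviewable, e.g. `# large uploads required by <service>; prefer a per-vhost override`. The enclosing `services.nginx = { ... }` attribute set begins before this hunk and continues past it.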


@@ -1,58 +0,0 @@
{ config, lib, pkgs, ... }:
let
domain = "search.feal.no";
cfg = config.services.searx.settings;
in {
sops.secrets."searx/env" = {
restartUnits = [ "searx.service" ];
};
services.searx = {
enable = true;
settings = {
general = {
debug = false;
instance_name = "Taschmex Searx";
wiki_url = false;
docs_url = false;
twitter_url = false;
};
server = {
port = 8090;
bind_address = "127.0.1.2";
secret_key = "@SEARX_SECRETKEY@";
base_url = domain;
image_proxy = true;
};
outgoing = {
request_timeout = 2.0;
useragent_suffix = "searx@albrigtsen.it";
pool_connections = 100;
pool_maxsize = 10;
};
};
environmentFile = config.sops.secrets."searx/env".path;
};
services.nginx.virtualHosts.${domain} = {
locations."/".proxyPass = "http://${cfg.server.bind_address}:${toString cfg.server.port}";
/* addSSL = true; */
/* enableACME = true; */
/* listen = [ */
/* { */
/* addr = "0.0.0.0"; */
/* port = 43443; */
/* ssl = true; */
/* } */
/* { */
/* addr = "0.0.0.0"; */
/* port = 43080; */
/* } */
/* ]; */
};
networking.firewall.allowedTCPPorts = [ 43443 43080 ];
}