voyager: various cleanups

2023-12-18 23:17:57 +01:00 · 2023-12-18 23:17:57 +01:00 · d029fcabf5
commit d029fcabf5
parent df220efff3
6 changed files with 5 additions and 201 deletions
--- a/hosts/voyager/configuration.nix
+++ b/hosts/voyager/configuration.nix
@ -11,13 +11,10 @@
      ./exports.nix

      ./services/snappymail.nix
-      #./vms.nix
-
      ./services/calibre.nix
      ./services/fancontrol.nix
      ./services/gitea.nix
      ./services/jellyfin.nix
-      ./services/jupyter.nix
      ./services/kanidm.nix
      ./services/metrics
      ./services/nginx
@ -25,9 +22,6 @@
      ./services/timemachine.nix
      ./services/transmission.nix
      ./services/vaultwarden.nix
-      # ./services/searx.nix
-      # ./services/code-server.nix
-
  ];

  networking = {
--- a/hosts/voyager/services/gitea.nix
+++ b/hosts/voyager/services/gitea.nix
@ -3,7 +3,7 @@ let
  cfg = config.services.gitea;
  domain = "git.feal.no";
  httpPort = 3004;
-  /* sshPort = 2222; */
+  #sshPort = 2222;
 in {
    services.gitea = {
      enable = true;
--- a/hosts/voyager/services/jupyter.nix
+++ b/hosts/voyager/services/jupyter.nix
@ -1,128 +0,0 @@
-{ config, pkgs, lib, ... }: let
-  cfg = config.services.jupyter;
-in {
-  sops.secrets."jupyter/password" = {
-    restartUnits = [ "jupyter.service" ];
-    owner = cfg.user;
-    group = cfg.group;
-  };
-
-  users.users."jupyter".group = "jupyter";
-  users.groups."jupyter".members = [ "nginx" ];
-
-  services.jupyter = {
-    enable = true;
-    group = "jupyter";
-    password = let
-      readFile = f: "open('${f}', 'r', encoding='utf8').read().strip()";
-    in
-      readFile config.sops.secrets."jupyter/password".path;
-
-    /* kernels = { */
-      /* pythonDS = let */
-      /*   env = (pkgs.python310.withPackages (pythonPackages: with pythonPackages; [ */
-      /*     numpy */
-      /*     matplotlib */
-      /*     ipykernel */
-      /*   ])); */
-      /* in { */
-      /*   displayName = "Python for data science"; */
-      /*   argv = [ */
-      /*     "${env.interpreter}" */
-      /*     "-m" */
-      /*     "ipykernel_launcher" */
-      /*     "-f" */
-      /*     "{connection_file}" */
-      /*   ]; */
-      /*   language = "python"; */
-      /*   logo32 = "${env}/${env.sitePackages}/ipykernel/resources/logo-32x32.png"; */
-      /*   logo64 = "${env}/${env.sitePackages}/ipykernel/resources/logo-64x64.png"; */
-      /* }; */
-    /* }; */
-    kernels = {
-      python3 = let
-        env = (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
-                ipykernel
-                pandas
-                numpy
-                scipy
-                scikit-learn
-              ]));
-      in {
-        displayName = "Python 3 for statistics";
-        argv = [
-          "${env.interpreter}"
-          "-m"
-          "ipykernel_launcher"
-          "-f"
-          "{connection_file}"
-        ];
-        language = "python";
-        logo32 = "${env}/${env.sitePackages}/ipykernel/resources/logo-32x32.png";
-        logo64 = "${env}/${env.sitePackages}/ipykernel/resources/logo-64x64.png";
-      };
-    };
-  };
-
-  systemd.services.jupyter = let
-    notebookConfig = pkgs.writeText "jupyter_config.py" ''
-      c.NotebookApp.notebook_dir = 'notebooks'
-      c.NotebookApp.open_browser = False
-      c.NotebookApp.password = ${cfg.password}
-      c.NotebookApp.password_required = True
-
-      c.NotebookApp.sock = '/run/jupyter/jupyter.sock'
-      c.NotebookApp.sock_mode = '0660'
-      c.NotebookApp.local_hostnames = ['jupyter.feal.no']
-
-      c.ConnectionFileMixin.transport = 'ipc'
-
-      ${cfg.notebookConfig}
-    '';
-  in {
-    environment = {
-      JUPYTER_DATA_DIR = "$STATE_DIRECTORY/data";
-      JUPYTER_RUNTIME_DIR = "$RUNTIME_DIRECTORY";
-    };
-    serviceConfig = {
-      RuntimeDirectory = "jupyter";
-      StateDirectory = "jupyter";
-
-      # Hardening
-      CapabilityBoundingSet = "";
-      LockPersonality = true;
-      NoNewPrivileges = true;
-      PrivateDevices = true;
-      PrivateMounts = true;
-      PrivateTmp = true;
-      PrivateUsers = true;
-      ProtectClock = true;
-      ProtectHome = true;
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "invisible";
-      ProtectSystem = "strict";
-      RemoveIPC = true;
-      RestrictSUIDSGID = true;
-      UMask = "0007";
-      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
-      SystemCallArchitectures = "native";
-
-      ExecStartPre = ''
-        ${pkgs.coreutils}/bin/mkdir -p /var/lib/jupyter/{notebooks,data}
-      '';
-      ExecStart = lib.mkForce ''
-        ${cfg.package}/bin/${cfg.command} --NotebookApp.config_file=${notebookConfig}
-      '';
-    };
-  };
-
-  services.nginx.virtualHosts."jupyter.feal.no" = {
-    locations."/" = {
-      proxyPass = "http://unix:/run/jupyter/jupyter.sock:/";
-      proxyWebsockets = true;
-    };
-  };
-}
--- a/hosts/voyager/services/nginx/default.nix
+++ b/hosts/voyager/services/nginx/default.nix
@ -4,6 +4,8 @@
    enable = true;
    enableReload = true;

+    clientMaxBodySize = "100m";
+
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
--- a/hosts/voyager/services/searx.nix
+++ b/hosts/voyager/services/searx.nix
@ -1,58 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  domain = "search.feal.no";
-  cfg = config.services.searx.settings;
-in {
-
-  sops.secrets."searx/env" = {
-    restartUnits = [ "searx.service" ];
-  };
-
-  services.searx = {
-    enable = true;
-    
-    settings = {
-      general = {
-        debug = false;
-        instance_name = "Taschmex Searx";
-        wiki_url = false;
-        docs_url = false;
-        twitter_url = false;
-      };
-      server = {
-        port = 8090;
-        bind_address = "127.0.1.2";
-        secret_key = "@SEARX_SECRETKEY@";
-        base_url = domain;
-        image_proxy = true;
-      };
-      outgoing = {
-        request_timeout = 2.0;
-        useragent_suffix = "searx@albrigtsen.it";
-        pool_connections = 100;
-        pool_maxsize = 10;
-      };
-    };
-
-    environmentFile = config.sops.secrets."searx/env".path;
-  };
-
-  services.nginx.virtualHosts.${domain} = {
-    locations."/".proxyPass = "http://${cfg.server.bind_address}:${toString cfg.server.port}";
-    /* addSSL = true; */
-    /* enableACME = true; */
-    /* listen = [ */
-    /*   { */
-    /*     addr = "0.0.0.0"; */
-    /*     port = 43443; */
-    /*     ssl = true; */
-    /*   } */
-    /*   { */
-    /*     addr = "0.0.0.0"; */
-    /*     port = 43080; */
-    /*   } */
-    /* ]; */
-  };
-
-  networking.firewall.allowedTCPPorts = [ 43443 43080 ];
-}
--- a/secrets/voyager/voyager.yaml
+++ b/secrets/voyager/voyager.yaml
@ -8,10 +8,6 @@
 #ENC[AES256_GCM,data:T+pI1ogtfjo57NrOvCuhbs//,iv:mqkwAHWxqvt9XkQX0EKXQyJrK5KOCVDpva1Ok37XvKc=,tag:qrp2QeNrJSDr3ECN6cBDiA==,type:comment]
 #ENC[AES256_GCM,data:46+Qt0FRlg2tN8A=,iv:4y5C0S75gp4qFFkJ4lOMcPbftOLyzB12wApqNOFYan4=,tag:T/4zLU7d90GkzDohJd2XTg==,type:comment]
 #ENC[AES256_GCM,data:fvJA2s0OEs7PDOr/,iv:HlO9MCqBHtz1Hm9tILlEsJ2gfgTPThmmyoCXlGyy/9Y=,tag:7L1Kl4RgAFG+WLvtk30nYQ==,type:comment]
-hedgedoc:
-    env: ENC[AES256_GCM,data:QaDReiDztJhu8n+Sa2SE9XjQS+YIMvQFqY5nSXKPUBrHk3tvEzmST8ZjjthruGWdKoEDQT0phR2KV660Hza8WQNajC85slVIQK2HFXKK8xYn5qeMQj5U1m85rmSjMNg6Rdb+rCQFWiM2KRfdkiWiAzcgOvGd2ziX3oE4tTTpBs2Jy70B+eXEVqZvYajQUyQZItCPb7BUhkhv8rVbI0Q=,iv:3ZcWie2pwfvUsXhQo1Zlpbq6r85OOWASKiwzfY30BHM=,tag:NyH6w9MQPUWvue/wo8LmAg==,type:str]
-searx:
-    env: ENC[AES256_GCM,data:5tzCZulZV+Ls0/N/WMQ4q2A5w04gmlA12AetbcX4pzn1xKDIe/0RwmuJXcq5qIof/A==,iv:/sFUtakRVNX2n1v72FGPFRQy0UK3jKbMS1Qmnrnm/tA=,tag:sxarQL61SDovipJZAd4Ozg==,type:str]
 transmission:
    vpncreds: ENC[AES256_GCM,data:KWm6AGlJze0Of9Nkz0moaQCAXMwylsZ+BIZR4BnbuDRbjKRMJSWCOFBSbG3esGprLhoCnYwc9mghSeoP2AQRAT++sERpxX3JTHF9QuauNmhRWb1xLsOfQAu6vsA/0dTshQr8ivhJSnEz57rasdOraovYjVsRXd7cuclajPoS4nl3+1/IrSkAlxNzx8F0PMmyOrvoPVMmqQ4PcKFfkXc1f59O2iJ19Bmt/x5yIxU=,iv:VAYlqL8Pb5J4g+W3QClrgRftYw5UofXmG9cfEsZdLr4=,tag:zJIxYaGEedFjM8IsBfnQog==,type:str]
 matrix:
@ -23,8 +19,6 @@ wireguard:
        private: ENC[AES256_GCM,data:XF89i1/TF5CpOvixwFDNOpke0YdWQDAMbvf/jOGR7iHKzz4OJu7K33lQbObT,iv:tVGdkkUU83Ba7VxHa7AJaIHFETp2Dy72dya3FDjnPZY=,tag:h9IJVeGnK7gABbu9hWZpww==,type:str]
 vaultwarden:
    admintoken: ENC[AES256_GCM,data:mJDiu0tgJQmvmJcJMULmctJvPN6/uM9VaoigHOMFkve9Vd3IMrpDmyJq+ibLpul+hw4PlLARjRzOxdZVcX7AB+uOOOrypppOIfvYC6U=,iv:YcyYLEHeIsCchcEy+fOMiQi8Cgf24AwQDpL7fhogNEU=,tag:1SqpNvuPhfjYIjvvRV34/Q==,type:str]
-jupyter:
-    password: ENC[AES256_GCM,data:MYnrNSesZn97ArnrGS6nHMnSSmDpBCk4/H6zJx1O+M8tjm2SWf25Pk1HcRzdJ5nUyPvMmoaJ0zAdptZYMiGmh2p4emaEbSOerxhEKyrFnuaS3PZRBgEUBAMQ3r0FNwUFNQ+e711t2fHD,iv:gZkwZwFJCn/oSIanNaOhpTZNG9qVvtRlO8f8KvuDR08=,tag:cXvFwQRhd24mcidMOki2Qg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -58,8 +52,8 @@ sops:
            NENEM2VLRDBzTWM0ckdPVThaeE0xL2MKTAvsDKgaoj0Fz9CoNbP6s1kROlDbbXtB
            4rFRGN+WZJrBioz5nN4kR7mVFKa4w6z6Pu3D5WLyK7UQQkZJ64avdw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-09-18T12:45:40Z"
-    mac: ENC[AES256_GCM,data:UfB8zJR4ijFPrm9942XL1uSPCN9wGSM/eEFyT/zEgtUkS8+y8pnRcMrDHBxxgB261us4XLL7lN3gxviPtlHJ3HpoftjRanmRdmyHkeWc3XTPNWHzAsWI9psLWAYOZGympY8nOoFnhgY3WaatMhETs/xB1rIH4k2C8mU3XwsnKhw=,iv:F29buZyeDQgmdZ7BEnpUvXkKcRwIhNvpNq9TJL9pDtk=,tag:b5bh1ATX6bbcboBnpeWApQ==,type:str]
+    lastmodified: "2023-12-18T22:12:35Z"
+    mac: ENC[AES256_GCM,data:X20Xx8DdwI9K4SM85I/wWE7GjuQepeT0lWHc85Yqa5Byabs5+zcGmryPo2hOFlkhbhb6U8e6eDKAdi/w/LHPLOmsocc+1RgZfO/mCzSmLBzjphCv3nW470oQNTYIXXlCDQCpEPU7ALe4FHKbuj/cgak4kN9ubnYEOL3tQoJzxk4=,iv:1PKo2A1VUeQ6NONaLCIa70YrhC9PUPQVF1WkYg4hza8=,tag:JUuzTAjNuMiVJwPNljGowQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3