From f7c989abdb5fb28688747a160a479e8a6e63750b Mon Sep 17 00:00:00 2001
From: Felix Albrigtsen
Date: Mon, 18 Dec 2023 23:17:57 +0100
Subject: [PATCH] voyager: various cleanups

---
 hosts/voyager/configuration.nix          |   6 --
 hosts/voyager/services/gitea.nix         |   2 +-
 hosts/voyager/services/jupyter.nix       | 128 ----------------------
 hosts/voyager/services/nginx/default.nix |   2 +
 hosts/voyager/services/searx.nix         |  58 ---------
 secrets/voyager/voyager.yaml             |  10 +-
 6 files changed, 5 insertions(+), 201 deletions(-)
 delete mode 100644 hosts/voyager/services/jupyter.nix
 delete mode 100644 hosts/voyager/services/searx.nix

diff --git a/hosts/voyager/configuration.nix b/hosts/voyager/configuration.nix
index 7c9afd2..c4b10ca 100644
--- a/hosts/voyager/configuration.nix
+++ b/hosts/voyager/configuration.nix
@@ -11,13 +11,10 @@
     ./exports.nix
     ./services/snappymail.nix
-    #./vms.nix
-
     ./services/calibre.nix
     ./services/fancontrol.nix
     ./services/gitea.nix
     ./services/jellyfin.nix
-    ./services/jupyter.nix
     ./services/kanidm.nix
     ./services/metrics
     ./services/nginx
@@ -26,9 +23,6 @@
     ./services/timemachine.nix
     ./services/transmission.nix
     ./services/vaultwarden.nix
-    # ./services/searx.nix
-    # ./services/code-server.nix
-
   ];
 
   networking = {
diff --git a/hosts/voyager/services/gitea.nix b/hosts/voyager/services/gitea.nix
index d71238b..959bce2 100644
--- a/hosts/voyager/services/gitea.nix
+++ b/hosts/voyager/services/gitea.nix
@@ -3,7 +3,7 @@ let
   cfg = config.services.gitea;
   domain = "git.feal.no";
   httpPort = 3004;
-  /* sshPort = 2222; */
+  #sshPort = 2222;
 in {
   services.gitea = {
     enable = true;
diff --git a/hosts/voyager/services/jupyter.nix b/hosts/voyager/services/jupyter.nix
deleted file mode 100644
index b27ca94..0000000
--- a/hosts/voyager/services/jupyter.nix
+++ /dev/null
@@ -1,128 +0,0 @@
-{ config, pkgs, lib, ... }: let
-  cfg = config.services.jupyter;
-in {
-  sops.secrets."jupyter/password" = {
-    restartUnits = [ "jupyter.service" ];
-    owner = cfg.user;
-    group = cfg.group;
-  };
-
-  users.users."jupyter".group = "jupyter";
-  users.groups."jupyter".members = [ "nginx" ];
-
-  services.jupyter = {
-    enable = true;
-    group = "jupyter";
-    password = let
-      readFile = f: "open('${f}', 'r', encoding='utf8').read().strip()";
-    in
-      readFile config.sops.secrets."jupyter/password".path;
-
-    /* kernels = { */
-    /*   pythonDS = let */
-    /*     env = (pkgs.python310.withPackages (pythonPackages: with pythonPackages; [ */
-    /*       numpy */
-    /*       matplotlib */
-    /*       ipykernel */
-    /*     ])); */
-    /*   in { */
-    /*     displayName = "Python for data science"; */
-    /*     argv = [ */
-    /*       "${env.interpreter}" */
-    /*       "-m" */
-    /*       "ipykernel_launcher" */
-    /*       "-f" */
-    /*       "{connection_file}" */
-    /*     ]; */
-    /*     language = "python"; */
-    /*     logo32 = "${env}/${env.sitePackages}/ipykernel/resources/logo-32x32.png"; */
-    /*     logo64 = "${env}/${env.sitePackages}/ipykernel/resources/logo-64x64.png"; */
-    /*   }; */
-    /* }; */
-    kernels = {
-      python3 = let
-        env = (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
-          ipykernel
-          pandas
-          numpy
-          scipy
-          scikit-learn
-        ]));
-      in {
-        displayName = "Python 3 for statistics";
-        argv = [
-          "${env.interpreter}"
-          "-m"
-          "ipykernel_launcher"
-          "-f"
-          "{connection_file}"
-        ];
-        language = "python";
-        logo32 = "${env}/${env.sitePackages}/ipykernel/resources/logo-32x32.png";
-        logo64 = "${env}/${env.sitePackages}/ipykernel/resources/logo-64x64.png";
-      };
-    };
-  };
-
-  systemd.services.jupyter = let
-    notebookConfig = pkgs.writeText "jupyter_config.py" ''
-      c.NotebookApp.notebook_dir = 'notebooks'
-      c.NotebookApp.open_browser = False
-      c.NotebookApp.password = ${cfg.password}
-      c.NotebookApp.password_required = True
-
-      c.NotebookApp.sock = '/run/jupyter/jupyter.sock'
-      c.NotebookApp.sock_mode = '0660'
-      c.NotebookApp.local_hostnames = ['jupyter.feal.no']
-
-      c.ConnectionFileMixin.transport = 'ipc'
-
-      ${cfg.notebookConfig}
-    '';
-  in {
-    environment = {
-      JUPYTER_DATA_DIR = "$STATE_DIRECTORY/data";
-      JUPYTER_RUNTIME_DIR = "$RUNTIME_DIRECTORY";
-    };
-    serviceConfig = {
-      RuntimeDirectory = "jupyter";
-      StateDirectory = "jupyter";
-
-      # Hardening
-      CapabilityBoundingSet = "";
-      LockPersonality = true;
-      NoNewPrivileges = true;
-      PrivateDevices = true;
-      PrivateMounts = true;
-      PrivateTmp = true;
-      PrivateUsers = true;
-      ProtectClock = true;
-      ProtectHome = true;
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "invisible";
-      ProtectSystem = "strict";
-      RemoveIPC = true;
-      RestrictSUIDSGID = true;
-      UMask = "0007";
-      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
-      SystemCallArchitectures = "native";
-
-      ExecStartPre = ''
-        ${pkgs.coreutils}/bin/mkdir -p /var/lib/jupyter/{notebooks,data}
-      '';
-      ExecStart = lib.mkForce ''
-        ${cfg.package}/bin/${cfg.command} --NotebookApp.config_file=${notebookConfig}
-      '';
-    };
-  };
-
-  services.nginx.virtualHosts."jupyter.feal.no" = {
-    locations."/" = {
-      proxyPass = "http://unix:/run/jupyter/jupyter.sock:/";
-      proxyWebsockets = true;
-    };
-  };
-}
diff --git a/hosts/voyager/services/nginx/default.nix b/hosts/voyager/services/nginx/default.nix
index 23a9300..486a2a0 100644
--- a/hosts/voyager/services/nginx/default.nix
+++ b/hosts/voyager/services/nginx/default.nix
@@ -4,6 +4,8 @@
   enable = true;
   enableReload = true;
 
+  clientMaxBodySize = "100m";
+
   recommendedProxySettings = true;
   recommendedTlsSettings = true;
   recommendedGzipSettings = true;
diff --git a/hosts/voyager/services/searx.nix b/hosts/voyager/services/searx.nix
deleted file mode 100644
index b70d2f9..0000000
--- a/hosts/voyager/services/searx.nix
+++ /dev/null
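Review bot: `clientMaxBodySize = "100m";` is set on the top-level nginx module, so the raised request-body limit applies to every virtual host on this server rather than only to the service that needs large uploads, and the hunk gives no hint which one that is. Since this value bounds how much request body nginx accepts and buffers per request, scoping it to the consuming host keeps the remaining vhosts at the default, e.g. `virtualHosts."<host>".extraConfig = "client_max_body_size 100m;";`, or at least a comment naming the consumer, `# 100m: needed for <service> uploads`. The enclosing `services.nginx = {` set starts before this hunk and closes after it.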
@@ -1,58 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  domain = "search.feal.no";
-  cfg = config.services.searx.settings;
-in {
-
-  sops.secrets."searx/env" = {
-    restartUnits = [ "searx.service" ];
-  };
-
-  services.searx = {
-    enable = true;
-
-    settings = {
-      general = {
-        debug = false;
-        instance_name = "Taschmex Searx";
-        wiki_url = false;
-        docs_url = false;
-        twitter_url = false;
-      };
-      server = {
-        port = 8090;
-        bind_address = "127.0.1.2";
-        secret_key = "@SEARX_SECRETKEY@";
-        base_url = domain;
-        image_proxy = true;
-      };
-      outgoing = {
-        request_timeout = 2.0;
-        useragent_suffix = "searx@albrigtsen.it";
-        pool_connections = 100;
-        pool_maxsize = 10;
-      };
-    };
-
-    environmentFile = config.sops.secrets."searx/env".path;
-  };
-
-  services.nginx.virtualHosts.${domain} = {
-    locations."/".proxyPass = "http://${cfg.server.bind_address}:${toString cfg.server.port}";
-    /* addSSL = true; */
-    /* enableACME = true; */
-    /* listen = [ */
-    /*   { */
-    /*     addr = "0.0.0.0"; */
-    /*     port = 43443; */
-    /*     ssl = true; */
-    /*   } */
-    /*   { */
-    /*     addr = "0.0.0.0"; */
-    /*     port = 43080; */
-    /*   } */
-    /* ]; */
-  };
-
-  networking.firewall.allowedTCPPorts = [ 43443 43080 ];
-}
diff --git a/secrets/voyager/voyager.yaml b/secrets/voyager/voyager.yaml
index 02b37e4..0f675b5 100644
--- a/secrets/voyager/voyager.yaml
+++ b/secrets/voyager/voyager.yaml
@@ -8,10 +8,6 @@
 #ENC[AES256_GCM,data:T+pI1ogtfjo57NrOvCuhbs//,iv:mqkwAHWxqvt9XkQX0EKXQyJrK5KOCVDpva1Ok37XvKc=,tag:qrp2QeNrJSDr3ECN6cBDiA==,type:comment]
 #ENC[AES256_GCM,data:46+Qt0FRlg2tN8A=,iv:4y5C0S75gp4qFFkJ4lOMcPbftOLyzB12wApqNOFYan4=,tag:T/4zLU7d90GkzDohJd2XTg==,type:comment]
 #ENC[AES256_GCM,data:fvJA2s0OEs7PDOr/,iv:HlO9MCqBHtz1Hm9tILlEsJ2gfgTPThmmyoCXlGyy/9Y=,tag:7L1Kl4RgAFG+WLvtk30nYQ==,type:comment]
-hedgedoc:
-    env: ENC[AES256_GCM,data:QaDReiDztJhu8n+Sa2SE9XjQS+YIMvQFqY5nSXKPUBrHk3tvEzmST8ZjjthruGWdKoEDQT0phR2KV660Hza8WQNajC85slVIQK2HFXKK8xYn5qeMQj5U1m85rmSjMNg6Rdb+rCQFWiM2KRfdkiWiAzcgOvGd2ziX3oE4tTTpBs2Jy70B+eXEVqZvYajQUyQZItCPb7BUhkhv8rVbI0Q=,iv:3ZcWie2pwfvUsXhQo1Zlpbq6r85OOWASKiwzfY30BHM=,tag:NyH6w9MQPUWvue/wo8LmAg==,type:str]
-searx:
-    env: ENC[AES256_GCM,data:5tzCZulZV+Ls0/N/WMQ4q2A5w04gmlA12AetbcX4pzn1xKDIe/0RwmuJXcq5qIof/A==,iv:/sFUtakRVNX2n1v72FGPFRQy0UK3jKbMS1Qmnrnm/tA=,tag:sxarQL61SDovipJZAd4Ozg==,type:str]
 transmission:
     vpncreds: ENC[AES256_GCM,data:KWm6AGlJze0Of9Nkz0moaQCAXMwylsZ+BIZR4BnbuDRbjKRMJSWCOFBSbG3esGprLhoCnYwc9mghSeoP2AQRAT++sERpxX3JTHF9QuauNmhRWb1xLsOfQAu6vsA/0dTshQr8ivhJSnEz57rasdOraovYjVsRXd7cuclajPoS4nl3+1/IrSkAlxNzx8F0PMmyOrvoPVMmqQ4PcKFfkXc1f59O2iJ19Bmt/x5yIxU=,iv:VAYlqL8Pb5J4g+W3QClrgRftYw5UofXmG9cfEsZdLr4=,tag:zJIxYaGEedFjM8IsBfnQog==,type:str]
 matrix:
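Review bot: The `hedgedoc: env:` entry is removed alongside the searx one, but unlike searx no hedgedoc module is deleted or edited in this commit, and the configuration.nix hunks show no `./services/hedgedoc.nix` import, so this looks like a stale-entry cleanup rather than part of the decommissioning; it is worth confirming that no other module on this host still reads `config.sops.secrets."hedgedoc/env"`, since such a reference would fail at evaluation time once the key is gone. Note also that dropping the entries from this file does not retire the underlying values: the ciphertexts remain in history under the same age recipients, so the searx env and the `jupyter: password:` removed in the next hunk should be considered dead only if nothing outside this host still accepts them. The `mac` update in the last hunk is consistent with these removals.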
@@ -23,8 +19,6 @@ wireguard:
     private: ENC[AES256_GCM,data:XF89i1/TF5CpOvixwFDNOpke0YdWQDAMbvf/jOGR7iHKzz4OJu7K33lQbObT,iv:tVGdkkUU83Ba7VxHa7AJaIHFETp2Dy72dya3FDjnPZY=,tag:h9IJVeGnK7gABbu9hWZpww==,type:str]
 vaultwarden:
     admintoken: ENC[AES256_GCM,data:mJDiu0tgJQmvmJcJMULmctJvPN6/uM9VaoigHOMFkve9Vd3IMrpDmyJq+ibLpul+hw4PlLARjRzOxdZVcX7AB+uOOOrypppOIfvYC6U=,iv:YcyYLEHeIsCchcEy+fOMiQi8Cgf24AwQDpL7fhogNEU=,tag:1SqpNvuPhfjYIjvvRV34/Q==,type:str]
-jupyter:
-    password: ENC[AES256_GCM,data:MYnrNSesZn97ArnrGS6nHMnSSmDpBCk4/H6zJx1O+M8tjm2SWf25Pk1HcRzdJ5nUyPvMmoaJ0zAdptZYMiGmh2p4emaEbSOerxhEKyrFnuaS3PZRBgEUBAMQ3r0FNwUFNQ+e711t2fHD,iv:gZkwZwFJCn/oSIanNaOhpTZNG9qVvtRlO8f8KvuDR08=,tag:cXvFwQRhd24mcidMOki2Qg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -58,8 +52,8 @@ sops:
             NENEM2VLRDBzTWM0ckdPVThaeE0xL2MKTAvsDKgaoj0Fz9CoNbP6s1kROlDbbXtB
             4rFRGN+WZJrBioz5nN4kR7mVFKa4w6z6Pu3D5WLyK7UQQkZJ64avdw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-09-18T12:45:40Z"
-    mac: ENC[AES256_GCM,data:UfB8zJR4ijFPrm9942XL1uSPCN9wGSM/eEFyT/zEgtUkS8+y8pnRcMrDHBxxgB261us4XLL7lN3gxviPtlHJ3HpoftjRanmRdmyHkeWc3XTPNWHzAsWI9psLWAYOZGympY8nOoFnhgY3WaatMhETs/xB1rIH4k2C8mU3XwsnKhw=,iv:F29buZyeDQgmdZ7BEnpUvXkKcRwIhNvpNq9TJL9pDtk=,tag:b5bh1ATX6bbcboBnpeWApQ==,type:str]
+    lastmodified: "2023-12-18T22:12:35Z"
+    mac: ENC[AES256_GCM,data:X20Xx8DdwI9K4SM85I/wWE7GjuQepeT0lWHc85Yqa5Byabs5+zcGmryPo2hOFlkhbhb6U8e6eDKAdi/w/LHPLOmsocc+1RgZfO/mCzSmLBzjphCv3nW470oQNTYIXXlCDQCpEPU7ALe4FHKbuj/cgak4kN9ubnYEOL3tQoJzxk4=,iv:1PKo2A1VUeQ6NONaLCIa70YrhC9PUPQVF1WkYg4hza8=,tag:JUuzTAjNuMiVJwPNljGowQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3