jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

renamed computers

Browse Source
This commit is contained in:
Danilo Reyes
2023-09-24 18:15:29 -06:00
parent b8b4589dca
commit 81a348a442
9 changed files with 1476 additions and 241 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
server/.gitignore vendored Normal file
View File

@@ -0,0 +1,4 @@
/dotfiles/*.Appimage
/scripts/download/.direnv/
/configuration.nix
/scripts/PureRef-1.11.1_x64.Appimage

1003
server/configuration.org Executable file
View File

File diff suppressed because it is too large Load Diff

170
server/hardware-configuration.nix Executable file
View File

@@ -0,0 +1,170 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
let
unstable = import
(builtins.fetchTarball "https://github.com/nixos/nixpkgs/tarball/master") {
config = config.nixpkgs.config;
};
in {
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
#plymouth = { enable = true; };
loader = {
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot/efi";
};
grub = {
enable = true;
device = "nodev";
efiSupport = true;
enableCryptodisk = true;
};
};
initrd.luks.devices = {
nvme = {
device = "/dev/disk/by-uuid/af72f45c-cf7c-4e7d-8eab-2a95ab754921";
preLVM = true;
};
disk1 = {
device = "/dev/disk/by-uuid/a9b0f346-7e38-40a6-baf6-3ad80cafc842";
preLVM = true;
};
disk2 = {
device = "/dev/disk/by-uuid/0ed12b83-4c56-4ba8-b4ea-75a9e927d771";
preLVM = true;
};
hnbox = {
device = "/dev/disk/by-uuid/c7dd2d5a-b0b3-46a0-aca9-3d4975c1f0bc";
preLVM = true;
};
seedbox = {
device = "/dev/disk/by-uuid/04f06a3e-a91f-476b-9a4b-b9c722ba99e7";
preLVM = true;
};
};
kernelModules = [ "kvm-intel" ];
kernel.sysctl = { "vm.swappiness" = 80; };
extraModulePackages = [ ];
initrd = {
availableKernelModules =
[ "xhci_pci" "ahci" "usbhid" "nvme" "usb_storage" "sd_mod" ];
kernelModules = [ ];
};
};
fileSystems = {
"/" = {
device = "/dev/mapper/nvme";
fsType = "btrfs";
options = [
"subvol=nix"
"ssd"
"compress=zstd:3"
"x-systemd.device-timeout=0"
"space_cache=v2"
"commit=120"
"datacow"
"noatime"
];
};
"/home" = {
device = "/dev/mapper/nvme";
fsType = "btrfs";
options = [
"subvol=home"
"ssd"
"compress=zstd:3"
"x-systemd.device-timeout=0"
"space_cache=v2"
"commit=120"
"datacow"
];
};
"/mnt/disk1" = {
device = "/dev/mapper/disk1";
fsType = "btrfs";
options = [ "compress=zstd:3" "space_cache=v2" "commit=120" "datacow" ];
};
"/var/lib/nextcloud/data" = {
device = "/mnt/disk1/nextcloud";
options = [ "bind" ];
};
"/mnt/jellyfin/media" = {
device = "/mnt/disk1/multimedia/media";
options = [ "bind" "ro" ];
};
"/mnt/disk2" = {
device = "/dev/mapper/disk2";
fsType = "btrfs";
options = [ "compress=zstd:3" "space_cache=v2" "commit=120" "datacow" ];
};
"/mnt/hnbox" = {
device = "/dev/mapper/hnbox";
fsType = "btrfs";
options = [ "compress=zstd:3" "space_cache=v2" "commit=120" "datacow" ];
};
"/mnt/seedbox" = {
device = "/dev/mapper/seedbox";
fsType = "btrfs";
options = [ "compress=zstd:3" "space_cache=v2" "commit=120" "datacow" ];
};
"/mnt/jellyfin/external" = {
device = "/mnt/seedbox/external";
options = [ "bind" "ro" ];
};
"/mnt/parity" = {
device = "/dev/disk/by-uuid/643b727a-555d-425c-943c-62f5b93631c9";
fsType = "xfs";
options = [ "defaults" ];
};
"/boot" = {
device = "/dev/disk/by-uuid/c574cb53-dc40-46db-beff-0fe8a4787156";
fsType = "ext4";
};
"/boot/efi" = {
device = "/dev/disk/by-uuid/CBE7-5DEB";
fsType = "vfat";
};
"/export/disk1" = {
device = "/mnt/disk1";
options = [ "bind" ];
};
"/export/disk2" = {
device = "/mnt/disk2";
options = [ "bind" ];
};
"/export/seedbox" = {
device = "/mnt/seedbox";
options = [ "bind" ];
};
"/export/jawz" = {
device = "/home/jawz";
options = [ "bind" ];
};
};
services.nfs = {
server = {
enable = true;
exports = ''
/export 192.168.1.64(rw,fsid=0,no_subtree_check)
/export/disk1 192.168.1.64(rw,nohide,insecure,no_subtree_check)
/export/disk2 192.168.1.64(rw,nohide,insecure,no_subtree_check)
/export/seedbox 192.168.1.64(rw,nohide,insecure,no_subtree_check)
/export/jawz 192.168.1.64(rw,nohide,insecure,no_subtree_check)
'';
};
};
swapDevices = [{
device = "/dev/disk/by-partuuid/cb0ad486-ebf8-4bfc-ad7c-96bdc68576ca";
randomEncryption = {
enable = true;
cipher = "aes-xts-plain64";
keySize = 512;
sectorSize = 4096;
};
}];
}

200
server/nginx.nix Executable file
View File

@@ -0,0 +1,200 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
let
localhost = "127.0.0.1";
battlestation = "192.168.1.64";
jellyfinPort = "8096";
gptPort = "7860";
nextcloudPort = 80;
flamePort = 5005;
secretFlamePort = 5007;
lidarrPort = 8686;
sonarrPort = 8989;
prowlarrPort = 9696;
radarrPort = 7878;
bazarrPort = config.services.bazarr.listenPort;
kavitaPort = config.services.kavita.port;
vaultPort = config.services.vaultwarden.config.ROCKET_PORT;
in {
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
# recommendedProxySettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
appendHttpConfig = ''
### GLOBAL
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services.
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
# add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# Enable XSS protection of the browser.
# May be unnecessary when CSP is configured properly (see above)
add_header X-XSS-Protection "1; mode=block";
# This might create errors
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
# NEXTCLOUD
# upstream php-handler {
# server ${localhost}:9000;
# #server unix:/var/run/php/php7.4-fpm.sock;
# }
# Set the `immutable` cache control options only for assets with a cache busting `v` argument
# map $arg_v $asset_immutable {
# "" "";
# default "immutable";
# }
# JELLYFIN
proxy_cache_path /var/cache/nginx/jellyfin-videos levels=1:2 keys_zone=jellyfin-videos:100m inactive=90d max_size=35000m;
proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=15g inactive=30d use_temp_path=off;
map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; }
map $request_uri $h264Profile { ~(h264-profile=)(.+?)& $2; }
'';
virtualHosts = let
base = locations: {
inherit locations;
forceSSL = true;
enableACME = true;
http2 = true;
};
proxy = port:
base { "/".proxyPass = "http://${localhost}:${toString (port)}/"; };
proxyArr = port:
proxy port // {
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_redirect off;
proxy_http_version 1.1;
'';
};
in {
"movies.servidos.lat" = proxyArr radarrPort // { };
"indexer.servidos.lat" = proxyArr prowlarrPort // { };
"music.servidos.lat" = proxyArr lidarrPort // { };
"library.servidos.lat" = proxy kavitaPort // { };
"start.servidos.lat" = proxy flamePort // { };
"subs.servidos.lat" = proxy bazarrPort // { };
"series.servidos.lat" = proxy sonarrPort // { };
"vault.servidos.lat" = proxy vaultPort // { };
"qampqwn4wprhqny8h8zj.servidos.lat" = proxy secretFlamePort // { };
"flix.servidos.lat" = {
forceSSL = true;
enableACME = true;
http2 = true;
extraConfig = ''
# use a variable to store the upstream proxy
# in this example we are using a hostname which is resolved via DNS
# (if you aren't using DNS remove the resolver line and change the variable to point to an IP address
resolver ${localhost} valid=30;
location = / {
return 302 http://$host/web/;
#return 302 https://$host/web/;
}
location = /web/ {
# Proxy main Jellyfin traffic
proxy_pass http://${localhost}:${jellyfinPort}/web/index.html;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
'';
locations = {
"/" = {
proxyPass = "http://${localhost}:${jellyfinPort}";
proxyWebsockets = true;
};
"/socket" = {
proxyPass = "http://${localhost}:${jellyfinPort}";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
"~ /Items/(.*)/Images" = {
proxyPass = "http://${localhost}:${jellyfinPort}";
extraConfig = ''
proxy_cache jellyfin;
proxy_cache_revalidate on;
proxy_cache_lock on;
'';
};
"~* ^/Videos/(.*)/(?!live)" = {
proxyPass = "http://${localhost}:${jellyfinPort}";
extraConfig = ''
# Set size of a slice (this amount will be always requested from the backend by nginx)
# Higher value means more latency, lower more overhead
# This size is independent of the size clients/browsers can request
# slice 2m;
proxy_cache jellyfin-videos;
proxy_cache_valid 200 206 301 302 30d;
proxy_ignore_headers Expires Cache-Control Set-Cookie X-Accel-Expires;
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
proxy_connect_timeout 15s;
proxy_http_version 1.1;
proxy_set_header Connection "";
# Transmit slice range to the backend
proxy_set_header Range 2m;
# This saves bandwidth between the proxy and jellyfin, as a file is only downloaded one time instead of multiple times when multiple clients want to at the same time
# The first client will trigger the download, the other clients will have to wait until the slice is cached
# Esp. practical during SyncPlay
proxy_cache_lock on;
proxy_cache_lock_age 60s;
proxy_cache_key "jellyvideo$uri?MediaSourceId=$arg_MediaSourceId&VideoCodec=$arg_VideoCodec&AudioCodec=$arg_AudioCodec&AudioStreamIndex=$arg_AudioStreamIndex&VideoBitrate=$arg_VideoBitrate&AudioBitrate=$arg_AudioBitrate&SubtitleMethod=$arg_SubtitleMethod&TranscodingMaxAudioChannels=$arg_TranscodingMaxAudioChannels&RequireAvc=$arg_RequireAvc&SegmentContainer=$arg_SegmentContainer&MinSegments=$arg_MinSegments&BreakOnNonKeyFrames=$arg_BreakOnNonKeyFrames&h264-profile=$h264Profile&h264-level=$h264Level&slicerange=2m";
# add_header X-Cache-Status $upstream_cache_status; # This is only for debugging cache
'';
};
};
};
${config.services.nextcloud.hostName} = {
forceSSL = true;
enableACME = true;
http2 = true;
serverAliases = [ "cloud.rotehaare.art" "danilo-reyes.com" ];
};
};
};
networking = {
firewall = let open_firewall_ports = [ 80 443 ];
in {
enable = true;
allowedTCPPorts = open_firewall_ports;
allowedUDPPorts = open_firewall_ports;
};
};
}

83
server/openldap.nix Executable file
View File

@@ -0,0 +1,83 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
let hostname = "servidos.lat";
in {
services.openldap = {
enable = true;
# enable plain and secure connections
urlList = [ "ldap:///" "ldaps:///" ];
settings = {
attrs = {
olcLogLevel = "conns config";
# settings for acme ssl
olcTLSCACertificateFile = "/var/lib/acme/${hostname}/full.pem";
olcTLSCertificateFile = "/var/lib/acme/${hostname}/cert.pem";
olcTLSCertificateKeyFile = "/var/lib/acme/${hostname}/key.pem";
olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
olcTLSCRLCheck = "none";
olcTLSVerifyClient = "never";
olcTLSProtocolMin = "3.1";
};
children = {
"cn=schema".includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
];
"olcDatabase={1}mdb".attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=example,dc=com";
# your admin account, do not use writeText on a production system
olcRootDN = "cn=admin,dc=example,dc=com";
olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
olcAccess = [
# custom access rules for userPassword attributes
''
{0}to attrs=userPassword
by self write
by anonymous auth
by * none''
# allow read on anything else
''
{1}to *
by * read''
];
};
};
};
};
# ensure openldap is launched after certificates are created
systemd.services.openldap = {
wants = [ "acme-${hostname}.service" ];
after = [ "acme-${hostname}.service" ];
};
# make acme certificates accessible by openldap
security.acme.defaults.group = "certs";
users.groups.certs.members = [ "openldap" ];
# trigger the actual certificate generation for your hostname
security.acme.certs."${hostname}" = { extraDomainNames = [ ]; };
# example using hetzner dns to run letsencrypt verification
security.acme.defaults.dnsProvider = "hetzner";
security.acme.defaults.credentialsFile = pkgs.writeText "credentialsFile" ''
HETZNER_API_KEY=<your-hetzner-dns-api-key>
'';
}

0
server/secrets.nix_wip Normal file
View File

265
server/servers.nix Normal file
View File

@@ -0,0 +1,265 @@
{ config, lib, pkgs, modulesPath, ... }:
let
localhost = "127.0.0.1";
postgresPort = toString (config.services.postgresql.port);
unstable = import
(builtins.fetchTarball "https://github.com/nixos/nixpkgs/tarball/master") {
config = config.nixpkgs.config;
};
in {
imports = [ ./nginx.nix ];
nixpkgs.config = {
permittedInsecurePackages = [ "nodejs-14.21.3" "openssl-1.1.1v" ];
};
users.groups = { piracy.gid = 985; };
users.users = let base = { isSystemUser = true; };
in {
prowlarr = base // { group = "piracy"; };
nextcloud = base // {
extraGroups = [ "render" ];
packages = (with pkgs; [
nodejs_14
perl
(perlPackages.buildPerlPackage rec {
pname = "Image-ExifTool";
version = "12.60";
src = fetchurl {
url = "https://exiftool.org/Image-ExifTool-${version}.tar.gz";
hash = "sha256-c9vgbQBMMQgqVueNfyRvK7AAL7sYNUR7wyorB289Mq0=";
};
})
]);
};
};
services = let
base = {
enable = true;
group = "piracy";
};
in {
sonarr = base // { package = unstable.pkgs.sonarr; };
radarr = base // { package = unstable.pkgs.radarr; };
bazarr = base // { };
jellyfin = base // { };
prowlarr.enable = true;
paperless = {
enable = true;
address = "0.0.0.0";
consumptionDirIsPublic = true;
extraConfig = {
PAPERLESS_DBENGINE = "postgress";
PAPERLESS_DBHOST = "${localhost}";
PAPERLESS_DBNAME = "paperless";
PAPERLESS_DBUSER = "paperless";
PAPERLESS_DBPASS = "sopacerias";
PAPERLESS_DBPORT = "${postgresPort}";
PAPERLESS_CONSUMER_IGNORE_PATTERN =
builtins.toJSON [ ".DS_STORE/*" "desktop.ini" ];
PAPERLESS_TIME_ZONE = "America/Mexico_City";
PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
optimize = 1;
pdfa_image_compression = "lossless";
};
};
};
vaultwarden = {
enable = true;
dbBackend = "postgresql";
package = unstable.pkgs.vaultwarden;
config = {
ROCKET_ADDRESS = "${localhost}";
ROCKET_PORT = 8222;
WEBSOCKET_PORT = 8333;
ADMIN_TOKEN =
"x9BLqz2QmnU5RmrMLt2kPpoPBTNPZxNFw/b8XrPgpQML2/01+MYENl87dmhDX+Jm";
DATABASE_URL =
"postgresql://vaultwarden:sopacerias@${localhost}:${postgresPort}/vaultwarden";
ENABLE_DB_WAL = false;
WEBSOCKET_ENABLED = true;
SHOW_PASSWORD_HINT = false;
SIGNUPS_ALLOWED = false;
EXTENDED_LOGGING = true;
LOG_LEVEL = "warn";
};
};
kavita = {
enable = true;
tokenKeyFile = "${pkgs.writeText "kavitaToken"
"Au002BRkRxBjlQrmWSuXWTGUcpXZjzMo2nJ0Z4g4OZ1S4c2zp6oaesGUXzKp2mhvOwjju002BNoURG3CRIE2qnGybvOgAlDxAZCPBzSNRcx6RJ1lFRgvI8wQR6Nd5ivYX0RMo4S8yOH8XIDhzN6vNo31rCjyv2IycX0JqiJPIovfbvXn9Y="}";
};
nextcloud = {
enable = true;
https = true;
package = pkgs.nextcloud27;
appstoreEnable = true;
configureRedis = true;
extraAppsEnable = true;
enableImagemagick = true;
maxUploadSize = "512M";
hostName = "cloud.servidos.lat";
config = {
adminpassFile = "${pkgs.writeText "adminpass"
"Overlying-Hatchback-Charting-Encounter-Deface-Gallantly7"}";
overwriteProtocol = "https";
defaultPhoneRegion = "MX";
dbtype = "pgsql";
dbuser = "nextcloud";
dbpassFile = "${pkgs.writeText "dbpass" "sopacerias"}";
dbtableprefix = "oc_";
dbname = "nextcloud";
trustedProxies = [ "nginx" ];
extraTrustedDomains = [ "cloud.rotehaare.art" "danilo-reyes.com" ];
};
phpOptions = {
catch_workers_output = "yes";
display_errors = "stderr";
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
expose_php = "Off";
"opcache.enable_cli" = "1";
"opcache.fast_shutdown" = "1";
"opcache.interned_strings_buffer" = "16";
"opcache.jit" = "1255";
"opcache.jit_buffer_size" = "128M";
"opcache.max_accelerated_files" = "10000";
"opcache.memory_consumption" = "128";
"opcache.revalidate_freq" = "1";
"opcache.save_comments" = "1";
"opcache.validate_timestamps" = "0";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
short_open_tag = "Off";
};
extraOptions = {
mail_smtpmode = "sendmail";
mail_sendmailmode = "pipe";
"installed" = true;
"memories.exiftool" = "/etc/profiles/per-user/nextcloud/bin/exiftool";
enabledPreviewProviders = [
"OC\\Preview\\Image"
"OC\\Preview\\HEIC"
"OC\\Preview\\TIFF"
"OC\\Preview\\MKV"
"OC\\Preview\\MP4"
"OC\\Preview\\AVI"
"OC\\Preview\\Movie"
];
};
phpExtraExtensions = all: [ all.pdlib all.bz2 ];
};
postgresql = {
enable = true;
ensureDatabases = [ "paperless" "nextcloud" "mealie" "vaultwarden" ];
ensureUsers = [
{
name = "nextcloud";
ensurePermissions = { "DATABASE nextcloud" = "ALL PRIVILEGES"; };
}
{
name = "paperless";
ensurePermissions = { "DATABASE paperless" = "ALL PRIVILEGES"; };
}
{
name = "mealie";
ensurePermissions = { "DATABASE mealie" = "ALL PRIVILEGES"; };
}
{
name = "vaultwarden";
ensurePermissions = { "DATABASE vaultwarden" = "ALL PRIVILEGES"; };
}
];
authentication = pkgs.lib.mkOverride 10 ''
local all all trust
host all all ${localhost}/32 trust
host all all ::1/128 trust
'';
};
};
environment.systemPackages = with pkgs; [ docker-compose ];
virtualisation.docker = {
enable = true;
enableNvidia = true;
storageDriver = "btrfs";
};
systemd = {
services = {
docker-compose = {
enable = true;
restartIfChanged = true;
description = "Start docker-compose servers";
after = [ "docker.service" "docker.socket" ];
requires = [ "docker.service" "docker.socket" ];
wantedBy = [ "default.target" ];
environment = {
FILE = "/home/jawz/Development/Docker/docker-compose.yml";
};
path = [ pkgs.docker-compose ];
serviceConfig = {
Restart = "on-failure";
RestartSec = 30;
ExecStart =
"${pkgs.docker-compose}/bin/docker-compose -f \${FILE} up --remove-orphans";
ExecStop =
"${pkgs.docker-compose}/bin/docker-compose -f \${FILE} down";
};
};
nextcloud-cronjob = let
jawzNextcloudCronjob = pkgs.writeScriptBin "nextcloud-cronjob"
(builtins.readFile ../scripts/nextcloud-cronjob.sh);
in {
description = "Runs various nextcloud-related cronjobs";
wantedBy = [ "default.target" ];
path = [ pkgs.bash jawzNextcloudCronjob ];
serviceConfig = {
Restart = "on-failure";
RestartSec = 30;
# ${config.services.nextcloud.package}
ExecStart = "${jawzNextcloudCronjob}/bin/nextcloud-cronjob";
};
};
};
timers = {
nextcloud-cronjob = {
enable = true;
description = "Runs various nextcloud-related cronjobs";
wantedBy = [ "timers.target" ];
timerConfig = { OnCalendar = "*:0/10"; };
};
};
user.services = {
update-dns = let
jawzUpdateDns = pkgs.writeScriptBin "update-dns"
(builtins.readFile ../scripts/update-dns.sh);
in {
restartIfChanged = true;
description = "update DNS of my websites";
wantedBy = [ "default.target" ];
path = [ pkgs.bash pkgs.nix jawzUpdateDns ];
serviceConfig = {
Restart = "on-failure";
RestartSec = 30;
ExecStart = "${jawzUpdateDns}/bin/update-dns";
};
};
};
user.timers = {
update-dns = {
enable = true;
description = "update DNS of my websites";
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "1min";
OnUnitActiveSec = "6h";
};
};
};
};
networking = {
firewall = let open_firewall_ports = [ config.services.paperless.port ];
in {
enable = true;
allowedTCPPorts = open_firewall_ports;
allowedUDPPorts = open_firewall_ports;
};
};
}