diff --git a/common.nix b/common.nix
index d34e31e..6bdd6ec 100644
--- a/common.nix
+++ b/common.nix
@@ -81,13 +81,13 @@
 systemd.services.nix-daemon.serviceConfig.LimitNOFILE = lib.mkForce 1048576000;
 system.autoUpgrade = {
- enable = false;
- dates = "minutely";
+ enable = true;
+ dates = "hourly";
 flake = "git+https://git.missing.ninja/lf3/server-conf.git";
 };
 networking.hosts = {
- "192.168.88.251" = [ "wiki.it3" ];
+ "192.168.88.251" = builtins.attrNames self.nixosConfigurations.mio-mio-mate.config.services.nginx.virtualHosts;
 "192.168.88.1" = [ "router" ];
 };
diff --git a/router.nix b/router.nix
index c676be2..ba266cb 100644
--- a/router.nix
+++ b/router.nix
@@ -1,4 +1,5 @@
 {
+ # Resret router with /system reset-configuration keep-users no-defaults run-after-reset=router-config.rsc
 "/interface bridge" = [
 {
 auto-mac = "no";
@@ -101,8 +102,10 @@
 }
 ];
 "/ip dns" = {
- "allow-remote-requests" = "yes";
- servers = "1.1.1.1,1.0.0.1";
+ no_label = {
+ allow-remote-requests = "yes";
+ servers = "1.1.1.1,1.0.0.1";
+ };
 };
 "/ip dns static" = [
 {
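Review bot: In common.nix, enabling `system.autoUpgrade` hourly against `git+https://git.missing.ninja/lf3/server-conf.git` with no `ref` or `rev` means every host rebuilds as root from whatever the default branch holds, so push access to that repository turns into root on each machine within the hour. I would point the flake at a protected branch, e.g. `flake = "git+https://git.missing.ninja/lf3/server-conf.git?ref=<protected-branch>";`, and add a comment above it stating that merges to that branch are deployed unattended. The new `networking.hosts` line also assumes `self` is in scope in this module, which the hunk does not show. The enclosing attribute set starts and ends outside the hunk.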
@@ -110,69 +113,23 @@
 name = "router.lan";
 }
 ];
+ "/ip firewall address-list" = [
+ {
+ address = "10.10.10.10-10.10.10.10.254";
+ list = "allowed_to_router";
+ }
+ ];
 "/ip firewall filter" = [
 {
 action = "accept";
 chain = "input";
- comment = "defconf: accept established,related,untracked";
- "connection-state" = "established,related,untracked";
- }
- {
- action = "drop";
- chain = "input";
- comment = "defconf: drop invalid";
- "connection-state" = "invalid";
+ src-address-list = "allowed_to_router";
 }
 {
 action = "accept";
 chain = "input";
- comment = "defconf: accept ICMP";
 protocol = "icmp";
 }
- {
- action = "drop";
- chain = "input";
- comment = "defconf: drop all not coming from LAN";
- "in-interface-list" = "!LAN";
- }
- {
- action = "accept";
- chain = "forward";
- comment = "defconf: accept in ipsec policy";
- "ipsec-policy" = "in,ipsec";
- }
- {
- action = "accept";
- chain = "forward";
- comment = "defconf: accept out ipsec policy";
- "ipsec-policy" = "out,ipsec";
- }
- {
- action = "fasttrack-connection";
- chain = "forward";
- comment = "defconf: fasttrack";
- "connection-state" = "established,related";
- }
- {
- action = "accept";
- chain = "forward";
- comment = "defconf: accept established,related, untracked";
- "connection-state" = "established,related,untracked";
- }
- {
- action = "drop";
- chain = "forward";
- comment = "defconf: drop invalid";
- "connection-state" = "invalid";
- }
- {
- action = "drop";
- chain = "forward";
- comment = "defconf: drop all from WAN not DSTNATed";
- "connection-nat-state" = "!dstnat";
- "connection-state" = "new";
- "in-interface-list" = "WAN";
- }
 ];
 "/ip firewall nat" = [
 {
diff --git a/systems/mio-mio-mate/default.nix b/systems/mio-mio-mate/default.nix
index 0c51bc5..43e70a6 100644
--- a/systems/mio-mio-mate/default.nix
+++ b/systems/mio-mio-mate/default.nix
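Review bot: In router.nix, the new `/ip firewall filter` list contains only two accept rules and no drop, and RouterOS accepts whatever no rule matches, so after this change the input and forward chains filter nothing; the `allowed_to_router` accept restricts no one. Because `allow-remote-requests = "yes"` stays set under `/ip dns`, the resolver and the management services would be reachable from the WAN side as well. The list entry `address = "10.10.10.10-10.10.10.10.254";` also has five octets in its upper bound (presumably `10.10.10.10-10.10.10.254` was meant), so the list may be rejected or empty. I would keep connection-state handling and restore at least the WAN-facing drops, as sketched below; a stricter final input drop is possible once LAN DNS and DHCP are explicitly accepted.

```nix
"/ip firewall filter" = [
  {
    action = "accept";
    chain = "input";
    connection-state = "established,related,untracked";
  }
  # … unchanged: accept src-address-list allowed_to_router, accept icmp …
  {
    action = "drop";
    chain = "input";
    comment = "drop all not coming from LAN";
    in-interface-list = "!LAN";
  }
  {
    action = "accept";
    chain = "forward";
    connection-state = "established,related,untracked";
  }
  {
    action = "drop";
    chain = "forward";
    comment = "drop all from WAN not DSTNATed";
    connection-nat-state = "!dstnat";
    connection-state = "new";
    in-interface-list = "WAN";
  }
```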
@@ -49,6 +49,13 @@
 services.nginx = {
 enable = true;
+ virtualHosts = {
+ "manga.it3" = {
+ locations."/" = {
+ proxyPass = "http://localhost:8080/";
+ };
+ };
+ };
 };
 services.dnsmasq = {
@@ -72,4 +79,27 @@
 nginx.hostName = "wiki.it3";
 passwordFile = "${../../init/mediawiki}";
 };
+
+ services.suwayomi-server = {
+ enable = true;
+ settings = {
+ server = {
+ systemTrayEnabled = true;
+ extensionRepos = [
+ "https://raw.githubusercontent.com/keiyoushi/extensions/repo/index.min.json"
+ ];
+ webUIEnabled = true;
+ initialOpenInBrowserEnabled = true;
+ webUIInterface = "browser";
+ webUIFlavor = "WebUI";
+ };
+ };
+ };
+
+ services.freshrss = {
+ enable = true;
+ virtualHost = "rss.it3";
+ authType = "none";
+ baseUrl = "http://rss.it3";
+ };
 }
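Review bot: The new `manga.it3` virtual host forwards everything to `http://localhost:8080/` with no authentication at the proxy, and the Suwayomi settings added further down enable none either, so anyone who can reach this nginx gets the full web UI, including extension installation. I would add `basicAuthFile = "<path to an htpasswd file outside the Nix store>";` to the virtual host, or enable the server's own basic auth. Writing the upstream as `proxyPass = "http://127.0.0.1:8080/";` also avoids nginx trying `::1` when the backend listens on IPv4 only. The `services.nginx` block is closed inside the hunk, but the module around it is not visible.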
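Review bot: In the `services.freshrss` block, `authType = "none"` disables login entirely, so every client that can reach `rss.it3` acts as the default user and can change feeds and settings; together with the plain-HTTP `baseUrl` nothing protects the instance beyond network reachability. I would use `authType = "form";` with `passwordFile = "<path outside the Nix store>";`, and add a comment stating which networks are expected to reach this host. In the Suwayomi block, `systemTrayEnabled = true;` and `initialOpenInBrowserEnabled = true;` serve no purpose for a systemd service and are better set to `false`. It is also worth confirming that the server's listen address is loopback, so port 8080 is reachable only through nginx; the hunk does not set it.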