media server thingy

no sudo in container
2024-06-20 18:36:45 +02:00 · 2024-06-20 16:51:29 +02:00
5 changed files with 60 additions and 24 deletions
--- a/flake.nix
+++ b/flake.nix
@ -24,6 +24,7 @@
              { from = "host"; host.port = 8080;  guest.port = 80;  }
              { from = "host"; host.port = 2222;  guest.port = 22;  }
              { from = "host"; host.port = 22222; guest.port = 222; }
+              { from = "host"; host.port = 2223; guest.port = 2222; }
            ];
          };
        };
--- a/host.nix
+++ b/host.nix
@ -53,6 +53,8 @@ lib.flatMap ({ name, config, ip, ports, volumes, ... }:
          firewall.allowedUDPPorts = ports.udp;
        };

+        security.sudo.enable = false;
+
        system.stateVersion = state-version;
      };
    };
--- a/secrets/guest_password
+++ b/secrets/guest_password
--- a/services/media.nix
+++ b/services/media.nix
@ -0,0 +1,57 @@
+{ pkgs, lib, ... }: 
+{
+  name = "media";
+  config = {
+    services.openssh = {
+      enable = true;
+      ports = [ 22 ];
+      settings = {
+        AllowUsers = [ "media" "guest" ];
+      };
+      extraConfig = ''
+      Match Group media
+        ChrootDirectory /media
+        ForceCommand internal-sftp
+        AllowTcpForwarding no
+        X11Forwarding no
+      '';
+    };
+    users.users.media = {
+      isSystemUser = true;
+      group = "media";
+      openssh.authorizedKeys.keyFiles = [ ../secrets/id_ed25519.pub ];
+    };
+    users.users.guest = {
+      isSystemUser = true;
+      group = "media";
+      hashedPassword = pkgs.lib.removeSuffix "\n" 
+        (builtins.readFile ../secrets/guest_password);
+    };
+    users.groups.media = {};
+    systemd.tmpfiles.settings.media-dir = 
+      let mode = {
+        group = "media";
+        mode = "0750";
+        user = "media";
+      }; in {
+      "/media/series".d = mode;
+      "/media/movies".d = mode;
+      "/media/music".d = mode;
+    };
+  };
+  ports = {
+    tcp = [ ];
+    udp = [ ];
+    http = null;
+    forward = [
+      { container = 22;  host = 2222;  proto = "tcp"; }
+    ];
+  };
+  hosts = [];
+  volumes = [{
+    name = "media";
+    mountPoint = "/media/";
+    readOnly = false;
+    backup = false;
+  }];
+}
--- a/services/smb.nix
+++ b/services/smb.nix
@ -1,24 +0,0 @@
-{ pkgs, lib, ... }: 
-{
-  name = "smb";
-  config = {
-  };
-  ports = {
-    tcp = [ 111 2049 ];
-    udp = [ 111 2049 ];
-    http = null;
-    forward = [
-      { container = 111;  host = 111;  proto = "tcp"; }
-      { container = 111;  host = 111;  proto = "udp"; }
-      { container = 2049; host = 2049; proto = "tcp"; }
-      { container = 2049; host = 2049; proto = "udp"; }
-    ];
-  };
-  hosts = [];
-  volumes = [{
-    name = "smb";
-    mountPoint = "/srv/smb/";
-    readOnly = false;
-    backup = false;
-  }];
-}
Author	SHA1	Message	Date
Rachel Lambda Samuelsson	7744efa70a	media server thingy	2024-06-20 18:36:45 +02:00
Rachel Lambda Samuelsson	f800edfd6f	no sudo in container	2024-06-20 16:51:29 +02:00