Add jellyfin+picard containers + firewall settings
This commit is contained in:
@ -59,7 +59,7 @@
|
|||||||
loader.efi.efiSysMountPoint = "/boot/efi";
|
loader.efi.efiSysMountPoint = "/boot/efi";
|
||||||
|
|
||||||
# Make /tmp volatile
|
# Make /tmp volatile
|
||||||
tmpOnTmpfs = true;
|
tmp.useTmpfs = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
security = {
|
security = {
|
||||||
@ -113,6 +113,7 @@
|
|||||||
# https://github.com/NixOS/nixpkgs/issues/179486
|
# https://github.com/NixOS/nixpkgs/issues/179486
|
||||||
i18n.supportedLocales = ["en_US.UTF-8/UTF-8" "de_DE.UTF-8/UTF-8"];
|
i18n.supportedLocales = ["en_US.UTF-8/UTF-8" "de_DE.UTF-8/UTF-8"];
|
||||||
|
|
||||||
|
# TODO: Networking system module
|
||||||
# NOTE: The systemd networking options are not very flexible, so this will be a problem for the laptop. (=> Use IWD for WiFi)
|
# NOTE: The systemd networking options are not very flexible, so this will be a problem for the laptop. (=> Use IWD for WiFi)
|
||||||
systemd = {
|
systemd = {
|
||||||
network = {
|
network = {
|
||||||
@ -277,14 +278,24 @@
|
|||||||
firewall = {
|
firewall = {
|
||||||
enable = true;
|
enable = true;
|
||||||
# networking.firewall.checkReversePath = "loose";
|
# networking.firewall.checkReversePath = "loose";
|
||||||
|
|
||||||
|
trustedInterfaces = [
|
||||||
|
"podman0"
|
||||||
|
];
|
||||||
|
|
||||||
allowedTCPPorts = [];
|
allowedTCPPorts = [
|
||||||
|
22 # SSH
|
||||||
|
80 # HTTP
|
||||||
|
443 # HTTPS
|
||||||
|
5800 # Picard
|
||||||
|
8096 # Jellyfin
|
||||||
|
];
|
||||||
allowedTCPPortRanges = [];
|
allowedTCPPortRanges = [];
|
||||||
|
|
||||||
allowedUDPPorts = [
|
allowedUDPPorts = [
|
||||||
9918 # Wireguard
|
9918 # Wireguard
|
||||||
18000 # Anno 1800
|
18000 # Anno 1800
|
||||||
24727 # AusweisApp2
|
24727 # AusweisApp2, alternative: programs.ausweisapp.openFirewall
|
||||||
];
|
];
|
||||||
allowedUDPPortRanges = [];
|
allowedUDPPortRanges = [];
|
||||||
};
|
};
|
||||||
@ -411,6 +422,7 @@
|
|||||||
"realtime"
|
"realtime"
|
||||||
"gamemode"
|
"gamemode"
|
||||||
"docker"
|
"docker"
|
||||||
|
"podman"
|
||||||
"adbusers"
|
"adbusers"
|
||||||
"scanner"
|
"scanner"
|
||||||
"lp"
|
"lp"
|
||||||
@ -457,13 +469,15 @@
|
|||||||
adb.enable = true;
|
adb.enable = true;
|
||||||
dconf.enable = true; # NOTE: Also needed for Plasma Wayland (GTK theming)
|
dconf.enable = true; # NOTE: Also needed for Plasma Wayland (GTK theming)
|
||||||
fish.enable = true;
|
fish.enable = true;
|
||||||
firejail.enable = true;
|
firejail.enable = true; # Use to run app in network namespace (e.g. through vpn)
|
||||||
git.enable = true;
|
git.enable = true;
|
||||||
kdeconnect.enable = true; # Use this instead of HM for firewall setup
|
kdeconnect.enable = true; # Use this instead of HM for firewall setup
|
||||||
neovim.enable = true;
|
neovim.enable = true;
|
||||||
starship.enable = true;
|
starship.enable = true;
|
||||||
thefuck.enable = true;
|
thefuck.enable = true;
|
||||||
xwayland.enable = true;
|
xwayland.enable = true;
|
||||||
|
|
||||||
|
# ausweisapp.openFirewall = true; # Directly set port in firewall
|
||||||
};
|
};
|
||||||
|
|
||||||
# List services that you want to enable:
|
# List services that you want to enable:
|
||||||
@ -494,13 +508,13 @@
|
|||||||
fwupd.enable = true; # Device firmware (I don't think I have any supported devices)
|
fwupd.enable = true; # Device firmware (I don't think I have any supported devices)
|
||||||
locate.enable = true; # Periodically update index
|
locate.enable = true; # Periodically update index
|
||||||
ntp.enable = true; # Clock sync
|
ntp.enable = true; # Clock sync
|
||||||
packagekit.enable = true; # KDE Discover/Gnome Software
|
# packagekit.enable = true; # KDE Discover/Gnome Software
|
||||||
|
|
||||||
samba = {
|
# samba = {
|
||||||
package = pkgs.samba4Full;
|
# package = pkgs.samba4Full;
|
||||||
enable = true;
|
# enable = true;
|
||||||
openFirewall = true;
|
# openFirewall = true;
|
||||||
};
|
# };
|
||||||
|
|
||||||
udev = {
|
udev = {
|
||||||
packages = with pkgs; [
|
packages = with pkgs; [
|
||||||
@ -517,8 +531,51 @@
|
|||||||
|
|
||||||
virtualisation = {
|
virtualisation = {
|
||||||
docker = {
|
docker = {
|
||||||
|
enable = false;
|
||||||
|
autoPrune.enable = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
podman = {
|
||||||
enable = true;
|
enable = true;
|
||||||
autoPrune.enable = true;
|
autoPrune.enable = true;
|
||||||
|
dockerCompat = true;
|
||||||
|
defaultNetwork.settings.dns_enabled = true;
|
||||||
|
|
||||||
|
extraPackages = with pkgs; [];
|
||||||
|
};
|
||||||
|
|
||||||
|
# TODO: This (or even single containers) should have their own system modules
|
||||||
|
oci-containers.backend = "podman";
|
||||||
|
oci-containers.containers = {
|
||||||
|
jellyfin = {
|
||||||
|
image = "jellyfin/jellyfin";
|
||||||
|
autoStart = false;
|
||||||
|
|
||||||
|
ports = [
|
||||||
|
"8096:8096/tcp"
|
||||||
|
];
|
||||||
|
|
||||||
|
volumes = [
|
||||||
|
"jellyfin-cache:/cache:Z"
|
||||||
|
"jellyfin-config:/config:Z"
|
||||||
|
"/home/christoph/Videos/Movies:/media/Movies:ro,private"
|
||||||
|
"/home/christoph/Music/Spotify:/media/Music:ro,private"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
picard = {
|
||||||
|
image = "mikenye/picard";
|
||||||
|
autoStart = false;
|
||||||
|
|
||||||
|
ports = [
|
||||||
|
"5800:5800"
|
||||||
|
];
|
||||||
|
|
||||||
|
volumes = [
|
||||||
|
"picard-config:/config:Z"
|
||||||
|
"/home/christoph/Music/Spotify:/storage:rw,private"
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
libvirtd.enable = true;
|
libvirtd.enable = true;
|
||||||
|
|||||||
Reference in New Issue
Block a user