Merge branch 'master' of github.com:Kropatz/dotfiles

2025-10-24 11:50:07 +02:00
parent 945322d6b5 71dc7a59e3
commit c278107991
7 changed files with 62 additions and 31 deletions
--- a/home-manager/nixvim/lsp.nix
+++ b/home-manager/nixvim/lsp.nix
@@ -23,7 +23,7 @@
        };
      };
      html.enable = true;
-      dartls.enable = true;
+      dartls.enable = true; # handled by flutter-tools
      ts_ls.enable = true;
      pylsp.enable = true;
      lua_ls.enable = true;
--- a/modules/services/kavita.nix
+++ b/modules/services/kavita.nix
@@ -31,7 +31,7 @@ in {
      githubRunnerEnabled = config.services.github-runners ? oberprofis.enable;
    in
    lib.mkIf cfg.enable {
-      networking.firewall.allowedTCPPorts = [ 5000 ];
+      # not needed with nginx networking.firewall.allowedTCPPorts = [ 5000 ];
      systemd.tmpfiles.rules = [
        (if githubRunnerEnabled then
          "d ${baseDir} 0750 kavita github-actions-runner -"
--- a/modules/services/samba.nix
+++ b/modules/services/samba.nix
@@ -1,36 +1,42 @@
 {
-  #services.samba-wsdd.enable = true; # make shares visible for windows 10 clients
-  #networking.firewall.allowedTCPPorts = [
-  #5357 # wsdd
-  #];
-  #networking.firewall.allowedUDPPorts = [
-  #3702 # wsdd
-  #];
-  services.samba.openFirewall = true;
+  #services.samba-wsdd = {
+  #  enable = true;
+  #  openFirewall = true;
+  #};
+
+  users.users.franz = {
+    isNormalUser = true;
+    home = "/home/franz";
+    hashedPassword = "$y$j9T$opts2crrOHbRzHsFzOh/S1$LU3zmC4tKOw43THlOSw6qDXPse.l1ZvcxolN3EP7/ED";
+  };
+
+  # add user to samba with smbpasswd -a
  services.samba = {
    enable = true;
-    securityType = "user";
+    openFirewall = true;
    invalidUsers = [
      "root"
    ];
-    extraConfig = ''
-      	    disable netbios = yes
-      	    smb ports = 445
-                  workgroup = WORKGROUP
-                  server string = smbnix
-                  security = user 
-                  #use sendfile = yes
-                  #max protocol = smb2
-                  # note: localhost is the ipv6 localhost ::1
-                  hosts allow = 192.168.0. 192.168.174.1 127.0.0.1 localhost
-                  hosts deny = 0.0.0.0/0
-                  guest account = nobody
-                  map to guest = bad user
-    '';
-    shares = {
-      homes = {
-        browseable = "no";
-        writable = "yes";
+    settings = {
+      global = {
+        "workgroup" = "WORKGROUP";
+        "server string" = "smbnix";
+        "netbios name" = "smbnix";
+        "security" = "user";
+        #"use sendfile" = "yes";
+        #"max protocol" = "smb2";
+        # note: localhost is the ipv6 localhost ::1
+        "hosts allow" = "192.168.0. 127.0.0.1 localhost";
+        "hosts deny" = "0.0.0.0/0";
+        "guest account" = "nobody";
+        "map to guest" = "bad user";
+      };
+      "franz" = {
+        "path" = "/hdd/shares/franz";
+        "valid users" = "franz";
+        "public" = "no";
+        "writable" = "yes";
+        "printable" = "no";
      };
    };
  };
--- a/pkgs/ente-frontend/default.nix
+++ b/pkgs/ente-frontend/default.nix
@@ -7,7 +7,7 @@ buildNpmPackage rec {
  src = "${(fetchGit {
    url = "git@github.com:oberprofis/ente.git";
    ref = "master";
-    rev = "f82b14a08080865be3c31144787ffaf8509a018a";
+    rev = "cb63e1e20fd9fde401fa9d3f09b36c572b17ff34";
  })}/website/tracker-site";
  npmDepsHash = "sha256-fYTRhIU+8pdIm3wC5wJRcDUhgN3d+mmvfmVzuu0pjLQ=";

--- a/systems/amd-server-vm/configuration.nix
+++ b/systems/amd-server-vm/configuration.nix
@@ -10,6 +10,7 @@
    ../../modules/misc/motd.nix
    ../../modules/misc/kernel.nix
    ../../modules/services/duckdns.nix
+    ../../modules/services/samba.nix
    ../../modules/services/ddclient-cloudflare.nix
    ./disk-config.nix
    ./mail.nix
@@ -108,6 +109,23 @@

  # 8888 = scheibenmeister skip button
  networking.firewall.allowedTCPPorts = [ 25565 25566 8888 ];
+  networking.nftables.tables.ip_drop = {
+    family = "inet";
+    content = ''
+      set blocked-ip4 {
+        typeof ip saddr
+        flags interval
+        auto-merge
+        elements = { 45.144.212.240 }
+      }
+      chain input {
+        # -100 priority to run before the default filter input chain (0)
+        type filter hook input priority -100; policy accept;
+
+        ip saddr @blocked-ip4 log prefix "nftables drop: " level info counter drop
+      }
+    '';
+  };
  networking.hostName = "server-vm"; # Define your hostname.

  #services.murmur = {
@@ -135,6 +153,12 @@
    options = [ "defaults" "nofail" "noatime" ];
  };

+  fileSystems."/hdd" = {
+    device = "/dev/disk/by-uuid/99954059-3801-4abb-a536-0e7802a3e6b4";
+    fsType = "ext4";
+    options = [ "defaults" "nofail" "noatime" ];
+  };
+

  # Configure console keymap
  console.keyMap = "us";
--- a/systems/amd-server/configuration.nix
+++ b/systems/amd-server/configuration.nix
@@ -73,6 +73,7 @@
    };

    firewall.allowedTCPPorts = [ 25565 25566 ]; # localsend
+
  };

  security.pki.certificates = [
--- a/systems/pc/configuration.nix
+++ b/systems/pc/configuration.nix
@@ -207,7 +207,7 @@
  services.printing.enable = false;
  services.printing.drivers = [ pkgs.brlaser ];
  services.avahi = {
-    enable = true;
+    enable = false;
    nssmdns4 = true;
    openFirewall = true;
  };