From 0c6b8fe15dde0a419cda76ff26b1daa1b8ff76cc Mon Sep 17 00:00:00 2001 From: Kopatz <7265381+Kropatz@users.noreply.github.com> Date: Tue, 21 Oct 2025 19:06:08 +0200 Subject: [PATCH 1/6] block ip --- systems/amd-server-vm/configuration.nix | 17 +++++++++++++++++ systems/amd-server/configuration.nix | 1 + 2 files changed, 18 insertions(+) diff --git a/systems/amd-server-vm/configuration.nix b/systems/amd-server-vm/configuration.nix index 32dfaf3..7aa1613 100644 --- a/systems/amd-server-vm/configuration.nix +++ b/systems/amd-server-vm/configuration.nix @@ -108,6 +108,23 @@ # 8888 = scheibenmeister skip button networking.firewall.allowedTCPPorts = [ 25565 25566 8888 ]; + networking.nftables.tables.ip_drop = { + family = "inet"; + content = '' + set blocked-ip4 { + typeof ip saddr + flags interval + auto-merge + elements = { 45.144.212.240 } + } + chain input { + # -100 priority to run before the default filter input chain (0) + type filter hook input priority -100; policy accept; + + ip saddr @blocked-ip4 log prefix "nftables drop: " level info counter drop + } + ''; + }; networking.hostName = "server-vm"; # Define your hostname. #services.murmur = { diff --git a/systems/amd-server/configuration.nix b/systems/amd-server/configuration.nix index 692cc07..9b21c3a 100644 --- a/systems/amd-server/configuration.nix +++ b/systems/amd-server/configuration.nix @@ -73,6 +73,7 @@ }; firewall.allowedTCPPorts = [ 25565 25566 ]; # localsend + }; security.pki.certificates = [ From 7b738da7a2f58ba65e9343bf15d2d22d6f36ff8a Mon Sep 17 00:00:00 2001 From: Kopatz <7265381+Kropatz@users.noreply.github.com> Date: Tue, 21 Oct 2025 19:09:53 +0200 Subject: [PATCH 2/6] disable kavita port --- modules/services/kavita.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/services/kavita.nix b/modules/services/kavita.nix index 6cd15d5..3859f58 100644 --- a/modules/services/kavita.nix +++ b/modules/services/kavita.nix 
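Review bot: The new `networking.nftables.tables.ip_drop` table is only loaded when `networking.nftables.enable = true` is set for this host, and nothing in the hunk shows that; if the host still runs the default iptables-based firewall, the table is never applied and the address stays unblocked, so confirm the switch or add the enable line next to the table. The set is IPv4-only (`typeof ip saddr` in an `inet` table), so a v6 address of the same source passes untouched; either add a matching set with `typeof ip6 saddr` or note that v6 is not routed to this VM. The `log` statement has no rate limit, so a flood from the blocked address writes one journal line per packet; putting `limit rate 10/minute` before `log` keeps the drop but bounds the logging. The enclosing attribute set continues outside the hunk.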
@@ -31,7 +31,7 @@ in { githubRunnerEnabled = config.services.github-runners ? oberprofis.enable; in lib.mkIf cfg.enable { - networking.firewall.allowedTCPPorts = [ 5000 ]; + # not needed with nginx networking.firewall.allowedTCPPorts = [ 5000 ]; systemd.tmpfiles.rules = [ (if githubRunnerEnabled then "d ${baseDir} 0750 kavita github-actions-runner -" From 73c7178ca40401b74ce1da264b40fba3bbc7cb08 Mon Sep 17 00:00:00 2001 From: Kopatz <7265381+Kropatz@users.noreply.github.com> Date: Wed, 22 Oct 2025 16:00:56 +0200 Subject: [PATCH 3/6] disable avahi --- systems/pc/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systems/pc/configuration.nix b/systems/pc/configuration.nix index 4a76bf7..3a8d451 100644 --- a/systems/pc/configuration.nix +++ b/systems/pc/configuration.nix @@ -207,7 +207,7 @@ services.printing.enable = false; services.printing.drivers = [ pkgs.brlaser ]; services.avahi = { - enable = true; + enable = false; nssmdns4 = true; openFirewall = true; }; From 4cc83041c6827ad590ab1e496593d34338d25744 Mon Sep 17 00:00:00 2001 From: Kopatz <7265381+Kropatz@users.noreply.github.com> Date: Wed, 22 Oct 2025 17:13:38 +0200 Subject: [PATCH 4/6] update ente --- pkgs/ente-frontend/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/ente-frontend/default.nix b/pkgs/ente-frontend/default.nix index b103044..5ff7ada 100644 --- a/pkgs/ente-frontend/default.nix +++ b/pkgs/ente-frontend/default.nix @@ -7,7 +7,7 @@ buildNpmPackage rec { src = "${(fetchGit { url = "git@github.com:oberprofis/ente.git"; ref = "master"; - rev = "f82b14a08080865be3c31144787ffaf8509a018a"; + rev = "cb63e1e20fd9fde401fa9d3f09b36c572b17ff34"; })}/website/tracker-site"; npmDepsHash = "sha256-fYTRhIU+8pdIm3wC5wJRcDUhgN3d+mmvfmVzuu0pjLQ="; From 1f219cbb81e9b56c818adf59c37d5fa5fe3a38cc Mon Sep 17 00:00:00 2001 
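Review bot: The added line reads as one comment, `# not needed with nginx networking.firewall.allowedTCPPorts = [ 5000 ];`, which buries the option inside its explanation; `# networking.firewall.allowedTCPPorts = [ 5000 ]; # not needed with nginx` keeps the commented-out option recognisable, or drop the line entirely since git keeps the history. Closing the firewall port still leaves Kavita listening on 5000 on whatever address the service binds by default; if the module offers a bind-address setting, restricting it to loopback makes the nginx proxy the only way in rather than relying on the firewall alone. The `lib.mkIf cfg.enable` set continues outside the hunk.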
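Review bot: `enable = false;` leaves `nssmdns4 = true;` and `openFirewall = true;` in place with nothing recording why avahi was turned off, so the next reader is likely to flip it back; a reason on the changed line, `enable = false; # <reason for disabling>`, or commenting out the whole block would settle that. I would expect the module to ignore the remaining options while disabled, so no port should stay open, but that is an assumption worth confirming on the host rather than from this hunk.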
From: Kopatz <7265381+Kropatz@users.noreply.github.com> Date: Thu, 23 Oct 2025 10:59:01 +0200 Subject: [PATCH 5/6] add samba --- home-manager/nixvim/lsp.nix | 2 +- modules/services/samba.nix | 60 ++++++++++++++----------- systems/amd-server-vm/configuration.nix | 7 +++ 3 files changed, 41 insertions(+), 28 deletions(-) diff --git a/home-manager/nixvim/lsp.nix b/home-manager/nixvim/lsp.nix index f86d994..6614310 100644 --- a/home-manager/nixvim/lsp.nix +++ b/home-manager/nixvim/lsp.nix @@ -23,7 +23,7 @@ }; }; html.enable = true; - dartls.enable = true; + dartls.enable = true; # handled by flutter-tools ts_ls.enable = true; pylsp.enable = true; lua_ls.enable = true; diff --git a/modules/services/samba.nix b/modules/services/samba.nix index 26fe396..7f9fea4 100644 --- a/modules/services/samba.nix +++ b/modules/services/samba.nix 
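Review bot: `dartls.enable = true; # handled by flutter-tools` contradicts itself as written: the comment says another tool handles Dart, yet the server stays enabled, so a reader cannot tell whether the line is redundant or still needed. Either the comment should say what flutter-tools actually takes over (for example that it configures this server and the line just keeps it on), or the line should become `dartls.enable = false; # handled by flutter-tools`. The enclosing servers set starts and ends outside the hunk.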
@@ -1,36 +1,42 @@ { - #services.samba-wsdd.enable = true; # make shares visible for windows 10 clients - #networking.firewall.allowedTCPPorts = [ - #5357 # wsdd - #]; - #networking.firewall.allowedUDPPorts = [ - #3702 # wsdd - #]; - services.samba.openFirewall = true; + services.samba-wsdd = { + enable = true; + openFirewall = true; + }; + + users.users.franz = { + isNormalUser = true; + home = "/home/franz"; + hashedPassword = "$y$j9T$opts2crrOHbRzHsFzOh/S1$LU3zmC4tKOw43THlOSw6qDXPse.l1ZvcxolN3EP7/ED"; + }; + + # add user to samba with smbpasswd -a services.samba = { enable = true; - securityType = "user"; + openFirewall = true; invalidUsers = [ "root" ]; - extraConfig = '' - disable netbios = yes - smb ports = 445 - workgroup = WORKGROUP - server string = smbnix - security = user - #use sendfile = yes - #max protocol = smb2 - # note: localhost is the ipv6 localhost ::1 - hosts allow = 192.168.0. 192.168.174.1 127.0.0.1 localhost - hosts deny = 0.0.0.0/0 - guest account = nobody - map to guest = bad user - ''; - shares = { - homes = { - browseable = "no"; - writable = "yes"; + settings = { + global = { + "workgroup" = "WORKGROUP"; + "server string" = "smbnix"; + "netbios name" = "smbnix"; + "security" = "user"; + #"use sendfile" = "yes"; + #"max protocol" = "smb2"; + # note: localhost is the ipv6 localhost ::1 + "hosts allow" = "192.168.0. 127.0.0.1 localhost"; + "hosts deny" = "0.0.0.0/0"; + "guest account" = "nobody"; + "map to guest" = "bad user"; + }; + "franz" = { + "path" = "/hdd/shares/franz"; + "valid users" = "franz"; + "public" = "no"; + "writable" = "yes"; + "printable" = "no"; }; }; }; diff --git a/systems/amd-server-vm/configuration.nix b/systems/amd-server-vm/configuration.nix index 7aa1613..23abc5d 100644 --- a/systems/amd-server-vm/configuration.nix +++ b/systems/amd-server-vm/configuration.nix 
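Review bot: `hashedPassword = "$y$j9T$..."` in `users.users.franz` commits a crackable credential hash to the repository and, once evaluated, to the world-readable Nix store; `hashedPasswordFile` pointing at a file kept outside both (e.g. `hashedPasswordFile = "/run/secrets/franz-password"; # constructed placeholder path`) keeps the hash out of git and out of the store. The rewrite also drops `disable netbios = yes` and `smb ports = 445` from the old `extraConfig` without replacement, so nmbd and the NetBIOS ports return to their defaults, and with `openFirewall = true` now set inside `services.samba` those ports are opened on every interface with `hosts allow` as the only gate. If NetBIOS is still unwanted, carry the two settings over into `global` as `"disable netbios" = "yes"; "smb ports" = "445";`, and say so in the comment above the block so the omission is not read as deliberate. The `# add user to samba with smbpasswd -a` comment is a manual post-deploy step; noting that the share is unusable until it has been run would save the next deploy some confusion.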
@@ -10,6 +10,7 @@ ../../modules/misc/motd.nix ../../modules/misc/kernel.nix ../../modules/services/duckdns.nix + ../../modules/services/samba.nix ../../modules/services/ddclient-cloudflare.nix ./disk-config.nix ./mail.nix @@ -152,6 +153,12 @@ options = [ "defaults" "nofail" "noatime" ]; }; + fileSystems."/hdd" = { + device = "/dev/disk/by-uuid/99954059-3801-4abb-a536-0e7802a3e6b4"; + fsType = "ext4"; + options = [ "defaults" "nofail" "noatime" ]; + }; + # Configure console keymap console.keyMap = "us"; From 71dc7a59e3f4ce4fc52341578ac69bb3bab1f265 Mon Sep 17 00:00:00 2001 From: Kopatz <7265381+Kropatz@users.noreply.github.com> Date: Thu, 23 Oct 2025 11:15:56 +0200 Subject: [PATCH 6/6] wsdd doesnt work idk --- modules/services/samba.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/services/samba.nix b/modules/services/samba.nix index 7f9fea4..1d84beb 100644 --- a/modules/services/samba.nix +++ b/modules/services/samba.nix @@ -1,8 +1,8 @@ { - services.samba-wsdd = { - enable = true; - openFirewall = true; - }; + #services.samba-wsdd = { + # enable = true; + # openFirewall = true; + #}; users.users.franz = { isNormalUser = true;
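Review bot: The `/hdd` mount in the second hunk uses `nofail`, and the Samba module imported in the first hunk exports `/hdd/shares/franz`; if the disk is missing at boot the system still comes up, and smbd then serves whichever of the missing directory or the bare mount point on the root filesystem it finds, so a client write could land on the root disk. If the share should never be exported without the disk, make the Samba units depend on the mount (a `RequiresMountsFor=/hdd` drop-in is the usual way) or at least comment the `nofail` interaction next to the `/hdd` entry. The `fileSystems` entry is complete in the hunk; the surrounding configuration continues outside it.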
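Review bot: The four commented-out `services.samba-wsdd` lines carry no reason beyond the commit subject, so a later reader cannot tell whether WS-Discovery failed to start, was blocked on the network, or just did not show the share; a one-line comment above the block stating the observed symptom and what was checked, e.g. `# disabled: <symptom observed>, revisit before re-enabling`, would keep that from being rediscovered. If it is not coming back, deleting the block is cleaner than keeping it commented, since git holds the history. The file continues outside the hunk.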