configuration.nix

@@ -2,10 +2,7 @@
 
 {
   disabledModules = [ "system/boot/loader/raspberrypi/raspberrypi.nix" ];
-  imports = [
+  imports = [ ./modules/system/boot/loader/raspberrypi/raspberrypi.nix ];
-    ./modules/system/boot/loader/raspberrypi/raspberrypi.nix
-    ./fileserver.nix
-  ];
 
   boot = {
     kernelPackages = pkgs.linuxPackages_rpi4;
@@ -58,7 +55,6 @@
     tinc_pre
     #file-rename
     rsync
-    rclone gnupg
   ];
   
   networking = {
@@ -67,7 +63,7 @@
     firewall = {
       enable = true;
       allowPing = true;
-      allowedTCPPorts = [ 22 139 445 ];
+      allowedTCPPorts = [ 22 80 139 445 7473 ];
       allowedUDPPorts = [ 137 138 ];
     };
   };
@@ -79,8 +75,7 @@
   services.cron = {
     enable = true;
     systemCronJobs = [
-      "0 20 * * 1 root /root/reassert-nas-permissions.sh"
+      "* 20 * * 1 root /root/reassert-nas-permissions.sh"
-      "0  0 * * 1 tvb  . /etc/profile; /home/tvb/gitea-backup"
     ];
   };
  
@@ -89,6 +84,31 @@
     passwordAuthentication = true;
   };
 
+  services.nginx = {
+    enable = true;
+
+    virtualHosts."catacomb-server" = {
+      listen = [ { addr = "10.7.3.16"; } ];
+      root = "/nas";
+      locations."/".tryFiles = "\$uri @indexer";
+      locations."@indexer".extraConfig = "
+        proxy_buffering off;
+        proxy_pass http://127.0.0.1:5000;
+      ";
+    };
+
+    virtualHosts."guest-server" = {
+      listen = [ { addr = "10.7.3.16"; port = 7473; } ];
+      extraConfig  = "
+        access_log /var/log/nginx/access.guest-server.log;
+      ";
+      locations."/".extraConfig = "
+        proxy_buffering off;
+        proxy_pass http://127.0.0.1:7473/;
+      ";
+    };
+  };
+  
   services.ntp = {
     enable = true;
     servers = ["time.nist.gov"];
@@ -185,6 +205,34 @@
     };
   };
 
+  systemd.services.host-server = {
+    enable = true;
+    description = "catapool host index server";
+    serviceConfig = {
+      Type = "simple";
+      ExecStart = "/nas-indexer/host-server/run.sh";
+      Restart = "on-failure";
+      User = "tvb";
+      WorkingDirectory = "/nas-indexer/host-server";
+    };
+    requires = [ "zfs.target" ];
+    wantedBy = [ "multi-user.target" ];
+  };
+
+  systemd.services.guest-server = {
+    enable = true;
+    description = "catapool guest index server";
+    serviceConfig = {
+      Type = "simple";
+      ExecStart = "/nas-indexer/guest-server/run.sh";
+      Restart = "on-failure";
+      User = "tvb";
+      WorkingDirectory = "/nas-indexer/guest-server";
+    };
+    requires = [ "zfs.target" ];
+    wantedBy = [ "multi-user.target" ];
+  };
+
   users.groups = {
     nas = { gid = 1600; };
   };
@@ -199,10 +247,11 @@
       ./keys/tvb.palamas.pub
       ./keys/tvb.stagirite.pub
       ./keys/monitor.isidore.pub
-      ./keys/inquisitor.conduit.pub
     ];
   };
   #./keys/tvb.empyrean.pub
 
+  users.users.nginx.extraGroups = ["nas"];
+
   nix.buildCores = 4;
 }

fileserver.nix

@@ -1,153 +0,0 @@
-# nas indexer server module
-{ pkgs, ... }:
-
-let
-  # Build the catacomb server package
-  catacombServerSource = builtins.fetchGit {
-    url = "https://git.alogoulogoi.com/Jaculabilis/catacomb-server.git";
-    ref = "develop-nix";
-    rev = "08749de4adeb2ea01f0f646c53c6e30aa9a240e7";
-  };
-  catacombServer = pkgs.callPackage catacombServerSource {};
-
-  catacombUser = "tvb";
-
-  # Define the service directory, which pretty much only stores tokens
-  catacombServerDir = "/var/lib/nas-indexer/";
-
-  # Create a setup script to ensure the token directory exists
-  catacombSetup = pkgs.writeShellScriptBin "catacomb-setup.sh" ''
-    ${pkgs.coreutils}/bin/mkdir -p ${catacombServerDir}tokens
-    chown -R ${catacombUser} ${catacombServerDir}
-  '';
-
-  # Host-mode server run script
-  hostRun = pkgs.writeShellScriptBin "catacomb-run-host.sh" ''
-    cd ${catacombServerDir}
-    ${catacombServer}/bin/gunicorn \
-      --bind=localhost:5000 \
-      --workers=3 \
-      --log-level=debug \
-      --env CATACOMB_ROOT=/nas \
-      --env CATACOMB_TOKENS=${catacombServerDir}tokens \
-      --env CATACOMB_MODE=host \
-      "catacomb.server:wsgi()"
-  '';
-
-  # Guest-mode server run script
-  guestRun = pkgs.writeShellScriptBin "catacomb-run-guest.sh" ''
-    cd ${catacombServerDir}
-    ${catacombServer}/bin/gunicorn \
-      --bind=localhost:5001 \
-      --workers=3 \
-      --log-level=debug \
-      --env CATACOMB_ROOT=/nas \
-      --env CATACOMB_TOKENS=${catacombServerDir}tokens \
-      --env CATACOMB_MODE=guest \
-      "catacomb.server:wsgi()"
-  '';
-
-  # Guest-mode auth server for direct nginx file serving
-  accessRun = pkgs.writeShellScriptBin "catacomb-run-access.sh" ''
-    cd ${catacombServerDir}
-    ${catacombServer}/bin/gunicorn \
-      --bind=localhost:5002 \
-      --workers=3 \
-      --log-level=debug \
-      --env CATACOMB_TOKENS=${catacombServerDir}tokens \
-      "catacomb.access.nginx:wsgi()"
-  '';
-
-in
-{
-  # Run the setup script on activation
-  system.activationScripts.catacombSetup = "${catacombSetup}/bin/catacomb-setup.sh";
-
-  # Set up the host mode service
-  systemd.services."catacomb-host" = {
-    enable = true;
-    description = "catapool host-mode index server";
-    script = "${hostRun}/bin/catacomb-run-host.sh";
-    serviceConfig = {
-      Type = "simple";
-      WorkingDirectory = "${catacombServerDir}";
-    };
-    requires = [ "zfs.target" ];
-    wantedBy = [ "multi-user.target" ];
-    after = [ "network.target" ];
-  };
-
-  # Set up the guest mode service
-  systemd.services."catacomb-guest" = {
-    enable = true;
-    description = "catapool guest-mode index server";
-    script = "${guestRun}/bin/catacomb-run-guest.sh";
-    serviceConfig = {
-      Type = "simple";
-      User = "${catacombUser}";
-      WorkingDirectory = "${catacombServerDir}";
-    };
-    requires = [ "zfs.target" ];
-    wantedBy = [ "multi-user.target" ];
-    after = [ "network.target" ];
-  };
-
-  # Set up the access server service
-  systemd.services."catacomb-access" = {
-    enable = true;
-    description = "catapool access token authenticator";
-    script = "${accessRun}/bin/catacomb-run-access.sh";
-    serviceConfig = {
-      Type = "simple";
-      User = "${catacombUser}";
-      WorkingDirectory = "${catacombServerDir}";
-    };
-    wantedBy = [ "multi-user.target" ];
-    after = [ "network.target" ];
-  };
-
-  networking.firewall.allowedTCPPorts = [ 80 7470 7471 7472 ];
-
-  # Set up nginx to reverse proxy to these services
-  services.nginx = {
-    enable = true;
-
-    # Serve the host server over the internal ip at the default port
-    virtualHosts."catacomb-host-server" = {
-      listen = [ { addr = "10.7.3.16"; } ];
-      root = "/nas";
-      locations."/".tryFiles = "\$uri @indexer";
-      locations."@indexer".proxyPass = "http://localhost:5000";
-    };
-
-    # Serve the guest server over the internal ip at a custom port
-    virtualHosts."catacomb-guest-server" = {
-      listen = [ { addr = "10.7.3.16"; port = 7472; } ];
-      extraConfig = ''
-        access_log /var/log/nginx/access.guest-server.log;
-      '';
-      locations."/".proxyPass = "http://localhost:5001";
-    };
-
-    # Serve the auth server at a custom port internally
-    virtualHosts."catacomb-auth" = {
-      listen = [ { addr = "10.7.3.16"; port = 7471; } ];
-      extraConfig = ''
-        access_log /var/log/nginx/access.guest-auth.log;
-      '';
-      locations."/".proxyPass = "http://localhost:5002";
-    };
-
-    # Serve files at a custom port internally
-    virtualHosts."catacomb-guest-files" = {
-      listen = [ { addr = "10.7.3.16"; port = 7470; } ];
-      extraConfig = ''
-        access_log /var/log/nginx/access.guest-files.log;
-      '';
-      locations."/".root = "/nas";
-    };
-  };
-
-  # Allow nginx to read catapool files
-  users.users.nginx.extraGroups = ["nas"];
-}

keys/inquisitor.conduit.pub

@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDS8T7Vb2z6Xy2XBzy/HCmnRb9R/0gD71tt6m4/MyHCQBoG+zsUcPhTP2tfOeYd8xeAZKiPfunrtTOpICIxsaugeCf9xoOmEag4i965OcUyRpphPc0UtaK7ux5oqT6+rdSuuriGtKlycSn9mX5Uq4Lhwo3mlFOUJtJTrnifHua3pPnBtLwMEFftufhUn+n5UOx9NWL/ItqEPoLiVB5t8ltXhckqrjlnL9lchJN+6nlgXVScwN/EkDqFjVNQ7OjsMShlJPQDYFbJky1ejnn0wkPBJs7xmKgdxwGxlkLrtnhTx0TBIDbRV0YKdcRNm55mhK/3FWBp8IK0vKOpb6BH5CF9fPadwmHC4z9qIgWNI4cjVTjLvxJpBn8tZTzuFeXrPHYkXL1EQCY8uyojIYtMEzUIIsJ42fUEHJ52iFxa1RddvRlxl/zablPH+kfytbCNLJW1DcWMMcRy7VjUlI1U+X1P2pYOFyLxtq6bDNrkdcR3v+n3k2z2CPhKWUP3qoc+bZ8= inquisitor@conduit