From 163d5f6db2d6c85bb14fbf4d232eb1d797a1a951 Mon Sep 17 00:00:00 2001
From: Giulio De Pasquale
Date: Wed, 8 Dec 2021 17:39:00 +0100
Subject: [PATCH] removed implicit use of network.nix. use domain names in each service conf file. restrict access to gdevices to sensitive services.
---
hosts/architect/bazarr.nix | 15 ++++++++----
hosts/architect/default.nix | 15 ++++++------
hosts/architect/gitea.nix | 19 +++++++++------
hosts/architect/invidious.nix | 16 ++++++------
hosts/architect/libreddit.nix | 16 ++++++------
hosts/architect/matrix.nix | 42 +++++++++++++++++---------------
hosts/architect/minecraft.nix | 7 +++---
hosts/architect/minio.nix | 15 ++++++++----
hosts/architect/network.nix | 16 ------------
hosts/architect/nextcloud.nix | 15 +++++++----
hosts/architect/nitter.nix | 16 ++++++------
hosts/architect/nzbget.nix | 15 ++++++++----
hosts/architect/plex.nix | 13 ++++++----
hosts/architect/prowlarr.nix | 15 +++++++----
hosts/architect/radarr.nix | 15 ++++++++----
hosts/architect/sonarr.nix | 15 ++++++++----
hosts/architect/transmission.nix | 12 +++++----
17 files changed, 150 insertions(+), 127 deletions(-)
diff --git a/hosts/architect/bazarr.nix b/hosts/architect/bazarr.nix
index a0bd581..bcc81a4 100644
--- a/hosts/architect/bazarr.nix
+++ b/hosts/architect/bazarr.nix
@@ -1,15 +1,20 @@
-with import ./network.nix; {
+{ lib, ... }:
+
+let
+ domain = "htbaz.giugl.io";
+ network = import ./network.nix;
+in {
 services = {
 bazarr.enable = true;
- nginx.virtualHosts.${bazarrdomain} = {
+ nginx.virtualHosts.${domain} = {
 forceSSL = true;
 enableACME = true;
 locations."/" = {
 proxyPass = "http://localhost:6767";
 extraConfig = ''
 allow 10.0.0.0/24;
- allow 10.3.0.0/24;
+ allow ${lib.concatStringsSep " " network.gdevices-wg};
 deny all;
 '';
 };
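Review bot: The new `allow ${lib.concatStringsSep " " network.gdevices-wg};` line in bazarr.nix's extraConfig produces a single nginx `allow` directive with several arguments, but `allow` takes exactly one address or CIDR, so nginx rejects the generated config and the vhost never starts; the same line is added in gitea.nix, minio.nix, nzbget.nix, prowlarr.nix, radarr.nix, sonarr.nix and transmission.nix. Emit one directive per device instead: `${lib.concatMapStringsSep "\n" (ip: "allow ${ip};") network.gdevices-wg}`. That form also fails closed when the list is empty, leaving only `allow 10.0.0.0/24;` and `deny all;`. `gdevices-wg` is not defined in this patch; the fix assumes it is a list of address strings, which the `flavio-wg salvatore-wg ];` context in network.nix suggests but does not prove.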
@@ -17,8 +22,8 @@ with import ./network.nix; {
 };
 networking.extraHosts = ''
- ${architect-lan} ${bazarrdomain}
- ${architect-wg} ${bazarrdomain}
+ ${network.architect-lan} ${domain}
+ ${network.architect-wg} ${domain}
 '';
 users.groups.media.members = [ "bazarr" ];
diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix
index 8161095..214ba16 100644
--- a/hosts/architect/default.nix
+++ b/hosts/architect/default.nix
@@ -1,11 +1,11 @@
 { config, pkgs, ... }:
-with import ./network.nix;
 let
 pubkeys = [ "ssh-rsa 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 giulio@giulio-X230" ];
 hostname = "architect";
+ network = import ./network.nix;
 in {
 imports = [ # Include the results of the hardware scan.
 ./backup.nix
@@ -26,7 +26,7 @@ in {
 # ./minecraft.nix
 ./prowlarr.nix
 ./plex.nix
- ./transmission.nix
+ # ./transmission.nix
 ./githubrunner.nix
 ./libreddit.nix
 ./invidious.nix
@@ -40,7 +40,7 @@ in {
 services.fwupd.enable = true;
 boot = {
 kernelParams = [
- "ip=${architect-lan}::10.0.0.1:255.255.255.0::${wan-if}:off"
+ "ip=${network.architect-lan}::10.0.0.1:255.255.255.0::${network.wan-if}:off"
 "nvme_core.default_ps_max_latency_us=5500"
 ];
 kernel.sysctl."net.ipv4.ip_forward" = 1;
@@ -82,7 +82,7 @@ in {
 defaultGateway = "10.0.0.1";
 interfaces = {
 enp5s0.ipv4.addresses = [{
- address = architect-lan;
+ address = network.architect-lan;
 prefixLength = 24;
 }];
 enp6s0.useDHCP = false;
@@ -92,11 +92,10 @@ in {
 127.0.0.1 ${hostname}.devs.giugl.io localhost
 # LAN
- ${architect-lan} ${hostname}.devs.giugl.io
+ ${network.architect-lan} ${hostname}.devs.giugl.io
- ${dvr-lan} dvr.devs.giugl.io
- ${nas-lan} nas.devs.giugl.io
- ${giupi-lan} giupi.devs.giugl.io
+ ${network.dvr-lan} dvr.devs.giugl.io
+ ${network.nas-lan} nas.devs.giugl.io
 # Blacklist
 0.0.0.0 metrics.plex.tv
diff --git a/hosts/architect/gitea.nix b/hosts/architect/gitea.nix
index 68567c3..fde88d2 100644
--- a/hosts/architect/gitea.nix
+++ b/hosts/architect/gitea.nix
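Review bot: Adding `network = import ./network.nix;` to this `let` covers default.nix only, and every service module in the patch repeats the identical binding, which is a style point rather than a defect. The module system can provide it once, e.g. `_module.args.network = import ./network.nix;` in default.nix, after which each module takes `{ lib, network, ... }:` and drops its private import. Centralising it also makes a forgotten binding a compile-time error rather than a latent one, which is what minecraft.nix in this patch runs into. The `let` opens in the hunk but its `in {` body continues past it.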
@@ -1,15 +1,20 @@
-with import ./network.nix; {
+{ lib, ... }:
+
+let
+ domain = "git.giugl.io";
+ network = import ./network.nix;
+in {
 services.gitea = {
 enable = true;
 database.type = "sqlite3";
- domain = "git.giugl.io";
+ domain = domain;
 appName = "Gitea";
- rootUrl = "https://git.giugl.io";
+ rootUrl = "https://${domain}";
 ssh.clonePort = 22;
 settings.server.LFS_START_SERVER = true;
 };
- services.nginx.virtualHosts.${gitdomain} = {
+ services.nginx.virtualHosts.${domain} = {
 forceSSL = true;
 enableACME = true;
 locations."/" = {
@@ -17,7 +22,7 @@ with import ./network.nix; {
 extraConfig = ''
 allow 127.0.0.1;
 allow 10.0.0.0/24;
- allow 10.3.0.0/24;
+ allow ${lib.concatStringsSep " " network.gdevices-wg};
 allow 10.4.0.0/24;
 deny all;
 '';
@@ -25,8 +30,8 @@ with import ./network.nix; {
 };
 networking.extraHosts = ''
- ${architect-lan} ${gitdomain}
- ${architect-wg} ${gitdomain}
+ ${network.architect-lan} ${domain}
+ ${network.architect-wg} ${domain}
 '';
 }
diff --git a/hosts/architect/invidious.nix b/hosts/architect/invidious.nix
index 7d3a61e..eaf9d64 100644
--- a/hosts/architect/invidious.nix
+++ b/hosts/architect/invidious.nix
@@ -1,8 +1,8 @@
-{ pkgs, ... }:
+{ lib, ... }:
-with import ./network.nix;
-
-let domain = "tube.giugl.io";
+let
+ domain = "tube.giugl.io";
+ network = import ./network.nix;
 in {
 services = {
 invidious = {
@@ -13,14 +13,12 @@ in {
 nginx.virtualHosts.${domain} = {
 forceSSL = true;
 enableACME = true;
- locations."/" = {
- proxyPass = "http://localhost:9092";
- };
+ locations."/" = { proxyPass = "http://localhost:9092"; };
 };
 };
 networking.extraHosts = ''
- ${architect-lan} ${domain}
- ${architect-wg} ${domain}
+ ${network.architect-lan} ${domain}
+ ${network.architect-wg} ${domain}
 '';
 }
diff --git a/hosts/architect/libreddit.nix b/hosts/architect/libreddit.nix
index 40128ba..c6e1fb4 100644
--- a/hosts/architect/libreddit.nix
+++ b/hosts/architect/libreddit.nix
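Review bot: After this hunk narrows the 10.3.0.0/24 entry to individual gdevices addresses, the unchanged `allow 10.4.0.0/24;` on the next line still admits every host on the 10.4 subnet (`proxy-wg` sits there per the network.nix context), so the stated goal of limiting gitea to gdevices holds for only one of the two WireGuard ranges. If that is deliberate, a comment such as `# proxy-wg subnet: whole range is trusted, see network.nix` would record it; otherwise this line should be narrowed the same way. The enclosing `locations."/"` block starts and ends outside the hunk.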
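Review bot: `{ lib, ... }:` binds `lib` that nothing in the visible invidious.nix hunks uses (the file has no `allow` line to interpolate it into), and libreddit.nix and nitter.nix introduce the same unused argument; `{ ... }:` states the module's real inputs, or keep `lib` only where an `allow` line consumes it. This is a style point, evaluation is unaffected. The `in {` body continues past the hunk, so a use in the unseen lines cannot be ruled out.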
@@ -1,8 +1,8 @@
-{ pkgs, ... }:
+{ lib, ... }:
-with import ./network.nix;
-
-let domain = "reddit.giugl.io";
+let
+ domain = "reddit.giugl.io";
+ network = import ./network.nix;
 in {
 services = {
 libreddit = {
@@ -13,14 +13,12 @@ in {
 nginx.virtualHosts.${domain} = {
 forceSSL = true;
 enableACME = true;
- locations."/" = {
- proxyPass = "http://localhost:9090";
- };
+ locations."/" = { proxyPass = "http://localhost:9090"; };
 };
 };
 networking.extraHosts = ''
- ${architect-lan} ${domain}
- ${architect-wg} ${domain}
+ ${network.architect-lan} ${domain}
+ ${network.architect-wg} ${domain}
 '';
 }
diff --git a/hosts/architect/matrix.nix b/hosts/architect/matrix.nix
index 054e39e..696d0ee 100644
--- a/hosts/architect/matrix.nix
+++ b/hosts/architect/matrix.nix
@@ -1,12 +1,16 @@
-{ pkgs, config, tmp, ... }:
+{ pkgs, ... }:
-with import ./network.nix; {
+let
+ domain = "matrix.giugl.io";
+ webui_domain = "chat.giugl.io";
+ network = import ./network.nix;
+in {
 services = {
 matrix-synapse = {
 enable = true;
- server_name = "${matrixdomain}";
+ server_name = "${domain}";
 database_name = "synapse";
- public_baseurl = "https://${matrixdomain}";
+ public_baseurl = "https://${domain}";
 registration_shared_secret = "runas!";
 dynamic_thumbnails = true;
 # enable_registration = true;
@@ -52,14 +56,14 @@ with import ./network.nix; {
 nginx.virtualHosts = {
 # server
- ${matrixdomain} = {
+ ${domain} = {
 enableACME = true;
 forceSSL = true;
 extraConfig = ''
 client_max_body_size 30m;
 '';
 locations."= /.well-known/matrix/server".extraConfig =
- let server = { "m.server" = "${matrixdomain}:443"; };
+ let server = { "m.server" = "${domain}:443"; };
 in ''
 add_header Content-Type application/json;
 return 200 '${builtins.toJSON server}';
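Review bot: `registration_shared_secret = "runas!";` on the context line after `database_name` is a literal secret in the module, and every value in a NixOS configuration ends up in the world-readable Nix store; the commit rewrites the surrounding lines but leaves it in place. Move it out of the store the way nextcloud.nix already does with `dbpassFile`, e.g. `services.matrix-synapse.extraConfigFiles = [ "/secrets/matrix/registration.yaml" ];` (path illustrative) with the secret in that root-only file, and delete the option here. The problem is pre-existing rather than introduced by the hunk. The `services` attrset continues past the hunk.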
@@ -67,7 +71,7 @@ with import ./network.nix; {
 locations."= /.well-known/matrix/client".extraConfig =
 let client = {
- "m.homeserver" = { "base_url" = "https://${matrixdomain}:443"; };
+ "m.homeserver" = { "base_url" = "https://${domain}:443"; };
 "m.identity_server" = { "base_url" = "https://vector.im"; };
 };
 # ACAO required to allow element-web on any URL to request this json file
@@ -89,15 +93,15 @@ with import ./network.nix; {
 # web client
- "${matrixwebdomain}" = {
+ "${webui_domain}" = {
 enableACME = true;
 forceSSL = true;
- root = pkgs.unstable.element-web.override {
+ root = pkgs.element-web.override {
 conf = {
 default_server_config."m.homeserver" = {
- "base_url" = "https://${matrixdomain}";
- "server_name" = "${matrixdomain}";
+ "base_url" = "https://${domain}";
+ "server_name" = "${domain}";
 };
 };
 };
@@ -112,8 +116,8 @@ with import ./network.nix; {
 # It's also possible to use PostgreSQL.
 settings = {
 bridge = {
- domain = matrixdomain;
- homeserverUrl = "https://${matrixdomain}";
+ domain = domain;
+ homeserverUrl = "https://${domain}";
 disablePresence = true;
 };
 };
@@ -127,8 +131,8 @@ with import ./network.nix; {
 settings = {
 homeserver = {
- address = "https://${matrixdomain}";
- domain = "${matrixdomain}";
+ address = "https://${domain}";
+ domain = "${domain}";
 };
 appservice = {
@@ -138,8 +142,8 @@ with import ./network.nix; {
 bridge = {
 permissions = {
- "@pepe:${matrixdomain}" = "admin";
- "${matrixdomain}" = "puppeting";
+ "@pepe:${domain}" = "admin";
+ "${domain}" = "puppeting";
 };
 # Animated stickers conversion requires additional packages in the
@@ -174,8 +178,8 @@ with import ./network.nix; {
 ];
 networking.extraHosts = ''
- ${architect-lan} ${matrixdomain} ${matrixwebdomain}
- ${architect-wg} ${matrixdomain} ${matrixwebdomain}
+ ${network.architect-lan} ${domain} ${webui_domain}
+ ${network.architect-wg} ${domain} ${webui_domain}
 '';
 }
diff --git a/hosts/architect/minecraft.nix b/hosts/architect/minecraft.nix
index 81ee05a..adbb095 100644
--- a/hosts/architect/minecraft.nix
+++ b/hosts/architect/minecraft.nix
@@ -1,6 +1,7 @@
 { config, pkgs, ... }:
-with import ./network.nix; {
+let domain = "minecraft.giugl.io";
+in {
 services.minecraft-server = {
 enable = true;
 eula = true;
@@ -9,7 +10,7 @@ with import ./network.nix; {
 };
 networking.extraHosts = ''
- ${architect-lan} minecraft.giugl.io
- ${architect-wg} minecraft.giugl.io
+ ${architect-lan} ${domain}
+ ${architect-wg} ${domain}
 '';
 }
diff --git a/hosts/architect/minio.nix b/hosts/architect/minio.nix
index cd6bb20..fe62683 100644
--- a/hosts/architect/minio.nix
+++ b/hosts/architect/minio.nix
@@ -1,15 +1,20 @@
-with import ./network.nix; {
+{ lib, ... }:
+
+let
+ domain = "s3.giugl.io";
+ network = import ./network.nix;
+in {
 services = {
 minio.enable = true;
- nginx.virtualHosts.${miniodomain} = {
+ nginx.virtualHosts.${domain} = {
 forceSSL = true;
 enableACME = true;
 locations."/" = {
 proxyPass = "http://localhost:9000";
 extraConfig = ''
 allow 10.0.0.0/24;
- allow 10.3.0.0/24;
+ allow ${lib.concatStringsSep " " network.gdevices-wg};
 deny all;
 '';
 };
@@ -17,7 +22,7 @@ with import ./network.nix; {
 };
 networking.extraHosts = ''
- ${architect-lan} ${miniodomain}
- ${architect-wg} ${miniodomain}
+ ${network.architect-lan} ${domain}
+ ${network.architect-wg} ${domain}
 '';
 }
diff --git a/hosts/architect/network.nix b/hosts/architect/network.nix
index a8e2faa..aa0b7ef 100644
--- a/hosts/architect/network.nix
+++ b/hosts/architect/network.nix
@@ -14,7 +14,6 @@ rec {
 dvr-lan = "10.0.0.2";
 nas-lan = "10.0.0.3";
 architect-lan = "10.0.0.250";
- giupi-lan = "10.0.0.251";
 proxy-wg = "10.4.0.1";
 architect-wg = "10.3.0.1";
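Review bot: minecraft.nix drops `with import ./network.nix;` in its first hunk, yet the extraHosts lines in the second hunk still read `${architect-lan}` and `${architect-wg}`, which are now unbound and make evaluation fail with an undefined-variable error; the break is masked only because default.nix keeps `./minecraft.nix` commented out. Bind the import in the first hunk, `let domain = "minecraft.giugl.io"; network = import ./network.nix;`, and reference `${network.architect-lan} ${domain}` and `${network.architect-wg} ${domain}` as the other modules in this patch do.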
@@ -67,19 +66,4 @@ rec {
 flavio-wg
 salvatore-wg
 ];
-
- # domains
- sonarrdomain = "htson.giugl.io";
- radarrdomain = "htrad.giugl.io";
- bazarrdomain = "htbaz.giugl.io";
- nzbgetdomain = "htnzb.giugl.io";
- mediadomain = "media.giugl.io";
- gitdomain = "git.giugl.io";
- nextclouddomain = "cloud.giugl.io";
- miniodomain = "s3.giugl.io";
- clouddomain = "cloud.giugl.io";
- matrixdomain = "matrix.giugl.io";
- matrixwebdomain = "chat.giugl.io";
- prowlarrdomain = "htpro.giugl.io";
- jupyterdomain = "labs.giugl.io";
 }
diff --git a/hosts/architect/nextcloud.nix b/hosts/architect/nextcloud.nix
index b0e6b98..43322a7 100644
--- a/hosts/architect/nextcloud.nix
+++ b/hosts/architect/nextcloud.nix
@@ -1,6 +1,9 @@
 { pkgs, ... }:
-with import ./network.nix; {
+let
+ domain = "cloud.giugl.io";
+ network = import ./network.nix;
+in {
 services = {
 mysql.enable = true;
 mysql.package = pkgs.unstable.mysql80;
@@ -9,7 +12,7 @@ with import ./network.nix; {
 nextcloud = {
 enable = true;
- hostName = "${nextclouddomain}";
+ hostName = "${domain}";
 https = true;
 package = pkgs.unstable.nextcloud22;
@@ -28,7 +31,7 @@ with import ./network.nix; {
 dbpassFile = "/secrets/nextcloud/dbpass.txt";
 adminpassFile = "/secrets/nextcloud/adminpass.txt";
 adminuser = "giulio";
- extraTrustedDomains = [ "${nextclouddomain}" ];
+ extraTrustedDomains = [ "${domain}" ];
 };
 };
 };
@@ -39,11 +42,11 @@ with import ./network.nix; {
 };
 networking.extraHosts = ''
- ${architect-lan} ${clouddomain}
- ${architect-wg} ${clouddomain}
+ ${network.architect-lan} ${domain}
+ ${network.architect-wg} ${domain}
 '';
- services.nginx.virtualHosts.${clouddomain} = {
+ services.nginx.virtualHosts.${domain} = {
 forceSSL = true;
 enableACME = true;
 };
diff --git a/hosts/architect/nitter.nix b/hosts/architect/nitter.nix
index 13ebc7d..480eac0 100644
--- a/hosts/architect/nitter.nix
+++ b/hosts/architect/nitter.nix
@@ -1,8 +1,8 @@
-{ pkgs, ... }:
+{ lib, ... }:
-with import ./network.nix;
-
-let domain = "tweet.giugl.io";
+let
+ domain = "tweet.giugl.io";
+ network = import ./network.nix;
 in {
 services = {
 nitter = {
@@ -20,14 +20,12 @@ in {
 nginx.virtualHosts.${domain} = {
 forceSSL = true;
 enableACME = true;
- locations."/" = {
- proxyPass = "http://localhost:9093";
- };
+ locations."/" = { proxyPass = "http://localhost:9093"; };
 };
 };
 networking.extraHosts = ''
- ${architect-lan} ${domain}
- ${architect-wg} ${domain}
+ ${network.architect-lan} ${domain}
+ ${network.architect-wg} ${domain}
 '';
 }
diff --git a/hosts/architect/nzbget.nix b/hosts/architect/nzbget.nix
index 7f5ce81..e5d692d 100644
--- a/hosts/architect/nzbget.nix
+++ b/hosts/architect/nzbget.nix
@@ -1,15 +1,20 @@
-with import ./network.nix; {
+{ lib, ... }:
+
+let
+ domain = "htnzb.giugl.io";
+ network = import ./network.nix;
+in {
 services = {
 nzbget.enable = true;
- nginx.virtualHosts.${nzbgetdomain} = {
+ nginx.virtualHosts.${domain} = {
 forceSSL = true;
 enableACME = true;
 locations."/" = {
 proxyPass = "http://localhost:6789";
 extraConfig = ''
 allow 10.0.0.0/24;
- allow 10.3.0.0/24;
+ allow ${lib.concatStringsSep " " network.gdevices-wg};
 deny all;
 '';
 };
@@ -17,8 +22,8 @@ with import ./network.nix; {
 };
 networking.extraHosts = ''
- ${architect-lan} ${nzbgetdomain}
- ${architect-wg} ${nzbgetdomain}
+ ${network.architect-lan} ${domain}
+ ${network.architect-wg} ${domain}
 '';
 users.groups.media.members = [ "nzbget" ];
diff --git a/hosts/architect/plex.nix b/hosts/architect/plex.nix
index 6ca100f..b09a4c8 100644
--- a/hosts/architect/plex.nix
+++ b/hosts/architect/plex.nix
@@ -1,6 +1,9 @@
-{ pkgs, ... }:
+{ pkgs, lib, ... }:
-with import ./network.nix; {
+let
+ domain = "media.giugl.io";
+ network = import ./network.nix;
+in {
 services.plex = {
 enable = true;
 package = pkgs.unstable.plex;
@@ -10,7 +13,7 @@ with import ./network.nix; {
 services.nginx = {
 enable = true;
 # give a name to the virtual host. It also becomes the server name.
- virtualHosts.${mediadomain} = {
+ virtualHosts.${domain} = {
 forceSSL = true;
 enableACME = true;
 http2 = true;
@@ -79,8 +82,8 @@ with import ./network.nix; {
 };
 networking.extraHosts = ''
- ${architect-lan} ${mediadomain}
- ${architect-wg} ${mediadomain}
+ ${network.architect-lan} ${domain}
+ ${network.architect-wg} ${domain}
 '';
 users.groups.media.members = [ "plex" ];
diff --git a/hosts/architect/prowlarr.nix b/hosts/architect/prowlarr.nix
index b53c405..e4b08e2 100644
--- a/hosts/architect/prowlarr.nix
+++ b/hosts/architect/prowlarr.nix
@@ -1,17 +1,20 @@
-{ pkgs, ... }:
+{ lib, ... }:
-with import ./network.nix; {
+let
+ domain = "htpro.giugl.io";
+ network = import ./network.nix;
+in {
 services = {
 prowlarr.enable = true;
- nginx.virtualHosts.${prowlarrdomain} = {
+ nginx.virtualHosts.${domain} = {
 forceSSL = true;
 enableACME = true;
 locations."/" = {
 proxyPass = "http://localhost:9696";
 extraConfig = ''
 allow 10.0.0.0/24;
- allow 10.3.0.0/24;
+ allow ${lib.concatStringsSep " " network.gdevices-wg};
 deny all;
 '';
 };
@@ -27,8 +30,8 @@ with import ./network.nix; {
 };
 networking.extraHosts = ''
- ${architect-lan} ${prowlarrdomain}
- ${architect-wg} ${prowlarrdomain}
+ ${network.architect-lan} ${domain}
+ ${network.architect-wg} ${domain}
 '';
 users.groups.media.members = [ "prowlarr" ];
diff --git a/hosts/architect/radarr.nix b/hosts/architect/radarr.nix
index bc0af46..5dad035 100644
--- a/hosts/architect/radarr.nix
+++ b/hosts/architect/radarr.nix
@@ -1,15 +1,20 @@
-with import ./network.nix; {
+{ lib, ... }:
+
+let
+ domain = "htrad.giugl.io";
+ network = import ./network.nix;
+in {
 services = {
 radarr.enable = true;
- nginx.virtualHosts.${radarrdomain} = {
+ nginx.virtualHosts.${domain} = {
 forceSSL = true;
 enableACME = true;
 locations."/" = {
 proxyPass = "http://localhost:7878";
 extraConfig = ''
 allow 10.0.0.0/24;
- allow 10.3.0.0/24;
+ allow ${lib.concatStringsSep " " network.gdevices-wg};
 deny all;
 '';
 };
@@ -17,8 +22,8 @@ with import ./network.nix; {
 };
 networking.extraHosts = ''
- ${architect-lan} ${radarrdomain}
- ${architect-wg} ${radarrdomain}
+ ${network.architect-lan} ${domain}
+ ${network.architect-wg} ${domain}
 '';
 users.groups.media.members = [ "radarr" ];
diff --git a/hosts/architect/sonarr.nix b/hosts/architect/sonarr.nix
index 3e94d02..8b0735e 100644
--- a/hosts/architect/sonarr.nix
+++ b/hosts/architect/sonarr.nix
@@ -1,15 +1,20 @@
-with import ./network.nix; {
+{ lib, ... }:
+
+let
+ domain = "htson.giugl.io";
+ network = import ./network.nix;
+in {
 services = {
 sonarr.enable = true;
- nginx.virtualHosts.${sonarrdomain} = {
+ nginx.virtualHosts.${domain} = {
 forceSSL = true;
 enableACME = true;
 locations."/" = {
 proxyPass = "http://localhost:8989";
 extraConfig = ''
 allow 10.0.0.0/24;
- allow 10.3.0.0/24;
+ allow ${lib.concatStringsSep " " network.gdevices-wg};
 deny all;
 '';
 };
@@ -17,8 +22,8 @@ with import ./network.nix; {
 };
 networking.extraHosts = ''
- ${architect-lan} ${sonarrdomain}
- ${architect-wg} ${sonarrdomain}
+ ${network.architect-lan} ${domain}
+ ${network.architect-wg} ${domain}
 '';
 users.groups.media.members = [ "sonarr" ];
diff --git a/hosts/architect/transmission.nix b/hosts/architect/transmission.nix
index 2a84a79..934fcb4 100644
--- a/hosts/architect/transmission.nix
+++ b/hosts/architect/transmission.nix
@@ -1,6 +1,8 @@
-with import ./network.nix;
+{ lib, config }:
-let domain = "httra.giugl.io";
+let
+ domain = "httra.giugl.io";
+ network = import ./network.nix;
 in {
 services = {
 transmission = {
@@ -25,7 +27,7 @@ in {
 proxyPass = "http://localhost:9091";
 extraConfig = ''
 allow 10.0.0.0/24;
- allow 10.3.0.0/24;
+ allow ${lib.concatStringsSep " " network.gdevices-wg};
 deny all;
 '';
 };
@@ -33,8 +35,8 @@ in {
 };
 networking.extraHosts = ''
- ${architect-lan} ${domain}
- ${architect-wg} ${domain}
+ ${network.architect-lan} ${domain}
+ ${network.architect-wg} ${domain}
 '';
 users.groups.media.members = [ "transmission" ];
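Review bot: `{ lib, config }:` omits the trailing `...`, so the module rejects every other argument the module system passes (pkgs, options and the rest) with an unexpected-argument error, and `config` is never read in the hunks shown. The failure is hidden only because default.nix now comments out `./transmission.nix`. Use `{ lib, ... }:` as the sibling modules in this patch do. The `in {` body continues past the hunk.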