removed implicit use of network.nix. use domain names in each service conf file. restrict access to sensitive services to gdevices.

This commit is contained in:
Giulio De Pasquale 2021-12-08 17:39:00 +01:00
parent faf97e2b3f
commit 163d5f6db2
17 changed files with 150 additions and 127 deletions


@ -1,15 +1,20 @@
with import ./network.nix; { { lib, ... }:
let
domain = "htbaz.giugl.io";
network = import ./network.nix;
in {
services = { services = {
bazarr.enable = true; bazarr.enable = true;
nginx.virtualHosts.${bazarrdomain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://localhost:6767"; proxyPass = "http://localhost:6767";
extraConfig = '' extraConfig = ''
allow 10.0.0.0/24; allow 10.0.0.0/24;
allow 10.3.0.0/24; allow ${lib.concatStringsSep " " network.gdevices-wg};
deny all; deny all;
''; '';
}; };
@ -17,8 +22,8 @@ with import ./network.nix; {
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architect-lan} ${bazarrdomain} ${network.architect-lan} ${domain}
${architect-wg} ${bazarrdomain} ${network.architect-wg} ${domain}
''; '';
users.groups.media.members = [ "bazarr" ]; users.groups.media.members = [ "bazarr" ];
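Review bot: The new `allow ${lib.concatStringsSep " " network.gdevices-wg};` line in the bazarr location block emits one nginx `allow` directive carrying several addresses, and ngx_http_access_module's `allow` takes exactly one address or CIDR per directive, so as soon as `gdevices-wg` holds two or more entries nginx rejects the configuration instead of narrowing the allow-list (this assumes `gdevices-wg` is a list of address strings, which the network.nix hunk does not show). One directive per device is needed: `${lib.concatMapStringsSep "\n" (ip: "allow ${ip};") network.gdevices-wg}`. The same construct appears in the gitea, minio, nzbget, prowlarr, radarr, sonarr and transmission sections of this commit and needs the same change. Because this replaces the former whole-subnet `allow 10.3.0.0/24;`, it is also worth confirming before deploying that `gdevices-wg` lists every WireGuard peer that should keep access; the enclosing `services` attrset continues past the hunk.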


@ -1,11 +1,11 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
with import ./network.nix;
let let
pubkeys = [ pubkeys = [
"ssh-rsa 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 giulio@giulio-X230" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1we38/N+t8Ah5yrLof8QUwhrob7/VXFKIddaJeOVBLuDVnW7ljiAtdtEiL69D/DV4Ohmt5wMvkAAjfuHmim6FD9A6lzPbSU4KH9W2dcckszKbbI636kuDwem/xui6BW3wJa6P+0xW5ksygEAkzcK2PXuC2b4B9uwhuUdKahiGMKDxISG/WianqAe72cGMfNkYvion3Y1VsMLUdm48d2ABnxNpr7NI9B5iJ8dziOft9gpgfz13CCQRlReo75gk/4xI+vSNrQp7eR+wzJy2/dZg/T8jtyA9Q6jVxrxBpqQ1LNXkAKaJkGo9OabF6Wgpzp+YTAurL4nwR2NaJxwFuyoKvACQy0ai4jrS3206gC6JXZv8ktZMZrwUN+jPqCwfgh5qObFkAqKCxbp52ioDek2MQLdOvzQBX//DBhGEp5rzHGLZ3vhRIiiQiaof5sF5zWiYDW5mqezSPNxJPX/BrTP/Wbs/jpwTLBh3wytiia0S1WXQmya89bqzTPFiDWvTRA62EVKB/JaQtPQQOFAxWwg799DMycPeZ81xttZOyMtI/MZSddyqx2S8fWGwvToZQvuZ38mSIpFseLM1IkgabRIrAmat5SBNGGy9Dqa0eMEa7bwIY/4CMB1y6HMTnaoMXA6cnQfHMoB/zyTZ6oTXIeqeOyiZsK+RN0Mvahj8mXi7dw== giulio@giulio-X230"
]; ];
hostname = "architect"; hostname = "architect";
network = import ./network.nix;
in { in {
imports = [ # Include the results of the hardware scan. imports = [ # Include the results of the hardware scan.
./backup.nix ./backup.nix
@ -26,7 +26,7 @@ in {
# ./minecraft.nix # ./minecraft.nix
./prowlarr.nix ./prowlarr.nix
./plex.nix ./plex.nix
./transmission.nix # ./transmission.nix
./githubrunner.nix ./githubrunner.nix
./libreddit.nix ./libreddit.nix
./invidious.nix ./invidious.nix
@ -40,7 +40,7 @@ in {
services.fwupd.enable = true; services.fwupd.enable = true;
boot = { boot = {
kernelParams = [ kernelParams = [
"ip=${architect-lan}::10.0.0.1:255.255.255.0::${wan-if}:off" "ip=${network.architect-lan}::10.0.0.1:255.255.255.0::${network.wan-if}:off"
"nvme_core.default_ps_max_latency_us=5500" "nvme_core.default_ps_max_latency_us=5500"
]; ];
kernel.sysctl."net.ipv4.ip_forward" = 1; kernel.sysctl."net.ipv4.ip_forward" = 1;
@ -82,7 +82,7 @@ in {
defaultGateway = "10.0.0.1"; defaultGateway = "10.0.0.1";
interfaces = { interfaces = {
enp5s0.ipv4.addresses = [{ enp5s0.ipv4.addresses = [{
address = architect-lan; address = network.architect-lan;
prefixLength = 24; prefixLength = 24;
}]; }];
enp6s0.useDHCP = false; enp6s0.useDHCP = false;
@ -92,11 +92,10 @@ in {
127.0.0.1 ${hostname}.devs.giugl.io localhost 127.0.0.1 ${hostname}.devs.giugl.io localhost
# LAN # LAN
${architect-lan} ${hostname}.devs.giugl.io ${network.architect-lan} ${hostname}.devs.giugl.io
${dvr-lan} dvr.devs.giugl.io ${network.dvr-lan} dvr.devs.giugl.io
${nas-lan} nas.devs.giugl.io ${network.nas-lan} nas.devs.giugl.io
${giupi-lan} giupi.devs.giugl.io
# Blacklist # Blacklist
0.0.0.0 metrics.plex.tv 0.0.0.0 metrics.plex.tv
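Review bot: `./transmission.nix` is commented out in the imports list without the commit message saying so, and since transmission.nix is itself edited in this commit those edits are never evaluated, so an error in them stays hidden until the import is restored (its new header `{ lib, config }:` has no `...`, which the module system rejects when it passes the remaining module arguments). If disabling transmission is intended, state it in the message and either delete the file or keep it evaluable. The same masking applies to `./minecraft.nix`, which is already commented out on the line above.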


@ -1,15 +1,20 @@
with import ./network.nix; { { lib, ... }:
let
domain = "git.giugl.io";
network = import ./network.nix;
in {
services.gitea = { services.gitea = {
enable = true; enable = true;
database.type = "sqlite3"; database.type = "sqlite3";
domain = "git.giugl.io"; domain = domain;
appName = "Gitea"; appName = "Gitea";
rootUrl = "https://git.giugl.io"; rootUrl = "https://${domain}";
ssh.clonePort = 22; ssh.clonePort = 22;
settings.server.LFS_START_SERVER = true; settings.server.LFS_START_SERVER = true;
}; };
services.nginx.virtualHosts.${gitdomain} = { services.nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
@ -17,7 +22,7 @@ with import ./network.nix; {
extraConfig = '' extraConfig = ''
allow 127.0.0.1; allow 127.0.0.1;
allow 10.0.0.0/24; allow 10.0.0.0/24;
allow 10.3.0.0/24; allow ${lib.concatStringsSep " " network.gdevices-wg};
allow 10.4.0.0/24; allow 10.4.0.0/24;
deny all; deny all;
''; '';
@ -25,8 +30,8 @@ with import ./network.nix; {
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architect-lan} ${gitdomain} ${network.architect-lan} ${domain}
${architect-wg} ${gitdomain} ${network.architect-wg} ${domain}
''; '';
} }


@ -1,8 +1,8 @@
{ pkgs, ... }: { lib, ... }:
with import ./network.nix; let
domain = "tube.giugl.io";
let domain = "tube.giugl.io"; network = import ./network.nix;
in { in {
services = { services = {
invidious = { invidious = {
@ -13,14 +13,12 @@ in {
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = { proxyPass = "http://localhost:9092"; };
proxyPass = "http://localhost:9092";
};
}; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architect-lan} ${domain} ${network.architect-lan} ${domain}
${architect-wg} ${domain} ${network.architect-wg} ${domain}
''; '';
} }
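Review bot: The module header changes from `{ pkgs, ... }` to `{ lib, ... }`, but nothing in the visible invidious hunks uses `lib`, so the new argument looks unused, while `pkgs` may still be referenced in the part of the file outside the hunks and would then fail evaluation as an undefined variable. The same header swap is made in the libreddit and nitter sections, and plex adds `lib` without a visible use. Keep only the arguments the file actually uses, e.g. `{ ... }:` when neither is needed.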


@ -1,8 +1,8 @@
{ pkgs, ... }: { lib, ... }:
with import ./network.nix; let
domain = "reddit.giugl.io";
let domain = "reddit.giugl.io"; network = import ./network.nix;
in { in {
services = { services = {
libreddit = { libreddit = {
@ -13,14 +13,12 @@ in {
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = { proxyPass = "http://localhost:9090"; };
proxyPass = "http://localhost:9090";
};
}; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architect-lan} ${domain} ${network.architect-lan} ${domain}
${architect-wg} ${domain} ${network.architect-wg} ${domain}
''; '';
} }


@ -1,12 +1,16 @@
{ pkgs, config, tmp, ... }: { pkgs, ... }:
with import ./network.nix; { let
domain = "matrix.giugl.io";
webui_domain = "chat.giugl.io";
network = import ./network.nix;
in {
services = { services = {
matrix-synapse = { matrix-synapse = {
enable = true; enable = true;
server_name = "${matrixdomain}"; server_name = "${domain}";
database_name = "synapse"; database_name = "synapse";
public_baseurl = "https://${matrixdomain}"; public_baseurl = "https://${domain}";
registration_shared_secret = "runas!"; registration_shared_secret = "runas!";
dynamic_thumbnails = true; dynamic_thumbnails = true;
# enable_registration = true; # enable_registration = true;
@ -52,14 +56,14 @@ with import ./network.nix; {
nginx.virtualHosts = { nginx.virtualHosts = {
# server # server
${matrixdomain} = { ${domain} = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
client_max_body_size 30m; client_max_body_size 30m;
''; '';
locations."= /.well-known/matrix/server".extraConfig = locations."= /.well-known/matrix/server".extraConfig =
let server = { "m.server" = "${matrixdomain}:443"; }; let server = { "m.server" = "${domain}:443"; };
in '' in ''
add_header Content-Type application/json; add_header Content-Type application/json;
return 200 '${builtins.toJSON server}'; return 200 '${builtins.toJSON server}';
@ -67,7 +71,7 @@ with import ./network.nix; {
locations."= /.well-known/matrix/client".extraConfig = let locations."= /.well-known/matrix/client".extraConfig = let
client = { client = {
"m.homeserver" = { "base_url" = "https://${matrixdomain}:443"; }; "m.homeserver" = { "base_url" = "https://${domain}:443"; };
"m.identity_server" = { "base_url" = "https://vector.im"; }; "m.identity_server" = { "base_url" = "https://vector.im"; };
}; };
# ACAO required to allow element-web on any URL to request this json file # ACAO required to allow element-web on any URL to request this json file
@ -89,15 +93,15 @@ with import ./network.nix; {
# web client # web client
"${matrixwebdomain}" = { "${webui_domain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
root = pkgs.unstable.element-web.override { root = pkgs.element-web.override {
conf = { conf = {
default_server_config."m.homeserver" = { default_server_config."m.homeserver" = {
"base_url" = "https://${matrixdomain}"; "base_url" = "https://${domain}";
"server_name" = "${matrixdomain}"; "server_name" = "${domain}";
}; };
}; };
}; };
@ -112,8 +116,8 @@ with import ./network.nix; {
# It's also possible to use PostgreSQL. # It's also possible to use PostgreSQL.
settings = { settings = {
bridge = { bridge = {
domain = matrixdomain; domain = domain;
homeserverUrl = "https://${matrixdomain}"; homeserverUrl = "https://${domain}";
disablePresence = true; disablePresence = true;
}; };
}; };
@ -127,8 +131,8 @@ with import ./network.nix; {
settings = { settings = {
homeserver = { homeserver = {
address = "https://${matrixdomain}"; address = "https://${domain}";
domain = "${matrixdomain}"; domain = "${domain}";
}; };
appservice = { appservice = {
@ -138,8 +142,8 @@ with import ./network.nix; {
bridge = { bridge = {
permissions = { permissions = {
"@pepe:${matrixdomain}" = "admin"; "@pepe:${domain}" = "admin";
"${matrixdomain}" = "puppeting"; "${domain}" = "puppeting";
}; };
# Animated stickers conversion requires additional packages in the # Animated stickers conversion requires additional packages in the
@ -174,8 +178,8 @@ with import ./network.nix; {
]; ];
networking.extraHosts = '' networking.extraHosts = ''
${architect-lan} ${matrixdomain} ${matrixwebdomain} ${network.architect-lan} ${domain} ${webui_domain}
${architect-wg} ${matrixdomain} ${matrixwebdomain} ${network.architect-wg} ${domain} ${webui_domain}
''; '';
} }
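Review bot: `registration_shared_secret = "runas!";` remains a literal in the matrix-synapse settings, so the value that authorizes account creation through Synapse's shared-secret registration endpoint is committed to the repository and, presumably, written by the module into the world-readable Nix store; the commit rewrites the surrounding lines but leaves this as is. Move it to a file outside the store, the way nextcloud in this same commit uses `dbpassFile`/`adminpassFile`, for example via the module's `extraConfigFiles` option, and rotate the current value since it has been published. Separately, `pkgs.unstable.element-web.override` becomes `pkgs.element-web.override`, which changes the deployed Element version and is not mentioned in the commit message.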


@ -1,6 +1,7 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
with import ./network.nix; { let domain = "minecraft.giugl.io";
in {
services.minecraft-server = { services.minecraft-server = {
enable = true; enable = true;
eula = true; eula = true;
@ -9,7 +10,7 @@ with import ./network.nix; {
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architect-lan} minecraft.giugl.io ${architect-lan} ${domain}
${architect-wg} minecraft.giugl.io ${architect-wg} ${domain}
''; '';
} }
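Review bot: The new side of the extraHosts block still interpolates `${architect-lan}` and `${architect-wg}` after the `with import ./network.nix;` that used to bring those names into scope was removed, so the module no longer evaluates (undefined variable `architect-lan`). It does not fail today only because `./minecraft.nix` is commented out in configuration.nix. Bind the import as the other modules do, `network = import ./network.nix;` in the `let`, and reference `${network.architect-lan}` and `${network.architect-wg}`.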


@ -1,15 +1,20 @@
with import ./network.nix; { { lib, ... }:
let
domain = "s3.giugl.io";
network = import ./network.nix;
in {
services = { services = {
minio.enable = true; minio.enable = true;
nginx.virtualHosts.${miniodomain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://localhost:9000"; proxyPass = "http://localhost:9000";
extraConfig = '' extraConfig = ''
allow 10.0.0.0/24; allow 10.0.0.0/24;
allow 10.3.0.0/24; allow ${lib.concatStringsSep " " network.gdevices-wg};
deny all; deny all;
''; '';
}; };
@ -17,7 +22,7 @@ with import ./network.nix; {
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architect-lan} ${miniodomain} ${network.architect-lan} ${domain}
${architect-wg} ${miniodomain} ${network.architect-wg} ${domain}
''; '';
} }


@ -14,7 +14,6 @@ rec {
dvr-lan = "10.0.0.2"; dvr-lan = "10.0.0.2";
nas-lan = "10.0.0.3"; nas-lan = "10.0.0.3";
architect-lan = "10.0.0.250"; architect-lan = "10.0.0.250";
giupi-lan = "10.0.0.251";
proxy-wg = "10.4.0.1"; proxy-wg = "10.4.0.1";
architect-wg = "10.3.0.1"; architect-wg = "10.3.0.1";
@ -67,19 +66,4 @@ rec {
flavio-wg flavio-wg
salvatore-wg salvatore-wg
]; ];
# domains
sonarrdomain = "htson.giugl.io";
radarrdomain = "htrad.giugl.io";
bazarrdomain = "htbaz.giugl.io";
nzbgetdomain = "htnzb.giugl.io";
mediadomain = "media.giugl.io";
gitdomain = "git.giugl.io";
nextclouddomain = "cloud.giugl.io";
miniodomain = "s3.giugl.io";
clouddomain = "cloud.giugl.io";
matrixdomain = "matrix.giugl.io";
matrixwebdomain = "chat.giugl.io";
prowlarrdomain = "htpro.giugl.io";
jupyterdomain = "labs.giugl.io";
} }
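Review bot: The list that closes at `];` just above the removed domain block is now a security boundary, since the bazarr, gitea, minio, nzbget, prowlarr, radarr, sonarr and transmission vhosts in this commit build their nginx allow-lists from `network.gdevices-wg`, yet nothing at its definition says so (the definition starts outside the hunk, so I cannot tell whether this is that list). Add a comment on `gdevices-wg` such as `# Addresses in this list are granted access to the private service vhosts (bazarr, gitea, minio, ...); adding a peer here grants it that access.` so that the next edit to the peer list is made with that in mind. The removal of `giupi-lan` here and of its hosts entry in configuration.nix is not mentioned in the commit message.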


@ -1,6 +1,9 @@
{ pkgs, ... }: { pkgs, ... }:
with import ./network.nix; { let
domain = "cloud.giugl.io";
network = import ./network.nix;
in {
services = { services = {
mysql.enable = true; mysql.enable = true;
mysql.package = pkgs.unstable.mysql80; mysql.package = pkgs.unstable.mysql80;
@ -9,7 +12,7 @@ with import ./network.nix; {
nextcloud = { nextcloud = {
enable = true; enable = true;
hostName = "${nextclouddomain}"; hostName = "${domain}";
https = true; https = true;
package = pkgs.unstable.nextcloud22; package = pkgs.unstable.nextcloud22;
@ -28,7 +31,7 @@ with import ./network.nix; {
dbpassFile = "/secrets/nextcloud/dbpass.txt"; dbpassFile = "/secrets/nextcloud/dbpass.txt";
adminpassFile = "/secrets/nextcloud/adminpass.txt"; adminpassFile = "/secrets/nextcloud/adminpass.txt";
adminuser = "giulio"; adminuser = "giulio";
extraTrustedDomains = [ "${nextclouddomain}" ]; extraTrustedDomains = [ "${domain}" ];
}; };
}; };
}; };
@ -39,11 +42,11 @@ with import ./network.nix; {
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architect-lan} ${clouddomain} ${network.architect-lan} ${domain}
${architect-wg} ${clouddomain} ${network.architect-wg} ${domain}
''; '';
services.nginx.virtualHosts.${clouddomain} = { services.nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
}; };


@ -1,8 +1,8 @@
{ pkgs, ... }: { lib, ... }:
with import ./network.nix; let
domain = "tweet.giugl.io";
let domain = "tweet.giugl.io"; network = import ./network.nix;
in { in {
services = { services = {
nitter = { nitter = {
@ -20,14 +20,12 @@ in {
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = { proxyPass = "http://localhost:9093"; };
proxyPass = "http://localhost:9093";
};
}; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architect-lan} ${domain} ${network.architect-lan} ${domain}
${architect-wg} ${domain} ${network.architect-wg} ${domain}
''; '';
} }


@ -1,15 +1,20 @@
with import ./network.nix; { { lib, ... }:
let
domain = "htnzb.giugl.io";
network = import ./network.nix;
in {
services = { services = {
nzbget.enable = true; nzbget.enable = true;
nginx.virtualHosts.${nzbgetdomain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://localhost:6789"; proxyPass = "http://localhost:6789";
extraConfig = '' extraConfig = ''
allow 10.0.0.0/24; allow 10.0.0.0/24;
allow 10.3.0.0/24; allow ${lib.concatStringsSep " " network.gdevices-wg};
deny all; deny all;
''; '';
}; };
@ -17,8 +22,8 @@ with import ./network.nix; {
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architect-lan} ${nzbgetdomain} ${network.architect-lan} ${domain}
${architect-wg} ${nzbgetdomain} ${network.architect-wg} ${domain}
''; '';
users.groups.media.members = [ "nzbget" ]; users.groups.media.members = [ "nzbget" ];


@ -1,6 +1,9 @@
{ pkgs, ... }: { pkgs, lib, ... }:
with import ./network.nix; { let
domain = "media.giugl.io";
network = import ./network.nix;
in {
services.plex = { services.plex = {
enable = true; enable = true;
package = pkgs.unstable.plex; package = pkgs.unstable.plex;
@ -10,7 +13,7 @@ with import ./network.nix; {
services.nginx = { services.nginx = {
enable = true; enable = true;
# give a name to the virtual host. It also becomes the server name. # give a name to the virtual host. It also becomes the server name.
virtualHosts.${mediadomain} = { virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
http2 = true; http2 = true;
@ -79,8 +82,8 @@ with import ./network.nix; {
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architect-lan} ${mediadomain} ${network.architect-lan} ${domain}
${architect-wg} ${mediadomain} ${network.architect-wg} ${domain}
''; '';
users.groups.media.members = [ "plex" ]; users.groups.media.members = [ "plex" ];


@ -1,17 +1,20 @@
{ pkgs, ... }: { lib, ... }:
with import ./network.nix; { let
domain = "htpro.giugl.io";
network = import ./network.nix;
in {
services = { services = {
prowlarr.enable = true; prowlarr.enable = true;
nginx.virtualHosts.${prowlarrdomain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://localhost:9696"; proxyPass = "http://localhost:9696";
extraConfig = '' extraConfig = ''
allow 10.0.0.0/24; allow 10.0.0.0/24;
allow 10.3.0.0/24; allow ${lib.concatStringsSep " " network.gdevices-wg};
deny all; deny all;
''; '';
}; };
@ -27,8 +30,8 @@ with import ./network.nix; {
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architect-lan} ${prowlarrdomain} ${network.architect-lan} ${domain}
${architect-wg} ${prowlarrdomain} ${network.architect-wg} ${domain}
''; '';
users.groups.media.members = [ "prowlarr" ]; users.groups.media.members = [ "prowlarr" ];


@ -1,15 +1,20 @@
with import ./network.nix; { { lib, ... }:
let
domain = "htrad.giugl.io";
network = import ./network.nix;
in {
services = { services = {
radarr.enable = true; radarr.enable = true;
nginx.virtualHosts.${radarrdomain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://localhost:7878"; proxyPass = "http://localhost:7878";
extraConfig = '' extraConfig = ''
allow 10.0.0.0/24; allow 10.0.0.0/24;
allow 10.3.0.0/24; allow ${lib.concatStringsSep " " network.gdevices-wg};
deny all; deny all;
''; '';
}; };
@ -17,8 +22,8 @@ with import ./network.nix; {
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architect-lan} ${radarrdomain} ${network.architect-lan} ${domain}
${architect-wg} ${radarrdomain} ${network.architect-wg} ${domain}
''; '';
users.groups.media.members = [ "radarr" ]; users.groups.media.members = [ "radarr" ];


@ -1,15 +1,20 @@
with import ./network.nix; { { lib, ... }:
let
domain = "htson.giugl.io";
network = import ./network.nix;
in {
services = { services = {
sonarr.enable = true; sonarr.enable = true;
nginx.virtualHosts.${sonarrdomain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://localhost:8989"; proxyPass = "http://localhost:8989";
extraConfig = '' extraConfig = ''
allow 10.0.0.0/24; allow 10.0.0.0/24;
allow 10.3.0.0/24; allow ${lib.concatStringsSep " " network.gdevices-wg};
deny all; deny all;
''; '';
}; };
@ -17,8 +22,8 @@ with import ./network.nix; {
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architect-lan} ${sonarrdomain} ${network.architect-lan} ${domain}
${architect-wg} ${sonarrdomain} ${network.architect-wg} ${domain}
''; '';
users.groups.media.members = [ "sonarr" ]; users.groups.media.members = [ "sonarr" ];


@ -1,6 +1,8 @@
with import ./network.nix; { lib, config }:
let domain = "httra.giugl.io"; let
domain = "httra.giugl.io";
network = import ./network.nix;
in { in {
services = { services = {
transmission = { transmission = {
@ -25,7 +27,7 @@ in {
proxyPass = "http://localhost:9091"; proxyPass = "http://localhost:9091";
extraConfig = '' extraConfig = ''
allow 10.0.0.0/24; allow 10.0.0.0/24;
allow 10.3.0.0/24; allow ${lib.concatStringsSep " " network.gdevices-wg};
deny all; deny all;
''; '';
}; };
@ -33,8 +35,8 @@ in {
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architect-lan} ${domain} ${network.architect-lan} ${domain}
${architect-wg} ${domain} ${network.architect-wg} ${domain}
''; '';
users.groups.media.members = [ "transmission" ]; users.groups.media.members = [ "transmission" ];