peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

removed implicit use of network.nix. use domain names in each service conf file. restrict access to gdevices to sensitive services.

Browse Source
This commit is contained in:
Giulio De Pasquale 2021-12-08 17:39:00 +01:00
parent faf97e2b3f
commit 163d5f6db2
17 changed files with 150 additions and 127 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
hosts/architect/bazarr.nix
View File

@ -1,15 +1,20 @@
with import ./network.nix; {
{ lib, ... }:
let
domain = "htbaz.giugl.io";
network = import ./network.nix;
in {
services = {
bazarr.enable = true;
nginx.virtualHosts.${bazarrdomain} = {
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:6767";
extraConfig = ''
allow 10.0.0.0/24;
allow 10.3.0.0/24;
allow ${lib.concatStringsSep " " network.gdevices-wg};
deny all;
'';
};
@ -17,8 +22,8 @@ with import ./network.nix; {
};
networking.extraHosts = ''
${architect-lan} ${bazarrdomain}
${architect-wg} ${bazarrdomain}
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
users.groups.media.members = [ "bazarr" ];

15
hosts/architect/default.nix
View File

@ -1,11 +1,11 @@
{ config, pkgs, ... }:
with import ./network.nix;
let
pubkeys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1we38/N+t8Ah5yrLof8QUwhrob7/VXFKIddaJeOVBLuDVnW7ljiAtdtEiL69D/DV4Ohmt5wMvkAAjfuHmim6FD9A6lzPbSU4KH9W2dcckszKbbI636kuDwem/xui6BW3wJa6P+0xW5ksygEAkzcK2PXuC2b4B9uwhuUdKahiGMKDxISG/WianqAe72cGMfNkYvion3Y1VsMLUdm48d2ABnxNpr7NI9B5iJ8dziOft9gpgfz13CCQRlReo75gk/4xI+vSNrQp7eR+wzJy2/dZg/T8jtyA9Q6jVxrxBpqQ1LNXkAKaJkGo9OabF6Wgpzp+YTAurL4nwR2NaJxwFuyoKvACQy0ai4jrS3206gC6JXZv8ktZMZrwUN+jPqCwfgh5qObFkAqKCxbp52ioDek2MQLdOvzQBX//DBhGEp5rzHGLZ3vhRIiiQiaof5sF5zWiYDW5mqezSPNxJPX/BrTP/Wbs/jpwTLBh3wytiia0S1WXQmya89bqzTPFiDWvTRA62EVKB/JaQtPQQOFAxWwg799DMycPeZ81xttZOyMtI/MZSddyqx2S8fWGwvToZQvuZ38mSIpFseLM1IkgabRIrAmat5SBNGGy9Dqa0eMEa7bwIY/4CMB1y6HMTnaoMXA6cnQfHMoB/zyTZ6oTXIeqeOyiZsK+RN0Mvahj8mXi7dw== giulio@giulio-X230"
];
hostname = "architect";
network = import ./network.nix;
in {
imports = [ # Include the results of the hardware scan.
./backup.nix
@ -26,7 +26,7 @@ in {
# ./minecraft.nix
./prowlarr.nix
./plex.nix
./transmission.nix
# ./transmission.nix
./githubrunner.nix
./libreddit.nix
./invidious.nix
@ -40,7 +40,7 @@ in {
services.fwupd.enable = true;
boot = {
kernelParams = [
"ip=${architect-lan}::10.0.0.1:255.255.255.0::${wan-if}:off"
"ip=${network.architect-lan}::10.0.0.1:255.255.255.0::${network.wan-if}:off"
"nvme_core.default_ps_max_latency_us=5500"
];
kernel.sysctl."net.ipv4.ip_forward" = 1;
@ -82,7 +82,7 @@ in {
defaultGateway = "10.0.0.1";
interfaces = {
enp5s0.ipv4.addresses = [{
address = architect-lan;
address = network.architect-lan;
prefixLength = 24;
}];
enp6s0.useDHCP = false;
@ -92,11 +92,10 @@ in {
127.0.0.1 ${hostname}.devs.giugl.io localhost
# LAN
${architect-lan} ${hostname}.devs.giugl.io
${network.architect-lan} ${hostname}.devs.giugl.io
${dvr-lan} dvr.devs.giugl.io
${nas-lan} nas.devs.giugl.io
${giupi-lan} giupi.devs.giugl.io
${network.dvr-lan} dvr.devs.giugl.io
${network.nas-lan} nas.devs.giugl.io
# Blacklist
0.0.0.0 metrics.plex.tv

19
hosts/architect/gitea.nix
View File

@ -1,15 +1,20 @@
with import ./network.nix; {
{ lib, ... }:
let
domain = "git.giugl.io";
network = import ./network.nix;
in {
services.gitea = {
enable = true;
database.type = "sqlite3";
domain = "git.giugl.io";
domain = domain;
appName = "Gitea";
rootUrl = "https://git.giugl.io";
rootUrl = "https://${domain}";
ssh.clonePort = 22;
settings.server.LFS_START_SERVER = true;
};
services.nginx.virtualHosts.${gitdomain} = {
services.nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
@ -17,7 +22,7 @@ with import ./network.nix; {
extraConfig = ''
allow 127.0.0.1;
allow 10.0.0.0/24;
allow 10.3.0.0/24;
allow ${lib.concatStringsSep " " network.gdevices-wg};
allow 10.4.0.0/24;
deny all;
'';
@ -25,8 +30,8 @@ with import ./network.nix; {
};
networking.extraHosts = ''
${architect-lan} ${gitdomain}
${architect-wg} ${gitdomain}
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
}

16
hosts/architect/invidious.nix
View File

@ -1,8 +1,8 @@
{ pkgs, ... }:
{ lib, ... }:
with import ./network.nix;
let domain = "tube.giugl.io";
let
domain = "tube.giugl.io";
network = import ./network.nix;
in {
services = {
invidious = {
@ -13,14 +13,12 @@ in {
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:9092";
};
locations."/" = { proxyPass = "http://localhost:9092"; };
};
};
networking.extraHosts = ''
${architect-lan} ${domain}
${architect-wg} ${domain}
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
}

16
hosts/architect/libreddit.nix
View File

@ -1,8 +1,8 @@
{ pkgs, ... }:
{ lib, ... }:
with import ./network.nix;
let domain = "reddit.giugl.io";
let
domain = "reddit.giugl.io";
network = import ./network.nix;
in {
services = {
libreddit = {
@ -13,14 +13,12 @@ in {
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:9090";
};
locations."/" = { proxyPass = "http://localhost:9090"; };
};
};
networking.extraHosts = ''
${architect-lan} ${domain}
${architect-wg} ${domain}
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
}

42
hosts/architect/matrix.nix
View File

@ -1,12 +1,16 @@
{ pkgs, config, tmp, ... }:
{ pkgs, ... }:
with import ./network.nix; {
let
domain = "matrix.giugl.io";
webui_domain = "chat.giugl.io";
network = import ./network.nix;
in {
services = {
matrix-synapse = {
enable = true;
server_name = "${matrixdomain}";
server_name = "${domain}";
database_name = "synapse";
public_baseurl = "https://${matrixdomain}";
public_baseurl = "https://${domain}";
registration_shared_secret = "runas!";
dynamic_thumbnails = true;
# enable_registration = true;
@ -52,14 +56,14 @@ with import ./network.nix; {
nginx.virtualHosts = {
# server
${matrixdomain} = {
${domain} = {
enableACME = true;
forceSSL = true;
extraConfig = ''
client_max_body_size 30m;
'';
locations."= /.well-known/matrix/server".extraConfig =
let server = { "m.server" = "${matrixdomain}:443"; };
let server = { "m.server" = "${domain}:443"; };
in ''
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
@ -67,7 +71,7 @@ with import ./network.nix; {
locations."= /.well-known/matrix/client".extraConfig = let
client = {
"m.homeserver" = { "base_url" = "https://${matrixdomain}:443"; };
"m.homeserver" = { "base_url" = "https://${domain}:443"; };
"m.identity_server" = { "base_url" = "https://vector.im"; };
};
# ACAO required to allow element-web on any URL to request this json file
@ -89,15 +93,15 @@ with import ./network.nix; {
# web client
"${matrixwebdomain}" = {
"${webui_domain}" = {
enableACME = true;
forceSSL = true;
root = pkgs.unstable.element-web.override {
root = pkgs.element-web.override {
conf = {
default_server_config."m.homeserver" = {
"base_url" = "https://${matrixdomain}";
"server_name" = "${matrixdomain}";
"base_url" = "https://${domain}";
"server_name" = "${domain}";
};
};
};
@ -112,8 +116,8 @@ with import ./network.nix; {
# It's also possible to use PostgreSQL.
settings = {
bridge = {
domain = matrixdomain;
homeserverUrl = "https://${matrixdomain}";
domain = domain;
homeserverUrl = "https://${domain}";
disablePresence = true;
};
};
@ -127,8 +131,8 @@ with import ./network.nix; {
settings = {
homeserver = {
address = "https://${matrixdomain}";
domain = "${matrixdomain}";
address = "https://${domain}";
domain = "${domain}";
};
appservice = {
@ -138,8 +142,8 @@ with import ./network.nix; {
bridge = {
permissions = {
"@pepe:${matrixdomain}" = "admin";
"${matrixdomain}" = "puppeting";
"@pepe:${domain}" = "admin";
"${domain}" = "puppeting";
};
# Animated stickers conversion requires additional packages in the
@ -174,8 +178,8 @@ with import ./network.nix; {
];
networking.extraHosts = ''
${architect-lan} ${matrixdomain} ${matrixwebdomain}
${architect-wg} ${matrixdomain} ${matrixwebdomain}
${network.architect-lan} ${domain} ${webui_domain}
${network.architect-wg} ${domain} ${webui_domain}
'';
}

7
hosts/architect/minecraft.nix
View File

@ -1,6 +1,7 @@
{ config, pkgs, ... }:
with import ./network.nix; {
let domain = "minecraft.giugl.io";
in {
services.minecraft-server = {
enable = true;
eula = true;
@ -9,7 +10,7 @@ with import ./network.nix; {
};
networking.extraHosts = ''
${architect-lan} minecraft.giugl.io
${architect-wg} minecraft.giugl.io
${architect-lan} ${domain}
${architect-wg} ${domain}
'';
}

15
hosts/architect/minio.nix
View File

@ -1,15 +1,20 @@
with import ./network.nix; {
{ lib, ... }:
let
domain = "s3.giugl.io";
network = import ./network.nix;
in {
services = {
minio.enable = true;
nginx.virtualHosts.${miniodomain} = {
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:9000";
extraConfig = ''
allow 10.0.0.0/24;
allow 10.3.0.0/24;
allow ${lib.concatStringsSep " " network.gdevices-wg};
deny all;
'';
};
@ -17,7 +22,7 @@ with import ./network.nix; {
};
networking.extraHosts = ''
${architect-lan} ${miniodomain}
${architect-wg} ${miniodomain}
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
}

16
hosts/architect/network.nix
View File

@ -14,7 +14,6 @@ rec {
dvr-lan = "10.0.0.2";
nas-lan = "10.0.0.3";
architect-lan = "10.0.0.250";
giupi-lan = "10.0.0.251";
proxy-wg = "10.4.0.1";
architect-wg = "10.3.0.1";
@ -67,19 +66,4 @@ rec {
flavio-wg
salvatore-wg
];
# domains
sonarrdomain = "htson.giugl.io";
radarrdomain = "htrad.giugl.io";
bazarrdomain = "htbaz.giugl.io";
nzbgetdomain = "htnzb.giugl.io";
mediadomain = "media.giugl.io";
gitdomain = "git.giugl.io";
nextclouddomain = "cloud.giugl.io";
miniodomain = "s3.giugl.io";
clouddomain = "cloud.giugl.io";
matrixdomain = "matrix.giugl.io";
matrixwebdomain = "chat.giugl.io";
prowlarrdomain = "htpro.giugl.io";
jupyterdomain = "labs.giugl.io";
}

15
hosts/architect/nextcloud.nix
View File

@ -1,6 +1,9 @@
{ pkgs, ... }:
with import ./network.nix; {
let
domain = "cloud.giugl.io";
network = import ./network.nix;
in {
services = {
mysql.enable = true;
mysql.package = pkgs.unstable.mysql80;
@ -9,7 +12,7 @@ with import ./network.nix; {
nextcloud = {
enable = true;
hostName = "${nextclouddomain}";
hostName = "${domain}";
https = true;
package = pkgs.unstable.nextcloud22;
@ -28,7 +31,7 @@ with import ./network.nix; {
dbpassFile = "/secrets/nextcloud/dbpass.txt";
adminpassFile = "/secrets/nextcloud/adminpass.txt";
adminuser = "giulio";
extraTrustedDomains = [ "${nextclouddomain}" ];
extraTrustedDomains = [ "${domain}" ];
};
};
};
@ -39,11 +42,11 @@ with import ./network.nix; {
};
networking.extraHosts = ''
${architect-lan} ${clouddomain}
${architect-wg} ${clouddomain}
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
services.nginx.virtualHosts.${clouddomain} = {
services.nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
};

16
hosts/architect/nitter.nix
View File

@ -1,8 +1,8 @@
{ pkgs, ... }:
{ lib, ... }:
with import ./network.nix;
let domain = "tweet.giugl.io";
let
domain = "tweet.giugl.io";
network = import ./network.nix;
in {
services = {
nitter = {
@ -20,14 +20,12 @@ in {
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:9093";
};
locations."/" = { proxyPass = "http://localhost:9093"; };
};
};
networking.extraHosts = ''
${architect-lan} ${domain}
${architect-wg} ${domain}
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
}

15
hosts/architect/nzbget.nix
View File

@ -1,15 +1,20 @@
with import ./network.nix; {
{ lib, ... }:
let
domain = "htnzb.giugl.io";
network = import ./network.nix;
in {
services = {
nzbget.enable = true;
nginx.virtualHosts.${nzbgetdomain} = {
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:6789";
extraConfig = ''
allow 10.0.0.0/24;
allow 10.3.0.0/24;
allow ${lib.concatStringsSep " " network.gdevices-wg};
deny all;
'';
};
@ -17,8 +22,8 @@ with import ./network.nix; {
};
networking.extraHosts = ''
${architect-lan} ${nzbgetdomain}
${architect-wg} ${nzbgetdomain}
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
users.groups.media.members = [ "nzbget" ];

13
hosts/architect/plex.nix
View File

@ -1,6 +1,9 @@
{ pkgs, ... }:
{ pkgs, lib, ... }:
with import ./network.nix; {
let
domain = "media.giugl.io";
network = import ./network.nix;
in {
services.plex = {
enable = true;
package = pkgs.unstable.plex;
@ -10,7 +13,7 @@ with import ./network.nix; {
services.nginx = {
enable = true;
# give a name to the virtual host. It also becomes the server name.
virtualHosts.${mediadomain} = {
virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
http2 = true;
@ -79,8 +82,8 @@ with import ./network.nix; {
};
networking.extraHosts = ''
${architect-lan} ${mediadomain}
${architect-wg} ${mediadomain}
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
users.groups.media.members = [ "plex" ];

15
hosts/architect/prowlarr.nix
View File

@ -1,17 +1,20 @@
{ pkgs, ... }:
{ lib, ... }:
with import ./network.nix; {
let
domain = "htpro.giugl.io";
network = import ./network.nix;
in {
services = {
prowlarr.enable = true;
nginx.virtualHosts.${prowlarrdomain} = {
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:9696";
extraConfig = ''
allow 10.0.0.0/24;
allow 10.3.0.0/24;
allow ${lib.concatStringsSep " " network.gdevices-wg};
deny all;
'';
};
@ -27,8 +30,8 @@ with import ./network.nix; {
};
networking.extraHosts = ''
${architect-lan} ${prowlarrdomain}
${architect-wg} ${prowlarrdomain}
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
users.groups.media.members = [ "prowlarr" ];

15
hosts/architect/radarr.nix
View File

@ -1,15 +1,20 @@
with import ./network.nix; {
{ lib, ... }:
let
domain = "htrad.giugl.io";
network = import ./network.nix;
in {
services = {
radarr.enable = true;
nginx.virtualHosts.${radarrdomain} = {
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:7878";
extraConfig = ''
allow 10.0.0.0/24;
allow 10.3.0.0/24;
allow ${lib.concatStringsSep " " network.gdevices-wg};
deny all;
'';
};
@ -17,8 +22,8 @@ with import ./network.nix; {
};
networking.extraHosts = ''
${architect-lan} ${radarrdomain}
${architect-wg} ${radarrdomain}
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
users.groups.media.members = [ "radarr" ];

15
hosts/architect/sonarr.nix
View File

@ -1,15 +1,20 @@
with import ./network.nix; {
{ lib, ... }:
let
domain = "htson.giugl.io";
network = import ./network.nix;
in {
services = {
sonarr.enable = true;
nginx.virtualHosts.${sonarrdomain} = {
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8989";
extraConfig = ''
allow 10.0.0.0/24;
allow 10.3.0.0/24;
allow ${lib.concatStringsSep " " network.gdevices-wg};
deny all;
'';
};
@ -17,8 +22,8 @@ with import ./network.nix; {
};
networking.extraHosts = ''
${architect-lan} ${sonarrdomain}
${architect-wg} ${sonarrdomain}
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
users.groups.media.members = [ "sonarr" ];

12
hosts/architect/transmission.nix
View File

@ -1,6 +1,8 @@
with import ./network.nix;
{ lib, config }:
let domain = "httra.giugl.io";
let
domain = "httra.giugl.io";
network = import ./network.nix;
in {
services = {
transmission = {
@ -25,7 +27,7 @@ in {
proxyPass = "http://localhost:9091";
extraConfig = ''
allow 10.0.0.0/24;
allow 10.3.0.0/24;
allow ${lib.concatStringsSep " " network.gdevices-wg};
deny all;
'';
};
@ -33,8 +35,8 @@ in {
};
networking.extraHosts = ''
${architect-lan} ${domain}
${architect-wg} ${domain}
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
users.groups.media.members = [ "transmission" ];