diff --git a/flake.lock b/flake.lock index 7dbb2a9..f332b31 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1633596850, - "narHash": "sha256-5+qVLYvfOropjLAvpQs/APtD8eYnEIbAd9a36lGHZM0=", + "lastModified": 1637019201, + "narHash": "sha256-lq4gz51fx4m5FXfx1SCB444aEBeaYtLMVm3P18Wi9ls=", "owner": "rycee", "repo": "home-manager", - "rev": "49695f33aac22358b59e49c94fe6472218e5d766", + "rev": "bcf03fa16a1f06b8a0abb27bf49afa8d6fffe8f1", "type": "github" }, "original": { @@ -23,11 +23,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1633971123, - "narHash": "sha256-WmI4NbH1IPGFWVkuBkKoYgOnxgwSfWDgdZplJlQ93vA=", + "lastModified": 1637595801, + "narHash": "sha256-LkIMwVFKCuEqidaUdg8uxwpESAXjsPo4oCz3eJ7RaRw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e4ef597edfd8a0ba5f12362932fc9b1dd01a0aef", + "rev": "263ef4cc4146c9fab808085487438c625d4426a9", "type": "github" }, "original": { @@ -39,11 +39,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1634115022, - "narHash": "sha256-K9DZMQ47VRrg9gtTPwex5p0E8LnwM/dDkNe7AQW0qj0=", + "lastModified": 1637615379, + "narHash": "sha256-wL5+nm7z+42IHyhc52P3aAj1Kp2fQ6C8IyPBihj7Bjg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "564cb4d81d4f734dd068684adec5a60077397fe9", + "rev": "09650059d7f5ae59a7f0fb2dd3bfc6d2042a74de", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 5eda88f..13d5b48 100644 --- a/flake.nix +++ b/flake.nix @@ -28,9 +28,9 @@ inherit (utils) user; in { nixosConfigurations = { - architect = host.mkHost { name = "architect"; users = [ { user = "giulio"; roles = []; } ]; }; + architect = host.mkHost { name = "architect"; users = [ { user = "giulio"; roles = [ "git" ]; } ]; }; gAluminum = host.mkHost { name = "gAluminum"; users = [ { user = "giulio"; roles = [ "desktop" "ssh" "git" ]; } ]; roles = [ "gnome" ]; }; - proxy = host.mkHost { name = "proxy"; }; + proxy = host.mkHost { name = "proxy"; users = []; }; }; }; } 
diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix index 4000ff3..f4fa26f 100644 --- a/hosts/architect/default.nix +++ b/hosts/architect/default.nix 
@@ -2,169 +2,141 @@ with import ./network.nix; let - pubkeys = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1we38/N+t8Ah5yrLof8QUwhrob7/VXFKIddaJeOVBLuDVnW7ljiAtdtEiL69D/DV4Ohmt5wMvkAAjfuHmim6FD9A6lzPbSU4KH9W2dcckszKbbI636kuDwem/xui6BW3wJa6P+0xW5ksygEAkzcK2PXuC2b4B9uwhuUdKahiGMKDxISG/WianqAe72cGMfNkYvion3Y1VsMLUdm48d2ABnxNpr7NI9B5iJ8dziOft9gpgfz13CCQRlReo75gk/4xI+vSNrQp7eR+wzJy2/dZg/T8jtyA9Q6jVxrxBpqQ1LNXkAKaJkGo9OabF6Wgpzp+YTAurL4nwR2NaJxwFuyoKvACQy0ai4jrS3206gC6JXZv8ktZMZrwUN+jPqCwfgh5qObFkAqKCxbp52ioDek2MQLdOvzQBX//DBhGEp5rzHGLZ3vhRIiiQiaof5sF5zWiYDW5mqezSPNxJPX/BrTP/Wbs/jpwTLBh3wytiia0S1WXQmya89bqzTPFiDWvTRA62EVKB/JaQtPQQOFAxWwg799DMycPeZ81xttZOyMtI/MZSddyqx2S8fWGwvToZQvuZ38mSIpFseLM1IkgabRIrAmat5SBNGGy9Dqa0eMEa7bwIY/4CMB1y6HMTnaoMXA6cnQfHMoB/zyTZ6oTXIeqeOyiZsK+RN0Mvahj8mXi7dw== giulio@giulio-X230"]; - hostname = "architect"; -in - { - imports = - [ # Include the results of the hardware scan. - ./backup.nix - ./hardware.nix - ./firewall.nix - ./nginx.nix - ./gitea.nix - ./sonarr.nix - ./radarr.nix - ./bazarr.nix - ./nzbget.nix -# ./jellyfin.nix - ./nextcloud.nix - ./wireguard.nix - ./minio.nix - ./matrix.nix - ./fail2ban.nix - ./dns.nix - ./minecraft.nix -# ./prowlarr.nix - ./plex.nix - ]; + pubkeys = [ + "ssh-rsa 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 giulio@giulio-X230" + ]; + hostname = "architect"; +in { + imports = [ # Include the results of the hardware scan. + ./backup.nix + ./hardware.nix + ./firewall.nix + ./nginx.nix + ./gitea.nix + ./sonarr.nix + ./radarr.nix + ./bazarr.nix + ./nzbget.nix + ./nextcloud.nix + ./wireguard.nix + ./minio.nix + ./matrix.nix + ./fail2ban.nix + ./dns.nix + ./minecraft.nix + ./prowlarr.nix + ./plex.nix + ./transmission.nix + ./githubrunner.nix + ]; - time.timeZone = "Europe/Rome"; - system.stateVersion = "21.05"; # Did you read the comment? 
- users.users.giulio.openssh.authorizedKeys.keys = pubkeys; - - fileSystems."/tmp" = { - device = "tmpfs"; - fsType = "tmpfs"; - options = ["size=20G"]; - }; + time.timeZone = "Europe/Rome"; + system.stateVersion = "21.05"; # Did you read the comment? + users.users.giulio.openssh.authorizedKeys.keys = pubkeys; - boot = { - kernelParams = ["ip=${architect-lan}::10.0.0.1:255.255.255.0::${wan-if}:off"]; - kernel.sysctl."net.ipv4.ip_forward" = 1; + fileSystems."/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = [ "size=20G" ]; + }; - initrd = { - availableKernelModules = ["igc" "r8169"]; - network = { + boot = { + kernelParams = + [ "ip=${architect-lan}::10.0.0.1:255.255.255.0::${wan-if}:off" ]; + kernel.sysctl."net.ipv4.ip_forward" = 1; + + initrd = { + availableKernelModules = [ "igc" "r8169" ]; + network = { + enable = true; + ssh = { enable = true; - ssh = { - enable = true; - port = 22; - hostKeys = [/boot/ssh_host_rsa_key]; - authorizedKeys = pubkeys; - }; - - postCommands = '' - zpool import backedpool - zpool import zpool - - mkdir /mnt-root - echo "zfs load-key -ar; mount -t zfs zpool/nixos/root /mnt-root; zfs load-key -a; umount /mnt-root; rmdir /mnt-root; killall zfs" >> /root/.profile - ''; + port = 22; + hostKeys = [ /boot/ssh_host_rsa_key ]; + authorizedKeys = pubkeys; }; + + postCommands = '' + zpool import backedpool + zpool import zpool + + mkdir /mnt-root + echo "zfs load-key -ar; mount -t zfs zpool/nixos/root /mnt-root; zfs load-key -a; umount /mnt-root; rmdir /mnt-root; killall zfs" >> /root/.profile + ''; }; - - loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - - supportedFilesystems = ["zfs"]; - zfs.enableUnstable = true; - zfs.requestEncryptionCredentials = true; }; - networking = { - hostName = hostname; - hostId = "49350853"; - useDHCP = false; - defaultGateway = "10.0.0.1"; - interfaces = { - enp5s0.ipv4.addresses = [{ address = architect-lan; prefixLength = 24; }]; - enp6s0.useDHCP = false; - 
wlp4s0.useDHCP = false; - }; - extraHosts = '' - 127.0.0.1 ${hostname}.devs.giugl.io localhost - - # LAN - ${architect-lan} ${hostname}.devs.giugl.io - - ${dvr-lan} dvr.devs.giugl.io - ${nas-lan} nas.devs.giugl.io - ${giupi-lan} giupi.devs.giugl.io - - # Wireguard hosts - ${architect-wg} ${hostname}.devs.giugl.io - ${galuminum-wg} galuminum.devs.giugl.io - ${oneplus-wg} oneplus.devs.giugl.io - ${ipad-wg} ipad.devs.giugl.io - ${manduria-wg} manduria.devs.giugl.io - ${antonio-wg} antonio.devs.giugl.io - ${gbeast-wg} gbeast.devs.giugl.io - ${parisaphone-wg} parisa-phone.devs.giugl.io - ${parisapc-wg} parisa-pc.devs.giugl.io - ${peppiniell-wg} peppiniell.devs.giugl.io - ${padulino-wg} padulino.devs.giugl.io - ${shield-wg} shield.devs.giugl.io - ${angelino-wg} angelino.devs.giugl.io - ${pepos_two-wg} pepostwo.devs.giugl.io - ${eleonora-wg} eleonora.devs.giugl.io - ${angellane-wg} angellane.devs.giugl.io - ${hotpottino-wg} hotpottino.devs.giugl.io - ${salvatore-wg} salvatore.devs.giugl.io - ${papa-wg} papa.devs.giugl.io - ${defy-wg} defy.devs.giugl.io - ${germano-wg} germano.devs.giugl.io - ${dodino-wg} dodino.devs.giugl.io - ${tommy-wg} tommy.devs.giugl.io - ${alain-wg} alain.devs.giugl.io - ${dima-wg} dima.devs.giugl.io - ${boogino-wg} boogino.devs.giugl.io - ${mikey-wg} mikey.devs.giugl.io - - # Blacklist - 0.0.0.0 metrics.plex.tv - 0.0.0.0 analytics.plex.tv - 0.0.0.0 cdn.luckyorange.com - 0.0.0.0 w1.luckyorange.com - 0.0.0.0 browser.sentry-cdn.com - 0.0.0.0 analytics.facebook.com - 0.0.0.0 ads.facebook.com - 0.0.0.0 extmaps-api.yandex.net - 0.0.0.0 logservice.hicloud.com - 0.0.0.0 logbak.hicloud.com - 0.0.0.0 logservice1.hicloud.com - 0.0.0.0 samsung-com.112.2o7.net - 0.0.0.0 supportmetrics.apple.com - 0.0.0.0 analytics.oneplus.cn - 0.0.0.0 click.oneplus.cn - 0.0.0.0 analytics-api.samsunghealthcn.com - ''; + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; }; - environment.systemPackages = with pkgs; - [ - wireguard - cudatoolkit - ]; + 
supportedFilesystems = [ "zfs" ]; + zfs.enableUnstable = true; + zfs.requestEncryptionCredentials = true; + }; - hardware = { - cpu.amd.updateMicrocode = true; - opengl.enable = true; - opengl.extraPackages= with pkgs; [vaapiVdpau]; - opengl.driSupport = true; + networking = { + hostName = hostname; + hostId = "49350853"; + useDHCP = false; + defaultGateway = "10.0.0.1"; + interfaces = { + enp5s0.ipv4.addresses = [{ + address = architect-lan; + prefixLength = 24; + }]; + enp6s0.useDHCP = false; + wlp4s0.useDHCP = false; }; + extraHosts = '' + 127.0.0.1 ${hostname}.devs.giugl.io localhost - services = { - zfs.autoScrub.enable = true; - xserver.videoDrivers = [ "nvidia" ]; - openssh.enable = true; - smartd.enable = true; - }; + # LAN + ${architect-lan} ${hostname}.devs.giugl.io - environment.variables = { - LIBVA_DRIVER_NAME="vdpau"; - }; - } + ${dvr-lan} dvr.devs.giugl.io + ${nas-lan} nas.devs.giugl.io + ${giupi-lan} giupi.devs.giugl.io + # Blacklist + 0.0.0.0 metrics.plex.tv + 0.0.0.0 analytics.plex.tv + 0.0.0.0 cdn.luckyorange.com + 0.0.0.0 w1.luckyorange.com + 0.0.0.0 browser.sentry-cdn.com + 0.0.0.0 analytics.facebook.com + 0.0.0.0 ads.facebook.com + 0.0.0.0 extmaps-api.yandex.net + 0.0.0.0 logservice.hicloud.com + 0.0.0.0 logbak.hicloud.com + 0.0.0.0 logservice1.hicloud.com + 0.0.0.0 samsung-com.112.2o7.net + 0.0.0.0 supportmetrics.apple.com + 0.0.0.0 analytics.oneplus.cn + 0.0.0.0 click.oneplus.cn + 0.0.0.0 analytics-api.samsunghealthcn.com + ''; + }; + + environment.systemPackages = with pkgs; [ cudatoolkit ]; + + hardware = { + cpu.amd.updateMicrocode = true; + opengl.enable = true; + opengl.extraPackages = with pkgs; [ vaapiVdpau ]; + opengl.driSupport = true; + }; + + boot.crashDump.enable = true; + services.das_watchdog.enable = true; + + services = { + zfs.autoScrub.enable = true; + xserver.videoDrivers = [ "nvidia" ]; + openssh.enable = true; + smartd.enable = true; + }; + + environment.variables = { LIBVA_DRIVER_NAME = "vdpau"; }; +} 
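Review bot: `boot.crashDump.enable = true;` (new in this hunk) keeps a crash kernel that can dump the whole of RAM, and on this host RAM holds the ZFS dataset keys loaded by the `zfs load-key` commands in the initrd `postCommands` a few lines above, so a vmcore written to an unencrypted location or copied off the box effectively contains those keys. If the dump target is not itself on an encrypted dataset, leave this off or record the constraint next to it, e.g. `# crash dumps contain the loaded ZFS keys; keep vmcore on an encrypted dataset`. The unchanged `hostKeys = [ /boot/ssh_host_rsa_key ];` is a related trade-off worth a comment: that key sits on the unencrypted ESP and, as a Nix path literal, is presumably copied into the world-readable store unless initrd secrets are used, so anyone who reads it can impersonate the remote-unlock prompt. The `in { … }` attribute set this hunk reformats begins before the hunk.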
diff --git a/hosts/architect/firewall.nix b/hosts/architect/firewall.nix index 5062a37..bfc0e9d 100644 --- a/hosts/architect/firewall.nix +++ b/hosts/architect/firewall.nix @@ -9,10 +9,12 @@ let 443 # https 8448 # matrix 10022 # gitea + 51413 # transmission ]; open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [ 1194 # wireguard 3478 # turn + 51413 # transmission ]; in { networking = { @@ -134,6 +136,7 @@ in { # gdevices talking to everyone in VPN ip saddr {${lib.concatStringsSep "," gdevices-wg}} ip daddr ${vpn-net} accept + ip saddr {${lib.concatStringsSep "," gamenet-wg}} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept # nat to wan oifname ${wan-if} ip saddr {${lib.concatStringsSep "," towan-wg}} accept diff --git a/hosts/architect/githubrunner.nix b/hosts/architect/githubrunner.nix new file mode 100644 index 0000000..c6e9620 --- /dev/null +++ b/hosts/architect/githubrunner.nix @@ -0,0 +1,15 @@ +{ ... }: + +{ + services.github-runner = { + enable = true; + url = "https://github.com/ropfuscator"; + tokenFile = "/secrets/github-runner/token"; + replace = true; + }; + + nix.extraOptions = '' + tarball-ttl = 0 + access-tokens = github.com=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 + ''; +} diff --git a/hosts/architect/network.nix b/hosts/architect/network.nix index 69459d0..709c8d5 100644 --- a/hosts/architect/network.nix +++ b/hosts/architect/network.nix @@ -29,9 +29,7 @@ rec { peppiniell-wg = "10.3.0.10"; padulino-wg = "10.3.0.11"; shield-wg = "10.3.0.12"; - angelino-wg = "10.3.0.13"; - pepos_one-wg = "10.3.0.14"; - pepos_two-wg = "10.3.0.15"; + pepos-wg = "10.3.0.15"; salvatore-wg = "10.3.0.16"; papa-wg = "10.3.0.17"; defy-wg = "10.3.0.18"; 
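Review bot: The added `ip saddr {gamenet-wg} ip daddr {gamenet-wg} accept` rule permits every protocol and port in both directions between all gamenet members, and per network.nix in this same diff that group now mixes third-party peers (andrew, mikey, their laptops/desktops) with the owner's own galuminum and gbeast, so a compromised guest machine can reach SSH and anything else listening on those hosts. Restrict it to the game traffic actually needed, e.g. `ip saddr {…} ip daddr {…} udp dport { <game ports> } accept` (and the TCP equivalent if required), so the earlier gdevices-only rule keeps meaning. The nftables ruleset this hunk edits starts before the hunk.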
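Review bot: `access-tokens = github.com=ghp_…` commits a live GitHub personal access token to the repository and, through `nix.extraOptions`, renders it into `/etc/nix/nix.conf`, which NixOS generates as a world-readable store path — every local user and every job the runner executes can read it, so it should be treated as compromised and revoked now. Keep the replacement out of the store the same way `tokenFile = "/secrets/github-runner/token"` already does for the registration token, e.g. `nix.extraOptions = "!include /secrets/nix/access-tokens.conf";` with the `access-tokens = …` line in that root-only file. Note also that an org-level self-hosted runner (`url = "https://github.com/ropfuscator"`) runs workflow code from any repository in that org on the same box as Gitea, Nextcloud and Matrix; if any of those repos accepts workflow runs from fork PRs, untrusted code executes here, which deserves at least a comment stating that assumption.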
@@ -41,17 +39,23 @@ rec { alain-wg = "10.3.0.22"; dima-wg = "10.3.0.23"; mikey-wg = "10.3.0.24"; + andrew-wg = "10.3.0.25"; + mikeylaptop-wg = "10.3.0.26"; + andrewdesktop-wg = "10.3.0.27"; + jacopo-wg = "10.3.0.28"; + frznn-wg = "10.3.0.29"; eleonora-wg = "10.3.0.100"; angellane-wg = "10.3.0.200"; hotpottino-wg = "10.3.0.201"; dodino-wg = "10.3.0.202"; - boogino-wg = "10.3.0.203"; + wolfsonhouse-wg = "10.3.0.203"; # groups - gdevices-wg = [ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg angelino-wg ]; - routers-wg = [ hotpottino-wg angellane-wg dodino-wg ]; + gdevices-wg = [ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg ]; + routers-wg = [ hotpottino-wg angellane-wg dodino-wg wolfsonhouse-wg ]; c2c-wg = [ ] ++ gdevices-wg; towan-wg = [ shield-wg parisaphone-wg parisapc-wg ] ++ gdevices-wg ++ routers-wg; + gamenet-wg = [ andrew-wg galuminum-wg gbeast-wg mikey-wg andrewdesktop-wg mikeylaptop-wg flavio-wg salvatore-wg ]; # domains sonarrdomain = "htson.giugl.io"; diff --git a/hosts/architect/nginx.nix b/hosts/architect/nginx.nix index 6afe640..3b40cba 100644 --- a/hosts/architect/nginx.nix +++ b/hosts/architect/nginx.nix @@ -8,28 +8,28 @@ recommendedProxySettings = true; recommendedTlsSettings = true; - virtualHosts."giugl.io" = { - default = true; - enableACME = true; - addSSL = true; - root = "/var/lib/nginx/error_pages"; - extraConfig = "error_page 404 /index.htm;"; - - locations = { - "/" = { - return = "404"; - }; - - "/index.htm" = { - }; - - "/style.css" = { - }; - - "/wat.jpg" = { - }; - }; - }; +# virtualHosts."giugl.io" = { +# default = true; +# enableACME = true; +# addSSL = true; +# root = "/var/lib/nginx/error_pages"; +# extraConfig = "error_page 404 /index.htm;"; +# +# locations = { +# "/" = { +# return = "404"; +# }; +# +# "/index.htm" = { +# }; +# +# "/style.css" = { +# }; +# +# "/wat.jpg" = { +# }; +# }; +# }; }; users.groups.acme.members = [ "nginx" ]; 
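Review bot: `gamenet-wg` references `flavio-wg`, which is not assigned in any visible part of this `rec { … }` set; if it is not defined earlier in network.nix the whole configuration fails to evaluate, so confirm the name or add `flavio-wg = "10.3.0.xx";` alongside the other new peers. Also, appending `wolfsonhouse-wg` to `routers-wg` silently grants it NAT-to-WAN rights because `towan-wg = … ++ routers-wg` feeds the firewall; if that is intended, a comment on the `routers-wg` line saying so spares the next reader a cross-file lookup. The `rec { … }` set begins and ends outside this hunk.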
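Review bot: Commenting out the `virtualHosts."giugl.io"` block removes the only server marked `default = true`, so requests with an unknown or missing Host/SNI (bare-IP scans in particular) now fall through to whichever server block nginx registers first for that port instead of a 404 page, and that vhost's own `allow`/`deny` list becomes the only thing standing between a scanner and the service. Keep a minimal catch-all, e.g. `virtualHosts."_" = { default = true; locations."/".return = "444"; };` (with a self-signed certificate if 443 should be covered too), and delete the dead block rather than leaving it commented out. The `services.nginx = { … }` set begins before the hunk.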
diff --git a/hosts/architect/overseerr.nix b/hosts/architect/overseerr.nix new file mode 100644 index 0000000..08fa25b --- /dev/null +++ b/hosts/architect/overseerr.nix @@ -0,0 +1,13 @@ +{...}: + +{ + virtualisation.oci-containers.containers."overseerr" = { + image = "sctx/overseerr:latest"; + volumes = [ "/var/lib/overseerr:/app/config" ]; + environment = { + "LOG_LEVEL" = "debug"; + "TZ" = "Europe/Rome"; + }; + #ports = [ "5055:5055" ]; + }; +} diff --git a/hosts/architect/plex.nix b/hosts/architect/plex.nix index aae9147..b570b35 100644 --- a/hosts/architect/plex.nix +++ b/hosts/architect/plex.nix @@ -16,6 +16,10 @@ with import ./network.nix; enableACME = true; http2 = true; extraConfig = '' + allow 10.3.0.0/24; + allow 10.0.0.0/24; + deny all; + #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause send_timeout 100m; diff --git a/hosts/architect/prowlarr.nix b/hosts/architect/prowlarr.nix index c722a6f..7c64705 100644 --- a/hosts/architect/prowlarr.nix +++ b/hosts/architect/prowlarr.nix @@ -1,3 +1,5 @@ +{ pkgs, ...}: + with import ./network.nix; { services = { diff --git a/hosts/architect/transmission.nix b/hosts/architect/transmission.nix new file mode 100644 index 0000000..024378f --- /dev/null +++ b/hosts/architect/transmission.nix 
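Review bot: overseerr.nix is added but never imported — the new `imports` list in hosts/architect/default.nix in this same diff does not contain `./overseerr.nix` — so this container definition is dead configuration; either import it or note in a comment that it is intentionally parked. When it is enabled, `image = "sctx/overseerr:latest";` deploys whatever the tag points at on each pull, so a bad or hijacked upstream image lands on the host with no change to this repository; pin a version and ideally a digest, `image = "sctx/overseerr:<version>@sha256:<digest>";`. `LOG_LEVEL = "debug"` also looks like a bring-up setting rather than something to leave on permanently.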
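Review bot: The `allow 10.3.0.0/24; allow 10.0.0.0/24; deny all;` lines sit in the server-level `extraConfig`, so every location in this vhost inherits them, including the `/.well-known/acme-challenge` location NixOS injects for `enableACME = true`; unless the vhost uses `forceSSL` (whose challenge location lives in a separate redirect server block without `extraConfig`), Let's Encrypt validators get 403 and renewal stops. If this vhost is `addSSL`, either switch to `forceSSL` or move the three lines into `locations."/".extraConfig` so the challenge path stays reachable. Whether it is addSSL or forceSSL is outside the hunk; the `virtualHosts` block starts before it.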
@@ -0,0 +1,41 @@
+with import ./network.nix;
+
+let
+ domain = "httra.giugl.io";
+in {
+ services = {
+ transmission = {
+ enable = true;
+ settings = {
+ download-dir = "/media/transmission";
+ incomplete-dir = "/media/transmission/.incomplete";
+ rpc-host-whitelist = "${domain}";
+ encryption = 2;
+ speed-limit-up = 10;
+ speed-limit-up-enabled = true;
+ peer-port = 51413;
+ };
+ performanceNetParameters = true;
+ };
+
+ nginx.virtualHosts.${domain} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:9091";
+ extraConfig = ''
+ allow 10.0.0.0/24;
+ allow 10.3.0.0/24;
+ deny all;
+ '';
+ };
+ };
+ };
+
+ networking.extraHosts = ''
+ ${architect-lan} ${domain}
+ ${architect-wg} ${domain}
+ '';
+
+ users.groups.media.members = ["transmission"];
+}
diff --git a/hosts/architect/wireguard.nix b/hosts/architect/wireguard.nix
index b8e2375..84d5dca 100644
--- a/hosts/architect/wireguard.nix
+++ b/hosts/architect/wireguard.nix
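Review bot: The RPC interface is exposed without credentials — `rpc-authentication-required` is not set and defaults to off in transmission — so everything behind `https://httra.giugl.io` is guarded only by the nginx `allow 10.0.0.0/24; allow 10.3.0.0/24;` list, and 10.3.0.0/24 is the WireGuard network that, per wireguard.nix in this diff, carries a few dozen third-party peers who could add torrents, repoint `download-dir` anywhere the `transmission` user (now in the `media` group) can write, and watch the host's activity. Add `rpc-authentication-required = true; rpc-username = "…";` to `settings` and supply the password via `services.transmission.credentialsFile` (a JSON file with `rpc-password`, kept under /secrets like the WireGuard keys) so it never enters the store. Narrowing the nginx allow-list to the owner's own devices (`gdevices-wg` from network.nix) would be a cheap additional layer.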
@@ -1,7 +1,40 @@ with import ./network.nix; { - networking.wireguard = { - interfaces.${proxy-if} = { + networking = { + extraHosts = '' + ${architect-wg} architect.devs.giugl.io + ${galuminum-wg} galuminum.devs.giugl.io + ${oneplus-wg} oneplus.devs.giugl.io + ${ipad-wg} ipad.devs.giugl.io + ${manduria-wg} manduria.devs.giugl.io + ${antonio-wg} antonio.devs.giugl.io + ${gbeast-wg} gbeast.devs.giugl.io + ${parisaphone-wg} parisa-phone.devs.giugl.io + ${parisapc-wg} parisa-pc.devs.giugl.io + ${peppiniell-wg} peppiniell.devs.giugl.io + ${padulino-wg} padulino.devs.giugl.io + ${shield-wg} shield.devs.giugl.io + ${pepos-wg} pepos.devs.giugl.io + ${eleonora-wg} eleonora.devs.giugl.io + ${angellane-wg} angellane.devs.giugl.io + ${hotpottino-wg} hotpottino.devs.giugl.io + ${salvatore-wg} salvatore.devs.giugl.io + ${papa-wg} papa.devs.giugl.io + ${defy-wg} defy.devs.giugl.io + ${germano-wg} germano.devs.giugl.io + ${dodino-wg} dodino.devs.giugl.io + ${tommy-wg} tommy.devs.giugl.io + ${alain-wg} alain.devs.giugl.io + ${dima-wg} dima.devs.giugl.io + ${mikey-wg} mikey.devs.giugl.io + ${andrew-wg} andrew.devs.giugl.io + ${mikeylaptop-wg} mikeylaptop.devs.giugl.io + ${wolfsonhouse-wg} wolfsonhouse.devs.giugl.io + ${frznn-wg} frznn.devs.giugl.io + ''; + + wireguard = { + interfaces.${proxy-if} = { ips = ["10.4.0.2/32"]; privateKeyFile = "/secrets/wireguard/proxy.key"; peers = [ 
@@ -12,29 +45,26 @@ with import ./network.nix; persistentKeepalive = 21; } ]; - }; + }; - interfaces.${vpn-if} = { - listenPort = 1194; - ips = ["10.3.0.1/24"]; - privateKeyFile = "/secrets/wireguard/server.key"; + interfaces.${vpn-if} = { + listenPort = 1194; + ips = ["10.3.0.1/24"]; + privateKeyFile = "/secrets/wireguard/server.key"; - peers = [ - { + peers = [ + { # gAluminum allowedIPs = [galuminum-wg]; publicKey = "pEEgSs7xmO0cfyvoQlU8lfwqdYM1ISgmPAunPtF+0xw="; } - { # OnePlus allowedIPs = [oneplus-wg]; -# publicKey = "uOQUJo+AfhTAFq50Pt80rdX4PmO28WUARngE2AtwdXU="; publicKey = "zynSERy6VhxN5zBf1ih3BOAHxvigDixHB9YKnSBgYFs="; } - { # iPad allowedIPs = [ipad-wg]; @@ -118,26 +148,12 @@ with import ./network.nix; publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs="; } - { - # angelino - allowedIPs = [angelino-wg]; - publicKey = "MhY4d824LuKPltQHfaUbtWGiQz4XsfqCRAx0n1FDaiY="; - } - - - { - # pepos_one - allowedIPs = [pepos_one-wg]; - publicKey = "HcIqulGahsHJeuq6zAt5EJieWhDSKX4tFlUOEr2U1gA="; - } - - - { - # pepos_two - allowedIPs = [pepos_two-wg]; + # pepos + allowedIPs = [pepos-wg]; publicKey = "mb1VaMLML5J24oCMBuhqvBrT6S4tAqWERn30z+h/LwM="; } + { # salvatore allowedIPs = [salvatore-wg]; @@ -193,9 +209,9 @@ with import ./network.nix; } { - # boogino - allowedIPs = [boogino-wg]; - publicKey = "p21tD9S04+b+TC27a1CvkJL7V6fcfjOpVU7Ke1FzV3A="; + # wolfsonhouse + allowedIPs = [wolfsonhouse-wg]; + publicKey = "UJRJcAOcnEjEB3o4K2I7gEM97SrhENEesZNf28z+EBQ="; } { 
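Review bot: As far as the collapsed `@@ -118,26 +148,12 @@` hunk can be read, the `{` that opened the old `pepos_two` peer is removed along with its comment while the new side adds only `# pepos` and `allowedIPs = [pepos-wg];`, leaving `publicKey = "mb1V…";` and the following `}` with no opening brace inside the `peers` list; if that reading is right the file no longer parses and `nixos-rebuild` fails on wireguard.nix. The fix is to restore the brace so the entry reads `{ # pepos allowedIPs = [pepos-wg]; publicKey = "mb1V…"; }` on its usual lines. It is also worth a comment that the surviving key `mb1V…` is the former pepos_two key, meaning the device that held pepos_one's `HcIq…` key is now deliberately locked out, so nobody re-adds it by reflex. The `peers = [ … ]` list starts in the previous hunk and ends after the last hunk of this file.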
@@ -203,7 +219,38 @@ with import ./network.nix; allowedIPs = [mikey-wg]; publicKey = "ewbDdX3z7nxG2aPIf9TogXkhxPlGipLFcy6XfyDC6gI="; } + + { + # andrew + allowedIPs = [andrew-wg]; + publicKey = "LP/FgST9fmBQSoKQFq9sFGvjRFOtRooMcuEcjuqaoWM="; + } + + { + # mikey laptop + allowedIPs = [mikeylaptop-wg]; + publicKey = "kz/pY/PgV+dwF1JZ2It4r5B5QfRSQM7HkbFCdvd5Yxk="; + } + + { + # andrew desktop + allowedIPs = [andrewdesktop-wg]; + publicKey = "rpYr3JNLIzxpxzFuQuaHFEl/XvPEPfwLbDETBP8KYXI="; + } + + { + # laptop desktop + allowedIPs = [jacopo-wg]; + publicKey = "W/taWI79bPIKOolVVu5xZfiJnPw9K91Xn1zhcM0+4g0="; + } + + { + # frznn + allowedIPs = [frznn-wg]; + publicKey = "dXcrdME6VnnE5PBYwvUmayf7cn2wpcExeCR9gIXOO0o="; + } ]; }; }; +}; } diff --git a/hosts/proxy/coturn.nix b/hosts/proxy/coturn.nix index 3148bda..c88cb51 100644 --- a/hosts/proxy/coturn.nix +++ b/hosts/proxy/coturn.nix @@ -1,22 +1,28 @@ {pkgs, config, ...}: let + public_ip = "23.88.108.216"; realm = "turn.giugl.io"; static-auth-secret = "69duck duck fuck420"; in { services.coturn = rec { + inherit realm static-auth-secret; + + secure-stun = true; enable = true; no-cli = true; no-tcp-relay = true; min-port = 49000; max-port = 50000; use-auth-secret = true; -# cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; -# pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; + relay-ips = [ public_ip ]; + listening-ips = [ public_ip ]; + cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; + pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; extraConfig = '' - # for debugging verbose - # ban private IP ranges + + cipher-list=\"HIGH\" no-multicast-peers denied-peer-ip=0.0.0.0-0.255.255.255 denied-peer-ip=10.0.0.0-10.255.255.255 @@ -42,7 +48,6 @@ in { denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff ''; }; - # open the firewall networking.firewall = { interfaces.ens3 = let range = with config.services.coturn; [ { 
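Review bot: The comment on the `jacopo-wg` peer reads `# laptop desktop`, a leftover from the entry copied above it; with thirty-odd peers identified only by a comment and a base64 key, a mislabelled entry is exactly how the wrong key gets revoked later, so change it to `# jacopo`. The `extraHosts` block added at the top of this file names andrew, mikeylaptop, wolfsonhouse and frznn but not `andrewdesktop-wg` or `jacopo-wg`; if every peer is meant to resolve under `.devs.giugl.io`, those two entries are missing. The `peers = [ … ]` list begins before this hunk.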
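Review bot: `inherit realm static-auth-secret;` now feeds the literal `static-auth-secret = "69duck duck fuck420"` from the `let` block into `services.coturn`, so the shared TURN secret is both committed to this repository and rendered into the turnserver configuration in the world-readable Nix store, where any local user can read it and mint TURN credentials to relay through the public IP. Move it out of the store with `static-auth-secret-file = "/secrets/coturn/static-auth-secret";` (confirm the option exists in the pinned nixpkgs; it is a late-2021 addition) and rotate the value wherever the matching client config — presumably the Matrix host — holds it. Separately, `cipher-list=\"HIGH\"` inside a `''` string passes the backslashes through to turnserver.conf literally; `cipher-list="HIGH"` is presumably what was meant, so check what coturn actually loaded. The `services.coturn` set continues past this hunk.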
@@ -52,15 +57,18 @@ in { in { allowedUDPPortRanges = range; - allowedUDPPorts = [ 3478 ]; - allowedTCPPortRanges = range; - allowedTCPPorts = [ 3478 ]; + allowedUDPPorts = [ 5349 ]; + #allowedTCPPortRanges = range; + allowedTCPPorts = [ 80 443 5349 ]; }; }; - # get a certificate -# security.acme.certs.${realm} = { -# webroot = "/var/lib/acme/acme-challenge"; -# postRun = "systemctl restart coturn.service"; -# group = "turnserver"; -# }; + + services.nginx.enable = true; + services.nginx.virtualHosts.${realm} = { + addSSL = true; + enableACME = true; + }; + + # to access the ACME files + users.groups.nginx.members = [ "turnserver" ]; } diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix index 7c850de..3f88bb6 100644 --- a/hosts/proxy/default.nix +++ b/hosts/proxy/default.nix 
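Review bot: The removed `security.acme.certs.${realm}` block carried `postRun = "systemctl restart coturn.service"` and the replacement nginx-driven ACME setup has nothing equivalent, so as far as this config shows nothing restarts or signals coturn after a renewal and it will keep serving the expired `cert`/`pkey` until someone intervenes. Add `security.acme.certs.${realm}.reloadServices = [ "coturn.service" ];` (or `postRun` if the pinned NixOS predates `reloadServices`) next to the nginx vhost. The `# to access the ACME files` comment above `users.groups.nginx.members = [ "turnserver" ]` should also say why that works — the nginx module sets the certificate's group to `nginx` — because if that default is ever overridden turnserver silently loses read access. The `networking.firewall` set begins before the hunk.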
@@ -1,70 +1,31 @@ { config, pkgs, ... }: { - imports = - [ - ./hardware-configuration.nix - ./coturn.nix - ]; + imports = [ + ./hardware-configuration.nix + ./coturn.nix + ./wireguard.nix + ./ssh.nix + ]; - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; + boot.loader.grub = { + enable = true; + version = 2; + devices = [ "/dev/sda" ]; + }; - system.stateVersion = "21.05"; # Did you read the comment? - boot.loader.grub.devices = [ "/dev/sda" ]; - services.openssh.permitRootLogin = "prohibit-password"; - services.openssh.passwordAuthentication = false; - services.openssh.enable = true; + system.stateVersion = "21.05"; - networking = { - useDHCP = false; - hostName = "proxy"; - nameservers = [ "10.4.0.2" "1.1.1.1" ]; - - firewall.allowedTCPPorts = [ 22 ]; - interfaces.ens3.useDHCP = true; + networking = { + useDHCP = false; + hostName = "proxy"; + nameservers = [ "10.4.0.2" "1.1.1.1" ]; - nat = { - enable = true; - externalInterface = "ens3"; - internalInterfaces = ["wg0"]; - forwardPorts = [ - { - destination = "10.4.0.2:1194"; - proto = "udp"; - sourcePort = 1194; - } - ]; - }; + interfaces.ens3.useDHCP = true; + }; - wireguard = { - interfaces."wg0" = { - listenPort = 1195; - ips = [ "10.4.0.1/24" ]; - privateKeyFile = "/secrets/wireguard/server.key"; - - postSetup = '' - /run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE - ''; - - postShutdown = '' - /run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE - ''; - peers = [ - { - allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ]; - publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA="; - } - ]; - }; - }; - }; - - services = { - fail2ban.enable = true; - }; - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-rsa 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 giulio@gAluminum" - ]; - } + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-rsa 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 giulio@gAluminum" + ]; +} 
diff --git a/hosts/proxy/ssh.nix b/hosts/proxy/ssh.nix new file mode 100644 index 0000000..c64a38a --- /dev/null +++ b/hosts/proxy/ssh.nix @@ -0,0 +1,15 @@ +{ config, ...}: + +{ + services = { + fail2ban.enable = true; + + openssh = { + permitRootLogin = "prohibit-password"; + passwordAuthentication = false; + enable = true; + }; + }; + + networking.firewall.allowedTCPPorts = [ 22 ]; +} diff --git a/hosts/proxy/wireguard.nix b/hosts/proxy/wireguard.nix new file mode 100644 index 0000000..6b904b5 --- /dev/null +++ b/hosts/proxy/wireguard.nix @@ -0,0 +1,46 @@ +{ config, ...}: + +let + wg_if = "wg0"; + wan_if = "ens3"; +in { + networking = { + firewall.allowedUDPPorts = [ 1195 ]; + + nat = { + enable = true; + externalInterface = wan_if; + internalInterfaces = [ wg_if ]; + forwardPorts = [ + { + destination = "10.4.0.2:1194"; + proto = "udp"; + sourcePort = 1194; + } + ]; + }; + + wireguard = { + interfaces.${wg_if} = { + listenPort = 1195; + ips = [ "10.4.0.1/24" ]; + privateKeyFile = "/secrets/wireguard/server.key"; + + postSetup = '' + /run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o ${wg_if} -j MASQUERADE + ''; + + postShutdown = '' + /run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o ${wg_if} -j MASQUERADE + ''; + + peers = [ + { + allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ]; + publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA="; + } + ]; + }; + }; + }; +} diff --git a/lib/host.nix b/lib/host.nix index e7579d5..699d566 100644 --- a/lib/host.nix +++ b/lib/host.nix @@ -14,9 +14,13 @@ modules = [ { - imports = users_mod ++ roles_mod; + imports = users_mod ++ roles_mod ++ [(nixos-unstable + "/nixos/modules/services/misc/prowlarr.nix")]; + + nixpkgs = { + pkgs = pkgs; + overlays = [ (self: super: {prowlarr = pkgs.unstable.prowlarr;}) ]; + }; - nixpkgs.pkgs = pkgs; nix.nixPath = [ "nixpkgs=${nixpkgs}" "unstable=${nixos-unstable}" diff --git a/roles/common.nix b/roles/common.nix index d9a581c..2f4fad6 100644 --- a/roles/common.nix 
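Review bot: `passwordAuthentication = false;` does not disable keyboard-interactive logins, and NixOS of this era leaves `challengeResponseAuthentication` at its default of true with `UsePAM yes`, so sshd still prompts for passwords through PAM; `prohibit-password` covers root, but any other local account with a password remains brute-forceable — which is also the only reason fail2ban has anything to ban here. Add `challengeResponseAuthentication = false;` (renamed `kbdInteractiveAuthentication` in newer NixOS) to the `openssh` block. The firewall line `allowedTCPPorts = [ 22 ]` and `fail2ban.enable` are unchanged moves from default.nix and need no further change.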
+++ b/roles/common.nix @@ -41,9 +41,7 @@ glances tcpdump restic - binutils neovim - ripgrep tmux parted unzip diff --git a/roles/home/common.nix b/roles/home/common.nix index fe1b6a2..a970bb3 100644 --- a/roles/home/common.nix +++ b/roles/home/common.nix @@ -1,26 +1,21 @@ { config, pkgs, ... }: { - imports = [ ./zsh.nix ]; + imports = [ ./zsh.nix ./git.nix ]; home = { - stateVersion = "21.05"; + stateVersion = "21.05"; sessionVariables = { EDITOR = "nvim"; VISUAL = "nvim"; }; - packages = with pkgs; [ - rizin - sshfs - nixfmt - ]; + packages = with pkgs; [ rizin sshfs nixfmt ]; }; programs.neovim = { - enable = true; - #package = pkgs.unstable.neovim-unwrapped; - + enable = true; + extraPackages = with pkgs; [ nodePackages.prettier cmake-format clang-tools rustfmt ]; extraConfig = '' " syntax syntax enable @@ -77,28 +72,32 @@ set cindent cinkeys-=0# set expandtab shiftwidth=2 tabstop=2 softtabstop=2 - set statusline+=%#warningmsg# - set statusline+=%{SyntasticStatuslineFlag()} - set statusline+=%* + " Enable alignment + let g:neoformat_basic_format_align = 1 + + " Enable tab to spaces conversion + let g:neoformat_basic_format_retab = 1 + + " Enable trimmming of trailing whitespace + let g:neoformat_basic_format_trim = 1 ''; - viAlias = true; + viAlias = true; vimAlias = true; - plugins = with pkgs.vimPlugins; [ + plugins = with pkgs.vimPlugins; [ vim-nix molokai YouCompleteMe vim-airline vim-airline-themes - vim-lsp + vim-lsp vim-indent-guides - vim-signify + vim-signify nerdtree vim-easy-align vim-fugitive - vim-yaml - vim-autoformat vimtex + neoformat ]; }; } diff --git a/roles/home/git.nix b/roles/home/git.nix index 63fa87d..0641a49 100644 --- a/roles/home/git.nix +++ b/roles/home/git.nix @@ -11,6 +11,7 @@ smudge = "git-lfs smudge -- %f"; }; }; + delta.enable = true; }; home.packages = [ pkgs.git-lfs ]; } diff --git a/roles/home/zsh.nix b/roles/home/zsh.nix index cf12329..fd2bca5 100644 --- a/roles/home/zsh.nix +++ b/roles/home/zsh.nix 
@@ -1,6 +1,4 @@ { config, pkgs, lib, ... }: { - home.packages = with pkgs; [ zsh any-nix-shell ]; - programs.zsh = { enable = true; @@ -9,9 +7,5 @@ plugins = [ "git" "sudo" "docker" "docker-compose" "adb" "systemd" ]; theme = "bira"; }; - - initExtra = '' - any-nix-shell zsh --info-right | source /dev/stdin - ''; }; }