From 7206622bec4e1c152eb95959f664b43be359ae8a Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 11 Oct 2021 08:59:31 +0000 Subject: [PATCH 01/15] refactored proxy conf --- hosts/proxy/coturn.nix | 36 ++++++++++------- hosts/proxy/default.nix | 83 +++++++++++---------------------------- hosts/proxy/ssh.nix | 15 +++++++ hosts/proxy/wireguard.nix | 46 ++++++++++++++++++++++ 4 files changed, 105 insertions(+), 75 deletions(-) create mode 100644 hosts/proxy/ssh.nix create mode 100644 hosts/proxy/wireguard.nix diff --git a/hosts/proxy/coturn.nix b/hosts/proxy/coturn.nix index 3148bda..c88cb51 100644 --- a/hosts/proxy/coturn.nix +++ b/hosts/proxy/coturn.nix @@ -1,22 +1,28 @@ {pkgs, config, ...}: let + public_ip = "23.88.108.216"; realm = "turn.giugl.io"; static-auth-secret = "69duck duck fuck420"; in { services.coturn = rec { + inherit realm static-auth-secret; + + secure-stun = true; enable = true; no-cli = true; no-tcp-relay = true; min-port = 49000; max-port = 50000; use-auth-secret = true; -# cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; -# pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; + relay-ips = [ public_ip ]; + listening-ips = [ public_ip ]; + cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; + pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; extraConfig = '' - # for debugging verbose - # ban private IP ranges + + cipher-list=\"HIGH\" no-multicast-peers denied-peer-ip=0.0.0.0-0.255.255.255 denied-peer-ip=10.0.0.0-10.255.255.255 @@ -42,7 +48,6 @@ in { denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff ''; }; - # open the firewall networking.firewall = { interfaces.ens3 = let range = with config.services.coturn; [ { 
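Review bot: `cipher-list=\"HIGH\"` inside the `''` indented string is emitted with literal backslashes, because Nix indented strings do not process `\` escapes, so turnserver.conf receives `cipher-list=\"HIGH\"` rather than the plain quoted form coturn's sample config uses; write `cipher-list="HIGH"` (double quotes need no escaping inside `''`). The new `inherit realm static-auth-secret;` also hands the literal secret to the module, which renders it into a turnserver.conf living in the world-readable Nix store; if the module release in use offers `static-auth-secret-file`, point it at a file under /secrets instead, as wireguard.nix in this same patch does with `privateKeyFile`. `relay-ips`/`listening-ips` now pin a hard-coded address through `public_ip`; a one-line comment such as `# must track the host's WAN address on ens3` would tell the next maintainer what to update when the host moves.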
@@ -52,15 +57,18 @@ in { in { allowedUDPPortRanges = range; - allowedUDPPorts = [ 3478 ]; - allowedTCPPortRanges = range; - allowedTCPPorts = [ 3478 ]; + allowedUDPPorts = [ 5349 ]; + #allowedTCPPortRanges = range; + allowedTCPPorts = [ 80 443 5349 ]; }; }; - # get a certificate -# security.acme.certs.${realm} = { -# webroot = "/var/lib/acme/acme-challenge"; -# postRun = "systemctl restart coturn.service"; -# group = "turnserver"; -# }; + + services.nginx.enable = true; + services.nginx.virtualHosts.${realm} = { + addSSL = true; + enableACME = true; + }; + + # to access the ACME files + users.groups.nginx.members = [ "turnserver" ]; } diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix index 7c850de..3f88bb6 100644 --- a/hosts/proxy/default.nix +++ b/hosts/proxy/default.nix 
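Review bot: The deleted commented-out block carried `postRun = "systemctl restart coturn.service"`, and nothing in the new nginx-driven ACME setup replaces it, so after a renewal coturn keeps presenting the expired certificate until it happens to be restarted (the nginx module wires its own reload; coturn is not covered). Add `security.acme.certs.${realm}.postRun = "systemctl restart coturn.service";` next to the virtualHost, or the equivalent reload hook if the ACME module release in use provides one. The TCP list now opens 80 and 443 on ens3 for a vhost that exists only to obtain the certificate; a comment like `# 80/443: nginx vhost used only for the ACME challenge` would keep a reader from looking for a web service behind them.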
@@ -1,70 +1,31 @@ { config, pkgs, ... }: { - imports = - [ - ./hardware-configuration.nix - ./coturn.nix - ]; + imports = [ + ./hardware-configuration.nix + ./coturn.nix + ./wireguard.nix + ./ssh.nix + ]; - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; + boot.loader.grub = { + enable = true; + version = 2; + devices = [ "/dev/sda" ]; + }; - system.stateVersion = "21.05"; # Did you read the comment? - boot.loader.grub.devices = [ "/dev/sda" ]; - services.openssh.permitRootLogin = "prohibit-password"; - services.openssh.passwordAuthentication = false; - services.openssh.enable = true; + system.stateVersion = "21.05"; - networking = { - useDHCP = false; - hostName = "proxy"; - nameservers = [ "10.4.0.2" "1.1.1.1" ]; - - firewall.allowedTCPPorts = [ 22 ]; - interfaces.ens3.useDHCP = true; + networking = { + useDHCP = false; + hostName = "proxy"; + nameservers = [ "10.4.0.2" "1.1.1.1" ]; - nat = { - enable = true; - externalInterface = "ens3"; - internalInterfaces = ["wg0"]; - forwardPorts = [ - { - destination = "10.4.0.2:1194"; - proto = "udp"; - sourcePort = 1194; - } - ]; - }; + interfaces.ens3.useDHCP = true; + }; - wireguard = { - interfaces."wg0" = { - listenPort = 1195; - ips = [ "10.4.0.1/24" ]; - privateKeyFile = "/secrets/wireguard/server.key"; - - postSetup = '' - /run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE - ''; - - postShutdown = '' - /run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE - ''; - peers = [ - { - allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ]; - publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA="; - } - ]; - }; - }; - }; - - services = { - fail2ban.enable = true; - }; - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-rsa 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 giulio@gAluminum" - ]; - } + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-rsa 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 giulio@gAluminum" + ]; +} 
diff --git a/hosts/proxy/ssh.nix b/hosts/proxy/ssh.nix new file mode 100644 index 0000000..c64a38a --- /dev/null +++ b/hosts/proxy/ssh.nix @@ -0,0 +1,15 @@ +{ config, ...}: + +{ + services = { + fail2ban.enable = true; + + openssh = { + permitRootLogin = "prohibit-password"; + passwordAuthentication = false; + enable = true; + }; + }; + + networking.firewall.allowedTCPPorts = [ 22 ]; +} diff --git a/hosts/proxy/wireguard.nix b/hosts/proxy/wireguard.nix new file mode 100644 index 0000000..6b904b5 --- /dev/null +++ b/hosts/proxy/wireguard.nix @@ -0,0 +1,46 @@ +{ config, ...}: + +let + wg_if = "wg0"; + wan_if = "ens3"; +in { + networking = { + firewall.allowedUDPPorts = [ 1195 ]; + + nat = { + enable = true; + externalInterface = wan_if; + internalInterfaces = [ wg_if ]; + forwardPorts = [ + { + destination = "10.4.0.2:1194"; + proto = "udp"; + sourcePort = 1194; + } + ]; + }; + + wireguard = { + interfaces.${wg_if} = { + listenPort = 1195; + ips = [ "10.4.0.1/24" ]; + privateKeyFile = "/secrets/wireguard/server.key"; + + postSetup = '' + /run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o ${wg_if} -j MASQUERADE + ''; + + postShutdown = '' + /run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o ${wg_if} -j MASQUERADE + ''; + + peers = [ + { + allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ]; + publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA="; + } + ]; + }; + }; + }; +} From ad0558710d4d299891de741484c2a4114f9f982e Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Thu, 14 Oct 2021 15:55:41 +0000 Subject: [PATCH 02/15] removed external pkgs --- pkgs/binaryninja | 1 - pkgs/ida | 1 - 2 files changed, 2 deletions(-) delete mode 160000 pkgs/binaryninja delete mode 160000 pkgs/ida diff --git a/pkgs/binaryninja b/pkgs/binaryninja deleted file mode 160000 index 8ed0f28..0000000 --- a/pkgs/binaryninja +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 8ed0f28dc78dfc482c397056b73a6a1e680e8af0 
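Review bot: `passwordAuthentication = false;` alone does not close keyboard-interactive logins, because `services.openssh.challengeResponseAuthentication` defaults to true on the release this config targets (stateVersion 21.05) and PAM can still accept a password through that path; add `challengeResponseAuthentication = false;` beside it (the option was renamed `kbdInteractiveAuthentication` in later releases). With `permitRootLogin = "prohibit-password"` and root's authorized key set in default.nix, that leaves public-key authentication as the only accepted method, which appears to be the intent. A header comment such as `# SSH hardening for the proxy host: key-only, root allowed with key, fail2ban` would make the file's purpose explicit.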
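Review bot: `postSetup`/`postShutdown` hard-code `/run/current-system/sw/bin/iptables`, which only resolves if iptables is in the booted generation's system profile; the module function takes `{ config, ... }` but never uses `config`, so changing it to `{ pkgs, ... }` and calling `${pkgs.iptables}/bin/iptables` ties the rule to a store path instead. The extra MASQUERADE on `${wg_if}` rewrites the source of traffic forwarded to 10.4.0.2:1194 to 10.4.0.1, so the peer's logs will not show the original client address — presumably intended so replies route back over wg0, but that is inferred; a comment such as `# masquerade on wg0 so 10.4.0.2 returns forwarded 1194/udp via the tunnel` would record the reason.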
diff --git a/pkgs/ida b/pkgs/ida deleted file mode 160000 index fe8eed0..0000000 --- a/pkgs/ida +++ /dev/null @@ -1 +0,0 @@ -Subproject commit fe8eed08ff9f6e09abaa8216beaa45aa83767862 From 3e356fe7032bc1af9fc75d671fdda902b7ef7285 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Thu, 14 Oct 2021 15:56:08 +0000 Subject: [PATCH 03/15] add git to common home --- flake.nix | 2 +- roles/home/common.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/flake.nix b/flake.nix index 5eda88f..d46ce6c 100644 --- a/flake.nix +++ b/flake.nix @@ -30,7 +30,7 @@ nixosConfigurations = { architect = host.mkHost { name = "architect"; users = [ { user = "giulio"; roles = []; } ]; }; gAluminum = host.mkHost { name = "gAluminum"; users = [ { user = "giulio"; roles = [ "desktop" "ssh" "git" ]; } ]; roles = [ "gnome" ]; }; - proxy = host.mkHost { name = "proxy"; }; + proxy = host.mkHost { name = "proxy"; users = []; }; }; }; } diff --git a/roles/home/common.nix b/roles/home/common.nix index fe1b6a2..597fcee 100644 --- a/roles/home/common.nix +++ b/roles/home/common.nix @@ -1,7 +1,7 @@ { config, pkgs, ... }: { - imports = [ ./zsh.nix ]; + imports = [ ./zsh.nix ./git.nix ]; home = { stateVersion = "21.05"; From f58b776a3ddc5fb597627c12a54fb3ad59dee649 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Thu, 21 Oct 2021 15:51:44 +0200 Subject: [PATCH 04/15] added prowlarr from unstable, moved hosts to wireguard file --- flake.lock | 18 ++++++------ flake.nix | 2 +- hosts/architect/default.nix | 40 ++----------------------- hosts/architect/prowlarr.nix | 2 ++ hosts/architect/wireguard.nix | 55 ++++++++++++++++++++++++++--------- lib/host.nix | 8 +++-- 6 files changed, 63 insertions(+), 62 deletions(-) diff --git a/flake.lock b/flake.lock index 7dbb2a9..e766bb8 100644 --- a/flake.lock +++ b/flake.lock 
@@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1633596850, - "narHash": "sha256-5+qVLYvfOropjLAvpQs/APtD8eYnEIbAd9a36lGHZM0=", + "lastModified": 1634544068, + "narHash": "sha256-RlRQBaAHfdWqfRyHdWuDPMkplBTYwuyDQqDcNbP/Sog=", "owner": "rycee", "repo": "home-manager", - "rev": "49695f33aac22358b59e49c94fe6472218e5d766", + "rev": "ff2bed9dac84fb202bbb3c49fdcfe30c29d0b12f", "type": "github" }, "original": { @@ -23,11 +23,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1633971123, - "narHash": "sha256-WmI4NbH1IPGFWVkuBkKoYgOnxgwSfWDgdZplJlQ93vA=", + "lastModified": 1634515797, + "narHash": "sha256-elgCUC2khtBkOSpE4gDymNvthTZAI4hGI2iNu3YEUkA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e4ef597edfd8a0ba5f12362932fc9b1dd01a0aef", + "rev": "5f0194220f2402b06f7f79bba6351895facb5acb", "type": "github" }, "original": { @@ -39,11 +39,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1634115022, - "narHash": "sha256-K9DZMQ47VRrg9gtTPwex5p0E8LnwM/dDkNe7AQW0qj0=", + "lastModified": 1634661806, + "narHash": "sha256-fBuR7EZ67UOdNt3gEwhoyWJ6zJtXh4kuupIALRcx/7I=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "564cb4d81d4f734dd068684adec5a60077397fe9", + "rev": "8fe3b97ef4527ac88d03ea33e0789f3512e01adc", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 5eda88f..aa02909 100644 --- a/flake.nix +++ b/flake.nix @@ -28,7 +28,7 @@ inherit (utils) user; in { nixosConfigurations = { - architect = host.mkHost { name = "architect"; users = [ { user = "giulio"; roles = []; } ]; }; + architect = host.mkHost { name = "architect"; users = [ { user = "giulio"; roles = [ "git" ]; } ]; }; gAluminum = host.mkHost { name = "gAluminum"; users = [ { user = "giulio"; roles = [ "desktop" "ssh" "git" ]; } ]; roles = [ "gnome" ]; }; proxy = host.mkHost { name = "proxy"; }; }; diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix index 4000ff3..62b1b77 100644 --- a/hosts/architect/default.nix +++ b/hosts/architect/default.nix 
@@ -17,7 +17,6 @@ in ./radarr.nix ./bazarr.nix ./nzbget.nix -# ./jellyfin.nix ./nextcloud.nix ./wireguard.nix ./minio.nix @@ -25,14 +24,14 @@ in ./fail2ban.nix ./dns.nix ./minecraft.nix -# ./prowlarr.nix + ./prowlarr.nix ./plex.nix ]; time.timeZone = "Europe/Rome"; system.stateVersion = "21.05"; # Did you read the comment? users.users.giulio.openssh.authorizedKeys.keys = pubkeys; - + fileSystems."/tmp" = { device = "tmpfs"; fsType = "tmpfs"; @@ -94,35 +93,6 @@ in ${nas-lan} nas.devs.giugl.io ${giupi-lan} giupi.devs.giugl.io - # Wireguard hosts - ${architect-wg} ${hostname}.devs.giugl.io - ${galuminum-wg} galuminum.devs.giugl.io - ${oneplus-wg} oneplus.devs.giugl.io - ${ipad-wg} ipad.devs.giugl.io - ${manduria-wg} manduria.devs.giugl.io - ${antonio-wg} antonio.devs.giugl.io - ${gbeast-wg} gbeast.devs.giugl.io - ${parisaphone-wg} parisa-phone.devs.giugl.io - ${parisapc-wg} parisa-pc.devs.giugl.io - ${peppiniell-wg} peppiniell.devs.giugl.io - ${padulino-wg} padulino.devs.giugl.io - ${shield-wg} shield.devs.giugl.io - ${angelino-wg} angelino.devs.giugl.io - ${pepos_two-wg} pepostwo.devs.giugl.io - ${eleonora-wg} eleonora.devs.giugl.io - ${angellane-wg} angellane.devs.giugl.io - ${hotpottino-wg} hotpottino.devs.giugl.io - ${salvatore-wg} salvatore.devs.giugl.io - ${papa-wg} papa.devs.giugl.io - ${defy-wg} defy.devs.giugl.io - ${germano-wg} germano.devs.giugl.io - ${dodino-wg} dodino.devs.giugl.io - ${tommy-wg} tommy.devs.giugl.io - ${alain-wg} alain.devs.giugl.io - ${dima-wg} dima.devs.giugl.io - ${boogino-wg} boogino.devs.giugl.io - ${mikey-wg} mikey.devs.giugl.io - # Blacklist 0.0.0.0 metrics.plex.tv 0.0.0.0 analytics.plex.tv @@ -143,11 +113,7 @@ in ''; }; - environment.systemPackages = with pkgs; - [ - wireguard - cudatoolkit - ]; + environment.systemPackages = with pkgs; [ cudatoolkit ]; hardware = { cpu.amd.updateMicrocode = true; diff --git a/hosts/architect/prowlarr.nix b/hosts/architect/prowlarr.nix index c722a6f..7c64705 100644 
--- a/hosts/architect/prowlarr.nix +++ b/hosts/architect/prowlarr.nix @@ -1,3 +1,5 @@ +{ pkgs, ...}: + with import ./network.nix; { services = { diff --git a/hosts/architect/wireguard.nix b/hosts/architect/wireguard.nix index b8e2375..77fe8d7 100644 --- a/hosts/architect/wireguard.nix +++ b/hosts/architect/wireguard.nix @@ -1,7 +1,38 @@ with import ./network.nix; { - networking.wireguard = { - interfaces.${proxy-if} = { + networking = { + extraHosts = '' + ${architect-wg} architect.devs.giugl.io + ${galuminum-wg} galuminum.devs.giugl.io + ${oneplus-wg} oneplus.devs.giugl.io + ${ipad-wg} ipad.devs.giugl.io + ${manduria-wg} manduria.devs.giugl.io + ${antonio-wg} antonio.devs.giugl.io + ${gbeast-wg} gbeast.devs.giugl.io + ${parisaphone-wg} parisa-phone.devs.giugl.io + ${parisapc-wg} parisa-pc.devs.giugl.io + ${peppiniell-wg} peppiniell.devs.giugl.io + ${padulino-wg} padulino.devs.giugl.io + ${shield-wg} shield.devs.giugl.io + ${angelino-wg} angelino.devs.giugl.io + ${pepos_two-wg} pepostwo.devs.giugl.io + ${eleonora-wg} eleonora.devs.giugl.io + ${angellane-wg} angellane.devs.giugl.io + ${hotpottino-wg} hotpottino.devs.giugl.io + ${salvatore-wg} salvatore.devs.giugl.io + ${papa-wg} papa.devs.giugl.io + ${defy-wg} defy.devs.giugl.io + ${germano-wg} germano.devs.giugl.io + ${dodino-wg} dodino.devs.giugl.io + ${tommy-wg} tommy.devs.giugl.io + ${alain-wg} alain.devs.giugl.io + ${dima-wg} dima.devs.giugl.io + ${boogino-wg} boogino.devs.giugl.io + ${mikey-wg} mikey.devs.giugl.io + ''; + + wireguard = { + interfaces.${proxy-if} = { ips = ["10.4.0.2/32"]; privateKeyFile = "/secrets/wireguard/proxy.key"; peers = [ 
@@ -12,29 +43,26 @@ with import ./network.nix; persistentKeepalive = 21; } ]; - }; + }; - interfaces.${vpn-if} = { - listenPort = 1194; - ips = ["10.3.0.1/24"]; - privateKeyFile = "/secrets/wireguard/server.key"; + interfaces.${vpn-if} = { + listenPort = 1194; + ips = ["10.3.0.1/24"]; + privateKeyFile = "/secrets/wireguard/server.key"; - peers = [ - { + peers = [ + { # gAluminum allowedIPs = [galuminum-wg]; publicKey = "pEEgSs7xmO0cfyvoQlU8lfwqdYM1ISgmPAunPtF+0xw="; } - { # OnePlus allowedIPs = [oneplus-wg]; -# publicKey = "uOQUJo+AfhTAFq50Pt80rdX4PmO28WUARngE2AtwdXU="; publicKey = "zynSERy6VhxN5zBf1ih3BOAHxvigDixHB9YKnSBgYFs="; } - { # iPad allowedIPs = [ipad-wg]; @@ -132,12 +160,12 @@ with import ./network.nix; publicKey = "HcIqulGahsHJeuq6zAt5EJieWhDSKX4tFlUOEr2U1gA="; } - { # pepos_two allowedIPs = [pepos_two-wg]; publicKey = "mb1VaMLML5J24oCMBuhqvBrT6S4tAqWERn30z+h/LwM="; } + { # salvatore allowedIPs = [salvatore-wg]; @@ -206,4 +234,5 @@ with import ./network.nix; ]; }; }; +}; } diff --git a/lib/host.nix b/lib/host.nix index e7579d5..699d566 100644 --- a/lib/host.nix +++ b/lib/host.nix @@ -14,9 +14,13 @@ modules = [ { - imports = users_mod ++ roles_mod; + imports = users_mod ++ roles_mod ++ [(nixos-unstable + "/nixos/modules/services/misc/prowlarr.nix")]; + + nixpkgs = { + pkgs = pkgs; + overlays = [ (self: super: {prowlarr = pkgs.unstable.prowlarr;}) ]; + }; - nixpkgs.pkgs = pkgs; nix.nixPath = [ "nixpkgs=${nixpkgs}" "unstable=${nixos-unstable}" From 77931ab71a0522a58deec81de94c7d7fb4b0bc8c Mon Sep 17 00:00:00 2001 
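Review bot: Importing `prowlarr.nix` directly from the nixos-unstable tree will collide with the stable module set as soon as the pinned `nixpkgs` ships its own `services.prowlarr` (duplicate option declarations fail at evaluation time), and the overlay captures `pkgs.unstable.prowlarr` from the enclosing scope rather than `super`, so it depends on how `pkgs` was assembled outside this hunk; the enclosing mkHost function begins before the hunk. Add `disabledModules = [ "services/misc/prowlarr.nix" ];` next to the import so the unstable copy wins deterministically, and record why the module is borrowed with a comment such as `# prowlarr is absent from the pinned stable nixpkgs; module and package come from unstable` so it can be dropped once stable provides it.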
From: Giulio De Pasquale Date: Fri, 5 Nov 2021 20:16:08 +0100 Subject: [PATCH 05/15] jacopo, mikey, andrew wg clients. transmission added --- flake.lock | 12 +++++----- hosts/architect/default.nix | 1 + hosts/architect/firewall.nix | 3 +++ hosts/architect/network.nix | 5 ++++ hosts/architect/plex.nix | 4 ++++ hosts/architect/transmission.nix | 41 ++++++++++++++++++++++++++++++++ hosts/architect/wireguard.nix | 26 ++++++++++++++++++++ roles/home/common.nix | 3 +-- 8 files changed, 87 insertions(+), 8 deletions(-) create mode 100644 hosts/architect/transmission.nix diff --git a/flake.lock b/flake.lock index e766bb8..d0d9a71 100644 --- a/flake.lock +++ b/flake.lock @@ -23,11 +23,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1634515797, - "narHash": "sha256-elgCUC2khtBkOSpE4gDymNvthTZAI4hGI2iNu3YEUkA=", + "lastModified": 1635702959, + "narHash": "sha256-ZKxX9DjJJGJqq20pE4dIj1G4ssCLVXXRFerM6lNuF0k=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5f0194220f2402b06f7f79bba6351895facb5acb", + "rev": "e544ee88fa4590df75e221e645a03fe157a99e5b", "type": "github" }, "original": { @@ -39,11 +39,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1634661806, - "narHash": "sha256-fBuR7EZ67UOdNt3gEwhoyWJ6zJtXh4kuupIALRcx/7I=", + "lastModified": 1635719588, + "narHash": "sha256-pWjdy0NheM97NsPE6+jUnr5LYyeA0sBGTdw4mfXMGZQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8fe3b97ef4527ac88d03ea33e0789f3512e01adc", + "rev": "f0869b1a2c0b150aac26e10bb5c2364ffb2e804f", "type": "github" }, "original": { diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix index 62b1b77..300cd86 100644 --- a/hosts/architect/default.nix +++ b/hosts/architect/default.nix @@ -26,6 +26,7 @@ in ./minecraft.nix ./prowlarr.nix ./plex.nix + ./transmission.nix ]; time.timeZone = "Europe/Rome"; diff --git a/hosts/architect/firewall.nix b/hosts/architect/firewall.nix index 5062a37..bfc0e9d 100644 --- a/hosts/architect/firewall.nix +++ b/hosts/architect/firewall.nix 
@@ -9,10 +9,12 @@ let 443 # https 8448 # matrix 10022 # gitea + 51413 # transmission ]; open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [ 1194 # wireguard 3478 # turn + 51413 # transmission ]; in { networking = { @@ -134,6 +136,7 @@ in { # gdevices talking to everyone in VPN ip saddr {${lib.concatStringsSep "," gdevices-wg}} ip daddr ${vpn-net} accept + ip saddr {${lib.concatStringsSep "," gamenet-wg}} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept # nat to wan oifname ${wan-if} ip saddr {${lib.concatStringsSep "," towan-wg}} accept diff --git a/hosts/architect/network.nix b/hosts/architect/network.nix index 69459d0..bac9952 100644 --- a/hosts/architect/network.nix +++ b/hosts/architect/network.nix @@ -41,6 +41,10 @@ rec { alain-wg = "10.3.0.22"; dima-wg = "10.3.0.23"; mikey-wg = "10.3.0.24"; + andrew-wg = "10.3.0.25"; + mikeylaptop-wg = "10.3.0.26"; + andrewdesktop-wg = "10.3.0.27"; + jacopo-wg = "10.3.0.28"; eleonora-wg = "10.3.0.100"; angellane-wg = "10.3.0.200"; hotpottino-wg = "10.3.0.201"; @@ -52,6 +56,7 @@ rec { routers-wg = [ hotpottino-wg angellane-wg dodino-wg ]; c2c-wg = [ ] ++ gdevices-wg; towan-wg = [ shield-wg parisaphone-wg parisapc-wg ] ++ gdevices-wg ++ routers-wg; + gamenet-wg = [ andrew-wg galuminum-wg gbeast-wg mikey-wg andrewdesktop-wg mikeylaptop-wg ]; # domains sonarrdomain = "htson.giugl.io"; diff --git a/hosts/architect/plex.nix b/hosts/architect/plex.nix index aae9147..b570b35 100644 --- a/hosts/architect/plex.nix +++ b/hosts/architect/plex.nix @@ -16,6 +16,10 @@ with import ./network.nix; enableACME = true; http2 = true; extraConfig = '' + allow 10.3.0.0/24; + allow 10.0.0.0/24; + deny all; + #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause send_timeout 100m; diff --git a/hosts/architect/transmission.nix b/hosts/architect/transmission.nix new file mode 100644 index 0000000..024378f --- /dev/null +++ b/hosts/architect/transmission.nix 
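Review bot: `allow`/`deny` placed in the vhost's server-level `extraConfig` are inherited by every location that declares no access directives of its own, including the `/.well-known/acme-challenge` location the NixOS nginx module generates for `enableACME = true`; whether that blocks http-01 renewals depends on whether this vhost is `addSSL` (single server block) or `forceSSL` (separate port-80 redirect server), which is outside the hunk. Either confirm that a renewal dry run still succeeds, or scope the restriction to the application as transmission.nix in this patch does by placing the three lines in `locations."/".extraConfig`. A comment such as `# restrict the Plex web UI to LAN and VPN; keep the ACME challenge reachable` would record the intent.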
@@ -0,0 +1,41 @@ +with import ./network.nix; + +let + domain = "httra.giugl.io"; +in { + services = { + transmission = { + enable = true; + settings = { + download-dir = "/media/transmission"; + incomplete-dir = "/media/transmission/.incomplete"; + rpc-host-whitelist = "${domain}"; + encryption = 2; + speed-limit-up = 10; + speed-limit-up-enabled = true; + peer-port = 51413; + }; + performanceNetParameters = true; + }; + + nginx.virtualHosts.${domain} = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:9091"; + extraConfig = '' + allow 10.0.0.0/24; + allow 10.3.0.0/24; + deny all; + ''; + }; + }; + }; + + networking.extraHosts = '' + ${architect-lan} ${domain} + ${architect-wg} ${domain} + ''; + + users.groups.media.members = ["transmission"]; +} diff --git a/hosts/architect/wireguard.nix b/hosts/architect/wireguard.nix index 77fe8d7..89a31f2 100644 --- a/hosts/architect/wireguard.nix +++ b/hosts/architect/wireguard.nix @@ -29,6 +29,8 @@ with import ./network.nix; ${dima-wg} dima.devs.giugl.io ${boogino-wg} boogino.devs.giugl.io ${mikey-wg} mikey.devs.giugl.io + ${andrew-wg} andrew.devs.giugl.io + ${mikeylaptop-wg} mikeylaptop.devs.giugl.io ''; wireguard = { @@ -231,6 +233,30 @@ with import ./network.nix; allowedIPs = [mikey-wg]; publicKey = "ewbDdX3z7nxG2aPIf9TogXkhxPlGipLFcy6XfyDC6gI="; } + + { + # andrew + allowedIPs = [andrew-wg]; + publicKey = "LP/FgST9fmBQSoKQFq9sFGvjRFOtRooMcuEcjuqaoWM="; + } + + { + # mikey laptop + allowedIPs = [mikeylaptop-wg]; + publicKey = "kz/pY/PgV+dwF1JZ2It4r5B5QfRSQM7HkbFCdvd5Yxk="; + } + + { + # andrew desktop + allowedIPs = [andrewdesktop-wg]; + publicKey = "rpYr3JNLIzxpxzFuQuaHFEl/XvPEPfwLbDETBP8KYXI="; + } + + { + # laptop desktop + allowedIPs = [jacopo-wg]; + publicKey = "W/taWI79bPIKOolVVu5xZfiJnPw9K91Xn1zhcM0+4g0="; + } ]; }; }; diff --git a/roles/home/common.nix b/roles/home/common.nix index fe1b6a2..b76bac7 100644 --- a/roles/home/common.nix +++ b/roles/home/common.nix 
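Review bot: The RPC endpoint proxied at `http://localhost:9091` is reachable from every address in 10.0.0.0/24 and 10.3.0.0/24 with no authentication, since `rpc-authentication-required` is left at its default and `rpc-host-whitelist` only checks the Host header; 10.3.0.0/24 is the shared WireGuard network with several dozen third-party peers, any of which can then manage torrents and change the download directory. Set `rpc-authentication-required = true;` and supply the credentials through `services.transmission.credentialsFile` (a JSON file under /secrets, not the Nix store) rather than an `rpc-password` in `settings`. A comment on the `allow` lines naming the two networks (`# 10.0.0.0/24 LAN, 10.3.0.0/24 WireGuard clients`) would help the next reader.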
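Review bot: The comment on the `jacopo-wg` peer reads `# laptop desktop`, which matches neither the variable nor the other entries' convention of naming the owner; change it to `# jacopo`. The `extraHosts` hunk earlier in this file adds names only for andrew and mikeylaptop, while the new peers also include andrewdesktop and jacopo, so two of the four new addresses get no `.devs.giugl.io` entry — add `${andrewdesktop-wg} andrewdesktop.devs.giugl.io` and `${jacopo-wg} jacopo.devs.giugl.io` there unless the omission is deliberate. The enclosing `peers` list begins outside this hunk.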
@@ -1,7 +1,7 @@ { config, pkgs, ... }: { - imports = [ ./zsh.nix ]; + imports = [ ./zsh.nix ./git.nix ]; home = { stateVersion = "21.05"; @@ -19,7 +19,6 @@ programs.neovim = { enable = true; - #package = pkgs.unstable.neovim-unwrapped; extraConfig = '' " syntax From fa96208b1907a1acf85086c1665f465d6ae25078 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Wed, 17 Nov 2021 17:52:50 +0100 Subject: [PATCH 06/15] remove any-nix-shell --- roles/home/zsh.nix | 6 ------ 1 file changed, 6 deletions(-) diff --git a/roles/home/zsh.nix b/roles/home/zsh.nix index cf12329..fd2bca5 100644 --- a/roles/home/zsh.nix +++ b/roles/home/zsh.nix @@ -1,6 +1,4 @@ { config, pkgs, lib, ... }: { - home.packages = with pkgs; [ zsh any-nix-shell ]; - programs.zsh = { enable = true; @@ -9,9 +7,5 @@ plugins = [ "git" "sudo" "docker" "docker-compose" "adb" "systemd" ]; theme = "bira"; }; - - initExtra = '' - any-nix-shell zsh --info-right | source /dev/stdin - ''; }; } From e90a82f3ba914478bbb277d4985170b96c97412f Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Thu, 18 Nov 2021 00:58:50 +0100 Subject: [PATCH 07/15] added frznn, changed pubkey of wolfsonhouse --- hosts/architect/wireguard.nix | 36 ++++++++++++++--------------------- 1 file changed, 14 insertions(+), 22 deletions(-) diff --git a/hosts/architect/wireguard.nix b/hosts/architect/wireguard.nix index 89a31f2..84d5dca 100644 --- a/hosts/architect/wireguard.nix +++ b/hosts/architect/wireguard.nix @@ -14,8 +14,7 @@ with import ./network.nix; ${peppiniell-wg} peppiniell.devs.giugl.io ${padulino-wg} padulino.devs.giugl.io ${shield-wg} shield.devs.giugl.io - ${angelino-wg} angelino.devs.giugl.io - ${pepos_two-wg} pepostwo.devs.giugl.io + ${pepos-wg} pepos.devs.giugl.io ${eleonora-wg} eleonora.devs.giugl.io ${angellane-wg} angellane.devs.giugl.io ${hotpottino-wg} hotpottino.devs.giugl.io 
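Review bot: `${pepos-wg}` is used here but nothing in the series defines `pepos-wg` at this point — network.nix still carries `pepos_one-wg`/`pepos_two-wg` until PATCH 08 renames them — so this commit does not evaluate on its own; the same applies to `wolfsonhouse-wg` and `frznn-wg` in this patch's later hunks (`@@ -27,10 +26,11 @@`, `@@ -223,9 +209,9 @@`, `@@ -257,6 +243,12 @@`). Either fold the network.nix renames into this commit or reorder the two patches so each step builds. Reassigning 10.3.0.203 from boogino to wolfsonhouse also keeps whatever firewall-group membership network.nix assigns to that address, so that grouping should be reviewed together with the key change.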
@@ -27,10 +26,11 @@ with import ./network.nix; ${tommy-wg} tommy.devs.giugl.io ${alain-wg} alain.devs.giugl.io ${dima-wg} dima.devs.giugl.io - ${boogino-wg} boogino.devs.giugl.io ${mikey-wg} mikey.devs.giugl.io ${andrew-wg} andrew.devs.giugl.io ${mikeylaptop-wg} mikeylaptop.devs.giugl.io + ${wolfsonhouse-wg} wolfsonhouse.devs.giugl.io + ${frznn-wg} frznn.devs.giugl.io ''; wireguard = { @@ -148,23 +148,9 @@ with import ./network.nix; publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs="; } - { - # angelino - allowedIPs = [angelino-wg]; - publicKey = "MhY4d824LuKPltQHfaUbtWGiQz4XsfqCRAx0n1FDaiY="; - } - - - { - # pepos_one - allowedIPs = [pepos_one-wg]; - publicKey = "HcIqulGahsHJeuq6zAt5EJieWhDSKX4tFlUOEr2U1gA="; - } - - { - # pepos_two - allowedIPs = [pepos_two-wg]; + # pepos + allowedIPs = [pepos-wg]; publicKey = "mb1VaMLML5J24oCMBuhqvBrT6S4tAqWERn30z+h/LwM="; } @@ -223,9 +209,9 @@ with import ./network.nix; } { - # boogino - allowedIPs = [boogino-wg]; - publicKey = "p21tD9S04+b+TC27a1CvkJL7V6fcfjOpVU7Ke1FzV3A="; + # wolfsonhouse + allowedIPs = [wolfsonhouse-wg]; + publicKey = "UJRJcAOcnEjEB3o4K2I7gEM97SrhENEesZNf28z+EBQ="; } { @@ -257,6 +243,12 @@ with import ./network.nix; allowedIPs = [jacopo-wg]; publicKey = "W/taWI79bPIKOolVVu5xZfiJnPw9K91Xn1zhcM0+4g0="; } + + { + # frznn + allowedIPs = [frznn-wg]; + publicKey = "dXcrdME6VnnE5PBYwvUmayf7cn2wpcExeCR9gIXOO0o="; + } ]; }; }; From 14c1b77f91e3c0e3c0d34885254045b89ccccf31 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Fri, 19 Nov 2021 11:39:04 +0100 Subject: [PATCH 08/15] added github-runner --- flake.lock | 12 ++++++------ hosts/architect/default.nix | 1 + hosts/architect/githubrunner.nix | 9 +++++++++ hosts/architect/network.nix | 13 ++++++------- hosts/architect/overseerr.nix | 13 +++++++++++++ 5 files changed, 35 insertions(+), 13 deletions(-) create mode 100644 hosts/architect/githubrunner.nix create mode 100644 hosts/architect/overseerr.nix 
diff --git a/flake.lock b/flake.lock index d0d9a71..f36ebb7 100644 --- a/flake.lock +++ b/flake.lock @@ -23,11 +23,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1635702959, - "narHash": "sha256-ZKxX9DjJJGJqq20pE4dIj1G4ssCLVXXRFerM6lNuF0k=", + "lastModified": 1636800699, + "narHash": "sha256-SwbyVxXffu3G2ulJIbTf0iQfqhbGbdml4Dyv5j9BiAI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e544ee88fa4590df75e221e645a03fe157a99e5b", + "rev": "2fa862644fc15ecb525eb8cd0a60276f1c340c7c", "type": "github" }, "original": { @@ -39,11 +39,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1635719588, - "narHash": "sha256-pWjdy0NheM97NsPE6+jUnr5LYyeA0sBGTdw4mfXMGZQ=", + "lastModified": 1636792033, + "narHash": "sha256-5RwKd3+OolhWAPUQG9SNoptr9eks8j2oukKgjAo5NQA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f0869b1a2c0b150aac26e10bb5c2364ffb2e804f", + "rev": "68d4f5970b69b0fd0a95c57c8d0ab4b2b68fb9aa", "type": "github" }, "original": { diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix index 300cd86..4d9b1cb 100644 --- a/hosts/architect/default.nix +++ b/hosts/architect/default.nix @@ -27,6 +27,7 @@ in ./prowlarr.nix ./plex.nix ./transmission.nix + ./githubrunner.nix ]; time.timeZone = "Europe/Rome"; diff --git a/hosts/architect/githubrunner.nix b/hosts/architect/githubrunner.nix new file mode 100644 index 0000000..1ae2e7d --- /dev/null +++ b/hosts/architect/githubrunner.nix @@ -0,0 +1,9 @@ +{ ... }: + +{ + services.github-runner = { + enable = true; + url = "https://github.com/ropfuscator/ropfuscator"; + tokenFile = "/secrets/github-runner/token"; + }; +} diff --git a/hosts/architect/network.nix b/hosts/architect/network.nix index bac9952..709c8d5 100644 --- a/hosts/architect/network.nix +++ b/hosts/architect/network.nix 
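Review bot: This registers a self-hosted runner for a public repository on the same host that runs the VPN, reverse proxies, git server and media services, and GitHub's own guidance is to use self-hosted runners only with private repositories because workflow code from fork pull requests can run on the runner; the later hunk in PATCH 10 that widens `url` to the whole `ropfuscator` organization extends that exposure to every repository in it. If the runner must stay, keep the "Require approval for all outside collaborators" setting enabled and consider isolating the runner (container or VM, dedicated unprivileged user, no access to /secrets beyond `tokenFile`). `tokenFile` correctly keeps the registration token out of the Nix store; a comment such as `# registration token from the repo/org runner settings; rotate on removal` would help later maintenance.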
@@ -29,9 +29,7 @@ rec { peppiniell-wg = "10.3.0.10"; padulino-wg = "10.3.0.11"; shield-wg = "10.3.0.12"; - angelino-wg = "10.3.0.13"; - pepos_one-wg = "10.3.0.14"; - pepos_two-wg = "10.3.0.15"; + pepos-wg = "10.3.0.15"; salvatore-wg = "10.3.0.16"; papa-wg = "10.3.0.17"; defy-wg = "10.3.0.18"; @@ -45,18 +43,19 @@ rec { mikeylaptop-wg = "10.3.0.26"; andrewdesktop-wg = "10.3.0.27"; jacopo-wg = "10.3.0.28"; + frznn-wg = "10.3.0.29"; eleonora-wg = "10.3.0.100"; angellane-wg = "10.3.0.200"; hotpottino-wg = "10.3.0.201"; dodino-wg = "10.3.0.202"; - boogino-wg = "10.3.0.203"; + wolfsonhouse-wg = "10.3.0.203"; # groups - gdevices-wg = [ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg angelino-wg ]; - routers-wg = [ hotpottino-wg angellane-wg dodino-wg ]; + gdevices-wg = [ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg ]; + routers-wg = [ hotpottino-wg angellane-wg dodino-wg wolfsonhouse-wg ]; c2c-wg = [ ] ++ gdevices-wg; towan-wg = [ shield-wg parisaphone-wg parisapc-wg ] ++ gdevices-wg ++ routers-wg; - gamenet-wg = [ andrew-wg galuminum-wg gbeast-wg mikey-wg andrewdesktop-wg mikeylaptop-wg ]; + gamenet-wg = [ andrew-wg galuminum-wg gbeast-wg mikey-wg andrewdesktop-wg mikeylaptop-wg flavio-wg salvatore-wg ]; # domains sonarrdomain = "htson.giugl.io"; diff --git a/hosts/architect/overseerr.nix b/hosts/architect/overseerr.nix new file mode 100644 index 0000000..08fa25b --- /dev/null +++ b/hosts/architect/overseerr.nix @@ -0,0 +1,13 @@ +{...}: + +{ + virtualisation.oci-containers.containers."overseerr" = { + image = "sctx/overseerr:latest"; + volumes = [ "/var/lib/overseerr:/app/config" ]; + environment = { + "LOG_LEVEL" = "debug"; + "TZ" = "Europe/Rome"; + }; + #ports = [ "5055:5055" ]; + }; +} From 5a8050ed2cc7787e6bcc8dcafd1e0eefa2854b19 Mon Sep 17 00:00:00 2001 
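Review bot: `gamenet-wg` now references `flavio-wg`, which this hunk does not define and no other hunk in the series introduces (the additions are andrew, mikeylaptop, andrewdesktop, jacopo and frznn), so unless `flavio-wg` is declared elsewhere in network.nix outside this hunk, evaluating the `rec` set fails with an undefined variable; add `flavio-wg = "<placeholder-address>";` to the address block or drop it from the group. Moving `wolfsonhouse-wg` into `routers-wg` (and therefore `towan-wg`) grants the rotated key at 10.3.0.203 WAN egress via the `# nat to wan` rule in firewall.nix; a comment on the group (`# routers: sites forwarding a whole LAN, may reach WAN`) would make that implication visible.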
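Review bot: `image = "sctx/overseerr:latest"` is a mutable tag, so each pull may fetch a different image and the deployment is neither reproducible nor auditable; pin a release tag and digest, e.g. `image = "sctx/overseerr:<version>@sha256:<digest>";` (placeholders — take both from the registry). `LOG_LEVEL = "debug"` on a long-running container is noisy and may record request details; `"info"` is a safer default once the service works. Note that overseerr.nix is created but not added to the imports in default.nix, so this file is currently inert.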
From: Giulio De Pasquale Date: Sun, 21 Nov 2021 11:36:57 +0100 Subject: [PATCH 09/15] added neovim formatter pkgs --- roles/home/common.nix | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/roles/home/common.nix b/roles/home/common.nix index b76bac7..a970bb3 100644 --- a/roles/home/common.nix +++ b/roles/home/common.nix @@ -4,22 +4,18 @@ imports = [ ./zsh.nix ./git.nix ]; home = { - stateVersion = "21.05"; + stateVersion = "21.05"; sessionVariables = { EDITOR = "nvim"; VISUAL = "nvim"; }; - packages = with pkgs; [ - rizin - sshfs - nixfmt - ]; + packages = with pkgs; [ rizin sshfs nixfmt ]; }; programs.neovim = { - enable = true; - + enable = true; + extraPackages = with pkgs; [ nodePackages.prettier cmake-format clang-tools rustfmt ]; extraConfig = '' " syntax syntax enable @@ -76,28 +72,32 @@ set cindent cinkeys-=0# set expandtab shiftwidth=2 tabstop=2 softtabstop=2 - set statusline+=%#warningmsg# - set statusline+=%{SyntasticStatuslineFlag()} - set statusline+=%* + " Enable alignment + let g:neoformat_basic_format_align = 1 + + " Enable tab to spaces conversion + let g:neoformat_basic_format_retab = 1 + + " Enable trimmming of trailing whitespace + let g:neoformat_basic_format_trim = 1 ''; - viAlias = true; + viAlias = true; vimAlias = true; - plugins = with pkgs.vimPlugins; [ + plugins = with pkgs.vimPlugins; [ vim-nix molokai YouCompleteMe vim-airline vim-airline-themes - vim-lsp + vim-lsp vim-indent-guides - vim-signify + vim-signify nerdtree vim-easy-align vim-fugitive - vim-yaml - vim-autoformat vimtex + neoformat ]; }; } From 9ff2e78681afca73208ee7fb66f61a22d0dfdfb5 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Sun, 21 Nov 2021 11:37:18 +0100 Subject: [PATCH 10/15] added github-runner --- flake.lock | 18 +++++++++--------- hosts/architect/default.nix | 3 +++ hosts/architect/githubrunner.nix | 3 ++- 3 files changed, 14 insertions(+), 10 deletions(-) 
diff --git a/flake.lock b/flake.lock index f36ebb7..9cac6e8 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1634544068, - "narHash": "sha256-RlRQBaAHfdWqfRyHdWuDPMkplBTYwuyDQqDcNbP/Sog=", + "lastModified": 1637019201, + "narHash": "sha256-lq4gz51fx4m5FXfx1SCB444aEBeaYtLMVm3P18Wi9ls=", "owner": "rycee", "repo": "home-manager", - "rev": "ff2bed9dac84fb202bbb3c49fdcfe30c29d0b12f", + "rev": "bcf03fa16a1f06b8a0abb27bf49afa8d6fffe8f1", "type": "github" }, "original": { @@ -23,11 +23,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1636800699, - "narHash": "sha256-SwbyVxXffu3G2ulJIbTf0iQfqhbGbdml4Dyv5j9BiAI=", + "lastModified": 1637155076, + "narHash": "sha256-26ZPNiuzlsnXpt55Q44+yzXvp385aNAfevzVEKbrU5Q=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2fa862644fc15ecb525eb8cd0a60276f1c340c7c", + "rev": "715f63411952c86c8f57ab9e3e3cb866a015b5f2", "type": "github" }, "original": { @@ -39,11 +39,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1636792033, - "narHash": "sha256-5RwKd3+OolhWAPUQG9SNoptr9eks8j2oukKgjAo5NQA=", + "lastModified": 1636944046, + "narHash": "sha256-74KLDsiWSBsYXKj/ql9EGbw1TbIJRE7clFkhl30HV/c=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "68d4f5970b69b0fd0a95c57c8d0ab4b2b68fb9aa", + "rev": "46251a79f752ae1d46ef733e8e9760b6d3429da4", "type": "github" }, "original": { diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix index 4d9b1cb..fccb0dd 100644 --- a/hosts/architect/default.nix +++ b/hosts/architect/default.nix @@ -124,6 +124,9 @@ in opengl.driSupport = true; }; + boot.crashDump.enable = true; + services.das_watchdog.enable = true; + services = { zfs.autoScrub.enable = true; xserver.videoDrivers = [ "nvidia" ]; diff --git a/hosts/architect/githubrunner.nix b/hosts/architect/githubrunner.nix index 1ae2e7d..b12c605 100644 --- a/hosts/architect/githubrunner.nix +++ b/hosts/architect/githubrunner.nix 
@@ -3,7 +3,8 @@ { services.github-runner = { enable = true; - url = "https://github.com/ropfuscator/ropfuscator"; + url = "https://github.com/ropfuscator"; tokenFile = "/secrets/github-runner/token"; + replace = true; }; } From 9cd3f738e34eab3875d3ea83431207e33063e003 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 22 Nov 2021 00:41:17 +0100 Subject: [PATCH 11/15] formatting --- hosts/architect/default.nix | 237 ++++++++++++++++++------------------ 1 file changed, 119 insertions(+), 118 deletions(-) diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix index fccb0dd..f4fa26f 100644 --- a/hosts/architect/default.nix +++ b/hosts/architect/default.nix 
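Review bot: Changing `url` from the repository to the `ropfuscator` organisation registers an org-level runner, so every repository in that org — not just ropfuscator/ropfuscator — can dispatch jobs that execute arbitrary code on architect, which from the other imports in this host's config is also the machine running Gitea, Nextcloud, WireGuard and the rest. If that widening is intended, pin it down: limit which repos may use the runner through the module's group/label options (`runnerGroup` / `extraLabels`, if your nixpkgs has them) and keep the org's repos private, since GitHub advises against self-hosted runners for public repositories for exactly this reason. `replace = true` means an existing registration with the same name is evicted on every rebuild, so make sure the runner name is unique to this host. A one-line comment on `url` stating that org-wide scope is deliberate would stop the next reader from narrowing it back.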
@@ -2,140 +2,141 @@ with import ./network.nix; let - pubkeys = ["ssh-rsa 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 giulio@giulio-X230"]; - hostname = "architect"; -in - { - imports = - [ # Include the results of the hardware scan. - ./backup.nix - ./hardware.nix - ./firewall.nix - ./nginx.nix - ./gitea.nix - ./sonarr.nix - ./radarr.nix - ./bazarr.nix - ./nzbget.nix - ./nextcloud.nix - ./wireguard.nix - ./minio.nix - ./matrix.nix - ./fail2ban.nix - ./dns.nix - ./minecraft.nix - ./prowlarr.nix - ./plex.nix - ./transmission.nix - ./githubrunner.nix - ]; + pubkeys = [ + "ssh-rsa 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 giulio@giulio-X230" + ]; + hostname = "architect"; +in { + imports = [ # Include the results of the hardware scan. + ./backup.nix + ./hardware.nix + ./firewall.nix + ./nginx.nix + ./gitea.nix + ./sonarr.nix + ./radarr.nix + ./bazarr.nix + ./nzbget.nix + ./nextcloud.nix + ./wireguard.nix + ./minio.nix + ./matrix.nix + ./fail2ban.nix + ./dns.nix + ./minecraft.nix + ./prowlarr.nix + ./plex.nix + ./transmission.nix + ./githubrunner.nix + ]; - time.timeZone = "Europe/Rome"; - system.stateVersion = "21.05"; # Did you read the comment? - users.users.giulio.openssh.authorizedKeys.keys = pubkeys; + time.timeZone = "Europe/Rome"; + system.stateVersion = "21.05"; # Did you read the comment? 
+ users.users.giulio.openssh.authorizedKeys.keys = pubkeys; - fileSystems."/tmp" = { - device = "tmpfs"; - fsType = "tmpfs"; - options = ["size=20G"]; - }; + fileSystems."/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = [ "size=20G" ]; + }; - boot = { - kernelParams = ["ip=${architect-lan}::10.0.0.1:255.255.255.0::${wan-if}:off"]; - kernel.sysctl."net.ipv4.ip_forward" = 1; + boot = { + kernelParams = + [ "ip=${architect-lan}::10.0.0.1:255.255.255.0::${wan-if}:off" ]; + kernel.sysctl."net.ipv4.ip_forward" = 1; - initrd = { - availableKernelModules = ["igc" "r8169"]; - network = { + initrd = { + availableKernelModules = [ "igc" "r8169" ]; + network = { + enable = true; + ssh = { enable = true; - ssh = { - enable = true; - port = 22; - hostKeys = [/boot/ssh_host_rsa_key]; - authorizedKeys = pubkeys; - }; - - postCommands = '' - zpool import backedpool - zpool import zpool - - mkdir /mnt-root - echo "zfs load-key -ar; mount -t zfs zpool/nixos/root /mnt-root; zfs load-key -a; umount /mnt-root; rmdir /mnt-root; killall zfs" >> /root/.profile - ''; + port = 22; + hostKeys = [ /boot/ssh_host_rsa_key ]; + authorizedKeys = pubkeys; }; - }; - loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; + postCommands = '' + zpool import backedpool + zpool import zpool - supportedFilesystems = ["zfs"]; - zfs.enableUnstable = true; - zfs.requestEncryptionCredentials = true; + mkdir /mnt-root + echo "zfs load-key -ar; mount -t zfs zpool/nixos/root /mnt-root; zfs load-key -a; umount /mnt-root; rmdir /mnt-root; killall zfs" >> /root/.profile + ''; + }; }; - networking = { - hostName = hostname; - hostId = "49350853"; - useDHCP = false; - defaultGateway = "10.0.0.1"; - interfaces = { - enp5s0.ipv4.addresses = [{ address = architect-lan; prefixLength = 24; }]; - enp6s0.useDHCP = false; - wlp4s0.useDHCP = false; - }; - extraHosts = '' - 127.0.0.1 ${hostname}.devs.giugl.io localhost - - # LAN - ${architect-lan} ${hostname}.devs.giugl.io - - ${dvr-lan} 
dvr.devs.giugl.io - ${nas-lan} nas.devs.giugl.io - ${giupi-lan} giupi.devs.giugl.io - - # Blacklist - 0.0.0.0 metrics.plex.tv - 0.0.0.0 analytics.plex.tv - 0.0.0.0 cdn.luckyorange.com - 0.0.0.0 w1.luckyorange.com - 0.0.0.0 browser.sentry-cdn.com - 0.0.0.0 analytics.facebook.com - 0.0.0.0 ads.facebook.com - 0.0.0.0 extmaps-api.yandex.net - 0.0.0.0 logservice.hicloud.com - 0.0.0.0 logbak.hicloud.com - 0.0.0.0 logservice1.hicloud.com - 0.0.0.0 samsung-com.112.2o7.net - 0.0.0.0 supportmetrics.apple.com - 0.0.0.0 analytics.oneplus.cn - 0.0.0.0 click.oneplus.cn - 0.0.0.0 analytics-api.samsunghealthcn.com - ''; + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; }; - environment.systemPackages = with pkgs; [ cudatoolkit ]; + supportedFilesystems = [ "zfs" ]; + zfs.enableUnstable = true; + zfs.requestEncryptionCredentials = true; + }; - hardware = { - cpu.amd.updateMicrocode = true; - opengl.enable = true; - opengl.extraPackages= with pkgs; [vaapiVdpau]; - opengl.driSupport = true; + networking = { + hostName = hostname; + hostId = "49350853"; + useDHCP = false; + defaultGateway = "10.0.0.1"; + interfaces = { + enp5s0.ipv4.addresses = [{ + address = architect-lan; + prefixLength = 24; + }]; + enp6s0.useDHCP = false; + wlp4s0.useDHCP = false; }; + extraHosts = '' + 127.0.0.1 ${hostname}.devs.giugl.io localhost + + # LAN + ${architect-lan} ${hostname}.devs.giugl.io + + ${dvr-lan} dvr.devs.giugl.io + ${nas-lan} nas.devs.giugl.io + ${giupi-lan} giupi.devs.giugl.io + + # Blacklist + 0.0.0.0 metrics.plex.tv + 0.0.0.0 analytics.plex.tv + 0.0.0.0 cdn.luckyorange.com + 0.0.0.0 w1.luckyorange.com + 0.0.0.0 browser.sentry-cdn.com + 0.0.0.0 analytics.facebook.com + 0.0.0.0 ads.facebook.com + 0.0.0.0 extmaps-api.yandex.net + 0.0.0.0 logservice.hicloud.com + 0.0.0.0 logbak.hicloud.com + 0.0.0.0 logservice1.hicloud.com + 0.0.0.0 samsung-com.112.2o7.net + 0.0.0.0 supportmetrics.apple.com + 0.0.0.0 analytics.oneplus.cn + 0.0.0.0 click.oneplus.cn + 0.0.0.0 
analytics-api.samsunghealthcn.com + ''; + }; + + environment.systemPackages = with pkgs; [ cudatoolkit ]; + + hardware = { + cpu.amd.updateMicrocode = true; + opengl.enable = true; + opengl.extraPackages = with pkgs; [ vaapiVdpau ]; + opengl.driSupport = true; + }; boot.crashDump.enable = true; services.das_watchdog.enable = true; - services = { - zfs.autoScrub.enable = true; - xserver.videoDrivers = [ "nvidia" ]; - openssh.enable = true; - smartd.enable = true; - }; - - environment.variables = { - LIBVA_DRIVER_NAME="vdpau"; - }; - } + services = { + zfs.autoScrub.enable = true; + xserver.videoDrivers = [ "nvidia" ]; + openssh.enable = true; + smartd.enable = true; + }; + environment.variables = { LIBVA_DRIVER_NAME = "vdpau"; }; +} From f16d56e8be2cf3cb99a27bad4fa12c24efc089b8 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Thu, 25 Nov 2021 12:25:57 +0100 Subject: [PATCH 12/15] add runner and remove giugl.io from nginx --- hosts/architect/githubrunner.nix | 5 ++++ hosts/architect/nginx.nix | 44 ++++++++++++++++---------------- 2 files changed, 27 insertions(+), 22 deletions(-) diff --git a/hosts/architect/githubrunner.nix b/hosts/architect/githubrunner.nix index b12c605..c6e9620 100644 --- a/hosts/architect/githubrunner.nix +++ b/hosts/architect/githubrunner.nix @@ -7,4 +7,9 @@ tokenFile = "/secrets/github-runner/token"; replace = true; }; + + nix.extraOptions = '' + tarball-ttl = 0 + access-tokens = github.com=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 + ''; } diff --git a/hosts/architect/nginx.nix b/hosts/architect/nginx.nix index 6afe640..3b40cba 100644 --- a/hosts/architect/nginx.nix +++ b/hosts/architect/nginx.nix 
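Review bot: `hostKeys = [ /boot/ssh_host_rsa_key ];` in the `boot.initrd.network.ssh` block uses an unquoted Nix path literal, and a path literal is copied into the world-readable /nix/store at evaluation time, which leaves the initrd SSH host private key readable by every local user (and by anything that mirrors the store); the reformat kept it unquoted. Pass it as a string so the module can treat it as an initrd secret instead: `hostKeys = [ "/boot/ssh_host_rsa_key" ];`. Even then the key lives on the unencrypted ESP, which is unavoidable for pre-unlock SSH but means it must remain a dedicated initrd-only key and never the main sshd host key — worth stating in place: `# dedicated initrd-only key on the unencrypted ESP; must never be the main host key`.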
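Review bot: `access-tokens = github.com=ghp_…` commits a live GitHub personal access token to the repository and, via `nix.extraOptions`, writes it into the generated nix.conf, which on NixOS is a symlink into the world-readable store — treat it as leaked and revoke it on GitHub now, because rewriting history does not un-publish it. Keep the token out of the evaluated config the same way `tokenFile` already does for the runner: point nix.conf at a root-only file, e.g. `nix.extraOptions = "!include /secrets/nix/access-tokens.conf";` with the `access-tokens = …` line inside that file (`!include` tolerates a missing file; confirm your Nix version supports the directive), or put it in the per-user nix.conf of the account that actually performs these fetches. Whatever replaces it should be a minimal-scope token, since reading private ropfuscator repos is all this needs. `tarball-ttl = 0` is unrelated to the token and deserves its own comment explaining why tarball caching is disabled.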
@@ -8,28 +8,28 @@ recommendedProxySettings = true; recommendedTlsSettings = true; - virtualHosts."giugl.io" = { - default = true; - enableACME = true; - addSSL = true; - root = "/var/lib/nginx/error_pages"; - extraConfig = "error_page 404 /index.htm;"; - - locations = { - "/" = { - return = "404"; - }; - - "/index.htm" = { - }; - - "/style.css" = { - }; - - "/wat.jpg" = { - }; - }; - }; +# virtualHosts."giugl.io" = { +# default = true; +# enableACME = true; +# addSSL = true; +# root = "/var/lib/nginx/error_pages"; +# extraConfig = "error_page 404 /index.htm;"; +# +# locations = { +# "/" = { +# return = "404"; +# }; +# +# "/index.htm" = { +# }; +# +# "/style.css" = { +# }; +# +# "/wat.jpg" = { +# }; +# }; +# }; }; users.groups.acme.members = [ "nginx" ]; From 824695332e3685a64c729b415e7da1dafcd3568e Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Thu, 25 Nov 2021 12:26:21 +0100 Subject: [PATCH 13/15] removed redundant packages --- roles/common.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/common.nix b/roles/common.nix index d9a581c..2f4fad6 100644 --- a/roles/common.nix +++ b/roles/common.nix @@ -41,9 +41,7 @@ glances tcpdump restic - binutils neovim - ripgrep tmux parted unzip From f7455094844a0fd43a18d94bc17ab07b9d796fb5 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Thu, 25 Nov 2021 12:26:29 +0100 Subject: [PATCH 14/15] add delta to git --- roles/home/git.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/home/git.nix b/roles/home/git.nix index 55897d8..2f3dd1a 100644 --- a/roles/home/git.nix +++ b/roles/home/git.nix @@ -3,5 +3,6 @@ enable = true; userName = "Giulio De Pasquale"; userEmail = "depasquale+git@giugl.io"; + delta.enable = true; }; } From 767c798ae60d84b12ae7251a89dca6f744642c49 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Thu, 25 Nov 2021 12:26:54 +0100 Subject: [PATCH 15/15] lock --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
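Review bot: Commenting out the `giugl.io` vhost also removes the only `default = true;` server, so requests matching no `server_name` or SNI — scans of the bare IP, stale DNS names — are now answered by whichever remaining vhost nginx treats as its implicit default (the first server block in the generated config, as far as I recall), presumably one of the internal service proxies, and that vhost's certificate is what an unknown-SNI client is shown. Keep a deliberate catch-all that serves nothing: `virtualHosts."_" = { default = true; rejectSSL = true; locations."/".return = "444"; };` (`rejectSSL` if your nixpkgs has it; otherwise a plain HTTP default that returns 444). The two dozen commented-out lines should be deleted rather than kept — git has the history and dead config drifts.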
diff --git a/flake.lock b/flake.lock index 9cac6e8..f332b31 100644 --- a/flake.lock +++ b/flake.lock @@ -23,11 +23,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1637155076, - "narHash": "sha256-26ZPNiuzlsnXpt55Q44+yzXvp385aNAfevzVEKbrU5Q=", + "lastModified": 1637595801, + "narHash": "sha256-LkIMwVFKCuEqidaUdg8uxwpESAXjsPo4oCz3eJ7RaRw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "715f63411952c86c8f57ab9e3e3cb866a015b5f2", + "rev": "263ef4cc4146c9fab808085487438c625d4426a9", "type": "github" }, "original": { @@ -39,11 +39,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1636944046, - "narHash": "sha256-74KLDsiWSBsYXKj/ql9EGbw1TbIJRE7clFkhl30HV/c=", + "lastModified": 1637615379, + "narHash": "sha256-wL5+nm7z+42IHyhc52P3aAj1Kp2fQ6C8IyPBihj7Bjg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "46251a79f752ae1d46ef733e8e9760b6d3429da4", + "rev": "09650059d7f5ae59a7f0fb2dd3bfc6d2042a74de", "type": "github" }, "original": {