Merge branch 'master' of ssh://git.giugl.io:10022/peperunas/nixos

This commit is contained in:
Giulio De Pasquale 2021-11-25 11:39:17 +00:00
commit 522e4b7bbc
21 changed files with 453 additions and 326 deletions

18
flake.lock generated

@ -7,11 +7,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1633596850, "lastModified": 1637019201,
"narHash": "sha256-5+qVLYvfOropjLAvpQs/APtD8eYnEIbAd9a36lGHZM0=", "narHash": "sha256-lq4gz51fx4m5FXfx1SCB444aEBeaYtLMVm3P18Wi9ls=",
"owner": "rycee", "owner": "rycee",
"repo": "home-manager", "repo": "home-manager",
"rev": "49695f33aac22358b59e49c94fe6472218e5d766", "rev": "bcf03fa16a1f06b8a0abb27bf49afa8d6fffe8f1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -23,11 +23,11 @@
}, },
"nixos-unstable": { "nixos-unstable": {
"locked": { "locked": {
"lastModified": 1633971123, "lastModified": 1637595801,
"narHash": "sha256-WmI4NbH1IPGFWVkuBkKoYgOnxgwSfWDgdZplJlQ93vA=", "narHash": "sha256-LkIMwVFKCuEqidaUdg8uxwpESAXjsPo4oCz3eJ7RaRw=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "e4ef597edfd8a0ba5f12362932fc9b1dd01a0aef", "rev": "263ef4cc4146c9fab808085487438c625d4426a9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -39,11 +39,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1634115022, "lastModified": 1637615379,
"narHash": "sha256-K9DZMQ47VRrg9gtTPwex5p0E8LnwM/dDkNe7AQW0qj0=", "narHash": "sha256-wL5+nm7z+42IHyhc52P3aAj1Kp2fQ6C8IyPBihj7Bjg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "564cb4d81d4f734dd068684adec5a60077397fe9", "rev": "09650059d7f5ae59a7f0fb2dd3bfc6d2042a74de",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -28,9 +28,9 @@
inherit (utils) user; inherit (utils) user;
in { in {
nixosConfigurations = { nixosConfigurations = {
architect = host.mkHost { name = "architect"; users = [ { user = "giulio"; roles = []; } ]; }; architect = host.mkHost { name = "architect"; users = [ { user = "giulio"; roles = [ "git" ]; } ]; };
gAluminum = host.mkHost { name = "gAluminum"; users = [ { user = "giulio"; roles = [ "desktop" "ssh" "git" ]; } ]; roles = [ "gnome" ]; }; gAluminum = host.mkHost { name = "gAluminum"; users = [ { user = "giulio"; roles = [ "desktop" "ssh" "git" ]; } ]; roles = [ "gnome" ]; };
proxy = host.mkHost { name = "proxy"; }; proxy = host.mkHost { name = "proxy"; users = []; };
}; };
}; };
} }


@ -2,12 +2,12 @@
with import ./network.nix; with import ./network.nix;
let let
pubkeys = ["ssh-rsa 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 giulio@giulio-X230"]; pubkeys = [
"ssh-rsa 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 giulio@giulio-X230"
];
hostname = "architect"; hostname = "architect";
in in {
{ imports = [ # Include the results of the hardware scan.
imports =
[ # Include the results of the hardware scan.
./backup.nix ./backup.nix
./hardware.nix ./hardware.nix
./firewall.nix ./firewall.nix
@ -17,7 +17,6 @@ in
./radarr.nix ./radarr.nix
./bazarr.nix ./bazarr.nix
./nzbget.nix ./nzbget.nix
# ./jellyfin.nix
./nextcloud.nix ./nextcloud.nix
./wireguard.nix ./wireguard.nix
./minio.nix ./minio.nix
@ -25,8 +24,10 @@ in
./fail2ban.nix ./fail2ban.nix
./dns.nix ./dns.nix
./minecraft.nix ./minecraft.nix
# ./prowlarr.nix ./prowlarr.nix
./plex.nix ./plex.nix
./transmission.nix
./githubrunner.nix
]; ];
time.timeZone = "Europe/Rome"; time.timeZone = "Europe/Rome";
@ -40,7 +41,8 @@ in
}; };
boot = { boot = {
kernelParams = ["ip=${architect-lan}::10.0.0.1:255.255.255.0::${wan-if}:off"]; kernelParams =
[ "ip=${architect-lan}::10.0.0.1:255.255.255.0::${wan-if}:off" ];
kernel.sysctl."net.ipv4.ip_forward" = 1; kernel.sysctl."net.ipv4.ip_forward" = 1;
initrd = { initrd = {
@ -80,7 +82,10 @@ in
useDHCP = false; useDHCP = false;
defaultGateway = "10.0.0.1"; defaultGateway = "10.0.0.1";
interfaces = { interfaces = {
enp5s0.ipv4.addresses = [{ address = architect-lan; prefixLength = 24; }]; enp5s0.ipv4.addresses = [{
address = architect-lan;
prefixLength = 24;
}];
enp6s0.useDHCP = false; enp6s0.useDHCP = false;
wlp4s0.useDHCP = false; wlp4s0.useDHCP = false;
}; };
@ -94,35 +99,6 @@ in
${nas-lan} nas.devs.giugl.io ${nas-lan} nas.devs.giugl.io
${giupi-lan} giupi.devs.giugl.io ${giupi-lan} giupi.devs.giugl.io
# Wireguard hosts
${architect-wg} ${hostname}.devs.giugl.io
${galuminum-wg} galuminum.devs.giugl.io
${oneplus-wg} oneplus.devs.giugl.io
${ipad-wg} ipad.devs.giugl.io
${manduria-wg} manduria.devs.giugl.io
${antonio-wg} antonio.devs.giugl.io
${gbeast-wg} gbeast.devs.giugl.io
${parisaphone-wg} parisa-phone.devs.giugl.io
${parisapc-wg} parisa-pc.devs.giugl.io
${peppiniell-wg} peppiniell.devs.giugl.io
${padulino-wg} padulino.devs.giugl.io
${shield-wg} shield.devs.giugl.io
${angelino-wg} angelino.devs.giugl.io
${pepos_two-wg} pepostwo.devs.giugl.io
${eleonora-wg} eleonora.devs.giugl.io
${angellane-wg} angellane.devs.giugl.io
${hotpottino-wg} hotpottino.devs.giugl.io
${salvatore-wg} salvatore.devs.giugl.io
${papa-wg} papa.devs.giugl.io
${defy-wg} defy.devs.giugl.io
${germano-wg} germano.devs.giugl.io
${dodino-wg} dodino.devs.giugl.io
${tommy-wg} tommy.devs.giugl.io
${alain-wg} alain.devs.giugl.io
${dima-wg} dima.devs.giugl.io
${boogino-wg} boogino.devs.giugl.io
${mikey-wg} mikey.devs.giugl.io
# Blacklist # Blacklist
0.0.0.0 metrics.plex.tv 0.0.0.0 metrics.plex.tv
0.0.0.0 analytics.plex.tv 0.0.0.0 analytics.plex.tv
@ -143,11 +119,7 @@ in
''; '';
}; };
environment.systemPackages = with pkgs; environment.systemPackages = with pkgs; [ cudatoolkit ];
[
wireguard
cudatoolkit
];
hardware = { hardware = {
cpu.amd.updateMicrocode = true; cpu.amd.updateMicrocode = true;
@ -156,6 +128,9 @@ in
opengl.driSupport = true; opengl.driSupport = true;
}; };
boot.crashDump.enable = true;
services.das_watchdog.enable = true;
services = { services = {
zfs.autoScrub.enable = true; zfs.autoScrub.enable = true;
xserver.videoDrivers = [ "nvidia" ]; xserver.videoDrivers = [ "nvidia" ];
@ -163,8 +138,5 @@ in
smartd.enable = true; smartd.enable = true;
}; };
environment.variables = { environment.variables = { LIBVA_DRIVER_NAME = "vdpau"; };
LIBVA_DRIVER_NAME="vdpau";
};
} }
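Review bot: `boot.crashDump.enable = true` is added without any note of why, and kdump writes an image of kernel memory to disk after a panic; on a host that holds WireGuard private keys and service credentials in memory those images are sensitive in their own right. If the option is there for a specific hang being debugged, a comment such as `# kdump enabled to diagnose panics; crash images contain kernel memory, restrict access and remove once resolved` records the intent and the cleanup condition. The same applies to `services.das_watchdog.enable`, which is presumably related but is otherwise unexplained. Both lines sit inside a module whose body continues outside this hunk.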


@ -9,10 +9,12 @@ let
443 # https 443 # https
8448 # matrix 8448 # matrix
10022 # gitea 10022 # gitea
51413 # transmission
]; ];
open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [ open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
1194 # wireguard 1194 # wireguard
3478 # turn 3478 # turn
51413 # transmission
]; ];
in { in {
networking = { networking = {
@ -134,6 +136,7 @@ in {
# gdevices talking to everyone in VPN # gdevices talking to everyone in VPN
ip saddr {${lib.concatStringsSep "," gdevices-wg}} ip daddr ${vpn-net} accept ip saddr {${lib.concatStringsSep "," gdevices-wg}} ip daddr ${vpn-net} accept
ip saddr {${lib.concatStringsSep "," gamenet-wg}} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept
# nat to wan # nat to wan
oifname ${wan-if} ip saddr {${lib.concatStringsSep "," towan-wg}} accept oifname ${wan-if} ip saddr {${lib.concatStringsSep "," towan-wg}} accept
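Review bot: The new `ip saddr {…gamenet-wg} ip daddr {…gamenet-wg} accept` rule grants every member of the gamenet group unrestricted access to every other member, and that group (defined in network.nix) mixes the owner's machines with third-party devices such as `andrew-wg` and `mikeylaptop-wg`. If the goal is game traffic only, narrowing the rule with a `udp dport { … }` match for the ports actually used, and adding a `# gamenet: peers may reach each other on game ports only` comment, keeps the rest of those hosts unreachable from each other. The nftables ruleset string this rule sits in begins outside the hunk.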


@ -0,0 +1,15 @@
{ ... }:
{
services.github-runner = {
enable = true;
url = "https://github.com/ropfuscator";
tokenFile = "/secrets/github-runner/token";
replace = true;
};
nix.extraOptions = ''
tarball-ttl = 0
access-tokens = github.com=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
'';
}
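Review bot: The `access-tokens = github.com=ghp_…` line commits a GitHub personal access token in plaintext to the repository, and `nix.extraOptions` copies it into the generated nix.conf, so the token should be treated as exposed: revoke it on GitHub and keep its replacement out of the repo the way the runner already does with `tokenFile = "/secrets/github-runner/token"`. nix.conf accepts `!include /path/to/file` in `extraOptions`, so the replacement can live next to the runner token under `/secrets` rather than in this file. Separately, `url = "https://github.com/ropfuscator"` registers an organisation-level self-hosted runner on the main home server; since jobs execute with the runner's privileges it is worth confirming that no public repository in that organisation can dispatch workflows to it, and recording that decision in a comment.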


@ -29,9 +29,7 @@ rec {
peppiniell-wg = "10.3.0.10"; peppiniell-wg = "10.3.0.10";
padulino-wg = "10.3.0.11"; padulino-wg = "10.3.0.11";
shield-wg = "10.3.0.12"; shield-wg = "10.3.0.12";
angelino-wg = "10.3.0.13"; pepos-wg = "10.3.0.15";
pepos_one-wg = "10.3.0.14";
pepos_two-wg = "10.3.0.15";
salvatore-wg = "10.3.0.16"; salvatore-wg = "10.3.0.16";
papa-wg = "10.3.0.17"; papa-wg = "10.3.0.17";
defy-wg = "10.3.0.18"; defy-wg = "10.3.0.18";
@ -41,17 +39,23 @@ rec {
alain-wg = "10.3.0.22"; alain-wg = "10.3.0.22";
dima-wg = "10.3.0.23"; dima-wg = "10.3.0.23";
mikey-wg = "10.3.0.24"; mikey-wg = "10.3.0.24";
andrew-wg = "10.3.0.25";
mikeylaptop-wg = "10.3.0.26";
andrewdesktop-wg = "10.3.0.27";
jacopo-wg = "10.3.0.28";
frznn-wg = "10.3.0.29";
eleonora-wg = "10.3.0.100"; eleonora-wg = "10.3.0.100";
angellane-wg = "10.3.0.200"; angellane-wg = "10.3.0.200";
hotpottino-wg = "10.3.0.201"; hotpottino-wg = "10.3.0.201";
dodino-wg = "10.3.0.202"; dodino-wg = "10.3.0.202";
boogino-wg = "10.3.0.203"; wolfsonhouse-wg = "10.3.0.203";
# groups # groups
gdevices-wg = [ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg angelino-wg ]; gdevices-wg = [ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg ];
routers-wg = [ hotpottino-wg angellane-wg dodino-wg ]; routers-wg = [ hotpottino-wg angellane-wg dodino-wg wolfsonhouse-wg ];
c2c-wg = [ ] ++ gdevices-wg; c2c-wg = [ ] ++ gdevices-wg;
towan-wg = [ shield-wg parisaphone-wg parisapc-wg ] ++ gdevices-wg ++ routers-wg; towan-wg = [ shield-wg parisaphone-wg parisapc-wg ] ++ gdevices-wg ++ routers-wg;
gamenet-wg = [ andrew-wg galuminum-wg gbeast-wg mikey-wg andrewdesktop-wg mikeylaptop-wg flavio-wg salvatore-wg ];
# domains # domains
sonarrdomain = "htson.giugl.io"; sonarrdomain = "htson.giugl.io";
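Review bot: `gamenet-wg` on the new side references `flavio-wg`, but neither visible hunk of this `rec` set defines it; unless it is declared elsewhere in the file, every host that does `with import ./network.nix` fails to evaluate with an undefined-variable error. `jacopo-wg` and `andrewdesktop-wg` are defined here and receive peers in wireguard.nix, yet the new `extraHosts` block in that file omits both, so the name mapping is incomplete for those two devices. Reassigning `10.3.0.203` from `boogino-wg` to `wolfsonhouse-wg` is fine given the old public key is removed in the wireguard.nix hunk; a short comment such as `# .13/.14 freed by removing angelino and pepos_one` would keep the gap from being reused by accident.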


@ -8,28 +8,28 @@
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
virtualHosts."giugl.io" = { # virtualHosts."giugl.io" = {
default = true; # default = true;
enableACME = true; # enableACME = true;
addSSL = true; # addSSL = true;
root = "/var/lib/nginx/error_pages"; # root = "/var/lib/nginx/error_pages";
extraConfig = "error_page 404 /index.htm;"; # extraConfig = "error_page 404 /index.htm;";
#
locations = { # locations = {
"/" = { # "/" = {
return = "404"; # return = "404";
}; # };
#
"/index.htm" = { # "/index.htm" = {
}; # };
#
"/style.css" = { # "/style.css" = {
}; # };
#
"/wat.jpg" = { # "/wat.jpg" = {
}; # };
}; # };
}; # };
}; };
users.groups.acme.members = [ "nginx" ]; users.groups.acme.members = [ "nginx" ];
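Review bot: Commenting out the `giugl.io` vhost removes the only server marked `default = true`, so requests for an unknown Host name or the bare IP now fall through to whichever server block nginx picks first for that listen address — in the generated config presumably the alphabetically first vhost, which may be one of the internal-service proxies. Keeping a minimal catch-all, e.g. `virtualHosts."_" = { default = true; locations."/".return = "444"; };`, preserves the previous behaviour of refusing unmatched requests. The commented-out block itself should simply be deleted rather than kept as `#` lines, since the history is in git.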


@ -0,0 +1,13 @@
{...}:
{
virtualisation.oci-containers.containers."overseerr" = {
image = "sctx/overseerr:latest";
volumes = [ "/var/lib/overseerr:/app/config" ];
environment = {
"LOG_LEVEL" = "debug";
"TZ" = "Europe/Rome";
};
#ports = [ "5055:5055" ];
};
}
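Review bot: `image = "sctx/overseerr:latest"` pulls a mutable tag, so each rebuild can silently deploy a different image; pinning by digest (`image = "sctx/overseerr@sha256:<digest>"`, placeholder) or at least to a release tag keeps the deployment reproducible and auditable. With `ports` commented out nothing publishes the container's port, so unless a proxy reaches it by some route not in this diff the service is unreachable — a comment stating how it is meant to be accessed would help the next reader. `LOG_LEVEL = "debug"` is also worth a note if it is meant to stay, since debug logs tend to include request details.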


@ -16,6 +16,10 @@ with import ./network.nix;
enableACME = true; enableACME = true;
http2 = true; http2 = true;
extraConfig = '' extraConfig = ''
allow 10.3.0.0/24;
allow 10.0.0.0/24;
deny all;
#Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
send_timeout 100m; send_timeout 100m;
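Review bot: The new `allow 10.3.0.0/24; allow 10.0.0.0/24; deny all;` lines are placed in the server-level `extraConfig`, and nginx access directives at that level are inherited by every location that does not set its own — including the `/.well-known/acme-challenge` location NixOS generates for `enableACME = true`, so unless that generated location overrides them, Let's Encrypt validation from outside is denied and renewals fail. The transmission vhost added in this same commit scopes the identical rules to `locations."/".extraConfig`, which is the right place; moving them there here keeps the two files consistent and leaves the challenge path reachable. The vhost definition this hunk belongs to starts outside the hunk.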


@ -1,3 +1,5 @@
{ pkgs, ...}:
with import ./network.nix; with import ./network.nix;
{ {
services = { services = {


@ -0,0 +1,41 @@
with import ./network.nix;
let
domain = "httra.giugl.io";
in {
services = {
transmission = {
enable = true;
settings = {
download-dir = "/media/transmission";
incomplete-dir = "/media/transmission/.incomplete";
rpc-host-whitelist = "${domain}";
encryption = 2;
speed-limit-up = 10;
speed-limit-up-enabled = true;
peer-port = 51413;
};
performanceNetParameters = true;
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:9091";
extraConfig = ''
allow 10.0.0.0/24;
allow 10.3.0.0/24;
deny all;
'';
};
};
};
networking.extraHosts = ''
${architect-lan} ${domain}
${architect-wg} ${domain}
'';
users.groups.media.members = ["transmission"];
}
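Review bot: The RPC endpoint is configured with no authentication, so the nginx allow list is the only access control, yet nothing here binds the daemon to loopback — transmission's default is to listen on all interfaces, so any host that can reach port 9091 directly talks to it without passing through nginx at all (whether the LAN can is decided by firewall rules not in this diff). Adding `rpc-bind-address = "127.0.0.1";` to `settings` makes the proxy the only path in, and `rpc-authentication-required = true` with `services.transmission.credentialsFile` adds a second factor for the web UI. As a style point, `rpc-host-whitelist = "${domain}"` can simply be `rpc-host-whitelist = domain;`.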


@ -1,6 +1,39 @@
with import ./network.nix; with import ./network.nix;
{ {
networking.wireguard = { networking = {
extraHosts = ''
${architect-wg} architect.devs.giugl.io
${galuminum-wg} galuminum.devs.giugl.io
${oneplus-wg} oneplus.devs.giugl.io
${ipad-wg} ipad.devs.giugl.io
${manduria-wg} manduria.devs.giugl.io
${antonio-wg} antonio.devs.giugl.io
${gbeast-wg} gbeast.devs.giugl.io
${parisaphone-wg} parisa-phone.devs.giugl.io
${parisapc-wg} parisa-pc.devs.giugl.io
${peppiniell-wg} peppiniell.devs.giugl.io
${padulino-wg} padulino.devs.giugl.io
${shield-wg} shield.devs.giugl.io
${pepos-wg} pepos.devs.giugl.io
${eleonora-wg} eleonora.devs.giugl.io
${angellane-wg} angellane.devs.giugl.io
${hotpottino-wg} hotpottino.devs.giugl.io
${salvatore-wg} salvatore.devs.giugl.io
${papa-wg} papa.devs.giugl.io
${defy-wg} defy.devs.giugl.io
${germano-wg} germano.devs.giugl.io
${dodino-wg} dodino.devs.giugl.io
${tommy-wg} tommy.devs.giugl.io
${alain-wg} alain.devs.giugl.io
${dima-wg} dima.devs.giugl.io
${mikey-wg} mikey.devs.giugl.io
${andrew-wg} andrew.devs.giugl.io
${mikeylaptop-wg} mikeylaptop.devs.giugl.io
${wolfsonhouse-wg} wolfsonhouse.devs.giugl.io
${frznn-wg} frznn.devs.giugl.io
'';
wireguard = {
interfaces.${proxy-if} = { interfaces.${proxy-if} = {
ips = ["10.4.0.2/32"]; ips = ["10.4.0.2/32"];
privateKeyFile = "/secrets/wireguard/proxy.key"; privateKeyFile = "/secrets/wireguard/proxy.key";
@ -26,15 +59,12 @@ with import ./network.nix;
publicKey = "pEEgSs7xmO0cfyvoQlU8lfwqdYM1ISgmPAunPtF+0xw="; publicKey = "pEEgSs7xmO0cfyvoQlU8lfwqdYM1ISgmPAunPtF+0xw=";
} }
{ {
# OnePlus # OnePlus
allowedIPs = [oneplus-wg]; allowedIPs = [oneplus-wg];
# publicKey = "uOQUJo+AfhTAFq50Pt80rdX4PmO28WUARngE2AtwdXU=";
publicKey = "zynSERy6VhxN5zBf1ih3BOAHxvigDixHB9YKnSBgYFs="; publicKey = "zynSERy6VhxN5zBf1ih3BOAHxvigDixHB9YKnSBgYFs=";
} }
{ {
# iPad # iPad
allowedIPs = [ipad-wg]; allowedIPs = [ipad-wg];
@ -118,26 +148,12 @@ with import ./network.nix;
publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs="; publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs=";
} }
{ {
# angelino # pepos
allowedIPs = [angelino-wg]; allowedIPs = [pepos-wg];
publicKey = "MhY4d824LuKPltQHfaUbtWGiQz4XsfqCRAx0n1FDaiY=";
}
{
# pepos_one
allowedIPs = [pepos_one-wg];
publicKey = "HcIqulGahsHJeuq6zAt5EJieWhDSKX4tFlUOEr2U1gA=";
}
{
# pepos_two
allowedIPs = [pepos_two-wg];
publicKey = "mb1VaMLML5J24oCMBuhqvBrT6S4tAqWERn30z+h/LwM="; publicKey = "mb1VaMLML5J24oCMBuhqvBrT6S4tAqWERn30z+h/LwM=";
} }
{ {
# salvatore # salvatore
allowedIPs = [salvatore-wg]; allowedIPs = [salvatore-wg];
@ -193,9 +209,9 @@ with import ./network.nix;
} }
{ {
# boogino # wolfsonhouse
allowedIPs = [boogino-wg]; allowedIPs = [wolfsonhouse-wg];
publicKey = "p21tD9S04+b+TC27a1CvkJL7V6fcfjOpVU7Ke1FzV3A="; publicKey = "UJRJcAOcnEjEB3o4K2I7gEM97SrhENEesZNf28z+EBQ=";
} }
{ {
@ -203,7 +219,38 @@ with import ./network.nix;
allowedIPs = [mikey-wg]; allowedIPs = [mikey-wg];
publicKey = "ewbDdX3z7nxG2aPIf9TogXkhxPlGipLFcy6XfyDC6gI="; publicKey = "ewbDdX3z7nxG2aPIf9TogXkhxPlGipLFcy6XfyDC6gI=";
} }
{
# andrew
allowedIPs = [andrew-wg];
publicKey = "LP/FgST9fmBQSoKQFq9sFGvjRFOtRooMcuEcjuqaoWM=";
}
{
# mikey laptop
allowedIPs = [mikeylaptop-wg];
publicKey = "kz/pY/PgV+dwF1JZ2It4r5B5QfRSQM7HkbFCdvd5Yxk=";
}
{
# andrew desktop
allowedIPs = [andrewdesktop-wg];
publicKey = "rpYr3JNLIzxpxzFuQuaHFEl/XvPEPfwLbDETBP8KYXI=";
}
{
# laptop desktop
allowedIPs = [jacopo-wg];
publicKey = "W/taWI79bPIKOolVVu5xZfiJnPw9K91Xn1zhcM0+4g0=";
}
{
# frznn
allowedIPs = [frznn-wg];
publicKey = "dXcrdME6VnnE5PBYwvUmayf7cn2wpcExeCR9gIXOO0o=";
}
]; ];
}; };
}; };
};
} }
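Review bot: The peer for `jacopo-wg` carries the comment `# laptop desktop`, which looks like a copy-paste leftover from the entries above it; it should read `# jacopo` so the key can be matched to its owner when it needs rotating. Removing the `angelino` and `pepos_one` peers together with their public keys is the right way to retire devices, so nothing further is needed there. The `networking` attribute set opened in the first hunk is closed only in the last one, so the file's structure is not fully visible here.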


@ -1,22 +1,28 @@
{pkgs, config, ...}: {pkgs, config, ...}:
let let
public_ip = "23.88.108.216";
realm = "turn.giugl.io"; realm = "turn.giugl.io";
static-auth-secret = "69duck duck fuck420"; static-auth-secret = "69duck duck fuck420";
in { in {
services.coturn = rec { services.coturn = rec {
inherit realm static-auth-secret;
secure-stun = true;
enable = true; enable = true;
no-cli = true; no-cli = true;
no-tcp-relay = true; no-tcp-relay = true;
min-port = 49000; min-port = 49000;
max-port = 50000; max-port = 50000;
use-auth-secret = true; use-auth-secret = true;
# cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; relay-ips = [ public_ip ];
# pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; listening-ips = [ public_ip ];
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
extraConfig = '' extraConfig = ''
# for debugging
verbose verbose
# ban private IP ranges
cipher-list=\"HIGH\"
no-multicast-peers no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255 denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255 denied-peer-ip=10.0.0.0-10.255.255.255
@ -42,7 +48,6 @@ in {
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
''; '';
}; };
# open the firewall
networking.firewall = { networking.firewall = {
interfaces.ens3 = let interfaces.ens3 = let
range = with config.services.coturn; [ { range = with config.services.coturn; [ {
@ -52,15 +57,18 @@ in {
in in
{ {
allowedUDPPortRanges = range; allowedUDPPortRanges = range;
allowedUDPPorts = [ 3478 ]; allowedUDPPorts = [ 5349 ];
allowedTCPPortRanges = range; #allowedTCPPortRanges = range;
allowedTCPPorts = [ 3478 ]; allowedTCPPorts = [ 80 443 5349 ];
}; };
}; };
# get a certificate
# security.acme.certs.${realm} = { services.nginx.enable = true;
# webroot = "/var/lib/acme/acme-challenge"; services.nginx.virtualHosts.${realm} = {
# postRun = "systemctl restart coturn.service"; addSSL = true;
# group = "turnserver"; enableACME = true;
# }; };
# to access the ACME files
users.groups.nginx.members = [ "turnserver" ];
} }
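Review bot: `cipher-list=\"HIGH\"` sits inside a Nix `''` indented string, which does not process backslash escapes, so turnserver.conf receives the literal text `cipher-list=\"HIGH\"`; write `cipher-list="HIGH"` instead. The certificate is now read from the ACME directory via `cert`/`pkey`, but the old `postRun = "systemctl restart coturn.service"` hint is deleted rather than enabled, so unless this coturn version reloads certificates on its own it keeps serving the old file after each renewal — `security.acme.certs.${realm}.postRun = "systemctl restart coturn.service";` closes that gap. Dropping 3478 from the open ports in favour of 5349 is a behaviour change worth a comment, since any client or Matrix `turn_uris` entry still pointing at 3478 stops working. The pre-existing plaintext `static-auth-secret` literal is untouched by this commit but remains in the repo; a file-based option, if the NixOS release provides one, would take it out.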


@ -1,68 +1,29 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
imports = imports = [
[
./hardware-configuration.nix ./hardware-configuration.nix
./coturn.nix ./coturn.nix
./wireguard.nix
./ssh.nix
]; ];
boot.loader.grub.enable = true; boot.loader.grub = {
boot.loader.grub.version = 2; enable = true;
version = 2;
devices = [ "/dev/sda" ];
};
system.stateVersion = "21.05"; # Did you read the comment? system.stateVersion = "21.05";
boot.loader.grub.devices = [ "/dev/sda" ];
services.openssh.permitRootLogin = "prohibit-password";
services.openssh.passwordAuthentication = false;
services.openssh.enable = true;
networking = { networking = {
useDHCP = false; useDHCP = false;
hostName = "proxy"; hostName = "proxy";
nameservers = [ "10.4.0.2" "1.1.1.1" ]; nameservers = [ "10.4.0.2" "1.1.1.1" ];
firewall.allowedTCPPorts = [ 22 ];
interfaces.ens3.useDHCP = true; interfaces.ens3.useDHCP = true;
nat = {
enable = true;
externalInterface = "ens3";
internalInterfaces = ["wg0"];
forwardPorts = [
{
destination = "10.4.0.2:1194";
proto = "udp";
sourcePort = 1194;
}
];
}; };
wireguard = {
interfaces."wg0" = {
listenPort = 1195;
ips = [ "10.4.0.1/24" ];
privateKeyFile = "/secrets/wireguard/server.key";
postSetup = ''
/run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
'';
postShutdown = ''
/run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
'';
peers = [
{
allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ];
publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA=";
}
];
};
};
};
services = {
fail2ban.enable = true;
};
users.users.root.openssh.authorizedKeys.keys = [ users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa 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 giulio@gAluminum" "ssh-rsa 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 giulio@gAluminum"
]; ];

15
hosts/proxy/ssh.nix Normal file

@ -0,0 +1,15 @@
{ config, ...}:
{
services = {
fail2ban.enable = true;
openssh = {
permitRootLogin = "prohibit-password";
passwordAuthentication = false;
enable = true;
};
};
networking.firewall.allowedTCPPorts = [ 22 ];
}
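Review bot: `passwordAuthentication = false` on its own does not stop sshd from prompting for a password through keyboard-interactive/PAM, so root with `permitRootLogin = "prohibit-password"` is key-only but other accounts may still be password-guessable; on a 21.05 system the matching switch is `services.openssh.challengeResponseAuthentication = false` (renamed `kbdInteractiveAuthentication` in later releases). The `config` argument in `{ config, ...}:` is unused and can be dropped. A one-line header such as `# sshd hardening for the proxy: key-only root, no passwords, fail2ban` would tell a reader what this split-out file is for.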

46
hosts/proxy/wireguard.nix Normal file

@ -0,0 +1,46 @@
{ config, ...}:
let
wg_if = "wg0";
wan_if = "ens3";
in {
networking = {
firewall.allowedUDPPorts = [ 1195 ];
nat = {
enable = true;
externalInterface = wan_if;
internalInterfaces = [ wg_if ];
forwardPorts = [
{
destination = "10.4.0.2:1194";
proto = "udp";
sourcePort = 1194;
}
];
};
wireguard = {
interfaces.${wg_if} = {
listenPort = 1195;
ips = [ "10.4.0.1/24" ];
privateKeyFile = "/secrets/wireguard/server.key";
postSetup = ''
/run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o ${wg_if} -j MASQUERADE
'';
postShutdown = ''
/run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o ${wg_if} -j MASQUERADE
'';
peers = [
{
allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ];
publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA=";
}
];
};
};
};
}
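Review bot: `firewall.allowedUDPPorts = [ 1195 ]` is new — the configuration.nix this was split from only opened TCP 22 — so this refactor also opens the WireGuard listener on the WAN interface; that is probably intended, but a comment like `# 1195: wireguard listener, reachable from the internet` would make the exposure explicit. The `config` argument is unused, and `wg_if`/`wan_if` use underscores where network.nix uses hyphenated names such as `wan-if`, so one convention would be easier on the eye. Calling `/run/current-system/sw/bin/iptables` works but depends on iptables being in the system profile; `${pkgs.iptables}/bin/iptables` is self-contained, which would need `pkgs` in the module arguments.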


@ -14,9 +14,13 @@
modules = [ modules = [
{ {
imports = users_mod ++ roles_mod; imports = users_mod ++ roles_mod ++ [(nixos-unstable + "/nixos/modules/services/misc/prowlarr.nix")];
nixpkgs = {
pkgs = pkgs;
overlays = [ (self: super: {prowlarr = pkgs.unstable.prowlarr;}) ];
};
nixpkgs.pkgs = pkgs;
nix.nixPath = [ nix.nixPath = [
"nixpkgs=${nixpkgs}" "nixpkgs=${nixpkgs}"
"unstable=${nixos-unstable}" "unstable=${nixos-unstable}"
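Review bot: If `nixpkgs.pkgs = pkgs;` survives on the new side, as the rendering suggests, `pkgs` is now assigned twice for the same attribute path (once inside the new `nixpkgs = { pkgs = pkgs; overlays = […]; }` block), which is at best redundant and may be rejected as a duplicate attribute — drop the standalone line. Importing `prowlarr.nix` by path from `nixos-unstable` into a stable system pulls in a module that may rely on options or library functions that only exist in that tree, so a comment such as `# prowlarr has no module in stable nixpkgs yet; remove this import and the overlay once it lands` records why the mixing exists and when to undo it. The `modules` list this hunk edits starts outside the hunk.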


@ -41,9 +41,7 @@
glances glances
tcpdump tcpdump
restic restic
binutils
neovim neovim
ripgrep
tmux tmux
parted parted
unzip unzip


@ -1,7 +1,7 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
imports = [ ./zsh.nix ]; imports = [ ./zsh.nix ./git.nix ];
home = { home = {
stateVersion = "21.05"; stateVersion = "21.05";
@ -10,17 +10,12 @@
VISUAL = "nvim"; VISUAL = "nvim";
}; };
packages = with pkgs; [ packages = with pkgs; [ rizin sshfs nixfmt ];
rizin
sshfs
nixfmt
];
}; };
programs.neovim = { programs.neovim = {
enable = true; enable = true;
#package = pkgs.unstable.neovim-unwrapped; extraPackages = with pkgs; [ nodePackages.prettier cmake-format clang-tools rustfmt ];
extraConfig = '' extraConfig = ''
" syntax " syntax
syntax enable syntax enable
@ -77,9 +72,14 @@
set cindent cinkeys-=0# set cindent cinkeys-=0#
set expandtab shiftwidth=2 tabstop=2 softtabstop=2 set expandtab shiftwidth=2 tabstop=2 softtabstop=2
set statusline+=%#warningmsg# " Enable alignment
set statusline+=%{SyntasticStatuslineFlag()} let g:neoformat_basic_format_align = 1
set statusline+=%*
" Enable tab to spaces conversion
let g:neoformat_basic_format_retab = 1
" Enable trimmming of trailing whitespace
let g:neoformat_basic_format_trim = 1
''; '';
viAlias = true; viAlias = true;
@ -96,9 +96,8 @@
nerdtree nerdtree
vim-easy-align vim-easy-align
vim-fugitive vim-fugitive
vim-yaml
vim-autoformat
vimtex vimtex
neoformat
]; ];
}; };
} }


@ -11,6 +11,7 @@
smudge = "git-lfs smudge -- %f"; smudge = "git-lfs smudge -- %f";
}; };
}; };
delta.enable = true;
}; };
home.packages = [ pkgs.git-lfs ]; home.packages = [ pkgs.git-lfs ];
} }


@ -1,6 +1,4 @@
{ config, pkgs, lib, ... }: { { config, pkgs, lib, ... }: {
home.packages = with pkgs; [ zsh any-nix-shell ];
programs.zsh = { programs.zsh = {
enable = true; enable = true;
@ -9,9 +7,5 @@
plugins = [ "git" "sudo" "docker" "docker-compose" "adb" "systemd" ]; plugins = [ "git" "sudo" "docker" "docker-compose" "adb" "systemd" ];
theme = "bira"; theme = "bira";
}; };
initExtra = ''
any-nix-shell zsh --info-right | source /dev/stdin
'';
}; };
} }