peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge branch 'master' of ssh://git.giugl.io:10022/peperunas/nixos

Browse Source
This commit is contained in:
Giulio De Pasquale 2021-11-25 11:39:17 +00:00
commit 522e4b7bbc
21 changed files with 453 additions and 326 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
flake.lock generated
View File

@ -7,11 +7,11 @@
]
},
"locked": {
"lastModified": 1633596850,
"narHash": "sha256-5+qVLYvfOropjLAvpQs/APtD8eYnEIbAd9a36lGHZM0=",
"lastModified": 1637019201,
"narHash": "sha256-lq4gz51fx4m5FXfx1SCB444aEBeaYtLMVm3P18Wi9ls=",
"owner": "rycee",
"repo": "home-manager",
"rev": "49695f33aac22358b59e49c94fe6472218e5d766",
"rev": "bcf03fa16a1f06b8a0abb27bf49afa8d6fffe8f1",
"type": "github"
},
"original": {
@ -23,11 +23,11 @@
},
"nixos-unstable": {
"locked": {
"lastModified": 1633971123,
"narHash": "sha256-WmI4NbH1IPGFWVkuBkKoYgOnxgwSfWDgdZplJlQ93vA=",
"lastModified": 1637595801,
"narHash": "sha256-LkIMwVFKCuEqidaUdg8uxwpESAXjsPo4oCz3eJ7RaRw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e4ef597edfd8a0ba5f12362932fc9b1dd01a0aef",
"rev": "263ef4cc4146c9fab808085487438c625d4426a9",
"type": "github"
},
"original": {
@ -39,11 +39,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1634115022,
"narHash": "sha256-K9DZMQ47VRrg9gtTPwex5p0E8LnwM/dDkNe7AQW0qj0=",
"lastModified": 1637615379,
"narHash": "sha256-wL5+nm7z+42IHyhc52P3aAj1Kp2fQ6C8IyPBihj7Bjg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "564cb4d81d4f734dd068684adec5a60077397fe9",
"rev": "09650059d7f5ae59a7f0fb2dd3bfc6d2042a74de",
"type": "github"
},
"original": {

4
flake.nix
View File

@ -28,9 +28,9 @@
inherit (utils) user;
in {
nixosConfigurations = {
architect = host.mkHost { name = "architect"; users = [ { user = "giulio"; roles = []; } ]; };
architect = host.mkHost { name = "architect"; users = [ { user = "giulio"; roles = [ "git" ]; } ]; };
gAluminum = host.mkHost { name = "gAluminum"; users = [ { user = "giulio"; roles = [ "desktop" "ssh" "git" ]; } ]; roles = [ "gnome" ]; };
proxy = host.mkHost { name = "proxy"; };
proxy = host.mkHost { name = "proxy"; users = []; };
};
};
}

272
hosts/architect/default.nix
View File

@ -2,169 +2,141 @@
with import ./network.nix;
let
pubkeys = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1we38/N+t8Ah5yrLof8QUwhrob7/VXFKIddaJeOVBLuDVnW7ljiAtdtEiL69D/DV4Ohmt5wMvkAAjfuHmim6FD9A6lzPbSU4KH9W2dcckszKbbI636kuDwem/xui6BW3wJa6P+0xW5ksygEAkzcK2PXuC2b4B9uwhuUdKahiGMKDxISG/WianqAe72cGMfNkYvion3Y1VsMLUdm48d2ABnxNpr7NI9B5iJ8dziOft9gpgfz13CCQRlReo75gk/4xI+vSNrQp7eR+wzJy2/dZg/T8jtyA9Q6jVxrxBpqQ1LNXkAKaJkGo9OabF6Wgpzp+YTAurL4nwR2NaJxwFuyoKvACQy0ai4jrS3206gC6JXZv8ktZMZrwUN+jPqCwfgh5qObFkAqKCxbp52ioDek2MQLdOvzQBX//DBhGEp5rzHGLZ3vhRIiiQiaof5sF5zWiYDW5mqezSPNxJPX/BrTP/Wbs/jpwTLBh3wytiia0S1WXQmya89bqzTPFiDWvTRA62EVKB/JaQtPQQOFAxWwg799DMycPeZ81xttZOyMtI/MZSddyqx2S8fWGwvToZQvuZ38mSIpFseLM1IkgabRIrAmat5SBNGGy9Dqa0eMEa7bwIY/4CMB1y6HMTnaoMXA6cnQfHMoB/zyTZ6oTXIeqeOyiZsK+RN0Mvahj8mXi7dw== giulio@giulio-X230"];
hostname = "architect";
in
{
imports =
[ # Include the results of the hardware scan.
./backup.nix
./hardware.nix
./firewall.nix
./nginx.nix
./gitea.nix
./sonarr.nix
./radarr.nix
./bazarr.nix
./nzbget.nix
# ./jellyfin.nix
./nextcloud.nix
./wireguard.nix
./minio.nix
./matrix.nix
./fail2ban.nix
./dns.nix
./minecraft.nix
# ./prowlarr.nix
./plex.nix
];
pubkeys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1we38/N+t8Ah5yrLof8QUwhrob7/VXFKIddaJeOVBLuDVnW7ljiAtdtEiL69D/DV4Ohmt5wMvkAAjfuHmim6FD9A6lzPbSU4KH9W2dcckszKbbI636kuDwem/xui6BW3wJa6P+0xW5ksygEAkzcK2PXuC2b4B9uwhuUdKahiGMKDxISG/WianqAe72cGMfNkYvion3Y1VsMLUdm48d2ABnxNpr7NI9B5iJ8dziOft9gpgfz13CCQRlReo75gk/4xI+vSNrQp7eR+wzJy2/dZg/T8jtyA9Q6jVxrxBpqQ1LNXkAKaJkGo9OabF6Wgpzp+YTAurL4nwR2NaJxwFuyoKvACQy0ai4jrS3206gC6JXZv8ktZMZrwUN+jPqCwfgh5qObFkAqKCxbp52ioDek2MQLdOvzQBX//DBhGEp5rzHGLZ3vhRIiiQiaof5sF5zWiYDW5mqezSPNxJPX/BrTP/Wbs/jpwTLBh3wytiia0S1WXQmya89bqzTPFiDWvTRA62EVKB/JaQtPQQOFAxWwg799DMycPeZ81xttZOyMtI/MZSddyqx2S8fWGwvToZQvuZ38mSIpFseLM1IkgabRIrAmat5SBNGGy9Dqa0eMEa7bwIY/4CMB1y6HMTnaoMXA6cnQfHMoB/zyTZ6oTXIeqeOyiZsK+RN0Mvahj8mXi7dw== giulio@giulio-X230"
];
hostname = "architect";
in {
imports = [ # Include the results of the hardware scan.
./backup.nix
./hardware.nix
./firewall.nix
./nginx.nix
./gitea.nix
./sonarr.nix
./radarr.nix
./bazarr.nix
./nzbget.nix
./nextcloud.nix
./wireguard.nix
./minio.nix
./matrix.nix
./fail2ban.nix
./dns.nix
./minecraft.nix
./prowlarr.nix
./plex.nix
./transmission.nix
./githubrunner.nix
];
time.timeZone = "Europe/Rome";
system.stateVersion = "21.05"; # Did you read the comment?
users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
time.timeZone = "Europe/Rome";
system.stateVersion = "21.05"; # Did you read the comment?
users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
fileSystems."/tmp" = {
device = "tmpfs";
fsType = "tmpfs";
options = ["size=20G"];
};
fileSystems."/tmp" = {
device = "tmpfs";
fsType = "tmpfs";
options = [ "size=20G" ];
};
boot = {
kernelParams = ["ip=${architect-lan}::10.0.0.1:255.255.255.0::${wan-if}:off"];
kernel.sysctl."net.ipv4.ip_forward" = 1;
boot = {
kernelParams =
[ "ip=${architect-lan}::10.0.0.1:255.255.255.0::${wan-if}:off" ];
kernel.sysctl."net.ipv4.ip_forward" = 1;
initrd = {
availableKernelModules = ["igc" "r8169"];
network = {
initrd = {
availableKernelModules = [ "igc" "r8169" ];
network = {
enable = true;
ssh = {
enable = true;
ssh = {
enable = true;
port = 22;
hostKeys = [/boot/ssh_host_rsa_key];
authorizedKeys = pubkeys;
};
postCommands = ''
zpool import backedpool
zpool import zpool
mkdir /mnt-root
echo "zfs load-key -ar; mount -t zfs zpool/nixos/root /mnt-root; zfs load-key -a; umount /mnt-root; rmdir /mnt-root; killall zfs" >> /root/.profile
'';
port = 22;
hostKeys = [ /boot/ssh_host_rsa_key ];
authorizedKeys = pubkeys;
};
postCommands = ''
zpool import backedpool
zpool import zpool
mkdir /mnt-root
echo "zfs load-key -ar; mount -t zfs zpool/nixos/root /mnt-root; zfs load-key -a; umount /mnt-root; rmdir /mnt-root; killall zfs" >> /root/.profile
'';
};
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
supportedFilesystems = ["zfs"];
zfs.enableUnstable = true;
zfs.requestEncryptionCredentials = true;
};
networking = {
hostName = hostname;
hostId = "49350853";
useDHCP = false;
defaultGateway = "10.0.0.1";
interfaces = {
enp5s0.ipv4.addresses = [{ address = architect-lan; prefixLength = 24; }];
enp6s0.useDHCP = false;
wlp4s0.useDHCP = false;
};
extraHosts = ''
127.0.0.1 ${hostname}.devs.giugl.io localhost
# LAN
${architect-lan} ${hostname}.devs.giugl.io
${dvr-lan} dvr.devs.giugl.io
${nas-lan} nas.devs.giugl.io
${giupi-lan} giupi.devs.giugl.io
# Wireguard hosts
${architect-wg} ${hostname}.devs.giugl.io
${galuminum-wg} galuminum.devs.giugl.io
${oneplus-wg} oneplus.devs.giugl.io
${ipad-wg} ipad.devs.giugl.io
${manduria-wg} manduria.devs.giugl.io
${antonio-wg} antonio.devs.giugl.io
${gbeast-wg} gbeast.devs.giugl.io
${parisaphone-wg} parisa-phone.devs.giugl.io
${parisapc-wg} parisa-pc.devs.giugl.io
${peppiniell-wg} peppiniell.devs.giugl.io
${padulino-wg} padulino.devs.giugl.io
${shield-wg} shield.devs.giugl.io
${angelino-wg} angelino.devs.giugl.io
${pepos_two-wg} pepostwo.devs.giugl.io
${eleonora-wg} eleonora.devs.giugl.io
${angellane-wg} angellane.devs.giugl.io
${hotpottino-wg} hotpottino.devs.giugl.io
${salvatore-wg} salvatore.devs.giugl.io
${papa-wg} papa.devs.giugl.io
${defy-wg} defy.devs.giugl.io
${germano-wg} germano.devs.giugl.io
${dodino-wg} dodino.devs.giugl.io
${tommy-wg} tommy.devs.giugl.io
${alain-wg} alain.devs.giugl.io
${dima-wg} dima.devs.giugl.io
${boogino-wg} boogino.devs.giugl.io
${mikey-wg} mikey.devs.giugl.io
# Blacklist
0.0.0.0 metrics.plex.tv
0.0.0.0 analytics.plex.tv
0.0.0.0 cdn.luckyorange.com
0.0.0.0 w1.luckyorange.com
0.0.0.0 browser.sentry-cdn.com
0.0.0.0 analytics.facebook.com
0.0.0.0 ads.facebook.com
0.0.0.0 extmaps-api.yandex.net
0.0.0.0 logservice.hicloud.com
0.0.0.0 logbak.hicloud.com
0.0.0.0 logservice1.hicloud.com
0.0.0.0 samsung-com.112.2o7.net
0.0.0.0 supportmetrics.apple.com
0.0.0.0 analytics.oneplus.cn
0.0.0.0 click.oneplus.cn
0.0.0.0 analytics-api.samsunghealthcn.com
'';
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
environment.systemPackages = with pkgs;
[
wireguard
cudatoolkit
];
supportedFilesystems = [ "zfs" ];
zfs.enableUnstable = true;
zfs.requestEncryptionCredentials = true;
};
hardware = {
cpu.amd.updateMicrocode = true;
opengl.enable = true;
opengl.extraPackages= with pkgs; [vaapiVdpau];
opengl.driSupport = true;
networking = {
hostName = hostname;
hostId = "49350853";
useDHCP = false;
defaultGateway = "10.0.0.1";
interfaces = {
enp5s0.ipv4.addresses = [{
address = architect-lan;
prefixLength = 24;
}];
enp6s0.useDHCP = false;
wlp4s0.useDHCP = false;
};
extraHosts = ''
127.0.0.1 ${hostname}.devs.giugl.io localhost
services = {
zfs.autoScrub.enable = true;
xserver.videoDrivers = [ "nvidia" ];
openssh.enable = true;
smartd.enable = true;
};
# LAN
${architect-lan} ${hostname}.devs.giugl.io
environment.variables = {
LIBVA_DRIVER_NAME="vdpau";
};
}
${dvr-lan} dvr.devs.giugl.io
${nas-lan} nas.devs.giugl.io
${giupi-lan} giupi.devs.giugl.io
# Blacklist
0.0.0.0 metrics.plex.tv
0.0.0.0 analytics.plex.tv
0.0.0.0 cdn.luckyorange.com
0.0.0.0 w1.luckyorange.com
0.0.0.0 browser.sentry-cdn.com
0.0.0.0 analytics.facebook.com
0.0.0.0 ads.facebook.com
0.0.0.0 extmaps-api.yandex.net
0.0.0.0 logservice.hicloud.com
0.0.0.0 logbak.hicloud.com
0.0.0.0 logservice1.hicloud.com
0.0.0.0 samsung-com.112.2o7.net
0.0.0.0 supportmetrics.apple.com
0.0.0.0 analytics.oneplus.cn
0.0.0.0 click.oneplus.cn
0.0.0.0 analytics-api.samsunghealthcn.com
'';
};
environment.systemPackages = with pkgs; [ cudatoolkit ];
hardware = {
cpu.amd.updateMicrocode = true;
opengl.enable = true;
opengl.extraPackages = with pkgs; [ vaapiVdpau ];
opengl.driSupport = true;
};
boot.crashDump.enable = true;
services.das_watchdog.enable = true;
services = {
zfs.autoScrub.enable = true;
xserver.videoDrivers = [ "nvidia" ];
openssh.enable = true;
smartd.enable = true;
};
environment.variables = { LIBVA_DRIVER_NAME = "vdpau"; };
}

3
hosts/architect/firewall.nix
View File

@ -9,10 +9,12 @@ let
443 # https
8448 # matrix
10022 # gitea
51413 # transmission
];
open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
1194 # wireguard
3478 # turn
51413 # transmission
];
in {
networking = {
@ -134,6 +136,7 @@ in {
# gdevices talking to everyone in VPN
ip saddr {${lib.concatStringsSep "," gdevices-wg}} ip daddr ${vpn-net} accept
ip saddr {${lib.concatStringsSep "," gamenet-wg}} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept
# nat to wan
oifname ${wan-if} ip saddr {${lib.concatStringsSep "," towan-wg}} accept

15
hosts/architect/githubrunner.nix Normal file
View File

@ -0,0 +1,15 @@
{ ... }:
{
services.github-runner = {
enable = true;
url = "https://github.com/ropfuscator";
tokenFile = "/secrets/github-runner/token";
replace = true;
};
nix.extraOptions = ''
tarball-ttl = 0
access-tokens = github.com=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
'';
}

16
hosts/architect/network.nix
View File

@ -29,9 +29,7 @@ rec {
peppiniell-wg = "10.3.0.10";
padulino-wg = "10.3.0.11";
shield-wg = "10.3.0.12";
angelino-wg = "10.3.0.13";
pepos_one-wg = "10.3.0.14";
pepos_two-wg = "10.3.0.15";
pepos-wg = "10.3.0.15";
salvatore-wg = "10.3.0.16";
papa-wg = "10.3.0.17";
defy-wg = "10.3.0.18";
@ -41,17 +39,23 @@ rec {
alain-wg = "10.3.0.22";
dima-wg = "10.3.0.23";
mikey-wg = "10.3.0.24";
andrew-wg = "10.3.0.25";
mikeylaptop-wg = "10.3.0.26";
andrewdesktop-wg = "10.3.0.27";
jacopo-wg = "10.3.0.28";
frznn-wg = "10.3.0.29";
eleonora-wg = "10.3.0.100";
angellane-wg = "10.3.0.200";
hotpottino-wg = "10.3.0.201";
dodino-wg = "10.3.0.202";
boogino-wg = "10.3.0.203";
wolfsonhouse-wg = "10.3.0.203";
# groups
gdevices-wg = [ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg angelino-wg ];
routers-wg = [ hotpottino-wg angellane-wg dodino-wg ];
gdevices-wg = [ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg ];
routers-wg = [ hotpottino-wg angellane-wg dodino-wg wolfsonhouse-wg ];
c2c-wg = [ ] ++ gdevices-wg;
towan-wg = [ shield-wg parisaphone-wg parisapc-wg ] ++ gdevices-wg ++ routers-wg;
gamenet-wg = [ andrew-wg galuminum-wg gbeast-wg mikey-wg andrewdesktop-wg mikeylaptop-wg flavio-wg salvatore-wg ];
# domains
sonarrdomain = "htson.giugl.io";

44
hosts/architect/nginx.nix
View File

@ -8,28 +8,28 @@
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."giugl.io" = {
default = true;
enableACME = true;
addSSL = true;
root = "/var/lib/nginx/error_pages";
extraConfig = "error_page 404 /index.htm;";
locations = {
"/" = {
return = "404";
};
"/index.htm" = {
};
"/style.css" = {
};
"/wat.jpg" = {
};
};
};
# virtualHosts."giugl.io" = {
# default = true;
# enableACME = true;
# addSSL = true;
# root = "/var/lib/nginx/error_pages";
# extraConfig = "error_page 404 /index.htm;";
#
# locations = {
# "/" = {
# return = "404";
# };
#
# "/index.htm" = {
# };
#
# "/style.css" = {
# };
#
# "/wat.jpg" = {
# };
# };
# };
};
users.groups.acme.members = [ "nginx" ];

13
hosts/architect/overseerr.nix Normal file
View File

@ -0,0 +1,13 @@
{...}:
{
virtualisation.oci-containers.containers."overseerr" = {
image = "sctx/overseerr:latest";
volumes = [ "/var/lib/overseerr:/app/config" ];
environment = {
"LOG_LEVEL" = "debug";
"TZ" = "Europe/Rome";
};
#ports = [ "5055:5055" ];
};
}

4
hosts/architect/plex.nix
View File

@ -16,6 +16,10 @@ with import ./network.nix;
enableACME = true;
http2 = true;
extraConfig = ''
allow 10.3.0.0/24;
allow 10.0.0.0/24;
deny all;
#Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
send_timeout 100m;

2
hosts/architect/prowlarr.nix
View File

@ -1,3 +1,5 @@
{ pkgs, ...}:
with import ./network.nix;
{
services = {

41
hosts/architect/transmission.nix Normal file
View File

@ -0,0 +1,41 @@
with import ./network.nix;
let
domain = "httra.giugl.io";
in {
services = {
transmission = {
enable = true;
settings = {
download-dir = "/media/transmission";
incomplete-dir = "/media/transmission/.incomplete";
rpc-host-whitelist = "${domain}";
encryption = 2;
speed-limit-up = 10;
speed-limit-up-enabled = true;
peer-port = 51413;
};
performanceNetParameters = true;
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:9091";
extraConfig = ''
allow 10.0.0.0/24;
allow 10.3.0.0/24;
deny all;
'';
};
};
};
networking.extraHosts = ''
${architect-lan} ${domain}
${architect-wg} ${domain}
'';
users.groups.media.members = ["transmission"];
}

111
hosts/architect/wireguard.nix
View File

@ -1,7 +1,40 @@
with import ./network.nix;
{
networking.wireguard = {
interfaces.${proxy-if} = {
networking = {
extraHosts = ''
${architect-wg} architect.devs.giugl.io
${galuminum-wg} galuminum.devs.giugl.io
${oneplus-wg} oneplus.devs.giugl.io
${ipad-wg} ipad.devs.giugl.io
${manduria-wg} manduria.devs.giugl.io
${antonio-wg} antonio.devs.giugl.io
${gbeast-wg} gbeast.devs.giugl.io
${parisaphone-wg} parisa-phone.devs.giugl.io
${parisapc-wg} parisa-pc.devs.giugl.io
${peppiniell-wg} peppiniell.devs.giugl.io
${padulino-wg} padulino.devs.giugl.io
${shield-wg} shield.devs.giugl.io
${pepos-wg} pepos.devs.giugl.io
${eleonora-wg} eleonora.devs.giugl.io
${angellane-wg} angellane.devs.giugl.io
${hotpottino-wg} hotpottino.devs.giugl.io
${salvatore-wg} salvatore.devs.giugl.io
${papa-wg} papa.devs.giugl.io
${defy-wg} defy.devs.giugl.io
${germano-wg} germano.devs.giugl.io
${dodino-wg} dodino.devs.giugl.io
${tommy-wg} tommy.devs.giugl.io
${alain-wg} alain.devs.giugl.io
${dima-wg} dima.devs.giugl.io
${mikey-wg} mikey.devs.giugl.io
${andrew-wg} andrew.devs.giugl.io
${mikeylaptop-wg} mikeylaptop.devs.giugl.io
${wolfsonhouse-wg} wolfsonhouse.devs.giugl.io
${frznn-wg} frznn.devs.giugl.io
'';
wireguard = {
interfaces.${proxy-if} = {
ips = ["10.4.0.2/32"];
privateKeyFile = "/secrets/wireguard/proxy.key";
peers = [
@ -12,29 +45,26 @@ with import ./network.nix;
persistentKeepalive = 21;
}
];
};
};
interfaces.${vpn-if} = {
listenPort = 1194;
ips = ["10.3.0.1/24"];
privateKeyFile = "/secrets/wireguard/server.key";
interfaces.${vpn-if} = {
listenPort = 1194;
ips = ["10.3.0.1/24"];
privateKeyFile = "/secrets/wireguard/server.key";
peers = [
{
peers = [
{
# gAluminum
allowedIPs = [galuminum-wg];
publicKey = "pEEgSs7xmO0cfyvoQlU8lfwqdYM1ISgmPAunPtF+0xw=";
}
{
# OnePlus
allowedIPs = [oneplus-wg];
# publicKey = "uOQUJo+AfhTAFq50Pt80rdX4PmO28WUARngE2AtwdXU=";
publicKey = "zynSERy6VhxN5zBf1ih3BOAHxvigDixHB9YKnSBgYFs=";
}
{
# iPad
allowedIPs = [ipad-wg];
@ -118,26 +148,12 @@ with import ./network.nix;
publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs=";
}
{
# angelino
allowedIPs = [angelino-wg];
publicKey = "MhY4d824LuKPltQHfaUbtWGiQz4XsfqCRAx0n1FDaiY=";
}
{
# pepos_one
allowedIPs = [pepos_one-wg];
publicKey = "HcIqulGahsHJeuq6zAt5EJieWhDSKX4tFlUOEr2U1gA=";
}
{
# pepos_two
allowedIPs = [pepos_two-wg];
# pepos
allowedIPs = [pepos-wg];
publicKey = "mb1VaMLML5J24oCMBuhqvBrT6S4tAqWERn30z+h/LwM=";
}
{
# salvatore
allowedIPs = [salvatore-wg];
@ -193,9 +209,9 @@ with import ./network.nix;
}
{
# boogino
allowedIPs = [boogino-wg];
publicKey = "p21tD9S04+b+TC27a1CvkJL7V6fcfjOpVU7Ke1FzV3A=";
# wolfsonhouse
allowedIPs = [wolfsonhouse-wg];
publicKey = "UJRJcAOcnEjEB3o4K2I7gEM97SrhENEesZNf28z+EBQ=";
}
{
@ -203,7 +219,38 @@ with import ./network.nix;
allowedIPs = [mikey-wg];
publicKey = "ewbDdX3z7nxG2aPIf9TogXkhxPlGipLFcy6XfyDC6gI=";
}
{
# andrew
allowedIPs = [andrew-wg];
publicKey = "LP/FgST9fmBQSoKQFq9sFGvjRFOtRooMcuEcjuqaoWM=";
}
{
# mikey laptop
allowedIPs = [mikeylaptop-wg];
publicKey = "kz/pY/PgV+dwF1JZ2It4r5B5QfRSQM7HkbFCdvd5Yxk=";
}
{
# andrew desktop
allowedIPs = [andrewdesktop-wg];
publicKey = "rpYr3JNLIzxpxzFuQuaHFEl/XvPEPfwLbDETBP8KYXI=";
}
{
# laptop desktop
allowedIPs = [jacopo-wg];
publicKey = "W/taWI79bPIKOolVVu5xZfiJnPw9K91Xn1zhcM0+4g0=";
}
{
# frznn
allowedIPs = [frznn-wg];
publicKey = "dXcrdME6VnnE5PBYwvUmayf7cn2wpcExeCR9gIXOO0o=";
}
];
};
};
};
}

36
hosts/proxy/coturn.nix
View File

@ -1,22 +1,28 @@
{pkgs, config, ...}:
let
public_ip = "23.88.108.216";
realm = "turn.giugl.io";
static-auth-secret = "69duck duck fuck420";
in {
services.coturn = rec {
inherit realm static-auth-secret;
secure-stun = true;
enable = true;
no-cli = true;
no-tcp-relay = true;
min-port = 49000;
max-port = 50000;
use-auth-secret = true;
# cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
# pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
relay-ips = [ public_ip ];
listening-ips = [ public_ip ];
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
extraConfig = ''
# for debugging
verbose
# ban private IP ranges
cipher-list=\"HIGH\"
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
@ -42,7 +48,6 @@ in {
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
'';
};
# open the firewall
networking.firewall = {
interfaces.ens3 = let
range = with config.services.coturn; [ {
@ -52,15 +57,18 @@ in {
in
{
allowedUDPPortRanges = range;
allowedUDPPorts = [ 3478 ];
allowedTCPPortRanges = range;
allowedTCPPorts = [ 3478 ];
allowedUDPPorts = [ 5349 ];
#allowedTCPPortRanges = range;
allowedTCPPorts = [ 80 443 5349 ];
};
};
# get a certificate
# security.acme.certs.${realm} = {
# webroot = "/var/lib/acme/acme-challenge";
# postRun = "systemctl restart coturn.service";
# group = "turnserver";
# };
services.nginx.enable = true;
services.nginx.virtualHosts.${realm} = {
addSSL = true;
enableACME = true;
};
# to access the ACME files
users.groups.nginx.members = [ "turnserver" ];
}

83
hosts/proxy/default.nix
View File

@ -1,70 +1,31 @@
{ config, pkgs, ... }:
{
imports =
[
./hardware-configuration.nix
./coturn.nix
];
imports = [
./hardware-configuration.nix
./coturn.nix
./wireguard.nix
./ssh.nix
];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub = {
enable = true;
version = 2;
devices = [ "/dev/sda" ];
};
system.stateVersion = "21.05"; # Did you read the comment?
boot.loader.grub.devices = [ "/dev/sda" ];
services.openssh.permitRootLogin = "prohibit-password";
services.openssh.passwordAuthentication = false;
services.openssh.enable = true;
system.stateVersion = "21.05";
networking = {
useDHCP = false;
hostName = "proxy";
nameservers = [ "10.4.0.2" "1.1.1.1" ];
networking = {
useDHCP = false;
hostName = "proxy";
nameservers = [ "10.4.0.2" "1.1.1.1" ];
firewall.allowedTCPPorts = [ 22 ];
interfaces.ens3.useDHCP = true;
interfaces.ens3.useDHCP = true;
};
nat = {
enable = true;
externalInterface = "ens3";
internalInterfaces = ["wg0"];
forwardPorts = [
{
destination = "10.4.0.2:1194";
proto = "udp";
sourcePort = 1194;
}
];
};
wireguard = {
interfaces."wg0" = {
listenPort = 1195;
ips = [ "10.4.0.1/24" ];
privateKeyFile = "/secrets/wireguard/server.key";
postSetup = ''
/run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
'';
postShutdown = ''
/run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
'';
peers = [
{
allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ];
publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA=";
}
];
};
};
};
services = {
fail2ban.enable = true;
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCuURERnIFe2XbNu6AsPe2DO11RuaHxVGUcaoJUsIB1F+VOggOVLhxSenOPYLm6NvvGeXVi95G5Sm1UZRcJEEkvxus4bSViV4t/Q2azfYFE27yRH/IeMMoWNPGYNm5Bok2qFb4vHifra9FffwXnOzr0nDDTdHXCft4TO5nsenLJwqu5zOO1CR7J52otY7LheNPyzbGxgIkB3Y7LeOj1+/xXSOJ379NOL2RQBobsg7k442WCX7tU6AC1ct3W+93tcJUUdzJKTT9TJ+XmhdjXNWhDd+QZUNAMr+nKoEdExHp0H40/wIhcLD2OV95gX4i/YBzCg4OQOqZqWiibiEQfGTSAh5aD+nX/PqjXf0XSLEUOA81biLFu28oO8gocjwnhgqmlghvO4SG1rs6uZ8EyPyWsrVMjy8B9FX4aloKqua3aicgC+upjLl3x+KkMJizlMB5Ew7KOjPsjXwMqeJmeBOEd6TSEctttR+lIp+/368FtwXeBxzx9MBT4620mnjWtVKM= giulio@gAluminum"
];
}
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCuURERnIFe2XbNu6AsPe2DO11RuaHxVGUcaoJUsIB1F+VOggOVLhxSenOPYLm6NvvGeXVi95G5Sm1UZRcJEEkvxus4bSViV4t/Q2azfYFE27yRH/IeMMoWNPGYNm5Bok2qFb4vHifra9FffwXnOzr0nDDTdHXCft4TO5nsenLJwqu5zOO1CR7J52otY7LheNPyzbGxgIkB3Y7LeOj1+/xXSOJ379NOL2RQBobsg7k442WCX7tU6AC1ct3W+93tcJUUdzJKTT9TJ+XmhdjXNWhDd+QZUNAMr+nKoEdExHp0H40/wIhcLD2OV95gX4i/YBzCg4OQOqZqWiibiEQfGTSAh5aD+nX/PqjXf0XSLEUOA81biLFu28oO8gocjwnhgqmlghvO4SG1rs6uZ8EyPyWsrVMjy8B9FX4aloKqua3aicgC+upjLl3x+KkMJizlMB5Ew7KOjPsjXwMqeJmeBOEd6TSEctttR+lIp+/368FtwXeBxzx9MBT4620mnjWtVKM= giulio@gAluminum"
];
}

15
hosts/proxy/ssh.nix Normal file
View File

@ -0,0 +1,15 @@
{ config, ...}:
{
services = {
fail2ban.enable = true;
openssh = {
permitRootLogin = "prohibit-password";
passwordAuthentication = false;
enable = true;
};
};
networking.firewall.allowedTCPPorts = [ 22 ];
}

46
hosts/proxy/wireguard.nix Normal file
View File

@ -0,0 +1,46 @@
{ config, ...}:
let
wg_if = "wg0";
wan_if = "ens3";
in {
networking = {
firewall.allowedUDPPorts = [ 1195 ];
nat = {
enable = true;
externalInterface = wan_if;
internalInterfaces = [ wg_if ];
forwardPorts = [
{
destination = "10.4.0.2:1194";
proto = "udp";
sourcePort = 1194;
}
];
};
wireguard = {
interfaces.${wg_if} = {
listenPort = 1195;
ips = [ "10.4.0.1/24" ];
privateKeyFile = "/secrets/wireguard/server.key";
postSetup = ''
/run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o ${wg_if} -j MASQUERADE
'';
postShutdown = ''
/run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o ${wg_if} -j MASQUERADE
'';
peers = [
{
allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ];
publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA=";
}
];
};
};
};
}

8
lib/host.nix
View File

@ -14,9 +14,13 @@
modules = [
{
imports = users_mod ++ roles_mod;
imports = users_mod ++ roles_mod ++ [(nixos-unstable + "/nixos/modules/services/misc/prowlarr.nix")];
nixpkgs = {
pkgs = pkgs;
overlays = [ (self: super: {prowlarr = pkgs.unstable.prowlarr;}) ];
};
nixpkgs.pkgs = pkgs;
nix.nixPath = [
"nixpkgs=${nixpkgs}"
"unstable=${nixos-unstable}"

2
roles/common.nix
View File

@ -41,9 +41,7 @@
glances
tcpdump
restic
binutils
neovim
ripgrep
tmux
parted
unzip

33
roles/home/common.nix
View File

@ -1,26 +1,21 @@
{ config, pkgs, ... }:
{
imports = [ ./zsh.nix ];
imports = [ ./zsh.nix ./git.nix ];
home = {
stateVersion = "21.05";
stateVersion = "21.05";
sessionVariables = {
EDITOR = "nvim";
VISUAL = "nvim";
};
packages = with pkgs; [
rizin
sshfs
nixfmt
];
packages = with pkgs; [ rizin sshfs nixfmt ];
};
programs.neovim = {
enable = true;
#package = pkgs.unstable.neovim-unwrapped;
enable = true;
extraPackages = with pkgs; [ nodePackages.prettier cmake-format clang-tools rustfmt ];
extraConfig = ''
" syntax
syntax enable
@ -77,14 +72,19 @@
set cindent cinkeys-=0#
set expandtab shiftwidth=2 tabstop=2 softtabstop=2
set statusline+=%#warningmsg#
set statusline+=%{SyntasticStatuslineFlag()}
set statusline+=%*
" Enable alignment
let g:neoformat_basic_format_align = 1
" Enable tab to spaces conversion
let g:neoformat_basic_format_retab = 1
" Enable trimmming of trailing whitespace
let g:neoformat_basic_format_trim = 1
'';
viAlias = true;
viAlias = true;
vimAlias = true;
plugins = with pkgs.vimPlugins; [
plugins = with pkgs.vimPlugins; [
vim-nix
molokai
YouCompleteMe
@ -96,9 +96,8 @@
nerdtree
vim-easy-align
vim-fugitive
vim-yaml
vim-autoformat
vimtex
neoformat
];
};
}

1
roles/home/git.nix
View File

@ -11,6 +11,7 @@
smudge = "git-lfs smudge -- %f";
};
};
delta.enable = true;
};
home.packages = [ pkgs.git-lfs ];
}

6
roles/home/zsh.nix
View File

@ -1,6 +1,4 @@
{ config, pkgs, lib, ... }: {
home.packages = with pkgs; [ zsh any-nix-shell ];
programs.zsh = {
enable = true;
@ -9,9 +7,5 @@
plugins = [ "git" "sudo" "docker" "docker-compose" "adb" "systemd" ];
theme = "bira";
};
initExtra = ''
any-nix-shell zsh --info-right | source /dev/stdin
'';
};
}