peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Formatting

Browse Source
This commit is contained in:
Giulio De Pasquale 2023-02-11 03:29:48 +01:00
parent a015dc2a89
commit 608fd46eb4
34 changed files with 227 additions and 201 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
hosts/architect/default.nix
View File

@ -6,8 +6,10 @@ let
];
hostname = "architect";
network = import ./network.nix;
in {
imports = [ # Include the results of the hardware scan.
in
{
imports = [
# Include the results of the hardware scan.
./backup.nix
./hardware.nix
./firewall.nix
@ -29,7 +31,7 @@ in {
./invidious.nix
./nitter.nix
./lidarr.nix
# ./navidrome.nix
# ./navidrome.nix
./jellyfin.nix
./prosody.nix
./deluge.nix
@ -43,7 +45,7 @@ in {
];
time.timeZone = "Europe/Rome";
# system.stateVersion = "21.11";
# system.stateVersion = "21.11";
users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
boot = {
initrd = {

3
hosts/architect/deluge.nix
View File

@ -4,7 +4,8 @@ let
domain = "htdel.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in {
in
{
services = {
deluge = {
enable = true;

2
hosts/architect/dns.nix
View File

@ -1,6 +1,6 @@
{ config, pkgs, lib, ... }:
let
let
adguard_webui_port = 3031;
adguard_dns_port = "5300";
dnscrypt_listen_port = "5353";

283
hosts/architect/firewall.nix
View File

@ -9,13 +9,13 @@ let
https_tcp = 443;
synapse_tcp = 8448;
gitea_tcp = 10022;
prosody_tcp = 5222;
prosody_tcp = 5222;
minecraft_tcp = 25565;
# UDP services
dns_udp = 53;
wireguard_udp = 1194;
# TCP/UDP services
torrent_a = 51413;
torrent_b = 51414;
@ -49,7 +49,8 @@ let
wireguard_udp
];
in {
in
{
networking = {
# needed to use nftables
firewall.enable = false;
@ -58,171 +59,171 @@ in {
nftables = {
enable = true;
ruleset = ''
table ip raw {
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
}
table ip raw {
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
}
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
}
}
table ip nat {
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
}
table ip nat {
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
}
chain INPUT {
type nat hook input priority 100; policy accept;
}
chain INPUT {
type nat hook input priority 100; policy accept;
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname ${wan-if} ip saddr {${
lib.concatStringsSep "," towan-wg
}} masquerade
oifname ${wan-if} ip saddr ${docker-net} masquerade
oifname ${wan-if} ip saddr ${tailscale-net} masquerade
}
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname ${wan-if} ip saddr {${
lib.concatStringsSep "," towan-wg
}} masquerade
oifname ${wan-if} ip saddr ${docker-net} masquerade
oifname ${wan-if} ip saddr ${tailscale-net} masquerade
}
}
table ip mangle {
chain PREROUTING {
type filter hook prerouting priority mangle; policy drop;
ct state invalid,untracked drop comment "drop invalid"
ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}"
iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}"
iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}"
iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}"
iifname ${tailscale-if} ip saddr ${tailscale-net} accept
iifname "lo" accept comment "bind any ip to intf lo"
jump mangle_drop
}
table ip mangle {
chain PREROUTING {
type filter hook prerouting priority mangle; policy drop;
ct state invalid,untracked drop comment "drop invalid"
ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}"
iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}"
iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}"
iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}"
iifname ${tailscale-if} ip saddr ${tailscale-net} accept
iifname "lo" accept comment "bind any ip to intf lo"
jump mangle_drop
}
chain INPUT {
type filter hook input priority mangle; policy accept;
}
chain INPUT {
type filter hook input priority mangle; policy accept;
}
chain FORWARD {
type filter hook forward priority mangle; policy accept;
}
chain FORWARD {
type filter hook forward priority mangle; policy accept;
}
chain OUTPUT {
type route hook output priority mangle; policy accept;
}
chain OUTPUT {
type route hook output priority mangle; policy accept;
}
chain POSTROUTING {
type filter hook postrouting priority mangle; policy accept;
}
chain POSTROUTING {
type filter hook postrouting priority mangle; policy accept;
}
chain mangle_drop {
ip protocol icmp jump mangle_drop_icmp
ip protocol udp jump mangle_drop_udp
ip protocol tcp jump mangle_drop_tcp
log prefix "MANGLE-DROP-UNK "
drop
}
chain mangle_drop {
ip protocol icmp jump mangle_drop_icmp
ip protocol udp jump mangle_drop_udp
ip protocol tcp jump mangle_drop_tcp
log prefix "MANGLE-DROP-UNK "
drop
}
chain mangle_drop_icmp {
log prefix "MANGLE-DROP-ICMP "
drop
}
chain mangle_drop_icmp {
log prefix "MANGLE-DROP-ICMP "
drop
}
chain mangle_drop_tcp {
log prefix "MANGLE-DROP-TCP "
drop
}
chain mangle_drop_tcp {
log prefix "MANGLE-DROP-TCP "
drop
}
chain mangle_drop_udp {
log prefix "MANGLE-DROP-UDP "
drop
}
}
chain mangle_drop_udp {
log prefix "MANGLE-DROP-UDP "
drop
}
}
table ip filter {
chain INPUT {
type filter hook input priority filter; policy drop;
table ip filter {
chain INPUT {
type filter hook input priority filter; policy drop;
ct state established,related accept
iifname "lo" accept comment "loopback"
ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
ip saddr ${lan-net} accept comment "lan > local"
ip saddr ${tailscale-net} accept comment "tailscale > local"
ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
ct state established,related accept
iifname "lo" accept comment "loopback"
ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
ip saddr ${lan-net} accept comment "lan > local"
ip saddr ${tailscale-net} accept comment "tailscale > local"
ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
iifname ${wan-if} udp dport {${open_udp_ports}} accept
iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept
iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept
iifname ${vpn-if} icmp type echo-request accept
iifname ${docker-if} udp dport 53 accept
jump filter_drop
}
iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
iifname ${wan-if} udp dport {${open_udp_ports}} accept
iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept
iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept
iifname ${vpn-if} icmp type echo-request accept
iifname ${docker-if} udp dport 53 accept
jump filter_drop
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
ct state established,related accept
chain FORWARD {
type filter hook forward priority filter; policy drop;
ct state established,related accept
# gdevices talking to everyone in VPN
ip saddr {${
lib.concatStringsSep "," gdevices
}} ip daddr ${vpn-net} accept
ip saddr {${
lib.concatStringsSep "," gamenet-wg
}} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept
# gdevices talking to everyone in VPN
ip saddr {${
lib.concatStringsSep "," gdevices
}} ip daddr ${vpn-net} accept
ip saddr {${
lib.concatStringsSep "," gamenet-wg
}} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept
# nat to wan
oifname ${wan-if} ip saddr {${
lib.concatStringsSep "," towan-wg
}} accept
# nat to wan
oifname ${wan-if} ip saddr {${
lib.concatStringsSep "," towan-wg
}} accept
oifname ${wan-if} ip saddr ${docker-net} accept
oifname ${wan-if} ip saddr ${tailscale-net} accept
oifname ${wan-if} ip saddr ${docker-net} accept
oifname ${wan-if} ip saddr ${tailscale-net} accept
jump filter_drop
}
jump filter_drop
}
chain OUTPUT {
type filter hook output priority filter; policy drop;
ct state established,related accept
accept comment "local > *"
jump filter_drop
}
chain OUTPUT {
type filter hook output priority filter; policy drop;
ct state established,related accept
accept comment "local > *"
jump filter_drop
}
chain filter_drop {
ip protocol icmp jump filter_drop_icmp
ip protocol udp jump filter_drop_udp
ip protocol tcp jump filter_drop_tcp
log prefix "DROP-UNK "
drop
}
chain filter_drop {
ip protocol icmp jump filter_drop_icmp
ip protocol udp jump filter_drop_udp
ip protocol tcp jump filter_drop_tcp
log prefix "DROP-UNK "
drop
}
chain filter_drop_icmp {
log prefix "DROP-icmp "
drop
}
chain filter_drop_icmp {
log prefix "DROP-icmp "
drop
}
chain filter_drop_tcp {
log prefix "DROP-tcp "
drop
}
chain filter_drop_tcp {
log prefix "DROP-tcp "
drop
}
chain filter_drop_udp {
log prefix "DROP-udp "
drop
}
}
'';
chain filter_drop_udp {
log prefix "DROP-udp "
drop
}
}
'';
};
};
}

4
hosts/architect/gitea.nix
View File

@ -26,8 +26,8 @@ in
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
# it does not work, it breaks gitea's web portal
# extraConfig = auth_block { access_role = "git"; };
# it does not work, it breaks gitea's web portal
# extraConfig = auth_block { access_role = "git"; };
};
};

2
hosts/architect/hardware.nix
View File

@ -38,7 +38,7 @@
};
swapDevices = [{
device = "/swapfile";
size = 1024 * 64;
size = 1024 * 64;
}];
boot = {

3
hosts/architect/home-assistant.nix
View File

@ -5,7 +5,8 @@ let
network = import ./network.nix;
host = "127.0.0.1";
port = 8123;
in {
in
{
services = {
mosquitto = {
enable = true;

5
hosts/architect/keycloak.nix
View File

@ -3,7 +3,8 @@
let
network = import ./network.nix;
domain = "auth.giugl.io";
in {
in
{
services = {
keycloak = {
enable = true;
@ -36,7 +37,7 @@ in {
locations = {
"/" = { return = "301 https://${domain}/realms/master/account"; };
"/admin" = {
proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port

2
hosts/architect/lezzo.nix
View File

@ -16,7 +16,7 @@ in
forceSSL = true;
root = lezzo_root;
locations."/.git" = { return = "404"; };
};

3
hosts/architect/lidarr.nix
View File

@ -4,7 +4,8 @@ let
domain = "htlid.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in {
in
{
services = {
lidarr = {
enable = true;

8
hosts/architect/matrix.nix
View File

@ -27,7 +27,7 @@ in
];
auto_join_rooms = [ "#general:${domain}" "#music:${domain}" "#movies:${domain}" ];
oidc_providers = [{
idp_id = "keycloak";
idp_name = "Architect SSO";
@ -97,9 +97,9 @@ in
return 200 '${builtins.toJSON client}';
'';
# locations."/".extraConfig = ''
# return 404;
# '';
# locations."/".extraConfig = ''
# return 404;
# '';
# forward all Matrix API calls to the synapse Matrix homeserver
locations."/_matrix" = {

3
hosts/architect/minio.nix
View File

@ -3,7 +3,8 @@
let
domain = "s3.giugl.io";
network = import ./network.nix;
in {
in
{
services = {
minio.enable = true;

20
hosts/architect/modules/jellyfin.nix
View File

@ -63,21 +63,21 @@ in {
AmbientCapabilities = "";
CapabilityBoundingSet = "";
# # ProtectClock= adds DeviceAllow=char-rtc r
# DeviceAllow = [
# "char-drm r"
# "/dev/nvidia0 r"
# "/dev/nvidiactl r"
# "/dev/nvidia-uvm r"
# "/dev/nvidia-uvm-tools r"
# ];
# # ProtectClock= adds DeviceAllow=char-rtc r
# DeviceAllow = [
# "char-drm r"
# "/dev/nvidia0 r"
# "/dev/nvidiactl r"
# "/dev/nvidia-uvm r"
# "/dev/nvidia-uvm-tools r"
# ];
DeviceAllow = "";
LockPersonality = true;
PrivateTmp = true;
PrivateUsers = true;
# ProtectClock = true;
# ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
@ -87,7 +87,7 @@ in {
RemoveIPC = true;
RestrictNamespaces = true;
# # AF_NETLINK needed because Jellyfin monitors the network connection
# # AF_NETLINK needed because Jellyfin monitors the network connection
RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictRealtime = true;
RestrictSUIDSGID = true;

3
hosts/architect/navidrome.nix
View File

@ -6,7 +6,8 @@ let
library_path = "/media/Music";
beets_config = "/media/beets.conf";
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in {
in
{
services = {
navidrome = {
enable = true;

2
hosts/architect/network.nix
View File

@ -60,7 +60,7 @@ rec {
architect-ts = "100.67.205.28";
giuliopc-ts = "100.124.78.64";
dodino-ts = "100.106.244.35";
# groups
gdevices = [ giuliophone-ts architect-ts giuliopc-ts dodino-ts ];
towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg framecca-wg ];

3
hosts/architect/nextcloud.nix
View File

@ -4,7 +4,8 @@ let
domain = "cloud.giugl.io";
network = import ./network.nix;
redis_port = 6379;
in {
in
{
services = {
mysql = {
enable = true;

3
hosts/architect/nitter.nix
View File

@ -3,7 +3,8 @@
let
domain = "tweet.giugl.io";
network = import ./network.nix;
in {
in
{
services = {
nitter = {
enable = true;

3
hosts/architect/nzbget.nix
View File

@ -4,7 +4,8 @@ let
domain = "htnzb.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in {
in
{
services = {
nzbget = {
enable = true;

2
hosts/architect/openid.nix
View File

@ -2,7 +2,7 @@
{
openresty_oidc_block =
{ access_role ? "", whitelisted_ips ? [] }: ''
{ access_role ? "", whitelisted_ips ? [ ] }: ''
access_by_lua_block {
local opts = {
discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",

3
hosts/architect/plex.nix
View File

@ -3,7 +3,8 @@
let
domain = "media.giugl.io";
network = import ./network.nix;
in {
in
{
services.plex = {
enable = true;
package = pkgs.unstable.plex;

3
hosts/architect/prosody.nix
View File

@ -5,7 +5,8 @@ let
conference_domain = "conference.${domain}";
upload_domain = "uploads.${domain}";
network = import ./network.nix;
in {
in
{
services = {
prosody = {
enable = true;

3
hosts/architect/prowlarr.nix
View File

@ -3,7 +3,8 @@
let
domain = "htpro.giugl.io";
network = import ./network.nix;
in {
in
{
services = {
prowlarr.enable = true;

3
hosts/architect/radarr.nix
View File

@ -4,7 +4,8 @@ let
domain = "htrad.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in {
in
{
services = {
radarr = {
enable = true;

2
hosts/architect/runas.nix
View File

@ -16,7 +16,7 @@ in
forceSSL = true;
locations."/".root = runas_root;
locations."/.git" = { return = "404"; };
};

2
hosts/architect/searx.nix
View File

@ -10,7 +10,7 @@ in
searx = {
enable = true;
package = pkgs.searxng;
# package = mach-nix.buildPythonPackage "https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206";
# package = mach-nix.buildPythonPackage "https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206";
environmentFile = /secrets/searx/env;
settings = {

3
hosts/architect/sonarr.nix
View File

@ -4,7 +4,8 @@ let
domain = "htson.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in {
in
{
services = {
sonarr = {
enable = true;

7
hosts/architect/tailscale.nix
View File

@ -2,9 +2,10 @@
let
network = import ./network.nix;
ifname = "ts0";
in {
in
{
services = {
tailscale = {
enable = true;
@ -18,4 +19,4 @@ in {
${network.dodino-ts} dodino.devs.giugl.io
${network.giuliophone-ts} chuck.devs.giugl.io
'';
}
}

3
hosts/architect/transmission.nix
View File

@ -3,7 +3,8 @@
let
domain = "httra.giugl.io";
network = import ./network.nix;
in {
in
{
services = {
transmission = {
enable = true;

5
hosts/gAluminum/default.nix
View File

@ -9,7 +9,8 @@ let
export __VK_LAYER_NV_optimus=NVIDIA_only
exec -a "$0" "$@"
'';
in {
in
{
imports = [ ./hardware.nix ./wireguard.nix ./sound.nix ];
boot = {
@ -70,5 +71,5 @@ in {
programs.steam.enable = true;
environment.systemPackages = with pkgs; [ efibootmgr nvidia-offload ];
# system.stateVersion = "21.05"; # Did you read the comment?
# system.stateVersion = "21.05"; # Did you read the comment?
}

15
lib/host.nix
View File

@ -5,14 +5,17 @@
let
mkRole = role: import (../roles + "/${role}.nix");
users_mod = (map (u:
user.mkUser {
name = u.user;
roles = u.roles;
}) users);
users_mod = (map
(u:
user.mkUser {
name = u.user;
roles = u.roles;
})
users);
roles_mod = (map (r: mkRole r) roles);
add_imports = imports;
in nixpkgs.lib.nixosSystem {
in
nixpkgs.lib.nixosSystem {
inherit system;
modules = [

6
lib/user.nix
View File

@ -5,7 +5,8 @@
let
mkRole = role: import (../roles/home + "/${role}.nix");
roles_mod = (map (r: mkRole r) roles);
in {
in
{
users.groups.plugdev = { };
fileSystems."/home/${name}/Downloads" = {
@ -27,7 +28,8 @@
let
mkRole = role: import (../roles/home + "/${role}.nix");
roles_mod = (map (r: mkRole r) roles);
in home-manager.lib.homeManagerConfiguration {
in
home-manager.lib.homeManagerConfiguration {
inherit pkgs;
modules = [
{

2
roles/acme.nix
View File

@ -1,4 +1,4 @@
{
{
security.acme = {
acceptTerms = true;
defaults = {

3
roles/home/desktop.nix
View File

@ -9,7 +9,8 @@ let
name = "guake";
package = pkgs.guake;
});
in {
in
{
imports = [ ./gnome.nix ];
nixpkgs.config.allowUnfree = true;

4
roles/home/ssh.nix
View File

@ -10,12 +10,12 @@
user = "root";
identityFile = "~/.ssh/architectproxy";
};
"192.35.222.32" = {
user = "giulio";
identityFile = "~/.ssh/gitlab-ucsb";
};
"tommy.devs.giugl.io" = {
user = "giulio";
identityFile = "~/.ssh/tommypc";