prossima volta committo seriamente

Giulio De Pasquale 2022-02-15 11:58:08 +01:00
parent 229d6b9e1a
commit 791da4c612
17 changed files with 226 additions and 30 deletions


@ -5,7 +5,10 @@ let
network = import ./network.nix; network = import ./network.nix;
in { in {
services = { services = {
bazarr.enable = true; bazarr = {
enable = true;
group = "media";
};
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;


@ -23,15 +23,19 @@ in {
./matrix.nix ./matrix.nix
./fail2ban.nix ./fail2ban.nix
./dns.nix ./dns.nix
# ./minecraft.nix ./minecraft.nix
./prowlarr.nix ./prowlarr.nix
./plex.nix ./plex.nix
# ./transmission.nix ./transmission.nix
./githubrunner.nix ./githubrunner.nix
./libreddit.nix ./libreddit.nix
./invidious.nix ./invidious.nix
./nitter.nix ./nitter.nix
./ccache.nix ./ccache.nix
./lidarr.nix
./navidrome.nix
./jellyfin.nix
./prosody.nix
]; ];
time.timeZone = "Europe/Rome"; time.timeZone = "Europe/Rome";
@ -44,7 +48,12 @@ in {
"ip=${network.architect-lan}::10.0.0.1:255.255.255.0::${network.wan-if}:off" "ip=${network.architect-lan}::10.0.0.1:255.255.255.0::${network.wan-if}:off"
"nvme_core.default_ps_max_latency_us=5500" "nvme_core.default_ps_max_latency_us=5500"
]; ];
kernel.sysctl."net.ipv4.ip_forward" = 1;
kernel.sysctl= {
"net.ipv4.ip_forward" = 1;
"fs.protected_regular" = 0;
};
initrd = { initrd = {
availableKernelModules = [ "igc" "r8169" ]; availableKernelModules = [ "igc" "r8169" ];
network = { network = {
@ -73,7 +82,7 @@ in {
supportedFilesystems = [ "zfs" ]; supportedFilesystems = [ "zfs" ];
zfs.requestEncryptionCredentials = true; zfs.requestEncryptionCredentials = true;
tmpOnTmpfsSize = "150%"; tmpOnTmpfsSize = "80%";
}; };
networking = { networking = {
@ -97,7 +106,7 @@ in {
${network.dvr-lan} dvr.devs.giugl.io ${network.dvr-lan} dvr.devs.giugl.io
${network.nas-lan} nas.devs.giugl.io ${network.nas-lan} nas.devs.giugl.io
192.168.1.1 vodafone.station
# Blacklist # Blacklist
0.0.0.0 metrics.plex.tv 0.0.0.0 metrics.plex.tv
0.0.0.0 analytics.plex.tv 0.0.0.0 analytics.plex.tv
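Review bot: `"fs.protected_regular" = 0;` in the new `kernel.sysctl` set switches off the kernel restriction on opening, with O_CREAT, regular files owned by another user in world-writable sticky directories such as /tmp, and it does so for every process on the host. Nothing in the hunk says which service needed this; if it is a workaround for the media services sharing files, fixing ownership and group permissions on the shared directory would keep the hardening in place. If it has to stay, record the reason next to it, for example `# required by <service>: <reason>`, so it can be reverted later.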


@ -9,10 +9,12 @@ let
443 # https 443 # https
8448 # matrix 8448 # matrix
10022 # gitea 10022 # gitea
30303
51413 # transmission 51413 # transmission
]; ];
open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [ open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
1194 # wireguard 1194 # wireguard
30303
51413 # transmission 51413 # transmission
]; ];
open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [ open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
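Review bot: Port `30303` is added to both the TCP list (its name is above the hunk) and `open_udp_ports` without the service comment that every other entry carries, so a reader cannot tell what is being exposed. No file shown in this commit configures a listener on that port, so confirm a service really needs it reachable on these lists rather than on the `_vpn` ones before opening it. If it does, annotate both entries in the list's own style, e.g. `30303 # <service name>`.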


@ -44,7 +44,7 @@
swapDevices = [{ swapDevices = [{
device = "/dev/sdc1"; device = "/dev/sdc1";
size = 100000; size = 10000;
}]; }];
} }


@ -1,6 +1,9 @@
{ pkgs, ... }: { pkgs, ... }:
with import ./network.nix; { let
network = import ./network.nix;
domain = "jellyfin.giugl.io";
in {
disabledModules = [ "services/misc/jellyfin.nix" ]; disabledModules = [ "services/misc/jellyfin.nix" ];
imports = [ ./modules/jellyfin.nix ]; imports = [ ./modules/jellyfin.nix ];
@ -10,9 +13,9 @@ with import ./network.nix; {
package = pkgs.unstable.jellyfin; package = pkgs.unstable.jellyfin;
}; };
nginx.virtualHosts.${mediadomain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; # forceSSL = true;
enableACME = true; # enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://localhost:8096"; proxyPass = "http://localhost:8096";
extraConfig = '' extraConfig = ''
@ -25,8 +28,8 @@ with import ./network.nix; {
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architect-lan} ${mediadomain} ${network.architect-lan} ${domain}
${architect-wg} ${mediadomain} ${network.architect-wg} ${domain}
''; '';
users.groups.media.members = [ "jellyfin" ]; users.groups.media.members = [ "jellyfin" ];
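Review bot: Commenting out `forceSSL` and `enableACME` on the `${domain}` virtual host leaves Jellyfin served over plain HTTP only, so logins and session tokens cross the LAN and WireGuard paths unencrypted. If the reason is that ACME cannot yet validate the new `jellyfin.giugl.io` name, fixing issuance is preferable to dropping TLS; otherwise restore `forceSSL = true;` and `enableACME = true;`. The `extraConfig` block continues outside the hunk, so whether an allow/deny list still limits who can reach this host cannot be checked from here.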


@ -1,4 +1,4 @@
{ lib, ... }: { lib, pkgs, ... }:
let let
domain = "reddit.giugl.io"; domain = "reddit.giugl.io";


@ -0,0 +1,34 @@
{ lib, ... }:
let
domain = "htlid.giugl.io";
network = import ./network.nix;
in {
services = {
lidarr = {
enable = true;
group = "media";
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8686";
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
deny 10.0.0.1;
'';
};
};
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
users.groups.media.members = [ "lidarr" ];
}
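Review bot: In the `extraConfig` of `locations."/"`, `deny 10.0.0.1;` is placed after both `allow 10.0.0.0/24;` and `deny all;`, so it never takes effect: nginx checks access rules in order and stops at the first match, and 10.0.0.1 already matches the /24 allow. If the intent is to keep that address out (it is the gateway in the kernel `ip=` parameter elsewhere in this commit, so forwarded traffic may appear to come from it), the rule has to come first: `deny 10.0.0.1;`, then `allow 10.0.0.0/24;`, then the WireGuard allows and `deny all;`. If the line is a leftover, remove it so the list does not suggest a restriction that is not enforced.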


@ -12,11 +12,13 @@ in {
database_name = "synapse"; database_name = "synapse";
public_baseurl = "https://${domain}"; public_baseurl = "https://${domain}";
registration_shared_secret = "runas!"; registration_shared_secret = "runas!";
url_preview_enabled = true;
dynamic_thumbnails = true; dynamic_thumbnails = true;
withJemalloc = true;
# enable_registration = true; # enable_registration = true;
app_service_config_files = [ app_service_config_files = [
"/var/lib/matrix-synapse/discord-registration.yaml" "/var/lib/matrix-synapse/discord-registration.yaml"
"/var/lib/matrix-synapse/telegram-registration.yaml" # "/var/lib/matrix-synapse/telegram-registration.yaml"
]; ];
extraConfig = '' extraConfig = ''
auto_join_rooms: auto_join_rooms:
@ -42,6 +44,33 @@ in {
]; ];
turn_shared_secret = "69duck duck fuck420"; turn_shared_secret = "69duck duck fuck420";
turn_user_lifetime = "1h"; turn_user_lifetime = "1h";
logConfig = ''
version: 1
# In systemd's journal, loglevel is implicitly stored, so let's omit it
# from the message text.
formatters:
journal_fmt:
format: '%(name)s: [%(request)s] %(message)s'
filters:
context:
(): synapse.util.logcontext.LoggingContextFilter
request: ""
handlers:
journal:
class: systemd.journal.JournalHandler
formatter: journal_fmt
filters: [context]
SYSLOG_IDENTIFIER: synapse
root:
level: WARN
handlers: [journal]
disable_existing_loggers: False
'';
}; };
postgresql = { postgresql = {
@ -92,17 +121,22 @@ in {
}; };
# web client # web client
"${webui_domain}" = { "${webui_domain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
root = pkgs.element-web.override { # root = pkgs.element-web.override {
# conf = {
# default_server_config."m.homeserver" = {
# "base_url" = "https://${domain}";
# "server_name" = "${domain}";
# };
# };
# };
root = pkgs.unstable.cinny.override {
conf = { conf = {
default_server_config."m.homeserver" = { homeserverList = [ "${domain}" ];
"base_url" = "https://${domain}"; defaultHomeserver = 0;
"server_name" = "${domain}";
};
}; };
}; };
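Review bot: `url_preview_enabled = true;` makes the homeserver fetch any URL a user posts, so Synapse will issue requests towards whatever it can reach from this host. Check that `url_preview_ip_range_blacklist` covers loopback, 10.0.0.0/24 and the 10.3.0.x WireGuard addresses where the other services in this repository listen; the settings block continues outside the hunk, so it is not visible whether that option is set or left to the module default. Separately, the new `logConfig` references `synapse.util.logcontext.LoggingContextFilter`; confirm that module path still exists in the packaged Synapse version, since a wrong path would break logging setup at start.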
}; };


@ -0,0 +1,53 @@
{ lib, pkgs, ... }:
let
domain = "music.giugl.io";
network = import ./network.nix;
in {
services = {
navidrome = {
enable = true;
settings = {
MusicFolder = "/media/Music";
LastFM.enable = true;
LastFM.ApiKey = "5cef5cb5f9d31326b97d0f929ca9cf20";
LastFM.Secret = "d1296896126f4caae47407aecf080b25";
Spotify.ID = "3900c029b4f34f3fb61d554dda64794d";
Spotify.Secret = "d931ce5575a9401aa5ff8d37558cca0a";
EnableGravatar = true;
LogLevel = "WARN";
};
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:4533";
# extraConfig = ''
# allow 10.0.0.0/24;
# ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
# deny all;
# '';
};
};
};
systemd.services."beets-rename" = {
enable = true;
serviceConfig = {
Type = "oneshot";
ExecStart =
"${pkgs.findutils}/bin/find /media/Music -type d -mindepth 2 -maxdepth 2 -exec ${pkgs.beets}/bin/beet -c /media/config.conf import --flat -q {} \\;";
};
startAt = "daily";
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
users.groups.media.members = [ "navidrome" ];
}
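Review bot: `LastFM.Secret` and `Spotify.Secret`, together with their API key and client ID, are written as literals in `settings`, so they are published with the repository and copied into the world-readable Nix store on the host. Navidrome also reads these values from the environment, so they can move to a root-only file referenced with `systemd.services.navidrome.serviceConfig.EnvironmentFile = "<path outside the store>";` that defines `ND_LASTFM_APIKEY`, `ND_LASTFM_SECRET`, `ND_SPOTIFY_ID` and `ND_SPOTIFY_SECRET`; the committed values should be rotated. Also, the allow/deny `extraConfig` is commented out on this virtual host, unlike the lidarr host added in the same commit, so the login page is open to any client that can reach nginx; if that is intended, say so in a comment.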


@ -44,6 +44,7 @@ rec {
jacopo-wg = "10.3.0.28"; jacopo-wg = "10.3.0.28";
frznn-wg = "10.3.0.29"; frznn-wg = "10.3.0.29";
ludo-wg = "10.3.0.30"; ludo-wg = "10.3.0.30";
parina-wg = "10.3.0.31";
eleonora-wg = "10.3.0.100"; eleonora-wg = "10.3.0.100";
angellane-wg = "10.3.0.200"; angellane-wg = "10.3.0.200";
hotpottino-wg = "10.3.0.201"; hotpottino-wg = "10.3.0.201";
@ -52,10 +53,10 @@ rec {
# groups # groups
gdevices-wg = gdevices-wg =
[ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg ]; [ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg wolfsonhouse-wg ];
routers-wg = [ hotpottino-wg angellane-wg dodino-wg wolfsonhouse-wg ]; routers-wg = [ hotpottino-wg angellane-wg dodino-wg wolfsonhouse-wg ];
c2c-wg = [ ] ++ gdevices-wg; c2c-wg = [ ] ++ gdevices-wg;
towan-wg = [ shield-wg parisaphone-wg parisapc-wg ] ++ gdevices-wg towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg ] ++ gdevices-wg
++ routers-wg; ++ routers-wg;
gamenet-wg = [ gamenet-wg = [
andrew-wg andrew-wg
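Review bot: Adding `wolfsonhouse-wg` to `gdevices-wg` puts an address that is also listed in `routers-wg` into the group used as the trusted-device allow list, for instance in the nginx `allow` rules generated from `network.gdevices-wg` and in `c2c-wg`. If that peer routes or NATs for a remote network, every host behind it would inherit the same access. Consider keeping routers out of the device group and granting the specific access separately, or add a comment such as `# wolfsonhouse: treated as a personal device because <reason>`. The `gamenet-wg` list continues outside the hunk.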


@ -14,7 +14,7 @@ in {
enable = true; enable = true;
hostName = "${domain}"; hostName = "${domain}";
https = true; https = true;
package = pkgs.unstable.nextcloud22; package = pkgs.unstable.nextcloud23;
caching.redis = true; caching.redis = true;


@ -5,7 +5,10 @@ let
network = import ./network.nix; network = import ./network.nix;
in { in {
services = { services = {
nzbget.enable = true; nzbget = {
enable = true;
group = "media";
};
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;


@ -0,0 +1,41 @@
{ lib, config, ... }:
let
domain = "xmpp.giugl.io";
conference_domain = "conference.${domain}";
upload_domain = "uploads.${domain}";
network = import ./network.nix;
in {
services = {
prosody = {
enable = true;
virtualHosts = {
"${domain}" = {
domain = domain;
enabled = true;
ssl.key = "${config.security.acme.certs.${domain}.directory}/key.pem";
ssl.cert =
"${config.security.acme.certs.${domain}.directory}/fullchain.pem";
};
};
muc = [{ domain = conference_domain; }];
uploadHttp = { domain = upload_domain; };
admins = [ "giulio@${domain}" ];
httpInterfaces = [ "wg0" ];
httpsInterfaces = [ "wg0" ];
};
};
services.nginx.virtualHosts."${domain}".enableACME = true;
#services.nginx.virtualHosts."${conference_domain}".enableACME = true;
#services.nginx.virtualHosts."${upload_domain}".enableACME = true;
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
users.groups.acme.members = [ "prosody" ];
}
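Review bot: `users.groups.acme.members = [ "prosody" ];` gives the XMPP daemon group access to the ACME state, which with the module defaults means it can read the private key of every certificate owned by group `acme`, not only the one for `${domain}`. A narrower option is a dedicated group set on `security.acme.certs.${domain}.group` and shared by nginx and prosody. Two further things to check: `httpInterfaces` and `httpsInterfaces` are set to `"wg0"`, while Prosody's interface settings normally take IP addresses, and the `muc` and `uploadHttp` domains have their `enableACME` lines commented out, so no certificate of their own is requested for them.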


@ -5,7 +5,10 @@ let
network = import ./network.nix; network = import ./network.nix;
in { in {
services = { services = {
radarr.enable = true; radarr = {
enable = true;
group = "media";
};
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;


@ -5,7 +5,10 @@ let
network = import ./network.nix; network = import ./network.nix;
in { in {
services = { services = {
sonarr.enable = true; sonarr = {
enable = true;
group = "media";
};
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;


@ -1,4 +1,4 @@
{ lib, config }: { lib, config, ... }:
let let
domain = "httra.giugl.io"; domain = "httra.giugl.io";
@ -7,6 +7,7 @@ in {
services = { services = {
transmission = { transmission = {
enable = true; enable = true;
group = "media";
settings = { settings = {
download-dir = "/media/transmission"; download-dir = "/media/transmission";
incomplete-dir = "/media/transmission/.incomplete"; incomplete-dir = "/media/transmission/.incomplete";
@ -15,7 +16,6 @@ in {
speed-limit-up = 10; speed-limit-up = 10;
speed-limit-up-enabled = true; speed-limit-up-enabled = true;
peer-port = 51413; peer-port = 51413;
umask = 2;
}; };
performanceNetParameters = true; performanceNetParameters = true;
}; };
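Review bot: Dropping `umask = 2;` from `settings` while adding `group = "media";` looks contradictory: without it the daemon falls back to its default umask (022 unless the module sets another), so new downloads are no longer group-writable for the other `media` members. If the `"fs.protected_regular" = 0` change elsewhere in this commit was made to get around permission errors on shared files, restoring `umask = 2;` here is the narrower fix. The `settings` block starts above the hunk, so other permission-related keys may exist that are not visible.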


@ -31,6 +31,7 @@ with import ./network.nix; {
${wolfsonhouse-wg} wolfsonhouse.devs.giugl.io ${wolfsonhouse-wg} wolfsonhouse.devs.giugl.io
${frznn-wg} frznn.devs.giugl.io ${frznn-wg} frznn.devs.giugl.io
${ludo-wg} ludo.devs.giugl.io ${ludo-wg} ludo.devs.giugl.io
${parina-wg} parina.devs.giugl.io
''; '';
wireguard = { wireguard = {
@ -242,6 +243,12 @@ with import ./network.nix; {
allowedIPs = [ ludo-wg ]; allowedIPs = [ ludo-wg ];
publicKey = "ecrxdzx7tQZwMPxZOjHUvxZT2xY79B6XEDIW+fhEtEM="; publicKey = "ecrxdzx7tQZwMPxZOjHUvxZT2xY79B6XEDIW+fhEtEM=";
} }
{
# parina
allowedIPs = [ parina-wg ];
publicKey = "7nubNnfGsg4/7KemMDn9r99mNK8RFU9uOFFqaYv6rUA=";
}
]; ];
}; };
}; };