prossima volta committo seriamente

This commit is contained in:
Giulio De Pasquale 2022-02-15 11:58:08 +01:00
parent 229d6b9e1a
commit 791da4c612
17 changed files with 226 additions and 30 deletions


@ -5,7 +5,10 @@ let
network = import ./network.nix;
in {
services = {
bazarr.enable = true;
bazarr = {
enable = true;
group = "media";
};
nginx.virtualHosts.${domain} = {
forceSSL = true;


@ -23,15 +23,19 @@ in {
./matrix.nix
./fail2ban.nix
./dns.nix
# ./minecraft.nix
./minecraft.nix
./prowlarr.nix
./plex.nix
# ./transmission.nix
./transmission.nix
./githubrunner.nix
./libreddit.nix
./invidious.nix
./nitter.nix
./ccache.nix
./lidarr.nix
./navidrome.nix
./jellyfin.nix
./prosody.nix
];
time.timeZone = "Europe/Rome";
@ -44,7 +48,12 @@ in {
"ip=${network.architect-lan}::10.0.0.1:255.255.255.0::${network.wan-if}:off"
"nvme_core.default_ps_max_latency_us=5500"
];
kernel.sysctl."net.ipv4.ip_forward" = 1;
kernel.sysctl= {
"net.ipv4.ip_forward" = 1;
"fs.protected_regular" = 0;
};
initrd = {
availableKernelModules = [ "igc" "r8169" ];
network = {
@ -73,7 +82,7 @@ in {
supportedFilesystems = [ "zfs" ];
zfs.requestEncryptionCredentials = true;
tmpOnTmpfsSize = "150%";
tmpOnTmpfsSize = "80%";
};
networking = {
@ -97,7 +106,7 @@ in {
${network.dvr-lan} dvr.devs.giugl.io
${network.nas-lan} nas.devs.giugl.io
192.168.1.1 vodafone.station
# Blacklist
0.0.0.0 metrics.plex.tv
0.0.0.0 analytics.plex.tv
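Review bot: `"fs.protected_regular" = 0;` in the new `kernel.sysctl` set turns off the kernel's refusal to O_CREAT-open existing regular files in world-writable sticky directories (the /tmp squatting mitigation), and nothing in the hunk records why a host-wide hardening default is being dropped. If one service fails on a pre-existing file in /tmp, the narrower fix is to give that unit its own directory (`PrivateTmp`, `RuntimeDirectory`) rather than relaxing the whole machine. If it must stay, leave the reason next to it, e.g. `"fs.protected_regular" = 0; # <service> cannot open its files in /tmp otherwise — revisit`, so the next reader knows it is deliberate and when it can be reverted.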


@ -9,10 +9,12 @@ let
443 # https
8448 # matrix
10022 # gitea
30303
51413 # transmission
];
open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
1194 # wireguard
30303
51413 # transmission
];
open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
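Review bot: Port `30303` is opened towards the WAN on both TCP and UDP without the owner comment every other entry in these two lists carries, so a reader cannot tell which service it belongs to or when it can be closed again. Add it inline in both lists, `30303 # <service>`, and check whether both protocols are really needed or only one of them. If it belongs to one of the modules this commit un-comments in configuration.nix, the comment should name that module so the port and the import are removed together.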


@ -44,7 +44,7 @@
swapDevices = [{
device = "/dev/sdc1";
size = 100000;
size = 10000;
}];
}


@ -1,6 +1,9 @@
{ pkgs, ... }:
with import ./network.nix; {
let
network = import ./network.nix;
domain = "jellyfin.giugl.io";
in {
disabledModules = [ "services/misc/jellyfin.nix" ];
imports = [ ./modules/jellyfin.nix ];
@ -10,9 +13,9 @@ with import ./network.nix; {
package = pkgs.unstable.jellyfin;
};
nginx.virtualHosts.${mediadomain} = {
forceSSL = true;
enableACME = true;
nginx.virtualHosts.${domain} = {
# forceSSL = true;
# enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8096";
extraConfig = ''
@ -25,8 +28,8 @@ with import ./network.nix; {
};
networking.extraHosts = ''
${architect-lan} ${mediadomain}
${architect-wg} ${mediadomain}
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
users.groups.media.members = [ "jellyfin" ];
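Review bot: Commenting out `forceSSL` and `enableACME` leaves the `jellyfin.giugl.io` vhost on plain HTTP, so Jellyfin logins and API tokens travel unencrypted wherever the name resolves, and unlike the lidarr vhost added in this commit there is no `allow`/`deny` block keeping it off the public listener. If this is a stop-gap for an ACME failure, say so on the lines, `# TLS disabled until ACME for this name works — must not be reachable from WAN meanwhile`; otherwise restore the two settings. The `networking.extraHosts` entries only steer local name resolution and do not restrict who can reach the vhost through nginx.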


@ -1,4 +1,4 @@
{ lib, ... }:
{ lib, pkgs, ... }:
let
domain = "reddit.giugl.io";


@ -0,0 +1,34 @@
{ lib, ... }:
let
domain = "htlid.giugl.io";
network = import ./network.nix;
in {
services = {
lidarr = {
enable = true;
group = "media";
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8686";
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
deny 10.0.0.1;
'';
};
};
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
users.groups.media.members = [ "lidarr" ];
}
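Review bot: In the lidarr `extraConfig`, `deny 10.0.0.1;` is unreachable: nginx evaluates `allow`/`deny` directives in order and stops at the first match, so 10.0.0.1 has already been admitted by `allow 10.0.0.0/24;` and every other client has already been rejected by `deny all;` above it. If the intent is to keep the gateway out (10.0.0.1 is the gateway in the `ip=` boot parameter in configuration.nix), move it first, `deny 10.0.0.1;` before `allow 10.0.0.0/24;`, and drop the trailing line. This only gates the nginx path; whatever address port 8686 itself binds to is outside this file and worth checking.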


@ -12,11 +12,13 @@ in {
database_name = "synapse";
public_baseurl = "https://${domain}";
registration_shared_secret = "runas!";
url_preview_enabled = true;
dynamic_thumbnails = true;
withJemalloc = true;
# enable_registration = true;
app_service_config_files = [
"/var/lib/matrix-synapse/discord-registration.yaml"
"/var/lib/matrix-synapse/telegram-registration.yaml"
# "/var/lib/matrix-synapse/telegram-registration.yaml"
];
extraConfig = ''
auto_join_rooms:
@ -42,6 +44,33 @@ in {
];
turn_shared_secret = "69duck duck fuck420";
turn_user_lifetime = "1h";
logConfig = ''
version: 1
# In systemd's journal, loglevel is implicitly stored, so let's omit it
# from the message text.
formatters:
journal_fmt:
format: '%(name)s: [%(request)s] %(message)s'
filters:
context:
(): synapse.util.logcontext.LoggingContextFilter
request: ""
handlers:
journal:
class: systemd.journal.JournalHandler
formatter: journal_fmt
filters: [context]
SYSLOG_IDENTIFIER: synapse
root:
level: WARN
handlers: [journal]
disable_existing_loggers: False
'';
};
postgresql = {
@ -92,17 +121,22 @@ in {
};
# web client
"${webui_domain}" = {
enableACME = true;
forceSSL = true;
root = pkgs.element-web.override {
# root = pkgs.element-web.override {
# conf = {
# default_server_config."m.homeserver" = {
# "base_url" = "https://${domain}";
# "server_name" = "${domain}";
# };
# };
# };
root = pkgs.unstable.cinny.override {
conf = {
default_server_config."m.homeserver" = {
"base_url" = "https://${domain}";
"server_name" = "${domain}";
};
homeserverList = [ "${domain}" ];
defaultHomeserver = 0;
};
};
};
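Review bot: The synapse `settings` set still contains `registration_shared_secret = "runas!";` and a literal `turn_shared_secret`, and the new `logConfig` is added to the same set, so everything here is rendered into the homeserver config in the world-readable Nix store and is committed to this repository. Those two secrets predate this commit but should move out of the expression, e.g. `extraConfigFiles = [ "/var/lib/matrix-synapse/secrets.yaml" ];` with a root-owned 0600 file readable by the synapse user, and be rotated since they are in git history. Separately, `(): synapse.util.logcontext.LoggingContextFilter` is the legacy module path for that filter; check it against the synapse in `pkgs.unstable`, which may ship it under `synapse.logging.context`.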


@ -0,0 +1,53 @@
{ lib, pkgs, ... }:
let
domain = "music.giugl.io";
network = import ./network.nix;
in {
services = {
navidrome = {
enable = true;
settings = {
MusicFolder = "/media/Music";
LastFM.enable = true;
LastFM.ApiKey = "5cef5cb5f9d31326b97d0f929ca9cf20";
LastFM.Secret = "d1296896126f4caae47407aecf080b25";
Spotify.ID = "3900c029b4f34f3fb61d554dda64794d";
Spotify.Secret = "d931ce5575a9401aa5ff8d37558cca0a";
EnableGravatar = true;
LogLevel = "WARN";
};
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:4533";
# extraConfig = ''
# allow 10.0.0.0/24;
# ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
# deny all;
# '';
};
};
};
systemd.services."beets-rename" = {
enable = true;
serviceConfig = {
Type = "oneshot";
ExecStart =
"${pkgs.findutils}/bin/find /media/Music -type d -mindepth 2 -maxdepth 2 -exec ${pkgs.beets}/bin/beet -c /media/config.conf import --flat -q {} \\;";
};
startAt = "daily";
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
users.groups.media.members = [ "navidrome" ];
}
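Review bot: `LastFM.ApiKey`, `LastFM.Secret`, `Spotify.ID` and `Spotify.Secret` are literal strings in `settings`, so they end up in the generated config in the world-readable Nix store and are now in git history; treat them as leaked and rotate them. Navidrome also reads its options from `ND_*` environment variables, so the four lines can be replaced by `systemd.services.navidrome.serviceConfig.EnvironmentFile = "/var/lib/navidrome/secrets.env";` with a root-owned 0600 file holding `ND_LASTFM_SECRET=...` and friends (confirm the exact variable names against the Navidrome docs). With the `allow`/`deny` block commented out, `music.giugl.io` is reachable from anywhere the ACME vhost is, relying solely on Navidrome's own login. The `beets-rename` unit sets no `User=`, so `beet import` rewrites tags under /media/Music as root; `User = "navidrome";` (or a dedicated user in group media) would contain it.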


@ -44,6 +44,7 @@ rec {
jacopo-wg = "10.3.0.28";
frznn-wg = "10.3.0.29";
ludo-wg = "10.3.0.30";
parina-wg = "10.3.0.31";
eleonora-wg = "10.3.0.100";
angellane-wg = "10.3.0.200";
hotpottino-wg = "10.3.0.201";
@ -52,10 +53,10 @@ rec {
# groups
gdevices-wg =
[ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg ];
[ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg wolfsonhouse-wg ];
routers-wg = [ hotpottino-wg angellane-wg dodino-wg wolfsonhouse-wg ];
c2c-wg = [ ] ++ gdevices-wg;
towan-wg = [ shield-wg parisaphone-wg parisapc-wg ] ++ gdevices-wg
towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg ] ++ gdevices-wg
++ routers-wg;
gamenet-wg = [
andrew-wg
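Review bot: `wolfsonhouse-wg` is added to `gdevices-wg` while it also stays in `routers-wg`, and `gdevices-wg` is the list the service vhosts in this commit (lidarr, and the commented block in navidrome) expand into nginx `allow` rules. If that address is a router rather than a single device, every host behind it that NATs through the tunnel now passes those allow rules, a wider grant than the other group members. If that is intended, note it on the group line, `# wolfsonhouse is a router: its whole LAN inherits gdevices access`; otherwise leave it in `routers-wg` only. `towan-wg` inherits the same widening through `++ gdevices-wg`.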


@ -14,7 +14,7 @@ in {
enable = true;
hostName = "${domain}";
https = true;
package = pkgs.unstable.nextcloud22;
package = pkgs.unstable.nextcloud23;
caching.redis = true;


@ -5,7 +5,10 @@ let
network = import ./network.nix;
in {
services = {
nzbget.enable = true;
nzbget = {
enable = true;
group = "media";
};
nginx.virtualHosts.${domain} = {
forceSSL = true;


@ -0,0 +1,41 @@
{ lib, config, ... }:
let
domain = "xmpp.giugl.io";
conference_domain = "conference.${domain}";
upload_domain = "uploads.${domain}";
network = import ./network.nix;
in {
services = {
prosody = {
enable = true;
virtualHosts = {
"${domain}" = {
domain = domain;
enabled = true;
ssl.key = "${config.security.acme.certs.${domain}.directory}/key.pem";
ssl.cert =
"${config.security.acme.certs.${domain}.directory}/fullchain.pem";
};
};
muc = [{ domain = conference_domain; }];
uploadHttp = { domain = upload_domain; };
admins = [ "giulio@${domain}" ];
httpInterfaces = [ "wg0" ];
httpsInterfaces = [ "wg0" ];
};
};
services.nginx.virtualHosts."${domain}".enableACME = true;
#services.nginx.virtualHosts."${conference_domain}".enableACME = true;
#services.nginx.virtualHosts."${upload_domain}".enableACME = true;
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
users.groups.acme.members = [ "prosody" ];
}
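Review bot: `users.groups.acme.members = [ "prosody" ];` lets the prosody user read every certificate and key under the ACME state directory, not just the one for `xmpp.giugl.io`; a narrower grant is a dedicated group for this certificate holding nginx and prosody via `security.acme.certs.${domain}.group`, plus `reloadServices = [ "prosody.service" ];` so renewals are picked up. `httpInterfaces`/`httpsInterfaces = [ "wg0" ]` pass an interface name where, as far as I can tell, Prosody's `http_interfaces` expects bind addresses, so the upload component may fail to bind; if the journal confirms that, use `${network.architect-wg}` instead. The MUC and upload components are declared but their ACME lines are commented out, so those names are served with whatever certificate prosody falls back to — either finish that or leave a comment explaining why it is deferred.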


@ -5,7 +5,10 @@ let
network = import ./network.nix;
in {
services = {
radarr.enable = true;
radarr = {
enable = true;
group = "media";
};
nginx.virtualHosts.${domain} = {
forceSSL = true;


@ -5,7 +5,10 @@ let
network = import ./network.nix;
in {
services = {
sonarr.enable = true;
sonarr = {
enable = true;
group = "media";
};
nginx.virtualHosts.${domain} = {
forceSSL = true;


@ -1,4 +1,4 @@
{ lib, config }:
{ lib, config, ... }:
let
domain = "httra.giugl.io";
@ -7,6 +7,7 @@ in {
services = {
transmission = {
enable = true;
group = "media";
settings = {
download-dir = "/media/transmission";
incomplete-dir = "/media/transmission/.incomplete";
@ -15,7 +16,6 @@ in {
speed-limit-up = 10;
speed-limit-up-enabled = true;
peer-port = 51413;
umask = 2;
};
performanceNetParameters = true;
};
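Review bot: Dropping `umask = 2;` while adding `group = "media";` decides what the other media-group services in this commit can do with downloaded files: the effective umask now falls back to the module default, and if that default is 022 the files land 0644/0755 and group members can read but not rename or delete them. If group-writable downloads are the reason for the shared group, keep the setting explicit with its intent, `umask = 2; # 0002: sonarr/radarr/lidarr in group media must be able to move files`; if the module default is already 2 the line costs nothing and documents the dependency. The `{ lib, config, ... }:` change on the first line is correct — without the ellipsis the module would reject the extra arguments NixOS passes.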


@ -31,6 +31,7 @@ with import ./network.nix; {
${wolfsonhouse-wg} wolfsonhouse.devs.giugl.io
${frznn-wg} frznn.devs.giugl.io
${ludo-wg} ludo.devs.giugl.io
${parina-wg} parina.devs.giugl.io
'';
wireguard = {
@ -242,6 +243,12 @@ with import ./network.nix; {
allowedIPs = [ ludo-wg ];
publicKey = "ecrxdzx7tQZwMPxZOjHUvxZT2xY79B6XEDIW+fhEtEM=";
}
{
# parina
allowedIPs = [ parina-wg ];
publicKey = "7nubNnfGsg4/7KemMDn9r99mNK8RFU9uOFFqaYv6rUA=";
}
];
};
};