From 863cc724f574f710bf5a29323153d59c855f4972 Mon Sep 17 00:00:00 2001
From: Giulio De Pasquale
Date: Wed, 7 Jul 2021 14:13:19 +0200
Subject: [PATCH] reorganized services in files
---
 hosts/architect/bazarr.nix | 27 +++++++++++++++
 hosts/architect/default.nix | 43 ++++++++++--------------
 hosts/architect/firewall.nix | 33 ++++++------------
 hosts/architect/gitea.nix | 33 ++++++++++++++++++
 hosts/architect/jellyfin.nix | 29 ++++++++++++++++
 hosts/architect/network.nix | 27 ++++++++-------
 hosts/architect/nginx.nix | 65 ------------------------------------
 hosts/architect/nzbget.nix | 27 +++++++++++++++
 hosts/architect/radarr.nix | 27 +++++++++++++++
 hosts/architect/sonarr.nix | 27 +++++++++++++++
 10 files changed, 213 insertions(+), 125 deletions(-)
 create mode 100644 hosts/architect/bazarr.nix
 create mode 100644 hosts/architect/gitea.nix
 create mode 100644 hosts/architect/jellyfin.nix
 create mode 100644 hosts/architect/nzbget.nix
 create mode 100644 hosts/architect/radarr.nix
 create mode 100644 hosts/architect/sonarr.nix
diff --git a/hosts/architect/bazarr.nix b/hosts/architect/bazarr.nix
new file mode 100644
index 0000000..8006250
--- /dev/null
+++ b/hosts/architect/bazarr.nix
@@ -0,0 +1,27 @@
+with import ./network.nix;
+{
+ services = {
+ bazarr.enable = true;
+
+ nginx.virtualHosts.${bazarrdomain} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:6767";
+ extraConfig = ''
+ allow 10.0.0.0/24;
+ allow 10.3.0.0/24;
+ deny all;
+ '';
+ };
+ };
+ };
+
+ networking.extraHosts = ''
+ 127.0.0.1 ${bazarrdomain}
+ ${architect-lan} ${bazarrdomain}
+ ${architect-wg} ${bazarrdomain}
+ '';
+
+ users.groups.media.members = ["bazarr"];
+}
diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix
index 2e8b442..f1b2582 100644
--- a/hosts/architect/default.nix
+++ b/hosts/architect/default.nix
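Review bot: The nginx access list in bazarr.nix hard-codes `allow 10.0.0.0/24;` and `allow 10.3.0.0/24;` even though the file already brings `lan-net` and `vpn-net` into scope with `with import ./network.nix;`, so a later edit to network.nix would update firewall.nix (which now uses `${vpn-net}`) but leave this allow list stale. Write `allow ${lan-net};` and `allow ${vpn-net};` inside `extraConfig` instead, and the same applies to the identical literal pair in the new gitea.nix, jellyfin.nix, nzbget.nix, radarr.nix and sonarr.nix. A one-line comment above the list, `# same networks the firewall admits on wan-if/vpn-if; keep in sync with network.nix`, would make the coupling explicit.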
@@ -19,6 +19,12 @@ in
 ../../users.nix
 ./firewall.nix
 ./nginx.nix
+ ./gitea.nix
+ ./sonarr.nix
+ ./radarr.nix
+ ./bazarr.nix
+ ./nzbget.nix
+ ./jellyfin.nix
 ];
 variables.hostname = hostname;
@@ -27,7 +33,7 @@ in
 users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
 boot = {
- kernelParams = ["ip=${giupi_lan_ip}::10.0.0.1:255.255.255.0::${wan_if}:off"];
+ kernelParams = ["ip=${architect-lan}::10.0.0.1:255.255.255.0::${wan-if}:off"];
 initrd = {
 availableKernelModules = ["igc" "r8169"];
@@ -65,22 +71,22 @@ in
 useDHCP = false;
 defaultGateway = "10.0.0.1";
 interfaces = {
- enp5s0.ipv4.addresses = [{ address = giupi_lan_ip; prefixLength = 24; }];
+ enp5s0.ipv4.addresses = [{ address = architect-lan; prefixLength = 24; }];
 enp6s0.useDHCP = false;
 wlp4s0.useDHCP = false;
 };
 extraHosts = ''
- 127.0.0.1 ${hostname}.devs.giugl.io jf.giugl.io yt.giugl.io s3.giugl.io synclounge.giugl.io giugl.io htson.giugl.io htrad.giugl.io htnzb.giugl.io httra.giugl.io giupyter.giugl.io irc.giugl.io localhost
+ 127.0.0.1 ${hostname}.devs.giugl.io localhost
 # LAN
- ${giupi_lan_ip} ${hostname}.devs.giugl.io media.giugl.io giugl.io jf.giugl.io yt.giugl.io s3.giugl.io synclounge.giugl.io htson.giugl.io htrad.giugl.io htnzb.giugl.io httra.giugl.io todo.giugl.io giupyter.giugl.io collabora.giugl.io htjak.giugl.io irc.giugl.io
+ ${architect-lan} ${hostname}.devs.giugl.io
 10.0.0.1 router.devs.giugl.io
- ${dvr_ip} dvr.devs.giugl.io
- ${nas_ip} nas.devs.giugl.io
-
+ ${dvr-lan} dvr.devs.giugl.io
+ ${nas-lan} nas.devs.giugl.io
+
 # Wireguard hosts
- ${giupi_wg_ip} ${hostname}.devs.giugl.io media.giugl.io jf.giugl.io giugl.io yt.giugl.io s0.giugl.io synclounge.giugl.io htson.giugl.io htrad.giugl.io htnzb.giugl.io httra.giugl.io todo.giugl.io giupyter.giugl.io collabora.giugl.io htjak.giugl.io irc.giugl.io
+ ${architect-wg} ${hostname}.devs.giugl.io
 ${galuminum-wg} galuminum.devs.giugl.io
 ${oneplus-wg} oneplus.devs.giugl.io
 ${ipad-wg} ipad.devs.giugl.io
@@ -117,7 +123,7 @@ in
 0.0.0.0 click.oneplus.cn
 0.0.0.0 analytics-api.samsunghealthcn.com
-# The following lines are desirable for IPv6 capable hosts
+ # The following lines are desirable for IPv6 capable hosts
 ::1 localhost ip6-localhost ip6-loopback
 ff02::1 ip6-allnodes
 ff02::2 ip6-allrouters
@@ -141,13 +147,8 @@ in
 services = {
 zfs.autoScrub.enable = true;
 xserver.videoDrivers = [ "nvidia" ];
- jellyfin.enable = true;
- bazarr.enable = true;
- radarr.enable = true;
- sonarr.enable = true;
- nzbget.enable = true;
- thelounge.enable = true;
- mysql.enable = false;
+ openssh.enable = true;
+ mysql.enable = true;
 mysql.package = with pkgs; mysql80;
 dnsmasq = {
@@ -175,20 +176,10 @@ in
 fallback_resolvers = ["1.1.1.1:53" "9.9.9.9:53"];
 };
 };
-
- openssh = {
- enable = true;
- passwordAuthentication = true;
- permitRootLogin = "yes";
- };
 };
 environment.variables = {
 LIBVA_DRIVER_NAME="vdpau";
 };
-
- users.groups.media.members = ["radarr" "sonarr" "nzbget" "bazarr" "transmission" "jellyfin" "jellyfin"];
- users.groups.video.members = ["jellyfin"];
- users.groups.render.members = ["jellyfin"];
 }
diff --git a/hosts/architect/firewall.nix b/hosts/architect/firewall.nix
index 085c23c..38bce3a 100644
--- a/hosts/architect/firewall.nix
+++ b/hosts/architect/firewall.nix
@@ -1,27 +1,16 @@
 {config, lib, ...} :
 with import ./network.nix;
+
 let
 open_tcp_ports = lib.concatMapStringsSep "," (x: toString x) [
 22 # ssh
 80 # http
 443 # https
- 6567 # mindustry
- 9001 # rocketpool
 10022 # gitea
- 25565 # minecraft
- 30303 # rocketpool
- 51413 # transmission
- 60025 # protonmail IMAP
- 60143 # protonmail SMTP
 ];
 open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
 1194 # wireguard
- 6567 # mindustry
- 9001 # rocketpool
- 25565 # minecraft
- 30303 # rocketpool
- 51413 # transmission
 ];
 in {
 networking = {
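Review bot: The rewritten `extraHosts` lines for `127.0.0.1`, `${architect-lan}` and `${architect-wg}` drop the jf, yt, s3, synclounge, httra, todo, giupyter, collabora, htjak and irc names and the bare `giugl.io`, while the per-service files this commit adds only re-add the htson, htrad, htbaz, htnzb, media and git names. Nothing in the patch shows a vhost for the dropped names, so they may well be dead, but if any is still served its local resolution silently breaks after this change. Either state in the commit description that the cleanup is intentional or carry the still-live names into a service file of their own. This hunk begins on the previous physical line.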
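Review bot: `mysql.enable` flips from `false` to `true` in a commit described as a file reorganisation, which is a behaviour change the description does not mention. If it is intended, say so in the description and add a comment on the line, because firewall.nix's input chain accepts everything matching `ip saddr ${lan-net}` and `iifname ${vpn-if}`, so the server is reachable from the LAN and the VPN unless it is bound to loopback; otherwise keep `mysql.enable = false;`.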
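Review bot: Replacing the explicit `openssh` attribute set with a bare `openssh.enable = true;` leaves `passwordAuthentication` and `permitRootLogin` at the module defaults, so the effective SSH policy now depends on the NixOS release rather than on this file. Port 22 stays in firewall.nix's `open_tcp_ports` and `users.users.giulio.openssh.authorizedKeys.keys = pubkeys` is already configured, so pin the intended policy next to the enable line: `openssh.passwordAuthentication = false;` and `openssh.permitRootLogin = "no";`. Dropping the old `permitRootLogin = "yes"` is an improvement worth naming in the commit description.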
@@ -57,7 +46,7 @@ in {
 chain POSTROUTING {
 type nat hook postrouting priority srcnat; policy accept;
- oifname ${wan_if} ip saddr {${lib.concatStringsSep "," towan-wg}} masquerade
+ oifname ${wan-if} ip saddr {${lib.concatStringsSep "," towan-wg}} masquerade
 }
 }
@@ -67,10 +56,10 @@ in {
 ct state invalid,untracked drop comment "drop invalid"
 ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
 ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
- iifname ${wan_if} ip saddr 10.3.0.0/24 drop comment "bind any ip to intf ${wan_if}"
- iifname ${wan_if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan_if}"
- iifname ${wan_if} accept comment "bind any ip to intf ${wan_if}"
- iifname ${wg_if} ip saddr 10.3.0.0/24 accept comment "bind ip 10.3.0.0/24 to intf ${wg_if}"
+ iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}"
+ iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}"
+ iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
+ iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
 iifname "lo" accept comment "bind any ip to intf lo"
 jump mangle_drop
 }
@@ -123,11 +112,11 @@ in {
 iifname "lo" accept comment "loopback"
 ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
 ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
- ip saddr ${lan_net} accept comment "lan > local"
+ ip saddr ${lan-net} accept comment "lan > local"
- iifname ${wan_if} tcp dport {${open_tcp_ports}} accept
- iifname ${wan_if} udp dport {${open_udp_ports}} accept
- iifname ${wg_if} accept comment "vpn > local"
+ iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
+ iifname ${wan-if} udp dport {${open_udp_ports}} accept
+ iifname ${vpn-if} accept comment "vpn > local"
 jump filter_drop
 }
@@ -141,7 +130,7 @@ in {
 # gdevices talking to each other
 ip saddr {${lib.concatStringsSep "," gdevices-wg}} ip daddr {${lib.concatStringsSep "," gdevices-wg}} accept
 # nat to wan
- oifname ${wan_if} ip saddr {${lib.concatStringsSep "," towan-wg}} accept
+ oifname ${wan-if} ip saddr {${lib.concatStringsSep "," towan-wg}} accept
 jump filter_drop
 }
diff --git a/hosts/architect/gitea.nix b/hosts/architect/gitea.nix
new file mode 100644
index 0000000..54875e4
--- /dev/null
+++ b/hosts/architect/gitea.nix
@@ -0,0 +1,33 @@
+with import ./network.nix;
+{
+ services.gitea = {
+ enable = true;
+ database.type = "sqlite3";
+ domain = "git.giugl.io";
+ appName = "Gitea";
+ rootUrl = "https://git.giugl.io";
+ ssh.clonePort = 10022;
+ log.level = "Info";
+ settings.server.START_SSH_SERVER = true;
+ };
+
+ services.nginx.virtualHosts.${gitdomain} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:3000";
+ extraConfig = ''
+ allow 127.0.0.1;
+ allow 10.0.0.0/24;
+ allow 10.3.0.0/24;
+ deny all;
+ '';
+ };
+ };
+
+ networking.extraHosts = ''
+ 127.0.0.1 ${gitdomain}
+ ${architect-lan} ${gitdomain}
+ ${architect-wg} ${gitdomain}
+ '';
+}
diff --git a/hosts/architect/jellyfin.nix b/hosts/architect/jellyfin.nix
new file mode 100644
index 0000000..2e97a85
--- /dev/null
+++ b/hosts/architect/jellyfin.nix
@@ -0,0 +1,29 @@
+with import ./network.nix;
+{
+ services = {
+ jellyfin.enable = true;
+
+ nginx.virtualHosts.${mediadomain} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:8096";
+ extraConfig = ''
+ allow 10.0.0.0/24;
+ allow 10.3.0.0/24;
+ deny all;
+ '';
+ };
+ };
+ };
+
+ networking.extraHosts = ''
+ 127.0.0.1 ${mediadomain}
+ ${architect-lan} ${mediadomain}
+ ${architect-wg} ${mediadomain}
+ '';
+
+ users.groups.media.members = ["jellyfin"];
+ users.groups.video.members = ["jellyfin"];
+ users.groups.render.members = ["jellyfin"];
+}
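Review bot: gitea.nix spells `git.giugl.io` as a literal twice (`domain` and `rootUrl`) while the same file already imports `gitdomain` from network.nix and uses it for the nginx vhost and the hosts entries; write `domain = gitdomain;` and `rootUrl = "https://${gitdomain}";` so the three cannot drift apart. `settings.server.START_SSH_SERVER = true;` together with `ssh.clonePort = 10022;` also deserves a comment, because 10022 is in firewall.nix's `open_tcp_ports` and the built-in SSH server is therefore reachable on `wan-if`, e.g. `# built-in SSH server; 10022 is opened on wan-if in firewall.nix`. Note that this vhost's access list adds `allow 127.0.0.1;` where the other five service files do not; if the difference is deliberate a short comment saying why would save the next reader a diff.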
diff --git a/hosts/architect/network.nix b/hosts/architect/network.nix
index afd8fb8..b9a3a77 100644
--- a/hosts/architect/network.nix
+++ b/hosts/architect/network.nix
@@ -1,19 +1,19 @@
 rec {
 # interfaces
- wan_if = "enp5s0";
- wg_if = "wg0";
+ wan-if = "enp5s0";
+ vpn-if = "wg0";
 # nets
- lan_net = "10.0.0.0/24";
- wg_net = "10.3.0.0/24";
- external_lan_net = "192.168.1.0/24";
+ lan-net = "10.0.0.0/24";
+ vpn-net = "10.3.0.0/24";
+ external_lan-net = "192.168.1.0/24";
 # ips
- giupi_lan_ip = "10.0.0.250";
- dvr_ip = "10.0.0.2";
- nas_ip = "10.0.0.3";
+ architect-lan = "10.0.0.250";
+ dvr-lan = "10.0.0.2";
+ nas-lan = "10.0.0.3";
- giupi_wg_ip = "10.3.0.1";
+ architect-wg = "10.3.0.1";
 galuminum-wg = "10.3.0.2";
 oneplus-wg = "10.3.0.3";
 ipad-wg = "10.3.0.4";
@@ -39,7 +39,10 @@ rec {
 towan-wg = [ shield-wg parisaphone-wg parisapc-wg ] ++ gdevices-wg ++ routers-wg;
 # domains
- domain = "giugl.io";
- dom_media = "media.${domain}";
- dom_cloud = "cloud.${domain}";
+ sonarrdomain = "htson.giugl.io";
+ radarrdomain = "htrad.giugl.io";
+ bazarrdomain = "htbaz.giugl.io";
+ nzbgetdomain = "htnzb.giugl.io";
+ mediadomain = "media.giugl.io";
+ gitdomain = "git.giugl.io";
 }
diff --git a/hosts/architect/nginx.nix b/hosts/architect/nginx.nix
index feec82c..c9fd448 100644
--- a/hosts/architect/nginx.nix
+++ b/hosts/architect/nginx.nix
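Review bot: `external_lan-net = "192.168.1.0/24";` mixes the old underscore style with the hyphenated convention this very rename introduces (`lan-net`, `vpn-net`, `wan-if`), so the name reads as a half-finished rename; `external-lan-net` would match its neighbours. Whether anything outside this patch still references the old `external_lan_net` is not visible here, so check usages before renaming it.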
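Review bot: The new domain block drops the `domain = "giugl.io"` base and writes the zone suffix into six separate literals, so changing the zone now means touching six lines here plus the literals gitea.nix repeats. Keeping `domain = "giugl.io";` and deriving the rest, e.g. `mediadomain = "media.${domain}";` and `gitdomain = "git.${domain}";`, preserves the single point of change the removed `dom_media`/`dom_cloud` definitions had.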
@@ -10,70 +10,5 @@
 recommendedOptimisation = true;
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
-
- virtualHosts."media.giugl.io" = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://localhost:8096";
- extraConfig = ''
- allow 10.0.0.0/24;
- allow 10.3.0.0/24;
- deny all;
- '';
- };
- };
-
- virtualHosts."htbaz.giugl.io" = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://localhost:6767";
- extraConfig = ''
- allow 10.0.0.0/24;
- allow 10.3.0.0/24;
- deny all;
- '';
- };
- };
-
- virtualHosts."htrad.giugl.io" = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://localhost:7878";
- extraConfig = ''
- allow 10.0.0.0/24;
- allow 10.3.0.0/24;
- deny all;
- '';
- };
- };
-
- virtualHosts."htson.giugl.io" = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://localhost:8989";
- extraConfig = ''
- allow 10.0.0.0/24;
- allow 10.3.0.0/24;
- deny all;
- '';
- };
- };
-
- virtualHosts."htnzb.giugl.io" = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://localhost:6789";
- extraConfig = ''
- allow 10.0.0.0/24;
- allow 10.3.0.0/24;
- deny all;
- '';
- };
- };
 };
 }
diff --git a/hosts/architect/nzbget.nix b/hosts/architect/nzbget.nix
new file mode 100644
index 0000000..174ec5f
--- /dev/null
+++ b/hosts/architect/nzbget.nix
@@ -0,0 +1,27 @@
+with import ./network.nix;
+{
+ services = {
+ nzbget.enable = true;
+
+ nginx.virtualHosts.${nzbgetdomain} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:6789";
+ extraConfig = ''
+ allow 10.0.0.0/24;
+ allow 10.3.0.0/24;
+ deny all;
+ '';
+ };
+ };
+ };
+
+ networking.extraHosts = ''
+ 127.0.0.1 ${nzbgetdomain}
+ ${architect-lan} ${nzbgetdomain}
+ ${architect-wg} ${nzbgetdomain}
+ '';
+
+ users.groups.media.members = ["nzbget"];
+}
diff --git a/hosts/architect/radarr.nix b/hosts/architect/radarr.nix
new file mode 100644
index 0000000..956514f
--- /dev/null
+++ b/hosts/architect/radarr.nix
@@ -0,0 +1,27 @@
+with import ./network.nix;
+{
+ services = {
+ radarr.enable = true;
+
+ nginx.virtualHosts.${radarrdomain} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:7878";
+ extraConfig = ''
+ allow 10.0.0.0/24;
+ allow 10.3.0.0/24;
+ deny all;
+ '';
+ };
+ };
+ };
+
+ networking.extraHosts = ''
+ 127.0.0.1 ${radarrdomain}
+ ${architect-lan} ${radarrdomain}
+ ${architect-wg} ${radarrdomain}
+ '';
+
+ users.groups.media.members = ["radarr"];
+}
diff --git a/hosts/architect/sonarr.nix b/hosts/architect/sonarr.nix
new file mode 100644
index 0000000..c7b7924
--- /dev/null
+++ b/hosts/architect/sonarr.nix
@@ -0,0 +1,27 @@
+with import ./network.nix;
+{
+ services = {
+ sonarr.enable = true;
+
+ nginx.virtualHosts.${sonarrdomain} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:8989";
+ extraConfig = ''
+ allow 10.0.0.0/24;
+ allow 10.3.0.0/24;
+ deny all;
+ '';
+ };
+ };
+ };
+
+ networking.extraHosts = ''
+ 127.0.0.1 ${sonarrdomain}
+ ${architect-lan} ${sonarrdomain}
+ ${architect-wg} ${sonarrdomain}
+ '';
+
+ users.groups.media.members = ["sonarr"];
+}