reorganized services in files

This commit is contained in:
Giulio De Pasquale 2021-07-07 14:13:19 +02:00
parent 48dc479be6
commit 863cc724f5
10 changed files with 213 additions and 125 deletions


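--- /dev/null
+++ b/hosts/architect/bazarr.nix
@@ -0,0 +1,27 @@
+with import ./network.nix;
+{
+services = {
+bazarr.enable = true;
+nginx.virtualHosts.${bazarrdomain} = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+proxyPass = "http://localhost:6767";
+extraConfig = ''
+allow 10.0.0.0/24;
+allow 10.3.0.0/24;
+deny all;
+'';
+};
+};
+};
+networking.extraHosts = ''
+127.0.0.1 ${bazarrdomain}
+${architect-lan} ${bazarrdomain}
+${architect-wg} ${bazarrdomain}
+'';
+users.groups.media.members = ["bazarr"];
+}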
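Review bot: The nginx allow-list lines `allow 10.0.0.0/24;` and `allow 10.3.0.0/24;` hard-code the LAN and VPN subnets that network.nix already exports as `lan-net` and `vpn-net`, and `with import ./network.nix;` is in scope in this file, so they can become `allow ${lan-net};` and `allow ${vpn-net};` to keep a single source of truth for the subnet ACL. The same duplication appears in jellyfin.nix, nzbget.nix, radarr.nix and sonarr.nix, and in gitea.nix, which additionally lists `allow 127.0.0.1;` while the other four do not; the loopback entry should be present or absent consistently, with a short comment stating which local clients it is meant for. The interpolated values must be bare CIDRs for nginx, which the strings in network.nix ("10.0.0.0/24", "10.3.0.0/24") already are.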


@ -19,6 +19,12 @@ in
../../users.nix ../../users.nix
./firewall.nix ./firewall.nix
./nginx.nix ./nginx.nix
./gitea.nix
./sonarr.nix
./radarr.nix
./bazarr.nix
./nzbget.nix
./jellyfin.nix
]; ];
variables.hostname = hostname; variables.hostname = hostname;
@ -27,7 +33,7 @@ in
users.users.giulio.openssh.authorizedKeys.keys = pubkeys; users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
boot = { boot = {
kernelParams = ["ip=${giupi_lan_ip}::10.0.0.1:255.255.255.0::${wan_if}:off"]; kernelParams = ["ip=${architect-lan}::10.0.0.1:255.255.255.0::${wan-if}:off"];
initrd = { initrd = {
availableKernelModules = ["igc" "r8169"]; availableKernelModules = ["igc" "r8169"];
@ -65,22 +71,22 @@ in
useDHCP = false; useDHCP = false;
defaultGateway = "10.0.0.1"; defaultGateway = "10.0.0.1";
interfaces = { interfaces = {
enp5s0.ipv4.addresses = [{ address = giupi_lan_ip; prefixLength = 24; }]; enp5s0.ipv4.addresses = [{ address = architect-lan; prefixLength = 24; }];
enp6s0.useDHCP = false; enp6s0.useDHCP = false;
wlp4s0.useDHCP = false; wlp4s0.useDHCP = false;
}; };
extraHosts = '' extraHosts = ''
127.0.0.1 ${hostname}.devs.giugl.io jf.giugl.io yt.giugl.io s3.giugl.io synclounge.giugl.io giugl.io htson.giugl.io htrad.giugl.io htnzb.giugl.io httra.giugl.io giupyter.giugl.io irc.giugl.io localhost 127.0.0.1 ${hostname}.devs.giugl.io localhost
# LAN # LAN
${giupi_lan_ip} ${hostname}.devs.giugl.io media.giugl.io giugl.io jf.giugl.io yt.giugl.io s3.giugl.io synclounge.giugl.io htson.giugl.io htrad.giugl.io htnzb.giugl.io httra.giugl.io todo.giugl.io giupyter.giugl.io collabora.giugl.io htjak.giugl.io irc.giugl.io ${architect-lan} ${hostname}.devs.giugl.io
10.0.0.1 router.devs.giugl.io 10.0.0.1 router.devs.giugl.io
${dvr_ip} dvr.devs.giugl.io ${dvr-lan} dvr.devs.giugl.io
${nas_ip} nas.devs.giugl.io ${nas-lan} nas.devs.giugl.io
# Wireguard hosts # Wireguard hosts
${giupi_wg_ip} ${hostname}.devs.giugl.io media.giugl.io jf.giugl.io giugl.io yt.giugl.io s0.giugl.io synclounge.giugl.io htson.giugl.io htrad.giugl.io htnzb.giugl.io httra.giugl.io todo.giugl.io giupyter.giugl.io collabora.giugl.io htjak.giugl.io irc.giugl.io ${architect-wg} ${hostname}.devs.giugl.io
${galuminum-wg} galuminum.devs.giugl.io ${galuminum-wg} galuminum.devs.giugl.io
${oneplus-wg} oneplus.devs.giugl.io ${oneplus-wg} oneplus.devs.giugl.io
${ipad-wg} ipad.devs.giugl.io ${ipad-wg} ipad.devs.giugl.io
@ -117,7 +123,7 @@ in
0.0.0.0 click.oneplus.cn 0.0.0.0 click.oneplus.cn
0.0.0.0 analytics-api.samsunghealthcn.com 0.0.0.0 analytics-api.samsunghealthcn.com
# The following lines are desirable for IPv6 capable hosts # The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback ::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes ff02::1 ip6-allnodes
ff02::2 ip6-allrouters ff02::2 ip6-allrouters
@ -141,13 +147,8 @@ in
services = { services = {
zfs.autoScrub.enable = true; zfs.autoScrub.enable = true;
xserver.videoDrivers = [ "nvidia" ]; xserver.videoDrivers = [ "nvidia" ];
jellyfin.enable = true; openssh.enable = true;
bazarr.enable = true; mysql.enable = true;
radarr.enable = true;
sonarr.enable = true;
nzbget.enable = true;
thelounge.enable = true;
mysql.enable = false;
mysql.package = with pkgs; mysql80; mysql.package = with pkgs; mysql80;
dnsmasq = { dnsmasq = {
@ -175,20 +176,10 @@ in
fallback_resolvers = ["1.1.1.1:53" "9.9.9.9:53"]; fallback_resolvers = ["1.1.1.1:53" "9.9.9.9:53"];
}; };
}; };
openssh = {
enable = true;
passwordAuthentication = true;
permitRootLogin = "yes";
};
}; };
environment.variables = { environment.variables = {
LIBVA_DRIVER_NAME="vdpau"; LIBVA_DRIVER_NAME="vdpau";
}; };
users.groups.media.members = ["radarr" "sonarr" "nzbget" "bazarr" "transmission" "jellyfin" "jellyfin"];
users.groups.video.members = ["jellyfin"];
users.groups.render.members = ["jellyfin"];
} }
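Review bot: The new `openssh.enable = true;` drops the explicit `passwordAuthentication` and `permitRootLogin` settings that the removed block carried, so both now fall back to module defaults without the commit message saying so; since firewall.nix keeps `22 # ssh` in `open_tcp_ports` accepted on `iifname ${wan-if}`, this sshd is WAN-reachable and its policy should be pinned rather than inherited: `openssh = { enable = true; passwordAuthentication = false; permitRootLogin = "no"; };`, which is consistent with the key-based access already configured by `users.users.giulio.openssh.authorizedKeys.keys = pubkeys;`. The -141 hunk also appears to switch `mysql.enable` from `false` to `true`, a functional change beyond a reorganisation; if intended it belongs in the commit message, otherwise it should stay `false`. The `services = { … };` set closed by the -175 hunk is opened in the earlier hunk of this file.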


@ -1,27 +1,16 @@
{config, lib, ...} : {config, lib, ...} :
with import ./network.nix; with import ./network.nix;
let let
open_tcp_ports = lib.concatMapStringsSep "," (x: toString x) [ open_tcp_ports = lib.concatMapStringsSep "," (x: toString x) [
22 # ssh 22 # ssh
80 # http 80 # http
443 # https 443 # https
6567 # mindustry
9001 # rocketpool
10022 # gitea 10022 # gitea
25565 # minecraft
30303 # rocketpool
51413 # transmission
60025 # protonmail IMAP
60143 # protonmail SMTP
]; ];
open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [ open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
1194 # wireguard 1194 # wireguard
6567 # mindustry
9001 # rocketpool
25565 # minecraft
30303 # rocketpool
51413 # transmission
]; ];
in { in {
networking = { networking = {
@ -57,7 +46,7 @@ in {
chain POSTROUTING { chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept; type nat hook postrouting priority srcnat; policy accept;
oifname ${wan_if} ip saddr {${lib.concatStringsSep "," towan-wg}} masquerade oifname ${wan-if} ip saddr {${lib.concatStringsSep "," towan-wg}} masquerade
} }
} }
@ -67,10 +56,10 @@ in {
ct state invalid,untracked drop comment "drop invalid" ct state invalid,untracked drop comment "drop invalid"
ip daddr 255.255.255.255 accept comment "allow broadcast traffic" ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
iifname ${wan_if} ip saddr 10.3.0.0/24 drop comment "bind any ip to intf ${wan_if}" iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}"
iifname ${wan_if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan_if}" iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}"
iifname ${wan_if} accept comment "bind any ip to intf ${wan_if}" iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
iifname ${wg_if} ip saddr 10.3.0.0/24 accept comment "bind ip 10.3.0.0/24 to intf ${wg_if}" iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
iifname "lo" accept comment "bind any ip to intf lo" iifname "lo" accept comment "bind any ip to intf lo"
jump mangle_drop jump mangle_drop
} }
@ -123,11 +112,11 @@ in {
iifname "lo" accept comment "loopback" iifname "lo" accept comment "loopback"
ip daddr 255.255.255.255 accept comment "allow broadcast traffic" ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
ip saddr ${lan_net} accept comment "lan > local" ip saddr ${lan-net} accept comment "lan > local"
iifname ${wan_if} tcp dport {${open_tcp_ports}} accept iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
iifname ${wan_if} udp dport {${open_udp_ports}} accept iifname ${wan-if} udp dport {${open_udp_ports}} accept
iifname ${wg_if} accept comment "vpn > local" iifname ${vpn-if} accept comment "vpn > local"
jump filter_drop jump filter_drop
} }
@ -141,7 +130,7 @@ in {
# gdevices talking to each other # gdevices talking to each other
ip saddr {${lib.concatStringsSep "," gdevices-wg}} ip daddr {${lib.concatStringsSep "," gdevices-wg}} accept ip saddr {${lib.concatStringsSep "," gdevices-wg}} ip daddr {${lib.concatStringsSep "," gdevices-wg}} accept
# nat to wan # nat to wan
oifname ${wan_if} ip saddr {${lib.concatStringsSep "," towan-wg}} accept oifname ${wan-if} ip saddr {${lib.concatStringsSep "," towan-wg}} accept
jump filter_drop jump filter_drop
} }

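--- /dev/null
+++ b/hosts/architect/gitea.nix
@@ -0,0 +1,33 @@
+with import ./network.nix;
+{
+services.gitea = {
+enable = true;
+database.type = "sqlite3";
+domain = "git.giugl.io";
+appName = "Gitea";
+rootUrl = "https://git.giugl.io";
+ssh.clonePort = 10022;
+log.level = "Info";
+settings.server.START_SSH_SERVER = true;
+};
+services.nginx.virtualHosts.${gitdomain} = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+proxyPass = "http://localhost:3000";
+extraConfig = ''
+allow 127.0.0.1;
+allow 10.0.0.0/24;
+allow 10.3.0.0/24;
+deny all;
+'';
+};
+};
+networking.extraHosts = ''
+127.0.0.1 ${gitdomain}
+${architect-lan} ${gitdomain}
+${architect-wg} ${gitdomain}
+'';
+}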
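Review bot: Exposure of this service is not scoped consistently: the nginx vhost for `${gitdomain}` is limited to loopback, LAN and VPN by the `allow`/`deny` block, but `settings.server.START_SSH_SERVER = true;` together with `ssh.clonePort = 10022;` starts Gitea's own SSH listener, and firewall.nix keeps `10022 # gitea` in `open_tcp_ports` accepted on `iifname ${wan-if}`, so git-over-SSH remains reachable from the WAN while the web UI is not. If that is intended, a comment next to `ssh.clonePort`, for example `# reachable from WAN via firewall.nix open_tcp_ports; web UI is LAN/VPN only`, records the decision; if not, 10022 should leave the WAN accept list. Separately, `domain = "git.giugl.io";` and `rootUrl = "https://git.giugl.io";` repeat the value network.nix exports as `gitdomain`, which the vhost line already uses; `domain = gitdomain; rootUrl = "https://${gitdomain}";` keeps the three from drifting apart.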


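--- /dev/null
+++ b/hosts/architect/jellyfin.nix
@@ -0,0 +1,29 @@
+with import ./network.nix;
+{
+services = {
+jellyfin.enable = true;
+nginx.virtualHosts.${mediadomain} = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+proxyPass = "http://localhost:8096";
+extraConfig = ''
+allow 10.0.0.0/24;
+allow 10.3.0.0/24;
+deny all;
+'';
+};
+};
+};
+networking.extraHosts = ''
+127.0.0.1 ${mediadomain}
+${architect-lan} ${mediadomain}
+${architect-wg} ${mediadomain}
+'';
+users.groups.media.members = ["jellyfin"];
+users.groups.video.members = ["jellyfin"];
+users.groups.render.members = ["jellyfin"];
+}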


@ -1,19 +1,19 @@
rec { rec {
# interfaces # interfaces
wan_if = "enp5s0"; wan-if = "enp5s0";
wg_if = "wg0"; vpn-if = "wg0";
# nets # nets
lan_net = "10.0.0.0/24"; lan-net = "10.0.0.0/24";
wg_net = "10.3.0.0/24"; vpn-net = "10.3.0.0/24";
external_lan_net = "192.168.1.0/24"; external_lan-net = "192.168.1.0/24";
# ips # ips
giupi_lan_ip = "10.0.0.250"; architect-lan = "10.0.0.250";
dvr_ip = "10.0.0.2"; dvr-lan = "10.0.0.2";
nas_ip = "10.0.0.3"; nas-lan = "10.0.0.3";
giupi_wg_ip = "10.3.0.1"; architect-wg = "10.3.0.1";
galuminum-wg = "10.3.0.2"; galuminum-wg = "10.3.0.2";
oneplus-wg = "10.3.0.3"; oneplus-wg = "10.3.0.3";
ipad-wg = "10.3.0.4"; ipad-wg = "10.3.0.4";
@ -39,7 +39,10 @@ rec {
towan-wg = [ shield-wg parisaphone-wg parisapc-wg ] ++ gdevices-wg ++ routers-wg; towan-wg = [ shield-wg parisaphone-wg parisapc-wg ] ++ gdevices-wg ++ routers-wg;
# domains # domains
domain = "giugl.io"; sonarrdomain = "htson.giugl.io";
dom_media = "media.${domain}"; radarrdomain = "htrad.giugl.io";
dom_cloud = "cloud.${domain}"; bazarrdomain = "htbaz.giugl.io";
nzbgetdomain = "htnzb.giugl.io";
mediadomain = "media.giugl.io";
gitdomain = "git.giugl.io";
} }
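Review bot: The new domain entries hard-code the `giugl.io` suffix six times while the same hunk removes the `domain = "giugl.io";` base they could derive from; keeping `domain` and writing e.g. `sonarrdomain = "htson.${domain}";` works because the file is a `rec { … }` set, and it removes the duplication. The hunk also drops `dom_media` and `dom_cloud`; if any file outside this commit still references them, evaluation will fail, so that is worth checking before merging. In the first hunk, `external_lan-net = "192.168.1.0/24";` is a half-applied rename that mixes `_` and `-` against the new hyphenated convention (`lan-net`, `vpn-net`); `external-lan-net` would be consistent, with any callers updated to match.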


@ -10,70 +10,5 @@
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
virtualHosts."media.giugl.io" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8096";
extraConfig = ''
allow 10.0.0.0/24;
allow 10.3.0.0/24;
deny all;
'';
};
};
virtualHosts."htbaz.giugl.io" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:6767";
extraConfig = ''
allow 10.0.0.0/24;
allow 10.3.0.0/24;
deny all;
'';
};
};
virtualHosts."htrad.giugl.io" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:7878";
extraConfig = ''
allow 10.0.0.0/24;
allow 10.3.0.0/24;
deny all;
'';
};
};
virtualHosts."htson.giugl.io" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8989";
extraConfig = ''
allow 10.0.0.0/24;
allow 10.3.0.0/24;
deny all;
'';
};
};
virtualHosts."htnzb.giugl.io" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:6789";
extraConfig = ''
allow 10.0.0.0/24;
allow 10.3.0.0/24;
deny all;
'';
};
};
}; };
} }


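--- /dev/null
+++ b/hosts/architect/nzbget.nix
@@ -0,0 +1,27 @@
+with import ./network.nix;
+{
+services = {
+nzbget.enable = true;
+nginx.virtualHosts.${nzbgetdomain} = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+proxyPass = "http://localhost:6789";
+extraConfig = ''
+allow 10.0.0.0/24;
+allow 10.3.0.0/24;
+deny all;
+'';
+};
+};
+};
+networking.extraHosts = ''
+127.0.0.1 ${nzbgetdomain}
+${architect-lan} ${nzbgetdomain}
+${architect-wg} ${nzbgetdomain}
+'';
+users.groups.media.members = ["nzbget"];
+}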


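--- /dev/null
+++ b/hosts/architect/radarr.nix
@@ -0,0 +1,27 @@
+with import ./network.nix;
+{
+services = {
+radarr.enable = true;
+nginx.virtualHosts.${radarrdomain} = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+proxyPass = "http://localhost:7878";
+extraConfig = ''
+allow 10.0.0.0/24;
+allow 10.3.0.0/24;
+deny all;
+'';
+};
+};
+};
+networking.extraHosts = ''
+127.0.0.1 ${radarrdomain}
+${architect-lan} ${radarrdomain}
+${architect-wg} ${radarrdomain}
+'';
+users.groups.media.members = ["radarr"];
+}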


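--- /dev/null
+++ b/hosts/architect/sonarr.nix
@@ -0,0 +1,27 @@
+with import ./network.nix;
+{
+services = {
+sonarr.enable = true;
+nginx.virtualHosts.${sonarrdomain} = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+proxyPass = "http://localhost:8989";
+extraConfig = ''
+allow 10.0.0.0/24;
+allow 10.3.0.0/24;
+deny all;
+'';
+};
+};
+};
+networking.extraHosts = ''
+127.0.0.1 ${sonarrdomain}
+${architect-lan} ${sonarrdomain}
+${architect-wg} ${sonarrdomain}
+'';
+users.groups.media.members = ["sonarr"];
+}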