diff --git a/flake.nix b/flake.nix index 13d5b48..f1080fe 100644 --- a/flake.nix +++ b/flake.nix @@ -5,32 +5,51 @@ home-manager = { url = "github:rycee/home-manager/release-21.05"; inputs.nixpkgs.follows = "nixpkgs"; - }; - }; - - outputs = inputs @ { self, nixpkgs, nixos-unstable, home-manager }: let - system = "x86_64-linux"; - - pkgs = import nixpkgs { - inherit system; - config.allowUnfree = true; - overlays = [ (final: prev: { inherit unstable; }) ]; - }; - - unstable = import nixos-unstable { - inherit system; - config.allowUnfree = true; - }; - - utils = import ./lib { inherit pkgs unstable nixpkgs nixos-unstable home-manager; }; - - inherit (utils) host; - inherit (utils) user; - in { - nixosConfigurations = { - architect = host.mkHost { name = "architect"; users = [ { user = "giulio"; roles = [ "git" ]; } ]; }; - gAluminum = host.mkHost { name = "gAluminum"; users = [ { user = "giulio"; roles = [ "desktop" "ssh" "git" ]; } ]; roles = [ "gnome" ]; }; - proxy = host.mkHost { name = "proxy"; users = []; }; }; }; + + outputs = inputs@{ self, nixpkgs, nixos-unstable, home-manager }: + let + system = "x86_64-linux"; + + pkgs = import nixpkgs { + inherit system; + config.allowUnfree = true; + overlays = [ (final: prev: { inherit unstable; }) ]; + }; + + unstable = import nixos-unstable { + inherit system; + config.allowUnfree = true; + }; + + utils = import ./lib { + inherit pkgs unstable nixpkgs nixos-unstable home-manager; + }; + + inherit (utils) host; + inherit (utils) user; + in { + nixosConfigurations = { + architect = host.mkHost { + name = "architect"; + users = [{ + user = "giulio"; + roles = [ "git" ]; + }]; + }; + gAluminum = host.mkHost { + name = "gAluminum"; + users = [{ + user = "giulio"; + roles = [ "desktop" "ssh" "git" ]; + }]; + roles = [ "gnome" ]; + }; + proxy = host.mkHost { + name = "proxy"; + users = [ ]; + }; + }; + }; } diff --git a/hosts/architect/backup.nix b/hosts/architect/backup.nix index 43b00a1..6ad0662 100644 
--- a/hosts/architect/backup.nix +++ b/hosts/architect/backup.nix @@ -1,4 +1,4 @@ -{config, lib, ...} : +{ config, lib, ... }: { services.restic.backups = { @@ -6,9 +6,9 @@ initialize = true; passwordFile = "/secrets/restic/data.key"; s3CredentialsFile = "/secrets/restic/credentials.txt"; - repository = "b2:architect:/"; - paths = [ "/var/lib" "/secrets" ]; - pruneOpts = [ + repository = "b2:architect:/"; + paths = [ "/var/lib" "/secrets" ]; + pruneOpts = [ "--keep-daily 45" "--keep-weekly 12" "--keep-monthly 12" diff --git a/hosts/architect/bazarr.nix b/hosts/architect/bazarr.nix index 483f8f1..a0bd581 100644 --- a/hosts/architect/bazarr.nix +++ b/hosts/architect/bazarr.nix @@ -1,5 +1,4 @@ -with import ./network.nix; -{ +with import ./network.nix; { services = { bazarr.enable = true; @@ -22,5 +21,5 @@ with import ./network.nix; ${architect-wg} ${bazarrdomain} ''; - users.groups.media.members = ["bazarr"]; + users.groups.media.members = [ "bazarr" ]; } diff --git a/hosts/architect/dns.nix b/hosts/architect/dns.nix index f1d354c..5629e26 100644 --- a/hosts/architect/dns.nix +++ b/hosts/architect/dns.nix @@ -3,8 +3,8 @@ { services = { dnsmasq = { - enable = true; - servers = ["127.0.0.1#5300"]; + enable = true; + servers = [ "127.0.0.1#5300" ]; extraConfig = '' localise-queries min-cache-ttl=120 
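Review bot: The restic repository key `passwordFile = "/secrets/restic/data.key"` lives under `/secrets`, which is itself one of the backed-up `paths`, so after a total loss of this host the only copy of the key needed to decrypt the backup would be inside the backup. Unless `data.key` and `credentials.txt` are already escrowed elsewhere (password manager, offline media), the backup is unrecoverable in exactly the scenario it exists for. A comment next to `passwordFile` would make that dependency explicit: `# this key is also inside /secrets — keep an offline copy, the repo cannot be restored without it`. The hunk itself only reindents these lines.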
@@ -13,26 +13,26 @@ }; adguardhome = { - enable= true; + enable = true; port = 3031; }; dnscrypt-proxy2 = { enable = true; settings = { - listen_addresses = ["127.0.0.1:5353"]; - ipv4_servers = true; - ipv6_servers = false; - block_ipv6 = true; - dnscrypt_servers = true; - doh_servers = true; - require_nolog = true; - require_nofilter = true; - timeout = 350; - lb_strategy = "p4"; - lb_estimator = true; - ignore_system_dns = true; - fallback_resolvers = ["1.1.1.1:53" "9.9.9.9:53"]; + listen_addresses = [ "127.0.0.1:5353" ]; + ipv4_servers = true; + ipv6_servers = false; + block_ipv6 = true; + dnscrypt_servers = true; + doh_servers = true; + require_nolog = true; + require_nofilter = true; + timeout = 350; + lb_strategy = "p4"; + lb_estimator = true; + ignore_system_dns = true; + fallback_resolvers = [ "1.1.1.1:53" "9.9.9.9:53" ]; cache_min_ttl = 450; cache_max_ttl = 2400; }; diff --git a/hosts/architect/fail2ban.nix b/hosts/architect/fail2ban.nix index 72305e4..540a1e0 100644 --- a/hosts/architect/fail2ban.nix +++ b/hosts/architect/fail2ban.nix @@ -1,13 +1,12 @@ -{ config, pkgs, ... }: -{ - services.fail2ban = { +{ config, pkgs, ... }: { + services.fail2ban = { enable = true; package = pkgs.fail2ban; packageFirewall = pkgs.nftables; banaction = "nftables-multiport"; banaction-allports = "nftables-allport"; bantime-increment.enable = true; -# ignoreIP = [ "10.0.0.0/24" "10.3.0.0/24" ]; + # ignoreIP = [ "10.0.0.0/24" "10.3.0.0/24" ]; daemonConfig = '' [Definition] loglevel = INFO diff --git a/hosts/architect/firewall.nix b/hosts/architect/firewall.nix index bfc0e9d..2487be5 100644 --- a/hosts/architect/firewall.nix +++ b/hosts/architect/firewall.nix 
@@ -1,19 +1,19 @@ -{config, lib, ...} : +{ config, lib, ... }: with import ./network.nix; let open_tcp_ports = lib.concatMapStringsSep "," (x: toString x) [ - 22 # ssh - 80 # http - 443 # https - 8448 # matrix + 22 # ssh + 80 # http + 443 # https + 8448 # matrix 10022 # gitea 51413 # transmission ]; open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [ - 1194 # wireguard - 3478 # turn + 1194 # wireguard + 3478 # turn 51413 # transmission ]; in { 
@@ -25,156 +25,166 @@ in { nftables = { enable = true; ruleset = '' - table ip raw { - chain PREROUTING { - type filter hook prerouting priority raw; policy accept; - } + table ip raw { + chain PREROUTING { + type filter hook prerouting priority raw; policy accept; + } - chain OUTPUT { - type filter hook output priority raw; policy accept; - } - } + chain OUTPUT { + type filter hook output priority raw; policy accept; + } + } - table ip nat { - chain PREROUTING { - type nat hook prerouting priority dstnat; policy accept; - } + table ip nat { + chain PREROUTING { + type nat hook prerouting priority dstnat; policy accept; + } - chain INPUT { - type nat hook input priority 100; policy accept; - } + chain INPUT { + type nat hook input priority 100; policy accept; + } - chain OUTPUT { - type nat hook output priority -100; policy accept; - } + chain OUTPUT { + type nat hook output priority -100; policy accept; + } - chain POSTROUTING { - type nat hook postrouting priority srcnat; policy accept; - oifname ${wan-if} ip saddr {${lib.concatStringsSep "," towan-wg}} masquerade - } - } + chain POSTROUTING { + type nat hook postrouting priority srcnat; policy accept; + oifname ${wan-if} ip saddr {${ + lib.concatStringsSep "," towan-wg + }} masquerade + } + } - table ip mangle { - chain PREROUTING { - type filter hook prerouting priority mangle; policy drop; - ct state invalid,untracked drop comment "drop invalid" - ip daddr 255.255.255.255 accept comment "allow broadcast traffic" - ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" - iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}" - iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}" - iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}" - iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}" - iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}" - iifname 
"lo" accept comment "bind any ip to intf lo" - jump mangle_drop - } + table ip mangle { + chain PREROUTING { + type filter hook prerouting priority mangle; policy drop; + ct state invalid,untracked drop comment "drop invalid" + ip daddr 255.255.255.255 accept comment "allow broadcast traffic" + ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" + iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}" + iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}" + iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}" + iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}" + iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}" + iifname "lo" accept comment "bind any ip to intf lo" + jump mangle_drop + } - chain INPUT { - type filter hook input priority mangle; policy accept; - } + chain INPUT { + type filter hook input priority mangle; policy accept; + } - chain FORWARD { - type filter hook forward priority mangle; policy accept; - } + chain FORWARD { + type filter hook forward priority mangle; policy accept; + } - chain OUTPUT { - type route hook output priority mangle; policy accept; - } + chain OUTPUT { + type route hook output priority mangle; policy accept; + } - chain POSTROUTING { - type filter hook postrouting priority mangle; policy accept; - } + chain POSTROUTING { + type filter hook postrouting priority mangle; policy accept; + } - chain mangle_drop { - ip protocol icmp jump mangle_drop_icmp - ip protocol udp jump mangle_drop_udp - ip protocol tcp jump mangle_drop_tcp - log prefix "MANGLE-DROP-UNK " - drop - } + chain mangle_drop { + ip protocol icmp jump mangle_drop_icmp + ip protocol udp jump mangle_drop_udp + ip protocol tcp jump mangle_drop_tcp + log prefix "MANGLE-DROP-UNK " + drop + } - chain mangle_drop_icmp { - log prefix "MANGLE-DROP-ICMP " - drop - } + chain mangle_drop_icmp { + log prefix 
"MANGLE-DROP-ICMP " + drop + } - chain mangle_drop_tcp { - log prefix "MANGLE-DROP-TCP " - drop - } + chain mangle_drop_tcp { + log prefix "MANGLE-DROP-TCP " + drop + } - chain mangle_drop_udp { - log prefix "MANGLE-DROP-UDP " - drop - } - } + chain mangle_drop_udp { + log prefix "MANGLE-DROP-UDP " + drop + } + } - table ip filter { - chain INPUT { - type filter hook input priority filter; policy drop; + table ip filter { + chain INPUT { + type filter hook input priority filter; policy drop; - ct state established,related accept - iifname "lo" accept comment "loopback" - ip daddr 255.255.255.255 accept comment "allow broadcast traffic" - ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" - ip saddr ${lan-net} accept comment "lan > local" - ip saddr ${proxy-wg} accept comment "proxy > local" + ct state established,related accept + iifname "lo" accept comment "loopback" + ip daddr 255.255.255.255 accept comment "allow broadcast traffic" + ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" + ip saddr ${lan-net} accept comment "lan > local" + ip saddr ${proxy-wg} accept comment "proxy > local" - iifname ${wan-if} tcp dport {${open_tcp_ports}} accept - iifname ${wan-if} udp dport {${open_udp_ports}} accept - iifname ${vpn-if} accept comment "vpn > local" + iifname ${wan-if} tcp dport {${open_tcp_ports}} accept + iifname ${wan-if} udp dport {${open_udp_ports}} accept + iifname ${vpn-if} accept comment "vpn > local" - jump filter_drop - } + jump filter_drop + } - chain FORWARD { - type filter hook forward priority filter; policy drop; - ct state established,related accept + chain FORWARD { + type filter hook forward priority filter; policy drop; + ct state established,related accept - # client to client - ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${lib.concatStringsSep "," c2c-wg}} accept - - # gdevices talking to everyone in VPN - ip saddr {${lib.concatStringsSep "," gdevices-wg}} ip daddr ${vpn-net} accept - ip saddr 
{${lib.concatStringsSep "," gamenet-wg}} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept - - # nat to wan - oifname ${wan-if} ip saddr {${lib.concatStringsSep "," towan-wg}} accept - - jump filter_drop - } + # client to client + ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${ + lib.concatStringsSep "," c2c-wg + }} accept + + # gdevices talking to everyone in VPN + ip saddr {${ + lib.concatStringsSep "," gdevices-wg + }} ip daddr ${vpn-net} accept + ip saddr {${ + lib.concatStringsSep "," gamenet-wg + }} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept + + # nat to wan + oifname ${wan-if} ip saddr {${ + lib.concatStringsSep "," towan-wg + }} accept + + jump filter_drop + } - chain OUTPUT { - type filter hook output priority filter; policy drop; - ct state established,related accept - accept comment "local > *" - jump filter_drop - } + chain OUTPUT { + type filter hook output priority filter; policy drop; + ct state established,related accept + accept comment "local > *" + jump filter_drop + } - chain filter_drop { - ip protocol icmp jump filter_drop_icmp - ip protocol udp jump filter_drop_udp - ip protocol tcp jump filter_drop_tcp - log prefix "DROP-UNK " - drop - } + chain filter_drop { + ip protocol icmp jump filter_drop_icmp + ip protocol udp jump filter_drop_udp + ip protocol tcp jump filter_drop_tcp + log prefix "DROP-UNK " + drop + } - chain filter_drop_icmp { - log prefix "DROP-icmp " - drop - } + chain filter_drop_icmp { + log prefix "DROP-icmp " + drop + } - chain filter_drop_tcp { - log prefix "DROP-tcp " - drop - } + chain filter_drop_tcp { + log prefix "DROP-tcp " + drop + } - chain filter_drop_udp { - log prefix "DROP-udp " - drop - } - } - ''; + chain filter_drop_udp { + log prefix "DROP-udp " + drop + } + } + ''; }; }; } diff --git a/hosts/architect/gitea.nix b/hosts/architect/gitea.nix index a3c627b..1935796 100644 --- a/hosts/architect/gitea.nix +++ b/hosts/architect/gitea.nix 
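Review bot: The anti-spoofing rules in the `mangle` `PREROUTING` chain drop WAN-side packets claiming `${vpn-net}` or `127.0.0.0/8`, but nothing drops WAN-side packets claiming `${proxy-net}`; `iifname ${wan-if} accept` lets them through, and `ip saddr ${proxy-wg} accept` in the `filter` `INPUT` chain then admits them to every local port, not just the ones listed in `open_tcp_ports`/`open_udp_ports`. A host on the `${wan-if}` segment can thus reach proxy-only services by spoofing `10.4.0.1` (blind for TCP, fully for UDP). Add `iifname ${wan-if} ip saddr ${proxy-net} drop comment "bind ip ${proxy-net} to intf ${proxy-if}"` next to the existing vpn-net drop. The same reasoning applies to the interface-less `ip saddr ${lan-net} accept`; if `${wan-if}` is in fact the LAN-facing NIC behind a router that is by design and deserves a comment saying so. The ruleset is unchanged by this commit apart from indentation.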
@@ -1,13 +1,12 @@ -with import ./network.nix; -{ +with import ./network.nix; { services.gitea = { - enable = true; - database.type = "sqlite3"; - domain = "git.giugl.io"; - appName = "Gitea"; - rootUrl = "https://git.giugl.io"; - ssh.clonePort = 10022; - log.level = "Info"; + enable = true; + database.type = "sqlite3"; + domain = "git.giugl.io"; + appName = "Gitea"; + rootUrl = "https://git.giugl.io"; + ssh.clonePort = 10022; + log.level = "Info"; settings.server.START_SSH_SERVER = true; }; @@ -17,12 +16,12 @@ with import ./network.nix; locations."/" = { proxyPass = "http://localhost:3000"; extraConfig = '' - allow 127.0.0.1; - allow 10.0.0.0/24; - allow 10.3.0.0/24; - allow 10.4.0.0/24; - deny all; - ''; + allow 127.0.0.1; + allow 10.0.0.0/24; + allow 10.3.0.0/24; + allow 10.4.0.0/24; + deny all; + ''; }; }; diff --git a/hosts/architect/githubrunner.nix b/hosts/architect/githubrunner.nix index c6e9620..ab4c464 100644 --- a/hosts/architect/githubrunner.nix +++ b/hosts/architect/githubrunner.nix @@ -7,7 +7,7 @@ tokenFile = "/secrets/github-runner/token"; replace = true; }; - + nix.extraOptions = '' tarball-ttl = 0 access-tokens = github.com=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 diff --git a/hosts/architect/hardware.nix b/hosts/architect/hardware.nix index f0c939f..da3a66f 100644 --- a/hosts/architect/hardware.nix +++ b/hosts/architect/hardware.nix 
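Review bot: The nginx `allow` list in `locations."/"` hard-codes `10.0.0.0/24`, `10.3.0.0/24` and `10.4.0.0/24`, duplicating `lan-net`, `vpn-net` and `proxy-net` from `network.nix`, which this file already imports via `with import ./network.nix;` and which `firewall.nix` references by name. If a subnet is renumbered in `network.nix` the firewall follows and this ACL silently does not, which is precisely how an access list and the network it describes drift apart. Suggest `allow ${lan-net}; allow ${vpn-net}; allow ${proxy-net};`. Note also that `allow 10.4.0.0/24` admits whatever the proxy host forwards, so this ACL is only as strict as the proxy's own policy — presumably intended for a public git host, but worth a comment.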
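Review bot: `nix.extraOptions` embeds what looks like a live GitHub personal access token (`access-tokens = github.com=ghp_…`) directly in the module source. Everything in a NixOS configuration is copied into the world-readable Nix store and rendered into `/etc/nix/nix.conf`, and this repository is under version control, so the token is exposed to every local user and to git history regardless of this commit's whitespace-only change. It should be revoked and moved out of the store, mirroring how `tokenFile = "/secrets/github-runner/token"` already handles the runner token — for example `extraOptions = "!include /secrets/nix/access-tokens.conf";` with a root-only file (confirm the Nix version on this host supports `!include` in nix.conf).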
@@ -4,46 +4,47 @@ { config, lib, pkgs, modulesPath, ... }: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-amd" ]; - boot.extraModulePackages = [ ]; + boot.initrd.availableKernelModules = + [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "zpool/nixos/root"; + fileSystems."/" = { + device = "zpool/nixos/root"; fsType = "zfs"; }; - fileSystems."/home" = - { device = "zpool/data/home"; + fileSystems."/home" = { + device = "zpool/data/home"; fsType = "zfs"; }; - fileSystems."/media" = - { device = "datapool/media"; - fsType = "zfs"; - }; - - fileSystems."/secrets" = - { device = "backedpool/secrets"; + fileSystems."/media" = { + device = "datapool/media"; fsType = "zfs"; }; - fileSystems."/var/lib" = - { device = "backedpool/services"; + fileSystems."/secrets" = { + device = "backedpool/secrets"; fsType = "zfs"; }; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/AF19-5616"; + + fileSystems."/var/lib" = { + device = "backedpool/services"; + fsType = "zfs"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/AF19-5616"; fsType = "vfat"; }; - - swapDevices = [ { device = "/dev/zpool/data/swap"; size = 40000; } ]; + swapDevices = [{ + device = "/dev/zpool/data/swap"; + size = 40000; + }]; } diff --git a/hosts/architect/jellyfin.nix b/hosts/architect/jellyfin.nix index 0d2a45a..21f88a2 100644 --- a/hosts/architect/jellyfin.nix +++ b/hosts/architect/jellyfin.nix 
@@ -1,16 +1,13 @@ { pkgs, ... }: -with import ./network.nix; -{ - disabledModules = ["services/misc/jellyfin.nix"]; - imports = [ - ./modules/jellyfin.nix - ]; - +with import ./network.nix; { + disabledModules = [ "services/misc/jellyfin.nix" ]; + imports = [ ./modules/jellyfin.nix ]; + services = { jellyfin = { - enable = true; - package = pkgs.unstable.jellyfin; + enable = true; + package = pkgs.unstable.jellyfin; }; nginx.virtualHosts.${mediadomain} = { @@ -32,7 +29,7 @@ with import ./network.nix; ${architect-wg} ${mediadomain} ''; - users.groups.media.members = ["jellyfin"]; - users.groups.video.members = ["jellyfin"]; - users.groups.render.members = ["jellyfin"]; + users.groups.media.members = [ "jellyfin" ]; + users.groups.video.members = [ "jellyfin" ]; + users.groups.render.members = [ "jellyfin" ]; } diff --git a/hosts/architect/matrix.nix b/hosts/architect/matrix.nix index 60d6eaf..8561e5a 100644 --- a/hosts/architect/matrix.nix +++ b/hosts/architect/matrix.nix @@ -1,7 +1,6 @@ { pkgs, config, tmp, ... }: -with import ./network.nix; -{ +with import ./network.nix; { services = { matrix-synapse = { enable = true; @@ -10,10 +9,10 @@ with import ./network.nix; public_baseurl = "https://${matrixdomain}"; registration_shared_secret = "runas!"; dynamic_thumbnails = true; -# enable_registration = true; - app_service_config_files = [ - "/var/lib/matrix-synapse/discord-registration.yaml" - "/var/lib/matrix-synapse/telegram-registration.yaml" + # enable_registration = true; + app_service_config_files = [ + "/var/lib/matrix-synapse/discord-registration.yaml" + "/var/lib/matrix-synapse/telegram-registration.yaml" ]; extraConfig = '' auto_join_rooms: 
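Review bot: `registration_shared_secret = "runas!"` is a short, committed secret; it is written into the generated homeserver.yaml in the world-readable Nix store, and anyone who reads it can create accounts on the homeserver even though `enable_registration` is commented out. It should be a long random value loaded from a root-only file outside the store rather than an option value in the repository (the NixOS module can merge additional YAML via `extraConfigFiles`; confirm that option exists in the release-21.05 module this flake pins). The hunk only reindents the surrounding lines, so the exposure predates this commit.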
@@ -22,40 +21,32 @@ with import ./network.nix; - "#gaming:matrix.giugl.io" - "#movies:matrix.giugl.io" ''; - listeners = [ - { - port = 8008; - bind_address = "::1"; - type = "http"; - tls = false; - x_forwarded = true; - resources = [ - { - names = [ "client" "federation" ]; - compress = false; - } - ]; - } + listeners = [{ + port = 8008; + bind_address = "::1"; + type = "http"; + tls = false; + x_forwarded = true; + resources = [{ + names = [ "client" "federation" ]; + compress = false; + }]; + }]; + turn_uris = [ + "turns:turn.giugl.io:5349?transport=udp" + "turns:turn.giugl.io:5349?transport=tcp" ]; - turn_uris = [ - "turns:turn.giugl.io:5349?transport=udp" - "turns:turn.giugl.io:5349?transport=tcp" - ]; - turn_shared_secret = "69duck duck fuck420"; - turn_user_lifetime = "1h"; + turn_shared_secret = "69duck duck fuck420"; + turn_user_lifetime = "1h"; }; postgresql = { enable = true; ensureDatabases = [ "synapse" ]; - ensureUsers = [ - { - name = "matrix-synapse"; - ensurePermissions = { - "DATABASE synapse" = "ALL PRIVILEGES"; - }; - } - ]; + ensureUsers = [{ + name = "matrix-synapse"; + ensurePermissions = { "DATABASE synapse" = "ALL PRIVILEGES"; }; + }]; }; nginx.virtualHosts = { 
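Review bot: `turn_shared_secret = "69duck duck fuck420"` is committed in source and lands in the Nix store as part of homeserver.yaml; with it anyone can mint TURN credentials for `turn.giugl.io` and relay arbitrary traffic through the server for the `turn_user_lifetime` window. Generate a random secret and load it from outside the store, the same way `registration_shared_secret` should be handled, and keep the coturn side in sync. The listener block below is fine: `bind_address = "::1"` with `x_forwarded = true` matches the nginx-fronted deployment.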
@@ -64,30 +55,27 @@ with import ./network.nix; enableACME = true; forceSSL = true; locations."= /.well-known/matrix/server".extraConfig = - let - server = { "m.server" = "${matrixdomain}:443"; }; + let server = { "m.server" = "${matrixdomain}:443"; }; in '' add_header Content-Type application/json; return 200 '${builtins.toJSON server}'; ''; - locations."= /.well-known/matrix/client".extraConfig = - let - client = { - "m.homeserver" = { "base_url" = "https://${matrixdomain}:443"; }; - "m.identity_server" = { "base_url" = "https://vector.im"; }; - }; - # ACAO required to allow element-web on any URL to request this json file - in '' - add_header Content-Type application/json; - add_header Access-Control-Allow-Origin *; - return 200 '${builtins.toJSON client}'; - ''; + locations."= /.well-known/matrix/client".extraConfig = let + client = { + "m.homeserver" = { "base_url" = "https://${matrixdomain}:443"; }; + "m.identity_server" = { "base_url" = "https://vector.im"; }; + }; + # ACAO required to allow element-web on any URL to request this json file + in '' + add_header Content-Type application/json; + add_header Access-Control-Allow-Origin *; + return 200 '${builtins.toJSON client}'; + ''; - - locations."/".extraConfig = '' - return 404; - ''; + locations."/".extraConfig = '' + return 404; + ''; # forward all Matrix API calls to the synapse Matrix homeserver locations."/_matrix" = { @@ -121,7 +109,7 @@ with import ./network.nix; settings = { bridge = { domain = matrixdomain; - homeserverUrl = "https://${matrixdomain}"; + homeserverUrl = "https://${matrixdomain}"; disablePresence = true; }; }; 
@@ -150,40 +138,40 @@ with import ./network.nix; "${matrixdomain}" = "puppeting"; }; - # Animated stickers conversion requires additional packages in the - # service's path. - # If this isn't a fresh installation, clearing the bridge's uploaded - # file cache might be necessary (make a database backup first!): - # delete from telegram_file where \ - # mime_type in ('application/gzip', 'application/octet-stream') - animated_sticker = { - target = "gif"; - args = { - width = 256; - height = 256; - fps = 30; # only for webm - background = "020202"; # only for gif, transparency not supported + # Animated stickers conversion requires additional packages in the + # service's path. + # If this isn't a fresh installation, clearing the bridge's uploaded + # file cache might be necessary (make a database backup first!): + # delete from telegram_file where \ + # mime_type in ('application/gzip', 'application/octet-stream') + animated_sticker = { + target = "gif"; + args = { + width = 256; + height = 256; + fps = 30; # only for webm + background = "020202"; # only for gif, transparency not supported + }; + }; + + encryption = { + allow = true; + default = true; }; }; - - encryption = { - allow = true; - default = true; - }; }; }; + }; -}; + systemd.services.mautrix-telegram.path = with pkgs; [ + lottieconverter # for animated stickers conversion, unfree package + ffmpeg # if converting animated stickers to webm (very slow!) + ]; -systemd.services.mautrix-telegram.path = with pkgs; [ - lottieconverter # for animated stickers conversion, unfree package - ffmpeg # if converting animated stickers to webm (very slow!) -]; - -networking.extraHosts = '' - ${architect-lan} ${matrixdomain} ${matrixwebdomain} - ${architect-wg} ${matrixdomain} ${matrixwebdomain} -''; + networking.extraHosts = '' + ${architect-lan} ${matrixdomain} ${matrixwebdomain} + ${architect-wg} ${matrixdomain} ${matrixwebdomain} + ''; } 
diff --git a/hosts/architect/minecraft.nix b/hosts/architect/minecraft.nix index ceab37f..81ee05a 100644 --- a/hosts/architect/minecraft.nix +++ b/hosts/architect/minecraft.nix @@ -1,18 +1,15 @@ -{config, pkgs, ...}: +{ config, pkgs, ... }: -with import ./network.nix; -{ +with import ./network.nix; { services.minecraft-server = { enable = true; eula = true; declarative = true; - serverProperties = { - motd = "Welcome on the RuNas server!"; - }; + serverProperties = { motd = "Welcome on the RuNas server!"; }; }; networking.extraHosts = '' ${architect-lan} minecraft.giugl.io ${architect-wg} minecraft.giugl.io - ''; + ''; } diff --git a/hosts/architect/minio.nix b/hosts/architect/minio.nix index bb499e5..cd6bb20 100644 --- a/hosts/architect/minio.nix +++ b/hosts/architect/minio.nix @@ -1,5 +1,4 @@ -with import ./network.nix; -{ +with import ./network.nix; { services = { minio.enable = true; diff --git a/hosts/architect/modules/jellyfin.nix b/hosts/architect/modules/jellyfin.nix index e82da55..d44a0a9 100644 --- a/hosts/architect/modules/jellyfin.nix +++ b/hosts/architect/modules/jellyfin.nix @@ -2,10 +2,8 @@ with lib; -let - cfg = config.services.jellyfin; -in -{ +let cfg = config.services.jellyfin; +in { options = { services.jellyfin = { enable = mkEnableOption "Jellyfin Media Server"; @@ -56,7 +54,8 @@ in SupplementaryGroups = [ "video" ]; StateDirectory = "jellyfin"; CacheDirectory = "jellyfin"; - ExecStart = "${cfg.package}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'"; + ExecStart = + "${cfg.package}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'"; Restart = "on-failure"; # Security options: 
@@ -67,40 +66,40 @@ in CapabilityBoundingSet = ""; # ProtectClock= adds DeviceAllow=char-rtc r -# DeviceAllow = [ -# "char-drm r" -# "/dev/nvidia0 r" -# "/dev/nvidiactl r" -# "/dev/nvidia-uvm r" -# "/dev/nvidia-uvm-tools r" -# ]; + # DeviceAllow = [ + # "char-drm r" + # "/dev/nvidia0 r" + # "/dev/nvidiactl r" + # "/dev/nvidia-uvm r" + # "/dev/nvidia-uvm-tools r" + # ]; -# LockPersonality = true; -# - PrivateTmp = true; -# PrivateUsers = true; -# -# ProtectClock = true; -# ProtectControlGroups = true; -# ProtectHostname = true; -# ProtectKernelLogs = true; -# ProtectKernelModules = true; -# ProtectKernelTunables = true; -# -# RemoveIPC = true; -# -# RestrictNamespaces = true; -# # AF_NETLINK needed because Jellyfin monitors the network connection -# RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" ]; -# RestrictRealtime = true; -# RestrictSUIDSGID = true; -# -# SystemCallArchitectures = "native"; -# SystemCallErrorNumber = "EPERM"; -# SystemCallFilter = [ -# "@system-service" -# "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid" -# ]; + # LockPersonality = true; + # + PrivateTmp = true; + # PrivateUsers = true; + # + # ProtectClock = true; + # ProtectControlGroups = true; + # ProtectHostname = true; + # ProtectKernelLogs = true; + # ProtectKernelModules = true; + # ProtectKernelTunables = true; + # + # RemoveIPC = true; + # + # RestrictNamespaces = true; + # # AF_NETLINK needed because Jellyfin monitors the network connection + # RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" ]; + # RestrictRealtime = true; + # RestrictSUIDSGID = true; + # + # SystemCallArchitectures = "native"; + # SystemCallErrorNumber = "EPERM"; + # SystemCallFilter = [ + # "@system-service" + # "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid" + # ]; }; }; 
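Review bot: Almost all of the systemd sandboxing in this block (`ProtectKernel*`, `ProtectControlGroups`, `RestrictNamespaces`, `RestrictRealtime`, `RestrictSUIDSGID`, `LockPersonality`, `SystemCallFilter`, …) is still commented out; the hunk only reindents the comments, so the effective restrictions remain `CapabilityBoundingSet = ""` and `PrivateTmp = true`. The directives that do not touch device access or user namespaces should not interfere with GPU transcoding through the `video`/`render` groups and could be enabled now; `ProtectClock` (which, as the existing comment notes, implies a `DeviceAllow` and would close `/dev/dri`), `PrivateUsers`, `DeviceAllow` and the syscall filter are the ones that need a transcoding test first. Suggested first step, leaving the device-related options as they are:
```nix
            CapabilityBoundingSet = "";
            LockPersonality = true;
            PrivateTmp = true;
            ProtectControlGroups = true;
            ProtectHostname = true;
            ProtectKernelLogs = true;
            ProtectKernelModules = true;
            ProtectKernelTunables = true;
            RemoveIPC = true;
            RestrictNamespaces = true;
            RestrictRealtime = true;
            RestrictSUIDSGID = true;
            # … unchanged: ProtectClock / DeviceAllow / PrivateUsers / SystemCallFilter left commented pending a hardware-transcoding test …
```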
@@ -111,9 +110,7 @@ in }; }; - users.groups = mkIf (cfg.group == "jellyfin") { - jellyfin = {}; - }; + users.groups = mkIf (cfg.group == "jellyfin") { jellyfin = { }; }; networking.firewall = mkIf cfg.openFirewall { # from https://jellyfin.org/docs/general/networking/index.html diff --git a/hosts/architect/network.nix b/hosts/architect/network.nix index 709c8d5..a8e2faa 100644 --- a/hosts/architect/network.nix +++ b/hosts/architect/network.nix 
@@ -1,61 +1,72 @@ rec { # interfaces - wan-if = "enp5s0"; - vpn-if = "wg0"; - proxy-if = "proxy"; + wan-if = "enp5s0"; + vpn-if = "wg0"; + proxy-if = "proxy"; # nets - lan-net = "10.0.0.0/24"; - vpn-net = "10.3.0.0/24"; - proxy-net = "10.4.0.0/24"; + lan-net = "10.0.0.0/24"; + vpn-net = "10.3.0.0/24"; + proxy-net = "10.4.0.0/24"; external_lan-net = "192.168.1.0/24"; # ips - dvr-lan = "10.0.0.2"; - nas-lan = "10.0.0.3"; - architect-lan = "10.0.0.250"; - giupi-lan = "10.0.0.251"; - - proxy-wg = "10.4.0.1"; - architect-wg = "10.3.0.1"; - galuminum-wg = "10.3.0.2"; - oneplus-wg = "10.3.0.3"; - ipad-wg = "10.3.0.4"; - manduria-wg = "10.3.0.5"; - antonio-wg = "10.3.0.6"; - gbeast-wg = "10.3.0.7"; - parisaphone-wg = "10.3.0.8"; - parisapc-wg = "10.3.0.9"; - peppiniell-wg = "10.3.0.10"; - padulino-wg = "10.3.0.11"; - shield-wg = "10.3.0.12"; - pepos-wg = "10.3.0.15"; - salvatore-wg = "10.3.0.16"; - papa-wg = "10.3.0.17"; - defy-wg = "10.3.0.18"; - germano-wg = "10.3.0.19"; - flavio-wg = "10.3.0.20"; - tommy-wg = "10.3.0.21"; - alain-wg = "10.3.0.22"; - dima-wg = "10.3.0.23"; - mikey-wg = "10.3.0.24"; - andrew-wg = "10.3.0.25"; - mikeylaptop-wg = "10.3.0.26"; + dvr-lan = "10.0.0.2"; + nas-lan = "10.0.0.3"; + architect-lan = "10.0.0.250"; + giupi-lan = "10.0.0.251"; + + proxy-wg = "10.4.0.1"; + architect-wg = "10.3.0.1"; + galuminum-wg = "10.3.0.2"; + oneplus-wg = "10.3.0.3"; + ipad-wg = "10.3.0.4"; + manduria-wg = "10.3.0.5"; + antonio-wg = "10.3.0.6"; + gbeast-wg = "10.3.0.7"; + parisaphone-wg = "10.3.0.8"; + parisapc-wg = "10.3.0.9"; + peppiniell-wg = "10.3.0.10"; + padulino-wg = "10.3.0.11"; + shield-wg = "10.3.0.12"; + pepos-wg = "10.3.0.15"; + salvatore-wg = "10.3.0.16"; + papa-wg = "10.3.0.17"; + defy-wg = "10.3.0.18"; + germano-wg = "10.3.0.19"; + flavio-wg = "10.3.0.20"; + tommy-wg = "10.3.0.21"; + alain-wg = "10.3.0.22"; + dima-wg = "10.3.0.23"; + mikey-wg = "10.3.0.24"; + andrew-wg = "10.3.0.25"; + mikeylaptop-wg = "10.3.0.26"; andrewdesktop-wg = "10.3.0.27"; - 
jacopo-wg = "10.3.0.28"; - frznn-wg = "10.3.0.29"; - eleonora-wg = "10.3.0.100"; - angellane-wg = "10.3.0.200"; - hotpottino-wg = "10.3.0.201"; - dodino-wg = "10.3.0.202"; - wolfsonhouse-wg = "10.3.0.203"; + jacopo-wg = "10.3.0.28"; + frznn-wg = "10.3.0.29"; + eleonora-wg = "10.3.0.100"; + angellane-wg = "10.3.0.200"; + hotpottino-wg = "10.3.0.201"; + dodino-wg = "10.3.0.202"; + wolfsonhouse-wg = "10.3.0.203"; # groups - gdevices-wg = [ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg ]; - routers-wg = [ hotpottino-wg angellane-wg dodino-wg wolfsonhouse-wg ]; - c2c-wg = [ ] ++ gdevices-wg; - towan-wg = [ shield-wg parisaphone-wg parisapc-wg ] ++ gdevices-wg ++ routers-wg; - gamenet-wg = [ andrew-wg galuminum-wg gbeast-wg mikey-wg andrewdesktop-wg mikeylaptop-wg flavio-wg salvatore-wg ]; + gdevices-wg = + [ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg ]; + routers-wg = [ hotpottino-wg angellane-wg dodino-wg wolfsonhouse-wg ]; + c2c-wg = [ ] ++ gdevices-wg; + towan-wg = [ shield-wg parisaphone-wg parisapc-wg ] ++ gdevices-wg + ++ routers-wg; + gamenet-wg = [ + andrew-wg + galuminum-wg + gbeast-wg + mikey-wg + andrewdesktop-wg + mikeylaptop-wg + flavio-wg + salvatore-wg + ]; # domains sonarrdomain = "htson.giugl.io"; diff --git a/hosts/architect/nextcloud.nix b/hosts/architect/nextcloud.nix index 0f629ba..b0e6b98 100644 --- a/hosts/architect/nextcloud.nix +++ b/hosts/architect/nextcloud.nix @@ -1,11 +1,10 @@ -{pkgs, ...}: +{ pkgs, ... }: -with import ./network.nix; -{ +with import ./network.nix; { services = { mysql.enable = true; mysql.package = pkgs.unstable.mysql80; - + redis.enable = true; nextcloud = { 
@@ -29,14 +28,14 @@ with import ./network.nix; dbpassFile = "/secrets/nextcloud/dbpass.txt"; adminpassFile = "/secrets/nextcloud/adminpass.txt"; adminuser = "giulio"; - extraTrustedDomains = ["${nextclouddomain}"]; + extraTrustedDomains = [ "${nextclouddomain}" ]; }; }; }; systemd.services."nextcloud-setup" = { - requires = ["mysql.service"]; - after = ["mysql.service"]; + requires = [ "mysql.service" ]; + after = [ "mysql.service" ]; }; networking.extraHosts = '' @@ -45,7 +44,7 @@ with import ./network.nix; ''; services.nginx.virtualHosts.${clouddomain} = { - forceSSL = true; - enableACME = true; - }; + forceSSL = true; + enableACME = true; + }; } diff --git a/hosts/architect/nginx.nix b/hosts/architect/nginx.nix index 3b40cba..0e26f37 100644 --- a/hosts/architect/nginx.nix +++ b/hosts/architect/nginx.nix @@ -1,35 +1,35 @@ -{services, ...}: +{ services, ... }: { services.nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; recommendedProxySettings = true; - recommendedTlsSettings = true; - -# virtualHosts."giugl.io" = { -# default = true; -# enableACME = true; -# addSSL = true; -# root = "/var/lib/nginx/error_pages"; -# extraConfig = "error_page 404 /index.htm;"; -# -# locations = { -# "/" = { -# return = "404"; -# }; -# -# "/index.htm" = { -# }; -# -# "/style.css" = { -# }; -# -# "/wat.jpg" = { -# }; -# }; -# }; + recommendedTlsSettings = true; + + # virtualHosts."giugl.io" = { + # default = true; + # enableACME = true; + # addSSL = true; + # root = "/var/lib/nginx/error_pages"; + # extraConfig = "error_page 404 /index.htm;"; + # + # locations = { + # "/" = { + # return = "404"; + # }; + # + # "/index.htm" = { + # }; + # + # "/style.css" = { + # }; + # + # "/wat.jpg" = { + # }; + # }; + # }; }; users.groups.acme.members = [ "nginx" ]; diff --git a/hosts/architect/nzbget.nix b/hosts/architect/nzbget.nix index 42dbe52..7f5ce81 100644 
--- a/hosts/architect/nzbget.nix +++ b/hosts/architect/nzbget.nix @@ -1,5 +1,4 @@ -with import ./network.nix; -{ +with import ./network.nix; { services = { nzbget.enable = true; @@ -22,5 +21,5 @@ with import ./network.nix; ${architect-wg} ${nzbgetdomain} ''; - users.groups.media.members = ["nzbget"]; + users.groups.media.members = [ "nzbget" ]; } diff --git a/hosts/architect/overseerr.nix b/hosts/architect/overseerr.nix index 08fa25b..5c19a47 100644 --- a/hosts/architect/overseerr.nix +++ b/hosts/architect/overseerr.nix @@ -1,4 +1,4 @@ -{...}: +{ ... }: { virtualisation.oci-containers.containers."overseerr" = { diff --git a/hosts/architect/plex.nix b/hosts/architect/plex.nix index b570b35..6ca100f 100644 --- a/hosts/architect/plex.nix +++ b/hosts/architect/plex.nix @@ -1,7 +1,6 @@ -{ pkgs, ...}: +{ pkgs, ... }: -with import ./network.nix; -{ +with import ./network.nix; { services.plex = { enable = true; package = pkgs.unstable.plex; 
@@ -16,68 +15,66 @@ with import ./network.nix; enableACME = true; http2 = true; extraConfig = '' - allow 10.3.0.0/24; - allow 10.0.0.0/24; - deny all; + allow 10.3.0.0/24; + allow 10.0.0.0/24; + deny all; - #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause - send_timeout 100m; + #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause + send_timeout 100m; - # Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/ - ssl_stapling on; - ssl_stapling_verify on; + # Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/ + ssl_stapling on; + ssl_stapling_verify on; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_prefer_server_ciphers on; - #Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384. - ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_prefer_server_ciphers on; + #Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384. 
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; - # Forward real ip and host to Plex - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $server_addr; - proxy_set_header Referer $server_addr; - proxy_set_header Origin $server_addr; + # Forward real ip and host to Plex + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $server_addr; + proxy_set_header Referer $server_addr; + proxy_set_header Origin $server_addr; - # Plex has A LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices turn it off. - gzip on; - gzip_vary on; - gzip_min_length 1000; - gzip_proxied any; - gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml; - gzip_disable "MSIE [1-6]\."; + # Plex has A LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices turn it off. 
+ gzip on; + gzip_vary on; + gzip_min_length 1000; + gzip_proxied any; + gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml; + gzip_disable "MSIE [1-6]\."; - # Nginx default client_max_body_size is 1MB, which breaks Camera Upload feature from the phones. - # Increasing the limit fixes the issue. Anyhow, if 4K videos are expected to be uploaded, the size might need to be increased even more - client_max_body_size 100M; + # Nginx default client_max_body_size is 1MB, which breaks Camera Upload feature from the phones. + # Increasing the limit fixes the issue. Anyhow, if 4K videos are expected to be uploaded, the size might need to be increased even more + client_max_body_size 100M; - # Plex headers - proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier; - proxy_set_header X-Plex-Device $http_x_plex_device; - proxy_set_header X-Plex-Device-Name $http_x_plex_device_name; - proxy_set_header X-Plex-Platform $http_x_plex_platform; - proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version; - proxy_set_header X-Plex-Product $http_x_plex_product; - proxy_set_header X-Plex-Token $http_x_plex_token; - proxy_set_header X-Plex-Version $http_x_plex_version; - proxy_set_header X-Plex-Nocache $http_x_plex_nocache; - proxy_set_header X-Plex-Provides $http_x_plex_provides; - proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor; - proxy_set_header X-Plex-Model $http_x_plex_model; + # Plex headers + proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier; + proxy_set_header X-Plex-Device $http_x_plex_device; + proxy_set_header X-Plex-Device-Name $http_x_plex_device_name; + proxy_set_header X-Plex-Platform $http_x_plex_platform; + proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version; + proxy_set_header X-Plex-Product $http_x_plex_product; + proxy_set_header X-Plex-Token $http_x_plex_token; + proxy_set_header X-Plex-Version $http_x_plex_version; + 
proxy_set_header X-Plex-Nocache $http_x_plex_nocache; + proxy_set_header X-Plex-Provides $http_x_plex_provides; + proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor; + proxy_set_header X-Plex-Model $http_x_plex_model; - # Websockets - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; + # Websockets + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; - # Buffering off send to the client as soon as the data is received from Plex. - proxy_redirect off; - proxy_buffering off; + # Buffering off send to the client as soon as the data is received from Plex. + proxy_redirect off; + proxy_buffering off; ''; - locations."/" = { - proxyPass = "http://localhost:32400"; - }; + locations."/" = { proxyPass = "http://localhost:32400"; }; }; }; @@ -86,6 +83,6 @@ with import ./network.nix; ${architect-wg} ${mediadomain} ''; - users.groups.media.members = ["plex"]; + users.groups.media.members = [ "plex" ]; } diff --git a/hosts/architect/prowlarr.nix b/hosts/architect/prowlarr.nix index 7c64705..b53c405 100644 --- a/hosts/architect/prowlarr.nix +++ b/hosts/architect/prowlarr.nix @@ -1,7 +1,6 @@ -{ pkgs, ...}: +{ pkgs, ... }: -with import ./network.nix; -{ +with import ./network.nix; { services = { prowlarr.enable = true; @@ -17,13 +16,13 @@ with import ./network.nix; ''; }; -# locations."/api" = { -# proxyPass = "http://127.0.0.1:9696/prowlarr/api"; -# }; -# -# locations."/Content" = { -# proxyPass = "http://127.0.0.1:9696/prowlarr/Content"; -# }; + # locations."/api" = { + # proxyPass = "http://127.0.0.1:9696/prowlarr/api"; + # }; + # + # locations."/Content" = { + # proxyPass = "http://127.0.0.1:9696/prowlarr/Content"; + # }; }; }; @@ -32,5 +31,5 @@ with import ./network.nix; ${architect-wg} ${prowlarrdomain} ''; - users.groups.media.members = ["prowlarr"]; + users.groups.media.members = [ "prowlarr" ]; } 
diff --git a/hosts/architect/radarr.nix b/hosts/architect/radarr.nix index c48c1bc..bc0af46 100644 --- a/hosts/architect/radarr.nix +++ b/hosts/architect/radarr.nix @@ -1,5 +1,4 @@ -with import ./network.nix; -{ +with import ./network.nix; { services = { radarr.enable = true; @@ -22,5 +21,5 @@ with import ./network.nix; ${architect-wg} ${radarrdomain} ''; - users.groups.media.members = ["radarr"]; + users.groups.media.members = [ "radarr" ]; } diff --git a/hosts/architect/sonarr.nix b/hosts/architect/sonarr.nix index b3ccb77..3e94d02 100644 --- a/hosts/architect/sonarr.nix +++ b/hosts/architect/sonarr.nix @@ -1,5 +1,4 @@ -with import ./network.nix; -{ +with import ./network.nix; { services = { sonarr.enable = true; @@ -22,5 +21,5 @@ with import ./network.nix; ${architect-wg} ${sonarrdomain} ''; - users.groups.media.members = ["sonarr"]; + users.groups.media.members = [ "sonarr" ]; } diff --git a/hosts/architect/transmission.nix b/hosts/architect/transmission.nix index 024378f..571408a 100644 --- a/hosts/architect/transmission.nix +++ b/hosts/architect/transmission.nix @@ -1,7 +1,6 @@ with import ./network.nix; -let - domain = "httra.giugl.io"; +let domain = "httra.giugl.io"; in { services = { transmission = { @@ -37,5 +36,5 @@ in { ${architect-wg} ${domain} ''; - users.groups.media.members = ["transmission"]; + users.groups.media.members = [ "transmission" ]; } diff --git a/hosts/architect/wireguard.nix b/hosts/architect/wireguard.nix index 84d5dca..a256a21 100644 --- a/hosts/architect/wireguard.nix +++ b/hosts/architect/wireguard.nix @@ -1,5 +1,4 @@ -with import ./network.nix; -{ +with import ./network.nix; { networking = { extraHosts = '' ${architect-wg} architect.devs.giugl.io 
@@ -35,222 +34,209 @@ with import ./network.nix; wireguard = { interfaces.${proxy-if} = { - ips = ["10.4.0.2/32"]; + ips = [ "10.4.0.2/32" ]; privateKeyFile = "/secrets/wireguard/proxy.key"; - peers = [ - { - publicKey = "WmJBpXpYebcmJEF8nVTKMqQK01KyBe42vzc38K66rVs="; - allowedIPs = ["10.4.0.1/32"]; - endpoint = "giugl.io:1195"; - persistentKeepalive = 21; - } - ]; + peers = [{ + publicKey = "WmJBpXpYebcmJEF8nVTKMqQK01KyBe42vzc38K66rVs="; + allowedIPs = [ "10.4.0.1/32" ]; + endpoint = "giugl.io:1195"; + persistentKeepalive = 21; + }]; }; interfaces.${vpn-if} = { listenPort = 1194; - ips = ["10.3.0.1/24"]; + ips = [ "10.3.0.1/24" ]; privateKeyFile = "/secrets/wireguard/server.key"; peers = [ { - # gAluminum - allowedIPs = [galuminum-wg]; - publicKey = "pEEgSs7xmO0cfyvoQlU8lfwqdYM1ISgmPAunPtF+0xw="; - } + # gAluminum + allowedIPs = [ galuminum-wg ]; + publicKey = "pEEgSs7xmO0cfyvoQlU8lfwqdYM1ISgmPAunPtF+0xw="; + } - { - # OnePlus - allowedIPs = [oneplus-wg]; - publicKey = "zynSERy6VhxN5zBf1ih3BOAHxvigDixHB9YKnSBgYFs="; - } + { + # OnePlus + allowedIPs = [ oneplus-wg ]; + publicKey = "zynSERy6VhxN5zBf1ih3BOAHxvigDixHB9YKnSBgYFs="; + } - { - # iPad - allowedIPs = [ipad-wg]; - publicKey = "DPpd+P/hV1XLuvdcrCRv1sgz8BeZt1y5D6VehNuhjSQ="; - } + { + # iPad + allowedIPs = [ ipad-wg ]; + publicKey = "DPpd+P/hV1XLuvdcrCRv1sgz8BeZt1y5D6VehNuhjSQ="; + } + { + # Manduria + allowedIPs = [ manduria-wg ]; + publicKey = "wT38oXvDQ8g0hI+pAXQobOWf/Wott2zhwo8TLvXK400="; + } - { - # Manduria - allowedIPs = [manduria-wg]; - publicKey = "wT38oXvDQ8g0hI+pAXQobOWf/Wott2zhwo8TLvXK400="; - } + { + # Antonio + allowedIPs = [ antonio-wg ]; + publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc="; + } + { + # Eleonora + allowedIPs = [ eleonora-wg ]; + publicKey = "SL54f1ZeieFyn5X5UAPmypP10GV/c419O94vCzGHFhg="; + } - { - # Antonio - allowedIPs = [antonio-wg]; - publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc="; - } + { + # padulino + allowedIPs = [ padulino-wg ]; + publicKey = 
"sk2Wr2OesND9jcuP/8k7BirSpR4pNNbS9gBkbOxZxwg="; + } + { + # GBEAST + allowedIPs = [ gbeast-wg ]; + publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI="; + } - { - # Eleonora - allowedIPs = [eleonora-wg]; - publicKey = "SL54f1ZeieFyn5X5UAPmypP10GV/c419O94vCzGHFhg="; - } + { + # parisa-phone + allowedIPs = [ parisaphone-wg ]; + publicKey = "t9EUnIkfr1b2HPlTXi17+AKMMe5VfeKq7exRVAwaai0="; + } + { + # parisa-pc + allowedIPs = [ parisapc-wg ]; + publicKey = "b2QzZDTgGQbNXSCLYB4KUzq0/099pH2T8H5BckfNSTQ="; + } - { - # padulino - allowedIPs = [padulino-wg]; - publicKey = "sk2Wr2OesND9jcuP/8k7BirSpR4pNNbS9gBkbOxZxwg="; - } + { + # peppiniell + allowedIPs = [ peppiniell-wg ]; + publicKey = "bzoW3Rx+7Un9hx/2opgBQJmmnZ/hgj1lQ2FnonCHjTc="; + } + { + # angellane + allowedIPs = [ angellane-wg ]; + publicKey = "MZ+nZklHpBxTL7QN9QJpBBx7yOYRZLONfvqAnuk85x0="; + } - { - # GBEAST - allowedIPs = [gbeast-wg]; - publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI="; - } + { + # hotpottino + allowedIPs = [ hotpottino-wg ]; + publicKey = "YqtzTWqGBs2GwSPNO0aRSV4nvJDW3UHHt6fV4UC7vnU="; + } + { + # shield + allowedIPs = [ shield-wg ]; + publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs="; + } - { - # parisa-phone - allowedIPs = [parisaphone-wg]; - publicKey = "t9EUnIkfr1b2HPlTXi17+AKMMe5VfeKq7exRVAwaai0="; - } + { + # pepos + allowedIPs = [ pepos-wg ]; + publicKey = "mb1VaMLML5J24oCMBuhqvBrT6S4tAqWERn30z+h/LwM="; + } + { + # salvatore + allowedIPs = [ salvatore-wg ]; + publicKey = "fhlnBHeMyHZKLUCTSA9kmkKoM5x/qzz/rnCJrUh3Gzs="; + } - { - # parisa-pc - allowedIPs = [parisapc-wg]; - publicKey = "b2QzZDTgGQbNXSCLYB4KUzq0/099pH2T8H5BckfNSTQ="; - } + { + # papa + allowedIPs = [ papa-wg ]; + publicKey = "oGHygt02Oni3IFbScKD0NVEfHKCp6bpw68aq5g4RrAA="; + } + { + # defy + allowedIPs = [ defy-wg ]; + publicKey = "Cvi/eto7E6Ef+aiL81ou7x12fJCeuXrf/go9fxEqXG4="; + } - { - # peppiniell - allowedIPs = [peppiniell-wg]; - publicKey = "bzoW3Rx+7Un9hx/2opgBQJmmnZ/hgj1lQ2FnonCHjTc="; - } + { + 
# germano + allowedIPs = [ germano-wg ]; + publicKey = "gi4o+pZWKItzVs7vY8fvXh98jX6CNeCwc1YDzhc3mA4="; + } + { + # flavio + allowedIPs = [ flavio-wg ]; + publicKey = "Yg0P+yHi/9SZHyoel8jT9fmmu+irLYmT8yMp/CZoaSg="; + } - { - # angellane - allowedIPs = [angellane-wg]; - publicKey = "MZ+nZklHpBxTL7QN9QJpBBx7yOYRZLONfvqAnuk85x0="; - } + { + # dodino + allowedIPs = [ dodino-wg ]; + publicKey = "JHkqlADQpY1CUcivraG9i6rIzCzLVFcl8HP5uIk35lk="; + } + { + # tommy + allowedIPs = [ tommy-wg ]; + publicKey = "tytknU7wql1d0A2provX3RP7CNcEIajfgBJKoSyVLgo="; + } - { - # hotpottino - allowedIPs = [hotpottino-wg]; - publicKey = "YqtzTWqGBs2GwSPNO0aRSV4nvJDW3UHHt6fV4UC7vnU="; - } + { + # alain + allowedIPs = [ alain-wg ]; + publicKey = "/o2msFJoUL4yovcIQJTU8c1faFtekrjSBBWJABouWno="; + } + { + # dima + allowedIPs = [ dima-wg ]; + publicKey = "svzWYIZ6v+cLCp/emGG7mx2YpBJqw2fqjVuHZy7b6H0="; + } - { - # shield - allowedIPs = [shield-wg]; - publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs="; - } + { + # wolfsonhouse + allowedIPs = [ wolfsonhouse-wg ]; + publicKey = "UJRJcAOcnEjEB3o4K2I7gEM97SrhENEesZNf28z+EBQ="; + } - { - # pepos - allowedIPs = [pepos-wg]; - publicKey = "mb1VaMLML5J24oCMBuhqvBrT6S4tAqWERn30z+h/LwM="; - } + { + # mikey + allowedIPs = [ mikey-wg ]; + publicKey = "ewbDdX3z7nxG2aPIf9TogXkhxPlGipLFcy6XfyDC6gI="; + } - { - # salvatore - allowedIPs = [salvatore-wg]; - publicKey = "fhlnBHeMyHZKLUCTSA9kmkKoM5x/qzz/rnCJrUh3Gzs="; - } + { + # andrew + allowedIPs = [ andrew-wg ]; + publicKey = "LP/FgST9fmBQSoKQFq9sFGvjRFOtRooMcuEcjuqaoWM="; + } - { - # papa - allowedIPs = [papa-wg]; - publicKey = "oGHygt02Oni3IFbScKD0NVEfHKCp6bpw68aq5g4RrAA="; - } + { + # mikey laptop + allowedIPs = [ mikeylaptop-wg ]; + publicKey = "kz/pY/PgV+dwF1JZ2It4r5B5QfRSQM7HkbFCdvd5Yxk="; + } - { - # defy - allowedIPs = [defy-wg]; - publicKey = "Cvi/eto7E6Ef+aiL81ou7x12fJCeuXrf/go9fxEqXG4="; - } + { + # andrew desktop + allowedIPs = [ andrewdesktop-wg ]; + publicKey = 
"rpYr3JNLIzxpxzFuQuaHFEl/XvPEPfwLbDETBP8KYXI="; + } - { - # germano - allowedIPs = [germano-wg]; - publicKey = "gi4o+pZWKItzVs7vY8fvXh98jX6CNeCwc1YDzhc3mA4="; - } + { + # laptop desktop + allowedIPs = [ jacopo-wg ]; + publicKey = "W/taWI79bPIKOolVVu5xZfiJnPw9K91Xn1zhcM0+4g0="; + } - { - # flavio - allowedIPs = [flavio-wg]; - publicKey = "Yg0P+yHi/9SZHyoel8jT9fmmu+irLYmT8yMp/CZoaSg="; - } - - { - # dodino - allowedIPs = [dodino-wg]; - publicKey = "JHkqlADQpY1CUcivraG9i6rIzCzLVFcl8HP5uIk35lk="; - } - - { - # tommy - allowedIPs = [tommy-wg]; - publicKey = "tytknU7wql1d0A2provX3RP7CNcEIajfgBJKoSyVLgo="; - } - - { - # alain - allowedIPs = [alain-wg]; - publicKey = "/o2msFJoUL4yovcIQJTU8c1faFtekrjSBBWJABouWno="; - } - - { - # dima - allowedIPs = [dima-wg]; - publicKey = "svzWYIZ6v+cLCp/emGG7mx2YpBJqw2fqjVuHZy7b6H0="; - } - - { - # wolfsonhouse - allowedIPs = [wolfsonhouse-wg]; - publicKey = "UJRJcAOcnEjEB3o4K2I7gEM97SrhENEesZNf28z+EBQ="; - } - - { - # mikey - allowedIPs = [mikey-wg]; - publicKey = "ewbDdX3z7nxG2aPIf9TogXkhxPlGipLFcy6XfyDC6gI="; - } - - { - # andrew - allowedIPs = [andrew-wg]; - publicKey = "LP/FgST9fmBQSoKQFq9sFGvjRFOtRooMcuEcjuqaoWM="; - } - - { - # mikey laptop - allowedIPs = [mikeylaptop-wg]; - publicKey = "kz/pY/PgV+dwF1JZ2It4r5B5QfRSQM7HkbFCdvd5Yxk="; - } - - { - # andrew desktop - allowedIPs = [andrewdesktop-wg]; - publicKey = "rpYr3JNLIzxpxzFuQuaHFEl/XvPEPfwLbDETBP8KYXI="; - } - - { - # laptop desktop - allowedIPs = [jacopo-wg]; - publicKey = "W/taWI79bPIKOolVVu5xZfiJnPw9K91Xn1zhcM0+4g0="; - } - - { - # frznn - allowedIPs = [frznn-wg]; - publicKey = "dXcrdME6VnnE5PBYwvUmayf7cn2wpcExeCR9gIXOO0o="; - } - ]; + { + # frznn + allowedIPs = [ frznn-wg ]; + publicKey = "dXcrdME6VnnE5PBYwvUmayf7cn2wpcExeCR9gIXOO0o="; + } + ]; + }; }; }; -}; } diff --git a/hosts/gAluminum/default.nix b/hosts/gAluminum/default.nix index 9906d49..841c85d 100644 --- a/hosts/gAluminum/default.nix +++ b/hosts/gAluminum/default.nix 
@@ -1,12 +1,8 @@
 { config, pkgs, ... }:
-let
- hostname = "gAluminum";
+let hostname = "gAluminum";
 in {
- imports = [
- ./hardware.nix
- ./wireguard.nix
- ];
+ imports = [ ./hardware.nix ./wireguard.nix ];
 boot = {
 supportedFilesystems = [ "ntfs" ];
@@ -37,7 +33,7 @@ in {
 virtualisation.virtualbox.host.enable = true;
 virtualisation.virtualbox.host.enableExtensionPack = true;
 users.extraGroups.vboxusers.members = [ "giulio" ];
-
+
 services.printing.enable = true;
 sound.enable = true;
@@ -51,4 +47,3 @@ in {
 environment.systemPackages = with pkgs; [ efibootmgr ];
 system.stateVersion = "21.05"; # Did you read the comment?
 }
-
diff --git a/hosts/gAluminum/hardware.nix b/hosts/gAluminum/hardware.nix
index 6be79c6..bd99884 100644
--- a/hosts/gAluminum/hardware.nix
+++ b/hosts/gAluminum/hardware.nix
@@ -4,24 +4,23 @@
 { config, lib, pkgs, modulesPath, ... }:
 {
- imports =
- [ (modulesPath + "/installer/scan/not-detected.nix")
- ];
+ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
- boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+ boot.initrd.availableKernelModules =
+ [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
 boot.initrd.kernelModules = [ "dm-snapshot" ];
 boot.kernelModules = [ "kvm-intel" ];
 boot.extraModulePackages = [ ];
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/92ad62ff-627e-4fd7-9ced-0c0716d3f848";
- fsType = "ext4";
- };
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/92ad62ff-627e-4fd7-9ced-0c0716d3f848";
+ fsType = "ext4";
+ };
- fileSystems."/boot/efi" =
- { device = "/dev/disk/by-uuid/3008-4A28";
- fsType = "vfat";
- };
+ fileSystems."/boot/efi" = {
+ device = "/dev/disk/by-uuid/3008-4A28";
+ fsType = "vfat";
+ };
 swapDevices = [ ];
diff --git a/hosts/gAluminum/wireguard.nix b/hosts/gAluminum/wireguard.nix
index 639b5f5..af00523 100644
--- a/hosts/gAluminum/wireguard.nix
+++ b/hosts/gAluminum/wireguard.nix
@@ -1,17 +1,15 @@
 {
 networking.wg-quick.interfaces = {
 giupi = {
- address = ["10.3.0.2/32"];
+ address = [ "10.3.0.2/32" ];
 privateKeyFile = "/etc/wireguard/giupi.key";
- dns = ["10.3.0.1"];
- peers = [
- {
- publicKey = "I4glUMvIGjjhvQMKhwGc8copPl2t9Us/YYRjT0BKuiw=";
- allowedIPs = ["0.0.0.0/0"];
- endpoint = "architect.devs.giugl.io:1194";
- persistentKeepalive = 25;
- }
- ];
+ dns = [ "10.3.0.1" ];
+ peers = [{
+ publicKey = "I4glUMvIGjjhvQMKhwGc8copPl2t9Us/YYRjT0BKuiw=";
+ allowedIPs = [ "0.0.0.0/0" ];
+ endpoint = "architect.devs.giugl.io:1194";
+ persistentKeepalive = 25;
+ }];
 };
 };
 }
diff --git a/hosts/proxy/coturn.nix b/hosts/proxy/coturn.nix
index c88cb51..d4b5311 100644
--- a/hosts/proxy/coturn.nix
+++ b/hosts/proxy/coturn.nix
@@ -1,9 +1,9 @@
-{pkgs, config, ...}:
+{ pkgs, config, ... }:
 let
- public_ip = "23.88.108.216";
- realm = "turn.giugl.io";
- static-auth-secret = "69duck duck fuck420";
+ public_ip = "23.88.108.216";
+ realm = "turn.giugl.io";
+ static-auth-secret = "69duck duck fuck420";
 in {
 services.coturn = rec {
 inherit realm static-auth-secret;
@@ -21,7 +21,7 @@ in {
 pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
 extraConfig = ''
 verbose
-
+
 cipher-list=\"HIGH\"
 no-multicast-peers
 denied-peer-ip=0.0.0.0-0.255.255.255
@@ -50,12 +50,11 @@ in {
 };
 networking.firewall = {
 interfaces.ens3 = let
- range = with config.services.coturn; [ {
- from = min-port;
- to = max-port;
- } ];
- in
- {
+ range = with config.services.coturn; [{
+ from = min-port;
+ to = max-port;
+ }];
+ in {
 allowedUDPPortRanges = range;
 allowedUDPPorts = [ 5349 ];
 #allowedTCPPortRanges = range;
diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix
index 3f88bb6..e6c7633 100644
--- a/hosts/proxy/default.nix
+++ b/hosts/proxy/default.nix
@@ -1,12 +1,8 @@
 { config, pkgs, ... }:
 {
- imports = [
- ./hardware-configuration.nix
- ./coturn.nix
- ./wireguard.nix
- ./ssh.nix
- ];
+ imports =
+ [ ./hardware-configuration.nix ./coturn.nix ./wireguard.nix ./ssh.nix ];
 boot.loader.grub = {
 enable = true;
@@ -28,4 +24,3 @@
 "ssh-rsa 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 giulio@gAluminum"
 ];
 }
-
diff --git a/hosts/proxy/hardware-configuration.nix b/hosts/proxy/hardware-configuration.nix
index 7a5d8f4..2588670 100644
--- a/hosts/proxy/hardware-configuration.nix
+++ b/hosts/proxy/hardware-configuration.nix
@@ -4,19 +4,18 @@
 { config, lib, pkgs, modulesPath, ... }:
 {
- imports =
- [ (modulesPath + "/profiles/qemu-guest.nix")
- ];
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
- boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
+ boot.initrd.availableKernelModules =
+ [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
 boot.initrd.kernelModules = [ ];
 boot.kernelModules = [ ];
 boot.extraModulePackages = [ ];
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/8b5bcd4a-02b8-4e11-b856-eda792b8b7b8";
- fsType = "ext4";
- };
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/8b5bcd4a-02b8-4e11-b856-eda792b8b7b8";
+ fsType = "ext4";
+ };
 swapDevices = [ ];
diff --git a/hosts/proxy/ssh.nix b/hosts/proxy/ssh.nix
index c64a38a..f7e5a30 100644
--- a/hosts/proxy/ssh.nix
+++ b/hosts/proxy/ssh.nix
@@ -1,4 +1,4 @@
-{ config, ...}:
+{ config, ... }:
 {
 services = {
diff --git a/hosts/proxy/wireguard.nix b/hosts/proxy/wireguard.nix
index 6b904b5..9a9d133 100644
--- a/hosts/proxy/wireguard.nix
+++ b/hosts/proxy/wireguard.nix
@@ -1,4 +1,4 @@
-{ config, ...}:
+{ config, ... }:
 let
 wg_if = "wg0";
@@ -11,13 +11,11 @@ in {
 enable = true;
 externalInterface = wan_if;
 internalInterfaces = [ wg_if ];
- forwardPorts = [
- {
- destination = "10.4.0.2:1194";
- proto = "udp";
- sourcePort = 1194;
- }
- ];
+ forwardPorts = [{
+ destination = "10.4.0.2:1194";
+ proto = "udp";
+ sourcePort = 1194;
+ }];
 };
 wireguard = {
@@ -27,19 +25,17 @@ in {
 privateKeyFile = "/secrets/wireguard/server.key";
 postSetup = ''
- /run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o ${wg_if} -j MASQUERADE
+ /run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o ${wg_if} -j MASQUERADE
 '';
 postShutdown = ''
- /run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o ${wg_if} -j MASQUERADE
+ /run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o ${wg_if} -j MASQUERADE
 '';
- peers = [
- {
- allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ];
- publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA=";
- }
- ];
+ peers = [{
+ allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ];
+ publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA=";
+ }];
 };
 };
 };
diff --git a/lib/default.nix b/lib/default.nix
index 0423072..396f95b 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -1,5 +1,6 @@
-{ pkgs, unstable, nixpkgs, nixos-unstable, home-manager, ...}:
-rec {
+{ pkgs, unstable, nixpkgs, nixos-unstable, home-manager, ... }: rec {
 user = import ./user.nix { inherit pkgs; };
- host = import ./host.nix { inherit pkgs nixpkgs unstable nixos-unstable home-manager user; };
-}
+ host = import ./host.nix {
+ inherit pkgs nixpkgs unstable nixos-unstable home-manager user;
+ };
+}
diff --git a/lib/user.nix b/lib/user.nix
index 18b055f..e9254f5 100644
--- a/lib/user.nix
+++ b/lib/user.nix
@@ -1,23 +1,26 @@
-{ pkgs, ...}:
+{ pkgs, ... }:
 {
- mkUser = { name, roles ? [] }:
- let
- mkRole = role: import (../roles/home + "/${role}.nix");
- roles_mod = (map (r: mkRole r) roles);
- in {
- fileSystems."/home/${name}/Downloads" = {
- device = "tmpfs";
- fsType = "tmpfs";
- options = ["size=3G"];
- };
+ mkUser = { name, roles ? [ ] }:
+ let
+ mkRole = role: import (../roles/home + "/${role}.nix");
+ roles_mod = (map (r: mkRole r) roles);
+ in {
+ users.groups.plugdev = { };
- users.users.${name} = {
- isNormalUser = true;
- shell = pkgs.zsh;
- extraGroups = [ "wheel" ];
- };
+ fileSystems."/home/${name}/Downloads" = {
+ device = "tmpfs";
+ fsType = "tmpfs";
+ options = [ "size=3G" ];
+ };
- home-manager.users.${name}.imports = [ ../roles/home/common.nix ] ++ roles_mod;
- };
+ users.users.${name} = {
+ isNormalUser = true;
+ shell = pkgs.zsh;
+ extraGroups = [ "wheel" "plugdev" ];
+ };
+
+ home-manager.users.${name}.imports = [ ../roles/home/common.nix ]
+ ++ roles_mod;
+ };
 }
diff --git a/roles/acme.nix b/roles/acme.nix
index e149b7f..055270e 100644
--- a/roles/acme.nix
+++ b/roles/acme.nix
@@ -1,5 +1,4 @@
-{ ... }:
-{
+{ ... }: {
 security.acme.acceptTerms = true;
 security.acme.email = "sysadmin@giugl.io";
 }
diff --git a/roles/common.nix b/roles/common.nix
index 2f4fad6..994c114 100644
--- a/roles/common.nix
+++ b/roles/common.nix
@@ -1,9 +1,9 @@
 { config, pkgs, variables, lib, ... }:
-{
+{
 console = {
 keyMap = "us";
- font = "Lat2-Terminus16";
+ font = "Lat2-Terminus16";
 };
 i18n.defaultLocale = "en_US.UTF-8";
@@ -14,21 +14,17 @@
 extraOptions = ''
 experimental-features = nix-command flakes
 '';
-
+
 gc = {
- automatic = true;
- dates = "weekly";
+ automatic = true;
+ dates = "weekly";
 persistent = true;
 };
 };
- nixpkgs = {
- config = {
- allowUnfree = true;
- };
- };
+ nixpkgs = { config = { allowUnfree = true; }; };
- fonts.fonts = with pkgs; [cascadia-code];
+ fonts.fonts = with pkgs; [ cascadia-code ];
 environment.systemPackages = with pkgs; [
 file
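Review bot: The new `extraGroups = [ "wheel" "plugdev" ];` in `users.users.${name}` puts every account built by `mkUser` into `wheel`, so the helper cannot produce a non-administrative user, and the added `plugdev` membership is equally unconditional. Making admin access opt-in while keeping today's default would be a small change: `mkUser = { name, roles ? [ ], admin ? true }:` together with `extraGroups = pkgs.lib.optional admin "wheel" ++ [ "plugdev" ];`, letting a host add a restricted account without editing the helper. Declaring `users.groups.plugdev = { };` inside the per-user function is harmless under NixOS module merging, but it would read better declared once at host or role level next to whatever consumes the group; nothing in this hunk shows what that is, so I am inferring the purpose from the name.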
@@ -49,5 +45,5 @@ smartmontools nmap ripgrep - ]; + ]; } diff --git a/roles/gnome.nix b/roles/gnome.nix index 0b4fc52..23cd64d 100644 --- a/roles/gnome.nix +++ b/roles/gnome.nix @@ -12,7 +12,7 @@ }; dbus.packages = with pkgs; [ gnome3.dconf ]; - udev.packages = with pkgs; [ gnome3.gnome-settings-daemon ]; + udev.packages = with pkgs; [ gnome3.gnome-settings-daemon ]; }; environment.systemPackages = with pkgs; [ gnomeExtensions.appindicator ]; diff --git a/roles/home/common.nix b/roles/home/common.nix index a970bb3..6ffe2c9 100644 --- a/roles/home/common.nix +++ b/roles/home/common.nix @@ -15,7 +15,12 @@ programs.neovim = { enable = true; - extraPackages = with pkgs; [ nodePackages.prettier cmake-format clang-tools rustfmt ]; + extraPackages = with pkgs; [ + nodePackages.prettier + cmake-format + clang-tools + rustfmt + ]; extraConfig = '' " syntax syntax enable diff --git a/roles/home/desktop.nix b/roles/home/desktop.nix index 323ad24..d9a8752 100644 --- a/roles/home/desktop.nix +++ b/roles/home/desktop.nix @@ -2,41 +2,40 @@ let albert_autostart = (pkgs.makeAutostartItem { - name = "albert"; + name = "albert"; package = pkgs.albert; }); guake_autostart = (pkgs.makeAutostartItem { - name = "guake"; + name = "guake"; package = pkgs.guake; }); -in - { - imports = [ ./gnome.nix ]; +in { + imports = [ ./gnome.nix ]; - nixpkgs.config.allowUnfree = true; - home.packages = with pkgs; [ - albert - guake + nixpkgs.config.allowUnfree = true; + home.packages = with pkgs; [ + albert + guake - firefox - brave - chromium + firefox + brave + chromium - slack - signal-desktop - teams - discord - element-desktop + slack + signal-desktop + teams + discord + element-desktop - spotify + spotify - gparted + gparted - libreoffice - vscode - jetbrains.idea-ultimate + libreoffice + vscode + jetbrains.idea-ultimate - albert_autostart - guake_autostart - ]; - } + albert_autostart + guake_autostart + ]; +} diff --git a/roles/home/gnome.nix b/roles/home/gnome.nix index 3bd6391..3b89367 100644 
--- a/roles/home/gnome.nix +++ b/roles/home/gnome.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, lib, ... }: { dconf.settings = { @@ -7,7 +7,7 @@ # "org/gnome/desktop/peripherals/touchpad" = { - natural-scroll = false; + natural-scroll = false; two-finger-scrolling-enabled = true; }; @@ -16,16 +16,16 @@ # "org/gnome/desktop/wm/keybindings" = { - close = [ "q" ]; - maximize = [ "Up" ]; - unmaximize = [ "Down" ]; - move-to-workspace-left = [ "Left" ]; - move-to-workspace-right = [ "Right" ]; - switch-to-workspace-left = [ "Left" ]; + close = [ "q" ]; + maximize = [ "Up" ]; + unmaximize = [ "Down" ]; + move-to-workspace-left = [ "Left" ]; + move-to-workspace-right = [ "Right" ]; + switch-to-workspace-left = [ "Left" ]; switch-to-workspace-right = [ "Right" ]; }; "org/gnome/mutter/keybindings" = { - toggle-tiled-left = [ "Left" ]; + toggle-tiled-left = [ "Left" ]; toggle-tiled-right = [ "Right" ]; }; @@ -43,21 +43,21 @@ screensaver = [ "l" ]; # disable screenshot - screenshot = []; + screenshot = [ ]; }; "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0" = { binding = "F12"; command = "guake-toggle"; - name = "Guake"; + name = "Guake"; }; "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom1" = { binding = "a"; command = "albert toggle"; - name = "Albert"; + name = "Albert"; }; # @@ -65,7 +65,7 @@ # "org/gnome/settings-daemon/plugins/power" = { - sleep-inactive-ac-type = "nothing"; + sleep-inactive-ac-type = "nothing"; sleep-inactive-battery-type = "nothing"; }; @@ -74,7 +74,7 @@ # "org/gnome/settings-daemon/plugins/color" = { - night-light-enabled = true; + night-light-enabled = true; night-light-temperature = 2536; }; diff --git a/roles/home/ssh.nix b/roles/home/ssh.nix index c0c18dc..dc915fb 100644 --- a/roles/home/ssh.nix +++ b/roles/home/ssh.nix @@ -13,7 +13,7 @@ user = "giulio"; identityFile = "~/.ssh/tommypc"; }; - + "dodino.devs.giugl.io" = { user = "pi"; identityFile = "~/.ssh/dodino"; 
@@ -23,12 +23,12 @@ user = "pepos"; identityFile = "~/.ssh/pepos"; }; - + "bastion.nms.kcl.ac.uk" = { user = "k1804704"; identityFile = "~/.ssh/kcllabs"; }; - + "s2access" = { hostname = "s2lab-access.nms.kcl.ac.uk"; user = "k1804704"; @@ -55,12 +55,12 @@ user = "k1804704"; identityFile = "~/.ssh/kcllabs"; }; - + "ctf.mhackeroni.it" = { user = "root"; identityFile = "~/.ssh/github"; }; - + "hotpottino.devs.giugl.io" = { user = "pi"; identityFile = "~/.ssh/hotpottino"; @@ -83,7 +83,7 @@ user = "giulio"; identityFile = "~/.ssh/padulino"; }; - + "ssh.dev.azure.com" = { user = "git"; identityFile = "~/.ssh/freta"; @@ -93,7 +93,7 @@ user = "giulio"; identityFile = "~/.ssh/peppiniell"; }; - + "broccolino.devs.giugl.io" = { user = "pi"; port = 5541; @@ -138,15 +138,13 @@ user = "ctf"; identityFile = "~/.ssh/gitlab_necst"; }; - + "manduria.devs.giugl.io" = { user = "giulio"; identityFile = "~/.ssh/imacmanduria"; }; - "bitbucket.org" = { - identityFile = "~/.ssh/bitbucket"; - }; + "bitbucket.org" = { identityFile = "~/.ssh/bitbucket"; }; "the.al" = { user = "git"; @@ -169,5 +167,5 @@ IdentitiesOnly yes ServerAliveInterval 3600 ''; - }; + }; }