peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

formatting

Browse Source
This commit is contained in:
Giulio De Pasquale 2021-11-25 11:42:32 +00:00
parent 522e4b7bbc
commit 91ef8ff1e2
42 changed files with 852 additions and 877 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
flake.nix
View File

@ -8,7 +8,8 @@
}; };
}; };
outputs = inputs @ { self, nixpkgs, nixos-unstable, home-manager }: let outputs = inputs@{ self, nixpkgs, nixos-unstable, home-manager }:
let
system = "x86_64-linux"; system = "x86_64-linux";
pkgs = import nixpkgs { pkgs = import nixpkgs {
@ -22,15 +23,33 @@
config.allowUnfree = true; config.allowUnfree = true;
}; };
utils = import ./lib { inherit pkgs unstable nixpkgs nixos-unstable home-manager; }; utils = import ./lib {
inherit pkgs unstable nixpkgs nixos-unstable home-manager;
};
inherit (utils) host; inherit (utils) host;
inherit (utils) user; inherit (utils) user;
in { in {
nixosConfigurations = { nixosConfigurations = {
architect = host.mkHost { name = "architect"; users = [ { user = "giulio"; roles = [ "git" ]; } ]; }; architect = host.mkHost {
gAluminum = host.mkHost { name = "gAluminum"; users = [ { user = "giulio"; roles = [ "desktop" "ssh" "git" ]; } ]; roles = [ "gnome" ]; }; name = "architect";
proxy = host.mkHost { name = "proxy"; users = []; }; users = [{
user = "giulio";
roles = [ "git" ];
}];
};
gAluminum = host.mkHost {
name = "gAluminum";
users = [{
user = "giulio";
roles = [ "desktop" "ssh" "git" ];
}];
roles = [ "gnome" ];
};
proxy = host.mkHost {
name = "proxy";
users = [ ];
};
}; };
}; };
} }

3
hosts/architect/bazarr.nix
View File

@ -1,5 +1,4 @@
with import ./network.nix; with import ./network.nix; {
{
services = { services = {
bazarr.enable = true; bazarr.enable = true;

3
hosts/architect/fail2ban.nix
View File

@ -1,5 +1,4 @@
{ config, pkgs, ... }: { config, pkgs, ... }: {
{
services.fail2ban = { services.fail2ban = {
enable = true; enable = true;
package = pkgs.fail2ban; package = pkgs.fail2ban;

20
hosts/architect/firewall.nix
View File

@ -50,7 +50,9 @@ in {
chain POSTROUTING { chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept; type nat hook postrouting priority srcnat; policy accept;
oifname ${wan-if} ip saddr {${lib.concatStringsSep "," towan-wg}} masquerade oifname ${wan-if} ip saddr {${
lib.concatStringsSep "," towan-wg
}} masquerade
} }
} }
@ -132,14 +134,22 @@ in {
ct state established,related accept ct state established,related accept
# client to client # client to client
ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${lib.concatStringsSep "," c2c-wg}} accept ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${
lib.concatStringsSep "," c2c-wg
}} accept
# gdevices talking to everyone in VPN # gdevices talking to everyone in VPN
ip saddr {${lib.concatStringsSep "," gdevices-wg}} ip daddr ${vpn-net} accept ip saddr {${
ip saddr {${lib.concatStringsSep "," gamenet-wg}} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept lib.concatStringsSep "," gdevices-wg
}} ip daddr ${vpn-net} accept
ip saddr {${
lib.concatStringsSep "," gamenet-wg
}} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept
# nat to wan # nat to wan
oifname ${wan-if} ip saddr {${lib.concatStringsSep "," towan-wg}} accept oifname ${wan-if} ip saddr {${
lib.concatStringsSep "," towan-wg
}} accept
jump filter_drop jump filter_drop
} }

3
hosts/architect/gitea.nix
View File

@ -1,5 +1,4 @@
with import ./network.nix; with import ./network.nix; {
{
services.gitea = { services.gitea = {
enable = true; enable = true;
database.type = "sqlite3"; database.type = "sqlite3";

37
hosts/architect/hardware.nix
View File

@ -4,46 +4,47 @@
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports = imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; boot.initrd.availableKernelModules =
[ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" = {
{ device = "zpool/nixos/root"; device = "zpool/nixos/root";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/home" = fileSystems."/home" = {
{ device = "zpool/data/home"; device = "zpool/data/home";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/media" = fileSystems."/media" = {
{ device = "datapool/media"; device = "datapool/media";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/secrets" = fileSystems."/secrets" = {
{ device = "backedpool/secrets"; device = "backedpool/secrets";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/var/lib" = fileSystems."/var/lib" = {
{ device = "backedpool/services"; device = "backedpool/services";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-uuid/AF19-5616"; device = "/dev/disk/by-uuid/AF19-5616";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = [{
swapDevices = [ { device = "/dev/zpool/data/swap"; size = 40000; } ]; device = "/dev/zpool/data/swap";
size = 40000;
}];
} }

7
hosts/architect/jellyfin.nix
View File

@ -1,11 +1,8 @@
{ pkgs, ... }: { pkgs, ... }:
with import ./network.nix; with import ./network.nix; {
{
disabledModules = [ "services/misc/jellyfin.nix" ]; disabledModules = [ "services/misc/jellyfin.nix" ];
imports = [ imports = [ ./modules/jellyfin.nix ];
./modules/jellyfin.nix
];
services = { services = {
jellyfin = { jellyfin = {

32
hosts/architect/matrix.nix
View File

@ -1,7 +1,6 @@
{ pkgs, config, tmp, ... }: { pkgs, config, tmp, ... }:
with import ./network.nix; with import ./network.nix; {
{
services = { services = {
matrix-synapse = { matrix-synapse = {
enable = true; enable = true;
@ -22,21 +21,17 @@ with import ./network.nix;
- "#gaming:matrix.giugl.io" - "#gaming:matrix.giugl.io"
- "#movies:matrix.giugl.io" - "#movies:matrix.giugl.io"
''; '';
listeners = [ listeners = [{
{
port = 8008; port = 8008;
bind_address = "::1"; bind_address = "::1";
type = "http"; type = "http";
tls = false; tls = false;
x_forwarded = true; x_forwarded = true;
resources = [ resources = [{
{
names = [ "client" "federation" ]; names = [ "client" "federation" ];
compress = false; compress = false;
} }];
]; }];
}
];
turn_uris = [ turn_uris = [
"turns:turn.giugl.io:5349?transport=udp" "turns:turn.giugl.io:5349?transport=udp"
"turns:turn.giugl.io:5349?transport=tcp" "turns:turn.giugl.io:5349?transport=tcp"
@ -48,14 +43,10 @@ with import ./network.nix;
postgresql = { postgresql = {
enable = true; enable = true;
ensureDatabases = [ "synapse" ]; ensureDatabases = [ "synapse" ];
ensureUsers = [ ensureUsers = [{
{
name = "matrix-synapse"; name = "matrix-synapse";
ensurePermissions = { ensurePermissions = { "DATABASE synapse" = "ALL PRIVILEGES"; };
"DATABASE synapse" = "ALL PRIVILEGES"; }];
};
}
];
}; };
nginx.virtualHosts = { nginx.virtualHosts = {
@ -64,15 +55,13 @@ with import ./network.nix;
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."= /.well-known/matrix/server".extraConfig = locations."= /.well-known/matrix/server".extraConfig =
let let server = { "m.server" = "${matrixdomain}:443"; };
server = { "m.server" = "${matrixdomain}:443"; };
in '' in ''
add_header Content-Type application/json; add_header Content-Type application/json;
return 200 '${builtins.toJSON server}'; return 200 '${builtins.toJSON server}';
''; '';
locations."= /.well-known/matrix/client".extraConfig = locations."= /.well-known/matrix/client".extraConfig = let
let
client = { client = {
"m.homeserver" = { "base_url" = "https://${matrixdomain}:443"; }; "m.homeserver" = { "base_url" = "https://${matrixdomain}:443"; };
"m.identity_server" = { "base_url" = "https://vector.im"; }; "m.identity_server" = { "base_url" = "https://vector.im"; };
@ -84,7 +73,6 @@ with import ./network.nix;
return 200 '${builtins.toJSON client}'; return 200 '${builtins.toJSON client}';
''; '';
locations."/".extraConfig = '' locations."/".extraConfig = ''
return 404; return 404;
''; '';

7
hosts/architect/minecraft.nix
View File

@ -1,14 +1,11 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
with import ./network.nix; with import ./network.nix; {
{
services.minecraft-server = { services.minecraft-server = {
enable = true; enable = true;
eula = true; eula = true;
declarative = true; declarative = true;
serverProperties = { serverProperties = { motd = "Welcome on the RuNas server!"; };
motd = "Welcome on the RuNas server!";
};
}; };
networking.extraHosts = '' networking.extraHosts = ''

3
hosts/architect/minio.nix
View File

@ -1,5 +1,4 @@
with import ./network.nix; with import ./network.nix; {
{
services = { services = {
minio.enable = true; minio.enable = true;

13
hosts/architect/modules/jellyfin.nix
View File

@ -2,10 +2,8 @@
with lib; with lib;
let let cfg = config.services.jellyfin;
cfg = config.services.jellyfin; in {
in
{
options = { options = {
services.jellyfin = { services.jellyfin = {
enable = mkEnableOption "Jellyfin Media Server"; enable = mkEnableOption "Jellyfin Media Server";
@ -56,7 +54,8 @@ in
SupplementaryGroups = [ "video" ]; SupplementaryGroups = [ "video" ];
StateDirectory = "jellyfin"; StateDirectory = "jellyfin";
CacheDirectory = "jellyfin"; CacheDirectory = "jellyfin";
ExecStart = "${cfg.package}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'"; ExecStart =
"${cfg.package}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'";
Restart = "on-failure"; Restart = "on-failure";
# Security options: # Security options:
@ -111,9 +110,7 @@ in
}; };
}; };
users.groups = mkIf (cfg.group == "jellyfin") { users.groups = mkIf (cfg.group == "jellyfin") { jellyfin = { }; };
jellyfin = {};
};
networking.firewall = mkIf cfg.openFirewall { networking.firewall = mkIf cfg.openFirewall {
# from https://jellyfin.org/docs/general/networking/index.html # from https://jellyfin.org/docs/general/networking/index.html

17
hosts/architect/network.nix
View File

@ -51,11 +51,22 @@ rec {
wolfsonhouse-wg = "10.3.0.203"; wolfsonhouse-wg = "10.3.0.203";
# groups # groups
gdevices-wg = [ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg ]; gdevices-wg =
[ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg ];
routers-wg = [ hotpottino-wg angellane-wg dodino-wg wolfsonhouse-wg ]; routers-wg = [ hotpottino-wg angellane-wg dodino-wg wolfsonhouse-wg ];
c2c-wg = [ ] ++ gdevices-wg; c2c-wg = [ ] ++ gdevices-wg;
towan-wg = [ shield-wg parisaphone-wg parisapc-wg ] ++ gdevices-wg ++ routers-wg; towan-wg = [ shield-wg parisaphone-wg parisapc-wg ] ++ gdevices-wg
gamenet-wg = [ andrew-wg galuminum-wg gbeast-wg mikey-wg andrewdesktop-wg mikeylaptop-wg flavio-wg salvatore-wg ]; ++ routers-wg;
gamenet-wg = [
andrew-wg
galuminum-wg
gbeast-wg
mikey-wg
andrewdesktop-wg
mikeylaptop-wg
flavio-wg
salvatore-wg
];
# domains # domains
sonarrdomain = "htson.giugl.io"; sonarrdomain = "htson.giugl.io";

3
hosts/architect/nextcloud.nix
View File

@ -1,7 +1,6 @@
{ pkgs, ... }: { pkgs, ... }:
with import ./network.nix; with import ./network.nix; {
{
services = { services = {
mysql.enable = true; mysql.enable = true;
mysql.package = pkgs.unstable.mysql80; mysql.package = pkgs.unstable.mysql80;

3
hosts/architect/nzbget.nix
View File

@ -1,5 +1,4 @@
with import ./network.nix; with import ./network.nix; {
{
services = { services = {
nzbget.enable = true; nzbget.enable = true;

7
hosts/architect/plex.nix
View File

@ -1,7 +1,6 @@
{ pkgs, ... }: { pkgs, ... }:
with import ./network.nix; with import ./network.nix; {
{
services.plex = { services.plex = {
enable = true; enable = true;
package = pkgs.unstable.plex; package = pkgs.unstable.plex;
@ -75,9 +74,7 @@ with import ./network.nix;
proxy_redirect off; proxy_redirect off;
proxy_buffering off; proxy_buffering off;
''; '';
locations."/" = { locations."/" = { proxyPass = "http://localhost:32400"; };
proxyPass = "http://localhost:32400";
};
}; };
}; };

3
hosts/architect/prowlarr.nix
View File

@ -1,7 +1,6 @@
{ pkgs, ... }: { pkgs, ... }:
with import ./network.nix; with import ./network.nix; {
{
services = { services = {
prowlarr.enable = true; prowlarr.enable = true;

3
hosts/architect/radarr.nix
View File

@ -1,5 +1,4 @@
with import ./network.nix; with import ./network.nix; {
{
services = { services = {
radarr.enable = true; radarr.enable = true;

3
hosts/architect/sonarr.nix
View File

@ -1,5 +1,4 @@
with import ./network.nix; with import ./network.nix; {
{
services = { services = {
sonarr.enable = true; sonarr.enable = true;

3
hosts/architect/transmission.nix
View File

@ -1,7 +1,6 @@
with import ./network.nix; with import ./network.nix;
let let domain = "httra.giugl.io";
domain = "httra.giugl.io";
in { in {
services = { services = {
transmission = { transmission = {

20
hosts/architect/wireguard.nix
View File

@ -1,5 +1,4 @@
with import ./network.nix; with import ./network.nix; {
{
networking = { networking = {
extraHosts = '' extraHosts = ''
${architect-wg} architect.devs.giugl.io ${architect-wg} architect.devs.giugl.io
@ -37,14 +36,12 @@ with import ./network.nix;
interfaces.${proxy-if} = { interfaces.${proxy-if} = {
ips = [ "10.4.0.2/32" ]; ips = [ "10.4.0.2/32" ];
privateKeyFile = "/secrets/wireguard/proxy.key"; privateKeyFile = "/secrets/wireguard/proxy.key";
peers = [ peers = [{
{
publicKey = "WmJBpXpYebcmJEF8nVTKMqQK01KyBe42vzc38K66rVs="; publicKey = "WmJBpXpYebcmJEF8nVTKMqQK01KyBe42vzc38K66rVs=";
allowedIPs = [ "10.4.0.1/32" ]; allowedIPs = [ "10.4.0.1/32" ];
endpoint = "giugl.io:1195"; endpoint = "giugl.io:1195";
persistentKeepalive = 21; persistentKeepalive = 21;
} }];
];
}; };
interfaces.${vpn-if} = { interfaces.${vpn-if} = {
@ -71,77 +68,66 @@ with import ./network.nix;
publicKey = "DPpd+P/hV1XLuvdcrCRv1sgz8BeZt1y5D6VehNuhjSQ="; publicKey = "DPpd+P/hV1XLuvdcrCRv1sgz8BeZt1y5D6VehNuhjSQ=";
} }
{ {
# Manduria # Manduria
allowedIPs = [ manduria-wg ]; allowedIPs = [ manduria-wg ];
publicKey = "wT38oXvDQ8g0hI+pAXQobOWf/Wott2zhwo8TLvXK400="; publicKey = "wT38oXvDQ8g0hI+pAXQobOWf/Wott2zhwo8TLvXK400=";
} }
{ {
# Antonio # Antonio
allowedIPs = [ antonio-wg ]; allowedIPs = [ antonio-wg ];
publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc="; publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc=";
} }
{ {
# Eleonora # Eleonora
allowedIPs = [ eleonora-wg ]; allowedIPs = [ eleonora-wg ];
publicKey = "SL54f1ZeieFyn5X5UAPmypP10GV/c419O94vCzGHFhg="; publicKey = "SL54f1ZeieFyn5X5UAPmypP10GV/c419O94vCzGHFhg=";
} }
{ {
# padulino # padulino
allowedIPs = [ padulino-wg ]; allowedIPs = [ padulino-wg ];
publicKey = "sk2Wr2OesND9jcuP/8k7BirSpR4pNNbS9gBkbOxZxwg="; publicKey = "sk2Wr2OesND9jcuP/8k7BirSpR4pNNbS9gBkbOxZxwg=";
} }
{ {
# GBEAST # GBEAST
allowedIPs = [ gbeast-wg ]; allowedIPs = [ gbeast-wg ];
publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI="; publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI=";
} }
{ {
# parisa-phone # parisa-phone
allowedIPs = [ parisaphone-wg ]; allowedIPs = [ parisaphone-wg ];
publicKey = "t9EUnIkfr1b2HPlTXi17+AKMMe5VfeKq7exRVAwaai0="; publicKey = "t9EUnIkfr1b2HPlTXi17+AKMMe5VfeKq7exRVAwaai0=";
} }
{ {
# parisa-pc # parisa-pc
allowedIPs = [ parisapc-wg ]; allowedIPs = [ parisapc-wg ];
publicKey = "b2QzZDTgGQbNXSCLYB4KUzq0/099pH2T8H5BckfNSTQ="; publicKey = "b2QzZDTgGQbNXSCLYB4KUzq0/099pH2T8H5BckfNSTQ=";
} }
{ {
# peppiniell # peppiniell
allowedIPs = [ peppiniell-wg ]; allowedIPs = [ peppiniell-wg ];
publicKey = "bzoW3Rx+7Un9hx/2opgBQJmmnZ/hgj1lQ2FnonCHjTc="; publicKey = "bzoW3Rx+7Un9hx/2opgBQJmmnZ/hgj1lQ2FnonCHjTc=";
} }
{ {
# angellane # angellane
allowedIPs = [ angellane-wg ]; allowedIPs = [ angellane-wg ];
publicKey = "MZ+nZklHpBxTL7QN9QJpBBx7yOYRZLONfvqAnuk85x0="; publicKey = "MZ+nZklHpBxTL7QN9QJpBBx7yOYRZLONfvqAnuk85x0=";
} }
{ {
# hotpottino # hotpottino
allowedIPs = [ hotpottino-wg ]; allowedIPs = [ hotpottino-wg ];
publicKey = "YqtzTWqGBs2GwSPNO0aRSV4nvJDW3UHHt6fV4UC7vnU="; publicKey = "YqtzTWqGBs2GwSPNO0aRSV4nvJDW3UHHt6fV4UC7vnU=";
} }
{ {
# shield # shield
allowedIPs = [ shield-wg ]; allowedIPs = [ shield-wg ];

9
hosts/gAluminum/default.nix
View File

@ -1,12 +1,8 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let let hostname = "gAluminum";
hostname = "gAluminum";
in { in {
imports = [ imports = [ ./hardware.nix ./wireguard.nix ];
./hardware.nix
./wireguard.nix
];
boot = { boot = {
supportedFilesystems = [ "ntfs" ]; supportedFilesystems = [ "ntfs" ];
@ -51,4 +47,3 @@ in {
environment.systemPackages = with pkgs; [ efibootmgr ]; environment.systemPackages = with pkgs; [ efibootmgr ];
system.stateVersion = "21.05"; # Did you read the comment? system.stateVersion = "21.05"; # Did you read the comment?
} }

15
hosts/gAluminum/hardware.nix
View File

@ -4,22 +4,21 @@
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports = imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; boot.initrd.availableKernelModules =
[ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-uuid/92ad62ff-627e-4fd7-9ced-0c0716d3f848"; device = "/dev/disk/by-uuid/92ad62ff-627e-4fd7-9ced-0c0716d3f848";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot/efi" = fileSystems."/boot/efi" = {
{ device = "/dev/disk/by-uuid/3008-4A28"; device = "/dev/disk/by-uuid/3008-4A28";
fsType = "vfat"; fsType = "vfat";
}; };

6
hosts/gAluminum/wireguard.nix
View File

@ -4,14 +4,12 @@
address = [ "10.3.0.2/32" ]; address = [ "10.3.0.2/32" ];
privateKeyFile = "/etc/wireguard/giupi.key"; privateKeyFile = "/etc/wireguard/giupi.key";
dns = [ "10.3.0.1" ]; dns = [ "10.3.0.1" ];
peers = [ peers = [{
{
publicKey = "I4glUMvIGjjhvQMKhwGc8copPl2t9Us/YYRjT0BKuiw="; publicKey = "I4glUMvIGjjhvQMKhwGc8copPl2t9Us/YYRjT0BKuiw=";
allowedIPs = [ "0.0.0.0/0" ]; allowedIPs = [ "0.0.0.0/0" ];
endpoint = "architect.devs.giugl.io:1194"; endpoint = "architect.devs.giugl.io:1194";
persistentKeepalive = 25; persistentKeepalive = 25;
} }];
];
}; };
}; };
} }

3
hosts/proxy/coturn.nix
View File

@ -54,8 +54,7 @@ in {
from = min-port; from = min-port;
to = max-port; to = max-port;
}]; }];
in in {
{
allowedUDPPortRanges = range; allowedUDPPortRanges = range;
allowedUDPPorts = [ 5349 ]; allowedUDPPorts = [ 5349 ];
#allowedTCPPortRanges = range; #allowedTCPPortRanges = range;

9
hosts/proxy/default.nix
View File

@ -1,12 +1,8 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
imports = [ imports =
./hardware-configuration.nix [ ./hardware-configuration.nix ./coturn.nix ./wireguard.nix ./ssh.nix ];
./coturn.nix
./wireguard.nix
./ssh.nix
];
boot.loader.grub = { boot.loader.grub = {
enable = true; enable = true;
@ -28,4 +24,3 @@
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCuURERnIFe2XbNu6AsPe2DO11RuaHxVGUcaoJUsIB1F+VOggOVLhxSenOPYLm6NvvGeXVi95G5Sm1UZRcJEEkvxus4bSViV4t/Q2azfYFE27yRH/IeMMoWNPGYNm5Bok2qFb4vHifra9FffwXnOzr0nDDTdHXCft4TO5nsenLJwqu5zOO1CR7J52otY7LheNPyzbGxgIkB3Y7LeOj1+/xXSOJ379NOL2RQBobsg7k442WCX7tU6AC1ct3W+93tcJUUdzJKTT9TJ+XmhdjXNWhDd+QZUNAMr+nKoEdExHp0H40/wIhcLD2OV95gX4i/YBzCg4OQOqZqWiibiEQfGTSAh5aD+nX/PqjXf0XSLEUOA81biLFu28oO8gocjwnhgqmlghvO4SG1rs6uZ8EyPyWsrVMjy8B9FX4aloKqua3aicgC+upjLl3x+KkMJizlMB5Ew7KOjPsjXwMqeJmeBOEd6TSEctttR+lIp+/368FtwXeBxzx9MBT4620mnjWtVKM= giulio@gAluminum" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCuURERnIFe2XbNu6AsPe2DO11RuaHxVGUcaoJUsIB1F+VOggOVLhxSenOPYLm6NvvGeXVi95G5Sm1UZRcJEEkvxus4bSViV4t/Q2azfYFE27yRH/IeMMoWNPGYNm5Bok2qFb4vHifra9FffwXnOzr0nDDTdHXCft4TO5nsenLJwqu5zOO1CR7J52otY7LheNPyzbGxgIkB3Y7LeOj1+/xXSOJ379NOL2RQBobsg7k442WCX7tU6AC1ct3W+93tcJUUdzJKTT9TJ+XmhdjXNWhDd+QZUNAMr+nKoEdExHp0H40/wIhcLD2OV95gX4i/YBzCg4OQOqZqWiibiEQfGTSAh5aD+nX/PqjXf0XSLEUOA81biLFu28oO8gocjwnhgqmlghvO4SG1rs6uZ8EyPyWsrVMjy8B9FX4aloKqua3aicgC+upjLl3x+KkMJizlMB5Ew7KOjPsjXwMqeJmeBOEd6TSEctttR+lIp+/368FtwXeBxzx9MBT4620mnjWtVKM= giulio@gAluminum"
]; ];
} }

11
hosts/proxy/hardware-configuration.nix
View File

@ -4,17 +4,16 @@
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports = imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ]; boot.initrd.availableKernelModules =
[ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-uuid/8b5bcd4a-02b8-4e11-b856-eda792b8b7b8"; device = "/dev/disk/by-uuid/8b5bcd4a-02b8-4e11-b856-eda792b8b7b8";
fsType = "ext4"; fsType = "ext4";
}; };

12
hosts/proxy/wireguard.nix
View File

@ -11,13 +11,11 @@ in {
enable = true; enable = true;
externalInterface = wan_if; externalInterface = wan_if;
internalInterfaces = [ wg_if ]; internalInterfaces = [ wg_if ];
forwardPorts = [ forwardPorts = [{
{
destination = "10.4.0.2:1194"; destination = "10.4.0.2:1194";
proto = "udp"; proto = "udp";
sourcePort = 1194; sourcePort = 1194;
} }];
];
}; };
wireguard = { wireguard = {
@ -34,12 +32,10 @@ in {
/run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o ${wg_if} -j MASQUERADE /run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o ${wg_if} -j MASQUERADE
''; '';
peers = [ peers = [{
{
allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ]; allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ];
publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA="; publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA=";
} }];
];
}; };
}; };
}; };

7
lib/default.nix
View File

@ -1,5 +1,6 @@
{ pkgs, unstable, nixpkgs, nixos-unstable, home-manager, ...}: { pkgs, unstable, nixpkgs, nixos-unstable, home-manager, ... }: rec {
rec {
user = import ./user.nix { inherit pkgs; }; user = import ./user.nix { inherit pkgs; };
host = import ./host.nix { inherit pkgs nixpkgs unstable nixos-unstable home-manager user; }; host = import ./host.nix {
inherit pkgs nixpkgs unstable nixos-unstable home-manager user;
};
} }

7
lib/user.nix
View File

@ -6,6 +6,8 @@
mkRole = role: import (../roles/home + "/${role}.nix"); mkRole = role: import (../roles/home + "/${role}.nix");
roles_mod = (map (r: mkRole r) roles); roles_mod = (map (r: mkRole r) roles);
in { in {
users.groups.plugdev = { };
fileSystems."/home/${name}/Downloads" = { fileSystems."/home/${name}/Downloads" = {
device = "tmpfs"; device = "tmpfs";
fsType = "tmpfs"; fsType = "tmpfs";
@ -15,9 +17,10 @@
users.users.${name} = { users.users.${name} = {
isNormalUser = true; isNormalUser = true;
shell = pkgs.zsh; shell = pkgs.zsh;
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" "plugdev" ];
}; };
home-manager.users.${name}.imports = [ ../roles/home/common.nix ] ++ roles_mod; home-manager.users.${name}.imports = [ ../roles/home/common.nix ]
++ roles_mod;
}; };
} }

3
roles/acme.nix
View File

@ -1,5 +1,4 @@
{ ... }: { ... }: {
{
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
security.acme.email = "sysadmin@giugl.io"; security.acme.email = "sysadmin@giugl.io";
} }

6
roles/common.nix
View File

@ -22,11 +22,7 @@
}; };
}; };
nixpkgs = { nixpkgs = { config = { allowUnfree = true; }; };
config = {
allowUnfree = true;
};
};
fonts.fonts = with pkgs; [ cascadia-code ]; fonts.fonts = with pkgs; [ cascadia-code ];

7
roles/home/common.nix
View File

@ -15,7 +15,12 @@
programs.neovim = { programs.neovim = {
enable = true; enable = true;
extraPackages = with pkgs; [ nodePackages.prettier cmake-format clang-tools rustfmt ]; extraPackages = with pkgs; [
nodePackages.prettier
cmake-format
clang-tools
rustfmt
];
extraConfig = '' extraConfig = ''
" syntax " syntax
syntax enable syntax enable

3
roles/home/desktop.nix
View File

@ -9,8 +9,7 @@ let
name = "guake"; name = "guake";
package = pkgs.guake; package = pkgs.guake;
}); });
in in {
{
imports = [ ./gnome.nix ]; imports = [ ./gnome.nix ];
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;

4
roles/home/ssh.nix
View File

@ -144,9 +144,7 @@
identityFile = "~/.ssh/imacmanduria"; identityFile = "~/.ssh/imacmanduria";
}; };
"bitbucket.org" = { "bitbucket.org" = { identityFile = "~/.ssh/bitbucket"; };
identityFile = "~/.ssh/bitbucket";
};
"the.al" = { "the.al" = {
user = "git"; user = "git";