formatting

Giulio De Pasquale 2021-11-25 11:42:32 +00:00
parent 522e4b7bbc
commit 91ef8ff1e2
42 changed files with 852 additions and 877 deletions


@ -8,7 +8,8 @@
}; };
}; };
outputs = inputs @ { self, nixpkgs, nixos-unstable, home-manager }: let outputs = inputs@{ self, nixpkgs, nixos-unstable, home-manager }:
let
system = "x86_64-linux"; system = "x86_64-linux";
pkgs = import nixpkgs { pkgs = import nixpkgs {
@ -22,15 +23,33 @@
config.allowUnfree = true; config.allowUnfree = true;
}; };
utils = import ./lib { inherit pkgs unstable nixpkgs nixos-unstable home-manager; }; utils = import ./lib {
inherit pkgs unstable nixpkgs nixos-unstable home-manager;
};
inherit (utils) host; inherit (utils) host;
inherit (utils) user; inherit (utils) user;
in { in {
nixosConfigurations = { nixosConfigurations = {
architect = host.mkHost { name = "architect"; users = [ { user = "giulio"; roles = [ "git" ]; } ]; }; architect = host.mkHost {
gAluminum = host.mkHost { name = "gAluminum"; users = [ { user = "giulio"; roles = [ "desktop" "ssh" "git" ]; } ]; roles = [ "gnome" ]; }; name = "architect";
proxy = host.mkHost { name = "proxy"; users = []; }; users = [{
user = "giulio";
roles = [ "git" ];
}];
};
gAluminum = host.mkHost {
name = "gAluminum";
users = [{
user = "giulio";
roles = [ "desktop" "ssh" "git" ];
}];
roles = [ "gnome" ];
};
proxy = host.mkHost {
name = "proxy";
users = [ ];
};
}; };
}; };
} }


@ -1,4 +1,4 @@
{config, lib, ...} : { config, lib, ... }:
{ {
services.restic.backups = { services.restic.backups = {


@ -1,5 +1,4 @@
with import ./network.nix; with import ./network.nix; {
{
services = { services = {
bazarr.enable = true; bazarr.enable = true;
@ -22,5 +21,5 @@ with import ./network.nix;
${architect-wg} ${bazarrdomain} ${architect-wg} ${bazarrdomain}
''; '';
users.groups.media.members = ["bazarr"]; users.groups.media.members = [ "bazarr" ];
} }


@ -4,7 +4,7 @@
services = { services = {
dnsmasq = { dnsmasq = {
enable = true; enable = true;
servers = ["127.0.0.1#5300"]; servers = [ "127.0.0.1#5300" ];
extraConfig = '' extraConfig = ''
localise-queries localise-queries
min-cache-ttl=120 min-cache-ttl=120
@ -13,14 +13,14 @@
}; };
adguardhome = { adguardhome = {
enable= true; enable = true;
port = 3031; port = 3031;
}; };
dnscrypt-proxy2 = { dnscrypt-proxy2 = {
enable = true; enable = true;
settings = { settings = {
listen_addresses = ["127.0.0.1:5353"]; listen_addresses = [ "127.0.0.1:5353" ];
ipv4_servers = true; ipv4_servers = true;
ipv6_servers = false; ipv6_servers = false;
block_ipv6 = true; block_ipv6 = true;
@ -32,7 +32,7 @@
lb_strategy = "p4"; lb_strategy = "p4";
lb_estimator = true; lb_estimator = true;
ignore_system_dns = true; ignore_system_dns = true;
fallback_resolvers = ["1.1.1.1:53" "9.9.9.9:53"]; fallback_resolvers = [ "1.1.1.1:53" "9.9.9.9:53" ];
cache_min_ttl = 450; cache_min_ttl = 450;
cache_max_ttl = 2400; cache_max_ttl = 2400;
}; };


@ -1,5 +1,4 @@
{ config, pkgs, ... }: { config, pkgs, ... }: {
{
services.fail2ban = { services.fail2ban = {
enable = true; enable = true;
package = pkgs.fail2ban; package = pkgs.fail2ban;
@ -7,7 +6,7 @@
banaction = "nftables-multiport"; banaction = "nftables-multiport";
banaction-allports = "nftables-allport"; banaction-allports = "nftables-allport";
bantime-increment.enable = true; bantime-increment.enable = true;
# ignoreIP = [ "10.0.0.0/24" "10.3.0.0/24" ]; # ignoreIP = [ "10.0.0.0/24" "10.3.0.0/24" ];
daemonConfig = '' daemonConfig = ''
[Definition] [Definition]
loglevel = INFO loglevel = INFO


@ -1,4 +1,4 @@
{config, lib, ...} : { config, lib, ... }:
with import ./network.nix; with import ./network.nix;
@ -50,7 +50,9 @@ in {
chain POSTROUTING { chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept; type nat hook postrouting priority srcnat; policy accept;
oifname ${wan-if} ip saddr {${lib.concatStringsSep "," towan-wg}} masquerade oifname ${wan-if} ip saddr {${
lib.concatStringsSep "," towan-wg
}} masquerade
} }
} }
@ -132,14 +134,22 @@ in {
ct state established,related accept ct state established,related accept
# client to client # client to client
ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${lib.concatStringsSep "," c2c-wg}} accept ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${
lib.concatStringsSep "," c2c-wg
}} accept
# gdevices talking to everyone in VPN # gdevices talking to everyone in VPN
ip saddr {${lib.concatStringsSep "," gdevices-wg}} ip daddr ${vpn-net} accept ip saddr {${
ip saddr {${lib.concatStringsSep "," gamenet-wg}} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept lib.concatStringsSep "," gdevices-wg
}} ip daddr ${vpn-net} accept
ip saddr {${
lib.concatStringsSep "," gamenet-wg
}} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept
# nat to wan # nat to wan
oifname ${wan-if} ip saddr {${lib.concatStringsSep "," towan-wg}} accept oifname ${wan-if} ip saddr {${
lib.concatStringsSep "," towan-wg
}} accept
jump filter_drop jump filter_drop
} }


@ -1,5 +1,4 @@
with import ./network.nix; with import ./network.nix; {
{
services.gitea = { services.gitea = {
enable = true; enable = true;
database.type = "sqlite3"; database.type = "sqlite3";


@ -4,46 +4,47 @@
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports = imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; boot.initrd.availableKernelModules =
[ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" = {
{ device = "zpool/nixos/root"; device = "zpool/nixos/root";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/home" = fileSystems."/home" = {
{ device = "zpool/data/home"; device = "zpool/data/home";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/media" = fileSystems."/media" = {
{ device = "datapool/media"; device = "datapool/media";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/secrets" = fileSystems."/secrets" = {
{ device = "backedpool/secrets"; device = "backedpool/secrets";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/var/lib" = fileSystems."/var/lib" = {
{ device = "backedpool/services"; device = "backedpool/services";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-uuid/AF19-5616"; device = "/dev/disk/by-uuid/AF19-5616";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = [{
swapDevices = [ { device = "/dev/zpool/data/swap"; size = 40000; } ]; device = "/dev/zpool/data/swap";
size = 40000;
}];
} }


@ -1,11 +1,8 @@
{ pkgs, ... }: { pkgs, ... }:
with import ./network.nix; with import ./network.nix; {
{ disabledModules = [ "services/misc/jellyfin.nix" ];
disabledModules = ["services/misc/jellyfin.nix"]; imports = [ ./modules/jellyfin.nix ];
imports = [
./modules/jellyfin.nix
];
services = { services = {
jellyfin = { jellyfin = {
@ -32,7 +29,7 @@ with import ./network.nix;
${architect-wg} ${mediadomain} ${architect-wg} ${mediadomain}
''; '';
users.groups.media.members = ["jellyfin"]; users.groups.media.members = [ "jellyfin" ];
users.groups.video.members = ["jellyfin"]; users.groups.video.members = [ "jellyfin" ];
users.groups.render.members = ["jellyfin"]; users.groups.render.members = [ "jellyfin" ];
} }


@ -1,7 +1,6 @@
{ pkgs, config, tmp, ... }: { pkgs, config, tmp, ... }:
with import ./network.nix; with import ./network.nix; {
{
services = { services = {
matrix-synapse = { matrix-synapse = {
enable = true; enable = true;
@ -10,7 +9,7 @@ with import ./network.nix;
public_baseurl = "https://${matrixdomain}"; public_baseurl = "https://${matrixdomain}";
registration_shared_secret = "runas!"; registration_shared_secret = "runas!";
dynamic_thumbnails = true; dynamic_thumbnails = true;
# enable_registration = true; # enable_registration = true;
app_service_config_files = [ app_service_config_files = [
"/var/lib/matrix-synapse/discord-registration.yaml" "/var/lib/matrix-synapse/discord-registration.yaml"
"/var/lib/matrix-synapse/telegram-registration.yaml" "/var/lib/matrix-synapse/telegram-registration.yaml"
@ -22,21 +21,17 @@ with import ./network.nix;
- "#gaming:matrix.giugl.io" - "#gaming:matrix.giugl.io"
- "#movies:matrix.giugl.io" - "#movies:matrix.giugl.io"
''; '';
listeners = [ listeners = [{
{
port = 8008; port = 8008;
bind_address = "::1"; bind_address = "::1";
type = "http"; type = "http";
tls = false; tls = false;
x_forwarded = true; x_forwarded = true;
resources = [ resources = [{
{
names = [ "client" "federation" ]; names = [ "client" "federation" ];
compress = false; compress = false;
} }];
]; }];
}
];
turn_uris = [ turn_uris = [
"turns:turn.giugl.io:5349?transport=udp" "turns:turn.giugl.io:5349?transport=udp"
"turns:turn.giugl.io:5349?transport=tcp" "turns:turn.giugl.io:5349?transport=tcp"
@ -48,14 +43,10 @@ with import ./network.nix;
postgresql = { postgresql = {
enable = true; enable = true;
ensureDatabases = [ "synapse" ]; ensureDatabases = [ "synapse" ];
ensureUsers = [ ensureUsers = [{
{
name = "matrix-synapse"; name = "matrix-synapse";
ensurePermissions = { ensurePermissions = { "DATABASE synapse" = "ALL PRIVILEGES"; };
"DATABASE synapse" = "ALL PRIVILEGES"; }];
};
}
];
}; };
nginx.virtualHosts = { nginx.virtualHosts = {
@ -64,15 +55,13 @@ with import ./network.nix;
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."= /.well-known/matrix/server".extraConfig = locations."= /.well-known/matrix/server".extraConfig =
let let server = { "m.server" = "${matrixdomain}:443"; };
server = { "m.server" = "${matrixdomain}:443"; };
in '' in ''
add_header Content-Type application/json; add_header Content-Type application/json;
return 200 '${builtins.toJSON server}'; return 200 '${builtins.toJSON server}';
''; '';
locations."= /.well-known/matrix/client".extraConfig = locations."= /.well-known/matrix/client".extraConfig = let
let
client = { client = {
"m.homeserver" = { "base_url" = "https://${matrixdomain}:443"; }; "m.homeserver" = { "base_url" = "https://${matrixdomain}:443"; };
"m.identity_server" = { "base_url" = "https://vector.im"; }; "m.identity_server" = { "base_url" = "https://vector.im"; };
@ -84,7 +73,6 @@ with import ./network.nix;
return 200 '${builtins.toJSON client}'; return 200 '${builtins.toJSON client}';
''; '';
locations."/".extraConfig = '' locations."/".extraConfig = ''
return 404; return 404;
''; '';
@ -174,16 +162,16 @@ with import ./network.nix;
}; };
}; };
}; };
systemd.services.mautrix-telegram.path = with pkgs; [ systemd.services.mautrix-telegram.path = with pkgs; [
lottieconverter # for animated stickers conversion, unfree package lottieconverter # for animated stickers conversion, unfree package
ffmpeg # if converting animated stickers to webm (very slow!) ffmpeg # if converting animated stickers to webm (very slow!)
]; ];
networking.extraHosts = '' networking.extraHosts = ''
${architect-lan} ${matrixdomain} ${matrixwebdomain} ${architect-lan} ${matrixdomain} ${matrixwebdomain}
${architect-wg} ${matrixdomain} ${matrixwebdomain} ${architect-wg} ${matrixdomain} ${matrixwebdomain}
''; '';
} }
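Review bot: `registration_shared_secret = "runas!";` in the synapse settings is a short literal that this reformat carries over unchanged; as a Nix string it is committed to the repository and rendered into the world-readable Nix store, and anyone who knows it can register accounts through shared-secret registration even while `enable_registration` stays commented out. Move it into a file outside the store, in line with the `/secrets/...` paths used elsewhere on this page for the WireGuard and Nextcloud credentials, e.g. `extraConfigFiles = [ "/secrets/matrix-synapse/registration.yaml" ];` (the path is a placeholder). Rotate the value as well, since the current one is already in the history. The settings block starts outside the hunk.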


@ -1,14 +1,11 @@
{config, pkgs, ...}: { config, pkgs, ... }:
with import ./network.nix; with import ./network.nix; {
{
services.minecraft-server = { services.minecraft-server = {
enable = true; enable = true;
eula = true; eula = true;
declarative = true; declarative = true;
serverProperties = { serverProperties = { motd = "Welcome on the RuNas server!"; };
motd = "Welcome on the RuNas server!";
};
}; };
networking.extraHosts = '' networking.extraHosts = ''


@ -1,5 +1,4 @@
with import ./network.nix; with import ./network.nix; {
{
services = { services = {
minio.enable = true; minio.enable = true;


@ -2,10 +2,8 @@
with lib; with lib;
let let cfg = config.services.jellyfin;
cfg = config.services.jellyfin; in {
in
{
options = { options = {
services.jellyfin = { services.jellyfin = {
enable = mkEnableOption "Jellyfin Media Server"; enable = mkEnableOption "Jellyfin Media Server";
@ -56,7 +54,8 @@ in
SupplementaryGroups = [ "video" ]; SupplementaryGroups = [ "video" ];
StateDirectory = "jellyfin"; StateDirectory = "jellyfin";
CacheDirectory = "jellyfin"; CacheDirectory = "jellyfin";
ExecStart = "${cfg.package}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'"; ExecStart =
"${cfg.package}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'";
Restart = "on-failure"; Restart = "on-failure";
# Security options: # Security options:
@ -67,40 +66,40 @@ in
CapabilityBoundingSet = ""; CapabilityBoundingSet = "";
# ProtectClock= adds DeviceAllow=char-rtc r # ProtectClock= adds DeviceAllow=char-rtc r
# DeviceAllow = [ # DeviceAllow = [
# "char-drm r" # "char-drm r"
# "/dev/nvidia0 r" # "/dev/nvidia0 r"
# "/dev/nvidiactl r" # "/dev/nvidiactl r"
# "/dev/nvidia-uvm r" # "/dev/nvidia-uvm r"
# "/dev/nvidia-uvm-tools r" # "/dev/nvidia-uvm-tools r"
# ]; # ];
# LockPersonality = true; # LockPersonality = true;
# #
PrivateTmp = true; PrivateTmp = true;
# PrivateUsers = true; # PrivateUsers = true;
# #
# ProtectClock = true; # ProtectClock = true;
# ProtectControlGroups = true; # ProtectControlGroups = true;
# ProtectHostname = true; # ProtectHostname = true;
# ProtectKernelLogs = true; # ProtectKernelLogs = true;
# ProtectKernelModules = true; # ProtectKernelModules = true;
# ProtectKernelTunables = true; # ProtectKernelTunables = true;
# #
# RemoveIPC = true; # RemoveIPC = true;
# #
# RestrictNamespaces = true; # RestrictNamespaces = true;
# # AF_NETLINK needed because Jellyfin monitors the network connection # # AF_NETLINK needed because Jellyfin monitors the network connection
# RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" ]; # RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" ];
# RestrictRealtime = true; # RestrictRealtime = true;
# RestrictSUIDSGID = true; # RestrictSUIDSGID = true;
# #
# SystemCallArchitectures = "native"; # SystemCallArchitectures = "native";
# SystemCallErrorNumber = "EPERM"; # SystemCallErrorNumber = "EPERM";
# SystemCallFilter = [ # SystemCallFilter = [
# "@system-service" # "@system-service"
# "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid" # "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid"
# ]; # ];
}; };
}; };
@ -111,9 +110,7 @@ in
}; };
}; };
users.groups = mkIf (cfg.group == "jellyfin") { users.groups = mkIf (cfg.group == "jellyfin") { jellyfin = { }; };
jellyfin = {};
};
networking.firewall = mkIf cfg.openFirewall { networking.firewall = mkIf cfg.openFirewall {
# from https://jellyfin.org/docs/general/networking/index.html # from https://jellyfin.org/docs/general/networking/index.html
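Review bot: The sandboxing directives from `# DeviceAllow` down to `# SystemCallFilter` stay commented out with no stated reason, so within this hunk the replacement module leaves only `PrivateTmp` and the empty `CapabilityBoundingSet` active for Jellyfin. If the block was disabled for GPU device access (a guess from the `/dev/nvidia*` entries), a comment such as `# hardening disabled: blocks NVIDIA device access for transcoding` would record that. Directives unrelated to devices, e.g. `ProtectKernelModules = true;` and `RestrictSUIDSGID = true;`, could then be re-enabled one at a time. The serviceConfig block starts outside the hunk, so other options may already be set there.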


@ -51,11 +51,22 @@ rec {
wolfsonhouse-wg = "10.3.0.203"; wolfsonhouse-wg = "10.3.0.203";
# groups # groups
gdevices-wg = [ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg ]; gdevices-wg =
[ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg ];
routers-wg = [ hotpottino-wg angellane-wg dodino-wg wolfsonhouse-wg ]; routers-wg = [ hotpottino-wg angellane-wg dodino-wg wolfsonhouse-wg ];
c2c-wg = [ ] ++ gdevices-wg; c2c-wg = [ ] ++ gdevices-wg;
towan-wg = [ shield-wg parisaphone-wg parisapc-wg ] ++ gdevices-wg ++ routers-wg; towan-wg = [ shield-wg parisaphone-wg parisapc-wg ] ++ gdevices-wg
gamenet-wg = [ andrew-wg galuminum-wg gbeast-wg mikey-wg andrewdesktop-wg mikeylaptop-wg flavio-wg salvatore-wg ]; ++ routers-wg;
gamenet-wg = [
andrew-wg
galuminum-wg
gbeast-wg
mikey-wg
andrewdesktop-wg
mikeylaptop-wg
flavio-wg
salvatore-wg
];
# domains # domains
sonarrdomain = "htson.giugl.io"; sonarrdomain = "htson.giugl.io";


@ -1,7 +1,6 @@
{pkgs, ...}: { pkgs, ... }:
with import ./network.nix; with import ./network.nix; {
{
services = { services = {
mysql.enable = true; mysql.enable = true;
mysql.package = pkgs.unstable.mysql80; mysql.package = pkgs.unstable.mysql80;
@ -29,14 +28,14 @@ with import ./network.nix;
dbpassFile = "/secrets/nextcloud/dbpass.txt"; dbpassFile = "/secrets/nextcloud/dbpass.txt";
adminpassFile = "/secrets/nextcloud/adminpass.txt"; adminpassFile = "/secrets/nextcloud/adminpass.txt";
adminuser = "giulio"; adminuser = "giulio";
extraTrustedDomains = ["${nextclouddomain}"]; extraTrustedDomains = [ "${nextclouddomain}" ];
}; };
}; };
}; };
systemd.services."nextcloud-setup" = { systemd.services."nextcloud-setup" = {
requires = ["mysql.service"]; requires = [ "mysql.service" ];
after = ["mysql.service"]; after = [ "mysql.service" ];
}; };
networking.extraHosts = '' networking.extraHosts = ''


@ -1,4 +1,4 @@
{services, ...}: { services, ... }:
{ {
services.nginx = { services.nginx = {
@ -8,28 +8,28 @@
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
# virtualHosts."giugl.io" = { # virtualHosts."giugl.io" = {
# default = true; # default = true;
# enableACME = true; # enableACME = true;
# addSSL = true; # addSSL = true;
# root = "/var/lib/nginx/error_pages"; # root = "/var/lib/nginx/error_pages";
# extraConfig = "error_page 404 /index.htm;"; # extraConfig = "error_page 404 /index.htm;";
# #
# locations = { # locations = {
# "/" = { # "/" = {
# return = "404"; # return = "404";
# }; # };
# #
# "/index.htm" = { # "/index.htm" = {
# }; # };
# #
# "/style.css" = { # "/style.css" = {
# }; # };
# #
# "/wat.jpg" = { # "/wat.jpg" = {
# }; # };
# }; # };
# }; # };
}; };
users.groups.acme.members = [ "nginx" ]; users.groups.acme.members = [ "nginx" ];


@ -1,5 +1,4 @@
with import ./network.nix; with import ./network.nix; {
{
services = { services = {
nzbget.enable = true; nzbget.enable = true;
@ -22,5 +21,5 @@ with import ./network.nix;
${architect-wg} ${nzbgetdomain} ${architect-wg} ${nzbgetdomain}
''; '';
users.groups.media.members = ["nzbget"]; users.groups.media.members = [ "nzbget" ];
} }


@ -1,4 +1,4 @@
{...}: { ... }:
{ {
virtualisation.oci-containers.containers."overseerr" = { virtualisation.oci-containers.containers."overseerr" = {


@ -1,7 +1,6 @@
{ pkgs, ...}: { pkgs, ... }:
with import ./network.nix; with import ./network.nix; {
{
services.plex = { services.plex = {
enable = true; enable = true;
package = pkgs.unstable.plex; package = pkgs.unstable.plex;
@ -75,9 +74,7 @@ with import ./network.nix;
proxy_redirect off; proxy_redirect off;
proxy_buffering off; proxy_buffering off;
''; '';
locations."/" = { locations."/" = { proxyPass = "http://localhost:32400"; };
proxyPass = "http://localhost:32400";
};
}; };
}; };
@ -86,6 +83,6 @@ with import ./network.nix;
${architect-wg} ${mediadomain} ${architect-wg} ${mediadomain}
''; '';
users.groups.media.members = ["plex"]; users.groups.media.members = [ "plex" ];
} }


@ -1,7 +1,6 @@
{ pkgs, ...}: { pkgs, ... }:
with import ./network.nix; with import ./network.nix; {
{
services = { services = {
prowlarr.enable = true; prowlarr.enable = true;
@ -17,13 +16,13 @@ with import ./network.nix;
''; '';
}; };
# locations."/api" = { # locations."/api" = {
# proxyPass = "http://127.0.0.1:9696/prowlarr/api"; # proxyPass = "http://127.0.0.1:9696/prowlarr/api";
# }; # };
# #
# locations."/Content" = { # locations."/Content" = {
# proxyPass = "http://127.0.0.1:9696/prowlarr/Content"; # proxyPass = "http://127.0.0.1:9696/prowlarr/Content";
# }; # };
}; };
}; };
@ -32,5 +31,5 @@ with import ./network.nix;
${architect-wg} ${prowlarrdomain} ${architect-wg} ${prowlarrdomain}
''; '';
users.groups.media.members = ["prowlarr"]; users.groups.media.members = [ "prowlarr" ];
} }


@ -1,5 +1,4 @@
with import ./network.nix; with import ./network.nix; {
{
services = { services = {
radarr.enable = true; radarr.enable = true;
@ -22,5 +21,5 @@ with import ./network.nix;
${architect-wg} ${radarrdomain} ${architect-wg} ${radarrdomain}
''; '';
users.groups.media.members = ["radarr"]; users.groups.media.members = [ "radarr" ];
} }


@ -1,5 +1,4 @@
with import ./network.nix; with import ./network.nix; {
{
services = { services = {
sonarr.enable = true; sonarr.enable = true;
@ -22,5 +21,5 @@ with import ./network.nix;
${architect-wg} ${sonarrdomain} ${architect-wg} ${sonarrdomain}
''; '';
users.groups.media.members = ["sonarr"]; users.groups.media.members = [ "sonarr" ];
} }


@ -1,7 +1,6 @@
with import ./network.nix; with import ./network.nix;
let let domain = "httra.giugl.io";
domain = "httra.giugl.io";
in { in {
services = { services = {
transmission = { transmission = {
@ -37,5 +36,5 @@ in {
${architect-wg} ${domain} ${architect-wg} ${domain}
''; '';
users.groups.media.members = ["transmission"]; users.groups.media.members = [ "transmission" ];
} }


@ -1,5 +1,4 @@
with import ./network.nix; with import ./network.nix; {
{
networking = { networking = {
extraHosts = '' extraHosts = ''
${architect-wg} architect.devs.giugl.io ${architect-wg} architect.devs.giugl.io
@ -35,222 +34,209 @@ with import ./network.nix;
wireguard = { wireguard = {
interfaces.${proxy-if} = { interfaces.${proxy-if} = {
ips = ["10.4.0.2/32"]; ips = [ "10.4.0.2/32" ];
privateKeyFile = "/secrets/wireguard/proxy.key"; privateKeyFile = "/secrets/wireguard/proxy.key";
peers = [ peers = [{
{
publicKey = "WmJBpXpYebcmJEF8nVTKMqQK01KyBe42vzc38K66rVs="; publicKey = "WmJBpXpYebcmJEF8nVTKMqQK01KyBe42vzc38K66rVs=";
allowedIPs = ["10.4.0.1/32"]; allowedIPs = [ "10.4.0.1/32" ];
endpoint = "giugl.io:1195"; endpoint = "giugl.io:1195";
persistentKeepalive = 21; persistentKeepalive = 21;
} }];
];
}; };
interfaces.${vpn-if} = { interfaces.${vpn-if} = {
listenPort = 1194; listenPort = 1194;
ips = ["10.3.0.1/24"]; ips = [ "10.3.0.1/24" ];
privateKeyFile = "/secrets/wireguard/server.key"; privateKeyFile = "/secrets/wireguard/server.key";
peers = [ peers = [
{ {
# gAluminum # gAluminum
allowedIPs = [galuminum-wg]; allowedIPs = [ galuminum-wg ];
publicKey = "pEEgSs7xmO0cfyvoQlU8lfwqdYM1ISgmPAunPtF+0xw="; publicKey = "pEEgSs7xmO0cfyvoQlU8lfwqdYM1ISgmPAunPtF+0xw=";
} }
{ {
# OnePlus # OnePlus
allowedIPs = [oneplus-wg]; allowedIPs = [ oneplus-wg ];
publicKey = "zynSERy6VhxN5zBf1ih3BOAHxvigDixHB9YKnSBgYFs="; publicKey = "zynSERy6VhxN5zBf1ih3BOAHxvigDixHB9YKnSBgYFs=";
} }
{ {
# iPad # iPad
allowedIPs = [ipad-wg]; allowedIPs = [ ipad-wg ];
publicKey = "DPpd+P/hV1XLuvdcrCRv1sgz8BeZt1y5D6VehNuhjSQ="; publicKey = "DPpd+P/hV1XLuvdcrCRv1sgz8BeZt1y5D6VehNuhjSQ=";
} }
{ {
# Manduria # Manduria
allowedIPs = [manduria-wg]; allowedIPs = [ manduria-wg ];
publicKey = "wT38oXvDQ8g0hI+pAXQobOWf/Wott2zhwo8TLvXK400="; publicKey = "wT38oXvDQ8g0hI+pAXQobOWf/Wott2zhwo8TLvXK400=";
} }
{ {
# Antonio # Antonio
allowedIPs = [antonio-wg]; allowedIPs = [ antonio-wg ];
publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc="; publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc=";
} }
{ {
# Eleonora # Eleonora
allowedIPs = [eleonora-wg]; allowedIPs = [ eleonora-wg ];
publicKey = "SL54f1ZeieFyn5X5UAPmypP10GV/c419O94vCzGHFhg="; publicKey = "SL54f1ZeieFyn5X5UAPmypP10GV/c419O94vCzGHFhg=";
} }
{ {
# padulino # padulino
allowedIPs = [padulino-wg]; allowedIPs = [ padulino-wg ];
publicKey = "sk2Wr2OesND9jcuP/8k7BirSpR4pNNbS9gBkbOxZxwg="; publicKey = "sk2Wr2OesND9jcuP/8k7BirSpR4pNNbS9gBkbOxZxwg=";
} }
{ {
# GBEAST # GBEAST
allowedIPs = [gbeast-wg]; allowedIPs = [ gbeast-wg ];
publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI="; publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI=";
} }
{ {
# parisa-phone # parisa-phone
allowedIPs = [parisaphone-wg]; allowedIPs = [ parisaphone-wg ];
publicKey = "t9EUnIkfr1b2HPlTXi17+AKMMe5VfeKq7exRVAwaai0="; publicKey = "t9EUnIkfr1b2HPlTXi17+AKMMe5VfeKq7exRVAwaai0=";
} }
{ {
# parisa-pc # parisa-pc
allowedIPs = [parisapc-wg]; allowedIPs = [ parisapc-wg ];
publicKey = "b2QzZDTgGQbNXSCLYB4KUzq0/099pH2T8H5BckfNSTQ="; publicKey = "b2QzZDTgGQbNXSCLYB4KUzq0/099pH2T8H5BckfNSTQ=";
} }
{ {
# peppiniell # peppiniell
allowedIPs = [peppiniell-wg]; allowedIPs = [ peppiniell-wg ];
publicKey = "bzoW3Rx+7Un9hx/2opgBQJmmnZ/hgj1lQ2FnonCHjTc="; publicKey = "bzoW3Rx+7Un9hx/2opgBQJmmnZ/hgj1lQ2FnonCHjTc=";
} }
{ {
# angellane # angellane
allowedIPs = [angellane-wg]; allowedIPs = [ angellane-wg ];
publicKey = "MZ+nZklHpBxTL7QN9QJpBBx7yOYRZLONfvqAnuk85x0="; publicKey = "MZ+nZklHpBxTL7QN9QJpBBx7yOYRZLONfvqAnuk85x0=";
} }
{ {
# hotpottino # hotpottino
allowedIPs = [hotpottino-wg]; allowedIPs = [ hotpottino-wg ];
publicKey = "YqtzTWqGBs2GwSPNO0aRSV4nvJDW3UHHt6fV4UC7vnU="; publicKey = "YqtzTWqGBs2GwSPNO0aRSV4nvJDW3UHHt6fV4UC7vnU=";
} }
{ {
# shield # shield
allowedIPs = [shield-wg]; allowedIPs = [ shield-wg ];
publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs="; publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs=";
} }
{ {
# pepos # pepos
allowedIPs = [pepos-wg]; allowedIPs = [ pepos-wg ];
publicKey = "mb1VaMLML5J24oCMBuhqvBrT6S4tAqWERn30z+h/LwM="; publicKey = "mb1VaMLML5J24oCMBuhqvBrT6S4tAqWERn30z+h/LwM=";
} }
{ {
# salvatore # salvatore
allowedIPs = [salvatore-wg]; allowedIPs = [ salvatore-wg ];
publicKey = "fhlnBHeMyHZKLUCTSA9kmkKoM5x/qzz/rnCJrUh3Gzs="; publicKey = "fhlnBHeMyHZKLUCTSA9kmkKoM5x/qzz/rnCJrUh3Gzs=";
} }
{ {
# papa # papa
allowedIPs = [papa-wg]; allowedIPs = [ papa-wg ];
publicKey = "oGHygt02Oni3IFbScKD0NVEfHKCp6bpw68aq5g4RrAA="; publicKey = "oGHygt02Oni3IFbScKD0NVEfHKCp6bpw68aq5g4RrAA=";
} }
{ {
# defy # defy
allowedIPs = [defy-wg]; allowedIPs = [ defy-wg ];
publicKey = "Cvi/eto7E6Ef+aiL81ou7x12fJCeuXrf/go9fxEqXG4="; publicKey = "Cvi/eto7E6Ef+aiL81ou7x12fJCeuXrf/go9fxEqXG4=";
} }
{ {
# germano # germano
allowedIPs = [germano-wg]; allowedIPs = [ germano-wg ];
publicKey = "gi4o+pZWKItzVs7vY8fvXh98jX6CNeCwc1YDzhc3mA4="; publicKey = "gi4o+pZWKItzVs7vY8fvXh98jX6CNeCwc1YDzhc3mA4=";
} }
{ {
# flavio # flavio
allowedIPs = [flavio-wg]; allowedIPs = [ flavio-wg ];
publicKey = "Yg0P+yHi/9SZHyoel8jT9fmmu+irLYmT8yMp/CZoaSg="; publicKey = "Yg0P+yHi/9SZHyoel8jT9fmmu+irLYmT8yMp/CZoaSg=";
} }
{ {
# dodino # dodino
allowedIPs = [dodino-wg]; allowedIPs = [ dodino-wg ];
publicKey = "JHkqlADQpY1CUcivraG9i6rIzCzLVFcl8HP5uIk35lk="; publicKey = "JHkqlADQpY1CUcivraG9i6rIzCzLVFcl8HP5uIk35lk=";
} }
{ {
# tommy # tommy
allowedIPs = [tommy-wg]; allowedIPs = [ tommy-wg ];
publicKey = "tytknU7wql1d0A2provX3RP7CNcEIajfgBJKoSyVLgo="; publicKey = "tytknU7wql1d0A2provX3RP7CNcEIajfgBJKoSyVLgo=";
} }
{ {
# alain # alain
allowedIPs = [alain-wg]; allowedIPs = [ alain-wg ];
publicKey = "/o2msFJoUL4yovcIQJTU8c1faFtekrjSBBWJABouWno="; publicKey = "/o2msFJoUL4yovcIQJTU8c1faFtekrjSBBWJABouWno=";
} }
{ {
# dima # dima
allowedIPs = [dima-wg]; allowedIPs = [ dima-wg ];
publicKey = "svzWYIZ6v+cLCp/emGG7mx2YpBJqw2fqjVuHZy7b6H0="; publicKey = "svzWYIZ6v+cLCp/emGG7mx2YpBJqw2fqjVuHZy7b6H0=";
} }
{ {
# wolfsonhouse # wolfsonhouse
allowedIPs = [wolfsonhouse-wg]; allowedIPs = [ wolfsonhouse-wg ];
publicKey = "UJRJcAOcnEjEB3o4K2I7gEM97SrhENEesZNf28z+EBQ="; publicKey = "UJRJcAOcnEjEB3o4K2I7gEM97SrhENEesZNf28z+EBQ=";
} }
{ {
# mikey # mikey
allowedIPs = [mikey-wg]; allowedIPs = [ mikey-wg ];
publicKey = "ewbDdX3z7nxG2aPIf9TogXkhxPlGipLFcy6XfyDC6gI="; publicKey = "ewbDdX3z7nxG2aPIf9TogXkhxPlGipLFcy6XfyDC6gI=";
} }
{ {
# andrew # andrew
allowedIPs = [andrew-wg]; allowedIPs = [ andrew-wg ];
publicKey = "LP/FgST9fmBQSoKQFq9sFGvjRFOtRooMcuEcjuqaoWM="; publicKey = "LP/FgST9fmBQSoKQFq9sFGvjRFOtRooMcuEcjuqaoWM=";
} }
{ {
# mikey laptop # mikey laptop
allowedIPs = [mikeylaptop-wg]; allowedIPs = [ mikeylaptop-wg ];
publicKey = "kz/pY/PgV+dwF1JZ2It4r5B5QfRSQM7HkbFCdvd5Yxk="; publicKey = "kz/pY/PgV+dwF1JZ2It4r5B5QfRSQM7HkbFCdvd5Yxk=";
} }
{ {
# andrew desktop # andrew desktop
allowedIPs = [andrewdesktop-wg]; allowedIPs = [ andrewdesktop-wg ];
publicKey = "rpYr3JNLIzxpxzFuQuaHFEl/XvPEPfwLbDETBP8KYXI="; publicKey = "rpYr3JNLIzxpxzFuQuaHFEl/XvPEPfwLbDETBP8KYXI=";
} }
{ {
# laptop desktop # laptop desktop
allowedIPs = [jacopo-wg]; allowedIPs = [ jacopo-wg ];
publicKey = "W/taWI79bPIKOolVVu5xZfiJnPw9K91Xn1zhcM0+4g0="; publicKey = "W/taWI79bPIKOolVVu5xZfiJnPw9K91Xn1zhcM0+4g0=";
} }
{ {
# frznn # frznn
allowedIPs = [frznn-wg]; allowedIPs = [ frznn-wg ];
publicKey = "dXcrdME6VnnE5PBYwvUmayf7cn2wpcExeCR9gIXOO0o="; publicKey = "dXcrdME6VnnE5PBYwvUmayf7cn2wpcExeCR9gIXOO0o=";
} }
]; ];
}; };
}; };
}; };
} }


@ -1,12 +1,8 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let let hostname = "gAluminum";
hostname = "gAluminum";
in { in {
imports = [ imports = [ ./hardware.nix ./wireguard.nix ];
./hardware.nix
./wireguard.nix
];
boot = { boot = {
supportedFilesystems = [ "ntfs" ]; supportedFilesystems = [ "ntfs" ];
@ -51,4 +47,3 @@ in {
environment.systemPackages = with pkgs; [ efibootmgr ]; environment.systemPackages = with pkgs; [ efibootmgr ];
system.stateVersion = "21.05"; # Did you read the comment? system.stateVersion = "21.05"; # Did you read the comment?
} }


@ -4,22 +4,21 @@
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports = imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; boot.initrd.availableKernelModules =
[ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-uuid/92ad62ff-627e-4fd7-9ced-0c0716d3f848"; device = "/dev/disk/by-uuid/92ad62ff-627e-4fd7-9ced-0c0716d3f848";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot/efi" = fileSystems."/boot/efi" = {
{ device = "/dev/disk/by-uuid/3008-4A28"; device = "/dev/disk/by-uuid/3008-4A28";
fsType = "vfat"; fsType = "vfat";
}; };


@ -1,17 +1,15 @@
{ {
networking.wg-quick.interfaces = { networking.wg-quick.interfaces = {
giupi = { giupi = {
address = ["10.3.0.2/32"]; address = [ "10.3.0.2/32" ];
privateKeyFile = "/etc/wireguard/giupi.key"; privateKeyFile = "/etc/wireguard/giupi.key";
dns = ["10.3.0.1"]; dns = [ "10.3.0.1" ];
peers = [ peers = [{
{
publicKey = "I4glUMvIGjjhvQMKhwGc8copPl2t9Us/YYRjT0BKuiw="; publicKey = "I4glUMvIGjjhvQMKhwGc8copPl2t9Us/YYRjT0BKuiw=";
allowedIPs = ["0.0.0.0/0"]; allowedIPs = [ "0.0.0.0/0" ];
endpoint = "architect.devs.giugl.io:1194"; endpoint = "architect.devs.giugl.io:1194";
persistentKeepalive = 25; persistentKeepalive = 25;
} }];
];
}; };
}; };
} }


@ -1,4 +1,4 @@
{pkgs, config, ...}: { pkgs, config, ... }:
let let
public_ip = "23.88.108.216"; public_ip = "23.88.108.216";
@ -50,12 +50,11 @@ in {
}; };
networking.firewall = { networking.firewall = {
interfaces.ens3 = let interfaces.ens3 = let
range = with config.services.coturn; [ { range = with config.services.coturn; [{
from = min-port; from = min-port;
to = max-port; to = max-port;
} ]; }];
in in {
{
allowedUDPPortRanges = range; allowedUDPPortRanges = range;
allowedUDPPorts = [ 5349 ]; allowedUDPPorts = [ 5349 ];
#allowedTCPPortRanges = range; #allowedTCPPortRanges = range;


@ -1,12 +1,8 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
imports = [ imports =
./hardware-configuration.nix [ ./hardware-configuration.nix ./coturn.nix ./wireguard.nix ./ssh.nix ];
./coturn.nix
./wireguard.nix
./ssh.nix
];
boot.loader.grub = { boot.loader.grub = {
enable = true; enable = true;
@ -28,4 +24,3 @@
"ssh-rsa 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 giulio@gAluminum" "ssh-rsa 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 giulio@gAluminum"
]; ];
} }


@ -4,17 +4,16 @@
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports = imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ]; boot.initrd.availableKernelModules =
[ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-uuid/8b5bcd4a-02b8-4e11-b856-eda792b8b7b8"; device = "/dev/disk/by-uuid/8b5bcd4a-02b8-4e11-b856-eda792b8b7b8";
fsType = "ext4"; fsType = "ext4";
}; };


@ -1,4 +1,4 @@
{ config, ...}: { config, ... }:
{ {
services = { services = {


@ -1,4 +1,4 @@
{ config, ...}: { config, ... }:
let let
wg_if = "wg0"; wg_if = "wg0";
@ -11,13 +11,11 @@ in {
enable = true; enable = true;
externalInterface = wan_if; externalInterface = wan_if;
internalInterfaces = [ wg_if ]; internalInterfaces = [ wg_if ];
forwardPorts = [ forwardPorts = [{
{
destination = "10.4.0.2:1194"; destination = "10.4.0.2:1194";
proto = "udp"; proto = "udp";
sourcePort = 1194; sourcePort = 1194;
} }];
];
}; };
wireguard = { wireguard = {
@ -34,12 +32,10 @@ in {
/run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o ${wg_if} -j MASQUERADE /run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o ${wg_if} -j MASQUERADE
''; '';
peers = [ peers = [{
{
allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ]; allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ];
publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA="; publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA=";
} }];
];
}; };
}; };
}; };


@ -1,5 +1,6 @@
{ pkgs, unstable, nixpkgs, nixos-unstable, home-manager, ...}: { pkgs, unstable, nixpkgs, nixos-unstable, home-manager, ... }: rec {
rec {
user = import ./user.nix { inherit pkgs; }; user = import ./user.nix { inherit pkgs; };
host = import ./host.nix { inherit pkgs nixpkgs unstable nixos-unstable home-manager user; }; host = import ./host.nix {
inherit pkgs nixpkgs unstable nixos-unstable home-manager user;
};
} }


@ -1,23 +1,26 @@
{ pkgs, ...}: { pkgs, ... }:
{ {
mkUser = { name, roles ? [] }: mkUser = { name, roles ? [ ] }:
let let
mkRole = role: import (../roles/home + "/${role}.nix"); mkRole = role: import (../roles/home + "/${role}.nix");
roles_mod = (map (r: mkRole r) roles); roles_mod = (map (r: mkRole r) roles);
in { in {
users.groups.plugdev = { };
fileSystems."/home/${name}/Downloads" = { fileSystems."/home/${name}/Downloads" = {
device = "tmpfs"; device = "tmpfs";
fsType = "tmpfs"; fsType = "tmpfs";
options = ["size=3G"]; options = [ "size=3G" ];
}; };
users.users.${name} = { users.users.${name} = {
isNormalUser = true; isNormalUser = true;
shell = pkgs.zsh; shell = pkgs.zsh;
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" "plugdev" ];
}; };
home-manager.users.${name}.imports = [ ../roles/home/common.nix ] ++ roles_mod; home-manager.users.${name}.imports = [ ../roles/home/common.nix ]
++ roles_mod;
}; };
} }
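Review bot: The new side of this section is not formatting-only: it adds `users.groups.plugdev = { };` and changes `extraGroups` to `[ "wheel" "plugdev" ]`, so every account built by `mkUser` gains `plugdev` membership on top of `wheel`, on every host that uses this helper. What `plugdev` can reach depends on udev rules that are not visible here, so the effective access is unclear from this page, but a group-membership change is easier to audit in its own commit than inside one titled "formatting". Since `mkUser` already receives `roles`, consider granting the group only where it is needed, e.g. `extraGroups = [ "wheel" ] ++ pkgs.lib.optional (builtins.elem "desktop" roles) "plugdev";` (assuming "desktop" is the role that needs device access). A short comment above the group declaration naming the udev rule or package that relies on it would also help the next reader.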


@ -1,5 +1,4 @@
{ ... }: { ... }: {
{
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
security.acme.email = "sysadmin@giugl.io"; security.acme.email = "sysadmin@giugl.io";
} }


@ -22,13 +22,9 @@
}; };
}; };
nixpkgs = { nixpkgs = { config = { allowUnfree = true; }; };
config = {
allowUnfree = true;
};
};
fonts.fonts = with pkgs; [cascadia-code]; fonts.fonts = with pkgs; [ cascadia-code ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
file file


@ -15,7 +15,12 @@
programs.neovim = { programs.neovim = {
enable = true; enable = true;
extraPackages = with pkgs; [ nodePackages.prettier cmake-format clang-tools rustfmt ]; extraPackages = with pkgs; [
nodePackages.prettier
cmake-format
clang-tools
rustfmt
];
extraConfig = '' extraConfig = ''
" syntax " syntax
syntax enable syntax enable


@ -9,8 +9,7 @@ let
name = "guake"; name = "guake";
package = pkgs.guake; package = pkgs.guake;
}); });
in in {
{
imports = [ ./gnome.nix ]; imports = [ ./gnome.nix ];
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
@ -39,4 +38,4 @@ in
albert_autostart albert_autostart
guake_autostart guake_autostart
]; ];
} }


@ -43,7 +43,7 @@
screensaver = [ "<Primary><Alt>l" ]; screensaver = [ "<Primary><Alt>l" ];
# disable screenshot # disable screenshot
screenshot = []; screenshot = [ ];
}; };
"org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0" = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0" =


@ -144,9 +144,7 @@
identityFile = "~/.ssh/imacmanduria"; identityFile = "~/.ssh/imacmanduria";
}; };
"bitbucket.org" = { "bitbucket.org" = { identityFile = "~/.ssh/bitbucket"; };
identityFile = "~/.ssh/bitbucket";
};
"the.al" = { "the.al" = {
user = "git"; user = "git";