formatting

Giulio De Pasquale 2021-11-25 11:42:32 +00:00
parent 522e4b7bbc
commit 91ef8ff1e2
42 changed files with 852 additions and 877 deletions


@ -5,32 +5,51 @@
home-manager = { home-manager = {
url = "github:rycee/home-manager/release-21.05"; url = "github:rycee/home-manager/release-21.05";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = inputs @ { self, nixpkgs, nixos-unstable, home-manager }: let
system = "x86_64-linux";
pkgs = import nixpkgs {
inherit system;
config.allowUnfree = true;
overlays = [ (final: prev: { inherit unstable; }) ];
};
unstable = import nixos-unstable {
inherit system;
config.allowUnfree = true;
};
utils = import ./lib { inherit pkgs unstable nixpkgs nixos-unstable home-manager; };
inherit (utils) host;
inherit (utils) user;
in {
nixosConfigurations = {
architect = host.mkHost { name = "architect"; users = [ { user = "giulio"; roles = [ "git" ]; } ]; };
gAluminum = host.mkHost { name = "gAluminum"; users = [ { user = "giulio"; roles = [ "desktop" "ssh" "git" ]; } ]; roles = [ "gnome" ]; };
proxy = host.mkHost { name = "proxy"; users = []; };
}; };
}; };
outputs = inputs@{ self, nixpkgs, nixos-unstable, home-manager }:
let
system = "x86_64-linux";
pkgs = import nixpkgs {
inherit system;
config.allowUnfree = true;
overlays = [ (final: prev: { inherit unstable; }) ];
};
unstable = import nixos-unstable {
inherit system;
config.allowUnfree = true;
};
utils = import ./lib {
inherit pkgs unstable nixpkgs nixos-unstable home-manager;
};
inherit (utils) host;
inherit (utils) user;
in {
nixosConfigurations = {
architect = host.mkHost {
name = "architect";
users = [{
user = "giulio";
roles = [ "git" ];
}];
};
gAluminum = host.mkHost {
name = "gAluminum";
users = [{
user = "giulio";
roles = [ "desktop" "ssh" "git" ];
}];
roles = [ "gnome" ];
};
proxy = host.mkHost {
name = "proxy";
users = [ ];
};
};
};
} }


@ -1,4 +1,4 @@
{config, lib, ...} : { config, lib, ... }:
{ {
services.restic.backups = { services.restic.backups = {
@ -6,9 +6,9 @@
initialize = true; initialize = true;
passwordFile = "/secrets/restic/data.key"; passwordFile = "/secrets/restic/data.key";
s3CredentialsFile = "/secrets/restic/credentials.txt"; s3CredentialsFile = "/secrets/restic/credentials.txt";
repository = "b2:architect:/"; repository = "b2:architect:/";
paths = [ "/var/lib" "/secrets" ]; paths = [ "/var/lib" "/secrets" ];
pruneOpts = [ pruneOpts = [
"--keep-daily 45" "--keep-daily 45"
"--keep-weekly 12" "--keep-weekly 12"
"--keep-monthly 12" "--keep-monthly 12"


@ -1,5 +1,4 @@
with import ./network.nix; with import ./network.nix; {
{
services = { services = {
bazarr.enable = true; bazarr.enable = true;
@ -22,5 +21,5 @@ with import ./network.nix;
${architect-wg} ${bazarrdomain} ${architect-wg} ${bazarrdomain}
''; '';
users.groups.media.members = ["bazarr"]; users.groups.media.members = [ "bazarr" ];
} }


@ -3,8 +3,8 @@
{ {
services = { services = {
dnsmasq = { dnsmasq = {
enable = true; enable = true;
servers = ["127.0.0.1#5300"]; servers = [ "127.0.0.1#5300" ];
extraConfig = '' extraConfig = ''
localise-queries localise-queries
min-cache-ttl=120 min-cache-ttl=120
@ -13,26 +13,26 @@
}; };
adguardhome = { adguardhome = {
enable= true; enable = true;
port = 3031; port = 3031;
}; };
dnscrypt-proxy2 = { dnscrypt-proxy2 = {
enable = true; enable = true;
settings = { settings = {
listen_addresses = ["127.0.0.1:5353"]; listen_addresses = [ "127.0.0.1:5353" ];
ipv4_servers = true; ipv4_servers = true;
ipv6_servers = false; ipv6_servers = false;
block_ipv6 = true; block_ipv6 = true;
dnscrypt_servers = true; dnscrypt_servers = true;
doh_servers = true; doh_servers = true;
require_nolog = true; require_nolog = true;
require_nofilter = true; require_nofilter = true;
timeout = 350; timeout = 350;
lb_strategy = "p4"; lb_strategy = "p4";
lb_estimator = true; lb_estimator = true;
ignore_system_dns = true; ignore_system_dns = true;
fallback_resolvers = ["1.1.1.1:53" "9.9.9.9:53"]; fallback_resolvers = [ "1.1.1.1:53" "9.9.9.9:53" ];
cache_min_ttl = 450; cache_min_ttl = 450;
cache_max_ttl = 2400; cache_max_ttl = 2400;
}; };


@ -1,13 +1,12 @@
{ config, pkgs, ... }: { config, pkgs, ... }: {
{ services.fail2ban = {
services.fail2ban = {
enable = true; enable = true;
package = pkgs.fail2ban; package = pkgs.fail2ban;
packageFirewall = pkgs.nftables; packageFirewall = pkgs.nftables;
banaction = "nftables-multiport"; banaction = "nftables-multiport";
banaction-allports = "nftables-allport"; banaction-allports = "nftables-allport";
bantime-increment.enable = true; bantime-increment.enable = true;
# ignoreIP = [ "10.0.0.0/24" "10.3.0.0/24" ]; # ignoreIP = [ "10.0.0.0/24" "10.3.0.0/24" ];
daemonConfig = '' daemonConfig = ''
[Definition] [Definition]
loglevel = INFO loglevel = INFO


@ -1,19 +1,19 @@
{config, lib, ...} : { config, lib, ... }:
with import ./network.nix; with import ./network.nix;
let let
open_tcp_ports = lib.concatMapStringsSep "," (x: toString x) [ open_tcp_ports = lib.concatMapStringsSep "," (x: toString x) [
22 # ssh 22 # ssh
80 # http 80 # http
443 # https 443 # https
8448 # matrix 8448 # matrix
10022 # gitea 10022 # gitea
51413 # transmission 51413 # transmission
]; ];
open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [ open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
1194 # wireguard 1194 # wireguard
3478 # turn 3478 # turn
51413 # transmission 51413 # transmission
]; ];
in { in {
@ -25,156 +25,166 @@ in {
nftables = { nftables = {
enable = true; enable = true;
ruleset = '' ruleset = ''
table ip raw { table ip raw {
chain PREROUTING { chain PREROUTING {
type filter hook prerouting priority raw; policy accept; type filter hook prerouting priority raw; policy accept;
} }
chain OUTPUT { chain OUTPUT {
type filter hook output priority raw; policy accept; type filter hook output priority raw; policy accept;
} }
} }
table ip nat { table ip nat {
chain PREROUTING { chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept; type nat hook prerouting priority dstnat; policy accept;
} }
chain INPUT { chain INPUT {
type nat hook input priority 100; policy accept; type nat hook input priority 100; policy accept;
} }
chain OUTPUT { chain OUTPUT {
type nat hook output priority -100; policy accept; type nat hook output priority -100; policy accept;
} }
chain POSTROUTING { chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept; type nat hook postrouting priority srcnat; policy accept;
oifname ${wan-if} ip saddr {${lib.concatStringsSep "," towan-wg}} masquerade oifname ${wan-if} ip saddr {${
} lib.concatStringsSep "," towan-wg
} }} masquerade
}
}
table ip mangle { table ip mangle {
chain PREROUTING { chain PREROUTING {
type filter hook prerouting priority mangle; policy drop; type filter hook prerouting priority mangle; policy drop;
ct state invalid,untracked drop comment "drop invalid" ct state invalid,untracked drop comment "drop invalid"
ip daddr 255.255.255.255 accept comment "allow broadcast traffic" ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}" iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}"
iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}" iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}"
iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}" iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}" iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}"
iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}" iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
iifname "lo" accept comment "bind any ip to intf lo" iifname "lo" accept comment "bind any ip to intf lo"
jump mangle_drop jump mangle_drop
} }
chain INPUT { chain INPUT {
type filter hook input priority mangle; policy accept; type filter hook input priority mangle; policy accept;
} }
chain FORWARD { chain FORWARD {
type filter hook forward priority mangle; policy accept; type filter hook forward priority mangle; policy accept;
} }
chain OUTPUT { chain OUTPUT {
type route hook output priority mangle; policy accept; type route hook output priority mangle; policy accept;
} }
chain POSTROUTING { chain POSTROUTING {
type filter hook postrouting priority mangle; policy accept; type filter hook postrouting priority mangle; policy accept;
} }
chain mangle_drop { chain mangle_drop {
ip protocol icmp jump mangle_drop_icmp ip protocol icmp jump mangle_drop_icmp
ip protocol udp jump mangle_drop_udp ip protocol udp jump mangle_drop_udp
ip protocol tcp jump mangle_drop_tcp ip protocol tcp jump mangle_drop_tcp
log prefix "MANGLE-DROP-UNK " log prefix "MANGLE-DROP-UNK "
drop drop
} }
chain mangle_drop_icmp { chain mangle_drop_icmp {
log prefix "MANGLE-DROP-ICMP " log prefix "MANGLE-DROP-ICMP "
drop drop
} }
chain mangle_drop_tcp { chain mangle_drop_tcp {
log prefix "MANGLE-DROP-TCP " log prefix "MANGLE-DROP-TCP "
drop drop
} }
chain mangle_drop_udp { chain mangle_drop_udp {
log prefix "MANGLE-DROP-UDP " log prefix "MANGLE-DROP-UDP "
drop drop
} }
} }
table ip filter { table ip filter {
chain INPUT { chain INPUT {
type filter hook input priority filter; policy drop; type filter hook input priority filter; policy drop;
ct state established,related accept ct state established,related accept
iifname "lo" accept comment "loopback" iifname "lo" accept comment "loopback"
ip daddr 255.255.255.255 accept comment "allow broadcast traffic" ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
ip saddr ${lan-net} accept comment "lan > local" ip saddr ${lan-net} accept comment "lan > local"
ip saddr ${proxy-wg} accept comment "proxy > local" ip saddr ${proxy-wg} accept comment "proxy > local"
iifname ${wan-if} tcp dport {${open_tcp_ports}} accept iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
iifname ${wan-if} udp dport {${open_udp_ports}} accept iifname ${wan-if} udp dport {${open_udp_ports}} accept
iifname ${vpn-if} accept comment "vpn > local" iifname ${vpn-if} accept comment "vpn > local"
jump filter_drop jump filter_drop
} }
chain FORWARD { chain FORWARD {
type filter hook forward priority filter; policy drop; type filter hook forward priority filter; policy drop;
ct state established,related accept ct state established,related accept
# client to client # client to client
ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${lib.concatStringsSep "," c2c-wg}} accept ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${
lib.concatStringsSep "," c2c-wg
# gdevices talking to everyone in VPN }} accept
ip saddr {${lib.concatStringsSep "," gdevices-wg}} ip daddr ${vpn-net} accept
ip saddr {${lib.concatStringsSep "," gamenet-wg}} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept # gdevices talking to everyone in VPN
ip saddr {${
# nat to wan lib.concatStringsSep "," gdevices-wg
oifname ${wan-if} ip saddr {${lib.concatStringsSep "," towan-wg}} accept }} ip daddr ${vpn-net} accept
ip saddr {${
jump filter_drop lib.concatStringsSep "," gamenet-wg
} }} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept
# nat to wan
oifname ${wan-if} ip saddr {${
lib.concatStringsSep "," towan-wg
}} accept
jump filter_drop
}
chain OUTPUT { chain OUTPUT {
type filter hook output priority filter; policy drop; type filter hook output priority filter; policy drop;
ct state established,related accept ct state established,related accept
accept comment "local > *" accept comment "local > *"
jump filter_drop jump filter_drop
} }
chain filter_drop { chain filter_drop {
ip protocol icmp jump filter_drop_icmp ip protocol icmp jump filter_drop_icmp
ip protocol udp jump filter_drop_udp ip protocol udp jump filter_drop_udp
ip protocol tcp jump filter_drop_tcp ip protocol tcp jump filter_drop_tcp
log prefix "DROP-UNK " log prefix "DROP-UNK "
drop drop
} }
chain filter_drop_icmp { chain filter_drop_icmp {
log prefix "DROP-icmp " log prefix "DROP-icmp "
drop drop
} }
chain filter_drop_tcp { chain filter_drop_tcp {
log prefix "DROP-tcp " log prefix "DROP-tcp "
drop drop
} }
chain filter_drop_udp { chain filter_drop_udp {
log prefix "DROP-udp " log prefix "DROP-udp "
drop drop
} }
} }
''; '';
}; };
}; };
} }


@ -1,13 +1,12 @@
with import ./network.nix; with import ./network.nix; {
{
services.gitea = { services.gitea = {
enable = true; enable = true;
database.type = "sqlite3"; database.type = "sqlite3";
domain = "git.giugl.io"; domain = "git.giugl.io";
appName = "Gitea"; appName = "Gitea";
rootUrl = "https://git.giugl.io"; rootUrl = "https://git.giugl.io";
ssh.clonePort = 10022; ssh.clonePort = 10022;
log.level = "Info"; log.level = "Info";
settings.server.START_SSH_SERVER = true; settings.server.START_SSH_SERVER = true;
}; };
@ -17,12 +16,12 @@ with import ./network.nix;
locations."/" = { locations."/" = {
proxyPass = "http://localhost:3000"; proxyPass = "http://localhost:3000";
extraConfig = '' extraConfig = ''
allow 127.0.0.1; allow 127.0.0.1;
allow 10.0.0.0/24; allow 10.0.0.0/24;
allow 10.3.0.0/24; allow 10.3.0.0/24;
allow 10.4.0.0/24; allow 10.4.0.0/24;
deny all; deny all;
''; '';
}; };
}; };


@ -7,7 +7,7 @@
tokenFile = "/secrets/github-runner/token"; tokenFile = "/secrets/github-runner/token";
replace = true; replace = true;
}; };
nix.extraOptions = '' nix.extraOptions = ''
tarball-ttl = 0 tarball-ttl = 0
access-tokens = github.com=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 access-tokens = github.com=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
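Review bot: The `access-tokens = github.com=ghp_…` line inside `nix.extraOptions` commits a live GitHub personal access token to the repository, even though the runner itself already takes its credential from `tokenFile = "/secrets/github-runner/token"` a few lines above. As far as I know `nix.extraOptions` is rendered into the generated nix.conf in the world-readable Nix store, so the token is also exposed to every local user on the host, not only to readers of this repo. The token should be rotated and referenced from a root-only file instead, for example via nix.conf's `!include /secrets/github-runner/nix-access-tokens.conf` (path is a placeholder) placed in `nix.extraOptions` in place of the literal value. The enclosing attribute set starts and ends outside this hunk.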


@ -4,46 +4,47 @@
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports = imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; boot.initrd.availableKernelModules =
boot.initrd.kernelModules = [ ]; [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.kernelModules = [ "kvm-amd" ]; boot.initrd.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" = {
{ device = "zpool/nixos/root"; device = "zpool/nixos/root";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/home" = fileSystems."/home" = {
{ device = "zpool/data/home"; device = "zpool/data/home";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/media" = fileSystems."/media" = {
{ device = "datapool/media"; device = "datapool/media";
fsType = "zfs";
};
fileSystems."/secrets" =
{ device = "backedpool/secrets";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/var/lib" = fileSystems."/secrets" = {
{ device = "backedpool/services"; device = "backedpool/secrets";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/boot" = fileSystems."/var/lib" = {
{ device = "/dev/disk/by-uuid/AF19-5616"; device = "backedpool/services";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/AF19-5616";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = [{
swapDevices = [ { device = "/dev/zpool/data/swap"; size = 40000; } ]; device = "/dev/zpool/data/swap";
size = 40000;
}];
} }


@ -1,16 +1,13 @@
{ pkgs, ... }: { pkgs, ... }:
with import ./network.nix; with import ./network.nix; {
{ disabledModules = [ "services/misc/jellyfin.nix" ];
disabledModules = ["services/misc/jellyfin.nix"]; imports = [ ./modules/jellyfin.nix ];
imports = [
./modules/jellyfin.nix
];
services = { services = {
jellyfin = { jellyfin = {
enable = true; enable = true;
package = pkgs.unstable.jellyfin; package = pkgs.unstable.jellyfin;
}; };
nginx.virtualHosts.${mediadomain} = { nginx.virtualHosts.${mediadomain} = {
@ -32,7 +29,7 @@ with import ./network.nix;
${architect-wg} ${mediadomain} ${architect-wg} ${mediadomain}
''; '';
users.groups.media.members = ["jellyfin"]; users.groups.media.members = [ "jellyfin" ];
users.groups.video.members = ["jellyfin"]; users.groups.video.members = [ "jellyfin" ];
users.groups.render.members = ["jellyfin"]; users.groups.render.members = [ "jellyfin" ];
} }


@ -1,7 +1,6 @@
{ pkgs, config, tmp, ... }: { pkgs, config, tmp, ... }:
with import ./network.nix; with import ./network.nix; {
{
services = { services = {
matrix-synapse = { matrix-synapse = {
enable = true; enable = true;
@ -10,10 +9,10 @@ with import ./network.nix;
public_baseurl = "https://${matrixdomain}"; public_baseurl = "https://${matrixdomain}";
registration_shared_secret = "runas!"; registration_shared_secret = "runas!";
dynamic_thumbnails = true; dynamic_thumbnails = true;
# enable_registration = true; # enable_registration = true;
app_service_config_files = [ app_service_config_files = [
"/var/lib/matrix-synapse/discord-registration.yaml" "/var/lib/matrix-synapse/discord-registration.yaml"
"/var/lib/matrix-synapse/telegram-registration.yaml" "/var/lib/matrix-synapse/telegram-registration.yaml"
]; ];
extraConfig = '' extraConfig = ''
auto_join_rooms: auto_join_rooms:
@ -22,40 +21,32 @@ with import ./network.nix;
- "#gaming:matrix.giugl.io" - "#gaming:matrix.giugl.io"
- "#movies:matrix.giugl.io" - "#movies:matrix.giugl.io"
''; '';
listeners = [ listeners = [{
{ port = 8008;
port = 8008; bind_address = "::1";
bind_address = "::1"; type = "http";
type = "http"; tls = false;
tls = false; x_forwarded = true;
x_forwarded = true; resources = [{
resources = [ names = [ "client" "federation" ];
{ compress = false;
names = [ "client" "federation" ]; }];
compress = false; }];
} turn_uris = [
]; "turns:turn.giugl.io:5349?transport=udp"
} "turns:turn.giugl.io:5349?transport=tcp"
]; ];
turn_uris = [ turn_shared_secret = "69duck duck fuck420";
"turns:turn.giugl.io:5349?transport=udp" turn_user_lifetime = "1h";
"turns:turn.giugl.io:5349?transport=tcp"
];
turn_shared_secret = "69duck duck fuck420";
turn_user_lifetime = "1h";
}; };
postgresql = { postgresql = {
enable = true; enable = true;
ensureDatabases = [ "synapse" ]; ensureDatabases = [ "synapse" ];
ensureUsers = [ ensureUsers = [{
{ name = "matrix-synapse";
name = "matrix-synapse"; ensurePermissions = { "DATABASE synapse" = "ALL PRIVILEGES"; };
ensurePermissions = { }];
"DATABASE synapse" = "ALL PRIVILEGES";
};
}
];
}; };
nginx.virtualHosts = { nginx.virtualHosts = {
@ -64,30 +55,27 @@ with import ./network.nix;
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."= /.well-known/matrix/server".extraConfig = locations."= /.well-known/matrix/server".extraConfig =
let let server = { "m.server" = "${matrixdomain}:443"; };
server = { "m.server" = "${matrixdomain}:443"; };
in '' in ''
add_header Content-Type application/json; add_header Content-Type application/json;
return 200 '${builtins.toJSON server}'; return 200 '${builtins.toJSON server}';
''; '';
locations."= /.well-known/matrix/client".extraConfig = locations."= /.well-known/matrix/client".extraConfig = let
let client = {
client = { "m.homeserver" = { "base_url" = "https://${matrixdomain}:443"; };
"m.homeserver" = { "base_url" = "https://${matrixdomain}:443"; }; "m.identity_server" = { "base_url" = "https://vector.im"; };
"m.identity_server" = { "base_url" = "https://vector.im"; }; };
}; # ACAO required to allow element-web on any URL to request this json file
# ACAO required to allow element-web on any URL to request this json file in ''
in '' add_header Content-Type application/json;
add_header Content-Type application/json; add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Origin *; return 200 '${builtins.toJSON client}';
return 200 '${builtins.toJSON client}'; '';
'';
locations."/".extraConfig = ''
locations."/".extraConfig = '' return 404;
return 404; '';
'';
# forward all Matrix API calls to the synapse Matrix homeserver # forward all Matrix API calls to the synapse Matrix homeserver
locations."/_matrix" = { locations."/_matrix" = {
@ -121,7 +109,7 @@ with import ./network.nix;
settings = { settings = {
bridge = { bridge = {
domain = matrixdomain; domain = matrixdomain;
homeserverUrl = "https://${matrixdomain}"; homeserverUrl = "https://${matrixdomain}";
disablePresence = true; disablePresence = true;
}; };
}; };
@ -150,40 +138,40 @@ with import ./network.nix;
"${matrixdomain}" = "puppeting"; "${matrixdomain}" = "puppeting";
}; };
# Animated stickers conversion requires additional packages in the # Animated stickers conversion requires additional packages in the
# service's path. # service's path.
# If this isn't a fresh installation, clearing the bridge's uploaded # If this isn't a fresh installation, clearing the bridge's uploaded
# file cache might be necessary (make a database backup first!): # file cache might be necessary (make a database backup first!):
# delete from telegram_file where \ # delete from telegram_file where \
# mime_type in ('application/gzip', 'application/octet-stream') # mime_type in ('application/gzip', 'application/octet-stream')
animated_sticker = { animated_sticker = {
target = "gif"; target = "gif";
args = { args = {
width = 256; width = 256;
height = 256; height = 256;
fps = 30; # only for webm fps = 30; # only for webm
background = "020202"; # only for gif, transparency not supported background = "020202"; # only for gif, transparency not supported
};
};
encryption = {
allow = true;
default = true;
}; };
}; };
encryption = {
allow = true;
default = true;
};
}; };
}; };
}; };
}; systemd.services.mautrix-telegram.path = with pkgs; [
lottieconverter # for animated stickers conversion, unfree package
ffmpeg # if converting animated stickers to webm (very slow!)
];
systemd.services.mautrix-telegram.path = with pkgs; [ networking.extraHosts = ''
lottieconverter # for animated stickers conversion, unfree package ${architect-lan} ${matrixdomain} ${matrixwebdomain}
ffmpeg # if converting animated stickers to webm (very slow!) ${architect-wg} ${matrixdomain} ${matrixwebdomain}
]; '';
networking.extraHosts = ''
${architect-lan} ${matrixdomain} ${matrixwebdomain}
${architect-wg} ${matrixdomain} ${matrixwebdomain}
'';
} }
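Review bot: `registration_shared_secret = "runas!";` in the `@ -10,10` hunk and `turn_shared_secret = "69duck duck fuck420";` in the `@ -22,40` hunk are literal secrets in the evaluated module, so they end up both in git history and, as far as I can tell, in the homeserver.yaml the module writes to the world-readable Nix store. Every other service on this page reads credentials from a file under `/secrets/` (`passwordFile`, `dbpassFile`, `adminpassFile`), and the synapse module offers the same pattern through `extraConfigFiles`, which can point at a root-only YAML holding these two keys (confirm the option exists in the pinned 21.05 release). Both values should be rotated once moved, since they are already in the repository history. The `services.matrix-synapse` block these hunks belong to is only partially visible here.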


@ -1,18 +1,15 @@
{config, pkgs, ...}: { config, pkgs, ... }:
with import ./network.nix; with import ./network.nix; {
{
services.minecraft-server = { services.minecraft-server = {
enable = true; enable = true;
eula = true; eula = true;
declarative = true; declarative = true;
serverProperties = { serverProperties = { motd = "Welcome on the RuNas server!"; };
motd = "Welcome on the RuNas server!";
};
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architect-lan} minecraft.giugl.io ${architect-lan} minecraft.giugl.io
${architect-wg} minecraft.giugl.io ${architect-wg} minecraft.giugl.io
''; '';
} }


@ -1,5 +1,4 @@
with import ./network.nix; with import ./network.nix; {
{
services = { services = {
minio.enable = true; minio.enable = true;


@ -2,10 +2,8 @@
with lib; with lib;
let let cfg = config.services.jellyfin;
cfg = config.services.jellyfin; in {
in
{
options = { options = {
services.jellyfin = { services.jellyfin = {
enable = mkEnableOption "Jellyfin Media Server"; enable = mkEnableOption "Jellyfin Media Server";
@ -56,7 +54,8 @@ in
SupplementaryGroups = [ "video" ]; SupplementaryGroups = [ "video" ];
StateDirectory = "jellyfin"; StateDirectory = "jellyfin";
CacheDirectory = "jellyfin"; CacheDirectory = "jellyfin";
ExecStart = "${cfg.package}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'"; ExecStart =
"${cfg.package}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'";
Restart = "on-failure"; Restart = "on-failure";
# Security options: # Security options:
@ -67,40 +66,40 @@ in
CapabilityBoundingSet = ""; CapabilityBoundingSet = "";
# ProtectClock= adds DeviceAllow=char-rtc r # ProtectClock= adds DeviceAllow=char-rtc r
# DeviceAllow = [ # DeviceAllow = [
# "char-drm r" # "char-drm r"
# "/dev/nvidia0 r" # "/dev/nvidia0 r"
# "/dev/nvidiactl r" # "/dev/nvidiactl r"
# "/dev/nvidia-uvm r" # "/dev/nvidia-uvm r"
# "/dev/nvidia-uvm-tools r" # "/dev/nvidia-uvm-tools r"
# ]; # ];
# LockPersonality = true; # LockPersonality = true;
# #
PrivateTmp = true; PrivateTmp = true;
# PrivateUsers = true; # PrivateUsers = true;
# #
# ProtectClock = true; # ProtectClock = true;
# ProtectControlGroups = true; # ProtectControlGroups = true;
# ProtectHostname = true; # ProtectHostname = true;
# ProtectKernelLogs = true; # ProtectKernelLogs = true;
# ProtectKernelModules = true; # ProtectKernelModules = true;
# ProtectKernelTunables = true; # ProtectKernelTunables = true;
# #
# RemoveIPC = true; # RemoveIPC = true;
# #
# RestrictNamespaces = true; # RestrictNamespaces = true;
# # AF_NETLINK needed because Jellyfin monitors the network connection # # AF_NETLINK needed because Jellyfin monitors the network connection
# RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" ]; # RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" ];
# RestrictRealtime = true; # RestrictRealtime = true;
# RestrictSUIDSGID = true; # RestrictSUIDSGID = true;
# #
# SystemCallArchitectures = "native"; # SystemCallArchitectures = "native";
# SystemCallErrorNumber = "EPERM"; # SystemCallErrorNumber = "EPERM";
# SystemCallFilter = [ # SystemCallFilter = [
# "@system-service" # "@system-service"
# "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid" # "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid"
# ]; # ];
}; };
}; };
@ -111,9 +110,7 @@ in
}; };
}; };
users.groups = mkIf (cfg.group == "jellyfin") { users.groups = mkIf (cfg.group == "jellyfin") { jellyfin = { }; };
jellyfin = {};
};
networking.firewall = mkIf cfg.openFirewall { networking.firewall = mkIf cfg.openFirewall {
# from https://jellyfin.org/docs/general/networking/index.html # from https://jellyfin.org/docs/general/networking/index.html


@ -1,61 +1,72 @@
rec { rec {
# interfaces # interfaces
wan-if = "enp5s0"; wan-if = "enp5s0";
vpn-if = "wg0"; vpn-if = "wg0";
proxy-if = "proxy"; proxy-if = "proxy";
# nets # nets
lan-net = "10.0.0.0/24"; lan-net = "10.0.0.0/24";
vpn-net = "10.3.0.0/24"; vpn-net = "10.3.0.0/24";
proxy-net = "10.4.0.0/24"; proxy-net = "10.4.0.0/24";
external_lan-net = "192.168.1.0/24"; external_lan-net = "192.168.1.0/24";
# ips # ips
dvr-lan = "10.0.0.2"; dvr-lan = "10.0.0.2";
nas-lan = "10.0.0.3"; nas-lan = "10.0.0.3";
architect-lan = "10.0.0.250"; architect-lan = "10.0.0.250";
giupi-lan = "10.0.0.251"; giupi-lan = "10.0.0.251";
proxy-wg = "10.4.0.1"; proxy-wg = "10.4.0.1";
architect-wg = "10.3.0.1"; architect-wg = "10.3.0.1";
galuminum-wg = "10.3.0.2"; galuminum-wg = "10.3.0.2";
oneplus-wg = "10.3.0.3"; oneplus-wg = "10.3.0.3";
ipad-wg = "10.3.0.4"; ipad-wg = "10.3.0.4";
manduria-wg = "10.3.0.5"; manduria-wg = "10.3.0.5";
antonio-wg = "10.3.0.6"; antonio-wg = "10.3.0.6";
gbeast-wg = "10.3.0.7"; gbeast-wg = "10.3.0.7";
parisaphone-wg = "10.3.0.8"; parisaphone-wg = "10.3.0.8";
parisapc-wg = "10.3.0.9"; parisapc-wg = "10.3.0.9";
peppiniell-wg = "10.3.0.10"; peppiniell-wg = "10.3.0.10";
padulino-wg = "10.3.0.11"; padulino-wg = "10.3.0.11";
shield-wg = "10.3.0.12"; shield-wg = "10.3.0.12";
pepos-wg = "10.3.0.15"; pepos-wg = "10.3.0.15";
salvatore-wg = "10.3.0.16"; salvatore-wg = "10.3.0.16";
papa-wg = "10.3.0.17"; papa-wg = "10.3.0.17";
defy-wg = "10.3.0.18"; defy-wg = "10.3.0.18";
germano-wg = "10.3.0.19"; germano-wg = "10.3.0.19";
flavio-wg = "10.3.0.20"; flavio-wg = "10.3.0.20";
tommy-wg = "10.3.0.21"; tommy-wg = "10.3.0.21";
alain-wg = "10.3.0.22"; alain-wg = "10.3.0.22";
dima-wg = "10.3.0.23"; dima-wg = "10.3.0.23";
mikey-wg = "10.3.0.24"; mikey-wg = "10.3.0.24";
andrew-wg = "10.3.0.25"; andrew-wg = "10.3.0.25";
mikeylaptop-wg = "10.3.0.26"; mikeylaptop-wg = "10.3.0.26";
andrewdesktop-wg = "10.3.0.27"; andrewdesktop-wg = "10.3.0.27";
jacopo-wg = "10.3.0.28"; jacopo-wg = "10.3.0.28";
frznn-wg = "10.3.0.29"; frznn-wg = "10.3.0.29";
eleonora-wg = "10.3.0.100"; eleonora-wg = "10.3.0.100";
angellane-wg = "10.3.0.200"; angellane-wg = "10.3.0.200";
hotpottino-wg = "10.3.0.201"; hotpottino-wg = "10.3.0.201";
dodino-wg = "10.3.0.202"; dodino-wg = "10.3.0.202";
wolfsonhouse-wg = "10.3.0.203"; wolfsonhouse-wg = "10.3.0.203";
# groups # groups
gdevices-wg = [ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg ]; gdevices-wg =
routers-wg = [ hotpottino-wg angellane-wg dodino-wg wolfsonhouse-wg ]; [ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg ];
c2c-wg = [ ] ++ gdevices-wg; routers-wg = [ hotpottino-wg angellane-wg dodino-wg wolfsonhouse-wg ];
towan-wg = [ shield-wg parisaphone-wg parisapc-wg ] ++ gdevices-wg ++ routers-wg; c2c-wg = [ ] ++ gdevices-wg;
gamenet-wg = [ andrew-wg galuminum-wg gbeast-wg mikey-wg andrewdesktop-wg mikeylaptop-wg flavio-wg salvatore-wg ]; towan-wg = [ shield-wg parisaphone-wg parisapc-wg ] ++ gdevices-wg
++ routers-wg;
gamenet-wg = [
andrew-wg
galuminum-wg
gbeast-wg
mikey-wg
andrewdesktop-wg
mikeylaptop-wg
flavio-wg
salvatore-wg
];
# domains # domains
sonarrdomain = "htson.giugl.io"; sonarrdomain = "htson.giugl.io";


@ -1,11 +1,10 @@
{pkgs, ...}: { pkgs, ... }:
with import ./network.nix; with import ./network.nix; {
{
services = { services = {
mysql.enable = true; mysql.enable = true;
mysql.package = pkgs.unstable.mysql80; mysql.package = pkgs.unstable.mysql80;
redis.enable = true; redis.enable = true;
nextcloud = { nextcloud = {
@ -29,14 +28,14 @@ with import ./network.nix;
dbpassFile = "/secrets/nextcloud/dbpass.txt"; dbpassFile = "/secrets/nextcloud/dbpass.txt";
adminpassFile = "/secrets/nextcloud/adminpass.txt"; adminpassFile = "/secrets/nextcloud/adminpass.txt";
adminuser = "giulio"; adminuser = "giulio";
extraTrustedDomains = ["${nextclouddomain}"]; extraTrustedDomains = [ "${nextclouddomain}" ];
}; };
}; };
}; };
systemd.services."nextcloud-setup" = { systemd.services."nextcloud-setup" = {
requires = ["mysql.service"]; requires = [ "mysql.service" ];
after = ["mysql.service"]; after = [ "mysql.service" ];
}; };
networking.extraHosts = '' networking.extraHosts = ''
@ -45,7 +44,7 @@ with import ./network.nix;
''; '';
services.nginx.virtualHosts.${clouddomain} = { services.nginx.virtualHosts.${clouddomain} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
}; };
} }


@ -1,35 +1,35 @@
{services, ...}: { services, ... }:
{ {
services.nginx = { services.nginx = {
enable = true; enable = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
# virtualHosts."giugl.io" = { # virtualHosts."giugl.io" = {
# default = true; # default = true;
# enableACME = true; # enableACME = true;
# addSSL = true; # addSSL = true;
# root = "/var/lib/nginx/error_pages"; # root = "/var/lib/nginx/error_pages";
# extraConfig = "error_page 404 /index.htm;"; # extraConfig = "error_page 404 /index.htm;";
# #
# locations = { # locations = {
# "/" = { # "/" = {
# return = "404"; # return = "404";
# }; # };
# #
# "/index.htm" = { # "/index.htm" = {
# }; # };
# #
# "/style.css" = { # "/style.css" = {
# }; # };
# #
# "/wat.jpg" = { # "/wat.jpg" = {
# }; # };
# }; # };
# }; # };
}; };
users.groups.acme.members = [ "nginx" ]; users.groups.acme.members = [ "nginx" ];


@ -1,5 +1,4 @@
with import ./network.nix; with import ./network.nix; {
{
services = { services = {
nzbget.enable = true; nzbget.enable = true;
@ -22,5 +21,5 @@ with import ./network.nix;
${architect-wg} ${nzbgetdomain} ${architect-wg} ${nzbgetdomain}
''; '';
users.groups.media.members = ["nzbget"]; users.groups.media.members = [ "nzbget" ];
} }


@ -1,4 +1,4 @@
{...}: { ... }:
{ {
virtualisation.oci-containers.containers."overseerr" = { virtualisation.oci-containers.containers."overseerr" = {


@ -1,7 +1,6 @@
{ pkgs, ...}: { pkgs, ... }:
with import ./network.nix; with import ./network.nix; {
{
services.plex = { services.plex = {
enable = true; enable = true;
package = pkgs.unstable.plex; package = pkgs.unstable.plex;
@ -16,68 +15,66 @@ with import ./network.nix;
enableACME = true; enableACME = true;
http2 = true; http2 = true;
extraConfig = '' extraConfig = ''
allow 10.3.0.0/24; allow 10.3.0.0/24;
allow 10.0.0.0/24; allow 10.0.0.0/24;
deny all; deny all;
#Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
send_timeout 100m; send_timeout 100m;
# Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/ # Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
#Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384. #Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
# Forward real ip and host to Plex # Forward real ip and host to Plex
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $server_addr; proxy_set_header Host $server_addr;
proxy_set_header Referer $server_addr; proxy_set_header Referer $server_addr;
proxy_set_header Origin $server_addr; proxy_set_header Origin $server_addr;
# Plex has A LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices turn it off. # Plex has A LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices turn it off.
gzip on; gzip on;
gzip_vary on; gzip_vary on;
gzip_min_length 1000; gzip_min_length 1000;
gzip_proxied any; gzip_proxied any;
gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml; gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
gzip_disable "MSIE [1-6]\."; gzip_disable "MSIE [1-6]\.";
# Nginx default client_max_body_size is 1MB, which breaks Camera Upload feature from the phones. # Nginx default client_max_body_size is 1MB, which breaks Camera Upload feature from the phones.
# Increasing the limit fixes the issue. Anyhow, if 4K videos are expected to be uploaded, the size might need to be increased even more # Increasing the limit fixes the issue. Anyhow, if 4K videos are expected to be uploaded, the size might need to be increased even more
client_max_body_size 100M; client_max_body_size 100M;
# Plex headers # Plex headers
proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier; proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
proxy_set_header X-Plex-Device $http_x_plex_device; proxy_set_header X-Plex-Device $http_x_plex_device;
proxy_set_header X-Plex-Device-Name $http_x_plex_device_name; proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
proxy_set_header X-Plex-Platform $http_x_plex_platform; proxy_set_header X-Plex-Platform $http_x_plex_platform;
proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version; proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
proxy_set_header X-Plex-Product $http_x_plex_product; proxy_set_header X-Plex-Product $http_x_plex_product;
proxy_set_header X-Plex-Token $http_x_plex_token; proxy_set_header X-Plex-Token $http_x_plex_token;
proxy_set_header X-Plex-Version $http_x_plex_version; proxy_set_header X-Plex-Version $http_x_plex_version;
proxy_set_header X-Plex-Nocache $http_x_plex_nocache; proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
proxy_set_header X-Plex-Provides $http_x_plex_provides; proxy_set_header X-Plex-Provides $http_x_plex_provides;
proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor; proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
proxy_set_header X-Plex-Model $http_x_plex_model; proxy_set_header X-Plex-Model $http_x_plex_model;
# Websockets # Websockets
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
# Buffering off send to the client as soon as the data is received from Plex. # Buffering off send to the client as soon as the data is received from Plex.
proxy_redirect off; proxy_redirect off;
proxy_buffering off; proxy_buffering off;
''; '';
locations."/" = { locations."/" = { proxyPass = "http://localhost:32400"; };
proxyPass = "http://localhost:32400";
};
}; };
}; };
@ -86,6 +83,6 @@ with import ./network.nix;
${architect-wg} ${mediadomain} ${architect-wg} ${mediadomain}
''; '';
users.groups.media.members = ["plex"]; users.groups.media.members = [ "plex" ];
} }


@ -1,7 +1,6 @@
{ pkgs, ...}: { pkgs, ... }:
with import ./network.nix; with import ./network.nix; {
{
services = { services = {
prowlarr.enable = true; prowlarr.enable = true;
@ -17,13 +16,13 @@ with import ./network.nix;
''; '';
}; };
# locations."/api" = { # locations."/api" = {
# proxyPass = "http://127.0.0.1:9696/prowlarr/api"; # proxyPass = "http://127.0.0.1:9696/prowlarr/api";
# }; # };
# #
# locations."/Content" = { # locations."/Content" = {
# proxyPass = "http://127.0.0.1:9696/prowlarr/Content"; # proxyPass = "http://127.0.0.1:9696/prowlarr/Content";
# }; # };
}; };
}; };
@ -32,5 +31,5 @@ with import ./network.nix;
${architect-wg} ${prowlarrdomain} ${architect-wg} ${prowlarrdomain}
''; '';
users.groups.media.members = ["prowlarr"]; users.groups.media.members = [ "prowlarr" ];
} }


@ -1,5 +1,4 @@
with import ./network.nix; with import ./network.nix; {
{
services = { services = {
radarr.enable = true; radarr.enable = true;
@ -22,5 +21,5 @@ with import ./network.nix;
${architect-wg} ${radarrdomain} ${architect-wg} ${radarrdomain}
''; '';
users.groups.media.members = ["radarr"]; users.groups.media.members = [ "radarr" ];
} }


@ -1,5 +1,4 @@
with import ./network.nix; with import ./network.nix; {
{
services = { services = {
sonarr.enable = true; sonarr.enable = true;
@ -22,5 +21,5 @@ with import ./network.nix;
${architect-wg} ${sonarrdomain} ${architect-wg} ${sonarrdomain}
''; '';
users.groups.media.members = ["sonarr"]; users.groups.media.members = [ "sonarr" ];
} }


@ -1,7 +1,6 @@
with import ./network.nix; with import ./network.nix;
let let domain = "httra.giugl.io";
domain = "httra.giugl.io";
in { in {
services = { services = {
transmission = { transmission = {
@ -37,5 +36,5 @@ in {
${architect-wg} ${domain} ${architect-wg} ${domain}
''; '';
users.groups.media.members = ["transmission"]; users.groups.media.members = [ "transmission" ];
} }


@ -1,5 +1,4 @@
with import ./network.nix; with import ./network.nix; {
{
networking = { networking = {
extraHosts = '' extraHosts = ''
${architect-wg} architect.devs.giugl.io ${architect-wg} architect.devs.giugl.io
@ -35,222 +34,209 @@ with import ./network.nix;
wireguard = { wireguard = {
interfaces.${proxy-if} = { interfaces.${proxy-if} = {
ips = ["10.4.0.2/32"]; ips = [ "10.4.0.2/32" ];
privateKeyFile = "/secrets/wireguard/proxy.key"; privateKeyFile = "/secrets/wireguard/proxy.key";
peers = [ peers = [{
{ publicKey = "WmJBpXpYebcmJEF8nVTKMqQK01KyBe42vzc38K66rVs=";
publicKey = "WmJBpXpYebcmJEF8nVTKMqQK01KyBe42vzc38K66rVs="; allowedIPs = [ "10.4.0.1/32" ];
allowedIPs = ["10.4.0.1/32"]; endpoint = "giugl.io:1195";
endpoint = "giugl.io:1195"; persistentKeepalive = 21;
persistentKeepalive = 21; }];
}
];
}; };
interfaces.${vpn-if} = { interfaces.${vpn-if} = {
listenPort = 1194; listenPort = 1194;
ips = ["10.3.0.1/24"]; ips = [ "10.3.0.1/24" ];
privateKeyFile = "/secrets/wireguard/server.key"; privateKeyFile = "/secrets/wireguard/server.key";
peers = [ peers = [
{ {
# gAluminum # gAluminum
allowedIPs = [galuminum-wg]; allowedIPs = [ galuminum-wg ];
publicKey = "pEEgSs7xmO0cfyvoQlU8lfwqdYM1ISgmPAunPtF+0xw="; publicKey = "pEEgSs7xmO0cfyvoQlU8lfwqdYM1ISgmPAunPtF+0xw=";
} }
{ {
# OnePlus # OnePlus
allowedIPs = [oneplus-wg]; allowedIPs = [ oneplus-wg ];
publicKey = "zynSERy6VhxN5zBf1ih3BOAHxvigDixHB9YKnSBgYFs="; publicKey = "zynSERy6VhxN5zBf1ih3BOAHxvigDixHB9YKnSBgYFs=";
} }
{ {
# iPad # iPad
allowedIPs = [ipad-wg]; allowedIPs = [ ipad-wg ];
publicKey = "DPpd+P/hV1XLuvdcrCRv1sgz8BeZt1y5D6VehNuhjSQ="; publicKey = "DPpd+P/hV1XLuvdcrCRv1sgz8BeZt1y5D6VehNuhjSQ=";
} }
{
# Manduria
allowedIPs = [ manduria-wg ];
publicKey = "wT38oXvDQ8g0hI+pAXQobOWf/Wott2zhwo8TLvXK400=";
}
{ {
# Manduria # Antonio
allowedIPs = [manduria-wg]; allowedIPs = [ antonio-wg ];
publicKey = "wT38oXvDQ8g0hI+pAXQobOWf/Wott2zhwo8TLvXK400="; publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc=";
} }
{
# Eleonora
allowedIPs = [ eleonora-wg ];
publicKey = "SL54f1ZeieFyn5X5UAPmypP10GV/c419O94vCzGHFhg=";
}
{ {
# Antonio # padulino
allowedIPs = [antonio-wg]; allowedIPs = [ padulino-wg ];
publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc="; publicKey = "sk2Wr2OesND9jcuP/8k7BirSpR4pNNbS9gBkbOxZxwg=";
} }
{
# GBEAST
allowedIPs = [ gbeast-wg ];
publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI=";
}
{ {
# Eleonora # parisa-phone
allowedIPs = [eleonora-wg]; allowedIPs = [ parisaphone-wg ];
publicKey = "SL54f1ZeieFyn5X5UAPmypP10GV/c419O94vCzGHFhg="; publicKey = "t9EUnIkfr1b2HPlTXi17+AKMMe5VfeKq7exRVAwaai0=";
} }
{
# parisa-pc
allowedIPs = [ parisapc-wg ];
publicKey = "b2QzZDTgGQbNXSCLYB4KUzq0/099pH2T8H5BckfNSTQ=";
}
{ {
# padulino # peppiniell
allowedIPs = [padulino-wg]; allowedIPs = [ peppiniell-wg ];
publicKey = "sk2Wr2OesND9jcuP/8k7BirSpR4pNNbS9gBkbOxZxwg="; publicKey = "bzoW3Rx+7Un9hx/2opgBQJmmnZ/hgj1lQ2FnonCHjTc=";
} }
{
# angellane
allowedIPs = [ angellane-wg ];
publicKey = "MZ+nZklHpBxTL7QN9QJpBBx7yOYRZLONfvqAnuk85x0=";
}
{ {
# GBEAST # hotpottino
allowedIPs = [gbeast-wg]; allowedIPs = [ hotpottino-wg ];
publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI="; publicKey = "YqtzTWqGBs2GwSPNO0aRSV4nvJDW3UHHt6fV4UC7vnU=";
} }
{
# shield
allowedIPs = [ shield-wg ];
publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs=";
}
{ {
# parisa-phone # pepos
allowedIPs = [parisaphone-wg]; allowedIPs = [ pepos-wg ];
publicKey = "t9EUnIkfr1b2HPlTXi17+AKMMe5VfeKq7exRVAwaai0="; publicKey = "mb1VaMLML5J24oCMBuhqvBrT6S4tAqWERn30z+h/LwM=";
} }
{
# salvatore
allowedIPs = [ salvatore-wg ];
publicKey = "fhlnBHeMyHZKLUCTSA9kmkKoM5x/qzz/rnCJrUh3Gzs=";
}
{ {
# parisa-pc # papa
allowedIPs = [parisapc-wg]; allowedIPs = [ papa-wg ];
publicKey = "b2QzZDTgGQbNXSCLYB4KUzq0/099pH2T8H5BckfNSTQ="; publicKey = "oGHygt02Oni3IFbScKD0NVEfHKCp6bpw68aq5g4RrAA=";
} }
{
# defy
allowedIPs = [ defy-wg ];
publicKey = "Cvi/eto7E6Ef+aiL81ou7x12fJCeuXrf/go9fxEqXG4=";
}
{ {
# peppiniell # germano
allowedIPs = [peppiniell-wg]; allowedIPs = [ germano-wg ];
publicKey = "bzoW3Rx+7Un9hx/2opgBQJmmnZ/hgj1lQ2FnonCHjTc="; publicKey = "gi4o+pZWKItzVs7vY8fvXh98jX6CNeCwc1YDzhc3mA4=";
} }
{
# flavio
allowedIPs = [ flavio-wg ];
publicKey = "Yg0P+yHi/9SZHyoel8jT9fmmu+irLYmT8yMp/CZoaSg=";
}
{ {
# angellane # dodino
allowedIPs = [angellane-wg]; allowedIPs = [ dodino-wg ];
publicKey = "MZ+nZklHpBxTL7QN9QJpBBx7yOYRZLONfvqAnuk85x0="; publicKey = "JHkqlADQpY1CUcivraG9i6rIzCzLVFcl8HP5uIk35lk=";
} }
{
# tommy
allowedIPs = [ tommy-wg ];
publicKey = "tytknU7wql1d0A2provX3RP7CNcEIajfgBJKoSyVLgo=";
}
{ {
# hotpottino # alain
allowedIPs = [hotpottino-wg]; allowedIPs = [ alain-wg ];
publicKey = "YqtzTWqGBs2GwSPNO0aRSV4nvJDW3UHHt6fV4UC7vnU="; publicKey = "/o2msFJoUL4yovcIQJTU8c1faFtekrjSBBWJABouWno=";
} }
{
# dima
allowedIPs = [ dima-wg ];
publicKey = "svzWYIZ6v+cLCp/emGG7mx2YpBJqw2fqjVuHZy7b6H0=";
}
{ {
# shield # wolfsonhouse
allowedIPs = [shield-wg]; allowedIPs = [ wolfsonhouse-wg ];
publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs="; publicKey = "UJRJcAOcnEjEB3o4K2I7gEM97SrhENEesZNf28z+EBQ=";
} }
{ {
# pepos # mikey
allowedIPs = [pepos-wg]; allowedIPs = [ mikey-wg ];
publicKey = "mb1VaMLML5J24oCMBuhqvBrT6S4tAqWERn30z+h/LwM="; publicKey = "ewbDdX3z7nxG2aPIf9TogXkhxPlGipLFcy6XfyDC6gI=";
} }
{ {
# salvatore # andrew
allowedIPs = [salvatore-wg]; allowedIPs = [ andrew-wg ];
publicKey = "fhlnBHeMyHZKLUCTSA9kmkKoM5x/qzz/rnCJrUh3Gzs="; publicKey = "LP/FgST9fmBQSoKQFq9sFGvjRFOtRooMcuEcjuqaoWM=";
} }
{ {
# papa # mikey laptop
allowedIPs = [papa-wg]; allowedIPs = [ mikeylaptop-wg ];
publicKey = "oGHygt02Oni3IFbScKD0NVEfHKCp6bpw68aq5g4RrAA="; publicKey = "kz/pY/PgV+dwF1JZ2It4r5B5QfRSQM7HkbFCdvd5Yxk=";
} }
{ {
# defy # andrew desktop
allowedIPs = [defy-wg]; allowedIPs = [ andrewdesktop-wg ];
publicKey = "Cvi/eto7E6Ef+aiL81ou7x12fJCeuXrf/go9fxEqXG4="; publicKey = "rpYr3JNLIzxpxzFuQuaHFEl/XvPEPfwLbDETBP8KYXI=";
} }
{ {
# germano # laptop desktop
allowedIPs = [germano-wg]; allowedIPs = [ jacopo-wg ];
publicKey = "gi4o+pZWKItzVs7vY8fvXh98jX6CNeCwc1YDzhc3mA4="; publicKey = "W/taWI79bPIKOolVVu5xZfiJnPw9K91Xn1zhcM0+4g0=";
} }
{ {
# flavio # frznn
allowedIPs = [flavio-wg]; allowedIPs = [ frznn-wg ];
publicKey = "Yg0P+yHi/9SZHyoel8jT9fmmu+irLYmT8yMp/CZoaSg="; publicKey = "dXcrdME6VnnE5PBYwvUmayf7cn2wpcExeCR9gIXOO0o=";
} }
];
{ };
# dodino
allowedIPs = [dodino-wg];
publicKey = "JHkqlADQpY1CUcivraG9i6rIzCzLVFcl8HP5uIk35lk=";
}
{
# tommy
allowedIPs = [tommy-wg];
publicKey = "tytknU7wql1d0A2provX3RP7CNcEIajfgBJKoSyVLgo=";
}
{
# alain
allowedIPs = [alain-wg];
publicKey = "/o2msFJoUL4yovcIQJTU8c1faFtekrjSBBWJABouWno=";
}
{
# dima
allowedIPs = [dima-wg];
publicKey = "svzWYIZ6v+cLCp/emGG7mx2YpBJqw2fqjVuHZy7b6H0=";
}
{
# wolfsonhouse
allowedIPs = [wolfsonhouse-wg];
publicKey = "UJRJcAOcnEjEB3o4K2I7gEM97SrhENEesZNf28z+EBQ=";
}
{
# mikey
allowedIPs = [mikey-wg];
publicKey = "ewbDdX3z7nxG2aPIf9TogXkhxPlGipLFcy6XfyDC6gI=";
}
{
# andrew
allowedIPs = [andrew-wg];
publicKey = "LP/FgST9fmBQSoKQFq9sFGvjRFOtRooMcuEcjuqaoWM=";
}
{
# mikey laptop
allowedIPs = [mikeylaptop-wg];
publicKey = "kz/pY/PgV+dwF1JZ2It4r5B5QfRSQM7HkbFCdvd5Yxk=";
}
{
# andrew desktop
allowedIPs = [andrewdesktop-wg];
publicKey = "rpYr3JNLIzxpxzFuQuaHFEl/XvPEPfwLbDETBP8KYXI=";
}
{
# laptop desktop
allowedIPs = [jacopo-wg];
publicKey = "W/taWI79bPIKOolVVu5xZfiJnPw9K91Xn1zhcM0+4g0=";
}
{
# frznn
allowedIPs = [frznn-wg];
publicKey = "dXcrdME6VnnE5PBYwvUmayf7cn2wpcExeCR9gIXOO0o=";
}
];
}; };
}; };
};
} }


@ -1,12 +1,8 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let let hostname = "gAluminum";
hostname = "gAluminum";
in { in {
imports = [ imports = [ ./hardware.nix ./wireguard.nix ];
./hardware.nix
./wireguard.nix
];
boot = { boot = {
supportedFilesystems = [ "ntfs" ]; supportedFilesystems = [ "ntfs" ];
@ -37,7 +33,7 @@ in {
virtualisation.virtualbox.host.enable = true; virtualisation.virtualbox.host.enable = true;
virtualisation.virtualbox.host.enableExtensionPack = true; virtualisation.virtualbox.host.enableExtensionPack = true;
users.extraGroups.vboxusers.members = [ "giulio" ]; users.extraGroups.vboxusers.members = [ "giulio" ];
services.printing.enable = true; services.printing.enable = true;
sound.enable = true; sound.enable = true;
@ -51,4 +47,3 @@ in {
environment.systemPackages = with pkgs; [ efibootmgr ]; environment.systemPackages = with pkgs; [ efibootmgr ];
system.stateVersion = "21.05"; # Did you read the comment? system.stateVersion = "21.05"; # Did you read the comment?
} }


@ -4,24 +4,23 @@
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports = imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; boot.initrd.availableKernelModules =
[ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-uuid/92ad62ff-627e-4fd7-9ced-0c0716d3f848"; device = "/dev/disk/by-uuid/92ad62ff-627e-4fd7-9ced-0c0716d3f848";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot/efi" = fileSystems."/boot/efi" = {
{ device = "/dev/disk/by-uuid/3008-4A28"; device = "/dev/disk/by-uuid/3008-4A28";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = [ ]; swapDevices = [ ];


@ -1,17 +1,15 @@
{ {
networking.wg-quick.interfaces = { networking.wg-quick.interfaces = {
giupi = { giupi = {
address = ["10.3.0.2/32"]; address = [ "10.3.0.2/32" ];
privateKeyFile = "/etc/wireguard/giupi.key"; privateKeyFile = "/etc/wireguard/giupi.key";
dns = ["10.3.0.1"]; dns = [ "10.3.0.1" ];
peers = [ peers = [{
{ publicKey = "I4glUMvIGjjhvQMKhwGc8copPl2t9Us/YYRjT0BKuiw=";
publicKey = "I4glUMvIGjjhvQMKhwGc8copPl2t9Us/YYRjT0BKuiw="; allowedIPs = [ "0.0.0.0/0" ];
allowedIPs = ["0.0.0.0/0"]; endpoint = "architect.devs.giugl.io:1194";
endpoint = "architect.devs.giugl.io:1194"; persistentKeepalive = 25;
persistentKeepalive = 25; }];
}
];
}; };
}; };
} }


@ -1,9 +1,9 @@
{pkgs, config, ...}: { pkgs, config, ... }:
let let
public_ip = "23.88.108.216"; public_ip = "23.88.108.216";
realm = "turn.giugl.io"; realm = "turn.giugl.io";
static-auth-secret = "69duck duck fuck420"; static-auth-secret = "69duck duck fuck420";
in { in {
services.coturn = rec { services.coturn = rec {
inherit realm static-auth-secret; inherit realm static-auth-secret;
@ -21,7 +21,7 @@ in {
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
extraConfig = '' extraConfig = ''
verbose verbose
cipher-list=\"HIGH\" cipher-list=\"HIGH\"
no-multicast-peers no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255 denied-peer-ip=0.0.0.0-0.255.255.255
@ -50,12 +50,11 @@ in {
}; };
networking.firewall = { networking.firewall = {
interfaces.ens3 = let interfaces.ens3 = let
range = with config.services.coturn; [ { range = with config.services.coturn; [{
from = min-port; from = min-port;
to = max-port; to = max-port;
} ]; }];
in in {
{
allowedUDPPortRanges = range; allowedUDPPortRanges = range;
allowedUDPPorts = [ 5349 ]; allowedUDPPorts = [ 5349 ];
#allowedTCPPortRanges = range; #allowedTCPPortRanges = range;


@ -1,12 +1,8 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
imports = [ imports =
./hardware-configuration.nix [ ./hardware-configuration.nix ./coturn.nix ./wireguard.nix ./ssh.nix ];
./coturn.nix
./wireguard.nix
./ssh.nix
];
boot.loader.grub = { boot.loader.grub = {
enable = true; enable = true;
@ -28,4 +24,3 @@
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCuURERnIFe2XbNu6AsPe2DO11RuaHxVGUcaoJUsIB1F+VOggOVLhxSenOPYLm6NvvGeXVi95G5Sm1UZRcJEEkvxus4bSViV4t/Q2azfYFE27yRH/IeMMoWNPGYNm5Bok2qFb4vHifra9FffwXnOzr0nDDTdHXCft4TO5nsenLJwqu5zOO1CR7J52otY7LheNPyzbGxgIkB3Y7LeOj1+/xXSOJ379NOL2RQBobsg7k442WCX7tU6AC1ct3W+93tcJUUdzJKTT9TJ+XmhdjXNWhDd+QZUNAMr+nKoEdExHp0H40/wIhcLD2OV95gX4i/YBzCg4OQOqZqWiibiEQfGTSAh5aD+nX/PqjXf0XSLEUOA81biLFu28oO8gocjwnhgqmlghvO4SG1rs6uZ8EyPyWsrVMjy8B9FX4aloKqua3aicgC+upjLl3x+KkMJizlMB5Ew7KOjPsjXwMqeJmeBOEd6TSEctttR+lIp+/368FtwXeBxzx9MBT4620mnjWtVKM= giulio@gAluminum" "ssh-rsa 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 giulio@gAluminum"
]; ];
} }


@ -4,19 +4,18 @@
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports = imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ]; boot.initrd.availableKernelModules =
[ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-uuid/8b5bcd4a-02b8-4e11-b856-eda792b8b7b8"; device = "/dev/disk/by-uuid/8b5bcd4a-02b8-4e11-b856-eda792b8b7b8";
fsType = "ext4"; fsType = "ext4";
}; };
swapDevices = [ ]; swapDevices = [ ];


@ -1,4 +1,4 @@
{ config, ...}: { config, ... }:
{ {
services = { services = {


@ -1,4 +1,4 @@
{ config, ...}: { config, ... }:
let let
wg_if = "wg0"; wg_if = "wg0";
@ -11,13 +11,11 @@ in {
enable = true; enable = true;
externalInterface = wan_if; externalInterface = wan_if;
internalInterfaces = [ wg_if ]; internalInterfaces = [ wg_if ];
forwardPorts = [ forwardPorts = [{
{ destination = "10.4.0.2:1194";
destination = "10.4.0.2:1194"; proto = "udp";
proto = "udp"; sourcePort = 1194;
sourcePort = 1194; }];
}
];
}; };
wireguard = { wireguard = {
@ -27,19 +25,17 @@ in {
privateKeyFile = "/secrets/wireguard/server.key"; privateKeyFile = "/secrets/wireguard/server.key";
postSetup = '' postSetup = ''
/run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o ${wg_if} -j MASQUERADE /run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o ${wg_if} -j MASQUERADE
''; '';
postShutdown = '' postShutdown = ''
/run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o ${wg_if} -j MASQUERADE /run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o ${wg_if} -j MASQUERADE
''; '';
peers = [ peers = [{
{ allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ];
allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ]; publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA=";
publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA="; }];
}
];
}; };
}; };
}; };


@ -1,5 +1,6 @@
{ pkgs, unstable, nixpkgs, nixos-unstable, home-manager, ...}: { pkgs, unstable, nixpkgs, nixos-unstable, home-manager, ... }: rec {
rec {
user = import ./user.nix { inherit pkgs; }; user = import ./user.nix { inherit pkgs; };
host = import ./host.nix { inherit pkgs nixpkgs unstable nixos-unstable home-manager user; }; host = import ./host.nix {
} inherit pkgs nixpkgs unstable nixos-unstable home-manager user;
};
}


@ -1,23 +1,26 @@
{ pkgs, ...}: { pkgs, ... }:
{ {
mkUser = { name, roles ? [] }: mkUser = { name, roles ? [ ] }:
let let
mkRole = role: import (../roles/home + "/${role}.nix"); mkRole = role: import (../roles/home + "/${role}.nix");
roles_mod = (map (r: mkRole r) roles); roles_mod = (map (r: mkRole r) roles);
in { in {
fileSystems."/home/${name}/Downloads" = { users.groups.plugdev = { };
device = "tmpfs";
fsType = "tmpfs";
options = ["size=3G"];
};
users.users.${name} = { fileSystems."/home/${name}/Downloads" = {
isNormalUser = true; device = "tmpfs";
shell = pkgs.zsh; fsType = "tmpfs";
extraGroups = [ "wheel" ]; options = [ "size=3G" ];
}; };
home-manager.users.${name}.imports = [ ../roles/home/common.nix ] ++ roles_mod; users.users.${name} = {
}; isNormalUser = true;
shell = pkgs.zsh;
extraGroups = [ "wheel" "plugdev" ];
};
home-manager.users.${name}.imports = [ ../roles/home/common.nix ]
++ roles_mod;
};
} }
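Review bot: The new `users.groups.plugdev = { };` and `extraGroups = [ "wheel" "plugdev" ]` are applied unconditionally to every user that goes through `mkUser`, which only receives `name` and `roles` and has no idea whether it is building a desktop or a headless server, so a server-only user now gets a hardware-device group it has no use for, and `wheel` (sudo on a default NixOS) is likewise granted regardless of role. It would be tighter to derive the extra groups from the requested roles, e.g. `extraGroups = [ "wheel" ] ++ pkgs.lib.optional (builtins.elem "desktop" roles) "plugdev";` (assuming a `desktop` role name is what callers use — confirm), which keeps the interface of `mkUser` unchanged. A `plugdev` group also grants nothing by itself on NixOS; only udev rules that name it do, so a comment such as `# plugdev: device access comes from udev rules naming this group, not from membership alone` would save the next reader from assuming the membership is sufficient.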


@ -1,5 +1,4 @@
{ ... }: { ... }: {
{
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
security.acme.email = "sysadmin@giugl.io"; security.acme.email = "sysadmin@giugl.io";
} }


@ -1,9 +1,9 @@
{ config, pkgs, variables, lib, ... }: { config, pkgs, variables, lib, ... }:
{ {
console = { console = {
keyMap = "us"; keyMap = "us";
font = "Lat2-Terminus16"; font = "Lat2-Terminus16";
}; };
i18n.defaultLocale = "en_US.UTF-8"; i18n.defaultLocale = "en_US.UTF-8";
@ -14,21 +14,17 @@
extraOptions = '' extraOptions = ''
experimental-features = nix-command flakes experimental-features = nix-command flakes
''; '';
gc = { gc = {
automatic = true; automatic = true;
dates = "weekly"; dates = "weekly";
persistent = true; persistent = true;
}; };
}; };
nixpkgs = { nixpkgs = { config = { allowUnfree = true; }; };
config = {
allowUnfree = true;
};
};
fonts.fonts = with pkgs; [cascadia-code]; fonts.fonts = with pkgs; [ cascadia-code ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
file file
@ -49,5 +45,5 @@
smartmontools smartmontools
nmap nmap
ripgrep ripgrep
]; ];
} }


@ -12,7 +12,7 @@
}; };
dbus.packages = with pkgs; [ gnome3.dconf ]; dbus.packages = with pkgs; [ gnome3.dconf ];
udev.packages = with pkgs; [ gnome3.gnome-settings-daemon ]; udev.packages = with pkgs; [ gnome3.gnome-settings-daemon ];
}; };
environment.systemPackages = with pkgs; [ gnomeExtensions.appindicator ]; environment.systemPackages = with pkgs; [ gnomeExtensions.appindicator ];


@ -15,7 +15,12 @@
programs.neovim = { programs.neovim = {
enable = true; enable = true;
extraPackages = with pkgs; [ nodePackages.prettier cmake-format clang-tools rustfmt ]; extraPackages = with pkgs; [
nodePackages.prettier
cmake-format
clang-tools
rustfmt
];
extraConfig = '' extraConfig = ''
" syntax " syntax
syntax enable syntax enable


@ -2,41 +2,40 @@
let let
albert_autostart = (pkgs.makeAutostartItem { albert_autostart = (pkgs.makeAutostartItem {
name = "albert"; name = "albert";
package = pkgs.albert; package = pkgs.albert;
}); });
guake_autostart = (pkgs.makeAutostartItem { guake_autostart = (pkgs.makeAutostartItem {
name = "guake"; name = "guake";
package = pkgs.guake; package = pkgs.guake;
}); });
in in {
{ imports = [ ./gnome.nix ];
imports = [ ./gnome.nix ];
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
home.packages = with pkgs; [ home.packages = with pkgs; [
albert albert
guake guake
firefox firefox
brave brave
chromium chromium
slack slack
signal-desktop signal-desktop
teams teams
discord discord
element-desktop element-desktop
spotify spotify
gparted gparted
libreoffice libreoffice
vscode vscode
jetbrains.idea-ultimate jetbrains.idea-ultimate
albert_autostart albert_autostart
guake_autostart guake_autostart
]; ];
} }


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
dconf.settings = { dconf.settings = {
@ -7,7 +7,7 @@
# #
"org/gnome/desktop/peripherals/touchpad" = { "org/gnome/desktop/peripherals/touchpad" = {
natural-scroll = false; natural-scroll = false;
two-finger-scrolling-enabled = true; two-finger-scrolling-enabled = true;
}; };
@ -16,16 +16,16 @@
# #
"org/gnome/desktop/wm/keybindings" = { "org/gnome/desktop/wm/keybindings" = {
close = [ "<Alt>q" ]; close = [ "<Alt>q" ];
maximize = [ "<Primary><Shift>Up" ]; maximize = [ "<Primary><Shift>Up" ];
unmaximize = [ "<Primary><Shift>Down" ]; unmaximize = [ "<Primary><Shift>Down" ];
move-to-workspace-left = [ "<Shift><Alt>Left" ]; move-to-workspace-left = [ "<Shift><Alt>Left" ];
move-to-workspace-right = [ "<Shift><Alt>Right" ]; move-to-workspace-right = [ "<Shift><Alt>Right" ];
switch-to-workspace-left = [ "<Primary><Alt>Left" ]; switch-to-workspace-left = [ "<Primary><Alt>Left" ];
switch-to-workspace-right = [ "<Primary><Alt>Right" ]; switch-to-workspace-right = [ "<Primary><Alt>Right" ];
}; };
"org/gnome/mutter/keybindings" = { "org/gnome/mutter/keybindings" = {
toggle-tiled-left = [ "<Primary><Shift>Left" ]; toggle-tiled-left = [ "<Primary><Shift>Left" ];
toggle-tiled-right = [ "<Primary><Shift>Right" ]; toggle-tiled-right = [ "<Primary><Shift>Right" ];
}; };
@ -43,21 +43,21 @@
screensaver = [ "<Primary><Alt>l" ]; screensaver = [ "<Primary><Alt>l" ];
# disable screenshot # disable screenshot
screenshot = []; screenshot = [ ];
}; };
"org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0" = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0" =
{ {
binding = "F12"; binding = "F12";
command = "guake-toggle"; command = "guake-toggle";
name = "Guake"; name = "Guake";
}; };
"org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom1" = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom1" =
{ {
binding = "<Alt>a"; binding = "<Alt>a";
command = "albert toggle"; command = "albert toggle";
name = "Albert"; name = "Albert";
}; };
# #
@ -65,7 +65,7 @@
# #
"org/gnome/settings-daemon/plugins/power" = { "org/gnome/settings-daemon/plugins/power" = {
sleep-inactive-ac-type = "nothing"; sleep-inactive-ac-type = "nothing";
sleep-inactive-battery-type = "nothing"; sleep-inactive-battery-type = "nothing";
}; };
@ -74,7 +74,7 @@
# #
"org/gnome/settings-daemon/plugins/color" = { "org/gnome/settings-daemon/plugins/color" = {
night-light-enabled = true; night-light-enabled = true;
night-light-temperature = 2536; night-light-temperature = 2536;
}; };


@ -13,7 +13,7 @@
user = "giulio"; user = "giulio";
identityFile = "~/.ssh/tommypc"; identityFile = "~/.ssh/tommypc";
}; };
"dodino.devs.giugl.io" = { "dodino.devs.giugl.io" = {
user = "pi"; user = "pi";
identityFile = "~/.ssh/dodino"; identityFile = "~/.ssh/dodino";
@ -23,12 +23,12 @@
user = "pepos"; user = "pepos";
identityFile = "~/.ssh/pepos"; identityFile = "~/.ssh/pepos";
}; };
"bastion.nms.kcl.ac.uk" = { "bastion.nms.kcl.ac.uk" = {
user = "k1804704"; user = "k1804704";
identityFile = "~/.ssh/kcllabs"; identityFile = "~/.ssh/kcllabs";
}; };
"s2access" = { "s2access" = {
hostname = "s2lab-access.nms.kcl.ac.uk"; hostname = "s2lab-access.nms.kcl.ac.uk";
user = "k1804704"; user = "k1804704";
@ -55,12 +55,12 @@
user = "k1804704"; user = "k1804704";
identityFile = "~/.ssh/kcllabs"; identityFile = "~/.ssh/kcllabs";
}; };
"ctf.mhackeroni.it" = { "ctf.mhackeroni.it" = {
user = "root"; user = "root";
identityFile = "~/.ssh/github"; identityFile = "~/.ssh/github";
}; };
"hotpottino.devs.giugl.io" = { "hotpottino.devs.giugl.io" = {
user = "pi"; user = "pi";
identityFile = "~/.ssh/hotpottino"; identityFile = "~/.ssh/hotpottino";
@ -83,7 +83,7 @@
user = "giulio"; user = "giulio";
identityFile = "~/.ssh/padulino"; identityFile = "~/.ssh/padulino";
}; };
"ssh.dev.azure.com" = { "ssh.dev.azure.com" = {
user = "git"; user = "git";
identityFile = "~/.ssh/freta"; identityFile = "~/.ssh/freta";
@ -93,7 +93,7 @@
user = "giulio"; user = "giulio";
identityFile = "~/.ssh/peppiniell"; identityFile = "~/.ssh/peppiniell";
}; };
"broccolino.devs.giugl.io" = { "broccolino.devs.giugl.io" = {
user = "pi"; user = "pi";
port = 5541; port = 5541;
@ -138,15 +138,13 @@
user = "ctf"; user = "ctf";
identityFile = "~/.ssh/gitlab_necst"; identityFile = "~/.ssh/gitlab_necst";
}; };
"manduria.devs.giugl.io" = { "manduria.devs.giugl.io" = {
user = "giulio"; user = "giulio";
identityFile = "~/.ssh/imacmanduria"; identityFile = "~/.ssh/imacmanduria";
}; };
"bitbucket.org" = { "bitbucket.org" = { identityFile = "~/.ssh/bitbucket"; };
identityFile = "~/.ssh/bitbucket";
};
"the.al" = { "the.al" = {
user = "git"; user = "git";
@ -169,5 +167,5 @@
IdentitiesOnly yes IdentitiesOnly yes
ServerAliveInterval 3600 ServerAliveInterval 3600
''; '';
}; };
} }