peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

flake: Removed proxy host

Browse Source
This commit is contained in:
Giulio De Pasquale 2022-12-01 14:28:10 +01:00
parent f759f44024
commit 932378b309
12 changed files with 24 additions and 193 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
flake.nix
View File

@ -1,9 +1,9 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11";
nixos-unstable.url = "github:NixOS/nixpkgs/master";
home-manager = {
url = "github:rycee/home-manager/release-22.05";
url = "github:rycee/home-manager/release-22.11";
inputs.nixpkgs.follows = "nixpkgs";
};
vim-extra-plugins.url = "github:m15a/nixpkgs-vim-extra-plugins";
@ -67,10 +67,6 @@
}];
roles = [ "gnome" ];
};
proxy = utilsX64.host.mkHost {
name = "proxy";
users = [ ];
};
};
};
}

2
hosts/architect/default.nix
View File

@ -40,7 +40,7 @@ in {
];
time.timeZone = "Europe/Rome";
system.stateVersion = "21.11";
# system.stateVersion = "21.11";
users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
boot = {
initrd = {

11
hosts/architect/domains.nix Normal file
View File

@ -0,0 +1,11 @@
{ lib }:
let
domains = [ "runas.rocks" "giugl.io" ];
in
rec {
genSubdomainFQN = { subdomain }:
map (d: "${subdomain}.${d}") domains;
concatSubdomainSep = { subdomain, sep ? "," }:
lib.concatStringSep sep (genSubdomainFQN { inherit subdomain; });
}

5
hosts/architect/matrix.nix
View File

@ -18,12 +18,16 @@ in
url_preview_enabled = true;
dynamic_thumbnails = true;
withJemalloc = true;
enable_registration = false;
password_config.enabled = false;
app_service_config_files = [
"/var/lib/matrix-synapse/discord-registration.yaml"
# "/var/lib/matrix-synapse/hookshot-registration.yml"
# "/var/lib/matrix-synapse/telegram-registration.yaml"
];
auto_join_rooms = [ "#general:${domain}" "#music:${domain}" "#movies:${domain}" ];
oidc_providers = [{
idp_id = "keycloak";
idp_name = "Architect SSO";
@ -35,6 +39,7 @@ in
user_mapping_provider.config = {
localpart_template = "{{ user.preferred_username }}";
display_name_template = "{{ user.name }}";
confirm_localpart = true;
};
backchannel_logout_enabled = true;
}];

9
hosts/architect/navidrome.nix
View File

@ -1,10 +1,11 @@
{ lib, pkgs, ... }:
let
domain = "music.giugl.io";
domain = "music.runas.rocks";
network = import ./network.nix;
library_path = "/media/Music";
beets_config = "/media/beets.conf";
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in {
services = {
navidrome = {
@ -27,12 +28,8 @@ in {
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:4533";
# extraConfig = ''
# allow 10.0.0.0/24;
# ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
# deny all;
# '';
};
extraConfig = auth_block { access_role = "navidrome"; };
};
};

2
hosts/architect/nextcloud.nix
View File

@ -24,7 +24,7 @@ in {
hostName = domain;
https = true;
package = pkgs.unstable.nextcloud25;
datadir = "/services/nextcloud";
caching = {
redis = true;
};

2
hosts/gAluminum/default.nix
View File

@ -70,5 +70,5 @@ in {
programs.steam.enable = true;
environment.systemPackages = with pkgs; [ efibootmgr nvidia-offload ];
system.stateVersion = "21.05"; # Did you read the comment?
# system.stateVersion = "21.05"; # Did you read the comment?
}

73
hosts/proxy/coturn.nix
View File

@ -1,73 +0,0 @@
{ pkgs, config, ... }:
let
public_ip = "23.88.108.216";
realm = "turn.giugl.io";
static-auth-secret = "69duck duck fuck420";
in {
services.coturn = rec {
inherit realm static-auth-secret;
secure-stun = true;
enable = true;
no-cli = true;
no-tcp-relay = true;
min-port = 49000;
max-port = 50000;
use-auth-secret = true;
relay-ips = [ public_ip ];
listening-ips = [ public_ip ];
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
extraConfig = ''
verbose
cipher-list=\"HIGH\"
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
'';
};
networking.firewall = {
interfaces.ens3 = let
range = with config.services.coturn; [{
from = min-port;
to = max-port;
}];
in {
allowedUDPPortRanges = range;
allowedUDPPorts = [ 5349 ];
#allowedTCPPortRanges = range;
allowedTCPPorts = [ 80 443 5349 ];
};
};
services.nginx.enable = true;
services.nginx.virtualHosts.${realm} = {
addSSL = true;
enableACME = true;
};
# to access the ACME files
users.groups.nginx.members = [ "turnserver" ];
}

26
hosts/proxy/default.nix
View File

@ -1,26 +0,0 @@
{ config, pkgs, ... }:
{
imports =
[ ./hardware-configuration.nix ./coturn.nix ./wireguard.nix ./ssh.nix ];
boot.loader.grub = {
enable = true;
version = 2;
devices = [ "/dev/sda" ];
};
system.stateVersion = "21.05";
networking = {
useDHCP = false;
hostName = "proxy";
nameservers = [ "10.4.0.2" "1.1.1.1" ];
interfaces.ens3.useDHCP = true;
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCuURERnIFe2XbNu6AsPe2DO11RuaHxVGUcaoJUsIB1F+VOggOVLhxSenOPYLm6NvvGeXVi95G5Sm1UZRcJEEkvxus4bSViV4t/Q2azfYFE27yRH/IeMMoWNPGYNm5Bok2qFb4vHifra9FffwXnOzr0nDDTdHXCft4TO5nsenLJwqu5zOO1CR7J52otY7LheNPyzbGxgIkB3Y7LeOj1+/xXSOJ379NOL2RQBobsg7k442WCX7tU6AC1ct3W+93tcJUUdzJKTT9TJ+XmhdjXNWhDd+QZUNAMr+nKoEdExHp0H40/wIhcLD2OV95gX4i/YBzCg4OQOqZqWiibiEQfGTSAh5aD+nX/PqjXf0XSLEUOA81biLFu28oO8gocjwnhgqmlghvO4SG1rs6uZ8EyPyWsrVMjy8B9FX4aloKqua3aicgC+upjLl3x+KkMJizlMB5Ew7KOjPsjXwMqeJmeBOEd6TSEctttR+lIp+/368FtwXeBxzx9MBT4620mnjWtVKM= giulio@gAluminum"
];
}

22
hosts/proxy/hardware-configuration.nix
View File

@ -1,22 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules =
[ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/8b5bcd4a-02b8-4e11-b856-eda792b8b7b8";
fsType = "ext4";
};
swapDevices = [ ];
}

15
hosts/proxy/ssh.nix
View File

@ -1,15 +0,0 @@
{ config, ... }:
{
services = {
fail2ban.enable = true;
openssh = {
permitRootLogin = "prohibit-password";
passwordAuthentication = false;
enable = true;
};
};
networking.firewall.allowedTCPPorts = [ 22 ];
}

42
hosts/proxy/wireguard.nix
View File

@ -1,42 +0,0 @@
{ config, ... }:
let
wg_if = "wg0";
wan_if = "ens3";
in {
networking = {
firewall.allowedUDPPorts = [ 1195 ];
nat = {
enable = true;
externalInterface = wan_if;
internalInterfaces = [ wg_if ];
forwardPorts = [{
destination = "10.4.0.2:1194";
proto = "udp";
sourcePort = 1194;
}];
};
wireguard = {
interfaces.${wg_if} = {
listenPort = 1195;
ips = [ "10.4.0.1/24" ];
privateKeyFile = "/secrets/wireguard/server.key";
postSetup = ''
/run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o ${wg_if} -j MASQUERADE
'';
postShutdown = ''
/run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o ${wg_if} -j MASQUERADE
'';
peers = [{
allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ];
publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA=";
}];
};
};
};
}