diff --git a/flake.nix b/flake.nix
index 0ed00b9..5808da3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,9 +1,9 @@
 {
 inputs = {
- nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05";
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11";
 nixos-unstable.url = "github:NixOS/nixpkgs/master";
 home-manager = {
- url = "github:rycee/home-manager/release-22.05";
+ url = "github:rycee/home-manager/release-22.11";
 inputs.nixpkgs.follows = "nixpkgs";
 };
 vim-extra-plugins.url = "github:m15a/nixpkgs-vim-extra-plugins";
@@ -67,10 +67,6 @@
 }];
 roles = [ "gnome" ];
 };
- proxy = utilsX64.host.mkHost {
- name = "proxy";
- users = [ ];
- };
 };
 };
 }
diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix
index 1b8cff3..1014e05 100644
--- a/hosts/architect/default.nix
+++ b/hosts/architect/default.nix
@@ -40,7 +40,7 @@ in {
 ];
 time.timeZone = "Europe/Rome";
- system.stateVersion = "21.11";
+# system.stateVersion = "21.11";
 users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
 boot = {
 initrd = {
diff --git a/hosts/architect/domains.nix b/hosts/architect/domains.nix
new file mode 100644
index 0000000..6df97c8
--- /dev/null
+++ b/hosts/architect/domains.nix
@@ -0,0 +1,11 @@
+{ lib }:
+
+let
+ domains = [ "runas.rocks" "giugl.io" ];
+in
+rec {
+ genSubdomainFQN = { subdomain }:
+ map (d: "${subdomain}.${d}") domains;
+ concatSubdomainSep = { subdomain, sep ? "," }:
+ lib.concatStringSep sep (genSubdomainFQN { inherit subdomain; });
+}
diff --git a/hosts/architect/matrix.nix b/hosts/architect/matrix.nix
index 2dfd288..72693c8 100644
--- a/hosts/architect/matrix.nix
+++ b/hosts/architect/matrix.nix
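Review bot: Commenting out `system.stateVersion = "21.11";` in the hosts/architect/default.nix hunk is a regression rather than a cleanup: that option pins the defaults of stateful services (database package versions, state-directory layouts) to the release the host was installed with, and with it unset NixOS only warns and falls back to the current release's defaults, which this same commit moves to 22.11. If architect's Nextcloud or Synapse rely on the module-managed PostgreSQL, that fallback can select a different major version or state path than the one the existing data was created with. Restore the line as `system.stateVersion = "21.11";`; the hosts/gAluminum/default.nix hunk comments out its `"21.05"` the same way and should be restored as well. The enclosing module body continues outside the hunk.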
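Review bot: `lib.concatStringSep` on the `concatSubdomainSep` line is not a nixpkgs function — the helper is `lib.concatStringsSep` — so the first caller of `concatSubdomainSep` fails evaluation with a missing-attribute error; nothing in this diff calls it yet, so the breakage only surfaces later. Change the line to `lib.concatStringsSep sep (genSubdomainFQN { inherit subdomain; });`. Since every entry in `domains` fans out into a generated hostname, a one-line header above `domains` would help the next reader, e.g. `# helpers that expand one subdomain label to a FQDN under every apex listed here`.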
@@ -18,12 +18,16 @@ in url_preview_enabled = true; dynamic_thumbnails = true; withJemalloc = true; + enable_registration = false; + password_config.enabled = false; app_service_config_files = [ "/var/lib/matrix-synapse/discord-registration.yaml" # "/var/lib/matrix-synapse/hookshot-registration.yml" # "/var/lib/matrix-synapse/telegram-registration.yaml" ]; + auto_join_rooms = [ "#general:${domain}" "#music:${domain}" "#movies:${domain}" ]; + oidc_providers = [{ idp_id = "keycloak"; idp_name = "Architect SSO"; @@ -35,6 +39,7 @@ in user_mapping_provider.config = { localpart_template = "{{ user.preferred_username }}"; display_name_template = "{{ user.name }}"; + confirm_localpart = true; }; backchannel_logout_enabled = true; }]; diff --git a/hosts/architect/navidrome.nix b/hosts/architect/navidrome.nix index 0bc9b85..d3de5d9 100644 --- a/hosts/architect/navidrome.nix +++ b/hosts/architect/navidrome.nix @@ -1,10 +1,11 @@ { lib, pkgs, ... }: let - domain = "music.giugl.io"; + domain = "music.runas.rocks"; network = import ./network.nix; library_path = "/media/Music"; beets_config = "/media/beets.conf"; + auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; in { services = { navidrome = { @@ -27,12 +28,8 @@ in { enableACME = true; locations."/" = { proxyPass = "http://127.0.0.1:4533"; - # extraConfig = '' - # allow 10.0.0.0/24; - # ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg} - # deny all; - # ''; }; + extraConfig = auth_block { access_role = "navidrome"; }; }; }; diff --git a/hosts/architect/nextcloud.nix b/hosts/architect/nextcloud.nix index 0ddcf39..c766c8b 100644 --- a/hosts/architect/nextcloud.nix +++ b/hosts/architect/nextcloud.nix @@ -24,7 +24,7 @@ in { hostName = domain; https = true; package = pkgs.unstable.nextcloud25; - + datadir = "/services/nextcloud"; caching = { redis = true; }; diff --git a/hosts/gAluminum/default.nix b/hosts/gAluminum/default.nix index 2bc4986..3dddb54 100644 --- a/hosts/gAluminum/default.nix 
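Review bot: `auto_join_rooms` now lists `#general`, `#music` and `#movies` but nothing sets how Synapse creates them: with the defaults (`autocreate_auto_join_rooms = true`, `autocreate_auto_join_room_preset = "public_chat"`, `autocreate_auto_join_rooms_federated = true`) the rooms are created publicly joinable and federated the first time a user is provisioned, which sits oddly next to the new `enable_registration = false` / SSO-only setup. If they are meant for local SSO users only, add `autocreate_auto_join_room_preset = "private_chat";` and `autocreate_auto_join_rooms_federated = false;` beside `auto_join_rooms`. `domain` is referenced but bound outside the hunk, so its scope was not checked here; the settings attrset continues outside the hunk too.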
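Review bot: `auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;` makes the host depend on a file that is not part of this diff, so evaluation fails unless `./openid.nix` already exists in the tree with an `openresty_oidc_block` attribute that takes an `{ access_role }` argument; that should be confirmed before merging. With the commented `allow`/`deny` block removed in the second hunk, `network = import ./network.nix;` has no remaining use inside the visible hunks and can be dropped if the rest of the file does not reference it. The `let` block continues outside the hunk.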
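Review bot: The OIDC gate from `extraConfig = auth_block { access_role = "navidrome"; };` is now the only access control on the vhost, and because it sits at server level every location inherits it, including Navidrome's Subsonic API under `/rest/`, which mobile clients reach with their own credentials and cannot complete a browser OIDC flow for; if such clients are in use, that path needs its own `locations."/rest/"` with a separate policy (for example the old allow/deny list) instead of the OIDC block. Whether `services.nginx.package` is an OpenResty build able to run the Lua block is set outside this hunk and should be confirmed. A short comment above the new line would help, e.g. `# OIDC gate from ./openid.nix; presumably requires the "navidrome" role at the IdP`. The `virtualHosts` attrset continues outside the hunk.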
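Review bot: `datadir = "/services/nextcloud";` changes where the module expects Nextcloud's data directory to live; if this instance already ran with the module's default location, the existing data has to be moved (or bind-mounted) to the new path before the switch, otherwise the next activation either starts from an empty install or fails its setup step. A short comment stating the intent would make that explicit, e.g. `# data lives on the /services volume; migrated from the module default on <date>` (date to be filled in). The `services.nextcloud` attrset continues outside the hunk.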
+++ b/hosts/gAluminum/default.nix @@ -70,5 +70,5 @@ in { programs.steam.enable = true; environment.systemPackages = with pkgs; [ efibootmgr nvidia-offload ]; - system.stateVersion = "21.05"; # Did you read the comment? +# system.stateVersion = "21.05"; # Did you read the comment? } diff --git a/hosts/proxy/coturn.nix b/hosts/proxy/coturn.nix deleted file mode 100644 index d4b5311..0000000 --- a/hosts/proxy/coturn.nix +++ /dev/null 
@@ -1,73 +0,0 @@
-{ pkgs, config, ... }:
-
- let
- public_ip = "23.88.108.216";
- realm = "turn.giugl.io";
- static-auth-secret = "69duck duck fuck420";
-in {
- services.coturn = rec {
- inherit realm static-auth-secret;
-
- secure-stun = true;
- enable = true;
- no-cli = true;
- no-tcp-relay = true;
- min-port = 49000;
- max-port = 50000;
- use-auth-secret = true;
- relay-ips = [ public_ip ];
- listening-ips = [ public_ip ];
- cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
- pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
- extraConfig = ''
- verbose
-
- cipher-list=\"HIGH\"
- no-multicast-peers
- denied-peer-ip=0.0.0.0-0.255.255.255
- denied-peer-ip=10.0.0.0-10.255.255.255
- denied-peer-ip=100.64.0.0-100.127.255.255
- denied-peer-ip=127.0.0.0-127.255.255.255
- denied-peer-ip=169.254.0.0-169.254.255.255
- denied-peer-ip=172.16.0.0-172.31.255.255
- denied-peer-ip=192.0.0.0-192.0.0.255
- denied-peer-ip=192.0.2.0-192.0.2.255
- denied-peer-ip=192.88.99.0-192.88.99.255
- denied-peer-ip=192.168.0.0-192.168.255.255
- denied-peer-ip=198.18.0.0-198.19.255.255
- denied-peer-ip=198.51.100.0-198.51.100.255
- denied-peer-ip=203.0.113.0-203.0.113.255
- denied-peer-ip=240.0.0.0-255.255.255.255
- denied-peer-ip=::1
- denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
- denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
- denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
- denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
- denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
- denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
- denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
- '';
- };
- networking.firewall = {
- interfaces.ens3 = let
- range = with config.services.coturn; [{
- from = min-port;
- to = max-port;
- }];
- in {
- allowedUDPPortRanges = range;
- allowedUDPPorts = [ 5349 ];
- #allowedTCPPortRanges = range;
- allowedTCPPorts = [ 80 443 5349 ];
- };
- };
-
- services.nginx.enable = true;
- services.nginx.virtualHosts.${realm} = {
- addSSL = true;
- enableACME = true;
- };
-
- # to access the ACME files
- users.groups.nginx.members = [ "turnserver" ];
-}
diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix
deleted file mode 100644
index e6c7633..0000000
--- a/hosts/proxy/default.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{ config, pkgs, ... }:
-
- {
- imports =
- [ ./hardware-configuration.nix ./coturn.nix ./wireguard.nix ./ssh.nix ];
-
- boot.loader.grub = {
- enable = true;
- version = 2;
- devices = [ "/dev/sda" ];
- };
-
- system.stateVersion = "21.05";
-
- networking = {
- useDHCP = false;
- hostName = "proxy";
- nameservers = [ "10.4.0.2" "1.1.1.1" ];
-
- interfaces.ens3.useDHCP = true;
- };
-
- users.users.root.openssh.authorizedKeys.keys = [
- "ssh-rsa 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 giulio@gAluminum"
- ];
-}
diff --git a/hosts/proxy/hardware-configuration.nix b/hosts/proxy/hardware-configuration.nix
deleted file mode 100644
index 2588670..0000000
--- a/hosts/proxy/hardware-configuration.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
- {
- imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-
- boot.initrd.availableKernelModules =
- [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ ];
- boot.extraModulePackages = [ ];
-
- fileSystems."/" = {
- device = "/dev/disk/by-uuid/8b5bcd4a-02b8-4e11-b856-eda792b8b7b8";
- fsType = "ext4";
- };
-
- swapDevices = [ ];
-
- }
diff --git a/hosts/proxy/ssh.nix b/hosts/proxy/ssh.nix
deleted file mode 100644
index f7e5a30..0000000
--- a/hosts/proxy/ssh.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ config, ... }:
-
- {
- services = {
- fail2ban.enable = true;
-
- openssh = {
- permitRootLogin = "prohibit-password";
- passwordAuthentication = false;
- enable = true;
- };
- };
-
- networking.firewall.allowedTCPPorts = [ 22 ];
-}
diff --git a/hosts/proxy/wireguard.nix b/hosts/proxy/wireguard.nix
deleted file mode 100644
index 9a9d133..0000000
--- a/hosts/proxy/wireguard.nix
+++ /dev/null
@@ -1,42 +0,0 @@
-{ config, ... }:
-
- let
- wg_if = "wg0";
- wan_if = "ens3";
-in {
- networking = {
- firewall.allowedUDPPorts = [ 1195 ];
-
- nat = {
- enable = true;
- externalInterface = wan_if;
- internalInterfaces = [ wg_if ];
- forwardPorts = [{
- destination = "10.4.0.2:1194";
- proto = "udp";
- sourcePort = 1194;
- }];
- };
-
- wireguard = {
- interfaces.${wg_if} = {
- listenPort = 1195;
- ips = [ "10.4.0.1/24" ];
- privateKeyFile = "/secrets/wireguard/server.key";
-
- postSetup = ''
- /run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o ${wg_if} -j MASQUERADE
- '';
-
- postShutdown = ''
- /run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o ${wg_if} -j MASQUERADE
- '';
-
- peers = [{
- allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ];
- publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA=";
- }];
- };
- };
- };
-}