flake: Removed proxy host

2022-12-01 14:28:10 +01:00 · 2022-12-01 14:28:10 +01:00 · 932378b309
commit 932378b309
parent f759f44024
12 changed files with 24 additions and 193 deletions
--- a/flake.nix
+++ b/flake.nix
@ -1,9 +1,9 @@
 {
  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11";
    nixos-unstable.url = "github:NixOS/nixpkgs/master";
    home-manager = {
-      url = "github:rycee/home-manager/release-22.05";
+      url = "github:rycee/home-manager/release-22.11";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    vim-extra-plugins.url = "github:m15a/nixpkgs-vim-extra-plugins";
@ -67,10 +67,6 @@
          }];
          roles = [ "gnome" ];
        };
        proxy = utilsX64.host.mkHost {
          name = "proxy";
          users = [ ];
        };
      };
    };
 }
--- a/hosts/architect/default.nix
+++ b/hosts/architect/default.nix
@ -40,7 +40,7 @@ in {
  ];
  time.timeZone = "Europe/Rome";
-  system.stateVersion = "21.11";
+#  system.stateVersion = "21.11";
  users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
  boot = {
    initrd = {
--- a/hosts/architect/domains.nix
+++ b/hosts/architect/domains.nix
@ -0,0 +1,11 @@
 { lib }:
 let
  domains = [ "runas.rocks" "giugl.io" ];
 in
 rec {
  genSubdomainFQN = { subdomain }:
    map (d: "${subdomain}.${d}") domains;
  concatSubdomainSep = { subdomain, sep ? "," }:
    lib.concatStringSep sep (genSubdomainFQN { inherit subdomain; });
 }
--- a/hosts/architect/matrix.nix
+++ b/hosts/architect/matrix.nix
@ -18,12 +18,16 @@ in
        url_preview_enabled = true;
        dynamic_thumbnails = true;
        withJemalloc = true;
        enable_registration = false;
        password_config.enabled = false;
        app_service_config_files = [
          "/var/lib/matrix-synapse/discord-registration.yaml"
          #        "/var/lib/matrix-synapse/hookshot-registration.yml"
          #        "/var/lib/matrix-synapse/telegram-registration.yaml"
        ];
        auto_join_rooms = [ "#general:${domain}" "#music:${domain}" "#movies:${domain}" ];
        oidc_providers = [{
          idp_id = "keycloak";
          idp_name = "Architect SSO";
@ -35,6 +39,7 @@ in
          user_mapping_provider.config = {
            localpart_template = "{{ user.preferred_username }}";
            display_name_template = "{{ user.name }}";
            confirm_localpart = true;
          };
          backchannel_logout_enabled = true;
        }];
--- a/hosts/architect/navidrome.nix
+++ b/hosts/architect/navidrome.nix
@ -1,10 +1,11 @@
 { lib, pkgs, ... }:
 let
-  domain = "music.giugl.io";
+  domain = "music.runas.rocks";
  network = import ./network.nix;
  library_path = "/media/Music";
  beets_config = "/media/beets.conf";
  auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
 in {
  services = {
    navidrome = {
@ -27,12 +28,8 @@ in {
      enableACME = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:4533";
        #        extraConfig = ''
        #          allow 10.0.0.0/24;
        #          ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
        #          deny all;
        #        '';
      };
      extraConfig = auth_block { access_role = "navidrome"; };
    };
  };
--- a/hosts/architect/nextcloud.nix
+++ b/hosts/architect/nextcloud.nix
@ -24,7 +24,7 @@ in {
      hostName = domain;
      https = true;
      package = pkgs.unstable.nextcloud25;
-
+      datadir = "/services/nextcloud";
      caching = {
        redis = true;
      };
--- a/hosts/gAluminum/default.nix
+++ b/hosts/gAluminum/default.nix
@ -70,5 +70,5 @@ in {
  programs.steam.enable = true;
  environment.systemPackages = with pkgs; [ efibootmgr nvidia-offload ];
-  system.stateVersion = "21.05"; # Did you read the comment?
+#  system.stateVersion = "21.05"; # Did you read the comment?
 }
--- a/hosts/proxy/coturn.nix
+++ b/hosts/proxy/coturn.nix
@ -1,73 +0,0 @@
 { pkgs, config, ... }:
 let
  public_ip = "23.88.108.216";
  realm = "turn.giugl.io";
  static-auth-secret = "69duck duck fuck420";
 in {
  services.coturn = rec {
    inherit realm static-auth-secret;
    secure-stun = true;
    enable = true;
    no-cli = true;
    no-tcp-relay = true;
    min-port = 49000;
    max-port = 50000;
    use-auth-secret = true;
    relay-ips = [ public_ip ];
    listening-ips = [ public_ip ];
    cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
    pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
    extraConfig = ''
      verbose
      cipher-list=\"HIGH\"
      no-multicast-peers
      denied-peer-ip=0.0.0.0-0.255.255.255
      denied-peer-ip=10.0.0.0-10.255.255.255
      denied-peer-ip=100.64.0.0-100.127.255.255
      denied-peer-ip=127.0.0.0-127.255.255.255
      denied-peer-ip=169.254.0.0-169.254.255.255
      denied-peer-ip=172.16.0.0-172.31.255.255
      denied-peer-ip=192.0.0.0-192.0.0.255
      denied-peer-ip=192.0.2.0-192.0.2.255
      denied-peer-ip=192.88.99.0-192.88.99.255
      denied-peer-ip=192.168.0.0-192.168.255.255
      denied-peer-ip=198.18.0.0-198.19.255.255
      denied-peer-ip=198.51.100.0-198.51.100.255
      denied-peer-ip=203.0.113.0-203.0.113.255
      denied-peer-ip=240.0.0.0-255.255.255.255
      denied-peer-ip=::1
      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    '';
  };
  networking.firewall = {
    interfaces.ens3 = let
      range = with config.services.coturn; [{
        from = min-port;
        to = max-port;
      }];
    in {
      allowedUDPPortRanges = range;
      allowedUDPPorts = [ 5349 ];
      #allowedTCPPortRanges = range;
      allowedTCPPorts = [ 80 443 5349 ];
    };
  };
  services.nginx.enable = true;
  services.nginx.virtualHosts.${realm} = {
    addSSL = true;
    enableACME = true;
  };
  # to access the ACME files
  users.groups.nginx.members = [ "turnserver" ];
 }
--- a/hosts/proxy/default.nix
+++ b/hosts/proxy/default.nix
@ -1,26 +0,0 @@
 { config, pkgs, ... }:
 {
  imports =
    [ ./hardware-configuration.nix ./coturn.nix ./wireguard.nix ./ssh.nix ];
  boot.loader.grub = {
    enable = true;
    version = 2;
    devices = [ "/dev/sda" ];
  };
  system.stateVersion = "21.05";
  networking = {
    useDHCP = false;
    hostName = "proxy";
    nameservers = [ "10.4.0.2" "1.1.1.1" ];
    interfaces.ens3.useDHCP = true;
  };
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCuURERnIFe2XbNu6AsPe2DO11RuaHxVGUcaoJUsIB1F+VOggOVLhxSenOPYLm6NvvGeXVi95G5Sm1UZRcJEEkvxus4bSViV4t/Q2azfYFE27yRH/IeMMoWNPGYNm5Bok2qFb4vHifra9FffwXnOzr0nDDTdHXCft4TO5nsenLJwqu5zOO1CR7J52otY7LheNPyzbGxgIkB3Y7LeOj1+/xXSOJ379NOL2RQBobsg7k442WCX7tU6AC1ct3W+93tcJUUdzJKTT9TJ+XmhdjXNWhDd+QZUNAMr+nKoEdExHp0H40/wIhcLD2OV95gX4i/YBzCg4OQOqZqWiibiEQfGTSAh5aD+nX/PqjXf0XSLEUOA81biLFu28oO8gocjwnhgqmlghvO4SG1rs6uZ8EyPyWsrVMjy8B9FX4aloKqua3aicgC+upjLl3x+KkMJizlMB5Ew7KOjPsjXwMqeJmeBOEd6TSEctttR+lIp+/368FtwXeBxzx9MBT4620mnjWtVKM= giulio@gAluminum"
  ];
 }
--- a/hosts/proxy/hardware-configuration.nix
+++ b/hosts/proxy/hardware-configuration.nix
@ -1,22 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
  boot.initrd.availableKernelModules =
    [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/8b5bcd4a-02b8-4e11-b856-eda792b8b7b8";
    fsType = "ext4";
  };
  swapDevices = [ ];
 }
--- a/hosts/proxy/ssh.nix
+++ b/hosts/proxy/ssh.nix
@ -1,15 +0,0 @@
 { config, ... }:
 {
  services = {
    fail2ban.enable = true;
    openssh = {
      permitRootLogin = "prohibit-password";
      passwordAuthentication = false;
      enable = true;
    };
  };
  networking.firewall.allowedTCPPorts = [ 22 ];
 }
--- a/hosts/proxy/wireguard.nix
+++ b/hosts/proxy/wireguard.nix
@ -1,42 +0,0 @@
 { config, ... }:
 let
  wg_if = "wg0";
  wan_if = "ens3";
 in {
  networking = {
    firewall.allowedUDPPorts = [ 1195 ];
    nat = {
      enable = true;
      externalInterface = wan_if;
      internalInterfaces = [ wg_if ];
      forwardPorts = [{
        destination = "10.4.0.2:1194";
        proto = "udp";
        sourcePort = 1194;
      }];
    };
    wireguard = {
      interfaces.${wg_if} = {
        listenPort = 1195;
        ips = [ "10.4.0.1/24" ];
        privateKeyFile = "/secrets/wireguard/server.key";
        postSetup = ''
          /run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o ${wg_if} -j MASQUERADE
        '';
        postShutdown = ''
          /run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o ${wg_if} -j MASQUERADE
        '';
        peers = [{
          allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ];
          publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA=";
        }];
      };
    };
  };
 }