peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

architect: services use new networking attrset

Browse Source
This commit is contained in:
Giulio De Pasquale 2023-05-12 23:05:10 +02:00
parent 7c00b8bf0b
commit 9bf85c00cf
26 changed files with 227 additions and 173 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
hosts/architect/bazarr.nix
View File

@ -1,9 +1,11 @@
{ lib, ... }: { config, lib, ... }:
let let
domain = "htbaz.giugl.io"; domain = "htbaz.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -25,9 +27,9 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
users.groups.media.members = [ "bazarr" ]; users.groups.media.members = [ "bazarr" ];

12
hosts/architect/calibre.nix
View File

@ -1,9 +1,11 @@
{ lib, ... }: { config, lib, ... }:
let let
domain = "books.giugl.io"; domain = "books.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -29,9 +31,9 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
users.groups.media.members = [ "calibre-web" ]; users.groups.media.members = [ "calibre-web" ];

6
hosts/architect/default.nix
View File

@ -5,9 +5,9 @@ let
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1we38/N+t8Ah5yrLof8QUwhrob7/VXFKIddaJeOVBLuDVnW7ljiAtdtEiL69D/DV4Ohmt5wMvkAAjfuHmim6FD9A6lzPbSU4KH9W2dcckszKbbI636kuDwem/xui6BW3wJa6P+0xW5ksygEAkzcK2PXuC2b4B9uwhuUdKahiGMKDxISG/WianqAe72cGMfNkYvion3Y1VsMLUdm48d2ABnxNpr7NI9B5iJ8dziOft9gpgfz13CCQRlReo75gk/4xI+vSNrQp7eR+wzJy2/dZg/T8jtyA9Q6jVxrxBpqQ1LNXkAKaJkGo9OabF6Wgpzp+YTAurL4nwR2NaJxwFuyoKvACQy0ai4jrS3206gC6JXZv8ktZMZrwUN+jPqCwfgh5qObFkAqKCxbp52ioDek2MQLdOvzQBX//DBhGEp5rzHGLZ3vhRIiiQiaof5sF5zWiYDW5mqezSPNxJPX/BrTP/Wbs/jpwTLBh3wytiia0S1WXQmya89bqzTPFiDWvTRA62EVKB/JaQtPQQOFAxWwg799DMycPeZ81xttZOyMtI/MZSddyqx2S8fWGwvToZQvuZ38mSIpFseLM1IkgabRIrAmat5SBNGGy9Dqa0eMEa7bwIY/4CMB1y6HMTnaoMXA6cnQfHMoB/zyTZ6oTXIeqeOyiZsK+RN0Mvahj8mXi7dw== giulio@giulio-X230" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1we38/N+t8Ah5yrLof8QUwhrob7/VXFKIddaJeOVBLuDVnW7ljiAtdtEiL69D/DV4Ohmt5wMvkAAjfuHmim6FD9A6lzPbSU4KH9W2dcckszKbbI636kuDwem/xui6BW3wJa6P+0xW5ksygEAkzcK2PXuC2b4B9uwhuUdKahiGMKDxISG/WianqAe72cGMfNkYvion3Y1VsMLUdm48d2ABnxNpr7NI9B5iJ8dziOft9gpgfz13CCQRlReo75gk/4xI+vSNrQp7eR+wzJy2/dZg/T8jtyA9Q6jVxrxBpqQ1LNXkAKaJkGo9OabF6Wgpzp+YTAurL4nwR2NaJxwFuyoKvACQy0ai4jrS3206gC6JXZv8ktZMZrwUN+jPqCwfgh5qObFkAqKCxbp52ioDek2MQLdOvzQBX//DBhGEp5rzHGLZ3vhRIiiQiaof5sF5zWiYDW5mqezSPNxJPX/BrTP/Wbs/jpwTLBh3wytiia0S1WXQmya89bqzTPFiDWvTRA62EVKB/JaQtPQQOFAxWwg799DMycPeZ81xttZOyMtI/MZSddyqx2S8fWGwvToZQvuZ38mSIpFseLM1IkgabRIrAmat5SBNGGy9Dqa0eMEa7bwIY/4CMB1y6HMTnaoMXA6cnQfHMoB/zyTZ6oTXIeqeOyiZsK+RN0Mvahj8mXi7dw== giulio@giulio-X230"
]; ];
domain = "devs.giugl.io"; domain = "devs.giugl.io";
# device.address device.hostname
generateDeviceStrings = devices: lib.concatStringsSep "\n" utilities = import ./utilities.nix { inherit lib config; };
(lib.mapAttrsToList (name: device: "${device.address} ${device.hostname}") devices); inherit (utilities) generateDeviceStrings;
in in
{ {
imports = [ imports = [

10
hosts/architect/deluge.nix
View File

@ -2,9 +2,11 @@
let let
domain = "htdel.giugl.io"; domain = "htdel.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
listenPorts = [ 51413 51414 ]; listenPorts = [ 51413 51414 ];
in in
{ {
@ -54,9 +56,9 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
users.groups.media.members = [ "deluge" ]; users.groups.media.members = [ "deluge" ];

9
hosts/architect/fail2ban.nix
View File

@ -1,9 +1,14 @@
{ config, pkgs, ... }: { { config, pkgs, ... }:
{
services.fail2ban = { services.fail2ban = {
enable = true; enable = true;
package = pkgs.fail2ban; package = pkgs.fail2ban;
packageFirewall = pkgs.nftables; packageFirewall = pkgs.nftables;
bantime-increment.enable = true; bantime-increment.enable = true;
ignoreIP = [ "10.0.0.0/24" "10.3.0.0/24" ]; ignoreIP = [
config.architect.networks.lan.net
config.architect.networks.tailscale.net
];
}; };
} }

11
hosts/architect/gitea.nix
View File

@ -2,7 +2,9 @@
let let
domain = "git.giugl.io"; domain = "git.giugl.io";
network = import ./network.nix;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
architect.firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ]; architect.firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ];
@ -33,9 +35,8 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
} }

5
hosts/architect/headscale.nix
View File

@ -2,8 +2,9 @@
let let
domain = "vipienne.giugl.io"; domain = "vipienne.giugl.io";
architectInterfaceAddress = interface:
config.architect.networks.${interface}.devices.architect.address; utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
architect.firewall = { architect.firewall = {

54
hosts/architect/jellyfin.nix
View File

@ -1,9 +1,11 @@
{ pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
network = import ./network.nix;
domain = "media.giugl.io"; domain = "media.giugl.io";
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; port = 8096;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
# needed since StateDirectory does not accept symlinks # needed since StateDirectory does not accept symlinks
@ -19,44 +21,40 @@ in
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices; } + extraConfig = ''
'' # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; # Disable buffering when the nginx proxy gets very resource heavy upon streaming
# Disable buffering when the nginx proxy gets very resource heavy upon streaming proxy_buffering off;
proxy_buffering off;
''; allow ${config.architect.networks.lan.net};
allow ${config.architect.networks.tailscale.net};
deny all;
'';
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:8096"; proxyPass = "http://127.0.0.1:${toString port}";
# extraConfig = ''
# allow 10.0.0.0/24;
# allow 10.3.0.0/24;
# deny all;
# '';
}; };
locations."/socket" = { locations."/socket" = {
proxyPass = "http://127.0.0.1:8096"; proxyPass = "http://127.0.0.1:${toString port}";
proxyWebsockets = true; proxyWebsockets = true;
# extraConfig = ''
# allow 10.0.0.0/24;
# allow 10.3.0.0/24;
# deny all;
# '';
}; };
}; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
users.groups.media.members = [ "jellyfin" ]; users.groups = {
users.groups.video.members = [ "jellyfin" ]; media.members = [ "jellyfin" ];
users.groups.render.members = [ "jellyfin" ]; video.members = [ "jellyfin" ];
render.members = [ "jellyfin" ];
};
fileSystems."/tmp/jellyfin" = { fileSystems."/tmp/jellyfin" = {
device = "none"; device = "none";

12
hosts/architect/keycloak.nix
View File

@ -1,8 +1,10 @@
{ pkgs, config, ... }: { pkgs, lib, config, ... }:
let let
network = import ./network.nix;
domain = "auth.giugl.io"; domain = "auth.giugl.io";
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -73,8 +75,8 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
} }

14
hosts/architect/libreddit.nix
View File

@ -1,8 +1,10 @@
{ lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
domain = "reddit.giugl.io"; domain = "reddit.giugl.io";
network = import ./network.nix;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -14,13 +16,13 @@ in
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { proxyPass = "http://127.0.0.1:9090"; }; locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.libreddit.port}"; };
}; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
} }

12
hosts/architect/lidarr.nix
View File

@ -1,9 +1,11 @@
{ lib, ... }: { config, lib, ... }:
let let
domain = "htlid.giugl.io"; domain = "htlid.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -25,9 +27,9 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
users.groups.media.members = [ "lidarr" ]; users.groups.media.members = [ "lidarr" ];

13
hosts/architect/matrix.nix
View File

@ -1,9 +1,11 @@
{ pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
domain = "runas.rocks"; domain = "runas.rocks";
network = import ./network.nix;
db_name = "matrix-synapse-runas.rocks"; db_name = "matrix-synapse-runas.rocks";
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -111,9 +113,8 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
} }

12
hosts/architect/minecraft.nix
View File

@ -1,8 +1,10 @@
{ config, pkgs, ... }: { lib, config, pkgs, ... }:
let let
domain = "minecraft.giugl.io"; domain = "minecraft.giugl.io";
network = import ./network.nix;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
architect.firewall.openTCP = [ 25565 ]; architect.firewall.openTCP = [ 25565 ];
@ -16,8 +18,8 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
} }

17
hosts/architect/minio.nix
View File

@ -1,8 +1,10 @@
{ lib, ... }: { config, lib, ... }:
let let
domain = "s3.giugl.io"; domain = "s3.giugl.io";
network = import ./network.nix;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -15,9 +17,8 @@ in
proxyPass = "http://127.0.0.1:9000"; proxyPass = "http://127.0.0.1:9000";
extraConfig = '' extraConfig = ''
client_max_body_size 500M; client_max_body_size 500M;
allow 10.0.0.0/24; allow ${config.architect.networks.lan.net};
${lib.concatMapStrings (x: "allow ${x};") network.gdevices } allow ${config.architect.networks.tailscale.net};
allow ${network.manduria-wg};
deny all; deny all;
''; '';
}; };
@ -25,8 +26,8 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
} }

21
hosts/architect/nextcloud.nix
View File

@ -1,12 +1,19 @@
{ pkgs, ... }: { pkgs, config, lib, ... }:
let let
domain = "cloud.giugl.io"; domain = "cloud.giugl.io";
network = import ./network.nix;
redis_port = 6379; redis_port = 6379;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
};
mysql = { mysql = {
enable = true; enable = true;
package = pkgs.unstablePkgs.mysql80; package = pkgs.unstablePkgs.mysql80;
@ -53,13 +60,9 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
services.nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
};
} }

1
hosts/architect/nginx.nix
View File

@ -90,5 +90,6 @@
worker_processes 24; worker_processes 24;
''; '';
}; };
users.groups.acme.members = [ "nginx" ]; users.groups.acme.members = [ "nginx" ];
} }

12
hosts/architect/nzbget.nix
View File

@ -1,9 +1,11 @@
{ lib, ... }: { config, lib, ... }:
let let
domain = "htnzb.giugl.io"; domain = "htnzb.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -25,9 +27,9 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
users.groups.media.members = [ "nzbget" ]; users.groups.media.members = [ "nzbget" ];

12
hosts/architect/plex.nix
View File

@ -1,9 +1,11 @@
{ pkgs, lib, ... }: { pkgs, config, lib, ... }:
let let
domain = "plex.giugl.io"; domain = "plex.giugl.io";
network = import ./network.nix;
port = 32400; port = 32400;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
architect.firewall = { architect.firewall = {
@ -88,9 +90,9 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
users.groups.media.members = [ "plex" ]; users.groups.media.members = [ "plex" ];

10
hosts/architect/prosody.nix
View File

@ -4,7 +4,9 @@ let
domain = "xmpp.giugl.io"; domain = "xmpp.giugl.io";
conference_domain = "conference.${domain}"; conference_domain = "conference.${domain}";
upload_domain = "uploads.${domain}"; upload_domain = "uploads.${domain}";
network = import ./network.nix;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
architect.firewall = { architect.firewall = {
@ -42,9 +44,9 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
users.groups = { users.groups = {

16
hosts/architect/prowlarr.nix
View File

@ -1,8 +1,10 @@
{ lib, ... }: { config, lib, ... }:
let let
domain = "htpro.giugl.io"; domain = "htpro.giugl.io";
network = import ./network.nix;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -14,8 +16,8 @@ in
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:9696"; proxyPass = "http://127.0.0.1:9696";
extraConfig = '' extraConfig = ''
allow 10.0.0.0/24; allow ${config.architect.networks.lan.net};
${lib.concatMapStrings (x: "allow ${x};") network.gdevices} allow ${config.architect.networks.tailscale.net};
deny all; deny all;
''; '';
}; };
@ -31,9 +33,9 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
users.groups.media.members = [ "prowlarr" ]; users.groups.media.members = [ "prowlarr" ];

13
hosts/architect/radarr.nix
View File

@ -1,9 +1,11 @@
{ lib, ... }: { config, lib, ... }:
let let
domain = "htrad.giugl.io"; domain = "htrad.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -24,10 +26,11 @@ in
}; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
users.groups.media.members = [ "radarr" ]; users.groups.media.members = [ "radarr" ];

13
hosts/architect/runas.nix
View File

@ -1,14 +1,17 @@
{ services, pkgs, lib, makeBinPath, ... }: { config, pkgs, lib, ... }:
let let
domain = "runas.rocks"; domain = "runas.rocks";
runas_root = "/var/lib/runas.rocks/dist"; runas_root = "/var/lib/runas.rocks/dist";
service_name = "runas.rocks-pull"; service_name = "runas.rocks-pull";
network = import ./network.nix;
mkStartScript = name: pkgs.writeShellScript "${name}.sh" '' mkStartScript = name: pkgs.writeShellScript "${name}.sh" ''
set -euo pipefail set -euo pipefail
cd ${runas_root} cd ${runas_root}
git pull origin main --rebase git pull origin main --rebase
''; '';
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services.nginx.virtualHosts.${domain} = { services.nginx.virtualHosts.${domain} = {
@ -39,8 +42,8 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
} }

12
hosts/architect/sonarr.nix
View File

@ -1,9 +1,11 @@
{ lib, ... }: { config, lib, ... }:
let let
domain = "htson.giugl.io"; domain = "htson.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -25,9 +27,9 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
users.groups.media.members = [ "sonarr" ]; users.groups.media.members = [ "sonarr" ];

6
hosts/architect/tailscale.nix
View File

@ -2,9 +2,9 @@
let let
domain = "devs.giugl.io"; domain = "devs.giugl.io";
# device.address device.hostname
generateDeviceStrings = devices: lib.concatStringsSep "\n" utilities = import ./utilities.nix { inherit lib config; };
(lib.mapAttrsToList (name: device: "${device.address} ${device.hostname}") devices); inherit (utilities) generateDeviceStrings;
in in
{ {
architect = { architect = {

13
hosts/architect/utilities.nix Normal file
View File

@ -0,0 +1,13 @@
{ config, lib, ... }:
{
# device.address device.hostname
generateDeviceStrings = devices: lib.concatStringsSep "\n"
(lib.mapAttrsToList (name: device: "${device.address} ${device.hostname}") devices);
getDeviceAddress = interface: device:
config.architect.networks.${interface}.devices.${device}.address;
architectInterfaceAddress = interface:
config.architect.networks.${interface}.devices.architect.address;
}

62
hosts/architect/wireguard.nix
View File

@ -4,11 +4,11 @@ let
listenPort = 1194; listenPort = 1194;
domain = "devs.giugl.io"; domain = "devs.giugl.io";
interface = "wireguard"; interface = "wireguard";
# device.address device.hostname
generateDeviceStrings = devices: lib.concatStringsSep "\n" utilities = import ./utilities.nix { inherit lib config; };
(lib.mapAttrsToList (name: device: "${device.address} ${device.hostname}") devices); inherit (utilities) generateDeviceStrings getDeviceAddress;
getDeviceAddress = device:
config.architect.networks.${interface}.devices.${device}.address; getWireguardDeviceAddress = getDeviceAddress "wireguard";
in in
{ {
architect = { architect = {
@ -65,150 +65,150 @@ in
peers = [ peers = [
{ {
# Antonio # Antonio
allowedIPs = [ (getDeviceAddress "antonio") ]; allowedIPs = [ (getWireguardDeviceAddress "antonio") ];
publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc="; publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc=";
} }
{ {
# GBEAST # GBEAST
allowedIPs = [ (getDeviceAddress "gbeast") ]; allowedIPs = [ (getWireguardDeviceAddress "gbeast") ];
publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI="; publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI=";
} }
{ {
# shield # shield
allowedIPs = [ (getDeviceAddress "shield") ]; allowedIPs = [ (getWireguardDeviceAddress "shield") ];
publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs="; publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs=";
} }
{ {
# salvatore # salvatore
allowedIPs = [ (getDeviceAddress "salvatore") ]; allowedIPs = [ (getWireguardDeviceAddress "salvatore") ];
publicKey = "fhlnBHeMyHZKLUCTSA9kmkKoM5x/qzz/rnCJrUh3Gzs="; publicKey = "fhlnBHeMyHZKLUCTSA9kmkKoM5x/qzz/rnCJrUh3Gzs=";
} }
{ {
# papa # papa
allowedIPs = [ (getDeviceAddress "papa") ]; allowedIPs = [ (getWireguardDeviceAddress "papa") ];
publicKey = "oGHygt02Oni3IFbScKD0NVEfHKCp6bpw68aq5g4RrAA="; publicKey = "oGHygt02Oni3IFbScKD0NVEfHKCp6bpw68aq5g4RrAA=";
} }
{ {
# defy # defy
allowedIPs = [ (getDeviceAddress "defy") ]; allowedIPs = [ (getWireguardDeviceAddress "defy") ];
publicKey = "Cvi/eto7E6Ef+aiL81ou7x12fJCeuXrf/go9fxEqXG4="; publicKey = "Cvi/eto7E6Ef+aiL81ou7x12fJCeuXrf/go9fxEqXG4=";
} }
{ {
# germano # germano
allowedIPs = [ (getDeviceAddress "germano") ]; allowedIPs = [ (getWireguardDeviceAddress "germano") ];
publicKey = "LJ0DHY1sFVLQb3ngUGGH0HxbDOPb9KCUPSaYcjr5Uiw="; publicKey = "LJ0DHY1sFVLQb3ngUGGH0HxbDOPb9KCUPSaYcjr5Uiw=";
} }
{ {
# flavio # flavio
allowedIPs = [ (getDeviceAddress "flavio") ]; allowedIPs = [ (getWireguardDeviceAddress "flavio") ];
publicKey = "Yg0P+yHi/9SZHyoel8jT9fmmu+irLYmT8yMp/CZoaSg="; publicKey = "Yg0P+yHi/9SZHyoel8jT9fmmu+irLYmT8yMp/CZoaSg=";
} }
{ {
# alain # alain
allowedIPs = [ (getDeviceAddress "alain") ]; allowedIPs = [ (getWireguardDeviceAddress "alain") ];
publicKey = "/o2msFJoUL4yovcIQJTU8c1faFtekrjSBBWJABouWno="; publicKey = "/o2msFJoUL4yovcIQJTU8c1faFtekrjSBBWJABouWno=";
} }
{ {
# dima # dima
allowedIPs = [ (getDeviceAddress "dima") ]; allowedIPs = [ (getWireguardDeviceAddress "dima") ];
publicKey = "svzWYIZ6v+cLCp/emGG7mx2YpBJqw2fqjVuHZy7b6H0="; publicKey = "svzWYIZ6v+cLCp/emGG7mx2YpBJqw2fqjVuHZy7b6H0=";
} }
{ {
# mikey # mikey
allowedIPs = [ (getDeviceAddress "mikey") ]; allowedIPs = [ (getWireguardDeviceAddress "mikey") ];
publicKey = "ewbDdX3z7nxG2aPIf9TogXkhxPlGipLFcy6XfyDC6gI="; publicKey = "ewbDdX3z7nxG2aPIf9TogXkhxPlGipLFcy6XfyDC6gI=";
} }
{ {
# andrew # andrew
allowedIPs = [ (getDeviceAddress "andrew") ]; allowedIPs = [ (getWireguardDeviceAddress "andrew") ];
publicKey = "LP/FgST9fmBQSoKQFq9sFGvjRFOtRooMcuEcjuqaoWM="; publicKey = "LP/FgST9fmBQSoKQFq9sFGvjRFOtRooMcuEcjuqaoWM=";
} }
{ {
# mikey laptop # mikey laptop
allowedIPs = [ (getDeviceAddress "mikeylaptop") ]; allowedIPs = [ (getWireguardDeviceAddress "mikeylaptop") ];
publicKey = "kz/pY/PgV+dwF1JZ2It4r5B5QfRSQM7HkbFCdvd5Yxk="; publicKey = "kz/pY/PgV+dwF1JZ2It4r5B5QfRSQM7HkbFCdvd5Yxk=";
} }
{ {
# andrew desktop # andrew desktop
allowedIPs = [ (getDeviceAddress "andrewdesktop") ]; allowedIPs = [ (getWireguardDeviceAddress "andrewdesktop") ];
publicKey = "rpYr3JNLIzxpxzFuQuaHFEl/XvPEPfwLbDETBP8KYXI="; publicKey = "rpYr3JNLIzxpxzFuQuaHFEl/XvPEPfwLbDETBP8KYXI=";
} }
{ {
# laptop desktop # laptop desktop
allowedIPs = [ (getDeviceAddress "jacopo") ]; allowedIPs = [ (getWireguardDeviceAddress "jacopo") ];
publicKey = "W/taWI79bPIKOolVVu5xZfiJnPw9K91Xn1zhcM0+4g0="; publicKey = "W/taWI79bPIKOolVVu5xZfiJnPw9K91Xn1zhcM0+4g0=";
} }
{ {
# frznn # frznn
allowedIPs = [ (getDeviceAddress "frznn") ]; allowedIPs = [ (getWireguardDeviceAddress "frznn") ];
publicKey = "dXcrdME6VnnE5PBYwvUmayf7cn2wpcExeCR9gIXOO0o="; publicKey = "dXcrdME6VnnE5PBYwvUmayf7cn2wpcExeCR9gIXOO0o=";
} }
{ {
# ludo # ludo
allowedIPs = [ (getDeviceAddress "ludo") ]; allowedIPs = [ (getWireguardDeviceAddress "ludo") ];
publicKey = "ecrxdzx7tQZwMPxZOjHUvxZT2xY79B6XEDIW+fhEtEM="; publicKey = "ecrxdzx7tQZwMPxZOjHUvxZT2xY79B6XEDIW+fhEtEM=";
} }
{ {
# parina # parina
allowedIPs = [ (getDeviceAddress "parina") ]; allowedIPs = [ (getWireguardDeviceAddress "parina") ];
publicKey = "7nubNnfGsg4/7KemMDn9r99mNK8RFU9uOFFqaYv6rUA="; publicKey = "7nubNnfGsg4/7KemMDn9r99mNK8RFU9uOFFqaYv6rUA=";
} }
{ {
# nilo # nilo
allowedIPs = [ (getDeviceAddress "nilo") ]; allowedIPs = [ (getWireguardDeviceAddress "nilo") ];
publicKey = "lhTEDJ9WnizvEHTd5kN21fTHF27HNk+fPLQnB1B3LW0="; publicKey = "lhTEDJ9WnizvEHTd5kN21fTHF27HNk+fPLQnB1B3LW0=";
} }
{ {
# parina ipad # parina ipad
allowedIPs = [ (getDeviceAddress "parina-ipad") ]; allowedIPs = [ (getWireguardDeviceAddress "parina-ipad") ];
publicKey = "ezkCzl2qC7Hd7rFKfqMa0JXDKRhVqy79H52rA06x7mU="; publicKey = "ezkCzl2qC7Hd7rFKfqMa0JXDKRhVqy79H52rA06x7mU=";
} }
{ {
# kcl vm # kcl vm
allowedIPs = [ (getDeviceAddress "kclvm") ]; allowedIPs = [ (getWireguardDeviceAddress "kclvm") ];
publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE="; publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE=";
} }
{ {
allowedIPs = [ (getDeviceAddress "framecca") ]; allowedIPs = [ (getWireguardDeviceAddress "framecca") ];
publicKey = "w0XPu5GcDA2vpNk3KCFRdWNVVQHRtAPApEsK1h3Ovyk="; publicKey = "w0XPu5GcDA2vpNk3KCFRdWNVVQHRtAPApEsK1h3Ovyk=";
} }
{ {
allowedIPs = [ (getDeviceAddress "framecca_one") ]; allowedIPs = [ (getWireguardDeviceAddress "framecca_one") ];
publicKey = "5PnmExv78fU3SS8liUWY/oBCcJ48wzmz/70O0U7K/xs="; publicKey = "5PnmExv78fU3SS8liUWY/oBCcJ48wzmz/70O0U7K/xs=";
} }
{ {
allowedIPs = [ (getDeviceAddress "framecca_two") ]; allowedIPs = [ (getWireguardDeviceAddress "framecca_two") ];
publicKey = "FbWfh2rL3OYLTDIte+MgctqL/bphn38eqpNy/chc3wM="; publicKey = "FbWfh2rL3OYLTDIte+MgctqL/bphn38eqpNy/chc3wM=";
} }
{ {
allowedIPs = [ (getDeviceAddress "framecca_three") ]; allowedIPs = [ (getWireguardDeviceAddress "framecca_three") ];
publicKey = "Z3LRFs6CO0kUh4J3pf+HcPsWch3hUAwJBG8/b0Kqnxs="; publicKey = "Z3LRFs6CO0kUh4J3pf+HcPsWch3hUAwJBG8/b0Kqnxs=";
} }
{ {
allowedIPs = [ (getDeviceAddress "framecca_four") ]; allowedIPs = [ (getWireguardDeviceAddress "framecca_four") ];
publicKey = "g/Ta12igzxSlCxy7KP865qf+l3+r1LjOo6UXjulmPBc="; publicKey = "g/Ta12igzxSlCxy7KP865qf+l3+r1LjOo6UXjulmPBc=";
} }
]; ];