From a015dc2a89b5bb654569ef2bcc476de630eed7af Mon Sep 17 00:00:00 2001
From: Giulio De Pasquale
Date: Sat, 11 Feb 2023 03:28:35 +0100
Subject: [PATCH] Removed wireguard devices, cleanup of network names
---
 hosts/architect/firewall.nix | 9 ++-------
 hosts/architect/home-assistant.nix | 2 +-
 hosts/architect/jellyfin.nix | 2 +-
 hosts/architect/minio.nix | 2 +-
 hosts/architect/network.nix | 8 ++------
 hosts/architect/prowlarr.nix | 2 +-
 hosts/architect/searx.nix | 3 ++-
 hosts/architect/transmission.nix | 2 +-
 8 files changed, 11 insertions(+), 19 deletions(-)
diff --git a/hosts/architect/firewall.nix b/hosts/architect/firewall.nix
index e592fe7..96e38c4 100644
--- a/hosts/architect/firewall.nix
+++ b/hosts/architect/firewall.nix
@@ -158,7 +158,7 @@ in {
 ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
 ip saddr ${lan-net} accept comment "lan > local"
 ip saddr ${tailscale-net} accept comment "tailscale > local"
- ip saddr {${lib.concatStringsSep "," gdevices-wg}} accept comment "vpn > local"
+ ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
 
 iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
 iifname ${wan-if} udp dport {${open_udp_ports}} accept
@@ -172,15 +172,10 @@ in {
 chain FORWARD {
 type filter hook forward priority filter; policy drop;
 ct state established,related accept
-
- # client to client
- ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${
- lib.concatStringsSep "," c2c-wg
- }} accept
 
 # gdevices talking to everyone in VPN
 ip saddr {${
- lib.concatStringsSep "," gdevices-wg
+ lib.concatStringsSep "," gdevices
 }} ip daddr ${vpn-net} accept
 ip saddr {${
 lib.concatStringsSep "," gamenet-wg
diff --git a/hosts/architect/home-assistant.nix b/hosts/architect/home-assistant.nix
index 3ac6ff3..5936300 100644
--- a/hosts/architect/home-assistant.nix
+++ b/hosts/architect/home-assistant.nix
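Review bot: In the INPUT hunk the rewritten rule `ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"` keeps a comment that no longer describes it: `gdevices` now holds Tailscale (`-ts`) addresses rather than VPN peers, and if `tailscale-net` covers the whole Tailscale range the rule is already subsumed by the `tailscale > local` accept one line above, so either drop it or retitle it `comment "gdevices (tailscale) > local"`. In the FORWARD hunk the analogous `ip saddr {${lib.concatStringsSep "," gdevices}} ip daddr ${vpn-net} accept` now forwards any packet carrying one of those Tailscale source addresses into `vpn-net` regardless of ingress interface; since the same chain already keys rules on `iifname ${wan-if}`, adding an `iifname` match on the Tailscale interface would tie the trusted source address to the interface it can legitimately arrive on. The stale `# gdevices talking to everyone in VPN` comment should likewise say Tailscale. The INPUT chain starts and the FORWARD chain ends outside the visible hunks.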
@@ -52,7 +52,7 @@ in {
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "upgrade";
 allow 10.0.0.0/24;
- ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
+ ${lib.concatMapStrings (x: "allow ${x};") network.gdevices}
 deny all;
 '';
 };
diff --git a/hosts/architect/jellyfin.nix b/hosts/architect/jellyfin.nix
index 1047dc0..c35d0ea 100644
--- a/hosts/architect/jellyfin.nix
+++ b/hosts/architect/jellyfin.nix
@@ -19,7 +19,7 @@ in
 nginx.virtualHosts.${domain} = {
 forceSSL = true;
 enableACME = true;
- extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices-wg; } +
+ extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices; } +
 ''
 # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
 #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
diff --git a/hosts/architect/minio.nix b/hosts/architect/minio.nix
index 6cfe40e..29a31f3 100644
--- a/hosts/architect/minio.nix
+++ b/hosts/architect/minio.nix
@@ -15,7 +15,7 @@ in {
 extraConfig = ''
 client_max_body_size 500M;
 allow 10.0.0.0/24;
- ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg }
+ ${lib.concatMapStrings (x: "allow ${x};") network.gdevices }
 allow ${network.manduria-wg};
 deny all;
 '';
diff --git a/hosts/architect/network.nix b/hosts/architect/network.nix
index fcb4da2..ef90a6c 100644
--- a/hosts/architect/network.nix
+++ b/hosts/architect/network.nix
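Review bot: The allow list in this vhost, `allow 10.0.0.0/24;` followed by `${lib.concatMapStrings (x: "allow ${x};") network.gdevices}` and `deny all;`, is now the Tailscale device set rather than the WireGuard peers it used to enumerate, so the trust boundary of this service changed under what reads like a rename; a one-line comment at the top of `extraConfig`, e.g. `# reachable only from the LAN and from the Tailscale addresses in network.gdevices`, would make that explicit. The same block is repeated verbatim in the minio.nix, prowlarr.nix and transmission.nix hunks (minio additionally keeps `allow ${network.manduria-wg};`), while jellyfin.nix already routes the same set through `auth_block { whitelisted_ips = ...; }`; factoring the allow/deny block into one helper would stop the four copies drifting. The LAN range is also hard-coded as `10.0.0.0/24` here while firewall.nix refers to it as `${lan-net}`; if network.nix exports that value, `allow ${network.lan-net};` keeps them in step. The enclosing `virtualHosts` attribute set starts outside the hunk.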
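Review bot: `allow ${network.manduria-wg};` leaves a single WireGuard peer in an allow list that is otherwise now the Tailscale set `network.gdevices`, which sits oddly with the commit title's removal of WireGuard devices. The network.nix hunk removes `gdevices-wg`, `routers-wg` and `c2c-wg` but not `manduria-wg`, so the reference presumably still resolves; if the exception is deliberate, a comment on that line such as `# manduria still reaches minio over WireGuard, not Tailscale` records it, otherwise it should go with the rest. The enclosing virtualHost set starts outside the hunk.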
@@ -62,12 +62,8 @@ rec {
 dodino-ts = "100.106.244.35";
 
 # groups
- gdevices-wg =
- [ giuliopc-wg giuliophone-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg;
- routers-wg = [ hotpottino-wg angellane-wg dodino-wg ];
- c2c-wg = [ ] ++ gdevices-wg;
- towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg framecca-wg ]
- ++ gdevices-wg ++ routers-wg;
+ gdevices = [ giuliophone-ts architect-ts giuliopc-ts dodino-ts ];
+ towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg framecca-wg ];
 gamenet-wg = [
 andrew-wg
 giuliopc-wg
diff --git a/hosts/architect/prowlarr.nix b/hosts/architect/prowlarr.nix
index 37dce74..ac52d62 100644
--- a/hosts/architect/prowlarr.nix
+++ b/hosts/architect/prowlarr.nix
@@ -14,7 +14,7 @@ in {
 proxyPass = "http://127.0.0.1:9696";
 extraConfig = ''
 allow 10.0.0.0/24;
- ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
+ ${lib.concatMapStrings (x: "allow ${x};") network.gdevices}
 deny all;
 '';
 };
diff --git a/hosts/architect/searx.nix b/hosts/architect/searx.nix
index 97b304b..4e87a91 100644
--- a/hosts/architect/searx.nix
+++ b/hosts/architect/searx.nix
@@ -9,7 +9,8 @@ in
 redis.servers."searx" = { enable = true; port = 4456; };
 searx = {
 enable = true;
- package = mach-nix.buildPythonPackage "https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206";
+ package = pkgs.searxng;
+# package = mach-nix.buildPythonPackage "https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206";
 environmentFile = /secrets/searx/env;
 settings = {
diff --git a/hosts/architect/transmission.nix b/hosts/architect/transmission.nix
index 6147af9..d2615c2 100644
--- a/hosts/architect/transmission.nix
+++ b/hosts/architect/transmission.nix
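Review bot: The new `gdevices = [ giuliophone-ts architect-ts giuliopc-ts dodino-ts ];` includes `architect-ts`, which by this repository's layout (`hosts/architect/`) appears to be this host's own Tailscale address; since `gdevices` is consumed as a trusted-client set by the firewall accept rules and the nginx allow lists, confirm the host is meant to whitelist itself and record it, e.g. `# trusted client devices (Tailscale addresses); architect-ts is this host`. The name also drops the transport suffix every other group keeps (`towan-wg`, `gamenet-wg`), so `gdevices-ts` would tell readers at each use site that these are Tailscale, not WireGuard, addresses. Note that `towan-wg` no longer appends `gdevices-wg ++ routers-wg`, so any rule built on `towan-wg` now excludes those devices — presumably intended, but worth a line in the commit message. The enclosing `rec { ... }` set starts and ends outside the hunk.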
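Review bot: The added `# package = mach-nix.buildPythonPackage "..."` line keeps dead code whose argument is the same searxng commit URL pasted twice; if the old pin is worth remembering, a short comment naming it (`# previously pinned to searxng commit 2cf1425e via mach-nix`) is clearer than the commented-out call, otherwise delete the line. Switching to `package = pkgs.searxng;` means the version now follows the nixpkgs input instead of a fixed upstream commit, which is the better default for picking up fixes, but that trade-off belongs in the commit message. Unchanged context, but it concerns a secrets file: `environmentFile = /secrets/searx/env;` is a Nix path literal, and if the module ever interpolates it into a string Nix copies the file into the world-readable store, whereas the string form `"/secrets/searx/env"` cannot be copied that way. The `searx = { ... }` set ends outside the hunk.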
@@ -27,7 +27,7 @@ in {
 proxyPass = "http://127.0.0.1:9091";
 extraConfig = ''
 allow 10.0.0.0/24;
- ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
+ ${lib.concatMapStrings (x: "allow ${x};") network.gdevices}
 deny all;
 '';
 };