Removed wireguard devices, cleanup of network names

This commit is contained in:
Giulio De Pasquale 2023-02-11 03:28:35 +01:00
parent 1990ed8a65
commit a015dc2a89
8 changed files with 11 additions and 19 deletions


@ -158,7 +158,7 @@ in {
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
ip saddr ${lan-net} accept comment "lan > local" ip saddr ${lan-net} accept comment "lan > local"
ip saddr ${tailscale-net} accept comment "tailscale > local" ip saddr ${tailscale-net} accept comment "tailscale > local"
ip saddr {${lib.concatStringsSep "," gdevices-wg}} accept comment "vpn > local" ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
iifname ${wan-if} tcp dport {${open_tcp_ports}} accept iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
iifname ${wan-if} udp dport {${open_udp_ports}} accept iifname ${wan-if} udp dport {${open_udp_ports}} accept
@ -172,15 +172,10 @@ in {
chain FORWARD { chain FORWARD {
type filter hook forward priority filter; policy drop; type filter hook forward priority filter; policy drop;
ct state established,related accept ct state established,related accept
# client to client
ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${
lib.concatStringsSep "," c2c-wg
}} accept
# gdevices talking to everyone in VPN # gdevices talking to everyone in VPN
ip saddr {${ ip saddr {${
lib.concatStringsSep "," gdevices-wg lib.concatStringsSep "," gdevices
}} ip daddr ${vpn-net} accept }} ip daddr ${vpn-net} accept
ip saddr {${ ip saddr {${
lib.concatStringsSep "," gamenet-wg lib.concatStringsSep "," gamenet-wg
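Review bot: The FORWARD rule under `# gdevices talking to everyone in VPN` now keys on bare `ip saddr` from a list that holds Tailscale addresses (the group is built from `*-ts` hosts such as `dodino-ts = "100.106.244.35"`), with no `iifname`, so any interface able to present a 100.x source address matches it; binding it to the tunnel, e.g. `iifname "tailscale0" ip saddr {${lib.concatStringsSep "," gdevices}} ip daddr ${vpn-net} accept` (substitute whatever interface name the file uses), keeps the allowlist tied to the overlay the way WireGuard's per-peer AllowedIPs presumably did before. In the input chain, `ip saddr ${tailscale-net} accept` two lines above the changed rule already admits every Tailscale source if `tailscale-net` is the 100.64.0.0/10 range, which makes the `"vpn > local"` rule redundant there and its comment stale; either drop it or relabel it `comment "tailscale gdevices > local"`. The FORWARD chain continues past the end of this hunk.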


@ -52,7 +52,7 @@ in {
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
allow 10.0.0.0/24; allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg} ${lib.concatMapStrings (x: "allow ${x};") network.gdevices}
deny all; deny all;
''; '';
}; };


@ -19,7 +19,7 @@ in
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices-wg; } + extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices; } +
'' ''
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";


@ -15,7 +15,7 @@ in {
extraConfig = '' extraConfig = ''
client_max_body_size 500M; client_max_body_size 500M;
allow 10.0.0.0/24; allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg } ${lib.concatMapStrings (x: "allow ${x};") network.gdevices }
allow ${network.manduria-wg}; allow ${network.manduria-wg};
deny all; deny all;
''; '';
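Review bot: `allow ${network.manduria-wg};` on the line after the renamed group still allowlists a `-wg` host although this commit removes the WireGuard device lists; the network hunk shows `gamenet-wg` surviving but `manduria-wg` is not visible there, so confirm it still exists and is still meant to be trusted here. If it was removed with the rest, evaluation fails on the missing attribute; if its WireGuard address is later reused by another peer, this vhost keeps trusting the old IP. Four vhosts in this commit repeat the same `allow 10.0.0.0/24; … deny all;` block by hand while the jellyfin host goes through `auth_block { whitelisted_ips = …; }`; routing this one through the same helper would keep the allowlists in one place. The enclosing virtualHost attribute set continues past the end of the hunk.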


@ -62,12 +62,8 @@ rec {
dodino-ts = "100.106.244.35"; dodino-ts = "100.106.244.35";
# groups # groups
gdevices-wg = gdevices = [ giuliophone-ts architect-ts giuliopc-ts dodino-ts ];
[ giuliopc-wg giuliophone-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg; towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg framecca-wg ];
routers-wg = [ hotpottino-wg angellane-wg dodino-wg ];
c2c-wg = [ ] ++ gdevices-wg;
towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg framecca-wg ]
++ gdevices-wg ++ routers-wg;
gamenet-wg = [ gamenet-wg = [
andrew-wg andrew-wg
giuliopc-wg giuliopc-wg
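Review bot: `gdevices` now holds Tailscale addresses (`*-ts`, e.g. `dodino-ts = "100.106.244.35"`) while its sibling groups keep the `-wg` suffix, so the name no longer tells a consumer which overlay it is trusting; since the nftables and nginx rules that take this list treat it as a set of trusted source addresses, either rename it `gdevices-ts` or put a comment above it: `# Tailscale node addresses (100.64.0.0/10) of devices trusted for local services; keep inside tailscale-net`. `towan-wg` also silently loses the `gdevices-wg ++ routers-wg` members it had before; if any service still whitelists `towan-wg` expecting those hosts, that is a permission change the commit message does not mention. The `gamenet-wg` list continues past the end of the hunk.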


@ -14,7 +14,7 @@ in {
proxyPass = "http://127.0.0.1:9696"; proxyPass = "http://127.0.0.1:9696";
extraConfig = '' extraConfig = ''
allow 10.0.0.0/24; allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg} ${lib.concatMapStrings (x: "allow ${x};") network.gdevices}
deny all; deny all;
''; '';
}; };


@ -9,7 +9,8 @@ in
redis.servers."searx" = { enable = true; port = 4456; }; redis.servers."searx" = { enable = true; port = 4456; };
searx = { searx = {
enable = true; enable = true;
package = mach-nix.buildPythonPackage "https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206"; package = pkgs.searxng;
# package = mach-nix.buildPythonPackage "https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206";
environmentFile = /secrets/searx/env; environmentFile = /secrets/searx/env;
settings = { settings = {
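Review bot: The commented-out `mach-nix.buildPythonPackage` line kept under the new `package = pkgs.searxng;` is dead configuration and its URL is duplicated (the commit hash is followed by a second copy of the URL), so it is not usable even as a reference; drop it and record the previous pin in a one-line comment instead, e.g. `# previously built from searxng commit 2cf1425e via mach-nix`. Moving to `pkgs.searxng` means the version now follows the nixpkgs input rather than a pinned upstream commit, so make sure that input is locked. `environmentFile = /secrets/searx/env;` is a Nix path literal; if the searx module interpolates it into a string rather than `toString`ing it, the secret file is copied into the world-readable Nix store, so the quoted string form `"/secrets/searx/env"` is the safer spelling. The `settings` attribute set continues past the end of the hunk.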


@ -27,7 +27,7 @@ in {
proxyPass = "http://127.0.0.1:9091"; proxyPass = "http://127.0.0.1:9091";
extraConfig = '' extraConfig = ''
allow 10.0.0.0/24; allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg} ${lib.concatMapStrings (x: "allow ${x};") network.gdevices}
deny all; deny all;
''; '';
}; };