From bdebb2c35a04da36f0816f670e911fb760648eaf Mon Sep 17 00:00:00 2001
From: Giulio De Pasquale
Date: Mon, 11 Oct 2021 11:31:21 +0200
Subject: [PATCH] removed giugl.io name from services. added encryption to telegram, support for proxy
---
 hosts/architect/bazarr.nix | 1 -
 hosts/architect/default.nix | 14 ++++----------
 hosts/architect/dns.nix | 1 +
 hosts/architect/firewall.nix | 2 ++
 hosts/architect/gitea.nix | 2 +-
 hosts/architect/jellyfin.nix | 6 ++++--
 hosts/architect/matrix.nix | 15 ++++++++++++---
 hosts/architect/minio.nix | 1 -
 hosts/architect/network.nix | 6 +++++-
 hosts/architect/nextcloud.nix | 1 -
 hosts/architect/nzbget.nix | 1 -
 hosts/architect/plex.nix | 1 -
 hosts/architect/prowlarr.nix | 1 -
 hosts/architect/radarr.nix | 1 -
 hosts/architect/sonarr.nix | 1 -
 hosts/architect/wireguard.nix | 15 ++++++++++++++-
 16 files changed, 43 insertions(+), 26 deletions(-)
diff --git a/hosts/architect/bazarr.nix b/hosts/architect/bazarr.nix
index 8006250..483f8f1 100644
--- a/hosts/architect/bazarr.nix
+++ b/hosts/architect/bazarr.nix
@@ -18,7 +18,6 @@ with import ./network.nix;
 };
 networking.extraHosts = ''
- 127.0.0.1 ${bazarrdomain}
 ${architect-lan} ${bazarrdomain}
 ${architect-wg} ${bazarrdomain}
 '';
diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix
index 3c2118b..866c6ec 100644
--- a/hosts/architect/default.nix
+++ b/hosts/architect/default.nix
@@ -27,7 +27,7 @@ in
 ./fail2ban.nix
 ./dns.nix
 ./minecraft.nix
- ./prowlarr.nix
+# ./prowlarr.nix
 ./plex.nix
 ];
@@ -87,18 +87,17 @@ in
 wlp4s0.useDHCP = false;
 };
 extraHosts = ''
- 127.0.0.1 ${hostname}.devs.giugl.io giugl.io localhost
+ 127.0.0.1 ${hostname}.devs.giugl.io localhost
 # LAN
- ${architect-lan} ${hostname}.devs.giugl.io giugl.io
+ ${architect-lan} ${hostname}.devs.giugl.io
- 10.0.0.1 router.devs.giugl.io
 ${dvr-lan} dvr.devs.giugl.io
 ${nas-lan} nas.devs.giugl.io
 ${giupi-lan} giupi.devs.giugl.io
 # Wireguard hosts
- ${architect-wg} ${hostname}.devs.giugl.io giugl.io
+ ${architect-wg} ${hostname}.devs.giugl.io
 ${galuminum-wg} galuminum.devs.giugl.io
 ${oneplus-wg} oneplus.devs.giugl.io
 ${ipad-wg} ipad.devs.giugl.io
@@ -143,11 +142,6 @@ in
 0.0.0.0 analytics.oneplus.cn
 0.0.0.0 click.oneplus.cn
 0.0.0.0 analytics-api.samsunghealthcn.com
-
- # The following lines are desirable for IPv6 capable hosts
- ::1 localhost ip6-localhost ip6-loopback
- ff02::1 ip6-allnodes
- ff02::2 ip6-allrouters
 '';
 };
diff --git a/hosts/architect/dns.nix b/hosts/architect/dns.nix
index 7350ae5..f1d354c 100644
--- a/hosts/architect/dns.nix
+++ b/hosts/architect/dns.nix
@@ -16,6 +16,7 @@
 enable= true;
 port = 3031;
 };
+
 dnscrypt-proxy2 = {
 enable = true;
 settings = {
diff --git a/hosts/architect/firewall.nix b/hosts/architect/firewall.nix
index ed2d898..5062a37 100644
--- a/hosts/architect/firewall.nix
+++ b/hosts/architect/firewall.nix
@@ -61,6 +61,7 @@ in {
 iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}"
 iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}"
 iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
+ iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}"
 iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
 iifname "lo" accept comment "bind any ip to intf lo"
 jump mangle_drop
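Review bot: Removing `::1 localhost ip6-localhost ip6-loopback` together with the `ff02::1`/`ff02::2` entries in the second default.nix hunk is not covered by the commit message and changes IPv6 loopback name resolution for every service on the host. I believe the NixOS-generated /etc/hosts still supplies `::1 localhost` by itself, but the `ip6-localhost`/`ip6-loopback` aliases and the multicast names are gone after this change; confirm nothing on the host resolves them, or keep the `::1 localhost ip6-localhost ip6-loopback` line. The `extraHosts` string continues outside the hunk.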
@@ -115,6 +116,7 @@ in {
 ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
 ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
 ip saddr ${lan-net} accept comment "lan > local"
+ ip saddr ${proxy-wg} accept comment "proxy > local"
 iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
 iifname ${wan-if} udp dport {${open_udp_ports}} accept
diff --git a/hosts/architect/gitea.nix b/hosts/architect/gitea.nix
index 54875e4..a3c627b 100644
--- a/hosts/architect/gitea.nix
+++ b/hosts/architect/gitea.nix
@@ -20,13 +20,13 @@ with import ./network.nix;
 allow 127.0.0.1;
 allow 10.0.0.0/24;
 allow 10.3.0.0/24;
+ allow 10.4.0.0/24;
 deny all;
 '';
 };
 };
 networking.extraHosts = ''
- 127.0.0.1 ${gitdomain}
 ${architect-lan} ${gitdomain}
 ${architect-wg} ${gitdomain}
 '';
diff --git a/hosts/architect/jellyfin.nix b/hosts/architect/jellyfin.nix
index 0f28f2c..0d2a45a 100644
--- a/hosts/architect/jellyfin.nix
+++ b/hosts/architect/jellyfin.nix
@@ -8,7 +8,10 @@ with import ./network.nix;
 ];
 services = {
- jellyfin.enable = true;
+ jellyfin = {
+ enable = true;
+ package = pkgs.unstable.jellyfin;
+ };
 nginx.virtualHosts.${mediadomain} = {
 forceSSL = true;
@@ -25,7 +28,6 @@ with import ./network.nix;
 };
 networking.extraHosts = ''
- 127.0.0.1 ${mediadomain}
 ${architect-lan} ${mediadomain}
 ${architect-wg} ${mediadomain}
 '';
diff --git a/hosts/architect/matrix.nix b/hosts/architect/matrix.nix
index d4f7a83..60d6eaf 100644
--- a/hosts/architect/matrix.nix
+++ b/hosts/architect/matrix.nix
@@ -10,7 +10,7 @@ with import ./network.nix;
 public_baseurl = "https://${matrixdomain}";
 registration_shared_secret = "runas!";
 dynamic_thumbnails = true;
- #enable_registration = true;
+# enable_registration = true;
 app_service_config_files = [
 "/var/lib/matrix-synapse/discord-registration.yaml"
 "/var/lib/matrix-synapse/telegram-registration.yaml"
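Review bot: `ip saddr ${proxy-wg} accept comment "proxy > local"` in the firewall input chain gives the remote proxy peer the same unrestricted reach into every local port that `lan-net` has, so a compromise of the host behind `giugl.io:1195` exposes all services on architect rather than only the ones the proxy fronts. Limiting the rule to what the proxy actually forwards, e.g. `ip saddr ${proxy-wg} tcp dport { <PROXIED_PORTS> } accept comment "proxy > local"` (ports to be filled in from the proxy's configuration), keeps the blast radius to those services, and the same pattern as the existing `tcp dport {${open_tcp_ports}}` rule fits the file. The anti-spoofing rule added in the previous firewall hunk binds the whole `${proxy-net}` /24 to the interface, and gitea.nix adds `allow 10.4.0.0/24;`, although the WireGuard peer's allowedIPs admit only 10.4.0.1/32; using `${proxy-wg}` in both keeps policy in step with what the tunnel can actually deliver. The enclosing `in {` block starts outside the hunk.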
@@ -37,6 +37,12 @@ with import ./network.nix;
 ];
 }
 ];
+ turn_uris = [
+ "turns:turn.giugl.io:5349?transport=udp"
+ "turns:turn.giugl.io:5349?transport=tcp"
+ ];
+ turn_shared_secret = "69duck duck fuck420";
+ turn_user_lifetime = "1h";
 };
 postgresql = {
@@ -159,6 +165,11 @@ with import ./network.nix;
 background = "020202"; # only for gif, transparency not supported
 };
 };
+
+ encryption = {
+ allow = true;
+ default = true;
+ };
 };
 };
 };
@@ -171,10 +182,8 @@ systemd.services.mautrix-telegram.path = with pkgs; [
 ];
 networking.extraHosts = ''
- 127.0.0.1 ${matrixdomain} ${matrixwebdomain}
 ${architect-lan} ${matrixdomain} ${matrixwebdomain}
 ${architect-wg} ${matrixdomain} ${matrixwebdomain}
 '';
-users.groups.acme.members = [ "turnserver" ];
 }
diff --git a/hosts/architect/minio.nix b/hosts/architect/minio.nix
index 5f9722c..bb499e5 100644
--- a/hosts/architect/minio.nix
+++ b/hosts/architect/minio.nix
@@ -18,7 +18,6 @@ with import ./network.nix;
 };
 networking.extraHosts = ''
- 127.0.0.1 ${miniodomain}
 ${architect-lan} ${miniodomain}
 ${architect-wg} ${miniodomain}
 '';
diff --git a/hosts/architect/network.nix b/hosts/architect/network.nix
index 72d84bf..69459d0 100644
--- a/hosts/architect/network.nix
+++ b/hosts/architect/network.nix
@@ -2,10 +2,12 @@ rec {
 # interfaces
 wan-if = "enp5s0";
 vpn-if = "wg0";
+ proxy-if = "proxy";
 # nets
 lan-net = "10.0.0.0/24";
 vpn-net = "10.3.0.0/24";
+ proxy-net = "10.4.0.0/24";
 external_lan-net = "192.168.1.0/24";
 # ips
@@ -13,7 +15,8 @@ rec {
 nas-lan = "10.0.0.3";
 architect-lan = "10.0.0.250";
 giupi-lan = "10.0.0.251";
-
+
+ proxy-wg = "10.4.0.1";
 architect-wg = "10.3.0.1";
 galuminum-wg = "10.3.0.2";
 oneplus-wg = "10.3.0.3";
@@ -63,4 +66,5 @@ rec {
 matrixdomain = "matrix.giugl.io";
 matrixwebdomain = "chat.giugl.io";
 prowlarrdomain = "htpro.giugl.io";
+ jupyterdomain = "labs.giugl.io";
 }
diff --git a/hosts/architect/nextcloud.nix b/hosts/architect/nextcloud.nix
index a6ca9e8..0f629ba 100644
--- a/hosts/architect/nextcloud.nix
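Review bot: `turn_shared_secret = "69duck duck fuck420";` commits a live credential to the repository, and because the synapse settings are rendered into the generated homeserver config in the Nix store it also becomes world-readable on the host. The repo already keeps the WireGuard key out of the store with `privateKeyFile = "/secrets/wireguard/proxy.key"`; the TURN secret should be supplied the same way, from a file under that path passed via the synapse module's `extraConfigFiles`, and the `registration_shared_secret = "runas!"` visible as context in the first matrix.nix hunk has the same problem. Treat the committed value as exposed and rotate it on the TURN server. Since `users.groups.acme.members = [ "turnserver" ];` is removed in the last matrix.nix hunk while `turns:` URIs are introduced here, confirm that coturn, if it runs on this host, still has access to the TLS certificate TURNS needs. The enclosing `settings` attribute set starts outside the hunk.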
+++ b/hosts/architect/nextcloud.nix
@@ -40,7 +40,6 @@ with import ./network.nix;
 };
 networking.extraHosts = ''
- 127.0.0.1 ${clouddomain}
 ${architect-lan} ${clouddomain}
 ${architect-wg} ${clouddomain}
 '';
diff --git a/hosts/architect/nzbget.nix b/hosts/architect/nzbget.nix
index 174ec5f..42dbe52 100644
--- a/hosts/architect/nzbget.nix
+++ b/hosts/architect/nzbget.nix
@@ -18,7 +18,6 @@ with import ./network.nix;
 };
 networking.extraHosts = ''
- 127.0.0.1 ${nzbgetdomain}
 ${architect-lan} ${nzbgetdomain}
 ${architect-wg} ${nzbgetdomain}
 '';
diff --git a/hosts/architect/plex.nix b/hosts/architect/plex.nix
index f3f02ab..aae9147 100644
--- a/hosts/architect/plex.nix
+++ b/hosts/architect/plex.nix
@@ -78,7 +78,6 @@ with import ./network.nix;
 };
 networking.extraHosts = ''
- 127.0.0.1 ${mediadomain}
 ${architect-lan} ${mediadomain}
 ${architect-wg} ${mediadomain}
 '';
diff --git a/hosts/architect/prowlarr.nix b/hosts/architect/prowlarr.nix
index 8a98bd3..c722a6f 100644
--- a/hosts/architect/prowlarr.nix
+++ b/hosts/architect/prowlarr.nix
@@ -26,7 +26,6 @@ with import ./network.nix;
 };
 networking.extraHosts = ''
- 127.0.0.1 ${prowlarrdomain}
 ${architect-lan} ${prowlarrdomain}
 ${architect-wg} ${prowlarrdomain}
 '';
diff --git a/hosts/architect/radarr.nix b/hosts/architect/radarr.nix
index 956514f..c48c1bc 100644
--- a/hosts/architect/radarr.nix
+++ b/hosts/architect/radarr.nix
@@ -18,7 +18,6 @@ with import ./network.nix;
 };
 networking.extraHosts = ''
- 127.0.0.1 ${radarrdomain}
 ${architect-lan} ${radarrdomain}
 ${architect-wg} ${radarrdomain}
 '';
diff --git a/hosts/architect/sonarr.nix b/hosts/architect/sonarr.nix
index c7b7924..b3ccb77 100644
--- a/hosts/architect/sonarr.nix
+++ b/hosts/architect/sonarr.nix
@@ -18,7 +18,6 @@ with import ./network.nix;
 };
 networking.extraHosts = ''
- 127.0.0.1 ${sonarrdomain}
 ${architect-lan} ${sonarrdomain}
 ${architect-wg} ${sonarrdomain}
 '';
diff --git a/hosts/architect/wireguard.nix b/hosts/architect/wireguard.nix
index 6cc0d03..b8e2375 100644
--- a/hosts/architect/wireguard.nix
+++ b/hosts/architect/wireguard.nix
@@ -1,6 +1,19 @@
 with import ./network.nix;
 {
 networking.wireguard = {
+ interfaces.${proxy-if} = {
+ ips = ["10.4.0.2/32"];
+ privateKeyFile = "/secrets/wireguard/proxy.key";
+ peers = [
+ {
+ publicKey = "WmJBpXpYebcmJEF8nVTKMqQK01KyBe42vzc38K66rVs=";
+ allowedIPs = ["10.4.0.1/32"];
+ endpoint = "giugl.io:1195";
+ persistentKeepalive = 21;
+ }
+ ];
+ };
+
 interfaces.${vpn-if} = {
 listenPort = 1194;
 ips = ["10.3.0.1/24"];
@@ -140,7 +153,7 @@ with import ./network.nix;
 {
 # defy
 allowedIPs = [defy-wg];
- publicKey = "wEkDNap9/qmkGd0a0PN8ANHgXgxwp+ZdmDW1CmIl4kM=";
+ publicKey = "Cvi/eto7E6Ef+aiL81ou7x12fJCeuXrf/go9fxEqXG4=";
 }
 {
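Review bot: `endpoint = "giugl.io:1195";` in the new `interfaces.${proxy-if}` block is resolved when the interface is configured, and this same commit drops the static `giugl.io` entries from `extraHosts` in default.nix, so bringing up the proxy tunnel now depends on the resolver (dnscrypt-proxy2 on this host) being reachable at that moment; if the lookup fails the interface presumably stays without a peer endpoint until the unit is restarted — confirm the unit ordering or use the peer's IP literal. Keeping the key in `privateKeyFile = "/secrets/wireguard/proxy.key"` rather than in the store is the right choice and matches what the rest of the file does. A comment such as `# proxy: tunnel to the public reverse proxy; only 10.4.0.1 is routed over it` above the block would record why this interface, unlike `${vpn-if}`, has no listenPort and a single /32 peer. The `networking.wireguard` attribute set continues outside the hunk.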