removed giugl.io name from services. added encryption to telegram, support for proxy

2021-10-11 11:31:21 +02:00 · 2021-10-11 11:31:21 +02:00 · bdebb2c35a
commit bdebb2c35a
parent d4844525c5
16 changed files with 43 additions and 26 deletions
--- a/hosts/architect/bazarr.nix
+++ b/hosts/architect/bazarr.nix
@ -18,7 +18,6 @@ with import ./network.nix;
  };
  networking.extraHosts = ''
    127.0.0.1 ${bazarrdomain}
    ${architect-lan} ${bazarrdomain}
    ${architect-wg} ${bazarrdomain}
  '';
--- a/hosts/architect/default.nix
+++ b/hosts/architect/default.nix
@ -27,7 +27,7 @@ in
      ./fail2ban.nix
      ./dns.nix
      ./minecraft.nix
-      ./prowlarr.nix
+#      ./prowlarr.nix
      ./plex.nix
    ];
@ -87,18 +87,17 @@ in
        wlp4s0.useDHCP = false;
      };
      extraHosts = ''
-        127.0.0.1      ${hostname}.devs.giugl.io giugl.io localhost
+        127.0.0.1      ${hostname}.devs.giugl.io localhost
        # LAN
-        ${architect-lan} ${hostname}.devs.giugl.io giugl.io
+        ${architect-lan} ${hostname}.devs.giugl.io
        10.0.0.1       router.devs.giugl.io
        ${dvr-lan}      dvr.devs.giugl.io
        ${nas-lan}      nas.devs.giugl.io
        ${giupi-lan}    giupi.devs.giugl.io
        # Wireguard hosts
-        ${architect-wg} ${hostname}.devs.giugl.io giugl.io
+        ${architect-wg} ${hostname}.devs.giugl.io
        ${galuminum-wg}        galuminum.devs.giugl.io
        ${oneplus-wg}  oneplus.devs.giugl.io
        ${ipad-wg}     ipad.devs.giugl.io
@ -143,11 +142,6 @@ in
        0.0.0.0                analytics.oneplus.cn
        0.0.0.0                click.oneplus.cn
        0.0.0.0        analytics-api.samsunghealthcn.com
        # The following lines are desirable for IPv6 capable hosts
        ::1     localhost ip6-localhost ip6-loopback
        ff02::1 ip6-allnodes
        ff02::2 ip6-allrouters
      '';
    };
--- a/hosts/architect/dns.nix
+++ b/hosts/architect/dns.nix
@ -16,6 +16,7 @@
      enable= true;
      port = 3031;
    };
    dnscrypt-proxy2 = {
      enable = true;
      settings = {
--- a/hosts/architect/firewall.nix
+++ b/hosts/architect/firewall.nix
@ -61,6 +61,7 @@ in {
            iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}"
            iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}"
            iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
            iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}"
            iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
            iifname "lo" accept comment "bind any ip to intf lo"
            jump mangle_drop
@ -115,6 +116,7 @@ in {
            ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
            ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
            ip saddr ${lan-net} accept comment "lan > local"
 	    ip saddr ${proxy-wg} accept comment "proxy > local"
            iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
            iifname ${wan-if} udp dport {${open_udp_ports}} accept
--- a/hosts/architect/gitea.nix
+++ b/hosts/architect/gitea.nix
@ -20,13 +20,13 @@ with import ./network.nix;
          allow 127.0.0.1;
          allow 10.0.0.0/24;
          allow 10.3.0.0/24;
 	  allow 10.4.0.0/24;
          deny all;
      '';
    };
  };
  networking.extraHosts = ''
    127.0.0.1 ${gitdomain}
    ${architect-lan} ${gitdomain}
    ${architect-wg} ${gitdomain}
  '';
--- a/hosts/architect/jellyfin.nix
+++ b/hosts/architect/jellyfin.nix
@ -8,7 +8,10 @@ with import ./network.nix;
  ];
  services = {
-    jellyfin.enable = true;
+    jellyfin = {
 	enable = true;
 	package = pkgs.unstable.jellyfin;
    };
    nginx.virtualHosts.${mediadomain} = {
      forceSSL = true;
@ -25,7 +28,6 @@ with import ./network.nix;
  };
  networking.extraHosts = ''
    127.0.0.1 ${mediadomain}
    ${architect-lan} ${mediadomain}
    ${architect-wg} ${mediadomain}
  '';
--- a/hosts/architect/matrix.nix
+++ b/hosts/architect/matrix.nix
@ -10,7 +10,7 @@ with import ./network.nix;
      public_baseurl = "https://${matrixdomain}";
      registration_shared_secret = "runas!";
      dynamic_thumbnails = true;
-      #enable_registration = true;
+#      enable_registration = true;
      app_service_config_files = [ 
        "/var/lib/matrix-synapse/discord-registration.yaml" 
        "/var/lib/matrix-synapse/telegram-registration.yaml" 
@ -37,6 +37,12 @@ with import ./network.nix;
          ];
        }
      ];
      turn_uris = [ 
      "turns:turn.giugl.io:5349?transport=udp" 
      "turns:turn.giugl.io:5349?transport=tcp"
      ];
    turn_shared_secret = "69duck duck fuck420";
    turn_user_lifetime = "1h";
    };
    postgresql = {
@ -159,6 +165,11 @@ with import ./network.nix;
            background = "020202";  # only for gif, transparency not supported
          };
        };
 	encryption = {
 	  allow = true;
 	  default = true;
 	};
      };
    };
  };
@ -171,10 +182,8 @@ systemd.services.mautrix-telegram.path = with pkgs; [
 ];
 networking.extraHosts = ''
        127.0.0.1 ${matrixdomain} ${matrixwebdomain}
        ${architect-lan} ${matrixdomain} ${matrixwebdomain}
        ${architect-wg} ${matrixdomain} ${matrixwebdomain}
 '';
 users.groups.acme.members = [ "turnserver" ];
 }
--- a/hosts/architect/minio.nix
+++ b/hosts/architect/minio.nix
@ -18,7 +18,6 @@ with import ./network.nix;
  };
  networking.extraHosts = ''
    127.0.0.1 ${miniodomain}
    ${architect-lan} ${miniodomain}
    ${architect-wg} ${miniodomain}
  '';
--- a/hosts/architect/network.nix
+++ b/hosts/architect/network.nix
@ -2,10 +2,12 @@ rec {
  # interfaces
  wan-if           = "enp5s0";
  vpn-if           = "wg0";
  proxy-if	   = "proxy";
  # nets
  lan-net          = "10.0.0.0/24";
  vpn-net          = "10.3.0.0/24";
  proxy-net	   = "10.4.0.0/24";
  external_lan-net = "192.168.1.0/24";
  # ips
@ -14,6 +16,7 @@ rec {
  architect-lan    = "10.0.0.250";
  giupi-lan        = "10.0.0.251";
  proxy-wg         = "10.4.0.1";
  architect-wg     = "10.3.0.1";
  galuminum-wg     = "10.3.0.2";
  oneplus-wg       = "10.3.0.3";
@ -63,4 +66,5 @@ rec {
  matrixdomain = "matrix.giugl.io";
  matrixwebdomain = "chat.giugl.io";
  prowlarrdomain = "htpro.giugl.io";
  jupyterdomain = "labs.giugl.io";
 }
--- a/hosts/architect/nextcloud.nix
+++ b/hosts/architect/nextcloud.nix
@ -40,7 +40,6 @@ with import ./network.nix;
  };
  networking.extraHosts = ''
    127.0.0.1 ${clouddomain}
    ${architect-lan} ${clouddomain}
    ${architect-wg} ${clouddomain}
  '';
--- a/hosts/architect/nzbget.nix
+++ b/hosts/architect/nzbget.nix
@ -18,7 +18,6 @@ with import ./network.nix;
  };
  networking.extraHosts = ''
    127.0.0.1 ${nzbgetdomain}
    ${architect-lan} ${nzbgetdomain}
    ${architect-wg} ${nzbgetdomain}
  '';
--- a/hosts/architect/plex.nix
+++ b/hosts/architect/plex.nix
@ -78,7 +78,6 @@ with import ./network.nix;
  };
  networking.extraHosts = ''
    127.0.0.1 ${mediadomain}
    ${architect-lan} ${mediadomain}
    ${architect-wg} ${mediadomain}
  '';
--- a/hosts/architect/prowlarr.nix
+++ b/hosts/architect/prowlarr.nix
@ -26,7 +26,6 @@ with import ./network.nix;
  };
  networking.extraHosts = ''
    127.0.0.1 ${prowlarrdomain}
    ${architect-lan} ${prowlarrdomain}
    ${architect-wg} ${prowlarrdomain}
  '';
--- a/hosts/architect/radarr.nix
+++ b/hosts/architect/radarr.nix
@ -18,7 +18,6 @@ with import ./network.nix;
  };
  networking.extraHosts = ''
    127.0.0.1 ${radarrdomain}
    ${architect-lan} ${radarrdomain}
    ${architect-wg} ${radarrdomain}
  '';
--- a/hosts/architect/sonarr.nix
+++ b/hosts/architect/sonarr.nix
@ -18,7 +18,6 @@ with import ./network.nix;
  };
  networking.extraHosts = ''
    127.0.0.1 ${sonarrdomain}
    ${architect-lan} ${sonarrdomain}
    ${architect-wg} ${sonarrdomain}
  '';
--- a/hosts/architect/wireguard.nix
+++ b/hosts/architect/wireguard.nix
@ -1,6 +1,19 @@
 with import ./network.nix;
 {
  networking.wireguard = {
    interfaces.${proxy-if} = {
        ips = ["10.4.0.2/32"];
        privateKeyFile = "/secrets/wireguard/proxy.key";
        peers = [
          {
            publicKey = "WmJBpXpYebcmJEF8nVTKMqQK01KyBe42vzc38K66rVs=";
            allowedIPs = ["10.4.0.1/32"];
            endpoint = "giugl.io:1195";
            persistentKeepalive = 21;
          }
        ];
    };
    interfaces.${vpn-if} = {
      listenPort = 1194;
      ips = ["10.3.0.1/24"];
@ -140,7 +153,7 @@ with import ./network.nix;
        { 
          # defy
          allowedIPs = [defy-wg];
-          publicKey = "wEkDNap9/qmkGd0a0PN8ANHgXgxwp+ZdmDW1CmIl4kM=";
+          publicKey = "Cvi/eto7E6Ef+aiL81ou7x12fJCeuXrf/go9fxEqXG4=";
        }
        {