removed giugl.io name from services. added encryption to telegram, support for proxy
This commit is contained in:
parent
d4844525c5
commit
bdebb2c35a
@ -18,7 +18,6 @@ with import ./network.nix;
|
|||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
127.0.0.1 ${bazarrdomain}
|
|
||||||
${architect-lan} ${bazarrdomain}
|
${architect-lan} ${bazarrdomain}
|
||||||
${architect-wg} ${bazarrdomain}
|
${architect-wg} ${bazarrdomain}
|
||||||
'';
|
'';
|
||||||
|
@ -27,7 +27,7 @@ in
|
|||||||
./fail2ban.nix
|
./fail2ban.nix
|
||||||
./dns.nix
|
./dns.nix
|
||||||
./minecraft.nix
|
./minecraft.nix
|
||||||
./prowlarr.nix
|
# ./prowlarr.nix
|
||||||
./plex.nix
|
./plex.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
@ -87,18 +87,17 @@ in
|
|||||||
wlp4s0.useDHCP = false;
|
wlp4s0.useDHCP = false;
|
||||||
};
|
};
|
||||||
extraHosts = ''
|
extraHosts = ''
|
||||||
127.0.0.1 ${hostname}.devs.giugl.io giugl.io localhost
|
127.0.0.1 ${hostname}.devs.giugl.io localhost
|
||||||
|
|
||||||
# LAN
|
# LAN
|
||||||
${architect-lan} ${hostname}.devs.giugl.io giugl.io
|
${architect-lan} ${hostname}.devs.giugl.io
|
||||||
|
|
||||||
10.0.0.1 router.devs.giugl.io
|
|
||||||
${dvr-lan} dvr.devs.giugl.io
|
${dvr-lan} dvr.devs.giugl.io
|
||||||
${nas-lan} nas.devs.giugl.io
|
${nas-lan} nas.devs.giugl.io
|
||||||
${giupi-lan} giupi.devs.giugl.io
|
${giupi-lan} giupi.devs.giugl.io
|
||||||
|
|
||||||
# Wireguard hosts
|
# Wireguard hosts
|
||||||
${architect-wg} ${hostname}.devs.giugl.io giugl.io
|
${architect-wg} ${hostname}.devs.giugl.io
|
||||||
${galuminum-wg} galuminum.devs.giugl.io
|
${galuminum-wg} galuminum.devs.giugl.io
|
||||||
${oneplus-wg} oneplus.devs.giugl.io
|
${oneplus-wg} oneplus.devs.giugl.io
|
||||||
${ipad-wg} ipad.devs.giugl.io
|
${ipad-wg} ipad.devs.giugl.io
|
||||||
@ -143,11 +142,6 @@ in
|
|||||||
0.0.0.0 analytics.oneplus.cn
|
0.0.0.0 analytics.oneplus.cn
|
||||||
0.0.0.0 click.oneplus.cn
|
0.0.0.0 click.oneplus.cn
|
||||||
0.0.0.0 analytics-api.samsunghealthcn.com
|
0.0.0.0 analytics-api.samsunghealthcn.com
|
||||||
|
|
||||||
# The following lines are desirable for IPv6 capable hosts
|
|
||||||
::1 localhost ip6-localhost ip6-loopback
|
|
||||||
ff02::1 ip6-allnodes
|
|
||||||
ff02::2 ip6-allrouters
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -16,6 +16,7 @@
|
|||||||
enable= true;
|
enable= true;
|
||||||
port = 3031;
|
port = 3031;
|
||||||
};
|
};
|
||||||
|
|
||||||
dnscrypt-proxy2 = {
|
dnscrypt-proxy2 = {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = {
|
settings = {
|
||||||
|
@ -61,6 +61,7 @@ in {
|
|||||||
iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}"
|
iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}"
|
||||||
iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}"
|
iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}"
|
||||||
iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
|
iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
|
||||||
|
iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}"
|
||||||
iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
|
iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
|
||||||
iifname "lo" accept comment "bind any ip to intf lo"
|
iifname "lo" accept comment "bind any ip to intf lo"
|
||||||
jump mangle_drop
|
jump mangle_drop
|
||||||
@ -115,6 +116,7 @@ in {
|
|||||||
ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
|
ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
|
||||||
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
|
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
|
||||||
ip saddr ${lan-net} accept comment "lan > local"
|
ip saddr ${lan-net} accept comment "lan > local"
|
||||||
|
ip saddr ${proxy-wg} accept comment "proxy > local"
|
||||||
|
|
||||||
iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
|
iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
|
||||||
iifname ${wan-if} udp dport {${open_udp_ports}} accept
|
iifname ${wan-if} udp dport {${open_udp_ports}} accept
|
||||||
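Review bot: The rule added in the second hunk, `ip saddr ${proxy-wg} accept comment "proxy > local"`, admits every port and protocol from the proxy peer to this host, so a compromised or misconfigured remote proxy gets the same unrestricted reach as a LAN client. If the proxy only fronts the nginx virtual hosts, narrow it to what it needs to forward, e.g. `iifname ${proxy-if} ip saddr ${proxy-wg} tcp dport { 80, 443 } accept comment "proxy > nginx"`; the `iifname` match is redundant with the anti-spoofing rule from the first hunk but documents the intent. The first hunk binds the whole `${proxy-net}` /24 to `${proxy-if}` while the WireGuard peer only carries `10.4.0.1/32`, which is harmless but could be tightened to `${proxy-wg}` for symmetry. Both chains start and end outside the visible hunks.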
|
@ -20,13 +20,13 @@ with import ./network.nix;
|
|||||||
allow 127.0.0.1;
|
allow 127.0.0.1;
|
||||||
allow 10.0.0.0/24;
|
allow 10.0.0.0/24;
|
||||||
allow 10.3.0.0/24;
|
allow 10.3.0.0/24;
|
||||||
|
allow 10.4.0.0/24;
|
||||||
deny all;
|
deny all;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
127.0.0.1 ${gitdomain}
|
|
||||||
${architect-lan} ${gitdomain}
|
${architect-lan} ${gitdomain}
|
||||||
${architect-wg} ${gitdomain}
|
${architect-wg} ${gitdomain}
|
||||||
'';
|
'';
|
||||||
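Review bot: `allow 10.4.0.0/24;` makes this allow/deny block admit anything the proxy forwards, because nginx evaluates the tunnel address of the proxy rather than the real client, so if that proxy is the public-facing front the allowlist that previously limited `${gitdomain}` to LAN and VPN no longer restricts anything. If the intent is to keep the restriction, either enforce it on the proxy side, or add `set_real_ip_from ${proxy-wg}; real_ip_header X-Forwarded-For;` (trusting the header only from the proxy address) so that `allow`/`deny` see the originating client. Independently, only one peer exists on that network, so `allow ${proxy-wg};` (a /32) is tighter than the whole /24. Which service this vhost belongs to and what the proxy exposes are not visible in the hunk, so this is inferred from the commit message.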
|
@ -8,7 +8,10 @@ with import ./network.nix;
|
|||||||
];
|
];
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
jellyfin.enable = true;
|
jellyfin = {
|
||||||
|
enable = true;
|
||||||
|
package = pkgs.unstable.jellyfin;
|
||||||
|
};
|
||||||
|
|
||||||
nginx.virtualHosts.${mediadomain} = {
|
nginx.virtualHosts.${mediadomain} = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
@ -25,7 +28,6 @@ with import ./network.nix;
|
|||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
127.0.0.1 ${mediadomain}
|
|
||||||
${architect-lan} ${mediadomain}
|
${architect-lan} ${mediadomain}
|
||||||
${architect-wg} ${mediadomain}
|
${architect-wg} ${mediadomain}
|
||||||
'';
|
'';
|
||||||
|
@ -10,7 +10,7 @@ with import ./network.nix;
|
|||||||
public_baseurl = "https://${matrixdomain}";
|
public_baseurl = "https://${matrixdomain}";
|
||||||
registration_shared_secret = "runas!";
|
registration_shared_secret = "runas!";
|
||||||
dynamic_thumbnails = true;
|
dynamic_thumbnails = true;
|
||||||
#enable_registration = true;
|
# enable_registration = true;
|
||||||
app_service_config_files = [
|
app_service_config_files = [
|
||||||
"/var/lib/matrix-synapse/discord-registration.yaml"
|
"/var/lib/matrix-synapse/discord-registration.yaml"
|
||||||
"/var/lib/matrix-synapse/telegram-registration.yaml"
|
"/var/lib/matrix-synapse/telegram-registration.yaml"
|
||||||
@ -37,6 +37,12 @@ with import ./network.nix;
|
|||||||
];
|
];
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
turn_uris = [
|
||||||
|
"turns:turn.giugl.io:5349?transport=udp"
|
||||||
|
"turns:turn.giugl.io:5349?transport=tcp"
|
||||||
|
];
|
||||||
|
turn_shared_secret = "69duck duck fuck420";
|
||||||
|
turn_user_lifetime = "1h";
|
||||||
};
|
};
|
||||||
|
|
||||||
postgresql = {
|
postgresql = {
|
||||||
@ -159,6 +165,11 @@ with import ./network.nix;
|
|||||||
background = "020202"; # only for gif, transparency not supported
|
background = "020202"; # only for gif, transparency not supported
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
encryption = {
|
||||||
|
allow = true;
|
||||||
|
default = true;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@ -171,10 +182,8 @@ systemd.services.mautrix-telegram.path = with pkgs; [
|
|||||||
];
|
];
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
127.0.0.1 ${matrixdomain} ${matrixwebdomain}
|
|
||||||
${architect-lan} ${matrixdomain} ${matrixwebdomain}
|
${architect-lan} ${matrixdomain} ${matrixwebdomain}
|
||||||
${architect-wg} ${matrixdomain} ${matrixwebdomain}
|
${architect-wg} ${matrixdomain} ${matrixwebdomain}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
users.groups.acme.members = [ "turnserver" ];
|
|
||||||
}
|
}
|
||||||
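Review bot: `turn_shared_secret = "69duck duck fuck420";` in the second hunk puts a live credential into the Nix expression, and `services.matrix-synapse.settings` is rendered into a homeserver.yaml in the world-readable /nix/store, so any local user (and anyone with the repository) can mint TURN credentials. Move it out of the store with `extraConfigFiles = [ "/secrets/matrix/turn.yaml" ];` containing the `turn_shared_secret` line, and point coturn at the same value via `static-auth-secret-file`; the pre-existing `registration_shared_secret` in the first hunk's context has the same exposure. The `encryption = { allow = true; default = true; }` block in the third hunk enables end-to-bridge encryption for mautrix-telegram, which presumably requires the bridge package to be built with its e2be/olm extra — worth confirming the service starts after the switch. The enclosing `services` and `settings` attribute sets begin and end outside these hunks.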
|
@ -18,7 +18,6 @@ with import ./network.nix;
|
|||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
127.0.0.1 ${miniodomain}
|
|
||||||
${architect-lan} ${miniodomain}
|
${architect-lan} ${miniodomain}
|
||||||
${architect-wg} ${miniodomain}
|
${architect-wg} ${miniodomain}
|
||||||
'';
|
'';
|
||||||
|
@ -2,10 +2,12 @@ rec {
|
|||||||
# interfaces
|
# interfaces
|
||||||
wan-if = "enp5s0";
|
wan-if = "enp5s0";
|
||||||
vpn-if = "wg0";
|
vpn-if = "wg0";
|
||||||
|
proxy-if = "proxy";
|
||||||
|
|
||||||
# nets
|
# nets
|
||||||
lan-net = "10.0.0.0/24";
|
lan-net = "10.0.0.0/24";
|
||||||
vpn-net = "10.3.0.0/24";
|
vpn-net = "10.3.0.0/24";
|
||||||
|
proxy-net = "10.4.0.0/24";
|
||||||
external_lan-net = "192.168.1.0/24";
|
external_lan-net = "192.168.1.0/24";
|
||||||
|
|
||||||
# ips
|
# ips
|
||||||
@ -14,6 +16,7 @@ rec {
|
|||||||
architect-lan = "10.0.0.250";
|
architect-lan = "10.0.0.250";
|
||||||
giupi-lan = "10.0.0.251";
|
giupi-lan = "10.0.0.251";
|
||||||
|
|
||||||
|
proxy-wg = "10.4.0.1";
|
||||||
architect-wg = "10.3.0.1";
|
architect-wg = "10.3.0.1";
|
||||||
galuminum-wg = "10.3.0.2";
|
galuminum-wg = "10.3.0.2";
|
||||||
oneplus-wg = "10.3.0.3";
|
oneplus-wg = "10.3.0.3";
|
||||||
@ -63,4 +66,5 @@ rec {
|
|||||||
matrixdomain = "matrix.giugl.io";
|
matrixdomain = "matrix.giugl.io";
|
||||||
matrixwebdomain = "chat.giugl.io";
|
matrixwebdomain = "chat.giugl.io";
|
||||||
prowlarrdomain = "htpro.giugl.io";
|
prowlarrdomain = "htpro.giugl.io";
|
||||||
|
jupyterdomain = "labs.giugl.io";
|
||||||
}
|
}
|
||||||
|
@ -40,7 +40,6 @@ with import ./network.nix;
|
|||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
127.0.0.1 ${clouddomain}
|
|
||||||
${architect-lan} ${clouddomain}
|
${architect-lan} ${clouddomain}
|
||||||
${architect-wg} ${clouddomain}
|
${architect-wg} ${clouddomain}
|
||||||
'';
|
'';
|
||||||
|
@ -18,7 +18,6 @@ with import ./network.nix;
|
|||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
127.0.0.1 ${nzbgetdomain}
|
|
||||||
${architect-lan} ${nzbgetdomain}
|
${architect-lan} ${nzbgetdomain}
|
||||||
${architect-wg} ${nzbgetdomain}
|
${architect-wg} ${nzbgetdomain}
|
||||||
'';
|
'';
|
||||||
|
@ -78,7 +78,6 @@ with import ./network.nix;
|
|||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
127.0.0.1 ${mediadomain}
|
|
||||||
${architect-lan} ${mediadomain}
|
${architect-lan} ${mediadomain}
|
||||||
${architect-wg} ${mediadomain}
|
${architect-wg} ${mediadomain}
|
||||||
'';
|
'';
|
||||||
|
@ -26,7 +26,6 @@ with import ./network.nix;
|
|||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
127.0.0.1 ${prowlarrdomain}
|
|
||||||
${architect-lan} ${prowlarrdomain}
|
${architect-lan} ${prowlarrdomain}
|
||||||
${architect-wg} ${prowlarrdomain}
|
${architect-wg} ${prowlarrdomain}
|
||||||
'';
|
'';
|
||||||
|
@ -18,7 +18,6 @@ with import ./network.nix;
|
|||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
127.0.0.1 ${radarrdomain}
|
|
||||||
${architect-lan} ${radarrdomain}
|
${architect-lan} ${radarrdomain}
|
||||||
${architect-wg} ${radarrdomain}
|
${architect-wg} ${radarrdomain}
|
||||||
'';
|
'';
|
||||||
|
@ -18,7 +18,6 @@ with import ./network.nix;
|
|||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
127.0.0.1 ${sonarrdomain}
|
|
||||||
${architect-lan} ${sonarrdomain}
|
${architect-lan} ${sonarrdomain}
|
||||||
${architect-wg} ${sonarrdomain}
|
${architect-wg} ${sonarrdomain}
|
||||||
'';
|
'';
|
||||||
|
@ -1,6 +1,19 @@
|
|||||||
with import ./network.nix;
|
with import ./network.nix;
|
||||||
{
|
{
|
||||||
networking.wireguard = {
|
networking.wireguard = {
|
||||||
|
interfaces.${proxy-if} = {
|
||||||
|
ips = ["10.4.0.2/32"];
|
||||||
|
privateKeyFile = "/secrets/wireguard/proxy.key";
|
||||||
|
peers = [
|
||||||
|
{
|
||||||
|
publicKey = "WmJBpXpYebcmJEF8nVTKMqQK01KyBe42vzc38K66rVs=";
|
||||||
|
allowedIPs = ["10.4.0.1/32"];
|
||||||
|
endpoint = "giugl.io:1195";
|
||||||
|
persistentKeepalive = 21;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
interfaces.${vpn-if} = {
|
interfaces.${vpn-if} = {
|
||||||
listenPort = 1194;
|
listenPort = 1194;
|
||||||
ips = ["10.3.0.1/24"];
|
ips = ["10.3.0.1/24"];
|
||||||
@ -140,7 +153,7 @@ with import ./network.nix;
|
|||||||
{
|
{
|
||||||
# defy
|
# defy
|
||||||
allowedIPs = [defy-wg];
|
allowedIPs = [defy-wg];
|
||||||
publicKey = "wEkDNap9/qmkGd0a0PN8ANHgXgxwp+ZdmDW1CmIl4kM=";
|
publicKey = "Cvi/eto7E6Ef+aiL81ou7x12fJCeuXrf/go9fxEqXG4=";
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
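Review bot: `endpoint = "giugl.io:1195";` in the new `${proxy-if}` interface now depends on DNS, because this same commit drops `giugl.io` from `networking.extraHosts`; the NixOS wireguard module resolves the endpoint once when the interface is brought up, so a resolver that is not yet reachable at boot (dnscrypt-proxy runs on this host) or a later change of the proxy's address leaves the tunnel pointing nowhere. Consider adding `dynamicEndpointRefreshSeconds = 60;` to that peer, and optionally a `presharedKeyFile` alongside the `privateKeyFile` already kept under /secrets. The peer's `allowedIPs = ["10.4.0.1/32"]` is appropriately minimal for a single proxy host. The `networking.wireguard` set continues past the end of the first hunk.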
|