From c47d25c94377a4d2a71ab528551df57caebef7ac Mon Sep 17 00:00:00 2001
From: Giulio De Pasquale
Date: Tue, 15 Mar 2022 16:58:04 +0100
Subject: [PATCH] many updates, yasssss

---
 hosts/architect/default.nix | 10 ++-
 hosts/architect/deluge.nix | 52 +++++++++++++
 hosts/architect/firewall.nix | 5 +-
 hosts/architect/jellyfin.nix | 7 ++
 hosts/architect/matrix.nix | 110 +++++++++++++--------------
 hosts/architect/modules/jellyfin.nix | 76 +++++++++---------
 hosts/architect/network.nix | 4 +-
 hosts/architect/nitter.nix | 3 +-
 hosts/architect/prosody.nix | 4 +-
 hosts/architect/wireguard.nix | 14 ++++
 roles/home/common.nix | 2 +-
 11 files changed, 181 insertions(+), 106 deletions(-)
 create mode 100644 hosts/architect/deluge.nix

diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix
index 326fb37..0dcb765 100644
--- a/hosts/architect/default.nix
+++ b/hosts/architect/default.nix
@@ -23,10 +23,9 @@ in {
     ./matrix.nix
     ./fail2ban.nix
     ./dns.nix
-    ./minecraft.nix
+    #./minecraft.nix
     ./prowlarr.nix
     ./plex.nix
-    ./transmission.nix
     ./githubrunner.nix
     ./libreddit.nix
     ./invidious.nix
@@ -36,6 +35,7 @@ in {
     ./navidrome.nix
     ./jellyfin.nix
     ./prosody.nix
+    ./deluge.nix
   ];
 
   time.timeZone = "Europe/Rome";
@@ -76,7 +76,10 @@ in {
   };
 
   loader = {
-    systemd-boot.enable = true;
+    systemd-boot ={
+      enable = true;
+      memtest86.enable = true;
+    };
     efi.canTouchEfiVariables = true;
   };
 
@@ -135,7 +138,6 @@ in {
     opengl.driSupport = true;
   };
 
-  boot.crashDump.enable = true;
   services.das_watchdog.enable = true;
 
   services = {
diff --git a/hosts/architect/deluge.nix b/hosts/architect/deluge.nix
new file mode 100644
index 0000000..0ccbbf3
--- /dev/null
+++ b/hosts/architect/deluge.nix
@@ -0,0 +1,52 @@
+{ lib, config, pkgs, ... }:
+
+let
+  domain = "htdel.giugl.io";
+  network = import ./network.nix;
+in {
+  services = {
+    deluge = {
+      enable = true;
+      group = "media";
+      declarative = true;
+      config = {
+        download_location = "/media/deluge";
+        max_upload_speed = 20;
+        # full-stream
+        enc_level = 1;
+        # forced
+        enc_in_policy = 0;
+        # forced
+        enc_out_policy = 0;
+        max_active_seeding = 100;
+        max_connections_global = 1000;
+        max_active_limit = 100;
+        max_active_downloading = 100;
+        listen_ports = [ 51413 51414 ];
+        random_port = false;
+        enabled_plugins = [ "Label" "Extractor" ];
+      };
+      web.enable = true;
+      authFile = "/secrets/deluge/auth";
+      extraPackages = [ pkgs.unrar ];
+    };
+
+    nginx.virtualHosts.${domain} = {
+      locations."/" = {
+        proxyPass = "http://localhost:8112";
+        extraConfig = ''
+          allow 10.0.0.0/24;
+          ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
+          deny all;
+        '';
+      };
+    };
+  };
+
+  networking.extraHosts = ''
+    ${network.architect-lan} ${domain}
+    ${network.architect-wg} ${domain}
+  '';
+
+  users.groups.media.members = [ "deluge" ];
+}
diff --git a/hosts/architect/firewall.nix b/hosts/architect/firewall.nix
index a709ec7..bf7435e 100644
--- a/hosts/architect/firewall.nix
+++ b/hosts/architect/firewall.nix
@@ -9,23 +9,22 @@ let
     443 # https
     8448 # matrix
     10022 # gitea
-    30303
+    18080 # monero
     51413 # transmission
   ];
   open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
     1194 # wireguard
-    30303
     51413 # transmission
   ];
   open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
     22
     80
     443
-    8848
     32400 # plex
   ];
   open_udp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
     53 # dns
+    1194 # vpn
   ];
 
 in {
diff --git a/hosts/architect/jellyfin.nix b/hosts/architect/jellyfin.nix
index ec4565e..a408f6b 100644
--- a/hosts/architect/jellyfin.nix
+++ b/hosts/architect/jellyfin.nix
@@ -10,6 +10,7 @@ in {
   services = {
     jellyfin = {
       enable = true;
+      group = "media";
       package = pkgs.unstable.jellyfin;
     };
 
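Review bot: The `nginx.virtualHosts.${domain}` block in deluge.nix proxies the Deluge web UI over plain HTTP: unlike the matrix vhost elsewhere in this patch it sets neither `forceSSL = true;` nor a certificate, so the web-UI password kept in `/secrets/deluge/auth` crosses the LAN in cleartext unless a TLS default is applied by a module not visible here (the WireGuard path is protected by the tunnel). `forceSSL = true;` plus a certificate is the fix — `enableACME = true;` only if `htdel.giugl.io` is publicly resolvable for the challenge, otherwise `useACMEHost` or a local CA. The allow-list also hard-codes `allow 10.0.0.0/24;` while the peer addresses come from `network.nix`; sourcing the LAN prefix from `network.nix` too keeps the two from drifting. Note that `allow`/`deny` act on the TCP peer address, so this restriction only holds while nginx is the first hop and nothing in front of it rewrites the source.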
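Review bot: Both `51413 # transmission` entries in firewall.nix are stale after this patch: `./transmission.nix` is removed from default.nix and the new deluge.nix declares `listen_ports = [ 51413 51414 ];`, so the comment names a service that no longer exists and 51414 is never opened (incoming peers on it are dropped). Relabel both to `51413 # deluge` and either add `51414 # deluge` to the TCP and UDP lists or narrow Deluge to a single port, so the open-port list stays an accurate inventory of what actually listens. `1194 # vpn` in `open_udp_ports_vpn` opens the WireGuard port on the tunnel interface itself; unless nested tunnels are intended that is unnecessary surface, and a comment saying why it is there would help either way.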
@@ -35,4 +36,10 @@ in {
   users.groups.media.members = [ "jellyfin" ];
   users.groups.video.members = [ "jellyfin" ];
   users.groups.render.members = [ "jellyfin" ];
+
+  fileSystems."/tmp/jellyfin" = {
+    device = "none";
+    fsType = "tmpfs";
+    options = [ "defaults" "size=20G" "uid=jellyfin" ];
+  };
 }
diff --git a/hosts/architect/matrix.nix b/hosts/architect/matrix.nix
index 1f263d2..687d341 100644
--- a/hosts/architect/matrix.nix
+++ b/hosts/architect/matrix.nix
@@ -18,14 +18,13 @@ in {
       # enable_registration = true;
       app_service_config_files = [
         "/var/lib/matrix-synapse/discord-registration.yaml"
+#        "/var/lib/matrix-synapse/hookshot-registration.yml"
         # "/var/lib/matrix-synapse/telegram-registration.yaml"
       ];
       extraConfig = ''
         auto_join_rooms:
-          - "#infra:matrix.giugl.io"
           - "#general:matrix.giugl.io"
-          - "#movies:matrix.giugl.io"
-        max_upload_size: "30M"
+        max_upload_size: "50M"
       '';
       listeners = [{
         port = 8008;
@@ -125,20 +124,14 @@ in {
       enableACME = true;
       forceSSL = true;
 
-      # root = pkgs.element-web.override {
-      #   conf = {
-      #     default_server_config."m.homeserver" = {
-      #       "base_url" = "https://${domain}";
-      #       "server_name" = "${domain}";
-      #     };
-      #   };
-      # };
-      root = pkgs.unstable.cinny.override {
+      root = pkgs.element-web.override {
         conf = {
-          homeserverList = [ "${domain}" ];
-          defaultHomeserver = 0;
+          default_server_config."m.homeserver" = {
+            "base_url" = "https://${domain}";
+            "server_name" = "${domain}";
+          };
         };
-      };
+      };
     };
   };
 };
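Review bot: The new `/tmp/jellyfin` tmpfs in jellyfin.nix is mounted with `"defaults"` and no `mode=`, so it is suid/dev/exec and, with tmpfs's default root mode of 1777, the directory is world-writable and listable by every local account — `uid=jellyfin` only sets the owner. For what is presumably a transcode scratch area a tighter set is `options = [ "nosuid" "nodev" "noexec" "size=20G" "uid=jellyfin" "gid=media" "mode=0750" ];`, which matches the `group = "media";` this same file adds to the service. Whether mount resolves the name in `uid=jellyfin` for tmpfs or needs the numeric id is worth confirming on the host; I cannot tell from here. A one-line comment on the `fileSystems` attribute stating what the 20G is for would also help the next reader.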
@@ -152,64 +145,63 @@ in { bridge = { domain = domain; homeserverUrl = "https://${domain}"; - disablePresence = true; }; }; }; # telegram bridge - mautrix-telegram = { - enable = true; - environmentFile = /secrets/mautrix-telegram/mautrix-telegram.env; + # mautrix-telegram = { + # enable = true; + # environmentFile = /secrets/mautrix-telegram/mautrix-telegram.env; - settings = { - homeserver = { - address = "https://${domain}"; - domain = "${domain}"; - }; + # settings = { + # homeserver = { + # address = "https://${domain}"; + # domain = "${domain}"; + # }; - appservice = { - provisioning.enabled = false; - id = "telegram"; - }; + # appservice = { + # provisioning.enabled = false; + # id = "telegram"; + # }; - bridge = { - permissions = { - "@pepe:${domain}" = "admin"; - "${domain}" = "puppeting"; - }; + # bridge = { + # permissions = { + # "@pepe:${domain}" = "admin"; + # "${domain}" = "puppeting"; + # }; - # Animated stickers conversion requires additional packages in the - # service's path. - # If this isn't a fresh installation, clearing the bridge's uploaded - # file cache might be necessary (make a database backup first!): - # delete from telegram_file where \ - # mime_type in ('application/gzip', 'application/octet-stream') - animated_sticker = { - target = "gif"; - args = { - width = 256; - height = 256; - fps = 30; # only for webm - background = "020202"; # only for gif, transparency not supported - }; - }; + # # Animated stickers conversion requires additional packages in the + # # service's path. 
+ # # If this isn't a fresh installation, clearing the bridge's uploaded + # # file cache might be necessary (make a database backup first!): + # # delete from telegram_file where \ + # # mime_type in ('application/gzip', 'application/octet-stream') + # animated_sticker = { + # target = "gif"; + # args = { + # width = 256; + # height = 256; + # fps = 30; # only for webm + # background = "020202"; # only for gif, transparency not supported + # }; + # }; - encryption = { - allow = true; - default = true; - }; - }; - }; - }; + # encryption = { + # allow = true; + # default = true; + # }; + # }; + # }; + # }; }; - systemd.services.mautrix-telegram.path = with pkgs; [ - lottieconverter # for animated stickers conversion, unfree package - ffmpeg # if converting animated stickers to webm (very slow!) - ]; + # systemd.services.mautrix-telegram.path = with pkgs; [ + # lottieconverter # for animated stickers conversion, unfree package + # ffmpeg # if converting animated stickers to webm (very slow!) + # ]; networking.extraHosts = '' ${network.architect-lan} ${domain} ${webui_domain} diff --git a/hosts/architect/modules/jellyfin.nix b/hosts/architect/modules/jellyfin.nix index d44a0a9..1fab5ba 100644 --- a/hosts/architect/modules/jellyfin.nix +++ b/hosts/architect/modules/jellyfin.nix @@ -50,8 +50,8 @@ in { serviceConfig = rec { User = cfg.user; Group = cfg.group; - # Allows access to drm devices for transcoding with hardware acceleration - SupplementaryGroups = [ "video" ]; +# # Allows access to drm devices for transcoding with hardware acceleration +# SupplementaryGroups = [ "video" ]; StateDirectory = "jellyfin"; CacheDirectory = "jellyfin"; ExecStart = 
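Review bot: Removing `disablePresence = true;` from the Discord bridge's `bridge` block re-enables presence syncing — if the option does what its name says, Matrix users' online status is now pushed to Discord — which is a privacy-relevant change the commit message does not mention; if intended, a short comment on the `bridge` block saying so would help, otherwise keep the line. The Telegram bridge is disabled by commenting out roughly fifty lines; `mautrix-telegram.enable = false;` (or deleting the block, which git history keeps) leaves a configuration that is still evaluated and cannot silently bit-rot. The enclosing `services` attribute set starts before this hunk.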
@@ -65,41 +65,47 @@ in {
       AmbientCapabilities = "";
       CapabilityBoundingSet = "";
 
-      # ProtectClock= adds DeviceAllow=char-rtc r
-      # DeviceAllow = [
-      #   "char-drm r"
-      #   "/dev/nvidia0 r"
-      #   "/dev/nvidiactl r"
-      #   "/dev/nvidia-uvm r"
-      #   "/dev/nvidia-uvm-tools r"
-      # ];
+      # # ProtectClock= adds DeviceAllow=char-rtc r
+      # DeviceAllow = [
+      #   "char-drm r"
+      #   "/dev/nvidia0 r"
+      #   "/dev/nvidiactl r"
+      #   "/dev/nvidia-uvm r"
+      #   "/dev/nvidia-uvm-tools r"
+      # ];
+      DeviceAllow = "";
+      LockPersonality = true;
 
 
-      # LockPersonality = true;
-      # PrivateTmp = true;
-      # PrivateUsers = true;
-      #
-      # ProtectClock = true;
-      # ProtectControlGroups = true;
-      # ProtectHostname = true;
-      # ProtectKernelLogs = true;
-      # ProtectKernelModules = true;
-      # ProtectKernelTunables = true;
-      #
-      # RemoveIPC = true;
-      #
-      # RestrictNamespaces = true;
-      # # AF_NETLINK needed because Jellyfin monitors the network connection
-      # RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" ];
-      # RestrictRealtime = true;
-      # RestrictSUIDSGID = true;
-      #
-      # SystemCallArchitectures = "native";
-      # SystemCallErrorNumber = "EPERM";
-      # SystemCallFilter = [
-      #   "@system-service"
-      #   "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid"
-      # ];
+      PrivateUsers = true;
+
+#      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+
+      RemoveIPC = true;
+
+      RestrictNamespaces = true;
+      # # AF_NETLINK needed because Jellyfin monitors the network connection
+      RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" "AF_UNIX" ];
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+
+      SystemCallArchitectures = "native";
+      SystemCallErrorNumber = "EPERM";
+      SystemCallFilter = [
+        "@system-service"
+        "~@cpu-emulation"
+        "~@debug"
+        "~@keyring"
+        "~@memlock"
+        "~@obsolete"
+        "~@privileged"
+        "~@setuid"
+      ];
     };
   };
 
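Review bot: `DeviceAllow = "";` in the new hardening block does not restrict anything: an empty assignment only clears the list, and with `DevicePolicy` left at its default of `auto` systemd allows every device node when no `DeviceAllow=` entry is present, so the service can still open anything under /dev. If the allow-list was dropped to keep hardware transcoding working (jellyfin.nix adds the user to `video`/`render`, which points that way), say so in a comment and make the policy explicit — `DevicePolicy = "closed";` together with `DeviceAllow = [ "char-drm rw" ];` (render nodes need write access; add the nvidia nodes from the commented list if that path is used) expresses the intent with least privilege. `ProtectClock` stays commented although, per the comment kept above it, it only adds `char-rtc r`, so it can be enabled alongside. The `serviceConfig = rec {` block begins before this hunk, so whether `NoNewPrivileges`, `PrivateDevices` or `ProtectSystem` are set there is not visible from here.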
diff --git a/hosts/architect/network.nix b/hosts/architect/network.nix
index ae670b5..722e155 100644
--- a/hosts/architect/network.nix
+++ b/hosts/architect/network.nix
@@ -45,6 +45,8 @@ rec {
   frznn-wg = "10.3.0.29";
   ludo-wg = "10.3.0.30";
   parina-wg = "10.3.0.31";
+  nilo-wg = "10.3.0.32";
+  parina-ipad-wg = "10.3.0.33";
   eleonora-wg = "10.3.0.100";
   angellane-wg = "10.3.0.200";
   hotpottino-wg = "10.3.0.201";
@@ -56,7 +58,7 @@ rec {
     [ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg wolfsonhouse-wg ];
   routers-wg = [ hotpottino-wg angellane-wg dodino-wg wolfsonhouse-wg ];
   c2c-wg = [ ] ++ gdevices-wg;
-  towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg ] ++ gdevices-wg
+  towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg parina-ipad-wg ] ++ gdevices-wg
     ++ routers-wg;
   gamenet-wg = [
     andrew-wg
diff --git a/hosts/architect/nitter.nix b/hosts/architect/nitter.nix
index 480eac0..980bccc 100644
--- a/hosts/architect/nitter.nix
+++ b/hosts/architect/nitter.nix
@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ lib, pkgs, ... }:
 
 let
   domain = "tweet.giugl.io";
@@ -10,6 +10,7 @@ in {
     server = {
       port = 9093;
       hostname = domain;
+      staticDir = "${pkgs.unstable.nitter}/share/nitter/public";
     };
     preferences = {
       replaceYouTube = "tube.giugl.io";
diff --git a/hosts/architect/prosody.nix b/hosts/architect/prosody.nix
index 0a189d3..07b0c3b 100644
--- a/hosts/architect/prosody.nix
+++ b/hosts/architect/prosody.nix
@@ -23,8 +23,8 @@ in {
     uploadHttp = { domain = upload_domain; };
     admins = [ "giulio@${domain}" ];
 
-    httpInterfaces = [ "wg0" ];
-    httpsInterfaces = [ "wg0" ];
+    #httpInterfaces = [ "wg0" ];
+    #httpsInterfaces = [ "wg0" ];
   };
 };
 
diff --git a/hosts/architect/wireguard.nix b/hosts/architect/wireguard.nix
index 3132611..7fbd70d 100644
--- a/hosts/architect/wireguard.nix
+++ b/hosts/architect/wireguard.nix
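Review bot: `nilo-wg` is added to the address table in network.nix but, within the hunks visible here, to no access group, while `parina-ipad-wg` is placed in `towan-wg`; if that asymmetry is deliberate least privilege for a new peer, a comment on the new line, e.g. `nilo-wg = "10.3.0.32"; # intentionally in no group`, stops someone from "fixing" it later. If it is an oversight, the peer currently gets only whatever the firewall grants to all of the tunnel. The other group definitions in `network.nix` lie outside this hunk, so the peer may already be listed there.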
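Review bot: `staticDir` in nitter.nix now points at `pkgs.unstable.nitter`'s assets, but this hunk does not set the service package to the same derivation; if `services.nitter` still runs the default (stable) package, the binary and its templates/static files come from two different nitter versions and can mismatch. Setting `package = pkgs.unstable.nitter;` next to `staticDir` ties the two together so they cannot drift. The `services.nitter` block starts before this hunk, so the package may already be pinned there — worth checking before merging.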
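Review bot: Commenting out `httpInterfaces`/`httpsInterfaces` in prosody.nix changes Prosody's HTTP listeners (used here by `uploadHttp`) from binding only on `wg0` to the module default, which as far as I recall is all addresses; the upload endpoint is then reachable from the LAN and every other interface on the host, not just the VPN. firewall.nix in this patch does not list 5280/5281 among the public ports, so Internet exposure is probably unchanged, but that now rests on the firewall rather than on the listener. If the goal is to also serve the LAN, list the interfaces explicitly, e.g. `httpInterfaces = [ "wg0" "<lan-if>" ];` and the same for `httpsInterfaces`, rather than dropping the restriction, and add a comment saying why the LAN needs it.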
@@ -32,6 +32,8 @@ with import ./network.nix; {
     ${frznn-wg} frznn.devs.giugl.io
     ${ludo-wg} ludo.devs.giugl.io
     ${parina-wg} parina.devs.giugl.io
+    ${parina-ipad-wg} parinaipad.devs.giugl.io
+    ${nilo-wg} nilo.devs.giugl.io
   '';
 
   wireguard = {
@@ -249,6 +251,18 @@ with import ./network.nix; {
           allowedIPs = [ parina-wg ];
           publicKey = "7nubNnfGsg4/7KemMDn9r99mNK8RFU9uOFFqaYv6rUA=";
         }
+
+        {
+          # nilo
+          allowedIPs = [ nilo-wg ];
+          publicKey = "lhTEDJ9WnizvEHTd5kN21fTHF27HNk+fPLQnB1B3LW0=";
+        }
+
+        {
+          # parina ipad
+          allowedIPs = [ parina-ipad-wg ];
+          publicKey = "ezkCzl2qC7Hd7rFKfqMa0JXDKRhVqy79H52rA06x7mU=";
+        }
       ];
     };
   };
diff --git a/roles/home/common.nix b/roles/home/common.nix
index 92f3c92..49cf2a4 100644
--- a/roles/home/common.nix
+++ b/roles/home/common.nix
@@ -202,7 +202,7 @@
         vim-vsnip
         nvim-cmp
         cmp-nvim-lsp
-        (nvim-treesitter.withPlugins (_: pkgs.tree-sitter.allGrammars))
+        (nvim-treesitter.withPlugins (_: unstable.tree-sitter.allGrammars))
         nvim-treesitter-textobjects
       ];
     };