many updates, yasssss

This commit is contained in:
Giulio De Pasquale 2022-03-15 16:58:04 +01:00
parent 2e352d1032
commit c47d25c943
11 changed files with 181 additions and 106 deletions


@ -23,10 +23,9 @@ in {
./matrix.nix
./fail2ban.nix
./dns.nix
./minecraft.nix
#./minecraft.nix
./prowlarr.nix
./plex.nix
./transmission.nix
./githubrunner.nix
./libreddit.nix
./invidious.nix
@ -36,6 +35,7 @@ in {
./navidrome.nix
./jellyfin.nix
./prosody.nix
./deluge.nix
];
time.timeZone = "Europe/Rome";
@ -76,7 +76,10 @@ in {
};
loader = {
systemd-boot.enable = true;
systemd-boot ={
enable = true;
memtest86.enable = true;
};
efi.canTouchEfiVariables = true;
};
@ -135,7 +138,6 @@ in {
opengl.driSupport = true;
};
boot.crashDump.enable = true;
services.das_watchdog.enable = true;
services = {
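Review bot: The rewritten loader block in the third hunk reads `systemd-boot ={`, while every other attribute in the file is written `name = {`; `systemd-boot = {` keeps it consistent with the rest and with nixpkgs-fmt output. Enabling `memtest86` pulls in the memtest86 EFI package, which I believe is marked unfree in nixpkgs, so confirm that `nixpkgs.config.allowUnfree` (or a per-package allow) is set somewhere outside this hunk or evaluation will fail. The removal of `services.das_watchdog.enable` and the commented-out `./minecraft.nix` import carry no explanation; a one-line `# disabled: <reason>` next to the import would save the next reader guessing whether it is gone for good.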


@ -0,0 +1,52 @@
{ lib, config, pkgs, ... }:
let
domain = "htdel.giugl.io";
network = import ./network.nix;
in {
services = {
deluge = {
enable = true;
group = "media";
declarative = true;
config = {
download_location = "/media/deluge";
max_upload_speed = 20;
# full-stream
enc_level = 1;
# forced
enc_in_policy = 0;
# forced
enc_out_policy = 0;
max_active_seeding = 100;
max_connections_global = 1000;
max_active_limit = 100;
max_active_downloading = 100;
listen_ports = [ 51413 51414 ];
random_port = false;
enabled_plugins = [ "Label" "Extractor" ];
};
web.enable = true;
authFile = "/secrets/deluge/auth";
extraPackages = [ pkgs.unrar ];
};
nginx.virtualHosts.${domain} = {
locations."/" = {
proxyPass = "http://localhost:8112";
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
'';
};
};
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
users.groups.media.members = [ "deluge" ];
}
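Review bot: The new `nginx.virtualHosts.${domain}` for Deluge has no `enableACME`/`forceSSL`, unlike the Matrix vhost touched in this same commit, so the web UI and its password login are served over plain HTTP to the allowed LAN and WireGuard ranges. Adding `enableACME = true;` and `forceSSL = true;` next to `locations."/"` brings it in line with the other hosts; if a plaintext listener is deliberate for the internal hostname, a comment saying so would help. The `allow`/`deny` list only does its job while nginx sees the real client address, which holds here as long as nothing is proxied in front of it. `listen_ports = [ 51413 51414 ]` overlaps the port the firewall file still labels `# transmission`, and `./transmission.nix` remains imported, so check that the two daemons are not expected to share 51413.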


@ -9,23 +9,22 @@ let
443 # https
8448 # matrix
10022 # gitea
30303
18080 # monero
51413 # transmission
];
open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
1194 # wireguard
30303
51413 # transmission
];
open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
22
80
443
8848
32400 # plex
];
open_udp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
53 # dns
1194 # vpn
];
in {
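Review bot: Both `51413 # transmission` comments are now stale, because the Deluge config added in this commit also sets `listen_ports = [ 51413 51414 ]` while `./transmission.nix` is still imported; either the two services collide on that port or the comment should read `51413 # transmission / deluge`. Deluge's second listen port, 51414, is not opened in either the TCP or the UDP list, so inbound peer connections on it will be dropped if the daemon binds it. The removal of 30303 from both lists is not explained anywhere on the page; a short comment or commit note on what it served would help.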


@ -10,6 +10,7 @@ in {
services = {
jellyfin = {
enable = true;
group = "media";
package = pkgs.unstable.jellyfin;
};
@ -35,4 +36,10 @@ in {
users.groups.media.members = [ "jellyfin" ];
users.groups.video.members = [ "jellyfin" ];
users.groups.render.members = [ "jellyfin" ];
fileSystems."/tmp/jellyfin" = {
device = "none";
fsType = "tmpfs";
options = [ "defaults" "size=20G" "uid=jellyfin" ];
};
}
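Review bot: The new `fileSystems."/tmp/jellyfin"` tmpfs lives under the host's /tmp, but the jellyfin unit changed in this same commit sets `PrivateTmp = true`, which gives the service its own empty /tmp; unless the service is pointed at this mount via `BindPaths` or a transcoding path outside /tmp, it will not see it. If the mount is kept, the options set `uid=jellyfin` but no `gid=` or `mode=`, and a tmpfs root defaults to world-writable 1777, so something like `mode=0750,gid=media` would match the group access configured just above. `size=20G` is a sensible upper bound, but it is RAM/swap-backed, so confirm the host can afford it.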


@ -18,14 +18,13 @@ in {
# enable_registration = true;
app_service_config_files = [
"/var/lib/matrix-synapse/discord-registration.yaml"
# "/var/lib/matrix-synapse/hookshot-registration.yml"
# "/var/lib/matrix-synapse/telegram-registration.yaml"
];
extraConfig = ''
auto_join_rooms:
- "#infra:matrix.giugl.io"
- "#general:matrix.giugl.io"
- "#movies:matrix.giugl.io"
max_upload_size: "30M"
max_upload_size: "50M"
'';
listeners = [{
port = 8008;
@ -125,18 +124,12 @@ in {
enableACME = true;
forceSSL = true;
# root = pkgs.element-web.override {
# conf = {
# default_server_config."m.homeserver" = {
# "base_url" = "https://${domain}";
# "server_name" = "${domain}";
# };
# };
# };
root = pkgs.unstable.cinny.override {
root = pkgs.element-web.override {
conf = {
homeserverList = [ "${domain}" ];
defaultHomeserver = 0;
default_server_config."m.homeserver" = {
"base_url" = "https://${domain}";
"server_name" = "${domain}";
};
};
};
};
@ -152,64 +145,63 @@ in {
bridge = {
domain = domain;
homeserverUrl = "https://${domain}";
disablePresence = true;
};
};
};
# telegram bridge
mautrix-telegram = {
enable = true;
environmentFile = /secrets/mautrix-telegram/mautrix-telegram.env;
# mautrix-telegram = {
# enable = true;
# environmentFile = /secrets/mautrix-telegram/mautrix-telegram.env;
settings = {
homeserver = {
address = "https://${domain}";
domain = "${domain}";
};
# settings = {
# homeserver = {
# address = "https://${domain}";
# domain = "${domain}";
# };
appservice = {
provisioning.enabled = false;
id = "telegram";
};
# appservice = {
# provisioning.enabled = false;
# id = "telegram";
# };
bridge = {
permissions = {
"@pepe:${domain}" = "admin";
"${domain}" = "puppeting";
};
# bridge = {
# permissions = {
# "@pepe:${domain}" = "admin";
# "${domain}" = "puppeting";
# };
# Animated stickers conversion requires additional packages in the
# service's path.
# If this isn't a fresh installation, clearing the bridge's uploaded
# file cache might be necessary (make a database backup first!):
# delete from telegram_file where \
# mime_type in ('application/gzip', 'application/octet-stream')
animated_sticker = {
target = "gif";
args = {
width = 256;
height = 256;
fps = 30; # only for webm
background = "020202"; # only for gif, transparency not supported
};
};
# # Animated stickers conversion requires additional packages in the
# # service's path.
# # If this isn't a fresh installation, clearing the bridge's uploaded
# # file cache might be necessary (make a database backup first!):
# # delete from telegram_file where \
# # mime_type in ('application/gzip', 'application/octet-stream')
# animated_sticker = {
# target = "gif";
# args = {
# width = 256;
# height = 256;
# fps = 30; # only for webm
# background = "020202"; # only for gif, transparency not supported
# };
# };
encryption = {
allow = true;
default = true;
};
};
};
};
# encryption = {
# allow = true;
# default = true;
# };
# };
# };
# };
};
systemd.services.mautrix-telegram.path = with pkgs; [
lottieconverter # for animated stickers conversion, unfree package
ffmpeg # if converting animated stickers to webm (very slow!)
];
# systemd.services.mautrix-telegram.path = with pkgs; [
# lottieconverter # for animated stickers conversion, unfree package
# ffmpeg # if converting animated stickers to webm (very slow!)
# ];
networking.extraHosts = ''
${network.architect-lan} ${domain} ${webui_domain}
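Review bot: The telegram bridge is disabled by commenting out the whole block from `mautrix-telegram = {` through the `systemd.services.mautrix-telegram.path` list, so Nix no longer evaluates it and any drift in the module's options will only surface when it is uncommented. `services.mautrix-telegram.enable = false;` with the settings left in place keeps the block type-checked and makes the intent explicit; the same applies to the `cinny`-to-`element-web` swap in the second hunk, where the old override survives only as a comment block. The commented `# "/var/lib/matrix-synapse/telegram-registration.yaml"` entry in `app_service_config_files` is consistent with the bridge being off, but a one-line comment on why it was disabled and whether the registration file still exists on disk would help the next reader.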


@ -50,8 +50,8 @@ in {
serviceConfig = rec {
User = cfg.user;
Group = cfg.group;
# Allows access to drm devices for transcoding with hardware acceleration
SupplementaryGroups = [ "video" ];
# # Allows access to drm devices for transcoding with hardware acceleration
# SupplementaryGroups = [ "video" ];
StateDirectory = "jellyfin";
CacheDirectory = "jellyfin";
ExecStart =
@ -65,7 +65,7 @@ in {
AmbientCapabilities = "";
CapabilityBoundingSet = "";
# ProtectClock= adds DeviceAllow=char-rtc r
# # ProtectClock= adds DeviceAllow=char-rtc r
# DeviceAllow = [
# "char-drm r"
# "/dev/nvidia0 r"
@ -73,33 +73,39 @@ in {
# "/dev/nvidia-uvm r"
# "/dev/nvidia-uvm-tools r"
# ];
DeviceAllow = "";
LockPersonality = true;
# LockPersonality = true;
#
PrivateTmp = true;
# PrivateUsers = true;
#
PrivateUsers = true;
# ProtectClock = true;
# ProtectControlGroups = true;
# ProtectHostname = true;
# ProtectKernelLogs = true;
# ProtectKernelModules = true;
# ProtectKernelTunables = true;
#
# RemoveIPC = true;
#
# RestrictNamespaces = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RemoveIPC = true;
RestrictNamespaces = true;
# # AF_NETLINK needed because Jellyfin monitors the network connection
# RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" ];
# RestrictRealtime = true;
# RestrictSUIDSGID = true;
#
# SystemCallArchitectures = "native";
# SystemCallErrorNumber = "EPERM";
# SystemCallFilter = [
# "@system-service"
# "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid"
# ];
RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallErrorNumber = "EPERM";
SystemCallFilter = [
"@system-service"
"~@cpu-emulation"
"~@debug"
"~@keyring"
"~@memlock"
"~@obsolete"
"~@privileged"
"~@setuid"
];
};
};
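Review bot: `LockPersonality = true` stays commented out in the third hunk while the rest of the sandboxing (`ProtectKernel*`, `RestrictNamespaces`, `SystemCallFilter`) is switched on; it does not affect device or network access, so re-enable it alongside `RestrictRealtime`. `DeviceAllow = ""` only clears the allow list, and with `DevicePolicy` left at its default I believe that means no device cgroup restriction at all rather than "no devices", so either restore the `char-drm r` entry from the commented list or add `DevicePolicy = "closed"` if lockdown is the intent. Removing `SupplementaryGroups = [ "video" ]` in the first hunk takes away the DRM access the adjacent comment says hardware transcoding needs; the `users.groups.video.members` change in jellyfin.nix appears to replace it, but `PrivateUsers = true` is new in the same hunk and should be verified against a real transcode. The enclosing `serviceConfig = rec {` opens in the first hunk of this file.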


@ -45,6 +45,8 @@ rec {
frznn-wg = "10.3.0.29";
ludo-wg = "10.3.0.30";
parina-wg = "10.3.0.31";
nilo-wg = "10.3.0.32";
parina-ipad-wg = "10.3.0.33";
eleonora-wg = "10.3.0.100";
angellane-wg = "10.3.0.200";
hotpottino-wg = "10.3.0.201";
@ -56,7 +58,7 @@ rec {
[ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg wolfsonhouse-wg ];
routers-wg = [ hotpottino-wg angellane-wg dodino-wg wolfsonhouse-wg ];
c2c-wg = [ ] ++ gdevices-wg;
towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg ] ++ gdevices-wg
towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg parina-ipad-wg ] ++ gdevices-wg
++ routers-wg;
gamenet-wg = [
andrew-wg


@ -1,4 +1,4 @@
{ lib, ... }:
{ lib, pkgs, ... }:
let
domain = "tweet.giugl.io";
@ -10,6 +10,7 @@ in {
server = {
port = 9093;
hostname = domain;
staticDir = "${pkgs.unstable.nitter}/share/nitter/public";
};
preferences = {
replaceYouTube = "tube.giugl.io";
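Review bot: `staticDir` now points at `pkgs.unstable.nitter` while nothing in this hunk sets `services.nitter.package`, so unless it is set elsewhere the daemon may come from the stable nitter and serve static assets from the unstable one. Adding `package = pkgs.unstable.nitter;` beside the new line, or deriving `staticDir` from that same package value, keeps the two in step. The enclosing `services.nitter` attribute set starts before this hunk.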


@ -23,8 +23,8 @@ in {
uploadHttp = { domain = upload_domain; };
admins = [ "giulio@${domain}" ];
httpInterfaces = [ "wg0" ];
httpsInterfaces = [ "wg0" ];
#httpInterfaces = [ "wg0" ];
#httpsInterfaces = [ "wg0" ];
};
};
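Review bot: Commenting out `httpInterfaces`/`httpsInterfaces` drops the wg0-only binding, so Prosody's HTTP and HTTPS listeners, including the `uploadHttp` endpoint configured just above, fall back to the module default, which I believe listens on all interfaces. If the goal is reachability from one more network, naming it explicitly (`httpInterfaces = [ "wg0" "<lan-iface>" ];` with the real interface substituted) keeps the exposure deliberate; if the endpoints are meant to be public, the firewall hunk in this commit does not open the corresponding ports as far as I can see. Either way a one-line comment on why the restriction was lifted would help.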


@ -32,6 +32,8 @@ with import ./network.nix; {
${frznn-wg} frznn.devs.giugl.io
${ludo-wg} ludo.devs.giugl.io
${parina-wg} parina.devs.giugl.io
${parina-ipad-wg} parinaipad.devs.giugl.io
${nilo-wg} nilo.devs.giugl.io
'';
wireguard = {
@ -249,6 +251,18 @@ with import ./network.nix; {
allowedIPs = [ parina-wg ];
publicKey = "7nubNnfGsg4/7KemMDn9r99mNK8RFU9uOFFqaYv6rUA=";
}
{
# nilo
allowedIPs = [ nilo-wg ];
publicKey = "lhTEDJ9WnizvEHTd5kN21fTHF27HNk+fPLQnB1B3LW0=";
}
{
# parina ipad
allowedIPs = [ parina-ipad-wg ];
publicKey = "ezkCzl2qC7Hd7rFKfqMa0JXDKRhVqy79H52rA06x7mU=";
}
];
};
};


@ -202,7 +202,7 @@
vim-vsnip
nvim-cmp
cmp-nvim-lsp
(nvim-treesitter.withPlugins (_: pkgs.tree-sitter.allGrammars))
(nvim-treesitter.withPlugins (_: unstable.tree-sitter.allGrammars))
nvim-treesitter-textobjects
];
};