From 6297268c8ae16722530de8a0eb587885e835d148 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Wed, 19 Apr 2023 05:57:21 +0200 Subject: [PATCH 01/62] Update lock --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 2960ad5..f63e44b 100644 --- a/flake.lock +++ b/flake.lock @@ -24,11 +24,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1681147610, - "narHash": "sha256-v4D4kTiQszI/3UXbeEYfpYtSdSD64DyAwB4rLK6i8mQ=", + "lastModified": 1681866352, + "narHash": "sha256-9XLyzaykO/kf1fc+5CmDxIDHshVmaNHY8FOkqXU0JBU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a9a909139f21c687d856fd3b19d7fb70439c7863", + "rev": "10e706e52dfda585f96ddc00b1544edf7d9b9f87", "type": "github" }, "original": { @@ -40,11 +40,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1681041438, - "narHash": "sha256-NmRGMklxBZ8Ol47CKMQxAU1F+v8ySpsHAAiC7ZL4vxY=", + "lastModified": 1681759395, + "narHash": "sha256-7aaRtLxLAy8qFVIA26ulB+Q5nDVzuQ71qi0s0wMjAws=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "48dcbaf7fa799509cbec85d55b8d62dcf1477d57", + "rev": "cd749f58ba83f7155b7062dd49d08e5e47e44d50", "type": "github" }, "original": { From 6bdaacbc08e1097398d168b374230b4e86214b75 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 1 May 2023 05:50:42 +0200 Subject: [PATCH 02/62] plex: update module --- hosts/architect/plex.nix | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/hosts/architect/plex.nix b/hosts/architect/plex.nix index 285abcd..b7e1e3e 100644 --- a/hosts/architect/plex.nix +++ b/hosts/architect/plex.nix 
@@ -1,16 +1,23 @@ { pkgs, lib, ... }: let - domain = "media.giugl.io"; + domain = "plex.giugl.io"; network = import ./network.nix; + port = 32400; in { + architect.firewall = { + openTCP = [ 32400 3005 8324 32469 ]; + openUDP = [ 1900 5353 32410 32412 32413 32414 ]; + }; + services.plex = { enable = true; package = pkgs.unstablePkgs.plex; - dataDir = "/plex"; + # dataDir = "/plex"; }; + services.nginx = { enable = true; # give a name to the virtual host. It also becomes the server name. @@ -19,10 +26,6 @@ in enableACME = true; http2 = true; extraConfig = '' - allow 10.3.0.0/24; - allow 10.0.0.0/24; - deny all; - #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause send_timeout 100m; @@ -77,8 +80,10 @@ in # Buffering off send to the client as soon as the data is received from Plex. proxy_redirect off; proxy_buffering off; + + add_header 'Content-Security-Policy' 'upgrade-insecure-requests'; ''; - locations."/" = { proxyPass = "http://127.0.0.1:32400"; }; + locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; }; }; }; From f1f52b015439c91d771f38dcfdc2aaf79b58b67b Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 1 May 2023 05:51:06 +0200 Subject: [PATCH 03/62] nextcloud: push to v26 --- hosts/architect/nextcloud.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/architect/nextcloud.nix b/hosts/architect/nextcloud.nix index 519f6f8..1350744 100644 --- a/hosts/architect/nextcloud.nix +++ b/hosts/architect/nextcloud.nix @@ -24,7 +24,7 @@ in enable = true; hostName = domain; https = true; - package = pkgs.unstablePkgs.nextcloud25; + package = pkgs.unstablePkgs.nextcloud26; datadir = "/services/nextcloud"; caching = { redis = true; From 77699945b53ddd7a225ccd1567372b2cddfb284d Mon Sep 17 00:00:00 2001 
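Review bot: Removing `allow 10.3.0.0/24; allow 10.0.0.0/24; deny all;` from the nginx `extraConfig` in the second hunk turns the Plex virtual host from LAN/VPN-only into one that answers any source address, and the first hunk also opens 32400, 3005, 8324 and 32469/tcp plus the UDP discovery ports in `architect.firewall.openTCP`/`openUDP`, which exposes the Plex listener directly, bypassing the TLS proxy. If `openTCP` is the WAN-facing list, as its use next to `openTCPVPN` elsewhere in this series suggests, that widening deserves a sentence in the commit message or a comment such as `# plex.giugl.io is deliberately public; Plex's own login is the only gate`, and the direct ports belong in the narrower VPN lists unless remote discovery is really wanted. `openTCP` hard-codes 32400 while the same hunk introduces `port = 32400`; `openTCP = [ port 3005 8324 32469 ];` keeps the firewall and the `proxyPass` in sync. Commenting out `dataDir = "/plex"` moves the library to the module default on the next activation, so the commit message should say whether the data was migrated.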
From: Giulio De Pasquale Date: Mon, 1 May 2023 06:05:06 +0200 Subject: [PATCH 04/62] architect: disable unused services --- hosts/architect/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix index ad5e343..f3b785e 100644 --- a/hosts/architect/default.nix +++ b/hosts/architect/default.nix @@ -28,8 +28,8 @@ in ./minecraft.nix ./prowlarr.nix ./libreddit.nix - ./invidious.nix -# ./lidarr.nix + # ./invidious.nix + # ./lidarr.nix # ./navidrome.nix ./jellyfin.nix ./prosody.nix @@ -37,7 +37,7 @@ in #./calibre.nix ./docker.nix ./keycloak.nix - ./runas.nix + # ./runas.nix ./tailscale.nix ./searx.nix ]; From e439068b1d7f55756711698f2a5ec52bf5d896ea Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 1 May 2023 06:05:25 +0200 Subject: [PATCH 05/62] architect: enable plex --- hosts/architect/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix index f3b785e..d5d732a 100644 --- a/hosts/architect/default.nix +++ b/hosts/architect/default.nix @@ -39,7 +39,8 @@ in ./keycloak.nix # ./runas.nix ./tailscale.nix - ./searx.nix + # ./searx.nix + ./plex.nix ]; time.timeZone = "Europe/Rome"; From 4557b3ad27d3a58e8505387b75a94fb603d5de47 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 1 May 2023 06:31:48 +0200 Subject: [PATCH 06/62] dns: added search domains --- hosts/architect/dns.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hosts/architect/dns.nix b/hosts/architect/dns.nix index 4121292..f2a1473 100644 --- a/hosts/architect/dns.nix +++ b/hosts/architect/dns.nix @@ -17,6 +17,12 @@ in localise-queries min-cache-ttl=120 max-cache-ttl=2400 + + expand-hosts + domain=runas.rocks + domain=giugl.io + domain=devs.runas.rocks + domain=devs.giugl.io ''; }; From d3255fdb474611c098308a119c6dcf4a36bd7502 Mon Sep 17 00:00:00 2001 
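Review bot: Only one of the four `domain=` lines added after `expand-hosts` in the dns.nix hunk is likely to take effect: in dnsmasq a bare `domain=` with no address range sets the single default domain, so I believe the others are ignored and `expand-hosts` appends just that one to unqualified names from /etc/hosts. If the intent is to answer only locally for those zones that is a different directive, and if a single suffix is wanted for expansion then one `domain=` line with `# domain appended to unqualified /etc/hosts names` above it makes the choice explicit.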
From: Giulio De Pasquale Date: Mon, 1 May 2023 06:32:55 +0200 Subject: [PATCH 07/62] Update lock --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index f63e44b..fb9d5ad 100644 --- a/flake.lock +++ b/flake.lock @@ -24,11 +24,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1681866352, - "narHash": "sha256-9XLyzaykO/kf1fc+5CmDxIDHshVmaNHY8FOkqXU0JBU=", + "lastModified": 1682915526, + "narHash": "sha256-j6JZH9MNQfPZ6Fm+LAGJjHLFT26WUB7scB9hNJiBhbA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "10e706e52dfda585f96ddc00b1544edf7d9b9f87", + "rev": "d46737f11841872e7980b1550511802db85c52b8", "type": "github" }, "original": { @@ -40,11 +40,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1681759395, - "narHash": "sha256-7aaRtLxLAy8qFVIA26ulB+Q5nDVzuQ71qi0s0wMjAws=", + "lastModified": 1682817260, + "narHash": "sha256-kFMXzKNj4d/0Iqbm5l57rHSLyUeyCLMuvlROZIuuhvk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "cd749f58ba83f7155b7062dd49d08e5e47e44d50", + "rev": "db1e4eeb0f9a9028bcb920e00abbc1409dd3ef36", "type": "github" }, "original": { From 098e0a6147bffd74fd3d465471501bd0abc51c65 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Sat, 6 May 2023 15:03:20 +0200 Subject: [PATCH 08/62] dnsmasq: domain -> local --- hosts/architect/dns.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/hosts/architect/dns.nix b/hosts/architect/dns.nix index f2a1473..71351b8 100644 --- a/hosts/architect/dns.nix +++ b/hosts/architect/dns.nix @@ -19,10 +19,10 @@ in max-cache-ttl=2400 expand-hosts - domain=runas.rocks - domain=giugl.io - domain=devs.runas.rocks - domain=devs.giugl.io + local=runas.rocks + local=giugl.io + local=devs.runas.rocks + local=devs.giugl.io ''; }; From b644b9d684279de8f417b1d8a5d7ca0150064724 Mon Sep 17 00:00:00 2001 
From: Giulio De Pasquale Date: Sat, 6 May 2023 15:04:25 +0200 Subject: [PATCH 09/62] headscale: init --- hosts/architect/default.nix | 1 + hosts/architect/firewall.nix | 1 + hosts/architect/headscale.nix | 61 +++++++++++++++++++++++++++++++++++ hosts/architect/network.nix | 6 ++-- 4 files changed, 67 insertions(+), 2 deletions(-) create mode 100644 hosts/architect/headscale.nix diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix index d5d732a..3ca0903 100644 --- a/hosts/architect/default.nix +++ b/hosts/architect/default.nix @@ -41,6 +41,7 @@ in ./tailscale.nix # ./searx.nix ./plex.nix + ./headscale.nix ]; time.timeZone = "Europe/Rome"; diff --git a/hosts/architect/firewall.nix b/hosts/architect/firewall.nix index 1f43c40..b7989cc 100644 --- a/hosts/architect/firewall.nix +++ b/hosts/architect/firewall.nix @@ -63,6 +63,7 @@ in iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}" iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}" iifname ${tailscale-if} ip saddr ${tailscale-net} accept + iifname ${tailscale-if} ip saddr 100.100.100.100/32 accept iifname "lo" accept comment "bind any ip to intf lo" jump mangle_drop } diff --git a/hosts/architect/headscale.nix b/hosts/architect/headscale.nix new file mode 100644 index 0000000..6b01593 --- /dev/null +++ b/hosts/architect/headscale.nix 
@@ -0,0 +1,61 @@ +{ config, pkgs, ... }: + +let + domain = "vipienne.giugl.io"; + network = import ./network.nix; +in +{ + architect.firewall = { + openTCP = [ config.services.headscale.port ]; + }; + + networking.extraHosts = '' + ${network.architect-lan} ${domain} + ${network.architect-wg} ${domain} + ${network.architect-ts} ${domain} + ''; + + environment.systemPackages = [ pkgs.unstablePkgs.headscale ]; + + services = { + headscale = { + enable = true; + package = pkgs.unstablePkgs.headscale; + port = 1194; + address = "0.0.0.0"; + serverUrl = "https://${domain}"; + logLevel = "debug"; + settings = { + dns_config = { + magic_dns = true; +# domains = [ "giugl.io" "runas.rocks" ]; +# base_domain = "giugl.io"; + override_local_dns = true; + nameservers = "10.4.0.2"; + }; + logtail.enabled = false; + ip_prefixes = [ "10.4.0.0/24" ]; + # The Noise private key is used to encrypt the + # traffic between headscale and Tailscale clients when + # using the new Noise-based protocol. It must be different + # from the legacy private key. + noise.private_key_path = "/var/lib/headscale/noise_private.key"; + }; + }; + + # ssl.key = "${config.security.acme.certs.${domain}.directory}/key.pem"; + # ssl.cert = + # "${config.security.acme.certs.${domain}.directory}/fullchain.pem"; + + nginx.virtualHosts.${domain} = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = + "http://127.0.0.1:${toString config.services.headscale.port}"; + proxyWebsockets = true; + }; + }; + + }; +} diff --git a/hosts/architect/network.nix b/hosts/architect/network.nix index 5829676..05fa061 100644 --- a/hosts/architect/network.nix +++ b/hosts/architect/network.nix @@ -11,7 +11,8 @@ rec { vpn-net = "10.3.0.0/24"; external_lan-net = "192.168.1.0/24"; docker-net = "172.17.0.0/16"; - tailscale-net = "100.64.0.0/10"; +# tailscale-net = "100.64.0.0/10"; + tailscale-net = "10.4.0.0/24"; # ips router-lan = "10.0.0.1"; 
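Review bot: `address = "0.0.0.0"` combined with `architect.firewall.openTCP = [ config.services.headscale.port ]` exposes the plain-HTTP headscale listener on 1194/tcp directly, while `serverUrl = "https://${domain}"` and the nginx vhost show that clients are meant to reach it only over TLS. Binding to loopback and dropping the firewall entry leaves nginx as the only entry point: `address = "127.0.0.1";` and delete the `openTCP` line (the 443 vhost is presumably already reachable). `logLevel = "debug"` is a production setting here; either lower it to `info` or add `# TODO: debug only while bringing the tailnet up`. 1194 is also the WireGuard `listenPort` in wireguard.nix; UDP there and TCP here, so it is legal but easy to misread, and a one-line comment would help.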
@@ -51,7 +52,8 @@ rec { framecca_four-wg = "10.3.0.39"; giuliophone-ts = "100.68.68.46"; - architect-ts = "100.67.205.28"; +# architect-ts = "100.67.205.28"; + architect-ts = "10.4.0.2"; giuliopc-ts = "100.124.78.64"; dodino-ts = "100.106.244.35"; From dc9dfd66ed8d47d29cf900d31ab9436804fc528b Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Sat, 6 May 2023 15:04:31 +0200 Subject: [PATCH 10/62] Revert "dnsmasq: domain -> local" This reverts commit 098e0a6147bffd74fd3d465471501bd0abc51c65. --- hosts/architect/dns.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/hosts/architect/dns.nix b/hosts/architect/dns.nix index 71351b8..f2a1473 100644 --- a/hosts/architect/dns.nix +++ b/hosts/architect/dns.nix @@ -19,10 +19,10 @@ in max-cache-ttl=2400 expand-hosts - local=runas.rocks - local=giugl.io - local=devs.runas.rocks - local=devs.giugl.io + domain=runas.rocks + domain=giugl.io + domain=devs.runas.rocks + domain=devs.giugl.io ''; }; From ce8efa33711d167e376603d06b8e0bca9ce9fe60 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Fri, 12 May 2023 12:32:29 +0200 Subject: [PATCH 11/62] architect: Added architect.networks option attribute set --- hosts/architect/options.nix | 69 ++++++++++++++++++++++++++++--------- 1 file changed, 53 insertions(+), 16 deletions(-) diff --git a/hosts/architect/options.nix b/hosts/architect/options.nix index 5f530b9..fd0b5ab 100644 --- a/hosts/architect/options.nix +++ b/hosts/architect/options.nix 
@@ -3,23 +3,60 @@ with lib; { - options.architect.firewall = { - openTCP = mkOption { - type = types.listOf types.int; - default = [ ]; + options.architect = { + firewall = { + openTCP = mkOption { + type = types.listOf types.int; + default = [ ]; + }; + openUDP = mkOption { + type = types.listOf types.int; + default = [ ]; + }; + openTCPVPN = mkOption { + type = types.listOf types.int; + default = [ ]; + }; + openUDPVPN = mkOption { + type = types.listOf types.int; + default = [ ]; + }; }; - openUDP = mkOption { - type = types.listOf types.int; - default = [ ]; - }; - openTCPVPN = mkOption { - type = types.listOf types.int; - default = [ ]; - }; - openUDPVPN = mkOption { - type = types.listOf types.int; - default = [ ]; + + networks = mkOption { + type = types.attrsOf (types.submodule { + options = { + interface = mkOption { + type = types.str; + description = "The network interface name."; + }; + + net = mkOption { + type = types.str; + description = "The network address in CIDR format."; + }; + + devices = mkOption { + type = types.attrsOf (types.submodule { + options = { + address = mkOption { + type = types.str; + description = "The IP address of the device."; + }; + + hostname = mkOption { + type = types.str; + description = "The hostname of the device."; + }; + }; + }); + default = { }; + description = "An attribute set of devices with their configurations."; + }; + }; + }); + default = { }; + description = "An attribute set of networks with their configurations."; }; }; - } From 26a07a20e5f32a131897982fa183fe9b82b35b07 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Fri, 12 May 2023 12:32:48 +0200 Subject: [PATCH 12/62] architect: Moved wireguard config to new network attribute set --- hosts/architect/wireguard.nix | 140 +++++++++++++++++++--------------- 1 file changed, 80 insertions(+), 60 deletions(-) diff --git a/hosts/architect/wireguard.nix b/hosts/architect/wireguard.nix index 9614a64..6a317ce 100644 --- a/hosts/architect/wireguard.nix 
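Review bot: The four firewall lists are `types.listOf types.int`, which accepts any integer; `types.listOf types.port` limits them to 0–65535 and reports a typo at evaluation time instead of inside the generated nftables ruleset. They also have no `description`, unlike the new `networks` options; one line each — e.g. `description = "TCP ports opened on every interface.";` with the actual scope confirmed against firewall.nix — would record which list is WAN-facing and which is VPN-only, the distinction every module that adds a port has to get right. `net` and `address` are bare `types.str`, so nothing checks that they are a CIDR or an IP; a comment saying they are unvalidated sets expectations for callers, and `net` could note that the firewall interpolates it into nftables verbatim.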
+++ b/hosts/architect/wireguard.nix 
@@ -1,208 +1,228 @@ { config, lib, ... }: -with import ./network.nix; - let listenPort = 1194; + domain = "devs.giugl.io"; + interface = "wireguard"; + # device.address device.hostname + generateDeviceStrings = devices: lib.concatStringsSep "\n" + (lib.mapAttrsToList (name: device: "${device.address} ${device.hostname}") devices); + getDeviceAddress = device: + config.architect.networks.${interface}.devices.${device}.address; in { - architect.firewall = { - openUDP = lib.singleton listenPort; - openUDPVPN = lib.singleton listenPort; + architect = { + firewall = { + openUDP = lib.singleton listenPort; + openUDPVPN = lib.singleton listenPort; + }; + + networks.${interface} = { + interface = "wg0"; + net = "10.3.0.0/24"; + devices = { + architect = { address = "10.3.0.1"; hostname = "architect.${domain}"; }; + manduria = { address = "10.3.0.5"; hostname = "manduria.${domain}"; }; + antonio = { address = "10.3.0.6"; hostname = "antonio.${domain}"; }; + gbeast = { address = "10.3.0.7"; hostname = "gbeast.${domain}"; }; + shield = { address = "10.3.0.12"; hostname = "shield.${domain}"; }; + salvatore = { address = "10.3.0.16"; hostname = "salvatore.${domain}"; }; + papa = { address = "10.3.0.17"; hostname = "papa.${domain}"; }; + defy = { address = "10.3.0.18"; hostname = "defy.${domain}"; }; + germano = { address = "10.3.0.19"; hostname = "germano.${domain}"; }; + flavio = { address = "10.3.0.20"; hostname = "flavio.${domain}"; }; + tommy = { address = "10.3.0.21"; hostname = "tommy.${domain}"; }; + alain = { address = "10.3.0.22"; hostname = "alain.${domain}"; }; + dima = { address = "10.3.0.23"; hostname = "dima.${domain}"; }; + mikey = { address = "10.3.0.24"; hostname = "mikey.${domain}"; }; + andrew = { address = "10.3.0.25"; hostname = "andrew.${domain}"; }; + mikeylaptop = { address = "10.3.0.26"; hostname = "mikeylaptop.${domain}"; }; + andrewdesktop = { address = "10.3.0.27"; hostname = "andrewdesktop.${domain}"; }; + jacopo = { address = "10.3.0.28"; hostname 
= "jacopo.${domain}"; }; + frznn = { address = "10.3.0.29"; hostname = "frznn.${domain}"; }; + ludo = { address = "10.3.0.30"; hostname = "ludo.${domain}"; }; + parina = { address = "10.3.0.31"; hostname = "parina.${domain}"; }; + nilo = { address = "10.3.0.32"; hostname = "nilo.${domain}"; }; + parina-ipad = { address = "10.3.0.33"; hostname = "parina-ipad.${domain}"; }; + kclvm = { address = "10.3.0.34"; hostname = "kclvm.${domain}"; }; + framecca = { address = "10.3.0.35"; hostname = "framecca.${domain}"; }; + framecca_one = { address = "10.3.0.36"; hostname = "framecca_one.${domain}"; }; + framecca_two = { address = "10.3.0.37"; hostname = "framecca_two.${domain}"; }; + framecca_three = { address = "10.3.0.38"; hostname = "framecca_three.${domain}"; }; + framecca_four = { address = "10.3.0.39"; hostname = "framecca_four.${domain}"; }; + }; + }; }; networking = { - extraHosts = '' - ${architect-wg} architect.devs.giugl.io - ${manduria-wg} manduria.devs.giugl.io - ${antonio-wg} antonio.devs.giugl.io - ${gbeast-wg} gbeast.devs.giugl.io - ${shield-wg} shield.devs.giugl.io - ${salvatore-wg} salvatore.devs.giugl.io - ${papa-wg} papa.devs.giugl.io - ${defy-wg} defy.devs.giugl.io - ${germano-wg} germano.devs.giugl.io - ${tommy-wg} tommy.devs.giugl.io - ${alain-wg} alain.devs.giugl.io - ${dima-wg} dima.devs.giugl.io - ${mikey-wg} mikey.devs.giugl.io - ${andrew-wg} andrew.devs.giugl.io - ${mikeylaptop-wg} mikeylaptop.devs.giugl.io - ${frznn-wg} frznn.devs.giugl.io - ${ludo-wg} ludo.devs.giugl.io - ${parina-wg} parina.devs.giugl.io - ${parina-ipad-wg} parinaipad.devs.giugl.io - ${nilo-wg} nilo.devs.giugl.io - ${kclvm-wg} kclvm.devs.giugl.io - ${framecca-wg} framecca.devs.giugl.io - ''; + extraHosts = generateDeviceStrings config.architect.networks.wireguard.devices; wireguard = { - interfaces.${vpn-if} = { + interfaces.${config.architect.networks.wireguard.interface} = { inherit listenPort; - ips = [ "10.3.0.1/24" ]; + ips = [ 
"${config.architect.networks.wireguard.devices.architect.address}/24" ]; privateKeyFile = "/secrets/wireguard/server.key"; peers = [ { # Manduria - allowedIPs = [ manduria-wg ]; + allowedIPs = [ (getDeviceAddress "manduria") ]; publicKey = "wT38oXvDQ8g0hI+pAXQobOWf/Wott2zhwo8TLvXK400="; } { # Antonio - allowedIPs = [ antonio-wg ]; + allowedIPs = [ (getDeviceAddress "antonio") ]; publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc="; } { # GBEAST - allowedIPs = [ gbeast-wg ]; + allowedIPs = [ (getDeviceAddress "gbeast") ]; publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI="; } { # shield - allowedIPs = [ shield-wg ]; + allowedIPs = [ (getDeviceAddress "shield") ]; publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs="; } { # salvatore - allowedIPs = [ salvatore-wg ]; + allowedIPs = [ (getDeviceAddress "salvatore") ]; publicKey = "fhlnBHeMyHZKLUCTSA9kmkKoM5x/qzz/rnCJrUh3Gzs="; } { # papa - allowedIPs = [ papa-wg ]; + allowedIPs = [ (getDeviceAddress "papa") ]; publicKey = "oGHygt02Oni3IFbScKD0NVEfHKCp6bpw68aq5g4RrAA="; } { # defy - allowedIPs = [ defy-wg ]; + allowedIPs = [ (getDeviceAddress "defy") ]; publicKey = "Cvi/eto7E6Ef+aiL81ou7x12fJCeuXrf/go9fxEqXG4="; } { # germano - allowedIPs = [ germano-wg ]; + allowedIPs = [ (getDeviceAddress "germano") ]; publicKey = "LJ0DHY1sFVLQb3ngUGGH0HxbDOPb9KCUPSaYcjr5Uiw="; } { # flavio - allowedIPs = [ flavio-wg ]; + allowedIPs = [ (getDeviceAddress "flavio") ]; publicKey = "Yg0P+yHi/9SZHyoel8jT9fmmu+irLYmT8yMp/CZoaSg="; } { # tommy - allowedIPs = [ tommy-wg ]; + allowedIPs = [ (getDeviceAddress "tommy") ]; publicKey = "tytknU7wql1d0A2provX3RP7CNcEIajfgBJKoSyVLgo="; } { # alain - allowedIPs = [ alain-wg ]; + allowedIPs = [ (getDeviceAddress "alain") ]; publicKey = "/o2msFJoUL4yovcIQJTU8c1faFtekrjSBBWJABouWno="; } { # dima - allowedIPs = [ dima-wg ]; + allowedIPs = [ (getDeviceAddress "dima") ]; publicKey = "svzWYIZ6v+cLCp/emGG7mx2YpBJqw2fqjVuHZy7b6H0="; } { # mikey - allowedIPs = [ mikey-wg ]; + allowedIPs = [ 
(getDeviceAddress "mikey") ]; publicKey = "ewbDdX3z7nxG2aPIf9TogXkhxPlGipLFcy6XfyDC6gI="; } { # andrew - allowedIPs = [ andrew-wg ]; + allowedIPs = [ (getDeviceAddress "andrew") ]; publicKey = "LP/FgST9fmBQSoKQFq9sFGvjRFOtRooMcuEcjuqaoWM="; } { # mikey laptop - allowedIPs = [ mikeylaptop-wg ]; + allowedIPs = [ (getDeviceAddress "mikeylaptop") ]; publicKey = "kz/pY/PgV+dwF1JZ2It4r5B5QfRSQM7HkbFCdvd5Yxk="; } { # andrew desktop - allowedIPs = [ andrewdesktop-wg ]; + allowedIPs = [ (getDeviceAddress "andrewdesktop") ]; publicKey = "rpYr3JNLIzxpxzFuQuaHFEl/XvPEPfwLbDETBP8KYXI="; } { # laptop desktop - allowedIPs = [ jacopo-wg ]; + allowedIPs = [ (getDeviceAddress "jacopo") ]; publicKey = "W/taWI79bPIKOolVVu5xZfiJnPw9K91Xn1zhcM0+4g0="; } { # frznn - allowedIPs = [ frznn-wg ]; + allowedIPs = [ (getDeviceAddress "frznn") ]; publicKey = "dXcrdME6VnnE5PBYwvUmayf7cn2wpcExeCR9gIXOO0o="; } { # ludo - allowedIPs = [ ludo-wg ]; + allowedIPs = [ (getDeviceAddress "ludo") ]; publicKey = "ecrxdzx7tQZwMPxZOjHUvxZT2xY79B6XEDIW+fhEtEM="; } { # parina - allowedIPs = [ parina-wg ]; + allowedIPs = [ (getDeviceAddress "parina") ]; publicKey = "7nubNnfGsg4/7KemMDn9r99mNK8RFU9uOFFqaYv6rUA="; } { # nilo - allowedIPs = [ nilo-wg ]; + allowedIPs = [ (getDeviceAddress "nilo") ]; publicKey = "lhTEDJ9WnizvEHTd5kN21fTHF27HNk+fPLQnB1B3LW0="; } { # parina ipad - allowedIPs = [ parina-ipad-wg ]; + allowedIPs = [ (getDeviceAddress "parina-ipad") ]; publicKey = "ezkCzl2qC7Hd7rFKfqMa0JXDKRhVqy79H52rA06x7mU="; } { # kcl vm - allowedIPs = [ kclvm-wg ]; + allowedIPs = [ (getDeviceAddress "kclvm") ]; publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE="; } { - allowedIPs = [ framecca-wg ]; + allowedIPs = [ (getDeviceAddress "framecca") ]; publicKey = "w0XPu5GcDA2vpNk3KCFRdWNVVQHRtAPApEsK1h3Ovyk="; } { - allowedIPs = [ framecca_one-wg ]; + allowedIPs = [ (getDeviceAddress "framecca_one") ]; publicKey = "5PnmExv78fU3SS8liUWY/oBCcJ48wzmz/70O0U7K/xs="; } - + { - allowedIPs = [ framecca_two-wg ]; + 
allowedIPs = [ (getDeviceAddress "framecca_two") ]; publicKey = "FbWfh2rL3OYLTDIte+MgctqL/bphn38eqpNy/chc3wM="; } { - allowedIPs = [ framecca_three-wg ]; + allowedIPs = [ (getDeviceAddress "framecca_three") ]; publicKey = "Z3LRFs6CO0kUh4J3pf+HcPsWch3hUAwJBG8/b0Kqnxs="; } { - allowedIPs = [ framecca_four-wg ]; + allowedIPs = [ (getDeviceAddress "framecca_four") ]; publicKey = "g/Ta12igzxSlCxy7KP865qf+l3+r1LjOo6UXjulmPBc="; } ]; From 65c76f5a6ac8fc04f70e7bba1e0f7d1a863e3692 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Fri, 12 May 2023 12:50:20 +0200 Subject: [PATCH 13/62] architect: Moved tailscale config to new network attribute set --- hosts/architect/tailscale.nix | 36 ++++++++++++++++++++++++----------- 1 file changed, 25 insertions(+), 11 deletions(-) diff --git a/hosts/architect/tailscale.nix b/hosts/architect/tailscale.nix index 43dcab0..aaa5b14 100644 --- a/hosts/architect/tailscale.nix +++ b/hosts/architect/tailscale.nix 
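Review bot: `domain` and `generateDeviceStrings` in this hunk's `let` block are duplicated verbatim in tailscale.nix and default.nix in the next two patches, and `getDeviceAddress` returns as `architectInterfaceAddress` in headscale.nix and `deviceAddress` in firewall.nix; one shared helper file imported by these modules would stop the three /etc/hosts generators and the address lookups from drifting apart. The local `interface = "wireguard"` is the attribute name under `architect.networks`, while the submodule field `interface` is `"wg0"`; naming the local `networkName` avoids one word with two meanings. `generateDeviceStrings` ignores the attribute name it receives, so `(_: device: "${device.address} ${device.hostname}")` states that. The new hosts list also renames `parinaipad.devs.giugl.io` to `parina-ipad.devs.giugl.io` and adds entries for devices the old `extraHosts` left out, which the commit message could mention.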
@@ -1,24 +1,38 @@ { config, lib, ... }: let - network = import ./network.nix; - - ifname = "ts0"; + domain = "devs.giugl.io"; + # device.address device.hostname + generateDeviceStrings = devices: lib.concatStringsSep "\n" + (lib.mapAttrsToList (name: device: "${device.address} ${device.hostname}") devices); in { - architect.firewall.openUDP = [ config.services.tailscale.port ]; + architect = { + firewall.openUDP = [ config.services.tailscale.port ]; + + networks.tailscale = { + interface = "ts0"; + net = "100.64.0.0/10"; + + devices = { + architect = { address = "100.64.0.1"; hostname = "architect.${domain}"; }; + kmerr = { address = "100.64.0.2"; hostname = "kmerr.${domain}"; }; + chuck = { address = "100.64.0.4"; hostname = "chuck.${domain}"; }; + dodino = { address = "100.64.0.5"; hostname = "dodino.${domain}"; }; + manduria = { address = "100.64.0.6"; hostname = "manduria.${domain}"; }; + tommy = { address = "100.64.0.7"; hostname = "tommy.${domain}"; }; + ucsb-workstation = { address = "100.64.0.8"; hostname = "ucsb-workstation.${domain}"; }; + alfredo = { address = "100.64.0.9"; hostname = "alfredo.${domain}"; }; + }; + }; + }; services = { tailscale = { enable = true; - interfaceName = ifname; + interfaceName = config.architect.networks.tailscale.interface; }; }; - networking.extraHosts = '' - ${network.architect-ts} architect.devs.giugl.io - ${network.giuliopc-ts} kmerr.devs.giugl.io - ${network.dodino-ts} dodino.devs.giugl.io - ${network.giuliophone-ts} chuck.devs.giugl.io - ''; + networking.extraHosts = generateDeviceStrings config.architect.networks.tailscale.devices; } From 3a4d4e9c4f39be206be4706ac5255a1433599b83 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Fri, 12 May 2023 13:48:45 +0200 Subject: [PATCH 14/62] architect: Use networking options --- hosts/architect/default.nix | 59 +++++++++++++++++++++---------------- 1 file changed, 33 insertions(+), 26 deletions(-) 
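Review bot: The new addresses `100.64.0.1`–`100.64.0.9` replace the recorded node IPs (`100.67.205.28`, `100.124.78.64`, `100.106.244.35`, `100.68.68.46`) and look hand-assigned in sequence, but headscale allocates node addresses itself from `ip_prefixes`, so these hosts entries — and the `nameservers` value derived from `architect.address` in headscale.nix two patches later — only hold if the control server actually issued exactly these; confirm against the assigned addresses or add a comment stating they are pinned on the server side. At this point in the series `net = "100.64.0.0/10"` while headscale.nix still has `ip_prefixes = [ "10.4.0.0/24" ]` and `nameservers = "10.4.0.2"` and firewall.nix still reads `tailscale-net` from network.nix, so this commit alone leaves the three disagreeing; squashing it with the follow-ups, or landing the headscale change first, keeps each commit buildable.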
diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix index 3ca0903..56ba5fa 100644 --- a/hosts/architect/default.nix +++ b/hosts/architect/default.nix @@ -1,11 +1,13 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: let pubkeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1we38/N+t8Ah5yrLof8QUwhrob7/VXFKIddaJeOVBLuDVnW7ljiAtdtEiL69D/DV4Ohmt5wMvkAAjfuHmim6FD9A6lzPbSU4KH9W2dcckszKbbI636kuDwem/xui6BW3wJa6P+0xW5ksygEAkzcK2PXuC2b4B9uwhuUdKahiGMKDxISG/WianqAe72cGMfNkYvion3Y1VsMLUdm48d2ABnxNpr7NI9B5iJ8dziOft9gpgfz13CCQRlReo75gk/4xI+vSNrQp7eR+wzJy2/dZg/T8jtyA9Q6jVxrxBpqQ1LNXkAKaJkGo9OabF6Wgpzp+YTAurL4nwR2NaJxwFuyoKvACQy0ai4jrS3206gC6JXZv8ktZMZrwUN+jPqCwfgh5qObFkAqKCxbp52ioDek2MQLdOvzQBX//DBhGEp5rzHGLZ3vhRIiiQiaof5sF5zWiYDW5mqezSPNxJPX/BrTP/Wbs/jpwTLBh3wytiia0S1WXQmya89bqzTPFiDWvTRA62EVKB/JaQtPQQOFAxWwg799DMycPeZ81xttZOyMtI/MZSddyqx2S8fWGwvToZQvuZ38mSIpFseLM1IkgabRIrAmat5SBNGGy9Dqa0eMEa7bwIY/4CMB1y6HMTnaoMXA6cnQfHMoB/zyTZ6oTXIeqeOyiZsK+RN0Mvahj8mXi7dw== giulio@giulio-X230" ]; - hostname = "architect"; - network = import ./network.nix; + domain = "devs.giugl.io"; + # device.address device.hostname + generateDeviceStrings = devices: lib.concatStringsSep "\n" + (lib.mapAttrsToList (name: device: "${device.address} ${device.hostname}") devices); in { imports = [ @@ -44,6 +46,25 @@ in ./headscale.nix ]; + architect = { + networks.lan = { + interface = "enp5s0"; + net = "10.0.0.0/24"; + devices = { + vodafoneStation = { address = "192.168.1.1"; hostname = "vodafone.station"; }; + + architect = { address = "10.0.0.250"; hostname = "architect.${domain}"; }; + router = { address = "10.0.0.1"; hostname = "router.${domain}"; }; + dvr = { address = "10.0.0.3"; hostname = "dvr.${domain}"; }; + }; + }; + + firewall = { + openTCP = [ 22 ]; + openTCPVPN = [ 22 ]; + }; + }; + time.timeZone = "Europe/Rome"; users.users.giulio.openssh.authorizedKeys.keys = pubkeys; boot = { 
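Review bot: `vodafoneStation = { address = "192.168.1.1"; hostname = "vodafone.station"; }` sits under `networks.lan`, whose `net` is `10.0.0.0/24`, so the device is outside the network it is declared in and is evidently there only to keep its hosts entry. A comment — `# not on lan.net; listed only for the /etc/hosts entry` — or a separate `networks` entry for the 192.168.1.0/24 segment (`external_lan-net` still exists in network.nix) would keep `lan.devices` meaning "hosts on lan.net", which matters as soon as something derives firewall rules from that set the way firewall.nix already does per device for wireguard and tailscale. `generateDeviceStrings` here is the third verbatim copy of the helper from wireguard.nix and tailscale.nix.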
@@ -60,8 +81,8 @@ in }; }; - kernelParams = [ - "ip=${network.architect-lan}::10.0.0.1:255.255.255.0::${network.wan-if}:off" + kernelParams = with config.architect.networks.lan; [ + "ip=${devices.architect.address}::${devices.router.address}:255.255.255.0::${interface}:off" "nvme_core.default_ps_max_latency_us=5500" "zfs_arc_max=1073741824" "memmap=32M$0x4ca6f9478" @@ -82,30 +103,20 @@ in tmpOnTmpfsSize = "50%"; }; - networking = { - hostName = hostname; + networking = with config.architect.networks.lan; { + hostName = "architect"; hostId = "49350853"; useDHCP = false; - defaultGateway = "10.0.0.1"; + defaultGateway = devices.router.address; interfaces = { - enp5s0.ipv4.addresses = [{ - address = network.architect-lan; + ${interface}.ipv4.addresses = [{ + address = devices.architect.address; prefixLength = 24; }]; enp6s0.useDHCP = false; wlp4s0.useDHCP = false; }; - extraHosts = '' - 127.0.0.1 ${hostname}.devs.giugl.io localhost - - # LAN - ${network.architect-lan} ${hostname}.devs.giugl.io - - ${network.dvr-lan} dvr.devs.giugl.io - ${network.nas-lan} nas.devs.giugl.io - ${network.router-lan} router-manduria.devs.giugl.io - 192.168.1.1 vodafone.station - + extraHosts = (generateDeviceStrings config.architect.networks.lan.devices) + '' # Blacklist 0.0.0.0 metrics.plex.tv 0.0.0.0 analytics.plex.tv @@ -132,11 +143,6 @@ in driSupport = true; }; - architect.firewall = { - openTCP = [ 22 ]; - openTCPVPN = [ 22 ]; - }; - services = { fwupd.enable = true; das_watchdog.enable = true; @@ -158,3 +164,4 @@ in systemPackages = with pkgs; [ cachix ]; }; } + From 1e19a08665e15dce1e4e1026d1fdedd3266bea6d Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Fri, 12 May 2023 14:28:39 +0200 Subject: [PATCH 15/62] tailscale: Use networking attrset --- hosts/architect/headscale.nix | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/hosts/architect/headscale.nix b/hosts/architect/headscale.nix index 6b01593..12ae648 100644 
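Review bot: The rewritten `extraHosts` in the `@@ -82,30 +103,20 @@` hunk drops `${network.nas-lan} nas.devs.giugl.io` and renames `router-manduria.devs.giugl.io` to `router.${domain}` without the commit message saying so; neither host is in `networks.lan.devices`. If the NAS entry is still needed, add `nas = { address = <nas-address>; hostname = "nas.${domain}"; };` (placeholder address) to the device set; if not, say so in the message. The `127.0.0.1 ${hostname}.devs.giugl.io localhost` line is gone too; NixOS supplies `localhost` itself as far as I know, but the host's own FQDN now resolves only to `10.0.0.250`, which changes behaviour for any local service that was reached by that name on loopback.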
--- a/hosts/architect/headscale.nix +++ b/hosts/architect/headscale.nix @@ -1,8 +1,9 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: let domain = "vipienne.giugl.io"; - network = import ./network.nix; + architectInterfaceAddress = interface: + config.architect.networks.${interface}.devices.architect.address; in { architect.firewall = { @@ -10,9 +11,9 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; environment.systemPackages = [ pkgs.unstablePkgs.headscale ]; @@ -28,13 +29,17 @@ in settings = { dns_config = { magic_dns = true; -# domains = [ "giugl.io" "runas.rocks" ]; -# base_domain = "giugl.io"; + domains = [ + "giugl.io" + "runas.rocks" + "devs.giugl.io" + ]; + base_domain = "giugl.io"; override_local_dns = true; - nameservers = "10.4.0.2"; + nameservers = [ config.architect.networks.tailscale.devices.architect.address ]; }; logtail.enabled = false; - ip_prefixes = [ "10.4.0.0/24" ]; + ip_prefixes = [ config.architect.networks.tailscale.net ]; # The Noise private key is used to encrypt the # traffic between headscale and Tailscale clients when # using the new Noise-based protocol. It must be different @@ -43,10 +48,6 @@ in }; }; - # ssl.key = "${config.security.acme.certs.${domain}.directory}/key.pem"; - # ssl.cert = - # "${config.security.acme.certs.${domain}.directory}/fullchain.pem"; - nginx.virtualHosts.${domain} = { forceSSL = true; enableACME = true; From e5aab58be74888639d6a9abc6c3ddd120ed76c25 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Fri, 12 May 2023 14:28:58 +0200 Subject: [PATCH 16/62] architect: port firewall to networking attrset --- hosts/architect/firewall.nix | 91 +++++++++++++++++++++++------------- 1 file changed, 58 insertions(+), 33 deletions(-) 
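Review bot: `base_domain = "giugl.io"` with `magic_dns = true` hands that whole zone to MagicDNS on every node, while the control server itself lives at `vipienne.giugl.io` (`serverUrl`); whether nodes can still resolve the server name after the first DNS push should be confirmed, because a miss there cuts clients off from coordination, and newer headscale releases refuse a `base_domain` that is a parent of `server_url`, I believe. A base domain that does not contain the server name — `devs.giugl.io`, already in `domains`, or something like `ts.giugl.io` (constructed) — sidesteps it. `logLevel = "debug"` survives from the initial commit; if it is intentional, `# TODO: back to info once DNS is settled` records that.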
diff --git a/hosts/architect/firewall.nix b/hosts/architect/firewall.nix index b7989cc..3194b36 100644 --- a/hosts/architect/firewall.nix +++ b/hosts/architect/firewall.nix @@ -1,13 +1,38 @@ { config, lib, ... }: -with import ./network.nix; -with lib; - let - openTCP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCP; - openUDP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDP; - openTCPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCPVPN; - openUDPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDPVPN; + openTCP = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCP; + openUDP = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDP; + openTCPVPN = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCPVPN; + openUDPVPN = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDPVPN; + + deviceAddress = interface: device: + config.architect.networks.${interface}.devices.${device}.address; + + gdevices = [ + (deviceAddress "tailscale" "architect") + (deviceAddress "tailscale" "dodino") + (deviceAddress "tailscale" "manduria") + (deviceAddress "tailscale" "kmerr") + (deviceAddress "tailscale" "chuck") + ]; + + wireguardToWAN = [ + (deviceAddress "wireguard" "shield") + (deviceAddress "wireguard" "parina") + (deviceAddress "wireguard" "parina-ipad") + (deviceAddress "wireguard" "germano") + ]; + + frameccaDevices = [ + (deviceAddress "wireguard" "framecca") + (deviceAddress "wireguard" "framecca_one") + (deviceAddress "wireguard" "framecca_two") + (deviceAddress "wireguard" "framecca_three") + (deviceAddress "wireguard" "framecca_four") + ]; + + clientToClientWireguard = frameccaDevices; in { networking = { 
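Review bot: `wireguardToWAN` is the allowlist of peers whose traffic is masqueraded out to the internet, the most consequential list in this file, and it carries no comment; `# peers allowed to use architect as their default route (masqueraded on lan.interface)` above it, plus a note that it replaces the old `towan-wg` set from network.nix, would make both the intent and the review question — does the membership match the old list? — visible. `gdevices` is defined but no hunk of this patch uses it; if nothing outside the shown hunks reads it, it is dead code. The four `concatMapStringsSep "," (x: toString x)` calls can pass `toString` directly.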
@@ -17,7 +42,7 @@ in nftables = { enable = true; - ruleset = '' + ruleset = with config.architect.networks; '' table ip raw { chain PREROUTING { type filter hook prerouting priority raw; policy accept; @@ -43,11 +68,11 @@ in chain POSTROUTING { type nat hook postrouting priority srcnat; policy accept; - oifname ${wan-if} ip saddr {${ - lib.concatStringsSep "," towan-wg + oifname ${lan.interface} ip saddr {${ + lib.concatStringsSep "," wireguardToWAN }} masquerade - oifname ${wan-if} ip saddr ${docker-net} masquerade - oifname ${wan-if} ip saddr ${tailscale-net} masquerade + oifname ${lan.interface} ip saddr ${docker.net} masquerade + oifname ${lan.interface} ip saddr ${tailscale.net} masquerade } } 
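Review bot: In the POSTROUTING hunk the egress interface for the masquerade rules is now `lan.interface`, and nothing in the attrset name tells a reader that this single interface is both the trusted segment (`ip saddr ${lan.net} accept` further down) and the path over which the internet-exposed `openTCP`/`openUDP` ports arrive; the forward chain still labels this path "nat to wan". A one-line comment above the first masquerade rule, `# lan.interface is architect's only uplink: WireGuard, docker and tailscale sources are NATed out of it`, would make the dual role explicit and stop someone from later "hardening" it as if it were an internal-only segment. The `ruleset` string opens in the first hunk, but the `ip raw` table body and the chain that the POSTROUTING rules belong to are outside these hunks.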
@@ -57,13 +82,13 @@
       ct state invalid,untracked drop comment "drop invalid"
       ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
       ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
-      iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}"
-      iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}"
-      iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
-      iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
-      iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}"
-      iifname ${tailscale-if} ip saddr ${tailscale-net} accept
-      iifname ${tailscale-if} ip saddr 100.100.100.100/32 accept
+      iifname ${lan.interface} ip saddr ${wireguard.net} drop comment "bind any ip to intf ${lan.interface}"
+      iifname ${lan.interface} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${lan.interface}"
+      iifname ${lan.interface} accept comment "bind any ip to intf ${lan.interface}"
+      iifname ${wireguard.interface} ip saddr ${wireguard.net} accept comment "bind ip ${wireguard.net} to intf ${wireguard.interface}"
+      iifname ${docker.interface} ip saddr ${docker.net} accept comment "bind ip ${docker.net} to intf ${docker.interface}"
+      iifname ${tailscale.interface} ip saddr ${tailscale.net} accept
+      iifname ${tailscale.interface} ip saddr 100.100.100.100/32 accept
       iifname "lo" accept comment "bind any ip to intf lo"
       jump mangle_drop
     }
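Review bot: The source-binding rules for `lan.interface` drop only `wireguard.net` and `127.0.0.0/8` before the blanket `iifname ${lan.interface} accept`, so a packet arriving on the LAN side with a forged `tailscale.net` or `docker.net` source passes this chain, and the input chain in the next hunk then accepts `ip saddr ${tailscale.net}` without looking at the interface. Add the two missing drops next to the existing one: `iifname ${lan.interface} ip saddr ${tailscale.net} drop comment "no tailscale sources on ${lan.interface}"` and `iifname ${lan.interface} ip saddr ${docker.net} drop comment "no docker sources on ${lan.interface}"`. The old `vpn-net`-only rule appears to have had the same gap; this commit carries it over rather than introducing it. The chain header for these rules is outside the hunk.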
@@ -116,17 +141,17 @@ in iifname "lo" accept comment "loopback" ip daddr 255.255.255.255 accept comment "allow broadcast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" - ip saddr ${lan-net} accept comment "lan > local" - ip saddr ${tailscale-net} accept comment "tailscale > local" + ip saddr ${lan.net} accept comment "lan > local" + ip saddr ${tailscale.net} accept comment "tailscale > local" ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local" - iifname ${wan-if} tcp dport {${openTCP}} accept - iifname ${wan-if} udp dport {${openUDP}} accept - iifname ${vpn-if} tcp dport {${openTCPVPN}} accept - iifname ${vpn-if} udp dport {${openUDPVPN}} accept + iifname ${lan.interface} tcp dport {${openTCP}} accept + iifname ${lan.interface} udp dport {${openUDP}} accept + iifname ${wireguard.interface} tcp dport {${openTCPVPN}} accept + iifname ${wireguard.interface} udp dport {${openUDPVPN}} accept - iifname ${vpn-if} icmp type echo-request accept - iifname ${docker-if} udp dport 53 accept + iifname ${wireguard.interface} icmp type echo-request accept + iifname ${docker.interface} udp dport 53 accept jump filter_drop } @@ -135,17 +160,17 @@ in ct state established,related accept # client to client - ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${ - lib.concatStringsSep "," c2c-wg + ip saddr {${lib.concatStringsSep "," clientToClientWireguard}} ip daddr {${ + lib.concatStringsSep "," clientToClientWireguard }} accept # nat to wan - oifname ${wan-if} ip saddr {${ - lib.concatStringsSep "," towan-wg + oifname ${lan.interface} ip saddr {${ + lib.concatStringsSep "," wireguardToWAN }} accept - oifname ${wan-if} ip saddr ${docker-net} accept - oifname ${wan-if} ip saddr ${tailscale-net} accept + oifname ${lan.interface} ip saddr ${docker.net} accept + oifname ${lan.interface} ip saddr ${tailscale.net} accept jump filter_drop } From ac5176e731a43815035dde1e90811344713f89fd Mon Sep 17 00:00:00 2001 
From: Giulio De Pasquale
Date: Fri, 12 May 2023 14:29:17 +0200
Subject: [PATCH 17/62] docker: port to networking attrset
---
 hosts/architect/docker.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/hosts/architect/docker.nix b/hosts/architect/docker.nix
index 6e294da..93c2d37 100644
--- a/hosts/architect/docker.nix
+++ b/hosts/architect/docker.nix
@@ -1,8 +1,15 @@
+{ config, ... }:
+
 {
+  architect.networks.docker = {
+    interface = "docker0";
+    net = "172.17.0.0/16";
+  };
+
   virtualisation.docker = {
     enable = true;
     extraOptions = ''
-      --dns 127.0.0.1 --dns 10.0.0.250 --data-root /docker
+      --dns 127.0.0.1 --dns ${config.architect.networks.lan.devices.architect.address} --data-root /docker
     '';
     enableOnBoot = false;
   };
From 39c2fe2c6b78af2a7a942b20b000555f5671808f Mon Sep 17 00:00:00 2001
From: Giulio De Pasquale
Date: Fri, 12 May 2023 14:31:04 +0200
Subject: [PATCH 18/62] Update lock
---
 flake.lock | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/flake.lock b/flake.lock
index fb9d5ad..0563a19 100644
--- a/flake.lock
+++ b/flake.lock
@@ -24,11 +24,11 @@
     },
     "nixos-unstable": {
       "locked": {
-        "lastModified": 1682915526,
-        "narHash": "sha256-j6JZH9MNQfPZ6Fm+LAGJjHLFT26WUB7scB9hNJiBhbA=",
+        "lastModified": 1683893492,
+        "narHash": "sha256-9sINNV7J26/afioFhS0vGrZ2zQHg1eBWE3lesBedyhI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d46737f11841872e7980b1550511802db85c52b8",
+        "rev": "0ad4e41995ef6566cdd8477c132884411b7399a2",
         "type": "github"
       },
       "original": {
@@ -40,11 +40,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1682817260,
-        "narHash": "sha256-kFMXzKNj4d/0Iqbm5l57rHSLyUeyCLMuvlROZIuuhvk=",
+        "lastModified": 1683627095,
+        "narHash": "sha256-8u9SejRpL2TrMuHBdhYh4FKc1OGPDLyWTpIbNTtoHsA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "db1e4eeb0f9a9028bcb920e00abbc1409dd3ef36",
+        "rev": "a08e061a4ee8329747d54ddf1566d34c55c895eb",
         "type": "github"
       },
       "original": {
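Review bot: `--dns 127.0.0.1` in the docker.nix `extraOptions` is kept from the old line, but inside a container that address is the container's own loopback, not the host resolver, so lookups only fall through to the second entry (architect's LAN address) after the first one fails; if the host resolver should serve containers, the docker bridge address is the reachable one (the firewall in this series already accepts `udp dport 53` from `docker.interface`), e.g. `--dns 172.17.0.1`. Also, `net = "172.17.0.0/16"` merely records Docker's default bridge subnet; nothing here enforces it, so a daemon that picks a different range would silently fall outside the firewall's `docker.net` bind rule — pinning it with `--bip 172.17.0.1/16` in the same `extraOptions` keeps the two in step. I can't see from this hunk which resolver listens on which host address, so treat the `172.17.0.1` suggestion as something to verify.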
From 7c00b8bf0b41495ce6ae218073c486c40505c92a Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Fri, 12 May 2023 14:33:25 +0200 Subject: [PATCH 19/62] wireguard: remove devices --- hosts/architect/wireguard.nix | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/hosts/architect/wireguard.nix b/hosts/architect/wireguard.nix index 6a317ce..d85743e 100644 --- a/hosts/architect/wireguard.nix +++ b/hosts/architect/wireguard.nix @@ -22,7 +22,6 @@ in net = "10.3.0.0/24"; devices = { architect = { address = "10.3.0.1"; hostname = "architect.${domain}"; }; - manduria = { address = "10.3.0.5"; hostname = "manduria.${domain}"; }; antonio = { address = "10.3.0.6"; hostname = "antonio.${domain}"; }; gbeast = { address = "10.3.0.7"; hostname = "gbeast.${domain}"; }; shield = { address = "10.3.0.12"; hostname = "shield.${domain}"; }; @@ -31,7 +30,6 @@ in defy = { address = "10.3.0.18"; hostname = "defy.${domain}"; }; germano = { address = "10.3.0.19"; hostname = "germano.${domain}"; }; flavio = { address = "10.3.0.20"; hostname = "flavio.${domain}"; }; - tommy = { address = "10.3.0.21"; hostname = "tommy.${domain}"; }; alain = { address = "10.3.0.22"; hostname = "alain.${domain}"; }; dima = { address = "10.3.0.23"; hostname = "dima.${domain}"; }; mikey = { address = "10.3.0.24"; hostname = "mikey.${domain}"; }; @@ -65,12 +63,6 @@ in privateKeyFile = "/secrets/wireguard/server.key"; peers = [ - { - # Manduria - allowedIPs = [ (getDeviceAddress "manduria") ]; - publicKey = "wT38oXvDQ8g0hI+pAXQobOWf/Wott2zhwo8TLvXK400="; - } - { # Antonio allowedIPs = [ (getDeviceAddress "antonio") ]; @@ -119,12 +111,6 @@ in publicKey = "Yg0P+yHi/9SZHyoel8jT9fmmu+irLYmT8yMp/CZoaSg="; } - { - # tommy - allowedIPs = [ (getDeviceAddress "tommy") ]; - publicKey = "tytknU7wql1d0A2provX3RP7CNcEIajfgBJKoSyVLgo="; - } - { # alain allowedIPs = [ (getDeviceAddress "alain") ]; From 9bf85c00cf2fbe967f7836532b5e1b6408359c5e Mon Sep 17 00:00:00 2001 
From: Giulio De Pasquale Date: Fri, 12 May 2023 23:05:10 +0200 Subject: [PATCH 20/62] architect: services use new networking attrset --- hosts/architect/bazarr.nix | 12 ++++--- hosts/architect/calibre.nix | 12 ++++--- hosts/architect/default.nix | 6 ++-- hosts/architect/deluge.nix | 10 +++--- hosts/architect/fail2ban.nix | 9 +++-- hosts/architect/gitea.nix | 11 ++++--- hosts/architect/headscale.nix | 5 +-- hosts/architect/jellyfin.nix | 54 +++++++++++++++--------------- hosts/architect/keycloak.nix | 12 ++++--- hosts/architect/libreddit.nix | 14 ++++---- hosts/architect/lidarr.nix | 14 ++++---- hosts/architect/matrix.nix | 13 ++++---- hosts/architect/minecraft.nix | 14 ++++---- hosts/architect/minio.nix | 19 ++++++----- hosts/architect/nextcloud.nix | 21 +++++++----- hosts/architect/nginx.nix | 1 + hosts/architect/nzbget.nix | 12 ++++--- hosts/architect/plex.nix | 14 ++++---- hosts/architect/prosody.nix | 10 +++--- hosts/architect/prowlarr.nix | 18 +++++----- hosts/architect/radarr.nix | 13 +++++--- hosts/architect/runas.nix | 13 +++++--- hosts/architect/sonarr.nix | 12 ++++--- hosts/architect/tailscale.nix | 6 ++-- hosts/architect/utilities.nix | 13 ++++++++ hosts/architect/wireguard.nix | 62 +++++++++++++++++------------------ 26 files changed, 227 insertions(+), 173 deletions(-) create mode 100644 hosts/architect/utilities.nix diff --git a/hosts/architect/bazarr.nix b/hosts/architect/bazarr.nix index d4a6a57..7ca8884 100644 --- a/hosts/architect/bazarr.nix +++ b/hosts/architect/bazarr.nix @@ -1,9 +1,11 @@ -{ lib, ... }: +{ config, lib, ... }: let domain = "htbaz.giugl.io"; - network = import ./network.nix; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { 
@@ -25,9 +27,9 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; users.groups.media.members = [ "bazarr" ]; diff --git a/hosts/architect/calibre.nix b/hosts/architect/calibre.nix index 185bc75..362a4f0 100644 --- a/hosts/architect/calibre.nix +++ b/hosts/architect/calibre.nix @@ -1,9 +1,11 @@ -{ lib, ... }: +{ config, lib, ... }: let domain = "books.giugl.io"; - network = import ./network.nix; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { @@ -29,9 +31,9 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; users.groups.media.members = [ "calibre-web" ]; diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix index 56ba5fa..193076d 100644 --- a/hosts/architect/default.nix +++ b/hosts/architect/default.nix @@ -5,9 +5,9 @@ let "ssh-rsa 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 giulio@giulio-X230" ]; domain = "devs.giugl.io"; - # device.address device.hostname - generateDeviceStrings = devices: lib.concatStringsSep "\n" - (lib.mapAttrsToList (name: device: "${device.address} ${device.hostname}") devices); + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) generateDeviceStrings; in { imports = [ diff --git a/hosts/architect/deluge.nix b/hosts/architect/deluge.nix index cf3a781..98522f8 100644 --- a/hosts/architect/deluge.nix +++ b/hosts/architect/deluge.nix 
@@ -2,8 +2,10 @@ let domain = "htdel.giugl.io"; - network = import ./network.nix; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; listenPorts = [ 51413 51414 ]; in @@ -54,9 +56,9 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; users.groups.media.members = [ "deluge" ]; diff --git a/hosts/architect/fail2ban.nix b/hosts/architect/fail2ban.nix index 2dfa35c..65836f0 100644 --- a/hosts/architect/fail2ban.nix +++ b/hosts/architect/fail2ban.nix @@ -1,9 +1,14 @@ -{ config, pkgs, ... }: { +{ config, pkgs, ... }: + +{ services.fail2ban = { enable = true; package = pkgs.fail2ban; packageFirewall = pkgs.nftables; bantime-increment.enable = true; - ignoreIP = [ "10.0.0.0/24" "10.3.0.0/24" ]; + ignoreIP = [ + config.architect.networks.lan.net + config.architect.networks.tailscale.net + ]; }; } diff --git a/hosts/architect/gitea.nix b/hosts/architect/gitea.nix index 3f4c8a9..49dd14a 100644 --- a/hosts/architect/gitea.nix +++ b/hosts/architect/gitea.nix @@ -2,7 +2,9 @@ let domain = "git.giugl.io"; - network = import ./network.nix; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { architect.firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ]; @@ -33,9 +35,8 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; - } 
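Review bot: The fail2ban hunk changes which networks are exempt without saying so: the old `ignoreIP` covered `10.0.0.0/24` and `10.3.0.0/24` (the LAN and, per wireguard.nix in this series, the WireGuard net), while the new list is `lan.net` plus `tailscale.net`, so WireGuard peers can now be banned and every tailnet node is exempt. If that swap is deliberate, add a comment such as `# WireGuard peers are intentionally NOT exempt; the whole tailnet is`; if not, add `config.architect.networks.wireguard.net` to the list. Note the tailscale exemption is as wide as the whole net, not the named `gdevices` used elsewhere.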
diff --git a/hosts/architect/headscale.nix b/hosts/architect/headscale.nix index 12ae648..c9f11b3 100644 --- a/hosts/architect/headscale.nix +++ b/hosts/architect/headscale.nix @@ -2,8 +2,9 @@ let domain = "vipienne.giugl.io"; - architectInterfaceAddress = interface: - config.architect.networks.${interface}.devices.architect.address; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { architect.firewall = { diff --git a/hosts/architect/jellyfin.nix b/hosts/architect/jellyfin.nix index e2ad9fc..b61a73d 100644 --- a/hosts/architect/jellyfin.nix +++ b/hosts/architect/jellyfin.nix @@ -1,9 +1,11 @@ -{ pkgs, lib, ... }: +{ config, pkgs, lib, ... }: let - network = import ./network.nix; domain = "media.giugl.io"; - auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; + port = 8096; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { # needed since StateDirectory does not accept symlinks 
@@ -19,44 +21,40 @@ in nginx.virtualHosts.${domain} = { forceSSL = true; enableACME = true; - extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices; } + - '' - # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. - #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; - # Disable buffering when the nginx proxy gets very resource heavy upon streaming - proxy_buffering off; - ''; + extraConfig = '' + # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. + #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; + # Disable buffering when the nginx proxy gets very resource heavy upon streaming + proxy_buffering off; + + allow ${config.architect.networks.lan.net}; + allow ${config.architect.networks.tailscale.net}; + deny all; + ''; locations."/" = { - proxyPass = "http://127.0.0.1:8096"; - # extraConfig = '' - # allow 10.0.0.0/24; - # allow 10.3.0.0/24; - # deny all; - # ''; + proxyPass = "http://127.0.0.1:${toString port}"; }; locations."/socket" = { - proxyPass = "http://127.0.0.1:8096"; + proxyPass = 
"http://127.0.0.1:${toString port}"; proxyWebsockets = true; - # extraConfig = '' - # allow 10.0.0.0/24; - # allow 10.3.0.0/24; - # deny all; - # ''; }; }; }; + networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; - users.groups.media.members = [ "jellyfin" ]; - users.groups.video.members = [ "jellyfin" ]; - users.groups.render.members = [ "jellyfin" ]; + users.groups = { + media.members = [ "jellyfin" ]; + video.members = [ "jellyfin" ]; + render.members = [ "jellyfin" ]; + }; fileSystems."/tmp/jellyfin" = { device = "none"; diff --git a/hosts/architect/keycloak.nix b/hosts/architect/keycloak.nix index 6972892..c8e7aa6 100644 --- a/hosts/architect/keycloak.nix +++ b/hosts/architect/keycloak.nix @@ -1,8 +1,10 @@ -{ pkgs, config, ... }: +{ pkgs, lib, config, ... }: let - network = import ./network.nix; domain = "auth.giugl.io"; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { @@ -73,8 +75,8 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; } diff --git a/hosts/architect/libreddit.nix b/hosts/architect/libreddit.nix index e652599..71c841b 100644 --- a/hosts/architect/libreddit.nix +++ b/hosts/architect/libreddit.nix @@ -1,8 +1,10 @@ -{ lib, pkgs, ... }: +{ config, lib, pkgs, ... }: let domain = "reddit.giugl.io"; - network = import ./network.nix; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { 
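Review bot: The rewritten `extraConfig` removes the `auth_block { access_role = "jellyfin"; … }` OIDC gate and replaces it with a source-address allowlist, so anyone on `lan.net` or any tailnet node now reaches Jellyfin's own login page with no SSO in front; at the same time `networking.extraHosts` in this hunk still maps the WireGuard address to `media.giugl.io`, but `wireguard.net` is not in the `allow` list, so WireGuard clients resolve the name and get 403. Either add `allow ${config.architect.networks.wireguard.net};` before `deny all;` or drop the WireGuard host entry, and record why the OIDC layer went away (`# OIDC gate removed: relies on Jellyfin's own auth, reachable only from LAN/tailnet`). The `nginx.virtualHosts` block begins above this hunk.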
@@ -14,13 +16,13 @@ in nginx.virtualHosts.${domain} = { forceSSL = true; enableACME = true; - locations."/" = { proxyPass = "http://127.0.0.1:9090"; }; + locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.libreddit.port}"; }; }; }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; } diff --git a/hosts/architect/lidarr.nix b/hosts/architect/lidarr.nix index 15f3a9b..c07bc97 100644 --- a/hosts/architect/lidarr.nix +++ b/hosts/architect/lidarr.nix @@ -1,9 +1,11 @@ -{ lib, ... }: +{ config, lib, ... }: let domain = "htlid.giugl.io"; - network = import ./network.nix; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { @@ -25,10 +27,10 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; - + users.groups.media.members = [ "lidarr" ]; } diff --git a/hosts/architect/matrix.nix b/hosts/architect/matrix.nix index 19feccb..ba13c57 100644 --- a/hosts/architect/matrix.nix +++ b/hosts/architect/matrix.nix @@ -1,9 +1,11 @@ -{ pkgs, lib, ... }: +{ config, pkgs, lib, ... }: let domain = "runas.rocks"; - network = import ./network.nix; db_name = "matrix-synapse-runas.rocks"; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { 
@@ -111,9 +113,8 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; - } diff --git a/hosts/architect/minecraft.nix b/hosts/architect/minecraft.nix index 96a4a35..f2a4f24 100644 --- a/hosts/architect/minecraft.nix +++ b/hosts/architect/minecraft.nix @@ -1,8 +1,10 @@ -{ config, pkgs, ... }: +{ lib, config, pkgs, ... }: let domain = "minecraft.giugl.io"; - network = import ./network.nix; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { architect.firewall.openTCP = [ 25565 ]; @@ -14,10 +16,10 @@ in package = pkgs.unstablePkgs.minecraft-server; serverProperties = { motd = "Welcome on the RuNas server!"; }; }; - + networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; } diff --git a/hosts/architect/minio.nix b/hosts/architect/minio.nix index 6e03f79..174125f 100644 --- a/hosts/architect/minio.nix +++ b/hosts/architect/minio.nix @@ -1,8 +1,10 @@ -{ lib, ... }: +{ config, lib, ... }: let domain = "s3.giugl.io"; - network = import ./network.nix; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { 
@@ -15,18 +17,17 @@ in proxyPass = "http://127.0.0.1:9000"; extraConfig = '' client_max_body_size 500M; - allow 10.0.0.0/24; - ${lib.concatMapStrings (x: "allow ${x};") network.gdevices } - allow ${network.manduria-wg}; + allow ${config.architect.networks.lan.net}; + allow ${config.architect.networks.tailscale.net}; deny all; ''; }; }; }; - + networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; } diff --git a/hosts/architect/nextcloud.nix b/hosts/architect/nextcloud.nix index 1350744..000ead5 100644 --- a/hosts/architect/nextcloud.nix +++ b/hosts/architect/nextcloud.nix @@ -1,12 +1,19 @@ -{ pkgs, ... }: +{ pkgs, config, lib, ... }: let domain = "cloud.giugl.io"; - network = import ./network.nix; redis_port = 6379; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { + nginx.virtualHosts.${domain} = { + forceSSL = true; + enableACME = true; + }; + mysql = { enable = true; package = pkgs.unstablePkgs.mysql80; @@ -53,13 +60,9 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; - services.nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - }; } diff --git a/hosts/architect/nginx.nix b/hosts/architect/nginx.nix index 18817f3..d1d2e2c 100644 --- a/hosts/architect/nginx.nix +++ b/hosts/architect/nginx.nix @@ -90,5 +90,6 @@ worker_processes 24; ''; }; + users.groups.acme.members = [ "nginx" ]; } diff --git a/hosts/architect/nzbget.nix b/hosts/architect/nzbget.nix index 07fedfe..d83280f 100644 
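Review bot: The minio `allow` list widens from five named `gdevices` plus `manduria-wg` to the entire `tailscale.net`, which is a much broader trust boundary for an S3 endpoint than the previous per-host allowlist, and as with the other services in this patch `wireguard.net` is still placed in `extraHosts` while nginx denies it. If per-host allowlisting is still wanted, the old form can be rebuilt from the new attrset, e.g. `${lib.concatMapStrings (x: "allow ${x};") (map (d: d.address) (builtins.attrValues config.architect.networks.tailscale.devices))}`, or a comment can state that whole-tailnet access is the intended policy. The `locations."/"` block opens above this hunk.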
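Review bot: The nginx.nix hunk adds `users.groups.acme.members = [ "nginx" ];` with no explanation; as far as this hunk shows, that gives the nginx user read access to every certificate and key under the ACME state directory, not only the ones nginx itself serves. If that is the intent, a comment such as `# nginx reads ACME certs for all virtual hosts; whole acme group, not per-cert ownership` would make the scope explicit; if only nginx-terminated hosts need it, per-certificate `security.acme.certs.<name>.group` is the narrower option. Whether the NixOS nginx module already arranges this for `enableACME` hosts isn't visible here, so the line may be redundant as well.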
--- a/hosts/architect/nzbget.nix +++ b/hosts/architect/nzbget.nix @@ -1,9 +1,11 @@ -{ lib, ... }: +{ config, lib, ... }: let domain = "htnzb.giugl.io"; - network = import ./network.nix; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { @@ -25,9 +27,9 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; users.groups.media.members = [ "nzbget" ]; diff --git a/hosts/architect/plex.nix b/hosts/architect/plex.nix index b7e1e3e..bfaaee4 100644 --- a/hosts/architect/plex.nix +++ b/hosts/architect/plex.nix @@ -1,9 +1,11 @@ -{ pkgs, lib, ... }: +{ pkgs, config, lib, ... }: let domain = "plex.giugl.io"; - network = import ./network.nix; port = 32400; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { architect.firewall = { @@ -86,11 +88,11 @@ in locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; }; }; }; - + networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; users.groups.media.members = [ "plex" ]; diff --git a/hosts/architect/prosody.nix b/hosts/architect/prosody.nix index d9a257a..d5c8302 100644 --- a/hosts/architect/prosody.nix +++ b/hosts/architect/prosody.nix 
@@ -4,7 +4,9 @@ let domain = "xmpp.giugl.io"; conference_domain = "conference.${domain}"; upload_domain = "uploads.${domain}"; - network = import ./network.nix; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { architect.firewall = { @@ -42,9 +44,9 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; users.groups = { diff --git a/hosts/architect/prowlarr.nix b/hosts/architect/prowlarr.nix index 17fdeba..ad5b8e8 100644 --- a/hosts/architect/prowlarr.nix +++ b/hosts/architect/prowlarr.nix @@ -1,8 +1,10 @@ -{ lib, ... }: +{ config, lib, ... }: let domain = "htpro.giugl.io"; - network = import ./network.nix; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { @@ -14,8 +16,8 @@ in locations."/" = { proxyPass = "http://127.0.0.1:9696"; extraConfig = '' - allow 10.0.0.0/24; - ${lib.concatMapStrings (x: "allow ${x};") network.gdevices} + allow ${config.architect.networks.lan.net}; + allow ${config.architect.networks.tailscale.net}; deny all; ''; }; @@ -29,11 +31,11 @@ in # }; }; }; - + networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; users.groups.media.members = [ "prowlarr" ]; diff --git a/hosts/architect/radarr.nix b/hosts/architect/radarr.nix index 0d042d0..15748e6 100644 --- a/hosts/architect/radarr.nix +++ b/hosts/architect/radarr.nix 
@@ -1,9 +1,11 @@ -{ lib, ... }: +{ config, lib, ... }: let domain = "htrad.giugl.io"; - network = import ./network.nix; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { @@ -24,10 +26,11 @@ in }; }; + networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; users.groups.media.members = [ "radarr" ]; diff --git a/hosts/architect/runas.nix b/hosts/architect/runas.nix index 99eb081..2bcc112 100644 --- a/hosts/architect/runas.nix +++ b/hosts/architect/runas.nix @@ -1,14 +1,17 @@ -{ services, pkgs, lib, makeBinPath, ... }: +{ config, pkgs, lib, ... }: + let domain = "runas.rocks"; runas_root = "/var/lib/runas.rocks/dist"; service_name = "runas.rocks-pull"; - network = import ./network.nix; mkStartScript = name: pkgs.writeShellScript "${name}.sh" '' set -euo pipefail cd ${runas_root} git pull origin main --rebase ''; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services.nginx.virtualHosts.${domain} = { @@ -39,8 +42,8 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; } diff --git a/hosts/architect/sonarr.nix b/hosts/architect/sonarr.nix index 93c5aa1..42874e8 100644 --- a/hosts/architect/sonarr.nix +++ b/hosts/architect/sonarr.nix 
@@ -1,9 +1,11 @@ -{ lib, ... }: +{ config, lib, ... }: let domain = "htson.giugl.io"; - network = import ./network.nix; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { @@ -25,9 +27,9 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; users.groups.media.members = [ "sonarr" ]; diff --git a/hosts/architect/tailscale.nix b/hosts/architect/tailscale.nix index aaa5b14..4b79313 100644 --- a/hosts/architect/tailscale.nix +++ b/hosts/architect/tailscale.nix @@ -2,9 +2,9 @@ let domain = "devs.giugl.io"; - # device.address device.hostname - generateDeviceStrings = devices: lib.concatStringsSep "\n" - (lib.mapAttrsToList (name: device: "${device.address} ${device.hostname}") devices); + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) generateDeviceStrings; in { architect = { diff --git a/hosts/architect/utilities.nix b/hosts/architect/utilities.nix new file mode 100644 index 0000000..b61bd7f --- /dev/null +++ b/hosts/architect/utilities.nix @@ -0,0 +1,13 @@ +{ config, lib, ... }: + +{ + # device.address device.hostname + generateDeviceStrings = devices: lib.concatStringsSep "\n" + (lib.mapAttrsToList (name: device: "${device.address} ${device.hostname}") devices); + + getDeviceAddress = interface: device: + config.architect.networks.${interface}.devices.${device}.address; + + architectInterfaceAddress = interface: + config.architect.networks.${interface}.devices.architect.address; +} diff --git a/hosts/architect/wireguard.nix b/hosts/architect/wireguard.nix index d85743e..d793151 100644 --- a/hosts/architect/wireguard.nix 
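Review bot: The new utilities.nix has no header comment, and its helpers abort evaluation with an "attribute missing" error when an interface or device name is unknown; that is the fail-closed behaviour the firewall lists need, but callers should know it is strict rather than yielding an empty address. Add above `generateDeviceStrings`: `# Helpers over config.architect.networks. Lookups are strict: an unknown interface or device aborts evaluation instead of returning an empty string.` It would also be worth a line saying the file is a plain function `{ config, lib, ... }:` meant to be used as `import ./utilities.nix { inherit lib config; }`, not a NixOS module to list under `imports`.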
+++ b/hosts/architect/wireguard.nix @@ -4,11 +4,11 @@ let listenPort = 1194; domain = "devs.giugl.io"; interface = "wireguard"; - # device.address device.hostname - generateDeviceStrings = devices: lib.concatStringsSep "\n" - (lib.mapAttrsToList (name: device: "${device.address} ${device.hostname}") devices); - getDeviceAddress = device: - config.architect.networks.${interface}.devices.${device}.address; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) generateDeviceStrings getDeviceAddress; + + getWireguardDeviceAddress = getDeviceAddress "wireguard"; in { architect = { 
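Review bot: `getWireguardDeviceAddress = getDeviceAddress "wireguard";` repeats the interface name as a literal while the same `let` block already binds `interface = "wireguard";` (visible two lines above the removed helper); using `getDeviceAddress interface` keeps the peer `allowedIPs` tied to the interface this file actually configures. Style only — behaviour is identical as long as the two strings agree, which is exactly the invariant the rename makes easy to break.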
@@ -65,150 +65,150 @@ in peers = [ { # Antonio - allowedIPs = [ (getDeviceAddress "antonio") ]; + allowedIPs = [ (getWireguardDeviceAddress "antonio") ]; publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc="; } { # GBEAST - allowedIPs = [ (getDeviceAddress "gbeast") ]; + allowedIPs = [ (getWireguardDeviceAddress "gbeast") ]; publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI="; } { # shield - allowedIPs = [ (getDeviceAddress "shield") ]; + allowedIPs = [ (getWireguardDeviceAddress "shield") ]; publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs="; } { # salvatore - allowedIPs = [ (getDeviceAddress "salvatore") ]; + allowedIPs = [ (getWireguardDeviceAddress "salvatore") ]; publicKey = "fhlnBHeMyHZKLUCTSA9kmkKoM5x/qzz/rnCJrUh3Gzs="; } { # papa - allowedIPs = [ (getDeviceAddress "papa") ]; + allowedIPs = [ (getWireguardDeviceAddress "papa") ]; publicKey = "oGHygt02Oni3IFbScKD0NVEfHKCp6bpw68aq5g4RrAA="; } { # defy - allowedIPs = [ (getDeviceAddress "defy") ]; + allowedIPs = [ (getWireguardDeviceAddress "defy") ]; publicKey = "Cvi/eto7E6Ef+aiL81ou7x12fJCeuXrf/go9fxEqXG4="; } { # germano - allowedIPs = [ (getDeviceAddress "germano") ]; + allowedIPs = [ (getWireguardDeviceAddress "germano") ]; publicKey = "LJ0DHY1sFVLQb3ngUGGH0HxbDOPb9KCUPSaYcjr5Uiw="; } { # flavio - allowedIPs = [ (getDeviceAddress "flavio") ]; + allowedIPs = [ (getWireguardDeviceAddress "flavio") ]; publicKey = "Yg0P+yHi/9SZHyoel8jT9fmmu+irLYmT8yMp/CZoaSg="; } { # alain - allowedIPs = [ (getDeviceAddress "alain") ]; + allowedIPs = [ (getWireguardDeviceAddress "alain") ]; publicKey = "/o2msFJoUL4yovcIQJTU8c1faFtekrjSBBWJABouWno="; } { # dima - allowedIPs = [ (getDeviceAddress "dima") ]; + allowedIPs = [ (getWireguardDeviceAddress "dima") ]; publicKey = "svzWYIZ6v+cLCp/emGG7mx2YpBJqw2fqjVuHZy7b6H0="; } { # mikey - allowedIPs = [ (getDeviceAddress "mikey") ]; + allowedIPs = [ (getWireguardDeviceAddress "mikey") ]; publicKey = "ewbDdX3z7nxG2aPIf9TogXkhxPlGipLFcy6XfyDC6gI="; } { # andrew - 
allowedIPs = [ (getDeviceAddress "andrew") ]; + allowedIPs = [ (getWireguardDeviceAddress "andrew") ]; publicKey = "LP/FgST9fmBQSoKQFq9sFGvjRFOtRooMcuEcjuqaoWM="; } { # mikey laptop - allowedIPs = [ (getDeviceAddress "mikeylaptop") ]; + allowedIPs = [ (getWireguardDeviceAddress "mikeylaptop") ]; publicKey = "kz/pY/PgV+dwF1JZ2It4r5B5QfRSQM7HkbFCdvd5Yxk="; } { # andrew desktop - allowedIPs = [ (getDeviceAddress "andrewdesktop") ]; + allowedIPs = [ (getWireguardDeviceAddress "andrewdesktop") ]; publicKey = "rpYr3JNLIzxpxzFuQuaHFEl/XvPEPfwLbDETBP8KYXI="; } { # laptop desktop - allowedIPs = [ (getDeviceAddress "jacopo") ]; + allowedIPs = [ (getWireguardDeviceAddress "jacopo") ]; publicKey = "W/taWI79bPIKOolVVu5xZfiJnPw9K91Xn1zhcM0+4g0="; } { # frznn - allowedIPs = [ (getDeviceAddress "frznn") ]; + allowedIPs = [ (getWireguardDeviceAddress "frznn") ]; publicKey = "dXcrdME6VnnE5PBYwvUmayf7cn2wpcExeCR9gIXOO0o="; } { # ludo - allowedIPs = [ (getDeviceAddress "ludo") ]; + allowedIPs = [ (getWireguardDeviceAddress "ludo") ]; publicKey = "ecrxdzx7tQZwMPxZOjHUvxZT2xY79B6XEDIW+fhEtEM="; } { # parina - allowedIPs = [ (getDeviceAddress "parina") ]; + allowedIPs = [ (getWireguardDeviceAddress "parina") ]; publicKey = "7nubNnfGsg4/7KemMDn9r99mNK8RFU9uOFFqaYv6rUA="; } { # nilo - allowedIPs = [ (getDeviceAddress "nilo") ]; + allowedIPs = [ (getWireguardDeviceAddress "nilo") ]; publicKey = "lhTEDJ9WnizvEHTd5kN21fTHF27HNk+fPLQnB1B3LW0="; } { # parina ipad - allowedIPs = [ (getDeviceAddress "parina-ipad") ]; + allowedIPs = [ (getWireguardDeviceAddress "parina-ipad") ]; publicKey = "ezkCzl2qC7Hd7rFKfqMa0JXDKRhVqy79H52rA06x7mU="; } { # kcl vm - allowedIPs = [ (getDeviceAddress "kclvm") ]; + allowedIPs = [ (getWireguardDeviceAddress "kclvm") ]; publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE="; } { - allowedIPs = [ (getDeviceAddress "framecca") ]; + allowedIPs = [ (getWireguardDeviceAddress "framecca") ]; publicKey = "w0XPu5GcDA2vpNk3KCFRdWNVVQHRtAPApEsK1h3Ovyk="; } { - allowedIPs 
= [ (getDeviceAddress "framecca_one") ]; + allowedIPs = [ (getWireguardDeviceAddress "framecca_one") ]; publicKey = "5PnmExv78fU3SS8liUWY/oBCcJ48wzmz/70O0U7K/xs="; } { - allowedIPs = [ (getDeviceAddress "framecca_two") ]; + allowedIPs = [ (getWireguardDeviceAddress "framecca_two") ]; publicKey = "FbWfh2rL3OYLTDIte+MgctqL/bphn38eqpNy/chc3wM="; } { - allowedIPs = [ (getDeviceAddress "framecca_three") ]; + allowedIPs = [ (getWireguardDeviceAddress "framecca_three") ]; publicKey = "Z3LRFs6CO0kUh4J3pf+HcPsWch3hUAwJBG8/b0Kqnxs="; } { - allowedIPs = [ (getDeviceAddress "framecca_four") ]; + allowedIPs = [ (getWireguardDeviceAddress "framecca_four") ]; publicKey = "g/Ta12igzxSlCxy7KP865qf+l3+r1LjOo6UXjulmPBc="; } ]; From 3840386d32fdcc8ef747ee769285179908a15c49 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Sat, 13 May 2023 00:53:03 +0200 Subject: [PATCH 21/62] dns: do not expand hosts --- hosts/architect/dns.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/hosts/architect/dns.nix b/hosts/architect/dns.nix index f2a1473..fb6fd01 100644 --- a/hosts/architect/dns.nix +++ b/hosts/architect/dns.nix @@ -18,7 +18,6 @@ in min-cache-ttl=120 max-cache-ttl=2400 - expand-hosts domain=runas.rocks domain=giugl.io domain=devs.runas.rocks From 4eca8e4bb57ff22fb0dd97cd30abdad90ddcfef6 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Sat, 13 May 2023 00:53:17 +0200 Subject: [PATCH 22/62] plex: disabled --- hosts/architect/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix index 193076d..2d2c1a0 100644 --- a/hosts/architect/default.nix +++ b/hosts/architect/default.nix @@ -42,7 +42,7 @@ in # ./runas.nix ./tailscale.nix # ./searx.nix - ./plex.nix + #./plex.nix ./headscale.nix ]; @@ -117,6 +117,7 @@ in wlp4s0.useDHCP = false; }; extraHosts = (generateDeviceStrings config.architect.networks.lan.devices) + '' + # Blacklist 0.0.0.0 metrics.plex.tv 0.0.0.0 analytics.plex.tv 
From ccd57040df002669e4739442c436369ea6b463b7 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Sat, 13 May 2023 00:54:24 +0200 Subject: [PATCH 23/62] tailscale: use unstable pkg --- hosts/architect/tailscale.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/architect/tailscale.nix b/hosts/architect/tailscale.nix index 4b79313..8feedf2 100644 --- a/hosts/architect/tailscale.nix +++ b/hosts/architect/tailscale.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ pkgs, config, lib, ... }: let domain = "devs.giugl.io"; @@ -31,6 +31,7 @@ in tailscale = { enable = true; interfaceName = config.architect.networks.tailscale.interface; + package = pkgs.unstablePkgs.tailscale; }; }; From 6d51a10659004e12801b2b4e20a79a4be51eba16 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Sat, 13 May 2023 14:10:40 +0200 Subject: [PATCH 24/62] headscale: DO NOT bind vipienne.giugl.io to avoid in-vpn lock --- hosts/architect/headscale.nix | 29 +++++++++-------------------- 1 file changed, 9 insertions(+), 20 deletions(-) diff --git a/hosts/architect/headscale.nix b/hosts/architect/headscale.nix index c9f11b3..7afa411 100644 --- a/hosts/architect/headscale.nix +++ b/hosts/architect/headscale.nix @@ -2,21 +2,12 @@ let domain = "vipienne.giugl.io"; - - utilities = import ./utilities.nix { inherit lib config; }; - inherit (utilities) architectInterfaceAddress; in { architect.firewall = { - openTCP = [ config.services.headscale.port ]; + openUDP = [ config.services.tailscale.port ]; }; - networking.extraHosts = '' - ${architectInterfaceAddress "lan"} ${domain} - ${architectInterfaceAddress "wireguard"} ${domain} - ${architectInterfaceAddress "tailscale"} ${domain} - ''; - environment.systemPackages = [ pkgs.unstablePkgs.headscale ]; services = { 
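Review bot: `openUDP = [ config.services.tailscale.port ];` places the firewall rule for the local Tailscale client in the headscale (control-server) module, so commenting out `./headscale.nix` in default.nix — as this series already does for plex.nix and gitea.nix — would also close the client's UDP port without any visible link between the two. Keeping the rule next to `services.tailscale` in tailscale.nix, or at least annotating it here with `# Tailscale *client* port, not headscale; see tailscale.nix`, keeps the lifecycles separate. Dropping `config.services.headscale.port` from `openTCP` is consistent with the nginx proxy to 127.0.0.1 below, although headscale itself still binds `address = "0.0.0.0"` later in this file, so the closed port is what keeps it private.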
@@ -30,21 +21,12 @@ in settings = { dns_config = { magic_dns = true; - domains = [ - "giugl.io" - "runas.rocks" - "devs.giugl.io" - ]; base_domain = "giugl.io"; override_local_dns = true; nameservers = [ config.architect.networks.tailscale.devices.architect.address ]; }; logtail.enabled = false; ip_prefixes = [ config.architect.networks.tailscale.net ]; - # The Noise private key is used to encrypt the - # traffic between headscale and Tailscale clients when - # using the new Noise-based protocol. It must be different - # from the legacy private key. noise.private_key_path = "/var/lib/headscale/noise_private.key"; }; }; @@ -52,12 +34,19 @@ in nginx.virtualHosts.${domain} = { forceSSL = true; enableACME = true; + extraConfig = '' + ssl_protocols TLSv1.2 TLSv1.3; + ''; locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}"; proxyWebsockets = true; + recommendedProxySettings = true; + extraConfig = '' + proxy_buffering off; + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; + ''; }; }; - }; } From aa9d2a5e03ea5c55f908c14865779c718ea67331 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Sat, 13 May 2023 14:11:07 +0200 Subject: [PATCH 25/62] tailscale: remove openUDP (moved to headscale) --- hosts/architect/tailscale.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/hosts/architect/tailscale.nix b/hosts/architect/tailscale.nix index 8feedf2..014aad0 100644 --- a/hosts/architect/tailscale.nix +++ b/hosts/architect/tailscale.nix @@ -8,8 +8,6 @@ let in { architect = { - firewall.openUDP = [ config.services.tailscale.port ]; - networks.tailscale = { interface = "ts0"; net = "100.64.0.0/10"; From 4dde4f68d8ea0eefc4605c22c22eef3879646c6e Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 15 May 2023 19:50:51 +0200 Subject: [PATCH 26/62] Update lock --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
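Review bot: The `add_header Strict-Transport-Security ...` placed in `locations."/".extraConfig` stops nginx from inheriting any `add_header` defined at the server or http level for that location, because nginx only inherits `add_header` when the current level defines none; headers set globally in nginx.nix (not visible here) would therefore be dropped for `/`. Moving the line up into the vhost-level `extraConfig`, next to `ssl_protocols TLSv1.2 TLSv1.3;`, avoids that while keeping `always`. The `ssl_protocols` line is presumably redundant with `services.nginx.sslProtocols`, which the NixOS module already emits at the http level with the same value; if the intent is to pin protocols for every vhost, that option is the place to do it.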
diff --git a/flake.lock b/flake.lock index 0563a19..f581dff 100644 --- a/flake.lock +++ b/flake.lock @@ -24,11 +24,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1683893492, - "narHash": "sha256-9sINNV7J26/afioFhS0vGrZ2zQHg1eBWE3lesBedyhI=", + "lastModified": 1684171979, + "narHash": "sha256-KfIpmlqCCtY/T8mWQOkucv4LrYAgIXho6QJOwl2md3g=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0ad4e41995ef6566cdd8477c132884411b7399a2", + "rev": "10092e14180fdff037aea3a14ad3faeaf6950ac1", "type": "github" }, "original": { @@ -40,11 +40,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1683627095, - "narHash": "sha256-8u9SejRpL2TrMuHBdhYh4FKc1OGPDLyWTpIbNTtoHsA=", + "lastModified": 1683928319, + "narHash": "sha256-maz0DRKixJVcNRMiAMWlJniiF8IuQ+WbfmlJJ8D+jfM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a08e061a4ee8329747d54ddf1566d34c55c895eb", + "rev": "9656e85a15a0fe67847ee8cdb99a20d8df499962", "type": "github" }, "original": { From 84df2e348dfe6bf140c1db7813943dd3b315a477 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 15 May 2023 19:51:50 +0200 Subject: [PATCH 27/62] architect: removed network.nix --- hosts/architect/network.nix | 66 ------------------------------------- 1 file changed, 66 deletions(-) delete mode 100644 hosts/architect/network.nix diff --git a/hosts/architect/network.nix b/hosts/architect/network.nix deleted file mode 100644 index 05fa061..0000000 --- a/hosts/architect/network.nix +++ /dev/null 
@@ -1,66 +0,0 @@
-rec {
- # interfaces
- wan-if = "enp5s0";
- vpn-if = "wg0";
- proxy-if = "proxy";
- docker-if = "docker0";
- tailscale-if = "ts0";
-
- # nets
- lan-net = "10.0.0.0/24";
- vpn-net = "10.3.0.0/24";
- external_lan-net = "192.168.1.0/24";
- docker-net = "172.17.0.0/16";
-# tailscale-net = "100.64.0.0/10";
- tailscale-net = "10.4.0.0/24";
-
- # ips
- router-lan = "10.0.0.1";
- dvr-lan = "10.0.0.2";
- nas-lan = "10.0.0.3";
- architect-lan = "10.0.0.250";
-
- architect-wg = "10.3.0.1";
- manduria-wg = "10.3.0.5";
- antonio-wg = "10.3.0.6";
- gbeast-wg = "10.3.0.7";
- shield-wg = "10.3.0.12";
- salvatore-wg = "10.3.0.16";
- papa-wg = "10.3.0.17";
- defy-wg = "10.3.0.18";
- germano-wg = "10.3.0.19";
- flavio-wg = "10.3.0.20";
- tommy-wg = "10.3.0.21";
- alain-wg = "10.3.0.22";
- dima-wg = "10.3.0.23";
- mikey-wg = "10.3.0.24";
- andrew-wg = "10.3.0.25";
- mikeylaptop-wg = "10.3.0.26";
- andrewdesktop-wg = "10.3.0.27";
- jacopo-wg = "10.3.0.28";
- frznn-wg = "10.3.0.29";
- ludo-wg = "10.3.0.30";
- parina-wg = "10.3.0.31";
- nilo-wg = "10.3.0.32";
- parina-ipad-wg = "10.3.0.33";
- kclvm-wg = "10.3.0.34";
- framecca-wg = "10.3.0.35";
-
- framecca_one-wg = "10.3.0.36";
- framecca_two-wg = "10.3.0.37";
- framecca_three-wg = "10.3.0.38";
- framecca_four-wg = "10.3.0.39";
-
- giuliophone-ts = "100.68.68.46";
-# architect-ts = "100.67.205.28";
- architect-ts = "10.4.0.2";
- giuliopc-ts = "100.124.78.64";
- dodino-ts = "100.106.244.35";
-
- framecca-devices = [ framecca-wg framecca_one-wg framecca_three-wg framecca_four-wg ];
- c2c-wg = framecca-devices;
-
- # groups
- gdevices = [ giuliophone-ts architect-ts giuliopc-ts dodino-ts ];
- towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg ] ++ framecca-devices;
-}
From 08c898ed46067286a859a706b96d45ff4dd50bc1 Mon Sep 17 00:00:00 2001
From: Giulio De Pasquale Date: Sun, 28 May 2023 00:16:46 +0200 Subject: [PATCH 28/62] Initial move to 23.05 --- flake.lock | 34 ++++--------- flake.nix | 4 +- hosts/architect/default.nix | 16 +++++-- hosts/architect/dns.nix | 56 ++++++---------------- hosts/architect/gitea.nix | 4 +- hosts/architect/headscale.nix | 7 +-- hosts/architect/nginx.nix | 90 +++++++++++++++++------------------ hosts/architect/openid.nix | 84 ++++++++++++++++---------------- hosts/architect/tailscale.nix | 3 +- lib/host.nix | 5 +- roles/common.nix | 6 ++- roles/home/common.nix | 2 +- roles/home/helix.nix | 2 +- 13 files changed, 140 insertions(+), 173 deletions(-) diff --git a/flake.lock b/flake.lock index f581dff..8fe4a37 100644 --- a/flake.lock +++ b/flake.lock @@ -4,20 +4,19 @@ "inputs": { "nixpkgs": [ "nixpkgs" - ], - "utils": "utils" + ] }, "locked": { - "lastModified": 1681092193, - "narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=", + "lastModified": 1685189510, + "narHash": "sha256-Hq5WF7zIixojPgvhgcd6MBvywwycVZ9wpK/8ogOyoaA=", "owner": "nix-community", "repo": "home-manager", - "rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af", + "rev": "2d963854ae2499193c0c72fd67435fee34d3e4fd", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-22.11", + "ref": "master", "repo": "home-manager", "type": "github" } @@ -40,16 +39,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1683928319, - "narHash": "sha256-maz0DRKixJVcNRMiAMWlJniiF8IuQ+WbfmlJJ8D+jfM=", + "lastModified": 1685004253, + "narHash": "sha256-AbVL1nN/TDicUQ5wXZ8xdLERxz/eJr7+o8lqkIOVuaE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9656e85a15a0fe67847ee8cdb99a20d8df499962", + "rev": "3e01645c40b92d29f3ae76344a6d654986a91a91", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-22.11", + "ref": "nixos-23.05", "repo": "nixpkgs", "type": "github" } 
@@ -60,21 +59,6 @@ "nixos-unstable": "nixos-unstable", "nixpkgs": "nixpkgs" } - }, - "utils": { - "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 62fd26e..90c5aca 100644 --- a/flake.nix +++ b/flake.nix @@ -1,9 +1,9 @@ { inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05"; nixos-unstable.url = "github:NixOS/nixpkgs/master"; home-manager = { - url = "github:nix-community/home-manager/release-22.11"; + url = "github:nix-community/home-manager/master"; inputs.nixpkgs.follows = "nixpkgs"; }; }; diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix index 2d2c1a0..1cc767e 100644 --- a/hosts/architect/default.nix +++ b/hosts/architect/default.nix @@ -5,7 +5,7 @@ let "ssh-rsa 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 giulio@giulio-X230" ]; domain = "devs.giugl.io"; - + utilities = import ./utilities.nix { inherit lib config; }; inherit (utilities) generateDeviceStrings; in @@ -88,6 +88,8 @@ in "memmap=32M$0x4ca6f9478" ]; + kernelPackages = pkgs.linuxPackages; + kernel.sysctl = { "net.ipv4.ip_forward" = 1; }; loader = { @@ -100,7 +102,7 @@ in supportedFilesystems = [ "zfs" ]; zfs.requestEncryptionCredentials = true; - tmpOnTmpfsSize = "50%"; + tmp.tmpfsSize = "50%"; }; networking = with config.architect.networks.lan; { @@ -151,8 +153,12 @@ in xserver.videoDrivers = [ "nvidia" ]; openssh = { enable = true; - passwordAuthentication = false; - kbdInteractiveAuthentication = false; + + settings = { + passwordAuthentication = false; + kbdInteractiveAuthentication = false; + + }; extraConfig = '' MaxAuthTries 15 ''; 
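Review bot: `home-manager` is moved to `github:nix-community/home-manager/master` while `nixpkgs` is pinned to the `nixos-23.05` release branch in the same hunk; master is developed against nixpkgs unstable, so with `inputs.nixpkgs.follows = "nixpkgs"` every `nix flake update` can pull a home-manager revision whose options or package expectations no longer match stable nixpkgs. The branch that corresponds to the nixpkgs choice made here is `url = "github:nix-community/home-manager/release-23.05";`. If tracking master is deliberate, a comment on the input saying so would save the next person from "fixing" it.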
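Review bot: The new `settings = { passwordAuthentication = false; kbdInteractiveAuthentication = false; };` uses the old lowercase option names inside `services.openssh.settings`, whereas the 23.05 migration the commit is performing renamed them to the sshd_config keywords `settings.PasswordAuthentication` and `settings.KbdInteractiveAuthentication`. Lowercase keys land in the freeform part of `settings`, so the typed options keep their default of `true` and are rendered alongside; since sshd takes the first value it sees for a keyword, password and keyboard-interactive logins may end up enabled on this host despite the intent. Change the two lines to `PasswordAuthentication = false;` and `KbdInteractiveAuthentication = false;` and confirm with `sshd -T | grep -i passwordauthentication` after deploying. The `openssh` attribute set continues past the hunk with `MaxAuthTries 15`.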
@@ -162,7 +168,7 @@ in environment = { variables = { LIBVA_DRIVER_NAME = "vdpau"; }; - systemPackages = with pkgs; [ cachix ]; + systemPackages = with pkgs; [ cachix linuxPackages.usbip ]; }; } diff --git a/hosts/architect/dns.nix b/hosts/architect/dns.nix index fb6fd01..5d667a8 100644 --- a/hosts/architect/dns.nix +++ b/hosts/architect/dns.nix @@ -1,53 +1,27 @@ { config, pkgs, lib, ... }: -let - adguard_webui_port = 3031; - adguard_dns_port = "5300"; - dnscrypt_listen_port = "5353"; -in { architect.firewall.openUDPVPN = [ 53 ]; services = { dnsmasq = { - enable = true; - # adguard port - servers = [ "127.0.0.1#${adguard_dns_port}" ]; - extraConfig = '' - localise-queries - min-cache-ttl=120 - max-cache-ttl=2400 - - domain=runas.rocks - domain=giugl.io - domain=devs.runas.rocks - domain=devs.giugl.io - ''; - }; - - adguardhome = { - enable = true; - port = adguard_webui_port; - }; - - dnscrypt-proxy2 = { enable = true; settings = { - listen_addresses = [ "127.0.0.1:${dnscrypt_listen_port}" ]; - ipv4_servers = true; - ipv6_servers = false; - block_ipv6 = true; - dnscrypt_servers = true; - doh_servers = true; - require_nolog = true; - require_nofilter = true; - timeout = 350; - lb_strategy = "p4"; - lb_estimator = true; - ignore_system_dns = true; - fallback_resolvers = [ "1.1.1.1:53" "9.9.9.9:53" ]; - cache_min_ttl = 450; - cache_max_ttl = 2400; + server = [ + "45.90.28.77" + "45.90.30.77" + "2a07:a8c0::d6:5174" + "2a07:a8c1::d6:5174" + ]; + localise-queries = true; + min-cache-ttl = 120; + max-cache-ttl = 2400; + domain = [ + "runas.rocks" + "giugl.io" + "devs.runas.rocks" + "devs.giugl.io" + ]; }; }; }; diff --git a/hosts/architect/gitea.nix b/hosts/architect/gitea.nix index 49dd14a..58b0474 100644 --- a/hosts/architect/gitea.nix +++ b/hosts/architect/gitea.nix 
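Review bot: Replacing `dnscrypt-proxy2` with four raw addresses in `server = [ ... ]` means dnsmasq now forwards every query in cleartext on port 53, and the `doh_servers`/`dnscrypt_servers`, `require_nolog` and `require_nofilter` guarantees that the removed block enforced are gone with it; the hunk does not say whether that is intended. The addresses are unexplained in the file (presumably a NextDNS profile, given the title of patch 29), so a comment above the list such as `# NextDNS anycast, plain DNS on :53 — no DoH/DNSCrypt since 23.05` would make the trade-off explicit, and if encryption is still wanted dnsmasq should keep pointing at a local encrypted forwarder instead. Note also that this hunk rewrites the file to blob `5d667a8`, while patch 29 later diffs the same file from the old `fb6fd01` blob, so the two patches do not apply cleanly in the order given.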
@@ -12,11 +12,11 @@ in services.gitea = { enable = true; database.type = "sqlite3"; - domain = domain; appName = "Gitea"; - rootUrl = "https://${domain}"; settings = { server = { + DOMAIN = domain; + ROOT_URL = "https://${domain}"; LFS_START_SERVER = true; SSH_PORT = 22; }; diff --git a/hosts/architect/headscale.nix b/hosts/architect/headscale.nix index 7afa411..1fe0f3b 100644 --- a/hosts/architect/headscale.nix +++ b/hosts/architect/headscale.nix @@ -13,12 +13,13 @@ in services = { headscale = { enable = true; - package = pkgs.unstablePkgs.headscale; + package = pkgs.headscale; port = 1194; address = "0.0.0.0"; - serverUrl = "https://${domain}"; - logLevel = "debug"; + settings = { + server_url = "https://${domain}"; + log.level = "debug"; dns_config = { magic_dns = true; base_domain = "giugl.io"; diff --git a/hosts/architect/nginx.nix b/hosts/architect/nginx.nix index d1d2e2c..3a44116 100644 --- a/hosts/architect/nginx.nix +++ b/hosts/architect/nginx.nix 
@@ -32,59 +32,59 @@ }; }; - appendHttpConfig = - let - extraPureLuaPackages = with pkgs.luajitPackages; [ - lua-resty-openidc - lua-resty-http - lua-resty-session - lua-resty-jwt - lua-resty-openssl - ]; - luaPath = pkg: "${pkg}/share/lua/5.1/?.lua"; - makeLuaPath = lib.concatMapStringsSep ";" luaPath; - in - '' - # https://stackoverflow.com/questions/38931468/nginx-reverse-proxy-error14077438ssl-ssl-do-handshake-failed - proxy_ssl_server_name on; + # appendHttpConfig = + # let + # extraPureLuaPackages = with pkgs.luajitPackages; [ + # lua-resty-openidc + # lua-resty-http + # lua-resty-session + # lua-resty-jwt + # lua-resty-openssl + # ]; + # luaPath = pkg: "${pkg}/share/lua/5.1/?.lua"; + # makeLuaPath = lib.concatMapStringsSep ";" luaPath; + # in + # '' + # # https://stackoverflow.com/questions/38931468/nginx-reverse-proxy-error14077438ssl-ssl-do-handshake-failed + # proxy_ssl_server_name on; - lua_package_path '${makeLuaPath extraPureLuaPackages};;'; - lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; - lua_ssl_verify_depth 5; + # lua_package_path '${makeLuaPath extraPureLuaPackages};;'; + # lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; + # lua_ssl_verify_depth 5; - # cache for OIDC discovery metadata - lua_shared_dict discovery 1m; - lua_shared_dict jwks 1m; + # # cache for OIDC discovery metadata + # lua_shared_dict discovery 1m; + # lua_shared_dict jwks 1m; - # https://github.com/openresty/lua-resty-redis/issues/159 - resolver local=on ipv6=off; + # # https://github.com/openresty/lua-resty-redis/issues/159 + # resolver local=on ipv6=off; - init_worker_by_lua_block { - function check_role (res, role) - if res.user.roles == nil then - return false - end + # init_worker_by_lua_block { + # function check_role (res, role) + # if res.user.roles == nil then + # return false + # end - for _,v in pairs(res.user.roles) do - if string.lower(v) == role then - return true - end - end + # for _,v in pairs(res.user.roles) do + # if 
string.lower(v) == role then + # return true + # end + # end - return false - end + # return false + # end - function is_ip_whitelisted(ip, whitelist) - for _, x in ipairs(whitelist) do - if ip == x then - return true - end - end + # function is_ip_whitelisted(ip, whitelist) + # for _, x in ipairs(whitelist) do + # if ip == x then + # return true + # end + # end - return false - end - } - ''; + # return false + # end + # } + # ''; appendConfig = '' worker_processes 24; diff --git a/hosts/architect/openid.nix b/hosts/architect/openid.nix index cd2fd31..4c6326b 100644 --- a/hosts/architect/openid.nix +++ b/hosts/architect/openid.nix 
@@ -3,46 +3,48 @@ { openresty_oidc_block = { access_role ? "", whitelisted_ips ? [ ] }: '' - access_by_lua_block { - local opts = { - discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration", - client_id = "nginx", - client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8", - logout_path = "/logout", - redirect_after_logout_uri = "/", - redirect_uri = "/redirect_uri", - keepalive = "yes", - accept_none_alg = true, - revoke_tokens_on_logout = true, - -- access token valid for a day - access_token_expires_in = 86400 - } - - ${lib.optionalString (whitelisted_ips != []) '' - local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}} - - if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then - return - end - ''} - - -- call introspect for OAuth 2.0 Bearer Access Token validation - local res, err = require("resty.openidc").authenticate(opts) - - if err then - ngx.status = 403 - ngx.say(err) - ngx.exit(ngx.HTTP_FORBIDDEN) - end - - ${lib.optionalString (access_role != "") '' - if not check_role(res, "${access_role}") then - ngx.status = 401 - ngx.header.content_type = 'text/html'; - ngx.say("You are not authorized to access this page. 
Please contact Er Pepotto.") - ngx.exit(ngx.HTTP_UNAUTHORIZED) - end - ''} - } + ''; + # access_by_lua_block { + # local opts = { + # discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration", + # client_id = "nginx", + # client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8", + # logout_path = "/logout", + # redirect_after_logout_uri = "/", + # redirect_uri = "/redirect_uri", + # keepalive = "yes", + # accept_none_alg = true, + # revoke_tokens_on_logout = true, + # -- access token valid for a day + # access_token_expires_in = 86400 + # } + + # ${lib.optionalString (whitelisted_ips != []) '' + # local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}} + + # if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then + # return + # end + # ''} + + # -- call introspect for OAuth 2.0 Bearer Access Token validation + # local res, err = require("resty.openidc").authenticate(opts) + + # if err then + # ngx.status = 403 + # ngx.say(err) + # ngx.exit(ngx.HTTP_FORBIDDEN) + # end + + # ${lib.optionalString (access_role != "") '' + # if not check_role(res, "${access_role}") then + # ngx.status = 401 + # ngx.header.content_type = 'text/html'; + # ngx.say("You are not authorized to access this page. Please contact Er Pepotto.") + # ngx.exit(ngx.HTTP_UNAUTHORIZED) + # end + # ''} + # } + # ''; } diff --git a/hosts/architect/tailscale.nix b/hosts/architect/tailscale.nix index 014aad0..77692ad 100644 --- a/hosts/architect/tailscale.nix +++ b/hosts/architect/tailscale.nix @@ -21,6 +21,7 @@ in tommy = { address = "100.64.0.7"; hostname = "tommy.${domain}"; }; ucsb-workstation = { address = "100.64.0.8"; hostname = "ucsb-workstation.${domain}"; }; alfredo = { address = "100.64.0.9"; hostname = "alfredo.${domain}"; }; + parallels = { address = "100.64.0.3"; hostname = "parallels.${domain}"; }; }; }; }; 
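Review bot: `openresty_oidc_block` now evaluates to the empty string `''` for every caller, so any vhost that still splices `auth_block` into its nginx config (sonarr.nix imports it earlier in this series) is served with no `access_by_lua_block` at all, and there is no evaluation-time hint that authentication has been dropped. Until the OpenResty/Lua path is restored, failing closed is safer: `openresty_oidc_block = { access_role ? "", whitelisted_ips ? [ ] }: throw "OIDC auth block disabled during the 23.05 migration";` (or `lib.warn` with a `deny all;` body) turns the regression into a build error rather than an open service. The commented copy also keeps the literal `client_secret` in the tree; it was already committed in plaintext, so it should be rotated and read from a file outside the repository when this block comes back, and `accept_none_alg = true` deserves a second look at the same time.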
@@ -29,7 +30,7 @@ in tailscale = { enable = true; interfaceName = config.architect.networks.tailscale.interface; - package = pkgs.unstablePkgs.tailscale; + package = pkgs.tailscale; }; }; diff --git a/lib/host.nix b/lib/host.nix index a6f5105..7ec6ed9 100644 --- a/lib/host.nix +++ b/lib/host.nix @@ -38,10 +38,7 @@ useGlobalPkgs = true; }; - system.stateVersion = "22.11"; - - environment.shells = [ pkgs.zsh ]; - users.defaultUserShell = pkgs.zsh; + system.stateVersion = "23.05"; } home-manager.nixosModules.home-manager diff --git a/roles/common.nix b/roles/common.nix index ccfe52a..1987fad 100644 --- a/roles/common.nix +++ b/roles/common.nix @@ -1,7 +1,9 @@ { config, pkgs, lib, ... }: { - boot.tmpOnTmpfs = true; + boot.tmp = { + useTmpfs = true; + }; console = { keyMap = "us"; @@ -41,7 +43,6 @@ glances tcpdump restic - neovim tmux parted unzip @@ -50,5 +51,6 @@ nmap ripgrep jq + helix ]; } diff --git a/roles/home/common.nix b/roles/home/common.nix index 8b5128d..e65c744 100644 --- a/roles/home/common.nix +++ b/roles/home/common.nix @@ -14,6 +14,6 @@ ] ++ lib.optional (!stdenv.isDarwin) pastebinit; - stateVersion = "22.11"; + stateVersion = "23.05"; }; } diff --git a/roles/home/helix.nix b/roles/home/helix.nix index b305f77..cb90d35 100644 --- a/roles/home/helix.nix +++ b/roles/home/helix.nix @@ -118,7 +118,7 @@ nodePackages.vscode-langservers-extracted nodePackages.typescript nodePackages.svelte-language-server - swiProlog +# swiProlog nixpkgs-fmt ]; }; From 229e92222e2cfd2543d5fadf106a5553adb2d666 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Sun, 28 May 2023 06:22:56 +0200 Subject: [PATCH 29/62] architect: switch to nextdns --- hosts/architect/dns.nix | 53 +++++++++++++++++++++-------------------- 1 file changed, 27 insertions(+), 26 deletions(-) diff --git a/hosts/architect/dns.nix b/hosts/architect/dns.nix index fb6fd01..9a9a638 100644 --- a/hosts/architect/dns.nix +++ b/hosts/architect/dns.nix 
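Review bot: `system.stateVersion` is bumped from `"22.11"` to `"23.05"` in the shared lib/host.nix module (and `home.stateVersion` likewise in roles/home/common.nix), yet the option's own documentation says it should keep the value from the host's first install; as the option's warning notes, several NixOS modules derive stateful on-disk defaults from it, so for an already-deployed host such as architect the bump can change defaults underneath existing data. If the bump is deliberate, a comment such as `# bumped from 22.11 on 2023-05-28 after checking stateVersion-dependent defaults` records that; otherwise leave the old value while moving to 23.05. Removing `environment.shells`/`users.defaultUserShell` in the same hunk is a separate behaviour change the commit message does not mention.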
@@ -1,18 +1,40 @@ { config, pkgs, lib, ... }: let - adguard_webui_port = 3031; - adguard_dns_port = "5300"; - dnscrypt_listen_port = "5353"; + adguard_dns_port = 5300; + domain = "adguard.architect.devs.giugl.io"; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { architect.firewall.openUDPVPN = [ 53 ]; + networking.extraHosts = '' + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} + ''; + services = { + nginx.virtualHosts.${domain} = { + forceSSL = true; + enableACME = true; + extraConfig = '' + allow ${config.architect.networks.lan.net}; + allow ${config.architect.networks.tailscale.net}; + deny all; + ''; + + locations."/" = { + proxyPass = "http://127.0.0.1:${toString config.services.adguardhome.port}"; + }; + }; + dnsmasq = { enable = true; # adguard port - servers = [ "127.0.0.1#${adguard_dns_port}" ]; + servers = [ "127.0.0.1#${toString adguard_dns_port}" ]; extraConfig = '' localise-queries min-cache-ttl=120 @@ -27,28 +49,7 @@ in adguardhome = { enable = true; - port = adguard_webui_port; - }; - - dnscrypt-proxy2 = { - enable = true; - settings = { - listen_addresses = [ "127.0.0.1:${dnscrypt_listen_port}" ]; - ipv4_servers = true; - ipv6_servers = false; - block_ipv6 = true; - dnscrypt_servers = true; - doh_servers = true; - require_nolog = true; - require_nofilter = true; - timeout = 350; - lb_strategy = "p4"; - lb_estimator = true; - ignore_system_dns = true; - fallback_resolvers = [ "1.1.1.1:53" "9.9.9.9:53" ]; - cache_min_ttl = 450; - cache_max_ttl = 2400; - }; + port = 5353; }; }; } From ef96a959f6cf427f0853e34ae044225d944bccea Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Sun, 28 May 2023 07:14:48 +0200 Subject: [PATCH 30/62] acme: change default email --- roles/acme.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
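Review bot: The new adguard vhost's ACL is `allow lan.net; allow tailscale.net; deny all;` while the `networking.extraHosts` block right above also publishes `architectInterfaceAddress "wireguard"` for the same name, so a WireGuard client resolves `adguard.architect.devs.giugl.io` to the wg address and then gets a 403 from nginx. Either add `allow ${config.architect.networks.wireguard.net};` (assuming the wireguard network defines `net` as lan and tailscale do) or drop the wireguard host entry so the two lists agree. Note also the file header above: this patch's pre-image is `fb6fd01`, the blob that patch 28 already rewrote, so the series does not apply in order.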
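Review bot: With `dnscrypt-proxy2` removed and `adguardhome` left with only `enable` and `port`, nothing in the repository now states where AdGuard forwards queries; the encrypted-upstream, `require_nolog` and `require_nofilter` requirements that the removed `settings` block enforced now live only in AdGuard's mutable runtime config, which a redeploy from this flake will not recreate. A comment such as `# upstreams are set in the AdGuard UI, not declarative — see services.adguardhome.settings` records that, and expressing the upstreams through that option would make it reproducible. `port = 5353` here is AdGuard's web UI port (the nginx vhost proxies to it), which happens to be the mDNS port number; `# web UI port, proxied by the vhost above; DNS listens on 5300` avoids confusion with `adguard_dns_port`.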
diff --git a/roles/acme.nix b/roles/acme.nix index d23825a..bd22485 100644 --- a/roles/acme.nix +++ b/roles/acme.nix @@ -1,10 +1,10 @@ -{ ... }: +{ options, lib, config, ... }: { - security.acme = { + config.security.acme = { acceptTerms = true; defaults = { - email = "sysadmin@giugl.io"; + email = "letsencrypt@depasquale.giugl.io"; }; }; } From b479c748e02390b76dbd50b6c440d74ea3eb51de Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Sun, 28 May 2023 07:21:04 +0200 Subject: [PATCH 31/62] flake: allow openssl1.1.1t --- flake.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/flake.nix b/flake.nix index 62fd26e..c879ef1 100644 --- a/flake.nix +++ b/flake.nix @@ -30,6 +30,10 @@ inherit system; config.allowUnfree = true; + + config.permittedInsecurePackages = [ + "openssl-1.1.1t" + ]; }; wrapUtils = { pkgs, unstablePkgs, system }: From 9f819d13572a6f484e57b7543a7fba8dfe42a2dc Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Sun, 28 May 2023 07:21:31 +0200 Subject: [PATCH 32/62] helix: remove swiProlog --- roles/home/helix.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/home/helix.nix b/roles/home/helix.nix index b305f77..c2d0772 100644 --- a/roles/home/helix.nix +++ b/roles/home/helix.nix @@ -118,7 +118,6 @@ nodePackages.vscode-langservers-extracted nodePackages.typescript nodePackages.svelte-language-server - swiProlog nixpkgs-fmt ]; }; From fef4b471f08699b60457c73842855c2bfd97d3be Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Thu, 1 Jun 2023 21:08:28 +0200 Subject: [PATCH 33/62] minio: Use legacy package --- hosts/architect/minio.nix | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/hosts/architect/minio.nix b/hosts/architect/minio.nix index 174125f..c8d0c7b 100644 --- a/hosts/architect/minio.nix +++ b/hosts/architect/minio.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, lib, pkgs, ... }: let domain = "s3.giugl.io"; 
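Review bot: `config.permittedInsecurePackages = [ "openssl-1.1.1t" ];` whitelists the end-of-life OpenSSL 1.1 series for the entire `pkgs` set rather than for the one dependency that needs it, and nothing in the hunk says which package that is or when the exception can be removed. Add the reason next to the entry, e.g. `"openssl-1.1.1t" # needed by <pkg>; remove once it builds against openssl 3`, so the next version bump (patch 36 already extends this to 1.1.1u) is a conscious decision rather than a reflex.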
@@ -8,7 +8,10 @@ let in { services = { - minio.enable = true; + minio = { + enable = true; + package = pkgs.minio_legacy_fs; + }; nginx.virtualHosts.${domain} = { forceSSL = true; @@ -24,7 +27,7 @@ in }; }; }; - + networking.extraHosts = '' ${architectInterfaceAddress "lan"} ${domain} ${architectInterfaceAddress "wireguard"} ${domain} From 2c906d715eaf26f2e57f851b4524cb5e22c71fa2 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Thu, 1 Jun 2023 21:08:42 +0200 Subject: [PATCH 34/62] architect: Disable gitea --- hosts/architect/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix index 6d2ec6d..cd6baf8 100644 --- a/hosts/architect/default.nix +++ b/hosts/architect/default.nix @@ -16,7 +16,7 @@ in ./hardware.nix ./firewall.nix ./nginx.nix - ./gitea.nix + # ./gitea.nix ./sonarr.nix ./radarr.nix ./bazarr.nix From 6cb4fa08d2da13b4241bec1ee3fe90a1e5c949e1 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Thu, 1 Jun 2023 21:09:04 +0200 Subject: [PATCH 35/62] Add nix-index and command-not-found --- roles/home/common.nix | 1 + roles/home/zsh.nix | 2 ++ 2 files changed, 3 insertions(+) diff --git a/roles/home/common.nix b/roles/home/common.nix index e65c744..d19a65a 100644 --- a/roles/home/common.nix +++ b/roles/home/common.nix @@ -11,6 +11,7 @@ home-manager ripgrep ydiff + nix-index ] ++ lib.optional (!stdenv.isDarwin) pastebinit; diff --git a/roles/home/zsh.nix b/roles/home/zsh.nix index 60cadbe..2cf25fa 100644 --- a/roles/home/zsh.nix +++ b/roles/home/zsh.nix @@ -14,6 +14,8 @@ initExtra = '' any-nix-shell zsh --info-right | source /dev/stdin + source ${pkgs.nix-index}/etc/profile.d/command-not-found.sh ''; }; } + From 0747c0ebf4722e74dbc685c3501ed8e1ded33f61 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Thu, 1 Jun 2023 21:09:30 +0200 Subject: [PATCH 36/62] openssl: Ignore 1.1.1u being vulnerable along with 1.1.1t --- flake.nix | 1 + 1 file changed, 1 insertion(+) 
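Review bot: `package = pkgs.minio_legacy_fs;` pins MinIO to what its name suggests is the last release keeping the filesystem backend, which presumably means no further upstream security fixes reach this server; that deserves an explicit note on the line, e.g. `# legacy FS backend: frozen upstream, migrate data to the current layout before dropping this`. The `s3.giugl.io` vhost in the same file is the exposed surface for this binary, so the pin should be tracked rather than left implicit.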
diff --git a/flake.nix b/flake.nix index 6701a83..9b8f89f 100644 --- a/flake.nix +++ b/flake.nix @@ -33,6 +33,7 @@ config.permittedInsecurePackages = [ "openssl-1.1.1t" + "openssl-1.1.1u" ]; }; From 708687d2581604088e1d40f87a2b3cddd071753c Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Thu, 1 Jun 2023 21:09:36 +0200 Subject: [PATCH 37/62] Update lock --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index e2a8730..4d05361 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1685189510, - "narHash": "sha256-Hq5WF7zIixojPgvhgcd6MBvywwycVZ9wpK/8ogOyoaA=", + "lastModified": 1685599623, + "narHash": "sha256-Tob4CMOVHue0D3RzguDBCtUmX5ji2PsdbQDbIOIKvsc=", "owner": "nix-community", "repo": "home-manager", - "rev": "2d963854ae2499193c0c72fd67435fee34d3e4fd", + "rev": "93db05480c0c0f30382d3e80779e8386dcb4f9dd", "type": "github" }, "original": { @@ -23,11 +23,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1685168767, - "narHash": "sha256-wQgnxz0PdqbyKKpsWl/RU8T8QhJQcHfeC6lh1xRUTfk=", + "lastModified": 1685564631, + "narHash": "sha256-8ywr3AkblY4++3lIVxmrWZFzac7+f32ZEhH/A8pNscI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e10802309bf9ae351eb27002c85cfdeb1be3b262", + "rev": "4f53efe34b3a8877ac923b9350c874e3dcd5dc0a", "type": "github" }, "original": { @@ -39,11 +39,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1685302407, - "narHash": "sha256-GaH2fAOQOSJehr085tMNaE2LPTbVRI7burGZUVeSfmQ=", + "lastModified": 1685645444, + "narHash": "sha256-FEuVrowBDU8D+Vt1oqN6j18g/vDvU13WVruTaMjzb8w=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b2ea8027e4d43b652293448eeafe564b53ca2a94", + "rev": "ce3e618cd3b9792d898b76126c36e6ac50b680e1", "type": "github" }, "original": { From 3bc816b66572d7628698dc50d7a5b5979561b43c Mon Sep 17 00:00:00 2001 
From: Giulio De Pasquale Date: Sat, 3 Jun 2023 01:46:08 +0200 Subject: [PATCH 38/62] gitea: move LFS setting into gitea.lfs --- hosts/architect/gitea.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/architect/gitea.nix b/hosts/architect/gitea.nix index 58b0474..b3ce7ae 100644 --- a/hosts/architect/gitea.nix +++ b/hosts/architect/gitea.nix @@ -13,11 +13,12 @@ in enable = true; database.type = "sqlite3"; appName = "Gitea"; + # https://github.com/NixOS/nixpkgs/issues/235442#issuecomment-1574329453 + lfs.enable = true; settings = { server = { DOMAIN = domain; ROOT_URL = "https://${domain}"; - LFS_START_SERVER = true; SSH_PORT = 22; }; openid.enable_openid_signin = true; From 78fc53024fcacffbe8392d8e297d912fbd0459db Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 5 Jun 2023 00:29:43 +0200 Subject: [PATCH 39/62] options: added vhost attributes --- hosts/architect/options.nix | 69 +++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) diff --git a/hosts/architect/options.nix b/hosts/architect/options.nix index fd0b5ab..8f807b6 100644 --- a/hosts/architect/options.nix +++ b/hosts/architect/options.nix @@ -2,6 +2,10 @@ with lib; +let + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; +in { options.architect = { firewall = { 
@@ -58,5 +62,70 @@ with lib; default = { }; description = "An attribute set of networks with their configurations."; }; + + vhost = mkOption { + type = types.attrsOf (types.submodule { + options = { + dnsInterfaces = mkOption { + type = types.listOf types.str; + default = [ ]; + description = "List of interfaces to add extra DNS hosts for this vhost."; + }; + + locations = mkOption { + type = types.attrsOf (types.submodule { + options = { + port = mkOption { + type = types.int; + description = "The port number for the location."; + }; + + allow = mkOption { + type = types.listOf types.str; + default = [ ]; + description = "IP address or CIDR block to allow."; + }; + + deny = mkOption { + type = types.listOf types.str; + default = [ ]; + description = "IP address or CIDR block to deny."; + }; + }; + }); + default = { }; + description = "An attribute set of location configurations."; + }; + }; + }); + default = { }; + description = "An attribute set of domain configurations."; + }; + }; + + config = { + services.nginx.virtualHosts = mapAttrs + (domain: conf: { + forceSSL = true; + enableACME = true; + locations = mapAttrs + (path: location: { + proxyPass = "http://127.0.0.1:${toString location.port}"; + extraConfig = '' + ${concatMapStringsSep "\n" (denyCIDR: "deny ${denyCIDR};") location.deny} + ${concatMapStringsSep "\n" (allowCIDR: "allow ${allowCIDR};") location.allow} + ''; + }) + conf.locations; + }) + config.architect.vhost; + + networking.extraHosts = concatStringsSep "\n" ( + mapAttrsToList + (domain: conf: concatMapStringsSep "\n" + (iface: "${architectInterfaceAddress iface} ${domain}") + conf.dnsInterfaces) + config.architect.vhost + ); }; } From acb47f5a73ecf8fdd206cff28081f60de571df06 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 5 Jun 2023 00:30:07 +0200 Subject: [PATCH 40/62] dns: moved config to vhost --- hosts/architect/dns.nix | 34 ++++++++++++---------------------- 1 file changed, 12 insertions(+), 22 deletions(-) 
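Review bot: The generated location `extraConfig` emits the `deny` list followed by the `allow` list and never a closing `deny all;`, so under nginx's first-match access rules a location whose `allow` is `[ lan.net ]` still admits every other client; the `allow` option restricts nothing unless the caller also enumerates the whole world in `deny`. The per-host configs this module replaces ended with `deny all;`, so the migrations in this series quietly widen access. Append `${optionalString (location.allow != [ ]) "deny all;"}` after the allow line and say so in the `allow` option's `description`. `port` would also be better typed as `types.port` than `types.int`. The same shape is kept by the later "vhost: added attributes" and "vhost: added host" commits.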
diff --git a/hosts/architect/dns.nix b/hosts/architect/dns.nix index 99507ab..801cbae 100644 --- a/hosts/architect/dns.nix +++ b/hosts/architect/dns.nix @@ -1,36 +1,26 @@ { config, pkgs, lib, ... }: let - adguard_dns_port = 5300; domain = "adguard.architect.devs.giugl.io"; - - utilities = import ./utilities.nix { inherit lib config; }; - inherit (utilities) architectInterfaceAddress; in { - architect.firewall.openUDPVPN = [ 53 ]; + architect = { + firewall.openUDPVPN = [ 53 ]; - networking.extraHosts = '' - ${architectInterfaceAddress "lan"} ${domain} - ${architectInterfaceAddress "wireguard"} ${domain} - ${architectInterfaceAddress "tailscale"} ${domain} - ''; + vhost.${domain} = { + dnsInterfaces = [ "lan" "tailscale" "wireguard" ]; - services = { - nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - extraConfig = '' - allow ${config.architect.networks.lan.net}; - allow ${config.architect.networks.tailscale.net}; - deny all; - ''; - - locations."/" = { - proxyPass = "http://127.0.0.1:${toString config.services.adguardhome.settings.bind_port}"; + locations."/" = with config; { + port = services.adguardhome.settings.bind_port; + allow = with architect.networks; [ lan.net tailscale.net ]; + deny = [ + architect.networks."lan".devices.router.address + ]; }; }; + }; + services = { dnsmasq = { enable = true; settings = { From da1b08c44ac2daa8ea3983a97e83cae603c59c27 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 5 Jun 2023 00:46:39 +0200 Subject: [PATCH 41/62] radarr: use vhost --- hosts/architect/radarr.nix | 39 ++++++++++++++------------------------ 1 file changed, 14 insertions(+), 25 deletions(-) diff --git a/hosts/architect/radarr.nix b/hosts/architect/radarr.nix index 15748e6..39b4ff7 100644 --- a/hosts/architect/radarr.nix +++ b/hosts/architect/radarr.nix 
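Review bot: `deny = [ architect.networks."lan".devices.router.address ];` together with `allow = [ lan.net tailscale.net ]` only yields the intended policy if the vhost module closes the list with `deny all;`; the module added earlier in this series does not, so the rendered block is `deny <router>; allow <lan>; allow <tailscale>;`, which admits every other source, whereas the removed inline config ended with `deny all;`. Record the intent on the block, e.g. `# intended: LAN + tailscale only, router excluded`, and fix the generator. The file's `services.dnsmasq` block continues outside the hunk.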
@@ -2,36 +2,25 @@ let domain = "htrad.giugl.io"; - auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; - - utilities = import ./utilities.nix { inherit lib config; }; - inherit (utilities) architectInterfaceAddress; in { - services = { - radarr = { - enable = true; - group = "media"; - }; + services.radarr = { + enable = true; + group = "media"; + }; - nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:7878"; - extraConfig = auth_block { - access_role = "radarr"; - }; - }; + architect.vhost.${domain} = with config.architect.networks; { + dnsInterfaces = [ "lan" "wireguard" "tailscale" ]; + locations."/" = { + port = 7878; + deny = [ lan.devices.router.address ]; + allow = [ + lan.net + wireguard.net + tailscale.net + ]; }; }; - - networking.extraHosts = '' - ${architectInterfaceAddress "lan"} ${domain} - ${architectInterfaceAddress "wireguard"} ${domain} - ${architectInterfaceAddress "tailscale"} ${domain} - ''; - users.groups.media.members = [ "radarr" ]; } From 17d2e103459cbe127de67c17882d4a694746b8f3 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 5 Jun 2023 00:50:31 +0200 Subject: [PATCH 42/62] bazarr: use vhost --- hosts/architect/bazarr.nix | 38 ++++++++++++++------------------------ 1 file changed, 14 insertions(+), 24 deletions(-) diff --git a/hosts/architect/bazarr.nix b/hosts/architect/bazarr.nix index 7ca8884..4586da8 100644 --- a/hosts/architect/bazarr.nix +++ b/hosts/architect/bazarr.nix 
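Review bot: The removed `extraConfig = auth_block { access_role = "radarr"; }` was the OIDC authentication in front of Radarr; the replacement relies only on the source-address lists in `architect.vhost`, and nothing in the hunk turns on Radarr's own login. Please confirm the application's built-in authentication is enabled, or record on the `locations."/"` block why network position alone is considered enough, e.g. `# no proxy auth: relies on Radarr's own login + source IP lists`. The same `auth_block` removal happens in the bazarr, sonarr and nzbget commits later in the series.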
@@ -2,35 +2,25 @@ let domain = "htbaz.giugl.io"; - auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; - - utilities = import ./utilities.nix { inherit lib config; }; - inherit (utilities) architectInterfaceAddress; in { - services = { - bazarr = { - enable = true; - group = "media"; - }; + services.bazarr = { + enable = true; + group = "media"; + }; - nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:6767"; - extraConfig = auth_block { - access_role = "bazarr"; - }; - }; + architect.vhost.${domain} = with config.architect.networks; { + dnsInterfaces = [ "lan" "wireguard" "tailscale" ]; + locations."/" = { + port = 6767; + deny = [ lan.devices.router.address ]; + allow = [ + lan.net + wireguard.net + tailscale.net + ]; }; }; - networking.extraHosts = '' - ${architectInterfaceAddress "lan"} ${domain} - ${architectInterfaceAddress "wireguard"} ${domain} - ${architectInterfaceAddress "tailscale"} ${domain} - ''; - users.groups.media.members = [ "bazarr" ]; } From 9aeacafbb2faadadbfc168d0d929ffceed2050c7 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 5 Jun 2023 03:01:37 +0200 Subject: [PATCH 43/62] docker: use docker as default backend for containers. disable iptables --- hosts/architect/docker.nix | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/hosts/architect/docker.nix b/hosts/architect/docker.nix index 93c2d37..69b0ee5 100644 --- a/hosts/architect/docker.nix +++ b/hosts/architect/docker.nix 
@@ -5,13 +5,19 @@ interface = "docker0"; net = "172.17.0.0/16"; }; - - virtualisation.docker = { - enable = true; - extraOptions = '' - --dns 127.0.0.1 --dns ${config.architect.networks.lan.devices.architect.address} --data-root /docker - ''; - enableOnBoot = false; + + virtualisation = { + oci-containers.backend = "docker"; + + docker = { + enable = true; + extraOptions = '' + --dns 127.0.0.1 --dns ${config.architect.networks.lan.devices.architect.address} --data-root /docker + ''; + enableOnBoot = false; + daemon.settings.iptables = false; + }; }; + users.users.giulio.extraGroups = [ "docker" ]; } From 65ba588d8ea3faf73dfd35db771348609efd75ce Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 5 Jun 2023 03:02:02 +0200 Subject: [PATCH 44/62] vhost: added attributes --- hosts/architect/options.nix | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/hosts/architect/options.nix b/hosts/architect/options.nix index 8f807b6..90642d3 100644 --- a/hosts/architect/options.nix +++ b/hosts/architect/options.nix @@ -75,6 +75,22 @@ in locations = mkOption { type = types.attrsOf (types.submodule { options = { + extraConfig = mkOption { + type = types.str; + description = "Extra configuration for the location."; + default = ""; + }; + + allowLan = mkOption { + type = types.bool; + default = false; + }; + + proxyWebsockets = mkOption { + type = types.bool; + default = false; + }; + port = mkOption { type = types.int; description = "The port number for the location."; 
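Review bot: `daemon.settings.iptables = false;` stops the daemon from managing NAT and its DOCKER/DOCKER-USER isolation chains, so published ports, container egress and the separation between containers and host services now depend entirely on the host's nftables rules. That may be deliberate, but the hunk does not say what takes over; add `# NAT and container isolation are handled in firewall.nix` (or wherever they live) above the line. `oci-containers.backend = "docker";` is unrelated to the iptables change and would read better as its own commit.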
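Review bot: `allowLan` and `proxyWebsockets` are added without a `description`, unlike the sibling options in this submodule, so the rendered option docs will show them undocumented. Suggested text: `description = "Allow clients from the lan network and deny the router address.";` for `allowLan` (matching what the generator emits) and `description = "Enable nginx websocket proxying for this location.";` for `proxyWebsockets`. The enclosing submodule continues outside the hunk.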
@@ -111,10 +127,13 @@ in locations = mapAttrs (path: location: { proxyPass = "http://127.0.0.1:${toString location.port}"; + proxyWebsockets = location.proxyWebsockets; extraConfig = '' + ${optionalString location.allowLan "deny 10.0.0.1;"} ${concatMapStringsSep "\n" (denyCIDR: "deny ${denyCIDR};") location.deny} ${concatMapStringsSep "\n" (allowCIDR: "allow ${allowCIDR};") location.allow} - ''; + ${optionalString location.allowLan ''allow ${config.architect.networks."lan".net};''} + '' + location.extraConfig; }) conf.locations; }) From b37897576902f5d66b5b2ba5d445d9466545b556 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 5 Jun 2023 03:02:26 +0200 Subject: [PATCH 45/62] sonarr: port to vhost --- hosts/architect/sonarr.nix | 36 +++++++++++------------------------- 1 file changed, 11 insertions(+), 25 deletions(-) diff --git a/hosts/architect/sonarr.nix b/hosts/architect/sonarr.nix index 42874e8..acebe43 100644 --- a/hosts/architect/sonarr.nix +++ b/hosts/architect/sonarr.nix @@ -2,35 +2,21 @@ let domain = "htson.giugl.io"; - auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; - - utilities = import ./utilities.nix { inherit lib config; }; - inherit (utilities) architectInterfaceAddress; in { - services = { - sonarr = { - enable = true; - group = "media"; - }; + services.sonarr = { + enable = true; + group = "media"; + }; + + architect.vhost.${domain} = { + dnsInterfaces = [ "tailscale" "wireguard" ]; - nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:8989"; - extraConfig = auth_block { - access_role = "sonarr"; - }; - }; + locations."/" = { + port = 6969; + allowLan = true; }; }; - - networking.extraHosts = '' - ${architectInterfaceAddress "lan"} ${domain} - ${architectInterfaceAddress "wireguard"} ${domain} - ${architectInterfaceAddress "tailscale"} ${domain} - ''; - + users.groups.media.members = [ "sonarr" ]; } 
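Review bot: `${optionalString location.allowLan "deny 10.0.0.1;"}` hard-codes the router address while the allow side of the same expression reads `config.architect.networks."lan".net`; the router address already exists as `config.architect.networks.lan.devices.router.address` (used by the radarr and dns vhosts in this series), so interpolate that instead of the literal. The generated block still has no trailing `deny all;`, so `allowLan = true` alone does not confine a location to the LAN. A comment on the `extraConfig` assignment stating the order (`# deny entries first, then allow; nginx uses first match`) would make the generated policy easier to reason about.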
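Review bot: `port = 6969;` does not match the removed `proxyPass = "http://127.0.0.1:8989"`, and nothing in the hunk changes the port Sonarr listens on, so the vhost will proxy to a port no service is bound to unless Sonarr is reconfigured elsewhere. Either restore `port = 8989;` or set the service port in the same commit. `dnsInterfaces` also drops `"lan"` while `allowLan = true` is set, so LAN clients no longer receive the internal hosts entry for this domain.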
From 2f4374516256f31882d76406f507499d6e320781 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 5 Jun 2023 03:10:13 +0200 Subject: [PATCH 46/62] Move to vhost --- hosts/architect/bazarr.nix | 4 ++-- hosts/architect/prowlarr.nix | 35 ++++++----------------------------- hosts/architect/radarr.nix | 6 +++--- 3 files changed, 11 insertions(+), 34 deletions(-) diff --git a/hosts/architect/bazarr.nix b/hosts/architect/bazarr.nix index 4586da8..85d0179 100644 --- a/hosts/architect/bazarr.nix +++ b/hosts/architect/bazarr.nix @@ -12,10 +12,10 @@ in architect.vhost.${domain} = with config.architect.networks; { dnsInterfaces = [ "lan" "wireguard" "tailscale" ]; locations."/" = { + allowLan = true; port = 6767; - deny = [ lan.devices.router.address ]; + allow = [ - lan.net wireguard.net tailscale.net ]; diff --git a/hosts/architect/prowlarr.nix b/hosts/architect/prowlarr.nix index ad5b8e8..2fff070 100644 --- a/hosts/architect/prowlarr.nix +++ b/hosts/architect/prowlarr.nix 
@@ -2,41 +2,18 @@ let domain = "htpro.giugl.io"; - - utilities = import ./utilities.nix { inherit lib config; }; - inherit (utilities) architectInterfaceAddress; in { - services = { - prowlarr.enable = true; + services.prowlarr.enable = true; - nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:9696"; - extraConfig = '' - allow ${config.architect.networks.lan.net}; - allow ${config.architect.networks.tailscale.net}; - deny all; - ''; - }; + architect.vhost.${domain} = { + dnsInterfaces = [ "tailscale" "wireguard" ]; - # locations."/api" = { - # proxyPass = "http://127.0.0.1:9696/prowlarr/api"; - # }; - # - # locations."/Content" = { - # proxyPass = "http://127.0.0.1:9696/prowlarr/Content"; - # }; + locations."/" = { + port = 9696; + allowLan = true; }; }; - - networking.extraHosts = '' - ${architectInterfaceAddress "lan"} ${domain} - ${architectInterfaceAddress "wireguard"} ${domain} - ${architectInterfaceAddress "tailscale"} ${domain} - ''; users.groups.media.members = [ "prowlarr" ]; } diff --git a/hosts/architect/radarr.nix b/hosts/architect/radarr.nix index 39b4ff7..46491cd 100644 --- a/hosts/architect/radarr.nix +++ b/hosts/architect/radarr.nix @@ -10,12 +10,12 @@ in }; architect.vhost.${domain} = with config.architect.networks; { - dnsInterfaces = [ "lan" "wireguard" "tailscale" ]; + dnsInterfaces = [ "wireguard" "tailscale" ]; locations."/" = { port = 7878; - deny = [ lan.devices.router.address ]; + allowLan = true; + allow = [ - lan.net wireguard.net tailscale.net ]; From f2e33628c04ba2b09d0bccb46ccd939ba146195f Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 5 Jun 2023 03:11:46 +0200 Subject: [PATCH 47/62] jellyfin: vhost --- hosts/architect/jellyfin.nix | 55 +++++++++++++++--------------------- 1 file changed, 22 insertions(+), 33 deletions(-) diff --git a/hosts/architect/jellyfin.nix b/hosts/architect/jellyfin.nix index b61a73d..5d319e3 100644 
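Review bot: The removed inline config was `allow <lan>; allow <tailscale>; deny all;`; the replacement `locations."/" = { port = 9696; allowLan = true; }` neither lists `tailscale.net` nor produces a `deny all;` through the vhost module, so the effective rule set is `deny <router>; allow <lan>;`, which admits everything else, and tailscale clients named in `dnsInterfaces` are not explicitly allowed at all. Add `allow = [ config.architect.networks.tailscale.net ];` and close the generated list in the module, or note on the block why Prowlarr is meant to be reachable from any source.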
--- a/hosts/architect/jellyfin.nix +++ b/hosts/architect/jellyfin.nix 
@@ -3,52 +3,41 @@ let domain = "media.giugl.io"; port = 8096; - - utilities = import ./utilities.nix { inherit lib config; }; - inherit (utilities) architectInterfaceAddress; + allowLan = true; in { # needed since StateDirectory does not accept symlinks systemd.services.jellyfin.serviceConfig.StateDirectory = lib.mkForce ""; - services = { - jellyfin = { - enable = true; - group = "media"; - package = pkgs.unstablePkgs.jellyfin; - }; + architect.vhost.${domain} = with config.architect.networks; { + dnsInterfaces = [ "lan" "wireguard" "tailscale" ]; + locations = { + "/" = { + inherit port allowLan; - nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - extraConfig = '' - # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. - #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; - # Disable buffering when the nginx proxy gets very resource heavy upon streaming - proxy_buffering off; - - allow ${config.architect.networks.lan.net}; - allow ${config.architect.networks.tailscale.net}; - deny all; - ''; - - locations."/" = { - proxyPass = "http://127.0.0.1:${toString port}"; + allow = [ + wireguard.net + tailscale.net + ]; }; - locations."/socket" = { - proxyPass = "http://127.0.0.1:${toString port}"; + "/socket" = { + inherit port allowLan; + proxyWebsockets = true; + allow = [ + wireguard.net + tailscale.net + ]; }; }; }; - - networking.extraHosts = '' - ${architectInterfaceAddress "lan"} ${domain} - ${architectInterfaceAddress "wireguard"} ${domain} - ${architectInterfaceAddress 
"tailscale"} ${domain} - ''; + services.jellyfin = { + enable = true; + group = "media"; + package = pkgs.unstablePkgs.jellyfin; + }; users.groups = { media.members = [ "jellyfin" ]; From edf4ba07eea2d60b6d8839d81d4dc307289a6c41 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 5 Jun 2023 03:12:09 +0200 Subject: [PATCH 48/62] nginx: switch to nginx as package --- hosts/architect/nginx.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/architect/nginx.nix b/hosts/architect/nginx.nix index 3a44116..a0b1bab 100644 --- a/hosts/architect/nginx.nix +++ b/hosts/architect/nginx.nix @@ -8,7 +8,7 @@ services.nginx = { enable = true; - package = pkgs.openresty; + package = pkgs.nginx; recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; From 0698f9b8db615f14d3cf55c7fcaaf05db775fe3d Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 5 Jun 2023 03:12:34 +0200 Subject: [PATCH 49/62] nzbget: vhost --- hosts/architect/nzbget.nix | 34 ++++++++++------------------------ 1 file changed, 10 insertions(+), 24 deletions(-) diff --git a/hosts/architect/nzbget.nix b/hosts/architect/nzbget.nix index d83280f..180915e 100644 --- a/hosts/architect/nzbget.nix +++ b/hosts/architect/nzbget.nix 
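Review bot: The removed server `extraConfig` carried `proxy_buffering off;` with a comment explaining it matters for streaming; the vhost replacement sets no `extraConfig` on either location, so buffering is back on for `/` and `/socket` unless nginx.nix disables it globally. The location option added to the module covers this: `extraConfig = "proxy_buffering off;";` on `"/"`. The `allow` list is also duplicated verbatim between `"/"` and `"/socket"`; binding it once in the `let` next to `allowLan` would keep the two from drifting.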
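Review bot: `package = pkgs.nginx;` drops the Lua runtime that the `openresty_oidc_block` snippet in `./openid.nix` depends on, so any vhost still importing `auth_block` fails to start rather than degrading. The series removes those references service by service, but this hunk gives no hint of the constraint; a comment such as `# plain nginx: the openresty/lua OIDC snippets are no longer usable` on the line would record it for the next reader.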
@@ -2,35 +2,21 @@ let domain = "htnzb.giugl.io"; - auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; - - utilities = import ./utilities.nix { inherit lib config; }; - inherit (utilities) architectInterfaceAddress; in { - services = { - nzbget = { - enable = true; - group = "media"; - }; + services.nzbget = { + enable = true; + group = "media"; + }; - nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:6789"; - extraConfig = auth_block { - access_role = "nzbget"; - }; - }; + architect.vhost.${domain} = { + dnsInterfaces = [ "tailscale" "wireguard" "lan" ]; + + locations."/" = { + port = 6789; + allowLan = true; }; }; - networking.extraHosts = '' - ${architectInterfaceAddress "lan"} ${domain} - ${architectInterfaceAddress "wireguard"} ${domain} - ${architectInterfaceAddress "tailscale"} ${domain} - ''; - users.groups.media.members = [ "nzbget" ]; } From d423200c59ee9adee2bfa48972efd11025fa9c07 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 5 Jun 2023 03:12:59 +0200 Subject: [PATCH 50/62] bazarr: add lan to dnsinterface --- hosts/architect/bazarr.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/architect/bazarr.nix b/hosts/architect/bazarr.nix index 85d0179..07d36fc 100644 --- a/hosts/architect/bazarr.nix +++ b/hosts/architect/bazarr.nix @@ -10,7 +10,7 @@ in }; architect.vhost.${domain} = with config.architect.networks; { - dnsInterfaces = [ "lan" "wireguard" "tailscale" ]; + dnsInterfaces = [ "wireguard" "tailscale" ]; locations."/" = { allowLan = true; port = 6767; From d1d0793e2ca5af00b3829f2166b10953028050b5 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 5 Jun 2023 03:15:23 +0200 Subject: [PATCH 51/62] photoprism: use vhost --- hosts/architect/photoprism.nix | 37 ++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 hosts/architect/photoprism.nix 
diff --git a/hosts/architect/photoprism.nix b/hosts/architect/photoprism.nix new file mode 100644 index 0000000..38ef065 --- /dev/null +++ b/hosts/architect/photoprism.nix @@ -0,0 +1,37 @@ +{ config, pkgs, lib, ... }: + +let + domain = "photos.giugl.io"; +in +{ + services = { + photoprism = { + enable = true; + package = pkgs.photoprism; + originalsPath = "/var/lib/private/photoprism/originals"; + address = "0.0.0.0"; + settings = { + PHOTOPRISM_DEFAULT_LOCALE = "en"; + PHOTOPRISM_DATABASE_DRIVER = "mysql"; + PHOTOPRISM_DATABASE_NAME = "photoprism"; + PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock"; + PHOTOPRISM_DATABASE_USER = "photoprism"; + PHOTOPRISM_SITE_URL = "https://${domain}"; + PHOTOPRISM_SITE_TITLE = "PePrism"; + PHOTOPRISM_FFMPEG_ENCODER = "nvidia"; + PHOTOPRISM_INIT = "tensorflow"; + NVIDIA_VISIBLE_DEVICES = "all"; + NVIDIA_DRIVER_CAPABILITIES = "compute,video,utility"; + PHOTOPRISM_FFMPEG_BIN = "${pkgs.ffmpeg}/bin/ffmpeg"; + }; + }; + + architect.vhost.${domain} = { + dnsInterfaces = [ "tailscale" "lan" ]; + locations."/" = { + port = config.services.photoprism.port; + allowLan = true; + allow = [ config.architect.networks."tailscale".net ]; + }; + }; + } From 6d7235935361f7b1f2240abef5f4794fd82ecda2 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 5 Jun 2023 03:16:19 +0200 Subject: [PATCH 52/62] gitea: reenable gitea --- hosts/architect/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix index cd6baf8..6d2ec6d 100644 --- a/hosts/architect/default.nix +++ b/hosts/architect/default.nix @@ -16,7 +16,7 @@ in ./hardware.nix ./firewall.nix ./nginx.nix - # ./gitea.nix + ./gitea.nix ./sonarr.nix ./radarr.nix ./bazarr.nix From 1df031965a4bddb324cd2682845226ed02c3644a Mon Sep 17 00:00:00 2001 
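Review bot: `address = "0.0.0.0";` makes PhotoPrism listen on every interface while the vhost proxies to `127.0.0.1`, so the unproxied port is reachable directly, subject only to the host firewall and bypassing the vhost's `allow` list. `address = "127.0.0.1";` matches the proxy target and how the other services in this tree are exposed. The `architect.vhost` attribute is also nested inside `services = { ... }` in this version, which the follow-up commit corrects, but the bind address survives that rewrite.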
From: Giulio De Pasquale Date: Mon, 5 Jun 2023 03:22:41 +0200 Subject: [PATCH 53/62] photoprism: use vhost --- hosts/architect/photoprism.nix | 56 +++++++++++++++++----------------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/hosts/architect/photoprism.nix b/hosts/architect/photoprism.nix index 38ef065..c30b0e1 100644 --- a/hosts/architect/photoprism.nix +++ b/hosts/architect/photoprism.nix 
@@ -4,34 +4,34 @@ let domain = "photos.giugl.io"; in { - services = { - photoprism = { - enable = true; - package = pkgs.photoprism; - originalsPath = "/var/lib/private/photoprism/originals"; - address = "0.0.0.0"; - settings = { - PHOTOPRISM_DEFAULT_LOCALE = "en"; - PHOTOPRISM_DATABASE_DRIVER = "mysql"; - PHOTOPRISM_DATABASE_NAME = "photoprism"; - PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock"; - PHOTOPRISM_DATABASE_USER = "photoprism"; - PHOTOPRISM_SITE_URL = "https://${domain}"; - PHOTOPRISM_SITE_TITLE = "PePrism"; - PHOTOPRISM_FFMPEG_ENCODER = "nvidia"; - PHOTOPRISM_INIT = "tensorflow"; - NVIDIA_VISIBLE_DEVICES = "all"; - NVIDIA_DRIVER_CAPABILITIES = "compute,video,utility"; - PHOTOPRISM_FFMPEG_BIN = "${pkgs.ffmpeg}/bin/ffmpeg"; - }; + services.photoprism = { + enable = true; + package = pkgs.photoprism; + originalsPath = "/var/lib/private/photoprism/originals"; + address = "0.0.0.0"; + settings = { + PHOTOPRISM_DEFAULT_LOCALE = "en"; + PHOTOPRISM_DATABASE_DRIVER = "mysql"; + PHOTOPRISM_DATABASE_NAME = "photoprism"; + PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock"; + PHOTOPRISM_DATABASE_USER = "photoprism"; + PHOTOPRISM_SITE_URL = "https://${domain}"; + PHOTOPRISM_SITE_TITLE = "PePrism"; + PHOTOPRISM_FFMPEG_ENCODER = "nvidia"; + PHOTOPRISM_INIT = "tensorflow"; + NVIDIA_VISIBLE_DEVICES = "all"; + NVIDIA_DRIVER_CAPABILITIES = "compute,video,utility"; + PHOTOPRISM_FFMPEG_BIN = "${pkgs.ffmpeg}/bin/ffmpeg"; }; + }; - architect.vhost.${domain} = { - dnsInterfaces = [ "tailscale" "lan" ]; - locations."/" = { - port = config.services.photoprism.port; - allowLan = true; - allow = [ config.architect.networks."tailscale".net ]; - }; + architect.vhost.${domain} = { + dnsInterfaces = [ "tailscale" "lan" ]; + locations."/" = { + port = config.services.photoprism.port; + allowLan = true; + allow = [ config.architect.networks."tailscale".net ]; + proxyWebsockets = true; }; - } + }; +} From 2c387448ba2e7fe505bdea5e2f9b0dfe06b23813 Mon Sep 17 00:00:00 2001 
From: Giulio De Pasquale Date: Mon, 5 Jun 2023 04:41:10 +0200 Subject: [PATCH 54/62] gitea: vhost --- hosts/architect/gitea.nix | 28 ++++++++-------------------- 1 file changed, 8 insertions(+), 20 deletions(-) diff --git a/hosts/architect/gitea.nix b/hosts/architect/gitea.nix index b3ce7ae..62eb732 100644 --- a/hosts/architect/gitea.nix +++ b/hosts/architect/gitea.nix @@ -2,12 +2,15 @@ let domain = "git.giugl.io"; - - utilities = import ./utilities.nix { inherit lib config; }; - inherit (utilities) architectInterfaceAddress; in { - architect.firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ]; + architect = { + firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ]; + vhost.${domain} = { + dnsInterfaces = [ "lan" "tailscale" "wireguard" ]; + locations."/".port = config.services.gitea.settings.server.HTTP_PORT; + }; + }; services.gitea = { enable = true; @@ -20,24 +23,9 @@ in DOMAIN = domain; ROOT_URL = "https://${domain}"; SSH_PORT = 22; + HTTP_PORT = 3001; }; openid.enable_openid_signin = true; }; }; - - services.nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:3000"; - # it does not work, it breaks gitea's web portal - # extraConfig = auth_block { access_role = "git"; }; - }; - }; - - networking.extraHosts = '' - ${architectInterfaceAddress "lan"} ${domain} - ${architectInterfaceAddress "wireguard"} ${domain} - ${architectInterfaceAddress "tailscale"} ${domain} - ''; } From 842b3f0ac7808498a0e31b9d9fd7f4c2a76bc5eb Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 5 Jun 2023 04:43:07 +0200 Subject: [PATCH 55/62] firewall: give docker more freedom --- hosts/architect/firewall.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/hosts/architect/firewall.nix b/hosts/architect/firewall.nix index 3194b36..255f46f 100644 --- a/hosts/architect/firewall.nix +++ b/hosts/architect/firewall.nix 
@@ -54,6 +54,9 @@ in } table ip nat { + chain DOCKER { + type nat hook prerouting priority dstnat; policy accept; + } chain PREROUTING { type nat hook prerouting priority dstnat; policy accept; } @@ -142,6 +145,7 @@ in ip daddr 255.255.255.255 accept comment "allow broadcast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" ip saddr ${lan.net} accept comment "lan > local" + iifname ${docker.interface} accept ip saddr ${tailscale.net} accept comment "tailscale > local" ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local" @@ -151,7 +155,6 @@ in iifname ${wireguard.interface} udp dport {${openUDPVPN}} accept iifname ${wireguard.interface} icmp type echo-request accept - iifname ${docker.interface} udp dport 53 accept jump filter_drop } From 6389d1950a2155887f722fc40b3a88988577e571 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 5 Jun 2023 04:43:42 +0200 Subject: [PATCH 56/62] nextcloud: switched to mariadb. increased max upload size to 50GB --- hosts/architect/nextcloud.nix | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/hosts/architect/nextcloud.nix b/hosts/architect/nextcloud.nix index 000ead5..5ad507f 100644 --- a/hosts/architect/nextcloud.nix +++ b/hosts/architect/nextcloud.nix @@ -13,10 +13,10 @@ in forceSSL = true; enableACME = true; }; - + mysql = { enable = true; - package = pkgs.unstablePkgs.mysql80; + package = pkgs.mariadb; }; redis = { @@ -33,6 +33,7 @@ in https = true; package = pkgs.unstablePkgs.nextcloud26; datadir = "/services/nextcloud"; + configureRedis = true; caching = { redis = true; }; 
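Review bot: The added `chain DOCKER { type nat hook prerouting priority dstnat; policy accept; }` registers a second empty base chain on the same hook and priority as the `PREROUTING` chain right below it; with `daemon.settings.iptables = false` set in docker.nix the daemon will not populate it, so it is dead configuration. Either put the DNAT rules for published container ports here and say so, `# container port publishing (docker's iptables integration is off)`, or remove the chain.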
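Review bot: `iifname ${docker.interface} accept` admits every packet from the container bridge into the host's input chain, replacing the `udp dport 53` rule deleted in the next hunk; with Docker's own isolation switched off, any container can now reach every locally bound host service (databases on TCP, the AdGuard UI, PhotoPrism on 0.0.0.0). Scope it to what containers actually need, e.g. `iifname ${docker.interface} udp dport 53 accept comment "docker > local dns"` plus the matching `tcp dport 53` line, and add further ports explicitly with a comment each.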
@@ -40,15 +41,16 @@ in autoUpdateApps.enable = true; autoUpdateApps.startAt = "05:00:00"; + maxUploadSize = "50G"; + config = { overwriteProtocol = "https"; dbtype = "mysql"; - dbuser = "oc_giulio2"; + dbuser = "nextcloud"; dbhost = "localhost"; - dbname = "nextcloud_final"; + dbname = "nextcloud"; dbpassFile = "/secrets/nextcloud/dbpass.txt"; - adminpassFile = "/secrets/nextcloud/adminpass.txt"; - adminuser = "giulio"; + adminpassFile = "/secrets/nextcloud/dbpass.txt"; extraTrustedDomains = [ "${domain}" ]; }; }; From 7f2c129ea94d10536c54be39e757ba9cd92e62aa Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 5 Jun 2023 04:44:33 +0200 Subject: [PATCH 57/62] vhost: added host --- hosts/architect/options.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/hosts/architect/options.nix b/hosts/architect/options.nix index 90642d3..6138eb8 100644 --- a/hosts/architect/options.nix +++ b/hosts/architect/options.nix @@ -91,6 +91,12 @@ in default = false; }; + host = mkOption { + type = types.str; + description = "The host for the location."; + default = "127.0.0.1"; + }; + port = mkOption { type = types.int; description = "The port number for the location."; @@ -126,7 +132,7 @@ in enableACME = true; locations = mapAttrs (path: location: { - proxyPass = "http://127.0.0.1:${toString location.port}"; + proxyPass = "http://${location.host}:${toString location.port}"; proxyWebsockets = location.proxyWebsockets; extraConfig = '' ${optionalString location.allowLan "deny 10.0.0.1;"} From cd6c3e75ed2e813b4bcd3fc7298d228a5904477f Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 5 Jun 2023 04:50:44 +0200 Subject: [PATCH 58/62] invidious: vhost --- hosts/architect/invidious.nix | 28 ++++++++-------------------- 1 file changed, 8 insertions(+), 20 deletions(-) diff --git a/hosts/architect/invidious.nix b/hosts/architect/invidious.nix index 3f0e451..7b67e64 100644 --- a/hosts/architect/invidious.nix +++ b/hosts/architect/invidious.nix 
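Review bot: `adminpassFile = "/secrets/nextcloud/dbpass.txt";` now points at the same file as `dbpassFile`, so the Nextcloud admin login shares the database password, and with `adminuser = "giulio"` removed the admin account falls back to the module's default name. If that is intentional it needs a comment; otherwise restore a separate secret, e.g. `adminpassFile = "/secrets/nextcloud/adminpass.txt";`. The `dbuser`/`dbname` change also implies a data migration from `nextcloud_final` that the commit message does not mention.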
@@ -2,27 +2,15 @@ let domain = "tube.giugl.io"; - - utilities = import ./utilities.nix { inherit lib config; }; - inherit (utilities) architectInterfaceAddress; in { - services = { - invidious = { - enable = true; - package = pkgs.unstablePkgs.invidious; - }; - - nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.invidious.port}"; }; - }; + services.invidious = { + enable = true; + package = pkgs.unstablePkgs.invidious; + }; + + architect.vhost.${domain} = { + dnsInterfaces = [ "lan" "tailscale" "wireguard" ]; + locations."/".port = config.services.invidious.port; }; - - networking.extraHosts = '' - ${architectInterfaceAddress "lan"} ${domain} - ${architectInterfaceAddress "wireguard"} ${domain} - ${architectInterfaceAddress "tailscale"} ${domain} - ''; } From b95afdd4710490fccaab7e9cda9bdcd61a634255 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 5 Jun 2023 04:54:30 +0200 Subject: [PATCH 59/62] libreddit: vhost --- hosts/architect/libreddit.nix | 28 ++++++++-------------------- 1 file changed, 8 insertions(+), 20 deletions(-) diff --git a/hosts/architect/libreddit.nix b/hosts/architect/libreddit.nix index 71c841b..c8313d3 100644 --- a/hosts/architect/libreddit.nix +++ b/hosts/architect/libreddit.nix 
@@ -2,27 +2,15 @@ let domain = "reddit.giugl.io"; - - utilities = import ./utilities.nix { inherit lib config; }; - inherit (utilities) architectInterfaceAddress; in { - services = { - libreddit = { - enable = true; - port = 9090; - }; - - nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.libreddit.port}"; }; - }; + services.libreddit = { + enable = true; + port = 9090; + }; + + architect.vhost.${domain} = { + dnsInterfaces = [ "lan" "tailscale" "wireguard" ]; + locations."/".port = config.services.libreddit.port; }; - - networking.extraHosts = '' - ${architectInterfaceAddress "lan"} ${domain} - ${architectInterfaceAddress "wireguard"} ${domain} - ${architectInterfaceAddress "tailscale"} ${domain} - ''; } From 1304289db613d382520089685d9581417cf663a3 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 5 Jun 2023 05:00:55 +0200 Subject: [PATCH 60/62] navidrome: commented out scripts. ported to vhost --- hosts/architect/navidrome.nix | 138 ++++++++++++++++------------------ 1 file changed, 64 insertions(+), 74 deletions(-) diff --git a/hosts/architect/navidrome.nix b/hosts/architect/navidrome.nix index ae3f660..753f059 100644 --- a/hosts/architect/navidrome.nix +++ b/hosts/architect/navidrome.nix 
@@ -1,91 +1,81 @@ -{ lib, pkgs, ... }: +{ config, lib, pkgs, ... }: let domain = "music.runas.rocks"; - network = import ./network.nix; library_path = "/media/Music"; beets_config = "/media/beets.conf"; - auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; in { - services = { - navidrome = { - enable = true; + services.navidrome = { + enable = true; - settings = { - MusicFolder = library_path; - LastFM.enable = true; - LastFM.ApiKey = "5cef5cb5f9d31326b97d0f929ca9cf20"; - LastFM.Secret = "d1296896126f4caae47407aecf080b25"; - Spotify.ID = "3900c029b4f34f3fb61d554dda64794d"; - Spotify.Secret = "d931ce5575a9401aa5ff8d37558cca0a"; - EnableGravatar = true; - LogLevel = "WARN"; - }; - }; - - nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:4533"; - }; - extraConfig = auth_block { access_role = "navidrome"; }; + settings = { + MusicFolder = library_path; + LastFM.enable = true; + LastFM.ApiKey = "5cef5cb5f9d31326b97d0f929ca9cf20"; + LastFM.Secret = "d1296896126f4caae47407aecf080b25"; + Spotify.ID = "3900c029b4f34f3fb61d554dda64794d"; + Spotify.Secret = "d931ce5575a9401aa5ff8d37558cca0a"; + EnableGravatar = true; + LogLevel = "WARN"; }; }; - systemd.services = { - "beets-update" = { - enable = true; - # requires = [ "remove-badmp3.service" "remove-badflac.service" ]; - before = [ "beets-import.service" ]; - serviceConfig = { - Type = "oneshot"; - ExecStart = "${pkgs.beets}/bin/beet -c ${beets_config} update"; - }; - }; - - "beets-import" = { - enable = true; - path = [ pkgs.imagemagick ]; - requires = [ "beets-update.service" ]; - after = [ "beets-update.service" ]; - serviceConfig = { - Type = "oneshot"; - ExecStart = - "${pkgs.beets}/bin/beet -c ${beets_config} import --flat -q ${library_path}"; - }; - startAt = "weekly"; - }; - - "remove-badmp3" = { - enable = true; - before = [ "beets-import.service" "beets-update.service" ]; - serviceConfig = { - Type = "oneshot"; - 
ExecStart = '' - ${pkgs.findutils}/bin/find ${library_path} -name "*.mp3" -type f -exec ${pkgs.bash}/bin/sh -c '${pkgs.mp3val}/bin/mp3val "{}" | grep -Pi error 1>/dev/null && ${pkgs.busybox}/bin/rm "{}"' \; - ''; - }; - }; - - "remove-badflac" = { - enable = true; - before = [ "beets-import.service" "beets-update.service" ]; - serviceConfig = { - Type = "oneshot"; - ExecStart = '' - ${pkgs.findutils}/bin/find ${library_path} -name "*.flac" -type f -exec ${pkgs.bash}/bin/sh -c '${pkgs.flac}/bin/flac -st "{}" || ${pkgs.busybox}/bin/rm "{}"' \; - ''; - }; + architect.vhost.${domain} = { + dnsInterfaces = [ "lan" "tailscale" "wireguard" ]; + locations."/" = { + port = 4533; + allowLan = true; + allow = [ config.architect.networks."tailscale".net ]; }; }; - networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} - ''; + # systemd.services = { + # "beets-update" = { + # enable = true; + # # requires = [ "remove-badmp3.service" "remove-badflac.service" ]; + # before = [ "beets-import.service" ]; + # serviceConfig = { + # Type = "oneshot"; + # ExecStart = "${pkgs.beets}/bin/beet -c ${beets_config} update"; + # }; + # }; + + # "beets-import" = { + # enable = true; + # path = [ pkgs.imagemagick ]; + # requires = [ "beets-update.service" ]; + # after = [ "beets-update.service" ]; + # serviceConfig = { + # Type = "oneshot"; + # ExecStart = + # "${pkgs.beets}/bin/beet -c ${beets_config} import --flat -q ${library_path}"; + # }; + # startAt = "weekly"; + # }; + + # "remove-badmp3" = { + # enable = true; + # before = [ "beets-import.service" "beets-update.service" ]; + # serviceConfig = { + # Type = "oneshot"; + # ExecStart = '' + # ${pkgs.findutils}/bin/find ${library_path} -name "*.mp3" -type f -exec ${pkgs.bash}/bin/sh -c '${pkgs.mp3val}/bin/mp3val "{}" | grep -Pi error 1>/dev/null && ${pkgs.busybox}/bin/rm "{}"' \; + # ''; + # }; + # }; + + # "remove-badflac" = { + # enable = true; + # before = [ 
"beets-import.service" "beets-update.service" ]; + # serviceConfig = { + # Type = "oneshot"; + # ExecStart = '' + # ${pkgs.findutils}/bin/find ${library_path} -name "*.flac" -type f -exec ${pkgs.bash}/bin/sh -c '${pkgs.flac}/bin/flac -st "{}" || ${pkgs.busybox}/bin/rm "{}"' \; + # ''; + # }; + # }; + # }; users.groups.media.members = [ "navidrome" ]; } From cba8f451d62d518186b5b5a70cc115910e03776d Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Tue, 6 Jun 2023 22:32:02 +0200 Subject: [PATCH 61/62] librephotos: add module --- hosts/architect/librephotos.nix | 82 +++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) create mode 100644 hosts/architect/librephotos.nix diff --git a/hosts/architect/librephotos.nix b/hosts/architect/librephotos.nix new file mode 100644 index 0000000..82d933e --- /dev/null +++ b/hosts/architect/librephotos.nix 
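Review bot: The port to `architect.vhost` drops `extraConfig = auth_block { access_role = "navidrome"; };`, so the OpenID gate that previously sat in front of this vhost is gone and access is now governed only by the `allowLan`/`allow` network rules plus Navidrome's own login; the commit message does not mention this, so either restore the equivalent (if `architect.vhost` has no such option yet, that is the missing piece) or record the decision in a comment on the vhost block, e.g. `# OIDC gate removed on purpose: network allow-list + Navidrome auth only`. The `LastFM.ApiKey`/`LastFM.Secret` and `Spotify.ID`/`Spotify.Secret` values are re-added as literals in `settings`, which places them in the world-readable Nix store; the other modules in this series keep secrets under `/secrets/...`, and a file-based mechanism would fit here too. `beets_config` is now referenced only from the commented-out `systemd.services` block and can be removed together with it, since git keeps the history.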
@@ -0,0 +1,82 @@
+{ config, lib, ... }:
+
+let
+ domain = "photos.giugl.io";
+ backendPort = 8001;
+ frontendPort = 3000;
+in
+{
+ architect.vhost.${domain} = {
+ dnsInterfaces = [ "tailscale" ];
+
+ locations."/" = {
+ host = "172.17.0.1";
+ port = frontendPort;
+ # allowLan = true;
+ # allow = [ config.architect.networks."tailscale".net ];
+ };
+
+ locations."~ ^/(api|media)/" = {
+ host = "172.17.0.1";
+ port = backendPort;
+ # allowLan = true;
+ # allow = [ config.architect.networks."tailscale".net ];
+ };
+
+ locations."/ws" = {
+ host = "172.17.0.1";
+ port = backendPort;
+ proxyWebsockets = true;
+ # allowLan = true;
+ # allow = [ config.architect.networks."tailscale".net ];
+ };
+ };
+
+ services.redis.servers."librephotos" = {
+ enable = true;
+ port = 1233;
+ bind = "172.17.0.1";
+ extraParams = [ "--protected-mode no" ];
+ };
+
+ virtualisation.oci-containers = {
+ containers = {
+ librephotos-front = {
+ image = "reallibrephotos/librephotos-frontend:latest";
+ autoStart = true;
+ ports = [
+ "172.17.0.1:${toString frontendPort}:${toString frontendPort}"
+ ];
+ };
+
+ librephotos-back = {
+ image = "reallibrephotos/librephotos:latest";
+ autoStart = true;
+
+ ports = [
+ "172.17.0.1:${toString backendPort}:${toString backendPort}"
+ ];
+
+ environment = {
+ SECRET_KEY = "LOLOL";
+ BACKEND_HOST = domain;
+ ADMIN_EMAIL = "me@giugl.io";
+ ADMIN_USERNAME = "giulio";
+ ADMIN_PASSWORD = "giulio";
+ ALLOWED_HOSTS = domain;
+ DB_BACKEND = "mysql";
+ DB_NAME = "librephotos";
+ DB_USER = "librephotos";
+ DB_PASS = "librephotos";
+ DB_HOST = "172.17.0.1";
+ DB_PORT = toString config.services.mysql.settings.mysqld.port;
+ REDIS_HOST = "172.17.0.1";
+ REDIS_PORT = toString config.services.redis.servers."librephotos".port;
+ MAPBOX_API_KEY = "SOME_KEY";
+ WEB_CONCURRENCY = "24";
+ DEBUG = "0";
+ };
+ };
+ };
+ };
+}
From 127bcfa2f581512a921821a06cd9326a4634d962 Mon Sep 17 00:00:00 2001
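Review bot: Every credential the backend needs is a literal in `environment` — `SECRET_KEY = "LOLOL"`, `ADMIN_PASSWORD = "giulio"`, `DB_PASS = "librephotos"`, `MAPBOX_API_KEY = "SOME_KEY"` — so they end up both in the world-readable Nix store and in the container's environment, and a placeholder `SECRET_KEY` means sessions are signed with a guessable key. The Redis server is bound to the bridge address `172.17.0.1` with `--protected-mode no` and no password, which, combined with the input-chain rule for the docker interface added earlier in this series, makes it reachable unauthenticated from every container on the bridge; the database on `DB_HOST` with `DB_PASS = "librephotos"` is in the same position. Both images are pulled by `:latest`, so what actually runs changes on every pull without any change in this repository. Move the secrets into a root-only file loaded via `environmentFiles`, give Redis a `requirePassFile` (the backend then needs the matching Redis credential in that file; its variable name is not visible here), and pin the images.

```nix
  services.redis.servers."librephotos" = {
    enable = true;
    port = 1233;
    bind = "172.17.0.1";
    # Reachable from every container on the bridge: keep protected mode and require a password.
    requirePassFile = "/secrets/librephotos/redis-pass";  # placeholder path
  };

  # … unchanged: virtualisation.oci-containers.containers.librephotos-front (pin its tag as well) …

      librephotos-back = {
        image = "reallibrephotos/librephotos:<pinned tag or digest>";  # placeholder
        autoStart = true;
        ports = [ "172.17.0.1:${toString backendPort}:${toString backendPort}" ];
        # SECRET_KEY, ADMIN_PASSWORD, DB_PASS, MAPBOX_API_KEY and the Redis credential live here, root-only.
        environmentFiles = [ "/secrets/librephotos/env" ];  # placeholder path
        environment = {
          BACKEND_HOST = domain;
          # … unchanged: non-secret settings (ADMIN_EMAIL, ADMIN_USERNAME, ALLOWED_HOSTS, DB_BACKEND/NAME/USER/HOST/PORT, REDIS_HOST/PORT, WEB_CONCURRENCY, DEBUG) …
        };
      };
```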
From: Giulio De Pasquale Date: Tue, 6 Jun 2023 22:32:15 +0200 Subject: [PATCH 62/62] Update lock --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 4d05361..86d414f 100644 --- a/flake.lock +++ b/flake.lock @@ -23,11 +23,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1685564631, - "narHash": "sha256-8ywr3AkblY4++3lIVxmrWZFzac7+f32ZEhH/A8pNscI=", + "lastModified": 1685931219, + "narHash": "sha256-8EWeOZ6LKQfgAjB/USffUSELPRjw88A+xTcXnOUvO5M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4f53efe34b3a8877ac923b9350c874e3dcd5dc0a", + "rev": "7409480d5c8584a1a83c422530419efe4afb0d19", "type": "github" }, "original": { @@ -39,11 +39,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1685645444, - "narHash": "sha256-FEuVrowBDU8D+Vt1oqN6j18g/vDvU13WVruTaMjzb8w=", + "lastModified": 1686059680, + "narHash": "sha256-sp0WlCIeVczzB0G8f8iyRg3IYW7KG31mI66z7HIZwrI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ce3e618cd3b9792d898b76126c36e6ac50b680e1", + "rev": "a558f7ac29f50c4b937fb5c102f587678ae1c9fb", "type": "github" }, "original": {