diff --git a/flake.lock b/flake.lock
index 8fe4a37..e2a8730 100644
--- a/flake.lock
+++ b/flake.lock
@@ -16,39 +16,39 @@
 },
 "original": {
 "owner": "nix-community",
- "ref": "master",
+ "ref": "release-23.05",
 "repo": "home-manager",
 "type": "github"
 }
 },
 "nixos-unstable": {
 "locked": {
- "lastModified": 1684171979,
- "narHash": "sha256-KfIpmlqCCtY/T8mWQOkucv4LrYAgIXho6QJOwl2md3g=",
+ "lastModified": 1685168767,
+ "narHash": "sha256-wQgnxz0PdqbyKKpsWl/RU8T8QhJQcHfeC6lh1xRUTfk=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "10092e14180fdff037aea3a14ad3faeaf6950ac1",
+ "rev": "e10802309bf9ae351eb27002c85cfdeb1be3b262",
 "type": "github"
 },
 "original": {
 "owner": "NixOS",
- "ref": "master",
+ "ref": "nixos-unstable",
 "repo": "nixpkgs",
 "type": "github"
 }
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1685004253,
- "narHash": "sha256-AbVL1nN/TDicUQ5wXZ8xdLERxz/eJr7+o8lqkIOVuaE=",
+ "lastModified": 1685302407,
+ "narHash": "sha256-GaH2fAOQOSJehr085tMNaE2LPTbVRI7burGZUVeSfmQ=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "3e01645c40b92d29f3ae76344a6d654986a91a91",
+ "rev": "b2ea8027e4d43b652293448eeafe564b53ca2a94",
 "type": "github"
 },
 "original": {
 "owner": "NixOS",
- "ref": "nixos-23.05",
+ "ref": "release-23.05",
 "repo": "nixpkgs",
 "type": "github"
 }
diff --git a/flake.nix b/flake.nix
index 90c5aca..6701a83 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,9 +1,9 @@
 {
 inputs = {
- nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";
- nixos-unstable.url = "github:NixOS/nixpkgs/master";
+ nixpkgs.url = "github:NixOS/nixpkgs/release-23.05";
+ nixos-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
 home-manager = {
- url = "github:nix-community/home-manager/master";
+ url = "github:nix-community/home-manager/release-23.05";
 inputs.nixpkgs.follows = "nixpkgs";
 };
 };
@@ -30,6 +30,10 @@
 inherit system;
 config.allowUnfree = true;
+
+ config.permittedInsecurePackages = [
+ "openssl-1.1.1t"
+ ];
 };
 wrapUtils = { pkgs, unstablePkgs, system }:
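Review bot: `config.permittedInsecurePackages = [ "openssl-1.1.1t" ]` re-enables a derivation that nixpkgs refuses to evaluate by default because it carries `knownVulnerabilities`, and nothing in the hunk records which package still needs it or when the exception can go. Because it sits in the shared `import nixpkgs { ... }` call next to `allowUnfree`, the allowance applies to every host built from this flake rather than only the one with the dependency. Add a comment naming the consumer and the exit condition, e.g. `# needed by <package> until it builds against openssl 3; drop once that lands`, and prefer scoping it to that host's configuration. The exact version string is the right choice: a nixpkgs bump to a newer 1.1.1 build will fail evaluation instead of silently extending the exception. The attribute set these lines belong to opens before the hunk.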
diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix
index 1cc767e..6d2ec6d 100644
--- a/hosts/architect/default.nix
+++ b/hosts/architect/default.nix
@@ -30,7 +30,7 @@ in
 ./minecraft.nix
 ./prowlarr.nix
 ./libreddit.nix
- # ./invidious.nix
+ ./invidious.nix
 # ./lidarr.nix
 # ./navidrome.nix
 ./jellyfin.nix
@@ -155,10 +155,10 @@ in
 enable = true;
 settings = {
- passwordAuthentication = false;
- kbdInteractiveAuthentication = false;
-
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
 };
+
 extraConfig = ''
 MaxAuthTries 15
 '';
diff --git a/hosts/architect/dns.nix b/hosts/architect/dns.nix
index 5d667a8..99507ab 100644
--- a/hosts/architect/dns.nix
+++ b/hosts/architect/dns.nix
@@ -1,18 +1,40 @@
 { config, pkgs, lib, ... }:
+let
+ adguard_dns_port = 5300;
+ domain = "adguard.architect.devs.giugl.io";
+
+ utilities = import ./utilities.nix { inherit lib config; };
+ inherit (utilities) architectInterfaceAddress;
+in
 {
 architect.firewall.openUDPVPN = [ 53 ];
+ networking.extraHosts = ''
+ ${architectInterfaceAddress "lan"} ${domain}
+ ${architectInterfaceAddress "wireguard"} ${domain}
+ ${architectInterfaceAddress "tailscale"} ${domain}
+ '';
+
 services = {
+ nginx.virtualHosts.${domain} = {
+ forceSSL = true;
+ enableACME = true;
+ extraConfig = ''
+ allow ${config.architect.networks.lan.net};
+ allow ${config.architect.networks.tailscale.net};
+ deny all;
+ '';
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.adguardhome.settings.bind_port}";
+ };
+ };
+
 dnsmasq = {
 enable = true;
 settings = {
- server = [
- "45.90.28.77"
- "45.90.30.77"
- "2a07:a8c0::d6:5174"
- "2a07:a8c1::d6:5174"
- ];
+ server = [ "127.0.0.1#${toString config.services.adguardhome.settings.dns.port}" ];
 localise-queries = true;
 min-cache-ttl = 120;
 max-cache-ttl = 2400;
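Review bot: `MaxAuthTries 15` in the new `extraConfig` more than doubles sshd's default of 6 with no comment saying why; with `PasswordAuthentication` and `KbdInteractiveAuthentication` both `false` in the same hunk, the extra attempts only serve clients whose agent offers many keys, so say so, e.g. `# raised from the default 6 so agents holding many keys are not cut off before the right one`. `services.openssh.settings` is freeform in 23.05, so the value could also move next to the two renamed options as `MaxAuthTries = 15;` and the `extraConfig` string be dropped, keeping all sshd tuning in one typed place. The enclosing block (presumably `services.openssh`, inferred from `enable = true;` and `settings = {`) opens before the hunk.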
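Review bot: The nginx `extraConfig` allows `lan.net` and `tailscale.net` and then `deny all`, yet the `networking.extraHosts` block in the same hunk also maps the domain to the `wireguard` interface address, so WireGuard peers resolve the name only to get a 403; add `allow ${config.architect.networks.wireguard.net};` or drop that hosts line. A server-level `deny all` is also inherited by the `/.well-known/acme-challenge` location that `enableACME = true` generates, and roles/acme.nix in this diff sets only an email with no DNS provider, which suggests HTTP-01 — if so the validators will be denied too, so either confirm DNS-01 is in use or move the allow/deny into `locations."/".extraConfig`. The new `let` also binds `adguard_dns_port = 5300` but nothing in the hunk reads it; `config.services.adguardhome.settings.dns.port` is used instead, so one of the two should go.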
@@ -24,5 +46,19 @@
 ];
 };
 };
+
+ adguardhome = {
+ enable = true;
+ settings = {
+ bind_port = 5353;
+ dns = {
+ port = 5300;
+ };
+ upstream_dns = [
+ "tls://architect.d65174.dns.nextdns.io"
+ "https://dns.nextdns.io/d65174/architect"
+ ];
+ };
+ };
 };
 }
diff --git a/hosts/architect/headscale.nix b/hosts/architect/headscale.nix
index 1fe0f3b..265bc6a 100644
--- a/hosts/architect/headscale.nix
+++ b/hosts/architect/headscale.nix
@@ -8,12 +8,10 @@ in
 openUDP = [ config.services.tailscale.port ];
 };
- environment.systemPackages = [ pkgs.unstablePkgs.headscale ];
-
 services = {
 headscale = {
 enable = true;
- package = pkgs.headscale;
+ package = pkgs.unstablePkgs.headscale;
 port = 1194;
 address = "0.0.0.0";
diff --git a/hosts/architect/invidious.nix b/hosts/architect/invidious.nix
index 9dcfbf8..3f0e451 100644
--- a/hosts/architect/invidious.nix
+++ b/hosts/architect/invidious.nix
@@ -1,27 +1,28 @@
-{ lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 let
 domain = "tube.giugl.io";
- network = import ./network.nix;
+
+ utilities = import ./utilities.nix { inherit lib config; };
+ inherit (utilities) architectInterfaceAddress;
 in
 {
 services = {
 invidious = {
 enable = true;
- port = 9092;
 package = pkgs.unstablePkgs.invidious;
 };
 nginx.virtualHosts.${domain} = {
 forceSSL = true;
 enableACME = true;
- locations."/" = { proxyPass = "http://127.0.0.1:9092"; };
+ locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.invidious.port}"; };
 };
 };
 networking.extraHosts = ''
- ${network.architect-lan} ${domain}
- ${network.architect-wg} ${domain}
- ${network.architect-ts} ${domain}
+ ${architectInterfaceAddress "lan"} ${domain}
+ ${architectInterfaceAddress "wireguard"} ${domain}
+ ${architectInterfaceAddress "tailscale"} ${domain}
 '';
 }
diff --git a/hosts/architect/tailscale.nix b/hosts/architect/tailscale.nix
index 77692ad..de3dc13 100644
--- a/hosts/architect/tailscale.nix
+++ b/hosts/architect/tailscale.nix
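Review bot: `upstream_dns` is written as a sibling of `dns = { port = 5300; }`, but AdGuard Home reads its upstream list from `dns.upstream_dns`; at the top level the key would presumably be ignored and the resolver keep AdGuard's built-in default upstreams instead of the NextDNS endpoints — check the generated AdGuardHome.yaml and nest it as `dns = { port = 5300; upstream_dns = [ ... ]; };`. The literal `5300` duplicates the `adguard_dns_port` binding this file's new `let` declares, so `port = adguard_dns_port;` keeps them from drifting. The hunk sets no `bind_host`, so unless the module defaults it to loopback the admin UI on 5353 is reachable directly and bypasses the nginx allow/deny that fronts it; `bind_host = "127.0.0.1";` would close that, and the same question applies to the DNS listener on 5300 that dnsmasq reaches via 127.0.0.1. The enclosing `services = {` set opens before the hunk.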
@@ -30,7 +30,7 @@ in
 tailscale = {
 enable = true;
 interfaceName = config.architect.networks.tailscale.interface;
- package = pkgs.tailscale;
+ package = pkgs.unstablePkgs.tailscale;
 };
 };
diff --git a/lib/host.nix b/lib/host.nix
index 7ec6ed9..816eede 100644
--- a/lib/host.nix
+++ b/lib/host.nix
@@ -27,13 +27,15 @@
 modules = [
 {
- imports = users_mod ++ roles_mod ++ add_imports ++ [
+ imports = users_mod ++
+ roles_mod ++
+ add_imports ++ [
 (mkSysRole "common")
 (mkSysRole "acme")
+ (mkUser { name = "root"; roles = [ ]; })
 ];
 home-manager = {
- users.root.imports = [ (mkHomeRole "common") ];
 extraSpecialArgs.unstablePkgs = unstablePkgs;
 useGlobalPkgs = true;
 };
diff --git a/lib/user.nix b/lib/user.nix
index 5d4f62f..16382ee 100644
--- a/lib/user.nix
+++ b/lib/user.nix
@@ -6,20 +6,26 @@
 roles_mod = (map (r: mkHomeRole r) roles);
 in
 {
- users.groups.plugdev = { };
-
 fileSystems."/home/${name}/Downloads" = {
 device = "tmpfs";
 fsType = "tmpfs";
 options = [ "size=3G" ];
 };
- users.users.${name} = {
- isNormalUser = true;
- extraGroups = [ "wheel" "plugdev" ];
+ users = {
+ users.${name} = {
+ isNormalUser = name != "root";
+ extraGroups = [ "wheel" "plugdev" ];
+ shell = pkgs.zsh;
+ };
 };
- home-manager.users.${name}.imports = [ (mkHomeRole "common") ] ++ roles_mod;
+ programs.zsh.enable = true;
+
+ home-manager.users.${name}.imports = [
+ (mkHomeRole "common")
+ (mkHomeRole "zsh")
+ ] ++ roles_mod;
 };
 mkHMUser = { name, roles ? [ ] }:
diff --git a/roles/acme.nix b/roles/acme.nix
index d23825a..bd22485 100644
--- a/roles/acme.nix
+++ b/roles/acme.nix
@@ -1,10 +1,10 @@
-{ ... }:
+{ options, lib, config, ... }:
 {
- security.acme = {
+ config.security.acme = {
 acceptTerms = true;
 defaults = {
- email = "sysadmin@giugl.io";
+ email = "letsencrypt@depasquale.giugl.io";
 };
 };
 }
diff --git a/roles/home/helix.nix b/roles/home/helix.nix
index cb90d35..c2d0772 100644
--- a/roles/home/helix.nix
+++ b/roles/home/helix.nix
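Review bot: Now that lib/host.nix in this diff routes `root` through `mkUser`, the unchanged `fileSystems."/home/${name}/Downloads"` context line declares a 3G tmpfs at `/home/root/Downloads`, a path that does not correspond to root's `/root` home, and the new `extraGroups = [ "wheel" "plugdev" ]` and `shell = pkgs.zsh` are applied to the root account as well. `isNormalUser = name != "root"` shows the intent to special-case root, but nothing else in the hunk follows it; assuming `lib` is in scope, guard the mount with `fileSystems = lib.mkIf (name != "root") { ... };` and the groups with `extraGroups = lib.optionals (name != "root") [ "wheel" "plugdev" ];`, or derive the mount path from `config.users.users.${name}.home`. The `users.groups.plugdev` declaration is removed here while `"plugdev"` is still listed in `extraGroups`, so confirm the group is declared elsewhere or evaluation will fail on the dangling reference. The `mkUser` function header is outside the hunk.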
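Review bot: The new argument set `{ options, lib, config, ... }:` binds three names the body never reads — writing `config.security.acme = ...` needs neither the `config` argument nor `options`, and `lib` is unused as well — so the old `{ ... }:` was sufficient, or keep only the one a follow-up change will use. The `config.` prefix on the attribute is only required alongside an `options = { ... };` declaration in the same module; without one it is harmless but reads as if option declarations were meant to follow, so either add them or drop the prefix. The email change itself is routine.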
@@ -118,7 +118,6 @@
 nodePackages.vscode-langservers-extracted
 nodePackages.typescript
 nodePackages.svelte-language-server
-# swiProlog
 nixpkgs-fmt
 ];
 };