tanta roba

flake.lock

@@ -16,39 +16,39 @@
       },
       "original": {
         "owner": "nix-community",
-        "ref": "master",
+        "ref": "release-23.05",
         "repo": "home-manager",
         "type": "github"
       }
     },
     "nixos-unstable": {
       "locked": {
-        "lastModified": 1684171979,
+        "lastModified": 1685168767,
-        "narHash": "sha256-KfIpmlqCCtY/T8mWQOkucv4LrYAgIXho6QJOwl2md3g=",
+        "narHash": "sha256-wQgnxz0PdqbyKKpsWl/RU8T8QhJQcHfeC6lh1xRUTfk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "10092e14180fdff037aea3a14ad3faeaf6950ac1",
+        "rev": "e10802309bf9ae351eb27002c85cfdeb1be3b262",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "master",
+        "ref": "nixos-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1685004253,
+        "lastModified": 1685302407,
-        "narHash": "sha256-AbVL1nN/TDicUQ5wXZ8xdLERxz/eJr7+o8lqkIOVuaE=",
+        "narHash": "sha256-GaH2fAOQOSJehr085tMNaE2LPTbVRI7burGZUVeSfmQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "3e01645c40b92d29f3ae76344a6d654986a91a91",
+        "rev": "b2ea8027e4d43b652293448eeafe564b53ca2a94",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-23.05",
+        "ref": "release-23.05",
         "repo": "nixpkgs",
         "type": "github"
       }

flake.nix

@@ -1,9 +1,9 @@
 {
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/release-23.05";
-    nixos-unstable.url = "github:NixOS/nixpkgs/master";
+    nixos-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
     home-manager = {
-      url = "github:nix-community/home-manager/master";
+      url = "github:nix-community/home-manager/release-23.05";
       inputs.nixpkgs.follows = "nixpkgs";
     };
   };
@@ -30,6 +30,10 @@
           inherit system;
 
           config.allowUnfree = true;
+
+          config.permittedInsecurePackages = [
+            "openssl-1.1.1t"
+          ];
         };
 
       wrapUtils = { pkgs, unstablePkgs, system }:

hosts/architect/default.nix

@@ -30,7 +30,7 @@ in
     ./minecraft.nix
     ./prowlarr.nix
     ./libreddit.nix
-    #    ./invidious.nix
+    ./invidious.nix
     #    ./lidarr.nix
     #    ./navidrome.nix
     ./jellyfin.nix
@@ -155,10 +155,10 @@ in
       enable = true;
 
       settings = {
-        passwordAuthentication = false;
+        PasswordAuthentication = false;
-        kbdInteractiveAuthentication = false;
+        KbdInteractiveAuthentication = false;
-
       };
+
       extraConfig = ''
         MaxAuthTries 15
       '';

hosts/architect/dns.nix

@@ -1,18 +1,40 @@
 { config, pkgs, lib, ... }:
 
+let
+  adguard_dns_port = 5300;
+  domain = "adguard.architect.devs.giugl.io";
+
+  utilities = import ./utilities.nix { inherit lib config; };
+  inherit (utilities) architectInterfaceAddress;
+in
 {
   architect.firewall.openUDPVPN = [ 53 ];
 
+  networking.extraHosts = ''
+    ${architectInterfaceAddress "lan"} ${domain}
+    ${architectInterfaceAddress "wireguard"} ${domain}
+    ${architectInterfaceAddress "tailscale"} ${domain}
+  '';
+
   services = {
+    nginx.virtualHosts.${domain} = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        allow ${config.architect.networks.lan.net};
+        allow ${config.architect.networks.tailscale.net};
+        deny all;
+      '';
+
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString config.services.adguardhome.settings.bind_port}";
+      };
+    };
+
     dnsmasq = {
       enable = true;
       settings = {
-        server = [
+        server = [ "127.0.0.1#${toString config.services.adguardhome.settings.dns.port}" ];
-          "45.90.28.77"
-          "45.90.30.77"
-          "2a07:a8c0::d6:5174"
-          "2a07:a8c1::d6:5174"
-        ];
         localise-queries = true;
         min-cache-ttl = 120;
         max-cache-ttl = 2400;
@@ -24,5 +46,19 @@
         ];
       };
     };
+
+    adguardhome = {
+      enable = true;
+      settings = {
+        bind_port = 5353;
+        dns = {
+          port = 5300;
+        };
+        upstream_dns = [
+          "tls://architect.d65174.dns.nextdns.io"
+          "https://dns.nextdns.io/d65174/architect"
+        ];
+      };
+    };
   };
 }

hosts/architect/headscale.nix

@@ -8,12 +8,10 @@ in
     openUDP = [ config.services.tailscale.port ];
   };
 
-  environment.systemPackages = [ pkgs.unstablePkgs.headscale ];
-
   services = {
     headscale = {
       enable = true;
-      package = pkgs.headscale;
+      package = pkgs.unstablePkgs.headscale;
       port = 1194;
       address = "0.0.0.0";
 

hosts/architect/invidious.nix

@@ -1,27 +1,28 @@
-{ lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 
 let
   domain = "tube.giugl.io";
-  network = import ./network.nix;
+
+  utilities = import ./utilities.nix { inherit lib config; };
+  inherit (utilities) architectInterfaceAddress;
 in
 {
   services = {
     invidious = {
       enable = true;
-      port = 9092;
       package = pkgs.unstablePkgs.invidious;
     };
 
     nginx.virtualHosts.${domain} = {
       forceSSL = true;
       enableACME = true;
-      locations."/" = { proxyPass = "http://127.0.0.1:9092"; };
+      locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.invidious.port}"; };
     };
   };
 
   networking.extraHosts = ''
-    ${network.architect-lan} ${domain}
+    ${architectInterfaceAddress "lan"} ${domain}
-    ${network.architect-wg} ${domain}
+    ${architectInterfaceAddress "wireguard"} ${domain}
-    ${network.architect-ts} ${domain}
+    ${architectInterfaceAddress "tailscale"} ${domain}
   '';
 }

hosts/architect/tailscale.nix

@@ -30,7 +30,7 @@ in
     tailscale = {
       enable = true;
       interfaceName = config.architect.networks.tailscale.interface;
-      package = pkgs.tailscale;
+      package = pkgs.unstablePkgs.tailscale;
     };
   };
 

lib/host.nix

@@ -27,13 +27,15 @@
 
       modules = [
         {
-          imports = users_mod ++ roles_mod ++ add_imports ++ [
+          imports = users_mod ++
+            roles_mod ++
+            add_imports ++ [
             (mkSysRole "common")
             (mkSysRole "acme")
+            (mkUser { name = "root"; roles = [ ]; })
           ];
 
           home-manager = {
-            users.root.imports = [ (mkHomeRole "common") ];
             extraSpecialArgs.unstablePkgs = unstablePkgs;
             useGlobalPkgs = true;
           };

lib/user.nix

@@ -6,20 +6,26 @@
       roles_mod = (map (r: mkHomeRole r) roles);
     in
     {
-      users.groups.plugdev = { };
-
       fileSystems."/home/${name}/Downloads" = {
         device = "tmpfs";
         fsType = "tmpfs";
         options = [ "size=3G" ];
       };
 
-      users.users.${name} = {
+      users = {
-        isNormalUser = true;
+        users.${name} = {
+          isNormalUser = name != "root";
           extraGroups = [ "wheel" "plugdev" ];
+          shell = pkgs.zsh;
+        };
       };
 
-      home-manager.users.${name}.imports = [ (mkHomeRole "common") ] ++ roles_mod;
+      programs.zsh.enable = true;
+
+      home-manager.users.${name}.imports = [
+        (mkHomeRole "common")
+        (mkHomeRole "zsh")
+      ] ++ roles_mod;
     };
 
   mkHMUser = { name, roles ? [ ] }:

roles/acme.nix

@@ -1,10 +1,10 @@
-{ ... }:
+{ options, lib, config, ... }:
 
 {
-  security.acme = {
+  config.security.acme = {
     acceptTerms = true;
     defaults = {
-      email = "sysadmin@giugl.io";
+      email = "letsencrypt@depasquale.giugl.io";
     };
   };
 }

roles/home/helix.nix

@@ -118,7 +118,6 @@
       nodePackages.vscode-langservers-extracted
       nodePackages.typescript
       nodePackages.svelte-language-server
-#      swiProlog
       nixpkgs-fmt
     ];
   };