

10 Commits

Author SHA1 Message Date
Giulio De Pasquale
190bff3ac0 helix: remove completion-replace 2023-11-16 13:32:40 +01:00
Giulio De Pasquale
e715a7bf3c gitea: allow WAN traffic 2023-11-16 13:28:06 +01:00
Giulio De Pasquale
5eb5613d71 invidious: allow WAN 2023-11-16 13:27:33 +01:00
Giulio De Pasquale
cb3fe8f147 architect: enabled LLM 2023-11-16 13:26:06 +01:00
Giulio De Pasquale
b2cf092f78 architect: added LLM module 2023-11-16 13:25:58 +01:00
Giulio De Pasquale
0da9f7ab9d architect: add allowWAN option, correctly blocking WAN traffic 2023-11-16 13:25:43 +01:00
Giulio De Pasquale
03939c0061 architect: re-enable searxng 2023-10-29 16:16:08 +01:00
Giulio De Pasquale
269e736f47 sonarr: changed port to 8989 2023-10-21 15:12:01 +02:00
Giulio De Pasquale
a66b5edf78 flake: update lock 2023-10-21 15:01:06 +02:00
Giulio De Pasquale
5d93c40c8f architect: removed wireguard 2023-10-21 15:00:58 +02:00
31 changed files with 106 additions and 327 deletions

flake.lock generated

@ -23,11 +23,11 @@
}, },
"nixos-unstable": { "nixos-unstable": {
"locked": { "locked": {
"lastModified": 1696019113, "lastModified": 1697723726,
"narHash": "sha256-X3+DKYWJm93DRSdC5M6K5hLqzSya9BjibtBsuARoPco=", "narHash": "sha256-SaTWPkI8a5xSHX/rrKzUe+/uVNy6zCGMXgoeMb7T9rg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "f5892ddac112a1e9b3612c39af1b72987ee5783a", "rev": "7c9cc5a6e5d38010801741ac830a3f8fd667a7a0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -39,11 +39,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1696275639, "lastModified": 1697891198,
"narHash": "sha256-3zShVFShYM2/n4p3Y2hzTzIE0zjR6/G1sDXo4awMR/w=", "narHash": "sha256-ckL4NDWuZaxu+sMUPze98xQCdMUm+Q11Yb7DFasE/7E=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "cb1f8c37d44052b9fd2b6bd208ec4dbbe068cced", "rev": "8643a0aff085eb3fbb27cb30c0e1af9585168fcb",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -10,13 +10,12 @@ in
}; };
architect.vhost.${domain} = with config.architect.networks; { architect.vhost.${domain} = with config.architect.networks; {
dnsInterfaces = [ "wireguard" "tailscale" ]; dnsInterfaces = [ "tailscale" ];
locations."/" = { locations."/" = {
allowLan = true; allowLan = true;
port = 6767; port = 6767;
allow = [ allow = [
wireguard.net
tailscale.net tailscale.net
]; ];
}; };


@ -3,7 +3,7 @@
let let
domain = "books.giugl.io"; domain = "books.giugl.io";
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; }; utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress; inherit (utilities) architectInterfaceAddress;
in in
@ -32,7 +32,6 @@ in
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';


@ -22,7 +22,6 @@ in
./bazarr.nix ./bazarr.nix
./nzbget.nix ./nzbget.nix
./nextcloud.nix ./nextcloud.nix
./wireguard.nix
./minio.nix ./minio.nix
./matrix.nix ./matrix.nix
./fail2ban.nix ./fail2ban.nix
@ -41,9 +40,10 @@ in
./keycloak.nix ./keycloak.nix
# ./runas.nix # ./runas.nix
./tailscale.nix ./tailscale.nix
# ./searx.nix ./searx.nix
./plex.nix ./plex.nix
./headscale.nix ./headscale.nix
./llm.nix
]; ];
architect = { architect = {


@ -39,14 +39,13 @@ in
}; };
architect.vhost.${domain} = with config.architect.networks; { architect.vhost.${domain} = with config.architect.networks; {
dnsInterfaces = [ "lan" "wireguard" "tailscale" ]; dnsInterfaces = [ "lan" "tailscale" ];
locations = { locations = {
"/" = { "/" = {
allowLan = true; allowLan = true;
port = 8112; port = 8112;
allow = [ allow = [
wireguard.net
tailscale.net tailscale.net
]; ];
}; };


@ -8,7 +8,7 @@ in
firewall.openUDPVPN = [ 53 ]; firewall.openUDPVPN = [ 53 ];
vhost.${domain} = { vhost.${domain} = {
dnsInterfaces = [ "lan" "tailscale" "wireguard" ]; dnsInterfaces = [ "lan" "tailscale" ];
locations."/" = with config; { locations."/" = with config; {
port = services.adguardhome.settings.bind_port; port = services.adguardhome.settings.bind_port;


@ -16,23 +16,6 @@ let
(deviceAddress "tailscale" "kmerr") (deviceAddress "tailscale" "kmerr")
(deviceAddress "tailscale" "chuck") (deviceAddress "tailscale" "chuck")
]; ];
wireguardToWAN = [
(deviceAddress "wireguard" "shield")
(deviceAddress "wireguard" "parina")
(deviceAddress "wireguard" "parina-ipad")
(deviceAddress "wireguard" "germano")
];
frameccaDevices = [
(deviceAddress "wireguard" "framecca")
(deviceAddress "wireguard" "framecca_one")
(deviceAddress "wireguard" "framecca_two")
(deviceAddress "wireguard" "framecca_three")
(deviceAddress "wireguard" "framecca_four")
];
clientToClientWireguard = frameccaDevices;
in in
{ {
networking = { networking = {
@ -71,9 +54,6 @@ in
chain POSTROUTING { chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept; type nat hook postrouting priority srcnat; policy accept;
oifname ${lan.interface} ip saddr {${
lib.concatStringsSep "," wireguardToWAN
}} masquerade
oifname ${lan.interface} ip saddr ${docker.net} masquerade oifname ${lan.interface} ip saddr ${docker.net} masquerade
oifname ${lan.interface} ip saddr ${tailscale.net} masquerade oifname ${lan.interface} ip saddr ${tailscale.net} masquerade
} }
@ -85,10 +65,8 @@ in
ct state invalid,untracked drop comment "drop invalid" ct state invalid,untracked drop comment "drop invalid"
ip daddr 255.255.255.255 accept comment "allow broadcast traffic" ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
iifname ${lan.interface} ip saddr ${wireguard.net} drop comment "bind any ip to intf ${lan.interface}"
iifname ${lan.interface} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${lan.interface}" iifname ${lan.interface} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${lan.interface}"
iifname ${lan.interface} accept comment "bind any ip to intf ${lan.interface}" iifname ${lan.interface} accept comment "bind any ip to intf ${lan.interface}"
iifname ${wireguard.interface} ip saddr ${wireguard.net} accept comment "bind ip ${wireguard.net} to intf ${wireguard.interface}"
iifname ${docker.interface} ip saddr ${docker.net} accept comment "bind ip ${docker.net} to intf ${docker.interface}" iifname ${docker.interface} ip saddr ${docker.net} accept comment "bind ip ${docker.net} to intf ${docker.interface}"
iifname ${tailscale.interface} ip saddr ${tailscale.net} accept iifname ${tailscale.interface} ip saddr ${tailscale.net} accept
iifname ${tailscale.interface} ip saddr 100.100.100.100/32 accept iifname ${tailscale.interface} ip saddr 100.100.100.100/32 accept
@ -151,10 +129,6 @@ in
iifname ${lan.interface} tcp dport {${openTCP}} accept iifname ${lan.interface} tcp dport {${openTCP}} accept
iifname ${lan.interface} udp dport {${openUDP}} accept iifname ${lan.interface} udp dport {${openUDP}} accept
iifname ${wireguard.interface} tcp dport {${openTCPVPN}} accept
iifname ${wireguard.interface} udp dport {${openUDPVPN}} accept
iifname ${wireguard.interface} icmp type echo-request accept
jump filter_drop jump filter_drop
} }
@ -162,16 +136,6 @@ in
type filter hook forward priority filter; policy drop; type filter hook forward priority filter; policy drop;
ct state established,related accept ct state established,related accept
# client to client
ip saddr {${lib.concatStringsSep "," clientToClientWireguard}} ip daddr {${
lib.concatStringsSep "," clientToClientWireguard
}} accept
# nat to wan
oifname ${lan.interface} ip saddr {${
lib.concatStringsSep "," wireguardToWAN
}} accept
oifname ${lan.interface} ip saddr ${docker.net} accept oifname ${lan.interface} ip saddr ${docker.net} accept
oifname ${lan.interface} ip saddr ${tailscale.net} accept oifname ${lan.interface} ip saddr ${tailscale.net} accept
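Review bot: The hunk at `@ -151,10 +129,6` removes the only visible consumers of `openTCPVPN` and `openUDPVPN` (the three `iifname ${wireguard.interface}` input rules), yet dns.nix in this same commit still sets `firewall.openUDPVPN = [ 53 ];` on its context line, and the deleted wireguard.nix also set both. Those options now look like dead configuration: a reader will assume they open a port somewhere, but no nftables rule references them any more. Either drop the `openUDPVPN` assignment in dns.nix together with the option declarations (not visible here, so confirm they are not consumed elsewhere), or leave a comment such as `# openUDPVPN/openTCPVPN: no consumer since wireguard removal; kept for tailscale rules TBD`. The enclosing `networking = { … }` attribute set and the nftables ruleset string start before and end after these hunks.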


@ -7,8 +7,11 @@ in
architect = { architect = {
firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ]; firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ];
vhost.${domain} = { vhost.${domain} = {
dnsInterfaces = [ "lan" "tailscale" "wireguard" ]; dnsInterfaces = [ "lan" "tailscale" ];
locations."/".port = config.services.gitea.settings.server.HTTP_PORT; locations."/" = {
port = config.services.gitea.settings.server.HTTP_PORT;
allowWAN = true;
};
}; };
}; };
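Review bot: `allowWAN = true;` on the `/` location removes the `deny all;` that the vhost module otherwise emits, so the Gitea web UI becomes reachable from any source address while `firewall.openTCP` on the context line already exposes `SSH_PORT`; nothing in the hunk shows the application-level hardening that usually accompanies that exposure. If not configured elsewhere, confirm `services.gitea.settings.service.DISABLE_REGISTRATION = true` and that the fail2ban module imported from default.nix has a jail covering Gitea's authentication log. A comment on the new line would make the intent explicit for the next reader: `allowWAN = true; # web UI is internet-reachable; SSH already WAN-open via firewall.openTCP`. The enclosing `architect = { … }` attribute set starts before and ends after the hunk.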


@ -11,9 +11,12 @@ in
hmac_key = "a2a91eca269d26de1221285e8981879834045bff"; hmac_key = "a2a91eca269d26de1221285e8981879834045bff";
}; };
}; };
architect.vhost.${domain} = { architect.vhost.${domain} = {
dnsInterfaces = [ "lan" "tailscale" "wireguard" ]; dnsInterfaces = [ "lan" "tailscale" ];
locations."/".port = config.services.invidious.port; locations."/" = {
port = config.services.invidious.port;
allowWAN = true;
};
}; };
} }
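Review bot: The new `allowWAN = true;` makes Invidious internet-reachable while the `hmac_key` literal on the context line above is still a plaintext secret committed to the repository and copied into the world-readable Nix store; exposure of the service raises the value of that key. Consider pointing the module at a file outside the store (the NixOS Invidious module provides a `hmacKeyFile` option, subject to the pinned nixpkgs) and rotating the key, since the current value stays in git history. A short comment at the key, `# TODO move to hmacKeyFile and rotate: value is in git history and the Nix store`, would flag this until it is done. The enclosing `services.invidious.settings` block starts before the hunk.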


@ -10,13 +10,12 @@ in
systemd.services.jellyfin.serviceConfig.StateDirectory = lib.mkForce ""; systemd.services.jellyfin.serviceConfig.StateDirectory = lib.mkForce "";
architect.vhost.${domain} = with config.architect.networks; { architect.vhost.${domain} = with config.architect.networks; {
dnsInterfaces = [ "lan" "wireguard" "tailscale" ]; dnsInterfaces = [ "lan" "tailscale" ];
locations = { locations = {
"/" = { "/" = {
inherit port allowLan; inherit port allowLan;
allow = [ allow = [
wireguard.net
tailscale.net tailscale.net
]; ];
}; };
@ -26,7 +25,6 @@ in
proxyWebsockets = true; proxyWebsockets = true;
allow = [ allow = [
wireguard.net
tailscale.net tailscale.net
]; ];
}; };


@ -76,7 +76,6 @@ in
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
} }


@ -8,9 +8,9 @@ in
enable = true; enable = true;
port = 9090; port = 9090;
}; };
architect.vhost.${domain} = { architect.vhost.${domain} = {
dnsInterfaces = [ "lan" "tailscale" "wireguard" ]; dnsInterfaces = [ "lan" "tailscale" ];
locations."/".port = config.services.libreddit.port; locations."/".port = config.services.libreddit.port;
}; };
} }


@ -28,7 +28,6 @@ in
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';

hosts/architect/llm.nix Normal file

@ -0,0 +1,38 @@
{ config, ... }:
let
domain = "pino.giugl.io";
backendPort = 3000;
frontendPort = 3002;
in
{
architect.vhost.${domain} = {
dnsInterfaces = [ "tailscale" ];
locations."/" = {
host = "172.17.0.1";
port = frontendPort;
allowLan = true;
allow = [ config.architect.networks."tailscale".net ];
};
};
virtualisation.oci-containers = {
containers = {
big-agi = {
image = "ghcr.io/enricoros/big-agi:main";
autoStart = true;
ports = [
"172.17.0.1:${toString frontendPort}:${toString backendPort}"
];
environmentFiles = [
"/var/lib/llm/big-agi.env"
];
extraOptions = [
"--pull=always"
];
};
};
};
}
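Review bot: `image = "ghcr.io/enricoros/big-agi:main"` combined with `"--pull=always"` means every container start fetches whatever the mutable `main` tag currently points at, so an upstream push or registry compromise lands on the host unreviewed, and rolling back to an earlier NixOS generation does not restore the previously running image. Pin the image by digest, `image = "ghcr.io/enricoros/big-agi@sha256:<digest>";` (placeholder), and drop `--pull=always` so updates become an explicit, reviewable change to this file. Separately, the port mapping `"172.17.0.1:${toString frontendPort}:${toString backendPort}"` publishes the frontend on the Docker bridge address rather than loopback, which presumably makes it reachable from any other container on that bridge; if only the nginx proxy should reach it, bind to `127.0.0.1` and leave `host` at the module default `127.0.0.1`. A one-line comment on the `ports` entry stating why the bridge address is chosen would help either way.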


@ -111,7 +111,6 @@ in
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
} }


@ -19,7 +19,6 @@ in
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
} }


@ -30,7 +30,6 @@ in
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
} }


@ -22,7 +22,7 @@ in
}; };
architect.vhost.${domain} = { architect.vhost.${domain} = {
dnsInterfaces = [ "lan" "tailscale" "wireguard" ]; dnsInterfaces = [ "lan" "tailscale" ];
locations."/" = { locations."/" = {
port = 4533; port = 4533;
allowLan = true; allowLan = true;


@ -78,7 +78,6 @@ in
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';


@ -10,7 +10,7 @@ in
}; };
architect.vhost.${domain} = { architect.vhost.${domain} = {
dnsInterfaces = [ "tailscale" "wireguard" "lan" ]; dnsInterfaces = [ "tailscale" "lan" ];
locations."/" = { locations."/" = {
port = 6789; port = 6789;


@ -96,23 +96,29 @@ in
description = "The host for the location."; description = "The host for the location.";
default = "127.0.0.1"; default = "127.0.0.1";
}; };
port = mkOption { port = mkOption {
type = types.int; type = types.int;
description = "The port number for the location."; description = "The port number for the location.";
}; };
allow = mkOption { allow = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = [ ]; default = [ ];
description = "IP address or CIDR block to allow."; description = "IP address or CIDR block to allow.";
}; };
path = mkOption { path = mkOption {
type = types.str; type = types.str;
default = ""; default = "";
}; };
allowWAN = mkOption {
type = types.bool;
default = false;
description = "If set to false, deny all WAN traffic.";
};
deny = mkOption { deny = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = [ ]; default = [ ];
@ -140,9 +146,9 @@ in
proxyPass = "http://${location.host}:${toString location.port}${location.path}"; proxyPass = "http://${location.host}:${toString location.port}${location.path}";
proxyWebsockets = location.proxyWebsockets; proxyWebsockets = location.proxyWebsockets;
extraConfig = '' extraConfig = ''
${optionalString location.allowLan "deny 10.0.0.1;"}
${concatMapStringsSep "\n" (denyCIDR: "deny ${denyCIDR};") location.deny}
${concatMapStringsSep "\n" (allowCIDR: "allow ${allowCIDR};") location.allow} ${concatMapStringsSep "\n" (allowCIDR: "allow ${allowCIDR};") location.allow}
${optionalString (!location.allowWAN) "deny all;"}
${concatMapStringsSep "\n" (denyCIDR: "deny ${denyCIDR};") location.deny}
${optionalString location.allowLan ''allow ${config.architect.networks."lan".net};''} ${optionalString location.allowLan ''allow ${config.architect.networks."lan".net};''}
'' + location.extraConfig; '' + location.extraConfig;
}) })
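Review bot: The new `${optionalString (!location.allowWAN) "deny all;"}` is emitted before `${optionalString location.allowLan ''allow …;''}`, and nginx's access module applies the first matching `allow`/`deny` directive, so with the default `allowWAN = false` and `allowLan = true` a LAN client matches `deny all` first and is rejected; the `location.deny` entries emitted after it are unreachable for the same reason. Move the line to the end of the generated block, after the `allowLan` line, and keep the `location.deny` list ahead of the allow lines: `${optionalString (!location.allowWAN) "deny all;"}` as the last directive. The hunk also silently drops the previous `${optionalString location.allowLan "deny 10.0.0.1;"}` guard, which the commit message does not mention; if that is intentional, a comment saying why would help. The enclosing location-mapping function starts before the hunk.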


@ -17,7 +17,7 @@ in
}; };
architect.vhost.${domain} = with config.architect.networks; { architect.vhost.${domain} = with config.architect.networks; {
dnsInterfaces = [ "lan" "wireguard" "tailscale" ]; dnsInterfaces = [ "lan" "tailscale" ];
locations = { locations = {
"/" = { "/" = {
inherit port; inherit port;
@ -25,7 +25,6 @@ in
proxyWebsockets = true; proxyWebsockets = true;
# allowLan = true; # allowLan = true;
# allow = [ # allow = [
# wireguard.net
# tailscale.net # tailscale.net
# ]; # ];
extraConfig = '' extraConfig = ''


@ -45,7 +45,6 @@ in
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';


@ -7,7 +7,7 @@ in
services.prowlarr.enable = true; services.prowlarr.enable = true;
architect.vhost.${domain} = { architect.vhost.${domain} = {
dnsInterfaces = [ "tailscale" "wireguard" ]; dnsInterfaces = [ "tailscale" ];
locations."/" = { locations."/" = {
port = 9696; port = 9696;


@ -10,13 +10,12 @@ in
}; };
architect.vhost.${domain} = with config.architect.networks; { architect.vhost.${domain} = with config.architect.networks; {
dnsInterfaces = [ "wireguard" "tailscale" ]; dnsInterfaces = [ "tailscale" ];
locations."/" = { locations."/" = {
port = 7878; port = 7878;
allowLan = true; allowLan = true;
allow = [ allow = [
wireguard.net
tailscale.net tailscale.net
]; ];
}; };


@ -43,7 +43,6 @@ in
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
} }


@ -1,8 +1,7 @@
{ mach-nix, lib, config, pkgs, ... }: { config, pkgs, ... }:
let let
domain = "gugol.giugl.io"; domain = "search.giugl.io";
network = import ./network.nix;
in in
{ {
services = { services = {
@ -19,14 +18,14 @@ in
}; };
general = { general = {
instance_name = "Pepe's Gugol"; instance_name = "PepoSearch";
contact_url = "mailto:gugol@depasquale.giugl.io"; contact_url = "mailto:search@depasquale.giugl.io";
enable_metrics = false; enable_metrics = true;
}; };
search = { search = {
safe_search = 0; safe_search = 0;
autocomplete = "qwant"; autocomplete = "google";
prefer_configured_language = false; prefer_configured_language = false;
}; };
@ -43,24 +42,23 @@ in
{ name = "google"; disabled = false; } { name = "google"; disabled = false; }
{ name = "bing"; disabled = false; } { name = "bing"; disabled = false; }
{ name = "qwant"; disabled = false; } { name = "qwant"; disabled = false; }
{ name = "duckduckgo"; disabled = false; } { name = "brave"; disabled = false; }
# keep getting access denied (!?)
{ name = "duckduckgo"; disabled = true; }
]; ];
}; };
}; };
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.searx.settings.server.port}";
};
};
}; };
networking.extraHosts = '' architect.vhost.${domain} = with config.architect.networks; {
${network.architect-lan} ${domain} dnsInterfaces = [ "tailscale" ];
${network.architect-wg} ${domain} locations."/" = {
${network.architect-ts} ${domain} port = config.services.searx.settings.server.port;
''; allowLan = true;
allow = [
tailscale.net
];
};
};
} }


@ -8,15 +8,15 @@ in
enable = true; enable = true;
group = "media"; group = "media";
}; };
architect.vhost.${domain} = { architect.vhost.${domain} = {
dnsInterfaces = [ "tailscale" "wireguard" ]; dnsInterfaces = [ "tailscale" ];
locations."/" = { locations."/" = {
port = 6969; port = 8989;
allowLan = true; allowLan = true;
}; };
}; };
users.groups.media.members = [ "sonarr" ]; users.groups.media.members = [ "sonarr" ];
} }


@ -19,7 +19,8 @@ in
dodino = { address = "100.64.0.5"; hostname = "dodino.${domain}"; }; dodino = { address = "100.64.0.5"; hostname = "dodino.${domain}"; };
manduria = { address = "100.64.0.6"; hostname = "manduria.${domain}"; }; manduria = { address = "100.64.0.6"; hostname = "manduria.${domain}"; };
tommy = { address = "100.64.0.7"; hostname = "tommy.${domain}"; }; tommy = { address = "100.64.0.7"; hostname = "tommy.${domain}"; };
ucsb-workstation = { address = "100.64.0.8"; hostname = "ucsb-workstation.${domain}"; }; # ucsb-workstation = { address = "100.64.0.8"; hostname = "ucsb-workstation.${domain}"; };
ucsb-workstation = { address = "100.64.0.10"; hostname = "ucsb-workstation.${domain}"; };
alfredo = { address = "100.64.0.9"; hostname = "alfredo.${domain}"; }; alfredo = { address = "100.64.0.9"; hostname = "alfredo.${domain}"; };
parallels = { address = "100.64.0.3"; hostname = "parallels.${domain}"; }; parallels = { address = "100.64.0.3"; hostname = "parallels.${domain}"; };
}; };


@ -1,218 +0,0 @@
{ config, lib, ... }:
let
listenPort = 1194;
domain = "devs.giugl.io";
interface = "wireguard";
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) generateDeviceStrings getDeviceAddress;
getWireguardDeviceAddress = getDeviceAddress "wireguard";
in
{
architect = {
firewall = {
openUDP = lib.singleton listenPort;
openUDPVPN = lib.singleton listenPort;
};
networks.${interface} = {
interface = "wg0";
net = "10.3.0.0/24";
devices = {
architect = { address = "10.3.0.1"; hostname = "architect.${domain}"; };
antonio = { address = "10.3.0.6"; hostname = "antonio.${domain}"; };
gbeast = { address = "10.3.0.7"; hostname = "gbeast.${domain}"; };
shield = { address = "10.3.0.12"; hostname = "shield.${domain}"; };
salvatore = { address = "10.3.0.16"; hostname = "salvatore.${domain}"; };
papa = { address = "10.3.0.17"; hostname = "papa.${domain}"; };
defy = { address = "10.3.0.18"; hostname = "defy.${domain}"; };
germano = { address = "10.3.0.19"; hostname = "germano.${domain}"; };
flavio = { address = "10.3.0.20"; hostname = "flavio.${domain}"; };
alain = { address = "10.3.0.22"; hostname = "alain.${domain}"; };
dima = { address = "10.3.0.23"; hostname = "dima.${domain}"; };
mikey = { address = "10.3.0.24"; hostname = "mikey.${domain}"; };
andrew = { address = "10.3.0.25"; hostname = "andrew.${domain}"; };
mikeylaptop = { address = "10.3.0.26"; hostname = "mikeylaptop.${domain}"; };
andrewdesktop = { address = "10.3.0.27"; hostname = "andrewdesktop.${domain}"; };
jacopo = { address = "10.3.0.28"; hostname = "jacopo.${domain}"; };
frznn = { address = "10.3.0.29"; hostname = "frznn.${domain}"; };
ludo = { address = "10.3.0.30"; hostname = "ludo.${domain}"; };
parina = { address = "10.3.0.31"; hostname = "parina.${domain}"; };
nilo = { address = "10.3.0.32"; hostname = "nilo.${domain}"; };
parina-ipad = { address = "10.3.0.33"; hostname = "parina-ipad.${domain}"; };
kclvm = { address = "10.3.0.34"; hostname = "kclvm.${domain}"; };
framecca = { address = "10.3.0.35"; hostname = "framecca.${domain}"; };
framecca_one = { address = "10.3.0.36"; hostname = "framecca_one.${domain}"; };
framecca_two = { address = "10.3.0.37"; hostname = "framecca_two.${domain}"; };
framecca_three = { address = "10.3.0.38"; hostname = "framecca_three.${domain}"; };
framecca_four = { address = "10.3.0.39"; hostname = "framecca_four.${domain}"; };
};
};
};
networking = {
extraHosts = generateDeviceStrings config.architect.networks.wireguard.devices;
wireguard = {
interfaces.${config.architect.networks.wireguard.interface} = {
inherit listenPort;
ips = [ "${config.architect.networks.wireguard.devices.architect.address}/24" ];
privateKeyFile = "/secrets/wireguard/server.key";
peers = [
{
# Antonio
allowedIPs = [ (getWireguardDeviceAddress "antonio") ];
publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc=";
}
{
# GBEAST
allowedIPs = [ (getWireguardDeviceAddress "gbeast") ];
publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI=";
}
{
# shield
allowedIPs = [ (getWireguardDeviceAddress "shield") ];
publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs=";
}
{
# salvatore
allowedIPs = [ (getWireguardDeviceAddress "salvatore") ];
publicKey = "fhlnBHeMyHZKLUCTSA9kmkKoM5x/qzz/rnCJrUh3Gzs=";
}
{
# papa
allowedIPs = [ (getWireguardDeviceAddress "papa") ];
publicKey = "oGHygt02Oni3IFbScKD0NVEfHKCp6bpw68aq5g4RrAA=";
}
{
# defy
allowedIPs = [ (getWireguardDeviceAddress "defy") ];
publicKey = "Cvi/eto7E6Ef+aiL81ou7x12fJCeuXrf/go9fxEqXG4=";
}
{
# germano
allowedIPs = [ (getWireguardDeviceAddress "germano") ];
publicKey = "LJ0DHY1sFVLQb3ngUGGH0HxbDOPb9KCUPSaYcjr5Uiw=";
}
{
# flavio
allowedIPs = [ (getWireguardDeviceAddress "flavio") ];
publicKey = "Yg0P+yHi/9SZHyoel8jT9fmmu+irLYmT8yMp/CZoaSg=";
}
{
# alain
allowedIPs = [ (getWireguardDeviceAddress "alain") ];
publicKey = "/o2msFJoUL4yovcIQJTU8c1faFtekrjSBBWJABouWno=";
}
{
# dima
allowedIPs = [ (getWireguardDeviceAddress "dima") ];
publicKey = "svzWYIZ6v+cLCp/emGG7mx2YpBJqw2fqjVuHZy7b6H0=";
}
{
# mikey
allowedIPs = [ (getWireguardDeviceAddress "mikey") ];
publicKey = "ewbDdX3z7nxG2aPIf9TogXkhxPlGipLFcy6XfyDC6gI=";
}
{
# andrew
allowedIPs = [ (getWireguardDeviceAddress "andrew") ];
publicKey = "LP/FgST9fmBQSoKQFq9sFGvjRFOtRooMcuEcjuqaoWM=";
}
{
# mikey laptop
allowedIPs = [ (getWireguardDeviceAddress "mikeylaptop") ];
publicKey = "kz/pY/PgV+dwF1JZ2It4r5B5QfRSQM7HkbFCdvd5Yxk=";
}
{
# andrew desktop
allowedIPs = [ (getWireguardDeviceAddress "andrewdesktop") ];
publicKey = "rpYr3JNLIzxpxzFuQuaHFEl/XvPEPfwLbDETBP8KYXI=";
}
{
# laptop desktop
allowedIPs = [ (getWireguardDeviceAddress "jacopo") ];
publicKey = "W/taWI79bPIKOolVVu5xZfiJnPw9K91Xn1zhcM0+4g0=";
}
{
# frznn
allowedIPs = [ (getWireguardDeviceAddress "frznn") ];
publicKey = "dXcrdME6VnnE5PBYwvUmayf7cn2wpcExeCR9gIXOO0o=";
}
{
# ludo
allowedIPs = [ (getWireguardDeviceAddress "ludo") ];
publicKey = "ecrxdzx7tQZwMPxZOjHUvxZT2xY79B6XEDIW+fhEtEM=";
}
{
# parina
allowedIPs = [ (getWireguardDeviceAddress "parina") ];
publicKey = "7nubNnfGsg4/7KemMDn9r99mNK8RFU9uOFFqaYv6rUA=";
}
{
# nilo
allowedIPs = [ (getWireguardDeviceAddress "nilo") ];
publicKey = "lhTEDJ9WnizvEHTd5kN21fTHF27HNk+fPLQnB1B3LW0=";
}
{
# parina ipad
allowedIPs = [ (getWireguardDeviceAddress "parina-ipad") ];
publicKey = "ezkCzl2qC7Hd7rFKfqMa0JXDKRhVqy79H52rA06x7mU=";
}
{
# kcl vm
allowedIPs = [ (getWireguardDeviceAddress "kclvm") ];
publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE=";
}
{
allowedIPs = [ (getWireguardDeviceAddress "framecca") ];
publicKey = "w0XPu5GcDA2vpNk3KCFRdWNVVQHRtAPApEsK1h3Ovyk=";
}
{
allowedIPs = [ (getWireguardDeviceAddress "framecca_one") ];
publicKey = "5PnmExv78fU3SS8liUWY/oBCcJ48wzmz/70O0U7K/xs=";
}
{
allowedIPs = [ (getWireguardDeviceAddress "framecca_two") ];
publicKey = "FbWfh2rL3OYLTDIte+MgctqL/bphn38eqpNy/chc3wM=";
}
{
allowedIPs = [ (getWireguardDeviceAddress "framecca_three") ];
publicKey = "Z3LRFs6CO0kUh4J3pf+HcPsWch3hUAwJBG8/b0Kqnxs=";
}
{
allowedIPs = [ (getWireguardDeviceAddress "framecca_four") ];
publicKey = "g/Ta12igzxSlCxy7KP865qf+l3+r1LjOo6UXjulmPBc=";
}
];
};
};
};
}


@ -23,7 +23,6 @@ in
cursorline = true cursorline = true
true-color = true true-color = true
gutters = ["diff", "diagnostics", "line-numbers", "spacer"] gutters = ["diff", "diagnostics", "line-numbers", "spacer"]
completion-replace = true
[editor.cursor-shape] [editor.cursor-shape]
insert = "bar" insert = "bar"