Compare commits
8 Commits
0d3b2888fe
...
608fd46eb4
Author | SHA1 | Date | |
---|---|---|---|
|
608fd46eb4 | ||
|
a015dc2a89 | ||
|
1990ed8a65 | ||
|
554e5651a7 | ||
|
b341bee052 | ||
|
40d0b5f55c | ||
|
7dc674f24f | ||
|
c3c61f0248 |
@ -32,7 +32,12 @@
|
|||||||
};
|
};
|
||||||
|
|
||||||
wrapUtils = { pkgs, unstable, system }:
|
wrapUtils = { pkgs, unstable, system }:
|
||||||
import ./lib { inherit nixpkgs nixos-unstable home-manager system pkgs unstable; };
|
pkgs.lib.makeScope pkgs.newScope (self: {
|
||||||
|
inherit nixpkgs home-manager nixos-unstable;
|
||||||
|
user = self.callPackage ./lib/user.nix { };
|
||||||
|
host = self.callPackage ./lib/host.nix { };
|
||||||
|
});
|
||||||
|
|
||||||
|
|
||||||
pkgsLinuxX64 = wrapPkgsSystem { system = sysLinuxX64; };
|
pkgsLinuxX64 = wrapPkgsSystem { system = sysLinuxX64; };
|
||||||
unstableLinuxX64 = wrapUnstablePkgsSystem { system = sysLinuxX64; };
|
unstableLinuxX64 = wrapUnstablePkgsSystem { system = sysLinuxX64; };
|
||||||
|
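Review bot: The new `makeScope` body inherits `nixpkgs home-manager nixos-unstable` but not `unstable` or `system`, which `./lib/user.nix` and `./lib/host.nix` previously received explicitly from the deleted `lib/default.nix`; with `pkgs.newScope` they will instead be resolved from `pkgs` itself (`pkgs.system`, and `pkgs.unstable` if the overlay used by `pkgs.unstable.plex` elsewhere in this compare is applied to this `pkgs`). That dependency is implicit now, so a comment such as `# unstable and system are resolved from pkgs by callPackage` next to `pkgs.lib.makeScope pkgs.newScope` would save the next reader a trip through lib. The enclosing attribute set starts before this hunk.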
@ -6,8 +6,10 @@ let
|
|||||||
];
|
];
|
||||||
hostname = "architect";
|
hostname = "architect";
|
||||||
network = import ./network.nix;
|
network = import ./network.nix;
|
||||||
in {
|
in
|
||||||
imports = [ # Include the results of the hardware scan.
|
{
|
||||||
|
imports = [
|
||||||
|
# Include the results of the hardware scan.
|
||||||
./backup.nix
|
./backup.nix
|
||||||
./hardware.nix
|
./hardware.nix
|
||||||
./firewall.nix
|
./firewall.nix
|
||||||
@ -29,7 +31,7 @@ in {
|
|||||||
./invidious.nix
|
./invidious.nix
|
||||||
./nitter.nix
|
./nitter.nix
|
||||||
./lidarr.nix
|
./lidarr.nix
|
||||||
# ./navidrome.nix
|
# ./navidrome.nix
|
||||||
./jellyfin.nix
|
./jellyfin.nix
|
||||||
./prosody.nix
|
./prosody.nix
|
||||||
./deluge.nix
|
./deluge.nix
|
||||||
@ -39,10 +41,11 @@ in {
|
|||||||
./lezzo.nix
|
./lezzo.nix
|
||||||
./runas.nix
|
./runas.nix
|
||||||
./tailscale.nix
|
./tailscale.nix
|
||||||
|
./searx.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
time.timeZone = "Europe/Rome";
|
time.timeZone = "Europe/Rome";
|
||||||
# system.stateVersion = "21.11";
|
# system.stateVersion = "21.11";
|
||||||
users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
|
users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
|
||||||
boot = {
|
boot = {
|
||||||
initrd = {
|
initrd = {
|
||||||
|
@ -4,7 +4,8 @@ let
|
|||||||
domain = "htdel.giugl.io";
|
domain = "htdel.giugl.io";
|
||||||
network = import ./network.nix;
|
network = import ./network.nix;
|
||||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
||||||
in {
|
in
|
||||||
|
{
|
||||||
services = {
|
services = {
|
||||||
deluge = {
|
deluge = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -49,7 +49,8 @@ let
|
|||||||
wireguard_udp
|
wireguard_udp
|
||||||
];
|
];
|
||||||
|
|
||||||
in {
|
in
|
||||||
|
{
|
||||||
networking = {
|
networking = {
|
||||||
# needed to use nftables
|
# needed to use nftables
|
||||||
firewall.enable = false;
|
firewall.enable = false;
|
||||||
@ -58,176 +59,171 @@ in {
|
|||||||
nftables = {
|
nftables = {
|
||||||
enable = true;
|
enable = true;
|
||||||
ruleset = ''
|
ruleset = ''
|
||||||
table ip raw {
|
table ip raw {
|
||||||
chain PREROUTING {
|
chain PREROUTING {
|
||||||
type filter hook prerouting priority raw; policy accept;
|
type filter hook prerouting priority raw; policy accept;
|
||||||
}
|
}
|
||||||
|
|
||||||
chain OUTPUT {
|
chain OUTPUT {
|
||||||
type filter hook output priority raw; policy accept;
|
type filter hook output priority raw; policy accept;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
table ip nat {
|
table ip nat {
|
||||||
chain PREROUTING {
|
chain PREROUTING {
|
||||||
type nat hook prerouting priority dstnat; policy accept;
|
type nat hook prerouting priority dstnat; policy accept;
|
||||||
}
|
}
|
||||||
|
|
||||||
chain INPUT {
|
chain INPUT {
|
||||||
type nat hook input priority 100; policy accept;
|
type nat hook input priority 100; policy accept;
|
||||||
}
|
}
|
||||||
|
|
||||||
chain OUTPUT {
|
chain OUTPUT {
|
||||||
type nat hook output priority -100; policy accept;
|
type nat hook output priority -100; policy accept;
|
||||||
}
|
}
|
||||||
|
|
||||||
chain POSTROUTING {
|
chain POSTROUTING {
|
||||||
type nat hook postrouting priority srcnat; policy accept;
|
type nat hook postrouting priority srcnat; policy accept;
|
||||||
oifname ${wan-if} ip saddr {${
|
oifname ${wan-if} ip saddr {${
|
||||||
lib.concatStringsSep "," towan-wg
|
lib.concatStringsSep "," towan-wg
|
||||||
}} masquerade
|
}} masquerade
|
||||||
oifname ${wan-if} ip saddr ${docker-net} masquerade
|
oifname ${wan-if} ip saddr ${docker-net} masquerade
|
||||||
oifname ${wan-if} ip saddr ${tailscale-net} masquerade
|
oifname ${wan-if} ip saddr ${tailscale-net} masquerade
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
table ip mangle {
|
table ip mangle {
|
||||||
chain PREROUTING {
|
chain PREROUTING {
|
||||||
type filter hook prerouting priority mangle; policy drop;
|
type filter hook prerouting priority mangle; policy drop;
|
||||||
ct state invalid,untracked drop comment "drop invalid"
|
ct state invalid,untracked drop comment "drop invalid"
|
||||||
ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
|
ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
|
||||||
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
|
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
|
||||||
iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}"
|
iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}"
|
||||||
iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}"
|
iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}"
|
||||||
iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
|
iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
|
||||||
iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}"
|
iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}"
|
||||||
iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
|
iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
|
||||||
iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}"
|
iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}"
|
||||||
iifname ${tailscale-if} ip saddr ${tailscale-net} accept
|
iifname ${tailscale-if} ip saddr ${tailscale-net} accept
|
||||||
iifname "lo" accept comment "bind any ip to intf lo"
|
iifname "lo" accept comment "bind any ip to intf lo"
|
||||||
jump mangle_drop
|
jump mangle_drop
|
||||||
}
|
}
|
||||||
|
|
||||||
chain INPUT {
|
chain INPUT {
|
||||||
type filter hook input priority mangle; policy accept;
|
type filter hook input priority mangle; policy accept;
|
||||||
}
|
}
|
||||||
|
|
||||||
chain FORWARD {
|
chain FORWARD {
|
||||||
type filter hook forward priority mangle; policy accept;
|
type filter hook forward priority mangle; policy accept;
|
||||||
}
|
}
|
||||||
|
|
||||||
chain OUTPUT {
|
chain OUTPUT {
|
||||||
type route hook output priority mangle; policy accept;
|
type route hook output priority mangle; policy accept;
|
||||||
}
|
}
|
||||||
|
|
||||||
chain POSTROUTING {
|
chain POSTROUTING {
|
||||||
type filter hook postrouting priority mangle; policy accept;
|
type filter hook postrouting priority mangle; policy accept;
|
||||||
}
|
}
|
||||||
|
|
||||||
chain mangle_drop {
|
chain mangle_drop {
|
||||||
ip protocol icmp jump mangle_drop_icmp
|
ip protocol icmp jump mangle_drop_icmp
|
||||||
ip protocol udp jump mangle_drop_udp
|
ip protocol udp jump mangle_drop_udp
|
||||||
ip protocol tcp jump mangle_drop_tcp
|
ip protocol tcp jump mangle_drop_tcp
|
||||||
log prefix "MANGLE-DROP-UNK "
|
log prefix "MANGLE-DROP-UNK "
|
||||||
drop
|
drop
|
||||||
}
|
}
|
||||||
|
|
||||||
chain mangle_drop_icmp {
|
chain mangle_drop_icmp {
|
||||||
log prefix "MANGLE-DROP-ICMP "
|
log prefix "MANGLE-DROP-ICMP "
|
||||||
drop
|
drop
|
||||||
}
|
}
|
||||||
|
|
||||||
chain mangle_drop_tcp {
|
chain mangle_drop_tcp {
|
||||||
log prefix "MANGLE-DROP-TCP "
|
log prefix "MANGLE-DROP-TCP "
|
||||||
drop
|
drop
|
||||||
}
|
}
|
||||||
|
|
||||||
chain mangle_drop_udp {
|
chain mangle_drop_udp {
|
||||||
log prefix "MANGLE-DROP-UDP "
|
log prefix "MANGLE-DROP-UDP "
|
||||||
drop
|
drop
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
table ip filter {
|
table ip filter {
|
||||||
chain INPUT {
|
chain INPUT {
|
||||||
type filter hook input priority filter; policy drop;
|
type filter hook input priority filter; policy drop;
|
||||||
|
|
||||||
ct state established,related accept
|
ct state established,related accept
|
||||||
iifname "lo" accept comment "loopback"
|
iifname "lo" accept comment "loopback"
|
||||||
ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
|
ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
|
||||||
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
|
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
|
||||||
ip saddr ${lan-net} accept comment "lan > local"
|
ip saddr ${lan-net} accept comment "lan > local"
|
||||||
ip saddr ${tailscale-net} accept comment "tailscale > local"
|
ip saddr ${tailscale-net} accept comment "tailscale > local"
|
||||||
ip saddr {${lib.concatStringsSep "," gdevices-wg}} accept comment "vpn > local"
|
ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
|
||||||
|
|
||||||
iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
|
iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
|
||||||
iifname ${wan-if} udp dport {${open_udp_ports}} accept
|
iifname ${wan-if} udp dport {${open_udp_ports}} accept
|
||||||
iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept
|
iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept
|
||||||
iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept
|
iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept
|
||||||
iifname ${vpn-if} icmp type echo-request accept
|
iifname ${vpn-if} icmp type echo-request accept
|
||||||
iifname ${docker-if} udp dport 53 accept
|
iifname ${docker-if} udp dport 53 accept
|
||||||
jump filter_drop
|
jump filter_drop
|
||||||
}
|
}
|
||||||
|
|
||||||
chain FORWARD {
|
chain FORWARD {
|
||||||
type filter hook forward priority filter; policy drop;
|
type filter hook forward priority filter; policy drop;
|
||||||
ct state established,related accept
|
ct state established,related accept
|
||||||
|
|
||||||
# client to client
|
# gdevices talking to everyone in VPN
|
||||||
ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${
|
ip saddr {${
|
||||||
lib.concatStringsSep "," c2c-wg
|
lib.concatStringsSep "," gdevices
|
||||||
}} accept
|
}} ip daddr ${vpn-net} accept
|
||||||
|
ip saddr {${
|
||||||
|
lib.concatStringsSep "," gamenet-wg
|
||||||
|
}} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept
|
||||||
|
|
||||||
# gdevices talking to everyone in VPN
|
# nat to wan
|
||||||
ip saddr {${
|
oifname ${wan-if} ip saddr {${
|
||||||
lib.concatStringsSep "," gdevices-wg
|
lib.concatStringsSep "," towan-wg
|
||||||
}} ip daddr ${vpn-net} accept
|
}} accept
|
||||||
ip saddr {${
|
|
||||||
lib.concatStringsSep "," gamenet-wg
|
|
||||||
}} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept
|
|
||||||
|
|
||||||
# nat to wan
|
oifname ${wan-if} ip saddr ${docker-net} accept
|
||||||
oifname ${wan-if} ip saddr {${
|
oifname ${wan-if} ip saddr ${tailscale-net} accept
|
||||||
lib.concatStringsSep "," towan-wg
|
|
||||||
}} accept
|
|
||||||
|
|
||||||
oifname ${wan-if} ip saddr ${docker-net} accept
|
jump filter_drop
|
||||||
oifname ${wan-if} ip saddr ${tailscale-net} accept
|
}
|
||||||
|
|
||||||
jump filter_drop
|
chain OUTPUT {
|
||||||
}
|
type filter hook output priority filter; policy drop;
|
||||||
|
ct state established,related accept
|
||||||
|
accept comment "local > *"
|
||||||
|
jump filter_drop
|
||||||
|
}
|
||||||
|
|
||||||
chain OUTPUT {
|
chain filter_drop {
|
||||||
type filter hook output priority filter; policy drop;
|
ip protocol icmp jump filter_drop_icmp
|
||||||
ct state established,related accept
|
ip protocol udp jump filter_drop_udp
|
||||||
accept comment "local > *"
|
ip protocol tcp jump filter_drop_tcp
|
||||||
jump filter_drop
|
log prefix "DROP-UNK "
|
||||||
}
|
drop
|
||||||
|
}
|
||||||
|
|
||||||
chain filter_drop {
|
chain filter_drop_icmp {
|
||||||
ip protocol icmp jump filter_drop_icmp
|
log prefix "DROP-icmp "
|
||||||
ip protocol udp jump filter_drop_udp
|
drop
|
||||||
ip protocol tcp jump filter_drop_tcp
|
}
|
||||||
log prefix "DROP-UNK "
|
|
||||||
drop
|
|
||||||
}
|
|
||||||
|
|
||||||
chain filter_drop_icmp {
|
chain filter_drop_tcp {
|
||||||
log prefix "DROP-icmp "
|
log prefix "DROP-tcp "
|
||||||
drop
|
drop
|
||||||
}
|
}
|
||||||
|
|
||||||
chain filter_drop_tcp {
|
chain filter_drop_udp {
|
||||||
log prefix "DROP-tcp "
|
log prefix "DROP-udp "
|
||||||
drop
|
drop
|
||||||
}
|
}
|
||||||
|
}
|
||||||
chain filter_drop_udp {
|
'';
|
||||||
log prefix "DROP-udp "
|
|
||||||
drop
|
|
||||||
}
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
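Review bot: The comment on the INPUT rule `ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"` no longer matches what it admits: network.nix in this compare defines `gdevices` from the `-ts` addresses (giuliophone-ts, architect-ts, giuliopc-ts, dodino-ts), so the rule admits Tailscale peers, not WireGuard ones, and is presumably subsumed by the `ip saddr ${tailscale-net} accept` line two rules above it if those addresses fall inside tailscale-net. Rename the comment to `comment "tailscale gdevices > local"` or drop the rule. The same switch applies to the FORWARD rule `ip saddr {${lib.concatStringsSep "," gdevices}} ip daddr ${vpn-net} accept`, which now forwards from Tailscale hosts into the WireGuard network while the old client-to-client rule over `c2c-wg` is gone; if WireGuard-attached gdevices are still meant to reach each other through this host, nothing left in this chain allows it, which the `# gdevices talking to everyone in VPN` comment should state either way. The enclosing `networking` attribute set begins in the previous hunk.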
@ -26,8 +26,8 @@ in
|
|||||||
enableACME = true;
|
enableACME = true;
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://127.0.0.1:3000";
|
proxyPass = "http://127.0.0.1:3000";
|
||||||
# it does not work, it breaks gitea's web portal
|
# it does not work, it breaks gitea's web portal
|
||||||
# extraConfig = auth_block { access_role = "git"; };
|
# extraConfig = auth_block { access_role = "git"; };
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -5,7 +5,8 @@ let
|
|||||||
network = import ./network.nix;
|
network = import ./network.nix;
|
||||||
host = "127.0.0.1";
|
host = "127.0.0.1";
|
||||||
port = 8123;
|
port = 8123;
|
||||||
in {
|
in
|
||||||
|
{
|
||||||
services = {
|
services = {
|
||||||
mosquitto = {
|
mosquitto = {
|
||||||
enable = true;
|
enable = true;
|
||||||
@ -52,7 +53,7 @@ in {
|
|||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection "upgrade";
|
proxy_set_header Connection "upgrade";
|
||||||
allow 10.0.0.0/24;
|
allow 10.0.0.0/24;
|
||||||
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
|
${lib.concatMapStrings (x: "allow ${x};") network.gdevices}
|
||||||
deny all;
|
deny all;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
@ -19,7 +19,7 @@ in
|
|||||||
nginx.virtualHosts.${domain} = {
|
nginx.virtualHosts.${domain} = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices-wg; } +
|
extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices; } +
|
||||||
''
|
''
|
||||||
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
|
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
|
||||||
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
|
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
|
||||||
|
@ -3,7 +3,8 @@
|
|||||||
let
|
let
|
||||||
network = import ./network.nix;
|
network = import ./network.nix;
|
||||||
domain = "auth.giugl.io";
|
domain = "auth.giugl.io";
|
||||||
in {
|
in
|
||||||
|
{
|
||||||
services = {
|
services = {
|
||||||
keycloak = {
|
keycloak = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -4,7 +4,8 @@ let
|
|||||||
domain = "htlid.giugl.io";
|
domain = "htlid.giugl.io";
|
||||||
network = import ./network.nix;
|
network = import ./network.nix;
|
||||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
||||||
in {
|
in
|
||||||
|
{
|
||||||
services = {
|
services = {
|
||||||
lidarr = {
|
lidarr = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -97,9 +97,9 @@ in
|
|||||||
return 200 '${builtins.toJSON client}';
|
return 200 '${builtins.toJSON client}';
|
||||||
'';
|
'';
|
||||||
|
|
||||||
# locations."/".extraConfig = ''
|
# locations."/".extraConfig = ''
|
||||||
# return 404;
|
# return 404;
|
||||||
# '';
|
# '';
|
||||||
|
|
||||||
# forward all Matrix API calls to the synapse Matrix homeserver
|
# forward all Matrix API calls to the synapse Matrix homeserver
|
||||||
locations."/_matrix" = {
|
locations."/_matrix" = {
|
||||||
|
@ -3,7 +3,8 @@
|
|||||||
let
|
let
|
||||||
domain = "s3.giugl.io";
|
domain = "s3.giugl.io";
|
||||||
network = import ./network.nix;
|
network = import ./network.nix;
|
||||||
in {
|
in
|
||||||
|
{
|
||||||
services = {
|
services = {
|
||||||
minio.enable = true;
|
minio.enable = true;
|
||||||
|
|
||||||
@ -15,7 +16,7 @@ in {
|
|||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
client_max_body_size 500M;
|
client_max_body_size 500M;
|
||||||
allow 10.0.0.0/24;
|
allow 10.0.0.0/24;
|
||||||
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg }
|
${lib.concatMapStrings (x: "allow ${x};") network.gdevices }
|
||||||
allow ${network.manduria-wg};
|
allow ${network.manduria-wg};
|
||||||
deny all;
|
deny all;
|
||||||
'';
|
'';
|
||||||
|
@ -63,21 +63,21 @@ in {
|
|||||||
AmbientCapabilities = "";
|
AmbientCapabilities = "";
|
||||||
CapabilityBoundingSet = "";
|
CapabilityBoundingSet = "";
|
||||||
|
|
||||||
# # ProtectClock= adds DeviceAllow=char-rtc r
|
# # ProtectClock= adds DeviceAllow=char-rtc r
|
||||||
# DeviceAllow = [
|
# DeviceAllow = [
|
||||||
# "char-drm r"
|
# "char-drm r"
|
||||||
# "/dev/nvidia0 r"
|
# "/dev/nvidia0 r"
|
||||||
# "/dev/nvidiactl r"
|
# "/dev/nvidiactl r"
|
||||||
# "/dev/nvidia-uvm r"
|
# "/dev/nvidia-uvm r"
|
||||||
# "/dev/nvidia-uvm-tools r"
|
# "/dev/nvidia-uvm-tools r"
|
||||||
# ];
|
# ];
|
||||||
DeviceAllow = "";
|
DeviceAllow = "";
|
||||||
LockPersonality = true;
|
LockPersonality = true;
|
||||||
|
|
||||||
PrivateTmp = true;
|
PrivateTmp = true;
|
||||||
PrivateUsers = true;
|
PrivateUsers = true;
|
||||||
|
|
||||||
# ProtectClock = true;
|
# ProtectClock = true;
|
||||||
ProtectControlGroups = true;
|
ProtectControlGroups = true;
|
||||||
ProtectHostname = true;
|
ProtectHostname = true;
|
||||||
ProtectKernelLogs = true;
|
ProtectKernelLogs = true;
|
||||||
@ -87,7 +87,7 @@ in {
|
|||||||
RemoveIPC = true;
|
RemoveIPC = true;
|
||||||
|
|
||||||
RestrictNamespaces = true;
|
RestrictNamespaces = true;
|
||||||
# # AF_NETLINK needed because Jellyfin monitors the network connection
|
# # AF_NETLINK needed because Jellyfin monitors the network connection
|
||||||
RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" "AF_UNIX" ];
|
RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" "AF_UNIX" ];
|
||||||
RestrictRealtime = true;
|
RestrictRealtime = true;
|
||||||
RestrictSUIDSGID = true;
|
RestrictSUIDSGID = true;
|
||||||
|
@ -6,7 +6,8 @@ let
|
|||||||
library_path = "/media/Music";
|
library_path = "/media/Music";
|
||||||
beets_config = "/media/beets.conf";
|
beets_config = "/media/beets.conf";
|
||||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
||||||
in {
|
in
|
||||||
|
{
|
||||||
services = {
|
services = {
|
||||||
navidrome = {
|
navidrome = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -62,12 +62,8 @@ rec {
|
|||||||
dodino-ts = "100.106.244.35";
|
dodino-ts = "100.106.244.35";
|
||||||
|
|
||||||
# groups
|
# groups
|
||||||
gdevices-wg =
|
gdevices = [ giuliophone-ts architect-ts giuliopc-ts dodino-ts ];
|
||||||
[ giuliopc-wg giuliophone-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg;
|
towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg framecca-wg ];
|
||||||
routers-wg = [ hotpottino-wg angellane-wg dodino-wg ];
|
|
||||||
c2c-wg = [ ] ++ gdevices-wg;
|
|
||||||
towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg framecca-wg ]
|
|
||||||
++ gdevices-wg ++ routers-wg;
|
|
||||||
gamenet-wg = [
|
gamenet-wg = [
|
||||||
andrew-wg
|
andrew-wg
|
||||||
giuliopc-wg
|
giuliopc-wg
|
||||||
|
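Review bot: `gdevices` drops the `-wg`/`-ts` suffix that every other binding in this file carries while its members are all `-ts` addresses, so readers of the nginx allow-lists and nftables rules that consume `network.gdevices` can no longer tell which overlay they are trusting. Either name it `gdevices-ts` or put `# tailscale addresses of trusted personal devices; consumed as nginx allow-lists and nftables accept rules` above it. `routers-wg` and `c2c-wg` are also removed here, so any file still referencing them would fail to evaluate; the firewall hunk in this compare drops its `c2c-wg` use, but references outside the compare are not visible from here. The `rec { ... }` set begins before this hunk.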
@ -4,7 +4,8 @@ let
|
|||||||
domain = "cloud.giugl.io";
|
domain = "cloud.giugl.io";
|
||||||
network = import ./network.nix;
|
network = import ./network.nix;
|
||||||
redis_port = 6379;
|
redis_port = 6379;
|
||||||
in {
|
in
|
||||||
|
{
|
||||||
services = {
|
services = {
|
||||||
mysql = {
|
mysql = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -3,7 +3,8 @@
|
|||||||
let
|
let
|
||||||
domain = "tweet.giugl.io";
|
domain = "tweet.giugl.io";
|
||||||
network = import ./network.nix;
|
network = import ./network.nix;
|
||||||
in {
|
in
|
||||||
|
{
|
||||||
services = {
|
services = {
|
||||||
nitter = {
|
nitter = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -4,7 +4,8 @@ let
|
|||||||
domain = "htnzb.giugl.io";
|
domain = "htnzb.giugl.io";
|
||||||
network = import ./network.nix;
|
network = import ./network.nix;
|
||||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
||||||
in {
|
in
|
||||||
|
{
|
||||||
services = {
|
services = {
|
||||||
nzbget = {
|
nzbget = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
{
|
{
|
||||||
openresty_oidc_block =
|
openresty_oidc_block =
|
||||||
{ access_role ? "", whitelisted_ips ? [] }: ''
|
{ access_role ? "", whitelisted_ips ? [ ] }: ''
|
||||||
access_by_lua_block {
|
access_by_lua_block {
|
||||||
local opts = {
|
local opts = {
|
||||||
discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
|
discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
|
||||||
|
@ -3,7 +3,8 @@
|
|||||||
let
|
let
|
||||||
domain = "media.giugl.io";
|
domain = "media.giugl.io";
|
||||||
network = import ./network.nix;
|
network = import ./network.nix;
|
||||||
in {
|
in
|
||||||
|
{
|
||||||
services.plex = {
|
services.plex = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.unstable.plex;
|
package = pkgs.unstable.plex;
|
||||||
|
@ -5,7 +5,8 @@ let
|
|||||||
conference_domain = "conference.${domain}";
|
conference_domain = "conference.${domain}";
|
||||||
upload_domain = "uploads.${domain}";
|
upload_domain = "uploads.${domain}";
|
||||||
network = import ./network.nix;
|
network = import ./network.nix;
|
||||||
in {
|
in
|
||||||
|
{
|
||||||
services = {
|
services = {
|
||||||
prosody = {
|
prosody = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -3,7 +3,8 @@
|
|||||||
let
|
let
|
||||||
domain = "htpro.giugl.io";
|
domain = "htpro.giugl.io";
|
||||||
network = import ./network.nix;
|
network = import ./network.nix;
|
||||||
in {
|
in
|
||||||
|
{
|
||||||
services = {
|
services = {
|
||||||
prowlarr.enable = true;
|
prowlarr.enable = true;
|
||||||
|
|
||||||
@ -14,7 +15,7 @@ in {
|
|||||||
proxyPass = "http://127.0.0.1:9696";
|
proxyPass = "http://127.0.0.1:9696";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
allow 10.0.0.0/24;
|
allow 10.0.0.0/24;
|
||||||
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
|
${lib.concatMapStrings (x: "allow ${x};") network.gdevices}
|
||||||
deny all;
|
deny all;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
@ -4,7 +4,8 @@ let
|
|||||||
domain = "htrad.giugl.io";
|
domain = "htrad.giugl.io";
|
||||||
network = import ./network.nix;
|
network = import ./network.nix;
|
||||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
||||||
in {
|
in
|
||||||
|
{
|
||||||
services = {
|
services = {
|
||||||
radarr = {
|
radarr = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
65
hosts/architect/searx.nix
Normal file
65
hosts/architect/searx.nix
Normal file
@ -0,0 +1,65 @@
|
|||||||
|
{ mach-nix, lib, config, pkgs, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
domain = "gugol.giugl.io";
|
||||||
|
network = import ./network.nix;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
services = {
|
||||||
|
redis.servers."searx" = { enable = true; port = 4456; };
|
||||||
|
searx = {
|
||||||
|
enable = true;
|
||||||
|
package = pkgs.searxng;
|
||||||
|
# package = mach-nix.buildPythonPackage "https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206";
|
||||||
|
|
||||||
|
environmentFile = /secrets/searx/env;
|
||||||
|
settings = {
|
||||||
|
server = {
|
||||||
|
secret_key = "@SEARX_SECRET_KEY@";
|
||||||
|
port = 4455;
|
||||||
|
};
|
||||||
|
|
||||||
|
general = {
|
||||||
|
instance_name = "Pepe's Gugol";
|
||||||
|
contact_url = "mailto:gugol@depasquale.giugl.io";
|
||||||
|
enable_metrics = false;
|
||||||
|
};
|
||||||
|
|
||||||
|
search = {
|
||||||
|
safe_search = 0;
|
||||||
|
autocomplete = "duckduckgo";
|
||||||
|
prefer_configured_language = false;
|
||||||
|
};
|
||||||
|
|
||||||
|
ui = {
|
||||||
|
infinite_scroll = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
redis.url = "127.0.0.1:${toString config.services.redis.servers."searx".port}";
|
||||||
|
|
||||||
|
engines = [
|
||||||
|
{ name = "google"; disabled = false; }
|
||||||
|
{ name = "bing"; disabled = false; }
|
||||||
|
{ name = "qwant"; disabled = false; }
|
||||||
|
{ name = "duckduckgo"; disabled = false; }
|
||||||
|
{ name = "yahoo"; disabled = false; }
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
nginx.virtualHosts.${domain} = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://127.0.0.1:${toString config.services.searx.settings.server.port}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.extraHosts = ''
|
||||||
|
${network.architect-lan} ${domain}
|
||||||
|
${network.architect-wg} ${domain}
|
||||||
|
${network.architect-ts} ${domain}
|
||||||
|
'';
|
||||||
|
}
|
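Review bot: `environmentFile = /secrets/searx/env;` is a Nix path literal rather than a string; if the consuming module ever interpolates it into a string instead of calling toString, Nix copies the file into the world-readable store, which would expose `SEARX_SECRET_KEY`. Writing it as `environmentFile = "/secrets/searx/env";` keeps the file out of the store regardless of how the option is consumed. `redis.url = "127.0.0.1:${toString config.services.redis.servers."searx".port}"` carries no `redis://` scheme, so it is worth confirming the searxng redis client accepts a bare host:port rather than silently running without redis. Unlike the other virtual hosts in this compare, this `locations."/"` has no allow/deny list, so the instance is reachable by anyone who can reach nginx on this host; if that is intended, searxng's `server.limiter` (which uses the redis backend already configured here) is the usual mitigation, and the comment `# public instance: rate limiting via server.limiter, no IP allow-list` would record the decision. The commented-out mach-nix line also has its commit URL pasted twice.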
@ -4,7 +4,8 @@ let
|
|||||||
domain = "htson.giugl.io";
|
domain = "htson.giugl.io";
|
||||||
network = import ./network.nix;
|
network = import ./network.nix;
|
||||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
||||||
in {
|
in
|
||||||
|
{
|
||||||
services = {
|
services = {
|
||||||
sonarr = {
|
sonarr = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -4,7 +4,8 @@ let
|
|||||||
network = import ./network.nix;
|
network = import ./network.nix;
|
||||||
|
|
||||||
ifname = "ts0";
|
ifname = "ts0";
|
||||||
in {
|
in
|
||||||
|
{
|
||||||
services = {
|
services = {
|
||||||
tailscale = {
|
tailscale = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -3,7 +3,8 @@
|
|||||||
let
|
let
|
||||||
domain = "httra.giugl.io";
|
domain = "httra.giugl.io";
|
||||||
network = import ./network.nix;
|
network = import ./network.nix;
|
||||||
in {
|
in
|
||||||
|
{
|
||||||
services = {
|
services = {
|
||||||
transmission = {
|
transmission = {
|
||||||
enable = true;
|
enable = true;
|
||||||
@ -27,7 +28,7 @@ in {
|
|||||||
proxyPass = "http://127.0.0.1:9091";
|
proxyPass = "http://127.0.0.1:9091";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
allow 10.0.0.0/24;
|
allow 10.0.0.0/24;
|
||||||
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
|
${lib.concatMapStrings (x: "allow ${x};") network.gdevices}
|
||||||
deny all;
|
deny all;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
@ -9,7 +9,8 @@ let
|
|||||||
export __VK_LAYER_NV_optimus=NVIDIA_only
|
export __VK_LAYER_NV_optimus=NVIDIA_only
|
||||||
exec -a "$0" "$@"
|
exec -a "$0" "$@"
|
||||||
'';
|
'';
|
||||||
in {
|
in
|
||||||
|
{
|
||||||
imports = [ ./hardware.nix ./wireguard.nix ./sound.nix ];
|
imports = [ ./hardware.nix ./wireguard.nix ./sound.nix ];
|
||||||
|
|
||||||
boot = {
|
boot = {
|
||||||
@ -70,5 +71,5 @@ in {
|
|||||||
|
|
||||||
programs.steam.enable = true;
|
programs.steam.enable = true;
|
||||||
environment.systemPackages = with pkgs; [ efibootmgr nvidia-offload ];
|
environment.systemPackages = with pkgs; [ efibootmgr nvidia-offload ];
|
||||||
# system.stateVersion = "21.05"; # Did you read the comment?
|
# system.stateVersion = "21.05"; # Did you read the comment?
|
||||||
}
|
}
|
||||||
|
@ -1,6 +0,0 @@
|
|||||||
{ pkgs, unstable, nixpkgs, nixos-unstable, home-manager, system, ... }: rec {
|
|
||||||
user = import ./user.nix { inherit pkgs unstable system home-manager; };
|
|
||||||
host = import ./host.nix {
|
|
||||||
inherit pkgs nixpkgs unstable nixos-unstable home-manager user system;
|
|
||||||
};
|
|
||||||
}
|
|
15
lib/host.nix
15
lib/host.nix
@ -5,14 +5,17 @@
|
|||||||
let
|
let
|
||||||
mkRole = role: import (../roles + "/${role}.nix");
|
mkRole = role: import (../roles + "/${role}.nix");
|
||||||
|
|
||||||
users_mod = (map (u:
|
users_mod = (map
|
||||||
user.mkUser {
|
(u:
|
||||||
name = u.user;
|
user.mkUser {
|
||||||
roles = u.roles;
|
name = u.user;
|
||||||
}) users);
|
roles = u.roles;
|
||||||
|
})
|
||||||
|
users);
|
||||||
roles_mod = (map (r: mkRole r) roles);
|
roles_mod = (map (r: mkRole r) roles);
|
||||||
add_imports = imports;
|
add_imports = imports;
|
||||||
in nixpkgs.lib.nixosSystem {
|
in
|
||||||
|
nixpkgs.lib.nixosSystem {
|
||||||
inherit system;
|
inherit system;
|
||||||
|
|
||||||
modules = [
|
modules = [
|
||||||
|
@ -5,7 +5,8 @@
|
|||||||
let
|
let
|
||||||
mkRole = role: import (../roles/home + "/${role}.nix");
|
mkRole = role: import (../roles/home + "/${role}.nix");
|
||||||
roles_mod = (map (r: mkRole r) roles);
|
roles_mod = (map (r: mkRole r) roles);
|
||||||
in {
|
in
|
||||||
|
{
|
||||||
users.groups.plugdev = { };
|
users.groups.plugdev = { };
|
||||||
|
|
||||||
fileSystems."/home/${name}/Downloads" = {
|
fileSystems."/home/${name}/Downloads" = {
|
||||||
@ -27,7 +28,8 @@
|
|||||||
let
|
let
|
||||||
mkRole = role: import (../roles/home + "/${role}.nix");
|
mkRole = role: import (../roles/home + "/${role}.nix");
|
||||||
roles_mod = (map (r: mkRole r) roles);
|
roles_mod = (map (r: mkRole r) roles);
|
||||||
in home-manager.lib.homeManagerConfiguration {
|
in
|
||||||
|
home-manager.lib.homeManagerConfiguration {
|
||||||
inherit pkgs;
|
inherit pkgs;
|
||||||
modules = [
|
modules = [
|
||||||
{
|
{
|
||||||
|
@ -9,7 +9,8 @@ let
|
|||||||
name = "guake";
|
name = "guake";
|
||||||
package = pkgs.guake;
|
package = pkgs.guake;
|
||||||
});
|
});
|
||||||
in {
|
in
|
||||||
|
{
|
||||||
imports = [ ./gnome.nix ];
|
imports = [ ./gnome.nix ];
|
||||||
|
|
||||||
nixpkgs.config.allowUnfree = true;
|
nixpkgs.config.allowUnfree = true;
|
||||||
|