

8 Commits

Author SHA1 Message Date
Giulio De Pasquale
608fd46eb4 Formatting 2023-02-11 03:29:48 +01:00
Giulio De Pasquale
a015dc2a89 Removed wireguard devices, cleanup of network names 2023-02-11 03:28:35 +01:00
Giulio De Pasquale
1990ed8a65 Revert "jellyfin: Cleanup derivation"
This reverts commit 554e5651a7.
2023-02-11 03:26:30 +01:00
Giulio De Pasquale
554e5651a7 jellyfin: Cleanup derivation 2023-02-11 03:18:52 +01:00
Giulio De Pasquale
b341bee052 architect: Enable SearxNG 2023-02-11 03:16:28 +01:00
Giulio De Pasquale
40d0b5f55c searx: Add service. WIP: use git version 2023-02-11 03:15:49 +01:00
Giulio De Pasquale
7dc674f24f flake: Removed lib/default.nix. Use callPackage to clean up use of lib utilities 2023-02-11 03:09:42 +01:00
Giulio De Pasquale
c3c61f0248 flake: formatting 2023-02-11 02:32:17 +01:00
37 changed files with 306 additions and 224 deletions


@ -32,8 +32,13 @@
}; };
wrapUtils = { pkgs, unstable, system }: wrapUtils = { pkgs, unstable, system }:
import ./lib { inherit nixpkgs nixos-unstable home-manager system pkgs unstable; }; pkgs.lib.makeScope pkgs.newScope (self: {
inherit nixpkgs home-manager nixos-unstable;
user = self.callPackage ./lib/user.nix { };
host = self.callPackage ./lib/host.nix { };
});
pkgsLinuxX64 = wrapPkgsSystem { system = sysLinuxX64; }; pkgsLinuxX64 = wrapPkgsSystem { system = sysLinuxX64; };
unstableLinuxX64 = wrapUnstablePkgsSystem { system = sysLinuxX64; }; unstableLinuxX64 = wrapUnstablePkgsSystem { system = sysLinuxX64; };
utilsLinuxX64 = wrapUtils { system = sysLinuxX64; pkgs = pkgsLinuxX64; unstable = unstableLinuxX64; }; utilsLinuxX64 = wrapUtils { system = sysLinuxX64; pkgs = pkgsLinuxX64; unstable = unstableLinuxX64; };
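Review bot: `wrapUtils` still takes `unstable` and `system` but no longer places either into the scope (`inherit nixpkgs home-manager nixos-unstable;`), so when lib/host.nix or lib/user.nix ask for `unstable` or `system`, `callPackage` will resolve them from `pkgs` (e.g. `pkgs.system`) rather than from the values the caller passed. host.nix does use `system` (`inherit system;` in its hunk further down). Either add `inherit nixpkgs home-manager nixos-unstable system unstable;` so the scope carries the explicit values, or drop the two now-unused parameters from the `wrapUtils` signature and its call site so the dependency on `pkgs` is visible.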


@ -6,8 +6,10 @@ let
]; ];
hostname = "architect"; hostname = "architect";
network = import ./network.nix; network = import ./network.nix;
in { in
imports = [ # Include the results of the hardware scan. {
imports = [
# Include the results of the hardware scan.
./backup.nix ./backup.nix
./hardware.nix ./hardware.nix
./firewall.nix ./firewall.nix
@ -29,7 +31,7 @@ in {
./invidious.nix ./invidious.nix
./nitter.nix ./nitter.nix
./lidarr.nix ./lidarr.nix
# ./navidrome.nix # ./navidrome.nix
./jellyfin.nix ./jellyfin.nix
./prosody.nix ./prosody.nix
./deluge.nix ./deluge.nix
@ -39,10 +41,11 @@ in {
./lezzo.nix ./lezzo.nix
./runas.nix ./runas.nix
./tailscale.nix ./tailscale.nix
./searx.nix
]; ];
time.timeZone = "Europe/Rome"; time.timeZone = "Europe/Rome";
# system.stateVersion = "21.11"; # system.stateVersion = "21.11";
users.users.giulio.openssh.authorizedKeys.keys = pubkeys; users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
boot = { boot = {
initrd = { initrd = {


@ -4,7 +4,8 @@ let
domain = "htdel.giugl.io"; domain = "htdel.giugl.io";
network = import ./network.nix; network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in { in
{
services = { services = {
deluge = { deluge = {
enable = true; enable = true;


@ -1,6 +1,6 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
adguard_webui_port = 3031; adguard_webui_port = 3031;
adguard_dns_port = "5300"; adguard_dns_port = "5300";
dnscrypt_listen_port = "5353"; dnscrypt_listen_port = "5353";


@ -9,13 +9,13 @@ let
https_tcp = 443; https_tcp = 443;
synapse_tcp = 8448; synapse_tcp = 8448;
gitea_tcp = 10022; gitea_tcp = 10022;
prosody_tcp = 5222; prosody_tcp = 5222;
minecraft_tcp = 25565; minecraft_tcp = 25565;
# UDP services # UDP services
dns_udp = 53; dns_udp = 53;
wireguard_udp = 1194; wireguard_udp = 1194;
# TCP/UDP services # TCP/UDP services
torrent_a = 51413; torrent_a = 51413;
torrent_b = 51414; torrent_b = 51414;
@ -49,7 +49,8 @@ let
wireguard_udp wireguard_udp
]; ];
in { in
{
networking = { networking = {
# needed to use nftables # needed to use nftables
firewall.enable = false; firewall.enable = false;
@ -58,176 +59,171 @@ in {
nftables = { nftables = {
enable = true; enable = true;
ruleset = '' ruleset = ''
table ip raw { table ip raw {
chain PREROUTING { chain PREROUTING {
type filter hook prerouting priority raw; policy accept; type filter hook prerouting priority raw; policy accept;
} }
chain OUTPUT { chain OUTPUT {
type filter hook output priority raw; policy accept; type filter hook output priority raw; policy accept;
} }
} }
table ip nat { table ip nat {
chain PREROUTING { chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept; type nat hook prerouting priority dstnat; policy accept;
} }
chain INPUT { chain INPUT {
type nat hook input priority 100; policy accept; type nat hook input priority 100; policy accept;
} }
chain OUTPUT { chain OUTPUT {
type nat hook output priority -100; policy accept; type nat hook output priority -100; policy accept;
} }
chain POSTROUTING { chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept; type nat hook postrouting priority srcnat; policy accept;
oifname ${wan-if} ip saddr {${ oifname ${wan-if} ip saddr {${
lib.concatStringsSep "," towan-wg lib.concatStringsSep "," towan-wg
}} masquerade }} masquerade
oifname ${wan-if} ip saddr ${docker-net} masquerade oifname ${wan-if} ip saddr ${docker-net} masquerade
oifname ${wan-if} ip saddr ${tailscale-net} masquerade oifname ${wan-if} ip saddr ${tailscale-net} masquerade
} }
} }
table ip mangle { table ip mangle {
chain PREROUTING { chain PREROUTING {
type filter hook prerouting priority mangle; policy drop; type filter hook prerouting priority mangle; policy drop;
ct state invalid,untracked drop comment "drop invalid" ct state invalid,untracked drop comment "drop invalid"
ip daddr 255.255.255.255 accept comment "allow broadcast traffic" ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}" iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}"
iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}" iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}"
iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}" iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}" iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}"
iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}" iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}" iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}"
iifname ${tailscale-if} ip saddr ${tailscale-net} accept iifname ${tailscale-if} ip saddr ${tailscale-net} accept
iifname "lo" accept comment "bind any ip to intf lo" iifname "lo" accept comment "bind any ip to intf lo"
jump mangle_drop jump mangle_drop
} }
chain INPUT { chain INPUT {
type filter hook input priority mangle; policy accept; type filter hook input priority mangle; policy accept;
} }
chain FORWARD { chain FORWARD {
type filter hook forward priority mangle; policy accept; type filter hook forward priority mangle; policy accept;
} }
chain OUTPUT { chain OUTPUT {
type route hook output priority mangle; policy accept; type route hook output priority mangle; policy accept;
} }
chain POSTROUTING { chain POSTROUTING {
type filter hook postrouting priority mangle; policy accept; type filter hook postrouting priority mangle; policy accept;
} }
chain mangle_drop { chain mangle_drop {
ip protocol icmp jump mangle_drop_icmp ip protocol icmp jump mangle_drop_icmp
ip protocol udp jump mangle_drop_udp ip protocol udp jump mangle_drop_udp
ip protocol tcp jump mangle_drop_tcp ip protocol tcp jump mangle_drop_tcp
log prefix "MANGLE-DROP-UNK " log prefix "MANGLE-DROP-UNK "
drop drop
} }
chain mangle_drop_icmp { chain mangle_drop_icmp {
log prefix "MANGLE-DROP-ICMP " log prefix "MANGLE-DROP-ICMP "
drop drop
} }
chain mangle_drop_tcp { chain mangle_drop_tcp {
log prefix "MANGLE-DROP-TCP " log prefix "MANGLE-DROP-TCP "
drop drop
} }
chain mangle_drop_udp { chain mangle_drop_udp {
log prefix "MANGLE-DROP-UDP " log prefix "MANGLE-DROP-UDP "
drop drop
} }
} }
table ip filter { table ip filter {
chain INPUT { chain INPUT {
type filter hook input priority filter; policy drop; type filter hook input priority filter; policy drop;
ct state established,related accept ct state established,related accept
iifname "lo" accept comment "loopback" iifname "lo" accept comment "loopback"
ip daddr 255.255.255.255 accept comment "allow broadcast traffic" ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
ip saddr ${lan-net} accept comment "lan > local" ip saddr ${lan-net} accept comment "lan > local"
ip saddr ${tailscale-net} accept comment "tailscale > local" ip saddr ${tailscale-net} accept comment "tailscale > local"
ip saddr {${lib.concatStringsSep "," gdevices-wg}} accept comment "vpn > local" ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
iifname ${wan-if} tcp dport {${open_tcp_ports}} accept iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
iifname ${wan-if} udp dport {${open_udp_ports}} accept iifname ${wan-if} udp dport {${open_udp_ports}} accept
iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept
iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept
iifname ${vpn-if} icmp type echo-request accept iifname ${vpn-if} icmp type echo-request accept
iifname ${docker-if} udp dport 53 accept iifname ${docker-if} udp dport 53 accept
jump filter_drop jump filter_drop
} }
chain FORWARD { chain FORWARD {
type filter hook forward priority filter; policy drop; type filter hook forward priority filter; policy drop;
ct state established,related accept ct state established,related accept
# client to client
ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${
lib.concatStringsSep "," c2c-wg
}} accept
# gdevices talking to everyone in VPN # gdevices talking to everyone in VPN
ip saddr {${ ip saddr {${
lib.concatStringsSep "," gdevices-wg lib.concatStringsSep "," gdevices
}} ip daddr ${vpn-net} accept }} ip daddr ${vpn-net} accept
ip saddr {${ ip saddr {${
lib.concatStringsSep "," gamenet-wg lib.concatStringsSep "," gamenet-wg
}} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept }} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept
# nat to wan # nat to wan
oifname ${wan-if} ip saddr {${ oifname ${wan-if} ip saddr {${
lib.concatStringsSep "," towan-wg lib.concatStringsSep "," towan-wg
}} accept }} accept
oifname ${wan-if} ip saddr ${docker-net} accept oifname ${wan-if} ip saddr ${docker-net} accept
oifname ${wan-if} ip saddr ${tailscale-net} accept oifname ${wan-if} ip saddr ${tailscale-net} accept
jump filter_drop jump filter_drop
} }
chain OUTPUT { chain OUTPUT {
type filter hook output priority filter; policy drop; type filter hook output priority filter; policy drop;
ct state established,related accept ct state established,related accept
accept comment "local > *" accept comment "local > *"
jump filter_drop jump filter_drop
} }
chain filter_drop { chain filter_drop {
ip protocol icmp jump filter_drop_icmp ip protocol icmp jump filter_drop_icmp
ip protocol udp jump filter_drop_udp ip protocol udp jump filter_drop_udp
ip protocol tcp jump filter_drop_tcp ip protocol tcp jump filter_drop_tcp
log prefix "DROP-UNK " log prefix "DROP-UNK "
drop drop
} }
chain filter_drop_icmp { chain filter_drop_icmp {
log prefix "DROP-icmp " log prefix "DROP-icmp "
drop drop
} }
chain filter_drop_tcp { chain filter_drop_tcp {
log prefix "DROP-tcp " log prefix "DROP-tcp "
drop drop
} }
chain filter_drop_udp { chain filter_drop_udp {
log prefix "DROP-udp " log prefix "DROP-udp "
drop drop
} }
} }
''; '';
}; };
}; };
} }
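Review bot: The INPUT rule `ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"` now trusts Tailscale addresses by source IP alone with no `iifname` qualifier, while the anti-spoofing rules in `mangle PREROUTING` only drop `${vpn-net}` and `127.0.0.0/8` on `${wan-if}`; a datagram arriving on WAN with a forged source inside `${tailscale-net}` appears to pass `iifname ${wan-if} accept` in mangle and is then accepted here (and by the pre-existing `${tailscale-net}` rule above it), which matters for the UDP and stateless cases at least. Consider adding `iifname ${wan-if} ip saddr ${tailscale-net} drop comment "bind any ip to intf ${wan-if}"` next to the vpn-net drop, or qualifying the gdevices rules with `iifname ${tailscale-if}`; the same applies to the FORWARD rule `ip saddr {${lib.concatStringsSep "," gdevices}} ip daddr ${vpn-net} accept`. The comment `"vpn > local"` is now misleading since gdevices are Tailscale hosts — `"tailscale admin devices > local"` would match the new meaning. Separately, the commit removes the WireGuard device groups yet `wireguard_udp` remains in the WAN allow set and `towan-wg`/`gamenet-wg` are still referenced; if WireGuard is gone these are dead openings worth pruning, and if not, the commit message understates what is still exposed.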


@ -26,8 +26,8 @@ in
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:3000"; proxyPass = "http://127.0.0.1:3000";
# it does not work, it breaks gitea's web portal # it does not work, it breaks gitea's web portal
# extraConfig = auth_block { access_role = "git"; }; # extraConfig = auth_block { access_role = "git"; };
}; };
}; };


@ -38,7 +38,7 @@
}; };
swapDevices = [{ swapDevices = [{
device = "/swapfile"; device = "/swapfile";
size = 1024 * 64; size = 1024 * 64;
}]; }];
boot = { boot = {


@ -5,7 +5,8 @@ let
network = import ./network.nix; network = import ./network.nix;
host = "127.0.0.1"; host = "127.0.0.1";
port = 8123; port = 8123;
in { in
{
services = { services = {
mosquitto = { mosquitto = {
enable = true; enable = true;
@ -52,7 +53,7 @@ in {
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
allow 10.0.0.0/24; allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg} ${lib.concatMapStrings (x: "allow ${x};") network.gdevices}
deny all; deny all;
''; '';
}; };


@ -19,7 +19,7 @@ in
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices-wg; } + extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices; } +
'' ''
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";


@ -3,7 +3,8 @@
let let
network = import ./network.nix; network = import ./network.nix;
domain = "auth.giugl.io"; domain = "auth.giugl.io";
in { in
{
services = { services = {
keycloak = { keycloak = {
enable = true; enable = true;
@ -36,7 +37,7 @@ in {
locations = { locations = {
"/" = { return = "301 https://${domain}/realms/master/account"; }; "/" = { return = "301 https://${domain}/realms/master/account"; };
"/admin" = { "/admin" = {
proxyPass = "http://127.0.0.1:${ proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port toString config.services.keycloak.settings.http-port


@ -16,7 +16,7 @@ in
forceSSL = true; forceSSL = true;
root = lezzo_root; root = lezzo_root;
locations."/.git" = { return = "404"; }; locations."/.git" = { return = "404"; };
}; };


@ -4,7 +4,8 @@ let
domain = "htlid.giugl.io"; domain = "htlid.giugl.io";
network = import ./network.nix; network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in { in
{
services = { services = {
lidarr = { lidarr = {
enable = true; enable = true;


@ -27,7 +27,7 @@ in
]; ];
auto_join_rooms = [ "#general:${domain}" "#music:${domain}" "#movies:${domain}" ]; auto_join_rooms = [ "#general:${domain}" "#music:${domain}" "#movies:${domain}" ];
oidc_providers = [{ oidc_providers = [{
idp_id = "keycloak"; idp_id = "keycloak";
idp_name = "Architect SSO"; idp_name = "Architect SSO";
@ -97,9 +97,9 @@ in
return 200 '${builtins.toJSON client}'; return 200 '${builtins.toJSON client}';
''; '';
# locations."/".extraConfig = '' # locations."/".extraConfig = ''
# return 404; # return 404;
# ''; # '';
# forward all Matrix API calls to the synapse Matrix homeserver # forward all Matrix API calls to the synapse Matrix homeserver
locations."/_matrix" = { locations."/_matrix" = {


@ -3,7 +3,8 @@
let let
domain = "s3.giugl.io"; domain = "s3.giugl.io";
network = import ./network.nix; network = import ./network.nix;
in { in
{
services = { services = {
minio.enable = true; minio.enable = true;
@ -15,7 +16,7 @@ in {
extraConfig = '' extraConfig = ''
client_max_body_size 500M; client_max_body_size 500M;
allow 10.0.0.0/24; allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg } ${lib.concatMapStrings (x: "allow ${x};") network.gdevices }
allow ${network.manduria-wg}; allow ${network.manduria-wg};
deny all; deny all;
''; '';


@ -63,21 +63,21 @@ in {
AmbientCapabilities = ""; AmbientCapabilities = "";
CapabilityBoundingSet = ""; CapabilityBoundingSet = "";
# # ProtectClock= adds DeviceAllow=char-rtc r # # ProtectClock= adds DeviceAllow=char-rtc r
# DeviceAllow = [ # DeviceAllow = [
# "char-drm r" # "char-drm r"
# "/dev/nvidia0 r" # "/dev/nvidia0 r"
# "/dev/nvidiactl r" # "/dev/nvidiactl r"
# "/dev/nvidia-uvm r" # "/dev/nvidia-uvm r"
# "/dev/nvidia-uvm-tools r" # "/dev/nvidia-uvm-tools r"
# ]; # ];
DeviceAllow = ""; DeviceAllow = "";
LockPersonality = true; LockPersonality = true;
PrivateTmp = true; PrivateTmp = true;
PrivateUsers = true; PrivateUsers = true;
# ProtectClock = true; # ProtectClock = true;
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectHostname = true; ProtectHostname = true;
ProtectKernelLogs = true; ProtectKernelLogs = true;
@ -87,7 +87,7 @@ in {
RemoveIPC = true; RemoveIPC = true;
RestrictNamespaces = true; RestrictNamespaces = true;
# # AF_NETLINK needed because Jellyfin monitors the network connection # # AF_NETLINK needed because Jellyfin monitors the network connection
RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" "AF_UNIX" ]; RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;


@ -6,7 +6,8 @@ let
library_path = "/media/Music"; library_path = "/media/Music";
beets_config = "/media/beets.conf"; beets_config = "/media/beets.conf";
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in { in
{
services = { services = {
navidrome = { navidrome = {
enable = true; enable = true;


@ -60,14 +60,10 @@ rec {
architect-ts = "100.67.205.28"; architect-ts = "100.67.205.28";
giuliopc-ts = "100.124.78.64"; giuliopc-ts = "100.124.78.64";
dodino-ts = "100.106.244.35"; dodino-ts = "100.106.244.35";
# groups # groups
gdevices-wg = gdevices = [ giuliophone-ts architect-ts giuliopc-ts dodino-ts ];
[ giuliopc-wg giuliophone-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg; towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg framecca-wg ];
routers-wg = [ hotpottino-wg angellane-wg dodino-wg ];
c2c-wg = [ ] ++ gdevices-wg;
towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg framecca-wg ]
++ gdevices-wg ++ routers-wg;
gamenet-wg = [ gamenet-wg = [
andrew-wg andrew-wg
giuliopc-wg giuliopc-wg
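Review bot: The commit message says WireGuard devices were removed, but `towan-wg`, `gamenet-wg` and the `*-wg` addresses they reference survive in this file, `minio.nix` still uses `network.manduria-wg`, and firewall.nix still opens `wireguard_udp`; if those peers are gone the remaining lists are dead trust grants that should be pruned in the same change, and if they are not, the message is misleading. `gdevices` now also contains `architect-ts`, the host's own address, so every allow-list and firewall rule derived from `network.gdevices` (firewall.nix, homeassistant.nix, jellyfin.nix, minio.nix, prowlarr.nix, transmission.nix) whitelists the server itself; that is probably harmless for the nginx `allow` directives but deserves a comment such as `# gdevices: admin devices trusted over Tailscale (includes this host)` so the next reader knows it is deliberate. The enclosing `rec { ... }` set starts and ends outside the hunk.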


@ -4,7 +4,8 @@ let
domain = "cloud.giugl.io"; domain = "cloud.giugl.io";
network = import ./network.nix; network = import ./network.nix;
redis_port = 6379; redis_port = 6379;
in { in
{
services = { services = {
mysql = { mysql = {
enable = true; enable = true;


@ -3,7 +3,8 @@
let let
domain = "tweet.giugl.io"; domain = "tweet.giugl.io";
network = import ./network.nix; network = import ./network.nix;
in { in
{
services = { services = {
nitter = { nitter = {
enable = true; enable = true;


@ -4,7 +4,8 @@ let
domain = "htnzb.giugl.io"; domain = "htnzb.giugl.io";
network = import ./network.nix; network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in { in
{
services = { services = {
nzbget = { nzbget = {
enable = true; enable = true;


@ -2,7 +2,7 @@
{ {
openresty_oidc_block = openresty_oidc_block =
{ access_role ? "", whitelisted_ips ? [] }: '' { access_role ? "", whitelisted_ips ? [ ] }: ''
access_by_lua_block { access_by_lua_block {
local opts = { local opts = {
discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration", discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",


@ -3,7 +3,8 @@
let let
domain = "media.giugl.io"; domain = "media.giugl.io";
network = import ./network.nix; network = import ./network.nix;
in { in
{
services.plex = { services.plex = {
enable = true; enable = true;
package = pkgs.unstable.plex; package = pkgs.unstable.plex;


@ -5,7 +5,8 @@ let
conference_domain = "conference.${domain}"; conference_domain = "conference.${domain}";
upload_domain = "uploads.${domain}"; upload_domain = "uploads.${domain}";
network = import ./network.nix; network = import ./network.nix;
in { in
{
services = { services = {
prosody = { prosody = {
enable = true; enable = true;


@ -3,7 +3,8 @@
let let
domain = "htpro.giugl.io"; domain = "htpro.giugl.io";
network = import ./network.nix; network = import ./network.nix;
in { in
{
services = { services = {
prowlarr.enable = true; prowlarr.enable = true;
@ -14,7 +15,7 @@ in {
proxyPass = "http://127.0.0.1:9696"; proxyPass = "http://127.0.0.1:9696";
extraConfig = '' extraConfig = ''
allow 10.0.0.0/24; allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg} ${lib.concatMapStrings (x: "allow ${x};") network.gdevices}
deny all; deny all;
''; '';
}; };


@ -4,7 +4,8 @@ let
domain = "htrad.giugl.io"; domain = "htrad.giugl.io";
network = import ./network.nix; network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in { in
{
services = { services = {
radarr = { radarr = {
enable = true; enable = true;


@ -16,7 +16,7 @@ in
forceSSL = true; forceSSL = true;
locations."/".root = runas_root; locations."/".root = runas_root;
locations."/.git" = { return = "404"; }; locations."/.git" = { return = "404"; };
}; };

65
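--- /dev/null
+++ b/hosts/architect/searx.nix
@@ -0,0 +1,65 @@
+{ mach-nix, lib, config, pkgs, ... }:
+let
+domain = "gugol.giugl.io";
+network = import ./network.nix;
+in
+{
+services = {
+redis.servers."searx" = { enable = true; port = 4456; };
+searx = {
+enable = true;
+package = pkgs.searxng;
+# package = mach-nix.buildPythonPackage "https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206";
+environmentFile = /secrets/searx/env;
+settings = {
+server = {
+secret_key = "@SEARX_SECRET_KEY@";
+port = 4455;
+};
+general = {
+instance_name = "Pepe's Gugol";
+contact_url = "mailto:gugol@depasquale.giugl.io";
+enable_metrics = false;
+};
+search = {
+safe_search = 0;
+autocomplete = "duckduckgo";
+prefer_configured_language = false;
+};
+ui = {
+infinite_scroll = true;
+};
+redis.url = "127.0.0.1:${toString config.services.redis.servers."searx".port}";
+engines = [
+{ name = "google"; disabled = false; }
+{ name = "bing"; disabled = false; }
+{ name = "qwant"; disabled = false; }
+{ name = "duckduckgo"; disabled = false; }
+{ name = "yahoo"; disabled = false; }
+];
+};
+};
+nginx.virtualHosts.${domain} = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+proxyPass = "http://127.0.0.1:${toString config.services.searx.settings.server.port}";
+};
+};
+};
+networking.extraHosts = ''
+${network.architect-lan} ${domain}
+${network.architect-wg} ${domain}
+${network.architect-ts} ${domain}
+'';
+}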
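Review bot: `redis.url = "127.0.0.1:${toString config.services.redis.servers."searx".port}"` has no scheme, and SearXNG treats this setting as a URL (its documented forms are `redis://host:port/db` and `unix://...`), so the connection is likely to be rejected at startup; `redis.url = "redis://127.0.0.1:${toString config.services.redis.servers."searx".port}/0";` is the expected shape — confirm against the version `pkgs.searxng` provides. `environmentFile = /secrets/searx/env;` is a Nix path literal; if the module ever coerces it through string interpolation the secret file is copied into the world-readable Nix store, so prefer the string form `environmentFile = "/secrets/searx/env";` unless you have verified the module passes the value through untouched. `mach-nix` is accepted as a module argument but only appears in the commented-out `package` line, whose URL is also duplicated; drop both until the git build is actually wired in, and note in a comment that `@SEARX_SECRET_KEY@` is substituted from the environment file at service start so nobody replaces it with a literal.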


@ -4,7 +4,8 @@ let
domain = "htson.giugl.io"; domain = "htson.giugl.io";
network = import ./network.nix; network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in { in
{
services = { services = {
sonarr = { sonarr = {
enable = true; enable = true;


@ -2,9 +2,10 @@
let let
network = import ./network.nix; network = import ./network.nix;
ifname = "ts0"; ifname = "ts0";
in { in
{
services = { services = {
tailscale = { tailscale = {
enable = true; enable = true;
@ -18,4 +19,4 @@ in {
${network.dodino-ts} dodino.devs.giugl.io ${network.dodino-ts} dodino.devs.giugl.io
${network.giuliophone-ts} chuck.devs.giugl.io ${network.giuliophone-ts} chuck.devs.giugl.io
''; '';
} }


@ -3,7 +3,8 @@
let let
domain = "httra.giugl.io"; domain = "httra.giugl.io";
network = import ./network.nix; network = import ./network.nix;
in { in
{
services = { services = {
transmission = { transmission = {
enable = true; enable = true;
@ -27,7 +28,7 @@ in {
proxyPass = "http://127.0.0.1:9091"; proxyPass = "http://127.0.0.1:9091";
extraConfig = '' extraConfig = ''
allow 10.0.0.0/24; allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg} ${lib.concatMapStrings (x: "allow ${x};") network.gdevices}
deny all; deny all;
''; '';
}; };


@ -9,7 +9,8 @@ let
export __VK_LAYER_NV_optimus=NVIDIA_only export __VK_LAYER_NV_optimus=NVIDIA_only
exec -a "$0" "$@" exec -a "$0" "$@"
''; '';
in { in
{
imports = [ ./hardware.nix ./wireguard.nix ./sound.nix ]; imports = [ ./hardware.nix ./wireguard.nix ./sound.nix ];
boot = { boot = {
@ -70,5 +71,5 @@ in {
programs.steam.enable = true; programs.steam.enable = true;
environment.systemPackages = with pkgs; [ efibootmgr nvidia-offload ]; environment.systemPackages = with pkgs; [ efibootmgr nvidia-offload ];
# system.stateVersion = "21.05"; # Did you read the comment? # system.stateVersion = "21.05"; # Did you read the comment?
} }


@ -1,6 +0,0 @@
{ pkgs, unstable, nixpkgs, nixos-unstable, home-manager, system, ... }: rec {
user = import ./user.nix { inherit pkgs unstable system home-manager; };
host = import ./host.nix {
inherit pkgs nixpkgs unstable nixos-unstable home-manager user system;
};
}


@ -5,14 +5,17 @@
let let
mkRole = role: import (../roles + "/${role}.nix"); mkRole = role: import (../roles + "/${role}.nix");
users_mod = (map (u: users_mod = (map
user.mkUser { (u:
name = u.user; user.mkUser {
roles = u.roles; name = u.user;
}) users); roles = u.roles;
})
users);
roles_mod = (map (r: mkRole r) roles); roles_mod = (map (r: mkRole r) roles);
add_imports = imports; add_imports = imports;
in nixpkgs.lib.nixosSystem { in
nixpkgs.lib.nixosSystem {
inherit system; inherit system;
modules = [ modules = [


@ -5,7 +5,8 @@
let let
mkRole = role: import (../roles/home + "/${role}.nix"); mkRole = role: import (../roles/home + "/${role}.nix");
roles_mod = (map (r: mkRole r) roles); roles_mod = (map (r: mkRole r) roles);
in { in
{
users.groups.plugdev = { }; users.groups.plugdev = { };
fileSystems."/home/${name}/Downloads" = { fileSystems."/home/${name}/Downloads" = {
@ -27,7 +28,8 @@
let let
mkRole = role: import (../roles/home + "/${role}.nix"); mkRole = role: import (../roles/home + "/${role}.nix");
roles_mod = (map (r: mkRole r) roles); roles_mod = (map (r: mkRole r) roles);
in home-manager.lib.homeManagerConfiguration { in
home-manager.lib.homeManagerConfiguration {
inherit pkgs; inherit pkgs;
modules = [ modules = [
{ {


@ -1,4 +1,4 @@
{ {
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults = { defaults = {


@ -9,7 +9,8 @@ let
name = "guake"; name = "guake";
package = pkgs.guake; package = pkgs.guake;
}); });
in { in
{
imports = [ ./gnome.nix ]; imports = [ ./gnome.nix ];
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;


@ -10,12 +10,12 @@
user = "root"; user = "root";
identityFile = "~/.ssh/architectproxy"; identityFile = "~/.ssh/architectproxy";
}; };
"192.35.222.32" = { "192.35.222.32" = {
user = "giulio"; user = "giulio";
identityFile = "~/.ssh/gitlab-ucsb"; identityFile = "~/.ssh/gitlab-ucsb";
}; };
"tommy.devs.giugl.io" = { "tommy.devs.giugl.io" = {
user = "giulio"; user = "giulio";
identityFile = "~/.ssh/tommypc"; identityFile = "~/.ssh/tommypc";