Giulio De Pasquale
608fd46eb4 Formatting 2023-02-11 03:29:48 +01:00
Giulio De Pasquale
a015dc2a89 Removed wireguard devices, cleanup of network names 2023-02-11 03:28:35 +01:00
Giulio De Pasquale
1990ed8a65 Revert "jellyfin: Cleanup derivation"
This reverts commit 554e5651a7.
2023-02-11 03:26:30 +01:00
Giulio De Pasquale
554e5651a7 jellyfin: Cleanup derivation 2023-02-11 03:18:52 +01:00
Giulio De Pasquale
b341bee052 architect: Enable SearxNG 2023-02-11 03:16:28 +01:00
Giulio De Pasquale
40d0b5f55c searx: Add service. WIP: use git version 2023-02-11 03:15:49 +01:00
Giulio De Pasquale
7dc674f24f flake: Removed lib/default.nix. Use callPackage to clean up use of lib utilities 2023-02-11 03:09:42 +01:00
Giulio De Pasquale
c3c61f0248 flake: formatting 2023-02-11 02:32:17 +01:00
37 changed files with 306 additions and 224 deletions


@ -32,8 +32,13 @@
};
wrapUtils = { pkgs, unstable, system }:
import ./lib { inherit nixpkgs nixos-unstable home-manager system pkgs unstable; };
pkgs.lib.makeScope pkgs.newScope (self: {
inherit nixpkgs home-manager nixos-unstable;
user = self.callPackage ./lib/user.nix { };
host = self.callPackage ./lib/host.nix { };
});
pkgsLinuxX64 = wrapPkgsSystem { system = sysLinuxX64; };
unstableLinuxX64 = wrapUnstablePkgsSystem { system = sysLinuxX64; };
utilsLinuxX64 = wrapUtils { system = sysLinuxX64; pkgs = pkgsLinuxX64; unstable = unstableLinuxX64; };
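Review bot: `wrapUtils` still takes `unstable` and `system`, but the new `pkgs.lib.makeScope pkgs.newScope (self: { inherit nixpkgs home-manager nixos-unstable; … })` body no longer forwards either of them, so the `callPackage` calls for `./lib/user.nix` and `./lib/host.nix` can only resolve `system`/`unstable` from attributes of `pkgs` (host.nix does `inherit system;` in the same series), which works only if the overlay exposes them. Either put them into the scope, `inherit nixpkgs home-manager nixos-unstable unstable system;`, or drop the two unused parameters from `wrapUtils` and from the `utilsLinuxX64` call on the last line. The enclosing attribute set starts before the hunk.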


@ -6,8 +6,10 @@ let
];
hostname = "architect";
network = import ./network.nix;
in {
imports = [ # Include the results of the hardware scan.
in
{
imports = [
# Include the results of the hardware scan.
./backup.nix
./hardware.nix
./firewall.nix
@ -29,7 +31,7 @@ in {
./invidious.nix
./nitter.nix
./lidarr.nix
# ./navidrome.nix
# ./navidrome.nix
./jellyfin.nix
./prosody.nix
./deluge.nix
@ -39,10 +41,11 @@ in {
./lezzo.nix
./runas.nix
./tailscale.nix
./searx.nix
];
time.timeZone = "Europe/Rome";
# system.stateVersion = "21.11";
# system.stateVersion = "21.11";
users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
boot = {
initrd = {


@ -4,7 +4,8 @@ let
domain = "htdel.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in {
in
{
services = {
deluge = {
enable = true;


@ -1,6 +1,6 @@
{ config, pkgs, lib, ... }:
let
let
adguard_webui_port = 3031;
adguard_dns_port = "5300";
dnscrypt_listen_port = "5353";


@ -9,13 +9,13 @@ let
https_tcp = 443;
synapse_tcp = 8448;
gitea_tcp = 10022;
prosody_tcp = 5222;
prosody_tcp = 5222;
minecraft_tcp = 25565;
# UDP services
dns_udp = 53;
wireguard_udp = 1194;
# TCP/UDP services
torrent_a = 51413;
torrent_b = 51414;
@ -49,7 +49,8 @@ let
wireguard_udp
];
in {
in
{
networking = {
# needed to use nftables
firewall.enable = false;
@ -58,176 +59,171 @@ in {
nftables = {
enable = true;
ruleset = ''
table ip raw {
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
}
table ip raw {
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
}
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
}
}
table ip nat {
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
}
table ip nat {
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
}
chain INPUT {
type nat hook input priority 100; policy accept;
}
chain INPUT {
type nat hook input priority 100; policy accept;
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname ${wan-if} ip saddr {${
lib.concatStringsSep "," towan-wg
}} masquerade
oifname ${wan-if} ip saddr ${docker-net} masquerade
oifname ${wan-if} ip saddr ${tailscale-net} masquerade
}
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname ${wan-if} ip saddr {${
lib.concatStringsSep "," towan-wg
}} masquerade
oifname ${wan-if} ip saddr ${docker-net} masquerade
oifname ${wan-if} ip saddr ${tailscale-net} masquerade
}
}
table ip mangle {
chain PREROUTING {
type filter hook prerouting priority mangle; policy drop;
ct state invalid,untracked drop comment "drop invalid"
ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}"
iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}"
iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}"
iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}"
iifname ${tailscale-if} ip saddr ${tailscale-net} accept
iifname "lo" accept comment "bind any ip to intf lo"
jump mangle_drop
}
table ip mangle {
chain PREROUTING {
type filter hook prerouting priority mangle; policy drop;
ct state invalid,untracked drop comment "drop invalid"
ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}"
iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}"
iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}"
iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}"
iifname ${tailscale-if} ip saddr ${tailscale-net} accept
iifname "lo" accept comment "bind any ip to intf lo"
jump mangle_drop
}
chain INPUT {
type filter hook input priority mangle; policy accept;
}
chain INPUT {
type filter hook input priority mangle; policy accept;
}
chain FORWARD {
type filter hook forward priority mangle; policy accept;
}
chain FORWARD {
type filter hook forward priority mangle; policy accept;
}
chain OUTPUT {
type route hook output priority mangle; policy accept;
}
chain OUTPUT {
type route hook output priority mangle; policy accept;
}
chain POSTROUTING {
type filter hook postrouting priority mangle; policy accept;
}
chain POSTROUTING {
type filter hook postrouting priority mangle; policy accept;
}
chain mangle_drop {
ip protocol icmp jump mangle_drop_icmp
ip protocol udp jump mangle_drop_udp
ip protocol tcp jump mangle_drop_tcp
log prefix "MANGLE-DROP-UNK "
drop
}
chain mangle_drop {
ip protocol icmp jump mangle_drop_icmp
ip protocol udp jump mangle_drop_udp
ip protocol tcp jump mangle_drop_tcp
log prefix "MANGLE-DROP-UNK "
drop
}
chain mangle_drop_icmp {
log prefix "MANGLE-DROP-ICMP "
drop
}
chain mangle_drop_icmp {
log prefix "MANGLE-DROP-ICMP "
drop
}
chain mangle_drop_tcp {
log prefix "MANGLE-DROP-TCP "
drop
}
chain mangle_drop_tcp {
log prefix "MANGLE-DROP-TCP "
drop
}
chain mangle_drop_udp {
log prefix "MANGLE-DROP-UDP "
drop
}
}
chain mangle_drop_udp {
log prefix "MANGLE-DROP-UDP "
drop
}
}
table ip filter {
chain INPUT {
type filter hook input priority filter; policy drop;
table ip filter {
chain INPUT {
type filter hook input priority filter; policy drop;
ct state established,related accept
iifname "lo" accept comment "loopback"
ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
ip saddr ${lan-net} accept comment "lan > local"
ip saddr ${tailscale-net} accept comment "tailscale > local"
ip saddr {${lib.concatStringsSep "," gdevices-wg}} accept comment "vpn > local"
ct state established,related accept
iifname "lo" accept comment "loopback"
ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
ip saddr ${lan-net} accept comment "lan > local"
ip saddr ${tailscale-net} accept comment "tailscale > local"
ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
iifname ${wan-if} udp dport {${open_udp_ports}} accept
iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept
iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept
iifname ${vpn-if} icmp type echo-request accept
iifname ${docker-if} udp dport 53 accept
jump filter_drop
}
iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
iifname ${wan-if} udp dport {${open_udp_ports}} accept
iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept
iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept
iifname ${vpn-if} icmp type echo-request accept
iifname ${docker-if} udp dport 53 accept
jump filter_drop
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
ct state established,related accept
# client to client
ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${
lib.concatStringsSep "," c2c-wg
}} accept
chain FORWARD {
type filter hook forward priority filter; policy drop;
ct state established,related accept
# gdevices talking to everyone in VPN
ip saddr {${
lib.concatStringsSep "," gdevices-wg
}} ip daddr ${vpn-net} accept
ip saddr {${
lib.concatStringsSep "," gamenet-wg
}} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept
# gdevices talking to everyone in VPN
ip saddr {${
lib.concatStringsSep "," gdevices
}} ip daddr ${vpn-net} accept
ip saddr {${
lib.concatStringsSep "," gamenet-wg
}} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept
# nat to wan
oifname ${wan-if} ip saddr {${
lib.concatStringsSep "," towan-wg
}} accept
# nat to wan
oifname ${wan-if} ip saddr {${
lib.concatStringsSep "," towan-wg
}} accept
oifname ${wan-if} ip saddr ${docker-net} accept
oifname ${wan-if} ip saddr ${tailscale-net} accept
oifname ${wan-if} ip saddr ${docker-net} accept
oifname ${wan-if} ip saddr ${tailscale-net} accept
jump filter_drop
}
jump filter_drop
}
chain OUTPUT {
type filter hook output priority filter; policy drop;
ct state established,related accept
accept comment "local > *"
jump filter_drop
}
chain OUTPUT {
type filter hook output priority filter; policy drop;
ct state established,related accept
accept comment "local > *"
jump filter_drop
}
chain filter_drop {
ip protocol icmp jump filter_drop_icmp
ip protocol udp jump filter_drop_udp
ip protocol tcp jump filter_drop_tcp
log prefix "DROP-UNK "
drop
}
chain filter_drop {
ip protocol icmp jump filter_drop_icmp
ip protocol udp jump filter_drop_udp
ip protocol tcp jump filter_drop_tcp
log prefix "DROP-UNK "
drop
}
chain filter_drop_icmp {
log prefix "DROP-icmp "
drop
}
chain filter_drop_icmp {
log prefix "DROP-icmp "
drop
}
chain filter_drop_tcp {
log prefix "DROP-tcp "
drop
}
chain filter_drop_tcp {
log prefix "DROP-tcp "
drop
}
chain filter_drop_udp {
log prefix "DROP-udp "
drop
}
}
'';
chain filter_drop_udp {
log prefix "DROP-udp "
drop
}
}
'';
};
};
}
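Review bot: In the filter INPUT chain the rewritten rule `ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"` looks redundant and its comment is now stale: network.nix in this series fills `gdevices` with Tailscale (`-ts`) addresses, which the `ip saddr ${tailscale-net} accept comment "tailscale > local"` rule two lines above already admits. If the rule is kept, rename the comment, e.g. `comment "gdevices (tailscale) > local"`, so the ruleset and nft logs read correctly; if `gdevices` is meant to hold addresses outside `tailscale-net`, say so beside its definition. In the FORWARD chain the corresponding `ip saddr {…gdevices…} ip daddr ${vpn-net} accept` now lets Tailscale peers initiate into the WireGuard network with only `ct state established,related` covering the reverse direction, which is presumably intended but deserves a one-line comment. The `let` that defines the interface and port lists starts before the first hunk.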


@ -26,8 +26,8 @@ in
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
# it does not work, it breaks gitea's web portal
# extraConfig = auth_block { access_role = "git"; };
# it does not work, it breaks gitea's web portal
# extraConfig = auth_block { access_role = "git"; };
};
};


@ -38,7 +38,7 @@
};
swapDevices = [{
device = "/swapfile";
size = 1024 * 64;
size = 1024 * 64;
}];
boot = {


@ -5,7 +5,8 @@ let
network = import ./network.nix;
host = "127.0.0.1";
port = 8123;
in {
in
{
services = {
mosquitto = {
enable = true;
@ -52,7 +53,7 @@ in {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
${lib.concatMapStrings (x: "allow ${x};") network.gdevices}
deny all;
'';
};


@ -19,7 +19,7 @@ in
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices-wg; } +
extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices; } +
''
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";


@ -3,7 +3,8 @@
let
network = import ./network.nix;
domain = "auth.giugl.io";
in {
in
{
services = {
keycloak = {
enable = true;
@ -36,7 +37,7 @@ in {
locations = {
"/" = { return = "301 https://${domain}/realms/master/account"; };
"/admin" = {
proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port


@ -16,7 +16,7 @@ in
forceSSL = true;
root = lezzo_root;
locations."/.git" = { return = "404"; };
};


@ -4,7 +4,8 @@ let
domain = "htlid.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in {
in
{
services = {
lidarr = {
enable = true;


@ -27,7 +27,7 @@ in
];
auto_join_rooms = [ "#general:${domain}" "#music:${domain}" "#movies:${domain}" ];
oidc_providers = [{
idp_id = "keycloak";
idp_name = "Architect SSO";
@ -97,9 +97,9 @@ in
return 200 '${builtins.toJSON client}';
'';
# locations."/".extraConfig = ''
# return 404;
# '';
# locations."/".extraConfig = ''
# return 404;
# '';
# forward all Matrix API calls to the synapse Matrix homeserver
locations."/_matrix" = {


@ -3,7 +3,8 @@
let
domain = "s3.giugl.io";
network = import ./network.nix;
in {
in
{
services = {
minio.enable = true;
@ -15,7 +16,7 @@ in {
extraConfig = ''
client_max_body_size 500M;
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg }
${lib.concatMapStrings (x: "allow ${x};") network.gdevices }
allow ${network.manduria-wg};
deny all;
'';
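Review bot: `allow ${network.manduria-wg};` on the line after the rewritten `gdevices` loop still grants a WireGuard peer address while this series removes WireGuard devices from network.nix; if `manduria-wg` was dropped there, evaluation fails on the missing attribute, and if it survives it is now the only non-Tailscale allowance in this vhost and should say why it stays. Suggest either removing the line or annotating it, `allow ${network.manduria-wg}; # wg peer kept on purpose`. The `extraConfig` block belongs to a vhost definition that starts before the hunk.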


@ -63,21 +63,21 @@ in {
AmbientCapabilities = "";
CapabilityBoundingSet = "";
# # ProtectClock= adds DeviceAllow=char-rtc r
# DeviceAllow = [
# "char-drm r"
# "/dev/nvidia0 r"
# "/dev/nvidiactl r"
# "/dev/nvidia-uvm r"
# "/dev/nvidia-uvm-tools r"
# ];
# # ProtectClock= adds DeviceAllow=char-rtc r
# DeviceAllow = [
# "char-drm r"
# "/dev/nvidia0 r"
# "/dev/nvidiactl r"
# "/dev/nvidia-uvm r"
# "/dev/nvidia-uvm-tools r"
# ];
DeviceAllow = "";
LockPersonality = true;
PrivateTmp = true;
PrivateUsers = true;
# ProtectClock = true;
# ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
@ -87,7 +87,7 @@ in {
RemoveIPC = true;
RestrictNamespaces = true;
# # AF_NETLINK needed because Jellyfin monitors the network connection
# # AF_NETLINK needed because Jellyfin monitors the network connection
RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictRealtime = true;
RestrictSUIDSGID = true;


@ -6,7 +6,8 @@ let
library_path = "/media/Music";
beets_config = "/media/beets.conf";
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in {
in
{
services = {
navidrome = {
enable = true;


@ -60,14 +60,10 @@ rec {
architect-ts = "100.67.205.28";
giuliopc-ts = "100.124.78.64";
dodino-ts = "100.106.244.35";
# groups
gdevices-wg =
[ giuliopc-wg giuliophone-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg;
routers-wg = [ hotpottino-wg angellane-wg dodino-wg ];
c2c-wg = [ ] ++ gdevices-wg;
towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg framecca-wg ]
++ gdevices-wg ++ routers-wg;
gdevices = [ giuliophone-ts architect-ts giuliopc-ts dodino-ts ];
towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg framecca-wg ];
gamenet-wg = [
andrew-wg
giuliopc-wg
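Review bot: The new `gdevices = [ giuliophone-ts architect-ts giuliopc-ts dodino-ts ];` is the only group without a transport suffix while `towan-wg` and `gamenet-wg` keep `-wg`, so readers of firewall.nix and the nginx `allow` lists can no longer tell from the name that its members are Tailscale addresses. Consider `gdevices-ts = [ giuliophone-ts architect-ts giuliopc-ts dodino-ts ];` with the consumers in this series renamed accordingly, or at least a comment above it, `# tailscale addresses; the wg device groups were removed`. The `rec { … }` set starts before the hunk.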


@ -4,7 +4,8 @@ let
domain = "cloud.giugl.io";
network = import ./network.nix;
redis_port = 6379;
in {
in
{
services = {
mysql = {
enable = true;


@ -3,7 +3,8 @@
let
domain = "tweet.giugl.io";
network = import ./network.nix;
in {
in
{
services = {
nitter = {
enable = true;


@ -4,7 +4,8 @@ let
domain = "htnzb.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in {
in
{
services = {
nzbget = {
enable = true;


@ -2,7 +2,7 @@
{
openresty_oidc_block =
{ access_role ? "", whitelisted_ips ? [] }: ''
{ access_role ? "", whitelisted_ips ? [ ] }: ''
access_by_lua_block {
local opts = {
discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",


@ -3,7 +3,8 @@
let
domain = "media.giugl.io";
network = import ./network.nix;
in {
in
{
services.plex = {
enable = true;
package = pkgs.unstable.plex;


@ -5,7 +5,8 @@ let
conference_domain = "conference.${domain}";
upload_domain = "uploads.${domain}";
network = import ./network.nix;
in {
in
{
services = {
prosody = {
enable = true;


@ -3,7 +3,8 @@
let
domain = "htpro.giugl.io";
network = import ./network.nix;
in {
in
{
services = {
prowlarr.enable = true;
@ -14,7 +15,7 @@ in {
proxyPass = "http://127.0.0.1:9696";
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
${lib.concatMapStrings (x: "allow ${x};") network.gdevices}
deny all;
'';
};


@ -4,7 +4,8 @@ let
domain = "htrad.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in {
in
{
services = {
radarr = {
enable = true;


@ -16,7 +16,7 @@ in
forceSSL = true;
locations."/".root = runas_root;
locations."/.git" = { return = "404"; };
};

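--- /dev/null
+++ b/hosts/architect/searx.nix
@@ -0,0 +1,65 @@
+{ mach-nix, lib, config, pkgs, ... }:
+let
+domain = "gugol.giugl.io";
+network = import ./network.nix;
+in
+{
+services = {
+redis.servers."searx" = { enable = true; port = 4456; };
+searx = {
+enable = true;
+package = pkgs.searxng;
+# package = mach-nix.buildPythonPackage "https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206";
+environmentFile = /secrets/searx/env;
+settings = {
+server = {
+secret_key = "@SEARX_SECRET_KEY@";
+port = 4455;
+};
+general = {
+instance_name = "Pepe's Gugol";
+contact_url = "mailto:gugol@depasquale.giugl.io";
+enable_metrics = false;
+};
+search = {
+safe_search = 0;
+autocomplete = "duckduckgo";
+prefer_configured_language = false;
+};
+ui = {
+infinite_scroll = true;
+};
+redis.url = "127.0.0.1:${toString config.services.redis.servers."searx".port}";
+engines = [
+{ name = "google"; disabled = false; }
+{ name = "bing"; disabled = false; }
+{ name = "qwant"; disabled = false; }
+{ name = "duckduckgo"; disabled = false; }
+{ name = "yahoo"; disabled = false; }
+];
+};
+};
+nginx.virtualHosts.${domain} = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+proxyPass = "http://127.0.0.1:${toString config.services.searx.settings.server.port}";
+};
+};
+};
+networking.extraHosts = ''
+${network.architect-lan} ${domain}
+${network.architect-wg} ${domain}
+${network.architect-ts} ${domain}
+'';
+}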
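Review bot: `redis.url = "127.0.0.1:${toString config.services.redis.servers."searx".port}";` carries no scheme; SearXNG passes this string to the redis client's `from_url`, which as far as I know rejects URLs lacking `redis://` or `unix://`, so the redis-backed features would fail at startup — write `redis.url = "redis://127.0.0.1:${toString config.services.redis.servers."searx".port}";` (or point it at the server's unix socket with the searx user in the redis group). `environmentFile = /secrets/searx/env;` is a path literal, and whether the secret stays out of the world-readable store depends on the module converting it with `toString` rather than interpolating it; the string form `environmentFile = "/secrets/searx/env";` avoids relying on that. Because the instance is published with ACME on `gugol.giugl.io` and a redis server is already configured, consider `limiter = true;` next to `port` in the `server` block so anonymous clients are rate-limited. Minor: the commented-out `package =` line repeats the searxng commit URL twice, and `mach-nix` and `lib` in the argument set are otherwise unused.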


@ -4,7 +4,8 @@ let
domain = "htson.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in {
in
{
services = {
sonarr = {
enable = true;


@ -2,9 +2,10 @@
let
network = import ./network.nix;
ifname = "ts0";
in {
in
{
services = {
tailscale = {
enable = true;
@ -18,4 +19,4 @@ in {
${network.dodino-ts} dodino.devs.giugl.io
${network.giuliophone-ts} chuck.devs.giugl.io
'';
}
}


@ -3,7 +3,8 @@
let
domain = "httra.giugl.io";
network = import ./network.nix;
in {
in
{
services = {
transmission = {
enable = true;
@ -27,7 +28,7 @@ in {
proxyPass = "http://127.0.0.1:9091";
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
${lib.concatMapStrings (x: "allow ${x};") network.gdevices}
deny all;
'';
};


@ -9,7 +9,8 @@ let
export __VK_LAYER_NV_optimus=NVIDIA_only
exec -a "$0" "$@"
'';
in {
in
{
imports = [ ./hardware.nix ./wireguard.nix ./sound.nix ];
boot = {
@ -70,5 +71,5 @@ in {
programs.steam.enable = true;
environment.systemPackages = with pkgs; [ efibootmgr nvidia-offload ];
# system.stateVersion = "21.05"; # Did you read the comment?
# system.stateVersion = "21.05"; # Did you read the comment?
}


@ -1,6 +0,0 @@
{ pkgs, unstable, nixpkgs, nixos-unstable, home-manager, system, ... }: rec {
user = import ./user.nix { inherit pkgs unstable system home-manager; };
host = import ./host.nix {
inherit pkgs nixpkgs unstable nixos-unstable home-manager user system;
};
}


@ -5,14 +5,17 @@
let
mkRole = role: import (../roles + "/${role}.nix");
users_mod = (map (u:
user.mkUser {
name = u.user;
roles = u.roles;
}) users);
users_mod = (map
(u:
user.mkUser {
name = u.user;
roles = u.roles;
})
users);
roles_mod = (map (r: mkRole r) roles);
add_imports = imports;
in nixpkgs.lib.nixosSystem {
in
nixpkgs.lib.nixosSystem {
inherit system;
modules = [


@ -5,7 +5,8 @@
let
mkRole = role: import (../roles/home + "/${role}.nix");
roles_mod = (map (r: mkRole r) roles);
in {
in
{
users.groups.plugdev = { };
fileSystems."/home/${name}/Downloads" = {
@ -27,7 +28,8 @@
let
mkRole = role: import (../roles/home + "/${role}.nix");
roles_mod = (map (r: mkRole r) roles);
in home-manager.lib.homeManagerConfiguration {
in
home-manager.lib.homeManagerConfiguration {
inherit pkgs;
modules = [
{


@ -1,4 +1,4 @@
{
{
security.acme = {
acceptTerms = true;
defaults = {


@ -9,7 +9,8 @@ let
name = "guake";
package = pkgs.guake;
});
in {
in
{
imports = [ ./gnome.nix ];
nixpkgs.config.allowUnfree = true;


@ -10,12 +10,12 @@
user = "root";
identityFile = "~/.ssh/architectproxy";
};
"192.35.222.32" = {
user = "giulio";
identityFile = "~/.ssh/gitlab-ucsb";
};
"tommy.devs.giugl.io" = {
user = "giulio";
identityFile = "~/.ssh/tommypc";