Compare commits
32 Commits
4dde4f68d8
...
7f2c129ea9
Author | SHA1 | Date | |
---|---|---|---|
|
7f2c129ea9 | ||
|
6389d1950a | ||
|
842b3f0ac7 | ||
|
2c387448ba | ||
|
1df031965a | ||
|
6d72359353 | ||
|
d1d0793e2c | ||
|
d423200c59 | ||
|
0698f9b8db | ||
|
edf4ba07ee | ||
|
f2e33628c0 | ||
|
2f43745162 | ||
|
b378975769 | ||
|
65ba588d8e | ||
|
9aeacafbb2 | ||
|
17d2e10345 | ||
|
da1b08c44a | ||
|
acb47f5a73 | ||
|
78fc53024f | ||
|
3bc816b665 | ||
|
708687d258 | ||
|
0747c0ebf4 | ||
|
6cb4fa08d2 | ||
|
2c906d715e | ||
|
fef4b471f0 | ||
|
f7609a7ee6 | ||
|
9f819d1357 | ||
|
b479c748e0 | ||
|
ef96a959f6 | ||
|
229e92222e | ||
|
08c898ed46 | ||
|
84df2e348d |
42
flake.lock
generated
42
flake.lock
generated
@ -4,52 +4,51 @@
|
|||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"nixpkgs"
|
"nixpkgs"
|
||||||
],
|
]
|
||||||
"utils": "utils"
|
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1681092193,
|
"lastModified": 1685599623,
|
||||||
"narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=",
|
"narHash": "sha256-Tob4CMOVHue0D3RzguDBCtUmX5ji2PsdbQDbIOIKvsc=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "home-manager",
|
"repo": "home-manager",
|
||||||
"rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af",
|
"rev": "93db05480c0c0f30382d3e80779e8386dcb4f9dd",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"ref": "release-22.11",
|
"ref": "release-23.05",
|
||||||
"repo": "home-manager",
|
"repo": "home-manager",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nixos-unstable": {
|
"nixos-unstable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1684171979,
|
"lastModified": 1685564631,
|
||||||
"narHash": "sha256-KfIpmlqCCtY/T8mWQOkucv4LrYAgIXho6QJOwl2md3g=",
|
"narHash": "sha256-8ywr3AkblY4++3lIVxmrWZFzac7+f32ZEhH/A8pNscI=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "10092e14180fdff037aea3a14ad3faeaf6950ac1",
|
"rev": "4f53efe34b3a8877ac923b9350c874e3dcd5dc0a",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"ref": "master",
|
"ref": "nixos-unstable",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1683928319,
|
"lastModified": 1685645444,
|
||||||
"narHash": "sha256-maz0DRKixJVcNRMiAMWlJniiF8IuQ+WbfmlJJ8D+jfM=",
|
"narHash": "sha256-FEuVrowBDU8D+Vt1oqN6j18g/vDvU13WVruTaMjzb8w=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "9656e85a15a0fe67847ee8cdb99a20d8df499962",
|
"rev": "ce3e618cd3b9792d898b76126c36e6ac50b680e1",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"ref": "nixos-22.11",
|
"ref": "release-23.05",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
@ -60,21 +59,6 @@
|
|||||||
"nixos-unstable": "nixos-unstable",
|
"nixos-unstable": "nixos-unstable",
|
||||||
"nixpkgs": "nixpkgs"
|
"nixpkgs": "nixpkgs"
|
||||||
}
|
}
|
||||||
},
|
|
||||||
"utils": {
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1667395993,
|
|
||||||
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
|
|
||||||
"owner": "numtide",
|
|
||||||
"repo": "flake-utils",
|
|
||||||
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "numtide",
|
|
||||||
"repo": "flake-utils",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"root": "root",
|
"root": "root",
|
||||||
|
11
flake.nix
11
flake.nix
@ -1,9 +1,9 @@
|
|||||||
{
|
{
|
||||||
inputs = {
|
inputs = {
|
||||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11";
|
nixpkgs.url = "github:NixOS/nixpkgs/release-23.05";
|
||||||
nixos-unstable.url = "github:NixOS/nixpkgs/master";
|
nixos-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
|
||||||
home-manager = {
|
home-manager = {
|
||||||
url = "github:nix-community/home-manager/release-22.11";
|
url = "github:nix-community/home-manager/release-23.05";
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@ -30,6 +30,11 @@
|
|||||||
inherit system;
|
inherit system;
|
||||||
|
|
||||||
config.allowUnfree = true;
|
config.allowUnfree = true;
|
||||||
|
|
||||||
|
config.permittedInsecurePackages = [
|
||||||
|
"openssl-1.1.1t"
|
||||||
|
"openssl-1.1.1u"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
wrapUtils = { pkgs, unstablePkgs, system }:
|
wrapUtils = { pkgs, unstablePkgs, system }:
|
||||||
|
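Review bot: `config.permittedInsecurePackages = [ "openssl-1.1.1t" "openssl-1.1.1u" ]` in the second hunk whitelists an OpenSSL line that nixpkgs marks insecure for the whole package set, and nothing records which package still needs it or when the exemption can go. A comment above the list naming the dependent and the removal condition would keep this from outliving its reason, e.g. `# TODO: still required by <package> on release-23.05; drop once it builds against openssl 3`. Listing two patch versions suggests the exemption is being extended as the channel moves rather than being retired, which is exactly what such a note should guard against. The `pkgs` attrset this lives in begins before the hunk.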
@ -2,35 +2,25 @@
|
|||||||
|
|
||||||
let
|
let
|
||||||
domain = "htbaz.giugl.io";
|
domain = "htbaz.giugl.io";
|
||||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
|
||||||
|
|
||||||
utilities = import ./utilities.nix { inherit lib config; };
|
|
||||||
inherit (utilities) architectInterfaceAddress;
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services = {
|
services.bazarr = {
|
||||||
bazarr = {
|
enable = true;
|
||||||
enable = true;
|
group = "media";
|
||||||
group = "media";
|
};
|
||||||
};
|
|
||||||
|
|
||||||
nginx.virtualHosts.${domain} = {
|
architect.vhost.${domain} = with config.architect.networks; {
|
||||||
forceSSL = true;
|
dnsInterfaces = [ "wireguard" "tailscale" ];
|
||||||
enableACME = true;
|
locations."/" = {
|
||||||
locations."/" = {
|
allowLan = true;
|
||||||
proxyPass = "http://127.0.0.1:6767";
|
port = 6767;
|
||||||
extraConfig = auth_block {
|
|
||||||
access_role = "bazarr";
|
allow = [
|
||||||
};
|
wireguard.net
|
||||||
};
|
tailscale.net
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
|
||||||
${architectInterfaceAddress "lan"} ${domain}
|
|
||||||
${architectInterfaceAddress "wireguard"} ${domain}
|
|
||||||
${architectInterfaceAddress "tailscale"} ${domain}
|
|
||||||
'';
|
|
||||||
|
|
||||||
users.groups.media.members = [ "bazarr" ];
|
users.groups.media.members = [ "bazarr" ];
|
||||||
}
|
}
|
||||||
|
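Review bot: The new `architect.vhost` block drops the OIDC gate (`extraConfig = auth_block { access_role = "bazarr"; }`) in favour of source-network checks (`allowLan = true;` plus `allow = [ wireguard.net tailscale.net ]`), so every host on the LAN or either VPN now reaches Bazarr's UI without any per-user authorization. If that is intended, a comment stating that Bazarr is LAN/VPN-only and relies on its own login would document the decision; if not, Bazarr's built-in authentication should be enabled before this lands. Separately, `dnsInterfaces = [ "wireguard" "tailscale" ]` omits `"lan"` while `allowLan = true` is set, unlike the nzbget and jellyfin vhosts in this changeset — presumably LAN clients are expected to reach it, so the list may be missing `"lan"`.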
@ -5,7 +5,7 @@ let
|
|||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1we38/N+t8Ah5yrLof8QUwhrob7/VXFKIddaJeOVBLuDVnW7ljiAtdtEiL69D/DV4Ohmt5wMvkAAjfuHmim6FD9A6lzPbSU4KH9W2dcckszKbbI636kuDwem/xui6BW3wJa6P+0xW5ksygEAkzcK2PXuC2b4B9uwhuUdKahiGMKDxISG/WianqAe72cGMfNkYvion3Y1VsMLUdm48d2ABnxNpr7NI9B5iJ8dziOft9gpgfz13CCQRlReo75gk/4xI+vSNrQp7eR+wzJy2/dZg/T8jtyA9Q6jVxrxBpqQ1LNXkAKaJkGo9OabF6Wgpzp+YTAurL4nwR2NaJxwFuyoKvACQy0ai4jrS3206gC6JXZv8ktZMZrwUN+jPqCwfgh5qObFkAqKCxbp52ioDek2MQLdOvzQBX//DBhGEp5rzHGLZ3vhRIiiQiaof5sF5zWiYDW5mqezSPNxJPX/BrTP/Wbs/jpwTLBh3wytiia0S1WXQmya89bqzTPFiDWvTRA62EVKB/JaQtPQQOFAxWwg799DMycPeZ81xttZOyMtI/MZSddyqx2S8fWGwvToZQvuZ38mSIpFseLM1IkgabRIrAmat5SBNGGy9Dqa0eMEa7bwIY/4CMB1y6HMTnaoMXA6cnQfHMoB/zyTZ6oTXIeqeOyiZsK+RN0Mvahj8mXi7dw== giulio@giulio-X230"
|
"ssh-rsa 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 giulio@giulio-X230"
|
||||||
];
|
];
|
||||||
domain = "devs.giugl.io";
|
domain = "devs.giugl.io";
|
||||||
|
|
||||||
utilities = import ./utilities.nix { inherit lib config; };
|
utilities = import ./utilities.nix { inherit lib config; };
|
||||||
inherit (utilities) generateDeviceStrings;
|
inherit (utilities) generateDeviceStrings;
|
||||||
in
|
in
|
||||||
@ -30,7 +30,7 @@ in
|
|||||||
./minecraft.nix
|
./minecraft.nix
|
||||||
./prowlarr.nix
|
./prowlarr.nix
|
||||||
./libreddit.nix
|
./libreddit.nix
|
||||||
# ./invidious.nix
|
./invidious.nix
|
||||||
# ./lidarr.nix
|
# ./lidarr.nix
|
||||||
# ./navidrome.nix
|
# ./navidrome.nix
|
||||||
./jellyfin.nix
|
./jellyfin.nix
|
||||||
@ -88,6 +88,8 @@ in
|
|||||||
"memmap=32M$0x4ca6f9478"
|
"memmap=32M$0x4ca6f9478"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
kernelPackages = pkgs.linuxPackages;
|
||||||
|
|
||||||
kernel.sysctl = { "net.ipv4.ip_forward" = 1; };
|
kernel.sysctl = { "net.ipv4.ip_forward" = 1; };
|
||||||
|
|
||||||
loader = {
|
loader = {
|
||||||
@ -100,7 +102,7 @@ in
|
|||||||
|
|
||||||
supportedFilesystems = [ "zfs" ];
|
supportedFilesystems = [ "zfs" ];
|
||||||
zfs.requestEncryptionCredentials = true;
|
zfs.requestEncryptionCredentials = true;
|
||||||
tmpOnTmpfsSize = "50%";
|
tmp.tmpfsSize = "50%";
|
||||||
};
|
};
|
||||||
|
|
||||||
networking = with config.architect.networks.lan; {
|
networking = with config.architect.networks.lan; {
|
||||||
@ -151,8 +153,12 @@ in
|
|||||||
xserver.videoDrivers = [ "nvidia" ];
|
xserver.videoDrivers = [ "nvidia" ];
|
||||||
openssh = {
|
openssh = {
|
||||||
enable = true;
|
enable = true;
|
||||||
passwordAuthentication = false;
|
|
||||||
kbdInteractiveAuthentication = false;
|
settings = {
|
||||||
|
PasswordAuthentication = false;
|
||||||
|
KbdInteractiveAuthentication = false;
|
||||||
|
};
|
||||||
|
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
MaxAuthTries 15
|
MaxAuthTries 15
|
||||||
'';
|
'';
|
||||||
@ -162,7 +168,7 @@ in
|
|||||||
|
|
||||||
environment = {
|
environment = {
|
||||||
variables = { LIBVA_DRIVER_NAME = "vdpau"; };
|
variables = { LIBVA_DRIVER_NAME = "vdpau"; };
|
||||||
systemPackages = with pkgs; [ cachix ];
|
systemPackages = with pkgs; [ cachix linuxPackages.usbip ];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
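Review bot: The migrated sshd block keeps `MaxAuthTries 15` in `extraConfig` while `PasswordAuthentication`/`KbdInteractiveAuthentication` moved into `settings`; on 23.05 `settings` should accept arbitrary sshd_config keys, so `settings.MaxAuthTries = 15;` would keep all of them in one place. Fifteen attempts is well above OpenSSH's default of 6 — with password and keyboard-interactive auth off it mainly governs how many keys a client may offer — so a one-line comment on why it was raised would help. `linuxPackages.usbip` is added to `systemPackages` without a note; USB/IP has no authentication of its own, so a comment that only the client tool is installed here, and that any `usbipd` must be bound to a VPN interface, would make the intent clear. `./invidious.nix` is re-enabled in `imports` in the same section; see the note on that file.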
@ -1,53 +1,53 @@
|
|||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
adguard_webui_port = 3031;
|
domain = "adguard.architect.devs.giugl.io";
|
||||||
adguard_dns_port = "5300";
|
|
||||||
dnscrypt_listen_port = "5353";
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
architect.firewall.openUDPVPN = [ 53 ];
|
architect = {
|
||||||
|
firewall.openUDPVPN = [ 53 ];
|
||||||
|
|
||||||
|
vhost.${domain} = {
|
||||||
|
dnsInterfaces = [ "lan" "tailscale" "wireguard" ];
|
||||||
|
|
||||||
|
locations."/" = with config; {
|
||||||
|
port = services.adguardhome.settings.bind_port;
|
||||||
|
allow = with architect.networks; [ lan.net tailscale.net ];
|
||||||
|
deny = [
|
||||||
|
architect.networks."lan".devices.router.address
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
dnsmasq = {
|
dnsmasq = {
|
||||||
enable = true;
|
enable = true;
|
||||||
# adguard port
|
settings = {
|
||||||
servers = [ "127.0.0.1#${adguard_dns_port}" ];
|
server = [ "127.0.0.1#${toString config.services.adguardhome.settings.dns.port}" ];
|
||||||
extraConfig = ''
|
localise-queries = true;
|
||||||
localise-queries
|
min-cache-ttl = 120;
|
||||||
min-cache-ttl=120
|
max-cache-ttl = 2400;
|
||||||
max-cache-ttl=2400
|
domain = [
|
||||||
|
"runas.rocks"
|
||||||
domain=runas.rocks
|
"giugl.io"
|
||||||
domain=giugl.io
|
"devs.runas.rocks"
|
||||||
domain=devs.runas.rocks
|
"devs.giugl.io"
|
||||||
domain=devs.giugl.io
|
];
|
||||||
'';
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
adguardhome = {
|
adguardhome = {
|
||||||
enable = true;
|
|
||||||
port = adguard_webui_port;
|
|
||||||
};
|
|
||||||
|
|
||||||
dnscrypt-proxy2 = {
|
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = {
|
settings = {
|
||||||
listen_addresses = [ "127.0.0.1:${dnscrypt_listen_port}" ];
|
bind_port = 5353;
|
||||||
ipv4_servers = true;
|
dns = {
|
||||||
ipv6_servers = false;
|
port = 5300;
|
||||||
block_ipv6 = true;
|
};
|
||||||
dnscrypt_servers = true;
|
upstream_dns = [
|
||||||
doh_servers = true;
|
"tls://architect.d65174.dns.nextdns.io"
|
||||||
require_nolog = true;
|
"https://dns.nextdns.io/d65174/architect"
|
||||||
require_nofilter = true;
|
];
|
||||||
timeout = 350;
|
|
||||||
lb_strategy = "p4";
|
|
||||||
lb_estimator = true;
|
|
||||||
ignore_system_dns = true;
|
|
||||||
fallback_resolvers = [ "1.1.1.1:53" "9.9.9.9:53" ];
|
|
||||||
cache_min_ttl = 450;
|
|
||||||
cache_max_ttl = 2400;
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
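Review bot: `upstream_dns` now embeds the NextDNS profile ID in both `tls://architect.d65174.dns.nextdns.io` and `https://dns.nextdns.io/d65174/architect`; that ID is what lets anyone send queries into (and see them in the logs of) that profile, and it is now committed in plain text. Consider sourcing it from a secrets file the way `dbpassFile` is handled elsewhere in this tree, or at least add a comment and plan to rotate it. Dropping dnscrypt-proxy2 also drops the `require_nolog`/`require_nofilter` selection and the `fallback_resolvers`, so resolution now depends entirely on NextDNS being reachable — a comment stating that trade-off is warranted. Finally, `allow = with architect.networks; [ lan.net tailscale.net ]` omits the WireGuard net while `dnsInterfaces` includes `"wireguard"`, so WireGuard clients get a DNS record for the AdGuard UI they are then denied; likely intended but worth confirming.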
@ -5,13 +5,19 @@
|
|||||||
interface = "docker0";
|
interface = "docker0";
|
||||||
net = "172.17.0.0/16";
|
net = "172.17.0.0/16";
|
||||||
};
|
};
|
||||||
|
|
||||||
virtualisation.docker = {
|
virtualisation = {
|
||||||
enable = true;
|
oci-containers.backend = "docker";
|
||||||
extraOptions = ''
|
|
||||||
--dns 127.0.0.1 --dns ${config.architect.networks.lan.devices.architect.address} --data-root /docker
|
docker = {
|
||||||
'';
|
enable = true;
|
||||||
enableOnBoot = false;
|
extraOptions = ''
|
||||||
|
--dns 127.0.0.1 --dns ${config.architect.networks.lan.devices.architect.address} --data-root /docker
|
||||||
|
'';
|
||||||
|
enableOnBoot = false;
|
||||||
|
daemon.settings.iptables = false;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.giulio.extraGroups = [ "docker" ];
|
users.users.giulio.extraGroups = [ "docker" ];
|
||||||
}
|
}
|
||||||
|
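Review bot: `daemon.settings.iptables = false;` stops Docker from installing any of its own firewall rules, so published ports (`-p`) and the daemon's default container/host isolation chains are no longer created and the hand-written nftables ruleset in this changeset becomes the only thing governing `docker0` traffic. That is a defensible choice next to a custom firewall, but it deserves a comment, e.g. `# docker must not touch the firewall: firewall.nix owns NAT and filtering for docker0`, plus a check that outbound masquerade for `172.17.0.0/16` exists in that ruleset, which is not visible here. With `oci-containers.backend = "docker"` also set, any `ports` declared on those containers will silently stop being reachable unless the nftables side provides the DNAT.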
@ -54,6 +54,9 @@ in
|
|||||||
}
|
}
|
||||||
|
|
||||||
table ip nat {
|
table ip nat {
|
||||||
|
chain DOCKER {
|
||||||
|
type nat hook prerouting priority dstnat; policy accept;
|
||||||
|
}
|
||||||
chain PREROUTING {
|
chain PREROUTING {
|
||||||
type nat hook prerouting priority dstnat; policy accept;
|
type nat hook prerouting priority dstnat; policy accept;
|
||||||
}
|
}
|
||||||
@ -142,6 +145,7 @@ in
|
|||||||
ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
|
ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
|
||||||
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
|
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
|
||||||
ip saddr ${lan.net} accept comment "lan > local"
|
ip saddr ${lan.net} accept comment "lan > local"
|
||||||
|
iifname ${docker.interface} accept
|
||||||
ip saddr ${tailscale.net} accept comment "tailscale > local"
|
ip saddr ${tailscale.net} accept comment "tailscale > local"
|
||||||
ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
|
ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
|
||||||
|
|
||||||
@ -151,7 +155,6 @@ in
|
|||||||
iifname ${wireguard.interface} udp dport {${openUDPVPN}} accept
|
iifname ${wireguard.interface} udp dport {${openUDPVPN}} accept
|
||||||
|
|
||||||
iifname ${wireguard.interface} icmp type echo-request accept
|
iifname ${wireguard.interface} icmp type echo-request accept
|
||||||
iifname ${docker.interface} udp dport 53 accept
|
|
||||||
jump filter_drop
|
jump filter_drop
|
||||||
}
|
}
|
||||||
|
|
||||||
|
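Review bot: In the input chain, `iifname ${docker.interface} accept` replaces the former `iifname ${docker.interface} udp dport 53 accept`, so containers on docker0 can now reach every host-bound service (the AdGuard UI, Gitea, MinIO, sshd on 22, and so on) rather than only DNS — a compromised container gets the same reach as a LAN host. Unless that widening is deliberate, keep it scoped, e.g. `iifname ${docker.interface} udp dport 53 accept` and `iifname ${docker.interface} tcp dport 53 accept` (TCP 53 covers large answers), and add further ports explicitly as containers need them. The new `chain DOCKER { type nat hook prerouting priority dstnat; policy accept; }` is declared as a second base chain on the same hook as `PREROUTING` rather than a regular chain; with `iptables = false` set in docker.nix the daemon will not populate it, so it is either dead or should be a plain `chain DOCKER { }` that `PREROUTING` jumps to. The enclosing nftables ruleset begins and ends outside these hunks.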
@ -2,41 +2,30 @@
|
|||||||
|
|
||||||
let
|
let
|
||||||
domain = "git.giugl.io";
|
domain = "git.giugl.io";
|
||||||
|
|
||||||
utilities = import ./utilities.nix { inherit lib config; };
|
|
||||||
inherit (utilities) architectInterfaceAddress;
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
architect.firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ];
|
architect = {
|
||||||
|
firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ];
|
||||||
|
vhost.${domain} = {
|
||||||
|
dnsInterfaces = [ "lan" "tailscale" "wireguard" ];
|
||||||
|
locations."/".port = config.services.gitea.settings.server.HTTP_PORT;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
services.gitea = {
|
services.gitea = {
|
||||||
enable = true;
|
enable = true;
|
||||||
database.type = "sqlite3";
|
database.type = "sqlite3";
|
||||||
domain = domain;
|
|
||||||
appName = "Gitea";
|
appName = "Gitea";
|
||||||
rootUrl = "https://${domain}";
|
# https://github.com/NixOS/nixpkgs/issues/235442#issuecomment-1574329453
|
||||||
|
lfs.enable = true;
|
||||||
settings = {
|
settings = {
|
||||||
server = {
|
server = {
|
||||||
LFS_START_SERVER = true;
|
DOMAIN = domain;
|
||||||
|
ROOT_URL = "https://${domain}";
|
||||||
SSH_PORT = 22;
|
SSH_PORT = 22;
|
||||||
|
HTTP_PORT = 3001;
|
||||||
};
|
};
|
||||||
openid.enable_openid_signin = true;
|
openid.enable_openid_signin = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts.${domain} = {
|
|
||||||
forceSSL = true;
|
|
||||||
enableACME = true;
|
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://127.0.0.1:3000";
|
|
||||||
# it does not work, it breaks gitea's web portal
|
|
||||||
# extraConfig = auth_block { access_role = "git"; };
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.extraHosts = ''
|
|
||||||
${architectInterfaceAddress "lan"} ${domain}
|
|
||||||
${architectInterfaceAddress "wireguard"} ${domain}
|
|
||||||
${architectInterfaceAddress "tailscale"} ${domain}
|
|
||||||
'';
|
|
||||||
}
|
}
|
||||||
|
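Review bot: The new `architect.vhost.${domain}` sets only `dnsInterfaces` and `locations."/".port`, with no `allow`/`allowLan` like the bazarr, jellyfin and nzbget vhosts in this changeset carry, so Gitea's reachability is whatever the `architect.vhost` module defaults to — that default is not visible here and should be stated explicitly, e.g. `allowLan = true;` plus an `allow` list, or a comment that Gitea is meant to be reachable from anywhere nginx is. The removed nginx block recorded that the OIDC gate broke the portal and was never applied, so Gitea has relied on its own login and `enable_openid_signin` all along; a comment to that effect on the vhost saves the next reader re-deriving it. `lfs.enable = true` carries only an issue link, which does not say what the workaround is; one clause on why `LFS_START_SERVER` was replaced would help. `HTTP_PORT = 3001;` differs from the old hard-coded `proxyPass = "http://127.0.0.1:3000"`, which is fine now that the vhost reads the option, but confirm nothing else still expects 3000.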
@ -8,17 +8,16 @@ in
|
|||||||
openUDP = [ config.services.tailscale.port ];
|
openUDP = [ config.services.tailscale.port ];
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.systemPackages = [ pkgs.unstablePkgs.headscale ];
|
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
headscale = {
|
headscale = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.unstablePkgs.headscale;
|
package = pkgs.unstablePkgs.headscale;
|
||||||
port = 1194;
|
port = 1194;
|
||||||
address = "0.0.0.0";
|
address = "0.0.0.0";
|
||||||
serverUrl = "https://${domain}";
|
|
||||||
logLevel = "debug";
|
|
||||||
settings = {
|
settings = {
|
||||||
|
server_url = "https://${domain}";
|
||||||
|
log.level = "debug";
|
||||||
dns_config = {
|
dns_config = {
|
||||||
magic_dns = true;
|
magic_dns = true;
|
||||||
base_domain = "giugl.io";
|
base_domain = "giugl.io";
|
||||||
|
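Review bot: `log.level = "debug";` is carried into the new `settings` block for a control server bound to `address = "0.0.0.0"` on port 1194; debug output from a coordination server is verbose and may include node and registration details, so `"info"` is the safer steady state, with a comment if debug is needed for a specific investigation. The rename from `serverUrl`/`logLevel` to `settings.server_url`/`settings.log.level` looks like the 23.05 option migration and is otherwise fine. The `settings` attrset continues past the end of the hunk.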
@ -1,27 +1,28 @@
|
|||||||
{ lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
domain = "tube.giugl.io";
|
domain = "tube.giugl.io";
|
||||||
network = import ./network.nix;
|
|
||||||
|
utilities = import ./utilities.nix { inherit lib config; };
|
||||||
|
inherit (utilities) architectInterfaceAddress;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services = {
|
services = {
|
||||||
invidious = {
|
invidious = {
|
||||||
enable = true;
|
enable = true;
|
||||||
port = 9092;
|
|
||||||
package = pkgs.unstablePkgs.invidious;
|
package = pkgs.unstablePkgs.invidious;
|
||||||
};
|
};
|
||||||
|
|
||||||
nginx.virtualHosts.${domain} = {
|
nginx.virtualHosts.${domain} = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
locations."/" = { proxyPass = "http://127.0.0.1:9092"; };
|
locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.invidious.port}"; };
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
${network.architect-lan} ${domain}
|
${architectInterfaceAddress "lan"} ${domain}
|
||||||
${network.architect-wg} ${domain}
|
${architectInterfaceAddress "wireguard"} ${domain}
|
||||||
${network.architect-ts} ${domain}
|
${architectInterfaceAddress "tailscale"} ${domain}
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
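Review bot: This vhost still has no source-address restriction — `locations."/" = { proxyPass = ... }` under `forceSSL`/`enableACME` with no `allow`/`deny` — while the bazarr, jellyfin and nzbget vhosts in this changeset are gated to LAN/VPN nets. Since `./invidious.nix` is also re-enabled in the host's `imports` in this same commit range, add either an `allow` list matching the other services or a comment confirming Invidious is intentionally reachable by anyone who can reach nginx. Replacing the literal `9092` with `config.services.invidious.port` is a good change; the upstream address now has a single source of truth.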
@ -3,52 +3,41 @@
|
|||||||
let
|
let
|
||||||
domain = "media.giugl.io";
|
domain = "media.giugl.io";
|
||||||
port = 8096;
|
port = 8096;
|
||||||
|
allowLan = true;
|
||||||
utilities = import ./utilities.nix { inherit lib config; };
|
|
||||||
inherit (utilities) architectInterfaceAddress;
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
# needed since StateDirectory does not accept symlinks
|
# needed since StateDirectory does not accept symlinks
|
||||||
systemd.services.jellyfin.serviceConfig.StateDirectory = lib.mkForce "";
|
systemd.services.jellyfin.serviceConfig.StateDirectory = lib.mkForce "";
|
||||||
|
|
||||||
services = {
|
architect.vhost.${domain} = with config.architect.networks; {
|
||||||
jellyfin = {
|
dnsInterfaces = [ "lan" "wireguard" "tailscale" ];
|
||||||
enable = true;
|
locations = {
|
||||||
group = "media";
|
"/" = {
|
||||||
package = pkgs.unstablePkgs.jellyfin;
|
inherit port allowLan;
|
||||||
};
|
|
||||||
|
|
||||||
nginx.virtualHosts.${domain} = {
|
allow = [
|
||||||
forceSSL = true;
|
wireguard.net
|
||||||
enableACME = true;
|
tailscale.net
|
||||||
extraConfig = ''
|
];
|
||||||
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
|
|
||||||
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
|
|
||||||
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
|
|
||||||
proxy_buffering off;
|
|
||||||
|
|
||||||
allow ${config.architect.networks.lan.net};
|
|
||||||
allow ${config.architect.networks.tailscale.net};
|
|
||||||
deny all;
|
|
||||||
'';
|
|
||||||
|
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://127.0.0.1:${toString port}";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
locations."/socket" = {
|
"/socket" = {
|
||||||
proxyPass = "http://127.0.0.1:${toString port}";
|
inherit port allowLan;
|
||||||
|
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
|
allow = [
|
||||||
|
wireguard.net
|
||||||
|
tailscale.net
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.jellyfin = {
|
||||||
networking.extraHosts = ''
|
enable = true;
|
||||||
${architectInterfaceAddress "lan"} ${domain}
|
group = "media";
|
||||||
${architectInterfaceAddress "wireguard"} ${domain}
|
package = pkgs.unstablePkgs.jellyfin;
|
||||||
${architectInterfaceAddress "tailscale"} ${domain}
|
};
|
||||||
'';
|
|
||||||
|
|
||||||
users.groups = {
|
users.groups = {
|
||||||
media.members = [ "jellyfin" ];
|
media.members = [ "jellyfin" ];
|
||||||
|
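Review bot: The old nginx block's `proxy_buffering off;` and the CSP explanatory comment are gone from the new `architect.vhost` definition, and whether the module disables proxy buffering for streaming cannot be seen here; if it does not, Jellyfin playback is buffered through nginx again, so a comment pointing to where that setting now lives (or an equivalent hook) would help. Access also broadens: previously `allow ${lan.net}; allow ${tailscale.net}; deny all;`, now `allowLan = true` plus `allow = [ wireguard.net tailscale.net ]` on both `/` and `/socket`, admitting WireGuard peers for the first time — fine if intended, but worth one comment. The identical `allow` list on the two locations could be a single `let` binding next to `allowLan` so they cannot drift.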
@ -1,4 +1,4 @@
|
|||||||
{ config, lib, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
domain = "s3.giugl.io";
|
domain = "s3.giugl.io";
|
||||||
@ -8,7 +8,10 @@ let
|
|||||||
in
|
in
|
||||||
{
|
{
|
||||||
services = {
|
services = {
|
||||||
minio.enable = true;
|
minio = {
|
||||||
|
enable = true;
|
||||||
|
package = pkgs.minio_legacy_fs;
|
||||||
|
};
|
||||||
|
|
||||||
nginx.virtualHosts.${domain} = {
|
nginx.virtualHosts.${domain} = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
@ -24,7 +27,7 @@ in
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
${architectInterfaceAddress "lan"} ${domain}
|
${architectInterfaceAddress "lan"} ${domain}
|
||||||
${architectInterfaceAddress "wireguard"} ${domain}
|
${architectInterfaceAddress "wireguard"} ${domain}
|
||||||
|
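Review bot: `package = pkgs.minio_legacy_fs;` pins MinIO to the older, frozen release that nixpkgs keeps only so existing filesystem-mode data stays readable, which means this service will not pick up upstream security fixes, and nothing here records why the pin is needed or when it can be removed. A comment such as `# legacy FS backend: existing buckets predate erasure mode; migrate to a fresh minio, then drop this pin` would make the risk explicit and actionable. The file's `let` block and the nginx vhost continue outside these hunks.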
@ -1,66 +0,0 @@
|
|||||||
rec {
|
|
||||||
# interfaces
|
|
||||||
wan-if = "enp5s0";
|
|
||||||
vpn-if = "wg0";
|
|
||||||
proxy-if = "proxy";
|
|
||||||
docker-if = "docker0";
|
|
||||||
tailscale-if = "ts0";
|
|
||||||
|
|
||||||
# nets
|
|
||||||
lan-net = "10.0.0.0/24";
|
|
||||||
vpn-net = "10.3.0.0/24";
|
|
||||||
external_lan-net = "192.168.1.0/24";
|
|
||||||
docker-net = "172.17.0.0/16";
|
|
||||||
# tailscale-net = "100.64.0.0/10";
|
|
||||||
tailscale-net = "10.4.0.0/24";
|
|
||||||
|
|
||||||
# ips
|
|
||||||
router-lan = "10.0.0.1";
|
|
||||||
dvr-lan = "10.0.0.2";
|
|
||||||
nas-lan = "10.0.0.3";
|
|
||||||
architect-lan = "10.0.0.250";
|
|
||||||
|
|
||||||
architect-wg = "10.3.0.1";
|
|
||||||
manduria-wg = "10.3.0.5";
|
|
||||||
antonio-wg = "10.3.0.6";
|
|
||||||
gbeast-wg = "10.3.0.7";
|
|
||||||
shield-wg = "10.3.0.12";
|
|
||||||
salvatore-wg = "10.3.0.16";
|
|
||||||
papa-wg = "10.3.0.17";
|
|
||||||
defy-wg = "10.3.0.18";
|
|
||||||
germano-wg = "10.3.0.19";
|
|
||||||
flavio-wg = "10.3.0.20";
|
|
||||||
tommy-wg = "10.3.0.21";
|
|
||||||
alain-wg = "10.3.0.22";
|
|
||||||
dima-wg = "10.3.0.23";
|
|
||||||
mikey-wg = "10.3.0.24";
|
|
||||||
andrew-wg = "10.3.0.25";
|
|
||||||
mikeylaptop-wg = "10.3.0.26";
|
|
||||||
andrewdesktop-wg = "10.3.0.27";
|
|
||||||
jacopo-wg = "10.3.0.28";
|
|
||||||
frznn-wg = "10.3.0.29";
|
|
||||||
ludo-wg = "10.3.0.30";
|
|
||||||
parina-wg = "10.3.0.31";
|
|
||||||
nilo-wg = "10.3.0.32";
|
|
||||||
parina-ipad-wg = "10.3.0.33";
|
|
||||||
kclvm-wg = "10.3.0.34";
|
|
||||||
framecca-wg = "10.3.0.35";
|
|
||||||
|
|
||||||
framecca_one-wg = "10.3.0.36";
|
|
||||||
framecca_two-wg = "10.3.0.37";
|
|
||||||
framecca_three-wg = "10.3.0.38";
|
|
||||||
framecca_four-wg = "10.3.0.39";
|
|
||||||
|
|
||||||
giuliophone-ts = "100.68.68.46";
|
|
||||||
# architect-ts = "100.67.205.28";
|
|
||||||
architect-ts = "10.4.0.2";
|
|
||||||
giuliopc-ts = "100.124.78.64";
|
|
||||||
dodino-ts = "100.106.244.35";
|
|
||||||
|
|
||||||
framecca-devices = [ framecca-wg framecca_one-wg framecca_three-wg framecca_four-wg ];
|
|
||||||
c2c-wg = framecca-devices;
|
|
||||||
|
|
||||||
# groups
|
|
||||||
gdevices = [ giuliophone-ts architect-ts giuliopc-ts dodino-ts ];
|
|
||||||
towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg ] ++ framecca-devices;
|
|
||||||
}
|
|
@ -13,10 +13,10 @@ in
|
|||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
mysql = {
|
mysql = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.unstablePkgs.mysql80;
|
package = pkgs.mariadb;
|
||||||
};
|
};
|
||||||
|
|
||||||
redis = {
|
redis = {
|
||||||
@ -33,6 +33,7 @@ in
|
|||||||
https = true;
|
https = true;
|
||||||
package = pkgs.unstablePkgs.nextcloud26;
|
package = pkgs.unstablePkgs.nextcloud26;
|
||||||
datadir = "/services/nextcloud";
|
datadir = "/services/nextcloud";
|
||||||
|
configureRedis = true;
|
||||||
caching = {
|
caching = {
|
||||||
redis = true;
|
redis = true;
|
||||||
};
|
};
|
||||||
@ -40,15 +41,16 @@ in
|
|||||||
autoUpdateApps.enable = true;
|
autoUpdateApps.enable = true;
|
||||||
autoUpdateApps.startAt = "05:00:00";
|
autoUpdateApps.startAt = "05:00:00";
|
||||||
|
|
||||||
|
maxUploadSize = "50G";
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
overwriteProtocol = "https";
|
overwriteProtocol = "https";
|
||||||
dbtype = "mysql";
|
dbtype = "mysql";
|
||||||
dbuser = "oc_giulio2";
|
dbuser = "nextcloud";
|
||||||
dbhost = "localhost";
|
dbhost = "localhost";
|
||||||
dbname = "nextcloud_final";
|
dbname = "nextcloud";
|
||||||
dbpassFile = "/secrets/nextcloud/dbpass.txt";
|
dbpassFile = "/secrets/nextcloud/dbpass.txt";
|
||||||
adminpassFile = "/secrets/nextcloud/adminpass.txt";
|
adminpassFile = "/secrets/nextcloud/dbpass.txt";
|
||||||
adminuser = "giulio";
|
|
||||||
extraTrustedDomains = [ "${domain}" ];
|
extraTrustedDomains = [ "${domain}" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
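Review bot: `adminpassFile = "/secrets/nextcloud/dbpass.txt";` now points at the same file as `dbpassFile`, replacing the former `adminpass.txt`, so the Nextcloud admin login and the MariaDB credential become one secret — whoever can read one has the other, and rotating the DB password would silently change the web admin password. This reads as a copy-paste slip; restore `adminpassFile = "/secrets/nextcloud/adminpass.txt";` (or a fresh file if that one was retired). `adminuser = "giulio"` was also removed, so the module's default admin name now applies — worth a comment if that is intended. The switch to `pkgs.mariadb` with `dbuser = "nextcloud"`/`dbname = "nextcloud"` implies the database was migrated; the contents of `dbpass.txt` must match the new user, which cannot be checked here.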
@ -8,7 +8,7 @@
|
|||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.openresty;
|
package = pkgs.nginx;
|
||||||
recommendedGzipSettings = true;
|
recommendedGzipSettings = true;
|
||||||
recommendedOptimisation = true;
|
recommendedOptimisation = true;
|
||||||
recommendedProxySettings = true;
|
recommendedProxySettings = true;
|
||||||
@ -32,59 +32,59 @@
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
appendHttpConfig =
|
# appendHttpConfig =
|
||||||
let
|
# let
|
||||||
extraPureLuaPackages = with pkgs.luajitPackages; [
|
# extraPureLuaPackages = with pkgs.luajitPackages; [
|
||||||
lua-resty-openidc
|
# lua-resty-openidc
|
||||||
lua-resty-http
|
# lua-resty-http
|
||||||
lua-resty-session
|
# lua-resty-session
|
||||||
lua-resty-jwt
|
# lua-resty-jwt
|
||||||
lua-resty-openssl
|
# lua-resty-openssl
|
||||||
];
|
# ];
|
||||||
luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
|
# luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
|
||||||
makeLuaPath = lib.concatMapStringsSep ";" luaPath;
|
# makeLuaPath = lib.concatMapStringsSep ";" luaPath;
|
||||||
in
|
# in
|
||||||
''
|
# ''
|
||||||
# https://stackoverflow.com/questions/38931468/nginx-reverse-proxy-error14077438ssl-ssl-do-handshake-failed
|
# # https://stackoverflow.com/questions/38931468/nginx-reverse-proxy-error14077438ssl-ssl-do-handshake-failed
|
||||||
proxy_ssl_server_name on;
|
# proxy_ssl_server_name on;
|
||||||
|
|
||||||
lua_package_path '${makeLuaPath extraPureLuaPackages};;';
|
# lua_package_path '${makeLuaPath extraPureLuaPackages};;';
|
||||||
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
|
# lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
|
||||||
lua_ssl_verify_depth 5;
|
# lua_ssl_verify_depth 5;
|
||||||
|
|
||||||
# cache for OIDC discovery metadata
|
# # cache for OIDC discovery metadata
|
||||||
lua_shared_dict discovery 1m;
|
# lua_shared_dict discovery 1m;
|
||||||
lua_shared_dict jwks 1m;
|
# lua_shared_dict jwks 1m;
|
||||||
|
|
||||||
# https://github.com/openresty/lua-resty-redis/issues/159
|
# # https://github.com/openresty/lua-resty-redis/issues/159
|
||||||
resolver local=on ipv6=off;
|
# resolver local=on ipv6=off;
|
||||||
|
|
||||||
init_worker_by_lua_block {
|
# init_worker_by_lua_block {
|
||||||
function check_role (res, role)
|
# function check_role (res, role)
|
||||||
if res.user.roles == nil then
|
# if res.user.roles == nil then
|
||||||
return false
|
# return false
|
||||||
end
|
# end
|
||||||
|
|
||||||
for _,v in pairs(res.user.roles) do
|
# for _,v in pairs(res.user.roles) do
|
||||||
if string.lower(v) == role then
|
# if string.lower(v) == role then
|
||||||
return true
|
# return true
|
||||||
end
|
# end
|
||||||
end
|
# end
|
||||||
|
|
||||||
return false
|
# return false
|
||||||
end
|
# end
|
||||||
|
|
||||||
function is_ip_whitelisted(ip, whitelist)
|
# function is_ip_whitelisted(ip, whitelist)
|
||||||
for _, x in ipairs(whitelist) do
|
# for _, x in ipairs(whitelist) do
|
||||||
if ip == x then
|
# if ip == x then
|
||||||
return true
|
# return true
|
||||||
end
|
# end
|
||||||
end
|
# end
|
||||||
|
|
||||||
return false
|
# return false
|
||||||
end
|
# end
|
||||||
}
|
# }
|
||||||
'';
|
# '';
|
||||||
|
|
||||||
appendConfig = ''
|
appendConfig = ''
|
||||||
worker_processes 24;
|
worker_processes 24;
|
||||||
|
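Review bot: Commenting out the whole `appendHttpConfig` block rather than deleting it leaves roughly sixty lines of dead OpenResty/Lua config in the file; git history already preserves it, so delete it and, if the OIDC path may return, leave a one-line comment pointing at the commit. The disabled block also carried `proxy_ssl_server_name on;`, which is not Lua-specific — any vhost that `proxy_pass`es to an https upstream loses SNI under `pkgs.nginx`, so that line should move to a live `appendHttpConfig` if such an upstream exists. Since this hunk retires the OIDC relying party, the `nginx` client should be disabled in the identity provider or its secret rotated: that client_secret appears in plain text in openid.nix elsewhere in this changeset.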
@ -2,35 +2,21 @@
|
|||||||
|
|
||||||
let
|
let
|
||||||
domain = "htnzb.giugl.io";
|
domain = "htnzb.giugl.io";
|
||||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
|
||||||
|
|
||||||
utilities = import ./utilities.nix { inherit lib config; };
|
|
||||||
inherit (utilities) architectInterfaceAddress;
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services = {
|
services.nzbget = {
|
||||||
nzbget = {
|
enable = true;
|
||||||
enable = true;
|
group = "media";
|
||||||
group = "media";
|
};
|
||||||
};
|
|
||||||
|
|
||||||
nginx.virtualHosts.${domain} = {
|
architect.vhost.${domain} = {
|
||||||
forceSSL = true;
|
dnsInterfaces = [ "tailscale" "wireguard" "lan" ];
|
||||||
enableACME = true;
|
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://127.0.0.1:6789";
|
port = 6789;
|
||||||
extraConfig = auth_block {
|
allowLan = true;
|
||||||
access_role = "nzbget";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
|
||||||
${architectInterfaceAddress "lan"} ${domain}
|
|
||||||
${architectInterfaceAddress "wireguard"} ${domain}
|
|
||||||
${architectInterfaceAddress "tailscale"} ${domain}
|
|
||||||
'';
|
|
||||||
|
|
||||||
users.groups.media.members = [ "nzbget" ];
|
users.groups.media.members = [ "nzbget" ];
|
||||||
}
|
}
|
||||||
|
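Review bot: The new vhost replaces the OIDC role check (`auth_block { access_role = "nzbget"; }`) with `allowLan = true;` alone and no `allow` list, while `dnsInterfaces = [ "tailscale" "wireguard" "lan" ]` advertises the name on both VPNs; the bazarr vhost in the same changeset pairs `allowLan` with `allow = [ wireguard.net tailscale.net ]`. Either VPN clients are meant to reach NZBGet and `allow` is missing, or they are not and the VPN entries in `dnsInterfaces` are stray; the two lists should agree, and a comment should state that NZBGet now relies on its own login instead of OIDC. Whether the module denies by default is not visible here.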
@ -3,46 +3,48 @@
|
|||||||
{
|
{
|
||||||
openresty_oidc_block =
|
openresty_oidc_block =
|
||||||
{ access_role ? "", whitelisted_ips ? [ ] }: ''
|
{ access_role ? "", whitelisted_ips ? [ ] }: ''
|
||||||
access_by_lua_block {
|
|
||||||
local opts = {
|
|
||||||
discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
|
|
||||||
client_id = "nginx",
|
|
||||||
client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8",
|
|
||||||
logout_path = "/logout",
|
|
||||||
redirect_after_logout_uri = "/",
|
|
||||||
redirect_uri = "/redirect_uri",
|
|
||||||
keepalive = "yes",
|
|
||||||
accept_none_alg = true,
|
|
||||||
revoke_tokens_on_logout = true,
|
|
||||||
-- access token valid for a day
|
|
||||||
access_token_expires_in = 86400
|
|
||||||
}
|
|
||||||
|
|
||||||
${lib.optionalString (whitelisted_ips != []) ''
|
|
||||||
local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}
|
|
||||||
|
|
||||||
if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
|
|
||||||
return
|
|
||||||
end
|
|
||||||
''}
|
|
||||||
|
|
||||||
-- call introspect for OAuth 2.0 Bearer Access Token validation
|
|
||||||
local res, err = require("resty.openidc").authenticate(opts)
|
|
||||||
|
|
||||||
if err then
|
|
||||||
ngx.status = 403
|
|
||||||
ngx.say(err)
|
|
||||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
|
||||||
end
|
|
||||||
|
|
||||||
${lib.optionalString (access_role != "") ''
|
|
||||||
if not check_role(res, "${access_role}") then
|
|
||||||
ngx.status = 401
|
|
||||||
ngx.header.content_type = 'text/html';
|
|
||||||
ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
|
|
||||||
ngx.exit(ngx.HTTP_UNAUTHORIZED)
|
|
||||||
end
|
|
||||||
''}
|
|
||||||
}
|
|
||||||
'';
|
'';
|
||||||
|
# access_by_lua_block {
|
||||||
|
# local opts = {
|
||||||
|
# discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
|
||||||
|
# client_id = "nginx",
|
||||||
|
# client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8",
|
||||||
|
# logout_path = "/logout",
|
||||||
|
# redirect_after_logout_uri = "/",
|
||||||
|
# redirect_uri = "/redirect_uri",
|
||||||
|
# keepalive = "yes",
|
||||||
|
# accept_none_alg = true,
|
||||||
|
# revoke_tokens_on_logout = true,
|
||||||
|
# -- access token valid for a day
|
||||||
|
# access_token_expires_in = 86400
|
||||||
|
# }
|
||||||
|
|
||||||
|
# ${lib.optionalString (whitelisted_ips != []) ''
|
||||||
|
# local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}
|
||||||
|
|
||||||
|
# if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
|
||||||
|
# return
|
||||||
|
# end
|
||||||
|
# ''}
|
||||||
|
|
||||||
|
# -- call introspect for OAuth 2.0 Bearer Access Token validation
|
||||||
|
# local res, err = require("resty.openidc").authenticate(opts)
|
||||||
|
|
||||||
|
# if err then
|
||||||
|
# ngx.status = 403
|
||||||
|
# ngx.say(err)
|
||||||
|
# ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||||
|
# end
|
||||||
|
|
||||||
|
# ${lib.optionalString (access_role != "") ''
|
||||||
|
# if not check_role(res, "${access_role}") then
|
||||||
|
# ngx.status = 401
|
||||||
|
# ngx.header.content_type = 'text/html';
|
||||||
|
# ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
|
||||||
|
# ngx.exit(ngx.HTTP_UNAUTHORIZED)
|
||||||
|
# end
|
||||||
|
# ''}
|
||||||
|
# }
|
||||||
|
# '';
|
||||||
}
|
}
|
||||||
|
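Review bot: `openresty_oidc_block` now returns an empty string for every argument but keeps its `access_role` and `whitelisted_ips` parameters, so any caller left in the tree silently gets no authentication instead of an evaluation error; if the block is being retired, removing the attribute (or replacing its body with `throw "openresty_oidc_block is disabled"`) would surface stale callers at build time. The commented-out copy still carries the OIDC `client_secret` literal, which also remains in git history, so that credential should be rotated at the identity provider rather than relying on the comment. The same commented block sets `accept_none_alg = true`, which as the option name indicates accepts tokens with no signature; if this code is ever re-enabled that line should go, and a comment such as `# disabled: access control moved to architect.vhost allow lists` above the commented block would record why it was kept.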
@ -2,6 +2,10 @@
|
|||||||
|
|
||||||
with lib;
|
with lib;
|
||||||
|
|
||||||
|
let
|
||||||
|
utilities = import ./utilities.nix { inherit lib config; };
|
||||||
|
inherit (utilities) architectInterfaceAddress;
|
||||||
|
in
|
||||||
{
|
{
|
||||||
options.architect = {
|
options.architect = {
|
||||||
firewall = {
|
firewall = {
|
||||||
@ -58,5 +62,95 @@ with lib;
|
|||||||
default = { };
|
default = { };
|
||||||
description = "An attribute set of networks with their configurations.";
|
description = "An attribute set of networks with their configurations.";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
vhost = mkOption {
|
||||||
|
type = types.attrsOf (types.submodule {
|
||||||
|
options = {
|
||||||
|
dnsInterfaces = mkOption {
|
||||||
|
type = types.listOf types.str;
|
||||||
|
default = [ ];
|
||||||
|
description = "List of interfaces to add extra DNS hosts for this vhost.";
|
||||||
|
};
|
||||||
|
|
||||||
|
locations = mkOption {
|
||||||
|
type = types.attrsOf (types.submodule {
|
||||||
|
options = {
|
||||||
|
extraConfig = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
description = "Extra configuration for the location.";
|
||||||
|
default = "";
|
||||||
|
};
|
||||||
|
|
||||||
|
allowLan = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
};
|
||||||
|
|
||||||
|
proxyWebsockets = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
};
|
||||||
|
|
||||||
|
host = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
description = "The host for the location.";
|
||||||
|
default = "127.0.0.1";
|
||||||
|
};
|
||||||
|
|
||||||
|
port = mkOption {
|
||||||
|
type = types.int;
|
||||||
|
description = "The port number for the location.";
|
||||||
|
};
|
||||||
|
|
||||||
|
allow = mkOption {
|
||||||
|
type = types.listOf types.str;
|
||||||
|
default = [ ];
|
||||||
|
description = "IP address or CIDR block to allow.";
|
||||||
|
};
|
||||||
|
|
||||||
|
deny = mkOption {
|
||||||
|
type = types.listOf types.str;
|
||||||
|
default = [ ];
|
||||||
|
description = "IP address or CIDR block to deny.";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
});
|
||||||
|
default = { };
|
||||||
|
description = "An attribute set of location configurations.";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
});
|
||||||
|
default = { };
|
||||||
|
description = "An attribute set of domain configurations.";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = {
|
||||||
|
services.nginx.virtualHosts = mapAttrs
|
||||||
|
(domain: conf: {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
locations = mapAttrs
|
||||||
|
(path: location: {
|
||||||
|
proxyPass = "http://${location.host}:${toString location.port}";
|
||||||
|
proxyWebsockets = location.proxyWebsockets;
|
||||||
|
extraConfig = ''
|
||||||
|
${optionalString location.allowLan "deny 10.0.0.1;"}
|
||||||
|
${concatMapStringsSep "\n" (denyCIDR: "deny ${denyCIDR};") location.deny}
|
||||||
|
${concatMapStringsSep "\n" (allowCIDR: "allow ${allowCIDR};") location.allow}
|
||||||
|
${optionalString location.allowLan ''allow ${config.architect.networks."lan".net};''}
|
||||||
|
'' + location.extraConfig;
|
||||||
|
})
|
||||||
|
conf.locations;
|
||||||
|
})
|
||||||
|
config.architect.vhost;
|
||||||
|
|
||||||
|
networking.extraHosts = concatStringsSep "\n" (
|
||||||
|
mapAttrsToList
|
||||||
|
(domain: conf: concatMapStringsSep "\n"
|
||||||
|
(iface: "${architectInterfaceAddress iface} ${domain}")
|
||||||
|
conf.dnsInterfaces)
|
||||||
|
config.architect.vhost
|
||||||
|
);
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
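Review bot: The generated `extraConfig` in the `locations` mapping ends after the `allow` lines with no `deny all;`, so for a location with `allowLan = true` or a non-empty `allow` list nginx still admits every address that is not explicitly denied — the allow list documents intent but does not enforce it. Adding `${optionalString (location.allowLan || location.allow != [ ]) "deny all;"}` after the `allow` lines (before `'' + location.extraConfig`) closes the list while leaving unrestricted locations untouched, and since `location.extraConfig` is appended afterwards callers can still add their own rules. The hard-coded `deny 10.0.0.1;` under `allowLan` deserves a why-comment stating what that address is (the LAN gateway, presumably — confirm) and why it is excluded, since the intent is not recoverable from the hunk.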
37
hosts/architect/photoprism.nix
Normal file
37
hosts/architect/photoprism.nix
Normal file
@ -0,0 +1,37 @@
|
|||||||
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
domain = "photos.giugl.io";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
services.photoprism = {
|
||||||
|
enable = true;
|
||||||
|
package = pkgs.photoprism;
|
||||||
|
originalsPath = "/var/lib/private/photoprism/originals";
|
||||||
|
address = "0.0.0.0";
|
||||||
|
settings = {
|
||||||
|
PHOTOPRISM_DEFAULT_LOCALE = "en";
|
||||||
|
PHOTOPRISM_DATABASE_DRIVER = "mysql";
|
||||||
|
PHOTOPRISM_DATABASE_NAME = "photoprism";
|
||||||
|
PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock";
|
||||||
|
PHOTOPRISM_DATABASE_USER = "photoprism";
|
||||||
|
PHOTOPRISM_SITE_URL = "https://${domain}";
|
||||||
|
PHOTOPRISM_SITE_TITLE = "PePrism";
|
||||||
|
PHOTOPRISM_FFMPEG_ENCODER = "nvidia";
|
||||||
|
PHOTOPRISM_INIT = "tensorflow";
|
||||||
|
NVIDIA_VISIBLE_DEVICES = "all";
|
||||||
|
NVIDIA_DRIVER_CAPABILITIES = "compute,video,utility";
|
||||||
|
PHOTOPRISM_FFMPEG_BIN = "${pkgs.ffmpeg}/bin/ffmpeg";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
architect.vhost.${domain} = {
|
||||||
|
dnsInterfaces = [ "tailscale" "lan" ];
|
||||||
|
locations."/" = {
|
||||||
|
port = config.services.photoprism.port;
|
||||||
|
allowLan = true;
|
||||||
|
allow = [ config.architect.networks."tailscale".net ];
|
||||||
|
proxyWebsockets = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
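Review bot: `address = "0.0.0.0"` makes PhotoPrism listen on every interface while the vhost relies on nginx `allowLan`/`allow` rules, so the access control can be bypassed by connecting to `config.services.photoprism.port` directly unless the host firewall closes it (not visible here). Since the architect.vhost `host` option defaults to `127.0.0.1`, binding the service to loopback with `address = "127.0.0.1";` keeps nginx as the only entry point. A short comment on `originalsPath` saying why the private path is used would also help the next reader.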
@ -2,41 +2,18 @@
|
|||||||
|
|
||||||
let
|
let
|
||||||
domain = "htpro.giugl.io";
|
domain = "htpro.giugl.io";
|
||||||
|
|
||||||
utilities = import ./utilities.nix { inherit lib config; };
|
|
||||||
inherit (utilities) architectInterfaceAddress;
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services = {
|
services.prowlarr.enable = true;
|
||||||
prowlarr.enable = true;
|
|
||||||
|
|
||||||
nginx.virtualHosts.${domain} = {
|
architect.vhost.${domain} = {
|
||||||
forceSSL = true;
|
dnsInterfaces = [ "tailscale" "wireguard" ];
|
||||||
enableACME = true;
|
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://127.0.0.1:9696";
|
|
||||||
extraConfig = ''
|
|
||||||
allow ${config.architect.networks.lan.net};
|
|
||||||
allow ${config.architect.networks.tailscale.net};
|
|
||||||
deny all;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
# locations."/api" = {
|
locations."/" = {
|
||||||
# proxyPass = "http://127.0.0.1:9696/prowlarr/api";
|
port = 9696;
|
||||||
# };
|
allowLan = true;
|
||||||
#
|
|
||||||
# locations."/Content" = {
|
|
||||||
# proxyPass = "http://127.0.0.1:9696/prowlarr/Content";
|
|
||||||
# };
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
|
||||||
${architectInterfaceAddress "lan"} ${domain}
|
|
||||||
${architectInterfaceAddress "wireguard"} ${domain}
|
|
||||||
${architectInterfaceAddress "tailscale"} ${domain}
|
|
||||||
'';
|
|
||||||
|
|
||||||
users.groups.media.members = [ "prowlarr" ];
|
users.groups.media.members = [ "prowlarr" ];
|
||||||
}
|
}
|
||||||
|
@ -2,36 +2,25 @@
|
|||||||
|
|
||||||
let
|
let
|
||||||
domain = "htrad.giugl.io";
|
domain = "htrad.giugl.io";
|
||||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
|
||||||
|
|
||||||
utilities = import ./utilities.nix { inherit lib config; };
|
|
||||||
inherit (utilities) architectInterfaceAddress;
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services = {
|
services.radarr = {
|
||||||
radarr = {
|
enable = true;
|
||||||
enable = true;
|
group = "media";
|
||||||
group = "media";
|
};
|
||||||
};
|
|
||||||
|
|
||||||
nginx.virtualHosts.${domain} = {
|
architect.vhost.${domain} = with config.architect.networks; {
|
||||||
forceSSL = true;
|
dnsInterfaces = [ "wireguard" "tailscale" ];
|
||||||
enableACME = true;
|
locations."/" = {
|
||||||
locations."/" = {
|
port = 7878;
|
||||||
proxyPass = "http://127.0.0.1:7878";
|
allowLan = true;
|
||||||
extraConfig = auth_block {
|
|
||||||
access_role = "radarr";
|
allow = [
|
||||||
};
|
wireguard.net
|
||||||
};
|
tailscale.net
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
networking.extraHosts = ''
|
|
||||||
${architectInterfaceAddress "lan"} ${domain}
|
|
||||||
${architectInterfaceAddress "wireguard"} ${domain}
|
|
||||||
${architectInterfaceAddress "tailscale"} ${domain}
|
|
||||||
'';
|
|
||||||
|
|
||||||
users.groups.media.members = [ "radarr" ];
|
users.groups.media.members = [ "radarr" ];
|
||||||
}
|
}
|
||||||
|
@ -2,35 +2,21 @@
|
|||||||
|
|
||||||
let
|
let
|
||||||
domain = "htson.giugl.io";
|
domain = "htson.giugl.io";
|
||||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
|
||||||
|
|
||||||
utilities = import ./utilities.nix { inherit lib config; };
|
|
||||||
inherit (utilities) architectInterfaceAddress;
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services = {
|
services.sonarr = {
|
||||||
sonarr = {
|
enable = true;
|
||||||
enable = true;
|
group = "media";
|
||||||
group = "media";
|
};
|
||||||
};
|
|
||||||
|
architect.vhost.${domain} = {
|
||||||
|
dnsInterfaces = [ "tailscale" "wireguard" ];
|
||||||
|
|
||||||
nginx.virtualHosts.${domain} = {
|
locations."/" = {
|
||||||
forceSSL = true;
|
port = 6969;
|
||||||
enableACME = true;
|
allowLan = true;
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://127.0.0.1:8989";
|
|
||||||
extraConfig = auth_block {
|
|
||||||
access_role = "sonarr";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
|
||||||
${architectInterfaceAddress "lan"} ${domain}
|
|
||||||
${architectInterfaceAddress "wireguard"} ${domain}
|
|
||||||
${architectInterfaceAddress "tailscale"} ${domain}
|
|
||||||
'';
|
|
||||||
|
|
||||||
users.groups.media.members = [ "sonarr" ];
|
users.groups.media.members = [ "sonarr" ];
|
||||||
}
|
}
|
||||||
|
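Review bot: The proxy target for htson.giugl.io changes from `proxyPass = "http://127.0.0.1:8989"` to `port = 6969;`, but nothing in this hunk changes where `services.sonarr` listens, so unless its port was reconfigured elsewhere the vhost now forwards to a port the service is not bound to. If 8989 is still the service port this should read `port = 8989;`; if 6969 is intended, a comment naming what listens there would stop the next reader from reverting it.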
@ -21,6 +21,7 @@ in
|
|||||||
tommy = { address = "100.64.0.7"; hostname = "tommy.${domain}"; };
|
tommy = { address = "100.64.0.7"; hostname = "tommy.${domain}"; };
|
||||||
ucsb-workstation = { address = "100.64.0.8"; hostname = "ucsb-workstation.${domain}"; };
|
ucsb-workstation = { address = "100.64.0.8"; hostname = "ucsb-workstation.${domain}"; };
|
||||||
alfredo = { address = "100.64.0.9"; hostname = "alfredo.${domain}"; };
|
alfredo = { address = "100.64.0.9"; hostname = "alfredo.${domain}"; };
|
||||||
|
parallels = { address = "100.64.0.3"; hostname = "parallels.${domain}"; };
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
11
lib/host.nix
11
lib/host.nix
@ -27,21 +27,20 @@
|
|||||||
|
|
||||||
modules = [
|
modules = [
|
||||||
{
|
{
|
||||||
imports = users_mod ++ roles_mod ++ add_imports ++ [
|
imports = users_mod ++
|
||||||
|
roles_mod ++
|
||||||
|
add_imports ++ [
|
||||||
(mkSysRole "common")
|
(mkSysRole "common")
|
||||||
(mkSysRole "acme")
|
(mkSysRole "acme")
|
||||||
|
(mkUser { name = "root"; roles = [ ]; })
|
||||||
];
|
];
|
||||||
|
|
||||||
home-manager = {
|
home-manager = {
|
||||||
users.root.imports = [ (mkHomeRole "common") ];
|
|
||||||
extraSpecialArgs.unstablePkgs = unstablePkgs;
|
extraSpecialArgs.unstablePkgs = unstablePkgs;
|
||||||
useGlobalPkgs = true;
|
useGlobalPkgs = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
system.stateVersion = "22.11";
|
system.stateVersion = "23.05";
|
||||||
|
|
||||||
environment.shells = [ pkgs.zsh ];
|
|
||||||
users.defaultUserShell = pkgs.zsh;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
home-manager.nixosModules.home-manager
|
home-manager.nixosModules.home-manager
|
||||||
|
18
lib/user.nix
18
lib/user.nix
@ -6,20 +6,26 @@
|
|||||||
roles_mod = (map (r: mkHomeRole r) roles);
|
roles_mod = (map (r: mkHomeRole r) roles);
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
users.groups.plugdev = { };
|
|
||||||
|
|
||||||
fileSystems."/home/${name}/Downloads" = {
|
fileSystems."/home/${name}/Downloads" = {
|
||||||
device = "tmpfs";
|
device = "tmpfs";
|
||||||
fsType = "tmpfs";
|
fsType = "tmpfs";
|
||||||
options = [ "size=3G" ];
|
options = [ "size=3G" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.${name} = {
|
users = {
|
||||||
isNormalUser = true;
|
users.${name} = {
|
||||||
extraGroups = [ "wheel" "plugdev" ];
|
isNormalUser = name != "root";
|
||||||
|
extraGroups = [ "wheel" "plugdev" ];
|
||||||
|
shell = pkgs.zsh;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
home-manager.users.${name}.imports = [ (mkHomeRole "common") ] ++ roles_mod;
|
programs.zsh.enable = true;
|
||||||
|
|
||||||
|
home-manager.users.${name}.imports = [
|
||||||
|
(mkHomeRole "common")
|
||||||
|
(mkHomeRole "zsh")
|
||||||
|
] ++ roles_mod;
|
||||||
};
|
};
|
||||||
|
|
||||||
mkHMUser = { name, roles ? [ ] }:
|
mkHMUser = { name, roles ? [ ] }:
|
||||||
|
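Review bot: `mkUser` is now also invoked for root (the `(mkUser { name = "root"; roles = [ ]; })` addition in the lib/host.nix hunk above), but apart from `isNormalUser = name != "root"` nothing here is root-aware: the tmpfs is declared at `/home/root/Downloads` although root's home is `/root`, and root is added to `wheel` and `plugdev`. Gating the `fileSystems` entry and `extraGroups` with `mkIf (name != "root")` (assuming `lib` is in scope in this file) leaves the root path with just the shell and the home-manager roles. A header comment on mkUser stating that it serves both root and regular users, and which settings differ between them, would make that contract explicit.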
@ -1,10 +1,10 @@
|
|||||||
{ ... }:
|
{ options, lib, config, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
security.acme = {
|
config.security.acme = {
|
||||||
acceptTerms = true;
|
acceptTerms = true;
|
||||||
defaults = {
|
defaults = {
|
||||||
email = "sysadmin@giugl.io";
|
email = "letsencrypt@depasquale.giugl.io";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -1,7 +1,9 @@
|
|||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
boot.tmpOnTmpfs = true;
|
boot.tmp = {
|
||||||
|
useTmpfs = true;
|
||||||
|
};
|
||||||
|
|
||||||
console = {
|
console = {
|
||||||
keyMap = "us";
|
keyMap = "us";
|
||||||
@ -41,7 +43,6 @@
|
|||||||
glances
|
glances
|
||||||
tcpdump
|
tcpdump
|
||||||
restic
|
restic
|
||||||
neovim
|
|
||||||
tmux
|
tmux
|
||||||
parted
|
parted
|
||||||
unzip
|
unzip
|
||||||
@ -50,5 +51,6 @@
|
|||||||
nmap
|
nmap
|
||||||
ripgrep
|
ripgrep
|
||||||
jq
|
jq
|
||||||
|
helix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
@ -11,9 +11,10 @@
|
|||||||
home-manager
|
home-manager
|
||||||
ripgrep
|
ripgrep
|
||||||
ydiff
|
ydiff
|
||||||
|
nix-index
|
||||||
]
|
]
|
||||||
++ lib.optional (!stdenv.isDarwin) pastebinit;
|
++ lib.optional (!stdenv.isDarwin) pastebinit;
|
||||||
|
|
||||||
stateVersion = "22.11";
|
stateVersion = "23.05";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -118,7 +118,6 @@
|
|||||||
nodePackages.vscode-langservers-extracted
|
nodePackages.vscode-langservers-extracted
|
||||||
nodePackages.typescript
|
nodePackages.typescript
|
||||||
nodePackages.svelte-language-server
|
nodePackages.svelte-language-server
|
||||||
swiProlog
|
|
||||||
nixpkgs-fmt
|
nixpkgs-fmt
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
@ -14,6 +14,8 @@
|
|||||||
|
|
||||||
initExtra = ''
|
initExtra = ''
|
||||||
any-nix-shell zsh --info-right | source /dev/stdin
|
any-nix-shell zsh --info-right | source /dev/stdin
|
||||||
|
source ${pkgs.nix-index}/etc/profile.d/command-not-found.sh
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
|