peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: peperunas:4dde4f68d8ea0eefc4605c22c22eef3879646c6e
Branches Tags
peperunas:master
peperunas:nixos-21.11
peperunas:laptopshit
...
compare: peperunas:7f2c129ea94d10536c54be39e757ba9cd92e62aa
Branches Tags
peperunas:master
peperunas:nixos-21.11
peperunas:laptopshit

32 Commits
4dde4f68d8 ... 7f2c129ea9

Author SHA1 Message Date
Giulio De Pasquale
7f2c129ea9 vhost: added host 2023-06-05 04:44:33 +02:00
Giulio De Pasquale
6389d1950a nextcloud: switched to mariadb. increased max upload size to 50GB 2023-06-05 04:43:42 +02:00
Giulio De Pasquale
842b3f0ac7 firewall: give docker more freedom 2023-06-05 04:43:07 +02:00
Giulio De Pasquale
2c387448ba gitea: vhost 2023-06-05 04:41:10 +02:00
Giulio De Pasquale
1df031965a photoprism: use vhost 2023-06-05 03:22:41 +02:00
Giulio De Pasquale
6d72359353 gitea: reenable gitea 2023-06-05 03:16:19 +02:00
Giulio De Pasquale
d1d0793e2c photoprism: use vhost 2023-06-05 03:15:23 +02:00
Giulio De Pasquale
d423200c59 bazarr: add lan to dnsinterface 2023-06-05 03:12:59 +02:00
Giulio De Pasquale
0698f9b8db nzbget: vhost 2023-06-05 03:12:34 +02:00
Giulio De Pasquale
edf4ba07ee nginx: switch to nginx as package 2023-06-05 03:12:09 +02:00
Giulio De Pasquale
f2e33628c0 jellyfin: vhost 2023-06-05 03:11:46 +02:00
Giulio De Pasquale
2f43745162 Move to vhost 2023-06-05 03:10:13 +02:00
Giulio De Pasquale
b378975769 sonarr: port to vhost 2023-06-05 03:02:26 +02:00
Giulio De Pasquale
65ba588d8e vhost: added attributes 2023-06-05 03:02:02 +02:00
Giulio De Pasquale
9aeacafbb2 docker: use docker as default backend for containers. disable iptables 2023-06-05 03:01:37 +02:00
Giulio De Pasquale
17d2e10345 bazarr: use vhost 2023-06-05 00:50:31 +02:00
Giulio De Pasquale
da1b08c44a radarr: use vhost 2023-06-05 00:46:39 +02:00
Giulio De Pasquale
acb47f5a73 dns: moved config to vhost 2023-06-05 00:30:07 +02:00
Giulio De Pasquale
78fc53024f options: added vhost attributes 2023-06-05 00:29:43 +02:00
Giulio De Pasquale
3bc816b665 gitea: move LFS setting into gitea.lfs 2023-06-03 01:46:08 +02:00
Giulio De Pasquale
708687d258 Update lock 2023-06-01 21:09:36 +02:00
Giulio De Pasquale
0747c0ebf4 openssl: Ignore 1.1.1u being vulnerable along with 1.1.1t 2023-06-01 21:09:30 +02:00
Giulio De Pasquale
6cb4fa08d2 Add nix-index and command-not-found 2023-06-01 21:09:04 +02:00
Giulio De Pasquale
2c906d715e architect: Disable gitea 2023-06-01 21:08:42 +02:00
Giulio De Pasquale
fef4b471f0 minio: Use legacy package 2023-06-01 21:08:28 +02:00
Giulio De Pasquale
f7609a7ee6 tanta roba 2023-05-28 22:45:49 +02:00
Giulio De Pasquale
9f819d1357 helix: remove swiProlog 2023-05-28 07:21:31 +02:00
Giulio De Pasquale
b479c748e0 flake: allow openssl1.1.1t 2023-05-28 07:21:04 +02:00
Giulio De Pasquale
ef96a959f6 acme: change default email 2023-05-28 07:14:48 +02:00
Giulio De Pasquale
229e92222e architect: switch to nextdns 2023-05-28 06:22:56 +02:00
Giulio De Pasquale
08c898ed46 Initial move to 23.05 2023-05-28 00:16:46 +02:00
Giulio De Pasquale
84df2e348d architect: removed network.nix 2023-05-15 19:51:50 +02:00
30 changed files with 449 additions and 457 deletions
Show Stats Expand all files Collapse all files

42
flake.lock generated
View File

@ -4,52 +4,51 @@
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ]
"utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1681092193, "lastModified": 1685599623,
"narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=", "narHash": "sha256-Tob4CMOVHue0D3RzguDBCtUmX5ji2PsdbQDbIOIKvsc=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af", "rev": "93db05480c0c0f30382d3e80779e8386dcb4f9dd",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "release-22.11", "ref": "release-23.05",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
}, },
"nixos-unstable": { "nixos-unstable": {
"locked": { "locked": {
"lastModified": 1684171979, "lastModified": 1685564631,
"narHash": "sha256-KfIpmlqCCtY/T8mWQOkucv4LrYAgIXho6QJOwl2md3g=", "narHash": "sha256-8ywr3AkblY4++3lIVxmrWZFzac7+f32ZEhH/A8pNscI=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "10092e14180fdff037aea3a14ad3faeaf6950ac1", "rev": "4f53efe34b3a8877ac923b9350c874e3dcd5dc0a",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "master", "ref": "nixos-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1683928319, "lastModified": 1685645444,
"narHash": "sha256-maz0DRKixJVcNRMiAMWlJniiF8IuQ+WbfmlJJ8D+jfM=", "narHash": "sha256-FEuVrowBDU8D+Vt1oqN6j18g/vDvU13WVruTaMjzb8w=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "9656e85a15a0fe67847ee8cdb99a20d8df499962", "rev": "ce3e618cd3b9792d898b76126c36e6ac50b680e1",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-22.11", "ref": "release-23.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -60,21 +59,6 @@
"nixos-unstable": "nixos-unstable", "nixos-unstable": "nixos-unstable",
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
} }
},
"utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

11
flake.nix
View File

@ -1,9 +1,9 @@
{ {
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11"; nixpkgs.url = "github:NixOS/nixpkgs/release-23.05";
nixos-unstable.url = "github:NixOS/nixpkgs/master"; nixos-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
home-manager = { home-manager = {
url = "github:nix-community/home-manager/release-22.11"; url = "github:nix-community/home-manager/release-23.05";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
}; };
@ -30,6 +30,11 @@
inherit system; inherit system;
config.allowUnfree = true; config.allowUnfree = true;
config.permittedInsecurePackages = [
"openssl-1.1.1t"
"openssl-1.1.1u"
];
}; };
wrapUtils = { pkgs, unstablePkgs, system }: wrapUtils = { pkgs, unstablePkgs, system }:

38
hosts/architect/bazarr.nix
View File

@ -2,35 +2,25 @@
let let
domain = "htbaz.giugl.io"; domain = "htbaz.giugl.io";
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services.bazarr = {
bazarr = { enable = true;
enable = true; group = "media";
group = "media"; };
};
nginx.virtualHosts.${domain} = { architect.vhost.${domain} = with config.architect.networks; {
forceSSL = true; dnsInterfaces = [ "wireguard" "tailscale" ];
enableACME = true; locations."/" = {
locations."/" = { allowLan = true;
proxyPass = "http://127.0.0.1:6767"; port = 6767;
extraConfig = auth_block {
access_role = "bazarr"; allow = [
}; wireguard.net
}; tailscale.net
];
}; };
}; };
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
users.groups.media.members = [ "bazarr" ]; users.groups.media.members = [ "bazarr" ];
} }

18
hosts/architect/default.nix
View File

@ -5,7 +5,7 @@ let
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1we38/N+t8Ah5yrLof8QUwhrob7/VXFKIddaJeOVBLuDVnW7ljiAtdtEiL69D/DV4Ohmt5wMvkAAjfuHmim6FD9A6lzPbSU4KH9W2dcckszKbbI636kuDwem/xui6BW3wJa6P+0xW5ksygEAkzcK2PXuC2b4B9uwhuUdKahiGMKDxISG/WianqAe72cGMfNkYvion3Y1VsMLUdm48d2ABnxNpr7NI9B5iJ8dziOft9gpgfz13CCQRlReo75gk/4xI+vSNrQp7eR+wzJy2/dZg/T8jtyA9Q6jVxrxBpqQ1LNXkAKaJkGo9OabF6Wgpzp+YTAurL4nwR2NaJxwFuyoKvACQy0ai4jrS3206gC6JXZv8ktZMZrwUN+jPqCwfgh5qObFkAqKCxbp52ioDek2MQLdOvzQBX//DBhGEp5rzHGLZ3vhRIiiQiaof5sF5zWiYDW5mqezSPNxJPX/BrTP/Wbs/jpwTLBh3wytiia0S1WXQmya89bqzTPFiDWvTRA62EVKB/JaQtPQQOFAxWwg799DMycPeZ81xttZOyMtI/MZSddyqx2S8fWGwvToZQvuZ38mSIpFseLM1IkgabRIrAmat5SBNGGy9Dqa0eMEa7bwIY/4CMB1y6HMTnaoMXA6cnQfHMoB/zyTZ6oTXIeqeOyiZsK+RN0Mvahj8mXi7dw== giulio@giulio-X230" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1we38/N+t8Ah5yrLof8QUwhrob7/VXFKIddaJeOVBLuDVnW7ljiAtdtEiL69D/DV4Ohmt5wMvkAAjfuHmim6FD9A6lzPbSU4KH9W2dcckszKbbI636kuDwem/xui6BW3wJa6P+0xW5ksygEAkzcK2PXuC2b4B9uwhuUdKahiGMKDxISG/WianqAe72cGMfNkYvion3Y1VsMLUdm48d2ABnxNpr7NI9B5iJ8dziOft9gpgfz13CCQRlReo75gk/4xI+vSNrQp7eR+wzJy2/dZg/T8jtyA9Q6jVxrxBpqQ1LNXkAKaJkGo9OabF6Wgpzp+YTAurL4nwR2NaJxwFuyoKvACQy0ai4jrS3206gC6JXZv8ktZMZrwUN+jPqCwfgh5qObFkAqKCxbp52ioDek2MQLdOvzQBX//DBhGEp5rzHGLZ3vhRIiiQiaof5sF5zWiYDW5mqezSPNxJPX/BrTP/Wbs/jpwTLBh3wytiia0S1WXQmya89bqzTPFiDWvTRA62EVKB/JaQtPQQOFAxWwg799DMycPeZ81xttZOyMtI/MZSddyqx2S8fWGwvToZQvuZ38mSIpFseLM1IkgabRIrAmat5SBNGGy9Dqa0eMEa7bwIY/4CMB1y6HMTnaoMXA6cnQfHMoB/zyTZ6oTXIeqeOyiZsK+RN0Mvahj8mXi7dw== giulio@giulio-X230"
]; ];
domain = "devs.giugl.io"; domain = "devs.giugl.io";
utilities = import ./utilities.nix { inherit lib config; }; utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) generateDeviceStrings; inherit (utilities) generateDeviceStrings;
in in
@ -30,7 +30,7 @@ in
./minecraft.nix ./minecraft.nix
./prowlarr.nix ./prowlarr.nix
./libreddit.nix ./libreddit.nix
# ./invidious.nix ./invidious.nix
# ./lidarr.nix # ./lidarr.nix
# ./navidrome.nix # ./navidrome.nix
./jellyfin.nix ./jellyfin.nix
@ -88,6 +88,8 @@ in
"memmap=32M$0x4ca6f9478" "memmap=32M$0x4ca6f9478"
]; ];
kernelPackages = pkgs.linuxPackages;
kernel.sysctl = { "net.ipv4.ip_forward" = 1; }; kernel.sysctl = { "net.ipv4.ip_forward" = 1; };
loader = { loader = {
@ -100,7 +102,7 @@ in
supportedFilesystems = [ "zfs" ]; supportedFilesystems = [ "zfs" ];
zfs.requestEncryptionCredentials = true; zfs.requestEncryptionCredentials = true;
tmpOnTmpfsSize = "50%"; tmp.tmpfsSize = "50%";
}; };
networking = with config.architect.networks.lan; { networking = with config.architect.networks.lan; {
@ -151,8 +153,12 @@ in
xserver.videoDrivers = [ "nvidia" ]; xserver.videoDrivers = [ "nvidia" ];
openssh = { openssh = {
enable = true; enable = true;
passwordAuthentication = false;
kbdInteractiveAuthentication = false; settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
extraConfig = '' extraConfig = ''
MaxAuthTries 15 MaxAuthTries 15
''; '';
@ -162,7 +168,7 @@ in
environment = { environment = {
variables = { LIBVA_DRIVER_NAME = "vdpau"; }; variables = { LIBVA_DRIVER_NAME = "vdpau"; };
systemPackages = with pkgs; [ cachix ]; systemPackages = with pkgs; [ cachix linuxPackages.usbip ];
}; };
} }

72
hosts/architect/dns.nix
View File

@ -1,53 +1,53 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
adguard_webui_port = 3031; domain = "adguard.architect.devs.giugl.io";
adguard_dns_port = "5300";
dnscrypt_listen_port = "5353";
in in
{ {
architect.firewall.openUDPVPN = [ 53 ]; architect = {
firewall.openUDPVPN = [ 53 ];
vhost.${domain} = {
dnsInterfaces = [ "lan" "tailscale" "wireguard" ];
locations."/" = with config; {
port = services.adguardhome.settings.bind_port;
allow = with architect.networks; [ lan.net tailscale.net ];
deny = [
architect.networks."lan".devices.router.address
];
};
};
};
services = { services = {
dnsmasq = { dnsmasq = {
enable = true; enable = true;
# adguard port settings = {
servers = [ "127.0.0.1#${adguard_dns_port}" ]; server = [ "127.0.0.1#${toString config.services.adguardhome.settings.dns.port}" ];
extraConfig = '' localise-queries = true;
localise-queries min-cache-ttl = 120;
min-cache-ttl=120 max-cache-ttl = 2400;
max-cache-ttl=2400 domain = [
"runas.rocks"
domain=runas.rocks "giugl.io"
domain=giugl.io "devs.runas.rocks"
domain=devs.runas.rocks "devs.giugl.io"
domain=devs.giugl.io ];
''; };
}; };
adguardhome = { adguardhome = {
enable = true;
port = adguard_webui_port;
};
dnscrypt-proxy2 = {
enable = true; enable = true;
settings = { settings = {
listen_addresses = [ "127.0.0.1:${dnscrypt_listen_port}" ]; bind_port = 5353;
ipv4_servers = true; dns = {
ipv6_servers = false; port = 5300;
block_ipv6 = true; };
dnscrypt_servers = true; upstream_dns = [
doh_servers = true; "tls://architect.d65174.dns.nextdns.io"
require_nolog = true; "https://dns.nextdns.io/d65174/architect"
require_nofilter = true; ];
timeout = 350;
lb_strategy = "p4";
lb_estimator = true;
ignore_system_dns = true;
fallback_resolvers = [ "1.1.1.1:53" "9.9.9.9:53" ];
cache_min_ttl = 450;
cache_max_ttl = 2400;
}; };
}; };
}; };

20
hosts/architect/docker.nix
View File

@ -5,13 +5,19 @@
interface = "docker0"; interface = "docker0";
net = "172.17.0.0/16"; net = "172.17.0.0/16";
}; };
virtualisation.docker = { virtualisation = {
enable = true; oci-containers.backend = "docker";
extraOptions = ''
--dns 127.0.0.1 --dns ${config.architect.networks.lan.devices.architect.address} --data-root /docker docker = {
''; enable = true;
enableOnBoot = false; extraOptions = ''
--dns 127.0.0.1 --dns ${config.architect.networks.lan.devices.architect.address} --data-root /docker
'';
enableOnBoot = false;
daemon.settings.iptables = false;
};
}; };
users.users.giulio.extraGroups = [ "docker" ]; users.users.giulio.extraGroups = [ "docker" ];
} }

5
hosts/architect/firewall.nix
View File

@ -54,6 +54,9 @@ in
} }
table ip nat { table ip nat {
chain DOCKER {
type nat hook prerouting priority dstnat; policy accept;
}
chain PREROUTING { chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept; type nat hook prerouting priority dstnat; policy accept;
} }
@ -142,6 +145,7 @@ in
ip daddr 255.255.255.255 accept comment "allow broadcast traffic" ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
ip saddr ${lan.net} accept comment "lan > local" ip saddr ${lan.net} accept comment "lan > local"
iifname ${docker.interface} accept
ip saddr ${tailscale.net} accept comment "tailscale > local" ip saddr ${tailscale.net} accept comment "tailscale > local"
ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local" ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
@ -151,7 +155,6 @@ in
iifname ${wireguard.interface} udp dport {${openUDPVPN}} accept iifname ${wireguard.interface} udp dport {${openUDPVPN}} accept
iifname ${wireguard.interface} icmp type echo-request accept iifname ${wireguard.interface} icmp type echo-request accept
iifname ${docker.interface} udp dport 53 accept
jump filter_drop jump filter_drop
} }

35
hosts/architect/gitea.nix
View File

@ -2,41 +2,30 @@
let let
domain = "git.giugl.io"; domain = "git.giugl.io";
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
architect.firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ]; architect = {
firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ];
vhost.${domain} = {
dnsInterfaces = [ "lan" "tailscale" "wireguard" ];
locations."/".port = config.services.gitea.settings.server.HTTP_PORT;
};
};
services.gitea = { services.gitea = {
enable = true; enable = true;
database.type = "sqlite3"; database.type = "sqlite3";
domain = domain;
appName = "Gitea"; appName = "Gitea";
rootUrl = "https://${domain}"; # https://github.com/NixOS/nixpkgs/issues/235442#issuecomment-1574329453
lfs.enable = true;
settings = { settings = {
server = { server = {
LFS_START_SERVER = true; DOMAIN = domain;
ROOT_URL = "https://${domain}";
SSH_PORT = 22; SSH_PORT = 22;
HTTP_PORT = 3001;
}; };
openid.enable_openid_signin = true; openid.enable_openid_signin = true;
}; };
}; };
services.nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
# it does not work, it breaks gitea's web portal
# extraConfig = auth_block { access_role = "git"; };
};
};
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
} }

7
hosts/architect/headscale.nix
View File

@ -8,17 +8,16 @@ in
openUDP = [ config.services.tailscale.port ]; openUDP = [ config.services.tailscale.port ];
}; };
environment.systemPackages = [ pkgs.unstablePkgs.headscale ];
services = { services = {
headscale = { headscale = {
enable = true; enable = true;
package = pkgs.unstablePkgs.headscale; package = pkgs.unstablePkgs.headscale;
port = 1194; port = 1194;
address = "0.0.0.0"; address = "0.0.0.0";
serverUrl = "https://${domain}";
logLevel = "debug";
settings = { settings = {
server_url = "https://${domain}";
log.level = "debug";
dns_config = { dns_config = {
magic_dns = true; magic_dns = true;
base_domain = "giugl.io"; base_domain = "giugl.io";

15
hosts/architect/invidious.nix
View File

@ -1,27 +1,28 @@
{ lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
domain = "tube.giugl.io"; domain = "tube.giugl.io";
network = import ./network.nix;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
invidious = { invidious = {
enable = true; enable = true;
port = 9092;
package = pkgs.unstablePkgs.invidious; package = pkgs.unstablePkgs.invidious;
}; };
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { proxyPass = "http://127.0.0.1:9092"; }; locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.invidious.port}"; };
}; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
} }

55
hosts/architect/jellyfin.nix
View File

@ -3,52 +3,41 @@
let let
domain = "media.giugl.io"; domain = "media.giugl.io";
port = 8096; port = 8096;
allowLan = true;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
# needed since StateDirectory does not accept symlinks # needed since StateDirectory does not accept symlinks
systemd.services.jellyfin.serviceConfig.StateDirectory = lib.mkForce ""; systemd.services.jellyfin.serviceConfig.StateDirectory = lib.mkForce "";
services = { architect.vhost.${domain} = with config.architect.networks; {
jellyfin = { dnsInterfaces = [ "lan" "wireguard" "tailscale" ];
enable = true; locations = {
group = "media"; "/" = {
package = pkgs.unstablePkgs.jellyfin; inherit port allowLan;
};
nginx.virtualHosts.${domain} = { allow = [
forceSSL = true; wireguard.net
enableACME = true; tailscale.net
extraConfig = '' ];
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
allow ${config.architect.networks.lan.net};
allow ${config.architect.networks.tailscale.net};
deny all;
'';
locations."/" = {
proxyPass = "http://127.0.0.1:${toString port}";
}; };
locations."/socket" = { "/socket" = {
proxyPass = "http://127.0.0.1:${toString port}"; inherit port allowLan;
proxyWebsockets = true; proxyWebsockets = true;
allow = [
wireguard.net
tailscale.net
];
}; };
}; };
}; };
services.jellyfin = {
networking.extraHosts = '' enable = true;
${architectInterfaceAddress "lan"} ${domain} group = "media";
${architectInterfaceAddress "wireguard"} ${domain} package = pkgs.unstablePkgs.jellyfin;
${architectInterfaceAddress "tailscale"} ${domain} };
'';
users.groups = { users.groups = {
media.members = [ "jellyfin" ]; media.members = [ "jellyfin" ];

9
hosts/architect/minio.nix
View File

@ -1,4 +1,4 @@
{ config, lib, ... }: { config, lib, pkgs, ... }:
let let
domain = "s3.giugl.io"; domain = "s3.giugl.io";
@ -8,7 +8,10 @@ let
in in
{ {
services = { services = {
minio.enable = true; minio = {
enable = true;
package = pkgs.minio_legacy_fs;
};
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
@ -24,7 +27,7 @@ in
}; };
}; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}

66
hosts/architect/network.nix
View File

@ -1,66 +0,0 @@
rec {
# interfaces
wan-if = "enp5s0";
vpn-if = "wg0";
proxy-if = "proxy";
docker-if = "docker0";
tailscale-if = "ts0";
# nets
lan-net = "10.0.0.0/24";
vpn-net = "10.3.0.0/24";
external_lan-net = "192.168.1.0/24";
docker-net = "172.17.0.0/16";
# tailscale-net = "100.64.0.0/10";
tailscale-net = "10.4.0.0/24";
# ips
router-lan = "10.0.0.1";
dvr-lan = "10.0.0.2";
nas-lan = "10.0.0.3";
architect-lan = "10.0.0.250";
architect-wg = "10.3.0.1";
manduria-wg = "10.3.0.5";
antonio-wg = "10.3.0.6";
gbeast-wg = "10.3.0.7";
shield-wg = "10.3.0.12";
salvatore-wg = "10.3.0.16";
papa-wg = "10.3.0.17";
defy-wg = "10.3.0.18";
germano-wg = "10.3.0.19";
flavio-wg = "10.3.0.20";
tommy-wg = "10.3.0.21";
alain-wg = "10.3.0.22";
dima-wg = "10.3.0.23";
mikey-wg = "10.3.0.24";
andrew-wg = "10.3.0.25";
mikeylaptop-wg = "10.3.0.26";
andrewdesktop-wg = "10.3.0.27";
jacopo-wg = "10.3.0.28";
frznn-wg = "10.3.0.29";
ludo-wg = "10.3.0.30";
parina-wg = "10.3.0.31";
nilo-wg = "10.3.0.32";
parina-ipad-wg = "10.3.0.33";
kclvm-wg = "10.3.0.34";
framecca-wg = "10.3.0.35";
framecca_one-wg = "10.3.0.36";
framecca_two-wg = "10.3.0.37";
framecca_three-wg = "10.3.0.38";
framecca_four-wg = "10.3.0.39";
giuliophone-ts = "100.68.68.46";
# architect-ts = "100.67.205.28";
architect-ts = "10.4.0.2";
giuliopc-ts = "100.124.78.64";
dodino-ts = "100.106.244.35";
framecca-devices = [ framecca-wg framecca_one-wg framecca_three-wg framecca_four-wg ];
c2c-wg = framecca-devices;
# groups
gdevices = [ giuliophone-ts architect-ts giuliopc-ts dodino-ts ];
towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg ] ++ framecca-devices;
}

14
hosts/architect/nextcloud.nix
View File

@ -13,10 +13,10 @@ in
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
}; };
mysql = { mysql = {
enable = true; enable = true;
package = pkgs.unstablePkgs.mysql80; package = pkgs.mariadb;
}; };
redis = { redis = {
@ -33,6 +33,7 @@ in
https = true; https = true;
package = pkgs.unstablePkgs.nextcloud26; package = pkgs.unstablePkgs.nextcloud26;
datadir = "/services/nextcloud"; datadir = "/services/nextcloud";
configureRedis = true;
caching = { caching = {
redis = true; redis = true;
}; };
@ -40,15 +41,16 @@ in
autoUpdateApps.enable = true; autoUpdateApps.enable = true;
autoUpdateApps.startAt = "05:00:00"; autoUpdateApps.startAt = "05:00:00";
maxUploadSize = "50G";
config = { config = {
overwriteProtocol = "https"; overwriteProtocol = "https";
dbtype = "mysql"; dbtype = "mysql";
dbuser = "oc_giulio2"; dbuser = "nextcloud";
dbhost = "localhost"; dbhost = "localhost";
dbname = "nextcloud_final"; dbname = "nextcloud";
dbpassFile = "/secrets/nextcloud/dbpass.txt"; dbpassFile = "/secrets/nextcloud/dbpass.txt";
adminpassFile = "/secrets/nextcloud/adminpass.txt"; adminpassFile = "/secrets/nextcloud/dbpass.txt";
adminuser = "giulio";
extraTrustedDomains = [ "${domain}" ]; extraTrustedDomains = [ "${domain}" ];
}; };
}; };

92
hosts/architect/nginx.nix
View File

@ -8,7 +8,7 @@
services.nginx = { services.nginx = {
enable = true; enable = true;
package = pkgs.openresty; package = pkgs.nginx;
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedProxySettings = true; recommendedProxySettings = true;
@ -32,59 +32,59 @@
}; };
}; };
appendHttpConfig = # appendHttpConfig =
let # let
extraPureLuaPackages = with pkgs.luajitPackages; [ # extraPureLuaPackages = with pkgs.luajitPackages; [
lua-resty-openidc # lua-resty-openidc
lua-resty-http # lua-resty-http
lua-resty-session # lua-resty-session
lua-resty-jwt # lua-resty-jwt
lua-resty-openssl # lua-resty-openssl
]; # ];
luaPath = pkg: "${pkg}/share/lua/5.1/?.lua"; # luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
makeLuaPath = lib.concatMapStringsSep ";" luaPath; # makeLuaPath = lib.concatMapStringsSep ";" luaPath;
in # in
'' # ''
# https://stackoverflow.com/questions/38931468/nginx-reverse-proxy-error14077438ssl-ssl-do-handshake-failed # # https://stackoverflow.com/questions/38931468/nginx-reverse-proxy-error14077438ssl-ssl-do-handshake-failed
proxy_ssl_server_name on; # proxy_ssl_server_name on;
lua_package_path '${makeLuaPath extraPureLuaPackages};;'; # lua_package_path '${makeLuaPath extraPureLuaPackages};;';
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; # lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 5; # lua_ssl_verify_depth 5;
# cache for OIDC discovery metadata # # cache for OIDC discovery metadata
lua_shared_dict discovery 1m; # lua_shared_dict discovery 1m;
lua_shared_dict jwks 1m; # lua_shared_dict jwks 1m;
# https://github.com/openresty/lua-resty-redis/issues/159 # # https://github.com/openresty/lua-resty-redis/issues/159
resolver local=on ipv6=off; # resolver local=on ipv6=off;
init_worker_by_lua_block { # init_worker_by_lua_block {
function check_role (res, role) # function check_role (res, role)
if res.user.roles == nil then # if res.user.roles == nil then
return false # return false
end # end
for _,v in pairs(res.user.roles) do # for _,v in pairs(res.user.roles) do
if string.lower(v) == role then # if string.lower(v) == role then
return true # return true
end # end
end # end
return false # return false
end # end
function is_ip_whitelisted(ip, whitelist) # function is_ip_whitelisted(ip, whitelist)
for _, x in ipairs(whitelist) do # for _, x in ipairs(whitelist) do
if ip == x then # if ip == x then
return true # return true
end # end
end # end
return false # return false
end # end
} # }
''; # '';
appendConfig = '' appendConfig = ''
worker_processes 24; worker_processes 24;

34
hosts/architect/nzbget.nix
View File

@ -2,35 +2,21 @@
let let
domain = "htnzb.giugl.io"; domain = "htnzb.giugl.io";
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services.nzbget = {
nzbget = { enable = true;
enable = true; group = "media";
group = "media"; };
};
nginx.virtualHosts.${domain} = { architect.vhost.${domain} = {
forceSSL = true; dnsInterfaces = [ "tailscale" "wireguard" "lan" ];
enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:6789"; port = 6789;
extraConfig = auth_block { allowLan = true;
access_role = "nzbget";
};
};
}; };
}; };
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
users.groups.media.members = [ "nzbget" ]; users.groups.media.members = [ "nzbget" ];
} }

84
hosts/architect/openid.nix
View File

@ -3,46 +3,48 @@
{ {
openresty_oidc_block = openresty_oidc_block =
{ access_role ? "", whitelisted_ips ? [ ] }: '' { access_role ? "", whitelisted_ips ? [ ] }: ''
access_by_lua_block {
local opts = {
discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
client_id = "nginx",
client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8",
logout_path = "/logout",
redirect_after_logout_uri = "/",
redirect_uri = "/redirect_uri",
keepalive = "yes",
accept_none_alg = true,
revoke_tokens_on_logout = true,
-- access token valid for a day
access_token_expires_in = 86400
}
${lib.optionalString (whitelisted_ips != []) ''
local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}
if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
return
end
''}
-- call introspect for OAuth 2.0 Bearer Access Token validation
local res, err = require("resty.openidc").authenticate(opts)
if err then
ngx.status = 403
ngx.say(err)
ngx.exit(ngx.HTTP_FORBIDDEN)
end
${lib.optionalString (access_role != "") ''
if not check_role(res, "${access_role}") then
ngx.status = 401
ngx.header.content_type = 'text/html';
ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
''}
}
''; '';
# access_by_lua_block {
# local opts = {
# discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
# client_id = "nginx",
# client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8",
# logout_path = "/logout",
# redirect_after_logout_uri = "/",
# redirect_uri = "/redirect_uri",
# keepalive = "yes",
# accept_none_alg = true,
# revoke_tokens_on_logout = true,
# -- access token valid for a day
# access_token_expires_in = 86400
# }
# ${lib.optionalString (whitelisted_ips != []) ''
# local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}
# if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
# return
# end
# ''}
# -- call introspect for OAuth 2.0 Bearer Access Token validation
# local res, err = require("resty.openidc").authenticate(opts)
# if err then
# ngx.status = 403
# ngx.say(err)
# ngx.exit(ngx.HTTP_FORBIDDEN)
# end
# ${lib.optionalString (access_role != "") ''
# if not check_role(res, "${access_role}") then
# ngx.status = 401
# ngx.header.content_type = 'text/html';
# ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
# ngx.exit(ngx.HTTP_UNAUTHORIZED)
# end
# ''}
# }
# '';
} }

94
hosts/architect/options.nix
View File

@ -2,6 +2,10 @@
with lib; with lib;
let
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in
{ {
options.architect = { options.architect = {
firewall = { firewall = {
@ -58,5 +62,95 @@ with lib;
default = { }; default = { };
description = "An attribute set of networks with their configurations."; description = "An attribute set of networks with their configurations.";
}; };
vhost = mkOption {
type = types.attrsOf (types.submodule {
options = {
dnsInterfaces = mkOption {
type = types.listOf types.str;
default = [ ];
description = "List of interfaces to add extra DNS hosts for this vhost.";
};
locations = mkOption {
type = types.attrsOf (types.submodule {
options = {
extraConfig = mkOption {
type = types.str;
description = "Extra configuration for the location.";
default = "";
};
allowLan = mkOption {
type = types.bool;
default = false;
};
proxyWebsockets = mkOption {
type = types.bool;
default = false;
};
host = mkOption {
type = types.str;
description = "The host for the location.";
default = "127.0.0.1";
};
port = mkOption {
type = types.int;
description = "The port number for the location.";
};
allow = mkOption {
type = types.listOf types.str;
default = [ ];
description = "IP address or CIDR block to allow.";
};
deny = mkOption {
type = types.listOf types.str;
default = [ ];
description = "IP address or CIDR block to deny.";
};
};
});
default = { };
description = "An attribute set of location configurations.";
};
};
});
default = { };
description = "An attribute set of domain configurations.";
};
};
config = {
services.nginx.virtualHosts = mapAttrs
(domain: conf: {
forceSSL = true;
enableACME = true;
locations = mapAttrs
(path: location: {
proxyPass = "http://${location.host}:${toString location.port}";
proxyWebsockets = location.proxyWebsockets;
extraConfig = ''
${optionalString location.allowLan "deny 10.0.0.1;"}
${concatMapStringsSep "\n" (denyCIDR: "deny ${denyCIDR};") location.deny}
${concatMapStringsSep "\n" (allowCIDR: "allow ${allowCIDR};") location.allow}
${optionalString location.allowLan ''allow ${config.architect.networks."lan".net};''}
'' + location.extraConfig;
})
conf.locations;
})
config.architect.vhost;
networking.extraHosts = concatStringsSep "\n" (
mapAttrsToList
(domain: conf: concatMapStringsSep "\n"
(iface: "${architectInterfaceAddress iface} ${domain}")
conf.dnsInterfaces)
config.architect.vhost
);
}; };
} }

37
hosts/architect/photoprism.nix Normal file
View File

@ -0,0 +1,37 @@
{ config, pkgs, lib, ... }:
let
domain = "photos.giugl.io";
in
{
services.photoprism = {
enable = true;
package = pkgs.photoprism;
originalsPath = "/var/lib/private/photoprism/originals";
address = "0.0.0.0";
settings = {
PHOTOPRISM_DEFAULT_LOCALE = "en";
PHOTOPRISM_DATABASE_DRIVER = "mysql";
PHOTOPRISM_DATABASE_NAME = "photoprism";
PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock";
PHOTOPRISM_DATABASE_USER = "photoprism";
PHOTOPRISM_SITE_URL = "https://${domain}";
PHOTOPRISM_SITE_TITLE = "PePrism";
PHOTOPRISM_FFMPEG_ENCODER = "nvidia";
PHOTOPRISM_INIT = "tensorflow";
NVIDIA_VISIBLE_DEVICES = "all";
NVIDIA_DRIVER_CAPABILITIES = "compute,video,utility";
PHOTOPRISM_FFMPEG_BIN = "${pkgs.ffmpeg}/bin/ffmpeg";
};
};
architect.vhost.${domain} = {
dnsInterfaces = [ "tailscale" "lan" ];
locations."/" = {
port = config.services.photoprism.port;
allowLan = true;
allow = [ config.architect.networks."tailscale".net ];
proxyWebsockets = true;
};
};
}

35
hosts/architect/prowlarr.nix
View File

@ -2,41 +2,18 @@
let let
domain = "htpro.giugl.io"; domain = "htpro.giugl.io";
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services.prowlarr.enable = true;
prowlarr.enable = true;
nginx.virtualHosts.${domain} = { architect.vhost.${domain} = {
forceSSL = true; dnsInterfaces = [ "tailscale" "wireguard" ];
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:9696";
extraConfig = ''
allow ${config.architect.networks.lan.net};
allow ${config.architect.networks.tailscale.net};
deny all;
'';
};
# locations."/api" = { locations."/" = {
# proxyPass = "http://127.0.0.1:9696/prowlarr/api"; port = 9696;
# }; allowLan = true;
#
# locations."/Content" = {
# proxyPass = "http://127.0.0.1:9696/prowlarr/Content";
# };
}; };
}; };
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
users.groups.media.members = [ "prowlarr" ]; users.groups.media.members = [ "prowlarr" ];
} }

39
hosts/architect/radarr.nix
View File

@ -2,36 +2,25 @@
let let
domain = "htrad.giugl.io"; domain = "htrad.giugl.io";
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services.radarr = {
radarr = { enable = true;
enable = true; group = "media";
group = "media"; };
};
nginx.virtualHosts.${domain} = { architect.vhost.${domain} = with config.architect.networks; {
forceSSL = true; dnsInterfaces = [ "wireguard" "tailscale" ];
enableACME = true; locations."/" = {
locations."/" = { port = 7878;
proxyPass = "http://127.0.0.1:7878"; allowLan = true;
extraConfig = auth_block {
access_role = "radarr"; allow = [
}; wireguard.net
}; tailscale.net
];
}; };
}; };
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
users.groups.media.members = [ "radarr" ]; users.groups.media.members = [ "radarr" ];
} }

36
hosts/architect/sonarr.nix
View File

@ -2,35 +2,21 @@
let let
domain = "htson.giugl.io"; domain = "htson.giugl.io";
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services.sonarr = {
sonarr = { enable = true;
enable = true; group = "media";
group = "media"; };
};
architect.vhost.${domain} = {
dnsInterfaces = [ "tailscale" "wireguard" ];
nginx.virtualHosts.${domain} = { locations."/" = {
forceSSL = true; port = 6969;
enableACME = true; allowLan = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8989";
extraConfig = auth_block {
access_role = "sonarr";
};
};
}; };
}; };
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
users.groups.media.members = [ "sonarr" ]; users.groups.media.members = [ "sonarr" ];
} }

1
hosts/architect/tailscale.nix
View File

@ -21,6 +21,7 @@ in
tommy = { address = "100.64.0.7"; hostname = "tommy.${domain}"; }; tommy = { address = "100.64.0.7"; hostname = "tommy.${domain}"; };
ucsb-workstation = { address = "100.64.0.8"; hostname = "ucsb-workstation.${domain}"; }; ucsb-workstation = { address = "100.64.0.8"; hostname = "ucsb-workstation.${domain}"; };
alfredo = { address = "100.64.0.9"; hostname = "alfredo.${domain}"; }; alfredo = { address = "100.64.0.9"; hostname = "alfredo.${domain}"; };
parallels = { address = "100.64.0.3"; hostname = "parallels.${domain}"; };
}; };
}; };
}; };

11
lib/host.nix
View File

@ -27,21 +27,20 @@
modules = [ modules = [
{ {
imports = users_mod ++ roles_mod ++ add_imports ++ [ imports = users_mod ++
roles_mod ++
add_imports ++ [
(mkSysRole "common") (mkSysRole "common")
(mkSysRole "acme") (mkSysRole "acme")
(mkUser { name = "root"; roles = [ ]; })
]; ];
home-manager = { home-manager = {
users.root.imports = [ (mkHomeRole "common") ];
extraSpecialArgs.unstablePkgs = unstablePkgs; extraSpecialArgs.unstablePkgs = unstablePkgs;
useGlobalPkgs = true; useGlobalPkgs = true;
}; };
system.stateVersion = "22.11"; system.stateVersion = "23.05";
environment.shells = [ pkgs.zsh ];
users.defaultUserShell = pkgs.zsh;
} }
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager

18
lib/user.nix
View File

@ -6,20 +6,26 @@
roles_mod = (map (r: mkHomeRole r) roles); roles_mod = (map (r: mkHomeRole r) roles);
in in
{ {
users.groups.plugdev = { };
fileSystems."/home/${name}/Downloads" = { fileSystems."/home/${name}/Downloads" = {
device = "tmpfs"; device = "tmpfs";
fsType = "tmpfs"; fsType = "tmpfs";
options = [ "size=3G" ]; options = [ "size=3G" ];
}; };
users.users.${name} = { users = {
isNormalUser = true; users.${name} = {
extraGroups = [ "wheel" "plugdev" ]; isNormalUser = name != "root";
extraGroups = [ "wheel" "plugdev" ];
shell = pkgs.zsh;
};
}; };
home-manager.users.${name}.imports = [ (mkHomeRole "common") ] ++ roles_mod; programs.zsh.enable = true;
home-manager.users.${name}.imports = [
(mkHomeRole "common")
(mkHomeRole "zsh")
] ++ roles_mod;
}; };
mkHMUser = { name, roles ? [ ] }: mkHMUser = { name, roles ? [ ] }:

6
roles/acme.nix
View File

@ -1,10 +1,10 @@
{ ... }: { options, lib, config, ... }:
{ {
security.acme = { config.security.acme = {
acceptTerms = true; acceptTerms = true;
defaults = { defaults = {
email = "sysadmin@giugl.io"; email = "letsencrypt@depasquale.giugl.io";
}; };
}; };
} }

6
roles/common.nix
View File

@ -1,7 +1,9 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
boot.tmpOnTmpfs = true; boot.tmp = {
useTmpfs = true;
};
console = { console = {
keyMap = "us"; keyMap = "us";
@ -41,7 +43,6 @@
glances glances
tcpdump tcpdump
restic restic
neovim
tmux tmux
parted parted
unzip unzip
@ -50,5 +51,6 @@
nmap nmap
ripgrep ripgrep
jq jq
helix
]; ];
} }

3
roles/home/common.nix
View File

@ -11,9 +11,10 @@
home-manager home-manager
ripgrep ripgrep
ydiff ydiff
nix-index
] ]
++ lib.optional (!stdenv.isDarwin) pastebinit; ++ lib.optional (!stdenv.isDarwin) pastebinit;
stateVersion = "22.11"; stateVersion = "23.05";
}; };
} }

1
roles/home/helix.nix
View File

@ -118,7 +118,6 @@
nodePackages.vscode-langservers-extracted nodePackages.vscode-langservers-extracted
nodePackages.typescript nodePackages.typescript
nodePackages.svelte-language-server nodePackages.svelte-language-server
swiProlog
nixpkgs-fmt nixpkgs-fmt
]; ];
}; };

2
roles/home/zsh.nix
View File

@ -14,6 +14,8 @@
initExtra = '' initExtra = ''
any-nix-shell zsh --info-right | source /dev/stdin any-nix-shell zsh --info-right | source /dev/stdin
source ${pkgs.nix-index}/etc/profile.d/command-not-found.sh
''; '';
}; };
} }