peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: peperunas:4dde4f68d8ea0eefc4605c22c22eef3879646c6e
Branches Tags
peperunas:master
peperunas:nixos-21.11
peperunas:laptopshit
...
compare: peperunas:7f2c129ea94d10536c54be39e757ba9cd92e62aa
Branches Tags
peperunas:master
peperunas:nixos-21.11
peperunas:laptopshit

32 Commits
4dde4f68d8 ... 7f2c129ea9

Author SHA1 Message Date
Giulio De Pasquale
7f2c129ea9 vhost: added host 2023-06-05 04:44:33 +02:00
Giulio De Pasquale
6389d1950a nextcloud: switched to mariadb. increased max upload size to 50GB 2023-06-05 04:43:42 +02:00
Giulio De Pasquale
842b3f0ac7 firewall: give docker more freedom 2023-06-05 04:43:07 +02:00
Giulio De Pasquale
2c387448ba gitea: vhost 2023-06-05 04:41:10 +02:00
Giulio De Pasquale
1df031965a photoprism: use vhost 2023-06-05 03:22:41 +02:00
Giulio De Pasquale
6d72359353 gitea: reenable gitea 2023-06-05 03:16:19 +02:00
Giulio De Pasquale
d1d0793e2c photoprism: use vhost 2023-06-05 03:15:23 +02:00
Giulio De Pasquale
d423200c59 bazarr: add lan to dnsinterface 2023-06-05 03:12:59 +02:00
Giulio De Pasquale
0698f9b8db nzbget: vhost 2023-06-05 03:12:34 +02:00
Giulio De Pasquale
edf4ba07ee nginx: switch to nginx as package 2023-06-05 03:12:09 +02:00
Giulio De Pasquale
f2e33628c0 jellyfin: vhost 2023-06-05 03:11:46 +02:00
Giulio De Pasquale
2f43745162 Move to vhost 2023-06-05 03:10:13 +02:00
Giulio De Pasquale
b378975769 sonarr: port to vhost 2023-06-05 03:02:26 +02:00
Giulio De Pasquale
65ba588d8e vhost: added attributes 2023-06-05 03:02:02 +02:00
Giulio De Pasquale
9aeacafbb2 docker: use docker as default backend for containers. disable iptables 2023-06-05 03:01:37 +02:00
Giulio De Pasquale
17d2e10345 bazarr: use vhost 2023-06-05 00:50:31 +02:00
Giulio De Pasquale
da1b08c44a radarr: use vhost 2023-06-05 00:46:39 +02:00
Giulio De Pasquale
acb47f5a73 dns: moved config to vhost 2023-06-05 00:30:07 +02:00
Giulio De Pasquale
78fc53024f options: added vhost attributes 2023-06-05 00:29:43 +02:00
Giulio De Pasquale
3bc816b665 gitea: move LFS setting into gitea.lfs 2023-06-03 01:46:08 +02:00
Giulio De Pasquale
708687d258 Update lock 2023-06-01 21:09:36 +02:00
Giulio De Pasquale
0747c0ebf4 openssl: Ignore 1.1.1u being vulnerable along with 1.1.1t 2023-06-01 21:09:30 +02:00
Giulio De Pasquale
6cb4fa08d2 Add nix-index and command-not-found 2023-06-01 21:09:04 +02:00
Giulio De Pasquale
2c906d715e architect: Disable gitea 2023-06-01 21:08:42 +02:00
Giulio De Pasquale
fef4b471f0 minio: Use legacy package 2023-06-01 21:08:28 +02:00
Giulio De Pasquale
f7609a7ee6 tanta roba 2023-05-28 22:45:49 +02:00
Giulio De Pasquale
9f819d1357 helix: remove swiProlog 2023-05-28 07:21:31 +02:00
Giulio De Pasquale
b479c748e0 flake: allow openssl1.1.1t 2023-05-28 07:21:04 +02:00
Giulio De Pasquale
ef96a959f6 acme: change default email 2023-05-28 07:14:48 +02:00
Giulio De Pasquale
229e92222e architect: switch to nextdns 2023-05-28 06:22:56 +02:00
Giulio De Pasquale
08c898ed46 Initial move to 23.05 2023-05-28 00:16:46 +02:00
Giulio De Pasquale
84df2e348d architect: removed network.nix 2023-05-15 19:51:50 +02:00
30 changed files with 449 additions and 457 deletions
Show Stats Expand all files Collapse all files

42
flake.lock generated
View File

@ -4,52 +4,51 @@
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
]
},
"locked": {
"lastModified": 1681092193,
"narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=",
"lastModified": 1685599623,
"narHash": "sha256-Tob4CMOVHue0D3RzguDBCtUmX5ji2PsdbQDbIOIKvsc=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af",
"rev": "93db05480c0c0f30382d3e80779e8386dcb4f9dd",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-22.11",
"ref": "release-23.05",
"repo": "home-manager",
"type": "github"
}
},
"nixos-unstable": {
"locked": {
"lastModified": 1684171979,
"narHash": "sha256-KfIpmlqCCtY/T8mWQOkucv4LrYAgIXho6QJOwl2md3g=",
"lastModified": 1685564631,
"narHash": "sha256-8ywr3AkblY4++3lIVxmrWZFzac7+f32ZEhH/A8pNscI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "10092e14180fdff037aea3a14ad3faeaf6950ac1",
"rev": "4f53efe34b3a8877ac923b9350c874e3dcd5dc0a",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "master",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1683928319,
"narHash": "sha256-maz0DRKixJVcNRMiAMWlJniiF8IuQ+WbfmlJJ8D+jfM=",
"lastModified": 1685645444,
"narHash": "sha256-FEuVrowBDU8D+Vt1oqN6j18g/vDvU13WVruTaMjzb8w=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9656e85a15a0fe67847ee8cdb99a20d8df499962",
"rev": "ce3e618cd3b9792d898b76126c36e6ac50b680e1",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-22.11",
"ref": "release-23.05",
"repo": "nixpkgs",
"type": "github"
}
@ -60,21 +59,6 @@
"nixos-unstable": "nixos-unstable",
"nixpkgs": "nixpkgs"
}
},
"utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",

11
flake.nix
View File

@ -1,9 +1,9 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11";
nixos-unstable.url = "github:NixOS/nixpkgs/master";
nixpkgs.url = "github:NixOS/nixpkgs/release-23.05";
nixos-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
home-manager = {
url = "github:nix-community/home-manager/release-22.11";
url = "github:nix-community/home-manager/release-23.05";
inputs.nixpkgs.follows = "nixpkgs";
};
};
@ -30,6 +30,11 @@
inherit system;
config.allowUnfree = true;
config.permittedInsecurePackages = [
"openssl-1.1.1t"
"openssl-1.1.1u"
];
};
wrapUtils = { pkgs, unstablePkgs, system }:

32
hosts/architect/bazarr.nix
View File

@ -2,35 +2,25 @@
let
domain = "htbaz.giugl.io";
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in
{
services = {
bazarr = {
services.bazarr = {
enable = true;
group = "media";
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
architect.vhost.${domain} = with config.architect.networks; {
dnsInterfaces = [ "wireguard" "tailscale" ];
locations."/" = {
proxyPass = "http://127.0.0.1:6767";
extraConfig = auth_block {
access_role = "bazarr";
};
};
};
};
allowLan = true;
port = 6767;
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
allow = [
wireguard.net
tailscale.net
];
};
};
users.groups.media.members = [ "bazarr" ];
}

16
hosts/architect/default.nix
View File

@ -30,7 +30,7 @@ in
./minecraft.nix
./prowlarr.nix
./libreddit.nix
# ./invidious.nix
./invidious.nix
# ./lidarr.nix
# ./navidrome.nix
./jellyfin.nix
@ -88,6 +88,8 @@ in
"memmap=32M$0x4ca6f9478"
];
kernelPackages = pkgs.linuxPackages;
kernel.sysctl = { "net.ipv4.ip_forward" = 1; };
loader = {
@ -100,7 +102,7 @@ in
supportedFilesystems = [ "zfs" ];
zfs.requestEncryptionCredentials = true;
tmpOnTmpfsSize = "50%";
tmp.tmpfsSize = "50%";
};
networking = with config.architect.networks.lan; {
@ -151,8 +153,12 @@ in
xserver.videoDrivers = [ "nvidia" ];
openssh = {
enable = true;
passwordAuthentication = false;
kbdInteractiveAuthentication = false;
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
extraConfig = ''
MaxAuthTries 15
'';
@ -162,7 +168,7 @@ in
environment = {
variables = { LIBVA_DRIVER_NAME = "vdpau"; };
systemPackages = with pkgs; [ cachix ];
systemPackages = with pkgs; [ cachix linuxPackages.usbip ];
};
}

72
hosts/architect/dns.nix
View File

@ -1,53 +1,53 @@
{ config, pkgs, lib, ... }:
let
adguard_webui_port = 3031;
adguard_dns_port = "5300";
dnscrypt_listen_port = "5353";
domain = "adguard.architect.devs.giugl.io";
in
{
architect.firewall.openUDPVPN = [ 53 ];
architect = {
firewall.openUDPVPN = [ 53 ];
vhost.${domain} = {
dnsInterfaces = [ "lan" "tailscale" "wireguard" ];
locations."/" = with config; {
port = services.adguardhome.settings.bind_port;
allow = with architect.networks; [ lan.net tailscale.net ];
deny = [
architect.networks."lan".devices.router.address
];
};
};
};
services = {
dnsmasq = {
enable = true;
# adguard port
servers = [ "127.0.0.1#${adguard_dns_port}" ];
extraConfig = ''
localise-queries
min-cache-ttl=120
max-cache-ttl=2400
domain=runas.rocks
domain=giugl.io
domain=devs.runas.rocks
domain=devs.giugl.io
'';
settings = {
server = [ "127.0.0.1#${toString config.services.adguardhome.settings.dns.port}" ];
localise-queries = true;
min-cache-ttl = 120;
max-cache-ttl = 2400;
domain = [
"runas.rocks"
"giugl.io"
"devs.runas.rocks"
"devs.giugl.io"
];
};
};
adguardhome = {
enable = true;
port = adguard_webui_port;
};
dnscrypt-proxy2 = {
enable = true;
settings = {
listen_addresses = [ "127.0.0.1:${dnscrypt_listen_port}" ];
ipv4_servers = true;
ipv6_servers = false;
block_ipv6 = true;
dnscrypt_servers = true;
doh_servers = true;
require_nolog = true;
require_nofilter = true;
timeout = 350;
lb_strategy = "p4";
lb_estimator = true;
ignore_system_dns = true;
fallback_resolvers = [ "1.1.1.1:53" "9.9.9.9:53" ];
cache_min_ttl = 450;
cache_max_ttl = 2400;
bind_port = 5353;
dns = {
port = 5300;
};
upstream_dns = [
"tls://architect.d65174.dns.nextdns.io"
"https://dns.nextdns.io/d65174/architect"
];
};
};
};

8
hosts/architect/docker.nix
View File

@ -6,12 +6,18 @@
net = "172.17.0.0/16";
};
virtualisation.docker = {
virtualisation = {
oci-containers.backend = "docker";
docker = {
enable = true;
extraOptions = ''
--dns 127.0.0.1 --dns ${config.architect.networks.lan.devices.architect.address} --data-root /docker
'';
enableOnBoot = false;
daemon.settings.iptables = false;
};
};
users.users.giulio.extraGroups = [ "docker" ];
}

5
hosts/architect/firewall.nix
View File

@ -54,6 +54,9 @@ in
}
table ip nat {
chain DOCKER {
type nat hook prerouting priority dstnat; policy accept;
}
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
}
@ -142,6 +145,7 @@ in
ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
ip saddr ${lan.net} accept comment "lan > local"
iifname ${docker.interface} accept
ip saddr ${tailscale.net} accept comment "tailscale > local"
ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
@ -151,7 +155,6 @@ in
iifname ${wireguard.interface} udp dport {${openUDPVPN}} accept
iifname ${wireguard.interface} icmp type echo-request accept
iifname ${docker.interface} udp dport 53 accept
jump filter_drop
}

35
hosts/architect/gitea.nix
View File

@ -2,41 +2,30 @@
let
domain = "git.giugl.io";
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in
{
architect.firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ];
architect = {
firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ];
vhost.${domain} = {
dnsInterfaces = [ "lan" "tailscale" "wireguard" ];
locations."/".port = config.services.gitea.settings.server.HTTP_PORT;
};
};
services.gitea = {
enable = true;
database.type = "sqlite3";
domain = domain;
appName = "Gitea";
rootUrl = "https://${domain}";
# https://github.com/NixOS/nixpkgs/issues/235442#issuecomment-1574329453
lfs.enable = true;
settings = {
server = {
LFS_START_SERVER = true;
DOMAIN = domain;
ROOT_URL = "https://${domain}";
SSH_PORT = 22;
HTTP_PORT = 3001;
};
openid.enable_openid_signin = true;
};
};
services.nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
# it does not work, it breaks gitea's web portal
# extraConfig = auth_block { access_role = "git"; };
};
};
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
}

7
hosts/architect/headscale.nix
View File

@ -8,17 +8,16 @@ in
openUDP = [ config.services.tailscale.port ];
};
environment.systemPackages = [ pkgs.unstablePkgs.headscale ];
services = {
headscale = {
enable = true;
package = pkgs.unstablePkgs.headscale;
port = 1194;
address = "0.0.0.0";
serverUrl = "https://${domain}";
logLevel = "debug";
settings = {
server_url = "https://${domain}";
log.level = "debug";
dns_config = {
magic_dns = true;
base_domain = "giugl.io";

15
hosts/architect/invidious.nix
View File

@ -1,27 +1,28 @@
{ lib, pkgs, ... }:
{ config, lib, pkgs, ... }:
let
domain = "tube.giugl.io";
network = import ./network.nix;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in
{
services = {
invidious = {
enable = true;
port = 9092;
package = pkgs.unstablePkgs.invidious;
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://127.0.0.1:9092"; };
locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.invidious.port}"; };
};
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
}

63
hosts/architect/jellyfin.nix
View File

@ -3,53 +3,42 @@
let
domain = "media.giugl.io";
port = 8096;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
allowLan = true;
in
{
# needed since StateDirectory does not accept symlinks
systemd.services.jellyfin.serviceConfig.StateDirectory = lib.mkForce "";
services = {
jellyfin = {
architect.vhost.${domain} = with config.architect.networks; {
dnsInterfaces = [ "lan" "wireguard" "tailscale" ];
locations = {
"/" = {
inherit port allowLan;
allow = [
wireguard.net
tailscale.net
];
};
"/socket" = {
inherit port allowLan;
proxyWebsockets = true;
allow = [
wireguard.net
tailscale.net
];
};
};
};
services.jellyfin = {
enable = true;
group = "media";
package = pkgs.unstablePkgs.jellyfin;
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
extraConfig = ''
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
allow ${config.architect.networks.lan.net};
allow ${config.architect.networks.tailscale.net};
deny all;
'';
locations."/" = {
proxyPass = "http://127.0.0.1:${toString port}";
};
locations."/socket" = {
proxyPass = "http://127.0.0.1:${toString port}";
proxyWebsockets = true;
};
};
};
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
users.groups = {
media.members = [ "jellyfin" ];
video.members = [ "jellyfin" ];

7
hosts/architect/minio.nix
View File

@ -1,4 +1,4 @@
{ config, lib, ... }:
{ config, lib, pkgs, ... }:
let
domain = "s3.giugl.io";
@ -8,7 +8,10 @@ let
in
{
services = {
minio.enable = true;
minio = {
enable = true;
package = pkgs.minio_legacy_fs;
};
nginx.virtualHosts.${domain} = {
forceSSL = true;

66
hosts/architect/network.nix
View File

@ -1,66 +0,0 @@
rec {
# interfaces
wan-if = "enp5s0";
vpn-if = "wg0";
proxy-if = "proxy";
docker-if = "docker0";
tailscale-if = "ts0";
# nets
lan-net = "10.0.0.0/24";
vpn-net = "10.3.0.0/24";
external_lan-net = "192.168.1.0/24";
docker-net = "172.17.0.0/16";
# tailscale-net = "100.64.0.0/10";
tailscale-net = "10.4.0.0/24";
# ips
router-lan = "10.0.0.1";
dvr-lan = "10.0.0.2";
nas-lan = "10.0.0.3";
architect-lan = "10.0.0.250";
architect-wg = "10.3.0.1";
manduria-wg = "10.3.0.5";
antonio-wg = "10.3.0.6";
gbeast-wg = "10.3.0.7";
shield-wg = "10.3.0.12";
salvatore-wg = "10.3.0.16";
papa-wg = "10.3.0.17";
defy-wg = "10.3.0.18";
germano-wg = "10.3.0.19";
flavio-wg = "10.3.0.20";
tommy-wg = "10.3.0.21";
alain-wg = "10.3.0.22";
dima-wg = "10.3.0.23";
mikey-wg = "10.3.0.24";
andrew-wg = "10.3.0.25";
mikeylaptop-wg = "10.3.0.26";
andrewdesktop-wg = "10.3.0.27";
jacopo-wg = "10.3.0.28";
frznn-wg = "10.3.0.29";
ludo-wg = "10.3.0.30";
parina-wg = "10.3.0.31";
nilo-wg = "10.3.0.32";
parina-ipad-wg = "10.3.0.33";
kclvm-wg = "10.3.0.34";
framecca-wg = "10.3.0.35";
framecca_one-wg = "10.3.0.36";
framecca_two-wg = "10.3.0.37";
framecca_three-wg = "10.3.0.38";
framecca_four-wg = "10.3.0.39";
giuliophone-ts = "100.68.68.46";
# architect-ts = "100.67.205.28";
architect-ts = "10.4.0.2";
giuliopc-ts = "100.124.78.64";
dodino-ts = "100.106.244.35";
framecca-devices = [ framecca-wg framecca_one-wg framecca_three-wg framecca_four-wg ];
c2c-wg = framecca-devices;
# groups
gdevices = [ giuliophone-ts architect-ts giuliopc-ts dodino-ts ];
towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg ] ++ framecca-devices;
}

12
hosts/architect/nextcloud.nix
View File

@ -16,7 +16,7 @@ in
mysql = {
enable = true;
package = pkgs.unstablePkgs.mysql80;
package = pkgs.mariadb;
};
redis = {
@ -33,6 +33,7 @@ in
https = true;
package = pkgs.unstablePkgs.nextcloud26;
datadir = "/services/nextcloud";
configureRedis = true;
caching = {
redis = true;
};
@ -40,15 +41,16 @@ in
autoUpdateApps.enable = true;
autoUpdateApps.startAt = "05:00:00";
maxUploadSize = "50G";
config = {
overwriteProtocol = "https";
dbtype = "mysql";
dbuser = "oc_giulio2";
dbuser = "nextcloud";
dbhost = "localhost";
dbname = "nextcloud_final";
dbname = "nextcloud";
dbpassFile = "/secrets/nextcloud/dbpass.txt";
adminpassFile = "/secrets/nextcloud/adminpass.txt";
adminuser = "giulio";
adminpassFile = "/secrets/nextcloud/dbpass.txt";
extraTrustedDomains = [ "${domain}" ];
};
};

92
hosts/architect/nginx.nix
View File

@ -8,7 +8,7 @@
services.nginx = {
enable = true;
package = pkgs.openresty;
package = pkgs.nginx;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
@ -32,59 +32,59 @@
};
};
appendHttpConfig =
let
extraPureLuaPackages = with pkgs.luajitPackages; [
lua-resty-openidc
lua-resty-http
lua-resty-session
lua-resty-jwt
lua-resty-openssl
];
luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
makeLuaPath = lib.concatMapStringsSep ";" luaPath;
in
''
# https://stackoverflow.com/questions/38931468/nginx-reverse-proxy-error14077438ssl-ssl-do-handshake-failed
proxy_ssl_server_name on;
# appendHttpConfig =
# let
# extraPureLuaPackages = with pkgs.luajitPackages; [
# lua-resty-openidc
# lua-resty-http
# lua-resty-session
# lua-resty-jwt
# lua-resty-openssl
# ];
# luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
# makeLuaPath = lib.concatMapStringsSep ";" luaPath;
# in
# ''
# # https://stackoverflow.com/questions/38931468/nginx-reverse-proxy-error14077438ssl-ssl-do-handshake-failed
# proxy_ssl_server_name on;
lua_package_path '${makeLuaPath extraPureLuaPackages};;';
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 5;
# lua_package_path '${makeLuaPath extraPureLuaPackages};;';
# lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
# lua_ssl_verify_depth 5;
# cache for OIDC discovery metadata
lua_shared_dict discovery 1m;
lua_shared_dict jwks 1m;
# # cache for OIDC discovery metadata
# lua_shared_dict discovery 1m;
# lua_shared_dict jwks 1m;
# https://github.com/openresty/lua-resty-redis/issues/159
resolver local=on ipv6=off;
# # https://github.com/openresty/lua-resty-redis/issues/159
# resolver local=on ipv6=off;
init_worker_by_lua_block {
function check_role (res, role)
if res.user.roles == nil then
return false
end
# init_worker_by_lua_block {
# function check_role (res, role)
# if res.user.roles == nil then
# return false
# end
for _,v in pairs(res.user.roles) do
if string.lower(v) == role then
return true
end
end
# for _,v in pairs(res.user.roles) do
# if string.lower(v) == role then
# return true
# end
# end
return false
end
# return false
# end
function is_ip_whitelisted(ip, whitelist)
for _, x in ipairs(whitelist) do
if ip == x then
return true
end
end
# function is_ip_whitelisted(ip, whitelist)
# for _, x in ipairs(whitelist) do
# if ip == x then
# return true
# end
# end
return false
end
}
'';
# return false
# end
# }
# '';
appendConfig = ''
worker_processes 24;

30
hosts/architect/nzbget.nix
View File

@ -2,35 +2,21 @@
let
domain = "htnzb.giugl.io";
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in
{
services = {
nzbget = {
services.nzbget = {
enable = true;
group = "media";
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:6789";
extraConfig = auth_block {
access_role = "nzbget";
};
};
};
};
architect.vhost.${domain} = {
dnsInterfaces = [ "tailscale" "wireguard" "lan" ];
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
locations."/" = {
port = 6789;
allowLan = true;
};
};
users.groups.media.members = [ "nzbget" ];
}

82
hosts/architect/openid.nix
View File

@ -3,46 +3,48 @@
{
openresty_oidc_block =
{ access_role ? "", whitelisted_ips ? [ ] }: ''
access_by_lua_block {
local opts = {
discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
client_id = "nginx",
client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8",
logout_path = "/logout",
redirect_after_logout_uri = "/",
redirect_uri = "/redirect_uri",
keepalive = "yes",
accept_none_alg = true,
revoke_tokens_on_logout = true,
-- access token valid for a day
access_token_expires_in = 86400
}
${lib.optionalString (whitelisted_ips != []) ''
local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}
if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
return
end
''}
-- call introspect for OAuth 2.0 Bearer Access Token validation
local res, err = require("resty.openidc").authenticate(opts)
if err then
ngx.status = 403
ngx.say(err)
ngx.exit(ngx.HTTP_FORBIDDEN)
end
${lib.optionalString (access_role != "") ''
if not check_role(res, "${access_role}") then
ngx.status = 401
ngx.header.content_type = 'text/html';
ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
''}
}
'';
# access_by_lua_block {
# local opts = {
# discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
# client_id = "nginx",
# client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8",
# logout_path = "/logout",
# redirect_after_logout_uri = "/",
# redirect_uri = "/redirect_uri",
# keepalive = "yes",
# accept_none_alg = true,
# revoke_tokens_on_logout = true,
# -- access token valid for a day
# access_token_expires_in = 86400
# }
# ${lib.optionalString (whitelisted_ips != []) ''
# local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}
# if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
# return
# end
# ''}
# -- call introspect for OAuth 2.0 Bearer Access Token validation
# local res, err = require("resty.openidc").authenticate(opts)
# if err then
# ngx.status = 403
# ngx.say(err)
# ngx.exit(ngx.HTTP_FORBIDDEN)
# end
# ${lib.optionalString (access_role != "") ''
# if not check_role(res, "${access_role}") then
# ngx.status = 401
# ngx.header.content_type = 'text/html';
# ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
# ngx.exit(ngx.HTTP_UNAUTHORIZED)
# end
# ''}
# }
# '';
}

94
hosts/architect/options.nix
View File

@ -2,6 +2,10 @@
with lib;
let
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in
{
options.architect = {
firewall = {
@ -58,5 +62,95 @@ with lib;
default = { };
description = "An attribute set of networks with their configurations.";
};
vhost = mkOption {
type = types.attrsOf (types.submodule {
options = {
dnsInterfaces = mkOption {
type = types.listOf types.str;
default = [ ];
description = "List of interfaces to add extra DNS hosts for this vhost.";
};
locations = mkOption {
type = types.attrsOf (types.submodule {
options = {
extraConfig = mkOption {
type = types.str;
description = "Extra configuration for the location.";
default = "";
};
allowLan = mkOption {
type = types.bool;
default = false;
};
proxyWebsockets = mkOption {
type = types.bool;
default = false;
};
host = mkOption {
type = types.str;
description = "The host for the location.";
default = "127.0.0.1";
};
port = mkOption {
type = types.int;
description = "The port number for the location.";
};
allow = mkOption {
type = types.listOf types.str;
default = [ ];
description = "IP address or CIDR block to allow.";
};
deny = mkOption {
type = types.listOf types.str;
default = [ ];
description = "IP address or CIDR block to deny.";
};
};
});
default = { };
description = "An attribute set of location configurations.";
};
};
});
default = { };
description = "An attribute set of domain configurations.";
};
};
config = {
services.nginx.virtualHosts = mapAttrs
(domain: conf: {
forceSSL = true;
enableACME = true;
locations = mapAttrs
(path: location: {
proxyPass = "http://${location.host}:${toString location.port}";
proxyWebsockets = location.proxyWebsockets;
extraConfig = ''
${optionalString location.allowLan "deny 10.0.0.1;"}
${concatMapStringsSep "\n" (denyCIDR: "deny ${denyCIDR};") location.deny}
${concatMapStringsSep "\n" (allowCIDR: "allow ${allowCIDR};") location.allow}
${optionalString location.allowLan ''allow ${config.architect.networks."lan".net};''}
'' + location.extraConfig;
})
conf.locations;
})
config.architect.vhost;
networking.extraHosts = concatStringsSep "\n" (
mapAttrsToList
(domain: conf: concatMapStringsSep "\n"
(iface: "${architectInterfaceAddress iface} ${domain}")
conf.dnsInterfaces)
config.architect.vhost
);
};
}

37
hosts/architect/photoprism.nix Normal file
View File

@ -0,0 +1,37 @@
{ config, pkgs, lib, ... }:
let
domain = "photos.giugl.io";
in
{
services.photoprism = {
enable = true;
package = pkgs.photoprism;
originalsPath = "/var/lib/private/photoprism/originals";
address = "0.0.0.0";
settings = {
PHOTOPRISM_DEFAULT_LOCALE = "en";
PHOTOPRISM_DATABASE_DRIVER = "mysql";
PHOTOPRISM_DATABASE_NAME = "photoprism";
PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock";
PHOTOPRISM_DATABASE_USER = "photoprism";
PHOTOPRISM_SITE_URL = "https://${domain}";
PHOTOPRISM_SITE_TITLE = "PePrism";
PHOTOPRISM_FFMPEG_ENCODER = "nvidia";
PHOTOPRISM_INIT = "tensorflow";
NVIDIA_VISIBLE_DEVICES = "all";
NVIDIA_DRIVER_CAPABILITIES = "compute,video,utility";
PHOTOPRISM_FFMPEG_BIN = "${pkgs.ffmpeg}/bin/ffmpeg";
};
};
architect.vhost.${domain} = {
dnsInterfaces = [ "tailscale" "lan" ];
locations."/" = {
port = config.services.photoprism.port;
allowLan = true;
allow = [ config.architect.networks."tailscale".net ];
proxyWebsockets = true;
};
};
}

35
hosts/architect/prowlarr.nix
View File

@ -2,41 +2,18 @@
let
domain = "htpro.giugl.io";
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in
{
services = {
prowlarr.enable = true;
services.prowlarr.enable = true;
architect.vhost.${domain} = {
dnsInterfaces = [ "tailscale" "wireguard" ];
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:9696";
extraConfig = ''
allow ${config.architect.networks.lan.net};
allow ${config.architect.networks.tailscale.net};
deny all;
'';
};
# locations."/api" = {
# proxyPass = "http://127.0.0.1:9696/prowlarr/api";
# };
#
# locations."/Content" = {
# proxyPass = "http://127.0.0.1:9696/prowlarr/Content";
# };
port = 9696;
allowLan = true;
};
};
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
users.groups.media.members = [ "prowlarr" ];
}

33
hosts/architect/radarr.nix
View File

@ -2,36 +2,25 @@
let
domain = "htrad.giugl.io";
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in
{
services = {
radarr = {
services.radarr = {
enable = true;
group = "media";
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
architect.vhost.${domain} = with config.architect.networks; {
dnsInterfaces = [ "wireguard" "tailscale" ];
locations."/" = {
proxyPass = "http://127.0.0.1:7878";
extraConfig = auth_block {
access_role = "radarr";
};
};
};
};
port = 7878;
allowLan = true;
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
allow = [
wireguard.net
tailscale.net
];
};
};
users.groups.media.members = [ "radarr" ];
}

30
hosts/architect/sonarr.nix
View File

@ -2,35 +2,21 @@
let
domain = "htson.giugl.io";
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in
{
services = {
sonarr = {
services.sonarr = {
enable = true;
group = "media";
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8989";
extraConfig = auth_block {
access_role = "sonarr";
};
};
};
};
architect.vhost.${domain} = {
dnsInterfaces = [ "tailscale" "wireguard" ];
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
locations."/" = {
port = 6969;
allowLan = true;
};
};
users.groups.media.members = [ "sonarr" ];
}

1
hosts/architect/tailscale.nix
View File

@ -21,6 +21,7 @@ in
tommy = { address = "100.64.0.7"; hostname = "tommy.${domain}"; };
ucsb-workstation = { address = "100.64.0.8"; hostname = "ucsb-workstation.${domain}"; };
alfredo = { address = "100.64.0.9"; hostname = "alfredo.${domain}"; };
parallels = { address = "100.64.0.3"; hostname = "parallels.${domain}"; };
};
};
};

11
lib/host.nix
View File

@ -27,21 +27,20 @@
modules = [
{
imports = users_mod ++ roles_mod ++ add_imports ++ [
imports = users_mod ++
roles_mod ++
add_imports ++ [
(mkSysRole "common")
(mkSysRole "acme")
(mkUser { name = "root"; roles = [ ]; })
];
home-manager = {
users.root.imports = [ (mkHomeRole "common") ];
extraSpecialArgs.unstablePkgs = unstablePkgs;
useGlobalPkgs = true;
};
system.stateVersion = "22.11";
environment.shells = [ pkgs.zsh ];
users.defaultUserShell = pkgs.zsh;
system.stateVersion = "23.05";
}
home-manager.nixosModules.home-manager

16
lib/user.nix
View File

@ -6,20 +6,26 @@
roles_mod = (map (r: mkHomeRole r) roles);
in
{
users.groups.plugdev = { };
fileSystems."/home/${name}/Downloads" = {
device = "tmpfs";
fsType = "tmpfs";
options = [ "size=3G" ];
};
users.users.${name} = {
isNormalUser = true;
users = {
users.${name} = {
isNormalUser = name != "root";
extraGroups = [ "wheel" "plugdev" ];
shell = pkgs.zsh;
};
};
home-manager.users.${name}.imports = [ (mkHomeRole "common") ] ++ roles_mod;
programs.zsh.enable = true;
home-manager.users.${name}.imports = [
(mkHomeRole "common")
(mkHomeRole "zsh")
] ++ roles_mod;
};
mkHMUser = { name, roles ? [ ] }:

6
roles/acme.nix
View File

@ -1,10 +1,10 @@
{ ... }:
{ options, lib, config, ... }:
{
security.acme = {
config.security.acme = {
acceptTerms = true;
defaults = {
email = "sysadmin@giugl.io";
email = "letsencrypt@depasquale.giugl.io";
};
};
}

6
roles/common.nix
View File

@ -1,7 +1,9 @@
{ config, pkgs, lib, ... }:
{
boot.tmpOnTmpfs = true;
boot.tmp = {
useTmpfs = true;
};
console = {
keyMap = "us";
@ -41,7 +43,6 @@
glances
tcpdump
restic
neovim
tmux
parted
unzip
@ -50,5 +51,6 @@
nmap
ripgrep
jq
helix
];
}

3
roles/home/common.nix
View File

@ -11,9 +11,10 @@
home-manager
ripgrep
ydiff
nix-index
]
++ lib.optional (!stdenv.isDarwin) pastebinit;
stateVersion = "22.11";
stateVersion = "23.05";
};
}

1
roles/home/helix.nix
View File

@ -118,7 +118,6 @@
nodePackages.vscode-langservers-extracted
nodePackages.typescript
nodePackages.svelte-language-server
swiProlog
nixpkgs-fmt
];
};

2
roles/home/zsh.nix
View File

@ -14,6 +14,8 @@
initExtra = ''
any-nix-shell zsh --info-right | source /dev/stdin
source ${pkgs.nix-index}/etc/profile.d/command-not-found.sh
'';
};
}