6 changed files with 16 additions and 18 deletions
--- a/flake.lock
+++ b/flake.lock
@ -24,11 +24,11 @@
    },
    "nixos-unstable": {
      "locked": {
-        "lastModified": 1671717682,
-        "narHash": "sha256-LZ699rotWAmhhFh3Wd6Vi7e8U6mFrmGpr4EV3P/DNVQ=",
+        "lastModified": 1670595967,
+        "narHash": "sha256-aVy09HbuOBmwjU62lMaRzSKem82Q7/dqVkyaXAqWSJE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "b467047119513b2e1c4e2253d9699a8bdc3ff9f3",
+        "rev": "bf76dcab50dcc2f3e663637839ff1e551f537173",
        "type": "github"
      },
      "original": {
@ -40,11 +40,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1671525405,
-        "narHash": "sha256-MEgNxm/oRt5w4ycMENewfZQKOak0ixmjVPfXM96N1FA=",
+        "lastModified": 1670543317,
+        "narHash": "sha256-4mMR56rtxKr+Gwz399jFr4i76SQZxsLWxxyfQlPXRm0=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "cbe419ed4c8f98bd82d169c321d339ea30904f1f",
+        "rev": "7a6a010c3a1d00f8470a5ca888f2f927f1860a19",
        "type": "github"
      },
      "original": {
--- a/hosts/architect/default.nix
+++ b/hosts/architect/default.nix
@ -29,7 +29,7 @@ in {
    ./invidious.nix
    ./nitter.nix
    ./lidarr.nix
-#    ./navidrome.nix
+    ./navidrome.nix
    ./jellyfin.nix
    ./prosody.nix
    ./deluge.nix
--- a/hosts/architect/gitea.nix
+++ b/hosts/architect/gitea.nix
@ -3,7 +3,6 @@
 let
  domain = "git.giugl.io";
  network = import ./network.nix;
-  auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
 in
 {
  services.gitea = {
@ -26,8 +25,13 @@ in
    enableACME = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:3000";
-    # it does not work, it breaks gitea's web portal
-    #  extraConfig = auth_block { access_role = "git"; };
+      extraConfig = ''
+        allow 127.0.0.1;
+        allow 10.0.0.0/24;
+        ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
+        allow 10.4.0.0/24;
+        deny all;
+      '';
    };
  };

--- a/hosts/architect/jellyfin.nix
+++ b/hosts/architect/jellyfin.nix
@ -19,7 +19,7 @@ in
    nginx.virtualHosts.${domain} = {
      forceSSL = true;
      enableACME = true;
-      extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices-wg; } +
+      extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = [ network.giuliopc-wg ]; } +
        ''
          # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
          #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
--- a/hosts/architect/network.nix
+++ b/hosts/architect/network.nix
@ -50,7 +50,6 @@ rec {
  nilo-wg = "10.3.0.32";
  parina-ipad-wg = "10.3.0.33";
  kclvm-wg = "10.3.0.34";
-  framecca-wg = "10.3.0.35";
  eleonora-wg = "10.3.0.100";
  angellane-wg = "10.3.0.203";
  hotpottino-wg = "10.3.0.201";
@ -61,7 +60,7 @@ rec {
    [ giuliopc-wg giuliophone-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg;
  routers-wg = [ hotpottino-wg angellane-wg dodino-wg ];
  c2c-wg = [ ] ++ gdevices-wg;
-  towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg parina-ipad-wg germano-wg framecca-wg ]
+  towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg parina-ipad-wg ]
    ++ gdevices-wg ++ routers-wg;
  gamenet-wg = [
    andrew-wg
--- a/hosts/architect/wireguard.nix
+++ b/hosts/architect/wireguard.nix
@ -34,7 +34,6 @@ with import ./network.nix; {
      ${nilo-wg}            nilo.devs.giugl.io
      ${kclvm-wg}           kclvm.devs.giugl.io
      ${giuliodeck-wg}      giuliodeck.devs.giugl.io
-      ${framecca-wg}        framecca.devs.giugl.io
    '';

    wireguard = {
@ -263,10 +262,6 @@ with import ./network.nix; {
            allowedIPs = [ giuliodeck-wg ];
            publicKey = "7TGYsYvElTLY3V7qJfggkF+kFG7Y5sUsHA88h0cYJx0=";
          }
-          {
-            allowedIPs = [ framecca-wg ];
-            publicKey = "w0XPu5GcDA2vpNk3KCFRdWNVVQHRtAPApEsK1h3Ovyk=";
-          }
        ];
      };
    };