

No commits in common. "608fd46eb4986b977d7873517b1a88bc4e31e62a" and "0d3b2888fe111f46ab68474977503b9b564900d5" have entirely different histories.

37 changed files with 224 additions and 306 deletions


@ -32,12 +32,7 @@
}; };
wrapUtils = { pkgs, unstable, system }: wrapUtils = { pkgs, unstable, system }:
pkgs.lib.makeScope pkgs.newScope (self: { import ./lib { inherit nixpkgs nixos-unstable home-manager system pkgs unstable; };
inherit nixpkgs home-manager nixos-unstable;
user = self.callPackage ./lib/user.nix { };
host = self.callPackage ./lib/host.nix { };
});
pkgsLinuxX64 = wrapPkgsSystem { system = sysLinuxX64; }; pkgsLinuxX64 = wrapPkgsSystem { system = sysLinuxX64; };
unstableLinuxX64 = wrapUnstablePkgsSystem { system = sysLinuxX64; }; unstableLinuxX64 = wrapUnstablePkgsSystem { system = sysLinuxX64; };


@ -6,10 +6,8 @@ let
]; ];
hostname = "architect"; hostname = "architect";
network = import ./network.nix; network = import ./network.nix;
in in {
{ imports = [ # Include the results of the hardware scan.
imports = [
# Include the results of the hardware scan.
./backup.nix ./backup.nix
./hardware.nix ./hardware.nix
./firewall.nix ./firewall.nix
@ -41,7 +39,6 @@ in
./lezzo.nix ./lezzo.nix
./runas.nix ./runas.nix
./tailscale.nix ./tailscale.nix
./searx.nix
]; ];
time.timeZone = "Europe/Rome"; time.timeZone = "Europe/Rome";


@ -4,8 +4,7 @@ let
domain = "htdel.giugl.io"; domain = "htdel.giugl.io";
network = import ./network.nix; network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in in {
{
services = { services = {
deluge = { deluge = {
enable = true; enable = true;


@ -49,8 +49,7 @@ let
wireguard_udp wireguard_udp
]; ];
in in {
{
networking = { networking = {
# needed to use nftables # needed to use nftables
firewall.enable = false; firewall.enable = false;
@ -159,7 +158,7 @@ in
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
ip saddr ${lan-net} accept comment "lan > local" ip saddr ${lan-net} accept comment "lan > local"
ip saddr ${tailscale-net} accept comment "tailscale > local" ip saddr ${tailscale-net} accept comment "tailscale > local"
ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local" ip saddr {${lib.concatStringsSep "," gdevices-wg}} accept comment "vpn > local"
iifname ${wan-if} tcp dport {${open_tcp_ports}} accept iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
iifname ${wan-if} udp dport {${open_udp_ports}} accept iifname ${wan-if} udp dport {${open_udp_ports}} accept
@ -174,9 +173,14 @@ in
type filter hook forward priority filter; policy drop; type filter hook forward priority filter; policy drop;
ct state established,related accept ct state established,related accept
# client to client
ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${
lib.concatStringsSep "," c2c-wg
}} accept
# gdevices talking to everyone in VPN # gdevices talking to everyone in VPN
ip saddr {${ ip saddr {${
lib.concatStringsSep "," gdevices lib.concatStringsSep "," gdevices-wg
}} ip daddr ${vpn-net} accept }} ip daddr ${vpn-net} accept
ip saddr {${ ip saddr {${
lib.concatStringsSep "," gamenet-wg lib.concatStringsSep "," gamenet-wg
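Review bot: The "vpn > local" input rule at line 69 and the forward rules in this hunk now key on `gdevices-wg`, which network.nix defines as five WireGuard peers `++ routers-wg`, so peers that were not in the old Tailscale-addressed `gdevices` group (gbeast, peppiniell, kclvm and the three routers) inherit the same trust as the personal devices; if the router peers relay traffic from their own LANs, that trust presumably extends to whatever sits behind them, which is worth confirming against each peer's AllowedIPs. The same widening reaches the nginx `allow` lists in the Home Assistant, Minio, Prowlarr and Transmission sections and the OIDC `whitelisted_ips` bypass in the Jellyfin section. The new client-to-client rule is built from `c2c-wg`, which network.nix currently sets to exactly `gdevices-wg`, so it appears to be subsumed by the `gdevices-wg` → `${vpn-net}` rule right below it if those peers live inside vpn-net; a comment such as `# c2c-wg == gdevices-wg today; keeps peers that may reach each other but not the whole VPN` would record the intent. The nftables ruleset string this hunk edits starts and ends outside the hunk.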


@ -5,8 +5,7 @@ let
network = import ./network.nix; network = import ./network.nix;
host = "127.0.0.1"; host = "127.0.0.1";
port = 8123; port = 8123;
in in {
{
services = { services = {
mosquitto = { mosquitto = {
enable = true; enable = true;
@ -53,7 +52,7 @@ in
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
allow 10.0.0.0/24; allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices} ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all; deny all;
''; '';
}; };


@ -19,7 +19,7 @@ in
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices; } + extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices-wg; } +
'' ''
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";


@ -3,8 +3,7 @@
let let
network = import ./network.nix; network = import ./network.nix;
domain = "auth.giugl.io"; domain = "auth.giugl.io";
in in {
{
services = { services = {
keycloak = { keycloak = {
enable = true; enable = true;


@ -4,8 +4,7 @@ let
domain = "htlid.giugl.io"; domain = "htlid.giugl.io";
network = import ./network.nix; network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in in {
{
services = { services = {
lidarr = { lidarr = {
enable = true; enable = true;


@ -3,8 +3,7 @@
let let
domain = "s3.giugl.io"; domain = "s3.giugl.io";
network = import ./network.nix; network = import ./network.nix;
in in {
{
services = { services = {
minio.enable = true; minio.enable = true;
@ -16,7 +15,7 @@ in
extraConfig = '' extraConfig = ''
client_max_body_size 500M; client_max_body_size 500M;
allow 10.0.0.0/24; allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices } ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg }
allow ${network.manduria-wg}; allow ${network.manduria-wg};
deny all; deny all;
''; '';


@ -6,8 +6,7 @@ let
library_path = "/media/Music"; library_path = "/media/Music";
beets_config = "/media/beets.conf"; beets_config = "/media/beets.conf";
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in in {
{
services = { services = {
navidrome = { navidrome = {
enable = true; enable = true;


@ -62,8 +62,12 @@ rec {
dodino-ts = "100.106.244.35"; dodino-ts = "100.106.244.35";
# groups # groups
gdevices = [ giuliophone-ts architect-ts giuliopc-ts dodino-ts ]; gdevices-wg =
towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg framecca-wg ]; [ giuliopc-wg giuliophone-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg;
routers-wg = [ hotpottino-wg angellane-wg dodino-wg ];
c2c-wg = [ ] ++ gdevices-wg;
towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg framecca-wg ]
++ gdevices-wg ++ routers-wg;
gamenet-wg = [ gamenet-wg = [
andrew-wg andrew-wg
giuliopc-wg giuliopc-wg
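Review bot: `c2c-wg = [ ] ++ gdevices-wg;` is just `gdevices-wg` under another name; if the empty list is a placeholder for peers that should only reach each other, say so rather than leave a no-op concatenation, e.g. `c2c-wg = gdevices-wg; # add client-to-client-only peers here`. `towan-wg` appends `gdevices-wg ++ routers-wg`, but `gdevices-wg` already ends with `routers-wg`, so the three router addresses appear twice in that group; if it is expanded into an nftables set literal, either drop the explicit `++ routers-wg` or wrap the list in `lib.unique` at the use site, since duplicate elements in an anonymous set may be rejected depending on the nft version. The `# groups` comment would also benefit from noting that the `-wg` groups hold WireGuard tunnel addresses whereas the removed `gdevices` held Tailscale ones, because every allow-list keyed on `gdevices-wg` presumably now matches only the WireGuard side of each device.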


@ -4,8 +4,7 @@ let
domain = "cloud.giugl.io"; domain = "cloud.giugl.io";
network = import ./network.nix; network = import ./network.nix;
redis_port = 6379; redis_port = 6379;
in in {
{
services = { services = {
mysql = { mysql = {
enable = true; enable = true;


@ -3,8 +3,7 @@
let let
domain = "tweet.giugl.io"; domain = "tweet.giugl.io";
network = import ./network.nix; network = import ./network.nix;
in in {
{
services = { services = {
nitter = { nitter = {
enable = true; enable = true;


@ -4,8 +4,7 @@ let
domain = "htnzb.giugl.io"; domain = "htnzb.giugl.io";
network = import ./network.nix; network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in in {
{
services = { services = {
nzbget = { nzbget = {
enable = true; enable = true;


@ -3,8 +3,7 @@
let let
domain = "media.giugl.io"; domain = "media.giugl.io";
network = import ./network.nix; network = import ./network.nix;
in in {
{
services.plex = { services.plex = {
enable = true; enable = true;
package = pkgs.unstable.plex; package = pkgs.unstable.plex;


@ -5,8 +5,7 @@ let
conference_domain = "conference.${domain}"; conference_domain = "conference.${domain}";
upload_domain = "uploads.${domain}"; upload_domain = "uploads.${domain}";
network = import ./network.nix; network = import ./network.nix;
in in {
{
services = { services = {
prosody = { prosody = {
enable = true; enable = true;


@ -3,8 +3,7 @@
let let
domain = "htpro.giugl.io"; domain = "htpro.giugl.io";
network = import ./network.nix; network = import ./network.nix;
in in {
{
services = { services = {
prowlarr.enable = true; prowlarr.enable = true;
@ -15,7 +14,7 @@ in
proxyPass = "http://127.0.0.1:9696"; proxyPass = "http://127.0.0.1:9696";
extraConfig = '' extraConfig = ''
allow 10.0.0.0/24; allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices} ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all; deny all;
''; '';
}; };


@ -4,8 +4,7 @@ let
domain = "htrad.giugl.io"; domain = "htrad.giugl.io";
network = import ./network.nix; network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in in {
{
services = { services = {
radarr = { radarr = {
enable = true; enable = true;


@ -1,65 +0,0 @@
{ mach-nix, lib, config, pkgs, ... }:
let
domain = "gugol.giugl.io";
network = import ./network.nix;
in
{
services = {
redis.servers."searx" = { enable = true; port = 4456; };
searx = {
enable = true;
package = pkgs.searxng;
# package = mach-nix.buildPythonPackage "https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206";
environmentFile = /secrets/searx/env;
settings = {
server = {
secret_key = "@SEARX_SECRET_KEY@";
port = 4455;
};
general = {
instance_name = "Pepe's Gugol";
contact_url = "mailto:gugol@depasquale.giugl.io";
enable_metrics = false;
};
search = {
safe_search = 0;
autocomplete = "duckduckgo";
prefer_configured_language = false;
};
ui = {
infinite_scroll = true;
};
redis.url = "127.0.0.1:${toString config.services.redis.servers."searx".port}";
engines = [
{ name = "google"; disabled = false; }
{ name = "bing"; disabled = false; }
{ name = "qwant"; disabled = false; }
{ name = "duckduckgo"; disabled = false; }
{ name = "yahoo"; disabled = false; }
];
};
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.searx.settings.server.port}";
};
};
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
'';
}


@ -4,8 +4,7 @@ let
domain = "htson.giugl.io"; domain = "htson.giugl.io";
network = import ./network.nix; network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in in {
{
services = { services = {
sonarr = { sonarr = {
enable = true; enable = true;


@ -4,8 +4,7 @@ let
network = import ./network.nix; network = import ./network.nix;
ifname = "ts0"; ifname = "ts0";
in in {
{
services = { services = {
tailscale = { tailscale = {
enable = true; enable = true;


@ -3,8 +3,7 @@
let let
domain = "httra.giugl.io"; domain = "httra.giugl.io";
network = import ./network.nix; network = import ./network.nix;
in in {
{
services = { services = {
transmission = { transmission = {
enable = true; enable = true;
@ -28,7 +27,7 @@ in
proxyPass = "http://127.0.0.1:9091"; proxyPass = "http://127.0.0.1:9091";
extraConfig = '' extraConfig = ''
allow 10.0.0.0/24; allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices} ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all; deny all;
''; '';
}; };


@ -9,8 +9,7 @@ let
export __VK_LAYER_NV_optimus=NVIDIA_only export __VK_LAYER_NV_optimus=NVIDIA_only
exec -a "$0" "$@" exec -a "$0" "$@"
''; '';
in in {
{
imports = [ ./hardware.nix ./wireguard.nix ./sound.nix ]; imports = [ ./hardware.nix ./wireguard.nix ./sound.nix ];
boot = { boot = {

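--- a/lib/default.nix
+++ b/lib/default.nix
@@ -0,0 +1,6 @@
+{ pkgs, unstable, nixpkgs, nixos-unstable, home-manager, system, ... }: rec {
+user = import ./user.nix { inherit pkgs unstable system home-manager; };
+host = import ./host.nix {
+inherit pkgs nixpkgs unstable nixos-unstable home-manager user system;
+};
+}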


@ -5,17 +5,14 @@
let let
mkRole = role: import (../roles + "/${role}.nix"); mkRole = role: import (../roles + "/${role}.nix");
users_mod = (map users_mod = (map (u:
(u:
user.mkUser { user.mkUser {
name = u.user; name = u.user;
roles = u.roles; roles = u.roles;
}) }) users);
users);
roles_mod = (map (r: mkRole r) roles); roles_mod = (map (r: mkRole r) roles);
add_imports = imports; add_imports = imports;
in in nixpkgs.lib.nixosSystem {
nixpkgs.lib.nixosSystem {
inherit system; inherit system;
modules = [ modules = [


@ -5,8 +5,7 @@
let let
mkRole = role: import (../roles/home + "/${role}.nix"); mkRole = role: import (../roles/home + "/${role}.nix");
roles_mod = (map (r: mkRole r) roles); roles_mod = (map (r: mkRole r) roles);
in in {
{
users.groups.plugdev = { }; users.groups.plugdev = { };
fileSystems."/home/${name}/Downloads" = { fileSystems."/home/${name}/Downloads" = {
@ -28,8 +27,7 @@
let let
mkRole = role: import (../roles/home + "/${role}.nix"); mkRole = role: import (../roles/home + "/${role}.nix");
roles_mod = (map (r: mkRole r) roles); roles_mod = (map (r: mkRole r) roles);
in in home-manager.lib.homeManagerConfiguration {
home-manager.lib.homeManagerConfiguration {
inherit pkgs; inherit pkgs;
modules = [ modules = [
{ {


@ -9,8 +9,7 @@ let
name = "guake"; name = "guake";
package = pkgs.guake; package = pkgs.guake;
}); });
in in {
{
imports = [ ./gnome.nix ]; imports = [ ./gnome.nix ];
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;