Compare commits
No commits in common. "608fd46eb4986b977d7873517b1a88bc4e31e62a" and "0d3b2888fe111f46ab68474977503b9b564900d5" have entirely different histories.
608fd46eb4
...
0d3b2888fe
@ -32,12 +32,7 @@
|
||||
};
|
||||
|
||||
wrapUtils = { pkgs, unstable, system }:
|
||||
pkgs.lib.makeScope pkgs.newScope (self: {
|
||||
inherit nixpkgs home-manager nixos-unstable;
|
||||
user = self.callPackage ./lib/user.nix { };
|
||||
host = self.callPackage ./lib/host.nix { };
|
||||
});
|
||||
|
||||
import ./lib { inherit nixpkgs nixos-unstable home-manager system pkgs unstable; };
|
||||
|
||||
pkgsLinuxX64 = wrapPkgsSystem { system = sysLinuxX64; };
|
||||
unstableLinuxX64 = wrapUnstablePkgsSystem { system = sysLinuxX64; };
|
||||
|
@ -6,10 +6,8 @@ let
|
||||
];
|
||||
hostname = "architect";
|
||||
network = import ./network.nix;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
# Include the results of the hardware scan.
|
||||
in {
|
||||
imports = [ # Include the results of the hardware scan.
|
||||
./backup.nix
|
||||
./hardware.nix
|
||||
./firewall.nix
|
||||
@ -41,7 +39,6 @@ in
|
||||
./lezzo.nix
|
||||
./runas.nix
|
||||
./tailscale.nix
|
||||
./searx.nix
|
||||
];
|
||||
|
||||
time.timeZone = "Europe/Rome";
|
||||
|
@ -4,8 +4,7 @@ let
|
||||
domain = "htdel.giugl.io";
|
||||
network = import ./network.nix;
|
||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
||||
in
|
||||
{
|
||||
in {
|
||||
services = {
|
||||
deluge = {
|
||||
enable = true;
|
||||
|
@ -49,8 +49,7 @@ let
|
||||
wireguard_udp
|
||||
];
|
||||
|
||||
in
|
||||
{
|
||||
in {
|
||||
networking = {
|
||||
# needed to use nftables
|
||||
firewall.enable = false;
|
||||
@ -159,7 +158,7 @@ in
|
||||
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
|
||||
ip saddr ${lan-net} accept comment "lan > local"
|
||||
ip saddr ${tailscale-net} accept comment "tailscale > local"
|
||||
ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
|
||||
ip saddr {${lib.concatStringsSep "," gdevices-wg}} accept comment "vpn > local"
|
||||
|
||||
iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
|
||||
iifname ${wan-if} udp dport {${open_udp_ports}} accept
|
||||
@ -174,9 +173,14 @@ in
|
||||
type filter hook forward priority filter; policy drop;
|
||||
ct state established,related accept
|
||||
|
||||
# client to client
|
||||
ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${
|
||||
lib.concatStringsSep "," c2c-wg
|
||||
}} accept
|
||||
|
||||
# gdevices talking to everyone in VPN
|
||||
ip saddr {${
|
||||
lib.concatStringsSep "," gdevices
|
||||
lib.concatStringsSep "," gdevices-wg
|
||||
}} ip daddr ${vpn-net} accept
|
||||
ip saddr {${
|
||||
lib.concatStringsSep "," gamenet-wg
|
||||
|
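Review bot: The forward rule under `# gdevices talking to everyone in VPN` now keys on `gdevices-wg`, and this commit's network.nix defines `gdevices-wg` as the device list `++ routers-wg`, so the three router peers also obtain the forward-to-`${vpn-net}` right here, the `vpn > local` input accept in the hunk above, and membership in every nginx allowlist switched to `network.gdevices-wg` in the same commit (home-assistant, minio, prowlarr, transmission) plus the jellyfin `whitelisted_ips`. If the routers only need to route rather than reach those admin UIs, keep a device-only list for the allowlists, e.g. `gdevices-wg = [ giuliopc-wg giuliophone-wg gbeast-wg peppiniell-wg kclvm-wg ];`, and append `++ routers-wg` only in the forward rule that needs it. The `forward` chain and the surrounding nftables ruleset string start and end outside the hunk.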
@ -5,8 +5,7 @@ let
|
||||
network = import ./network.nix;
|
||||
host = "127.0.0.1";
|
||||
port = 8123;
|
||||
in
|
||||
{
|
||||
in {
|
||||
services = {
|
||||
mosquitto = {
|
||||
enable = true;
|
||||
@ -53,7 +52,7 @@ in
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
allow 10.0.0.0/24;
|
||||
${lib.concatMapStrings (x: "allow ${x};") network.gdevices}
|
||||
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
|
||||
deny all;
|
||||
'';
|
||||
};
|
||||
|
@ -19,7 +19,7 @@ in
|
||||
nginx.virtualHosts.${domain} = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices; } +
|
||||
extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices-wg; } +
|
||||
''
|
||||
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
|
||||
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
|
||||
|
@ -3,8 +3,7 @@
|
||||
let
|
||||
network = import ./network.nix;
|
||||
domain = "auth.giugl.io";
|
||||
in
|
||||
{
|
||||
in {
|
||||
services = {
|
||||
keycloak = {
|
||||
enable = true;
|
||||
|
@ -4,8 +4,7 @@ let
|
||||
domain = "htlid.giugl.io";
|
||||
network = import ./network.nix;
|
||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
||||
in
|
||||
{
|
||||
in {
|
||||
services = {
|
||||
lidarr = {
|
||||
enable = true;
|
||||
|
@ -3,8 +3,7 @@
|
||||
let
|
||||
domain = "s3.giugl.io";
|
||||
network = import ./network.nix;
|
||||
in
|
||||
{
|
||||
in {
|
||||
services = {
|
||||
minio.enable = true;
|
||||
|
||||
@ -16,7 +15,7 @@ in
|
||||
extraConfig = ''
|
||||
client_max_body_size 500M;
|
||||
allow 10.0.0.0/24;
|
||||
${lib.concatMapStrings (x: "allow ${x};") network.gdevices }
|
||||
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg }
|
||||
allow ${network.manduria-wg};
|
||||
deny all;
|
||||
'';
|
||||
|
@ -6,8 +6,7 @@ let
|
||||
library_path = "/media/Music";
|
||||
beets_config = "/media/beets.conf";
|
||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
||||
in
|
||||
{
|
||||
in {
|
||||
services = {
|
||||
navidrome = {
|
||||
enable = true;
|
||||
|
@ -62,8 +62,12 @@ rec {
|
||||
dodino-ts = "100.106.244.35";
|
||||
|
||||
# groups
|
||||
gdevices = [ giuliophone-ts architect-ts giuliopc-ts dodino-ts ];
|
||||
towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg framecca-wg ];
|
||||
gdevices-wg =
|
||||
[ giuliopc-wg giuliophone-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg;
|
||||
routers-wg = [ hotpottino-wg angellane-wg dodino-wg ];
|
||||
c2c-wg = [ ] ++ gdevices-wg;
|
||||
towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg framecca-wg ]
|
||||
++ gdevices-wg ++ routers-wg;
|
||||
gamenet-wg = [
|
||||
andrew-wg
|
||||
giuliopc-wg
|
||||
|
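Review bot: `towan-wg` on the new side is built as `[ ... ] ++ gdevices-wg ++ routers-wg`, but `gdevices-wg` is itself `[ ... ] ++ routers-wg`, so the three router addresses appear twice in `towan-wg`; these groups are joined into nftables anonymous sets with `lib.concatStringsSep ","` in the firewall module, where duplicate elements are at best redundant, so either drop the trailing `++ routers-wg` or wrap the groups in `lib.unique`. `c2c-wg = [ ] ++ gdevices-wg;` evaluates to the same list as `c2c-wg = gdevices-wg;`; if the empty list is a placeholder for additional client-to-client peers, a comment saying so would keep the next reader from simplifying it away. The `rec` set holding these definitions begins and ends outside the hunk.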
@ -4,8 +4,7 @@ let
|
||||
domain = "cloud.giugl.io";
|
||||
network = import ./network.nix;
|
||||
redis_port = 6379;
|
||||
in
|
||||
{
|
||||
in {
|
||||
services = {
|
||||
mysql = {
|
||||
enable = true;
|
||||
|
@ -3,8 +3,7 @@
|
||||
let
|
||||
domain = "tweet.giugl.io";
|
||||
network = import ./network.nix;
|
||||
in
|
||||
{
|
||||
in {
|
||||
services = {
|
||||
nitter = {
|
||||
enable = true;
|
||||
|
@ -4,8 +4,7 @@ let
|
||||
domain = "htnzb.giugl.io";
|
||||
network = import ./network.nix;
|
||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
||||
in
|
||||
{
|
||||
in {
|
||||
services = {
|
||||
nzbget = {
|
||||
enable = true;
|
||||
|
@ -3,8 +3,7 @@
|
||||
let
|
||||
domain = "media.giugl.io";
|
||||
network = import ./network.nix;
|
||||
in
|
||||
{
|
||||
in {
|
||||
services.plex = {
|
||||
enable = true;
|
||||
package = pkgs.unstable.plex;
|
||||
|
@ -5,8 +5,7 @@ let
|
||||
conference_domain = "conference.${domain}";
|
||||
upload_domain = "uploads.${domain}";
|
||||
network = import ./network.nix;
|
||||
in
|
||||
{
|
||||
in {
|
||||
services = {
|
||||
prosody = {
|
||||
enable = true;
|
||||
|
@ -3,8 +3,7 @@
|
||||
let
|
||||
domain = "htpro.giugl.io";
|
||||
network = import ./network.nix;
|
||||
in
|
||||
{
|
||||
in {
|
||||
services = {
|
||||
prowlarr.enable = true;
|
||||
|
||||
@ -15,7 +14,7 @@ in
|
||||
proxyPass = "http://127.0.0.1:9696";
|
||||
extraConfig = ''
|
||||
allow 10.0.0.0/24;
|
||||
${lib.concatMapStrings (x: "allow ${x};") network.gdevices}
|
||||
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
|
||||
deny all;
|
||||
'';
|
||||
};
|
||||
|
@ -4,8 +4,7 @@ let
|
||||
domain = "htrad.giugl.io";
|
||||
network = import ./network.nix;
|
||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
||||
in
|
||||
{
|
||||
in {
|
||||
services = {
|
||||
radarr = {
|
||||
enable = true;
|
||||
|
@ -1,65 +0,0 @@
|
||||
{ mach-nix, lib, config, pkgs, ... }:
|
||||
|
||||
let
|
||||
domain = "gugol.giugl.io";
|
||||
network = import ./network.nix;
|
||||
in
|
||||
{
|
||||
services = {
|
||||
redis.servers."searx" = { enable = true; port = 4456; };
|
||||
searx = {
|
||||
enable = true;
|
||||
package = pkgs.searxng;
|
||||
# package = mach-nix.buildPythonPackage "https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206";
|
||||
|
||||
environmentFile = /secrets/searx/env;
|
||||
settings = {
|
||||
server = {
|
||||
secret_key = "@SEARX_SECRET_KEY@";
|
||||
port = 4455;
|
||||
};
|
||||
|
||||
general = {
|
||||
instance_name = "Pepe's Gugol";
|
||||
contact_url = "mailto:gugol@depasquale.giugl.io";
|
||||
enable_metrics = false;
|
||||
};
|
||||
|
||||
search = {
|
||||
safe_search = 0;
|
||||
autocomplete = "duckduckgo";
|
||||
prefer_configured_language = false;
|
||||
};
|
||||
|
||||
ui = {
|
||||
infinite_scroll = true;
|
||||
};
|
||||
|
||||
redis.url = "127.0.0.1:${toString config.services.redis.servers."searx".port}";
|
||||
|
||||
engines = [
|
||||
{ name = "google"; disabled = false; }
|
||||
{ name = "bing"; disabled = false; }
|
||||
{ name = "qwant"; disabled = false; }
|
||||
{ name = "duckduckgo"; disabled = false; }
|
||||
{ name = "yahoo"; disabled = false; }
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
nginx.virtualHosts.${domain} = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString config.services.searx.settings.server.port}";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
networking.extraHosts = ''
|
||||
${network.architect-lan} ${domain}
|
||||
${network.architect-wg} ${domain}
|
||||
${network.architect-ts} ${domain}
|
||||
'';
|
||||
}
|
@ -4,8 +4,7 @@ let
|
||||
domain = "htson.giugl.io";
|
||||
network = import ./network.nix;
|
||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
||||
in
|
||||
{
|
||||
in {
|
||||
services = {
|
||||
sonarr = {
|
||||
enable = true;
|
||||
|
@ -4,8 +4,7 @@ let
|
||||
network = import ./network.nix;
|
||||
|
||||
ifname = "ts0";
|
||||
in
|
||||
{
|
||||
in {
|
||||
services = {
|
||||
tailscale = {
|
||||
enable = true;
|
||||
|
@ -3,8 +3,7 @@
|
||||
let
|
||||
domain = "httra.giugl.io";
|
||||
network = import ./network.nix;
|
||||
in
|
||||
{
|
||||
in {
|
||||
services = {
|
||||
transmission = {
|
||||
enable = true;
|
||||
@ -28,7 +27,7 @@ in
|
||||
proxyPass = "http://127.0.0.1:9091";
|
||||
extraConfig = ''
|
||||
allow 10.0.0.0/24;
|
||||
${lib.concatMapStrings (x: "allow ${x};") network.gdevices}
|
||||
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
|
||||
deny all;
|
||||
'';
|
||||
};
|
||||
|
@ -9,8 +9,7 @@ let
|
||||
export __VK_LAYER_NV_optimus=NVIDIA_only
|
||||
exec -a "$0" "$@"
|
||||
'';
|
||||
in
|
||||
{
|
||||
in {
|
||||
imports = [ ./hardware.nix ./wireguard.nix ./sound.nix ];
|
||||
|
||||
boot = {
|
||||
|
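--- a/lib/default.nix
+++ b/lib/default.nix
@@ -0,0 +1,6 @@
+{ pkgs, unstable, nixpkgs, nixos-unstable, home-manager, system, ... }: rec {
+user = import ./user.nix { inherit pkgs unstable system home-manager; };
+host = import ./host.nix {
+inherit pkgs nixpkgs unstable nixos-unstable home-manager user system;
+};
+}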
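Review bot: lib/default.nix has no header comment explaining that it replaces the `pkgs.lib.makeScope`/`callPackage` scope the flake previously built inline, so a reader cannot tell why `user` is threaded into host.nix by hand; a one-line comment such as `# Builds the user and host helpers; user is passed to host.nix explicitly, which is why the set is rec.` would do. The trailing `...` in the argument set lets the caller pass unknown attributes without an evaluation error, which hides typos at the `import ./lib { inherit ... }` call site in the flake; unless extra attributes are intended, the ellipsis can be dropped. The recursive set can also be avoided with `let user = import ./user.nix { inherit pkgs unstable system home-manager; }; in { inherit user; host = import ./host.nix { ... }; }`, which makes the dependency direction explicit.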
@ -5,17 +5,14 @@
|
||||
let
|
||||
mkRole = role: import (../roles + "/${role}.nix");
|
||||
|
||||
users_mod = (map
|
||||
(u:
|
||||
users_mod = (map (u:
|
||||
user.mkUser {
|
||||
name = u.user;
|
||||
roles = u.roles;
|
||||
})
|
||||
users);
|
||||
}) users);
|
||||
roles_mod = (map (r: mkRole r) roles);
|
||||
add_imports = imports;
|
||||
in
|
||||
nixpkgs.lib.nixosSystem {
|
||||
in nixpkgs.lib.nixosSystem {
|
||||
inherit system;
|
||||
|
||||
modules = [
|
||||
|
@ -5,8 +5,7 @@
|
||||
let
|
||||
mkRole = role: import (../roles/home + "/${role}.nix");
|
||||
roles_mod = (map (r: mkRole r) roles);
|
||||
in
|
||||
{
|
||||
in {
|
||||
users.groups.plugdev = { };
|
||||
|
||||
fileSystems."/home/${name}/Downloads" = {
|
||||
@ -28,8 +27,7 @@
|
||||
let
|
||||
mkRole = role: import (../roles/home + "/${role}.nix");
|
||||
roles_mod = (map (r: mkRole r) roles);
|
||||
in
|
||||
home-manager.lib.homeManagerConfiguration {
|
||||
in home-manager.lib.homeManagerConfiguration {
|
||||
inherit pkgs;
|
||||
modules = [
|
||||
{
|
||||
|
@ -9,8 +9,7 @@ let
|
||||
name = "guake";
|
||||
package = pkgs.guake;
|
||||
});
|
||||
in
|
||||
{
|
||||
in {
|
||||
imports = [ ./gnome.nix ];
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|