Compare commits

..

No commits in common. "608fd46eb4986b977d7873517b1a88bc4e31e62a" and "0d3b2888fe111f46ab68474977503b9b564900d5" have entirely different histories.

37 changed files with 224 additions and 306 deletions

View File

@ -32,12 +32,7 @@
};
wrapUtils = { pkgs, unstable, system }:
pkgs.lib.makeScope pkgs.newScope (self: {
inherit nixpkgs home-manager nixos-unstable;
user = self.callPackage ./lib/user.nix { };
host = self.callPackage ./lib/host.nix { };
});
import ./lib { inherit nixpkgs nixos-unstable home-manager system pkgs unstable; };
pkgsLinuxX64 = wrapPkgsSystem { system = sysLinuxX64; };
unstableLinuxX64 = wrapUnstablePkgsSystem { system = sysLinuxX64; };

View File

@ -6,10 +6,8 @@ let
];
hostname = "architect";
network = import ./network.nix;
in
{
imports = [
# Include the results of the hardware scan.
in {
imports = [ # Include the results of the hardware scan.
./backup.nix
./hardware.nix
./firewall.nix
@ -41,7 +39,6 @@ in
./lezzo.nix
./runas.nix
./tailscale.nix
./searx.nix
];
time.timeZone = "Europe/Rome";

View File

@ -4,8 +4,7 @@ let
domain = "htdel.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in
{
in {
services = {
deluge = {
enable = true;

View File

@ -49,8 +49,7 @@ let
wireguard_udp
];
in
{
in {
networking = {
# needed to use nftables
firewall.enable = false;
@ -159,7 +158,7 @@ in
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
ip saddr ${lan-net} accept comment "lan > local"
ip saddr ${tailscale-net} accept comment "tailscale > local"
ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
ip saddr {${lib.concatStringsSep "," gdevices-wg}} accept comment "vpn > local"
iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
iifname ${wan-if} udp dport {${open_udp_ports}} accept
@ -174,9 +173,14 @@ in
type filter hook forward priority filter; policy drop;
ct state established,related accept
# client to client
ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${
lib.concatStringsSep "," c2c-wg
}} accept
# gdevices talking to everyone in VPN
ip saddr {${
lib.concatStringsSep "," gdevices
lib.concatStringsSep "," gdevices-wg
}} ip daddr ${vpn-net} accept
ip saddr {${
lib.concatStringsSep "," gamenet-wg

View File

@ -5,8 +5,7 @@ let
network = import ./network.nix;
host = "127.0.0.1";
port = 8123;
in
{
in {
services = {
mosquitto = {
enable = true;
@ -53,7 +52,7 @@ in
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices}
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
'';
};

View File

@ -19,7 +19,7 @@ in
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices; } +
extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices-wg; } +
''
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";

View File

@ -3,8 +3,7 @@
let
network = import ./network.nix;
domain = "auth.giugl.io";
in
{
in {
services = {
keycloak = {
enable = true;

View File

@ -4,8 +4,7 @@ let
domain = "htlid.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in
{
in {
services = {
lidarr = {
enable = true;

View File

@ -3,8 +3,7 @@
let
domain = "s3.giugl.io";
network = import ./network.nix;
in
{
in {
services = {
minio.enable = true;
@ -16,7 +15,7 @@ in
extraConfig = ''
client_max_body_size 500M;
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices }
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg }
allow ${network.manduria-wg};
deny all;
'';

View File

@ -6,8 +6,7 @@ let
library_path = "/media/Music";
beets_config = "/media/beets.conf";
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in
{
in {
services = {
navidrome = {
enable = true;

View File

@ -62,8 +62,12 @@ rec {
dodino-ts = "100.106.244.35";
# groups
gdevices = [ giuliophone-ts architect-ts giuliopc-ts dodino-ts ];
towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg framecca-wg ];
gdevices-wg =
[ giuliopc-wg giuliophone-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg;
routers-wg = [ hotpottino-wg angellane-wg dodino-wg ];
c2c-wg = [ ] ++ gdevices-wg;
towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg framecca-wg ]
++ gdevices-wg ++ routers-wg;
gamenet-wg = [
andrew-wg
giuliopc-wg

View File

@ -4,8 +4,7 @@ let
domain = "cloud.giugl.io";
network = import ./network.nix;
redis_port = 6379;
in
{
in {
services = {
mysql = {
enable = true;

View File

@ -3,8 +3,7 @@
let
domain = "tweet.giugl.io";
network = import ./network.nix;
in
{
in {
services = {
nitter = {
enable = true;

View File

@ -4,8 +4,7 @@ let
domain = "htnzb.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in
{
in {
services = {
nzbget = {
enable = true;

View File

@ -3,8 +3,7 @@
let
domain = "media.giugl.io";
network = import ./network.nix;
in
{
in {
services.plex = {
enable = true;
package = pkgs.unstable.plex;

View File

@ -5,8 +5,7 @@ let
conference_domain = "conference.${domain}";
upload_domain = "uploads.${domain}";
network = import ./network.nix;
in
{
in {
services = {
prosody = {
enable = true;

View File

@ -3,8 +3,7 @@
let
domain = "htpro.giugl.io";
network = import ./network.nix;
in
{
in {
services = {
prowlarr.enable = true;
@ -15,7 +14,7 @@ in
proxyPass = "http://127.0.0.1:9696";
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices}
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
'';
};

View File

@ -4,8 +4,7 @@ let
domain = "htrad.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in
{
in {
services = {
radarr = {
enable = true;

View File

@ -1,65 +0,0 @@
{ mach-nix, lib, config, pkgs, ... }:
let
domain = "gugol.giugl.io";
network = import ./network.nix;
in
{
services = {
redis.servers."searx" = { enable = true; port = 4456; };
searx = {
enable = true;
package = pkgs.searxng;
# package = mach-nix.buildPythonPackage "https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206";
environmentFile = /secrets/searx/env;
settings = {
server = {
secret_key = "@SEARX_SECRET_KEY@";
port = 4455;
};
general = {
instance_name = "Pepe's Gugol";
contact_url = "mailto:gugol@depasquale.giugl.io";
enable_metrics = false;
};
search = {
safe_search = 0;
autocomplete = "duckduckgo";
prefer_configured_language = false;
};
ui = {
infinite_scroll = true;
};
redis.url = "127.0.0.1:${toString config.services.redis.servers."searx".port}";
engines = [
{ name = "google"; disabled = false; }
{ name = "bing"; disabled = false; }
{ name = "qwant"; disabled = false; }
{ name = "duckduckgo"; disabled = false; }
{ name = "yahoo"; disabled = false; }
];
};
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.searx.settings.server.port}";
};
};
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
'';
}

View File

@ -4,8 +4,7 @@ let
domain = "htson.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in
{
in {
services = {
sonarr = {
enable = true;

View File

@ -4,8 +4,7 @@ let
network = import ./network.nix;
ifname = "ts0";
in
{
in {
services = {
tailscale = {
enable = true;

View File

@ -3,8 +3,7 @@
let
domain = "httra.giugl.io";
network = import ./network.nix;
in
{
in {
services = {
transmission = {
enable = true;
@ -28,7 +27,7 @@ in
proxyPass = "http://127.0.0.1:9091";
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices}
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
'';
};

View File

@ -9,8 +9,7 @@ let
export __VK_LAYER_NV_optimus=NVIDIA_only
exec -a "$0" "$@"
'';
in
{
in {
imports = [ ./hardware.nix ./wireguard.nix ./sound.nix ];
boot = {

6
lib/default.nix Normal file
View File

@ -0,0 +1,6 @@
{ pkgs, unstable, nixpkgs, nixos-unstable, home-manager, system, ... }: rec {
user = import ./user.nix { inherit pkgs unstable system home-manager; };
host = import ./host.nix {
inherit pkgs nixpkgs unstable nixos-unstable home-manager user system;
};
}

View File

@ -5,17 +5,14 @@
let
mkRole = role: import (../roles + "/${role}.nix");
users_mod = (map
(u:
users_mod = (map (u:
user.mkUser {
name = u.user;
roles = u.roles;
})
users);
}) users);
roles_mod = (map (r: mkRole r) roles);
add_imports = imports;
in
nixpkgs.lib.nixosSystem {
in nixpkgs.lib.nixosSystem {
inherit system;
modules = [

View File

@ -5,8 +5,7 @@
let
mkRole = role: import (../roles/home + "/${role}.nix");
roles_mod = (map (r: mkRole r) roles);
in
{
in {
users.groups.plugdev = { };
fileSystems."/home/${name}/Downloads" = {
@ -28,8 +27,7 @@
let
mkRole = role: import (../roles/home + "/${role}.nix");
roles_mod = (map (r: mkRole r) roles);
in
home-manager.lib.homeManagerConfiguration {
in home-manager.lib.homeManagerConfiguration {
inherit pkgs;
modules = [
{

View File

@ -9,8 +9,7 @@ let
name = "guake";
package = pkgs.guake;
});
in
{
in {
imports = [ ./gnome.nix ];
nixpkgs.config.allowUnfree = true;