peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: peperunas:608fd46eb4986b977d7873517b1a88bc4e31e62a
Branches Tags
peperunas:master
peperunas:nixos-21.11
peperunas:laptopshit
..
compare: peperunas:0d3b2888fe111f46ab68474977503b9b564900d5
Branches Tags
peperunas:master
peperunas:nixos-21.11
peperunas:laptopshit

No commits in common. "608fd46eb4986b977d7873517b1a88bc4e31e62a" and "0d3b2888fe111f46ab68474977503b9b564900d5" have entirely different histories.
608fd46eb4 ... 0d3b2888fe

37 changed files with 224 additions and 306 deletions
Show Stats Expand all files Collapse all files

7
flake.nix
View File

@ -32,12 +32,7 @@
};
wrapUtils = { pkgs, unstable, system }:
pkgs.lib.makeScope pkgs.newScope (self: {
inherit nixpkgs home-manager nixos-unstable;
user = self.callPackage ./lib/user.nix { };
host = self.callPackage ./lib/host.nix { };
});
import ./lib { inherit nixpkgs nixos-unstable home-manager system pkgs unstable; };
pkgsLinuxX64 = wrapPkgsSystem { system = sysLinuxX64; };
unstableLinuxX64 = wrapUnstablePkgsSystem { system = sysLinuxX64; };

7
hosts/architect/default.nix
View File

@ -6,10 +6,8 @@ let
];
hostname = "architect";
network = import ./network.nix;
in
{
imports = [
# Include the results of the hardware scan.
in {
imports = [ # Include the results of the hardware scan.
./backup.nix
./hardware.nix
./firewall.nix
@ -41,7 +39,6 @@ in
./lezzo.nix
./runas.nix
./tailscale.nix
./searx.nix
];
time.timeZone = "Europe/Rome";

3
hosts/architect/deluge.nix
View File

@ -4,8 +4,7 @@ let
domain = "htdel.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in
{
in {
services = {
deluge = {
enable = true;

12
hosts/architect/firewall.nix
View File

@ -49,8 +49,7 @@ let
wireguard_udp
];
in
{
in {
networking = {
# needed to use nftables
firewall.enable = false;
@ -159,7 +158,7 @@ in
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
ip saddr ${lan-net} accept comment "lan > local"
ip saddr ${tailscale-net} accept comment "tailscale > local"
ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
ip saddr {${lib.concatStringsSep "," gdevices-wg}} accept comment "vpn > local"
iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
iifname ${wan-if} udp dport {${open_udp_ports}} accept
@ -174,9 +173,14 @@ in
type filter hook forward priority filter; policy drop;
ct state established,related accept
# client to client
ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${
lib.concatStringsSep "," c2c-wg
}} accept
# gdevices talking to everyone in VPN
ip saddr {${
lib.concatStringsSep "," gdevices
lib.concatStringsSep "," gdevices-wg
}} ip daddr ${vpn-net} accept
ip saddr {${
lib.concatStringsSep "," gamenet-wg

5
hosts/architect/home-assistant.nix
View File

@ -5,8 +5,7 @@ let
network = import ./network.nix;
host = "127.0.0.1";
port = 8123;
in
{
in {
services = {
mosquitto = {
enable = true;
@ -53,7 +52,7 @@ in
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices}
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
'';
};

2
hosts/architect/jellyfin.nix
View File

@ -19,7 +19,7 @@ in
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices; } +
extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices-wg; } +
''
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";

3
hosts/architect/keycloak.nix
View File

@ -3,8 +3,7 @@
let
network = import ./network.nix;
domain = "auth.giugl.io";
in
{
in {
services = {
keycloak = {
enable = true;

3
hosts/architect/lidarr.nix
View File

@ -4,8 +4,7 @@ let
domain = "htlid.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in
{
in {
services = {
lidarr = {
enable = true;

5
hosts/architect/minio.nix
View File

@ -3,8 +3,7 @@
let
domain = "s3.giugl.io";
network = import ./network.nix;
in
{
in {
services = {
minio.enable = true;
@ -16,7 +15,7 @@ in
extraConfig = ''
client_max_body_size 500M;
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices }
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg }
allow ${network.manduria-wg};
deny all;
'';

3
hosts/architect/navidrome.nix
View File

@ -6,8 +6,7 @@ let
library_path = "/media/Music";
beets_config = "/media/beets.conf";
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in
{
in {
services = {
navidrome = {
enable = true;

8
hosts/architect/network.nix
View File

@ -62,8 +62,12 @@ rec {
dodino-ts = "100.106.244.35";
# groups
gdevices = [ giuliophone-ts architect-ts giuliopc-ts dodino-ts ];
towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg framecca-wg ];
gdevices-wg =
[ giuliopc-wg giuliophone-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg;
routers-wg = [ hotpottino-wg angellane-wg dodino-wg ];
c2c-wg = [ ] ++ gdevices-wg;
towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg framecca-wg ]
++ gdevices-wg ++ routers-wg;
gamenet-wg = [
andrew-wg
giuliopc-wg

3
hosts/architect/nextcloud.nix
View File

@ -4,8 +4,7 @@ let
domain = "cloud.giugl.io";
network = import ./network.nix;
redis_port = 6379;
in
{
in {
services = {
mysql = {
enable = true;

3
hosts/architect/nitter.nix
View File

@ -3,8 +3,7 @@
let
domain = "tweet.giugl.io";
network = import ./network.nix;
in
{
in {
services = {
nitter = {
enable = true;

3
hosts/architect/nzbget.nix
View File

@ -4,8 +4,7 @@ let
domain = "htnzb.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in
{
in {
services = {
nzbget = {
enable = true;

3
hosts/architect/plex.nix
View File

@ -3,8 +3,7 @@
let
domain = "media.giugl.io";
network = import ./network.nix;
in
{
in {
services.plex = {
enable = true;
package = pkgs.unstable.plex;

3
hosts/architect/prosody.nix
View File

@ -5,8 +5,7 @@ let
conference_domain = "conference.${domain}";
upload_domain = "uploads.${domain}";
network = import ./network.nix;
in
{
in {
services = {
prosody = {
enable = true;

5
hosts/architect/prowlarr.nix
View File

@ -3,8 +3,7 @@
let
domain = "htpro.giugl.io";
network = import ./network.nix;
in
{
in {
services = {
prowlarr.enable = true;
@ -15,7 +14,7 @@ in
proxyPass = "http://127.0.0.1:9696";
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices}
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
'';
};

3
hosts/architect/radarr.nix
View File

@ -4,8 +4,7 @@ let
domain = "htrad.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in
{
in {
services = {
radarr = {
enable = true;

65
hosts/architect/searx.nix
View File

@ -1,65 +0,0 @@
{ mach-nix, lib, config, pkgs, ... }:
let
domain = "gugol.giugl.io";
network = import ./network.nix;
in
{
services = {
redis.servers."searx" = { enable = true; port = 4456; };
searx = {
enable = true;
package = pkgs.searxng;
# package = mach-nix.buildPythonPackage "https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206https://github.com/searxng/searxng/commit/2cf1425e8bc5d3143b6e001e82a034a794e8a206";
environmentFile = /secrets/searx/env;
settings = {
server = {
secret_key = "@SEARX_SECRET_KEY@";
port = 4455;
};
general = {
instance_name = "Pepe's Gugol";
contact_url = "mailto:gugol@depasquale.giugl.io";
enable_metrics = false;
};
search = {
safe_search = 0;
autocomplete = "duckduckgo";
prefer_configured_language = false;
};
ui = {
infinite_scroll = true;
};
redis.url = "127.0.0.1:${toString config.services.redis.servers."searx".port}";
engines = [
{ name = "google"; disabled = false; }
{ name = "bing"; disabled = false; }
{ name = "qwant"; disabled = false; }
{ name = "duckduckgo"; disabled = false; }
{ name = "yahoo"; disabled = false; }
];
};
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.searx.settings.server.port}";
};
};
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
'';
}

3
hosts/architect/sonarr.nix
View File

@ -4,8 +4,7 @@ let
domain = "htson.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in
{
in {
services = {
sonarr = {
enable = true;

3
hosts/architect/tailscale.nix
View File

@ -4,8 +4,7 @@ let
network = import ./network.nix;
ifname = "ts0";
in
{
in {
services = {
tailscale = {
enable = true;

5
hosts/architect/transmission.nix
View File

@ -3,8 +3,7 @@
let
domain = "httra.giugl.io";
network = import ./network.nix;
in
{
in {
services = {
transmission = {
enable = true;
@ -28,7 +27,7 @@ in
proxyPass = "http://127.0.0.1:9091";
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices}
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
'';
};

3
hosts/gAluminum/default.nix
View File

@ -9,8 +9,7 @@ let
export __VK_LAYER_NV_optimus=NVIDIA_only
exec -a "$0" "$@"
'';
in
{
in {
imports = [ ./hardware.nix ./wireguard.nix ./sound.nix ];
boot = {

6
lib/default.nix Normal file
View File

@ -0,0 +1,6 @@
{ pkgs, unstable, nixpkgs, nixos-unstable, home-manager, system, ... }: rec {
user = import ./user.nix { inherit pkgs unstable system home-manager; };
host = import ./host.nix {
inherit pkgs nixpkgs unstable nixos-unstable home-manager user system;
};
}

9
lib/host.nix
View File

@ -5,17 +5,14 @@
let
mkRole = role: import (../roles + "/${role}.nix");
users_mod = (map
(u:
users_mod = (map (u:
user.mkUser {
name = u.user;
roles = u.roles;
})
users);
}) users);
roles_mod = (map (r: mkRole r) roles);
add_imports = imports;
in
nixpkgs.lib.nixosSystem {
in nixpkgs.lib.nixosSystem {
inherit system;
modules = [

6
lib/user.nix
View File

@ -5,8 +5,7 @@
let
mkRole = role: import (../roles/home + "/${role}.nix");
roles_mod = (map (r: mkRole r) roles);
in
{
in {
users.groups.plugdev = { };
fileSystems."/home/${name}/Downloads" = {
@ -28,8 +27,7 @@
let
mkRole = role: import (../roles/home + "/${role}.nix");
roles_mod = (map (r: mkRole r) roles);
in
home-manager.lib.homeManagerConfiguration {
in home-manager.lib.homeManagerConfiguration {
inherit pkgs;
modules = [
{

3
roles/home/desktop.nix
View File

@ -9,8 +9,7 @@ let
name = "guake";
package = pkgs.guake;
});
in
{
in {
imports = [ ./gnome.nix ];
nixpkgs.config.allowUnfree = true;