			No commits in common. "7cf37954efecdc2f79c488bbaeeac18da93f33c8" and "ba39859e01e241c9e0486671e69659b5fc5c2359" have entirely different histories.
			7cf37954ef
			...
			ba39859e01
| @ -1,49 +1,40 @@ | ||||
| { config, lib, ... }: | ||||
| { config, pkgs, lib, ... }: | ||||
| 
 | ||||
| let | ||||
|   # Function to generate CoreDNS config for a single vhost | ||||
|   generateCoreDNSConfigForVhost = domain: conf: | ||||
|     let | ||||
|       # Retrieve architect's IP on each interface | ||||
|       interfaceConfigs = builtins.map | ||||
|         (iface: | ||||
|           let | ||||
|             architectIP = config.architect.networks.${iface}.devices.architect.address; | ||||
|             interfaceNet = config.architect.networks.${iface}.net; | ||||
|           in | ||||
|           '' | ||||
|             ${domain} { | ||||
|               view ${iface} { | ||||
|                 expr incidr(client_ip(), '${interfaceNet}') | ||||
|               } | ||||
| 
 | ||||
|               template IN A ${domain} { | ||||
|                 answer "${domain}. 60 IN A ${architectIP}" | ||||
|               } | ||||
|               template IN HTTPS ${domain} { | ||||
|                 answer "${domain}. 60 IN HTTPS 1 . ipv4hint=\"${architectIP}\"" | ||||
|               } | ||||
|               cache | ||||
|               log | ||||
|             } | ||||
|           '' | ||||
|         ) | ||||
|         conf.dnsInterfaces; | ||||
|     in | ||||
|     lib.concatStringsSep "\n" interfaceConfigs; | ||||
|   domain = "adguard.architect.devs.giugl.io"; | ||||
| in | ||||
| { | ||||
|   services = { | ||||
|     coredns = { | ||||
|       enable = true; | ||||
|       config = '' | ||||
|         ${lib.concatStringsSep "\n" (lib.mapAttrsToList generateCoreDNSConfigForVhost config.architect.vhost)} | ||||
|   architect = { | ||||
|     firewall.openUDPVPN = [ 53 ]; | ||||
| 
 | ||||
|         . { | ||||
|           cache | ||||
|           forward . 127.0.0.1:${toString config.services.adguardhome.settings.dns.port} | ||||
|         } | ||||
|       ''; | ||||
|     vhost.${domain} = { | ||||
|       dnsInterfaces = [ "lan" "tailscale" ]; | ||||
| 
 | ||||
|       locations."/" = with config; { | ||||
|         port = services.adguardhome.settings.bind_port; | ||||
|         allow = with architect.networks; [ lan.net tailscale.net ]; | ||||
|         deny = [ | ||||
|           architect.networks."lan".devices.router.address | ||||
|         ]; | ||||
|       }; | ||||
|     }; | ||||
|   }; | ||||
| 
 | ||||
|   services = { | ||||
|     dnsmasq = { | ||||
|       enable = true; | ||||
|       settings = { | ||||
|         server = [ "127.0.0.1#${toString config.services.adguardhome.settings.dns.port}" ]; | ||||
|         localise-queries = true; | ||||
|         min-cache-ttl = 120; | ||||
|         max-cache-ttl = 2400; | ||||
|         domain = [ | ||||
|           "runas.rocks" | ||||
|           "giugl.io" | ||||
|           "devs.runas.rocks" | ||||
|           "devs.giugl.io" | ||||
|         ]; | ||||
|       }; | ||||
|     }; | ||||
| 
 | ||||
|     adguardhome = { | ||||
|  | ||||
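Review bot: The dnsmasq settings in this hunk never restrict which interfaces the resolver listens on (no `interface`, `listen-address` or `bind-interfaces`), so reachability of port 53 rests entirely on `architect.firewall.openUDPVPN = [ 53 ]`; upstream dnsmasq binds every interface when none is named, and the firewall handling for the LAN and WAN interfaces is outside this hunk. I would pin it in the service itself, e.g. `interface = [ "<lan-iface>" "<tailscale-iface>" ]; bind-interfaces = true;` with the real interface names substituted, so a later firewall edit cannot turn this into an open resolver. The per-interface answers the CoreDNS `view`/`template` blocks gave appear to be replaced by `localise-queries = true;` together with the `networking.extraHosts` entries generated in the options hunk, which only works if every vhost lists each interface its clients query from in `dnsInterfaces`; a one-line comment above `localise-queries = true;` saying so would spare the next reader the archaeology. The `adguardhome` block continues past the end of the hunk.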
| @ -1,46 +1,53 @@ | ||||
| { config, pkgs, ... }: | ||||
| { config, pkgs, lib, ... }: | ||||
| 
 | ||||
| let | ||||
|   baseDomain = "giugl.io"; | ||||
|   domain = "vipienne.${baseDomain}"; | ||||
|   headscalePkg = pkgs.unstablePkgs.headscale; | ||||
|   domain = "vipienne.giugl.io"; | ||||
| in | ||||
| { | ||||
|   environment.systemPackages = [ headscalePkg ]; | ||||
|   environment.systemPackages = [ pkgs.headscale ]; | ||||
| 
 | ||||
|   architect = { | ||||
|     firewall = { | ||||
|   architect.firewall = { | ||||
|     openUDP = [ config.services.tailscale.port ]; | ||||
|   }; | ||||
| 
 | ||||
|     vhost.${domain} = { | ||||
|       dnsInterfaces = [ "lan" "tailscale" ]; | ||||
|       locations."/" = { | ||||
|         port = config.services.headscale.port; | ||||
|         allowWAN = true; | ||||
|         proxyWebsockets = true; | ||||
|       }; | ||||
|     }; | ||||
|   }; | ||||
| 
 | ||||
|   services.headscale = { | ||||
|   services = { | ||||
|     headscale = { | ||||
|       enable = true; | ||||
|     package = headscalePkg; | ||||
|       package = pkgs.unstablePkgs.headscale; | ||||
|       port = 1194; | ||||
|       address = "0.0.0.0"; | ||||
| 
 | ||||
|       settings = { | ||||
|         server_url = "https://${domain}"; | ||||
|         log.level = "debug"; | ||||
|         dns_config = { | ||||
|         magic_dns = false; | ||||
|         base_domain = baseDomain; | ||||
|           magic_dns = true; | ||||
|           base_domain = "giugl.io"; | ||||
|           override_local_dns = true; | ||||
|         nameservers = [ | ||||
|           config.architect.networks.tailscale.devices.architect.address | ||||
|         ]; | ||||
|           nameservers = [ config.architect.networks.tailscale.devices.architect.address ]; | ||||
|         }; | ||||
|         logtail.enabled = false; | ||||
|         ip_prefixes = [ config.architect.networks.tailscale.net ]; | ||||
|         noise.private_key_path = "/var/lib/headscale/noise_private.key"; | ||||
|       }; | ||||
|     }; | ||||
| 
 | ||||
|     nginx.virtualHosts.${domain} = { | ||||
|       forceSSL = true; | ||||
|       enableACME = true; | ||||
|       extraConfig = '' | ||||
|         ssl_protocols TLSv1.2 TLSv1.3; | ||||
|       ''; | ||||
|       locations."/" = { | ||||
|         proxyPass = | ||||
|           "http://127.0.0.1:${toString config.services.headscale.port}"; | ||||
|         proxyWebsockets = true; | ||||
|         recommendedProxySettings = true; | ||||
|         extraConfig = '' | ||||
|           proxy_buffering off; | ||||
|           add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; | ||||
|         ''; | ||||
|       }; | ||||
|     }; | ||||
|   }; | ||||
| } | ||||
|  | ||||
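Review bot: `environment.systemPackages = [ pkgs.headscale ];` and `services.headscale.package = pkgs.unstablePkgs.headscale;` put two different builds of headscale on the same side of this hunk, so the CLI on the host and the daemon it talks to can drift apart in version; the other side kept both on a single `headscalePkg` binding, which is the safer shape. If the `pkgs.headscale` side is the one being kept, change that line to `environment.systemPackages = [ config.services.headscale.package ];` so the two cannot diverge. Separately, `log.level = "debug";` is carried over as context on both sides; with `logtail.enabled = false;` it only reaches the local journal, but debug-level output from the control server is verbose enough that a short comment stating it is intentional, or lowering it to `"info"`, is worth doing. Which side of the hunk is the new one is not recoverable from this rendering, so the package remark applies to whichever side ends up with the two different packages.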
| @ -3,6 +3,7 @@ | ||||
| { | ||||
|   architect.firewall = { | ||||
|     openTCP = [ 80 443 ]; | ||||
|     openTCPVPN = [ 80 443 ]; | ||||
|   }; | ||||
| 
 | ||||
|   services.nginx = { | ||||
|  | ||||
| @ -2,6 +2,10 @@ | ||||
| 
 | ||||
| with lib; | ||||
| 
 | ||||
| let | ||||
|   utilities = import ./utilities.nix { inherit lib config; }; | ||||
|   inherit (utilities) architectInterfaceAddress; | ||||
| in | ||||
| { | ||||
|   options.architect = { | ||||
|     firewall = { | ||||
| @ -13,6 +17,14 @@ with lib; | ||||
|         type = types.listOf types.int; | ||||
|         default = [ ]; | ||||
|       }; | ||||
|       openTCPVPN = mkOption { | ||||
|         type = types.listOf types.int; | ||||
|         default = [ ]; | ||||
|       }; | ||||
|       openUDPVPN = mkOption { | ||||
|         type = types.listOf types.int; | ||||
|         default = [ ]; | ||||
|       }; | ||||
|     }; | ||||
| 
 | ||||
|     networks = mkOption { | ||||
| @ -106,6 +118,12 @@ with lib; | ||||
|                   default = false; | ||||
|                   description = "If set to false, deny all WAN traffic."; | ||||
|                 }; | ||||
| 
 | ||||
|                 deny = mkOption { | ||||
|                   type = types.listOf types.str; | ||||
|                   default = [ ]; | ||||
|                   description = "IP address or CIDR block to deny."; | ||||
|                 }; | ||||
|               }; | ||||
|             }); | ||||
|             default = { }; | ||||
| @ -118,7 +136,6 @@ with lib; | ||||
|     }; | ||||
|   }; | ||||
| 
 | ||||
|   # TODO: move to nginx | ||||
|   config = { | ||||
|     services.nginx.virtualHosts = mapAttrs | ||||
|       (domain: conf: { | ||||
| @ -130,12 +147,21 @@ with lib; | ||||
|             proxyWebsockets = location.proxyWebsockets; | ||||
|             extraConfig = '' | ||||
|               ${concatMapStringsSep "\n" (allowCIDR: "allow ${allowCIDR};") location.allow} | ||||
|               ${optionalString location.allowLan ''allow ${config.architect.networks."lan".net};''} | ||||
|               ${optionalString (!location.allowWAN) "deny all;"} | ||||
|               ${concatMapStringsSep "\n" (denyCIDR: "deny ${denyCIDR};") location.deny} | ||||
|               ${optionalString location.allowLan ''allow ${config.architect.networks."lan".net};''} | ||||
|             '' + location.extraConfig; | ||||
|           }) | ||||
|           conf.locations; | ||||
|       }) | ||||
|       config.architect.vhost; | ||||
| 
 | ||||
|     networking.extraHosts = concatStringsSep "\n" ( | ||||
|       mapAttrsToList | ||||
|         (domain: conf: concatMapStringsSep "\n" | ||||
|           (iface: "${architectInterfaceAddress iface} ${domain}") | ||||
|           conf.dnsInterfaces) | ||||
|         config.architect.vhost | ||||
|     ); | ||||
|   }; | ||||
| } | ||||
|  | ||||
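Review bot: The generated nginx access block emits the per-location `deny ${denyCIDR};` lines after the `allow ${allowCIDR};` lines (and after `deny all;`), but nginx's access module stops at the first rule that matches, so a `deny` entry that lies inside an allowed CIDR never fires — which is exactly the case in the adguard vhost hunk, where `lan.net` is allowed and the router address inside it is then denied. Move the `${concatMapStringsSep "\n" (denyCIDR: "deny ${denyCIDR};") location.deny}` line to the top of the `extraConfig` string, before any `allow`, and keep `deny all;` as the last rule; which of the two `allowLan` lines survives is not recoverable from this rendering, but either position leaves the ordering problem. The new `openTCPVPN`/`openUDPVPN` options also lack a `description`, unlike `allowWAN` and `deny` in the same file; a one-line `description` naming the interface(s) these ports are opened on would match the rest of the module.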
| @ -1,13 +1,10 @@ | ||||
| { config, pkgs, ... }: | ||||
| { config, ... }: | ||||
| 
 | ||||
| let | ||||
|   domain = "htpro.giugl.io"; | ||||
| in | ||||
| { | ||||
|   services.prowlarr = { | ||||
|     enable = true; | ||||
|     package = pkgs.unstablePkgs.prowlarr; | ||||
|   }; | ||||
|   services.prowlarr.enable = true; | ||||
| 
 | ||||
|   architect.vhost.${domain} = with config.architect.networks; { | ||||
|     dnsInterfaces = [ "tailscale" ]; | ||||
|  | ||||
| @ -1,4 +1,4 @@ | ||||
| { config, pkgs, ... }: | ||||
| { config, lib, ... }: | ||||
| 
 | ||||
| let | ||||
|   domain = "htrad.giugl.io"; | ||||
| @ -6,7 +6,6 @@ in | ||||
| { | ||||
|   services.radarr = { | ||||
|     enable = true; | ||||
|     package = pkgs.unstablePkgs.radarr; | ||||
|     group = "media"; | ||||
|   }; | ||||
| 
 | ||||
|  | ||||
| @ -1,4 +1,4 @@ | ||||
| { config, pkgs, ... }: | ||||
| { config, lib, ... }: | ||||
| 
 | ||||
| let | ||||
|   domain = "htson.giugl.io"; | ||||
| @ -7,7 +7,6 @@ in | ||||
|   services.sonarr = { | ||||
|     enable = true; | ||||
|     group = "media"; | ||||
|     package = pkgs.unstablePkgs.sonarr; | ||||
|   }; | ||||
| 
 | ||||
|   architect.vhost.${domain} = with config.architect.networks; { | ||||
|  | ||||
| @ -15,16 +15,14 @@ in | ||||
|       devices = { | ||||
|         architect = { address = "100.64.0.1"; hostname = "architect.${domain}"; }; | ||||
|         kmerr = { address = "100.64.0.2"; hostname = "kmerr.${domain}"; }; | ||||
|         parallels = { address = "100.64.0.3"; hostname = "parallels.${domain}"; }; | ||||
|         chuck = { address = "100.64.0.4"; hostname = "chuck.${domain}"; }; | ||||
|         dodino = { address = "100.64.0.5"; hostname = "dodino.${domain}"; }; | ||||
|         manduria = { address = "100.64.0.6"; hostname = "manduria.${domain}"; }; | ||||
|         tommy = { address = "100.64.0.7"; hostname = "tommy.${domain}"; }; | ||||
|         ucsb-workstation = { address = "100.64.0.8"; hostname = "ucsb-workstation.${domain}"; }; | ||||
|         # ucsb-workstation = { address = "100.64.0.8"; hostname = "ucsb-workstation.${domain}"; }; | ||||
|         ucsb-workstation = { address = "100.64.0.10"; hostname = "ucsb-workstation.${domain}"; }; | ||||
|         alfredo = { address = "100.64.0.9"; hostname = "alfredo.${domain}"; }; | ||||
|         appletv = { address = "100.64.0.13"; hostname = "appletv.${domain}"; }; | ||||
|         watkinshouse = { address = "100.64.0.14"; hostname = "watkinshouse.${domain}"; }; | ||||
|         afsun = { address = "100.64.0.15"; hostname = "afsun.${domain}"; }; | ||||
|         parallels = { address = "100.64.0.3"; hostname = "parallels.${domain}"; }; | ||||
|       }; | ||||
|     }; | ||||
|   }; | ||||
|  | ||||
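Review bot: The commented-out `ucsb-workstation` entry at `100.64.0.8` is left directly above the live one at `100.64.0.10` with no explanation, and `parallels` at `100.64.0.3` now sits at the bottom of the list instead of in address order. Either drop the dead line or replace it with a comment such as `# 100.64.0.8 previously ucsb-workstation; left unassigned on purpose` so the gap is understood, and keep the set sorted by address so a duplicate is easy to spot by eye. These addresses are what the headscale `nameservers` and the generated `networking.extraHosts` read through `architect.networks.tailscale.devices`, so an entry here that does not match what headscale actually hands out would silently break name resolution for that host — presumably they are kept in sync by hand, which is worth confirming in a comment at the top of the attrset.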