peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: peperunas:7f2c129ea94d10536c54be39e757ba9cd92e62aa
Branches Tags
peperunas:master
peperunas:nixos-21.11
peperunas:laptopshit
..
compare: peperunas:4dde4f68d8ea0eefc4605c22c22eef3879646c6e
Branches Tags
peperunas:master
peperunas:nixos-21.11
peperunas:laptopshit

No commits in common. "7f2c129ea94d10536c54be39e757ba9cd92e62aa" and "4dde4f68d8ea0eefc4605c22c22eef3879646c6e" have entirely different histories.
7f2c129ea9 ... 4dde4f68d8

30 changed files with 453 additions and 445 deletions
Show Stats Expand all files Collapse all files

42
flake.lock generated
View File

@ -4,51 +4,52 @@
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ],
"utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1685599623, "lastModified": 1681092193,
"narHash": "sha256-Tob4CMOVHue0D3RzguDBCtUmX5ji2PsdbQDbIOIKvsc=", "narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "93db05480c0c0f30382d3e80779e8386dcb4f9dd", "rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "release-23.05", "ref": "release-22.11",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
}, },
"nixos-unstable": { "nixos-unstable": {
"locked": { "locked": {
"lastModified": 1685564631, "lastModified": 1684171979,
"narHash": "sha256-8ywr3AkblY4++3lIVxmrWZFzac7+f32ZEhH/A8pNscI=", "narHash": "sha256-KfIpmlqCCtY/T8mWQOkucv4LrYAgIXho6QJOwl2md3g=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "4f53efe34b3a8877ac923b9350c874e3dcd5dc0a", "rev": "10092e14180fdff037aea3a14ad3faeaf6950ac1",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-unstable", "ref": "master",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1685645444, "lastModified": 1683928319,
"narHash": "sha256-FEuVrowBDU8D+Vt1oqN6j18g/vDvU13WVruTaMjzb8w=", "narHash": "sha256-maz0DRKixJVcNRMiAMWlJniiF8IuQ+WbfmlJJ8D+jfM=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "ce3e618cd3b9792d898b76126c36e6ac50b680e1", "rev": "9656e85a15a0fe67847ee8cdb99a20d8df499962",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "release-23.05", "ref": "nixos-22.11",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -59,6 +60,21 @@
"nixos-unstable": "nixos-unstable", "nixos-unstable": "nixos-unstable",
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
} }
},
"utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

11
flake.nix
View File

@ -1,9 +1,9 @@
{ {
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/release-23.05"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11";
nixos-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; nixos-unstable.url = "github:NixOS/nixpkgs/master";
home-manager = { home-manager = {
url = "github:nix-community/home-manager/release-23.05"; url = "github:nix-community/home-manager/release-22.11";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
}; };
@ -30,11 +30,6 @@
inherit system; inherit system;
config.allowUnfree = true; config.allowUnfree = true;
config.permittedInsecurePackages = [
"openssl-1.1.1t"
"openssl-1.1.1u"
];
}; };
wrapUtils = { pkgs, unstablePkgs, system }: wrapUtils = { pkgs, unstablePkgs, system }:

32
hosts/architect/bazarr.nix
View File

@ -2,25 +2,35 @@
let let
domain = "htbaz.giugl.io"; domain = "htbaz.giugl.io";
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services.bazarr = { services = {
bazarr = {
enable = true; enable = true;
group = "media"; group = "media";
}; };
architect.vhost.${domain} = with config.architect.networks; { nginx.virtualHosts.${domain} = {
dnsInterfaces = [ "wireguard" "tailscale" ]; forceSSL = true;
enableACME = true;
locations."/" = { locations."/" = {
allowLan = true; proxyPass = "http://127.0.0.1:6767";
port = 6767; extraConfig = auth_block {
access_role = "bazarr";
};
};
};
};
allow = [ networking.extraHosts = ''
wireguard.net ${architectInterfaceAddress "lan"} ${domain}
tailscale.net ${architectInterfaceAddress "wireguard"} ${domain}
]; ${architectInterfaceAddress "tailscale"} ${domain}
}; '';
};
users.groups.media.members = [ "bazarr" ]; users.groups.media.members = [ "bazarr" ];
} }

16
hosts/architect/default.nix
View File

@ -30,7 +30,7 @@ in
./minecraft.nix ./minecraft.nix
./prowlarr.nix ./prowlarr.nix
./libreddit.nix ./libreddit.nix
./invidious.nix # ./invidious.nix
# ./lidarr.nix # ./lidarr.nix
# ./navidrome.nix # ./navidrome.nix
./jellyfin.nix ./jellyfin.nix
@ -88,8 +88,6 @@ in
"memmap=32M$0x4ca6f9478" "memmap=32M$0x4ca6f9478"
]; ];
kernelPackages = pkgs.linuxPackages;
kernel.sysctl = { "net.ipv4.ip_forward" = 1; }; kernel.sysctl = { "net.ipv4.ip_forward" = 1; };
loader = { loader = {
@ -102,7 +100,7 @@ in
supportedFilesystems = [ "zfs" ]; supportedFilesystems = [ "zfs" ];
zfs.requestEncryptionCredentials = true; zfs.requestEncryptionCredentials = true;
tmp.tmpfsSize = "50%"; tmpOnTmpfsSize = "50%";
}; };
networking = with config.architect.networks.lan; { networking = with config.architect.networks.lan; {
@ -153,12 +151,8 @@ in
xserver.videoDrivers = [ "nvidia" ]; xserver.videoDrivers = [ "nvidia" ];
openssh = { openssh = {
enable = true; enable = true;
passwordAuthentication = false;
settings = { kbdInteractiveAuthentication = false;
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
extraConfig = '' extraConfig = ''
MaxAuthTries 15 MaxAuthTries 15
''; '';
@ -168,7 +162,7 @@ in
environment = { environment = {
variables = { LIBVA_DRIVER_NAME = "vdpau"; }; variables = { LIBVA_DRIVER_NAME = "vdpau"; };
systemPackages = with pkgs; [ cachix linuxPackages.usbip ]; systemPackages = with pkgs; [ cachix ];
}; };
} }

72
hosts/architect/dns.nix
View File

@ -1,53 +1,53 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
domain = "adguard.architect.devs.giugl.io"; adguard_webui_port = 3031;
adguard_dns_port = "5300";
dnscrypt_listen_port = "5353";
in in
{ {
architect = { architect.firewall.openUDPVPN = [ 53 ];
firewall.openUDPVPN = [ 53 ];
vhost.${domain} = {
dnsInterfaces = [ "lan" "tailscale" "wireguard" ];
locations."/" = with config; {
port = services.adguardhome.settings.bind_port;
allow = with architect.networks; [ lan.net tailscale.net ];
deny = [
architect.networks."lan".devices.router.address
];
};
};
};
services = { services = {
dnsmasq = { dnsmasq = {
enable = true; enable = true;
settings = { # adguard port
server = [ "127.0.0.1#${toString config.services.adguardhome.settings.dns.port}" ]; servers = [ "127.0.0.1#${adguard_dns_port}" ];
localise-queries = true; extraConfig = ''
min-cache-ttl = 120; localise-queries
max-cache-ttl = 2400; min-cache-ttl=120
domain = [ max-cache-ttl=2400
"runas.rocks"
"giugl.io" domain=runas.rocks
"devs.runas.rocks" domain=giugl.io
"devs.giugl.io" domain=devs.runas.rocks
]; domain=devs.giugl.io
}; '';
}; };
adguardhome = { adguardhome = {
enable = true; enable = true;
settings = { port = adguard_webui_port;
bind_port = 5353;
dns = {
port = 5300;
}; };
upstream_dns = [
"tls://architect.d65174.dns.nextdns.io" dnscrypt-proxy2 = {
"https://dns.nextdns.io/d65174/architect" enable = true;
]; settings = {
listen_addresses = [ "127.0.0.1:${dnscrypt_listen_port}" ];
ipv4_servers = true;
ipv6_servers = false;
block_ipv6 = true;
dnscrypt_servers = true;
doh_servers = true;
require_nolog = true;
require_nofilter = true;
timeout = 350;
lb_strategy = "p4";
lb_estimator = true;
ignore_system_dns = true;
fallback_resolvers = [ "1.1.1.1:53" "9.9.9.9:53" ];
cache_min_ttl = 450;
cache_max_ttl = 2400;
}; };
}; };
}; };

8
hosts/architect/docker.nix
View File

@ -6,18 +6,12 @@
net = "172.17.0.0/16"; net = "172.17.0.0/16";
}; };
virtualisation = { virtualisation.docker = {
oci-containers.backend = "docker";
docker = {
enable = true; enable = true;
extraOptions = '' extraOptions = ''
--dns 127.0.0.1 --dns ${config.architect.networks.lan.devices.architect.address} --data-root /docker --dns 127.0.0.1 --dns ${config.architect.networks.lan.devices.architect.address} --data-root /docker
''; '';
enableOnBoot = false; enableOnBoot = false;
daemon.settings.iptables = false;
}; };
};
users.users.giulio.extraGroups = [ "docker" ]; users.users.giulio.extraGroups = [ "docker" ];
} }

5
hosts/architect/firewall.nix
View File

@ -54,9 +54,6 @@ in
} }
table ip nat { table ip nat {
chain DOCKER {
type nat hook prerouting priority dstnat; policy accept;
}
chain PREROUTING { chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept; type nat hook prerouting priority dstnat; policy accept;
} }
@ -145,7 +142,6 @@ in
ip daddr 255.255.255.255 accept comment "allow broadcast traffic" ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
ip saddr ${lan.net} accept comment "lan > local" ip saddr ${lan.net} accept comment "lan > local"
iifname ${docker.interface} accept
ip saddr ${tailscale.net} accept comment "tailscale > local" ip saddr ${tailscale.net} accept comment "tailscale > local"
ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local" ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
@ -155,6 +151,7 @@ in
iifname ${wireguard.interface} udp dport {${openUDPVPN}} accept iifname ${wireguard.interface} udp dport {${openUDPVPN}} accept
iifname ${wireguard.interface} icmp type echo-request accept iifname ${wireguard.interface} icmp type echo-request accept
iifname ${docker.interface} udp dport 53 accept
jump filter_drop jump filter_drop
} }

35
hosts/architect/gitea.nix
View File

@ -2,30 +2,41 @@
let let
domain = "git.giugl.io"; domain = "git.giugl.io";
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
architect = { architect.firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ];
firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ];
vhost.${domain} = {
dnsInterfaces = [ "lan" "tailscale" "wireguard" ];
locations."/".port = config.services.gitea.settings.server.HTTP_PORT;
};
};
services.gitea = { services.gitea = {
enable = true; enable = true;
database.type = "sqlite3"; database.type = "sqlite3";
domain = domain;
appName = "Gitea"; appName = "Gitea";
# https://github.com/NixOS/nixpkgs/issues/235442#issuecomment-1574329453 rootUrl = "https://${domain}";
lfs.enable = true;
settings = { settings = {
server = { server = {
DOMAIN = domain; LFS_START_SERVER = true;
ROOT_URL = "https://${domain}";
SSH_PORT = 22; SSH_PORT = 22;
HTTP_PORT = 3001;
}; };
openid.enable_openid_signin = true; openid.enable_openid_signin = true;
}; };
}; };
services.nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
# it does not work, it breaks gitea's web portal
# extraConfig = auth_block { access_role = "git"; };
};
};
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
} }

7
hosts/architect/headscale.nix
View File

@ -8,16 +8,17 @@ in
openUDP = [ config.services.tailscale.port ]; openUDP = [ config.services.tailscale.port ];
}; };
environment.systemPackages = [ pkgs.unstablePkgs.headscale ];
services = { services = {
headscale = { headscale = {
enable = true; enable = true;
package = pkgs.unstablePkgs.headscale; package = pkgs.unstablePkgs.headscale;
port = 1194; port = 1194;
address = "0.0.0.0"; address = "0.0.0.0";
serverUrl = "https://${domain}";
logLevel = "debug";
settings = { settings = {
server_url = "https://${domain}";
log.level = "debug";
dns_config = { dns_config = {
magic_dns = true; magic_dns = true;
base_domain = "giugl.io"; base_domain = "giugl.io";

15
hosts/architect/invidious.nix
View File

@ -1,28 +1,27 @@
{ config, lib, pkgs, ... }: { lib, pkgs, ... }:
let let
domain = "tube.giugl.io"; domain = "tube.giugl.io";
network = import ./network.nix;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
invidious = { invidious = {
enable = true; enable = true;
port = 9092;
package = pkgs.unstablePkgs.invidious; package = pkgs.unstablePkgs.invidious;
}; };
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.invidious.port}"; }; locations."/" = { proxyPass = "http://127.0.0.1:9092"; };
}; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${network.architect-lan} ${domain}
${architectInterfaceAddress "wireguard"} ${domain} ${network.architect-wg} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${network.architect-ts} ${domain}
''; '';
} }

63
hosts/architect/jellyfin.nix
View File

@ -3,42 +3,53 @@
let let
domain = "media.giugl.io"; domain = "media.giugl.io";
port = 8096; port = 8096;
allowLan = true;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
# needed since StateDirectory does not accept symlinks # needed since StateDirectory does not accept symlinks
systemd.services.jellyfin.serviceConfig.StateDirectory = lib.mkForce ""; systemd.services.jellyfin.serviceConfig.StateDirectory = lib.mkForce "";
architect.vhost.${domain} = with config.architect.networks; { services = {
dnsInterfaces = [ "lan" "wireguard" "tailscale" ]; jellyfin = {
locations = {
"/" = {
inherit port allowLan;
allow = [
wireguard.net
tailscale.net
];
};
"/socket" = {
inherit port allowLan;
proxyWebsockets = true;
allow = [
wireguard.net
tailscale.net
];
};
};
};
services.jellyfin = {
enable = true; enable = true;
group = "media"; group = "media";
package = pkgs.unstablePkgs.jellyfin; package = pkgs.unstablePkgs.jellyfin;
}; };
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
extraConfig = ''
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
allow ${config.architect.networks.lan.net};
allow ${config.architect.networks.tailscale.net};
deny all;
'';
locations."/" = {
proxyPass = "http://127.0.0.1:${toString port}";
};
locations."/socket" = {
proxyPass = "http://127.0.0.1:${toString port}";
proxyWebsockets = true;
};
};
};
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
users.groups = { users.groups = {
media.members = [ "jellyfin" ]; media.members = [ "jellyfin" ];
video.members = [ "jellyfin" ]; video.members = [ "jellyfin" ];

7
hosts/architect/minio.nix
View File

@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { config, lib, ... }:
let let
domain = "s3.giugl.io"; domain = "s3.giugl.io";
@ -8,10 +8,7 @@ let
in in
{ {
services = { services = {
minio = { minio.enable = true;
enable = true;
package = pkgs.minio_legacy_fs;
};
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;

66
hosts/architect/network.nix Normal file
View File

@ -0,0 +1,66 @@
rec {
# interfaces
wan-if = "enp5s0";
vpn-if = "wg0";
proxy-if = "proxy";
docker-if = "docker0";
tailscale-if = "ts0";
# nets
lan-net = "10.0.0.0/24";
vpn-net = "10.3.0.0/24";
external_lan-net = "192.168.1.0/24";
docker-net = "172.17.0.0/16";
# tailscale-net = "100.64.0.0/10";
tailscale-net = "10.4.0.0/24";
# ips
router-lan = "10.0.0.1";
dvr-lan = "10.0.0.2";
nas-lan = "10.0.0.3";
architect-lan = "10.0.0.250";
architect-wg = "10.3.0.1";
manduria-wg = "10.3.0.5";
antonio-wg = "10.3.0.6";
gbeast-wg = "10.3.0.7";
shield-wg = "10.3.0.12";
salvatore-wg = "10.3.0.16";
papa-wg = "10.3.0.17";
defy-wg = "10.3.0.18";
germano-wg = "10.3.0.19";
flavio-wg = "10.3.0.20";
tommy-wg = "10.3.0.21";
alain-wg = "10.3.0.22";
dima-wg = "10.3.0.23";
mikey-wg = "10.3.0.24";
andrew-wg = "10.3.0.25";
mikeylaptop-wg = "10.3.0.26";
andrewdesktop-wg = "10.3.0.27";
jacopo-wg = "10.3.0.28";
frznn-wg = "10.3.0.29";
ludo-wg = "10.3.0.30";
parina-wg = "10.3.0.31";
nilo-wg = "10.3.0.32";
parina-ipad-wg = "10.3.0.33";
kclvm-wg = "10.3.0.34";
framecca-wg = "10.3.0.35";
framecca_one-wg = "10.3.0.36";
framecca_two-wg = "10.3.0.37";
framecca_three-wg = "10.3.0.38";
framecca_four-wg = "10.3.0.39";
giuliophone-ts = "100.68.68.46";
# architect-ts = "100.67.205.28";
architect-ts = "10.4.0.2";
giuliopc-ts = "100.124.78.64";
dodino-ts = "100.106.244.35";
framecca-devices = [ framecca-wg framecca_one-wg framecca_three-wg framecca_four-wg ];
c2c-wg = framecca-devices;
# groups
gdevices = [ giuliophone-ts architect-ts giuliopc-ts dodino-ts ];
towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg ] ++ framecca-devices;
}

12
hosts/architect/nextcloud.nix
View File

@ -16,7 +16,7 @@ in
mysql = { mysql = {
enable = true; enable = true;
package = pkgs.mariadb; package = pkgs.unstablePkgs.mysql80;
}; };
redis = { redis = {
@ -33,7 +33,6 @@ in
https = true; https = true;
package = pkgs.unstablePkgs.nextcloud26; package = pkgs.unstablePkgs.nextcloud26;
datadir = "/services/nextcloud"; datadir = "/services/nextcloud";
configureRedis = true;
caching = { caching = {
redis = true; redis = true;
}; };
@ -41,16 +40,15 @@ in
autoUpdateApps.enable = true; autoUpdateApps.enable = true;
autoUpdateApps.startAt = "05:00:00"; autoUpdateApps.startAt = "05:00:00";
maxUploadSize = "50G";
config = { config = {
overwriteProtocol = "https"; overwriteProtocol = "https";
dbtype = "mysql"; dbtype = "mysql";
dbuser = "nextcloud"; dbuser = "oc_giulio2";
dbhost = "localhost"; dbhost = "localhost";
dbname = "nextcloud"; dbname = "nextcloud_final";
dbpassFile = "/secrets/nextcloud/dbpass.txt"; dbpassFile = "/secrets/nextcloud/dbpass.txt";
adminpassFile = "/secrets/nextcloud/dbpass.txt"; adminpassFile = "/secrets/nextcloud/adminpass.txt";
adminuser = "giulio";
extraTrustedDomains = [ "${domain}" ]; extraTrustedDomains = [ "${domain}" ];
}; };
}; };

92
hosts/architect/nginx.nix
View File

@ -8,7 +8,7 @@
services.nginx = { services.nginx = {
enable = true; enable = true;
package = pkgs.nginx; package = pkgs.openresty;
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedProxySettings = true; recommendedProxySettings = true;
@ -32,59 +32,59 @@
}; };
}; };
# appendHttpConfig = appendHttpConfig =
# let let
# extraPureLuaPackages = with pkgs.luajitPackages; [ extraPureLuaPackages = with pkgs.luajitPackages; [
# lua-resty-openidc lua-resty-openidc
# lua-resty-http lua-resty-http
# lua-resty-session lua-resty-session
# lua-resty-jwt lua-resty-jwt
# lua-resty-openssl lua-resty-openssl
# ]; ];
# luaPath = pkg: "${pkg}/share/lua/5.1/?.lua"; luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
# makeLuaPath = lib.concatMapStringsSep ";" luaPath; makeLuaPath = lib.concatMapStringsSep ";" luaPath;
# in in
# '' ''
# # https://stackoverflow.com/questions/38931468/nginx-reverse-proxy-error14077438ssl-ssl-do-handshake-failed # https://stackoverflow.com/questions/38931468/nginx-reverse-proxy-error14077438ssl-ssl-do-handshake-failed
# proxy_ssl_server_name on; proxy_ssl_server_name on;
# lua_package_path '${makeLuaPath extraPureLuaPackages};;'; lua_package_path '${makeLuaPath extraPureLuaPackages};;';
# lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
# lua_ssl_verify_depth 5; lua_ssl_verify_depth 5;
# # cache for OIDC discovery metadata # cache for OIDC discovery metadata
# lua_shared_dict discovery 1m; lua_shared_dict discovery 1m;
# lua_shared_dict jwks 1m; lua_shared_dict jwks 1m;
# # https://github.com/openresty/lua-resty-redis/issues/159 # https://github.com/openresty/lua-resty-redis/issues/159
# resolver local=on ipv6=off; resolver local=on ipv6=off;
# init_worker_by_lua_block { init_worker_by_lua_block {
# function check_role (res, role) function check_role (res, role)
# if res.user.roles == nil then if res.user.roles == nil then
# return false return false
# end end
# for _,v in pairs(res.user.roles) do for _,v in pairs(res.user.roles) do
# if string.lower(v) == role then if string.lower(v) == role then
# return true return true
# end end
# end end
# return false return false
# end end
# function is_ip_whitelisted(ip, whitelist) function is_ip_whitelisted(ip, whitelist)
# for _, x in ipairs(whitelist) do for _, x in ipairs(whitelist) do
# if ip == x then if ip == x then
# return true return true
# end end
# end end
# return false return false
# end end
# } }
# ''; '';
appendConfig = '' appendConfig = ''
worker_processes 24; worker_processes 24;

26
hosts/architect/nzbget.nix
View File

@ -2,21 +2,35 @@
let let
domain = "htnzb.giugl.io"; domain = "htnzb.giugl.io";
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services.nzbget = { services = {
nzbget = {
enable = true; enable = true;
group = "media"; group = "media";
}; };
architect.vhost.${domain} = { nginx.virtualHosts.${domain} = {
dnsInterfaces = [ "tailscale" "wireguard" "lan" ]; forceSSL = true;
enableACME = true;
locations."/" = { locations."/" = {
port = 6789; proxyPass = "http://127.0.0.1:6789";
allowLan = true; extraConfig = auth_block {
access_role = "nzbget";
}; };
}; };
};
};
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
users.groups.media.members = [ "nzbget" ]; users.groups.media.members = [ "nzbget" ];
} }

82
hosts/architect/openid.nix
View File

@ -3,48 +3,46 @@
{ {
openresty_oidc_block = openresty_oidc_block =
{ access_role ? "", whitelisted_ips ? [ ] }: '' { access_role ? "", whitelisted_ips ? [ ] }: ''
access_by_lua_block {
local opts = {
discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
client_id = "nginx",
client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8",
logout_path = "/logout",
redirect_after_logout_uri = "/",
redirect_uri = "/redirect_uri",
keepalive = "yes",
accept_none_alg = true,
revoke_tokens_on_logout = true,
-- access token valid for a day
access_token_expires_in = 86400
}
${lib.optionalString (whitelisted_ips != []) ''
local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}
if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
return
end
''}
-- call introspect for OAuth 2.0 Bearer Access Token validation
local res, err = require("resty.openidc").authenticate(opts)
if err then
ngx.status = 403
ngx.say(err)
ngx.exit(ngx.HTTP_FORBIDDEN)
end
${lib.optionalString (access_role != "") ''
if not check_role(res, "${access_role}") then
ngx.status = 401
ngx.header.content_type = 'text/html';
ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
''}
}
''; '';
# access_by_lua_block {
# local opts = {
# discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
# client_id = "nginx",
# client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8",
# logout_path = "/logout",
# redirect_after_logout_uri = "/",
# redirect_uri = "/redirect_uri",
# keepalive = "yes",
# accept_none_alg = true,
# revoke_tokens_on_logout = true,
# -- access token valid for a day
# access_token_expires_in = 86400
# }
# ${lib.optionalString (whitelisted_ips != []) ''
# local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}
# if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
# return
# end
# ''}
# -- call introspect for OAuth 2.0 Bearer Access Token validation
# local res, err = require("resty.openidc").authenticate(opts)
# if err then
# ngx.status = 403
# ngx.say(err)
# ngx.exit(ngx.HTTP_FORBIDDEN)
# end
# ${lib.optionalString (access_role != "") ''
# if not check_role(res, "${access_role}") then
# ngx.status = 401
# ngx.header.content_type = 'text/html';
# ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
# ngx.exit(ngx.HTTP_UNAUTHORIZED)
# end
# ''}
# }
# '';
} }

94
hosts/architect/options.nix
View File

@ -2,10 +2,6 @@
with lib; with lib;
let
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in
{ {
options.architect = { options.architect = {
firewall = { firewall = {
@ -62,95 +58,5 @@ in
default = { }; default = { };
description = "An attribute set of networks with their configurations."; description = "An attribute set of networks with their configurations.";
}; };
vhost = mkOption {
type = types.attrsOf (types.submodule {
options = {
dnsInterfaces = mkOption {
type = types.listOf types.str;
default = [ ];
description = "List of interfaces to add extra DNS hosts for this vhost.";
};
locations = mkOption {
type = types.attrsOf (types.submodule {
options = {
extraConfig = mkOption {
type = types.str;
description = "Extra configuration for the location.";
default = "";
};
allowLan = mkOption {
type = types.bool;
default = false;
};
proxyWebsockets = mkOption {
type = types.bool;
default = false;
};
host = mkOption {
type = types.str;
description = "The host for the location.";
default = "127.0.0.1";
};
port = mkOption {
type = types.int;
description = "The port number for the location.";
};
allow = mkOption {
type = types.listOf types.str;
default = [ ];
description = "IP address or CIDR block to allow.";
};
deny = mkOption {
type = types.listOf types.str;
default = [ ];
description = "IP address or CIDR block to deny.";
};
};
});
default = { };
description = "An attribute set of location configurations.";
};
};
});
default = { };
description = "An attribute set of domain configurations.";
};
};
config = {
services.nginx.virtualHosts = mapAttrs
(domain: conf: {
forceSSL = true;
enableACME = true;
locations = mapAttrs
(path: location: {
proxyPass = "http://${location.host}:${toString location.port}";
proxyWebsockets = location.proxyWebsockets;
extraConfig = ''
${optionalString location.allowLan "deny 10.0.0.1;"}
${concatMapStringsSep "\n" (denyCIDR: "deny ${denyCIDR};") location.deny}
${concatMapStringsSep "\n" (allowCIDR: "allow ${allowCIDR};") location.allow}
${optionalString location.allowLan ''allow ${config.architect.networks."lan".net};''}
'' + location.extraConfig;
})
conf.locations;
})
config.architect.vhost;
networking.extraHosts = concatStringsSep "\n" (
mapAttrsToList
(domain: conf: concatMapStringsSep "\n"
(iface: "${architectInterfaceAddress iface} ${domain}")
conf.dnsInterfaces)
config.architect.vhost
);
}; };
} }

37
hosts/architect/photoprism.nix
View File

@ -1,37 +0,0 @@
{ config, pkgs, lib, ... }:
let
domain = "photos.giugl.io";
in
{
services.photoprism = {
enable = true;
package = pkgs.photoprism;
originalsPath = "/var/lib/private/photoprism/originals";
address = "0.0.0.0";
settings = {
PHOTOPRISM_DEFAULT_LOCALE = "en";
PHOTOPRISM_DATABASE_DRIVER = "mysql";
PHOTOPRISM_DATABASE_NAME = "photoprism";
PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock";
PHOTOPRISM_DATABASE_USER = "photoprism";
PHOTOPRISM_SITE_URL = "https://${domain}";
PHOTOPRISM_SITE_TITLE = "PePrism";
PHOTOPRISM_FFMPEG_ENCODER = "nvidia";
PHOTOPRISM_INIT = "tensorflow";
NVIDIA_VISIBLE_DEVICES = "all";
NVIDIA_DRIVER_CAPABILITIES = "compute,video,utility";
PHOTOPRISM_FFMPEG_BIN = "${pkgs.ffmpeg}/bin/ffmpeg";
};
};
architect.vhost.${domain} = {
dnsInterfaces = [ "tailscale" "lan" ];
locations."/" = {
port = config.services.photoprism.port;
allowLan = true;
allow = [ config.architect.networks."tailscale".net ];
proxyWebsockets = true;
};
};
}

35
hosts/architect/prowlarr.nix
View File

@ -2,18 +2,41 @@
let let
domain = "htpro.giugl.io"; domain = "htpro.giugl.io";
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services.prowlarr.enable = true; services = {
prowlarr.enable = true;
architect.vhost.${domain} = {
dnsInterfaces = [ "tailscale" "wireguard" ];
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = { locations."/" = {
port = 9696; proxyPass = "http://127.0.0.1:9696";
allowLan = true; extraConfig = ''
allow ${config.architect.networks.lan.net};
allow ${config.architect.networks.tailscale.net};
deny all;
'';
};
# locations."/api" = {
# proxyPass = "http://127.0.0.1:9696/prowlarr/api";
# };
#
# locations."/Content" = {
# proxyPass = "http://127.0.0.1:9696/prowlarr/Content";
# };
}; };
}; };
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
users.groups.media.members = [ "prowlarr" ]; users.groups.media.members = [ "prowlarr" ];
} }

33
hosts/architect/radarr.nix
View File

@ -2,25 +2,36 @@
let let
domain = "htrad.giugl.io"; domain = "htrad.giugl.io";
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services.radarr = { services = {
radarr = {
enable = true; enable = true;
group = "media"; group = "media";
}; };
architect.vhost.${domain} = with config.architect.networks; { nginx.virtualHosts.${domain} = {
dnsInterfaces = [ "wireguard" "tailscale" ]; forceSSL = true;
enableACME = true;
locations."/" = { locations."/" = {
port = 7878; proxyPass = "http://127.0.0.1:7878";
allowLan = true; extraConfig = auth_block {
access_role = "radarr";
};
};
};
};
allow = [
wireguard.net networking.extraHosts = ''
tailscale.net ${architectInterfaceAddress "lan"} ${domain}
]; ${architectInterfaceAddress "wireguard"} ${domain}
}; ${architectInterfaceAddress "tailscale"} ${domain}
}; '';
users.groups.media.members = [ "radarr" ]; users.groups.media.members = [ "radarr" ];
} }

26
hosts/architect/sonarr.nix
View File

@ -2,21 +2,35 @@
let let
domain = "htson.giugl.io"; domain = "htson.giugl.io";
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services.sonarr = { services = {
sonarr = {
enable = true; enable = true;
group = "media"; group = "media";
}; };
architect.vhost.${domain} = { nginx.virtualHosts.${domain} = {
dnsInterfaces = [ "tailscale" "wireguard" ]; forceSSL = true;
enableACME = true;
locations."/" = { locations."/" = {
port = 6969; proxyPass = "http://127.0.0.1:8989";
allowLan = true; extraConfig = auth_block {
access_role = "sonarr";
}; };
}; };
};
};
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
users.groups.media.members = [ "sonarr" ]; users.groups.media.members = [ "sonarr" ];
} }

1
hosts/architect/tailscale.nix
View File

@ -21,7 +21,6 @@ in
tommy = { address = "100.64.0.7"; hostname = "tommy.${domain}"; }; tommy = { address = "100.64.0.7"; hostname = "tommy.${domain}"; };
ucsb-workstation = { address = "100.64.0.8"; hostname = "ucsb-workstation.${domain}"; }; ucsb-workstation = { address = "100.64.0.8"; hostname = "ucsb-workstation.${domain}"; };
alfredo = { address = "100.64.0.9"; hostname = "alfredo.${domain}"; }; alfredo = { address = "100.64.0.9"; hostname = "alfredo.${domain}"; };
parallels = { address = "100.64.0.3"; hostname = "parallels.${domain}"; };
}; };
}; };
}; };

11
lib/host.nix
View File

@ -27,20 +27,21 @@
modules = [ modules = [
{ {
imports = users_mod ++ imports = users_mod ++ roles_mod ++ add_imports ++ [
roles_mod ++
add_imports ++ [
(mkSysRole "common") (mkSysRole "common")
(mkSysRole "acme") (mkSysRole "acme")
(mkUser { name = "root"; roles = [ ]; })
]; ];
home-manager = { home-manager = {
users.root.imports = [ (mkHomeRole "common") ];
extraSpecialArgs.unstablePkgs = unstablePkgs; extraSpecialArgs.unstablePkgs = unstablePkgs;
useGlobalPkgs = true; useGlobalPkgs = true;
}; };
system.stateVersion = "23.05"; system.stateVersion = "22.11";
environment.shells = [ pkgs.zsh ];
users.defaultUserShell = pkgs.zsh;
} }
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager

16
lib/user.nix
View File

@ -6,26 +6,20 @@
roles_mod = (map (r: mkHomeRole r) roles); roles_mod = (map (r: mkHomeRole r) roles);
in in
{ {
users.groups.plugdev = { };
fileSystems."/home/${name}/Downloads" = { fileSystems."/home/${name}/Downloads" = {
device = "tmpfs"; device = "tmpfs";
fsType = "tmpfs"; fsType = "tmpfs";
options = [ "size=3G" ]; options = [ "size=3G" ];
}; };
users = { users.users.${name} = {
users.${name} = { isNormalUser = true;
isNormalUser = name != "root";
extraGroups = [ "wheel" "plugdev" ]; extraGroups = [ "wheel" "plugdev" ];
shell = pkgs.zsh;
};
}; };
programs.zsh.enable = true; home-manager.users.${name}.imports = [ (mkHomeRole "common") ] ++ roles_mod;
home-manager.users.${name}.imports = [
(mkHomeRole "common")
(mkHomeRole "zsh")
] ++ roles_mod;
}; };
mkHMUser = { name, roles ? [ ] }: mkHMUser = { name, roles ? [ ] }:

6
roles/acme.nix
View File

@ -1,10 +1,10 @@
{ options, lib, config, ... }: { ... }:
{ {
config.security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults = { defaults = {
email = "letsencrypt@depasquale.giugl.io"; email = "sysadmin@giugl.io";
}; };
}; };
} }

6
roles/common.nix
View File

@ -1,9 +1,7 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
boot.tmp = { boot.tmpOnTmpfs = true;
useTmpfs = true;
};
console = { console = {
keyMap = "us"; keyMap = "us";
@ -43,6 +41,7 @@
glances glances
tcpdump tcpdump
restic restic
neovim
tmux tmux
parted parted
unzip unzip
@ -51,6 +50,5 @@
nmap nmap
ripgrep ripgrep
jq jq
helix
]; ];
} }

3
roles/home/common.nix
View File

@ -11,10 +11,9 @@
home-manager home-manager
ripgrep ripgrep
ydiff ydiff
nix-index
] ]
++ lib.optional (!stdenv.isDarwin) pastebinit; ++ lib.optional (!stdenv.isDarwin) pastebinit;
stateVersion = "23.05"; stateVersion = "22.11";
}; };
} }

1
roles/home/helix.nix
View File

@ -118,6 +118,7 @@
nodePackages.vscode-langservers-extracted nodePackages.vscode-langservers-extracted
nodePackages.typescript nodePackages.typescript
nodePackages.svelte-language-server nodePackages.svelte-language-server
swiProlog
nixpkgs-fmt nixpkgs-fmt
]; ];
}; };

2
roles/home/zsh.nix
View File

@ -14,8 +14,6 @@
initExtra = '' initExtra = ''
any-nix-shell zsh --info-right | source /dev/stdin any-nix-shell zsh --info-right | source /dev/stdin
source ${pkgs.nix-index}/etc/profile.d/command-not-found.sh
''; '';
}; };
} }