Compare commits


No commits in common. "9bf85c00cf2fbe967f7836532b5e1b6408359c5e" and "d3255fdb474611c098308a119c6dcf4a36bd7502" have entirely different histories.

31 changed files with 297 additions and 513 deletions

flake.lock generated

@ -24,11 +24,11 @@
}, },
"nixos-unstable": { "nixos-unstable": {
"locked": { "locked": {
"lastModified": 1683893492, "lastModified": 1682915526,
"narHash": "sha256-9sINNV7J26/afioFhS0vGrZ2zQHg1eBWE3lesBedyhI=", "narHash": "sha256-j6JZH9MNQfPZ6Fm+LAGJjHLFT26WUB7scB9hNJiBhbA=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "0ad4e41995ef6566cdd8477c132884411b7399a2", "rev": "d46737f11841872e7980b1550511802db85c52b8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -40,11 +40,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1683627095, "lastModified": 1682817260,
"narHash": "sha256-8u9SejRpL2TrMuHBdhYh4FKc1OGPDLyWTpIbNTtoHsA=", "narHash": "sha256-kFMXzKNj4d/0Iqbm5l57rHSLyUeyCLMuvlROZIuuhvk=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a08e061a4ee8329747d54ddf1566d34c55c895eb", "rev": "db1e4eeb0f9a9028bcb920e00abbc1409dd3ef36",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -1,11 +1,9 @@
{ config, lib, ... }: { lib, ... }:
let let
domain = "htbaz.giugl.io"; domain = "htbaz.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -27,9 +25,9 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${network.architect-lan} ${domain}
${architectInterfaceAddress "wireguard"} ${domain} ${network.architect-wg} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${network.architect-ts} ${domain}
''; '';
users.groups.media.members = [ "bazarr" ]; users.groups.media.members = [ "bazarr" ];


@ -1,11 +1,9 @@
{ config, lib, ... }: { lib, ... }:
let let
domain = "books.giugl.io"; domain = "books.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -31,9 +29,9 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${network.architect-lan} ${domain}
${architectInterfaceAddress "wireguard"} ${domain} ${network.architect-wg} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${network.architect-ts} ${domain}
''; '';
users.groups.media.members = [ "calibre-web" ]; users.groups.media.members = [ "calibre-web" ];


@ -1,13 +1,11 @@
{ config, pkgs, lib, ... }: { config, pkgs, ... }:
let let
pubkeys = [ pubkeys = [
"ssh-rsa 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 giulio@giulio-X230" "ssh-rsa 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 giulio@giulio-X230"
]; ];
domain = "devs.giugl.io"; hostname = "architect";
network = import ./network.nix;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) generateDeviceStrings;
in in
{ {
imports = [ imports = [
@ -43,28 +41,8 @@ in
./tailscale.nix ./tailscale.nix
# ./searx.nix # ./searx.nix
./plex.nix ./plex.nix
./headscale.nix
]; ];
architect = {
networks.lan = {
interface = "enp5s0";
net = "10.0.0.0/24";
devices = {
vodafoneStation = { address = "192.168.1.1"; hostname = "vodafone.station"; };
architect = { address = "10.0.0.250"; hostname = "architect.${domain}"; };
router = { address = "10.0.0.1"; hostname = "router.${domain}"; };
dvr = { address = "10.0.0.3"; hostname = "dvr.${domain}"; };
};
};
firewall = {
openTCP = [ 22 ];
openTCPVPN = [ 22 ];
};
};
time.timeZone = "Europe/Rome"; time.timeZone = "Europe/Rome";
users.users.giulio.openssh.authorizedKeys.keys = pubkeys; users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
boot = { boot = {
@ -81,8 +59,8 @@ in
}; };
}; };
kernelParams = with config.architect.networks.lan; [ kernelParams = [
"ip=${devices.architect.address}::${devices.router.address}:255.255.255.0::${interface}:off" "ip=${network.architect-lan}::10.0.0.1:255.255.255.0::${network.wan-if}:off"
"nvme_core.default_ps_max_latency_us=5500" "nvme_core.default_ps_max_latency_us=5500"
"zfs_arc_max=1073741824" "zfs_arc_max=1073741824"
"memmap=32M$0x4ca6f9478" "memmap=32M$0x4ca6f9478"
@ -103,20 +81,30 @@ in
tmpOnTmpfsSize = "50%"; tmpOnTmpfsSize = "50%";
}; };
networking = with config.architect.networks.lan; { networking = {
hostName = "architect"; hostName = hostname;
hostId = "49350853"; hostId = "49350853";
useDHCP = false; useDHCP = false;
defaultGateway = devices.router.address; defaultGateway = "10.0.0.1";
interfaces = { interfaces = {
${interface}.ipv4.addresses = [{ enp5s0.ipv4.addresses = [{
address = devices.architect.address; address = network.architect-lan;
prefixLength = 24; prefixLength = 24;
}]; }];
enp6s0.useDHCP = false; enp6s0.useDHCP = false;
wlp4s0.useDHCP = false; wlp4s0.useDHCP = false;
}; };
extraHosts = (generateDeviceStrings config.architect.networks.lan.devices) + '' extraHosts = ''
127.0.0.1 ${hostname}.devs.giugl.io localhost
# LAN
${network.architect-lan} ${hostname}.devs.giugl.io
${network.dvr-lan} dvr.devs.giugl.io
${network.nas-lan} nas.devs.giugl.io
${network.router-lan} router-manduria.devs.giugl.io
192.168.1.1 vodafone.station
# Blacklist # Blacklist
0.0.0.0 metrics.plex.tv 0.0.0.0 metrics.plex.tv
0.0.0.0 analytics.plex.tv 0.0.0.0 analytics.plex.tv
@ -143,6 +131,11 @@ in
driSupport = true; driSupport = true;
}; };
architect.firewall = {
openTCP = [ 22 ];
openTCPVPN = [ 22 ];
};
services = { services = {
fwupd.enable = true; fwupd.enable = true;
das_watchdog.enable = true; das_watchdog.enable = true;
@ -164,4 +157,3 @@ in
systemPackages = with pkgs; [ cachix ]; systemPackages = with pkgs; [ cachix ];
}; };
} }
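Review bot: The new kernelParams entry `"ip=${network.architect-lan}::10.0.0.1:255.255.255.0::${network.wan-if}:off"` and `defaultGateway = "10.0.0.1"` spell the router as a literal even though network.nix already defines `router-lan = "10.0.0.1"`, and the interface is `network.wan-if` in the `ip=` parameter but the literal `enp5s0` in `networking.interfaces`. If either value is changed in network.nix the initrd network and the running system will quietly disagree. I'd write `defaultGateway = network.router-lan;`, `"ip=${network.architect-lan}::${network.router-lan}:255.255.255.0::${network.wan-if}:off"` and `${network.wan-if}.ipv4.addresses = [{ ... }];` so all three come from one place. The `boot` and `networking` attribute sets both start outside the hunks shown here.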


@ -2,10 +2,8 @@
let let
domain = "htdel.giugl.io"; domain = "htdel.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
listenPorts = [ 51413 51414 ]; listenPorts = [ 51413 51414 ];
in in
@ -56,9 +54,9 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${network.architect-lan} ${domain}
${architectInterfaceAddress "wireguard"} ${domain} ${network.architect-wg} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${network.architect-ts} ${domain}
''; '';
users.groups.media.members = [ "deluge" ]; users.groups.media.members = [ "deluge" ];


@ -1,15 +1,8 @@
{ config, ... }:
{ {
architect.networks.docker = {
interface = "docker0";
net = "172.17.0.0/16";
};
virtualisation.docker = { virtualisation.docker = {
enable = true; enable = true;
extraOptions = '' extraOptions = ''
--dns 127.0.0.1 --dns ${config.architect.networks.lan.devices.architect.address} --data-root /docker --dns 127.0.0.1 --dns 10.0.0.250 --data-root /docker
''; '';
enableOnBoot = false; enableOnBoot = false;
}; };
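Review bot: `--dns 127.0.0.1` in the new extraOptions is interpreted inside each container's network namespace, where 127.0.0.1 is the container's own loopback rather than the host resolver, so lookups presumably fall through to the second entry, and that entry is the host's LAN address written as the literal `10.0.0.250` instead of the `network.architect-lan` used everywhere else in this change. A typo here or a change of the host address in network.nix would leave containers without DNS with no evaluation error (the `docker-if udp dport 53 accept` rule in firewall.nix only helps if the address matches). I'd bind it: `{ ... }: let network = import ./network.nix; in {` and `--dns ${network.architect-lan} --data-root /docker`, keeping the loopback entry only if a comment explains what it is for.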


@ -1,14 +1,9 @@
{ config, pkgs, ... }: { config, pkgs, ... }: {
{
services.fail2ban = { services.fail2ban = {
enable = true; enable = true;
package = pkgs.fail2ban; package = pkgs.fail2ban;
packageFirewall = pkgs.nftables; packageFirewall = pkgs.nftables;
bantime-increment.enable = true; bantime-increment.enable = true;
ignoreIP = [ ignoreIP = [ "10.0.0.0/24" "10.3.0.0/24" ];
config.architect.networks.lan.net
config.architect.networks.tailscale.net
];
}; };
} }
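Review bot: `ignoreIP = [ "10.0.0.0/24" "10.3.0.0/24" ]` repeats the LAN and WireGuard prefixes as literals while network.nix already names them `lan-net` and `vpn-net` (both are used by firewall.nix in this same change); `ignoreIP = with import ./network.nix; [ lan-net vpn-net ];` keeps the exemption list from drifting away from what the firewall treats as those networks. The security consequence deserves a comment too: exempting the whole VPN prefix means a compromised or shared WireGuard peer can retry logins without ever being banned, e.g. `# VPN peers are trusted: failed logins from 10.3.0.0/24 are never banned`. The Tailscale prefix is no longer exempted here, unlike the old side — confirm that is intended now that `tailscale-net` is 100.64.0.0/10.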


@ -1,38 +1,13 @@
{ config, lib, ... }: { config, lib, ... }:
with import ./network.nix;
with lib;
let let
openTCP = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCP; openTCP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCP;
openUDP = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDP; openUDP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDP;
openTCPVPN = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCPVPN; openTCPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCPVPN;
openUDPVPN = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDPVPN; openUDPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDPVPN;
deviceAddress = interface: device:
config.architect.networks.${interface}.devices.${device}.address;
gdevices = [
(deviceAddress "tailscale" "architect")
(deviceAddress "tailscale" "dodino")
(deviceAddress "tailscale" "manduria")
(deviceAddress "tailscale" "kmerr")
(deviceAddress "tailscale" "chuck")
];
wireguardToWAN = [
(deviceAddress "wireguard" "shield")
(deviceAddress "wireguard" "parina")
(deviceAddress "wireguard" "parina-ipad")
(deviceAddress "wireguard" "germano")
];
frameccaDevices = [
(deviceAddress "wireguard" "framecca")
(deviceAddress "wireguard" "framecca_one")
(deviceAddress "wireguard" "framecca_two")
(deviceAddress "wireguard" "framecca_three")
(deviceAddress "wireguard" "framecca_four")
];
clientToClientWireguard = frameccaDevices;
in in
{ {
networking = { networking = {
@ -42,7 +17,7 @@ in
nftables = { nftables = {
enable = true; enable = true;
ruleset = with config.architect.networks; '' ruleset = ''
table ip raw { table ip raw {
chain PREROUTING { chain PREROUTING {
type filter hook prerouting priority raw; policy accept; type filter hook prerouting priority raw; policy accept;
@ -68,11 +43,11 @@ in
chain POSTROUTING { chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept; type nat hook postrouting priority srcnat; policy accept;
oifname ${lan.interface} ip saddr {${ oifname ${wan-if} ip saddr {${
lib.concatStringsSep "," wireguardToWAN lib.concatStringsSep "," towan-wg
}} masquerade }} masquerade
oifname ${lan.interface} ip saddr ${docker.net} masquerade oifname ${wan-if} ip saddr ${docker-net} masquerade
oifname ${lan.interface} ip saddr ${tailscale.net} masquerade oifname ${wan-if} ip saddr ${tailscale-net} masquerade
} }
} }
@ -82,13 +57,12 @@ in
ct state invalid,untracked drop comment "drop invalid" ct state invalid,untracked drop comment "drop invalid"
ip daddr 255.255.255.255 accept comment "allow broadcast traffic" ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
iifname ${lan.interface} ip saddr ${wireguard.net} drop comment "bind any ip to intf ${lan.interface}" iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}"
iifname ${lan.interface} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${lan.interface}" iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}"
iifname ${lan.interface} accept comment "bind any ip to intf ${lan.interface}" iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
iifname ${wireguard.interface} ip saddr ${wireguard.net} accept comment "bind ip ${wireguard.net} to intf ${wireguard.interface}" iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
iifname ${docker.interface} ip saddr ${docker.net} accept comment "bind ip ${docker.net} to intf ${docker.interface}" iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}"
iifname ${tailscale.interface} ip saddr ${tailscale.net} accept iifname ${tailscale-if} ip saddr ${tailscale-net} accept
iifname ${tailscale.interface} ip saddr 100.100.100.100/32 accept
iifname "lo" accept comment "bind any ip to intf lo" iifname "lo" accept comment "bind any ip to intf lo"
jump mangle_drop jump mangle_drop
} }
@ -141,17 +115,17 @@ in
iifname "lo" accept comment "loopback" iifname "lo" accept comment "loopback"
ip daddr 255.255.255.255 accept comment "allow broadcast traffic" ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
ip saddr ${lan.net} accept comment "lan > local" ip saddr ${lan-net} accept comment "lan > local"
ip saddr ${tailscale.net} accept comment "tailscale > local" ip saddr ${tailscale-net} accept comment "tailscale > local"
ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local" ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
iifname ${lan.interface} tcp dport {${openTCP}} accept iifname ${wan-if} tcp dport {${openTCP}} accept
iifname ${lan.interface} udp dport {${openUDP}} accept iifname ${wan-if} udp dport {${openUDP}} accept
iifname ${wireguard.interface} tcp dport {${openTCPVPN}} accept iifname ${vpn-if} tcp dport {${openTCPVPN}} accept
iifname ${wireguard.interface} udp dport {${openUDPVPN}} accept iifname ${vpn-if} udp dport {${openUDPVPN}} accept
iifname ${wireguard.interface} icmp type echo-request accept iifname ${vpn-if} icmp type echo-request accept
iifname ${docker.interface} udp dport 53 accept iifname ${docker-if} udp dport 53 accept
jump filter_drop jump filter_drop
} }
@ -160,17 +134,17 @@ in
ct state established,related accept ct state established,related accept
# client to client # client to client
ip saddr {${lib.concatStringsSep "," clientToClientWireguard}} ip daddr {${ ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${
lib.concatStringsSep "," clientToClientWireguard lib.concatStringsSep "," c2c-wg
}} accept }} accept
# nat to wan # nat to wan
oifname ${lan.interface} ip saddr {${ oifname ${wan-if} ip saddr {${
lib.concatStringsSep "," wireguardToWAN lib.concatStringsSep "," towan-wg
}} accept }} accept
oifname ${lan.interface} ip saddr ${docker.net} accept oifname ${wan-if} ip saddr ${docker-net} accept
oifname ${lan.interface} ip saddr ${tailscale.net} accept oifname ${wan-if} ip saddr ${tailscale-net} accept
jump filter_drop jump filter_drop
} }
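Review bot: In the input chain (`@ -141,17 +115,17 @@`), `ip saddr ${tailscale-net} accept comment "tailscale > local"` and the `gdevices` rule match on source address alone, while the anti-spoof chain in `@ -82,13 +57,12 @@` only drops `${vpn-net}` and 127.0.0.0/8 arriving on `${wan-if}` before `iifname ${wan-if} accept`; a packet on the physical interface with a forged 100.64.0.0/10 source therefore reaches every local service as if it came over Tailscale, and 100.64.0.0/10 is the entire CGNAT range rather than this tailnet. Whether the kernel's rp_filter catches this depends on sysctl settings that are not in this diff. I'd bind those accepts to the tunnel, `iifname ${tailscale-if} ip saddr ${tailscale-net} accept` and `iifname ${tailscale-if} ip saddr {${lib.concatStringsSep "," gdevices}} accept`, and add `iifname ${wan-if} ip saddr ${tailscale-net} drop` next to the existing vpn-net drop. The same reasoning applies to `${docker-net}`, which is likewise only validated on its own interface. The ruleset string spans several hunks, so the chain headers between them are not visible here.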


@ -2,9 +2,7 @@
let let
domain = "git.giugl.io"; domain = "git.giugl.io";
network = import ./network.nix;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
architect.firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ]; architect.firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ];
@ -35,8 +33,9 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${network.architect-lan} ${domain}
${architectInterfaceAddress "wireguard"} ${domain} ${network.architect-wg} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${network.architect-ts} ${domain}
''; '';
} }


@ -1,63 +0,0 @@
{ config, pkgs, lib, ... }:
let
domain = "vipienne.giugl.io";
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in
{
architect.firewall = {
openTCP = [ config.services.headscale.port ];
};
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
environment.systemPackages = [ pkgs.unstablePkgs.headscale ];
services = {
headscale = {
enable = true;
package = pkgs.unstablePkgs.headscale;
port = 1194;
address = "0.0.0.0";
serverUrl = "https://${domain}";
logLevel = "debug";
settings = {
dns_config = {
magic_dns = true;
domains = [
"giugl.io"
"runas.rocks"
"devs.giugl.io"
];
base_domain = "giugl.io";
override_local_dns = true;
nameservers = [ config.architect.networks.tailscale.devices.architect.address ];
};
logtail.enabled = false;
ip_prefixes = [ config.architect.networks.tailscale.net ];
# The Noise private key is used to encrypt the
# traffic between headscale and Tailscale clients when
# using the new Noise-based protocol. It must be different
# from the legacy private key.
noise.private_key_path = "/var/lib/headscale/noise_private.key";
};
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass =
"http://127.0.0.1:${toString config.services.headscale.port}";
proxyWebsockets = true;
};
};
};
}


@ -1,11 +1,9 @@
{ config, pkgs, lib, ... }: { pkgs, lib, ... }:
let let
network = import ./network.nix;
domain = "media.giugl.io"; domain = "media.giugl.io";
port = 8096; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
# needed since StateDirectory does not accept symlinks # needed since StateDirectory does not accept symlinks
@ -21,40 +19,44 @@ in
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
extraConfig = '' extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices; } +
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. ''
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
# Disable buffering when the nginx proxy gets very resource heavy upon streaming #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
proxy_buffering off; # Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
allow ${config.architect.networks.lan.net}; '';
allow ${config.architect.networks.tailscale.net};
deny all;
'';
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString port}"; proxyPass = "http://127.0.0.1:8096";
# extraConfig = ''
# allow 10.0.0.0/24;
# allow 10.3.0.0/24;
# deny all;
# '';
}; };
locations."/socket" = { locations."/socket" = {
proxyPass = "http://127.0.0.1:${toString port}"; proxyPass = "http://127.0.0.1:8096";
proxyWebsockets = true; proxyWebsockets = true;
# extraConfig = ''
# allow 10.0.0.0/24;
# allow 10.3.0.0/24;
# deny all;
# '';
}; };
}; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${network.architect-lan} ${domain}
${architectInterfaceAddress "wireguard"} ${domain} ${network.architect-wg} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${network.architect-ts} ${domain}
''; '';
users.groups = { users.groups.media.members = [ "jellyfin" ];
media.members = [ "jellyfin" ]; users.groups.video.members = [ "jellyfin" ];
video.members = [ "jellyfin" ]; users.groups.render.members = [ "jellyfin" ];
render.members = [ "jellyfin" ];
};
fileSystems."/tmp/jellyfin" = { fileSystems."/tmp/jellyfin" = {
device = "none"; device = "none";
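Review bot: The new server-level `extraConfig` replaces the `allow`/`deny` list with `auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices; }`, yet both proxied locations still carry the old list commented out (`# allow 10.0.0.0/24; # allow 10.3.0.0/24; # deny all;`); dead config inside an access-control block invites someone to uncomment it and end up with a policy that differs from the server-level one. I'd delete the two commented `extraConfig` blocks or replace each with a pointer, `# access control is the OIDC block in the vhost extraConfig above`. `whitelisted_ips` also bypasses the OIDC check purely on source address, so it is only as strong as the firewall's anti-spoofing for those Tailscale addresses — worth stating in a comment next to it. Whether `openresty_oidc_block` covers `/socket` as well as `/` cannot be checked here because openid.nix is not part of the diff.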


@ -1,10 +1,8 @@
{ pkgs, lib, config, ... }: { pkgs, config, ... }:
let let
network = import ./network.nix;
domain = "auth.giugl.io"; domain = "auth.giugl.io";
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -75,8 +73,8 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${network.architect-lan} ${domain}
${architectInterfaceAddress "wireguard"} ${domain} ${network.architect-wg} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${network.architect-ts} ${domain}
''; '';
} }


@ -1,10 +1,8 @@
{ config, lib, pkgs, ... }: { lib, pkgs, ... }:
let let
domain = "reddit.giugl.io"; domain = "reddit.giugl.io";
network = import ./network.nix;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -16,13 +14,13 @@ in
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.libreddit.port}"; }; locations."/" = { proxyPass = "http://127.0.0.1:9090"; };
}; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${network.architect-lan} ${domain}
${architectInterfaceAddress "wireguard"} ${domain} ${network.architect-wg} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${network.architect-ts} ${domain}
''; '';
} }
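Review bot: `proxyPass = "http://127.0.0.1:9090"` hardcodes the upstream port where the old side read it from `config.services.libreddit.port`, and the new module header drops `config` altogether; if the libreddit service block (cut by the `@ -16,13 +14,13 @@` hunk) ever sets a different port, nginx will proxy into nothing with no evaluation error. I'd keep the coupling explicit with `{ config, lib, ... }:` and `locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.libreddit.port}"; };`.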


@ -1,11 +1,9 @@
{ config, lib, ... }: { lib, ... }:
let let
domain = "htlid.giugl.io"; domain = "htlid.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -27,10 +25,10 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${network.architect-lan} ${domain}
${architectInterfaceAddress "wireguard"} ${domain} ${network.architect-wg} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${network.architect-ts} ${domain}
''; '';
users.groups.media.members = [ "lidarr" ]; users.groups.media.members = [ "lidarr" ];
} }


@ -1,11 +1,9 @@
{ config, pkgs, lib, ... }: { pkgs, lib, ... }:
let let
domain = "runas.rocks"; domain = "runas.rocks";
network = import ./network.nix;
db_name = "matrix-synapse-runas.rocks"; db_name = "matrix-synapse-runas.rocks";
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -113,8 +111,9 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${network.architect-lan} ${domain}
${architectInterfaceAddress "wireguard"} ${domain} ${network.architect-wg} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${network.architect-ts} ${domain}
''; '';
} }


@ -1,10 +1,8 @@
{ lib, config, pkgs, ... }: { config, pkgs, ... }:
let let
domain = "minecraft.giugl.io"; domain = "minecraft.giugl.io";
network = import ./network.nix;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
architect.firewall.openTCP = [ 25565 ]; architect.firewall.openTCP = [ 25565 ];
@ -16,10 +14,10 @@ in
package = pkgs.unstablePkgs.minecraft-server; package = pkgs.unstablePkgs.minecraft-server;
serverProperties = { motd = "Welcome on the RuNas server!"; }; serverProperties = { motd = "Welcome on the RuNas server!"; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${network.architect-lan} ${domain}
${architectInterfaceAddress "wireguard"} ${domain} ${network.architect-wg} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${network.architect-ts} ${domain}
''; '';
} }


@ -1,10 +1,8 @@
{ config, lib, ... }: { lib, ... }:
let let
domain = "s3.giugl.io"; domain = "s3.giugl.io";
network = import ./network.nix;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -17,17 +15,18 @@ in
proxyPass = "http://127.0.0.1:9000"; proxyPass = "http://127.0.0.1:9000";
extraConfig = '' extraConfig = ''
client_max_body_size 500M; client_max_body_size 500M;
allow ${config.architect.networks.lan.net}; allow 10.0.0.0/24;
allow ${config.architect.networks.tailscale.net}; ${lib.concatMapStrings (x: "allow ${x};") network.gdevices }
allow ${network.manduria-wg};
deny all; deny all;
''; '';
}; };
}; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${network.architect-lan} ${domain}
${architectInterfaceAddress "wireguard"} ${domain} ${network.architect-wg} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${network.architect-ts} ${domain}
''; '';
} }
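Review bot: The allow-list in the `/` location (`allow 10.0.0.0/24;`, the generated `gdevices` entries and `allow ${network.manduria-wg};`) is the only access control on the S3 endpoint visible here, and the LAN prefix is a literal while the same module already takes every other address from network.nix; `allow ${network.lan-net};` keeps it aligned with firewall.nix. Because `concatMapStrings` emits the `gdevices` entries on a single line, keep `deny all;` on its own line as it is now so the rendered nginx config stays readable. If `gdevices` is ever empty the template still renders valid nginx and Tailscale peers are simply denied, which is the safe failure mode.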


@ -11,8 +11,7 @@ rec {
vpn-net = "10.3.0.0/24"; vpn-net = "10.3.0.0/24";
external_lan-net = "192.168.1.0/24"; external_lan-net = "192.168.1.0/24";
docker-net = "172.17.0.0/16"; docker-net = "172.17.0.0/16";
# tailscale-net = "100.64.0.0/10"; tailscale-net = "100.64.0.0/10";
tailscale-net = "10.4.0.0/24";
# ips # ips
router-lan = "10.0.0.1"; router-lan = "10.0.0.1";
@ -52,8 +51,7 @@ rec {
framecca_four-wg = "10.3.0.39"; framecca_four-wg = "10.3.0.39";
giuliophone-ts = "100.68.68.46"; giuliophone-ts = "100.68.68.46";
# architect-ts = "100.67.205.28"; architect-ts = "100.67.205.28";
architect-ts = "10.4.0.2";
giuliopc-ts = "100.124.78.64"; giuliopc-ts = "100.124.78.64";
dodino-ts = "100.106.244.35"; dodino-ts = "100.106.244.35";
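Review bot: `tailscale-net = "100.64.0.0/10"` replaces the private `10.4.0.0/24` used with headscale, and firewall.nix consumes this value both as a trusted source prefix (`ip saddr ${tailscale-net} accept`) and for masquerading; 100.64.0.0/10 is the whole RFC 6598 shared-address range, so every rule keyed on it now trusts far more than this tailnet's nodes and would collide with any upstream that hands out CGNAT addresses. I'd make the scope explicit with a comment, `# Tailscale CGNAT range (RFC 6598); only a safe trust anchor when matched together with tailscale-if`, and consider using the individual `*-ts` node addresses below wherever a prefix is used for an access decision. `gdevices`, `towan-wg`, `c2c-wg` and `wan-if` are referenced from firewall.nix but defined outside the hunks shown.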


@ -1,19 +1,12 @@
{ pkgs, config, lib, ... }: { pkgs, ... }:
let let
domain = "cloud.giugl.io"; domain = "cloud.giugl.io";
network = import ./network.nix;
redis_port = 6379; redis_port = 6379;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
};
mysql = { mysql = {
enable = true; enable = true;
package = pkgs.unstablePkgs.mysql80; package = pkgs.unstablePkgs.mysql80;
@ -60,9 +53,13 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${network.architect-lan} ${domain}
${architectInterfaceAddress "wireguard"} ${domain} ${network.architect-wg} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${network.architect-ts} ${domain}
''; '';
services.nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
};
} }
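Review bot: The vhost moved out of the `services = { ... }` set into a second, separate `services.nginx.virtualHosts.${domain} = { ... }` definition after `networking.extraHosts`; the module system merges both, but one file now defines `services` in two places, which is easy to overlook when reviewing what this host exposes. I'd keep the vhost inside the existing `services` set next to `mysql`, where the old side had it. Unlike the other vhosts in this change this one has neither an `auth_block` nor an allow-list in front of it — fine if Nextcloud's own login is the intended gate, but a one-line comment such as `# no nginx-level ACL: Nextcloud handles authentication itself` would document the choice.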


@ -90,6 +90,5 @@
worker_processes 24; worker_processes 24;
''; '';
}; };
users.groups.acme.members = [ "nginx" ]; users.groups.acme.members = [ "nginx" ];
} }


@ -1,11 +1,9 @@
{ config, lib, ... }: { lib, ... }:
let let
domain = "htnzb.giugl.io"; domain = "htnzb.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -27,9 +25,9 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${network.architect-lan} ${domain}
${architectInterfaceAddress "wireguard"} ${domain} ${network.architect-wg} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${network.architect-ts} ${domain}
''; '';
users.groups.media.members = [ "nzbget" ]; users.groups.media.members = [ "nzbget" ];


@ -3,60 +3,23 @@
with lib; with lib;
{ {
options.architect = { options.architect.firewall = {
firewall = { openTCP = mkOption {
openTCP = mkOption { type = types.listOf types.int;
type = types.listOf types.int; default = [ ];
default = [ ];
};
openUDP = mkOption {
type = types.listOf types.int;
default = [ ];
};
openTCPVPN = mkOption {
type = types.listOf types.int;
default = [ ];
};
openUDPVPN = mkOption {
type = types.listOf types.int;
default = [ ];
};
}; };
openUDP = mkOption {
networks = mkOption { type = types.listOf types.int;
type = types.attrsOf (types.submodule { default = [ ];
options = { };
interface = mkOption { openTCPVPN = mkOption {
type = types.str; type = types.listOf types.int;
description = "The network interface name."; default = [ ];
}; };
openUDPVPN = mkOption {
net = mkOption { type = types.listOf types.int;
type = types.str; default = [ ];
description = "The network address in CIDR format.";
};
devices = mkOption {
type = types.attrsOf (types.submodule {
options = {
address = mkOption {
type = types.str;
description = "The IP address of the device.";
};
hostname = mkOption {
type = types.str;
description = "The hostname of the device.";
};
};
});
default = { };
description = "An attribute set of devices with their configurations.";
};
};
});
default = { };
description = "An attribute set of networks with their configurations.";
}; };
}; };
} }
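Review bot: The four firewall port options remain `types.listOf types.int`, which accepts negative numbers and values above 65535 and turns them into a broken nftables `{…}` set at activation time instead of an evaluation error; `type = types.listOf types.port;` (available in nixpkgs `lib.types`) rejects them when the configuration is evaluated. I'd also give each option a `description`, e.g. `description = "TCP ports accepted on the interface firewall.nix calls wan-if.";` for `openTCP` and the WireGuard equivalent for the `*VPN` variants, since that is how firewall.nix applies them. They are consumed through `concatMapStringsSep`, so the list type must stay a list.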


@ -1,11 +1,9 @@
{ pkgs, config, lib, ... }: { pkgs, lib, ... }:
let let
domain = "plex.giugl.io"; domain = "plex.giugl.io";
network = import ./network.nix;
port = 32400; port = 32400;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
architect.firewall = { architect.firewall = {
@ -88,11 +86,11 @@ in
locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; }; locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; };
}; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${network.architect-lan} ${domain}
${architectInterfaceAddress "wireguard"} ${domain} ${network.architect-wg} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${network.architect-ts} ${domain}
''; '';
users.groups.media.members = [ "plex" ]; users.groups.media.members = [ "plex" ];


@ -4,9 +4,7 @@ let
domain = "xmpp.giugl.io"; domain = "xmpp.giugl.io";
conference_domain = "conference.${domain}"; conference_domain = "conference.${domain}";
upload_domain = "uploads.${domain}"; upload_domain = "uploads.${domain}";
network = import ./network.nix;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
architect.firewall = { architect.firewall = {
@ -44,9 +42,9 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${network.architect-lan} ${domain}
${architectInterfaceAddress "wireguard"} ${domain} ${network.architect-wg} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${network.architect-ts} ${domain}
''; '';
users.groups = { users.groups = {


@ -1,10 +1,8 @@
{ config, lib, ... }: { lib, ... }:
let let
domain = "htpro.giugl.io"; domain = "htpro.giugl.io";
network = import ./network.nix;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -16,8 +14,8 @@ in
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:9696"; proxyPass = "http://127.0.0.1:9696";
extraConfig = '' extraConfig = ''
allow ${config.architect.networks.lan.net}; allow 10.0.0.0/24;
allow ${config.architect.networks.tailscale.net}; ${lib.concatMapStrings (x: "allow ${x};") network.gdevices}
deny all; deny all;
''; '';
}; };
@ -31,11 +29,11 @@ in
# }; # };
}; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${network.architect-lan} ${domain}
${architectInterfaceAddress "wireguard"} ${domain} ${network.architect-wg} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${network.architect-ts} ${domain}
''; '';
users.groups.media.members = [ "prowlarr" ]; users.groups.media.members = [ "prowlarr" ];
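Review bot: The nginx allow list in the `proxyPass = "http://127.0.0.1:9696"` location now hard-codes `allow 10.0.0.0/24;` while the remaining entries are generated from `network.gdevices`, so the LAN range is a literal that can silently drift from whatever network.nix treats as the LAN; the hunk shows nothing tying the two together. Source the range from the same module, `allow ${network.<LAN_NET_CONSTANT>};` (placeholder — the hunk does not show which name network.nix exports for it), so one edit updates both the hosts file and the access list. `lib.concatMapStrings (x: "allow ${x};")` also emits every directive on one line; `lib.concatMapStringsSep "\n" (x: "allow ${x};") network.gdevices` is valid nginx either way but keeps the rendered config readable when someone audits the allow list. Since the new header is `{ lib, ... }:`, none of this can fall back on `config.architect.networks` without re-adding `config`.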


@ -1,11 +1,9 @@
{ config, lib, ... }: { lib, ... }:
let let
domain = "htrad.giugl.io"; domain = "htrad.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -26,11 +24,10 @@ in
}; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${network.architect-lan} ${domain}
${architectInterfaceAddress "wireguard"} ${domain} ${network.architect-wg} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${network.architect-ts} ${domain}
''; '';
users.groups.media.members = [ "radarr" ]; users.groups.media.members = [ "radarr" ];


@ -1,17 +1,14 @@
{ config, pkgs, lib, ... }: { services, pkgs, lib, makeBinPath, ... }:
let let
domain = "runas.rocks"; domain = "runas.rocks";
runas_root = "/var/lib/runas.rocks/dist"; runas_root = "/var/lib/runas.rocks/dist";
service_name = "runas.rocks-pull"; service_name = "runas.rocks-pull";
network = import ./network.nix;
mkStartScript = name: pkgs.writeShellScript "${name}.sh" '' mkStartScript = name: pkgs.writeShellScript "${name}.sh" ''
set -euo pipefail set -euo pipefail
cd ${runas_root} cd ${runas_root}
git pull origin main --rebase git pull origin main --rebase
''; '';
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services.nginx.virtualHosts.${domain} = { services.nginx.virtualHosts.${domain} = {
@ -42,8 +39,8 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${network.architect-lan} ${domain}
${architectInterfaceAddress "wireguard"} ${domain} ${network.architect-wg} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${network.architect-ts} ${domain}
''; '';
} }
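Review bot: The new module header `{ services, pkgs, lib, makeBinPath, ... }:` asks for `services` and `makeBinPath` as module arguments, which the NixOS module system does not supply by default; unless `_module.args` defines both somewhere else in the tree, evaluation of this module fails before `mkStartScript` is ever reached. Neither name is used in the visible hunks (`services` is normally reached as `config.services`, `makeBinPath` as `lib.makeBinPath`), so `{ pkgs, lib, ... }:` appears to be what the file actually needs. Separately, `git pull origin main --rebase` run from `runas_root` means whatever lands on the remote's `main` is served by the `services.nginx.virtualHosts.${domain}` host on the next run, so that remote and its branch protection are now part of this host's trust boundary; a one-line comment above `mkStartScript` stating that assumption would help a reviewer. The `let` block and the vhost definition continue outside these two hunks.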


@ -1,11 +1,9 @@
{ config, lib, ... }: { lib, ... }:
let let
domain = "htson.giugl.io"; domain = "htson.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -27,9 +25,9 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain} ${network.architect-lan} ${domain}
${architectInterfaceAddress "wireguard"} ${domain} ${network.architect-wg} ${domain}
${architectInterfaceAddress "tailscale"} ${domain} ${network.architect-ts} ${domain}
''; '';
users.groups.media.members = [ "sonarr" ]; users.groups.media.members = [ "sonarr" ];


@ -1,38 +1,24 @@
{ config, lib, ... }: { config, lib, ... }:
let let
domain = "devs.giugl.io"; network = import ./network.nix;
utilities = import ./utilities.nix { inherit lib config; }; ifname = "ts0";
inherit (utilities) generateDeviceStrings;
in in
{ {
architect = { architect.firewall.openUDP = [ config.services.tailscale.port ];
firewall.openUDP = [ config.services.tailscale.port ];
networks.tailscale = {
interface = "ts0";
net = "100.64.0.0/10";
devices = {
architect = { address = "100.64.0.1"; hostname = "architect.${domain}"; };
kmerr = { address = "100.64.0.2"; hostname = "kmerr.${domain}"; };
chuck = { address = "100.64.0.4"; hostname = "chuck.${domain}"; };
dodino = { address = "100.64.0.5"; hostname = "dodino.${domain}"; };
manduria = { address = "100.64.0.6"; hostname = "manduria.${domain}"; };
tommy = { address = "100.64.0.7"; hostname = "tommy.${domain}"; };
ucsb-workstation = { address = "100.64.0.8"; hostname = "ucsb-workstation.${domain}"; };
alfredo = { address = "100.64.0.9"; hostname = "alfredo.${domain}"; };
};
};
};
services = { services = {
tailscale = { tailscale = {
enable = true; enable = true;
interfaceName = config.architect.networks.tailscale.interface; interfaceName = ifname;
}; };
}; };
networking.extraHosts = generateDeviceStrings config.architect.networks.tailscale.devices; networking.extraHosts = ''
${network.architect-ts} architect.devs.giugl.io
${network.giuliopc-ts} kmerr.devs.giugl.io
${network.dodino-ts} dodino.devs.giugl.io
${network.giuliophone-ts} chuck.devs.giugl.io
'';
} }
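Review bot: The new `networking.extraHosts` block repeats the literal `devs.giugl.io` suffix on all four lines and pairs network.nix names with differently named hosts (`${network.giuliopc-ts} kmerr.devs.giugl.io`, `${network.giuliophone-ts} chuck.devs.giugl.io`), so the machine-to-address mapping now lives in two places under two naming schemes. A `domain = "devs.giugl.io";` binding in the `let`, used as `kmerr.${domain}`, keeps the suffix in one place, and a short comment on the two mismatched lines naming which machine each network.nix entry refers to would spare the next reader a lookup. `ifname` is bound only to be used once in `interfaceName = ifname;`; inlining `"ts0"` there is equally clear and drops one indirection.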


@ -1,13 +0,0 @@
{ config, lib, ... }:
{
# device.address device.hostname
generateDeviceStrings = devices: lib.concatStringsSep "\n"
(lib.mapAttrsToList (name: device: "${device.address} ${device.hostname}") devices);
getDeviceAddress = interface: device:
config.architect.networks.${interface}.devices.${device}.address;
architectInterfaceAddress = interface:
config.architect.networks.${interface}.devices.architect.address;
}


@ -1,214 +1,208 @@
{ config, lib, ... }: { config, lib, ... }:
with import ./network.nix;
let let
listenPort = 1194; listenPort = 1194;
domain = "devs.giugl.io";
interface = "wireguard";
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) generateDeviceStrings getDeviceAddress;
getWireguardDeviceAddress = getDeviceAddress "wireguard";
in in
{ {
architect = { architect.firewall = {
firewall = { openUDP = lib.singleton listenPort;
openUDP = lib.singleton listenPort; openUDPVPN = lib.singleton listenPort;
openUDPVPN = lib.singleton listenPort;
};
networks.${interface} = {
interface = "wg0";
net = "10.3.0.0/24";
devices = {
architect = { address = "10.3.0.1"; hostname = "architect.${domain}"; };
antonio = { address = "10.3.0.6"; hostname = "antonio.${domain}"; };
gbeast = { address = "10.3.0.7"; hostname = "gbeast.${domain}"; };
shield = { address = "10.3.0.12"; hostname = "shield.${domain}"; };
salvatore = { address = "10.3.0.16"; hostname = "salvatore.${domain}"; };
papa = { address = "10.3.0.17"; hostname = "papa.${domain}"; };
defy = { address = "10.3.0.18"; hostname = "defy.${domain}"; };
germano = { address = "10.3.0.19"; hostname = "germano.${domain}"; };
flavio = { address = "10.3.0.20"; hostname = "flavio.${domain}"; };
alain = { address = "10.3.0.22"; hostname = "alain.${domain}"; };
dima = { address = "10.3.0.23"; hostname = "dima.${domain}"; };
mikey = { address = "10.3.0.24"; hostname = "mikey.${domain}"; };
andrew = { address = "10.3.0.25"; hostname = "andrew.${domain}"; };
mikeylaptop = { address = "10.3.0.26"; hostname = "mikeylaptop.${domain}"; };
andrewdesktop = { address = "10.3.0.27"; hostname = "andrewdesktop.${domain}"; };
jacopo = { address = "10.3.0.28"; hostname = "jacopo.${domain}"; };
frznn = { address = "10.3.0.29"; hostname = "frznn.${domain}"; };
ludo = { address = "10.3.0.30"; hostname = "ludo.${domain}"; };
parina = { address = "10.3.0.31"; hostname = "parina.${domain}"; };
nilo = { address = "10.3.0.32"; hostname = "nilo.${domain}"; };
parina-ipad = { address = "10.3.0.33"; hostname = "parina-ipad.${domain}"; };
kclvm = { address = "10.3.0.34"; hostname = "kclvm.${domain}"; };
framecca = { address = "10.3.0.35"; hostname = "framecca.${domain}"; };
framecca_one = { address = "10.3.0.36"; hostname = "framecca_one.${domain}"; };
framecca_two = { address = "10.3.0.37"; hostname = "framecca_two.${domain}"; };
framecca_three = { address = "10.3.0.38"; hostname = "framecca_three.${domain}"; };
framecca_four = { address = "10.3.0.39"; hostname = "framecca_four.${domain}"; };
};
};
}; };
networking = { networking = {
extraHosts = generateDeviceStrings config.architect.networks.wireguard.devices; extraHosts = ''
${architect-wg} architect.devs.giugl.io
${manduria-wg} manduria.devs.giugl.io
${antonio-wg} antonio.devs.giugl.io
${gbeast-wg} gbeast.devs.giugl.io
${shield-wg} shield.devs.giugl.io
${salvatore-wg} salvatore.devs.giugl.io
${papa-wg} papa.devs.giugl.io
${defy-wg} defy.devs.giugl.io
${germano-wg} germano.devs.giugl.io
${tommy-wg} tommy.devs.giugl.io
${alain-wg} alain.devs.giugl.io
${dima-wg} dima.devs.giugl.io
${mikey-wg} mikey.devs.giugl.io
${andrew-wg} andrew.devs.giugl.io
${mikeylaptop-wg} mikeylaptop.devs.giugl.io
${frznn-wg} frznn.devs.giugl.io
${ludo-wg} ludo.devs.giugl.io
${parina-wg} parina.devs.giugl.io
${parina-ipad-wg} parinaipad.devs.giugl.io
${nilo-wg} nilo.devs.giugl.io
${kclvm-wg} kclvm.devs.giugl.io
${framecca-wg} framecca.devs.giugl.io
'';
wireguard = { wireguard = {
interfaces.${config.architect.networks.wireguard.interface} = { interfaces.${vpn-if} = {
inherit listenPort; inherit listenPort;
ips = [ "${config.architect.networks.wireguard.devices.architect.address}/24" ]; ips = [ "10.3.0.1/24" ];
privateKeyFile = "/secrets/wireguard/server.key"; privateKeyFile = "/secrets/wireguard/server.key";
peers = [ peers = [
{
# Manduria
allowedIPs = [ manduria-wg ];
publicKey = "wT38oXvDQ8g0hI+pAXQobOWf/Wott2zhwo8TLvXK400=";
}
{ {
# Antonio # Antonio
allowedIPs = [ (getWireguardDeviceAddress "antonio") ]; allowedIPs = [ antonio-wg ];
publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc="; publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc=";
} }
{ {
# GBEAST # GBEAST
allowedIPs = [ (getWireguardDeviceAddress "gbeast") ]; allowedIPs = [ gbeast-wg ];
publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI="; publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI=";
} }
{ {
# shield # shield
allowedIPs = [ (getWireguardDeviceAddress "shield") ]; allowedIPs = [ shield-wg ];
publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs="; publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs=";
} }
{ {
# salvatore # salvatore
allowedIPs = [ (getWireguardDeviceAddress "salvatore") ]; allowedIPs = [ salvatore-wg ];
publicKey = "fhlnBHeMyHZKLUCTSA9kmkKoM5x/qzz/rnCJrUh3Gzs="; publicKey = "fhlnBHeMyHZKLUCTSA9kmkKoM5x/qzz/rnCJrUh3Gzs=";
} }
{ {
# papa # papa
allowedIPs = [ (getWireguardDeviceAddress "papa") ]; allowedIPs = [ papa-wg ];
publicKey = "oGHygt02Oni3IFbScKD0NVEfHKCp6bpw68aq5g4RrAA="; publicKey = "oGHygt02Oni3IFbScKD0NVEfHKCp6bpw68aq5g4RrAA=";
} }
{ {
# defy # defy
allowedIPs = [ (getWireguardDeviceAddress "defy") ]; allowedIPs = [ defy-wg ];
publicKey = "Cvi/eto7E6Ef+aiL81ou7x12fJCeuXrf/go9fxEqXG4="; publicKey = "Cvi/eto7E6Ef+aiL81ou7x12fJCeuXrf/go9fxEqXG4=";
} }
{ {
# germano # germano
allowedIPs = [ (getWireguardDeviceAddress "germano") ]; allowedIPs = [ germano-wg ];
publicKey = "LJ0DHY1sFVLQb3ngUGGH0HxbDOPb9KCUPSaYcjr5Uiw="; publicKey = "LJ0DHY1sFVLQb3ngUGGH0HxbDOPb9KCUPSaYcjr5Uiw=";
} }
{ {
# flavio # flavio
allowedIPs = [ (getWireguardDeviceAddress "flavio") ]; allowedIPs = [ flavio-wg ];
publicKey = "Yg0P+yHi/9SZHyoel8jT9fmmu+irLYmT8yMp/CZoaSg="; publicKey = "Yg0P+yHi/9SZHyoel8jT9fmmu+irLYmT8yMp/CZoaSg=";
} }
{
# tommy
allowedIPs = [ tommy-wg ];
publicKey = "tytknU7wql1d0A2provX3RP7CNcEIajfgBJKoSyVLgo=";
}
{ {
# alain # alain
allowedIPs = [ (getWireguardDeviceAddress "alain") ]; allowedIPs = [ alain-wg ];
publicKey = "/o2msFJoUL4yovcIQJTU8c1faFtekrjSBBWJABouWno="; publicKey = "/o2msFJoUL4yovcIQJTU8c1faFtekrjSBBWJABouWno=";
} }
{ {
# dima # dima
allowedIPs = [ (getWireguardDeviceAddress "dima") ]; allowedIPs = [ dima-wg ];
publicKey = "svzWYIZ6v+cLCp/emGG7mx2YpBJqw2fqjVuHZy7b6H0="; publicKey = "svzWYIZ6v+cLCp/emGG7mx2YpBJqw2fqjVuHZy7b6H0=";
} }
{ {
# mikey # mikey
allowedIPs = [ (getWireguardDeviceAddress "mikey") ]; allowedIPs = [ mikey-wg ];
publicKey = "ewbDdX3z7nxG2aPIf9TogXkhxPlGipLFcy6XfyDC6gI="; publicKey = "ewbDdX3z7nxG2aPIf9TogXkhxPlGipLFcy6XfyDC6gI=";
} }
{ {
# andrew # andrew
allowedIPs = [ (getWireguardDeviceAddress "andrew") ]; allowedIPs = [ andrew-wg ];
publicKey = "LP/FgST9fmBQSoKQFq9sFGvjRFOtRooMcuEcjuqaoWM="; publicKey = "LP/FgST9fmBQSoKQFq9sFGvjRFOtRooMcuEcjuqaoWM=";
} }
{ {
# mikey laptop # mikey laptop
allowedIPs = [ (getWireguardDeviceAddress "mikeylaptop") ]; allowedIPs = [ mikeylaptop-wg ];
publicKey = "kz/pY/PgV+dwF1JZ2It4r5B5QfRSQM7HkbFCdvd5Yxk="; publicKey = "kz/pY/PgV+dwF1JZ2It4r5B5QfRSQM7HkbFCdvd5Yxk=";
} }
{ {
# andrew desktop # andrew desktop
allowedIPs = [ (getWireguardDeviceAddress "andrewdesktop") ]; allowedIPs = [ andrewdesktop-wg ];
publicKey = "rpYr3JNLIzxpxzFuQuaHFEl/XvPEPfwLbDETBP8KYXI="; publicKey = "rpYr3JNLIzxpxzFuQuaHFEl/XvPEPfwLbDETBP8KYXI=";
} }
{ {
# laptop desktop # laptop desktop
allowedIPs = [ (getWireguardDeviceAddress "jacopo") ]; allowedIPs = [ jacopo-wg ];
publicKey = "W/taWI79bPIKOolVVu5xZfiJnPw9K91Xn1zhcM0+4g0="; publicKey = "W/taWI79bPIKOolVVu5xZfiJnPw9K91Xn1zhcM0+4g0=";
} }
{ {
# frznn # frznn
allowedIPs = [ (getWireguardDeviceAddress "frznn") ]; allowedIPs = [ frznn-wg ];
publicKey = "dXcrdME6VnnE5PBYwvUmayf7cn2wpcExeCR9gIXOO0o="; publicKey = "dXcrdME6VnnE5PBYwvUmayf7cn2wpcExeCR9gIXOO0o=";
} }
{ {
# ludo # ludo
allowedIPs = [ (getWireguardDeviceAddress "ludo") ]; allowedIPs = [ ludo-wg ];
publicKey = "ecrxdzx7tQZwMPxZOjHUvxZT2xY79B6XEDIW+fhEtEM="; publicKey = "ecrxdzx7tQZwMPxZOjHUvxZT2xY79B6XEDIW+fhEtEM=";
} }
{ {
# parina # parina
allowedIPs = [ (getWireguardDeviceAddress "parina") ]; allowedIPs = [ parina-wg ];
publicKey = "7nubNnfGsg4/7KemMDn9r99mNK8RFU9uOFFqaYv6rUA="; publicKey = "7nubNnfGsg4/7KemMDn9r99mNK8RFU9uOFFqaYv6rUA=";
} }
{ {
# nilo # nilo
allowedIPs = [ (getWireguardDeviceAddress "nilo") ]; allowedIPs = [ nilo-wg ];
publicKey = "lhTEDJ9WnizvEHTd5kN21fTHF27HNk+fPLQnB1B3LW0="; publicKey = "lhTEDJ9WnizvEHTd5kN21fTHF27HNk+fPLQnB1B3LW0=";
} }
{ {
# parina ipad # parina ipad
allowedIPs = [ (getWireguardDeviceAddress "parina-ipad") ]; allowedIPs = [ parina-ipad-wg ];
publicKey = "ezkCzl2qC7Hd7rFKfqMa0JXDKRhVqy79H52rA06x7mU="; publicKey = "ezkCzl2qC7Hd7rFKfqMa0JXDKRhVqy79H52rA06x7mU=";
} }
{ {
# kcl vm # kcl vm
allowedIPs = [ (getWireguardDeviceAddress "kclvm") ]; allowedIPs = [ kclvm-wg ];
publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE="; publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE=";
} }
{ {
allowedIPs = [ (getWireguardDeviceAddress "framecca") ]; allowedIPs = [ framecca-wg ];
publicKey = "w0XPu5GcDA2vpNk3KCFRdWNVVQHRtAPApEsK1h3Ovyk="; publicKey = "w0XPu5GcDA2vpNk3KCFRdWNVVQHRtAPApEsK1h3Ovyk=";
} }
{ {
allowedIPs = [ (getWireguardDeviceAddress "framecca_one") ]; allowedIPs = [ framecca_one-wg ];
publicKey = "5PnmExv78fU3SS8liUWY/oBCcJ48wzmz/70O0U7K/xs="; publicKey = "5PnmExv78fU3SS8liUWY/oBCcJ48wzmz/70O0U7K/xs=";
} }
{ {
allowedIPs = [ (getWireguardDeviceAddress "framecca_two") ]; allowedIPs = [ framecca_two-wg ];
publicKey = "FbWfh2rL3OYLTDIte+MgctqL/bphn38eqpNy/chc3wM="; publicKey = "FbWfh2rL3OYLTDIte+MgctqL/bphn38eqpNy/chc3wM=";
} }
{ {
allowedIPs = [ (getWireguardDeviceAddress "framecca_three") ]; allowedIPs = [ framecca_three-wg ];
publicKey = "Z3LRFs6CO0kUh4J3pf+HcPsWch3hUAwJBG8/b0Kqnxs="; publicKey = "Z3LRFs6CO0kUh4J3pf+HcPsWch3hUAwJBG8/b0Kqnxs=";
} }
{ {
allowedIPs = [ (getWireguardDeviceAddress "framecca_four") ]; allowedIPs = [ framecca_four-wg ];
publicKey = "g/Ta12igzxSlCxy7KP865qf+l3+r1LjOo6UXjulmPBc="; publicKey = "g/Ta12igzxSlCxy7KP865qf+l3+r1LjOo6UXjulmPBc=";
} }
]; ];