Compare commits
7 Commits
a546edc30d
...
e360aac9e6
Author | SHA1 | Date | |
---|---|---|---|
|
e360aac9e6 | ||
|
6a6d7640a7 | ||
|
68c1ee4869 | ||
|
932378b309 | ||
|
f759f44024 | ||
|
76a0da7dea | ||
|
b46cf0ff6d |
@ -1,9 +1,9 @@
|
|||||||
{
|
{
|
||||||
inputs = {
|
inputs = {
|
||||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05";
|
nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11";
|
||||||
nixos-unstable.url = "github:NixOS/nixpkgs/master";
|
nixos-unstable.url = "github:NixOS/nixpkgs/master";
|
||||||
home-manager = {
|
home-manager = {
|
||||||
url = "github:rycee/home-manager/release-22.05";
|
url = "github:rycee/home-manager/release-22.11";
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
vim-extra-plugins.url = "github:m15a/nixpkgs-vim-extra-plugins";
|
vim-extra-plugins.url = "github:m15a/nixpkgs-vim-extra-plugins";
|
||||||
@ -67,10 +67,6 @@
|
|||||||
}];
|
}];
|
||||||
roles = [ "gnome" ];
|
roles = [ "gnome" ];
|
||||||
};
|
};
|
||||||
proxy = utilsX64.host.mkHost {
|
|
||||||
name = "proxy";
|
|
||||||
users = [ ];
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -40,7 +40,7 @@ in {
|
|||||||
];
|
];
|
||||||
|
|
||||||
time.timeZone = "Europe/Rome";
|
time.timeZone = "Europe/Rome";
|
||||||
system.stateVersion = "21.11";
|
# system.stateVersion = "21.11";
|
||||||
users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
|
users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
|
||||||
boot = {
|
boot = {
|
||||||
initrd = {
|
initrd = {
|
||||||
|
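Review bot: Commenting out `system.stateVersion = "21.11";` here (and `"21.05"` in the hunk ending at L511) removes a value that is meant to stay pinned to the release the host was first installed with; if the shared module in the hunk ending at L1244 now sets `system.stateVersion = "22.11";` for every host, these two machines silently jump releases, which is what the option's documentation (and the removed `# Did you read the comment?` reminder) warns against, since stateful defaults such as database versions and on-disk formats key off it. Keep the per-host value in place, or have the shared module take the version as a per-host argument so each host keeps its original one: `system.stateVersion = "21.11"; # pinned to the install release; do not bump`. The same reasoning applies to the home-manager `stateVersion` moved from the per-user `"22.05"` (hunk ending at L1282) to the shared `"22.11"` (hunk ending at L1357). The enclosing attribute set starts and ends outside this hunk.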
@ -11,9 +11,11 @@ in
|
|||||||
domain = domain;
|
domain = domain;
|
||||||
appName = "Gitea";
|
appName = "Gitea";
|
||||||
rootUrl = "https://${domain}";
|
rootUrl = "https://${domain}";
|
||||||
ssh.clonePort = 22;
|
|
||||||
settings = {
|
settings = {
|
||||||
server.LFS_START_SERVER = true;
|
server = {
|
||||||
|
LFS_START_SERVER = true;
|
||||||
|
SSH_PORT = 22;
|
||||||
|
};
|
||||||
openid.enable_openid_signin = true;
|
openid.enable_openid_signin = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
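Review bot: `SSH_PORT = 22;` only controls the port Gitea prints in SSH clone URLs; it does not bind a listener, and git-over-SSH keeps going through the host's sshd unless `START_SSH_SERVER` is also enabled. The removed `ssh.clonePort` carried that meaning in its name and the raw INI key does not, so a one-line comment would stop a later reader from taking it for the port of a built-in SSH server: `SSH_PORT = 22; # advertised in clone URLs only; the host sshd serves git over SSH`. The enclosing `services.gitea` block starts and ends outside this hunk.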
@ -18,12 +18,16 @@ in
|
|||||||
url_preview_enabled = true;
|
url_preview_enabled = true;
|
||||||
dynamic_thumbnails = true;
|
dynamic_thumbnails = true;
|
||||||
withJemalloc = true;
|
withJemalloc = true;
|
||||||
|
enable_registration = false;
|
||||||
|
password_config.enabled = false;
|
||||||
app_service_config_files = [
|
app_service_config_files = [
|
||||||
"/var/lib/matrix-synapse/discord-registration.yaml"
|
"/var/lib/matrix-synapse/discord-registration.yaml"
|
||||||
# "/var/lib/matrix-synapse/hookshot-registration.yml"
|
# "/var/lib/matrix-synapse/hookshot-registration.yml"
|
||||||
# "/var/lib/matrix-synapse/telegram-registration.yaml"
|
# "/var/lib/matrix-synapse/telegram-registration.yaml"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
auto_join_rooms = [ "#general:${domain}" "#music:${domain}" "#movies:${domain}" ];
|
||||||
|
|
||||||
oidc_providers = [{
|
oidc_providers = [{
|
||||||
idp_id = "keycloak";
|
idp_id = "keycloak";
|
||||||
idp_name = "Architect SSO";
|
idp_name = "Architect SSO";
|
||||||
@ -35,6 +39,7 @@ in
|
|||||||
user_mapping_provider.config = {
|
user_mapping_provider.config = {
|
||||||
localpart_template = "{{ user.preferred_username }}";
|
localpart_template = "{{ user.preferred_username }}";
|
||||||
display_name_template = "{{ user.name }}";
|
display_name_template = "{{ user.name }}";
|
||||||
|
confirm_localpart = true;
|
||||||
};
|
};
|
||||||
backchannel_logout_enabled = true;
|
backchannel_logout_enabled = true;
|
||||||
}];
|
}];
|
||||||
|
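Review bot: `enable_registration = false;` together with `password_config.enabled = false;` leaves the Keycloak provider below as the only way an account can come into existence, and as far as I recall Synapse still creates a local account on first SSO login regardless of `enable_registration`; that is presumably intended, but a comment would keep the pair from being read as "no new accounts at all": `# Accounts are provisioned solely via the OIDC provider below; SSO logins still register new users.` The new `auto_join_rooms` entries also rely on Synapse auto-creating rooms that do not exist yet, which, if the defaults are unchanged, happens on behalf of the first user to join and with a public preset; if these rooms should be members-only, pre-create them or set `autocreate_auto_join_room_preset` accordingly. The enclosing `settings` attribute set starts and ends outside this hunk.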
@ -1,10 +1,11 @@
|
|||||||
{ lib, pkgs, ... }:
|
{ lib, pkgs, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
domain = "music.giugl.io";
|
domain = "music.runas.rocks";
|
||||||
network = import ./network.nix;
|
network = import ./network.nix;
|
||||||
library_path = "/media/Music";
|
library_path = "/media/Music";
|
||||||
beets_config = "/media/beets.conf";
|
beets_config = "/media/beets.conf";
|
||||||
|
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
||||||
in {
|
in {
|
||||||
services = {
|
services = {
|
||||||
navidrome = {
|
navidrome = {
|
||||||
@ -27,12 +28,8 @@ in {
|
|||||||
enableACME = true;
|
enableACME = true;
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://127.0.0.1:4533";
|
proxyPass = "http://127.0.0.1:4533";
|
||||||
# extraConfig = ''
|
|
||||||
# allow 10.0.0.0/24;
|
|
||||||
# ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
|
|
||||||
# deny all;
|
|
||||||
# '';
|
|
||||||
};
|
};
|
||||||
|
extraConfig = auth_block { access_role = "navidrome"; };
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
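Review bot: `extraConfig = auth_block { access_role = "navidrome"; };` sits at the virtualHost level, so whatever `openresty_oidc_block` emits lands in the `server` block and applies to every path, including Navidrome's Subsonic API under `/rest/`, which clients authenticate with their own user/token query parameters and cannot complete a browser OIDC redirect; unless the helper exempts that prefix (I cannot see `./openid.nix` here), Subsonic clients will stop working once this is deployed. Consider scoping the block to `locations."/"` with a separate pass-through `locations."/rest/"`, or confirm the helper already whitelists it and say so in a comment next to this line. Separately, `network = import ./network.nix;` no longer has a user in this file now that the commented allow-list is gone and can be dropped. The enclosing `services.nginx.virtualHosts` entry starts outside this hunk.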
@ -24,7 +24,7 @@ in {
|
|||||||
hostName = domain;
|
hostName = domain;
|
||||||
https = true;
|
https = true;
|
||||||
package = pkgs.unstable.nextcloud25;
|
package = pkgs.unstable.nextcloud25;
|
||||||
|
datadir = "/services/nextcloud";
|
||||||
caching = {
|
caching = {
|
||||||
redis = true;
|
redis = true;
|
||||||
};
|
};
|
||||||
|
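Review bot: `datadir = "/services/nextcloud";` moves the data directory away from the module default (which, if I read the module right, follows `services.nextcloud.home`), and on an already-installed instance the existing user data and `config/config.php` are not migrated by the module; the first activation after this change will either start a fresh instance or fail its install check depending on what is at that path. If this host already ran Nextcloud, move the directory over and verify it is owned by the `nextcloud` user before deploying, and record that here: `datadir = "/services/nextcloud"; # existing data must be moved here by hand; the module does not migrate it`. The enclosing `services.nextcloud` block starts and ends outside this hunk.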
@ -70,5 +70,5 @@ in {
|
|||||||
|
|
||||||
programs.steam.enable = true;
|
programs.steam.enable = true;
|
||||||
environment.systemPackages = with pkgs; [ efibootmgr nvidia-offload ];
|
environment.systemPackages = with pkgs; [ efibootmgr nvidia-offload ];
|
||||||
system.stateVersion = "21.05"; # Did you read the comment?
|
# system.stateVersion = "21.05"; # Did you read the comment?
|
||||||
}
|
}
|
||||||
|
@ -1,73 +0,0 @@
|
|||||||
{ pkgs, config, ... }:
|
|
||||||
|
|
||||||
let
|
|
||||||
public_ip = "23.88.108.216";
|
|
||||||
realm = "turn.giugl.io";
|
|
||||||
static-auth-secret = "69duck duck fuck420";
|
|
||||||
in {
|
|
||||||
services.coturn = rec {
|
|
||||||
inherit realm static-auth-secret;
|
|
||||||
|
|
||||||
secure-stun = true;
|
|
||||||
enable = true;
|
|
||||||
no-cli = true;
|
|
||||||
no-tcp-relay = true;
|
|
||||||
min-port = 49000;
|
|
||||||
max-port = 50000;
|
|
||||||
use-auth-secret = true;
|
|
||||||
relay-ips = [ public_ip ];
|
|
||||||
listening-ips = [ public_ip ];
|
|
||||||
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
|
|
||||||
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
|
|
||||||
extraConfig = ''
|
|
||||||
verbose
|
|
||||||
|
|
||||||
cipher-list=\"HIGH\"
|
|
||||||
no-multicast-peers
|
|
||||||
denied-peer-ip=0.0.0.0-0.255.255.255
|
|
||||||
denied-peer-ip=10.0.0.0-10.255.255.255
|
|
||||||
denied-peer-ip=100.64.0.0-100.127.255.255
|
|
||||||
denied-peer-ip=127.0.0.0-127.255.255.255
|
|
||||||
denied-peer-ip=169.254.0.0-169.254.255.255
|
|
||||||
denied-peer-ip=172.16.0.0-172.31.255.255
|
|
||||||
denied-peer-ip=192.0.0.0-192.0.0.255
|
|
||||||
denied-peer-ip=192.0.2.0-192.0.2.255
|
|
||||||
denied-peer-ip=192.88.99.0-192.88.99.255
|
|
||||||
denied-peer-ip=192.168.0.0-192.168.255.255
|
|
||||||
denied-peer-ip=198.18.0.0-198.19.255.255
|
|
||||||
denied-peer-ip=198.51.100.0-198.51.100.255
|
|
||||||
denied-peer-ip=203.0.113.0-203.0.113.255
|
|
||||||
denied-peer-ip=240.0.0.0-255.255.255.255
|
|
||||||
denied-peer-ip=::1
|
|
||||||
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
|
|
||||||
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
|
|
||||||
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
|
|
||||||
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
|
|
||||||
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
|
||||||
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
|
||||||
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
networking.firewall = {
|
|
||||||
interfaces.ens3 = let
|
|
||||||
range = with config.services.coturn; [{
|
|
||||||
from = min-port;
|
|
||||||
to = max-port;
|
|
||||||
}];
|
|
||||||
in {
|
|
||||||
allowedUDPPortRanges = range;
|
|
||||||
allowedUDPPorts = [ 5349 ];
|
|
||||||
#allowedTCPPortRanges = range;
|
|
||||||
allowedTCPPorts = [ 80 443 5349 ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.nginx.enable = true;
|
|
||||||
services.nginx.virtualHosts.${realm} = {
|
|
||||||
addSSL = true;
|
|
||||||
enableACME = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
# to access the ACME files
|
|
||||||
users.groups.nginx.members = [ "turnserver" ];
|
|
||||||
}
|
|
@ -1,26 +0,0 @@
|
|||||||
{ config, pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
imports =
|
|
||||||
[ ./hardware-configuration.nix ./coturn.nix ./wireguard.nix ./ssh.nix ];
|
|
||||||
|
|
||||||
boot.loader.grub = {
|
|
||||||
enable = true;
|
|
||||||
version = 2;
|
|
||||||
devices = [ "/dev/sda" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
system.stateVersion = "21.05";
|
|
||||||
|
|
||||||
networking = {
|
|
||||||
useDHCP = false;
|
|
||||||
hostName = "proxy";
|
|
||||||
nameservers = [ "10.4.0.2" "1.1.1.1" ];
|
|
||||||
|
|
||||||
interfaces.ens3.useDHCP = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
users.users.root.openssh.authorizedKeys.keys = [
|
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCuURERnIFe2XbNu6AsPe2DO11RuaHxVGUcaoJUsIB1F+VOggOVLhxSenOPYLm6NvvGeXVi95G5Sm1UZRcJEEkvxus4bSViV4t/Q2azfYFE27yRH/IeMMoWNPGYNm5Bok2qFb4vHifra9FffwXnOzr0nDDTdHXCft4TO5nsenLJwqu5zOO1CR7J52otY7LheNPyzbGxgIkB3Y7LeOj1+/xXSOJ379NOL2RQBobsg7k442WCX7tU6AC1ct3W+93tcJUUdzJKTT9TJ+XmhdjXNWhDd+QZUNAMr+nKoEdExHp0H40/wIhcLD2OV95gX4i/YBzCg4OQOqZqWiibiEQfGTSAh5aD+nX/PqjXf0XSLEUOA81biLFu28oO8gocjwnhgqmlghvO4SG1rs6uZ8EyPyWsrVMjy8B9FX4aloKqua3aicgC+upjLl3x+KkMJizlMB5Ew7KOjPsjXwMqeJmeBOEd6TSEctttR+lIp+/368FtwXeBxzx9MBT4620mnjWtVKM= giulio@gAluminum"
|
|
||||||
];
|
|
||||||
}
|
|
@ -1,22 +0,0 @@
|
|||||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
|
||||||
# and may be overwritten by future invocations. Please make changes
|
|
||||||
# to /etc/nixos/configuration.nix instead.
|
|
||||||
{ config, lib, pkgs, modulesPath, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
|
|
||||||
|
|
||||||
boot.initrd.availableKernelModules =
|
|
||||||
[ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
|
|
||||||
boot.initrd.kernelModules = [ ];
|
|
||||||
boot.kernelModules = [ ];
|
|
||||||
boot.extraModulePackages = [ ];
|
|
||||||
|
|
||||||
fileSystems."/" = {
|
|
||||||
device = "/dev/disk/by-uuid/8b5bcd4a-02b8-4e11-b856-eda792b8b7b8";
|
|
||||||
fsType = "ext4";
|
|
||||||
};
|
|
||||||
|
|
||||||
swapDevices = [ ];
|
|
||||||
|
|
||||||
}
|
|
@ -1,15 +0,0 @@
|
|||||||
{ config, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
services = {
|
|
||||||
fail2ban.enable = true;
|
|
||||||
|
|
||||||
openssh = {
|
|
||||||
permitRootLogin = "prohibit-password";
|
|
||||||
passwordAuthentication = false;
|
|
||||||
enable = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 22 ];
|
|
||||||
}
|
|
@ -1,42 +0,0 @@
|
|||||||
{ config, ... }:
|
|
||||||
|
|
||||||
let
|
|
||||||
wg_if = "wg0";
|
|
||||||
wan_if = "ens3";
|
|
||||||
in {
|
|
||||||
networking = {
|
|
||||||
firewall.allowedUDPPorts = [ 1195 ];
|
|
||||||
|
|
||||||
nat = {
|
|
||||||
enable = true;
|
|
||||||
externalInterface = wan_if;
|
|
||||||
internalInterfaces = [ wg_if ];
|
|
||||||
forwardPorts = [{
|
|
||||||
destination = "10.4.0.2:1194";
|
|
||||||
proto = "udp";
|
|
||||||
sourcePort = 1194;
|
|
||||||
}];
|
|
||||||
};
|
|
||||||
|
|
||||||
wireguard = {
|
|
||||||
interfaces.${wg_if} = {
|
|
||||||
listenPort = 1195;
|
|
||||||
ips = [ "10.4.0.1/24" ];
|
|
||||||
privateKeyFile = "/secrets/wireguard/server.key";
|
|
||||||
|
|
||||||
postSetup = ''
|
|
||||||
/run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o ${wg_if} -j MASQUERADE
|
|
||||||
'';
|
|
||||||
|
|
||||||
postShutdown = ''
|
|
||||||
/run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o ${wg_if} -j MASQUERADE
|
|
||||||
'';
|
|
||||||
|
|
||||||
peers = [{
|
|
||||||
allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ];
|
|
||||||
publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA=";
|
|
||||||
}];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
@ -31,6 +31,7 @@
|
|||||||
extraSpecialArgs.unstable = unstable;
|
extraSpecialArgs.unstable = unstable;
|
||||||
useGlobalPkgs = true;
|
useGlobalPkgs = true;
|
||||||
};
|
};
|
||||||
|
system.stateVersion = "22.11";
|
||||||
}
|
}
|
||||||
|
|
||||||
home-manager.nixosModules.home-manager
|
home-manager.nixosModules.home-manager
|
||||||
|
@ -35,7 +35,6 @@
|
|||||||
username = name;
|
username = name;
|
||||||
homeDirectory =
|
homeDirectory =
|
||||||
if pkgs.stdenv.isLinux then "/home/${name}" else "/Users/${name}";
|
if pkgs.stdenv.isLinux then "/home/${name}" else "/Users/${name}";
|
||||||
stateVersion = "22.05";
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
(mkRole "common")
|
(mkRole "common")
|
||||||
|
@ -11,7 +11,7 @@
|
|||||||
i18n.defaultLocale = "en_US.UTF-8";
|
i18n.defaultLocale = "en_US.UTF-8";
|
||||||
|
|
||||||
nix = {
|
nix = {
|
||||||
autoOptimiseStore = true;
|
settings.auto-optimise-store = true;
|
||||||
package = pkgs.nixUnstable;
|
package = pkgs.nixUnstable;
|
||||||
extraOptions = ''
|
extraOptions = ''
|
||||||
experimental-features = nix-command flakes
|
experimental-features = nix-command flakes
|
||||||
|
@ -3,5 +3,8 @@
|
|||||||
{
|
{
|
||||||
imports = [ ./zsh.nix ./git.nix ./helix.nix ];
|
imports = [ ./zsh.nix ./git.nix ./helix.nix ];
|
||||||
|
|
||||||
home = { packages = with pkgs; [ rizin sshfs victor-mono home-manager ]; };
|
home = {
|
||||||
|
packages = with pkgs; [ rizin sshfs victor-mono home-manager ];
|
||||||
|
stateVersion = "22.11";
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|