peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: peperunas:a546edc30d781c41ef2167d901e85751d7126be5
Branches Tags
peperunas:master
peperunas:nixos-21.11
peperunas:laptopshit
..
compare: peperunas:d9ef1939b2d9456a80a32ec55c7ea083762c499c
Branches Tags
peperunas:master
peperunas:nixos-21.11
peperunas:laptopshit

No commits in common. "a546edc30d781c41ef2167d901e85751d7126be5" and "d9ef1939b2d9456a80a32ec55c7ea083762c499c" have entirely different histories.
a546edc30d ... d9ef1939b2

12 changed files with 153 additions and 206 deletions
Show Stats Expand all files Collapse all files

24
flake.lock generated
View File

@ -38,11 +38,11 @@
]
},
"locked": {
"lastModified": 1667907331,
"narHash": "sha256-bHkAwkYlBjkupPUFcQjimNS8gxWSWjOTevEuwdnp5m0=",
"lastModified": 1665475263,
"narHash": "sha256-T4at7d+KsQNWh5rfjvOtQCaIMWjSDlSgQZKvxb+LcEY=",
"owner": "rycee",
"repo": "home-manager",
"rev": "6639e3a837fc5deb6f99554072789724997bc8e5",
"rev": "17208be516fc36e2ab0ceb064d931e90eb88b2a3",
"type": "github"
},
"original": {
@ -54,11 +54,11 @@
},
"nixos-unstable": {
"locked": {
"lastModified": 1669721229,
"narHash": "sha256-4Sh+gXzEVHI6E/8c7OgDW60tYKh9ZGPVoL2YXlC2Yk0=",
"lastModified": 1665672983,
"narHash": "sha256-V7Va7CRKmQRy95xSdlga5nV7q3/PusZwNAF/leb5PcU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "46eabb1198af88c73036edecdf6950c19be33308",
"rev": "bb2fb1524795f2d720cd13a2eb4d35d3a7a0d888",
"type": "github"
},
"original": {
@ -70,11 +70,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1669546925,
"narHash": "sha256-Gvtk9agz88tBgqmCdHl5U7gYttTkiuEd8/Rq1Im0pTg=",
"lastModified": 1665596265,
"narHash": "sha256-H7Ku1SF+7zDEqw8QOyEDA5blMJQW9MvdfgB+K3KJNLw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fecf05d4861f3985e8dee73f08bc82668ef75125",
"rev": "9234f5a17e1a7820b5e91ecd4ff0de449e293383",
"type": "github"
},
"original": {
@ -115,11 +115,11 @@
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1669558651,
"narHash": "sha256-0oZd2rdg2050yapyjX7zMWsYWptFp55YFHoEFgsVrN0=",
"lastModified": 1665671907,
"narHash": "sha256-+YXxqH7OROLJ9G4va5BZb4a8aIzulaUZbnH+R1iWoaw=",
"owner": "m15a",
"repo": "nixpkgs-vim-extra-plugins",
"rev": "38107b1aceaccc2ac14a4697bbcea3d70fd016f6",
"rev": "6c1624b0942cdecf7f30aa4d411cb3578bc29a38",
"type": "github"
},
"original": {

7
flake.nix
View File

@ -33,7 +33,7 @@
};
pkgsX64 = wrapPkgsSystem { system = x64System; };
unstableX64 = wrapUnstablePkgsSystem { system = x64System; };
unstableX64 = wrapPkgsSystem { system = x64System; };
utilsX64 = import ./lib {
inherit nixpkgs nixos-unstable home-manager;
pkgs = pkgsX64;
@ -42,15 +42,14 @@
};
pkgsDarwin = wrapPkgsSystem { system = darwinSystem; };
unstableDarwin = wrapUnstablePkgsSystem { system = darwinSystem; };
unstableDarwin = wrapPkgsSystem { system = darwinSystem; };
utilsDarwin = import ./lib {
inherit nixpkgs nixos-unstable home-manager;
pkgs = pkgsDarwin;
unstable = unstableDarwin;
system = darwinSystem;
};
in
{
in {
nixosConfigurations = {
architect = utilsX64.host.mkHost {
name = "architect";

6
hosts/architect/calibre.nix
View File

@ -3,9 +3,7 @@
let
domain = "books.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in
{
in {
services = {
calibre-web = {
enable = true;
@ -23,7 +21,7 @@ in
proxyPass = "http://127.0.0.1:8083";
extraConfig = ''
client_max_body_size 500M;
'' + auth_block { access_role = "calibre"; };
'';
};
};
};

1
hosts/architect/firewall.nix
View File

@ -29,7 +29,6 @@ let
gitea_tcp
torrent_a
torrent_b
minecraft_tcp
];
open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
wireguard_udp

8
hosts/architect/gitea.nix
View File

@ -3,8 +3,7 @@
let
domain = "git.giugl.io";
network = import ./network.nix;
in
{
in {
services.gitea = {
enable = true;
database.type = "sqlite3";
@ -12,10 +11,7 @@ in
appName = "Gitea";
rootUrl = "https://${domain}";
ssh.clonePort = 22;
settings = {
server.LFS_START_SERVER = true;
openid.enable_openid_signin = true;
};
settings.server.LFS_START_SERVER = true;
};
services.nginx.virtualHosts.${domain} = {

39
hosts/architect/jellyfin.nix
View File

@ -1,11 +1,9 @@
{ pkgs, lib, ... }:
{ pkgs, ... }:
let
network = import ./network.nix;
domain = "media.giugl.io";
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in
{
in {
disabledModules = [ "services/misc/jellyfin.nix" ];
imports = [ ./modules/jellyfin.nix ];
@ -19,31 +17,30 @@ in
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
extraConfig = auth_block { access_role = "jellyfin"; } +
''
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
'';
extraConfig = ''
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
'';
locations."/" = {
proxyPass = "http://127.0.0.1:8096";
# extraConfig = ''
# allow 10.0.0.0/24;
# allow 10.3.0.0/24;
# deny all;
# '';
# extraConfig = ''
# allow 10.0.0.0/24;
# allow 10.3.0.0/24;
# deny all;
# '';
};
locations."/socket" = {
proxyPass = "http://127.0.0.1:8096";
proxyWebsockets = true;
# extraConfig = ''
# allow 10.0.0.0/24;
# allow 10.3.0.0/24;
# deny all;
# '';
# extraConfig = ''
# allow 10.0.0.0/24;
# allow 10.3.0.0/24;
# deny all;
# '';
};
};
};

74
hosts/architect/matrix.nix
View File

@ -1,44 +1,28 @@
{ pkgs, lib, ... }:
{ pkgs, ... }:
let
domain = "runas.rocks";
webui_domain = "webchat.runas.rocks";
domain = "matrix.giugl.io";
webui_domain = "chat.giugl.io";
network = import ./network.nix;
db_name = "matrix-synapse-runas.rocks";
in
{
db_name = "matrix-synapse";
in {
services = {
matrix-synapse = {
enable = true;
settings = {
server_name = "${domain}";
database.args.database = db_name;
database_name = db_name;
public_baseurl = "https://${domain}";
registration_shared_secret = "runas!";
url_preview_enabled = true;
dynamic_thumbnails = true;
withJemalloc = true;
# enable_registration = true;
app_service_config_files = [
"/var/lib/matrix-synapse/discord-registration.yaml"
# "/var/lib/matrix-synapse/hookshot-registration.yml"
# "/var/lib/matrix-synapse/telegram-registration.yaml"
];
oidc_providers = [{
idp_id = "keycloak";
idp_name = "Architect SSO";
issuer = "https://auth.giugl.io/realms/master";
client_id = "synapse";
client_secret = "hj7dkbAI75jIeggr1cW0JTRzAdvJUtq6";
scopes = [ "openid" "profile" ];
user_profile_method = "userinfo_endpoint";
user_mapping_provider.config = {
localpart_template = "{{ user.preferred_username }}";
display_name_template = "{{ user.name }}";
};
backchannel_logout_enabled = true;
}];
listeners = [{
port = 8008;
bind_addresses = [ "127.0.0.1" ];
@ -51,11 +35,18 @@ in
}];
}];
};
#extraConfig = ''
# auto_join_rooms:
# - "#general:matrix.giugl.io"
# max_upload_size: "50M"
#'';
};
postgresql = {
enable = true;
package = pkgs.postgresql;
ensureDatabases = [ db_name ];
ensureUsers = [{
name = db_name;
ensurePermissions = { "DATABASE \"${db_name}\"" = "ALL PRIVILEGES"; };
@ -72,25 +63,22 @@ in
'';
locations."= /.well-known/matrix/server".extraConfig =
let server = { "m.server" = "${domain}:443"; };
in
''
in ''
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
locations."= /.well-known/matrix/client".extraConfig =
let
client = {
"m.homeserver" = { "base_url" = "https://${domain}:443"; };
"m.identity_server" = { "base_url" = "https://vector.im"; };
};
# ACAO required to allow element-web on any URL to request this json file
in
''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
locations."= /.well-known/matrix/client".extraConfig = let
client = {
"m.homeserver" = { "base_url" = "https://${domain}:443"; };
"m.identity_server" = { "base_url" = "https://vector.im"; };
};
# ACAO required to allow element-web on any URL to request this json file
in ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
locations."/".extraConfig = ''
return 404;
@ -100,10 +88,6 @@ in
locations."/_matrix" = {
proxyPass = "http://127.0.0.1:8008"; # without a trailing /
};
locations."/_synapse" = {
proxyPass = "http://127.0.0.1:8008"; # without a trailing /
};
};
# web client
@ -130,7 +114,7 @@ in
# It's also possible to use PostgreSQL.
settings = {
bridge = {
inherit domain;
domain = domain;
homeserverUrl = "https://${domain}";
};
};
@ -138,8 +122,8 @@ in
};
networking.extraHosts = ''
${network.architect-lan} ${lib.concatStringsSep " " [ domain webui_domain]}
${network.architect-wg} ${lib.concatStringsSep " " [ domain webui_domain ]}
${network.architect-lan} ${domain} ${webui_domain}
${network.architect-wg} ${domain} ${webui_domain}
'';
}

2
hosts/architect/navidrome.nix
View File

@ -57,7 +57,7 @@ in {
ExecStart =
"${pkgs.beets}/bin/beet -c ${beets_config} import --flat -q ${library_path}";
};
startAt = "weekly";
startAt = "daily";
};
"remove-badmp3" = {

10
hosts/architect/network.nix
View File

@ -19,9 +19,9 @@ rec {
proxy-wg = "10.4.0.1";
architect-wg = "10.3.0.1";
giuliopc-wg = "10.3.0.2";
giuliophone-wg = "10.3.0.3";
giuliodeck-wg = "10.3.0.4";
galuminum-wg = "10.3.0.2";
oneplus-wg = "10.3.0.3";
ipad-wg = "10.3.0.4";
manduria-wg = "10.3.0.5";
antonio-wg = "10.3.0.6";
gbeast-wg = "10.3.0.7";
@ -57,14 +57,14 @@ rec {
# groups
gdevices-wg =
[ giuliopc-wg giuliophone-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg;
[ galuminum-wg oneplus-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg;
routers-wg = [ hotpottino-wg angellane-wg dodino-wg ];
c2c-wg = [ ] ++ gdevices-wg;
towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg parina-ipad-wg ]
++ gdevices-wg ++ routers-wg;
gamenet-wg = [
andrew-wg
giuliopc-wg
galuminum-wg
gbeast-wg
mikey-wg
andrewdesktop-wg

116
hosts/architect/nginx.nix
View File

@ -1,24 +1,6 @@
{ services, pkgs, lib, ... }:
let
serviceSkeleton = { default ? false }: {
inherit default;
enableACME = true;
forceSSL = true;
root = "/var/lib/nginx/error_pages";
extraConfig = "error_page 404 /index.htm;";
locations = {
"/" = { return = "404"; };
"/index.htm" = { };
"/style.css" = { };
"/wat.jpg" = { };
};
};
in {
{
services.nginx = {
enable = true;
package = pkgs.openresty;
@ -27,59 +9,61 @@ in {
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."architect.devs.giugl.io" = serviceSkeleton { default = true; };
virtualHosts."runas.rocks" = serviceSkeleton {};
appendHttpConfig =
let
extraPureLuaPackages = with pkgs.luajitPackages; [
lua-resty-openidc
lua-resty-http
lua-resty-session
lua-resty-jwt
lua-resty-openssl
];
luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
makeLuaPath = lib.concatMapStringsSep ";" luaPath;
in
''
lua_package_path '${makeLuaPath extraPureLuaPackages};;';
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 5;
virtualHosts."architect.devs.giugl.io" = {
default = true;
enableACME = true;
addSSL = true;
root = "/var/lib/nginx/error_pages";
extraConfig = "error_page 404 /index.htm;";
# cache for OIDC discovery metadata
lua_shared_dict discovery 1m;
lua_shared_dict jwks 1m;
locations = {
"/" = { return = "404"; };
# https://github.com/openresty/lua-resty-redis/issues/159
resolver local=on ipv6=off;
"/index.htm" = { };
init_worker_by_lua_block {
function check_role (res, role)
if res.user.roles == nil then
return false
end
"/style.css" = { };
for _,v in pairs(res.user.roles) do
if string.lower(v) == role then
return true
end
end
"/wat.jpg" = { };
};
};
appendHttpConfig = let
extraPureLuaPackages = with pkgs.luajitPackages; [
lua-resty-openidc
lua-resty-http
lua-resty-session
lua-resty-jwt
lua-resty-openssl
];
luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
makeLuaPath = lib.concatMapStringsSep ";" luaPath;
in ''
lua_package_path '${makeLuaPath extraPureLuaPackages};;';
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 5;
return false
# cache for OIDC discovery metadata
lua_shared_dict discovery 1m;
lua_shared_dict jwks 1m;
# https://github.com/openresty/lua-resty-redis/issues/159
resolver local=on ipv6=off;
init_worker_by_lua_block {
function check_role (res, role)
if res.user.roles == nil then
return false
end
for _,v in pairs(res.user.roles) do
if string.lower(v) == role then
return true
end
function is_ip_whitelisted(ip, whitelist)
for _, x in ipairs(whitelist) do
if ip == x then
return true
end
end
return false
end
}
'';
end
return false
end
}
'';
appendConfig = ''
worker_processes 24;

47
hosts/architect/openid.nix
View File

@ -2,7 +2,7 @@
{
openresty_oidc_block =
{ access_role ? "", whitelisted_ips ? [] }: ''
{ access_role ? "" }: ''
access_by_lua_block {
local opts = {
discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
@ -12,37 +12,26 @@
redirect_after_logout_uri = "/",
redirect_uri = "/redirect_uri",
keepalive = "yes",
accept_none_alg = true,
revoke_tokens_on_logout = true,
-- access token valid for a day
access_token_expires_in = 86400
}
accept_none_alg = true
}
${lib.optionalString (whitelisted_ips != []) ''
local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}
if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
return
end
''}
-- call introspect for OAuth 2.0 Bearer Access Token validation
local res, err = require("resty.openidc").authenticate(opts)
-- call introspect for OAuth 2.0 Bearer Access Token validation
local res, err = require("resty.openidc").authenticate(opts)
if err then
ngx.status = 403
ngx.say(err)
ngx.exit(ngx.HTTP_FORBIDDEN)
if err then
ngx.status = 403
ngx.say(err)
ngx.exit(ngx.HTTP_FORBIDDEN)
end
${lib.optionalString (access_role != "") ''
if not check_role(res, "${access_role}") then
ngx.status = 401
ngx.header.content_type = 'text/html';
ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
${lib.optionalString (access_role != "") ''
if not check_role(res, "${access_role}") then
ngx.status = 401
ngx.header.content_type = 'text/html';
ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
''}
''}
}
'';
}

25
hosts/architect/wireguard.nix
View File

@ -2,8 +2,9 @@ with import ./network.nix; {
networking = {
extraHosts = ''
${architect-wg} architect.devs.giugl.io
${giuliopc-wg} giuliopc.devs.giugl.io
${giuliophone-wg} giuliophone.devs.giugl.io
${galuminum-wg} galuminum.devs.giugl.io
${oneplus-wg} oneplus.devs.giugl.io
${ipad-wg} ipad.devs.giugl.io
${manduria-wg} manduria.devs.giugl.io
${antonio-wg} antonio.devs.giugl.io
${gbeast-wg} gbeast.devs.giugl.io
@ -33,7 +34,6 @@ with import ./network.nix; {
${parina-ipad-wg} parinaipad.devs.giugl.io
${nilo-wg} nilo.devs.giugl.io
${kclvm-wg} kclvm.devs.giugl.io
${giuliodeck-wg} giuliodeck.devs.giugl.io
'';
wireguard = {
@ -55,17 +55,23 @@ with import ./network.nix; {
peers = [
{
# giuliopc
allowedIPs = [ giuliopc-wg ];
# gAluminum
allowedIPs = [ galuminum-wg ];
publicKey = "pEEgSs7xmO0cfyvoQlU8lfwqdYM1ISgmPAunPtF+0xw=";
}
{
# giuliophone
allowedIPs = [ giuliophone-wg ];
# OnePlus
allowedIPs = [ oneplus-wg ];
publicKey = "zynSERy6VhxN5zBf1ih3BOAHxvigDixHB9YKnSBgYFs=";
}
{
# iPad
allowedIPs = [ ipad-wg ];
publicKey = "DPpd+P/hV1XLuvdcrCRv1sgz8BeZt1y5D6VehNuhjSQ=";
}
{
# Manduria
allowedIPs = [ manduria-wg ];
@ -257,11 +263,6 @@ with import ./network.nix; {
allowedIPs = [ kclvm-wg ];
publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE=";
}
{
# Giulio's Deck
allowedIPs = [ giuliodeck-wg ];
publicKey = "7TGYsYvElTLY3V7qJfggkF+kFG7Y5sUsHA88h0cYJx0=";
}
];
};
};