peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: peperunas:a84d6fe16374d394515474957abaa28aae972f0c
Branches Tags
peperunas:master
peperunas:nixos-21.11
peperunas:laptopshit
..
compare: peperunas:685ff000d75ff3bdda2fd001d72a877e501882e0
Branches Tags
peperunas:master
peperunas:nixos-21.11
peperunas:laptopshit

No commits in common. "a84d6fe16374d394515474957abaa28aae972f0c" and "685ff000d75ff3bdda2fd001d72a877e501882e0" have entirely different histories.
a84d6fe163 ... 685ff000d7

19 changed files with 33 additions and 238 deletions
Show Stats Expand all files Collapse all files

10
flake.nix
View File

@ -6,10 +6,9 @@
url = "github:rycee/home-manager/release-21.11";
inputs.nixpkgs.follows = "nixpkgs";
};
navidrome.url = "github:antifuchs/nixpkgs/fix-151550";
};
outputs = inputs@{ self, nixpkgs, nixos-unstable, home-manager, navidrome}:
outputs = inputs@{ self, nixpkgs, nixos-unstable, home-manager }:
let
system = "x86_64-linux";
@ -38,13 +37,6 @@
user = "giulio";
roles = [ ];
}];
imports = [
{
disabledModules = [ "services/audio/navidrome.nix" ];
imports =
[ (navidrome + "/nixos/modules/services/audio/navidrome.nix") ];
}
];
};
gAluminum = host.mkHost {
name = "gAluminum";

5
hosts/architect/bazarr.nix
View File

@ -5,10 +5,7 @@ let
network = import ./network.nix;
in {
services = {
bazarr = {
enable = true;
group = "media";
};
bazarr.enable = true;
nginx.virtualHosts.${domain} = {
forceSSL = true;

19
hosts/architect/default.nix
View File

@ -23,19 +23,15 @@ in {
./matrix.nix
./fail2ban.nix
./dns.nix
./minecraft.nix
# ./minecraft.nix
./prowlarr.nix
./plex.nix
./transmission.nix
# ./transmission.nix
./githubrunner.nix
./libreddit.nix
./invidious.nix
./nitter.nix
./ccache.nix
./lidarr.nix
./navidrome.nix
./jellyfin.nix
./prosody.nix
];
time.timeZone = "Europe/Rome";
@ -48,12 +44,7 @@ in {
"ip=${network.architect-lan}::10.0.0.1:255.255.255.0::${network.wan-if}:off"
"nvme_core.default_ps_max_latency_us=5500"
];
kernel.sysctl= {
"net.ipv4.ip_forward" = 1;
"fs.protected_regular" = 0;
};
kernel.sysctl."net.ipv4.ip_forward" = 1;
initrd = {
availableKernelModules = [ "igc" "r8169" ];
network = {
@ -82,7 +73,7 @@ in {
supportedFilesystems = [ "zfs" ];
zfs.requestEncryptionCredentials = true;
tmpOnTmpfsSize = "80%";
tmpOnTmpfsSize = "150%";
};
networking = {
@ -106,7 +97,7 @@ in {
${network.dvr-lan} dvr.devs.giugl.io
${network.nas-lan} nas.devs.giugl.io
192.168.1.1 vodafone.station
# Blacklist
0.0.0.0 metrics.plex.tv
0.0.0.0 analytics.plex.tv

2
hosts/architect/firewall.nix
View File

@ -9,12 +9,10 @@ let
443 # https
8448 # matrix
10022 # gitea
30303
51413 # transmission
];
open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
1194 # wireguard
30303
51413 # transmission
];
open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [

2
hosts/architect/hardware.nix
View File

@ -44,7 +44,7 @@
swapDevices = [{
device = "/dev/sdc1";
size = 10000;
size = 100000;
}];
}

15
hosts/architect/jellyfin.nix
View File

@ -1,9 +1,6 @@
{ pkgs, ... }:
let
network = import ./network.nix;
domain = "jellyfin.giugl.io";
in {
with import ./network.nix; {
disabledModules = [ "services/misc/jellyfin.nix" ];
imports = [ ./modules/jellyfin.nix ];
@ -13,9 +10,9 @@ in {
package = pkgs.unstable.jellyfin;
};
nginx.virtualHosts.${domain} = {
# forceSSL = true;
# enableACME = true;
nginx.virtualHosts.${mediadomain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8096";
extraConfig = ''
@ -28,8 +25,8 @@ in {
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
${architect-lan} ${mediadomain}
${architect-wg} ${mediadomain}
'';
users.groups.media.members = [ "jellyfin" ];

2
hosts/architect/libreddit.nix
View File

@ -1,4 +1,4 @@
{ lib, pkgs, ... }:
{ lib, ... }:
let
domain = "reddit.giugl.io";

34
hosts/architect/lidarr.nix
View File

@ -1,34 +0,0 @@
{ lib, ... }:
let
domain = "htlid.giugl.io";
network = import ./network.nix;
in {
services = {
lidarr = {
enable = true;
group = "media";
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8686";
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
deny 10.0.0.1;
'';
};
};
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
users.groups.media.members = [ "lidarr" ];
}

50
hosts/architect/matrix.nix
View File

@ -12,13 +12,11 @@ in {
database_name = "synapse";
public_baseurl = "https://${domain}";
registration_shared_secret = "runas!";
url_preview_enabled = true;
dynamic_thumbnails = true;
withJemalloc = true;
# enable_registration = true;
app_service_config_files = [
"/var/lib/matrix-synapse/discord-registration.yaml"
# "/var/lib/matrix-synapse/telegram-registration.yaml"
"/var/lib/matrix-synapse/telegram-registration.yaml"
];
extraConfig = ''
auto_join_rooms:
@ -44,33 +42,6 @@ in {
];
turn_shared_secret = "69duck duck fuck420";
turn_user_lifetime = "1h";
logConfig = ''
version: 1
# In systemd's journal, loglevel is implicitly stored, so let's omit it
# from the message text.
formatters:
journal_fmt:
format: '%(name)s: [%(request)s] %(message)s'
filters:
context:
(): synapse.util.logcontext.LoggingContextFilter
request: ""
handlers:
journal:
class: systemd.journal.JournalHandler
formatter: journal_fmt
filters: [context]
SYSLOG_IDENTIFIER: synapse
root:
level: WARN
handlers: [journal]
disable_existing_loggers: False
'';
};
postgresql = {
@ -121,24 +92,19 @@ in {
};
# web client
"${webui_domain}" = {
enableACME = true;
forceSSL = true;
# root = pkgs.element-web.override {
# conf = {
# default_server_config."m.homeserver" = {
# "base_url" = "https://${domain}";
# "server_name" = "${domain}";
# };
# };
# };
root = pkgs.unstable.cinny.override {
root = pkgs.element-web.override {
conf = {
homeserverList = [ "${domain}" ];
defaultHomeserver = 0;
default_server_config."m.homeserver" = {
"base_url" = "https://${domain}";
"server_name" = "${domain}";
};
};
};
};
};
};

53
hosts/architect/navidrome.nix
View File

@ -1,53 +0,0 @@
{ lib, pkgs, ... }:
let
domain = "music.giugl.io";
network = import ./network.nix;
in {
services = {
navidrome = {
enable = true;
settings = {
MusicFolder = "/media/Music";
LastFM.enable = true;
LastFM.ApiKey = "5cef5cb5f9d31326b97d0f929ca9cf20";
LastFM.Secret = "d1296896126f4caae47407aecf080b25";
Spotify.ID = "3900c029b4f34f3fb61d554dda64794d";
Spotify.Secret = "d931ce5575a9401aa5ff8d37558cca0a";
EnableGravatar = true;
LogLevel = "WARN";
};
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:4533";
# extraConfig = ''
# allow 10.0.0.0/24;
# ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
# deny all;
# '';
};
};
};
systemd.services."beets-rename" = {
enable = true;
serviceConfig = {
Type = "oneshot";
ExecStart =
"${pkgs.findutils}/bin/find /media/Music -type d -mindepth 2 -maxdepth 2 -exec ${pkgs.beets}/bin/beet -c /media/config.conf import --flat -q {} \\;";
};
startAt = "daily";
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
users.groups.media.members = [ "navidrome" ];
}

5
hosts/architect/network.nix
View File

@ -44,7 +44,6 @@ rec {
jacopo-wg = "10.3.0.28";
frznn-wg = "10.3.0.29";
ludo-wg = "10.3.0.30";
parina-wg = "10.3.0.31";
eleonora-wg = "10.3.0.100";
angellane-wg = "10.3.0.200";
hotpottino-wg = "10.3.0.201";
@ -53,10 +52,10 @@ rec {
# groups
gdevices-wg =
[ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg wolfsonhouse-wg ];
[ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg ];
routers-wg = [ hotpottino-wg angellane-wg dodino-wg wolfsonhouse-wg ];
c2c-wg = [ ] ++ gdevices-wg;
towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg ] ++ gdevices-wg
towan-wg = [ shield-wg parisaphone-wg parisapc-wg ] ++ gdevices-wg
++ routers-wg;
gamenet-wg = [
andrew-wg

2
hosts/architect/nextcloud.nix
View File

@ -14,7 +14,7 @@ in {
enable = true;
hostName = "${domain}";
https = true;
package = pkgs.unstable.nextcloud23;
package = pkgs.unstable.nextcloud22;
caching.redis = true;

5
hosts/architect/nzbget.nix
View File

@ -5,10 +5,7 @@ let
network = import ./network.nix;
in {
services = {
nzbget = {
enable = true;
group = "media";
};
nzbget.enable = true;
nginx.virtualHosts.${domain} = {
forceSSL = true;

41
hosts/architect/prosody.nix
View File

@ -1,41 +0,0 @@
{ lib, config, ... }:
let
domain = "xmpp.giugl.io";
conference_domain = "conference.${domain}";
upload_domain = "uploads.${domain}";
network = import ./network.nix;
in {
services = {
prosody = {
enable = true;
virtualHosts = {
"${domain}" = {
domain = domain;
enabled = true;
ssl.key = "${config.security.acme.certs.${domain}.directory}/key.pem";
ssl.cert =
"${config.security.acme.certs.${domain}.directory}/fullchain.pem";
};
};
muc = [{ domain = conference_domain; }];
uploadHttp = { domain = upload_domain; };
admins = [ "giulio@${domain}" ];
httpInterfaces = [ "wg0" ];
httpsInterfaces = [ "wg0" ];
};
};
services.nginx.virtualHosts."${domain}".enableACME = true;
#services.nginx.virtualHosts."${conference_domain}".enableACME = true;
#services.nginx.virtualHosts."${upload_domain}".enableACME = true;
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
users.groups.acme.members = [ "prosody" ];
}

5
hosts/architect/radarr.nix
View File

@ -5,10 +5,7 @@ let
network = import ./network.nix;
in {
services = {
radarr = {
enable = true;
group = "media";
};
radarr.enable = true;
nginx.virtualHosts.${domain} = {
forceSSL = true;

5
hosts/architect/sonarr.nix
View File

@ -5,10 +5,7 @@ let
network = import ./network.nix;
in {
services = {
sonarr = {
enable = true;
group = "media";
};
sonarr.enable = true;
nginx.virtualHosts.${domain} = {
forceSSL = true;

4
hosts/architect/transmission.nix
View File

@ -1,4 +1,4 @@
{ lib, config, ... }:
{ lib, config }:
let
domain = "httra.giugl.io";
@ -7,7 +7,6 @@ in {
services = {
transmission = {
enable = true;
group = "media";
settings = {
download-dir = "/media/transmission";
incomplete-dir = "/media/transmission/.incomplete";
@ -16,6 +15,7 @@ in {
speed-limit-up = 10;
speed-limit-up-enabled = true;
peer-port = 51413;
umask = 2;
};
performanceNetParameters = true;
};

7
hosts/architect/wireguard.nix
View File

@ -31,7 +31,6 @@ with import ./network.nix; {
${wolfsonhouse-wg} wolfsonhouse.devs.giugl.io
${frznn-wg} frznn.devs.giugl.io
${ludo-wg} ludo.devs.giugl.io
${parina-wg} parina.devs.giugl.io
'';
wireguard = {
@ -243,12 +242,6 @@ with import ./network.nix; {
allowedIPs = [ ludo-wg ];
publicKey = "ecrxdzx7tQZwMPxZOjHUvxZT2xY79B6XEDIW+fhEtEM=";
}
{
# parina
allowedIPs = [ parina-wg ];
publicKey = "7nubNnfGsg4/7KemMDn9r99mNK8RFU9uOFFqaYv6rUA=";
}
];
};
};

5
lib/host.nix
View File

@ -1,7 +1,7 @@
{ pkgs, nixpkgs, nixos-unstable, unstable, home-manager, user, ... }:
{
mkHost = { name, users, roles ? [], imports ? [] }:
mkHost = { name, users, roles ? [] }:
let
system = "x86_64-linux";
@ -9,13 +9,12 @@
users_mod= (map (u: user.mkUser {name = u.user; roles = u.roles; }) users);
roles_mod = (map (r: mkRole r) roles);
add_imports = imports;
in nixpkgs.lib.nixosSystem {
inherit system;
modules = [
{
imports = users_mod ++ roles_mod ++ add_imports;
imports = users_mod ++ roles_mod;
nixpkgs = {
pkgs = pkgs;
};