Compare commits
6 Commits
be0a1be47d
...
3321ec122a
Author | SHA1 | Date | |
---|---|---|---|
|
3321ec122a | ||
|
47d937e12d | ||
|
f5668462eb | ||
|
be0755bcfe | ||
|
fb74112c15 | ||
|
51d961484e |
19
flake.nix
19
flake.nix
@ -18,26 +18,31 @@
|
||||
wrapPkgsSystem = { system }:
|
||||
import nixpkgs rec {
|
||||
inherit system;
|
||||
unstable = wrapUnstablePkgsSystem { inherit system; };
|
||||
|
||||
unstablePkgs = wrapUnstablePkgsSystem { inherit system; };
|
||||
config.allowUnfree = true;
|
||||
overlays = [
|
||||
(final: prev: { inherit unstable; })
|
||||
(final: prev: { inherit unstablePkgs; })
|
||||
];
|
||||
};
|
||||
|
||||
wrapUnstablePkgsSystem = { system }:
|
||||
import nixos-unstable {
|
||||
inherit system;
|
||||
|
||||
config.allowUnfree = true;
|
||||
};
|
||||
|
||||
wrapUtils = { pkgs, unstable, system }:
|
||||
wrapUtils = { pkgs, unstablePkgs, system }:
|
||||
let
|
||||
inherit (pkgs.lib) makeScope;
|
||||
inherit (pkgs) newScope;
|
||||
in
|
||||
makeScope newScope (self: {
|
||||
makeScope newScope (self: rec {
|
||||
inherit nixpkgs home-manager nixos-unstable;
|
||||
inherit (self.callPackage ./lib/utils.nix { }) mkSysRole mkHomeRole;
|
||||
inherit (user) mkUser;
|
||||
|
||||
user = self.callPackage ./lib/user.nix { };
|
||||
host = self.callPackage ./lib/host.nix { };
|
||||
});
|
||||
@ -45,15 +50,15 @@
|
||||
|
||||
pkgsLinuxX64 = wrapPkgsSystem { system = sysLinuxX64; };
|
||||
unstableLinuxX64 = wrapUnstablePkgsSystem { system = sysLinuxX64; };
|
||||
utilsLinuxX64 = wrapUtils { system = sysLinuxX64; pkgs = pkgsLinuxX64; unstable = unstableLinuxX64; };
|
||||
utilsLinuxX64 = wrapUtils { system = sysLinuxX64; pkgs = pkgsLinuxX64; unstablePkgs = unstableLinuxX64; };
|
||||
|
||||
pkgsLinuxAarch = wrapPkgsSystem { system = sysLinuxAarch; };
|
||||
unstableLinuxAarch = wrapUnstablePkgsSystem { system = sysLinuxAarch; };
|
||||
utilsLinuxAarch = wrapUtils { system = sysLinuxAarch; pkgs = pkgsLinuxAarch; unstable = unstableLinuxAarch; };
|
||||
utilsLinuxAarch = wrapUtils { system = sysLinuxAarch; pkgs = pkgsLinuxAarch; unstablePkgs = unstableLinuxAarch; };
|
||||
|
||||
pkgsDarwin = wrapPkgsSystem { system = sysDarwin; };
|
||||
unstableDarwin = wrapUnstablePkgsSystem { system = sysDarwin; };
|
||||
utilsDarwin = wrapUtils { system = sysDarwin; pkgs = pkgsDarwin; unstable = unstableDarwin; };
|
||||
utilsDarwin = wrapUtils { system = sysDarwin; pkgs = pkgsDarwin; unstablePkgs = unstableDarwin; };
|
||||
in
|
||||
{
|
||||
nixosConfigurations = {
|
||||
|
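Review bot: `makeScope newScope (self: rec {` mixes `rec` with the scope's own `self`: `inherit (user) mkUser;` binds to the rec-local `user`, so an `overrideScope` that replaces `user` would not be seen by `mkUser`. Reference the scope instead, `inherit (self.user) mkUser;`, and drop the `rec` (`makeScope newScope (self: {`). The `unstablePkgs` and `system` arguments of `wrapUtils` are not used anywhere in the visible hunk; if they are kept only so `callPackage` can resolve them, a short comment saying so would help the next reader.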
@ -9,7 +9,7 @@ let
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
# Include the results of the hardware scan.
|
||||
./options.nix
|
||||
./backup.nix
|
||||
./hardware.nix
|
||||
./firewall.nix
|
||||
@ -132,6 +132,11 @@ in
|
||||
driSupport = true;
|
||||
};
|
||||
|
||||
architect.firewall = {
|
||||
openTCP = [ 22 ];
|
||||
openTCPVPN = [ 22 ];
|
||||
};
|
||||
|
||||
services = {
|
||||
fwupd.enable = true;
|
||||
das_watchdog.enable = true;
|
||||
|
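Review bot: `openTCP = [ 22 ];` and `openTCPVPN = [ 22 ];` hard-code the SSH port, while the gitea and tailscale files in this same change derive their port from `config`; `config.services.openssh.ports` would keep the firewall in step with sshd if the port is ever moved. As printed, the `# Include the results of the hardware scan.` comment now sits above `./options.nix` rather than `./hardware.nix`; placing `./options.nix` above the comment keeps it accurate. The module's argument list is outside the hunk, so `config` may need adding to it as the gitea file does.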
@ -4,8 +4,15 @@ let
|
||||
domain = "htdel.giugl.io";
|
||||
network = import ./network.nix;
|
||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
||||
|
||||
listenPorts = [ 51413 51414 ];
|
||||
in
|
||||
{
|
||||
architect.firewall = {
|
||||
openTCP = listenPorts;
|
||||
openUDP = listenPorts;
|
||||
};
|
||||
|
||||
services = {
|
||||
deluge = {
|
||||
enable = true;
|
||||
@ -24,7 +31,7 @@ in
|
||||
max_connections_global = 1000;
|
||||
max_active_limit = 100;
|
||||
max_active_downloading = 100;
|
||||
listen_ports = [ 51413 51414 ];
|
||||
listen_ports = listenPorts;
|
||||
random_port = false;
|
||||
enabled_plugins = [ "Label" "Extractor" ];
|
||||
};
|
||||
|
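Review bot: `listen_ports = listenPorts;` and `openTCP = listenPorts;` give the same list two different meanings: if I recall Deluge's config correctly, `listen_ports` is a `[start end]` range, whereas `architect.firewall.openTCP` is a list of individual ports. With `[ 51413 51414 ]` the two coincide, but a later edit to non-contiguous values would open ports Deluge never listens on, or miss ones it does. A comment on the binding, `# Deluge reads this as a [start end] range, the firewall as a list — keep it contiguous`, would record the constraint.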
@ -6,6 +6,8 @@ let
|
||||
dnscrypt_listen_port = "5353";
|
||||
in
|
||||
{
|
||||
architect.firewall.openUDPVPN = [ 53 ];
|
||||
|
||||
services = {
|
||||
dnsmasq = {
|
||||
enable = true;
|
||||
|
@ -1,54 +1,13 @@
|
||||
{ config, lib, ... }:
|
||||
|
||||
with import ./network.nix;
|
||||
with lib;
|
||||
|
||||
let
|
||||
# TCP services
|
||||
ssh_tcp = 22;
|
||||
http_tcp = 80;
|
||||
https_tcp = 443;
|
||||
synapse_tcp = 8448;
|
||||
gitea_tcp = 10022;
|
||||
prosody_tcp = 5222;
|
||||
minecraft_tcp = 25565;
|
||||
|
||||
# UDP services
|
||||
dns_udp = 53;
|
||||
wireguard_udp = 1194;
|
||||
|
||||
# TCP/UDP services
|
||||
torrent_a = 51413;
|
||||
torrent_b = 51414;
|
||||
|
||||
# grouping
|
||||
open_tcp_ports = lib.concatMapStringsSep "," (x: toString x) [
|
||||
ssh_tcp
|
||||
http_tcp
|
||||
https_tcp
|
||||
synapse_tcp
|
||||
gitea_tcp
|
||||
torrent_a
|
||||
torrent_b
|
||||
minecraft_tcp
|
||||
];
|
||||
open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
|
||||
wireguard_udp
|
||||
torrent_a
|
||||
torrent_b
|
||||
config.services.tailscale.port
|
||||
];
|
||||
open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
|
||||
ssh_tcp
|
||||
http_tcp
|
||||
https_tcp
|
||||
prosody_tcp
|
||||
minecraft_tcp
|
||||
];
|
||||
open_udp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
|
||||
dns_udp
|
||||
wireguard_udp
|
||||
];
|
||||
|
||||
openTCP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCP;
|
||||
openUDP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDP;
|
||||
openTCPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCPVPN;
|
||||
openUDPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDPVPN;
|
||||
in
|
||||
{
|
||||
networking = {
|
||||
@ -161,10 +120,11 @@ in
|
||||
ip saddr ${tailscale-net} accept comment "tailscale > local"
|
||||
ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
|
||||
|
||||
iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
|
||||
iifname ${wan-if} udp dport {${open_udp_ports}} accept
|
||||
iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept
|
||||
iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept
|
||||
iifname ${wan-if} tcp dport {${openTCP}} accept
|
||||
iifname ${wan-if} udp dport {${openUDP}} accept
|
||||
iifname ${vpn-if} tcp dport {${openTCPVPN}} accept
|
||||
iifname ${vpn-if} udp dport {${openUDPVPN}} accept
|
||||
|
||||
iifname ${vpn-if} icmp type echo-request accept
|
||||
iifname ${docker-if} udp dport 53 accept
|
||||
jump filter_drop
|
||||
|
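Review bot: The four rendered rules starting at `iifname ${wan-if} tcp dport {${openTCP}} accept` produce `dport {}` when the corresponding `architect.firewall.*` list is empty, which nft rejects, so a host that declares nothing for one of the lists (all four default to `[ ]` in the new options file) fails to load its whole ruleset. Each rule should be emitted only when its list is non-empty, and since several modules now contribute to each list, `lib.unique` avoids repeating a port inside the set literal. A small helper keeps the four lines uniform; the surrounding `let` and the nftables string continue outside the hunks.
```nix
  # … unchanged: other let bindings …
  cfg = config.architect.firewall;
  # Render one accept rule, or nothing at all when the list is empty
  # (an empty `dport {}` set is a syntax error for nft).
  mkAccept = iface: proto: ports:
    optionalString (ports != [ ])
      "iifname ${iface} ${proto} dport {${concatMapStringsSep "," toString (unique ports)}} accept";
in
# … unchanged: networking / nftables ruleset up to the "vpn > local" rule …
          ${mkAccept wan-if "tcp" cfg.openTCP}
          ${mkAccept wan-if "udp" cfg.openUDP}
          ${mkAccept vpn-if "tcp" cfg.openTCPVPN}
          ${mkAccept vpn-if "udp" cfg.openUDPVPN}
```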
@ -1,11 +1,12 @@
|
||||
{ lib, ... }:
|
||||
{ config, lib, ... }:
|
||||
|
||||
let
|
||||
domain = "git.giugl.io";
|
||||
network = import ./network.nix;
|
||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
||||
in
|
||||
{
|
||||
architect.firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ];
|
||||
|
||||
services.gitea = {
|
||||
enable = true;
|
||||
database.type = "sqlite3";
|
||||
|
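Review bot: `architect.firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ];` opens whatever `SSH_PORT` evaluates to, and the hunk does not show that value being set; the removed firewall list used `gitea_tcp = 10022`, so if `settings.server.SSH_PORT` is not assigned further down this file, the port exposed on the WAN is now the gitea module's default rather than 10022. Worth confirming in the rest of the file, and if 10022 is the intent, a `settings.server.SSH_PORT = 10022;` next to the firewall line makes the coupling explicit. The `services.gitea` block continues outside the hunk.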
@ -9,7 +9,7 @@ in
|
||||
invidious = {
|
||||
enable = true;
|
||||
port = 9092;
|
||||
package = pkgs.unstable.invidious;
|
||||
package = pkgs.unstablePkgs.invidious;
|
||||
};
|
||||
|
||||
nginx.virtualHosts.${domain} = {
|
||||
|
@ -13,7 +13,7 @@ in
|
||||
jellyfin = {
|
||||
enable = true;
|
||||
group = "media";
|
||||
package = pkgs.unstable.jellyfin;
|
||||
package = pkgs.unstablePkgs.jellyfin;
|
||||
};
|
||||
|
||||
nginx.virtualHosts.${domain} = {
|
||||
|
@ -5,11 +5,13 @@ let
|
||||
network = import ./network.nix;
|
||||
in
|
||||
{
|
||||
architect.firewall.openTCP = [ 25565 ];
|
||||
|
||||
services.minecraft-server = {
|
||||
enable = true;
|
||||
eula = true;
|
||||
declarative = true;
|
||||
package = pkgs.unstable.minecraft-server;
|
||||
package = pkgs.unstablePkgs.minecraft-server;
|
||||
serverProperties = { motd = "Welcome on the RuNas server!"; };
|
||||
};
|
||||
|
||||
|
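Review bot: `architect.firewall.openTCP = [ 25565 ];` only re-creates the WAN entry; the removed firewall lists had `minecraft_tcp` in both `open_tcp_ports` and `open_tcp_ports_vpn`, so VPN-side access to the server is dropped unless `openTCPVPN` is declared elsewhere (not visible on this page). If that was not intended, `architect.firewall = { openTCP = [ 25565 ]; openTCPVPN = [ 25565 ]; };` restores it. Binding the number once in a `let`, as the wireguard file does with `listenPort`, keeps the firewall and any later `server-port` property from drifting apart.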
@ -9,7 +9,7 @@ in
|
||||
services = {
|
||||
mysql = {
|
||||
enable = true;
|
||||
package = pkgs.unstable.mysql80;
|
||||
package = pkgs.unstablePkgs.mysql80;
|
||||
};
|
||||
|
||||
redis = {
|
||||
@ -24,7 +24,7 @@ in
|
||||
enable = true;
|
||||
hostName = domain;
|
||||
https = true;
|
||||
package = pkgs.unstable.nextcloud25;
|
||||
package = pkgs.unstablePkgs.nextcloud25;
|
||||
datadir = "/services/nextcloud";
|
||||
caching = {
|
||||
redis = true;
|
||||
|
@ -1,6 +1,11 @@
|
||||
{ services, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
architect.firewall = {
|
||||
openTCP = [ 80 443 ];
|
||||
openTCPVPN = [ 80 443 ];
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
package = pkgs.openresty;
|
||||
|
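Review bot: `openTCP = [ 80 443 ];` and `openTCPVPN = [ 80 443 ];` repeat the same literal list, where the deluge and wireguard files in this change bind the value once. A `let webPorts = [ 80 443 ]; in` above the module body with `openTCP = webPorts; openTCPVPN = webPorts;` keeps the two lists from diverging. The `services.nginx` block continues outside the hunk.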
@ -12,7 +12,7 @@ in
|
||||
server = {
|
||||
port = 9093;
|
||||
hostname = domain;
|
||||
staticDir = "${pkgs.unstable.nitter}/share/nitter/public";
|
||||
staticDir = "${pkgs.unstablePkgs.nitter}/share/nitter/public";
|
||||
};
|
||||
preferences = {
|
||||
replaceYouTube = "tube.giugl.io";
|
||||
|
25
hosts/architect/options.nix
Normal file
25
hosts/architect/options.nix
Normal file
@ -0,0 +1,25 @@
|
||||
{ config, lib, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
{
|
||||
options.architect.firewall = {
|
||||
openTCP = mkOption {
|
||||
type = types.listOf types.int;
|
||||
default = [ ];
|
||||
};
|
||||
openUDP = mkOption {
|
||||
type = types.listOf types.int;
|
||||
default = [ ];
|
||||
};
|
||||
openTCPVPN = mkOption {
|
||||
type = types.listOf types.int;
|
||||
default = [ ];
|
||||
};
|
||||
openUDPVPN = mkOption {
|
||||
type = types.listOf types.int;
|
||||
default = [ ];
|
||||
};
|
||||
};
|
||||
|
||||
}
|
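Review bot: The four options use `types.listOf types.int` and carry no `description`, so any integer (negative or above 65535) is accepted and option documentation says nothing about which interface each list applies to. `type = types.listOf types.port;` bounds the values, and a one-line `description` per option — e.g. `description = "TCP ports accepted on the WAN interface";` for `openTCP`, with the `*VPN` variants describing the VPN interface — records what `firewall.nix` does with them.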
@ -7,7 +7,7 @@ in
|
||||
{
|
||||
services.plex = {
|
||||
enable = true;
|
||||
package = pkgs.unstable.plex;
|
||||
package = pkgs.unstablePkgs.plex;
|
||||
dataDir = "/plex";
|
||||
};
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
{ lib, ... }:
|
||||
{ config, lib, ... }:
|
||||
|
||||
let
|
||||
network = import ./network.nix;
|
||||
@ -6,6 +6,8 @@ let
|
||||
ifname = "ts0";
|
||||
in
|
||||
{
|
||||
architect.firewall.openUDP = [ config.services.tailscale.port ];
|
||||
|
||||
services = {
|
||||
tailscale = {
|
||||
enable = true;
|
||||
|
@ -1,4 +1,14 @@
|
||||
with import ./network.nix; {
|
||||
{ config, lib, ... }:
|
||||
with import ./network.nix;
|
||||
let
|
||||
listenPort = 1194;
|
||||
in
|
||||
{
|
||||
architect.firewall = {
|
||||
openUDP = lib.singleton listenPort;
|
||||
openUDPVPN = lib.singleton listenPort;
|
||||
};
|
||||
|
||||
networking = {
|
||||
extraHosts = ''
|
||||
${architect-wg} architect.devs.giugl.io
|
||||
@ -37,7 +47,8 @@ with import ./network.nix; {
|
||||
|
||||
wireguard = {
|
||||
interfaces.${vpn-if} = {
|
||||
listenPort = 1194;
|
||||
inherit listenPort;
|
||||
|
||||
ips = [ "10.3.0.1/24" ];
|
||||
privateKeyFile = "/secrets/wireguard/server.key";
|
||||
|
||||
|
44
lib/host.nix
44
lib/host.nix
@ -1,18 +1,26 @@
|
||||
{ pkgs, nixpkgs, nixos-unstable, unstable, home-manager, user, system, ... }:
|
||||
{ pkgs
|
||||
, nixpkgs
|
||||
, nixos-unstable
|
||||
, unstablePkgs
|
||||
, home-manager
|
||||
, system
|
||||
, mkHomeRole
|
||||
, mkSysRole
|
||||
, mkUser
|
||||
, ...
|
||||
}:
|
||||
|
||||
{
|
||||
mkHost = { name, users, roles ? [ ], imports ? [ ] }:
|
||||
let
|
||||
mkRole = role: pkgs.callPackage (../roles + "/${role}.nix") { };
|
||||
|
||||
users_mod = (map
|
||||
(u:
|
||||
user.mkUser {
|
||||
mkUser {
|
||||
name = u.user;
|
||||
roles = u.roles;
|
||||
})
|
||||
users);
|
||||
roles_mod = (map (r: mkRole r) roles);
|
||||
roles_mod = (map (r: mkSysRole r) roles);
|
||||
add_imports = imports;
|
||||
in
|
||||
nixpkgs.lib.nixosSystem {
|
||||
@ -20,26 +28,36 @@
|
||||
|
||||
modules = [
|
||||
{
|
||||
imports = users_mod ++ roles_mod ++ add_imports;
|
||||
imports = users_mod ++ roles_mod ++ add_imports ++ [
|
||||
(mkSysRole "common")
|
||||
(mkSysRole "acme")
|
||||
];
|
||||
|
||||
nixpkgs = { inherit pkgs; };
|
||||
|
||||
nix.nixPath = [ "nixpkgs=${nixpkgs}" "unstable=${nixos-unstable}" ];
|
||||
nix.registry.nixpkgs.flake = nixpkgs;
|
||||
nix.registry.unstable.flake = nixos-unstable;
|
||||
nix = {
|
||||
nixPath = [
|
||||
"nixpkgs=${nixpkgs}"
|
||||
"unstable=${nixos-unstable}"
|
||||
];
|
||||
registry = {
|
||||
nixpkgs.flake = nixpkgs;
|
||||
unstable.flake = nixos-unstable;
|
||||
};
|
||||
};
|
||||
|
||||
users.users.root = { shell = pkgs.zsh; };
|
||||
|
||||
home-manager = {
|
||||
users.root.imports = [ ../roles/home/common.nix ];
|
||||
extraSpecialArgs.unstable = unstable;
|
||||
users.root.imports = pkgs.lib.singleton (mkHomeRole "common");
|
||||
extraSpecialArgs.unstablePkgs = unstablePkgs;
|
||||
useGlobalPkgs = true;
|
||||
};
|
||||
|
||||
system.stateVersion = "22.11";
|
||||
}
|
||||
|
||||
home-manager.nixosModules.home-manager
|
||||
../roles/common.nix
|
||||
../roles/acme.nix
|
||||
../hosts/${name}/default.nix
|
||||
];
|
||||
};
|
||||
|
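Review bot: `mkUser { name = u.user; roles = u.roles; }` reads `u.roles` unconditionally, so a `users` entry without a `roles` attribute fails even though `mkUser` in `lib/user.nix` defaults it (`roles ? [ ]`); `roles = u.roles or [ ];` keeps the two in step. Separately, `roles_mod = (map (r: mkSysRole r) roles);` replaces the previous `pkgs.callPackage` with a plain `import` via `lib/utils.nix`, so any role file that relied on callPackage-resolved arguments would now receive module arguments instead — worth checking the role files, which are not on this page. `mkHost` continues outside the first hunk.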
14
lib/user.nix
14
lib/user.nix
@ -1,10 +1,9 @@
|
||||
{ pkgs, unstable, home-manager, ... }:
|
||||
{ pkgs, home-manager, mkHomeRole, ... }:
|
||||
|
||||
{
|
||||
mkUser = { name, roles ? [ ] }:
|
||||
let
|
||||
mkRole = role: import (../roles/home + "/${role}.nix");
|
||||
roles_mod = (map (r: mkRole r) roles);
|
||||
roles_mod = (map (r: mkHomeRole r) roles);
|
||||
in
|
||||
{
|
||||
users.groups.plugdev = { };
|
||||
@ -21,13 +20,12 @@
|
||||
extraGroups = [ "wheel" "plugdev" ];
|
||||
};
|
||||
|
||||
home-manager.users.${name}.imports = [ (mkRole "common") ] ++ roles_mod;
|
||||
home-manager.users.${name}.imports = [ (mkHomeRole "common") ] ++ roles_mod;
|
||||
};
|
||||
|
||||
mkHMUser = { name, roles }:
|
||||
mkHMUser = { name, roles ? [ ] }:
|
||||
let
|
||||
mkRole = role: import (../roles/home + "/${role}.nix");
|
||||
roles_mod = (map (r: mkRole r) roles);
|
||||
roles_mod = (map (r: mkHomeRole r) roles);
|
||||
in
|
||||
home-manager.lib.homeManagerConfiguration {
|
||||
inherit pkgs;
|
||||
@ -39,7 +37,7 @@
|
||||
if pkgs.stdenv.isLinux then "/home/${name}" else "/Users/${name}";
|
||||
};
|
||||
}
|
||||
(mkRole "common")
|
||||
(mkHomeRole "common")
|
||||
] ++ roles_mod;
|
||||
};
|
||||
}
|
||||
|
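Review bot: `home-manager.users.${name}.imports = [ (mkHomeRole "common") ] ++ roles_mod;` and the matching `(mkHomeRole "common") ] ++ roles_mod` in `mkHMUser` import `common` twice when a caller also lists it in `roles`, and because `mkHomeRole` returns an imported value rather than a path, the module system cannot recognise the two as the same file. Computing the list once in both functions, `roles_mod = map mkHomeRole (pkgs.lib.unique ([ "common" ] ++ roles));`, removes the duplicate and the repeated prefix. Both function bodies extend outside the hunks.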
6
lib/utils.nix
Normal file
6
lib/utils.nix
Normal file
@ -0,0 +1,6 @@
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
mkSysRole = role: import (../roles/${role}.nix);
|
||||
mkHomeRole = role: import (../roles/home/${role}.nix);
|
||||
}
|
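Review bot: `mkSysRole = role: import (../roles/${role}.nix);` and `mkHomeRole` return the imported module function rather than the path, which drops the file location the module system would otherwise attach, so evaluation errors inside a role no longer point at the role file. Returning the path, `mkSysRole = role: ../roles/${role}.nix;` and `mkHomeRole = role: ../roles/home/${role}.nix;`, is accepted everywhere these are placed in this change (`imports` and `modules` lists) and, to my recollection, also lets the same file imported from two places be deduplicated.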
@ -22,7 +22,7 @@
|
||||
environment.systemPackages = with pkgs; [
|
||||
gnomeExtensions.appindicator
|
||||
gnomeExtensions.sound-output-device-chooser
|
||||
pkgs.unstable.gnomeExtensions.pop-shell
|
||||
pkgs.unstablePkgs.gnomeExtensions.pop-shell
|
||||
];
|
||||
security.pam.services.gdm.enableGnomeKeyring = true;
|
||||
}
|
||||
|
@ -33,7 +33,7 @@
|
||||
formatter = { command = "nixpkgs-fmt" }
|
||||
'';
|
||||
|
||||
packages = with pkgs.unstable; [
|
||||
packages = with pkgs.unstablePkgs; [
|
||||
helix
|
||||
clang-tools
|
||||
rust-analyzer
|
||||
|