peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: peperunas:be0a1be47d45db1430fcc663cf89b3dd1ce0399c
Branches Tags
peperunas:master
peperunas:nixos-21.11
peperunas:laptopshit
...
compare: peperunas:3321ec122a46bbb306f4f984899472d7996af2bd
Branches Tags
peperunas:master
peperunas:nixos-21.11
peperunas:laptopshit

6 Commits
be0a1be47d ... 3321ec122a

Author SHA1 Message Date
Giulio De Pasquale
3321ec122a architect: Refactored firewall settings. Added architect.firewall option 2023-02-15 00:19:52 +01:00
Giulio De Pasquale
47d937e12d helix: Fixed typo 2023-02-14 22:35:01 +01:00
Giulio De Pasquale
f5668462eb Renamed unstable to unstablePkgs to avoid confusion with nixos-unstable flake 2023-02-14 21:30:37 +01:00
Giulio De Pasquale
be0755bcfe lib.user: Removed unused argument 2023-02-14 21:21:07 +01:00
Giulio De Pasquale
fb74112c15 lib.host: Minor cleanup and formatting 2023-02-14 21:20:01 +01:00
Giulio De Pasquale
51d961484e lib/ cleanup, introduced utils to reduce code duplication 2023-02-14 21:14:30 +01:00
21 changed files with 141 additions and 94 deletions
Show Stats Expand all files Collapse all files

19
flake.nix
View File

@ -18,26 +18,31 @@
wrapPkgsSystem = { system }: wrapPkgsSystem = { system }:
import nixpkgs rec { import nixpkgs rec {
inherit system; inherit system;
unstable = wrapUnstablePkgsSystem { inherit system; };
unstablePkgs = wrapUnstablePkgsSystem { inherit system; };
config.allowUnfree = true; config.allowUnfree = true;
overlays = [ overlays = [
(final: prev: { inherit unstable; }) (final: prev: { inherit unstablePkgs; })
]; ];
}; };
wrapUnstablePkgsSystem = { system }: wrapUnstablePkgsSystem = { system }:
import nixos-unstable { import nixos-unstable {
inherit system; inherit system;
config.allowUnfree = true; config.allowUnfree = true;
}; };
wrapUtils = { pkgs, unstable, system }: wrapUtils = { pkgs, unstablePkgs, system }:
let let
inherit (pkgs.lib) makeScope; inherit (pkgs.lib) makeScope;
inherit (pkgs) newScope; inherit (pkgs) newScope;
in in
makeScope newScope (self: { makeScope newScope (self: rec {
inherit nixpkgs home-manager nixos-unstable; inherit nixpkgs home-manager nixos-unstable;
inherit (self.callPackage ./lib/utils.nix { }) mkSysRole mkHomeRole;
inherit (user) mkUser;
user = self.callPackage ./lib/user.nix { }; user = self.callPackage ./lib/user.nix { };
host = self.callPackage ./lib/host.nix { }; host = self.callPackage ./lib/host.nix { };
}); });
@ -45,15 +50,15 @@
pkgsLinuxX64 = wrapPkgsSystem { system = sysLinuxX64; }; pkgsLinuxX64 = wrapPkgsSystem { system = sysLinuxX64; };
unstableLinuxX64 = wrapUnstablePkgsSystem { system = sysLinuxX64; }; unstableLinuxX64 = wrapUnstablePkgsSystem { system = sysLinuxX64; };
utilsLinuxX64 = wrapUtils { system = sysLinuxX64; pkgs = pkgsLinuxX64; unstable = unstableLinuxX64; }; utilsLinuxX64 = wrapUtils { system = sysLinuxX64; pkgs = pkgsLinuxX64; unstablePkgs = unstableLinuxX64; };
pkgsLinuxAarch = wrapPkgsSystem { system = sysLinuxAarch; }; pkgsLinuxAarch = wrapPkgsSystem { system = sysLinuxAarch; };
unstableLinuxAarch = wrapUnstablePkgsSystem { system = sysLinuxAarch; }; unstableLinuxAarch = wrapUnstablePkgsSystem { system = sysLinuxAarch; };
utilsLinuxAarch = wrapUtils { system = sysLinuxAarch; pkgs = pkgsLinuxAarch; unstable = unstableLinuxAarch; }; utilsLinuxAarch = wrapUtils { system = sysLinuxAarch; pkgs = pkgsLinuxAarch; unstablePkgs = unstableLinuxAarch; };
pkgsDarwin = wrapPkgsSystem { system = sysDarwin; }; pkgsDarwin = wrapPkgsSystem { system = sysDarwin; };
unstableDarwin = wrapUnstablePkgsSystem { system = sysDarwin; }; unstableDarwin = wrapUnstablePkgsSystem { system = sysDarwin; };
utilsDarwin = wrapUtils { system = sysDarwin; pkgs = pkgsDarwin; unstable = unstableDarwin; }; utilsDarwin = wrapUtils { system = sysDarwin; pkgs = pkgsDarwin; unstablePkgs = unstableDarwin; };
in in
{ {
nixosConfigurations = { nixosConfigurations = {

7
hosts/architect/default.nix
View File

@ -9,7 +9,7 @@ let
in in
{ {
imports = [ imports = [
# Include the results of the hardware scan. ./options.nix
./backup.nix ./backup.nix
./hardware.nix ./hardware.nix
./firewall.nix ./firewall.nix
@ -132,6 +132,11 @@ in
driSupport = true; driSupport = true;
}; };
architect.firewall = {
openTCP = [ 22 ];
openTCPVPN = [ 22 ];
};
services = { services = {
fwupd.enable = true; fwupd.enable = true;
das_watchdog.enable = true; das_watchdog.enable = true;

9
hosts/architect/deluge.nix
View File

@ -4,8 +4,15 @@ let
domain = "htdel.giugl.io"; domain = "htdel.giugl.io";
network = import ./network.nix; network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
listenPorts = [ 51413 51414 ];
in in
{ {
architect.firewall = {
openTCP = listenPorts;
openUDP = listenPorts;
};
services = { services = {
deluge = { deluge = {
enable = true; enable = true;
@ -24,7 +31,7 @@ in
max_connections_global = 1000; max_connections_global = 1000;
max_active_limit = 100; max_active_limit = 100;
max_active_downloading = 100; max_active_downloading = 100;
listen_ports = [ 51413 51414 ]; listen_ports = listenPorts;
random_port = false; random_port = false;
enabled_plugins = [ "Label" "Extractor" ]; enabled_plugins = [ "Label" "Extractor" ];
}; };

2
hosts/architect/dns.nix
View File

@ -6,6 +6,8 @@ let
dnscrypt_listen_port = "5353"; dnscrypt_listen_port = "5353";
in in
{ {
architect.firewall.openUDPVPN = [ 53 ];
services = { services = {
dnsmasq = { dnsmasq = {
enable = true; enable = true;

60
hosts/architect/firewall.nix
View File

@ -1,54 +1,13 @@
{ config, lib, ... }: { config, lib, ... }:
with import ./network.nix; with import ./network.nix;
with lib;
let let
# TCP services openTCP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCP;
ssh_tcp = 22; openUDP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDP;
http_tcp = 80; openTCPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCPVPN;
https_tcp = 443; openUDPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDPVPN;
synapse_tcp = 8448;
gitea_tcp = 10022;
prosody_tcp = 5222;
minecraft_tcp = 25565;
# UDP services
dns_udp = 53;
wireguard_udp = 1194;
# TCP/UDP services
torrent_a = 51413;
torrent_b = 51414;
# grouping
open_tcp_ports = lib.concatMapStringsSep "," (x: toString x) [
ssh_tcp
http_tcp
https_tcp
synapse_tcp
gitea_tcp
torrent_a
torrent_b
minecraft_tcp
];
open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
wireguard_udp
torrent_a
torrent_b
config.services.tailscale.port
];
open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
ssh_tcp
http_tcp
https_tcp
prosody_tcp
minecraft_tcp
];
open_udp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
dns_udp
wireguard_udp
];
in in
{ {
networking = { networking = {
@ -161,10 +120,11 @@ in
ip saddr ${tailscale-net} accept comment "tailscale > local" ip saddr ${tailscale-net} accept comment "tailscale > local"
ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local" ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
iifname ${wan-if} tcp dport {${open_tcp_ports}} accept iifname ${wan-if} tcp dport {${openTCP}} accept
iifname ${wan-if} udp dport {${open_udp_ports}} accept iifname ${wan-if} udp dport {${openUDP}} accept
iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept iifname ${vpn-if} tcp dport {${openTCPVPN}} accept
iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept iifname ${vpn-if} udp dport {${openUDPVPN}} accept
iifname ${vpn-if} icmp type echo-request accept iifname ${vpn-if} icmp type echo-request accept
iifname ${docker-if} udp dport 53 accept iifname ${docker-if} udp dport 53 accept
jump filter_drop jump filter_drop

5
hosts/architect/gitea.nix
View File

@ -1,11 +1,12 @@
{ lib, ... }: { config, lib, ... }:
let let
domain = "git.giugl.io"; domain = "git.giugl.io";
network = import ./network.nix; network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in in
{ {
architect.firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ];
services.gitea = { services.gitea = {
enable = true; enable = true;
database.type = "sqlite3"; database.type = "sqlite3";

2
hosts/architect/invidious.nix
View File

@ -9,7 +9,7 @@ in
invidious = { invidious = {
enable = true; enable = true;
port = 9092; port = 9092;
package = pkgs.unstable.invidious; package = pkgs.unstablePkgs.invidious;
}; };
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {

2
hosts/architect/jellyfin.nix
View File

@ -13,7 +13,7 @@ in
jellyfin = { jellyfin = {
enable = true; enable = true;
group = "media"; group = "media";
package = pkgs.unstable.jellyfin; package = pkgs.unstablePkgs.jellyfin;
}; };
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {

4
hosts/architect/minecraft.nix
View File

@ -5,11 +5,13 @@ let
network = import ./network.nix; network = import ./network.nix;
in in
{ {
architect.firewall.openTCP = [ 25565 ];
services.minecraft-server = { services.minecraft-server = {
enable = true; enable = true;
eula = true; eula = true;
declarative = true; declarative = true;
package = pkgs.unstable.minecraft-server; package = pkgs.unstablePkgs.minecraft-server;
serverProperties = { motd = "Welcome on the RuNas server!"; }; serverProperties = { motd = "Welcome on the RuNas server!"; };
}; };

4
hosts/architect/nextcloud.nix
View File

@ -9,7 +9,7 @@ in
services = { services = {
mysql = { mysql = {
enable = true; enable = true;
package = pkgs.unstable.mysql80; package = pkgs.unstablePkgs.mysql80;
}; };
redis = { redis = {
@ -24,7 +24,7 @@ in
enable = true; enable = true;
hostName = domain; hostName = domain;
https = true; https = true;
package = pkgs.unstable.nextcloud25; package = pkgs.unstablePkgs.nextcloud25;
datadir = "/services/nextcloud"; datadir = "/services/nextcloud";
caching = { caching = {
redis = true; redis = true;

5
hosts/architect/nginx.nix
View File

@ -1,6 +1,11 @@
{ services, pkgs, lib, ... }: { services, pkgs, lib, ... }:
{ {
architect.firewall = {
openTCP = [ 80 443 ];
openTCPVPN = [ 80 443 ];
};
services.nginx = { services.nginx = {
enable = true; enable = true;
package = pkgs.openresty; package = pkgs.openresty;

2
hosts/architect/nitter.nix
View File

@ -12,7 +12,7 @@ in
server = { server = {
port = 9093; port = 9093;
hostname = domain; hostname = domain;
staticDir = "${pkgs.unstable.nitter}/share/nitter/public"; staticDir = "${pkgs.unstablePkgs.nitter}/share/nitter/public";
}; };
preferences = { preferences = {
replaceYouTube = "tube.giugl.io"; replaceYouTube = "tube.giugl.io";

25
hosts/architect/options.nix Normal file
View File

@ -0,0 +1,25 @@
{ config, lib, ... }:
with lib;
{
options.architect.firewall = {
openTCP = mkOption {
type = types.listOf types.int;
default = [ ];
};
openUDP = mkOption {
type = types.listOf types.int;
default = [ ];
};
openTCPVPN = mkOption {
type = types.listOf types.int;
default = [ ];
};
openUDPVPN = mkOption {
type = types.listOf types.int;
default = [ ];
};
};
}

2
hosts/architect/plex.nix
View File

@ -7,7 +7,7 @@ in
{ {
services.plex = { services.plex = {
enable = true; enable = true;
package = pkgs.unstable.plex; package = pkgs.unstablePkgs.plex;
dataDir = "/plex"; dataDir = "/plex";
}; };

4
hosts/architect/tailscale.nix
View File

@ -1,4 +1,4 @@
{ lib, ... }: { config, lib, ... }:
let let
network = import ./network.nix; network = import ./network.nix;
@ -6,6 +6,8 @@ let
ifname = "ts0"; ifname = "ts0";
in in
{ {
architect.firewall.openUDP = [ config.services.tailscale.port ];
services = { services = {
tailscale = { tailscale = {
enable = true; enable = true;

15
hosts/architect/wireguard.nix
View File

@ -1,4 +1,14 @@
with import ./network.nix; { { config, lib, ... }:
with import ./network.nix;
let
listenPort = 1194;
in
{
architect.firewall = {
openUDP = lib.singleton listenPort;
openUDPVPN = lib.singleton listenPort;
};
networking = { networking = {
extraHosts = '' extraHosts = ''
${architect-wg} architect.devs.giugl.io ${architect-wg} architect.devs.giugl.io
@ -37,7 +47,8 @@ with import ./network.nix; {
wireguard = { wireguard = {
interfaces.${vpn-if} = { interfaces.${vpn-if} = {
listenPort = 1194; inherit listenPort;
ips = [ "10.3.0.1/24" ]; ips = [ "10.3.0.1/24" ];
privateKeyFile = "/secrets/wireguard/server.key"; privateKeyFile = "/secrets/wireguard/server.key";

44
lib/host.nix
View File

@ -1,18 +1,26 @@
{ pkgs, nixpkgs, nixos-unstable, unstable, home-manager, user, system, ... }: { pkgs
, nixpkgs
, nixos-unstable
, unstablePkgs
, home-manager
, system
, mkHomeRole
, mkSysRole
, mkUser
, ...
}:
{ {
mkHost = { name, users, roles ? [ ], imports ? [ ] }: mkHost = { name, users, roles ? [ ], imports ? [ ] }:
let let
mkRole = role: pkgs.callPackage (../roles + "/${role}.nix") { };
users_mod = (map users_mod = (map
(u: (u:
user.mkUser { mkUser {
name = u.user; name = u.user;
roles = u.roles; roles = u.roles;
}) })
users); users);
roles_mod = (map (r: mkRole r) roles); roles_mod = (map (r: mkSysRole r) roles);
add_imports = imports; add_imports = imports;
in in
nixpkgs.lib.nixosSystem { nixpkgs.lib.nixosSystem {
@ -20,26 +28,36 @@
modules = [ modules = [
{ {
imports = users_mod ++ roles_mod ++ add_imports; imports = users_mod ++ roles_mod ++ add_imports ++ [
(mkSysRole "common")
(mkSysRole "acme")
];
nixpkgs = { inherit pkgs; }; nixpkgs = { inherit pkgs; };
nix.nixPath = [ "nixpkgs=${nixpkgs}" "unstable=${nixos-unstable}" ]; nix = {
nix.registry.nixpkgs.flake = nixpkgs; nixPath = [
nix.registry.unstable.flake = nixos-unstable; "nixpkgs=${nixpkgs}"
"unstable=${nixos-unstable}"
];
registry = {
nixpkgs.flake = nixpkgs;
unstable.flake = nixos-unstable;
};
};
users.users.root = { shell = pkgs.zsh; }; users.users.root = { shell = pkgs.zsh; };
home-manager = { home-manager = {
users.root.imports = [ ../roles/home/common.nix ]; users.root.imports = pkgs.lib.singleton (mkHomeRole "common");
extraSpecialArgs.unstable = unstable; extraSpecialArgs.unstablePkgs = unstablePkgs;
useGlobalPkgs = true; useGlobalPkgs = true;
}; };
system.stateVersion = "22.11"; system.stateVersion = "22.11";
} }
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
../roles/common.nix
../roles/acme.nix
../hosts/${name}/default.nix ../hosts/${name}/default.nix
]; ];
}; };

14
lib/user.nix
View File

@ -1,10 +1,9 @@
{ pkgs, unstable, home-manager, ... }: { pkgs, home-manager, mkHomeRole, ... }:
{ {
mkUser = { name, roles ? [ ] }: mkUser = { name, roles ? [ ] }:
let let
mkRole = role: import (../roles/home + "/${role}.nix"); roles_mod = (map (r: mkHomeRole r) roles);
roles_mod = (map (r: mkRole r) roles);
in in
{ {
users.groups.plugdev = { }; users.groups.plugdev = { };
@ -21,13 +20,12 @@
extraGroups = [ "wheel" "plugdev" ]; extraGroups = [ "wheel" "plugdev" ];
}; };
home-manager.users.${name}.imports = [ (mkRole "common") ] ++ roles_mod; home-manager.users.${name}.imports = [ (mkHomeRole "common") ] ++ roles_mod;
}; };
mkHMUser = { name, roles }: mkHMUser = { name, roles ? [ ] }:
let let
mkRole = role: import (../roles/home + "/${role}.nix"); roles_mod = (map (r: mkHomeRole r) roles);
roles_mod = (map (r: mkRole r) roles);
in in
home-manager.lib.homeManagerConfiguration { home-manager.lib.homeManagerConfiguration {
inherit pkgs; inherit pkgs;
@ -39,7 +37,7 @@
if pkgs.stdenv.isLinux then "/home/${name}" else "/Users/${name}"; if pkgs.stdenv.isLinux then "/home/${name}" else "/Users/${name}";
}; };
} }
(mkRole "common") (mkHomeRole "common")
] ++ roles_mod; ] ++ roles_mod;
}; };
} }

6
lib/utils.nix Normal file
View File

@ -0,0 +1,6 @@
{ ... }:
{
mkSysRole = role: import (../roles/${role}.nix);
mkHomeRole = role: import (../roles/home/${role}.nix);
}

2
roles/gnome.nix
View File

@ -22,7 +22,7 @@
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
gnomeExtensions.appindicator gnomeExtensions.appindicator
gnomeExtensions.sound-output-device-chooser gnomeExtensions.sound-output-device-chooser
pkgs.unstable.gnomeExtensions.pop-shell pkgs.unstablePkgs.gnomeExtensions.pop-shell
]; ];
security.pam.services.gdm.enableGnomeKeyring = true; security.pam.services.gdm.enableGnomeKeyring = true;
} }

2
roles/home/helix.nix
View File

@ -33,7 +33,7 @@
formatter = { command = "nixpkgs-fmt" } formatter = { command = "nixpkgs-fmt" }
''; '';
packages = with pkgs.unstable; [ packages = with pkgs.unstablePkgs; [
helix helix
clang-tools clang-tools
rust-analyzer rust-analyzer