Compare commits

..

No commits in common. "c9966c2f9b7d9048591ef482bc05263a0f94a689" and "ced9c72d4a17b0a6d5f03dc7cf7e34a853e11ff2" have entirely different histories.

17 changed files with 106 additions and 93 deletions

1
.gitignore vendored
View File

@ -1,3 +1,4 @@
result
result/
flake.lock

View File

@ -18,6 +18,7 @@ with import ./network.nix;
};
networking.extraHosts = ''
127.0.0.1 ${bazarrdomain}
${architect-lan} ${bazarrdomain}
${architect-wg} ${bazarrdomain}
'';

View File

@ -25,9 +25,9 @@ in
./minio.nix
./matrix.nix
./fail2ban.nix
./plex.nix
./dns.nix
./minecraft.nix
# ./prowlarr.nix
./plex.nix
];
@ -87,17 +87,18 @@ in
wlp4s0.useDHCP = false;
};
extraHosts = ''
127.0.0.1 ${hostname}.devs.giugl.io localhost
127.0.0.1 ${hostname}.devs.giugl.io giugl.io localhost
# LAN
${architect-lan} ${hostname}.devs.giugl.io
${architect-lan} ${hostname}.devs.giugl.io giugl.io
10.0.0.1 router.devs.giugl.io
${dvr-lan} dvr.devs.giugl.io
${nas-lan} nas.devs.giugl.io
${giupi-lan} giupi.devs.giugl.io
# Wireguard hosts
${architect-wg} ${hostname}.devs.giugl.io
${architect-wg} ${hostname}.devs.giugl.io giugl.io
${galuminum-wg} galuminum.devs.giugl.io
${oneplus-wg} oneplus.devs.giugl.io
${ipad-wg} ipad.devs.giugl.io
@ -110,9 +111,10 @@ in
${padulino-wg} padulino.devs.giugl.io
${shield-wg} shield.devs.giugl.io
${angelino-wg} angelino.devs.giugl.io
${pepos_one-wg} peposone.devs.giugl.io
${pepos_two-wg} pepostwo.devs.giugl.io
${eleonora-wg} eleonora.devs.giugl.io
${angellane-wg} angellane.devs.giugl.io
${broccolino-wg} broccolino.devs.giugl.io
${hotpottino-wg} hotpottino.devs.giugl.io
${salvatore-wg} salvatore.devs.giugl.io
${papa-wg} papa.devs.giugl.io
@ -142,6 +144,11 @@ in
0.0.0.0 analytics.oneplus.cn
0.0.0.0 click.oneplus.cn
0.0.0.0 analytics-api.samsunghealthcn.com
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
'';
};

View File

@ -4,19 +4,15 @@
services = {
dnsmasq = {
enable = true;
servers = ["127.0.0.1#5300"];
servers = ["127.0.0.1#5353"];
extraConfig = ''
localise-queries
min-cache-ttl=120
max-cache-ttl=2400
addn-hosts=/etc/adblock_hosts
'';
};
adguardhome = {
enable= true;
port = 3031;
};
dnscrypt-proxy2 = {
enable = true;
settings = {
@ -38,4 +34,73 @@
};
};
};
systemd = {
timers.update-adblock = {
wantedBy = [ "timers.target" ];
partOf = [ "update-adblock.service" ];
timerConfig.OnCalendar = "daily";
};
services.update-adblock = {
serviceConfig.Type = "oneshot";
requiredBy = [ "dnsmasq.service" ];
postStop = "systemctl restart dnsmasq";
script = ''
#!/bin/sh
EASYLIST_HOSTSNAME="easylist_hosts.txt"
EASYPRIVACY_HOSTSNAME="easyprivacy_hosts.txt"
STEVENBLACK_HOSTSNAME="stevenblack_hosts.txt"
get_easylist() {
EASYLIST_URL="https://raw.githubusercontent.com/easylist/easylist/master/easylist/easylist_adservers.txt"
tmpfile=`mktemp`
# download easylist
${pkgs.wget}/bin/wget $EASYLIST_URL -O $tmpfile
# remove IP addresses and prepend 0.0.0.0 to create hosts file
cat $tmpfile | egrep -v "([0-9]{1,3}\.){3}[0-9]{1,3}" | grep -oP "^\|\|(\K[a-zA-Z0-9\.\-]+)" | ${pkgs.gawk}/bin/gawk '{print "0.0.0.0 " $0}' > $EASYLIST_HOSTSNAME
rm $tmpfile
}
get_easyprivacy() {
EASYLIST_URL="https://raw.githubusercontent.com/easylist/easylist/master/easyprivacy/easyprivacy_trackingservers.txt"
tmpfile=`mktemp`
# download easylist
${pkgs.wget}/bin/wget $EASYLIST_URL -O $tmpfile
# remove IP addresses and prepend 0.0.0.0 to create hosts file
cat $tmpfile | egrep -v "([0-9]{1,3}\.){3}[0-9]{1,3}" | grep -oP "^\|\|(\K[a-zA-Z0-9\.\-]+)" | ${pkgs.gawk}/bin/gawk '{print "0.0.0.0 " $0}' > $EASYPRIVACY_HOSTSNAME
rm $tmpfile
}
get_stevenblack() {
STEVENBLACK_URL="https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts"
${pkgs.wget}/bin/wget $STEVENBLACK_URL -O $STEVENBLACK_HOSTSNAME
}
get_easylist
get_easyprivacy
get_stevenblack
# create unified file
cat *hosts.txt | sort | uniq | grep "^0" > /etc/adblock_hosts
rm $EASYLIST_HOSTSNAME $STEVENBLACK_HOSTSNAME $EASYPRIVACY_HOSTSNAME
'';
};
};
}

View File

@ -61,7 +61,6 @@ in {
iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}"
iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}"
iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}"
iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
iifname "lo" accept comment "bind any ip to intf lo"
jump mangle_drop
@ -116,7 +115,6 @@ in {
ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
ip saddr ${lan-net} accept comment "lan > local"
ip saddr ${proxy-wg} accept comment "proxy > local"
iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
iifname ${wan-if} udp dport {${open_udp_ports}} accept

View File

@ -20,13 +20,13 @@ with import ./network.nix;
allow 127.0.0.1;
allow 10.0.0.0/24;
allow 10.3.0.0/24;
allow 10.4.0.0/24;
deny all;
'';
};
};
networking.extraHosts = ''
127.0.0.1 ${gitdomain}
${architect-lan} ${gitdomain}
${architect-wg} ${gitdomain}
'';

View File

@ -8,10 +8,7 @@ with import ./network.nix;
];
services = {
jellyfin = {
enable = true;
package = pkgs.unstable.jellyfin;
};
jellyfin.enable = true;
nginx.virtualHosts.${mediadomain} = {
forceSSL = true;
@ -28,6 +25,7 @@ with import ./network.nix;
};
networking.extraHosts = ''
127.0.0.1 ${mediadomain}
${architect-lan} ${mediadomain}
${architect-wg} ${mediadomain}
'';

View File

@ -10,7 +10,7 @@ with import ./network.nix;
public_baseurl = "https://${matrixdomain}";
registration_shared_secret = "runas!";
dynamic_thumbnails = true;
# enable_registration = true;
#enable_registration = true;
app_service_config_files = [
"/var/lib/matrix-synapse/discord-registration.yaml"
"/var/lib/matrix-synapse/telegram-registration.yaml"
@ -37,12 +37,6 @@ with import ./network.nix;
];
}
];
turn_uris = [
"turns:turn.giugl.io:5349?transport=udp"
"turns:turn.giugl.io:5349?transport=tcp"
];
turn_shared_secret = "69duck duck fuck420";
turn_user_lifetime = "1h";
};
postgresql = {
@ -165,11 +159,6 @@ with import ./network.nix;
background = "020202"; # only for gif, transparency not supported
};
};
encryption = {
allow = true;
default = true;
};
};
};
};
@ -182,8 +171,10 @@ systemd.services.mautrix-telegram.path = with pkgs; [
];
networking.extraHosts = ''
127.0.0.1 ${matrixdomain} ${matrixwebdomain}
${architect-lan} ${matrixdomain} ${matrixwebdomain}
${architect-wg} ${matrixdomain} ${matrixwebdomain}
'';
users.groups.acme.members = [ "turnserver" ];
}

View File

@ -18,6 +18,7 @@ with import ./network.nix;
};
networking.extraHosts = ''
127.0.0.1 ${miniodomain}
${architect-lan} ${miniodomain}
${architect-wg} ${miniodomain}
'';

View File

@ -2,12 +2,10 @@ rec {
# interfaces
wan-if = "enp5s0";
vpn-if = "wg0";
proxy-if = "proxy";
# nets
lan-net = "10.0.0.0/24";
vpn-net = "10.3.0.0/24";
proxy-net = "10.4.0.0/24";
external_lan-net = "192.168.1.0/24";
# ips
@ -15,8 +13,7 @@ rec {
nas-lan = "10.0.0.3";
architect-lan = "10.0.0.250";
giupi-lan = "10.0.0.251";
proxy-wg = "10.4.0.1";
architect-wg = "10.3.0.1";
galuminum-wg = "10.3.0.2";
oneplus-wg = "10.3.0.3";
@ -42,14 +39,14 @@ rec {
dima-wg = "10.3.0.23";
mikey-wg = "10.3.0.24";
eleonora-wg = "10.3.0.100";
angellane-wg = "10.3.0.200";
broccolino-wg = "10.3.0.200";
hotpottino-wg = "10.3.0.201";
dodino-wg = "10.3.0.202";
boogino-wg = "10.3.0.203";
# groups
gdevices-wg = [ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg angelino-wg ];
routers-wg = [ hotpottino-wg angellane-wg dodino-wg ];
routers-wg = [ hotpottino-wg broccolino-wg dodino-wg ];
c2c-wg = [ ] ++ gdevices-wg;
towan-wg = [ shield-wg parisaphone-wg parisapc-wg ] ++ gdevices-wg ++ routers-wg;
@ -65,6 +62,4 @@ rec {
clouddomain = "cloud.giugl.io";
matrixdomain = "matrix.giugl.io";
matrixwebdomain = "chat.giugl.io";
prowlarrdomain = "htpro.giugl.io";
jupyterdomain = "labs.giugl.io";
}

View File

@ -40,6 +40,7 @@ with import ./network.nix;
};
networking.extraHosts = ''
127.0.0.1 ${clouddomain}
${architect-lan} ${clouddomain}
${architect-wg} ${clouddomain}
'';

View File

@ -18,6 +18,7 @@ with import ./network.nix;
};
networking.extraHosts = ''
127.0.0.1 ${nzbgetdomain}
${architect-lan} ${nzbgetdomain}
${architect-wg} ${nzbgetdomain}
'';

View File

@ -5,7 +5,6 @@ with import ./network.nix;
services.plex = {
enable = true;
package = pkgs.unstable.plex;
dataDir = "/plex";
};
services.nginx = {
@ -72,12 +71,13 @@ with import ./network.nix;
proxy_buffering off;
'';
locations."/" = {
proxyPass = "http://localhost:32400";
proxyPass = "https://localhost:32400";
};
};
};
networking.extraHosts = ''
127.0.0.1 ${mediadomain}
${architect-lan} ${mediadomain}
${architect-wg} ${mediadomain}
'';

View File

@ -1,34 +0,0 @@
with import ./network.nix;
{
services = {
prowlarr.enable = true;
nginx.virtualHosts.${prowlarrdomain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:9696";
extraConfig = ''
allow 10.0.0.0/24;
allow 10.3.0.0/24;
deny all;
'';
};
# locations."/api" = {
# proxyPass = "http://127.0.0.1:9696/prowlarr/api";
# };
#
# locations."/Content" = {
# proxyPass = "http://127.0.0.1:9696/prowlarr/Content";
# };
};
};
networking.extraHosts = ''
${architect-lan} ${prowlarrdomain}
${architect-wg} ${prowlarrdomain}
'';
users.groups.media.members = ["prowlarr"];
}

View File

@ -18,6 +18,7 @@ with import ./network.nix;
};
networking.extraHosts = ''
127.0.0.1 ${radarrdomain}
${architect-lan} ${radarrdomain}
${architect-wg} ${radarrdomain}
'';

View File

@ -18,6 +18,7 @@ with import ./network.nix;
};
networking.extraHosts = ''
127.0.0.1 ${sonarrdomain}
${architect-lan} ${sonarrdomain}
${architect-wg} ${sonarrdomain}
'';

View File

@ -1,19 +1,6 @@
with import ./network.nix;
{
networking.wireguard = {
interfaces.${proxy-if} = {
ips = ["10.4.0.2/32"];
privateKeyFile = "/secrets/wireguard/proxy.key";
peers = [
{
publicKey = "WmJBpXpYebcmJEF8nVTKMqQK01KyBe42vzc38K66rVs=";
allowedIPs = ["10.4.0.1/32"];
endpoint = "giugl.io:1195";
persistentKeepalive = 21;
}
];
};
interfaces.${vpn-if} = {
listenPort = 1194;
ips = ["10.3.0.1/24"];
@ -30,8 +17,7 @@ with import ./network.nix;
{
# OnePlus
allowedIPs = [oneplus-wg];
# publicKey = "uOQUJo+AfhTAFq50Pt80rdX4PmO28WUARngE2AtwdXU=";
publicKey = "zynSERy6VhxN5zBf1ih3BOAHxvigDixHB9YKnSBgYFs=";
publicKey = "uOQUJo+AfhTAFq50Pt80rdX4PmO28WUARngE2AtwdXU=";
}
@ -99,9 +85,9 @@ with import ./network.nix;
{
# angellane
allowedIPs = [angellane-wg];
publicKey = "MZ+nZklHpBxTL7QN9QJpBBx7yOYRZLONfvqAnuk85x0=";
# broccolino
allowedIPs = [broccolino-wg];
publicKey = "Ig97XCKYZvMperGlQgoKdqvw6VyNHf5+MvcimKEUs1Y=";
}
@ -153,7 +139,7 @@ with import ./network.nix;
{
# defy
allowedIPs = [defy-wg];
publicKey = "Cvi/eto7E6Ef+aiL81ou7x12fJCeuXrf/go9fxEqXG4=";
publicKey = "wEkDNap9/qmkGd0a0PN8ANHgXgxwp+ZdmDW1CmIl4kM=";
}
{