8 Commits
ced9c72d4a
...
c9966c2f9b
Author | SHA1 | Date | |
---|---|---|---|
|
c9966c2f9b | ||
|
ae0fb4257a | ||
|
bdebb2c35a | ||
|
d4844525c5 | ||
|
ae92868aa0 | ||
|
5098be7bb3 | ||
|
63d50a89d8 | ||
|
567c869186 |
1
.gitignore
vendored
1
.gitignore
vendored
@ -1,4 +1,3 @@
|
||||
result
|
||||
result/
|
||||
|
||||
flake.lock
|
||||
|
@ -18,7 +18,6 @@ with import ./network.nix;
|
||||
};
|
||||
|
||||
networking.extraHosts = ''
|
||||
127.0.0.1 ${bazarrdomain}
|
||||
${architect-lan} ${bazarrdomain}
|
||||
${architect-wg} ${bazarrdomain}
|
||||
'';
|
||||
|
@ -25,9 +25,9 @@ in
|
||||
./minio.nix
|
||||
./matrix.nix
|
||||
./fail2ban.nix
|
||||
./plex.nix
|
||||
./dns.nix
|
||||
./minecraft.nix
|
||||
# ./prowlarr.nix
|
||||
./plex.nix
|
||||
];
|
||||
|
||||
@ -87,18 +87,17 @@ in
|
||||
wlp4s0.useDHCP = false;
|
||||
};
|
||||
extraHosts = ''
|
||||
127.0.0.1 ${hostname}.devs.giugl.io giugl.io localhost
|
||||
127.0.0.1 ${hostname}.devs.giugl.io localhost
|
||||
|
||||
# LAN
|
||||
${architect-lan} ${hostname}.devs.giugl.io giugl.io
|
||||
${architect-lan} ${hostname}.devs.giugl.io
|
||||
|
||||
10.0.0.1 router.devs.giugl.io
|
||||
${dvr-lan} dvr.devs.giugl.io
|
||||
${nas-lan} nas.devs.giugl.io
|
||||
${giupi-lan} giupi.devs.giugl.io
|
||||
|
||||
# Wireguard hosts
|
||||
${architect-wg} ${hostname}.devs.giugl.io giugl.io
|
||||
${architect-wg} ${hostname}.devs.giugl.io
|
||||
${galuminum-wg} galuminum.devs.giugl.io
|
||||
${oneplus-wg} oneplus.devs.giugl.io
|
||||
${ipad-wg} ipad.devs.giugl.io
|
||||
@ -111,10 +110,9 @@ in
|
||||
${padulino-wg} padulino.devs.giugl.io
|
||||
${shield-wg} shield.devs.giugl.io
|
||||
${angelino-wg} angelino.devs.giugl.io
|
||||
${pepos_one-wg} peposone.devs.giugl.io
|
||||
${pepos_two-wg} pepostwo.devs.giugl.io
|
||||
${eleonora-wg} eleonora.devs.giugl.io
|
||||
${broccolino-wg} broccolino.devs.giugl.io
|
||||
${angellane-wg} angellane.devs.giugl.io
|
||||
${hotpottino-wg} hotpottino.devs.giugl.io
|
||||
${salvatore-wg} salvatore.devs.giugl.io
|
||||
${papa-wg} papa.devs.giugl.io
|
||||
@ -144,11 +142,6 @@ in
|
||||
0.0.0.0 analytics.oneplus.cn
|
||||
0.0.0.0 click.oneplus.cn
|
||||
0.0.0.0 analytics-api.samsunghealthcn.com
|
||||
|
||||
# The following lines are desirable for IPv6 capable hosts
|
||||
::1 localhost ip6-localhost ip6-loopback
|
||||
ff02::1 ip6-allnodes
|
||||
ff02::2 ip6-allrouters
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -4,15 +4,19 @@
|
||||
services = {
|
||||
dnsmasq = {
|
||||
enable = true;
|
||||
servers = ["127.0.0.1#5353"];
|
||||
servers = ["127.0.0.1#5300"];
|
||||
extraConfig = ''
|
||||
localise-queries
|
||||
min-cache-ttl=120
|
||||
max-cache-ttl=2400
|
||||
addn-hosts=/etc/adblock_hosts
|
||||
'';
|
||||
};
|
||||
|
||||
adguardhome = {
|
||||
enable= true;
|
||||
port = 3031;
|
||||
};
|
||||
|
||||
dnscrypt-proxy2 = {
|
||||
enable = true;
|
||||
settings = {
|
||||
@ -34,73 +38,4 @@
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd = {
|
||||
timers.update-adblock = {
|
||||
wantedBy = [ "timers.target" ];
|
||||
partOf = [ "update-adblock.service" ];
|
||||
timerConfig.OnCalendar = "daily";
|
||||
};
|
||||
|
||||
services.update-adblock = {
|
||||
serviceConfig.Type = "oneshot";
|
||||
requiredBy = [ "dnsmasq.service" ];
|
||||
postStop = "systemctl restart dnsmasq";
|
||||
script = ''
|
||||
#!/bin/sh
|
||||
|
||||
EASYLIST_HOSTSNAME="easylist_hosts.txt"
|
||||
EASYPRIVACY_HOSTSNAME="easyprivacy_hosts.txt"
|
||||
STEVENBLACK_HOSTSNAME="stevenblack_hosts.txt"
|
||||
|
||||
get_easylist() {
|
||||
EASYLIST_URL="https://raw.githubusercontent.com/easylist/easylist/master/easylist/easylist_adservers.txt"
|
||||
|
||||
tmpfile=`mktemp`
|
||||
|
||||
# download easylist
|
||||
${pkgs.wget}/bin/wget $EASYLIST_URL -O $tmpfile
|
||||
|
||||
# remove IP addresses and prepend 0.0.0.0 to create hosts file
|
||||
cat $tmpfile | egrep -v "([0-9]{1,3}\.){3}[0-9]{1,3}" | grep -oP "^\|\|(\K[a-zA-Z0-9\.\-]+)" | ${pkgs.gawk}/bin/gawk '{print "0.0.0.0 " $0}' > $EASYLIST_HOSTSNAME
|
||||
|
||||
rm $tmpfile
|
||||
}
|
||||
|
||||
get_easyprivacy() {
|
||||
EASYLIST_URL="https://raw.githubusercontent.com/easylist/easylist/master/easyprivacy/easyprivacy_trackingservers.txt"
|
||||
|
||||
tmpfile=`mktemp`
|
||||
|
||||
# download easylist
|
||||
${pkgs.wget}/bin/wget $EASYLIST_URL -O $tmpfile
|
||||
|
||||
# remove IP addresses and prepend 0.0.0.0 to create hosts file
|
||||
|
||||
cat $tmpfile | egrep -v "([0-9]{1,3}\.){3}[0-9]{1,3}" | grep -oP "^\|\|(\K[a-zA-Z0-9\.\-]+)" | ${pkgs.gawk}/bin/gawk '{print "0.0.0.0 " $0}' > $EASYPRIVACY_HOSTSNAME
|
||||
|
||||
rm $tmpfile
|
||||
}
|
||||
|
||||
get_stevenblack() {
|
||||
STEVENBLACK_URL="https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts"
|
||||
|
||||
${pkgs.wget}/bin/wget $STEVENBLACK_URL -O $STEVENBLACK_HOSTSNAME
|
||||
}
|
||||
|
||||
|
||||
get_easylist
|
||||
get_easyprivacy
|
||||
get_stevenblack
|
||||
|
||||
|
||||
# create unified file
|
||||
|
||||
cat *hosts.txt | sort | uniq | grep "^0" > /etc/adblock_hosts
|
||||
|
||||
rm $EASYLIST_HOSTSNAME $STEVENBLACK_HOSTSNAME $EASYPRIVACY_HOSTSNAME
|
||||
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
|
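Review bot: `adguardhome` is enabled with only `port = 3031;`, so the admin UI's bind address is left to the module default; set `host = "127.0.0.1";` (or confirm the nftables input chain really does not expose 3031) and, if it must be reachable remotely, front it with an nginx vhost carrying the same `allow`/`deny all` list the other services in this compare use. The same block has `enable= true;`, which is missing the space before `=` that every neighbouring assignment has. The surrounding attribute set begins before the hunk.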
@ -61,6 +61,7 @@ in {
|
||||
iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}"
|
||||
iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}"
|
||||
iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
|
||||
iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}"
|
||||
iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
|
||||
iifname "lo" accept comment "bind any ip to intf lo"
|
||||
jump mangle_drop
|
||||
@ -115,6 +116,7 @@ in {
|
||||
ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
|
||||
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
|
||||
ip saddr ${lan-net} accept comment "lan > local"
|
||||
ip saddr ${proxy-wg} accept comment "proxy > local"
|
||||
|
||||
iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
|
||||
iifname ${wan-if} udp dport {${open_udp_ports}} accept
|
||||
|
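Review bot: The new `ip saddr ${proxy-wg} accept comment "proxy > local"` rule is not tied to `${proxy-if}`, and the antispoof chain in the first hunk still lets a WAN packet claiming that source through: it drops `${vpn-net}` and `127.0.0.0/8` on `${wan-if}` but has no matching drop for `${proxy-net}` before the unconditional `iifname ${wan-if} accept`, unless a rule outside these hunks (or reverse-path filtering) covers it. Either add `iifname ${wan-if} ip saddr ${proxy-net} drop comment "bind any ip to intf ${wan-if}"` beside the existing vpn-net drop, or make the input rule `iifname ${proxy-if} ip saddr ${proxy-wg} accept comment "proxy > local"`. The chain definitions start outside these hunks.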
@ -20,13 +20,13 @@ with import ./network.nix;
|
||||
allow 127.0.0.1;
|
||||
allow 10.0.0.0/24;
|
||||
allow 10.3.0.0/24;
|
||||
allow 10.4.0.0/24;
|
||||
deny all;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
networking.extraHosts = ''
|
||||
127.0.0.1 ${gitdomain}
|
||||
${architect-lan} ${gitdomain}
|
||||
${architect-wg} ${gitdomain}
|
||||
'';
|
||||
|
@ -8,7 +8,10 @@ with import ./network.nix;
|
||||
];
|
||||
|
||||
services = {
|
||||
jellyfin.enable = true;
|
||||
jellyfin = {
|
||||
enable = true;
|
||||
package = pkgs.unstable.jellyfin;
|
||||
};
|
||||
|
||||
nginx.virtualHosts.${mediadomain} = {
|
||||
forceSSL = true;
|
||||
@ -25,7 +28,6 @@ with import ./network.nix;
|
||||
};
|
||||
|
||||
networking.extraHosts = ''
|
||||
127.0.0.1 ${mediadomain}
|
||||
${architect-lan} ${mediadomain}
|
||||
${architect-wg} ${mediadomain}
|
||||
'';
|
||||
|
@ -10,7 +10,7 @@ with import ./network.nix;
|
||||
public_baseurl = "https://${matrixdomain}";
|
||||
registration_shared_secret = "runas!";
|
||||
dynamic_thumbnails = true;
|
||||
#enable_registration = true;
|
||||
# enable_registration = true;
|
||||
app_service_config_files = [
|
||||
"/var/lib/matrix-synapse/discord-registration.yaml"
|
||||
"/var/lib/matrix-synapse/telegram-registration.yaml"
|
||||
@ -37,6 +37,12 @@ with import ./network.nix;
|
||||
];
|
||||
}
|
||||
];
|
||||
turn_uris = [
|
||||
"turns:turn.giugl.io:5349?transport=udp"
|
||||
"turns:turn.giugl.io:5349?transport=tcp"
|
||||
];
|
||||
turn_shared_secret = "69duck duck fuck420";
|
||||
turn_user_lifetime = "1h";
|
||||
};
|
||||
|
||||
postgresql = {
|
||||
@ -159,6 +165,11 @@ with import ./network.nix;
|
||||
background = "020202"; # only for gif, transparency not supported
|
||||
};
|
||||
};
|
||||
|
||||
encryption = {
|
||||
allow = true;
|
||||
default = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
@ -171,10 +182,8 @@ systemd.services.mautrix-telegram.path = with pkgs; [
|
||||
];
|
||||
|
||||
networking.extraHosts = ''
|
||||
127.0.0.1 ${matrixdomain} ${matrixwebdomain}
|
||||
${architect-lan} ${matrixdomain} ${matrixwebdomain}
|
||||
${architect-wg} ${matrixdomain} ${matrixwebdomain}
|
||||
'';
|
||||
|
||||
users.groups.acme.members = [ "turnserver" ];
|
||||
}
|
||||
|
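Review bot: `turn_shared_secret = "69duck duck fuck420";` puts a live credential into the Nix expression, which lands in the generated Synapse config in the world-readable Nix store and is now in git history; the adjoining context line `registration_shared_secret = "runas!";` has the same problem, so this is a pattern rather than a one-off. Move it out of the module, e.g. `extraConfigFiles = [ "/secrets/matrix/turn.yaml" ];` with a root-only file holding `turn_shared_secret`, matching the `privateKeyFile = "/secrets/wireguard/proxy.key"` approach used elsewhere in this compare, and rotate the value on both Synapse and the TURN server once it is moved. The `services.matrix-synapse` block starts before the hunk.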
@ -18,7 +18,6 @@ with import ./network.nix;
|
||||
};
|
||||
|
||||
networking.extraHosts = ''
|
||||
127.0.0.1 ${miniodomain}
|
||||
${architect-lan} ${miniodomain}
|
||||
${architect-wg} ${miniodomain}
|
||||
'';
|
||||
|
@ -2,10 +2,12 @@ rec {
|
||||
# interfaces
|
||||
wan-if = "enp5s0";
|
||||
vpn-if = "wg0";
|
||||
proxy-if = "proxy";
|
||||
|
||||
# nets
|
||||
lan-net = "10.0.0.0/24";
|
||||
vpn-net = "10.3.0.0/24";
|
||||
proxy-net = "10.4.0.0/24";
|
||||
external_lan-net = "192.168.1.0/24";
|
||||
|
||||
# ips
|
||||
@ -14,6 +16,7 @@ rec {
|
||||
architect-lan = "10.0.0.250";
|
||||
giupi-lan = "10.0.0.251";
|
||||
|
||||
proxy-wg = "10.4.0.1";
|
||||
architect-wg = "10.3.0.1";
|
||||
galuminum-wg = "10.3.0.2";
|
||||
oneplus-wg = "10.3.0.3";
|
||||
@ -39,14 +42,14 @@ rec {
|
||||
dima-wg = "10.3.0.23";
|
||||
mikey-wg = "10.3.0.24";
|
||||
eleonora-wg = "10.3.0.100";
|
||||
broccolino-wg = "10.3.0.200";
|
||||
angellane-wg = "10.3.0.200";
|
||||
hotpottino-wg = "10.3.0.201";
|
||||
dodino-wg = "10.3.0.202";
|
||||
boogino-wg = "10.3.0.203";
|
||||
|
||||
# groups
|
||||
gdevices-wg = [ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg angelino-wg ];
|
||||
routers-wg = [ hotpottino-wg broccolino-wg dodino-wg ];
|
||||
routers-wg = [ hotpottino-wg angellane-wg dodino-wg ];
|
||||
c2c-wg = [ ] ++ gdevices-wg;
|
||||
towan-wg = [ shield-wg parisaphone-wg parisapc-wg ] ++ gdevices-wg ++ routers-wg;
|
||||
|
||||
@ -62,4 +65,6 @@ rec {
|
||||
clouddomain = "cloud.giugl.io";
|
||||
matrixdomain = "matrix.giugl.io";
|
||||
matrixwebdomain = "chat.giugl.io";
|
||||
prowlarrdomain = "htpro.giugl.io";
|
||||
jupyterdomain = "labs.giugl.io";
|
||||
}
|
||||
|
@ -40,7 +40,6 @@ with import ./network.nix;
|
||||
};
|
||||
|
||||
networking.extraHosts = ''
|
||||
127.0.0.1 ${clouddomain}
|
||||
${architect-lan} ${clouddomain}
|
||||
${architect-wg} ${clouddomain}
|
||||
'';
|
||||
|
@ -18,7 +18,6 @@ with import ./network.nix;
|
||||
};
|
||||
|
||||
networking.extraHosts = ''
|
||||
127.0.0.1 ${nzbgetdomain}
|
||||
${architect-lan} ${nzbgetdomain}
|
||||
${architect-wg} ${nzbgetdomain}
|
||||
'';
|
||||
|
@ -5,6 +5,7 @@ with import ./network.nix;
|
||||
services.plex = {
|
||||
enable = true;
|
||||
package = pkgs.unstable.plex;
|
||||
dataDir = "/plex";
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
@ -71,13 +72,12 @@ with import ./network.nix;
|
||||
proxy_buffering off;
|
||||
'';
|
||||
locations."/" = {
|
||||
proxyPass = "https://localhost:32400";
|
||||
proxyPass = "http://localhost:32400";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
networking.extraHosts = ''
|
||||
127.0.0.1 ${mediadomain}
|
||||
${architect-lan} ${mediadomain}
|
||||
${architect-wg} ${mediadomain}
|
||||
'';
|
||||
|
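--- /dev/null
+++ b/hosts/architect/prowlarr.nix
@@ -0,0 +1,34 @@
+with import ./network.nix;
+{
+services = {
+prowlarr.enable = true;
+
+nginx.virtualHosts.${prowlarrdomain} = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+proxyPass = "http://localhost:9696";
+extraConfig = ''
+allow 10.0.0.0/24;
+allow 10.3.0.0/24;
+deny all;
+'';
+};
+
+# locations."/api" = {
+# proxyPass = "http://127.0.0.1:9696/prowlarr/api";
+# };
+#
+# locations."/Content" = {
+# proxyPass = "http://127.0.0.1:9696/prowlarr/Content";
+# };
+};
+};
+
+networking.extraHosts = ''
+${architect-lan} ${prowlarrdomain}
+${architect-wg} ${prowlarrdomain}
+'';
+
+users.groups.media.members = ["prowlarr"];
+}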
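Review bot: The allow-list on `locations."/"` admits `10.0.0.0/24` and `10.3.0.0/24` but not `10.4.0.0/24`, which the gitea vhost hunk in this same compare adds; confirm the omission is intended rather than an oversight, since the `/` location is the only guard in front of the Prowlarr API. The commented-out `/api` and `/Content` blocks are dead configuration; drop them (git keeps them) or add a one-line comment saying why they are retained. The imports hunk earlier in the compare appears to reference this file only as `# ./prowlarr.nix`, so the module looks inactive as of this compare; a header comment stating that would save the next reader a search.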
@ -18,7 +18,6 @@ with import ./network.nix;
|
||||
};
|
||||
|
||||
networking.extraHosts = ''
|
||||
127.0.0.1 ${radarrdomain}
|
||||
${architect-lan} ${radarrdomain}
|
||||
${architect-wg} ${radarrdomain}
|
||||
'';
|
||||
|
@ -18,7 +18,6 @@ with import ./network.nix;
|
||||
};
|
||||
|
||||
networking.extraHosts = ''
|
||||
127.0.0.1 ${sonarrdomain}
|
||||
${architect-lan} ${sonarrdomain}
|
||||
${architect-wg} ${sonarrdomain}
|
||||
'';
|
||||
|
@ -1,6 +1,19 @@
|
||||
with import ./network.nix;
|
||||
{
|
||||
networking.wireguard = {
|
||||
interfaces.${proxy-if} = {
|
||||
ips = ["10.4.0.2/32"];
|
||||
privateKeyFile = "/secrets/wireguard/proxy.key";
|
||||
peers = [
|
||||
{
|
||||
publicKey = "WmJBpXpYebcmJEF8nVTKMqQK01KyBe42vzc38K66rVs=";
|
||||
allowedIPs = ["10.4.0.1/32"];
|
||||
endpoint = "giugl.io:1195";
|
||||
persistentKeepalive = 21;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
interfaces.${vpn-if} = {
|
||||
listenPort = 1194;
|
||||
ips = ["10.3.0.1/24"];
|
||||
@ -17,7 +30,8 @@ with import ./network.nix;
|
||||
{
|
||||
# OnePlus
|
||||
allowedIPs = [oneplus-wg];
|
||||
publicKey = "uOQUJo+AfhTAFq50Pt80rdX4PmO28WUARngE2AtwdXU=";
|
||||
# publicKey = "uOQUJo+AfhTAFq50Pt80rdX4PmO28WUARngE2AtwdXU=";
|
||||
publicKey = "zynSERy6VhxN5zBf1ih3BOAHxvigDixHB9YKnSBgYFs=";
|
||||
}
|
||||
|
||||
|
||||
@ -85,9 +99,9 @@ with import ./network.nix;
|
||||
|
||||
|
||||
{
|
||||
# broccolino
|
||||
allowedIPs = [broccolino-wg];
|
||||
publicKey = "Ig97XCKYZvMperGlQgoKdqvw6VyNHf5+MvcimKEUs1Y=";
|
||||
# angellane
|
||||
allowedIPs = [angellane-wg];
|
||||
publicKey = "MZ+nZklHpBxTL7QN9QJpBBx7yOYRZLONfvqAnuk85x0=";
|
||||
}
|
||||
|
||||
|
||||
@ -139,7 +153,7 @@ with import ./network.nix;
|
||||
{
|
||||
# defy
|
||||
allowedIPs = [defy-wg];
|
||||
publicKey = "wEkDNap9/qmkGd0a0PN8ANHgXgxwp+ZdmDW1CmIl4kM=";
|
||||
publicKey = "Cvi/eto7E6Ef+aiL81ou7x12fJCeuXrf/go9fxEqXG4=";
|
||||
}
|
||||
|
||||
{
|
||||
|
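Review bot: The OnePlus key rotation keeps the retired key as `# publicKey = "uOQUJo+AfhTAFq50Pt80rdX4PmO28WUARngE2AtwdXU=";` directly above the new one, while the defy rotation in the same file replaces its key outright; delete the commented line so the peer list only shows keys that are actually trusted, as git history already preserves the old value. The new `interfaces.${proxy-if}` block keeps the private key out of the store via `privateKeyFile`, which is the right shape; a short comment naming what the `giugl.io:1195` peer is would help, since the `${vpn-if}` peers shown here each carry one. The `peers` list of `${vpn-if}` begins and ends outside these hunks.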