Compare commits


8 Commits

Author SHA1 Message Date
Giulio De Pasquale
c9966c2f9b Merge branch 'master' of https://git.giugl.io/peperunas/nixos 2021-10-11 11:34:26 +02:00
Giulio De Pasquale
ae0fb4257a no ignore lock 2021-10-11 11:32:30 +02:00
Giulio De Pasquale
bdebb2c35a removed giugl.io name from services. added encryption to telegram, support for proxy 2021-10-11 11:31:21 +02:00
Giulio De Pasquale
d4844525c5 removed peposone, set angellane host 2021-09-25 18:24:29 +02:00
Giulio De Pasquale
ae92868aa0 different plex datadir, send data over http 2021-09-25 18:23:47 +02:00
Giulio De Pasquale
5098be7bb3 prowlarr host, angellane rename 2021-09-25 18:23:08 +02:00
Giulio De Pasquale
63d50a89d8 use adguardhome, remove script 2021-09-25 18:22:18 +02:00
Giulio De Pasquale
567c869186 prowlarr 2021-09-25 18:21:27 +02:00
17 changed files with 93 additions and 106 deletions

.gitignore vendored

@ -1,4 +1,3 @@
result result
result/ result/
flake.lock


@ -18,7 +18,6 @@ with import ./network.nix;
}; };
networking.extraHosts = '' networking.extraHosts = ''
127.0.0.1 ${bazarrdomain}
${architect-lan} ${bazarrdomain} ${architect-lan} ${bazarrdomain}
${architect-wg} ${bazarrdomain} ${architect-wg} ${bazarrdomain}
''; '';


@ -25,9 +25,9 @@ in
./minio.nix ./minio.nix
./matrix.nix ./matrix.nix
./fail2ban.nix ./fail2ban.nix
./plex.nix
./dns.nix ./dns.nix
./minecraft.nix ./minecraft.nix
# ./prowlarr.nix
./plex.nix ./plex.nix
]; ];
@ -87,18 +87,17 @@ in
wlp4s0.useDHCP = false; wlp4s0.useDHCP = false;
}; };
extraHosts = '' extraHosts = ''
127.0.0.1 ${hostname}.devs.giugl.io giugl.io localhost 127.0.0.1 ${hostname}.devs.giugl.io localhost
# LAN # LAN
${architect-lan} ${hostname}.devs.giugl.io giugl.io ${architect-lan} ${hostname}.devs.giugl.io
10.0.0.1 router.devs.giugl.io
${dvr-lan} dvr.devs.giugl.io ${dvr-lan} dvr.devs.giugl.io
${nas-lan} nas.devs.giugl.io ${nas-lan} nas.devs.giugl.io
${giupi-lan} giupi.devs.giugl.io ${giupi-lan} giupi.devs.giugl.io
# Wireguard hosts # Wireguard hosts
${architect-wg} ${hostname}.devs.giugl.io giugl.io ${architect-wg} ${hostname}.devs.giugl.io
${galuminum-wg} galuminum.devs.giugl.io ${galuminum-wg} galuminum.devs.giugl.io
${oneplus-wg} oneplus.devs.giugl.io ${oneplus-wg} oneplus.devs.giugl.io
${ipad-wg} ipad.devs.giugl.io ${ipad-wg} ipad.devs.giugl.io
@ -111,10 +110,9 @@ in
${padulino-wg} padulino.devs.giugl.io ${padulino-wg} padulino.devs.giugl.io
${shield-wg} shield.devs.giugl.io ${shield-wg} shield.devs.giugl.io
${angelino-wg} angelino.devs.giugl.io ${angelino-wg} angelino.devs.giugl.io
${pepos_one-wg} peposone.devs.giugl.io
${pepos_two-wg} pepostwo.devs.giugl.io ${pepos_two-wg} pepostwo.devs.giugl.io
${eleonora-wg} eleonora.devs.giugl.io ${eleonora-wg} eleonora.devs.giugl.io
${broccolino-wg} broccolino.devs.giugl.io ${angellane-wg} angellane.devs.giugl.io
${hotpottino-wg} hotpottino.devs.giugl.io ${hotpottino-wg} hotpottino.devs.giugl.io
${salvatore-wg} salvatore.devs.giugl.io ${salvatore-wg} salvatore.devs.giugl.io
${papa-wg} papa.devs.giugl.io ${papa-wg} papa.devs.giugl.io
@ -144,11 +142,6 @@ in
0.0.0.0 analytics.oneplus.cn 0.0.0.0 analytics.oneplus.cn
0.0.0.0 click.oneplus.cn 0.0.0.0 click.oneplus.cn
0.0.0.0 analytics-api.samsunghealthcn.com 0.0.0.0 analytics-api.samsunghealthcn.com
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
''; '';
}; };
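Review bot: The first hunk lists `# ./prowlarr.nix` commented out, so the prowlarr module added in this same comparison (vhost, ACL, extraHosts, media-group membership) is never built and `prowlarrdomain` in network.nix stays unused; if disabling it is deliberate, a reason on that line, e.g. `# ./prowlarr.nix  # disabled: <reason>`, would stop the next reader from treating it as an oversight. In the last hunk the `::1 localhost ip6-localhost ip6-loopback` and `ff02::` entries are removed from extraHosts; I believe NixOS's generated /etc/hosts still supplies `::1 localhost` on its own, but the `ip6-localhost`/`ip6-loopback` aliases do disappear, so confirm nothing on the host references them. The extraHosts string spans hunks two to four, and the rest of the module is outside this view.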


@ -4,15 +4,19 @@
services = { services = {
dnsmasq = { dnsmasq = {
enable = true; enable = true;
servers = ["127.0.0.1#5353"]; servers = ["127.0.0.1#5300"];
extraConfig = '' extraConfig = ''
localise-queries localise-queries
min-cache-ttl=120 min-cache-ttl=120
max-cache-ttl=2400 max-cache-ttl=2400
addn-hosts=/etc/adblock_hosts
''; '';
}; };
adguardhome = {
enable= true;
port = 3031;
};
dnscrypt-proxy2 = { dnscrypt-proxy2 = {
enable = true; enable = true;
settings = { settings = {
@ -34,73 +38,4 @@
}; };
}; };
}; };
systemd = {
timers.update-adblock = {
wantedBy = [ "timers.target" ];
partOf = [ "update-adblock.service" ];
timerConfig.OnCalendar = "daily";
};
services.update-adblock = {
serviceConfig.Type = "oneshot";
requiredBy = [ "dnsmasq.service" ];
postStop = "systemctl restart dnsmasq";
script = ''
#!/bin/sh
EASYLIST_HOSTSNAME="easylist_hosts.txt"
EASYPRIVACY_HOSTSNAME="easyprivacy_hosts.txt"
STEVENBLACK_HOSTSNAME="stevenblack_hosts.txt"
get_easylist() {
EASYLIST_URL="https://raw.githubusercontent.com/easylist/easylist/master/easylist/easylist_adservers.txt"
tmpfile=`mktemp`
# download easylist
${pkgs.wget}/bin/wget $EASYLIST_URL -O $tmpfile
# remove IP addresses and prepend 0.0.0.0 to create hosts file
cat $tmpfile | egrep -v "([0-9]{1,3}\.){3}[0-9]{1,3}" | grep -oP "^\|\|(\K[a-zA-Z0-9\.\-]+)" | ${pkgs.gawk}/bin/gawk '{print "0.0.0.0 " $0}' > $EASYLIST_HOSTSNAME
rm $tmpfile
}
get_easyprivacy() {
EASYLIST_URL="https://raw.githubusercontent.com/easylist/easylist/master/easyprivacy/easyprivacy_trackingservers.txt"
tmpfile=`mktemp`
# download easylist
${pkgs.wget}/bin/wget $EASYLIST_URL -O $tmpfile
# remove IP addresses and prepend 0.0.0.0 to create hosts file
cat $tmpfile | egrep -v "([0-9]{1,3}\.){3}[0-9]{1,3}" | grep -oP "^\|\|(\K[a-zA-Z0-9\.\-]+)" | ${pkgs.gawk}/bin/gawk '{print "0.0.0.0 " $0}' > $EASYPRIVACY_HOSTSNAME
rm $tmpfile
}
get_stevenblack() {
STEVENBLACK_URL="https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts"
${pkgs.wget}/bin/wget $STEVENBLACK_URL -O $STEVENBLACK_HOSTSNAME
}
get_easylist
get_easyprivacy
get_stevenblack
# create unified file
cat *hosts.txt | sort | uniq | grep "^0" > /etc/adblock_hosts
rm $EASYLIST_HOSTSNAME $STEVENBLACK_HOSTSNAME $EASYPRIVACY_HOSTSNAME
'';
};
};
} }
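Review bot: `servers = ["127.0.0.1#5300"];` changes dnsmasq's upstream, and `adguardhome.enable = true;` is added alongside it, but the hunk does not show which process actually listens on 5300 or whether that process still forwards to dnscrypt-proxy2 (the old 5353 upstream); if the chain is not dnsmasq → adguardhome → dnscrypt-proxy2 as presumably intended, either ad-blocking (the `addn-hosts` file is gone) or DNS encryption silently drops out, so a comment naming the chain next to the `servers` line, e.g. `# dnsmasq :53 -> adguardhome :5300 -> dnscrypt-proxy2`, plus a matching listener setting, would pin it. `port = 3031;` is the AdGuard Home admin UI; nothing here restricts its bind address, and while WAN input is limited to `open_tcp_ports` in firewall.nix, the new `ip saddr ${proxy-wg} accept` rule there would reach it, so confirm the UI is bound to loopback/LAN or protected by a password before the proxy peer is trusted. `enable= true;` is missing the space the surrounding lines use.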


@ -61,6 +61,7 @@ in {
iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}" iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}"
iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}" iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}"
iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}" iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}"
iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}" iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
iifname "lo" accept comment "bind any ip to intf lo" iifname "lo" accept comment "bind any ip to intf lo"
jump mangle_drop jump mangle_drop
@ -115,6 +116,7 @@ in {
ip daddr 255.255.255.255 accept comment "allow broadcast traffic" ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
ip saddr ${lan-net} accept comment "lan > local" ip saddr ${lan-net} accept comment "lan > local"
ip saddr ${proxy-wg} accept comment "proxy > local"
iifname ${wan-if} tcp dport {${open_tcp_ports}} accept iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
iifname ${wan-if} udp dport {${open_udp_ports}} accept iifname ${wan-if} udp dport {${open_udp_ports}} accept
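Review bot: `ip saddr ${proxy-wg} accept comment "proxy > local"` in the second hunk admits every port on this host from the proxy peer, whereas the WAN lines directly below it are limited to `open_tcp_ports`/`open_udp_ports`; because the tunnel endpoint is the public `giugl.io` host (wireguard section on this page), a compromise of that proxy now reaches services that were LAN/VPN-only, e.g. the plex upstream on 32400 or, depending on its bind address, the adguardhome UI on 3031. If the tunnel exists only to front the nginx vhosts, keeping the WAN-style posture would be `ip saddr ${proxy-wg} tcp dport { 80, 443 } accept comment "proxy > nginx"`. The first hunk's `iifname ${proxy-if} ip saddr ${proxy-net} accept` anti-spoofing rule is consistent with the rest of that chain. Both chains begin and end outside these hunks, so the surrounding rules were not reviewed.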


@ -20,13 +20,13 @@ with import ./network.nix;
allow 127.0.0.1; allow 127.0.0.1;
allow 10.0.0.0/24; allow 10.0.0.0/24;
allow 10.3.0.0/24; allow 10.3.0.0/24;
allow 10.4.0.0/24;
deny all; deny all;
''; '';
}; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
127.0.0.1 ${gitdomain}
${architect-lan} ${gitdomain} ${architect-lan} ${gitdomain}
${architect-wg} ${gitdomain} ${architect-wg} ${gitdomain}
''; '';
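Review bot: `allow 10.4.0.0/24;` widens this vhost's ACL to the proxy subnet, but a request arriving through the tunnel carries the tunnel peer as `remote_addr`, not the original client, so from nginx's point of view anyone the public proxy forwards is indistinguishable from a LAN/VPN user and the allow/deny block no longer restricts who reaches git; confirm that is intended (this is the only vhost on the page that gets the entry) or have nginx recover the client address with `set_real_ip_from`/`real_ip_header` for the tunnel peer before the ACL is evaluated. Since the peer's allowedIPs is a single address, `allow ${proxy-wg};` is the narrowest form, and either way the network.nix constant reads better than the repeated literal. The vhost definition starts above this hunk.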


@ -8,7 +8,10 @@ with import ./network.nix;
]; ];
services = { services = {
jellyfin.enable = true; jellyfin = {
enable = true;
package = pkgs.unstable.jellyfin;
};
nginx.virtualHosts.${mediadomain} = { nginx.virtualHosts.${mediadomain} = {
forceSSL = true; forceSSL = true;
@ -25,7 +28,6 @@ with import ./network.nix;
}; };
networking.extraHosts = '' networking.extraHosts = ''
127.0.0.1 ${mediadomain}
${architect-lan} ${mediadomain} ${architect-lan} ${mediadomain}
${architect-wg} ${mediadomain} ${architect-wg} ${mediadomain}
''; '';


@ -37,6 +37,12 @@ with import ./network.nix;
]; ];
} }
]; ];
turn_uris = [
"turns:turn.giugl.io:5349?transport=udp"
"turns:turn.giugl.io:5349?transport=tcp"
];
turn_shared_secret = "69duck duck fuck420";
turn_user_lifetime = "1h";
}; };
postgresql = { postgresql = {
@ -159,6 +165,11 @@ with import ./network.nix;
background = "020202"; # only for gif, transparency not supported background = "020202"; # only for gif, transparency not supported
}; };
}; };
encryption = {
allow = true;
default = true;
};
}; };
}; };
}; };
@ -171,10 +182,8 @@ systemd.services.mautrix-telegram.path = with pkgs; [
]; ];
networking.extraHosts = '' networking.extraHosts = ''
127.0.0.1 ${matrixdomain} ${matrixwebdomain}
${architect-lan} ${matrixdomain} ${matrixwebdomain} ${architect-lan} ${matrixdomain} ${matrixwebdomain}
${architect-wg} ${matrixdomain} ${matrixwebdomain} ${architect-wg} ${matrixdomain} ${matrixwebdomain}
''; '';
users.groups.acme.members = [ "turnserver" ];
} }
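Review bot: `turn_shared_secret = "69duck duck fuck420";` commits a credential to the repository in plaintext, and because the synapse configuration is rendered into the world-readable Nix store it is presumably also readable by every local user at runtime; the repository already keeps WireGuard keys out of the store via `privateKeyFile = "/secrets/wireguard/..."`, so the same pattern applies here: move the line into a root-only file loaded through the synapse module's `extraConfigFiles` option (and coturn's `static-auth-secret-file`, if that is where the value originates) and treat the value that is now in git history as disclosed. The `turn_uris` pointing at `turns:turn.giugl.io:5349` together with `users.groups.acme.members = [ "turnserver" ];` implies coturn reads the ACME certificate; the coturn definition itself is not in this comparison, so its TLS settings were not checked. `encryption = { allow = true; default = true; }` for the telegram bridge is a sensible default and would benefit from a one-line comment stating that new portals are created end-to-end encrypted.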


@ -18,7 +18,6 @@ with import ./network.nix;
}; };
networking.extraHosts = '' networking.extraHosts = ''
127.0.0.1 ${miniodomain}
${architect-lan} ${miniodomain} ${architect-lan} ${miniodomain}
${architect-wg} ${miniodomain} ${architect-wg} ${miniodomain}
''; '';


@ -2,10 +2,12 @@ rec {
# interfaces # interfaces
wan-if = "enp5s0"; wan-if = "enp5s0";
vpn-if = "wg0"; vpn-if = "wg0";
proxy-if = "proxy";
# nets # nets
lan-net = "10.0.0.0/24"; lan-net = "10.0.0.0/24";
vpn-net = "10.3.0.0/24"; vpn-net = "10.3.0.0/24";
proxy-net = "10.4.0.0/24";
external_lan-net = "192.168.1.0/24"; external_lan-net = "192.168.1.0/24";
# ips # ips
@ -14,6 +16,7 @@ rec {
architect-lan = "10.0.0.250"; architect-lan = "10.0.0.250";
giupi-lan = "10.0.0.251"; giupi-lan = "10.0.0.251";
proxy-wg = "10.4.0.1";
architect-wg = "10.3.0.1"; architect-wg = "10.3.0.1";
galuminum-wg = "10.3.0.2"; galuminum-wg = "10.3.0.2";
oneplus-wg = "10.3.0.3"; oneplus-wg = "10.3.0.3";
@ -39,14 +42,14 @@ rec {
dima-wg = "10.3.0.23"; dima-wg = "10.3.0.23";
mikey-wg = "10.3.0.24"; mikey-wg = "10.3.0.24";
eleonora-wg = "10.3.0.100"; eleonora-wg = "10.3.0.100";
broccolino-wg = "10.3.0.200"; angellane-wg = "10.3.0.200";
hotpottino-wg = "10.3.0.201"; hotpottino-wg = "10.3.0.201";
dodino-wg = "10.3.0.202"; dodino-wg = "10.3.0.202";
boogino-wg = "10.3.0.203"; boogino-wg = "10.3.0.203";
# groups # groups
gdevices-wg = [ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg angelino-wg ]; gdevices-wg = [ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg angelino-wg ];
routers-wg = [ hotpottino-wg broccolino-wg dodino-wg ]; routers-wg = [ hotpottino-wg angellane-wg dodino-wg ];
c2c-wg = [ ] ++ gdevices-wg; c2c-wg = [ ] ++ gdevices-wg;
towan-wg = [ shield-wg parisaphone-wg parisapc-wg ] ++ gdevices-wg ++ routers-wg; towan-wg = [ shield-wg parisaphone-wg parisapc-wg ] ++ gdevices-wg ++ routers-wg;
@ -62,4 +65,6 @@ rec {
clouddomain = "cloud.giugl.io"; clouddomain = "cloud.giugl.io";
matrixdomain = "matrix.giugl.io"; matrixdomain = "matrix.giugl.io";
matrixwebdomain = "chat.giugl.io"; matrixwebdomain = "chat.giugl.io";
prowlarrdomain = "htpro.giugl.io";
jupyterdomain = "labs.giugl.io";
} }
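Review bot: `proxy-wg = "10.4.0.1";` and `proxy-net = "10.4.0.0/24";` are introduced here, yet the wireguard section on this page spells the same addresses as literals (`ips = ["10.4.0.2/32"]`, `allowedIPs = ["10.4.0.1/32"]`); referencing the constants, e.g. `allowedIPs = ["${proxy-wg}/32"]`, keeps the firewall rules and the tunnel definition from drifting, and a constant for this host's own tunnel address (something like `architect-proxy = "10.4.0.2"`) would complete the pattern used for the 10.3.0.0/24 hosts. `proxy-wg` is also placed under `# ips` between the LAN entries and the 10.3.x list; grouping it after the VPN addresses would match the file's subnet ordering. `jupyterdomain = "labs.giugl.io";` is defined but nothing in this comparison uses it.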


@ -40,7 +40,6 @@ with import ./network.nix;
}; };
networking.extraHosts = '' networking.extraHosts = ''
127.0.0.1 ${clouddomain}
${architect-lan} ${clouddomain} ${architect-lan} ${clouddomain}
${architect-wg} ${clouddomain} ${architect-wg} ${clouddomain}
''; '';


@ -18,7 +18,6 @@ with import ./network.nix;
}; };
networking.extraHosts = '' networking.extraHosts = ''
127.0.0.1 ${nzbgetdomain}
${architect-lan} ${nzbgetdomain} ${architect-lan} ${nzbgetdomain}
${architect-wg} ${nzbgetdomain} ${architect-wg} ${nzbgetdomain}
''; '';


@ -5,6 +5,7 @@ with import ./network.nix;
services.plex = { services.plex = {
enable = true; enable = true;
package = pkgs.unstable.plex; package = pkgs.unstable.plex;
dataDir = "/plex";
}; };
services.nginx = { services.nginx = {
@ -71,13 +72,12 @@ with import ./network.nix;
proxy_buffering off; proxy_buffering off;
''; '';
locations."/" = { locations."/" = {
proxyPass = "https://localhost:32400"; proxyPass = "http://localhost:32400";
}; };
}; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
127.0.0.1 ${mediadomain}
${architect-lan} ${mediadomain} ${architect-lan} ${mediadomain}
${architect-wg} ${mediadomain} ${architect-wg} ${mediadomain}
''; '';
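Review bot: `proxyPass = "http://localhost:32400";` does not change exposure (the hop is loopback-only and nginx still terminates TLS via the vhost's `forceSSL`), but Plex refuses plain HTTP when its "Secure connections" preference is set to Required, so the new line silently depends on that preference staying at Preferred; a comment such as `# plain HTTP on loopback only; Plex 'Secure connections' must not be 'Required'` records the coupling. `dataDir = "/plex";` moves the library database to a non-default path and nothing in the hunk creates that directory or sets its ownership, so confirm it exists and is owned by the plex service user before the next rebuild.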


@ -0,0 +1,34 @@
with import ./network.nix;
{
services = {
prowlarr.enable = true;
nginx.virtualHosts.${prowlarrdomain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:9696";
extraConfig = ''
allow 10.0.0.0/24;
allow 10.3.0.0/24;
deny all;
'';
};
# locations."/api" = {
# proxyPass = "http://127.0.0.1:9696/prowlarr/api";
# };
#
# locations."/Content" = {
# proxyPass = "http://127.0.0.1:9696/prowlarr/Content";
# };
};
};
networking.extraHosts = ''
${architect-lan} ${prowlarrdomain}
${architect-wg} ${prowlarrdomain}
'';
users.groups.media.members = ["prowlarr"];
}
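Review bot: The ACL `allow 10.0.0.0/24; allow 10.3.0.0/24;` repeats network.nix values as literals; since the file already imports ./network.nix, `allow ${lan-net};` and `allow ${vpn-net};` keep it in step with the rest of the configuration and make the omission of the new proxy subnet (granted in the git vhost on this page) read as a deliberate choice rather than an oversight. Note that configuration.nix in this comparison lists `# ./prowlarr.nix` commented out, so this vhost, its ACL, the extraHosts entries and `users.groups.media.members = ["prowlarr"];` are not currently built. The commented-out `/api` and `/Content` locations are dead text and should be either finished or removed.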


@ -18,7 +18,6 @@ with import ./network.nix;
}; };
networking.extraHosts = '' networking.extraHosts = ''
127.0.0.1 ${radarrdomain}
${architect-lan} ${radarrdomain} ${architect-lan} ${radarrdomain}
${architect-wg} ${radarrdomain} ${architect-wg} ${radarrdomain}
''; '';


@ -18,7 +18,6 @@ with import ./network.nix;
}; };
networking.extraHosts = '' networking.extraHosts = ''
127.0.0.1 ${sonarrdomain}
${architect-lan} ${sonarrdomain} ${architect-lan} ${sonarrdomain}
${architect-wg} ${sonarrdomain} ${architect-wg} ${sonarrdomain}
''; '';


@ -1,6 +1,19 @@
with import ./network.nix; with import ./network.nix;
{ {
networking.wireguard = { networking.wireguard = {
interfaces.${proxy-if} = {
ips = ["10.4.0.2/32"];
privateKeyFile = "/secrets/wireguard/proxy.key";
peers = [
{
publicKey = "WmJBpXpYebcmJEF8nVTKMqQK01KyBe42vzc38K66rVs=";
allowedIPs = ["10.4.0.1/32"];
endpoint = "giugl.io:1195";
persistentKeepalive = 21;
}
];
};
interfaces.${vpn-if} = { interfaces.${vpn-if} = {
listenPort = 1194; listenPort = 1194;
ips = ["10.3.0.1/24"]; ips = ["10.3.0.1/24"];
@ -17,7 +30,8 @@ with import ./network.nix;
{ {
# OnePlus # OnePlus
allowedIPs = [oneplus-wg]; allowedIPs = [oneplus-wg];
publicKey = "uOQUJo+AfhTAFq50Pt80rdX4PmO28WUARngE2AtwdXU="; # publicKey = "uOQUJo+AfhTAFq50Pt80rdX4PmO28WUARngE2AtwdXU=";
publicKey = "zynSERy6VhxN5zBf1ih3BOAHxvigDixHB9YKnSBgYFs=";
} }
@ -85,9 +99,9 @@ with import ./network.nix;
{ {
# broccolino # angellane
allowedIPs = [broccolino-wg]; allowedIPs = [angellane-wg];
publicKey = "Ig97XCKYZvMperGlQgoKdqvw6VyNHf5+MvcimKEUs1Y="; publicKey = "MZ+nZklHpBxTL7QN9QJpBBx7yOYRZLONfvqAnuk85x0=";
} }
@ -139,7 +153,7 @@ with import ./network.nix;
{ {
# defy # defy
allowedIPs = [defy-wg]; allowedIPs = [defy-wg];
publicKey = "wEkDNap9/qmkGd0a0PN8ANHgXgxwp+ZdmDW1CmIl4kM="; publicKey = "Cvi/eto7E6Ef+aiL81ou7x12fJCeuXrf/go9fxEqXG4=";
} }
{ {