Compare commits
13 Commits
d3255fdb47
...
9bf85c00cf
Author | SHA1 | Date | |
---|---|---|---|
|
9bf85c00cf | ||
|
7c00b8bf0b | ||
|
39c2fe2c6b | ||
|
ac5176e731 | ||
|
e5aab58be7 | ||
|
1e19a08665 | ||
|
3a4d4e9c4f | ||
|
65c76f5a6a | ||
|
26a07a20e5 | ||
|
ce8efa3371 | ||
|
dc9dfd66ed | ||
|
b644b9d684 | ||
|
098e0a6147 |
12
flake.lock
generated
12
flake.lock
generated
@ -24,11 +24,11 @@
|
|||||||
},
|
},
|
||||||
"nixos-unstable": {
|
"nixos-unstable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1682915526,
|
"lastModified": 1683893492,
|
||||||
"narHash": "sha256-j6JZH9MNQfPZ6Fm+LAGJjHLFT26WUB7scB9hNJiBhbA=",
|
"narHash": "sha256-9sINNV7J26/afioFhS0vGrZ2zQHg1eBWE3lesBedyhI=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "d46737f11841872e7980b1550511802db85c52b8",
|
"rev": "0ad4e41995ef6566cdd8477c132884411b7399a2",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@ -40,11 +40,11 @@
|
|||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1682817260,
|
"lastModified": 1683627095,
|
||||||
"narHash": "sha256-kFMXzKNj4d/0Iqbm5l57rHSLyUeyCLMuvlROZIuuhvk=",
|
"narHash": "sha256-8u9SejRpL2TrMuHBdhYh4FKc1OGPDLyWTpIbNTtoHsA=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "db1e4eeb0f9a9028bcb920e00abbc1409dd3ef36",
|
"rev": "a08e061a4ee8329747d54ddf1566d34c55c895eb",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -1,9 +1,11 @@
|
|||||||
{ lib, ... }:
|
{ config, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
domain = "htbaz.giugl.io";
|
domain = "htbaz.giugl.io";
|
||||||
network = import ./network.nix;
|
|
||||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
||||||
|
|
||||||
|
utilities = import ./utilities.nix { inherit lib config; };
|
||||||
|
inherit (utilities) architectInterfaceAddress;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services = {
|
services = {
|
||||||
@ -25,9 +27,9 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
${network.architect-lan} ${domain}
|
${architectInterfaceAddress "lan"} ${domain}
|
||||||
${network.architect-wg} ${domain}
|
${architectInterfaceAddress "wireguard"} ${domain}
|
||||||
${network.architect-ts} ${domain}
|
${architectInterfaceAddress "tailscale"} ${domain}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
users.groups.media.members = [ "bazarr" ];
|
users.groups.media.members = [ "bazarr" ];
|
||||||
|
@ -1,9 +1,11 @@
|
|||||||
{ lib, ... }:
|
{ config, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
domain = "books.giugl.io";
|
domain = "books.giugl.io";
|
||||||
network = import ./network.nix;
|
|
||||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
||||||
|
|
||||||
|
utilities = import ./utilities.nix { inherit lib config; };
|
||||||
|
inherit (utilities) architectInterfaceAddress;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services = {
|
services = {
|
||||||
@ -29,9 +31,9 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
${network.architect-lan} ${domain}
|
${architectInterfaceAddress "lan"} ${domain}
|
||||||
${network.architect-wg} ${domain}
|
${architectInterfaceAddress "wireguard"} ${domain}
|
||||||
${network.architect-ts} ${domain}
|
${architectInterfaceAddress "tailscale"} ${domain}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
users.groups.media.members = [ "calibre-web" ];
|
users.groups.media.members = [ "calibre-web" ];
|
||||||
|
@ -1,11 +1,13 @@
|
|||||||
{ config, pkgs, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
pubkeys = [
|
pubkeys = [
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1we38/N+t8Ah5yrLof8QUwhrob7/VXFKIddaJeOVBLuDVnW7ljiAtdtEiL69D/DV4Ohmt5wMvkAAjfuHmim6FD9A6lzPbSU4KH9W2dcckszKbbI636kuDwem/xui6BW3wJa6P+0xW5ksygEAkzcK2PXuC2b4B9uwhuUdKahiGMKDxISG/WianqAe72cGMfNkYvion3Y1VsMLUdm48d2ABnxNpr7NI9B5iJ8dziOft9gpgfz13CCQRlReo75gk/4xI+vSNrQp7eR+wzJy2/dZg/T8jtyA9Q6jVxrxBpqQ1LNXkAKaJkGo9OabF6Wgpzp+YTAurL4nwR2NaJxwFuyoKvACQy0ai4jrS3206gC6JXZv8ktZMZrwUN+jPqCwfgh5qObFkAqKCxbp52ioDek2MQLdOvzQBX//DBhGEp5rzHGLZ3vhRIiiQiaof5sF5zWiYDW5mqezSPNxJPX/BrTP/Wbs/jpwTLBh3wytiia0S1WXQmya89bqzTPFiDWvTRA62EVKB/JaQtPQQOFAxWwg799DMycPeZ81xttZOyMtI/MZSddyqx2S8fWGwvToZQvuZ38mSIpFseLM1IkgabRIrAmat5SBNGGy9Dqa0eMEa7bwIY/4CMB1y6HMTnaoMXA6cnQfHMoB/zyTZ6oTXIeqeOyiZsK+RN0Mvahj8mXi7dw== giulio@giulio-X230"
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1we38/N+t8Ah5yrLof8QUwhrob7/VXFKIddaJeOVBLuDVnW7ljiAtdtEiL69D/DV4Ohmt5wMvkAAjfuHmim6FD9A6lzPbSU4KH9W2dcckszKbbI636kuDwem/xui6BW3wJa6P+0xW5ksygEAkzcK2PXuC2b4B9uwhuUdKahiGMKDxISG/WianqAe72cGMfNkYvion3Y1VsMLUdm48d2ABnxNpr7NI9B5iJ8dziOft9gpgfz13CCQRlReo75gk/4xI+vSNrQp7eR+wzJy2/dZg/T8jtyA9Q6jVxrxBpqQ1LNXkAKaJkGo9OabF6Wgpzp+YTAurL4nwR2NaJxwFuyoKvACQy0ai4jrS3206gC6JXZv8ktZMZrwUN+jPqCwfgh5qObFkAqKCxbp52ioDek2MQLdOvzQBX//DBhGEp5rzHGLZ3vhRIiiQiaof5sF5zWiYDW5mqezSPNxJPX/BrTP/Wbs/jpwTLBh3wytiia0S1WXQmya89bqzTPFiDWvTRA62EVKB/JaQtPQQOFAxWwg799DMycPeZ81xttZOyMtI/MZSddyqx2S8fWGwvToZQvuZ38mSIpFseLM1IkgabRIrAmat5SBNGGy9Dqa0eMEa7bwIY/4CMB1y6HMTnaoMXA6cnQfHMoB/zyTZ6oTXIeqeOyiZsK+RN0Mvahj8mXi7dw== giulio@giulio-X230"
|
||||||
];
|
];
|
||||||
hostname = "architect";
|
domain = "devs.giugl.io";
|
||||||
network = import ./network.nix;
|
|
||||||
|
utilities = import ./utilities.nix { inherit lib config; };
|
||||||
|
inherit (utilities) generateDeviceStrings;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
@ -41,8 +43,28 @@ in
|
|||||||
./tailscale.nix
|
./tailscale.nix
|
||||||
# ./searx.nix
|
# ./searx.nix
|
||||||
./plex.nix
|
./plex.nix
|
||||||
|
./headscale.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
architect = {
|
||||||
|
networks.lan = {
|
||||||
|
interface = "enp5s0";
|
||||||
|
net = "10.0.0.0/24";
|
||||||
|
devices = {
|
||||||
|
vodafoneStation = { address = "192.168.1.1"; hostname = "vodafone.station"; };
|
||||||
|
|
||||||
|
architect = { address = "10.0.0.250"; hostname = "architect.${domain}"; };
|
||||||
|
router = { address = "10.0.0.1"; hostname = "router.${domain}"; };
|
||||||
|
dvr = { address = "10.0.0.3"; hostname = "dvr.${domain}"; };
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
firewall = {
|
||||||
|
openTCP = [ 22 ];
|
||||||
|
openTCPVPN = [ 22 ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
time.timeZone = "Europe/Rome";
|
time.timeZone = "Europe/Rome";
|
||||||
users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
|
users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
|
||||||
boot = {
|
boot = {
|
||||||
@ -59,8 +81,8 @@ in
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
kernelParams = [
|
kernelParams = with config.architect.networks.lan; [
|
||||||
"ip=${network.architect-lan}::10.0.0.1:255.255.255.0::${network.wan-if}:off"
|
"ip=${devices.architect.address}::${devices.router.address}:255.255.255.0::${interface}:off"
|
||||||
"nvme_core.default_ps_max_latency_us=5500"
|
"nvme_core.default_ps_max_latency_us=5500"
|
||||||
"zfs_arc_max=1073741824"
|
"zfs_arc_max=1073741824"
|
||||||
"memmap=32M$0x4ca6f9478"
|
"memmap=32M$0x4ca6f9478"
|
||||||
@ -81,30 +103,20 @@ in
|
|||||||
tmpOnTmpfsSize = "50%";
|
tmpOnTmpfsSize = "50%";
|
||||||
};
|
};
|
||||||
|
|
||||||
networking = {
|
networking = with config.architect.networks.lan; {
|
||||||
hostName = hostname;
|
hostName = "architect";
|
||||||
hostId = "49350853";
|
hostId = "49350853";
|
||||||
useDHCP = false;
|
useDHCP = false;
|
||||||
defaultGateway = "10.0.0.1";
|
defaultGateway = devices.router.address;
|
||||||
interfaces = {
|
interfaces = {
|
||||||
enp5s0.ipv4.addresses = [{
|
${interface}.ipv4.addresses = [{
|
||||||
address = network.architect-lan;
|
address = devices.architect.address;
|
||||||
prefixLength = 24;
|
prefixLength = 24;
|
||||||
}];
|
}];
|
||||||
enp6s0.useDHCP = false;
|
enp6s0.useDHCP = false;
|
||||||
wlp4s0.useDHCP = false;
|
wlp4s0.useDHCP = false;
|
||||||
};
|
};
|
||||||
extraHosts = ''
|
extraHosts = (generateDeviceStrings config.architect.networks.lan.devices) + ''
|
||||||
127.0.0.1 ${hostname}.devs.giugl.io localhost
|
|
||||||
|
|
||||||
# LAN
|
|
||||||
${network.architect-lan} ${hostname}.devs.giugl.io
|
|
||||||
|
|
||||||
${network.dvr-lan} dvr.devs.giugl.io
|
|
||||||
${network.nas-lan} nas.devs.giugl.io
|
|
||||||
${network.router-lan} router-manduria.devs.giugl.io
|
|
||||||
192.168.1.1 vodafone.station
|
|
||||||
|
|
||||||
# Blacklist
|
# Blacklist
|
||||||
0.0.0.0 metrics.plex.tv
|
0.0.0.0 metrics.plex.tv
|
||||||
0.0.0.0 analytics.plex.tv
|
0.0.0.0 analytics.plex.tv
|
||||||
@ -131,11 +143,6 @@ in
|
|||||||
driSupport = true;
|
driSupport = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
architect.firewall = {
|
|
||||||
openTCP = [ 22 ];
|
|
||||||
openTCPVPN = [ 22 ];
|
|
||||||
};
|
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
fwupd.enable = true;
|
fwupd.enable = true;
|
||||||
das_watchdog.enable = true;
|
das_watchdog.enable = true;
|
||||||
@ -157,3 +164,4 @@ in
|
|||||||
systemPackages = with pkgs; [ cachix ];
|
systemPackages = with pkgs; [ cachix ];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -2,8 +2,10 @@
|
|||||||
|
|
||||||
let
|
let
|
||||||
domain = "htdel.giugl.io";
|
domain = "htdel.giugl.io";
|
||||||
network = import ./network.nix;
|
|
||||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
||||||
|
|
||||||
|
utilities = import ./utilities.nix { inherit lib config; };
|
||||||
|
inherit (utilities) architectInterfaceAddress;
|
||||||
|
|
||||||
listenPorts = [ 51413 51414 ];
|
listenPorts = [ 51413 51414 ];
|
||||||
in
|
in
|
||||||
@ -54,9 +56,9 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
${network.architect-lan} ${domain}
|
${architectInterfaceAddress "lan"} ${domain}
|
||||||
${network.architect-wg} ${domain}
|
${architectInterfaceAddress "wireguard"} ${domain}
|
||||||
${network.architect-ts} ${domain}
|
${architectInterfaceAddress "tailscale"} ${domain}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
users.groups.media.members = [ "deluge" ];
|
users.groups.media.members = [ "deluge" ];
|
||||||
|
@ -1,8 +1,15 @@
|
|||||||
|
{ config, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
|
architect.networks.docker = {
|
||||||
|
interface = "docker0";
|
||||||
|
net = "172.17.0.0/16";
|
||||||
|
};
|
||||||
|
|
||||||
virtualisation.docker = {
|
virtualisation.docker = {
|
||||||
enable = true;
|
enable = true;
|
||||||
extraOptions = ''
|
extraOptions = ''
|
||||||
--dns 127.0.0.1 --dns 10.0.0.250 --data-root /docker
|
--dns 127.0.0.1 --dns ${config.architect.networks.lan.devices.architect.address} --data-root /docker
|
||||||
'';
|
'';
|
||||||
enableOnBoot = false;
|
enableOnBoot = false;
|
||||||
};
|
};
|
||||||
|
@ -1,9 +1,14 @@
|
|||||||
{ config, pkgs, ... }: {
|
{ config, pkgs, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
services.fail2ban = {
|
services.fail2ban = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.fail2ban;
|
package = pkgs.fail2ban;
|
||||||
packageFirewall = pkgs.nftables;
|
packageFirewall = pkgs.nftables;
|
||||||
bantime-increment.enable = true;
|
bantime-increment.enable = true;
|
||||||
ignoreIP = [ "10.0.0.0/24" "10.3.0.0/24" ];
|
ignoreIP = [
|
||||||
|
config.architect.networks.lan.net
|
||||||
|
config.architect.networks.tailscale.net
|
||||||
|
];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -1,13 +1,38 @@
|
|||||||
{ config, lib, ... }:
|
{ config, lib, ... }:
|
||||||
|
|
||||||
with import ./network.nix;
|
|
||||||
with lib;
|
|
||||||
|
|
||||||
let
|
let
|
||||||
openTCP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCP;
|
openTCP = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCP;
|
||||||
openUDP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDP;
|
openUDP = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDP;
|
||||||
openTCPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCPVPN;
|
openTCPVPN = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCPVPN;
|
||||||
openUDPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDPVPN;
|
openUDPVPN = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDPVPN;
|
||||||
|
|
||||||
|
deviceAddress = interface: device:
|
||||||
|
config.architect.networks.${interface}.devices.${device}.address;
|
||||||
|
|
||||||
|
gdevices = [
|
||||||
|
(deviceAddress "tailscale" "architect")
|
||||||
|
(deviceAddress "tailscale" "dodino")
|
||||||
|
(deviceAddress "tailscale" "manduria")
|
||||||
|
(deviceAddress "tailscale" "kmerr")
|
||||||
|
(deviceAddress "tailscale" "chuck")
|
||||||
|
];
|
||||||
|
|
||||||
|
wireguardToWAN = [
|
||||||
|
(deviceAddress "wireguard" "shield")
|
||||||
|
(deviceAddress "wireguard" "parina")
|
||||||
|
(deviceAddress "wireguard" "parina-ipad")
|
||||||
|
(deviceAddress "wireguard" "germano")
|
||||||
|
];
|
||||||
|
|
||||||
|
frameccaDevices = [
|
||||||
|
(deviceAddress "wireguard" "framecca")
|
||||||
|
(deviceAddress "wireguard" "framecca_one")
|
||||||
|
(deviceAddress "wireguard" "framecca_two")
|
||||||
|
(deviceAddress "wireguard" "framecca_three")
|
||||||
|
(deviceAddress "wireguard" "framecca_four")
|
||||||
|
];
|
||||||
|
|
||||||
|
clientToClientWireguard = frameccaDevices;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
networking = {
|
networking = {
|
||||||
@ -17,7 +42,7 @@ in
|
|||||||
|
|
||||||
nftables = {
|
nftables = {
|
||||||
enable = true;
|
enable = true;
|
||||||
ruleset = ''
|
ruleset = with config.architect.networks; ''
|
||||||
table ip raw {
|
table ip raw {
|
||||||
chain PREROUTING {
|
chain PREROUTING {
|
||||||
type filter hook prerouting priority raw; policy accept;
|
type filter hook prerouting priority raw; policy accept;
|
||||||
@ -43,11 +68,11 @@ in
|
|||||||
|
|
||||||
chain POSTROUTING {
|
chain POSTROUTING {
|
||||||
type nat hook postrouting priority srcnat; policy accept;
|
type nat hook postrouting priority srcnat; policy accept;
|
||||||
oifname ${wan-if} ip saddr {${
|
oifname ${lan.interface} ip saddr {${
|
||||||
lib.concatStringsSep "," towan-wg
|
lib.concatStringsSep "," wireguardToWAN
|
||||||
}} masquerade
|
}} masquerade
|
||||||
oifname ${wan-if} ip saddr ${docker-net} masquerade
|
oifname ${lan.interface} ip saddr ${docker.net} masquerade
|
||||||
oifname ${wan-if} ip saddr ${tailscale-net} masquerade
|
oifname ${lan.interface} ip saddr ${tailscale.net} masquerade
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -57,12 +82,13 @@ in
|
|||||||
ct state invalid,untracked drop comment "drop invalid"
|
ct state invalid,untracked drop comment "drop invalid"
|
||||||
ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
|
ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
|
||||||
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
|
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
|
||||||
iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}"
|
iifname ${lan.interface} ip saddr ${wireguard.net} drop comment "bind any ip to intf ${lan.interface}"
|
||||||
iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}"
|
iifname ${lan.interface} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${lan.interface}"
|
||||||
iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
|
iifname ${lan.interface} accept comment "bind any ip to intf ${lan.interface}"
|
||||||
iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
|
iifname ${wireguard.interface} ip saddr ${wireguard.net} accept comment "bind ip ${wireguard.net} to intf ${wireguard.interface}"
|
||||||
iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}"
|
iifname ${docker.interface} ip saddr ${docker.net} accept comment "bind ip ${docker.net} to intf ${docker.interface}"
|
||||||
iifname ${tailscale-if} ip saddr ${tailscale-net} accept
|
iifname ${tailscale.interface} ip saddr ${tailscale.net} accept
|
||||||
|
iifname ${tailscale.interface} ip saddr 100.100.100.100/32 accept
|
||||||
iifname "lo" accept comment "bind any ip to intf lo"
|
iifname "lo" accept comment "bind any ip to intf lo"
|
||||||
jump mangle_drop
|
jump mangle_drop
|
||||||
}
|
}
|
||||||
@ -115,17 +141,17 @@ in
|
|||||||
iifname "lo" accept comment "loopback"
|
iifname "lo" accept comment "loopback"
|
||||||
ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
|
ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
|
||||||
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
|
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
|
||||||
ip saddr ${lan-net} accept comment "lan > local"
|
ip saddr ${lan.net} accept comment "lan > local"
|
||||||
ip saddr ${tailscale-net} accept comment "tailscale > local"
|
ip saddr ${tailscale.net} accept comment "tailscale > local"
|
||||||
ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
|
ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
|
||||||
|
|
||||||
iifname ${wan-if} tcp dport {${openTCP}} accept
|
iifname ${lan.interface} tcp dport {${openTCP}} accept
|
||||||
iifname ${wan-if} udp dport {${openUDP}} accept
|
iifname ${lan.interface} udp dport {${openUDP}} accept
|
||||||
iifname ${vpn-if} tcp dport {${openTCPVPN}} accept
|
iifname ${wireguard.interface} tcp dport {${openTCPVPN}} accept
|
||||||
iifname ${vpn-if} udp dport {${openUDPVPN}} accept
|
iifname ${wireguard.interface} udp dport {${openUDPVPN}} accept
|
||||||
|
|
||||||
iifname ${vpn-if} icmp type echo-request accept
|
iifname ${wireguard.interface} icmp type echo-request accept
|
||||||
iifname ${docker-if} udp dport 53 accept
|
iifname ${docker.interface} udp dport 53 accept
|
||||||
jump filter_drop
|
jump filter_drop
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -134,17 +160,17 @@ in
|
|||||||
ct state established,related accept
|
ct state established,related accept
|
||||||
|
|
||||||
# client to client
|
# client to client
|
||||||
ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${
|
ip saddr {${lib.concatStringsSep "," clientToClientWireguard}} ip daddr {${
|
||||||
lib.concatStringsSep "," c2c-wg
|
lib.concatStringsSep "," clientToClientWireguard
|
||||||
}} accept
|
}} accept
|
||||||
|
|
||||||
# nat to wan
|
# nat to wan
|
||||||
oifname ${wan-if} ip saddr {${
|
oifname ${lan.interface} ip saddr {${
|
||||||
lib.concatStringsSep "," towan-wg
|
lib.concatStringsSep "," wireguardToWAN
|
||||||
}} accept
|
}} accept
|
||||||
|
|
||||||
oifname ${wan-if} ip saddr ${docker-net} accept
|
oifname ${lan.interface} ip saddr ${docker.net} accept
|
||||||
oifname ${wan-if} ip saddr ${tailscale-net} accept
|
oifname ${lan.interface} ip saddr ${tailscale.net} accept
|
||||||
|
|
||||||
jump filter_drop
|
jump filter_drop
|
||||||
}
|
}
|
||||||
|
@ -2,7 +2,9 @@
|
|||||||
|
|
||||||
let
|
let
|
||||||
domain = "git.giugl.io";
|
domain = "git.giugl.io";
|
||||||
network = import ./network.nix;
|
|
||||||
|
utilities = import ./utilities.nix { inherit lib config; };
|
||||||
|
inherit (utilities) architectInterfaceAddress;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
architect.firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ];
|
architect.firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ];
|
||||||
@ -33,9 +35,8 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
${network.architect-lan} ${domain}
|
${architectInterfaceAddress "lan"} ${domain}
|
||||||
${network.architect-wg} ${domain}
|
${architectInterfaceAddress "wireguard"} ${domain}
|
||||||
${network.architect-ts} ${domain}
|
${architectInterfaceAddress "tailscale"} ${domain}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
}
|
}
|
||||||
|
63
hosts/architect/headscale.nix
Normal file
63
hosts/architect/headscale.nix
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
domain = "vipienne.giugl.io";
|
||||||
|
|
||||||
|
utilities = import ./utilities.nix { inherit lib config; };
|
||||||
|
inherit (utilities) architectInterfaceAddress;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
architect.firewall = {
|
||||||
|
openTCP = [ config.services.headscale.port ];
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.extraHosts = ''
|
||||||
|
${architectInterfaceAddress "lan"} ${domain}
|
||||||
|
${architectInterfaceAddress "wireguard"} ${domain}
|
||||||
|
${architectInterfaceAddress "tailscale"} ${domain}
|
||||||
|
'';
|
||||||
|
|
||||||
|
environment.systemPackages = [ pkgs.unstablePkgs.headscale ];
|
||||||
|
|
||||||
|
services = {
|
||||||
|
headscale = {
|
||||||
|
enable = true;
|
||||||
|
package = pkgs.unstablePkgs.headscale;
|
||||||
|
port = 1194;
|
||||||
|
address = "0.0.0.0";
|
||||||
|
serverUrl = "https://${domain}";
|
||||||
|
logLevel = "debug";
|
||||||
|
settings = {
|
||||||
|
dns_config = {
|
||||||
|
magic_dns = true;
|
||||||
|
domains = [
|
||||||
|
"giugl.io"
|
||||||
|
"runas.rocks"
|
||||||
|
"devs.giugl.io"
|
||||||
|
];
|
||||||
|
base_domain = "giugl.io";
|
||||||
|
override_local_dns = true;
|
||||||
|
nameservers = [ config.architect.networks.tailscale.devices.architect.address ];
|
||||||
|
};
|
||||||
|
logtail.enabled = false;
|
||||||
|
ip_prefixes = [ config.architect.networks.tailscale.net ];
|
||||||
|
# The Noise private key is used to encrypt the
|
||||||
|
# traffic between headscale and Tailscale clients when
|
||||||
|
# using the new Noise-based protocol. It must be different
|
||||||
|
# from the legacy private key.
|
||||||
|
noise.private_key_path = "/var/lib/headscale/noise_private.key";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
nginx.virtualHosts.${domain} = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass =
|
||||||
|
"http://127.0.0.1:${toString config.services.headscale.port}";
|
||||||
|
proxyWebsockets = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
};
|
||||||
|
}
|
@ -1,9 +1,11 @@
|
|||||||
{ pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
network = import ./network.nix;
|
|
||||||
domain = "media.giugl.io";
|
domain = "media.giugl.io";
|
||||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
port = 8096;
|
||||||
|
|
||||||
|
utilities = import ./utilities.nix { inherit lib config; };
|
||||||
|
inherit (utilities) architectInterfaceAddress;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
# needed since StateDirectory does not accept symlinks
|
# needed since StateDirectory does not accept symlinks
|
||||||
@ -19,44 +21,40 @@ in
|
|||||||
nginx.virtualHosts.${domain} = {
|
nginx.virtualHosts.${domain} = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices; } +
|
extraConfig = ''
|
||||||
''
|
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
|
||||||
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
|
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
|
||||||
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
|
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
|
||||||
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
|
proxy_buffering off;
|
||||||
proxy_buffering off;
|
|
||||||
'';
|
allow ${config.architect.networks.lan.net};
|
||||||
|
allow ${config.architect.networks.tailscale.net};
|
||||||
|
deny all;
|
||||||
|
'';
|
||||||
|
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://127.0.0.1:8096";
|
proxyPass = "http://127.0.0.1:${toString port}";
|
||||||
# extraConfig = ''
|
|
||||||
# allow 10.0.0.0/24;
|
|
||||||
# allow 10.3.0.0/24;
|
|
||||||
# deny all;
|
|
||||||
# '';
|
|
||||||
};
|
};
|
||||||
|
|
||||||
locations."/socket" = {
|
locations."/socket" = {
|
||||||
proxyPass = "http://127.0.0.1:8096";
|
proxyPass = "http://127.0.0.1:${toString port}";
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
# extraConfig = ''
|
|
||||||
# allow 10.0.0.0/24;
|
|
||||||
# allow 10.3.0.0/24;
|
|
||||||
# deny all;
|
|
||||||
# '';
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
${network.architect-lan} ${domain}
|
${architectInterfaceAddress "lan"} ${domain}
|
||||||
${network.architect-wg} ${domain}
|
${architectInterfaceAddress "wireguard"} ${domain}
|
||||||
${network.architect-ts} ${domain}
|
${architectInterfaceAddress "tailscale"} ${domain}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
users.groups.media.members = [ "jellyfin" ];
|
users.groups = {
|
||||||
users.groups.video.members = [ "jellyfin" ];
|
media.members = [ "jellyfin" ];
|
||||||
users.groups.render.members = [ "jellyfin" ];
|
video.members = [ "jellyfin" ];
|
||||||
|
render.members = [ "jellyfin" ];
|
||||||
|
};
|
||||||
|
|
||||||
fileSystems."/tmp/jellyfin" = {
|
fileSystems."/tmp/jellyfin" = {
|
||||||
device = "none";
|
device = "none";
|
||||||
|
@ -1,8 +1,10 @@
|
|||||||
{ pkgs, config, ... }:
|
{ pkgs, lib, config, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
network = import ./network.nix;
|
|
||||||
domain = "auth.giugl.io";
|
domain = "auth.giugl.io";
|
||||||
|
|
||||||
|
utilities = import ./utilities.nix { inherit lib config; };
|
||||||
|
inherit (utilities) architectInterfaceAddress;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services = {
|
services = {
|
||||||
@ -73,8 +75,8 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
${network.architect-lan} ${domain}
|
${architectInterfaceAddress "lan"} ${domain}
|
||||||
${network.architect-wg} ${domain}
|
${architectInterfaceAddress "wireguard"} ${domain}
|
||||||
${network.architect-ts} ${domain}
|
${architectInterfaceAddress "tailscale"} ${domain}
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
@ -1,8 +1,10 @@
|
|||||||
{ lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
domain = "reddit.giugl.io";
|
domain = "reddit.giugl.io";
|
||||||
network = import ./network.nix;
|
|
||||||
|
utilities = import ./utilities.nix { inherit lib config; };
|
||||||
|
inherit (utilities) architectInterfaceAddress;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services = {
|
services = {
|
||||||
@ -14,13 +16,13 @@ in
|
|||||||
nginx.virtualHosts.${domain} = {
|
nginx.virtualHosts.${domain} = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
locations."/" = { proxyPass = "http://127.0.0.1:9090"; };
|
locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.libreddit.port}"; };
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
${network.architect-lan} ${domain}
|
${architectInterfaceAddress "lan"} ${domain}
|
||||||
${network.architect-wg} ${domain}
|
${architectInterfaceAddress "wireguard"} ${domain}
|
||||||
${network.architect-ts} ${domain}
|
${architectInterfaceAddress "tailscale"} ${domain}
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
@ -1,9 +1,11 @@
|
|||||||
{ lib, ... }:
|
{ config, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
domain = "htlid.giugl.io";
|
domain = "htlid.giugl.io";
|
||||||
network = import ./network.nix;
|
|
||||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
||||||
|
|
||||||
|
utilities = import ./utilities.nix { inherit lib config; };
|
||||||
|
inherit (utilities) architectInterfaceAddress;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services = {
|
services = {
|
||||||
@ -25,10 +27,10 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
${network.architect-lan} ${domain}
|
${architectInterfaceAddress "lan"} ${domain}
|
||||||
${network.architect-wg} ${domain}
|
${architectInterfaceAddress "wireguard"} ${domain}
|
||||||
${network.architect-ts} ${domain}
|
${architectInterfaceAddress "tailscale"} ${domain}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
users.groups.media.members = [ "lidarr" ];
|
users.groups.media.members = [ "lidarr" ];
|
||||||
}
|
}
|
||||||
|
@ -1,9 +1,11 @@
|
|||||||
{ pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
domain = "runas.rocks";
|
domain = "runas.rocks";
|
||||||
network = import ./network.nix;
|
|
||||||
db_name = "matrix-synapse-runas.rocks";
|
db_name = "matrix-synapse-runas.rocks";
|
||||||
|
|
||||||
|
utilities = import ./utilities.nix { inherit lib config; };
|
||||||
|
inherit (utilities) architectInterfaceAddress;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services = {
|
services = {
|
||||||
@ -111,9 +113,8 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
${network.architect-lan} ${domain}
|
${architectInterfaceAddress "lan"} ${domain}
|
||||||
${network.architect-wg} ${domain}
|
${architectInterfaceAddress "wireguard"} ${domain}
|
||||||
${network.architect-ts} ${domain}
|
${architectInterfaceAddress "tailscale"} ${domain}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -1,8 +1,10 @@
|
|||||||
{ config, pkgs, ... }:
|
{ lib, config, pkgs, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
domain = "minecraft.giugl.io";
|
domain = "minecraft.giugl.io";
|
||||||
network = import ./network.nix;
|
|
||||||
|
utilities = import ./utilities.nix { inherit lib config; };
|
||||||
|
inherit (utilities) architectInterfaceAddress;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
architect.firewall.openTCP = [ 25565 ];
|
architect.firewall.openTCP = [ 25565 ];
|
||||||
@ -14,10 +16,10 @@ in
|
|||||||
package = pkgs.unstablePkgs.minecraft-server;
|
package = pkgs.unstablePkgs.minecraft-server;
|
||||||
serverProperties = { motd = "Welcome on the RuNas server!"; };
|
serverProperties = { motd = "Welcome on the RuNas server!"; };
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
${network.architect-lan} ${domain}
|
${architectInterfaceAddress "lan"} ${domain}
|
||||||
${network.architect-wg} ${domain}
|
${architectInterfaceAddress "wireguard"} ${domain}
|
||||||
${network.architect-ts} ${domain}
|
${architectInterfaceAddress "tailscale"} ${domain}
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
@ -1,8 +1,10 @@
|
|||||||
{ lib, ... }:
|
{ config, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
domain = "s3.giugl.io";
|
domain = "s3.giugl.io";
|
||||||
network = import ./network.nix;
|
|
||||||
|
utilities = import ./utilities.nix { inherit lib config; };
|
||||||
|
inherit (utilities) architectInterfaceAddress;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services = {
|
services = {
|
||||||
@ -15,18 +17,17 @@ in
|
|||||||
proxyPass = "http://127.0.0.1:9000";
|
proxyPass = "http://127.0.0.1:9000";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
client_max_body_size 500M;
|
client_max_body_size 500M;
|
||||||
allow 10.0.0.0/24;
|
allow ${config.architect.networks.lan.net};
|
||||||
${lib.concatMapStrings (x: "allow ${x};") network.gdevices }
|
allow ${config.architect.networks.tailscale.net};
|
||||||
allow ${network.manduria-wg};
|
|
||||||
deny all;
|
deny all;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
${network.architect-lan} ${domain}
|
${architectInterfaceAddress "lan"} ${domain}
|
||||||
${network.architect-wg} ${domain}
|
${architectInterfaceAddress "wireguard"} ${domain}
|
||||||
${network.architect-ts} ${domain}
|
${architectInterfaceAddress "tailscale"} ${domain}
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
@ -11,7 +11,8 @@ rec {
|
|||||||
vpn-net = "10.3.0.0/24";
|
vpn-net = "10.3.0.0/24";
|
||||||
external_lan-net = "192.168.1.0/24";
|
external_lan-net = "192.168.1.0/24";
|
||||||
docker-net = "172.17.0.0/16";
|
docker-net = "172.17.0.0/16";
|
||||||
tailscale-net = "100.64.0.0/10";
|
# tailscale-net = "100.64.0.0/10";
|
||||||
|
tailscale-net = "10.4.0.0/24";
|
||||||
|
|
||||||
# ips
|
# ips
|
||||||
router-lan = "10.0.0.1";
|
router-lan = "10.0.0.1";
|
||||||
@ -51,7 +52,8 @@ rec {
|
|||||||
framecca_four-wg = "10.3.0.39";
|
framecca_four-wg = "10.3.0.39";
|
||||||
|
|
||||||
giuliophone-ts = "100.68.68.46";
|
giuliophone-ts = "100.68.68.46";
|
||||||
architect-ts = "100.67.205.28";
|
# architect-ts = "100.67.205.28";
|
||||||
|
architect-ts = "10.4.0.2";
|
||||||
giuliopc-ts = "100.124.78.64";
|
giuliopc-ts = "100.124.78.64";
|
||||||
dodino-ts = "100.106.244.35";
|
dodino-ts = "100.106.244.35";
|
||||||
|
|
||||||
|
@ -1,12 +1,19 @@
|
|||||||
{ pkgs, ... }:
|
{ pkgs, config, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
domain = "cloud.giugl.io";
|
domain = "cloud.giugl.io";
|
||||||
network = import ./network.nix;
|
|
||||||
redis_port = 6379;
|
redis_port = 6379;
|
||||||
|
|
||||||
|
utilities = import ./utilities.nix { inherit lib config; };
|
||||||
|
inherit (utilities) architectInterfaceAddress;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services = {
|
services = {
|
||||||
|
nginx.virtualHosts.${domain} = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
};
|
||||||
|
|
||||||
mysql = {
|
mysql = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.unstablePkgs.mysql80;
|
package = pkgs.unstablePkgs.mysql80;
|
||||||
@ -53,13 +60,9 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
${network.architect-lan} ${domain}
|
${architectInterfaceAddress "lan"} ${domain}
|
||||||
${network.architect-wg} ${domain}
|
${architectInterfaceAddress "wireguard"} ${domain}
|
||||||
${network.architect-ts} ${domain}
|
${architectInterfaceAddress "tailscale"} ${domain}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
services.nginx.virtualHosts.${domain} = {
|
|
||||||
forceSSL = true;
|
|
||||||
enableACME = true;
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
@ -90,5 +90,6 @@
|
|||||||
worker_processes 24;
|
worker_processes 24;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
users.groups.acme.members = [ "nginx" ];
|
users.groups.acme.members = [ "nginx" ];
|
||||||
}
|
}
|
||||||
|
@ -1,9 +1,11 @@
|
|||||||
{ lib, ... }:
|
{ config, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
domain = "htnzb.giugl.io";
|
domain = "htnzb.giugl.io";
|
||||||
network = import ./network.nix;
|
|
||||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
||||||
|
|
||||||
|
utilities = import ./utilities.nix { inherit lib config; };
|
||||||
|
inherit (utilities) architectInterfaceAddress;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services = {
|
services = {
|
||||||
@ -25,9 +27,9 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
${network.architect-lan} ${domain}
|
${architectInterfaceAddress "lan"} ${domain}
|
||||||
${network.architect-wg} ${domain}
|
${architectInterfaceAddress "wireguard"} ${domain}
|
||||||
${network.architect-ts} ${domain}
|
${architectInterfaceAddress "tailscale"} ${domain}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
users.groups.media.members = [ "nzbget" ];
|
users.groups.media.members = [ "nzbget" ];
|
||||||
|
@ -3,23 +3,60 @@
|
|||||||
with lib;
|
with lib;
|
||||||
|
|
||||||
{
|
{
|
||||||
options.architect.firewall = {
|
options.architect = {
|
||||||
openTCP = mkOption {
|
firewall = {
|
||||||
type = types.listOf types.int;
|
openTCP = mkOption {
|
||||||
default = [ ];
|
type = types.listOf types.int;
|
||||||
|
default = [ ];
|
||||||
|
};
|
||||||
|
openUDP = mkOption {
|
||||||
|
type = types.listOf types.int;
|
||||||
|
default = [ ];
|
||||||
|
};
|
||||||
|
openTCPVPN = mkOption {
|
||||||
|
type = types.listOf types.int;
|
||||||
|
default = [ ];
|
||||||
|
};
|
||||||
|
openUDPVPN = mkOption {
|
||||||
|
type = types.listOf types.int;
|
||||||
|
default = [ ];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
openUDP = mkOption {
|
|
||||||
type = types.listOf types.int;
|
networks = mkOption {
|
||||||
default = [ ];
|
type = types.attrsOf (types.submodule {
|
||||||
};
|
options = {
|
||||||
openTCPVPN = mkOption {
|
interface = mkOption {
|
||||||
type = types.listOf types.int;
|
type = types.str;
|
||||||
default = [ ];
|
description = "The network interface name.";
|
||||||
};
|
};
|
||||||
openUDPVPN = mkOption {
|
|
||||||
type = types.listOf types.int;
|
net = mkOption {
|
||||||
default = [ ];
|
type = types.str;
|
||||||
|
description = "The network address in CIDR format.";
|
||||||
|
};
|
||||||
|
|
||||||
|
devices = mkOption {
|
||||||
|
type = types.attrsOf (types.submodule {
|
||||||
|
options = {
|
||||||
|
address = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
description = "The IP address of the device.";
|
||||||
|
};
|
||||||
|
|
||||||
|
hostname = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
description = "The hostname of the device.";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
});
|
||||||
|
default = { };
|
||||||
|
description = "An attribute set of devices with their configurations.";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
});
|
||||||
|
default = { };
|
||||||
|
description = "An attribute set of networks with their configurations.";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -1,9 +1,11 @@
|
|||||||
{ pkgs, lib, ... }:
|
{ pkgs, config, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
domain = "plex.giugl.io";
|
domain = "plex.giugl.io";
|
||||||
network = import ./network.nix;
|
|
||||||
port = 32400;
|
port = 32400;
|
||||||
|
|
||||||
|
utilities = import ./utilities.nix { inherit lib config; };
|
||||||
|
inherit (utilities) architectInterfaceAddress;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
architect.firewall = {
|
architect.firewall = {
|
||||||
@ -86,11 +88,11 @@ in
|
|||||||
locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; };
|
locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; };
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
${network.architect-lan} ${domain}
|
${architectInterfaceAddress "lan"} ${domain}
|
||||||
${network.architect-wg} ${domain}
|
${architectInterfaceAddress "wireguard"} ${domain}
|
||||||
${network.architect-ts} ${domain}
|
${architectInterfaceAddress "tailscale"} ${domain}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
users.groups.media.members = [ "plex" ];
|
users.groups.media.members = [ "plex" ];
|
||||||
|
@ -4,7 +4,9 @@ let
|
|||||||
domain = "xmpp.giugl.io";
|
domain = "xmpp.giugl.io";
|
||||||
conference_domain = "conference.${domain}";
|
conference_domain = "conference.${domain}";
|
||||||
upload_domain = "uploads.${domain}";
|
upload_domain = "uploads.${domain}";
|
||||||
network = import ./network.nix;
|
|
||||||
|
utilities = import ./utilities.nix { inherit lib config; };
|
||||||
|
inherit (utilities) architectInterfaceAddress;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
architect.firewall = {
|
architect.firewall = {
|
||||||
@ -42,9 +44,9 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
${network.architect-lan} ${domain}
|
${architectInterfaceAddress "lan"} ${domain}
|
||||||
${network.architect-wg} ${domain}
|
${architectInterfaceAddress "wireguard"} ${domain}
|
||||||
${network.architect-ts} ${domain}
|
${architectInterfaceAddress "tailscale"} ${domain}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
users.groups = {
|
users.groups = {
|
||||||
|
@ -1,8 +1,10 @@
|
|||||||
{ lib, ... }:
|
{ config, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
domain = "htpro.giugl.io";
|
domain = "htpro.giugl.io";
|
||||||
network = import ./network.nix;
|
|
||||||
|
utilities = import ./utilities.nix { inherit lib config; };
|
||||||
|
inherit (utilities) architectInterfaceAddress;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services = {
|
services = {
|
||||||
@ -14,8 +16,8 @@ in
|
|||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://127.0.0.1:9696";
|
proxyPass = "http://127.0.0.1:9696";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
allow 10.0.0.0/24;
|
allow ${config.architect.networks.lan.net};
|
||||||
${lib.concatMapStrings (x: "allow ${x};") network.gdevices}
|
allow ${config.architect.networks.tailscale.net};
|
||||||
deny all;
|
deny all;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
@ -29,11 +31,11 @@ in
|
|||||||
# };
|
# };
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
${network.architect-lan} ${domain}
|
${architectInterfaceAddress "lan"} ${domain}
|
||||||
${network.architect-wg} ${domain}
|
${architectInterfaceAddress "wireguard"} ${domain}
|
||||||
${network.architect-ts} ${domain}
|
${architectInterfaceAddress "tailscale"} ${domain}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
users.groups.media.members = [ "prowlarr" ];
|
users.groups.media.members = [ "prowlarr" ];
|
||||||
|
@ -1,9 +1,11 @@
|
|||||||
{ lib, ... }:
|
{ config, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
domain = "htrad.giugl.io";
|
domain = "htrad.giugl.io";
|
||||||
network = import ./network.nix;
|
|
||||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
||||||
|
|
||||||
|
utilities = import ./utilities.nix { inherit lib config; };
|
||||||
|
inherit (utilities) architectInterfaceAddress;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services = {
|
services = {
|
||||||
@ -24,10 +26,11 @@ in
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
${network.architect-lan} ${domain}
|
${architectInterfaceAddress "lan"} ${domain}
|
||||||
${network.architect-wg} ${domain}
|
${architectInterfaceAddress "wireguard"} ${domain}
|
||||||
${network.architect-ts} ${domain}
|
${architectInterfaceAddress "tailscale"} ${domain}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
users.groups.media.members = [ "radarr" ];
|
users.groups.media.members = [ "radarr" ];
|
||||||
|
@ -1,14 +1,17 @@
|
|||||||
{ services, pkgs, lib, makeBinPath, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
domain = "runas.rocks";
|
domain = "runas.rocks";
|
||||||
runas_root = "/var/lib/runas.rocks/dist";
|
runas_root = "/var/lib/runas.rocks/dist";
|
||||||
service_name = "runas.rocks-pull";
|
service_name = "runas.rocks-pull";
|
||||||
network = import ./network.nix;
|
|
||||||
mkStartScript = name: pkgs.writeShellScript "${name}.sh" ''
|
mkStartScript = name: pkgs.writeShellScript "${name}.sh" ''
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
cd ${runas_root}
|
cd ${runas_root}
|
||||||
git pull origin main --rebase
|
git pull origin main --rebase
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
utilities = import ./utilities.nix { inherit lib config; };
|
||||||
|
inherit (utilities) architectInterfaceAddress;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services.nginx.virtualHosts.${domain} = {
|
services.nginx.virtualHosts.${domain} = {
|
||||||
@ -39,8 +42,8 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
${network.architect-lan} ${domain}
|
${architectInterfaceAddress "lan"} ${domain}
|
||||||
${network.architect-wg} ${domain}
|
${architectInterfaceAddress "wireguard"} ${domain}
|
||||||
${network.architect-ts} ${domain}
|
${architectInterfaceAddress "tailscale"} ${domain}
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
@ -1,9 +1,11 @@
|
|||||||
{ lib, ... }:
|
{ config, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
domain = "htson.giugl.io";
|
domain = "htson.giugl.io";
|
||||||
network = import ./network.nix;
|
|
||||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
||||||
|
|
||||||
|
utilities = import ./utilities.nix { inherit lib config; };
|
||||||
|
inherit (utilities) architectInterfaceAddress;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services = {
|
services = {
|
||||||
@ -25,9 +27,9 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
${network.architect-lan} ${domain}
|
${architectInterfaceAddress "lan"} ${domain}
|
||||||
${network.architect-wg} ${domain}
|
${architectInterfaceAddress "wireguard"} ${domain}
|
||||||
${network.architect-ts} ${domain}
|
${architectInterfaceAddress "tailscale"} ${domain}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
users.groups.media.members = [ "sonarr" ];
|
users.groups.media.members = [ "sonarr" ];
|
||||||
|
@ -1,24 +1,38 @@
|
|||||||
{ config, lib, ... }:
|
{ config, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
network = import ./network.nix;
|
domain = "devs.giugl.io";
|
||||||
|
|
||||||
ifname = "ts0";
|
utilities = import ./utilities.nix { inherit lib config; };
|
||||||
|
inherit (utilities) generateDeviceStrings;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
architect.firewall.openUDP = [ config.services.tailscale.port ];
|
architect = {
|
||||||
|
firewall.openUDP = [ config.services.tailscale.port ];
|
||||||
|
|
||||||
|
networks.tailscale = {
|
||||||
|
interface = "ts0";
|
||||||
|
net = "100.64.0.0/10";
|
||||||
|
|
||||||
|
devices = {
|
||||||
|
architect = { address = "100.64.0.1"; hostname = "architect.${domain}"; };
|
||||||
|
kmerr = { address = "100.64.0.2"; hostname = "kmerr.${domain}"; };
|
||||||
|
chuck = { address = "100.64.0.4"; hostname = "chuck.${domain}"; };
|
||||||
|
dodino = { address = "100.64.0.5"; hostname = "dodino.${domain}"; };
|
||||||
|
manduria = { address = "100.64.0.6"; hostname = "manduria.${domain}"; };
|
||||||
|
tommy = { address = "100.64.0.7"; hostname = "tommy.${domain}"; };
|
||||||
|
ucsb-workstation = { address = "100.64.0.8"; hostname = "ucsb-workstation.${domain}"; };
|
||||||
|
alfredo = { address = "100.64.0.9"; hostname = "alfredo.${domain}"; };
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
tailscale = {
|
tailscale = {
|
||||||
enable = true;
|
enable = true;
|
||||||
interfaceName = ifname;
|
interfaceName = config.architect.networks.tailscale.interface;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = generateDeviceStrings config.architect.networks.tailscale.devices;
|
||||||
${network.architect-ts} architect.devs.giugl.io
|
|
||||||
${network.giuliopc-ts} kmerr.devs.giugl.io
|
|
||||||
${network.dodino-ts} dodino.devs.giugl.io
|
|
||||||
${network.giuliophone-ts} chuck.devs.giugl.io
|
|
||||||
'';
|
|
||||||
}
|
}
|
||||||
|
13
hosts/architect/utilities.nix
Normal file
13
hosts/architect/utilities.nix
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
{ config, lib, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
# device.address device.hostname
|
||||||
|
generateDeviceStrings = devices: lib.concatStringsSep "\n"
|
||||||
|
(lib.mapAttrsToList (name: device: "${device.address} ${device.hostname}") devices);
|
||||||
|
|
||||||
|
getDeviceAddress = interface: device:
|
||||||
|
config.architect.networks.${interface}.devices.${device}.address;
|
||||||
|
|
||||||
|
architectInterfaceAddress = interface:
|
||||||
|
config.architect.networks.${interface}.devices.architect.address;
|
||||||
|
}
|
@ -1,208 +1,214 @@
|
|||||||
{ config, lib, ... }:
|
{ config, lib, ... }:
|
||||||
|
|
||||||
with import ./network.nix;
|
|
||||||
|
|
||||||
let
|
let
|
||||||
listenPort = 1194;
|
listenPort = 1194;
|
||||||
|
domain = "devs.giugl.io";
|
||||||
|
interface = "wireguard";
|
||||||
|
|
||||||
|
utilities = import ./utilities.nix { inherit lib config; };
|
||||||
|
inherit (utilities) generateDeviceStrings getDeviceAddress;
|
||||||
|
|
||||||
|
getWireguardDeviceAddress = getDeviceAddress "wireguard";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
architect.firewall = {
|
architect = {
|
||||||
openUDP = lib.singleton listenPort;
|
firewall = {
|
||||||
openUDPVPN = lib.singleton listenPort;
|
openUDP = lib.singleton listenPort;
|
||||||
|
openUDPVPN = lib.singleton listenPort;
|
||||||
|
};
|
||||||
|
|
||||||
|
networks.${interface} = {
|
||||||
|
interface = "wg0";
|
||||||
|
net = "10.3.0.0/24";
|
||||||
|
devices = {
|
||||||
|
architect = { address = "10.3.0.1"; hostname = "architect.${domain}"; };
|
||||||
|
antonio = { address = "10.3.0.6"; hostname = "antonio.${domain}"; };
|
||||||
|
gbeast = { address = "10.3.0.7"; hostname = "gbeast.${domain}"; };
|
||||||
|
shield = { address = "10.3.0.12"; hostname = "shield.${domain}"; };
|
||||||
|
salvatore = { address = "10.3.0.16"; hostname = "salvatore.${domain}"; };
|
||||||
|
papa = { address = "10.3.0.17"; hostname = "papa.${domain}"; };
|
||||||
|
defy = { address = "10.3.0.18"; hostname = "defy.${domain}"; };
|
||||||
|
germano = { address = "10.3.0.19"; hostname = "germano.${domain}"; };
|
||||||
|
flavio = { address = "10.3.0.20"; hostname = "flavio.${domain}"; };
|
||||||
|
alain = { address = "10.3.0.22"; hostname = "alain.${domain}"; };
|
||||||
|
dima = { address = "10.3.0.23"; hostname = "dima.${domain}"; };
|
||||||
|
mikey = { address = "10.3.0.24"; hostname = "mikey.${domain}"; };
|
||||||
|
andrew = { address = "10.3.0.25"; hostname = "andrew.${domain}"; };
|
||||||
|
mikeylaptop = { address = "10.3.0.26"; hostname = "mikeylaptop.${domain}"; };
|
||||||
|
andrewdesktop = { address = "10.3.0.27"; hostname = "andrewdesktop.${domain}"; };
|
||||||
|
jacopo = { address = "10.3.0.28"; hostname = "jacopo.${domain}"; };
|
||||||
|
frznn = { address = "10.3.0.29"; hostname = "frznn.${domain}"; };
|
||||||
|
ludo = { address = "10.3.0.30"; hostname = "ludo.${domain}"; };
|
||||||
|
parina = { address = "10.3.0.31"; hostname = "parina.${domain}"; };
|
||||||
|
nilo = { address = "10.3.0.32"; hostname = "nilo.${domain}"; };
|
||||||
|
parina-ipad = { address = "10.3.0.33"; hostname = "parina-ipad.${domain}"; };
|
||||||
|
kclvm = { address = "10.3.0.34"; hostname = "kclvm.${domain}"; };
|
||||||
|
framecca = { address = "10.3.0.35"; hostname = "framecca.${domain}"; };
|
||||||
|
framecca_one = { address = "10.3.0.36"; hostname = "framecca_one.${domain}"; };
|
||||||
|
framecca_two = { address = "10.3.0.37"; hostname = "framecca_two.${domain}"; };
|
||||||
|
framecca_three = { address = "10.3.0.38"; hostname = "framecca_three.${domain}"; };
|
||||||
|
framecca_four = { address = "10.3.0.39"; hostname = "framecca_four.${domain}"; };
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
extraHosts = ''
|
extraHosts = generateDeviceStrings config.architect.networks.wireguard.devices;
|
||||||
${architect-wg} architect.devs.giugl.io
|
|
||||||
${manduria-wg} manduria.devs.giugl.io
|
|
||||||
${antonio-wg} antonio.devs.giugl.io
|
|
||||||
${gbeast-wg} gbeast.devs.giugl.io
|
|
||||||
${shield-wg} shield.devs.giugl.io
|
|
||||||
${salvatore-wg} salvatore.devs.giugl.io
|
|
||||||
${papa-wg} papa.devs.giugl.io
|
|
||||||
${defy-wg} defy.devs.giugl.io
|
|
||||||
${germano-wg} germano.devs.giugl.io
|
|
||||||
${tommy-wg} tommy.devs.giugl.io
|
|
||||||
${alain-wg} alain.devs.giugl.io
|
|
||||||
${dima-wg} dima.devs.giugl.io
|
|
||||||
${mikey-wg} mikey.devs.giugl.io
|
|
||||||
${andrew-wg} andrew.devs.giugl.io
|
|
||||||
${mikeylaptop-wg} mikeylaptop.devs.giugl.io
|
|
||||||
${frznn-wg} frznn.devs.giugl.io
|
|
||||||
${ludo-wg} ludo.devs.giugl.io
|
|
||||||
${parina-wg} parina.devs.giugl.io
|
|
||||||
${parina-ipad-wg} parinaipad.devs.giugl.io
|
|
||||||
${nilo-wg} nilo.devs.giugl.io
|
|
||||||
${kclvm-wg} kclvm.devs.giugl.io
|
|
||||||
${framecca-wg} framecca.devs.giugl.io
|
|
||||||
'';
|
|
||||||
|
|
||||||
wireguard = {
|
wireguard = {
|
||||||
interfaces.${vpn-if} = {
|
interfaces.${config.architect.networks.wireguard.interface} = {
|
||||||
inherit listenPort;
|
inherit listenPort;
|
||||||
|
|
||||||
ips = [ "10.3.0.1/24" ];
|
ips = [ "${config.architect.networks.wireguard.devices.architect.address}/24" ];
|
||||||
privateKeyFile = "/secrets/wireguard/server.key";
|
privateKeyFile = "/secrets/wireguard/server.key";
|
||||||
|
|
||||||
peers = [
|
peers = [
|
||||||
{
|
|
||||||
# Manduria
|
|
||||||
allowedIPs = [ manduria-wg ];
|
|
||||||
publicKey = "wT38oXvDQ8g0hI+pAXQobOWf/Wott2zhwo8TLvXK400=";
|
|
||||||
}
|
|
||||||
|
|
||||||
{
|
{
|
||||||
# Antonio
|
# Antonio
|
||||||
allowedIPs = [ antonio-wg ];
|
allowedIPs = [ (getWireguardDeviceAddress "antonio") ];
|
||||||
publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc=";
|
publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc=";
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
# GBEAST
|
# GBEAST
|
||||||
allowedIPs = [ gbeast-wg ];
|
allowedIPs = [ (getWireguardDeviceAddress "gbeast") ];
|
||||||
publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI=";
|
publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI=";
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
# shield
|
# shield
|
||||||
allowedIPs = [ shield-wg ];
|
allowedIPs = [ (getWireguardDeviceAddress "shield") ];
|
||||||
publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs=";
|
publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs=";
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
# salvatore
|
# salvatore
|
||||||
allowedIPs = [ salvatore-wg ];
|
allowedIPs = [ (getWireguardDeviceAddress "salvatore") ];
|
||||||
publicKey = "fhlnBHeMyHZKLUCTSA9kmkKoM5x/qzz/rnCJrUh3Gzs=";
|
publicKey = "fhlnBHeMyHZKLUCTSA9kmkKoM5x/qzz/rnCJrUh3Gzs=";
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
# papa
|
# papa
|
||||||
allowedIPs = [ papa-wg ];
|
allowedIPs = [ (getWireguardDeviceAddress "papa") ];
|
||||||
publicKey = "oGHygt02Oni3IFbScKD0NVEfHKCp6bpw68aq5g4RrAA=";
|
publicKey = "oGHygt02Oni3IFbScKD0NVEfHKCp6bpw68aq5g4RrAA=";
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
# defy
|
# defy
|
||||||
allowedIPs = [ defy-wg ];
|
allowedIPs = [ (getWireguardDeviceAddress "defy") ];
|
||||||
publicKey = "Cvi/eto7E6Ef+aiL81ou7x12fJCeuXrf/go9fxEqXG4=";
|
publicKey = "Cvi/eto7E6Ef+aiL81ou7x12fJCeuXrf/go9fxEqXG4=";
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
# germano
|
# germano
|
||||||
allowedIPs = [ germano-wg ];
|
allowedIPs = [ (getWireguardDeviceAddress "germano") ];
|
||||||
publicKey = "LJ0DHY1sFVLQb3ngUGGH0HxbDOPb9KCUPSaYcjr5Uiw=";
|
publicKey = "LJ0DHY1sFVLQb3ngUGGH0HxbDOPb9KCUPSaYcjr5Uiw=";
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
# flavio
|
# flavio
|
||||||
allowedIPs = [ flavio-wg ];
|
allowedIPs = [ (getWireguardDeviceAddress "flavio") ];
|
||||||
publicKey = "Yg0P+yHi/9SZHyoel8jT9fmmu+irLYmT8yMp/CZoaSg=";
|
publicKey = "Yg0P+yHi/9SZHyoel8jT9fmmu+irLYmT8yMp/CZoaSg=";
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
|
||||||
# tommy
|
|
||||||
allowedIPs = [ tommy-wg ];
|
|
||||||
publicKey = "tytknU7wql1d0A2provX3RP7CNcEIajfgBJKoSyVLgo=";
|
|
||||||
}
|
|
||||||
|
|
||||||
{
|
{
|
||||||
# alain
|
# alain
|
||||||
allowedIPs = [ alain-wg ];
|
allowedIPs = [ (getWireguardDeviceAddress "alain") ];
|
||||||
publicKey = "/o2msFJoUL4yovcIQJTU8c1faFtekrjSBBWJABouWno=";
|
publicKey = "/o2msFJoUL4yovcIQJTU8c1faFtekrjSBBWJABouWno=";
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
# dima
|
# dima
|
||||||
allowedIPs = [ dima-wg ];
|
allowedIPs = [ (getWireguardDeviceAddress "dima") ];
|
||||||
publicKey = "svzWYIZ6v+cLCp/emGG7mx2YpBJqw2fqjVuHZy7b6H0=";
|
publicKey = "svzWYIZ6v+cLCp/emGG7mx2YpBJqw2fqjVuHZy7b6H0=";
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
# mikey
|
# mikey
|
||||||
allowedIPs = [ mikey-wg ];
|
allowedIPs = [ (getWireguardDeviceAddress "mikey") ];
|
||||||
publicKey = "ewbDdX3z7nxG2aPIf9TogXkhxPlGipLFcy6XfyDC6gI=";
|
publicKey = "ewbDdX3z7nxG2aPIf9TogXkhxPlGipLFcy6XfyDC6gI=";
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
# andrew
|
# andrew
|
||||||
allowedIPs = [ andrew-wg ];
|
allowedIPs = [ (getWireguardDeviceAddress "andrew") ];
|
||||||
publicKey = "LP/FgST9fmBQSoKQFq9sFGvjRFOtRooMcuEcjuqaoWM=";
|
publicKey = "LP/FgST9fmBQSoKQFq9sFGvjRFOtRooMcuEcjuqaoWM=";
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
# mikey laptop
|
# mikey laptop
|
||||||
allowedIPs = [ mikeylaptop-wg ];
|
allowedIPs = [ (getWireguardDeviceAddress "mikeylaptop") ];
|
||||||
publicKey = "kz/pY/PgV+dwF1JZ2It4r5B5QfRSQM7HkbFCdvd5Yxk=";
|
publicKey = "kz/pY/PgV+dwF1JZ2It4r5B5QfRSQM7HkbFCdvd5Yxk=";
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
# andrew desktop
|
# andrew desktop
|
||||||
allowedIPs = [ andrewdesktop-wg ];
|
allowedIPs = [ (getWireguardDeviceAddress "andrewdesktop") ];
|
||||||
publicKey = "rpYr3JNLIzxpxzFuQuaHFEl/XvPEPfwLbDETBP8KYXI=";
|
publicKey = "rpYr3JNLIzxpxzFuQuaHFEl/XvPEPfwLbDETBP8KYXI=";
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
# laptop desktop
|
# laptop desktop
|
||||||
allowedIPs = [ jacopo-wg ];
|
allowedIPs = [ (getWireguardDeviceAddress "jacopo") ];
|
||||||
publicKey = "W/taWI79bPIKOolVVu5xZfiJnPw9K91Xn1zhcM0+4g0=";
|
publicKey = "W/taWI79bPIKOolVVu5xZfiJnPw9K91Xn1zhcM0+4g0=";
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
# frznn
|
# frznn
|
||||||
allowedIPs = [ frznn-wg ];
|
allowedIPs = [ (getWireguardDeviceAddress "frznn") ];
|
||||||
publicKey = "dXcrdME6VnnE5PBYwvUmayf7cn2wpcExeCR9gIXOO0o=";
|
publicKey = "dXcrdME6VnnE5PBYwvUmayf7cn2wpcExeCR9gIXOO0o=";
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
# ludo
|
# ludo
|
||||||
allowedIPs = [ ludo-wg ];
|
allowedIPs = [ (getWireguardDeviceAddress "ludo") ];
|
||||||
publicKey = "ecrxdzx7tQZwMPxZOjHUvxZT2xY79B6XEDIW+fhEtEM=";
|
publicKey = "ecrxdzx7tQZwMPxZOjHUvxZT2xY79B6XEDIW+fhEtEM=";
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
# parina
|
# parina
|
||||||
allowedIPs = [ parina-wg ];
|
allowedIPs = [ (getWireguardDeviceAddress "parina") ];
|
||||||
publicKey = "7nubNnfGsg4/7KemMDn9r99mNK8RFU9uOFFqaYv6rUA=";
|
publicKey = "7nubNnfGsg4/7KemMDn9r99mNK8RFU9uOFFqaYv6rUA=";
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
# nilo
|
# nilo
|
||||||
allowedIPs = [ nilo-wg ];
|
allowedIPs = [ (getWireguardDeviceAddress "nilo") ];
|
||||||
publicKey = "lhTEDJ9WnizvEHTd5kN21fTHF27HNk+fPLQnB1B3LW0=";
|
publicKey = "lhTEDJ9WnizvEHTd5kN21fTHF27HNk+fPLQnB1B3LW0=";
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
# parina ipad
|
# parina ipad
|
||||||
allowedIPs = [ parina-ipad-wg ];
|
allowedIPs = [ (getWireguardDeviceAddress "parina-ipad") ];
|
||||||
publicKey = "ezkCzl2qC7Hd7rFKfqMa0JXDKRhVqy79H52rA06x7mU=";
|
publicKey = "ezkCzl2qC7Hd7rFKfqMa0JXDKRhVqy79H52rA06x7mU=";
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
# kcl vm
|
# kcl vm
|
||||||
allowedIPs = [ kclvm-wg ];
|
allowedIPs = [ (getWireguardDeviceAddress "kclvm") ];
|
||||||
publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE=";
|
publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE=";
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
allowedIPs = [ framecca-wg ];
|
allowedIPs = [ (getWireguardDeviceAddress "framecca") ];
|
||||||
publicKey = "w0XPu5GcDA2vpNk3KCFRdWNVVQHRtAPApEsK1h3Ovyk=";
|
publicKey = "w0XPu5GcDA2vpNk3KCFRdWNVVQHRtAPApEsK1h3Ovyk=";
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
allowedIPs = [ framecca_one-wg ];
|
allowedIPs = [ (getWireguardDeviceAddress "framecca_one") ];
|
||||||
publicKey = "5PnmExv78fU3SS8liUWY/oBCcJ48wzmz/70O0U7K/xs=";
|
publicKey = "5PnmExv78fU3SS8liUWY/oBCcJ48wzmz/70O0U7K/xs=";
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
allowedIPs = [ framecca_two-wg ];
|
allowedIPs = [ (getWireguardDeviceAddress "framecca_two") ];
|
||||||
publicKey = "FbWfh2rL3OYLTDIte+MgctqL/bphn38eqpNy/chc3wM=";
|
publicKey = "FbWfh2rL3OYLTDIte+MgctqL/bphn38eqpNy/chc3wM=";
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
allowedIPs = [ framecca_three-wg ];
|
allowedIPs = [ (getWireguardDeviceAddress "framecca_three") ];
|
||||||
publicKey = "Z3LRFs6CO0kUh4J3pf+HcPsWch3hUAwJBG8/b0Kqnxs=";
|
publicKey = "Z3LRFs6CO0kUh4J3pf+HcPsWch3hUAwJBG8/b0Kqnxs=";
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
allowedIPs = [ framecca_four-wg ];
|
allowedIPs = [ (getWireguardDeviceAddress "framecca_four") ];
|
||||||
publicKey = "g/Ta12igzxSlCxy7KP865qf+l3+r1LjOo6UXjulmPBc=";
|
publicKey = "g/Ta12igzxSlCxy7KP865qf+l3+r1LjOo6UXjulmPBc=";
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
Loading…
Reference in New Issue
Block a user