


Giulio De Pasquale
9bf85c00cf architect: services use new networking attrset 2023-05-12 23:05:10 +02:00
Giulio De Pasquale
7c00b8bf0b wireguard: remove devices 2023-05-12 14:34:49 +02:00
Giulio De Pasquale
39c2fe2c6b Update lock 2023-05-12 14:31:04 +02:00
Giulio De Pasquale
ac5176e731 docker: port to networking attrset 2023-05-12 14:29:17 +02:00
Giulio De Pasquale
e5aab58be7 architect: port firewall to networking attrset 2023-05-12 14:28:58 +02:00
Giulio De Pasquale
1e19a08665 tailscale: Use networking attrset 2023-05-12 14:28:39 +02:00
Giulio De Pasquale
3a4d4e9c4f architect: Use networking options 2023-05-12 13:48:45 +02:00
Giulio De Pasquale
65c76f5a6a architect: Moved tailscale config to new network attribute set 2023-05-12 12:50:20 +02:00
Giulio De Pasquale
26a07a20e5 architect: Moved wireguard config to new network attribute set 2023-05-12 12:32:48 +02:00
Giulio De Pasquale
ce8efa3371 architect: Added architect.networks option attribute set 2023-05-12 12:32:29 +02:00
Giulio De Pasquale
dc9dfd66ed Revert "dnsmasq: domain -> local"
This reverts commit 098e0a6147.
2023-05-06 15:04:31 +02:00
Giulio De Pasquale
b644b9d684 headscale: init 2023-05-06 15:04:25 +02:00
Giulio De Pasquale
098e0a6147 dnsmasq: domain -> local 2023-05-06 15:03:20 +02:00
31 changed files with 513 additions and 297 deletions

flake.lock generated

@ -24,11 +24,11 @@
}, },
"nixos-unstable": { "nixos-unstable": {
"locked": { "locked": {
"lastModified": 1682915526, "lastModified": 1683893492,
"narHash": "sha256-j6JZH9MNQfPZ6Fm+LAGJjHLFT26WUB7scB9hNJiBhbA=", "narHash": "sha256-9sINNV7J26/afioFhS0vGrZ2zQHg1eBWE3lesBedyhI=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "d46737f11841872e7980b1550511802db85c52b8", "rev": "0ad4e41995ef6566cdd8477c132884411b7399a2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -40,11 +40,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1682817260, "lastModified": 1683627095,
"narHash": "sha256-kFMXzKNj4d/0Iqbm5l57rHSLyUeyCLMuvlROZIuuhvk=", "narHash": "sha256-8u9SejRpL2TrMuHBdhYh4FKc1OGPDLyWTpIbNTtoHsA=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "db1e4eeb0f9a9028bcb920e00abbc1409dd3ef36", "rev": "a08e061a4ee8329747d54ddf1566d34c55c895eb",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -1,9 +1,11 @@
{ lib, ... }: { config, lib, ... }:
let let
domain = "htbaz.giugl.io"; domain = "htbaz.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -25,9 +27,9 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
users.groups.media.members = [ "bazarr" ]; users.groups.media.members = [ "bazarr" ];


@ -1,9 +1,11 @@
{ lib, ... }: { config, lib, ... }:
let let
domain = "books.giugl.io"; domain = "books.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -29,9 +31,9 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
users.groups.media.members = [ "calibre-web" ]; users.groups.media.members = [ "calibre-web" ];


@ -1,11 +1,13 @@
{ config, pkgs, ... }: { config, pkgs, lib, ... }:
let let
pubkeys = [ pubkeys = [
"ssh-rsa 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 giulio@giulio-X230" "ssh-rsa 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 giulio@giulio-X230"
]; ];
hostname = "architect"; domain = "devs.giugl.io";
network = import ./network.nix;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) generateDeviceStrings;
in in
{ {
imports = [ imports = [
@ -41,8 +43,28 @@ in
./tailscale.nix ./tailscale.nix
# ./searx.nix # ./searx.nix
./plex.nix ./plex.nix
./headscale.nix
]; ];
architect = {
networks.lan = {
interface = "enp5s0";
net = "10.0.0.0/24";
devices = {
vodafoneStation = { address = "192.168.1.1"; hostname = "vodafone.station"; };
architect = { address = "10.0.0.250"; hostname = "architect.${domain}"; };
router = { address = "10.0.0.1"; hostname = "router.${domain}"; };
dvr = { address = "10.0.0.3"; hostname = "dvr.${domain}"; };
};
};
firewall = {
openTCP = [ 22 ];
openTCPVPN = [ 22 ];
};
};
time.timeZone = "Europe/Rome"; time.timeZone = "Europe/Rome";
users.users.giulio.openssh.authorizedKeys.keys = pubkeys; users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
boot = { boot = {
@ -59,8 +81,8 @@ in
}; };
}; };
kernelParams = [ kernelParams = with config.architect.networks.lan; [
"ip=${network.architect-lan}::10.0.0.1:255.255.255.0::${network.wan-if}:off" "ip=${devices.architect.address}::${devices.router.address}:255.255.255.0::${interface}:off"
"nvme_core.default_ps_max_latency_us=5500" "nvme_core.default_ps_max_latency_us=5500"
"zfs_arc_max=1073741824" "zfs_arc_max=1073741824"
"memmap=32M$0x4ca6f9478" "memmap=32M$0x4ca6f9478"
@ -81,30 +103,20 @@ in
tmpOnTmpfsSize = "50%"; tmpOnTmpfsSize = "50%";
}; };
networking = { networking = with config.architect.networks.lan; {
hostName = hostname; hostName = "architect";
hostId = "49350853"; hostId = "49350853";
useDHCP = false; useDHCP = false;
defaultGateway = "10.0.0.1"; defaultGateway = devices.router.address;
interfaces = { interfaces = {
enp5s0.ipv4.addresses = [{ ${interface}.ipv4.addresses = [{
address = network.architect-lan; address = devices.architect.address;
prefixLength = 24; prefixLength = 24;
}]; }];
enp6s0.useDHCP = false; enp6s0.useDHCP = false;
wlp4s0.useDHCP = false; wlp4s0.useDHCP = false;
}; };
extraHosts = '' extraHosts = (generateDeviceStrings config.architect.networks.lan.devices) + ''
127.0.0.1 ${hostname}.devs.giugl.io localhost
# LAN
${network.architect-lan} ${hostname}.devs.giugl.io
${network.dvr-lan} dvr.devs.giugl.io
${network.nas-lan} nas.devs.giugl.io
${network.router-lan} router-manduria.devs.giugl.io
192.168.1.1 vodafone.station
# Blacklist # Blacklist
0.0.0.0 metrics.plex.tv 0.0.0.0 metrics.plex.tv
0.0.0.0 analytics.plex.tv 0.0.0.0 analytics.plex.tv
@ -131,11 +143,6 @@ in
driSupport = true; driSupport = true;
}; };
architect.firewall = {
openTCP = [ 22 ];
openTCPVPN = [ 22 ];
};
services = { services = {
fwupd.enable = true; fwupd.enable = true;
das_watchdog.enable = true; das_watchdog.enable = true;
@ -157,3 +164,4 @@ in
systemPackages = with pkgs; [ cachix ]; systemPackages = with pkgs; [ cachix ];
}; };
} }
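Review bot: The old `extraHosts` block published `nas.devs.giugl.io` (from `network.nas-lan`), but no `nas` entry exists in `networks.lan.devices`, so the generated hosts file silently loses that name; add `nas = { address = <the address previously in network.nix>; hostname = "nas.${domain}"; };` if the host is still in use. `vodafoneStation` at `192.168.1.1` is placed inside the `lan` network declared as `net = "10.0.0.0/24"`, so anything that derives rules or hosts entries from `lan.devices` (presumably `generateDeviceStrings`, which is not in this view) will treat an off-subnet host as on-net; a separate `networks.modem` entry or a comment explaining the exception would be clearer. The kernel `ip=` line and `prefixLength = 24` still hard-code `255.255.255.0`/24 next to the `/24` in `net`, which invites drift when one of them changes.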


@ -2,8 +2,10 @@
let let
domain = "htdel.giugl.io"; domain = "htdel.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
listenPorts = [ 51413 51414 ]; listenPorts = [ 51413 51414 ];
in in
@ -54,9 +56,9 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
users.groups.media.members = [ "deluge" ]; users.groups.media.members = [ "deluge" ];


@ -1,8 +1,15 @@
{ config, ... }:
{ {
architect.networks.docker = {
interface = "docker0";
net = "172.17.0.0/16";
};
virtualisation.docker = { virtualisation.docker = {
enable = true; enable = true;
extraOptions = '' extraOptions = ''
--dns 127.0.0.1 --dns 10.0.0.250 --data-root /docker --dns 127.0.0.1 --dns ${config.architect.networks.lan.devices.architect.address} --data-root /docker
''; '';
enableOnBoot = false; enableOnBoot = false;
}; };
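Review bot: `net = "172.17.0.0/16"` is Docker's default bridge subnet, but nothing in `extraOptions` pins the daemon to it (no `--bip` or `--fixed-cidr`), so if the daemon ever allocates a different pool the `iifname docker0 ip saddr ${docker.net}` accept and masquerade rules that consume this option stop matching without any error. Pin it from the same value, e.g. `--bip 172.17.0.1/16` in `extraOptions`, so the firewall and the daemon cannot disagree.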


@ -1,9 +1,14 @@
{ config, pkgs, ... }: { { config, pkgs, ... }:
{
services.fail2ban = { services.fail2ban = {
enable = true; enable = true;
package = pkgs.fail2ban; package = pkgs.fail2ban;
packageFirewall = pkgs.nftables; packageFirewall = pkgs.nftables;
bantime-increment.enable = true; bantime-increment.enable = true;
ignoreIP = [ "10.0.0.0/24" "10.3.0.0/24" ]; ignoreIP = [
config.architect.networks.lan.net
config.architect.networks.tailscale.net
];
}; };
} }
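Review bot: The new `ignoreIP` list drops the wireguard network (the old list had `10.3.0.0/24`) and adds the whole tailscale net, which is a policy change rather than a pure port to the attrset. If wireguard peers should still be exempt from banning, add `config.architect.networks.wireguard.net` to the list; and be aware that exempting `tailscale.net` exempts every node headscale admits, not just the named devices the firewall trusts. `architect.networks.tailscale` is defined in tailscale.nix, outside this view, so its value is assumed to be the `10.4.0.0/24` shown in network.nix.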


@ -1,13 +1,38 @@
{ config, lib, ... }: { config, lib, ... }:
with import ./network.nix;
with lib;
let let
openTCP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCP; openTCP = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCP;
openUDP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDP; openUDP = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDP;
openTCPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCPVPN; openTCPVPN = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCPVPN;
openUDPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDPVPN; openUDPVPN = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDPVPN;
deviceAddress = interface: device:
config.architect.networks.${interface}.devices.${device}.address;
gdevices = [
(deviceAddress "tailscale" "architect")
(deviceAddress "tailscale" "dodino")
(deviceAddress "tailscale" "manduria")
(deviceAddress "tailscale" "kmerr")
(deviceAddress "tailscale" "chuck")
];
wireguardToWAN = [
(deviceAddress "wireguard" "shield")
(deviceAddress "wireguard" "parina")
(deviceAddress "wireguard" "parina-ipad")
(deviceAddress "wireguard" "germano")
];
frameccaDevices = [
(deviceAddress "wireguard" "framecca")
(deviceAddress "wireguard" "framecca_one")
(deviceAddress "wireguard" "framecca_two")
(deviceAddress "wireguard" "framecca_three")
(deviceAddress "wireguard" "framecca_four")
];
clientToClientWireguard = frameccaDevices;
in in
{ {
networking = { networking = {
@ -17,7 +42,7 @@ in
nftables = { nftables = {
enable = true; enable = true;
ruleset = '' ruleset = with config.architect.networks; ''
table ip raw { table ip raw {
chain PREROUTING { chain PREROUTING {
type filter hook prerouting priority raw; policy accept; type filter hook prerouting priority raw; policy accept;
@ -43,11 +68,11 @@ in
chain POSTROUTING { chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept; type nat hook postrouting priority srcnat; policy accept;
oifname ${wan-if} ip saddr {${ oifname ${lan.interface} ip saddr {${
lib.concatStringsSep "," towan-wg lib.concatStringsSep "," wireguardToWAN
}} masquerade }} masquerade
oifname ${wan-if} ip saddr ${docker-net} masquerade oifname ${lan.interface} ip saddr ${docker.net} masquerade
oifname ${wan-if} ip saddr ${tailscale-net} masquerade oifname ${lan.interface} ip saddr ${tailscale.net} masquerade
} }
} }
@ -57,12 +82,13 @@ in
ct state invalid,untracked drop comment "drop invalid" ct state invalid,untracked drop comment "drop invalid"
ip daddr 255.255.255.255 accept comment "allow broadcast traffic" ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}" iifname ${lan.interface} ip saddr ${wireguard.net} drop comment "bind any ip to intf ${lan.interface}"
iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}" iifname ${lan.interface} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${lan.interface}"
iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}" iifname ${lan.interface} accept comment "bind any ip to intf ${lan.interface}"
iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}" iifname ${wireguard.interface} ip saddr ${wireguard.net} accept comment "bind ip ${wireguard.net} to intf ${wireguard.interface}"
iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}" iifname ${docker.interface} ip saddr ${docker.net} accept comment "bind ip ${docker.net} to intf ${docker.interface}"
iifname ${tailscale-if} ip saddr ${tailscale-net} accept iifname ${tailscale.interface} ip saddr ${tailscale.net} accept
iifname ${tailscale.interface} ip saddr 100.100.100.100/32 accept
iifname "lo" accept comment "bind any ip to intf lo" iifname "lo" accept comment "bind any ip to intf lo"
jump mangle_drop jump mangle_drop
} }
@ -115,17 +141,17 @@ in
iifname "lo" accept comment "loopback" iifname "lo" accept comment "loopback"
ip daddr 255.255.255.255 accept comment "allow broadcast traffic" ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
ip saddr ${lan-net} accept comment "lan > local" ip saddr ${lan.net} accept comment "lan > local"
ip saddr ${tailscale-net} accept comment "tailscale > local" ip saddr ${tailscale.net} accept comment "tailscale > local"
ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local" ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
iifname ${wan-if} tcp dport {${openTCP}} accept iifname ${lan.interface} tcp dport {${openTCP}} accept
iifname ${wan-if} udp dport {${openUDP}} accept iifname ${lan.interface} udp dport {${openUDP}} accept
iifname ${vpn-if} tcp dport {${openTCPVPN}} accept iifname ${wireguard.interface} tcp dport {${openTCPVPN}} accept
iifname ${vpn-if} udp dport {${openUDPVPN}} accept iifname ${wireguard.interface} udp dport {${openUDPVPN}} accept
iifname ${vpn-if} icmp type echo-request accept iifname ${wireguard.interface} icmp type echo-request accept
iifname ${docker-if} udp dport 53 accept iifname ${docker.interface} udp dport 53 accept
jump filter_drop jump filter_drop
} }
@ -134,17 +160,17 @@ in
ct state established,related accept ct state established,related accept
# client to client # client to client
ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${ ip saddr {${lib.concatStringsSep "," clientToClientWireguard}} ip daddr {${
lib.concatStringsSep "," c2c-wg lib.concatStringsSep "," clientToClientWireguard
}} accept }} accept
# nat to wan # nat to wan
oifname ${wan-if} ip saddr {${ oifname ${lan.interface} ip saddr {${
lib.concatStringsSep "," towan-wg lib.concatStringsSep "," wireguardToWAN
}} accept }} accept
oifname ${wan-if} ip saddr ${docker-net} accept oifname ${lan.interface} ip saddr ${docker.net} accept
oifname ${wan-if} ip saddr ${tailscale-net} accept oifname ${lan.interface} ip saddr ${tailscale.net} accept
jump filter_drop jump filter_drop
} }
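Review bot: The PREROUTING anti-spoof rules only keep `wireguard.net` and `127.0.0.0/8` off `lan.interface`, so a packet arriving on enp5s0 with a source inside `tailscale.net` or `docker.net` passes the blanket `iifname ${lan.interface} accept` and is then admitted by `ip saddr ${tailscale.net} accept comment "tailscale > local"` in the input chain. With the tailscale range now a plain RFC1918 `/24` instead of the CGNAT block, such a spoof from the LAN side is a realistic blind attack, so add `iifname ${lan.interface} ip saddr ${tailscale.net} drop` and `iifname ${lan.interface} ip saddr ${docker.net} drop` ahead of the accept. The new `iifname ${tailscale.interface} ip saddr 100.100.100.100/32 accept` line has no comment; presumably it is the tailscale MagicDNS resolver address, so `comment "tailscale MagicDNS"` would record why a non-tailnet source is allowed there.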


@ -2,7 +2,9 @@
let let
domain = "git.giugl.io"; domain = "git.giugl.io";
network = import ./network.nix;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
architect.firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ]; architect.firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ];
@ -33,9 +35,8 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
} }


@ -0,0 +1,63 @@
{ config, pkgs, lib, ... }:
let
domain = "vipienne.giugl.io";
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in
{
architect.firewall = {
openTCP = [ config.services.headscale.port ];
};
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
environment.systemPackages = [ pkgs.unstablePkgs.headscale ];
services = {
headscale = {
enable = true;
package = pkgs.unstablePkgs.headscale;
port = 1194;
address = "0.0.0.0";
serverUrl = "https://${domain}";
logLevel = "debug";
settings = {
dns_config = {
magic_dns = true;
domains = [
"giugl.io"
"runas.rocks"
"devs.giugl.io"
];
base_domain = "giugl.io";
override_local_dns = true;
nameservers = [ config.architect.networks.tailscale.devices.architect.address ];
};
logtail.enabled = false;
ip_prefixes = [ config.architect.networks.tailscale.net ];
# The Noise private key is used to encrypt the
# traffic between headscale and Tailscale clients when
# using the new Noise-based protocol. It must be different
# from the legacy private key.
noise.private_key_path = "/var/lib/headscale/noise_private.key";
};
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass =
"http://127.0.0.1:${toString config.services.headscale.port}";
proxyWebsockets = true;
};
};
};
}
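Review bot: headscale is bound to `address = "0.0.0.0"` and its port is opened in `architect.firewall.openTCP`, so what appears to be a plain-HTTP control endpoint is reachable directly on the uplink interface even though nginx already terminates TLS for it at `vipienne.giugl.io`. Unless clients are meant to bypass the proxy, set `address = "127.0.0.1";` and drop the `architect.firewall` block so the only path is through nginx. `logLevel = "debug"` is also more than a production control server should log by default; consider `"info"` once setup is done.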


@ -1,9 +1,11 @@
{ pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
network = import ./network.nix;
domain = "media.giugl.io"; domain = "media.giugl.io";
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; port = 8096;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
# needed since StateDirectory does not accept symlinks # needed since StateDirectory does not accept symlinks
@ -19,44 +21,40 @@ in
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices; } + extraConfig = ''
'' # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; # Disable buffering when the nginx proxy gets very resource heavy upon streaming
# Disable buffering when the nginx proxy gets very resource heavy upon streaming proxy_buffering off;
proxy_buffering off;
''; allow ${config.architect.networks.lan.net};
allow ${config.architect.networks.tailscale.net};
deny all;
'';
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:8096"; proxyPass = "http://127.0.0.1:${toString port}";
# extraConfig = ''
# allow 10.0.0.0/24;
# allow 10.3.0.0/24;
# deny all;
# '';
}; };
locations."/socket" = { locations."/socket" = {
proxyPass = "http://127.0.0.1:8096"; proxyPass = "http://127.0.0.1:${toString port}";
proxyWebsockets = true; proxyWebsockets = true;
# extraConfig = ''
# allow 10.0.0.0/24;
# allow 10.3.0.0/24;
# deny all;
# '';
}; };
}; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
users.groups.media.members = [ "jellyfin" ]; users.groups = {
users.groups.video.members = [ "jellyfin" ]; media.members = [ "jellyfin" ];
users.groups.render.members = [ "jellyfin" ]; video.members = [ "jellyfin" ];
render.members = [ "jellyfin" ];
};
fileSystems."/tmp/jellyfin" = { fileSystems."/tmp/jellyfin" = {
device = "none"; device = "none";
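Review bot: The OIDC gate (`auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices; }`) is replaced by a server-level `allow`/`deny` list, which widens access from a named set of devices to every host on two subnets and leaves Jellyfin's own login as the only authentication. The list also omits the wireguard network while `networking.extraHosts` still publishes `${domain}` on the wireguard address, so wireguard clients resolve the name and get a 403; add `allow ${config.architect.networks.wireguard.net};` if that is not intended. If the per-device restriction mattered, enumerate the device addresses from `config.architect.networks.*.devices` instead of the whole `/24`.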


@ -1,8 +1,10 @@
{ pkgs, config, ... }: { pkgs, lib, config, ... }:
let let
network = import ./network.nix;
domain = "auth.giugl.io"; domain = "auth.giugl.io";
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -73,8 +75,8 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
} }


@ -1,8 +1,10 @@
{ lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
domain = "reddit.giugl.io"; domain = "reddit.giugl.io";
network = import ./network.nix;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -14,13 +16,13 @@ in
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { proxyPass = "http://127.0.0.1:9090"; }; locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.libreddit.port}"; };
}; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
} }


@ -1,9 +1,11 @@
{ lib, ... }: { config, lib, ... }:
let let
domain = "htlid.giugl.io"; domain = "htlid.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -25,10 +27,10 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
users.groups.media.members = [ "lidarr" ]; users.groups.media.members = [ "lidarr" ];
} }


@ -1,9 +1,11 @@
{ pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
domain = "runas.rocks"; domain = "runas.rocks";
network = import ./network.nix;
db_name = "matrix-synapse-runas.rocks"; db_name = "matrix-synapse-runas.rocks";
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -111,9 +113,8 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
} }


@ -1,8 +1,10 @@
{ config, pkgs, ... }: { lib, config, pkgs, ... }:
let let
domain = "minecraft.giugl.io"; domain = "minecraft.giugl.io";
network = import ./network.nix;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
architect.firewall.openTCP = [ 25565 ]; architect.firewall.openTCP = [ 25565 ];
@ -14,10 +16,10 @@ in
package = pkgs.unstablePkgs.minecraft-server; package = pkgs.unstablePkgs.minecraft-server;
serverProperties = { motd = "Welcome on the RuNas server!"; }; serverProperties = { motd = "Welcome on the RuNas server!"; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
} }


@ -1,8 +1,10 @@
{ lib, ... }: { config, lib, ... }:
let let
domain = "s3.giugl.io"; domain = "s3.giugl.io";
network = import ./network.nix;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -15,18 +17,17 @@ in
proxyPass = "http://127.0.0.1:9000"; proxyPass = "http://127.0.0.1:9000";
extraConfig = '' extraConfig = ''
client_max_body_size 500M; client_max_body_size 500M;
allow 10.0.0.0/24; allow ${config.architect.networks.lan.net};
${lib.concatMapStrings (x: "allow ${x};") network.gdevices } allow ${config.architect.networks.tailscale.net};
allow ${network.manduria-wg};
deny all; deny all;
''; '';
}; };
}; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
} }
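Review bot: The S3 allow list moves from LAN plus a named set of VPN peers (`network.gdevices` and `network.manduria-wg`) to the entire `tailscale.net`, and drops wireguard while `extraHosts` still maps `${domain}` to the wireguard address, so wireguard clients are blackholed with a 403. If the per-peer restriction was deliberate, keep it by listing `config.architect.networks.tailscale.devices.<name>.address` entries rather than the `/24`; otherwise add `allow ${config.architect.networks.wireguard.net};` so the hosts entry and the ACL agree.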


@ -11,7 +11,8 @@ rec {
vpn-net = "10.3.0.0/24"; vpn-net = "10.3.0.0/24";
external_lan-net = "192.168.1.0/24"; external_lan-net = "192.168.1.0/24";
docker-net = "172.17.0.0/16"; docker-net = "172.17.0.0/16";
tailscale-net = "100.64.0.0/10"; # tailscale-net = "100.64.0.0/10";
tailscale-net = "10.4.0.0/24";
# ips # ips
router-lan = "10.0.0.1"; router-lan = "10.0.0.1";
@ -51,7 +52,8 @@ rec {
framecca_four-wg = "10.3.0.39"; framecca_four-wg = "10.3.0.39";
giuliophone-ts = "100.68.68.46"; giuliophone-ts = "100.68.68.46";
architect-ts = "100.67.205.28"; # architect-ts = "100.67.205.28";
architect-ts = "10.4.0.2";
giuliopc-ts = "100.124.78.64"; giuliopc-ts = "100.124.78.64";
dodino-ts = "100.106.244.35"; dodino-ts = "100.106.244.35";
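Review bot: `tailscale-net` becomes `10.4.0.0/24` but the remaining `-ts` addresses (`giuliophone-ts = "100.68.68.46"`, `giuliopc-ts`, `dodino-ts`) stay in the `100.64.0.0/10` range, so they now lie outside the declared network and any rule that binds the net to the interface will not match them. Either move them to the headscale prefix or delete them, and drop the commented-out old values so this file does not carry two versions of the truth. With `architect.networks` now holding the same data in configuration.nix, consider retiring this file entirely rather than keeping a second source of addresses.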


@ -1,12 +1,19 @@
{ pkgs, ... }: { pkgs, config, lib, ... }:
let let
domain = "cloud.giugl.io"; domain = "cloud.giugl.io";
network = import ./network.nix;
redis_port = 6379; redis_port = 6379;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
};
mysql = { mysql = {
enable = true; enable = true;
package = pkgs.unstablePkgs.mysql80; package = pkgs.unstablePkgs.mysql80;
@ -53,13 +60,9 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
services.nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
};
} }


@ -90,5 +90,6 @@
worker_processes 24; worker_processes 24;
''; '';
}; };
users.groups.acme.members = [ "nginx" ]; users.groups.acme.members = [ "nginx" ];
} }
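Review bot: Adding `nginx` to the `acme` group gives the nginx user read access to every certificate and key the ACME module manages, not only the ones its virtual hosts use. As far as I recall, `enableACME` on a virtualHost already sets that cert's group to the nginx group, so this line is only needed for a cert obtained outside `enableACME`; if that is the case, set `security.acme.certs.<name>.group = "nginx"` on that one cert instead and leave the blanket group membership out.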


@ -1,9 +1,11 @@
{ lib, ... }: { config, lib, ... }:
let let
domain = "htnzb.giugl.io"; domain = "htnzb.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -25,9 +27,9 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
users.groups.media.members = [ "nzbget" ]; users.groups.media.members = [ "nzbget" ];


@ -3,23 +3,60 @@
with lib; with lib;
{ {
options.architect.firewall = { options.architect = {
openTCP = mkOption { firewall = {
type = types.listOf types.int; openTCP = mkOption {
default = [ ]; type = types.listOf types.int;
default = [ ];
};
openUDP = mkOption {
type = types.listOf types.int;
default = [ ];
};
openTCPVPN = mkOption {
type = types.listOf types.int;
default = [ ];
};
openUDPVPN = mkOption {
type = types.listOf types.int;
default = [ ];
};
}; };
openUDP = mkOption {
type = types.listOf types.int; networks = mkOption {
default = [ ]; type = types.attrsOf (types.submodule {
}; options = {
openTCPVPN = mkOption { interface = mkOption {
type = types.listOf types.int; type = types.str;
default = [ ]; description = "The network interface name.";
}; };
openUDPVPN = mkOption {
type = types.listOf types.int; net = mkOption {
default = [ ]; type = types.str;
description = "The network address in CIDR format.";
};
devices = mkOption {
type = types.attrsOf (types.submodule {
options = {
address = mkOption {
type = types.str;
description = "The IP address of the device.";
};
hostname = mkOption {
type = types.str;
description = "The hostname of the device.";
};
};
});
default = { };
description = "An attribute set of devices with their configurations.";
};
};
});
default = { };
description = "An attribute set of networks with their configurations.";
}; };
}; };
} }
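Review bot: `net`, `address` and `interface` are plain `types.str`, yet their values are interpolated verbatim into the nftables ruleset and into nginx `allow` directives, so a typo or empty string is only caught when nftables refuses the ruleset, and for nginx a malformed `allow` surfaces as a reload failure. Tighten the types so evaluation rejects bad input: `net = mkOption { type = types.strMatching "[0-9.]+/[0-9]+"; … }`, `address = mkOption { type = types.strMatching "[0-9.]+"; … }` (IPv4-only, which matches every address in this repo today), and `types.listOf types.port` for the four firewall lists so out-of-range ports are rejected as well.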


@ -1,9 +1,11 @@
{ pkgs, lib, ... }: { pkgs, config, lib, ... }:
let let
domain = "plex.giugl.io"; domain = "plex.giugl.io";
network = import ./network.nix;
port = 32400; port = 32400;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
architect.firewall = { architect.firewall = {
@ -86,11 +88,11 @@ in
locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; }; locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; };
}; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
users.groups.media.members = [ "plex" ]; users.groups.media.members = [ "plex" ];


@ -4,7 +4,9 @@ let
domain = "xmpp.giugl.io"; domain = "xmpp.giugl.io";
conference_domain = "conference.${domain}"; conference_domain = "conference.${domain}";
upload_domain = "uploads.${domain}"; upload_domain = "uploads.${domain}";
network = import ./network.nix;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
architect.firewall = { architect.firewall = {
@ -42,9 +44,9 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
users.groups = { users.groups = {


@ -1,8 +1,10 @@
{ lib, ... }: { config, lib, ... }:
let let
domain = "htpro.giugl.io"; domain = "htpro.giugl.io";
network = import ./network.nix;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -14,8 +16,8 @@ in
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:9696"; proxyPass = "http://127.0.0.1:9696";
extraConfig = '' extraConfig = ''
allow 10.0.0.0/24; allow ${config.architect.networks.lan.net};
${lib.concatMapStrings (x: "allow ${x};") network.gdevices} allow ${config.architect.networks.tailscale.net};
deny all; deny all;
''; '';
}; };
@ -29,11 +31,11 @@ in
# }; # };
}; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
users.groups.media.members = [ "prowlarr" ]; users.groups.media.members = [ "prowlarr" ];
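Review bot: The nginx access list at the two `allow` lines is widened from an explicit per-device list (`network.gdevices`) to whole subnets, and `architect.networks.tailscale.net` is `100.64.0.0/10` (the entire CGNAT range), so every current and future node of the tailnet reaches Prowlarr, which unlike the radarr/sonarr hosts in this change has no OIDC `auth_block`. A source-address allow is only as strong as the firewall's binding of that range to `ts0`; if the host does not drop 100.64.0.0/10 arriving on other interfaces (reverse-path filtering helps, but that is not visible here), a spoofed source on the LAN side also matches. Separately, the WireGuard address is published for this domain in `extraHosts` but `wireguard.net` is not allowed, so WireGuard clients resolve the name and then hit `deny all`; either add `allow ${config.architect.networks.wireguard.net};` or drop the WireGuard host entry so the two stay consistent. The `services.nginx.virtualHosts` block containing this location starts before the hunk.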


@ -1,9 +1,11 @@
{ lib, ... }: { config, lib, ... }:
let let
domain = "htrad.giugl.io"; domain = "htrad.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -24,10 +26,11 @@ in
}; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
users.groups.media.members = [ "radarr" ]; users.groups.media.members = [ "radarr" ];


@ -1,14 +1,17 @@
{ services, pkgs, lib, makeBinPath, ... }: { config, pkgs, lib, ... }:
let let
domain = "runas.rocks"; domain = "runas.rocks";
runas_root = "/var/lib/runas.rocks/dist"; runas_root = "/var/lib/runas.rocks/dist";
service_name = "runas.rocks-pull"; service_name = "runas.rocks-pull";
network = import ./network.nix;
mkStartScript = name: pkgs.writeShellScript "${name}.sh" '' mkStartScript = name: pkgs.writeShellScript "${name}.sh" ''
set -euo pipefail set -euo pipefail
cd ${runas_root} cd ${runas_root}
git pull origin main --rebase git pull origin main --rebase
''; '';
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services.nginx.virtualHosts.${domain} = { services.nginx.virtualHosts.${domain} = {
@ -39,8 +42,8 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
} }


@ -1,9 +1,11 @@
{ lib, ... }: { config, lib, ... }:
let let
domain = "htson.giugl.io"; domain = "htson.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
services = { services = {
@ -25,9 +27,9 @@ in
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "wireguard"} ${domain}
${network.architect-ts} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
users.groups.media.members = [ "sonarr" ]; users.groups.media.members = [ "sonarr" ];


@ -1,24 +1,38 @@
{ config, lib, ... }: { config, lib, ... }:
let let
network = import ./network.nix; domain = "devs.giugl.io";
ifname = "ts0"; utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) generateDeviceStrings;
in in
{ {
architect.firewall.openUDP = [ config.services.tailscale.port ]; architect = {
firewall.openUDP = [ config.services.tailscale.port ];
networks.tailscale = {
interface = "ts0";
net = "100.64.0.0/10";
devices = {
architect = { address = "100.64.0.1"; hostname = "architect.${domain}"; };
kmerr = { address = "100.64.0.2"; hostname = "kmerr.${domain}"; };
chuck = { address = "100.64.0.4"; hostname = "chuck.${domain}"; };
dodino = { address = "100.64.0.5"; hostname = "dodino.${domain}"; };
manduria = { address = "100.64.0.6"; hostname = "manduria.${domain}"; };
tommy = { address = "100.64.0.7"; hostname = "tommy.${domain}"; };
ucsb-workstation = { address = "100.64.0.8"; hostname = "ucsb-workstation.${domain}"; };
alfredo = { address = "100.64.0.9"; hostname = "alfredo.${domain}"; };
};
};
};
services = { services = {
tailscale = { tailscale = {
enable = true; enable = true;
interfaceName = ifname; interfaceName = config.architect.networks.tailscale.interface;
}; };
}; };
networking.extraHosts = '' networking.extraHosts = generateDeviceStrings config.architect.networks.tailscale.devices;
${network.architect-ts} architect.devs.giugl.io
${network.giuliopc-ts} kmerr.devs.giugl.io
${network.dodino-ts} dodino.devs.giugl.io
${network.giuliophone-ts} chuck.devs.giugl.io
'';
} }
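Review bot: The addresses pinned under `architect.networks.tailscale.devices` are written verbatim into `/etc/hosts` by `generateDeviceStrings`, but Tailscale node addresses are allocated by the coordination server (headscale, going by the `headscale: init` commit in this range), not by this module, so nothing here keeps the two in sync. A stale entry makes `kmerr.devs.giugl.io` resolve to whichever node currently holds 100.64.0.2, and because `/etc/hosts` takes precedence over MagicDNS the mismatch is silent. A comment on the attribute set would help the next maintainer: `# Addresses are assigned by headscale; keep in sync with its node list (these hosts entries override MagicDNS).` Also, `net = "100.64.0.0/10"` is the whole CGNAT range; if headscale is configured with a narrower `ip_prefixes`, use that value here, since `net` feeds nginx `allow` rules elsewhere in this change.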


@ -0,0 +1,13 @@
{ config, lib, ... }:
{
# device.address device.hostname
generateDeviceStrings = devices: lib.concatStringsSep "\n"
(lib.mapAttrsToList (name: device: "${device.address} ${device.hostname}") devices);
getDeviceAddress = interface: device:
config.architect.networks.${interface}.devices.${device}.address;
architectInterfaceAddress = interface:
config.architect.networks.${interface}.devices.architect.address;
}
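Review bot: `getDeviceAddress` and `architectInterfaceAddress` index `config.architect.networks.${interface}.devices.${device}` with no check, so a typo in an interface or device name (this range also removes `manduria` and `tommy` from the WireGuard device list, so stale references are plausible) fails with a generic `attribute 'x' missing` error pointing into utilities.nix rather than naming the offending peer. Wrapping the lookups with `or (throw ...)` produces a message that names the interface and device, and the file currently has no documentation beyond the one-line comment on `generateDeviceStrings`. The rewrite below adds those checks and doc comments; behaviour for valid names is unchanged.

```nix
{ config, lib, ... }:
let
  networks = config.architect.networks;

  # Resolve a network by interface name, failing with a readable message
  # instead of an opaque "attribute missing" error.
  getNetwork = interface:
    networks.${interface} or (throw "architect.networks.${interface} is not defined");
in
{
  # Render one "<address> <hostname>" line per device, suitable for
  # networking.extraHosts. Keys of the attrset are ignored.
  generateDeviceStrings = devices: lib.concatStringsSep "\n"
    (lib.mapAttrsToList (_: device: "${device.address} ${device.hostname}") devices);

  # Address of `device` on the network named `interface`; throws naming both
  # when the device is not declared there.
  getDeviceAddress = interface: device:
    (getNetwork interface).devices.${device}.address
      or (throw "device '${device}' is not defined in architect.networks.${interface}");

  # Address of this host ("architect") on the network named `interface`.
  architectInterfaceAddress = interface:
    (getNetwork interface).devices.architect.address
      or (throw "device 'architect' is not defined in architect.networks.${interface}");
}
```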


@ -1,208 +1,214 @@
{ config, lib, ... }: { config, lib, ... }:
with import ./network.nix;
let let
listenPort = 1194; listenPort = 1194;
domain = "devs.giugl.io";
interface = "wireguard";
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) generateDeviceStrings getDeviceAddress;
getWireguardDeviceAddress = getDeviceAddress "wireguard";
in in
{ {
architect.firewall = { architect = {
openUDP = lib.singleton listenPort; firewall = {
openUDPVPN = lib.singleton listenPort; openUDP = lib.singleton listenPort;
openUDPVPN = lib.singleton listenPort;
};
networks.${interface} = {
interface = "wg0";
net = "10.3.0.0/24";
devices = {
architect = { address = "10.3.0.1"; hostname = "architect.${domain}"; };
antonio = { address = "10.3.0.6"; hostname = "antonio.${domain}"; };
gbeast = { address = "10.3.0.7"; hostname = "gbeast.${domain}"; };
shield = { address = "10.3.0.12"; hostname = "shield.${domain}"; };
salvatore = { address = "10.3.0.16"; hostname = "salvatore.${domain}"; };
papa = { address = "10.3.0.17"; hostname = "papa.${domain}"; };
defy = { address = "10.3.0.18"; hostname = "defy.${domain}"; };
germano = { address = "10.3.0.19"; hostname = "germano.${domain}"; };
flavio = { address = "10.3.0.20"; hostname = "flavio.${domain}"; };
alain = { address = "10.3.0.22"; hostname = "alain.${domain}"; };
dima = { address = "10.3.0.23"; hostname = "dima.${domain}"; };
mikey = { address = "10.3.0.24"; hostname = "mikey.${domain}"; };
andrew = { address = "10.3.0.25"; hostname = "andrew.${domain}"; };
mikeylaptop = { address = "10.3.0.26"; hostname = "mikeylaptop.${domain}"; };
andrewdesktop = { address = "10.3.0.27"; hostname = "andrewdesktop.${domain}"; };
jacopo = { address = "10.3.0.28"; hostname = "jacopo.${domain}"; };
frznn = { address = "10.3.0.29"; hostname = "frznn.${domain}"; };
ludo = { address = "10.3.0.30"; hostname = "ludo.${domain}"; };
parina = { address = "10.3.0.31"; hostname = "parina.${domain}"; };
nilo = { address = "10.3.0.32"; hostname = "nilo.${domain}"; };
parina-ipad = { address = "10.3.0.33"; hostname = "parina-ipad.${domain}"; };
kclvm = { address = "10.3.0.34"; hostname = "kclvm.${domain}"; };
framecca = { address = "10.3.0.35"; hostname = "framecca.${domain}"; };
framecca_one = { address = "10.3.0.36"; hostname = "framecca_one.${domain}"; };
framecca_two = { address = "10.3.0.37"; hostname = "framecca_two.${domain}"; };
framecca_three = { address = "10.3.0.38"; hostname = "framecca_three.${domain}"; };
framecca_four = { address = "10.3.0.39"; hostname = "framecca_four.${domain}"; };
};
};
}; };
networking = { networking = {
extraHosts = '' extraHosts = generateDeviceStrings config.architect.networks.wireguard.devices;
${architect-wg} architect.devs.giugl.io
${manduria-wg} manduria.devs.giugl.io
${antonio-wg} antonio.devs.giugl.io
${gbeast-wg} gbeast.devs.giugl.io
${shield-wg} shield.devs.giugl.io
${salvatore-wg} salvatore.devs.giugl.io
${papa-wg} papa.devs.giugl.io
${defy-wg} defy.devs.giugl.io
${germano-wg} germano.devs.giugl.io
${tommy-wg} tommy.devs.giugl.io
${alain-wg} alain.devs.giugl.io
${dima-wg} dima.devs.giugl.io
${mikey-wg} mikey.devs.giugl.io
${andrew-wg} andrew.devs.giugl.io
${mikeylaptop-wg} mikeylaptop.devs.giugl.io
${frznn-wg} frznn.devs.giugl.io
${ludo-wg} ludo.devs.giugl.io
${parina-wg} parina.devs.giugl.io
${parina-ipad-wg} parinaipad.devs.giugl.io
${nilo-wg} nilo.devs.giugl.io
${kclvm-wg} kclvm.devs.giugl.io
${framecca-wg} framecca.devs.giugl.io
'';
wireguard = { wireguard = {
interfaces.${vpn-if} = { interfaces.${config.architect.networks.wireguard.interface} = {
inherit listenPort; inherit listenPort;
ips = [ "10.3.0.1/24" ]; ips = [ "${config.architect.networks.wireguard.devices.architect.address}/24" ];
privateKeyFile = "/secrets/wireguard/server.key"; privateKeyFile = "/secrets/wireguard/server.key";
peers = [ peers = [
{
# Manduria
allowedIPs = [ manduria-wg ];
publicKey = "wT38oXvDQ8g0hI+pAXQobOWf/Wott2zhwo8TLvXK400=";
}
{ {
# Antonio # Antonio
allowedIPs = [ antonio-wg ]; allowedIPs = [ (getWireguardDeviceAddress "antonio") ];
publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc="; publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc=";
} }
{ {
# GBEAST # GBEAST
allowedIPs = [ gbeast-wg ]; allowedIPs = [ (getWireguardDeviceAddress "gbeast") ];
publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI="; publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI=";
} }
{ {
# shield # shield
allowedIPs = [ shield-wg ]; allowedIPs = [ (getWireguardDeviceAddress "shield") ];
publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs="; publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs=";
} }
{ {
# salvatore # salvatore
allowedIPs = [ salvatore-wg ]; allowedIPs = [ (getWireguardDeviceAddress "salvatore") ];
publicKey = "fhlnBHeMyHZKLUCTSA9kmkKoM5x/qzz/rnCJrUh3Gzs="; publicKey = "fhlnBHeMyHZKLUCTSA9kmkKoM5x/qzz/rnCJrUh3Gzs=";
} }
{ {
# papa # papa
allowedIPs = [ papa-wg ]; allowedIPs = [ (getWireguardDeviceAddress "papa") ];
publicKey = "oGHygt02Oni3IFbScKD0NVEfHKCp6bpw68aq5g4RrAA="; publicKey = "oGHygt02Oni3IFbScKD0NVEfHKCp6bpw68aq5g4RrAA=";
} }
{ {
# defy # defy
allowedIPs = [ defy-wg ]; allowedIPs = [ (getWireguardDeviceAddress "defy") ];
publicKey = "Cvi/eto7E6Ef+aiL81ou7x12fJCeuXrf/go9fxEqXG4="; publicKey = "Cvi/eto7E6Ef+aiL81ou7x12fJCeuXrf/go9fxEqXG4=";
} }
{ {
# germano # germano
allowedIPs = [ germano-wg ]; allowedIPs = [ (getWireguardDeviceAddress "germano") ];
publicKey = "LJ0DHY1sFVLQb3ngUGGH0HxbDOPb9KCUPSaYcjr5Uiw="; publicKey = "LJ0DHY1sFVLQb3ngUGGH0HxbDOPb9KCUPSaYcjr5Uiw=";
} }
{ {
# flavio # flavio
allowedIPs = [ flavio-wg ]; allowedIPs = [ (getWireguardDeviceAddress "flavio") ];
publicKey = "Yg0P+yHi/9SZHyoel8jT9fmmu+irLYmT8yMp/CZoaSg="; publicKey = "Yg0P+yHi/9SZHyoel8jT9fmmu+irLYmT8yMp/CZoaSg=";
} }
{
# tommy
allowedIPs = [ tommy-wg ];
publicKey = "tytknU7wql1d0A2provX3RP7CNcEIajfgBJKoSyVLgo=";
}
{ {
# alain # alain
allowedIPs = [ alain-wg ]; allowedIPs = [ (getWireguardDeviceAddress "alain") ];
publicKey = "/o2msFJoUL4yovcIQJTU8c1faFtekrjSBBWJABouWno="; publicKey = "/o2msFJoUL4yovcIQJTU8c1faFtekrjSBBWJABouWno=";
} }
{ {
# dima # dima
allowedIPs = [ dima-wg ]; allowedIPs = [ (getWireguardDeviceAddress "dima") ];
publicKey = "svzWYIZ6v+cLCp/emGG7mx2YpBJqw2fqjVuHZy7b6H0="; publicKey = "svzWYIZ6v+cLCp/emGG7mx2YpBJqw2fqjVuHZy7b6H0=";
} }
{ {
# mikey # mikey
allowedIPs = [ mikey-wg ]; allowedIPs = [ (getWireguardDeviceAddress "mikey") ];
publicKey = "ewbDdX3z7nxG2aPIf9TogXkhxPlGipLFcy6XfyDC6gI="; publicKey = "ewbDdX3z7nxG2aPIf9TogXkhxPlGipLFcy6XfyDC6gI=";
} }
{ {
# andrew # andrew
allowedIPs = [ andrew-wg ]; allowedIPs = [ (getWireguardDeviceAddress "andrew") ];
publicKey = "LP/FgST9fmBQSoKQFq9sFGvjRFOtRooMcuEcjuqaoWM="; publicKey = "LP/FgST9fmBQSoKQFq9sFGvjRFOtRooMcuEcjuqaoWM=";
} }
{ {
# mikey laptop # mikey laptop
allowedIPs = [ mikeylaptop-wg ]; allowedIPs = [ (getWireguardDeviceAddress "mikeylaptop") ];
publicKey = "kz/pY/PgV+dwF1JZ2It4r5B5QfRSQM7HkbFCdvd5Yxk="; publicKey = "kz/pY/PgV+dwF1JZ2It4r5B5QfRSQM7HkbFCdvd5Yxk=";
} }
{ {
# andrew desktop # andrew desktop
allowedIPs = [ andrewdesktop-wg ]; allowedIPs = [ (getWireguardDeviceAddress "andrewdesktop") ];
publicKey = "rpYr3JNLIzxpxzFuQuaHFEl/XvPEPfwLbDETBP8KYXI="; publicKey = "rpYr3JNLIzxpxzFuQuaHFEl/XvPEPfwLbDETBP8KYXI=";
} }
{ {
# laptop desktop # laptop desktop
allowedIPs = [ jacopo-wg ]; allowedIPs = [ (getWireguardDeviceAddress "jacopo") ];
publicKey = "W/taWI79bPIKOolVVu5xZfiJnPw9K91Xn1zhcM0+4g0="; publicKey = "W/taWI79bPIKOolVVu5xZfiJnPw9K91Xn1zhcM0+4g0=";
} }
{ {
# frznn # frznn
allowedIPs = [ frznn-wg ]; allowedIPs = [ (getWireguardDeviceAddress "frznn") ];
publicKey = "dXcrdME6VnnE5PBYwvUmayf7cn2wpcExeCR9gIXOO0o="; publicKey = "dXcrdME6VnnE5PBYwvUmayf7cn2wpcExeCR9gIXOO0o=";
} }
{ {
# ludo # ludo
allowedIPs = [ ludo-wg ]; allowedIPs = [ (getWireguardDeviceAddress "ludo") ];
publicKey = "ecrxdzx7tQZwMPxZOjHUvxZT2xY79B6XEDIW+fhEtEM="; publicKey = "ecrxdzx7tQZwMPxZOjHUvxZT2xY79B6XEDIW+fhEtEM=";
} }
{ {
# parina # parina
allowedIPs = [ parina-wg ]; allowedIPs = [ (getWireguardDeviceAddress "parina") ];
publicKey = "7nubNnfGsg4/7KemMDn9r99mNK8RFU9uOFFqaYv6rUA="; publicKey = "7nubNnfGsg4/7KemMDn9r99mNK8RFU9uOFFqaYv6rUA=";
} }
{ {
# nilo # nilo
allowedIPs = [ nilo-wg ]; allowedIPs = [ (getWireguardDeviceAddress "nilo") ];
publicKey = "lhTEDJ9WnizvEHTd5kN21fTHF27HNk+fPLQnB1B3LW0="; publicKey = "lhTEDJ9WnizvEHTd5kN21fTHF27HNk+fPLQnB1B3LW0=";
} }
{ {
# parina ipad # parina ipad
allowedIPs = [ parina-ipad-wg ]; allowedIPs = [ (getWireguardDeviceAddress "parina-ipad") ];
publicKey = "ezkCzl2qC7Hd7rFKfqMa0JXDKRhVqy79H52rA06x7mU="; publicKey = "ezkCzl2qC7Hd7rFKfqMa0JXDKRhVqy79H52rA06x7mU=";
} }
{ {
# kcl vm # kcl vm
allowedIPs = [ kclvm-wg ]; allowedIPs = [ (getWireguardDeviceAddress "kclvm") ];
publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE="; publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE=";
} }
{ {
allowedIPs = [ framecca-wg ]; allowedIPs = [ (getWireguardDeviceAddress "framecca") ];
publicKey = "w0XPu5GcDA2vpNk3KCFRdWNVVQHRtAPApEsK1h3Ovyk="; publicKey = "w0XPu5GcDA2vpNk3KCFRdWNVVQHRtAPApEsK1h3Ovyk=";
} }
{ {
allowedIPs = [ framecca_one-wg ]; allowedIPs = [ (getWireguardDeviceAddress "framecca_one") ];
publicKey = "5PnmExv78fU3SS8liUWY/oBCcJ48wzmz/70O0U7K/xs="; publicKey = "5PnmExv78fU3SS8liUWY/oBCcJ48wzmz/70O0U7K/xs=";
} }
{ {
allowedIPs = [ framecca_two-wg ]; allowedIPs = [ (getWireguardDeviceAddress "framecca_two") ];
publicKey = "FbWfh2rL3OYLTDIte+MgctqL/bphn38eqpNy/chc3wM="; publicKey = "FbWfh2rL3OYLTDIte+MgctqL/bphn38eqpNy/chc3wM=";
} }
{ {
allowedIPs = [ framecca_three-wg ]; allowedIPs = [ (getWireguardDeviceAddress "framecca_three") ];
publicKey = "Z3LRFs6CO0kUh4J3pf+HcPsWch3hUAwJBG8/b0Kqnxs="; publicKey = "Z3LRFs6CO0kUh4J3pf+HcPsWch3hUAwJBG8/b0Kqnxs=";
} }
{ {
allowedIPs = [ framecca_four-wg ]; allowedIPs = [ (getWireguardDeviceAddress "framecca_four") ];
publicKey = "g/Ta12igzxSlCxy7KP865qf+l3+r1LjOo6UXjulmPBc="; publicKey = "g/Ta12igzxSlCxy7KP865qf+l3+r1LjOo6UXjulmPBc=";
} }
]; ];