Giulio De Pasquale
a546edc30d Lock update 2022-11-29 14:53:35 +01:00
Giulio De Pasquale
30fd214734 nginx, openid: Allow IP whitelist to bypass OpenID auth 2022-11-29 14:53:17 +01:00
Giulio De Pasquale
ae4c55fdee gitea: Enable OpenID signin 2022-11-29 13:24:48 +01:00
Giulio De Pasquale
74fd09cb16 openid: Extend access token validity to one day 2022-11-29 13:03:26 +01:00
Giulio De Pasquale
b244bfad7d openid: Revoke tokens on logout 2022-11-29 12:56:40 +01:00
Giulio De Pasquale
7ffddeca09 nginx: Add default runas.rocks virtualhost 2022-11-27 11:24:35 +01:00
Giulio De Pasquale
b93d3a33b0 Rename giulio devices, add Steam deck to Wireguard 2022-11-27 11:24:12 +01:00
Giulio De Pasquale
6568784680 matrix: Add OpenID connection and transfer to runas.rocks 2022-11-27 11:23:09 +01:00
Giulio De Pasquale
2ed81fcfe3 flake: Formatting 2022-11-22 13:05:53 +01:00
Giulio De Pasquale
ea53e09c1a flake: Use correct wrapper function for unstable packages 2022-11-22 13:02:39 +01:00
Giulio De Pasquale
7e61526538 calibre: Add OpenID auth 2022-11-22 12:59:27 +01:00
Giulio De Pasquale
75b51d24e9 firewall: Allow connections to Minecraft from WAN 2022-11-20 14:56:32 +01:00
Giulio De Pasquale
3c4caaaea5 jellyfin: Go through SSO auth 2022-11-20 14:55:59 +01:00
Giulio De Pasquale
9efea759e4 navidrome: Move beets-import script execution from daily to weekly 2022-11-15 01:12:54 +01:00
Giulio De Pasquale
1122be76bb nginx: Fix indentation 2022-11-15 01:11:39 +01:00
12 changed files with 206 additions and 153 deletions

flake.lock generated

@ -38,11 +38,11 @@
]
},
"locked": {
"lastModified": 1665475263,
"narHash": "sha256-T4at7d+KsQNWh5rfjvOtQCaIMWjSDlSgQZKvxb+LcEY=",
"lastModified": 1667907331,
"narHash": "sha256-bHkAwkYlBjkupPUFcQjimNS8gxWSWjOTevEuwdnp5m0=",
"owner": "rycee",
"repo": "home-manager",
"rev": "17208be516fc36e2ab0ceb064d931e90eb88b2a3",
"rev": "6639e3a837fc5deb6f99554072789724997bc8e5",
"type": "github"
},
"original": {
@ -54,11 +54,11 @@
},
"nixos-unstable": {
"locked": {
"lastModified": 1665672983,
"narHash": "sha256-V7Va7CRKmQRy95xSdlga5nV7q3/PusZwNAF/leb5PcU=",
"lastModified": 1669721229,
"narHash": "sha256-4Sh+gXzEVHI6E/8c7OgDW60tYKh9ZGPVoL2YXlC2Yk0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "bb2fb1524795f2d720cd13a2eb4d35d3a7a0d888",
"rev": "46eabb1198af88c73036edecdf6950c19be33308",
"type": "github"
},
"original": {
@ -70,11 +70,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1665596265,
"narHash": "sha256-H7Ku1SF+7zDEqw8QOyEDA5blMJQW9MvdfgB+K3KJNLw=",
"lastModified": 1669546925,
"narHash": "sha256-Gvtk9agz88tBgqmCdHl5U7gYttTkiuEd8/Rq1Im0pTg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9234f5a17e1a7820b5e91ecd4ff0de449e293383",
"rev": "fecf05d4861f3985e8dee73f08bc82668ef75125",
"type": "github"
},
"original": {
@ -115,11 +115,11 @@
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1665671907,
"narHash": "sha256-+YXxqH7OROLJ9G4va5BZb4a8aIzulaUZbnH+R1iWoaw=",
"lastModified": 1669558651,
"narHash": "sha256-0oZd2rdg2050yapyjX7zMWsYWptFp55YFHoEFgsVrN0=",
"owner": "m15a",
"repo": "nixpkgs-vim-extra-plugins",
"rev": "6c1624b0942cdecf7f30aa4d411cb3578bc29a38",
"rev": "38107b1aceaccc2ac14a4697bbcea3d70fd016f6",
"type": "github"
},
"original": {


@ -33,7 +33,7 @@
};
pkgsX64 = wrapPkgsSystem { system = x64System; };
unstableX64 = wrapPkgsSystem { system = x64System; };
unstableX64 = wrapUnstablePkgsSystem { system = x64System; };
utilsX64 = import ./lib {
inherit nixpkgs nixos-unstable home-manager;
pkgs = pkgsX64;
@ -42,14 +42,15 @@
};
pkgsDarwin = wrapPkgsSystem { system = darwinSystem; };
unstableDarwin = wrapPkgsSystem { system = darwinSystem; };
unstableDarwin = wrapUnstablePkgsSystem { system = darwinSystem; };
utilsDarwin = import ./lib {
inherit nixpkgs nixos-unstable home-manager;
pkgs = pkgsDarwin;
unstable = unstableDarwin;
system = darwinSystem;
};
in {
in
{
nixosConfigurations = {
architect = utilsX64.host.mkHost {
name = "architect";


@ -3,7 +3,9 @@
let
domain = "books.giugl.io";
network = import ./network.nix;
in {
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in
{
services = {
calibre-web = {
enable = true;
@ -21,7 +23,7 @@ in {
proxyPass = "http://127.0.0.1:8083";
extraConfig = ''
client_max_body_size 500M;
'';
'' + auth_block { access_role = "calibre"; };
};
};
};
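Review bot: The OIDC gate is appended to a single location's `extraConfig` here, whereas jellyfin.nix in the same series puts the identical `auth_block` at the virtualHost level, so any further location added to `books.giugl.io` later would be unauthenticated unless the author remembers to append the block again. Either hoist it to the server level for consistency with jellyfin.nix or document the decision, e.g. `# OIDC gate is per-location: new locations must append auth_block too`. Calibre-web's own login form presumably still sits behind the gate unless it is configured for reverse-proxy header authentication — worth confirming. The `services` attribute set continues outside the hunk.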


@ -29,6 +29,7 @@ let
gitea_tcp
torrent_a
torrent_b
minecraft_tcp
];
open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
wireguard_udp
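Review bot: Adding `minecraft_tcp` to `open_tcp_ports` exposes the game server directly to the WAN (per the commit message), and nothing in the hunk documents that exposure or constrains it. Game servers attract brute-force and protocol-fuzzing traffic, so a one-line comment such as `# minecraft_tcp is WAN-reachable: keep the server patched and in online-mode` would make the risk visible, and a connection-rate limit on that port is worth considering. The `open_tcp_ports` list starts outside the hunk, so whether the neighbouring entries are also WAN-facing cannot be seen here.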


@ -3,7 +3,8 @@
let
domain = "git.giugl.io";
network = import ./network.nix;
in {
in
{
services.gitea = {
enable = true;
database.type = "sqlite3";
@ -11,7 +12,10 @@ in {
appName = "Gitea";
rootUrl = "https://${domain}";
ssh.clonePort = 22;
settings.server.LFS_START_SERVER = true;
settings = {
server.LFS_START_SERVER = true;
openid.enable_openid_signin = true;
};
};
services.nginx.virtualHosts.${domain} = {
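Review bot: `openid.enable_openid_signin = true` turns on Gitea's legacy OpenID 2.0 sign-in form, not OpenID Connect, so it does not by itself connect Gitea to the Keycloak realm the other services in this series use. If Keycloak SSO is the goal, the corresponding Gitea mechanism is an OAuth2 authentication source (added in the admin UI or with `gitea admin auth add-oauth`), and this flag can stay off. If OpenID 2.0 sign-in really is intended, pin it to the trusted provider with `openid.whitelisted_uris` so arbitrary OpenID 2.0 endpoints cannot be used to sign in. The `services.gitea` block continues outside the hunk.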


@ -1,9 +1,11 @@
{ pkgs, ... }:
{ pkgs, lib, ... }:
let
network = import ./network.nix;
domain = "media.giugl.io";
in {
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in
{
disabledModules = [ "services/misc/jellyfin.nix" ];
imports = [ ./modules/jellyfin.nix ];
@ -17,7 +19,8 @@ in {
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
extraConfig = ''
extraConfig = auth_block { access_role = "jellyfin"; } +
''
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
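Review bot: Placing `auth_block { access_role = "jellyfin"; }` in the virtualHost-level `extraConfig` gates every location on `media.giugl.io` behind a browser OIDC redirect, which non-browser Jellyfin clients (mobile, TV and Chromecast apps that authenticate with Jellyfin's own API tokens rather than a cookie session) presumably cannot complete. Either scope the gate to the web UI paths and leave the API endpoints to Jellyfin's own authentication, or rely on the `whitelisted_ips` parameter this series adds to `openresty_oidc_block` for the client addresses that need a bypass, and document the choice, e.g. `# OIDC gate covers all locations; API clients must come from a whitelisted address`. The server block and the existing CSP comment continue outside the hunk.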


@ -1,28 +1,44 @@
{ pkgs, ... }:
{ pkgs, lib, ... }:
let
domain = "matrix.giugl.io";
webui_domain = "chat.giugl.io";
domain = "runas.rocks";
webui_domain = "webchat.runas.rocks";
network = import ./network.nix;
db_name = "matrix-synapse";
in {
db_name = "matrix-synapse-runas.rocks";
in
{
services = {
matrix-synapse = {
enable = true;
settings = {
server_name = "${domain}";
database_name = db_name;
database.args.database = db_name;
public_baseurl = "https://${domain}";
registration_shared_secret = "runas!";
url_preview_enabled = true;
dynamic_thumbnails = true;
withJemalloc = true;
# enable_registration = true;
app_service_config_files = [
"/var/lib/matrix-synapse/discord-registration.yaml"
# "/var/lib/matrix-synapse/hookshot-registration.yml"
# "/var/lib/matrix-synapse/telegram-registration.yaml"
];
oidc_providers = [{
idp_id = "keycloak";
idp_name = "Architect SSO";
issuer = "https://auth.giugl.io/realms/master";
client_id = "synapse";
client_secret = "hj7dkbAI75jIeggr1cW0JTRzAdvJUtq6";
scopes = [ "openid" "profile" ];
user_profile_method = "userinfo_endpoint";
user_mapping_provider.config = {
localpart_template = "{{ user.preferred_username }}";
display_name_template = "{{ user.name }}";
};
backchannel_logout_enabled = true;
}];
listeners = [{
port = 8008;
bind_addresses = [ "127.0.0.1" ];
@ -35,18 +51,11 @@ in {
}];
}];
};
#extraConfig = ''
# auto_join_rooms:
# - "#general:matrix.giugl.io"
# max_upload_size: "50M"
#'';
};
postgresql = {
enable = true;
package = pkgs.postgresql;
ensureDatabases = [ db_name ];
ensureUsers = [{
name = db_name;
ensurePermissions = { "DATABASE \"${db_name}\"" = "ALL PRIVILEGES"; };
@ -63,18 +72,21 @@ in {
'';
locations."= /.well-known/matrix/server".extraConfig =
let server = { "m.server" = "${domain}:443"; };
in ''
in
''
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
locations."= /.well-known/matrix/client".extraConfig = let
locations."= /.well-known/matrix/client".extraConfig =
let
client = {
"m.homeserver" = { "base_url" = "https://${domain}:443"; };
"m.identity_server" = { "base_url" = "https://vector.im"; };
};
# ACAO required to allow element-web on any URL to request this json file
in ''
in
''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
@ -88,6 +100,10 @@ in {
locations."/_matrix" = {
proxyPass = "http://127.0.0.1:8008"; # without a trailing /
};
locations."/_synapse" = {
proxyPass = "http://127.0.0.1:8008"; # without a trailing /
};
};
# web client
@ -114,7 +130,7 @@ in {
# It's also possible to use PostgreSQL.
settings = {
bridge = {
domain = domain;
inherit domain;
homeserverUrl = "https://${domain}";
};
};
@ -122,8 +138,8 @@ in {
};
networking.extraHosts = ''
${network.architect-lan} ${domain} ${webui_domain}
${network.architect-wg} ${domain} ${webui_domain}
${network.architect-lan} ${lib.concatStringsSep " " [ domain webui_domain]}
${network.architect-wg} ${lib.concatStringsSep " " [ domain webui_domain ]}
'';
}
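Review bot: `client_secret = "hj7dkbAI75jIeggr1cW0JTRzAdvJUtq6"` and `registration_shared_secret = "runas!"` are written into the module, so they land both in git history and in the world-readable `/nix/store` copy of the generated Synapse configuration. Both secrets should be treated as compromised and rotated in Keycloak and Synapse, with the replacements loaded from a root-only file outside the store (for example via `services.matrix-synapse.extraConfigFiles`, or a secrets tool such as agenix/sops-nix); the registration secret also deserves a long random value rather than `runas!`. The `oidc_providers` entry otherwise reads sensibly, and `backchannel_logout_enabled = true` pairs with the `revoke_tokens_on_logout` change in openid.nix.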


@ -57,7 +57,7 @@ in {
ExecStart =
"${pkgs.beets}/bin/beet -c ${beets_config} import --flat -q ${library_path}";
};
startAt = "daily";
startAt = "weekly";
};
"remove-badmp3" = {


@ -19,9 +19,9 @@ rec {
proxy-wg = "10.4.0.1";
architect-wg = "10.3.0.1";
galuminum-wg = "10.3.0.2";
oneplus-wg = "10.3.0.3";
ipad-wg = "10.3.0.4";
giuliopc-wg = "10.3.0.2";
giuliophone-wg = "10.3.0.3";
giuliodeck-wg = "10.3.0.4";
manduria-wg = "10.3.0.5";
antonio-wg = "10.3.0.6";
gbeast-wg = "10.3.0.7";
@ -57,14 +57,14 @@ rec {
# groups
gdevices-wg =
[ galuminum-wg oneplus-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg;
[ giuliopc-wg giuliophone-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg;
routers-wg = [ hotpottino-wg angellane-wg dodino-wg ];
c2c-wg = [ ] ++ gdevices-wg;
towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg parina-ipad-wg ]
++ gdevices-wg ++ routers-wg;
gamenet-wg = [
andrew-wg
galuminum-wg
giuliopc-wg
gbeast-wg
mikey-wg
andrewdesktop-wg


@ -1,18 +1,10 @@
{ services, pkgs, lib, ... }:
let
serviceSkeleton = { default ? false }: {
inherit default;
{
services.nginx = {
enable = true;
package = pkgs.openresty;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."architect.devs.giugl.io" = {
default = true;
enableACME = true;
addSSL = true;
forceSSL = true;
root = "/var/lib/nginx/error_pages";
extraConfig = "error_page 404 /index.htm;";
@ -26,7 +18,20 @@
"/wat.jpg" = { };
};
};
appendHttpConfig = let
in {
services.nginx = {
enable = true;
package = pkgs.openresty;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."architect.devs.giugl.io" = serviceSkeleton { default = true; };
virtualHosts."runas.rocks" = serviceSkeleton {};
appendHttpConfig =
let
extraPureLuaPackages = with pkgs.luajitPackages; [
lua-resty-openidc
lua-resty-http
@ -36,7 +41,8 @@
];
luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
makeLuaPath = lib.concatMapStringsSep ";" luaPath;
in ''
in
''
lua_package_path '${makeLuaPath extraPureLuaPackages};;';
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 5;
@ -62,6 +68,16 @@
return false
end
function is_ip_whitelisted(ip, whitelist)
for _, x in ipairs(whitelist) do
if ip == x then
return true
end
end
return false
end
}
'';
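Review bot: `is_ip_whitelisted` does an exact string compare against whatever the caller passes, and the only caller in this series passes `ngx.var.remote_addr`, the address of the direct TCP peer; if any hop (the `proxy-wg` host from network.nix, a CDN, or a local reverse proxy) sits in front of this nginx, every request arrives from that hop's address and a whitelist entry for it would bypass OpenID for everyone. The function also only matches single addresses, not ranges, and since it is declared without `local` it becomes a global — presumably on purpose so `access_by_lua_block` can reach it, but that should be stated. A header comment such as `-- exact match on the direct peer address only (no CIDR, no X-Forwarded-For); global on purpose so access_by_lua_block can call it` would capture both constraints. The enclosing Lua block and the `appendHttpConfig` string start outside the hunk.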


@ -2,7 +2,7 @@
{
openresty_oidc_block =
{ access_role ? "" }: ''
{ access_role ? "", whitelisted_ips ? [] }: ''
access_by_lua_block {
local opts = {
discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
@ -12,9 +12,20 @@
redirect_after_logout_uri = "/",
redirect_uri = "/redirect_uri",
keepalive = "yes",
accept_none_alg = true
accept_none_alg = true,
revoke_tokens_on_logout = true,
-- access token valid for a day
access_token_expires_in = 86400
}
${lib.optionalString (whitelisted_ips != []) ''
local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}
if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
return
end
''}
-- call introspect for OAuth 2.0 Bearer Access Token validation
local res, err = require("resty.openidc").authenticate(opts)
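Review bot: `access_token_expires_in = 86400` does not extend the access token's lifetime: in lua-resty-openidc that option is only the fallback used when the token endpoint response carries no `expires_in`, and Keycloak includes one, so the one-day validity the commit message describes has to be configured on the Keycloak client or realm instead. Independently, the context line `accept_none_alg = true` makes lua-resty-openidc accept ID tokens whose header declares `alg: none`, i.e. unsigned tokens, which undermines the check this block exists for; unless there is a documented reason it should be dropped (the library default is false) so Keycloak's signatures are verified against the discovery document's JWKS. The early `return` after `is_ip_whitelisted(...)` also skips the `access_role` check, so whitelisted addresses get unrestricted access regardless of role — worth a comment such as `-- whitelisted peers bypass both authentication and the access_role check`. The `access_by_lua_block` continues outside the hunk.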


@ -2,9 +2,8 @@ with import ./network.nix; {
networking = {
extraHosts = ''
${architect-wg} architect.devs.giugl.io
${galuminum-wg} galuminum.devs.giugl.io
${oneplus-wg} oneplus.devs.giugl.io
${ipad-wg} ipad.devs.giugl.io
${giuliopc-wg} giuliopc.devs.giugl.io
${giuliophone-wg} giuliophone.devs.giugl.io
${manduria-wg} manduria.devs.giugl.io
${antonio-wg} antonio.devs.giugl.io
${gbeast-wg} gbeast.devs.giugl.io
@ -34,6 +33,7 @@ with import ./network.nix; {
${parina-ipad-wg} parinaipad.devs.giugl.io
${nilo-wg} nilo.devs.giugl.io
${kclvm-wg} kclvm.devs.giugl.io
${giuliodeck-wg} giuliodeck.devs.giugl.io
'';
wireguard = {
@ -55,23 +55,17 @@ with import ./network.nix; {
peers = [
{
# gAluminum
allowedIPs = [ galuminum-wg ];
# giuliopc
allowedIPs = [ giuliopc-wg ];
publicKey = "pEEgSs7xmO0cfyvoQlU8lfwqdYM1ISgmPAunPtF+0xw=";
}
{
# OnePlus
allowedIPs = [ oneplus-wg ];
# giuliophone
allowedIPs = [ giuliophone-wg ];
publicKey = "zynSERy6VhxN5zBf1ih3BOAHxvigDixHB9YKnSBgYFs=";
}
{
# iPad
allowedIPs = [ ipad-wg ];
publicKey = "DPpd+P/hV1XLuvdcrCRv1sgz8BeZt1y5D6VehNuhjSQ=";
}
{
# Manduria
allowedIPs = [ manduria-wg ];
@ -263,6 +257,11 @@ with import ./network.nix; {
allowedIPs = [ kclvm-wg ];
publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE=";
}
{
# Giulio's Deck
allowedIPs = [ giuliodeck-wg ];
publicKey = "7TGYsYvElTLY3V7qJfggkF+kFG7Y5sUsHA88h0cYJx0=";
}
];
};
};