Compare commits
15 Commits
d9ef1939b2
...
a546edc30d
Author | SHA1 | Date | |
---|---|---|---|
|
a546edc30d | ||
|
30fd214734 | ||
|
ae4c55fdee | ||
|
74fd09cb16 | ||
|
b244bfad7d | ||
|
7ffddeca09 | ||
|
b93d3a33b0 | ||
|
6568784680 | ||
|
2ed81fcfe3 | ||
|
ea53e09c1a | ||
|
7e61526538 | ||
|
75b51d24e9 | ||
|
3c4caaaea5 | ||
|
9efea759e4 | ||
|
1122be76bb |
24
flake.lock
generated
24
flake.lock
generated
@ -38,11 +38,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1665475263,
|
||||
"narHash": "sha256-T4at7d+KsQNWh5rfjvOtQCaIMWjSDlSgQZKvxb+LcEY=",
|
||||
"lastModified": 1667907331,
|
||||
"narHash": "sha256-bHkAwkYlBjkupPUFcQjimNS8gxWSWjOTevEuwdnp5m0=",
|
||||
"owner": "rycee",
|
||||
"repo": "home-manager",
|
||||
"rev": "17208be516fc36e2ab0ceb064d931e90eb88b2a3",
|
||||
"rev": "6639e3a837fc5deb6f99554072789724997bc8e5",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -54,11 +54,11 @@
|
||||
},
|
||||
"nixos-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1665672983,
|
||||
"narHash": "sha256-V7Va7CRKmQRy95xSdlga5nV7q3/PusZwNAF/leb5PcU=",
|
||||
"lastModified": 1669721229,
|
||||
"narHash": "sha256-4Sh+gXzEVHI6E/8c7OgDW60tYKh9ZGPVoL2YXlC2Yk0=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "bb2fb1524795f2d720cd13a2eb4d35d3a7a0d888",
|
||||
"rev": "46eabb1198af88c73036edecdf6950c19be33308",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -70,11 +70,11 @@
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1665596265,
|
||||
"narHash": "sha256-H7Ku1SF+7zDEqw8QOyEDA5blMJQW9MvdfgB+K3KJNLw=",
|
||||
"lastModified": 1669546925,
|
||||
"narHash": "sha256-Gvtk9agz88tBgqmCdHl5U7gYttTkiuEd8/Rq1Im0pTg=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "9234f5a17e1a7820b5e91ecd4ff0de449e293383",
|
||||
"rev": "fecf05d4861f3985e8dee73f08bc82668ef75125",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -115,11 +115,11 @@
|
||||
"nixpkgs": "nixpkgs_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1665671907,
|
||||
"narHash": "sha256-+YXxqH7OROLJ9G4va5BZb4a8aIzulaUZbnH+R1iWoaw=",
|
||||
"lastModified": 1669558651,
|
||||
"narHash": "sha256-0oZd2rdg2050yapyjX7zMWsYWptFp55YFHoEFgsVrN0=",
|
||||
"owner": "m15a",
|
||||
"repo": "nixpkgs-vim-extra-plugins",
|
||||
"rev": "6c1624b0942cdecf7f30aa4d411cb3578bc29a38",
|
||||
"rev": "38107b1aceaccc2ac14a4697bbcea3d70fd016f6",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -33,7 +33,7 @@
|
||||
};
|
||||
|
||||
pkgsX64 = wrapPkgsSystem { system = x64System; };
|
||||
unstableX64 = wrapPkgsSystem { system = x64System; };
|
||||
unstableX64 = wrapUnstablePkgsSystem { system = x64System; };
|
||||
utilsX64 = import ./lib {
|
||||
inherit nixpkgs nixos-unstable home-manager;
|
||||
pkgs = pkgsX64;
|
||||
@ -42,14 +42,15 @@
|
||||
};
|
||||
|
||||
pkgsDarwin = wrapPkgsSystem { system = darwinSystem; };
|
||||
unstableDarwin = wrapPkgsSystem { system = darwinSystem; };
|
||||
unstableDarwin = wrapUnstablePkgsSystem { system = darwinSystem; };
|
||||
utilsDarwin = import ./lib {
|
||||
inherit nixpkgs nixos-unstable home-manager;
|
||||
pkgs = pkgsDarwin;
|
||||
unstable = unstableDarwin;
|
||||
system = darwinSystem;
|
||||
};
|
||||
in {
|
||||
in
|
||||
{
|
||||
nixosConfigurations = {
|
||||
architect = utilsX64.host.mkHost {
|
||||
name = "architect";
|
||||
|
@ -3,7 +3,9 @@
|
||||
let
|
||||
domain = "books.giugl.io";
|
||||
network = import ./network.nix;
|
||||
in {
|
||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
||||
in
|
||||
{
|
||||
services = {
|
||||
calibre-web = {
|
||||
enable = true;
|
||||
@ -21,7 +23,7 @@ in {
|
||||
proxyPass = "http://127.0.0.1:8083";
|
||||
extraConfig = ''
|
||||
client_max_body_size 500M;
|
||||
'';
|
||||
'' + auth_block { access_role = "calibre"; };
|
||||
};
|
||||
};
|
||||
};
|
||||
|
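Review bot: The OIDC gate appended with `'' + auth_block { access_role = "calibre"; };` sits on the `/` location, so it also fronts calibre-web's non-browser endpoints (e.g. the OPDS feed used by e-reader apps with their own credentials), which cannot complete a browser redirect login if any such clients are in use. The same pattern appears further down for the media.giugl.io vhost, where `auth_block { access_role = "jellyfin"; }` is placed in the server-level `extraConfig` and therefore covers `/socket` and the Jellyfin app API as well. If those clients are meant to keep working, scope the block to the browser-facing locations or pass the `whitelisted_ips` argument the reworked `openresty_oidc_block` accepts for trusted networks. The enclosing `locations."/"` attribute set starts outside the hunk.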
@ -29,6 +29,7 @@ let
|
||||
gitea_tcp
|
||||
torrent_a
|
||||
torrent_b
|
||||
minecraft_tcp
|
||||
];
|
||||
open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
|
||||
wireguard_udp
|
||||
|
@ -3,7 +3,8 @@
|
||||
let
|
||||
domain = "git.giugl.io";
|
||||
network = import ./network.nix;
|
||||
in {
|
||||
in
|
||||
{
|
||||
services.gitea = {
|
||||
enable = true;
|
||||
database.type = "sqlite3";
|
||||
@ -11,7 +12,10 @@ in {
|
||||
appName = "Gitea";
|
||||
rootUrl = "https://${domain}";
|
||||
ssh.clonePort = 22;
|
||||
settings.server.LFS_START_SERVER = true;
|
||||
settings = {
|
||||
server.LFS_START_SERVER = true;
|
||||
openid.enable_openid_signin = true;
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts.${domain} = {
|
||||
|
@ -1,9 +1,11 @@
|
||||
{ pkgs, ... }:
|
||||
{ pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
network = import ./network.nix;
|
||||
domain = "media.giugl.io";
|
||||
in {
|
||||
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
||||
in
|
||||
{
|
||||
disabledModules = [ "services/misc/jellyfin.nix" ];
|
||||
imports = [ ./modules/jellyfin.nix ];
|
||||
|
||||
@ -17,7 +19,8 @@ in {
|
||||
nginx.virtualHosts.${domain} = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
extraConfig = ''
|
||||
extraConfig = auth_block { access_role = "jellyfin"; } +
|
||||
''
|
||||
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
|
||||
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
|
||||
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
|
||||
@ -26,21 +29,21 @@ in {
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:8096";
|
||||
# extraConfig = ''
|
||||
# allow 10.0.0.0/24;
|
||||
# allow 10.3.0.0/24;
|
||||
# deny all;
|
||||
# '';
|
||||
# extraConfig = ''
|
||||
# allow 10.0.0.0/24;
|
||||
# allow 10.3.0.0/24;
|
||||
# deny all;
|
||||
# '';
|
||||
};
|
||||
|
||||
locations."/socket" = {
|
||||
proxyPass = "http://127.0.0.1:8096";
|
||||
proxyWebsockets = true;
|
||||
# extraConfig = ''
|
||||
# allow 10.0.0.0/24;
|
||||
# allow 10.3.0.0/24;
|
||||
# deny all;
|
||||
# '';
|
||||
# extraConfig = ''
|
||||
# allow 10.0.0.0/24;
|
||||
# allow 10.3.0.0/24;
|
||||
# deny all;
|
||||
# '';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -1,28 +1,44 @@
|
||||
{ pkgs, ... }:
|
||||
{ pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
domain = "matrix.giugl.io";
|
||||
webui_domain = "chat.giugl.io";
|
||||
domain = "runas.rocks";
|
||||
webui_domain = "webchat.runas.rocks";
|
||||
network = import ./network.nix;
|
||||
db_name = "matrix-synapse";
|
||||
in {
|
||||
db_name = "matrix-synapse-runas.rocks";
|
||||
in
|
||||
{
|
||||
services = {
|
||||
matrix-synapse = {
|
||||
enable = true;
|
||||
settings = {
|
||||
server_name = "${domain}";
|
||||
database_name = db_name;
|
||||
database.args.database = db_name;
|
||||
public_baseurl = "https://${domain}";
|
||||
registration_shared_secret = "runas!";
|
||||
url_preview_enabled = true;
|
||||
dynamic_thumbnails = true;
|
||||
withJemalloc = true;
|
||||
# enable_registration = true;
|
||||
app_service_config_files = [
|
||||
"/var/lib/matrix-synapse/discord-registration.yaml"
|
||||
# "/var/lib/matrix-synapse/hookshot-registration.yml"
|
||||
# "/var/lib/matrix-synapse/telegram-registration.yaml"
|
||||
];
|
||||
|
||||
oidc_providers = [{
|
||||
idp_id = "keycloak";
|
||||
idp_name = "Architect SSO";
|
||||
issuer = "https://auth.giugl.io/realms/master";
|
||||
client_id = "synapse";
|
||||
client_secret = "hj7dkbAI75jIeggr1cW0JTRzAdvJUtq6";
|
||||
scopes = [ "openid" "profile" ];
|
||||
user_profile_method = "userinfo_endpoint";
|
||||
user_mapping_provider.config = {
|
||||
localpart_template = "{{ user.preferred_username }}";
|
||||
display_name_template = "{{ user.name }}";
|
||||
};
|
||||
backchannel_logout_enabled = true;
|
||||
}];
|
||||
|
||||
listeners = [{
|
||||
port = 8008;
|
||||
bind_addresses = [ "127.0.0.1" ];
|
||||
@ -35,18 +51,11 @@ in {
|
||||
}];
|
||||
}];
|
||||
};
|
||||
|
||||
#extraConfig = ''
|
||||
# auto_join_rooms:
|
||||
# - "#general:matrix.giugl.io"
|
||||
# max_upload_size: "50M"
|
||||
#'';
|
||||
};
|
||||
|
||||
postgresql = {
|
||||
enable = true;
|
||||
package = pkgs.postgresql;
|
||||
ensureDatabases = [ db_name ];
|
||||
ensureUsers = [{
|
||||
name = db_name;
|
||||
ensurePermissions = { "DATABASE \"${db_name}\"" = "ALL PRIVILEGES"; };
|
||||
@ -63,18 +72,21 @@ in {
|
||||
'';
|
||||
locations."= /.well-known/matrix/server".extraConfig =
|
||||
let server = { "m.server" = "${domain}:443"; };
|
||||
in ''
|
||||
in
|
||||
''
|
||||
add_header Content-Type application/json;
|
||||
return 200 '${builtins.toJSON server}';
|
||||
'';
|
||||
|
||||
locations."= /.well-known/matrix/client".extraConfig = let
|
||||
locations."= /.well-known/matrix/client".extraConfig =
|
||||
let
|
||||
client = {
|
||||
"m.homeserver" = { "base_url" = "https://${domain}:443"; };
|
||||
"m.identity_server" = { "base_url" = "https://vector.im"; };
|
||||
};
|
||||
# ACAO required to allow element-web on any URL to request this json file
|
||||
in ''
|
||||
in
|
||||
''
|
||||
add_header Content-Type application/json;
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
return 200 '${builtins.toJSON client}';
|
||||
@ -88,6 +100,10 @@ in {
|
||||
locations."/_matrix" = {
|
||||
proxyPass = "http://127.0.0.1:8008"; # without a trailing /
|
||||
};
|
||||
|
||||
locations."/_synapse" = {
|
||||
proxyPass = "http://127.0.0.1:8008"; # without a trailing /
|
||||
};
|
||||
};
|
||||
|
||||
# web client
|
||||
@ -114,7 +130,7 @@ in {
|
||||
# It's also possible to use PostgreSQL.
|
||||
settings = {
|
||||
bridge = {
|
||||
domain = domain;
|
||||
inherit domain;
|
||||
homeserverUrl = "https://${domain}";
|
||||
};
|
||||
};
|
||||
@ -122,8 +138,8 @@ in {
|
||||
};
|
||||
|
||||
networking.extraHosts = ''
|
||||
${network.architect-lan} ${domain} ${webui_domain}
|
||||
${network.architect-wg} ${domain} ${webui_domain}
|
||||
${network.architect-lan} ${lib.concatStringsSep " " [ domain webui_domain]}
|
||||
${network.architect-wg} ${lib.concatStringsSep " " [ domain webui_domain ]}
|
||||
'';
|
||||
|
||||
}
|
||||
|
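Review bot: `client_secret = "hj7dkbAI75jIeggr1cW0JTRzAdvJUtq6";` in the new `oidc_providers` entry is a live credential inside `services.matrix-synapse.settings`, which is rendered into a world-readable file in the Nix store and is now also part of git history. Move it to a root-only file referenced via `services.matrix-synapse.extraConfigFiles` (or whatever secrets mechanism the flake already uses) and rotate the value in Keycloak, since the committed one should be treated as disclosed. `registration_shared_secret = "runas!";` a few lines above has the same exposure if it is still in effect. The `matrix-synapse` attribute set continues past the first hunk.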
@ -57,7 +57,7 @@ in {
|
||||
ExecStart =
|
||||
"${pkgs.beets}/bin/beet -c ${beets_config} import --flat -q ${library_path}";
|
||||
};
|
||||
startAt = "daily";
|
||||
startAt = "weekly";
|
||||
};
|
||||
|
||||
"remove-badmp3" = {
|
||||
|
@ -19,9 +19,9 @@ rec {
|
||||
|
||||
proxy-wg = "10.4.0.1";
|
||||
architect-wg = "10.3.0.1";
|
||||
galuminum-wg = "10.3.0.2";
|
||||
oneplus-wg = "10.3.0.3";
|
||||
ipad-wg = "10.3.0.4";
|
||||
giuliopc-wg = "10.3.0.2";
|
||||
giuliophone-wg = "10.3.0.3";
|
||||
giuliodeck-wg = "10.3.0.4";
|
||||
manduria-wg = "10.3.0.5";
|
||||
antonio-wg = "10.3.0.6";
|
||||
gbeast-wg = "10.3.0.7";
|
||||
@ -57,14 +57,14 @@ rec {
|
||||
|
||||
# groups
|
||||
gdevices-wg =
|
||||
[ galuminum-wg oneplus-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg;
|
||||
[ giuliopc-wg giuliophone-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg;
|
||||
routers-wg = [ hotpottino-wg angellane-wg dodino-wg ];
|
||||
c2c-wg = [ ] ++ gdevices-wg;
|
||||
towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg parina-ipad-wg ]
|
||||
++ gdevices-wg ++ routers-wg;
|
||||
gamenet-wg = [
|
||||
andrew-wg
|
||||
galuminum-wg
|
||||
giuliopc-wg
|
||||
gbeast-wg
|
||||
mikey-wg
|
||||
andrewdesktop-wg
|
||||
|
@ -1,18 +1,10 @@
|
||||
{ services, pkgs, lib, ... }:
|
||||
let
|
||||
serviceSkeleton = { default ? false }: {
|
||||
inherit default;
|
||||
|
||||
{
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
package = pkgs.openresty;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
|
||||
virtualHosts."architect.devs.giugl.io" = {
|
||||
default = true;
|
||||
enableACME = true;
|
||||
addSSL = true;
|
||||
forceSSL = true;
|
||||
root = "/var/lib/nginx/error_pages";
|
||||
extraConfig = "error_page 404 /index.htm;";
|
||||
|
||||
@ -26,7 +18,20 @@
|
||||
"/wat.jpg" = { };
|
||||
};
|
||||
};
|
||||
appendHttpConfig = let
|
||||
in {
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
package = pkgs.openresty;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
|
||||
virtualHosts."architect.devs.giugl.io" = serviceSkeleton { default = true; };
|
||||
virtualHosts."runas.rocks" = serviceSkeleton {};
|
||||
|
||||
appendHttpConfig =
|
||||
let
|
||||
extraPureLuaPackages = with pkgs.luajitPackages; [
|
||||
lua-resty-openidc
|
||||
lua-resty-http
|
||||
@ -36,7 +41,8 @@
|
||||
];
|
||||
luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
|
||||
makeLuaPath = lib.concatMapStringsSep ";" luaPath;
|
||||
in ''
|
||||
in
|
||||
''
|
||||
lua_package_path '${makeLuaPath extraPureLuaPackages};;';
|
||||
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
|
||||
lua_ssl_verify_depth 5;
|
||||
@ -62,6 +68,16 @@
|
||||
|
||||
return false
|
||||
end
|
||||
|
||||
function is_ip_whitelisted(ip, whitelist)
|
||||
for _, x in ipairs(whitelist) do
|
||||
if ip == x then
|
||||
return true
|
||||
end
|
||||
end
|
||||
|
||||
return false
|
||||
end
|
||||
}
|
||||
'';
|
||||
|
||||
|
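Review bot: The new `is_ip_whitelisted` helper is undocumented and its exact-string comparison is easy to misread as network matching; add a comment above it such as `-- exact textual match against the list built in openid.nix; CIDR ranges and IPv4-mapped IPv6 forms do not match`. It is also defined as a global so that the `access_by_lua_block` emitted by openid.nix can call it, which is worth stating in the same comment. The enclosing Lua block starts outside the hunk.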
@ -2,7 +2,7 @@
|
||||
|
||||
{
|
||||
openresty_oidc_block =
|
||||
{ access_role ? "" }: ''
|
||||
{ access_role ? "", whitelisted_ips ? [] }: ''
|
||||
access_by_lua_block {
|
||||
local opts = {
|
||||
discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
|
||||
@ -12,9 +12,20 @@
|
||||
redirect_after_logout_uri = "/",
|
||||
redirect_uri = "/redirect_uri",
|
||||
keepalive = "yes",
|
||||
accept_none_alg = true
|
||||
accept_none_alg = true,
|
||||
revoke_tokens_on_logout = true,
|
||||
-- access token valid for a day
|
||||
access_token_expires_in = 86400
|
||||
}
|
||||
|
||||
${lib.optionalString (whitelisted_ips != []) ''
|
||||
local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}
|
||||
|
||||
if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
|
||||
return
|
||||
end
|
||||
''}
|
||||
|
||||
-- call introspect for OAuth 2.0 Bearer Access Token validation
|
||||
local res, err = require("resty.openidc").authenticate(opts)
|
||||
|
||||
|
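Review bot: The new whitelist check compares `ngx.var.remote_addr`, i.e. the TCP peer address, and then `return`s before `authenticate(opts)` runs, so a matching client skips both login and the `access_role` check; if any of these vhosts receive traffic through another proxy (network.nix defines a `proxy-wg` host), the peer address would be the proxy's, and whitelisting it would extend the bypass to everything behind it. Document that next to the `return`, e.g. `-- trusted source address: no login and no role check for this request`. Separately, `accept_none_alg = true,` is carried into the rewritten options table; it makes lua-resty-openidc accept unsigned (`alg=none`) ID tokens, and since Keycloak signs its tokens it is likely unnecessary and should be dropped unless the provider requires it. The `opts` table starts outside the second hunk.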
@ -2,9 +2,8 @@ with import ./network.nix; {
|
||||
networking = {
|
||||
extraHosts = ''
|
||||
${architect-wg} architect.devs.giugl.io
|
||||
${galuminum-wg} galuminum.devs.giugl.io
|
||||
${oneplus-wg} oneplus.devs.giugl.io
|
||||
${ipad-wg} ipad.devs.giugl.io
|
||||
${giuliopc-wg} giuliopc.devs.giugl.io
|
||||
${giuliophone-wg} giuliophone.devs.giugl.io
|
||||
${manduria-wg} manduria.devs.giugl.io
|
||||
${antonio-wg} antonio.devs.giugl.io
|
||||
${gbeast-wg} gbeast.devs.giugl.io
|
||||
@ -34,6 +33,7 @@ with import ./network.nix; {
|
||||
${parina-ipad-wg} parinaipad.devs.giugl.io
|
||||
${nilo-wg} nilo.devs.giugl.io
|
||||
${kclvm-wg} kclvm.devs.giugl.io
|
||||
${giuliodeck-wg} giuliodeck.devs.giugl.io
|
||||
'';
|
||||
|
||||
wireguard = {
|
||||
@ -55,23 +55,17 @@ with import ./network.nix; {
|
||||
|
||||
peers = [
|
||||
{
|
||||
# gAluminum
|
||||
allowedIPs = [ galuminum-wg ];
|
||||
# giuliopc
|
||||
allowedIPs = [ giuliopc-wg ];
|
||||
publicKey = "pEEgSs7xmO0cfyvoQlU8lfwqdYM1ISgmPAunPtF+0xw=";
|
||||
}
|
||||
|
||||
{
|
||||
# OnePlus
|
||||
allowedIPs = [ oneplus-wg ];
|
||||
# giuliophone
|
||||
allowedIPs = [ giuliophone-wg ];
|
||||
publicKey = "zynSERy6VhxN5zBf1ih3BOAHxvigDixHB9YKnSBgYFs=";
|
||||
}
|
||||
|
||||
{
|
||||
# iPad
|
||||
allowedIPs = [ ipad-wg ];
|
||||
publicKey = "DPpd+P/hV1XLuvdcrCRv1sgz8BeZt1y5D6VehNuhjSQ=";
|
||||
}
|
||||
|
||||
{
|
||||
# Manduria
|
||||
allowedIPs = [ manduria-wg ];
|
||||
@ -263,6 +257,11 @@ with import ./network.nix; {
|
||||
allowedIPs = [ kclvm-wg ];
|
||||
publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE=";
|
||||
}
|
||||
{
|
||||
# Giulio's Deck
|
||||
allowedIPs = [ giuliodeck-wg ];
|
||||
publicKey = "7TGYsYvElTLY3V7qJfggkF+kFG7Y5sUsHA88h0cYJx0=";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|