Compare commits


5 Commits

Author SHA1 Message Date
Giulio De Pasquale
51b714c159 architect: Add manduria.devs.giugl.io name 2023-02-01 21:56:13 +01:00
Giulio De Pasquale
4414011c95 network: Added router-lan 2023-02-01 21:55:55 +01:00
Giulio De Pasquale
1881025faa architect: Add tailscale IP to hosts for every service 2023-02-01 21:55:32 +01:00
Giulio De Pasquale
d41001dfe7 Update lock 2023-02-01 21:54:20 +01:00
Giulio De Pasquale
79116ae1a7 architect: Added initial support for Tailscale 2023-01-30 09:46:20 +01:00
30 changed files with 67 additions and 12 deletions

18
flake.lock generated

@ -8,11 +8,11 @@
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1672244468, "lastModified": 1674440933,
"narHash": "sha256-xaZb8AZqoXRCSqPusCk4ouf+fUNP8UJdafmMTF1Ltlw=", "narHash": "sha256-CASRcD/rK3fn5vUCti3jzry7zi0GsqRsBohNq9wPgLs=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "89a8ba0b5b43b3350ff2e3ef37b66736b2ef8706", "rev": "65c47ced082e3353113614f77b1bc18822dc731f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -24,11 +24,11 @@
}, },
"nixos-unstable": { "nixos-unstable": {
"locked": { "locked": {
"lastModified": 1672568157, "lastModified": 1675279076,
"narHash": "sha256-Q7bZvvyMcgaWPy86yn4MzBe8KvURoBQaKLF68WAcjQI=", "narHash": "sha256-I8sMB4TBkhNY4lcKtb+pwEDB50My3+JG5Ti8J3sEmCc=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "1ca08d4c638a89f2c82bec993f9ca4893faf3241", "rev": "c6fd903606866634312e40cceb2caee8c0c9243f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -40,11 +40,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1672353432, "lastModified": 1675237434,
"narHash": "sha256-oZfgp/44/o2tWiylV30cR+DLyWTJ+5dhsdWZVpzs3e4=", "narHash": "sha256-YoFR0vyEa1HXufLNIFgOGhIFMRnY6aZ0IepZF5cYemo=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "913a47cd064cc06440ea84e5e0452039a85781f0", "rev": "285b3ff0660640575186a4086e1f8dc0df2874b5",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -27,6 +27,7 @@ in
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${network.architect-lan} ${domain}
${network.architect-wg} ${domain} ${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
''; '';
users.groups.media.members = [ "bazarr" ]; users.groups.media.members = [ "bazarr" ];
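Review bot: The added `${network.architect-ts} ${domain}` line is the third hand-copied entry of the same architect host triplet, and the identical insertion recurs in every other `networking.extraHosts` hunk on this page, down to the transmission module at the end. Each new architect address means touching every service module again, and a module that is missed silently resolves only over LAN and WireGuard. Defining the list once in the `rec` set of network.nix, e.g. `architect-ips = [ architect-lan architect-wg architect-ts ];`, and generating the block with `lib.concatMapStringsSep "\n" (ip: "${ip} ${domain}") network.architect-ips` where `lib` is in scope would keep the modules in step. The enclosing module attribute set starts and ends outside the hunk.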


@ -31,6 +31,7 @@ in
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${network.architect-lan} ${domain}
${network.architect-wg} ${domain} ${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
''; '';
users.groups.media.members = [ "calibre-web" ]; users.groups.media.members = [ "calibre-web" ];


@ -38,6 +38,7 @@ in {
./keycloak.nix ./keycloak.nix
./lezzo.nix ./lezzo.nix
./runas.nix ./runas.nix
./tailscale.nix
]; ];
time.timeZone = "Europe/Rome"; time.timeZone = "Europe/Rome";
@ -103,7 +104,9 @@ in {
${network.dvr-lan} dvr.devs.giugl.io ${network.dvr-lan} dvr.devs.giugl.io
${network.nas-lan} nas.devs.giugl.io ${network.nas-lan} nas.devs.giugl.io
${network.router-lan} manduria.devs.giugl.io
192.168.1.1 vodafone.station 192.168.1.1 vodafone.station
# Blacklist # Blacklist
0.0.0.0 metrics.plex.tv 0.0.0.0 metrics.plex.tv
0.0.0.0 analytics.plex.tv 0.0.0.0 analytics.plex.tv


@ -48,6 +48,7 @@ in {
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${network.architect-lan} ${domain}
${network.architect-wg} ${domain} ${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
''; '';
users.groups.media.members = [ "deluge" ]; users.groups.media.members = [ "deluge" ];


@ -35,6 +35,7 @@ let
wireguard_udp wireguard_udp
torrent_a torrent_a
torrent_b torrent_b
config.services.tailscale.port
]; ];
open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [ open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
ssh_tcp ssh_tcp
@ -86,6 +87,7 @@ in {
lib.concatStringsSep "," towan-wg lib.concatStringsSep "," towan-wg
}} masquerade }} masquerade
oifname ${wan-if} ip saddr ${docker-net} masquerade oifname ${wan-if} ip saddr ${docker-net} masquerade
oifname ${wan-if} ip saddr ${tailscale-net} masquerade
} }
} }
@ -101,6 +103,7 @@ in {
iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}" iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}"
iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}" iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}" iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}"
iifname ${tailscale-if} ip saddr ${tailscale-net} accept
iifname "lo" accept comment "bind any ip to intf lo" iifname "lo" accept comment "bind any ip to intf lo"
jump mangle_drop jump mangle_drop
} }
@ -154,11 +157,12 @@ in {
ip daddr 255.255.255.255 accept comment "allow broadcast traffic" ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
ip saddr ${lan-net} accept comment "lan > local" ip saddr ${lan-net} accept comment "lan > local"
ip saddr ${proxy-wg} accept comment "proxy > local"
ip saddr {${lib.concatStringsSep "," gdevices-wg}} accept comment "vpn > local" ip saddr {${lib.concatStringsSep "," gdevices-wg}} accept comment "vpn > local"
iifname ${wan-if} tcp dport {${open_tcp_ports}} accept iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
iifname ${wan-if} udp dport {${open_udp_ports}} accept iifname ${wan-if} udp dport {${open_udp_ports}} accept
iifname ${tailscale-if} tcp dport {${open_tcp_ports_vpn}} accept
iifname ${tailscale-if} udp dport {${open_udp_ports_vpn}} accept
iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept
iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept
iifname ${vpn-if} icmp type echo-request accept iifname ${vpn-if} icmp type echo-request accept
@ -189,6 +193,7 @@ in {
}} accept }} accept
oifname ${wan-if} ip saddr ${docker-net} accept oifname ${wan-if} ip saddr ${docker-net} accept
oifname ${wan-if} ip saddr ${tailscale-net} accept
jump filter_drop jump filter_drop
} }
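Review bot: The pair `oifname ${wan-if} ip saddr ${tailscale-net} masquerade` and `oifname ${wan-if} ip saddr ${tailscale-net} accept` (the latter in what looks like the forward chain) NAT and forward every source in `100.64.0.0/10` out of the WAN interface, which makes this host an exit node for any peer admitted to the tailnet, whereas the WireGuard side is scoped to the explicit `gdevices-wg` set; if that is intended, a comment on the forward rule saying so would document it, and if not, the rule should be narrowed to the specific `-ts` addresses. The anti-spoof rule `iifname ${tailscale-if} ip saddr ${tailscale-net} accept` is also the only one in its chain without a `comment`, so appending `comment "bind ip ${tailscale-net} to intf ${tailscale-if}"` would match its neighbours. The `@ -154,11 +157,12` header implies two removed lines that this rendering does not show, so that hunk may not be fully visible here. The enclosing nftables ruleset string starts and ends outside these hunks.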


@ -34,6 +34,7 @@ in
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${network.architect-lan} ${domain}
${network.architect-wg} ${domain} ${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
''; '';
} }


@ -62,5 +62,6 @@ in {
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${network.architect-lan} ${domain}
${network.architect-wg} ${domain} ${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
''; '';
} }


@ -22,5 +22,6 @@ in
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${network.architect-lan} ${domain}
${network.architect-wg} ${domain} ${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
''; '';
} }


@ -51,6 +51,7 @@ in
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${network.architect-lan} ${domain}
${network.architect-wg} ${domain} ${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
''; '';
users.groups.media.members = [ "jellyfin" ]; users.groups.media.members = [ "jellyfin" ];


@ -74,5 +74,6 @@ in {
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${network.architect-lan} ${domain}
${network.architect-wg} ${domain} ${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
''; '';
} }


@ -41,5 +41,6 @@ in
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${network.architect-lan} ${domain}
${network.architect-wg} ${domain} ${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
''; '';
} }


@ -21,5 +21,6 @@ in
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${network.architect-lan} ${domain}
${network.architect-wg} ${domain} ${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
''; '';
} }


@ -26,6 +26,7 @@ in {
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${network.architect-lan} ${domain}
${network.architect-wg} ${domain} ${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
''; '';
users.groups.media.members = [ "lidarr" ]; users.groups.media.members = [ "lidarr" ];


@ -145,6 +145,7 @@ in
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${lib.concatStringsSep " " [ domain webui_domain]} ${network.architect-lan} ${lib.concatStringsSep " " [ domain webui_domain]}
${network.architect-wg} ${lib.concatStringsSep " " [ domain webui_domain ]} ${network.architect-wg} ${lib.concatStringsSep " " [ domain webui_domain ]}
${network.architect-ts} ${lib.concatStringsSep " " [ domain webui_domain ]}
''; '';
} }


@ -16,5 +16,6 @@ in
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${network.architect-lan} ${domain}
${network.architect-wg} ${domain} ${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
''; '';
} }


@ -26,5 +26,6 @@ in {
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${network.architect-lan} ${domain}
${network.architect-wg} ${domain} ${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
''; '';
} }


@ -83,6 +83,7 @@ in {
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${network.architect-lan} ${domain}
${network.architect-wg} ${domain} ${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
''; '';
users.groups.media.members = [ "navidrome" ]; users.groups.media.members = [ "navidrome" ];


@ -4,6 +4,7 @@ rec {
vpn-if = "wg0"; vpn-if = "wg0";
proxy-if = "proxy"; proxy-if = "proxy";
docker-if = "docker0"; docker-if = "docker0";
tailscale-if = "ts0";
# nets # nets
lan-net = "10.0.0.0/24"; lan-net = "10.0.0.0/24";
@ -11,13 +12,14 @@ rec {
proxy-net = "10.4.0.0/24"; proxy-net = "10.4.0.0/24";
external_lan-net = "192.168.1.0/24"; external_lan-net = "192.168.1.0/24";
docker-net = "172.17.0.0/16"; docker-net = "172.17.0.0/16";
tailscale-net = "100.64.0.0/10";
# ips # ips
router-lan = "10.0.0.1";
dvr-lan = "10.0.0.2"; dvr-lan = "10.0.0.2";
nas-lan = "10.0.0.3"; nas-lan = "10.0.0.3";
architect-lan = "10.0.0.250"; architect-lan = "10.0.0.250";
proxy-wg = "10.4.0.1";
architect-wg = "10.3.0.1"; architect-wg = "10.3.0.1";
giuliopc-wg = "10.3.0.2"; giuliopc-wg = "10.3.0.2";
giuliophone-wg = "10.3.0.3"; giuliophone-wg = "10.3.0.3";
@ -54,6 +56,8 @@ rec {
hotpottino-wg = "10.3.0.201"; hotpottino-wg = "10.3.0.201";
dodino-wg = "10.3.0.202"; dodino-wg = "10.3.0.202";
architect-ts = "100.67.205.28";
# groups # groups
gdevices-wg = gdevices-wg =
[ giuliopc-wg giuliophone-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg; [ giuliopc-wg giuliophone-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg;
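Review bot: `architect-ts = "100.67.205.28";` pins an address that Tailscale assigns to the node rather than one this configuration controls, unlike the LAN and WireGuard addresses around it, so if the node is ever removed and re-registered the value may change and every `extraHosts` entry built from it goes stale without any evaluation error. A comment on the line, e.g. `# tailnet-assigned address; re-check after re-registering the node`, would stop it being read as authoritative. `tailscale-if = "ts0"` is defined here but the new tailscale.nix hardcodes `"ts0"` again instead of reading it, so the two can drift apart. The `rec` set continues outside the hunks.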


@ -54,6 +54,7 @@ in {
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${network.architect-lan} ${domain}
${network.architect-wg} ${domain} ${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
''; '';
services.nginx.virtualHosts.${domain} = { services.nginx.virtualHosts.${domain} = {


@ -29,5 +29,6 @@ in {
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${network.architect-lan} ${domain}
${network.architect-wg} ${domain} ${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
''; '';
} }


@ -26,6 +26,7 @@ in {
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${network.architect-lan} ${domain}
${network.architect-wg} ${domain} ${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
''; '';
users.groups.media.members = [ "nzbget" ]; users.groups.media.members = [ "nzbget" ];


@ -84,6 +84,7 @@ in {
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${network.architect-lan} ${domain}
${network.architect-wg} ${domain} ${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
''; '';
users.groups.media.members = [ "plex" ]; users.groups.media.members = [ "plex" ];


@ -35,6 +35,7 @@ in {
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${network.architect-lan} ${domain}
${network.architect-wg} ${domain} ${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
''; '';
users.groups = { users.groups = {


@ -32,6 +32,7 @@ in {
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${network.architect-lan} ${domain}
${network.architect-wg} ${domain} ${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
''; '';
users.groups.media.members = [ "prowlarr" ]; users.groups.media.members = [ "prowlarr" ];


@ -26,6 +26,7 @@ in {
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${network.architect-lan} ${domain}
${network.architect-wg} ${domain} ${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
''; '';
users.groups.media.members = [ "radarr" ]; users.groups.media.members = [ "radarr" ];


@ -41,5 +41,6 @@ in
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${network.architect-lan} ${domain}
${network.architect-wg} ${domain} ${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
''; '';
} }


@ -26,6 +26,7 @@ in {
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${network.architect-lan} ${domain}
${network.architect-wg} ${domain} ${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
''; '';
users.groups.media.members = [ "sonarr" ]; users.groups.media.members = [ "sonarr" ];


@ -0,0 +1,18 @@
{ lib, ... }:
let
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
ifname = "ts0";
in rec {
services = {
tailscale = {
enable = true;
interfaceName = ifname;
};
};
networking.extraHosts = ''
${network.architect-ts} architect.devs.giugl.io
'';
}
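Review bot: `auth_block` is bound from openid.nix but never used anywhere in this new file, and `lib` is only taken from the module arguments for that binding, so both look like residue copied from a service module and should be dropped. `ifname = "ts0"` also duplicates `tailscale-if` from network.nix, which this file already imports; `interfaceName = network.tailscale-if;` keeps the daemon's interface name and the firewall's `iifname ${tailscale-if}` rules from drifting apart. `rec` is not needed either, since nothing in the set refers to a sibling attribute.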


@ -37,6 +37,7 @@ in {
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${network.architect-lan} ${domain}
${network.architect-wg} ${domain} ${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
''; '';
users.groups.media.members = [ "transmission" ]; users.groups.media.members = [ "transmission" ];