architect: Add manduria.devs.giugl.io name

network: Added router-lan
architect: Add tailscale IP to hosts for every service
2023-02-01 21:56:13 +01:00 · 2023-02-01 21:55:55 +01:00 · 2023-02-01 21:55:32 +01:00 · 2023-02-01 21:54:20 +01:00 · 2023-01-30 09:46:20 +01:00
30 changed files with 67 additions and 12 deletions
--- a/flake.lock
+++ b/flake.lock
@ -8,11 +8,11 @@
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1672244468,
+        "lastModified": 1674440933,
-        "narHash": "sha256-xaZb8AZqoXRCSqPusCk4ouf+fUNP8UJdafmMTF1Ltlw=",
+        "narHash": "sha256-CASRcD/rK3fn5vUCti3jzry7zi0GsqRsBohNq9wPgLs=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "89a8ba0b5b43b3350ff2e3ef37b66736b2ef8706",
+        "rev": "65c47ced082e3353113614f77b1bc18822dc731f",
        "type": "github"
      },
      "original": {
@ -24,11 +24,11 @@
    },
    "nixos-unstable": {
      "locked": {
-        "lastModified": 1672568157,
+        "lastModified": 1675279076,
-        "narHash": "sha256-Q7bZvvyMcgaWPy86yn4MzBe8KvURoBQaKLF68WAcjQI=",
+        "narHash": "sha256-I8sMB4TBkhNY4lcKtb+pwEDB50My3+JG5Ti8J3sEmCc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "1ca08d4c638a89f2c82bec993f9ca4893faf3241",
+        "rev": "c6fd903606866634312e40cceb2caee8c0c9243f",
        "type": "github"
      },
      "original": {
@ -40,11 +40,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1672353432,
+        "lastModified": 1675237434,
-        "narHash": "sha256-oZfgp/44/o2tWiylV30cR+DLyWTJ+5dhsdWZVpzs3e4=",
+        "narHash": "sha256-YoFR0vyEa1HXufLNIFgOGhIFMRnY6aZ0IepZF5cYemo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "913a47cd064cc06440ea84e5e0452039a85781f0",
+        "rev": "285b3ff0660640575186a4086e1f8dc0df2874b5",
        "type": "github"
      },
      "original": {
--- a/hosts/architect/bazarr.nix
+++ b/hosts/architect/bazarr.nix
@ -27,6 +27,7 @@ in
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
    ${network.architect-ts} ${domain}
  '';
  users.groups.media.members = [ "bazarr" ];
--- a/hosts/architect/calibre.nix
+++ b/hosts/architect/calibre.nix
@ -31,6 +31,7 @@ in
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
    ${network.architect-ts} ${domain}
  '';
  users.groups.media.members = [ "calibre-web" ];
--- a/hosts/architect/default.nix
+++ b/hosts/architect/default.nix
@ -38,6 +38,7 @@ in {
    ./keycloak.nix
    ./lezzo.nix
    ./runas.nix
    ./tailscale.nix
  ];
  time.timeZone = "Europe/Rome";
@ -103,7 +104,9 @@ in {
      ${network.dvr-lan}      dvr.devs.giugl.io
      ${network.nas-lan}      nas.devs.giugl.io
      ${network.router-lan}   manduria.devs.giugl.io
      192.168.1.1           vodafone.station
      # Blacklist
      0.0.0.0                metrics.plex.tv
      0.0.0.0                analytics.plex.tv
--- a/hosts/architect/deluge.nix
+++ b/hosts/architect/deluge.nix
@ -48,6 +48,7 @@ in {
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
    ${network.architect-ts} ${domain}
  '';
  users.groups.media.members = [ "deluge" ];
--- a/hosts/architect/firewall.nix
+++ b/hosts/architect/firewall.nix
@ -15,7 +15,7 @@ let
  # UDP services
  dns_udp = 53;
  wireguard_udp = 1194;
-  
+    
  # TCP/UDP services
  torrent_a = 51413;
  torrent_b = 51414;
@ -35,6 +35,7 @@ let
    wireguard_udp
    torrent_a
    torrent_b
    config.services.tailscale.port
  ];
  open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
    ssh_tcp
@ -86,6 +87,7 @@ in {
                      lib.concatStringsSep "," towan-wg
                    }} masquerade
                    oifname ${wan-if} ip saddr ${docker-net} masquerade
                    oifname ${wan-if} ip saddr ${tailscale-net} masquerade
                  }
                }
@ -101,6 +103,7 @@ in {
                    iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}"
                    iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
                    iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}"
                    iifname ${tailscale-if} ip saddr ${tailscale-net} accept
                    iifname "lo" accept comment "bind any ip to intf lo"
                    jump mangle_drop
                  }
@ -154,11 +157,12 @@ in {
                    ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
                    ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
                    ip saddr ${lan-net} accept comment "lan > local"
        	          ip saddr ${proxy-wg} accept comment "proxy > local"
                    ip saddr {${lib.concatStringsSep "," gdevices-wg}} accept comment "vpn > local"
                    iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
                    iifname ${wan-if} udp dport {${open_udp_ports}} accept
                    iifname ${tailscale-if} tcp dport {${open_tcp_ports_vpn}} accept
                    iifname ${tailscale-if} udp dport {${open_udp_ports_vpn}} accept
                    iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept
                    iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept
                    iifname ${vpn-if} icmp type echo-request accept
@ -189,6 +193,7 @@ in {
                    }} accept
                    oifname ${wan-if} ip saddr ${docker-net} accept
                    oifname ${wan-if} ip saddr ${tailscale-net} accept
                    jump filter_drop
                  }
--- a/hosts/architect/gitea.nix
+++ b/hosts/architect/gitea.nix
@ -34,6 +34,7 @@ in
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
    ${network.architect-ts} ${domain}
  '';
 }
--- a/hosts/architect/home-assistant.nix
+++ b/hosts/architect/home-assistant.nix
@ -62,5 +62,6 @@ in {
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
    ${network.architect-ts} ${domain}
  '';
 }
--- a/hosts/architect/invidious.nix
+++ b/hosts/architect/invidious.nix
@ -22,5 +22,6 @@ in
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
    ${network.architect-ts} ${domain}
  '';
 }
--- a/hosts/architect/jellyfin.nix
+++ b/hosts/architect/jellyfin.nix
@ -51,6 +51,7 @@ in
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
    ${network.architect-ts} ${domain}
  '';
  users.groups.media.members = [ "jellyfin" ];
--- a/hosts/architect/keycloak.nix
+++ b/hosts/architect/keycloak.nix
@ -74,5 +74,6 @@ in {
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
    ${network.architect-ts} ${domain}
  '';
 }
--- a/hosts/architect/lezzo.nix
+++ b/hosts/architect/lezzo.nix
@ -41,5 +41,6 @@ in
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
    ${network.architect-ts} ${domain}
  '';
 }
--- a/hosts/architect/libreddit.nix
+++ b/hosts/architect/libreddit.nix
@ -21,5 +21,6 @@ in
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
    ${network.architect-ts} ${domain}
  '';
 }
--- a/hosts/architect/lidarr.nix
+++ b/hosts/architect/lidarr.nix
@ -26,6 +26,7 @@ in {
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
    ${network.architect-ts} ${domain}
  '';
  users.groups.media.members = [ "lidarr" ];
--- a/hosts/architect/matrix.nix
+++ b/hosts/architect/matrix.nix
@ -145,6 +145,7 @@ in
  networking.extraHosts = ''
    ${network.architect-lan} ${lib.concatStringsSep " " [ domain webui_domain]}
    ${network.architect-wg} ${lib.concatStringsSep " " [ domain webui_domain ]}
    ${network.architect-ts} ${lib.concatStringsSep " " [ domain webui_domain ]}
  '';
 }
--- a/hosts/architect/minecraft.nix
+++ b/hosts/architect/minecraft.nix
@ -16,5 +16,6 @@ in
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
    ${network.architect-ts} ${domain}
  '';
 }
--- a/hosts/architect/minio.nix
+++ b/hosts/architect/minio.nix
@ -26,5 +26,6 @@ in {
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
    ${network.architect-ts} ${domain}
  '';
 }
--- a/hosts/architect/navidrome.nix
+++ b/hosts/architect/navidrome.nix
@ -83,6 +83,7 @@ in {
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
    ${network.architect-ts} ${domain}
  '';
  users.groups.media.members = [ "navidrome" ];
--- a/hosts/architect/network.nix
+++ b/hosts/architect/network.nix
@ -4,6 +4,7 @@ rec {
  vpn-if = "wg0";
  proxy-if = "proxy";
  docker-if = "docker0";
  tailscale-if = "ts0";
  # nets
  lan-net = "10.0.0.0/24";
@ -11,13 +12,14 @@ rec {
  proxy-net = "10.4.0.0/24";
  external_lan-net = "192.168.1.0/24";
  docker-net = "172.17.0.0/16";
  tailscale-net = "100.64.0.0/10";
  # ips
  router-lan = "10.0.0.1";
  dvr-lan = "10.0.0.2";
  nas-lan = "10.0.0.3";
  architect-lan = "10.0.0.250";
  proxy-wg = "10.4.0.1";
  architect-wg = "10.3.0.1";
  giuliopc-wg = "10.3.0.2";
  giuliophone-wg = "10.3.0.3";
@ -54,6 +56,8 @@ rec {
  hotpottino-wg = "10.3.0.201";
  dodino-wg = "10.3.0.202";
  architect-ts = "100.67.205.28";
  # groups
  gdevices-wg =
    [ giuliopc-wg giuliophone-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg;
--- a/hosts/architect/nextcloud.nix
+++ b/hosts/architect/nextcloud.nix
@ -54,6 +54,7 @@ in {
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
    ${network.architect-ts} ${domain}
  '';
  services.nginx.virtualHosts.${domain} = {
--- a/hosts/architect/nitter.nix
+++ b/hosts/architect/nitter.nix
@ -29,5 +29,6 @@ in {
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
    ${network.architect-ts} ${domain}
  '';
 }
--- a/hosts/architect/nzbget.nix
+++ b/hosts/architect/nzbget.nix
@ -26,6 +26,7 @@ in {
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
    ${network.architect-ts} ${domain}
  '';
  users.groups.media.members = [ "nzbget" ];
--- a/hosts/architect/plex.nix
+++ b/hosts/architect/plex.nix
@ -84,6 +84,7 @@ in {
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
    ${network.architect-ts} ${domain}
  '';
  users.groups.media.members = [ "plex" ];
--- a/hosts/architect/prosody.nix
+++ b/hosts/architect/prosody.nix
@ -35,6 +35,7 @@ in {
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
    ${network.architect-ts} ${domain}
  '';
  users.groups = {
--- a/hosts/architect/prowlarr.nix
+++ b/hosts/architect/prowlarr.nix
@ -32,6 +32,7 @@ in {
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
    ${network.architect-ts} ${domain}
  '';
  users.groups.media.members = [ "prowlarr" ];
--- a/hosts/architect/radarr.nix
+++ b/hosts/architect/radarr.nix
@ -26,6 +26,7 @@ in {
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
    ${network.architect-ts} ${domain}
  '';
  users.groups.media.members = [ "radarr" ];
--- a/hosts/architect/runas.nix
+++ b/hosts/architect/runas.nix
@ -41,5 +41,6 @@ in
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
    ${network.architect-ts} ${domain}
  '';
 }
--- a/hosts/architect/sonarr.nix
+++ b/hosts/architect/sonarr.nix
@ -26,6 +26,7 @@ in {
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
    ${network.architect-ts} ${domain}
  '';
  users.groups.media.members = [ "sonarr" ];
--- a/hosts/architect/tailscale.nix
+++ b/hosts/architect/tailscale.nix
@ -0,0 +1,18 @@
 { lib, ... }:
 let
  network = import ./network.nix;
  auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
  ifname = "ts0";
 in rec {
  services = {
    tailscale = {
      enable = true;
      interfaceName = ifname;
    };
  };
  networking.extraHosts = ''
    ${network.architect-ts} architect.devs.giugl.io
  '';
 }
--- a/hosts/architect/transmission.nix
+++ b/hosts/architect/transmission.nix
@ -37,6 +37,7 @@ in {
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
    ${network.architect-ts} ${domain}
  '';
  users.groups.media.members = [ "transmission" ];
Author	SHA1	Message	Date
Giulio De Pasquale	51b714c159	architect: Add manduria.devs.giugl.io name	2023-02-01 21:56:13 +01:00
Giulio De Pasquale	4414011c95	network: Added router-lan	2023-02-01 21:55:55 +01:00
Giulio De Pasquale	1881025faa	architect: Add tailscale IP to hosts for every service	2023-02-01 21:55:32 +01:00
Giulio De Pasquale	d41001dfe7	Update lock	2023-02-01 21:54:20 +01:00
Giulio De Pasquale	79116ae1a7	architect: Added initial support for Tailscale	2023-01-30 09:46:20 +01:00