Luj/snowfield
1
0
Fork 0
mirror of https://github.com/JulienMalka/snowfield.git synced 2025-03-31 17:20:53 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'main' of github.com:JulienMalka/nix-config

Browse source
This commit is contained in:
Julien Malka 2022-05-10 07:01:39 +02:00
commit bc47b08d6e
Signed by: Luj
GPG key ID: 6FC74C847011FD83
8 changed files with 79 additions and 97 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
base.nix
View file

@ -31,4 +31,32 @@
environment.variables.EDITOR = "nvim";
security.pki.certificates = [
''-----BEGIN CERTIFICATE-----
MIIByzCCAXKgAwIBAgIQAcJCOR+99m5v3dHWQw5m9jAKBggqhkjOPQQDAjAwMRIw
EAYDVQQKEwlTYXVtb25OZXQxGjAYBgNVBAMTEVNhdW1vbk5ldCBSb290IENBMB4X
DTIyMDQyNDIwMDE1MFoXDTMyMDQyMTIwMDE1MFowODESMBAGA1UEChMJU2F1bW9u
TmV0MSIwIAYDVQQDExlTYXVtb25OZXQgSW50ZXJtZWRpYXRlIENBMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAE5Sk6vYJcYlh4aW0vAN84MWr84TTVTTdsM2s8skH6
7fDsqNMb7FMwUMEAFwQRiADjYy3saU2Dogh2ESuB1dDFFqNmMGQwDgYDVR0PAQH/
BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFO5iTfZiutpsM7ja
mP3yuMIy6iNTMB8GA1UdIwQYMBaAFBWOQHe4eAeothQTmTNKiG/pAowGMAoGCCqG
SM49BAMCA0cAMEQCICu8u19I7RMfnQ7t3QXHP5fdUm/fX/puqF+jYSf9SZEoAiBc
oVcd0OfuAExWHhOMUZ0OV4bws9WCax333I+Pg4nDNw==
-----END CERTIFICATE-----''
''-----BEGIN CERTIFICATE-----
MIIBpTCCAUqgAwIBAgIRALevKnnElllot/cRNGjnUqUwCgYIKoZIzj0EAwIwMDES
MBAGA1UEChMJU2F1bW9uTmV0MRowGAYDVQQDExFTYXVtb25OZXQgUm9vdCBDQTAe
Fw0yMjA0MjQyMDAxNDlaFw0zMjA0MjEyMDAxNDlaMDAxEjAQBgNVBAoTCVNhdW1v
bk5ldDEaMBgGA1UEAxMRU2F1bW9uTmV0IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggq
hkjOPQMBBwNCAAQG356Ui437dBTSOiJILKjVkwrJMsXN3eba/T1N+IJeqRBfigo7
BW9YZfs1xIbMZ5wL0Zc/DsSEo5xCC7j4YaXro0UwQzAOBgNVHQ8BAf8EBAMCAQYw
EgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUFY5Ad7h4B6i2FBOZM0qIb+kC
jAYwCgYIKoZIzj0EAwIDSQAwRgIhALdsEqiRa4ak5Cnin6Tjnel5uOiHSjoC6LKf
VfXtULncAiEA2gmqdr+ugFz5tvPdKwanroTiMTUMhhCRYVlQlyTApyQ=
-----END CERTIFICATE-----''];
}

48
flake.lock generated
View file

@ -19,11 +19,11 @@
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1648199409,
"narHash": "sha256-JwPKdC2PoVBkG6E+eWw3j6BMR6sL3COpYWfif7RVb8Y=",
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "64a525ee38886ab9028e6f61790de0832aa3ef03",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
@ -54,11 +54,11 @@
]
},
"locked": {
"lastModified": 1648917498,
"narHash": "sha256-fdyVHsP6XeyCk9FRyjV6Wv+7qiOzWxykGXdNixadvyg=",
"lastModified": 1651886851,
"narHash": "sha256-kbXOJSf1uho0/7P54nZkJdJY3oAelIjyc6tfiRhaXJI=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "cfab869fcebc56710be6ec3aca76036b25c04a0d",
"rev": "882bd8118bdbff3a6e53e5ced393932b351ce2f6",
"type": "github"
},
"original": {
@ -93,11 +93,11 @@
},
"locked": {
"dir": "contrib",
"lastModified": 1648949219,
"narHash": "sha256-gJrYhdeC7wuNMWJtILUqm+FjzaBock+RHhgMCHL6IwQ=",
"lastModified": 1652071951,
"narHash": "sha256-jg/O2yBPJ/xR6hKZI4zPJlz8mKjdgKQcqQmBeY9n2js=",
"owner": "neovim",
"repo": "neovim",
"rev": "6786b6afade97771027fda3c1438969def320cc5",
"rev": "dbdd58e548fcf55848359b696275fd848756db7b",
"type": "github"
},
"original": {
@ -116,11 +116,11 @@
]
},
"locked": {
"lastModified": 1648973670,
"narHash": "sha256-MJNofHXSKFMGwHe4P4zE+u/4wijTOEABg2dQ82Uj4xI=",
"lastModified": 1652084226,
"narHash": "sha256-WH2x3RJ0s3d48jA0GeIEhhhyG9e4rEmtxh0JIONCVVU=",
"owner": "nix-community",
"repo": "neovim-nightly-overlay",
"rev": "89d60799d43d847d7a88a8485e96731d1fe2d685",
"rev": "6ad5194b7229f5d3b6db529844fa194e9e8b61f7",
"type": "github"
},
"original": {
@ -131,11 +131,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1648965846,
"narHash": "sha256-xaO0KS+sgZLYrhaQNjVe6eRcOUIM1mEkAjT+dRbPblU=",
"lastModified": 1652020977,
"narHash": "sha256-9hDlNbrxzD/pLlXmoQ6gzxbYiSAKrj7uHYUWNByLFlI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "0aac710801aec4ba545527cf41a5706028fe6271",
"rev": "3c5ae9be1f18c790ea890ef8decbd0946c0b4c04",
"type": "github"
},
"original": {
@ -177,11 +177,11 @@
},
"nur": {
"locked": {
"lastModified": 1649009781,
"narHash": "sha256-dmv0fFFdpVxuviWqeb2X2/Tvx/ItUZNFKeaMakHppdM=",
"lastModified": 1652113343,
"narHash": "sha256-/oWymhWXVJvctnaplziyZP9DlNIdn6K6TX/PjosO1ZE=",
"owner": "nix-community",
"repo": "NUR",
"rev": "42e253bf9ae7d494c1fe6fb346dbb19b324d4dd3",
"rev": "405e40de38a8f2c6929fec436c01450b373912fe",
"type": "github"
},
"original": {
@ -233,11 +233,11 @@
]
},
"locked": {
"lastModified": 1647279403,
"narHash": "sha256-ZsHfMah9+TElcjaENsaOIFHBNNtSbXmyLFVbiJiAECs=",
"lastModified": 1649756291,
"narHash": "sha256-KTll8bCINAzIUGaaMrbn9wb5nfhkXRLgmFrWGR/Dku0=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "c01f48b055ac776f9831c9d4a0fff83e3b74dbe3",
"rev": "c2614c4fe61943b3d280ac1892fcebe6e8eaf8c8",
"type": "github"
},
"original": {
@ -248,11 +248,11 @@
},
"unstable": {
"locked": {
"lastModified": 1648632716,
"narHash": "sha256-kCmnDeiaMsdhfnNKjxdOzwRh2H6eQb8yWAL+nNabC/Y=",
"lastModified": 1651726670,
"narHash": "sha256-dSGdzB49SEvdOJvrQWfQYkAefewXraHIV08Vz6iDXWQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "710fed5a2483f945b14f4a58af2cd3676b42d8c8",
"rev": "c777cdf5c564015d5f63b09cc93bef4178b19b01",
"type": "github"
},
"original": {

7
lib/default.nix
View file

@ -35,6 +35,7 @@ in
htpdate = prev.pkgs.callPackage ../packages/htpdate { };
authelia = prev.pkgs.callPackage ../packages/authelia { };
paperless-ng = prev.pkgs.callPackage ../packages/paperless-ng { };
tailscale = prev.unstable.tailscale;
})
inputs.neovim-nightly-overlay.overlay
];
@ -57,14 +58,14 @@ in
mkVPNSubdomain = name: port: {
luj.nginx.enable = true;
security.acme.certs."${name}.luj".server = "https://ca.luj:8443/acme/acme/directory";
services.nginx.virtualHosts."${name}.luj" = {
sslCertificate = "/etc/nginx/certs/${name}.luj/cert.pem";
sslCertificateKey = "/etc/nginx/certs/${name}.luj/key.pem";
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:${toString port}";
extraConfig = ''
allow 10.100.0.0/24;
allow 100.10.10.0/8;
deny all;
'';
};

1
lib/luj.nix
View file

@ -21,6 +21,7 @@ lib: with lib; let
_module.freeformType = with types; attrs;
domain = "julienmalka.me";
internalDomain = "luj";
machines = {
lisa = {

83
machines/lisa/default.nix
View file

@ -51,6 +51,14 @@
};
# make the tailscale command usable to users
environment.systemPackages = [ pkgs.tailscale ];
# enable the tailscale service
services.tailscale.enable = true;
nix.maxJobs = lib.mkDefault 4;
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
@ -69,7 +77,14 @@
prefixLength = 120;
}];
networking.nameservers = [ "10.100.0.2" ];
networking.nameservers = [ "100.127.245.71" "9.9.9.9" ];
environment.etc."resolv.conf" = with lib; with pkgs; {
source = writeText "resolv.conf" ''
${concatStringsSep "\n" (map (ns: "nameserver ${ns}") config.networking.nameservers)}
options edns0
'';
};
networking.hostId = "fbb334ae";
services.zfs.autoSnapshot.enable = true;
services.zfs.autoScrub.enable = true;
@ -77,77 +92,13 @@
system.stateVersion = "21.11";
networking.firewall = {
allowedUDPPorts = [ 51820 ];
};
networking.nat.enable = true;
networking.nat.externalInterface = "ens20";
networking.nat.internalInterfaces = [ "wg0" ];
networking.wireguard.interfaces = {
wg0 = {
ips = [ "10.100.0.1/24" ];
listenPort = 51820;
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens20 -j MASQUERADE
'';
# This undoes the above command
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens20 -j MASQUERADE
'';
privateKeyFile = "/root/wg-private";
peers = [
{
allowedIPs = [ "10.100.0.2/32" ];
publicKey = "WQoOWKT6VFn9p8vyLdI1n8tg8IRX1t7tCWXOa1zcHRU=";
}
{
allowedIPs = [ "10.100.0.3/32" ];
publicKey = "Pp4dQhhdokqYD1JBh+HLoqBbC+FEs64qzXHWfXyu2VE=";
}
{
allowedIPs = [ "10.100.0.4/32" ];
publicKey = "1d10sX645HAbXeXbvAs2zgjsoYgfg7d2UCQV1xKoY3s=";
}
{
allowedIPs = [ "10.100.0.5/32" ];
publicKey = "3BlHbLcL05UObnlIWrC/TMjZKdxrH8HTm8h0xxzAWA8=";
}
{
allowedIPs = [ "10.100.0.6/32" ];
publicKey = "ifMWTkMWpjibnthrRNPtfp2xcgqGQGng3XieVO7Lvzg=";
}
{
allowedIPs = [ "10.100.0.7/32" ];
publicKey = "TAIP4faPBx6gk1cifC6fdfIP6slo1ir+HMVKxQXBejo=";
}
{
allowedIPs = [ "10.100.0.8/32" ];
publicKey = "EmWRWnZfr60ekm4ZLdwa6gXU6V3p39p6tWOZ03dL+DA=";
}
{
allowedIPs = [ "10.100.0.9/32" ];
publicKey = "z85y4nc+7O7t2I4VqP0SAKJOD46PlkXoEPiuGOBS+SI=";
}
{
allowedIPs = [ "10.100.0.10/32" ];
publicKey = "SJ9tflQps1kssFsgVGLhqSSVKNPDspd+5xVMSu/aqk4=";
}
];
};
};
services.nginx.virtualHosts."jellyfin.mondon.me" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://10.100.0.4";
proxyPass = "http://100.74.49.77";
};
};

5
modules/homer/default.nix
View file

@ -12,9 +12,10 @@ in
{
luj.nginx.enable = true;
security.acme.certs."home.luj".server = "https://ca.luj:8443/acme/acme/directory";
services.nginx.virtualHosts."home.luj" = {
sslCertificate = "/etc/nginx/certs/home.luj/cert.pem";
sslCertificateKey = "/etc/nginx/certs/home.luj/key.pem";
enableACME = true;
forceSSL = true;
root = "/srv/homer/";
};

2
users/julien.nix
View file

@ -11,7 +11,7 @@
openssh.authorizedKeys.keyFiles = [
(pkgs.fetchurl {
url = "https://github.com/JulienMalka.keys";
sha256 = "sha256-/i6WOEWBfXnRln9r6GCznoc47UzN+jInkWjTSqNafHI=";
sha256 = "sha256-ZTQpJO5/z/RIzvNpLBHv2GyCn8cvWsN5Hx3pd6s7RYY=";
})
];
};

2
users/status.nix
View file

@ -8,7 +8,7 @@
openssh.authorizedKeys.keyFiles = [
(pkgs.fetchurl {
url = "https://github.com/JulienMalka.keys";
sha256 = "sha256-/i6WOEWBfXnRln9r6GCznoc47UzN+jInkWjTSqNafHI=";
sha256 = "sha256-ZTQpJO5/z/RIzvNpLBHv2GyCn8cvWsN5Hx3pd6s7RYY=";
})
];
};