

7 commits

10 changed files with 181 additions and 40 deletions


@ -74,14 +74,93 @@ in
}; };
}; };
}; };
# <100 is trusted; =>100 is untrusted.
vlans = {
lan = {
id = 1;
interface = "lan1";
};
servers = {
id = 10;
interface = "lan1";
};
management = {
id = 21;
interface = "lan1";
};
iot = {
id = 100;
interface = "lan1";
};
guest = {
id = 110;
interface = "lan1";
};
};
}; };
services.udev.extraRules = '' services = {
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:47:67:6e", ATTR{type}=="1", NAME="wan0" udev.extraRules = ''
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:47:67:6f", ATTR{type}=="1", NAME="lan0" SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:47:67:6e", ATTR{type}=="1", NAME="wan0"
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:63:0f:80", ATTR{type}=="1", NAME="lan1" SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:47:67:6f", ATTR{type}=="1", NAME="lan0"
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:63:0f:81", ATTR{type}=="1", NAME="lan2" SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:63:0f:80", ATTR{type}=="1", NAME="lan1"
''; SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:63:0f:81", ATTR{type}=="1", NAME="lan2"
'';
dhcpd4 = {
enable = true;
interfaces = [
"lan"
"servers"
"management"
"iot"
"guest"
];
extraConfig = ''
option domain-name-servers 9.9.9.9, 149.112.112.112;
option subnet-mask 255.255.255.0;
subnet 172.16.1.0 netmask 255.255.255.0 {
option broadcast-address 172.16.1.255;
option routers 172.16.1.1;
interface lan;
range 172.16.1.50 172.16.1.254;
}
subnet 172.16.10.0 netmask 255.255.255.0 {
option broadcast-address 172.16.10.255;
option routers 172.16.10.1;
interface servers;
range 172.16.10.50 172.16.10.254;
}
subnet 172.16.21.0 netmask 255.255.255.0 {
option broadcast-address 172.16.21.255;
option routers 172.16.21.1;
interface management;
range 172.16.21.50 172.16.21.254;
}
subnet 172.16.100.0 netmask 255.255.255.0 {
option broadcast-address 172.16.100.255;
option routers 172.16.100.1;
interface iot;
range 172.16.100.50 172.16.100.254;
}
subnet 172.16.110.0 netmask 255.255.255.0 {
option broadcast-address 172.16.110.255;
option routers 172.16.110.1;
interface guest;
range 172.16.110.50 172.16.110.254;
}
'';
};
avahi = {
enable = true;
reflector = true;
interfaces = [
"lan"
"iot"
];
};
};
networking.hostName = "lily"; networking.hostName = "lily";
@ -91,5 +170,7 @@ in
kitty.terminfo kitty.terminfo
tcpdump tcpdump
dnsutils dnsutils
bind
ethtool
]; ];
} }
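Review bot: In the new `avahi` block, `reflector = true` with `interfaces = [ "lan" "iot" ]` reflects mDNS in both directions across the boundary that the comment on the `vlans` block labels trusted (<100) vs untrusted (>=100), so IoT devices can both advertise services into the trusted LAN and enumerate what the LAN advertises. That is presumably intended (discovering IoT devices from lan), but it only stays contained if the forwarding/firewall rules, which are not in this hunk, let only lan initiate toward iot; that dependency deserves a comment such as `# Reflects mDNS lan<->iot; relies on the forward rules only permitting lan -> iot.`. `services.dhcpd4` wraps ISC dhcpd, which is end-of-life upstream and which I believe recent nixpkgs releases deprecate in favour of `services.kea`, so check the pinned channel before building on it. Handing out dynamic leases on the management VLAN (`172.16.21.50 172.16.21.254`) also means anything plugged into VLAN 21 gets an address; static reservations there would match the "trusted" intent better.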


@ -1,4 +1,4 @@
{ lib, ... }: { lib, config, ... }:
{ {
services.openssh = { services.openssh = {
enable = true; enable = true;
@ -11,6 +11,8 @@
}; };
}; };
networking.firewall.allowedTCPPorts = [ config.services.openssh.ports ];
users.users.liv.openssh.authorizedKeys.keys = [ users.users.liv.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGXi00z/rxVrWLKgYr+tWIsbHsSQO75hUMSTThNm5wUw liv@sakura" # main laptop "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGXi00z/rxVrWLKgYr+tWIsbHsSQO75hUMSTThNm5wUw liv@sakura" # main laptop
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2nsQHyWnrmuQway0ehoMUcYYfhD8Ph/vpD0Tzip1b1 liv@meow" # main phone "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2nsQHyWnrmuQway0ehoMUcYYfhD8Ph/vpD0Tzip1b1 liv@meow" # main phone


@ -1,8 +1,15 @@
{ lib, config, pkgs, ... }: { {
lib,
config,
pkgs,
...
}:
{
services = { services = {
nginx.virtualHosts."share.liv.town" = { nginx.virtualHosts."share.liv.town" = {
useACMEHost = "liv.town";
forceSSL = true; forceSSL = true;
sslCertificate = "/var/lib/acme/liv.town/cert.pem";
sslCertificateKey = "/var/lib/acme/liv.town/key.pem";
locations."/" = { locations."/" = {
proxyPass = "http://localhost:53842"; proxyPass = "http://localhost:53842";
}; };
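Review bot: Replacing `useACMEHost = "liv.town";` with literal `sslCertificate`/`sslCertificateKey` paths drops what that option wires up besides the file names: as far as I recall the nginx module, the unit is no longer ordered after the cert's `acme-finished` target and the cert's renewal no longer triggers an nginx reload, so after the first renewal nginx keeps serving the expired-to-be certificate until something else restarts it. If `useACMEHost` was removed to work around a permission error, the usual fix is on the cert side (`group = config.services.nginx.group`, as the acme module already does for quack.social); otherwise restore `useACMEHost = "liv.town";` and delete the two path lines. If the explicit paths must stay, at least add `security.acme.certs."liv.town".reloadServices = [ "nginx.service" ];` so renewals are picked up. The same substitution is made in the grafana, invidious, ntfy and quack.social vhosts in this range.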


@ -11,8 +11,9 @@
}; };
nginx.virtualHosts.${config.services.grafana.domain} = { nginx.virtualHosts.${config.services.grafana.domain} = {
useACMEHost = "liv.town";
forceSSL = true; forceSSL = true;
sslCertificate = "/var/lib/acme/liv.town/cert.pem";
sslCertificateKey = "/var/lib/acme/liv.town/key.pem";
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}"; proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
proxyWebsockets = true; proxyWebsockets = true;


@ -1,11 +1,11 @@
{ config, ... }: { { config, ... }:
{
services.immich = { services.immich = {
enable = true; enable = true;
port = 2283; port = 2283;
}; };
# services.nginx.virtualHosts."" = { # services.nginx.virtualHosts."" = {
# enableACME = true;
# forceSSL = true; # forceSSL = true;
# locations."/" = { # locations."/" = {
# proxyPass = "http://localhost:${toString config.services.immich.port}"; # proxyPass = "http://localhost:${toString config.services.immich.port}";


@ -12,7 +12,8 @@
virtualHosts = { virtualHosts = {
"video.liv.town" = { "video.liv.town" = {
forceSSL = true; forceSSL = true;
enableACME = true; sslCertificate = "/var/lib/acme/liv.town/cert.pem";
sslCertificateKey = "/var/lib/acme/liv.town/key.pem";
locations."/".proxyPass = "http://127.0.0.1:${toString config.services.invidious.port}"; locations."/".proxyPass = "http://127.0.0.1:${toString config.services.invidious.port}";
}; };
}; };


@ -26,8 +26,6 @@
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
9001 9001
22
9123 # always also allow ssh :screaming:
]; ];
}; };
} }


@ -1,4 +1,11 @@
{ pkgs, config, lib, ... }: { {
pkgs,
config,
lib,
...
}:
{
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults.email = lib.mkDefault "ahwx@ahwx.org"; defaults.email = lib.mkDefault "ahwx@ahwx.org";
@ -10,7 +17,15 @@
dnsProvider = "desec"; dnsProvider = "desec";
environmentFile = "/home/liv/desec.env"; # location of your DESEC_TOKEN=[value] environmentFile = "/home/liv/desec.env"; # location of your DESEC_TOKEN=[value]
webroot = null; webroot = null;
}; };
"quack.social" = {
domain = "*.quack.social";
extraDomainNames = [ "quack.social" ];
group = config.services.nginx.group;
dnsProvider = "desec";
environmentFile = "/home/liv/desec.env"; # location of your DESEC_TOKEN=[value]
webroot = null;
};
}; };
}; };
@ -22,8 +37,42 @@
recommendedProxySettings = true; recommendedProxySettings = true;
clientMaxBodySize = lib.mkDefault "10G"; clientMaxBodySize = lib.mkDefault "10G";
defaultListen =
let
listen = [
{
addr = "[::]";
port = 80;
extraParameters = [ "proxy_protocol" ];
}
{
addr = "[::]";
port = 443;
ssl = true;
extraParameters = [ "proxy_protocol" ];
}
];
in
map (x: (x // { addr = "0.0.0.0"; })) listen ++ listen;
# Hardened TLS and HSTS preloading # Hardened TLS and HSTS preloading
appendHttpConfig = '' appendHttpConfig = ''
# Proxying
# real_ip_header proxy_protocol;
server {
listen 80 proxy_protocol;
listen 443 ssl proxy_protocol;
# set_real_ip_from 10.7.0.0/24;
}
ssl_certificate /var/lib/acme/quack.social/cert.pem;
ssl_certificate_key /var/lib/acme/quack.social/key.pem;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
# Add HSTS header with preloading to HTTPS requests. # Add HSTS header with preloading to HTTPS requests.
# Do not add HSTS header to HTTP requests. # Do not add HSTS header to HTTP requests.
map $scheme $hsts_header { map $scheme $hsts_header {
@ -49,5 +98,24 @@
add_header pronouns "any but neopronouns"; add_header pronouns "any but neopronouns";
add_header locale "[en_US, nl_NL]"; add_header locale "[en_US, nl_NL]";
''; '';
appendConfig = ''
# https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
# set_real_ip_from 213.210.34.27;
# real_ip_header proxy_protocol;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $proxy_protocol_addr;
# proxy_set_header X-Forwarded-For $proxy_protocol_addr;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-Host $host;
# proxy_set_header X-Forwarded-Server $host;
'';
};
networking.firewall = {
allowedTCPPorts = [
80
443
];
}; };
} }
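Review bot: The new `defaultListen` entries accept PROXY protocol on `0.0.0.0`/`[::]` ports 80 and 443, which the added `networking.firewall` block opens to everyone, while `set_real_ip_from` stays commented out and `X-Real-IP`/`X-Forwarded-For` are filled from `$proxy_protocol_addr`. Any client that connects directly and prepends its own PROXY header therefore picks the source address the backends see for rate limiting, bans and logs. Enable the realip module for the fronting proxy only — `set_real_ip_from <proxy address>;` and `real_ip_header proxy_protocol;` (the address commented out in `appendConfig` looks like the intended one) — and send `$remote_addr` in the two `proxy_set_header` lines instead of `$proxy_protocol_addr`, so connections from anywhere else keep their real address; ideally also restrict 80/443 at the firewall to that proxy. Separately, the deSEC token `environmentFile` for the new `quack.social` cert lives in `/home/liv/`, where it has to be readable by the `acme` user; a DNS-API token that can issue certificates for the whole zone belongs in a root-owned, mode-0400 file outside a home directory (or a secrets module), with a comment noting who must read it.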


@ -2,7 +2,8 @@ let
hostname = "notify.liv.town"; hostname = "notify.liv.town";
port = 2586; port = 2586;
url = "https://" + hostname; url = "https://" + hostname;
in { in
{
services = { services = {
ntfy-sh = { ntfy-sh = {
enable = true; enable = true;
@ -16,8 +17,9 @@ in {
}; };
}; };
nginx.virtualHosts.${hostname} = { nginx.virtualHosts.${hostname} = {
useACMEHost = "liv.town";
forceSSL = true; forceSSL = true;
sslCertificate = "/var/lib/acme/liv.town/cert.pem";
sslCertificateKey = "/var/lib/acme/liv.town/key.pem";
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString port}"; proxyPass = "http://127.0.0.1:${toString port}";
proxyWebsockets = true; proxyWebsockets = true;


@ -2,8 +2,9 @@
{ {
services = { services = {
nginx.virtualHosts."quack.social" = { nginx.virtualHosts."quack.social" = {
enableACME = true;
forceSSL = true; forceSSL = true;
sslCertificate = "/var/lib/acme/quack.social/cert.pem";
sslCertificateKey = "/var/lib/acme/quack.social/key.pem";
locations."/" = { locations."/" = {
proxyPass = "http://localhost:3000"; proxyPass = "http://localhost:3000";
proxyWebsockets = true; proxyWebsockets = true;
@ -16,26 +17,6 @@
''; '';
}; };
locations."/files/" = {
proxyPass = "http://localhost:3000";
proxyWebsockets = true;
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $remote_addr;
# Try cache?
# proxy_cache sharkey;
# proxy_cache_path /var/cache/nginx/sharkey levels=1:2 keys_zone=sharkey:15m;
# proxy_cache_lock on;
# proxy_cache_use_stale updating;
# proxy_force_ranges on;
# add_header X-Cache $upstream_cache_status;
'';
};
locations."/wiki/" = { locations."/wiki/" = {
# Nepenthis # Nepenthis
proxyPass = "http://localhost:8893"; proxyPass = "http://localhost:8893";