bryan/nixos
0
0
Fork 0
mirror of https://github.com/itme-brain/nixos.git synced 2026-05-08 14:50:12 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: bryan:357db9eaa4bb6a01fe54c29872d1530dd3ca3c8c
Branches Tags
bryan:master
bryan:wip/tv
..
compare: bryan:6af94e54d5cd5c8d616232006ac318c4b1054d8f
Branches Tags
bryan:master
bryan:wip/tv

No commits in common. "357db9eaa4bb6a01fe54c29872d1530dd3ca3c8c" and "6af94e54d5cd5c8d616232006ac318c4b1054d8f" have entirely different histories.
357db9eaa4 ... 6af94e54d5

9 changed files with 16 additions and 154 deletions
Download patch file Download diff file Expand all files Collapse all files

2
flake.nix
View file

@ -27,7 +27,7 @@
}; };
}; };
outputs = { self, nixpkgs, nixpkgs-unstable, nur, ... }@inputs: outputs = { nixpkgs, nixpkgs-unstable, nur, ... }@inputs:
let let
mkPkgs = system: import nixpkgs { mkPkgs = system: import nixpkgs {
inherit system; inherit system;

5
system/machines/server/modules/frigate/default.nix
View file

@ -7,7 +7,6 @@ let
domain = "ramos.codes"; domain = "ramos.codes";
user = config.sops.placeholder."RTSP_USER"; user = config.sops.placeholder."RTSP_USER";
pass = config.sops.placeholder."RTSP_PASS"; pass = config.sops.placeholder."RTSP_PASS";
privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") nginx.privateAllowCidrs + "\ndeny all;";
in in
{ {
@ -240,13 +239,9 @@ in
services.nginx.virtualHosts."frigate.${domain}" = mkIf nginx.enable { services.nginx.virtualHosts."frigate.${domain}" = mkIf nginx.enable {
useACMEHost = domain; useACMEHost = domain;
forceSSL = true; forceSSL = true;
locations."/" = {
extraConfig = privateAccessRules;
};
locations."/go2rtc/" = { locations."/go2rtc/" = {
proxyPass = "http://127.0.0.1:1984/"; proxyPass = "http://127.0.0.1:1984/";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = privateAccessRules;
}; };
}; };

2
system/machines/server/modules/immich/default.nix
View file

@ -6,7 +6,6 @@ let
nginx = config.modules.system.nginx; nginx = config.modules.system.nginx;
domain = "ramos.codes"; domain = "ramos.codes";
port = 2283; port = 2283;
privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") nginx.privateAllowCidrs + "\ndeny all;";
in in
{ {
@ -52,7 +51,6 @@ in
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString port}"; proxyPass = "http://127.0.0.1:${toString port}";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = privateAccessRules;
}; };
}; };
}; };

28
system/machines/server/modules/nginx/default.nix
View file

@ -4,23 +4,11 @@ with lib;
let let
cfg = config.modules.system.nginx; cfg = config.modules.system.nginx;
domain = "ramos.codes"; domain = "ramos.codes";
privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") cfg.privateAllowCidrs + "\ndeny all;";
in in
{ {
options.modules.system.nginx = { options.modules.system.nginx = {
enable = mkEnableOption "Nginx Reverse Proxy"; enable = mkEnableOption "Nginx Reverse Proxy";
privateAllowCidrs = mkOption {
type = types.listOf types.str;
default = [
"192.168.0.0/24"
"10.8.0.0/24"
];
description = ''
CIDR ranges allowed to access private vhosts (LAN + WireGuard).
'';
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -40,12 +28,25 @@ in
}; };
}; };
services.sslh = {
enable = true;
listenAddresses = [ "0.0.0.0" ];
port = 443;
settings = {
protocols = [
{ name = "ssh"; host = "127.0.0.1"; port = "22"; }
{ name = "tls"; host = "127.0.0.1"; port = "4443"; }
];
};
};
services.nginx = { services.nginx = {
enable = true; enable = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
eventsConfig = "worker_connections 4096;"; eventsConfig = "worker_connections 4096;";
defaultSSLListenPort = 4443;
# Catch-all default - friendly error for unknown subdomains # Catch-all default - friendly error for unknown subdomains
virtualHosts."_" = { virtualHosts."_" = {
@ -77,7 +78,6 @@ in
locations."/" = { locations."/" = {
proxyPass = "http://192.168.0.23:3080"; proxyPass = "http://192.168.0.23:3080";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = privateAccessRules;
}; };
}; };
@ -87,7 +87,6 @@ in
locations."/" = { locations."/" = {
proxyPass = "http://192.168.0.23:8000"; proxyPass = "http://192.168.0.23:8000";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = privateAccessRules;
}; };
}; };
@ -97,7 +96,6 @@ in
locations."/" = { locations."/" = {
proxyPass = "http://192.168.0.23:8188"; proxyPass = "http://192.168.0.23:8188";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = privateAccessRules;
}; };
}; };
}; };

5
system/machines/server/modules/sandpack/default.nix
View file

@ -4,7 +4,6 @@ with lib;
let let
cfg = config.modules.system.sandpack; cfg = config.modules.system.sandpack;
domain = "ramos.codes"; domain = "ramos.codes";
privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") config.modules.system.nginx.privateAllowCidrs + "\ndeny all;";
staticBrowserServer = pkgs.stdenvNoCC.mkDerivation (finalAttrs: let staticBrowserServer = pkgs.stdenvNoCC.mkDerivation (finalAttrs: let
pnpm = pkgs.pnpm_10; pnpm = pkgs.pnpm_10;
@ -98,8 +97,6 @@ in
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:4333"; proxyPass = "http://127.0.0.1:4333";
extraConfig = '' extraConfig = ''
${privateAccessRules}
add_header Access-Control-Allow-Origin "*" always; add_header Access-Control-Allow-Origin "*" always;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
add_header Access-Control-Allow-Headers "Content-Type, Authorization" always; add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;
@ -119,8 +116,6 @@ in
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:4324"; proxyPass = "http://127.0.0.1:4324";
extraConfig = '' extraConfig = ''
${privateAccessRules}
add_header Access-Control-Allow-Origin "*" always; add_header Access-Control-Allow-Origin "*" always;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
add_header Access-Control-Allow-Headers "Content-Type, Authorization" always; add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;

3
system/machines/server/modules/webdav/default.nix
View file

@ -4,7 +4,6 @@ with lib;
let let
cfg = config.modules.system.webdav; cfg = config.modules.system.webdav;
domain = "ramos.codes"; domain = "ramos.codes";
privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") config.modules.system.nginx.privateAllowCidrs + "\ndeny all;";
in in
{ {
@ -51,8 +50,6 @@ in
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:8090"; proxyPass = "http://127.0.0.1:8090";
extraConfig = '' extraConfig = ''
${privateAccessRules}
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

106
system/machines/server/modules/wireguard/default.nix
View file

@ -1,106 +0,0 @@
{ pkgs, lib, config, ... }:
with lib;
let
cfg = config.modules.system.wireguard;
in
{
options.modules.system.wireguard = {
enable = mkEnableOption "WireGuard VPN";
address = mkOption {
type = types.str;
default = "10.8.0.1/24";
description = "WireGuard interface address with CIDR";
};
subnet = mkOption {
type = types.str;
default = "10.8.0.0/24";
description = "WireGuard subnet used for peer allocations";
};
listenPort = mkOption {
type = types.port;
default = 51820;
description = "WireGuard UDP listen port";
};
privateKeyFile = mkOption {
type = types.str;
default = "/var/lib/wireguard/server.key";
description = "Path to WireGuard server private key";
};
peers = mkOption {
type = types.listOf (types.submodule ({ ... }: {
options = {
publicKey = mkOption {
type = types.str;
description = "Peer public key";
};
allowedIPs = mkOption {
type = types.listOf types.str;
description = "Allowed IPs for peer, usually a single /32";
};
presharedKeyFile = mkOption {
type = types.nullOr types.str;
default = null;
description = "Optional preshared key file";
};
persistentKeepalive = mkOption {
type = types.nullOr types.int;
default = 25;
description = "Persistent keepalive interval seconds";
};
};
}));
default = [ ];
description = "WireGuard peers";
};
};
config = mkIf cfg.enable {
networking.firewall.allowedUDPPorts = [ cfg.listenPort ];
networking.nat.internalInterfaces = mkAfter [ "wg0" ];
systemd.tmpfiles.rules = [
"d /var/lib/wireguard 0700 root root -"
];
systemd.services.wireguard-generate-key = {
description = "Generate WireGuard server key if missing";
before = [ "wireguard-wg0.service" ];
wantedBy = [ "wireguard-wg0.service" ];
serviceConfig = {
Type = "oneshot";
};
path = with pkgs; [ wireguard-tools coreutils ];
script = ''
set -euo pipefail
if [ ! -s "${cfg.privateKeyFile}" ]; then
umask 077
wg genkey | tee "${cfg.privateKeyFile}" | wg pubkey > /var/lib/wireguard/server.pub
elif [ ! -s /var/lib/wireguard/server.pub ]; then
umask 077
wg pubkey < "${cfg.privateKeyFile}" > /var/lib/wireguard/server.pub
fi
'';
};
networking.wireguard.interfaces.wg0 = {
ips = [ cfg.address ];
listenPort = cfg.listenPort;
privateKeyFile = cfg.privateKeyFile;
peers = map (peer: {
inherit (peer) publicKey allowedIPs;
presharedKeyFile = peer.presharedKeyFile;
persistentKeepalive = peer.persistentKeepalive;
}) cfg.peers;
};
};
}

16
system/machines/server/system.nix
View file

@ -19,15 +19,6 @@
frigate.enable = true; frigate.enable = true;
immich.enable = true; immich.enable = true;
webdav.enable = false; webdav.enable = false;
wireguard = {
enable = true;
peers = [
{
publicKey = "HRFsVXn3jeqKQLQIl0cB6KC/qia7M1gQf2lqG5HDxF8=";
allowedIPs = [ "10.8.0.2/32" ];
}
];
};
# bitcoin = { # bitcoin = {
# enable = true; # enable = true;
# electrum.enable = true; # electrum.enable = true;
@ -181,7 +172,7 @@
cache-size = 1000; cache-size = 1000;
# Camera network DHCP (isolated - no gateway = no internet) # Camera network DHCP (isolated - no gateway = no internet)
interface = [ "enp2s0f1" "wg0" ]; interface = "enp2s0f1";
bind-interfaces = true; bind-interfaces = true;
dhcp-range = "192.168.1.100,192.168.1.200,24h"; dhcp-range = "192.168.1.100,192.168.1.200,24h";
@ -194,11 +185,6 @@
}; };
}; };
systemd.services.dnsmasq = {
after = [ "wireguard-wg0.service" ];
wants = [ "wireguard-wg0.service" ];
};
services.fail2ban = { services.fail2ban = {
enable = true; enable = true;
maxretry = 5; maxretry = 5;

3
user/modules/utils/dev/default.nix
View file

@ -3,14 +3,13 @@
with lib; with lib;
let let
cfg = config.modules.user.utils.dev; cfg = config.modules.user.utils.dev;
in in
{ options.modules.user.utils.dev = { enable = mkEnableOption "user.utils.dev"; }; { options.modules.user.utils.dev = { enable = mkEnableOption "user.utils.dev"; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
home.packages = with pkgs; [ home.packages = with pkgs; [
unstable.claude-code unstable.claude-code
unstable.codex unstable.codex
unstable.opencode
bubblewrap bubblewrap
nix-init nix-init