
Update greatyamada config

This commit is contained in:
Avery 2025-06-21 15:42:06 +02:00
parent 5c4921895e
commit 97bf3bb177
Signed by: Avery
GPG key ID: B684FD451B692E04
22 changed files with 556 additions and 212 deletions


@ -1,20 +1,17 @@
{
adguardhome-dns = 53;
adguardhome-http = 3001;
coturn-turn = 3478;
coturn-turn-alt = 3479;
coturn-minimum = 49192;
coturn-maximum = 49200;
adguardhome-dhcp-udp = 67;
forgejo-http = 3000;
jellyfin-http = 8096;
matrix-http = 8008;
matrix-https = 8448;
matrix-bridges-http = 8088;
mautrix-whatsapp = 29318;
minecraft = 13914;
navidrome-https = 4533;
nginx-https = 443;
ntfy-http = 2586;
pgadmin = 5050;
postgresql = 5432;
radicale-http = 5232;
searxng = 8888;
wireguard = 51820;
vaultwarden = 8222;
}


@ -2,18 +2,13 @@
security.acme = {
acceptTerms = true;
defaults.email = "aveeryy@protonmail.com";
# Temporarily use staging server for testing
defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
certs."rcia.dev" = {
credentialFiles.CLOUDFLARE_DNS_API_TOKEN_FILE =
"/run/secrets/cloudflare_api_token";
credentialFiles.CLOUDFLARE_DNS_API_TOKEN_FILE = "/run/secrets/acme_token";
extraDomainNames = [ "*.rcia.dev" ];
dnsProvider = "cloudflare";
group = "nginx";
webroot = null;
};
};
sops.secrets."cloudflare/api_token" = {
path = "/run/secrets/cloudflare_api_token";
group = "acme";
};
sops.secrets."acme_token".group = "acme";
}
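Review bot: The staging directory on L51, commented as temporary, decides whether any vhost in this commit serves a browser-trusted certificate, since every one of them sets `forceSSL` and `useACMEHost = "rcia.dev"`; the rendered view does not mark which side of the hunk L50-L51 are on, so if they survive, the staging-issued `rcia.dev`/`*.rcia.dev` certificate is rejected by every client. If the line is meant to stay while testing, a comment giving the condition for switching back (and who owns that switch) is better than "Temporarily"; otherwise drop both lines so `defaults.server` falls back to production. For the new `acme_token` secret (L55, L66), DNS-01 for this single zone only needs a token scoped to DNS edit on that zone, and keeping it separate from the `cloudflare/api_token` used by inadyn means a leak of one does not expose the other. The file header is outside the hunk, so I can't see whether `lib` is available here.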


@ -3,18 +3,21 @@ let
portDefinitions = import ./_port-definitions.nix;
nginxLocalServiceConfig = import ./nginx-local-config.nix;
in {
networking.firewall.allowedTCPPorts = [ portDefinitions.adguardhome-dns ];
networking.firewall.allowedUDPPorts = [ portDefinitions.adguardhome-dns ];
networking.firewall = {
allowedTCPPorts = [ portDefinitions.adguardhome-dns ];
allowedUDPPorts =
[ portDefinitions.adguardhome-dns portDefinitions.adguardhome-dhcp-udp ];
};
services = {
adguardhome = {
enable = true;
allowDHCP = true;
port = portDefinitions.adguardhome-http;
mutableSettings = true;
port = portDefinitions.adguardhome-http;
settings = {
http = {
address = "127.0.0.1:${toString portDefinitions.adguardhome-http}";
session_ttl = "1440h";
session_ttl = "720h";
};
dns = {
bind_hosts = [ "0.0.0.0" ];
@ -38,9 +41,231 @@ in {
icmp_timeout_msec = 1000;
};
};
filtering = {
safe_search.enabled = false;
filtering_enabled = true;
parental_enabled = false;
safebrowsing_enabled = false;
protection_enabled = true;
cache_time = 30;
filters_update_interval = 24;
rewrites = [
{
domain = "rcia.dev";
answer = "10.0.0.1";
}
{
domain = "*.rcia.dev";
answer = "10.0.0.1";
}
];
};
clients = {
runtime_sources = {
whois = true;
arp = true;
rdns = true;
dhcp = true;
hosts = true;
};
persistent = [
{
name = "Decodificador";
ids = [ "10.0.0.200" ];
tags = [ "device_tv" ];
upstreams = [ "172.26.23.3" ];
use_global_settings = true;
}
{
name = "Poco X3";
ids = [ "10.0.0.202" ];
tags = [ "device_phone" ];
use_global_settings = false;
filtering_enabled = false;
}
{
name = "Tablet Samsung";
ids = [ "10.0.0.201" ];
tags = [ "device_tablet" ];
use_global_settings = false;
filtering_enabled = false;
}
];
};
filters = [
{
enabled = true;
url =
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt";
name = "AdGuard DNS filter";
id = 1;
}
{
enabled = true;
url =
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt";
name = "AdAway Default Blocklist";
id = 2;
}
{
enabled = true;
url =
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_23.txt";
name = "WindowsSpyBlocker - Hosts spy rules";
id = 1687062393;
}
{
enabled = true;
url =
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_6.txt";
name = "Dandelion Sprout's Game Console Adblock List";
id = 1687062394;
}
{
enabled = true;
url =
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_30.txt";
name = "Phishing URL Blocklist (PhishTank and OpenPhish)";
id = 1687062395;
}
{
enabled = true;
url =
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_7.txt";
name = "Perflyst and Dandelion Sprout's Smart-TV Blocklist";
id = 1687062396;
}
{
enabled = true;
url =
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_12.txt";
name = "Dandelion Sprout's Anti-Malware List";
id = 1687062397;
}
{
enabled = true;
url =
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_10.txt";
name = "Scam Blocklist by DurableNapkin";
id = 1687062398;
}
{
enabled = true;
url =
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_9.txt";
name = "The Big List of Hacked Malware Web Sites";
id = 1687062399;
}
{
enabled = true;
url =
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_33.txt";
name = "Steven Black's List";
id = 1687062400;
}
{
enabled = true;
url =
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_4.txt";
name = "Dan Pollock's List";
id = 1687062401;
}
{
enabled = true;
url =
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_11.txt";
name = "Malicious URL Blocklist (URLHaus)";
id = 1687062402;
}
{
enabled = true;
url =
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_3.txt";
name = "Peter Lowe's Blocklist";
id = 1687062403;
}
{
enabled = true;
url =
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_32.txt";
name = "The NoTracking blocklist";
id = 1687062404;
}
{
enabled = true;
url =
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_31.txt";
name = "Stalkerware Indicators List";
id = 1694924469;
}
{
enabled = true;
url =
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_44.txt";
name = "HaGeZi's Threat Intelligence Feeds";
id = 1694924470;
}
{
enabled = true;
url =
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_8.txt";
name = "NoCoin Filter List";
id = 1694924471;
}
];
user_rules = [
"||www.googleadservices.com^$important"
"||rdvs.alljoyn.org^$important"
"||safebrowsing.google.com^$client='10.0.0.28'"
"||fm.nvc.heil.nuancemobility.net^$client='10.0.0.230'"
"@@||npdl.cdn.nintendowifi.net^$important"
"||tse3.mm.bing.net^$important"
"@@||repo.webosbrew.org^$important"
"||es.lgeapi.com^$important"
"||discovery.meethue.com^$important"
"||eic.lgtviot.com^$important"
"||qs2-nevoai-iothub-02-prod.azure-devices.net^$important"
"||snu.lge.com^$important"
"||su.lge.com^$important"
"||su-ssl.lge.com^$important"
"||snu-dev.lge.com^$important"
"||su-dev.lge.com^$important"
"||nsu.lge.com^$important"
"||eic.commonpush.lgtviot.com^$important"
"||eic.sports.lgtviot.com^$important"
"||es.lgtvsdp.com^$important"
"||prod-ripcut-delivery.disney-plus.net^$client='TV'"
"||ngfts.lge.com^$important"
"||lgtvonline.lge.com^$important"
"||www.ueiwsp.com^$important"
"||temu.com^$important"
"||www.temu.com^$important"
"@@||unity3d.com^$client='10.0.0.7'"
"@@||config.ads.vungle.com^$client='10.0.0.7'"
"@@||rayjump.com^$client='10.0.0.7'"
"@@||vungle.com^$client='10.0.0.7'"
"@@||mtgglobals.com^$client='10.0.0.7'"
"@@||fundingchoicesmessages.google.com^$client='10.0.0.7'"
"@@||applovin.com^$client='10.0.0.7'"
"@@||rovio.com^$client='10.0.0.7'"
"@@||gov.aniview.com^$client='10.0.0.7'"
"@@||unity3d.com^$client='10.10.0.3'"
"@@||config.ads.vungle.com^$client='10.10.0.3'"
"@@||rayjump.com^$client='10.10.0.3'"
"@@||vungle.com^$client='10.10.0.3'"
"@@||mtgglobals.com^$client='10.10.0.3'"
"@@||fundingchoicesmessages.google.com^$client='10.10.0.3'"
"@@||googleads.g.doubleclick.net^$client='10.10.0.3'"
"@@||applovin.com^$client='10.10.0.3'"
"@@||rovio.com^$client='10.10.0.3'"
"@@||gov.aniview.com^$client='10.10.0.3'"
"@@||cdn.liftoff-creatives.io^$client='10.0.0.7'"
"||googleads.g.doubleclick.net^$client='Tablet'"
];
};
};
nginx.virtualHosts."dns.rcia.dev" = {
forceSSL = true;
locations."/".proxyPass =
"http://127.0.0.1:${toString portDefinitions.adguardhome-http}";
extraConfig = nginxLocalServiceConfig;
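Review bot: The rewritten firewall block (L77-L81) opens 53/tcp, 53/udp and 67/udp on every interface while `dns.bind_hosts` stays `[ "0.0.0.0" ]` (L96); `enp5s0` is the NAT `externalInterface` in wireguard.nix, so if that interface faces the internet this is an open resolver and an externally reachable DHCP server. Scoping the rule to the LAN interface via `networking.firewall.interfaces.<lan>.allowedUDPPorts` (and the matching TCP list) keeps the same service for local clients. In the second hunk, the large `filters`/`user_rules` lists are declared next to `mutableSettings = true` (L87); whether these declarations or later web-UI edits win depends on how the module merges `settings` in that mode, so a one-line comment stating which is the source of truth would save the next person from checking. The `services` attrset continues past the hunk.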


@ -1,13 +1,17 @@
{ ... }: {
imports = [
./acme.nix
./adguardhome.nix
./forgejo.nix
./inadyn.nix
./jellyfin.nix
./minecraft
# ./minecraft
./nginx.nix
./pgadmin.nix
./postgresql.nix
./radicale.nix
./searxng.nix
./vaultwarden.nix
./wireguard.nix
];
# paperlessngx


@ -1,14 +1,10 @@
{ pkgs, ... }:
{ pkgs, lib, ... }:
let
forgejoSecretsPath = "/run/secrets/forgejo_";
portDefinitions = import ./_port-definitions.nix;
arrayToSecrets = elements:
builtins.listToAttrs (map (key: {
name = "forgejo/${key}";
value = {
path = "${forgejoSecretsPath}${key}";
owner = "forgejo";
};
value.owner = "forgejo";
}) elements);
in {
services = {
@ -18,15 +14,17 @@ in {
database = {
type = "postgres";
port = portDefinitions.postgresql;
passwordFile = "${forgejoSecretsPath}database_password";
passwordFile = "/run/secrets/forgejo/database_password";
};
secrets = {
server.LFS_JWT_SECRET = "${forgejoSecretsPath}lfs_jwt_secret";
server.LFS_JWT_SECRET =
lib.mkForce "/run/secrets/forgejo/lfs_jwt_secret";
security = {
INTERNAL_TOKEN = "${forgejoSecretsPath}internal_token";
SECRET_KEY = "${forgejoSecretsPath}secret_key";
INTERNAL_TOKEN = lib.mkForce "/run/secrets/forgejo/internal_token";
SECRET_KEY = lib.mkForce "/run/secrets/forgejo/secret_key";
};
oauth2.JWT_SECRET = "${forgejoSecretsPath}oauth2_jwt_secret";
oauth2.JWT_SECRET =
lib.mkForce "/run/secrets/forgejo/oauth2_jwt_secret";
};
settings = {
server = {
@ -43,12 +41,13 @@ in {
locations."/" = {
proxyPass = "http://127.0.0.1:${toString portDefinitions.forgejo-http}";
};
forceSSL = true;
useACMEHost = "rcia.dev";
};
};
systemd.services.forgejo.preStart = ''
${pkgs.forgejo}/bin/gitea migrate
'';
# systemd.services.forgejo.preStart = ''
# ${pkgs.forgejo}/bin/gitea migrate
# '';
sops.secrets = arrayToSecrets [
"database_password"
"internal_token"
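Review bot: The `lib.mkForce` on the four secret paths (L380-L390) records no reason, and the `/run/secrets/forgejo/<name>` paths are now spelled out by hand while `arrayToSecrets` (L360-L368) builds the matching secret names, so a reader has to verify the two stay in sync by eye. I'm inferring from the need for `mkForce` that the module assigns its own default paths to these options; a comment above `secrets = {` such as `# mkForce: override the module's default secret paths with the sops-managed files` would make that explicit (confirm against the module). The commented-out `gitea migrate` preStart (L405-L407) likewise lacks a note on whether migrations now run elsewhere or were found unnecessary. The `sops.secrets` list continues past the hunk.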


@ -1,10 +1,19 @@
{ config, ... }: {
services.inadyn = {
enable = true;
provider."cloudflare.com" = {
settings.provider."cloudflare.com" = {
hostname = [ "rcia.dev" "*.rcia.dev" ];
username = "rcia.dev";
password = "${config.sops.placeholder.cloudflare.api_key}";
include = config.sops.templates."inadyn-password.conf".path;
};
};
sops = {
secrets."cloudflare/api_token" = { };
templates."inadyn-password.conf" = {
content = ''
password = ${config.sops.placeholder."cloudflare/api_token"}
'';
owner = "inadyn";
};
};
}


@ -1,21 +1,14 @@
{ ... }:
let
jellyfinPath = "/mnt/Datos/jellyfin";
nginxLocalServiceConfig = import ./nginx-local-config.nix;
portDefinitions = import ./_port-definitions.nix;
let portDefinitions = import ./_port-definitions.nix;
in {
services = {
jellyfin = {
enable = true;
dataDir = "${jellyfinPath}/data/";
};
jellyfin.enable = true;
nginx.virtualHosts."jellyfin.rcia.dev" = {
locations."/" = {
proxyPass =
"http://127.0.0.1:${toString portDefinitions.jellyfin-http}";
};
extraConfig = nginxLocalServiceConfig;
locations."/".proxyPass =
"http://127.0.0.1:${toString portDefinitions.jellyfin-http}";
forceSSL = true;
useACMEHost = "rcia.dev";
};
};
users.users.jellyfin.extraGroups = [ "media" ];
}
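Review bot: The rewritten `jellyfin.rcia.dev` vhost (L453-L463) drops `extraConfig = nginxLocalServiceConfig` together with its `let` binding, while every other proxied service in this commit (adguardhome, pgadmin, searxng, vaultwarden, radicale) keeps it; if `nginx-local-config.nix` is the client-restriction snippet its name suggests, Jellyfin becomes the one service reachable without it. If that exposure is intended, for example for remote streaming, a one-line comment inside the vhost saying so stops the next reviewer from re-adding it; otherwise restore `extraConfig = nginxLocalServiceConfig;` and the binding `nginxLocalServiceConfig = import ./nginx-local-config.nix;`.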


@ -1,10 +1,16 @@
{ ... }: {
networking.firewall.allowedTCPPorts = [ 443 ];
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
virtualHosts = {
"rcia.dev" = {
forceSSL = true;
enableACME = true;
# enableACME = true;
useACMEHost = "rcia.dev";
serverAliases = [ "*.rcia.dev" ];
# locations."/" = { root = /var/www/public; };
};
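Review bot: `networking.firewall.allowedTCPPorts = [ 443 ]` (L472) is the only place in this commit that opens a port by literal number; adguardhome.nix and wireguard.nix go through `./_port-definitions.nix`, which already carries `nginx-https = 443`, so `portDefinitions.nginx-https` here keeps the port inventory in one file. The commented `enableACME = true;` (L483) can be deleted now that `useACMEHost` replaces it, so it does not read as a pending toggle. The vhost set continues past the hunk.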


@ -0,0 +1,21 @@
{ ... }:
let
_portDefinitions = import ./_port-definitions.nix;
nginxLocalConfig = import ./nginx-local-config.nix;
in {
services = {
pgadmin = {
enable = true;
initialEmail = "avery@rcia.dev";
initialPasswordFile = "/etc/nixos/a.txt";
port = _portDefinitions.pgadmin;
};
nginx.virtualHosts."pgadmin.rcia.dev" = {
locations."/".proxyPass =
"http://localhost:${toString _portDefinitions.pgadmin}";
forceSSL = true;
useACMEHost = "rcia.dev";
extraConfig = nginxLocalConfig;
};
};
}
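Review bot: `initialPasswordFile = "/etc/nixos/a.txt"` (L501) reads the pgAdmin admin password from a plain file under `/etc/nixos`, which is world-readable on a default install and is normally the checked-in configuration tree, while searxng.nix and vaultwarden.nix in this same commit route their credentials through `sops.secrets`/`sops.templates`. Declaring a secret (e.g. `sops.secrets."pgadmin_initial_password" = { };`, with `owner` set to whatever user the module's start-up reads it as) and pointing `initialPasswordFile` at `config.sops.secrets."pgadmin_initial_password".path` keeps it consistent; the file header would then need `config`. Two smaller points: `_portDefinitions` is named unlike the `portDefinitions` used everywhere else, and `proxyPass` uses `http://localhost:` (L506, and vaultwarden.nix L641) where the other vhosts use `127.0.0.1`; nginx resolves `localhost` to both loopback addresses, so a backend bound only to IPv4 produces sporadic upstream errors.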


@ -1,8 +1,11 @@
{ ... }:
{ config, pkgs, ... }:
let portDefinitions = import ./_port-definitions.nix;
in {
services.postgresql = {
enable = true;
package = pkgs.postgresql_16;
dataDir =
"/mnt/ssd-01/postgresql/${config.services.postgresql.package.psqlSchema}";
settings.port = portDefinitions.postgresql;
};
}


@ -2,7 +2,6 @@
let
nginxLocalServiceConfig = import ./nginx-local-config.nix;
portDefinitions = import ./_port-definitions.nix;
radicalePath = "/mnt/Datos/radicale";
in {
services = {
radicale = {
@ -12,10 +11,9 @@ in {
[ "127.0.0.1:${toString portDefinitions.radicale-http}" ];
auth = {
type = "htpasswd";
htpasswd_filename = "/etc/radicale/users";
htpasswd_filename = "/var/lib/radicale/users";
htpasswd_encryption = "bcrypt";
};
storage.filesystem_folder = radicalePath;
};
};
nginx.virtualHosts."radicale.rcia.dev" = {
@ -23,12 +21,13 @@ in {
proxyPass =
"http://127.0.0.1:${toString portDefinitions.radicale-http}";
};
extraConfig = nginxLocalServiceConfig;
forceSSL = true;
useACMEHost = "rcia.dev";
extraConfig = nginxLocalServiceConfig;
};
};
sops.secrets."radicale/users" = {
path = "/etc/radicale/users";
path = "/var/lib/radicale/users";
owner = "radicale";
};
}
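Review bot: The htpasswd file moves into `/var/lib/radicale/users` (L545, L564), which is the service's own state directory and therefore writable by the `radicale` user if the module uses `StateDirectory` as I'd expect; a compromised radicale process could then swap out its own credential file (sops-nix installs a custom `path` as a symlink into `/run/secrets.d`, as far as I know, so the symlink rather than the target is what becomes replaceable). Leaving `path` unset so the secret lands at the sops default `/run/secrets/radicale/users` with `owner = "radicale"` keeps it readable by the service but not writable, matching how the wireguard and forgejo hunks now rely on default paths, e.g. `htpasswd_filename = "/run/secrets/radicale/users";`. The file header is outside the hunk, so I can't see whether `config` is available to reference the secret's `.path` instead.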


@ -0,0 +1,46 @@
{ config, pkgs, ... }:
let
portDefinitions = import ./_port-definitions.nix;
nginxLocalServiceConfig = import ./nginx-local-config.nix;
in {
services = {
searx = {
enable = true;
package = pkgs.searxng;
environmentFile = config.sops.templates."searxng_secret_key.env".path;
redisCreateLocally = true;
# runInUwsgi = true;
# uwsgiConfig = {
# socket = "/run/searx/searxng.sock";
# http = ":${toString portDefinitions.searxng}";
# chmod-socket = "660";
# };
settings = {
base_url = "https://searxng.rcia.dev";
bind_address = "127.0.0.1";
port = portDefinitions.searxng;
public_instance = false;
limiter = false;
};
};
nginx.virtualHosts."searxng.rcia.dev" = {
locations."/".proxyPass =
"http://127.0.0.1:${toString portDefinitions.searxng}";
extraConfig = nginxLocalServiceConfig;
forceSSL = true;
useACMEHost = "rcia.dev";
};
};
sops = {
secrets."searxng_secret_key".owner = "searx";
templates."searxng_secret_key.env" = {
content = ''
SEARXNG_SECRET=${config.sops.placeholder."searxng_secret_key"}
'';
owner = "searx";
};
};
systemd.services.nginx.serviceConfig.ProtectHome = false;
users.groups.searx.members = [ "nginx" ];
}
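Review bot: `systemd.services.nginx.serviceConfig.ProtectHome = false;` (L614) and `users.groups.searx.members = [ "nginx" ];` (L615) only serve the uwsgi unix-socket setup that is commented out at L583-L588; with `bind_address = "127.0.0.1"` and `proxyPass` over TCP (L598-L599), nginx never touches a searx socket or its files. Both lines loosen the nginx unit for every vhost on the host (ProtectHome is part of the module's default hardening, as far as I recall), so either drop them together with the uwsgi block or, if the socket setup is coming back, keep the block and the two lines under one comment saying so. A line on why `limiter = false` is acceptable would also help; `public_instance = false` plus the local-only `extraConfig` is presumably the reasoning.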


@ -0,0 +1,36 @@
{ config, ... }:
let
portDefinitions = import ./_port-definitions.nix;
nginxLocalServiceConfig = import ./nginx-local-config.nix;
in {
services = {
vaultwarden = {
enable = true;
dbBackend = "postgresql";
config = {
domain = "https://vaultwarden.rcia.dev";
rocketAddress = "127.0.0.1";
rocketPort = portDefinitions.vaultwarden;
showPasswordHint = false;
signupsAllowed = false;
};
environmentFile = config.sops.templates."vaultwarden.env".path;
};
nginx.virtualHosts."vaultwarden.rcia.dev" = {
locations."/".proxyPass =
"http://localhost:${toString portDefinitions.vaultwarden}";
forceSSL = true;
useACMEHost = "rcia.dev";
extraConfig = nginxLocalServiceConfig;
};
};
sops = {
secrets."vaultwarden_database_url" = { };
templates."vaultwarden.env" = {
content = ''
DATABASE_URL=${config.sops.placeholder."vaultwarden_database_url"}
'';
owner = "vaultwarden";
};
};
}


@ -1,34 +1,36 @@
{ ... }:
{ pkgs, ... }:
let portDefinitions = import ./_port-definitions.nix;
in {
networking = {
nat = {
enable = true;
externalInterface = "enp5s0";
internalInterfaces = [ "wg0" ];
};
firewall.allowedUDPPorts = [ portDefinitions.wireguard ];
wireguard = {
enable = true;
interfaces.wg0 = {
ips = [ "10.10.0.1/24" ];
listenPort = portDefinitions.wireguard;
peers = [{
allowedIPs = [ "10.10.0.2/32" ];
name = "Note9";
name = "Pixel9a";
publicKey = "Y5A5iv0ukg1TQMcIdtXd+bmDxtrqHCuoEhYRmBqwkFY=";
presharedKeyFile = "/run/secrets/preshared_keys_note9";
presharedKeyFile = "/run/secrets/wireguard/preshared_keys/note9";
}];
postSetup =
"iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE";
postShutdown =
"iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp5s0 -j MASQUERADE";
privateKeyFile = "/run/secrets/wg_private_key";
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o enp5s0 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.10.0.0/24 -o enp5s0 -j MASQUERADE
'';
privateKeyFile = "/run/secrets/wireguard/private_key";
};
};
};
sops.secrets = {
"wireguard/private_key" = {
path = "/run/secrets/wg_private_key";
owner = "root";
};
"wireguard/preshared_keys/note9" = {
path = "/run/secrets/preshared_keys_note9";
owner = "root";
};
"wireguard/private_key" = { owner = "root"; };
"wireguard/preshared_keys/note9" = { owner = "root"; };
};
}
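Review bot: The peer is renamed from `Note9` to `Pixel9a` (L680) but keeps the same `publicKey` (L681) and the `preshared_keys/note9` secret (L683, L710); if this is a new handset rather than a relabel, a fresh keypair and PSK for it avoids carrying the old device's credentials forward, and if it is only a relabel, the secret's name should follow the peer's. The hand-written MASQUERADE in `postSetup`/`postShutdown` (L690-L695) duplicates what `networking.nat` with `internalInterfaces = [ "wg0" ]` (L665-L670) already installs for traffic leaving `enp5s0`, as far as I know, so one of the two can go; and if the host ever moves to the nftables firewall backend, the raw iptables calls silently stop matching. Dropping the blanket `FORWARD -j ACCEPT` rules of the old version is a good tightening; a comment stating that forwarding is now left to the nat module would make that intent explicit and is worth a quick reachability test from the peer.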