
3 Commits

Author SHA1 Message Date
Ciapa 2e8996767e Update flake.nix
ci/woodpecker/push/deploy Pipeline failed Details
2024-05-20 15:54:44 +02:00
Ciapa 9c5984ba4f Implement c3moc config 2024-05-20 15:53:55 +02:00
Ciapa 24ea080b34 Install unifi controller 2024-05-04 22:54:00 +02:00
7 changed files with 272 additions and 47 deletions


@ -52,11 +52,11 @@
"utils": "utils"
},
"locked": {
"lastModified": 1711973905,
"narHash": "sha256-UFKME/N1pbUtn+2Aqnk+agUt8CekbpuqwzljivfIme8=",
"lastModified": 1715699772,
"narHash": "sha256-sKhqIgucN5sI/7UQgBwsonzR4fONjfMr9OcHK/vPits=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "88b3059b020da69cbe16526b8d639bd5e0b51c8b",
"rev": "b3ea6f333f9057b77efd9091119ba67089399ced",
"type": "github"
},
"original": {
@ -146,11 +146,11 @@
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1712437997,
"narHash": "sha256-g0whLLwRvgO2FsyhY8fNk+TWenS3jg5UdlWL4uqgFeo=",
"lastModified": 1716061101,
"narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e38d7cb66ea4f7a0eb6681920615dfcc30fc2920",
"rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
"type": "github"
},
"original": {
@ -162,11 +162,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1712608508,
"narHash": "sha256-vMZ5603yU0wxgyQeHJryOI+O61yrX2AHwY6LOFyV1gM=",
"lastModified": 1716137900,
"narHash": "sha256-sowPU+tLQv8GlqtVtsXioTKeaQvlMz/pefcdwg8MvfM=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "4cba8b53da471aea2ab2b0c1f30a81e7c451f4b6",
"rev": "6c0b7a92c30122196a761b440ac0d46d3d9954f1",
"type": "github"
},
"original": {
@ -193,11 +193,11 @@
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1712617241,
"narHash": "sha256-a4hbls4vlLRMciv62YrYT/Xs/3Cubce8WFHPUDWwzf8=",
"lastModified": 1716087663,
"narHash": "sha256-zuSAGlx8Qk0OILGCC2GUyZ58/SJ5R3GZdeUNQ6IS0fQ=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "538c114cfdf1f0458f507087b1dcf018ce1c0c4c",
"rev": "0bf1808e70ce80046b0cff821c019df2b19aabf5",
"type": "github"
},
"original": {


@ -51,16 +51,6 @@
];
};
"oosi.elmosco.lewd.wtf" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit inputs self; };
modules = [
sops-nix.nixosModules.sops
./default.nix
./hosts/seedbox/oosi/configuration.nix
];
};
"kinda.sus.lol" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit inputs self; };
@ -74,8 +64,8 @@
deploy.nodes = {
"phoenix.lewd.wtf" = {
sshOpts = [ "-p" "22" "-o" "StrictHostKeyChecking=no" "-i" ".privkey" ];
hostname = "phoenix.lewd.wtf";
sshOpts = [ "-p" "222" "-o" "StrictHostKeyChecking=no" ];
hostname = "192.168.0.42";
fastConnection = true;
profiles.system = {
@ -87,7 +77,7 @@
};
"aztul.elmosco.lewd.wtf" = {
sshOpts = [ "-p" "22111" "-o" "StrictHostKeyChecking=no" "-i" ".privkey" ];
sshOpts = [ "-p" "22111" "-o" "StrictHostKeyChecking=no" ];
hostname = "aztul.elmosco.lewd.wtf";
fastConnection = true;
@ -100,7 +90,7 @@
};
"rene.elmosco.lewd.wtf" = {
sshOpts = [ "-p" "22113" "-o" "StrictHostKeyChecking=no" "-i" ".privkey" ];
sshOpts = [ "-p" "22113" "-o" "StrictHostKeyChecking=no" ];
hostname = "rene.elmosco.lewd.wtf";
fastConnection = true;
@ -113,7 +103,7 @@
};
"reject.elmosco.lewd.wtf" = {
sshOpts = [ "-p" "22104" "-o" "StrictHostKeyChecking=no" "-i" ".privkey" ];
sshOpts = [ "-p" "22104" "-o" "StrictHostKeyChecking=no" ];
hostname = "reject.elmosco.lewd.wtf";
fastConnection = true;
@ -125,21 +115,8 @@
};
};
"oosi.elmosco.lewd.wtf" = {
sshOpts = [ "-p" "22106" "-o" "StrictHostKeyChecking=no" "-i" ".privkey" ];
hostname = "oosi.elmosco.lewd.wtf";
fastConnection = true;
profiles.system = {
sshUser = "root";
path =
deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations."oosi.elmosco.lewd.wtf";
user = "root";
};
};
"kinda.sus.lol" = {
sshOpts = [ "-p" "22201" "-o" "StrictHostKeyChecking=no" "-i" ".privkey" ];
sshOpts = [ "-p" "22201" "-o" "StrictHostKeyChecking=no" ];
hostname = "kinda.sus.lol";
fastConnection = true;
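Review bot: Every rewritten sshOpts line (L100, L108, L115, L122, L141) still carries `-o StrictHostKeyChecking=no`, so deploy-rs, running as root on the target, accepts whatever host key answers — and the "phoenix.lewd.wtf" node now points at a bare LAN address on a non-default port (L100-L101), where a changed key would be the only sign of reaching the wrong box. Now that the per-node `-i .privkey` paths are gone anyway, this is the moment to pin the hosts instead, e.g. `"-o" "StrictHostKeyChecking=accept-new" "-o" "UserKnownHostsFile=./known_hosts"` with the known_hosts file checked in. The node key "phoenix.lewd.wtf" and `hostname = "192.168.0.42"` now disagree; a one-line comment such as `# LAN-only address; the DNS name is kept as the profile key` would save the next reader a lookup. The deploy.nodes attribute set continues past the end of this hunk.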


@ -0,0 +1,226 @@
{ lib, pkgs, config, ... }:
with lib;
let
cfg = config.c3moc;
in {
options.c3moc = {
enable = mkEnableOption "enable c3moc services";
switchNfs = mkEnableOption "switch nfs config to c3moc one";
};
config = mkIf cfg.enable {
fileSystems = {
"/mnt/zbigdata/c3moc_dropfolder" = {
device = "zbigdata/c3moc_dropfolder";
fsType = "zfs";
};
"/export/c3moc/media" = lib.mkIf cfg.switchNfs {
device = "/mnt/zbigdata/media";
options = [ "bind" ];
};
"/export/c3moc/dropfolder" = lib.mkIf cfg.switchNfs {
device = "/mnt/zbigdata/c3moc_dropfolder";
options = [ "bind" ];
};
};
containers.c3moc = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.69.1";
localAddress = "192.168.69.10";
bindMounts = {
"/home/c3moc/media" = {
hostPath = "/mnt/zbigdata/media";
isReadOnly = true;
};
"/home/c3moc/dropfolder" = {
hostPath = "/mnt/zbigdata/c3moc_dropfolder";
isReadOnly = false;
};
};
config = { config, pkgs, ... }: {
system.stateVersion = "24.05";
networking = {
firewall = {
enable = true;
};
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
users.groups.c3moc = {};
users.users.c3moc = {
group = "c3moc";
password = "c3moc";
isNormalUser = true;
home = "/home/c3moc";
};
# Jellyfin
environment.systemPackages = with pkgs; [
jellyfin-ffmpeg
];
services.jellyfin = {
enable = true;
openFirewall = true;
};
# FTP access
services.vsftpd = {
enable = true;
writeEnable = true;
anonymousUser = true;
anonymousUserNoPassword = true;
anonymousUserHome = "/home/c3moc";
anonymousUploadEnable = true;
anonymousMkdirEnable = true;
anonymousUmask = "000";
};
# SFTP access
services.openssh = {
enable = true;
extraConfig = ''
Match Group c3moc
ChrootDirectory /home
ForceCommand internal-sftp
AllowTcpForwarding no
'';
};
# CIFS access
services.samba = {
enable = true;
openFirewall = true;
extraConfig = ''
workgroup = WORKGROUP
server string = c3moc
netbios name = c3moc
security = user
use sendfile = yes
guest account = nobody
map to guest = bad user
'';
shares = {
c3moc = {
path = "/home/c3moc";
browseable = "yes";
"read only" = "no";
"guest ok" = "yes";
"create mask" = "0777";
"directory mask" = "0777";
"force user" = "c3moc";
"force group" = "c3moc";
};
};
};
};
};
services.nfs.server.exports = mkIf cfg.switchNfs ''
/export (ro,fsid=0,no_subtree_check)
/export/c3moc (ro,nohide,insecure,no_subtree_check)
/export/c3moc/dropfolder (rw,nohide,insecure,no_subtree_check)
'';
networking.nat.forwardPorts = [
# FTP
{
destination = "192.168.69.10:20";
proto = "tcp";
sourcePort = 20;
}
{
destination = "192.168.69.10:21";
proto = "tcp";
sourcePort = 21;
}
# SFTP
{
destination = "192.168.69.10:22";
proto = "tcp";
sourcePort = 22;
}
# SMB
{
destination = "192.168.69.10:137";
proto = "udp";
sourcePort = 137;
}
{
destination = "192.168.69.10:138";
proto = "udp";
sourcePort = 138;
}
{
destination = "192.168.69.10:139";
proto = "tcp";
sourcePort = 139;
}
{
destination = "192.168.69.10:445";
proto = "tcp";
sourcePort = 445;
}
];
# Nginx Stuff
services.nginx = {
virtualHosts."gpn22.c3moc.lol" = {
serverName = "gpn22.c3moc.lol";
enableACME = true;
forceSSL = true;
locations = {
"= /" = {
extraConfig = ''
return 302 https://$host/web/;
'';
};
"/" = {
extraConfig = ''
proxy_pass http://192.168.69.10:8096;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_buffering off;
'';
};
"= /web/" = {
extraConfig = ''
proxy_pass http://192.168.69.10:8096/web/index.html;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_buffering off;
'';
};
"/socket" = {
extraConfig = ''
proxy_pass http://192.168.69.10:8096/socket;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
'';
};
};
};
};
};
}
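Review bot: The container account is created with a literal `password = "c3moc"` (L199), which ends up in the world-readable Nix store, and that same home directory is writable by unauthenticated clients via anonymous FTP (`anonymousUploadEnable = true`, `anonymousUmask = "000"`, L218-L220), SMB guest access (`"guest ok" = "yes"`, `"read only" = "no"`, L249-L250) and an `rw` NFS export of the drop folder with no client list (L263), all reachable through the host's NAT forwards (L265-L304). The flake already loads sops-nix (L87), so the password should move to `hashedPasswordFile` fed from a sops secret, and the NFS lines should name allowed clients the way nfs.nix does for 192.168.0.20 and 192.168.1.39. The anonymous FTP and guest-writable SMB shares look intentional for an event drop folder; say so above `services.vsftpd`, e.g. `# Intentionally anonymous and world-writable: event drop folder` so nobody "hardens" it by accident or, conversely, copies it elsewhere. The forward of sourcePort 22 (L279-L281) hands the host's own SSH port to the container, which presumably is why the deploy port for this host changed to 222 in flake.nix; a comment on that forward would make the coupling explicit.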


@ -8,11 +8,15 @@ let
./hardware-configuration.nix
./networking.nix
./secrets.nix
./c3moc.nix
];
in {
inherit imports;
c3moc.enable = true;
c3moc.switchNfs = true;
boot.loader.systemd-boot.enable = false;
boot.loader.grub = {
enable = true;


@ -6,6 +6,7 @@
interfaces = [
"eno2"
"enp23s0"
"enp23s0d1"
];
};
};
@ -13,19 +14,24 @@
networking.nat = {
enable = true;
internalInterfaces = ["ve-+"];
externalInterface = "wg0";
externalInterface = "br0";
enableIPv6 = true;
};
networking.interfaces.br0.ipv4.addresses = [
{
address = "10.0.69.69";
prefixLength = 16;
}
{
address = "192.168.0.42";
prefixLength = 22;
}
];
networking.defaultGateway = "192.168.0.1";
networking.nameservers = [ "192.168.0.1" ];
networking.defaultGateway = "10.0.0.1";
# networking.defaultGateway = "192.168.0.1";
networking.nameservers = [ "1.1.1.1" ];
networking.firewall.enable = false;
@ -51,6 +57,8 @@
"ip rule add from 192.168.5.0/24 table 2"
# NAT
"${pkgs.iptables}/bin/iptables -I POSTROUTING -t nat -o wg0 -j MASQUERADE"
# c3moc NAT
"${pkgs.iptables}/bin/iptables -I POSTROUTING -t nat -o br0 -j MASQUERADE"
# Port forwarding
"${pkgs.iptables}/bin/iptables -A PREROUTING -t nat -p tcp -i wg0 --dport 51506 -j DNAT --to-destination 192.168.100.11:51506"
];
@ -63,6 +71,8 @@
"ip route del table 2 default dev wg0" +
# NAT
"${pkgs.iptables}/bin/iptables -D POSTROUTING -t nat -o wg0 -j MASQUERADE" +
# c3moc NAT
"${pkgs.iptables}/bin/iptables -D POSTROUTING -t nat -o br0 -j MASQUERADE" +
# Port Forwarding
"${pkgs.iptables}/bin/iptables -D PREROUTING -t nat -p tcp -i wg0 --dport 51506 -j DNAT --to-destination 192.168.100.11:51506"
;
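Review bot: The new manual rule `iptables -I POSTROUTING -t nat -o br0 -j MASQUERADE` (L416, mirrored by the `-D` at L425) has no source match, so every packet the host forwards out br0 — including whatever table 2 routes for 192.168.5.0/24 (L412), not just container traffic — is source-NATed to a br0 address. With `networking.nat.externalInterface = "br0"` and `internalInterfaces = ["ve-+"]` (L390-L392) the NixOS NAT module already masquerades the container interfaces, so the manual rule is likely redundant; if it is needed, scope it: `"${pkgs.iptables}/bin/iptables -I POSTROUTING -t nat -s 192.168.69.0/24 -o br0 -j MASQUERADE"` (same change on the `-D` line). The commented-out `# networking.defaultGateway = "192.168.0.1";` at L408 next to the live `10.0.0.1` should either go or get a why, e.g. `# uplink is now via br0 / 10.0.0.1; 192.168.0.1 is the LAN router`. These hunks sit inside a larger networking attribute set and a shell-string concatenation whose start and end are outside the view.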


@ -1,12 +1,12 @@
{ config, lib, ... }:
{
fileSystems."/export/desktop" = {
services.nfs.server.enable = true;
fileSystems."/export/desktop" = lib.mkIf (!config.c3moc.switchNfs) {
device = "/mnt/zvault/desktop";
options = [ "bind" ];
};
services.nfs.server.enable = true;
services.nfs.server.exports = ''
services.nfs.server.exports = lib.mkIf (!config.c3moc.switchNfs) ''
/export 192.168.0.20(rw,fsid=0,no_subtree_check) 192.168.1.39(ro,nohide,insecure,no_subtree_check,all_squash,anonuid=1000,anongid=1000)
/export/desktop 192.168.0.20(rw,nohide,insecure,no_subtree_check) 192.168.1.39(ro,nohide,insecure,no_subtree_check,all_squash,anonuid=1000,anongid=1000)
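Review bot: `config.c3moc.switchNfs` is read unconditionally at L437 and L443, so any host that imports nfs.nix without also importing c3moc.nix (which declares the option) will fail evaluation with a missing attribute; I cannot see the import graph, so if nfs.nix is shared across hosts, guard it with `lib.mkIf (!(config.c3moc.switchNfs or false))` on both lines or move the option declaration into a module every host loads. The exports string continues past the end of this hunk.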


@ -0,0 +1,8 @@
{ config, pkgs, ... }:
{
services.unifi = {
enable = true;
unifiPackage = pkgs.unifi8;
openFirewall = true;
};
}
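Review bot: `openFirewall = true` (L455) opens the controller's device-inform, STUN and web-admin ports on every interface, so the management UI is reachable from whichever networks this host sits on; if this is the host from networking.nix, whose `networking.firewall.enable = false` (L410) makes the flag moot, a comment stating where the UI is meant to be reachable would help, and otherwise `networking.firewall.interfaces.<lan-iface>.allowedTCPPorts` keeps it off the other interfaces. The `config` argument at L450 is unused and can be dropped.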