motiejus/config
1
Fork 0
Code Packages Releases Activity

open up samba

Browse Source
This commit is contained in:
Motiejus Jakštys 2023-09-12 16:08:08 +03:00
parent e61944dfde
commit 2dd8cda85a
11 changed files with 35 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
data.nix
View File

@ -89,20 +89,22 @@ rec {
# copied from nixpkgs/lib/attrsets.nix # copied from nixpkgs/lib/attrsets.nix
attrVals = nameList: set: map (x: set.${x}) nameList; attrVals = nameList: set: map (x: set.${x}) nameList;
motiejus_ips = let subnets = {
tailscale = {
cidr = "100.89.176.0/20";
range = "100.89.176.0-100.89.191.255";
sshPattern = "100.89.176.?"; # until we have more hosts
};
motiejus.cidrs = let
mHosts = mHosts =
attrVals [ attrVals [
"mxp10.motiejus.jakst" "mxp10.motiejus.jakst"
"fwmine.motiejus.jakst" "fwmine.motiejus.jakst"
] ]
hosts; hosts;
in in builtins.catAttrs "jakstIP" mHosts;
builtins.catAttrs "jakstIP" mHosts;
tailscale_subnet = { vno1.cidr = "192.168.189.0/24";
cidr = "100.89.176.0/20";
range = "100.89.176.0-100.89.191.255";
pattern = "100.89.176.?"; # until we have more hosts
}; };
jakstysLTZone = let jakstysLTZone = let

8
hosts/vno1-oh2/configuration.nix
View File

@ -145,7 +145,7 @@
services = { services = {
friendlyport.ports = [ friendlyport.ports = [
{ {
subnets = [myData.tailscale_subnet.cidr]; subnets = [myData.subnets.tailscale.cidr];
tcp = [ tcp = [
80 80
443 443
@ -165,7 +165,7 @@
headscale = { headscale = {
enable = true; enable = true;
clientOidcPath = config.age.secrets.headscale-client-oidc.path; clientOidcPath = config.age.secrets.headscale-client-oidc.path;
subnetCIDR = myData.tailscale_subnet.cidr; subnetCIDR = myData.subnets.tailscale.cidr;
}; };
nsd-acme = let nsd-acme = let
@ -242,13 +242,13 @@
} }
''; '';
virtualHosts."grafana.jakstys.lt".extraConfig = '' virtualHosts."grafana.jakstys.lt".extraConfig = ''
@denied not remote_ip ${myData.tailscale_subnet.cidr} @denied not remote_ip ${myData.subnets.tailscale.cidr}
abort @denied abort @denied
reverse_proxy 127.0.0.1:3000 reverse_proxy 127.0.0.1:3000
tls {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-key.pem tls {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-key.pem
''; '';
virtualHosts."bitwarden.jakstys.lt".extraConfig = '' virtualHosts."bitwarden.jakstys.lt".extraConfig = ''
@denied not remote_ip ${myData.tailscale_subnet.cidr} @denied not remote_ip ${myData.subnets.tailscale.cidr}
abort @denied abort @denied
tls {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-key.pem tls {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-key.pem

2
modules/base/default.nix
View File

@ -36,7 +36,7 @@
mj.services.friendlyport.ports = [ mj.services.friendlyport.ports = [
{ {
subnets = [myData.tailscale_subnet.cidr]; subnets = [myData.subnets.tailscale.cidr];
tcp = [config.services.iperf3.port]; tcp = [config.services.iperf3.port];
} }
]; ];

5
modules/base/sshguard/default.nix
View File

@ -16,10 +16,7 @@
enable = true; enable = true;
blocktime = 900; blocktime = 900;
whitelist = whitelist =
[ ["192.168.0.0/16" myData.subnets.tailscale.cidr]
"192.168.0.0/16"
myData.tailscale_subnet.cidr
]
++ (lib.catAttrs "publicIP" (lib.attrValues myData.hosts)); ++ (lib.catAttrs "publicIP" (lib.attrValues myData.hosts));
}; };
}; };

2
modules/services/deployerbot/default.nix
View File

@ -97,7 +97,7 @@
createHome = true; createHome = true;
uid = uidgid; uid = uidgid;
openssh.authorizedKeys.keys = let openssh.authorizedKeys.keys = let
restrictedPubKey = "from=\"${myData.tailscale_subnet.pattern}\" " + publicKey; restrictedPubKey = "from=\"${myData.subnets.tailscale.sshPattern}\" " + publicKey;
in [restrictedPubKey]; in [restrictedPubKey];
}; };
}; };

8
modules/services/jakstpub/default.nix
View File

@ -2,6 +2,7 @@
config, config,
lib, lib,
pkgs, pkgs,
myData,
... ...
}: { }: {
options.mj.services.jakstpub = with lib.types; { options.mj.services.jakstpub = with lib.types; {
@ -49,7 +50,10 @@
unitConfig.Requires = requires; unitConfig.Requires = requires;
}; };
# WIP ports mj.services.friendlyport.ports = [{
#friendlyport.vpn.ports = [ 13 subnets = with myData.subnets; [tailscale.cidr vno1.cidr];
tcp = [ 139 445 ];
udp = [ 137 138 ];
}];
}; };
} }

2
modules/services/node_exporter/default.nix
View File

@ -29,7 +29,7 @@
mj.services.friendlyport.ports = [ mj.services.friendlyport.ports = [
{ {
subnets = [myData.tailscale_subnet.cidr]; subnets = [myData.subnets.tailscale.cidr];
tcp = [myData.ports.exporters.node]; tcp = [myData.ports.exporters.node];
} }
]; ];

2
modules/services/postfix/default.nix
View File

@ -20,7 +20,7 @@
"127.0.0.1/8" "127.0.0.1/8"
"[::ffff:127.0.0.0]/104" "[::ffff:127.0.0.0]/104"
"[::1]/128" "[::1]/128"
myData.tailscale_subnet.cidr myData.subnets.tailscale.cidr
]; ];
hostname = "${config.networking.hostName}.${config.networking.domain}"; hostname = "${config.networking.hostName}.${config.networking.domain}";
relayHost = "smtp.sendgrid.net"; relayHost = "smtp.sendgrid.net";

2
modules/services/snmp_exporter/default.nix
View File

@ -12,7 +12,7 @@
config = lib.mkIf config.mj.services.snmp_exporter.enable { config = lib.mkIf config.mj.services.snmp_exporter.enable {
mj.services.friendlyport.ports = [ mj.services.friendlyport.ports = [
{ {
subnets = [myData.tailscale_subnet.cidr]; subnets = [myData.subnets.tailscale.cidr];
tcp = [config.services.prometheus.exporters.snmp.port]; tcp = [config.services.prometheus.exporters.snmp.port];
} }
]; ];

2
modules/services/syncthing/default.nix
View File

@ -16,7 +16,7 @@ in {
config = lib.mkIf config.mj.services.syncthing.enable { config = lib.mkIf config.mj.services.syncthing.enable {
mj.services.friendlyport.ports = [ mj.services.friendlyport.ports = [
{ {
subnets = myData.motiejus_ips; subnets = myData.subnets.motiejus.cidrs;
tcp = [8384]; tcp = [8384];
} }
]; ];