noah/dotfiles
1
0
Fork 0
mirror of https://github.com/nmasur/dotfiles synced 2024-10-19 03:49:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: noah:22cba9acac6933c17b1949ce804bdd948ad8f031
Branches Tags
noah:master
noah:eblume-mole
noah:language-checks
noah:keyd-2.4.3
noah:sway
noah:nixosmodules
noah:unfree-predicate-by-pkgs
noah:darwin-ssl
noah:begin-nixos
noah:begin-nix
noah:neovim-lua
noah:pre-nix
noah:legacy
..
compare: noah:b07a8f5e20e45f6c513f6c91e00b1444984e9f72
Branches Tags
noah:master
noah:eblume-mole
noah:language-checks
noah:keyd-2.4.3
noah:sway
noah:nixosmodules
noah:unfree-predicate-by-pkgs
noah:darwin-ssl
noah:begin-nixos
noah:begin-nix
noah:neovim-lua
noah:pre-nix
noah:legacy

No commits in common. "22cba9acac6933c17b1949ce804bdd948ad8f031" and "b07a8f5e20e45f6c513f6c91e00b1444984e9f72" have entirely different histories.
22cba9acac ... b07a8f5e20

6 changed files with 54 additions and 119 deletions
Show Stats Expand all files Collapse all files

1
hosts/swan/default.nix
View File

@ -53,7 +53,6 @@ inputs.nixpkgs.lib.nixosSystem {
dotfiles.enable = true;
arrs.enable = true;
services.bind.enable = true;
services.caddy.enable = true;
services.jellyfin.enable = true;
services.nextcloud.enable = true;

7
modules/nixos/hardware/networking.nix
View File

@ -10,9 +10,6 @@
services.avahi = {
enable = true;
domainName = "local";
ipv6 = false; # Should work either way
# Resolve local hostnames using Avahi DNS
nssmdns = true;
publish = {
enable = true;
addresses = true;
@ -20,6 +17,10 @@
workstation = true;
};
};
# Resolve local hostnames using Avahi DNS
services.avahi.nssmdns = true;
};
}

55
modules/nixos/services/bind.nix
View File

@ -1,55 +0,0 @@
{ config, pkgs, lib, ... }:
let
localIp = "192.168.1.218";
localServices = [
config.hostnames.stream
config.hostnames.content
config.hostnames.books
config.hostnames.download
];
mkRecord = service: "${service} A ${localIp}";
localRecords = lib.concatLines (map mkRecord localServices);
in {
config = lib.mkIf config.services.bind.enable {
caddy.cidrAllowlist = [ "192.168.0.0/16" ];
services.bind = {
cacheNetworks = [ "127.0.0.0/24" "192.168.0.0/16" ];
forwarders = [ "1.1.1.1" "1.0.0.1" ];
ipv4Only = true;
# Use rpz zone as an override
extraOptions = ''response-policy { zone "rpz"; };'';
zones = {
rpz = {
master = true;
file = pkgs.writeText "db.rpz" ''
$TTL 60 ; 1 minute
@ IN SOA localhost. root.localhost. (
2023071800 ; serial
1h ; refresh
30m ; retry
1w ; expire
30m ; minimum ttl
)
IN NS localhost.
localhost A 127.0.0.1
${localRecords}
'';
};
};
};
networking.firewall.allowedTCPPorts = [ 53 ];
networking.firewall.allowedUDPPorts = [ 53 ];
};
}

25
modules/nixos/services/caddy.nix
View File

@ -1,40 +1,25 @@
{ config, pkgs, lib, ... }: {
options = {
caddy = {
tlsPolicies = lib.mkOption {
caddy.tlsPolicies = lib.mkOption {
type = lib.types.listOf lib.types.attrs;
description = "Caddy JSON TLS policies";
default = [ ];
};
routes = lib.mkOption {
caddy.routes = lib.mkOption {
type = lib.types.listOf lib.types.attrs;
description = "Caddy JSON routes for http servers";
default = [ ];
};
blocks = lib.mkOption {
caddy.blocks = lib.mkOption {
type = lib.types.listOf lib.types.attrs;
description = "Caddy JSON error blocks for http servers";
default = [ ];
};
cidrAllowlist = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "CIDR blocks to allow for requests";
default = [ "127.0.0.1/32" ];
};
};
};
config = lib.mkIf config.services.caddy.enable {
# Force Caddy to 403 if not coming from allowlisted source
caddy.routes = [{
match = [{ not = [{ remote_ip.ranges = config.caddy.cidrAllowlist; }]; }];
handle = [{
handler = "static_response";
status_code = "403";
}];
}];
config =
lib.mkIf (config.services.caddy.enable && config.caddy.routes != [ ]) {
services.caddy = {
adapter = "''"; # Required to enable JSON

8
modules/nixos/services/cloudflare.nix
View File

@ -41,7 +41,13 @@ in {
config = lib.mkIf config.cloudflare.enable {
# Forces Caddy to error if coming from a non-Cloudflare IP
caddy.cidrAllowlist = cloudflareIpRanges;
caddy.routes = [{
match = [{ not = [{ remote_ip.ranges = cloudflareIpRanges; }]; }];
handle = [{
handler = "static_response";
status_code = "403";
}];
}];
# Tell Caddy to use Cloudflare DNS for ACME challenge validation
services.caddy.package = (pkgs.callPackage ../../../overlays/caddy.nix {

1
modules/nixos/services/default.nix
View File

@ -3,7 +3,6 @@
imports = [
./arr.nix
./backups.nix
./bind.nix
./caddy.nix
./calibre.nix
./cloudflare-tunnel.nix