

No commits in common. "c0afa867fd1959b22c70e8bfe4b81c09275c5257" and "de5f88f6d81d43c2ab0a669501667ffeda1f5078" have entirely different histories.

12 changed files with 26 additions and 24 deletions


@ -13,13 +13,13 @@
programs.ssh = { programs.ssh = {
enable = true; enable = true;
matchBlocks."viridian" = { matchBlocks."viridian" = {
hostname = "viridian.kanto.dev"; hostname = "192.168.20.4";
identityFile = "/home/sajenim/.ssh/sajenim_sk"; identityFile = "/home/sajenim/.ssh/sajenim_sk";
port = 62841; port = 62841;
}; };
matchBlocks."lavender" = { matchBlocks."lavender" = {
hostname = "lavender.kanto.dev"; hostname = "192.168.20.3";
identityFile = "/home/sajenim/.ssh/sajenim_sk"; identityFile = "/home/sajenim/.ssh/sajenim_sk";
port = 22; port = 22;
}; };
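Review bot: The two `hostname` literals on the new side sit in 192.168.20.x, while the other files in this comparison reach what looks like the same host (viridian) at 192.168.1.102 and use 192.168.1.x for the LAN, so one of the two sets is probably stale. Whether these are separate VLANs cannot be told from the hunk. With a literal address the known_hosts entry is keyed by that address, so a re-addressed host shows up as a new, unverified key. If the literals stay, a comment next to each, such as `# viridian, static lease`, would record which machine is meant.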


@ -3,12 +3,12 @@
{ {
services.mpd = { services.mpd = {
enable = true; enable = true;
musicDirectory = "nfs://viridian.kanto.dev/srv/multimedia/library/music"; musicDirectory = "nfs://192.168.1.102/srv/multimedia/library/music";
dbFile = null; dbFile = null;
extraConfig = '' extraConfig = ''
database { database {
plugin "proxy" plugin "proxy"
host "viridian.kanto.dev" host "192.168.1.102"
port "6600" port "6600"
} }
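Review bot: The server address `192.168.1.102` is now written twice, once in `musicDirectory` and once in the proxy `host`, and the two must always name the same machine. A single `let musicHost = "192.168.1.102";` interpolated as `${musicHost}` in both places would keep them from drifting. As far as this hunk shows, neither the NFS path nor the MPD proxy connection on port 6600 carries any credentials, so both rely on the server restricting clients by address; a comment saying so would help. The attribute set continues outside the hunk.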


@ -1,7 +1 @@
# Serial: 15895942, Slot: 1
# Name: sajenim
# Created: Sun, 21 Jan 2024 01:47:27 +0000
# PIN policy: Once (A PIN is required once per session, if set)
# Touch policy: Always (A physical touch is required for every decryption)
# Recipient: age1yubikey1qfszrfps2t3n4tqgkzx8vrydhlna3f2ezd7awzjl9ur0yk5swmp0spw0m7q
AGE-PLUGIN-YUBIKEY-1S6XLYQYZSH22WXCHDCFRJ AGE-PLUGIN-YUBIKEY-1S6XLYQYZSH22WXCHDCFRJ


@ -80,6 +80,7 @@
# Get up and running with large language models locally. # Get up and running with large language models locally.
ollama = { ollama = {
enable = true; enable = true;
package = pkgs.unstable.ollama;
acceleration = "rocm"; acceleration = "rocm";
}; };
@ -95,5 +96,5 @@
}; };
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "24.05"; system.stateVersion = "22.11";
} }
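Review bot: `system.stateVersion` goes from "24.05" to "22.11" in the second hunk, and this value is meant to stay at the release the machine was first installed with, as the FAQ linked on the line above explains. Changing it on an existing system switches the defaults of stateful services and can leave them unable to read their existing data. If the two trees describe different installs this may be intentional, but it then deserves a comment like `# installed from 22.11; do not change`. In the first hunk, `package = pkgs.unstable.ollama;` takes ollama from the unstable package set, so it follows a different update cadence than the rest of the system.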


@ -34,7 +34,7 @@ in
"websecure" "websecure"
]; ];
middlewares = [ middlewares = [
"internal" "admin"
]; ];
service = "lidarr"; service = "lidarr";
}; };
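Review bot: Swapping `"internal"` for `"admin"` is repeated by hand in six router definitions (lidarr here, then prowlarr, qbittorrent, radarr, sonarr and grafana), which makes it easy for one service to be left on the wider list. Defining the list once in a shared module, e.g. `adminOnly = [ "admin" ];`, and writing `middlewares = adminOnly;` would keep the policy in one place. The allowlist is the only access control visible on these routers, so each application's own login should stay enabled rather than be treated as redundant. The router definitions start outside each hunk.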


@ -31,7 +31,7 @@ in
"websecure" "websecure"
]; ];
middlewares = [ middlewares = [
"internal" "admin"
]; ];
service = "prowlarr"; service = "prowlarr";
}; };


@ -9,8 +9,8 @@ in
autoStart = true; autoStart = true;
image = "ghcr.io/hotio/qbittorrent:release-4.6.5"; image = "ghcr.io/hotio/qbittorrent:release-4.6.5";
ports = [ ports = [
"${port}:8080/tcp" # WebUI "${port}:8080/tcp" # WebUI
"32372:32372/tcp" # Transport protocol "32372:32372/tcp" # Transport protocol
]; ];
volumes = [ volumes = [
# Seedbox # Seedbox
@ -29,12 +29,12 @@ in
services.traefik.dynamicConfigOptions.http.routers = { services.traefik.dynamicConfigOptions.http.routers = {
qbittorrent = { qbittorrent = {
rule = "Host(`qbittorrent.kanto.dev`)"; rule = "Host(`torrent.kanto.dev`)";
entryPoints = [ entryPoints = [
"websecure" "websecure"
]; ];
middlewares = [ middlewares = [
"internal" "admin"
]; ];
service = "qbittorrent"; service = "qbittorrent";
}; };
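Review bot: The `admin` allowlist on the router only covers traffic that goes through Traefik, while the `ports` entry `"${port}:8080/tcp"` in the first hunk publishes the WebUI on every host interface. Depending on the container backend and the firewall rules, neither visible here, a LAN client could reach the WebUI directly and skip the allowlist. If Traefik reaches the container over localhost, binding the published port to loopback with `"127.0.0.1:${port}:8080/tcp"` keeps Traefik as the only path in. The rename to `torrent.kanto.dev` also needs a matching DNS record and certificate name.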


@ -33,7 +33,7 @@ in
"websecure" "websecure"
]; ];
middlewares = [ middlewares = [
"internal" "admin"
]; ];
service = "radarr"; service = "radarr";
}; };


@ -34,7 +34,7 @@ in
"websecure" "websecure"
]; ];
middlewares = [ middlewares = [
"internal" "admin"
]; ];
service = "sonarr"; service = "sonarr";
}; };


@ -41,7 +41,7 @@
"websecure" "websecure"
]; ];
middlewares = [ middlewares = [
"internal" "admin"
]; ];
service = "grafana"; service = "grafana";
}; };


@ -23,7 +23,7 @@
statdPort = 4000; statdPort = 4000;
extraNfsdConfig = ''''; extraNfsdConfig = '''';
exports = '' exports = ''
/srv/multimedia/library/music fuchsia.kanto.dev(rw,nohide,insecure,no_subtree_check) /srv/multimedia/library/music 192.168.1.101(rw,nohide,insecure,no_subtree_check)
''; '';
}; };
networking.firewall = { networking.firewall = {
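Review bot: The export line now trusts a bare address, `192.168.1.101`, with `rw` and `insecure`. Under the default `sec=sys`, any machine that obtains that address gets write access to the library with client-asserted user ids. A comment above `exports` such as `# 192.168.1.101 = fuchsia, static DHCP lease` would record which host is meant, and `ro` is the tighter choice if that client only plays the music. If `insecure` is kept because the client mounts from an unprivileged port, that reason belongs in the comment too. The NFS server block starts before the hunk and the firewall block continues after it.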


@ -10,10 +10,18 @@
# Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service # Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service
services.traefik.dynamicConfigOptions.http.middlewares = { services.traefik.dynamicConfigOptions.http.middlewares = {
# Restrict access to admin devices only
admin.ipwhitelist.sourcerange = [
"127.0.0.1/32" # localhost
"192.168.1.101" # fuchsia
"10.100.0.2" # Pixel 6 Pro
];
# Restrict access to internal networks # Restrict access to internal networks
internal.ipwhitelist.sourcerange = [ internal.ipwhitelist.sourcerange = [
"127.0.0.1/32" # localhost "127.0.0.1/32" # localhost
"192.168.20.1/24" # lan "192.168.1.1/24" # lan
"10.100.0.0/24" # wireguard clients
]; ];
# Restrict access based on geo-location # Restrict access based on geo-location
@ -44,8 +52,7 @@
forceMonthlyUpdate = "true"; forceMonthlyUpdate = "true";
}; };
# Disable Crowdsec IP checking but apply Crowdsec Appsec checking. # Disable Crowdsec IP checking but apply Crowdsec Appsec checking. This mode is intended to be used when Crowdsec IP checking is applied at the Firewall Level.
# This mode is intended to be used when Crowdsec IP checking is applied at the Firewall Level.
crowdsec.plugin.bouncer = { crowdsec.plugin.bouncer = {
enabled = "true"; enabled = "true";
crowdsecMode = "appsec"; crowdsecMode = "appsec";
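Review bot: In the new `admin` list in the first hunk, `"192.168.1.101"` and `"10.100.0.2"` carry no prefix length while `"127.0.0.1/32"` does, and `"192.168.1.1/24"` in `internal` is a host address used as a network. Writing them as `"192.168.1.101/32"`, `"10.100.0.2/32"` and `"192.168.1.0/24"` makes the intended scope explicit. Keeping `127.0.0.1/32` in `admin` means anything that connects to Traefik from the host itself, such as a local tunnel or proxy, passes as an admin device. The match is made on the source address Traefik sees, so the list only holds if no NAT or proxy sits in front of it. `ipwhitelist` is deprecated in newer Traefik releases in favour of `ipAllowList`, which is worth checking against the deployed version.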