
No commits in common. "c0afa867fd1959b22c70e8bfe4b81c09275c5257" and "de5f88f6d81d43c2ab0a669501667ffeda1f5078" have entirely different histories.

12 changed files with 26 additions and 24 deletions


@ -13,13 +13,13 @@
programs.ssh = {
enable = true;
matchBlocks."viridian" = {
hostname = "viridian.kanto.dev";
hostname = "192.168.20.4";
identityFile = "/home/sajenim/.ssh/sajenim_sk";
port = 62841;
};
matchBlocks."lavender" = {
hostname = "lavender.kanto.dev";
hostname = "192.168.20.3";
identityFile = "/home/sajenim/.ssh/sajenim_sk";
port = 22;
};
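Review bot: `viridian` is pinned to `192.168.20.4` in this section, but the mpd section of the same comparison replaces `viridian.kanto.dev` with `192.168.1.102`, so the new side addresses what looks like one host on two different subnets; unless that is a deliberate second interface or VLAN, one of the two is stale. With IP literals in `hostname`, the known_hosts record is keyed to the address rather than the machine, so re-addressing produces host-key prompts that train the user to accept changes. Setting `extraOptions.HostKeyAlias = "viridian";` (and the same for `lavender`) would keep the host-key record tied to the logical host name.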


@ -3,12 +3,12 @@
{
services.mpd = {
enable = true;
musicDirectory = "nfs://viridian.kanto.dev/srv/multimedia/library/music";
musicDirectory = "nfs://192.168.1.102/srv/multimedia/library/music";
dbFile = null;
extraConfig = ''
database {
plugin "proxy"
host "viridian.kanto.dev"
host "192.168.1.102"
port "6600"
}


@ -1,7 +1 @@
# Serial: 15895942, Slot: 1
# Name: sajenim
# Created: Sun, 21 Jan 2024 01:47:27 +0000
# PIN policy: Once (A PIN is required once per session, if set)
# Touch policy: Always (A physical touch is required for every decryption)
# Recipient: age1yubikey1qfszrfps2t3n4tqgkzx8vrydhlna3f2ezd7awzjl9ur0yk5swmp0spw0m7q
AGE-PLUGIN-YUBIKEY-1S6XLYQYZSH22WXCHDCFRJ


@ -80,6 +80,7 @@
# Get up and running with large language models locally.
ollama = {
enable = true;
package = pkgs.unstable.ollama;
acceleration = "rocm";
};
@ -95,5 +96,5 @@
};
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "24.05";
system.stateVersion = "22.11";
}
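Review bot: As rendered, the second hunk leaves `system.stateVersion` at `"22.11"` where the other side has `"24.05"`. This value is meant to stay at the release the machine was first installed with, and the FAQ linked in the comment above it covers why. If both sides describe the same host, changing it alters the defaults of stateful services and can leave their on-disk data out of step with what the modules expect. A comment such as `# Set at install time; do not change on channel upgrades` next to the value would prevent this from being edited again.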


@ -34,7 +34,7 @@ in
"websecure"
];
middlewares = [
"internal"
"admin"
];
service = "lidarr";
};


@ -31,7 +31,7 @@ in
"websecure"
];
middlewares = [
"internal"
"admin"
];
service = "prowlarr";
};


@ -29,12 +29,12 @@ in
services.traefik.dynamicConfigOptions.http.routers = {
qbittorrent = {
rule = "Host(`qbittorrent.kanto.dev`)";
rule = "Host(`torrent.kanto.dev`)";
entryPoints = [
"websecure"
];
middlewares = [
"internal"
"admin"
];
service = "qbittorrent";
};


@ -33,7 +33,7 @@ in
"websecure"
];
middlewares = [
"internal"
"admin"
];
service = "radarr";
};


@ -34,7 +34,7 @@ in
"websecure"
];
middlewares = [
"internal"
"admin"
];
service = "sonarr";
};


@ -41,7 +41,7 @@
"websecure"
];
middlewares = [
"internal"
"admin"
];
service = "grafana";
};


@ -23,7 +23,7 @@
statdPort = 4000;
extraNfsdConfig = '''';
exports = ''
/srv/multimedia/library/music fuchsia.kanto.dev(rw,nohide,insecure,no_subtree_check)
/srv/multimedia/library/music 192.168.1.101(rw,nohide,insecure,no_subtree_check)
'';
};
networking.firewall = {
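Review bot: The export line grants `rw` to a client identified only by the address `192.168.1.101`, so any machine that takes that address on the segment gets write access to the music library. The `insecure` option is probably needed because the mpd section mounts through an `nfs://` URL, which usually connects from an unprivileged port; the practical lever is therefore the access mode. If the client only plays music, the line could read `/srv/multimedia/library/music 192.168.1.101(ro,nohide,insecure,no_subtree_check)`. The enclosing service block and the `networking.firewall` block that follows continue outside the hunk, so the firewall scoping for the NFS ports cannot be checked from here.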


@ -10,10 +10,18 @@
# Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service
services.traefik.dynamicConfigOptions.http.middlewares = {
# Restrict access to admin devices only
admin.ipwhitelist.sourcerange = [
"127.0.0.1/32" # localhost
"192.168.1.101" # fuchsia
"10.100.0.2" # Pixel 6 Pro
];
# Restrict access to internal networks
internal.ipwhitelist.sourcerange = [
"127.0.0.1/32" # localhost
"192.168.20.1/24" # lan
"192.168.1.1/24" # lan
"10.100.0.0/24" # wireguard clients
];
# Restrict access based on geo-location
@ -44,8 +52,7 @@
forceMonthlyUpdate = "true";
};
# Disable Crowdsec IP checking but apply Crowdsec Appsec checking.
# This mode is intended to be used when Crowdsec IP checking is applied at the Firewall Level.
# Disable Crowdsec IP checking but apply Crowdsec Appsec checking. This mode is intended to be used when Crowdsec IP checking is applied at the Firewall Level.
crowdsec.plugin.bouncer = {
enabled = "true";
crowdsecMode = "appsec";
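Review bot: The new `admin.ipwhitelist.sourcerange` list in the first hunk gates the admin routers on source address alone, and `"192.168.1.101"` is only as trustworthy as DHCP and ARP on that LAN. Any device that obtains that address passes the check, and `"127.0.0.1/32"` admits every local process on the host. The services behind this middleware should therefore keep their own authentication enabled. Separately, `"192.168.1.1/24"` in the `internal` list has host bits set, and `"192.168.1.0/24"` states the range unambiguously. `ipwhitelist` is deprecated in newer Traefik releases in favour of `ipAllowList`, so check it against the deployed version.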