
4 Commits

Author SHA1 Message Date
Felix Albrigtsen
39f73a21b2 flake: update 2026-04-28 14:51:03 +02:00
92f7943221 morn: add swapfile 2026-04-08 22:17:03 +02:00
41ed408c23 leonard: add swapfile 2026-04-08 22:14:25 +02:00
7918ebd7ea defiant/nginx: ip allowlist on nextcloud 2026-04-08 22:03:14 +02:00
4 changed files with 47 additions and 10 deletions

12
flake.lock generated

@@ -135,11 +135,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1775610697, "lastModified": 1777339890,
"narHash": "sha256-fw3+p16ZokENxpWPCLR7ngHUPz5lPvZZzKpQUwRgiXE=", "narHash": "sha256-/8cNnAn4FMZgIEEWf9chqo2ffH6bu/vDoJR8mnaNjtM=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "4f9024bce4025dc9a16d9fb27dd258d6cdf52862", "rev": "fcf51609c44b7781822f4258feb16f15085ff47d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -178,11 +178,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1775423009, "lastModified": 1776877367,
"narHash": "sha256-vPKLpjhIVWdDrfiUM8atW6YkIggCEKdSAlJPzzhkQlw=", "narHash": "sha256-EHq1/OX139R1RvBzOJ0aMRT3xnWyqtHBRUBuO1gFzjI=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "68d8aa3d661f0e6bd5862291b5bb263b2a6595c9", "rev": "0726a0ecb6d4e08f6adced58726b95db924cef57",
"type": "github" "type": "github"
}, },
"original": { "original": {


@@ -35,7 +35,7 @@ in {
# dnsProvider = "domeneshop"; # dnsProvider = "domeneshop";
# environmentFile = config.sops.secrets."domeneshop/acme".path; # environmentFile = config.sops.secrets."domeneshop/acme".path;
# webroot = null; # webroot = null;
# } # };
sops.secrets."domeneshop/acme" = { sops.secrets."domeneshop/acme" = {
group = "nginx"; group = "nginx";
}; };
@@ -63,15 +63,40 @@ in {
''; '';
} // overrides; } // overrides;
in { in {
"amalie.mansaker.no" = publicProxy "http://leonard.home.feal.no/" { };
"cloud.feal.no" = publicProxy "" { "cloud.feal.no" = publicProxy "" {
listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; }
{ addr = "192.168.10.175"; port = 43080; ssl = false; }
# Note: cloud.feal.no is overriden in the local DNS, to allow use through Wireguard VPN
{ addr = "192.168.10.175"; port = 443; ssl = true; }
{ addr = "192.168.10.175"; port = 80; ssl = false; }
];
locations."/" = { locations."/" = {
proxyPass = "http://challenger.home.feal.no"; proxyPass = "http://challenger.home.feal.no";
extraConfig = '' extraConfig = ''
client_max_body_size 8G; client_max_body_size 8G;
''; '';
}; };
extraConfig = ''
# Direct local traffic and NAT Hairpin
allow 192.168.10.0/24;
# Wireguard
allow 10.100.0.0/24;
# AS16185
allow 82.146.64.0/19;
allow 217.31.96.0/20;
allow 185.166.44.0/22;
# NTNU
allow 129.241.0.0/16;
deny all;
'';
}; };
"amalie.mansaker.no" = publicProxy "http://leonard.home.feal.no/" { };
"feal.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.feal.no" ]; }; "feal.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.feal.no" ]; };
"git.feal.no" = publicProxy "http://unix:${gitea.server.HTTP_ADDR}" { default = true; }; "git.feal.no" = publicProxy "http://unix:${gitea.server.HTTP_ADDR}" { default = true; };
"iam.feal.no" = publicProxy "http://${keycloak.http-host}:${toString keycloak.http-port}" { }; "iam.feal.no" = publicProxy "http://${keycloak.http-host}:${toString keycloak.http-port}" { };
@@ -79,4 +104,10 @@ in {
"kinealbrigtsen.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.kinealbrigtsen.no" ]; }; "kinealbrigtsen.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.kinealbrigtsen.no" ]; };
"wiki.wackattack.eu" = publicProxy "http://leonard.home.feal.no/" { }; "wiki.wackattack.eu" = publicProxy "http://leonard.home.feal.no/" { };
}; };
security.acme.certs."cloud.feal.no" = {
dnsProvider = "domeneshop";
environmentFile = config.sops.secrets."domeneshop/acme".path;
webroot = null;
};
} }
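Review bot: The `allow`/`deny all` list in the server-level `extraConfig` of `cloud.feal.no` is only as strong as the source address nginx actually sees, and `allow 192.168.10.0/24` also admits anything the router rewrites into the LAN range. If the 43443/43080 listeners are reached through router port forwards (presumably, given the non-standard ports) and those forwards are source-NATed the way hairpin traffic apparently is, every outside client would arrive as a 192.168.10.x address and pass the list. It is worth confirming in the access log that an external request shows its public address, and recording the dependency next to the rule, e.g. `# relies on the router preserving WAN source addresses on the 43443/43080 forwards`. The ISP and NTNU ranges are wide, so this narrows exposure rather than replacing Nextcloud's own authentication. `publicProxy` is defined outside the visible hunks, so whether it already sets a server-level `extraConfig` that `// overrides` now replaces cannot be checked from here.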


@@ -15,7 +15,10 @@
fsType = "ext4"; fsType = "ext4";
}; };
swapDevices = [ ]; # TODO swapDevices = [ {
device = "/swapfile";
size = 4*1024;
} ];
networking.useDHCP = lib.mkDefault false; networking.useDHCP = lib.mkDefault false;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true; # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
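Review bot: The new `/swapfile` entry in `swapDevices` is plain swap, so paged-out memory stays readable on disk after shutdown; that can include key material or decrypted secrets if this host handles any (not visible in this file). If hibernation is not needed, adding `randomEncryption.enable = true;` inside the same attribute set re-keys swap on every boot. A short comment that `size` is in MiB, e.g. `size = 4*1024; # MiB, i.e. 4 GiB`, would also help the next reader. The same applies to the identical `swapDevices` change in the following file section.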


@@ -24,7 +24,10 @@
options = [ "fmask=0077" "dmask=0077" ]; options = [ "fmask=0077" "dmask=0077" ];
}; };
swapDevices = [ ]; swapDevices = [ {
device = "/swapfile";
size = 4*1024;
} ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's