no idea
@@ -25,13 +25,13 @@ in
|
||||
network.firewall.enabledServicePorts = true;
|
||||
network.firewall.additionalPorts = [
|
||||
2049 # idk
|
||||
8384 # syncthing gui
|
||||
22000 # syncthing relay
|
||||
3452 # sonarqube
|
||||
8448 # synapse ssl
|
||||
8265 # tdarr
|
||||
5173 # media map
|
||||
51412 # qbittorrent
|
||||
config.my.ports.syncthingGui
|
||||
config.my.ports.syncthingRelay
|
||||
config.my.ports.sonarqube
|
||||
config.my.ports.synapseSsl
|
||||
config.my.ports.tdarr
|
||||
config.my.ports.mediaMap
|
||||
config.my.ports.qbittorrent
|
||||
];
|
||||
};
|
||||
nix.buildMachines = [
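Review bot: `2049 # idk` is the one entry in `network.firewall.additionalPorts` that the commit neither names nor explains, so the allow-list now mixes self-describing `config.my.ports.*` references with a hard-coded port whose own comment says nobody knows why it is open. 2049 is the registered NFS port, which makes an unowned opening worth resolving rather than carrying forward. Either give it a named key alongside the others (for example `config.my.ports.nfs`, name constructed) with a comment naming the service that needs it, or drop the line if nothing on the host listens there. The enclosing attribute set begins before this hunk.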
|
||||
|
||||
@@ -10,6 +10,7 @@ let
|
||||
wgInterface = "wg0";
|
||||
ips = {
|
||||
homeServer = config.my.ips.wg-server;
|
||||
wgWorkstation = config.my.ips.wg-workstation;
|
||||
wgFriend1 = config.my.ips.wg-friend1;
|
||||
wgGuest1 = config.my.ips.wg-guest1;
|
||||
wgGuest2 = config.my.ips.wg-guest2;
|
||||
@@ -20,15 +21,15 @@ let
|
||||
wgHomelab = config.my.subnets.wg-homelab;
|
||||
};
|
||||
ports = {
|
||||
giteaSsh = 22;
|
||||
ssh = 3456;
|
||||
giteaSsh = config.my.ports.giteaSsh;
|
||||
ssh = config.my.ports.ssh;
|
||||
web = [
|
||||
80
|
||||
443
|
||||
];
|
||||
wg = 51820;
|
||||
syncthing = 22000;
|
||||
synapseFederation = 8448;
|
||||
wg = config.my.ports.wg;
|
||||
syncthing = config.my.ports.syncthingRelay;
|
||||
synapseFederation = config.my.ports.synapseSsl;
|
||||
};
|
||||
portsStr = {
|
||||
giteaSsh = toString ports.giteaSsh;
|
||||
@@ -40,6 +41,10 @@ let
|
||||
jellyfin = toString config.my.servers.jellyfin.port;
|
||||
audiobookshelf = toString config.my.servers.audiobookshelf.port;
|
||||
kavita = toString config.my.servers.kavita.port;
|
||||
openWebui = toString config.my.ports.openWebui;
|
||||
sillytavern = toString config.my.ports.sillytavern;
|
||||
ollama = toString config.my.ports.ollama;
|
||||
comfyui = toString config.my.ports.comfyui;
|
||||
};
|
||||
in
|
||||
{
|
||||
@@ -114,6 +119,8 @@ in
|
||||
iifname "${wgInterface}" ip saddr ${subnets.wgGuests} ip daddr ${ips.homeServer}/32 icmp type echo-request accept
|
||||
|
||||
iifname "${wgInterface}" ip saddr ${subnets.wgHomelab} ip daddr ${ips.homeServer}/32 accept
|
||||
iifname "${wgInterface}" ip saddr ${subnets.wgHomelab} ip daddr ${ips.wgWorkstation}/32 tcp dport { ${portsStr.openWebui}, ${portsStr.sillytavern}, ${portsStr.ollama}, ${portsStr.comfyui} } accept
|
||||
iifname "${wgInterface}" ip saddr ${ips.wgWorkstation}/32 ip daddr ${subnets.wgHomelab} tcp sport { ${portsStr.openWebui}, ${portsStr.sillytavern}, ${portsStr.ollama}, ${portsStr.comfyui} } accept
|
||||
|
||||
iifname "${wgInterface}" ip saddr ${subnets.wgFriends} oifname "${externalInterface}" accept
|
||||
iifname "${wgInterface}" ip saddr ${subnets.wgGuests} oifname "${externalInterface}" accept
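Review bot: The rule `iifname "${wgInterface}" ip saddr ${ips.wgWorkstation}/32 ip daddr ${subnets.wgHomelab} tcp sport { ... } accept` matches on source port only, so it accepts new connections from the workstation to any host and any destination port in the homelab subnet as long as the source port is one of the four AI ports, not just replies to the forward rule above it. If the intent is to let the responses of the `tcp dport` rule through, a conntrack match does that without the extra exposure: `iifname "${wgInterface}" ct state established,related accept`, placed before the per-port rules (the chain may already carry such a rule outside this hunk; if so the sport rule is redundant and can go). The two `portsStr.*` rules look like the lines this hunk adds, given the matching additions to `portsStr` earlier in the file, but the markers are not preserved on this page. The enclosing nftables chain starts and ends outside the hunk.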
|
||||
|
||||
@@ -1,12 +1,12 @@
|
||||
{
|
||||
pkgs,
|
||||
config,
|
||||
lib,
|
||||
inputs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
shellType = config.my.shell.type;
|
||||
comfyuiPort = 8188;
|
||||
krita-thumbnailer = pkgs.writeTextFile {
|
||||
name = "krita-thumbnailer";
|
||||
destination = "/share/thumbnailers/kra.thumbnailer";
|
||||
@@ -38,6 +38,9 @@ in
|
||||
"bearded_dragonn"
|
||||
];
|
||||
};
|
||||
sops.secrets."workstation/private" = lib.mkIf config.my.secureHost {
|
||||
sopsFile = ../../secrets/wireguard.yaml;
|
||||
};
|
||||
home-manager.users.jawz.programs = {
|
||||
vscode = {
|
||||
enable = true;
|
||||
@@ -57,8 +60,8 @@ in
|
||||
hostName = "workstation";
|
||||
firewall = {
|
||||
allowedTCPPorts = [
|
||||
6674 # ns-usbloader
|
||||
8384 # syncthing
|
||||
config.my.ports.nsUsbloader
|
||||
config.my.ports.syncthingGui
|
||||
];
|
||||
allowedTCPPortRanges = [
|
||||
{
|
||||
@@ -70,7 +73,31 @@ in
|
||||
config.services.ollama.port
|
||||
config.services.open-webui.port
|
||||
config.services.sillytavern.port
|
||||
comfyuiPort
|
||||
config.my.ports.comfyui
|
||||
];
|
||||
};
|
||||
nftables.tables.wg-local-redirect = {
|
||||
family = "ip";
|
||||
content = ''
|
||||
chain prerouting {
|
||||
type nat hook prerouting priority dstnat;
|
||||
iifname "wg0" ip daddr ${config.my.ips.wg-workstation}/32 tcp dport ${toString config.my.ports.sillytavern} redirect to :${toString config.my.ports.sillytavern}
|
||||
}
|
||||
'';
|
||||
};
|
||||
wireguard.interfaces.wg0 = lib.mkIf config.my.secureHost {
|
||||
ips = [ "${config.my.ips.wg-workstation}/32" ];
|
||||
privateKeyFile = config.sops.secrets."workstation/private".path;
|
||||
peers = [
|
||||
{
|
||||
publicKey = "dFbiSekBwnZomarcS31o5+w6imHjMPNCipkfc2fZ3GY=";
|
||||
endpoint = "${config.my.ips.vps}:51820";
|
||||
persistentKeepalive = 25;
|
||||
allowedIPs = [
|
||||
"${config.my.ips.wg-vps}/32"
|
||||
config.my.subnets.wg-homelab
|
||||
];
|
||||
}
|
||||
];
|
||||
};
|
||||
};
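Review bot: The single rule in `nftables.tables.wg-local-redirect` matches `tcp dport ${toString config.my.ports.sillytavern}` and then does `redirect to :${toString config.my.ports.sillytavern}`, the same port, so as written the NAT rule changes nothing observable for traffic that already has the workstation's wg address as its destination. If a different listener port was intended the second reference is the one to change; if not, the whole table is a no-op and can be removed rather than left as a dstnat hook that has to be reasoned about in every later firewall review. Separately, `endpoint = "${config.my.ips.vps}:51820";` hard-codes the WireGuard port while this same commit moves the other ports into `config.my.ports` (the firewall file reads `config.my.ports.wg`); if the VPS listens on that configured port, `endpoint = "${config.my.ips.vps}:${toString config.my.ports.wg}";` keeps the two in step.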
|
||||
@@ -141,7 +168,7 @@ in
|
||||
flatpak.enable = true;
|
||||
open-webui = {
|
||||
enable = true;
|
||||
port = 2345;
|
||||
port = config.my.ports.openWebui;
|
||||
host = config.my.ips.wg-workstation;
|
||||
};
|
||||
scx = {
|
||||
@@ -162,13 +189,14 @@ in
|
||||
models = "/srv/ai/ollama";
|
||||
user = "ollama";
|
||||
group = "ai";
|
||||
port = config.my.ports.ollama;
|
||||
host = config.my.ips.wg-workstation;
|
||||
};
|
||||
sillytavern = {
|
||||
enable = true;
|
||||
port = config.my.ports.sillytavern;
|
||||
group = "ai";
|
||||
listen = true;
|
||||
port = 9324;
|
||||
whitelist = true;
|
||||
listenAddressIPv4 = config.my.ips.wg-workstation;
|
||||
};
|
||||
};
|
||||
|
||||