Compare commits

...

2 Commits

Author SHA1 Message Date
stupidcomputer d31e18b824 finalize photoprism configuration 2024-10-27 23:55:42 -05:00
stupidcomputer 55cb186947 stupid wireguard configuration 2024-10-27 23:49:52 -05:00
7 changed files with 103 additions and 8 deletions

View File

@ -107,13 +107,26 @@
hostName = "copernicus";
firewall = {
enable = true;
allowedTCPPorts = [ 6000 ];
allowedTCPPortRanges = [
{ from = 1714; to = 1764; } # KDE Connect
];
allowedUDPPortRanges = [
{ from = 1714; to = 1764; } # KDE Connect
];
interfaces = {
eno1 = {
allowedTCPPorts = [ 6000 ];
allowedTCPPortRanges = [
{ from = 1714; to = 1764; } # KDE Connect
];
allowedUDPPortRanges = [
{ from = 1714; to = 1764; } # KDE Connect
];
};
wg0 = {
# allow everything bound to the wg0 interface
allowedTCPPortRanges = [
{ from = 1; to = 35565; }
];
allowedUDPPortRanges = [
{ from = 1; to = 35565; }
];
};
};
};
};

View File

@ -3,5 +3,6 @@
{
imports = [
./photoprism.nix
./wireguard.nix
];
}

View File

@ -4,10 +4,12 @@
services.photoprism = {
enable = true;
originalsPath = "/var/lib/photoprism/originals";
passwordFile = "/home/usr/wg-keys/photoprism-password";
settings = {
PHOTOPRISM_ADMIN_USER = "usr";
PHOTOPRISM_ADMIN_PASSWORD = "usr";
PHOTOPRISM_SITE_TITLE = "photos.beepboop.systems";
PHOTOPRISM_SITE_URL = "https://photos.beepboop.systems";
PHOTOPRISM_DEFAULT_LOCALE = "en";
};
};
}

View File

@ -0,0 +1,24 @@
{ lib, config, pkgs, ... }:
{
networking = {
firewall.allowedUDPPorts = [ 51820 ];
wireguard.interfaces = {
wg0 = {
ips = [ "10.100.0.2/24" ];
listenPort = 51820;
privateKeyFile = "/home/usr/wg-keys/private";
peers = [
{ # netbox
publicKey = "0fOqAfsYO4HvshMPnlkKL7Z1RChq98hjDr0Q8o7OJFE=";
allowedIPs = [ "10.100.0.0/24" ]; # only stuff in the wg-subnet (10.100.0.*)
endpoint = "149.28.63.115:51820";
persistentKeepalive = 25;
}
];
};
};
};
}

View File

@ -16,6 +16,8 @@
./fail2ban.nix
./nginx.nix
./franklincce.nix
./wireguard.nix
./photoprism-bridge.nix
];
nix = {

View File

@ -0,0 +1,17 @@
{ lib, config, pkgs, ... }:
{
services.nginx.virtualHosts."photos.beepboop.systems" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://10.100.0.2:2342";
proxyWebsockets = true;
extraConfig = ''
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_buffering off;
proxy_http_version 1.1;
'';
};
};
}

View File

@ -0,0 +1,36 @@
{ lib, config, pkgs, ... }:
{
networking = {
nat = {
enable = true;
externalInterface = "eth0";
internalInterfaces = [ "wg0" ];
};
firewall.allowedUDPPorts = [ 51820 ];
wireguard.interfaces = {
wg0 = {
ips = [ "10.100.0.1/24" ];
listenPort = 51820;
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
'';
privateKeyFile = "/home/ryan/wg-keys/private";
peers = [
{ # copernicus
publicKey = "JlH1X4KRT+B8Uau+qTLtBqyapkbGClIj1db7znU77kc=";
allowedIPs = [ "10.100.0.2/32" ];
}
];
};
};
};
}