Merge pull request #115 from cramt/cramt/flake_update

flake update
Rasmus Kirk
2025-12-14 16:56:44 +00:00
committed by GitHub
5 changed files with 141 additions and 107 deletions
Generated
+7 -7
@@ -2,16 +2,16 @@
"nodes": { "nodes": {
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1761016216, "lastModified": 1765608474,
"narHash": "sha256-G/iC4t/9j/52i/nm+0/4ybBmAF4hzR8CNHC75qEhjHo=", "narHash": "sha256-9Wx53UK0z8Di5iesJID0tS1dRKwGxI4i7tsSanOHhF0=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "481cf557888e05d3128a76f14c76397b7d7cc869", "rev": "28bb483c11a1214a73f9fd2d9928a6e2ea86ec71",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-25.05", "ref": "nixos-25.11",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@@ -25,11 +25,11 @@
}, },
"vpnconfinement": { "vpnconfinement": {
"locked": { "locked": {
"lastModified": 1759956062, "lastModified": 1765634578,
"narHash": "sha256-NUZu0Rb0fwUjfdp51zMm0xM3lcK8Kw4c97LLog7+JjA=", "narHash": "sha256-Fujb9sn1cj+u/bzfo2RbQkcAvJ7Ch1pimJzFie4ptb4=",
"owner": "Maroka-chan", "owner": "Maroka-chan",
"repo": "VPN-Confinement", "repo": "VPN-Confinement",
"rev": "fabe7247b720b5eb4c3c053e24a2b3b70e64c52b", "rev": "f2989e1e3cb06c7185939e9ddc368f88b998616a",
"type": "github" "type": "github"
}, },
"original": { "original": {
+21 -10
@@ -2,7 +2,7 @@
description = "The Nixarr Media Server Nixos Module"; description = "The Nixarr Media Server Nixos Module";
inputs = { inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
vpnconfinement.url = "github:Maroka-chan/VPN-Confinement"; vpnconfinement.url = "github:Maroka-chan/VPN-Confinement";
@@ -27,20 +27,26 @@
# Helper to provide system-specific attributes # Helper to provide system-specific attributes
forAllSystems = f: forAllSystems = f:
nixpkgs.lib.genAttrs supportedSystems (system: nixpkgs.lib.genAttrs supportedSystems (
system:
f { f {
pkgs = import nixpkgs { pkgs = import nixpkgs {
inherit system; inherit system;
config.allowUnfree = true; config.allowUnfree = true;
}; };
}); }
);
in { in {
nixosModules.default.imports = [./nixarr vpnconfinement.nixosModules.default]; nixosModules.default.imports = [
./nixarr
vpnconfinement.nixosModules.default
];
# Add tests attribute to the flake outputs # Add tests attribute to the flake outputs
# To run interactively run: # To run interactively run:
# > nix build .#checks.x86_64-linux.monitoring-test.driver -L # > nix build .#checks.x86_64-linux.monitoring-test.driver -L
checks = forAllSystems ({pkgs}: { checks = forAllSystems (
{pkgs}: {
permissions-test = pkgs.callPackage ./tests/permissions-test.nix { permissions-test = pkgs.callPackage ./tests/permissions-test.nix {
inherit (self) nixosModules; inherit (self) nixosModules;
}; };
@@ -50,18 +56,22 @@
# vpn-confinement-test = pkgs.callPackage ./tests/vpn-confinement-test.nix { # vpn-confinement-test = pkgs.callPackage ./tests/vpn-confinement-test.nix {
# inherit (self) nixosModules; # inherit (self) nixosModules;
# }; # };
}); }
);
devShells = forAllSystems ({pkgs}: { devShells = forAllSystems (
{pkgs}: {
default = pkgs.mkShell { default = pkgs.mkShell {
packages = with pkgs; [ packages = with pkgs; [
alejandra alejandra
nixd nixd
]; ];
}; };
}); }
);
packages = forAllSystems ({pkgs}: let packages = forAllSystems (
{pkgs}: let
website = website-builder.lib { website = website-builder.lib {
pkgs = pkgs; pkgs = pkgs;
src = "${self}"; src = "${self}";
@@ -111,7 +121,8 @@
in { in {
default = website.package; default = website.package;
debug = website.loop; debug = website.loop;
}); }
);
formatter = forAllSystems ({pkgs}: pkgs.alejandra); formatter = forAllSystems ({pkgs}: pkgs.alejandra);
}; };
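Review bot: `vpn-confinement-test` remains commented out in `checks` (context lines of the `@@ -50,18 +56,22 @@` hunk), so `nix flake check` will not run the confinement test against the inputs this commit moves: nixpkgs to `nixos-25.11` and the VPN-Confinement input to a new locked revision. The same commit also switches that test file to `pkgs.testers.nixosTest`, and that change is likewise not evaluated by the checks. If the test cannot be re-enabled, I would at least record why next to the commented block, e.g. `# vpn-confinement-test disabled: <reason>; run manually after updating nixpkgs or vpnconfinement`. The reason for disabling it is not visible in this diff.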
+1 -1
@@ -4,7 +4,7 @@
nixosModules, nixosModules,
lib ? pkgs.lib, lib ? pkgs.lib,
}: }:
pkgs.nixosTest { pkgs.testers.nixosTest {
name = "nixarr-permissions-test"; name = "nixarr-permissions-test";
nodes.machine = { nodes.machine = {
+1 -1
@@ -3,7 +3,7 @@
nixosModules, nixosModules,
lib ? pkgs.lib, lib ? pkgs.lib,
}: }:
pkgs.nixosTest { pkgs.testers.nixosTest {
name = "simple-test"; name = "simple-test";
nodes.machine = { nodes.machine = {
+33 -10
@@ -43,17 +43,25 @@ The test ensures that:
wgGatewayPort = 51820; wgGatewayPort = 51820;
# Generate real WireGuard keys # Generate real WireGuard keys
wgGatewayPrivateKey = pkgs.runCommand "wg-gateway-private" {buildInputs = [pkgs.wireguard-tools];} '' wgGatewayPrivateKey =
pkgs.runCommand "wg-gateway-private" {buildInputs = [pkgs.wireguard-tools];}
''
wg genkey > $out wg genkey > $out
''; '';
wgGatewayPublicKey = pkgs.runCommand "wg-gateway-public" {buildInputs = [pkgs.wireguard-tools];} '' wgGatewayPublicKey =
pkgs.runCommand "wg-gateway-public" {buildInputs = [pkgs.wireguard-tools];}
''
cat ${wgGatewayPrivateKey} | wg pubkey > $out cat ${wgGatewayPrivateKey} | wg pubkey > $out
''; '';
wgClientPrivateKey = pkgs.runCommand "wg-client-private" {buildInputs = [pkgs.wireguard-tools];} '' wgClientPrivateKey =
pkgs.runCommand "wg-client-private" {buildInputs = [pkgs.wireguard-tools];}
''
wg genkey > $out wg genkey > $out
''; '';
wgClientPublicKey = pkgs.runCommand "wg-client-public" {buildInputs = [pkgs.wireguard-tools];} '' wgClientPublicKey =
pkgs.runCommand "wg-client-public" {buildInputs = [pkgs.wireguard-tools];}
''
cat ${wgClientPrivateKey} | wg pubkey > $out cat ${wgClientPrivateKey} | wg pubkey > $out
''; '';
@@ -92,7 +100,7 @@ The test ensures that:
PersistentKeepalive = 25 PersistentKeepalive = 25
''; '';
in in
pkgs.nixosTest { pkgs.testers.nixosTest {
name = "nixarr-vpn-confinement-test"; name = "nixarr-vpn-confinement-test";
# Disable interactive mode to avoid hanging # Disable interactive mode to avoid hanging
@@ -128,7 +136,10 @@ in
"${internetClientIP}/24" "${internetClientIP}/24"
"${internetClientIPv6}/64" "${internetClientIPv6}/64"
]; ];
gateway = ["${internetGatewayIP}" "${internetGatewayIPv6}"]; gateway = [
"${internetGatewayIP}"
"${internetGatewayIPv6}"
];
routes = [ routes = [
{ {
Destination = "${wgSubnet}"; Destination = "${wgSubnet}";
@@ -189,7 +200,10 @@ in
pkgs, pkgs,
... ...
}: { }: {
virtualisation.vlans = [1 2]; # VLAN 1 for LAN, VLAN 2 for Internet virtualisation.vlans = [
1
2
]; # VLAN 1 for LAN, VLAN 2 for Internet
networking = { networking = {
interfaces.eth1 = { interfaces.eth1 = {
@@ -224,19 +238,28 @@ in
firewall = { firewall = {
enable = true; enable = true;
allowedUDPPorts = [wgGatewayPort 51413]; allowedUDPPorts = [
wgGatewayPort
51413
];
allowedTCPPorts = [51413]; allowedTCPPorts = [51413];
}; };
wireguard.interfaces.wg0 = { wireguard.interfaces.wg0 = {
ips = ["${wgGatewayAddr}/24" "${wgGatewayAddrV6}/64"]; ips = [
"${wgGatewayAddr}/24"
"${wgGatewayAddrV6}/64"
];
listenPort = wgGatewayPort; listenPort = wgGatewayPort;
privateKeyFile = "${wgGatewayPrivateKey}"; privateKeyFile = "${wgGatewayPrivateKey}";
peers = [ peers = [
{ {
publicKey = builtins.readFile wgClientPublicKey; publicKey = builtins.readFile wgClientPublicKey;
allowedIPs = ["${wgClientAddr}/32" "${wgClientAddrV6}/128"]; allowedIPs = [
"${wgClientAddr}/32"
"${wgClientAddrV6}/128"
];
} }
]; ];
}; };
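Review bot: The comment `# Generate real WireGuard keys` above the reformatted `runCommand` derivations does not say that `wg genkey > $out` writes the private keys into the Nix store, which every local user can read, or that `privateKeyFile = "${wgGatewayPrivateKey}"` then points at that store path. That is acceptable for a throwaway test VM, but the pattern is easy to copy into a real configuration. I would extend the comment to something like `# Test-only keys: written to the world-readable Nix store; never generate real WireGuard secrets this way`. The `let` block and the gateway node definition both continue outside the hunks shown here.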