Alexandra Østermark
2025-12-14 16:46:46 +01:00
parent b4b30f6c78
commit d6838844ca
4 changed files with 148 additions and 133 deletions
+105 -113
@@ -10,128 +10,120 @@
website-builder.inputs.nixpkgs.follows = "nixpkgs"; website-builder.inputs.nixpkgs.follows = "nixpkgs";
}; };
outputs = outputs = {
{ nixpkgs,
nixpkgs, vpnconfinement,
vpnconfinement, website-builder,
website-builder, self,
self, ...
... } @ inputs: let
}@inputs: # Systems supported
let supportedSystems = [
# Systems supported "x86_64-linux" # 64-bit Intel/AMD Linux
supportedSystems = [ "aarch64-linux" # 64-bit ARM Linux
"x86_64-linux" # 64-bit Intel/AMD Linux "x86_64-darwin" # 64-bit Intel macOS
"aarch64-linux" # 64-bit ARM Linux "aarch64-darwin" # 64-bit ARM macOS
"x86_64-darwin" # 64-bit Intel macOS ];
"aarch64-darwin" # 64-bit ARM macOS
];
# Helper to provide system-specific attributes # Helper to provide system-specific attributes
forAllSystems = forAllSystems = f:
f: nixpkgs.lib.genAttrs supportedSystems (
nixpkgs.lib.genAttrs supportedSystems ( system:
system:
f { f {
pkgs = import nixpkgs { pkgs = import nixpkgs {
inherit system; inherit system;
config.allowUnfree = true; config.allowUnfree = true;
}; };
} }
);
in
{
nixosModules.default.imports = [
./nixarr
vpnconfinement.nixosModules.default
];
# Add tests attribute to the flake outputs
# To run interactively run:
# > nix build .#checks.x86_64-linux.monitoring-test.driver -L
checks = forAllSystems (
{ pkgs }:
{
permissions-test = pkgs.callPackage ./tests/permissions-test.nix {
inherit (self) nixosModules;
};
simple-test = pkgs.callPackage ./tests/simple-test.nix {
inherit (self) nixosModules;
};
# vpn-confinement-test = pkgs.callPackage ./tests/vpn-confinement-test.nix {
# inherit (self) nixosModules;
# };
}
); );
in {
nixosModules.default.imports = [
./nixarr
vpnconfinement.nixosModules.default
];
devShells = forAllSystems ( # Add tests attribute to the flake outputs
{ pkgs }: # To run interactively run:
{ # > nix build .#checks.x86_64-linux.monitoring-test.driver -L
default = pkgs.mkShell { checks = forAllSystems (
packages = with pkgs; [ {pkgs}: {
alejandra permissions-test = pkgs.callPackage ./tests/permissions-test.nix {
nixd inherit (self) nixosModules;
]; };
simple-test = pkgs.callPackage ./tests/simple-test.nix {
inherit (self) nixosModules;
};
# vpn-confinement-test = pkgs.callPackage ./tests/vpn-confinement-test.nix {
# inherit (self) nixosModules;
# };
}
);
devShells = forAllSystems (
{pkgs}: {
default = pkgs.mkShell {
packages = with pkgs; [
alejandra
nixd
];
};
}
);
packages = forAllSystems (
{pkgs}: let
website = website-builder.lib {
pkgs = pkgs;
src = "${self}";
timestamp = self.lastModified;
headerTitle = "Nixarr";
standalonePages = [
{
title = "Nixarr - Media Server Nixos Module";
inputFile = ./README.md;
outputFile = "index.html";
}
];
includedDirs = ["docs"];
articleDirs = ["docs/wiki"];
navbar = [
{
title = "Home";
location = "/";
}
{
title = "Options";
location = "/nixos-options";
}
{
title = "Wiki";
location = "/wiki";
}
{
title = "Github";
location = "https://github.com/rasmus-kirk/nixarr";
}
];
favicons = {
# For all browsers
"16x16" = "/docs/img/favicons/16x16.png";
"32x32" = "/docs/img/favicons/32x32.png";
# For Google and Android
"48x48" = "/docs/img/favicons/48x48.png";
"192x192" = "/docs/img/favicons/192x192.png";
# For iPad
"167x167" = "/docs/img/favicons/167x167.png";
# For iPhone
"180x180" = "/docs/img/favicons/180x180.png";
}; };
} nixosModules = ./nixarr;
); };
in {
default = website.package;
debug = website.loop;
}
);
packages = forAllSystems ( formatter = forAllSystems ({pkgs}: pkgs.alejandra);
{ pkgs }: };
let
website = website-builder.lib {
pkgs = pkgs;
src = "${self}";
timestamp = self.lastModified;
headerTitle = "Nixarr";
standalonePages = [
{
title = "Nixarr - Media Server Nixos Module";
inputFile = ./README.md;
outputFile = "index.html";
}
];
includedDirs = [ "docs" ];
articleDirs = [ "docs/wiki" ];
navbar = [
{
title = "Home";
location = "/";
}
{
title = "Options";
location = "/nixos-options";
}
{
title = "Wiki";
location = "/wiki";
}
{
title = "Github";
location = "https://github.com/rasmus-kirk/nixarr";
}
];
favicons = {
# For all browsers
"16x16" = "/docs/img/favicons/16x16.png";
"32x32" = "/docs/img/favicons/32x32.png";
# For Google and Android
"48x48" = "/docs/img/favicons/48x48.png";
"192x192" = "/docs/img/favicons/192x192.png";
# For iPad
"167x167" = "/docs/img/favicons/167x167.png";
# For iPhone
"180x180" = "/docs/img/favicons/180x180.png";
};
nixosModules = ./nixarr;
};
in
{
default = website.package;
debug = website.loop;
}
);
formatter = forAllSystems ({ pkgs }: pkgs.alejandra);
};
} }
+1 -1
@@ -4,7 +4,7 @@
nixosModules, nixosModules,
lib ? pkgs.lib, lib ? pkgs.lib,
}: }:
pkgs.nixosTest { pkgs.testers.nixosTest {
name = "nixarr-permissions-test"; name = "nixarr-permissions-test";
nodes.machine = { nodes.machine = {
+1 -1
@@ -3,7 +3,7 @@
nixosModules, nixosModules,
lib ? pkgs.lib, lib ? pkgs.lib,
}: }:
pkgs.nixosTest { pkgs.testers.nixosTest {
name = "simple-test"; name = "simple-test";
nodes.machine = { nodes.machine = {
+41 -18
@@ -43,19 +43,27 @@ The test ensures that:
wgGatewayPort = 51820; wgGatewayPort = 51820;
# Generate real WireGuard keys # Generate real WireGuard keys
wgGatewayPrivateKey = pkgs.runCommand "wg-gateway-private" {buildInputs = [pkgs.wireguard-tools];} '' wgGatewayPrivateKey =
wg genkey > $out pkgs.runCommand "wg-gateway-private" {buildInputs = [pkgs.wireguard-tools];}
''; ''
wgGatewayPublicKey = pkgs.runCommand "wg-gateway-public" {buildInputs = [pkgs.wireguard-tools];} '' wg genkey > $out
cat ${wgGatewayPrivateKey} | wg pubkey > $out '';
''; wgGatewayPublicKey =
pkgs.runCommand "wg-gateway-public" {buildInputs = [pkgs.wireguard-tools];}
''
cat ${wgGatewayPrivateKey} | wg pubkey > $out
'';
wgClientPrivateKey = pkgs.runCommand "wg-client-private" {buildInputs = [pkgs.wireguard-tools];} '' wgClientPrivateKey =
wg genkey > $out pkgs.runCommand "wg-client-private" {buildInputs = [pkgs.wireguard-tools];}
''; ''
wgClientPublicKey = pkgs.runCommand "wg-client-public" {buildInputs = [pkgs.wireguard-tools];} '' wg genkey > $out
cat ${wgClientPrivateKey} | wg pubkey > $out '';
''; wgClientPublicKey =
pkgs.runCommand "wg-client-public" {buildInputs = [pkgs.wireguard-tools];}
''
cat ${wgClientPrivateKey} | wg pubkey > $out
'';
# Network configuration # Network configuration
wgGatewayAddr = "10.100.0.1"; wgGatewayAddr = "10.100.0.1";
@@ -92,7 +100,7 @@ The test ensures that:
PersistentKeepalive = 25 PersistentKeepalive = 25
''; '';
in in
pkgs.nixosTest { pkgs.testers.nixosTest {
name = "nixarr-vpn-confinement-test"; name = "nixarr-vpn-confinement-test";
# Disable interactive mode to avoid hanging # Disable interactive mode to avoid hanging
@@ -128,7 +136,10 @@ in
"${internetClientIP}/24" "${internetClientIP}/24"
"${internetClientIPv6}/64" "${internetClientIPv6}/64"
]; ];
gateway = ["${internetGatewayIP}" "${internetGatewayIPv6}"]; gateway = [
"${internetGatewayIP}"
"${internetGatewayIPv6}"
];
routes = [ routes = [
{ {
Destination = "${wgSubnet}"; Destination = "${wgSubnet}";
@@ -189,7 +200,10 @@ in
pkgs, pkgs,
... ...
}: { }: {
virtualisation.vlans = [1 2]; # VLAN 1 for LAN, VLAN 2 for Internet virtualisation.vlans = [
1
2
]; # VLAN 1 for LAN, VLAN 2 for Internet
networking = { networking = {
interfaces.eth1 = { interfaces.eth1 = {
@@ -224,19 +238,28 @@ in
firewall = { firewall = {
enable = true; enable = true;
allowedUDPPorts = [wgGatewayPort 51413]; allowedUDPPorts = [
wgGatewayPort
51413
];
allowedTCPPorts = [51413]; allowedTCPPorts = [51413];
}; };
wireguard.interfaces.wg0 = { wireguard.interfaces.wg0 = {
ips = ["${wgGatewayAddr}/24" "${wgGatewayAddrV6}/64"]; ips = [
"${wgGatewayAddr}/24"
"${wgGatewayAddrV6}/64"
];
listenPort = wgGatewayPort; listenPort = wgGatewayPort;
privateKeyFile = "${wgGatewayPrivateKey}"; privateKeyFile = "${wgGatewayPrivateKey}";
peers = [ peers = [
{ {
publicKey = builtins.readFile wgClientPublicKey; publicKey = builtins.readFile wgClientPublicKey;
allowedIPs = ["${wgClientAddr}/32" "${wgClientAddrV6}/128"]; allowedIPs = [
"${wgClientAddr}/32"
"${wgClientAddrV6}/128"
];
} }
]; ];
}; };
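Review bot: The key derivations re-wrapped in the first hunk (`wg-gateway-private`, `wg-client-private` and their public-key counterparts) write `wg genkey` output to `$out`, so the private keys sit in the world-readable Nix store and `privateKeyFile = "${wgGatewayPrivateKey}"` resolves to a store path. Since these lines are being touched anyway, the `# Generate real WireGuard keys` comment should say so, e.g. `# Test-only keys: built into the world-readable /nix/store and regenerated on every rebuild; never copy this pattern for real secrets`. The same comment could note that `builtins.readFile wgClientPublicKey` forces an import-from-derivation at evaluation time, which fails where IFD is disabled. Separately, the flake.nix section of this commit still has `vpn-confinement-test` commented out of `checks`, so the switch to `pkgs.testers.nixosTest` here does not appear to be exercised by `nix flake check`. The `let` block and the test body continue outside the visible hunks.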