coolneng d564a94aa7
Disable man pages 2022-12-20 15:44:48 +01:00
coolneng 39e2d8f4e5
Migrate to systemd-networkd 2022-12-20 15:44:44 +01:00
coolneng 663e5cb739
Use ZFS storage driver for containers 2022-12-20 15:44:40 +01:00
4 changed files with 152 additions and 116 deletions


@ -105,7 +105,11 @@ with pkgs;
# Specify secrets # Specify secrets
age = { age = {
secrets.wireguard.file = secrets/wireguard.age; secrets.wireguard = {
file = secrets/wireguard.age;
owner = "systemd-network";
group = "systemd-network";
};
secrets.syncthing.file = secrets/syncthing.age; secrets.syncthing.file = secrets/syncthing.age;
secrets.msmtp.file = secrets/msmtp.age; secrets.msmtp.file = secrets/msmtp.age;
secrets.gitea = { secrets.gitea = {
@ -167,6 +171,9 @@ with pkgs;
}; };
}; };
# Disable man pages
documentation.man.enable = false;
# Import other configuration modules # Import other configuration modules
imports = [ imports = [
./modules/hardware-configuration.nix ./modules/hardware-configuration.nix
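Review bot: The new `owner`/`group` on the wireguard secret in the first hunk is undocumented, and if agenix's default `mode` (0400, unless overridden elsewhere in this config) is kept, the `group = "systemd-network";` line grants nothing, so a reader cannot tell why the key is re-owned or whether the group line is meant to matter. Suggest a comment above `secrets.wireguard = {` such as `# systemd-networkd reads PrivateKeyFile as the systemd-network user, so the key must be owned by it`, and either dropping `group` or adding an explicit `mode` if group access is intended. The `age = {` block continues past the end of the hunk.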


@ -23,82 +23,11 @@
fsType = "vfat"; fsType = "vfat";
}; };
fileSystems."/var/lib/containers/storage/overlay" =
{ device = "/var/lib/containers/storage/overlay";
fsType = "none";
options = [ "bind" ];
};
fileSystems."/var/lib/containers/storage/overlay-containers/dba1864ff1473b3ba5fddd103f9cfff67334fbcc5c99c42b619e8a6d88776061/userdata/shm" =
{ device = "shm";
fsType = "tmpfs";
};
fileSystems."/var/lib/containers/storage/overlay/1990fed1fbfbe8dc75ded251c84e8d82700fef0f01e8ead81916cadc5ec2cac1/merged" =
{ device = "overlay";
fsType = "overlay";
};
fileSystems."/vault" = fileSystems."/vault" =
{ device = "vault"; { device = "vault";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/vault/radicale" =
{ device = "vault/radicale";
fsType = "zfs";
};
fileSystems."/vault/syncthing" =
{ device = "vault/syncthing";
fsType = "zfs";
};
fileSystems."/vault/backups" =
{ device = "vault/backups";
fsType = "zfs";
};
fileSystems."/vault/git" =
{ device = "vault/git";
fsType = "zfs";
};
fileSystems."/vault/nextcloud" =
{ device = "vault/nextcloud";
fsType = "zfs";
};
fileSystems."/vault/backups/monolith" =
{ device = "vault/backups/monolith";
fsType = "zfs";
};
fileSystems."/vault/backups/zion" =
{ device = "vault/backups/zion";
fsType = "zfs";
};
fileSystems."/vault/backups/zion/databases" =
{ device = "vault/backups/zion/databases";
fsType = "zfs";
};
fileSystems."/var/lib/wallabag" =
{ device = "vault/state_directories/wallabag";
fsType = "zfs";
};
fileSystems."/var/lib/gitea" =
{ device = "vault/state_directories/gitea";
fsType = "zfs";
};
fileSystems."/var/lib/signald" =
{ device = "vault/state_directories/signald";
fsType = "zfs";
};
fileSystems."/var/lib/matrix-as-signal" = fileSystems."/var/lib/matrix-as-signal" =
{ device = "vault/state_directories/matrix-as-signal"; { device = "vault/state_directories/matrix-as-signal";
fsType = "zfs"; fsType = "zfs";
@ -109,11 +38,81 @@
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/var/lib/gitea" =
{ device = "vault/state_directories/gitea";
fsType = "zfs";
};
fileSystems."/var/lib/matrix-as-telegram" = fileSystems."/var/lib/matrix-as-telegram" =
{ device = "vault/state_directories/matrix-as-telegram"; { device = "vault/state_directories/matrix-as-telegram";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/var/lib/signald" =
{ device = "vault/state_directories/signald";
fsType = "zfs";
};
fileSystems."/var/lib/wallabag" =
{ device = "vault/state_directories/wallabag";
fsType = "zfs";
};
fileSystems."/vault/git" =
{ device = "vault/git";
fsType = "zfs";
};
fileSystems."/vault/nextcloud" =
{ device = "vault/nextcloud";
fsType = "zfs";
};
fileSystems."/vault/backups" =
{ device = "vault/backups";
fsType = "zfs";
};
fileSystems."/vault/radicale" =
{ device = "vault/radicale";
fsType = "zfs";
};
fileSystems."/vault/backups/zion" =
{ device = "vault/backups/zion";
fsType = "zfs";
};
fileSystems."/vault/backups/monolith" =
{ device = "vault/backups/monolith";
fsType = "zfs";
};
fileSystems."/vault/backups/zion/databases" =
{ device = "vault/backups/zion/databases";
fsType = "zfs";
};
fileSystems."/vault/syncthing" =
{ device = "vault/syncthing";
fsType = "zfs";
};
fileSystems."/var/lib/containers" =
{ device = "vault/containers";
fsType = "zfs";
};
fileSystems."/var/lib/containers/storage/zfs-containers/1996d0540bceeb3dea027b3e5ef9e6cd94ea527ce657bf6461286d7b4afa637f/userdata/shm" =
{ device = "shm";
fsType = "tmpfs";
};
fileSystems."/var/lib/containers/storage/zfs/graph/0dc5c84e61d9dccc2f00f9ab164cd1df2ee6e6bf642b99e7d25638ee5e4fe994" =
{ device = "vault/containers/0dc5c84e61d9dccc2f00f9ab164cd1df2ee6e6bf642b99e7d25638ee5e4fe994";
fsType = "zfs";
};
swapDevices = [ ]; swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
@ -123,7 +122,7 @@
networking.useDHCP = lib.mkDefault true; networking.useDHCP = lib.mkDefault true;
# networking.interfaces.cni-podman0.useDHCP = lib.mkDefault true; # networking.interfaces.cni-podman0.useDHCP = lib.mkDefault true;
# networking.interfaces.eth0.useDHCP = lib.mkDefault true; # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
# networking.interfaces.veth65ee03c8.useDHCP = lib.mkDefault true; # networking.interfaces.vethefb4a13e.useDHCP = lib.mkDefault true;
# networking.interfaces.wg0.useDHCP = lib.mkDefault true; # networking.interfaces.wg0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true; # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
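Review bot: The new side of the second hunk adds two `fileSystems` entries for per-container state — the `zfs-containers/<hash>/userdata/shm` tmpfs and the `zfs/graph/<hash>` dataset `vault/containers/<hash>` — which exist only while that particular container is alive. The file looks like `nixos-generate-config` output regenerated with podman running (the commented veth name in the last hunk changed too), and once that container is removed these entries will likely yield mount units that fail at activation or boot. Only `fileSystems."/var/lib/containers"` on `vault/containers` belongs in the static config; the two hash-named entries should be dropped, just as the commit already drops the old `overlay`/`overlay-containers` ones in the first hunk.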


@ -31,11 +31,31 @@
# Set environment variable pointing to wallabag configuration directory # Set environment variable pointing to wallabag configuration directory
environment.variables.WALLABAG_DATA = "/var/lib/wallabag"; environment.variables.WALLABAG_DATA = "/var/lib/wallabag";
# Podman setup with ZFS
virtualisation = {
containers.enable = true;
containers.storage.settings.storage = {
driver = "zfs";
graphroot = "/var/lib/containers/storage";
runroot = "/run/containers/storage";
};
podman = {
enable = true;
dockerCompat = true;
extraPackages = with pkgs; [ zfs ];
};
# Openbooks configuration # Openbooks configuration
virtualisation.oci-containers.containers = { oci-containers = {
backend = "podman";
containers = {
openbooks = { openbooks = {
image = "evanbuss/openbooks:latest"; image = "evanbuss/openbooks:latest";
ports = [ "127.0.0.1:9000:80" ]; ports = [ "127.0.0.1:9000:80" ];
}; };
}; };
};
};
} }
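Review bot: In the new `virtualisation` block, `backend = "podman";` and the `graphroot`/`runroot` values carry no comment, so a reader cannot tell whether they are deliberate pins or copied defaults; as far as I recall the `oci-containers` backend default already depends on `system.stateVersion`, and the two paths are the rootful containers-storage defaults. A one-liner per item would settle it, e.g. `# pinned so the backend choice does not depend on stateVersion` above `backend` and `# containers-storage defaults, spelled out because the zfs driver keys off graphroot` above `graphroot`. The enclosing module attribute set starts outside the hunk.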


@ -3,23 +3,24 @@
let wireguard_port = 1194; let wireguard_port = 1194;
in { in {
# Assign a static IP # Enable systemd-networkd
networking = { networking = {
hostName = "zion"; hostName = "zion";
hostId = "4e74ea68"; hostId = "4e74ea68";
interfaces.eth0 = {
useDHCP = false; useDHCP = false;
ipv4.addresses = [{ useNetworkd = true;
address = "192.168.13.2"; dhcpcd.enable = false;
prefixLength = 24;
}];
}; };
defaultGateway = { systemd.services."systemd-networkd-wait-online".enable = false;
address = "192.168.13.1";
interface = "eth0"; # Assign a static IP
}; systemd.network.networks."24-home" = {
nameservers = [ "51.158.108.203" "137.220.55.93" ]; name = "eth0";
enableIPv6 = false; matchConfig.Name = "eth0";
address = [ "192.168.13.2/24" ];
gateway = [ "192.168.13.1" ];
dns = [ "51.158.108.203" "137.220.55.93" ];
networkConfig.DNSSEC = "no";
}; };
# Enable zeroconf # Enable zeroconf
@ -61,38 +62,47 @@ in {
''; '';
}; };
# Enable NAT for wireguard
networking.nat = {
enable = true;
externalInterface = "eth0";
internalInterfaces = [ "wg0" ];
};
# Wireguard setup # Wireguard setup
networking.wireguard.interfaces = { systemd.network.netdevs."wg0" = {
wg0 = { netdevConfig = {
ips = [ "10.8.0.1/24" ]; Kind = "wireguard";
listenPort = wireguard_port; Name = "wg0";
privateKeyFile = config.age.secrets.wireguard.path; };
peers = [ wireguardConfig = {
ListenPort = wireguard_port;
PrivateKeyFile = config.age.secrets.wireguard.path;
};
wireguardPeers = [
# panacea # panacea
{ {
publicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38="; wireguardPeerConfig = {
allowedIPs = [ "10.8.0.2/32" ]; PublicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
AllowedIPs = [ "10.8.0.2/32" ];
};
} }
# caravanserai # caravanserai
{ {
publicKey = "eeKfAgMisM3K4ZOErev05RJ9LS2NLqL4x9jyi4XhM1Q="; wireguardPeerConfig = {
allowedIPs = [ "10.8.0.3/32" ]; PublicKey = "eeKfAgMisM3K4ZOErev05RJ9LS2NLqL4x9jyi4XhM1Q=";
AllowedIPs = [ "10.8.0.3/32" ];
};
} }
]; ];
}; };
systemd.network.networks."wg0" = {
matchConfig.Name = "wg0";
networkConfig = {
Address = "10.8.0.1/24";
IPForward = true;
IPMasquerade = "ipv4";
};
}; };
# DNS server with ad-block # DNS server with ad-block
services.dnsmasq = { services.dnsmasq = {
enable = true; enable = true;
servers = config.networking.nameservers; servers = config.systemd.network.networks."24-home".dns;
extraConfig = '' extraConfig = ''
domain-needed domain-needed
bogus-priv bogus-priv
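Review bot: The first hunk removes `enableIPv6 = false;` from the old `networking` block without a networkd counterpart, so after this commit eth0 gets networkd's default IPv6 link-local addressing and router-advertisement handling while everything else on the new side (static v4 address, `IPMasquerade = "ipv4"`, v4-only dnsmasq upstreams) still assumes a v4-only host. If that is not intentional, keep `networking.enableIPv6 = false;` next to `useNetworkd = true;`, or add `networkConfig.IPv6AcceptRA = false;` and `networkConfig.LinkLocalAddressing = "ipv4";` to `systemd.network.networks."24-home"`. `networkConfig.DNSSEC = "no";` on the same unit also deserves a one-line comment, since it silently turns off validation should systemd-resolved ever be enabled here. The `in { ... }` set enclosing both hunks closes outside the hunk.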