Compare commits
3 Commits
7e9e114516
...
d564a94aa7
Author | SHA1 | Date |
---|---|---|
coolneng | d564a94aa7 | |
coolneng | 39e2d8f4e5 | |
coolneng | 663e5cb739 |
|
@ -105,7 +105,11 @@ with pkgs;
|
||||||
|
|
||||||
# Specify secrets
|
# Specify secrets
|
||||||
age = {
|
age = {
|
||||||
secrets.wireguard.file = secrets/wireguard.age;
|
secrets.wireguard = {
|
||||||
|
file = secrets/wireguard.age;
|
||||||
|
owner = "systemd-network";
|
||||||
|
group = "systemd-network";
|
||||||
|
};
|
||||||
secrets.syncthing.file = secrets/syncthing.age;
|
secrets.syncthing.file = secrets/syncthing.age;
|
||||||
secrets.msmtp.file = secrets/msmtp.age;
|
secrets.msmtp.file = secrets/msmtp.age;
|
||||||
secrets.gitea = {
|
secrets.gitea = {
|
||||||
|
@ -167,6 +171,9 @@ with pkgs;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Disable man pages
|
||||||
|
documentation.man.enable = false;
|
||||||
|
|
||||||
# Import other configuration modules
|
# Import other configuration modules
|
||||||
imports = [
|
imports = [
|
||||||
./modules/hardware-configuration.nix
|
./modules/hardware-configuration.nix
|
||||||
|
|
|
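Review bot: The new `secrets.wireguard` block sets `owner` and `group` to `systemd-network` but leaves `mode` at the secrets module's default (0400 if this is agenix, which the `.age` files suggest), so whether the private key ends up group-readable depends on that default rather than on anything in this file; making it explicit with `mode = "0400";` next to `group` pins the intent, and `group` becomes redundant then. A one-line comment above the block would also record why this secret, unlike `syncthing`, `msmtp` and `gitea`, is not root-owned, e.g. `# Read by systemd-networkd (runs as systemd-network) via PrivateKeyFile`. The enclosing `age` attribute set continues past the end of the hunk.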
@ -23,82 +23,11 @@
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/var/lib/containers/storage/overlay" =
|
|
||||||
{ device = "/var/lib/containers/storage/overlay";
|
|
||||||
fsType = "none";
|
|
||||||
options = [ "bind" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/var/lib/containers/storage/overlay-containers/dba1864ff1473b3ba5fddd103f9cfff67334fbcc5c99c42b619e8a6d88776061/userdata/shm" =
|
|
||||||
{ device = "shm";
|
|
||||||
fsType = "tmpfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/var/lib/containers/storage/overlay/1990fed1fbfbe8dc75ded251c84e8d82700fef0f01e8ead81916cadc5ec2cac1/merged" =
|
|
||||||
{ device = "overlay";
|
|
||||||
fsType = "overlay";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/vault" =
|
fileSystems."/vault" =
|
||||||
{ device = "vault";
|
{ device = "vault";
|
||||||
fsType = "zfs";
|
fsType = "zfs";
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/vault/radicale" =
|
|
||||||
{ device = "vault/radicale";
|
|
||||||
fsType = "zfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/vault/syncthing" =
|
|
||||||
{ device = "vault/syncthing";
|
|
||||||
fsType = "zfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/vault/backups" =
|
|
||||||
{ device = "vault/backups";
|
|
||||||
fsType = "zfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/vault/git" =
|
|
||||||
{ device = "vault/git";
|
|
||||||
fsType = "zfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/vault/nextcloud" =
|
|
||||||
{ device = "vault/nextcloud";
|
|
||||||
fsType = "zfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/vault/backups/monolith" =
|
|
||||||
{ device = "vault/backups/monolith";
|
|
||||||
fsType = "zfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/vault/backups/zion" =
|
|
||||||
{ device = "vault/backups/zion";
|
|
||||||
fsType = "zfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/vault/backups/zion/databases" =
|
|
||||||
{ device = "vault/backups/zion/databases";
|
|
||||||
fsType = "zfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/var/lib/wallabag" =
|
|
||||||
{ device = "vault/state_directories/wallabag";
|
|
||||||
fsType = "zfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/var/lib/gitea" =
|
|
||||||
{ device = "vault/state_directories/gitea";
|
|
||||||
fsType = "zfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/var/lib/signald" =
|
|
||||||
{ device = "vault/state_directories/signald";
|
|
||||||
fsType = "zfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/var/lib/matrix-as-signal" =
|
fileSystems."/var/lib/matrix-as-signal" =
|
||||||
{ device = "vault/state_directories/matrix-as-signal";
|
{ device = "vault/state_directories/matrix-as-signal";
|
||||||
fsType = "zfs";
|
fsType = "zfs";
|
||||||
|
@ -109,11 +38,81 @@
|
||||||
fsType = "zfs";
|
fsType = "zfs";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
fileSystems."/var/lib/gitea" =
|
||||||
|
{ device = "vault/state_directories/gitea";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
fileSystems."/var/lib/matrix-as-telegram" =
|
fileSystems."/var/lib/matrix-as-telegram" =
|
||||||
{ device = "vault/state_directories/matrix-as-telegram";
|
{ device = "vault/state_directories/matrix-as-telegram";
|
||||||
fsType = "zfs";
|
fsType = "zfs";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
fileSystems."/var/lib/signald" =
|
||||||
|
{ device = "vault/state_directories/signald";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/var/lib/wallabag" =
|
||||||
|
{ device = "vault/state_directories/wallabag";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/vault/git" =
|
||||||
|
{ device = "vault/git";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/vault/nextcloud" =
|
||||||
|
{ device = "vault/nextcloud";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/vault/backups" =
|
||||||
|
{ device = "vault/backups";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/vault/radicale" =
|
||||||
|
{ device = "vault/radicale";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/vault/backups/zion" =
|
||||||
|
{ device = "vault/backups/zion";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/vault/backups/monolith" =
|
||||||
|
{ device = "vault/backups/monolith";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/vault/backups/zion/databases" =
|
||||||
|
{ device = "vault/backups/zion/databases";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/vault/syncthing" =
|
||||||
|
{ device = "vault/syncthing";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/var/lib/containers" =
|
||||||
|
{ device = "vault/containers";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/var/lib/containers/storage/zfs-containers/1996d0540bceeb3dea027b3e5ef9e6cd94ea527ce657bf6461286d7b4afa637f/userdata/shm" =
|
||||||
|
{ device = "shm";
|
||||||
|
fsType = "tmpfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/var/lib/containers/storage/zfs/graph/0dc5c84e61d9dccc2f00f9ab164cd1df2ee6e6bf642b99e7d25638ee5e4fe994" =
|
||||||
|
{ device = "vault/containers/0dc5c84e61d9dccc2f00f9ab164cd1df2ee6e6bf642b99e7d25638ee5e4fe994";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
swapDevices = [ ];
|
swapDevices = [ ];
|
||||||
|
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
|
@ -123,7 +122,7 @@
|
||||||
networking.useDHCP = lib.mkDefault true;
|
networking.useDHCP = lib.mkDefault true;
|
||||||
# networking.interfaces.cni-podman0.useDHCP = lib.mkDefault true;
|
# networking.interfaces.cni-podman0.useDHCP = lib.mkDefault true;
|
||||||
# networking.interfaces.eth0.useDHCP = lib.mkDefault true;
|
# networking.interfaces.eth0.useDHCP = lib.mkDefault true;
|
||||||
# networking.interfaces.veth65ee03c8.useDHCP = lib.mkDefault true;
|
# networking.interfaces.vethefb4a13e.useDHCP = lib.mkDefault true;
|
||||||
# networking.interfaces.wg0.useDHCP = lib.mkDefault true;
|
# networking.interfaces.wg0.useDHCP = lib.mkDefault true;
|
||||||
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
|
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
|
||||||
|
|
||||||
|
|
|
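Review bot: The hunk at `@ -109,11 +38,81 @@` adds two container-specific entries, `fileSystems."/var/lib/containers/storage/zfs-containers/1996d054…/userdata/shm"` and `fileSystems."/var/lib/containers/storage/zfs/graph/0dc5c84e…"`, which appear to be transient podman mounts picked up by nixos-generate-config rather than hardware; the overlay entries removed in this file's first hunk were the same class and had already gone stale once. Once podman removes that container or layer, the `vault/containers/0dc5c84e…` dataset no longer exists and the mount unit fails at boot, and with no `nofail` option that can leave the host in emergency mode, so both entries should be dropped and only `fileSystems."/var/lib/containers"` kept (podman creates the per-container mounts itself). Since this file gets regenerated, a comment above the `/var/lib/containers` entry such as `# Do not list per-container datasets here; podman mounts them at runtime` would stop the pattern recurring. The remaining lines in the hunk reorder existing entries and need no change.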
@ -31,11 +31,31 @@
|
||||||
# Set environment variable pointing to wallabag configuration directory
|
# Set environment variable pointing to wallabag configuration directory
|
||||||
environment.variables.WALLABAG_DATA = "/var/lib/wallabag";
|
environment.variables.WALLABAG_DATA = "/var/lib/wallabag";
|
||||||
|
|
||||||
# Openbooks configuration
|
# Podman setup with ZFS
|
||||||
virtualisation.oci-containers.containers = {
|
virtualisation = {
|
||||||
openbooks = {
|
containers.enable = true;
|
||||||
image = "evanbuss/openbooks:latest";
|
containers.storage.settings.storage = {
|
||||||
ports = [ "127.0.0.1:9000:80" ];
|
driver = "zfs";
|
||||||
|
graphroot = "/var/lib/containers/storage";
|
||||||
|
runroot = "/run/containers/storage";
|
||||||
|
};
|
||||||
|
|
||||||
|
podman = {
|
||||||
|
enable = true;
|
||||||
|
dockerCompat = true;
|
||||||
|
extraPackages = with pkgs; [ zfs ];
|
||||||
|
};
|
||||||
|
|
||||||
|
# Openbooks configuration
|
||||||
|
oci-containers = {
|
||||||
|
backend = "podman";
|
||||||
|
containers = {
|
||||||
|
openbooks = {
|
||||||
|
image = "evanbuss/openbooks:latest";
|
||||||
|
ports = [ "127.0.0.1:9000:80" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
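Review bot: `containers.storage.settings.storage.driver = "zfs"` switches the graph driver of a store that, judging by the overlay mounts removed from the hardware configuration elsewhere in this compare, was previously populated by the overlay driver; podman normally refuses to start when the driver recorded in an existing `graphroot` differs from the configured one, so the switch needs `/var/lib/containers/storage` cleared or a fresh dataset before activation, and a comment should say so: `# graphroot must be empty when changing driver; podman does not migrate overlay storage`. Separately, `openbooks` is still pulled as `evanbuss/openbooks:latest` with no digest, so the running image can change underneath the declarative config; pinning it as `image = "evanbuss/openbooks@sha256:<DIGEST>"` (placeholder) would make the deployment reproducible and reviewable. The `virtualisation` set opened in this hunk closes at its end.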
@ -3,23 +3,24 @@
|
||||||
let wireguard_port = 1194;
|
let wireguard_port = 1194;
|
||||||
|
|
||||||
in {
|
in {
|
||||||
# Assign a static IP
|
# Enable systemd-networkd
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "zion";
|
hostName = "zion";
|
||||||
hostId = "4e74ea68";
|
hostId = "4e74ea68";
|
||||||
interfaces.eth0 = {
|
useDHCP = false;
|
||||||
useDHCP = false;
|
useNetworkd = true;
|
||||||
ipv4.addresses = [{
|
dhcpcd.enable = false;
|
||||||
address = "192.168.13.2";
|
};
|
||||||
prefixLength = 24;
|
systemd.services."systemd-networkd-wait-online".enable = false;
|
||||||
}];
|
|
||||||
};
|
# Assign a static IP
|
||||||
defaultGateway = {
|
systemd.network.networks."24-home" = {
|
||||||
address = "192.168.13.1";
|
name = "eth0";
|
||||||
interface = "eth0";
|
matchConfig.Name = "eth0";
|
||||||
};
|
address = [ "192.168.13.2/24" ];
|
||||||
nameservers = [ "51.158.108.203" "137.220.55.93" ];
|
gateway = [ "192.168.13.1" ];
|
||||||
enableIPv6 = false;
|
dns = [ "51.158.108.203" "137.220.55.93" ];
|
||||||
|
networkConfig.DNSSEC = "no";
|
||||||
};
|
};
|
||||||
|
|
||||||
# Enable zeroconf
|
# Enable zeroconf
|
||||||
|
@ -61,38 +62,47 @@ in {
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
# Enable NAT for wireguard
|
# Wireguard setup
|
||||||
networking.nat = {
|
systemd.network.netdevs."wg0" = {
|
||||||
enable = true;
|
netdevConfig = {
|
||||||
externalInterface = "eth0";
|
Kind = "wireguard";
|
||||||
internalInterfaces = [ "wg0" ];
|
Name = "wg0";
|
||||||
|
};
|
||||||
|
wireguardConfig = {
|
||||||
|
ListenPort = wireguard_port;
|
||||||
|
PrivateKeyFile = config.age.secrets.wireguard.path;
|
||||||
|
};
|
||||||
|
wireguardPeers = [
|
||||||
|
# panacea
|
||||||
|
{
|
||||||
|
wireguardPeerConfig = {
|
||||||
|
PublicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
|
||||||
|
AllowedIPs = [ "10.8.0.2/32" ];
|
||||||
|
};
|
||||||
|
}
|
||||||
|
# caravanserai
|
||||||
|
{
|
||||||
|
wireguardPeerConfig = {
|
||||||
|
PublicKey = "eeKfAgMisM3K4ZOErev05RJ9LS2NLqL4x9jyi4XhM1Q=";
|
||||||
|
AllowedIPs = [ "10.8.0.3/32" ];
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
# Wireguard setup
|
systemd.network.networks."wg0" = {
|
||||||
networking.wireguard.interfaces = {
|
matchConfig.Name = "wg0";
|
||||||
wg0 = {
|
networkConfig = {
|
||||||
ips = [ "10.8.0.1/24" ];
|
Address = "10.8.0.1/24";
|
||||||
listenPort = wireguard_port;
|
IPForward = true;
|
||||||
privateKeyFile = config.age.secrets.wireguard.path;
|
IPMasquerade = "ipv4";
|
||||||
peers = [
|
|
||||||
# panacea
|
|
||||||
{
|
|
||||||
publicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
|
|
||||||
allowedIPs = [ "10.8.0.2/32" ];
|
|
||||||
}
|
|
||||||
# caravanserai
|
|
||||||
{
|
|
||||||
publicKey = "eeKfAgMisM3K4ZOErev05RJ9LS2NLqL4x9jyi4XhM1Q=";
|
|
||||||
allowedIPs = [ "10.8.0.3/32" ];
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# DNS server with ad-block
|
# DNS server with ad-block
|
||||||
services.dnsmasq = {
|
services.dnsmasq = {
|
||||||
enable = true;
|
enable = true;
|
||||||
servers = config.networking.nameservers;
|
servers = config.systemd.network.networks."24-home".dns;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
domain-needed
|
domain-needed
|
||||||
bogus-priv
|
bogus-priv
|
||||||
|
|
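Review bot: In `systemd.network.networks."wg0"`, `IPForward = true` is a system-wide setting in networkd (it toggles the global forwarding sysctl rather than per-link forwarding), so eth0 forwards as well, and `IPMasquerade = "ipv4"` masquerades everything arriving from wg0 with no forward filtering shown; the removed `networking.nat` block behaved the same way, but nothing in either version restricts which LAN hosts a peer may reach, so if that is intended a comment should say so: `# Forwarding is global; wg0 peers can reach all of 192.168.13.0/24`. The UDP listener on `wireguard_port` is not opened in the firewall in either the old or the new version of this file, so presumably that lives elsewhere and is worth confirming after the move away from `networking.wireguard`. `PrivateKeyFile` is now read by networkd's own unprivileged user, which is why the secret's ownership changes in the other module; a comment next to `PrivateKeyFile` naming that dependency would keep the two files from drifting. In the earlier hunk of this file, `networkConfig.DNSSEC = "no"` disables validation on the link without stating why; a one-line reason would help the next reader.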