Compare commits
3 Commits
7e9e114516
...
d564a94aa7
Author | SHA1 | Date |
---|---|---|
coolneng | d564a94aa7 | |
coolneng | 39e2d8f4e5 | |
coolneng | 663e5cb739 |
|
@ -105,7 +105,11 @@ with pkgs;
|
|||
|
||||
# Specify secrets
|
||||
age = {
|
||||
secrets.wireguard.file = secrets/wireguard.age;
|
||||
secrets.wireguard = {
|
||||
file = secrets/wireguard.age;
|
||||
owner = "systemd-network";
|
||||
group = "systemd-network";
|
||||
};
|
||||
secrets.syncthing.file = secrets/syncthing.age;
|
||||
secrets.msmtp.file = secrets/msmtp.age;
|
||||
secrets.gitea = {
|
||||
|
@ -167,6 +171,9 @@ with pkgs;
|
|||
};
|
||||
};
|
||||
|
||||
# Disable man pages
|
||||
documentation.man.enable = false;
|
||||
|
||||
# Import other configuration modules
|
||||
imports = [
|
||||
./modules/hardware-configuration.nix
|
||||
|
|
|
@ -23,82 +23,11 @@
|
|||
fsType = "vfat";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/containers/storage/overlay" =
|
||||
{ device = "/var/lib/containers/storage/overlay";
|
||||
fsType = "none";
|
||||
options = [ "bind" ];
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/containers/storage/overlay-containers/dba1864ff1473b3ba5fddd103f9cfff67334fbcc5c99c42b619e8a6d88776061/userdata/shm" =
|
||||
{ device = "shm";
|
||||
fsType = "tmpfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/containers/storage/overlay/1990fed1fbfbe8dc75ded251c84e8d82700fef0f01e8ead81916cadc5ec2cac1/merged" =
|
||||
{ device = "overlay";
|
||||
fsType = "overlay";
|
||||
};
|
||||
|
||||
fileSystems."/vault" =
|
||||
{ device = "vault";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/vault/radicale" =
|
||||
{ device = "vault/radicale";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/vault/syncthing" =
|
||||
{ device = "vault/syncthing";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/vault/backups" =
|
||||
{ device = "vault/backups";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/vault/git" =
|
||||
{ device = "vault/git";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/vault/nextcloud" =
|
||||
{ device = "vault/nextcloud";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/vault/backups/monolith" =
|
||||
{ device = "vault/backups/monolith";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/vault/backups/zion" =
|
||||
{ device = "vault/backups/zion";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/vault/backups/zion/databases" =
|
||||
{ device = "vault/backups/zion/databases";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/wallabag" =
|
||||
{ device = "vault/state_directories/wallabag";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/gitea" =
|
||||
{ device = "vault/state_directories/gitea";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/signald" =
|
||||
{ device = "vault/state_directories/signald";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/matrix-as-signal" =
|
||||
{ device = "vault/state_directories/matrix-as-signal";
|
||||
fsType = "zfs";
|
||||
|
@ -109,11 +38,81 @@
|
|||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/gitea" =
|
||||
{ device = "vault/state_directories/gitea";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/matrix-as-telegram" =
|
||||
{ device = "vault/state_directories/matrix-as-telegram";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/signald" =
|
||||
{ device = "vault/state_directories/signald";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/wallabag" =
|
||||
{ device = "vault/state_directories/wallabag";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/vault/git" =
|
||||
{ device = "vault/git";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/vault/nextcloud" =
|
||||
{ device = "vault/nextcloud";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/vault/backups" =
|
||||
{ device = "vault/backups";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/vault/radicale" =
|
||||
{ device = "vault/radicale";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/vault/backups/zion" =
|
||||
{ device = "vault/backups/zion";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/vault/backups/monolith" =
|
||||
{ device = "vault/backups/monolith";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/vault/backups/zion/databases" =
|
||||
{ device = "vault/backups/zion/databases";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/vault/syncthing" =
|
||||
{ device = "vault/syncthing";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/containers" =
|
||||
{ device = "vault/containers";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/containers/storage/zfs-containers/1996d0540bceeb3dea027b3e5ef9e6cd94ea527ce657bf6461286d7b4afa637f/userdata/shm" =
|
||||
{ device = "shm";
|
||||
fsType = "tmpfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/containers/storage/zfs/graph/0dc5c84e61d9dccc2f00f9ab164cd1df2ee6e6bf642b99e7d25638ee5e4fe994" =
|
||||
{ device = "vault/containers/0dc5c84e61d9dccc2f00f9ab164cd1df2ee6e6bf642b99e7d25638ee5e4fe994";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
|
@ -123,7 +122,7 @@
|
|||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.cni-podman0.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.eth0.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.veth65ee03c8.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.vethefb4a13e.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.wg0.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
|
||||
|
||||
|
|
|
@ -31,11 +31,31 @@
|
|||
# Set environment variable pointing to wallabag configuration directory
|
||||
environment.variables.WALLABAG_DATA = "/var/lib/wallabag";
|
||||
|
||||
# Podman setup with ZFS
|
||||
virtualisation = {
|
||||
containers.enable = true;
|
||||
containers.storage.settings.storage = {
|
||||
driver = "zfs";
|
||||
graphroot = "/var/lib/containers/storage";
|
||||
runroot = "/run/containers/storage";
|
||||
};
|
||||
|
||||
podman = {
|
||||
enable = true;
|
||||
dockerCompat = true;
|
||||
extraPackages = with pkgs; [ zfs ];
|
||||
};
|
||||
|
||||
# Openbooks configuration
|
||||
virtualisation.oci-containers.containers = {
|
||||
oci-containers = {
|
||||
backend = "podman";
|
||||
containers = {
|
||||
openbooks = {
|
||||
image = "evanbuss/openbooks:latest";
|
||||
ports = [ "127.0.0.1:9000:80" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
@ -3,23 +3,24 @@
|
|||
let wireguard_port = 1194;
|
||||
|
||||
in {
|
||||
# Assign a static IP
|
||||
# Enable systemd-networkd
|
||||
networking = {
|
||||
hostName = "zion";
|
||||
hostId = "4e74ea68";
|
||||
interfaces.eth0 = {
|
||||
useDHCP = false;
|
||||
ipv4.addresses = [{
|
||||
address = "192.168.13.2";
|
||||
prefixLength = 24;
|
||||
}];
|
||||
useNetworkd = true;
|
||||
dhcpcd.enable = false;
|
||||
};
|
||||
defaultGateway = {
|
||||
address = "192.168.13.1";
|
||||
interface = "eth0";
|
||||
};
|
||||
nameservers = [ "51.158.108.203" "137.220.55.93" ];
|
||||
enableIPv6 = false;
|
||||
systemd.services."systemd-networkd-wait-online".enable = false;
|
||||
|
||||
# Assign a static IP
|
||||
systemd.network.networks."24-home" = {
|
||||
name = "eth0";
|
||||
matchConfig.Name = "eth0";
|
||||
address = [ "192.168.13.2/24" ];
|
||||
gateway = [ "192.168.13.1" ];
|
||||
dns = [ "51.158.108.203" "137.220.55.93" ];
|
||||
networkConfig.DNSSEC = "no";
|
||||
};
|
||||
|
||||
# Enable zeroconf
|
||||
|
@ -61,38 +62,47 @@ in {
|
|||
'';
|
||||
};
|
||||
|
||||
# Enable NAT for wireguard
|
||||
networking.nat = {
|
||||
enable = true;
|
||||
externalInterface = "eth0";
|
||||
internalInterfaces = [ "wg0" ];
|
||||
};
|
||||
|
||||
# Wireguard setup
|
||||
networking.wireguard.interfaces = {
|
||||
wg0 = {
|
||||
ips = [ "10.8.0.1/24" ];
|
||||
listenPort = wireguard_port;
|
||||
privateKeyFile = config.age.secrets.wireguard.path;
|
||||
peers = [
|
||||
systemd.network.netdevs."wg0" = {
|
||||
netdevConfig = {
|
||||
Kind = "wireguard";
|
||||
Name = "wg0";
|
||||
};
|
||||
wireguardConfig = {
|
||||
ListenPort = wireguard_port;
|
||||
PrivateKeyFile = config.age.secrets.wireguard.path;
|
||||
};
|
||||
wireguardPeers = [
|
||||
# panacea
|
||||
{
|
||||
publicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
|
||||
allowedIPs = [ "10.8.0.2/32" ];
|
||||
wireguardPeerConfig = {
|
||||
PublicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
|
||||
AllowedIPs = [ "10.8.0.2/32" ];
|
||||
};
|
||||
}
|
||||
# caravanserai
|
||||
{
|
||||
publicKey = "eeKfAgMisM3K4ZOErev05RJ9LS2NLqL4x9jyi4XhM1Q=";
|
||||
allowedIPs = [ "10.8.0.3/32" ];
|
||||
wireguardPeerConfig = {
|
||||
PublicKey = "eeKfAgMisM3K4ZOErev05RJ9LS2NLqL4x9jyi4XhM1Q=";
|
||||
AllowedIPs = [ "10.8.0.3/32" ];
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
systemd.network.networks."wg0" = {
|
||||
matchConfig.Name = "wg0";
|
||||
networkConfig = {
|
||||
Address = "10.8.0.1/24";
|
||||
IPForward = true;
|
||||
IPMasquerade = "ipv4";
|
||||
};
|
||||
};
|
||||
|
||||
# DNS server with ad-block
|
||||
services.dnsmasq = {
|
||||
enable = true;
|
||||
servers = config.networking.nameservers;
|
||||
servers = config.systemd.network.networks."24-home".dns;
|
||||
extraConfig = ''
|
||||
domain-needed
|
||||
bogus-priv
|
||||
|
|
Loading…
Reference in New Issue