3 Commits

coolneng 7e9e114516
Disable man pages 2022-12-20 15:43:52 +01:00
coolneng 39ff4ee9e8
Migrate to systemd-networkd 2022-12-20 15:04:11 +01:00
coolneng 5da50e5290
Use ZFS storage driver for containers 2022-12-20 14:03:09 +01:00
4 changed files with 125 additions and 89 deletions


@ -105,7 +105,11 @@ with pkgs;
# Specify secrets
age = {
secrets.wireguard.file = secrets/wireguard.age;
secrets.wireguard = {
file = secrets/wireguard.age;
owner = "systemd-network";
group = "systemd-network";
};
secrets.syncthing.file = secrets/syncthing.age;
secrets.msmtp.file = secrets/msmtp.age;
secrets.gitea = {
@ -167,6 +171,9 @@ with pkgs;
};
};
# Disable man pages
documentation.man.enable = false;
# Import other configuration modules
imports = [
./modules/hardware-configuration.nix
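Review bot: The new `owner`/`group` lines on `secrets.wireguard` in the @ -105,7 +105,11 hunk carry no explanation, and since they hand the WireGuard private key to a non-root service account, a later reader needs to know why before widening or reverting them. A one-line comment above the block would record the reason: `# private key is read by systemd-networkd (PrivateKeyFile=), which runs as systemd-network`. The `age = { … }` attribute set this sits in continues outside the hunk (`secrets.gitea = {` is still open at its end).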


@ -23,39 +23,38 @@
fsType = "vfat";
};
fileSystems."/var/lib/containers/storage/overlay" =
{ device = "/var/lib/containers/storage/overlay";
fsType = "none";
options = [ "bind" ];
};
fileSystems."/var/lib/containers/storage/overlay-containers/dba1864ff1473b3ba5fddd103f9cfff67334fbcc5c99c42b619e8a6d88776061/userdata/shm" =
{ device = "shm";
fsType = "tmpfs";
};
fileSystems."/var/lib/containers/storage/overlay/1990fed1fbfbe8dc75ded251c84e8d82700fef0f01e8ead81916cadc5ec2cac1/merged" =
{ device = "overlay";
fsType = "overlay";
};
fileSystems."/vault" =
{ device = "vault";
fsType = "zfs";
};
fileSystems."/vault/radicale" =
{ device = "vault/radicale";
fileSystems."/var/lib/signald" =
{ device = "vault/state_directories/signald";
fsType = "zfs";
};
fileSystems."/vault/syncthing" =
{ device = "vault/syncthing";
fileSystems."/var/lib/gitea" =
{ device = "vault/state_directories/gitea";
fsType = "zfs";
};
fileSystems."/vault/backups" =
{ device = "vault/backups";
fileSystems."/var/lib/wallabag" =
{ device = "vault/state_directories/wallabag";
fsType = "zfs";
};
fileSystems."/var/lib/matrix-as-telegram" =
{ device = "vault/state_directories/matrix-as-telegram";
fsType = "zfs";
};
fileSystems."/var/lib/matrix-as-signal" =
{ device = "vault/state_directories/matrix-as-signal";
fsType = "zfs";
};
fileSystems."/var/lib/matrix-as-facebook" =
{ device = "vault/state_directories/matrix-as-facebook";
fsType = "zfs";
};
@ -69,6 +68,21 @@
fsType = "zfs";
};
fileSystems."/vault/backups" =
{ device = "vault/backups";
fsType = "zfs";
};
fileSystems."/vault/radicale" =
{ device = "vault/radicale";
fsType = "zfs";
};
fileSystems."/vault/syncthing" =
{ device = "vault/syncthing";
fsType = "zfs";
};
fileSystems."/vault/backups/monolith" =
{ device = "vault/backups/monolith";
fsType = "zfs";
@ -84,33 +98,18 @@
fsType = "zfs";
};
fileSystems."/var/lib/wallabag" =
{ device = "vault/state_directories/wallabag";
fileSystems."/var/lib/containers" =
{ device = "vault/containers";
fsType = "zfs";
};
fileSystems."/var/lib/gitea" =
{ device = "vault/state_directories/gitea";
fsType = "zfs";
fileSystems."/var/lib/containers/storage/zfs-containers/7521f1406d193340f67dfea6538f5ba05b19c61f757917f13e12b70287841045/userdata/shm" =
{ device = "shm";
fsType = "tmpfs";
};
fileSystems."/var/lib/signald" =
{ device = "vault/state_directories/signald";
fsType = "zfs";
};
fileSystems."/var/lib/matrix-as-signal" =
{ device = "vault/state_directories/matrix-as-signal";
fsType = "zfs";
};
fileSystems."/var/lib/matrix-as-facebook" =
{ device = "vault/state_directories/matrix-as-facebook";
fsType = "zfs";
};
fileSystems."/var/lib/matrix-as-telegram" =
{ device = "vault/state_directories/matrix-as-telegram";
fileSystems."/var/lib/containers/storage/zfs/graph/6bf2a36ab4d55af9e693f55018f5b2fd38b6aae285183b8680969f5820bd0be9" =
{ device = "vault/containers/6bf2a36ab4d55af9e693f55018f5b2fd38b6aae285183b8680969f5820bd0be9";
fsType = "zfs";
};
@ -123,7 +122,7 @@
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.cni-podman0.useDHCP = lib.mkDefault true;
# networking.interfaces.eth0.useDHCP = lib.mkDefault true;
# networking.interfaces.veth65ee03c8.useDHCP = lib.mkDefault true;
# networking.interfaces.veth8009136e.useDHCP = lib.mkDefault true;
# networking.interfaces.wg0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
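Review bot: The two per-container entries on the new side of the @ -84,33 +98,18 hunk — `fileSystems."/var/lib/containers/storage/zfs-containers/7521f1…/userdata/shm"` (tmpfs) and `fileSystems."/var/lib/containers/storage/zfs/graph/6bf2a3…"` (device `vault/containers/6bf2a3…`) — look like podman's own runtime mounts captured by nixos-generate-config rather than hardware layout. Podman creates and destroys those datasets and shm mounts itself as containers come and go, so a declared `fileSystems` entry ties boot to one container ID and, without `nofail`, a dataset that no longer exists can block local-fs.target. I would drop both and keep only `fileSystems."/var/lib/containers" = { device = "vault/containers"; fsType = "zfs"; };`, which is the mount the configured `graphroot` actually depends on. The same class of entry (`overlay-containers/…/userdata/shm`, `overlay/…/merged`) is being removed in the @ -23,39 +23,38 hunk, so the new driver is re-introducing the pattern rather than fixing it.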


@ -31,11 +31,31 @@
# Set environment variable pointing to wallabag configuration directory
environment.variables.WALLABAG_DATA = "/var/lib/wallabag";
# Openbooks configuration
virtualisation.oci-containers.containers = {
openbooks = {
image = "evanbuss/openbooks:latest";
ports = [ "127.0.0.1:9000:80" ];
# Podman setup with ZFS
virtualisation = {
containers.enable = true;
containers.storage.settings.storage = {
driver = "zfs";
graphroot = "/var/lib/containers/storage";
runroot = "/run/containers/storage";
};
podman = {
enable = true;
dockerCompat = true;
extraPackages = with pkgs; [ zfs ];
};
# Openbooks configuration
oci-containers = {
backend = "podman";
containers = {
openbooks = {
image = "evanbuss/openbooks:latest";
ports = [ "127.0.0.1:9000:80" ];
};
};
};
};
}
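Review bot: The openbooks container on the new side is still pulled by the mutable `latest` tag (`image = "evanbuss/openbooks:latest";`), so the image this host runs changes whenever upstream retags and cannot be reproduced from the repository; pinning a version tag or digest, e.g. `image = "evanbuss/openbooks:<version>";` or `image = "evanbuss/openbooks@sha256:<digest>";` with placeholders filled in, would fix that. That line predates this commit, but the block is rewritten here under an explicit podman/ZFS backend, so it is the right moment. The new `extraPackages = with pkgs; [ zfs ];` line would also benefit from a why-comment such as `# zfs storage driver needs the zfs CLI available to podman` — I believe that is the reason, but confirm. The enclosing module starts outside the hunk; only its closing `}` is visible.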


@ -3,23 +3,24 @@
let wireguard_port = 1194;
in {
# Assign a static IP
# Enable systemd-networkd
networking = {
hostName = "zion";
hostId = "4e74ea68";
interfaces.eth0 = {
useDHCP = false;
ipv4.addresses = [{
address = "192.168.13.2";
prefixLength = 24;
}];
};
defaultGateway = {
address = "192.168.13.1";
interface = "eth0";
};
nameservers = [ "51.158.108.203" "137.220.55.93" ];
enableIPv6 = false;
useDHCP = false;
useNetworkd = true;
dhcpcd.enable = false;
};
systemd.services."systemd-networkd-wait-online".enable = false;
# Assign a static IP
systemd.network.networks."24-home" = {
name = "eth0";
matchConfig.Name = "eth0";
address = [ "192.168.13.2/24" ];
gateway = [ "192.168.13.1" ];
dns = [ "51.158.108.203" "137.220.55.93" ];
networkConfig.DNSSEC = "no";
};
# Enable zeroconf
@ -61,38 +62,47 @@ in {
'';
};
# Enable NAT for wireguard
networking.nat = {
enable = true;
externalInterface = "eth0";
internalInterfaces = [ "wg0" ];
# Wireguard setup
systemd.network.netdevs."wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
};
wireguardConfig = {
ListenPort = wireguard_port;
PrivateKeyFile = config.age.secrets.wireguard.path;
};
wireguardPeers = [
# panacea
{
wireguardPeerConfig = {
PublicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
AllowedIPs = [ "10.8.0.2/32" ];
};
}
# caravanserai
{
wireguardPeerConfig = {
PublicKey = "eeKfAgMisM3K4ZOErev05RJ9LS2NLqL4x9jyi4XhM1Q=";
AllowedIPs = [ "10.8.0.3/32" ];
};
}
];
};
# Wireguard setup
networking.wireguard.interfaces = {
wg0 = {
ips = [ "10.8.0.1/24" ];
listenPort = wireguard_port;
privateKeyFile = config.age.secrets.wireguard.path;
peers = [
# panacea
{
publicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
allowedIPs = [ "10.8.0.2/32" ];
}
# caravanserai
{
publicKey = "eeKfAgMisM3K4ZOErev05RJ9LS2NLqL4x9jyi4XhM1Q=";
allowedIPs = [ "10.8.0.3/32" ];
}
];
systemd.network.networks."wg0" = {
matchConfig.Name = "wg0";
networkConfig = {
Address = "10.8.0.1/24";
IPForward = true;
IPMasquerade = "ipv4";
};
};
# DNS server with ad-block
services.dnsmasq = {
enable = true;
servers = config.networking.nameservers;
servers = config.systemd.network.networks."24-home".dns;
extraConfig = ''
domain-needed
bogus-priv