config wiregrill: split into server and client

This commit is contained in:
makefu 2023-10-02 21:28:05 +02:00
parent 2bccacd650
commit bcce7262a7
No known key found for this signature in database
GPG key ID: 36F7711F3FC0F225
8 changed files with 52 additions and 25 deletions


@ -3,13 +3,8 @@ let
in {
services.nginx.recommendedProxySettings = true;
services.nginx.virtualHosts."hass" = {
serverAliases = [ "hass.lan" "ha" "ha.lan" ];
serverAliases = [ "hass.lan" "ha" "ha.lan" "hass.omo.w" "hass.omo.r" ];
locations."/".proxyPass = "http://localhost:8123";
locations."/".proxyWebsockets = true;
extraConfig = ''
if ( $server_addr != "${internal-ip}" ) {
return 403;
}
'';
};
}
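Review bot: The two new aliases `hass.omo.w` and `hass.omo.r` on the serverAliases line may never be served, because the extraConfig guard below still returns 403 for any request whose `$server_addr` is not `${internal-ip}`. If those names resolve to this host's wiregrill/retiolum addresses (the `.w`/`.r` suffixes suggest so), a request arriving over that interface hits the same guard and is rejected, so either the guard needs to admit those addresses too or the aliases only work when the overlay name happens to resolve to the LAN address. A one-line comment on the guard stating which destination addresses it is meant to admit would make the intent checkable, e.g. `# only answer on the LAN address; requests on other interfaces get 403`. Note the guard is a coarse destination-address filter, not authentication for Home Assistant, so it should be documented as such.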


@ -21,7 +21,6 @@ let
internal-ip = "192.168.111.11";
in
{
sops.secrets."photoprism/envfile" = {};
virtualisation.oci-containers.backend = "docker";
services.nginx.virtualHosts."photos" = {
@ -100,7 +99,7 @@ in
};
environmentFiles = [
config.sops.secrets."photoprism/envfile".path
config.sops.secrets."omo-photoprism-envfile".path
];
};
@ -122,7 +121,7 @@ in
#];
volumes= [ "${db-dir}:/var/lib/mysql" ];
environmentFiles = [
config.sops.secrets."photoprism/envfile".path
config.sops.secrets."omo-photoprism-envfile".path
];
environment = {
MYSQL_DATABASE= "photoprism";
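Review bot: The secret name is hard-coded as `omo-photoprism-envfile` on both environmentFiles lines, whereas the syncthing and wiregrill hunks of this commit derive the prefix from `config.clanCore.machineName`; the zigbee2mqtt hunk hard-codes the same `omo-` prefix. Using `config.sops.secrets."${config.clanCore.machineName}-photoprism-envfile".path` would match the rest of the commit and keep the module from silently pointing at another machine's secret if it is ever enabled elsewhere. The local `sops.secrets."photoprism/envfile" = {};` declaration is removed and no replacement declaration is visible in this hunk, so the new name is presumably declared by the clan sops module; if it is not, the `.path` lookup fails with a missing-attribute error at evaluation time, which is loud but worth a short comment at the first reference saying where the secret is declared.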


@ -6,9 +6,8 @@ let
webport = 8521;
in
{
sops.secrets."zigbee2mqtt" = {
sops.secrets."omo-zigbee2mqtt" = {
owner = "zigbee2mqtt";
path = "/var/lib/zigbee2mqtt/configuration.yaml";
};
# symlink the zigbee controller


@ -8,7 +8,6 @@ let
];
host = "gum.w";
in {
sops.secrets."download.smb" = {};
boot.extraModprobeConfig = ''
options cifs CIFSMaxBufSize=130048
'';


@ -5,14 +5,12 @@
used_peer_names = unique (flatten (mapAttrsToList (n: v: v.devices) config.services.syncthing.folders));
used_peers = filterAttrs (n: v: elem n used_peer_names) all_peers;
in {
sops.secrets."syncthing.key" = {};
sops.secrets."syncthing.cert" = {};
services.syncthing = {
enable = true;
configDir = "/var/lib/syncthing";
devices = mk_peers used_peers;
key = config.sops.secrets."syncthing.key".path;
cert = config.sops.secrets."syncthing.cert".path;
key = config.sops.secrets."${config.clanCore.machineName}-syncthing.key".path;
cert = config.sops.secrets."${config.clanCore.machineName}-syncthing.cert".path;
};
services.syncthing.folders.the_playlist = {
path = "/home/lass/tmp/the_playlist";


@ -7,6 +7,7 @@
# mirage - last time available in 19.09
inkscape
libreoffice
guake
# skype
# teams
synergy


@ -0,0 +1,41 @@
{ config, pkgs, lib, ... }: with lib;
let
self = config.krebs.build.host.nets.wiregrill;
ext-if = config.makefu.server.primary-itf;
in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
#hack for modprobe inside containers
systemd.services."wireguard-wiregrill".path = mkIf config.boot.isContainer (mkBefore [
(pkgs.writeDashBin "modprobe" ":")
]);
networking.firewall = {
allowedUDPPorts = [ self.wireguard.port ];
};
networking.wireguard.interfaces.wiregrill = let
ipt = "${pkgs.iptables}/bin/iptables";
ip6 = "${pkgs.iptables}/bin/ip6tables";
in {
ips =
(optional (!isNull self.ip4) self.ip4.addr) ++
(optional (!isNull self.ip6) self.ip6.addr);
listenPort = self.wireguard.port;
privateKeyFile = config.sops.secrets."${config.clanCore.machineName}-wiregrill.key".path;
allowedIPsAsRoutes = true;
peers = let
host = config.krebs.hosts.gum;
in [
{
allowedIPs = host.nets.wiregrill.wireguard.subnets ;
endpoint = mkIf (!isNull host.nets.wiregrill.via) (host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}");
persistentKeepalive = mkIf (!isNull host.nets.wiregrill.via) 61;
publicKey = (replaceStrings ["\n"] [""] host.nets.wiregrill.wireguard.pubkey);
}
];
};
}
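Review bot: `allowedUDPPorts = [ self.wireguard.port ];` opens the WireGuard listen port on every interface of this client, although the only peer configured is `gum`, reached through an explicit endpoint with a 61-second `persistentKeepalive`; an initiator does not need an inbound rule for that, so the rule is only required if other wiregrill peers are expected to dial this host directly. Either way a comment stating the reason would help, e.g. `# inbound listen port: only needed when peers initiate to this host`. Style: `isNull` is deprecated in Nix in favour of `x != null`, so the `optional (!isNull self.ip4) …` / `self.ip6` lines and the two `!isNull host.nets.wiregrill.via` guards would read better as `self.ip4 != null` and `host.nets.wiregrill.via != null`, and the stray space before `;` on the `allowedIPs = host.nets.wiregrill.wireguard.subnets ;` line should go. This is a new file, so a header comment naming it as the client half of the server/client split would also help the next reader.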


@ -12,7 +12,7 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
(pkgs.writeDashBin "modprobe" ":")
]);
boot.kernel.sysctl = mkIf isRouter {
boot.kernel.sysctl = {
"net.ipv6.conf.all.forwarding" = 1;
"net.ipv4.conf.all.forwarding" = 1;
};
@ -25,14 +25,14 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
networking.firewall = {
allowedUDPPorts = [ self.wireguard.port ];
interfaces.wiregrill = mkIf isRouter {
interfaces.wiregrill = {
allowedUDPPorts = [ 53 ];
allowedTCPPorts = [ 53 ];
};
};
services.dnsmasq = mkIf isRouter {
services.dnsmasq = {
enable = true;
resolveLocalQueries = false;
extraConfig = /* dnsmasq */ ''
@ -55,7 +55,6 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
${ip6} -A FORWARD -i wiregrill -o wiregrill -j ACCEPT
${ip6} -A FORWARD -o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
'' + (optionalString isRouter ''
#${ipt} -t nat -A PREROUTING -s 10.244.245.0/24 -j ACCEPT
#${ipt} -t nat -A POSTROUTING -s 10.244.245.0/24 ! -d 10.244.245.0/24 -j MASQUERADE
@ -76,8 +75,6 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
${ip6} -D FORWARD -i wiregrill -o wiregrill -j ACCEPT
${ip6} -D FORWARD -o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
'' + (optionalString isRouter ''
${ipt} -t nat -D PREROUTING -s 10.244.245.0/24 -j ACCEPT
${ipt} -t nat -D POSTROUTING -s 10.244.245.0/24 -j MASQUERADE
@ -92,11 +89,9 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
allowedIPsAsRoutes = true;
peers = mapAttrsToList
(_: host: {
allowedIPs = if isRouter then
allowedIPs =
(optional (!isNull host.nets.wiregrill.ip4) host.nets.wiregrill.ip4.addr) ++
(optional (!isNull host.nets.wiregrill.ip6) host.nets.wiregrill.ip6.addr)
else
host.nets.wiregrill.wireguard.subnets
;
endpoint = mkIf (!isNull host.nets.wiregrill.via) (host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}");
persistentKeepalive = mkIf (!isNull host.nets.wiregrill.via) 61;