christoph/flake-nixinator
1
Fork 0
Code Activity
Files
5f17a04fbb32a908c9161c36d8f56ff3b73a1ecf
flake-nixinator/system/thinknix/default.nix

133 lines
3.9 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
inputs,
hostname,
lib,
mylib,
config,
pkgs,
system,
username,
headless,
...
}: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
# General services
../services/adguard.nix
../services/nginx-proxy-manager.nix
../services/portainer.nix
../services/pulse.nix
../services/pulse-agent-thinknix.nix
../services/whats-up-docker.nix
];
systemmodules = {
docker.networks = [
{
name = "behind-nginx";
disable_masquerade = false;
ipv6.enable = true;
# ipv6.gateway = "fd00::5";
# We have to put an actual prefix from the ISP here.
# OPNSense: Interfaces > Overview > WAN > Details > Dynamic IPv6 Prefix Received.
# With /64, we don't have a prefix to spare for docker.
# Glasfaser Ruhr gives us /62, meaning 4 prefixes.
# The first one is used for the main LAN, so use the second one for docker.
# This also requires a route in OPNSense that specifies ThinkNix as the gateway to this subnet.
ipv6.subnet = "2001:7d8:8023:a009::/64";
}
];
network = {
useNetworkManager = false;
networks = {
"10-ether-1G" = mylib.networking.mkStaticSystemdNetwork {
interface = "ens18";
ips = ["192.168.86.26/24"];
routers = ["192.168.86.5"]; # Don't add "fd00::5", rely on router advertisement instead
nameservers = ["8.8.8.8" "8.8.4.4" "2001:4860:4860::8888" "2001:4860:4860::8844"]; # NOTE: Use reliable DNS for servers instead of 127.0.0.1
routable = true;
extraAddresses = ["fd00::1a/64"]; # IPv6 ULA — declared without creating a route
};
};
allowedTCPPorts = [
53 # DNS
80 # HTTP
];
allowedUDPPorts = [
53 # DNS
67 # DHCP
];
};
sops-nix.secrets.${username} = [
# "wireguard-vps-private-key"
];
};
# networking.wireguard.interfaces."vps-wg-client" = {
# ips = ["10.10.10.2/32"];
# privateKeyFile = "${config.sops.secrets.wireguard-vps-private-key.path}";
# # Create the depending network namespace
# # preSetup = ''
# # ${pkgs.iproute2}/bin/ip netns add ${name}
# # '';
# # postSetup = ''
# # ${pkgs.iptables}/bin/iptables -A FORWARD -i vps-wg-client -j ACCEPT
# # ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
# # '';
# # postShutdown = ''
# # ${pkgs.iptables}/bin/iptables -D FORWARD -i vps-wg-client -j ACCEPT
# # ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE
# # '';
# postSetup = ''
# ${pkgs.iptables} -A FORWARD -i wg0-client -j ACCEPT
# ${pkgs.iptables} -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# '';
# postShutdown = ''
# ${pkgs.iptables} -D FORWARD -i wg0-client -j ACCEPT
# ${pkgs.iptables} -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# '';
# peers = [
# {
# name = "chriphost-vps";
# publicKey = "w/U8p9fizw0jk8PFaMZXV1N49Ws+q6mUHzNFYtoDTS8=";
# endpoint = "212.227.233.241:51820";
# allowedIPs = [
# "10.10.10.0/24"
# ];
# # Keep this connection alive so the server can always reach us
# persistentKeepalive = 25;
# }
# ];
# };
services = {
# Configure keymap in X11
xserver = {
xkb.layout = "us";
xkb.variant = "altgr-intl";
};
qemuGuest.enable = true;
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}
View Git Blame Copy Permalink