diff --git a/config/users.nix b/config/users.nix index cf30a62..1f2da8f 100644 --- a/config/users.nix +++ b/config/users.nix @@ -48,5 +48,6 @@ avahi = uidGid 963; ente = uidGid 962; minio = uidGid 961; + kea = uidGid 960; }; } diff --git a/flake.lock b/flake.lock index 6fb39d1..35705bb 100644 --- a/flake.lock +++ b/flake.lock @@ -12,11 +12,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1747575206, - "narHash": "sha256-NwmAFuDUO/PFcgaGGr4j3ozG9Pe5hZ/ogitWhY+D81k=", + "lastModified": 1750173260, + "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=", "owner": "ryantm", "repo": "agenix", - "rev": "4835b1dc898959d8547a871ef484930675cb47f1", + "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf", "type": "github" }, "original": { @@ -36,11 +36,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1749289693, - "narHash": "sha256-fSMlofc9z/G/bfwgtDD+zy9RBqKR71FsLNU8mfLwPq0=", + "lastModified": 1752094135, + "narHash": "sha256-kd5/x5SshFVFHWUf/7rRqXQ06aUaD6VJdUYRCDUHHo0=", "owner": "oddlama", "repo": "agenix-rekey", - "rev": "57cb67bc61f8421c576085d595d902f02828d953", + "rev": "395cdb1631e9715e37d0e859a2b1da63f0ae333b", "type": "github" }, "original": { @@ -85,11 +85,11 @@ }, "crane_3": { "locked": { - "lastModified": 1748047550, - "narHash": "sha256-t0qLLqb4C1rdtiY8IFRH5KIapTY/n3Lqt57AmxEv9mk=", + "lastModified": 1753316655, + "narHash": "sha256-tzWa2kmTEN69OEMhxFy+J2oWSvZP5QhEgXp3TROOzl0=", "owner": "ipetkov", "repo": "crane", - "rev": "b718a78696060df6280196a6f992d04c87a16aef", + "rev": "f35a3372d070c9e9ccb63ba7ce347f0634ddf3d2", "type": "github" }, "original": { 
@@ -273,11 +273,11 @@ ] }, "locked": { - "lastModified": 1749200714, - "narHash": "sha256-W8KiJIrVwmf43JOPbbTu5lzq+cmdtRqaNbOsZigjioY=", + "lastModified": 1753140376, + "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=", "owner": "nix-community", "repo": "disko", - "rev": "17d08c65c241b1d65b3ddf79e3fac1ddc870b0f6", + "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c", "type": "github" }, "original": { @@ -547,11 +547,11 @@ "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { - "lastModified": 1748821116, - "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=", + "lastModified": 1753121425, + "narHash": "sha256-TVcTNvOeWWk1DXljFxVRp+E0tzG1LhrVjOGGoMHuXio=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1", + "rev": "644e0fc48951a860279da645ba77fe4a6e814c5e", "type": "github" }, "original": { @@ -586,11 +586,11 @@ ] }, "locked": { - "lastModified": 1743550720, - "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", + "lastModified": 1753121425, + "narHash": "sha256-TVcTNvOeWWk1DXljFxVRp+E0tzG1LhrVjOGGoMHuXio=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "c621e8422220273271f52058f618c94e405bb0f5", + "rev": "644e0fc48951a860279da645ba77fe4a6e814c5e", "type": "github" }, "original": { @@ -607,11 +607,11 @@ ] }, "locked": { - "lastModified": 1743550720, - "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", + "lastModified": 1753121425, + "narHash": "sha256-TVcTNvOeWWk1DXljFxVRp+E0tzG1LhrVjOGGoMHuXio=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "c621e8422220273271f52058f618c94e405bb0f5", + "rev": "644e0fc48951a860279da645ba77fe4a6e814c5e", "type": "github" }, "original": { 
@@ -945,11 +945,11 @@ "rust-overlay": "rust-overlay_3" }, "locked": { - "lastModified": 1748959397, - "narHash": "sha256-hq+njWbMLAfQIFEP+8G/7xLz1ZELWC+780332FdpnW0=", + "lastModified": 1753693791, + "narHash": "sha256-pZQyCkqIFwGA77np+vqVQZgg2P0qPAI6x6kC3w6+PjE=", "owner": "nix-community", "repo": "lanzaboote", - "rev": "20721e48123f1f900b323a76349130080a2f8343", + "rev": "785a5701b22259b85735301b1aad19c2bee15498", "type": "github" }, "original": { @@ -980,11 +980,11 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1748464257, - "narHash": "sha256-PdnQSE2vPfql9WEjunj2qQnDpuuvk7HH+4djgXJSwFs=", + "lastModified": 1753388547, + "narHash": "sha256-zbjlS9sa2BbtE80YA9C9DMXwCADba3NjUROw/7Rpt7Y=", "owner": "astro", "repo": "microvm.nix", - "rev": "e238645b6f0447a2eb1d538d300d5049d4006f9f", + "rev": "9694139d7c761e857ac9d025f9110a92cd8f7686", "type": "github" }, "original": { @@ -1086,11 +1086,11 @@ ] }, "locked": { - "lastModified": 1748751003, - "narHash": "sha256-i4GZdKAK97S0ZMU3w4fqgEJr0cVywzqjugt2qZPrScs=", + "lastModified": 1753589988, + "narHash": "sha256-y1JlcMB2dKFkrr6g+Ucmj8L//IY09BtSKTH/A7OU7mU=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "2860bee699248d828c2ed9097a1cd82c2f991b43", + "rev": "f0736b09c43028fd726fb70c3eb3d1f0795454cf", "type": "github" }, "original": { @@ -1109,11 +1109,11 @@ "pre-commit-hooks": "pre-commit-hooks_4" }, "locked": { - "lastModified": 1744142264, - "narHash": "sha256-h5KyodobZm8dx/HSNN+basgdmjxrQxudjrss4gAQpZk=", + "lastModified": 1752093877, + "narHash": "sha256-P0TySh6sQl1EhfxjW9ZqGxEyUBSsEpdnchOe1QB0pLA=", "owner": "oddlama", "repo": "nix-topology", - "rev": "f49121cbbf4a86c560638ade406d99ee58deb7aa", + "rev": "6a536c4b686ee4bcf07a7b0f8b823584560e2633", "type": "github" }, "original": { 
@@ -1169,11 +1169,11 @@ ] }, "locked": { - "lastModified": 1747663185, - "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=", + "lastModified": 1751903740, + "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc", + "rev": "032decf9db65efed428afd2fa39d80f7089085eb", "type": "github" }, "original": { @@ -1184,11 +1184,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1749195551, - "narHash": "sha256-W5GKQHgunda/OP9sbKENBZhMBDNu2QahoIPwnsF6CeM=", + "lastModified": 1753122741, + "narHash": "sha256-nFxE8lk9JvGelxClCmwuJYftbHqwnc01dRN4DVLUroM=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "4602f7e1d3f197b3cb540d5accf5669121629628", + "rev": "cc66fddc6cb04ab479a1bb062f4d4da27c936a22", "type": "github" }, "original": { @@ -1220,11 +1220,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1749143949, - "narHash": "sha256-QuUtALJpVrPnPeozlUG/y+oIMSLdptHxb3GK6cpSVhA=", + "lastModified": 1753939845, + "narHash": "sha256-K2ViRJfdVGE8tpJejs8Qpvvejks1+A4GQej/lBk5y7I=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d3d2d80a2191a73d1e86456a751b83aa13085d7d", + "rev": "94def634a20494ee057c76998843c015909d6311", "type": "github" }, "original": { @@ -1248,11 +1248,11 @@ }, "nixpkgs-lib_2": { "locked": { - "lastModified": 1748740939, - "narHash": "sha256-rQaysilft1aVMwF14xIdGS3sj1yHlI6oKQNBRTF40cc=", + "lastModified": 1751159883, + "narHash": "sha256-urW/Ylk9FIfvXfliA1ywh75yszAbiTEVgpPeinFyVZo=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "656a64127e9d791a334452c6b6606d17539476e2", + "rev": "14a40a1d7fb9afa4739275ac642ed7301a9ba1ab", "type": "github" }, "original": { 
@@ -1299,11 +1299,11 @@ "systems": "systems_6" }, "locked": { - "lastModified": 1749200997, - "narHash": "sha256-In+NjXI8kfJpamTmtytt+rnBzQ213Y9KW55IXvAAK/4=", + "lastModified": 1753977315, + "narHash": "sha256-AM3CZh+Emk/cr5Gf6RUf2xzkWdRB+yewP1YWoRxUbYQ=", "owner": "nix-community", "repo": "nixvim", - "rev": "00524c7935f05606fd1b09e8700e9abcc4af7be8", + "rev": "a16c89c175277309fd3dd065fb5bc4eab450ae07", "type": "github" }, "original": { @@ -1322,11 +1322,11 @@ ] }, "locked": { - "lastModified": 1748298102, - "narHash": "sha256-PP11GVwUt7F4ZZi5A5+99isuq39C59CKc5u5yVisU/U=", + "lastModified": 1753450833, + "narHash": "sha256-Pmpke0JtLRzgdlwDC5a+aiLVZ11JPUO5Bcqkj0nHE/k=", "owner": "NuschtOS", "repo": "search", - "rev": "f8a1c221afb8b4c642ed11ac5ee6746b0fe1d32f", + "rev": "40987cc1a24feba378438d691f87c52819f7bd75", "type": "github" }, "original": { @@ -1415,11 +1415,11 @@ ] }, "locked": { - "lastModified": 1747372754, - "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=", + "lastModified": 1750779888, + "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46", + "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", "type": "github" }, "original": { @@ -1534,11 +1534,11 @@ ] }, "locked": { - "lastModified": 1747372754, - "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=", + "lastModified": 1750779888, + "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46", + "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", "type": "github" }, "original": { 
@@ -1708,11 +1708,11 @@ ] }, "locked": { - "lastModified": 1748227081, - "narHash": "sha256-RLnN7LBxhEdCJ6+rIL9sbhjBVDaR6jG377M/CLP/fmE=", + "lastModified": 1753584741, + "narHash": "sha256-i147iFSy4K4PJvID+zoszLbRi2o+YV8AyG4TUiDQ3+I=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "1cbe817fd8c64a9f77ba4d7861a4839b0b15983e", + "rev": "69dfe029679e73b8d159011c9547f6148a85ca6b", "type": "github" }, "original": { @@ -1772,11 +1772,11 @@ "spectrum": { "flake": false, "locked": { - "lastModified": 1746869549, - "narHash": "sha256-BKZ/yZO/qeLKh9YqVkKB6wJiDQJAZNN5rk5NsMImsWs=", + "lastModified": 1751265943, + "narHash": "sha256-XoHSo6GEElzRUOYAEg/jlh5c8TDsyDESFIux3nU/NMc=", "ref": "refs/heads/main", - "rev": "d927e78530892ec8ed389e8fae5f38abee00ad87", - "revCount": 862, + "rev": "37c8663fab86fdb202fece339ef7ac7177ffc201", + "revCount": 904, "type": "git", "url": "https://spectrum-os.org/git/spectrum" }, @@ -1967,11 +1967,11 @@ ] }, "locked": { - "lastModified": 1749194973, - "narHash": "sha256-eEy8cuS0mZ2j/r/FE0/LYBSBcIs/MKOIVakwHVuqTfk=", + "lastModified": 1754061284, + "narHash": "sha256-ONcNxdSiPyJ9qavMPJYAXDNBzYobHRxw0WbT38lKbwU=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "a05be418a1af1198ca0f63facb13c985db4cb3c5", + "rev": "58bd4da459f0a39e506847109a2a5cfceb837796", "type": "github" }, "original": { diff --git a/globals.nix b/globals.nix index fe8896f..5c321a3 100644 --- a/globals.nix +++ b/globals.nix 
@@ -88,6 +88,31 @@ in
 id = 22;
 mac = globals.macs.bambulab-p1s;
 };
+ hosts.shelly-mains = {
+ id = 23;
+ mac = globals.macs.shelly-mains;
+ };
+ hosts.shelly-solar = {
+ id = 24;
+ mac = globals.macs.shelly-solar;
+ };
+ # FIXME: forbid these devices on other interfaces... maybe put them into separate switches vlan.
+ # hosts.tl-sg105e-flur = {
+ # id = ;
+ # mac = globals.macs.tl-sg105e-flur;
+ # };
+ # hosts.tl-sg105e-garage = {
+ # id = ;
+ # mac = globals.macs.tl-sg105e-garage;
+ # };
+ # hosts.tl-sg105e-keller = {
+ # id = ;
+ # mac = globals.macs.tl-sg105e-keller;
+ # };
+ # hosts.tl-sg108e-dach = {
+ # id = ;
+ # mac = globals.macs.tl-sg108e-dach;
+ # };
 };
 guests = {
 id = 50;
diff --git a/hosts/sausebiene/home-assistant.nix b/hosts/sausebiene/home-assistant.nix
index 06beefe..36019f8 100644
--- a/hosts/sausebiene/home-assistant.nix
+++ b/hosts/sausebiene/home-assistant.nix
@@ -49,6 +49,7 @@ in
 "mqtt"
 "ollama"
 "radio_browser"
+ "shelly"
 "soundtouch" # Bose SoundTouch
 "spotify"
 "wake_word"
diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix
index b3956f4..3bbb087 100644
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
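Review bot: The four commented-out switch reservations in globals.nix carry `id = ;`, which is not valid Nix, so the block cannot simply be uncommented later; the FIXME above them should say that ids still have to be chosen, e.g. `# FIXME: assign free ids before enabling; forbid these devices on other interfaces... maybe put them into separate switches vlan.` The FIXME also names the actual risk: until the TL-SG switches get a dedicated management VLAN, their management interfaces stay reachable from whichever segment they are attached to, and nothing in this hunk restricts that, so it is worth tracking where the vlan definitions live rather than only here. The attrset holding these `hosts.*` entries starts before the hunk, so which VLAN the new shelly devices land in cannot be seen from this view.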
@@ -85,111 +85,109 @@ } ); - systemd.network.networks = - { - "10-lan" = { - matchConfig.Name = "lan"; - # This interface should only be used from attached vlans. + systemd.network.networks = { + "10-lan" = { + matchConfig.Name = "lan"; + # This interface should only be used from attached vlans. + # So don't acquire a link local address and only wait for + # this interface to gain a carrier. + networkConfig.LinkLocalAddressing = "no"; + linkConfig.RequiredForOnline = "carrier"; + vlan = map (name: "vlan-${name}") (builtins.attrNames globals.net.home-lan.vlans); + }; + "10-wan" = { + #DHCP = "yes"; + #dhcpV4Config.UseDNS = false; + #dhcpV6Config.UseDNS = false; + #ipv6AcceptRAConfig.UseDNS = false; + address = [ globals.net.home-wan.hosts.ward.cidrv4 ]; + gateway = [ globals.net.home-wan.hosts.fritzbox.ipv4 ]; + matchConfig.Name = "wan"; + networkConfig.IPv6PrivacyExtensions = "yes"; + # dhcpV6Config.PrefixDelegationHint = "::/64"; + # FIXME: This should not be needed, but for some reason part of networkd + # isn't seeing the RAs and not triggering DHCPv6. Even though some other + # part of networkd is properly seeing them and logging accordingly. + dhcpV6Config.WithoutRA = "solicit"; + linkConfig.RequiredForOnline = "routable"; + }; + # Remaining macvtap interfaces should not be touched. + "90-macvtap-ignore" = { + matchConfig.Kind = "macvtap"; + linkConfig.ActivationPolicy = "manual"; + linkConfig.Unmanaged = "yes"; + }; + } + // lib.flip lib.concatMapAttrs globals.net.home-lan.vlans ( + vlanName: vlanCfg: { + "30-vlan-${vlanName}" = { + matchConfig.Name = "vlan-${vlanName}"; + # This interface should only be used from attached macvlans. # So don't acquire a link local address and only wait for # this interface to gain a carrier. 
networkConfig.LinkLocalAddressing = "no"; + networkConfig.MACVLAN = "me-${vlanName}"; linkConfig.RequiredForOnline = "carrier"; - vlan = map (name: "vlan-${name}") (builtins.attrNames globals.net.home-lan.vlans); }; - "10-wan" = { - #DHCP = "yes"; - #dhcpV4Config.UseDNS = false; - #dhcpV6Config.UseDNS = false; - #ipv6AcceptRAConfig.UseDNS = false; - address = [ globals.net.home-wan.hosts.ward.cidrv4 ]; - gateway = [ globals.net.home-wan.hosts.fritzbox.ipv4 ]; - matchConfig.Name = "wan"; - networkConfig.IPv6PrivacyExtensions = "yes"; - # dhcpV6Config.PrefixDelegationHint = "::/64"; - # FIXME: This should not be needed, but for some reason part of networkd - # isn't seeing the RAs and not triggering DHCPv6. Even though some other - # part of networkd is properly seeing them and logging accordingly. - dhcpV6Config.WithoutRA = "solicit"; + "40-me-${vlanName}" = { + address = [ + vlanCfg.hosts.ward.cidrv4 + vlanCfg.hosts.ward.cidrv6 + ]; + matchConfig.Name = "me-${vlanName}"; + networkConfig = { + IPv4Forwarding = "yes"; + IPv6PrivacyExtensions = "yes"; + IPv6SendRA = true; + IPv6AcceptRA = false; + # DHCPPrefixDelegation = true; + }; + # dhcpPrefixDelegationConfig.UplinkInterface = "wan"; + # dhcpPrefixDelegationConfig.Token = "::ff"; + # Announce a static prefix + ipv6Prefixes = [ + { Prefix = vlanCfg.cidrv6; } + ]; + # Delegate prefix + # dhcpPrefixDelegationConfig = { + # SubnetId = vlanCfg.id; + # }; + # Provide a DNS resolver + # ipv6SendRAConfig = { + # Managed = true; + # EmitDNS = true; + # FIXME: this is not the true ipv6 of adguardhome DNS = globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6; + # FIXME: todo assign static additional to reservation in kea + # }; linkConfig.RequiredForOnline = "routable"; }; - # Remaining macvtap interfaces should not be touched. 
- "90-macvtap-ignore" = { - matchConfig.Kind = "macvtap"; - linkConfig.ActivationPolicy = "manual"; - linkConfig.Unmanaged = "yes"; - }; } - // lib.flip lib.concatMapAttrs globals.net.home-lan.vlans ( - vlanName: vlanCfg: { - "30-vlan-${vlanName}" = { - matchConfig.Name = "vlan-${vlanName}"; - # This interface should only be used from attached macvlans. - # So don't acquire a link local address and only wait for - # this interface to gain a carrier. - networkConfig.LinkLocalAddressing = "no"; - networkConfig.MACVLAN = "me-${vlanName}"; - linkConfig.RequiredForOnline = "carrier"; - }; - "40-me-${vlanName}" = { - address = [ - vlanCfg.hosts.ward.cidrv4 - vlanCfg.hosts.ward.cidrv6 - ]; - matchConfig.Name = "me-${vlanName}"; - networkConfig = { - IPv4Forwarding = "yes"; - IPv6PrivacyExtensions = "yes"; - IPv6SendRA = true; - IPv6AcceptRA = false; - # DHCPPrefixDelegation = true; - }; - # dhcpPrefixDelegationConfig.UplinkInterface = "wan"; - # dhcpPrefixDelegationConfig.Token = "::ff"; - # Announce a static prefix - ipv6Prefixes = [ - { Prefix = vlanCfg.cidrv6; } - ]; - # Delegate prefix - # dhcpPrefixDelegationConfig = { - # SubnetId = vlanCfg.id; - # }; - # Provide a DNS resolver - # ipv6SendRAConfig = { - # Managed = true; - # EmitDNS = true; - # FIXME: this is not the true ipv6 of adguardhome DNS = globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6; - # FIXME: todo assign static additional to reservation in kea - # }; - linkConfig.RequiredForOnline = "routable"; - }; - } - ); + ); networking.nftables = { firewall = { - zones = - { - untrusted.interfaces = [ "wan" ]; - proxy-home.interfaces = [ "proxy-home" ]; - firezone.interfaces = [ "tun-firezone" ]; - adguardhome.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4 ]; - adguardhome.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6 ]; - web-proxy.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv4 ]; - 
web-proxy.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv6 ]; - samba.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.sire-samba.ipv4 ]; - samba.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.sire-samba.ipv6 ]; - scanner-ads-4300n.ipv4Addresses = [ - globals.net.home-lan.vlans.devices.hosts.scanner-ads-4300n.ipv4 - ]; - scanner-ads-4300n.ipv6Addresses = [ - globals.net.home-lan.vlans.devices.hosts.scanner-ads-4300n.ipv6 - ]; + zones = { + untrusted.interfaces = [ "wan" ]; + proxy-home.interfaces = [ "proxy-home" ]; + firezone.interfaces = [ "tun-firezone" ]; + adguardhome.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4 ]; + adguardhome.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6 ]; + web-proxy.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv4 ]; + web-proxy.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv6 ]; + samba.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.sire-samba.ipv4 ]; + samba.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.sire-samba.ipv6 ]; + scanner-ads-4300n.ipv4Addresses = [ + globals.net.home-lan.vlans.devices.hosts.scanner-ads-4300n.ipv4 + ]; + scanner-ads-4300n.ipv6Addresses = [ + globals.net.home-lan.vlans.devices.hosts.scanner-ads-4300n.ipv6 + ]; + } + // lib.flip lib.concatMapAttrs globals.net.home-lan.vlans ( + vlanName: _: { + "vlan-${vlanName}".interfaces = [ "me-${vlanName}" ]; } - // lib.flip lib.concatMapAttrs globals.net.home-lan.vlans ( - vlanName: _: { - "vlan-${vlanName}".interfaces = [ "me-${vlanName}" ]; - } - ); + ); rules = { masquerade-internet = { @@ -280,6 +278,7 @@ verdict = "accept"; }; + # FIXME: is this needed? conntrack should take care of it and we want to masquerade anyway forward-outgoing-firezone-traffic = { from = [ "vlan-services" ]; to = [ "firezone" ]; 
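Review bot: The new FIXME above `forward-outgoing-firezone-traffic` treats the rule as possibly redundant with conntrack, but conntrack only admits reply packets of flows that were already accepted; a new forwarded connection from `vlan-services` into the `firezone` zone still needs an explicit accept, and nothing in this hunk shows another rule covering that direction (`masquerade-internet` is defined outside the hunk, so I cannot tell whether it does). Before removing the rule, verify that a fresh connection from the services VLAN towards a firezone peer is still forwarded. I would reword the comment to `# FIXME: check whether masquerade-internet already accepts vlan-services -> firezone; conntrack only covers reply traffic, not new forwarded flows`. The enclosing `rules` attrset starts before this hunk.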
diff --git a/modules/mealie.nix b/modules/mealie.nix index 0fc0b60..90f88e5 100644 --- a/modules/mealie.nix +++ b/modules/mealie.nix @@ -48,6 +48,12 @@ in ''; }; + trustedProxies = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + description = "A list of trusted proxies. You must set this when you are using OIDC behind https, otherwise the generated redirect url will have the wrong url scheme."; + }; + credentialsFile = lib.mkOption { type = with lib.types; nullOr path; default = null; @@ -69,20 +75,14 @@ in ''; }; }; - - trustedProxies = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = [ ]; - description = "A list of trusted proxies. You must set this when you are using OIDC behind https, otherwise the generated redirect url will have the wrong url scheme."; - }; }; config = lib.mkIf cfg.enable { systemd.services.mealie = { description = "Mealie, a self hosted recipe manager and meal planner"; - after = [ "network-online.target" ] ++ lib.optional cfg.database.createLocally "postgresql.service"; - requires = lib.optional cfg.database.createLocally "postgresql.service"; + after = [ "network-online.target" ] ++ lib.optional cfg.database.createLocally "postgresql.target"; + requires = lib.optional cfg.database.createLocally "postgresql.target"; wants = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; @@ -91,8 +91,9 @@ in API_PORT = toString cfg.port; BASE_URL = "http://localhost:${toString cfg.port}"; DATA_DIR = "/var/lib/mealie"; - NLTK_DATA = pkgs.nltk-data.averaged_perceptron_tagger_eng; - } // (builtins.mapAttrs (_: toString) cfg.settings); + NLTK_DATA = pkgs.nltk-data.averaged-perceptron-tagger-eng; + } + // (builtins.mapAttrs (_: toString) cfg.settings); serviceConfig = { DynamicUser = true; diff --git a/secrets/global.nix.age b/secrets/global.nix.age index 9016b6a..8dca345 100644 Binary files a/secrets/global.nix.age and b/secrets/global.nix.age differ
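Review bot: The `trustedProxies` description says when the option is needed but not what trusting an address implies; presumably the listed addresses are the peers whose forwarded scheme/host headers Mealie honours, in which case anything broader than the actual reverse proxy lets any client in that range choose the scheme and host of generated URLs, including the OIDC redirect. I would extend the description to `Addresses of reverse proxies whose forwarded headers are trusted. Set this to exactly the proxy in front of Mealie when using OIDC behind https, otherwise the generated redirect url will have the wrong url scheme; do not list whole networks.` The option block is complete within the hunk, but the code that passes the value to mealie is outside it, so confirm that it maps to the proxy-trust setting before wording it this way. The `postgresql.target` and NLTK attribute changes in the other two hunks look tied to the nixpkgs bump in flake.lock and need no separate note.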