From 748d5a4bf3bebcfa7ec35ae7a4c580dfbf74e4a1 Mon Sep 17 00:00:00 2001 From: oddlama Date: Fri, 1 Aug 2025 21:06:07 +0200 Subject: [PATCH] chore: update flake --- config/users.nix | 1 + flake.lock | 134 ++++++++++---------- globals.nix | 25 ++++ hosts/sausebiene/home-assistant.nix | 1 + hosts/ward/net.nix | 185 ++++++++++++++-------------- modules/mealie.nix | 21 ++-- secrets/global.nix.age | Bin 3735 -> 3782 bytes 7 files changed, 197 insertions(+), 170 deletions(-) diff --git a/config/users.nix b/config/users.nix index cf30a62..1f2da8f 100644 --- a/config/users.nix +++ b/config/users.nix @@ -48,5 +48,6 @@ avahi = uidGid 963; ente = uidGid 962; minio = uidGid 961; + kea = uidGid 960; }; } diff --git a/flake.lock b/flake.lock index 6fb39d1..35705bb 100644 --- a/flake.lock +++ b/flake.lock @@ -12,11 +12,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1747575206, - "narHash": "sha256-NwmAFuDUO/PFcgaGGr4j3ozG9Pe5hZ/ogitWhY+D81k=", + "lastModified": 1750173260, + "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=", "owner": "ryantm", "repo": "agenix", - "rev": "4835b1dc898959d8547a871ef484930675cb47f1", + "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf", "type": "github" }, "original": { @@ -36,11 +36,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1749289693, - "narHash": "sha256-fSMlofc9z/G/bfwgtDD+zy9RBqKR71FsLNU8mfLwPq0=", + "lastModified": 1752094135, + "narHash": "sha256-kd5/x5SshFVFHWUf/7rRqXQ06aUaD6VJdUYRCDUHHo0=", "owner": "oddlama", "repo": "agenix-rekey", - "rev": "57cb67bc61f8421c576085d595d902f02828d953", + "rev": "395cdb1631e9715e37d0e859a2b1da63f0ae333b", "type": "github" }, "original": { 
@@ -85,11 +85,11 @@ }, "crane_3": { "locked": { - "lastModified": 1748047550, - "narHash": "sha256-t0qLLqb4C1rdtiY8IFRH5KIapTY/n3Lqt57AmxEv9mk=", + "lastModified": 1753316655, + "narHash": "sha256-tzWa2kmTEN69OEMhxFy+J2oWSvZP5QhEgXp3TROOzl0=", "owner": "ipetkov", "repo": "crane", - "rev": "b718a78696060df6280196a6f992d04c87a16aef", + "rev": "f35a3372d070c9e9ccb63ba7ce347f0634ddf3d2", "type": "github" }, "original": { @@ -273,11 +273,11 @@ ] }, "locked": { - "lastModified": 1749200714, - "narHash": "sha256-W8KiJIrVwmf43JOPbbTu5lzq+cmdtRqaNbOsZigjioY=", + "lastModified": 1753140376, + "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=", "owner": "nix-community", "repo": "disko", - "rev": "17d08c65c241b1d65b3ddf79e3fac1ddc870b0f6", + "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c", "type": "github" }, "original": { @@ -547,11 +547,11 @@ "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { - "lastModified": 1748821116, - "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=", + "lastModified": 1753121425, + "narHash": "sha256-TVcTNvOeWWk1DXljFxVRp+E0tzG1LhrVjOGGoMHuXio=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1", + "rev": "644e0fc48951a860279da645ba77fe4a6e814c5e", "type": "github" }, "original": { @@ -586,11 +586,11 @@ ] }, "locked": { - "lastModified": 1743550720, - "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", + "lastModified": 1753121425, + "narHash": "sha256-TVcTNvOeWWk1DXljFxVRp+E0tzG1LhrVjOGGoMHuXio=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "c621e8422220273271f52058f618c94e405bb0f5", + "rev": "644e0fc48951a860279da645ba77fe4a6e814c5e", "type": "github" }, "original": { 
@@ -607,11 +607,11 @@ ] }, "locked": { - "lastModified": 1743550720, - "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", + "lastModified": 1753121425, + "narHash": "sha256-TVcTNvOeWWk1DXljFxVRp+E0tzG1LhrVjOGGoMHuXio=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "c621e8422220273271f52058f618c94e405bb0f5", + "rev": "644e0fc48951a860279da645ba77fe4a6e814c5e", "type": "github" }, "original": { @@ -945,11 +945,11 @@ "rust-overlay": "rust-overlay_3" }, "locked": { - "lastModified": 1748959397, - "narHash": "sha256-hq+njWbMLAfQIFEP+8G/7xLz1ZELWC+780332FdpnW0=", + "lastModified": 1753693791, + "narHash": "sha256-pZQyCkqIFwGA77np+vqVQZgg2P0qPAI6x6kC3w6+PjE=", "owner": "nix-community", "repo": "lanzaboote", - "rev": "20721e48123f1f900b323a76349130080a2f8343", + "rev": "785a5701b22259b85735301b1aad19c2bee15498", "type": "github" }, "original": { @@ -980,11 +980,11 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1748464257, - "narHash": "sha256-PdnQSE2vPfql9WEjunj2qQnDpuuvk7HH+4djgXJSwFs=", + "lastModified": 1753388547, + "narHash": "sha256-zbjlS9sa2BbtE80YA9C9DMXwCADba3NjUROw/7Rpt7Y=", "owner": "astro", "repo": "microvm.nix", - "rev": "e238645b6f0447a2eb1d538d300d5049d4006f9f", + "rev": "9694139d7c761e857ac9d025f9110a92cd8f7686", "type": "github" }, "original": { @@ -1086,11 +1086,11 @@ ] }, "locked": { - "lastModified": 1748751003, - "narHash": "sha256-i4GZdKAK97S0ZMU3w4fqgEJr0cVywzqjugt2qZPrScs=", + "lastModified": 1753589988, + "narHash": "sha256-y1JlcMB2dKFkrr6g+Ucmj8L//IY09BtSKTH/A7OU7mU=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "2860bee699248d828c2ed9097a1cd82c2f991b43", + "rev": "f0736b09c43028fd726fb70c3eb3d1f0795454cf", "type": "github" }, "original": { 
@@ -1109,11 +1109,11 @@ "pre-commit-hooks": "pre-commit-hooks_4" }, "locked": { - "lastModified": 1744142264, - "narHash": "sha256-h5KyodobZm8dx/HSNN+basgdmjxrQxudjrss4gAQpZk=", + "lastModified": 1752093877, + "narHash": "sha256-P0TySh6sQl1EhfxjW9ZqGxEyUBSsEpdnchOe1QB0pLA=", "owner": "oddlama", "repo": "nix-topology", - "rev": "f49121cbbf4a86c560638ade406d99ee58deb7aa", + "rev": "6a536c4b686ee4bcf07a7b0f8b823584560e2633", "type": "github" }, "original": { @@ -1169,11 +1169,11 @@ ] }, "locked": { - "lastModified": 1747663185, - "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=", + "lastModified": 1751903740, + "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc", + "rev": "032decf9db65efed428afd2fa39d80f7089085eb", "type": "github" }, "original": { @@ -1184,11 +1184,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1749195551, - "narHash": "sha256-W5GKQHgunda/OP9sbKENBZhMBDNu2QahoIPwnsF6CeM=", + "lastModified": 1753122741, + "narHash": "sha256-nFxE8lk9JvGelxClCmwuJYftbHqwnc01dRN4DVLUroM=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "4602f7e1d3f197b3cb540d5accf5669121629628", + "rev": "cc66fddc6cb04ab479a1bb062f4d4da27c936a22", "type": "github" }, "original": { @@ -1220,11 +1220,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1749143949, - "narHash": "sha256-QuUtALJpVrPnPeozlUG/y+oIMSLdptHxb3GK6cpSVhA=", + "lastModified": 1753939845, + "narHash": "sha256-K2ViRJfdVGE8tpJejs8Qpvvejks1+A4GQej/lBk5y7I=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d3d2d80a2191a73d1e86456a751b83aa13085d7d", + "rev": "94def634a20494ee057c76998843c015909d6311", "type": "github" }, "original": { 
@@ -1248,11 +1248,11 @@ }, "nixpkgs-lib_2": { "locked": { - "lastModified": 1748740939, - "narHash": "sha256-rQaysilft1aVMwF14xIdGS3sj1yHlI6oKQNBRTF40cc=", + "lastModified": 1751159883, + "narHash": "sha256-urW/Ylk9FIfvXfliA1ywh75yszAbiTEVgpPeinFyVZo=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "656a64127e9d791a334452c6b6606d17539476e2", + "rev": "14a40a1d7fb9afa4739275ac642ed7301a9ba1ab", "type": "github" }, "original": { @@ -1299,11 +1299,11 @@ "systems": "systems_6" }, "locked": { - "lastModified": 1749200997, - "narHash": "sha256-In+NjXI8kfJpamTmtytt+rnBzQ213Y9KW55IXvAAK/4=", + "lastModified": 1753977315, + "narHash": "sha256-AM3CZh+Emk/cr5Gf6RUf2xzkWdRB+yewP1YWoRxUbYQ=", "owner": "nix-community", "repo": "nixvim", - "rev": "00524c7935f05606fd1b09e8700e9abcc4af7be8", + "rev": "a16c89c175277309fd3dd065fb5bc4eab450ae07", "type": "github" }, "original": { @@ -1322,11 +1322,11 @@ ] }, "locked": { - "lastModified": 1748298102, - "narHash": "sha256-PP11GVwUt7F4ZZi5A5+99isuq39C59CKc5u5yVisU/U=", + "lastModified": 1753450833, + "narHash": "sha256-Pmpke0JtLRzgdlwDC5a+aiLVZ11JPUO5Bcqkj0nHE/k=", "owner": "NuschtOS", "repo": "search", - "rev": "f8a1c221afb8b4c642ed11ac5ee6746b0fe1d32f", + "rev": "40987cc1a24feba378438d691f87c52819f7bd75", "type": "github" }, "original": { @@ -1415,11 +1415,11 @@ ] }, "locked": { - "lastModified": 1747372754, - "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=", + "lastModified": 1750779888, + "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46", + "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", "type": "github" }, "original": { 
@@ -1534,11 +1534,11 @@ ] }, "locked": { - "lastModified": 1747372754, - "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=", + "lastModified": 1750779888, + "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46", + "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", "type": "github" }, "original": { @@ -1708,11 +1708,11 @@ ] }, "locked": { - "lastModified": 1748227081, - "narHash": "sha256-RLnN7LBxhEdCJ6+rIL9sbhjBVDaR6jG377M/CLP/fmE=", + "lastModified": 1753584741, + "narHash": "sha256-i147iFSy4K4PJvID+zoszLbRi2o+YV8AyG4TUiDQ3+I=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "1cbe817fd8c64a9f77ba4d7861a4839b0b15983e", + "rev": "69dfe029679e73b8d159011c9547f6148a85ca6b", "type": "github" }, "original": { @@ -1772,11 +1772,11 @@ "spectrum": { "flake": false, "locked": { - "lastModified": 1746869549, - "narHash": "sha256-BKZ/yZO/qeLKh9YqVkKB6wJiDQJAZNN5rk5NsMImsWs=", + "lastModified": 1751265943, + "narHash": "sha256-XoHSo6GEElzRUOYAEg/jlh5c8TDsyDESFIux3nU/NMc=", "ref": "refs/heads/main", - "rev": "d927e78530892ec8ed389e8fae5f38abee00ad87", - "revCount": 862, + "rev": "37c8663fab86fdb202fece339ef7ac7177ffc201", + "revCount": 904, "type": "git", "url": "https://spectrum-os.org/git/spectrum" }, @@ -1967,11 +1967,11 @@ ] }, "locked": { - "lastModified": 1749194973, - "narHash": "sha256-eEy8cuS0mZ2j/r/FE0/LYBSBcIs/MKOIVakwHVuqTfk=", + "lastModified": 1754061284, + "narHash": "sha256-ONcNxdSiPyJ9qavMPJYAXDNBzYobHRxw0WbT38lKbwU=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "a05be418a1af1198ca0f63facb13c985db4cb3c5", + "rev": "58bd4da459f0a39e506847109a2a5cfceb837796", "type": "github" }, "original": { diff --git a/globals.nix b/globals.nix index fe8896f..5c321a3 100644 --- a/globals.nix +++ b/globals.nix 
@@ -88,6 +88,31 @@ in
 id = 22;
 mac = globals.macs.bambulab-p1s;
 };
+ hosts.shelly-mains = {
+ id = 23;
+ mac = globals.macs.shelly-mains;
+ };
+ hosts.shelly-solar = {
+ id = 24;
+ mac = globals.macs.shelly-solar;
+ };
+ # FIXME: forbid these devices on other interfaces... maybe put them into separate switches vlan.
+ # hosts.tl-sg105e-flur = {
+ # id = ;
+ # mac = globals.macs.tl-sg105e-flur;
+ # };
+ # hosts.tl-sg105e-garage = {
+ # id = ;
+ # mac = globals.macs.tl-sg105e-garage;
+ # };
+ # hosts.tl-sg105e-keller = {
+ # id = ;
+ # mac = globals.macs.tl-sg105e-keller;
+ # };
+ # hosts.tl-sg108e-dach = {
+ # id = ;
+ # mac = globals.macs.tl-sg108e-dach;
+ # };
 };
 guests = {
 id = 50;
diff --git a/hosts/sausebiene/home-assistant.nix b/hosts/sausebiene/home-assistant.nix
index 06beefe..36019f8 100644
--- a/hosts/sausebiene/home-assistant.nix
+++ b/hosts/sausebiene/home-assistant.nix
@@ -49,6 +49,7 @@ in
 "mqtt"
 "ollama"
 "radio_browser"
+ "shelly"
 "soundtouch" # Bose SoundTouch
 "spotify"
 "wake_word"
diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix
index b3956f4..3bbb087 100644
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
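Review bot: The four commented-out switch reservations carry the placeholder `# id = ;`, which is not valid Nix the moment the comment markers are removed, so whoever picks up the FIXME gets an evaluation error instead of a clear TODO; either assign real ids now or make the placeholder self-explanatory, e.g. `# id = <TODO: assign once the switches vlan exists>;`. The FIXME itself is the security-relevant part of this hunk: until those switches are moved to their own VLAN their management interfaces presumably stay reachable from whichever VLAN they currently obtain an address in, so I would phrase it as a concrete task rather than a musing, e.g. `# FIXME(security): switch management UIs are reachable from this vlan; move the switches to a dedicated management vlan before adding reservations here.` The two Shelly entries (ids 23 and 24) are plain reservations and look fine; which VLAN this `hosts` block belongs to is not visible in the hunk.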
@@ -85,111 +85,109 @@ } ); - systemd.network.networks = - { - "10-lan" = { - matchConfig.Name = "lan"; - # This interface should only be used from attached vlans. + systemd.network.networks = { + "10-lan" = { + matchConfig.Name = "lan"; + # This interface should only be used from attached vlans. + # So don't acquire a link local address and only wait for + # this interface to gain a carrier. + networkConfig.LinkLocalAddressing = "no"; + linkConfig.RequiredForOnline = "carrier"; + vlan = map (name: "vlan-${name}") (builtins.attrNames globals.net.home-lan.vlans); + }; + "10-wan" = { + #DHCP = "yes"; + #dhcpV4Config.UseDNS = false; + #dhcpV6Config.UseDNS = false; + #ipv6AcceptRAConfig.UseDNS = false; + address = [ globals.net.home-wan.hosts.ward.cidrv4 ]; + gateway = [ globals.net.home-wan.hosts.fritzbox.ipv4 ]; + matchConfig.Name = "wan"; + networkConfig.IPv6PrivacyExtensions = "yes"; + # dhcpV6Config.PrefixDelegationHint = "::/64"; + # FIXME: This should not be needed, but for some reason part of networkd + # isn't seeing the RAs and not triggering DHCPv6. Even though some other + # part of networkd is properly seeing them and logging accordingly. + dhcpV6Config.WithoutRA = "solicit"; + linkConfig.RequiredForOnline = "routable"; + }; + # Remaining macvtap interfaces should not be touched. + "90-macvtap-ignore" = { + matchConfig.Kind = "macvtap"; + linkConfig.ActivationPolicy = "manual"; + linkConfig.Unmanaged = "yes"; + }; + } + // lib.flip lib.concatMapAttrs globals.net.home-lan.vlans ( + vlanName: vlanCfg: { + "30-vlan-${vlanName}" = { + matchConfig.Name = "vlan-${vlanName}"; + # This interface should only be used from attached macvlans. # So don't acquire a link local address and only wait for # this interface to gain a carrier. 
networkConfig.LinkLocalAddressing = "no"; + networkConfig.MACVLAN = "me-${vlanName}"; linkConfig.RequiredForOnline = "carrier"; - vlan = map (name: "vlan-${name}") (builtins.attrNames globals.net.home-lan.vlans); }; - "10-wan" = { - #DHCP = "yes"; - #dhcpV4Config.UseDNS = false; - #dhcpV6Config.UseDNS = false; - #ipv6AcceptRAConfig.UseDNS = false; - address = [ globals.net.home-wan.hosts.ward.cidrv4 ]; - gateway = [ globals.net.home-wan.hosts.fritzbox.ipv4 ]; - matchConfig.Name = "wan"; - networkConfig.IPv6PrivacyExtensions = "yes"; - # dhcpV6Config.PrefixDelegationHint = "::/64"; - # FIXME: This should not be needed, but for some reason part of networkd - # isn't seeing the RAs and not triggering DHCPv6. Even though some other - # part of networkd is properly seeing them and logging accordingly. - dhcpV6Config.WithoutRA = "solicit"; + "40-me-${vlanName}" = { + address = [ + vlanCfg.hosts.ward.cidrv4 + vlanCfg.hosts.ward.cidrv6 + ]; + matchConfig.Name = "me-${vlanName}"; + networkConfig = { + IPv4Forwarding = "yes"; + IPv6PrivacyExtensions = "yes"; + IPv6SendRA = true; + IPv6AcceptRA = false; + # DHCPPrefixDelegation = true; + }; + # dhcpPrefixDelegationConfig.UplinkInterface = "wan"; + # dhcpPrefixDelegationConfig.Token = "::ff"; + # Announce a static prefix + ipv6Prefixes = [ + { Prefix = vlanCfg.cidrv6; } + ]; + # Delegate prefix + # dhcpPrefixDelegationConfig = { + # SubnetId = vlanCfg.id; + # }; + # Provide a DNS resolver + # ipv6SendRAConfig = { + # Managed = true; + # EmitDNS = true; + # FIXME: this is not the true ipv6 of adguardhome DNS = globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6; + # FIXME: todo assign static additional to reservation in kea + # }; linkConfig.RequiredForOnline = "routable"; }; - # Remaining macvtap interfaces should not be touched. 
- "90-macvtap-ignore" = { - matchConfig.Kind = "macvtap"; - linkConfig.ActivationPolicy = "manual"; - linkConfig.Unmanaged = "yes"; - }; } - // lib.flip lib.concatMapAttrs globals.net.home-lan.vlans ( - vlanName: vlanCfg: { - "30-vlan-${vlanName}" = { - matchConfig.Name = "vlan-${vlanName}"; - # This interface should only be used from attached macvlans. - # So don't acquire a link local address and only wait for - # this interface to gain a carrier. - networkConfig.LinkLocalAddressing = "no"; - networkConfig.MACVLAN = "me-${vlanName}"; - linkConfig.RequiredForOnline = "carrier"; - }; - "40-me-${vlanName}" = { - address = [ - vlanCfg.hosts.ward.cidrv4 - vlanCfg.hosts.ward.cidrv6 - ]; - matchConfig.Name = "me-${vlanName}"; - networkConfig = { - IPv4Forwarding = "yes"; - IPv6PrivacyExtensions = "yes"; - IPv6SendRA = true; - IPv6AcceptRA = false; - # DHCPPrefixDelegation = true; - }; - # dhcpPrefixDelegationConfig.UplinkInterface = "wan"; - # dhcpPrefixDelegationConfig.Token = "::ff"; - # Announce a static prefix - ipv6Prefixes = [ - { Prefix = vlanCfg.cidrv6; } - ]; - # Delegate prefix - # dhcpPrefixDelegationConfig = { - # SubnetId = vlanCfg.id; - # }; - # Provide a DNS resolver - # ipv6SendRAConfig = { - # Managed = true; - # EmitDNS = true; - # FIXME: this is not the true ipv6 of adguardhome DNS = globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6; - # FIXME: todo assign static additional to reservation in kea - # }; - linkConfig.RequiredForOnline = "routable"; - }; - } - ); + ); networking.nftables = { firewall = { - zones = - { - untrusted.interfaces = [ "wan" ]; - proxy-home.interfaces = [ "proxy-home" ]; - firezone.interfaces = [ "tun-firezone" ]; - adguardhome.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4 ]; - adguardhome.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6 ]; - web-proxy.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv4 ]; - 
web-proxy.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv6 ]; - samba.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.sire-samba.ipv4 ]; - samba.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.sire-samba.ipv6 ]; - scanner-ads-4300n.ipv4Addresses = [ - globals.net.home-lan.vlans.devices.hosts.scanner-ads-4300n.ipv4 - ]; - scanner-ads-4300n.ipv6Addresses = [ - globals.net.home-lan.vlans.devices.hosts.scanner-ads-4300n.ipv6 - ]; + zones = { + untrusted.interfaces = [ "wan" ]; + proxy-home.interfaces = [ "proxy-home" ]; + firezone.interfaces = [ "tun-firezone" ]; + adguardhome.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4 ]; + adguardhome.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6 ]; + web-proxy.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv4 ]; + web-proxy.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv6 ]; + samba.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.sire-samba.ipv4 ]; + samba.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.sire-samba.ipv6 ]; + scanner-ads-4300n.ipv4Addresses = [ + globals.net.home-lan.vlans.devices.hosts.scanner-ads-4300n.ipv4 + ]; + scanner-ads-4300n.ipv6Addresses = [ + globals.net.home-lan.vlans.devices.hosts.scanner-ads-4300n.ipv6 + ]; + } + // lib.flip lib.concatMapAttrs globals.net.home-lan.vlans ( + vlanName: _: { + "vlan-${vlanName}".interfaces = [ "me-${vlanName}" ]; } - // lib.flip lib.concatMapAttrs globals.net.home-lan.vlans ( - vlanName: _: { - "vlan-${vlanName}".interfaces = [ "me-${vlanName}" ]; - } - ); + ); rules = { masquerade-internet = { @@ -280,6 +278,7 @@ verdict = "accept"; }; + # FIXME: is this needed? conntrack should take care of it and we want to masquerade anyway forward-outgoing-firezone-traffic = { from = [ "vlan-services" ]; to = [ "firezone" ]; 
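Review bot: The new FIXME above `forward-outgoing-firezone-traffic` reasons that conntrack and masquerading make the rule redundant, but conntrack only admits reply packets of flows that were already accepted, and masquerade is a postrouting NAT action that accepts nothing in the forward chain; as far as this hunk shows, this rule is what lets a host in vlan-services open a new connection towards tun-firezone. Unless a masquerade rule in this module also carries an accept verdict for that direction (not visible here), removing it would silently break new flows from vlan-services to the tunnel. I would resolve the question now instead of leaving it open, replacing the FIXME with `# Needed: admits new flows from vlan-services to the tunnel; conntrack only covers the replies.` once that has been confirmed by testing with the rule removed. The enclosing `rules` attribute set continues outside the hunk.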
diff --git a/modules/mealie.nix b/modules/mealie.nix index 0fc0b60..90f88e5 100644 --- a/modules/mealie.nix +++ b/modules/mealie.nix @@ -48,6 +48,12 @@ in ''; }; + trustedProxies = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + description = "A list of trusted proxies. You must set this when you are using OIDC behind https, otherwise the generated redirect url will have the wrong url scheme."; + }; + credentialsFile = lib.mkOption { type = with lib.types; nullOr path; default = null; @@ -69,20 +75,14 @@ in ''; }; }; - - trustedProxies = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = [ ]; - description = "A list of trusted proxies. You must set this when you are using OIDC behind https, otherwise the generated redirect url will have the wrong url scheme."; - }; }; config = lib.mkIf cfg.enable { systemd.services.mealie = { description = "Mealie, a self hosted recipe manager and meal planner"; - after = [ "network-online.target" ] ++ lib.optional cfg.database.createLocally "postgresql.service"; - requires = lib.optional cfg.database.createLocally "postgresql.service"; + after = [ "network-online.target" ] ++ lib.optional cfg.database.createLocally "postgresql.target"; + requires = lib.optional cfg.database.createLocally "postgresql.target"; wants = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; @@ -91,8 +91,9 @@ in API_PORT = toString cfg.port; BASE_URL = "http://localhost:${toString cfg.port}"; DATA_DIR = "/var/lib/mealie"; - NLTK_DATA = pkgs.nltk-data.averaged_perceptron_tagger_eng; - } // (builtins.mapAttrs (_: toString) cfg.settings); + NLTK_DATA = pkgs.nltk-data.averaged-perceptron-tagger-eng; + } + // (builtins.mapAttrs (_: toString) cfg.settings); serviceConfig = { DynamicUser = true; 
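Review bot: The `trustedProxies` description says when the option is needed but not what trusting a proxy implies: addresses listed here are presumably allowed to set the forwarded scheme and host headers that the OIDC redirect URL is built from, so listing anything wider than the reverse proxy actually in front of Mealie lets every client on that range spoof the redirect URL. I would extend the description with `Only list the reverse proxy in front of Mealie; forwarded headers from these addresses are trusted, so an overly wide entry lets clients spoof the request scheme and host.` How the option is consumed is outside this hunk, so the exact header semantics should be checked against that code before wording it as fact.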
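Review bot: `postgresql.target` replaces `postgresql.service` in both `after` and `requires`; that target only exists in nixpkgs revisions that ship the reworked PostgreSQL units, so on an older channel `requires` would point at a missing unit and keep mealie from starting at all. Since this commit bumps the nixpkgs input in the same change this is probably intended, but a one-line comment would save the next reader a lookup and document the channel floor: `# postgresql.target (not .service) is the ready signal since the nixpkgs PostgreSQL unit rework; needs a recent channel`. The service definition continues past the hunk.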
diff --git a/secrets/global.nix.age b/secrets/global.nix.age index 9016b6aaca93a75f22abce0fcd5361483abff5d8..8dca345b3f23abdfef22d08a47b06cfd9f0c8afe 100644 GIT binary patch literal 3782 zcmV;%4mt5*XJsvAZewzJaCB*JZZ23MrIB;=N zFlA_KHgHB+cuq@rLozivZgx0IS!6hGYe@<%J|HP#W-VuOWnpt=3S~5B3N0-yAVN!2 zVRKVQIeAY^Z$nFZK{hgBR90<6Sz|;naCL5GadlH;MPzj=LQHKm3g7KwphC3e|B`?W zz-|XlTASd8>BS|CzNMI5LC^UMAnl}ikSDOj{{^vpUbvoHqAS@1 z|2u!pK;c&c1PqJ0%v-vF#3A0vG&&7tODF0{uwM`taTGvkD6S9Q>dRAN$lTeI>gGh^ z+8Q@Y?PRpOtyVm*oeeMFK+CFPSKbJr zR1Wb3^KkzUx_ZIn{X$`ziO1{R<6#<782%(LmX%d3xn$m!c3r=!Ljd=3| zW>(wa8s4DL+)`WhM8v}UV4euDp2Es#PU39F8kP@w(a)}og{yoHzCeLm*XPS}6&e9Y z{XN0OluQLr5eE|$G~JwCw~N_{-rUvfmKRBMJ1!nE$4uaC{<(9#ZzPt~lmDeQ;9kJ1 zk2^H<+JxYlC_z`qd2xo*{bjHem1}`Tw@HusTTz>c+ikC#;`8m(CE4Vn34g51@tvVD zIf3qhiJND^S( zmc#+@CF7Xgm;)!#LzTQ|lNLvyHYilqXs=cvvWb^$SB*+_=FN4gf;FVO3@IaOxvZm4 zH>Q2Ys&mTPv;>Wp)T{#vZInPb24Sm0_d2bxlOS3k&tJILGV%avz&N4A7vwEIj0n9gnK5`NidPIx2Kz

ZeKd2uU<(obMEg<72ic`EoL zE1D=wMVLkE?5=y&w9|nmV53Du=@!k%e`(uw;FB|-c+VnB0bFKoBX3TIzl%hb+Zzl1 zRSMa;4U_XZ7}W_2#0aQ>mrJoK)v?aaotsu91J#o14De1*WPeWsih;6l-c@u{Y-`&* zDD&wV7{ZX(>M-SfprnoR4Z#VZ7pGeE6Ewydu)_#V)&}h6#cHoFr<(@nf2w1g;jytY zyj?n-l5Czb&~S~Vk15cS2!cyHaD-ec_IND-TPBRZBg5J61|DcJ$jH6vhDQc2Y!ml} z61<3thZhIHz_l~+F zgPoUg)Qye_c@!7^V3;O=E@69Za^E;VdBW}_UW)C7^?{OjjAFgP)HhJHc7e1F9!i3% z2(cm^`(ySL@_L8{KQQVGRpD`N1Z8xR+6skA%s%SL*WFztLfgyL zAS7S^Bv(rq44bLaWO*}Htj3iv{(hRn8h)Q=5X z0Pb$q&fWE7rbJ5m9okXdA6gAjHkvf!TJYLA+;YjBlHePxPL$vz0e#+@f9ttQUG53^ zu9h^x1Lm?GB;y72EIOvvm3B%5r>vy+WaO`>dE(ATH=t5V!aWsOc!fN|G2dv(tTpc+ z>W3eER#VPfu{9XK8)&*lXl^*xHsodb^*MX+JUEtRAg5~p0izt3F1WfBX=ASE6jp5< zmz%^0b;R8#_X=67t4!R){&)4cK&niYQs1>fnHkBabURNsb?MHvD~>xB{_IC6_$`@9 z9hl>MN^MEz9Z!d>zrqM^<*c3(TaX7cX31>;MWYc9@=UHZ&ASuO#Sji4f3zqG*h(O$<@NhSP2xA#Y z@^bD^3W6E7xbavgg&m}zgX%6Y&YveLEtpuI1Ar8G`xg9hqR%MGCLRuG_04Uxn|ZhN z3Cp2`r*LXNk>b>{m_=D&l)q3hK^Qc=df>OU)azj~d$*hhM4D-EF3`AVu(DDGN&jzh zi*L;cE$E_8V^d;N*6?tl?&~`QAZ-I6(w|-rmyI)^H5s_grEU`xy}cf9P}{{M7<;-i z1*?0W7u`!jlB_W9o4>lPz%*JC z0S|7JRd@ef9mmxSgI0%vwyGwSQAs+e{Zb0)FPV}!L?IE1?1{d;azVujRs%P=fRr}+Wt1^RSi zeP$A2ghKWZY>`wp8DTQhrPz#^=Hq>11$iORh{=X;)`=K0GB5FnC)Jhi1&+8y&MxJ5 zJ7IOs&m7y4rcr@ATr_xBF{2ivZ$KOPS(~%DUnbr$DmJO;{4&iV?RI`6;0YO2R1KV8a zD)n81kl}nVOi=9DkRolU7}b@9iDoNcob9mM8hMA%r#(bt;!$?N`pBQ2+|dkB8KGU+ z^N*@v8wp3{h|kQ_&lgSE7cG6|_pjIdo4v{aHD?DRl04DZ{Qa;h__Kbs96Wnd6W4YE zhoI&{t-unR92OnF_RyeJs_e{DEZbX%iz91r-cn)ePY_4>=05b^s3N63zU9&g3l+R6 zkEM^UG%zxGJu=+^-fdUcOVVj;(cw7H3KqWd7#ep;cg7HY^k{!wz(U6riubzB#I{)zgZYe(ZlrQk;LlXZQ=6P|9Ju%WSRo)7*2|6L>fO6dil zN5#vpg`m2x9&%Hc&=#QVpl;wN&&OJxGNK*dH~K9#i;E#?2BltzASuD4ebmvs)Daw7 zaZlAO_e{iQ1H%+eJ%YfmnDB9-$4Zc`{;~CI!Z%21SH`q#+TvbO&HnH*!4)>546y=^ zt8dgco26k1zYL=&apYJ%XddkWl2%O_{@gH&MytL>SKY3Vd=S>S${+Qk38Y-g^D_pt z3&*?yUvlVZGh%#ukpvnMRnpjY$)7;9l>2hth|E!J-r`&SAtuT&hKwY)*ze?2we{zv18>rG$C>_X<^sQ9jh_{bcVo3F6*YW}Z)o_)z)V>8b7M^9&Ps5ExE4KO2T~p2G8kSxsY9 z$&RaM06+Cv;187JJ*kY#sewm#WbTKUiw_3rAYnctt|o<>9wYioQX_re>mA20&6-oX 
z=zy_U6aHg^3rN)Sx&p->RU;6WMj8t#!^dkEx}4~zb8J86jN@Ql3U7jJV&yOBv459` z6Fwm}P*l_QJEw*7_1w~jT%COM8ZS5+U1Sa1P*pPca+3h0j-?UcwvCkmwdZib9bH?R zLclYOjAAq3=F#gdn|n=Gl>}J3Kd<1^Y`w&WVJ4e|6K3Hnr!OVC5>Jlm_zV2TPa97+ zr5a8NzGXGlIPz9GXvZX*?zf})H93&{2^$CC9cd5TD5J z4(@q;#sb~^+OdBQAj@EAr@`$AnNV4h0rY5yq>yCm9tImZh#dFE$BjT4u*6neE_><8 w4yK;2f24KOG+8FQa9MYD7$FR0=2KTe)vck-s~@frVrRq`8ub|gm_ik$5=wtGoOf_|AI9GNwPc<}DYAZHjGE8`SFLnxeZEH$lP%>9EH&1LaS}S-= zVR~#+Rb)zOOJ-GdW>YX(ZcAxqX<~L}bubDoJ|IC-E_7clXL4m>b7de?AUSagT4r}f zL3T-FMP^koNp*8WGHz3MGDJ>UL{w)_GE7i$PHahXF;_x!NG~vUaC0~@OldY#F;6Qi zNlZm)L}EBY3TkUf3pQg?M?F<47cVsKV4PIPWeb4p@uIc{QYX9`Df zPTy7npzKh)m+XyH6Cm6DDgC5}P7yy>v_Fkd0C!5A&S(dtrUK4j1FEU>?$>O4PW9jc zhW&iyE5u{FwdKsHI@>_ZzEq(q!#3A$$Z0K}onTni%`9t`OZ8rBw_pvsSrnLauukDx zdiG2CFAq$r(S{2T&-QuuGev)hcNKXx6k%J&Exk&4QztQc#8GwAUzP{`PG!a5y*EgB=Tz!`I-96Xupy)Cd{_UEuU%6{A_rhQnUGG?E9fjV8%==^YxB zv|59`zjV3p?PIDfY)4lU)_Qft?!?w zw*!yG`yV=VDxUf9m|+O@pS?`2Vga8w$=Frg9BGN2tdVNR(=|FN*dM_#} zQ1lqVl$61$qe%*B$KBWLJ2Td(T`&&ATTbr!D(PCHH;bMO|71!Wh3P;`dT_8y16AD? zcWCAruXt+rd8$i4?aQz>bKF-q%eDaJ)F}L|s#NMQp|)dmFWF=1)m?zR(r3OoY@ z9iY-AgzTrxi`eATOQC2&TefdCqvz)DjyaTU;5i~+_dr~wl_gHg6otevSD#YIU<0MO zzXe!v5p?#a@+=-vMH8o71*4UX3XkM@S$3qmT%}FzyQ~C@lO>0GKvHB?r>y$>*gDQ=N zHLg#eLv63^0@k^W^r69aW@Dnocj5ooJ8p3w^5P0KWB+ z%`2}3HRKp7Ac^RwN?^)lglg>+@HIloV1%U{@!lXUETc|+bVGqwqMBJT{r>grs2M$J z-N6e(bokZAYT?v}Hehf4 zwLB}dxYvJKqdU&zYIhk+NO9sHb_H3{Ca^Ht!Mm!}P8t!DCTxf;zHS+IoB@Dv41`+j zv(-rPcYGGBXSyWap}%;o=*YKG?~ljAQT@_vI^uJhhyh{G>vL1cl39mlB`>n4QjeV$tgOzZ>ICg zE`RZ&3bZEdOD_cGEh32g-xOy+xvlt@@iiSMyXqL#!M!(^ZiK2HaNqJR@0;)Xz;#1c z*ql=;<1ap#{1p{Zc>HbWojzf{nnVIlq16oA{^spniI$Mmv0bB#m|dEk?mo7lVt0g2$~3G0TVuKoID-a^yC63{Pj(u8^XR($al!D<&@a1KlAPO^IGfKzFHjo8IXy=)5l z6&o6+`XYoylz&xc?B4|CVjSZ{BBvWLwn_#=%c%vyXqr%rJ*6kQqL4n{fN9~VPl~JJ zeBQBfT(YH&8fzN`a(p;v+A$}dz(i!uCwU&{SvQsq%g$jOPG~2%Mr-P_=*yBBMiq9a zeB*N0r_(-ul@C+7QrUSFNMA7#Df>rle;crqHt!NK$p0lvU7=BoT`e3=Pj@H}kg|u! 
zk%=KSE3>Neq>s)@nkRnfBD*sqwP~k|M1c$58tjaHmDOW32R+J$Mk6C0TXo~; z%ElijPay^PS?CXWN=o0s0&+{Z_Cj%Z6`hkxB+hK3+m$TLy}z%!7mzmG=mf>5P8jAO z*bJ~RdWxyky?R zT|x!AY;m{UMUg6OVY-1>T~l}pWwG#+)^QxDfMceGU8MtH{G+hS-0;i&t6kn|s>|QZ zv%A4f_raz@r?N3y$v8T+3Pcp_bz>*`D(2h2VsrD(Ff9+SEZHY$pYTrP&5e zb=gm40zr*8ow}A-wOqnhtV_X2R}{z22O^Z2S-d$pQ1(y953v}FVoiZyx3nNTxv?a+ zmRDZ;gEx!K{a77G4gDzCuk?^MJOvFP4JYY)mjZ?^)|IJySjI5A9qZFxLto2!Ib`%2 z)HJz&|g=5$#rM+BZQ&3S0=>(HeU~}f1OCu+>q+ciRyjG2W|Vw z1*@g(cumF6VwwvRX!|xjljIhl*{A=&Q+t_R!Mq+XWaW<;{L%Xx{yRmrdfVg5lp03q_=+!LoemEGaD*U;rXMP!*GiB3wG@rT*9g?4TtM$(l{ zX?Q*YX>|?S3u!<*6kpB&^k&#YxPRGJRC{SOEwit@yryqfyDiyM4~TML z`L_0m_AruD?;56k6zlT}rbb|u_dXJjV=8^ZEK3y3t<){GQ_%#i<~v+vgoiMJq00@shO|cc^rkyyOx`=_4C~o8eZfpS^9Px6i$j;EUOyJ}3)<)J{9$EsA zJnp5V{|A=%(%+EPO@jdx<9(S?n!17uogu%&CtSpuk|CX7ucr)a#-C86Q6eBZ7hiIE z6+I=a0d{=$;WqriZ5_`q&lEfQ_e=Q_zKRIX?V_r2mbOl+DUcqXR%uySOuMqyfby0( zw5PTngK&~mJEDXYoiUpG+=UM$sTe0DOJNMdb>x)mRLg`_jw}I(+5**oHw1_HveO?9 z^v3bBYU`WKm1|NXRYG%=S>!zAC_t0}y`2s1K-zG&SImjDmEIhj=ON(P$pIPO+#vx_ zGPJMN(L$$5mzdiJZ8+_`Ux`8t*EmytZc&DI!&3)(O=}*;m}7V*GB$t7`D8<8V<=w6 zn;d=_$;%TbJnk2f!+mst{Z68OriY@xrdfa@nxmKFzU#q$OvDW4MgNTK#Ou(trm`&3 zbvhwJ%9ow)1@4;_7ZKd2cW(u&nMm1o#;P+RC>O!=KA%R>iGiL3EjZDMXLX?`_@mnt z5vkK0kh24z%MGI*G_eIcY7+bJtGjdwQB-bvFOhak?<|Y}ibMwuL1(5QdC}x_Xp4Ne zS2$M6%>Mb^naEvZ@mLN{tE?`(ol+kktkC65Mi}mfFsz2io4W`5(CPG!JAiypv^BA4 zU4_pA3wG`=C~$GfL3#fpri=9=F3Fk=pdejW_C;Cbw#J40UXDjCYuWz#;GwgCJY2QYP zByd~+A+e!=SDXRf76v7I{=2C^az(dA9ePv*4ou(#4BlaIk!{$hI-p)Jdg^PA6|9kj z6_Gu8P@A-6It^{{cUNHbz@I3n7zP(4$whHA2B6ujE5vE}s^X*%5wT3QJPk3Qg!8sT zsg*OYYHTElLUAVum*nzgtF6?scF~OQ@)unv1`4kEnS$lZyS<8ty~51FZlGVm(uB4} zCykjR(60liAXiTi2!UXh(oBk%+JRF;n{{Ue;Lnwzu{V8Kv7W1r