mirror of https://github.com/oddlama/nix-config.git synced 2025-10-10 23:00:39 +02:00

chore: update flake

oddlama 2025-08-01 21:06:07 +02:00
parent 7d4ce411c2
commit 748d5a4bf3
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
7 changed files with 197 additions and 170 deletions


@ -48,5 +48,6 @@
avahi = uidGid 963;
ente = uidGid 962;
minio = uidGid 961;
kea = uidGid 960;
};
}

134
flake.lock generated

@ -12,11 +12,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1747575206,
"narHash": "sha256-NwmAFuDUO/PFcgaGGr4j3ozG9Pe5hZ/ogitWhY+D81k=",
"lastModified": 1750173260,
"narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
"owner": "ryantm",
"repo": "agenix",
"rev": "4835b1dc898959d8547a871ef484930675cb47f1",
"rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
"type": "github"
},
"original": {
@ -36,11 +36,11 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1749289693,
"narHash": "sha256-fSMlofc9z/G/bfwgtDD+zy9RBqKR71FsLNU8mfLwPq0=",
"lastModified": 1752094135,
"narHash": "sha256-kd5/x5SshFVFHWUf/7rRqXQ06aUaD6VJdUYRCDUHHo0=",
"owner": "oddlama",
"repo": "agenix-rekey",
"rev": "57cb67bc61f8421c576085d595d902f02828d953",
"rev": "395cdb1631e9715e37d0e859a2b1da63f0ae333b",
"type": "github"
},
"original": {
@ -85,11 +85,11 @@
},
"crane_3": {
"locked": {
"lastModified": 1748047550,
"narHash": "sha256-t0qLLqb4C1rdtiY8IFRH5KIapTY/n3Lqt57AmxEv9mk=",
"lastModified": 1753316655,
"narHash": "sha256-tzWa2kmTEN69OEMhxFy+J2oWSvZP5QhEgXp3TROOzl0=",
"owner": "ipetkov",
"repo": "crane",
"rev": "b718a78696060df6280196a6f992d04c87a16aef",
"rev": "f35a3372d070c9e9ccb63ba7ce347f0634ddf3d2",
"type": "github"
},
"original": {
@ -273,11 +273,11 @@
]
},
"locked": {
"lastModified": 1749200714,
"narHash": "sha256-W8KiJIrVwmf43JOPbbTu5lzq+cmdtRqaNbOsZigjioY=",
"lastModified": 1753140376,
"narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=",
"owner": "nix-community",
"repo": "disko",
"rev": "17d08c65c241b1d65b3ddf79e3fac1ddc870b0f6",
"rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c",
"type": "github"
},
"original": {
@ -547,11 +547,11 @@
"nixpkgs-lib": "nixpkgs-lib_2"
},
"locked": {
"lastModified": 1748821116,
"narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=",
"lastModified": 1753121425,
"narHash": "sha256-TVcTNvOeWWk1DXljFxVRp+E0tzG1LhrVjOGGoMHuXio=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1",
"rev": "644e0fc48951a860279da645ba77fe4a6e814c5e",
"type": "github"
},
"original": {
@ -586,11 +586,11 @@
]
},
"locked": {
"lastModified": 1743550720,
"narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
"lastModified": 1753121425,
"narHash": "sha256-TVcTNvOeWWk1DXljFxVRp+E0tzG1LhrVjOGGoMHuXio=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "c621e8422220273271f52058f618c94e405bb0f5",
"rev": "644e0fc48951a860279da645ba77fe4a6e814c5e",
"type": "github"
},
"original": {
@ -607,11 +607,11 @@
]
},
"locked": {
"lastModified": 1743550720,
"narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
"lastModified": 1753121425,
"narHash": "sha256-TVcTNvOeWWk1DXljFxVRp+E0tzG1LhrVjOGGoMHuXio=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "c621e8422220273271f52058f618c94e405bb0f5",
"rev": "644e0fc48951a860279da645ba77fe4a6e814c5e",
"type": "github"
},
"original": {
@ -945,11 +945,11 @@
"rust-overlay": "rust-overlay_3"
},
"locked": {
"lastModified": 1748959397,
"narHash": "sha256-hq+njWbMLAfQIFEP+8G/7xLz1ZELWC+780332FdpnW0=",
"lastModified": 1753693791,
"narHash": "sha256-pZQyCkqIFwGA77np+vqVQZgg2P0qPAI6x6kC3w6+PjE=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "20721e48123f1f900b323a76349130080a2f8343",
"rev": "785a5701b22259b85735301b1aad19c2bee15498",
"type": "github"
},
"original": {
@ -980,11 +980,11 @@
"spectrum": "spectrum"
},
"locked": {
"lastModified": 1748464257,
"narHash": "sha256-PdnQSE2vPfql9WEjunj2qQnDpuuvk7HH+4djgXJSwFs=",
"lastModified": 1753388547,
"narHash": "sha256-zbjlS9sa2BbtE80YA9C9DMXwCADba3NjUROw/7Rpt7Y=",
"owner": "astro",
"repo": "microvm.nix",
"rev": "e238645b6f0447a2eb1d538d300d5049d4006f9f",
"rev": "9694139d7c761e857ac9d025f9110a92cd8f7686",
"type": "github"
},
"original": {
@ -1086,11 +1086,11 @@
]
},
"locked": {
"lastModified": 1748751003,
"narHash": "sha256-i4GZdKAK97S0ZMU3w4fqgEJr0cVywzqjugt2qZPrScs=",
"lastModified": 1753589988,
"narHash": "sha256-y1JlcMB2dKFkrr6g+Ucmj8L//IY09BtSKTH/A7OU7mU=",
"owner": "Mic92",
"repo": "nix-index-database",
"rev": "2860bee699248d828c2ed9097a1cd82c2f991b43",
"rev": "f0736b09c43028fd726fb70c3eb3d1f0795454cf",
"type": "github"
},
"original": {
@ -1109,11 +1109,11 @@
"pre-commit-hooks": "pre-commit-hooks_4"
},
"locked": {
"lastModified": 1744142264,
"narHash": "sha256-h5KyodobZm8dx/HSNN+basgdmjxrQxudjrss4gAQpZk=",
"lastModified": 1752093877,
"narHash": "sha256-P0TySh6sQl1EhfxjW9ZqGxEyUBSsEpdnchOe1QB0pLA=",
"owner": "oddlama",
"repo": "nix-topology",
"rev": "f49121cbbf4a86c560638ade406d99ee58deb7aa",
"rev": "6a536c4b686ee4bcf07a7b0f8b823584560e2633",
"type": "github"
},
"original": {
@ -1169,11 +1169,11 @@
]
},
"locked": {
"lastModified": 1747663185,
"narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=",
"lastModified": 1751903740,
"narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc",
"rev": "032decf9db65efed428afd2fa39d80f7089085eb",
"type": "github"
},
"original": {
@ -1184,11 +1184,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1749195551,
"narHash": "sha256-W5GKQHgunda/OP9sbKENBZhMBDNu2QahoIPwnsF6CeM=",
"lastModified": 1753122741,
"narHash": "sha256-nFxE8lk9JvGelxClCmwuJYftbHqwnc01dRN4DVLUroM=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "4602f7e1d3f197b3cb540d5accf5669121629628",
"rev": "cc66fddc6cb04ab479a1bb062f4d4da27c936a22",
"type": "github"
},
"original": {
@ -1220,11 +1220,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1749143949,
"narHash": "sha256-QuUtALJpVrPnPeozlUG/y+oIMSLdptHxb3GK6cpSVhA=",
"lastModified": 1753939845,
"narHash": "sha256-K2ViRJfdVGE8tpJejs8Qpvvejks1+A4GQej/lBk5y7I=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d3d2d80a2191a73d1e86456a751b83aa13085d7d",
"rev": "94def634a20494ee057c76998843c015909d6311",
"type": "github"
},
"original": {
@ -1248,11 +1248,11 @@
},
"nixpkgs-lib_2": {
"locked": {
"lastModified": 1748740939,
"narHash": "sha256-rQaysilft1aVMwF14xIdGS3sj1yHlI6oKQNBRTF40cc=",
"lastModified": 1751159883,
"narHash": "sha256-urW/Ylk9FIfvXfliA1ywh75yszAbiTEVgpPeinFyVZo=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "656a64127e9d791a334452c6b6606d17539476e2",
"rev": "14a40a1d7fb9afa4739275ac642ed7301a9ba1ab",
"type": "github"
},
"original": {
@ -1299,11 +1299,11 @@
"systems": "systems_6"
},
"locked": {
"lastModified": 1749200997,
"narHash": "sha256-In+NjXI8kfJpamTmtytt+rnBzQ213Y9KW55IXvAAK/4=",
"lastModified": 1753977315,
"narHash": "sha256-AM3CZh+Emk/cr5Gf6RUf2xzkWdRB+yewP1YWoRxUbYQ=",
"owner": "nix-community",
"repo": "nixvim",
"rev": "00524c7935f05606fd1b09e8700e9abcc4af7be8",
"rev": "a16c89c175277309fd3dd065fb5bc4eab450ae07",
"type": "github"
},
"original": {
@ -1322,11 +1322,11 @@
]
},
"locked": {
"lastModified": 1748298102,
"narHash": "sha256-PP11GVwUt7F4ZZi5A5+99isuq39C59CKc5u5yVisU/U=",
"lastModified": 1753450833,
"narHash": "sha256-Pmpke0JtLRzgdlwDC5a+aiLVZ11JPUO5Bcqkj0nHE/k=",
"owner": "NuschtOS",
"repo": "search",
"rev": "f8a1c221afb8b4c642ed11ac5ee6746b0fe1d32f",
"rev": "40987cc1a24feba378438d691f87c52819f7bd75",
"type": "github"
},
"original": {
@ -1415,11 +1415,11 @@
]
},
"locked": {
"lastModified": 1747372754,
"narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
"lastModified": 1750779888,
"narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
"rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
"type": "github"
},
"original": {
@ -1534,11 +1534,11 @@
]
},
"locked": {
"lastModified": 1747372754,
"narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
"lastModified": 1750779888,
"narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
"rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
"type": "github"
},
"original": {
@ -1708,11 +1708,11 @@
]
},
"locked": {
"lastModified": 1748227081,
"narHash": "sha256-RLnN7LBxhEdCJ6+rIL9sbhjBVDaR6jG377M/CLP/fmE=",
"lastModified": 1753584741,
"narHash": "sha256-i147iFSy4K4PJvID+zoszLbRi2o+YV8AyG4TUiDQ3+I=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "1cbe817fd8c64a9f77ba4d7861a4839b0b15983e",
"rev": "69dfe029679e73b8d159011c9547f6148a85ca6b",
"type": "github"
},
"original": {
@ -1772,11 +1772,11 @@
"spectrum": {
"flake": false,
"locked": {
"lastModified": 1746869549,
"narHash": "sha256-BKZ/yZO/qeLKh9YqVkKB6wJiDQJAZNN5rk5NsMImsWs=",
"lastModified": 1751265943,
"narHash": "sha256-XoHSo6GEElzRUOYAEg/jlh5c8TDsyDESFIux3nU/NMc=",
"ref": "refs/heads/main",
"rev": "d927e78530892ec8ed389e8fae5f38abee00ad87",
"revCount": 862,
"rev": "37c8663fab86fdb202fece339ef7ac7177ffc201",
"revCount": 904,
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
},
@ -1967,11 +1967,11 @@
]
},
"locked": {
"lastModified": 1749194973,
"narHash": "sha256-eEy8cuS0mZ2j/r/FE0/LYBSBcIs/MKOIVakwHVuqTfk=",
"lastModified": 1754061284,
"narHash": "sha256-ONcNxdSiPyJ9qavMPJYAXDNBzYobHRxw0WbT38lKbwU=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "a05be418a1af1198ca0f63facb13c985db4cb3c5",
"rev": "58bd4da459f0a39e506847109a2a5cfceb837796",
"type": "github"
},
"original": {


@ -88,6 +88,31 @@ in
id = 22;
mac = globals.macs.bambulab-p1s;
};
hosts.shelly-mains = {
id = 23;
mac = globals.macs.shelly-mains;
};
hosts.shelly-solar = {
id = 24;
mac = globals.macs.shelly-solar;
};
# FIXME: forbid these devices on other interfaces... maybe put them into separate switches vlan.
# hosts.tl-sg105e-flur = {
# id = ;
# mac = globals.macs.tl-sg105e-flur;
# };
# hosts.tl-sg105e-garage = {
# id = ;
# mac = globals.macs.tl-sg105e-garage;
# };
# hosts.tl-sg105e-keller = {
# id = ;
# mac = globals.macs.tl-sg105e-keller;
# };
# hosts.tl-sg108e-dach = {
# id = ;
# mac = globals.macs.tl-sg108e-dach;
# };
};
guests = {
id = 50;
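Review bot: The commented-out switch entries under the `FIXME` use `id = ;`, which is not valid Nix, so uncommenting any of them as written breaks evaluation; a marker such as `# id = <unassigned>;` would make the missing value explicit. The FIXME also records an open isolation gap: the tl-sg105e/tl-sg108e switches get no reservation here, and nothing visible in this hunk keeps them off other interfaces. A `mac`-keyed host entry identifies a device but does not authenticate it, so confinement has to come from the VLAN and firewall zone assignment rather than from this list. The enclosing `hosts` set starts outside the hunk, so which VLAN these entries belong to cannot be confirmed from here.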


@ -49,6 +49,7 @@ in
"mqtt"
"ollama"
"radio_browser"
"shelly"
"soundtouch" # Bose SoundTouch
"spotify"
"wake_word"


@ -85,111 +85,109 @@
}
);
systemd.network.networks =
{
"10-lan" = {
matchConfig.Name = "lan";
# This interface should only be used from attached vlans.
systemd.network.networks = {
"10-lan" = {
matchConfig.Name = "lan";
# This interface should only be used from attached vlans.
# So don't acquire a link local address and only wait for
# this interface to gain a carrier.
networkConfig.LinkLocalAddressing = "no";
linkConfig.RequiredForOnline = "carrier";
vlan = map (name: "vlan-${name}") (builtins.attrNames globals.net.home-lan.vlans);
};
"10-wan" = {
#DHCP = "yes";
#dhcpV4Config.UseDNS = false;
#dhcpV6Config.UseDNS = false;
#ipv6AcceptRAConfig.UseDNS = false;
address = [ globals.net.home-wan.hosts.ward.cidrv4 ];
gateway = [ globals.net.home-wan.hosts.fritzbox.ipv4 ];
matchConfig.Name = "wan";
networkConfig.IPv6PrivacyExtensions = "yes";
# dhcpV6Config.PrefixDelegationHint = "::/64";
# FIXME: This should not be needed, but for some reason part of networkd
# isn't seeing the RAs and not triggering DHCPv6. Even though some other
# part of networkd is properly seeing them and logging accordingly.
dhcpV6Config.WithoutRA = "solicit";
linkConfig.RequiredForOnline = "routable";
};
# Remaining macvtap interfaces should not be touched.
"90-macvtap-ignore" = {
matchConfig.Kind = "macvtap";
linkConfig.ActivationPolicy = "manual";
linkConfig.Unmanaged = "yes";
};
}
// lib.flip lib.concatMapAttrs globals.net.home-lan.vlans (
vlanName: vlanCfg: {
"30-vlan-${vlanName}" = {
matchConfig.Name = "vlan-${vlanName}";
# This interface should only be used from attached macvlans.
# So don't acquire a link local address and only wait for
# this interface to gain a carrier.
networkConfig.LinkLocalAddressing = "no";
networkConfig.MACVLAN = "me-${vlanName}";
linkConfig.RequiredForOnline = "carrier";
vlan = map (name: "vlan-${name}") (builtins.attrNames globals.net.home-lan.vlans);
};
"10-wan" = {
#DHCP = "yes";
#dhcpV4Config.UseDNS = false;
#dhcpV6Config.UseDNS = false;
#ipv6AcceptRAConfig.UseDNS = false;
address = [ globals.net.home-wan.hosts.ward.cidrv4 ];
gateway = [ globals.net.home-wan.hosts.fritzbox.ipv4 ];
matchConfig.Name = "wan";
networkConfig.IPv6PrivacyExtensions = "yes";
# dhcpV6Config.PrefixDelegationHint = "::/64";
# FIXME: This should not be needed, but for some reason part of networkd
# isn't seeing the RAs and not triggering DHCPv6. Even though some other
# part of networkd is properly seeing them and logging accordingly.
dhcpV6Config.WithoutRA = "solicit";
"40-me-${vlanName}" = {
address = [
vlanCfg.hosts.ward.cidrv4
vlanCfg.hosts.ward.cidrv6
];
matchConfig.Name = "me-${vlanName}";
networkConfig = {
IPv4Forwarding = "yes";
IPv6PrivacyExtensions = "yes";
IPv6SendRA = true;
IPv6AcceptRA = false;
# DHCPPrefixDelegation = true;
};
# dhcpPrefixDelegationConfig.UplinkInterface = "wan";
# dhcpPrefixDelegationConfig.Token = "::ff";
# Announce a static prefix
ipv6Prefixes = [
{ Prefix = vlanCfg.cidrv6; }
];
# Delegate prefix
# dhcpPrefixDelegationConfig = {
# SubnetId = vlanCfg.id;
# };
# Provide a DNS resolver
# ipv6SendRAConfig = {
# Managed = true;
# EmitDNS = true;
# FIXME: this is not the true ipv6 of adguardhome DNS = globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6;
# FIXME: todo assign static additional to reservation in kea
# };
linkConfig.RequiredForOnline = "routable";
};
# Remaining macvtap interfaces should not be touched.
"90-macvtap-ignore" = {
matchConfig.Kind = "macvtap";
linkConfig.ActivationPolicy = "manual";
linkConfig.Unmanaged = "yes";
};
}
// lib.flip lib.concatMapAttrs globals.net.home-lan.vlans (
vlanName: vlanCfg: {
"30-vlan-${vlanName}" = {
matchConfig.Name = "vlan-${vlanName}";
# This interface should only be used from attached macvlans.
# So don't acquire a link local address and only wait for
# this interface to gain a carrier.
networkConfig.LinkLocalAddressing = "no";
networkConfig.MACVLAN = "me-${vlanName}";
linkConfig.RequiredForOnline = "carrier";
};
"40-me-${vlanName}" = {
address = [
vlanCfg.hosts.ward.cidrv4
vlanCfg.hosts.ward.cidrv6
];
matchConfig.Name = "me-${vlanName}";
networkConfig = {
IPv4Forwarding = "yes";
IPv6PrivacyExtensions = "yes";
IPv6SendRA = true;
IPv6AcceptRA = false;
# DHCPPrefixDelegation = true;
};
# dhcpPrefixDelegationConfig.UplinkInterface = "wan";
# dhcpPrefixDelegationConfig.Token = "::ff";
# Announce a static prefix
ipv6Prefixes = [
{ Prefix = vlanCfg.cidrv6; }
];
# Delegate prefix
# dhcpPrefixDelegationConfig = {
# SubnetId = vlanCfg.id;
# };
# Provide a DNS resolver
# ipv6SendRAConfig = {
# Managed = true;
# EmitDNS = true;
# FIXME: this is not the true ipv6 of adguardhome DNS = globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6;
# FIXME: todo assign static additional to reservation in kea
# };
linkConfig.RequiredForOnline = "routable";
};
}
);
);
networking.nftables = {
firewall = {
zones =
{
untrusted.interfaces = [ "wan" ];
proxy-home.interfaces = [ "proxy-home" ];
firezone.interfaces = [ "tun-firezone" ];
adguardhome.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4 ];
adguardhome.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6 ];
web-proxy.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv4 ];
web-proxy.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv6 ];
samba.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.sire-samba.ipv4 ];
samba.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.sire-samba.ipv6 ];
scanner-ads-4300n.ipv4Addresses = [
globals.net.home-lan.vlans.devices.hosts.scanner-ads-4300n.ipv4
];
scanner-ads-4300n.ipv6Addresses = [
globals.net.home-lan.vlans.devices.hosts.scanner-ads-4300n.ipv6
];
zones = {
untrusted.interfaces = [ "wan" ];
proxy-home.interfaces = [ "proxy-home" ];
firezone.interfaces = [ "tun-firezone" ];
adguardhome.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4 ];
adguardhome.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6 ];
web-proxy.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv4 ];
web-proxy.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv6 ];
samba.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.sire-samba.ipv4 ];
samba.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.sire-samba.ipv6 ];
scanner-ads-4300n.ipv4Addresses = [
globals.net.home-lan.vlans.devices.hosts.scanner-ads-4300n.ipv4
];
scanner-ads-4300n.ipv6Addresses = [
globals.net.home-lan.vlans.devices.hosts.scanner-ads-4300n.ipv6
];
}
// lib.flip lib.concatMapAttrs globals.net.home-lan.vlans (
vlanName: _: {
"vlan-${vlanName}".interfaces = [ "me-${vlanName}" ];
}
// lib.flip lib.concatMapAttrs globals.net.home-lan.vlans (
vlanName: _: {
"vlan-${vlanName}".interfaces = [ "me-${vlanName}" ];
}
);
);
rules = {
masquerade-internet = {
@ -280,6 +278,7 @@
verdict = "accept";
};
# FIXME: is this needed? conntrack should take care of it and we want to masquerade anyway
forward-outgoing-firezone-traffic = {
from = [ "vlan-services" ];
to = [ "firezone" ];
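Review bot: The new `FIXME` above `forward-outgoing-firezone-traffic` assumes conntrack makes the rule redundant, but an established/related accept only matches packets of flows that were already admitted, not the first packet of a new flow. If the forward chain drops by default (not visible in this hunk), removing the rule would block connections initiated from `vlan-services` towards `firezone`, and masquerading alone does not grant forwarding either. Once that is confirmed, I would replace the question with a comment that records the direction the rule serves, e.g. `# Needed for flows initiated from vlan-services to firezone; conntrack only covers replies.`. The rule body continues past the end of the hunk, and the rest of this section appears to be a formatting-only reindent.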


@ -48,6 +48,12 @@ in
'';
};
trustedProxies = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = "A list of trusted proxies. You must set this when you are using OIDC behind https, otherwise the generated redirect url will have the wrong url scheme.";
};
credentialsFile = lib.mkOption {
type = with lib.types; nullOr path;
default = null;
@ -69,20 +75,14 @@ in
'';
};
};
trustedProxies = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = "A list of trusted proxies. You must set this when you are using OIDC behind https, otherwise the generated redirect url will have the wrong url scheme.";
};
};
config = lib.mkIf cfg.enable {
systemd.services.mealie = {
description = "Mealie, a self hosted recipe manager and meal planner";
after = [ "network-online.target" ] ++ lib.optional cfg.database.createLocally "postgresql.service";
requires = lib.optional cfg.database.createLocally "postgresql.service";
after = [ "network-online.target" ] ++ lib.optional cfg.database.createLocally "postgresql.target";
requires = lib.optional cfg.database.createLocally "postgresql.target";
wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
@ -91,8 +91,9 @@ in
API_PORT = toString cfg.port;
BASE_URL = "http://localhost:${toString cfg.port}";
DATA_DIR = "/var/lib/mealie";
NLTK_DATA = pkgs.nltk-data.averaged_perceptron_tagger_eng;
} // (builtins.mapAttrs (_: toString) cfg.settings);
NLTK_DATA = pkgs.nltk-data.averaged-perceptron-tagger-eng;
}
// (builtins.mapAttrs (_: toString) cfg.settings);
serviceConfig = {
DynamicUser = true;
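Review bot: The `trustedProxies` description says when to set the option but not what a value looks like or what listing one implies. Sources in this list are presumably allowed to dictate the forwarded scheme and client address (the consuming code is outside the hunk), so the text should say to list only the reverse proxy's own address and never a catch-all range. Suggested wording: `description = "Addresses of reverse proxies whose forwarded headers are trusted. List only your own proxy; required for OIDC behind HTTPS so the redirect URL uses the right scheme.";`. The option block appears to be only moved in this commit, and the `options` set it sits in starts outside the hunk.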

Binary file not shown.