sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: finish vlan setup

Browse source
This commit is contained in:
oddlama 2024-12-20 01:05:17 +01:00
parent d0448757bf
commit 297d19fa0c
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
16 changed files with 115 additions and 100 deletions
Download patch file Download diff file Expand all files Collapse all files

6
hosts/sire/default.nix
View file

@ -95,7 +95,9 @@
{
node.secretsDir = ./secrets/${guestName};
networking.nftables.firewall = {
zones.untrusted.interfaces = [ config.guests.${guestName}.networking.mainLinkName ];
zones.untrusted.interfaces = lib.mkIf (
lib.length config.guests.${guestName}.networking.links == 1
) config.guests.${guestName}.networking.links;
};
}
];
@ -106,8 +108,8 @@
backend = "microvm";
microvm = {
system = "x86_64-linux";
macvtap = "lan";
baseMac = config.repo.secrets.local.networking.interfaces.lan.mac;
interfaces.lan = { };
};
extraSpecialArgs = {
inherit (inputs.self) nodes globals;

30
hosts/sire/guests/grafana.nix
View file

@ -65,12 +65,13 @@ in
group = "influxdb2";
};
services.influxdb2.provision.organizations.machines.auths."grafana machines:telegraf (${config.node.name})" = {
readBuckets = [ "telegraf" ];
writeBuckets = [ "telegraf" ];
tokenFile =
nodes.sire-influxdb.config.age.secrets."grafana-influxdb-token-machines-${config.node.name}".path;
};
services.influxdb2.provision.organizations.machines.auths."grafana machines:telegraf (${config.node.name})" =
{
readBuckets = [ "telegraf" ];
writeBuckets = [ "telegraf" ];
tokenFile =
nodes.sire-influxdb.config.age.secrets."grafana-influxdb-token-machines-${config.node.name}".path;
};
age.secrets."grafana-influxdb-token-home-${config.node.name}" = {
inherit (config.age.secrets.grafana-influxdb-token-home) rekeyFile;
@ -78,12 +79,13 @@ in
group = "influxdb2";
};
services.influxdb2.provision.organizations.home.auths."grafana home:home_assistant (${config.node.name})" = {
readBuckets = [ "home_assistant" ];
writeBuckets = [ "home_assistant" ];
tokenFile =
nodes.sire-influxdb.config.age.secrets."grafana-influxdb-token-home-${config.node.name}".path;
};
services.influxdb2.provision.organizations.home.auths."grafana home:home_assistant (${config.node.name})" =
{
readBuckets = [ "home_assistant" ];
writeBuckets = [ "home_assistant" ];
tokenFile =
nodes.sire-influxdb.config.age.secrets."grafana-influxdb-token-home-${config.node.name}".path;
};
};
globals.services.grafana.domain = grafanaDomain;
@ -144,8 +146,8 @@ in
proxyWebsockets = true;
};
extraConfig = ''
allow ${globals.net.home-lan.cidrv4};
allow ${globals.net.home-lan.cidrv6};
allow ${globals.net.home-lan.vlans.services.cidrv4};
allow ${globals.net.home-lan.vlans.services.cidrv6};
deny all;
'';
};

4
hosts/sire/guests/immich.nix
View file

@ -249,8 +249,8 @@ in
proxy_read_timeout 600s;
proxy_send_timeout 600s;
send_timeout 600s;
allow ${globals.net.home-lan.cidrv4};
allow ${globals.net.home-lan.cidrv6};
allow ${globals.net.home-lan.vlans.services.cidrv4};
allow ${globals.net.home-lan.vlans.services.cidrv6};
deny all;
'';
};

4
hosts/sire/guests/paperless.nix
View file

@ -79,8 +79,8 @@ in
useACMEWildcardHost = true;
extraConfig = ''
client_max_body_size 512M;
allow ${globals.net.home-lan.cidrv4};
allow ${globals.net.home-lan.cidrv6};
allow ${globals.net.home-lan.vlans.services.cidrv4};
allow ${globals.net.home-lan.vlans.services.cidrv6};
deny all;
'';
locations."/" = {

7
hosts/sire/guests/samba.nix
View file

@ -148,9 +148,9 @@ in
};
globals.monitoring.tcp.samba = {
host = globals.net.home-lan.hosts.sire-samba.ipv4;
host = globals.net.home-lan.vlans.services.hosts.sire-samba.ipv4;
port = 445;
network = "home-lan";
network = "home-lan.vlans.services";
};
services.samba = {
@ -179,7 +179,8 @@ in
# Deny access to all hosts by default.
"hosts deny" = "0.0.0.0/0";
# Allow access to local network and TODO: wireguard
"hosts allow" = "${globals.net.home-lan.cidrv4} ${globals.net.home-lan.cidrv6}";
"hosts allow" =
"${globals.net.home-lan.vlans.services.cidrv4} ${globals.net.home-lan.vlans.services.cidrv6}";
# Don't advertise inaccessible shares to users
"access based share enum" = "yes";

14
hosts/sire/net.nix
View file

@ -8,16 +8,16 @@
networking.hostId = config.repo.secrets.local.networking.hostId;
globals.monitoring.ping.sire = {
hostv4 = lib.net.cidr.ip globals.net.home-lan.hosts.sire.cidrv4;
hostv6 = lib.net.cidr.ip globals.net.home-lan.hosts.sire.cidrv6;
network = "home-lan";
hostv4 = lib.net.cidr.ip globals.net.home-lan.vlans.services.hosts.sire.cidrv4;
hostv6 = lib.net.cidr.ip globals.net.home-lan.vlans.services.hosts.sire.cidrv6;
network = "home-lan.vlans.services";
};
boot.initrd.systemd.network = {
enable = true;
networks."10-lan" = {
address = [ globals.net.home-lan.hosts.sire.cidrv4 ];
gateway = [ globals.net.home-lan.hosts.ward.ipv4 ];
address = [ globals.net.home-lan.vlans.services.hosts.sire.cidrv4 ];
gateway = [ globals.net.home-lan.vlans.services.hosts.ward.ipv4 ];
matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac;
networkConfig = {
IPv6PrivacyExtensions = "yes";
@ -54,8 +54,8 @@
'';
};
"20-lan-self" = {
address = [ globals.net.home-lan.hosts.sire.cidrv4 ];
gateway = [ globals.net.home-lan.hosts.ward.ipv4 ];
address = [ globals.net.home-lan.vlans.services.hosts.sire.cidrv4 ];
gateway = [ globals.net.home-lan.vlans.services.hosts.ward.ipv4 ];
matchConfig.Name = "lan-self";
networkConfig = {
IPv6PrivacyExtensions = "yes";