feat: begin zackbiene rework
This commit is contained in:
parent
6ca8df1c30
commit
4e46105e5e
24 changed files with 100 additions and 95 deletions
|
@ -33,7 +33,7 @@
|
|||
};
|
||||
|
||||
# Connect safely via wireguard to skip authentication
|
||||
networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [nodes.sentinel.config.networking.providedDomains.influxdb];
|
||||
networking.hosts.${config.wireguard.proxy-home.ipv4} = [nodes.sentinel.config.networking.providedDomains.influxdb];
|
||||
meta.telegraf = {
|
||||
enable = true;
|
||||
influxdb2 = {
|
||||
|
|
|
@ -9,7 +9,7 @@
|
|||
in {
|
||||
wireguard.proxy-sentinel = {
|
||||
client.via = "sentinel";
|
||||
firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.adguardhome.settings.port];
|
||||
firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.adguardhome.port];
|
||||
};
|
||||
|
||||
nodes.sentinel = {
|
||||
|
@ -17,7 +17,7 @@ in {
|
|||
|
||||
services.nginx = {
|
||||
upstreams.adguardhome = {
|
||||
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.adguardhome.settings.port}" = {};
|
||||
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.adguardhome.port}" = {};
|
||||
extraConfig = ''
|
||||
zone adguardhome 64k;
|
||||
keepalive 2;
|
||||
|
@ -52,9 +52,9 @@ in {
|
|||
services.adguardhome = {
|
||||
enable = true;
|
||||
mutableSettings = false;
|
||||
host = "0.0.0.0";
|
||||
port = 3000;
|
||||
settings = {
|
||||
host = "0.0.0.0";
|
||||
port = 3000;
|
||||
dns = {
|
||||
# allowed_clients = [
|
||||
# ];
|
||||
|
|
|
@ -9,6 +9,13 @@
|
|||
dnsIp = net.cidr.host 3 lanCidrv4;
|
||||
webProxyIp = net.cidr.host 4 lanCidrv4;
|
||||
in {
|
||||
environment.persistence."/persist".directories = [
|
||||
{
|
||||
directory = "/var/lib/private/kea";
|
||||
mode = "0700";
|
||||
}
|
||||
];
|
||||
|
||||
# TODO make meta.kea module?
|
||||
# TODO reserve by default using assignIps algo?
|
||||
services.kea.dhcp4 = {
|
||||
|
|
|
@ -156,9 +156,6 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
# Allow accessing influx
|
||||
wireguard.proxy-sentinel.client.via = "sentinel";
|
||||
|
||||
#wireguard.home.server = {
|
||||
# host = todo # config.networking.fqdn;
|
||||
# port = 51192;
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
}: let
|
||||
inherit (config.repo.secrets.local) acme;
|
||||
sentinelCfg = nodes.sentinel.config;
|
||||
wardWebProxyCfg = nodes.ward-web-proxy.config;
|
||||
in {
|
||||
imports = [
|
||||
../../modules/optional/hardware/odroid-n2plus.nix
|
||||
|
@ -14,14 +15,14 @@ in {
|
|||
../../modules/optional/initrd-ssh.nix
|
||||
../../modules/optional/zfs.nix
|
||||
|
||||
./esphome.nix
|
||||
#./esphome.nix
|
||||
./fs.nix
|
||||
./home-assistant.nix
|
||||
./hostapd.nix
|
||||
./mosquitto.nix
|
||||
#./home-assistant.nix
|
||||
#./hostapd.nix
|
||||
#./mosquitto.nix
|
||||
./kea.nix
|
||||
./net.nix
|
||||
./zigbee2mqtt.nix
|
||||
#./zigbee2mqtt.nix
|
||||
];
|
||||
|
||||
topology.self.name = "🥔 zackbiene"; # yes this is 2x U+2009, don't ask (satori 🤬).
|
||||
|
@ -47,7 +48,12 @@ in {
|
|||
};
|
||||
|
||||
# Connect safely via wireguard to skip http authentication
|
||||
networking.hosts.${sentinelCfg.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.networking.providedDomains.influxdb];
|
||||
networking.hosts.${
|
||||
if config.wireguard ? proxy-home
|
||||
then wardWebProxyCfg.wireguard.proxy-home.ipv4
|
||||
else sentinelCfg.wireguard.proxy-sentinel.ipv4
|
||||
} = [sentinelCfg.networking.providedDomains.influxdb];
|
||||
|
||||
meta.telegraf = {
|
||||
enable = true;
|
||||
influxdb2 = {
|
||||
|
|
|
@ -4,8 +4,15 @@
|
|||
...
|
||||
}: let
|
||||
inherit (lib) net;
|
||||
iotCidrv4 = "10.0.90.0/24";
|
||||
iotCidrv4 = "10.0.90.0/24"; # FIXME: make all subnet allocations accessible via global.net or smth
|
||||
in {
|
||||
environment.persistence."/persist".directories = [
|
||||
{
|
||||
directory = "/var/lib/private/kea";
|
||||
mode = "0700";
|
||||
}
|
||||
];
|
||||
|
||||
services.kea.dhcp4 = {
|
||||
enable = true;
|
||||
settings = {
|
||||
|
@ -14,13 +21,18 @@ in {
|
|||
persist = true;
|
||||
type = "memfile";
|
||||
};
|
||||
valid-lifetime = 4000;
|
||||
renew-timer = 1000;
|
||||
rebind-timer = 2000;
|
||||
valid-lifetime = 86400;
|
||||
renew-timer = 3600;
|
||||
interfaces-config = {
|
||||
interfaces = ["wlan1"];
|
||||
service-sockets-max-retries = -1;
|
||||
};
|
||||
option-data = [
|
||||
{
|
||||
name = "domain-name-servers";
|
||||
data = "192.168.1.3"; # FIXME: global (also search for 192.168 and "*Ip =")
|
||||
}
|
||||
];
|
||||
subnet4 = [
|
||||
{
|
||||
interface = "wlan1";
|
||||
|
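Review bot: The `domain-name-servers` option at `data = "192.168.1.3"` hands IoT clients on `iotCidrv4 = "10.0.90.0/24"` a resolver that lives outside their own subnet, so DNS on wlan1 only works if the firewall lets iot traffic reach that host on port 53; the nftables rules added later in this commit appear to accept only lan→iot, not the reverse. If the resolver is meant to stay on the LAN side, add a narrowly scoped iot→lan rule for that address and port (and document it next to the existing FIXME), otherwise hand out a resolver inside the IoT subnet. The `services.kea.dhcp4` attribute set continues past the end of the hunk.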
|
|
@ -8,8 +8,8 @@
|
|||
in {
|
||||
networking.hostId = config.repo.secrets.local.networking.hostId;
|
||||
|
||||
wireguard.proxy-sentinel = {
|
||||
client.via = "sentinel";
|
||||
wireguard.proxy-home = {
|
||||
client.via = "ward";
|
||||
};
|
||||
|
||||
boot.initrd.systemd.network = {
|
||||
|
@ -51,6 +51,27 @@ in {
|
|||
};
|
||||
|
||||
networking.nftables.firewall = {
|
||||
zones.untrusted.interfaces = ["lan1"];
|
||||
snippets.nnf-icmp.ipv6Types = ["mld-listener-query" "nd-router-solicit"];
|
||||
|
||||
zones = {
|
||||
untrusted.interfaces = ["lan1"];
|
||||
lan.interfaces = ["lan1"];
|
||||
iot.interfaces = ["wlan1"];
|
||||
};
|
||||
|
||||
rules = {
|
||||
masquerade-iot = {
|
||||
from = ["lan"];
|
||||
to = ["iot"];
|
||||
masquerade = true;
|
||||
};
|
||||
|
||||
outbound = {
|
||||
from = ["lan"];
|
||||
to = ["iot"];
|
||||
late = true; # Only accept after any rejects have been processed
|
||||
verdict = "accept";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
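Review bot: `lan1` is placed in both the `untrusted` and the `lan` zone (`untrusted.interfaces = ["lan1"];` directly followed by `lan.interfaces = ["lan1"];`), so any packet arriving on lan1 also matches the `lan` zone and the `outbound` rule accepts it into `iot` with masquerading; if lan1 is the upstream side, hosts on the untrusted network can reach the IoT devices, and the masquerade hides their real source address from anything logging on the IoT side. If the two zones are meant to be distinct, give `lan` its own interface (or VLAN/bridge) and keep lan1 only in `untrusted`; if they are deliberately the same segment, say so in place, e.g. `# lan1 intentionally serves as both upstream and trusted LAN`, so the next reader does not take it for a typo. If the `snippets.nnf-icmp.ipv6Types` line is indeed dropped by this hunk, confirm that is intended, since the IPv6 neighbour/MLD traffic it allowed may still be needed on the new zones.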
|