diff --git a/config/services/adguardhome.nix b/config/services/adguardhome.nix
index d586715..67365f2 100644
--- a/config/services/adguardhome.nix
+++ b/config/services/adguardhome.nix
@@ -13,12 +13,7 @@
 settings = {
 dns = {
 bind_hosts = [
- (lib.net.cidr.host config.secrets.secrets.global.net.ips.${config.node.name}
- config.secrets.secrets.global.net.privateSubnetv4
- )
- (lib.net.cidr.host config.secrets.secrets.global.net.ips.${config.node.name}
- config.secrets.secrets.global.net.privateSubnetv6
- )
+ "0.0.0.0"
 ];
 anonymize_client_ip = false;
 upstream_dns = [
diff --git a/flake.lock b/flake.lock
index 112b0b5..c3996f8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1556,12 +1556,13 @@
 "pre-commit-hooks": "pre-commit-hooks_4"
 },
 "locked": {
- "lastModified": 1734380654,
- "narHash": "sha256-YrJ4vz6fbz5Sz7H6mdFsqaqEkLVOJUnrUi6swiYbmc4=",
- "owner": "oddlama",
- "repo": "nixos-extra-modules",
- "rev": "da6945497bb3e6a2baf3d783c12d780ea8c4b5ea",
- "type": "github"
+ "lastModified": 1734643696,
+ "narHash": "sha256-W5JSWhhThI9erzhZmpHy1gZGwSxEGPKYmOUBEXH/WGA=",
+ "ref": "refs/heads/main",
+ "rev": "6a4736e0773a1852b0b6c5f71cbe96dd39c3caf1",
+ "revCount": 40,
+ "type": "git",
+ "url": "file:///home/patrick/repos/nix/nixos-extra-modules"
 },
 "original": {
 "owner": "oddlama",
diff --git a/hosts/elisabeth/guests.nix b/hosts/elisabeth/guests.nix
index a044d01..5a53f0c 100644
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
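Review bot: Replacing the two computed host addresses with `"0.0.0.0"` makes AdGuard Home's DNS listener bind every IPv4 address the guest has rather than only its private-subnet address, and it silently drops the IPv6 listener that the removed `privateSubnetv6` entry provided. Reachability of port 53 is now decided entirely by the nftables zone assignment in the host guest definitions, so if the wildcard is deliberate it should be stated and the v6 choice made explicit, e.g. `bind_hosts = [ "0.0.0.0" "::" ];` with a comment such as `# wildcard bind: the guest is expected to have a single service link; the firewall zone limits who can reach it`. The `settings` attrset this hunk edits begins before the hunk.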
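Review bot: The `nixos-extra-modules` lock entry now records `"type": "git"` with `"url": "file:///home/patrick/repos/nix/nixos-extra-modules"` while `original` still names the GitHub `oddlama` input, so the lockfile no longer pins a revision that any other machine or CI runner can fetch or verify; the `narHash` describes a local working tree whose contents nothing outside this host can reproduce. This looks like a development override that leaked into the committed lock. Re-lock against the upstream GitHub source once the required change is published, or, if the override is intentional, declare it in the flake inputs rather than carrying it only in `flake.lock`.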
@@ -219,23 +219,11 @@ in
 ../../config/services/${guestName}.nix
 {
 node.secretsDir = config.node.secretsDir + "/${guestName}";
- networking.nftables.firewall.zones.untrusted.interfaces = [
- config.guests.${guestName}.networking.mainLinkName
- ];
- systemd.network.networks."10-${config.guests.${guestName}.networking.mainLinkName}" = {
- DHCP = lib.mkForce "no";
- address = [
- (lib.net.cidr.hostCidr
- config.secrets.secrets.global.net.ips."${config.guests.${guestName}.nodeName}"
- config.secrets.secrets.global.net.privateSubnetv4
- )
- (lib.net.cidr.hostCidr
- config.secrets.secrets.global.net.ips."${config.guests.${guestName}.nodeName}"
- config.secrets.secrets.global.net.privateSubnetv6
- )
- ];
- gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ];
- };
+ networking.nftables.firewall.zones.untrusted.interfaces =
+ if lib.length config.guests.${guestName}.networking.links < 2 then
+ config.guests.${guestName}.networking.links
+ else
+ [ ];
 }
 ];
 };
@@ -245,7 +233,7 @@ in
 backend = "microvm";
 microvm = {
 system = "x86_64-linux";
- macvtap = "lan";
+ interfaces."lan" = { };
 baseMac = config.secrets.secrets.local.networking.interfaces.lan01.mac;
 };
 extraSpecialArgs = {
@@ -259,7 +247,7 @@ in
 mkContainer = guestName: cfg: {
 ${guestName} = mkGuest guestName cfg // {
 backend = "container";
- container.macvlan = "lan";
+ container.macvlans = [ "lan" ];
 extraSpecialArgs = {
 inherit
 lib
diff --git a/hosts/nucnix/guests.nix b/hosts/nucnix/guests.nix
index 04e25f4..624a2d4 100644
--- a/hosts/nucnix/guests.nix
+++ b/hosts/nucnix/guests.nix
@@ -114,7 +114,7 @@ in
 guests =
 let
- mkGuest = guestName: {
+ mkGuest = guestName: _: {
 autostart = true;
 zfs."/state" = {
 pool = "rpool";
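Review bot: The new conditional assigns `[ ]` to `zones.untrusted.interfaces` whenever a guest has two or more links, so a multi-homed guest ends up with none of its interfaces classified as untrusted, which silently loosens the firewall compared with the removed unconditional rule. If multi-link guests are meant to declare zones themselves, failing loudly is safer than defaulting to nothing, e.g. `assert lib.length config.guests.${guestName}.networking.links < 2;` before the assignment, or simply classify all links: `networking.nftables.firewall.zones.untrusted.interfaces = config.guests.${guestName}.networking.links;`. The static address, gateway and `DHCP = lib.mkForce "no"` settings are dropped here, presumably handled by the updated nixos-extra-modules input; that should be confirmed since the hunk itself no longer assigns the guest an address. The `mkGuest` function containing this hunk starts before it.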
@@ -129,12 +129,11 @@ in ../../config/services/${guestName}.nix { node.secretsDir = config.node.secretsDir + "/${guestName}"; - networking.nftables.firewall.zones.untrusted.interfaces = [ - config.guests.${guestName}.networking.mainLinkName - ]; - systemd.network.networks."10-${config.guests.${guestName}.networking.mainLinkName}" = { - DHCP = "yes"; - }; + networking.nftables.firewall.zones.untrusted.interfaces = + if lib.length config.guests.${guestName}.networking.links < 2 then + config.guests.${guestName}.networking.links + else + [ ]; } ]; }; @@ -155,21 +154,27 @@ in }; }; - mkContainer = guestName: cfg: { - ${guestName} = mkGuest guestName cfg // { - backend = "container"; - container.macvlan = "lan"; - extraSpecialArgs = { - inherit - lib - nodes - inputs - minimal - stateVersion - ; + mkContainer = + guestName: + { + macvlans ? [ "lan-services" ], + ... + }@cfg: + { + ${guestName} = mkGuest guestName cfg // { + backend = "container"; + container.macvlans = macvlans; + extraSpecialArgs = { + inherit + lib + nodes + inputs + minimal + stateVersion + ; + }; }; }; - }; in - { }; + { } // mkContainer "adguardhome" { macvlans = [ "lan-services" ]; }; } diff --git a/secrets/wireguard/elisabeth/keys/nucnix-adguardhome.age b/secrets/wireguard/elisabeth/keys/nucnix-adguardhome.age new file mode 100644 index 0000000..ec388f9 Binary files /dev/null and b/secrets/wireguard/elisabeth/keys/nucnix-adguardhome.age differ diff --git a/secrets/wireguard/elisabeth/keys/nucnix-adguardhome.pub b/secrets/wireguard/elisabeth/keys/nucnix-adguardhome.pub new file mode 100644 index 0000000..fcabb70 --- /dev/null +++ b/secrets/wireguard/elisabeth/keys/nucnix-adguardhome.pub @@ -0,0 +1 @@ +F3tFnEGn58ahB2p4hI4xFRfwyK7SU3+Dx598DcLAQlA= diff --git a/secrets/wireguard/elisabeth/psks/elisabeth+nucnix-adguardhome.age b/secrets/wireguard/elisabeth/psks/elisabeth+nucnix-adguardhome.age new file mode 100644 index 0000000..f3e2bda --- /dev/null 
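Review bot: This hunk repeats the same `if lib.length ... links < 2 then links else [ ]` firewall rule that `hosts/elisabeth/guests.nix` introduces in this commit, with the same consequence that a guest with two or more links gets no interface in the `untrusted` zone and so falls outside the restrictive default. Defining the zone policy once in a shared helper (or in the module that now owns guest networking) would keep both hosts consistent and give one place to attach the comment `# guests with more than one link must classify their interfaces explicitly`, or better, an assertion that makes the omission a build error. The removed `DHCP = "yes"` leaves this hunk without any address configuration for the guest's link, which is presumably now provided elsewhere and worth verifying for the `lan-services` macvlan the adguardhome container is attached to. The surrounding `mkGuest` definition starts before the hunk.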
+++ b/secrets/wireguard/elisabeth/psks/elisabeth+nucnix-adguardhome.age @@ -0,0 +1,16 @@ +age-encryption.org/v1 +-> X25519 SaIhuXPtLjcLt1Bmbbmx8WaluLUtJRGS6Ehu641msW0 +3Jyo1+XU0WVEsndNWFadBOcbE2TD7akuyyocxnzXcsU +-> piv-p256 ZFgiIw At2NriI63IhtpOKPqROmstH/t/kIMbXwWD/pKijLGdsd +yTUXG+ZeR9451nnGg5Nevhf6ES2tL6GpsTgNriNpg0Q +-> piv-p256 XTQkUA A9BJKAQ8L6ZjMm8W087HhkLNticb/Ddr7eiv/cI0guis +qPgkfSrq1RtZYCjXgujchhm1M9cW9boWrxCLhwoN/1c +-> piv-p256 ZFgiIw AzR6JgDfdmALfrIMrk43Fskz3ANKkSHz9bKlW2OF5T/P +k/vh/K8fmyCGQkoMvNf02b9KB0CZqMLu5RZc9yj1wRE +-> piv-p256 5vmPtQ AxioglXD0p1v6ZepKafFLW49RG3CUyl4lxjagpkUuI0H +3/XzPXIV1S7kuTICI0fD+Y2lCjSwcSPwrH9YfkPIyDI +-> #8D3.~O-grease [Gk GcS +wuRoJDrp0TmHzMmIEyPkSe4N9ITWjxfMbqQJSxn4rWH4wE+YAbXmJE+Ujtecupnf +xmymVCCVP5Cvmnx/KrXVVsyxKaLtiYcAnqHvTsmQgQR1LbuV9FB/tw +--- v0LwqJa53xUGcC7NIzI1UwACS8kGzRaMOsf0HIF6X2A +Ékv?V"0nd" ;QHS򂫿T^I*(>ӅbWmBL-, \ No newline at end of file