diff --git a/hosts/elisabeth/guests.nix b/hosts/elisabeth/guests.nix
index 8ad0345..7bae122 100644
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@@ -14,7 +14,7 @@
 paperlessdomain = "ppl.${config.secrets.secrets.global.domains.web}";
 immichdomain = "immich.${config.secrets.secrets.global.domains.web}";
 ollamadomain = "ollama.${config.secrets.secrets.global.domains.web}";
-ipOf = hostName: lib.net.cidr.host config.secrets.secrets.global.net.ips."${config.guests.${hostName}.nodeName}" config.secrets.secrets.global.net.privateSubnet;
+ipOf = hostName: lib.net.cidr.host config.secrets.secrets.global.net.ips."${config.guests.${hostName}.nodeName}" config.secrets.secrets.global.net.privateSubnetv4;
 in {
 services.nginx = {
 enable = true;
@@ -96,7 +96,8 @@ in {
 proxyWebsockets = true;
 };
 extraConfig = ''
-allow ${config.secrets.secrets.global.net.privateSubnet};
+allow ${config.secrets.secrets.global.net.privateSubnetv4};
+allow ${config.secrets.secrets.global.net.privateSubnetv6};
 deny all;
 '';
 };
@@ -117,7 +118,8 @@ in {
 proxyWebsockets = true;
 };
 extraConfig = ''
-allow ${config.secrets.secrets.global.net.privateSubnet};
+allow ${config.secrets.secrets.global.net.privateSubnetv4};
+allow ${config.secrets.secrets.global.net.privateSubnetv6};
 deny all;
 '';
 };
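Review bot: The LAN-only ACL is now a three-line `allow`/`allow`/`deny all` sequence copied verbatim into both `extraConfig` blocks (the `@@ -96` and `@@ -117` hunks), which is exactly the shape that drifts the next time a prefix is added; a single let-bound string such as `lanOnly = '' allow ${...privateSubnetv4}; allow ${...privateSubnetv6}; deny all; '';` used as `extraConfig = lanOnly;` in both locations keeps the two lists identical by construction. Separately, nginx matches these directives against the TCP peer address, so if `privateSubnetv6` is an ISP-delegated global prefix rather than a ULA, a prefix change makes the ACL fail closed silently for v6 clients while v4 keeps working; a comment on the allow line stating which kind of prefix is expected would save the next maintainer a debugging session. The enclosing `services.nginx.virtualHosts` attribute set and the `let` block defining `ipOf` start and end outside these hunks.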
@@ -201,11 +203,10 @@ in {
 systemd.network.networks."10-${config.guests.${guestName}.networking.mainLinkName}" = {
 DHCP = lib.mkForce "no";
 address = [
-(
-lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips."${config.guests.${guestName}.nodeName}" config.secrets.secrets.global.net.privateSubnet
-)
+(lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips."${config.guests.${guestName}.nodeName}" config.secrets.secrets.global.net.privateSubnetv4)
+(lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips."${config.guests.${guestName}.nodeName}" config.secrets.secrets.global.net.privateSubnetv6)
 ];
-gateway = [(lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnet)];
+gateway = [(lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4)];
 };
 }
 ];
diff --git a/hosts/elisabeth/net.nix b/hosts/elisabeth/net.nix
index d6134d4..37d0ebe 100644
--- a/hosts/elisabeth/net.nix
+++ b/hosts/elisabeth/net.nix
@@ -7,11 +7,18 @@
 inherit (config.secrets.secrets.local.networking) hostId;
 };
 systemd.network.networks = {
+"40-lan01" = {
+matchConfig.Name = "lan01";
+dhcpV6Config.UseDNS = false;
+dhcpV4Config.UseDNS = false;
+};
 "10-lan01" = {
-address = [(lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name} config.secrets.secrets.global.net.privateSubnet)];
-gateway = [(lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnet)];
+address = [(lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name} config.secrets.secrets.global.net.privateSubnetv4)];
+gateway = [(lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4)];
 #matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
 matchConfig.Name = "lan";
+dhcpV6Config.UseDNS = false;
+dhcpV4Config.UseDNS = false;
 networkConfig = {
 IPv6PrivacyExtensions = "yes";
 MulticastDNS = true;
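Review bot: The guest now gets a static address from `privateSubnetv6`, but `gateway` still lists only the v4 router, so off-link IPv6 traffic from the guest has no route unless a router advertisement supplies one — DHCP is forced off here and nothing in the hunk configures RA handling, so whether that happens is not visible from this change. If dual-stack reachability is the goal, the v6 counterpart of the existing convention is `(lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv6)` added to the `gateway` list; if the v6 address is deliberately link-only (for example so the nginx v6 `allow` can match guest traffic without giving guests v6 egress), a one-line comment saying so would stop the next reader from "fixing" it. The list this network definition belongs to begins outside the hunk.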
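Review bot: The `dhcpV4Config.UseDNS = false;` / `dhcpV6Config.UseDNS = false;` lines added to "10-lan01" appear to be inert: that unit configures a static `address` and `gateway` and never sets `DHCP=`, and systemd-networkd does not run a DHCP client unless `DHCP=` is enabled, so there is no lease whose DNS servers these options could suppress (the new "40-lan01" unit has the same shape). Given `IPv6PrivacyExtensions = "yes"` on this interface, the path that can still inject resolvers is the RDNSS option in router advertisements, which is governed by `ipv6AcceptRAConfig.UseDNS = false;` rather than the DHCP options — worth adding if the intent is to keep the local AdGuardHome as the only resolver. It would also help to note in a comment why "40-lan01" (matching `lan01`) exists alongside "10-lan01" (matching `lan`), since the commented-out MAC match suggests these are two views of the same NIC.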
@@ -23,9 +30,11 @@
 networks = {
 # redo the network cause the livesystem has macvlans
 "10-lan01" = {
-address = [(lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name} config.secrets.secrets.global.net.privateSubnet)];
-gateway = [(lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnet)];
+address = [(lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name} config.secrets.secrets.global.net.privateSubnetv4)];
+gateway = [(lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4)];
 matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
+dhcpV6Config.UseDNS = false;
+dhcpV4Config.UseDNS = false;
 networkConfig = {
 IPv6PrivacyExtensions = "yes";
 MulticastDNS = true;
diff --git a/modules/services/adguardhome.nix b/modules/services/adguardhome.nix
index d45ec09..9d8540c 100644
--- a/modules/services/adguardhome.nix
+++ b/modules/services/adguardhome.nix
@@ -11,13 +11,16 @@
 bind_port = 3000;
 bind_host = "0.0.0.0";
 dns = {
-bind_hosts = [(lib.net.cidr.host config.secrets.secrets.global.net.ips.${config.node.name} config.secrets.secrets.global.net.privateSubnet)];
+bind_hosts = [
+(lib.net.cidr.host config.secrets.secrets.global.net.ips.${config.node.name} config.secrets.secrets.global.net.privateSubnetv4)
+(lib.net.cidr.host config.secrets.secrets.global.net.ips.${config.node.name} config.secrets.secrets.global.net.privateSubnetv6)
+];
 anonymize_client_ip = false;
 upstream_dns = [
-"1.0.0.1"
-"2606:4700:4700::1111"
-"8.8.8.8"
-"2001:4860:4860::8844"
+"https://dns.google/dns-query"
+"https://dns.quad9.net/dns-query"
+"https://dns.cloudflare.com/dns-query"
+"https://doh.mullvad.net/dns-query"
 ];
 bootstrap_dns = [
 "1.0.0.1"
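Review bot: The resolver now also listens on this host's address in `privateSubnetv6`, and IPv6 addresses are not NATed, so if that prefix is a globally routable delegation rather than a ULA the new listener on port 53 is reachable from the internet unless the upstream router drops inbound 53 — nothing in this module restricts who may query it, and the `ratelimit` set further down in the file slows abuse but is not an access control. Adding `allowed_clients = [ config.secrets.secrets.global.net.privateSubnetv4 config.secrets.secrets.global.net.privateSubnetv6 ];` to this `dns` block makes the LAN-only property hold regardless of the perimeter, and a comment stating whether the v6 prefix is ULA or public would make the risk assessment reviewable. The move from plain upstreams to DoH is a clear improvement; note that `bootstrap_dns` is now on the critical path for every upstream, since each of the four entries is a hostname that must be resolved before the first encrypted query can be sent. The `bootstrap_dns` list itself continues past the end of this hunk.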
@@ -27,9 +30,9 @@
 ];
 };
 user_rules = [
-"||adguardhome.${config.secrets.secrets.global.domains.web}^$dnsrewrite=${lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth config.secrets.secrets.global.net.privateSubnet}"
-"||nc.${config.secrets.secrets.global.domains.web}^$dnsrewrite=${lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth config.secrets.secrets.global.net.privateSubnet}"
-"||fritz.box^$dnsrewrite=${lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnet}"
+"||adguardhome.${config.secrets.secrets.global.domains.web}^$dnsrewrite=${lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth config.secrets.secrets.global.net.privateSubnetv4}"
+"||nc.${config.secrets.secrets.global.domains.web}^$dnsrewrite=${lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth config.secrets.secrets.global.net.privateSubnetv4}"
+"||fritz.box^$dnsrewrite=${lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4}"
 ];
 dhcp.enabled = false;
 ratelimit = 60;
diff --git a/modules/services/immich.nix b/modules/services/immich.nix
index d120cee..86e67db 100644
--- a/modules/services/immich.nix
+++ b/modules/services/immich.nix
@@ -182,7 +182,7 @@ in {
 allowedTCPPorts = [2283];
 filterForward = true;
 extraForwardRules = ''
-ip saddr ${lib.net.cidr.host config.secrets.secrets.global.net.ips."elisabeth" config.secrets.secrets.global.net.privateSubnet} tcp dport 3001 accept
+ip saddr ${lib.net.cidr.host config.secrets.secrets.global.net.ips."elisabeth" config.secrets.secrets.global.net.privateSubnetv4} tcp dport 3001 accept
 iifname "podman1" oifname lan accept
 '';
 };
diff --git a/modules/services/nextcloud.nix b/modules/services/nextcloud.nix
index df3c80a..d0be2df 100644
--- a/modules/services/nextcloud.nix
+++ b/modules/services/nextcloud.nix
@@ -46,7 +46,7 @@ in {
 phpOptions."opcache.interned_strings_buffer" = "32";
 extraOptions = {
 default_phone_region = "DE";
-trusted_proxies = [(lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth config.secrets.secrets.global.net.privateSubnet)];
+trusted_proxies = [(lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth config.secrets.secrets.global.net.privateSubnetv4)];
 overwriteprotocol = "https";
 enabledPreviewProviders = [
 "OC\\Preview\\BMP"
diff --git a/modules/services/paperless.nix b/modules/services/paperless.nix
index c40d516..971589a 100644
--- a/modules/services/paperless.nix
+++ b/modules/services/paperless.nix
@@ -79,7 +79,7 @@ in {
 PAPERLESS_URL = "https://${paperlessdomain}";
 PAPERLESS_ALLOWED_HOSTS = paperlessdomain;
 PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessdomain}";
-PAPERLESS_TRUSTED_PROXIES = lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth config.secrets.secrets.global.net.privateSubnet;
+PAPERLESS_TRUSTED_PROXIES = lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth config.secrets.secrets.global.net.privateSubnetv4;
 # let nginx do all the compression
 PAPERLESS_ENABLE_COMPRESSION = false;
 
diff --git a/secrets/secrets.nix.age b/secrets/secrets.nix.age
index f0b3e73..7af5554 100644
Binary files a/secrets/secrets.nix.age and b/secrets/secrets.nix.age differ