feat: added local IPv6

This commit is contained in:
Patrick 2024-02-10 17:53:16 +01:00
parent 30bedae84c
commit eb1de17bc3
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
7 changed files with 35 additions and 22 deletions


@ -14,7 +14,7 @@
paperlessdomain = "ppl.${config.secrets.secrets.global.domains.web}";
immichdomain = "immich.${config.secrets.secrets.global.domains.web}";
ollamadomain = "ollama.${config.secrets.secrets.global.domains.web}";
ipOf = hostName: lib.net.cidr.host config.secrets.secrets.global.net.ips."${config.guests.${hostName}.nodeName}" config.secrets.secrets.global.net.privateSubnet;
ipOf = hostName: lib.net.cidr.host config.secrets.secrets.global.net.ips."${config.guests.${hostName}.nodeName}" config.secrets.secrets.global.net.privateSubnetv4;
in {
services.nginx = {
enable = true;
@ -96,7 +96,8 @@ in {
proxyWebsockets = true;
};
extraConfig = ''
allow ${config.secrets.secrets.global.net.privateSubnet};
allow ${config.secrets.secrets.global.net.privateSubnetv4};
allow ${config.secrets.secrets.global.net.privateSubnetv6};
deny all;
'';
};
@ -117,7 +118,8 @@ in {
proxyWebsockets = true;
};
extraConfig = ''
allow ${config.secrets.secrets.global.net.privateSubnet};
allow ${config.secrets.secrets.global.net.privateSubnetv4};
allow ${config.secrets.secrets.global.net.privateSubnetv6};
deny all;
'';
};
@ -201,11 +203,10 @@ in {
systemd.network.networks."10-${config.guests.${guestName}.networking.mainLinkName}" = {
DHCP = lib.mkForce "no";
address = [
(
lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips."${config.guests.${guestName}.nodeName}" config.secrets.secrets.global.net.privateSubnet
)
(lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips."${config.guests.${guestName}.nodeName}" config.secrets.secrets.global.net.privateSubnetv4)
(lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips."${config.guests.${guestName}.nodeName}" config.secrets.secrets.global.net.privateSubnetv6)
];
gateway = [(lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnet)];
gateway = [(lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4)];
};
}
];
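Review bot: In the last hunk of this section the guest's `address` list now carries both a v4 and a v6 host CIDR, but `gateway` still lists only `lib.net.cidr.host 1 … privateSubnetv4`, so the guest has an IPv6 address with no static IPv6 default route; with `DHCP = lib.mkForce "no"` that only works if router advertisements are accepted on the link, which this hunk does not show. If v6 egress from the guests is intended, add `(lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv6)` to the `gateway` list, otherwise a comment such as `# IPv6 route comes from RA; no static v6 gateway` would save the next reader the question. Note also that `ipOf` in the first hunk still resolves only the v4 address, so any consumer of it keeps trusting v4 peers only. The enclosing attribute set continues outside the hunk.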


@ -7,11 +7,18 @@
inherit (config.secrets.secrets.local.networking) hostId;
};
systemd.network.networks = {
"40-lan01" = {
matchConfig.Name = "lan01";
dhcpV6Config.UseDNS = false;
dhcpV4Config.UseDNS = false;
};
"10-lan01" = {
address = [(lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name} config.secrets.secrets.global.net.privateSubnet)];
gateway = [(lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnet)];
address = [(lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name} config.secrets.secrets.global.net.privateSubnetv4)];
gateway = [(lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4)];
#matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
matchConfig.Name = "lan";
dhcpV6Config.UseDNS = false;
dhcpV4Config.UseDNS = false;
networkConfig = {
IPv6PrivacyExtensions = "yes";
MulticastDNS = true;
@ -23,9 +30,11 @@
networks = {
# redo the network cause the livesystem has macvlans
"10-lan01" = {
address = [(lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name} config.secrets.secrets.global.net.privateSubnet)];
gateway = [(lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnet)];
address = [(lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name} config.secrets.secrets.global.net.privateSubnetv4)];
gateway = [(lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4)];
matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
dhcpV6Config.UseDNS = false;
dhcpV4Config.UseDNS = false;
networkConfig = {
IPv6PrivacyExtensions = "yes";
MulticastDNS = true;
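Review bot: The first hunk adds `matchConfig.Name = "lan";` to the unit keyed `"10-lan01"` together with a commented-out `#matchConfig.MACAddress = …` line, while the new `"40-lan01"` unit matches `lan01`; the key no longer describes what the unit matches and the dead MAC match is left behind without explanation. Either drop the commented line or replace it with a comment stating why the Name match is used here (the `# redo the network cause the livesystem has macvlans` remark in the second hunk suggests a reason, but it is not stated for this unit). Separately, both hunks still assign only the v4 `hostCidr` to this host while the guest configuration in this commit assigns v4 and v6; if services on this node are expected to bind or be reached over the new v6 subnet, the matching `privateSubnetv6` address needs to be added here too. Both `networkConfig` blocks continue outside the hunk.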


@ -11,13 +11,16 @@
bind_port = 3000;
bind_host = "0.0.0.0";
dns = {
bind_hosts = [(lib.net.cidr.host config.secrets.secrets.global.net.ips.${config.node.name} config.secrets.secrets.global.net.privateSubnet)];
bind_hosts = [
(lib.net.cidr.host config.secrets.secrets.global.net.ips.${config.node.name} config.secrets.secrets.global.net.privateSubnetv4)
(lib.net.cidr.host config.secrets.secrets.global.net.ips.${config.node.name} config.secrets.secrets.global.net.privateSubnetv6)
];
anonymize_client_ip = false;
upstream_dns = [
"1.0.0.1"
"2606:4700:4700::1111"
"8.8.8.8"
"2001:4860:4860::8844"
"https://dns.google/dns-query"
"https://dns.quad9.net/dns-query"
"https://dns.cloudflare.com/dns-query"
"https://doh.mullvad.net/dns-query"
];
bootstrap_dns = [
"1.0.0.1"
@ -27,9 +30,9 @@
];
};
user_rules = [
"||adguardhome.${config.secrets.secrets.global.domains.web}^$dnsrewrite=${lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth config.secrets.secrets.global.net.privateSubnet}"
"||nc.${config.secrets.secrets.global.domains.web}^$dnsrewrite=${lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth config.secrets.secrets.global.net.privateSubnet}"
"||fritz.box^$dnsrewrite=${lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnet}"
"||adguardhome.${config.secrets.secrets.global.domains.web}^$dnsrewrite=${lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth config.secrets.secrets.global.net.privateSubnetv4}"
"||nc.${config.secrets.secrets.global.domains.web}^$dnsrewrite=${lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth config.secrets.secrets.global.net.privateSubnetv4}"
"||fritz.box^$dnsrewrite=${lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4}"
];
dhcp.enabled = false;
ratelimit = 60;
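Review bot: `bind_hosts` in the first hunk now includes the node's address derived from `privateSubnetv6`, but none of the host network units touched by this commit assign a v6 address to `config.node.name`, so unless that address is configured elsewhere the DNS listener will fail to bind to a non-existent local address; worth confirming before merge. In the second hunk the `$dnsrewrite` rules for `adguardhome`, `nc` and `fritz.box` are rewritten to v4 only, so clients on the new v6 subnet that ask for AAAA get no local answer and fall through to the upstream resolvers; if v6 resolution of these names is wanted, add parallel rules using `lib.net.cidr.host … privateSubnetv6`, otherwise a comment such as `# rewrites are A-only on purpose; AAAA falls through to upstream` documents the choice. The `dns` attribute set starts and ends outside the hunks.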


@ -182,7 +182,7 @@ in {
allowedTCPPorts = [2283];
filterForward = true;
extraForwardRules = ''
ip saddr ${lib.net.cidr.host config.secrets.secrets.global.net.ips."elisabeth" config.secrets.secrets.global.net.privateSubnet} tcp dport 3001 accept
ip saddr ${lib.net.cidr.host config.secrets.secrets.global.net.ips."elisabeth" config.secrets.secrets.global.net.privateSubnetv4} tcp dport 3001 accept
iifname "podman1" oifname lan accept
'';
};
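Review bot: The forward rule at the changed line only matches `ip saddr` for elisabeth's v4 address, so the same peer arriving over the newly introduced v6 subnet is not covered and, with `filterForward = true`, its traffic to port 3001 is dropped. That is the safe failure mode, but if the proxy is expected to reach this service over v6 the rule needs an `ip6` counterpart: `ip6 saddr ${lib.net.cidr.host config.secrets.secrets.global.net.ips."elisabeth" config.secrets.secrets.global.net.privateSubnetv6} tcp dport 3001 accept`. The enclosing firewall attribute set continues outside the hunk.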


@ -46,7 +46,7 @@ in {
phpOptions."opcache.interned_strings_buffer" = "32";
extraOptions = {
default_phone_region = "DE";
trusted_proxies = [(lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth config.secrets.secrets.global.net.privateSubnet)];
trusted_proxies = [(lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth config.secrets.secrets.global.net.privateSubnetv4)];
overwriteprotocol = "https";
enabledPreviewProviders = [
"OC\\Preview\\BMP"


@ -79,7 +79,7 @@ in {
PAPERLESS_URL = "https://${paperlessdomain}";
PAPERLESS_ALLOWED_HOSTS = paperlessdomain;
PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessdomain}";
PAPERLESS_TRUSTED_PROXIES = lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth config.secrets.secrets.global.net.privateSubnet;
PAPERLESS_TRUSTED_PROXIES = lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth config.secrets.secrets.global.net.privateSubnetv4;
# let nginx do all the compression
PAPERLESS_ENABLE_COMPRESSION = false;

Binary file not shown.