patrick/nix-config
1
1
Fork 0
Code Issues Pull requests Projects Wiki Activity

Compare commits

base: patrick:053365c2770e4881f15609545431d058dd8e359e
Branches Tags
patrick:master
...
compare: patrick:268bd66c76e7ce1bf7d587b68ee794c465f5f40f
Branches Tags
patrick:master

4 commits
053365c277 ... 268bd66c76

Author SHA1 Message Date
Patrick 268bd66c76
feat: cleaner port forwarding 2024-12-22 00:10:37 +01:00
Patrick 65e207d999
feat: port forwarding 2024-12-21 23:32:42 +01:00
Patrick 9347751df7
feat: dns for vlans 2024-12-21 20:57:16 +01:00
Patrick 5d1bc8cf67
chore: support static ips 2024-12-21 14:06:00 +01:00
9 changed files with 250 additions and 69 deletions
Show stats Expand all files Collapse all files

15
config/services/adguardhome.nix
View file

@ -1,4 +1,9 @@
{ config, ... }: {
config,
lib,
globals,
...
}:
{ {
wireguard.services = { wireguard.services = {
client.via = "nucnix"; client.via = "nucnix";
@ -30,11 +35,9 @@
]; ];
}; };
user_rules = [ user_rules = [
# "||adguardhome.${config.secrets.secrets.global.domains.web}^$dnsrewrite=${lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth config.secrets.secrets.global.net.privateSubnetv4}" "||${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host globals.services.nginx.ip globals.net.vlans.home.cidrv4}"
# "||nc.${config.secrets.secrets.global.domains.web}^$dnsrewrite=${lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth config.secrets.secrets.global.net.privateSubnetv4}" "||${globals.services.samba.domain}^$dnsrewrite=${lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4}"
# "||immich.${config.secrets.secrets.global.domains.web}^$dnsrewrite=${lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth config.secrets.secrets.global.net.privateSubnetv4}" "||fritz.box^$dnsrewrite=${lib.net.cidr.host 1 "10.99.2.0/24"}"
# "||smb.${config.secrets.secrets.global.domains.web}^$dnsrewrite=${lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth-samba config.secrets.secrets.global.net.privateSubnetv4}"
# "||fritz.box^$dnsrewrite=${lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4}"
]; ];
dhcp.enabled = false; dhcp.enabled = false;
ratelimit = 60; ratelimit = 60;

24
globals.nix
View file

@ -49,10 +49,12 @@ in
adguardhome = { adguardhome = {
domain = "adguardhome.${globals.domains.web}"; domain = "adguardhome.${globals.domains.web}";
host = "nucnix-adguardhome"; host = "nucnix-adguardhome";
ip = 10;
}; };
forgejo = { forgejo = {
domain = "forge.${globals.domains.web}"; domain = "forge.${globals.domains.web}";
host = "elisabeth-forgejo"; host = "elisabeth-forgejo";
ip = 13;
}; };
immich = { immich = {
domain = "immich.${globals.domains.web}"; domain = "immich.${globals.domains.web}";
@ -84,7 +86,7 @@ in
}; };
apispotify = { apispotify = {
domain = "apisptfy.${globals.domains.web}"; domain = "apisptfy.${globals.domains.web}";
host = "elisabeth-apispotify"; host = "elisabeth-yourspotify";
}; };
kanidm = { kanidm = {
domain = "auth.${globals.domains.web}"; domain = "auth.${globals.domains.web}";
@ -117,6 +119,26 @@ in
netbird = { netbird = {
domain = "netbird.${globals.domains.web}"; domain = "netbird.${globals.domains.web}";
host = "elisabeth-netbird"; host = "elisabeth-netbird";
ip = 16;
};
nginx = {
domain = globals.domains.web;
host = "nucnix-nginx";
ip = 5;
};
samba = {
domain = "smb.${globals.domains.web}";
host = "elisabeth-samba";
ip = 12;
};
ddclient = {
domain = "";
host = "elisabeth-ddclient";
};
murmur = {
domain = "ts.${globals.domains.web}";
host = "elisabeth-murmur";
ip = 9;
}; };
}; };
}; };

32
hosts/elisabeth/guests.nix
View file

@ -1,5 +1,6 @@
{ {
config, config,
globals,
stateVersion, stateVersion,
inputs, inputs,
lib, lib,
@ -17,6 +18,7 @@
enableRenaultFT ? false, enableRenaultFT ? false,
enableBunker ? false, enableBunker ? false,
enableSharedPaperless ? false, enableSharedPaperless ? false,
vlans ? [ "services" ],
... ...
}: }:
{ {
@ -54,6 +56,25 @@
networking.nftables.firewall.zones.untrusted.interfaces = lib.mkIf ( networking.nftables.firewall.zones.untrusted.interfaces = lib.mkIf (
lib.length config.guests.${guestName}.networking.links == 1 lib.length config.guests.${guestName}.networking.links == 1
) config.guests.${guestName}.networking.links; ) config.guests.${guestName}.networking.links;
systemd.network.networks = lib.mkIf (globals.services.${guestName}.ip != null) (
lib.listToAttrs (
lib.flip map vlans (
name:
lib.nameValuePair "09-mv-${name}" {
matchConfig.Name = "mv-${name}";
DHCP = "no";
address = [
(lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv4)
(lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv6)
];
gateway = [
(lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv4)
(lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv6)
];
}
)
)
);
} }
]; ];
}; };
@ -74,10 +95,16 @@
}; };
}; };
mkContainer = guestName: cfg: { mkContainer =
guestName:
{
vlans ? [ "services" ],
...
}@cfg:
{
${guestName} = mkGuest guestName cfg // { ${guestName} = mkGuest guestName cfg // {
backend = "container"; backend = "container";
container.macvlans = [ "lan-services" ]; container.macvlans = lib.flip map vlans (x: "lan-${x}:mv-${x}");
extraSpecialArgs = { extraSpecialArgs = {
inherit (inputs.self) nodes globals; inherit (inputs.self) nodes globals;
inherit (inputs.self.pkgs.x86_64-linux) lib; inherit (inputs.self.pkgs.x86_64-linux) lib;
@ -110,5 +137,6 @@
enableRenaultFT = true; enableRenaultFT = true;
enableBunker = true; enableBunker = true;
enableSharedPaperless = true; enableSharedPaperless = true;
vlans = [ "home" ];
}; };
} }

79
hosts/nucnix/forwarding.nix Normal file
View file

@ -0,0 +1,79 @@
{ globals, lib, ... }:
let
inherit (lib)
concatStringsSep
net
toUpper
mkMerge
;
forward =
{
service,
ports,
protocol,
...
}:
{
networking.nftables = {
chains = {
prerouting.port-forward = {
after = [ "hook" ];
rules = [
"iifname lan-fritz ${protocol} dport { ${concatStringsSep ", " (map toString ports)} } dnat ip to ${
net.cidr.host globals.services.${service}.ip globals.net.vlans.services.cidrv4
}"
"iifname lan-fritz ${protocol} dport { ${concatStringsSep ", " (map toString ports)} } dnat ip6 to ${
net.cidr.host globals.services.${service}.ip globals.net.vlans.services.cidrv6
}"
];
};
};
firewall = {
zones = {
${service}.ipv4Addresses = [
(lib.net.cidr.host globals.services.${service}.ip globals.net.vlans.services.cidrv4)
];
};
rules = {
"forward-${service}" = {
from = [ "fritz" ];
to = [ service ];
"allowed${toUpper protocol}Ports" = ports;
};
};
};
};
};
in
mkMerge [
(forward {
service = "nginx";
ports = [
80
443
];
protocol = "tcp";
})
(forward {
service = "forgejo";
ports = [
9922
];
protocol = "tcp";
})
(forward {
service = "murmur";
ports = [
9987
];
protocol = "udp";
})
(forward {
service = "netbird";
ports = [
3478
5349
];
protocol = "udp";
})
]

45
hosts/nucnix/guests.nix
View file

@ -1,6 +1,7 @@
{ {
config, config,
stateVersion, stateVersion,
globals,
inputs, inputs,
lib, lib,
minimal, minimal,
@ -9,7 +10,13 @@
{ {
guests = guests =
let let
mkGuest = guestName: _: { mkGuest =
guestName:
{
vlans ? [ "services" ],
...
}:
{
autostart = true; autostart = true;
zfs."/state" = { zfs."/state" = {
pool = "rpool"; pool = "rpool";
@ -27,6 +34,25 @@
networking.nftables.firewall.zones.untrusted.interfaces = lib.mkIf ( networking.nftables.firewall.zones.untrusted.interfaces = lib.mkIf (
lib.length config.guests.${guestName}.networking.links == 1 lib.length config.guests.${guestName}.networking.links == 1
) config.guests.${guestName}.networking.links; ) config.guests.${guestName}.networking.links;
systemd.network.networks = lib.mkIf (globals.services.${guestName}.ip != null) (
lib.listToAttrs (
lib.flip map vlans (
name:
lib.nameValuePair "09-mv-${name}" {
matchConfig.Name = "mv-${name}";
DHCP = "no";
address = [
(lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv4)
(lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv6)
];
gateway = [
(lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv4)
(lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv6)
];
}
)
)
);
} }
]; ];
}; };
@ -36,7 +62,7 @@
backend = "microvm"; backend = "microvm";
microvm = { microvm = {
system = "x86_64-linux"; system = "x86_64-linux";
interfaces.lan = { }; interfaces.lan = lib.trace "This don't work yet" { };
baseMac = config.secrets.secrets.local.networking.interfaces.lan01.mac; baseMac = config.secrets.secrets.local.networking.interfaces.lan01.mac;
}; };
extraSpecialArgs = { extraSpecialArgs = {
@ -50,22 +76,23 @@
mkContainer = mkContainer =
guestName: guestName:
{ {
macvlans ? [ "lan-services" ], vlans ? [ "services" ],
... ...
}@cfg: }@cfg:
{ {
${guestName} = mkGuest guestName cfg // { ${guestName} = lib.mkMerge [
(mkGuest guestName cfg)
{
backend = "container"; backend = "container";
container.macvlans = macvlans; container.macvlans = lib.flip map vlans (x: "lan-${x}:mv-${x}");
extraSpecialArgs = { extraSpecialArgs = {
inherit (inputs.self) nodes globals; inherit (inputs.self) nodes globals;
inherit (inputs.self.pkgs.x86_64-linux) lib; inherit (inputs.self.pkgs.x86_64-linux) lib;
inherit inputs minimal stateVersion; inherit inputs minimal stateVersion;
}; };
}; }
];
}; };
in in
{ } { } // mkContainer "adguardhome" { } // mkContainer "nginx" { };
// mkContainer "adguardhome" { macvlans = [ "lan-services" ]; }
// mkContainer "nginx" { macvlans = [ "lan-services" ]; };
} }

23
hosts/nucnix/kea.nix
View file

@ -1,7 +1,9 @@
{ {
lib, lib,
utils, utils,
globals,
... ...
}: }:
let let
inherit (lib) inherit (lib)
@ -55,30 +57,17 @@ in
} }
{ {
name = "domain-name-servers"; name = "domain-name-servers";
data = "${net.cidr.host 10 subnet}"; data = "${net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4}";
} }
]; ];
reservations = [ reservations = [
#FIXME
# {
# hw-address = nodes.ward-adguardhome.config.lib.microvm.mac;
# ip-address = globals.net.home-lan.hosts.ward-adguardhome.ipv4;
# }
# {
# hw-address = nodes.ward-web-proxy.config.lib.microvm.mac;
# ip-address = globals.net.home-lan.hosts.ward-web-proxy.ipv4;
# }
# {
# hw-address = nodes.sire-samba.config.lib.microvm.mac;
# ip-address = globals.net.home-lan.hosts.sire-samba.ipv4;
# }
]; ];
} }
); );
}; };
}; };
systemd.services.kea-dhcp4-server.after = [ systemd.services.kea-dhcp4-server.after = flip mapAttrsToList vlans (
"sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-self"}.device" name: _: "sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-${name}"}.device"
]; );
} }

30
hosts/nucnix/net.nix
View file

@ -17,9 +17,16 @@ in
imports = [ imports = [
./hostapd.nix ./hostapd.nix
./kea.nix ./kea.nix
./forwarding.nix
]; ];
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
networking.nftables.firewall.zones = mkMerge [ networking.nftables.firewall.zones = mkMerge [
{ fritz.interfaces = [ "vlan-fritz" ]; } {
fritz.interfaces = [ "vlan-fritz" ];
adguard.ipv4Addresses = [
(lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4)
];
}
(genAttrs (attrNames globals.net.vlans) (name: { (genAttrs (attrNames globals.net.vlans) (name: {
interfaces = [ "lan-${name}" ]; interfaces = [ "lan-${name}" ];
})) }))
@ -136,6 +143,27 @@ in
to = [ "local" ]; to = [ "local" ];
allowedTCPPorts = [ 22 ]; allowedTCPPorts = [ 22 ];
}; };
services = {
from = [
"home"
];
to = [
"services"
"fritz"
];
late = true;
verdict = "accept";
};
dns = {
from = [
"home"
"devices"
"guests"
"services"
];
to = [ "adguard" ];
allowedUDPPorts = [ 53 ];
};
internet = { internet = {
from = [ from = [
"home" "home"

5
modules/globals.nix
View file

@ -132,6 +132,11 @@ in
type = types.str; type = types.str;
description = "The node-name on which this service runs"; description = "The node-name on which this service runs";
}; };
ip = mkOption {
type = types.nullOr (types.ints.between 5 49);
default = null;
description = "Optional IP in case this service runs needs a static ip. Shou";
};
}; };
} }
); );

2
users/patrick/theme.nix
View file

@ -95,7 +95,7 @@
image = config.lib.stylix.pixel "base00"; image = config.lib.stylix.pixel "base00";
base16Scheme = { base16Scheme = {
yaml = "${pkgs.base16-schemes}/share/themes/vice.yaml"; yaml = "${pkgs.base16-schemes}/share/themes/vice.yaml";
use-ifd = "auto"; use-ifd = "always";
}; };
# Has to be green # Has to be green
override.base0B = "#00CC99"; override.base0B = "#00CC99";