

3 commits

Author SHA1 Message Date
Patrick 1f8d44514d
fix: switch to internal domains 2024-12-23 17:03:10 +01:00
Patrick 606829afb0
chore: small fixes 2024-12-23 17:02:30 +01:00
Patrick 29b100e13e
feat: enable mdns forward 2024-12-23 14:28:22 +01:00
12 changed files with 97 additions and 37 deletions


@ -5,7 +5,9 @@
... ...
}: }:
let let
onlyHost = lib.mkIf (!config.boot.isContainer); onlyHost = lib.mkIf (
!config.boot.isContainer && !(config ? microvm.guest && config.microvm.guest.enable)
);
prune = prune =
folder: folder:
pkgs.writers.writePython3Bin "impermanence-prune" { } '' pkgs.writers.writePython3Bin "impermanence-prune" { } ''


@ -1,3 +1,4 @@
{ config, lib, ... }:
{ {
age.generators.argon2id = age.generators.argon2id =
{ {
@ -17,5 +18,9 @@
| ${pkgs.libargon2}/bin/argon2 "$(${pkgs.openssl}/bin/openssl rand -base64 16)" -id -e \ | ${pkgs.libargon2}/bin/argon2 "$(${pkgs.openssl}/bin/openssl rand -base64 16)" -id -e \
|| die "Failure while generating argon2id hash" || die "Failure while generating argon2id hash"
''; '';
secrets.secretFiles =
let
local = config.node.secretsDir + "/secrets.nix.age";
in
lib.optionalAttrs (config.node.name != null && lib.pathExists local) { inherit local; };
} }
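Review bot: The `lib.pathExists local` guard in `secrets.secretFiles` makes a missing or misnamed `secrets.nix.age` degrade silently into a node built without its secrets, which typically only surfaces when a service fails at runtime. If some nodes legitimately have no secrets file, keep the optional behaviour but make the case visible, e.g. `lib.warnIf (config.node.name != null && !lib.pathExists local) "no secrets.nix.age for ${config.node.name}" (lib.optionalAttrs (config.node.name != null && lib.pathExists local) { inherit local; })`. `config.node` is project-defined, so whether `name` can be null for a real node is not visible here.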


@ -72,10 +72,4 @@
environment.ldso32 = null; environment.ldso32 = null;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
secrets.secretFiles =
let
local = config.node.secretsDir + "/secrets.nix.age";
in
lib.optionalAttrs (config.node.name != null && lib.pathExists local) { inherit local; };
} }


@ -36,9 +36,9 @@
]; ];
}; };
user_rules = [ user_rules = [
"||homematic.${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 30 globals.net.vlans.home.cidrv4}" "||homematic.internal^$dnsrewrite=${lib.net.cidr.host 30 globals.net.vlans.devices.cidrv4}"
"||testberry.${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 31 globals.net.vlans.home.cidrv4}" "||testberry.internal^$dnsrewrite=${lib.net.cidr.host 31 globals.net.vlans.devices.cidrv4}"
"||${globals.services.samba.domain}^$dnsrewrite=${lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4}" "||smb.internal^$dnsrewrite=${lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4}"
"||${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 1 globals.net.vlans.services.cidrv4}" "||${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 1 globals.net.vlans.services.cidrv4}"
"||fritz.box^$dnsrewrite=${lib.net.cidr.host 1 "10.99.2.0/24"}" "||fritz.box^$dnsrewrite=${lib.net.cidr.host 1 "10.99.2.0/24"}"
]; ];


@ -119,7 +119,7 @@ in
# clients hardcode the host and share names. # clients hardcode the host and share names.
"disable netbios" = "yes"; "disable netbios" = "yes";
# Allow access to local network # Allow access to local network
"hosts allow" = "10. localhost"; "hosts allow" = "10.99.10. localhost";
"guest account" = "nobody"; "guest account" = "nobody";
"map to guest" = "bad user"; "map to guest" = "bad user";
@ -169,11 +169,17 @@ in
hasBunker = true; hasBunker = true;
hasPaperless = true; hasPaperless = true;
} { }) } { })
(mkShare { (mkShare
{
name = "printer"; name = "printer";
user = "printer"; user = "printer";
group = "printer"; group = "printer";
} { }) }
{
# Also allow printer access
"hosts allow" = "10.99.10. ${lib.net.cidr.host 32 globals.net.vlans.home.cidrv4} localhost";
}
)
(mkShare { (mkShare {
name = "family-data"; name = "family-data";
user = "family"; user = "family";
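Review bot: The printer share's extra `hosts allow` entry, `lib.net.cidr.host 32 globals.net.vlans.home.cidrv4`, yields an address inside the home subnet that the preceding `10.99.10.` prefix already covers (home appears to be VLAN 10 under the `10.99.<id>.0/24` scheme used by kea), so as written the entry is a no-op. If the printer lives on the devices VLAN, which the firewall's `printer` alias and the new kea reservation in this same change suggest, this should be `globals.net.vlans.devices.cidrv4` instead. Worth a comment either way that `hosts allow` is an IP allowlist only and, together with `map to guest = bad user`, grants guest access to any host that can present that address, so it is a VLAN-scoping measure and not an authentication control. The `mkShare` helper and the share list start outside this hunk.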


@ -83,12 +83,25 @@ mkMerge [
protocol = "udp"; protocol = "udp";
}) })
{ {
networking.nftables.chains.prerouting.mdns-forward = { networking.nftables.ruleset = ''
after = [ "hook" ]; table ip mdns {
rules = [ chain prerouting {
# "iifname lan-home ip daddr 224.0.0.251 ip saddr set ${net.cidr.host 1 globals.net.vlans.services.cidrv4} dup to 224.0.0.251 device lan-services notrack" type filter hook prerouting priority mangle; policy accept;
# "iifname lan-services ip daddr 224.0.0.251 ip saddr set ${net.cidr.host 1 globals.net.vlans.home.cidrv4} dup to 224.0.0.251 device lan-home notrack"
]; iifname {lan-home, lan-services} ip daddr 224.0.0.251 meta mark 0xa5f3 jump mdns-saddr
}; iifname {lan-home, lan-services} ip daddr 224.0.0.251 meta mark != 0xa5f3 jump mdns
}
chain mdns {
meta mark set 0xa5f3
iifname lan-services dup to 224.0.0.251 device lan-home
iifname lan-home dup to 224.0.0.251 device lan-services
}
chain mdns-saddr {
# repeat mDNS from IoT to main
iifname lan-services ip saddr set 10.99.20.1
iifname lan-home ip saddr set 10.99.10.1
}
}
'';
} }
] ]
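Review bot: The `mdns-saddr` chain hard-codes `10.99.20.1` and `10.99.10.1` while the rest of this file derives addresses from `globals.net.vlans` (the removed draft rules used `net.cidr.host 1 globals.net.vlans.services.cidrv4`), so a VLAN renumbering will silently break the reflector; interpolate them as before, e.g. `iifname lan-services ip saddr set ${net.cidr.host 1 globals.net.vlans.services.cidrv4}` and `iifname lan-home ip saddr set ${net.cidr.host 1 globals.net.vlans.home.cidrv4}`. The comment `# repeat mDNS from IoT to main` no longer matches the rules, which only bridge lan-home and lan-services; `# rewrite the reflected copy's source to this router's address on the target VLAN` describes what the chain does, if that is the intent. I could not convince myself the marked branch is reachable at all, since the copy produced by `dup` is re-injected on the output path rather than back into prerouting, so it would only match a duplicate that loops back in from the other VLAN; a `counter` on the `meta mark 0xa5f3` rule would settle that quickly.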


@ -11,13 +11,6 @@ let
flip flip
mapAttrsToList mapAttrsToList
; ;
vlans = {
home = 10;
services = 20;
devices = 30;
iot = 40;
guests = 50;
};
in in
{ {
environment.persistence."/persist".directories = [ environment.persistence."/persist".directories = [
@ -38,10 +31,12 @@ in
valid-lifetime = 86400; valid-lifetime = 86400;
renew-timer = 3600; renew-timer = 3600;
interfaces-config = { interfaces-config = {
interfaces = flip mapAttrsToList vlans (x: _: "lan-${x}"); interfaces = flip mapAttrsToList globals.net.vlans (x: _: "lan-${x}");
}; };
subnet4 = flip mapAttrsToList vlans ( subnet4 = flip mapAttrsToList globals.net.vlans (
name: id: rec { name:
{ id, cidrv4, ... }:
rec {
inherit id; inherit id;
interface = "lan-${name}"; interface = "lan-${name}";
subnet = "10.99.${toString id}.0/24"; subnet = "10.99.${toString id}.0/24";
@ -71,13 +66,18 @@ in
hw-address = "d8:3a:dd:dc:b6:6a"; hw-address = "d8:3a:dd:dc:b6:6a";
ip-address = net.cidr.host 31 subnet; ip-address = net.cidr.host 31 subnet;
} }
{
# drucker
hw-address = "48:9e:bd:5c:31:ac";
ip-address = net.cidr.host 32 subnet;
}
]; ];
} }
); );
}; };
}; };
systemd.services.kea-dhcp4-server.after = flip mapAttrsToList vlans ( systemd.services.kea-dhcp4-server.after = flip mapAttrsToList globals.net.vlans (
name: _: "sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-${name}"}.device" name: _: "sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-${name}"}.device"
); );
} }
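Review bot: The `drucker` reservation is added inside the `subnet4` body that is generated once per entry of `globals.net.vlans`, so unless `reservations` is filtered by VLAN somewhere above this hunk (not visible here), the same MAC gets host 32 reserved in every subnet, which kea tolerates but leaves it unclear which VLAN the printer is expected on. Since the Samba `hosts allow` and the firewall `printer` alias in this same change anchor their trust on this address, the reservation deserves a comment stating where the assurance actually comes from: `# MAC-keyed reservation only: any host on this VLAN can claim the address statically, so allowlists keyed on it are only as strong as switch port/VLAN assignment`. The `subnet4` generator and the enclosing `reservations` list start outside this hunk.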


@ -2,6 +2,7 @@
config, config,
lib, lib,
globals, globals,
utils,
... ...
}: }:
let let
@ -23,9 +24,15 @@ in
{ {
fritz.interfaces = [ "vlan-fritz" ]; fritz.interfaces = [ "vlan-fritz" ];
wg-services.interfaces = [ "services" ]; wg-services.interfaces = [ "services" ];
printer.ipv4Addresses = [
(lib.net.cidr.host 32 globals.net.vlans.device.cidrv4)
];
adguard.ipv4Addresses = [ adguard.ipv4Addresses = [
(lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4) (lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4)
]; ];
samba.ipv4Addresses = [
(lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4)
];
} }
(genAttrs (attrNames globals.net.vlans) (name: { (genAttrs (attrNames globals.net.vlans) (name: {
interfaces = [ "lan-${name}" ]; interfaces = [ "lan-${name}" ];
@ -136,10 +143,20 @@ in
snippets.nnf-ssh.enable = lib.mkForce false; snippets.nnf-ssh.enable = lib.mkForce false;
rules = { rules = {
mdns = { mdns = {
from = [ "home" ]; from = [
"home"
"services"
];
to = [ "local" ]; to = [ "local" ];
allowedUDPPorts = [ 5353 ]; allowedUDPPorts = [ 5353 ];
}; };
printer-smb = {
from = [
"printer"
];
to = [ "smb" ];
allowedUDPPorts = [ 445 ];
};
ssh = { ssh = {
from = [ from = [
"fritz" "fritz"
@ -153,7 +170,9 @@ in
"home" "home"
]; ];
to = [ to = [
"iot"
"services" "services"
"devices"
"fritz" "fritz"
]; ];
late = true; late = true;
@ -261,4 +280,7 @@ in
}; };
}; };
}; };
systemd.services.nftables.after = flip mapAttrsToList globals.net.vlans (
name: _: "sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-${name}"}.device"
);
} }
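Review bot: The new `printer-smb` rule opens `allowedUDPPorts = [ 445 ]`, but SMB between the printer and the share runs over TCP 445 and nothing listens on UDP 445 in the Samba config shown, so the rule admits no useful traffic and scan-to-share from the printer will still be dropped; it should read `allowedTCPPorts = [ 445 ];`. The `printer` alias also reads `globals.net.vlans.device.cidrv4`, whereas every other reference in this change uses `globals.net.vlans.devices` (the AdGuard rewrites and the `devices` zone in the same file), so evaluation either fails on a missing attribute or the alias ends up in the wrong subnet; it should be `(lib.net.cidr.host 32 globals.net.vlans.devices.cidrv4)`. The `rules` attribute set and the `ssh` rule start outside these hunks.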


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOR54uUS7TdVFs8SmKEThJcwNqQhLhqIfkTneoPSNJe


@ -0,0 +1,17 @@
age-encryption.org/v1
-> X25519 q8aZVIpO27A7gSGGepzDYQINfV9BT5Vdlck4Ywl/tw4
f7OZDaBI1nGbWVKz7c/fCTjl5avQMZwweKuGsMZaHmw
-> piv-p256 ZFgiIw AzIXNOToQeNgxBaPr2Ay8PNbWci5KXsOO0hPzntcr9jh
A45KdFFCcHss+yp9o1lMeyGAquweqAAYdN3rebTOV+k
-> piv-p256 XTQkUA Ams4qG3cUEr5JuhwJVl0I9vNvUBSwmeGlO4y1RjW+HM0
09tBHurIIUJrwXfJEDnTpZppseJSxF/Rrzp81tLiEaI
-> piv-p256 ZFgiIw Ar7T0wlAqoYOPxtm8lZnWRCctOFQ3MpmPhZpzz4dm+0i
8vfGeTyhxjU28KeCmOl59IOhxgSEK/invMRBj5y8wvE
-> piv-p256 5vmPtQ Am6sq2Wde4bMWzMTw6+o+yhkM2ZSkpBbbLGVA3RIAylz
6y8WNKVZiMOuyolKGJjGj+Fc9hqkHw362LtYaGhl274
-> 5nt&Ew>-grease V;8yod
bApmEO5jhTtDghPr4gisoTKEuhrFOdKxAuNH4iqUufY3dNfojeB/5IjctLLe5VG7
vWl2CF8Tyw
--- hpy8mTYDQSOQCLhIcQ+5mHcdqRQkvWOIDQHLltWTJD0
…2¿äUðzT§_ÜË´^<5E>
¾¦}…XZg°éVÔ§ñ%áé ?Mèt]vøœ:Ý;ÆwÚ˜*…XOë÷ËÔU}þþd¤Ù<C2A4>ºxKîáA¨§%<25>6



@ -2,7 +2,7 @@
{ {
hm.home.smb = hm.home.smb =
let let
address = "smb.${config.secrets.secrets.global.domains.web}"; address = "smb.internal";
credentials = config.age.secrets.smb-creds.path; credentials = config.age.secrets.smb-creds.path;
in in
[ [
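Review bot: `address = "smb.internal"` is now a bare literal that has to match the `||smb.internal^` AdGuard rewrite byte for byte, whereas before both sides derived the name from a single source (`config.secrets.secrets.global.domains.web` here, `globals.services.samba.domain` in the rewrite); a future rename of either side breaks the mount with nothing but an NXDOMAIN to go on. If `globals` is reachable from this home-manager module, keep the name in one place, e.g. `address = globals.services.samba.domain;` with that global set to `"smb.internal"`. A short comment is also warranted that the name resolves only through the local AdGuard rewrite, so a client whose resolver bypasses it (VPN, DoH in the browser) will not find the share; the resolver setup of these clients is not visible here, so treat that as a caveat to confirm. The `hm.home.smb` list continues past this hunk.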