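{ config, lib, ... }:
let
  secrets = config.secrets.secrets;
  # Public mail domain: used as the host's DNS domain and as the name of the
  # wildcard certificate below.
  mailDomain = secrets.global.domains.mail_public;
  # Per-host settings of the first LAN interface (MAC address, v4/v6 host CIDRs).
  icfg = secrets.local.networking.interfaces.lan01;
in
{
  networking.hostId = secrets.local.networking.hostId;
  networking.domain = mailDomain;

  # Bring lan01 up in the initrd with the very same definition as the running
  # system, so the two network configurations cannot drift apart.
  boot.initrd.systemd.network = {
    enable = true;
    networks = {
      inherit (config.systemd.network.networks) "lan01";
    };
  };

  systemd.network.networks."lan01" = {
    # Match on the MAC rather than an interface name, which may be renamed.
    matchConfig.MACAddress = icfg.mac;
    address = [
      icfg.hostCidrv4
      # Host 1 of the delegated v6 prefix. lib.net.cidr.hostCidr is not part of
      # nixpkgs' lib; presumably provided by an overlay or extra lib — confirm.
      (lib.net.cidr.hostCidr 1 icfg.hostCidrv6)
    ];
    gateway = [ "fe80::1" ];
    routes = [
      # Host route to the v4 gateway, then the default route through it. The
      # gateway is marked on-link because it is presumably outside hostCidrv4
      # — confirm against the provider's network layout.
      { Destination = "172.31.1.1"; }
      {
        Gateway = "172.31.1.1";
        GatewayOnLink = true;
      }
    ];
    networkConfig.IPv6PrivacyExtensions = "yes";
    # Consider the host online only once it has a route, not merely a carrier.
    linkConfig.RequiredForOnline = "routable";
  };

  # Everything arriving on lan01 is handled by the untrusted firewall zone.
  networking.nftables.firewall.zones.untrusted.interfaces = [ "lan01" ];

  # Cloudflare API token for DNS-01 validation. Restricted to the acme user:
  # nginx is a member of the acme group (see users.groups.acme below), so a
  # group-readable token would also be readable by the web server. The acme
  # service runs as user acme and receives credentialFiles via systemd
  # credentials, so owner-only access is sufficient.
  # NOTE(review): if a renewal ever fails with a permission error on this
  # file, the token is not being read as acme/root — revisit the mode then.
  age.secrets.cloudflare_token_acme = {
    rekeyFile = ./secrets/cloudflare_api_token.age;
    owner = "acme";
    mode = "400";
  };

  security.acme = {
    acceptTerms = true;
    defaults = {
      email = secrets.global.devEmail;
      dnsProvider = "cloudflare";
      # Wait until the TXT record is visible before asking the CA to validate.
      dnsPropagationCheck = true;
      reloadServices = [ "nginx" ];
      # Both *_FILE variables point at the same token; on the Cloudflare side
      # the token should be scoped to this one zone (zone read + DNS edit).
      credentialFiles = {
        "CF_DNS_API_TOKEN_FILE" = config.age.secrets.cloudflare_token_acme.path;
        "CF_ZONE_API_TOKEN_FILE" = config.age.secrets.cloudflare_token_acme.path;
      };
    };
    # Wildcard certificate for the mail domain and every name below it; the
    # wildcard is what requires DNS-01 validation here.
    certs."${mailDomain}" = {
      domain = mailDomain;
      extraDomainNames = [ "*.${mailDomain}" ];
    };
  };

  # nginx needs read access to the certificates under /var/lib/acme.
  users.groups.acme.members = [ "nginx" ];

  # Persist the ACME state directory (issued certificates, account key)
  # under /state.
  environment.persistence."/state".directories = [
    {
      directory = "/var/lib/acme";
      user = "acme";
      group = "acme";
      mode = "0755";
    }
  ];
}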