repomaa/nixos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2358ea6dcddf09db423849e39e71b3b10d36c627
nixos/hosts/apu/configuration.nix
Joakim Repomaa 2358ea6dcd apu local dhcp lease dns and invidious
2026-03-07 13:33:51 +02:00

284 lines
5.4 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Edit this configuration file to define what should be installed on
# your system. Help is availanodev";
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{
ssh,
pkgs,
config,
lib,
...
}:
{
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking.hostName = "apu";
networking.useNetworkd = true;
nix = {
settings = {
experimental-features = [
"nix-command"
"flakes"
];
auto-optimise-store = true;
};
gc = {
automatic = true;
dates = "daily";
options = "--delete-older-than 7d";
};
};
modules.vlans = {
enable = true;
networks = {
koti = {
id = 10;
ipv6 = true;
};
gast = {
id = 20;
ipv6 = true;
staticLeases = {
"dc:a6:32:05:08:5d" = "10.20.1.235";
};
};
iot = {
id = 30;
};
cfg = {
id = 40;
staticLeases = {
"8c:3b:ad:c5:b8:ee" = "10.40.0.10";
};
};
};
bridge = {
enable = true;
pvid = config.modules.vlans.networks.cfg.id;
netdev = "20-lan";
network = "30-lan";
bindNetwork = "30-bind-lan";
};
};
modules.firewall = {
enable = true;
interfaces = {
koti = [
"dhcp"
"dns"
"ssh"
"web"
];
gast = [
"dhcp"
"dns"
];
iot = [
"dhcp"
"dns"
];
cfg = [
"dhcp"
"dns"
];
"tailscale*" = [
"ssh"
"web"
];
};
allInterfaces = [ ];
};
systemd.network = {
enable = true;
config.networkConfig.IPv6Forwarding = true;
links = {
"10-extern0" = {
matchConfig.Path = "pci-0000:01:00.0";
linkConfig.Name = "extern0";
};
"10-intern0" = {
matchConfig.Path = "pci-0000:02:00.0";
linkConfig.Name = "intern0";
};
"10-intern1" = {
matchConfig.Path = "pci-0000:03:00.0";
linkConfig.Name = "intern1";
};
};
netdevs = {
"20-lan" = {
netdevConfig = {
Name = "lan";
Kind = "bridge";
};
};
};
networks = {
"30-bind-lan" = {
matchConfig = {
Name = "intern*";
};
networkConfig = {
Bridge = "lan";
};
};
"30-lan" = {
matchConfig = {
Name = "lan";
};
networkConfig = {
IPv6AcceptRA = false;
ConfigureWithoutCarrier = true;
};
};
"30-wan" = {
matchConfig = {
Name = "extern0";
};
networkConfig = {
DHCP = true;
DNS = "127.0.0.1";
IPv6AcceptRA = true;
IPv4Forwarding = true;
};
dhcpV6Config = {
PrefixDelegationHint = "::/56";
};
dhcpV4Config = {
Use6RD = true;
};
};
};
};
services.networkd-dispatcher = {
enable = true;
rules."50-tailscale" = {
onState = [ "routable" ];
script = ''
#!${pkgs.runtimeShell}
${pkgs.ethtool}/bin/ethtool -K ${
config.systemd.network.links."10-extern0".linkConfig.Name
} rx-udp-gro-forwarding on rx-gro-list off
'';
};
};
time.timeZone = "Europe/Helsinki";
users.users.jokke = {
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
packages = [ pkgs.nh ];
openssh.authorizedKeys.keys = [ ssh.publicKeys.yubikey ];
initialPassword = "change-me";
};
environment.systemPackages = with pkgs; [
wget
curl
dig
neovim
vim
htop
];
services.openssh = {
enable = true;
openFirewall = false;
settings.PasswordAuthentication = false;
};
services.tailscale = {
enable = true;
useRoutingFeatures = "both";
};
services.resolved.enable = false;
modules.services.dhcp-dns-sync = {
enable = true;
interface = "koti";
domain = "home.arpa";
interval = "30s";
};
services.unbound = {
enable = true;
settings = {
server = {
interface =
(lib.map (name: config.systemd.network.networks."30-${name}".dhcpServerConfig.DNS) (
lib.attrNames config.modules.vlans.networks
))
++ [
"127.0.0.1"
"::1"
];
access-control = [
"10.0.0.0/8 allow"
"127.0.0.0/8 allow"
"::1/128 allow"
];
verbosity = 2;
};
forward-zone = [
{
name = ".";
forward-addr = "100.84.105.63#dns.freun.dev";
forward-tls-upstream = true;
}
];
remote-control.control-enable = true;
};
};
services.avahi = {
enable = true;
nssmdns4 = true;
reflector = true;
allowInterfaces = [ "lan" ];
openFirewall = true;
};
services.invidious-companion = {
enable = true;
host = "0.0.0.0";
port = 8282;
secretKeyFile = config.age.secrets.invidious-companion.path;
binaryHash = "sha256-nZXKpExKCc2zgSdVT3qo05NyFdpM9H9NJB5UWo+MVWI=";
};
networking.firewall = {
enable = true;
interfaces.tailscale0.allowedTCPPorts = [ 8282 ];
};
security.acme.defaults.environmentFile = config.age.secrets.hetzner.path;
networking = {
nftables.enable = true;
useDHCP = false;
domain = "apu.home.arpa";
};
system.stateVersion = "24.05";
}
Reference in New Issue View Git Blame Copy Permalink