repomaa/nixos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7a24ac5fe66cc3a3525058c9b2b36b4b39e29d1f
nixos/hosts/apu/configuration.nix
Joakim Repomaa 7a24ac5fe6 refactor
2025-02-08 15:38:51 +02:00

238 lines
4.9 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Edit this configuration file to define what should be installed on
# your system. Help is availanodev";
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{ lib, pkgs, config, ... }:
{
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking.hostName = "apu";
networking.useNetworkd = true;
nix = {
settings = {
experimental-features = [ "nix-command" "flakes" ];
auto-optimise-store = true;
};
gc = {
automatic = true;
dates = "daily";
options = "--delete-older-than 7d";
};
};
modules.vlans = {
enable = true;
networks = {
koti = {
id = 10;
ipv6 = true;
};
gast = {
id = 20;
ipv6 = true;
staticLeases = {
"dc:a6:32:05:08:5d" = "10.20.1.235";
};
};
iot = {
id = 30;
};
cfg = {
id = 40;
staticLeases = {
"8c:3b:ad:c5:b8:ee" = "10.40.0.10";
};
};
};
bridge = {
enable = true;
pvid = config.modules.vlans.networks.cfg.id;
netdev = "20-lan";
network = "30-lan";
bindNetwork = "30-bind-lan";
};
};
modules.firewall = {
enable = true;
interfaces = {
koti = [ "dhcp" "dns" "ssh" "web" ];
gast = [ "dhcp" "dns" ];
iot = [ "dhcp" "dns" ];
cfg = [ "dhcp" "dns" ];
"tailscale*" = [ "ssh" "web" ];
};
allInterfaces = [ ];
};
systemd.network = {
enable = true;
config.networkConfig.IPv6Forwarding = true;
links = {
"10-extern0" = {
matchConfig.Path = "pci-0000:01:00.0";
linkConfig.Name = "extern0";
};
"10-intern0" = {
matchConfig.Path = "pci-0000:02:00.0";
linkConfig.Name = "intern0";
};
"10-intern1" = {
matchConfig.Path = "pci-0000:03:00.0";
linkConfig.Name = "intern1";
};
};
netdevs = {
"20-lan" = {
netdevConfig = {
Name = "lan";
Kind = "bridge";
};
};
};
networks = {
"30-bind-lan" = {
matchConfig = {
Name = "intern*";
};
networkConfig = {
Bridge = "lan";
};
};
"30-lan" = {
matchConfig = {
Name = "lan";
};
networkConfig = {
IPv6AcceptRA = false;
ConfigureWithoutCarrier = true;
};
};
"30-wan" = {
matchConfig = {
Name = "extern0";
};
networkConfig = {
DHCP = true;
DNS = "127.0.0.1";
IPv6AcceptRA = true;
IPv4Forwarding = true;
};
dhcpV6Config = {
PrefixDelegationHint = "::/56";
};
dhcpV4Config = {
Use6RD = true;
};
};
};
};
services.networkd-dispatcher = {
enable = true;
rules."50-tailscale" = {
onState = [ "routable" ];
script = ''
#!${pkgs.runtimeShell}
${pkgs.ethtool}/bin/ethtool -K ${config.systemd.network.links."10-extern0".linkConfig.Name} rx-udp-gro-forwarding on rx-gro-list off
'';
};
};
time.timeZone = "Europe/Helsinki";
users.users.jokke = {
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
packages = [ pkgs.nh ];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLIUkESu5NnBi1M0+ZjYrkp6/rIFuwc3aguspf98jmOydNce6l65cnS3GRzc9oWx4lu11ahi87ZuE+pYV+gaHm4="
];
initialPassword = "change-me";
};
environment.systemPackages = with pkgs; [
wget
curl
dig
neovim
vim
htop
];
services.openssh = {
enable = true;
openFirewall = false;
settings.PasswordAuthentication = false;
};
services.tailscale = {
enable = true;
useRoutingFeatures = "both";
};
services.resolved.enable = false;
services.nextdns = {
enable = true;
arguments = [ "-profile" "9c4ac9" "-setup-router" "-mdns" "koti" ];
};
services.home-assistant = {
enable = true;
extraComponents = [
# Components required to complete the onboarding
"esphome"
"met"
"radio_browser"
"yeelight"
"xiaomi_aqara"
"shelly"
];
extraPackages = python3Packages: with python3Packages; [
gtts
numpy
];
config = {
homeassistant = {
name = "Koti";
unit_system = "metric";
time_zone = "Europe/Helsinki";
};
http = {
use_x_forwarded_for = true;
trusted_proxies = "127.0.0.1";
};
default_config = { };
};
};
modules.webserver = {
enable = true;
acme.dnsChallenge = true;
vHosts."koti.repomaa.com" = {
proxyBuffering = false;
locations."/".proxy = "http://127.0.0.1:8123";
};
};
networking.nftables.enable = true;
networking.firewall.enable = true;
networking.useDHCP = false;
system.stateVersion = "24.05";
}
Reference in New Issue View Git Blame Copy Permalink