Move vim packages to pkgs
Add system config.
Split up modules into home and system sets.
Update.
Cleanup.
Move home config.
Add module attrs.
Fix empty LUKS device UUID.
Import local secrets.
This commit is contained in:
parent
4724f264dd
commit
e1c562191b
67 changed files with 1055 additions and 202 deletions
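--- /dev/null
+++ b/modules/networking.nix
@@ -0,0 +1,86 @@
+{ config, pkgs, lib, ...}:
+with lib;
+let
+cfg = config.dadada.networking;
+in {
+options.dadada.networking = {
+useLocalResolver = mkEnableOption "Enable local caching name server";
+domain = mkOption {
+type = with types; nullOr str;
+description = "Network domain name";
+default = null;
+};
+wanInterfaces = mkOption {
+type = with types; listOf str;
+description = "WAN network interfaces";
+default = [];
+};
+vpnExtension = mkOption {
+type = with types; nullOr str;
+description = "Last part of VPN address";
+default = null;
+};
+enableBsShare = mkEnableOption "Enable network share at BS location";
+};
+
+config = {
+networking.domain = cfg.domain;
+networking.resolvconf.useLocalResolver = mkIf cfg.useLocalResolver true;
+services.unbound = mkIf cfg.useLocalResolver {
+enable = true;
+allowedAccess = [
+"127.0.0.1/8"
+"::1"
+];
+extraConfig = ''
+tls-upstream: yes
+tls-cert-bundle: "/etc/ssl/certs/ca-bundle.crt"
+forward-zone:
+name: .
+forward-tls-upstream: yes
+forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
+forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
+forward-addr: 1.1.1.1@853#cloudflare-dns.com
+forward-addr: 1.0.0.1@853#cloudflare-dns.com
+'';
+};
+
+networking.useDHCP = false;
+
+networking.interfaces = listToAttrs (forEach cfg.wanInterfaces (i: nameValuePair i {
+useDHCP = true;
+}));
+
+networking.wireguard.interfaces = mkIf (cfg.vpnExtension != null) {
+bs = {
+ips = [ "fd42:dead:beef:1337::${cfg.vpnExtension}/64" ];
+listenPort = 51234;
+
+privateKeyFile = "/var/lib/wireguard/privkey";
+
+peers = [
+{
+publicKey = "0eWP1hzkyoXlrjPSOq+6Y1u8tnFH+SejBJs8f8lf+iU=";
+allowedIPs = [ "fd42:dead:beef::/48" ];
+endpoint = "bs.vpn.dadada.li:51234";
+persistentKeepalive = 25;
+}
+];
+};
+};
+
+fileSystems."/mnt/media.dadada.li" = mkIf cfg.enableBsShare {
+device = "media.dadada.li:/mnt/storage/share";
+fsType = "nfs";
+options = [ "x-systemd.automount" "noauto" "x-systemd.idle-timeout=600" ];
+};
+
+networking.firewall = {
+enable = true;
+allowedUDPPorts = [
+51234 # Wireguard
+5353 # mDNS
+];
+};
+};
+}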
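Review bot: The `networking.firewall` block at the end of the file opens UDP 51234 unconditionally, while the WireGuard interface that listens on it is only defined under `mkIf (cfg.vpnExtension != null)`, so hosts without a VPN extension still expose the port for no reason, and the port number is repeated as a literal in `listenPort` and `allowedUDPPorts` where a single `let` binding (e.g. `wgPort = 51234;`) would keep them in sync. A tighter form is `allowedUDPPorts = [ 5353 ] ++ optional (cfg.vpnExtension != null) 51234;`. Note also that 5353 is opened on every interface, including the DHCP-configured `cfg.wanInterfaces`; if an mDNS responder is configured elsewhere in the repo, scoping it via `networking.firewall.interfaces.<name>.allowedUDPPorts` to the LAN interfaces would avoid answering mDNS on the WAN side. Separately, `mkEnableOption` already prefixes its argument with "Whether to enable", so the strings for `useLocalResolver` and `enableBsShare` should be noun phrases: `mkEnableOption "local caching name server"` and `mkEnableOption "network share at BS location"`.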