Merge branch 'main' of ssh://alanpearce.eu/nixfiles
Alan Pearce alan@alanpearce.eu
Fri, 31 May 2024 00:28:48 +0200
2 files changed, 61 insertions(+), 63 deletions(-)
M system/nanopi.nix → system/nanopi.nix
@@ -70,6 +70,26 @@ ExecStart = "/bin/sh /etc/nixos/update-ip ${config.age.secrets.dyndns.path}"; }; }; + systemd.services.backup-golink = { + enable = true; + startAt = "daily"; + description = "Export short links from golink"; + path = with pkgs; [ curl gitMinimal ]; + script = '' + [ -d golink ] || git init --quiet golink --initial-branch=main --shared=world + git config --global user.email linde@alanpearce.eu + cd golink + curl https://go.${ts_domain}/.export > links.json + git add links.json + git commit -m $(date +%F) + ''; + serviceConfig = { + Type = "oneshot"; + User = "linde"; + WorkingDirectory = config.users.users.linde.home; + }; + }; + services.journald.extraConfig = '' MaxRetentionSec=1 month ''; @@ -92,6 +112,9 @@ networking = { hostName = "nanopi"; domain = domain; search = [ domain ]; + hosts = { + "fd7a:115c:a1e0::53" = [ "tailscale" "ts" ]; + }; useDHCP = false; useNetworkd = true; firewall = { @@ -100,44 +123,10 @@ rejectPackets = true; logRefusedConnections = false; pingLimit = "5/second"; filterForward = true; # we are a router - allowedUDPPorts = [ - 53 - 123 - ]; - allowedTCPPorts = [ - 53 - 123 - 80 - 443 + trustedInterfaces = [ + "bridge0" + "tailscale0" ]; - interfaces.bridge0 = { - allowedTCPPorts = [ - 53 - 67 - 139 - 445 - 1883 - 3000 - 3689 - 5357 - 5533 # SmartDNS - 8096 - 9091 # Transmission - ]; - allowedUDPPorts = [ - 53 - 67 - 69 - 137 - 4011 # PXE - 5533 # SmartDNS - 5353 - 5355 # LLMNR - 3702 # Samba WSDD - 41641 - 51827 - ]; - }; interfaces.wan0 = { allowedTCPPorts = [ 6980 # aria2c @@ -350,13 +339,14 @@ }; dhcpV4Config = { UseDNS = false; SendHostname = false; - RouteMetric = 2048; + UseRoutes = false; }; ipv6AcceptRAConfig.UseDNS = false; routes = [ { routeConfig = { Gateway = "_dhcp4"; + Metric = 2048; QuickAck = true; InitialCongestionWindow = 30; InitialAdvertisedReceiveWindow = 30; 
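Review bot: The `curl https://go.${ts_domain}/.export > links.json` line in the new backup-golink script has no `--fail`, so on an HTTP error curl still exits 0 and the error body is committed as links.json, overwriting the last good export in the repository history. Two smaller problems sit in the same script: `git config --global user.email linde@alanpearce.eu` rewrites linde's global git config on every daily run, and `git commit -m $(date +%F)` exits non-zero when the export is unchanged since the previous run, which fails the whole unit if the script runs under `bash -e` as NixOS-generated service scripts do. The rewrite below downloads with `--fail`, passes the identity per invocation with `git -c`, and commits only when the staged file actually differs; the surrounding `systemd.services.backup-golink` attribute set is otherwise unchanged.
```nix
      script = ''
        [ -d golink ] || git init --quiet golink --initial-branch=main --shared=world
        cd golink
        # --fail: an HTTP error must not be written (and then committed) as links.json
        curl --fail --silent --show-error "https://go.${ts_domain}/.export" -o links.json
        git add links.json
        # commit only when the export changed; identity is given per call instead of
        # rewriting the user's global git config on every run
        git diff --cached --quiet || git -c user.email=linde@alanpearce.eu commit -m "$(date +%F)"
      '';
      # … unchanged: serviceConfig …
```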
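Review bot: The literal `"fd7a:115c:a1e0::53"` in the new `networking.hosts` entry is repeated verbatim in the prefect.nix hunk of this commit, and it is also the address the later dnsmasq change refers to by the name `tailscale`; hoisting it into one shared binding (for example an attribute in a common module both hosts import) keeps the copies from drifting. A one-line comment next to the entry, such as `# address behind the "tailscale"/"ts" names; appears to be the tailnet DNS resolver`, would also record where the value comes from, which the bare literal does not. The `networking` attribute set continues outside the hunk.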
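Review bot: `trustedInterfaces = [ "bridge0" "tailscale0" ];` disables input filtering entirely on those two interfaces, so every service listening on the router becomes reachable from the LAN and from the tailnet, not just the explicit `interfaces.bridge0` port lists this hunk removes, and any service that later binds 0.0.0.0 on this host is exposed on bridge0 with no further change here. If opening the LAN fully is the intent, a comment next to the option saying so would help the next reader; otherwise keeping `interfaces.bridge0.allowedTCPPorts`/`allowedUDPPorts` and adding an equivalent list for `tailscale0` preserves the previous least-privilege exposure. Since `filterForward = true` is set on the context line above, it is also worth confirming how traffic arriving on a trusted interface is treated in the forward path. The `firewall` attribute set continues outside the hunk.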
@@ -381,6 +371,7 @@ IPForward = "yes"; }; dhcpV4Config = { UseDNS = false; + UseRoutes = false; SendHostname = false; SendRelease = false; UseHostname = false; @@ -396,6 +387,7 @@ UplinkInterface = ":self"; }; ipv6AcceptRAConfig = { UseDNS = false; + UseGateway = false; }; addresses = [ { @@ -407,6 +399,24 @@ # Scope = "link"; }; } ]; + routes = [ + { + routeConfig = { + Gateway = "_dhcp4"; + QuickAck = true; + InitialCongestionWindow = 30; + InitialAdvertisedReceiveWindow = 30; + }; + } + { + routeConfig = { + Gateway = "_ipv6ra"; + QuickAck = true; + InitialCongestionWindow = 30; + InitialAdvertisedReceiveWindow = 30; + }; + } + ]; cakeConfig = { Bandwidth = "24M"; OverheadBytes = 18; @@ -473,7 +483,7 @@ alwaysKeepRunning = true; settings = { local-ttl = 60; domain = domain; - dhcp-fqdn = false; + dhcp-fqdn = true; domain-needed = true; bogus-priv = true; no-resolv = true; @@ -493,17 +503,17 @@ "::1#5553" # smartdns # "127.0.0.1#5533" # "::1#5533" - "/ts.net/100.100.100.100" + "/ts.net/tailscale" ]; localise-queries = true; cname = [ - "homeassistant,ha" + "ha,home-assistant" ]; interface-name = [ - "nanopi,bridge0" - "wan,wan0" - "wlan,wlan0" - "wwan,wwan0" + "nanopi.${domain},bridge0" + "wan.${domain},wan0" + "wlan.${domain},wlan0" + "wwan.${domain},wwan0" ]; interface = [ "lo" @@ -535,7 +545,7 @@ "00:a0:de:b3:0c:01,10.0.0.50,wxa-50" "10:f0:68:12:b1:e0,10.0.0.11,Ruckus" "9c:93:4e:ad:05:c8,10.0.0.210,xerox-b210" "00:08:9b:f5:b8:25,10.0.0.42,dontpanic" - "d8:3a:dd:34:85:cc,d8:3a:dd:34:85:cd,10.0.0.81,ha" + "d8:3a:dd:34:85:cc,d8:3a:dd:34:85:cd,10.0.0.81,home-assistant" ]; dhcp-option = [ "option:ntp-server,0.0.0.0" @@ -636,6 +646,7 @@ description = "Backup user for system 'linde'"; isSystemUser = true; shell = "/bin/sh"; home = "/srv/backup/linde"; + homeMode = "755"; createHome = true; packages = with pkgs; [ rdiff-backup ]; openssh.authorizedKeys.keys = [ 
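Review bot: The two `routes` entries added here set no `Metric`, whereas the matching `Gateway = "_dhcp4"` route on the other interface earlier in this file is changed in the same commit to carry `Metric = 2048;`; if both interfaces now install a default route, the preference between them depends on whatever metric networkd assigns to these, which the hunk does not show and is worth confirming. The same `routeConfig` tuning (`QuickAck`, `InitialCongestionWindow`, `InitialAdvertisedReceiveWindow`) is now spelled out three times in this file; a `let` binding for the shared part merged with `// { Gateway = "_ipv6ra"; }` would keep the values consistent. The enclosing interface definition starts and ends outside the hunk.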
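Review bot: `"/ts.net/tailscale"` replaces an IP address with a host name in a dnsmasq `server=` entry, and as far as I know dnsmasq requires an address there and does not consult /etc/hosts when parsing its configuration, so this line is likely rejected as a bad address at startup; using the literal `"/ts.net/fd7a:115c:a1e0::53"` (the address the new `networking.hosts` entry maps to) or the previous `100.100.100.100` keeps the forward working. Either way the `server` list should carry a comment naming what that address is, as the neighbouring `# smartdns` entries do. The `settings` attribute set continues outside the hunk.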
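Review bot: `homeMode = "755";` makes /srv/backup/linde world-readable, so any local account on the host can read whatever rdiff-backup stores directly under it unless the backup tooling tightens the mode of its own files. If the wider mode is only needed so another user can traverse into a subdirectory, `"750"` together with group membership keeps the data private; in any case a comment on why 755 is required would help, for example `# world-readable so that <reader> can traverse into the backup tree` with the actual reader named. The user definition continues outside the hunk.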
@@ -768,22 +779,6 @@ allow 10.0.0.0/8 allow fd12:d04f:65d:42::0/56 ''; - }; - - services.avahi = { - enable = true; - nssmdns4 = true; - denyInterfaces = [ "wan0" "wwan0" "wlan0" ]; - browseDomains = [ - "alanpearce.eu" - ]; - publish = { - enable = true; - hinfo = true; - addresses = true; - userServices = true; - workstation = true; - }; }; services.samba = {
M system/prefect.nix → system/prefect.nix
@@ -125,6 +125,9 @@ useNetworkd = true; interfaces.enp7s0 = { useDHCP = true; }; + hosts = { + "fd7a:115c:a1e0::53" = [ "tailscale" "ts" ]; + }; }; networking.nftables = { enable = true; @@ -143,7 +146,7 @@ }; services.resolved = { llmnr = "false"; - dnssec = "true"; + dnssec = "allow-downgrade"; }; services.tailscale.enable = true;
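Review bot: `dnssec = "allow-downgrade";` lets systemd-resolved switch validation off whenever an upstream appears not to support DNSSEC, so a resolver on the path can cause validation to be skipped instead of failing closed as `"true"` did. If the motivation is that names reached through Tailscale do not validate, which the surrounding `services.tailscale.enable = true;` makes plausible but the hunk does not say, the narrower fix is to keep `dnssec = "true";` and exempt that zone with `DNSSECNegativeTrustAnchors=ts.net` in `services.resolved.extraConfig`; otherwise a comment naming the upstream that forced the downgrade would help the next reader.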