Diffstat (limited to 'system/nanopi.nix')
-rwxr-xr-x | system/nanopi.nix | 107 |
1 files changed, 44 insertions, 63 deletions
diff --git a/system/nanopi.nix b/system/nanopi.nix
index 5083f9e7..3a95ebfc 100755
--- a/system/nanopi.nix
+++ b/system/nanopi.nix
@@ -146,29 +146,12 @@ in
 ];
 };
 extraForwardRules = ''
- iifname { "wlan0", "lte0" } oifname { "lan1", "lan2", "bridge0" } icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, mld-listener-query, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
- iifname { "lan1", "lan2", "bridge0" } oifname { "wlan0", "lte0" } accept
 iifname "tailscale0" oifname "bridge0" accept
 iifname "bridge0" oifname "tailscale0" accept
 '';
 };
 nftables = {
 enable = true;
- tables = {
- firewall = {
- family = "inet";
- content = ''
- chain postrouting {
- type nat hook postrouting priority srcnat; policy accept;
- oifname { "wlan0", "lte0" } masquerade
- }
- chain prerouting {
- type nat hook prerouting priority dstnat;
- iifname "wan0" tcp dport { 6922, 51413 } dnat ip to 10.0.0.42
- }
- '';
- };
- };
 };
 wireless = {
 enable = true;
@@ -284,12 +267,6 @@ in
 Name = "wlan0";
 };
 };
- "10-name-lte0" = {
- matchConfig.MACAddress = "34:4b:50:00:00:00";
- linkConfig = {
- Name = "lte0";
- };
- };
 };
 netdevs = {
 "20-bridge" = {
@@ -337,43 +314,13 @@ in
 Token = "::1";
 };
 };
- "50-lte0" = {
- matchConfig.Name = "lte0";
- networkConfig = {
- DHCP = "yes";
- IPv6AcceptRA = true;
- IPForward = "yes";
- };
- dhcpV4Config = {
- UseDNS = false;
- SendHostname = false;
- UseRoutes = false;
- };
- ipv6AcceptRAConfig.UseDNS = false;
- routes = [
- {
- Gateway = "_dhcp4";
- Metric = 2048;
- QuickAck = true;
- InitialCongestionWindow = 30;
- InitialAdvertisedReceiveWindow = 30;
- }
- ];
- cakeConfig = {
- Bandwidth = "1M";
- OverheadBytes = 18;
- MPUBytes = 64;
- CompensationMode = "none";
- NAT = true;
- PriorityQueueingPreset = "diffserv8";
- };
- };
 "50-wan" = {
 matchConfig.Name = "wan0";
 networkConfig = {
 DHCP = "yes";
 IPv6AcceptRA = true;
- IPForward = "yes";
+ IPv4Forwarding = true;
+ IPv6Forwarding = true;
 };
 dhcpV4Config = {
 UseDNS = false;
@@ -430,7 +377,8 @@ in
 matchConfig.MACAddress = "9c:53:22:33:bf:e9";
 networkConfig = {
 DHCP = "yes";
- IPForward = "yes";
+ IPv4Forwarding = true;
+ IPv6Forwarding = true;
 IgnoreCarrierLoss = "3s";
 };
 dhcpV4Config = {
@@ -504,11 +452,9 @@ in
 "/ts.net/tailscale"
 ];
 localise-queries = true;
- cname = [
- "ha,home-assistant"
- ];
 interface-name = [
 "nanopi.${domain},bridge0"
+ "ca.${domain},bridge0"
 "wan.${domain},wan0"
 "wlan.${domain},wlan0"
 ];
@@ -525,10 +471,6 @@ in
 # ];
 bind-interfaces = true;
- # if this is false, a remote query for nanopi returns 127.0.0.2, because that's in /etc/hosts
- no-hosts = false;
- expand-hosts = true;
- dnssec = true;
 trust-anchor = ".,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
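Review bot: The replacement of `IPForward = "yes";` by `IPv4Forwarding = true;` / `IPv6Forwarding = true;` in the `50-wan` networkConfig (and the same pair in the hunk at old line 430) only works on systemd 256 or newer, where these [Network] keys were introduced; on an older nixpkgs the NixOS module rejects them at evaluation or networkd logs them as unknown keys and ignores them, so forwarding on wan0 would silently stay off. The old `IPForward=` also set the system-wide IPv4 forwarding sysctl, whereas the new keys are per-link; with forwarding now enabled only on the uplink networks shown here, whether packets entering on bridge0 are still forwarded depends on that network's configuration or a global setting outside these hunks, which is worth confirming after deploy. A comment such as `# systemd >= 256: per-link forwarding; IPForward= is gone` next to the keys would save the next reader the lookup. Both the `50-wan` and the `9c:53:…` network definitions continue outside the hunks.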
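Review bot: Dropping `dnssec = true;` while keeping `trust-anchor = ".,20326,8,2,…";` in the hunk at old line 525 leaves dnsmasq's DNSSEC validation switched off — `trust-anchor` is only consulted when `dnssec` is set, so the surviving line is dead configuration and upstream answers are no longer validated. If disabling validation is intended, remove the trust anchor as well and record the reason, e.g. `# DNSSEC validation disabled: <reason>`; otherwise restore `dnssec = true;` next to it. The dnsmasq settings block starts and ends outside the hunk.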
@@ -610,6 +552,45 @@ in
 };
 };
+ services.caddy = {
+ enable = true;
+ globalConfig = ''
+ pki {
+ ca home {
+ name "Home CA"
+ }
+ }
+ '';
+ virtualHosts = {
+ "nanopi.${domain}" = {
+ serverAliases = [ "nanopi.${ts_domain}" ];
+ extraConfig = ''
+ tls {
+ issuer internal {
+ ca home
+ }
+ }
+ root /var/lib/caddy/ca
+ file_server browse
+ '';
+ };
+ "ca.${domain}" = {
+ extraConfig = ''
+ tls {
+ issuer internal {
+ ca home
+ }
+ }
+ acme_server {
+ allow {
+ domains *.test *.${domain}
+ }
+ }
+ '';
+ };
+ };
+ };
+
 system.stateVersion = "23.05";
 programs.fish = { |
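Review bot: The `acme_server` block on `ca.${domain}` names no CA, and Caddy's acme_server defaults to the built-in `local` authority rather than the `home` CA declared in globalConfig, so certificates it issues to clients would chain to the auto-generated local root while the vhost's own certificate (via `tls { issuer internal { ca home } }`) chains to "Home CA"; add `ca home` as the first line inside `acme_server { … }` so both use the same root. On the `nanopi.${domain}` site, `file_server browse` under `root /var/lib/caddy/ca` publishes a listing of, and every file in, that directory to anyone who can reach the host, including through the `nanopi.${ts_domain}` alias; nothing in the hunk shows how that directory is populated, so it should contain only the public root certificate — presumably the CA's key material lives elsewhere under Caddy's data directory, confirm — and dropping `browse` plus a comment like `# /var/lib/caddy/ca: public root certificate only` at the root line would make that intent explicit. The `allow { domains *.test *.${domain} }` list restricts only which names the CA will sign; any client that can reach the vhost and complete an ACME challenge for such a name gets a certificate, so network reachability of ports 80/443 is the real access control and deserves a sentence in a comment. The enclosing attribute set begins before this hunk.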