Diffstat (limited to 'system')
-rw-r--r-- | system/nano-hardware.nix | 17 | ||||
-rw-r--r-- | system/nano.nix | 70 |
2 files changed, 38 insertions, 49 deletions
diff --git a/system/nano-hardware.nix b/system/nano-hardware.nix
index 96a0a287..ce010ea2 100644
--- a/system/nano-hardware.nix
+++ b/system/nano-hardware.nix
@@ -16,27 +16,16 @@
 fileSystems."/" = {
- device = "/dev/disk/by-uuid/3e2e984a-0f2d-4615-be50-cea40090b463";
+ device = "/dev/disk/by-uuid/7c2a0514-b94f-4369-8898-4d038740a2cd";
 fsType = "ext4";
 };
 fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/96FE-219D";
+ device = "/dev/disk/by-uuid/EFF6-3E55";
 fsType = "vfat";
- options = [ "fmask=0022" "dmask=0022" ];
+ options = [ "fmask=0027" "dmask=0027" ];
 };
- swapDevices =
- [{ device = "/dev/disk/by-uuid/cfedef33-a711-42dd-8816-b1e119e20e55"; }];
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
- networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
- # networking.interfaces.eth1.useDHCP = lib.mkDefault true;
-
 nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
 }
diff --git a/system/nano.nix b/system/nano.nix
index 5de5d887..d0177809 100644
--- a/system/nano.nix
+++ b/system/nano.nix
@@ -29,19 +29,6 @@ in
 };
 srvos.boot.consoles = [ "ttyS2,1500000" ];
- boot.kernelPackages = pkgs.linuxWithBSDDisklabel;
- nixpkgs = {
- overlays = [
- (self: super: {
- linuxWithBSDDisklabel = super.linuxPackagesFor (super.linux.override {
- structuredExtraConfig = with lib.kernel; {
- BSD_DISKLABEL = yes;
- };
- ignoreConfigErrors = false;
- });
- })
- ];
- };
 hardware.deviceTree = {
 enable = true;
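Review bot: The new `/boot` mount options `fmask=0027`/`dmask=0027` still leave the ESP (and any systemd-boot random-seed file on it) readable by members of gid 0, whereas, as far as I recall, current `nixos-generate-config` emits `fmask=0077`/`dmask=0077` for a vfat `/boot`, which is also what clears systemd-boot's world-accessible-ESP warning without any group exposure. Unless a non-root user in group root needs to read the boot partition, `options = [ "fmask=0077" "dmask=0077" ];` is the tighter choice. The remaining changes in the hunk (new UUIDs, dropped swap device and `networking.useDHCP`) read as a regenerated hardware profile for a host that is moving to systemd-networkd and raise nothing on their own.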
@@ -71,13 +58,12 @@ in
 hosts = {
 "fd7a:115c:a1e0::53" = [ "tailscale" "ts" ];
 "192.168.100.1" = [ "modem" "pyur" ];
- "192.168.4.1" = [ "lte" ];
 };
 nameservers = [
- "2620::fe:fe"
- "2620::fe:9"
- "9.9.9.9"
- "149.112.112.112"
+ "9.9.9.11"
+ "149.112.112.11"
+ "2620:fe::11"
+ "2620:fe::fe:11"
 ];
 firewall = {
 trustedInterfaces = [
@@ -85,14 +71,20 @@ in
 "tailscale0"
 ];
 filterForward = true;
+ extraForwardRules = ''
+ iifname "tailscale0" oifname "${lan}" accept
+ iifname "${lan}" oifname "tailscale0" accept
+ '';
 };
 nftables.enable = true;
 nat = {
 enable = true;
 externalInterface = wan;
- internalInterfaces = [ lan ];
+ internalInterfaces = [
+ lan
+ "tailscale0"
+ ];
 };
- resolvconf.enable = false;
 };
 systemd.network = {
 enable = true;
@@ -112,7 +104,7 @@ in
 };
 };
 networks = {
- "50-${lan}" = {
+ "50-${lan}" = rec {
 matchConfig.Name = lan;
 address = [
 "10.0.0.1/16"
@@ -128,11 +120,12 @@ in
 IPv6AcceptRA = false;
 DHCPPrefixDelegation = true;
 ConfigureWithoutCarrier = true;
- LLMNR = true;
 MulticastDNS = true;
 Domains = [ config.networking.domain ];
 IPv6SendRA = !dnsmasqEnable;
 DHCPServer = !dnsmasqEnable;
+ DNS = map (a: builtins.head (lib.strings.splitString "/" a)) address;
+ DNSDefaultRoute = false;
 };
 dhcpPrefixDelegationConfig = {
 UplinkInterface = wan;
@@ -153,8 +146,10 @@ in
 DHCP = true;
 IPv6AcceptRA = true;
 IPv4Forwarding = true;
- LLMNR = false;
 MulticastDNS = false;
+ DNSDefaultRoute = true;
+ DNSOverTLS = true;
+ DNS = map (ns: "${ns}#dns11.quad9.net") config.networking.nameservers;
 };
 dhcpV4Config = {
 UseDNS = false;
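Review bot: The wan link now pins `DNSOverTLS = true` (strict mode) with Quad9's `#dns11.quad9.net` SNI names, which gives certificate-validated transport for the four static servers, but the per-link server list may not stop there: `dhcpV4Config.UseDNS = false` suppresses DHCPv4-learned servers, while RDNSS entries learned through `IPv6AcceptRA = true` are still accepted unless `ipv6AcceptRAConfig.UseDNS = false` is set outside this hunk, and in strict mode those ISP servers fail the TLS handshake rather than downgrade, so they only add failover latency and log noise. Worth confirming that `ipv6AcceptRAConfig.UseDNS = false;` exists, or adding it next to the `UseDNS = false` in `dhcpV4Config`. The `50-${lan}` network and its `dhcpPrefixDelegationConfig` continue past the end of this hunk.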
@@ -193,17 +188,22 @@ in
 };
 services.resolved = {
 enable = true;
- llmnr = "false";
- fallbackDns = config.networking.nameservers;
+ extraConfig = ''
+ DNS =
+ LLMNR = false
+ MulticastDNS = true
+ '';
 };
+ services.openssh.openFirewall = false;
+
 services.dnsmasq = {
 enable = dnsmasqEnable;
 alwaysKeepRunning = true;
- resolveLocalQueries = true;
 settings = {
 inherit domain;
 interface = lan;
+ except-interface = "lo";
 bind-interfaces = true;
 dhcp-fqdn = true;
 dhcp-authoritative = true;
@@ -218,9 +218,9 @@ in
 quiet-ra = true;
 enable-ra = true;
- dnssec = true;
- trust-anchor = ".,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
- server = config.networking.nameservers;
+ cache-size = 0;
+ no-resolv = true;
+ server = [ "127.0.0.53" ];
 expand-hosts = true;
 localise-queries = true;
@@ -231,7 +231,8 @@ in
 ];
 };
 };
- systemd.services.dnsmasq.after = [ "network.target" ];
+ systemd.services.dnsmasq.after = [ "network-online.target" ];
+ systemd.services.dnsmasq.wants = [ "network-online.target" ];
 # TODO find script
 # systemd.services.dynamic-dns-update = {
@@ -281,7 +282,6 @@ in
 services.tailscale = {
 enable = true;
 extraUpFlags = [
- "--accept-dns=false"
 "--advertise-exit-node"
 "--advertise-routes=10.0.0.0/16,fd12:d04f:65d:42::/56"
 ];
@@ -326,10 +326,6 @@ in
 ];
 };
- services.sshguard = {
- enable = true;
- };
-
 services.caddy = {
 enable = true;
 globalConfig = ''
@@ -423,6 +419,9 @@ in
 settings = {
 max-jobs = 2;
 builders-use-substitutes = true;
+ trusted-public-keys = [
+ "mba-1:CxokFjx7YAQWPWMJJKcP50ZpcPUCAFEOrtWdNUMTVjw="
+ ];
 };
 };
@@ -478,6 +477,7 @@ in
 };
 };
+ services.timesyncd.enable = false;
 services.chrony = {
 enable = true;
 extraConfig = ''
|
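Review bot: DNSSEC validation drops out of the resolver chain with this change: the `dnssec = true` and `trust-anchor` lines removed from dnsmasq (which now forwards everything to `127.0.0.53` with `cache-size = 0`) are not replaced by a `DNSSEC=` setting in the new `services.resolved.extraConfig`, and unless `services.resolved.dnssec` is set elsewhere in the file its NixOS default on recent releases is `"false"`, so nothing validates any more. If that is not intended, add `DNSSEC=allow-downgrade` (or `yes`) next to the new `DNS =` line, which presumably clears the global server list NixOS derives from `networking.nameservers`. Dropping `fallbackDns` also means resolved falls back to systemd's compiled-in FallbackDNS whenever no link supplies a default-route server, and that path is plaintext because `DNSOverTLS` is only set on the wan link; an explicit empty `FallbackDNS=` in the same block closes it (a global `DNSOverTLS=yes` would not work here, since the lan link's DNS points at dnsmasq). Separately, `server = [ "127.0.0.53" ]` combined with the lan link routing `Domains` queries back to dnsmasq can loop on names under the local domain that dnsmasq does not know, unless a `local=/${domain}/` entry exists outside this hunk; worth confirming.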