Diffstat (limited to 'system')
-rwxr-xr-xsystem/nanopi.nix119
-rw-r--r--system/prefect.nix5
2 files changed, 61 insertions, 63 deletions
diff --git a/system/nanopi.nix b/system/nanopi.nix
index 6116c62f..b4693530 100755
--- a/system/nanopi.nix
+++ b/system/nanopi.nix
@@ -70,6 +70,26 @@ in
     };
   };
 
+  systemd.services.backup-golink = {
+    enable = true;
+    startAt = "daily";
+    description = "Export short links from golink";
+    path = with pkgs; [ curl gitMinimal ];
+    script = ''
+      [ -d golink ] || git init --quiet golink --initial-branch=main --shared=world
+      git config --global user.email linde@alanpearce.eu
+      cd golink
+      curl https://go.${ts_domain}/.export > links.json
+      git add links.json
+      git commit -m $(date +%F)
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+      User = "linde";
+      WorkingDirectory = config.users.users.linde.home;
+    };
+  };
+
   services.journald.extraConfig = ''
     MaxRetentionSec=1 month
   '';
@@ -92,6 +112,9 @@ in
     hostName = "nanopi";
     domain = domain;
     search = [ domain ];
+    hosts = {
+      "fd7a:115c:a1e0::53" = [ "tailscale" "ts" ];
+    };
     useDHCP = false;
     useNetworkd = true;
     firewall = {
@@ -100,44 +123,10 @@ in
       logRefusedConnections = false;
       pingLimit = "5/second";
       filterForward = true; # we are a router
-      allowedUDPPorts = [
-        53
-        123
-      ];
-      allowedTCPPorts = [
-        53
-        123
-        80
-        443
+      trustedInterfaces = [
+        "bridge0"
+        "tailscale0"
       ];
-      interfaces.bridge0 = {
-        allowedTCPPorts = [
-          53
-          67
-          139
-          445
-          1883
-          3000
-          3689
-          5357
-          5533 # SmartDNS
-          8096
-          9091 # Transmission
-        ];
-        allowedUDPPorts = [
-          53
-          67
-          69
-          137
-          4011 # PXE
-          5533 # SmartDNS
-          5353
-          5355 # LLMNR
-          3702 # Samba WSDD
-          41641
-          51827
-        ];
-      };
       interfaces.wan0 = {
         allowedTCPPorts = [
           6980 # aria2c
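Review bot: `trustedInterfaces = [ "bridge0" "tailscale0" ]` accepts all input on those interfaces, so every socket this router binds on 0.0.0.0/:: — not only the TCP/UDP ports the removed bridge0 allowlist named — is now reachable from every LAN host and from every tailnet peer (including any node shared into the tailnet), and a service added later is exposed without any firewall change. If the intent is only to stop maintaining the port list, consider trusting one of the two interfaces and keeping `interfaces.bridge0.allowedTCPPorts`/`allowedUDPPorts` for the other, or add a comment stating that the LAN and tailnet are deliberately unfiltered so the next reader does not assume an allowlist still exists. Note also that 53/123 UDP and 53/123/80/443 TCP were previously allowed on every interface; after this hunk wan0, wlan0 and wwan0 only accept what their own `interfaces.*` entries list, which is presumably intended but worth a one-line comment. The `interfaces.wan0` block continues past the end of the hunk.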
@@ -350,13 +339,14 @@ in
         dhcpV4Config = {
           UseDNS = false;
           SendHostname = false;
-          RouteMetric = 2048;
+          UseRoutes = false;
         };
         ipv6AcceptRAConfig.UseDNS = false;
         routes = [
           {
             routeConfig = {
               Gateway = "_dhcp4";
+              Metric = 2048;
               QuickAck = true;
               InitialCongestionWindow = 30;
               InitialAdvertisedReceiveWindow = 30;
@@ -381,6 +371,7 @@ in
         };
         dhcpV4Config = {
           UseDNS = false;
+          UseRoutes = false;
           SendHostname = false;
           SendRelease = false;
           UseHostname = false;
@@ -396,6 +387,7 @@ in
         };
         ipv6AcceptRAConfig = {
           UseDNS = false;
+          UseGateway = false;
         };
         addresses = [
           {
@@ -407,6 +399,24 @@ in
             };
           }
         ];
+        routes = [
+          {
+            routeConfig = {
+              Gateway = "_dhcp4";
+              QuickAck = true;
+              InitialCongestionWindow = 30;
+              InitialAdvertisedReceiveWindow = 30;
+            };
+          }
+          {
+            routeConfig = {
+              Gateway = "_ipv6ra";
+              QuickAck = true;
+              InitialCongestionWindow = 30;
+              InitialAdvertisedReceiveWindow = 30;
+            };
+          }
+        ];
         cakeConfig = {
           Bandwidth = "24M";
           OverheadBytes = 18;
@@ -473,7 +483,7 @@ in
     settings = {
       local-ttl = 60;
       domain = domain;
-      dhcp-fqdn = false;
+      dhcp-fqdn = true;
       domain-needed = true;
       bogus-priv = true;
       no-resolv = true;
@@ -493,17 +503,17 @@ in
         # smartdns
         # "127.0.0.1#5533"
         # "::1#5533"
-        "/ts.net/100.100.100.100"
+        "/ts.net/tailscale"
       ];
       localise-queries = true;
       cname = [
-        "homeassistant,ha"
+        "ha,home-assistant"
       ];
       interface-name = [
-        "nanopi,bridge0"
-        "wan,wan0"
-        "wlan,wlan0"
-        "wwan,wwan0"
+        "nanopi.${domain},bridge0"
+        "wan.${domain},wan0"
+        "wlan.${domain},wlan0"
+        "wwan.${domain},wwan0"
       ];
       interface = [
         "lo"
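Review bot: `"/ts.net/tailscale"` in the dnsmasq `server` list names a host rather than an address; as far as I recall dnsmasq parses the address part of `server=` with inet_pton and rejects anything else with "bad address" at config load, and it does not consult /etc/hosts for its own configuration, so the `tailscale` alias this commit adds to `networking.hosts` would not help here and dnsmasq may fail to start. Keep a literal, e.g. `"/ts.net/fd7a:115c:a1e0::53"` (or the previous `100.100.100.100`), and use the alias only where a real resolver is consulted. The `server` list begins before the hunk, so I cannot see whether other entries rely on the same pattern.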
@@ -535,7 +545,7 @@ in
         "10:f0:68:12:b1:e0,10.0.0.11,Ruckus"
         "9c:93:4e:ad:05:c8,10.0.0.210,xerox-b210"
         "00:08:9b:f5:b8:25,10.0.0.42,dontpanic"
-        "d8:3a:dd:34:85:cc,d8:3a:dd:34:85:cd,10.0.0.81,ha"
+        "d8:3a:dd:34:85:cc,d8:3a:dd:34:85:cd,10.0.0.81,home-assistant"
       ];
       dhcp-option = [
         "option:ntp-server,0.0.0.0"
@@ -636,6 +646,7 @@ in
       isSystemUser = true;
       shell = "/bin/sh";
       home = "/srv/backup/linde";
+      homeMode = "755";
       createHome = true;
       packages = with pkgs; [ rdiff-backup ];
       openssh.authorizedKeys.keys = [
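Review bot: `homeMode = "755"` makes /srv/backup/linde traversable by every local account, and since rdiff-backup keeps the source files' own modes, anything backed up there that was world-readable on the source becomes readable by any user on this host. If the wider mode exists so another service can read the golink export this commit places in the same home, prefer `homeMode = "750"` with that service's user in linde's group, or give the export its own directory and leave the backup root at `700`. Either way a comment stating who needs the access would help, e.g. `homeMode = "750"; # group access for the golink export only`. The `users.users.linde` definition starts before the hunk.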
@@ -770,22 +781,6 @@ in
     '';
   };
 
-  services.avahi = {
-    enable = true;
-    nssmdns4 = true;
-    denyInterfaces = [ "wan0" "wwan0" "wlan0" ];
-    browseDomains = [
-      "alanpearce.eu"
-    ];
-    publish = {
-      enable = true;
-      hinfo = true;
-      addresses = true;
-      userServices = true;
-      workstation = true;
-    };
-  };
-
   services.samba = {
     enable = true;
     enableNmbd = false;
diff --git a/system/prefect.nix b/system/prefect.nix
index 9476f440..e60f22de 100644
--- a/system/prefect.nix
+++ b/system/prefect.nix
@@ -125,6 +125,9 @@
     interfaces.enp7s0 = {
       useDHCP = true;
     };
+    hosts = {
+      "fd7a:115c:a1e0::53" = [ "tailscale" "ts" ];
+    };
   };
   networking.nftables = {
     enable = true;
@@ -143,7 +146,7 @@
 
   services.resolved = {
     llmnr = "false";
-    dnssec = "true";
+    dnssec = "allow-downgrade";
   };
 
   services.tailscale.enable = true;