Diffstat (limited to 'system')
-rwxr-xr-x | system/nanopi.nix | 119 | ||||
-rw-r--r-- | system/prefect.nix | 5 |
2 files changed, 61 insertions, 63 deletions
diff --git a/system/nanopi.nix b/system/nanopi.nix
index 6116c62f..b4693530 100755
--- a/system/nanopi.nix
+++ b/system/nanopi.nix
@@ -70,6 +70,26 @@ in
 };
 };
 
+ systemd.services.backup-golink = {
+ enable = true;
+ startAt = "daily";
+ description = "Export short links from golink";
+ path = with pkgs; [ curl gitMinimal ];
+ script = ''
+ [ -d golink ] || git init --quiet golink --initial-branch=main --shared=world
+ git config --global user.email linde@alanpearce.eu
+ cd golink
+ curl https://go.${ts_domain}/.export > links.json
+ git add links.json
+ git commit -m $(date +%F)
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ User = "linde";
+ WorkingDirectory = config.users.users.linde.home;
+ };
+ };
+
 services.journald.extraConfig = ''
 MaxRetentionSec=1 month
 '';
@@ -92,6 +112,9 @@ in
 hostName = "nanopi";
 domain = domain;
 search = [ domain ];
+ hosts = {
+ "fd7a:115c:a1e0::53" = [ "tailscale" "ts" ];
+ };
 useDHCP = false;
 useNetworkd = true;
 firewall = {
@@ -100,44 +123,10 @@ in
 logRefusedConnections = false;
 pingLimit = "5/second";
 filterForward = true; # we are a router
- allowedUDPPorts = [
- 53
- 123
- ];
- allowedTCPPorts = [
- 53
- 123
- 80
- 443
+ trustedInterfaces = [
+ "bridge0"
+ "tailscale0"
 ];
- interfaces.bridge0 = {
- allowedTCPPorts = [
- 53
- 67
- 139
- 445
- 1883
- 3000
- 3689
- 5357
- 5533 # SmartDNS
- 8096
- 9091 # Transmission
- ];
- allowedUDPPorts = [
- 53
- 67
- 69
- 137
- 4011 # PXE
- 5533 # SmartDNS
- 5353
- 5355 # LLMNR
- 3702 # Samba WSDD
- 41641
- 51827
- ];
- };
 interfaces.wan0 = {
 allowedTCPPorts = [
 6980 # aria2c
@@ -350,13 +339,14 @@ in
 dhcpV4Config = {
 UseDNS = false;
 SendHostname = false;
- RouteMetric = 2048;
+ UseRoutes = false;
 };
 ipv6AcceptRAConfig.UseDNS = false;
 routes = [
 {
 routeConfig = {
 Gateway = "_dhcp4";
+ Metric = 2048;
 QuickAck = true;
 InitialCongestionWindow = 30;
 InitialAdvertisedReceiveWindow = 30;
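Review bot: `curl https://go.${ts_domain}/.export > links.json` has no `--fail`, so an HTTP 4xx/5xx response body is written over the last good export and committed, and `git commit -m $(date +%F)` exits non-zero whenever the export is unchanged, which would fail the daily unit (the NixOS `script` wrapper runs bash with `-e`, if I recall correctly). Fetch to a temporary file and only commit when something changed: `curl --fail --silent --show-error https://go.${ts_domain}/.export > links.json.tmp && mv links.json.tmp links.json`, then `git diff --cached --quiet || git commit -m "$(date +%F)"`. `git init --shared=world` additionally makes the exported links readable by every local account that can reach this user's home; drop `--shared=world` unless another account needs to read the repository. A one-line comment above `script` stating what `.export` returns and who consumes the repository would help the next reader.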
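Review bot: `trustedInterfaces = [ "bridge0" "tailscale0" ]` accepts all input from the LAN bridge and the tailnet, replacing the per-port allowlist for bridge0 that the same hunk removes, so every service listening on this router (the removed list alone shows Samba, MQTT, Transmission and several web UIs) becomes reachable from any device on either segment. Whether trusted interfaces also bypass the forward chain that `filterForward = true` sets up is worth checking against the NixOS nftables implementation, since this host is the router. If the goal was only to stop maintaining port lists for the tailnet, keep `interfaces.bridge0.allowedTCPPorts` / `allowedUDPPorts` and trust `tailscale0` alone; either way a comment such as `# bridge0 is fully trusted: any LAN device may reach every local service` would record the decision. Dropping the interface-wide `allowedTCPPorts = [ 53 123 80 443 ]` does tighten wan0, which is a welcome side effect.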
@@ -381,6 +371,7 @@ in
 };
 dhcpV4Config = {
 UseDNS = false;
+ UseRoutes = false;
 SendHostname = false;
 SendRelease = false;
 UseHostname = false;
@@ -396,6 +387,7 @@ in
 };
 ipv6AcceptRAConfig = {
 UseDNS = false;
+ UseGateway = false;
 };
 addresses = [
 {
@@ -407,6 +399,24 @@ in
 };
 }
 ];
+ routes = [
+ {
+ routeConfig = {
+ Gateway = "_dhcp4";
+ QuickAck = true;
+ InitialCongestionWindow = 30;
+ InitialAdvertisedReceiveWindow = 30;
+ };
+ }
+ {
+ routeConfig = {
+ Gateway = "_ipv6ra";
+ QuickAck = true;
+ InitialCongestionWindow = 30;
+ InitialAdvertisedReceiveWindow = 30;
+ };
+ }
+ ];
 cakeConfig = {
 Bandwidth = "24M";
 OverheadBytes = 18;
@@ -473,7 +483,7 @@ in
 settings = {
 local-ttl = 60;
 domain = domain;
- dhcp-fqdn = false;
+ dhcp-fqdn = true;
 domain-needed = true;
 bogus-priv = true;
 no-resolv = true;
@@ -493,17 +503,17 @@ in
 # smartdns
 # "127.0.0.1#5533"
 # "::1#5533"
- "/ts.net/100.100.100.100"
+ "/ts.net/tailscale"
 ];
 localise-queries = true;
 cname = [
- "homeassistant,ha"
+ "ha,home-assistant"
 ];
 interface-name = [
- "nanopi,bridge0"
- "wan,wan0"
- "wlan,wlan0"
- "wwan,wwan0"
+ "nanopi.${domain},bridge0"
+ "wan.${domain},wan0"
+ "wlan.${domain},wlan0"
+ "wwan.${domain},wwan0"
 ];
 interface = [
 "lo"
@@ -535,7 +545,7 @@ in
 "10:f0:68:12:b1:e0,10.0.0.11,Ruckus"
 "9c:93:4e:ad:05:c8,10.0.0.210,xerox-b210"
 "00:08:9b:f5:b8:25,10.0.0.42,dontpanic"
- "d8:3a:dd:34:85:cc,d8:3a:dd:34:85:cd,10.0.0.81,ha"
+ "d8:3a:dd:34:85:cc,d8:3a:dd:34:85:cd,10.0.0.81,home-assistant"
 ];
 dhcp-option = [
 "option:ntp-server,0.0.0.0"
@@ -636,6 +646,7 @@ in
 isSystemUser = true;
 shell = "/bin/sh";
 home = "/srv/backup/linde";
+ homeMode = "755";
 createHome = true;
 packages = with pkgs; [ rdiff-backup ];
 openssh.authorizedKeys.keys = [
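Review bot: `"/ts.net/tailscale"` passes a hostname where the list this entry belongs to (it reads as dnsmasq's `server=` setting, though its name is outside the hunk) takes a literal upstream address; as far as I know dnsmasq rejects a hostname here at startup with a "bad address" error rather than resolving it, and the `hosts` entry for `fd7a:115c:a1e0::53` added earlier in this file does not help because dnsmasq does not consult /etc/hosts for upstream servers. With `no-resolv = true` there is no fallback upstream if the line is rejected. Keep the literal address, e.g. `"/ts.net/100.100.100.100"` or `"/ts.net/fd7a:115c:a1e0::53"`, and confirm the generated file with `dnsmasq --test`. The enclosing `settings` attribute set starts and ends outside this hunk.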
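Review bot: `homeMode = "755"` makes `/srv/backup/linde` traversable by every local account; this block appears to define the `linde` user that the new backup-golink unit uses as `WorkingDirectory`, and that repository is created with `--shared=world`, so the exported links and any other world-readable file under a backup destination become readable system-wide. If a single other service only needs to traverse the directory, `750` plus membership in this user's group is the narrower grant. At minimum a comment stating which consumer needs the relaxed mode would record the reason, e.g. `# 755: <consumer> must be able to traverse this directory`. The user definition begins and ends outside this hunk.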
@@ -770,22 +781,6 @@ in
 '';
 };
 
- services.avahi = {
- enable = true;
- nssmdns4 = true;
- denyInterfaces = [ "wan0" "wwan0" "wlan0" ];
- browseDomains = [
- "alanpearce.eu"
- ];
- publish = {
- enable = true;
- hinfo = true;
- addresses = true;
- userServices = true;
- workstation = true;
- };
- };
-
 services.samba = {
 enable = true;
 enableNmbd = false;
diff --git a/system/prefect.nix b/system/prefect.nix
index 9476f440..e60f22de 100644
--- a/system/prefect.nix
+++ b/system/prefect.nix
@@ -125,6 +125,9 @@
 interfaces.enp7s0 = {
 useDHCP = true;
 };
+ hosts = {
+ "fd7a:115c:a1e0::53" = [ "tailscale" "ts" ];
+ };
 };
 networking.nftables = {
 enable = true;
@@ -143,7 +146,7 @@
 
 services.resolved = {
 llmnr = "false";
- dnssec = "true";
+ dnssec = "allow-downgrade";
 };
 
 services.tailscale.enable = true;
|
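Review bot: `dnssec = "allow-downgrade"` makes validation opportunistic: systemd-resolved silently stops validating when the upstream does not return DNSSEC records, which an on-path attacker can arrange simply by stripping them, so the host loses the protection that `"true"` provided and the commit records no reason for it. If the motivation is a single unsigned zone (the `ts.net` hosts entries added alongside suggest Tailscale MagicDNS, but that is a guess), `DNSSECNegativeTrustAnchors=ts.net` via `services.resolved.extraConfig` keeps strict validation everywhere else. Otherwise add a comment above the line naming the resolver or zone that fails validation so the downgrade can be reverted once it is fixed.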