From d46863c777bae46d93e46d96be5e72881f4dd400 Mon Sep 17 00:00:00 2001
From: Alan Pearce
Date: Fri, 31 May 2024 00:20:29 +0200
Subject: prefect: fix dns resolution
---
 system/prefect.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'system')
diff --git a/system/prefect.nix b/system/prefect.nix
index 9476f440..8221623d 100644
--- a/system/prefect.nix
+++ b/system/prefect.nix
@@ -143,7 +143,7 @@ services.resolved = {
 llmnr = "false";
- dnssec = "true";
+ dnssec = "allow-downgrade";
 };
 services.tailscale.enable = true;
-- cgit 1.4.1
From c71113f92994c4174bfdb191e8a5123e1fa60e40 Mon Sep 17 00:00:00 2001
From: Alan Pearce
Date: Fri, 31 May 2024 00:22:01 +0200
Subject: nanopi: simplify firewall
---
 system/nanopi.nix | 40 +++-------------------------------------
 1 file changed, 3 insertions(+), 37 deletions(-)
(limited to 'system')
diff --git a/system/nanopi.nix b/system/nanopi.nix
index 6116c62f..cc8ba062 100755
--- a/system/nanopi.nix
+++ b/system/nanopi.nix
@@ -100,44 +100,10 @@ in
 logRefusedConnections = false;
 pingLimit = "5/second";
 filterForward = true; # we are a router
- allowedUDPPorts = [
- 53
- 123
- ];
- allowedTCPPorts = [
- 53
- 123
- 80
- 443
+ trustedInterfaces = [
+ "bridge0"
+ "tailscale0"
 ];
- interfaces.bridge0 = {
- allowedTCPPorts = [
- 53
- 67
- 139
- 445
- 1883
- 3000
- 3689
- 5357
- 5533 # SmartDNS
- 8096
- 9091 # Transmission
- ];
- allowedUDPPorts = [
- 53
- 67
- 69
- 137
- 4011 # PXE
- 5533 # SmartDNS
- 5353
- 5355 # LLMNR
- 3702 # Samba WSDD
- 41641
- 51827
- ];
- };
 interfaces.wan0 = {
 allowedTCPPorts = [
 6980 # aria2c
-- cgit 1.4.1
From 84b93c8b1c03379dcf3f76ddd29db4dcbb7cffcd Mon Sep 17 00:00:00 2001
From: Alan Pearce
Date: Fri, 31 May 2024 00:22:43 +0200
Subject: nanopi: optimise routing
---
 system/nanopi.nix | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
(limited to 'system')
diff --git a/system/nanopi.nix b/system/nanopi.nix
index cc8ba062..18e9a647 100755
--- a/system/nanopi.nix
+++ b/system/nanopi.nix
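Review bot: `dnssec = "allow-downgrade"` makes resolved accept unvalidated answers whenever DNSSEC validation fails, so any resolver on the path that strips signatures silently switches validation off; that is a weaker guarantee than the `"true"` it replaces, and the hunk records neither which upstream failed nor that the loss is accepted. A comment on the line would keep the decision visible, e.g. `dnssec = "allow-downgrade"; # validation fails against the current upstream (see d46863c); unvalidated fallback accepted`. If only one upstream is the problem, pointing resolved at a validating resolver would let `"true"` stay. The `services.resolved` set starts and ends outside the hunk.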
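Review bot: `trustedInterfaces = [ "bridge0" "tailscale0" ]` accepts every inbound port on those interfaces, so the bridge0 allow-lists removed in this hunk are not consolidated but replaced by unrestricted exposure of whatever is listening on the LAN and the tailnet, including any daemon added later or bound to all addresses by default. On the tailnet side Tailscale ACLs may still narrow that, but nothing limits it on bridge0 any more. If that is the intent, record it: `trustedInterfaces = [ ... ]; # LAN and tailnet fully trusted: every listening service is reachable here`; otherwise keep `interfaces.bridge0.allowedTCPPorts`/`allowedUDPPorts` and trust only `tailscale0`. The removed global `allowedUDPPorts`/`allowedTCPPorts` (53, 123, 80, 443) appear to have applied on every interface, wan0 included, so that part is a tightening the commit message could mention. The firewall set continues outside the hunk.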
@@ -347,6 +347,7 @@ in
 };
 dhcpV4Config = {
 UseDNS = false;
+ UseRoutes = false;
 SendHostname = false;
 SendRelease = false;
 UseHostname = false;
@@ -362,6 +363,7 @@ in
 };
 ipv6AcceptRAConfig = {
 UseDNS = false;
+ UseGateway = false;
 };
 addresses = [
 {
@@ -373,6 +375,24 @@ in
 };
 }
 ];
+ routes = [
+ {
+ routeConfig = {
+ Gateway = "_dhcp4";
+ QuickAck = true;
+ InitialCongestionWindow = 30;
+ InitialAdvertisedReceiveWindow = 30;
+ };
+ }
+ {
+ routeConfig = {
+ Gateway = "_ipv6ra";
+ QuickAck = true;
+ InitialCongestionWindow = 30;
+ InitialAdvertisedReceiveWindow = 30;
+ };
+ }
+ ];
 cakeConfig = {
 Bandwidth = "24M";
 OverheadBytes = 18;
-- cgit 1.4.1
From 822aa69ea26feb343432c96f3d7a930ae4bdb69d Mon Sep 17 00:00:00 2001
From: Alan Pearce
Date: Fri, 31 May 2024 00:23:20 +0200
Subject: nanopi: fix interface-name- based DNS resolution
---
 system/nanopi.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'system')
diff --git a/system/nanopi.nix b/system/nanopi.nix
index 18e9a647..a95d9dc0 100755
--- a/system/nanopi.nix
+++ b/system/nanopi.nix
@@ -486,10 +486,10 @@ in
 "homeassistant,ha"
 ];
 interface-name = [
- "nanopi,bridge0"
- "wan,wan0"
- "wlan,wlan0"
- "wwan,wwan0"
+ "nanopi.${domain},bridge0"
+ "wan.${domain},wan0"
+ "wlan.${domain},wlan0"
+ "wwan.${domain},wwan0"
 ];
 interface = [
 "lo"
-- cgit 1.4.1
From f2950bc0c8cab32de1cdcb5cdde00d5db3dbf10f Mon Sep 17 00:00:00 2001
From: Alan Pearce
Date: Fri, 31 May 2024 00:23:47 +0200
Subject: nanopi: rename home-assistant host but keep cname from "ha"
---
 system/nanopi.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'system')
diff --git a/system/nanopi.nix b/system/nanopi.nix
index a95d9dc0..60c3fa9a 100755
--- a/system/nanopi.nix
+++ b/system/nanopi.nix
@@ -483,7 +483,7 @@ in
 ];
 localise-queries = true;
 cname = [
- "homeassistant,ha"
+ "ha,home-assistant"
 ];
 interface-name = [
 "nanopi.${domain},bridge0"
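Review bot: The two `routeConfig` entries in the `routes = [` hunk set `InitialCongestionWindow = 30` and `InitialAdvertisedReceiveWindow = 30` with no explanation, and neither default route gets a `Metric`, whereas the other interface's `_dhcp4` route receives `Metric = 2048` in b52444517; if both interfaces can hold a default route at once, which one wins is left to kernel defaults rather than this file. A comment above `routes = [`, e.g. `# replace the DHCP/RA default routes so the TCP tuning below applies; window sizes tuned for this uplink`, plus an explicit `Metric` on each entry would make the preference deliberate. `UseRoutes = false` and `UseGateway = false` in the first two hunks of this commit presumably also discard any other routes the DHCP server or RA advertises, not only the default, which is worth stating in that comment. The network stanza starts and ends outside these hunks.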
@@ -521,7 +521,7 @@ in
 "10:f0:68:12:b1:e0,10.0.0.11,Ruckus"
 "9c:93:4e:ad:05:c8,10.0.0.210,xerox-b210"
 "00:08:9b:f5:b8:25,10.0.0.42,dontpanic"
- "d8:3a:dd:34:85:cc,d8:3a:dd:34:85:cd,10.0.0.81,ha"
+ "d8:3a:dd:34:85:cc,d8:3a:dd:34:85:cd,10.0.0.81,home-assistant"
 ];
 dhcp-option = [
 "option:ntp-server,0.0.0.0"
-- cgit 1.4.1
From 7a39e5486b55f3f723ad664cfa741225940e86f6 Mon Sep 17 00:00:00 2001
From: Alan Pearce
Date: Fri, 31 May 2024 00:24:19 +0200
Subject: dnsmasq: require FQDN systemd-resolved will add this automatically
---
 system/nanopi.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'system')
diff --git a/system/nanopi.nix b/system/nanopi.nix
index 60c3fa9a..d55a6768 100755
--- a/system/nanopi.nix
+++ b/system/nanopi.nix
@@ -459,7 +459,7 @@ in
 settings = {
 local-ttl = 60;
 domain = domain;
- dhcp-fqdn = false;
+ dhcp-fqdn = true;
 domain-needed = true;
 bogus-priv = true;
 no-resolv = true;
-- cgit 1.4.1
From 754c82e8f28a79402135a8442ed689633d433c7e Mon Sep 17 00:00:00 2001
From: Alan Pearce
Date: Fri, 31 May 2024 00:24:48 +0200
Subject: nanopi: prefer ipv6 tailscale address
---
 system/nanopi.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'system')
diff --git a/system/nanopi.nix b/system/nanopi.nix
index d55a6768..a37a1c4b 100755
--- a/system/nanopi.nix
+++ b/system/nanopi.nix
@@ -92,6 +92,9 @@ in
 hostName = "nanopi";
 domain = domain;
 search = [ domain ];
+ hosts = {
+ "fd7a:115c:a1e0::53" = [ "tailscale" "ts" ];
+ };
 useDHCP = false;
 useNetworkd = true;
 firewall = {
@@ -479,7 +482,7 @@ in
 # smartdns
 # "127.0.0.1#5533"
 # "::1#5533"
- "/ts.net/100.100.100.100"
+ "/ts.net/tailscale"
 ];
 localise-queries = true;
 cname = [
-- cgit 1.4.1
From b52444517ce8f5e9b28838aa10f4ddc3fc014dda Mon Sep 17 00:00:00 2001
From: Alan Pearce
Date: Fri, 31 May 2024 00:25:10 +0200
Subject: nanopi: remove duplicate default route
---
 system/nanopi.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'system')
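Review bot: `"/ts.net/tailscale"` in the second hunk of commit 754c82e hands dnsmasq a host name where its `server=` option expects an IP address; as far as I know dnsmasq does not resolve names in `server=` (it would have to query itself to do so) and rejects the line at startup, which would take the whole resolver down rather than just ts.net forwarding. If the aim is the IPv6 address, the literal the first hunk already adds to `hosts` is the safe form for dnsmasq: `"/ts.net/fd7a:115c:a1e0::53"`, with the `hosts` entry kept for human use. Worth confirming against the deployed dnsmasq version before merging. Both the `networking` and the `settings` sets continue outside their hunks.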
diff --git a/system/nanopi.nix b/system/nanopi.nix
index a37a1c4b..19793909 100755
--- a/system/nanopi.nix
+++ b/system/nanopi.nix
@@ -319,13 +319,14 @@ in
 dhcpV4Config = {
 UseDNS = false;
 SendHostname = false;
- RouteMetric = 2048;
+ UseRoutes = false;
 };
 ipv6AcceptRAConfig.UseDNS = false;
 routes = [
 {
 routeConfig = {
 Gateway = "_dhcp4";
+ Metric = 2048;
 QuickAck = true;
 InitialCongestionWindow = 30;
 InitialAdvertisedReceiveWindow = 30;
-- cgit 1.4.1
From f6e78e0b82d886b3b628912a750fcad2ae8ca596 Mon Sep 17 00:00:00 2001
From: Alan Pearce
Date: Fri, 31 May 2024 00:25:27 +0200
Subject: nanopi: remove avahi
---
 system/nanopi.nix | 16 ----------------
 1 file changed, 16 deletions(-)
(limited to 'system')
diff --git a/system/nanopi.nix b/system/nanopi.nix
index 19793909..53664de1 100755
--- a/system/nanopi.nix
+++ b/system/nanopi.nix
@@ -760,22 +760,6 @@ in
 '';
 };
- services.avahi = {
- enable = true;
- nssmdns4 = true;
- denyInterfaces = [ "wan0" "wwan0" "wlan0" ];
- browseDomains = [
- "alanpearce.eu"
- ];
- publish = {
- enable = true;
- hinfo = true;
- addresses = true;
- userServices = true;
- workstation = true;
- };
- };
 services.samba = {
 enable = true;
 enableNmbd = false;
-- cgit 1.4.1
From d7cefcf0500f02cd81eeadcde1193618fa6101fb Mon Sep 17 00:00:00 2001
From: Alan Pearce
Date: Fri, 31 May 2024 00:26:30 +0200
Subject: nanopi: keep an export of golink data in a git repo
---
 system/nanopi.nix | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
(limited to 'system')
diff --git a/system/nanopi.nix b/system/nanopi.nix
index 53664de1..b4693530 100755
--- a/system/nanopi.nix
+++ b/system/nanopi.nix
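Review bot: Replacing `RouteMetric = 2048` with `UseRoutes = false` changes more than the metric: with `UseRoutes = false` networkd presumably ignores every route the DHCP server offers, classless static routes included, and only the hand-written `_dhcp4` route with `Metric = 2048` remains. The commit title speaks of a duplicate default route, so a comment should say the wider effect is intended, e.g. `UseRoutes = false; # ignore all DHCP-supplied routes; the default route is declared below with an explicit metric`. `ipv6AcceptRAConfig.UseDNS = false;` still lets an RA install a gateway here, unlike the stanza in 84b93c8 where `UseGateway = false` was added, so if the IPv6 side was duplicated in the same way it still is. The interface stanza continues outside the hunk.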
@@ -70,6 +70,26 @@ in
 };
 };
+ systemd.services.backup-golink = {
+ enable = true;
+ startAt = "daily";
+ description = "Export short links from golink";
+ path = with pkgs; [ curl gitMinimal ];
+ script = ''
+ [ -d golink ] || git init --quiet golink --initial-branch=main --shared=world
+ git config --global user.email linde@alanpearce.eu
+ cd golink
+ curl https://go.${ts_domain}/.export > links.json
+ git add links.json
+ git commit -m $(date +%F)
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ User = "linde";
+ WorkingDirectory = config.users.users.linde.home;
+ };
+ };
+
 services.journald.extraConfig = ''
 MaxRetentionSec=1 month
 '';
@@ -626,6 +646,7 @@ in
 isSystemUser = true;
 shell = "/bin/sh";
 home = "/srv/backup/linde";
+ homeMode = "755";
 createHome = true;
 packages = with pkgs; [ rdiff-backup ];
 openssh.authorizedKeys.keys = [
-- cgit 1.4.1
From bdb3cd38ec63c9945a2d54819943f482bed197d1 Mon Sep 17 00:00:00 2001
From: Alan Pearce
Date: Fri, 31 May 2024 00:27:07 +0200
Subject: prefect: add host entry for tailscale local IP
---
 system/prefect.nix | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'system')
diff --git a/system/prefect.nix b/system/prefect.nix
index 8221623d..e60f22de 100644
--- a/system/prefect.nix
+++ b/system/prefect.nix
@@ -125,6 +125,9 @@
 interfaces.enp7s0 = {
 useDHCP = true;
 };
+ hosts = {
+ "fd7a:115c:a1e0::53" = [ "tailscale" "ts" ];
+ };
 };
 networking.nftables = {
 enable = true;
-- cgit 1.4.1
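Review bot: `curl https://go.${ts_domain}/.export > links.json` has no `--fail`, so an HTTP error body is written over links.json and committed, and because the shell redirect truncates the file before curl runs, a connection failure leaves an empty tracked file even though the script aborts on the non-zero exit. `git commit -m $(date +%F)` exits non-zero whenever nothing changed since the previous run, so the daily unit fails on every quiet day, and `git config --global user.email` rewrites the user's global gitconfig on every run as a side effect. The rewrite below fetches into a temporary file, commits only when the staged export differs, and passes the identity with `-c` instead of touching global config. Separately, `--shared=world` together with `homeMode = "755"` in the second hunk of this commit makes the exported link list readable by every local account; if the short links point at anything internal, a narrower home mode and the default `git init` sharing keep the backup private to the `linde` user. The `systemd.services.backup-golink` set is complete within the hunk; the `users.users` set in the second hunk continues outside it.
```nix
      script = ''
        # … unchanged: git init …
        cd golink
        # fetch into a temporary file so a failed request cannot truncate the tracked export
        curl --fail --silent --show-error --output links.json.tmp https://go.${ts_domain}/.export
        mv links.json.tmp links.json
        git add links.json
        # a no-op commit exits non-zero and would fail the unit; commit only when the export changed
        git diff --quiet --cached || git -c user.email=linde@alanpearce.eu commit -m "$(date +%F)"
      '';
```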
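Review bot: The `hosts` entry `"fd7a:115c:a1e0::53" = [ "tailscale" "ts" ];` in the prefect.nix hunk is duplicated verbatim from nanopi.nix (commit 754c82e), so the address now lives in two files that will drift independently; a shared module or one value imported by both would keep a single point of change. Nothing in either file says what the literal is, and the earlier commit only shows it standing in for 100.100.100.100 in the dnsmasq `server=` line, so a comment such as `# Tailscale MagicDNS resolver, IPv6 form` on the line would help the next reader. The `networking` set continues outside the hunk.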