diff --git a/container/Git.nix b/container/Git.nix
index b63cf2da..9e5438c4 100644
--- a/container/Git.nix
+++ b/container/Git.nix
@@ -105,6 +105,24 @@ in {
 };
 };
 };
+
+ systemd = {
+ services = {
+ forgejo = {
+ serviceConfig.PrivateNetwork = lib.mkForce false;
+ wantedBy = lib.mkForce [ ];
+ };
+ };
+ timers.fixsystemd = {
+ timerConfig = {
+ OnBootSec = 5;
+ Unit = "forgejo.service";
+ };
+ wantedBy = [
+ "timers.target"
+ ];
+ };
+ };
 };
 };
 };
diff --git a/container/Vpn.nix b/container/Vpn.nix
index 62e7f320..b151df6a 100644
--- a/container/Vpn.nix
+++ b/container/Vpn.nix
@@ -47,7 +47,7 @@ in {
 "data"
 ];
- # HACK: When using `networking.interfaces.*` it breaks. This works tho.
+ # HACK: I have no idea how to fully manage the container interface via networkd, so just add a route manually.
 systemd.services.vpn-route = util.mkStaticSystemdService {
 enable = true;
 description = "Hack vpn routes on host";
@@ -55,9 +55,11 @@ in {
 wants = [ "container@vpn.service" ];
 wantedBy = [ "multi-user.target" ];
 serviceConfig = {
- ExecStart = "${pkgs.iproute2}/bin/ip route add ${cfg.clients} via ${cfg.address} dev ve-vpn";
- Type = "oneshot";
+ Type = "oneshot";
 };
+ script = ''
+ ${pkgs.iproute2}/bin/ip route add ${cfg.clients} via ${cfg.address} dev ve-vpn || true
+ '';
 };
 containers.vpn = container.mkContainer cfg {
diff --git a/host/x86_64-linux/home/Container.nix b/host/x86_64-linux/home/Container.nix
index f97e2b08..1b64a9aa 100644
--- a/host/x86_64-linux/home/Container.nix
+++ b/host/x86_64-linux/home/Container.nix
@@ -1,8 +1,12 @@
 { ... }: {
 container = {
- enable = true;
- autoStart = true;
-
+ enable = true;
+ autoStart = true;
+ domain = "voronind.com";
+ host = "188.242.247.132";
+ interface = "enp8s0";
+ localAccess = "10.0.0.0/24";
+ storage = "/storage/hot/container";
 module = {
 change.enable = true;
 cloud.enable = true;
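Review bot: `serviceConfig.PrivateNetwork = lib.mkForce false` strips whatever network-namespace isolation the forgejo unit otherwise gets (something must be setting it to true, or the mkForce is dead weight), and the hunk gives no reason, so a one-line comment such as `# Forgejo needs the container's veth, which a private network namespace hides -- confirm` belongs above it. The `fixsystemd` timer together with the emptied `wantedBy` reads as a start-ordering workaround: a fixed `OnBootSec = 5` is a race that silently leaves forgejo down on a slow boot, whereas `after = [ "network-online.target" ]; wants = [ "network-online.target" ];` on forgejo.service keeps it in the boot transaction with a real dependency. If the timer must stay, give it a name and `description` that say what it fixes; `fixsystemd` does not. The enclosing attribute set begins above this hunk.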
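Review bot: The `|| true` in the new `script` makes vpn-route report success even when no route was installed -- for instance when `ve-vpn` does not exist yet because the container is still starting, or when `cfg.clients` is malformed -- and without that route, traffic for the VPN clients presumably falls back to the default route and the outage goes unnoticed. If the failure being masked is the `File exists` error on re-runs, `ip route replace` is idempotent while still failing on real errors: `${pkgs.iproute2}/bin/ip route replace ${cfg.clients} via ${cfg.address} dev ve-vpn`. Whether the unit also orders itself `after` the container is outside this hunk, as is the rest of the service definition.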
@@ -32,12 +36,6 @@
 watch.enable = true;
 yt.enable = true;
 };
-
- domain = "voronind.com";
- host = "188.242.247.132";
- interface = "enp8s0";
- localAccess = "10.0.0.0/24";
- storage = "/storage/hot/container";
 media = {
 anime = [
 "/storage/cold_1/anime"
diff --git a/host/x86_64-linux/home/Network.nix b/host/x86_64-linux/home/Network.nix
index c639f3f2..e24d989d 100644
--- a/host/x86_64-linux/home/Network.nix
+++ b/host/x86_64-linux/home/Network.nix
@@ -1,4 +1,4 @@
-# 10.0.0.0/24 - wired clients.
+# 10.0.0.0/24 - wired clients (lan).
 # 10.1.0.0/24 - containers.
 # 10.1.1.0/24 - vpn clients.
 # 192.168.1.0/24 - 5G wireless clients.
@@ -19,20 +19,82 @@ in {
 # Disable SSH access from everywhere, configure access bellow.
 services.openssh.openFirewall = false;
+ # NOTE: Debugging.
+ systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
+
+ # Wan configuration.
+ systemd.network = {
+ networks = {
+ "10-${wan}" = {
+ matchConfig.Name = wan;
+ linkConfig.RequiredForOnline = "carrier";
+ dhcpV4Config = {
+ UseDNS = false;
+ UseRoutes = true;
+ ClientIdentifier = "mac";
+ };
+ dhcpV6Config = {
+ UseDNS = false;
+ };
+ networkConfig = {
+ DHCP = "yes";
+ DNS = "1.1.1.1";
+ IPv6AcceptRA = true;
+ };
+ };
+ "20-enp6s0f0" = {
+ matchConfig.Name = "enp6s0f0";
+ networkConfig.Bridge = lan;
+ linkConfig.RequiredForOnline = "enslaved";
+ };
+ "20-enp6s0f1" = {
+ matchConfig.Name = "enp6s0f1";
+ networkConfig.Bridge = lan;
+ linkConfig.RequiredForOnline = "enslaved";
+ };
+ "20-enp7s0f0" = {
+ matchConfig.Name = "enp7s0f0";
+ networkConfig.Bridge = lan;
+ linkConfig.RequiredForOnline = "enslaved";
+ };
+ "20-enp7s0f1" = {
+ matchConfig.Name = "enp7s0f1";
+ networkConfig.Bridge = lan;
+ linkConfig.RequiredForOnline = "enslaved";
+ };
+ "30-${lan}" = {
+ matchConfig.Name = lan;
+ bridgeConfig = {};
+ linkConfig.RequiredForOnline = "carrier";
+ address = [
+ "10.0.0.1/24"
+ ];
+ routes = [
+ # Wifi 5G clients.
+ { routeConfig = {
+ Gateway = wifi;
+ Destination = "192.168.1.0/24";
+ }; }
+ # Wifi 2G clients.
+ { routeConfig = {
+ Gateway = wifi;
+ Destination = "192.168.2.0/24";
+ }; }
+ ];
+ };
+ };
+
+ netdevs = {
+ "10-${lan}" = {
+ netdevConfig = {
+ Kind = "bridge";
+ Name = lan;
+ };
+ };
+ };
+ };
+
 networking = {
- # Use only external DNS.
- networkmanager.insertNameservers = [
- "1.1.1.1"
- "8.8.8.8"
- ];
-
- # Some extra hosts for local access.
- extraHosts = with config.container.module; (util.trimTabs ''
- ${git.address} git.voronind.com
- ${proxy.address} iot.voronind.com
- ${proxy.address} pass.voronind.com
- '');
-
 firewall = {
 enable = true;
 allowPing = true;
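Review bot: The `# NOTE: Debugging.` line commits `SYSTEMD_LOG_LEVEL = "debug"` for systemd-networkd on the router, which floods the journal on every boot and records DHCP lease and RA details indefinitely; drop it before merging or put it behind an option that is off by default. In `"30-${lan}"`, `address = [ "10.0.0.1/24" ]` hardcodes the gateway address that the removed block took from `internal`, so `"${internal}/24"` keeps a single source of truth for the LAN address (assuming `internal` is a plain address string in the `let`, as the removed `address = internal;` suggests). The removed `extraHosts` entries for git/iot/pass are not replaced in this hunk; unless a local resolver handles them elsewhere, LAN clients now resolve those names via public DNS to the WAN address. The `in {` block this hunk edits begins above it.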
@@ -105,41 +167,5 @@ in {
 # SSH access from WAN.
 # + (mkForward external 22143 config.container.host 22143 tcp)
 };
-
- # Create Lan bridge.
- bridges.${lan}.interfaces = [
- "enp6s0f0"
- "enp6s0f1"
- "enp7s0f0"
- "enp7s0f1"
- ];
-
- interfaces = {
- ${lan}.ipv4 = {
- # Assign Lan address and subnet.
- addresses = [
- {
- address = internal;
- prefixLength = 24;
- }
- ];
-
- # Assign traffic routes.
- routes = [
- # Wifi 5G clients.
- {
- address = "192.168.1.0";
- prefixLength = 24;
- via = wifi;
- }
- # Wifi 2.4G clients.
- {
- address = "192.168.2.0";
- prefixLength = 24;
- via = wifi;
- }
- ];
- };
- };
 };
 }
diff --git a/system/Network.nix b/system/Network.nix
index decf03a6..dd826b9c 100644
--- a/system/Network.nix
+++ b/system/Network.nix
@@ -7,7 +7,15 @@
 };
 networking = {
- networkmanager.enable = true;
 dhcpcd.enable = false;
+ networkmanager = {
+ enable = true;
+ unmanaged = [
+ "bridge"
+ "ethernet"
+ "loopback"
+ "wireguard"
+ ];
+ };
 };
 }
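Review bot: The `unmanaged` entries `"bridge"`, `"ethernet"`, `"loopback"` and `"wireguard"` are NetworkManager device specs, and an unprefixed spec is read as an interface name (or MAC), not a device type; as written they only unmanage a NIC literally called `ethernet` and so on, so NM keeps managing the same interfaces networkd now configures and the two daemons can fight over DHCP, routes and DNS on the WAN. If the intent is per-type, the specs are `"type:bridge"`, `"type:ethernet"`, `"type:loopback"`, `"type:wireguard"`. A comment such as `# networkd owns wired, bridge and wireguard interfaces; NM is kept for wifi only` would record why NM stays enabled at all, if that is the reason. The surrounding attribute set begins above this hunk.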