Compare commits
4 commits
58d0e946a3
...
c8494dc85b
Author | SHA1 | Date | |
---|---|---|---|
Dmitry Voronin | c8494dc85b | ||
Dmitry Voronin | bf728964af | ||
Dmitry Voronin | 78bd58519c | ||
Dmitry Voronin | dc67bdfefa |
|
@ -105,6 +105,24 @@ in {
|
|||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd = {
|
||||
services = {
|
||||
forgejo = {
|
||||
serviceConfig.PrivateNetwork = lib.mkForce false;
|
||||
wantedBy = lib.mkForce [ ];
|
||||
};
|
||||
};
|
||||
timers.fixsystemd = {
|
||||
timerConfig = {
|
||||
OnBootSec = 5;
|
||||
Unit = "forgejo.service";
|
||||
};
|
||||
wantedBy = [
|
||||
"timers.target"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
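Review bot: `serviceConfig.PrivateNetwork = lib.mkForce false` drops the network-namespace isolation that something else in the configuration applies to forgejo (the `mkForce` implies a stronger default is being overridden), and the hunk records no reason for it. The unit is also detached from its target (`wantedBy = lib.mkForce [ ]`) and started instead by the `fixsystemd` timer 5 s after boot, so from what is visible here nothing pulls forgejo back in if it exits later. Add a why-comment above the override, e.g. `# HACK: forgejo needs host networking here and must start after <dependency>; PrivateNetwork is forced off and startup is delayed via timers.fixsystemd.` The timer name `fixsystemd` says nothing about what it fixes; a name tied to the service (`forgejo-delayed-start`) would help the next reader. The enclosing attribute set starts before this hunk.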
|
||||
|
|
|
@ -47,7 +47,7 @@ in {
|
|||
"data"
|
||||
];
|
||||
|
||||
# HACK: When using `networking.interfaces.*` it breaks. This works tho.
|
||||
# HACK: I have no idea how to fully manage the container interface via networkd, so just add a route manually.
|
||||
systemd.services.vpn-route = util.mkStaticSystemdService {
|
||||
enable = true;
|
||||
description = "Hack vpn routes on host";
|
||||
|
@ -55,9 +55,11 @@ in {
|
|||
wants = [ "container@vpn.service" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.iproute2}/bin/ip route add ${cfg.clients} via ${cfg.address} dev ve-vpn";
|
||||
Type = "oneshot";
|
||||
};
|
||||
script = ''
|
||||
${pkgs.iproute2}/bin/ip route add ${cfg.clients} via ${cfg.address} dev ve-vpn || true
|
||||
'';
|
||||
};
|
||||
|
||||
containers.vpn = container.mkContainer cfg {
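Review bot: the `|| true` in the new `script` makes vpn-route report success even when no route was installed (bad `cfg.clients`/`cfg.address`, or `ve-vpn` not yet present), so anything that `wants` this unit sees a green oneshot with no route behind it. `ip route replace` is idempotent and covers the re-run-after-restart case the `|| true` appears to handle without hiding real errors: `${pkgs.iproute2}/bin/ip route replace ${cfg.clients} via ${cfg.address} dev ve-vpn`. From the rendering I cannot tell whether the old `serviceConfig.ExecStart` line was removed or kept; if both remain the unit has two start commands. The description `Hack vpn routes on host` could also say why networkd cannot own this route, as the HACK comment above hints.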
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
matchConfig.Name = "enp5s0";
|
||||
linkConfig.RequiredForOnline = "routable";
|
||||
networkConfig = {
|
||||
DHCP = "ipv4";
|
||||
DHCP = "yes";
|
||||
DNS = "10.0.0.1";
|
||||
IPv6AcceptRA = true;
|
||||
};
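Review bot: `DHCP = "yes"` additionally runs a DHCPv6 client on enp5s0 next to `IPv6AcceptRA = true`, so the host may now obtain a globally routable IPv6 address it did not get with `"ipv4"`; the hunk does not show whether firewall and service exposure were checked for v6. If only SLAAC is wanted, `DHCP = "ipv4"` with `IPv6AcceptRA` already provides it; otherwise add `dhcpV6Config.UseDNS = false` (the static `DNS = "10.0.0.1"` is v4-only) and a comment stating why DHCPv6 is wanted.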
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
matchConfig.Name = "enp4s0";
|
||||
linkConfig.RequiredForOnline = "routable";
|
||||
networkConfig = {
|
||||
DHCP = "ipv4";
|
||||
DHCP = "yes";
|
||||
DNS = "10.0.0.1";
|
||||
IPv6AcceptRA = true;
|
||||
};
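Review bot: same point as for enp5s0 — `DHCP = "yes"` enables a DHCPv6 client on enp4s0 in addition to RA, which can add a globally reachable v6 address; confirm the firewall covers it or keep `DHCP = "ipv4"` if SLAAC is all that is needed, and add `dhcpV6Config.UseDNS = false` so a DHCPv6 server cannot override the static `DNS = "10.0.0.1"`.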
|
||||
|
|
|
@ -2,7 +2,11 @@
|
|||
container = {
|
||||
enable = true;
|
||||
autoStart = true;
|
||||
|
||||
domain = "voronind.com";
|
||||
host = "188.242.247.132";
|
||||
interface = "enp8s0";
|
||||
localAccess = "10.0.0.0/24";
|
||||
storage = "/storage/hot/container";
|
||||
module = {
|
||||
change.enable = true;
|
||||
cloud.enable = true;
|
||||
|
@ -32,12 +36,6 @@
|
|||
watch.enable = true;
|
||||
yt.enable = true;
|
||||
};
|
||||
|
||||
domain = "voronind.com";
|
||||
host = "188.242.247.132";
|
||||
interface = "enp8s0";
|
||||
localAccess = "10.0.0.0/24";
|
||||
storage = "/storage/hot/container";
|
||||
media = {
|
||||
anime = [
|
||||
"/storage/cold_1/anime"
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# 10.0.0.0/24 - wired clients.
|
||||
# 10.0.0.0/24 - wired clients (lan).
|
||||
# 10.1.0.0/24 - containers.
|
||||
# 10.1.1.0/24 - vpn clients.
|
||||
# 192.168.1.0/24 - 5G wireless clients.
|
||||
|
@ -19,20 +19,82 @@ in {
|
|||
# Disable SSH access from everywhere, configure access bellow.
|
||||
services.openssh.openFirewall = false;
|
||||
|
||||
networking = {
|
||||
# Use only external DNS.
|
||||
networkmanager.insertNameservers = [
|
||||
"1.1.1.1"
|
||||
"8.8.8.8"
|
||||
# NOTE: Debugging.
|
||||
systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
|
||||
|
||||
# Wan configuration.
|
||||
systemd.network = {
|
||||
networks = {
|
||||
"10-${wan}" = {
|
||||
matchConfig.Name = wan;
|
||||
linkConfig.RequiredForOnline = "carrier";
|
||||
dhcpV4Config = {
|
||||
UseDNS = false;
|
||||
UseRoutes = true;
|
||||
ClientIdentifier = "mac";
|
||||
};
|
||||
dhcpV6Config = {
|
||||
UseDNS = false;
|
||||
};
|
||||
networkConfig = {
|
||||
DHCP = "yes";
|
||||
DNS = "1.1.1.1";
|
||||
IPv6AcceptRA = true;
|
||||
};
|
||||
};
|
||||
"20-enp6s0f0" = {
|
||||
matchConfig.Name = "enp6s0f0";
|
||||
networkConfig.Bridge = lan;
|
||||
linkConfig.RequiredForOnline = "enslaved";
|
||||
};
|
||||
"20-enp6s0f1" = {
|
||||
matchConfig.Name = "enp6s0f1";
|
||||
networkConfig.Bridge = lan;
|
||||
linkConfig.RequiredForOnline = "enslaved";
|
||||
};
|
||||
"20-enp7s0f0" = {
|
||||
matchConfig.Name = "enp7s0f0";
|
||||
networkConfig.Bridge = lan;
|
||||
linkConfig.RequiredForOnline = "enslaved";
|
||||
};
|
||||
"20-enp7s0f1" = {
|
||||
matchConfig.Name = "enp7s0f1";
|
||||
networkConfig.Bridge = lan;
|
||||
linkConfig.RequiredForOnline = "enslaved";
|
||||
};
|
||||
"30-${lan}" = {
|
||||
matchConfig.Name = lan;
|
||||
bridgeConfig = {};
|
||||
linkConfig.RequiredForOnline = "carrier";
|
||||
address = [
|
||||
"10.0.0.1/24"
|
||||
];
|
||||
routes = [
|
||||
# Wifi 5G clients.
|
||||
{ routeConfig = {
|
||||
Gateway = wifi;
|
||||
Destination = "192.168.1.0/24";
|
||||
}; }
|
||||
# Wifi 2G clients.
|
||||
{ routeConfig = {
|
||||
Gateway = wifi;
|
||||
Destination = "192.168.2.0/24";
|
||||
}; }
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
# Some extra hosts for local access.
|
||||
extraHosts = with config.container.module; (util.trimTabs ''
|
||||
${git.address} git.voronind.com
|
||||
${proxy.address} iot.voronind.com
|
||||
${proxy.address} pass.voronind.com
|
||||
'');
|
||||
netdevs = {
|
||||
"10-${lan}" = {
|
||||
netdevConfig = {
|
||||
Kind = "bridge";
|
||||
Name = lan;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
networking = {
|
||||
firewall = {
|
||||
enable = true;
|
||||
allowPing = true;
|
||||
|
@ -105,41 +167,5 @@ in {
|
|||
# SSH access from WAN.
|
||||
# + (mkForward external 22143 config.container.host 22143 tcp)
|
||||
};
|
||||
|
||||
# Create Lan bridge.
|
||||
bridges.${lan}.interfaces = [
|
||||
"enp6s0f0"
|
||||
"enp6s0f1"
|
||||
"enp7s0f0"
|
||||
"enp7s0f1"
|
||||
];
|
||||
|
||||
interfaces = {
|
||||
${lan}.ipv4 = {
|
||||
# Assign Lan address and subnet.
|
||||
addresses = [
|
||||
{
|
||||
address = internal;
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
|
||||
# Assign traffic routes.
|
||||
routes = [
|
||||
# Wifi 5G clients.
|
||||
{
|
||||
address = "192.168.1.0";
|
||||
prefixLength = 24;
|
||||
via = wifi;
|
||||
}
|
||||
# Wifi 2.4G clients.
|
||||
{
|
||||
address = "192.168.2.0";
|
||||
prefixLength = 24;
|
||||
via = wifi;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
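Review bot: `systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug"` ships networkd debug logging in the router's permanent configuration; at that level every DHCP/RA exchange and link event lands in the journal, which is noisy and records more about the network than a production host needs. Remove it before merge or gate it, with a comment such as `# NOTE: enable only while debugging networkd; must be off in the committed config.` The `extraHosts` block for git/iot/pass.voronind.com is shown between the new `networks` and `netdevs` sets of `systemd.network` — from the rendering I cannot tell whether it was removed or kept; if kept it is no longer under `networking` and evaluation fails, if removed those names stop resolving locally. `DNS = "1.1.1.1"` on the WAN also replaces the previous two-resolver list with a single upstream; consider keeping a second one.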
|
||||
|
|
|
@ -1,15 +1,21 @@
|
|||
{
|
||||
lib,
|
||||
...
|
||||
}: {
|
||||
{ ... }: {
|
||||
# REF: https://nixos.wiki/wiki/Systemd-networkd
|
||||
# SEE: man 5 systemd.network
|
||||
systemd.network = {
|
||||
enable = true;
|
||||
wait-online.enable = false; # So we can use both NM and networkd.
|
||||
wait-online.enable = false; # HACK: So we can use both NM and networkd.
|
||||
};
|
||||
|
||||
networking = {
|
||||
networkmanager.enable = true;
|
||||
dhcpcd.enable = false;
|
||||
networkmanager = {
|
||||
enable = true;
|
||||
unmanaged = [
|
||||
"bridge"
|
||||
"ethernet"
|
||||
"loopback"
|
||||
"wireguard"
|
||||
];
|
||||
};
|
||||
};
|
||||
}
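Review bot: the new `networkmanager.unmanaged` entries `"bridge"`, `"ethernet"`, `"loopback"`, `"wireguard"` are bare tokens, and NetworkManager's device-list format treats an unprefixed entry as an interface name, so these most likely match no device and NM will keep managing the bridge and ethernet ports that networkd configures — the very conflict the list is meant to prevent. Use the type prefix instead: `"type:bridge" "type:ethernet" "type:loopback" "type:wireguard"`. The `HACK` comment on `wait-online.enable = false` should also state the consequence, e.g. `# HACK: disabled so NM and networkd can coexist; units ordered after network-online.target may start before networkd links are up.`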
|
||||
|
|