qenya/nixfiles
1
0
Fork 0
Code Issues 4 Pull requests Activity Actions

Compare commits

base: qenya:f11815c2b1821db864bc1a2af42a63b1698aab77
Branches Tags
qenya:main
qenya:flakes
qenya:lix
qenya:multihost
..
compare: qenya:3a9a3c40b0240835a472add9f57c6ce205d45b88
Branches Tags
qenya:main
qenya:flakes
qenya:lix
qenya:multihost

No commits in common. "f11815c2b1821db864bc1a2af42a63b1698aab77" and "3a9a3c40b0240835a472add9f57c6ce205d45b88" have entirely different histories.
f11815c2b1 ... 3a9a3c40b0

7 changed files with 32 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

2
common/tailscale.nix
View file

@ -18,6 +18,4 @@
${lib.getExe config.services.tailscale.package} up --reset ${lib.escapeShellArgs config.services.tailscale.extraUpFlags} ${lib.getExe config.services.tailscale.package} up --reset ${lib.escapeShellArgs config.services.tailscale.extraUpFlags}
''; '';
}; };
networking.domain = "birdsong.network";
} }

1
hosts/kalessin/default.nix
View file

@ -12,6 +12,7 @@ in
nixpkgs.hostPlatform = "aarch64-linux"; nixpkgs.hostPlatform = "aarch64-linux";
networking.hostName = "kalessin"; networking.hostName = "kalessin";
networking.hostId = "534b538e"; networking.hostId = "534b538e";
networking.domain = "birdsong.network";
fountain.users.qenya.enable = true; fountain.users.qenya.enable = true;
fountain.users.randomcat.enable = true; fountain.users.randomcat.enable = true;

1
hosts/orm/default.nix
View file

@ -9,6 +9,7 @@
nixpkgs.hostPlatform = "x86_64-linux"; nixpkgs.hostPlatform = "x86_64-linux";
networking.hostName = "orm"; networking.hostName = "orm";
networking.hostId = "00000000"; networking.hostId = "00000000";
networking.domain = "birdsong.network";
fountain.users.qenya.enable = true; fountain.users.qenya.enable = true;
fountain.admins = [ "qenya" ]; fountain.admins = [ "qenya" ];

1
hosts/tehanu/default.nix
View file

@ -9,6 +9,7 @@
nixpkgs.hostPlatform = "aarch64-linux"; nixpkgs.hostPlatform = "aarch64-linux";
networking.hostName = "tehanu"; networking.hostName = "tehanu";
networking.hostId = "8e1185ab"; networking.hostId = "8e1185ab";
networking.domain = "birdsong.network";
fountain.users.qenya.enable = true; fountain.users.qenya.enable = true;
fountain.admins = [ "qenya" ]; fountain.admins = [ "qenya" ];

15
hosts/yevaud/default.nix
View file

@ -5,12 +5,14 @@
./hardware-configuration.nix ./hardware-configuration.nix
./networking.nix ./networking.nix
./experiments/pennykettle.nix # TODO: this breaks external IPv6 somehow
# ./experiments/pennykettle.nix
]; ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
networking.hostName = "yevaud"; networking.hostName = "yevaud";
networking.hostId = "09673d65"; networking.hostId = "09673d65";
networking.domain = "birdsong.network";
fountain.users.qenya.enable = true; fountain.users.qenya.enable = true;
fountain.admins = [ "qenya" ]; fountain.admins = [ "qenya" ];
@ -45,5 +47,16 @@
}; };
}; };
services.nginx = {
enable = true;
virtualHosts = {
"birdsong.network" = {
forceSSL = true;
enableACME = true;
locations."/".return = "301 https://git.unspecified.systems/qenya/birdsong/";
};
};
};
system.stateVersion = "23.11"; system.stateVersion = "23.11";
} }

29
hosts/yevaud/experiments/pennykettle.nix
View file

@ -2,30 +2,15 @@
{ {
networking.nat.enable = true; networking.nat.enable = true;
networking.nat.enableIPv6 = true;
networking.nat.internalInterfaces = [ "ve-pennykettle1" ]; networking.nat.internalInterfaces = [ "ve-pennykettle1" ];
networking.nat.externalInterface = "ens3"; networking.nat.externalInterface = "ens3";
networking.firewall.allowedUDPPorts = [ 51821 ]; networking.firewall.allowedUDPPorts = [ 51821 ];
# RA = Router Advertisement (how a host finds a gateway IPv6 address for
# SLAAC or DHCPv6).
# networkd usually defaults this to true, but instead defaults it to false
# for ALL networks if ANY network has IPv6Forwarding enabled, on the
# (reasonable) assumption that a host doing IP forwarding is probably a
# network bridge.
# The kernel's RA implementation does this too, and the NixOS networking.nat
# module explicitly overrides that with sysctl, but networkd doesn't pay
# attention to that.
# We thus explicitly enable it, as otherwise external IPv6 is broken.
systemd.network.networks."40-ens3".networkConfig.IPv6AcceptRA = true;
containers."pennykettle1" = { containers."pennykettle1" = {
privateNetwork = true; privateNetwork = true;
extraVeths."ve-pennykettle1" = { extraVeths."ve-pennykettle1" = {
hostAddress = "10.231.136.1"; hostAddress = "10.235.1.1";
localAddress = "10.231.136.2"; localAddress = "10.235.2.1";
hostAddress6 = "fc00::1";
localAddress6 = "fc00::2";
forwardPorts = [{ hostPort = 51821; }]; forwardPorts = [{ hostPort = 51821; }];
}; };
ephemeral = true; ephemeral = true;
@ -45,11 +30,13 @@
networks."10-ve" = { networks."10-ve" = {
matchConfig.Name = "ve-pennykettle1"; matchConfig.Name = "ve-pennykettle1";
networkConfig.Address = [ "10.231.136.2/24" "fc00::2/64" ]; networkConfig.Address = "10.235.2.1/32";
# linkConfig.RequiredForOnline = "routable"; # linkConfig.RequiredForOnline = "routable";
routes = [{ routes = [{
Gateway = [ "10.231.136.1" "fc00::1" ]; routeConfig = {
Destination = "217.138.216.162"; Gateway = "10.235.1.1";
Destination = "217.138.216.162/32";
};
}]; }];
}; };
@ -77,10 +64,12 @@
PrivateKeyFile = "/run/secrets/wg-key"; PrivateKeyFile = "/run/secrets/wg-key";
}; };
wireguardPeers = [{ wireguardPeers = [{
wireguardPeerConfig = {
PublicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s="; PublicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s=";
AllowedIPs = "0.0.0.0/0"; AllowedIPs = "0.0.0.0/0";
Endpoint = "217.138.216.162:51820"; Endpoint = "217.138.216.162:51820";
PersistentKeepalive = 5; PersistentKeepalive = 5;
};
}]; }];
}; };
}; };

5
services/headscale.nix
View file

@ -39,10 +39,7 @@ in
settings = { settings = {
server_url = "https://${cfg.domain}:443"; server_url = "https://${cfg.domain}:443";
prefixes.allocation = "random"; prefixes.allocation = "random";
dns = { dns.magic_dns = false;
magic_dns = true;
base_domain = "birdsong.network";
};
# disable built-in ACME client # disable built-in ACME client
tls_cert_path = null; tls_cert_path = null;