Compare commits
No commits in common. "f11815c2b1821db864bc1a2af42a63b1698aab77" and "3a9a3c40b0240835a472add9f57c6ce205d45b88" have entirely different histories.
f11815c2b1
...
3a9a3c40b0
7 changed files with 32 additions and 32 deletions
|
|
@ -18,6 +18,4 @@
|
|||
${lib.getExe config.services.tailscale.package} up --reset ${lib.escapeShellArgs config.services.tailscale.extraUpFlags}
|
||||
'';
|
||||
};
|
||||
|
||||
networking.domain = "birdsong.network";
|
||||
}
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ in
|
|||
nixpkgs.hostPlatform = "aarch64-linux";
|
||||
networking.hostName = "kalessin";
|
||||
networking.hostId = "534b538e";
|
||||
networking.domain = "birdsong.network";
|
||||
|
||||
fountain.users.qenya.enable = true;
|
||||
fountain.users.randomcat.enable = true;
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@
|
|||
nixpkgs.hostPlatform = "x86_64-linux";
|
||||
networking.hostName = "orm";
|
||||
networking.hostId = "00000000";
|
||||
networking.domain = "birdsong.network";
|
||||
|
||||
fountain.users.qenya.enable = true;
|
||||
fountain.admins = [ "qenya" ];
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@
|
|||
nixpkgs.hostPlatform = "aarch64-linux";
|
||||
networking.hostName = "tehanu";
|
||||
networking.hostId = "8e1185ab";
|
||||
networking.domain = "birdsong.network";
|
||||
|
||||
fountain.users.qenya.enable = true;
|
||||
fountain.admins = [ "qenya" ];
|
||||
|
|
|
|||
|
|
@ -5,12 +5,14 @@
|
|||
./hardware-configuration.nix
|
||||
./networking.nix
|
||||
|
||||
./experiments/pennykettle.nix
|
||||
# TODO: this breaks external IPv6 somehow
|
||||
# ./experiments/pennykettle.nix
|
||||
];
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
networking.hostName = "yevaud";
|
||||
networking.hostId = "09673d65";
|
||||
networking.domain = "birdsong.network";
|
||||
|
||||
fountain.users.qenya.enable = true;
|
||||
fountain.admins = [ "qenya" ];
|
||||
|
|
@ -45,5 +47,16 @@
|
|||
};
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts = {
|
||||
"birdsong.network" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/".return = "301 https://git.unspecified.systems/qenya/birdsong/";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
system.stateVersion = "23.11";
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,30 +2,15 @@
|
|||
|
||||
{
|
||||
networking.nat.enable = true;
|
||||
networking.nat.enableIPv6 = true;
|
||||
networking.nat.internalInterfaces = [ "ve-pennykettle1" ];
|
||||
networking.nat.externalInterface = "ens3";
|
||||
networking.firewall.allowedUDPPorts = [ 51821 ];
|
||||
|
||||
# RA = Router Advertisement (how a host finds a gateway IPv6 address for
|
||||
# SLAAC or DHCPv6).
|
||||
# networkd usually defaults this to true, but instead defaults it to false
|
||||
# for ALL networks if ANY network has IPv6Forwarding enabled, on the
|
||||
# (reasonable) assumption that a host doing IP forwarding is probably a
|
||||
# network bridge.
|
||||
# The kernel's RA implementation does this too, and the NixOS networking.nat
|
||||
# module explicitly overrides that with sysctl, but networkd doesn't pay
|
||||
# attention to that.
|
||||
# We thus explicitly enable it, as otherwise external IPv6 is broken.
|
||||
systemd.network.networks."40-ens3".networkConfig.IPv6AcceptRA = true;
|
||||
|
||||
containers."pennykettle1" = {
|
||||
privateNetwork = true;
|
||||
extraVeths."ve-pennykettle1" = {
|
||||
hostAddress = "10.231.136.1";
|
||||
localAddress = "10.231.136.2";
|
||||
hostAddress6 = "fc00::1";
|
||||
localAddress6 = "fc00::2";
|
||||
hostAddress = "10.235.1.1";
|
||||
localAddress = "10.235.2.1";
|
||||
forwardPorts = [{ hostPort = 51821; }];
|
||||
};
|
||||
ephemeral = true;
|
||||
|
|
@ -45,11 +30,13 @@
|
|||
|
||||
networks."10-ve" = {
|
||||
matchConfig.Name = "ve-pennykettle1";
|
||||
networkConfig.Address = [ "10.231.136.2/24" "fc00::2/64" ];
|
||||
networkConfig.Address = "10.235.2.1/32";
|
||||
# linkConfig.RequiredForOnline = "routable";
|
||||
routes = [{
|
||||
Gateway = [ "10.231.136.1" "fc00::1" ];
|
||||
Destination = "217.138.216.162";
|
||||
routeConfig = {
|
||||
Gateway = "10.235.1.1";
|
||||
Destination = "217.138.216.162/32";
|
||||
};
|
||||
}];
|
||||
};
|
||||
|
||||
|
|
@ -77,10 +64,12 @@
|
|||
PrivateKeyFile = "/run/secrets/wg-key";
|
||||
};
|
||||
wireguardPeers = [{
|
||||
PublicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s=";
|
||||
AllowedIPs = "0.0.0.0/0";
|
||||
Endpoint = "217.138.216.162:51820";
|
||||
PersistentKeepalive = 5;
|
||||
wireguardPeerConfig = {
|
||||
PublicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s=";
|
||||
AllowedIPs = "0.0.0.0/0";
|
||||
Endpoint = "217.138.216.162:51820";
|
||||
PersistentKeepalive = 5;
|
||||
};
|
||||
}];
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -39,10 +39,7 @@ in
|
|||
settings = {
|
||||
server_url = "https://${cfg.domain}:443";
|
||||
prefixes.allocation = "random";
|
||||
dns = {
|
||||
magic_dns = true;
|
||||
base_domain = "birdsong.network";
|
||||
};
|
||||
dns.magic_dns = false;
|
||||
|
||||
# disable built-in ACME client
|
||||
tls_cert_path = null;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue