feat(nixos): move network config to common nix files
This commit is contained in:
parent
2f1cf1945d
commit
b55abee6b2
5 changed files with 126 additions and 6 deletions
|
@ -1,4 +1,12 @@
|
|||
{
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}: {
|
||||
imports = [
|
||||
./network.nix
|
||||
];
|
||||
|
||||
nix = {
|
||||
gc.automatic = true;
|
||||
settings = {
|
||||
|
|
|
@ -99,7 +99,6 @@ in {
|
|||
# desktop
|
||||
blueman.enable = true;
|
||||
gnome.gnome-keyring.enable = true;
|
||||
mullvad-vpn.enable = true;
|
||||
pipewire = {
|
||||
enable = true;
|
||||
pulse.enable = true;
|
||||
|
|
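--- /dev/null
+++ b/machines/network.nix
@@ -0,0 +1,56 @@
+{
+lib,
+pkgs,
+...
+}: let
+inherit (pkgs.stdenv.hostPlatform) isLinux;
+in {
+services = {
+dnsmasq =
+if isLinux
+then {
+enable = true;
+servers = [
+"::1#53000"
+"127.0.0.1#53000"
+];
+extraConfig = ''
+# stubby
+no-resolv
+proxy-dnssec
+listen-address=::1,127.0.0.1
+
+# loopback for development
+address=/test/127.0.0.1
+'';
+}
+# nix-darwin config
+else {
+enable = true;
+addresses."test" = "127.0.0.1";
+bind = "127.0.0.1";
+};
+
+stubby = lib.mkIf isLinux {
+enable = true;
+settings = {
+resolution_type = "GETDNS_RESOLUTION_STUB";
+listen_addresses = ["127.0.0.1@53000" "0::1@53000"];
+upstream_recursive_servers = [
+{
+address_data = "194.242.2.3";
+tls_port = 853;
+tls_auth_name = "adblock.doh.mullvad.net";
+}
+{
+address_data = "2a07:e340::3";
+tls_port = 853;
+tls_auth_name = "adblock.doh.mullvad.net";
+}
+];
+};
+};
+
+mullvad-vpn.enable = isLinux;
+};
+}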
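Review bot: The `stubby = lib.mkIf isLinux { … settings = { … }; }` block sets `tls_auth_name` for both Mullvad upstreams but never sets `tls_authentication` or `dns_transport_list`, so whether the auth name is actually enforced, and whether stubby may ever fall back to plain UDP/TCP, depends on stubby's built-in defaults rather than on this file. Making the intent explicit is two lines inside `settings`: `dns_transport_list = ["GETDNS_TRANSPORT_TLS"];` and `tls_authentication = "GETDNS_AUTHENTICATION_REQUIRED";`. Relatedly, dnsmasq's `proxy-dnssec` only copies the AD bit from stubby, and this stubby config sets no DNSSEC validation options either, so the DNSSEC status clients see is exactly as trustworthy as the authenticated TLS channel to the upstream; a one-line comment above `proxy-dnssec` stating that would help the next reader.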
|
|
@ -27,11 +27,6 @@
|
|||
system.defaults.alf.stealthenabled = 1;
|
||||
|
||||
services = {
|
||||
dnsmasq = {
|
||||
enable = true;
|
||||
addresses."test" = "127.0.0.1";
|
||||
bind = "127.0.0.1";
|
||||
};
|
||||
# Auto upgrade nix package and the daemon service.
|
||||
nix-daemon.enable = true;
|
||||
};
|
||||
|
|
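--- /dev/null
+++ b/machines/traefik.nix
@@ -0,0 +1,62 @@
+# this is half baked, so it's not enabled yet
+{
+lib,
+pkgs,
+...
+}: let
+inherit (pkgs.stdenv.hostPlatform) isLinux;
+in {
+# add the traefik user to the docker group for socket access
+users = lib.mkIf isLinux {
+users.traefik.extraGroups = ["docker"];
+};
+
+services = lib.mkIf isLinux {
+traefik = {
+enable = true;
+
+staticConfigOptions = {
+entryPoints = {
+http = {
+address = ":80";
+http.redirections.entryPoint = {
+to = "https";
+scheme = "https";
+permanent = true;
+};
+};
+https.address = ":443";
+};
+providers = {
+docker = {
+endpoint = "unix:///var/run/docker.sock";
+exposedByDefault = false;
+};
+};
+api = {
+dashboard = true;
+insecure = false;
+debug = false;
+};
+log.level = "INFO";
+accessLog = true;
+};
+
+dynamicConfigOptions = {
+tls.options.default.minVersion = "VersionTLS13";
+tls.stores.default.defaultCertificate = {
+# this would be an impurity, since it's generated inside the flake
+# via mkcert, another reason why it's deactivated as of now
+certFile = builtins.toString ../certs/local.crt;
+keyFile = builtins.toString ../certs/local.key;
+};
+http.routers.traefik = {
+entryPoints = ["http" "https"];
+rule = "Host(`traefik.this.test`)";
+tls = true;
+service = "api@internal";
+};
+};
+};
+};
+}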
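Review bot: `keyFile = builtins.toString ../certs/local.key;` turns a repository path into a string, which for a flake (the comment above it says the certs are generated inside the flake) resolves to a copy of the file in the Nix store; the store is world-readable, so the mkcert private key would become readable by every local user the moment this module is enabled. The existing comment only calls this an impurity; it should also say the key must not pass through the store, and the path should point outside the store (or come from a secrets mechanism) before the module is switched on. Separately, `http.routers.traefik` routes to `api@internal` with only a `Host(...)` rule and no `middlewares`, so any client that can reach port 80/443 and set that Host header gets the dashboard; attach a `basicAuth` (or equivalent) middleware to that router before enabling. The comment on `users.traefik.extraGroups = ["docker"];` should also state that docker-group membership is root-equivalent on the host via the socket, since that is the real cost of the `unix:///var/run/docker.sock` provider.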
|