From b55abee6b217f0134030e4a44d32b302edb273ae Mon Sep 17 00:00:00 2001
From: winston
Date: Sun, 26 Feb 2023 22:49:16 +0100
Subject: [PATCH] feat(nixos): move network config to common nix files

---
 machines/common.nix | 8 +++++
 machines/futomaki/default.nix | 1 -
 machines/network.nix | 56 +++++++++++++++++++++++++++++++
 machines/sashimi/default.nix | 5 ---
 machines/traefik.nix | 62 +++++++++++++++++++++++++++++++++++
 5 files changed, 126 insertions(+), 6 deletions(-)
 create mode 100644 machines/network.nix
 create mode 100644 machines/traefik.nix

diff --git a/machines/common.nix b/machines/common.nix
index 1697c87..f1fb75c 100644
--- a/machines/common.nix
+++ b/machines/common.nix
@@ -1,4 +1,12 @@
 {
+ lib,
+ pkgs,
+ ...
+}: {
+ imports = [
+ ./network.nix
+ ];
+
 nix = {
 gc.automatic = true;
 settings = {
diff --git a/machines/futomaki/default.nix b/machines/futomaki/default.nix
index a00ea8e..8e1395c 100644
--- a/machines/futomaki/default.nix
+++ b/machines/futomaki/default.nix
@@ -99,7 +99,6 @@ in {
 # desktop
 blueman.enable = true;
 gnome.gnome-keyring.enable = true;
- mullvad-vpn.enable = true;
 pipewire = {
 enable = true;
 pulse.enable = true;
diff --git a/machines/network.nix b/machines/network.nix
new file mode 100644
index 0000000..76c5621
--- /dev/null
+++ b/machines/network.nix
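Review bot: The new argument set at the top of common.nix names `lib` and `pkgs`, but nothing in this hunk uses either; if the rest of the file (not visible here) does not use them either, `{...}: {` is enough and avoids implying a dependency that does not exist. The `imports` list pulls in `./network.nix` only, so the `machines/traefik.nix` added by this same commit stays inactive, which matches the comment at the top of that file; a one-line comment next to the import such as `# traefik.nix is intentionally not imported yet` would save the next reader from checking.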
@@ -0,0 +1,56 @@
+{
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit (pkgs.stdenv.hostPlatform) isLinux;
+in {
+ services = {
+ dnsmasq =
+ if isLinux
+ then {
+ enable = true;
+ servers = [
+ "::1#53000"
+ "127.0.0.1#53000"
+ ];
+ extraConfig = ''
+ # stubby
+ no-resolv
+ proxy-dnssec
+ listen-address=::1,127.0.0.1
+
+ # loopback for development
+ address=/test/127.0.0.1
+ '';
+ }
+ # nix-darwin config
+ else {
+ enable = true;
+ addresses."test" = "127.0.0.1";
+ bind = "127.0.0.1";
+ };
+
+ stubby = lib.mkIf isLinux {
+ enable = true;
+ settings = {
+ resolution_type = "GETDNS_RESOLUTION_STUB";
+ listen_addresses = ["127.0.0.1@53000" "0::1@53000"];
+ upstream_recursive_servers = [
+ {
+ address_data = "194.242.2.3";
+ tls_port = 853;
+ tls_auth_name = "adblock.doh.mullvad.net";
+ }
+ {
+ address_data = "2a07:e340::3";
+ tls_port = 853;
+ tls_auth_name = "adblock.doh.mullvad.net";
+ }
+ ];
+ };
+ };
+
+ mullvad-vpn.enable = isLinux;
+ };
+}
diff --git a/machines/sashimi/default.nix b/machines/sashimi/default.nix
index 850d53f..39ca717 100644
--- a/machines/sashimi/default.nix
+++ b/machines/sashimi/default.nix
@@ -27,11 +27,6 @@
 system.defaults.alf.stealthenabled = 1;
 services = {
- dnsmasq = {
- enable = true;
- addresses."test" = "127.0.0.1";
- bind = "127.0.0.1";
- };
 # Auto upgrade nix package and the daemon service.
 nix-daemon.enable = true;
 };
diff --git a/machines/traefik.nix b/machines/traefik.nix
new file mode 100644
index 0000000..7bc5254
--- /dev/null
+++ b/machines/traefik.nix
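Review bot: The stubby `settings` block in network.nix sets `resolution_type`, `listen_addresses` and the two upstreams but neither `dns_transport_list` nor `tls_authentication`, so unless the NixOS module fills those in, getdns falls back to its own defaults and the Mullvad upstreams may be queried over plain UDP/TCP on port 53 or over TLS without certificate verification, which would leave `tls_auth_name` largely decorative. The intent here is clearly DNS-over-TLS only, so the settings should say so explicitly: `dns_transport_list = ["GETDNS_TRANSPORT_TLS"];` and `tls_authentication = "GETDNS_AUTHENTICATION_REQUIRED";` next to `resolution_type`. The dnsmasq `proxy-dnssec` directive forwards the upstream's AD bit without validating locally, so a short comment in `extraConfig` noting that DNSSEC trust rests on stubby and the upstream resolver would help future readers. I do not have the installed stubby version's defaults in front of me, so confirm against the generated stubby config on a Linux host.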
@@ -0,0 +1,62 @@
+# this is half baked, so it's not enabled yet
+{
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit (pkgs.stdenv.hostPlatform) isLinux;
+in {
+ # add the traefik user to the docker group for socket access
+ users = lib.mkIf isLinux {
+ users.traefik.extraGroups = ["docker"];
+ };
+
+ services = lib.mkIf isLinux {
+ traefik = {
+ enable = true;
+
+ staticConfigOptions = {
+ entryPoints = {
+ http = {
+ address = ":80";
+ http.redirections.entryPoint = {
+ to = "https";
+ scheme = "https";
+ permanent = true;
+ };
+ };
+ https.address = ":443";
+ };
+ providers = {
+ docker = {
+ endpoint = "unix:///var/run/docker.sock";
+ exposedByDefault = false;
+ };
+ };
+ api = {
+ dashboard = true;
+ insecure = false;
+ debug = false;
+ };
+ log.level = "INFO";
+ accessLog = true;
+ };
+
+ dynamicConfigOptions = {
+ tls.options.default.minVersion = "VersionTLS13";
+ tls.stores.default.defaultCertificate = {
+ # this would be an impurity, since it's generated inside the flake
+ # via mkcert, another reason why it's deactivated as of now
+ certFile = builtins.toString ../certs/local.crt;
+ keyFile = builtins.toString ../certs/local.key;
+ };
+ http.routers.traefik = {
+ entryPoints = ["http" "https"];
+ rule = "Host(`traefik.this.test`)";
+ tls = true;
+ service = "api@internal";
+ };
+ };
+ };
+ };
+}
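Review bot: The `http.routers.traefik` router at the end of the hunk publishes `api@internal` (the dashboard) on both entry points with no `middlewares` entry, so once this file is imported anyone who can reach the host with the matching Host header gets the dashboard without authentication; `insecure = false` only disables Traefik's separate API listener and does not protect this router. Before enabling it, attach an auth middleware, e.g. `middlewares = ["dashboard-auth"];` on the router and `http.middlewares.dashboard-auth.basicAuth.users = ["<user:htpasswd-hash placeholder>"];` under `dynamicConfigOptions`. The `users.traefik.extraGroups = ["docker"];` line gives the service account root-equivalent access to the host through the Docker socket, which is the usual trade-off for the docker provider but deserves a comment saying it is deliberate and that `exposedByDefault = false` is what keeps other containers from being routed accidentally. The header comment says the file is not enabled yet and common.nix in this commit imports only network.nix, so none of this is live until that import is added.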