feat(nixos): move network config to common nix files

2023-02-26 22:49:16 +01:00 · 2023-02-26 22:49:16 +01:00 · b55abee6b2
commit b55abee6b2
parent 2f1cf1945d
5 changed files with 126 additions and 6 deletions
--- a/machines/common.nix
+++ b/machines/common.nix
@ -1,4 +1,12 @@
 {
  lib,
  pkgs,
  ...
 }: {
  imports = [
    ./network.nix
  ];
  nix = {
    gc.automatic = true;
    settings = {
--- a/machines/futomaki/default.nix
+++ b/machines/futomaki/default.nix
@ -99,7 +99,6 @@ in {
    # desktop
    blueman.enable = true;
    gnome.gnome-keyring.enable = true;
    mullvad-vpn.enable = true;
    pipewire = {
      enable = true;
      pulse.enable = true;
--- a/machines/network.nix
+++ b/machines/network.nix
@ -0,0 +1,56 @@
 {
  lib,
  pkgs,
  ...
 }: let
  inherit (pkgs.stdenv.hostPlatform) isLinux;
 in {
  services = {
    dnsmasq =
      if isLinux
      then {
        enable = true;
        servers = [
          "::1#53000"
          "127.0.0.1#53000"
        ];
        extraConfig = ''
          # stubby
          no-resolv
          proxy-dnssec
          listen-address=::1,127.0.0.1
          # loopback for development
          address=/test/127.0.0.1
        '';
      }
      # nix-darwin config
      else {
        enable = true;
        addresses."test" = "127.0.0.1";
        bind = "127.0.0.1";
      };
    stubby = lib.mkIf isLinux {
      enable = true;
      settings = {
        resolution_type = "GETDNS_RESOLUTION_STUB";
        listen_addresses = ["127.0.0.1@53000" "0::1@53000"];
        upstream_recursive_servers = [
          {
            address_data = "194.242.2.3";
            tls_port = 853;
            tls_auth_name = "adblock.doh.mullvad.net";
          }
          {
            address_data = "2a07:e340::3";
            tls_port = 853;
            tls_auth_name = "adblock.doh.mullvad.net";
          }
        ];
      };
    };
    mullvad-vpn.enable = isLinux;
  };
 }
--- a/machines/sashimi/default.nix
+++ b/machines/sashimi/default.nix
@ -27,11 +27,6 @@
  system.defaults.alf.stealthenabled = 1;
  services = {
    dnsmasq = {
      enable = true;
      addresses."test" = "127.0.0.1";
      bind = "127.0.0.1";
    };
    # Auto upgrade nix package and the daemon service.
    nix-daemon.enable = true;
  };
--- a/machines/traefik.nix
+++ b/machines/traefik.nix
@ -0,0 +1,62 @@
 # this is half baked, so it's not enabled yet
 {
  lib,
  pkgs,
  ...
 }: let
  inherit (pkgs.stdenv.hostPlatform) isLinux;
 in {
  # add the traefik user to the docker group for socket access
  users = lib.mkIf isLinux {
    users.traefik.extraGroups = ["docker"];
  };
  services = lib.mkIf isLinux {
    traefik = {
      enable = true;
      staticConfigOptions = {
        entryPoints = {
          http = {
            address = ":80";
            http.redirections.entryPoint = {
              to = "https";
              scheme = "https";
              permanent = true;
            };
          };
          https.address = ":443";
        };
        providers = {
          docker = {
            endpoint = "unix:///var/run/docker.sock";
            exposedByDefault = false;
          };
        };
        api = {
          dashboard = true;
          insecure = false;
          debug = false;
        };
        log.level = "INFO";
        accessLog = true;
      };
      dynamicConfigOptions = {
        tls.options.default.minVersion = "VersionTLS13";
        tls.stores.default.defaultCertificate = {
          # this would be an impurity, since it's generated inside the flake
          # via mkcert, another reason why it's deactivated as of now
          certFile = builtins.toString ../certs/local.crt;
          keyFile = builtins.toString ../certs/local.key;
        };
        http.routers.traefik = {
          entryPoints = ["http" "https"];
          rule = "Host(`traefik.this.test`)";
          tls = true;
          service = "api@internal";
        };
      };
    };
  };
 }