
commit 489f7f55aad2be12de85fee4df63d013e74b971e
parent 08547418675428e46a170eac96b70a9b59920b40
Author: Leah (ctucx) <git@ctu.cx>
Date: Wed, 3 Apr 2024 15:05:34 +0200

machines/briefkasten: bridge iphone-hotspot to vlan on eth
1 file changed, 29 insertions(+), 10 deletions(-)
M
machines/briefkasten/configuration.nix
|
39
+++++++++++++++++++++++++++++----------
diff --git a/machines/briefkasten/configuration.nix b/machines/briefkasten/configuration.nix
@@ -38,6 +38,8 @@
   boot = {
 
     kernel.sysctl = {
+      "net.ipv6.conf.all.forwarding"    = true;
+      "net.ipv4.conf.all.forwarding"    = true;
       "net.ipv6.conf.enp1s0.forwarding" = lib.mkIf config.networking.usePBBUplink 0;
       "net.ipv6.conf.enp1s0.autoconf"   = lib.mkIf config.networking.usePBBUplink 0;
       "net.ipv6.conf.enp1s0.accept_ra"  = lib.mkIf config.networking.usePBBUplink 0;
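Review bot: The two added keys `net.ipv4.conf.all.forwarding` and `net.ipv6.conf.all.forwarding` switch routing on for every interface, including the enp1s0 uplink, and the NixOS firewall as configured further down only hooks the INPUT chain, so nothing filters traffic the host now forwards between enp1s0, vlan10 and the phone link. For IPv6 the `all.forwarding` write also propagates to every interface, so whether the existing `net.ipv6.conf.enp1s0.forwarding = 0` on the next line survives depends on the order sysctl applies the keys — worth confirming on the running box. The bridge introduced later in this commit is pure layer 2, so it is not obvious why global forwarding is needed at all; if the host is meant to route, a comment stating what is routed and a matching FORWARD rule in `firewall.extraCommands` would close the gap, otherwise these two lines can go. The `boot` attribute set continues outside the hunk.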

@@ -86,6 +88,9 @@
 
   };
 
+  nix.optimise.automatic = false;
+  nix.gc.automatic       = false;
+
   systemd.network.networks = {
     "40-enp1s0".networkConfig.IPv6AcceptRA = lib.mkIf config.networking.usePBBUplink false;
   };
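Review bot: `nix.optimise.automatic = false` and `nix.gc.automatic = false` are unrelated to the bridge change named in the commit title and carry no explanation; the same applies to the removal of the `viro-check` service in the last hunk. With automatic GC off the store only shrinks when garbage collection is run by hand, which on a small machine becomes an availability concern over time. A comment such as `# automatic GC/optimise disabled: <reason>` above the two lines, or moving them into their own commit, would make the intent reviewable.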

@@ -95,7 +100,17 @@
     HandlePowerKey=ignore
   '';
 
+  services.udev.extraRules = ''
+    ACTION=="add", SUBSYSTEM=="net", ENV{INTERFACE}=="iphone", RUN+="${pkgs.systemd}/bin/networkctl up bruplink",
+  '';
+
+  systemd.network.links."10-iphone" = {
+    matchConfig.PermanentMACAddress = "aa:ab:b5:18:95:d9";
+    linkConfig.Name = "iphone";
+  };
+
   networking = {
+    useNetworkd  = true;
     usePBBUplink = true;
 
     primaryIP    = "2a0f:4ac0:acab::45";
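Review bot: The udev rule under `services.udev.extraRules` identifies the phone purely by the MAC in `matchConfig.PermanentMACAddress` and then runs `networkctl up bruplink` as root from the udev event, but nothing records why the bridge has to be raised by hand when the link appears. Any USB network device presenting that MAC is renamed to `iphone` and joined to the bridge; that is acceptable for a physical port under your control, but it should be stated, e.g. `# bring the bridge up as soon as the phone's USB NIC appears; networkd alone does not (confirm)` above the rule. The rule also ends with a stray comma after the `RUN+=` value; if udevd tolerates it that is fine, but dropping it avoids relying on that. The `networking` attribute set starting at the end of this hunk continues outside it.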

@@ -106,12 +121,23 @@
 
     nameservers  = [ "195.39.246.41" "2a0f:4ac0:acab::1" ];
 
-    defaultGateway  = "195.39.246.41";
+    defaultGateway.address   = "195.39.246.41";
+    defaultGateway.interface = "enp1s0";
+
     defaultGateway6 = lib.mkIf config.networking.usePBBUplink{
       address   = "2a0f:4ac0:acab::1";
       interface = "enp1s0";
     };
 
+    vlans.vlan10 = {
+      id        = 10;
+      interface = "enp1s0";
+    };
+
+    bridges.bruplink = {
+      interfaces = [ "vlan10" "iphone" ];
+    };
+
     interfaces.enp1s0 = {
       ipv4.addresses = [
         (lib.mkIf config.networking.usePBBUplink {
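Review bot: `bridges.bruplink` joins `vlan10` and the phone link at layer 2 with no address configuration of its own, which means hosts on VLAN 10 obtain connectivity from the phone's hotspot directly; that design is nowhere documented in the file and is the core of this commit. A short comment above `vlans.vlan10`, such as `# vlan10 on enp1s0 is bridged to the phone's USB tether (bruplink); the bridge itself carries no addresses`, would let the next reader understand the three blocks together. Note also that `defaultGateway.interface` is set unconditionally while `defaultGateway6` on the following lines stays under `lib.mkIf config.networking.usePBBUplink`; if the IPv4 uplink is equally PBB-specific the two should be guarded the same way. The `networking` set starts before this hunk and `interfaces.enp1s0` continues past it.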

@@ -153,8 +179,8 @@
 
     firewall.allowedTCPPorts = [ 5201 ];
     firewall.allowedUDPPorts = [ 5201 51820 ];
+    firewall.trustedInterfaces = [ "wg-wanderduene" "vlan10" "bruplink" ];
     firewall.extraCommands = ''
-      iptables  -A nixos-fw -i wg-wanderduene             -j nixos-fw-accept
       iptables  -A nixos-fw -p tcp -s 10.0.0.0/8          -j nixos-fw-accept
       iptables  -A nixos-fw -p udp -s 10.0.0.0/8          -j nixos-fw-accept
       iptables  -A nixos-fw -p tcp -s 195.39.246.32/28    -j nixos-fw-accept
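Review bot: `firewall.trustedInterfaces = [ "wg-wanderduene" "vlan10" "bruplink" ]` accepts every inbound packet from the bridge, and the bridge's members include the phone's USB link, so whatever sits on the hotspot side of the phone can reach every listening service on this host, not only the ports in `allowedTCPPorts`/`allowedUDPPorts`. Listing both `vlan10` and `bruplink` is likely redundant, since traffic from a bridge member is seen by INPUT as arriving on the bridge unless br_netfilter changes that — confirm on the box. If only the VLAN 10 clients are meant to be trusted, keeping `bruplink` out of the trusted set and matching the member with the iptables physdev match in `firewall.extraCommands` is the safer shape; at minimum add `# bruplink includes the phone's tether: hotspot-side hosts are trusted too` so the exposure is explicit. The `firewall.extraCommands` string continues outside the hunk.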

@@ -164,15 +190,8 @@
     '';
   };
 
-  systemd.services.viro-check = {
-    startAt   = "*:0/15";
-    onFailure = [ "email-notify@%i.service" ];
-    script    = ''
-      ${pkgs.curl}/bin/curl -s 'https://onlinetermine.arzt-direkt.com/api/opening?localityIds=&instance=639b0e64db18e24406955d24&terminSucheIdent=130944784281370626&forerunTime=0' | ${pkgs.jq}/bin/jq -e '(.openings | length) == 0'
-    '';
-  };
-
   services = {
+    usbmuxd.enable = true;
     email-notify.enable = true;
     nginx.virtualHosts."${config.networking.fqdn}" = {
       enableACME = lib.mkIf (config.networking.usePBBUplink == false) false;
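Review bot: `usbmuxd.enable = true` has no comment tying it to the phone tether introduced earlier in the commit, so a reader of the `services` block cannot tell why a USB multiplexing daemon is now running on this host. Presumably it is needed for the phone's USB network interface to come up; a line such as `# usbmuxd: needed for the iPhone USB tether (iphone link) — confirm` would make that dependency visible. The `services` attribute set continues outside the hunk.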