{ inputs, config, lib, pkgs, ... }:

let
  net = config.networking;
  hostName = net.hostName;

  # Nearly every uplink-dependent value below is "only while the PBB uplink is
  # in use"; the nginx vhosts are the opposite ("only while it is NOT in use").
  onUplink = lib.mkIf net.usePBBUplink;
  withoutUplink = lib.mkIf (!net.usePBBUplink);

  # vhost fragment shared by both nginx vhosts: ACME, forced TLS and kTLS are
  # switched off while the public uplink is gone (presumably because ACME
  # validation needs the public address -- not verifiable from this file).
  tlsOffWithoutUplink = {
    enableACME = withoutUplink false;
    forceSSL = withoutUplink false;
    kTLS = withoutUplink false;
  };

  # SSH keys of every user that is in "wheel"; these are what may log into the
  # initrd to answer the cryptsetup prompt.
  adminAuthorizedKeys = lib.concatMap
    (user:
      lib.optionals (lib.elem "wheel" user.extraGroups)
        user.openssh.authorizedKeys.keys)
    (lib.attrValues config.users.users);
in
{
  deployment = {
    targetHost = net.secondaryIP4;
    # this enables the following services: restic-server
    tags = [ "resticServer" ];
  };

  imports = [
    ./hardware-configuration.nix
    ./impermanence.nix
    # syncthing (and its backup)
    ./syncthing.nix
    # fedi server
    ./gotosocial.nix
    ./smarthome
    ./scanner-sftp.nix
    ./websites
  ];

  # Public DNS: "<host>.home" carries the primary v4/v6 addresses, "<host>" and
  # "home" are CNAMEs onto it -- all three only while the PBB uplink is in use.
  dns.zones."ctu.cx".subdomains = {
    "${hostName}.home" = onUplink (pkgs.dns.lib.combinators.host net.primaryIP4 net.primaryIP);
    "${hostName}".CNAME = onUplink [ "${hostName}.home" ];
    "home".CNAME = onUplink [ "${hostName}.home" ];
  };

  age.secrets = {
    restic-server-briefkasten.file = ../../secrets/restic-server/briefkasten.age;
    restic-server-wanderduene.file = ../../secrets/restic-server/wanderduene.age;
    wireguard-privkey.file = ./. + "/../../secrets/${hostName}/wireguard-privkey.age";
  };

  boot = {
    kernel.sysctl = {
      # This host forwards between its networks (see the vlan/bridge and the
      # firewall's trusted interfaces below).
      "net.ipv6.conf.all.forwarding" = true;
      "net.ipv4.conf.all.forwarding" = true;
      # The uplink interface is addressed statically: no RA, no autoconf there.
      "net.ipv6.conf.enp1s0.forwarding" = onUplink 0;
      "net.ipv6.conf.enp1s0.autoconf" = onUplink 0;
      "net.ipv6.conf.enp1s0.accept_ra" = onUplink 0;
    };

    kernelModules = [ "intel_rapl_common" ];
    # seems to make realtek ethernet faster?
    kernelParams = [ "pcie_aspm=off" ];

    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };

    # Early-boot networking so the disk passphrase can be entered over SSH.
    initrd.network = {
      enable = true;
      ssh = {
        enable = true;
        port = 22;
        # NOTE(review): the system's own host key is imported into the initrd,
        # which lives unencrypted on the ESP; whoever can read that image can
        # present this host's SSH identity. A dedicated initrd-only key would
        # narrow that -- confirm the reuse is intended.
        hostKeys = [ /etc/ssh/ssh_host_rsa_key ];
        # Any wheel user's key reaches the unlock prompt.
        authorizedKeys = adminAuthorizedKeys;
      };
      postCommands = lib.concatStrings [
        ''
          echo 'cryptsetup-askpass' >> /root/.profile
        ''
        (lib.optionalString net.usePBBUplink ''
          sysctl -w net.ipv6.conf.enp1s0.autoconf=0
          sysctl -w net.ipv6.conf.enp1s0.accept_ra=0
        '')
        # NOTE(review): the public v4 address is configured here unconditionally,
        # whereas the main system config below adds it only with the uplink --
        # TODO confirm that asymmetry is intended.
        ''
          ip link set dev enp1s0 up
          ip addr add ${net.primaryIP4}/28 dev enp1s0
          ip addr add ${net.secondaryIP4}/8 dev enp1s0
          ip route add default via 195.39.246.41 dev enp1s0 onlink
        ''
        (lib.optionalString net.usePBBUplink ''
          ip addr add ${net.primaryIP}/128 dev enp1s0
          ip route add default via 2a0f:4ac0:acab::1 dev enp1s0 onlink
        '')
      ];
    };
  };

  nix = {
    optimise.automatic = false;
    gc.automatic = false;
  };

  systemd.network = {
    networks."40-enp1s0".networkConfig.IPv6AcceptRA = onUplink false;
    # Give the phone's network interface a stable name (usbmuxd is enabled
    # below, so presumably USB tethering).
    links."10-iphone" = {
      matchConfig.PermanentMACAddress = "aa:ab:b5:18:95:d9";
      linkConfig.Name = "iphone";
    };
  };

  networking = {
    useNetworkd = true;
    usePBBUplink = true;
    primaryIP = "2a0f:4ac0:acab::45";
    primaryIP4 = "195.39.246.45";
    secondaryIP4 = "10.0.0.45";
    domain = "home.ctu.cx";
    nameservers = [ "195.39.246.41" "2a0f:4ac0:acab::1" ];

    defaultGateway = {
      address = "195.39.246.41";
      interface = "enp1s0";
    };
    defaultGateway6 = onUplink {
      address = "2a0f:4ac0:acab::1";
      interface = "enp1s0";
    };

    vlans.vlan10 = {
      id = 10;
      interface = "enp1s0";
    };
    bridges.bruplink.interfaces = [ "vlan10" "iphone" ];

    interfaces.enp1s0 = {
      ipv4.addresses = [
        (onUplink { address = net.primaryIP4; prefixLength = 28; })
        { address = net.secondaryIP4; prefixLength = 8; }
      ];
      ipv6.addresses = onUplink [
        { address = net.primaryIP; prefixLength = 62; }
      ];
    };

    wireguard = {
      enable = true;
      interfaces.wg-wanderduene = {
        listenPort = 51820;
        privateKeyFile = config.age.secrets.wireguard-privkey.path;
        # NOTE(review): the key is supplied by agenix; if that file were missing
        # at activation this would quietly mint a fresh key and the peer below
        # would stop matching rather than fail loudly -- confirm that is acceptable.
        generatePrivateKeyFile = true;
        postSetup = "ip link set dev wg-wanderduene mtu 1500";
        ips = [ "172.17.0.2/24" ];
        peers = [
          {
            persistentKeepalive = 10;
            endpoint = "46.38.253.139:51821";
            allowedIPs = [ "172.17.0.0/24" ];
            publicKey = "hOUeP8RFchzJXyy8DceTFKN9f1VHi9GzZQii0dX2zww=";
          }
        ];
      };
    };

    firewall = {
      # 51820 is the WireGuard listen port above; 5201 is opened on both protocols.
      allowedTCPPorts = [ 5201 ];
      allowedUDPPorts = [ 5201 51820 ];
      trustedInterfaces = [ "wg-wanderduene" "vlan10" "bruplink" ];
      # Every TCP/UDP port is accepted from the home LAN, the public /28 and the
      # /48, so exposure control for those ranges rests on the networks
      # themselves, not on this host.
      extraCommands = ''
        iptables -A nixos-fw -p tcp -s 10.0.0.0/8 -j nixos-fw-accept
        iptables -A nixos-fw -p udp -s 10.0.0.0/8 -j nixos-fw-accept
        iptables -A nixos-fw -p tcp -s 195.39.246.32/28 -j nixos-fw-accept
        iptables -A nixos-fw -p udp -s 195.39.246.32/28 -j nixos-fw-accept
        ip6tables -A nixos-fw -p tcp -s 2a0f:4ac0:acab::/48 -j nixos-fw-accept
        ip6tables -A nixos-fw -p udp -s 2a0f:4ac0:acab::/48 -j nixos-fw-accept
      '';
    };
  };

  services = {
    usbmuxd.enable = true;
    email-notify.enable = true;

    logind.extraConfig = ''
      # don’t shutdown when power button is short-pressed
      HandlePowerKey=ignore
    '';

    # Bring the tether bridge up as soon as the "iphone" link appears.
    udev.extraRules = ''
      ACTION=="add", SUBSYSTEM=="net", ENV{INTERFACE}=="iphone", RUN+="${pkgs.systemd}/bin/networkctl up bruplink",
    '';

    nginx.virtualHosts = {
      "${config.networking.fqdn}" = tlsOffWithoutUplink;
      "restic.${hostName}.ctu.cx" = tlsOffWithoutUplink;
    };
  };

  ctucxConfig.programs = {
    yt-dlp.enable = true;
    ocrmypdf.enable = true;
  };

  system.stateVersion = "22.11"; # Did you read the comment?
  home-manager.users.leah.home.stateVersion = "22.11";
}