From 93f227ba7eab22f4e4d0c5c938573ca049702bd2 Mon Sep 17 00:00:00 2001
From: cnst
Date: Sun, 5 Oct 2025 15:40:52 +0200
Subject: [PATCH] feat(network): adding options for dns and search

---
 hosts/kima/modules.nix | 13 +++++++--
 hosts/sobotka/modules.nix | 2 +-
 hosts/sobotka/server.nix | 3 ++
 modules/default.nix | 1 +
 modules/nixos/hardware/network/default.nix | 33 ++++++++++++++--------
 modules/server/jellyfin/default.nix | 6 ++--
 modules/server/tailscale/default.nix | 28 ++++++++++++++++++
 modules/server/traefik/default.nix | 2 +-
 secrets/secrets.nix | 1 +
 secrets/sobotkaTsAuth.age | 11 ++++++++
 10 files changed, 81 insertions(+), 19 deletions(-)
 create mode 100644 modules/server/tailscale/default.nix
 create mode 100644 secrets/sobotkaTsAuth.age

diff --git a/hosts/kima/modules.nix b/hosts/kima/modules.nix
index 8ae58028..b55f53d9 100644
--- a/hosts/kima/modules.nix
+++ b/hosts/kima/modules.nix
@@ -3,8 +3,8 @@
 boot = {
 kernel = {
 variant = "latest";
- hardware = [ "amd" ];
- extraKernelParams = [ ];
+ hardware = ["amd"];
+ extraKernelParams = [];
 amdOverdrive.enable = true;
 };
 loader = {
@@ -22,13 +22,20 @@
 };
 graphics = {
 enable = true;
- vendors = [ "amd" ];
+ vendors = ["amd"];
 };
 logitech = {
 enable = true;
 };
 network = {
 enable = true;
+ nameservers = [
+ "192.168.88.1"
+ "192.168.88.69"
+ ];
+ search = [
+ "taila7448a.ts.net"
+ ];
 interfaces = {
 "eno1" = {
 allowedTCPPorts = [
diff --git a/hosts/sobotka/modules.nix b/hosts/sobotka/modules.nix
index 770172cc..4d70c502 100644
--- a/hosts/sobotka/modules.nix
+++ b/hosts/sobotka/modules.nix
@@ -214,7 +214,7 @@
 flags = "--performance";
 };
 tailscale = {
- enable = true;
+ enable = false;
 };
 udisks = {
 enable = true;
diff --git a/hosts/sobotka/server.nix b/hosts/sobotka/server.nix
index 08323b7c..d6d60b1e 100644
--- a/hosts/sobotka/server.nix
+++ b/hosts/sobotka/server.nix
@@ -11,6 +11,9 @@
 traefik = {
 enable = true;
 };
+ tailscale = {
+ enable = true;
+ };
 gitea = {
 enable = true;
 };
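Review bot: The added `search = ["taila7448a.ts.net"]` pairs a tailnet suffix with LAN-only resolvers (`192.168.88.1`, `192.168.88.69`), so every unqualified lookup on kima is retried with the tailnet suffix against the LAN DNS; those names presumably only resolve if that resolver forwards `*.ts.net` to MagicDNS, and each retry reveals tailnet hostnames to whoever operates the LAN resolver. If split DNS is not configured there, add `"100.100.100.100"` to `nameservers` or let tailscaled manage DNS instead of a static search path, and record the decision in a comment above `search`. The `network` block and its `interfaces` attribute continue past the end of the hunk.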
diff --git a/modules/default.nix b/modules/default.nix
index f1c8d7be..f0c6f11d 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -144,6 +144,7 @@
 ./server/traefik
 ./server/www
 ./server/authentik
+ ./server/tailscale
 ];
 };
 settings = {
diff --git a/modules/nixos/hardware/network/default.nix b/modules/nixos/hardware/network/default.nix
index 29a02ccf..7bc76281 100644
--- a/modules/nixos/hardware/network/default.nix
+++ b/modules/nixos/hardware/network/default.nix
@@ -2,38 +2,47 @@
 config,
 lib,
 ...
-}:
-let
- inherit (lib)
+}: let
+ inherit
+ (lib)
 mkIf
 mkEnableOption
 mkOption
 types
 ;
 cfg = config.nixos.hardware.network;
-in
-{
+in {
 options = {
 nixos.hardware.network = {
 enable = mkEnableOption "Enable the custom networking module";
+ nameservers = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ description = "The list of nameservers ";
+ };
+ search = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ description = "Domain search paths";
+ };
 interfaces = mkOption {
 type = types.attrsOf (
 types.submodule {
 options = {
 allowedTCPPorts = mkOption {
 type = types.listOf types.int;
- default = [ ];
+ default = [];
 description = "List of allowed TCP ports for this interface.";
 };
 allowedUDPPorts = mkOption {
 type = types.listOf types.int;
- default = [ ];
+ default = [];
 description = "List of allowed UDP ports for this interface.";
 };
 };
 }
 );
- default = { };
+ default = {};
 description = "Network interface configurations.";
 };
 extraHosts = mkOption {
@@ -47,7 +56,7 @@ in
 config = mkIf cfg.enable {
 assertions = [
 {
- assertion = cfg.interfaces != { } -> config.networking.networkmanager.enable;
+ assertion = cfg.interfaces != {} -> config.networking.networkmanager.enable;
 message = "Network interfaces configured but NetworkManager is not enabled";
 }
 ];
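Review bot: The `nameservers` description `"The list of nameservers "` carries a trailing space, and neither new option says what it feeds or how it interacts with NetworkManager, which this module turns on unconditionally in a later hunk. I would write `description = "Static resolver addresses passed through to networking.nameservers; confirm NetworkManager's DNS mode does not replace them with DHCP-provided servers.";` and `description = "Domain suffixes passed through to networking.search; unqualified names are retried with each suffix, so keep the list short and trusted.";`. The option set continues with `extraHosts` beyond the end of the hunk.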
@@ -55,6 +64,8 @@ in
 networking = {
 networkmanager.enable = true;
 nftables.enable = true;
+ nameservers = cfg.nameservers;
+ search = cfg.search;
 firewall = {
 enable = true;
 inherit (cfg) interfaces;
@@ -63,8 +74,8 @@ in
 };
 
 systemd.services.NetworkManager = {
- wants = [ "nftables.service" ];
- after = [ "nftables.service" ];
+ wants = ["nftables.service"];
+ after = ["nftables.service"];
 };
 };
 }
diff --git a/modules/server/jellyfin/default.nix b/modules/server/jellyfin/default.nix
index ae4d1936..453b3ae2 100644
--- a/modules/server/jellyfin/default.nix
+++ b/modules/server/jellyfin/default.nix
@@ -18,7 +18,7 @@ in {
 };
 url = lib.mkOption {
 type = lib.types.str;
- default = "jellyfin.${srv.domain}";
+ default = "sobotka.taila7448a.ts.net";
 };
 homepage.name = lib.mkOption {
 type = lib.types.str;
@@ -53,9 +53,9 @@ in {
 routers = {
 jellyfinRouter = {
 entryPoints = ["websecure"];
- rule = "Host(`fin.${srv.www.url}`)";
+ rule = "Host(`${cfg.url}`)";
 service = "${unit}";
- tls.certResolver = "tailscale";
+ tls.certResolver = "vpn";
 };
 };
 };
diff --git a/modules/server/tailscale/default.nix b/modules/server/tailscale/default.nix
new file mode 100644
index 00000000..0b19feff
--- /dev/null
+++ b/modules/server/tailscale/default.nix
@@ -0,0 +1,28 @@
+{
+ config,
+ lib,
+ self,
+ ...
+}:
+with lib; let
+ cfg = config.server.tailscale;
+in {
+ options.server.tailscale = {
+ enable = mkEnableOption "Enable tailscale server configuration";
+ };
+
+ config = mkIf cfg.enable {
+ age.secrets.sobotkaTsAuth.file = "${self}/secrets/sobotkaTsAuth.age";
+
+ services.tailscale = {
+ enable = true;
+ openFirewall = true;
+ useRoutingFeatures = "server";
+ authKeyFile = config.age.secrets.sobotkaTsAuth.path;
+ extraSetFlags = [
+ "--advertise-exit-node"
+ "--advertise-routes=192.168.88.0/24"
+ ];
+ };
+ };
+}
diff --git a/modules/server/traefik/default.nix b/modules/server/traefik/default.nix
index 34225bc0..2ec376b7 100644
--- a/modules/server/traefik/default.nix
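Review bot: The two new assignments `nameservers = cfg.nameservers;` and `search = cfg.search;` sit directly above `inherit (cfg) interfaces;`, which already uses the inherit form for the same kind of pass-through; folding them into that idiom as `inherit (cfg) nameservers search;` keeps the block consistent with no change in behaviour. The `networking` attribute set closes in the following hunk.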
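Review bot: The new default `url = "sobotka.taila7448a.ts.net"` hard-codes one host's MagicDNS name into a module that, judging by the `server.*` namespace, is imported by every server, so a second host enabling jellyfin would route and request a certificate for sobotka's name, which Tailscale only issues to sobotka itself. Deriving it from the host, e.g. `default = "${config.networking.hostName}.taila7448a.ts.net";`, keeps the tailnet suffix in one place and the name correct per host, assuming `config` is among this file's module arguments (the header is outside the hunk). A short comment above `url` saying the value must be this node's own tailnet FQDN because the `vpn` cert resolver cannot issue for anything else would also help.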
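Review bot: `--advertise-exit-node` together with `--advertise-routes=192.168.88.0/24` and `useRoutingFeatures = "server"` turn sobotka into both a subnet router for the entire LAN and an internet egress for every peer the tailnet ACL lets reach it, and nothing in the file records that those advertisements still have to be approved (or covered by `autoApprovers`) and ACL-scoped on the control plane; a comment stating that above `extraSetFlags` would spare the next reader a surprise. The module is also named generically (`server.tailscale`) yet bakes in `sobotkaTsAuth` and this one subnet, so any other host enabling it would reuse sobotka's pre-auth key and advertise a subnet it may not sit on; the key path, route list and exit-node flag are better exposed as options, with sobotka setting `exitNode = true` to keep today's behaviour, as sketched below. Separately, `with lib;` at file scope shadows names silently, whereas the other modules in this patch use `inherit (lib) ...`, which is the safer form. Whether the pre-auth key is single-use or reusable is not visible here; if reusable, its expiry and tags deserve a comment next to `authKeyFile`.
```nix
  options.server.tailscale = {
    enable = mkEnableOption "Enable tailscale server configuration";
    authKeyFile = mkOption {
      type = types.path;
      default = config.age.secrets.sobotkaTsAuth.path;
      description = "Pre-auth key used for the first `tailscale up`; prefer a single-use, tagged key.";
    };
    advertiseRoutes = mkOption {
      type = types.listOf types.str;
      default = ["192.168.88.0/24"];
      description = "Subnets advertised to the tailnet; they still need approval or autoApprovers in the admin console.";
    };
    exitNode = mkEnableOption "advertising this host as an exit node";
  };

  config = mkIf cfg.enable {
    # … unchanged: age.secrets.sobotkaTsAuth.file …
    services.tailscale = {
      enable = true;
      openFirewall = true;
      useRoutingFeatures = "server";
      authKeyFile = cfg.authKeyFile;
      # Advertising alone grants nothing: routes and exit-node use are gated by the control-plane ACL.
      extraSetFlags =
        optional (cfg.advertiseRoutes != []) "--advertise-routes=${concatStringsSep "," cfg.advertiseRoutes}"
        ++ optional cfg.exitNode "--advertise-exit-node";
    };
  };
```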
+++ b/modules/server/traefik/default.nix
@@ -49,7 +49,7 @@ in {
 dashboard = true;
 };
 certificatesResolvers = {
- tailscale.tailscale = {};
+ vpn.tailscale = {};
 letsencrypt = {
 acme = {
 email = "adam@cnst.dev";
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index fff8f319..a84e62be 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -61,6 +61,7 @@ in {
 "traefikEnv.age".publicKeys = kima ++ sobotka;
 "wwwCloudflared.age".publicKeys = kima ++ sobotka;
 "authentikCloudflared.age".publicKeys = kima ++ sobotka;
+ "sobotkaTsAuth.age".publicKeys = kima ++ sobotka;
 
 # Ziggy-specific
 "cloudflareDnsCredentialsZiggy.age".publicKeys = kima ++ ziggy;
diff --git a/secrets/sobotkaTsAuth.age b/secrets/sobotkaTsAuth.age
new file mode 100644
index 00000000..283a48d5
--- /dev/null
+++ b/secrets/sobotkaTsAuth.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 t9iOEg fftdt8orBZoM0sDRAXf0TScDLosNWWWIg7JmmuunuWM
+2IfpTH6ptSyLnBtBStkk7SINct6LtBHrL6h22BVNb+k
+-> ssh-ed25519 KUYMFA HI04mnVOGPRsRhnqCkbO4My/sBq5v/3UYxDVcfIe4RM
+fcSApUYCnJlpzVW5e77CFoSHamEmP+6ztMmzp2WlJvY
+-> ssh-ed25519 76RhUQ c2FbmTXGl/F+1acZFEJUoenkxiIGdoXkT67VgxvoFHg
+eWExqblEp5VIeXuPEuvj4QAIWtFX5KLfMyh6/fZ9bnA
+-> ssh-ed25519 Jf8sqw IAcUf70EufTyjsva8XIlXOfPxwXvtr9AFl0LwrdAMgc
+bY098fejLaFbUMX0iF89gz8kiOGZHI8JIg4NzX4ItFw
+--- WNqpLyRM2EqISbZky++NbKLw4GCEgwbz2O5+VO7aKzE
+ò„“Í(5Ñq ÍÍmýCëàGƒr¿£¶ƒ¾ÞÞ’3©¥ç²7öëºrGái€c7ÍiÏP‘ºlåû7â<„r?cGoŠ^ÇšËW˜Vèßf,2ÉQg!¯t_„
\ No newline at end of file
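Review bot: `"sobotkaTsAuth.age".publicKeys = kima ++ sobotka;` lets every recipient in both lists decrypt a Tailscale pre-auth key, i.e. a credential that enrolls a machine into the tailnet as a subnet router and exit node per the new module, while only sobotka needs it at runtime. If `kima` is the admin set used for editing secrets that is a deliberate trade-off, but it should be the smallest set that works, and the key itself should be single-use with a short expiry and tagged (tagged nodes have key expiry disabled by default) so a leaked copy is worthless after the first `tailscale up`; a comment recording that, e.g. `# single-use, tagged pre-auth key; only sobotka needs it at runtime`, belongs next to the line. The `kima` and `sobotka` recipient lists and the enclosing attribute set are defined outside the hunk, so which keys they actually contain cannot be checked here.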