feat(network): adding options for dns and search

2025-10-05 15:40:52 +02:00
parent 9d20eff7f9
commit 93f227ba7e
10 changed files with 81 additions and 19 deletions
--- a/hosts/kima/modules.nix
+++ b/hosts/kima/modules.nix
@@ -29,6 +29,13 @@
      };
      network = {
        enable = true;
+        nameservers = [
+          "192.168.88.1"
+          "192.168.88.69"
+        ];
+        search = [
+          "taila7448a.ts.net"
+        ];
        interfaces = {
          "eno1" = {
            allowedTCPPorts = [
--- a/hosts/sobotka/modules.nix
+++ b/hosts/sobotka/modules.nix
@@ -214,7 +214,7 @@
        flags = "--performance";
      };
      tailscale = {
-        enable = true;
+        enable = false;
      };
      udisks = {
        enable = true;
--- a/hosts/sobotka/server.nix
+++ b/hosts/sobotka/server.nix
@@ -11,6 +11,9 @@
    traefik = {
      enable = true;
    };
+    tailscale = {
+      enable = true;
+    };
    gitea = {
      enable = true;
    };
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -144,6 +144,7 @@
        ./server/traefik
        ./server/www
        ./server/authentik
+        ./server/tailscale
      ];
    };
    settings = {
--- a/modules/nixos/hardware/network/default.nix
+++ b/modules/nixos/hardware/network/default.nix
@@ -2,20 +2,29 @@
  config,
  lib,
  ...
-}:
-let
-  inherit (lib)
+}: let
+  inherit
+    (lib)
    mkIf
    mkEnableOption
    mkOption
    types
    ;
  cfg = config.nixos.hardware.network;
-in
-{
+in {
  options = {
    nixos.hardware.network = {
      enable = mkEnableOption "Enable the custom networking module";
+      nameservers = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = "The list of nameservers ";
+      };
+      search = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = "Domain search paths";
+      };
      interfaces = mkOption {
        type = types.attrsOf (
          types.submodule {
@@ -55,6 +64,8 @@ in
    networking = {
      networkmanager.enable = true;
      nftables.enable = true;
+      nameservers = cfg.nameservers;
+      search = cfg.search;
      firewall = {
        enable = true;
        inherit (cfg) interfaces;
--- a/modules/server/jellyfin/default.nix
+++ b/modules/server/jellyfin/default.nix
@@ -18,7 +18,7 @@ in {
    };
    url = lib.mkOption {
      type = lib.types.str;
-      default = "jellyfin.${srv.domain}";
+      default = "sobotka.taila7448a.ts.net";
    };
    homepage.name = lib.mkOption {
      type = lib.types.str;
@@ -53,9 +53,9 @@ in {
          routers = {
            jellyfinRouter = {
              entryPoints = ["websecure"];
-              rule = "Host(`fin.${srv.www.url}`)";
+              rule = "Host(`${cfg.url}`)";
              service = "${unit}";
-              tls.certResolver = "tailscale";
+              tls.certResolver = "vpn";
            };
          };
        };
--- a/modules/server/tailscale/default.nix
+++ b/modules/server/tailscale/default.nix
@@ -0,0 +1,28 @@
+{
+  config,
+  lib,
+  self,
+  ...
+}:
+with lib; let
+  cfg = config.server.tailscale;
+in {
+  options.server.tailscale = {
+    enable = mkEnableOption "Enable tailscale server configuration";
+  };
+
+  config = mkIf cfg.enable {
+    age.secrets.sobotkaTsAuth.file = "${self}/secrets/sobotkaTsAuth.age";
+
+    services.tailscale = {
+      enable = true;
+      openFirewall = true;
+      useRoutingFeatures = "server";
+      authKeyFile = config.age.secrets.sobotkaTsAuth.path;
+      extraSetFlags = [
+        "--advertise-exit-node"
+        "--advertise-routes=192.168.88.0/24"
+      ];
+    };
+  };
+}
--- a/modules/server/traefik/default.nix
+++ b/modules/server/traefik/default.nix
@@ -49,7 +49,7 @@ in {
            dashboard = true;
          };
          certificatesResolvers = {
-            tailscale.tailscale = {};
+            vpn.tailscale = {};
            letsencrypt = {
              acme = {
                email = "adam@cnst.dev";
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -61,6 +61,7 @@ in {
  "traefikEnv.age".publicKeys = kima ++ sobotka;
  "wwwCloudflared.age".publicKeys = kima ++ sobotka;
  "authentikCloudflared.age".publicKeys = kima ++ sobotka;
+  "sobotkaTsAuth.age".publicKeys = kima ++ sobotka;

  # Ziggy-specific
  "cloudflareDnsCredentialsZiggy.age".publicKeys = kima ++ ziggy;
--- a/secrets/sobotkaTsAuth.age
+++ b/secrets/sobotkaTsAuth.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 t9iOEg fftdt8orBZoM0sDRAXf0TScDLosNWWWIg7JmmuunuWM
+2IfpTH6ptSyLnBtBStkk7SINct6LtBHrL6h22BVNb+k
+-> ssh-ed25519 KUYMFA HI04mnVOGPRsRhnqCkbO4My/sBq5v/3UYxDVcfIe4RM
+fcSApUYCnJlpzVW5e77CFoSHamEmP+6ztMmzp2WlJvY
+-> ssh-ed25519 76RhUQ c2FbmTXGl/F+1acZFEJUoenkxiIGdoXkT67VgxvoFHg
+eWExqblEp5VIeXuPEuvj4QAIWtFX5KLfMyh6/fZ9bnA
+-> ssh-ed25519 Jf8sqw IAcUf70EufTyjsva8XIlXOfPxwXvtr9AFl0LwrdAMgc
+bY098fejLaFbUMX0iF89gz8kiOGZHI8JIg4NzX4ItFw
+--- WNqpLyRM2EqISbZky++NbKLw4GCEgwbz2O5+VO7aKzE
+<EFBFBD><EFBFBD><1A><>(5<0F>q	<09><>m<EFBFBD>C<EFBFBD><43>G<EFBFBD>r<><72><16><><EFBFBD><EFBFBD>ޒ3<DE92><33><17><1F>7<><37><EFBFBD>rG<72>i<EFBFBD>c7<63>i<EFBFBD>P<EFBFBD><50>l<EFBFBD><19>7<EFBFBD><<3C>r?cGo<47>^ǚ<>W<0E>V<EFBFBD><56>f,2<>Qg!<21>t_<74>