# SPDX-FileCopyrightText: 2020 Luke Granger-Brown # # SPDX-License-Identifier: Apache-2.0 { depot, lib, pkgs, rebuilder, config, ... }: let inherit (depot.ops) secrets; in { boot.initrd.availableKernelModules = [ "sd_mod" "ahci" "usb_storage" "usbhid" ]; boot.kernelParams = [ "mitigations=off" ]; fileSystems = { "/" = { device = "/dev/disk/by-uuid/fc964ef6-e3d0-4472-bc0e-f96f977ebf11"; fsType = "ext4"; }; "/boot" = { device = "/dev/disk/by-uuid/AB36-5BE4"; fsType = "vfat"; }; }; nix.maxJobs = lib.mkDefault 4; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; # Networking! networking = { hostName = "swann"; # Define your hostname. domain = "house.as205479.net"; nameservers = ["8.8.8.8" "8.8.4.4"]; useDHCP = false; interfaces = { ens-virginmedia = { useDHCP = true; }; ens-general = { ipv4.addresses = [ { address = "192.168.1.1"; prefixLength = 23; } ]; }; }; }; my.ip.tailscale = "100.102.224.95"; services.udev.extraRules = '' ATTR{address}=="e4:3a:6e:16:07:62", NAME="ens-virginmedia" ATTR{address}=="e4:3a:6e:16:07:67", NAME="ens-general" ''; boot.kernel.sysctl = { "net.ipv4.ip_forward" = "1"; "net.ipv6.conf.default.forwarding" = "1"; "net.ipv6.conf.all.forwarding" = "1"; }; networking.nat = { enable = true; externalInterface = "ens-virginmedia"; internalInterfaces = ["ens-general"]; forwardPorts = [ { destination = "192.168.1.40:22"; proto = "tcp"; sourcePort = 10022; } { destination = "192.168.1.40:41641"; proto = "udp"; sourcePort = 41641; } ]; }; services.dhcpd4 = { enable = true; interfaces = ["ens-general"]; authoritative = true; extraConfig = '' subnet 192.168.1.0 netmask 255.255.255.0 { option subnet-mask 255.255.255.0; option routers 192.168.1.1; option domain-name-servers 8.8.8.8, 8.8.4.4; option domain-name "house.as205479.net"; default-lease-time 600; max-lease-time 3600; range 192.168.1.100 192.168.1.200; } ''; machines = [ { hostName = "totoro"; ethernetAddress = "40:8d:5c:1f:e8:68"; ipAddress = "192.168.1.40"; } { hostName = "totoro-pfsense"; ethernetAddress = "52:54:00:cf:cd:94"; ipAddress = "192.168.1.41"; } { hostName = "kvm"; ethernetAddress = "00:0d:5d:1b:14:ba"; ipAddress = "192.168.1.50"; } ]; }; networking.localCommands = '' tc qdisc del dev ens-virginmedia root || true tc qdisc add dev ens-virginmedia root cake bandwidth 20Mbit docsis nat dual-srchost ip link add name ifb-virginmedia type ifb || true tc qdisc del dev ens-virginmedia ingress || true tc qdisc add dev ens-virginmedia handle ffff: ingress tc qdisc del dev ifb-virginmedia root || true tc qdisc add dev ifb-virginmedia root cake bandwidth 450Mbit besteffort docsis nat wash dual-dsthost ip link set dev ifb-virginmedia up tc filter add dev ens-virginmedia parent ffff: matchall action mirred egress redirect dev ifb-virginmedia ''; services.unifi = { enable = true; openPorts = false; unifiPackage = pkgs.unifiBeta; }; services.prometheus.exporters.unifi-poller = { enable = true; controllers = [{ url = "https://localhost:8443"; verify_ssl = false; user = "unifipoller"; pass = pkgs.writeTextFile { name = "unifipoller-password"; text = "unifipoller"; }; }]; }; networking.firewall = { interfaces.ens-general = { allowedTCPPorts = [ 8080 6789 # Unifi ]; allowedUDPPorts = [ 3478 10001 # Unifi ]; }; }; environment.systemPackages = with pkgs; []; system.stateVersion = "21.03"; }