# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
{ depot, lib, pkgs, rebuilder, config, ... }:

let
  # NOTE(review): `secrets` is bound here but never referenced in this file;
  # the unifi-poller credential further down is a string literal instead.
  inherit (depot.ops) secrets;
in {
  boot = {
    initrd.availableKernelModules = [ "sd_mod" "ahci" "usb_storage" "usbhid" ];

    # `mitigations=off` disables the kernel's CPU-vulnerability mitigations in
    # exchange for performance; anything on this host that runs untrusted code
    # loses that protection, so keep this a deliberate choice per host.
    kernelParams = [ "mitigations=off" ];

    # systemd-boot on EFI, allowed to write EFI variables.
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };

    # This host routes between the WAN and LAN interfaces (see networking.nat).
    kernel.sysctl = {
      "net.ipv4.ip_forward" = "1";
      "net.ipv6.conf.default.forwarding" = "1";
      "net.ipv6.conf.all.forwarding" = "1";
    };
  };

  fileSystems = {
    "/" = {
      device = "/dev/disk/by-uuid/fc964ef6-e3d0-4472-bc0e-f96f977ebf11";
      fsType = "ext4";
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/AB36-5BE4";
      fsType = "vfat";
    };
  };

  nix.maxJobs = lib.mkDefault 4;

  # Stable interface names keyed on MAC address; every rule below refers to
  # these names rather than to the kernel's predictable names.
  services.udev.extraRules = ''
    ATTR{address}=="e4:3a:6e:16:07:62", NAME="ens-virginmedia"
    ATTR{address}=="e4:3a:6e:16:07:67", NAME="ens-general"
  '';

  networking = {
    hostName = "swann";
    domain = "house.as205479.net";
    nameservers = [ "8.8.8.8" "8.8.4.4" ];

    # Only the cable-modem side takes a DHCP lease; the LAN side is static.
    useDHCP = false;
    interfaces = {
      ens-virginmedia.useDHCP = true;
      # NOTE(review): this address is /23 while dhcpd below hands out a /24
      # subnet-mask for 192.168.1.0 — confirm the mismatch is intended.
      ens-general.ipv4.addresses = [
        { address = "192.168.1.1"; prefixLength = 23; }
      ];
    };

    # Masquerade the LAN out of the cable interface, plus two inbound forwards
    # to totoro (192.168.1.40, see services.dhcpd4.machines): WAN TCP 10022 to
    # its SSH port and UDP 41641 (presumably its Tailscale listener). Both are
    # reachable from the whole WAN, so totoro's SSH exposure is the WAN's.
    nat = {
      enable = true;
      externalInterface = "ens-virginmedia";
      internalInterfaces = [ "ens-general" ];
      forwardPorts = [
        { destination = "192.168.1.40:22"; proto = "tcp"; sourcePort = 10022; }
        { destination = "192.168.1.40:41641"; proto = "udp"; sourcePort = 41641; }
      ];
    };

    # Unifi controller ports are opened on the LAN interface only; the WAN
    # side stays closed because services.unifi.openPorts is false below.
    firewall.interfaces.ens-general = {
      allowedTCPPorts = [ 8080 6789 ]; # Unifi
      allowedUDPPorts = [ 3478 10001 ]; # Unifi
    };

    # CAKE shaping: egress is shaped on the cable interface itself; ingress is
    # redirected to an IFB device and shaped there.
    localCommands = ''
      tc qdisc del dev ens-virginmedia root || true
      tc qdisc add dev ens-virginmedia root cake bandwidth 20Mbit docsis nat dual-srchost

      ip link add name ifb-virginmedia type ifb || true
      tc qdisc del dev ens-virginmedia ingress || true
      tc qdisc add dev ens-virginmedia handle ffff: ingress
      tc qdisc del dev ifb-virginmedia root || true
      tc qdisc add dev ifb-virginmedia root cake bandwidth 450Mbit besteffort docsis nat wash dual-dsthost
      ip link set dev ifb-virginmedia up
      tc filter add dev ens-virginmedia parent ffff: matchall action mirred egress redirect dev ifb-virginmedia
    '';
  };

  my.ip.tailscale = "100.102.224.95";

  services.dhcpd4 = {
    enable = true;
    interfaces = [ "ens-general" ];
    authoritative = true;
    extraConfig = ''
      subnet 192.168.1.0 netmask 255.255.255.0 {
        option subnet-mask 255.255.255.0;
        option routers 192.168.1.1;
        option domain-name-servers 8.8.8.8, 8.8.4.4;
        option domain-name "house.as205479.net";
        default-lease-time 600;
        max-lease-time 3600;

        range 192.168.1.100 192.168.1.200;
      }
    '';
    # Fixed leases; all three addresses sit below the dynamic range.
    machines = [
      { hostName = "totoro"; ethernetAddress = "40:8d:5c:1f:e8:68"; ipAddress = "192.168.1.40"; }
      { hostName = "totoro-pfsense"; ethernetAddress = "52:54:00:cf:cd:94"; ipAddress = "192.168.1.41"; }
      { hostName = "kvm"; ethernetAddress = "00:0d:5d:1b:14:ba"; ipAddress = "192.168.1.50"; }
    ];
  };

  services.unifi = {
    enable = true;
    openPorts = false;
    unifiPackage = pkgs.unifiBeta;
  };

  services.prometheus.exporters.unifi-poller = {
    enable = true;
    controllers = [{
      # The controller is reached on localhost and its TLS certificate is not
      # verified, so this poller trusts whatever answers on 8443 locally.
      url = "https://localhost:8443";
      verify_ssl = false;
      user = "unifipoller";
      # NOTE(review): writeTextFile places this literal in the world-readable
      # Nix store; sourcing it from `secrets` (or a file outside the store)
      # would keep the controller credential off-store.
      pass = pkgs.writeTextFile { name = "unifipoller-password"; text = "unifipoller"; };
    }];
  };

  environment.systemPackages = [ ];

  system.stateVersion = "21.03";
}