From 750625dfb72942652925f35e4271c17744c8902b Mon Sep 17 00:00:00 2001
From: xinyangli
Date: Thu, 6 Feb 2025 11:31:30 +0800
Subject: [PATCH 1/3] osmium/networking: init

---
 machines/osmium/default.nix | 60 +++++++++++++++++++++++++++++++------
 1 file changed, 51 insertions(+), 9 deletions(-)

diff --git a/machines/osmium/default.nix b/machines/osmium/default.nix
index 8378b1c..1785582 100644
--- a/machines/osmium/default.nix
+++ b/machines/osmium/default.nix
@@ -69,7 +69,7 @@
     neovim
     jq
     iptables
-    ebtables
+    nftables
     tcpdump
     busybox
     ethtool
@@ -88,15 +88,53 @@
   systemd.network = {
     enable = true;
-    networks."lan" = {
-      matchConfig.Name = "enu1";
-      networkConfig.DHCP = "no";
-      linkConfig.RequiredForOnline = "no";
-    };
     networks."wan" = {
       matchConfig.Name = "end0";
       networkConfig.DHCP = "yes";
-      linkConfig.RequiredForOnline = "yes";
+      linkConfig.RequiredForOnline = false;
+    };
+    networks."lan" = {
+      matchConfig.Name = "enu1";
+      networkConfig = {
+        DHCP = "no";
+        DHCPServer = "yes";
+        Address = "10.1.1.1/24";
+      };
+      dhcpServerConfig = {
+        ServerAddress = "10.1.1.1/24";
+        UplinkInterface = "end0";
+        EmitDNS = "yes";
+        DNS = [ "192.168.1.1" ];
+      };
+      linkConfig.RequiredForOnline = false;
+    };
+  };
+
+  networking.firewall.enable = false;
+  networking.nftables = {
+    enable = true;
+    tables = {
+      filter = {
+        family = "inet";
+        content = ''
+          chain forward {
+            iifname { "enu1" } oifname { "end0" } accept comment "Allow trusted LAN to WAN"
+            iifname { "end0" } oifname { "enu1" } ct state { established, related } accept comment "Allow established back to LANs"
+            iifname { "enu1" } oifname { "tailscale0" } accept comment "Allow LAN to Tailscale"
+          }
+        '';
+      };
+
+      nat = {
+        family = "ip";
+        content = ''
+          chain postrouting {
+            type nat hook postrouting priority 100; policy accept;
+            oifname "end0" masquerade
+            oifname "tailscale0" masquerade
+          }
+        '';
+      };
     };
   };
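Review bot: The `forward` chain in the `filter` table has no `type filter hook forward priority filter; policy drop;` line, so it is a regular chain that is never attached to the forward hook and none of its three accept rules ever sees a packet; with `networking.firewall.enable = false` and no `input` chain defined, nothing in this hunk restricts forwarding (WAN→LAN or tailscale0→LAN) or inbound connections on `end0` once IP forwarding is on. Add the hook declaration with a drop policy so the accept rules become the allow-list, and define an `input` base chain that drops by default while accepting loopback, the trusted interfaces, established/related traffic and ICMP/ICMPv6 (the latter is required for IPv6 neighbor discovery on `end0`). Whether the DHCP client on `end0` additionally needs `udp sport 67 udp dport 68 accept` depends on how systemd-networkd sends its requests, so verify after enabling. The `nat` chain already carries its hook declaration and is unaffected.
```nix
        content = ''
          chain input {
            type filter hook input priority filter; policy drop;
            iifname { "lo", "enu1", "tailscale0" } accept
            ct state { established, related } accept
            meta l4proto { icmp, icmpv6 } accept
          }
          chain forward {
            type filter hook forward priority filter; policy drop;
            # … unchanged: the three iifname/oifname accept rules …
          }
        '';
```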
@@ -105,7 +143,11 @@
     configFile = "/var/lib/dae/config.dae";
   };
 
-  services.tailscale.enable = true;
-
+  services.tailscale = {
+    enable = true;
+    extraSetFlags = [
+      "--advertise-routes=10.1.1.0/24"
+    ];
+  };
 };
}

From fc4a57febce24b36e2b2fa5ddd139bb7651061ca Mon Sep 17 00:00:00 2001
From: xinyangli
Date: Tue, 11 Feb 2025 15:27:20 +0800
Subject: [PATCH 2/3] flake.nix: catppuccin does not depends on home-manager anymore

---
 flake.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/flake.nix b/flake.nix
index fa354c6..0981a0c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -50,7 +50,6 @@
     catppuccin = {
       url = "github:catppuccin/nix";
       inputs.nixpkgs.follows = "nixpkgs";
-      inputs.home-manager.follows = "home-manager";
     };
 
     disko = {

From 3247d1edec6bd4b5958c7a67c8202311162b046a Mon Sep 17 00:00:00 2001
From: xinyangli
Date: Tue, 11 Feb 2025 15:28:12 +0800
Subject: [PATCH 3/3] monitor: wait for tailscale interface

---
 modules/nixos/monitor/exporters.nix | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/modules/nixos/monitor/exporters.nix b/modules/nixos/monitor/exporters.nix
index d0e006f..a178525 100644
--- a/modules/nixos/monitor/exporters.nix
+++ b/modules/nixos/monitor/exporters.nix
@@ -5,7 +5,7 @@
   ...
 }:
 let
-  inherit (lib) mkIf concatStringsSep;
+  inherit (lib) mkIf getExe;
   inherit (config.my-lib.settings) prometheusCollectors;
   cfg = config.custom.prometheus.exporters;
 in
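Review bot: Nothing in this patch turns on IP forwarding, which both the advertised `10.1.1.0/24` route and the LAN→WAN masquerade set up earlier in this file depend on; unless a sysctl is set elsewhere in the file, add `services.tailscale.useRoutingFeatures = "server";` next to `extraSetFlags` so `net.ipv4.ip_forward` and the IPv6 equivalent are enabled by the module rather than by hand. The `--advertise-routes` line also deserves a comment that the subnet only becomes reachable once the route is approved in the admin console and that every node the ACLs allow then has a path into the LAN, e.g. `# subnet router: route must be approved in the Tailscale admin console; ACLs gate who may reach 10.1.1.0/24`. The surrounding configuration starts outside the hunk.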
@@ -16,6 +16,30 @@ in
       ++ (lib.optional cfg.blackbox.enable "prometheus-blackbox-exporters.service")
       ++ (lib.optional config.services.caddy.enable "caddy.service");
 
+  systemd.services.tailscaled.serviceConfig.ExecStartPost =
+    pkgs.writers.writePython3Bin "tailscale-wait-online"
+      {
+        flakeIgnore = [
+          "E401" # import on one line
+          "E501" # line length limit
+        ];
+      }
+      ''
+        import subprocess, json, time
+
+        for _ in range(30):
+          status = json.loads(
+            subprocess.run(
+              ["${getExe config.services.tailscale.package}", "status", "--peers=false", "--json"], capture_output=True
+            ).stdout
+          )["Self"]["Online"]
+          if status:
+            exit(0)
+          time.sleep(1)
+
+        exit(1)
+      '';
+
   services.prometheus.exporters.node = mkIf cfg.node.enable {
     enable = true;
     enabledCollectors = [
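Review bot: A failed readiness check takes tailscaled down with it: `ExecStartPost` exiting non-zero — after the 30 s loop, or from the uncaught `JSONDecodeError`/`TypeError` when `tailscale status` has no daemon socket to talk to yet or `Self` is null because the node is logged out — marks the unit failed, so a host that is offline or needs re-authentication can never get tailscaled running to fix that. Exit 0 on timeout and guard the parse so the check is best-effort, or move the wait into its own oneshot unit that the exporters listed above order after, leaving tailscaled itself untouched. The value assigned to `ExecStartPost` is the `writePython3Bin` derivation, which stringifies to the store directory rather than `bin/tailscale-wait-online`; wrap it in `getExe` (already inherited at the top of this file) or append `/bin/tailscale-wait-online` unless the unit generator resolves this for you. Prefer `sys.exit` over the `site`-provided `exit` builtin in a script.
```nix
  systemd.services.tailscaled.serviceConfig.ExecStartPost = getExe (
    pkgs.writers.writePython3Bin "tailscale-wait-online"
      # … unchanged: flakeIgnore attrs …
      ''
        import subprocess, json, sys, time

        for _ in range(30):
          try:
            self_status = json.loads(
              subprocess.run(
                ["${getExe config.services.tailscale.package}", "status", "--peers=false", "--json"], capture_output=True
              ).stdout
            )["Self"]
            if self_status and self_status["Online"]:
              sys.exit(0)
          except (ValueError, KeyError, TypeError):
            pass  # daemon not answering yet or node logged out; keep polling
          time.sleep(1)

        print("tailscale not online after 30s, continuing", file=sys.stderr)
        sys.exit(0)  # best effort: never fail tailscaled itself
      ''
  );
```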