diff --git a/flake.nix b/flake.nix
index 0981a0c..fa354c6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -50,6 +50,7 @@
 catppuccin = {
 url = "github:catppuccin/nix";
 inputs.nixpkgs.follows = "nixpkgs";
+ inputs.home-manager.follows = "home-manager";
 };
 
 disko = {
diff --git a/machines/osmium/default.nix b/machines/osmium/default.nix
index 1785582..8378b1c 100644
--- a/machines/osmium/default.nix
+++ b/machines/osmium/default.nix
@@ -69,7 +69,7 @@
 neovim
 jq
 iptables
- nftables
+ ebtables
 tcpdump
 busybox
 ethtool
@@ -88,53 +88,15 @@
 
 systemd.network = {
 enable = true;
+ networks."lan" = {
+ matchConfig.Name = "enu1";
+ networkConfig.DHCP = "no";
+ linkConfig.RequiredForOnline = "no";
+ };
 networks."wan" = {
 matchConfig.Name = "end0";
 networkConfig.DHCP = "yes";
- linkConfig.RequiredForOnline = false;
- };
- networks."lan" = {
- matchConfig.Name = "enu1";
- networkConfig = {
- DHCP = "no";
- DHCPServer = "yes";
- Address = "10.1.1.1/24";
- };
- dhcpServerConfig = {
- ServerAddress = "10.1.1.1/24";
- UplinkInterface = "end0";
- EmitDNS = "yes";
- DNS = [ "192.168.1.1" ];
- };
- linkConfig.RequiredForOnline = false;
- };
- };
-
- networking.firewall.enable = false;
- networking.nftables = {
- enable = true;
- tables = {
- filter = {
- family = "inet";
- content = ''
- chain forward {
- iifname { "enu1" } oifname { "end0" } accept comment "Allow trusted LAN to WAN"
- iifname { "end0" } oifname { "enu1" } ct state { established, related } accept comment "Allow established back to LANs"
- iifname { "enu1" } oifname { "tailscale0" } accept comment "Allow LAN to Tailscale"
- }
- '';
- };
-
- nat = {
- family = "ip";
- content = ''
- chain postrouting {
- type nat hook postrouting priority 100; policy accept;
- oifname "end0" masquerade
- oifname "tailscale0" masquerade
- }
- '';
- };
+ linkConfig.RequiredForOnline = "yes";
 };
 };
 
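Review bot: The new `networks."lan"` block in the second machines/osmium/default.nix hunk leaves `enu1` with `DHCP = "no"` and no `Address`, so the port comes up with no IPv4 configuration at all, whereas the removed block assigned `10.1.1.1/24`; if the port is now meant to be bridged (the `nftables` → `ebtables` swap in the previous hunk hints at that) the bridge netdev and `Bridge=` membership are not part of this commit, and if it is still a routed LAN the address should be carried over, e.g. `networkConfig.Address = "10.1.1.1/24";`. Dropping `networking.firewall.enable = false;` also re-enables the NixOS default firewall, which together with the removed `masquerade` rules changes what this host forwards and exposes; that is a reasonable hardening outcome, but it is a behavioural change worth stating as intentional in the commit message. `RequiredForOnline = "no"` on the LAN side and `"yes"` on the WAN side reads correctly for a box whose only uplink is `end0`.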
@@ -143,11 +105,7 @@
 configFile = "/var/lib/dae/config.dae";
 };
 
- services.tailscale = {
- enable = true;
- extraSetFlags = [
- "--advertise-routes=10.1.1.0/24"
- ];
- };
+ services.tailscale.enable = true;
+
 };
 }
diff --git a/modules/nixos/monitor/exporters.nix b/modules/nixos/monitor/exporters.nix
index a178525..d0e006f 100644
--- a/modules/nixos/monitor/exporters.nix
+++ b/modules/nixos/monitor/exporters.nix
@@ -5,7 +5,7 @@
 ...
 }:
 let
- inherit (lib) mkIf getExe;
+ inherit (lib) mkIf concatStringsSep;
 inherit (config.my-lib.settings) prometheusCollectors;
 cfg = config.custom.prometheus.exporters;
 in
@@ -16,30 +16,6 @@ in
 ++ (lib.optional cfg.blackbox.enable "prometheus-blackbox-exporters.service")
 ++ (lib.optional config.services.caddy.enable "caddy.service");
 
- systemd.services.tailscaled.serviceConfig.ExecStartPost =
- pkgs.writers.writePython3Bin "tailscale-wait-online"
- {
- flakeIgnore = [
- "E401" # import on one line
- "E501" # line length limit
- ];
- }
- ''
- import subprocess, json, time
-
- for _ in range(30):
- status = json.loads(
- subprocess.run(
- ["${getExe config.services.tailscale.package}", "status", "--peers=false", "--json"], capture_output=True
- ).stdout
- )["Self"]["Online"]
- if status:
- exit(0)
- time.sleep(1)
-
- exit(1)
- '';
-
 services.prometheus.exporters.node = mkIf cfg.node.enable {
 enable = true;
 enabledCollectors = [
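Review bot: Removing `--advertise-routes=10.1.1.0/24` from `extraSetFlags` does not by itself stop the node advertising that route: `extraSetFlags` is applied through `tailscale set`, which only updates the flags it is given and leaves the rest of the node's persisted preferences in tailscaled's state, so the now-nonexistent 10.1.1.0/24 subnet will most likely remain advertised to the tailnet until `tailscale set --advertise-routes=` is run once on the host or the route is revoked in the admin console. That is worth recording next to the simplified line so the manual step is not lost, e.g. `# LAN subnet route was dropped; run "tailscale set --advertise-routes=" once to clear the persisted pref`. The simplification itself is consistent with the LAN removal in the previous hunk.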
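Review bot: With the `tailscale-wait-online` `ExecStartPost` gone, `tailscaled.service` now counts as started as soon as the daemon process is up rather than when the node reports `Online`, so any exporter or `caddy.service` in this module that is ordered after `tailscaled.service` and binds to a tailnet address can race the interface and fail on first boot; the context lines above (`prometheus-blackbox-exporters.service`, `caddy.service`) suggest such a dependency list exists, but its head is outside the hunk so this is inferred. If that list was the reason the gate lived in the monitor module, the commit should say what replaces it — `Restart = "on-failure"` on the affected units, binding to a wildcard address, or a wait that lives with those units — and otherwise a short `# tailscaled is no longer gated on the node being online` comment where the list is defined would document the changed assumption. Dropping `getExe` from the `inherit` in the first exporters.nix hunk is consistent with this removal, since the deleted script was its only visible user.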