flake.nix

@@ -50,6 +50,7 @@
     catppuccin = {
       url = "github:catppuccin/nix";
       inputs.nixpkgs.follows = "nixpkgs";
+      inputs.home-manager.follows = "home-manager";
     };
 
     disko = {

machines/osmium/default.nix

@@ -69,7 +69,7 @@
       neovim
       jq
       iptables
-      nftables
+      ebtables
       tcpdump
       busybox
       ethtool
@@ -88,53 +88,15 @@
 
     systemd.network = {
       enable = true;
+      networks."lan" = {
+        matchConfig.Name = "enu1";
+        networkConfig.DHCP = "no";
+        linkConfig.RequiredForOnline = "no";
+      };
       networks."wan" = {
         matchConfig.Name = "end0";
         networkConfig.DHCP = "yes";
-        linkConfig.RequiredForOnline = false;
+        linkConfig.RequiredForOnline = "yes";
-      };
-      networks."lan" = {
-        matchConfig.Name = "enu1";
-        networkConfig = {
-          DHCP = "no";
-          DHCPServer = "yes";
-          Address = "10.1.1.1/24";
-        };
-        dhcpServerConfig = {
-          ServerAddress = "10.1.1.1/24";
-          UplinkInterface = "end0";
-          EmitDNS = "yes";
-          DNS = [ "192.168.1.1" ];
-        };
-        linkConfig.RequiredForOnline = false;
-      };
-    };
-
-    networking.firewall.enable = false;
-    networking.nftables = {
-      enable = true;
-      tables = {
-        filter = {
-          family = "inet";
-          content = ''
-            chain forward {
-              iifname { "enu1" } oifname { "end0" } accept comment "Allow trusted LAN to WAN"
-              iifname { "end0" } oifname { "enu1" } ct state { established, related } accept comment "Allow established back to LANs"
-              iifname { "enu1" } oifname { "tailscale0" } accept comment "Allow LAN to Tailscale"
-            }
-          '';
-        };
-
-        nat = {
-          family = "ip";
-          content = ''
-            chain postrouting {
-              type nat hook postrouting priority 100; policy accept;
-              oifname "end0" masquerade
-              oifname "tailscale0" masquerade
-            }
-          '';
-        };
       };
     };
 
@@ -143,11 +105,7 @@
       configFile = "/var/lib/dae/config.dae";
     };
 
-    services.tailscale = {
+    services.tailscale.enable = true;
-      enable = true;
+
-      extraSetFlags = [
-        "--advertise-routes=10.1.1.0/24"
-      ];
-    };
   };
 }

modules/nixos/monitor/exporters.nix

@@ -5,7 +5,7 @@
   ...
 }:
 let
-  inherit (lib) mkIf getExe;
+  inherit (lib) mkIf concatStringsSep;
   inherit (config.my-lib.settings) prometheusCollectors;
   cfg = config.custom.prometheus.exporters;
 in
@@ -16,30 +16,6 @@ in
       ++ (lib.optional cfg.blackbox.enable "prometheus-blackbox-exporters.service")
       ++ (lib.optional config.services.caddy.enable "caddy.service");
 
-    systemd.services.tailscaled.serviceConfig.ExecStartPost =
-      pkgs.writers.writePython3Bin "tailscale-wait-online"
-        {
-          flakeIgnore = [
-            "E401" # import on one line
-            "E501" # line length limit
-          ];
-        }
-        ''
-          import subprocess, json, time
-
-          for _ in range(30):
-              status = json.loads(
-                  subprocess.run(
-                      ["${getExe config.services.tailscale.package}", "status", "--peers=false", "--json"], capture_output=True
-                  ).stdout
-              )["Self"]["Online"]
-              if status:
-                  exit(0)
-              time.sleep(1)
-
-          exit(1)
-        '';
-
     services.prometheus.exporters.node = mkIf cfg.node.enable {
       enable = true;
       enabledCollectors = [