author | Ben Sima <ben@bsima.me> | 2024-11-15 14:55:37 -0500 |
---|---|---|
committer | Ben Sima <ben@bsima.me> | 2024-12-21 10:06:49 -0500 |
commit | 6513755670892983db88a6633b8c1ea6019c03d1 (patch) | |
tree | 44e9eccdb7a3a74ab7e96a8fee7572dd6a78dc73 /Omni/Dev | |
parent | ae7b7e0186b5f2e0dcd4d5fac0a71fa264caedc2 (diff) |
Re-namespace some stuff to Omni
I was getting confused about what is a product and what is internal
infrastructure; I think it is good to keep those things separate. So I moved a
bunch of stuff to an Omni namespace, actually most stuff went there. Only things
that are explicitly external products are still in the Biz namespace.
Diffstat (limited to 'Omni/Dev')
-rw-r--r-- | Omni/Dev/Beryllium.nix | 14 | ||||
-rw-r--r-- | Omni/Dev/Beryllium/Configuration.nix | 115 | ||||
-rw-r--r-- | Omni/Dev/Beryllium/Hardware.nix | 38 | ||||
-rw-r--r-- | Omni/Dev/Beryllium/Ollama.nix | 48 | ||||
-rw-r--r-- | Omni/Dev/Dns.nix | 19 | ||||
-rw-r--r-- | Omni/Dev/Guix.nix | 43 | ||||
-rw-r--r-- | Omni/Dev/Hoogle.nix | 81 | ||||
-rw-r--r-- | Omni/Dev/Lithium.nix | 27 | ||||
-rw-r--r-- | Omni/Dev/Lithium/Configuration.nix | 217 | ||||
-rw-r--r-- | Omni/Dev/Lithium/Hardware.nix | 32 | ||||
-rw-r--r-- | Omni/Dev/Networking.nix | 44 | ||||
-rw-r--r-- | Omni/Dev/Vpn.nix | 33 |
12 files changed, 711 insertions, 0 deletions
diff --git a/Omni/Dev/Beryllium.nix b/Omni/Dev/Beryllium.nix
new file mode 100644
index 0000000..82374c3
--- /dev/null
+++ b/Omni/Dev/Beryllium.nix
@@ -0,0 +1,14 @@
+{ bild }:
+bild.os {
+ imports = [
+ ../OsBase.nix
+ ../Packages.nix
+ ../Users.nix
+ ./Beryllium/Configuration.nix
+ ./Beryllium/Hardware.nix
+ ./Beryllium/Ollama.nix
+ ./Vpn.nix
+ ];
+ networking.hostName = "beryllium";
+ networking.domain = "beryl.simatime.com";
+}
diff --git a/Omni/Dev/Beryllium/Configuration.nix b/Omni/Dev/Beryllium/Configuration.nix
new file mode 100644
index 0000000..16f4bca
--- /dev/null
+++ b/Omni/Dev/Beryllium/Configuration.nix
@@ -0,0 +1,115 @@
+{ pkgs, ... }:
+
+let ports = import ../../Cloud/Ports.nix;
+in {
+ imports = [ # Include the results of the hardware scan.
+ ./Hardware.nix
+ ];
+
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ boot.kernelModules = [ "v4l2loopback" ];
+ boot.extraModulePackages = [ pkgs.linuxPackages.v4l2loopback ];
+
+ # Enable networking
+ networking.networkmanager.enable = true;
+
+ # Set your time zone.
+ time.timeZone = "America/New_York";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ i18n.extraLocaleSettings = {
+ LC_ADDRESS = "en_US.UTF-8";
+ LC_IDENTIFICATION = "en_US.UTF-8";
+ LC_MEASUREMENT = "en_US.UTF-8";
+ LC_MONETARY = "en_US.UTF-8";
+ LC_NAME = "en_US.UTF-8";
+ LC_NUMERIC = "en_US.UTF-8";
+ LC_PAPER = "en_US.UTF-8";
+ LC_TELEPHONE = "en_US.UTF-8";
+ LC_TIME = "en_US.UTF-8";
+ };
+
+ # don't auto suspend-to-RAM
+ powerManagement.enable = true;
+
+ # Enable the X11 windowing system.
+ services.xserver.enable = true;
+
+ # Enable the KDE Plasma Desktop Environment.
+ services.xserver.displayManager.gdm.enable = true;
+ services.xserver.desktopManager.gnome.enable = true;
+
+ # Configure keymap in X11
+ services.xserver = {
+ layout = "us";
+ xkbVariant = "";
+ };
+
+ # Enable CUPS to print documents.
+ services.printing.enable = true;
+
+ # Enable sound with pipewire.
+ hardware.pulseaudio.enable = false;
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ # If you want to use JACK applications, uncomment this
+ jack.enable = true;
+ wireplumber.enable = true;
+ };
+
+ hardware.opengl.enable = true;
+ hardware.opengl.driSupport32Bit = true;
+ services.xserver.videoDrivers = [ "nvidia" ];
+ hardware.nvidia.nvidiaPersistenced = true;
+ hardware.nvidia.modesetting.enable = true;
+ hardware.nvidia.powerManagement.enable = false;
+ hardware.nvidia.powerManagement.finegrained = false;
+ hardware.nvidia.open = true;
+ hardware.nvidia.nvidiaSettings = true;
+
+ hardware.keyboard.zsa.enable = true;
+
+ services.xserver.displayManager.autoLogin.enable = false;
+ services.xserver.displayManager.autoLogin.user = "ben";
+
+ services.clight.enable = true;
+ services.clight.temperature.day = 6500;
+ services.clight.temperature.night = 1800;
+ services.clight.settings.sunrise = "7:00";
+ services.clight.settings.sunset = "17:00";
+ location.latitude = 40.8;
+ location.longitude = -81.52;
+
+ services.eternal-terminal.enable = true;
+
+ environment.systemPackages = with pkgs; [
+ v4l-utils
+ linuxPackages.v4l2loopback
+ nvtop
+ keymapp
+ wally-cli
+ # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+ # wget
+ ];
+
+ systemd.services.NetworkManager-wait-online.enable = false;
+
+ networking.firewall.allowedTCPPorts = [ ports.barrier ];
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.05"; # Did you read the comment?
+
+}
diff --git a/Omni/Dev/Beryllium/Hardware.nix b/Omni/Dev/Beryllium/Hardware.nix
new file mode 100644
index 0000000..ecf425c
--- /dev/null
+++ b/Omni/Dev/Beryllium/Hardware.nix
@@ -0,0 +1,38 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, modulesPath, ... }:
+
+{
+ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+ boot.initrd.availableKernelModules =
+ [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/f96eaa16-d0e2-4230-aece-131ce7b630da";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/A34A-6527";
+ fsType = "vfat";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp97s0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp99s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode =
+ lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/Omni/Dev/Beryllium/Ollama.nix b/Omni/Dev/Beryllium/Ollama.nix
new file mode 100644
index 0000000..35b4fe1
--- /dev/null
+++ b/Omni/Dev/Beryllium/Ollama.nix
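Review bot: The comment `# Enable the KDE Plasma Desktop Environment.` sits above lines that enable GDM and GNOME, and `# don't auto suspend-to-RAM` annotates `powerManagement.enable = true`, which is the generic power-management switch and does not by itself control automatic suspend; both comments will mislead whoever next debugs this host. Suggest `# Enable the GNOME desktop via GDM.` for the first, and for the second either a comment stating what is actually intended or the option that really controls it (nothing in this file does). `networking.firewall.allowedTCPPorts = [ ports.barrier ]` opens the Barrier port on every interface; Barrier's transport is only encrypted when its SSL option is on, so consider scoping the rule to the link shared with the peer via `networking.firewall.interfaces.<name>.allowedTCPPorts`, or relying on the trusted tailscale0 interface that Vpn.nix (imported by Beryllium.nix) already sets up.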
@@ -0,0 +1,48 @@
+{ pkgs, ... }:
+/* Ollama API service
+
+ Don't put too much work into this, there's a much better and more complete
+ ollama service (with webui!) being built here:
+ https://github.com/NixOS/nixpkgs/pull/275448
+
+ If you want to spend time on it, spend time over there.
+*/
+let pkg = pkgs.unstable.ollama;
+in {
+
+ systemd.services.ollama = {
+ description = "ollama";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ environment = {
+ OLLAMA_HOST = "localhost:11434";
+ # Where to store LLM model files.
+ HOME = "%S/ollama";
+ OLLAMA_MODELS = "%S/ollama/models";
+ OLLAMA_DEBUG = "1";
+ };
+
+ serviceConfig = {
+ ExecStart = "${pkg}/bin/ollama serve";
+ User = "ollama";
+ Group = "ollama";
+ Type = "simple";
+ Restart = "on-failure";
+ RestartSec = 3;
+ # Persistent storage for model files, i.e. /var/lib/<StateDirectory>
+ StateDirectory = [ "ollama" ];
+ };
+ };
+
+ # for administration, make this available to users' PATH
+ environment.systemPackages = [ pkg ];
+
+ users.groups.ollama = { };
+
+ users.users.ollama = {
+ group = "ollama";
+ isSystemUser = true;
+ extraGroups = [ "render" "video" ];
+ };
+}
diff --git a/Omni/Dev/Dns.nix b/Omni/Dev/Dns.nix
new file mode 100644
index 0000000..baf79aa
--- /dev/null
+++ b/Omni/Dev/Dns.nix
@@ -0,0 +1,19 @@
+{ ... }:
+
+{
+ services.bind = {
+ enable = true;
+ forwarders = [ "8.8.8.8" "1.1.1.1" ];
+ cacheNetworks = [ "127.0.0.0/8" "192.168.0.0/24" ];
+ extraConfig = "";
+ extraOptions = ''
+ dnssec-validation auto;
+ '';
+ };
+
+ #networking.extraHosts = ''
+ # 192.168.0.1 router.home
+ # 192.168.0.196 lithium.home
+ #'';
+
+}
diff --git a/Omni/Dev/Guix.nix b/Omni/Dev/Guix.nix
new file mode 100644
index 0000000..0b261fb
--- /dev/null
+++ b/Omni/Dev/Guix.nix
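Review bot: The ollama unit runs as a static system user in the `render` and `video` groups with no sandboxing, while the Hoogle unit in this same commit sets `DynamicUser`/`ProtectHome`; bringing the two in line keeps ollama's writable surface to its state directory. In `serviceConfig` add `ProtectSystem = "strict"; ProtectHome = true; NoNewPrivileges = true; PrivateTmp = true;` — `StateDirectory = [ "ollama" ]` already carves out the one path it writes, and `HOME`/`OLLAMA_MODELS` both point under it. `OLLAMA_DEBUG = "1"` reads as a leftover from bringing the service up; debug logging is verbose and should be dropped or given a comment saying it is intentional. The header comment points at the nixpkgs PR for an upstream module; a note that it has since landed as `services.ollama` in recent nixpkgs would tell the next maintainer where to migrate.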
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.services.guix;
+
+in {
+
+ options.services.guix = {
+ enable = mkEnableOption "GNU Guix package manager";
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.guix-daemon = {
+ description = "Build daemon for GNU Guix";
+
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ Restart = "always";
+ ExecStart =
+ "${pkgs.guix}/bin/guix-daemon --build-users-group=guixbuild";
+ Environment = null;
+ RemainAfterExit = "yes";
+ StandardOutput = "syslog";
+ StandardError = "syslog";
+ TaskMax = "8192";
+ };
+ };
+ users = {
+ extraUsers = lib.attrs.genAttrs (lib.lists.range 1 10) (n: {
+ name = "guixbuilder${n}";
+ isSystemUser = true;
+ extraGroups = [ "guixbuild" ];
+ group = "guixbuild";
+ description = "Guix build user ${n}";
+ });
+ extraGroups = { "guixbuild" = { }; };
+ };
+ };
+}
diff --git a/Omni/Dev/Hoogle.nix b/Omni/Dev/Hoogle.nix
new file mode 100644
index 0000000..213a31c
--- /dev/null
+++ b/Omni/Dev/Hoogle.nix
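Review bot: `lib.attrs.genAttrs (lib.lists.range 1 10) (n: { name = "guixbuilder${n}"; … })` will not evaluate: the nixpkgs namespace is `lib.attrsets` (the Lithium configuration in this commit uses `lib.attrsets.attrVals`), `genAttrs` takes a list of attribute names but `range` yields integers, and `"guixbuilder${n}"` cannot interpolate an integer without `toString`. The file is only reachable through the commented-out `./Guix.nix` import in Lithium.nix, so this is latent today but fails the moment that line is uncommented; a note at the top of Guix.nix saying the module is unfinished would make that visible from the file itself. `users.extraUsers`/`users.extraGroups` are legacy aliases of `users.users`/`users.groups`, and `StandardOutput = "syslog"` is deprecated by systemd in favour of the journal default, so both can be modernised in the same pass. The user block, rewritten:
```nix
    users = {
      users = lib.attrsets.genAttrs
        (map (n: "guixbuilder${toString n}") (lib.lists.range 1 10))
        (name: {
          isSystemUser = true;
          extraGroups = [ "guixbuild" ];
          group = "guixbuild";
          description = "Guix build user ${name}";
        });
      groups.guixbuild = { };
    };
    # … unchanged: systemd.services.guix-daemon …
```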
@@ -0,0 +1,81 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.services.my-hoogle;
+
+ hoogleEnv = pkgs.buildEnv {
+ name = "hoogle";
+ paths = [ (cfg.haskellPackages.ghcWithHoogle cfg.packages) ];
+ };
+
+in {
+
+ options.services.my-hoogle = {
+ enable = mkEnableOption "Haskell documentation server";
+
+ port = mkOption {
+ type = types.int;
+ default = 8080;
+ description = ''
+ Port number Hoogle will be listening to.
+ '';
+ };
+
+ packages = mkOption {
+ default = _hp: [ ];
+ defaultText = "hp: []";
+ example = "hp: with hp; [ text lens ]";
+ description = ''
+ The Haskell packages to generate documentation for.
+
+ The option value is a function that takes the package set specified in
+ the <varname>haskellPackages</varname> option as its sole parameter and
+ returns a list of packages.
+ '';
+ };
+
+ haskellPackages = mkOption {
+ description = "Which haskell package set to use.";
+ default = pkgs.haskellPackages;
+ defaultText = "pkgs.haskellPackages";
+ };
+
+ home = mkOption {
+ type = types.str;
+ description = "Url for hoogle logo";
+ default = "https://hoogle.haskell.org";
+ };
+
+ host = mkOption {
+ type = types.str;
+ description = "Set the host to bind on.";
+ default = "127.0.0.1";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.hoogle = {
+ description = "Haskell documentation server";
+
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ Restart = "always";
+ ExecStart = "${hoogleEnv}/bin/hoogle server --local --port ${
+ toString cfg.port
+ } --home ${cfg.home} --host ${cfg.host}";
+
+ DynamicUser = true;
+
+ ProtectHome = true;
+
+ RuntimeDirectory = "hoogle";
+ WorkingDirectory = "%t/hoogle";
+ };
+ };
+ };
+
+}
diff --git a/Omni/Dev/Lithium.nix b/Omni/Dev/Lithium.nix
new file mode 100644
index 0000000..567f6e0
--- /dev/null
+++ b/Omni/Dev/Lithium.nix
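Review bot: `port = mkOption { type = types.int; … }` accepts any integer; `types.port` is the NixOS type for this and rejects out-of-range values at evaluation time, and `haskellPackages = mkOption { … }` declares no `type` at all, so a wrong value there is only caught when `ghcWithHoogle` is applied in `hoogleEnv`. The `ExecStart` string splices `cfg.home` and `cfg.host` unquoted; both are `types.str`, so a value containing whitespace would be split into extra arguments by systemd — `--home "${cfg.home}" --host "${cfg.host}"` (or `lib.escapeShellArg` on each) keeps them single arguments. `DynamicUser`/`ProtectHome` are a good start; `ProtectSystem = "strict"` would complete the set, since the only path the service writes is its `RuntimeDirectory` under `%t/hoogle`.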
@@ -0,0 +1,27 @@
+{ bild }:
+# Dev machine for work and building stuff.
+
+bild.os {
+ imports = [
+ ../OsBase.nix
+ ../Packages.nix
+ ../Users.nix
+ ./Lithium/Configuration.nix
+ ./Lithium/Hardware.nix
+ ./Hoogle.nix
+ ./Networking.nix
+ ./Dns.nix
+ ../../Biz/Dragons.nix
+ #./Guix.nix # I need to package a bunch of guile libs first
+ ./Vpn.nix
+ ];
+ networking.hostName = "lithium";
+ networking.domain = "dev.simatime.com";
+ services.dragons = {
+ enable = true;
+ port = 8095;
+ package = bild.run ../../Biz/Dragons.hs;
+ keep = "/var/dragons/keep";
+ depo = "/var/dragons/depo";
+ };
+}
diff --git a/Omni/Dev/Lithium/Configuration.nix b/Omni/Dev/Lithium/Configuration.nix
new file mode 100644
index 0000000..97b00c8
--- /dev/null
+++ b/Omni/Dev/Lithium/Configuration.nix
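Review bot: `port = 8095;` under `services.dragons` is a literal while every other port in this commit is read from `../Cloud/Ports.nix` (`ports.hoogle`, `ports.jupyter`, `ports.headscale`, …), so it cannot be cross-checked against the firewall list in Networking.nix and there is no obviously matching entry there. Either add a `dragons` entry to Ports.nix and write `port = ports.dragons;` here, or add a comment stating that the service is intentionally reachable only from localhost. `networking.hostName = "lithium"` is also set in Networking.nix, imported two lines above; the definitions agree today, but one of them should go so a rename happens in one place.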
@@ -0,0 +1,217 @@
+{ lib, pkgs, ... }:
+
+let
+ ghcCompiler = (import ../../Bild/Constants.nix).ghcCompiler;
+ ports = import ../../Cloud/Ports.nix;
+in {
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.enableContainers = true;
+
+ powerManagement.enable = false;
+
+ time.timeZone = "America/New_York";
+
+ fonts.fonts = with pkgs; [
+ google-fonts
+ mononoki
+ source-code-pro
+ fantasque-sans-mono
+ hack-font
+ fira
+ fira-code
+ fira-code-symbols
+ ];
+
+ environment.systemPackages =
+ [ pkgs.nvtop pkgs.k3s pkgs.wemux pkgs.tmux pkgs.wireguard-tools ];
+
+ hardware = {
+ opengl.enable = true;
+ pulseaudio = {
+ enable = true;
+ extraConfig = ''
+ load-module module-loopback
+ '';
+ };
+ };
+
+ #hardware.nvidia.nvidiaPersistenced = true;
+
+ programs.bash.enableCompletion = true;
+ programs.command-not-found.enable = true;
+ programs.gnupg.agent.enable = true;
+ programs.gnupg.agent.enableSSHSupport = true;
+ programs.mosh.enable = true;
+
+ virtualisation.docker.enable = true;
+ virtualisation.docker.liveRestore = false;
+ virtualisation.libvirtd.enable = false;
+ virtualisation.virtualbox.host.enable = false;
+ virtualisation.virtualbox.host.headless = false;
+ virtualisation.virtualbox.host.addNetworkInterface = false;
+ virtualisation.virtualbox.guest.enable = false;
+
+ services.my-hoogle.enable = true;
+ services.my-hoogle.port = ports.hoogle;
+ services.my-hoogle.home = "//hoogle.simatime.com";
+ services.my-hoogle.packages = pkgset:
+ lib.attrsets.attrVals (import ../../Bild/Deps/Haskell.nix) pkgset;
+ services.my-hoogle.haskellPackages = pkgs.haskell.packages.${ghcCompiler};
+ services.my-hoogle.host = "0.0.0.0";
+
+ services.eternal-terminal.enable = true;
+
+ services.k3s.enable = false;
+ services.k3s.role = "server";
+
+ services.syncthing.enable = true;
+ services.syncthing.guiAddress = "127.0.0.1:${toString ports.syncthing-gui}";
+ services.syncthing.openDefaultPorts = true;
+ services.syncthing.systemService = true;
+
+ services.tor.enable = true;
+ services.tor.client.enable = true;
+ services.tor.relay.role = "bridge";
+ services.tor.settings.ORPort = ports.tor;
+ services.tor.settings.Nickname = "ydeee3q1cjo83tsuqcz";
+ services.tor.settings.AccountingMax = "10 GBytes";
+ services.tor.settings.AccountingStart = "month 1 1:00";
+ services.tor.settings.ContactInfo =
+ "ContactInfo pgp:66A6AD150399D970DCA4C4E6C8218B7D0BFDECCD ciissversion:2";
+
+ services.bitcoind.mainnet.enable = true;
+ services.bitcoind.mainnet.dataDir = "/mnt/campbell/bitcoind-mainnet/data";
+ services.bitcoind.mainnet.configFile =
+ "/mnt/campbell/bitcoind-mainnet/bitcoin.conf";
+ services.bitcoind.mainnet.prune = 10000;
+
+ services.pcscd.enable = true;
+ services.logind.lidSwitch = "ignore";
+ services.logind.extraConfig = "IdleAction=ignore";
+
+ services.deluge.enable = true;
+ services.deluge.openFilesLimit = 10240;
+ services.deluge.web.enable = true;
+
+ services.printing.enable = true;
+
+ services.murmur.enable = true;
+ services.murmur.registerName = "simatime";
+ services.murmur.password = "simatime";
+ services.murmur.port = ports.murmur;
+
+ services.xserver.enable = true;
+ services.xserver.autorun = true;
+ services.xserver.layout = "us";
+ services.xserver.xkbOptions = "caps:ctrl_modifier";
+ services.xserver.videoDrivers = [ "nvidia" ];
+ services.xserver.serverFlagsSection = ''
+ Option "BlankTime" "0"
+ Option "StandbyTime" "0"
+ Option "SuspendTime" "0"
+ Option "OffTime" "0"
+ '';
+ services.xserver.displayManager.sddm.enable = true;
+ services.xserver.displayManager.sddm.enableHidpi = true;
+ # Some of these have conflicting definitions, which might be the source of my
+ # problems with the display. Start here for debugging.
+ #services.xserver.displayManager.session.manage = "desktop";
+ #services.xserver.displayManager.session.name = "home-manager";
+ #services.xserver.displayManager.session.start = ''
+ # ${pkgs.runtimeShell} $HOME/.hm-xsession &
+ # waitPID=$!
+ #'';
+ #services.xserver.desktopManager.kodi.enable = false;
+ #services.xserver.desktopManager.plasma5.enable = false;
+ services.xserver.desktopManager.xterm.enable = true;
+ services.xserver.windowManager.xmonad.enable = true;
+ services.xserver.libinput.enable = true;
+ services.xserver.libinput.touchpad.tapping = true;
+ services.xserver.modules = [ pkgs.xf86_input_wacom ];
+ services.xserver.wacom.enable = true;
+
+ services.jupyter.enable = true;
+ services.jupyter.port = ports.jupyter;
+ services.jupyter.ip = "*";
+ users.users.jupyter.group = "jupyter";
+ users.groups.jupyter = { };
+ services.jupyter.password =
+ "'argon2:$argon2id$v=19$m=10240,t=10,p=8$nvQhgk+htbIYi961YYAf1w$ekpwiTT5L4+OAods0K7EDw'";
+ services.jupyter.kernels.python3 = let
+ env = (pkgs.python3.withPackages (p:
+ with p; [
+ ipykernel
+ pandas
+ scikitlearn
+ numpy
+ matplotlib
+ sympy
+ ipywidgets
+ ]));
+ in {
+ displayName = "py3";
+ argv = [
+ "${env.interpreter}"
+ "-m"
+ "ipykernel_launcher"
+ "-f"
+ "{connection_file}"
+ ];
+ language = "python";
+ # error: must be of type 'null or path'
+ #logo32 = "${env.sitePackages}/ipykernel/resources/logo-32x32.png";
+ #logo64 = "${env.sitePackages}/ipykernel/resources/logo-64x64.png";
+ };
+
+ # previously emby
+ services.jellyfin.enable = true;
+ services.jellyfin.user = "jellyfin";
+ services.jellyfin.group = "jellyfin";
+
+ services.minidlna.enable = true;
+ services.minidlna.settings.notify_interval = 60;
+ services.minidlna.settings.friendly_name = "Sima Media";
+ services.minidlna.settings.media_dir = [
+ "V,/mnt/campbell/ben/youtube"
+ "A,/mnt/campbell/ben/music"
+ "V,/mnt/campbell/ben/torrents/done"
+ ];
+
+ services.vnstat.enable = true;
+
+ documentation.enable = true;
+ documentation.dev.enable = true;
+ documentation.doc.enable = true;
+ documentation.info.enable = true;
+ documentation.man.enable = true;
+ documentation.nixos.enable = true;
+
+ nix.settings.auto-optimise-store = true;
+ nix.settings.cores = 0; # use all available cores
+ # Since this is the dev machine, we can turn these on at the expense
+ # of extra disk space.
+ nix.extraOptions = ''
+ keep-outputs = true
+ keep-derivations = true
+ '';
+ # 1 job * 2 cores = 2 maximum cores used at any one time
+ nix.settings.max-jobs = 1;
+ nix.sshServe.enable = true;
+ nix.sshServe.keys = lib.trivial.pipe ../../Keys/Ben.pub [
+ builtins.readFile
+ (lib.strings.splitString "\n")
+ (lib.filter (s: s != ""))
+ ];
+ nix.settings.trusted-users = [ "root" "ben" ];
+
+ # This value determines the NixOS release with which your system is to be
+ # compatible, in order to avoid breaking some software such as database
+ # servers. You should change this only after NixOS release notes say you
+ # should.
+ system.stateVersion = "20.09"; # Did you read the comment?
+
+ # TODO: is this still necessary? Check nixpkgs upstream
+ users.users.jupyter.isSystemUser = true;
+}
diff --git a/Omni/Dev/Lithium/Hardware.nix b/Omni/Dev/Lithium/Hardware.nix
new file mode 100644
index 0000000..54c07f5
--- /dev/null
+++ b/Omni/Dev/Lithium/Hardware.nix
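Review bot: `services.murmur.password = "simatime";` commits the Mumble server password to the repository and, because the module renders its settings into a murmur config in the Nix store, leaves it world-readable on the host as well; the value is also trivially guessable from the `registerName` one line above. The murmur module accepts an `environmentFile` and substitutes `$VARIABLE` placeholders from it, so `password = "$MURMURD_PASSWORD";` plus an `environmentFile` kept outside the store removes the secret from both places (confirm the option name against the nixpkgs revision pinned here). `services.jupyter.ip = "*"` binds the notebook server on every interface and Networking.nix in this same commit opens `ports.jupyter` in the global firewall list, so one argon2 password is all that separates the network from code execution as the `jupyter` user; binding to `127.0.0.1` or leaving the port to the trusted tailscale0 interface that Vpn.nix sets up is the safer default for a dev box. `services.tor.settings.ContactInfo` begins with the literal word `ContactInfo`, which the tor module already emits as the key, so the torrc line becomes `ContactInfo ContactInfo pgp:…`; drop the duplicated key from the value.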
@@ -0,0 +1,32 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ lib, modulesPath, ... }:
+
+{
+ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+ boot.initrd.availableKernelModules =
+ [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/f08dd8f9-787c-4e2a-a0cc-7019edc2ce2b";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/C67C-D7B5";
+ fsType = "vfat";
+ };
+
+ fileSystems."/mnt/campbell" = {
+ device = "/dev/disk/by-uuid/037df3ae-4609-402c-ab1d-4593190d0ee7";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+}
diff --git a/Omni/Dev/Networking.nix b/Omni/Dev/Networking.nix
new file mode 100644
index 0000000..c89add7
--- /dev/null
+++ b/Omni/Dev/Networking.nix
@@ -0,0 +1,44 @@
+{ ... }:
+
+let ports = import ../Cloud/Ports.nix;
+in {
+ networking = {
+ nameservers = [ "1.1.1.1" ];
+ hostName = "lithium";
+ hosts = { "::1" = [ "localhost" "ipv6-localhost" "ipv6-loopback" ]; };
+
+ firewall = {
+ allowedTCPPorts = [
+ ports.bitcoind
+ ports.bitcoind-rpc
+ ports.delugeWeb
+ ports.et
+ ports.gemini
+ ports.git
+ ports.http
+ ports.https
+ ports.jellyfin
+ ports.jupyter
+ ports.k3s
+ ports.mpd
+ ports.mpd-stream
+ ports.murmur
+ ports.radicale
+ ports.sabten
+ ports.ssh
+ ports.stableDiffusion
+ ports.tor
+ ];
+ allowedTCPPortRanges = [ ports.torrents ports.httpdev ];
+ allowedUDPPorts = [ ports.dns ports.et ports.murmur ];
+ allowedUDPPortRanges = [ ports.torrents ];
+ };
+
+ # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+ # Per-interface useDHCP will be mandatory in the future, so this generated config
+ # replicates the default behaviour.
+ useDHCP = false;
+ interfaces.enp2s0.useDHCP = true;
+ };
+
+}
diff --git a/Omni/Dev/Vpn.nix b/Omni/Dev/Vpn.nix
new file mode 100644
index 0000000..9b791b7
--- /dev/null
+++ b/Omni/Dev/Vpn.nix
@@ -0,0 +1,33 @@
+{ config, ... }:
+
+let
+ ports = import ../Cloud/Ports.nix;
+ domain = "headscale.simatime.com";
+in {
+ services.headscale = {
+ enable = true;
+ address = "0.0.0.0";
+ port = ports.headscale;
+ settings = { dns.base_domain = "simatime.com"; };
+ };
+
+ services.nginx.virtualHosts.${domain} = {
+ forceSSL = true;
+ enableAcme = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString ports.headscale}";
+ proxyWebsockets = true;
+ };
+ };
+
+ environment.systemPackages = [ config.services.headscale.package ];
+
+ services.tailscale.enable = true;
+
+ networking.firewall = {
+ checkReversePath = "loose";
+ trustedInterfaces = [ "tailscale0" ];
+ allowedUDPPorts = [ config.services.tailscale.port ];
+ };
+
+}
|
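Review bot: The global `allowedTCPPorts` list opens `ports.bitcoind-rpc`, `ports.jupyter`, `ports.delugeWeb` and `ports.k3s` on every interface, and Vpn.nix in this same commit already places `tailscale0` in `trustedInterfaces`, so everything in this list is reachable over the VPN without being in the global list at all. Bitcoin Core's RPC port is a control channel, not a peer-to-peer port; whether it is actually exposed depends on the `rpcbind` setting in the bitcoin.conf kept outside the repository, but the firewall should not be the only thing in the way — move it, and the other administrative ports, to `networking.firewall.interfaces.tailscale0.allowedTCPPorts` (or drop them, since the interface is already trusted). `hostName = "lithium"` duplicates the definition in Lithium.nix; equal strings merge, but keeping one copy avoids a split rename later. `nameservers = [ "1.1.1.1" ]` while Dns.nix runs a local bind with the same forwarder means the host bypasses its own resolver, which may be intended but deserves a one-line comment.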
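Review bot: `enableAcme = true;` — unless the nginx module in the pinned nixpkgs spells it differently, the virtual-host option is `enableACME`, and an unknown option name fails evaluation, so `forceSSL = true` would otherwise be in force with no certificate source. `address = "0.0.0.0"` makes headscale listen on every interface while the nginx vhost proxies to `localhost` and nothing in this commit opens `ports.headscale` in the firewall; `address = "127.0.0.1";` matches the proxy and removes an unneeded listener. This file is imported by both Beryllium.nix and Lithium.nix, so both hosts will try to serve `headscale.simatime.com` and request an ACME certificate for it; only the host the name resolves to can complete that, and the other will log ACME failures — if a single machine is the control server, move the headscale and nginx parts there and keep only the tailscale client and firewall settings shared.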