box: clobber some networking bits

2022-10-21 09:38:41 -06:00 · 2022-10-21 09:38:41 -06:00 · ac44c31958
commit ac44c31958
parent d163d868b8
1 changed files with 64 additions and 67 deletions
--- a/hosts/box/default.nix
+++ b/hosts/box/default.nix
@ -107,27 +107,36 @@ in {
    enableIPv6 = false;
    hosts = { "127.0.0.1" = [ "git.tapenet.org" ]; };
-    defaultGateway = "10.20.30.1";
+    interfaces.enp7s0 = { useDHCP = true; };
-    nameservers = [ "10.20.30.1" ];
+
-    interfaces.enp7s0 = {
+    firewall = {
-      ipv4 = {
+      interfaces = { "tailscale0" = { allowedTCPPorts = [ 3030 ]; }; };
-        routes = [{
+      allowedTCPPorts = config.services.openssh.ports
-          address = "10.6.0.0";
+        ++ [ 80 443 config.services.gitea.ssh.clonePort ];
-          prefixLength = 24;
+      allowedUDPPortRanges = [{
-          via = "10.6.0.1";
+        from = 60000;
-        }];
+        to = 61000;
        addresses = [{
          address = "10.6.0.15";
          prefixLength = 24;
        }];
      };
    };
    interfaces.enp8s0 = {
      ipv4.addresses = [{
        address = "10.20.30.15";
        prefixLength = 24;
      }];
    };
    wireguard = {
      enable = false;
      interfaces = {
        wg0 = {
          listenPort = 7122;
          ips = [ "192.168.112.4/32" ];
          peers = [{
            publicKey = "IMJ1gVK6KzRghon5Wg1dxv1JCB8IbdSqeFjwQAxJM10=";
            endpoint = "23.29.118.127:7122";
            allowedIPs = [ "192.168.112.3/32" ];
            persistentKeepalive = 25;
          }];
          #privateKeyFile = "${config.sops.secrets.wireguard_private_key.path}";
          privateKeyFile = "/root/wgpk";
        };
      };
    };
  };
  nixpkgs.config.allowUnfree = true;
@ -164,42 +173,42 @@ in {
  #  openssh.authorizedKeys.keys = pubKeys;
  #};
-  virtualisation.podman = {
+  #virtualisation.podman = {
-    enable = false;
+  #  enable = false;
-    #dockerCompat = true;
+  #  #dockerCompat = true;
-  };
+  #};
-  virtualisation.oci-containers.backend = "podman";
+  #virtualisation.oci-containers.backend = "podman";
-  virtualisation.oci-containers.containers = {
+  #virtualisation.oci-containers.containers = {
-    #kativa = {
+  #  #kativa = {
-    #  autoStart = true;
+  #  #  autoStart = true;
-    #  ports = [ "127.0.0.1:5000:5000" ];
+  #  #  ports = [ "127.0.0.1:5000:5000" ];
-    #  image = "kizaing/kavita:0.5.2";
+  #  #  image = "kizaing/kavita:0.5.2";
-    #  volumes = [ "/media/books:/books" "/media/books/config:/kativa/config" ];
+  #  #  volumes = [ "/media/books:/books" "/media/books/config:/kativa/config" ];
-    #};
+  #  #};
-    photoprism = {
+  #  photoprism = {
-      #user = "${toString config.users.users.photoprism.name}:${toString config.users.groups.photoprism.name}";
+  #    #user = "${toString config.users.users.photoprism.name}:${toString config.users.groups.photoprism.name}";
-      autoStart = true;
+  #    autoStart = true;
-      ports = [ "127.0.0.1:2343:2343" ];
+  #    ports = [ "127.0.0.1:2343:2343" ];
-      image = "photoprism/photoprism:${photoPrismTag}";
+  #    image = "photoprism/photoprism:${photoPrismTag}";
-      workdir = "/photoprism";
+  #    workdir = "/photoprism";
-      volumes = [
+  #    volumes = [
-        "/media/pictures/photoprism/storage:/photoprism/storage"
+  #      "/media/pictures/photoprism/storage:/photoprism/storage"
-        "/media/pictures/photoprism/originals:/photoprism/originals"
+  #      "/media/pictures/photoprism/originals:/photoprism/originals"
-        "/media/pictures/photoprism/import:/photoprism/import"
+  #      "/media/pictures/photoprism/import:/photoprism/import"
-      ];
+  #    ];
-      environment = {
+  #    environment = {
-        PHOTOPRISM_HTTP_PORT = "2343";
+  #      PHOTOPRISM_HTTP_PORT = "2343";
-        PHOTOPRISM_UPLOAD_NSFW = "true";
+  #      PHOTOPRISM_UPLOAD_NSFW = "true";
-        PHOTOPRISM_DETECT_NSFW = "false";
+  #      PHOTOPRISM_DETECT_NSFW = "false";
-        PHOTOPRISM_UID = "${toString config.users.users.photoprism.uid}";
+  #      PHOTOPRISM_UID = "${toString config.users.users.photoprism.uid}";
-        PHOTOPRISM_GID = "${toString config.users.groups.photoprism.gid}";
+  #      PHOTOPRISM_GID = "${toString config.users.groups.photoprism.gid}";
-        #PHOTOPRISM_SITE_URL = "https://photos.tapenet.org/";
+  #      #PHOTOPRISM_SITE_URL = "https://photos.tapenet.org/";
-        PHOTOPRISM_SITE_URL = "https://box.humpback-trout.ts.net/photos";
+  #      PHOTOPRISM_SITE_URL = "https://box.humpback-trout.ts.net/photos";
-        PHOTOPRISM_SETTINGS_HIDDEN = "false";
+  #      PHOTOPRISM_SETTINGS_HIDDEN = "false";
-        PHOTOPRISM_DATABASE_DRIVER = "sqlite";
+  #      PHOTOPRISM_DATABASE_DRIVER = "sqlite";
-      };
+  #    };
-    };
+  #  };
-  };
+  #};
  users.groups.media = {
    name = "media";
@ -879,18 +888,6 @@ in {
  #  after = [ "postgresql.service" ];
  #};
  networking = {
    firewall = {
      interfaces = { "tailscale0" = { allowedTCPPorts = [ 3030 ]; }; };
      allowedTCPPorts = config.services.openssh.ports
        ++ [ 80 443 config.services.gitea.ssh.clonePort ];
      allowedUDPPortRanges = [{
        from = 60000;
        to = 61000;
      }];
    };
  };
  users.users.qbit = userBase;
  users.users.root = userBase;