From 0700b75f3e749606ba195046aefd58ff451e432f Mon Sep 17 00:00:00 2001
From: Fabrice Bellamy <12b@distrilab.fr>
Date: Thu, 19 Dec 2024 17:14:56 +0100
Subject: [PATCH] cleanup arachnide server configuration
---
 config/arachnide/configuration.nix | 77 ++++++++----------------------
 1 file changed, 20 insertions(+), 57 deletions(-)
diff --git a/config/arachnide/configuration.nix b/config/arachnide/configuration.nix
index 9f3cc3e..1759dbf 100644
--- a/config/arachnide/configuration.nix
+++ b/config/arachnide/configuration.nix
@@ -14,20 +14,20 @@ networking = {
 hostName = "arachnide"; # Define your hostname.
- # Pick only one of the below networking options.
- # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
- # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+ # primary network interface, connected to WAN through a router
 interfaces.enp1s0.ipv4.addresses = [ { address = "192.168.36.9"; prefixLength = 24; } ];
+ defaultGateway = "192.168.36.1";
+ # secondary network interface connected to a private local network
 interfaces.enp3s0.ipv4.addresses = [ { address = "10.0.0.1"; prefixLength = 24; } ];
- defaultGateway = "192.168.36.1";
 nameservers = [ "80.67.169.12" "80.67.169.40" "2001:910:800::12" "2001:910:800::40" ];
 enableIPv6 = true;
+ # wireguard VPN to be reachable from internet
 wg-quick.interfaces = {
 wg0 = {
 address = [ "192.168.12.2/32" "2a01:4f9:1a:9a05::2/128" ];
@@ -46,6 +46,22 @@ };
 };
+ # Enable ip forwarding to route packets for the local network connected to enp3s0
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv6.conf.all.forwarding" = 1;
+ };
+
+ # Open ports in the firewall.
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+ networking.firewall.allowedTCPPorts = [ 80 144 443 ];
+ #networking.firewall.allowedUDPPorts = [ 53 ];
+ # allow UDP port range for mosh
+ networking.firewall.allowedUDPPortRanges = [
+ { from = 60000; to = 61000; }
+ ];
+
 # Set your time zone.
 time.timeZone = "Etc/UTC";
@@ -78,13 +94,6 @@ wget
 tmux
 htop
- memtester
- # Useful podman development tools
- #dive # look into docker image layers
- podman-tui # status of containers in the terminal
- #aardvark-dns
- #docker-compose # start group of containers for dev
- #podman-compose # start group of containers for dev
 mosh
 dig
 mtr
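Review bot: The two sysctls in `boot.kernel.sysctl` make this host a router, but the hunk never says how forwarded traffic is policed: `allowedTCPPorts` and `allowedUDPPortRanges` only filter packets addressed to the host itself, so whatever may cross between enp1s0, enp3s0 and wg0 is decided by options outside this hunk (`networking.nat`, `networking.firewall.filterForward` or `extraCommands`), and the comment above the sysctl block should name where that policy lives, e.g. `# forwarding/NAT policy for the enp3s0 network: see <module or option>`. The opened ports are also global to every interface, including the WAN-facing enp1s0; if TCP 80/144/443 or the mosh range are only meant for the LAN or the tunnel, the per-interface form `networking.firewall.interfaces.enp3s0.allowedUDPPortRanges = [ { from = 60000; to = 61000; } ];` scopes them instead. TCP 144 is not a conventional port and `#networking.firewall.allowedUDPPorts = [ 53 ];` is now disabled with no reason given, although it was live in the block removed at -96; a one-line comment naming the service on 144 and why 53 is no longer needed would keep both from reading as accidental. Finally, with `enableIPv6 = true` in the networking block, `net.ipv6.conf.all.forwarding = 1` makes the kernel ignore router advertisements unless `net.ipv6.conf.enp1s0.accept_ra` is set to 2 — only relevant if that interface gets its IPv6 address by SLAAC, which the diff does not show.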
@@ -96,51 +105,6 @@ vimAlias = true;
 };
-
- # Some programs need SUID wrappers, can be configured further or are
- # started in user sessions.
- # programs.mtr.enable = true;
- # programs.gnupg.agent = {
- # enable = true;
- # enableSSHSupport = true;
- # };
-
- # List services that you want to enable:
-
- boot.kernel.sysctl = {
- "net.ipv4.ip_forward" = 1;
- "net.ipv6.conf.all.forwarding" = 1;
- };
-
- # Open ports in the firewall.
- # networking.firewall.allowedTCPPorts = [ ... ];
- # networking.firewall.allowedUDPPorts = [ ... ];
- # Or disable the firewall altogether.
- # networking.firewall.enable = false;
- networking.firewall.allowedTCPPorts = [ 80 144 443 ];
- networking.firewall.allowedUDPPorts = [ 53 ];
- networking.firewall.allowedUDPPortRanges = [
- { from = 60000; to = 61000; }
- ];
-
- virtualisation.containers.enable = true;
- virtualisation.podman = {
- enable = true;
-
- # Create a `docker` alias for podman, to use it as a drop-in replacement
- dockerCompat = true;
-
- # Required for containers under podman-compose to be able to talk to each other.
- defaultNetwork.settings.dns_enabled = true;
- };
- #virtualisation.oci-containers.containers = {
- # nixos = {
- # image = "nix:latest"
- # extraOptions = [ "--network=host" ];
- # };
- #};
-
-
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
 # on your system were taken. It's perfectly fine and recommended to leave
@@ -148,5 +112,4 @@ # Before changing this value read the documentation for this option
 # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
 system.stateVersion = "24.05"; # Did you read the comment?
-
 }