diff --git a/containers/amethyst/flake.nix b/containers/amethyst/flake.nix
index 5b9817e..739c3e5 100644
--- a/containers/amethyst/flake.nix
+++ b/containers/amethyst/flake.nix
@@ -21,7 +21,8 @@
 services.nginx.virtualHosts."${fqdn}" = {
 useACMEHost = "lava.moe";
 forceSSL = true;
- locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:9091";
+ #locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:9091";
+ locations."/".proxyPass = "http://10.30.${subnet}.2:9091";
 listenAddresses = [ "10.0.0.1" "[fd0d::1]" ];
 };
diff --git a/containers/beryllium/configuration.nix b/containers/beryllium/configuration.nix
index 07740d2..6629a31 100644
--- a/containers/beryllium/configuration.nix
+++ b/containers/beryllium/configuration.nix
@@ -9,14 +9,15 @@
 networking.firewall.allowedUDPPorts = [ 6167 ]; # TODO: this should be generically set
 networking.useHostResolvConf = false;
- networking.nameservers = [ "fd0d:1::2:1" ];
+ networking.nameservers = [ "8.8.8.8" ];
 services.matrix-continuwuity = {
 enable = true;
 settings.global = { # TODO: link this with outer container's address
- address = [ "fd0d:1::2:2" ];
+ address = [ "10.30.2.2" ];
 server_name = "lava.moe";
+ rocksdb_recovery_mode = 2;
 };
 };
 }
diff --git a/containers/beryllium/flake.nix b/containers/beryllium/flake.nix
index c6b6cae..5805401 100644
--- a/containers/beryllium/flake.nix
+++ b/containers/beryllium/flake.nix
@@ -22,9 +22,9 @@
 useACMEHost = "lava.moe";
 forceSSL = true;
 locations."/".extraConfig = "return 302 'https://lava.moe';";
- locations."/_matrix".proxyPass = "http://[fd0d:1::${subnet}:2]:6167";
- locations."/_conduwuit".proxyPass = "http://[fd0d:1::${subnet}:2]:6167";
- locations."/_continuwuity".proxyPass = "http://[fd0d:1::${subnet}:2]:6167";
+ locations."/_matrix".proxyPass = "http://10.30.${subnet}.2:6167";
+ locations."/_conduwuit".proxyPass = "http://10.30.${subnet}.2:6167";
+ locations."/_continuwuity".proxyPass = "http://10.30.${subnet}.2:6167";
 };
 services.nginx.virtualHosts."lava.moe" = {
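Review bot: The replaced IPv6 `proxyPass` is kept as a commented-out line (`#locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:9091";`) directly above the live one, which is dead configuration that will silently drift from whatever the container's address becomes next. Drop it and let git history hold the old value, or, if the ULA path is meant to come back, replace it with a one-line reason such as `# IPv6 proxying disabled for now: container networking moved to 10.30.${subnet}.0/24`. Note that `listenAddresses` still includes `[fd0d::1]`, so the vhost is reachable over IPv6 while the upstream hop is IPv4-only, which is fine but worth the comment.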
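Review bot: `networking.nameservers = [ "8.8.8.8" ];` sends the container's DNS, including Matrix federation lookups, in plaintext to a third-party resolver, whereas the previous value `fd0d:1::2:1` was the host side of the container's own veth (it matches the `hostAddress6 = "fd0d:1::${subnet}:1"` pattern with subnet 2). The IPv4 equivalent is the new `hostAddress`, so `networking.nameservers = [ "10.30.2.1" ];` keeps resolution on the host, whose unbound in this same change already allows `10.0.0.0/8` in `access-control` and forwards over DoT on 853, provided it listens on that veth address (not visible here; confirm). Both the nameserver and `address = [ "10.30.2.2" ]` hard-code subnet 2 right next to a TODO saying they should be derived from the outer container, so at minimum keep the two in step. `rocksdb_recovery_mode = 2;` reads like a one-off recovery knob committed without a comment; if it was set to get past a damaged database, say so (`rocksdb_recovery_mode = 2; # TODO: revert to default after recovery`) and plan to remove it, since as far as I know non-default recovery modes relax the consistency checks RocksDB performs on open.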
@@ -52,9 +52,8 @@
 containers.${name} = {
 autoStart = true;
 privateNetwork = true;
- hostAddress6 = "fd0d:1::${subnet}:1";
- localAddress6 = "fd0d:1::${subnet}:2";
- # privateUsers = "pick";
+ hostAddress = "10.30.${subnet}.1";
+ localAddress = "10.30.${subnet}.2";
 nixpkgs = nixpkgs;
 ephemeral = true;
 config = { imports = [ ./configuration.nix ]; };
@@ -64,7 +63,6 @@
 mountPoint = "/persist";
 isReadOnly = false;
 };
- # flake = "path:" + ./.;
 };
 };
 };
diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix
index 4a6ef0c..087c77f 100644
--- a/hosts/alyssum/default.nix
+++ b/hosts/alyssum/default.nix
@@ -20,6 +20,7 @@
 nix-stable
 packages
 security
+ tailscale
 ./filesystem.nix
 ./kernel.nix
diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix
index 92e53be..33b6eec 100644
--- a/hosts/dandelion/default.nix
+++ b/hosts/dandelion/default.nix
@@ -19,6 +19,7 @@
 nix-stable
 packages
 security
+ tailscale
 wireguard
 modules.services.banksia
diff --git a/modules/services/nginx.nix b/modules/services/nginx.nix
index 51641b4..a02b7e9 100644
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@@ -6,7 +6,7 @@
 email = "me@lava.moe";
 group = "nginx";
 dnsProvider = "cloudflare";
- credentialsFile = config.age.secrets."acme_dns".path;
+ environmentFile = config.age.secrets."acme_dns".path;
 };
 certs."lava.moe" = {
 extraDomainNames = [
diff --git a/modules/services/unbound.nix b/modules/services/unbound.nix
index 349f9e8..8aae0fd 100644
--- a/modules/services/unbound.nix
+++ b/modules/services/unbound.nix
@@ -27,8 +27,12 @@ in {
 forward-addr = [
 "2606:4700:4700::1111@853#cloudflare-dns.com"
 "2606:4700:4700::1001@853#cloudflare-dns.com"
+ "2001:4860:4860::8888@853#dns.google"
+ "2001:4860:4860::8844@853#dns.google"
 "1.1.1.1@853#cloudflare-dns.com"
 "1.0.0.1@853#cloudflare-dns.com"
+ "8.8.8.8@853#dns.google"
+ "8.8.4.4@853#dns.google"
 ];
 }];
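Review bot: The commented-out `# privateUsers = "pick";` is deleted together with the IPv6 addressing, so the only reminder that this container was meant to get a user namespace is gone while `privateUsers` stays unset and the container keeps running with host UID mapping. If the move to IPv4 is what blocked enabling it, keep the line and say so (`# privateUsers = "pick"; # TODO: re-test now that the container is on 10.30.${subnet}.0/24`); otherwise enable it, since an `ephemeral` container with only `/persist` bind-mounted is a good candidate. With only `hostAddress`/`localAddress` left, the container has no IPv6 veth address any more, which is worth a one-line comment because the sibling nginx vhosts still listen on `[fd0d::1]`.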
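Review bot: Switching to `environmentFile` presumably hands the Cloudflare token in `acme_dns` to the ACME unit as a systemd `EnvironmentFile`, so it lives in the process environment, where anything running as that unit's user can read it from `/proc/<pid>/environ` and it lands in core dumps; if your nixpkgs has `security.acme.defaults.credentialFiles` (systemd `LoadCredential`-backed), prefer that so the token stays in a file only the unit can open. Either way, confirm the age secret's owner and mode let the ACME service user read it, since `group = "nginx"` here governs the issued certificate's group, not who may read the credentials, and that the token is a zone-scoped DNS:Edit token rather than a global API key, because the file's contents are not part of the diff. A short comment on the line, e.g. `# zone-scoped CF DNS:Edit token; loaded into the lego environment`, would record both decisions.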
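Review bot: Adding `dns.google` to the same `forward-addr` list as Cloudflare does not make it a fallback; unbound picks among all listed forwarders by measured RTT, so both providers now see a share of every client's lookups, which widens who can log them. If the goal is redundancy against one provider being down, state that above the list, e.g. `# two independent DoT providers; unbound load-balances across them, so both see traffic`. The `#dns.google` and `#cloudflare-dns.com` auth names only pin the upstream certificate if `forward-tls-upstream` and `tls-cert-bundle` (or `tls-system-cert`) are set elsewhere in this `forward-zones` entry, which the hunk does not show; confirm they are, or the `@853` endpoints are encrypted but unauthenticated.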
@@ -37,8 +41,10 @@ in {
 access-control = [
 "127.0.0.1/8 allow"
 "10.0.0.0/8 allow"
+ "100.64.0.0/10 allow"
 "192.168.100.0/24 allow"
- "fd0d::/16 allow"
+ "fd0d::/16 allow"
+ "fd7a:115c:a1e0::/48 allow"
 "${gcSecrets.wireguard.ipv6Subnet}:/80 allow"
 ];
 domain-insecure = [ "\"local.lava.moe\"" ];
diff --git a/modules/system/wireguard.nix b/modules/system/wireguard.nix
index bdfe900..71f85ad 100644
--- a/modules/system/wireguard.nix
+++ b/modules/system/wireguard.nix
@@ -6,7 +6,7 @@ let
 serverIp = gcSecrets.wireguard.gateway;
 forwarding = {
-# "22727" = [ "10.100.0.3" "7777" ];
+ "22727" = [ "10.100.0.3" "7777" ];
 };
 mapForwards = type:
@@ -18,6 +18,8 @@ let
 in ''
 ${pkgs.iptables}/bin/iptables -${type} PREROUTING -t nat -i ${serverInterface} -p tcp --dport ${sport} -j DNAT --to ${dest}:${dport}
 ${pkgs.iptables}/bin/iptables -${type} FORWARD -p tcp -d ${dest} --dport ${dport} -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -${type} PREROUTING -t nat -i ${serverInterface} -p udp --dport ${sport} -j DNAT --to ${dest}:${dport}
+ ${pkgs.iptables}/bin/iptables -${type} FORWARD -p udp -d ${dest} --dport ${dport} -j ACCEPT
 '') forwarding
 );
diff --git a/modules/user/neovim-minimal.nix b/modules/user/neovim-minimal.nix
index a7d3f8c..392097d 100644
--- a/modules/user/neovim-minimal.nix
+++ b/modules/user/neovim-minimal.nix
@@ -9,6 +9,8 @@
 vimAlias = true;
 vimdiffAlias = true;
 withNodeJs = false;
+ withPython3 = false;
+ withRuby = false;
 plugins = with pkgs.vimPlugins; [
 fzf-vim
diff --git a/modules/user/neovim.nix b/modules/user/neovim.nix
index 30ffac9..d691c61 100644
--- a/modules/user/neovim.nix
+++ b/modules/user/neovim.nix
@@ -17,6 +17,8 @@ in {
 vimdiffAlias = true; #package = pkgs.neovim-nightly;
 withNodeJs = true;
+ withPython3 = true;
+ withRuby = false;
 extraPackages = with pkgs; [
 rust-analyzer
diff --git a/secrets/slskd_env.age b/secrets/slskd_env.age
index 7515e1f..eded5d0 100644
Binary files a/secrets/slskd_env.age and b/secrets/slskd_env.age differ
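Review bot: `"100.64.0.0/10 allow"` opens recursion to the entire CGNAT block, not just this host's tailnet; unbound's `access-control` matches on source address regardless of interface, so if the host ever carries a non-Tailscale address in 100.64/10 (a CGNAT-ed ISP uplink, a VM or container network) or unbound binds `0.0.0.0`, this becomes an open resolver to those neighbours. The cheap guard is to restrict what unbound listens on via `interface` so the /10 can only ever arrive over `tailscale0`, and to check `tailscale status` for subnet routes that would re-advertise it; the same applies to `"fd7a:115c:a1e0::/48 allow"`, which is Tailscale's ULA range. A comment on both lines, e.g. `# Tailscale CGNAT range; only safe because unbound binds the tailscale0 address`, would tie the allow to that assumption.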
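Review bot: Enabling `"22727" = [ "10.100.0.3" "7777" ];` exposes a WireGuard peer's port on `serverInterface` with no record of what service sits at 10.100.0.3:7777 or why it needs to be public, which is exactly the kind of hole that never gets removed later. Add a comment naming the service, the peer host and the owner, e.g. `# <service> on <peer>, reachable over WireGuard; TCP and UDP forwarded from public :22727 (see mapForwards)`, so the next reader can tell whether it is still needed.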
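Review bot: The new UDP `FORWARD … -j ACCEPT` (like the TCP line it copies) matches only on destination and port, not on the ingress interface, so it accepts forwarded UDP to `${dest}:${dport}` from every interface — WireGuard peers, the LAN, anything routed through this box — rather than just the DNAT'd traffic arriving on `${serverInterface}`. Tie the accept to the DNAT by matching the interface, `${pkgs.iptables}/bin/iptables -${type} FORWARD -i ${serverInterface} -p udp -d ${dest} --dport ${dport} -j ACCEPT` (or add `-m conntrack --ctstate DNAT`), and do the same for the TCP line above it while here. The four lines now differ only in `tcp`/`udp`, so generating them with `lib.concatMapStrings (proto: …) [ "tcp" "udp" ]` would keep the two protocols from drifting apart again. `mapForwards` begins before this hunk.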