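{ pkgs, lib, config, repoFlake, nodeFlake, nodeName, ... }:

# Host configuration for a NAT gateway that runs the mailserver, webserver and
# syncthing containers behind the `br0` bridge and reaches the upstream
# network through the `dmz0` macvlan sitting on `eth0`.
{
  imports = [ ../../snippets/systemd-resolved.nix ];

  # --- Firewall -------------------------------------------------------------
  # nftables backend; the ruleset is flushed on every (re)load so rules from a
  # previous generation do not linger.
  networking.firewall.enable = true;
  networking.nftables.enable = true;
  networking.nftables.flushRuleset = true;
  networking.firewall.allowedTCPPorts = [
    # iperf3
    5201
  ];
  # Refused connections are not logged; flip this on temporarily when
  # debugging the ruleset.
  networking.firewall.logRefusedConnections = false;

  # --- Host networking ------------------------------------------------------
  networking.usePredictableInterfaceNames = false;
  networking.useNetworkd = true;
  networking.useDHCP = false;

  # Traffic from the container bridge is masqueraded out through dmz0.
  networking.nat = {
    enable = true;
    internalInterfaces = [ "br0" ];
    externalInterface = "dmz0";
  };

  # br0 carries only the containers' veth peers; no physical interface is
  # enslaved, so container traffic cannot bypass the NAT/firewall path.
  networking.bridges.br0.interfaces = [ ];
  networking.interfaces.br0.ipv4.addresses = [
    { address = "192.168.101.1"; prefixLength = 24; }
  ];

  # dmz0: a bridge-mode macvlan on top of eth0 with a fixed MAC so the
  # upstream DHCP server hands out a stable lease.
  systemd.network.netdevs."10-dmz0" = {
    enable = true;
    netdevConfig = {
      Name = "dmz0";
      Kind = "macvlan";
      MACAddress = "1c:69:7a:07:08:6f";
    };
    macvlanConfig.Mode = "bridge";
  };
  systemd.network.networks."20-eth0" = {
    enable = true;
    matchConfig.Name = "eth0";
    # TODO: i'm not sure if and if so why this is required
    macvlan = [ "dmz0" ];
    DHCP = "no";
  };
  systemd.network.networks."30-dmz0" = {
    enable = true;
    matchConfig.Name = "dmz0";
    DHCP = "yes";
  };

  # Kernel IP forwarding between br0 and dmz0.
  # networking.nat already enables IPv4 forwarding; it is kept explicit here.
  # The IPv6 key was previously "net.ipv6.ip_forward", which the kernel does
  # not have (the IPv6 switch lives under net.ipv6.conf.*), so IPv6 forwarding
  # was never actually applied and systemd-sysctl only logged an error.
  # NOTE(review): with this on, the host routes IPv6; confirm the firewall's
  # forward policy covers IPv6 the same way networking.nat covers IPv4
  # (networking.nat.enableIPv6 is not set here).
  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = 1;
    "net.ipv6.conf.all.forwarding" = 1;
  };

  # --- Virtualisation -------------------------------------------------------
  virtualisation = {
    docker.enable = false;
    libvirtd = {
      enable = true;
      onShutdown = "shutdown";
      parallelShutdown = 3;
    };
  };

  nix.gc.automatic = true;

  # --- Backups --------------------------------------------------------------
  # Repository password comes from the per-node sops file; it is never
  # written into the Nix store.
  sops.secrets.restic-password.sopsFile =
    ../../../../secrets/${nodeName}/secrets.yaml;

  # adapted from https://github.com/lilyinstarlight/foosteros/blob/5c75ded111878970fd4f600c7adc013f971d5e71/config/restic.nix
  # The container volumes are snapshotted read-only (-r) before the run so the
  # backup sees a consistent view, and the snapshot is removed afterwards.
  services.restic.backups.${nodeName} =
    let
      btrfsBin = "${pkgs.btrfs-progs}/bin/btrfs";
    in
    {
      initialize = true;
      repository = "sftp://u217879-sub3@u217879-sub3.your-storagebox.de:23/restic/${nodeName}";
      paths = [ "/backup" ];
      pruneOpts = [
        "--keep-daily 7"
        "--keep-weekly 5"
        "--keep-monthly 12"
        "--keep-yearly 2"
      ];
      timerConfig = {
        OnCalendar = lib.mkDefault "daily";
        Persistent = true;
      };
      passwordFile = config.sops.secrets.restic-password.path;
      backupPrepareCommand = ''
        ${btrfsBin} su snapshot -r /var/lib/container-volumes /backup/container-volumes
      '';
      backupCleanupCommand = ''
        ${btrfsBin} su delete /backup/container-volumes
      '';
    };

  # --- Containers -----------------------------------------------------------
  # All containers share br0 and use the host's bridge address as gateway;
  # each gets a fixed address in 192.168.101.0/24 and the ports it exposes.
  containers = {
    mailserver = import ../../containers/mailserver.nix {
      specialArgs = { inherit repoFlake nodeFlake; };
      autoStart = true;
      hostBridge = "br0";
      hostAddress = "192.168.101.1";
      localAddress = "192.168.101.10/24";
      imapsPort = 993;
      sievePort = 4190;
    };
    webserver = import ../../containers/webserver.nix {
      specialArgs = { inherit repoFlake nodeFlake; };
      autoStart = true;
      hostBridge = "br0";
      hostAddress = "192.168.101.1";
      localAddress = "192.168.101.11/24";
      httpPort = 80;
      httpsPort = 443;
      forgejoSshPort = 2222;
    };
    syncthing = import ../../containers/syncthing.nix {
      specialArgs = { inherit repoFlake nodeFlake; };
      autoStart = true;
      hostBridge = "br0";
      hostAddress = "192.168.101.1";
      localAddress = "192.168.101.12/24";
      syncthingPort = 22000;
    };
  };

  # --- Storage --------------------------------------------------------------
  fileSystems."/mnt/8078-532D".device = "/dev/disk/by-uuid/8078-532D";

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "22.11"; # Did you read the comment?
}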