zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

fix networking online target + ntfy notifications
All checks were successful
Check Flake / check-flake (push) Successful in 3m36s
Details

Browse Source
This commit is contained in:
Zuckerberg
2026-02-25 23:24:23 -08:00
parent 1ac3f05e3e
commit f4a4edf478
3 changed files with 28 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
common/network/pia-vpn/service-container.nix
View File

@@ -47,6 +47,24 @@ let
# DNS through VPN container (queries go through WG tunnel = no DNS leak) # DNS through VPN container (queries go through WG tunnel = no DNS leak)
networking.nameservers = [ cfg.vpnAddress ]; networking.nameservers = [ cfg.vpnAddress ];
# Wait for actual VPN connectivity before network-online.target.
# Without this, services start before the VPN tunnel is ready and failures
# can't be reported to ntfy (no outbound connectivity yet).
systemd.services.wait-for-vpn = {
description = "Wait for VPN connectivity";
before = [ "network-online.target" ];
wantedBy = [ "network-online.target" ];
after = [ "systemd-networkd-wait-online.service" ];
serviceConfig.Type = "oneshot";
path = [ pkgs.iputils ];
script = ''
until ping -c1 -W2 1.1.1.1 >/dev/null 2>&1; do
echo "Waiting for VPN connectivity..."
sleep 1
done
'';
};
# Trust the bridge interface (host reaches us directly for nginx) # Trust the bridge interface (host reaches us directly for nginx)
networking.firewall.trustedInterfaces = [ "eth0" ]; networking.firewall.trustedInterfaces = [ "eth0" ];

3
common/network/pia-vpn/vpn-container.nix
View File

@@ -91,6 +91,9 @@ in
# Ignore WG interface for wait-online (it's configured manually, not by networkd) # Ignore WG interface for wait-online (it's configured manually, not by networkd)
systemd.network.wait-online.ignoredInterfaces = [ cfg.interfaceName ]; systemd.network.wait-online.ignoredInterfaces = [ cfg.interfaceName ];
# Route ntfy alerts through the host proxy (VPN container has no gateway on eth0)
ntfy-alerts.curlExtraArgs = "--proxy http://${cfg.hostAddress}:${toString cfg.proxyPort}";
# Enable forwarding so bridge traffic can go through WG # Enable forwarding so bridge traffic can go through WG
boot.kernel.sysctl."net.ipv4.ip_forward" = 1; boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

7
common/ntfy-alerts.nix
View File

@@ -16,6 +16,12 @@ in
default = "service-failures"; default = "service-failures";
description = "ntfy topic to publish alerts to."; description = "ntfy topic to publish alerts to.";
}; };
curlExtraArgs = lib.mkOption {
type = lib.types.str;
default = "";
description = "Extra arguments to pass to curl (e.g. --proxy http://host:port).";
};
}; };
config = lib.mkIf config.thisMachine.hasRole."ntfy" { config = lib.mkIf config.thisMachine.hasRole."ntfy" {
@@ -33,6 +39,7 @@ in
${lib.getExe pkgs.curl} \ ${lib.getExe pkgs.curl} \
--fail --silent --show-error \ --fail --silent --show-error \
--max-time 30 --retry 3 \ --max-time 30 --retry 3 \
${cfg.curlExtraArgs} \
-H "Authorization: Bearer $NTFY_TOKEN" \ -H "Authorization: Bearer $NTFY_TOKEN" \
-H "Title: Service failure on ${config.networking.hostName}" \ -H "Title: Service failure on ${config.networking.hostName}" \
-H "Priority: high" \ -H "Priority: high" \