

No commits in common. "63c0f5295581481396a4d068ef69c405ebdd2306" and "8ba08ce982f3175c11ac114fdfa746c0d8632977" have entirely different histories.

2 changed files with 16 additions and 10 deletions


@ -11,7 +11,6 @@
# TODO implement this module such that the wireguard VPN doesn't have to live in a container
# TODO don't add forward rules if the PIA port is the same as cfg.forwardedPort
# TODO verify signatures of PIA responses
# TODO `RuntimeMaxSec = "30d";` for pia-vpn-wireguard-init isn't allowed per the systemd logs. Find alternative.
with builtins;
with lib;
@ -144,14 +143,14 @@ in
systemd.services.pia-vpn-wireguard-init = {
description = "Creates PIA VPN Wireguard Interface";
wants = [ "network-online.target" ];
requires = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
before = [ containerServiceName ];
requiredBy = [ containerServiceName ];
partOf = [ containerServiceName ];
wantedBy = [ "multi-user.target" ];
path = with pkgs; [ wireguard-tools jq curl iproute iputils ];
path = with pkgs; [ wireguard-tools jq curl iproute ];
serviceConfig = {
Type = "oneshot";
@ -163,11 +162,6 @@ in
};
script = ''
echo Waiting for internet...
while ! ping -c 1 -W 1 1.1.1.1; do
sleep 1
done
# Prepare to connect by generating wg secrets and auth'ing with PIA since the container
# cannot do without internet to start with. NAT'ing the host's internet would address this
# issue but is not ideal because then leaking network outside of the VPN is more likely.
@ -220,7 +214,7 @@ in
vpn-container.config.systemd.services.pia-vpn-wireguard = {
description = "Initializes the PIA VPN WireGuard Tunnel";
wants = [ "network-online.target" ];
requires = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
wantedBy = [ "multi-user.target" ];
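Review bot: The init service's first request to PIA now runs as soon as `network-online.target` is reached, with nothing left in `script` that confirms a route actually exists — the `ping` loop at the top of `script` and `iputils` in `path` look like the removed side, judging from the hunk counts (11 old lines to 6 new). On NixOS that target only means the configured network backend has finished, so on a slow DHCP lease or late DNS the `curl` calls that follow — in the rest of `script`, outside this hunk — fail and the oneshot unit fails before `containerServiceName` is started. A bounded retry on those curl invocations is the cheap replacement, e.g. `curl --retry 10 --retry-delay 3 --retry-connrefused ...`, together with a one-line comment such as `# network-online.target does not guarantee reachability; retry the first PIA request` so the next reader does not reintroduce an unbounded wait loop. Which of `wants`/`requires` in the last hunk is old and which is new cannot be told from this rendering, so I have not reviewed that pair.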


@ -39,6 +39,12 @@
fsType = "zfs";
options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/home" =
{
device = "rpool/nixos/home";
fsType = "zfs";
options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/var/lib" =
{
device = "rpool/nixos/var/lib";
@ -51,6 +57,13 @@
fsType = "zfs";
options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/data" =
{
device = "rpool/nixos/data";
fsType = "zfs";
options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/4FB4-738E";
@ -59,7 +72,6 @@
swapDevices = [ ];
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.eth1.useDHCP = true;
powerManagement.cpuFreqGovernor = "powersave";
}
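Review bot: The new `fileSystems."/home"` and `fileSystems."/data"` entries hand-copy the same `fsType`/`options` triple already used by the sibling ZFS datasets, so every mount is four duplicated lines where one helper would do; in the module's `let` (outside this hunk) add `mkZfs = device: { inherit device; fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ]; };` and write each entry as `fileSystems."/home" = mkZfs "rpool/nixos/home";`. That keeps the mount flags in one place, which matters once someone wants to tighten them: for `rpool/nixos/data`, if it holds user-writable or imported content and the dataset's `setuid`/`devices` properties are not already off (not visible here), `"nosuid" "nodev"` belong in its options, and the helper can take an extra option list for such datasets. The `networking.interfaces.eth*.useDHCP` line dropped in the last hunk cannot be told apart from its surviving twin on this rendering, so that change is not reviewed here.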