zuckerberg/nix-config
zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

Compare commits

base: zuckerberg:8ba08ce982f3175c11ac114fdfa746c0d8632977
Branches Tags
zuckerberg:master
zuckerberg:stage
zuckerberg:rpi-hotspot
zuckerberg:attic
zuckerberg:kexec_luks2
zuckerberg:pia-client
...
compare: zuckerberg:63c0f5295581481396a4d068ef69c405ebdd2306
Branches Tags
zuckerberg:stage
zuckerberg:master
zuckerberg:rpi-hotspot
zuckerberg:attic
zuckerberg:kexec_luks2
zuckerberg:pia-client

3 Commits
8ba08ce982 ... 63c0f52955

Author SHA1 Message Date
Zuckerberg
63c0f52955 s0: use eth1
Some checks failed
Check Flake / check-flake (push) Failing after 9s
Details
2023-10-16 20:21:00 -06:00
Zuckerberg
5413a8e7db Remove mounts that fail. These never worked 2023-10-16 20:20:32 -06:00
Zuckerberg
330c801e43 Fix issue where wg vpn starts slightly too early for internet access 2023-10-16 20:19:34 -06:00
2 changed files with 10 additions and 16 deletions
Show Stats Expand all files Collapse all files

12
common/network/pia-wireguard.nix
View File

@ -11,6 +11,7 @@
# TODO implement this module such that the wireguard VPN doesn't have to live in a container
# TODO don't add forward rules if the PIA port is the same as cfg.forwardedPort
# TODO verify signatures of PIA responses
# TODO `RuntimeMaxSec = "30d";` for pia-vpn-wireguard-init isn't allowed per the systemd logs. Find alternative.
with builtins;
with lib;
@ -143,14 +144,14 @@ in
systemd.services.pia-vpn-wireguard-init = {
description = "Creates PIA VPN Wireguard Interface";
requires = [ "network-online.target" ];
wants = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
before = [ containerServiceName ];
requiredBy = [ containerServiceName ];
partOf = [ containerServiceName ];
wantedBy = [ "multi-user.target" ];
path = with pkgs; [ wireguard-tools jq curl iproute ];
path = with pkgs; [ wireguard-tools jq curl iproute iputils ];
serviceConfig = {
Type = "oneshot";
@ -162,6 +163,11 @@ in
};
script = ''
echo Waiting for internet...
while ! ping -c 1 -W 1 1.1.1.1; do
sleep 1
done
# Prepare to connect by generating wg secrets and auth'ing with PIA since the container
# cannot do without internet to start with. NAT'ing the host's internet would address this
# issue but is not ideal because then leaking network outside of the VPN is more likely.
@ -214,7 +220,7 @@ in
vpn-container.config.systemd.services.pia-vpn-wireguard = {
description = "Initializes the PIA VPN WireGuard Tunnel";
requires = [ "network-online.target" ];
wants = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
wantedBy = [ "multi-user.target" ];

14
machines/storage/s0/hardware-configuration.nix
View File

@ -39,12 +39,6 @@
fsType = "zfs";
options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/home" =
{
device = "rpool/nixos/home";
fsType = "zfs";
options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/var/lib" =
{
device = "rpool/nixos/var/lib";
@ -57,13 +51,6 @@
fsType = "zfs";
options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/data" =
{
device = "rpool/nixos/data";
fsType = "zfs";
options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/4FB4-738E";
@ -72,6 +59,7 @@
swapDevices = [ ];
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.eth1.useDHCP = true;
powerManagement.cpuFreqGovernor = "powersave";
}