diff --git a/generate.nix b/generate.nix index a58049c1..173ab57a 100644 --- a/generate.nix +++ b/generate.nix @@ -24,25 +24,17 @@ mkNodeSystem = system: { network = let inherit (system.config.proxmox) network; - inherit (network) internal; - inherit (network.interfaces) net0; - mapAddress6 = prefix: interface: - if interface.address6 == "dhcp" then null - else if interface.address6 == "auto" then "${prefix}${interface.slaac.postfix}" - else mapNullable (removeSuffix "/64") interface.address6; - mapAddress4 = interface: - if elem interface.address4 [ "dhcp" "auto" ] then null - else mapNullable (removeSuffix "/24") interface.address4; + inherit (network) internal local; in { int = if internal.interface != null then { inherit (internal.interface) macAddress; - address6 = mapAddress6 "fd0c::" internal.interface; - address4 = mapAddress4 internal.interface; + address4 = removeSuffix "/24" internal.interface.address4; + address6 = removeSuffix "/64" internal.interface.address6; } else null; - local = if network.interfaces.net0.bridge or null == "vmbr0" then { - inherit (net0) macAddress; - address6 = mapAddress6 "fd0a::" net0; - address4 = mapAddress4 net0; + local = if local.interface != null then { + inherit (local.interface) macAddress; + address4 = mapNullable (removeSuffix "/24") local.interface.local.address4; + address6 = mapNullable (removeSuffix "/64") local.interface.local.address6; } else null; tail = warn "TODO: generate network.tail" null; }; diff --git a/modules/nixos/access.nix b/modules/nixos/access.nix index 3408e57a..4b895471 100644 --- a/modules/nixos/access.nix +++ b/modules/nixos/access.nix 
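Review bot: In the `int` branch, `address4 = removeSuffix "/24" internal.interface.address4;` and the `/64` line below it no longer go through `mapNullable` or the old dhcp/auto mapping, so a null `address4` on the internal interface fails evaluation and a literal `"dhcp"`/`"auto"` value is published as if it were an address, while the `local` branch in the same hunk keeps `mapNullable`. Wrapping both, `address4 = mapNullable (removeSuffix "/24") internal.interface.address4;`, restores the null case; the dhcp/auto case needs the same `hasAddr4`/`hasAddr6` test that modules/system/proxmox/network.nix now applies before filling `local`. The fixed `/24` and `/64` suffixes also leave the mask in place for any other prefix length. The `address4ForNetwork`/`address6ForNetwork` values in modules/system/access.nix strip the same way and share both gaps.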
@@ -139,10 +139,10 @@ in { firewall = { interfaces.local = { nftables.conditions = [ - "ip saddr { ${concatStringsSep ", " cfg.cidrForNetwork.local.v4} }" + "ip saddr { ${concatStringsSep ", " (cfg.cidrForNetwork.local.v4 ++ cfg.cidrForNetwork.int.v4)} }" ( mkIf networking.enableIPv6 - "ip6 saddr { $localrange6, ${concatStringsSep ", " cfg.cidrForNetwork.local.v6} }" + "ip6 saddr { $localrange6, ${concatStringsSep ", " (cfg.cidrForNetwork.local.v6 ++ cfg.cidrForNetwork.int.v6)} }" ) ]; }; diff --git a/modules/nixos/network/resolve.nix b/modules/nixos/network/resolve.nix new file mode 100644 index 00000000..451c49ec --- /dev/null +++ b/modules/nixos/network/resolve.nix 
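Review bot: Internal-network source addresses are now accepted on the local interface: both `ip saddr` / `ip6 saddr` conditions under `interfaces.local` append `cfg.cidrForNetwork.int.v4` / `.v6`, so a packet arriving on the local segment passes simply by carrying an int-range source. If internal hosts reach this machine over the internal interface, those ranges belong in an `interfaces.int` rule set rather than here; if the local interface really is where that traffic arrives, make sure reverse-path filtering (`networking.firewall.checkReversePath`) stays on so the wider allow-list cannot be satisfied by a spoofed source on the local segment. A comment above the list naming which interface the int ranges are expected on would make the intent checkable. The enclosing `firewall` attrset starts and ends outside the hunk.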
@@ -0,0 +1,70 @@ +{config, lib, ...}: let + inherit (lib.options) mkOption mkEnableOption; + inherit (lib.modules) mkIf mkDefault mkOptionDefault; + inherit (lib.lists) filter optional; + inherit (lib.strings) hasInfix concatStrings; + inherit (config.services) resolved; + enabledNameservers = filter (ns: ns.enable) (config.networking.nameservers'); + nameserverModule = {config, ...}: let + dnsPort = 53; + mkResolvedValue = { address, port, interface ? null, host ? null }: let + isIpv6 = hasInfix ":" address; + isPlain = port == dnsPort && interface == null && host == null; + addr = if isIpv6 && !isPlain then "[${address}]" else address; + in concatStrings ( + [ addr ] + ++ optional (port != dnsPort) ":${toString port}" + ++ optional (interface != null) "%${interface}" + ++ optional (host != null) "#${host}" + ); + in { + options = with lib.types; { + enable = mkEnableOption "nameserver" // { + default = true; + }; + address = mkOption { + type = str; + }; + port = mkOption { + type = port; + default = dnsPort; + }; + interface = mkOption { + type = nullOr str; + default = null; + }; + host = mkOption { + type = nullOr str; + default = null; + }; + resolvedValue = mkOption { + type = str; + readOnly = true; + }; + value = mkOption { + type = str; + internal = true; + }; + }; + config = { + resolvedValue = mkOptionDefault (mkResolvedValue { + inherit (config) address port interface host; + }); + value = mkOptionDefault (mkResolvedValue { + inherit (config) address port; + }); + }; + }; +in { + options.networking = with lib.types; { + nameservers' = mkOption { + type = listOf (submodule nameserverModule); + default = { }; + }; + }; + config = { + networking.nameservers = mkIf (config.networking.nameservers' != [ ]) ( + map (ns: if resolved.enable then ns.resolvedValue else ns.value) enabledNameservers + ); + }; +} diff --git a/modules/system/access.nix b/modules/system/access.nix index 7aaaff18..25877388 100644 --- a/modules/system/access.nix 
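Review bot: `nameservers'` is declared as `listOf (submodule nameserverModule)` but its default is `{ }`; the module system type-checks the default whenever it is the value in effect, so a configuration that never sets `networking.nameservers'` fails to evaluate (this commit sets it for every host in nixos/base/network.nix, which hides the problem). Change it to `default = [ ];`. The `value` form silently drops `port`, `interface` and `host`, so when resolved is off the `#host` server name, and with it any DNS-over-TLS name check, is lost; a comment on that option, e.g. `# plain networking.nameservers carries the address only; port/interface/host are resolved-only`, would make the downgrade visible to whoever reads the list.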
+++ b/modules/system/access.nix @@ -10,16 +10,26 @@ inherit (inputs.self.lib) systems; inherit (inputs.self.lib.lib) domain; inherit (lib.options) mkOption mkEnableOption; - inherit (lib.modules) mkIf mkDefault mkOptionDefault; + inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault; + inherit (lib.strings) removeSuffix; cfg = config.access; systemConfig = config; systemAccess = access; + hasInt = config.proxmox.enabled && config.proxmox.network.internal.interface != null; + hasLocal = config.proxmox.enabled && config.proxmox.network.local.interface != null; + hasTail = cfg.tailscale.enable; nixosModule = { config, system, + access, ... }: let cfg = config.networking.access; + addressForAttr = if config.networking.enableIPv6 then "address6ForNetwork" else "address4ForNetwork"; + has'Int = system.proxmox.enabled && system.proxmox.network.internal.interface != null; + has'Local = system.proxmox.enabled && system.proxmox.network.local.interface != null; + has'Tail' = config.services.tailscale.enable; + has'Tail = lib.warnIf (hasTail != has'Tail') "tailscale set incorrectly in system.access for ${config.networking.hostName}" has'Tail'; in { options.networking.access = with lib.types; { global.enable = 
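Review bot: `addressForAttr` selects `address6ForNetwork` whenever this host has `networking.enableIPv6` (the NixOS default) with no IPv4 fallback; the `mkGetAddressFor` lookups in the next hunk return `err` when the peer publishes no v6 entry for the network, so a peer with only an IPv4 address on the lan becomes unreachable through `getAddressFor`, which nixos/reisen-ct/network.nix now uses for its nameserver address. Either fall back to `address4ForNetwork` when the v6 lookup misses, or keep `getAddressFor` v6-first and say so in a comment so callers that need v4 use `getAddress4For`. `hasInt`/`hasLocal` and `has'Int`/`has'Local` compute the same predicate from `config` and from `system`; if those are the same configuration the duplicates can go. The `let` binding this hunk belongs to continues outside it.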
@@ -34,8 +44,22 @@ }; config = { networking.access = { - moduleArgAttrs = { - inherit (systemAccess) hostnameForNetwork; + moduleArgAttrs = let + mkGetAddressFor = addressForAttr: hostName: network: let + forSystem = access.systemFor hostName; + err = throw "no lan interface found between ${config.networking.hostName} and ${hostName}"; + in { + lan = + if has'Int then forSystem.access.${addressForAttr}.int or forSystem.access.${addressForAttr}.local or err + else if hasLocal then forSystem.access.${addressForAttr}.local or err + else err; + ${if has'Local then "local" else null} = forSystem.access.${addressForAttr}.local or err; + ${if has'Int then "int" else null} = forSystem.access.${addressForAttr}.int or err; + # TODO: tail + }.${network} or err; + in { + inherit (systemAccess) hostnameForNetwork address4ForNetwork address6ForNetwork; + addressForNetwork = systemAccess.${addressForAttr}; systemFor = hostName: if hostName == config.networking.hostName then systemConfig 
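Review bot: `err` in `mkGetAddressFor` always reads "no lan interface found", even when `network` is `local` or `int`; `getHostnameFor` in the next hunk interpolates the network, so use the same form here: `err = throw "no ${network} interface found between ${config.networking.hostName} and ${hostName}";`. The `lan` case also mixes the nixos-side `has'Int` with the system-side `hasLocal`, while the `local`/`int` keys use `has'Local`/`has'Int`, and `getHostnameFor` uses `hasInt`/`hasLocal` for `lan` but the primed ones for its keys; choosing one set throughout stops the two from drifting apart. With `# TODO: tail`, `getAddressFor x "tail"` currently throws the lan message as well. The `moduleArgAttrs` attrset continues past the end of the hunk.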
@@ -52,6 +76,21 @@ if hostName == config.networking.hostName then config else systemAccess.nixosForOrNull hostName; + getAddressFor = mkGetAddressFor addressForAttr; + getAddress4For = mkGetAddressFor "address4ForNetwork"; + getAddress6For = mkGetAddressFor "address6ForNetwork"; + getHostnameFor = hostName: network: let + forSystem = access.systemFor hostName; + err = throw "no ${network} interface found between ${config.networking.hostName} and ${hostName}"; + in { + lan = + if hasInt then forSystem.access.hostnameForNetwork.int or forSystem.access.hostnameForNetwork.local or err + else if hasLocal then forSystem.access.hostnameForNetwork.local or err + else err; + ${if has'Local then "local" else null} = forSystem.access.hostnameForNetwork.local or err; + ${if has'Int then "int" else null} = forSystem.access.hostnameForNetwork.int or err; + ${if has'Tail then "tail" else null} = forSystem.access.hostnameForNetwork.tail or err; + }.${network} or err; }; }; networking.tempAddresses = mkIf cfg.global.enable ( 
@@ -77,22 +116,71 @@ in { type = attrsOf str; default = {}; }; + address4ForNetwork = mkOption { + type = attrsOf str; + default = {}; + }; + address6ForNetwork = mkOption { + type = attrsOf str; + default = {}; + }; }; config = { modules = [ nixosModule ]; - access = { - hostnameForNetwork = { - local = mkOptionDefault "${cfg.hostName}.local.${cfg.domain}"; - tail = mkIf cfg.tailscale.enable (mkOptionDefault "${cfg.hostName}.tail.${cfg.domain}"); - global = mkIf cfg.global.enable (mkOptionDefault "${cfg.hostName}.${cfg.domain}"); + access = let + local'interface = config.proxmox.network.local.interface; + int'interface = config.proxmox.network.internal.interface; + hasInt4 = hasInt && int'interface.address4 != null; + hasInt6 = hasInt && int'interface.address6 != null; + hasLocal4 = hasLocal && local'interface.local.address4 or null != null; + hasLocal6 = hasLocal && local'interface.local.address6 or null != null; + in { + hostnameForNetwork = let + int = "${cfg.hostName}.int.${cfg.domain}"; + local = "${cfg.hostName}.local.${cfg.domain}"; + tail = "${cfg.hostName}.tail.${cfg.domain}"; + global = "${cfg.hostName}.${cfg.domain}"; + in { + lan = mkMerge [ + (mkIf hasInt (mkDefault int)) + (mkOptionDefault local) + ]; + int = mkIf hasInt (mkOptionDefault int); + local = mkOptionDefault local; + tail = mkIf hasTail (mkOptionDefault tail); + global = mkIf cfg.global.enable (mkOptionDefault global); + }; + address4ForNetwork = let + int = removeSuffix "/24" int'interface.address4; + local = removeSuffix "/24" local'interface.local.address4; + in { + lan = mkMerge [ + (mkIf hasInt4 (mkDefault int)) + (mkIf hasLocal4 (mkOptionDefault local)) + ]; + int = mkIf hasInt4 (mkOptionDefault int); + local = mkIf hasLocal4 (mkOptionDefault local); + # TODO: tail + }; + address6ForNetwork = let + int = removeSuffix "/64" int'interface.address6; + local = removeSuffix "/64" local'interface.local.address6; + in { + lan = mkMerge [ + (mkIf hasInt6 (mkDefault int)) + (mkIf hasLocal6 
(mkOptionDefault local)) + ]; + int = mkIf hasInt6 (mkOptionDefault int); + local = mkIf hasLocal6 (mkOptionDefault local); + # TODO: tail }; }; _module.args.access = { - inherit (cfg) hostnameForNetwork; + inherit (cfg) hostnameForNetwork address4ForNetwork address6ForNetwork; systemFor = hostName: systems.${hostName}.config; systemForOrNull = hostName: systems.${hostName}.config or null; nixosFor = hostName: nixosConfigurations.${hostName}.config or (access.systemFor hostName).built.config; diff --git a/modules/system/proxmox/network.nix b/modules/system/proxmox/network.nix index 7ff1aeb8..9ba1a715 100644 --- a/modules/system/proxmox/network.nix +++ b/modules/system/proxmox/network.nix @@ -3,7 +3,7 @@ inherit (lib.options) mkOption mkEnableOption; inherit (lib.modules) mkIf mkMerge mkOptionDefault mkOverride; inherit (lib.attrsets) attrValues; - inherit (lib.lists) elem findSingle; + inherit (lib.lists) elem findSingle findFirst; inherit (lib.strings) hasPrefix removePrefix replaceStrings; inherit (lib.trivial) mapNullable; mkAlmostOptionDefault = mkOverride 1250; @@ -52,7 +52,7 @@ }; mdns = { enable = mkEnableOption "mDNS" // { - default = system.proxmox.node.name == "reisen" && config.id == "net0"; + default = config.local.enable && config.id == "net0"; }; }; slaac = { @@ -63,6 +63,18 @@ internal = { enable = mkEnableOption "internal network interface"; }; + local = { + enable = mkOption { + type = bool; + default = system.proxmox.node.name == "reisen" && config.id == "net0" && config.bridge == "vmbr0"; + }; + address4 = mkOption { + type = nullOr str; + }; + address6 = mkOption { + type = nullOr str; + }; + }; networkd = { enable = mkEnableOption "systemd.network" // { default = true; 
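Review bot: `hostnameForNetwork.lan` prefers the int hostname whenever `hasInt`, but `address4ForNetwork.lan` only prefers the int address when `hasInt4` (and `address6ForNetwork.lan` when `hasInt6`), so for a system whose internal interface has a null `address4`, `getHostnameFor x "lan"` and `getAddress4For x "lan"` name different networks. If that is not intended, gate the hostname entry the same way, e.g. `(mkIf (hasInt4 || hasInt6) (mkDefault int))`, otherwise a comment above `hostnameForNetwork` stating that lan names prefer int while lan addresses depend on an address being set would document the asymmetry. `hasLocal4`/`hasLocal6` rely on `or null`, which only covers a missing attribute, not a declared option that has no definition. The `options` attrset closed at the top of this hunk starts outside it.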
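Review bot: `local.address4` and `local.address6` are declared `nullOr str` with no default, and the `mkIf config.local.enable` definition in the config block (next hunk) only fills them on local-enabled interfaces, so reading either option on any other interface raises "used but not defined"; the `or null` guards added in modules/system/access.nix do not catch that because the attribute exists. Add `default = null;` to both options so non-local interfaces yield null. The `local.enable` default hard-codes node `reisen`, `net0` and `vmbr0`, the same selector the old generate.nix used; a one-line comment on why those three identify the local-network interface would spare the next reader the archaeology.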
@@ -73,7 +85,17 @@ }; }; config = let + hasAddr4 = ! elem config.address4 [ null "dhcp" ]; + hasAddr6 = ! elem config.address6 [ null "dhcp" "auto" ]; conf = { + local = mkIf config.local.enable { + address4 = mkOptionDefault (if hasAddr4 then config.address4 else null); + address6 = mkOptionDefault ( + if config.address6 == "auto" && config.slaac.postfix != null then "fd0a::${config.slaac.postfix}" + else if hasAddr6 then config.address6 + else null + ); + }; name = mkMerge [ (mkIf (hasPrefix "net" config.id && system.proxmox.container.enable) (mkOptionDefault ("eth" + removePrefix "net" config.id))) # VMs have names like `ens18` for net0... @@ -146,10 +168,16 @@ in { type = nullOr unspecified; }; }; + local = { + interface = mkOption { + type = nullOr unspecified; + }; + }; }; config.proxmox.network = { internal = { interface = mkOptionDefault (findSingle (interface: interface.internal.enable) null (throw "expected only one internal network interface") (attrValues cfg.interfaces)); }; + local.interface = mkOptionDefault (findFirst (interface: interface.local.enable) null (attrValues cfg.interfaces)); }; } diff --git a/nixos/access/freepbx.nix b/nixos/access/freepbx.nix index f337824d..4d96b035 100644 --- a/nixos/access/freepbx.nix +++ b/nixos/access/freepbx.nix @@ -3,19 +3,18 @@ lib, ... }: let - inherit (lib.options) mkOption mkEnableOption; + inherit (lib.options) mkOption; inherit (lib.modules) mkIf mkDefault; inherit (lib.lists) head optional; inherit (lib.strings) splitString; inherit (config.services) nginx; access = nginx.access.freepbx; - freepbx = config.lib.access.systemFor "freepbx"; hasSsl = nginx.virtualHosts.freepbx'ucp.listen'.ucpSsl.enable; in { options.services.nginx.access.freepbx = with lib.types; { host = mkOption { type = str; - default = freepbx.access.hostnameForNetwork.local; + default = config.lib.access.getHostnameFor "freepbx" "lan"; }; url = mkOption { type = str; 
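Review bot: The `fd0a::` prefix in `"fd0a::${config.slaac.postfix}"` is now hard-coded here, after being a parameter of the removed `mapAddress6` in generate.nix, and nixos/dnsmasq.nix hard-codes the same `fd0a::` in `mapDynamic6`; keeping it in one place (an option or a shared lib value) keeps the two from drifting. `hasAddr6` treats `"auto"` as no address, and the `auto` branch only produces one when `slaac.postfix` is set, so an interface with `address6 = "auto"` and no postfix publishes null; a comment such as `# auto without a postfix has no predictable address, publish nothing` would make that deliberate. The `conf` attrset continues past the hunk.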
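Review bot: `local.interface` uses `findFirst`, which silently takes the first interface with `local.enable` when several qualify, whereas `internal.interface` on the line above uses `findSingle` and throws on duplicates. Since `access.*ForNetwork.local` and the dnsmasq host records are derived from this single interface, a second local-enabled interface would be dropped without notice; use the same shape: `local.interface = mkOptionDefault (findSingle (interface: interface.local.enable) null (throw "expected only one local network interface") (attrValues cfg.interfaces));`.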
diff --git a/nixos/base/network.nix b/nixos/base/network.nix
index e514ed90..99565bdd 100644
--- a/nixos/base/network.nix
+++ b/nixos/base/network.nix
@@ -12,6 +12,11 @@ in {
 nftables.enable = true;
 domain = mkDefault domain;
 hostName = mkOverride 25 name;
+ nameservers' = [
+ #{ address = "8.8.8.8"; host = "dns.google"; }
+ { address = "1.1.1.1"; host = "cloudflare-dns.com"; }
+ { address = "1.0.0.1"; host = "cloudflare-dns.com"; }
+ ];
 };
 # work around https://github.com/NixOS/nixpkgs/issues/132646
diff --git a/nixos/dnsmasq.nix b/nixos/dnsmasq.nix
new file mode 100644
index 00000000..cb81d668
--- /dev/null
+++ b/nixos/dnsmasq.nix
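Review bot: The `host = "cloudflare-dns.com"` fields only reach the system as resolved's `#servername` suffix, and resolved only uses that name when `DNSOverTLS=` is enabled; without it, and for the dnsmasq `server=` list in nixos/dnsmasq.nix (which takes `ns.address` only), upstream queries go out in plaintext and the host name has no effect. If verified DNS-over-TLS is the goal, enable it on the resolved hosts (for example `DNSOverTLS=opportunistic` via `services.resolved.extraConfig`, which this commit already uses); otherwise a comment like `# host is informational unless resolved DNSOverTLS= is enabled` avoids a false sense of protection. The enclosing `networking` attrset starts outside the hunk.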
@@ -0,0 +1,92 @@ +{ + config, + lib, + inputs, + ... +}: let + inherit (inputs.self.lib) generate; + inherit (lib.options) mkOption; + inherit (lib.modules) mkIf mkBefore mkDefault mkForce; + inherit (lib.attrsets) filterAttrs mapAttrsToList nameValuePair listToAttrs; + inherit (lib.lists) filter concatLists; + inherit (lib.strings) hasPrefix replaceStrings concatStringsSep; + inherit (lib.trivial) mapNullable; + cfg = config.services.dnsmasq; + mkHostRecordPairs = systemName: system: [ + (mkHostRecordPair "int" systemName system) + (mkHostRecordPair "local" systemName system) + #(mkHostRecordPair "tail" systemName system) + ]; + mapDynamic4 = replaceStrings [ "10.1.1." ] [ "0.0.0." ]; + mapDynamic6 = replaceStrings [ "fd0a::" ] [ "2001::" ]; + mkDynamicHostRecord = systemName: system: let + address4 = system.network.local.address4 or null; + address6 = system.network.local.address6 or null; + in concatStringsSep "," ([ + "${systemName}.${config.networking.domain}" + ] ++ lib.optional (address4 != null) + (toString (mapNullable mapDynamic4 address4)) + ++ lib.optional (address6 != null) + (toString (mapNullable mapDynamic6 address6)) + ++ lib.singleton + cfg.dynamic.interface + ); + mkHostRecordPair = network: systemName: system: let + address4 = system.network.${network}.address4 or null; + address6 = system.network.${network}.address6 or null; + in nameValuePair + "${systemName}.${network}.${config.networking.domain}" + (concatStringsSep "," ( + lib.optional (address4 != null) + (toString address4) + ++ lib.optional (address6 != null) + (toString address6) + )); + systemHosts = filterAttrs (_: value: value != "") ( + listToAttrs (concatLists (mapAttrsToList mkHostRecordPairs generate.reisen.systems)) + ); + mkHostRecord = name: record: "${name},${record}"; + filterns = ns: !hasPrefix "127.0.0" ns || ns == "::1"; + filterns' = ns: ns.enable && filterns ns.address; +in { + options.services.dnsmasq = with lib.types; { + resolveLocalQueries' = mkOption { + type = 
bool; + description = "add to resolv.conf, ignore the origin upstream option thanks"; + default = true; + }; + dynamic.interface = mkOption { + type = str; + default = "eth0"; + }; + }; + config = { + services.dnsmasq = { + enable = mkDefault true; + resolveLocalQueries = mkForce false; + settings = { + host-record = mapAttrsToList mkHostRecord systemHosts; + dynamic-host = mapAttrsToList mkDynamicHostRecord generate.reisen.systems; + server = + if config.networking.nameservers' != [ ] then map (ns: ns.address) (filter filterns' config.networking.nameservers') + else filter filterns config.networking.nameservers + ; + max-cache-ttl = 60; + }; + }; + services.resolved = mkIf cfg.enable { + extraConfig = '' + DNSStubListener=no + ''; + }; + networking = mkIf cfg.enable { + firewall = { + interfaces.local.allowedTCPPorts = [ 53 ]; + interfaces.local.allowedUDPPorts = [ 53 ]; + }; + nameservers' = mkIf cfg.resolveLocalQueries' (mkBefore [ + { address = "127.0.0.1"; } + ]); + }; + }; +} diff --git a/nixos/reisen-ct/network.nix b/nixos/reisen-ct/network.nix index 7f70a392..8bf2f251 100644 --- a/nixos/reisen-ct/network.nix +++ b/nixos/reisen-ct/network.nix @@ -1,11 +1,13 @@ { lib, config, + inputs, options, meta, + access, ... }: let - inherit (lib.modules) mkIf; + inherit (lib.modules) mkIf mkBefore; in { imports = let inherit (meta) nixos; @@ -24,6 +26,9 @@ in { linkConfig.Multicast = true; networkConfig.MulticastDNS = true; }; + networking.nameservers' = mkIf (!config.services.dnsmasq.enable && config.networking.hostName != "utsuho" && config.networking.hostName != "ct") (mkBefore [ + { address = access.getAddressFor "utsuho" "lan"; } + ]); boot.kernel.sysctl = { # not sure how to get it to overlap with subgid/idmap... diff --git a/nixos/zigbee2mqtt.nix b/nixos/zigbee2mqtt.nix index b28fde8d..69978951 100644 --- a/nixos/zigbee2mqtt.nix +++ b/nixos/zigbee2mqtt.nix 
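Review bot: `filterns = ns: !hasPrefix "127.0.0" ns || ns == "::1";` keeps `::1` rather than excluding it: `!hasPrefix "127.0.0" "::1"` is already true, so the `||` branch never changes the result. The intent reads as dropping both loopback forms so dnsmasq never lists itself as its own upstream; write it as `filterns = ns: !(hasPrefix "127.0.0" ns || ns == "::1");`. `mapDynamic4`/`mapDynamic6` rewrite the `10.1.1.` and `fd0a::` prefixes literally, so a `local.address4`/`address6` outside those ranges is handed to `dynamic-host` unchanged; a comment naming the assumed local subnets would keep that assumption visible. Opening port 53 only on `interfaces.local` is the right scope for this resolver.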
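Review bot: The utsuho resolver is prepended with `mkBefore` to a list that still ends with the public Cloudflare servers from nixos/base/network.nix, so resolved sees them all as servers for the link and can fail over to Cloudflare when utsuho is slow or down; at that point the `.int.`/`.local.` host records served by dnsmasq stop resolving and internal names are sent to the public resolver. If these containers are meant to use utsuho exclusively, replace the list (`mkForce`) instead of prepending, or keep Cloudflare out of the base list for hosts that get an internal resolver. `systems/freeipa/ens18.nmconnection` (`dns=10.1.1.38;1.1.1.1;1.0.0.1;`) and `systems/freeipa/resolved.conf` mix the two in the same way. The `hostName != "utsuho"` test looks redundant with `!config.services.dnsmasq.enable` now that utsuho imports nixos.dnsmasq, but that only holds while its dnsmasq stays enabled.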
@@ -46,4 +46,8 @@ in {
 services.udev.extraRules = mkIf cfg.enable ''
 SUBSYSTEM=="tty", ATTRS{interface}=="Sonoff Zigbee 3.0 USB Dongle Plus", OWNER="zigbee2mqtt", SYMLINK+="ttyZigbee"
 '';
+
+ networking.firewall.interfaces.local.allowedTCPPorts = mkIf cfg.enable [
+ cfg.settings.frontend.port
+ ];
 }
diff --git a/systems/freeipa/default.nix b/systems/freeipa/default.nix
index 9e4a72c3..4b3c3a4e 100644
--- a/systems/freeipa/default.nix
+++ b/systems/freeipa/default.nix
@@ -16,6 +16,10 @@ _: {
 };
 };
 extern.files = {
+ "/etc/systemd/resolved.conf" = {
+ source = ./resolved.conf;
+ mode = "0644";
+ };
 "/etc/NetworkManager/system-connections/ens18.nmconnection" = {
 source = ./ens18.nmconnection;
 mode = "0600";
diff --git a/systems/freeipa/ens18.nmconnection b/systems/freeipa/ens18.nmconnection
index 3ae17a73..856b5a6b 100644
--- a/systems/freeipa/ens18.nmconnection
+++ b/systems/freeipa/ens18.nmconnection
@@ -10,7 +10,7 @@ timestamp=1706677871
 [ipv4]
 address1=10.1.1.46/24,10.1.1.1
-dns=1.1.1.1;
+dns=10.1.1.38;1.1.1.1;1.0.0.1;
 method=manual
 [ipv6]
diff --git a/systems/freeipa/int.nmconnection b/systems/freeipa/int.nmconnection
index b47d6dc3..c3573197 100644
--- a/systems/freeipa/int.nmconnection
+++ b/systems/freeipa/int.nmconnection
@@ -4,6 +4,7 @@ type=ethernet
 interface-name=ens19
 [ipv4]
 address1=10.9.1.170/24
+dns=10.9.1.76;
 may-fail=true
 method=manual
 [ipv6]
diff --git a/systems/freeipa/resolved.conf b/systems/freeipa/resolved.conf
new file mode 100644
index 00000000..58432733
--- /dev/null
+++ b/systems/freeipa/resolved.conf
@@ -0,0 +1,2 @@
+[Resolve]
+DNS=fd0c::4c 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix
index 84074150..56b40ad5 100644
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
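Review bot: `networking.firewall.interfaces.local.allowedTCPPorts = mkIf cfg.enable [ cfg.settings.frontend.port ]` exposes the zigbee2mqtt web frontend to every host on the local interface, while systems/hakurei/nixos.nix in the same commit fronts it with nginx (`ssl.cert.enable = true`), so direct access bypasses whatever the proxy enforces. If only the proxy needs to reach it, scope the rule to that source (an nftables `ip saddr` condition, as modules/nixos/access.nix does) or gate it on the frontend having its own authentication configured. A one-line comment stating who is expected to connect directly would document the choice either way. The rule also forces `cfg.settings.frontend.port` whenever `cfg.enable` is set, so a configuration with the frontend left unset may fail at evaluation rather than simply not opening a port.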
@@ -84,6 +84,7 @@ in { domain = config.networking.fqdn; extraDomainNames = [ access.hostnameForNetwork.local + access.hostnameForNetwork.int (mkIf config.services.tailscale.enable access.hostnameForNetwork.tail) ]; }; @@ -201,14 +202,16 @@ in { services.nginx = let inherit (nginx) access; + #inherit (config.lib.access) getHostnameFor; + getHostnameFor = config.lib.access.getAddress4For; in { vouch.enableLocal = false; access.plex = assert plex.enable; { - url = "http://${mediabox.lib.access.hostnameForNetwork.local}:${toString plex.port}"; + url = "http://${getHostnameFor "mediabox" "lan"}:${toString plex.port}"; externalPort = 41324; }; access.unifi = assert unifi.enable; { - host = utsuho.lib.access.hostnameForNetwork.local; + host = getHostnameFor "utsuho" "lan"; }; access.freeipa = { host = "idp.local.${config.networking.domain}"; @@ -232,7 +235,7 @@ in { inherit (keycloak.services) vouch-proxy; in assert vouch-proxy.enable; { ssl.cert.enable = true; - locations."/".proxyPass = "http://${keycloak.lib.access.hostnameForNetwork.local}:${toString vouch-proxy.settings.vouch.port}"; + locations."/".proxyPass = "http://${getHostnameFor "keycloak" "lan"}:${toString vouch-proxy.settings.vouch.port}"; }; vouch'local = let vouch-proxy = config.services.vouch-proxy; 
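Review bot: `access.hostnameForNetwork.int` is added to `extraDomainNames` without a guard, and modules/system/access.nix defines `hostnameForNetwork.int` only under `mkIf hasInt`, so this line fails evaluation on a build where hakurei has no internal interface (`.local` is always defined, which is why it was safe). Mirror the tailscale entry: `(mkIf (access.hostnameForNetwork ? int) access.hostnameForNetwork.int)`. If this certificate is issued by a public CA, the internal host name also becomes visible in Certificate Transparency logs, which is usually fine for a private domain but should be a deliberate choice.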
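Review bot: `getHostnameFor = config.lib.access.getAddress4For;` binds an address getter under the name `getHostnameFor`, so every `getHostnameFor "mediabox" "lan"` below actually yields a raw IPv4 address; with the real `getHostnameFor` left commented out, the name misleads the next reader. Name it for what it returns, `getAddressFor = config.lib.access.getAddress4For;`, and update the call sites, or keep the hostname getter and fix whatever made it unusable (a comment on the commented-out line saying why would help). Proxying by address also sidesteps the `.int.`/`.local.` host records this commit adds to dnsmasq, so the two resolution paths can disagree if an address changes. The `services.nginx = let` binding continues past the hunk.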
@@ -250,25 +253,25 @@ in { # not the real hass record-holder, so don't respond globally.. local.denyGlobal = true; ssl.cert.enable = true; - locations."/".proxyPass = "http://${tei.lib.access.hostnameForNetwork.tail}:${toString home-assistant.config.http.server_port}"; + locations."/".proxyPass = "http://${getHostnameFor "tei" "lan"}:${toString home-assistant.config.http.server_port}"; }; zigbee2mqtt = assert zigbee2mqtt.enable; { # not the real z2m record-holder, so don't respond globally.. local.denyGlobal = true; ssl.cert.enable = true; - locations."/".proxyPass = "http://${tei.lib.access.hostnameForNetwork.tail}:${toString zigbee2mqtt.settings.frontend.port}"; + locations."/".proxyPass = "http://${getHostnameFor "tei" "lan"}:${toString zigbee2mqtt.settings.frontend.port}"; }; grocy = { # not the real grocy record-holder, so don't respond globally.. local.denyGlobal = true; ssl.cert.enable = true; - locations."/".proxyPass = "http://${tei.lib.access.hostnameForNetwork.tail}"; + locations."/".proxyPass = "http://${getHostnameFor "tei" "lan"}"; }; barcodebuddy = { # not the real bbuddy record-holder, so don't respond globally.. local.denyGlobal = true; ssl.cert.enable = true; - locations."/".proxyPass = "http://${tei.lib.access.hostnameForNetwork.tail}"; + locations."/".proxyPass = "http://${getHostnameFor "tei" "lan"}"; }; freepbx = { ssl.cert.enable = true; @@ -283,7 +286,7 @@ in { ssl.cert.enable = true; }; invidious'int = { - locations."/".proxyPass = "http://${mediabox.lib.access.hostnameForNetwork.local}:${toString mediabox.services.invidious.port}"; + locations."/".proxyPass = "http://${getHostnameFor "mediabox" "lan"}:${toString mediabox.services.invidious.port}"; }; }; }; diff --git a/systems/tei/cloudflared.nix b/systems/tei/cloudflared.nix index f0834d5a..f00c8c38 100644 --- a/systems/tei/cloudflared.nix +++ b/systems/tei/cloudflared.nix 
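Review bot: These proxy hops now travel in the clear on the lan segment instead of inside the tailscale tunnel: `locations."/".proxyPass` for home-assistant, zigbee2mqtt, grocy and barcodebuddy switch from `tei.lib.access.hostnameForNetwork.tail` to `getHostnameFor "tei" "lan"`, all over plain `http://`. If tail was chosen for its encryption rather than for reachability, that is a change in transport security for these services and deserves a line in the commit message or a comment above `vouch'local`; if the lan path is intended, it is worth confirming the services' own authentication, since with `local.denyGlobal = true` the proxy only adds TLS on the client side. The same substitution is made for `invidious'int` in the next hunk. `vouch'local` begins before this hunk.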
@@ -14,10 +14,10 @@ accessHostFor = {
 hostName,
 system ? nixosFor hostName,
- access ? "local",
+ network ? "lan",
 ...
 }: let
- host = system.lib.access.hostnameForNetwork.${access} or (throw "unsupported access ${access}");
+ host = access.getHostnameFor hostName network;
 in
 if hostName == config.networking.hostName
 then "localhost"
diff --git a/systems/utsuho/nixos.nix b/systems/utsuho/nixos.nix
index 144ba833..da104994 100644
--- a/systems/utsuho/nixos.nix
+++ b/systems/utsuho/nixos.nix
@@ -12,6 +12,7 @@ in {
 nixos.nginx
 nixos.access.unifi
 nixos.unifi
+ nixos.dnsmasq
 ];
 services.cloudflared = let
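Review bot: `host = access.getHostnameFor hostName network;` refers to a bare `access` after the parameter of that name was renamed to `network`; unless `access` is among this module's function arguments (nixos/reisen-ct/network.nix adds it explicitly in this commit), it is an undefined variable inside `accessHostFor`. If it is the module argument, note that callers still passing `access = "tail"` now fall into `...`, are silently ignored, and get `"lan"` instead of the old `throw "unsupported access …"`, so the call sites should be checked for the old name. The module's argument list lies outside the hunk.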