74 lines
1.4 KiB
Nix
74 lines
1.4 KiB
Nix
# Module: base/network
|
|
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
pkgsUnstable,
|
|
inputs,
|
|
options,
|
|
...
|
|
}:
|
|
|
|
with lib;
|
|
|
|
let
|
|
cfg = config.network;
|
|
in
|
|
{
|
|
options.network = {
|
|
enableMDNS = mkOption {
|
|
type = types.str;
|
|
default = "false";
|
|
description = "Enable Multicast DNS (mDNS), or sets resolve-only mode";
|
|
example = "resolve";
|
|
};
|
|
|
|
enableTSExitNode = {
|
|
type = types.bool;
|
|
default = false;
|
|
description = "Set up this host as a Tailscale exit node";
|
|
example = true;
|
|
};
|
|
};
|
|
|
|
config = {
|
|
environment.systemPackages = [
|
|
pkgs.chrony
|
|
];
|
|
|
|
services.tailscale = {
|
|
enable = true;
|
|
package = pkgsUnstable.tailscale;
|
|
useRoutingFeatures = mkIf enableTSExitNode "server";
|
|
extraSetFlags = mkIf enableTSExitNode [
|
|
"--advertise-exit-node"
|
|
];
|
|
};
|
|
|
|
# Firewall Configuration
|
|
networking.nftables.enable = true;
|
|
networking.firewall = {
|
|
enable = true;
|
|
allowedTCPPorts = [ 22 ];
|
|
allowedUDPPorts = [ config.services.tailscale.port ];
|
|
|
|
# allow traffic from tailscale network
|
|
trustedInterfaces = [ "tailscale0" ];
|
|
};
|
|
|
|
services.resolved = {
|
|
enable = true;
|
|
extraConfig = ''
|
|
MulticastDNS=${cfg.enableMDNS}
|
|
'';
|
|
dnsovertls = "false";
|
|
};
|
|
|
|
services.chrony = {
|
|
enable = true;
|
|
enableNTS = true;
|
|
serverOption = "iburst";
|
|
};
|
|
};
|
|
}
|