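{ pkgs, ... }:
{
  # Do not block boot on network-online, neither in the initrd nor in the
  # main system.
  systemd.network.wait-online.enable = false;
  boot.initrd.systemd.network.wait-online.enable = false;

  # This is an nftables-only host. Make tailscaled program nftables directly
  # instead of going through the iptables-compat translation layer, which
  # misbehaves on clean nftables systems.
  networking.nftables.enable = true;
  systemd.services.tailscaled.serviceConfig.Environment = [
    "TS_DEBUG_FIREWALL_MODE=nftables"
  ];

  services = {
    tailscale = {
      enable = true;
      # Opens only tailscaled's own UDP port in the host firewall.
      openFirewall = true;
      # Needed for IP forwarding when acting as exit node / subnet router.
      useRoutingFeatures = "server";
      extraUpFlags = [
        "--advertise-exit-node"
        "--accept-dns=false"
        # Exposes the LAN to tailnet peers; anything reachable on 10.0.1.0/24
        # is therefore reachable from every approved tailnet device.
        "--advertise-routes=10.0.1.0/24"
        "--hostname=jallen-nas"
      ];
      extraSetFlags = [
        "--advertise-exit-node"
        "--hostname=jallen-nas"
        # NOTE(review): enables the node's web UI for tailnet peers; remove if
        # it is not actually used.
        "--webclient"
      ];
      # authKeyFile = "/media/nas/main/nix-app-data/tailscale/auth";
    };

    postgresql = {
      enable = true;
      package = pkgs.postgresql_16;
      # enableTCPIP makes the server listen on all interfaces, so every
      # `host` rule below is reachable from the LAN, not just localhost.
      enableTCPIP = true;
      dataDir = "/media/nas/main/nix-app-data/postgresql";
      ensureDatabases = [
        "authentik"
        "homeassistant"
        "nextcloud"
        "onlyoffice"
        "synapse"
      ];
      ensureUsers = [
        { name = "authentik";     ensureDBOwnership = true; }
        { name = "homeassistant"; ensureDBOwnership = true; }
        { name = "nextcloud";     ensureDBOwnership = true; }
        { name = "onlyoffice";    ensureDBOwnership = true; }
        { name = "synapse";       ensureDBOwnership = true; }
      ];
      # pg_hba.conf, replacing the module default entirely (mkOverride 50).
      #
      # Previously every rule used `trust`, i.e. no authentication at all:
      # any process on the host could connect as any role (including the
      # superuser), and any device on 10.0.1.0/24 or 10.88.0.0/24 could log in
      # as homeassistant/nextcloud/onlyoffice without a password. Unix-socket
      # logins now use `peer` (OS user must equal the role name) and TCP logins
      # use `scram-sha-256`.
      #
      # Rollout: ensureUsers does not set passwords, so set one for each role
      # that connects over TCP (`ALTER ROLE <name> PASSWORD '...'`, or via
      # services.postgresql.initialScript) and put it in the client's config
      # BEFORE deploying this, otherwise those clients lose access.
      #
      # pg_hba is first-match: the `local all all` line already covers every
      # socket login, so per-database `local` lines after it were dead rules
      # and have been dropped. 10.88.0.0/24 is assumed to be the container
      # network onlyoffice runs on -- TODO confirm.
      authentication = pkgs.lib.mkOverride 50 ''
        # TYPE  DATABASE       USER           ADDRESS        METHOD
        local   all            all                           peer
        host    homeassistant  homeassistant  10.0.1.0/24    scram-sha-256
        host    nextcloud      nextcloud      10.0.1.0/24    scram-sha-256
        host    nextcloud      nextcloud      ::1/128        scram-sha-256
        host    onlyoffice     onlyoffice     10.88.0.0/24   scram-sha-256
        host    synapse        synapse        ::1/128        scram-sha-256
      '';
    };

    redis = {
      servers = {
        # Loopback-only instances (module default bind is 127.0.0.1).
        authentik = {
          enable = true;
          port = 6379;
        };
        manyfold = {
          enable = true;
          port = 6380;
        };
        onlyoffice = {
          enable = true;
          port = 6381;
        };

        # Remote ccache storage: this instance is deliberately reachable from
        # other hosts, so it must authenticate clients. It used to run with
        # `--protected-mode no` and no password on 0.0.0.0 with the firewall
        # port open, i.e. anyone who could reach port 6363 had full read/write
        # access to the server.
        ccache = {
          enable = true;
          port = 6363;
          bind = "0.0.0.0";
          openFirewall = true;
          # Password read at service start. Create this file (mode 0600,
          # readable by the redis-ccache service user) following the existing
          # nix-app-data layout, and use redis://:<password>@host:6363 on the
          # ccache clients. Path chosen by review -- adjust to taste.
          requirePassFile = "/media/nas/main/nix-app-data/redis/ccache-password";
        };
      };
    };
  };
}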