nix-config/systems/x86_64-linux/jallen-nas/services.nix
mjallen18 f856076452 stuffs
2026-02-02 19:33:04 -06:00


{
  config,
  lib,
  pkgs,
  ...
}:
let
  # Each application gets a database owned by a role of the same name.
  pgApps = [
    "authentik"
    "homeassistant"
    "nextcloud"
    "onlyoffice"
    "synapse"
  ];
in
{
  # Do not hold up boot waiting for network-online (neither in the initrd nor later).
  systemd.network.wait-online.enable = false;
  boot.initrd.systemd.network.wait-online.enable = false;

  # Host firewall backend is nftables.
  networking.nftables.enable = true;
  # Make tailscaled program nftables directly rather than via the iptables
  # compatibility layer, which misbehaves on nftables-only systems.
  systemd.services.tailscaled.serviceConfig.Environment = [
    "TS_DEBUG_FIREWALL_MODE=nftables"
  ];

  services.tailscale = {
    enable = true;
    openFirewall = true;
    useRoutingFeatures = "server";
    # Passed to `tailscale up`: act as exit node, advertise the LAN subnet,
    # keep the local resolver instead of MagicDNS.
    extraUpFlags = [
      "--advertise-exit-node"
      "--accept-dns=false"
      "--advertise-routes=10.0.1.0/24"
      "--hostname=jallen-nas"
    ];
    # Re-applied through `tailscale set` on every start.
    extraSetFlags = [
      "--advertise-exit-node"
      "--hostname=jallen-nas"
      "--webclient"
    ];
    # authKeyFile = "/media/nas/main/nix-app-data/tailscale/auth";
  };

  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_16;
    enableTCPIP = true;
    dataDir = "/media/nas/main/databases/postgresql";
    ensureDatabases = pgApps;
    ensureUsers = map (name: {
      inherit name;
      ensureDBOwnership = true;
    }) pgApps;
    # mkForce (priority 50) replaces the module's default pg_hba.conf outright.
    # Every row uses METHOD "trust": no password or other credential is checked,
    # so any client able to reach the socket or the listed address range connects
    # as that role. The authentik role is only matched by the `local all all` row.
    # NOTE(review): the onlyoffice host row admits all of 10.88.0.0/24, not a
    # single host — confirm that is the intended client range.
    authentication = lib.mkForce ''
      # TYPE DATABASE USER ADDRESS METHOD
      local all all trust
      host homeassistant homeassistant 10.0.1.0/24 trust
      local nextcloud nextcloud trust
      host nextcloud nextcloud 10.0.1.0/24 trust
      host nextcloud nextcloud ::1/128 trust
      local onlyoffice onlyoffice trust
      host onlyoffice onlyoffice 10.88.0.0/24 trust
      local synapse synapse trust
      host synapse synapse ::1/128 trust
    '';
  };

  services.redis.servers = {
    # Per-application instances on distinct ports; no explicit bind, so the
    # module's default listen address applies.
    authentik = {
      enable = true;
      port = 6379;
    };
    manyfold = {
      enable = true;
      port = 6380;
    };
    onlyoffice = {
      enable = true;
      port = 6381;
    };
    # Deliberately reachable from other hosts: bound on every interface, port
    # opened in the firewall, Redis protected mode switched off. Nothing in this
    # file sets requirePass, so clients that reach the port are not authenticated here.
    ccache = {
      enable = true;
      port = 6363;
      bind = "0.0.0.0";
      openFirewall = true;
      extraParams = [ "--protected-mode no" ];
    };
  };
}