diff --git a/flake.nix b/flake.nix
index 500ef39..0fd5913 100644
--- a/flake.nix
+++ b/flake.nix
@@ -29,6 +29,7 @@
 inherit system;
 config = {
 allowUnfree = true;
+ nvidia.acceptLicense = true;
 };
 overlays = [
 nur.overlays.default
diff --git a/src/system/machines/desktop/system.nix b/src/system/machines/desktop/system.nix
index ba97169..f0d0539 100644
--- a/src/system/machines/desktop/system.nix
+++ b/src/system/machines/desktop/system.nix
@@ -94,7 +94,24 @@ in
 enable = true;
 allowedTCPPorts = [ 22 80 443 ];
 };
- nameservers = [ "192.168.0.154" ];
+ };
+
+ services.dnsmasq = {
+ enable = true;
+ settings = {
+ # Explicit subdomains -> local server
+ address = [
+ "/git.ramos.codes/192.168.0.154"
+ "/ln.ramos.codes/192.168.0.154"
+ "/photos.ramos.codes/192.168.0.154"
+ "/test.ramos.codes/192.168.0.154"
+ "/electrum.ramos.codes/192.168.0.154"
+ "/immich.ramos.codes/192.168.0.154"
+ "/forgejo.ramos.codes/192.168.0.154"
+ "/frigate.ramos.codes/192.168.0.154"
+ ];
+ server = [ "192.168.0.1" ];
+ };
 };
 services = {
diff --git a/src/system/machines/server/system.nix b/src/system/machines/server/system.nix
index 20feaed..5278443 100644
--- a/src/system/machines/server/system.nix
+++ b/src/system/machines/server/system.nix
@@ -102,12 +102,19 @@
 networking = {
 hostName = "server";
 useDHCP = false;
- interfaces.eno1 = {
+ interfaces.enp2s0f0 = {
 ipv4.addresses = [{
 address = "192.168.0.154";
 prefixLength = 24;
 }];
 };
+ # Camera network - isolated, no gateway
+ interfaces.enp2s0f1 = {
+ ipv4.addresses = [{
+ address = "192.168.1.1";
+ prefixLength = 24;
+ }];
+ };
 defaultGateway = "192.168.0.1";
 nameservers = [ "1.1.1.1" "8.8.8.8" ];
 firewall = {
@@ -131,6 +138,12 @@
 "8.8.8.8"
 ];
 cache-size = 1000;
+
+ # Camera network DHCP (isolated - no gateway = no internet)
+ interface = "enp2s0f1";
+ bind-interfaces = true;
+ dhcp-range = "192.168.1.100,192.168.1.200,24h";
+ # No gateway option = cameras can't route to internet
 };
 };
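Review bot: `services.dnsmasq` on the desktop sets neither `listen-address` nor `interface`, so dnsmasq binds every interface and will answer queries from the LAN rather than only from this host; the firewall in the same hunk opens only TCP 22/80/443, which keeps UDP 53 closed, but a loopback-only resolver should not depend on that. Adding `listen-address = "127.0.0.1"; bind-interfaces = true;` inside `settings` pins it to localhost. The removed `nameservers` line presumably relies on the NixOS dnsmasq module's `resolveLocalQueries` default to point this host at 127.0.0.1, which is worth a one-line comment. The eight `address` entries all target the same host; dnsmasq accepts several domains in one entry (`"/git.ramos.codes/ln.ramos.codes/192.168.0.154"` and so on), which makes the split-horizon list easier to audit without turning it into a catch-all. The enclosing `networking` block starts before the hunk.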
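Review bot: The `firewall = {` block that begins on the hunk's last line (and continues outside it) is not scoped per interface, so whatever `allowedTCPPorts` it opens is reachable from the camera segment on enp2s0f1 as well as from the LAN; cameras are usually the least trusted devices on a network and should only see the services they need. NixOS supports `networking.firewall.interfaces.<name>.allowedTCPPorts` / `allowedUDPPorts`, so the LAN-facing ports can move under `interfaces.enp2s0f0` and enp2s0f1 can be limited to DHCP and DNS (`networking.firewall.interfaces.enp2s0f1.allowedUDPPorts = [ 53 67 ];`); presumably the server pulls camera streams itself, which is outbound and needs no opening. "isolated" also presumes the server does not forward between the two NICs; if anything else on the host enables IP forwarding (container runtimes commonly do), a forward-drop rule or `boot.kernel.sysctl."net.ipv4.conf.enp2s0f1.forwarding" = false;` makes the isolation explicit rather than incidental.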
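Review bot: The comment `# No gateway option = cameras can't route to internet` does not match dnsmasq's default behaviour: when no router option is configured, dnsmasq sends DHCP option 3 set to its own address, so clients on enp2s0f1 will be handed 192.168.1.1 as their default gateway. To actually withhold the router option, add `dhcp-option = [ "3" ];` next to `dhcp-range` (an option given with no value suppresses the default one). Whether a client that has that route can reach anything then depends on the server's forwarding and firewall configuration, which is outside this hunk; the same assumption appears in the `# Camera network - isolated, no gateway` comment of the first hunk in this file. Separately, dnsmasq will also serve DNS on the camera segment and forward to the upstream `1.1.1.1`/`8.8.8.8` shown in the context lines, so name resolution is not isolated even if routing is; if that is unintended, keep port 53 closed on enp2s0f1 in the firewall.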
diff --git a/src/system/machines/workstation/hardware.nix b/src/system/machines/workstation/hardware.nix
index 65039d1..1ee4de9 100644
--- a/src/system/machines/workstation/hardware.nix
+++ b/src/system/machines/workstation/hardware.nix
@@ -80,13 +80,19 @@
 enable = true;
 enable32Bit = true;
 };
+
 nvidia = {
 open = false;
 powerManagement.enable = false;
 powerManagement.finegrained = false;
 modesetting.enable = true;
 nvidiaSettings = true;
- package = config.boot.kernelPackages.nvidiaPackages.stable;
+ package = config.boot.kernelPackages.nvidiaPackages.mkDriver {
+ version = "550.120";
+ sha256_64bit = "sha256-gBkoJ0dTzM52JwmOoHjMNwcN2uBN46oIRZHAX8cDVpc=";
+ settingsSha256 = "sha256-fPfIPwpIijoUpNlAUt9C8EeXR5In633qnlelL+btGbU=";
+ persistencedSha256 = lib.fakeSha256;
+ };
 };
 };
diff --git a/src/system/modules/bitcoin/config/bitcoin.conf b/src/system/modules/bitcoin/config/bitcoin.conf
index 756bfc1..d3ed9eb 100644
--- a/src/system/modules/bitcoin/config/bitcoin.conf
+++ b/src/system/modules/bitcoin/config/bitcoin.conf
@@ -16,3 +16,5 @@
 listenonion=1
 torcontrol=127.0.0.1:9051
 txindex=1
+
+ dbcache=1024
diff --git a/src/system/modules/forgejo/default.nix b/src/system/modules/forgejo/default.nix
index e68256c..a4dcc42 100644
--- a/src/system/modules/forgejo/default.nix
+++ b/src/system/modules/forgejo/default.nix
@@ -52,6 +52,7 @@ in
 APP_SLOGAN = "";
 };
+ service.REQUIRE_SIGNIN_VIEW = false;
 server = {
 DOMAIN = "git.${domain}";
 ROOT_URL = "https://git.${domain}/";
diff --git a/src/system/modules/nginx/default.nix b/src/system/modules/nginx/default.nix
index 6db9d51..7f508f0 100644
--- a/src/system/modules/nginx/default.nix
+++ b/src/system/modules/nginx/default.nix
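Review bot: `persistencedSha256 = lib.fakeSha256;` needs a comment saying it is a deliberate placeholder: the fixed-output fetch for nvidia-persistenced will fail hash verification if that component is ever built, which is the safe failure mode but will surprise whoever next enables persistenced. Something like `# nvidia-persistenced is not used; placeholder hash fails closed if it is ever built.` above the line is enough. Pinning `550.120` by content hash is good for reproducibility, but it also detaches the driver from nixpkgs updates, so the pin should carry a note on why it exists and when it is reviewed, since an unattended pin of a proprietary kernel module is a supply-chain liability in the other direction. The enclosing `hardware` block starts outside the hunk and closes with the two context `};` lines at its end.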
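Review bot: `service.REQUIRE_SIGNIN_VIEW = false;` leaves every public repository and the explore/user listings readable without an account; together with the sslh change in this same commit, which exposes 443 to whatever the firewall admits, that is anonymous read access from outside the LAN, not just inside it. That is a legitimate choice for a public instance, but it should sit next to an explicit `service.DISABLE_REGISTRATION = true;` (not visible in this hunk, so confirm it is set elsewhere in `settings`) and a short comment stating the intent, e.g. `# Anonymous browsing of public repos is intentional; self-registration stays disabled.`. As far as I know `false` is also Forgejo's default for this key, so the line documents rather than changes behaviour unless the module sets it otherwise. The `settings` block containing this line starts and ends outside the hunk.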
@@ -28,12 +28,25 @@ in
 };
 };
+ services.sslh = {
+ enable = true;
+ listenAddresses = [ "0.0.0.0" ];
+ port = 443;
+ settings = {
+ protocols = [
+ { name = "ssh"; host = "127.0.0.1"; port = "22"; }
+ { name = "tls"; host = "127.0.0.1"; port = "4443"; }
+ ];
+ };
+ };
+
 services.nginx = {
 enable = true;
 recommendedTlsSettings = true;
 recommendedOptimisation = true;
 recommendedGzipSettings = true;
 eventsConfig = "worker_connections 4096;";
+ defaultSSLListenPort = 4443;
 # Catch-all default - friendly error for unknown subdomains
 virtualHosts."_" = {
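Review bot: Once sslh demultiplexes 443 to `127.0.0.1:22` and `127.0.0.1:4443`, both sshd and nginx see every external client as 127.0.0.1; sshd `Match Address` rules, fail2ban-style lockouts and the auth log lose the real source address, and nginx access logs and any per-IP rate limits do too. sslh's transparent mode (with the policy-routing rules it requires) preserves the peer address for both backends; if that is not wanted, at least record the trade-off above `services.sslh`, e.g. `# NOTE: backends see 127.0.0.1 as the peer; SSH and nginx logs are not source-attributable through sslh.`. `listenAddresses = [ "0.0.0.0" ]` is IPv4-only, so if the host has a reachable IPv6 address, 443 over v6 is not fronted by sslh and nginx no longer listens there either. `defaultSSLListenPort = 4443` changes the port but not the bind address, so nginx's TLS listener is on all interfaces and relies on the firewall to stay internal. The `services.nginx` block continues past the end of the hunk.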