-rw-r--r-- | .projectile | 1 | ||||
-rw-r--r-- | configurations/manwe/default.nix | 5 | ||||
-rw-r--r-- | configurations/melian/default.nix | 4 | ||||
-rw-r--r-- | flake.lock | 90 | ||||
-rw-r--r-- | flake.nix | 18 | ||||
-rw-r--r-- | lib/my.nix | 12 | ||||
-rw-r--r-- | modules/nixfiles/alertmanager.nix | 19 | ||||
-rw-r--r-- | modules/nixfiles/common/users.nix | 4 | ||||
-rw-r--r-- | modules/nixfiles/grafana.nix | 9 | ||||
-rw-r--r-- | modules/nixfiles/loki.nix | 12 | ||||
-rw-r--r-- | modules/nixfiles/monitoring.nix | 47 | ||||
-rw-r--r-- | modules/nixfiles/nsd.nix | 5 | ||||
-rw-r--r-- | modules/nixfiles/profiles/dev/containers/default.nix | 1 | ||||
-rw-r--r-- | modules/nixfiles/prometheus.nix | 14 | ||||
-rw-r--r-- | modules/nixfiles/promtail.nix | 2 | ||||
-rw-r--r-- | modules/nixfiles/radicale.nix | 9 | ||||
-rw-r--r-- | modules/nixfiles/syncthing.nix | 25 | ||||
-rw-r--r-- | modules/nixfiles/wireguard.nix | 2 |
18 files changed, 117 insertions, 162 deletions
diff --git a/.projectile b/.projectile new file mode 100644 index 0000000..f8da25c --- /dev/null +++ b/.projectile @@ -0,0 +1 @@ +-/secrets diff --git a/configurations/manwe/default.nix b/configurations/manwe/default.nix index 50acacd..1adc93d 100644 --- a/configurations/manwe/default.nix +++ b/configurations/manwe/default.nix @@ -84,10 +84,7 @@ with lib; { job_name = "postgres"; static_configs = [ { - targets = with postgres; [ - "${manwe.hostname}:${toString port}" - "${varda.hostname}:${toString port}" - ]; + targets = with postgres; ["${manwe.hostname}:${toString port}"]; } ]; } diff --git a/configurations/melian/default.nix b/configurations/melian/default.nix index 2f3da98..cde109d 100644 --- a/configurations/melian/default.nix +++ b/configurations/melian/default.nix @@ -43,7 +43,6 @@ with lib; { key = syncthing-key-melian.path; cert = syncthing-cert-melian.path; }; - # ipfs.enable = true; # High CPU usage is really anoying. beets.enable = true; bluetooth.enable = true; @@ -55,6 +54,8 @@ with lib; { throttled.enable = true; }; + # TODO Move to a separate module so that it could be reused on other desktops + # in the future. hm = { home.packages = with pkgs; [ (aspellWithDicts (p: with p; [en ru])) @@ -68,7 +69,6 @@ with lib; { accounts.email = { maildirBasePath = "${config.my.home}/mail"; - # TODO Move to my.nix. accounts = let base = { mbsync = { diff --git a/flake.lock b/flake.lock index f7141a2..635a820 100644 --- a/flake.lock +++ b/flake.lock 
@@ -21,29 +21,6 @@ "type": "github" } }, - "alertmanager-gotify": { - "inputs": { - "flake-utils": [ - "flake-utils" - ], - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1638488371, - "narHash": "sha256-WTzMc8W0+U7ifcaiwejFjnDNoBoK+CcaV6VIBLK3BrI=", - "ref": "refs/heads/master", - "rev": "b752ae3ca5974ab5a2d19a59c2e2960faeff699c", - "revCount": 35, - "type": "git", - "url": "https://git.mbosch.me/ma27/alertmanager-gotify" - }, - "original": { - "type": "git", - "url": "https://git.mbosch.me/ma27/alertmanager-gotify" - } - }, "azahi-cc": { "flake": false, "locked": { @@ -111,11 +88,11 @@ ] }, "locked": { - "lastModified": 1659379767, - "narHash": "sha256-cfcutZL9YBqx2uTRfeLpic6baU/nwLlsp/hMnL/boDA=", + "lastModified": 1660360969, + "narHash": "sha256-Ta1Bi+QQjVpWn3fLK6ivXxPOOQ/r26N94AZ8GrvVQR8=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "e911c43b99c7b9c94ee408c38b0c6e2c6a01132e", + "rev": "e8ea1c440e46dcf900428543438c5fc5c0ea56e0", "type": "github" }, "original": { @@ -128,11 +105,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1641205782, - "narHash": "sha256-4jY7RCWUoZ9cKD8co0/4tFARpWB+57+r1bLLvXNJliY=", + "lastModified": 1627913399, + "narHash": "sha256-hY8g6H2KFL8ownSiFeMOjwPC8P0ueXpCVEbxgda3pko=", "owner": "edolstra", "repo": "flake-compat", - "rev": "b7547d3eed6f32d06102ead8991ec52ab0a4f1a7", + "rev": "12c64ca55c1014cdc1b16ed5a804aa8576601ff2", "type": "github" }, "original": { @@ -161,11 +138,11 @@ }, "flake-utils": { "locked": { - "lastModified": 1656928814, - "narHash": "sha256-RIFfgBuKz6Hp89yRr7+NR5tzIAbn52h8vT6vXkYjZoM=", + "lastModified": 1659877975, + "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", "owner": "numtide", "repo": "flake-utils", - "rev": "7e2a3b3dfd9af950a856d66b0a7d01e3c18aa249", + "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", "type": "github" }, "original": { 
@@ -185,11 +162,11 @@ ] }, "locked": { - "lastModified": 1659398318, - "narHash": "sha256-5wovS14I/DNXwfiMP402Ut2kxI58CO1wD943fboWMDw=", + "lastModified": 1660330190, + "narHash": "sha256-RgQUtZGmdb9fRkdBcI8x1KYuykbQCBaeY6ejFls7hFM=", "owner": "nix-community", "repo": "home-manager", - "rev": "77648a07e459adff69b2c4033a77b2cababb5843", + "rev": "8675cfa549e1240c9d2abb1c878bc427eefcf926", "type": "github" }, "original": { @@ -201,11 +178,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1659356074, - "narHash": "sha256-UwV6hZZEtchvtiTCCD/ODEv1226eam8kEgEyQb7xB0E=", + "lastModified": 1660291411, + "narHash": "sha256-9UfJMJeCl+T/DrOJMd1vLCoV8U3V7f9Qrv/QyH0Nn28=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "ea3efc80f8ab83cb73aec39f4e76fe87afb15a08", + "rev": "78f56d8ec2c67a1f80f2de649ca9aadc284f65b6", "type": "github" }, "original": { @@ -217,11 +194,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1659254610, - "narHash": "sha256-ee5W5MLWZ3kdx5hwOUs6trOJit+GeTDfG+Lg3rANKoc=", + "lastModified": 1660346639, + "narHash": "sha256-yh3woFPLemwCaF6HGQz/KkdtPRnf9LBwvbZgr0HbVe0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "67f49b2a3854e8b5e3f9df4422225daa0985f451", + "rev": "b4110fd26e92b7ee8cf689aaea53c822fe63e206", "type": "github" }, "original": { @@ -233,11 +210,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1659395920, - "narHash": "sha256-Am1N2FK8KJWpEg5Opt7xefw5YDRYmalWF8keybhx3pc=", + "lastModified": 1660378486, + "narHash": "sha256-z8ZklIj1ZHHULAUrQiTEzlJe8gy9y36QWzl7qS/UQDw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ec9cb32147fbd46a4082cb119d274a0990caa390", + "rev": "c0b0e767f42387b7776642e4c6f8dc545865cd30", "type": "github" }, "original": { 
@@ -249,11 +226,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1659392573, - "narHash": "sha256-YHeOH+cypoB3ZCz7Dnh8/Nolrl2ZMSLsth2U3h+WqJ4=", + "lastModified": 1660370028, + "narHash": "sha256-UeN6M0/109T/3DrFIWbGWJkcB8Gqm8l5L1EekgbUMy0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "760d3360f77eca32cc0cdfea403e89285d82a048", + "rev": "15e66dc65d28652bb9f0ef361506548578713cfd", "type": "github" }, "original": { @@ -299,11 +276,11 @@ }, "nur": { "locked": { - "lastModified": 1659378417, - "narHash": "sha256-76cfWXqX2Yh8+BZYIM7ZyI7o/SfNTdz49bgT4UjGnhI=", + "lastModified": 1660370241, + "narHash": "sha256-PibpRNYYp6euRs47eVeBNzwfjNEWu6eYyG6KdEbWXco=", "owner": "nix-community", "repo": "NUR", - "rev": "b7b48e67de148d87c3a0b798977a45eacbaac3d0", + "rev": "62ddc6406ffcc7a9755f4bc0b1476fd3c6fe671c", "type": "github" }, "original": { @@ -323,11 +300,11 @@ ] }, "locked": { - "lastModified": 1658611562, - "narHash": "sha256-jktQ3mRrFAiFzzmVxQXh+8IxZOEE4hfr7St3ncXeVy4=", + "lastModified": 1659629599, + "narHash": "sha256-c9rvaqaH3HZo/C70E7rB18YSywa4ryTtN7CZ3cuCmoA=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "f436e6dbc10bb3500775785072a40eefe057b18e", + "rev": "6a9402e8f233de16536349d1dd3f4595c23386a4", "type": "github" }, "original": { @@ -340,7 +317,6 @@ "root": { "inputs": { "agenix": "agenix", - "alertmanager-gotify": "alertmanager-gotify", "azahi-cc": "azahi-cc", "dns-nix": "dns-nix", "emacs-overlay": "emacs-overlay", @@ -373,11 +349,11 @@ ] }, "locked": { - "lastModified": 1655930346, - "narHash": "sha256-ht56HHOzEhjeIgAv5ZNFjSVX/in1YlUs0HG9c1EUXTM=", + "lastModified": 1658267644, + "narHash": "sha256-NJRe1rnlF112eZwxNASlRL8/ghwD8g+lpHIYRkWQxC8=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "f535d8123c4761b2ed8138f3d202ea710a334a1d", + "rev": "004c229ca44c069d93c92abf67ff1619fb508c6a", "type": "gitlab" }, "original": { diff --git a/flake.nix b/flake.nix index 5f1ad07..e107c93 100644 --- a/flake.nix 
+++ b/flake.nix @@ -86,14 +86,15 @@ }; }; - alertmanager-gotify = { - type = "git"; - url = "https://git.mbosch.me/ma27/alertmanager-gotify"; - inputs = { - flake-utils.follows = "flake-utils"; - nixpkgs.follows = "nixpkgs"; - }; - }; + # TODO Integrate into Altertmanager. + # alertmanager-gotify = { + # type = "git"; + # url = "https://git.mbosch.me/ma27/alertmanager-gotify"; + # inputs = { + # flake-utils.follows = "flake-utils"; + # nixpkgs.follows = "nixpkgs"; + # }; + # }; flake-utils = { type = "github"; @@ -180,6 +181,7 @@ overlays = [self.overlays.default]; }; in { + # TODO Add the rest of `self.overlay`. packages.default = pkgs.nixfiles.override { nixfilesSrc = "."; }; diff --git a/lib/my.nix b/lib/my.nix index f7c4141..165074b 100644 --- a/lib/my.nix +++ b/lib/my.nix @@ -70,6 +70,13 @@ with lib; }; }; + # TODO Automate filling of this from the NSD service module. + # Right now I need to copy domain defenitions from there to here + # manually. + # + # Something like taking `config.services.nsd.zones[$domain]` and + # filtering for actual subdomains. We can remove this option + # altogether then. domains = mkOption { description = "External domains that resovle to this address."; type = listOf str; @@ -128,10 +135,13 @@ with lib; publicKey = "[REDACTED]"; }; domains = with my.domain; [ + "alertmanager.${shire}" "frodo.${rohan}" "frodo.${gondor}" "gotify.${shire}" - "monitoring.${shire}" + "grafana.${shire}" + "loki.${shire}" + "prometheus.${shire}" azahi rohan gondor diff --git a/modules/nixfiles/alertmanager.nix b/modules/nixfiles/alertmanager.nix index e067cd1..d903ee3 100644 --- a/modules/nixfiles/alertmanager.nix +++ b/modules/nixfiles/alertmanager.nix 
@@ -18,21 +18,15 @@ in { domain = mkOption { description = "Domain name sans protocol scheme."; type = with types; nullOr str; - default = config.nixfiles.modules.monitoring.domain; - }; - - path = mkOption { - description = "Path."; - type = with types; str; - default = "/alertmanager"; + default = "alertmanager.${config.networking.domain}"; }; }; config = mkIf cfg.enable { nixfiles.modules.nginx = with cfg; { enable = true; - virtualHosts.${cfg.domain}.locations.${path} = { - proxyPass = "http://127.0.0.1:${toString port}${path}"; + virtualHosts.${cfg.domain}.locations."/" = { + proxyPass = "http://127.0.0.1:${toString port}"; extraConfig = '' if ($internal != 1) { return 403; @@ -50,13 +44,8 @@ in { listenAddress = "127.0.0.1"; inherit (cfg) port; - extraFlags = [ - "--web.external-url=http${ - optionalString acme "s" - }://${cfg.domain}${cfg.path}" - ]; + extraFlags = ["--web.external-url=https://${cfg.domain}"]; - # TODO Make an option. configuration = { global = { smtp_from = "alertmanager@${my.domain.shire}"; diff --git a/modules/nixfiles/common/users.nix b/modules/nixfiles/common/users.nix index 0878db6..c761f55 100644 --- a/modules/nixfiles/common/users.nix +++ b/modules/nixfiles/common/users.nix @@ -6,12 +6,16 @@ with lib; { mutableUsers = false; users = { + # This will unset the root password so that it would be impossible to + # login as it directory. The root user will still be accessable via + # `sudo`. root.hashedPassword = "[REDACTED]"; ${my.username} = { isNormalUser = true; uid = 1000; description = my.fullname; + # TODO Consider switching to passwordFile inherit (my) hashedPassword; openssh.authorizedKeys.keys = [my.ssh.key]; extraGroups = ["wheel"]; diff --git a/modules/nixfiles/grafana.nix b/modules/nixfiles/grafana.nix index 4340f04..c2954bd 100644 --- a/modules/nixfiles/grafana.nix +++ b/modules/nixfiles/grafana.nix 
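Review bot: `domain` in alertmanager.nix keeps the type `nullOr str` although it now has a non-null default and is used as an attribute name in `virtualHosts.${cfg.domain}` and interpolated into `--web.external-url`, so setting it to `null` would abort evaluation with a coercion error rather than a clear message. The Loki and Prometheus modules in this commit declare the same option as `str`; matching them with `type = with types; str;` makes the contract explicit. grafana.nix has the same `nullOr str` on its `domain` option.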
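Review bot: The new comment on `root.hashedPassword` in users.nix says the value "unsets" the root password, which reads as the opposite of the intent: in NixOS an empty `hashedPassword` permits login with no password, while a value such as `!` locks password login. The actual value is redacted on this page, so it cannot be checked here; the comment should say which it is, for example `# Lock root's password so root cannot log in directly; root stays reachable via sudo.`, which also fixes "directory" and "accessable". On the TODO below it, `inherit (my) hashedPassword;` keeps the user's hash in the repository and in the world-readable Nix store, so moving to `passwordFile` backed by the agenix secrets this flake already uses is worth doing rather than considering. The `users` attribute set continues outside the hunk.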
@@ -19,7 +19,7 @@ in { domain = mkOption { description = "Domain name sans protocol scheme."; type = with types; nullOr str; - default = null; + default = "grafana.${config.networking.domain}"; }; }; @@ -40,7 +40,10 @@ in { nixfiles.modules = { nginx = { enable = true; - virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://127.0.0.1:${toString cfg.port}"; + virtualHosts.${cfg.domain}.locations."/" = { + proxyPass = "http://127.0.0.1:${toString cfg.port}"; + proxyWebsockets = true; + }; }; postgresql.enable = true; }; @@ -68,6 +71,8 @@ in { secretKeyFile = grafana-key.path; adminPasswordFile = grafana-admin-password.path; }; + + extraOptions.LOG_LEVEL = "warn"; }; postgresql = { diff --git a/modules/nixfiles/loki.nix b/modules/nixfiles/loki.nix index 27217bd..c1dc136 100644 --- a/modules/nixfiles/loki.nix +++ b/modules/nixfiles/loki.nix @@ -8,7 +8,6 @@ with lib; let cfg = config.nixfiles.modules.loki; in { options.nixfiles.modules.loki = { - # TODO Figure out why this shit refuses to work with my configuraiton. enable = mkEnableOption "Whether to enable Loki."; port = mkOption { @@ -20,20 +19,14 @@ in { domain = mkOption { description = "Domain name sans protocol scheme."; type = with types; str; - default = config.nixfiles.modules.monitoring.domain; - }; - - path = mkOption { - description = "Path."; - type = with types; str; - default = "/loki"; + default = "loki.${config.networking.domain}"; }; }; config = mkIf cfg.enable { nixfiles.modules.nginx = with cfg; { enable = true; - virtualHosts.${domain}.locations.${path} = { + virtualHosts.${domain}.locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; extraConfig = '' if ($internal != 1) { @@ -52,7 +45,6 @@ in { server = rec { http_listen_address = "127.0.0.1"; http_listen_port = cfg.port; - http_path_prefix = cfg.path; grpc_listen_address = "127.0.0.1"; grpc_listen_port = http_listen_port + 1; 
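Review bot: Grafana's `locations."/"` in grafana.nix is now the only vhost of the monitoring stack without the `if ($internal != 1) { return 403; }` guard that the Alertmanager, Loki and Prometheus modules carry and that this commit adds to Radicale, and the same commit gives it its own name, `grafana.${config.networking.domain}`. If Grafana is meant to be reachable from outside, Grafana's own login is the only barrier and the block deserves a comment saying so, e.g. `# Deliberately public; access control is Grafana's own authentication.`. If it is not, add the same `extraConfig` guard next to `proxyWebsockets = true;`. The surrounding `nginx` block continues outside this hunk.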
diff --git a/modules/nixfiles/monitoring.nix b/modules/nixfiles/monitoring.nix index 6db74d4..ceb40d0 100644 --- a/modules/nixfiles/monitoring.nix +++ b/modules/nixfiles/monitoring.nix @@ -7,39 +7,19 @@ with lib; let cfg = config.nixfiles.modules.monitoring; in { - options.nixfiles.modules.monitoring = { - enable = mkEnableOption '' - Whether to enable custom monitoring stack. + options.nixfiles.modules.monitoring.enable = mkEnableOption '' + Whether to enable custom monitoring stack. - Currently this configures and enables Grafana, Loki, Prometheus and - Alertmanager. - ''; - - domain = mkOption { - description = "Domain name sans protocol scheme."; - type = with types; nullOr str; - default = "monitoring.${config.networking.domain}"; - }; - }; + Currently this configures and enables Grafana, Loki, Prometheus and + Alertmanager. + ''; config = mkIf cfg.enable { nixfiles.modules = { - grafana = { - enable = true; - inherit (cfg) domain; - }; - loki = { - enable = true; - inherit (cfg) domain; - }; - prometheus = { - enable = true; - inherit (cfg) domain; - }; - alertmanager = { - enable = true; - inherit (cfg) domain; - }; + grafana.enable = true; + loki.enable = true; + prometheus.enable = true; + alertmanager.enable = true; }; services = { @@ -50,14 +30,14 @@ in { name = "Prometheus"; type = "prometheus"; access = "proxy"; - url = with prometheus; "https://${domain}${path}"; + url = "https://${prometheus.domain}"; isDefault = true; } { name = "Loki"; type = "loki"; access = "proxy"; - url = with loki; "https://${domain}${path}"; + url = "https://${loki.domain}"; } ]; # TODO Move dashboards to this repository. 
@@ -100,13 +80,12 @@ in { ]; }; - loki.configuration.ruler.alertmanager_url = with config.nixfiles.modules.alertmanager; "https://${domain}${path}"; + loki.configuration.ruler.alertmanager_url = "https://${config.nixfiles.modules.alertmanager.domain}"; prometheus.alertmanagers = [ { scheme = "https"; - path_prefix = config.nixfiles.modules.alertmanager.path; - static_configs = [{targets = [cfg.domain];}]; + static_configs = [{targets = [config.nixfiles.modules.alertmanager.domain];}]; } ]; }; diff --git a/modules/nixfiles/nsd.nix b/modules/nixfiles/nsd.nix index f328b5c..c8ed44b 100644 --- a/modules/nixfiles/nsd.nix +++ b/modules/nixfiles/nsd.nix @@ -99,9 +99,12 @@ in { ns1 = manwe; # ns2 = varda; + alertmanager = manwe; flood = yavanna; gotify = manwe; - monitoring = manwe; + grafana = manwe; + loki = manwe; + prometheus = manwe; radicale = varda; rss-bridge = varda; vaultwarden = varda; diff --git a/modules/nixfiles/profiles/dev/containers/default.nix b/modules/nixfiles/profiles/dev/containers/default.nix index d0e7ed7..3196654 100644 --- a/modules/nixfiles/profiles/dev/containers/default.nix +++ b/modules/nixfiles/profiles/dev/containers/default.nix @@ -26,6 +26,7 @@ in { WERF_LOG_PRETTY = "false"; WERF_LOG_VERBOSE = "true"; WERF_SYNCHRONIZATION = ":local"; + WERF_TELEMETRY = 0; }; file.".minikube/config/config.json".text = generators.toJSON {} { diff --git a/modules/nixfiles/prometheus.nix b/modules/nixfiles/prometheus.nix index b67dd2e..96e74f7 100644 --- a/modules/nixfiles/prometheus.nix +++ b/modules/nixfiles/prometheus.nix 
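Review bot: Alert delivery now depends on the nginx `$internal` guard letting the local services through: `loki.configuration.ruler.alertmanager_url` and the `prometheus.alertmanagers` target both point at `https://<alertmanager domain>`, and the Alertmanager vhost in this commit returns 403 unless `$internal` is 1. How `$internal` is computed is not visible on this page, so it should be confirmed that a request from the host to its own public name counts as internal; a 403 there loses alerts unless notification errors are themselves watched. Because Alertmanager listens on 127.0.0.1 on the same host, targeting it directly avoids the proxy, e.g. `scheme = "http";` with `static_configs = [{targets = ["127.0.0.1:${toString config.nixfiles.modules.alertmanager.port}"];}];`. The Grafana datasource URLs in the previous hunk take the same route through nginx.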
@@ -18,20 +18,14 @@ in { domain = mkOption { description = "Domain name sans protocol scheme."; type = with types; str; - default = config.nixfiles.modules.monitoring.domain; - }; - - path = mkOption { - description = "Path."; - type = with types; str; - default = "/prometheus"; + default = "prometheus.${config.networking.domain}"; }; }; config = mkIf cfg.enable { nixfiles.modules.nginx = with cfg; { enable = true; - virtualHosts.${domain}.locations.${path} = { + virtualHosts.${domain}.locations."/" = { proxyPass = with cfg; "http://127.0.0.1:${toString port}"; extraConfig = '' if ($internal != 1) { @@ -48,9 +42,7 @@ in { inherit port; extraFlags = [ - "--web.external-url=http${ - optionalString config.nixfiles.modules.acme.enable "s" - }://${domain}${path}" + "--web.external-url=https://${domain}" "--storage.tsdb.retention.size=50GB" "--storage.tsdb.retention.time=1y" "--storage.tsdb.wal-compression" diff --git a/modules/nixfiles/promtail.nix b/modules/nixfiles/promtail.nix index ba4e635..e3d7428 100644 --- a/modules/nixfiles/promtail.nix +++ b/modules/nixfiles/promtail.nix @@ -14,7 +14,7 @@ in { url = mkOption { description = "Address of a listening Loki service."; type = with types; str; - default = with config.nixfiles.modules.loki; "https://${domain}${path}"; + default = "https://${config.nixfiles.modules.loki.domain}"; }; }; }; diff --git a/modules/nixfiles/radicale.nix b/modules/nixfiles/radicale.nix index 8286be1..ed1fc4f 100644 --- a/modules/nixfiles/radicale.nix +++ b/modules/nixfiles/radicale.nix @@ -29,7 +29,14 @@ in { nixfiles.modules.nginx = { enable = true; - virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://127.0.0.1:${toString port}"; + virtualHosts.${cfg.domain}.locations."/" = { + proxyPass = "http://127.0.0.1:${toString port}"; + extraConfig = '' + if ($internal != 1) { + return 403; + } + ''; + }; }; services.radicale = { diff --git a/modules/nixfiles/syncthing.nix b/modules/nixfiles/syncthing.nix index 5a973cc..44465d9 100644 
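Review bot: The guard added in radicale.nix is the fourth copy of `if ($internal != 1) { return 403; }` (Alertmanager, Loki and Prometheus carry the same text), so the access policy now lives in four places and a later change that misses one copy leaves that vhost with a different rule. Defining the snippet once, next to wherever `$internal` itself is declared, and referencing it from each module's `extraConfig` would keep them in step. Since `$internal` is declared outside this page, a comment above the block would help the next reader: `# Only clients matched by $internal (declared elsewhere) may reach Radicale; everyone else gets 403.`.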
--- a/modules/nixfiles/syncthing.nix +++ b/modules/nixfiles/syncthing.nix @@ -17,14 +17,14 @@ in { default = "syncthing.${config.networking.fqdn}"; }; - # TODO Make this simpler. + # TODO Set this automatically shire on the hostname. cert = mkOption { description = "Path to the cert file."; type = with types; nullOr string; default = null; }; - # TODO Make this simpler. + # TODO Set this automatically shire on the hostname. key = mkOption { description = "Path to the key file."; type = with types; nullOr string; @@ -84,21 +84,14 @@ in { }; trashcan = { type = "trashcan"; - params.cleanoutDays = "30"; - }; - void = { - type = "external"; - params.versionPath = with pkgs; - writeShellScriptBin "backup" '' - ${coreutils-full}/bin/rm -rf $1/$2 - ''; + params.cleanoutDays = "7"; }; in with config.hm.xdg.userDirs; { share = { path = publicShare; devices = notHeadless; - versioning = void; + versioning = trashcan; }; pass = { path = @@ -124,7 +117,7 @@ in { vidya = { path = "${documents}/vidya"; devices = notOther; - versioning = void; + versioning = trashcan; }; }; @@ -134,9 +127,13 @@ in { insecureSkipHostcheck = this.isHeadless; }; options = { - # Only local discovery is used over VPN. - globalAnnounceEnabled = false; + autoUpgradeIntervalH = 0; + crashReportingEnabled = false; + globalAnnounceEnabled = false; # We don't need that with Wireguard. relaysEnabled = false; + setLowPriority = this.isHeadless; + stunKeepaliveMinS = 0; + stunKeepaliveStartS = 0; urAccepted = -1; }; }; diff --git a/modules/nixfiles/wireguard.nix b/modules/nixfiles/wireguard.nix index 1da3e74..e35d0ee 100644 --- a/modules/nixfiles/wireguard.nix +++ b/modules/nixfiles/wireguard.nix @@ -9,7 +9,7 @@ with lib; let cfg = config.nixfiles.modules.wireguard; in { options.nixfiles.modules.wireguard = { - # TODO Make this simpler. + # TODO Set this automatically shire on the hostname. privateKeyFile = mkOption { description = "Path to the private key file."; type = with types; nullOr string; |
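Review bot: The rewritten TODO in the first syncthing.nix hunk, `# TODO Set this automatically shire on the hostname.`, does not parse as a sentence; it looks as if a search-and-replace caught a word (presumably "based"). The same text is added above `key` in this hunk and above `privateKeyFile` in wireguard.nix. Suggested wording for all three: `# TODO Derive this path automatically from the hostname.`. While these options are being touched, `nullOr string` on the context lines uses the deprecated `types.string`; the other modules in this commit use `str`.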