config: add more comments

2025-04-19 00:19:11 +00:00 · 2023-06-08 19:53:20 +08:00 · 2023-06-08 19:53:20 +08:00 · ab8ab4921c
commit ab8ab4921c
parent 29d990f33c
4 changed files with 10 additions and 3 deletions
--- a/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix
+++ b/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix
@ -86,6 +86,8 @@ in
      "20-lan" = with interfaces.internal; {
        matchConfig.Name = lib.concatStringsSep " " internalEthernetInterfaceNames;

+        # Take note of the private subnets set in your Hetzner Cloud instance
+        # (at least for IPv4 addresses)..
        address = [
          "${IPv4.address}/16"
          "${IPv6.address}/64"
@ -102,8 +104,10 @@ in
          "::1"
        ];

+        # Force our own internal domain to be used in the system.
        domains = [ config.networking.fqdn ];

+        # Use the gateway to enable resolution of external domains.
        gateway = [
          IPv4.gateway
          IPv6.gateway
--- a/hosts/plover/modules/services/coredns.nix
+++ b/hosts/plover/modules/services/coredns.nix
@ -73,8 +73,8 @@ in
  # Setting up the firewall to make less things to screw up in case anything is
  # screwed up.
  networking.firewall.extraInputRules = ''
-    meta l4proto {tcp, udp} th dport 53 ip saddr { ${lib.concatStringsSep ", " allowedIPs} } accept comment "Accept DNS queries from secondary nameservers"
-    meta l4proto {tcp, udp} th dport 53 ip6 saddr { ${lib.concatStringsSep ", " allowedIPv6s} } accept comment "Accept DNS queries from secondary nameservers"
+    meta l4proto {tcp, udp} th dport 53 ip saddr { ${lib.concatStringsSep ", " allowedIPs} } accept comment "Accept DNS queries from secondary nameservers and private networks"
+    meta l4proto {tcp, udp} th dport 53 ip6 saddr { ${lib.concatStringsSep ", " allowedIPv6s} } accept comment "Accept DNS queries from secondary nameservers and private networks"
  '';

  # The main DNS server.
--- a/hosts/plover/modules/services/keycloak.nix
+++ b/hosts/plover/modules/services/keycloak.nix
@ -12,7 +12,7 @@ let
  keycloakDbName = if config.services.keycloak.database.createLocally then keycloakUser else config.services.keycloak.database.username;

  certs = config.security.acme.certs;
-  host = "127.0.0.1";
+  host = "localhost";
 in
 {
  # Hey, the hub for your application sign-in.
--- a/hosts/plover/modules/services/wireguard.nix
+++ b/hosts/plover/modules/services/wireguard.nix
@ -27,6 +27,9 @@ in
    filterForward = true;
  };

+  # Since we're using systemd-networkd to configure interfaces, we can control
+  # how each interface can handle things such as IP masquerading so no need for
+  # modifying sysctl settings like 'ipv4.ip_forward' or similar.
  systemd.network = {
    wait-online.ignoredInterfaces = [ wireguardIFName ];