Archived as I cannot be assed to fix my IPv6 routing issues from the Fedora IoT vm on my Firewall.
- direnv: Update environment per working directory.
- podman: A tool for managing OCI containers and pods with native systemd integration.
- renovate: Universal dependency automation tool.
- sops: Manage secrets which are commited to Git using Age for encryption.
- task: A task runner / simpler Make alternative written in Go.
-
Install required system deps and reboot
sudo rpm-ostree install --idempotent --assumeyes git go-task sudo systemctl reboot
-
Make a new SSH key, add it to GitHub and clone your repo
export GITHUB_USER="onedr0p" curl https://github.com/$GITHUB_USER.keys > ~/.ssh/authorized_keys sudo install -d -o $(logname) -g $(logname) -m 755 /var/opt/home-service git clone git@github.com:$GITHUB_USER/home-service.git /var/opt/home-service/.
-
Install additional system deps and reboot
cd /var/opt/home-service go-task deps sudo systemctl reboot
-
Create an Age public/private key pair for use with sops
age-keygen -o /var/opt/home-service/age.key
Note
I am using ipvlan to expose most containers on their own IP addresses on the same network as this here device, the available addresses are mentioned in the --ip-range
flag below. Beware of IP addressing and interface names.
-
Create the podman
containernet
networksudo podman network create \ --driver=ipvlan \ --ipam-driver=host-local \ --subnet=192.168.1.0/24 \ --gateway=192.168.1.1 \ --ip-range=192.168.1.121-192.168.1.149 \ containernet
-
Setup the currently used interface with
systemd-networkd
📍 Setting the DNS server to a container used on this system might make dragons appear 🐉.
sudo bash -c 'cat << EOF > /etc/systemd/network/enp1s0.network [Match] Name = enp1s0 [Network] DHCP = yes DNS = 1.1.1.1 DNS = 1.0.0.1 IPVLAN = containernet [DHCPv4] UseDNS = false'
-
Setup
containernet
withsystemd-networkd
sudo bash -c 'cat << EOF > /etc/systemd/network/containernet.netdev [NetDev] Name = containernet Kind = ipvlan' sudo bash -c 'cat << EOF > /etc/systemd/network/containernet.network [Match] Name = containernet [Network] IPForward = yes Address = 192.168.1.120/24'
-
Disable
networkmanager
, the enable and startsystemd-networkd
sudo systemctl disable --now NetworkManager sudo systemctl enable systemd-networkd sudo systemctl start systemd-networkd
Tip
To encrypt files with sops replace the public key in the .sops.yaml
file with your Age public key. The format should look similar to the one already present.
View the apps directory for documentation on configuring an app container used here, or setup your own by reviewing the structure of this repository.
Using the included Taskfile there are helper commands to start, stop, restart containers and more. Run the command below to view all available tasks.
go-task --list
Tip
🐟 fish is awesome, you should try fish!
chsh -s /usr/bin/fish
# IMPORTANT: Log out and log back in
go-task dotfiles
Tip
⌚ You can also update /etc/chrony.conf
with custom NTP servers.
sudo sed -i 's/^#allow .*/allow all/g' /etc/chrony.conf
sudo systemctl restart chronyd
sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
sudo systemctl reboot
sudo systemctl disable --now firewalld.service
Name | Subnet | DHCP range | ARP reserved |
---|---|---|---|
LAN | 192.168.1.0/24 | 150-254 | 120-149 |
TRUSTED | 192.168.10.0/24 | 150-254 | - |
SERVERS | 192.168.42.0/24 | 150-254 | 120-149 |
GUESTS | 192.168.50.0/24 | 150-254 | - |
IOT | 192.168.70.0/24 | 150-254 | - |
WIREGUARD | 192.168.80.0/28 | - | - |
- bjw-s/nix-config: NixOS driven configuration for running a home service machine, a nas or nix-darwin using deploy-rs and home-manager.
- truxnell/nix-config: NixOS driven configuration for running your entire homelab.
- joryirving/home-service: Docker-compose implementation of this repository.