nixos: few more fixes

14 files changed, 78 insertions, 53 deletions

diff --git a/flake.lock b/flake.lock
index 2bcba70..115aa8b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -256,11 +256,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1710783728,
-        "narHash": "sha256-eIsfu3c9JUBgm3cURSKTXLEI9Dlk1azo+MWKZVqrmkc=",
+        "lastModified": 1711352745,
+        "narHash": "sha256-luvqik+i3HTvCbXQZgB6uggvEcxI9uae0nmrgtXJ17U=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "1e679b9a9970780cd5d4dfe755a74a8f96d33388",
+        "rev": "9a763a7acc4cfbb8603bb0231fec3eda864f81c0",
         "type": "github"
       },
       "original": {
@@ -314,11 +314,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1710861126,
-        "narHash": "sha256-q8fiy9mgUvTAt2OMjiVpQgDlykyGury9Fpsm0jekBfY=",
+        "lastModified": 1711939449,
+        "narHash": "sha256-k8HBuawAk2hWNzNkCiGebbStq3opqnyV1RdHXXojxNg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "2dcadb7087e38314cebb15af65f8f2a15d2940cc",
+        "rev": "292a4d8fa11907f90eb2e9730b8cf2414f03bf58",
         "type": "github"
       },
       "original": {
@@ -432,11 +432,11 @@
     },
     "personal-secret": {
       "locked": {
-        "lastModified": 1710863858,
-        "narHash": "sha256-6qKqa5cdchvGSBGigs/K4VWVfITGdMudrKYw2Sc79wo=",
+        "lastModified": 1711963377,
+        "narHash": "sha256-0hTTeEEzK4ZhFmjfT4gVzliNlhfJFmugGuSFYCeUpq4=",
         "ref": "refs/heads/master",
-        "rev": "0306d300b34e6221230bb7886f077bb78997da3a",
-        "revCount": 101,
+        "rev": "a402800a9d82061610250f2f37aebd5694896c50",
+        "revCount": 104,
         "type": "git",
         "url": "ssh://git@cynerd.cz/nixos-personal-secret"
       },
@@ -697,11 +697,11 @@
     },
     "vpsadminos": {
       "locked": {
-        "lastModified": 1710509949,
-        "narHash": "sha256-U4rYEcV40x7VpZfeOw21cZFIZrh+bjxx2iYRtnCRfTc=",
+        "lastModified": 1711619904,
+        "narHash": "sha256-BVmRhYvidQAT5t63EzGKOCGRlhCrfjLjf1oz8BozBns=",
         "owner": "vpsfreecz",
         "repo": "vpsadminos",
-        "rev": "d61fad3eedeaae209870f3f8f4e65e996e778ad0",
+        "rev": "8c8eb700db5d18e07d167e048756135f877442d9",
         "type": "github"
       },
       "original": {
diff --git a/nixos/configurations/adm-omnia.nix b/nixos/configurations/adm-omnia.nix
index 3f857ee..672788a 100644
--- a/nixos/configurations/adm-omnia.nix
+++ b/nixos/configurations/adm-omnia.nix
@@ -12,7 +12,6 @@
       ar9287.interface = "wlp3s0";
       qca988x.interface = "wlp2s0";
     };
-    openvpn.oldpersonal = false;
     monitoring.speedtest = true;
   };
 
diff --git a/nixos/configurations/dean.nix b/nixos/configurations/dean.nix
index 44feaea..c903794 100644
--- a/nixos/configurations/dean.nix
+++ b/nixos/configurations/dean.nix
@@ -1,4 +1,10 @@
-{pkgs, ...}: {
+{
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit (lib) mkForce;
+in {
   turris.board = "mox";
   deploy.enable = true;
 
@@ -10,6 +16,11 @@
   networking = {
     useNetworkd = true;
     useDHCP = false;
+    nat = {
+      enable = true;
+      externalInterface = "brlan";
+      internalInterfaces = ["wg"];
+    };
   };
   systemd.network = {
     netdevs."brlab".netdevConfig = {
@@ -28,6 +39,7 @@
         matchConfig.Name = "lan* end0";
         networkConfig.Bridge = "brlan";
       };
+      "wg".networkConfig.IPForward = mkForce "yes";
     };
     # TODO investigate why it doesn't work
     wait-online.enable = false;
@@ -37,7 +49,4 @@
     #openocd
     tio
   ];
-
-  # TODO: ubootTools build is broken!
-  firmware.environment.enable = false;
 }
diff --git a/nixos/configurations/errol.nix b/nixos/configurations/errol.nix
index a9475ef..3f7ad8c 100644
--- a/nixos/configurations/errol.nix
+++ b/nixos/configurations/errol.nix
@@ -13,9 +13,7 @@ in {
     desktop.enable = true;
     develop = true;
     gaming = true;
-    openvpn = {
-      elektroline = true;
-    };
+    openvpn.elektroline = true;
   };
 
   boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "usb_storage"];
@@ -35,6 +33,11 @@ in {
       fsType = "btrfs";
       options = ["compress=lzo" "subvol=@nix"];
     };
+    "/nix" = {
+      device = "/dev/mapper/encroot";
+      fsType = "btrfs";
+      options = ["compress=lzo" "subvol=@nix-store"];
+    };
     "/home" = {
       device = "/dev/mapper/encroot";
       fsType = "btrfs";
diff --git a/nixos/configurations/lipwig.nix b/nixos/configurations/lipwig.nix
index 0eefe5f..2e5253d 100644
--- a/nixos/configurations/lipwig.nix
+++ b/nixos/configurations/lipwig.nix
@@ -33,7 +33,6 @@
     networking = {
       useNetworkd = true;
       useDHCP = false;
-      nftables.enable = true;
       firewall = {
         allowedTCPPorts = [80 443];
         allowedUDPPorts = [1194];
@@ -206,17 +205,17 @@
         passwords = pkgs.fetchNextcloudApp {
           url = "https://git.mdns.eu/api/v4/projects/45/packages/generic/passwords/2024.2.0/passwords.tar.gz";
           sha256 = "0s5z6pxkcwmhlbzy9s2g0s05n1iqjmxr2jqxz7ayklin9kcgr3h7";
-          license = "agpl3";
+          license = "gpl3";
         };
         integration_github = pkgs.fetchNextcloudApp {
           url = "https://github.com/nextcloud-releases/integration_github/releases/download/v2.0.6/integration_github-v2.0.6.tar.gz";
           sha256 = "0rjdlsalayb21nmh3j5bl42dcbavxka2r5g9csagz7vc9dl0qrw6";
-          license = "agpl3";
+          license = "gpl3";
         };
         integration_gitlab = pkgs.fetchNextcloudApp {
           url = "https://github.com/nextcloud-releases/integration_gitlab/releases/download/v1.0.18/integration_gitlab-v1.0.18.tar.gz";
           sha256 = "13vlbr7sigqrh480a9zp7zl9nbzb4pk8m1zzlqv9lkzj3zywp7mi";
-          license = "agpl3";
+          license = "gpl3";
         };
       };
     };
diff --git a/nixos/configurations/spt-omnia.nix b/nixos/configurations/spt-omnia.nix
index 8456368..22d9ecc 100644
--- a/nixos/configurations/spt-omnia.nix
+++ b/nixos/configurations/spt-omnia.nix
@@ -38,7 +38,6 @@ in {
       };
     };
     wireguard = true;
-    openvpn.oldpersonal = true;
     monitoring.speedtest = true;
   };
 
diff --git a/nixos/modules/develop.nix b/nixos/modules/develop.nix
index e5510c6..d07bc66 100644
--- a/nixos/modules/develop.nix
+++ b/nixos/modules/develop.nix
@@ -73,8 +73,13 @@ in {
           coverage
           mypy
 
+          scipy
+          sympy
+
           pygraphviz
           matplotlib
+          plotly
+          pygal
 
           python-gitlab
           PyGithub
diff --git a/nixos/modules/generic.nix b/nixos/modules/generic.nix
index e4ac094..97391b8 100644
--- a/nixos/modules/generic.nix
+++ b/nixos/modules/generic.nix
@@ -177,7 +177,10 @@ in {
         commands = ["ALL"];
       }
     ];
-    networking.dhcpcd.extraConfig = "controlgroup wheel";
+    networking = {
+      nftables.enable = true;
+      dhcpcd.extraConfig = "controlgroup wheel";
+    };
 
     services.openssh = {
       enable = true;
diff --git a/nixos/modules/home-assistant.nix b/nixos/modules/home-assistant.nix
index 769b1c7..ab16e8a 100644
--- a/nixos/modules/home-assistant.nix
+++ b/nixos/modules/home-assistant.nix
@@ -55,9 +55,10 @@ in {
       enable = true;
       device = "/dev/ttyUSB0";
       baseTopicPrefix = "bigclown/";
+      environmentFiles = ["/run/secrets/bigclown.env"];
       mqtt = {
         username = "bigclown";
-        keyfile = "/run/secrets/mqtt-bigclown.pass";
+        password = "\${MQTT_PASSWORD}";
       };
     };
 
diff --git a/nixos/modules/hosts.nix b/nixos/modules/hosts.nix
index 054098d..e7ad76b 100644
--- a/nixos/modules/hosts.nix
+++ b/nixos/modules/hosts.nix
@@ -30,12 +30,6 @@ in {
     cynerd.hosts = {
       vpn = {
         "lipwig" = "10.8.0.1";
-        # Portable
-        "binky" = "10.8.0.2";
-        "albert" = "10.8.0.3";
-        "android" = "10.8.0.6";
-        # Endpoints
-        "spt-omnia" = "10.8.0.50";
         "adm-omnia" = "10.8.0.51";
       };
       wg = {
@@ -79,10 +73,6 @@ in {
     networking.hosts = mkIf cnf.enable {
       # VPN
       "${cnf.vpn.lipwig}" = ["lipwig.vpn"];
-      "${cnf.vpn.android}" = ["android.vpn"];
-      "${cnf.vpn.albert}" = ["albert.vpn"];
-      "${cnf.vpn.binky}" = ["binky.vpn"];
-      "${cnf.vpn.spt-omnia}" = ["spt.vpn"];
       "${cnf.vpn.adm-omnia}" = ["adm.vpn"];
       # Wireguard
       "${cnf.wg.lipwig}" = ["lipwig.wg"];
diff --git a/nixos/modules/openvpn.nix b/nixos/modules/openvpn.nix
index d80dd9d..789d430 100644
--- a/nixos/modules/openvpn.nix
+++ b/nixos/modules/openvpn.nix
@@ -8,11 +8,6 @@
 in {
   options = {
     cynerd.openvpn = {
-      personal = mkOption {
-        type = types.bool;
-        default = false;
-        description = "My personal OpenVPN";
-      };
       oldpersonal = mkOption {
         type = types.bool;
         default = false;
@@ -28,9 +23,6 @@ in {
 
   config = {
     services.openvpn.servers = {
-      personal = mkIf cnf.personal {
-        config = "config /run/secrets/personal.ovpn";
-      };
       oldpersonal = mkIf cnf.oldpersonal {
         config = "config /run/secrets/old.ovpn";
       };
diff --git a/nixos/modules/router.nix b/nixos/modules/router.nix
index 3002d9b..c8b1283 100644
--- a/nixos/modules/router.nix
+++ b/nixos/modules/router.nix
@@ -50,7 +50,6 @@ in {
   config = mkIf cnf.enable {
     networking = {
       useNetworkd = true;
-      nftables.enable = true;
       firewall = {
         logRefusedConnections = false;
         interfaces = {
diff --git a/nixos/modules/switch.nix b/nixos/modules/switch.nix
index 669b6ab..37ac687 100644
--- a/nixos/modules/switch.nix
+++ b/nixos/modules/switch.nix
@@ -21,10 +21,7 @@ in {
   };
 
   config = mkIf cnf.enable {
-    networking = {
-      useNetworkd = true;
-      nftables.enable = true;
-    };
+    networking.useNetworkd = true;
 
     systemd.network = {
       netdevs = {
diff --git a/nixos/modules/wireguad.nix b/nixos/modules/wireguad.nix
index d96fc9e..ca28818 100644
--- a/nixos/modules/wireguad.nix
+++ b/nixos/modules/wireguad.nix
@@ -81,18 +81,47 @@ in {
           IPForward = is_endpoint;
         };
         routes =
-          (optional (hostName != "spt-omnia") {
+          (optional (hostName != "lipwig") {
+            # OpenVPN network
+            routeConfig = {
+              Gateway = config.cynerd.hosts.wg.lipwig;
+              Destination = "10.8.0.0/24";
+              Metric = 2048;
+            };
+          })
+          ++ (optional (hostName != "spt-omnia") {
+            # SPT network
             routeConfig = {
               Gateway = config.cynerd.hosts.wg.spt-omnia;
               Destination = "10.8.2.0/24";
+              Metric = 2048;
             };
           })
           ++ (optional (hostName != "adm-omnia" && hostName != "lipwig") {
+            # Adamkovi network
             routeConfig = {
               Gateway = config.cynerd.hosts.wg.adm-omnia;
               Destination = "10.8.3.0/24";
+              Metric = 2048;
             };
-          });
+          })
+          ++ (optionals (hostName != "dean") [
+            # Elektroline
+            {
+              routeConfig = {
+                Gateway = config.cynerd.hosts.wg.dean;
+                Destination = "10.0.0.0/22";
+                Metric = 2048;
+              };
+            }
+            {
+              routeConfig = {
+                Gateway = config.cynerd.hosts.wg.dean;
+                Destination = "10.0.20.0/24";
+                Metric = 2048;
+              };
+            }
+          ]);
       };
     };
     networking.firewall.allowedUDPPorts = [51820];