nixos/spt-omnia: update and fix

6 files changed, 142 insertions, 67 deletions

diff --git a/flake.lock b/flake.lock
index a88521c..2c4788f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -230,11 +230,11 @@
         "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1707918957,
-        "narHash": "sha256-6Ll9RRKKkR2UHReehRcM2kzhO6Rq9kOrRBwwSKgNIfY=",
+        "lastModified": 1708425420,
+        "narHash": "sha256-VCRZDSqxCHrbs46+OEu6MiCcPGpT/JTBvGAb6BjaqcU=",
         "ref": "refs/heads/master",
-        "rev": "710a24d16bde5f45a1c767ae870d534f5ddc774a",
-        "revCount": 3501,
+        "rev": "2082ee48503c3ebe376a9b4d23eb6bc33a54b6a6",
+        "revCount": 3512,
         "submodules": true,
         "type": "git",
         "url": "https://gitlab.elektroline.cz/elektroline/flatlineng.git"
@@ -426,11 +426,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1708057191,
-        "narHash": "sha256-O3M5EGAeKZdEzfFIjqah0d8M44A4QCSVwvkbz4cbC2s=",
+        "lastModified": 1708407374,
+        "narHash": "sha256-EECzarm+uqnNDCwaGg/ppXCO11qibZ1iigORShkkDf0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "5e55f0bb65124b05d0a52e164514c03596023634",
+        "rev": "f33dd27a47ebdf11dc8a5eb05e7c8fbdaf89e73f",
         "type": "github"
       },
       "original": {
@@ -440,11 +440,11 @@
     },
     "nixpkgs_5": {
       "locked": {
-        "lastModified": 1708103068,
-        "narHash": "sha256-A3Itq2swJOJ9+RzcmHEA8Tpd8opWAVin3GchouNR8uk=",
+        "lastModified": 1708405701,
+        "narHash": "sha256-E78TXiZiR9irWdYAVltRxZPJ+pMxXPU5PjHwqq6XLtI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "607312f76ac46232b6f690748ff0383a2249af05",
+        "rev": "fa15b53dbea5028db38d6e09b4cef6eba42aeebb",
         "type": "github"
       },
       "original": {
@@ -515,11 +515,11 @@
         "nixpkgs": "nixpkgs_6"
       },
       "locked": {
-        "lastModified": 1707903116,
-        "narHash": "sha256-GXCQCsOP8D6mpPDUDJCyhyfUFFq/SfFxDS0ZS5Qg+0k=",
+        "lastModified": 1708186608,
+        "narHash": "sha256-yDIbHSKSyXRWOknzpwZ/dLAa9PjSk5CibwN0nrJEFFk=",
         "owner": "cynerd",
         "repo": "nixturris",
-        "rev": "8551fe9cd3bbf60c0ae8a6835291e3e1bc07280c",
+        "rev": "a446cb11256ae77161384af2451875eb63c19d4d",
         "type": "gitlab"
       },
       "original": {
@@ -530,11 +530,11 @@
     },
     "personal-secret": {
       "locked": {
-        "lastModified": 1708111656,
-        "narHash": "sha256-GXPsF79NePyUy4VoQIzU4gQNNcIqpvsimjV+4Mzqq+I=",
+        "lastModified": 1708459156,
+        "narHash": "sha256-NrEpPIdAceJVeQHKSF2blD++e8FfxPBzWILXsoW8qoc=",
         "ref": "refs/heads/master",
-        "rev": "37ce5a6415fd787fb272f52f30b4cb6a2976f096",
-        "revCount": 88,
+        "rev": "24d085ef420ab7f3186f969f58f70f62c4bd743b",
+        "revCount": 93,
         "type": "git",
         "url": "ssh://git@cynerd.cz/nixos-personal-secret"
       },
@@ -626,11 +626,11 @@
         "nixpkgs": "nixpkgs_11"
       },
       "locked": {
-        "lastModified": 1706904066,
-        "narHash": "sha256-w0rCOahhT991M+QWdEfhwb88B/juXTr66iauNu2w48s=",
+        "lastModified": 1708357912,
+        "narHash": "sha256-+eDr/7AdOiwA63hSVkFgWx37kc+bqg+YVajLYxJC7ro=",
         "ref": "refs/heads/master",
-        "rev": "fa91bbe409a899c8db86de565bf8d7cbba3dba9c",
-        "revCount": 432,
+        "rev": "76601ce0137feeb6bd69432963cb36b12e42f407",
+        "revCount": 434,
         "submodules": true,
         "type": "git",
         "url": "https://github.com/silicon-heaven/shvspy.git"
@@ -812,11 +812,11 @@
     },
     "vpsadminos": {
       "locked": {
-        "lastModified": 1708015534,
-        "narHash": "sha256-IB+aVK43i5/+F3vAlR8UcasviCz1xSUaBC5JNXBD5RM=",
+        "lastModified": 1708364097,
+        "narHash": "sha256-7VYZ9Y7lEtiDQPritENiiIzGTWk4GDrAOqqJFZjwZPg=",
         "owner": "vpsfreecz",
         "repo": "vpsadminos",
-        "rev": "4f2f74ded6a6b1b9de6d45918dbe53073b9561c2",
+        "rev": "b9956bd62059d06114d4368dedd24777fa75f126",
         "type": "github"
       },
       "original": {
diff --git a/nixos/machine/spt-omnia.nix b/nixos/machine/spt-omnia.nix
index ac4ebdf..f2ea4f0 100644
--- a/nixos/machine/spt-omnia.nix
+++ b/nixos/machine/spt-omnia.nix
@@ -14,26 +14,89 @@ in {
         lanIP = hosts.omnia;
         staticLeases = {
           "a8:a1:59:10:32:c4" = hosts.errol;
+          "7c:b0:c2:bb:9c:ca" = hosts.albert;
           "4c:d5:77:0d:85:d9" = hosts.binky;
+          "b8:27:eb:57:a2:31" = hosts.mpd;
+          "74:bf:c0:42:82:19" = hosts.printer;
         };
       };
       wifiAP.spt = {
         enable = true;
         ar9287 = {
-          interface = "wlp3s0";
-          bssids = ["04:f0:21:23:16:64" "08:f0:21:23:16:64"];
-          channel = 13;
+          interface = "wlp1s0";
+          bssids = ["04:f0:21:24:21:93" "08:f0:21:24:21:93"];
+          channel = 11;
         };
         qca988x = {
-          interface = "wlp2s0";
-          bssids = ["04:f0:21:24:21:93" "08:f0:21:24:21:93"];
+          interface = "wlp3s0";
+          bssids = ["04:f0:21:23:16:64" "08:f0:21:23:16:64"];
           channel = 36;
         };
       };
-      #openvpn.oldpersonal = true;
+      openvpn.oldpersonal = true;
       monitoring.speedtest = true;
     };
 
+    environment = {
+      etc.crypttab.text = ''
+        nas UUID=3472bef9-cbae-48bd-873e-fd4858a0b72f /run/secrets/luks-spt-omnia-nas.key luks
+        nassec UUID=016e9e75-bbc8-4b24-8bb7-c800c8f6a500 /run/secrets/luks-spt-omnia-nas.key luks
+      '';
+      systemPackages = with pkgs; [
+        cryptsetup
+      ];
+    };
+    fileSystems = {
+      "/data" = {
+        device = "/dev/mapper/nas";
+        fsType = "btrfs";
+        options = ["compress=lzo" "subvol=@data" "nofail"];
+      };
+      "/srv" = {
+        device = "/dev/mapper/nas";
+        fsType = "btrfs";
+        options = ["compress=lzo" "subvol=@srv" "nofail"];
+        depends = ["/data"];
+      };
+    };
+    services.btrfs.autoScrub = {
+      enable = true;
+      fileSystems = ["/" "/data"];
+    };
+    services.udev.packages = [
+      (pkgs.writeTextFile rec {
+        name = "queue_depth_sata.rules";
+        destination = "/etc/udev/rules.d/50-${name}";
+        text = ''
+          ACTION=="add|change", SUBSYSTEM=="scsi", ATTR{queue_depth}="1"
+        '';
+      })
+    ];
+
+    users = {
+      groups.nas = {};
+      users = {
+        nas = {
+          group = "nas";
+          openssh.authorizedKeys.keyFiles = [(config.personal-secrets + "/unencrypted/nas.pub")];
+          isNormalUser = true;
+          home = "/data/nas";
+          homeMode = "770";
+        };
+        cynerd.extraGroups = ["nas"];
+      };
+    };
+    services.openssh = {
+      settings.Macs = ["hmac-sha2-256"]; # Allow sha2-256 for Nexcloud access
+      extraConfig = ''
+        Match User nas
+          X11Forwarding no
+          AllowTcpForwarding no
+          AllowAgentForwarding no
+          ForceCommand internal-sftp -d /data/nas
+      '';
+    };
+
     networking.useDHCP = false;
     systemd.network = {
       netdevs = {
@@ -102,18 +165,20 @@ in {
       '';
     };
     systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.848.device"];
+    # TODO limit NSS clamping to just pppoe-wan
     networking.firewall.extraForwardRules = ''
-      tcp flags syn tcp option maxseg size set rt mtu
+      tcp flags syn tcp option maxseg size set rt mtu comment "Needed for PPPoE to fix IPv4"
+      iifname {"home", "personalvpn"} oifname {"home", "personalvpn"} accept
     '';
 
     services.syncthing = {
-      enable = true;
+      enable = false;
       openDefaultPorts = true;
 
       overrideDevices = false;
       overrideFolders = false;
 
-      dataDir = "/data";
+      dataDir = "/data"; # TODO this can't be the location
     };
   };
 }
diff --git a/nixos/modules/generic.nix b/nixos/modules/generic.nix
index 33d7024..35880f1 100644
--- a/nixos/modules/generic.nix
+++ b/nixos/modules/generic.nix
@@ -167,7 +167,13 @@ in {
     ];
     networking.dhcpcd.extraConfig = "controlgroup wheel";
 
-    services.openssh.enable = true;
+    services.openssh = {
+      enable = true;
+      settings = {
+        PasswordAuthentication = false;
+        PermitRootLogin = "no";
+      };
+    };
 
     time.timeZone = "Europe/Prague";
     i18n.defaultLocale = "en_US.UTF-8";
diff --git a/nixos/modules/hosts.nix b/nixos/modules/hosts.nix
index 76e884d..8a9318c 100644
--- a/nixos/modules/hosts.nix
+++ b/nixos/modules/hosts.nix
@@ -46,6 +46,7 @@ in {
         # Local
         "mpd" = "10.8.2.51";
         "errol" = "10.8.2.60";
+        "printer" = "10.8.2.90";
         # Portable
         "albert" = "10.8.2.61";
         "binky" = "10.8.2.63";
diff --git a/nixos/routers/router.nix b/nixos/routers/router.nix
index 5aa6cc6..ed634b1 100644
--- a/nixos/routers/router.nix
+++ b/nixos/routers/router.nix
@@ -59,9 +59,6 @@ in {
         };
         rejectPackets = true;
         filterForward = true;
-        extraForwardRules = ''
-          iifname "guest" oifname != "${cnf.wan}" drop comment "prevent guest to access other networks"
-        '';
       };
       nat = {
         enable = true;
diff --git a/nixos/routers/wifi-spt.nix b/nixos/routers/wifi-spt.nix
index 0ebcaa1..769449d 100644
--- a/nixos/routers/wifi-spt.nix
+++ b/nixos/routers/wifi-spt.nix
@@ -3,8 +3,8 @@
   lib,
   pkgs,
   ...
-}:
-with lib; let
+}: let
+  inherit (lib) mkOption mkEnableOption types mkIf mkMerge hostapd elemAt;
   cnf = config.cynerd.wifiAP.spt;
 
   wOptions = card: channelDefault: {
@@ -34,13 +34,17 @@ in {
   };
 
   config = mkIf cnf.enable {
+    # TODO regdom doesn't work for some reason
+    boot.extraModprobeConfig = ''
+      options cfg80211 ieee80211_regdom="CZ"
+    '';
     services.hostapd = {
       enable = true;
-      radios =
-        mkIf (cnf.ar9287.interface != null) {
+      radios = mkMerge [
+        (mkIf (cnf.ar9287.interface != null) {
           "${cnf.ar9287.interface}" = {
-            countryCode = "CZ";
             inherit (cnf.ar9287) channel;
+            countryCode = "CZ";
             wifi4 = {
               enable = true;
               inherit (hostapd.qualcomAtherosAR9287.wifi4) capabilities;
@@ -64,13 +68,13 @@ in {
               #};
             };
           };
-        }
-        // mkIf (cnf.qca988x.interface != null) {
+        })
+        (mkIf (cnf.qca988x.interface != null) {
           "${cnf.qca988x.interface}" = let
             is2g = cnf.qca988x.channel <= 14;
           in {
-            countryCode = "CZ";
             inherit (cnf.qca988x) channel;
+            countryCode = "CZ";
             band =
               if is2g
               then "2g"
@@ -106,21 +110,22 @@ in {
               #};
             };
           };
-        };
+        })
+      ];
     };
-    systemd.network.networks =
-      mkIf (cnf.ar9287.interface != null) {
+    systemd.network.networks = mkMerge [
+      (mkIf (cnf.ar9287.interface != null) {
         "lan-${cnf.ar9287.interface}" = {
           matchConfig.Name = cnf.ar9287.interface;
           networkConfig.Bridge = "brlan";
-          #bridgeVLANs = [
-          #  {
-          #    bridgeVLANConfig = {
-          #      EgressUntagged = 1;
-          #      PVID = 1;
-          #    };
-          #  }
-          #];
+          bridgeVLANs = [
+            {
+              bridgeVLANConfig = {
+                EgressUntagged = 1;
+                PVID = 1;
+              };
+            }
+          ];
         };
         #"lan-${cnf.ar9287.interface}-guest" = {
         #  matchConfig.Name = "${cnf.ar9287.interface}.guest";
@@ -134,19 +139,19 @@ in {
         #    }
         #  ];
         #};
-      }
-      // mkIf (cnf.qca988x.interface != null) {
+      })
+      (mkIf (cnf.qca988x.interface != null) {
         "lan-${cnf.qca988x.interface}" = {
           matchConfig.Name = cnf.qca988x.interface;
           networkConfig.Bridge = "brlan";
-          #bridgeVLANs = [
-          #  {
-          #    bridgeVLANConfig = {
-          #      EgressUntagged = 1;
-          #      PVID = 1;
-          #    };
-          #  }
-          #];
+          bridgeVLANs = [
+            {
+              bridgeVLANConfig = {
+                EgressUntagged = 1;
+                PVID = 1;
+              };
+            }
+          ];
         };
         #"lan-${cnf.qca988x.interface}-guest" = {
         #  matchConfig.Name = "${cnf.qca988x.interface}.guest";
@@ -160,6 +165,7 @@ in {
         #    }
         #  ];
         #};
-      };
+      })
+    ];
   };
 }