authorKarel Kočí <cynerd@email.cz>2024-03-15 09:13:05 +0100
committerKarel Kočí <cynerd@email.cz>2024-03-15 16:57:21 +0100
commita48d057700c636666a5e835cbcb0b667848008c2 (patch)
tree6e6dc0b9fcf2e85415c2f66b2beb567403be73ca /nixos/configurations
parent422ef34e58bc8a187594779d95ef8d74e8332a47 (diff)
nixos: rework configurations management
Diffstat (limited to 'nixos/configurations')
-rw-r--r--nixos/configurations/adm-mpd.nix56
-rw-r--r--nixos/configurations/adm-omnia.nix82
-rw-r--r--nixos/configurations/adm-omnia2.nix57
-rw-r--r--nixos/configurations/albert.nix41
-rw-r--r--nixos/configurations/binky.nix71
-rw-r--r--nixos/configurations/dean.nix40
-rw-r--r--nixos/configurations/default.nix42
-rw-r--r--nixos/configurations/errol.nix142
-rw-r--r--nixos/configurations/gaspode.nix17
-rw-r--r--nixos/configurations/lipwig.nix237
-rw-r--r--nixos/configurations/ridcully.nix73
-rw-r--r--nixos/configurations/spt-mox.nix53
-rw-r--r--nixos/configurations/spt-mox2.nix52
-rw-r--r--nixos/configurations/spt-mpd.nix15
-rw-r--r--nixos/configurations/spt-omnia.nix194
-rw-r--r--nixos/configurations/spt-omniax.nix51
16 files changed, 1223 insertions, 0 deletions
diff --git a/nixos/configurations/adm-mpd.nix b/nixos/configurations/adm-mpd.nix
new file mode 100644
index 0000000..ac3b4de
--- /dev/null
+++ b/nixos/configurations/adm-mpd.nix
@@ -0,0 +1,56 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib) filterAttrs;
+in {
+ nixpkgs.hostPlatform.system = "aarch64-linux";
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/mmcblk0p2";
+ options = ["compress=lzo" "subvol=@nix"];
+ };
+ "/home" = {
+ device = "/dev/mmcblk0p2";
+ options = ["compress=lzo" "subvol=@home"];
+ };
+ "/boot" = {
+ device = "/dev/mmcblk0p1";
+ };
+ };
+
+ networking.wireless = {
+ enable = true;
+ networks = filterAttrs (n: _: n == "Nela") config.secrets.wifiNetworks;
+ environmentFile = "/run/secrets/wifi.env";
+ userControlled.enable = true;
+ };
+
+ #services.pipewire = {
+ #enable = true;
+ #alsa.enable = true;
+ #pulse.enable = true;
+ #};
+ hardware.pulseaudio = {
+ enable = true;
+ systemWide = true;
+ zeroconf.publish.enable = true;
+ };
+
+ services.spotifyd = {
+ enable = true;
+ settings.global = {
+ device_name = "Adámkovi";
+ device = "sysdefault";
+ mixer = "Master";
+ bitrate = 320;
+ cache_path = "/var/cahe/spotify";
+ no_audio_cache = true;
+ volume_normalisation = true;
+ normalisation_pregain = -10;
+ initial_volume = 60;
+ };
+ };
+}
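Review bot: `cache_path = "/var/cahe/spotify"` in the spotifyd settings looks like a typo for the conventional cache directory; `no_audio_cache = true` may make it unused today, but the value will be wrong the day caching is turned on, so I would fix it now: `cache_path = "/var/cache/spotify";`. Separately, `hardware.pulseaudio.systemWide = true` combined with `zeroconf.publish.enable = true` publishes the system-wide sound server to the local network via Avahi, which is presumably intended for this player; a one-line comment stating that intent would stop the next reader from treating it as an accidental exposure.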
diff --git a/nixos/configurations/adm-omnia.nix b/nixos/configurations/adm-omnia.nix
new file mode 100644
index 0000000..3f857ee
--- /dev/null
+++ b/nixos/configurations/adm-omnia.nix
@@ -0,0 +1,82 @@
+{config, ...}: {
+ turris.board = "omnia";
+
+ cynerd = {
+ router = {
+ enable = true;
+ wan = "pppoe-wan";
+ lanIP = config.cynerd.hosts.adm.omnia;
+ };
+ wifiAP.adm = {
+ enable = true;
+ ar9287.interface = "wlp3s0";
+ qca988x.interface = "wlp2s0";
+ };
+ openvpn.oldpersonal = false;
+ monitoring.speedtest = true;
+ };
+
+ networking.useDHCP = false;
+ systemd.network = {
+ networks = {
+ "end2" = {
+ matchConfig.Name = "end2";
+ #networkConfig = {
+ # DHCP = "ipv6";
+ # IPv6AcceptRA = "yes";
+ # DHCPPrefixDelegation = "yes";
+ #};
+ #dhcpPrefixDelegationConfig = {
+ # UplinkInterface = ":self";
+ # SubnetId = 0;
+ # Announce = "no";
+ #};
+ linkConfig.RequiredForOnline = "routable";
+ };
+ "lan-brlan" = {
+ matchConfig.Name = "lan[1-4]";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
+ };
+ "lan0-guest" = {
+ matchConfig.Name = "lan0";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 2;
+ PVID = 2;
+ };
+ }
+ ];
+ };
+ };
+ };
+
+ services.pppd = {
+ enable = true;
+ peers."wan".config = ''
+ plugin pppoe.so end2
+ ifname pppoe-wan
+ lcp-echo-interval 1
+ lcp-echo-failure 5
+ lcp-echo-adaptive
+ +ipv6
+ defaultroute
+ defaultroute6
+ usepeerdns
+ maxfail 1
+ user O2
+ password 02
+ '';
+ };
+ systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.device"];
+}
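Review bot: The `user O2` / `password 02` lines in `peers."wan".config` go into the pppd peer file, which the NixOS pppd module appears to render into the Nix store, so the credential is world-readable on the host and in any binary cache the closure is pushed to; spt-omnia.nix's peer (`user metronet` / `password metronet`) has the same shape. If these are real ISP credentials rather than placeholders, move the secret out of the module the way adm-mpd.nix does for Wi-Fi (`environmentFile = "/run/secrets/wifi.env"`), e.g. a pap-secrets/chap-secrets file under `/run/secrets` referenced from the peer config, and keep only the `user` line here. If they are the provider's well-known defaults, a comment saying so would keep this from being raised again.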
diff --git a/nixos/configurations/adm-omnia2.nix b/nixos/configurations/adm-omnia2.nix
new file mode 100644
index 0000000..19ee446
--- /dev/null
+++ b/nixos/configurations/adm-omnia2.nix
@@ -0,0 +1,57 @@
+{config, ...}: {
+ turris.board = "omnia";
+ deploy = {
+ enable = true;
+ ssh.host = "omnia2.adm";
+ };
+
+ cynerd = {
+ switch = {
+ enable = true;
+ lanAddress = "${config.cynerd.hosts.adm.omnia2}/24";
+ lanGateway = config.cynerd.hosts.adm.omnia;
+ };
+ wifiAP.adm = {
+ enable = true;
+ ar9287 = {
+ interface = "wlp1s0";
+ bssids = ["12:f0:21:23:2b:00" "12:f0:21:23:2b:01" "12:f0:21:23:2b:02"];
+ channel = 11;
+ };
+ qca988x = {
+ interface = "wlp2s0";
+ bssids = ["12:f0:21:23:2b:03" "12:f0:21:23:2b:04" "12:f0:21:23:2b:05"];
+ channel = 36;
+ };
+ };
+ };
+
+ services.journald.extraConfig = ''
+ SystemMaxUse=8G
+ '';
+
+ services.btrfs.autoScrub = {
+ enable = true;
+ fileSystems = ["/"];
+ };
+
+ networking = {
+ useNetworkd = true;
+ useDHCP = false;
+ };
+ systemd.network.networks = {
+ "lan-brlan" = {
+ matchConfig.Name = "lan* end2";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
+ };
+ };
+}
diff --git a/nixos/configurations/albert.nix b/nixos/configurations/albert.nix
new file mode 100644
index 0000000..a6a4ee1
--- /dev/null
+++ b/nixos/configurations/albert.nix
@@ -0,0 +1,41 @@
+{
+ nixpkgs.hostPlatform.system = "x86_64-linux";
+
+ cynerd = {
+ desktop = {
+ enable = true;
+ laptop = true;
+ };
+ wifiClient = true;
+ openvpn = {
+ oldpersonal = true;
+ };
+ };
+
+ boot.initrd.availableKernelModules = ["xhci_pci" "usb_storage" "sd_mod"];
+
+ hardware.cpu.intel.updateMicrocode = true;
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-uuid/1c9bafac-fcf8-41c4-b394-bca5917ca82d";
+ fsType = "btrfs";
+ options = ["compress=lzo" "subvol=@nix"];
+ };
+ "/home" = {
+ device = "/dev/disk/by-uuid/1c9bafac-fcf8-41c4-b394-bca5917ca82d";
+ fsType = "btrfs";
+ options = ["compress=lzo" "subvol=@home"];
+ };
+ "/boot" = {
+ device = "/dev/disk/by-uuid/E403-124B";
+ fsType = "vfat";
+ };
+
+ "/home2" = {
+ device = "/dev/disk/by-uuid/55e177a1-215e-475b-ba9c-771b5fa3f8f0";
+ fsType = "btrfs";
+ options = ["compress=lzo" "subvol=@home"];
+ };
+ };
+}
diff --git a/nixos/configurations/binky.nix b/nixos/configurations/binky.nix
new file mode 100644
index 0000000..c51f95b
--- /dev/null
+++ b/nixos/configurations/binky.nix
@@ -0,0 +1,71 @@
+{lib, ...}: let
+ inherit (lib) mkDefault;
+in {
+ nixpkgs.hostPlatform.system = "x86_64-linux";
+ deploy = {
+ enable = true;
+ default = false;
+ };
+
+ cynerd = {
+ desktop = {
+ enable = true;
+ laptop = true;
+ };
+ wifiClient = true;
+ develop = true;
+ openvpn = {
+ oldpersonal = true;
+ elektroline = true;
+ };
+ };
+
+ boot = {
+ initrd.availableKernelModules = ["nvme" "xhci_pci" "usb_storage" "sd_mod"];
+ kernelModules = ["kvm-amd"];
+ };
+
+ hardware.cpu.amd.updateMicrocode = true;
+
+ boot.initrd.luks.devices = {
+ "encroot".device = "/dev/disk/by-uuid/b317feb5-d68d-4ec3-a24f-0307c116cac8";
+ };
+ fileSystems = {
+ "/" = {
+ device = "/dev/mapper/encroot";
+ fsType = "btrfs";
+ options = ["compress=lzo" "subvol=@"];
+ };
+ "/nix" = {
+ device = "/dev/mapper/encroot";
+ fsType = "btrfs";
+ options = ["compress=lzo" "subvol=@nix"];
+ };
+ "/home" = {
+ device = "/dev/mapper/encroot";
+ fsType = "btrfs";
+ options = ["compress=lzo" "subvol=@home"];
+ };
+ "/boot" = {
+ device = "/dev/disk/by-uuid/8F7D-A154";
+ fsType = "vfat";
+ };
+ };
+ services.btrfs.autoScrub = {
+ enable = true;
+ fileSystems = ["/"];
+ };
+
+ services.syncthing = {
+ enable = true;
+ user = mkDefault "cynerd";
+ group = mkDefault "cynerd";
+ openDefaultPorts = true;
+
+ overrideDevices = false;
+ overrideFolders = false;
+
+ dataDir = "/home/cynerd";
+ configDir = "/home/cynerd/.config/syncthing";
+ };
+}
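Review bot: `boot.initrd.luks.devices` at the top of the storage section reopens `boot` that the `boot = { initrd…; kernelModules… }` block a few lines above already defines; folding the LUKS device into that block, next to `initrd.availableKernelModules`, keeps the boot configuration in one place. The `services.syncthing` block (`mkDefault "cynerd"` user/group, `openDefaultPorts = true`, the `/home/cynerd` paths) is repeated byte-for-byte in errol.nix and ridcully.nix; since this commit is a rework of configuration management, a shared option in the `cynerd` module set would replace three copies that will otherwise drift.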
diff --git a/nixos/configurations/dean.nix b/nixos/configurations/dean.nix
new file mode 100644
index 0000000..b91083c
--- /dev/null
+++ b/nixos/configurations/dean.nix
@@ -0,0 +1,40 @@
+{pkgs, ...}: {
+ nixpkgs.hostPlatform.system = "aarch64-linux";
+
+ cynerd = {
+ openvpn = {
+ oldpersonal = true;
+ };
+ monitoring.speedtest = true;
+ };
+
+ networking = {
+ bridges = {
+ brlan = {
+ interfaces = [
+ "eth0"
+ "lan1"
+ "lan2"
+ "lan3"
+ "lan4"
+ ];
+ };
+ };
+ dhcpcd.allowInterfaces = ["brlan"];
+ };
+
+ swapDevices = [
+ {
+ device = "/var/swap";
+ priority = 1;
+ }
+ ];
+
+ environment.systemPackages = with pkgs; [
+ #openocd
+ tio
+ ];
+
+ # TODO: ubootTools build is broken!
+ firmware.environment.enable = false;
+}
diff --git a/nixos/configurations/default.nix b/nixos/configurations/default.nix
new file mode 100644
index 0000000..497c0fb
--- /dev/null
+++ b/nixos/configurations/default.nix
@@ -0,0 +1,42 @@
+self: let
+ inherit (builtins) readDir;
+ inherit (self.inputs) nixpkgs nixturris;
+ inherit
+ (nixpkgs.lib)
+ filterAttrs
+ composeManyExtensions
+ hasSuffix
+ nameValuePair
+ nixosSystem
+ removeSuffix
+ mapAttrs
+ mapAttrs'
+ ;
+in
+ mapAttrs' (
+ fname: _: let
+ name = removeSuffix ".nix" fname;
+ in
+ nameValuePair name (nixosSystem {
+ modules = [
+ (./. + ("/" + fname))
+ {networking.hostName = name;}
+ self.nixosModules.default
+ ];
+ specialArgs = {
+ inputModules =
+ mapAttrs (v: v.nixosModules) self.inputs
+ // {
+ vpsadminos = self.inputs.vpsadminos.nixosConfigurations.container;
+ };
+ lib = nixpkgs.lib.extend (composeManyExtensions [
+ nixturris.overlays.lib
+ self.overlays.lib
+ ]);
+ };
+ })
+ )
+ (filterAttrs (
+ n: v:
+ v == "regular" && n != "default.nix" && hasSuffix ".nix" n
+ ) (readDir ./.))
diff --git a/nixos/configurations/errol.nix b/nixos/configurations/errol.nix
new file mode 100644
index 0000000..a9475ef
--- /dev/null
+++ b/nixos/configurations/errol.nix
@@ -0,0 +1,142 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit (lib) mkDefault;
+in {
+ nixpkgs.hostPlatform.system = "x86_64-linux";
+ deploy.enable = true;
+
+ cynerd = {
+ desktop.enable = true;
+ develop = true;
+ gaming = true;
+ openvpn = {
+ elektroline = true;
+ };
+ };
+
+ boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "usb_storage"];
+ boot.kernelModules = ["kvm-amd"];
+
+ hardware.cpu.amd.updateMicrocode = true;
+ services.hardware.openrgb.motherboard = "amd";
+
+ cynerd.autounlock = {
+ "encroot" = "/dev/disk/by-uuid/7c412ae6-6016-45af-8c2a-8fcc394dbbe6";
+ "enchdd1" = "/dev/disk/by-uuid/87f16080-5ff6-43dd-89f3-307455a46fbe";
+ "enchdd2" = "/dev/disk/by-uuid/be4a33fa-8bc6-431d-a3ac-787668f223ed";
+ };
+ fileSystems = {
+ "/" = {
+ device = "/dev/mapper/encroot";
+ fsType = "btrfs";
+ options = ["compress=lzo" "subvol=@nix"];
+ };
+ "/home" = {
+ device = "/dev/mapper/encroot";
+ fsType = "btrfs";
+ options = ["compress=lzo" "subvol=@home"];
+ };
+ "/boot" = {
+ device = "/dev/disk/by-uuid/49D9-3A0D";
+ fsType = "vfat";
+ };
+
+ "/home2" = {
+ device = "/dev/mapper/enchdd1";
+ fsType = "btrfs";
+ options = ["compress=lzo" "subvol=@home"];
+ };
+ };
+ services.btrfs.autoScrub = {
+ enable = true;
+ fileSystems = ["/" "/home2"];
+ };
+ #services.beesd.filesystems = {
+ # root = {
+ # spec = "/";
+ # hashTableSizeMB = 4096; # 4KB blocks for 1TB drive
+ # extraOptions = ["--workaround-btrfs-send"];
+ # };
+ # hdd = {
+ # spec = "/home2";
+ # hashTableSizeMB = 8192; # 4KB blocks for 2TB drive
+ # extraOptions = ["--workaround-btrfs-send"];
+ # };
+ #};
+
+ services.syncthing = {
+ enable = true;
+ user = mkDefault "cynerd";
+ group = mkDefault "cynerd";
+ openDefaultPorts = true;
+
+ overrideDevices = false;
+ overrideFolders = false;
+
+ dataDir = "/home/cynerd";
+ configDir = "/home/cynerd/.config/syncthing";
+ };
+
+ nixpkgs.config.permittedInsecurePackages = ["openssl-1.1.1w"]; # TODO
+ services.home-assistant = {
+ enable = true;
+ openFirewall = true;
+ configDir = "/var/lib/hass";
+ config = {
+ homeassistant = {
+ name = "SPT";
+ latitude = "!secret latitude";
+ longitude = "!secret longitude";
+ elevation = "!secret elevation";
+ time_zone = "Europe/Prague";
+ country = "CZ";
+ };
+ http.server_port = 8808;
+ mqtt = {
+ sensor = import ../modules/home-assistant/sensors.nix;
+ light = import ../modules/home-assistant/light.nix;
+ };
+ default_config = {};
+ automation = "!include automations.yaml";
+ };
+ extraComponents = ["met"];
+ package = pkgs.home-assistant.override {
+ extraPackages = pkgs:
+ with pkgs; [
+ securetar
+ pyipp
+ ];
+ };
+ };
+
+ services.zigbee2mqtt = {
+ enable = true;
+ settings = {
+ serial.port = "/dev/serial/by-id/usb-ITEAD_SONOFF_Zigbee_3.0_USB_Dongle_Plus_V2_20220812153849-if00";
+ mqtt = {
+ server = "mqtt://${config.cynerd.hosts.spt.mox}:1883";
+ user = "zigbee2mqtt";
+ password = "!secret.yaml mqtt_password";
+ };
+ advanced = {
+ network_key = "!secret.yaml network_key";
+ homeassistant_legacy_entity_attributes = false;
+ legacy_api = false;
+ legacy_availability_payload = false;
+ last_seen = "epoch";
+ };
+ frontend = true;
+ availability = true;
+ homeassistant = {
+ legacy_triggers = false;
+ };
+ device_options.legacy = false;
+ permit_join = false;
+ devices = config.secrets.zigbee2mqttDevices;
+ };
+ };
+}
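Review bot: `nixpkgs.config.permittedInsecurePackages = ["openssl-1.1.1w"]; # TODO` allows an end-of-life OpenSSL for every package evaluated on this host, not only the one that needs it, and the bare `# TODO` does not record which dependency forces it, so nobody will know when the entry can go. I would expand the comment to name the package and the removal condition, e.g. `# TODO: required by <package needing openssl 1.1> — drop once it builds against openssl 3`. Further down, `services.home-assistant.openFirewall = true` with `http.server_port = 8808` opens the dashboard on every interface; if it is only meant to be reached from the LAN, a comment to that effect or an interface-scoped firewall rule documents the intent.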
diff --git a/nixos/configurations/gaspode.nix b/nixos/configurations/gaspode.nix
new file mode 100644
index 0000000..78d8277
--- /dev/null
+++ b/nixos/configurations/gaspode.nix
@@ -0,0 +1,17 @@
+{
+ nixpkgs.hostPlatform.system = "armv7l-linux";
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/mmcblk0p2";
+ options = ["compress=lzo" "subvol=@nix"];
+ };
+ "/home" = {
+ device = "/dev/mmcblk0p2";
+ options = ["compress=lzo" "subvol=@home"];
+ };
+ "/boot" = {
+ device = "/dev/mmcblk0p1";
+ };
+ };
+}
diff --git a/nixos/configurations/lipwig.nix b/nixos/configurations/lipwig.nix
new file mode 100644
index 0000000..c484541
--- /dev/null
+++ b/nixos/configurations/lipwig.nix
@@ -0,0 +1,237 @@
+{
+ config,
+ pkgs,
+ inputModules,
+ ...
+}: {
+ imports = [inputModules.vpsadminos];
+
+ config = {
+ nixpkgs.hostPlatform.system = "x86_64-linux";
+
+ deploy = {
+ enable = true;
+ ssh.host = "cynerd.cz";
+ };
+
+ cynerd = {
+ syncthing = {
+ enable = false;
+ baseDir = "/nas";
+ };
+ openvpn.oldpersonal = true;
+ };
+
+ boot.loader.systemd-boot.enable = false;
+
+ fileSystems."/nas" = {
+ device = "172.16.128.63:/nas/2682";
+ fsType = "nfs";
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [80 443];
+ allowedUDPPorts = [1194];
+ };
+
+ # Web ######################################################################
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "cynerd.cz" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/".root = ../../web;
+ "/radicale/" = {
+ proxyPass = "http://127.0.0.1:5232/";
+ extraConfig = ''
+ proxy_set_header X-Script-Name /radicale;
+ proxy_pass_header Authorization;
+ '';
+ };
+ };
+ };
+ "git.cynerd.cz" = {
+ forceSSL = true;
+ useACMEHost = "cynerd.cz";
+ root = "${pkgs.cgit}/cgit";
+ locations."/".tryFiles = "$uri @cgit";
+ locations."@cgit".extraConfig = ''
+ fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi;
+ fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param QUERY_STRING $args;
+ fastcgi_param HTTP_HOST $server_name;
+ '';
+ };
+ "cloud.cynerd.cz" = {
+ forceSSL = true;
+ useACMEHost = "cynerd.cz";
+ };
+ "grafana.cynerd.cz" = {
+ forceSSL = true;
+ useACMEHost = "cynerd.cz";
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}/";
+ extraConfig = "proxy_set_header Host $host;";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+ services.fcgiwrap = {
+ enable = true;
+ inherit (config.services.nginx) group;
+ };
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "cynerd+acme@email.cz";
+ certs."cynerd.cz".extraDomainNames = [
+ "git.cynerd.cz"
+ "cloud.cynerd.cz"
+ "grafana.cynerd.cz"
+ ];
+ };
+
+ # Git ######################################################################
+ services.gitolite = {
+ enable = true;
+ user = "git";
+ group = "git";
+ dataDir = "/var/lib/git";
+ adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIaMmBV0wPvG5JQIWxi20IDlLokhRBumTEbUUD9TNWoY Bootstrap gitolite key";
+ };
+ services.gitDaemon = {
+ enable = false;
+ user = "gitdemon";
+ group = "gitdaemon";
+ basePath = "/var/lib/git/repositories";
+ };
+ environment.etc."cgitrc".text = ''
+ root-title=Cynerd's git repository
+ root-desc=All my projects (at least those released to public)
+ #logo=cynerd.cz/wolf.svg
+ virtual-root=/
+
+ # Allow download of tar.gz, tar.bz2 and zip-files
+ snapshots=tar.gz tar.bz2 zip
+ ## List of common mimetypes
+ mimetype.gif=image/gif
+ mimetype.html=text/html
+ mimetype.jpg=image/jpeg
+ mimetype.jpeg=image/jpeg
+ mimetype.pdf=application/pdf
+ mimetype.png=image/png
+ mimetype.svg=image/svg+xml
+
+ source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
+ about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
+
+ readme=:README.md
+ readme=:README.adoc
+
+ enable-index-owner=0
+ enable-index-links=1
+ enable-http-clone=1
+ clone-url=https://git.cynerd.cz/$CGIT_REPO_URL git://cynerd.cz/$CGIT_REPO_URL.git git@cynerd.cz:$CGIT_REPO_URL
+ enable-commit-graph=1
+ branch-sort=age
+
+ remove-suffix=1
+ enable-git-config=1
+ project-list=/var/lib/git/projects.list
+ scan-path=/var/lib/git/repositories/
+ '';
+
+ # Nextcloud ################################################################
+ services.nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud28;
+ https = true;
+ hostName = "cloud.cynerd.cz";
+ datadir = "/nas/nextcloud";
+ config = {
+ adminuser = "cynerd";
+ adminpassFile = "/run/secrets/nextcloud.admin.pass";
+ dbtype = "pgsql";
+ dbhost = "/run/postgresql";
+ dbtableprefix = "oc_";
+ };
+ settings = {
+ #log_type = "systemd";
+ default_phone_region = "CZ";
+ };
+ phpExtraExtensions = php: [php.pgsql php.pdo_pgsql];
+ phpOptions = {
+ "opcache.interned_strings_buffer" = "16";
+ };
+ maxUploadSize = "1G";
+ appstoreEnable = false;
+ extraApps = {
+ inherit
+ (config.services.nextcloud.package.packages.apps)
+ bookmarks
+ calendar
+ contacts
+ cookbook
+ deck
+ forms
+ groupfolders
+ impersonate
+ maps
+ memories
+ notes
+ phonetrack
+ previewgenerator
+ spreed
+ tasks
+ twofactor_nextcloud_notification
+ twofactor_webauthn
+ ;
+ # Additional modules can be fetched with:
+ # NEXTCLOUD_VERSIONS=28 nix run nixpkgs#nc4nix -- -apps "passwords,integration_homeassistant,integration_github,integration_gitlab"
+ passwords = pkgs.fetchNextcloudApp {
+ url = "https://git.mdns.eu/api/v4/projects/45/packages/generic/passwords/2024.2.0/passwords.tar.gz";
+ sha256 = "0s5z6pxkcwmhlbzy9s2g0s05n1iqjmxr2jqxz7ayklin9kcgr3h7";
+ license = "agpl3";
+ };
+ integration_github = pkgs.fetchNextcloudApp {
+ url = "https://github.com/nextcloud-releases/integration_github/releases/download/v2.0.6/integration_github-v2.0.6.tar.gz";
+ sha256 = "0rjdlsalayb21nmh3j5bl42dcbavxka2r5g9csagz7vc9dl0qrw6";
+ license = "agpl3";
+ };
+ integration_gitlab = pkgs.fetchNextcloudApp {
+ url = "https://github.com/nextcloud-releases/integration_gitlab/releases/download/v1.0.18/integration_gitlab-v1.0.18.tar.gz";
+ sha256 = "13vlbr7sigqrh480a9zp7zl9nbzb4pk8m1zzlqv9lkzj3zywp7mi";
+ license = "agpl3";
+ };
+ };
+ };
+ environment.systemPackages = with pkgs; [exiftool ffmpeg-headless nodejs];
+
+ # Postgresql ###############################################################
+ services.postgresql = {
+ enable = true;
+ ensureUsers = [
+ {
+ name = "nextcloud";
+ ensureDBOwnership = true;
+ }
+ ];
+ ensureDatabases = ["nextcloud"];
+ };
+
+ # Old Syncthing ############################################################
+ services.syncthing = {
+ enable = true;
+ openDefaultPorts = true;
+
+ overrideDevices = false;
+ overrideFolders = false;
+
+ dataDir = "/nas/sync";
+ configDir = "/nas/sync/.syncthing";
+ };
+ };
+}
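Review bot: `services.gitDaemon.user = "gitdemon"` next to `group = "gitdaemon"` looks like a typo; the service is `enable = false` so it is inert today, but whoever flips it on will get a daemon pointed at an account that nothing in this file creates. Change it to `user = "gitdaemon";` while it is harmless. This host is the internet-facing one (80/443/1194 opened, `ssh.host = "cynerd.cz"`), yet only spt-omnia.nix sets `services.fail2ban.enable = true`; a line enabling it here, or a comment stating why sshd on the VPS does not need it, would make the difference deliberate rather than an omission.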
diff --git a/nixos/configurations/ridcully.nix b/nixos/configurations/ridcully.nix
new file mode 100644
index 0000000..3e2b474
--- /dev/null
+++ b/nixos/configurations/ridcully.nix
@@ -0,0 +1,73 @@
+{lib, ...}: let
+ inherit (lib) mkDefault;
+in {
+ nixpkgs.hostPlatform.system = "x86_64-linux";
+ deploy.enable = true;
+
+ cynerd = {
+ desktop.enable = true;
+ develop = true;
+ gaming = true;
+ openvpn = {
+ elektroline = true;
+ };
+ };
+
+ boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "usb_storage"];
+ boot.kernelModules = ["kvm-amd"];
+
+ hardware.cpu.amd.updateMicrocode = true;
+ services.hardware.openrgb.motherboard = "amd";
+
+ cynerd.autounlock = {
+ "encroot" = "/dev/disk/by-uuid/bc7d2ba4-6e04-4c49-b40c-3aecd1a86c71";
+ "enchdd" = "/dev/disk/by-uuid/7fee3cda-efa0-47cd-8832-fdead9a7e6db";
+ };
+ fileSystems = {
+ "/" = {
+ device = "/dev/mapper/encroot";
+ fsType = "btrfs";
+ options = ["compress=lzo" "subvol=@nix"];
+ };
+ "/home" = {
+ device = "/dev/mapper/encroot";
+ fsType = "btrfs";
+ options = ["compress=lzo" "subvol=@home"];
+ };
+ "/boot" = {
+ device = "/dev/disk/by-uuid/6DAD-3819";
+ fsType = "vfat";
+ };
+
+ "/home2" = {
+ device = "/dev/mapper/enchdd";
+ fsType = "btrfs";
+ options = ["compress=lzo" "subvol=@home"];
+ };
+ };
+ services.btrfs.autoScrub = {
+ enable = true;
+ fileSystems = ["/" "/home2"];
+ };
+
+ #networking.vlans."enp6s0.adm" = {
+ #id = 2;
+ #interface = "enp6s0";
+ #};
+
+ services.syncthing = {
+ enable = true;
+ user = mkDefault "cynerd";
+ group = mkDefault "cynerd";
+ openDefaultPorts = true;
+
+ overrideDevices = false;
+ overrideFolders = false;
+
+ dataDir = "/home/cynerd";
+ configDir = "/home/cynerd/.config/syncthing";
+ };
+
+ # Force nix to use less jobs
+ nix.settings.max-jobs = 8;
+}
diff --git a/nixos/configurations/spt-mox.nix b/nixos/configurations/spt-mox.nix
new file mode 100644
index 0000000..7b1ffb8
--- /dev/null
+++ b/nixos/configurations/spt-mox.nix
@@ -0,0 +1,53 @@
+{config, ...}: {
+ turris.board = "mox";
+ deploy = {
+ enable = true;
+ ssh.host = "mox.spt";
+ };
+
+ cynerd = {
+ home-assistant = true;
+ switch = {
+ enable = true;
+ lanAddress = "${config.cynerd.hosts.spt.mox}/24";
+ lanGateway = config.cynerd.hosts.spt.omnia;
+ };
+ wifiAP.spt = {
+ enable = true;
+ qca988x = {
+ interface = "wls1";
+ bssids = ["04:f0:21:24:24:d2" "08:f0:21:24:24:d2"];
+ channel = 7;
+ };
+ };
+ };
+
+ services.journald.extraConfig = ''
+ SystemMaxUse=512M
+ '';
+
+ services.btrfs.autoScrub = {
+ enable = true;
+ fileSystems = ["/"];
+ };
+
+ networking = {
+ useNetworkd = true;
+ useDHCP = false;
+ };
+ systemd.network.networks = {
+ "lan-brlan" = {
+ matchConfig.Name = "lan* end0";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
+ };
+ };
+}
diff --git a/nixos/configurations/spt-mox2.nix b/nixos/configurations/spt-mox2.nix
new file mode 100644
index 0000000..612e85e
--- /dev/null
+++ b/nixos/configurations/spt-mox2.nix
@@ -0,0 +1,52 @@
+{config, ...}: {
+ turris.board = "mox";
+ deploy = {
+ enable = true;
+ ssh.host = "mox2.spt";
+ };
+
+ cynerd = {
+ switch = {
+ enable = true;
+ lanAddress = "${config.cynerd.hosts.spt.mox2}/24";
+ lanGateway = config.cynerd.hosts.spt.omnia;
+ };
+ wifiAP.spt = {
+ enable = true;
+ qca988x = {
+ interface = "wls1";
+ bssids = ["04:f0:21:45:d3:47" "08:f0:21:45:d3:47"];
+ channel = 1;
+ };
+ };
+ };
+
+ services.journald.extraConfig = ''
+ SystemMaxUse=512M
+ '';
+
+ services.btrfs.autoScrub = {
+ enable = true;
+ fileSystems = ["/"];
+ };
+
+ networking = {
+ useNetworkd = true;
+ useDHCP = false;
+ };
+ systemd.network.networks = {
+ "lan-brlan" = {
+ matchConfig.Name = "end0";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
+ };
+ };
+}
diff --git a/nixos/configurations/spt-mpd.nix b/nixos/configurations/spt-mpd.nix
new file mode 100644
index 0000000..b212932
--- /dev/null
+++ b/nixos/configurations/spt-mpd.nix
@@ -0,0 +1,15 @@
+{inputModules, ...}: {
+ imports = [inputModules.nixos-hardware.raspberry-pi-2];
+
+ config = {
+ nixpkgs.hostPlatform.system = "armv7l-linux";
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/mmcblk0p1";
+ fsType = "btrfs";
+ options = ["compress=lzo"];
+ };
+ };
+ };
+}
diff --git a/nixos/configurations/spt-omnia.nix b/nixos/configurations/spt-omnia.nix
new file mode 100644
index 0000000..ca4d211
--- /dev/null
+++ b/nixos/configurations/spt-omnia.nix
@@ -0,0 +1,194 @@
+{
+ config,
+ pkgs,
+ ...
+}: let
+ hosts = config.cynerd.hosts.spt;
+in {
+ turris.board = "omnia";
+ deploy = {
+ enable = true;
+ ssh.host = "omnia.spt";
+ };
+
+ cynerd = {
+ router = {
+ enable = true;
+ wan = "pppoe-wan";
+ lanIP = hosts.omnia;
+ staticLeases = {
+ "a8:a1:59:10:32:c4" = hosts.errol;
+ "7c:b0:c2:bb:9c:ca" = hosts.albert;
+ "4c:d5:77:0d:85:d9" = hosts.binky;
+ "b8:27:eb:57:a2:31" = hosts.mpd;
+ "74:bf:c0:42:82:19" = hosts.printer;
+ };
+ };
+ wifiAP.spt = {
+ enable = true;
+ ar9287 = {
+ interface = "wlp1s0";
+ bssids = ["04:f0:21:24:21:93" "08:f0:21:24:21:93"];
+ channel = 11;
+ };
+ qca988x = {
+ interface = "wlp3s0";
+ bssids = ["04:f0:21:23:16:64" "08:f0:21:23:16:64"];
+ channel = 36;
+ };
+ };
+ openvpn.oldpersonal = true;
+ monitoring.speedtest = true;
+ };
+
+ services.journald.extraConfig = ''
+ SystemMaxUse=512M
+ '';
+
+ environment = {
+ etc.crypttab.text = ''
+ nas UUID=3472bef9-cbae-48bd-873e-fd4858a0b72f /run/secrets/luks-spt-omnia-nas.key luks
+ nassec UUID=016e9e75-bbc8-4b24-8bb7-c800c8f6a500 /run/secrets/luks-spt-omnia-nas.key luks
+ '';
+ systemPackages = with pkgs; [
+ cryptsetup
+ ];
+ };
+ fileSystems = {
+ "/data" = {
+ device = "/dev/mapper/nas";
+ fsType = "btrfs";
+ options = ["compress=lzo" "subvol=@data" "nofail"];
+ };
+ "/srv" = {
+ device = "/dev/mapper/nas";
+ fsType = "btrfs";
+ options = ["compress=lzo" "subvol=@srv" "nofail"];
+ depends = ["/data"];
+ };
+ };
+ services.btrfs.autoScrub = {
+ enable = true;
+ fileSystems = ["/" "/data"];
+ };
+ services.udev.packages = [
+ (pkgs.writeTextFile rec {
+ name = "queue_depth_sata.rules";
+ destination = "/etc/udev/rules.d/50-${name}";
+ text = ''
+ SUBSYSTEMS=="pci", DRIVER=="ahci", ATTR{device}!="0x0612", GOTO="turris_pci_end"
+ ACTION=="add|change", SUBSYSTEM=="scsi", ATTR{vendor}=="ATA", ATTR{queue_depth}="1"
+ LABEL="turris_pci_end"
+ '';
+ })
+ ];
+
+ users = {
+ groups.nas = {};
+ users = {
+ nas = {
+ group = "nas";
+ openssh.authorizedKeys.keyFiles = [(config.personal-secrets + "/unencrypted/nas.pub")];
+ isNormalUser = true;
+ home = "/data/nas";
+ homeMode = "770";
+ };
+ cynerd.extraGroups = ["nas"];
+ };
+ };
+ services.openssh = {
+ settings.Macs = ["hmac-sha2-256"]; # Allow sha2-256 for Nexcloud access
+ extraConfig = ''
+ Match User nas
+ X11Forwarding no
+ AllowTcpForwarding no
+ AllowAgentForwarding no
+ ForceCommand internal-sftp -d /data/nas
+ '';
+ };
+ services.fail2ban.enable = true;
+
+ networking.useDHCP = false;
+ systemd.network = {
+ netdevs = {
+ "end2.848" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "end2.848";
+ };
+ vlanConfig.Id = 848;
+ };
+ };
+ networks = {
+ "end2" = {
+ matchConfig.Name = "end2";
+ networkConfig.VLAN = ["end2.848"];
+ };
+ "end2.848" = {
+ matchConfig.Name = "end2.848";
+ networkConfig.BindCarrier = "end2";
+ };
+ "pppoe-wan" = {
+ matchConfig.Name = "pppoe-wan";
+ networkConfig = {
+ BindCarrier = "end2.848";
+ DHCP = "ipv6";
+ IPv6AcceptRA = "no";
+ DHCPPrefixDelegation = "yes";
+ };
+ dhcpPrefixDelegationConfig = {
+ UplinkInterface = ":self";
+ SubnetId = 0;
+ Announce = "no";
+ };
+ linkConfig.RequiredForOnline = "routable";
+ };
+ "lan-brlan" = {
+ matchConfig.Name = "lan*";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
+ };
+ };
+ };
+
+ services.pppd = {
+ enable = true;
+ peers."wan".config = ''
+ plugin pppoe.so end2.848
+ ifname pppoe-wan
+ lcp-echo-interval 1
+ lcp-echo-failure 5
+ lcp-echo-adaptive
+ defaultroute
+ defaultroute6
+ usepeerdns
+ maxfail 1
+ user metronet
+ password metronet
+ '';
+ };
+ systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.848.device"];
+ # TODO limit NSS clamping to just pppoe-wan
+ networking.firewall.extraForwardRules = ''
+ tcp flags syn tcp option maxseg size set rt mtu comment "Needed for PPPoE to fix IPv4"
+ iifname {"home", "personalvpn"} oifname {"home", "personalvpn"} accept
+ '';
+
+ services.syncthing = {
+ enable = false;
+ openDefaultPorts = true;
+
+ overrideDevices = false;
+ overrideFolders = false;
+
+ dataDir = "/data"; # TODO this can't be the location
+ };
+}
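Review bot: `services.openssh.settings.Macs = ["hmac-sha2-256"]` with the comment `# Allow sha2-256 for Nexcloud access` does not *allow* one more MAC — a list assigned here replaces the NixOS default MAC list, so every SSH client of this host is limited to plain `hmac-sha2-256` and the encrypt-then-MAC defaults are dropped. If the intent is to add a non-ETM MAC for the Nextcloud SFTP client, keep the defaults alongside it (referencing `config.services.openssh.settings.Macs` in its own definition recurses, so list them explicitly, e.g. `Macs = ["hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" "hmac-sha2-256"];`), and reword the comment to say it *extends* the MAC list for the Nextcloud external-storage SFTP client, spelled correctly. The `Match User nas` block with `ForceCommand internal-sftp -d /data/nas` and forwarding disabled is the right shape for that account.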
diff --git a/nixos/configurations/spt-omniax.nix b/nixos/configurations/spt-omniax.nix
new file mode 100644
index 0000000..4f9e0e0
--- /dev/null
+++ b/nixos/configurations/spt-omniax.nix
@@ -0,0 +1,51 @@
+{
+ turris.board = "omnia";
+
+ cynerd = {
+ router = {
+ enable = true;
+ wan = "end2";
+ lanIP = "192.168.2.1";
+ };
+ wifiAP.spt = {
+ enable = true;
+ ar9287.interface = "wlp3s0";
+ qca988x.interface = "wlp2s0";
+ };
+ monitoring.speedtest = true;
+ };
+
+ networking.useDHCP = false;
+ systemd.network = {
+ networks = {
+ "end2" = {
+ matchConfig.Name = "end2";
+ networkConfig = {
+ BindCarrier = "end2";
+ DHCP = "yes";
+ IPv6AcceptRA = "yes";
+ DHCPPrefixDelegation = "yes";
+ };
+ dhcpPrefixDelegationConfig = {
+ UplinkInterface = ":self";
+ SubnetId = 0;
+ Announce = "no";
+ };
+ linkConfig.RequiredForOnline = "routable";
+ };
+ "lan-brlan" = {
+ matchConfig.Name = "lan*";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ bridgeVLANConfig = {
+ EgressUntagged = 1;
+ PVID = 1;
+ };
+ }
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
+ };
+ };
+ };
+}