authorKarel Kočí <cynerd@email.cz>2024-03-24 19:05:39 +0100
committerKarel Kočí <cynerd@email.cz>2024-03-24 19:05:39 +0100
commite84e6dcf117080eaf7658b25fb20a9dc3b5d1cfe (patch)
tree55422d1fc9370dc331fa63125a2df5597310c452 /nixos/modules
parent6c16e4133582def100c39b17369e46906a6d3337 (diff)
Add wireguard and more updates
Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/desktop.nix1
-rw-r--r--nixos/modules/develop.nix11
-rw-r--r--nixos/modules/generic.nix14
-rw-r--r--nixos/modules/home-assistant.nix20
-rw-r--r--nixos/modules/hosts.nix5
-rw-r--r--nixos/modules/router.nix13
-rw-r--r--nixos/modules/wireguad.nix96
7 files changed, 126 insertions, 34 deletions
diff --git a/nixos/modules/desktop.nix b/nixos/modules/desktop.nix
index d0cc9d5..b145929 100644
--- a/nixos/modules/desktop.nix
+++ b/nixos/modules/desktop.nix
@@ -264,6 +264,7 @@ in {
};
documentation = {
+ enable = true;
man.enable = true;
info.enable = true;
};
diff --git a/nixos/modules/develop.nix b/nixos/modules/develop.nix
index 2daead8..e5510c6 100644
--- a/nixos/modules/develop.nix
+++ b/nixos/modules/develop.nix
@@ -65,6 +65,7 @@ in {
(python3.withPackages (pypkgs:
with pypkgs; [
ipython
+ python-lsp-server
pytest
pytest-html
@@ -151,6 +152,10 @@ in {
programs.wireshark.package = pkgs.wireshark;
documentation = {
+ nixos = {
+ enable = true;
+ includeAllModules = true;
+ };
dev.enable = true;
doc.enable = true;
};
@@ -185,11 +190,5 @@ in {
"develop"
"libvirtd"
];
-
- # Allow using latest git version from registry
- nixpkgs.flake = {
- setNixPath = false;
- setFlakeRegistry = false;
- };
};
}
diff --git a/nixos/modules/generic.nix b/nixos/modules/generic.nix
index 5c6e2fe..e4ac094 100644
--- a/nixos/modules/generic.nix
+++ b/nixos/modules/generic.nix
@@ -43,7 +43,13 @@ in {
services.fwupd.enable = mkDefault (pkgs.system == "x86_64-linux");
systemd.oomd.enable = false;
- nixpkgs.config.allowUnfree = true;
+ nixpkgs = {
+ config.allowUnfree = true;
+ flake = {
+ setNixPath = false;
+ setFlakeRegistry = false;
+ };
+ };
environment.systemPackages = with pkgs;
[
git # We need git for this repository to even work
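Review bot: The `nixpkgs.flake` block that moves into this file from develop.nix arrives without the comment that explained it there, so a reader of generic.nix no longer learns why `setNixPath` and `setFlakeRegistry` are switched off for every host. Restore it above `flake = {`, e.g. `# Allow using latest git version from registry` as the original wording had it, or expand it to say that the system flake input is deliberately not pinned into NIX_PATH and the flake registry. The enclosing attribute set starts and ends outside this hunk.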
@@ -201,5 +207,11 @@ in {
'';
programs.fuse.userAllowOther = true;
+
+ documentation = {
+ enable = mkDefault false;
+ doc.enable = mkDefault false;
+ nixos.enable = mkDefault false;
+ };
};
}
diff --git a/nixos/modules/home-assistant.nix b/nixos/modules/home-assistant.nix
index 267f725..769b1c7 100644
--- a/nixos/modules/home-assistant.nix
+++ b/nixos/modules/home-assistant.nix
@@ -5,13 +5,12 @@
...
}: let
inherit (lib) mkIf mkEnableOption;
- cnf = config.cynerd.home-assistant;
in {
options = {
cynerd.home-assistant = mkEnableOption "Enable Home Assistant and Bigclown";
};
- config = mkIf cnf {
+ config = mkIf config.cynerd.home-assistant {
services.mosquitto = {
enable = true;
listeners = [
@@ -52,16 +51,13 @@ in {
1883 # Mosquitto
];
- services.bigclown = {
- gateway = {
- enable = true;
- device = "/dev/ttyUSB0";
- environmentFile = "/run/secrets/bigclown.env";
- baseTopicPrefix = "bigclown/";
- mqtt = {
- username = "bigclown";
- password = "@PASS_MQTT@";
- };
+ services.bcg = {
+ enable = true;
+ device = "/dev/ttyUSB0";
+ baseTopicPrefix = "bigclown/";
+ mqtt = {
+ username = "bigclown";
+ keyfile = "/run/secrets/mqtt-bigclown.pass";
};
};
diff --git a/nixos/modules/hosts.nix b/nixos/modules/hosts.nix
index b9a40a6..054098d 100644
--- a/nixos/modules/hosts.nix
+++ b/nixos/modules/hosts.nix
@@ -9,6 +9,7 @@
staticZoneOption = mkOption {
type = types.attrsOf types.str;
readOnly = true;
+ description = "The mapping of zone hosts to their IP";
};
in {
options = {
@@ -29,7 +30,6 @@ in {
cynerd.hosts = {
vpn = {
"lipwig" = "10.8.0.1";
- "dean" = "10.8.0.4";
# Portable
"binky" = "10.8.0.2";
"albert" = "10.8.0.3";
@@ -81,7 +81,6 @@ in {
"${cnf.vpn.lipwig}" = ["lipwig.vpn"];
"${cnf.vpn.android}" = ["android.vpn"];
"${cnf.vpn.albert}" = ["albert.vpn"];
- "${cnf.vpn.dean}" = ["dean" "dean.vpn"];
"${cnf.vpn.binky}" = ["binky.vpn"];
"${cnf.vpn.spt-omnia}" = ["spt.vpn"];
"${cnf.vpn.adm-omnia}" = ["adm.vpn"];
@@ -91,7 +90,7 @@ in {
"${cnf.wg.android}" = ["android.wg"];
"${cnf.wg.spt-omnia}" = ["spt.wg"];
"${cnf.wg.adm-omnia}" = ["adm.wg"];
- "${cnf.wg.dean}" = ["dean.wg"];
+ "${cnf.wg.dean}" = ["dean" "dean.wg"];
# Spt
"${cnf.spt.omnia}" = ["omnia.spt"];
"${cnf.spt.mox}" = ["mox.spt"];
diff --git a/nixos/modules/router.nix b/nixos/modules/router.nix
index ed634b1..3002d9b 100644
--- a/nixos/modules/router.nix
+++ b/nixos/modules/router.nix
@@ -54,10 +54,9 @@ in {
firewall = {
logRefusedConnections = false;
interfaces = {
- "home" = {allowedUDPPorts = [67 68];};
- "guest" = {allowedUDPPorts = [67 68];};
+ "home" = {allowedUDPPorts = [53 67 68];};
+ "guest" = {allowedUDPPorts = [53 67 68];};
};
- rejectPackets = true;
filterForward = true;
};
nat = {
@@ -119,7 +118,7 @@ in {
PoolOffset = cnf.dynIPStart;
PoolSize = cnf.dynIPCount;
EmitDNS = "yes";
- DNS = "1.1.1.1";
+ DNS = "${cnf.lanIP}";
};
dhcpServerStaticLeases =
mapAttrsToList (n: v: {
@@ -150,7 +149,7 @@ in {
PoolOffset = cnf.dynIPStart;
PoolSize = cnf.dynIPCount;
EmitDNS = "yes";
- DNS = "1.1.1.1";
+ DNS = "192.168.1.1";
};
dhcpPrefixDelegationConfig = {
UplinkInterface = cnf.wan;
@@ -166,6 +165,10 @@ in {
enable = true;
dnssec = "true";
fallbackDns = ["1.1.1.1" "8.8.8.8"];
+ extraConfig = ''
+ DNSStubListenerExtra=${cnf.lanIP}
+ DNSStubListenerExtra=192.168.1.1
+ '';
};
};
}
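Review bot: The guest-side address is written as the bare literal `192.168.1.1` both in the `DNSStubListenerExtra=` line here and in the guest DHCP `DNS =` line of the previous hunk, while the home side uses `${cnf.lanIP}` in both places. Binding the guest address once (a `let` name in this file, or a `cynerd.router` option alongside `lanIP`) keeps the stub listener and the advertised DNS server from drifting apart, which would silently send guest clients to a resolver that is not listening. The enclosing module body starts outside this hunk.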
diff --git a/nixos/modules/wireguad.nix b/nixos/modules/wireguad.nix
index 67bd8d5..d96fc9e 100644
--- a/nixos/modules/wireguad.nix
+++ b/nixos/modules/wireguad.nix
@@ -1,18 +1,100 @@
{
config,
lib,
+ pkgs,
...
}: let
- inherit (lib) mkEnableOption mkIf;
- cnf = config.cynerd.wireguard;
+ inherit (lib) mkEnableOption mkIf mapAttrsToList optional optionals optionalAttrs filterAttrs;
+ inherit (config.networking) hostName;
+ endpoints = {
+ "lipwig" = "cynerd.cz";
+ "spt-omnia" = "spt.cynerd.cz";
+ "adm-omnia" = "adm.cynerd.cz";
+ };
+ is_endpoint = endpoints ? "${hostName}";
in {
options = {
- cynerd.wireguard = {
- enable = mkEnableOption "Enable Wireguard";
- };
+ cynerd.wireguard = mkEnableOption "Enable Wireguard";
};
- config =
- mkIf cnf.enable {
+ config = mkIf config.cynerd.wireguard {
+ environment.systemPackages = [pkgs.wireguard-tools];
+ systemd.network = {
+ netdevs."wg" = {
+ netdevConfig = {
+ Name = "wg";
+ Kind = "wireguard";
+ Description = "Personal Wireguard tunnel";
+ MTUBytes = "1300";
+ };
+ wireguardConfig = {
+ ListenPort = 51820;
+ PrivateKeyFile = "/run/secrets/wg.key";
+ };
+ wireguardPeers =
+ [
+ {
+ wireguardPeerConfig =
+ {
+ Endpoint = "${endpoints.lipwig}:51820";
+ AllowedIPs = ["0.0.0.0/0"];
+ PublicKey = config.secrets.wireguardPubs.lipwig;
+ }
+ // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
+ }
+ {
+ wireguardPeerConfig =
+ {
+ Endpoint = "${endpoints.spt-omnia}:51820";
+ AllowedIPs = [
+ "${config.cynerd.hosts.wg.spt-omnia}/32"
+ "10.8.2.0/24"
+ ];
+ PublicKey = config.secrets.wireguardPubs.spt-omnia;
+ }
+ // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
+ }
+ #{
+ # wireguardPeerConfig =
+ # {
+ # Endpoint = "${endpoints.adm-omnia}:51820";
+ # AllowedIPs = [
+ # "${config.cynerd.hosts.wg.adm-omnia}/32"
+ # "10.8.3.0/24"
+ # ];
+ # PublicKey = config.secrets.wireguardPubs.adm-omnia;
+ # }
+ # // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
+ #}
+ ]
+ ++ (optionals is_endpoint (mapAttrsToList (n: v: {
+ wireguardPeerConfig = {
+ AllowedIPs = "${config.cynerd.hosts.wg."${n}"}/32";
+ PublicKey = v;
+ };
+ }) (filterAttrs (n: _: ! endpoints ? "${n}") config.secrets.wireguardPubs)));
+ };
+ networks."wg" = {
+ matchConfig.Name = "wg";
+ networkConfig = {
+ Address = "${config.cynerd.hosts.wg."${hostName}"}/24";
+ IPForward = is_endpoint;
+ };
+ routes =
+ (optional (hostName != "spt-omnia") {
+ routeConfig = {
+ Gateway = config.cynerd.hosts.wg.spt-omnia;
+ Destination = "10.8.2.0/24";
+ };
+ })
+ ++ (optional (hostName != "adm-omnia" && hostName != "lipwig") {
+ routeConfig = {
+ Gateway = config.cynerd.hosts.wg.adm-omnia;
+ Destination = "10.8.3.0/24";
+ };
+ });
+ };
};
+ networking.firewall.allowedUDPPorts = [51820];
+ };
}
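Review bot: `networking.firewall.allowedUDPPorts = [51820];` at the bottom of the hunk opens the listen port on every host that enables the module, yet only the three hosts in `endpoints` are ever dialed — the rest reach them outbound and hold the session open via the `PersistentKeepalive = 25` merged in by `optionalAttrs (!is_endpoint)` — so roaming clients expose a listener they never need; `networking.firewall.allowedUDPPorts = optional is_endpoint 51820;` keeps it closed there (`optional` is already inherited at the top). The fixed `wireguardPeers` list is also not filtered by `hostName`, so lipwig and spt-omnia each get a peer entry carrying their own public key; networkd may just ignore it, but filtering that list by host would make the intent explicit. Finally, the route to `10.8.3.0/24` via `config.cynerd.hosts.wg.adm-omnia` is live while the adm-omnia peer block is commented out, so on non-endpoint hosts that destination matches no peer's AllowedIPs and falls into lipwig's `0.0.0.0/0` catch-all; either drop the route for now or restore the peer together with it rather than leaving the commented block in the file.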