Add wireguard and more updates

7 files changed, 126 insertions, 34 deletions

diff --git a/nixos/modules/desktop.nix b/nixos/modules/desktop.nix
index d0cc9d5..b145929 100644
--- a/nixos/modules/desktop.nix
+++ b/nixos/modules/desktop.nix
@@ -264,6 +264,7 @@ in {
     };
 
     documentation = {
+      enable = true;
       man.enable = true;
       info.enable = true;
     };
diff --git a/nixos/modules/develop.nix b/nixos/modules/develop.nix
index 2daead8..e5510c6 100644
--- a/nixos/modules/develop.nix
+++ b/nixos/modules/develop.nix
@@ -65,6 +65,7 @@ in {
       (python3.withPackages (pypkgs:
         with pypkgs; [
           ipython
+          python-lsp-server
 
           pytest
           pytest-html
@@ -151,6 +152,10 @@ in {
     programs.wireshark.package = pkgs.wireshark;
 
     documentation = {
+      nixos = {
+        enable = true;
+        includeAllModules = true;
+      };
       dev.enable = true;
       doc.enable = true;
     };
@@ -185,11 +190,5 @@ in {
       "develop"
       "libvirtd"
     ];
-
-    # Allow using latest git version from registry
-    nixpkgs.flake = {
-      setNixPath = false;
-      setFlakeRegistry = false;
-    };
   };
 }
diff --git a/nixos/modules/generic.nix b/nixos/modules/generic.nix
index 5c6e2fe..e4ac094 100644
--- a/nixos/modules/generic.nix
+++ b/nixos/modules/generic.nix
@@ -43,7 +43,13 @@ in {
     services.fwupd.enable = mkDefault (pkgs.system == "x86_64-linux");
     systemd.oomd.enable = false;
 
-    nixpkgs.config.allowUnfree = true;
+    nixpkgs = {
+      config.allowUnfree = true;
+      flake = {
+        setNixPath = false;
+        setFlakeRegistry = false;
+      };
+    };
     environment.systemPackages = with pkgs;
       [
         git # We need git for this repository to even work
@@ -201,5 +207,11 @@ in {
     '';
 
     programs.fuse.userAllowOther = true;
+
+    documentation = {
+      enable = mkDefault false;
+      doc.enable = mkDefault false;
+      nixos.enable = mkDefault false;
+    };
   };
 }
diff --git a/nixos/modules/home-assistant.nix b/nixos/modules/home-assistant.nix
index 267f725..769b1c7 100644
--- a/nixos/modules/home-assistant.nix
+++ b/nixos/modules/home-assistant.nix
@@ -5,13 +5,12 @@
   ...
 }: let
   inherit (lib) mkIf mkEnableOption;
-  cnf = config.cynerd.home-assistant;
 in {
   options = {
     cynerd.home-assistant = mkEnableOption "Enable Home Assistant and Bigclown";
   };
 
-  config = mkIf cnf {
+  config = mkIf config.cynerd.home-assistant {
     services.mosquitto = {
       enable = true;
       listeners = [
@@ -52,16 +51,13 @@ in {
       1883 # Mosquitto
     ];
 
-    services.bigclown = {
-      gateway = {
-        enable = true;
-        device = "/dev/ttyUSB0";
-        environmentFile = "/run/secrets/bigclown.env";
-        baseTopicPrefix = "bigclown/";
-        mqtt = {
-          username = "bigclown";
-          password = "@PASS_MQTT@";
-        };
+    services.bcg = {
+      enable = true;
+      device = "/dev/ttyUSB0";
+      baseTopicPrefix = "bigclown/";
+      mqtt = {
+        username = "bigclown";
+        keyfile = "/run/secrets/mqtt-bigclown.pass";
       };
     };
 
diff --git a/nixos/modules/hosts.nix b/nixos/modules/hosts.nix
index b9a40a6..054098d 100644
--- a/nixos/modules/hosts.nix
+++ b/nixos/modules/hosts.nix
@@ -9,6 +9,7 @@
   staticZoneOption = mkOption {
     type = types.attrsOf types.str;
     readOnly = true;
+    description = "The mapping of zone hosts to their IP";
   };
 in {
   options = {
@@ -29,7 +30,6 @@ in {
     cynerd.hosts = {
       vpn = {
         "lipwig" = "10.8.0.1";
-        "dean" = "10.8.0.4";
         # Portable
         "binky" = "10.8.0.2";
         "albert" = "10.8.0.3";
@@ -81,7 +81,6 @@ in {
       "${cnf.vpn.lipwig}" = ["lipwig.vpn"];
       "${cnf.vpn.android}" = ["android.vpn"];
       "${cnf.vpn.albert}" = ["albert.vpn"];
-      "${cnf.vpn.dean}" = ["dean" "dean.vpn"];
       "${cnf.vpn.binky}" = ["binky.vpn"];
       "${cnf.vpn.spt-omnia}" = ["spt.vpn"];
       "${cnf.vpn.adm-omnia}" = ["adm.vpn"];
@@ -91,7 +90,7 @@ in {
       "${cnf.wg.android}" = ["android.wg"];
       "${cnf.wg.spt-omnia}" = ["spt.wg"];
       "${cnf.wg.adm-omnia}" = ["adm.wg"];
-      "${cnf.wg.dean}" = ["dean.wg"];
+      "${cnf.wg.dean}" = ["dean" "dean.wg"];
       # Spt
       "${cnf.spt.omnia}" = ["omnia.spt"];
       "${cnf.spt.mox}" = ["mox.spt"];
diff --git a/nixos/modules/router.nix b/nixos/modules/router.nix
index ed634b1..3002d9b 100644
--- a/nixos/modules/router.nix
+++ b/nixos/modules/router.nix
@@ -54,10 +54,9 @@ in {
       firewall = {
         logRefusedConnections = false;
         interfaces = {
-          "home" = {allowedUDPPorts = [67 68];};
-          "guest" = {allowedUDPPorts = [67 68];};
+          "home" = {allowedUDPPorts = [53 67 68];};
+          "guest" = {allowedUDPPorts = [53 67 68];};
         };
-        rejectPackets = true;
         filterForward = true;
       };
       nat = {
@@ -119,7 +118,7 @@ in {
             PoolOffset = cnf.dynIPStart;
             PoolSize = cnf.dynIPCount;
             EmitDNS = "yes";
-            DNS = "1.1.1.1";
+            DNS = "${cnf.lanIP}";
           };
           dhcpServerStaticLeases =
             mapAttrsToList (n: v: {
@@ -150,7 +149,7 @@ in {
             PoolOffset = cnf.dynIPStart;
             PoolSize = cnf.dynIPCount;
             EmitDNS = "yes";
-            DNS = "1.1.1.1";
+            DNS = "192.168.1.1";
           };
           dhcpPrefixDelegationConfig = {
             UplinkInterface = cnf.wan;
@@ -166,6 +165,10 @@ in {
       enable = true;
       dnssec = "true";
       fallbackDns = ["1.1.1.1" "8.8.8.8"];
+      extraConfig = ''
+        DNSStubListenerExtra=${cnf.lanIP}
+        DNSStubListenerExtra=192.168.1.1
+      '';
     };
   };
 }
diff --git a/nixos/modules/wireguad.nix b/nixos/modules/wireguad.nix
index 67bd8d5..d96fc9e 100644
--- a/nixos/modules/wireguad.nix
+++ b/nixos/modules/wireguad.nix
@@ -1,18 +1,100 @@
 {
   config,
   lib,
+  pkgs,
   ...
 }: let
-  inherit (lib) mkEnableOption mkIf;
-  cnf = config.cynerd.wireguard;
+  inherit (lib) mkEnableOption mkIf mapAttrsToList optional optionals optionalAttrs filterAttrs;
+  inherit (config.networking) hostName;
+  endpoints = {
+    "lipwig" = "cynerd.cz";
+    "spt-omnia" = "spt.cynerd.cz";
+    "adm-omnia" = "adm.cynerd.cz";
+  };
+  is_endpoint = endpoints ? "${hostName}";
 in {
   options = {
-    cynerd.wireguard = {
-      enable = mkEnableOption "Enable Wireguard";
-    };
+    cynerd.wireguard = mkEnableOption "Enable Wireguard";
   };
 
-  config =
-    mkIf cnf.enable {
+  config = mkIf config.cynerd.wireguard {
+    environment.systemPackages = [pkgs.wireguard-tools];
+    systemd.network = {
+      netdevs."wg" = {
+        netdevConfig = {
+          Name = "wg";
+          Kind = "wireguard";
+          Description = "Personal Wireguard tunnel";
+          MTUBytes = "1300";
+        };
+        wireguardConfig = {
+          ListenPort = 51820;
+          PrivateKeyFile = "/run/secrets/wg.key";
+        };
+        wireguardPeers =
+          [
+            {
+              wireguardPeerConfig =
+                {
+                  Endpoint = "${endpoints.lipwig}:51820";
+                  AllowedIPs = ["0.0.0.0/0"];
+                  PublicKey = config.secrets.wireguardPubs.lipwig;
+                }
+                // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
+            }
+            {
+              wireguardPeerConfig =
+                {
+                  Endpoint = "${endpoints.spt-omnia}:51820";
+                  AllowedIPs = [
+                    "${config.cynerd.hosts.wg.spt-omnia}/32"
+                    "10.8.2.0/24"
+                  ];
+                  PublicKey = config.secrets.wireguardPubs.spt-omnia;
+                }
+                // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
+            }
+            #{
+            #  wireguardPeerConfig =
+            #    {
+            #      Endpoint = "${endpoints.adm-omnia}:51820";
+            #      AllowedIPs = [
+            #        "${config.cynerd.hosts.wg.adm-omnia}/32"
+            #        "10.8.3.0/24"
+            #      ];
+            #      PublicKey = config.secrets.wireguardPubs.adm-omnia;
+            #    }
+            #    // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
+            #}
+          ]
+          ++ (optionals is_endpoint (mapAttrsToList (n: v: {
+            wireguardPeerConfig = {
+              AllowedIPs = "${config.cynerd.hosts.wg."${n}"}/32";
+              PublicKey = v;
+            };
+          }) (filterAttrs (n: _: ! endpoints ? "${n}") config.secrets.wireguardPubs)));
+      };
+      networks."wg" = {
+        matchConfig.Name = "wg";
+        networkConfig = {
+          Address = "${config.cynerd.hosts.wg."${hostName}"}/24";
+          IPForward = is_endpoint;
+        };
+        routes =
+          (optional (hostName != "spt-omnia") {
+            routeConfig = {
+              Gateway = config.cynerd.hosts.wg.spt-omnia;
+              Destination = "10.8.2.0/24";
+            };
+          })
+          ++ (optional (hostName != "adm-omnia" && hostName != "lipwig") {
+            routeConfig = {
+              Gateway = config.cynerd.hosts.wg.adm-omnia;
+              Destination = "10.8.3.0/24";
+            };
+          });
+      };
     };
+    networking.firewall.allowedUDPPorts = [51820];
+  };
 }