authorKarel Kočí <cynerd@email.cz>2024-03-24 19:05:39 +0100
committerKarel Kočí <cynerd@email.cz>2024-03-24 19:05:39 +0100
commite84e6dcf117080eaf7658b25fb20a9dc3b5d1cfe (patch)
tree55422d1fc9370dc331fa63125a2df5597310c452 /nixos
parent6c16e4133582def100c39b17369e46906a6d3337 (diff)
Add wireguard and more updates
Diffstat (limited to 'nixos')
-rw-r--r--nixos/configurations/binky.nix24
-rw-r--r--nixos/configurations/dean.nix45
-rw-r--r--nixos/configurations/lipwig.nix18
-rw-r--r--nixos/configurations/spt-omnia.nix6
-rw-r--r--nixos/configurations/spt-omniax.nix51
-rw-r--r--nixos/modules/desktop.nix1
-rw-r--r--nixos/modules/develop.nix11
-rw-r--r--nixos/modules/generic.nix14
-rw-r--r--nixos/modules/home-assistant.nix20
-rw-r--r--nixos/modules/hosts.nix5
-rw-r--r--nixos/modules/router.nix13
-rw-r--r--nixos/modules/wireguad.nix96
12 files changed, 189 insertions, 115 deletions
diff --git a/nixos/configurations/binky.nix b/nixos/configurations/binky.nix
index c51f95b..bdfa47e 100644
--- a/nixos/configurations/binky.nix
+++ b/nixos/configurations/binky.nix
@@ -14,10 +14,8 @@ in {
};
wifiClient = true;
develop = true;
- openvpn = {
- oldpersonal = true;
- elektroline = true;
- };
+ wireguard = true;
+ openvpn.elektroline = true;
};
boot = {
@@ -56,6 +54,24 @@ in {
fileSystems = ["/"];
};
+ networking = {
+ useNetworkd = true;
+ useDHCP = false;
+ };
+ systemd.network = {
+ networks = {
+ "dhcp" = {
+ matchConfig.Name = "enp2s0f0 enp5s0f3u1u1 wlp3s0";
+ networkConfig = {
+ DHCP = "yes";
+ IPv6AcceptRA = "yes";
+ };
+ linkConfig.RequiredForOnline = "routable";
+ };
+ };
+ wait-online.enable = false;
+ };
+
services.syncthing = {
enable = true;
user = mkDefault "cynerd";
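Review bot: `wait-online.enable = false;` (also added in dean.nix and lipwig.nix in this commit) makes network-online.target reachable before any link is routable, so every unit ordered after it now starts without connectivity. On this host the timeout it works around is most likely that the `dhcp` network matches three interfaces (`enp2s0f0 enp5s0f3u1u1 wlp3s0`) and marks all of them `RequiredForOnline = "routable"`, while wait-online by default waits for every required link, so an unplugged port or idle wifi blocks it. Keeping the service and setting `systemd.network.wait-online.anyInterface = true;` lets it succeed once one of them is routable; alternatively set `linkConfig.RequiredForOnline = "no"` on the interfaces that are not normally connected. The `# TODO investigate why it doesn't work` in the dean hunk may well have the same cause.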
diff --git a/nixos/configurations/dean.nix b/nixos/configurations/dean.nix
index b91083c..44feaea 100644
--- a/nixos/configurations/dean.nix
+++ b/nixos/configurations/dean.nix
@@ -1,35 +1,38 @@
{pkgs, ...}: {
- nixpkgs.hostPlatform.system = "aarch64-linux";
+ turris.board = "mox";
+ deploy.enable = true;
cynerd = {
- openvpn = {
- oldpersonal = true;
- };
+ wireguard = true;
monitoring.speedtest = true;
};
networking = {
- bridges = {
- brlan = {
- interfaces = [
- "eth0"
- "lan1"
- "lan2"
- "lan3"
- "lan4"
- ];
+ useNetworkd = true;
+ useDHCP = false;
+ };
+ systemd.network = {
+ netdevs."brlab".netdevConfig = {
+ Kind = "bridge";
+ Name = "brlan";
+ };
+ networks = {
+ "brlan" = {
+ matchConfig.Name = "brlan";
+ networkConfig = {
+ DHCP = "yes";
+ IPv6AcceptRA = "yes";
+ };
+ };
+ "lan-brlan" = {
+ matchConfig.Name = "lan* end0";
+ networkConfig.Bridge = "brlan";
};
};
- dhcpcd.allowInterfaces = ["brlan"];
+ # TODO investigate why it doesn't work
+ wait-online.enable = false;
};
- swapDevices = [
- {
- device = "/var/swap";
- priority = 1;
- }
- ];
-
environment.systemPackages = with pkgs; [
#openocd
tio
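Review bot: The netdev attribute is named `"brlab"` while its `Name = "brlan"` and both networks match `brlan`; the attribute name only becomes the generated .netdev unit's filename, so the bridge still works, but it reads as a typo and makes the unit harder to find on the box. Rename it `netdevs."brlan".netdevConfig = {` so the key and the interface name agree. The bridge previously enslaved `eth0` and now matches `"lan* end0"`; presumably that is the predictable name on the mox board, but a non-matching name silently leaves the port out of the bridge, so it is worth confirming with `networkctl` after deploying.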
diff --git a/nixos/configurations/lipwig.nix b/nixos/configurations/lipwig.nix
index c484541..0eefe5f 100644
--- a/nixos/configurations/lipwig.nix
+++ b/nixos/configurations/lipwig.nix
@@ -19,6 +19,7 @@
enable = false;
baseDir = "/nas";
};
+ wireguard = true;
openvpn.oldpersonal = true;
};
@@ -29,10 +30,21 @@
fsType = "nfs";
};
- networking.firewall = {
- allowedTCPPorts = [80 443];
- allowedUDPPorts = [1194];
+ networking = {
+ useNetworkd = true;
+ useDHCP = false;
+ nftables.enable = true;
+ firewall = {
+ allowedTCPPorts = [80 443];
+ allowedUDPPorts = [1194];
+ filterForward = true;
+ extraForwardRules = ''
+ iifname {"wg", "personalvpn"} oifname {"wg", "personalvpn"} accept
+ '';
+ };
};
+ systemd.network.wait-online.enable = false;
+ systemd.services.networking-setup.wantedBy = ["network-online.target"];
# Web ######################################################################
services.nginx = {
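Review bot: `systemd.services.networking-setup.wantedBy = ["network-online.target"];` refers to a unit that nothing in this change defines; if the intended unit has a different name, NixOS will generate an empty `networking-setup.service` from this attribute set, which systemd refuses to load for lack of an ExecStart, so verify the unit name. With `systemd.network.wait-online.enable = false;` on the line above, network-online.target is reached as soon as networkd starts, so pulling a unit into that target no longer delays it until the interfaces are routable — if the unit needs the WAN up, order it `after = ["network-online.target"]` and keep wait-online enabled (see the binky hunk for the likely cause of the timeout). The forward rule `iifname {"wg", "personalvpn"} oifname {"wg", "personalvpn"} accept` admits any traffic between the two tunnels in both directions; fine for authenticated peers, but a one-line comment stating that this is the intended hub-and-spoke path would help the next reader.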
diff --git a/nixos/configurations/spt-omnia.nix b/nixos/configurations/spt-omnia.nix
index ca4d211..8456368 100644
--- a/nixos/configurations/spt-omnia.nix
+++ b/nixos/configurations/spt-omnia.nix
@@ -37,12 +37,13 @@ in {
channel = 36;
};
};
+ wireguard = true;
openvpn.oldpersonal = true;
monitoring.speedtest = true;
};
services.journald.extraConfig = ''
- SystemMaxUse=512M
+ SystemMaxUse=8G
'';
environment = {
@@ -136,6 +137,7 @@ in {
IPv6AcceptRA = "no";
DHCPPrefixDelegation = "yes";
};
+ dhcpV6Config.PrefixDelegationHint = "::/56";
dhcpPrefixDelegationConfig = {
UplinkInterface = ":self";
SubnetId = 0;
@@ -179,7 +181,7 @@ in {
# TODO limit NSS clamping to just pppoe-wan
networking.firewall.extraForwardRules = ''
tcp flags syn tcp option maxseg size set rt mtu comment "Needed for PPPoE to fix IPv4"
- iifname {"home", "personalvpn"} oifname {"home", "personalvpn"} accept
+ iifname {"home", "personalvpn", "wg"} oifname {"home", "personalvpn", "wg"} accept
'';
services.syncthing = {
diff --git a/nixos/configurations/spt-omniax.nix b/nixos/configurations/spt-omniax.nix
deleted file mode 100644
index 4f9e0e0..0000000
--- a/nixos/configurations/spt-omniax.nix
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- turris.board = "omnia";
-
- cynerd = {
- router = {
- enable = true;
- wan = "end2";
- lanIP = "192.168.2.1";
- };
- wifiAP.spt = {
- enable = true;
- ar9287.interface = "wlp3s0";
- qca988x.interface = "wlp2s0";
- };
- monitoring.speedtest = true;
- };
-
- networking.useDHCP = false;
- systemd.network = {
- networks = {
- "end2" = {
- matchConfig.Name = "end2";
- networkConfig = {
- BindCarrier = "end2";
- DHCP = "yes";
- IPv6AcceptRA = "yes";
- DHCPPrefixDelegation = "yes";
- };
- dhcpPrefixDelegationConfig = {
- UplinkInterface = ":self";
- SubnetId = 0;
- Announce = "no";
- };
- linkConfig.RequiredForOnline = "routable";
- };
- "lan-brlan" = {
- matchConfig.Name = "lan*";
- networkConfig.Bridge = "brlan";
- bridgeVLANs = [
- {
- bridgeVLANConfig = {
- EgressUntagged = 1;
- PVID = 1;
- };
- }
- {bridgeVLANConfig.VLAN = 2;}
- ];
- };
- };
- };
-}
diff --git a/nixos/modules/desktop.nix b/nixos/modules/desktop.nix
index d0cc9d5..b145929 100644
--- a/nixos/modules/desktop.nix
+++ b/nixos/modules/desktop.nix
@@ -264,6 +264,7 @@ in {
};
documentation = {
+ enable = true;
man.enable = true;
info.enable = true;
};
diff --git a/nixos/modules/develop.nix b/nixos/modules/develop.nix
index 2daead8..e5510c6 100644
--- a/nixos/modules/develop.nix
+++ b/nixos/modules/develop.nix
@@ -65,6 +65,7 @@ in {
(python3.withPackages (pypkgs:
with pypkgs; [
ipython
+ python-lsp-server
pytest
pytest-html
@@ -151,6 +152,10 @@ in {
programs.wireshark.package = pkgs.wireshark;
documentation = {
+ nixos = {
+ enable = true;
+ includeAllModules = true;
+ };
dev.enable = true;
doc.enable = true;
};
@@ -185,11 +190,5 @@ in {
"develop"
"libvirtd"
];
-
- # Allow using latest git version from registry
- nixpkgs.flake = {
- setNixPath = false;
- setFlakeRegistry = false;
- };
};
}
diff --git a/nixos/modules/generic.nix b/nixos/modules/generic.nix
index 5c6e2fe..e4ac094 100644
--- a/nixos/modules/generic.nix
+++ b/nixos/modules/generic.nix
@@ -43,7 +43,13 @@ in {
services.fwupd.enable = mkDefault (pkgs.system == "x86_64-linux");
systemd.oomd.enable = false;
- nixpkgs.config.allowUnfree = true;
+ nixpkgs = {
+ config.allowUnfree = true;
+ flake = {
+ setNixPath = false;
+ setFlakeRegistry = false;
+ };
+ };
environment.systemPackages = with pkgs;
[
git # We need git for this repository to even work
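Review bot: The `nixpkgs.flake` block moved here from develop.nix lost its explanatory comment, so the two `false` settings now read as unexplained in the module every host imports. Restore it above `flake = {`: `# Allow using latest git version from registry`, so the reason for not pinning NIX_PATH and the flake registry to the system nixpkgs survives the move. The `documentation` defaults in the next hunk are fine as `mkDefault`, since desktop.nix and develop.nix in this commit override them.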
@@ -201,5 +207,11 @@ in {
'';
programs.fuse.userAllowOther = true;
+
+ documentation = {
+ enable = mkDefault false;
+ doc.enable = mkDefault false;
+ nixos.enable = mkDefault false;
+ };
};
}
diff --git a/nixos/modules/home-assistant.nix b/nixos/modules/home-assistant.nix
index 267f725..769b1c7 100644
--- a/nixos/modules/home-assistant.nix
+++ b/nixos/modules/home-assistant.nix
@@ -5,13 +5,12 @@
...
}: let
inherit (lib) mkIf mkEnableOption;
- cnf = config.cynerd.home-assistant;
in {
options = {
cynerd.home-assistant = mkEnableOption "Enable Home Assistant and Bigclown";
};
- config = mkIf cnf {
+ config = mkIf config.cynerd.home-assistant {
services.mosquitto = {
enable = true;
listeners = [
@@ -52,16 +51,13 @@ in {
1883 # Mosquitto
];
- services.bigclown = {
- gateway = {
- enable = true;
- device = "/dev/ttyUSB0";
- environmentFile = "/run/secrets/bigclown.env";
- baseTopicPrefix = "bigclown/";
- mqtt = {
- username = "bigclown";
- password = "@PASS_MQTT@";
- };
+ services.bcg = {
+ enable = true;
+ device = "/dev/ttyUSB0";
+ baseTopicPrefix = "bigclown/";
+ mqtt = {
+ username = "bigclown";
+ keyfile = "/run/secrets/mqtt-bigclown.pass";
};
};
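Review bot: `keyfile = "/run/secrets/mqtt-bigclown.pass"` on the `services.bcg.mqtt` block is not an option I can confirm from this hunk; if the bcg module's file-backed password option has a different name the attribute is rejected at evaluation, so check it against the module before deploying. Replacing the inline `password = "@PASS_MQTT@"` placeholder and its `environmentFile` with a secret file is the right direction, as the password no longer ends up in the Nix store. The new path has to be readable by the user the bcg service runs as, and the file should contain only the password with no trailing content the module does not strip; neither is visible here, so confirm both in the secrets module.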
diff --git a/nixos/modules/hosts.nix b/nixos/modules/hosts.nix
index b9a40a6..054098d 100644
--- a/nixos/modules/hosts.nix
+++ b/nixos/modules/hosts.nix
@@ -9,6 +9,7 @@
staticZoneOption = mkOption {
type = types.attrsOf types.str;
readOnly = true;
+ description = "The mapping of zone hosts to their IP";
};
in {
options = {
@@ -29,7 +30,6 @@ in {
cynerd.hosts = {
vpn = {
"lipwig" = "10.8.0.1";
- "dean" = "10.8.0.4";
# Portable
"binky" = "10.8.0.2";
"albert" = "10.8.0.3";
@@ -81,7 +81,6 @@ in {
"${cnf.vpn.lipwig}" = ["lipwig.vpn"];
"${cnf.vpn.android}" = ["android.vpn"];
"${cnf.vpn.albert}" = ["albert.vpn"];
- "${cnf.vpn.dean}" = ["dean" "dean.vpn"];
"${cnf.vpn.binky}" = ["binky.vpn"];
"${cnf.vpn.spt-omnia}" = ["spt.vpn"];
"${cnf.vpn.adm-omnia}" = ["adm.vpn"];
@@ -91,7 +90,7 @@ in {
"${cnf.wg.android}" = ["android.wg"];
"${cnf.wg.spt-omnia}" = ["spt.wg"];
"${cnf.wg.adm-omnia}" = ["adm.wg"];
- "${cnf.wg.dean}" = ["dean.wg"];
+ "${cnf.wg.dean}" = ["dean" "dean.wg"];
# Spt
"${cnf.spt.omnia}" = ["omnia.spt"];
"${cnf.spt.mox}" = ["mox.spt"];
diff --git a/nixos/modules/router.nix b/nixos/modules/router.nix
index ed634b1..3002d9b 100644
--- a/nixos/modules/router.nix
+++ b/nixos/modules/router.nix
@@ -54,10 +54,9 @@ in {
firewall = {
logRefusedConnections = false;
interfaces = {
- "home" = {allowedUDPPorts = [67 68];};
- "guest" = {allowedUDPPorts = [67 68];};
+ "home" = {allowedUDPPorts = [53 67 68];};
+ "guest" = {allowedUDPPorts = [53 67 68];};
};
- rejectPackets = true;
filterForward = true;
};
nat = {
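Review bot: The LAN firewall opens only UDP 53 (`allowedUDPPorts = [53 67 68]`) for the resolver that the later hunks point clients at, but the `DNSStubListenerExtra=` listener also answers on TCP, and with `dnssec = "true"` already set, replies larger than the UDP payload are truncated and clients retry over TCP 53, which this rule set still drops. Add `allowedTCPPorts = [53];` next to the UDP list for both `"home"` and `"guest"`. Dropping `rejectPackets = true;` also changes refused LAN traffic from ICMP reject to silent drop; if that is intentional a short comment would help, since clients on those networks will now see timeouts instead of immediate failures on closed ports.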
@@ -119,7 +118,7 @@ in {
PoolOffset = cnf.dynIPStart;
PoolSize = cnf.dynIPCount;
EmitDNS = "yes";
- DNS = "1.1.1.1";
+ DNS = "${cnf.lanIP}";
};
dhcpServerStaticLeases =
mapAttrsToList (n: v: {
@@ -150,7 +149,7 @@ in {
PoolOffset = cnf.dynIPStart;
PoolSize = cnf.dynIPCount;
EmitDNS = "yes";
- DNS = "1.1.1.1";
+ DNS = "192.168.1.1";
};
dhcpPrefixDelegationConfig = {
UplinkInterface = cnf.wan;
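Review bot: The DNS server for this second DHCP pool is hard-coded as `DNS = "192.168.1.1";` while the first pool uses `DNS = "${cnf.lanIP}";`, and the same literal is repeated in `DNSStubListenerExtra=192.168.1.1` in the last hunk. If this is the guest network's gateway address it should come from the same option that fills the pool's other fields, so the stub listener and the advertised resolver cannot drift apart; failing that, a `let` binding at the top of the module would keep the two occurrences in step. Which network this pool serves is outside the hunk, so I cannot tell whether `cnf.lanIP` itself was meant here.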
@@ -166,6 +165,10 @@ in {
enable = true;
dnssec = "true";
fallbackDns = ["1.1.1.1" "8.8.8.8"];
+ extraConfig = ''
+ DNSStubListenerExtra=${cnf.lanIP}
+ DNSStubListenerExtra=192.168.1.1
+ '';
};
};
}
diff --git a/nixos/modules/wireguad.nix b/nixos/modules/wireguad.nix
index 67bd8d5..d96fc9e 100644
--- a/nixos/modules/wireguad.nix
+++ b/nixos/modules/wireguad.nix
@@ -1,18 +1,100 @@
{
config,
lib,
+ pkgs,
...
}: let
- inherit (lib) mkEnableOption mkIf;
- cnf = config.cynerd.wireguard;
+ inherit (lib) mkEnableOption mkIf mapAttrsToList optional optionals optionalAttrs filterAttrs;
+ inherit (config.networking) hostName;
+ endpoints = {
+ "lipwig" = "cynerd.cz";
+ "spt-omnia" = "spt.cynerd.cz";
+ "adm-omnia" = "adm.cynerd.cz";
+ };
+ is_endpoint = endpoints ? "${hostName}";
in {
options = {
- cynerd.wireguard = {
- enable = mkEnableOption "Enable Wireguard";
- };
+ cynerd.wireguard = mkEnableOption "Enable Wireguard";
};
- config =
- mkIf cnf.enable {
+ config = mkIf config.cynerd.wireguard {
+ environment.systemPackages = [pkgs.wireguard-tools];
+ systemd.network = {
+ netdevs."wg" = {
+ netdevConfig = {
+ Name = "wg";
+ Kind = "wireguard";
+ Description = "Personal Wireguard tunnel";
+ MTUBytes = "1300";
+ };
+ wireguardConfig = {
+ ListenPort = 51820;
+ PrivateKeyFile = "/run/secrets/wg.key";
+ };
+ wireguardPeers =
+ [
+ {
+ wireguardPeerConfig =
+ {
+ Endpoint = "${endpoints.lipwig}:51820";
+ AllowedIPs = ["0.0.0.0/0"];
+ PublicKey = config.secrets.wireguardPubs.lipwig;
+ }
+ // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
+ }
+ {
+ wireguardPeerConfig =
+ {
+ Endpoint = "${endpoints.spt-omnia}:51820";
+ AllowedIPs = [
+ "${config.cynerd.hosts.wg.spt-omnia}/32"
+ "10.8.2.0/24"
+ ];
+ PublicKey = config.secrets.wireguardPubs.spt-omnia;
+ }
+ // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
+ }
+ #{
+ # wireguardPeerConfig =
+ # {
+ # Endpoint = "${endpoints.adm-omnia}:51820";
+ # AllowedIPs = [
+ # "${config.cynerd.hosts.wg.adm-omnia}/32"
+ # "10.8.3.0/24"
+ # ];
+ # PublicKey = config.secrets.wireguardPubs.adm-omnia;
+ # }
+ # // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
+ #}
+ ]
+ ++ (optionals is_endpoint (mapAttrsToList (n: v: {
+ wireguardPeerConfig = {
+ AllowedIPs = "${config.cynerd.hosts.wg."${n}"}/32";
+ PublicKey = v;
+ };
+ }) (filterAttrs (n: _: ! endpoints ? "${n}") config.secrets.wireguardPubs)));
+ };
+ networks."wg" = {
+ matchConfig.Name = "wg";
+ networkConfig = {
+ Address = "${config.cynerd.hosts.wg."${hostName}"}/24";
+ IPForward = is_endpoint;
+ };
+ routes =
+ (optional (hostName != "spt-omnia") {
+ routeConfig = {
+ Gateway = config.cynerd.hosts.wg.spt-omnia;
+ Destination = "10.8.2.0/24";
+ };
+ })
+ ++ (optional (hostName != "adm-omnia" && hostName != "lipwig") {
+ routeConfig = {
+ Gateway = config.cynerd.hosts.wg.adm-omnia;
+ Destination = "10.8.3.0/24";
+ };
+ });
+ };
};
+ networking.firewall.allowedUDPPorts = [51820];
+ };
}
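Review bot: The route to `10.8.3.0/24` via `config.cynerd.hosts.wg.adm-omnia` is still installed on every host other than adm-omnia and lipwig, but the adm-omnia peer is commented out, so the only AllowedIPs entry covering that gateway is lipwig's `0.0.0.0/0`; lipwig has no adm-omnia peer either (endpoints are filtered out of its dynamic list), so that traffic cannot reach adm-omnia — comment the route out together with the peer, or guard both on one flag. `networking.firewall.allowedUDPPorts = [51820];` opens the listen port on every host, although only the three `endpoints` ever receive inbound handshakes and the others dial out with `PersistentKeepalive`; `networking.firewall.allowedUDPPorts = optionals is_endpoint [51820];` limits the exposure to the hosts that need it. The static peer list is not filtered by `hostName`, so lipwig and spt-omnia each get themselves as a peer with their own public key; presumably harmless, but `optional (hostName != "lipwig")` around each entry would keep the generated .netdev clean. `PrivateKeyFile = "/run/secrets/wg.key"` must be readable by the `systemd-network` user for networkd to load it, and the file's ownership is not set here, so confirm it in the secrets module. `AllowedIPs` is a list for the static peers but a plain string for the dynamic ones; both are accepted, but using a list in both places reads more consistently.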