-rw-r--r-- | devShells/c.nix | 10 | ||||
-rw-r--r-- | devShells/default.nix | 2 | ||||
-rw-r--r-- | flake.lock | 228 | ||||
-rw-r--r-- | flake.nix | 2 | ||||
-rw-r--r-- | nixos/configurations/adm-omnia.nix | 88 | ||||
-rw-r--r-- | nixos/configurations/adm-omnia2.nix | 4 | ||||
-rw-r--r-- | nixos/configurations/binky.nix | 8 | ||||
-rw-r--r-- | nixos/configurations/lipwig.nix | 49 | ||||
-rw-r--r-- | nixos/configurations/ridcully.nix | 7 | ||||
-rw-r--r-- | nixos/configurations/spt-mox2.nix | 6 | ||||
-rw-r--r-- | nixos/configurations/spt-omnia.nix | 74 | ||||
-rw-r--r-- | nixos/modules/desktop.nix | 31 | ||||
-rw-r--r-- | nixos/modules/develop.nix | 4 | ||||
-rw-r--r-- | nixos/modules/hosts.nix | 1 | ||||
-rw-r--r-- | nixos/modules/monitoring.nix | 4 | ||||
-rw-r--r-- | nixos/modules/router.nix | 22 | ||||
-rw-r--r-- | nixos/modules/users.nix | 7 | ||||
-rw-r--r-- | nixos/modules/wifi-client.nix | 2 | ||||
-rw-r--r-- | nixos/modules/wifi-spt.nix | 72 | ||||
-rw-r--r-- | nixos/modules/wireguad.nix | 5 | ||||
-rw-r--r-- | pkgs/default.nix | 38 | ||||
-rwxr-xr-x | tools/install.sh | 1 |
22 files changed, 277 insertions, 388 deletions
diff --git a/devShells/c.nix b/devShells/c.nix index f1b98a3..5798129 100644 --- a/devShells/c.nix +++ b/devShells/c.nix @@ -46,6 +46,16 @@ pkgs.mkShell { libffi.dev # Qt + #qt6.qttools + #qt6.qtbase + #qt6.qttranslations + #qt6.qtserialport + #qt6.qtwebsockets + #qt6.qtcharts + #qt6.qtsvg + #qt6.qtnetworkauth + #qt6.qtwayland + #qt6.wrapQtAppsHook libsForQt5.qtbase libsForQt5.qttranslations libsForQt5.qtserialport diff --git a/devShells/default.nix b/devShells/default.nix index 882f828..d09fa70 100644 --- a/devShells/default.nix +++ b/devShells/default.nix @@ -1,4 +1,6 @@ pkgs: rec { c = import ./c.nix pkgs; + musl = import ./c.nix pkgs.pkgsMusl; + #llvm = import ./c.nix pkgs.pkgsLLVM; apo = import ./apo.nix pkgs c; } @@ -8,11 +8,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1716561646, - "narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=", + "lastModified": 1723293904, + "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", "owner": "ryantm", "repo": "agenix", - "rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9", + "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", "type": "github" }, "original": { @@ -48,11 +48,11 @@ "systems": "systems_2" }, "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "lastModified": 1726560853, + "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", "type": "github" }, "original": { 
@@ -113,11 +113,11 @@ "systems": "systems_5" }, "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "lastModified": 1726560853, + "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", "type": "github" }, "original": { @@ -130,11 +130,11 @@ "systems": "systems_6" }, "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "lastModified": 1726560853, + "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", "type": "github" }, "original": { @@ -147,40 +147,6 @@ "systems": "systems_7" }, "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", - "type": "github" - }, - "original": { - "id": "flake-utils", - "type": "indirect" - } - }, - "flake-utils_8": { - "inputs": { - "systems": "systems_8" - }, - "locked": { - "lastModified": 1709126324, - "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "d465f4819400de7c8d874d50b982301f28a84605", - "type": "github" - }, - "original": { - "id": "flake-utils", - "type": "indirect" - } - }, - "flake-utils_9": { - "inputs": { - "systems": "systems_9" - }, - "locked": { "lastModified": 1705309234, "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", "owner": "numtide", 
@@ -214,45 +180,6 @@ "type": "github" } }, - "libshv": { - "inputs": { - "flake-utils": "flake-utils_7", - "necrolog": "necrolog", - "nixpkgs": "nixpkgs_8" - }, - "locked": { - "lastModified": 1712426213, - "narHash": "sha256-KDPqP9z5LT6Bau2uq7dgyNrx3fZpiXl/g+0//ICZ0a8=", - "owner": "silicon-heaven", - "repo": "libshv", - "rev": "0639a8d9139f69592baa9c8914d6f40e6aa2d3ac", - "type": "github" - }, - "original": { - "owner": "silicon-heaven", - "repo": "libshv", - "type": "github" - } - }, - "necrolog": { - "inputs": { - "flake-utils": "flake-utils_8", - "nixpkgs": "nixpkgs_7" - }, - "locked": { - "lastModified": 1710239929, - "narHash": "sha256-Sy7absZtICGCYJkBV1/4wpI72743WgDHaMLJk7BhmLQ=", - "owner": "fvacek", - "repo": "necrolog", - "rev": "87ed76143e10a5d07d881795eac11a1429a09012", - "type": "github" - }, - "original": { - "owner": "fvacek", - "repo": "necrolog", - "type": "github" - } - }, "nixdeploy": { "inputs": { "flake-utils": "flake-utils_2", @@ -274,11 +201,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1717995329, - "narHash": "sha256-lQJXEFHHVsFdFLx0bvoRbZH3IXUBsle6EWj9JroTJ/s=", + "lastModified": 1727040444, + "narHash": "sha256-19FNN5QT9Z11ZUMfftRplyNN+2PgcHKb3oq8KMW/hDA=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "58b52b0dd191af70f538c707c66c682331cfdffc", + "rev": "d0cb432a9d28218df11cbd77d984a2a46caeb5ac", "type": "github" }, "original": { @@ -302,20 +229,6 @@ "type": "github" } }, - "nixpkgs_10": { - "locked": { - "lastModified": 1707877513, - "narHash": "sha256-sp0w2apswd3wv0sAEF7StOGHkns3XUQaO5erhWFZWXk=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "89653a03e0915e4a872788d10680e7eec92f8600", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "type": "indirect" - } - }, "nixpkgs_2": { "locked": { "lastModified": 1712883908, 
@@ -332,16 +245,16 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1717974879, - "narHash": "sha256-GTO3C88+5DX171F/gVS3Qga/hOs/eRMxPFpiHq2t+D8=", + "lastModified": 1727320268, + "narHash": "sha256-B4AK91+9frHerQ6mFAtaR46ECMRtZufrtXFj/b5NqYU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c7b821ba2e1e635ba5a76d299af62821cbcb09f3", + "rev": "ea2838e1ce0a9da2abf88275843aca29d9f82b30", "type": "github" }, "original": { "id": "nixpkgs", - "ref": "nixos-unstable", + "ref": "nixos-unstable-small", "type": "indirect" } }, @@ -375,11 +288,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1712388808, - "narHash": "sha256-9ogU4c3vUmuMDoRlbQCeq3OKx0XJmgHcLZ4XywJNYWI=", + "lastModified": 1726583932, + "narHash": "sha256-zACxiQx8knB3F8+Ze+1BpiYrI+CbhxyWpcSID9kVhkQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fe4295b9ecd88764c1abf6179e03b1a828ca0e9a", + "rev": "658e7223191d2598641d50ee4e898126768fe847", "type": "github" }, "original": { @@ -389,11 +302,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1709780214, - "narHash": "sha256-p4iDKdveHMhfGAlpxmkCtfQO3WRzmlD11aIcThwPqhk=", + "lastModified": 1726583932, + "narHash": "sha256-zACxiQx8knB3F8+Ze+1BpiYrI+CbhxyWpcSID9kVhkQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f945939fd679284d736112d3d5410eb867f3b31c", + "rev": "658e7223191d2598641d50ee4e898126768fe847", "type": "github" }, "original": { 
@@ -403,25 +316,11 @@ }, "nixpkgs_8": { "locked": { - "lastModified": 1710222005, - "narHash": "sha256-irXySffHz7b82dZIme6peyAu+8tTJr1zyxcfUPhqUrg=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "9a9a7552431c4f1a3b2eee9398641babf7c30d0e", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "type": "indirect" - } - }, - "nixpkgs_9": { - "locked": { - "lastModified": 1712328247, - "narHash": "sha256-cswxdMQH0fATfonhXgVfxliuZMfkdrCQQud4cO76eDw=", + "lastModified": 1707877513, + "narHash": "sha256-sp0w2apswd3wv0sAEF7StOGHkns3XUQaO5erhWFZWXk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8311011fcea909e0cc9684ada784dae080fbfb60", + "rev": "89653a03e0915e4a872788d10680e7eec92f8600", "type": "github" }, "original": { @@ -450,11 +349,11 @@ }, "personal-secret": { "locked": { - "lastModified": 1716452759, - "narHash": "sha256-leiQrRghrECNEwkNA/TFVlNFLe+yu/qS+IHKcsLXUxw=", + "lastModified": 1727268086, + "narHash": "sha256-WcZ5Aa2XKLNHz4ly83CRrmFuWBo6Fg+kMGrERudvTUY=", "ref": "refs/heads/master", - "rev": "a437d31815d8ce9f5907884fd9d87a0d7f9011f0", - "revCount": 107, + "rev": "dfdcf00c0dae3694a256b0a1d78e1348636a7589", + "revCount": 113, "type": "git", "url": "ssh://git@cynerd.cz/nixos-personal-secret" }, @@ -466,15 +365,14 @@ "pyshv": { "inputs": { "flake-utils": "flake-utils_6", - "libshv": "libshv", - "nixpkgs": "nixpkgs_9" + "nixpkgs": "nixpkgs_7" }, "locked": { - "lastModified": 1712430672, - "narHash": "sha256-WKPEaBEu3GB3feu4/vubBKxvs7/tmfvalPCsANnnSW0=", + "lastModified": 1726844448, + "narHash": "sha256-t7gRe6u+Ax3BYNVSUjRpY3klRRWyq+6SoC3hxehnGe0=", "owner": "silicon-heaven", "repo": "pyshv", - "rev": "84bfbc700432dec5483e6af6777dd076aadef54f", + "rev": "f593327ec9aa8f03443392962fba9d825c72a659", "type": "gitlab" }, "original": { 
@@ -504,11 +402,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1716543407, - "narHash": "sha256-/Ly4X3SYtSCb8utV+lzRO6Rc2oig7uN6dhFT70uKG6A=", + "lastModified": 1721899791, + "narHash": "sha256-dT+kwR2nuymeq3qqzc5//g4nQJRG1pVWUeZztCXgYCM=", "ref": "refs/heads/master", - "rev": "31f5accaa54f6110cfeefa19e3e4ed6d1a71190b", - "revCount": 111, + "rev": "0adc7c32594913d0f4ec774a85cb03554cd719d4", + "revCount": 112, "type": "git", "url": "https://git.cynerd.cz/shellrc" }, @@ -524,11 +422,11 @@ "pyshv": "pyshv" }, "locked": { - "lastModified": 1712433922, - "narHash": "sha256-pLgYcPnWADRFh9dAmaMkkekcKVJ2cc9E+EQFvqE3q9Y=", + "lastModified": 1727108673, + "narHash": "sha256-a+4TBiW/r0/Ts7Yd/gBsCQiU15F104bUHIHNecXmGQE=", "owner": "silicon-heaven", "repo": "shvcli", - "rev": "cd5eedb592a7bc6bade45fb7a28d73f04fd2d53b", + "rev": "9021aa09b94b0b83e5baf8ad409ca861b5b4edfe", "type": "github" }, "original": { @@ -642,40 +540,10 @@ "type": "github" } }, - "systems_8": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_9": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "usbkey": { "inputs": { - "flake-utils": "flake-utils_9", - "nixpkgs": "nixpkgs_10" + "flake-utils": "flake-utils_7", + "nixpkgs": "nixpkgs_8" }, "locked": { "lastModified": 1707940956, 
@@ -693,11 +561,11 @@ }, "vpsadminos": { "locked": { - "lastModified": 1717952947, - "narHash": "sha256-RAgrrmJvCJb4Kntsb49hbucPIY0833V9V9I7pKcqbl8=", + "lastModified": 1727306253, + "narHash": "sha256-PdVXdZvhAqQFALZiACXIjwFRSo0EhEKMm94uxvyFyPk=", "owner": "vpsfreecz", "repo": "vpsadminos", - "rev": "0330fef1b06f3b7186825d236381f94a5bed7938", + "rev": "bd2b87cbcb75a9e9aa25f76fb7e1f0f625963277", "type": "github" }, "original": { @@ -2,7 +2,7 @@ description = "Cynerd's personal flake"; inputs = { - nixpkgs.url = "nixpkgs/nixos-unstable"; + nixpkgs.url = "nixpkgs/nixos-unstable-small"; nixos-hardware.url = "nixos-hardware"; nixdeploy.url = "gitlab:cynerd/nixosdeploy"; personal-secret.url = "git+ssh://git@cynerd.cz/nixos-personal-secret"; diff --git a/nixos/configurations/adm-omnia.nix b/nixos/configurations/adm-omnia.nix index dad595b..069dfb0 100644 --- a/nixos/configurations/adm-omnia.nix +++ b/nixos/configurations/adm-omnia.nix 
@@ -1,35 +1,77 @@ -{config, ...}: { +{config, ...}: let + hosts = config.cynerd.hosts.adm; +in { turris.board = "omnia"; + deploy = { + enable = false; + ssh.host = "omnia.adm"; + }; cynerd = { router = { enable = true; wan = "pppoe-wan"; - lanIP = config.cynerd.hosts.adm.omnia; + lanIP = hosts.omnia; + staticLeases = { + "70:85:c2:4a:59:f2" = hosts.ridcully; + "7c:b0:c2:bb:9c:ca" = hosts.albert; + "4c:d5:77:0d:85:d9" = hosts.binky; + "b8:27:eb:49:54:5a" = hosts.mpd; + }; + guestStaticLeases = { + "f4:a9:97:a4:bd:59" = hosts.printer; + }; }; wifiAP.adm = { - enable = true; - ar9287.interface = "wlp3s0"; - qca988x.interface = "wlp2s0"; + enable = false; + ar9287 = { + interface = "wlp1s0"; + bssids = ["04:f0:21:23:3d:ce" "08:f0:21:23:3d:ce" "0c:f0:21:23:3d:ce"]; + channel = 11; + }; + qca988x = { + interface = "wlp3s0"; + bssids = ["04:f0:21:24:0b:4e" "08:f0:21:24:0b:4e" "0c:f0:21:24:0b:4e"]; + channel = 36; + }; }; + wireguard = true; monitoring.speedtest = true; }; - networking.useDHCP = false; + services.journald.extraConfig = '' + SystemMaxUse=8G + ''; + + services.btrfs.autoScrub = { + enable = true; + fileSystems = ["/"]; + }; + + networking = { + useNetworkd = true; + useDHCP = false; + }; systemd.network = { networks = { - "end2" = { - matchConfig.Name = "end2"; - #networkConfig = { - # DHCP = "ipv6"; - # IPv6AcceptRA = "yes"; - # DHCPPrefixDelegation = "yes"; - #}; - #dhcpPrefixDelegationConfig = { - # UplinkInterface = ":self"; - # SubnetId = 0; - # Announce = "no"; - #}; + "pppoe-wan" = { + matchConfig.Name = "pppoe-wan"; + networkConfig = { + BindCarrier = "end2"; + DHCP = "ipv6"; + IPv6AcceptRA = "no"; + DHCPPrefixDelegation = "yes"; + DNS = "1.1.1.1"; + }; + dhcpV6Config = { + PrefixDelegationHint = "::/56"; + UseDNS = "no"; + }; + dhcpPrefixDelegationConfig = { + UplinkInterface = ":self"; + SubnetId = 0; + Announce = "no"; + }; linkConfig.RequiredForOnline = "routable"; }; "lan-brlan" = { 
@@ -43,7 +85,7 @@ {VLAN = 2;} ]; }; - "lan0-guest" = { + "lan-guest" = { matchConfig.Name = "lan0"; networkConfig.Bridge = "brlan"; bridgeVLANs = [ @@ -64,14 +106,18 @@ lcp-echo-interval 1 lcp-echo-failure 5 lcp-echo-adaptive - +ipv6 defaultroute defaultroute6 - usepeerdns + #usepeerdns maxfail 1 user O2 password 02 ''; }; systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.device"]; + # TODO limit NSS clamping to just pppoe-wan + networking.firewall.extraForwardRules = '' + tcp flags syn tcp option maxseg size set rt mtu comment "Needed for PPPoE to fix IPv4" + iifname {"home", "personalvpn", "wg"} oifname {"home", "personalvpn", "wg"} accept + ''; } diff --git a/nixos/configurations/adm-omnia2.nix b/nixos/configurations/adm-omnia2.nix index 2848bd9..45b8dc4 100644 --- a/nixos/configurations/adm-omnia2.nix +++ b/nixos/configurations/adm-omnia2.nix @@ -14,12 +14,12 @@ wifiAP.adm = { enable = true; ar9287 = { - interface = "wlp1s0"; + interface = "wlp2s0"; bssids = ["12:f0:21:23:2b:00" "12:f0:21:23:2b:01" "12:f0:21:23:2b:02"]; channel = 11; }; qca988x = { - interface = "wlp2s0"; + interface = "wlp1s0"; bssids = ["12:f0:21:23:2b:03" "12:f0:21:23:2b:04" "12:f0:21:23:2b:05"]; channel = 36; }; diff --git a/nixos/configurations/binky.nix b/nixos/configurations/binky.nix index 4b552d5..7765d01 100644 --- a/nixos/configurations/binky.nix +++ b/nixos/configurations/binky.nix @@ -1,4 +1,8 @@ -{lib, ...}: let +{ + lib, + pkgs, + ... +}: let inherit (lib) mkDefault; in { nixpkgs.hostPlatform.system = "x86_64-linux"; @@ -94,4 +98,6 @@ in { dataDir = "/home/cynerd"; configDir = "/home/cynerd/.config/syncthing"; }; + + environment.systemPackages = [pkgs.heroic]; } diff --git a/nixos/configurations/lipwig.nix b/nixos/configurations/lipwig.nix index 524a864..7d00a37 100644 --- a/nixos/configurations/lipwig.nix +++ b/nixos/configurations/lipwig.nix 
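Review bot: The clamp rule added to `networking.firewall.extraForwardRules` in adm-omnia.nix applies to every forwarded SYN, including traffic that only crosses `home`, `personalvpn` and `wg`, and the TODO above it says "NSS" where MSS is meant. Scoping the rule to the PPPoE link would resolve the TODO: `oifname "pppoe-wan" tcp flags syn tcp option maxseg size set rt mtu comment "Needed for PPPoE to fix IPv4"`. The interface name is taken from `wan = "pppoe-wan"` in the first hunk of this file. The hunk ends at the closing brace of the module, so nothing after the rule is hidden.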
@@ -43,20 +43,6 @@ fsType = "fuse.bindfs"; options = ["map=syncthing/nextcloud:@syncthing/@nextcloud"]; }; - "/nas/spt" = { - device = "nas@omnia.spt:/data/nas"; - fsType = "fuse.sshfs"; - options = [ - "allow_other" - "_netdev" - "x-systemd.automount" - "reconnect" - "identityfile=/run/secrets/nas.ssh.priv" - "idmap=user" - "uid=nextcloud" - "gid=nextcloud" - ]; - }; }; networking = { @@ -107,7 +93,7 @@ root = "${pkgs.cgit}/cgit"; locations."/".tryFiles = "$uri @cgit"; locations."@cgit".extraConfig = '' - fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; + fastcgi_pass unix:${config.services.fcgiwrap.instances.cgit.socket.address}; fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi; fastcgi_param PATH_INFO $uri; fastcgi_param QUERY_STRING $args; @@ -137,9 +123,9 @@ }; }; }; - services.fcgiwrap = { - enable = true; - inherit (config.services.nginx) group; + services.fcgiwrap.instances.cgit = { + process.user = "git"; + socket = {inherit (config.services.nginx) user group;}; }; security.acme = { acceptTerms = true; 
@@ -248,21 +234,26 @@ twofactor_webauthn ; # Additional modules can be fetched with: - # NEXTCLOUD_VERSIONS=28 nix run nixpkgs#nc4nix -- -apps "passwords,integration_homeassistant,integration_github,integration_gitlab" + # NEXTCLOUD_VERSIONS=28 nix run nixpkgs#nc4nix -- -apps "passwords,money,integration_github,integration_gitlab" passwords = pkgs.fetchNextcloudApp { - url = "https://git.mdns.eu/api/v4/projects/45/packages/generic/passwords/2024.2.0/passwords.tar.gz"; - sha256 = "0s5z6pxkcwmhlbzy9s2g0s05n1iqjmxr2jqxz7ayklin9kcgr3h7"; - license = "gpl3"; + url = "https://git.mdns.eu/api/v4/projects/45/packages/generic/passwords/2024.9.0/passwords.tar.gz"; + sha256 = "L+jumcussL0c9xNMg/GMs1GSd1IY9wUvC8ZEg+3U+sc="; + license = "agpl3Plus"; }; integration_github = pkgs.fetchNextcloudApp { - url = "https://github.com/nextcloud-releases/integration_github/releases/download/v2.0.6/integration_github-v2.0.6.tar.gz"; - sha256 = "0rjdlsalayb21nmh3j5bl42dcbavxka2r5g9csagz7vc9dl0qrw6"; - license = "gpl3"; + url = "https://github.com/nextcloud-releases/integration_github/releases/download/v2.0.7/integration_github-v2.0.7.tar.gz"; + sha256 = "x4BrBdrvmbdwZcZL6FLAY27B5OpkXIsw92XsD076Aqg="; + license = "agpl3Plus"; }; integration_gitlab = pkgs.fetchNextcloudApp { - url = "https://github.com/nextcloud-releases/integration_gitlab/releases/download/v1.0.18/integration_gitlab-v1.0.18.tar.gz"; - sha256 = "13vlbr7sigqrh480a9zp7zl9nbzb4pk8m1zzlqv9lkzj3zywp7mi"; - license = "gpl3"; + url = "https://github.com/nextcloud-releases/integration_gitlab/releases/download/v3.1.1/integration_gitlab-v3.1.1.tar.gz"; + sha256 = "nBqnBDVoNEqRGp+WKq4okis1kCr6pzEz4G6368MaxuE="; + license = "agpl3Plus"; + }; + money = pkgs.fetchNextcloudApp { + url = "https://github.com/powerpaul17/nc_money/releases/download/v0.29.0/money.tar.gz"; + sha256 = "EXcY69z5h6rT0RdkmOhQYKSWmVBr2zaWuSRj/m5dMkI="; + license = "agpl3Plus"; }; }; }; 
@@ -271,12 +262,14 @@ services.postgresql = { enable = true; ensureUsers = [ + {name = "cynerd";} { name = "nextcloud"; ensureDBOwnership = true; } ]; ensureDatabases = ["nextcloud"]; + #extraPlugins = ps: with ps; [timescaledb]; }; # SearX #################################################################### diff --git a/nixos/configurations/ridcully.nix b/nixos/configurations/ridcully.nix index 66daf1b..2be1a7a 100644 --- a/nixos/configurations/ridcully.nix +++ b/nixos/configurations/ridcully.nix @@ -54,6 +54,13 @@ in { fileSystems = ["/" "/home2"]; }; + networking = { + useNetworkd = true; + useDHCP = true; + }; + systemd.network = { + wait-online.enable = false; + }; #networking.vlans."enp6s0.adm" = { #id = 2; #interface = "enp6s0"; diff --git a/nixos/configurations/spt-mox2.nix b/nixos/configurations/spt-mox2.nix index 085bb5f..af0796c 100644 --- a/nixos/configurations/spt-mox2.nix +++ b/nixos/configurations/spt-mox2.nix @@ -1,4 +1,8 @@ -{config, ...}: { +{ + config, + pkgs, + ... +}: { turris.board = "mox"; deploy = { enable = true; diff --git a/nixos/configurations/spt-omnia.nix b/nixos/configurations/spt-omnia.nix index 29fe8c4..79ced79 100644 --- a/nixos/configurations/spt-omnia.nix +++ b/nixos/configurations/spt-omnia.nix 
@@ -45,71 +45,15 @@ in { SystemMaxUse=8G ''; - environment = { - etc.crypttab.text = '' - nas UUID=3472bef9-cbae-48bd-873e-fd4858a0b72f /run/secrets/luks-spt-omnia-nas.key luks - nassec UUID=016e9e75-bbc8-4b24-8bb7-c800c8f6a500 /run/secrets/luks-spt-omnia-nas.key luks - ''; - systemPackages = with pkgs; [ - cryptsetup - ]; - }; - fileSystems = { - "/data" = { - device = "/dev/mapper/nas"; - fsType = "btrfs"; - options = ["compress=lzo" "subvol=@data" "nofail"]; - }; - "/srv" = { - device = "/dev/mapper/nas"; - fsType = "btrfs"; - options = ["compress=lzo" "subvol=@srv" "nofail"]; - depends = ["/data"]; - }; - }; services.btrfs.autoScrub = { enable = true; - fileSystems = ["/" "/data"]; + fileSystems = ["/"]; }; - services.udev.packages = [ - (pkgs.writeTextFile rec { - name = "queue_depth_sata.rules"; - destination = "/etc/udev/rules.d/50-${name}"; - text = '' - SUBSYSTEMS=="pci", DRIVER=="ahci", ATTR{device}!="0x0612", GOTO="turris_pci_end" - ACTION=="add|change", SUBSYSTEM=="scsi", ATTR{vendor}=="ATA", ATTR{queue_depth}="1" - LABEL="turris_pci_end" - ''; - }) - ]; - users = { - groups.nas = {}; - users = { - nas = { - group = "nas"; - openssh.authorizedKeys.keyFiles = [ - (config.personal-secrets + "/unencrypted/nas.pub") - (config.personal-secrets + "/unencrypted/nas-spt.pub") - ]; - isNormalUser = true; - home = "/data/nas"; - homeMode = "770"; - }; - cynerd.extraGroups = ["nas"]; - }; - }; - services.openssh = { - settings.Macs = ["hmac-sha2-256"]; # Allow sha2-256 for Nexcloud access - extraConfig = '' - Match User nas - X11Forwarding no - AllowTcpForwarding no - AllowAgentForwarding no - ForceCommand internal-sftp -d /data/nas - ''; + services.fail2ban = { + enable = true; + ignoreIP = ["10.8.1.0/24" "10.8.2.0/24"]; }; - services.fail2ban.enable = true; networking.useDHCP = false; systemd.network = { 
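Review bot: `ignoreIP = ["10.8.1.0/24" "10.8.2.0/24"]` in the new `services.fail2ban` block exempts two whole /24 networks from banning, and nothing in the hunk says which segments they are. If either range can contain devices you do not control, a brute-force attempt from there is never throttled. A comment naming the networks would make the trust decision reviewable, for example `# LAN and VPN ranges, never ban our own hosts` with the names corrected to the real segments. Narrowing the list to the specific admin hosts would be tighter still if that is all the exemption is for.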
@@ -187,14 +131,4 @@ in { tcp flags syn tcp option maxseg size set rt mtu comment "Needed for PPPoE to fix IPv4" iifname {"home", "personalvpn", "wg"} oifname {"home", "personalvpn", "wg"} accept ''; - - services.syncthing = { - enable = false; - openDefaultPorts = true; - - overrideDevices = false; - overrideFolders = false; - - dataDir = "/data"; # TODO this can't be the location - }; } diff --git a/nixos/modules/desktop.nix b/nixos/modules/desktop.nix index 1b29b86..4a8c7dd 100644 --- a/nixos/modules/desktop.nix +++ b/nixos/modules/desktop.nix @@ -24,9 +24,9 @@ in { config = mkIf cnf.enable { hardware = { - opengl = { - driSupport = true; - driSupport32Bit = true; + graphics = { + enable = true; + enable32Bit = true; }; bluetooth.enable = mkIf cnf.laptop true; }; @@ -37,7 +37,7 @@ in { wrapperFeatures.gtk = true; extraPackages = with pkgs; [ - gnome.dconf-editor + dconf-editor glib gsettings-desktop-schemas sysstat @@ -49,7 +49,7 @@ in { myswaylock alacritty - gnome.nautilus + nautilus kanshi wdisplays @@ -69,17 +69,17 @@ in { isync msmtp notmuch - mastroid - taskwarrior + astroid + taskwarrior3 vdirsyncer - #khal - #khard + khal + khard gnupg pinentry-gnome3 pinentry-curses (pass.withExtensions (exts: [ exts.pass-otp - #exts.pass-audit + exts.pass-audit ])) chromium @@ -104,16 +104,16 @@ in { id3lib vlc mpv - youtube-dl + yt-dlp spotify nordic nordzy-cursor-theme nordzy-icon-theme - gnome.adwaita-icon-theme + adwaita-icon-theme vanilla-dmz sound-theme-freedesktop - gnome.gnome-characters + gnome-characters gucharmap (sdcv.withDictionaries [stardict-en-cz stardict-de-cz stardict-cz]) @@ -125,6 +125,7 @@ in { freerdp plasma5Packages.kdeconnect-kde + gnome-firmware hdparm ethtool multipath-tools @@ -159,10 +160,6 @@ in { typst-lsp vale - # Gnome utils - gnome-firmware - #gaphor - # CAD freecad kicad diff --git a/nixos/modules/develop.nix b/nixos/modules/develop.nix index 2a20527..446d205 100644 --- a/nixos/modules/develop.nix +++ b/nixos/modules/develop.nix 
@@ -21,6 +21,7 @@ in { # Tools gitlint tig + gitg gource glab github-cli @@ -41,7 +42,6 @@ in { dev cachix nurl - nix-universal-prefetch nil alejandra statix @@ -54,7 +54,7 @@ in { bats shellcheck shfmt - nodePackages.bash-language-server + bash-language-server jq yq fq diff --git a/nixos/modules/hosts.nix b/nixos/modules/hosts.nix index e7ad76b..f53fd8c 100644 --- a/nixos/modules/hosts.nix +++ b/nixos/modules/hosts.nix @@ -64,6 +64,7 @@ in { "ridcully" = "10.8.3.60"; "3dprint" = "10.8.3.80"; "mpd" = "10.8.3.51"; + "printer" = "192.168.0.20"; # Portable "albert" = "10.8.3.61"; "binky" = "10.8.3.63"; diff --git a/nixos/modules/monitoring.nix b/nixos/modules/monitoring.nix index 394915a..e4fa195 100644 --- a/nixos/modules/monitoring.nix +++ b/nixos/modules/monitoring.nix @@ -78,7 +78,7 @@ in { nstat = [{}]; system = [{}]; processes = [{}]; - systemd_units = [{}]; + systemd_units = [{details = true;}]; wireguard = [{}]; } // (optionalAttrs cnf.drives { @@ -152,6 +152,8 @@ in { admin_password = "$__file{/run/secrets/grafana.admin.pass}"; }; server = { + domain = "grafana.cynerd.cz"; + root_url = "https://%(domain)s/"; http_addr = ""; http_port = 3000; }; diff --git a/nixos/modules/router.nix b/nixos/modules/router.nix index a658515..224037b 100644 --- a/nixos/modules/router.nix +++ b/nixos/modules/router.nix @@ -44,10 +44,20 @@ in { ''; description = "Mapping of MAC address to IP address"; }; + guestStaticLeases = mkOption { + type = with types; attrsOf str; + default = {}; + example = '' + {"xx:xx:xx:xx:xx:xx" = "10.8.1.30";} + ''; + description = "Mapping of MAC address to IP address"; + }; }; }; config = mkIf cnf.enable { + boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1; + networking = { useNetworkd = true; firewall = { 
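Review bot: `boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;` in the router.nix hunk enables IPv6 routing on every interface, and the networks in this module request `DHCPPrefixDelegation`, so LAN and guest hosts presumably receive globally routable addresses with no NAT in front of them. That leaves the forward chain as the only barrier between the WAN and those hosts. The `firewall` block starts in this hunk's trailing context and continues outside it, so please confirm that it drops new IPv6 connections arriving on `cnf.wan`. A short comment next to the sysctl stating which rule provides that filtering would help the next reader.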
@@ -106,9 +116,10 @@ in { matchConfig.Name = "home"; networkConfig = { Address = "${cnf.lanIP}/${toString cnf.lanPrefix}"; - IPForward = "yes"; + IPv4Forwarding = "yes"; DHCPServer = "yes"; DHCPPrefixDelegation = "yes"; + IPv6Forwarding = "yes"; IPv6SendRA = "yes"; IPv6AcceptRA = "no"; }; @@ -135,9 +146,10 @@ in { matchConfig.Name = "guest"; networkConfig = { Address = "192.168.1.1/24"; - IPForward = "yes"; + IPv4Forwarding = "yes"; DHCPServer = "yes"; DHCPPrefixDelegation = "yes"; + IPv6Forwarding = "yes"; IPv6SendRA = "yes"; IPv6AcceptRA = "no"; }; @@ -148,6 +160,12 @@ in { EmitDNS = "yes"; DNS = "192.168.1.1"; }; + dhcpServerStaticLeases = + mapAttrsToList (n: v: { + MACAddress = n; + Address = v; + }) + cnf.guestStaticLeases; dhcpPrefixDelegationConfig = { UplinkInterface = cnf.wan; SubnetId = 2; diff --git a/nixos/modules/users.nix b/nixos/modules/users.nix index d098ec7..1c143bb 100644 --- a/nixos/modules/users.nix +++ b/nixos/modules/users.nix @@ -64,10 +64,13 @@ in { syntaxHighlighting.enable = isNative; }; shellrc = true; - vim.defaultEditor = isArm; + vim = { + enable = isArm; + defaultEditor = isArm; + }; neovim = { enable = !isArm; - defaultEditor = true; + defaultEditor = !isArm; withNodeJs = true; }; diff --git a/nixos/modules/wifi-client.nix b/nixos/modules/wifi-client.nix index 8fc803d..b82633d 100644 --- a/nixos/modules/wifi-client.nix +++ b/nixos/modules/wifi-client.nix @@ -21,7 +21,7 @@ in { networking.wireless = { enable = true; networks = config.secrets.wifiNetworks; - environmentFile = "/run/secrets/wifi.env"; + secretsFile = "/run/secrets/wifi.secrets"; userControlled.enable = true; }; }; diff --git a/nixos/modules/wifi-spt.nix b/nixos/modules/wifi-spt.nix index 2ecc3a3..d013473 100644 --- a/nixos/modules/wifi-spt.nix +++ b/nixos/modules/wifi-spt.nix 
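Review bot: The new `dhcpServerStaticLeases` on the `guest` network passes `cnf.guestStaticLeases` through unchecked, while that network is hard-coded to `Address = "192.168.1.1/24"`. The only lease this commit defines is `hosts.printer`, added in hosts.nix as `"192.168.0.20"`, which lies outside that /24. The DHCP server will most likely not hand that address out, and the printer would then get a dynamic lease instead. Either move the printer to an address inside 192.168.1.0/24 or change the guest subnet. The option's example `{"xx:xx:xx:xx:xx:xx" = "10.8.1.30";}` and its description in the first router.nix hunk should also say that the addresses must belong to the guest range, e.g. `description = "Mapping of MAC address to IP address in the guest network";`.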
@@ -61,14 +61,14 @@ in { wpa_key_mgmt = mkForce "WPA-PSK"; # force use without sha256 }; }; - #"${cnf.ar9287.interface}.guest" = { - # bssid = elemAt cnf.ar9287.bssids 1; - # ssid = "Kocovi"; - # authentication = { - # mode = "wpa2-sha256"; - # wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass"; - # }; - #}; + "${cnf.ar9287.interface}.guest" = { + bssid = elemAt cnf.ar9287.bssids 1; + ssid = "Kocovi"; + authentication = { + mode = "wpa2-sha256"; + wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass"; + }; + }; }; }; }) @@ -107,14 +107,14 @@ in { wpa_key_mgmt = mkForce "WPA-PSK"; # force use without sha256 }; }; - #"${cnf.qca988x.interface}.guest" = { - # bssid = elemAt cnf.qca988x.bssids 1; - # ssid = "Kocovi"; - # authentication = { - # mode = "wpa2-sha256"; - # wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass"; - # }; - #}; + "${cnf.qca988x.interface}.guest" = { + bssid = elemAt cnf.qca988x.bssids 1; + ssid = "Kocovi"; + authentication = { + mode = "wpa2-sha256"; + wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass"; + }; + }; }; }; }) @@ -135,16 +135,16 @@ in { } ]; }; - #"lan-${cnf.ar9287.interface}-guest" = { - # matchConfig.Name = "${cnf.ar9287.interface}.guest"; - # networkConfig.Bridge = "brlan"; - # bridgeVLANs = [ - # { - # EgressUntagged = 2; - # PVID = 2; - # } - # ]; - #}; + "lan-${cnf.ar9287.interface}-guest" = { + matchConfig.Name = "${cnf.ar9287.interface}.guest"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + EgressUntagged = 2; + PVID = 2; + } + ]; + }; }) (mkIf (cnf.qca988x.interface != null) { "lan-${cnf.qca988x.interface}" = { 
@@ -160,16 +160,16 @@ in { } ]; }; - #"lan-${cnf.qca988x.interface}-guest" = { - # matchConfig.Name = "${cnf.qca988x.interface}.guest"; - # networkConfig.Bridge = "brlan"; - # bridgeVLANs = [ - # { - # EgressUntagged = 2; - # PVID = 2; - # } - # ]; - #}; + "lan-${cnf.qca988x.interface}-guest" = { + matchConfig.Name = "${cnf.qca988x.interface}.guest"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + EgressUntagged = 2; + PVID = 2; + } + ]; + }; }) ]; }; diff --git a/nixos/modules/wireguad.nix b/nixos/modules/wireguad.nix index 69e1ccd..1b1db90 100644 --- a/nixos/modules/wireguad.nix +++ b/nixos/modules/wireguad.nix @@ -66,10 +66,7 @@ in { matchConfig.Name = "wg"; networkConfig = { Address = "${config.cynerd.hosts.wg."${hostName}"}/24"; - IPForward = is_endpoint; - #DNS = mkIf (hostName != "dean") ["10.0.20.30" "10.0.20.31"]; - #DNSSEC = false; - #Domains = mkIf (hostName != "dean") "~elektroline.cz"; + IPv4Forwarding = "yes"; }; routes = (optional (hostName != "lipwig") { diff --git a/pkgs/default.nix b/pkgs/default.nix index 430a7b8..eca6db6 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -1,6 +1,12 @@ final: prev: let - inherit (final.lib) optional; - is_cross = final.buildPlatform != final.targetPlatform; + # The NodeJS packages has to be build in 32bit environment if host platform is + # also 32bit because it uses 32bit stubs and links against 32bit OpenSSL. The + # only architecture that generally supports execution of 32bit is x86_64 and + # thus that is the only one handled here. + callPackageNodejs = + if prev.stdenv.buildPlatform.isx86_64 && prev.stdenv.is32bit + then prev.buildPackages.pkgsi686Linux.callPackage + else prev.callPackage; in { luks-hw-password = final.callPackage ./luks-hw-password {}; dev = final.callPackage ./dev { 
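Review bot: In the wireguad.nix hunk the replacement `IPv4Forwarding = "yes";` drops the `is_endpoint` condition that the removed `IPForward = is_endpoint;` carried. Every host that enables this module now routes IPv4 on `wg`, not only the endpoints. If that widening is not intended, keep the condition with the renamed option: `IPv4Forwarding = is_endpoint;`. `is_endpoint` is defined outside the hunk, so check that its value has a form the new option accepts.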
@@ -24,9 +30,17 @@ in { bigclown-leds = final.callPackage ./bigclown-leds {}; # nixpkgs patches - #zigbee2mqtt = prev.zigbee2mqtt.overrideAttrs (oldAttrs: { - # npmInstallFlags = ["--no-optional"]; # Fix cross build - #}); + zigbee2mqtt = prev.zigbee2mqtt.overrideAttrs { + npmInstallFlags = ["--no-optional"]; # Fix cross build + }; + nodejs_18 = callPackageNodejs (prev.path + "/pkgs/development/web/nodejs/v18.nix") {}; + nodejs-slim_18 = callPackageNodejs (prev.path + "/pkgs/development/web/nodejs/v18.nix") {enableNpm = false;}; + nodejs_20 = callPackageNodejs (prev.path + "/pkgs/development/web/nodejs/v20.nix") {}; + nodejs-slim_20 = callPackageNodejs (prev.path + "/pkgs/development/web/nodejs/v20.nix") {enableNpm = false;}; + nodejs_22 = callPackageNodejs (prev.path + "/pkgs/development/web/nodejs/v22.nix") {}; + nodejs-slim_22 = callPackageNodejs (prev.path + "/pkgs/development/web/nodejs/v22.nix") {enableNpm = false;}; + + # Older version of packages flac1_3 = prev.flac.overrideAttrs { version = "1.3.4"; src = final.fetchurl { @@ -35,18 +49,4 @@ in { }; outputs = ["out"]; }; - gnupg = prev.gnupg.overrideAttrs (oldAttrs: { - nativeBuildInputs = - oldAttrs.nativeBuildInputs - ++ (optional is_cross prev.libgpg-error); - }); - mastroid = prev.astroid.overrideAttrs (oldAttrs: { - src = final.fetchFromGitHub { - owner = "astroidmail"; - repo = "astroid"; - rev = "c1e5cdbd662e2bcfef2fe5dc72dbc444a692a0e8"; - sha256 = "sha256-aLxVA9gW4dzRMqgaPsP5slfYl8fz/lKHRzl+NnkH60s="; - }; - patches = []; - }); } diff --git a/tools/install.sh b/tools/install.sh index 5a10830..2bb98ad 100755 --- a/tools/install.sh +++ b/tools/install.sh @@ -25,6 +25,7 @@ fi if [ ! -s "$root/.personal-secrets.key" ]; then echo "Please paste the personal secret key (terminate using ^D)" >&2 sudo tee "$root/.personal-secrets.key" >/dev/null + chown 600 "$root/.personal-secrets.key" fi if [ -f "$src/flake.nix" ]; then |
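Review bot: `chown 600 "$root/.personal-secrets.key"` in the tools/install.sh hunk changes the file's owner to UID 600 rather than its permission bits, so the key keeps whatever mode `sudo tee` created it with, which under a common umask is world-readable. The call also runs without `sudo` on a file that root just created, so it is likely to fail outright for a non-root user. The intended line is presumably `sudo chmod 600 "$root/.personal-secrets.key"`. Creating the file with a restrictive mode before `tee` writes to it would also avoid the short window in which the key exists with default permissions.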