-rw-r--r--flake.lock198
-rw-r--r--flake.nix16
-rw-r--r--nixos/configurations/binky.nix24
-rw-r--r--nixos/configurations/dean.nix45
-rw-r--r--nixos/configurations/lipwig.nix18
-rw-r--r--nixos/configurations/spt-omnia.nix6
-rw-r--r--nixos/configurations/spt-omniax.nix51
-rw-r--r--nixos/modules/desktop.nix1
-rw-r--r--nixos/modules/develop.nix11
-rw-r--r--nixos/modules/generic.nix14
-rw-r--r--nixos/modules/home-assistant.nix20
-rw-r--r--nixos/modules/hosts.nix5
-rw-r--r--nixos/modules/router.nix13
-rw-r--r--nixos/modules/wireguad.nix96
14 files changed, 275 insertions, 243 deletions
diff --git a/flake.lock b/flake.lock
index f439301..2bcba70 100644
--- a/flake.lock
+++ b/flake.lock
@@ -60,38 +60,7 @@
"type": "indirect"
}
},
- "flake-utils_10": {
- "inputs": {
- "systems": "systems_9"
- },
- "locked": {
- "lastModified": 1705309234,
- "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
- "owner": "numtide",
- "repo": "flake-utils",
- "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
- "type": "github"
- },
- "original": {
- "id": "flake-utils",
- "type": "indirect"
- }
- },
"flake-utils_2": {
- "locked": {
- "lastModified": 1678901627,
- "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
- "owner": "numtide",
- "repo": "flake-utils",
- "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
- "type": "github"
- },
- "original": {
- "id": "flake-utils",
- "type": "indirect"
- }
- },
- "flake-utils_3": {
"inputs": {
"systems": "systems_3"
},
@@ -108,7 +77,7 @@
"type": "indirect"
}
},
- "flake-utils_4": {
+ "flake-utils_3": {
"inputs": {
"systems": "systems_4"
},
@@ -125,7 +94,7 @@
"type": "indirect"
}
},
- "flake-utils_5": {
+ "flake-utils_4": {
"locked": {
"lastModified": 1678901627,
"narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
@@ -139,7 +108,7 @@
"type": "indirect"
}
},
- "flake-utils_6": {
+ "flake-utils_5": {
"inputs": {
"systems": "systems_5"
},
@@ -156,7 +125,7 @@
"type": "indirect"
}
},
- "flake-utils_7": {
+ "flake-utils_6": {
"inputs": {
"systems": "systems_6"
},
@@ -173,7 +142,7 @@
"type": "indirect"
}
},
- "flake-utils_8": {
+ "flake-utils_7": {
"inputs": {
"systems": "systems_7"
},
@@ -190,7 +159,7 @@
"type": "indirect"
}
},
- "flake-utils_9": {
+ "flake-utils_8": {
"inputs": {
"systems": "systems_8"
},
@@ -207,6 +176,23 @@
"type": "indirect"
}
},
+ "flake-utils_9": {
+ "inputs": {
+ "systems": "systems_9"
+ },
+ "locked": {
+ "lastModified": 1705309234,
+ "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
+ "type": "github"
+ },
+ "original": {
+ "id": "flake-utils",
+ "type": "indirect"
+ }
+ },
"home-manager": {
"inputs": {
"nixpkgs": [
@@ -230,8 +216,8 @@
},
"libshv": {
"inputs": {
- "flake-utils": "flake-utils_8",
- "nixpkgs": "nixpkgs_8"
+ "flake-utils": "flake-utils_7",
+ "nixpkgs": "nixpkgs_7"
},
"locked": {
"lastModified": 1705505951,
@@ -249,36 +235,17 @@
"url": "https://github.com/silicon-heaven/libshv.git"
}
},
- "nixbigclown": {
+ "nixdeploy": {
"inputs": {
"flake-utils": "flake-utils_2",
"nixpkgs": "nixpkgs_2"
},
"locked": {
- "lastModified": 1680946769,
- "narHash": "sha256-hz9aaa1CqCoSwS9khk+++e80+zTqs7s1VYw0QioTk1g=",
- "owner": "cynerd",
- "repo": "nixbigclown",
- "rev": "22531d43e5e104bf30ddcee77d933e1468748c83",
- "type": "github"
- },
- "original": {
- "owner": "cynerd",
- "repo": "nixbigclown",
- "type": "github"
- }
- },
- "nixdeploy": {
- "inputs": {
- "flake-utils": "flake-utils_3",
- "nixpkgs": "nixpkgs_3"
- },
- "locked": {
- "lastModified": 1710150065,
- "narHash": "sha256-o9B/i2uvEsZWvivDBsstffSUFE+pDcMeskWAXTnmAvA=",
+ "lastModified": 1710927472,
+ "narHash": "sha256-aXzoPTvHjMiAp+ZXKt+oxOgw3MlY4JechopKa+WzPjQ=",
"owner": "cynerd",
"repo": "nixdeploy",
- "rev": "6e251cee712de2de91a5bc28d32702111a95848f",
+ "rev": "5c9ca8950cdba970cca3964780205b91d009b3f7",
"type": "gitlab"
},
"original": {
@@ -289,11 +256,11 @@
},
"nixos-hardware": {
"locked": {
- "lastModified": 1710123225,
- "narHash": "sha256-j3oWlxRZxB7cFsgEntpH3rosjFHRkAo/dhX9H3OfxtY=",
+ "lastModified": 1710783728,
+ "narHash": "sha256-eIsfu3c9JUBgm3cURSKTXLEI9Dlk1azo+MWKZVqrmkc=",
"owner": "NixOS",
"repo": "nixos-hardware",
- "rev": "ad2fd7b978d5e462048729a6c635c45d3d33c9ba",
+ "rev": "1e679b9a9970780cd5d4dfe755a74a8f96d33388",
"type": "github"
},
"original": {
@@ -319,20 +286,6 @@
},
"nixpkgs_10": {
"locked": {
- "lastModified": 1682109806,
- "narHash": "sha256-d9g7RKNShMLboTWwukM+RObDWWpHKaqTYXB48clBWXI=",
- "owner": "NixOS",
- "repo": "nixpkgs",
- "rev": "2362848adf8def2866fabbffc50462e929d7fffb",
- "type": "github"
- },
- "original": {
- "id": "nixpkgs",
- "type": "indirect"
- }
- },
- "nixpkgs_11": {
- "locked": {
"lastModified": 1707877513,
"narHash": "sha256-sp0w2apswd3wv0sAEF7StOGHkns3XUQaO5erhWFZWXk=",
"owner": "NixOS",
@@ -347,20 +300,6 @@
},
"nixpkgs_2": {
"locked": {
- "lastModified": 1679319606,
- "narHash": "sha256-wyEMIZB6BnsmJWInEgDZu66hXVMGJEZFl5uDsn27f9M=",
- "owner": "NixOS",
- "repo": "nixpkgs",
- "rev": "8bc6945b1224a1cfa679d6801580b1054dba1a5c",
- "type": "github"
- },
- "original": {
- "id": "nixpkgs",
- "type": "indirect"
- }
- },
- "nixpkgs_3": {
- "locked": {
"lastModified": 1708469763,
"narHash": "sha256-wCJljz6nQdCAnfTx+3i4fWteB3TnVEq95z6d6LhwVKs=",
"owner": "NixOS",
@@ -373,13 +312,13 @@
"type": "indirect"
}
},
- "nixpkgs_4": {
+ "nixpkgs_3": {
"locked": {
- "lastModified": 1710474764,
- "narHash": "sha256-M43DDaPLL04HBLfh7XBZ8ROiujeL9IvnWsEKUnG2/yU=",
+ "lastModified": 1710861126,
+ "narHash": "sha256-q8fiy9mgUvTAt2OMjiVpQgDlykyGury9Fpsm0jekBfY=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "2bcf18c64c66b95e17d9c8755104d33bc5103c63",
+ "rev": "2dcadb7087e38314cebb15af65f8f2a15d2940cc",
"type": "github"
},
"original": {
@@ -388,7 +327,7 @@
"type": "indirect"
}
},
- "nixpkgs_5": {
+ "nixpkgs_4": {
"locked": {
"lastModified": 1710252211,
"narHash": "sha256-hQChQpB4LDBaSrNlD6DPLhU9T+R6oyxMCg2V+S7Y1jg=",
@@ -402,7 +341,7 @@
"type": "indirect"
}
},
- "nixpkgs_6": {
+ "nixpkgs_5": {
"locked": {
"lastModified": 1678875422,
"narHash": "sha256-T3o6NcQPwXjxJMn2shz86Chch4ljXgZn746c2caGxd8=",
@@ -416,7 +355,7 @@
"type": "indirect"
}
},
- "nixpkgs_7": {
+ "nixpkgs_6": {
"locked": {
"lastModified": 1705566941,
"narHash": "sha256-CLNtVRDA8eUPk+bxsCCZtRO0Cp+SpHdn1nNOLoFypLs=",
@@ -430,7 +369,7 @@
"type": "indirect"
}
},
- "nixpkgs_8": {
+ "nixpkgs_7": {
"locked": {
"lastModified": 1694948089,
"narHash": "sha256-d2B282GmQ9o8klc22/Rbbbj6r99EnELQpOQjWMyv0rU=",
@@ -444,7 +383,7 @@
"type": "indirect"
}
},
- "nixpkgs_9": {
+ "nixpkgs_8": {
"locked": {
"lastModified": 1705566941,
"narHash": "sha256-CLNtVRDA8eUPk+bxsCCZtRO0Cp+SpHdn1nNOLoFypLs=",
@@ -458,17 +397,31 @@
"type": "indirect"
}
},
+ "nixpkgs_9": {
+ "locked": {
+ "lastModified": 1682109806,
+ "narHash": "sha256-d9g7RKNShMLboTWwukM+RObDWWpHKaqTYXB48clBWXI=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "2362848adf8def2866fabbffc50462e929d7fffb",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "type": "indirect"
+ }
+ },
"nixturris": {
"inputs": {
- "flake-utils": "flake-utils_4",
- "nixpkgs": "nixpkgs_5"
+ "flake-utils": "flake-utils_3",
+ "nixpkgs": "nixpkgs_4"
},
"locked": {
- "lastModified": 1710278775,
- "narHash": "sha256-4kwVKv2Wrus6kNka/XtcrpYx1hemORAiv0wchoMxEvM=",
+ "lastModified": 1710528104,
+ "narHash": "sha256-fseLCm3s9PCNzdSNlNjgh3gS/BfeCOIAac/xyUEN0yo=",
"owner": "cynerd",
"repo": "nixturris",
- "rev": "b6f0fe38003fe22c2a0b94ac660e6063bb6f67b9",
+ "rev": "8c8595ac5fda5d1ab8ae6416938544298e317640",
"type": "gitlab"
},
"original": {
@@ -479,11 +432,11 @@
},
"personal-secret": {
"locked": {
- "lastModified": 1710423555,
- "narHash": "sha256-m1f4Ifjn80UHMkyXLdMDjtjG2dnaO974USOpCjGOKe8=",
+ "lastModified": 1710863858,
+ "narHash": "sha256-6qKqa5cdchvGSBGigs/K4VWVfITGdMudrKYw2Sc79wo=",
"ref": "refs/heads/master",
- "rev": "ca40867b2d24aebc3f34c01012eda732afb4938b",
- "revCount": 95,
+ "rev": "0306d300b34e6221230bb7886f077bb78997da3a",
+ "revCount": 101,
"type": "git",
"url": "ssh://git@cynerd.cz/nixos-personal-secret"
},
@@ -494,9 +447,9 @@
},
"pyshv": {
"inputs": {
- "flake-utils": "flake-utils_7",
+ "flake-utils": "flake-utils_6",
"libshv": "libshv",
- "nixpkgs": "nixpkgs_9"
+ "nixpkgs": "nixpkgs_8"
},
"locked": {
"lastModified": 1705600354,
@@ -516,10 +469,9 @@
"inputs": {
"agenix": "agenix",
"flake-utils": "flake-utils",
- "nixbigclown": "nixbigclown",
"nixdeploy": "nixdeploy",
"nixos-hardware": "nixos-hardware",
- "nixpkgs": "nixpkgs_4",
+ "nixpkgs": "nixpkgs_3",
"nixturris": "nixturris",
"personal-secret": "personal-secret",
"shellrc": "shellrc",
@@ -531,8 +483,8 @@
},
"shellrc": {
"inputs": {
- "flake-utils": "flake-utils_5",
- "nixpkgs": "nixpkgs_6"
+ "flake-utils": "flake-utils_4",
+ "nixpkgs": "nixpkgs_5"
},
"locked": {
"lastModified": 1710324061,
@@ -550,8 +502,8 @@
},
"shvcli": {
"inputs": {
- "flake-utils": "flake-utils_6",
- "nixpkgs": "nixpkgs_7",
+ "flake-utils": "flake-utils_5",
+ "nixpkgs": "nixpkgs_6",
"pyshv": "pyshv"
},
"locked": {
@@ -570,8 +522,8 @@
},
"shvspy": {
"inputs": {
- "flake-utils": "flake-utils_9",
- "nixpkgs": "nixpkgs_10"
+ "flake-utils": "flake-utils_8",
+ "nixpkgs": "nixpkgs_9"
},
"locked": {
"lastModified": 1709892386,
@@ -726,8 +678,8 @@
},
"usbkey": {
"inputs": {
- "flake-utils": "flake-utils_10",
- "nixpkgs": "nixpkgs_11"
+ "flake-utils": "flake-utils_9",
+ "nixpkgs": "nixpkgs_10"
},
"locked": {
"lastModified": 1707940956,
diff --git a/flake.nix b/flake.nix
index 945f722..58dc86b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -15,7 +15,6 @@
usbkey.url = "gitlab:cynerd/usbkey";
nixturris.url = "gitlab:cynerd/nixturris";
- nixbigclown.url = "github:cynerd/nixbigclown";
vpsadminos.url = "github:vpsfreecz/vpsadminos";
};
@@ -31,11 +30,10 @@
shvcli,
usbkey,
nixturris,
- nixbigclown,
...
}: let
inherit (flake-utils.lib) eachDefaultSystem filterPackages;
- inherit (nixpkgs.lib) attrValues;
+ inherit (nixpkgs.lib) attrValues mapAttrs' nameValuePair filterAttrs;
revision = self.shortRev or self.dirtyShortRev or "unknown";
in
{
@@ -62,7 +60,6 @@
imports =
attrValues modules
++ [
- nixbigclown.nixosModules.default
nixdeploy.nixosModules.default
nixturris.nixosModules.default
personal-secret.nixosModules.default
@@ -82,7 +79,16 @@
// eachDefaultSystem (system: let
pkgs = nixpkgs.legacyPackages."${system}".extend self.overlays.default;
in {
- packages.default = pkgs.nixdeploy;
+ packages =
+ {default = pkgs.nixdeploy;}
+ // mapAttrs' (n: v: let
+ os =
+ if v.config.nixpkgs.hostPlatform.system == system
+ then v
+ else (v.extendModules {modules = [{nixpkgs.buildPlatform.system = system;}];});
+ in
+ nameValuePair "tarball-${n}" os.config.system.build.tarball)
+ (filterAttrs (_: v: v.config.system.build ? tarball) self.nixosConfigurations);
legacyPackages = pkgs;
devShells = filterPackages system (import ./devShells pkgs);
formatter = pkgs.alejandra;
diff --git a/nixos/configurations/binky.nix b/nixos/configurations/binky.nix
index c51f95b..bdfa47e 100644
--- a/nixos/configurations/binky.nix
+++ b/nixos/configurations/binky.nix
@@ -14,10 +14,8 @@ in {
};
wifiClient = true;
develop = true;
- openvpn = {
- oldpersonal = true;
- elektroline = true;
- };
+ wireguard = true;
+ openvpn.elektroline = true;
};
boot = {
@@ -56,6 +54,24 @@ in {
fileSystems = ["/"];
};
+ networking = {
+ useNetworkd = true;
+ useDHCP = false;
+ };
+ systemd.network = {
+ networks = {
+ "dhcp" = {
+ matchConfig.Name = "enp2s0f0 enp5s0f3u1u1 wlp3s0";
+ networkConfig = {
+ DHCP = "yes";
+ IPv6AcceptRA = "yes";
+ };
+ linkConfig.RequiredForOnline = "routable";
+ };
+ };
+ wait-online.enable = false;
+ };
+
services.syncthing = {
enable = true;
user = mkDefault "cynerd";
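Review bot: `linkConfig.RequiredForOnline = "routable"` on the `dhcp` network is only consulted by systemd-networkd-wait-online, which the same hunk switches off with `wait-online.enable = false`, so one of the two lines is dead configuration. If wait-online was disabled because the network matches three links (enp2s0f0, enp5s0f3u1u1, wlp3s0) and a laptop rarely has all of them routable, the NixOS option `systemd.network.wait-online.anyInterface = true;` expresses that directly and keeps network-online.target meaningful for services ordered after it. Either way a one-line comment stating the reason, e.g. `# wait-online disabled: not all three links are ever up at once`, would save the next reader the guess.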
diff --git a/nixos/configurations/dean.nix b/nixos/configurations/dean.nix
index b91083c..44feaea 100644
--- a/nixos/configurations/dean.nix
+++ b/nixos/configurations/dean.nix
@@ -1,35 +1,38 @@
{pkgs, ...}: {
- nixpkgs.hostPlatform.system = "aarch64-linux";
+ turris.board = "mox";
+ deploy.enable = true;
cynerd = {
- openvpn = {
- oldpersonal = true;
- };
+ wireguard = true;
monitoring.speedtest = true;
};
networking = {
- bridges = {
- brlan = {
- interfaces = [
- "eth0"
- "lan1"
- "lan2"
- "lan3"
- "lan4"
- ];
+ useNetworkd = true;
+ useDHCP = false;
+ };
+ systemd.network = {
+ netdevs."brlab".netdevConfig = {
+ Kind = "bridge";
+ Name = "brlan";
+ };
+ networks = {
+ "brlan" = {
+ matchConfig.Name = "brlan";
+ networkConfig = {
+ DHCP = "yes";
+ IPv6AcceptRA = "yes";
+ };
+ };
+ "lan-brlan" = {
+ matchConfig.Name = "lan* end0";
+ networkConfig.Bridge = "brlan";
};
};
- dhcpcd.allowInterfaces = ["brlan"];
+ # TODO investigate why it doesn't work
+ wait-online.enable = false;
};
- swapDevices = [
- {
- device = "/var/swap";
- priority = 1;
- }
- ];
-
environment.systemPackages = with pkgs; [
#openocd
tio
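Review bot: The bridge netdev is declared as `netdevs."brlab"` while its `Name` is `"brlan"` and the `lan-brlan` network binds to `"brlan"`; the attribute name only ends up in the generated unit's file name, so this probably still works, but the mismatch reads as a typo and will confuse anyone grepping for the bridge. Change the key to match: `netdevs."brlan".netdevConfig = {`. The `# TODO investigate why it doesn't work` above `wait-online.enable = false` would also be more useful if it named what was observed (e.g. which link never became routable).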
diff --git a/nixos/configurations/lipwig.nix b/nixos/configurations/lipwig.nix
index c484541..0eefe5f 100644
--- a/nixos/configurations/lipwig.nix
+++ b/nixos/configurations/lipwig.nix
@@ -19,6 +19,7 @@
enable = false;
baseDir = "/nas";
};
+ wireguard = true;
openvpn.oldpersonal = true;
};
@@ -29,10 +30,21 @@
fsType = "nfs";
};
- networking.firewall = {
- allowedTCPPorts = [80 443];
- allowedUDPPorts = [1194];
+ networking = {
+ useNetworkd = true;
+ useDHCP = false;
+ nftables.enable = true;
+ firewall = {
+ allowedTCPPorts = [80 443];
+ allowedUDPPorts = [1194];
+ filterForward = true;
+ extraForwardRules = ''
+ iifname {"wg", "personalvpn"} oifname {"wg", "personalvpn"} accept
+ '';
+ };
};
+ systemd.network.wait-online.enable = false;
+ systemd.services.networking-setup.wantedBy = ["network-online.target"];
# Web ######################################################################
services.nginx = {
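Review bot: The new `extraForwardRules` line turns lipwig into a hub that forwards every packet between the `wg` and `personalvpn` interfaces in both directions, including peer-to-peer within the same tunnel; that is presumably the intent, but it deserves a comment because it is the only thing standing between the two VPN populations, e.g. `# Hub: forward freely between the WireGuard mesh and the legacy OpenVPN mesh (both directions)`. Separately, `systemd.services.networking-setup.wantedBy` names a unit I cannot see defined in this diff; if it is meant to be NixOS's own `network-setup.service` the name is off by a few letters and the line is a silent no-op, so please confirm which unit is intended.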
diff --git a/nixos/configurations/spt-omnia.nix b/nixos/configurations/spt-omnia.nix
index ca4d211..8456368 100644
--- a/nixos/configurations/spt-omnia.nix
+++ b/nixos/configurations/spt-omnia.nix
@@ -37,12 +37,13 @@ in {
channel = 36;
};
};
+ wireguard = true;
openvpn.oldpersonal = true;
monitoring.speedtest = true;
};
services.journald.extraConfig = ''
- SystemMaxUse=512M
+ SystemMaxUse=8G
'';
environment = {
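Review bot: Raising journald's `SystemMaxUse` from 512M to 8G removes the implicit 10%-of-filesystem cap; on a router whose `/var/log` lives on small on-board flash this can let the journal crowd out the root filesystem, which I cannot rule out from the diff alone. If a large retained journal is wanted, pairing it with `SystemKeepFree=` and a comment explaining why (e.g. `# keep long history for speedtest/monitoring debugging`) would make the trade-off explicit.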
@@ -136,6 +137,7 @@ in {
IPv6AcceptRA = "no";
DHCPPrefixDelegation = "yes";
};
+ dhcpV6Config.PrefixDelegationHint = "::/56";
dhcpPrefixDelegationConfig = {
UplinkInterface = ":self";
SubnetId = 0;
@@ -179,7 +181,7 @@ in {
# TODO limit NSS clamping to just pppoe-wan
networking.firewall.extraForwardRules = ''
tcp flags syn tcp option maxseg size set rt mtu comment "Needed for PPPoE to fix IPv4"
- iifname {"home", "personalvpn"} oifname {"home", "personalvpn"} accept
+ iifname {"home", "personalvpn", "wg"} oifname {"home", "personalvpn", "wg"} accept
'';
services.syncthing = {
diff --git a/nixos/configurations/spt-omniax.nix b/nixos/configurations/spt-omniax.nix
deleted file mode 100644
index 4f9e0e0..0000000
--- a/nixos/configurations/spt-omniax.nix
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- turris.board = "omnia";
-
- cynerd = {
- router = {
- enable = true;
- wan = "end2";
- lanIP = "192.168.2.1";
- };
- wifiAP.spt = {
- enable = true;
- ar9287.interface = "wlp3s0";
- qca988x.interface = "wlp2s0";
- };
- monitoring.speedtest = true;
- };
-
- networking.useDHCP = false;
- systemd.network = {
- networks = {
- "end2" = {
- matchConfig.Name = "end2";
- networkConfig = {
- BindCarrier = "end2";
- DHCP = "yes";
- IPv6AcceptRA = "yes";
- DHCPPrefixDelegation = "yes";
- };
- dhcpPrefixDelegationConfig = {
- UplinkInterface = ":self";
- SubnetId = 0;
- Announce = "no";
- };
- linkConfig.RequiredForOnline = "routable";
- };
- "lan-brlan" = {
- matchConfig.Name = "lan*";
- networkConfig.Bridge = "brlan";
- bridgeVLANs = [
- {
- bridgeVLANConfig = {
- EgressUntagged = 1;
- PVID = 1;
- };
- }
- {bridgeVLANConfig.VLAN = 2;}
- ];
- };
- };
- };
-}
diff --git a/nixos/modules/desktop.nix b/nixos/modules/desktop.nix
index d0cc9d5..b145929 100644
--- a/nixos/modules/desktop.nix
+++ b/nixos/modules/desktop.nix
@@ -264,6 +264,7 @@ in {
};
documentation = {
+ enable = true;
man.enable = true;
info.enable = true;
};
diff --git a/nixos/modules/develop.nix b/nixos/modules/develop.nix
index 2daead8..e5510c6 100644
--- a/nixos/modules/develop.nix
+++ b/nixos/modules/develop.nix
@@ -65,6 +65,7 @@ in {
(python3.withPackages (pypkgs:
with pypkgs; [
ipython
+ python-lsp-server
pytest
pytest-html
@@ -151,6 +152,10 @@ in {
programs.wireshark.package = pkgs.wireshark;
documentation = {
+ nixos = {
+ enable = true;
+ includeAllModules = true;
+ };
dev.enable = true;
doc.enable = true;
};
@@ -185,11 +190,5 @@ in {
"develop"
"libvirtd"
];
-
- # Allow using latest git version from registry
- nixpkgs.flake = {
- setNixPath = false;
- setFlakeRegistry = false;
- };
};
}
diff --git a/nixos/modules/generic.nix b/nixos/modules/generic.nix
index 5c6e2fe..e4ac094 100644
--- a/nixos/modules/generic.nix
+++ b/nixos/modules/generic.nix
@@ -43,7 +43,13 @@ in {
services.fwupd.enable = mkDefault (pkgs.system == "x86_64-linux");
systemd.oomd.enable = false;
- nixpkgs.config.allowUnfree = true;
+ nixpkgs = {
+ config.allowUnfree = true;
+ flake = {
+ setNixPath = false;
+ setFlakeRegistry = false;
+ };
+ };
environment.systemPackages = with pkgs;
[
git # We need git for this repository to even work
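Review bot: The why-comment that explained `setNixPath = false` / `setFlakeRegistry = false` in develop.nix (`# Allow using latest git version from registry`, removed in the develop.nix hunk) was not carried over when the block moved into generic.nix, so the setting is now applied to every host with no stated reason. Restore it above `flake = {` in this hunk, e.g. `# Don't pin NIX_PATH/registry to this flake's nixpkgs; allow the latest git version from the registry`.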
@@ -201,5 +207,11 @@ in {
'';
programs.fuse.userAllowOther = true;
+
+ documentation = {
+ enable = mkDefault false;
+ doc.enable = mkDefault false;
+ nixos.enable = mkDefault false;
+ };
};
}
diff --git a/nixos/modules/home-assistant.nix b/nixos/modules/home-assistant.nix
index 267f725..769b1c7 100644
--- a/nixos/modules/home-assistant.nix
+++ b/nixos/modules/home-assistant.nix
@@ -5,13 +5,12 @@
...
}: let
inherit (lib) mkIf mkEnableOption;
- cnf = config.cynerd.home-assistant;
in {
options = {
cynerd.home-assistant = mkEnableOption "Enable Home Assistant and Bigclown";
};
- config = mkIf cnf {
+ config = mkIf config.cynerd.home-assistant {
services.mosquitto = {
enable = true;
listeners = [
@@ -52,16 +51,13 @@ in {
1883 # Mosquitto
];
- services.bigclown = {
- gateway = {
- enable = true;
- device = "/dev/ttyUSB0";
- environmentFile = "/run/secrets/bigclown.env";
- baseTopicPrefix = "bigclown/";
- mqtt = {
- username = "bigclown";
- password = "@PASS_MQTT@";
- };
+ services.bcg = {
+ enable = true;
+ device = "/dev/ttyUSB0";
+ baseTopicPrefix = "bigclown/";
+ mqtt = {
+ username = "bigclown";
+ keyfile = "/run/secrets/mqtt-bigclown.pass";
};
};
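Review bot: `keyfile = "/run/secrets/mqtt-bigclown.pass"` replaces the `@PASS_MQTT@` placeholder plus `environmentFile`, which is the better shape, but the diff does not show the secret being declared or who may read it; unless that file is provisioned with an owner or mode the bcg service can read, the gateway will fail at start rather than at build time. Please confirm the matching secret declaration exists and that the mosquitto listener (outside this hunk) still carries a `bigclown` user pointing at the same credential. A short comment such as `# provisioned by the secrets module; must be readable by the bcg service user` next to `keyfile` would document the dependency.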
diff --git a/nixos/modules/hosts.nix b/nixos/modules/hosts.nix
index b9a40a6..054098d 100644
--- a/nixos/modules/hosts.nix
+++ b/nixos/modules/hosts.nix
@@ -9,6 +9,7 @@
staticZoneOption = mkOption {
type = types.attrsOf types.str;
readOnly = true;
+ description = "The mapping of zone hosts to their IP";
};
in {
options = {
@@ -29,7 +30,6 @@ in {
cynerd.hosts = {
vpn = {
"lipwig" = "10.8.0.1";
- "dean" = "10.8.0.4";
# Portable
"binky" = "10.8.0.2";
"albert" = "10.8.0.3";
@@ -81,7 +81,6 @@ in {
"${cnf.vpn.lipwig}" = ["lipwig.vpn"];
"${cnf.vpn.android}" = ["android.vpn"];
"${cnf.vpn.albert}" = ["albert.vpn"];
- "${cnf.vpn.dean}" = ["dean" "dean.vpn"];
"${cnf.vpn.binky}" = ["binky.vpn"];
"${cnf.vpn.spt-omnia}" = ["spt.vpn"];
"${cnf.vpn.adm-omnia}" = ["adm.vpn"];
@@ -91,7 +90,7 @@ in {
"${cnf.wg.android}" = ["android.wg"];
"${cnf.wg.spt-omnia}" = ["spt.wg"];
"${cnf.wg.adm-omnia}" = ["adm.wg"];
- "${cnf.wg.dean}" = ["dean.wg"];
+ "${cnf.wg.dean}" = ["dean" "dean.wg"];
# Spt
"${cnf.spt.omnia}" = ["omnia.spt"];
"${cnf.spt.mox}" = ["mox.spt"];
diff --git a/nixos/modules/router.nix b/nixos/modules/router.nix
index ed634b1..3002d9b 100644
--- a/nixos/modules/router.nix
+++ b/nixos/modules/router.nix
@@ -54,10 +54,9 @@ in {
firewall = {
logRefusedConnections = false;
interfaces = {
- "home" = {allowedUDPPorts = [67 68];};
- "guest" = {allowedUDPPorts = [67 68];};
+ "home" = {allowedUDPPorts = [53 67 68];};
+ "guest" = {allowedUDPPorts = [53 67 68];};
};
- rejectPackets = true;
filterForward = true;
};
nat = {
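Review bot: Port 53 is opened for UDP only on the `home` and `guest` interfaces, but the resolver these clients are pointed at (later hunks: `DNS = "${cnf.lanIP}"`, `dnssec = "true"`) will return DNSSEC-signed answers that frequently exceed the UDP size and set TC, after which clients retry over TCP and get refused. Add TCP as well: `"home" = {allowedUDPPorts = [53 67 68]; allowedTCPPorts = [53];};` and the same for `"guest"`. Dropping `rejectPackets = true` also flips refused traffic from REJECT to the NixOS default DROP; if that is deliberate, a one-line comment would stop it being re-added.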
@@ -119,7 +118,7 @@ in {
PoolOffset = cnf.dynIPStart;
PoolSize = cnf.dynIPCount;
EmitDNS = "yes";
- DNS = "1.1.1.1";
+ DNS = "${cnf.lanIP}";
};
dhcpServerStaticLeases =
mapAttrsToList (n: v: {
@@ -150,7 +149,7 @@ in {
PoolOffset = cnf.dynIPStart;
PoolSize = cnf.dynIPCount;
EmitDNS = "yes";
- DNS = "1.1.1.1";
+ DNS = "192.168.1.1";
};
dhcpPrefixDelegationConfig = {
UplinkInterface = cnf.wan;
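Review bot: `DNS = "192.168.1.1"` here and the `DNSStubListenerExtra=192.168.1.1` line in the next hunk hard-code what is presumably the router's address on the second (guest) network, while the first network uses `cnf.lanIP`; the two literals can drift apart from whatever assigns that address. Hoist it into a module option alongside `lanIP` (a guest-network counterpart) and reference it in both places so a change in one spot cannot leave the stub listener and the DHCP-advertised resolver disagreeing.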
@@ -166,6 +165,10 @@ in {
enable = true;
dnssec = "true";
fallbackDns = ["1.1.1.1" "8.8.8.8"];
+ extraConfig = ''
+ DNSStubListenerExtra=${cnf.lanIP}
+ DNSStubListenerExtra=192.168.1.1
+ '';
};
};
}
diff --git a/nixos/modules/wireguad.nix b/nixos/modules/wireguad.nix
index 67bd8d5..d96fc9e 100644
--- a/nixos/modules/wireguad.nix
+++ b/nixos/modules/wireguad.nix
@@ -1,18 +1,100 @@
{
config,
lib,
+ pkgs,
...
}: let
- inherit (lib) mkEnableOption mkIf;
- cnf = config.cynerd.wireguard;
+ inherit (lib) mkEnableOption mkIf mapAttrsToList optional optionals optionalAttrs filterAttrs;
+ inherit (config.networking) hostName;
+ endpoints = {
+ "lipwig" = "cynerd.cz";
+ "spt-omnia" = "spt.cynerd.cz";
+ "adm-omnia" = "adm.cynerd.cz";
+ };
+ is_endpoint = endpoints ? "${hostName}";
in {
options = {
- cynerd.wireguard = {
- enable = mkEnableOption "Enable Wireguard";
- };
+ cynerd.wireguard = mkEnableOption "Enable Wireguard";
};
- config =
- mkIf cnf.enable {
+ config = mkIf config.cynerd.wireguard {
+ environment.systemPackages = [pkgs.wireguard-tools];
+ systemd.network = {
+ netdevs."wg" = {
+ netdevConfig = {
+ Name = "wg";
+ Kind = "wireguard";
+ Description = "Personal Wireguard tunnel";
+ MTUBytes = "1300";
+ };
+ wireguardConfig = {
+ ListenPort = 51820;
+ PrivateKeyFile = "/run/secrets/wg.key";
+ };
+ wireguardPeers =
+ [
+ {
+ wireguardPeerConfig =
+ {
+ Endpoint = "${endpoints.lipwig}:51820";
+ AllowedIPs = ["0.0.0.0/0"];
+ PublicKey = config.secrets.wireguardPubs.lipwig;
+ }
+ // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
+ }
+ {
+ wireguardPeerConfig =
+ {
+ Endpoint = "${endpoints.spt-omnia}:51820";
+ AllowedIPs = [
+ "${config.cynerd.hosts.wg.spt-omnia}/32"
+ "10.8.2.0/24"
+ ];
+ PublicKey = config.secrets.wireguardPubs.spt-omnia;
+ }
+ // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
+ }
+ #{
+ # wireguardPeerConfig =
+ # {
+ # Endpoint = "${endpoints.adm-omnia}:51820";
+ # AllowedIPs = [
+ # "${config.cynerd.hosts.wg.adm-omnia}/32"
+ # "10.8.3.0/24"
+ # ];
+ # PublicKey = config.secrets.wireguardPubs.adm-omnia;
+ # }
+ # // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
+ #}
+ ]
+ ++ (optionals is_endpoint (mapAttrsToList (n: v: {
+ wireguardPeerConfig = {
+ AllowedIPs = "${config.cynerd.hosts.wg."${n}"}/32";
+ PublicKey = v;
+ };
+ }) (filterAttrs (n: _: ! endpoints ? "${n}") config.secrets.wireguardPubs)));
+ };
+ networks."wg" = {
+ matchConfig.Name = "wg";
+ networkConfig = {
+ Address = "${config.cynerd.hosts.wg."${hostName}"}/24";
+ IPForward = is_endpoint;
+ };
+ routes =
+ (optional (hostName != "spt-omnia") {
+ routeConfig = {
+ Gateway = config.cynerd.hosts.wg.spt-omnia;
+ Destination = "10.8.2.0/24";
+ };
+ })
+ ++ (optional (hostName != "adm-omnia" && hostName != "lipwig") {
+ routeConfig = {
+ Gateway = config.cynerd.hosts.wg.adm-omnia;
+ Destination = "10.8.3.0/24";
+ };
+ });
+ };
};
+ networking.firewall.allowedUDPPorts = [51820];
+ };
}
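Review bot: `networking.firewall.allowedUDPPorts = [51820]` opens the WireGuard listen port on every interface of every host that enables the module, including roaming clients like binky that only ever dial out; only hosts in `endpoints` need an inbound port, so `networking.firewall.allowedUDPPorts = optional is_endpoint 51820;` keeps the exposure to the three hubs (the module already has `optional` in scope). On the endpoints themselves the static `wireguardPeers` list still contains the host's own entry (lipwig lists lipwig, spt-omnia lists spt-omnia); the kernel appears to ignore a peer whose key equals the interface's own, but wrapping each hard-coded peer in `optional (hostName != "<that host>")` makes the intent explicit instead of relying on that. The generated endpoint peers set `AllowedIPs` to a bare string while the static ones use a list; if the NixOS option coerces both this is only inconsistency, but using a list in both places removes the doubt.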