diff options
Diffstat (limited to 'nixos/configurations')
| -rw-r--r-- | nixos/configurations/adm-mpd.nix | 58 | ||||
| -rw-r--r-- | nixos/configurations/adm-omnia.nix | 41 | ||||
| -rw-r--r-- | nixos/configurations/adm-omnia2.nix | 2 | ||||
| -rw-r--r-- | nixos/configurations/albert.nix | 41 | ||||
| -rw-r--r-- | nixos/configurations/binky.nix | 19 | ||||
| -rw-r--r-- | nixos/configurations/dean.nix | 15 | ||||
| -rw-r--r-- | nixos/configurations/dribbler.nix | 112 | ||||
| -rw-r--r-- | nixos/configurations/errol.nix | 102 | ||||
| -rw-r--r-- | nixos/configurations/gaspode.nix | 1 | ||||
| -rw-r--r-- | nixos/configurations/lipwig.nix | 181 | ||||
| -rw-r--r-- | nixos/configurations/ridcully.nix | 81 | ||||
| -rw-r--r-- | nixos/configurations/spt-mox.nix | 125 | ||||
| -rw-r--r-- | nixos/configurations/spt-mox2.nix | 23 | ||||
| -rw-r--r-- | nixos/configurations/spt-mpd.nix | 1 | ||||
| -rw-r--r-- | nixos/configurations/spt-omnia.nix | 42 | ||||
| -rw-r--r-- | nixos/configurations/zd-mox.nix | 157 | ||||
| -rw-r--r-- | nixos/configurations/zd-one0.nix | 61 |
17 files changed, 736 insertions, 326 deletions
diff --git a/nixos/configurations/adm-mpd.nix b/nixos/configurations/adm-mpd.nix index ac3b4de..47ac008 100644 --- a/nixos/configurations/adm-mpd.nix +++ b/nixos/configurations/adm-mpd.nix @@ -5,26 +5,18 @@ }: let inherit (lib) filterAttrs; in { - nixpkgs.hostPlatform.system = "aarch64-linux"; + system.stateVersion = "24.05"; - fileSystems = { - "/" = { - device = "/dev/mmcblk0p2"; - options = ["compress=lzo" "subvol=@nix"]; - }; - "/home" = { - device = "/dev/mmcblk0p2"; - options = ["compress=lzo" "subvol=@home"]; - }; - "/boot" = { - device = "/dev/mmcblk0p1"; - }; + cynerd.rpi = 3; + deploy = { + enable = true; + ssh.host = "nixos@mpd.adm"; }; networking.wireless = { enable = true; networks = filterAttrs (n: _: n == "Nela") config.secrets.wifiNetworks; - environmentFile = "/run/secrets/wifi.env"; + secretsFile = "/run/secrets/wifi.secrets"; userControlled.enable = true; }; @@ -33,24 +25,24 @@ in { #alsa.enable = true; #pulse.enable = true; #}; - hardware.pulseaudio = { - enable = true; - systemWide = true; - zeroconf.publish.enable = true; - }; + #hardware.pulseaudio = { + # enable = true; + # systemWide = true; + # zeroconf.publish.enable = true; + #}; - services.spotifyd = { - enable = true; - settings.global = { - device_name = "Adámkovi"; - device = "sysdefault"; - mixer = "Master"; - bitrate = 320; - cache_path = "/var/cahe/spotify"; - no_audio_cache = true; - volume_normalisation = true; - normalisation_pregain = -10; - initial_volume = 60; - }; - }; + #services.spotifyd = { + # enable = true; + # settings.global = { + # device_name = "Adámkovi"; + # device = "sysdefault"; + # mixer = "Master"; + # bitrate = 320; + # cache_path = "/var/cahe/spotify"; + # no_audio_cache = true; + # volume_normalisation = true; + # normalisation_pregain = -10; + # initial_volume = 60; + # }; + #}; } diff --git a/nixos/configurations/adm-omnia.nix b/nixos/configurations/adm-omnia.nix index 056a68e..2b80bbc 100644 --- a/nixos/configurations/adm-omnia.nix +++ b/nixos/configurations/adm-omnia.nix @@ -1,10 +1,12 @@ {config, ...}: let hosts = config.cynerd.hosts.adm; in { + system.stateVersion = "24.05"; + turris.board = "omnia"; deploy = { - enable = false; - ssh.host = "omnia.adm"; + enable = true; + ssh.host = "adm.cynerd.cz"; }; cynerd = { @@ -13,7 +15,6 @@ in { wan = "pppoe-wan"; lanIP = hosts.omnia; staticLeases = { - "70:85:c2:4a:59:f2" = hosts.ridcully; "7c:b0:c2:bb:9c:ca" = hosts.albert; "4c:d5:77:0d:85:d9" = hosts.binky; "b8:27:eb:49:54:5a" = hosts.mpd; @@ -23,16 +24,16 @@ in { }; }; wifiAP.adm = { - enable = false; + enable = true; ar9287 = { - interface = "wlp1s0"; + interface = "wlp2s0"; bssids = config.secrets.wifiMacs.adm-omnia.ar9287; - channel = 11; + channel = 7; }; qca988x = { - interface = "wlp3s0"; + interface = "wlp1s0"; bssids = config.secrets.wifiMacs.adm-omnia.qca988x; - channel = 36; + channel = 44; }; }; wireguard = true; @@ -48,12 +49,18 @@ in { fileSystems = ["/"]; }; - networking = { - useNetworkd = true; - useDHCP = false; + services.fail2ban = { + enable = true; + ignoreIP = ["10.8.1.0/24" "10.8.2.0/24"]; }; + + networking.useDHCP = false; systemd.network = { networks = { + "end2" = { + matchConfig.Name = "end2"; # Ensure that it is managed by systemd-networkd + networkConfig.IPv6AcceptRA = false; + }; "pppoe-wan" = { matchConfig.Name = "pppoe-wan"; networkConfig = { @@ -75,7 +82,7 @@ in { linkConfig.RequiredForOnline = "routable"; }; "lan-brlan" = { - matchConfig.Name = "lan[1-4]"; + matchConfig.Name = "lan4"; networkConfig.Bridge = "brlan"; bridgeVLANs = [ { @@ -86,7 +93,7 @@ in { ]; }; "lan-guest" = { - matchConfig.Name = "lan0"; + matchConfig.Name = "lan[0-3]"; networkConfig.Bridge = "brlan"; bridgeVLANs = [ { @@ -114,10 +121,14 @@ in { password 02 ''; }; - systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.device"]; + systemd.services."pppd-wan" = { + after = ["sys-subsystem-net-devices-end2.device"]; + partOf = ["systemd-networkd.service"]; + }; # TODO limit NSS clamping to just pppoe-wan networking.firewall.extraForwardRules = '' tcp flags syn tcp option maxseg size set rt mtu comment "Needed for PPPoE to fix IPv4" - iifname {"home", "personalvpn", "wg"} oifname {"home", "personalvpn", "wg"} accept + iifname {"home", "wg"} oifname {"home", "wg"} accept + iifname "home" oifname "guest" accept comment "Allow home to access guest devices" ''; } diff --git a/nixos/configurations/adm-omnia2.nix b/nixos/configurations/adm-omnia2.nix index 8b47e63..fc5a92d 100644 --- a/nixos/configurations/adm-omnia2.nix +++ b/nixos/configurations/adm-omnia2.nix @@ -1,4 +1,6 @@ {config, ...}: { + system.stateVersion = "24.05"; + turris.board = "omnia"; deploy = { enable = true; diff --git a/nixos/configurations/albert.nix b/nixos/configurations/albert.nix deleted file mode 100644 index a6a4ee1..0000000 --- a/nixos/configurations/albert.nix +++ /dev/null @@ -1,41 +0,0 @@ -{ - nixpkgs.hostPlatform.system = "x86_64-linux"; - - cynerd = { - desktop = { - enable = true; - laptop = true; - }; - wifiClient = true; - openvpn = { - oldpersonal = true; - }; - }; - - boot.initrd.availableKernelModules = ["xhci_pci" "usb_storage" "sd_mod"]; - - hardware.cpu.intel.updateMicrocode = true; - - fileSystems = { - "/" = { - device = "/dev/disk/by-uuid/1c9bafac-fcf8-41c4-b394-bca5917ca82d"; - fsType = "btrfs"; - options = ["compress=lzo" "subvol=@nix"]; - }; - "/home" = { - device = "/dev/disk/by-uuid/1c9bafac-fcf8-41c4-b394-bca5917ca82d"; - fsType = "btrfs"; - options = ["compress=lzo" "subvol=@home"]; - }; - "/boot" = { - device = "/dev/disk/by-uuid/E403-124B"; - fsType = "vfat"; - }; - - "/home2" = { - device = "/dev/disk/by-uuid/55e177a1-215e-475b-ba9c-771b5fa3f8f0"; - fsType = "btrfs"; - options = ["compress=lzo" "subvol=@home"]; - }; - }; -} diff --git a/nixos/configurations/binky.nix b/nixos/configurations/binky.nix index 7765d01..9e3866f 100644 --- a/nixos/configurations/binky.nix +++ b/nixos/configurations/binky.nix @@ -1,15 +1,10 @@ { - lib, - pkgs, - ... -}: let - inherit (lib) mkDefault; -in { + system.stateVersion = "24.05"; nixpkgs.hostPlatform.system = "x86_64-linux"; deploy = { enable = true; default = false; - ssh.host = "binky.spt"; + ssh.host = "binky"; }; cynerd = { @@ -88,16 +83,6 @@ in { services.syncthing = { enable = true; - user = mkDefault "cynerd"; - group = mkDefault "cynerd"; - openDefaultPorts = true; - - overrideDevices = false; - overrideFolders = false; - dataDir = "/home/cynerd"; - configDir = "/home/cynerd/.config/syncthing"; }; - - environment.systemPackages = [pkgs.heroic]; } diff --git a/nixos/configurations/dean.nix b/nixos/configurations/dean.nix index 187e148..a95d9f1 100644 --- a/nixos/configurations/dean.nix +++ b/nixos/configurations/dean.nix @@ -1,4 +1,5 @@ {pkgs, ...}: { + system.stateVersion = "24.05"; turris.board = "mox"; deploy.enable = true; @@ -10,6 +11,20 @@ }; }; + boot.initrd.availableKernelModules = ["dm-mod"]; + + hardware.enableAllFirmware = false; # No wifi so we do not need firmwares + services = { + journald.extraConfig = '' + SystemMaxUse=512M + ''; + + btrfs.autoScrub = { + enable = true; + fileSystems = ["/"]; + }; + }; + networking = { useNetworkd = true; useDHCP = false; diff --git a/nixos/configurations/dribbler.nix b/nixos/configurations/dribbler.nix new file mode 100644 index 0000000..038f455 --- /dev/null +++ b/nixos/configurations/dribbler.nix @@ -0,0 +1,112 @@ +{pkgs, ...}: { + system.stateVersion = "25.11"; + nixpkgs.hostPlatform.system = "x86_64-linux"; + deploy = { + enable = true; + default = false; + ssh.host = "dribbler"; + }; + + cynerd = { + wifiClient = true; + }; + + boot = { + initrd.availableKernelModules = ["nvme" "xhci_pci" "usb_storage" "sd_mod"]; + kernelModules = ["kvm-intel"]; + kernelParams = ["video=eDP-1:d"]; # Disable internal display for kodi to use HDMI + }; + + hardware.cpu.intel.updateMicrocode = true; + + cynerd.autounlock = { + "encroot" = "/dev/disk/by-uuid/f791f524-0552-487b-9bf9-5c20ca78651b"; + }; + fileSystems = { + "/" = { + device = "/dev/mapper/encroot"; + fsType = "btrfs"; + options = ["compress=lzo"]; + }; + "/boot" = { + device = "/dev/disk/by-uuid/7143-1EE7"; + fsType = "vfat"; + }; + }; + services.btrfs.autoScrub = { + enable = true; + fileSystems = ["/"]; + }; + + networking = { + useNetworkd = true; + useDHCP = false; + }; + systemd.network = { + networks = { + "dhcp" = { + matchConfig.Name = "enp1s0"; + networkConfig = { + DHCP = "yes"; + IPv6AcceptRA = "yes"; + }; + linkConfig.RequiredForOnline = "routable"; + }; + "dhcp-wlan" = { + matchConfig.Name = "wlp2s0"; + networkConfig = { + DHCP = "yes"; + IPv6AcceptRA = "yes"; + }; + routes = [{Metric = 1088;}]; + linkConfig.RequiredForOnline = "routable"; + }; + }; + wait-online.enable = false; + }; + + # Kodi + environment.systemPackages = with pkgs; [ + kodi-gbm + ]; + hardware = { + graphics = { + enable = true; + enable32Bit = true; + extraPackages = with pkgs; [ + intel-media-driver + libvdpau-va-gl + ]; + }; + bluetooth.enable = true; + }; + services.pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + }; + security.rtkit.enable = true; + #nixpkgs.config.kodi.enableAdvancedLauncher = true; + users.extraUsers.kodi = { + isNormalUser = true; + extraGroups = ["audio" "video" "input"]; + }; + systemd.services.kodi = { + description = "Kodi standalone (GBM)"; + wantedBy = ["multi-user.target"]; + conflicts = ["getty@tty1.service"]; + serviceConfig = { + User = "kodi"; + TTYPath = "/dev/tty1"; + ExecStart = "${pkgs.kodi-gbm}/bin/kodi-standalone"; + Restart = "on-abort"; + StandardInput = "tty"; + StandardOutput = "journal"; + }; + }; + networking.firewall = { + allowedTCPPorts = [8080]; + allowedUDPPorts = [8080]; + }; +} diff --git a/nixos/configurations/errol.nix b/nixos/configurations/errol.nix index fd348e8..e45fae5 100644 --- a/nixos/configurations/errol.nix +++ b/nixos/configurations/errol.nix @@ -1,31 +1,24 @@ -{ - config, - lib, - pkgs, - ... -}: let - inherit (lib) mkDefault; -in { +{pkgs, ...}: { + system.stateVersion = "24.05"; nixpkgs.hostPlatform.system = "x86_64-linux"; deploy.enable = true; - cynerd = { - desktop.enable = true; - develop = true; - gaming = true; - openvpn.elektroline = true; - }; - boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "usb_storage"]; boot.kernelModules = ["kvm-amd"]; hardware.cpu.amd.updateMicrocode = true; services.hardware.openrgb.motherboard = "amd"; + zramSwap = { + enable = true; + memoryPercent = 50; + }; + cynerd.autounlock = { "encroot" = "/dev/disk/by-uuid/7c412ae6-6016-45af-8c2a-8fcc394dbbe6"; "enchdd1" = "/dev/disk/by-uuid/87f16080-5ff6-43dd-89f3-307455a46fbe"; "enchdd2" = "/dev/disk/by-uuid/be4a33fa-8bc6-431d-a3ac-787668f223ed"; + #"encback" = "/dev/disk/by-uuid/1bd8c637-f71e-4fb0-96de-b660c4f1afaf"; }; fileSystems = { "/" = { @@ -53,6 +46,11 @@ in { fsType = "btrfs"; options = ["compress=lzo" "subvol=@home"]; }; + #"/back" = { + # device = "/dev/mapper/encback"; + # fsType = "btrfs"; + # options = ["compress=lzo"]; + #}; }; services.btrfs.autoScrub = { enable = true; @@ -83,75 +81,11 @@ in { pkgs.nvtopPackages.amd ]; - services.syncthing = { - enable = true; - user = mkDefault "cynerd"; - group = mkDefault "cynerd"; - openDefaultPorts = true; - - overrideDevices = false; - overrideFolders = false; - - dataDir = "/home/cynerd"; - configDir = "/home/cynerd/.config/syncthing"; - }; - - nixpkgs.config.permittedInsecurePackages = ["openssl-1.1.1w"]; # TODO - services.home-assistant = { - enable = true; - openFirewall = true; - configDir = "/var/lib/hass"; - config = { - homeassistant = { - name = "SPT"; - latitude = "!secret latitude"; - longitude = "!secret longitude"; - elevation = "!secret elevation"; - time_zone = "Europe/Prague"; - country = "CZ"; - }; - http.server_port = 8808; - mqtt = { - sensor = import ../modules/home-assistant/sensors.nix; - light = import ../modules/home-assistant/light.nix; - }; - default_config = {}; - automation = "!include automations.yaml"; - }; - extraComponents = ["met"]; - package = pkgs.home-assistant.override { - extraPackages = pkgs: - with pkgs; [ - securetar - pyipp - ]; - }; - }; - - services.zigbee2mqtt = { - enable = true; - settings = { - serial.port = "/dev/serial/by-id/usb-ITEAD_SONOFF_Zigbee_3.0_USB_Dongle_Plus_V2_20220812153849-if00"; - mqtt = { - server = "mqtt://${config.cynerd.hosts.spt.mox}:1883"; - user = "zigbee2mqtt"; - password = "!secret.yaml mqtt_password"; - }; - advanced = { - network_key = "!secret.yaml network_key"; - homeassistant_legacy_entity_attributes = false; - legacy_api = false; - legacy_availability_payload = false; - last_seen = "epoch"; - }; - frontend = true; - availability = true; - homeassistant = { - legacy_triggers = false; - }; - device_options.legacy = false; - permit_join = false; - devices = config.secrets.zigbee2mqttDevices; + ############################################################################## + services = { + syncthing = { + enable = true; + dataDir = "/home/cynerd"; }; }; } diff --git a/nixos/configurations/gaspode.nix b/nixos/configurations/gaspode.nix index 78d8277..5d6d090 100644 --- a/nixos/configurations/gaspode.nix +++ b/nixos/configurations/gaspode.nix @@ -1,4 +1,5 @@ { + system.stateVersion = "25.05"; nixpkgs.hostPlatform.system = "armv7l-linux"; fileSystems = { diff --git a/nixos/configurations/lipwig.nix b/nixos/configurations/lipwig.nix index 7d00a37..556ca5d 100644 --- a/nixos/configurations/lipwig.nix +++ b/nixos/configurations/lipwig.nix @@ -7,6 +7,7 @@ imports = [inputModules.vpsadminos]; config = { + system.stateVersion = "24.05"; nixpkgs.hostPlatform.system = "x86_64-linux"; deploy = { @@ -19,12 +20,15 @@ hw = false; drives = false; }; - syncthing = { - enable = false; - baseDir = "/nas"; - }; wireguard = true; - openvpn.oldpersonal = true; + borgjobs = { + # TODO backup influx + postgresql.dumpCommand = pkgs.writeScript "postgreqsl-backup.sh" '' + /run/wrappers/bin/sudo -u postgres /run/current-system/sw/bin/pg_dumpall + ''; + nextcloud_data.paths = "/nas/nextcloud/data"; + sync_data.paths = "/sync"; + }; }; boot.loader.systemd-boot.enable = false; @@ -39,7 +43,7 @@ ]; }; "/nas/nextcloud-sync" = { - device = "/nas/sync"; + device = "/sync"; fsType = "fuse.bindfs"; options = ["map=syncthing/nextcloud:@syncthing/@nextcloud"]; }; @@ -70,68 +74,71 @@ ]; # Web ###################################################################### - services.nginx = { - enable = true; - virtualHosts = { - "cynerd.cz" = { - forceSSL = true; - enableACME = true; - locations = { - "/".root = ../../web; - "/radicale/" = { - proxyPass = "http://127.0.0.1:5232/"; - extraConfig = '' - proxy_set_header X-Script-Name /radicale; - proxy_pass_header Authorization; - ''; + services = { + nginx = { + enable = true; + virtualHosts = { + "cynerd.cz" = { + forceSSL = true; + enableACME = true; + locations = { + "/".root = ../../web; + "/radicale/" = { + proxyPass = "http://127.0.0.1:5232/"; + extraConfig = '' + proxy_set_header X-Script-Name /radicale; + proxy_pass_header Authorization; + ''; + }; }; }; - }; - "git.cynerd.cz" = { - forceSSL = true; - useACMEHost = "cynerd.cz"; - root = "${pkgs.cgit}/cgit"; - locations."/".tryFiles = "$uri @cgit"; - locations."@cgit".extraConfig = '' - fastcgi_pass unix:${config.services.fcgiwrap.instances.cgit.socket.address}; - fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi; - fastcgi_param PATH_INFO $uri; - fastcgi_param QUERY_STRING $args; - fastcgi_param HTTP_HOST $server_name; - ''; - }; - "cloud.cynerd.cz" = { - forceSSL = true; - useACMEHost = "cynerd.cz"; - }; - "grafana.cynerd.cz" = { - forceSSL = true; - useACMEHost = "cynerd.cz"; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}/"; - extraConfig = "proxy_set_header Host $host;"; - proxyWebsockets = true; + "git.cynerd.cz" = { + forceSSL = true; + useACMEHost = "cynerd.cz"; + root = "${pkgs.cgit}/cgit"; + locations."/".tryFiles = "$uri @cgit"; + locations."@cgit".extraConfig = '' + fastcgi_pass unix:${config.services.fcgiwrap.instances.cgit.socket.address}; + fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi; + fastcgi_param PATH_INFO $uri; + fastcgi_param QUERY_STRING $args; + fastcgi_param HTTP_HOST $server_name; + ''; + }; + "cloud.cynerd.cz" = { + forceSSL = true; + useACMEHost = "cynerd.cz"; + }; + "grafana.cynerd.cz" = { + forceSSL = true; + useACMEHost = "cynerd.cz"; + locations."/" = { + proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}"; + proxyWebsockets = true; + recommendedProxySettings = true; + }; + }; + "searx.cynerd.cz" = { + forceSSL = true; + useACMEHost = "cynerd.cz"; + locations."/".extraConfig = '' + uwsgi_pass "unix://${config.services.searx.uwsgiConfig.socket}"; + include ${config.services.nginx.package}/conf/uwsgi_params; + ''; }; - }; - "searx.cynerd.cz" = { - forceSSL = true; - useACMEHost = "cynerd.cz"; - locations."/".extraConfig = '' - uwsgi_pass "unix:///run/searx/searx.sock"; - include ${config.services.nginx.package}/conf/uwsgi_params; - ''; }; }; - }; - services.fcgiwrap.instances.cgit = { - process.user = "git"; - socket = {inherit (config.services.nginx) user group;}; + fcgiwrap.instances.cgit = { + process.user = "git"; + socket = {inherit (config.services.nginx) user group;}; + }; }; security.acme = { acceptTerms = true; defaults.email = "cynerd+acme@email.cz"; certs."cynerd.cz".extraDomainNames = [ "cloud.cynerd.cz" + "office.cynerd.cz" "git.cynerd.cz" "grafana.cynerd.cz" "searx.cynerd.cz" @@ -191,7 +198,7 @@ # Nextcloud ################################################################ services.nextcloud = { enable = true; - package = pkgs.nextcloud28; + package = pkgs.nextcloud32; https = true; hostName = "cloud.cynerd.cz"; datadir = "/nas/nextcloud"; @@ -200,11 +207,25 @@ adminpassFile = "/run/secrets/nextcloud.admin.pass"; dbtype = "pgsql"; dbhost = "/run/postgresql"; - dbtableprefix = "oc_"; }; settings = { #log_type = "systemd"; + default_locale = "CZ"; default_phone_region = "CZ"; + default_timezone = "Europe/Prague"; + enabledPreviewProviders = [ + "OC\\Preview\\BMP" + "OC\\Preview\\GIF" + "OC\\Preview\\JPEG" + "OC\\Preview\\Krita" + "OC\\Preview\\MarkDown" + "OC\\Preview\\MP3" + "OC\\Preview\\OpenDocument" + "OC\\Preview\\PNG" + "OC\\Preview\\TXT" + "OC\\Preview\\XBitmap" + "OC\\Preview\\HEIC" + ]; }; phpExtraExtensions = php: [php.pgsql php.pdo_pgsql]; phpOptions = { @@ -223,36 +244,40 @@ forms groupfolders impersonate - maps + #maps memories notes phonetrack previewgenerator spreed tasks - twofactor_nextcloud_notification twofactor_webauthn ; # Additional modules can be fetched with: - # NEXTCLOUD_VERSIONS=28 nix run nixpkgs#nc4nix -- -apps "passwords,money,integration_github,integration_gitlab" - passwords = pkgs.fetchNextcloudApp { - url = "https://git.mdns.eu/api/v4/projects/45/packages/generic/passwords/2024.9.0/passwords.tar.gz"; - sha256 = "L+jumcussL0c9xNMg/GMs1GSd1IY9wUvC8ZEg+3U+sc="; + # NEXTCLOUD_VERSIONS=32 nix run nixpkgs#nc4nix -- -apps "passwords,money,integration_github,integration_gitlab,fileslibreofficeedit" + fileslibreofficeedit = pkgs.fetchNextcloudApp { + url = "https://github.com/allotropia/nextcloud_files_libreoffice_edit/releases/download/v2.0.1/fileslibreofficeedit.tar.gz"; + hash = "sha256-Xqx5snQWintYJG3Q1Crw22TkNw18DdADXkurMQqt3X8="; license = "agpl3Plus"; }; integration_github = pkgs.fetchNextcloudApp { - url = "https://github.com/nextcloud-releases/integration_github/releases/download/v2.0.7/integration_github-v2.0.7.tar.gz"; - sha256 = "x4BrBdrvmbdwZcZL6FLAY27B5OpkXIsw92XsD076Aqg="; + url = "https://github.com/nextcloud-releases/integration_github/releases/download/v3.2.2/integration_github-v3.2.2.tar.gz"; + hash = "sha256-n7U/es4EdwS0cvegeFLnqhooRhkaSIdiVLwSse8hS3I="; license = "agpl3Plus"; }; integration_gitlab = pkgs.fetchNextcloudApp { - url = "https://github.com/nextcloud-releases/integration_gitlab/releases/download/v3.1.1/integration_gitlab-v3.1.1.tar.gz"; - sha256 = "nBqnBDVoNEqRGp+WKq4okis1kCr6pzEz4G6368MaxuE="; + url = "https://github.com/nextcloud-releases/integration_gitlab/releases/download/v4.0.0/integration_gitlab-v4.0.0.tar.gz"; + hash = "sha256-0CKvAiwdG6Llomo9ROu0KLdUq1xfjAwlO1e1/LYzL4s="; license = "agpl3Plus"; }; money = pkgs.fetchNextcloudApp { - url = "https://github.com/powerpaul17/nc_money/releases/download/v0.29.0/money.tar.gz"; - sha256 = "EXcY69z5h6rT0RdkmOhQYKSWmVBr2zaWuSRj/m5dMkI="; + url = "https://github.com/powerpaul17/nc_money/releases/download/v0.31.0/money.tar.gz"; + hash = "sha256-6RlxWTCw6NP9RquHnfoLLBw/dmAXx21INCzYUcp3E/4="; + license = "agpl3Plus"; + }; + passwords = pkgs.fetchNextcloudApp { + url = "https://git.mdns.eu/api/v4/projects/45/packages/generic/passwords/2026.3.0/passwords.tar.gz"; + hash = "sha256-YHilpFaZHNCtqLRvTCDhyVoFWLC85Qkj1mMxp08YCho="; license = "agpl3Plus"; }; }; @@ -339,7 +364,7 @@ } ]; }; - runInUwsgi = true; + configureUwsgi = true; uwsgiConfig = { socket = "/run/searx/searx.sock"; chmod-socket = "660"; @@ -348,16 +373,12 @@ }; users.groups.searx.members = ["nginx"]; - # Old Syncthing ############################################################ + # Syncthing ################################################################ services.syncthing = { enable = true; - openDefaultPorts = true; - - overrideDevices = false; - overrideFolders = false; - - dataDir = "/nas/sync"; - configDir = "/nas/sync/.syncthing"; + user = "syncthing"; + group = "syncthing"; + dataDir = "/sync"; }; }; } diff --git a/nixos/configurations/ridcully.nix b/nixos/configurations/ridcully.nix index 2be1a7a..9f3ed57 100644 --- a/nixos/configurations/ridcully.nix +++ b/nixos/configurations/ridcully.nix @@ -1,10 +1,5 @@ -{ - lib, - pkgs, - ... -}: let - inherit (lib) mkDefault; -in { +{pkgs, ...}: { + system.stateVersion = "24.05"; nixpkgs.hostPlatform.system = "x86_64-linux"; deploy.enable = true; @@ -15,17 +10,26 @@ in { openvpn = { elektroline = true; }; + borgjobs = { + hetzner-s3.paths = "/back/hetzner-s3-sync"; + }; }; - boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "usb_storage"]; + boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"]; boot.kernelModules = ["kvm-amd"]; hardware.cpu.amd.updateMicrocode = true; services.hardware.openrgb.motherboard = "amd"; + zramSwap = { + enable = true; + memoryPercent = 50; + }; + cynerd.autounlock = { "encroot" = "/dev/disk/by-uuid/bc7d2ba4-6e04-4c49-b40c-3aecd1a86c71"; "enchdd" = "/dev/disk/by-uuid/7fee3cda-efa0-47cd-8832-fdead9a7e6db"; + "encback" = "/dev/disk/by-uuid/b426cbe7-fba2-473b-90f9-9ebe3e34b76e"; }; fileSystems = { "/" = { @@ -48,6 +52,11 @@ in { fsType = "btrfs"; options = ["compress=lzo" "subvol=@home"]; }; + "/back" = { + device = "/dev/mapper/encback"; + fsType = "btrfs"; + options = ["compress=lzo"]; + }; }; services.btrfs.autoScrub = { enable = true; @@ -61,28 +70,54 @@ in { systemd.network = { wait-online.enable = false; }; - #networking.vlans."enp6s0.adm" = { - #id = 2; - #interface = "enp6s0"; - #}; environment.systemPackages = [ pkgs.nvtopPackages.amd + #sbctl ]; - services.syncthing = { - enable = true; - user = mkDefault "cynerd"; - group = mkDefault "cynerd"; - openDefaultPorts = true; + # Force nix to use less jobs + nix.settings.max-jobs = 4; - overrideDevices = false; - overrideFolders = false; + ############################################################################## + services = { + syncthing = { + enable = true; + dataDir = "/home/cynerd"; + }; + + octoprint = { + enable = true; + openFirewall = true; + }; - dataDir = "/home/cynerd"; - configDir = "/home/cynerd/.config/syncthing"; + mjpg-streamer = { + enable = true; + inputPlugin = "input_uvc.so -d /dev/video2 -r 1920x1080 -f 30"; + outputPlugin = "output_http.so -p 5001 -w @www@"; + }; }; + networking.firewall.allowedTCPPorts = [5001]; - # Force nix to use less jobs - nix.settings.max-jobs = 8; + # Service to synchronize local copy of Hetzner S3 + systemd = { + services."hetzner-sync" = { + script = '' + /run/current-system/sw/bin/rclone --config /run/secrets/rclone-hetzner.conf \ + sync hetzner: /back/hetzner-s3-sync + ''; + serviceConfig = { + Type = "oneshot"; + User = "root"; + }; + }; + timers."hetzner-sync" = { + wantedBy = ["timers.target"]; + timerConfig.Unit = "hetzner-sync.service"; + timerConfig = { + OnCalendar = "daily"; + Persistent = false; + }; + }; + }; } diff --git a/nixos/configurations/spt-mox.nix b/nixos/configurations/spt-mox.nix index 989df29..4dfa2c8 100644 --- a/nixos/configurations/spt-mox.nix +++ b/nixos/configurations/spt-mox.nix @@ -1,12 +1,17 @@ -{config, ...}: { +{ + config, + pkgs, + ... +}: { + system.stateVersion = "24.05"; turris.board = "mox"; deploy = { enable = true; ssh.host = "mox.spt"; + configurationLimit = 8; }; cynerd = { - home-assistant = true; monitoring.drives = false; switch = { enable = true; @@ -23,13 +28,17 @@ }; }; - services.journald.extraConfig = '' - SystemMaxUse=512M - ''; + boot.initrd.availableKernelModules = ["dm-mod"]; - services.btrfs.autoScrub = { - enable = true; - fileSystems = ["/"]; + services = { + journald.extraConfig = '' + SystemMaxUse=512M + ''; + + btrfs.autoScrub = { + enable = true; + fileSystems = ["/"]; + }; }; networking = { @@ -49,4 +58,104 @@ ]; }; }; + + ############################################################################## + networking.firewall.allowedTCPPorts = [ + 1883 # Mosquitto + ]; + services = { + mosquitto = { + enable = true; + listeners = [ + { + users = { + cynerd = { + acl = ["readwrite #"]; + passwordFile = "/run/secrets/mosquitto.cynerd.pass"; + }; + telegraf = { + acl = ["read bigclown/node/#"]; + passwordFile = "/run/secrets/mosquitto.telegraf.pass"; + }; + bigclown = { + acl = ["readwrite bigclown/#"]; + passwordFile = "/run/secrets/mosquitto.bigclown.pass"; + }; + }; + } + ]; + }; + + telegraf.extraConfig = { + outputs.influxdb_v2 = [ + { + urls = ["http://cynerd.cz:8086"]; + token = "$INFLUX_TOKEN"; + organization = "personal"; + bucket = "bigclown"; + tagpass.source = ["bigclown"]; + } + ]; + inputs.mqtt_consumer = let + consumer = data_type: topics: { + tags = {source = "bigclown";}; + servers = ["tcp://localhost:1883"]; + inherit topics; + username = "telegraf"; + password = "$MQTT_PASSWORD"; + data_format = "value"; + inherit data_type; + topic_parsing = [ + { + topic = "bigclown/node/+/+/+/+"; + measurement = "_/_/_/_/_/measurement"; + tags = "_/_/device/field/_/_"; + } + ]; + }; + in [ + (consumer "float" [ + "bigclown/node/+/battery/+/voltage" + "bigclown/node/+/thermometer/+/temperature" + "bigclown/node/+/hygrometer/+/relative-humidity" + "bigclown/node/+/lux-meter/+/illuminance" + "bigclown/node/+/barometer/+/pressure" + "bigclown/node/+/pir/+/event-count" + "bigclown/node/+/push-button/+/event-count" + ]) + (consumer "boolean" [ + "bigclown/node/+/flood-detector/+/alarm" + ]) + ]; + processors.pivot = [ + { + tag_key = "field"; + value_key = "value"; + tagpass.source = ["bigclown"]; + } + ]; + }; + + bcg = { + enable = true; + device = "/dev/ttyUSB0"; + baseTopicPrefix = "bigclown/"; + environmentFiles = ["/run/secrets/bigclown.env"]; + mqtt = { + username = "bigclown"; + password = "\${MQTT_PASSWORD}"; + }; + }; + }; + + systemd.services = { + telegraf.wants = ["mosquitto.service"]; + + bigclown-leds = { + description = "Bigclown LEDs control"; + wantedBy = ["multi-user.target"]; + wants = ["mosquitto.service"]; + serviceConfig.ExecStart = "${pkgs.bigclown-leds}/bin/bigclown-leds /run/secrets/bigclown-leds.ini"; + }; + }; } diff --git a/nixos/configurations/spt-mox2.nix b/nixos/configurations/spt-mox2.nix index b416671..2e76449 100644 --- a/nixos/configurations/spt-mox2.nix +++ b/nixos/configurations/spt-mox2.nix @@ -1,8 +1,5 @@ -{ - config, - pkgs, - ... -}: { +{config, ...}: { + system.stateVersion = "24.05"; turris.board = "mox"; deploy = { enable = true; @@ -26,13 +23,17 @@ }; }; - services.journald.extraConfig = '' - SystemMaxUse=512M - ''; + boot.initrd.availableKernelModules = ["dm-mod"]; - services.btrfs.autoScrub = { - enable = true; - fileSystems = ["/"]; + services = { + journald.extraConfig = '' + SystemMaxUse=512M + ''; + + btrfs.autoScrub = { + enable = true; + fileSystems = ["/"]; + }; }; networking = { diff --git a/nixos/configurations/spt-mpd.nix b/nixos/configurations/spt-mpd.nix index b212932..1849d9b 100644 --- a/nixos/configurations/spt-mpd.nix +++ b/nixos/configurations/spt-mpd.nix @@ -2,6 +2,7 @@ imports = [inputModules.nixos-hardware.raspberry-pi-2]; config = { + system.stateVersion = "24.05"; nixpkgs.hostPlatform.system = "armv7l-linux"; fileSystems = { diff --git a/nixos/configurations/spt-omnia.nix b/nixos/configurations/spt-omnia.nix index e55e34f..c2ef049 100644 --- a/nixos/configurations/spt-omnia.nix +++ b/nixos/configurations/spt-omnia.nix @@ -1,6 +1,7 @@ {config, ...}: let hosts = config.cynerd.hosts.spt; in { + system.stateVersion = "24.05"; turris.board = "omnia"; deploy = { enable = true; @@ -17,7 +18,6 @@ in { "7c:b0:c2:bb:9c:ca" = hosts.albert; "4c:d5:77:0d:85:d9" = hosts.binky; "b8:27:eb:57:a2:31" = hosts.mpd; - "74:bf:c0:42:82:19" = hosts.printer; }; }; wifiAP.spt = { @@ -28,7 +28,7 @@ in { channel = 11; }; qca988x = { - interface = "wlp3s0"; + interface = "wlp2s0"; bssids = config.secrets.wifiMacs.spt-omnia.qca988x; channel = 36; }; @@ -37,18 +37,20 @@ in { monitoring.speedtest = true; }; - services.journald.extraConfig = '' - SystemMaxUse=8G - ''; + services = { + journald.extraConfig = '' + SystemMaxUse=8G + ''; - services.btrfs.autoScrub = { - enable = true; - fileSystems = ["/"]; - }; + btrfs.autoScrub = { + enable = true; + fileSystems = ["/"]; + }; - services.fail2ban = { - enable = true; - ignoreIP = ["10.8.1.0/24" "10.8.2.0/24"]; + fail2ban = { + enable = true; + ignoreIP = ["10.8.1.0/24" "10.8.2.0/24"]; + }; }; networking.useDHCP = false; @@ -121,10 +123,22 @@ in { password metronet ''; }; - systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.848.device"]; + systemd.services."pppd-wan" = { + after = ["sys-subsystem-net-devices-end2.848.device"]; + partOf = ["systemd-networkd.service"]; + }; # TODO limit NSS clamping to just pppoe-wan networking.firewall.extraForwardRules = '' tcp flags syn tcp option maxseg size set rt mtu comment "Needed for PPPoE to fix IPv4" - iifname {"home", "personalvpn", "wg"} oifname {"home", "personalvpn", "wg"} accept + iifname {"home", "wg"} oifname {"home", "wg"} accept ''; + + ############################################################################## + cynerd.ha = { + enable = true; + domain = "spt.cynerd.cz"; + extraOptions = [ + "--device=/dev/serial/by-id/usb-ITEAD_SONOFF_Zigbee_3.0_USB_Dongle_Plus_V2_20220812153849-if00:/dev/ttyACM0" + ]; + }; } diff --git a/nixos/configurations/zd-mox.nix b/nixos/configurations/zd-mox.nix new file mode 100644 index 0000000..6ce1b6b --- /dev/null +++ b/nixos/configurations/zd-mox.nix @@ -0,0 +1,157 @@ +{ + config, + pkgs, + ... +}: let + hosts = config.cynerd.hosts.zd; +in { + system.stateVersion = "25.05"; + turris.board = "mox"; + deploy = { + enable = true; + ssh.host = "zd.cynerd.cz"; + }; + + cynerd = { + router = { + enable = true; + wan = "pppoe-wan"; + lanIP = hosts.mox; + staticLeases = { + "4c:d5:77:0d:85:d9" = hosts.binky; + "70:85:c2:4a:59:f2" = hosts.ridcully; + "74:bf:c0:42:82:19" = hosts.printer; + "f8:dc:7a:79:00:e6" = hosts.tc; + "34:94:54:33:6b:48" = hosts.vb; + }; + }; + wireguard = true; + monitoring.speedtest = true; + }; + + boot.initrd.availableKernelModules = ["dm-mod"]; + + services = { + journald.extraConfig = '' + SystemMaxUse=512M + ''; + + btrfs.autoScrub = { + enable = true; + fileSystems = ["/"]; + }; + + fail2ban = { + enable = true; + ignoreIP = ["10.8.0.0/24" "10.8.1.0/24" "10.8.2.0/24"]; + }; + }; + + networking.useDHCP = false; + systemd.network = { + netdevs = { + "end0.848" = { + netdevConfig = { + Kind = "vlan"; + Name = "end0.848"; + }; + vlanConfig.Id = 848; + }; + }; + networks = { + "end0" = { + matchConfig.Name = "end0"; + networkConfig.VLAN = ["end0.848"]; + }; + "end0.848" = { + matchConfig.Name = "end0.848"; + networkConfig.BindCarrier = "end0"; + }; + "pppoe-wan" = { + matchConfig.Name = "pppoe-wan"; + networkConfig = { + BindCarrier = "end0.848"; + DHCP = "ipv6"; + IPv6AcceptRA = "no"; + DHCPPrefixDelegation = "yes"; + #DNS = ["84.19.64.3" "84.19.64.4" "1.1.1.1"]; + DNS = "1.1.1.1"; + }; + dhcpV6Config = { + PrefixDelegationHint = "::/56"; + UseDNS = "no"; + }; + dhcpPrefixDelegationConfig = { + UplinkInterface = ":self"; + SubnetId = 0; + Announce = "no"; + }; + linkConfig.RequiredForOnline = "routable"; + }; + "lan-brlan" = { + matchConfig.Name = "lan*"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + EgressUntagged = 1; + PVID = 1; + } + {VLAN = 2;} + ]; + }; + }; + }; + + services.pppd = { + enable = true; + peers."wan".config = '' + plugin pppoe.so end0.848 + ifname pppoe-wan + lcp-echo-interval 1 + lcp-echo-failure 5 + lcp-echo-adaptive + defaultroute + defaultroute6 + maxfail 1 + # user and password added in secrets + ''; + }; + systemd.services = { + "pppd-wan" = { + requires = ["sys-subsystem-net-devices-end0.848.device"]; + partOf = ["systemd-networkd.service"]; + }; + "systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug"; + }; + # TODO limit NSS clamping to just pppoe-wan + networking.firewall.extraForwardRules = '' + tcp flags syn tcp option maxseg size set rt mtu comment "Needed for PPPoE to fix IPv4" + iifname {"home", "wg"} oifname {"home", "wg"} accept + ''; + + services.nginx = { + enable = true; + virtualHosts = { + "zd.cynerd.cz" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://${hosts.one0}:8123"; + proxyWebsockets = true; + recommendedProxySettings = true; + }; + }; + }; + }; + security.acme = { + acceptTerms = true; + defaults.email = "cynerd+acme@email.cz"; + certs."zd.cynerd.cz" = {}; + }; + networking.firewall.allowedTCPPorts = [80 443]; + + environment.systemPackages = with pkgs; [ + nmap + tcpdump + ]; +} diff --git a/nixos/configurations/zd-one0.nix b/nixos/configurations/zd-one0.nix new file mode 100644 index 0000000..98d9691 --- /dev/null +++ b/nixos/configurations/zd-one0.nix @@ -0,0 +1,61 @@ +_: { + system.stateVersion = "25.11"; + deploy = { + enable = true; + ssh.host = "zd-one0"; + }; + + cynerd = { + openwrtone = true; + #switch = { + # enable = true; + # lanAddress = "10.8.12.10/24"; + # lanGateway = config.cynerd.hosts.spt.omnia; + #}; + #wifiAP.zd = { + # enable = false; + # qca988x = { + # interface = "wlp1s0"; + # bssids = config.secrets.wifiMacs.zd-mox.qca988x; + # channel = 36; + # }; + #}; + }; + + boot.initrd.availableKernelModules = ["dm-mod"]; + boot.consoleLogLevel = 7; + + services = { + journald.extraConfig = '' + SystemMaxUse=8G + ''; + + btrfs.autoScrub = { + enable = true; + fileSystems = ["/"]; + }; + + fail2ban = { + enable = true; + ignoreIP = ["10.8.0.0/24" "10.8.1.0/24" "10.8.2.0/24"]; + }; + }; + + networking.useDHCP = false; + networking.useNetworkd = true; + + systemd.network = { + networks = { + "eth0" = { + matchConfig.Name = "eth0"; + networkConfig = { + Address = "10.8.2.10/24"; + Gateway = "10.8.2.1"; + DNS = "1.1.1.1"; + IPv6AcceptRA = "yes"; + }; + }; + }; + wait-online.anyInterface = true; + }; +} |