Diffstat (limited to 'nixos/configurations')
-rw-r--r--nixos/configurations/adm-omnia.nix1
-rw-r--r--nixos/configurations/binky.nix10
-rw-r--r--nixos/configurations/dean.nix14
-rw-r--r--nixos/configurations/dribbler.nix89
-rw-r--r--nixos/configurations/errol.nix52
-rw-r--r--nixos/configurations/lipwig.nix147
-rw-r--r--nixos/configurations/ridcully.nix23
-rw-r--r--nixos/configurations/spt-mox.nix31
-rw-r--r--nixos/configurations/spt-mox2.nix16
-rw-r--r--nixos/configurations/spt-omnia.nix55
-rw-r--r--nixos/configurations/zd-mox.nix155
-rw-r--r--nixos/configurations/zd-one0.nix61
12 files changed, 447 insertions, 207 deletions
diff --git a/nixos/configurations/adm-omnia.nix b/nixos/configurations/adm-omnia.nix
index 55ee733..2b80bbc 100644
--- a/nixos/configurations/adm-omnia.nix
+++ b/nixos/configurations/adm-omnia.nix
@@ -15,7 +15,6 @@ in {
wan = "pppoe-wan";
lanIP = hosts.omnia;
staticLeases = {
- "70:85:c2:4a:59:f2" = hosts.ridcully;
"7c:b0:c2:bb:9c:ca" = hosts.albert;
"4c:d5:77:0d:85:d9" = hosts.binky;
"b8:27:eb:49:54:5a" = hosts.mpd;
diff --git a/nixos/configurations/binky.nix b/nixos/configurations/binky.nix
index 6111637..dba1114 100644
--- a/nixos/configurations/binky.nix
+++ b/nixos/configurations/binky.nix
@@ -1,16 +1,10 @@
-{
- lib,
- pkgs,
- ...
-}: let
- inherit (lib) mkDefault;
-in {
+{pkgs, ...}: {
system.stateVersion = "24.05";
nixpkgs.hostPlatform.system = "x86_64-linux";
deploy = {
enable = true;
default = false;
- ssh.host = "binky.spt";
+ ssh.host = "binky";
};
cynerd = {
diff --git a/nixos/configurations/dean.nix b/nixos/configurations/dean.nix
index dfb03e1..a95d9f1 100644
--- a/nixos/configurations/dean.nix
+++ b/nixos/configurations/dean.nix
@@ -11,6 +11,20 @@
};
};
+ boot.initrd.availableKernelModules = ["dm-mod"];
+
+ hardware.enableAllFirmware = false; # No wifi so we do not need firmwares
+ services = {
+ journald.extraConfig = ''
+ SystemMaxUse=512M
+ '';
+
+ btrfs.autoScrub = {
+ enable = true;
+ fileSystems = ["/"];
+ };
+ };
+
networking = {
useNetworkd = true;
useDHCP = false;
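Review bot: The `boot.initrd.availableKernelModules = ["dm-mod"];` line and the `services = { journald.extraConfig …; btrfs.autoScrub … }` block added here are repeated verbatim in spt-mox.nix, spt-mox2.nix, zd-mox.nix and zd-one0.nix in this same commit. A small shared module carrying these settings, imported by the hosts that want a capped journal and a scrubbed btrfs root, would keep the copies from drifting; the journal size already differs (8G on spt-omnia and zd-one0, 512M elsewhere) with no comment saying why. The `# No wifi so we do not need firmwares` comment is the right style; `dm-mod` deserves the same treatment, e.g. `# device-mapper in the initrd for the root volume — confirm`, since nothing in this hunk shows what needs it.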
diff --git a/nixos/configurations/dribbler.nix b/nixos/configurations/dribbler.nix
new file mode 100644
index 0000000..306925c
--- /dev/null
+++ b/nixos/configurations/dribbler.nix
@@ -0,0 +1,89 @@
+{pkgs, ...}: {
+ system.stateVersion = "25.11";
+ nixpkgs.hostPlatform.system = "x86_64-linux";
+ deploy = {
+ enable = true;
+ default = false;
+ ssh.host = "dribbler";
+ };
+
+ cynerd = {
+ wifiClient = true;
+ };
+
+ boot = {
+ initrd.availableKernelModules = ["nvme" "xhci_pci" "usb_storage" "sd_mod"];
+ kernelModules = ["kvm-intel"];
+ };
+
+ hardware.cpu.intel.updateMicrocode = true;
+
+ boot.initrd.luks.devices = {
+ "encroot".device = "/dev/disk/by-uuid/b317feb5-d68d-4ec3-a24f-0307c116cac8";
+ };
+ fileSystems = {
+ "/" = {
+ device = "/dev/mapper/encroot";
+ fsType = "btrfs";
+ options = ["compress=lzo" "subvol=@"];
+ };
+ "/nix" = {
+ device = "/dev/mapper/encroot";
+ fsType = "btrfs";
+ options = ["compress=lzo" "subvol=@nix"];
+ };
+ "/home" = {
+ device = "/dev/mapper/encroot";
+ fsType = "btrfs";
+ options = ["compress=lzo" "subvol=@home"];
+ };
+ "/boot" = {
+ device = "/dev/disk/by-uuid/8F7D-A154";
+ fsType = "vfat";
+ };
+ };
+ services.btrfs.autoScrub = {
+ enable = true;
+ fileSystems = ["/"];
+ };
+
+ networking = {
+ useNetworkd = true;
+ useDHCP = false;
+ };
+ systemd.network = {
+ networks = {
+ "dhcp" = {
+ matchConfig.Name = "enp2s0f0";
+ networkConfig = {
+ DHCP = "yes";
+ IPv6AcceptRA = "yes";
+ };
+ linkConfig.RequiredForOnline = "routable";
+ };
+ "dhcp-wlan" = {
+ matchConfig.Name = "wlp3s0";
+ networkConfig = {
+ DHCP = "yes";
+ IPv6AcceptRA = "yes";
+ };
+ routes = [{Metric = 1088;}];
+ linkConfig.RequiredForOnline = "routable";
+ };
+ };
+ wait-online.enable = false;
+ };
+
+ # Kodi
+ nixpkgs.config.kodi.enableAdvancedLauncher = true;
+ users.extraUsers.kodi.isNormalUser = true;
+ services.cage = {
+ user = "kodi";
+ program = "${pkgs.kodi-wayland}/bin/kodi-standalone";
+ enable = true;
+ };
+ networking.firewall = {
+ allowedTCPPorts = [8080];
+ allowedUDPPorts = [8080];
+ };
+}
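Review bot: `networking.firewall.allowedTCPPorts = [8080]` and `allowedUDPPorts = [8080]` open the port on every interface, including the `wlp3s0` client link configured above, presumably for Kodi's web/JSON-RPC interface whose authentication depends on Kodi-side settings rather than anything in this file. Scope it to the wired LAN with `networking.firewall.interfaces.enp2s0f0.allowedTCPPorts = [8080];`, and drop the UDP entry unless something actually listens on 8080/udp. The `boot` settings are split between the `boot = { … }` block and a separate `boot.initrd.luks.devices` attribute a few lines later; folding the LUKS entry into the first block reads more clearly and keeps the disk layout in one place.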
diff --git a/nixos/configurations/errol.nix b/nixos/configurations/errol.nix
index f986631..e45fae5 100644
--- a/nixos/configurations/errol.nix
+++ b/nixos/configurations/errol.nix
@@ -1,28 +1,19 @@
-{
- config,
- lib,
- pkgs,
- ...
-}: let
- inherit (lib) mkDefault;
-in {
+{pkgs, ...}: {
system.stateVersion = "24.05";
nixpkgs.hostPlatform.system = "x86_64-linux";
deploy.enable = true;
- cynerd = {
- desktop.enable = true;
- develop = true;
- gaming = true;
- openvpn.elektroline = true;
- };
-
boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "usb_storage"];
boot.kernelModules = ["kvm-amd"];
hardware.cpu.amd.updateMicrocode = true;
services.hardware.openrgb.motherboard = "amd";
+ zramSwap = {
+ enable = true;
+ memoryPercent = 50;
+ };
+
cynerd.autounlock = {
"encroot" = "/dev/disk/by-uuid/7c412ae6-6016-45af-8c2a-8fcc394dbbe6";
"enchdd1" = "/dev/disk/by-uuid/87f16080-5ff6-43dd-89f3-307455a46fbe";
@@ -96,36 +87,5 @@ in {
enable = true;
dataDir = "/home/cynerd";
};
-
- home-assistant = {
- enable = true;
- openFirewall = true;
- configDir = "/var/lib/hass";
- config = {
- homeassistant = {
- name = "SPT";
- latitude = "!secret latitude";
- longitude = "!secret longitude";
- elevation = "!secret elevation";
- time_zone = "Europe/Prague";
- country = "CZ";
- };
- http.server_port = 8808;
- mqtt = {
- sensor = import ../home-assistant/sensors.nix;
- light = import ../home-assistant/light.nix;
- };
- default_config = {};
- automation = "!include automations.yaml";
- };
- extraComponents = ["met"];
- package = pkgs.home-assistant.override {
- extraPackages = pkgs:
- with pkgs; [
- securetar
- pyipp
- ];
- };
- };
};
}
diff --git a/nixos/configurations/lipwig.nix b/nixos/configurations/lipwig.nix
index 5855b6d..f141fa9 100644
--- a/nixos/configurations/lipwig.nix
+++ b/nixos/configurations/lipwig.nix
@@ -73,66 +73,64 @@
];
# Web ######################################################################
- services.nginx = {
- enable = true;
- virtualHosts = {
- "cynerd.cz" = {
- forceSSL = true;
- enableACME = true;
- locations = {
- "/".root = ../../web;
- "/radicale/" = {
- proxyPass = "http://127.0.0.1:5232/";
- extraConfig = ''
- proxy_set_header X-Script-Name /radicale;
- proxy_pass_header Authorization;
- '';
+ services = {
+ nginx = {
+ enable = true;
+ virtualHosts = {
+ "cynerd.cz" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/".root = ../../web;
+ "/radicale/" = {
+ proxyPass = "http://127.0.0.1:5232/";
+ extraConfig = ''
+ proxy_set_header X-Script-Name /radicale;
+ proxy_pass_header Authorization;
+ '';
+ };
};
};
- };
- "git.cynerd.cz" = {
- forceSSL = true;
- useACMEHost = "cynerd.cz";
- root = "${pkgs.cgit}/cgit";
- locations."/".tryFiles = "$uri @cgit";
- locations."@cgit".extraConfig = ''
- fastcgi_pass unix:${config.services.fcgiwrap.instances.cgit.socket.address};
- fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi;
- fastcgi_param PATH_INFO $uri;
- fastcgi_param QUERY_STRING $args;
- fastcgi_param HTTP_HOST $server_name;
- '';
- };
- "cloud.cynerd.cz" = {
- forceSSL = true;
- useACMEHost = "cynerd.cz";
- };
- "office.cynerd.cz" = {
- forceSSL = true;
- useACMEHost = "cynerd.cz";
- };
- "grafana.cynerd.cz" = {
- forceSSL = true;
- useACMEHost = "cynerd.cz";
- locations."/" = {
- proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
- proxyWebsockets = true;
- recommendedProxySettings = true;
+ "git.cynerd.cz" = {
+ forceSSL = true;
+ useACMEHost = "cynerd.cz";
+ root = "${pkgs.cgit}/cgit";
+ locations."/".tryFiles = "$uri @cgit";
+ locations."@cgit".extraConfig = ''
+ fastcgi_pass unix:${config.services.fcgiwrap.instances.cgit.socket.address};
+ fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param QUERY_STRING $args;
+ fastcgi_param HTTP_HOST $server_name;
+ '';
+ };
+ "cloud.cynerd.cz" = {
+ forceSSL = true;
+ useACMEHost = "cynerd.cz";
+ };
+ "grafana.cynerd.cz" = {
+ forceSSL = true;
+ useACMEHost = "cynerd.cz";
+ locations."/" = {
+ proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ };
+ };
+ "searx.cynerd.cz" = {
+ forceSSL = true;
+ useACMEHost = "cynerd.cz";
+ locations."/".extraConfig = ''
+ uwsgi_pass "unix:///run/searx/searx.sock";
+ include ${config.services.nginx.package}/conf/uwsgi_params;
+ '';
};
- };
- "searx.cynerd.cz" = {
- forceSSL = true;
- useACMEHost = "cynerd.cz";
- locations."/".extraConfig = ''
- uwsgi_pass "unix:///run/searx/searx.sock";
- include ${config.services.nginx.package}/conf/uwsgi_params;
- '';
};
};
- };
- services.fcgiwrap.instances.cgit = {
- process.user = "git";
- socket = {inherit (config.services.nginx) user group;};
+ fcgiwrap.instances.cgit = {
+ process.user = "git";
+ socket = {inherit (config.services.nginx) user group;};
+ };
};
security.acme = {
acceptTerms = true;
@@ -199,7 +197,7 @@
# Nextcloud ################################################################
services.nextcloud = {
enable = true;
- package = pkgs.nextcloud31;
+ package = pkgs.nextcloud32;
https = true;
hostName = "cloud.cynerd.cz";
datadir = "/nas/nextcloud";
@@ -245,9 +243,9 @@
forms
groupfolders
impersonate
+ #maps
memories
notes
- onlyoffice
phonetrack
previewgenerator
spreed
@@ -255,39 +253,34 @@
twofactor_webauthn
;
# Additional modules can be fetched with:
- # NEXTCLOUD_VERSIONS=30 nix run nixpkgs#nc4nix -- -apps "passwords,money,integration_github,integration_gitlab"
+ # NEXTCLOUD_VERSIONS=32 nix run nixpkgs#nc4nix -- -apps "passwords,money,integration_github,integration_gitlab,fileslibreofficeedit"
+ fileslibreofficeedit = pkgs.fetchNextcloudApp {
+ url = "https://github.com/allotropia/nextcloud_files_libreoffice_edit/releases/download/v2.0.1/fileslibreofficeedit.tar.gz";
+ hash = "sha256-Xqx5snQWintYJG3Q1Crw22TkNw18DdADXkurMQqt3X8=";
+ license = "agpl3Plus";
+ };
integration_github = pkgs.fetchNextcloudApp {
- url = "https://github.com/nextcloud-releases/integration_github/releases/download/v3.1.1/integration_github-v3.1.1.tar.gz";
- hash = "sha256-nm463H33WyXTJkb7+OSsunARNuSl5nc3uGClgwkVvhM=";
+ url = "https://github.com/nextcloud-releases/integration_github/releases/download/v3.2.2/integration_github-v3.2.2.tar.gz";
+ hash = "sha256-n7U/es4EdwS0cvegeFLnqhooRhkaSIdiVLwSse8hS3I=";
license = "agpl3Plus";
};
integration_gitlab = pkgs.fetchNextcloudApp {
- url = "https://github.com/nextcloud-releases/integration_gitlab/releases/download/v3.1.2/integration_gitlab-v3.1.2.tar.gz";
- hash = "sha256-nCH0DqYmr4T856sOU5PhSK6WAHIF9mnYThgytxEbkNA=";
+ url = "https://github.com/nextcloud-releases/integration_gitlab/releases/download/v4.0.0/integration_gitlab-v4.0.0.tar.gz";
+ hash = "sha256-0CKvAiwdG6Llomo9ROu0KLdUq1xfjAwlO1e1/LYzL4s=";
license = "agpl3Plus";
};
money = pkgs.fetchNextcloudApp {
- url = "https://github.com/powerpaul17/nc_money/releases/download/v0.30.0/money.tar.gz";
- hash = "sha256-4gHm6sF9S+1G1naRTr+eR8ZyjCpB3viXTzRCNQFUtF0=";
+ url = "https://github.com/powerpaul17/nc_money/releases/download/v0.31.0/money.tar.gz";
+ hash = "sha256-6RlxWTCw6NP9RquHnfoLLBw/dmAXx21INCzYUcp3E/4=";
license = "agpl3Plus";
};
passwords = pkgs.fetchNextcloudApp {
- url = "https://git.mdns.eu/api/v4/projects/45/packages/generic/passwords/2025.5.1/passwords.tar.gz";
- hash = "sha256-v4IVpqbTN3TKORESFX+sJsiSrLkUc0b5Stj8CmznSIw=";
- license = "agpl3Plus";
- };
- maps = pkgs.fetchNextcloudApp {
- url = "https://github.com/nextcloud/maps/releases/download/v1.6.0-3-nightly/maps-1.6.0-3-nightly.tar.gz";
- hash = "sha256-E0S/CwXyye19lcuiONEQCyHJqlL0ZG1A9Q7oOTEZH1g=";
+ url = "https://git.mdns.eu/api/v4/projects/45/packages/generic/passwords/2025.12.0/passwords-lsr-81.tar.gz";
+ hash = "sha256-XhPNM4VH0yuaOlgivrzKXoLX2wUODbEiuz/S2X4Ugxw=";
license = "agpl3Plus";
};
};
};
- # OnlyOffice ###############################################################
- services.onlyoffice = {
- enable = true;
- hostname = "office.cynerd.cz";
- };
# Postgresql ###############################################################
services.postgresql = {
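Review bot: Removing `services.onlyoffice` here and the `office.cynerd.cz` vhost in the earlier hunk shows no matching cleanup of the certificate name: the surviving vhosts use `useACMEHost = "cynerd.cz"`, so `security.acme.certs."cynerd.cz"` (outside this hunk) presumably still lists `office.cynerd.cz` in `extraDomainNames`, and the DNS record likely still exists; drop both so the certificate stops asserting a name nothing serves. The `#maps` entry kept in the app list while the `maps` fetch is deleted here records no reason; a comment such as `#maps # disabled: <reason>` would tell the next reader whether it is meant to come back. The updated `fetchNextcloudApp` entries keep fixed-output `hash` values alongside the new URLs, which is the right way to pin these third-party tarballs.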
@@ -370,7 +363,7 @@
}
];
};
- runInUwsgi = true;
+ configureUwsgi = true;
uwsgiConfig = {
socket = "/run/searx/searx.sock";
chmod-socket = "660";
diff --git a/nixos/configurations/ridcully.nix b/nixos/configurations/ridcully.nix
index 0b2705c..97a0456 100644
--- a/nixos/configurations/ridcully.nix
+++ b/nixos/configurations/ridcully.nix
@@ -1,10 +1,4 @@
-{
- lib,
- pkgs,
- ...
-}: let
- inherit (lib) mkDefault;
-in {
+{pkgs, ...}: {
system.stateVersion = "24.05";
nixpkgs.hostPlatform.system = "x86_64-linux";
deploy.enable = true;
@@ -18,12 +12,17 @@ in {
};
};
- boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "usb_storage"];
+ boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
boot.kernelModules = ["kvm-amd"];
hardware.cpu.amd.updateMicrocode = true;
services.hardware.openrgb.motherboard = "amd";
+ zramSwap = {
+ enable = true;
+ memoryPercent = 50;
+ };
+
cynerd.autounlock = {
"encroot" = "/dev/disk/by-uuid/bc7d2ba4-6e04-4c49-b40c-3aecd1a86c71";
"enchdd" = "/dev/disk/by-uuid/7fee3cda-efa0-47cd-8832-fdead9a7e6db";
@@ -71,13 +70,15 @@ in {
environment.systemPackages = [
pkgs.nvtopPackages.amd
+ #sbctl
];
+ # Force nix to use less jobs
+ nix.settings.max-jobs = 4;
+
+ ##############################################################################
services.syncthing = {
enable = true;
dataDir = "/home/cynerd";
};
-
- # Force nix to use less jobs
- nix.settings.max-jobs = 8;
}
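Review bot: The bare `##############…` divider added before `services.syncthing` carries no section title, unlike the `# Web ####…` / `# Nextcloud ####…` headers used in lipwig.nix; either name it (`# Syncthing ####…`) or drop it. The `#sbctl` entry in `environment.systemPackages` is dead text with no note on why it is commented out; if it is waiting on something, `#sbctl # TODO: <reason>` says more than the bare name. Lowering `nix.settings.max-jobs` from 8 to 4 keeps the `# Force nix to use less jobs` comment, which would be more useful if it said what the limit is protecting (memory, thermals).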
diff --git a/nixos/configurations/spt-mox.nix b/nixos/configurations/spt-mox.nix
index 8a842b7..4dfa2c8 100644
--- a/nixos/configurations/spt-mox.nix
+++ b/nixos/configurations/spt-mox.nix
@@ -28,13 +28,17 @@
};
};
- services.journald.extraConfig = ''
- SystemMaxUse=512M
- '';
+ boot.initrd.availableKernelModules = ["dm-mod"];
- services.btrfs.autoScrub = {
- enable = true;
- fileSystems = ["/"];
+ services = {
+ journald.extraConfig = ''
+ SystemMaxUse=512M
+ '';
+
+ btrfs.autoScrub = {
+ enable = true;
+ fileSystems = ["/"];
+ };
};
networking = {
@@ -73,25 +77,10 @@
acl = ["read bigclown/node/#"];
passwordFile = "/run/secrets/mosquitto.telegraf.pass";
};
- homeassistant = {
- acl = [
- "readwrite homeassistant/#"
- "readwrite bigclown/#"
- "readwrite zigbee2mqtt/#"
- ];
- passwordFile = "/run/secrets/mosquitto.homeassistant.pass";
- };
bigclown = {
acl = ["readwrite bigclown/#"];
passwordFile = "/run/secrets/mosquitto.bigclown.pass";
};
- zigbee2mqtt = {
- acl = [
- "readwrite homeassistant/#"
- "readwrite zigbee2mqtt/#"
- ];
- passwordFile = "/run/secrets/mosquitto.zigbee2mqtt.pass";
- };
};
}
];
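Review bot: Removing the `homeassistant` and `zigbee2mqtt` broker users leaves their secrets, `/run/secrets/mosquitto.homeassistant.pass` and `/run/secrets/mosquitto.zigbee2mqtt.pass`, presumably still declared wherever the other `mosquitto.*.pass` secrets are; remove those declarations too so stale credentials stop being deployed to the host. If the new `cynerd.ha` stack on spt-omnia (same commit) still publishes or subscribes on this broker, it now has no account and no ACL here, so confirm its MQTT access is provided elsewhere or it will silently lose connectivity. The enclosing `users` attribute set starts before this hunk.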
diff --git a/nixos/configurations/spt-mox2.nix b/nixos/configurations/spt-mox2.nix
index fd2c074..2e76449 100644
--- a/nixos/configurations/spt-mox2.nix
+++ b/nixos/configurations/spt-mox2.nix
@@ -23,13 +23,17 @@
};
};
- services.journald.extraConfig = ''
- SystemMaxUse=512M
- '';
+ boot.initrd.availableKernelModules = ["dm-mod"];
- services.btrfs.autoScrub = {
- enable = true;
- fileSystems = ["/"];
+ services = {
+ journald.extraConfig = ''
+ SystemMaxUse=512M
+ '';
+
+ btrfs.autoScrub = {
+ enable = true;
+ fileSystems = ["/"];
+ };
};
networking = {
diff --git a/nixos/configurations/spt-omnia.nix b/nixos/configurations/spt-omnia.nix
index 1809b2a..c13956b 100644
--- a/nixos/configurations/spt-omnia.nix
+++ b/nixos/configurations/spt-omnia.nix
@@ -38,18 +38,20 @@ in {
monitoring.speedtest = true;
};
- services.journald.extraConfig = ''
- SystemMaxUse=8G
- '';
+ services = {
+ journald.extraConfig = ''
+ SystemMaxUse=8G
+ '';
- services.btrfs.autoScrub = {
- enable = true;
- fileSystems = ["/"];
- };
+ btrfs.autoScrub = {
+ enable = true;
+ fileSystems = ["/"];
+ };
- services.fail2ban = {
- enable = true;
- ignoreIP = ["10.8.1.0/24" "10.8.2.0/24"];
+ fail2ban = {
+ enable = true;
+ ignoreIP = ["10.8.1.0/24" "10.8.2.0/24"];
+ };
};
networking.useDHCP = false;
@@ -133,32 +135,11 @@ in {
'';
##############################################################################
- services = {
- zigbee2mqtt = {
- enable = true;
- settings = {
- serial.port = "/dev/serial/by-id/usb-ITEAD_SONOFF_Zigbee_3.0_USB_Dongle_Plus_V2_20220812153849-if00";
- mqtt = {
- server = "mqtt://${config.cynerd.hosts.spt.mox}:1883";
- user = "zigbee2mqtt";
- password = "!secret.yaml mqtt_password";
- };
- advanced = {
- network_key = "!secret.yaml network_key";
- homeassistant_legacy_entity_attributes = false;
- legacy_api = false;
- legacy_availability_payload = false;
- last_seen = "epoch";
- };
- frontend = true;
- availability = true;
- homeassistant = {
- legacy_triggers = false;
- };
- device_options.legacy = false;
- permit_join = false;
- devices = config.secrets.zigbee2mqttDevices;
- };
- };
+ cynerd.ha = {
+ enable = true;
+ domain = "spt.cynerd.cz";
+ extraOptions = [
+ "--device=/dev/serial/by-id/usb-ITEAD_SONOFF_Zigbee_3.0_USB_Dongle_Plus_V2_20220812153849-if00:/dev/ttyACM0"
+ ];
};
}
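Review bot: The removed zigbee2mqtt block carried security-relevant settings — `permit_join = false`, `network_key` from secrets and the broker password — and the replacement `cynerd.ha = { … }` shows none of them, so whether the `cynerd.ha` module (outside this diff) reproduces `permit_join = false` and the same network key cannot be checked from here; a comment on the block such as `# zigbee2mqtt settings now live in the cynerd.ha module` would at least point the reader there. The `--device=…:/dev/ttyACM0` entry looks like a container device passthrough passed as an opaque string, so a renamed dongle path fails at runtime rather than at evaluation; a comment naming the dongle would help. The `config` argument the old `mqtt.server` used may now be unused in this file; the function header is outside the hunk.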
diff --git a/nixos/configurations/zd-mox.nix b/nixos/configurations/zd-mox.nix
new file mode 100644
index 0000000..bba9010
--- /dev/null
+++ b/nixos/configurations/zd-mox.nix
@@ -0,0 +1,155 @@
+{
+ config,
+ pkgs,
+ ...
+}: let
+ hosts = config.cynerd.hosts.zd;
+in {
+ system.stateVersion = "25.05";
+ turris.board = "mox";
+ deploy = {
+ enable = true;
+ ssh.host = "zd.cynerd.cz";
+ };
+
+ cynerd = {
+ router = {
+ enable = true;
+ wan = "pppoe-wan";
+ lanIP = hosts.mox;
+ staticLeases = {
+ "70:85:c2:4a:59:f2" = hosts.ridcully;
+ "f8:dc:7a:79:00:e6" = hosts.tc;
+ "4c:d5:77:0d:85:d9" = hosts.binky;
+ };
+ };
+ wireguard = true;
+ monitoring.speedtest = true;
+ };
+
+ boot.initrd.availableKernelModules = ["dm-mod"];
+
+ services = {
+ journald.extraConfig = ''
+ SystemMaxUse=512M
+ '';
+
+ btrfs.autoScrub = {
+ enable = true;
+ fileSystems = ["/"];
+ };
+
+ fail2ban = {
+ enable = true;
+ ignoreIP = ["10.8.0.0/24" "10.8.1.0/24" "10.8.2.0/24"];
+ };
+ };
+
+ networking.useDHCP = false;
+ systemd.network = {
+ netdevs = {
+ "end0.848" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "end0.848";
+ };
+ vlanConfig.Id = 848;
+ };
+ };
+ networks = {
+ "end0" = {
+ matchConfig.Name = "end0";
+ networkConfig.VLAN = ["end0.848"];
+ };
+ "end0.848" = {
+ matchConfig.Name = "end0.848";
+ networkConfig.BindCarrier = "end0";
+ };
+ "pppoe-wan" = {
+ matchConfig.Name = "pppoe-wan";
+ networkConfig = {
+ BindCarrier = "end0.848";
+ DHCP = "ipv6";
+ IPv6AcceptRA = "no";
+ DHCPPrefixDelegation = "yes";
+ #DNS = ["84.19.64.3" "84.19.64.4" "1.1.1.1"];
+ DNS = "1.1.1.1";
+ };
+ dhcpV6Config = {
+ PrefixDelegationHint = "::/56";
+ UseDNS = "no";
+ };
+ dhcpPrefixDelegationConfig = {
+ UplinkInterface = ":self";
+ SubnetId = 0;
+ Announce = "no";
+ };
+ linkConfig.RequiredForOnline = "routable";
+ };
+ "lan-brlan" = {
+ matchConfig.Name = "lan*";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ EgressUntagged = 1;
+ PVID = 1;
+ }
+ {VLAN = 2;}
+ ];
+ };
+ };
+ };
+
+ services.pppd = {
+ enable = true;
+ peers."wan".config = ''
+ plugin pppoe.so end0.848
+ ifname pppoe-wan
+ lcp-echo-interval 1
+ lcp-echo-failure 5
+ lcp-echo-adaptive
+ defaultroute
+ defaultroute6
+ maxfail 1
+ # user and password added in secrets
+ '';
+ };
+ systemd.services = {
+ "pppd-wan" = {
+ requires = ["sys-subsystem-net-devices-end0.848.device"];
+ partOf = ["systemd-networkd.service"];
+ };
+ "systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
+ };
+ # TODO limit NSS clamping to just pppoe-wan
+ networking.firewall.extraForwardRules = ''
+ tcp flags syn tcp option maxseg size set rt mtu comment "Needed for PPPoE to fix IPv4"
+ iifname {"home", "wg"} oifname {"home", "wg"} accept
+ '';
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "zd.cynerd.cz" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://${hosts.one0}:8123";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ };
+ };
+ };
+ };
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "cynerd+acme@email.cz";
+ certs."zd.cynerd.cz" = {};
+ };
+ networking.firewall.allowedTCPPorts = [80 443];
+
+ environment.systemPackages = with pkgs; [
+ nmap
+ tcpdump
+ ];
+}
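Review bot: `"systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";` looks like a bring-up leftover in a new production router config; it logs every DHCP, RA and PPPoE event, churns the 512M journal cap set above and buries the messages worth reading during an incident, so drop it or leave it commented with the reason it was needed. The forward rule `iifname {"home", "wg"} oifname {"home", "wg"} accept` names interfaces not defined in this file, while the LAN bridge here is `brlan`; if `cynerd.router` and `wireguard` create `home` and `wg` that is fine, otherwise the rule never matches. `proxyPass = "http://${hosts.one0}:8123"` publishes what is presumably Home Assistant to the internet through `zd.cynerd.cz`, so its own authentication and trusted-proxy settings on zd-one0 are what protect it; a comment on the vhost saying so would make that dependency visible.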
diff --git a/nixos/configurations/zd-one0.nix b/nixos/configurations/zd-one0.nix
new file mode 100644
index 0000000..98d9691
--- /dev/null
+++ b/nixos/configurations/zd-one0.nix
@@ -0,0 +1,61 @@
+_: {
+ system.stateVersion = "25.11";
+ deploy = {
+ enable = true;
+ ssh.host = "zd-one0";
+ };
+
+ cynerd = {
+ openwrtone = true;
+ #switch = {
+ # enable = true;
+ # lanAddress = "10.8.12.10/24";
+ # lanGateway = config.cynerd.hosts.spt.omnia;
+ #};
+ #wifiAP.zd = {
+ # enable = false;
+ # qca988x = {
+ # interface = "wlp1s0";
+ # bssids = config.secrets.wifiMacs.zd-mox.qca988x;
+ # channel = 36;
+ # };
+ #};
+ };
+
+ boot.initrd.availableKernelModules = ["dm-mod"];
+ boot.consoleLogLevel = 7;
+
+ services = {
+ journald.extraConfig = ''
+ SystemMaxUse=8G
+ '';
+
+ btrfs.autoScrub = {
+ enable = true;
+ fileSystems = ["/"];
+ };
+
+ fail2ban = {
+ enable = true;
+ ignoreIP = ["10.8.0.0/24" "10.8.1.0/24" "10.8.2.0/24"];
+ };
+ };
+
+ networking.useDHCP = false;
+ networking.useNetworkd = true;
+
+ systemd.network = {
+ networks = {
+ "eth0" = {
+ matchConfig.Name = "eth0";
+ networkConfig = {
+ Address = "10.8.2.10/24";
+ Gateway = "10.8.2.1";
+ DNS = "1.1.1.1";
+ IPv6AcceptRA = "yes";
+ };
+ };
+ };
+ wait-online.anyInterface = true;
+ };
+}
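Review bot: The commented-out `switch` and `wifiAP.zd` blocks reference `config.cynerd.hosts.spt.omnia` and `config.secrets.wifiMacs.zd-mox.qca988x`, but the module header is `_:`, so uncommenting them would fail to evaluate; either delete the dead config (git history keeps it) or restore `{config, ...}:` and add `# disabled: <reason>` so the reader knows whether it is meant to return. The `wifiAP.zd` block also names `zd-mox` secrets while this host is `zd-one0`, which suggests it was copied over and should be checked before it is ever re-enabled. `boot.consoleLogLevel = 7;` puts every kernel message on the console, which reads as a debugging leftover on a new host; drop it or comment why it is needed.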