Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/backup.nix | 63 | ||||
-rw-r--r-- | nixos/modules/desktop.nix | 41 | ||||
-rw-r--r-- | nixos/modules/develop.nix | 16 | ||||
-rw-r--r-- | nixos/modules/gaming.nix | 31 | ||||
-rw-r--r-- | nixos/modules/generic.nix | 16 | ||||
-rw-r--r-- | nixos/modules/home-assistant.nix | 164 | ||||
-rw-r--r-- | nixos/modules/home-assistant/light.nix | 13 | ||||
-rw-r--r-- | nixos/modules/home-assistant/sensors.nix | 19 | ||||
-rw-r--r-- | nixos/modules/hosts.nix | 2 | ||||
-rw-r--r-- | nixos/modules/monitoring.nix | 2 | ||||
-rw-r--r-- | nixos/modules/nixos-system.sh | 27 | ||||
-rw-r--r-- | nixos/modules/openvpn.nix | 8 | ||||
-rw-r--r-- | nixos/modules/packages.nix | 9 | ||||
-rw-r--r-- | nixos/modules/rpi.md | 25 | ||||
-rw-r--r-- | nixos/modules/rpi.nix | 88 | ||||
-rw-r--r-- | nixos/modules/syncthing.nix | 161 | ||||
-rw-r--r-- | nixos/modules/users.nix | 4 | ||||
-rw-r--r-- | nixos/modules/wifi-adm.nix | 186 | ||||
-rw-r--r-- | nixos/modules/wifi-spt.nix | 157 | ||||
-rw-r--r-- | nixos/modules/wireguard.nix (renamed from nixos/modules/wireguad.nix) | 33 |
20 files changed, 472 insertions, 593 deletions
diff --git a/nixos/modules/backup.nix b/nixos/modules/backup.nix new file mode 100644 index 0000000..3f5042b --- /dev/null +++ b/nixos/modules/backup.nix @@ -0,0 +1,63 @@ +{ + config, + lib, + ... +}: let + inherit (builtins) elem readFile readDir; + inherit (lib) mkOption types mkIf hasSuffix removeSuffix hasAttr filterAttrs mapAttrs mapAttrs' nameValuePair mergeAttrsList recursiveUpdate; + + servers = ["ridcully"]; # TODO "errol" + clients = + mapAttrs' (fname: _: + nameValuePair (removeSuffix ".pub" fname) + (readFile (config.personal-secrets + "/unencrypted/backup/${fname}"))) + (filterAttrs (n: v: v == "regular" && hasSuffix ".pub" n) + (readDir (config.personal-secrets + "/unencrypted/backup"))); + edpersonal = readFile (config.personal-secrets + "/unencrypted/edpersonal.pub"); +in { + options.cynerd = { + borgjobs = mkOption { + type = with types; attrsOf anything; + description = "Job to be backed up for this "; + }; + }; + + config = { + services.borgbackup = { + repos = mkIf (elem config.networking.hostName servers) ( + mapAttrs (name: key: { + path = "/back/${name}"; + authorizedKeys = [key edpersonal]; + allowSubRepos = true; + }) + clients + ); + + jobs = mkIf (hasAttr config.networking.hostName clients) (mergeAttrsList + (map (server: (mapAttrs' (n: v: + nameValuePair "${server}-${n}" + (recursiveUpdate + (recursiveUpdate { + encryption.mode = "none"; + prune = { + keep = { + daily = 7; + weekly = 4; + monthly = -1; + }; + prefix = n; + }; + } + v) + { + repo = "borg@${server}:./${n}"; + environment = { + BORG_RSH = "ssh -i /run/secrets/borgbackup.key"; + }; + archiveBaseName = null; + })) + config.cynerd.borgjobs)) + servers)); + }; + }; +} diff --git a/nixos/modules/desktop.nix b/nixos/modules/desktop.nix index 54c50d2..06c8215 100644 --- a/nixos/modules/desktop.nix +++ b/nixos/modules/desktop.nix @@ -72,9 +72,6 @@ in { astroid dodo taskwarrior3 - vdirsyncer - khal - khard gnupg pinentry-gnome3 pinentry-curses 
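Review bot: Every client key listed in `authorizedKeys` gets full read/write/delete access to `/back/${name}`, and the repositories are created with `encryption.mode = "none"`, so a compromised client can read or wipe its own backup history on the server, in plaintext. The module has `authorizedKeysAppendOnly` for this case; moving the client keys there and keeping only `edpersonal` in `authorizedKeys` turns deletions into append-only transactions that only the admin key can compact — with the caveat that the client-side `prune` block would then stop reclaiming space and pruning would have to run on the server. If `encryption.mode = "none"` is deliberate for a self-owned server, a one-line comment saying so would stop the next reader from re-litigating it. `BORG_RSH` only passes `-i`; host-key verification therefore depends on the client's known_hosts being populated elsewhere, which is presumably the case but worth confirming. The option description `"Job to be backed up for this "` is also cut off mid-sentence.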
@@ -124,7 +121,6 @@ in { tigervnc freerdp - plasma5Packages.kdeconnect-kde gnome-firmware hdparm @@ -144,21 +140,24 @@ in { gimp inkscape blender - kdenlive + tenacity + #kdePackages.kdenlive # GStreamer - gst_all_1.gst-libav - gst_all_1.gst-plugins-bad + gst_all_1.gstreamer gst_all_1.gst-plugins-base gst_all_1.gst-plugins-good + gst_all_1.gst-plugins-bad gst_all_1.gst-plugins-ugly - gst_all_1.gst-plugins-viperfx + gst_all_1.gst-plugins-rs + gst_all_1.gst-libav + gst_all_1.gst-vaapi # Writing typst - typst-fmt + typstfmt typst-live - typst-lsp + tinymist vale # CAD @@ -200,6 +199,8 @@ in { enableSSHSupport = true; enableBrowserSocket = true; }; + + kdeconnect.enable = true; }; xdg = { @@ -245,9 +246,15 @@ in { alsa.enable = true; alsa.support32Bit = true; pulse.enable = true; - extraConfig.pipewire."10-zeroconf" = { - "context.modules" = [{name = "libpipewire-module-zeroconf-discover";}]; - }; + configPackages = [ + (pkgs.writeTextDir "share/pipewire/pipewire.conf.d/10-zeroconf-discover.conf" '' + context.modules = [ + { name = libpipewire-module-zeroconf-discover + args = { } + } + ] + '') + ]; }; upower.enable = true; @@ -272,6 +279,12 @@ in { davfs2.enable = true; locate.enable = true; + + gnome = { + at-spi2-core.enable = true; + gnome-keyring.enable = true; + gnome-online-accounts.enable = true; + }; }; # Beneficial for Pipewire @@ -284,7 +297,7 @@ in { }; fonts.packages = with pkgs; [ - (nerdfonts.override {fonts = ["Hack"];}) + nerd-fonts.hack arkpandora_ttf corefonts dejavu_fonts diff --git a/nixos/modules/develop.nix b/nixos/modules/develop.nix index 446d205..6444473 100644 --- a/nixos/modules/develop.nix +++ b/nixos/modules/develop.nix @@ -43,6 +43,7 @@ in { cachix nurl nil + nixfmt-rfc-style alejandra statix deadnix @@ -82,6 +83,7 @@ in { pygraphviz matplotlib + seaborn plotly pygal @@ -105,6 +107,9 @@ in { pyserial pylibftdi + pyusb + usbtmc + pylxd selenium ])) @@ -123,6 +128,9 @@ in { # Julia julia + # XML + libxml2 + # Qemmu qemu virt-manager 
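Review bot: `kdeconnect.enable = true` is not a drop-in for the removed `plasma5Packages.kdeconnect-kde` package entry: the NixOS `programs.kdeconnect` module also opens TCP and UDP 1714–1764 in the firewall on all interfaces. On a laptop that roams onto untrusted Wi-Fi this exposes the KDE Connect discovery/pairing endpoint everywhere, which the plain package did not; the module offers no per-interface switch, so if that exposure is intended it deserves a comment such as `# NOTE: opens 1714-1764/tcp+udp globally`, and if not, the package entry plus a manual `networking.firewall.interfaces.<lan>.allowedTCPPortRanges` is the narrower option. The enclosing `programs = {` block starts outside this hunk.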
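Review bot: The new `10-zeroconf-discover.conf` keeps `libpipewire-module-zeroconf-discover` loaded unconditionally, which makes PipeWire create tunnel sinks for any PulseAudio sink advertised over mDNS on whatever network the machine is on; on an untrusted LAN that lets a stranger's advertised sink show up as an output device. That is presumably accepted for a home desktop, but a short comment above the `configPackages` entry stating that assumption would help, and if the module only matters at home it could be gated on the same condition the rest of this file uses for LAN-only features. The `services.pipewire` block starts outside this hunk.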
@@ -152,12 +160,15 @@ in { stdmanpages # SHV - shvcli + (shvcli.withPlugins [python3Packages.shvcli-ell]) # Images imagemagick ]; - programs.wireshark.package = pkgs.wireshark; + programs.wireshark = { + enable = true; + package = pkgs.wireshark; + }; documentation = { nixos = { @@ -173,6 +184,7 @@ in { SUBSYSTEMS=="usb", ATTRS{idVendor}=="a600", ATTRS{idProduct}=="a003", MODE:="0660", GROUP="develop", SYMLINK+="aix_forte_%n" SUBSYSTEMS=="usb", ATTRS{idVendor}=="1366", ATTRS{idProduct}=="0105", MODE:="0660", GROUP="develop", SYMLINK+="jlink_%n" SUBSYSTEMS=="usb", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="2111", MODE:="0660", GROUP="develop", SYMLINK+="cmsip_dap_%n" + SUBSYSTEMS=="usb", ATTRS{idVendor}=="1ab1", ATTRS{idProduct}=="0e11", MODE:="0660", GROUP="develop" ''; virtualisation = { diff --git a/nixos/modules/gaming.nix b/nixos/modules/gaming.nix index 64af068..6e25320 100644 --- a/nixos/modules/gaming.nix +++ b/nixos/modules/gaming.nix @@ -18,7 +18,14 @@ in { config = mkIf cnf { cynerd.desktop.enable = true; - environment.systemPackages = [pkgs.heroic]; + environment.systemPackages = with pkgs; [ + heroic + prismlauncher + ]; + + nixpkgs.config.permittedInsecurePackages = [ + "SDL_ttf-2.0.11" # TODO + ]; programs.steam = { enable = true; @@ -31,8 +38,28 @@ in { with pkgs; [ ncurses xorg.libXpm - flac1_3 + #flac134 + libopus + ]; + }; + heroic = pkgs.heroic.override { + extraPkgs = pkgs: + with pkgs; [ + ncurses + xorg.libXpm + #flac134 libopus + SDL + SDL2_image + SDL2_mixer + SDL2_ttf + SDL_image + SDL_mixer + SDL_ttf + glew110 + libdrm + libidn + tbb ]; }; }; diff --git a/nixos/modules/generic.nix b/nixos/modules/generic.nix index 02afd17..e029058 100644 --- a/nixos/modules/generic.nix +++ b/nixos/modules/generic.nix 
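Review bot: `programs.wireshark.enable = true` (moved here from users.nix) creates the `wireshark` group and installs a capability-wrapped `dumpcap` (cap_net_raw/cap_net_admin), so any account in that group can capture traffic on every interface; the group membership is configured elsewhere and should be kept as tight as the `develop` group used by the udev rules in this file. A comment above the block, e.g. `# members of group "wireshark" can sniff all interfaces`, would make that implication visible where the option is set. The new udev rule for `1ab1:0e11` is the only one without a `SYMLINK+=` and without a hint of which device it is (1ab1 is presumably a Rigol instrument, matching the added `usbtmc` package); a trailing comment naming it would match the lines above.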
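Review bot: `nixpkgs.config.permittedInsecurePackages = ["SDL_ttf-2.0.11"]` disables nixpkgs' insecure-package guard for the whole system evaluation, not only for the `heroic` override that pulls in the SDL 1.x libraries (`SDL`, `SDL_image`, `SDL_mixer`, `SDL_ttf`) and `glew110`, and the bare `# TODO` records neither why it is needed nor when it can go. A comment of the form `# needed by <game> under heroic; drop once it moves to SDL2` would make the allowance reviewable later, and the SDL 1.x set itself should be listed with the same justification since those libraries are unmaintained upstream. Tying the allowance to `cynerd.gaming.enable` rather than a module that is imported unconditionally would also keep it off non-gaming hosts, if that is not already the case.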
@@ -6,10 +6,8 @@ inherit (lib) mkOverride mkDefault; in { config = { - system.stateVersion = "24.05"; - nix = { - extraOptions = "experimental-features = nix-command flakes repl-flake"; + extraOptions = "experimental-features = nix-command flakes"; settings = { auto-optimise-store = true; substituters = [ @@ -31,8 +29,11 @@ in { }; boot = { - loader.systemd-boot.enable = mkOverride 1100 true; - loader.efi.canTouchEfiVariables = mkDefault true; + loader = { + systemd-boot.enable = mkOverride 1100 true; + efi.canTouchEfiVariables = mkDefault true; + grub.enable = mkOverride 1100 false; + }; kernelPackages = mkOverride 1100 pkgs.linuxPackages_latest; kernelParams = ["boot.shell_on_fail"]; }; @@ -59,11 +60,6 @@ in { }) ]; - system.extraSystemBuilderCmds = '' - substituteAll ${./nixos-system.sh} $out/bin/nixos-system - chmod +x $out/bin/nixos-system - ''; - documentation = { enable = mkDefault false; doc.enable = mkDefault false; diff --git a/nixos/modules/home-assistant.nix b/nixos/modules/home-assistant.nix deleted file mode 100644 index ab16e8a..0000000 --- a/nixos/modules/home-assistant.nix +++ /dev/null 
@@ -1,164 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: let - inherit (lib) mkIf mkEnableOption; -in { - options = { - cynerd.home-assistant = mkEnableOption "Enable Home Assistant and Bigclown"; - }; - - config = mkIf config.cynerd.home-assistant { - services.mosquitto = { - enable = true; - listeners = [ - { - users = { - cynerd = { - acl = ["readwrite #"]; - passwordFile = "/run/secrets/mosquitto.cynerd.pass"; - }; - telegraf = { - acl = ["read bigclown/node/#"]; - passwordFile = "/run/secrets/mosquitto.telegraf.pass"; - }; - homeassistant = { - acl = [ - "readwrite homeassistant/#" - "readwrite bigclown/#" - "readwrite zigbee2mqtt/#" - ]; - passwordFile = "/run/secrets/mosquitto.homeassistant.pass"; - }; - bigclown = { - acl = ["readwrite bigclown/#"]; - passwordFile = "/run/secrets/mosquitto.bigclown.pass"; - }; - zigbee2mqtt = { - acl = [ - "readwrite homeassistant/#" - "readwrite zigbee2mqtt/#" - ]; - passwordFile = "/run/secrets/mosquitto.zigbee2mqtt.pass"; - }; - }; - } - ]; - }; - networking.firewall.allowedTCPPorts = [ - 1883 # Mosquitto - ]; - - services.bcg = { - enable = true; - device = "/dev/ttyUSB0"; - baseTopicPrefix = "bigclown/"; - environmentFiles = ["/run/secrets/bigclown.env"]; - mqtt = { - username = "bigclown"; - password = "\${MQTT_PASSWORD}"; - }; - }; - - systemd.services.bigclown-leds = { - description = "Bigclown LEDs control"; - wantedBy = ["multi-user.target"]; - wants = ["mosquitto.service"]; - serviceConfig.ExecStart = "${pkgs.bigclown-leds}/bin/bigclown-leds /run/secrets/bigclown-leds.ini"; - }; - - services.telegraf.extraConfig = { - outputs.influxdb_v2 = [ - { - urls = ["http://cynerd.cz:8086"]; - token = "$INFLUX_TOKEN"; - organization = "personal"; - bucket = "bigclown"; - tagpass.source = ["bigclown"]; - } - ]; - inputs.mqtt_consumer = let - consumer = data_type: topics: { - tags = {source = "bigclown";}; - servers = ["tcp://localhost:1883"]; - inherit topics; - username = "telegraf"; - password = "$MQTT_PASSWORD"; - 
data_format = "value"; - inherit data_type; - topic_parsing = [ - { - topic = "bigclown/node/+/+/+/+"; - measurement = "_/_/_/_/_/measurement"; - tags = "_/_/device/field/_/_"; - } - ]; - }; - in [ - (consumer "float" [ - "bigclown/node/+/battery/+/voltage" - "bigclown/node/+/thermometer/+/temperature" - "bigclown/node/+/hygrometer/+/relative-humidity" - "bigclown/node/+/lux-meter/+/illuminance" - "bigclown/node/+/barometer/+/pressure" - "bigclown/node/+/pir/+/event-count" - "bigclown/node/+/push-button/+/event-count" - ]) - (consumer "boolean" [ - "bigclown/node/+/flood-detector/+/alarm" - ]) - ]; - processors.pivot = [ - { - tag_key = "field"; - value_key = "value"; - tagpass.source = ["bigclown"]; - } - ]; - }; - systemd.services.telegraf.wants = ["mosquitto.service"]; - - #nixpkgs.config.permittedInsecurePackages = ["openssl-1.1.1w"]; # TODO - services.home-assistant = { - enable = false; - openFirewall = true; - configDir = "/var/lib/hass"; - config = { - homeassistant = { - name = "SPT"; - latitude = "!secret latitude"; - longitude = "!secret longitude"; - elevation = "!secret elevation"; - time_zone = "Europe/Prague"; - country = "CZ"; - }; - http.server_port = 8808; - mqtt = { - sensor = import ./home-assistant/sensors.nix; - light = import ./home-assistant/light.nix; - }; - default_config = {}; - automation = "!include automations.yaml"; - }; - extraComponents = ["met"]; - package = pkgs.home-assistant.override { - extraPackages = pkgs: - with pkgs; [ - securetar - pyipp - ]; - packageOverrides = _: super: { - scapy = super.scapy.override { - withPlottingSupport = false; - }; - s3transfer = super.s3transfer.overridePythonAttrs { - dontUsePytestCheck = true; - dontUseSetuptoolsCheck = true; - }; - }; - }; - }; - }; -} diff --git a/nixos/modules/home-assistant/light.nix b/nixos/modules/home-assistant/light.nix deleted file mode 100644 index a9d158b..0000000 --- a/nixos/modules/home-assistant/light.nix +++ /dev/null 
@@ -1,13 +0,0 @@
-[
- {
- name = "RGB Osvětlení";
- command_topic = "homeassistant/led-strip";
- brightness_scale = 100;
- brightness_command_topic = "bigclown/node/power-controller:0/led-strip/-/brightness/set";
- #brightness_state_topic = "bigclown/node/power-controller:0/led-strip/-/brightness/set";
- rgb_command_template = ''"#{{"%02x" % red}}{{"%02x" % green}}{{"%02x" % blue}}"'';
- rgb_command_topic = "bigclown/node/power-controller:0/led-strip/-/color/set";
- #rgb_value_template = ''{{int(value[2:4],16)}},{{int(value[5:7],16)}},{{int(value[8:10],16)}}'';
- #rgb_state_topic = "bigclown/node/power-controller:0/led-strip/-/color/set";
- }
-]
diff --git a/nixos/modules/home-assistant/sensors.nix b/nixos/modules/home-assistant/sensors.nix
deleted file mode 100644
index fadd4eb..0000000
--- a/nixos/modules/home-assistant/sensors.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-[
- {
- name = "Teplota";
- state_class = "measurement";
- state_topic = "bigclown/node/climate-monitor:0/thermometer/0:0/temperature";
- unit_of_measurement = "°C";
- }
- {
- name = "Vlhkost";
- state_class = "measurement";
- state_topic = "bigclown/node/climate-monitor:0/hygrometer/0:4/relative-humidity";
- unit_of_measurement = "%";
- }
- {
- name = "Osvětlení";
- state_class = "measurement";
- state_topic = "bigclown/node/climate-monitor:0/lux-meter/0:0/illuminance";
- }
-]
diff --git a/nixos/modules/hosts.nix b/nixos/modules/hosts.nix
index f53fd8c..4b358b8 100644
--- a/nixos/modules/hosts.nix
+++ b/nixos/modules/hosts.nix
@@ -64,7 +64,7 @@ in {
 "ridcully" = "10.8.3.60";
 "3dprint" = "10.8.3.80";
 "mpd" = "10.8.3.51";
- "printer" = "192.168.0.20";
+ "printer" = "192.168.1.20";
 # Portable
 "albert" = "10.8.3.61";
 "binky" = "10.8.3.63";
diff --git a/nixos/modules/monitoring.nix b/nixos/modules/monitoring.nix
index e4fa195..e8ba2a9 100644
--- a/nixos/modules/monitoring.nix
+++ b/nixos/modules/monitoring.nix
@@ -136,8 +136,8 @@ in { }) (mkIf (config.networking.hostName == "lipwig") { - # InfluxDB services = { + # InfluxDB influxdb2.enable = true; telegraf.extraConfig.inputs.prometheus = { urls = ["http://localhost:8086/metrics"]; diff --git a/nixos/modules/nixos-system.sh b/nixos/modules/nixos-system.sh deleted file mode 100644 index 7a220bb..0000000 --- a/nixos/modules/nixos-system.sh +++ /dev/null @@ -1,27 +0,0 @@ -#!@shell@ -# Simple script handy to be used for activation - -while getopts "s" opt; do - case "$opt" in - s) - if [ ! -v NIXOS_SYSTEM_GNU_SCREEN ]; then - export NIXOS_SYSTEM_GNU_SCREEN=1 - exec @out@/sw/bin/screen "$0" "$@" - fi - ;; - *) - echo "Invalid argument: $1" >&2 - exit 1 - ;; - esac -done -shift $((OPTIND - 1)) - - -@out@/sw/bin/nix-env --profile /nix/var/nix/profiles/system --set '@out@' - -@out@/bin/switch-to-configuration "$@" || { - echo "Switch failed!" >&2 - read -r _ - exit 1 -} diff --git a/nixos/modules/openvpn.nix b/nixos/modules/openvpn.nix index 6a21721..da29dd7 100644 --- a/nixos/modules/openvpn.nix +++ b/nixos/modules/openvpn.nix @@ -9,11 +9,6 @@ in { options = { cynerd.openvpn = { - oldpersonal = mkOption { - type = types.bool; - default = false; - description = "My personal old OpenVPN"; - }; elektroline = mkOption { type = types.bool; default = false; @@ -24,9 +19,6 @@ in { config = { services.openvpn.servers = { - oldpersonal = mkIf cnf.oldpersonal { - config = "config /run/secrets/old.ovpn"; - }; elektroline = mkIf cnf.elektroline { config = "config /run/secrets/elektroline.ovpn"; up = '' diff --git a/nixos/modules/packages.nix b/nixos/modules/packages.nix index 1052f56..155d8a5 100644 --- a/nixos/modules/packages.nix +++ b/nixos/modules/packages.nix @@ -41,9 +41,7 @@ in { btop iotop mc - screen tmux - pv # ls tools tree 
@@ -65,14 +63,19 @@ in { wakeonlan speedtest-cli librespeed-cli - termshark + #termshark w3m lm_sensors ] + ++ optionals (system != "armv7l-linux") [ + ranger + ] ++ optionals (system == "x86_64-linux") [ nmap ltrace + pv + screen ] ++ optionals (!isNative) [ ncdu_1 diff --git a/nixos/modules/rpi.md b/nixos/modules/rpi.md new file mode 100644 index 0000000..43b172f --- /dev/null +++ b/nixos/modules/rpi.md @@ -0,0 +1,25 @@ +# Raspberry Pi SD card preparation steps + +``` +~# parted /dev/sdx +(parted) mktable msdos +(parted) mkpart primary fat16 0% 120M +(parted) mkpart primary btrfs 120M 100% +(parted) set 2 boot on +(parted) quit +~# mkfs.vfat -F16 /dev/sdx1 +~# mkfs.btrfs /dev/sdx2 + +~# mount /dev/sdx1 /mnt +~# nix build .#firmware-HOST +~# cp -r result/* /mnt/ +~# umount mnt + +~# mount /dev/sdx2 /mnt +~# nix copy --to /mnt .#toplevel-HOST +~# nix build --print-out-paths .#toplevel-HOST +~# nix eval .#nixosConfigurations.HOST.config.boot.loader.generic-extlinux-compatible.populateCmd +"/nix/store/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-extlinux-conf-builder.sh -g 20 -t 5" +~# /nix/store/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-extlinux-conf-builder.sh -c -d ./mnt/boot +~# umount mnt +``` diff --git a/nixos/modules/rpi.nix b/nixos/modules/rpi.nix new file mode 100644 index 0000000..e4e10fe --- /dev/null +++ b/nixos/modules/rpi.nix 
@@ -0,0 +1,88 @@ +{ + config, + lib, + pkgs, + ... +}: let + inherit (lib) mkOption types mkMerge mkIf; + + configTxt = pkgs.writeText "config.txt" '' + [pi3] + kernel=u-boot-rpi3.bin + + # Boot in 64-bit mode. + arm_64bit=1 + + # Otherwise the serial output will be garbled. + core_freq=250 + # Boot in 64-bit mode. + arm_64bit=1 + + [all] + # U-Boot needs this to work, regardless of whether UART is actually used or not. + # Look in arch/arm/mach-bcm283x/Kconfig in the U-Boot tree to see if this is still + # a requirement in the future. + enable_uart=1 + + # Prevent the firmware from smashing the framebuffer setup done by the mainline kernel + # when attempting to show low-voltage or overtemperature warnings. + avoid_warnings=1 + ''; +in { + options.cynerd.rpi = mkOption { + type = with types; nullOr (enum [2 3]); + default = null; + description = "If machine is RaspberryPi and which version"; + }; + + config = mkMerge [ + (mkIf (config.cynerd.rpi == 2) { + nixpkgs.hostPlatform.system = "armv7l-linux"; + }) + (mkIf (config.cynerd.rpi == 3) { + nixpkgs.hostPlatform.system = "aarch64-linux"; + boot.kernelParams = ["console=ttyS1,115200n8"]; + }) + (mkIf (config.cynerd.rpi != null) { + boot.loader = { + systemd-boot.enable = false; + efi.canTouchEfiVariables = false; + generic-extlinux-compatible.enable = true; + }; + boot.consoleLogLevel = 7; + + fileSystems = { + "/" = { + device = "/dev/mmcblk0p2"; + fsType = "ext4"; + }; + #"/" = { + # device = "/dev/mmcblk0p2"; + # fsType = "btrfs"; + # options = ["compress=lzo"]; + #}; + "/boot/firmware" = { + device = "/dev/mmcblk0p1"; + fsType = "vfat"; + options = ["nofail"]; + }; + }; + + services.journald.extraConfig = '' + SystemMaxUse=512M + ''; + + system.build.firmware = pkgs.callPackage ({stdenvNoCC}: + stdenvNoCC.mkDerivation { + name = "${config.system.name}-firmware"; + buildCommand = '' + mkdir $out + cp -r ${pkgs.raspberrypifw}/share/raspberrypi/boot/* $out/ + cp ${configTxt} $out/config.txt + # TODO support rpi2 + 
cp ${pkgs.ubootRaspberryPi3_btrfs}/u-boot.bin $out/u-boot-rpi3.bin + ''; + }) {}; + }) + ]; +} diff --git a/nixos/modules/syncthing.nix b/nixos/modules/syncthing.nix index 91736ca..1148da6 100644 --- a/nixos/modules/syncthing.nix +++ b/nixos/modules/syncthing.nix 
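Review bot: The root filesystem is declared as `fsType = "ext4"` on `/dev/mmcblk0p2` with the btrfs variant commented out, while rpi.md added in this same commit formats that partition with `mkfs.btrfs` and the firmware image ships `ubootRaspberryPi3_btrfs`; one side is wrong and a board prepared per the document will fail to mount `/`. Either re-enable the btrfs entry (`fsType = "btrfs"; options = ["compress=lzo"];`) or change the document to `mkfs.ext4` and use the plain U-Boot package. The generated `config.txt` also carries `arm_64bit=1` twice in the `[pi3]` section, which is harmless but looks like a paste error. `boot.consoleLogLevel = 7` leaves full kernel debug output on the serial console; fine for bring-up, but worth lowering once the board is stable.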
@@ -3,119 +3,96 @@ lib, ... }: let - inherit (lib) filterAttrs mkOption types mkIf any mkDefault recursiveUpdate genAttrs; - cnf = config.cynerd.syncthing; - inherit (config.networking) hostName; + inherit (lib) elem filterAttrs mkIf any mkDefault recursiveUpdate genAttrs; + allDevices = [ - "albert" "binky" "errol" "lipwig" "ridcully" - "spt-omnia" - ]; - mediaDevices = [ - "lipwig" - "binky" - "errol" - "ridcully" - "spt-omnia" ]; bigStorageDevices = [ "errol" "ridcully" - "spt-omnia" ]; + + inherit (config.networking) hostName; + baseDir = config.services.syncthing.dataDir; filterDevice = filterAttrs (_: v: any (d: d == hostName) v.devices); in { - options = { - cynerd.syncthing = { - enable = mkOption { - type = types.bool; - default = false; - description = "My personal Syncthing configuration"; - }; - - baseDir = mkOption { - type = types.str; - default = "/home/cynerd"; - description = "Base directory for all folders being synced."; - }; - }; - }; - - config = mkIf cnf.enable { + config = mkIf (config.services.syncthing.enable && elem hostName allDevices) { services.syncthing = { - enable = any (n: n == hostName) allDevices; user = mkDefault "cynerd"; + group = mkDefault "cynerd"; + key = "/run/secrets/syncthing.key.pem"; cert = "/run/secrets/syncthing.cert.pem"; openDefaultPorts = true; - overrideFolders = true; - folders = filterDevice { - "${cnf.baseDir}/documents" = { - label = "Documents"; - id = "documents"; - devices = allDevices; - ignorePerms = false; - }; - "${cnf.baseDir}/notes" = { - label = "Notes"; - id = "notes"; - devices = allDevices; - ignorePerms = false; - }; - "${cnf.baseDir}/projects" = { - label = "Projects"; - id = "projects"; - devices = allDevices; - ignorePerms = false; - }; - "${cnf.baseDir}/pictures" = { - label = "Pictures"; - id = "pictures"; - devices = mediaDevices; - ignorePerms = false; - }; - # TODO phone-photos - "${cnf.baseDir}/music/primary" = { - label = "Music-primary"; - id = "music-primary"; - devices = 
mediaDevices; - ignorePerms = false; - }; - "${cnf.baseDir}/music/secondary" = { - label = "Music-secondary"; - id = "music-secondary"; - devices = bigStorageDevices; - ignorePerms = false; - }; - "${cnf.baseDir}/music/flac" = { - label = "Music-flac"; - id = "music-flac"; - devices = bigStorageDevices; - ignorePerms = false; - }; - "${cnf.baseDir}/video" = { - label = "Video"; - id = "video"; - devices = bigStorageDevices; - ignorePerms = false; - }; - }; - overrideDevices = true; - devices = - recursiveUpdate - (genAttrs allDevices (name: { - id = config.secrets.syncthingIDs."${name}"; - })) - { - lipwig.addresses = ["tcp://cynerd.cz"]; + + settings = { + folders = filterDevice { + "${baseDir}/documents" = { + label = "Documents"; + id = "documents"; + devices = allDevices; + ignorePerms = false; + }; + "${baseDir}/notes" = { + label = "Notes"; + id = "notes"; + devices = allDevices; + ignorePerms = false; + }; + "${baseDir}/projects" = { + label = "Projects"; + id = "projects"; + devices = allDevices; + ignorePerms = false; + }; + "${baseDir}/elektroline" = { + label = "Elektroline"; + id = "elektroline"; + devices = allDevices; + ignorePerms = false; + }; + "${baseDir}/pictures" = { + label = "Pictures"; + id = "pictures"; + devices = bigStorageDevices; + ignorePerms = false; + }; + "${baseDir}/music" = { + label = "Music"; + id = "music"; + devices = bigStorageDevices; + ignorePerms = false; + }; + "${baseDir}/video" = { + label = "Video"; + id = "video"; + devices = bigStorageDevices; + ignorePerms = false; + }; + "${baseDir}/turris" = { + label = "Turris"; + id = "turris"; + devices = bigStorageDevices; + ignorePerms = false; + }; }; - # TODO phone + + devices = + recursiveUpdate + (genAttrs allDevices (name: { + id = config.secrets.syncthingIDs."${name}"; + })) + { + lipwig.addresses = ["tcp://cynerd.cz"]; + }; + }; }; }; } diff --git a/nixos/modules/users.nix b/nixos/modules/users.nix index 1c143bb..7d0dc77 100644 --- a/nixos/modules/users.nix 
+++ b/nixos/modules/users.nix
@@ -4,7 +4,7 @@
 ...
 }: let
 isNative = config.nixpkgs.hostPlatform == config.nixpkgs.buildPlatform;
- isArm = config.nixpkgs.hostPlatform.isAarch;
+ isArm = pkgs.hostPlatform.isAarch;
 in {
 users = {
 mutableUsers = false;
@@ -73,8 +73,6 @@ in {
 defaultEditor = !isArm;
 withNodeJs = true;
 };
-
- wireshark.enable = true;
 };
 programs.fuse.userAllowOther = true;
diff --git a/nixos/modules/wifi-adm.nix b/nixos/modules/wifi-adm.nix
index 1db730c..56ca65a 100644
--- a/nixos/modules/wifi-adm.nix
+++ b/nixos/modules/wifi-adm.nix
@@ -3,9 +3,73 @@ lib, ... }: let - inherit (lib) mkOption mkEnableOption types mkIf hostapd elemAt; + inherit (lib) mkOption mkEnableOption types mkIf mkMerge hostapd elemAt; cnf = config.cynerd.wifiAP.adm; + wifi-networks = name: { + "${cnf."${name}".interface}" = { + bssid = elemAt cnf."${name}".bssids 0; + ssid = "TurrisAdamkovi"; + authentication = { + mode = "wpa3-sae-transition"; + wpaPasswordFile = "/run/secrets/hostapd-TurrisAdamkovi.pass"; + saePasswordsFile = "/run/secrets/hostapd-TurrisAdamkovi.pass"; + }; + }; + "${cnf."${name}".interface}.nela" = { + bssid = elemAt cnf."${name}".bssids 1; + ssid = "Nela"; + authentication = { + mode = "wpa2-sha256"; + wpaPasswordFile = "/run/secrets/hostapd-Nela.pass"; + }; + }; + "${cnf."${name}".interface}.milan" = { + bssid = elemAt cnf."${name}".bssids 2; + ssid = "MILAN-AC"; + authentication = { + mode = "wpa2-sha1"; + wpaPasswordFile = "/run/secrets/hostapd-MILAN-AC.pass"; + }; + }; + }; + + net-networks = name: { + "lan-${cnf."${name}".interface}" = { + matchConfig = { + Name = cnf."${name}".interface; + WLANInterfaceType = "ap"; + }; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + EgressUntagged = 1; + PVID = 1; + } + ]; + }; + "lan-${cnf."${name}".interface}.nela" = { + matchConfig.Name = "${cnf."${name}".interface}-nela"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + EgressUntagged = 2; + PVID = 2; + } + ]; + }; + "lan-${cnf."${name}".interface}.milan" = { + matchConfig.Name = "${cnf."${name}".interface}.milan"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + EgressUntagged = 2; + PVID = 2; + } + ]; + }; + }; + wOptions = card: channelDefault: { interface = mkOption { type = with types; nullOr str; 
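Review bot: The networkd unit for the Nela BSS matches `Name = "${cnf."${name}".interface}-nela"`, but the hostapd BSS in the same helper is now keyed `"${cnf."${name}".interface}.nela"` (the old per-card blocks used `-nela` in both places), so the interface hostapd creates for Nela never gets bridged into `brlan` on VLAN 2; the `.milan` pair is consistent, so this reads as a slip from the rename, and the fix is `matchConfig.Name = "${cnf."${name}".interface}.nela";`. Separately, MILAN-AC moves from `wpa2-sha256` down to `wpa2-sha1` while the main SSID moves up to `wpa3-sae-transition`; if the downgrade is for a specific legacy client, a comment saying which one would stop it being "fixed" back later. The main SSID points `wpaPasswordFile` and `saePasswordsFile` at the same file, which only works if the module accepts the same format for both — as far as I recall `saePasswordsFile` expects hostapd-style `sae_password=` lines, so confirm against the module documentation. The surrounding `let` block continues past the end of this hunk.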
@@ -43,32 +107,7 @@ in { enable = true; inherit (hostapd.qualcomAtherosAR9287.wifi4) capabilities; }; - networks = { - "${cnf.ar9287.interface}" = { - bssid = elemAt cnf.ar9287.bssids 0; - ssid = "TurrisAdamkovi"; - authentication = { - mode = "wpa2-sha256"; - wpaPasswordFile = "/run/secrets/hostapd-TurrisAdamkovi.pass"; - }; - }; - "${cnf.ar9287.interface}-nela" = { - bssid = elemAt cnf.ar9287.bssids 1; - ssid = "Nela"; - authentication = { - mode = "wpa2-sha256"; - wpaPasswordFile = "/run/secrets/hostapd-Nela.pass"; - }; - }; - "${cnf.ar9287.interface}.milan" = { - bssid = elemAt cnf.ar9287.bssids 2; - ssid = "MILAN-AC"; - authentication = { - mode = "wpa2-sha256"; - wpaPasswordFile = "/run/secrets/hostapd-MILAN-AC.pass"; - }; - }; - }; + networks = wifi-networks "ar9287"; }; "${cnf.qca988x.interface}" = mkIf (cnf.qca988x.interface != null) { countryCode = "CZ"; 
@@ -82,96 +121,13 @@ in { enable = true; inherit (hostapd.qualcomAtherosQCA988x.wifi5) capabilities; }; - networks = { - "${cnf.qca988x.interface}" = { - bssid = elemAt cnf.qca988x.bssids 0; - ssid = "TurrisAdamkovi"; - authentication = { - mode = "wpa2-sha256"; - wpaPasswordFile = "/run/secrets/hostapd-TurrisAdamkovi.pass"; - }; - }; - "${cnf.qca988x.interface}-nela" = { - bssid = elemAt cnf.qca988x.bssids 1; - ssid = "Nela"; - authentication = { - mode = "wpa2-sha256"; - wpaPasswordFile = "/run/secrets/hostapd-Nela.pass"; - }; - }; - "${cnf.qca988x.interface}.milan" = { - bssid = elemAt cnf.qca988x.bssids 2; - ssid = "MILAN-AC"; - authentication = { - mode = "wpa2-sha256"; - wpaPasswordFile = "/run/secrets/hostapd-MILAN-AC.pass"; - }; - }; - }; + networks = wifi-networks "qca988x"; }; }; }; - systemd.network.networks = { - "lan-${cnf.ar9287.interface}" = { - matchConfig.Name = cnf.ar9287.interface; - networkConfig.Bridge = "brlan"; - bridgeVLANs = [ - { - EgressUntagged = 1; - PVID = 1; - } - ]; - }; - "lan-${cnf.ar9287.interface}-nela" = { - matchConfig.Name = "${cnf.ar9287.interface}-nela"; - networkConfig.Bridge = "brlan"; - bridgeVLANs = [ - { - EgressUntagged = 2; - PVID = 2; - } - ]; - }; - "lan-${cnf.ar9287.interface}.milan" = { - matchConfig.Name = "${cnf.ar9287.interface}.milan"; - networkConfig.Bridge = "brlan"; - bridgeVLANs = [ - { - EgressUntagged = 2; - PVID = 2; - } - ]; - }; - "lan-${cnf.qca988x.interface}" = { - matchConfig.Name = cnf.qca988x.interface; - networkConfig.Bridge = "brlan"; - bridgeVLANs = [ - { - EgressUntagged = 1; - PVID = 1; - } - ]; - }; - "lan-${cnf.qca988x.interface}-nela" = { - matchConfig.Name = "${cnf.qca988x.interface}-nela"; - networkConfig.Bridge = "brlan"; - bridgeVLANs = [ - { - EgressUntagged = 2; - PVID = 2; - } - ]; - }; - "lan-${cnf.qca988x.interface}.milan" = { - matchConfig.Name = "${cnf.qca988x.interface}.milan"; - networkConfig.Bridge = "brlan"; - bridgeVLANs = [ - { - EgressUntagged = 2; - PVID = 2; - } - ]; - 
}; - }; + systemd.network.networks = mkMerge [ + (mkIf (cnf.ar9287.interface != null) (net-networks "ar9287")) + (mkIf (cnf.qca988x.interface != null) (net-networks "qca988x")) + ]; }; } diff --git a/nixos/modules/wifi-spt.nix b/nixos/modules/wifi-spt.nix index d013473..bec093e 100644 --- a/nixos/modules/wifi-spt.nix +++ b/nixos/modules/wifi-spt.nix @@ -6,6 +6,61 @@ inherit (lib) mkOption mkEnableOption types mkIf mkForce mkMerge hostapd elemAt; cnf = config.cynerd.wifiAP.spt; + wifi-networks = name: let + is2g = cnf."${name}".channel <= 14; + in { + "${cnf."${name}".interface}" = { + bssid = elemAt cnf."${name}".bssids 0; + ssid = "TurrisRules${ + if is2g + then "" + else "5" + }"; + authentication = { + mode = "wpa2-sha256"; + wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass"; + }; + settings = mkIf is2g { + ieee80211w = 0; + wpa_key_mgmt = mkForce "WPA-PSK"; # force use without sha256 + }; + }; + "${cnf."${name}".interface}.guest" = { + bssid = elemAt cnf."${name}".bssids 1; + ssid = "Kocovi"; + authentication = { + mode = "wpa2-sha256"; + wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass"; + }; + }; + }; + + net-networks = name: { + "lan-${cnf."${name}".interface}" = { + matchConfig = { + Name = cnf."${name}".interface; + WLANInterfaceType = "ap"; + }; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + EgressUntagged = 1; + PVID = 1; + } + ]; + }; + "lan-${cnf."${name}".interface}-guest" = { + matchConfig.Name = "${cnf."${name}".interface}.guest"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + EgressUntagged = 2; + PVID = 2; + } + ]; + }; + }; + wOptions = card: channelDefault: { interface = mkOption { type = with types; nullOr str; 
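Review bot: `ieee80211w = 0` together with `wpa_key_mgmt = mkForce "WPA-PSK"` in the new `wifi-networks` helper disables PMF completely on the 2.4 GHz TurrisRules BSS, leaving clients open to unauthenticated deauth/disassoc frames; the setting is carried over from the old per-card blocks, but the helper now applies it to both radios whenever `channel <= 14`. If the aim is only to admit one legacy client, `ieee80211w = 1` (PMF optional) keeps protection for clients that support it while still allowing the old one — unless that client is known to fail even with optional PMF, which the existing `# force use without sha256` comment does not record. The helper also derives its own `is2g` from `cnf."${name}".channel <= 14` while the qca988x block below still computes a separate `is2g` for `enable = !is2g;`; one shared definition would keep the two from drifting.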
@@ -48,28 +103,7 @@ in { enable = true; inherit (hostapd.qualcomAtherosAR9287.wifi4) capabilities; }; - networks = { - "${cnf.ar9287.interface}" = { - bssid = elemAt cnf.ar9287.bssids 0; - ssid = "TurrisRules"; - authentication = { - mode = "wpa2-sha256"; - wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass"; - }; - settings = { - ieee80211w = 0; - wpa_key_mgmt = mkForce "WPA-PSK"; # force use without sha256 - }; - }; - "${cnf.ar9287.interface}.guest" = { - bssid = elemAt cnf.ar9287.bssids 1; - ssid = "Kocovi"; - authentication = { - mode = "wpa2-sha256"; - wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass"; - }; - }; - }; + networks = wifi-networks "ar9287"; }; }) (mkIf (cnf.qca988x.interface != null) { 
@@ -90,87 +124,14 @@ in { enable = !is2g; inherit (hostapd.qualcomAtherosQCA988x.wifi5) capabilities; }; - networks = { - "${cnf.qca988x.interface}" = { - bssid = elemAt cnf.qca988x.bssids 0; - ssid = "TurrisRules${ - if is2g - then "" - else "5" - }"; - authentication = { - mode = "wpa2-sha256"; - wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass"; - }; - settings = mkIf is2g { - ieee80211w = 0; - wpa_key_mgmt = mkForce "WPA-PSK"; # force use without sha256 - }; - }; - "${cnf.qca988x.interface}.guest" = { - bssid = elemAt cnf.qca988x.bssids 1; - ssid = "Kocovi"; - authentication = { - mode = "wpa2-sha256"; - wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass"; - }; - }; - }; + networks = wifi-networks "qca988x"; }; }) ]; }; systemd.network.networks = mkMerge [ - (mkIf (cnf.ar9287.interface != null) { - "lan-${cnf.ar9287.interface}" = { - matchConfig = { - Name = cnf.ar9287.interface; - WLANInterfaceType = "ap"; - }; - networkConfig.Bridge = "brlan"; - bridgeVLANs = [ - { - EgressUntagged = 1; - PVID = 1; - } - ]; - }; - "lan-${cnf.ar9287.interface}-guest" = { - matchConfig.Name = "${cnf.ar9287.interface}.guest"; - networkConfig.Bridge = "brlan"; - bridgeVLANs = [ - { - EgressUntagged = 2; - PVID = 2; - } - ]; - }; - }) - (mkIf (cnf.qca988x.interface != null) { - "lan-${cnf.qca988x.interface}" = { - matchConfig = { - Name = cnf.qca988x.interface; - WLANInterfaceType = "ap"; - }; - networkConfig.Bridge = "brlan"; - bridgeVLANs = [ - { - EgressUntagged = 1; - PVID = 1; - } - ]; - }; - "lan-${cnf.qca988x.interface}-guest" = { - matchConfig.Name = "${cnf.qca988x.interface}.guest"; - networkConfig.Bridge = "brlan"; - bridgeVLANs = [ - { - EgressUntagged = 2; - PVID = 2; - } - ]; - }; - }) + (mkIf (cnf.ar9287.interface != null) (net-networks "ar9287")) + (mkIf (cnf.qca988x.interface != null) (net-networks "qca988x")) ]; }; } diff --git a/nixos/modules/wireguad.nix b/nixos/modules/wireguard.nix index 1b1db90..b49eaae 100644 --- a/nixos/modules/wireguad.nix 
+++ b/nixos/modules/wireguard.nix @@ -44,18 +44,15 @@ in { PublicKey = config.secrets.wireguardPubs.spt-omnia; } // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;})) - #{ - # wireguardPeerConfig = - # { - # Endpoint = "adm.cynerd.cz:51820"; - # AllowedIPs = [ - # "${config.cynerd.hosts.wg.adm-omnia}/32" - # "10.8.3.0/24" - # ]; - # PublicKey = config.secrets.wireguardPubs.adm-omnia; - # } - # // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;}); - #} + ({ + Endpoint = "adm.cynerd.cz:51820"; + AllowedIPs = [ + "${config.cynerd.hosts.wg.adm-omnia}/32" + "10.8.3.0/24" + ]; + PublicKey = config.secrets.wireguardPubs.adm-omnia; + } + // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;})) ] ++ (optionals is_endpoint (mapAttrsToList (n: v: { AllowedIPs = "${config.cynerd.hosts.wg."${n}"}/32"; @@ -69,20 +66,14 @@ in { IPv4Forwarding = "yes"; }; routes = - (optional (hostName != "lipwig") { - # OpenVPN network - Gateway = config.cynerd.hosts.wg.lipwig; - Destination = "10.8.0.0/24"; - Metric = 2048; - }) - ++ (optional (hostName != "spt-omnia") { + (optional (hostName != "spt-omnia") { # SPT network Gateway = config.cynerd.hosts.wg.spt-omnia; Destination = "10.8.2.0/24"; Metric = 2048; }) - ++ (optional (hostName != "adm-omnia" && hostName != "lipwig") { - # Adamkovi network + ++ (optional (hostName != "adm-omnia") { + # ADM network Gateway = config.cynerd.hosts.wg.adm-omnia; Destination = "10.8.3.0/24"; Metric = 2048; |