Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/configurations/adm-omnia.nix | 14 | ||||
-rw-r--r-- | nixos/configurations/adm-omnia2.nix | 8 | ||||
-rw-r--r-- | nixos/configurations/binky.nix | 2 | ||||
-rw-r--r-- | nixos/configurations/dean.nix | 13 | ||||
-rw-r--r-- | nixos/configurations/default.nix | 2 | ||||
-rw-r--r-- | nixos/configurations/lipwig.nix | 111 | ||||
-rw-r--r-- | nixos/configurations/spt-mox.nix | 9 | ||||
-rw-r--r-- | nixos/configurations/spt-mox2.nix | 9 | ||||
-rw-r--r-- | nixos/configurations/spt-omnia.nix | 21 | ||||
-rw-r--r-- | nixos/modules/bcg.nix | 170 | ||||
-rw-r--r-- | nixos/modules/default.nix | 1 | ||||
-rw-r--r-- | nixos/modules/desktop.nix | 189 | ||||
-rw-r--r-- | nixos/modules/develop.nix | 8 | ||||
-rw-r--r-- | nixos/modules/generic.nix | 149 | ||||
-rw-r--r-- | nixos/modules/monitoring.nix | 58 | ||||
-rw-r--r-- | nixos/modules/packages.nix | 83 | ||||
-rw-r--r-- | nixos/modules/router.nix | 10 | ||||
-rw-r--r-- | nixos/modules/switch.nix | 6 | ||||
-rw-r--r-- | nixos/modules/syncthing.nix | 2 | ||||
-rw-r--r-- | nixos/modules/users.nix | 78 | ||||
-rw-r--r-- | nixos/modules/wifi-adm.nix | 36 | ||||
-rw-r--r-- | nixos/modules/wifi-spt.nix | 16 | ||||
-rw-r--r-- | nixos/modules/wireguad.nix | 66 |
23 files changed, 497 insertions, 564 deletions
diff --git a/nixos/configurations/adm-omnia.nix b/nixos/configurations/adm-omnia.nix index 672788a..dad595b 100644 --- a/nixos/configurations/adm-omnia.nix +++ b/nixos/configurations/adm-omnia.nix @@ -37,12 +37,10 @@ networkConfig.Bridge = "brlan"; bridgeVLANs = [ { - bridgeVLANConfig = { - EgressUntagged = 1; - PVID = 1; - }; + EgressUntagged = 1; + PVID = 1; } - {bridgeVLANConfig.VLAN = 2;} + {VLAN = 2;} ]; }; "lan0-guest" = { @@ -50,10 +48,8 @@ networkConfig.Bridge = "brlan"; bridgeVLANs = [ { - bridgeVLANConfig = { - EgressUntagged = 2; - PVID = 2; - }; + EgressUntagged = 2; + PVID = 2; } ]; }; diff --git a/nixos/configurations/adm-omnia2.nix b/nixos/configurations/adm-omnia2.nix index 19ee446..2848bd9 100644 --- a/nixos/configurations/adm-omnia2.nix +++ b/nixos/configurations/adm-omnia2.nix @@ -45,12 +45,10 @@ networkConfig.Bridge = "brlan"; bridgeVLANs = [ { - bridgeVLANConfig = { - EgressUntagged = 1; - PVID = 1; - }; + EgressUntagged = 1; + PVID = 1; } - {bridgeVLANConfig.VLAN = 2;} + {VLAN = 2;} ]; }; }; diff --git a/nixos/configurations/binky.nix b/nixos/configurations/binky.nix index 6dfb6a5..4b552d5 100644 --- a/nixos/configurations/binky.nix +++ b/nixos/configurations/binky.nix @@ -75,7 +75,7 @@ in { DHCP = "yes"; IPv6AcceptRA = "yes"; }; - routes = [{routeConfig.Metric = 1088;}]; + routes = [{Metric = 1088;}]; linkConfig.RequiredForOnline = "routable"; }; }; diff --git a/nixos/configurations/dean.nix b/nixos/configurations/dean.nix index adc9e87..187e148 100644 --- a/nixos/configurations/dean.nix +++ b/nixos/configurations/dean.nix @@ -1,16 +1,13 @@ -{ - lib, - pkgs, - ... -}: let - inherit (lib) mkForce; -in { +{pkgs, ...}: { turris.board = "mox"; deploy.enable = true; cynerd = { wireguard = true; - monitoring.speedtest = true; + monitoring = { + speedtest = true; + drives = false; + }; }; networking = { diff --git a/nixos/configurations/default.nix b/nixos/configurations/default.nix index c653c2d..974d9d9 100644 
--- a/nixos/configurations/default.nix +++ b/nixos/configurations/default.nix @@ -29,7 +29,7 @@ in ]; specialArgs = { inputModules = - mapAttrs (n: v: v.nixosModules) (filterAttrs (n: v: v ? nixosModules) self.inputs) + mapAttrs (_: v: v.nixosModules) (filterAttrs (_: v: v ? nixosModules) self.inputs) // { vpsadminos = self.inputs.vpsadminos.nixosConfigurations.container; }; diff --git a/nixos/configurations/lipwig.nix b/nixos/configurations/lipwig.nix index 090e8f5..524a864 100644 --- a/nixos/configurations/lipwig.nix +++ b/nixos/configurations/lipwig.nix @@ -15,6 +15,10 @@ }; cynerd = { + monitoring = { + hw = false; + drives = false; + }; syncthing = { enable = false; baseDir = "/nas"; @@ -29,12 +33,30 @@ "/nas" = { device = "172.16.128.63:/nas/2682"; fsType = "nfs"; + options = [ + "_netdev" + "x-systemd.automount" + ]; }; "/nas/nextcloud-sync" = { device = "/nas/sync"; fsType = "fuse.bindfs"; options = ["map=syncthing/nextcloud:@syncthing/@nextcloud"]; }; + "/nas/spt" = { + device = "nas@omnia.spt:/data/nas"; + fsType = "fuse.sshfs"; + options = [ + "allow_other" + "_netdev" + "x-systemd.automount" + "reconnect" + "identityfile=/run/secrets/nas.ssh.priv" + "idmap=user" + "uid=nextcloud" + "gid=nextcloud" + ]; + }; }; networking = { @@ -85,8 +107,8 @@ root = "${pkgs.cgit}/cgit"; locations."/".tryFiles = "$uri @cgit"; locations."@cgit".extraConfig = '' - fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi; fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; + fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi; fastcgi_param PATH_INFO $uri; fastcgi_param QUERY_STRING $args; fastcgi_param HTTP_HOST $server_name; @@ -105,6 +127,14 @@ proxyWebsockets = true; }; }; + "searx.cynerd.cz" = { + forceSSL = true; + useACMEHost = "cynerd.cz"; + locations."/".extraConfig = '' + uwsgi_pass "unix:///run/searx/searx.sock"; + include ${config.services.nginx.package}/conf/uwsgi_params; + ''; + }; }; }; services.fcgiwrap = { 
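Review bot: The new `/nas/spt` sshfs mount in lipwig.nix uses `allow_other` without `default_permissions`, so if the usual FUSE semantics apply the kernel skips the local mode-bit check and any local user on lipwig can read and write the remote `/data/nas` with the privileges of the remote `nas` account; adding `"default_permissions"` to the option list restores the local check. The host key of `omnia.spt` is also not pinned anywhere in this hunk, so the first root-driven automount trusts whatever is in root's known_hosts; passing `StrictHostKeyChecking=yes` with a `UserKnownHostsFile=` option (or declaring the key via `programs.ssh.knownHosts`) keeps a spoofed host from receiving the key-authenticated session. The enclosing `fileSystems` attribute set starts outside this hunk.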
@@ -115,9 +145,10 @@ acceptTerms = true; defaults.email = "cynerd+acme@email.cz"; certs."cynerd.cz".extraDomainNames = [ - "git.cynerd.cz" "cloud.cynerd.cz" + "git.cynerd.cz" "grafana.cynerd.cz" + "searx.cynerd.cz" ]; }; @@ -248,6 +279,82 @@ ensureDatabases = ["nextcloud"]; }; + # SearX #################################################################### + services.searx = { + enable = true; + environmentFile = "/run/secrets/searx.env"; + settings = { + server.secret_key = "@SEARX_SECRET_KEY@"; + search = { + autocomplete = "google"; + autocomplete_min = 2; + }; + ui = { + query_in_title = true; + infinite_scroll = true; + center_alignment = true; + hotkeys = "vim"; + }; + engines = [ + { + name = "seznam"; + disabled = false; + } + { + name = "material icons"; + disabled = false; + } + { + name = "svgrepo"; + disabled = false; + } + { + name = "peertube"; + disabled = false; + } + { + name = "lib.rs"; + disabled = false; + } + { + name = "gitlab"; + disabled = false; + } + { + name = "sourcehut"; + disabled = false; + } + { + name = "free software directory"; + disabled = false; + } + { + name = "cppreference"; + disabled = false; + } + { + name = "searchcode code"; + disabled = false; + } + { + name = "imdb"; + disabled = false; + } + { + name = "tmdb"; + disabled = false; + } + ]; + }; + runInUwsgi = true; + uwsgiConfig = { + socket = "/run/searx/searx.sock"; + chmod-socket = "660"; + }; + redisCreateLocally = true; + }; + users.groups.searx.members = ["nginx"]; + # Old Syncthing ############################################################ services.syncthing = { enable = true; diff --git a/nixos/configurations/spt-mox.nix b/nixos/configurations/spt-mox.nix index c5ad7fb..0bc7627 100644 --- a/nixos/configurations/spt-mox.nix +++ b/nixos/configurations/spt-mox.nix @@ -7,6 +7,7 @@ cynerd = { home-assistant = true; + monitoring.drives = false; switch = { enable = true; lanAddress = "${config.cynerd.hosts.spt.mox}/24"; 
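Review bot: The new `services.searx` block publishes an instance on `searx.cynerd.cz` with no rate limiting, so any bot that reaches the vhost can hammer the uwsgi socket and the upstream engines. If the module ships SearXNG (the `redisCreateLocally` option suggests it does, but confirm against the deployed nixpkgs), `settings.server.limiter = true;` together with `settings.server.public_instance = true;` would use the already-enabled local redis to enforce it. Separately, `search.autocomplete = "google"` forwards every partially typed query to Google before a search is submitted; if that trade-off is intentional it deserves a comment such as `# NOTE: autocomplete sends partial queries to Google`.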
@@ -41,12 +42,10 @@ networkConfig.Bridge = "brlan"; bridgeVLANs = [ { - bridgeVLANConfig = { - EgressUntagged = 1; - PVID = 1; - }; + EgressUntagged = 1; + PVID = 1; } - {bridgeVLANConfig.VLAN = 2;} + {VLAN = 2;} ]; }; }; diff --git a/nixos/configurations/spt-mox2.nix b/nixos/configurations/spt-mox2.nix index c713477..085bb5f 100644 --- a/nixos/configurations/spt-mox2.nix +++ b/nixos/configurations/spt-mox2.nix @@ -6,6 +6,7 @@ }; cynerd = { + monitoring.drives = false; switch = { enable = true; lanAddress = "${config.cynerd.hosts.spt.mox2}/24"; @@ -40,12 +41,10 @@ networkConfig.Bridge = "brlan"; bridgeVLANs = [ { - bridgeVLANConfig = { - EgressUntagged = 1; - PVID = 1; - }; + EgressUntagged = 1; + PVID = 1; } - {bridgeVLANConfig.VLAN = 2;} + {VLAN = 2;} ]; }; }; diff --git a/nixos/configurations/spt-omnia.nix b/nixos/configurations/spt-omnia.nix index 22d9ecc..29fe8c4 100644 --- a/nixos/configurations/spt-omnia.nix +++ b/nixos/configurations/spt-omnia.nix @@ -88,7 +88,10 @@ in { users = { nas = { group = "nas"; - openssh.authorizedKeys.keyFiles = [(config.personal-secrets + "/unencrypted/nas.pub")]; + openssh.authorizedKeys.keyFiles = [ + (config.personal-secrets + "/unencrypted/nas.pub") + (config.personal-secrets + "/unencrypted/nas-spt.pub") + ]; isNormalUser = true; home = "/data/nas"; homeMode = "770"; @@ -135,8 +138,12 @@ in { DHCP = "ipv6"; IPv6AcceptRA = "no"; DHCPPrefixDelegation = "yes"; + DNS = "1.1.1.1"; + }; + dhcpV6Config = { + PrefixDelegationHint = "::/56"; + UseDNS = "no"; }; - dhcpV6Config.PrefixDelegationHint = "::/56"; dhcpPrefixDelegationConfig = { UplinkInterface = ":self"; SubnetId = 0; @@ -149,12 +156,10 @@ in { networkConfig.Bridge = "brlan"; bridgeVLANs = [ { - bridgeVLANConfig = { - EgressUntagged = 1; - PVID = 1; - }; + EgressUntagged = 1; + PVID = 1; } - {bridgeVLANConfig.VLAN = 2;} + {VLAN = 2;} ]; }; }; 
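Review bot: The second key added to `users.users.nas.openssh.authorizedKeys.keyFiles` in spt-omnia.nix is, judging by the `nas-spt.pub` name and the sshfs mount of `nas@omnia.spt` on lipwig, only needed for SFTP, yet `nas` is declared with `isNormalUser = true` and therefore has a login shell, so whoever holds either private key gets full shell access to the router. Restricting the keys in the `.pub` files with `restrict,command="internal-sftp"`, or adding `Match User nas` / `ForceCommand internal-sftp` to `services.openssh.extraConfig`, limits a leaked `/run/secrets/nas.ssh.priv` to the share it is meant to reach. The `users.users` block starts outside this hunk.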
@@ -170,7 +175,7 @@ in { lcp-echo-adaptive defaultroute defaultroute6 - usepeerdns + #usepeerdns maxfail 1 user metronet password metronet diff --git a/nixos/modules/bcg.nix b/nixos/modules/bcg.nix deleted file mode 100644 index 626a67f..0000000 --- a/nixos/modules/bcg.nix +++ /dev/null 
@@ -1,170 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: - -with lib; - -let - cfg = config.services.bcg; - configFile = (pkgs.formats.yaml {}).generate "bcg.conf.yaml" ( - filterAttrsRecursive (n: v: v != null) { - inherit (cfg) device name mqtt; - retain_node_messages = cfg.retainNodeMessages; - qos_node_messages = cfg.qosNodeMessages; - base_topic_prefix = cfg.baseTopicPrefix; - automatic_remove_kit_from_names = cfg.automaticRemoveKitFromNames; - automatic_rename_kit_nodes = cfg.automaticRenameKitNodes; - automatic_rename_generic_nodes = cfg.automaticRenameGenericNodes; - automatic_rename_nodes = cfg.automaticRenameNodes; - } - ); -in -{ - options = { - services.bcg = { - enable = mkEnableOption "BigClown gateway"; - package = mkPackageOption pkgs [ "python3Packages" "bcg" ] { }; - environmentFiles = mkOption { - type = types.listOf types.path; - default = []; - example = [ "/run/keys/bcg.env" ]; - description = '' - File to load as environment file. Environment variables from this file - will be interpolated into the config file using envsubst with this - syntax: `$ENVIRONMENT` or `''${VARIABLE}`. - This is useful to avoid putting secrets into the nix store. - ''; - }; - verbose = mkOption { - type = types.enum ["CRITICAL" "ERROR" "WARNING" "INFO" "DEBUG"]; - default = "WARNING"; - description = "Verbosity level."; - }; - device = mkOption { - type = types.str; - description = "Device name to configure gateway to use."; - }; - name = mkOption { - type = with types; nullOr str; - default = null; - description = '' - Name for the device. - - Supported variables: - * `{ip}` IP address - * `{id}` The ID of the connected usb-dongle or core-module - - `null` can be used for automatic detection from gateway firmware. 
- ''; - }; - mqtt = { - host = mkOption { - type = types.str; - default = "127.0.0.1"; - description = "Host where MQTT server is running."; - }; - port = mkOption { - type = types.port; - default = 1883; - description = "Port of MQTT server."; - }; - username = mkOption { - type = with types; nullOr str; - default = null; - description = "MQTT server access username."; - }; - password = mkOption { - type = with types; nullOr str; - default = null; - description = "MQTT server access password."; - }; - cafile = mkOption { - type = with types; nullOr str; - default = null; - description = "Certificate Authority file for MQTT server access."; - }; - certfile = mkOption { - type = with types; nullOr str; - default = null; - description = "Certificate file for MQTT server access."; - }; - keyfile = mkOption { - type = with types; nullOr str; - default = null; - description = "Key file for MQTT server access."; - }; - }; - retainNodeMessages = mkOption { - type = types.bool; - default = false; - description = "Specify that node messages should be retaied in MQTT broker."; - }; - qosNodeMessages = mkOption { - type = types.int; - default = 1; - description = "Set the guarantee of MQTT message delivery."; - }; - baseTopicPrefix = mkOption { - type = types.str; - default = ""; - description = "Topic prefix added to all MQTT messages."; - }; - automaticRemoveKitFromNames = mkOption { - type = types.bool; - default = true; - description = "Automatically remove kits."; - }; - automaticRenameKitNodes = mkOption { - type = types.bool; - default = true; - description = "Automatically rename kit's nodes."; - }; - automaticRenameGenericNodes = mkOption { - type = types.bool; - default = true; - description = "Automatically rename generic nodes."; - }; - automaticRenameNodes = mkOption { - type = types.bool; - default = true; - description = "Automatically rename all nodes."; - }; - rename = mkOption { - type = with types; attrsOf str; - default = {}; - description = "Rename nodes 
to different name."; - }; - }; - }; - - config = mkIf cfg.enable { - environment.systemPackages = with pkgs; [ - python3Packages.bcg - python3Packages.bch - ]; - - systemd.services.bcg = let - envConfig = cfg.environmentFiles != []; - finalConfig = if envConfig - then "$RUNTIME_DIRECTORY/bcg.config.yaml" - else configFile; - in { - description = "BigClown Gateway"; - wantedBy = [ "multi-user.target" ]; - wants = [ "network-online.target" ] ++ lib.optional config.services.mosquitto.enable "mosquitto.service"; - after = [ "network-online.target" ]; - preStart = '' - umask 077 - ${pkgs.envsubst}/bin/envsubst -i "${configFile}" -o "${finalConfig}" - ''; - serviceConfig = { - EnvironmentFile = cfg.environmentFiles; - ExecStart="${cfg.package}/bin/bcg -c ${finalConfig} -v ${cfg.verbose}"; - RuntimeDirectory = "bcg"; - }; - }; - }; -} diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix index 90a4b58..d45cb0a 100644 --- a/nixos/modules/default.nix +++ b/nixos/modules/default.nix @@ -17,6 +17,5 @@ in // { default = { imports = attrValues modules ++ default_modules; - disabledModules = [ "services/misc/bcg.nix" ]; }; } diff --git a/nixos/modules/desktop.nix b/nixos/modules/desktop.nix index 2e67730..2b19b93 100644 --- a/nixos/modules/desktop.nix +++ b/nixos/modules/desktop.nix @@ -4,7 +4,7 @@ pkgs, ... }: let - inherit (lib) mkOption mkIf mkDefault types optionals; + inherit (lib) mkOption mkIf types optionals; cnf = config.cynerd.desktop; in { options = { @@ -23,6 +23,14 @@ in { }; config = mkIf cnf.enable { + hardware = { + opengl = { + driSupport = true; + driSupport32Bit = true; + }; + bluetooth.enable = mkIf cnf.laptop true; + }; + programs = { sway = { enable = true; @@ -73,7 +81,6 @@ in { exts.pass-otp #exts.pass-audit ])) - nextcloud-client chromium ferdium 
@@ -168,73 +175,115 @@ in { acpi ]); }; + firefox = { enable = true; languagePacks = ["en-US" "cs"]; nativeMessagingHosts.packages = with pkgs; [browserpass]; }; + light.enable = mkIf cnf.laptop true; + nix-ld = { enable = true; libraries = with pkgs; [xorg.libXpm]; }; - }; - xdg.portal = { - enable = true; - wlr.enable = true; - extraPortals = with pkgs; [xdg-desktop-portal-gtk]; - }; - xdg.mime.defaultApplications = { - "text/html" = ["firefox.desktop"]; - "application/pdf" = ["org.pwmt.zathura.desktop"]; - "image/jpeg" = ["feh.desktop"]; - "image/png" = ["feh.desktop"]; - "image/svg" = ["feh.desktop"]; - }; - programs.usbkey = { - enable = true; - devicesUUID = ["de269652-2070-46b2-84f8-409dc9dd50ee" "16a089d0-a663-4047-bd88-3885dd7fdee2"]; + usbkey = { + enable = true; + devicesUUID = [ + "de269652-2070-46b2-84f8-409dc9dd50ee" + "16a089d0-a663-4047-bd88-3885dd7fdee2" + ]; + }; + + gnupg.agent = { + enable = true; + enableSSHSupport = true; + enableBrowserSocket = true; + }; }; - programs.gnupg.agent = { - enable = true; - enableSSHSupport = true; - enableBrowserSocket = true; + xdg = { + portal = { + enable = true; + wlr.enable = true; + extraPortals = with pkgs; [xdg-desktop-portal-gtk]; + }; + mime.defaultApplications = { + "text/html" = ["firefox.desktop"]; + "application/pdf" = ["org.pwmt.zathura.desktop"]; + "image/jpeg" = ["feh.desktop"]; + "image/png" = ["feh.desktop"]; + "image/svg" = ["feh.desktop"]; + }; }; - services.dbus.packages = [pkgs.gcr]; - programs.kdeconnect.enable = true; + services = { + # Autologin on the first TTY + getty = { + extraArgs = ["--skip-login"]; + loginProgram = "${pkgs.bash}/bin/sh"; + loginOptions = toString (pkgs.writeText "login-program.sh" '' + if [[ "$(tty)" == '/dev/tty1' ]]; then + ${pkgs.shadow}/bin/login -f cynerd; + else + ${pkgs.shadow}/bin/login; + fi + ''); + }; - services.pipewire = { - enable = true; - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - extraConfig.pipewire."10-zeroconf" = 
{ - "context.modules" = [{name = "libpipewire-module-zeroconf-discover";}]; + gpm.enable = true; # mouse in buffer + udev.extraRules = '' + ACTION=="add|change", KERNEL=="sd*[!0-9]", ATTR{queue/scheduler}="bfq" + ''; + xserver.xkb.options = "grp:alt_shift_toggle,caps:escape"; + + # Gnome crypto services (GnuPG) + dbus.packages = [pkgs.gcr]; + + pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + extraConfig.pipewire."10-zeroconf" = { + "context.modules" = [{name = "libpipewire-module-zeroconf-discover";}]; + }; }; - }; - security.rtkit.enable = true; - services.printing = { - enable = true; - drivers = with pkgs; [ - gutenprint - gutenprintBin - cnijfilter2 - ]; + upower.enable = true; + hardware.openrgb = { + enable = true; + package = pkgs.openrgb-with-all-plugins; + }; + + printing = { + enable = true; + drivers = with pkgs; [ + gutenprint + gutenprintBin + cnijfilter2 + ]; + }; + avahi.enable = true; + samba-wsdd = { + enable = true; + discovery = true; + }; + davfs2.enable = true; + + locate.enable = true; }; - services.upower.enable = mkDefault cnf.laptop; + # Beneficial for Pipewire + security.rtkit.enable = true; - services.avahi.enable = true; - services.samba-wsdd = { - enable = true; - discovery = true; + # Local share (avahi, samba) + networking.firewall = { + allowedTCPPorts = [5357]; + allowedUDPPorts = [3702]; }; - networking.firewall.allowedTCPPorts = [5357]; - networking.firewall.allowedUDPPorts = [3702]; fonts.packages = with pkgs; [ (nerdfonts.override {fonts = ["Hack"];}) 
@@ -253,52 +302,12 @@ in { unifont ]; - services.udev.extraRules = '' - ACTION=="add|change", KERNEL=="sd*[!0-9]", ATTR{queue/scheduler}="bfq" - ''; - hardware.opengl = { - driSupport = true; - driSupport32Bit = true; - }; - - hardware.bluetooth.enable = mkIf cnf.laptop true; - - services.hardware.openrgb = { - enable = true; - package = pkgs.openrgb-with-all-plugins; - }; - documentation = { enable = true; man.enable = true; info.enable = true; }; - services.snapper.configs = { - home = { - SUBVOLUME = "/home"; - ALLOW_GROUPS = ["users"]; - TIMELINE_CREATE = true; - TIMELINE_CLEANUP = true; - }; - }; - - # Autologin on the first TTY - services.getty = { - extraArgs = ["--skip-login"]; - loginProgram = "${pkgs.bash}/bin/sh"; - loginOptions = toString (pkgs.writeText "login-program.sh" '' - if [[ "$(tty)" == '/dev/tty1' ]]; then - ${pkgs.shadow}/bin/login -f cynerd; - else - ${pkgs.shadow}/bin/login; - fi - ''); - }; - - # Leds group is required for light - users.users.cynerd.extraGroups = ["leds"]; - # VTI settings console = { colors = [ @@ -322,12 +331,6 @@ in { earlySetup = true; useXkbConfig = true; }; - services.xserver.xkb.options = "grp:alt_shift_toggle,caps:escape"; - services.gpm.enable = true; - - services.locate.enable = true; - - services.davfs2.enable = true; # Support running app images boot.binfmt.registrations.appimage = { diff --git a/nixos/modules/develop.nix b/nixos/modules/develop.nix index 25c40c3..2a20527 100644 --- a/nixos/modules/develop.nix +++ b/nixos/modules/develop.nix @@ -22,8 +22,8 @@ in { gitlint tig gource - hub - github-cli # Git + glab + github-cli wlc # Weblate cloc openssl @@ -47,6 +47,7 @@ in { statix deadnix agenix + nix-tree # Shell dash # Posix shell @@ -60,6 +61,8 @@ in { # C clang-tools + massif-visualizer + qcachegrind # Python (python3.withPackages (pypkgs: @@ -74,6 +77,7 @@ in { mypy scipy + statsmodels sympy pygraphviz diff --git a/nixos/modules/generic.nix b/nixos/modules/generic.nix index 97391b8..02afd17 100644 
--- a/nixos/modules/generic.nix +++ b/nixos/modules/generic.nix @@ -1,12 +1,9 @@ { - config, lib, pkgs, ... }: let - inherit (lib) mkOverride mkDefault optionals; - isNative = config.nixpkgs.hostPlatform == config.nixpkgs.buildPlatform; - isArm = config.nixpkgs.hostPlatform.isAarch; + inherit (lib) mkOverride mkDefault; in { config = { system.stateVersion = "24.05"; 
@@ -43,153 +40,11 @@ in { services.fwupd.enable = mkDefault (pkgs.system == "x86_64-linux"); systemd.oomd.enable = false; - nixpkgs = { - config.allowUnfree = true; - flake = { - setNixPath = false; - setFlakeRegistry = false; - }; - }; - environment.systemPackages = with pkgs; - [ - git # We need git for this repository to even work - # Administration tools - coreutils - binutils - psmisc - progress - lshw - file - vde2 - ldns - wget - gnumake - exfat - exfatprogs - ntfs3g - usbutils - pciutils - smartmontools - parted - - # NCurses tools - htop - btop - iotop - mc - screen - tmux - pv - - # ls tools - tree - lsof - strace - - sourceHighlight # Colors for less - unrar - p7zip - zip - unzip - - # Network - netcat - traceroute - iftop - nethogs - sshfs - wakeonlan - speedtest-cli - librespeed-cli - termshark - - lm_sensors - ] - ++ optionals (system == "x86_64-linux") [ - nmap - ltrace - ] - ++ optionals (!isNative) [ - ncdu_1 - ] - ++ optionals isNative [ - moreutils - glances - ncdu - mlocate - ]; - - users = { - mutableUsers = false; - groups.cynerd.gid = 1000; - users = { - root = { - hashedPasswordFile = "/run/secrets/root.pass"; - }; - cynerd = { - group = "cynerd"; - extraGroups = ["users" "wheel" "dialout" "kvm" "uucp" "wireshark"]; - uid = 1000; - subUidRanges = [ - { - count = 65534; - startUid = 10000; - } - ]; - subGidRanges = [ - { - count = 65534; - startGid = 10000; - } - ]; - isNormalUser = true; - createHome = true; - shell = - if isNative - then pkgs.zsh.out - else pkgs.bash.out; - hashedPasswordFile = "/run/secrets/cynerd.pass"; - openssh.authorizedKeys.keyFiles = [ - (config.personal-secrets + "/unencrypted/git-private.pub") - ]; - }; - }; - }; - programs = { - zsh = { - enable = isNative; - syntaxHighlighting.enable = isNative; - }; - shellrc = true; - vim.defaultEditor = isArm; - neovim = { - enable = !isArm; - defaultEditor = true; - withNodeJs = true; - }; - - wireshark.enable = true; - }; - - security.sudo.extraRules = [ - { - groups = 
["wheel"]; - commands = ["ALL"]; - } - ]; networking = { nftables.enable = true; dhcpcd.extraConfig = "controlgroup wheel"; }; - services.openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - PermitRootLogin = "no"; - }; - }; - time.timeZone = "Europe/Prague"; i18n.defaultLocale = "en_US.UTF-8"; @@ -209,8 +64,6 @@ in { chmod +x $out/bin/nixos-system ''; - programs.fuse.userAllowOther = true; - documentation = { enable = mkDefault false; doc.enable = mkDefault false; diff --git a/nixos/modules/monitoring.nix b/nixos/modules/monitoring.nix index 44d0cbb..394915a 100644 --- a/nixos/modules/monitoring.nix +++ b/nixos/modules/monitoring.nix @@ -18,6 +18,11 @@ in { default = true; description = "If hardware should be reported"; }; + drives = mkOption { + type = types.bool; + default = true; + description = "If S.M.A.R.T. should be enabled"; + }; speedtest = mkOption { type = types.bool; default = false; @@ -30,6 +35,9 @@ in { # Telegraf configuration services.telegraf = { enable = true; + package = pkgs.writeShellScriptBin "telegraf" '' + exec /run/wrappers/bin/telegraf "$@" + ''; environmentFiles = ["/run/secrets/telegraf.env"]; extraConfig = { agent = {}; @@ -66,20 +74,23 @@ in { } ]; diskio = [{}]; - net = [{}]; + net = [{ignore_protocol_stats = false;}]; + nstat = [{}]; system = [{}]; processes = [{}]; systemd_units = [{}]; wireguard = [{}]; } - // (optionalAttrs cnf.hw { - sensors = [{}]; + // (optionalAttrs cnf.drives { smart = [ { path_smartctl = "${pkgs.smartmontools}/bin/smartctl"; use_sudo = true; } ]; + }) + // (optionalAttrs cnf.hw { + sensors = [{}]; wireless = [{}]; }) // (optionalAttrs cnf.speedtest { 
@@ -115,26 +126,35 @@ in { ]; } ]; + + security.wrappers.telegraf = { + owner = "root"; + group = "root"; + capabilities = "CAP_NET_ADMIN+epi"; + source = "${pkgs.telegraf}/bin/telegraf"; + }; }) (mkIf (config.networking.hostName == "lipwig") { # InfluxDB - services.influxdb2.enable = true; - services.telegraf.extraConfig.inputs.prometheus = { - urls = ["http://localhost:8086/metrics"]; - }; - # Grafana - services.grafana = { - enable = true; - settings = { - users.allow_sign_up = false; - security = { - admin_user = "cynerd"; - admin_password = "$__file{/run/secrets/grafana.admin.pass}"; - }; - server = { - http_addr = ""; - http_port = 3000; + services = { + influxdb2.enable = true; + telegraf.extraConfig.inputs.prometheus = { + urls = ["http://localhost:8086/metrics"]; + }; + # Grafana + grafana = { + enable = true; + settings = { + users.allow_sign_up = false; + security = { + admin_user = "cynerd"; + admin_password = "$__file{/run/secrets/grafana.admin.pass}"; + }; + server = { + http_addr = ""; + http_port = 3000; + }; }; }; }; diff --git a/nixos/modules/packages.nix b/nixos/modules/packages.nix new file mode 100644 index 0000000..d321901 --- /dev/null +++ b/nixos/modules/packages.nix 
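Review bot: `security.wrappers.telegraf` grants `CAP_NET_ADMIN+epi` to a wrapper owned by `root:root` with no `permissions` set, and the NixOS default for wrappers is, as far as I recall, executable by every local user; since telegraf accepts an arbitrary `--config` (including an `exec` input), anyone on the host could then run commands with CAP_NET_ADMIN via `/run/wrappers/bin/telegraf`. Only the telegraf unit needs the capability (presumably for the `wireguard` input), so granting it there keeps it off the filesystem: `systemd.services.telegraf.serviceConfig.AmbientCapabilities = ["CAP_NET_ADMIN"];`, which also makes the `package` shell wrapper from the earlier hunk unnecessary. If the wrapper is kept, at least set `permissions = "u+rx,g+rx";` and `group = "telegraf";` so only the service account can execute it, and verify that the unit's existing hardening (`NoNewPrivileges`) does not silently neutralize the file capability.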
@@ -0,0 +1,83 @@ +{ + config, + lib, + pkgs, + ... +}: let + inherit (lib) optionals; + isNative = config.nixpkgs.hostPlatform == config.nixpkgs.buildPlatform; +in { + nixpkgs = { + config.allowUnfree = true; + flake = { + setNixPath = false; + setFlakeRegistry = false; + }; + }; + environment.systemPackages = with pkgs; + [ + git # We need git for this repository to even work + # Administration tools + coreutils + binutils + psmisc + progress + lshw + file + vde2 + ldns + wget + gnumake + exfat + exfatprogs + ntfs3g + usbutils + pciutils + smartmontools + parted + + # NCurses tools + htop + btop + iotop + mc + screen + tmux + pv + + # ls tools + tree + lsof + strace + + sourceHighlight # Colors for less + unrar + p7zip + zip + unzip + + # Network + netcat + traceroute + iftop + nethogs + sshfs + wakeonlan + speedtest-cli + librespeed-cli + termshark + + lm_sensors + ] + ++ optionals (system == "x86_64-linux") [ + nmap + ltrace + ] + ++ optionals (!isNative) [ + ncdu_1 + ] + ++ optionals isNative [ + ncdu + moreutils + ]; +} diff --git a/nixos/modules/router.nix b/nixos/modules/router.nix index c8b1283..a658515 100644 --- a/nixos/modules/router.nix +++ b/nixos/modules/router.nix @@ -98,8 +98,8 @@ in { matchConfig.Name = "brlan"; networkConfig.VLAN = ["home" "guest"]; bridgeVLANs = [ - {bridgeVLANConfig.VLAN = 1;} - {bridgeVLANConfig.VLAN = 2;} + {VLAN = 1;} + {VLAN = 2;} ]; }; "home" = { @@ -121,10 +121,8 @@ in { }; dhcpServerStaticLeases = mapAttrsToList (n: v: { - dhcpServerStaticLeaseConfig = { - MACAddress = n; - Address = v; - }; + MACAddress = n; + Address = v; }) cnf.staticLeases; dhcpPrefixDelegationConfig = { diff --git a/nixos/modules/switch.nix b/nixos/modules/switch.nix index 37ac687..e74102a 100644 --- a/nixos/modules/switch.nix +++ b/nixos/modules/switch.nix @@ -42,10 +42,8 @@ in { matchConfig.Name = "brlan"; bridgeVLANs = [ { - bridgeVLANConfig = { - PVID = 1; - EgressUntagged = 1; - }; + PVID = 1; + EgressUntagged = 1; } ]; networkConfig = { 
diff --git a/nixos/modules/syncthing.nix b/nixos/modules/syncthing.nix index d6b65e6..91736ca 100644 --- a/nixos/modules/syncthing.nix +++ b/nixos/modules/syncthing.nix @@ -26,7 +26,7 @@ "ridcully" "spt-omnia" ]; - filterDevice = filterAttrs (n: v: any (d: d == hostName) v.devices); + filterDevice = filterAttrs (_: v: any (d: d == hostName) v.devices); in { options = { cynerd.syncthing = { diff --git a/nixos/modules/users.nix b/nixos/modules/users.nix new file mode 100644 index 0000000..d098ec7 --- /dev/null +++ b/nixos/modules/users.nix @@ -0,0 +1,78 @@ +{ + pkgs, + config, + ... +}: let + isNative = config.nixpkgs.hostPlatform == config.nixpkgs.buildPlatform; + isArm = config.nixpkgs.hostPlatform.isAarch; +in { + users = { + mutableUsers = false; + groups.cynerd.gid = 1000; + users = { + root = { + hashedPasswordFile = "/run/secrets/root.pass"; + }; + cynerd = { + group = "cynerd"; + extraGroups = ["users" "wheel" "video" "dialout" "kvm" "uucp" "wireshark" "leds"]; + uid = 1000; + subUidRanges = [ + { + count = 65534; + startUid = 10000; + } + ]; + subGidRanges = [ + { + count = 65534; + startGid = 10000; + } + ]; + isNormalUser = true; + createHome = true; + shell = + if isNative + then pkgs.zsh.out + else pkgs.bash.out; + hashedPasswordFile = "/run/secrets/cynerd.pass"; + openssh.authorizedKeys.keyFiles = [ + (config.personal-secrets + "/unencrypted/git-private.pub") + ]; + }; + }; + }; + + security.sudo.extraRules = [ + { + groups = ["wheel"]; + commands = ["ALL"]; + } + ]; + + services.openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "no"; + }; + }; + + programs = { + zsh = { + enable = isNative; + syntaxHighlighting.enable = isNative; + }; + shellrc = true; + vim.defaultEditor = isArm; + neovim = { + enable = !isArm; + defaultEditor = true; + withNodeJs = true; + }; + + wireshark.enable = true; + }; + + programs.fuse.userAllowOther = true; +} 
diff --git a/nixos/modules/wifi-adm.nix b/nixos/modules/wifi-adm.nix index 40210e7..1db730c 100644 --- a/nixos/modules/wifi-adm.nix +++ b/nixos/modules/wifi-adm.nix @@ -117,10 +117,8 @@ in { networkConfig.Bridge = "brlan"; bridgeVLANs = [ { - bridgeVLANConfig = { - EgressUntagged = 1; - PVID = 1; - }; + EgressUntagged = 1; + PVID = 1; } ]; }; @@ -129,10 +127,8 @@ in { networkConfig.Bridge = "brlan"; bridgeVLANs = [ { - bridgeVLANConfig = { - EgressUntagged = 2; - PVID = 2; - }; + EgressUntagged = 2; + PVID = 2; } ]; }; @@ -141,10 +137,8 @@ in { networkConfig.Bridge = "brlan"; bridgeVLANs = [ { - bridgeVLANConfig = { - EgressUntagged = 2; - PVID = 2; - }; + EgressUntagged = 2; + PVID = 2; } ]; }; @@ -153,10 +147,8 @@ in { networkConfig.Bridge = "brlan"; bridgeVLANs = [ { - bridgeVLANConfig = { - EgressUntagged = 1; - PVID = 1; - }; + EgressUntagged = 1; + PVID = 1; } ]; }; @@ -165,10 +157,8 @@ in { networkConfig.Bridge = "brlan"; bridgeVLANs = [ { - bridgeVLANConfig = { - EgressUntagged = 2; - PVID = 2; - }; + EgressUntagged = 2; + PVID = 2; } ]; }; @@ -177,10 +167,8 @@ in { networkConfig.Bridge = "brlan"; bridgeVLANs = [ { - bridgeVLANConfig = { - EgressUntagged = 2; - PVID = 2; - }; + EgressUntagged = 2; + PVID = 2; } ]; }; diff --git a/nixos/modules/wifi-spt.nix b/nixos/modules/wifi-spt.nix index 669439d..2ecc3a3 100644 --- a/nixos/modules/wifi-spt.nix +++ b/nixos/modules/wifi-spt.nix @@ -130,10 +130,8 @@ in { networkConfig.Bridge = "brlan"; bridgeVLANs = [ { - bridgeVLANConfig = { - EgressUntagged = 1; - PVID = 1; - }; + EgressUntagged = 1; + PVID = 1; } ]; }; @@ -142,10 +140,8 @@ in { # networkConfig.Bridge = "brlan"; # bridgeVLANs = [ # { - # bridgeVLANConfig = { # EgressUntagged = 2; # PVID = 2; - # }; # } # ]; #}; @@ -159,10 +155,8 @@ in { networkConfig.Bridge = "brlan"; bridgeVLANs = [ { - bridgeVLANConfig = { - EgressUntagged = 1; - PVID = 1; - }; + EgressUntagged = 1; + PVID = 1; } ]; }; 
@@ -171,10 +165,8 @@ in { # networkConfig.Bridge = "brlan"; # bridgeVLANs = [ # { - # bridgeVLANConfig = { # EgressUntagged = 2; # PVID = 2; - # }; # } # ]; #}; diff --git a/nixos/modules/wireguad.nix b/nixos/modules/wireguad.nix index eb25a6e..69e1ccd 100644 --- a/nixos/modules/wireguad.nix +++ b/nixos/modules/wireguad.nix @@ -29,27 +29,21 @@ in { }; wireguardPeers = [ - { - wireguardPeerConfig = - { - Endpoint = "cynerd.cz:51820"; - AllowedIPs = ["0.0.0.0/0"]; - PublicKey = config.secrets.wireguardPubs.lipwig; - } - // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;}); - } - { - wireguardPeerConfig = - { - Endpoint = "spt.cynerd.cz:51820"; - AllowedIPs = [ - "${config.cynerd.hosts.wg.spt-omnia}/32" - "10.8.2.0/24" - ]; - PublicKey = config.secrets.wireguardPubs.spt-omnia; - } - // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;}); - } + ({ + Endpoint = "cynerd.cz:51820"; + AllowedIPs = ["0.0.0.0/0"]; + PublicKey = config.secrets.wireguardPubs.lipwig; + } + // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;})) + ({ + Endpoint = "spt.cynerd.cz:51820"; + AllowedIPs = [ + "${config.cynerd.hosts.wg.spt-omnia}/32" + "10.8.2.0/24" + ]; + PublicKey = config.secrets.wireguardPubs.spt-omnia; + } + // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;})) #{ # wireguardPeerConfig = # { @@ -64,10 +58,8 @@ in { #} ] ++ (optionals is_endpoint (mapAttrsToList (n: v: { - wireguardPeerConfig = { - AllowedIPs = "${config.cynerd.hosts.wg."${n}"}/32"; - PublicKey = v; - }; + AllowedIPs = "${config.cynerd.hosts.wg."${n}"}/32"; + PublicKey = v; }) (filterAttrs (n: _: all (v: v != n) endpoints) config.secrets.wireguardPubs))); }; networks."wg" = { 
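Review bot: The commented-out third peer in wireguad.nix still carries the `# wireguardPeerConfig =` / `# {` wrapper that this hunk removes from the live peers, whereas the equivalent commented blocks in wifi-spt.nix were updated in the same commit; un-commenting it later would reintroduce the removed attribute. Dropping those two comment lines and the matching `# };` there keeps the dead code consistent with the live entries. The `wireguardPeers` list closes outside this hunk.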
@@ -82,27 +74,21 @@ in { routes = (optional (hostName != "lipwig") { # OpenVPN network - routeConfig = { - Gateway = config.cynerd.hosts.wg.lipwig; - Destination = "10.8.0.0/24"; - Metric = 2048; - }; + Gateway = config.cynerd.hosts.wg.lipwig; + Destination = "10.8.0.0/24"; + Metric = 2048; }) ++ (optional (hostName != "spt-omnia") { # SPT network - routeConfig = { - Gateway = config.cynerd.hosts.wg.spt-omnia; - Destination = "10.8.2.0/24"; - Metric = 2048; - }; + Gateway = config.cynerd.hosts.wg.spt-omnia; + Destination = "10.8.2.0/24"; + Metric = 2048; }) ++ (optional (hostName != "adm-omnia" && hostName != "lipwig") { # Adamkovi network - routeConfig = { - Gateway = config.cynerd.hosts.wg.adm-omnia; - Destination = "10.8.3.0/24"; - Metric = 2048; - }; + Gateway = config.cynerd.hosts.wg.adm-omnia; + Destination = "10.8.3.0/24"; + Metric = 2048; }); }; }; |