Diffstat (limited to 'nixos')
40 files changed, 1125 insertions, 1226 deletions
diff --git a/nixos/configurations/adm-mpd.nix b/nixos/configurations/adm-mpd.nix index ac3b4de..47ac008 100644 --- a/nixos/configurations/adm-mpd.nix +++ b/nixos/configurations/adm-mpd.nix @@ -5,26 +5,18 @@ }: let inherit (lib) filterAttrs; in { - nixpkgs.hostPlatform.system = "aarch64-linux"; + system.stateVersion = "24.05"; - fileSystems = { - "/" = { - device = "/dev/mmcblk0p2"; - options = ["compress=lzo" "subvol=@nix"]; - }; - "/home" = { - device = "/dev/mmcblk0p2"; - options = ["compress=lzo" "subvol=@home"]; - }; - "/boot" = { - device = "/dev/mmcblk0p1"; - }; + cynerd.rpi = 3; + deploy = { + enable = true; + ssh.host = "nixos@mpd.adm"; }; networking.wireless = { enable = true; networks = filterAttrs (n: _: n == "Nela") config.secrets.wifiNetworks; - environmentFile = "/run/secrets/wifi.env"; + secretsFile = "/run/secrets/wifi.secrets"; userControlled.enable = true; }; @@ -33,24 +25,24 @@ in { #alsa.enable = true; #pulse.enable = true; #}; - hardware.pulseaudio = { - enable = true; - systemWide = true; - zeroconf.publish.enable = true; - }; + #hardware.pulseaudio = { + # enable = true; + # systemWide = true; + # zeroconf.publish.enable = true; + #}; - services.spotifyd = { - enable = true; - settings.global = { - device_name = "Adámkovi"; - device = "sysdefault"; - mixer = "Master"; - bitrate = 320; - cache_path = "/var/cahe/spotify"; - no_audio_cache = true; - volume_normalisation = true; - normalisation_pregain = -10; - initial_volume = 60; - }; - }; + #services.spotifyd = { + # enable = true; + # settings.global = { + # device_name = "Adámkovi"; + # device = "sysdefault"; + # mixer = "Master"; + # bitrate = 320; + # cache_path = "/var/cahe/spotify"; + # no_audio_cache = true; + # volume_normalisation = true; + # normalisation_pregain = -10; + # initial_volume = 60; + # }; + #}; } diff --git a/nixos/configurations/adm-omnia.nix b/nixos/configurations/adm-omnia.nix index 672788a..55ee733 100644 --- a/nixos/configurations/adm-omnia.nix 
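Review bot: The pulseaudio and spotifyd blocks in the second hunk are commented out rather than deleted, so the file now carries two dozen lines of dead configuration that git history already preserves; if they are meant to come back, the `cache_path = "/var/cahe/spotify"` typo comes back with them, so either drop the blocks or correct it to `cache_path = "/var/cache/spotify";` while the lines are being touched. The same comment-out pattern is used for the `encback` device and `/back` mount in errol.nix's second and third hunks.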
+++ b/nixos/configurations/adm-omnia.nix 
@@ -1,59 +1,105 @@ -{config, ...}: { +{config, ...}: let + hosts = config.cynerd.hosts.adm; +in { + system.stateVersion = "24.05"; + turris.board = "omnia"; + deploy = { + enable = true; + ssh.host = "adm.cynerd.cz"; + }; cynerd = { router = { enable = true; wan = "pppoe-wan"; - lanIP = config.cynerd.hosts.adm.omnia; + lanIP = hosts.omnia; + staticLeases = { + "70:85:c2:4a:59:f2" = hosts.ridcully; + "7c:b0:c2:bb:9c:ca" = hosts.albert; + "4c:d5:77:0d:85:d9" = hosts.binky; + "b8:27:eb:49:54:5a" = hosts.mpd; + }; + guestStaticLeases = { + "f4:a9:97:a4:bd:59" = hosts.printer; + }; }; wifiAP.adm = { enable = true; - ar9287.interface = "wlp3s0"; - qca988x.interface = "wlp2s0"; + ar9287 = { + interface = "wlp2s0"; + bssids = config.secrets.wifiMacs.adm-omnia.ar9287; + channel = 7; + }; + qca988x = { + interface = "wlp1s0"; + bssids = config.secrets.wifiMacs.adm-omnia.qca988x; + channel = 44; + }; }; + wireguard = true; monitoring.speedtest = true; }; + services.journald.extraConfig = '' + SystemMaxUse=8G + ''; + + services.btrfs.autoScrub = { + enable = true; + fileSystems = ["/"]; + }; + + services.fail2ban = { + enable = true; + ignoreIP = ["10.8.1.0/24" "10.8.2.0/24"]; + }; + networking.useDHCP = false; systemd.network = { networks = { "end2" = { - matchConfig.Name = "end2"; - #networkConfig = { - # DHCP = "ipv6"; - # IPv6AcceptRA = "yes"; - # DHCPPrefixDelegation = "yes"; - #}; - #dhcpPrefixDelegationConfig = { - # UplinkInterface = ":self"; - # SubnetId = 0; - # Announce = "no"; - #}; + matchConfig.Name = "end2"; # Ensure that it is managed by systemd-networkd + networkConfig.IPv6AcceptRA = false; + }; + "pppoe-wan" = { + matchConfig.Name = "pppoe-wan"; + networkConfig = { + BindCarrier = "end2"; + DHCP = "ipv6"; + IPv6AcceptRA = "no"; + DHCPPrefixDelegation = "yes"; + DNS = "1.1.1.1"; + }; + dhcpV6Config = { + PrefixDelegationHint = "::/56"; + UseDNS = "no"; + }; + dhcpPrefixDelegationConfig = { + UplinkInterface = ":self"; + SubnetId = 0; + Announce = "no"; + }; 
linkConfig.RequiredForOnline = "routable"; }; "lan-brlan" = { - matchConfig.Name = "lan[1-4]"; + matchConfig.Name = "lan4"; networkConfig.Bridge = "brlan"; bridgeVLANs = [ { - bridgeVLANConfig = { - EgressUntagged = 1; - PVID = 1; - }; + EgressUntagged = 1; + PVID = 1; } - {bridgeVLANConfig.VLAN = 2;} + {VLAN = 2;} ]; }; - "lan0-guest" = { - matchConfig.Name = "lan0"; + "lan-guest" = { + matchConfig.Name = "lan[0-3]"; networkConfig.Bridge = "brlan"; bridgeVLANs = [ { - bridgeVLANConfig = { - EgressUntagged = 2; - PVID = 2; - }; + EgressUntagged = 2; + PVID = 2; } ]; }; @@ -68,14 +114,22 @@ lcp-echo-interval 1 lcp-echo-failure 5 lcp-echo-adaptive - +ipv6 defaultroute defaultroute6 - usepeerdns + #usepeerdns maxfail 1 user O2 password 02 ''; }; - systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.device"]; + systemd.services."pppd-wan" = { + after = ["sys-subsystem-net-devices-end2.device"]; + partOf = ["systemd-networkd.service"]; + }; + # TODO limit NSS clamping to just pppoe-wan + networking.firewall.extraForwardRules = '' + tcp flags syn tcp option maxseg size set rt mtu comment "Needed for PPPoE to fix IPv4" + iifname {"home", "wg"} oifname {"home", "wg"} accept + iifname "home" oifname "guest" accept comment "Allow home to access guest devices" + ''; } diff --git a/nixos/configurations/adm-omnia2.nix b/nixos/configurations/adm-omnia2.nix index 19ee446..fc5a92d 100644 --- a/nixos/configurations/adm-omnia2.nix +++ b/nixos/configurations/adm-omnia2.nix @@ -1,4 +1,6 @@ {config, ...}: { + system.stateVersion = "24.05"; + turris.board = "omnia"; deploy = { enable = true; 
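Review bot: `staticLeases` and `guestStaticLeases` put client MAC addresses into the repository in clear in the same hunk that moves the access-point BSSIDs out to `config.secrets.wifiMacs`; if MACs are treated as secret for the APs, the lease tables should come from the same place, e.g. `staticLeases = config.secrets.staticLeases.adm;` (constructed option name, adjust to the secrets schema) with the MAC→address map kept alongside the BSSIDs. The `services.fail2ban` block with its `ignoreIP` list is duplicated verbatim in spt-omnia.nix's third hunk and would fit the shared router module instead of each host file. `DNS = "1.1.1.1"` together with `dhcpV6Config.UseDNS = "no"` and the `#usepeerdns` commented out in the next hunk pins the upstream resolver to a third party in clear unless DNS-over-TLS is enabled elsewhere; a one-line comment stating that this is deliberate would save the next reader from re-deriving it.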
@@ -14,13 +16,13 @@ wifiAP.adm = { enable = true; ar9287 = { - interface = "wlp1s0"; - bssids = ["12:f0:21:23:2b:00" "12:f0:21:23:2b:01" "12:f0:21:23:2b:02"]; + interface = "wlp2s0"; + bssids = config.secrets.wifiMacs.adm-omnia2.ar9287; channel = 11; }; qca988x = { - interface = "wlp2s0"; - bssids = ["12:f0:21:23:2b:03" "12:f0:21:23:2b:04" "12:f0:21:23:2b:05"]; + interface = "wlp1s0"; + bssids = config.secrets.wifiMacs.adm-omnia2.qca988x; channel = 36; }; }; @@ -45,12 +47,10 @@ networkConfig.Bridge = "brlan"; bridgeVLANs = [ { - bridgeVLANConfig = { - EgressUntagged = 1; - PVID = 1; - }; + EgressUntagged = 1; + PVID = 1; } - {bridgeVLANConfig.VLAN = 2;} + {VLAN = 2;} ]; }; }; diff --git a/nixos/configurations/albert.nix b/nixos/configurations/albert.nix deleted file mode 100644 index a6a4ee1..0000000 --- a/nixos/configurations/albert.nix +++ /dev/null @@ -1,41 +0,0 @@ -{ - nixpkgs.hostPlatform.system = "x86_64-linux"; - - cynerd = { - desktop = { - enable = true; - laptop = true; - }; - wifiClient = true; - openvpn = { - oldpersonal = true; - }; - }; - - boot.initrd.availableKernelModules = ["xhci_pci" "usb_storage" "sd_mod"]; - - hardware.cpu.intel.updateMicrocode = true; - - fileSystems = { - "/" = { - device = "/dev/disk/by-uuid/1c9bafac-fcf8-41c4-b394-bca5917ca82d"; - fsType = "btrfs"; - options = ["compress=lzo" "subvol=@nix"]; - }; - "/home" = { - device = "/dev/disk/by-uuid/1c9bafac-fcf8-41c4-b394-bca5917ca82d"; - fsType = "btrfs"; - options = ["compress=lzo" "subvol=@home"]; - }; - "/boot" = { - device = "/dev/disk/by-uuid/E403-124B"; - fsType = "vfat"; - }; - - "/home2" = { - device = "/dev/disk/by-uuid/55e177a1-215e-475b-ba9c-771b5fa3f8f0"; - fsType = "btrfs"; - options = ["compress=lzo" "subvol=@home"]; - }; - }; -} diff --git a/nixos/configurations/binky.nix b/nixos/configurations/binky.nix index 6dfb6a5..6111637 100644 --- a/nixos/configurations/binky.nix +++ b/nixos/configurations/binky.nix 
@@ -1,6 +1,11 @@ -{lib, ...}: let +{ + lib, + pkgs, + ... +}: let inherit (lib) mkDefault; in { + system.stateVersion = "24.05"; nixpkgs.hostPlatform.system = "x86_64-linux"; deploy = { enable = true; @@ -75,7 +80,7 @@ in { DHCP = "yes"; IPv6AcceptRA = "yes"; }; - routes = [{routeConfig.Metric = 1088;}]; + routes = [{Metric = 1088;}]; linkConfig.RequiredForOnline = "routable"; }; }; @@ -84,14 +89,8 @@ in { services.syncthing = { enable = true; - user = mkDefault "cynerd"; - group = mkDefault "cynerd"; - openDefaultPorts = true; - - overrideDevices = false; - overrideFolders = false; - dataDir = "/home/cynerd"; - configDir = "/home/cynerd/.config/syncthing"; }; + + environment.systemPackages = [pkgs.heroic]; } diff --git a/nixos/configurations/dean.nix b/nixos/configurations/dean.nix index 187e148..dfb03e1 100644 --- a/nixos/configurations/dean.nix +++ b/nixos/configurations/dean.nix @@ -1,4 +1,5 @@ {pkgs, ...}: { + system.stateVersion = "24.05"; turris.board = "mox"; deploy.enable = true; diff --git a/nixos/configurations/errol.nix b/nixos/configurations/errol.nix index fd348e8..f986631 100644 --- a/nixos/configurations/errol.nix +++ b/nixos/configurations/errol.nix @@ -6,6 +6,7 @@ }: let inherit (lib) mkDefault; in { + system.stateVersion = "24.05"; nixpkgs.hostPlatform.system = "x86_64-linux"; deploy.enable = true; @@ -26,6 +27,7 @@ in { "encroot" = "/dev/disk/by-uuid/7c412ae6-6016-45af-8c2a-8fcc394dbbe6"; "enchdd1" = "/dev/disk/by-uuid/87f16080-5ff6-43dd-89f3-307455a46fbe"; "enchdd2" = "/dev/disk/by-uuid/be4a33fa-8bc6-431d-a3ac-787668f223ed"; + #"encback" = "/dev/disk/by-uuid/1bd8c637-f71e-4fb0-96de-b660c4f1afaf"; }; fileSystems = { "/" = { @@ -53,6 +55,11 @@ in { fsType = "btrfs"; options = ["compress=lzo" "subvol=@home"]; }; + #"/back" = { + # device = "/dev/mapper/encback"; + # fsType = "btrfs"; + # options = ["compress=lzo"]; + #}; }; services.btrfs.autoScrub = { enable = true; 
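Review bot: With `user = mkDefault "cynerd"` and `group = mkDefault "cynerd"` removed from `services.syncthing` in the third hunk, the `inherit (lib) mkDefault;` binding kept as context in the first hunk appears to have no remaining use in this file (unless one exists outside the hunks), and the same applies to errol.nix and ridcully.nix, whose hunks drop the identical lines while keeping their `inherit (lib) mkDefault;`. Dropping the inherit — and the `lib` argument where nothing else uses it — keeps `deadnix`/`statix` quiet and makes each file's real dependencies visible. If the user/group/dataDir defaults moved into a shared module, a short comment in each host file naming that module would tell the reader where the settings went.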
@@ -83,75 +90,42 @@ in { pkgs.nvtopPackages.amd ]; - services.syncthing = { - enable = true; - user = mkDefault "cynerd"; - group = mkDefault "cynerd"; - openDefaultPorts = true; - - overrideDevices = false; - overrideFolders = false; - - dataDir = "/home/cynerd"; - configDir = "/home/cynerd/.config/syncthing"; - }; - - nixpkgs.config.permittedInsecurePackages = ["openssl-1.1.1w"]; # TODO - services.home-assistant = { - enable = true; - openFirewall = true; - configDir = "/var/lib/hass"; - config = { - homeassistant = { - name = "SPT"; - latitude = "!secret latitude"; - longitude = "!secret longitude"; - elevation = "!secret elevation"; - time_zone = "Europe/Prague"; - country = "CZ"; - }; - http.server_port = 8808; - mqtt = { - sensor = import ../modules/home-assistant/sensors.nix; - light = import ../modules/home-assistant/light.nix; - }; - default_config = {}; - automation = "!include automations.yaml"; - }; - extraComponents = ["met"]; - package = pkgs.home-assistant.override { - extraPackages = pkgs: - with pkgs; [ - securetar - pyipp - ]; + ############################################################################## + services = { + syncthing = { + enable = true; + dataDir = "/home/cynerd"; }; - }; - services.zigbee2mqtt = { - enable = true; - settings = { - serial.port = "/dev/serial/by-id/usb-ITEAD_SONOFF_Zigbee_3.0_USB_Dongle_Plus_V2_20220812153849-if00"; - mqtt = { - server = "mqtt://${config.cynerd.hosts.spt.mox}:1883"; - user = "zigbee2mqtt"; - password = "!secret.yaml mqtt_password"; - }; - advanced = { - network_key = "!secret.yaml network_key"; - homeassistant_legacy_entity_attributes = false; - legacy_api = false; - legacy_availability_payload = false; - last_seen = "epoch"; + home-assistant = { + enable = true; + openFirewall = true; + configDir = "/var/lib/hass"; + config = { + homeassistant = { + name = "SPT"; + latitude = "!secret latitude"; + longitude = "!secret longitude"; + elevation = "!secret elevation"; + time_zone = "Europe/Prague"; + 
country = "CZ"; + }; + http.server_port = 8808; + mqtt = { + sensor = import ../home-assistant/sensors.nix; + light = import ../home-assistant/light.nix; + }; + default_config = {}; + automation = "!include automations.yaml"; }; - frontend = true; - availability = true; - homeassistant = { - legacy_triggers = false; + extraComponents = ["met"]; + package = pkgs.home-assistant.override { + extraPackages = pkgs: + with pkgs; [ + securetar + pyipp + ]; }; - device_options.legacy = false; - permit_join = false; - devices = config.secrets.zigbee2mqttDevices; }; }; } diff --git a/nixos/configurations/gaspode.nix b/nixos/configurations/gaspode.nix index 78d8277..5d6d090 100644 --- a/nixos/configurations/gaspode.nix +++ b/nixos/configurations/gaspode.nix @@ -1,4 +1,5 @@ { + system.stateVersion = "25.05"; nixpkgs.hostPlatform.system = "armv7l-linux"; fileSystems = { diff --git a/nixos/configurations/lipwig.nix b/nixos/configurations/lipwig.nix index e6ec96a..5855b6d 100644 --- a/nixos/configurations/lipwig.nix +++ b/nixos/configurations/lipwig.nix @@ -7,6 +7,7 @@ imports = [inputModules.vpsadminos]; config = { + system.stateVersion = "24.05"; nixpkgs.hostPlatform.system = "x86_64-linux"; deploy = { @@ -19,12 +20,14 @@ hw = false; drives = false; }; - syncthing = { - enable = false; - baseDir = "/nas"; - }; wireguard = true; - openvpn.oldpersonal = true; + borgjobs = { + postgresql.dumpCommand = pkgs.writeScript "postgreqsl-backup.sh" '' + /run/wrappers/bin/sudo -u postgres /run/current-system/sw/bin/pg_dumpall + ''; + nextcloud_data.paths = "/nas/nextcloud/data"; + sync_data.paths = "/sync"; + }; }; boot.loader.systemd-boot.enable = false; 
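Review bot: The dump script derivation is named `postgreqsl-backup.sh` (transposed letters), and that name lands in the store path and in the borg job's output, so it is worth fixing before it becomes a grep trap: `postgresql.dumpCommand = pkgs.writeScript "postgresql-backup.sh" ''`. The script resolves `pg_dumpall` through `/run/current-system/sw/bin`, which only works while the postgres package is in `environment.systemPackages`; `${config.services.postgresql.package}/bin/pg_dumpall` follows the configured server version directly. Note also that `pg_dumpall` output includes role password hashes, which matters for how the target repository is encrypted in backup.nix.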
@@ -33,27 +36,16 @@ "/nas" = { device = "172.16.128.63:/nas/2682"; fsType = "nfs"; + options = [ + "_netdev" + "x-systemd.automount" + ]; }; "/nas/nextcloud-sync" = { - device = "/nas/sync"; + device = "/sync"; fsType = "fuse.bindfs"; options = ["map=syncthing/nextcloud:@syncthing/@nextcloud"]; }; - "/nas/spt" = { - device = "nas@omnia.spt:/data/nas"; - fsType = "fuse.sshfs"; - options = [ - "noauto" - "x-systemd.automount" - "_netdev" - "reconnect" - "identityfile=/run/secrets/nas.ssh.priv" - "allow_other" - "idmap=user" - "uid=nextcloud" - "gid=nextcloud" - ]; - }; }; networking = { @@ -104,8 +96,8 @@ root = "${pkgs.cgit}/cgit"; locations."/".tryFiles = "$uri @cgit"; locations."@cgit".extraConfig = '' + fastcgi_pass unix:${config.services.fcgiwrap.instances.cgit.socket.address}; fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi; - fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; fastcgi_param PATH_INFO $uri; fastcgi_param QUERY_STRING $args; fastcgi_param HTTP_HOST $server_name; 
@@ -115,28 +107,42 @@ forceSSL = true; useACMEHost = "cynerd.cz"; }; + "office.cynerd.cz" = { + forceSSL = true; + useACMEHost = "cynerd.cz"; + }; "grafana.cynerd.cz" = { forceSSL = true; useACMEHost = "cynerd.cz"; locations."/" = { - proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}/"; - extraConfig = "proxy_set_header Host $host;"; + proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}"; proxyWebsockets = true; + recommendedProxySettings = true; }; }; + "searx.cynerd.cz" = { + forceSSL = true; + useACMEHost = "cynerd.cz"; + locations."/".extraConfig = '' + uwsgi_pass "unix:///run/searx/searx.sock"; + include ${config.services.nginx.package}/conf/uwsgi_params; + ''; + }; }; }; - services.fcgiwrap = { - enable = true; - inherit (config.services.nginx) group; + services.fcgiwrap.instances.cgit = { + process.user = "git"; + socket = {inherit (config.services.nginx) user group;}; }; security.acme = { acceptTerms = true; defaults.email = "cynerd+acme@email.cz"; certs."cynerd.cz".extraDomainNames = [ - "git.cynerd.cz" "cloud.cynerd.cz" + "office.cynerd.cz" + "git.cynerd.cz" "grafana.cynerd.cz" + "searx.cynerd.cz" ]; }; @@ -193,7 +199,7 @@ # Nextcloud ################################################################ services.nextcloud = { enable = true; - package = pkgs.nextcloud28; + package = pkgs.nextcloud31; https = true; hostName = "cloud.cynerd.cz"; datadir = "/nas/nextcloud"; 
@@ -202,11 +208,25 @@ adminpassFile = "/run/secrets/nextcloud.admin.pass"; dbtype = "pgsql"; dbhost = "/run/postgresql"; - dbtableprefix = "oc_"; }; settings = { #log_type = "systemd"; + default_locale = "CZ"; default_phone_region = "CZ"; + default_timezone = "Europe/Prague"; + enabledPreviewProviders = [ + "OC\\Preview\\BMP" + "OC\\Preview\\GIF" + "OC\\Preview\\JPEG" + "OC\\Preview\\Krita" + "OC\\Preview\\MarkDown" + "OC\\Preview\\MP3" + "OC\\Preview\\OpenDocument" + "OC\\Preview\\PNG" + "OC\\Preview\\TXT" + "OC\\Preview\\XBitmap" + "OC\\Preview\\HEIC" + ]; }; phpExtraExtensions = php: [php.pgsql php.pdo_pgsql]; phpOptions = { 
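Review bot: `default_locale = "CZ"` looks like a country code where Nextcloud expects a locale identifier (its sample config uses the `en_US` form), so this is most likely meant to be `default_locale = "cs_CZ";` — `default_phone_region = "CZ"` is the setting that takes a bare country code. Dropping `dbtableprefix = "oc_"` is a no-op only if the existing schema already uses the default prefix; worth confirming against the running database before the next deploy, since the prefix is baked into table names.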
@@ -225,58 +245,146 @@ forms groupfolders impersonate - maps memories notes + onlyoffice phonetrack previewgenerator spreed tasks - twofactor_nextcloud_notification twofactor_webauthn ; # Additional modules can be fetched with: - # NEXTCLOUD_VERSIONS=28 nix run nixpkgs#nc4nix -- -apps "passwords,integration_homeassistant,integration_github,integration_gitlab" - passwords = pkgs.fetchNextcloudApp { - url = "https://git.mdns.eu/api/v4/projects/45/packages/generic/passwords/2024.2.0/passwords.tar.gz"; - sha256 = "0s5z6pxkcwmhlbzy9s2g0s05n1iqjmxr2jqxz7ayklin9kcgr3h7"; - license = "gpl3"; - }; + # NEXTCLOUD_VERSIONS=30 nix run nixpkgs#nc4nix -- -apps "passwords,money,integration_github,integration_gitlab" integration_github = pkgs.fetchNextcloudApp { - url = "https://github.com/nextcloud-releases/integration_github/releases/download/v2.0.6/integration_github-v2.0.6.tar.gz"; - sha256 = "0rjdlsalayb21nmh3j5bl42dcbavxka2r5g9csagz7vc9dl0qrw6"; - license = "gpl3"; + url = "https://github.com/nextcloud-releases/integration_github/releases/download/v3.1.1/integration_github-v3.1.1.tar.gz"; + hash = "sha256-nm463H33WyXTJkb7+OSsunARNuSl5nc3uGClgwkVvhM="; + license = "agpl3Plus"; }; integration_gitlab = pkgs.fetchNextcloudApp { - url = "https://github.com/nextcloud-releases/integration_gitlab/releases/download/v1.0.18/integration_gitlab-v1.0.18.tar.gz"; - sha256 = "13vlbr7sigqrh480a9zp7zl9nbzb4pk8m1zzlqv9lkzj3zywp7mi"; - license = "gpl3"; + url = "https://github.com/nextcloud-releases/integration_gitlab/releases/download/v3.1.2/integration_gitlab-v3.1.2.tar.gz"; + hash = "sha256-nCH0DqYmr4T856sOU5PhSK6WAHIF9mnYThgytxEbkNA="; + license = "agpl3Plus"; + }; + money = pkgs.fetchNextcloudApp { + url = "https://github.com/powerpaul17/nc_money/releases/download/v0.30.0/money.tar.gz"; + hash = "sha256-4gHm6sF9S+1G1naRTr+eR8ZyjCpB3viXTzRCNQFUtF0="; + license = "agpl3Plus"; + }; + passwords = pkgs.fetchNextcloudApp { + url = 
"https://git.mdns.eu/api/v4/projects/45/packages/generic/passwords/2025.5.1/passwords.tar.gz"; + hash = "sha256-v4IVpqbTN3TKORESFX+sJsiSrLkUc0b5Stj8CmznSIw="; + license = "agpl3Plus"; + }; + maps = pkgs.fetchNextcloudApp { + url = "https://github.com/nextcloud/maps/releases/download/v1.6.0-3-nightly/maps-1.6.0-3-nightly.tar.gz"; + hash = "sha256-E0S/CwXyye19lcuiONEQCyHJqlL0ZG1A9Q7oOTEZH1g="; + license = "agpl3Plus"; }; }; }; + # OnlyOffice ############################################################### + services.onlyoffice = { + enable = true; + hostname = "office.cynerd.cz"; + }; # Postgresql ############################################################### services.postgresql = { enable = true; ensureUsers = [ + {name = "cynerd";} { name = "nextcloud"; ensureDBOwnership = true; } ]; ensureDatabases = ["nextcloud"]; + #extraPlugins = ps: with ps; [timescaledb]; }; - # Old Syncthing ############################################################ - services.syncthing = { + # SearX #################################################################### + services.searx = { enable = true; - openDefaultPorts = true; - - overrideDevices = false; - overrideFolders = false; + environmentFile = "/run/secrets/searx.env"; + settings = { + server.secret_key = "@SEARX_SECRET_KEY@"; + search = { + autocomplete = "google"; + autocomplete_min = 2; + }; + ui = { + query_in_title = true; + infinite_scroll = true; + center_alignment = true; + hotkeys = "vim"; + }; + engines = [ + { + name = "seznam"; + disabled = false; + } + { + name = "material icons"; + disabled = false; + } + { + name = "svgrepo"; + disabled = false; + } + { + name = "peertube"; + disabled = false; + } + { + name = "lib.rs"; + disabled = false; + } + { + name = "gitlab"; + disabled = false; + } + { + name = "sourcehut"; + disabled = false; + } + { + name = "free software directory"; + disabled = false; + } + { + name = "cppreference"; + disabled = false; + } + { + name = "searchcode code"; + disabled = false; + } + { + 
name = "imdb"; + disabled = false; + } + { + name = "tmdb"; + disabled = false; + } + ]; + }; + runInUwsgi = true; + uwsgiConfig = { + socket = "/run/searx/searx.sock"; + chmod-socket = "660"; + }; + redisCreateLocally = true; + }; + users.groups.searx.members = ["nginx"]; - dataDir = "/nas/sync"; - configDir = "/nas/sync/.syncthing"; + # Syncthing ################################################################ + services.syncthing = { + enable = true; + user = "syncthing"; + group = "syncthing"; + dataDir = "/sync"; }; }; } diff --git a/nixos/configurations/ridcully.nix b/nixos/configurations/ridcully.nix index 66daf1b..0b2705c 100644 --- a/nixos/configurations/ridcully.nix +++ b/nixos/configurations/ridcully.nix @@ -5,6 +5,7 @@ }: let inherit (lib) mkDefault; in { + system.stateVersion = "24.05"; nixpkgs.hostPlatform.system = "x86_64-linux"; deploy.enable = true; @@ -26,6 +27,7 @@ in { cynerd.autounlock = { "encroot" = "/dev/disk/by-uuid/bc7d2ba4-6e04-4c49-b40c-3aecd1a86c71"; "enchdd" = "/dev/disk/by-uuid/7fee3cda-efa0-47cd-8832-fdead9a7e6db"; + "encback" = "/dev/disk/by-uuid/b426cbe7-fba2-473b-90f9-9ebe3e34b76e"; }; fileSystems = { "/" = { @@ -48,16 +50,24 @@ in { fsType = "btrfs"; options = ["compress=lzo" "subvol=@home"]; }; + "/back" = { + device = "/dev/mapper/encback"; + fsType = "btrfs"; + options = ["compress=lzo"]; + }; }; services.btrfs.autoScrub = { enable = true; fileSystems = ["/" "/home2"]; }; - #networking.vlans."enp6s0.adm" = { - #id = 2; - #interface = "enp6s0"; - #}; + networking = { + useNetworkd = true; + useDHCP = true; + }; + systemd.network = { + wait-online.enable = false; + }; environment.systemPackages = [ pkgs.nvtopPackages.amd @@ -65,15 +75,7 @@ in { services.syncthing = { enable = true; - user = mkDefault "cynerd"; - group = mkDefault "cynerd"; - openDefaultPorts = true; - - overrideDevices = false; - overrideFolders = false; - dataDir = "/home/cynerd"; - configDir = "/home/cynerd/.config/syncthing"; }; # Force nix to use less jobs 
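Review bot: The `engines` list spells out the same `{name = …; disabled = false;}` record twelve times; `engines = map (name: {inherit name; disabled = false;}) ["seznam" "material icons" "svgrepo" "peertube" "lib.rs" "gitlab" "sourcehut" "free software directory" "cppreference" "searchcode code" "imdb" "tmdb"];` is equivalent and makes adding an engine a one-word change. `search.autocomplete = "google"` forwards every partial query to Google even though the instance presumably exists to avoid exactly that; if the trade-off is intended, a comment saying so stops the next reviewer from flagging it. The `@SEARX_SECRET_KEY@` placeholder plus `environmentFile` is the right way to keep the key out of the store, and `chmod-socket = "660"` lines up with adding `nginx` to the `searx` group in the same hunk.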
diff --git a/nixos/configurations/spt-mox.nix b/nixos/configurations/spt-mox.nix index 4e29bca..8af976c 100644 --- a/nixos/configurations/spt-mox.nix +++ b/nixos/configurations/spt-mox.nix @@ -1,12 +1,17 @@ -{config, ...}: { +{ + config, + pkgs, + ... +}: { + system.stateVersion = "24.05"; turris.board = "mox"; deploy = { enable = true; ssh.host = "mox.spt"; + configurationLimit = 8; }; cynerd = { - home-assistant = true; monitoring.drives = false; switch = { enable = true; @@ -17,19 +22,21 @@ enable = true; qca988x = { interface = "wlp1s0"; - bssids = ["04:f0:21:24:24:d2" "08:f0:21:24:24:d2"]; + bssids = config.secrets.wifiMacs.spt-mox.qca988x; channel = 7; }; }; }; - services.journald.extraConfig = '' - SystemMaxUse=512M - ''; + services = { + journald.extraConfig = '' + SystemMaxUse=512M + ''; - services.btrfs.autoScrub = { - enable = true; - fileSystems = ["/"]; + btrfs.autoScrub = { + enable = true; + fileSystems = ["/"]; + }; }; networking = { 
@@ -42,13 +49,126 @@ networkConfig.Bridge = "brlan"; bridgeVLANs = [ { - bridgeVLANConfig = { - EgressUntagged = 1; - PVID = 1; + EgressUntagged = 1; + PVID = 1; + } + {VLAN = 2;} + ]; + }; + }; + + ############################################################################## + networking.firewall.allowedTCPPorts = [ + 1883 # Mosquitto + ]; + services = { + mosquitto = { + enable = true; + listeners = [ + { + users = { + cynerd = { + acl = ["readwrite #"]; + passwordFile = "/run/secrets/mosquitto.cynerd.pass"; + }; + telegraf = { + acl = ["read bigclown/node/#"]; + passwordFile = "/run/secrets/mosquitto.telegraf.pass"; + }; + homeassistant = { + acl = [ + "readwrite homeassistant/#" + "readwrite bigclown/#" + "readwrite zigbee2mqtt/#" + ]; + passwordFile = "/run/secrets/mosquitto.homeassistant.pass"; + }; + bigclown = { + acl = ["readwrite bigclown/#"]; + passwordFile = "/run/secrets/mosquitto.bigclown.pass"; + }; + zigbee2mqtt = { + acl = [ + "readwrite homeassistant/#" + "readwrite zigbee2mqtt/#" + ]; + passwordFile = "/run/secrets/mosquitto.zigbee2mqtt.pass"; + }; }; } - {bridgeVLANConfig.VLAN = 2;} ]; }; + + telegraf.extraConfig = { + outputs.influxdb_v2 = [ + { + urls = ["http://cynerd.cz:8086"]; + token = "$INFLUX_TOKEN"; + organization = "personal"; + bucket = "bigclown"; + tagpass.source = ["bigclown"]; + } + ]; + inputs.mqtt_consumer = let + consumer = data_type: topics: { + tags = {source = "bigclown";}; + servers = ["tcp://localhost:1883"]; + inherit topics; + username = "telegraf"; + password = "$MQTT_PASSWORD"; + data_format = "value"; + inherit data_type; + topic_parsing = [ + { + topic = "bigclown/node/+/+/+/+"; + measurement = "_/_/_/_/_/measurement"; + tags = "_/_/device/field/_/_"; + } + ]; + }; + in [ + (consumer "float" [ + "bigclown/node/+/battery/+/voltage" + "bigclown/node/+/thermometer/+/temperature" + "bigclown/node/+/hygrometer/+/relative-humidity" + "bigclown/node/+/lux-meter/+/illuminance" + "bigclown/node/+/barometer/+/pressure" + 
"bigclown/node/+/pir/+/event-count" + "bigclown/node/+/push-button/+/event-count" + ]) + (consumer "boolean" [ + "bigclown/node/+/flood-detector/+/alarm" + ]) + ]; + processors.pivot = [ + { + tag_key = "field"; + value_key = "value"; + tagpass.source = ["bigclown"]; + } + ]; + }; + + bcg = { + enable = true; + device = "/dev/ttyUSB0"; + baseTopicPrefix = "bigclown/"; + environmentFiles = ["/run/secrets/bigclown.env"]; + mqtt = { + username = "bigclown"; + password = "\${MQTT_PASSWORD}"; + }; + }; + }; + + systemd.services = { + telegraf.wants = ["mosquitto.service"]; + + bigclown-leds = { + description = "Bigclown LEDs control"; + wantedBy = ["multi-user.target"]; + wants = ["mosquitto.service"]; + serviceConfig.ExecStart = "${pkgs.bigclown-leds}/bin/bigclown-leds /run/secrets/bigclown-leds.ini"; + }; }; } diff --git a/nixos/configurations/spt-mox2.nix b/nixos/configurations/spt-mox2.nix index 9ffde96..fd2c074 100644 --- a/nixos/configurations/spt-mox2.nix +++ b/nixos/configurations/spt-mox2.nix @@ -1,4 +1,5 @@ {config, ...}: { + system.stateVersion = "24.05"; turris.board = "mox"; deploy = { enable = true; @@ -16,7 +17,7 @@ enable = true; qca988x = { interface = "wlp1s0"; - bssids = ["04:f0:21:45:d3:47" "08:f0:21:45:d3:47"]; + bssids = config.secrets.wifiMacs.spt-mox2.qca988x; channel = 1; }; }; @@ -41,12 +42,10 @@ networkConfig.Bridge = "brlan"; bridgeVLANs = [ { - bridgeVLANConfig = { - EgressUntagged = 1; - PVID = 1; - }; + EgressUntagged = 1; + PVID = 1; } - {bridgeVLANConfig.VLAN = 2;} + {VLAN = 2;} ]; }; }; diff --git a/nixos/configurations/spt-mpd.nix b/nixos/configurations/spt-mpd.nix index b212932..1849d9b 100644 --- a/nixos/configurations/spt-mpd.nix +++ b/nixos/configurations/spt-mpd.nix @@ -2,6 +2,7 @@ imports = [inputModules.nixos-hardware.raspberry-pi-2]; config = { + system.stateVersion = "24.05"; nixpkgs.hostPlatform.system = "armv7l-linux"; fileSystems = { 
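Review bot: `outputs.influxdb_v2` posts to `http://cynerd.cz:8086`, so `$INFLUX_TOKEN` and every measurement leave this host in clear over whatever path reaches that name; unless cynerd.cz resolves to a WireGuard peer address on this router, the URL should be `https://cynerd.cz:8086` with TLS terminated in front of InfluxDB. The mosquitto listener sets no `address`, and `networking.firewall.allowedTCPPorts = [1883]` opens it on every interface, which includes the VLAN-2 side of `brlan` if VLAN 2 is the guest network here as on the omnias; `networking.firewall.interfaces.<lan>.allowedTCPPorts` or a listener `address` bound to the LAN IP keeps the password-authenticated but unencrypted broker off guest devices. `bigclown-leds` runs as root because no `serviceConfig.User`/`DynamicUser` is set, which may be required for the serial device but deserves a comment if so.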
diff --git a/nixos/configurations/spt-omnia.nix b/nixos/configurations/spt-omnia.nix index e97f29f..1809b2a 100644 --- a/nixos/configurations/spt-omnia.nix +++ b/nixos/configurations/spt-omnia.nix @@ -1,14 +1,11 @@ -{ - config, - pkgs, - ... -}: let +{config, ...}: let hosts = config.cynerd.hosts.spt; in { + system.stateVersion = "24.05"; turris.board = "omnia"; deploy = { enable = true; - ssh.host = "omnia.spt"; + ssh.host = "spt.cynerd.cz"; }; cynerd = { @@ -28,12 +25,12 @@ in { enable = true; ar9287 = { interface = "wlp1s0"; - bssids = ["04:f0:21:24:21:93" "08:f0:21:24:21:93"]; + bssids = config.secrets.wifiMacs.spt-omnia.ar9287; channel = 11; }; qca988x = { - interface = "wlp3s0"; - bssids = ["04:f0:21:23:16:64" "08:f0:21:23:16:64"]; + interface = "wlp2s0"; + bssids = config.secrets.wifiMacs.spt-omnia.qca988x; channel = 36; }; }; 
@@ -45,71 +42,15 @@ in { SystemMaxUse=8G ''; - environment = { - etc.crypttab.text = '' - nas UUID=3472bef9-cbae-48bd-873e-fd4858a0b72f /run/secrets/luks-spt-omnia-nas.key luks - nassec UUID=016e9e75-bbc8-4b24-8bb7-c800c8f6a500 /run/secrets/luks-spt-omnia-nas.key luks - ''; - systemPackages = with pkgs; [ - cryptsetup - ]; - }; - fileSystems = { - "/data" = { - device = "/dev/mapper/nas"; - fsType = "btrfs"; - options = ["compress=lzo" "subvol=@data" "nofail"]; - }; - "/srv" = { - device = "/dev/mapper/nas"; - fsType = "btrfs"; - options = ["compress=lzo" "subvol=@srv" "nofail"]; - depends = ["/data"]; - }; - }; services.btrfs.autoScrub = { enable = true; - fileSystems = ["/" "/data"]; + fileSystems = ["/"]; }; - services.udev.packages = [ - (pkgs.writeTextFile rec { - name = "queue_depth_sata.rules"; - destination = "/etc/udev/rules.d/50-${name}"; - text = '' - SUBSYSTEMS=="pci", DRIVER=="ahci", ATTR{device}!="0x0612", GOTO="turris_pci_end" - ACTION=="add|change", SUBSYSTEM=="scsi", ATTR{vendor}=="ATA", ATTR{queue_depth}="1" - LABEL="turris_pci_end" - ''; - }) - ]; - users = { - groups.nas = {}; - users = { - nas = { - group = "nas"; - openssh.authorizedKeys.keyFiles = [ - (config.personal-secrets + "/unencrypted/nas.pub") - (config.personal-secrets + "/unencrypted/nas-spt.pub") - ]; - isNormalUser = true; - home = "/data/nas"; - homeMode = "770"; - }; - cynerd.extraGroups = ["nas"]; - }; - }; - services.openssh = { - settings.Macs = ["hmac-sha2-256"]; # Allow sha2-256 for Nexcloud access - extraConfig = '' - Match User nas - X11Forwarding no - AllowTcpForwarding no - AllowAgentForwarding no - ForceCommand internal-sftp -d /data/nas - ''; + services.fail2ban = { + enable = true; + ignoreIP = ["10.8.1.0/24" "10.8.2.0/24"]; }; - services.fail2ban.enable = true; networking.useDHCP = false; systemd.network = { 
@@ -156,12 +97,10 @@ in { networkConfig.Bridge = "brlan"; bridgeVLANs = [ { - bridgeVLANConfig = { - EgressUntagged = 1; - PVID = 1; - }; + EgressUntagged = 1; + PVID = 1; } - {bridgeVLANConfig.VLAN = 2;} + {VLAN = 2;} ]; }; }; @@ -183,20 +122,43 @@ in { password metronet ''; }; - systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.848.device"]; + systemd.services."pppd-wan" = { + after = ["sys-subsystem-net-devices-end2.848.device"]; + partOf = ["systemd-networkd.service"]; + }; # TODO limit NSS clamping to just pppoe-wan networking.firewall.extraForwardRules = '' tcp flags syn tcp option maxseg size set rt mtu comment "Needed for PPPoE to fix IPv4" - iifname {"home", "personalvpn", "wg"} oifname {"home", "personalvpn", "wg"} accept + iifname {"home", "wg"} oifname {"home", "wg"} accept ''; - services.syncthing = { - enable = false; - openDefaultPorts = true; - - overrideDevices = false; - overrideFolders = false; - - dataDir = "/data"; # TODO this can't be the location + ############################################################################## + services = { + zigbee2mqtt = { + enable = true; + settings = { + serial.port = "/dev/serial/by-id/usb-ITEAD_SONOFF_Zigbee_3.0_USB_Dongle_Plus_V2_20220812153849-if00"; + mqtt = { + server = "mqtt://${config.cynerd.hosts.spt.mox}:1883"; + user = "zigbee2mqtt"; + password = "!secret.yaml mqtt_password"; + }; + advanced = { + network_key = "!secret.yaml network_key"; + homeassistant_legacy_entity_attributes = false; + legacy_api = false; + legacy_availability_payload = false; + last_seen = "epoch"; + }; + frontend = true; + availability = true; + homeassistant = { + legacy_triggers = false; + }; + device_options.legacy = false; + permit_join = false; + devices = config.secrets.zigbee2mqttDevices; + }; + }; }; } diff --git a/nixos/modules/home-assistant/light.nix b/nixos/home-assistant/light.nix index a9d158b..a9d158b 100644 --- a/nixos/modules/home-assistant/light.nix +++ b/nixos/home-assistant/light.nix 
diff --git a/nixos/modules/home-assistant/sensors.nix b/nixos/home-assistant/sensors.nix index fadd4eb..fadd4eb 100644 --- a/nixos/modules/home-assistant/sensors.nix +++ b/nixos/home-assistant/sensors.nix diff --git a/nixos/modules/backup.nix b/nixos/modules/backup.nix new file mode 100644 index 0000000..3f5042b --- /dev/null +++ b/nixos/modules/backup.nix @@ -0,0 +1,63 @@ +{ + config, + lib, + ... +}: let + inherit (builtins) elem readFile readDir; + inherit (lib) mkOption types mkIf hasSuffix removeSuffix hasAttr filterAttrs mapAttrs mapAttrs' nameValuePair mergeAttrsList recursiveUpdate; + + servers = ["ridcully"]; # TODO "errol" + clients = + mapAttrs' (fname: _: + nameValuePair (removeSuffix ".pub" fname) + (readFile (config.personal-secrets + "/unencrypted/backup/${fname}"))) + (filterAttrs (n: v: v == "regular" && hasSuffix ".pub" n) + (readDir (config.personal-secrets + "/unencrypted/backup"))); + edpersonal = readFile (config.personal-secrets + "/unencrypted/edpersonal.pub"); +in { + options.cynerd = { + borgjobs = mkOption { + type = with types; attrsOf anything; + description = "Job to be backed up for this "; + }; + }; + + config = { + services.borgbackup = { + repos = mkIf (elem config.networking.hostName servers) ( + mapAttrs (name: key: { + path = "/back/${name}"; + authorizedKeys = [key edpersonal]; + allowSubRepos = true; + }) + clients + ); + + jobs = mkIf (hasAttr config.networking.hostName clients) (mergeAttrsList + (map (server: (mapAttrs' (n: v: + nameValuePair "${server}-${n}" + (recursiveUpdate + (recursiveUpdate { + encryption.mode = "none"; + prune = { + keep = { + daily = 7; + weekly = 4; + monthly = -1; + }; + prefix = n; + }; + } + v) + { + repo = "borg@${server}:./${n}"; + environment = { + BORG_RSH = "ssh -i /run/secrets/borgbackup.key"; + }; + archiveBaseName = null; + })) + config.cynerd.borgjobs)) + servers)); + }; + }; +} diff --git a/nixos/modules/bcg.nix b/nixos/modules/bcg.nix deleted file mode 100644 index 3146c15..0000000 
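Review bot: `encryption.mode = "none"` in the shared job defaults means every client's archives are stored in plaintext under `/back/<name>` on the backup server, readable by anyone holding that client's key or `edpersonal`, and lipwig's jobs include a full `pg_dumpall`; if unencrypted repos are deliberate because the volume sits on the `encback` LUKS device, say so in a comment, otherwise `encryption.mode = "repokey"` with `encryption.passCommand` reading `/run/secrets/<placeholder>` keeps the server from seeing contents. The option description `"Job to be backed up for this "` is cut off; something like `description = "Borg backup jobs this host pushes to every backup server; merged with the shared prune/encryption defaults.";` documents the actual behaviour. `type = with types; attrsOf anything` accepts any value, so a typo such as `path` instead of `paths` is only caught when borg runs; `attrsOf (attrsOf anything)` at least enforces the one level of structure the jobs need. `monthly = -1` keeps every monthly archive forever, which is borg's documented semantics but worth a `# -1 = keep all` comment next to it.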
--- a/nixos/modules/bcg.nix
+++ /dev/null
@@ -1,167 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -with lib; let - cfg = config.services.bcg; - configFile = (pkgs.formats.yaml {}).generate "bcg.conf.yaml" ( - filterAttrsRecursive (_: v: v != null) { - inherit (cfg) device name mqtt; - retain_node_messages = cfg.retainNodeMessages; - qos_node_messages = cfg.qosNodeMessages; - base_topic_prefix = cfg.baseTopicPrefix; - automatic_remove_kit_from_names = cfg.automaticRemoveKitFromNames; - automatic_rename_kit_nodes = cfg.automaticRenameKitNodes; - automatic_rename_generic_nodes = cfg.automaticRenameGenericNodes; - automatic_rename_nodes = cfg.automaticRenameNodes; - } - ); -in { - options = { - services.bcg = { - enable = mkEnableOption "BigClown gateway"; - package = mkPackageOption pkgs ["python3Packages" "bcg"] {}; - environmentFiles = mkOption { - type = types.listOf types.path; - default = []; - example = ["/run/keys/bcg.env"]; - description = '' - File to load as environment file. Environment variables from this file - will be interpolated into the config file using envsubst with this - syntax: `$ENVIRONMENT` or `''${VARIABLE}`. - This is useful to avoid putting secrets into the nix store. - ''; - }; - verbose = mkOption { - type = types.enum ["CRITICAL" "ERROR" "WARNING" "INFO" "DEBUG"]; - default = "WARNING"; - description = "Verbosity level."; - }; - device = mkOption { - type = types.str; - description = "Device name to configure gateway to use."; - }; - name = mkOption { - type = with types; nullOr str; - default = null; - description = '' - Name for the device. - - Supported variables: - * `{ip}` IP address - * `{id}` The ID of the connected usb-dongle or core-module - - `null` can be used for automatic detection from gateway firmware. 
- ''; - }; - mqtt = { - host = mkOption { - type = types.str; - default = "127.0.0.1"; - description = "Host where MQTT server is running."; - }; - port = mkOption { - type = types.port; - default = 1883; - description = "Port of MQTT server."; - }; - username = mkOption { - type = with types; nullOr str; - default = null; - description = "MQTT server access username."; - }; - password = mkOption { - type = with types; nullOr str; - default = null; - description = "MQTT server access password."; - }; - cafile = mkOption { - type = with types; nullOr str; - default = null; - description = "Certificate Authority file for MQTT server access."; - }; - certfile = mkOption { - type = with types; nullOr str; - default = null; - description = "Certificate file for MQTT server access."; - }; - keyfile = mkOption { - type = with types; nullOr str; - default = null; - description = "Key file for MQTT server access."; - }; - }; - retainNodeMessages = mkOption { - type = types.bool; - default = false; - description = "Specify that node messages should be retaied in MQTT broker."; - }; - qosNodeMessages = mkOption { - type = types.int; - default = 1; - description = "Set the guarantee of MQTT message delivery."; - }; - baseTopicPrefix = mkOption { - type = types.str; - default = ""; - description = "Topic prefix added to all MQTT messages."; - }; - automaticRemoveKitFromNames = mkOption { - type = types.bool; - default = true; - description = "Automatically remove kits."; - }; - automaticRenameKitNodes = mkOption { - type = types.bool; - default = true; - description = "Automatically rename kit's nodes."; - }; - automaticRenameGenericNodes = mkOption { - type = types.bool; - default = true; - description = "Automatically rename generic nodes."; - }; - automaticRenameNodes = mkOption { - type = types.bool; - default = true; - description = "Automatically rename all nodes."; - }; - rename = mkOption { - type = with types; attrsOf str; - default = {}; - description = "Rename nodes 
to different name."; - }; - }; - }; - - config = mkIf cfg.enable { - environment.systemPackages = with pkgs; [ - python3Packages.bcg - python3Packages.bch - ]; - - systemd.services.bcg = let - envConfig = cfg.environmentFiles != []; - finalConfig = - if envConfig - then "$RUNTIME_DIRECTORY/bcg.config.yaml" - else configFile; - in { - description = "BigClown Gateway"; - wantedBy = ["multi-user.target"]; - wants = ["network-online.target"] ++ lib.optional config.services.mosquitto.enable "mosquitto.service"; - after = ["network-online.target"]; - preStart = '' - umask 077 - ${pkgs.envsubst}/bin/envsubst -i "${configFile}" -o "${finalConfig}" - ''; - serviceConfig = { - EnvironmentFile = cfg.environmentFiles; - ExecStart = "${cfg.package}/bin/bcg -c ${finalConfig} -v ${cfg.verbose}"; - RuntimeDirectory = "bcg"; - }; - }; - }; -} diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix index 6bc0d70..d45cb0a 100644 --- a/nixos/modules/default.nix +++ b/nixos/modules/default.nix @@ -17,6 +17,5 @@ in // { default = { imports = attrValues modules ++ default_modules; - disabledModules = ["services/misc/bcg.nix"]; }; } diff --git a/nixos/modules/desktop.nix b/nixos/modules/desktop.nix index 0c8f287..06c8215 100644 --- a/nixos/modules/desktop.nix +++ b/nixos/modules/desktop.nix @@ -24,9 +24,9 @@ in { config = mkIf cnf.enable { hardware = { - opengl = { - driSupport = true; - driSupport32Bit = true; + graphics = { + enable = true; + enable32Bit = true; }; bluetooth.enable = mkIf cnf.laptop true; }; @@ -37,7 +37,7 @@ in { wrapperFeatures.gtk = true; extraPackages = with pkgs; [ - gnome.dconf-editor + dconf-editor glib gsettings-desktop-schemas sysstat @@ -49,7 +49,7 @@ in { myswaylock alacritty - gnome.nautilus + nautilus kanshi wdisplays 
@@ -70,18 +70,15 @@ in { msmtp notmuch astroid - taskwarrior - vdirsyncer - #khal - #khard + dodo + taskwarrior3 gnupg pinentry-gnome3 pinentry-curses (pass.withExtensions (exts: [ exts.pass-otp - #exts.pass-audit + exts.pass-audit ])) - nextcloud-client chromium ferdium @@ -105,16 +102,16 @@ in { id3lib vlc mpv - youtube-dl + yt-dlp spotify nordic nordzy-cursor-theme nordzy-icon-theme - gnome.adwaita-icon-theme + adwaita-icon-theme vanilla-dmz sound-theme-freedesktop - gnome.gnome-characters + gnome-characters gucharmap (sdcv.withDictionaries [stardict-en-cz stardict-de-cz stardict-cz]) @@ -124,8 +121,8 @@ in { tigervnc freerdp - plasma5Packages.kdeconnect-kde + gnome-firmware hdparm ethtool multipath-tools @@ -143,27 +140,26 @@ in { gimp inkscape blender - kdenlive + tenacity + #kdePackages.kdenlive # GStreamer - gst_all_1.gst-libav - gst_all_1.gst-plugins-bad + gst_all_1.gstreamer gst_all_1.gst-plugins-base gst_all_1.gst-plugins-good + gst_all_1.gst-plugins-bad gst_all_1.gst-plugins-ugly - gst_all_1.gst-plugins-viperfx + gst_all_1.gst-plugins-rs + gst_all_1.gst-libav + gst_all_1.gst-vaapi # Writing typst - typst-fmt + typstfmt typst-live - typst-lsp + tinymist vale - # Gnome utils - gnome-firmware - #gaphor - # CAD freecad kicad @@ -203,6 +199,8 @@ in { enableSSHSupport = true; enableBrowserSocket = true; }; + + kdeconnect.enable = true; }; xdg = { @@ -248,9 +246,15 @@ in { alsa.enable = true; alsa.support32Bit = true; pulse.enable = true; - extraConfig.pipewire."10-zeroconf" = { - "context.modules" = [{name = "libpipewire-module-zeroconf-discover";}]; - }; + configPackages = [ + (pkgs.writeTextDir "share/pipewire/pipewire.conf.d/10-zeroconf-discover.conf" '' + context.modules = [ + { name = libpipewire-module-zeroconf-discover + args = { } + } + ] + '') + ]; }; upower.enable = true; 
@@ -275,6 +279,12 @@ in { davfs2.enable = true; locate.enable = true; + + gnome = { + at-spi2-core.enable = true; + gnome-keyring.enable = true; + gnome-online-accounts.enable = true; + }; }; # Beneficial for Pipewire @@ -287,7 +297,7 @@ in { }; fonts.packages = with pkgs; [ - (nerdfonts.override {fonts = ["Hack"];}) + nerd-fonts.hack arkpandora_ttf corefonts dejavu_fonts diff --git a/nixos/modules/develop.nix b/nixos/modules/develop.nix index a18c7ac..6444473 100644 --- a/nixos/modules/develop.nix +++ b/nixos/modules/develop.nix @@ -21,6 +21,7 @@ in { # Tools gitlint tig + gitg gource glab github-cli @@ -41,8 +42,8 @@ in { dev cachix nurl - nix-universal-prefetch nil + nixfmt-rfc-style alejandra statix deadnix @@ -54,13 +55,15 @@ in { bats shellcheck shfmt - nodePackages.bash-language-server + bash-language-server jq yq fq # C clang-tools + massif-visualizer + qcachegrind # Python (python3.withPackages (pypkgs: @@ -75,10 +78,12 @@ in { mypy scipy + statsmodels sympy pygraphviz matplotlib + seaborn plotly pygal @@ -102,6 +107,9 @@ in { pyserial pylibftdi + pyusb + usbtmc + pylxd selenium ])) @@ -120,6 +128,9 @@ in { # Julia julia + # XML + libxml2 + # Qemmu qemu virt-manager @@ -149,12 +160,15 @@ in { stdmanpages # SHV - shvcli + (shvcli.withPlugins [python3Packages.shvcli-ell]) # Images imagemagick ]; - programs.wireshark.package = pkgs.wireshark; + programs.wireshark = { + enable = true; + package = pkgs.wireshark; + }; documentation = { nixos = { @@ -170,6 +184,7 @@ in { SUBSYSTEMS=="usb", ATTRS{idVendor}=="a600", ATTRS{idProduct}=="a003", MODE:="0660", GROUP="develop", SYMLINK+="aix_forte_%n" SUBSYSTEMS=="usb", ATTRS{idVendor}=="1366", ATTRS{idProduct}=="0105", MODE:="0660", GROUP="develop", SYMLINK+="jlink_%n" SUBSYSTEMS=="usb", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="2111", MODE:="0660", GROUP="develop", SYMLINK+="cmsip_dap_%n" + SUBSYSTEMS=="usb", ATTRS{idVendor}=="1ab1", ATTRS{idProduct}=="0e11", MODE:="0660", GROUP="develop" ''; virtualisation = { 
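Review bot: `programs.wireshark.enable = true` does more than `package` did: the NixOS module installs a capability wrapper for `dumpcap` (cap_net_raw/cap_net_admin) that any member of the `wireshark` group may run, so who can capture traffic is now decided by group membership rather than by root. The same setting is removed from users.nix in a later hunk of this diff, so the behaviour moves rather than appears, but the group membership that grants capture is not visible in either place. A comment such as `# enable = capability wrapper for dumpcap; capture is granted by membership in the wireshark group` next to `enable = true;` records why it sits beside `package` now.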
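Review bot: The added udev rule for `1ab1:0e11` is the only entry in this list without a `SYMLINK+=`, so unlike `jlink_%n` or `cmsip_dap_%n` it gets no stable device node name, and nothing says what the device is. If the symlink is deliberately omitted, a `# <device name>` comment line above the rule (udev has no trailing comments) keeps the list self-explanatory; otherwise add `SYMLINK+="<name>_%n"` for consistency with the rules around it. The `extraRules` string continues outside this hunk.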
diff --git a/nixos/modules/gaming.nix b/nixos/modules/gaming.nix index 64af068..6e25320 100644 --- a/nixos/modules/gaming.nix +++ b/nixos/modules/gaming.nix @@ -18,7 +18,14 @@ in { config = mkIf cnf { cynerd.desktop.enable = true; - environment.systemPackages = [pkgs.heroic]; + environment.systemPackages = with pkgs; [ + heroic + prismlauncher + ]; + + nixpkgs.config.permittedInsecurePackages = [ + "SDL_ttf-2.0.11" # TODO + ]; programs.steam = { enable = true; @@ -31,8 +38,28 @@ in { with pkgs; [ ncurses xorg.libXpm - flac1_3 + #flac134 + libopus + ]; + }; + heroic = pkgs.heroic.override { + extraPkgs = pkgs: + with pkgs; [ + ncurses + xorg.libXpm + #flac134 libopus + SDL + SDL2_image + SDL2_mixer + SDL2_ttf + SDL_image + SDL_mixer + SDL_ttf + glew110 + libdrm + libidn + tbb ]; }; }; diff --git a/nixos/modules/generic.nix b/nixos/modules/generic.nix index 02afd17..e029058 100644 --- a/nixos/modules/generic.nix +++ b/nixos/modules/generic.nix @@ -6,10 +6,8 @@ inherit (lib) mkOverride mkDefault; in { config = { - system.stateVersion = "24.05"; - nix = { - extraOptions = "experimental-features = nix-command flakes repl-flake"; + extraOptions = "experimental-features = nix-command flakes"; settings = { auto-optimise-store = true; substituters = [ @@ -31,8 +29,11 @@ in { }; boot = { - loader.systemd-boot.enable = mkOverride 1100 true; - loader.efi.canTouchEfiVariables = mkDefault true; + loader = { + systemd-boot.enable = mkOverride 1100 true; + efi.canTouchEfiVariables = mkDefault true; + grub.enable = mkOverride 1100 false; + }; kernelPackages = mkOverride 1100 pkgs.linuxPackages_latest; kernelParams = ["boot.shell_on_fail"]; }; @@ -59,11 +60,6 @@ in { }) ]; - system.extraSystemBuilderCmds = '' - substituteAll ${./nixos-system.sh} $out/bin/nixos-system - chmod +x $out/bin/nixos-system - ''; - documentation = { enable = mkDefault false; doc.enable = mkDefault false; 
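Review bot: `nixpkgs.config.permittedInsecurePackages = ["SDL_ttf-2.0.11" # TODO]` silences nixpkgs' insecure-package refusal for the whole system evaluation, not just for the `heroic` override in the next hunk that pulls `SDL_ttf` in through `extraPkgs`, and the `# TODO` records neither why it is needed nor when it can go. Tie the allowance to its consumer so the next reader can judge it: `"SDL_ttf-2.0.11" # pulled in by heroic.extraPkgs below (SDL1 titles); drop when that list no longer needs SDL_ttf`. Because the setting is global, any other package that happens to resolve to this SDL_ttf is accepted silently too, which is worth stating in the same comment.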
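Review bot: Removing `system.stateVersion = "24.05"` from this shared module leaves it to each host configuration; a host that does not set it evaluates with the release-dependent default and a warning, which can silently change stateful service defaults on the next upgrade. The other host files are outside this hunk, so either confirm every one of them sets it, or keep a `system.stateVersion = mkDefault "24.05";` here so per-host values still win while the fallback stays pinned. The drop of `repl-flake` and the new `grub.enable = mkOverride 1100 false` in the boot loader block read fine.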
diff --git a/nixos/modules/home-assistant.nix b/nixos/modules/home-assistant.nix deleted file mode 100644 index ab16e8a..0000000 --- a/nixos/modules/home-assistant.nix +++ /dev/null 
@@ -1,164 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: let - inherit (lib) mkIf mkEnableOption; -in { - options = { - cynerd.home-assistant = mkEnableOption "Enable Home Assistant and Bigclown"; - }; - - config = mkIf config.cynerd.home-assistant { - services.mosquitto = { - enable = true; - listeners = [ - { - users = { - cynerd = { - acl = ["readwrite #"]; - passwordFile = "/run/secrets/mosquitto.cynerd.pass"; - }; - telegraf = { - acl = ["read bigclown/node/#"]; - passwordFile = "/run/secrets/mosquitto.telegraf.pass"; - }; - homeassistant = { - acl = [ - "readwrite homeassistant/#" - "readwrite bigclown/#" - "readwrite zigbee2mqtt/#" - ]; - passwordFile = "/run/secrets/mosquitto.homeassistant.pass"; - }; - bigclown = { - acl = ["readwrite bigclown/#"]; - passwordFile = "/run/secrets/mosquitto.bigclown.pass"; - }; - zigbee2mqtt = { - acl = [ - "readwrite homeassistant/#" - "readwrite zigbee2mqtt/#" - ]; - passwordFile = "/run/secrets/mosquitto.zigbee2mqtt.pass"; - }; - }; - } - ]; - }; - networking.firewall.allowedTCPPorts = [ - 1883 # Mosquitto - ]; - - services.bcg = { - enable = true; - device = "/dev/ttyUSB0"; - baseTopicPrefix = "bigclown/"; - environmentFiles = ["/run/secrets/bigclown.env"]; - mqtt = { - username = "bigclown"; - password = "\${MQTT_PASSWORD}"; - }; - }; - - systemd.services.bigclown-leds = { - description = "Bigclown LEDs control"; - wantedBy = ["multi-user.target"]; - wants = ["mosquitto.service"]; - serviceConfig.ExecStart = "${pkgs.bigclown-leds}/bin/bigclown-leds /run/secrets/bigclown-leds.ini"; - }; - - services.telegraf.extraConfig = { - outputs.influxdb_v2 = [ - { - urls = ["http://cynerd.cz:8086"]; - token = "$INFLUX_TOKEN"; - organization = "personal"; - bucket = "bigclown"; - tagpass.source = ["bigclown"]; - } - ]; - inputs.mqtt_consumer = let - consumer = data_type: topics: { - tags = {source = "bigclown";}; - servers = ["tcp://localhost:1883"]; - inherit topics; - username = "telegraf"; - password = "$MQTT_PASSWORD"; - 
data_format = "value"; - inherit data_type; - topic_parsing = [ - { - topic = "bigclown/node/+/+/+/+"; - measurement = "_/_/_/_/_/measurement"; - tags = "_/_/device/field/_/_"; - } - ]; - }; - in [ - (consumer "float" [ - "bigclown/node/+/battery/+/voltage" - "bigclown/node/+/thermometer/+/temperature" - "bigclown/node/+/hygrometer/+/relative-humidity" - "bigclown/node/+/lux-meter/+/illuminance" - "bigclown/node/+/barometer/+/pressure" - "bigclown/node/+/pir/+/event-count" - "bigclown/node/+/push-button/+/event-count" - ]) - (consumer "boolean" [ - "bigclown/node/+/flood-detector/+/alarm" - ]) - ]; - processors.pivot = [ - { - tag_key = "field"; - value_key = "value"; - tagpass.source = ["bigclown"]; - } - ]; - }; - systemd.services.telegraf.wants = ["mosquitto.service"]; - - #nixpkgs.config.permittedInsecurePackages = ["openssl-1.1.1w"]; # TODO - services.home-assistant = { - enable = false; - openFirewall = true; - configDir = "/var/lib/hass"; - config = { - homeassistant = { - name = "SPT"; - latitude = "!secret latitude"; - longitude = "!secret longitude"; - elevation = "!secret elevation"; - time_zone = "Europe/Prague"; - country = "CZ"; - }; - http.server_port = 8808; - mqtt = { - sensor = import ./home-assistant/sensors.nix; - light = import ./home-assistant/light.nix; - }; - default_config = {}; - automation = "!include automations.yaml"; - }; - extraComponents = ["met"]; - package = pkgs.home-assistant.override { - extraPackages = pkgs: - with pkgs; [ - securetar - pyipp - ]; - packageOverrides = _: super: { - scapy = super.scapy.override { - withPlottingSupport = false; - }; - s3transfer = super.s3transfer.overridePythonAttrs { - dontUsePytestCheck = true; - dontUseSetuptoolsCheck = true; - }; - }; - }; - }; - }; -} diff --git a/nixos/modules/hosts.nix b/nixos/modules/hosts.nix index e7ad76b..4b358b8 100644 --- a/nixos/modules/hosts.nix +++ b/nixos/modules/hosts.nix 
@@ -64,6 +64,7 @@ in { "ridcully" = "10.8.3.60"; "3dprint" = "10.8.3.80"; "mpd" = "10.8.3.51"; + "printer" = "192.168.1.20"; # Portable "albert" = "10.8.3.61"; "binky" = "10.8.3.63"; diff --git a/nixos/modules/monitoring.nix b/nixos/modules/monitoring.nix index 394915a..e8ba2a9 100644 --- a/nixos/modules/monitoring.nix +++ b/nixos/modules/monitoring.nix @@ -78,7 +78,7 @@ in { nstat = [{}]; system = [{}]; processes = [{}]; - systemd_units = [{}]; + systemd_units = [{details = true;}]; wireguard = [{}]; } // (optionalAttrs cnf.drives { @@ -136,8 +136,8 @@ in { }) (mkIf (config.networking.hostName == "lipwig") { - # InfluxDB services = { + # InfluxDB influxdb2.enable = true; telegraf.extraConfig.inputs.prometheus = { urls = ["http://localhost:8086/metrics"]; @@ -152,6 +152,8 @@ in { admin_password = "$__file{/run/secrets/grafana.admin.pass}"; }; server = { + domain = "grafana.cynerd.cz"; + root_url = "https://%(domain)s/"; http_addr = ""; http_port = 3000; }; diff --git a/nixos/modules/nixos-system.sh b/nixos/modules/nixos-system.sh deleted file mode 100644 index 7a220bb..0000000 --- a/nixos/modules/nixos-system.sh +++ /dev/null @@ -1,27 +0,0 @@ -#!@shell@ -# Simple script handy to be used for activation - -while getopts "s" opt; do - case "$opt" in - s) - if [ ! -v NIXOS_SYSTEM_GNU_SCREEN ]; then - export NIXOS_SYSTEM_GNU_SCREEN=1 - exec @out@/sw/bin/screen "$0" "$@" - fi - ;; - *) - echo "Invalid argument: $1" >&2 - exit 1 - ;; - esac -done -shift $((OPTIND - 1)) - - -@out@/sw/bin/nix-env --profile /nix/var/nix/profiles/system --set '@out@' - -@out@/bin/switch-to-configuration "$@" || { - echo "Switch failed!" >&2 - read -r _ - exit 1 -} diff --git a/nixos/modules/openvpn.nix b/nixos/modules/openvpn.nix index 6a21721..da29dd7 100644 --- a/nixos/modules/openvpn.nix +++ b/nixos/modules/openvpn.nix 
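Review bot: `root_url = "https://%(domain)s/"` indicates TLS is terminated in front of Grafana, but the unchanged `http_addr = ""` below it keeps Grafana itself listening in plaintext on port 3000 on every interface of lipwig. If a reverse proxy on the same host fronts it, `http_addr = "127.0.0.1";` keeps the plaintext listener off the network; if it is meant to stay reachable directly (for example over the wireguard links this file monitors), a comment saying so next to `http_addr` would prevent the next reader from tightening it by mistake. The enclosing `settings` block continues outside the hunk.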
@@ -9,11 +9,6 @@ in { options = { cynerd.openvpn = { - oldpersonal = mkOption { - type = types.bool; - default = false; - description = "My personal old OpenVPN"; - }; elektroline = mkOption { type = types.bool; default = false; @@ -24,9 +19,6 @@ in { config = { services.openvpn.servers = { - oldpersonal = mkIf cnf.oldpersonal { - config = "config /run/secrets/old.ovpn"; - }; elektroline = mkIf cnf.elektroline { config = "config /run/secrets/elektroline.ovpn"; up = '' diff --git a/nixos/modules/packages.nix b/nixos/modules/packages.nix index d321901..155d8a5 100644 --- a/nixos/modules/packages.nix +++ b/nixos/modules/packages.nix @@ -41,9 +41,7 @@ in { btop iotop mc - screen tmux - pv # ls tools tree @@ -65,13 +63,19 @@ in { wakeonlan speedtest-cli librespeed-cli - termshark + #termshark + w3m lm_sensors ] + ++ optionals (system != "armv7l-linux") [ + ranger + ] ++ optionals (system == "x86_64-linux") [ nmap ltrace + pv + screen ] ++ optionals (!isNative) [ ncdu_1 diff --git a/nixos/modules/router.nix b/nixos/modules/router.nix index c8b1283..224037b 100644 --- a/nixos/modules/router.nix +++ b/nixos/modules/router.nix @@ -44,10 +44,20 @@ in { ''; description = "Mapping of MAC address to IP address"; }; + guestStaticLeases = mkOption { + type = with types; attrsOf str; + default = {}; + example = '' + {"xx:xx:xx:xx:xx:xx" = "10.8.1.30";} + ''; + description = "Mapping of MAC address to IP address"; + }; }; }; config = mkIf cnf.enable { + boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1; + networking = { useNetworkd = true; firewall = { 
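Review bot: The new `guestStaticLeases` option reuses the `staticLeases` description verbatim, `"Mapping of MAC address to IP address"`, so the generated option docs will not say which network it feeds; `description = "Mapping of MAC address to IP address for the guest network's DHCP server";` distinguishes them. `boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1` is a global switch: once `all.forwarding` is set the kernel forwards IPv6 between all interfaces, and the per-link `IPv6Forwarding = "yes"` lines in the later hunks of this file only mark those links as routers, so what may pass between the guest and home networks is decided entirely by the `firewall` rules that follow. A comment above the sysctl line to that effect, e.g. `# global: IPv6 forwarding is not scoped by the per-link IPv6Forwarding= settings below; the firewall rules do the separation`, would keep the next reader from assuming the per-interface settings narrow it.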
@@ -98,17 +108,18 @@ in { matchConfig.Name = "brlan"; networkConfig.VLAN = ["home" "guest"]; bridgeVLANs = [ - {bridgeVLANConfig.VLAN = 1;} - {bridgeVLANConfig.VLAN = 2;} + {VLAN = 1;} + {VLAN = 2;} ]; }; "home" = { matchConfig.Name = "home"; networkConfig = { Address = "${cnf.lanIP}/${toString cnf.lanPrefix}"; - IPForward = "yes"; + IPv4Forwarding = "yes"; DHCPServer = "yes"; DHCPPrefixDelegation = "yes"; + IPv6Forwarding = "yes"; IPv6SendRA = "yes"; IPv6AcceptRA = "no"; }; @@ -121,10 +132,8 @@ in { }; dhcpServerStaticLeases = mapAttrsToList (n: v: { - dhcpServerStaticLeaseConfig = { - MACAddress = n; - Address = v; - }; + MACAddress = n; + Address = v; }) cnf.staticLeases; dhcpPrefixDelegationConfig = { @@ -137,9 +146,10 @@ in { matchConfig.Name = "guest"; networkConfig = { Address = "192.168.1.1/24"; - IPForward = "yes"; + IPv4Forwarding = "yes"; DHCPServer = "yes"; DHCPPrefixDelegation = "yes"; + IPv6Forwarding = "yes"; IPv6SendRA = "yes"; IPv6AcceptRA = "no"; }; @@ -150,6 +160,12 @@ in { EmitDNS = "yes"; DNS = "192.168.1.1"; }; + dhcpServerStaticLeases = + mapAttrsToList (n: v: { + MACAddress = n; + Address = v; + }) + cnf.guestStaticLeases; dhcpPrefixDelegationConfig = { UplinkInterface = cnf.wan; SubnetId = 2; diff --git a/nixos/modules/rpi.md b/nixos/modules/rpi.md new file mode 100644 index 0000000..43b172f --- /dev/null +++ b/nixos/modules/rpi.md 
@@ -0,0 +1,25 @@ +# Raspberry Pi SD card preparation steps + +``` +~# parted /dev/sdx +(parted) mktable msdos +(parted) mkpart primary fat16 0% 120M +(parted) mkpart primary btrfs 120M 100% +(parted) set 2 boot on +(parted) quit +~# mkfs.vfat -F16 /dev/sdx1 +~# mkfs.btrfs /dev/sdx2 + +~# mount /dev/sdx1 /mnt +~# nix build .#firmware-HOST +~# cp -r result/* /mnt/ +~# umount mnt + +~# mount /dev/sdx2 /mnt +~# nix copy --to /mnt .#toplevel-HOST +~# nix build --print-out-paths .#toplevel-HOST +~# nix eval .#nixosConfigurations.HOST.config.boot.loader.generic-extlinux-compatible.populateCmd +"/nix/store/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-extlinux-conf-builder.sh -g 20 -t 5" +~# /nix/store/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-extlinux-conf-builder.sh -c -d ./mnt/boot +~# umount mnt +``` diff --git a/nixos/modules/rpi.nix b/nixos/modules/rpi.nix new file mode 100644 index 0000000..e4e10fe --- /dev/null +++ b/nixos/modules/rpi.nix 
@@ -0,0 +1,88 @@ +{ + config, + lib, + pkgs, + ... +}: let + inherit (lib) mkOption types mkMerge mkIf; + + configTxt = pkgs.writeText "config.txt" '' + [pi3] + kernel=u-boot-rpi3.bin + + # Boot in 64-bit mode. + arm_64bit=1 + + # Otherwise the serial output will be garbled. + core_freq=250 + # Boot in 64-bit mode. + arm_64bit=1 + + [all] + # U-Boot needs this to work, regardless of whether UART is actually used or not. + # Look in arch/arm/mach-bcm283x/Kconfig in the U-Boot tree to see if this is still + # a requirement in the future. + enable_uart=1 + + # Prevent the firmware from smashing the framebuffer setup done by the mainline kernel + # when attempting to show low-voltage or overtemperature warnings. + avoid_warnings=1 + ''; +in { + options.cynerd.rpi = mkOption { + type = with types; nullOr (enum [2 3]); + default = null; + description = "If machine is RaspberryPi and which version"; + }; + + config = mkMerge [ + (mkIf (config.cynerd.rpi == 2) { + nixpkgs.hostPlatform.system = "armv7l-linux"; + }) + (mkIf (config.cynerd.rpi == 3) { + nixpkgs.hostPlatform.system = "aarch64-linux"; + boot.kernelParams = ["console=ttyS1,115200n8"]; + }) + (mkIf (config.cynerd.rpi != null) { + boot.loader = { + systemd-boot.enable = false; + efi.canTouchEfiVariables = false; + generic-extlinux-compatible.enable = true; + }; + boot.consoleLogLevel = 7; + + fileSystems = { + "/" = { + device = "/dev/mmcblk0p2"; + fsType = "ext4"; + }; + #"/" = { + # device = "/dev/mmcblk0p2"; + # fsType = "btrfs"; + # options = ["compress=lzo"]; + #}; + "/boot/firmware" = { + device = "/dev/mmcblk0p1"; + fsType = "vfat"; + options = ["nofail"]; + }; + }; + + services.journald.extraConfig = '' + SystemMaxUse=512M + ''; + + system.build.firmware = pkgs.callPackage ({stdenvNoCC}: + stdenvNoCC.mkDerivation { + name = "${config.system.name}-firmware"; + buildCommand = '' + mkdir $out + cp -r ${pkgs.raspberrypifw}/share/raspberrypi/boot/* $out/ + cp ${configTxt} $out/config.txt + # TODO support rpi2 + 
cp ${pkgs.ubootRaspberryPi3_btrfs}/u-boot.bin $out/u-boot-rpi3.bin + ''; + }) {}; + }) + ]; +} diff --git a/nixos/modules/switch.nix b/nixos/modules/switch.nix index 37ac687..e74102a 100644 --- a/nixos/modules/switch.nix +++ b/nixos/modules/switch.nix @@ -42,10 +42,8 @@ in { matchConfig.Name = "brlan"; bridgeVLANs = [ { - bridgeVLANConfig = { - PVID = 1; - EgressUntagged = 1; - }; + PVID = 1; + EgressUntagged = 1; } ]; networkConfig = { diff --git a/nixos/modules/syncthing.nix b/nixos/modules/syncthing.nix index 91736ca..1148da6 100644 --- a/nixos/modules/syncthing.nix +++ b/nixos/modules/syncthing.nix 
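Review bot: The `[pi3]` section of `configTxt` contains the `# Boot in 64-bit mode.` / `arm_64bit=1` pair twice; drop the second copy. With `cynerd.rpi = 2` the option is accepted and the platform switches to `armv7l-linux`, but the firmware derivation still copies only `ubootRaspberryPi3_btrfs` as `u-boot-rpi3.bin` and `config.txt` has no `[pi2]` section, so the card built for it has no loader to run; until the `# TODO support rpi2` is done, `assertions = [{ assertion = config.cynerd.rpi != 2; message = "cynerd.rpi = 2: no u-boot/config.txt is generated for it yet"; }];` in the `rpi != null` branch fails evaluation instead of producing an unbootable image. `enable_uart=1` together with `console=ttyS1,115200n8` exposes a kernel console on the header pins, and generic.nix in this series keeps `boot.shell_on_fail` in `kernelParams`, so a failed boot hands that port a root shell; a one-line comment stating that this is intended for a physically controlled device would document the trade-off.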
@@ -3,119 +3,96 @@ lib, ... }: let - inherit (lib) filterAttrs mkOption types mkIf any mkDefault recursiveUpdate genAttrs; - cnf = config.cynerd.syncthing; - inherit (config.networking) hostName; + inherit (lib) elem filterAttrs mkIf any mkDefault recursiveUpdate genAttrs; + allDevices = [ - "albert" "binky" "errol" "lipwig" "ridcully" - "spt-omnia" - ]; - mediaDevices = [ - "lipwig" - "binky" - "errol" - "ridcully" - "spt-omnia" ]; bigStorageDevices = [ "errol" "ridcully" - "spt-omnia" ]; + + inherit (config.networking) hostName; + baseDir = config.services.syncthing.dataDir; filterDevice = filterAttrs (_: v: any (d: d == hostName) v.devices); in { - options = { - cynerd.syncthing = { - enable = mkOption { - type = types.bool; - default = false; - description = "My personal Syncthing configuration"; - }; - - baseDir = mkOption { - type = types.str; - default = "/home/cynerd"; - description = "Base directory for all folders being synced."; - }; - }; - }; - - config = mkIf cnf.enable { + config = mkIf (config.services.syncthing.enable && elem hostName allDevices) { services.syncthing = { - enable = any (n: n == hostName) allDevices; user = mkDefault "cynerd"; + group = mkDefault "cynerd"; + key = "/run/secrets/syncthing.key.pem"; cert = "/run/secrets/syncthing.cert.pem"; openDefaultPorts = true; - overrideFolders = true; - folders = filterDevice { - "${cnf.baseDir}/documents" = { - label = "Documents"; - id = "documents"; - devices = allDevices; - ignorePerms = false; - }; - "${cnf.baseDir}/notes" = { - label = "Notes"; - id = "notes"; - devices = allDevices; - ignorePerms = false; - }; - "${cnf.baseDir}/projects" = { - label = "Projects"; - id = "projects"; - devices = allDevices; - ignorePerms = false; - }; - "${cnf.baseDir}/pictures" = { - label = "Pictures"; - id = "pictures"; - devices = mediaDevices; - ignorePerms = false; - }; - # TODO phone-photos - "${cnf.baseDir}/music/primary" = { - label = "Music-primary"; - id = "music-primary"; - devices = 
mediaDevices; - ignorePerms = false; - }; - "${cnf.baseDir}/music/secondary" = { - label = "Music-secondary"; - id = "music-secondary"; - devices = bigStorageDevices; - ignorePerms = false; - }; - "${cnf.baseDir}/music/flac" = { - label = "Music-flac"; - id = "music-flac"; - devices = bigStorageDevices; - ignorePerms = false; - }; - "${cnf.baseDir}/video" = { - label = "Video"; - id = "video"; - devices = bigStorageDevices; - ignorePerms = false; - }; - }; - overrideDevices = true; - devices = - recursiveUpdate - (genAttrs allDevices (name: { - id = config.secrets.syncthingIDs."${name}"; - })) - { - lipwig.addresses = ["tcp://cynerd.cz"]; + + settings = { + folders = filterDevice { + "${baseDir}/documents" = { + label = "Documents"; + id = "documents"; + devices = allDevices; + ignorePerms = false; + }; + "${baseDir}/notes" = { + label = "Notes"; + id = "notes"; + devices = allDevices; + ignorePerms = false; + }; + "${baseDir}/projects" = { + label = "Projects"; + id = "projects"; + devices = allDevices; + ignorePerms = false; + }; + "${baseDir}/elektroline" = { + label = "Elektroline"; + id = "elektroline"; + devices = allDevices; + ignorePerms = false; + }; + "${baseDir}/pictures" = { + label = "Pictures"; + id = "pictures"; + devices = bigStorageDevices; + ignorePerms = false; + }; + "${baseDir}/music" = { + label = "Music"; + id = "music"; + devices = bigStorageDevices; + ignorePerms = false; + }; + "${baseDir}/video" = { + label = "Video"; + id = "video"; + devices = bigStorageDevices; + ignorePerms = false; + }; + "${baseDir}/turris" = { + label = "Turris"; + id = "turris"; + devices = bigStorageDevices; + ignorePerms = false; + }; }; - # TODO phone + + devices = + recursiveUpdate + (genAttrs allDevices (name: { + id = config.secrets.syncthingIDs."${name}"; + })) + { + lipwig.addresses = ["tcp://cynerd.cz"]; + }; + }; }; }; } diff --git a/nixos/modules/users.nix b/nixos/modules/users.nix index d098ec7..7d0dc77 100644 --- a/nixos/modules/users.nix 
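Review bot: The folder roots are now derived from `config.services.syncthing.dataDir`, whose NixOS default is `/var/lib/syncthing`, whereas the removed `cynerd.syncthing.baseDir` option defaulted to `/home/cynerd`; unless a host sets `dataDir` outside this diff, every folder path changes and Syncthing starts from empty roots. If `/home/cynerd` is still intended, `dataDir = mkDefault "/home/cynerd";` beside `user`/`group` keeps the old layout explicit. The module also no longer enables Syncthing itself and only shapes `services.syncthing` when a host enables it and is listed in `allDevices`, which is a behaviour change worth a comment above the `config = mkIf (...)` line, e.g. `# Opt-in: hosts enable services.syncthing themselves; this module only supplies folders/devices for known hosts.`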
+++ b/nixos/modules/users.nix @@ -4,7 +4,7 @@ ... }: let isNative = config.nixpkgs.hostPlatform == config.nixpkgs.buildPlatform; - isArm = config.nixpkgs.hostPlatform.isAarch; + isArm = pkgs.hostPlatform.isAarch; in { users = { mutableUsers = false; @@ -64,14 +64,15 @@ in { syntaxHighlighting.enable = isNative; }; shellrc = true; - vim.defaultEditor = isArm; + vim = { + enable = isArm; + defaultEditor = isArm; + }; neovim = { enable = !isArm; - defaultEditor = true; + defaultEditor = !isArm; withNodeJs = true; }; - - wireshark.enable = true; }; programs.fuse.userAllowOther = true; diff --git a/nixos/modules/wifi-adm.nix b/nixos/modules/wifi-adm.nix index 40210e7..56ca65a 100644 --- a/nixos/modules/wifi-adm.nix +++ b/nixos/modules/wifi-adm.nix 
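Review bot: `isArm = pkgs.hostPlatform.isAarch` requires `pkgs` in this module's argument set, which sits above the hunk and is not visible; if it is not already listed, the file fails to evaluate with an undefined variable. Both `config.nixpkgs.hostPlatform` and `pkgs.hostPlatform` are elaborated platform sets, so the two forms should agree once `pkgs` is in scope, but please confirm the argument list.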
@@ -3,9 +3,73 @@ lib, ... }: let - inherit (lib) mkOption mkEnableOption types mkIf hostapd elemAt; + inherit (lib) mkOption mkEnableOption types mkIf mkMerge hostapd elemAt; cnf = config.cynerd.wifiAP.adm; + wifi-networks = name: { + "${cnf."${name}".interface}" = { + bssid = elemAt cnf."${name}".bssids 0; + ssid = "TurrisAdamkovi"; + authentication = { + mode = "wpa3-sae-transition"; + wpaPasswordFile = "/run/secrets/hostapd-TurrisAdamkovi.pass"; + saePasswordsFile = "/run/secrets/hostapd-TurrisAdamkovi.pass"; + }; + }; + "${cnf."${name}".interface}.nela" = { + bssid = elemAt cnf."${name}".bssids 1; + ssid = "Nela"; + authentication = { + mode = "wpa2-sha256"; + wpaPasswordFile = "/run/secrets/hostapd-Nela.pass"; + }; + }; + "${cnf."${name}".interface}.milan" = { + bssid = elemAt cnf."${name}".bssids 2; + ssid = "MILAN-AC"; + authentication = { + mode = "wpa2-sha1"; + wpaPasswordFile = "/run/secrets/hostapd-MILAN-AC.pass"; + }; + }; + }; + + net-networks = name: { + "lan-${cnf."${name}".interface}" = { + matchConfig = { + Name = cnf."${name}".interface; + WLANInterfaceType = "ap"; + }; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + EgressUntagged = 1; + PVID = 1; + } + ]; + }; + "lan-${cnf."${name}".interface}.nela" = { + matchConfig.Name = "${cnf."${name}".interface}-nela"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + EgressUntagged = 2; + PVID = 2; + } + ]; + }; + "lan-${cnf."${name}".interface}.milan" = { + matchConfig.Name = "${cnf."${name}".interface}.milan"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + EgressUntagged = 2; + PVID = 2; + } + ]; + }; + }; + wOptions = card: channelDefault: { interface = mkOption { type = with types; nullOr str; 
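Review bot: In `wifi-networks` the second BSS is named `"${cnf."${name}".interface}.nela"` (a dot, matching `.milan`), but `net-networks` matches it with `matchConfig.Name = "${cnf."${name}".interface}-nela"` (a dash, the name the removed blocks in the later hunks used); hostapd creates the virtual interface under the BSS name, so the nela interface never matches and is never placed into `brlan` VLAN 2. Change the match to `matchConfig.Name = "${cnf."${name}".interface}.nela";`. Separately, `MILAN-AC` goes from `wpa2-sha256` in the removed blocks to `wpa2-sha1` here, which is a downgrade of the key-management suite rather than a refactor; if a specific client needs it, a comment on that `mode` line naming it keeps the value from being "fixed" back later.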
@@ -43,32 +107,7 @@ in { enable = true; inherit (hostapd.qualcomAtherosAR9287.wifi4) capabilities; }; - networks = { - "${cnf.ar9287.interface}" = { - bssid = elemAt cnf.ar9287.bssids 0; - ssid = "TurrisAdamkovi"; - authentication = { - mode = "wpa2-sha256"; - wpaPasswordFile = "/run/secrets/hostapd-TurrisAdamkovi.pass"; - }; - }; - "${cnf.ar9287.interface}-nela" = { - bssid = elemAt cnf.ar9287.bssids 1; - ssid = "Nela"; - authentication = { - mode = "wpa2-sha256"; - wpaPasswordFile = "/run/secrets/hostapd-Nela.pass"; - }; - }; - "${cnf.ar9287.interface}.milan" = { - bssid = elemAt cnf.ar9287.bssids 2; - ssid = "MILAN-AC"; - authentication = { - mode = "wpa2-sha256"; - wpaPasswordFile = "/run/secrets/hostapd-MILAN-AC.pass"; - }; - }; - }; + networks = wifi-networks "ar9287"; }; "${cnf.qca988x.interface}" = mkIf (cnf.qca988x.interface != null) { countryCode = "CZ"; 
@@ -82,108 +121,13 @@ in {
 enable = true;
 inherit (hostapd.qualcomAtherosQCA988x.wifi5) capabilities;
 };
- networks = {
- "${cnf.qca988x.interface}" = {
- bssid = elemAt cnf.qca988x.bssids 0;
- ssid = "TurrisAdamkovi";
- authentication = {
- mode = "wpa2-sha256";
- wpaPasswordFile = "/run/secrets/hostapd-TurrisAdamkovi.pass";
- };
- };
- "${cnf.qca988x.interface}-nela" = {
- bssid = elemAt cnf.qca988x.bssids 1;
- ssid = "Nela";
- authentication = {
- mode = "wpa2-sha256";
- wpaPasswordFile = "/run/secrets/hostapd-Nela.pass";
- };
- };
- "${cnf.qca988x.interface}.milan" = {
- bssid = elemAt cnf.qca988x.bssids 2;
- ssid = "MILAN-AC";
- authentication = {
- mode = "wpa2-sha256";
- wpaPasswordFile = "/run/secrets/hostapd-MILAN-AC.pass";
- };
- };
- };
+ networks = wifi-networks "qca988x";
 };
 };
 };
- systemd.network.networks = {
- "lan-${cnf.ar9287.interface}" = {
- matchConfig.Name = cnf.ar9287.interface;
- networkConfig.Bridge = "brlan";
- bridgeVLANs = [
- {
- bridgeVLANConfig = {
- EgressUntagged = 1;
- PVID = 1;
- };
- }
- ];
- };
- "lan-${cnf.ar9287.interface}-nela" = {
- matchConfig.Name = "${cnf.ar9287.interface}-nela";
- networkConfig.Bridge = "brlan";
- bridgeVLANs = [
- {
- bridgeVLANConfig = {
- EgressUntagged = 2;
- PVID = 2;
- };
- }
- ];
- };
- "lan-${cnf.ar9287.interface}.milan" = {
- matchConfig.Name = "${cnf.ar9287.interface}.milan";
- networkConfig.Bridge = "brlan";
- bridgeVLANs = [
- {
- bridgeVLANConfig = {
- EgressUntagged = 2;
- PVID = 2;
- };
- }
- ];
- };
- "lan-${cnf.qca988x.interface}" = {
- matchConfig.Name = cnf.qca988x.interface;
- networkConfig.Bridge = "brlan";
- bridgeVLANs = [
- {
- bridgeVLANConfig = {
- EgressUntagged = 1;
- PVID = 1;
- };
- }
- ];
- };
- "lan-${cnf.qca988x.interface}-nela" = {
- matchConfig.Name = "${cnf.qca988x.interface}-nela";
- networkConfig.Bridge = "brlan";
- bridgeVLANs = [
- {
- bridgeVLANConfig = {
- EgressUntagged = 2;
- PVID = 2;
- };
- }
- ];
- };
- "lan-${cnf.qca988x.interface}.milan" = {
- matchConfig.Name = "${cnf.qca988x.interface}.milan";
- networkConfig.Bridge = "brlan";
- bridgeVLANs = [
- {
- bridgeVLANConfig = {
- EgressUntagged = 2;
- PVID = 2;
- };
- }
- ];
- };
- };
+ systemd.network.networks = mkMerge [
+ (mkIf (cnf.ar9287.interface != null) (net-networks "ar9287"))
+ (mkIf (cnf.qca988x.interface != null) (net-networks "qca988x"))
+ ];
 };
 }
diff --git a/nixos/modules/wifi-client.nix b/nixos/modules/wifi-client.nix
index 8fc803d..b82633d 100644
--- a/nixos/modules/wifi-client.nix
+++ b/nixos/modules/wifi-client.nix
@@ -21,7 +21,7 @@ in {
 networking.wireless = {
 enable = true;
 networks = config.secrets.wifiNetworks;
- environmentFile = "/run/secrets/wifi.env";
+ secretsFile = "/run/secrets/wifi.secrets";
 userControlled.enable = true;
 };
 };
diff --git a/nixos/modules/wifi-spt.nix b/nixos/modules/wifi-spt.nix
index 669439d..bec093e 100644
--- a/nixos/modules/wifi-spt.nix
+++ b/nixos/modules/wifi-spt.nix
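Review bot: In the wifi-client.nix hunk, `secretsFile` replaces `environmentFile` under `networking.wireless`, and the two options differ in how a network refers to the secret: the old file was consumed through `@varname@` substitutions inside the network definitions, while `secretsFile` is a `varname=value` file whose entries are referenced as `pskRaw = "ext:varname"`. The networks come from `config.secrets.wifiNetworks`, which is outside this diff, so I cannot see whether those entries were migrated; any that still carry an `@varname@` placeholder would now be handed to wpa_supplicant literally. A comment on the new line, `# varname=value file; networks reference entries via pskRaw = "ext:varname"`, would make the expected format visible to the next person editing the secrets.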
@@ -6,6 +6,61 @@
 inherit (lib) mkOption mkEnableOption types mkIf mkForce mkMerge hostapd elemAt;
 cnf = config.cynerd.wifiAP.spt;
+ wifi-networks = name: let
+ is2g = cnf."${name}".channel <= 14;
+ in {
+ "${cnf."${name}".interface}" = {
+ bssid = elemAt cnf."${name}".bssids 0;
+ ssid = "TurrisRules${
+ if is2g
+ then ""
+ else "5"
+ }";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass";
+ };
+ settings = mkIf is2g {
+ ieee80211w = 0;
+ wpa_key_mgmt = mkForce "WPA-PSK"; # force use without sha256
+ };
+ };
+ "${cnf."${name}".interface}.guest" = {
+ bssid = elemAt cnf."${name}".bssids 1;
+ ssid = "Kocovi";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass";
+ };
+ };
+ };
+
+ net-networks = name: {
+ "lan-${cnf."${name}".interface}" = {
+ matchConfig = {
+ Name = cnf."${name}".interface;
+ WLANInterfaceType = "ap";
+ };
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ EgressUntagged = 1;
+ PVID = 1;
+ }
+ ];
+ };
+ "lan-${cnf."${name}".interface}-guest" = {
+ matchConfig.Name = "${cnf."${name}".interface}.guest";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ EgressUntagged = 2;
+ PVID = 2;
+ }
+ ];
+ };
+ };
+
+
 wOptions = card: channelDefault: {
 interface = mkOption {
 type = with types; nullOr str;
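Review bot: On 2.4 GHz the main BSS declares `mode = "wpa2-sha256"` and then `settings = mkIf is2g { ieee80211w = 0; wpa_key_mgmt = mkForce "WPA-PSK"; }` disables management frame protection and swaps the AKM back to plain WPA-PSK, so the effective security of the network contradicts the declared mode and the comment `# force use without sha256` explains only half of the override. The module's `wpa2-sha1` mode exists for exactly this case (the adm module in this commit uses it for MILAN-AC), so `mode = if is2g then "wpa2-sha1" else "wpa2-sha256";` would state the intent without the `mkForce`; whether `ieee80211w = 0` is still needed after that depends on what the mode sets for PMF, which this hunk does not show. Either way the PMF override deserves a comment naming which clients require it, e.g. `# ieee80211w = 0: PMF disabled on 2.4 GHz for client compatibility (TODO: name the clients)`, so it is not dropped or kept by accident. The same override also governs the ar9287 radio now that it goes through `wifi-networks` (see the next hunk), where it previously applied unconditionally.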
@@ -48,28 +103,7 @@ in {
 enable = true;
 inherit (hostapd.qualcomAtherosAR9287.wifi4) capabilities;
 };
- networks = {
- "${cnf.ar9287.interface}" = {
- bssid = elemAt cnf.ar9287.bssids 0;
- ssid = "TurrisRules";
- authentication = {
- mode = "wpa2-sha256";
- wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass";
- };
- settings = {
- ieee80211w = 0;
- wpa_key_mgmt = mkForce "WPA-PSK"; # force use without sha256
- };
- };
- #"${cnf.ar9287.interface}.guest" = {
- # bssid = elemAt cnf.ar9287.bssids 1;
- # ssid = "Kocovi";
- # authentication = {
- # mode = "wpa2-sha256";
- # wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass";
- # };
- #};
- };
+ networks = wifi-networks "ar9287";
 };
 })
 (mkIf (cnf.qca988x.interface != null) {
@@ -90,95 +124,14 @@ in {
 enable = !is2g;
 inherit (hostapd.qualcomAtherosQCA988x.wifi5) capabilities;
 };
- networks = {
- "${cnf.qca988x.interface}" = {
- bssid = elemAt cnf.qca988x.bssids 0;
- ssid = "TurrisRules${
- if is2g
- then ""
- else "5"
- }";
- authentication = {
- mode = "wpa2-sha256";
- wpaPasswordFile = "/run/secrets/hostapd-TurrisRules.pass";
- };
- settings = mkIf is2g {
- ieee80211w = 0;
- wpa_key_mgmt = mkForce "WPA-PSK"; # force use without sha256
- };
- };
- #"${cnf.qca988x.interface}.guest" = {
- # bssid = elemAt cnf.qca988x.bssids 1;
- # ssid = "Kocovi";
- # authentication = {
- # mode = "wpa2-sha256";
- # wpaPasswordFile = "/run/secrets/hostapd-Kocovi.pass";
- # };
- #};
- };
+ networks = wifi-networks "qca988x";
 };
 })
 ];
 };
 systemd.network.networks = mkMerge [
- (mkIf (cnf.ar9287.interface != null) {
- "lan-${cnf.ar9287.interface}" = {
- matchConfig = {
- Name = cnf.ar9287.interface;
- WLANInterfaceType = "ap";
- };
- networkConfig.Bridge = "brlan";
- bridgeVLANs = [
- {
- bridgeVLANConfig = {
- EgressUntagged = 1;
- PVID = 1;
- };
- }
- ];
- };
- #"lan-${cnf.ar9287.interface}-guest" = {
- # matchConfig.Name = "${cnf.ar9287.interface}.guest";
- # networkConfig.Bridge = "brlan";
- # bridgeVLANs = [
- # {
- # bridgeVLANConfig = {
- # EgressUntagged = 2;
- # PVID = 2;
- # };
- # }
- # ];
- #};
- })
- (mkIf (cnf.qca988x.interface != null) {
- "lan-${cnf.qca988x.interface}" = {
- matchConfig = {
- Name = cnf.qca988x.interface;
- WLANInterfaceType = "ap";
- };
- networkConfig.Bridge = "brlan";
- bridgeVLANs = [
- {
- bridgeVLANConfig = {
- EgressUntagged = 1;
- PVID = 1;
- };
- }
- ];
- };
- #"lan-${cnf.qca988x.interface}-guest" = {
- # matchConfig.Name = "${cnf.qca988x.interface}.guest";
- # networkConfig.Bridge = "brlan";
- # bridgeVLANs = [
- # {
- # bridgeVLANConfig = {
- # EgressUntagged = 2;
- # PVID = 2;
- # };
- # }
- # ];
- #};
- })
+ (mkIf (cnf.ar9287.interface != null) (net-networks "ar9287"))
+ (mkIf (cnf.qca988x.interface != null) (net-networks "qca988x"))
 ];
 };
 }
diff --git a/nixos/modules/wireguad.nix b/nixos/modules/wireguad.nix
deleted file mode 100644
index eb25a6e..0000000
--- a/nixos/modules/wireguad.nix
+++ /dev/null
@@ -1,111 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}: let
- inherit (lib) any all mkEnableOption mkIf mapAttrsToList optional optionals optionalAttrs filterAttrs;
- inherit (config.networking) hostName;
- endpoints = ["lipwig" "spt-omnia" "adm-omnia"];
- is_endpoint = any (v: v == hostName) endpoints;
-in {
- options = {
- cynerd.wireguard = mkEnableOption "Enable Wireguard";
- };
-
- config = mkIf config.cynerd.wireguard {
- environment.systemPackages = [pkgs.wireguard-tools];
- systemd.network = {
- netdevs."wg" = {
- netdevConfig = {
- Name = "wg";
- Kind = "wireguard";
- Description = "Personal Wireguard tunnel";
- MTUBytes = "1300";
- };
- wireguardConfig = {
- ListenPort = 51820;
- PrivateKeyFile = "/run/secrets/wg.key";
- };
- wireguardPeers =
- [
- {
- wireguardPeerConfig =
- {
- Endpoint = "cynerd.cz:51820";
- AllowedIPs = ["0.0.0.0/0"];
- PublicKey = config.secrets.wireguardPubs.lipwig;
- }
- // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
- }
- {
- wireguardPeerConfig =
- {
- Endpoint = "spt.cynerd.cz:51820";
- AllowedIPs = [
- "${config.cynerd.hosts.wg.spt-omnia}/32"
- "10.8.2.0/24"
- ];
- PublicKey = config.secrets.wireguardPubs.spt-omnia;
- }
- // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
- }
- #{
- # wireguardPeerConfig =
- # {
- # Endpoint = "adm.cynerd.cz:51820";
- # AllowedIPs = [
- # "${config.cynerd.hosts.wg.adm-omnia}/32"
- # "10.8.3.0/24"
- # ];
- # PublicKey = config.secrets.wireguardPubs.adm-omnia;
- # }
- # // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
- #}
- ]
- ++ (optionals is_endpoint (mapAttrsToList (n: v: {
- wireguardPeerConfig = {
- AllowedIPs = "${config.cynerd.hosts.wg."${n}"}/32";
- PublicKey = v;
- };
- }) (filterAttrs (n: _: all (v: v != n) endpoints) config.secrets.wireguardPubs)));
- };
- networks."wg" = {
- matchConfig.Name = "wg";
- networkConfig = {
- Address = "${config.cynerd.hosts.wg."${hostName}"}/24";
- IPForward = is_endpoint;
- #DNS = mkIf (hostName != "dean") ["10.0.20.30" "10.0.20.31"];
- #DNSSEC = false;
- #Domains = mkIf (hostName != "dean") "~elektroline.cz";
- };
- routes =
- (optional (hostName != "lipwig") {
- # OpenVPN network
- routeConfig = {
- Gateway = config.cynerd.hosts.wg.lipwig;
- Destination = "10.8.0.0/24";
- Metric = 2048;
- };
- })
- ++ (optional (hostName != "spt-omnia") {
- # SPT network
- routeConfig = {
- Gateway = config.cynerd.hosts.wg.spt-omnia;
- Destination = "10.8.2.0/24";
- Metric = 2048;
- };
- })
- ++ (optional (hostName != "adm-omnia" && hostName != "lipwig") {
- # Adamkovi network
- routeConfig = {
- Gateway = config.cynerd.hosts.wg.adm-omnia;
- Destination = "10.8.3.0/24";
- Metric = 2048;
- };
- });
- };
- };
- networking.firewall.allowedUDPPorts = [51820];
- };
-}
diff --git a/nixos/modules/wireguard.nix b/nixos/modules/wireguard.nix
new file mode 100644
index 0000000..b49eaae
--- /dev/null
+++ b/nixos/modules/wireguard.nix
@@ -0,0 +1,85 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit (lib) any all mkEnableOption mkIf mapAttrsToList optional optionals optionalAttrs filterAttrs;
+ inherit (config.networking) hostName;
+ endpoints = ["lipwig" "spt-omnia" "adm-omnia"];
+ is_endpoint = any (v: v == hostName) endpoints;
+in {
+ options = {
+ cynerd.wireguard = mkEnableOption "Enable Wireguard";
+ };
+
+ config = mkIf config.cynerd.wireguard {
+ environment.systemPackages = [pkgs.wireguard-tools];
+ systemd.network = {
+ netdevs."wg" = {
+ netdevConfig = {
+ Name = "wg";
+ Kind = "wireguard";
+ Description = "Personal Wireguard tunnel";
+ MTUBytes = "1300";
+ };
+ wireguardConfig = {
+ ListenPort = 51820;
+ PrivateKeyFile = "/run/secrets/wg.key";
+ };
+ wireguardPeers =
+ [
+ ({
+ Endpoint = "cynerd.cz:51820";
+ AllowedIPs = ["0.0.0.0/0"];
+ PublicKey = config.secrets.wireguardPubs.lipwig;
+ }
+ // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;}))
+ ({
+ Endpoint = "spt.cynerd.cz:51820";
+ AllowedIPs = [
+ "${config.cynerd.hosts.wg.spt-omnia}/32"
+ "10.8.2.0/24"
+ ];
+ PublicKey = config.secrets.wireguardPubs.spt-omnia;
+ }
+ // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;}))
+ ({
+ Endpoint = "adm.cynerd.cz:51820";
+ AllowedIPs = [
+ "${config.cynerd.hosts.wg.adm-omnia}/32"
+ "10.8.3.0/24"
+ ];
+ PublicKey = config.secrets.wireguardPubs.adm-omnia;
+ }
+ // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;}))
+ ]
+ ++ (optionals is_endpoint (mapAttrsToList (n: v: {
+ AllowedIPs = "${config.cynerd.hosts.wg."${n}"}/32";
+ PublicKey = v;
+ }) (filterAttrs (n: _: all (v: v != n) endpoints) config.secrets.wireguardPubs)));
+ };
+ networks."wg" = {
+ matchConfig.Name = "wg";
+ networkConfig = {
+ Address = "${config.cynerd.hosts.wg."${hostName}"}/24";
+ IPv4Forwarding = "yes";
+ };
+ routes =
+ (optional (hostName != "spt-omnia") {
+ # SPT network
+ Gateway = config.cynerd.hosts.wg.spt-omnia;
+ Destination = "10.8.2.0/24";
+ Metric = 2048;
+ })
+ ++ (optional (hostName != "adm-omnia") {
+ # ADM network
+ Gateway = config.cynerd.hosts.wg.adm-omnia;
+ Destination = "10.8.3.0/24";
+ Metric = 2048;
+ });
+ };
+ };
+ networking.firewall.allowedUDPPorts = [51820];
+ };
+}
|
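Review bot: `IPv4Forwarding = "yes"` in `networks."wg".networkConfig` is unconditional, whereas the deleted wireguad.nix gated it with `IPForward = is_endpoint`; with this file every host that enables `cynerd.wireguard`, including the non-endpoint clients that get `PersistentKeepalive`, forwards IPv4 on its tunnel interface. Restoring the gate, `IPv4Forwarding = if is_endpoint then "yes" else "no";`, keeps clients from acting as routers between the tunnel and whatever else they are attached to. The same reasoning applies to `ListenPort = 51820` together with `networking.firewall.allowedUDPPorts = [51820]`, which open an inbound listener on clients that only ever initiate; `networking.firewall.allowedUDPPorts = optionals is_endpoint [51820];` would limit the exposed port to the three endpoints. Two behaviour changes relative to the deleted file are not recorded anywhere — the 10.8.0.0/24 route via lipwig is gone and lipwig now also receives the 10.8.3.0/24 route via adm-omnia — so a short comment above `routes =` stating that both are intended would spare the next reader the archaeology.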