Diffstat (limited to 'nixos')
-rw-r--r--nixos/configurations/adm-omnia.nix1
-rw-r--r--nixos/configurations/binky.nix10
-rw-r--r--nixos/configurations/dean.nix14
-rw-r--r--nixos/configurations/dribbler.nix112
-rw-r--r--nixos/configurations/errol.nix52
-rw-r--r--nixos/configurations/lipwig.nix148
-rw-r--r--nixos/configurations/ridcully.nix66
-rw-r--r--nixos/configurations/spt-mox.nix31
-rw-r--r--nixos/configurations/spt-mox2.nix16
-rw-r--r--nixos/configurations/spt-omnia.nix56
-rw-r--r--nixos/configurations/zd-mox.nix157
-rw-r--r--nixos/configurations/zd-one0.nix61
-rw-r--r--nixos/home-assistant/light.nix13
-rw-r--r--nixos/home-assistant/sensors.nix19
-rw-r--r--nixos/modules/desktop.nix76
-rw-r--r--nixos/modules/develop.nix38
-rw-r--r--nixos/modules/gaming.nix15
-rw-r--r--nixos/modules/generic.nix12
-rw-r--r--nixos/modules/homeassistant.nix57
-rw-r--r--nixos/modules/hosts.nix35
-rw-r--r--nixos/modules/openwrtone.nix119
-rw-r--r--nixos/modules/packages.nix13
-rw-r--r--nixos/modules/router.nix11
-rw-r--r--nixos/modules/syncthing.nix4
-rw-r--r--nixos/modules/users.nix31
-rw-r--r--nixos/modules/wifi-client.nix3
-rw-r--r--nixos/modules/wifi-zd.nix137
-rw-r--r--nixos/modules/wireguard.nix17
28 files changed, 987 insertions, 337 deletions
diff --git a/nixos/configurations/adm-omnia.nix b/nixos/configurations/adm-omnia.nix
index 55ee733..2b80bbc 100644
--- a/nixos/configurations/adm-omnia.nix
+++ b/nixos/configurations/adm-omnia.nix
@@ -15,7 +15,6 @@ in {
wan = "pppoe-wan";
lanIP = hosts.omnia;
staticLeases = {
- "70:85:c2:4a:59:f2" = hosts.ridcully;
"7c:b0:c2:bb:9c:ca" = hosts.albert;
"4c:d5:77:0d:85:d9" = hosts.binky;
"b8:27:eb:49:54:5a" = hosts.mpd;
diff --git a/nixos/configurations/binky.nix b/nixos/configurations/binky.nix
index 6111637..9e3866f 100644
--- a/nixos/configurations/binky.nix
+++ b/nixos/configurations/binky.nix
@@ -1,16 +1,10 @@
{
- lib,
- pkgs,
- ...
-}: let
- inherit (lib) mkDefault;
-in {
system.stateVersion = "24.05";
nixpkgs.hostPlatform.system = "x86_64-linux";
deploy = {
enable = true;
default = false;
- ssh.host = "binky.spt";
+ ssh.host = "binky";
};
cynerd = {
@@ -91,6 +85,4 @@ in {
enable = true;
dataDir = "/home/cynerd";
};
-
- environment.systemPackages = [pkgs.heroic];
}
diff --git a/nixos/configurations/dean.nix b/nixos/configurations/dean.nix
index dfb03e1..a95d9f1 100644
--- a/nixos/configurations/dean.nix
+++ b/nixos/configurations/dean.nix
@@ -11,6 +11,20 @@
};
};
+ boot.initrd.availableKernelModules = ["dm-mod"];
+
+ hardware.enableAllFirmware = false; # No wifi so we do not need firmwares
+ services = {
+ journald.extraConfig = ''
+ SystemMaxUse=512M
+ '';
+
+ btrfs.autoScrub = {
+ enable = true;
+ fileSystems = ["/"];
+ };
+ };
+
networking = {
useNetworkd = true;
useDHCP = false;
diff --git a/nixos/configurations/dribbler.nix b/nixos/configurations/dribbler.nix
new file mode 100644
index 0000000..038f455
--- /dev/null
+++ b/nixos/configurations/dribbler.nix
@@ -0,0 +1,112 @@
+{pkgs, ...}: {
+ system.stateVersion = "25.11";
+ nixpkgs.hostPlatform.system = "x86_64-linux";
+ deploy = {
+ enable = true;
+ default = false;
+ ssh.host = "dribbler";
+ };
+
+ cynerd = {
+ wifiClient = true;
+ };
+
+ boot = {
+ initrd.availableKernelModules = ["nvme" "xhci_pci" "usb_storage" "sd_mod"];
+ kernelModules = ["kvm-intel"];
+ kernelParams = ["video=eDP-1:d"]; # Disable internal display for kodi to use HDMI
+ };
+
+ hardware.cpu.intel.updateMicrocode = true;
+
+ cynerd.autounlock = {
+ "encroot" = "/dev/disk/by-uuid/f791f524-0552-487b-9bf9-5c20ca78651b";
+ };
+ fileSystems = {
+ "/" = {
+ device = "/dev/mapper/encroot";
+ fsType = "btrfs";
+ options = ["compress=lzo"];
+ };
+ "/boot" = {
+ device = "/dev/disk/by-uuid/7143-1EE7";
+ fsType = "vfat";
+ };
+ };
+ services.btrfs.autoScrub = {
+ enable = true;
+ fileSystems = ["/"];
+ };
+
+ networking = {
+ useNetworkd = true;
+ useDHCP = false;
+ };
+ systemd.network = {
+ networks = {
+ "dhcp" = {
+ matchConfig.Name = "enp1s0";
+ networkConfig = {
+ DHCP = "yes";
+ IPv6AcceptRA = "yes";
+ };
+ linkConfig.RequiredForOnline = "routable";
+ };
+ "dhcp-wlan" = {
+ matchConfig.Name = "wlp2s0";
+ networkConfig = {
+ DHCP = "yes";
+ IPv6AcceptRA = "yes";
+ };
+ routes = [{Metric = 1088;}];
+ linkConfig.RequiredForOnline = "routable";
+ };
+ };
+ wait-online.enable = false;
+ };
+
+ # Kodi
+ environment.systemPackages = with pkgs; [
+ kodi-gbm
+ ];
+ hardware = {
+ graphics = {
+ enable = true;
+ enable32Bit = true;
+ extraPackages = with pkgs; [
+ intel-media-driver
+ libvdpau-va-gl
+ ];
+ };
+ bluetooth.enable = true;
+ };
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ };
+ security.rtkit.enable = true;
+ #nixpkgs.config.kodi.enableAdvancedLauncher = true;
+ users.extraUsers.kodi = {
+ isNormalUser = true;
+ extraGroups = ["audio" "video" "input"];
+ };
+ systemd.services.kodi = {
+ description = "Kodi standalone (GBM)";
+ wantedBy = ["multi-user.target"];
+ conflicts = ["getty@tty1.service"];
+ serviceConfig = {
+ User = "kodi";
+ TTYPath = "/dev/tty1";
+ ExecStart = "${pkgs.kodi-gbm}/bin/kodi-standalone";
+ Restart = "on-abort";
+ StandardInput = "tty";
+ StandardOutput = "journal";
+ };
+ };
+ networking.firewall = {
+ allowedTCPPorts = [8080];
+ allowedUDPPorts = [8080];
+ };
+}
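Review bot: The firewall rule at the end of the file opens port 8080 on every interface, and this host brings up DHCP on both `enp1s0` and `wlp2s0`, so whatever listens on 8080 (presumably Kodi's web interface, which the unit itself does not show) is reachable from the Wi-Fi side as well as the wired LAN. If only one network should reach it, scope the rule with `networking.firewall.interfaces.enp1s0.allowedTCPPorts = [8080];`. The UDP entry reads like a copy of the TCP one; unless something on this box actually listens on UDP 8080, drop `allowedUDPPorts = [8080];`. The `kodi` unit is the only network-exposed service here and runs without any systemd sandboxing, so a comment stating why that is acceptable for a dedicated media box (or a `ProtectSystem = "strict";` with the Kodi data directory in `ReadWritePaths`) would help the next reader.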
diff --git a/nixos/configurations/errol.nix b/nixos/configurations/errol.nix
index f986631..e45fae5 100644
--- a/nixos/configurations/errol.nix
+++ b/nixos/configurations/errol.nix
@@ -1,28 +1,19 @@
-{
- config,
- lib,
- pkgs,
- ...
-}: let
- inherit (lib) mkDefault;
-in {
+{pkgs, ...}: {
system.stateVersion = "24.05";
nixpkgs.hostPlatform.system = "x86_64-linux";
deploy.enable = true;
- cynerd = {
- desktop.enable = true;
- develop = true;
- gaming = true;
- openvpn.elektroline = true;
- };
-
boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "usb_storage"];
boot.kernelModules = ["kvm-amd"];
hardware.cpu.amd.updateMicrocode = true;
services.hardware.openrgb.motherboard = "amd";
+ zramSwap = {
+ enable = true;
+ memoryPercent = 50;
+ };
+
cynerd.autounlock = {
"encroot" = "/dev/disk/by-uuid/7c412ae6-6016-45af-8c2a-8fcc394dbbe6";
"enchdd1" = "/dev/disk/by-uuid/87f16080-5ff6-43dd-89f3-307455a46fbe";
@@ -96,36 +87,5 @@ in {
enable = true;
dataDir = "/home/cynerd";
};
-
- home-assistant = {
- enable = true;
- openFirewall = true;
- configDir = "/var/lib/hass";
- config = {
- homeassistant = {
- name = "SPT";
- latitude = "!secret latitude";
- longitude = "!secret longitude";
- elevation = "!secret elevation";
- time_zone = "Europe/Prague";
- country = "CZ";
- };
- http.server_port = 8808;
- mqtt = {
- sensor = import ../home-assistant/sensors.nix;
- light = import ../home-assistant/light.nix;
- };
- default_config = {};
- automation = "!include automations.yaml";
- };
- extraComponents = ["met"];
- package = pkgs.home-assistant.override {
- extraPackages = pkgs:
- with pkgs; [
- securetar
- pyipp
- ];
- };
- };
};
}
diff --git a/nixos/configurations/lipwig.nix b/nixos/configurations/lipwig.nix
index 5855b6d..556ca5d 100644
--- a/nixos/configurations/lipwig.nix
+++ b/nixos/configurations/lipwig.nix
@@ -22,6 +22,7 @@
};
wireguard = true;
borgjobs = {
+ # TODO backup influx
postgresql.dumpCommand = pkgs.writeScript "postgreqsl-backup.sh" ''
/run/wrappers/bin/sudo -u postgres /run/current-system/sw/bin/pg_dumpall
'';
@@ -73,66 +74,64 @@
];
# Web ######################################################################
- services.nginx = {
- enable = true;
- virtualHosts = {
- "cynerd.cz" = {
- forceSSL = true;
- enableACME = true;
- locations = {
- "/".root = ../../web;
- "/radicale/" = {
- proxyPass = "http://127.0.0.1:5232/";
- extraConfig = ''
- proxy_set_header X-Script-Name /radicale;
- proxy_pass_header Authorization;
- '';
+ services = {
+ nginx = {
+ enable = true;
+ virtualHosts = {
+ "cynerd.cz" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/".root = ../../web;
+ "/radicale/" = {
+ proxyPass = "http://127.0.0.1:5232/";
+ extraConfig = ''
+ proxy_set_header X-Script-Name /radicale;
+ proxy_pass_header Authorization;
+ '';
+ };
};
};
- };
- "git.cynerd.cz" = {
- forceSSL = true;
- useACMEHost = "cynerd.cz";
- root = "${pkgs.cgit}/cgit";
- locations."/".tryFiles = "$uri @cgit";
- locations."@cgit".extraConfig = ''
- fastcgi_pass unix:${config.services.fcgiwrap.instances.cgit.socket.address};
- fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi;
- fastcgi_param PATH_INFO $uri;
- fastcgi_param QUERY_STRING $args;
- fastcgi_param HTTP_HOST $server_name;
- '';
- };
- "cloud.cynerd.cz" = {
- forceSSL = true;
- useACMEHost = "cynerd.cz";
- };
- "office.cynerd.cz" = {
- forceSSL = true;
- useACMEHost = "cynerd.cz";
- };
- "grafana.cynerd.cz" = {
- forceSSL = true;
- useACMEHost = "cynerd.cz";
- locations."/" = {
- proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
- proxyWebsockets = true;
- recommendedProxySettings = true;
+ "git.cynerd.cz" = {
+ forceSSL = true;
+ useACMEHost = "cynerd.cz";
+ root = "${pkgs.cgit}/cgit";
+ locations."/".tryFiles = "$uri @cgit";
+ locations."@cgit".extraConfig = ''
+ fastcgi_pass unix:${config.services.fcgiwrap.instances.cgit.socket.address};
+ fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param QUERY_STRING $args;
+ fastcgi_param HTTP_HOST $server_name;
+ '';
+ };
+ "cloud.cynerd.cz" = {
+ forceSSL = true;
+ useACMEHost = "cynerd.cz";
+ };
+ "grafana.cynerd.cz" = {
+ forceSSL = true;
+ useACMEHost = "cynerd.cz";
+ locations."/" = {
+ proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ };
+ };
+ "searx.cynerd.cz" = {
+ forceSSL = true;
+ useACMEHost = "cynerd.cz";
+ locations."/".extraConfig = ''
+ uwsgi_pass "unix://${config.services.searx.uwsgiConfig.socket}";
+ include ${config.services.nginx.package}/conf/uwsgi_params;
+ '';
};
- };
- "searx.cynerd.cz" = {
- forceSSL = true;
- useACMEHost = "cynerd.cz";
- locations."/".extraConfig = ''
- uwsgi_pass "unix:///run/searx/searx.sock";
- include ${config.services.nginx.package}/conf/uwsgi_params;
- '';
};
};
- };
- services.fcgiwrap.instances.cgit = {
- process.user = "git";
- socket = {inherit (config.services.nginx) user group;};
+ fcgiwrap.instances.cgit = {
+ process.user = "git";
+ socket = {inherit (config.services.nginx) user group;};
+ };
};
security.acme = {
acceptTerms = true;
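Review bot: The `office.cynerd.cz` virtual host is dropped here together with the OnlyOffice service, but the `security.acme` block this hunk ends in continues outside the hunk; if `certs."cynerd.cz"` still lists `office.cynerd.cz` among its extra domain names, the certificate keeps being issued for a name that no longer has a vhost, and the DNS record presumably still points at this server. Worth checking the cert definition and the zone so no dangling name is left behind. The `searx.cynerd.cz` location now takes the socket path from `config.services.searx.uwsgiConfig.socket` rather than a literal, which is the right fix for the previously hard-coded path.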
@@ -199,7 +198,7 @@
# Nextcloud ################################################################
services.nextcloud = {
enable = true;
- package = pkgs.nextcloud31;
+ package = pkgs.nextcloud32;
https = true;
hostName = "cloud.cynerd.cz";
datadir = "/nas/nextcloud";
@@ -245,9 +244,9 @@
forms
groupfolders
impersonate
+ #maps
memories
notes
- onlyoffice
phonetrack
previewgenerator
spreed
@@ -255,39 +254,34 @@
twofactor_webauthn
;
# Additional modules can be fetched with:
- # NEXTCLOUD_VERSIONS=30 nix run nixpkgs#nc4nix -- -apps "passwords,money,integration_github,integration_gitlab"
+ # NEXTCLOUD_VERSIONS=32 nix run nixpkgs#nc4nix -- -apps "passwords,money,integration_github,integration_gitlab,fileslibreofficeedit"
+ fileslibreofficeedit = pkgs.fetchNextcloudApp {
+ url = "https://github.com/allotropia/nextcloud_files_libreoffice_edit/releases/download/v2.0.1/fileslibreofficeedit.tar.gz";
+ hash = "sha256-Xqx5snQWintYJG3Q1Crw22TkNw18DdADXkurMQqt3X8=";
+ license = "agpl3Plus";
+ };
integration_github = pkgs.fetchNextcloudApp {
- url = "https://github.com/nextcloud-releases/integration_github/releases/download/v3.1.1/integration_github-v3.1.1.tar.gz";
- hash = "sha256-nm463H33WyXTJkb7+OSsunARNuSl5nc3uGClgwkVvhM=";
+ url = "https://github.com/nextcloud-releases/integration_github/releases/download/v3.2.2/integration_github-v3.2.2.tar.gz";
+ hash = "sha256-n7U/es4EdwS0cvegeFLnqhooRhkaSIdiVLwSse8hS3I=";
license = "agpl3Plus";
};
integration_gitlab = pkgs.fetchNextcloudApp {
- url = "https://github.com/nextcloud-releases/integration_gitlab/releases/download/v3.1.2/integration_gitlab-v3.1.2.tar.gz";
- hash = "sha256-nCH0DqYmr4T856sOU5PhSK6WAHIF9mnYThgytxEbkNA=";
+ url = "https://github.com/nextcloud-releases/integration_gitlab/releases/download/v4.0.0/integration_gitlab-v4.0.0.tar.gz";
+ hash = "sha256-0CKvAiwdG6Llomo9ROu0KLdUq1xfjAwlO1e1/LYzL4s=";
license = "agpl3Plus";
};
money = pkgs.fetchNextcloudApp {
- url = "https://github.com/powerpaul17/nc_money/releases/download/v0.30.0/money.tar.gz";
- hash = "sha256-4gHm6sF9S+1G1naRTr+eR8ZyjCpB3viXTzRCNQFUtF0=";
+ url = "https://github.com/powerpaul17/nc_money/releases/download/v0.31.0/money.tar.gz";
+ hash = "sha256-6RlxWTCw6NP9RquHnfoLLBw/dmAXx21INCzYUcp3E/4=";
license = "agpl3Plus";
};
passwords = pkgs.fetchNextcloudApp {
- url = "https://git.mdns.eu/api/v4/projects/45/packages/generic/passwords/2025.5.1/passwords.tar.gz";
- hash = "sha256-v4IVpqbTN3TKORESFX+sJsiSrLkUc0b5Stj8CmznSIw=";
- license = "agpl3Plus";
- };
- maps = pkgs.fetchNextcloudApp {
- url = "https://github.com/nextcloud/maps/releases/download/v1.6.0-3-nightly/maps-1.6.0-3-nightly.tar.gz";
- hash = "sha256-E0S/CwXyye19lcuiONEQCyHJqlL0ZG1A9Q7oOTEZH1g=";
+ url = "https://git.mdns.eu/api/v4/projects/45/packages/generic/passwords/2026.3.0/passwords.tar.gz";
+ hash = "sha256-YHilpFaZHNCtqLRvTCDhyVoFWLC85Qkj1mMxp08YCho=";
license = "agpl3Plus";
};
};
};
- # OnlyOffice ###############################################################
- services.onlyoffice = {
- enable = true;
- hostname = "office.cynerd.cz";
- };
# Postgresql ###############################################################
services.postgresql = {
@@ -370,7 +364,7 @@
}
];
};
- runInUwsgi = true;
+ configureUwsgi = true;
uwsgiConfig = {
socket = "/run/searx/searx.sock";
chmod-socket = "660";
diff --git a/nixos/configurations/ridcully.nix b/nixos/configurations/ridcully.nix
index 0b2705c..9f3ed57 100644
--- a/nixos/configurations/ridcully.nix
+++ b/nixos/configurations/ridcully.nix
@@ -1,10 +1,4 @@
-{
- lib,
- pkgs,
- ...
-}: let
- inherit (lib) mkDefault;
-in {
+{pkgs, ...}: {
system.stateVersion = "24.05";
nixpkgs.hostPlatform.system = "x86_64-linux";
deploy.enable = true;
@@ -16,14 +10,22 @@ in {
openvpn = {
elektroline = true;
};
+ borgjobs = {
+ hetzner-s3.paths = "/back/hetzner-s3-sync";
+ };
};
- boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "usb_storage"];
+ boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
boot.kernelModules = ["kvm-amd"];
hardware.cpu.amd.updateMicrocode = true;
services.hardware.openrgb.motherboard = "amd";
+ zramSwap = {
+ enable = true;
+ memoryPercent = 50;
+ };
+
cynerd.autounlock = {
"encroot" = "/dev/disk/by-uuid/bc7d2ba4-6e04-4c49-b40c-3aecd1a86c71";
"enchdd" = "/dev/disk/by-uuid/7fee3cda-efa0-47cd-8832-fdead9a7e6db";
@@ -71,13 +73,51 @@ in {
environment.systemPackages = [
pkgs.nvtopPackages.amd
+ #sbctl
];
- services.syncthing = {
- enable = true;
- dataDir = "/home/cynerd";
+ # Force nix to use less jobs
+ nix.settings.max-jobs = 4;
+
+ ##############################################################################
+ services = {
+ syncthing = {
+ enable = true;
+ dataDir = "/home/cynerd";
+ };
+
+ octoprint = {
+ enable = true;
+ openFirewall = true;
+ };
+
+ mjpg-streamer = {
+ enable = true;
+ inputPlugin = "input_uvc.so -d /dev/video2 -r 1920x1080 -f 30";
+ outputPlugin = "output_http.so -p 5001 -w @www@";
+ };
};
+ networking.firewall.allowedTCPPorts = [5001];
- # Force nix to use less jobs
- nix.settings.max-jobs = 8;
+ # Service to synchronize local copy of Hetzner S3
+ systemd = {
+ services."hetzner-sync" = {
+ script = ''
+ /run/current-system/sw/bin/rclone --config /run/secrets/rclone-hetzner.conf \
+ sync hetzner: /back/hetzner-s3-sync
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ User = "root";
+ };
+ };
+ timers."hetzner-sync" = {
+ wantedBy = ["timers.target"];
+ timerConfig.Unit = "hetzner-sync.service";
+ timerConfig = {
+ OnCalendar = "daily";
+ Persistent = false;
+ };
+ };
+ };
}
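Review bot: The new `hetzner-sync` unit runs rclone as `User = "root"` although it only needs to read `/run/secrets/rclone-hetzner.conf` and write `/back/hetzner-s3-sync`; a dedicated system user (or `DynamicUser = true;` with `ReadWritePaths = ["/back/hetzner-s3-sync"];` and the secret made readable to that user) would keep a compromised rclone or a hostile bucket from having root on this desktop. The timer mixes two definition styles, `timerConfig.Unit = "hetzner-sync.service";` followed by a `timerConfig = { ... };` literal; Nix merges them, but folding `Unit` into the literal reads better. `Persistent = false;` on a daily timer means missed runs are not caught up after the machine was off, which may be intended for a desktop but deserves a comment. The `mjpg-streamer` HTTP output on port 5001 is opened in the firewall for all interfaces and nothing in the `outputPlugin` string sets credentials (`output_http.so` accepts `-c user:password`), so the camera stream is visible to any host on the LAN.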
diff --git a/nixos/configurations/spt-mox.nix b/nixos/configurations/spt-mox.nix
index 8a842b7..4dfa2c8 100644
--- a/nixos/configurations/spt-mox.nix
+++ b/nixos/configurations/spt-mox.nix
@@ -28,13 +28,17 @@
};
};
- services.journald.extraConfig = ''
- SystemMaxUse=512M
- '';
+ boot.initrd.availableKernelModules = ["dm-mod"];
- services.btrfs.autoScrub = {
- enable = true;
- fileSystems = ["/"];
+ services = {
+ journald.extraConfig = ''
+ SystemMaxUse=512M
+ '';
+
+ btrfs.autoScrub = {
+ enable = true;
+ fileSystems = ["/"];
+ };
};
networking = {
@@ -73,25 +77,10 @@
acl = ["read bigclown/node/#"];
passwordFile = "/run/secrets/mosquitto.telegraf.pass";
};
- homeassistant = {
- acl = [
- "readwrite homeassistant/#"
- "readwrite bigclown/#"
- "readwrite zigbee2mqtt/#"
- ];
- passwordFile = "/run/secrets/mosquitto.homeassistant.pass";
- };
bigclown = {
acl = ["readwrite bigclown/#"];
passwordFile = "/run/secrets/mosquitto.bigclown.pass";
};
- zigbee2mqtt = {
- acl = [
- "readwrite homeassistant/#"
- "readwrite zigbee2mqtt/#"
- ];
- passwordFile = "/run/secrets/mosquitto.zigbee2mqtt.pass";
- };
};
}
];
diff --git a/nixos/configurations/spt-mox2.nix b/nixos/configurations/spt-mox2.nix
index fd2c074..2e76449 100644
--- a/nixos/configurations/spt-mox2.nix
+++ b/nixos/configurations/spt-mox2.nix
@@ -23,13 +23,17 @@
};
};
- services.journald.extraConfig = ''
- SystemMaxUse=512M
- '';
+ boot.initrd.availableKernelModules = ["dm-mod"];
- services.btrfs.autoScrub = {
- enable = true;
- fileSystems = ["/"];
+ services = {
+ journald.extraConfig = ''
+ SystemMaxUse=512M
+ '';
+
+ btrfs.autoScrub = {
+ enable = true;
+ fileSystems = ["/"];
+ };
};
networking = {
diff --git a/nixos/configurations/spt-omnia.nix b/nixos/configurations/spt-omnia.nix
index 1809b2a..c2ef049 100644
--- a/nixos/configurations/spt-omnia.nix
+++ b/nixos/configurations/spt-omnia.nix
@@ -18,7 +18,6 @@ in {
"7c:b0:c2:bb:9c:ca" = hosts.albert;
"4c:d5:77:0d:85:d9" = hosts.binky;
"b8:27:eb:57:a2:31" = hosts.mpd;
- "74:bf:c0:42:82:19" = hosts.printer;
};
};
wifiAP.spt = {
@@ -38,18 +37,20 @@ in {
monitoring.speedtest = true;
};
- services.journald.extraConfig = ''
- SystemMaxUse=8G
- '';
+ services = {
+ journald.extraConfig = ''
+ SystemMaxUse=8G
+ '';
- services.btrfs.autoScrub = {
- enable = true;
- fileSystems = ["/"];
- };
+ btrfs.autoScrub = {
+ enable = true;
+ fileSystems = ["/"];
+ };
- services.fail2ban = {
- enable = true;
- ignoreIP = ["10.8.1.0/24" "10.8.2.0/24"];
+ fail2ban = {
+ enable = true;
+ ignoreIP = ["10.8.1.0/24" "10.8.2.0/24"];
+ };
};
networking.useDHCP = false;
@@ -133,32 +134,11 @@ in {
'';
##############################################################################
- services = {
- zigbee2mqtt = {
- enable = true;
- settings = {
- serial.port = "/dev/serial/by-id/usb-ITEAD_SONOFF_Zigbee_3.0_USB_Dongle_Plus_V2_20220812153849-if00";
- mqtt = {
- server = "mqtt://${config.cynerd.hosts.spt.mox}:1883";
- user = "zigbee2mqtt";
- password = "!secret.yaml mqtt_password";
- };
- advanced = {
- network_key = "!secret.yaml network_key";
- homeassistant_legacy_entity_attributes = false;
- legacy_api = false;
- legacy_availability_payload = false;
- last_seen = "epoch";
- };
- frontend = true;
- availability = true;
- homeassistant = {
- legacy_triggers = false;
- };
- device_options.legacy = false;
- permit_join = false;
- devices = config.secrets.zigbee2mqttDevices;
- };
- };
+ cynerd.ha = {
+ enable = true;
+ domain = "spt.cynerd.cz";
+ extraOptions = [
+ "--device=/dev/serial/by-id/usb-ITEAD_SONOFF_Zigbee_3.0_USB_Dongle_Plus_V2_20220812153849-if00:/dev/ttyACM0"
+ ];
};
}
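Review bot: The `--device=...:/dev/ttyACM0` option is the right way to hand only the Zigbee dongle to the container, but `cynerd.ha` as defined in `nixos/modules/homeassistant.nix` in this same diff also passes `--privileged` and `--network=host`, and a privileged podman container already sees every host device and runs with full capabilities, so the device passthrough does not actually narrow anything. If the dongle is the only hardware Home Assistant needs, dropping `--privileged` in the module and keeping the `--device` passthrough here would make this `extraOptions` list meaningful. The zigbee2mqtt settings removed above (`permit_join = false`, the network key from secrets) are presumably now handled inside the container's `home-assistant` volume rather than in this declarative config, so they are no longer reviewable from the repo; a comment noting where that state lives and is backed up would help.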
diff --git a/nixos/configurations/zd-mox.nix b/nixos/configurations/zd-mox.nix
new file mode 100644
index 0000000..6ce1b6b
--- /dev/null
+++ b/nixos/configurations/zd-mox.nix
@@ -0,0 +1,157 @@
+{
+ config,
+ pkgs,
+ ...
+}: let
+ hosts = config.cynerd.hosts.zd;
+in {
+ system.stateVersion = "25.05";
+ turris.board = "mox";
+ deploy = {
+ enable = true;
+ ssh.host = "zd.cynerd.cz";
+ };
+
+ cynerd = {
+ router = {
+ enable = true;
+ wan = "pppoe-wan";
+ lanIP = hosts.mox;
+ staticLeases = {
+ "4c:d5:77:0d:85:d9" = hosts.binky;
+ "70:85:c2:4a:59:f2" = hosts.ridcully;
+ "74:bf:c0:42:82:19" = hosts.printer;
+ "f8:dc:7a:79:00:e6" = hosts.tc;
+ "34:94:54:33:6b:48" = hosts.vb;
+ };
+ };
+ wireguard = true;
+ monitoring.speedtest = true;
+ };
+
+ boot.initrd.availableKernelModules = ["dm-mod"];
+
+ services = {
+ journald.extraConfig = ''
+ SystemMaxUse=512M
+ '';
+
+ btrfs.autoScrub = {
+ enable = true;
+ fileSystems = ["/"];
+ };
+
+ fail2ban = {
+ enable = true;
+ ignoreIP = ["10.8.0.0/24" "10.8.1.0/24" "10.8.2.0/24"];
+ };
+ };
+
+ networking.useDHCP = false;
+ systemd.network = {
+ netdevs = {
+ "end0.848" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "end0.848";
+ };
+ vlanConfig.Id = 848;
+ };
+ };
+ networks = {
+ "end0" = {
+ matchConfig.Name = "end0";
+ networkConfig.VLAN = ["end0.848"];
+ };
+ "end0.848" = {
+ matchConfig.Name = "end0.848";
+ networkConfig.BindCarrier = "end0";
+ };
+ "pppoe-wan" = {
+ matchConfig.Name = "pppoe-wan";
+ networkConfig = {
+ BindCarrier = "end0.848";
+ DHCP = "ipv6";
+ IPv6AcceptRA = "no";
+ DHCPPrefixDelegation = "yes";
+ #DNS = ["84.19.64.3" "84.19.64.4" "1.1.1.1"];
+ DNS = "1.1.1.1";
+ };
+ dhcpV6Config = {
+ PrefixDelegationHint = "::/56";
+ UseDNS = "no";
+ };
+ dhcpPrefixDelegationConfig = {
+ UplinkInterface = ":self";
+ SubnetId = 0;
+ Announce = "no";
+ };
+ linkConfig.RequiredForOnline = "routable";
+ };
+ "lan-brlan" = {
+ matchConfig.Name = "lan*";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ EgressUntagged = 1;
+ PVID = 1;
+ }
+ {VLAN = 2;}
+ ];
+ };
+ };
+ };
+
+ services.pppd = {
+ enable = true;
+ peers."wan".config = ''
+ plugin pppoe.so end0.848
+ ifname pppoe-wan
+ lcp-echo-interval 1
+ lcp-echo-failure 5
+ lcp-echo-adaptive
+ defaultroute
+ defaultroute6
+ maxfail 1
+ # user and password added in secrets
+ '';
+ };
+ systemd.services = {
+ "pppd-wan" = {
+ requires = ["sys-subsystem-net-devices-end0.848.device"];
+ partOf = ["systemd-networkd.service"];
+ };
+ "systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
+ };
+ # TODO limit NSS clamping to just pppoe-wan
+ networking.firewall.extraForwardRules = ''
+ tcp flags syn tcp option maxseg size set rt mtu comment "Needed for PPPoE to fix IPv4"
+ iifname {"home", "wg"} oifname {"home", "wg"} accept
+ '';
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "zd.cynerd.cz" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://${hosts.one0}:8123";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ };
+ };
+ };
+ };
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "cynerd+acme@email.cz";
+ certs."zd.cynerd.cz" = {};
+ };
+ networking.firewall.allowedTCPPorts = [80 443];
+
+ environment.systemPackages = with pkgs; [
+ nmap
+ tcpdump
+ ];
+}
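Review bot: `"systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";` ships a WAN-facing router with networkd at debug verbosity, which looks like a bring-up leftover; with `SystemMaxUse=512M` set earlier in the same file, the debug chatter will rotate out the journal entries you actually want to keep on this box (sshd, fail2ban, pppd). Drop the line, or keep it behind a comment explaining why it stays. The MSS clamp under `# TODO limit NSS clamping to just pppoe-wan` applies to every forwarded SYN; `oifname "pppoe-wan" tcp flags syn tcp option maxseg size set rt mtu` resolves that TODO in one line, and the `iifname {"home", "wg"} oifname {"home", "wg"} accept` rule below it would then be the only unconditional forward rule.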
diff --git a/nixos/configurations/zd-one0.nix b/nixos/configurations/zd-one0.nix
new file mode 100644
index 0000000..98d9691
--- /dev/null
+++ b/nixos/configurations/zd-one0.nix
@@ -0,0 +1,61 @@
+_: {
+ system.stateVersion = "25.11";
+ deploy = {
+ enable = true;
+ ssh.host = "zd-one0";
+ };
+
+ cynerd = {
+ openwrtone = true;
+ #switch = {
+ # enable = true;
+ # lanAddress = "10.8.12.10/24";
+ # lanGateway = config.cynerd.hosts.spt.omnia;
+ #};
+ #wifiAP.zd = {
+ # enable = false;
+ # qca988x = {
+ # interface = "wlp1s0";
+ # bssids = config.secrets.wifiMacs.zd-mox.qca988x;
+ # channel = 36;
+ # };
+ #};
+ };
+
+ boot.initrd.availableKernelModules = ["dm-mod"];
+ boot.consoleLogLevel = 7;
+
+ services = {
+ journald.extraConfig = ''
+ SystemMaxUse=8G
+ '';
+
+ btrfs.autoScrub = {
+ enable = true;
+ fileSystems = ["/"];
+ };
+
+ fail2ban = {
+ enable = true;
+ ignoreIP = ["10.8.0.0/24" "10.8.1.0/24" "10.8.2.0/24"];
+ };
+ };
+
+ networking.useDHCP = false;
+ networking.useNetworkd = true;
+
+ systemd.network = {
+ networks = {
+ "eth0" = {
+ matchConfig.Name = "eth0";
+ networkConfig = {
+ Address = "10.8.2.10/24";
+ Gateway = "10.8.2.1";
+ DNS = "1.1.1.1";
+ IPv6AcceptRA = "yes";
+ };
+ };
+ };
+ wait-online.anyInterface = true;
+ };
+}
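Review bot: The commented-out `switch` and `wifiAP.zd` blocks reference `config.cynerd.hosts.spt.omnia` and `config.secrets.wifiMacs.zd-mox.qca988x`, but the module's argument pattern is `_:`, so re-enabling either block as-is fails to evaluate with an undefined `config`; either switch the header to `{config, ...}: {` when they come back, or remove the dead blocks so the file does not carry config that cannot evaluate. `boot.consoleLogLevel = 7;` also reads like a debugging leftover that raises console verbosity above the module default; if it is meant to stay, a one-line comment saying why would help.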
diff --git a/nixos/home-assistant/light.nix b/nixos/home-assistant/light.nix
deleted file mode 100644
index a9d158b..0000000
--- a/nixos/home-assistant/light.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-[
- {
- name = "RGB Osvětlení";
- command_topic = "homeassistant/led-strip";
- brightness_scale = 100;
- brightness_command_topic = "bigclown/node/power-controller:0/led-strip/-/brightness/set";
- #brightness_state_topic = "bigclown/node/power-controller:0/led-strip/-/brightness/set";
- rgb_command_template = ''"#{{"%02x" % red}}{{"%02x" % green}}{{"%02x" % blue}}"'';
- rgb_command_topic = "bigclown/node/power-controller:0/led-strip/-/color/set";
- #rgb_value_template = ''{{int(value[2:4],16)}},{{int(value[5:7],16)}},{{int(value[8:10],16)}}'';
- #rgb_state_topic = "bigclown/node/power-controller:0/led-strip/-/color/set";
- }
-]
diff --git a/nixos/home-assistant/sensors.nix b/nixos/home-assistant/sensors.nix
deleted file mode 100644
index fadd4eb..0000000
--- a/nixos/home-assistant/sensors.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-[
- {
- name = "Teplota";
- state_class = "measurement";
- state_topic = "bigclown/node/climate-monitor:0/thermometer/0:0/temperature";
- unit_of_measurement = "°C";
- }
- {
- name = "Vlhkost";
- state_class = "measurement";
- state_topic = "bigclown/node/climate-monitor:0/hygrometer/0:4/relative-humidity";
- unit_of_measurement = "%";
- }
- {
- name = "Osvětlení";
- state_class = "measurement";
- state_topic = "bigclown/node/climate-monitor:0/lux-meter/0:0/illuminance";
- }
-]
diff --git a/nixos/modules/desktop.nix b/nixos/modules/desktop.nix
index dfc9777..c39f9d2 100644
--- a/nixos/modules/desktop.nix
+++ b/nixos/modules/desktop.nix
@@ -47,6 +47,7 @@ in {
waybar
swaybackground
myswaylock
+ brightnessctl
alacritty
nautilus
@@ -67,9 +68,9 @@ in {
resources
isync
+ davmail
msmtp
notmuch
- astroid
dodo
taskwarrior3
gnupg
@@ -79,16 +80,22 @@ in {
exts.pass-otp
exts.pass-audit
]))
+ ranger
chromium
+ tangram
ferdium
signal-desktop
- libreoffice
- onlyoffice-desktopeditors
mupdf
zathura
pdfgrep
+ libreoffice-qt6-fresh
+ hunspell
+ hunspellDicts.en_US-large
+ hunspellDicts.en_GB-large
+ hunspellDicts.cs_CZ
+
xdg-utils
xdg-launch
mesa-demos
@@ -96,8 +103,8 @@ in {
pulsemixer
mpd
- mpc-cli
- ncmpcpp
+ mpc
+ #ncmpcpp
feh
shotwell
id3lib
@@ -142,7 +149,8 @@ in {
inkscape
blender
tenacity
- #kdePackages.kdenlive
+ kdePackages.kdenlive
+ qrrs
# GStreamer
gst_all_1.gstreamer
@@ -156,8 +164,7 @@ in {
# Writing
typst
- typstfmt
- typst-live
+ typstyle
tinymist
vale
@@ -166,6 +173,7 @@ in {
kicad
sweethome3d.application
qelectrotech
+ super-slicer
]
++ (optionals cnf.laptop [
# Power management
@@ -180,11 +188,9 @@ in {
nativeMessagingHosts.packages = with pkgs; [browserpass];
};
- light.enable = mkIf cnf.laptop true;
-
nix-ld = {
enable = true;
- libraries = with pkgs; [xorg.libXpm];
+ libraries = with pkgs; [libXpm];
};
usbkey = {
@@ -199,6 +205,13 @@ in {
enable = true;
enableSSHSupport = true;
enableBrowserSocket = true;
+ pinentryPackage = pkgs.writeShellScriptBin "pinentry-auto" ''
+ if [ -n "$WAYLAND_DISPLAY" ] || [ -n "$DISPLAY" ]; then
+ exec ${pkgs.pinentry-gnome3}/bin/pinentry-gnome3 "$@"
+ else
+ exec ${pkgs.pinentry-gnome3}/bin/pinentry-curses "$@"
+ fi
+ '';
};
kdeconnect.enable = true;
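Review bot: The fallback branch executes `${pkgs.pinentry-gnome3}/bin/pinentry-curses`, but `pinentry-gnome3` is the GNOME-flavoured build and, unless it is also built with the curses flavour, that path does not exist and every non-graphical `gpg` call (remote SSH session, plain TTY) fails with a missing pinentry instead of prompting; `exec ${pkgs.pinentry-curses}/bin/pinentry-curses "$@"` is the safe form. Also worth a comment on the wrapper: the `$WAYLAND_DISPLAY`/`$DISPLAY` test sees gpg-agent's environment, not the calling client's, and if I recall correctly gpg-agent hands the display to pinentry via Assuan options rather than the environment, so confirm the branch selection by running `gpg` once from a terminal and once from a TTY.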
@@ -272,6 +285,7 @@ in {
cnijfilter2
];
};
+ saned.enable = true;
avahi.enable = true;
samba-wsdd = {
enable = true;
@@ -297,22 +311,30 @@ in {
allowedUDPPorts = [3702];
};
- fonts.packages = with pkgs; [
- nerd-fonts.hack
- arkpandora_ttf
- corefonts
- dejavu_fonts
- font-awesome
- freefont_ttf
- hack-font
- liberation_ttf
- libertine
- noto-fonts
- noto-fonts-emoji
- terminus_font_ttf
- ubuntu_font_family
- unifont
- ];
+ fonts = {
+ enableDefaultPackages = true;
+ packages = with pkgs; [
+ arkpandora_ttf
+ corefonts
+ dejavu_fonts
+ fira-code
+ fira-code-symbols
+ fira-math
+ fira-mono
+ fira-sans
+ font-awesome
+ freefont_ttf
+ hack-font
+ liberation_ttf
+ libertine
+ nerd-fonts.hack
+ noto-fonts
+ noto-fonts-color-emoji
+ terminus_font_ttf
+ ubuntu-classic
+ unifont
+ ];
+ };
documentation = {
enable = true;
diff --git a/nixos/modules/develop.nix b/nixos/modules/develop.nix
index 6444473..587477f 100644
--- a/nixos/modules/develop.nix
+++ b/nixos/modules/develop.nix
@@ -32,6 +32,7 @@ in {
vim-vint
nodePackages.vim-language-server
vale
+ can-utils
# Required for neovim plugins
editorconfig-checker
@@ -43,12 +44,13 @@ in {
cachix
nurl
nil
- nixfmt-rfc-style
+ nixfmt
alejandra
statix
deadnix
agenix
nix-tree
+ nix-output-monitor
# Shell
dash # Posix shell
@@ -63,7 +65,7 @@ in {
# C
clang-tools
massif-visualizer
- qcachegrind
+ elf-size-analyze
# Python
(python3.withPackages (pypkgs:
@@ -88,7 +90,7 @@ in {
pygal
python-gitlab
- PyGithub
+ pygithub
schema
jinja2
@@ -112,6 +114,9 @@ in {
pylxd
selenium
+
+ pyvisa
+ pyvisa-py
]))
ruff
geckodriver
@@ -164,6 +169,9 @@ in {
# Images
imagemagick
+
+ # S3
+ rclone
];
programs.wireshark = {
enable = true;
@@ -179,13 +187,19 @@ in {
doc.enable = true;
};
- services.udev.extraRules = ''
- SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="3748", MODE:="0660", GROUP="develop", SYMLINK+="stlinkv2_%n"
- SUBSYSTEMS=="usb", ATTRS{idVendor}=="a600", ATTRS{idProduct}=="a003", MODE:="0660", GROUP="develop", SYMLINK+="aix_forte_%n"
- SUBSYSTEMS=="usb", ATTRS{idVendor}=="1366", ATTRS{idProduct}=="0105", MODE:="0660", GROUP="develop", SYMLINK+="jlink_%n"
- SUBSYSTEMS=="usb", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="2111", MODE:="0660", GROUP="develop", SYMLINK+="cmsip_dap_%n"
- SUBSYSTEMS=="usb", ATTRS{idVendor}=="1ab1", ATTRS{idProduct}=="0e11", MODE:="0660", GROUP="develop"
- '';
+ services = {
+ udev.extraRules = ''
+ SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="3748", MODE:="0660", GROUP="develop", SYMLINK+="stlinkv2_%n"
+ SUBSYSTEMS=="usb", ATTRS{idVendor}=="a600", ATTRS{idProduct}=="a003", MODE:="0660", GROUP="develop", SYMLINK+="aix_forte_%n"
+ SUBSYSTEMS=="usb", ATTRS{idVendor}=="1366", ATTRS{idProduct}=="0105", MODE:="0660", GROUP="develop", SYMLINK+="jlink_%n"
+ SUBSYSTEMS=="usb", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="2111", MODE:="0660", GROUP="develop", SYMLINK+="cmsip_dap_%n"
+ SUBSYSTEMS=="usb", ATTRS{idVendor}=="1ab1", ATTRS{idProduct}=="0e11", MODE:="0660", GROUP="develop"
+ SUBSYSTEMS=="usb", ATTRS{idVendor}=="303a", ATTRS{idProduct}=="1001", MODE:="0660", GROUP="develop", TAG+="uaccess"
+ SUBSYSTEMS=="usb", ATTRS{idVendor}=="303a", ATTRS{idProduct}=="1002", MODE:="0660", GROUP="develop", TAG+="uaccess"
+ '';
+
+ guix.enable = true;
+ };
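Review bot: The two new rules for `303a:1001` and `303a:1002` add `TAG+="uaccess"` on top of `GROUP="develop"`, which grants the currently logged-in seat user an ACL on the device regardless of group membership, while the five rules above rely on the `develop` group alone; if the widening is deliberate (e.g. tooling that runs as a user outside `develop`), a short comment on those two lines would stop the next reader from "fixing" the inconsistency, and if it is not, drop the tag so the group stays the single access control. `guix.enable = true;` also lands silently inside the restructured `services` block; it starts a second build daemon with its own build users, which deserves at least a one-line comment on why it is wanted here.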
virtualisation = {
containers.enable = true;
@@ -194,10 +208,6 @@ in {
autoPrune.enable = true;
storageDriver = "btrfs";
};
- lxd = {
- enable = true;
- recommendedSysctlSettings = true;
- };
lxc.enable = true;
libvirtd.enable = true;
spiceUSBRedirection.enable = true;
diff --git a/nixos/modules/gaming.nix b/nixos/modules/gaming.nix
index 6dce70d..e939bf2 100644
--- a/nixos/modules/gaming.nix
+++ b/nixos/modules/gaming.nix
@@ -18,7 +18,10 @@ in {
config = mkIf cnf {
cynerd.desktop.enable = true;
- environment.systemPackages = [pkgs.heroic];
+ environment.systemPackages = with pkgs; [
+ heroic
+ prismlauncher
+ ];
nixpkgs.config.permittedInsecurePackages = [
"SDL_ttf-2.0.11" # TODO
@@ -34,8 +37,8 @@ in {
extraPkgs = pkgs:
with pkgs; [
ncurses
- xorg.libXpm
- #flac134
+ libxpm
+ flac134
libopus
];
};
@@ -43,8 +46,8 @@ in {
extraPkgs = pkgs:
with pkgs; [
ncurses
- xorg.libXpm
- #flac134
+ libxpm
+ flac134 # For Nebuchadnezzar
libopus
SDL
SDL2_image
@@ -53,7 +56,7 @@ in {
SDL_image
SDL_mixer
SDL_ttf
- glew110
+ glew_1_10
libdrm
libidn
tbb
diff --git a/nixos/modules/generic.nix b/nixos/modules/generic.nix
index e029058..3e8abaf 100644
--- a/nixos/modules/generic.nix
+++ b/nixos/modules/generic.nix
@@ -10,14 +10,6 @@ in {
extraOptions = "experimental-features = nix-command flakes";
settings = {
auto-optimise-store = true;
- substituters = [
- "https://thefloweringash-armv7.cachix.org"
- "https://arm.cachix.org"
- ];
- trusted-public-keys = [
- "thefloweringash-armv7.cachix.org-1:v+5yzBD2odFKeXbmC+OPWVqx4WVoIVO6UXgnSAWFtso="
- "arm.cachix.org-1:K3XjAeWPgWkFtSS9ge5LJSLw3xgnNqyOaG7MDecmTQ8="
- ];
trusted-users = ["@wheel"];
};
registry = {
@@ -37,8 +29,8 @@ in {
kernelPackages = mkOverride 1100 pkgs.linuxPackages_latest;
kernelParams = ["boot.shell_on_fail"];
};
- hardware.enableAllFirmware = true;
- services.fwupd.enable = mkDefault (pkgs.system == "x86_64-linux");
+ hardware.enableAllFirmware = mkDefault true;
+ services.fwupd.enable = mkDefault (pkgs.stdenv.hostPlatform.system == "x86_64-linux");
systemd.oomd.enable = false;
networking = {
diff --git a/nixos/modules/homeassistant.nix b/nixos/modules/homeassistant.nix
new file mode 100644
index 0000000..f7ebe9c
--- /dev/null
+++ b/nixos/modules/homeassistant.nix
@@ -0,0 +1,57 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib) mkOption mkEnableOption types mkIf;
+ cnf = config.cynerd.ha;
+in {
+ options.cynerd.ha = {
+ enable = mkEnableOption "Home assistant setup on the primary router.";
+ domain = mkOption {
+ type = with types; str;
+ description = "The domain name of the system.";
+ };
+ extraOptions = mkOption {
+ type = with types; listOf str;
+ default = [];
+ description = "Extra options passed to the container.";
+ };
+ };
+
+ config = mkIf cnf.enable {
+ virtualisation.oci-containers = {
+ backend = "podman";
+ containers.homeassistant = {
+ volumes = ["home-assistant:/config" "/run/dbus:/run/dbus:ro"];
+ environment.TZ = "Europe/Prague";
+ image = "ghcr.io/home-assistant/armv7-homeassistant:latest";
+ extraOptions =
+ ["--privileged" "--network=host"]
+ ++ cnf.extraOptions;
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "${cnf.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:8123";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ };
+ };
+ };
+ };
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "cynerd+acme@email.cz";
+ certs."${cnf.domain}" = {};
+ };
+
+ networking.firewall.allowedTCPPorts = [80 443];
+ };
+}
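Review bot: The container under `containers.homeassistant` runs with `--privileged` and `--network=host`, pulls an unpinned `:latest` tag, and has the host D-Bus socket mounted in, so every pull can change what runs as an all-capabilities process in the router's network namespace. If privileged mode is needed for device passthrough, record that above the line, e.g. `# --privileged: needed for <device passthrough — TODO confirm>; narrow to --device/--cap-add once known`, and consider pinning the image by digest so upgrades are deliberate rather than whatever the registry serves next. The nginx part reads fine; `proxyPass` to `localhost:8123` works because of host networking, and the firewall opens only 80 and 443.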
diff --git a/nixos/modules/hosts.nix b/nixos/modules/hosts.nix
index 4b358b8..6d901e0 100644
--- a/nixos/modules/hosts.nix
+++ b/nixos/modules/hosts.nix
@@ -19,7 +19,7 @@ in {
default = true;
description = "Use my personal static hosts";
};
- vpn = staticZoneOption;
+ zd = staticZoneOption;
wg = staticZoneOption;
spt = staticZoneOption;
adm = staticZoneOption;
@@ -28,9 +28,20 @@ in {
config = {
cynerd.hosts = {
- vpn = {
- "lipwig" = "10.8.0.1";
- "adm-omnia" = "10.8.0.51";
+ zd = {
+ # Network
+ "mox" = "10.8.0.1";
+ "one0" = "10.8.0.2";
+ "camera1" = "10.8.0.21";
+ "camera2" = "10.8.0.22";
+ # Local
+ "ridcully" = "10.8.0.59";
+ "dribbler" = "10.8.0.60";
+ "tc" = "10.8.0.99";
+ "vb" = "10.8.0.98";
+ "printer" = "10.8.0.90";
+ # Portable
+ "binky" = "10.8.0.63";
};
wg = {
"lipwig" = "10.8.1.1";
@@ -40,6 +51,7 @@ in {
# Endpoints
"spt-omnia" = "10.8.1.50";
"adm-omnia" = "10.8.1.51";
+ "zd-mox" = "10.8.1.52";
# Endpoints without routing
"dean" = "10.8.1.59";
};
@@ -51,7 +63,6 @@ in {
# Local
"mpd" = "10.8.2.51";
"errol" = "10.8.2.60";
- "printer" = "10.8.2.90";
# Portable
"albert" = "10.8.2.61";
"binky" = "10.8.2.63";
@@ -61,7 +72,6 @@ in {
"omnia" = "10.8.3.1";
"omnia2" = "10.8.3.3";
# Local
- "ridcully" = "10.8.3.60";
"3dprint" = "10.8.3.80";
"mpd" = "10.8.3.51";
"printer" = "192.168.1.20";
@@ -72,15 +82,19 @@ in {
};
networking.hosts = mkIf cnf.enable {
- # VPN
- "${cnf.vpn.lipwig}" = ["lipwig.vpn"];
- "${cnf.vpn.adm-omnia}" = ["adm.vpn"];
+ # Zd
+ "${cnf.zd.mox}" = ["mox.zd"];
+ "${cnf.zd.one0}" = ["one0.zd"];
+ "${cnf.zd.ridcully}" = ["ridcully"];
+ "${cnf.zd.tc}" = ["tc.zd"];
+ "${cnf.zd.binky}" = ["binky.zd"];
# Wireguard
"${cnf.wg.lipwig}" = ["lipwig.wg"];
"${cnf.wg.binky}" = ["binky.wg"];
"${cnf.wg.android}" = ["android.wg"];
"${cnf.wg.spt-omnia}" = ["spt.wg"];
"${cnf.wg.adm-omnia}" = ["adm.wg"];
+ "${cnf.wg.zd-mox}" = ["zd.wg"];
"${cnf.wg.dean}" = ["dean" "dean.wg"];
# Spt
"${cnf.spt.omnia}" = ["omnia.spt"];
@@ -88,14 +102,13 @@ in {
"${cnf.spt.mox2}" = ["mox2.spt"];
"10.8.2.4" = ["mi3g.spt"];
"${cnf.spt.mpd}" = ["mpd.spt"];
- "${cnf.spt.errol}" = ["errol" "desktop.spt"];
+ "${cnf.spt.errol}" = ["errol"];
"${cnf.spt.albert}" = ["albert.spt"];
"${cnf.spt.binky}" = ["binky.spt"];
# Adm
"${cnf.adm.omnia}" = ["omnia.adm"];
"10.8.3.2" = ["redmi.adm"];
"${cnf.adm.omnia2}" = ["omnia2.adm"];
- "${cnf.adm.ridcully}" = ["ridcully" "desktop.adm"];
"${cnf.adm.albert}" = ["albert.adm"];
"${cnf.adm.binky}" = ["binky.adm"];
"${cnf.adm."3dprint"}" = ["3dprint"];
diff --git a/nixos/modules/openwrtone.nix b/nixos/modules/openwrtone.nix
new file mode 100644
index 0000000..40c1ed6
--- /dev/null
+++ b/nixos/modules/openwrtone.nix
@@ -0,0 +1,119 @@
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ extendModules,
+ ...
+}: let
+ inherit (lib) mkEnableOption mkIf mkDefault;
+ variant = extendModules {
+ modules = [
+ {
+ boot.postBootCommands = ''
+ # On the first boot do some maintenance tasks
+ if [ -f /nix-path-registration ]; then
+ set -euo pipefail
+
+ # Register the contents of the initial Nix store
+ ${config.nix.package.out}/bin/nix-store --load-db < /nix-path-registration
+
+ # nixos-rebuild also requires a "system" profile and an /etc/NIXOS tag.
+ touch /etc/NIXOS
+ ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
+
+ # Prevents this from running on later boots.
+ rm -f /nix-path-registration
+ fi
+ '';
+ # We do not have generations in the initial image
+ boot.loader.generic-extlinux-compatible.configurationLimit = 0;
+ }
+ ];
+ };
+ inherit (variant.config.system.build) toplevel;
+in {
+ options.cynerd.openwrtone = mkEnableOption "Configuration for OpenWrt One";
+
+ config = mkIf config.cynerd.openwrtone {
+ nixpkgs = {
+ hostPlatform = {
+ config = "aarch64-unknown-linux-gnu";
+ system = "aarch64-linux";
+ };
+ buildPlatform = {
+ config = "x86_64-unknown-linux-gnu";
+ system = "x86_64-linux";
+ };
+ };
+
+ # We do not need Grub as U-Boot supports boot using extlinux like file
+ boot = {
+ loader = {
+ grub.enable = mkDefault false;
+ systemd-boot.enable = mkDefault false;
+ generic-extlinux-compatible.enable = mkDefault true;
+ };
+
+ # Use OpenWrt One specific kernel. It fixes SError with patch.
+ kernelPackages = mkDefault (pkgs.linuxPackagesFor pkgs.linuxOpenWrtOne);
+ kernelParams = [
+ "fw_devlink=permissive"
+ "clk_ignore_unused"
+ ];
+
+ initrd = {
+ kernelModules = ["pcie-mediatek-gen3" "nvme"];
+ # This includes modules to support common PC manufacturers but is not
+ # something required on embedded device.
+ includeDefaultModules = false;
+ supportedFilesystems = ["btrfs"];
+ };
+ supportedFilesystems = ["btrfs"];
+ };
+ hardware.deviceTree.name = mkDefault "mediatek/mt7981b-openwrt-one.dtb";
+
+ # Cover nix memory consumption peaks by compressing the RAM
+ zramSwap = mkDefault {
+ enable = true;
+ memoryPercent = 80;
+ };
+
+ fileSystems = {
+ "/boot" = mkDefault {
+ device = "/dev/nvme0n1p1";
+ fsType = "vfat";
+ };
+ "/" = mkDefault {
+ device = "/dev/nvme0n1p2";
+ fsType = "btrfs";
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ iw
+ ];
+
+ # No need for installer tools in standard system
+ system.disableInstallerTools = true;
+ # No need for NixOS documentation in headless system
+ documentation.nixos.enable = mkDefault false;
+
+ system.build.tarball = pkgs.callPackage "${modulesPath}/../lib/make-system-tarball.nix" {
+ extraCommands = pkgs.buildPackages.writeShellScript "tarball-extra-commands" ''
+ ${variant.config.boot.loader.generic-extlinux-compatible.populateCmd} \
+ -c ${toplevel} -d ./boot
+ '';
+ contents = [];
+
+ storeContents =
+ map (x: {
+ object = x;
+ symlink = "none";
+ }) [
+ toplevel
+ pkgs.stdenv
+ ];
+ };
+ };
+}
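Review bot: The `fileSystems` entries mount `/dev/nvme0n1p1` and `/dev/nvme0n1p2` by kernel device path; if another block device enumerates first these names move, so `device = "/dev/disk/by-label/<label>"` or a UUID would be sturdier for root and boot (the tarball build here does not show how the partitions are labelled, so use whatever the image script sets). A smaller point: in `boot.postBootCommands` the `set -euo pipefail` sits inside the `if` but presumably stays in effect for anything concatenated after this snippet, since other modules can append to the same option; placing it before the `if` with a comment, or wrapping the first-boot work in a subshell, makes the intended scope explicit.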
diff --git a/nixos/modules/packages.nix b/nixos/modules/packages.nix
index 155d8a5..e97229f 100644
--- a/nixos/modules/packages.nix
+++ b/nixos/modules/packages.nix
@@ -1,11 +1,11 @@
{
- config,
lib,
pkgs,
...
}: let
inherit (lib) optionals;
- isNative = config.nixpkgs.hostPlatform == config.nixpkgs.buildPlatform;
+ inherit (pkgs.stdenv.hostPlatform) isx86_64;
+ isNative = pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform;
in {
nixpkgs = {
config.allowUnfree = true;
@@ -41,12 +41,12 @@ in {
btop
iotop
mc
- tmux
# ls tools
tree
lsof
strace
+ ripgrep
sourceHighlight # Colors for less
unrar
@@ -63,15 +63,12 @@ in {
wakeonlan
speedtest-cli
librespeed-cli
- #termshark
+ termshark
w3m
lm_sensors
]
- ++ optionals (system != "armv7l-linux") [
- ranger
- ]
- ++ optionals (system == "x86_64-linux") [
+ ++ optionals isx86_64 [
nmap
ltrace
pv
diff --git a/nixos/modules/router.nix b/nixos/modules/router.nix
index 224037b..1c8f4cc 100644
--- a/nixos/modules/router.nix
+++ b/nixos/modules/router.nix
@@ -178,12 +178,11 @@ in {
services.resolved = {
enable = true;
- dnssec = "true";
- fallbackDns = ["1.1.1.1" "8.8.8.8"];
- extraConfig = ''
- DNSStubListenerExtra=${cnf.lanIP}
- DNSStubListenerExtra=192.168.1.1
- '';
+ settings.Resolve = {
+ FallbackDNS = ["1.1.1.1" "8.8.8.8"];
+ DNSStubListenerExtra=[cnf.lanIP "192.168.1.1"];
+ # TODO possibly enforce DNSSEC again
+ };
};
};
}
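Review bot: Dropping `dnssec = "true"` while migrating to `settings.Resolve` leaves DNSSEC validation at whatever the module default is, which is a silent downgrade for every client of the stub listener on `cnf.lanIP` and `192.168.1.1`; the TODO acknowledges it, but the choice should be explicit, e.g. `DNSSEC = "allow-downgrade";` plus a comment on why strict mode was dropped, so the decision is visible in the config rather than inherited. Style: `DNSStubListenerExtra=[cnf.lanIP "192.168.1.1"];` lacks the spaces around `=` that the neighbouring `FallbackDNS` line uses.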
diff --git a/nixos/modules/syncthing.nix b/nixos/modules/syncthing.nix
index 1148da6..eab61c7 100644
--- a/nixos/modules/syncthing.nix
+++ b/nixos/modules/syncthing.nix
@@ -58,8 +58,8 @@ in {
devices = allDevices;
ignorePerms = false;
};
- "${baseDir}/pictures" = {
- label = "Pictures";
+ "${baseDir}/images" = {
+ label = "Images";
id = "pictures";
devices = bigStorageDevices;
ignorePerms = false;
diff --git a/nixos/modules/users.nix b/nixos/modules/users.nix
index 7d0dc77..24eedb5 100644
--- a/nixos/modules/users.nix
+++ b/nixos/modules/users.nix
@@ -3,8 +3,8 @@
config,
...
}: let
- isNative = config.nixpkgs.hostPlatform == config.nixpkgs.buildPlatform;
- isArm = pkgs.hostPlatform.isAarch;
+ isNative = pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform;
+ isArm = pkgs.stdenv.hostPlatform.isAarch;
in {
users = {
mutableUsers = false;
@@ -43,12 +43,25 @@ in {
};
};
- security.sudo.extraRules = [
- {
- groups = ["wheel"];
- commands = ["ALL"];
- }
- ];
+ security = {
+ doas = {
+ enable = true;
+ extraRules = [
+ {
+ groups = ["wheel"];
+ keepEnv = true;
+ persist = true;
+ }
+ ];
+ };
+
+ sudo.extraRules = [
+ {
+ groups = ["wheel"];
+ commands = ["ALL"];
+ }
+ ];
+ };
services.openssh = {
enable = true;
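Review bot: The new doas rule for `wheel` sets `keepEnv = true`, which hands the caller's environment to the root session largely as-is; unless a specific variable is needed it is safer to leave `keepEnv` off and name the required variables in the rule's `setEnv` list, with a comment such as `# keepEnv: needed for <reason — TODO>`. With `persist = true` the password is cached for the session, and since `sudo.extraRules` for the same group stays alongside, two privilege paths now have to be kept consistent; a one-line comment stating which is primary and why the other remains would help the next reader. The enclosing attribute set continues past the hunk.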
@@ -72,6 +85,8 @@ in {
enable = !isArm;
defaultEditor = !isArm;
withNodeJs = true;
+ withPython3 = true;
+ withRuby = true;
};
};
diff --git a/nixos/modules/wifi-client.nix b/nixos/modules/wifi-client.nix
index b82633d..07eb686 100644
--- a/nixos/modules/wifi-client.nix
+++ b/nixos/modules/wifi-client.nix
@@ -22,7 +22,8 @@ in {
enable = true;
networks = config.secrets.wifiNetworks;
secretsFile = "/run/secrets/wifi.secrets";
- userControlled.enable = true;
+ userControlled = true;
};
+ users.users.cynerd.extraGroups = ["wpa_supplicant"];
};
}
diff --git a/nixos/modules/wifi-zd.nix b/nixos/modules/wifi-zd.nix
new file mode 100644
index 0000000..107fdf4
--- /dev/null
+++ b/nixos/modules/wifi-zd.nix
@@ -0,0 +1,137 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib) mkOption mkEnableOption types mkIf mkForce mkMerge hostapd elemAt;
+ cnf = config.cynerd.wifiAP.zd;
+
+ wifi-networks = name: let
+ is2g = cnf."${name}".channel <= 14;
+ in {
+ "${cnf."${name}".interface}" = {
+ bssid = elemAt cnf."${name}".bssids 0;
+ ssid = "UNas${
+ if is2g
+ then ""
+ else "5"
+ }";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-UNas.pass";
+ };
+ settings = mkIf is2g {
+ ieee80211w = 0;
+ wpa_key_mgmt = mkForce "WPA-PSK"; # force use without sha256
+ };
+ };
+ "${cnf."${name}".interface}.guest" = {
+ bssid = elemAt cnf."${name}".bssids 1;
+ ssid = "Koci";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-Koci.pass";
+ };
+ };
+ };
+
+ net-networks = name: {
+ "lan-${cnf."${name}".interface}" = {
+ matchConfig = {
+ Name = cnf."${name}".interface;
+ WLANInterfaceType = "ap";
+ };
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ EgressUntagged = 1;
+ PVID = 1;
+ }
+ ];
+ };
+ "lan-${cnf."${name}".interface}-guest" = {
+ matchConfig.Name = "${cnf."${name}".interface}.guest";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ EgressUntagged = 2;
+ PVID = 2;
+ }
+ ];
+ };
+ };
+
+ wOptions = card: channelDefault: {
+ interface = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ description = "Specify interface for ${card}";
+ };
+ bssids = mkOption {
+ type = with types; listOf str;
+ default = [];
+ description = "BSSIDs for networks.";
+ };
+ channel = mkOption {
+ type = types.ints.positive;
+ default = channelDefault;
+ description = "Channel to be used for ${card}";
+ };
+ };
+in {
+ options = {
+ cynerd.wifiAP.zd = {
+ enable = mkEnableOption "Enable Wi-Fi Access Point support";
+ ar9287 = wOptions "Qualcom Atheros AR9287" 7;
+ qca988x = wOptions "Qualcom Atheros QCA988x" 36;
+ };
+ };
+
+ config = mkIf cnf.enable {
+ # TODO regdom doesn't work for some reason
+ boot.extraModprobeConfig = ''
+ options cfg80211 ieee80211_regdom="CZ"
+ '';
+ services.hostapd = {
+ enable = true;
+ radios = mkMerge [
+ (mkIf (cnf.ar9287.interface != null) {
+ "${cnf.ar9287.interface}" = {
+ inherit (cnf.ar9287) channel;
+ countryCode = "CZ";
+ wifi4 = {
+ enable = true;
+ inherit (hostapd.qualcomAtherosAR9287.wifi4) capabilities;
+ };
+ networks = wifi-networks "ar9287";
+ };
+ })
+ (mkIf (cnf.qca988x.interface != null) {
+ "${cnf.qca988x.interface}" = let
+ is2g = cnf.qca988x.channel <= 14;
+ in {
+ inherit (cnf.qca988x) channel;
+ countryCode = "CZ";
+ band =
+ if is2g
+ then "2g"
+ else "5g";
+ wifi4 = {
+ enable = true;
+ inherit (hostapd.qualcomAtherosQCA988x.wifi4) capabilities;
+ };
+ wifi5 = {
+ enable = !is2g;
+ inherit (hostapd.qualcomAtherosQCA988x.wifi5) capabilities;
+ };
+ networks = wifi-networks "qca988x";
+ };
+ })
+ ];
+ };
+ systemd.network.networks = mkMerge [
+ (mkIf (cnf.ar9287.interface != null) (net-networks "ar9287"))
+ (mkIf (cnf.qca988x.interface != null) (net-networks "qca988x"))
+ ];
+ };
+}
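Review bot: In `wifi-networks` the 2.4 GHz `settings` set `ieee80211w = 0` and force `wpa_key_mgmt` to plain `WPA-PSK`, which turns off management-frame protection and the SHA-256 AKM on that band while `mode = "wpa2-sha256"` two lines above suggests the opposite; the inline comment says only "force use without sha256", so state the compatibility reason, e.g. `# legacy 2.4 GHz clients cannot do PMF/SHA-256 AKM; 5 GHz keeps wpa2-sha256`, and if the clients tolerate it `ieee80211w = 1` (optional PMF) is a smaller concession than 0. Separately, `elemAt cnf."${name}".bssids 0` and `... 1` are evaluated whenever the card's interface is set, but `bssids` defaults to `[]`, so an interface without BSSIDs fails with a bare list-index error; an `assertions` entry checking `length cnf.<card>.bssids >= 2` for each enabled card would give a readable message.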
diff --git a/nixos/modules/wireguard.nix b/nixos/modules/wireguard.nix
index b49eaae..4fd942c 100644
--- a/nixos/modules/wireguard.nix
+++ b/nixos/modules/wireguard.nix
@@ -6,7 +6,7 @@
}: let
inherit (lib) any all mkEnableOption mkIf mapAttrsToList optional optionals optionalAttrs filterAttrs;
inherit (config.networking) hostName;
- endpoints = ["lipwig" "spt-omnia" "adm-omnia"];
+ endpoints = ["lipwig" "spt-omnia" "adm-omnia" "zd-mox"];
is_endpoint = any (v: v == hostName) endpoints;
in {
options = {
@@ -53,6 +53,15 @@ in {
PublicKey = config.secrets.wireguardPubs.adm-omnia;
}
// (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;}))
+ ({
+ Endpoint = "zd.cynerd.cz:51820";
+ AllowedIPs = [
+ "${config.cynerd.hosts.wg.zd-mox}/32"
+ "10.8.0.0/24"
+ ];
+ PublicKey = config.secrets.wireguardPubs.zd-mox;
+ }
+ // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;}))
]
++ (optionals is_endpoint (mapAttrsToList (n: v: {
AllowedIPs = "${config.cynerd.hosts.wg."${n}"}/32";
@@ -77,6 +86,12 @@ in {
Gateway = config.cynerd.hosts.wg.adm-omnia;
Destination = "10.8.3.0/24";
Metric = 2048;
+ })
+ ++ (optional (hostName != "zd-mox") {
+ # ZD network
+ Gateway = config.cynerd.hosts.wg.zd-mox;
+ Destination = "10.8.0.0/24";
+ Metric = 2048;
});
};
};