Diffstat (limited to 'nixos')
-rw-r--r--nixos/configurations/lipwig.nix16
-rw-r--r--nixos/configurations/zd-mox.nix126
-rw-r--r--nixos/modules/desktop.nix8
-rw-r--r--nixos/modules/develop.nix3
-rw-r--r--nixos/modules/hosts.nix17
-rw-r--r--nixos/modules/packages.nix1
-rw-r--r--nixos/modules/wifi-zd.nix137
7 files changed, 290 insertions, 18 deletions
diff --git a/nixos/configurations/lipwig.nix b/nixos/configurations/lipwig.nix
index 5855b6d..ab61898 100644
--- a/nixos/configurations/lipwig.nix
+++ b/nixos/configurations/lipwig.nix
@@ -245,6 +245,7 @@
forms
groupfolders
impersonate
+ maps
memories
notes
onlyoffice
@@ -255,15 +256,15 @@
twofactor_webauthn
;
# Additional modules can be fetched with:
- # NEXTCLOUD_VERSIONS=30 nix run nixpkgs#nc4nix -- -apps "passwords,money,integration_github,integration_gitlab"
+ # NEXTCLOUD_VERSIONS=31 nix run nixpkgs#nc4nix -- -apps "passwords,money,integration_github,integration_gitlab"
integration_github = pkgs.fetchNextcloudApp {
- url = "https://github.com/nextcloud-releases/integration_github/releases/download/v3.1.1/integration_github-v3.1.1.tar.gz";
- hash = "sha256-nm463H33WyXTJkb7+OSsunARNuSl5nc3uGClgwkVvhM=";
+ url = "https://github.com/nextcloud-releases/integration_github/releases/download/v3.2.1/integration_github-v3.2.1.tar.gz";
+ hash = "sha256-iBWphFaXmQHNxgoi9qkfV7vCTChwtk6yg0aVr9Lhn4c=";
license = "agpl3Plus";
};
integration_gitlab = pkgs.fetchNextcloudApp {
- url = "https://github.com/nextcloud-releases/integration_gitlab/releases/download/v3.1.2/integration_gitlab-v3.1.2.tar.gz";
- hash = "sha256-nCH0DqYmr4T856sOU5PhSK6WAHIF9mnYThgytxEbkNA=";
+ url = "https://github.com/nextcloud-releases/integration_gitlab/releases/download/v3.2.0/integration_gitlab-v3.2.0.tar.gz";
+ hash = "sha256-BDDuqQIDV3pn1mYutjA7Z3L2nib2wW6DlZgyqU46f8Q=";
license = "agpl3Plus";
};
money = pkgs.fetchNextcloudApp {
@@ -276,11 +277,6 @@
hash = "sha256-v4IVpqbTN3TKORESFX+sJsiSrLkUc0b5Stj8CmznSIw=";
license = "agpl3Plus";
};
- maps = pkgs.fetchNextcloudApp {
- url = "https://github.com/nextcloud/maps/releases/download/v1.6.0-3-nightly/maps-1.6.0-3-nightly.tar.gz";
- hash = "sha256-E0S/CwXyye19lcuiONEQCyHJqlL0ZG1A9Q7oOTEZH1g=";
- license = "agpl3Plus";
- };
};
};
# OnlyOffice ###############################################################
diff --git a/nixos/configurations/zd-mox.nix b/nixos/configurations/zd-mox.nix
new file mode 100644
index 0000000..07da891
--- /dev/null
+++ b/nixos/configurations/zd-mox.nix
@@ -0,0 +1,126 @@
+{config, ...}: let
+ hosts = config.cynerd.hosts.zd;
+in {
+ system.stateVersion = "25.05";
+ turris.board = "mox";
+ deploy = {
+ enable = true;
+ ssh.host = "zd.cynerd.cz";
+ };
+
+ cynerd = {
+ router = {
+ enable = true;
+ wan = "pppoe-wan";
+ lanIP = hosts.mox;
+ staticLeases = {
+ "4c:d5:77:0d:85:d9" = hosts.binky;
+ };
+ };
+ wifiAP.zd = {
+ enable = false;
+ qca988x = {
+ interface = "wlp1s0";
+ bssids = config.secrets.wifiMacs.zd-mox.qca988x;
+ channel = 36;
+ };
+ };
+ wireguard = true;
+ monitoring.speedtest = true;
+ };
+
+ services = {
+ journald.extraConfig = ''
+ SystemMaxUse=512M
+ '';
+
+ btrfs.autoScrub = {
+ enable = true;
+ fileSystems = ["/"];
+ };
+
+ fail2ban = {
+ enable = true;
+ ignoreIP = ["10.8.0.0/24" "10.8.1.0/24" "10.8.2.0/24"];
+ };
+ };
+
+ networking.useDHCP = false;
+ systemd.network = {
+ netdevs = {
+ "end2.848" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "end2.848";
+ };
+ vlanConfig.Id = 848;
+ };
+ };
+ networks = {
+ "end2" = {
+ matchConfig.Name = "end2";
+ networkConfig.VLAN = ["end2.848"];
+ };
+ "end2.848" = {
+ matchConfig.Name = "end2.848";
+ networkConfig.BindCarrier = "end2";
+ };
+ "pppoe-wan" = {
+ matchConfig.Name = "pppoe-wan";
+ networkConfig = {
+ BindCarrier = "end2.848";
+ DHCP = "ipv6";
+ IPv6AcceptRA = "no";
+ DHCPPrefixDelegation = "yes";
+ #DNS = ["84.19.64.3" "84.19.64.4" "1.1.1.1"];
+ DNS = "1.1.1.1";
+ };
+ dhcpV6Config = {
+ PrefixDelegationHint = "::/56";
+ UseDNS = "no";
+ };
+ dhcpPrefixDelegationConfig = {
+ UplinkInterface = ":self";
+ SubnetId = 0;
+ Announce = "no";
+ };
+ linkConfig.RequiredForOnline = "routable";
+ };
+ "lan-brlan" = {
+ matchConfig.Name = "lan*";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ EgressUntagged = 1;
+ PVID = 1;
+ }
+ {VLAN = 2;}
+ ];
+ };
+ };
+ };
+
+ services.pppd = {
+ enable = true;
+ peers."wan".config = ''
+ plugin pppoe.so end2.848
+ ifname pppoe-wan
+ lcp-echo-interval 1
+ lcp-echo-failure 5
+ lcp-echo-adaptive
+ defaultroute
+ defaultroute6
+ maxfail 1
+ # user and password added in secrets
+ '';
+ };
+ systemd.services."pppd-wan" = {
+ after = ["sys-subsystem-net-devices-end2.848.device"];
+ partOf = ["systemd-networkd.service"];
+ };
+ # TODO limit NSS clamping to just pppoe-wan
+ networking.firewall.extraForwardRules = ''
+ tcp flags syn tcp option maxseg size set rt mtu comment "Needed for PPPoE to fix IPv4"
+ iifname {"home", "wg"} oifname {"home", "wg"} accept
+ '';
+}
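Review bot: The `fail2ban.ignoreIP` list exempts three whole /24s from banning, and only two of them can be identified from this commit: `10.8.0.0/24` holds the `zd` hosts and `10.8.1.0/24` the WireGuard peers in hosts.nix, while `10.8.2.0/24` is not defined anywhere visible here. Any host inside an ignored range can keep retrying logins against the router without ever being banned, so if `10.8.2.0/24` turns out to be the guest segment (VLAN 2 on `brlan`) it should be dropped from the list. Either way a comment naming each range would help, e.g. `# zd LAN, WireGuard peers, <purpose of 10.8.2.0/24>`. Separately, the TODO above `extraForwardRules` presumably means MSS rather than NSS clamping.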
diff --git a/nixos/modules/desktop.nix b/nixos/modules/desktop.nix
index 06c8215..92e5b42 100644
--- a/nixos/modules/desktop.nix
+++ b/nixos/modules/desktop.nix
@@ -81,13 +81,19 @@ in {
]))
chromium
+ tangram
ferdium
signal-desktop
- libreoffice
mupdf
zathura
pdfgrep
+ libreoffice-qt6-fresh
+ hunspell
+ hunspellDicts.en_US-large
+ hunspellDicts.en_GB-large
+ hunspellDicts.cs_CZ
+
xdg-utils
xdg-launch
mesa-demos
diff --git a/nixos/modules/develop.nix b/nixos/modules/develop.nix
index 6444473..4973a92 100644
--- a/nixos/modules/develop.nix
+++ b/nixos/modules/develop.nix
@@ -112,6 +112,9 @@ in {
pylxd
selenium
+
+ pyvisa
+ pyvisa-py
]))
ruff
geckodriver
diff --git a/nixos/modules/hosts.nix b/nixos/modules/hosts.nix
index 4b358b8..5604792 100644
--- a/nixos/modules/hosts.nix
+++ b/nixos/modules/hosts.nix
@@ -19,7 +19,7 @@ in {
default = true;
description = "Use my personal static hosts";
};
- vpn = staticZoneOption;
+ zd = staticZoneOption;
wg = staticZoneOption;
spt = staticZoneOption;
adm = staticZoneOption;
@@ -28,9 +28,10 @@ in {
config = {
cynerd.hosts = {
- vpn = {
- "lipwig" = "10.8.0.1";
- "adm-omnia" = "10.8.0.51";
+ zd = {
+ "mox" = "10.8.0.1";
+ # Portable
+ "binky" = "10.8.0.63";
};
wg = {
"lipwig" = "10.8.1.1";
@@ -40,6 +41,7 @@ in {
# Endpoints
"spt-omnia" = "10.8.1.50";
"adm-omnia" = "10.8.1.51";
+ "zd-mox" = "10.8.1.52";
# Endpoints without routing
"dean" = "10.8.1.59";
};
@@ -72,15 +74,16 @@ in {
};
networking.hosts = mkIf cnf.enable {
- # VPN
- "${cnf.vpn.lipwig}" = ["lipwig.vpn"];
- "${cnf.vpn.adm-omnia}" = ["adm.vpn"];
+ # Zd
+ "${cnf.zd.mox}" = ["mox.zd"];
+ "${cnf.zd.binky}" = ["binky.zd"];
# Wireguard
"${cnf.wg.lipwig}" = ["lipwig.wg"];
"${cnf.wg.binky}" = ["binky.wg"];
"${cnf.wg.android}" = ["android.wg"];
"${cnf.wg.spt-omnia}" = ["spt.wg"];
"${cnf.wg.adm-omnia}" = ["adm.wg"];
+ "${cnf.wg.zd-mox}" = ["zd.wg"];
"${cnf.wg.dean}" = ["dean" "dean.wg"];
# Spt
"${cnf.spt.omnia}" = ["omnia.spt"];
diff --git a/nixos/modules/packages.nix b/nixos/modules/packages.nix
index 155d8a5..c41e491 100644
--- a/nixos/modules/packages.nix
+++ b/nixos/modules/packages.nix
@@ -47,6 +47,7 @@ in {
tree
lsof
strace
+ ripgrep
sourceHighlight # Colors for less
unrar
diff --git a/nixos/modules/wifi-zd.nix b/nixos/modules/wifi-zd.nix
new file mode 100644
index 0000000..107fdf4
--- /dev/null
+++ b/nixos/modules/wifi-zd.nix
@@ -0,0 +1,137 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib) mkOption mkEnableOption types mkIf mkForce mkMerge hostapd elemAt;
+ cnf = config.cynerd.wifiAP.zd;
+
+ wifi-networks = name: let
+ is2g = cnf."${name}".channel <= 14;
+ in {
+ "${cnf."${name}".interface}" = {
+ bssid = elemAt cnf."${name}".bssids 0;
+ ssid = "UNas${
+ if is2g
+ then ""
+ else "5"
+ }";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-UNas.pass";
+ };
+ settings = mkIf is2g {
+ ieee80211w = 0;
+ wpa_key_mgmt = mkForce "WPA-PSK"; # force use without sha256
+ };
+ };
+ "${cnf."${name}".interface}.guest" = {
+ bssid = elemAt cnf."${name}".bssids 1;
+ ssid = "Koci";
+ authentication = {
+ mode = "wpa2-sha256";
+ wpaPasswordFile = "/run/secrets/hostapd-Koci.pass";
+ };
+ };
+ };
+
+ net-networks = name: {
+ "lan-${cnf."${name}".interface}" = {
+ matchConfig = {
+ Name = cnf."${name}".interface;
+ WLANInterfaceType = "ap";
+ };
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ EgressUntagged = 1;
+ PVID = 1;
+ }
+ ];
+ };
+ "lan-${cnf."${name}".interface}-guest" = {
+ matchConfig.Name = "${cnf."${name}".interface}.guest";
+ networkConfig.Bridge = "brlan";
+ bridgeVLANs = [
+ {
+ EgressUntagged = 2;
+ PVID = 2;
+ }
+ ];
+ };
+ };
+
+ wOptions = card: channelDefault: {
+ interface = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ description = "Specify interface for ${card}";
+ };
+ bssids = mkOption {
+ type = with types; listOf str;
+ default = [];
+ description = "BSSIDs for networks.";
+ };
+ channel = mkOption {
+ type = types.ints.positive;
+ default = channelDefault;
+ description = "Channel to be used for ${card}";
+ };
+ };
+in {
+ options = {
+ cynerd.wifiAP.zd = {
+ enable = mkEnableOption "Enable Wi-Fi Access Point support";
+ ar9287 = wOptions "Qualcom Atheros AR9287" 7;
+ qca988x = wOptions "Qualcom Atheros QCA988x" 36;
+ };
+ };
+
+ config = mkIf cnf.enable {
+ # TODO regdom doesn't work for some reason
+ boot.extraModprobeConfig = ''
+ options cfg80211 ieee80211_regdom="CZ"
+ '';
+ services.hostapd = {
+ enable = true;
+ radios = mkMerge [
+ (mkIf (cnf.ar9287.interface != null) {
+ "${cnf.ar9287.interface}" = {
+ inherit (cnf.ar9287) channel;
+ countryCode = "CZ";
+ wifi4 = {
+ enable = true;
+ inherit (hostapd.qualcomAtherosAR9287.wifi4) capabilities;
+ };
+ networks = wifi-networks "ar9287";
+ };
+ })
+ (mkIf (cnf.qca988x.interface != null) {
+ "${cnf.qca988x.interface}" = let
+ is2g = cnf.qca988x.channel <= 14;
+ in {
+ inherit (cnf.qca988x) channel;
+ countryCode = "CZ";
+ band =
+ if is2g
+ then "2g"
+ else "5g";
+ wifi4 = {
+ enable = true;
+ inherit (hostapd.qualcomAtherosQCA988x.wifi4) capabilities;
+ };
+ wifi5 = {
+ enable = !is2g;
+ inherit (hostapd.qualcomAtherosQCA988x.wifi5) capabilities;
+ };
+ networks = wifi-networks "qca988x";
+ };
+ })
+ ];
+ };
+ systemd.network.networks = mkMerge [
+ (mkIf (cnf.ar9287.interface != null) (net-networks "ar9287"))
+ (mkIf (cnf.qca988x.interface != null) (net-networks "qca988x"))
+ ];
+ };
+}
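Review bot: In `wifi-networks` the 2.4 GHz branch sets `ieee80211w = 0` and forces `wpa_key_mgmt` to `WPA-PSK`, which turns management-frame protection off for every client on that radio, not only the legacy ones the override is presumably meant for. If those clients tolerate it, `ieee80211w = 1;` (optional MFP) would keep them connecting while letting capable clients protect deauthentication and disassociation frames; otherwise the comment should say which devices need the downgrade, e.g. `# legacy 2.4 GHz clients cannot do the SHA256 AKM or PMF`. Also, `elemAt ... bssids 0` and `bssids 1` fail at evaluation when `bssids` keeps its default `[]` or has a single entry, so an `assertions` entry checking the list length for each enabled card would give a readable error instead.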