Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/configurations/errol.nix | 7 | ||||
| -rw-r--r-- | nixos/configurations/lipwig.nix | 108 | ||||
| -rw-r--r-- | nixos/configurations/ridcully.nix | 16 | ||||
| -rw-r--r-- | nixos/configurations/spt-omnia.nix | 1 | ||||
| -rw-r--r-- | nixos/configurations/zd-mox.nix | 53 | ||||
| -rw-r--r-- | nixos/configurations/zd-one0.nix | 61 | ||||
| -rw-r--r-- | nixos/modules/desktop.nix | 8 | ||||
| -rw-r--r-- | nixos/modules/develop.nix | 5 | ||||
| -rw-r--r-- | nixos/modules/generic.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/hosts.nix | 10 | ||||
| -rw-r--r-- | nixos/modules/openwrtone.nix | 120 | ||||
| -rw-r--r-- | nixos/modules/packages.nix | 10 | ||||
| -rw-r--r-- | nixos/modules/router.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/users.nix | 4 | ||||
| -rw-r--r-- | nixos/modules/wireguard.nix | 17 |
15 files changed, 322 insertions, 102 deletions
diff --git a/nixos/configurations/errol.nix b/nixos/configurations/errol.nix index defacf3..ef634fb 100644 --- a/nixos/configurations/errol.nix +++ b/nixos/configurations/errol.nix @@ -3,13 +3,6 @@ nixpkgs.hostPlatform.system = "x86_64-linux"; deploy.enable = true; - cynerd = { - desktop.enable = true; - develop = true; - gaming = true; - openvpn.elektroline = true; - }; - boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "usb_storage"]; boot.kernelModules = ["kvm-amd"]; diff --git a/nixos/configurations/lipwig.nix b/nixos/configurations/lipwig.nix index a02f57c..5277b39 100644 --- a/nixos/configurations/lipwig.nix +++ b/nixos/configurations/lipwig.nix 
@@ -73,62 +73,64 @@ ]; # Web ###################################################################### - services.nginx = { - enable = true; - virtualHosts = { - "cynerd.cz" = { - forceSSL = true; - enableACME = true; - locations = { - "/".root = ../../web; - "/radicale/" = { - proxyPass = "http://127.0.0.1:5232/"; - extraConfig = '' - proxy_set_header X-Script-Name /radicale; - proxy_pass_header Authorization; - ''; + services = { + nginx = { + enable = true; + virtualHosts = { + "cynerd.cz" = { + forceSSL = true; + enableACME = true; + locations = { + "/".root = ../../web; + "/radicale/" = { + proxyPass = "http://127.0.0.1:5232/"; + extraConfig = '' + proxy_set_header X-Script-Name /radicale; + proxy_pass_header Authorization; + ''; + }; }; }; - }; - "git.cynerd.cz" = { - forceSSL = true; - useACMEHost = "cynerd.cz"; - root = "${pkgs.cgit}/cgit"; - locations."/".tryFiles = "$uri @cgit"; - locations."@cgit".extraConfig = '' - fastcgi_pass unix:${config.services.fcgiwrap.instances.cgit.socket.address}; - fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi; - fastcgi_param PATH_INFO $uri; - fastcgi_param QUERY_STRING $args; - fastcgi_param HTTP_HOST $server_name; - ''; - }; - "cloud.cynerd.cz" = { - forceSSL = true; - useACMEHost = "cynerd.cz"; - }; - "grafana.cynerd.cz" = { - forceSSL = true; - useACMEHost = "cynerd.cz"; - locations."/" = { - proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}"; - proxyWebsockets = true; - recommendedProxySettings = true; + "git.cynerd.cz" = { + forceSSL = true; + useACMEHost = "cynerd.cz"; + root = "${pkgs.cgit}/cgit"; + locations."/".tryFiles = "$uri @cgit"; + locations."@cgit".extraConfig = '' + fastcgi_pass unix:${config.services.fcgiwrap.instances.cgit.socket.address}; + fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi; + fastcgi_param PATH_INFO $uri; + fastcgi_param QUERY_STRING $args; + fastcgi_param HTTP_HOST $server_name; + ''; + }; + "cloud.cynerd.cz" = { + forceSSL = 
true; + useACMEHost = "cynerd.cz"; + }; + "grafana.cynerd.cz" = { + forceSSL = true; + useACMEHost = "cynerd.cz"; + locations."/" = { + proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}"; + proxyWebsockets = true; + recommendedProxySettings = true; + }; + }; + "searx.cynerd.cz" = { + forceSSL = true; + useACMEHost = "cynerd.cz"; + locations."/".extraConfig = '' + uwsgi_pass "unix:///run/searx/searx.sock"; + include ${config.services.nginx.package}/conf/uwsgi_params; + ''; }; - }; - "searx.cynerd.cz" = { - forceSSL = true; - useACMEHost = "cynerd.cz"; - locations."/".extraConfig = '' - uwsgi_pass "unix:///run/searx/searx.sock"; - include ${config.services.nginx.package}/conf/uwsgi_params; - ''; }; }; - }; - services.fcgiwrap.instances.cgit = { - process.user = "git"; - socket = {inherit (config.services.nginx) user group;}; + fcgiwrap.instances.cgit = { + process.user = "git"; + socket = {inherit (config.services.nginx) user group;}; + }; }; security.acme = { acceptTerms = true; @@ -273,8 +275,8 @@ license = "agpl3Plus"; }; passwords = pkgs.fetchNextcloudApp { - url = "https://git.mdns.eu/api/v4/projects/45/packages/generic/passwords/2025.9.0/passwords.tar.gz"; - hash = "sha256-BMu7TPd6xwa/bSQOgN/wFPnK7AK0KgsUKqSqMatjqqw="; + url = "https://git.mdns.eu/api/v4/projects/45/packages/generic/passwords/2025.10.0/passwords-lsr-81.tar.gz"; + hash = "sha256-6QKbmm804BN5bANcdH1BbG2oy1nBgnLY5CLidPF44Uk="; license = "agpl3Plus"; }; }; diff --git a/nixos/configurations/ridcully.nix b/nixos/configurations/ridcully.nix index 3dd9beb..03b615b 100644 --- a/nixos/configurations/ridcully.nix +++ b/nixos/configurations/ridcully.nix @@ -1,6 +1,6 @@ {pkgs, ...}: { system.stateVersion = "24.05"; - nixpkgs.hostPlatform.system = "x86_64-linux"; + nixpkgs.hostPlatform.config = "x86_64-linux"; deploy.enable = true; cynerd = { 
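Review bot: `nixpkgs.hostPlatform.config = "x86_64-linux"` in the ridcully.nix hunk looks like a mistake: `config` holds the full target triple (the new openwrtone.nix module sets `config = "aarch64-unknown-linux-gnu"` next to `system = "aarch64-linux"`), whereas `"x86_64-linux"` is the double that belongs in `system`. I believe the nixpkgs platform parser tolerates a two-part string by filling in vendor and ABI defaults, so evaluation may still succeed, but the result then rests on that fallback rather than on what was written. Either keep the original `nixpkgs.hostPlatform.system = "x86_64-linux";` or, if a triple is really intended, write `nixpkgs.hostPlatform.config = "x86_64-unknown-linux-gnu";`.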
@@ -12,12 +12,13 @@ }; }; - boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "usb_storage"]; + boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"]; boot.kernelModules = ["kvm-amd"]; hardware.cpu.amd.updateMicrocode = true; services.hardware.openrgb.motherboard = "amd"; + cynerd.autounlock = { "encroot" = "/dev/disk/by-uuid/bc7d2ba4-6e04-4c49-b40c-3aecd1a86c71"; "enchdd" = "/dev/disk/by-uuid/7fee3cda-efa0-47cd-8832-fdead9a7e6db"; @@ -63,8 +64,9 @@ wait-online.enable = false; }; - environment.systemPackages = [ - pkgs.nvtopPackages.amd + environment.systemPackages = with pkgs; [ + nvtopPackages.amd + sbctl ]; services.syncthing = { @@ -74,4 +76,10 @@ # Force nix to use less jobs nix.settings.max-jobs = 4; + + # Cover case when we are running out of memory + zramSwap = { + enable = true; + memoryPercent = 50; + }; } diff --git a/nixos/configurations/spt-omnia.nix b/nixos/configurations/spt-omnia.nix index 8449f0d..c13956b 100644 --- a/nixos/configurations/spt-omnia.nix +++ b/nixos/configurations/spt-omnia.nix @@ -15,7 +15,6 @@ in { lanIP = hosts.omnia; staticLeases = { "a8:a1:59:10:32:c4" = hosts.errol; - "70:85:c2:4a:59:f2" = hosts.ridcully; "7c:b0:c2:bb:9c:ca" = hosts.albert; "4c:d5:77:0d:85:d9" = hosts.binky; "b8:27:eb:57:a2:31" = hosts.mpd; diff --git a/nixos/configurations/zd-mox.nix b/nixos/configurations/zd-mox.nix index a6f327c..3796af0 100644 --- a/nixos/configurations/zd-mox.nix +++ b/nixos/configurations/zd-mox.nix @@ -14,17 +14,11 @@ in { wan = "pppoe-wan"; lanIP = hosts.mox; staticLeases = { + "70:85:c2:4a:59:f2" = hosts.ridcully; + "f8:dc:7a:79:00:e6" = hosts.tc; "4c:d5:77:0d:85:d9" = hosts.binky; }; }; - wifiAP.zd = { - enable = false; - qca988x = { - interface = "wlp1s0"; - bssids = config.secrets.wifiMacs.zd-mox.qca988x; - channel = 36; - }; - }; wireguard = true; monitoring.speedtest = true; }; 
@@ -50,27 +44,27 @@ in { networking.useDHCP = false; systemd.network = { netdevs = { - "end2.848" = { + "end0.848" = { netdevConfig = { Kind = "vlan"; - Name = "end2.848"; + Name = "end0.848"; }; vlanConfig.Id = 848; }; }; networks = { - "end2" = { - matchConfig.Name = "end2"; - networkConfig.VLAN = ["end2.848"]; + "end0" = { + matchConfig.Name = "end0"; + networkConfig.VLAN = ["end0.848"]; }; - "end2.848" = { - matchConfig.Name = "end2.848"; - networkConfig.BindCarrier = "end2"; + "end0.848" = { + matchConfig.Name = "end0.848"; + networkConfig.BindCarrier = "end0"; }; "pppoe-wan" = { matchConfig.Name = "pppoe-wan"; networkConfig = { - BindCarrier = "end2.848"; + BindCarrier = "end0.848"; DHCP = "ipv6"; IPv6AcceptRA = "no"; DHCPPrefixDelegation = "yes"; @@ -105,7 +99,7 @@ in { services.pppd = { enable = true; peers."wan".config = '' - plugin pppoe.so end2.848 + plugin pppoe.so end0.848 ifname pppoe-wan lcp-echo-interval 1 lcp-echo-failure 5 @@ -117,7 +111,7 @@ in { ''; }; systemd.services."pppd-wan" = { - after = ["sys-subsystem-net-devices-end2.848.device"]; + after = ["sys-subsystem-net-devices-end0.848.device"]; partOf = ["systemd-networkd.service"]; }; # TODO limit NSS clamping to just pppoe-wan @@ -125,4 +119,25 @@ in { tcp flags syn tcp option maxseg size set rt mtu comment "Needed for PPPoE to fix IPv4" iifname {"home", "wg"} oifname {"home", "wg"} accept ''; + + services.nginx = { + enable = true; + virtualHosts = { + "zd.cynerd.cz" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://${hosts.one0}:8123"; + proxyWebsockets = true; + recommendedProxySettings = true; + }; + }; + }; + }; + security.acme = { + acceptTerms = true; + defaults.email = "cynerd+acme@email.cz"; + certs."zd.cynerd.cz" = {}; + }; + networking.firewall.allowedTCPPorts = [80 443]; } diff --git a/nixos/configurations/zd-one0.nix b/nixos/configurations/zd-one0.nix new file mode 100644 index 0000000..98d9691 --- /dev/null 
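Review bot: `proxyPass = "http://${hosts.one0}:8123"` in the last zd-mox.nix hunk resolves to 10.8.0.2 per the hosts.nix hunk, but the new zd-one0.nix gives that host `Address = "10.8.2.10/24"` with `Gateway = "10.8.2.1"`, i.e. an address in the spt range rather than the zd one; unless one0 is deliberately staged on the other network for now, the proxy has no reachable backend. Opening 80/443 with `networking.firewall.allowedTCPPorts = [80 443];` also exposes that backend on the PPPoE uplink with no access control in this hunk, so if the application on 8123 does not enforce its own authentication, an `allow`/`deny` list in `locations."/".extraConfig` limited to the 10.8.0.0/24 and wireguard ranges would be the place to add it. The wireguard.nix hunk in this commit makes zd-mox an endpoint on UDP 51820, which this firewall change does not open; presumably the wireguard module opens it for endpoints, but that is worth confirming.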
+++ b/nixos/configurations/zd-one0.nix @@ -0,0 +1,61 @@ +_: { + system.stateVersion = "25.11"; + deploy = { + enable = true; + ssh.host = "zd-one0"; + }; + + cynerd = { + openwrtone = true; + #switch = { + # enable = true; + # lanAddress = "10.8.12.10/24"; + # lanGateway = config.cynerd.hosts.spt.omnia; + #}; + #wifiAP.zd = { + # enable = false; + # qca988x = { + # interface = "wlp1s0"; + # bssids = config.secrets.wifiMacs.zd-mox.qca988x; + # channel = 36; + # }; + #}; + }; + + boot.initrd.availableKernelModules = ["dm-mod"]; + boot.consoleLogLevel = 7; + + services = { + journald.extraConfig = '' + SystemMaxUse=8G + ''; + + btrfs.autoScrub = { + enable = true; + fileSystems = ["/"]; + }; + + fail2ban = { + enable = true; + ignoreIP = ["10.8.0.0/24" "10.8.1.0/24" "10.8.2.0/24"]; + }; + }; + + networking.useDHCP = false; + networking.useNetworkd = true; + + systemd.network = { + networks = { + "eth0" = { + matchConfig.Name = "eth0"; + networkConfig = { + Address = "10.8.2.10/24"; + Gateway = "10.8.2.1"; + DNS = "1.1.1.1"; + IPv6AcceptRA = "yes"; + }; + }; + }; + wait-online.anyInterface = true; + }; +} diff --git a/nixos/modules/desktop.nix b/nixos/modules/desktop.nix index 618e9cd..0b0b7c6 100644 --- a/nixos/modules/desktop.nix +++ b/nixos/modules/desktop.nix @@ -101,7 +101,7 @@ in { pulsemixer mpd - mpc-cli + mpc ncmpcpp feh shotwell @@ -161,7 +161,7 @@ in { # Writing typst - typstfmt + typstyle typst-live tinymist vale @@ -318,9 +318,9 @@ in { libertine nerd-fonts.hack noto-fonts - noto-fonts-emoji + noto-fonts-color-emoji terminus_font_ttf - ubuntu_font_family + ubuntu-classic unifont ]; diff --git a/nixos/modules/develop.nix b/nixos/modules/develop.nix index 8e24707..14cf55f 100644 --- a/nixos/modules/develop.nix +++ b/nixos/modules/develop.nix @@ -32,6 +32,7 @@ in { vim-vint nodePackages.vim-language-server vale + can-utils # Required for neovim plugins editorconfig-checker 
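Review bot: The two commented-out blocks under `cynerd` (`#switch = { … }` and `#wifiAP.zd = { … }`) reference `config`, which the file's `_:` argument pattern does not bind, so they cannot simply be uncommented later; either drop them or replace them with a one-line `# TODO: switch/wifiAP config once one0 takes over from zd-mox` so the intent survives without dead code. The file opens nothing in the firewall, yet the zd-mox.nix hunk proxies zd.cynerd.cz to this host on port 8123; with the NixOS firewall enabled by default that proxy is blocked unless the `openwrtone` module or whatever serves 8123 opens the port, which I cannot see here. `DNS = "1.1.1.1"` bypasses the resolver on the router that the rest of the network uses; if that is intentional, a short comment saying so would save the next reader a question.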
@@ -49,6 +50,7 @@ in { deadnix agenix nix-tree + nix-output-monitor # Shell dash # Posix shell @@ -63,7 +65,6 @@ in { # C clang-tools massif-visualizer - #qcachegrind # Python (python3.withPackages (pypkgs: @@ -88,7 +89,7 @@ in { pygal python-gitlab - PyGithub + pygithub schema jinja2 diff --git a/nixos/modules/generic.nix b/nixos/modules/generic.nix index e6e96a4..c57cc19 100644 --- a/nixos/modules/generic.nix +++ b/nixos/modules/generic.nix @@ -38,7 +38,7 @@ in { kernelParams = ["boot.shell_on_fail"]; }; hardware.enableAllFirmware = mkDefault true; - services.fwupd.enable = mkDefault (pkgs.system == "x86_64-linux"); + services.fwupd.enable = mkDefault (pkgs.stdenv.hostPlatform.system == "x86_64-linux"); systemd.oomd.enable = false; networking = { diff --git a/nixos/modules/hosts.nix b/nixos/modules/hosts.nix index 9affe19..bd5a5ab 100644 --- a/nixos/modules/hosts.nix +++ b/nixos/modules/hosts.nix @@ -29,7 +29,12 @@ in { config = { cynerd.hosts = { zd = { + # Network "mox" = "10.8.0.1"; + "one0" = "10.8.0.2"; + # Local + "ridcully" = "10.8.0.59"; + "tc" = "10.8.0.99"; # Portable "binky" = "10.8.0.63"; }; @@ -53,7 +58,6 @@ in { # Local "mpd" = "10.8.2.51"; "errol" = "10.8.2.60"; - "ridcully" = "10.8.2.59"; "printer" = "10.8.2.90"; # Portable "albert" = "10.8.2.61"; @@ -76,6 +80,9 @@ in { networking.hosts = mkIf cnf.enable { # Zd "${cnf.zd.mox}" = ["mox.zd"]; + "${cnf.zd.one0}" = ["one0.zd"]; + "${cnf.zd.ridcully}" = ["ridcully"]; + "${cnf.zd.tc}" = ["tc.zd"]; "${cnf.zd.binky}" = ["binky.zd"]; # Wireguard "${cnf.wg.lipwig}" = ["lipwig.wg"]; @@ -92,7 +99,6 @@ in { "10.8.2.4" = ["mi3g.spt"]; "${cnf.spt.mpd}" = ["mpd.spt"]; "${cnf.spt.errol}" = ["errol"]; - "${cnf.spt.ridcully}" = ["ridcully"]; "${cnf.spt.albert}" = ["albert.spt"]; "${cnf.spt.binky}" = ["binky.spt"]; # Adm diff --git a/nixos/modules/openwrtone.nix b/nixos/modules/openwrtone.nix new file mode 100644 index 0000000..85ddbd2 --- /dev/null +++ b/nixos/modules/openwrtone.nix 
@@ -0,0 +1,120 @@ +{ + config, + lib, + pkgs, + modulesPath, + extendModules, + ... +}: let + inherit (lib) mkEnableOption mkIf mkDefault; + variant = extendModules { + modules = [ + { + boot.postBootCommands = '' + # On the first boot do some maintenance tasks + if [ -f /nix-path-registration ]; then + set -euo pipefail + + # Register the contents of the initial Nix store + ${config.nix.package.out}/bin/nix-store --load-db < /nix-path-registration + + # nixos-rebuild also requires a "system" profile and an /etc/NIXOS tag. + touch /etc/NIXOS + ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system + + # Prevents this from running on later boots. + rm -f /nix-path-registration + fi + ''; + # We do not have generations in the initial image + boot.loader.generic-extlinux-compatible.configurationLimit = 0; + } + ]; + }; + inherit (variant.config.system.build) toplevel; +in { + options.cynerd.openwrtone = mkEnableOption "Configuration for OpenWrt One"; + + config = mkIf config.cynerd.openwrtone { + nixpkgs = { + hostPlatform = { + config = "aarch64-unknown-linux-gnu"; + system = "aarch64-linux"; + }; + buildPlatform = { + config = "x86_64-unknown-linux-gnu"; + system = "x86_64-linux"; + }; + }; + + # We do not need Grub as U-Boot supports boot using extlinux like file + boot = { + loader = { + grub.enable = mkDefault false; + systemd-boot.enable = mkDefault false; + generic-extlinux-compatible.enable = mkDefault true; + }; + + # Use OpenWrt One specific kernel. It fixes SError with patch. + kernelPackages = mkDefault (pkgs.linuxPackagesFor pkgs.linuxOpenWrtOne); + kernelParams = [ + "fw_devlink=permissive" + "clk_ignore_unused" + "pcie_aspm=off" + ]; + + initrd = { + kernelModules = ["pcie-mediatek-gen3" "nvme"]; + # This includes modules to support common PC manufacturers but is not + # something required on embedded device. 
+ includeDefaultModules = false; + supportedFilesystems = ["btrfs"]; + }; + supportedFilesystems = ["btrfs"]; + }; + hardware.deviceTree.name = mkDefault "mediatek/mt7981b-openwrt-one.dtb"; + + # Cover nix memory consumption peaks by compressing the RAM + zramSwap = mkDefault { + enable = true; + memoryPercent = 80; + }; + + fileSystems = { + "/boot" = mkDefault { + device = "/dev/nvme0n1p1"; + fsType = "vfat"; + }; + "/" = mkDefault { + device = "/dev/nvme0n1p2"; + fsType = "btrfs"; + }; + }; + + environment.systemPackages = with pkgs; [ + iw + ]; + + # No need for installer tools in standard system + system.disableInstallerTools = true; + # No need for NixOS documentation in headless system + documentation.nixos.enable = mkDefault false; + + system.build.tarball = pkgs.callPackage "${modulesPath}/../lib/make-system-tarball.nix" { + extraCommands = pkgs.buildPackages.writeShellScript "tarball-extra-commands" '' + ${variant.config.boot.loader.generic-extlinux-compatible.populateCmd} \ + -c ${toplevel} -d ./boot + ''; + contents = []; + + storeContents = + map (x: { + object = x; + symlink = "none"; + }) [ + toplevel + pkgs.stdenv + ]; + }; + }; +} diff --git a/nixos/modules/packages.nix b/nixos/modules/packages.nix index 96e9a2e..f6961af 100644 --- a/nixos/modules/packages.nix +++ b/nixos/modules/packages.nix @@ -1,11 +1,11 @@ { - config, lib, pkgs, ... }: let inherit (lib) optionals; - isNative = config.nixpkgs.hostPlatform == config.nixpkgs.buildPlatform; + inherit (pkgs.stdenv.hostPlatform) isx86_64; + isNative = pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform; in { nixpkgs = { config.allowUnfree = true; @@ -63,14 +63,14 @@ in { wakeonlan speedtest-cli librespeed-cli - #termshark + termshark w3m lm_sensors ] - ++ optionals (system == "x86_64-linux") [ + ++ optionals isx86_64 [ nmap - ltrace + #ltrace pv screen ] diff --git a/nixos/modules/router.nix b/nixos/modules/router.nix index 224037b..01110ae 100644 --- a/nixos/modules/router.nix 
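Review bot: The `variant`/`toplevel` indirection at the top of openwrtone.nix deserves a comment, since the `toplevel` that `system.build.tarball` packs and whose `populateCmd` fills `./boot` comes from the re-evaluated variant, not from the running system; something like `# Variant of this system used only for the initial tarball: registers the Nix store on first boot and keeps a single extlinux entry.` above `variant = extendModules {` would do. Separately, `set -euo pipefail` inside the `if [ -f /nix-path-registration ]` block is not scoped to that block, so if `boot.postBootCommands` is spliced inline into the stage-2 script (as I believe it is) those options remain in effect for whatever runs after the `fi` on first boot; nixpkgs' own sd-image module uses the same pattern, so this may be accepted, but wrapping the body in a subshell `( … )` would confine it.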
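Review bot: `isNative = pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform;` in the packages.nix hunk compares elaborated platform sets that contain functions, so `==` is true only when both are the same object (which nixpkgs arranges for native builds) and false otherwise regardless of the fields; the answer happens to be right, but it rests on an identity shortcut rather than on a field comparison. `lib.systems.equals` exists for exactly this, and `lib` is already an argument of the module: `isNative = lib.systems.equals pkgs.stdenv.hostPlatform pkgs.stdenv.buildPlatform;`. The users.nix hunk in this commit introduces the same expression and would take the same change.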
+++ b/nixos/modules/router.nix @@ -178,7 +178,7 @@ in { services.resolved = { enable = true; - dnssec = "true"; + #dnssec = "true"; fallbackDns = ["1.1.1.1" "8.8.8.8"]; extraConfig = '' DNSStubListenerExtra=${cnf.lanIP} diff --git a/nixos/modules/users.nix b/nixos/modules/users.nix index f3b7fbe..9c65f8b 100644 --- a/nixos/modules/users.nix +++ b/nixos/modules/users.nix @@ -3,8 +3,8 @@ config, ... }: let - isNative = config.nixpkgs.hostPlatform == config.nixpkgs.buildPlatform; - isArm = pkgs.hostPlatform.isAarch; + isNative = pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform; + isArm = pkgs.stdenv.hostPlatform.isAarch; in { users = { mutableUsers = false; diff --git a/nixos/modules/wireguard.nix b/nixos/modules/wireguard.nix index b49eaae..4fd942c 100644 --- a/nixos/modules/wireguard.nix +++ b/nixos/modules/wireguard.nix @@ -6,7 +6,7 @@ }: let inherit (lib) any all mkEnableOption mkIf mapAttrsToList optional optionals optionalAttrs filterAttrs; inherit (config.networking) hostName; - endpoints = ["lipwig" "spt-omnia" "adm-omnia"]; + endpoints = ["lipwig" "spt-omnia" "adm-omnia" "zd-mox"]; is_endpoint = any (v: v == hostName) endpoints; in { options = { @@ -53,6 +53,15 @@ in { PublicKey = config.secrets.wireguardPubs.adm-omnia; } // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;})) + ({ + Endpoint = "zd.cynerd.cz:51820"; + AllowedIPs = [ + "${config.cynerd.hosts.wg.zd-mox}/32" + "10.8.0.0/24" + ]; + PublicKey = config.secrets.wireguardPubs.zd-mox; + } + // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;})) ] ++ (optionals is_endpoint (mapAttrsToList (n: v: { AllowedIPs = "${config.cynerd.hosts.wg."${n}"}/32"; @@ -77,6 +86,12 @@ in { Gateway = config.cynerd.hosts.wg.adm-omnia; Destination = "10.8.3.0/24"; Metric = 2048; + }) + ++ (optional (hostName != "zd-mox") { + # ZD network + Gateway = config.cynerd.hosts.wg.zd-mox; + Destination = "10.8.0.0/24"; + Metric = 2048; }); }; }; |
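Review bot: Commenting out `dnssec = "true"` in the router.nix hunk silently turns off DNSSEC validation on the resolver that every LAN client reaches through `DNSStubListenerExtra`, falling back to the NixOS default (which, depending on the release, is `allow-downgrade` or `false`), and nothing records why. If a specific breakage motivated it, keep that reason next to the line, e.g. `# DNSSEC disabled: <reason/date>`, so it is revisited rather than forgotten. `dnssec = "allow-downgrade";` is the less drastic option if the problem was an upstream that does not support validation, since signed zones are then still checked. The enclosing `services.resolved` block continues outside the hunk.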
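Review bot: The new zd-mox peer in the wireguard.nix hunk references `config.cynerd.hosts.wg.zd-mox` and `config.secrets.wireguardPubs.zd-mox`, neither of which is added by the hosts.nix hunk or elsewhere in this commit, so evaluation on every wireguard host now depends on both already existing; worth confirming before deploying. The `AllowedIPs` entry `10.8.0.0/24` together with the route added in the second hunk for every host except zd-mox mirrors the adm-omnia pattern above it, which is consistent. Like the existing endpoint entries, the peer appears unconditional, so if zd-mox evaluates this list it would carry its own key as a peer; the list starts outside the hunk, so I cannot see whether the local host is filtered out.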
