From a9738a94e009610163e3c49e9686c12051917af7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= Date: Mon, 1 Apr 2024 12:14:45 +0200 Subject: nixos: few more fixes --- flake.lock | 26 +++++++++++++------------- nixos/configurations/adm-omnia.nix | 1 - nixos/configurations/dean.nix | 17 +++++++++++++---- nixos/configurations/errol.nix | 9 ++++++--- nixos/configurations/lipwig.nix | 7 +++---- nixos/configurations/spt-omnia.nix | 1 - nixos/modules/develop.nix | 5 +++++ nixos/modules/generic.nix | 5 ++++- nixos/modules/home-assistant.nix | 3 ++- nixos/modules/hosts.nix | 10 ---------- nixos/modules/openvpn.nix | 8 -------- nixos/modules/router.nix | 1 - nixos/modules/switch.nix | 5 +---- nixos/modules/wireguad.nix | 33 +++++++++++++++++++++++++++++++-- 14 files changed, 78 insertions(+), 53 deletions(-) diff --git a/flake.lock b/flake.lock index 2bcba70..115aa8b 100644 --- a/flake.lock +++ b/flake.lock @@ -256,11 +256,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1710783728, - "narHash": "sha256-eIsfu3c9JUBgm3cURSKTXLEI9Dlk1azo+MWKZVqrmkc=", + "lastModified": 1711352745, + "narHash": "sha256-luvqik+i3HTvCbXQZgB6uggvEcxI9uae0nmrgtXJ17U=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "1e679b9a9970780cd5d4dfe755a74a8f96d33388", + "rev": "9a763a7acc4cfbb8603bb0231fec3eda864f81c0", "type": "github" }, "original": { @@ -314,11 +314,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1710861126, - "narHash": "sha256-q8fiy9mgUvTAt2OMjiVpQgDlykyGury9Fpsm0jekBfY=", + "lastModified": 1711939449, + "narHash": "sha256-k8HBuawAk2hWNzNkCiGebbStq3opqnyV1RdHXXojxNg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2dcadb7087e38314cebb15af65f8f2a15d2940cc", + "rev": "292a4d8fa11907f90eb2e9730b8cf2414f03bf58", "type": "github" }, "original": { 
@@ -432,11 +432,11 @@ }, "personal-secret": { "locked": { - "lastModified": 1710863858, - "narHash": "sha256-6qKqa5cdchvGSBGigs/K4VWVfITGdMudrKYw2Sc79wo=", + "lastModified": 1711963377, + "narHash": "sha256-0hTTeEEzK4ZhFmjfT4gVzliNlhfJFmugGuSFYCeUpq4=", "ref": "refs/heads/master", - "rev": "0306d300b34e6221230bb7886f077bb78997da3a", - "revCount": 101, + "rev": "a402800a9d82061610250f2f37aebd5694896c50", + "revCount": 104, "type": "git", "url": "ssh://git@cynerd.cz/nixos-personal-secret" }, @@ -697,11 +697,11 @@ }, "vpsadminos": { "locked": { - "lastModified": 1710509949, - "narHash": "sha256-U4rYEcV40x7VpZfeOw21cZFIZrh+bjxx2iYRtnCRfTc=", + "lastModified": 1711619904, + "narHash": "sha256-BVmRhYvidQAT5t63EzGKOCGRlhCrfjLjf1oz8BozBns=", "owner": "vpsfreecz", "repo": "vpsadminos", - "rev": "d61fad3eedeaae209870f3f8f4e65e996e778ad0", + "rev": "8c8eb700db5d18e07d167e048756135f877442d9", "type": "github" }, "original": { diff --git a/nixos/configurations/adm-omnia.nix b/nixos/configurations/adm-omnia.nix index 3f857ee..672788a 100644 --- a/nixos/configurations/adm-omnia.nix +++ b/nixos/configurations/adm-omnia.nix @@ -12,7 +12,6 @@ ar9287.interface = "wlp3s0"; qca988x.interface = "wlp2s0"; }; - openvpn.oldpersonal = false; monitoring.speedtest = true; }; diff --git a/nixos/configurations/dean.nix b/nixos/configurations/dean.nix index 44feaea..c903794 100644 --- a/nixos/configurations/dean.nix +++ b/nixos/configurations/dean.nix @@ -1,4 +1,10 @@ -{pkgs, ...}: { +{ + lib, + pkgs, + ... +}: let + inherit (lib) mkForce; +in { turris.board = "mox"; deploy.enable = true; @@ -10,6 +16,11 @@ networking = { useNetworkd = true; useDHCP = false; + nat = { + enable = true; + externalInterface = "brlan"; + internalInterfaces = ["wg"]; + }; }; systemd.network = { netdevs."brlab".netdevConfig = { 
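Review bot: The new `networking.nat` block makes dean a masquerading gateway from the `wg` interface onto `brlan` (by name the LAN bridge), yet nothing in the hunk limits which WireGuard peers or which destinations may be forwarded, so every peer that receives a route via dean can reach anything on that LAN while appearing as dean. If only specific peers or prefixes are meant to pass, consider narrowing it — `networking.nat.internalIPs` for the source side, and, once nftables is the backend, `networking.firewall.filterForward = true;` with explicit forward rules — rather than forwarding the whole interface, and confirm what the default forward-chain policy is on this host. The hunk does not say which network sits behind `brlan` (presumably the ranges wireguad.nix now routes via dean), so a comment such as `# NAT the WireGuard mesh onto the LAN behind brlan; peers are masqueraded as dean.` would record the intent. The `networking` attrset is complete here, but the `wg` netdev and peer definitions live outside this hunk.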
@@ -28,6 +39,7 @@ matchConfig.Name = "lan* end0"; networkConfig.Bridge = "brlan"; }; + "wg".networkConfig.IPForward = mkForce "yes"; }; # TODO investigate why it doesn't work wait-online.enable = false; @@ -37,7 +49,4 @@ #openocd tio ]; - - # TODO: ubootTools build is broken! - firmware.environment.enable = false; } diff --git a/nixos/configurations/errol.nix b/nixos/configurations/errol.nix index a9475ef..3f7ad8c 100644 --- a/nixos/configurations/errol.nix +++ b/nixos/configurations/errol.nix @@ -13,9 +13,7 @@ in { desktop.enable = true; develop = true; gaming = true; - openvpn = { - elektroline = true; - }; + openvpn.elektroline = true; }; boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "usb_storage"]; @@ -35,6 +33,11 @@ in { fsType = "btrfs"; options = ["compress=lzo" "subvol=@nix"]; }; + "/nix" = { + device = "/dev/mapper/encroot"; + fsType = "btrfs"; + options = ["compress=lzo" "subvol=@nix-store"]; + }; "/home" = { device = "/dev/mapper/encroot"; fsType = "btrfs"; diff --git a/nixos/configurations/lipwig.nix b/nixos/configurations/lipwig.nix index 0eefe5f..2e5253d 100644 --- a/nixos/configurations/lipwig.nix +++ b/nixos/configurations/lipwig.nix @@ -33,7 +33,6 @@ networking = { useNetworkd = true; useDHCP = false; - nftables.enable = true; firewall = { allowedTCPPorts = [80 443]; allowedUDPPorts = [1194]; 
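Review bot: `"wg".networkConfig.IPForward = mkForce "yes";` silently overrides the `IPForward = is_endpoint` that wireguad.nix sets for this interface (visible in that file's hunk), so a reader of the module will wrongly conclude that non-endpoint hosts never forward. Prefer resolving the disagreement in the module — an option the module consults alongside `is_endpoint`, or making dean an endpoint — and keep `mkForce` out of per-host configs. If the override stays, explain it: `# wireguad.nix only forwards on endpoints; dean must forward so the NAT onto brlan above works.` Also be aware that newer systemd (256+) deprecates `IPForward=` in .network units in favour of `IPv4Forwarding=`/`IPv6Forwarding=`; confirm what the pinned nixpkgs ships before relying on the old key. The enclosing `systemd.network.networks` attrset starts before this hunk.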
@@ -206,17 +205,17 @@ passwords = pkgs.fetchNextcloudApp { url = "https://git.mdns.eu/api/v4/projects/45/packages/generic/passwords/2024.2.0/passwords.tar.gz"; sha256 = "0s5z6pxkcwmhlbzy9s2g0s05n1iqjmxr2jqxz7ayklin9kcgr3h7"; - license = "agpl3"; + license = "gpl3"; }; integration_github = pkgs.fetchNextcloudApp { url = "https://github.com/nextcloud-releases/integration_github/releases/download/v2.0.6/integration_github-v2.0.6.tar.gz"; sha256 = "0rjdlsalayb21nmh3j5bl42dcbavxka2r5g9csagz7vc9dl0qrw6"; - license = "agpl3"; + license = "gpl3"; }; integration_gitlab = pkgs.fetchNextcloudApp { url = "https://github.com/nextcloud-releases/integration_gitlab/releases/download/v1.0.18/integration_gitlab-v1.0.18.tar.gz"; sha256 = "13vlbr7sigqrh480a9zp7zl9nbzb4pk8m1zzlqv9lkzj3zywp7mi"; - license = "agpl3"; + license = "gpl3"; }; }; }; diff --git a/nixos/configurations/spt-omnia.nix b/nixos/configurations/spt-omnia.nix index 8456368..22d9ecc 100644 --- a/nixos/configurations/spt-omnia.nix +++ b/nixos/configurations/spt-omnia.nix @@ -38,7 +38,6 @@ in { }; }; wireguard = true; - openvpn.oldpersonal = true; monitoring.speedtest = true; }; diff --git a/nixos/modules/develop.nix b/nixos/modules/develop.nix index e5510c6..d07bc66 100644 --- a/nixos/modules/develop.nix +++ b/nixos/modules/develop.nix @@ -73,8 +73,13 @@ in { coverage mypy + scipy + sympy + pygraphviz matplotlib + plotly + pygal python-gitlab PyGithub diff --git a/nixos/modules/generic.nix b/nixos/modules/generic.nix index e4ac094..97391b8 100644 --- a/nixos/modules/generic.nix +++ b/nixos/modules/generic.nix @@ -177,7 +177,10 @@ in { commands = ["ALL"]; } ]; - networking.dhcpcd.extraConfig = "controlgroup wheel"; + networking = { + nftables.enable = true; + dhcpcd.extraConfig = "controlgroup wheel"; + }; services.openssh = { enable = true; diff --git a/nixos/modules/home-assistant.nix b/nixos/modules/home-assistant.nix index 769b1c7..ab16e8a 100644 --- a/nixos/modules/home-assistant.nix 
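Review bot: Changing `license = "agpl3"` to `license = "gpl3"` on the three `fetchNextcloudApp` calls alters a licence claim rather than a build input, and the hunk gives no reason; as far as I know Nextcloud store apps such as passwords, integration_github and integration_gitlab are published under AGPL-3.0, so `gpl3` would misstate them. If the motivation is that the pinned nixpkgs dropped the `agpl3` alias from `lib.licenses` (which I believe `fetchNextcloudApp` indexes with this string), the fix is the non-deprecated AGPL name — `license = "agpl3Plus";` (or `agpl3Only`, per each app's `appinfo/info.xml`) — not a different licence. A one-line comment above the first app, `# license must be a key of lib.licenses; check each app's info.xml before changing`, would stop the next version bump from guessing again. The enclosing attribute set starts before this hunk.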
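Review bot: Enabling `networking.nftables.enable = true` in generic.nix switches the firewall and NAT backend on every host that imports this module in one step, and with the nftables backend NixOS rejects `networking.firewall.extraCommands`/`extraStopCommands` and breaks anything that still injects iptables rules; nothing in this hunk shows those were audited across the fleet, while router.nix, switch.nix and lipwig.nix drop their own `nftables.enable` in the same commit and now depend on this line. Please add a comment naming that dependency, e.g. `# nftables is the firewall/NAT backend for all hosts (router.nix, switch.nix, dean.nix rely on it); iptables extraCommands are no longer allowed.`, and confirm no remaining host or imported module uses an iptables-only option. The `networking` attrset is complete here, but the module body continues on both sides of the hunk.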
+++ b/nixos/modules/home-assistant.nix @@ -55,9 +55,10 @@ in { enable = true; device = "/dev/ttyUSB0"; baseTopicPrefix = "bigclown/"; + environmentFiles = ["/run/secrets/bigclown.env"]; mqtt = { username = "bigclown"; - keyfile = "/run/secrets/mqtt-bigclown.pass"; + password = "\${MQTT_PASSWORD}"; }; }; diff --git a/nixos/modules/hosts.nix b/nixos/modules/hosts.nix index 054098d..e7ad76b 100644 --- a/nixos/modules/hosts.nix +++ b/nixos/modules/hosts.nix @@ -30,12 +30,6 @@ in { cynerd.hosts = { vpn = { "lipwig" = "10.8.0.1"; - # Portable - "binky" = "10.8.0.2"; - "albert" = "10.8.0.3"; - "android" = "10.8.0.6"; - # Endpoints - "spt-omnia" = "10.8.0.50"; "adm-omnia" = "10.8.0.51"; }; wg = { @@ -79,10 +73,6 @@ in { networking.hosts = mkIf cnf.enable { # VPN "${cnf.vpn.lipwig}" = ["lipwig.vpn"]; - "${cnf.vpn.android}" = ["android.vpn"]; - "${cnf.vpn.albert}" = ["albert.vpn"]; - "${cnf.vpn.binky}" = ["binky.vpn"]; - "${cnf.vpn.spt-omnia}" = ["spt.vpn"]; "${cnf.vpn.adm-omnia}" = ["adm.vpn"]; # Wireguard "${cnf.wg.lipwig}" = ["lipwig.wg"]; diff --git a/nixos/modules/openvpn.nix b/nixos/modules/openvpn.nix index d80dd9d..789d430 100644 --- a/nixos/modules/openvpn.nix +++ b/nixos/modules/openvpn.nix @@ -8,11 +8,6 @@ in { options = { cynerd.openvpn = { - personal = mkOption { - type = types.bool; - default = false; - description = "My personal OpenVPN"; - }; oldpersonal = mkOption { type = types.bool; default = false; @@ -28,9 +23,6 @@ in { config = { services.openvpn.servers = { - personal = mkIf cnf.personal { - config = "config /run/secrets/personal.ovpn"; - }; oldpersonal = mkIf cnf.oldpersonal { config = "config /run/secrets/old.ovpn"; }; diff --git a/nixos/modules/router.nix b/nixos/modules/router.nix index 3002d9b..c8b1283 100644 --- a/nixos/modules/router.nix +++ b/nixos/modules/router.nix @@ -50,7 +50,6 @@ in { config = mkIf cnf.enable { networking = { useNetworkd = true; - nftables.enable = true; firewall = { logRefusedConnections = false; interfaces = { 
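Review bot: Replacing `keyfile` with `environmentFiles` plus `password = "\${MQTT_PASSWORD}"` moves the broker credential from a file the daemon reads itself into an environment variable that the service module has to interpolate into a rendered config; where that rendered file is written and with what mode is not visible here, so confirm the module renders it under a private runtime directory with a restrictive umask and never into the world-readable Nix store (the `\${…}` escape correctly keeps the placeholder literal, so the secret is not present at eval time). Also confirm `/run/secrets/bigclown.env` is deployed read-only for the service's user and holds only `MQTT_PASSWORD=…`, and retire the now-unused `mqtt-bigclown.pass` secret. A comment such as `# password is substituted from /run/secrets/bigclown.env at service start; never inline it here` would make the intent clear to the next editor. The enclosing service block begins before this hunk.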
diff --git a/nixos/modules/switch.nix b/nixos/modules/switch.nix index 669b6ab..37ac687 100644 --- a/nixos/modules/switch.nix +++ b/nixos/modules/switch.nix @@ -21,10 +21,7 @@ in { }; config = mkIf cnf.enable { - networking = { - useNetworkd = true; - nftables.enable = true; - }; + networking.useNetworkd = true; systemd.network = { netdevs = { diff --git a/nixos/modules/wireguad.nix b/nixos/modules/wireguad.nix index d96fc9e..ca28818 100644 --- a/nixos/modules/wireguad.nix +++ b/nixos/modules/wireguad.nix @@ -81,18 +81,47 @@ in { IPForward = is_endpoint; }; routes = - (optional (hostName != "spt-omnia") { + (optional (hostName != "lipwig") { + # OpenVPN network + routeConfig = { + Gateway = config.cynerd.hosts.wg.lipwig; + Destination = "10.8.0.0/24"; + Metric = 2048; + }; + }) + ++ (optional (hostName != "spt-omnia") { + # SPT network routeConfig = { Gateway = config.cynerd.hosts.wg.spt-omnia; Destination = "10.8.2.0/24"; + Metric = 2048; }; }) ++ (optional (hostName != "adm-omnia" && hostName != "lipwig") { + # Adamkovi network routeConfig = { Gateway = config.cynerd.hosts.wg.adm-omnia; Destination = "10.8.3.0/24"; + Metric = 2048; }; - }); + }) + ++ (optionals (hostName != "dean") [ + # Elektroline + { + routeConfig = { + Gateway = config.cynerd.hosts.wg.dean; + Destination = "10.0.0.0/22"; + Metric = 2048; + }; + } + { + routeConfig = { + Gateway = config.cynerd.hosts.wg.dean; + Destination = "10.0.20.0/24"; + Metric = 2048; + }; + } + ]); }; }; networking.firewall.allowedUDPPorts = [51820]; -- cgit v1.2.3
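Review bot: The new routes for `10.0.0.0/22` and `10.0.20.0/24` via dean (and `10.8.0.0/24` via lipwig) only carry traffic if the corresponding peer's `AllowedIPs` — in the `wireguardPeers` definition outside this hunk — also lists those prefixes; WireGuard's cryptokey routing drops outbound packets whose destination matches no peer's `AllowedIPs` and inbound packets whose source is not in the sending peer's, so without that change these routes silently blackhole. Please verify that dean's peer entry on every other host includes `10.0.0.0/22` and `10.0.20.0/24` and lipwig's includes `10.8.0.0/24`. Note also that this gives every mesh member, including the Internet-facing lipwig, a path into what the comment labels the Elektroline network through dean's NAT — a deliberate trust extension worth stating, e.g. `# Elektroline: reachable only via dean's NAT; every peer (including lipwig) is trusted into it`. The `Metric = 2048` presumably lets a host physically attached to one of these LANs prefer its directly connected route; a short comment saying so would help.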