From cccd4338c96ac35c0f5eb37a82c8131f0268e083 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= Date: Tue, 20 Feb 2024 21:09:58 +0100 Subject: nixos/spt-omnia: update and fix --- flake.lock | 48 +++++++++++++------------- nixos/machine/spt-omnia.nix | 83 ++++++++++++++++++++++++++++++++++++++++----- nixos/modules/generic.nix | 8 ++++- nixos/modules/hosts.nix | 1 + nixos/routers/router.nix | 3 -- nixos/routers/wifi-spt.nix | 66 +++++++++++++++++++---------------- 6 files changed, 142 insertions(+), 67 deletions(-) diff --git a/flake.lock b/flake.lock index a88521c..2c4788f 100644 --- a/flake.lock +++ b/flake.lock @@ -230,11 +230,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1707918957, - "narHash": "sha256-6Ll9RRKKkR2UHReehRcM2kzhO6Rq9kOrRBwwSKgNIfY=", + "lastModified": 1708425420, + "narHash": "sha256-VCRZDSqxCHrbs46+OEu6MiCcPGpT/JTBvGAb6BjaqcU=", "ref": "refs/heads/master", - "rev": "710a24d16bde5f45a1c767ae870d534f5ddc774a", - "revCount": 3501, + "rev": "2082ee48503c3ebe376a9b4d23eb6bc33a54b6a6", + "revCount": 3512, "submodules": true, "type": "git", "url": "https://gitlab.elektroline.cz/elektroline/flatlineng.git" @@ -426,11 +426,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1708057191, - "narHash": "sha256-O3M5EGAeKZdEzfFIjqah0d8M44A4QCSVwvkbz4cbC2s=", + "lastModified": 1708407374, + "narHash": "sha256-EECzarm+uqnNDCwaGg/ppXCO11qibZ1iigORShkkDf0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5e55f0bb65124b05d0a52e164514c03596023634", + "rev": "f33dd27a47ebdf11dc8a5eb05e7c8fbdaf89e73f", "type": "github" }, "original": { @@ -440,11 +440,11 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1708103068, - "narHash": "sha256-A3Itq2swJOJ9+RzcmHEA8Tpd8opWAVin3GchouNR8uk=", + "lastModified": 1708405701, + "narHash": "sha256-E78TXiZiR9irWdYAVltRxZPJ+pMxXPU5PjHwqq6XLtI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "607312f76ac46232b6f690748ff0383a2249af05", + "rev": "fa15b53dbea5028db38d6e09b4cef6eba42aeebb", "type": "github" }, "original": { @@ -515,11 +515,11 @@ "nixpkgs": "nixpkgs_6" }, "locked": { - "lastModified": 1707903116, - "narHash": "sha256-GXCQCsOP8D6mpPDUDJCyhyfUFFq/SfFxDS0ZS5Qg+0k=", + "lastModified": 1708186608, + "narHash": "sha256-yDIbHSKSyXRWOknzpwZ/dLAa9PjSk5CibwN0nrJEFFk=", "owner": "cynerd", "repo": "nixturris", - "rev": "8551fe9cd3bbf60c0ae8a6835291e3e1bc07280c", + "rev": "a446cb11256ae77161384af2451875eb63c19d4d", "type": "gitlab" }, "original": { @@ -530,11 +530,11 @@ }, "personal-secret": { "locked": { - "lastModified": 1708111656, - "narHash": "sha256-GXPsF79NePyUy4VoQIzU4gQNNcIqpvsimjV+4Mzqq+I=", + "lastModified": 1708459156, + "narHash": "sha256-NrEpPIdAceJVeQHKSF2blD++e8FfxPBzWILXsoW8qoc=", "ref": "refs/heads/master", - "rev": "37ce5a6415fd787fb272f52f30b4cb6a2976f096", - "revCount": 88, + "rev": "24d085ef420ab7f3186f969f58f70f62c4bd743b", + "revCount": 93, "type": "git", "url": "ssh://git@cynerd.cz/nixos-personal-secret" }, @@ -626,11 +626,11 @@ "nixpkgs": "nixpkgs_11" }, "locked": { - "lastModified": 1706904066, - "narHash": "sha256-w0rCOahhT991M+QWdEfhwb88B/juXTr66iauNu2w48s=", + "lastModified": 1708357912, + "narHash": "sha256-+eDr/7AdOiwA63hSVkFgWx37kc+bqg+YVajLYxJC7ro=", "ref": "refs/heads/master", - "rev": "fa91bbe409a899c8db86de565bf8d7cbba3dba9c", - "revCount": 432, + "rev": "76601ce0137feeb6bd69432963cb36b12e42f407", + "revCount": 434, "submodules": true, "type": "git", "url": "https://github.com/silicon-heaven/shvspy.git" @@ -812,11 +812,11 @@ }, "vpsadminos": { "locked": { - "lastModified": 1708015534, - "narHash": "sha256-IB+aVK43i5/+F3vAlR8UcasviCz1xSUaBC5JNXBD5RM=", + "lastModified": 1708364097, + "narHash": "sha256-7VYZ9Y7lEtiDQPritENiiIzGTWk4GDrAOqqJFZjwZPg=", "owner": "vpsfreecz", "repo": "vpsadminos", - "rev": "4f2f74ded6a6b1b9de6d45918dbe53073b9561c2", + "rev": "b9956bd62059d06114d4368dedd24777fa75f126", "type": "github" }, "original": { diff --git a/nixos/machine/spt-omnia.nix b/nixos/machine/spt-omnia.nix index ac4ebdf..f2ea4f0 100644 --- a/nixos/machine/spt-omnia.nix +++ b/nixos/machine/spt-omnia.nix @@ -14,26 +14,89 @@ in { lanIP = hosts.omnia; staticLeases = { "a8:a1:59:10:32:c4" = hosts.errol; + "7c:b0:c2:bb:9c:ca" = hosts.albert; "4c:d5:77:0d:85:d9" = hosts.binky; + "b8:27:eb:57:a2:31" = hosts.mpd; + "74:bf:c0:42:82:19" = hosts.printer; }; }; wifiAP.spt = { enable = true; ar9287 = { - interface = "wlp3s0"; - bssids = ["04:f0:21:23:16:64" "08:f0:21:23:16:64"]; - channel = 13; + interface = "wlp1s0"; + bssids = ["04:f0:21:24:21:93" "08:f0:21:24:21:93"]; + channel = 11; }; qca988x = { - interface = "wlp2s0"; - bssids = ["04:f0:21:24:21:93" "08:f0:21:24:21:93"]; + interface = "wlp3s0"; + bssids = ["04:f0:21:23:16:64" "08:f0:21:23:16:64"]; channel = 36; }; }; - #openvpn.oldpersonal = true; + openvpn.oldpersonal = true; monitoring.speedtest = true; }; + environment = { + etc.crypttab.text = '' + nas UUID=3472bef9-cbae-48bd-873e-fd4858a0b72f /run/secrets/luks-spt-omnia-nas.key luks + nassec UUID=016e9e75-bbc8-4b24-8bb7-c800c8f6a500 /run/secrets/luks-spt-omnia-nas.key luks + ''; + systemPackages = with pkgs; [ + cryptsetup + ]; + }; + fileSystems = { + "/data" = { + device = "/dev/mapper/nas"; + fsType = "btrfs"; + options = ["compress=lzo" "subvol=@data" "nofail"]; + }; + "/srv" = { + device = "/dev/mapper/nas"; + fsType = "btrfs"; + options = ["compress=lzo" "subvol=@srv" "nofail"]; + depends = ["/data"]; + }; + }; + services.btrfs.autoScrub = { + enable = true; + fileSystems = ["/" "/data"]; + }; + services.udev.packages = [ + (pkgs.writeTextFile rec { + name = "queue_depth_sata.rules"; + destination = "/etc/udev/rules.d/50-${name}"; + text = '' + ACTION=="add|change", SUBSYSTEM=="scsi", ATTR{queue_depth}="1" + ''; + }) + ]; + + users = { + groups.nas = {}; + users = { + nas = { + group = "nas"; + openssh.authorizedKeys.keyFiles = [(config.personal-secrets + "/unencrypted/nas.pub")]; + isNormalUser = true; + home = "/data/nas"; + homeMode = "770"; + }; + cynerd.extraGroups = ["nas"]; + }; + }; + services.openssh = { + settings.Macs = ["hmac-sha2-256"]; # Allow sha2-256 for Nexcloud access + extraConfig = '' + Match User nas + X11Forwarding no + AllowTcpForwarding no + AllowAgentForwarding no + ForceCommand internal-sftp -d /data/nas + ''; + }; + networking.useDHCP = false; systemd.network = { netdevs = { @@ -102,18 +165,20 @@ in { ''; }; systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.848.device"]; + # TODO limit NSS clamping to just pppoe-wan networking.firewall.extraForwardRules = '' - tcp flags syn tcp option maxseg size set rt mtu + tcp flags syn tcp option maxseg size set rt mtu comment "Needed for PPPoE to fix IPv4" + iifname {"home", "personalvpn"} oifname {"home", "personalvpn"} accept ''; services.syncthing = { - enable = true; + enable = false; openDefaultPorts = true; overrideDevices = false; overrideFolders = false; - dataDir = "/data"; + dataDir = "/data"; # TODO this can't be the location }; }; } diff --git a/nixos/modules/generic.nix b/nixos/modules/generic.nix index 33d7024..35880f1 100644 --- a/nixos/modules/generic.nix +++ b/nixos/modules/generic.nix @@ -167,7 +167,13 @@ in { ]; networking.dhcpcd.extraConfig = "controlgroup wheel"; - services.openssh.enable = true; + services.openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "no"; + }; + }; time.timeZone = "Europe/Prague"; i18n.defaultLocale = "en_US.UTF-8"; diff --git a/nixos/modules/hosts.nix b/nixos/modules/hosts.nix index 76e884d..8a9318c 100644 --- a/nixos/modules/hosts.nix +++ b/nixos/modules/hosts.nix @@ -46,6 +46,7 @@ in { # Local "mpd" = "10.8.2.51"; "errol" = "10.8.2.60"; + "printer" = "10.8.2.90"; # Portable "albert" = "10.8.2.61"; "binky" = "10.8.2.63"; diff --git a/nixos/routers/router.nix b/nixos/routers/router.nix index 5aa6cc6..ed634b1 100644 --- a/nixos/routers/router.nix +++ b/nixos/routers/router.nix @@ -59,9 +59,6 @@ in { }; rejectPackets = true; filterForward = true; - extraForwardRules = '' - iifname "guest" oifname != "${cnf.wan}" drop comment "prevent guest to access other networks" - ''; }; nat = { enable = true; diff --git a/nixos/routers/wifi-spt.nix b/nixos/routers/wifi-spt.nix index 0ebcaa1..769449d 100644 --- a/nixos/routers/wifi-spt.nix +++ b/nixos/routers/wifi-spt.nix @@ -3,8 +3,8 @@ lib, pkgs, ... -}: -with lib; let +}: let + inherit (lib) mkOption mkEnableOption types mkIf mkMerge hostapd elemAt; cnf = config.cynerd.wifiAP.spt; wOptions = card: channelDefault: { @@ -34,13 +34,17 @@ in { }; config = mkIf cnf.enable { + # TODO regdom doesn't work for some reason + boot.extraModprobeConfig = '' + options cfg80211 ieee80211_regdom="CZ" + ''; services.hostapd = { enable = true; - radios = - mkIf (cnf.ar9287.interface != null) { + radios = mkMerge [ + (mkIf (cnf.ar9287.interface != null) { "${cnf.ar9287.interface}" = { - countryCode = "CZ"; inherit (cnf.ar9287) channel; + countryCode = "CZ"; wifi4 = { enable = true; inherit (hostapd.qualcomAtherosAR9287.wifi4) capabilities; @@ -64,13 +68,13 @@ in { #}; }; }; - } - // mkIf (cnf.qca988x.interface != null) { + }) + (mkIf (cnf.qca988x.interface != null) { "${cnf.qca988x.interface}" = let is2g = cnf.qca988x.channel <= 14; in { - countryCode = "CZ"; inherit (cnf.qca988x) channel; + countryCode = "CZ"; band = if is2g then "2g" @@ -106,21 +110,22 @@ in { #}; }; }; - }; + }) + ]; }; - systemd.network.networks = - mkIf (cnf.ar9287.interface != null) { + systemd.network.networks = mkMerge [ + (mkIf (cnf.ar9287.interface != null) { "lan-${cnf.ar9287.interface}" = { matchConfig.Name = cnf.ar9287.interface; networkConfig.Bridge = "brlan"; - #bridgeVLANs = [ - # { - # bridgeVLANConfig = { - # EgressUntagged = 1; - # PVID = 1; - # }; - # } - #]; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 1; + PVID = 1; + }; + } + ]; }; #"lan-${cnf.ar9287.interface}-guest" = { # matchConfig.Name = "${cnf.ar9287.interface}.guest"; @@ -134,19 +139,19 @@ in { # } # ]; #}; - } - // mkIf (cnf.qca988x.interface != null) { + }) + (mkIf (cnf.qca988x.interface != null) { "lan-${cnf.qca988x.interface}" = { matchConfig.Name = cnf.qca988x.interface; networkConfig.Bridge = "brlan"; - #bridgeVLANs = [ - # { - # bridgeVLANConfig = { - # EgressUntagged = 1; - # PVID = 1; - # }; - # } - #]; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 1; + PVID = 1; + }; + } + ]; }; #"lan-${cnf.qca988x.interface}-guest" = { # matchConfig.Name = "${cnf.qca988x.interface}.guest"; @@ -160,6 +165,7 @@ in { # } # ]; #}; - }; + }) + ]; }; } -- cgit v1.2.3