From 632519e0413f6316a105c6a4835e23dc851743da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?= Date: Mon, 11 Sep 2023 23:51:13 +0200 Subject: [PATCH] feat: add Pie --- flake.lock | 125 +++++++++++++++++++++++---- flake.nix | 15 +++- hosts/pie/configuration.nix | 37 ++++++++ hosts/pie/default.nix | 7 ++ hosts/pie/dhcpd.nix | 80 +++++++++++++++++ hosts/pie/hardware-configuration.nix | 40 +++++++++ hosts/pie/pie.nix | 47 ++++++++++ hosts/pie/unbound.nix | 41 +++++++++ hosts/pie/wake-droppie.nix | 9 ++ 9 files changed, 382 insertions(+), 19 deletions(-) create mode 100644 hosts/pie/configuration.nix create mode 100644 hosts/pie/default.nix create mode 100644 hosts/pie/dhcpd.nix create mode 100644 hosts/pie/hardware-configuration.nix create mode 100644 hosts/pie/pie.nix create mode 100644 hosts/pie/unbound.nix create mode 100644 hosts/pie/wake-droppie.nix diff --git a/flake.lock b/flake.lock index 299d01eb..f3410075 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,43 @@ { "nodes": { + "adblock-unbound": { + "inputs": { + "adblockStevenBlack": "adblockStevenBlack", + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixos" + ] + }, + "locked": { + "lastModified": 1688055723, + "narHash": "sha256-8WtkSAr4qYA3o6kiOCESK3rHJmIsa6TMBrT3/Cbfvro=", + "owner": "MayNiklas", + "repo": "nixos-adblock-unbound", + "rev": "9356ccd526fdcf91bfee7f0ebebae831349d43cc", + "type": "github" + }, + "original": { + "owner": "MayNiklas", + "repo": "nixos-adblock-unbound", + "type": "github" + } + }, + "adblockStevenBlack": { + "flake": false, + "locked": { + "lastModified": 1665337238, + "narHash": "sha256-LYYjWMy4xXXqnM3ROKseS7y0faNLYyyDPqUe1+Uf+RE=", + "owner": "StevenBlack", + "repo": "hosts", + "rev": "ff7d9bed83732bd3980ae452927541c6c4b15382", + "type": "github" + }, + "original": { + "owner": "StevenBlack", + "repo": "hosts", + "type": "github" + } + }, "agenix": { "inputs": { "darwin": [ 
@@ -47,8 +85,8 @@ "inputs": { "devshell": "devshell_3", "flake-compat": "flake-compat_2", - "flake-utils": "flake-utils_4", - "nixpkgs": "nixpkgs" + "flake-utils": "flake-utils_5", + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1686513235, @@ -90,7 +128,7 @@ }, "devshell": { "inputs": { - "flake-utils": "flake-utils", + "flake-utils": "flake-utils_2", "nixpkgs": [ "digga", "nixpkgs" @@ -189,7 +227,7 @@ "flake-compat": [ "flake-compat" ], - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_3", "flake-utils-plus": "flake-utils-plus", "home-manager": [ "home" @@ -283,11 +321,11 @@ }, "flake-utils": { "locked": { - "lastModified": 1642700792, - "narHash": "sha256-XqHrk7hFb+zBvRg6Ghl+AZDq03ov6OshJLiSWOoX5es=", + "lastModified": 1659877975, + "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", "owner": "numtide", "repo": "flake-utils", - "rev": "846b2ae0fc4cc943637d3d1def4454213e203cba", + "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", "type": "github" }, "original": { @@ -319,6 +357,21 @@ } }, "flake-utils_2": { + "locked": { + "lastModified": 1642700792, + "narHash": "sha256-XqHrk7hFb+zBvRg6Ghl+AZDq03ov6OshJLiSWOoX5es=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "846b2ae0fc4cc943637d3d1def4454213e203cba", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { "locked": { "lastModified": 1667395993, "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", @@ -333,7 +386,7 @@ "type": "github" } }, - "flake-utils_3": { + "flake-utils_4": { "inputs": { "systems": "systems_2" }, @@ -351,7 +404,7 @@ "type": "github" } }, - "flake-utils_4": { + "flake-utils_5": { "inputs": { "systems": "systems_4" }, @@ -369,7 +422,7 @@ "type": "github" } }, - "flake-utils_5": { + "flake-utils_6": { "inputs": { "systems": "systems_6" }, 
@@ -411,7 +464,7 @@ "keycloak-theme-pub-solar": { "inputs": { "devshell": "devshell_2", - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_4", "nixpkgs": [ "nixos" ] @@ -463,6 +516,24 @@ "type": "github" } }, + "musnix": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1690426816, + "narHash": "sha256-vvOrLE6LlBVYigA1gSrlkknFwfuq9qmLA4h6ubiJ22g=", + "owner": "musnix", + "repo": "musnix", + "rev": "e651b06f8a3ac7d71486984100e8a79334da8329", + "type": "github" + }, + "original": { + "owner": "musnix", + "repo": "musnix", + "type": "github" + } + }, "nixos": { "locked": { "lastModified": 1693636127, @@ -496,15 +567,15 @@ }, "nixpkgs": { "locked": { - "lastModified": 1686412476, - "narHash": "sha256-inl9SVk6o5h75XKC79qrDCAobTD1Jxh6kVYTZKHzewA=", - "owner": "nixos", + "lastModified": 1690272529, + "narHash": "sha256-MakzcKXEdv/I4qJUtq/k/eG+rVmyOZLnYNC2w1mB59Y=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "21951114383770f96ae528d0ae68824557768e81", + "rev": "ef99fa5c5ed624460217c31ac4271cfb5cb2502c", "type": "github" }, "original": { - "owner": "nixos", + "owner": "NixOS", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" @@ -527,6 +598,22 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1686412476, + "narHash": "sha256-inl9SVk6o5h75XKC79qrDCAobTD1Jxh6kVYTZKHzewA=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "21951114383770f96ae528d0ae68824557768e81", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1693158576, "narHash": "sha256-aRTTXkYvhXosGx535iAFUaoFboUrZSYb1Ooih/auGp0=", @@ -544,6 +631,7 @@ }, "root": { "inputs": { + "adblock-unbound": "adblock-unbound", "agenix": "agenix", "darwin": "darwin", "deploy": "deploy", 
@@ -555,6 +643,7 @@ "keycloak-theme-pub-solar": "keycloak-theme-pub-solar", "latest": "latest", "master": "master", + "musnix": "musnix", "nixos": "nixos", "nixos-hardware": "nixos-hardware", "scan2paperless": "scan2paperless" @@ -564,8 +653,8 @@ "inputs": { "deno2nix": "deno2nix", "devshell": "devshell_4", - "flake-utils": "flake-utils_5", - "nixpkgs": "nixpkgs_2" + "flake-utils": "flake-utils_6", + "nixpkgs": "nixpkgs_3" }, "locked": { "lastModified": 1693298356, diff --git a/flake.nix b/flake.nix index 6cde0f39..1cc38644 100644 --- a/flake.nix +++ b/flake.nix @@ -42,6 +42,10 @@ fix-yubikey-agent.url = "github:pub-solar/nixpkgs/fix/use-latest-unstable-yubikey-agent"; fix-atomic-container-restarts.url = "github:pub-solar/nixpkgs/fix/atomic-container-restarts"; scan2paperless.url = "git+https://git.pub.solar/b12f/scan2paperless.git"; + musnix.url = "github:musnix/musnix"; + + adblock-unbound.url = "github:MayNiklas/nixos-adblock-unbound"; + adblock-unbound.inputs.nixpkgs.follows = "nixos"; }; outputs = { @@ -53,6 +57,7 @@ agenix, deploy, scan2paperless, + musnix, ... } @ inputs: digga.lib.mkFlake @@ -108,6 +113,7 @@ digga.nixosModules.nixConfig home.nixosModules.home-manager agenix.nixosModules.age + musnix.nixosModules.musnix ]; }; @@ -127,6 +133,11 @@ #}) ]; }; + + pie = { + system = "aarch64-linux"; + modules = [nixos-hardware.nixosModules.raspberry-pi-4]; + }; }; importables = rec { profiles = @@ -179,9 +190,11 @@ deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations { droppie = { + hostname = "backup.b12f.io"; sshUser = "yule"; }; - nougat-2 = { + + pie = { sshUser = "yule"; }; #example = { diff --git a/hosts/pie/configuration.nix b/hosts/pie/configuration.nix new file mode 100644 index 00000000..fdc5b953 --- /dev/null +++ b/hosts/pie/configuration.nix 
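Review bot: `musnix.url = "github:musnix/musnix";` is added without a `musnix.inputs.nixpkgs.follows = "nixos";` line, unlike the `adblock-unbound` input two lines below it, so the flake now carries a second, independently pinned nixpkgs — the flake.lock hunks above show `musnix` locking its own `nixpkgs` node at a different revision. That is a second package tree to track for updates and fixes, and anything musnix builds from its own input may be built against a different nixpkgs than the host. Add `musnix.inputs.nixpkgs.follows = "nixos";` next to the URL, mirroring the adblock-unbound lines.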
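Review bot: The new `pie` deploy node sets only `sshUser = "yule";`, while `droppie` in the same hunk gains an explicit `hostname = "backup.b12f.io";`. As far as I can tell deploy-rs connects to the node name when `hostname` is unset, so this deploy only works from a machine where the bare name `pie` resolves; the unbound config in this patch publishes `pie.local`, not `pie`. Add `hostname = "pie.local";` (or the static address `192.168.178.2`) for consistency with droppie. The `deploy.nodes` attrset continues outside the hunk.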
@@ -0,0 +1,37 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+{
+ config,
+ pkgs,
+ lib,
+ inputs,
+ ...
+}: {
+ imports = [
+ ./hardware-configuration.nix
+ ];
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.efiSupport = true;
+ boot.loader.grub.efiInstallAsRemovable = true;
+ boot.loader.grub.device = "nodev";
+ boot.loader.timeout = 5;
+
+ boot.loader.efi.canTouchEfiVariables = false;
+ boot.loader.systemd-boot.enable = false;
+ boot.loader.generic-extlinux-compatible.enable = false;
+
+ boot.supportedFilesystems = [ "zfs" ];
+ networking.hostId = "34234773";
+
+ boot.kernelPackages = pkgs.linuxPackages_6_1;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.11"; # Did you read the comment?
+}
diff --git a/hosts/pie/default.nix b/hosts/pie/default.nix
new file mode 100644
index 00000000..12cc94b9
--- /dev/null
+++ b/hosts/pie/default.nix
@@ -0,0 +1,7 @@
+{suites, ...}: {
+ imports =
+ [
+ ./pie.nix
+ ]
+ ++ suites.pie;
+}
diff --git a/hosts/pie/dhcpd.nix b/hosts/pie/dhcpd.nix
new file mode 100644
index 00000000..c5f97be0
--- /dev/null
+++ b/hosts/pie/dhcpd.nix
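Review bot: `boot.kernelPackages = pkgs.linuxPackages_6_1;` pins the kernel branch with no comment saying why. On a host that is about to become the LAN's resolver and DHCP server a pin needs an owner and a reason: it keeps the host on that branch whatever nixpkgs moves to, evaluation breaks once the attribute is removed, and I cannot tell from this hunk how it interacts with whatever kernel the nixos-hardware `raspberry-pi-4` module (added in flake.nix) selects. Add a why-comment such as `# pinned to 6.1: <reason> — TODO confirm this agrees with nixos-hardware's rpi4 kernel choice`, or drop the pin. The three header lines are the nixos-generate-config template text about editing this file directly and running `nixos-help`, which does not match a flake-managed host; a one-line purpose comment would serve better.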
@@ -0,0 +1,80 @@
+{ pkgs, adblock-unbound, ... }:
+{
+ services.kea.dhcp4 = {
+ enable = true;
+ settings = {
+ interfaces-config = {
+ interfaces = [
+ "enabcm6e4ei0"
+ "wlan0"
+ ];
+ };
+
+ lease-database = {
+ name = "/var/lib/kea/dhcp4.leases";
+ persist = true;
+ type = "memfile";
+ };
+
+ rebind-timer = 2000;
+ renew-timer = 1000;
+ valid-lifetime = 4000;
+
+ subnet4 = [
+ {
+ subnet = "192.168.178.0/24";
+ pools = [
+ { pool = "192.168.178.2 - 192.168.178.255"; }
+ ];
+
+ option-data = [
+ {
+ name = "domain-name-servers";
+ space = "dhcp4";
+ csv-format = true;
+ data = "192.168.178.2";
+ always-send = true;
+ }
+ {
+ name = "routers";
+ data = "192.168.178.1";
+ always-send = true;
+ }
+ ];
+
+ reservations = [
+ {
+ hostname = "droppie.local";
+ hw-address = "08:F1:EA:97:0F:0C";
+ ip-address = "192.168.178.3";
+ }
+ {
+ hostname = "pie.local";
+ hw-address = "dc:a6:32:5c:31:64";
+ ip-address = "192.168.178.2";
+ }
+ ];
+ }
+ ];
+ };
+ };
+
+ services.kea.dhcp6 = {
+ enable = true;
+ settings = {
+ interfaces-config = {
+ interfaces = [
+ "enabcm6e4ei0"
+ "wlan0"
+ ];
+ };
+ lease-database = {
+ name = "/var/lib/kea/dhcp6.leases";
+ persist = true;
+ type = "memfile";
+ };
+ rebind-timer = 2000;
+ renew-timer = 1000;
+ };
+ };
+}
diff --git a/hosts/pie/hardware-configuration.nix b/hosts/pie/hardware-configuration.nix
new file mode 100644
index 00000000..22747080
--- /dev/null
+++ b/hosts/pie/hardware-configuration.nix
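Review bot: The pool `192.168.178.2 - 192.168.178.255` ends on the subnet's broadcast address and starts on the two addresses the `reservations` block below assigns statically (.2 for pie, .3 for droppie); make it `{ pool = "192.168.178.10 - 192.168.178.254"; }` or similar so the dynamic range can never hand out the broadcast address and does not rely on Kea excluding the reserved hosts from it. Both `interfaces` lists bind `wlan0` while the generated hardware-configuration.nix in this patch leaves `networking.useDHCP = lib.mkDefault true`, so if wlan0 ever joins another network as a client this host answers that network's DHCP requests as well; unless wlan0 is meant to serve clients, drop it from both lists. `services.kea.dhcp6` is enabled with no `subnet6`, so it serves nothing — add one or leave it disabled. The module arguments `pkgs` and `adblock-unbound` are unused, and `adblock-unbound` is not a standard module argument (unbound.nix reaches it via `inputs.adblock-unbound`), so unless it is supplied as a specialArg the module fails to evaluate; `{ ... }:` is enough here.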
@@ -0,0 +1,40 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "uas" "usb_storage" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" = {
+ device = "zroot/root";
+ fsType = "zfs";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/DA7C-BE8B";
+ fsType = "vfat";
+ };
+
+ swapDevices = [
+ { device = "/dev/disk/by-uuid/8ce4ae9c-2db0-41b0-8468-91bb184707d1"; }
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.end0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+ powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}
diff --git a/hosts/pie/pie.nix b/hosts/pie/pie.nix
new file mode 100644
index 00000000..1aa30624
--- /dev/null
+++ b/hosts/pie/pie.nix
@@ -0,0 +1,47 @@
+{
+ config,
+ pkgs,
+ lib,
+ self,
+ ...
+}:
+with lib; let
+ psCfg = config.pub-solar;
+ xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in {
+ imports = [
+ ./configuration.nix
+ ./unbound.nix
+ ./dhcpd.nix
+ ./wake-droppie.nix
+ ];
+
+ config = {
+ pub-solar.core.disk-encryption-active = false;
+ pub-solar.core.lite = true;
+
+ networking.defaultGateway = {
+ address = "192.168.178.1";
+ interface = "enabcm6e4ei0";
+ };
+
+ networking.interfaces.enabcm6e4ei0.ipv4.addresses = [
+ {
+ address = "192.168.178.2";
+ prefixLength = 24;
+ }
+ ];
+
+ security.sudo.extraRules = [
+ {
+ users = ["${psCfg.user.name}"];
+ commands = [
+ {
+ command = "ALL";
+ options = ["NOPASSWD"];
+ }
+ ];
+ }
+ ];
+ };
+}
diff --git a/hosts/pie/unbound.nix b/hosts/pie/unbound.nix
new file mode 100644
index 00000000..64088248
--- /dev/null
+++ b/hosts/pie/unbound.nix
@@ -0,0 +1,41 @@
+{ pkgs, inputs, ... }:
+let
+ adlist = inputs.adblock-unbound.packages.${pkgs.system};
+in {
+ networking.firewall.allowedUDPPorts = [ 53 ];
+ networking.firewall.allowedTCPPorts = [ 53 ];
+
+ services.unbound = {
+ enable = true;
+ settings = {
+ server = {
+ include = [
+ "\"${adlist.unbound-adblockStevenBlack}\""
+ ];
+ interface = [ "0.0.0.0" ];
+ access-control = [ "192.168.178.0/24 allow" ];
+ local-zone = [
+ "\"b12f.io\" static"
+ "\"local\" static"
+ "\"box\" static"
+ ];
+ local-data = [
+ "\"backup.b12f.io. 10800 IN A 192.168.178.3\""
+ "\"pie.local. 10800 IN A 192.168.178.2\""
+ "\"fritz.box. 10800 IN A 192.168.178.1\""
+ ];
+ };
+ forward-zone = [
+ {
+ name = ".";
+ forward-addr = [
+ "9.9.9.9@53#quad9"
+ "2620:fe::fe@53#quad9"
+ ];
+ forward-tls-upstream = "no";
+ }
+ ];
+ };
+ };
+
+}
diff --git a/hosts/pie/wake-droppie.nix b/hosts/pie/wake-droppie.nix
new file mode 100644
index 00000000..56aa6c21
--- /dev/null
+++ b/hosts/pie/wake-droppie.nix
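Review bot: `security.sudo.extraRules` grants `${psCfg.user.name}` `command = "ALL"` with `NOPASSWD`, i.e. unrestricted root with no authentication for the account that `deploy.nodes.pie` in flake.nix logs in as; presumably this exists for deploy-rs activation, but the rule carries no comment and is wider than that purpose needs. At minimum record why, e.g. `# deploy-rs activates the profile over ssh as this user and needs passwordless sudo`, and if the account is only used for deploys consider limiting the SSH key to that use. `networking.interfaces.enabcm6e4ei0.ipv4.addresses` and `networking.defaultGateway` make this host static, but the generated hardware-configuration.nix in this patch keeps `networking.useDHCP = lib.mkDefault true`, so the DHCP server also runs a DHCP client on its own interfaces; add `networking.useDHCP = false;` here. The `xdg` binding, the `self` argument and `with lib;` are unused in this file and can go.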
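Review bot: `forward-tls-upstream = "no"` with `9.9.9.9@53` and `2620:fe::fe@53` forwards every LAN query to Quad9 in cleartext, although Quad9 serves DNS-over-TLS on 853 and unbound accepts the `IP@port#authname` form for it; enabling it is the few lines sketched below and needs a `tls-cert-bundle` so the upstream certificate is actually verified. `interface = [ "0.0.0.0" ]` together with `networking.firewall.allowedUDPPorts = [ 53 ]` (and TCP) opens the resolver on every interface including wlan0; `access-control` refuses non-LAN sources, but scoping the rules via `networking.firewall.interfaces.enabcm6e4ei0.allowedUDPPorts` keeps the port closed elsewhere. `local-zone "b12f.io" static` answers NXDOMAIN for every b12f.io name other than `backup.b12f.io`; if other hosts under that domain are meant to resolve from the LAN, `transparent` is the zone type that falls through to forwarding.
```nix
        server = {
          # … unchanged: include, interface, access-control, local-zone, local-data …
          tls-cert-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
        };
        forward-zone = [
          {
            name = ".";
            forward-addr = [
              "9.9.9.9@853#dns.quad9.net"
              "2620:fe::fe@853#dns.quad9.net"
            ];
            forward-tls-upstream = "yes";
          }
        ];
```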
@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+{
+ services.cron = {
+ enable = true;
+ systemCronJobs = [
+ "30 1 * * * wake-droppie ${pkgs.wakeonlan}/bin/wakeonlan 08:F1:EA:97:0F:0C"
+ ];
+ };
+}
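Review bot: The cron line `"30 1 * * * wake-droppie ${pkgs.wakeonlan}/bin/wakeonlan 08:F1:EA:97:0F:0C"` runs as the user `wake-droppie` (the sixth field of a system crontab entry), but nothing in this patch declares that user, so cron will fail the job every night unless it is created elsewhere. Either declare it — `users.users.wake-droppie = { isSystemUser = true; group = "wake-droppie"; }; users.groups.wake-droppie = {};` — or run the job as an existing unprivileged user; a UDP magic packet does not need root. The same MAC `08:F1:EA:97:0F:0C` is also hard-coded in the dhcpd.nix reservation for droppie, so keeping it in one place would stop the two from drifting. A comment naming what the 01:30 wake is for (presumably the backup host, given `backup.b12f.io` maps to droppie) would help.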