move hosts to separate flakes

Hendrik Sokolowski 2023-11-11 21:17:32 +01:00
parent 20c827e8f2
commit 664e542de6
86 changed files with 1 additions and 4332 deletions


@ -1,10 +0,0 @@
{
pkgs,
config,
...
}: {
security.acme = {
acceptTerms = true;
defaults.email = "hensoko@gssws.de";
};
}


@ -1,114 +0,0 @@
{
pkgs,
config,
flake,
...
}: let
containerStateDir = "/var/lib/authelia-gssws";
hostStateDir = "/opt/authelia";
domain = "auth.gssws.de";
redirectDomain = "home.gssws.de";
servicePort = 9091;
in {
age.secrets.authelia_users = {
file = "${flake.self}/secrets/chonk_authelia_users.age";
owner = "999";
group = "999";
};
age.secrets.authelia_storage_encryption_key = {
file = "${flake.self}/secrets/chonk_authelia_storage_encryption_key.age";
owner = "999";
group = "999";
};
age.secrets.authelia_jwt_secret = {
file = "${flake.self}/secrets/chonk_authelia_jwt_secret.age";
owner = "999";
group = "999";
};
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString servicePort}";
};
};
containers."authelia" = {
autoStart = true;
ephemeral = true;
bindMounts = {
"${containerStateDir}" = {
hostPath = hostStateDir;
isReadOnly = false;
};
"/run/agenix" = {
hostPath = "/run/agenix";
isReadOnly = false;
};
"/run/agenix.d" = {
hostPath = "/run/agenix.d";
isReadOnly = false;
};
};
config = {
config,
pkgs,
...
}: {
networking.firewall.enable = false;
services.authelia.instances."gssws" = {
enable = true;
secrets = {
jwtSecretFile = "/run/agenix/authelia_jwt_secret";
storageEncryptionKeyFile = "/run/agenix/authelia_storage_encryption_key";
};
settings = {
theme = "dark";
server.port = servicePort;
session.domain = domain;
default_redirection_url = "https://${redirectDomain}/";
access_control.default_policy = "two_factor";
authentication_backend = {
password_reset.disable = true;
file = {
path = "/run/agenix/authelia_users";
};
};
storage.local.path = "/var/lib/authelia-gssws/db.sqlite3";
totp = {
issuer = "auth.gssws.de";
algorithm = "SHA512";
digits = 8;
};
webauthn = {
display_name = "auth.gssws.de";
};
notifier.smtp = {
host = "mail.gssws.de";
port = 25;
sender = "Authelia <authelia@gssws.de>";
identifier = "auth.gssws.de";
};
};
};
system.stateVersion = "23.05";
};
};
}


@ -1,37 +0,0 @@
{
config,
lib,
flake,
...
}: {
age.secrets.restic_repository_password.file = "${flake.self}/secrets/chonk_restic_repository_password.age";
age.secrets.restic_nextcloud_password.file = "${flake.self}/secrets/chonk_restic_nextcloud_password.age";
programs.ssh.extraConfig = ''
Host backup
HostName 10.0.1.12
Port 32222
User backup
IdentityFile /run/agenix/restic_ssh_private_key
'';
services.postgresqlBackup = {
enable = true;
backupAll = true;
compression = "zstd";
};
services.restic.backups = {
cox = {
passwordFile = "/run/agenix/restic_repository_password";
paths = [
"/mnt/internal/nextcloud"
"/var/backup/postgresql"
];
repositoryFile = "/run/agenix/restic_nextcloud_password";
timerConfig = {
OnCalendar = "02:00";
};
};
};
}


@ -1,33 +0,0 @@
{
config,
pkgs,
lib,
flake,
...
}: let
psCfg = config.pub-solar;
in {
age.secrets.nix-builder-private-key = {
owner = "builder";
group = "builder";
file = "${flake.self}/secrets/chonk_nix_builder_private_key.age";
};
nix = {
gc.automatic = lib.mkForce false;
settings.trusted-users = ["builder"];
};
boot.binfmt.emulatedSystems = ["aarch64-linux"];
users.groups."builder" = {};
users.users."builder" = {
isNormalUser = true;
group = "builder";
shell = pkgs.bashInteractive;
openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8hTdDTA+LVlHkOm5IBjT32PvAdCxYfUfFFRx+JGeS6 root@norman"];
};
nix.settings.secret-key-files = "/run/agenix/nix-builder-private-key";
}


@ -1,27 +0,0 @@
{
config,
lib,
pkgs,
...
}: {
boot.loader.systemd-boot.enable = lib.mkForce false;
#pub-solar.concourse-server.enable = true;
time.timeZone = "Europe/Berlin";
services.openssh.ports = [2222];
networking.nat.enable = true;
networking.nat.internalIPs = ["10.10.42.0/24" "10.0.1.1"];
networking.nat.externalInterface = "br0";
networking.firewall.enable = lib.mkForce true;
networking.firewall.allowedTCPPorts = [80 443 2222];
networking.firewall.allowedUDPPorts = [51899];
pub-solar.server.enable = true;
hardware.ksm.enable = true;
system.stateVersion = "21.05"; # Did you read the comment?
}


@ -1,25 +0,0 @@
{ ... }: {
imports = [
./configuration.nix
./hardware-configuration.nix
./acme.nix
./backup.nix
./drone.nix
./home-assistant.nix
./nextcloud.nix
./wireguard.nix
./builder.nix
./invidious.nix
./factorio.nix
./invoiceplane.nix
#./tang.nix
#./whiteboard.nix
./libvirt-container.nix
./monitoring.nix
./authelia.nix
];
}


@ -1,24 +0,0 @@
{
config,
pkgs,
flake,
...
}: {
age.secrets.drone_exec_runner_config = {
file = "${flake.self}/secrets/chonk_drone_exec_runner_config.age";
owner = "999";
};
pub-solar.docker-ci-runner = {
enable = true;
enableKvm = true;
nixCacheLocation = "/srv/drone-nix-cache/nix";
runnerEnvironment = {
DRONE_RUNNER_CAPACITY = "10";
DRONE_RUNNER_LABELS = "hosttype:baremetal";
};
runnerVarsFile = "/run/agenix/drone_exec_runner_config";
};
}


@ -1,180 +0,0 @@
{
lib,
config,
pkgs,
...
}:
with pkgs; let
modDrv = pkgs.factorio-utils.modDrv {
allRecommendedMods = true;
allOptionalMods = false;
};
# Krastorio
flib = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/EsrBq2XpR9bTp7b/download/flib_0.12.6.zip"
];
sha256 = "Wf/w3Bh4jT5DDEp6GCVdg181DxEjiWe1iN3h5X7/oAw=";
};
};
krastorio2Assets = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/czsmnaiis25TX8m/download/Krastorio2Assets_1.2.1.zip"
];
sha256 = "1Y8I40I8EQLdLuiWDr+aty8p7PNh1pY6IPkRVz2pi5E=";
};
};
krastorio2 = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/DepN4zWWjiEJpZt/download/Krastorio2_1.3.18.zip"
];
sha256 = "wuMVVW7SbDdBxcUmJLT9MzpC9W1RRJaTs2cYylt6ilU=";
};
deps = [flib krastorio2Assets];
};
# Alien Biomes
alienBiomes = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/FH22nM54PfcTios/download/alien-biomes_0.6.8.zip"
];
sha256 = "oy7VeSIxJmTNmpu/0tGqhbrfPFoJRQc5eS6eI/Epp1A=";
};
};
# Auto Deconstruct
autoDeconstruct = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/fSLQCfRGFKTbQSw/download/AutoDeconstruct_0.3.7.zip"
];
sha256 = "VYgLhfWSaWtbY8l+c+9v498IPA/Q7XdRveEsw/pxuJw=";
};
};
# Cargo Ships
cargoShips = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/tcYXBymFT8idCdb/download/cargo-ships_0.1.22.zip"
];
sha256 = "pfP97myiibmp00o75Yo9rVYS6cYKgflGiRNsP+FTjFU=";
};
};
# Electrical Trains
electricalTrains = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/oHXWpoi7kD52Dzt/download/Realistic_Electric_Trains_Krastorio_2_1.0.0.zip"
];
sha256 = "ujO5qRHzKgxX/vsYYvoBjh1UKukGD31FvjLQZzCqxlk=";
};
};
# far reach
farReach = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/KAqfr826ccHHRpG/download/far-reach_1.1.2.zip"
];
sha256 = "y1XuduS9WKMtGKLj7hQgh7wOy8l3l5WWlLTm6BJ1yxA=";
};
};
# Fluid Must Flow
fluidMustFlow = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/J2XA4jPNNWxSSti/download/FluidMustFlow_1.3.1.zip"
];
sha256 = "X2dGJCFL1dRRP7BFhFKI7mgtFd4zjHYWO8ehII6aaDc=";
};
};
# Recipe Book
recipeBook = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/oRQYJ4H7xkc3rtq/download/RecipeBook_3.5.2.zip"
];
sha256 = "dPj9FH0r4dXtdrXyAkVIwXveECCBzcVGlJmQsF0oSpE=";
};
};
# Regenerate Terrain
regenerateTerrain = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/YWTEB6rQeptmxGL/download/regenerate-terrain_0.3.1.zip"
];
sha256 = "EIZQeTzHAvSEFAOh6pN0Xd5GbqV9O/wI2QA5YtR8GxU=";
};
};
# Space Exploration
spaceExploration = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/yy79DMAQtqCcWYW/download/space-exploration_0.6.104.zip"
];
sha256 = "5vFD+6R4jqp2PH6ASa1JJ0+acXi+dBwyrM/xil8RyU0=";
};
};
# Todo List
todoList = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/bJjpgSMamwex7pF/download/Todo-List_19.3.0.zip"
];
sha256 = "0QPp7W2OOrkpLs+fOvTxut+6rV0heZdfEA4sbvyb+rs=";
};
};
# Vehicle Snap
vehicleSnap = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/ZgDTAgY4dxiwZ3d/download/VehicleSnap_1.18.5.zip"
];
sha256 = "VRo2feta/CZGXGHbOwLOWdXZUoiqwlLPne0dC3YPyDA=";
};
};
in rec
{
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"factorio-headless"
];
services.factorio = {
enable = true;
package = pkgs.factorio-headless-experimental;
openFirewall = true;
game-name = "pub.solar Factorio";
game-password = "pub.solar";
admins = ["hensoko"];
mods = [
krastorio2
alienBiomes
autoDeconstruct
cargoShips
electricalTrains
farReach
fluidMustFlow
recipeBook
regenerateTerrain
spaceExploration
todoList
vehicleSnap
];
};
}


@ -1,40 +0,0 @@
{ pkgs, config, lib, self, ... }:
{
age.secrets.garage_rpc_token = {
file = "${self}/secrets/chonk_garage_rpc_secret.age";
owner = "garage";
group = "garage";
};
networking.firewall.interfaces.wg0.allowedTCPPorts = [ 3900 3901 ];
users.groups.garage = {};
users.users.garage = {
group = "garage";
isSystemUser = true;
};
# overwrite dynamicuser
systemd.services.garage.serviceConfig = {
User = "garage";
Group = "garage";
DynamicUser = false;
StateDirectory = lib.mkForce null;
};
services.garage = {
enable = true;
package = pkgs.garage_0_8;
settings = {
replication_mode = "1";
rpc_bind_addr = "[::]:3901";
rpc_secret_file = config.age.secrets.garage_rpc_token.path;
s3_api = {
api_bind_addr = "[::]:3900";
s3_region = "garage";
root_domain = ".s3.gssws.de";
};
};
};
}


@ -1,119 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
...
}: {
boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.extraModprobeConfig = "options kvm_intel nested=1";
boot.kernelPackages = pkgs.linuxPackages_6_1;
boot.kernelParams = [ "ip=80.244.242.2::80.244.242.1:255.255.255.248:chonk::off" ];
boot.loader.grub = {
enable = true;
device = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_03025429121421051300-0:0";
};
boot.supportedFilesystems = [ "zfs" ];
boot.initrd = {
systemd.enable = true;
luks = {
forceLuksSupportInInitrd = true;
devices."cryptroot" = {
device = "/dev/disk/by-uuid/9e13c8ea-96d3-45b1-85f4-d1a61233da6f";
};
};
network = {
enable = true;
ssh = {
enable = true;
port = 2234;
authorizedKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work"];
hostKeys = [/etc/secrets/initrd/ssh_host_ed25519_key];
};
postCommands = ''
echo 'cryptsetup-askpass' >> /root/.profile
'';
};
services.swraid = {
enable = true;
mdadmConf = ''
ARRAY /dev/md/debian:0 metadata=1.2 name=debian:0 UUID=1156202f:835af09b:2e05e02a:a1869d1c
'';
};
};
fileSystems = {
"/" = {
device = "/dev/disk/by-label/root";
fsType = "ext4";
};
"/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "ext4";
};
"/mnt/internal" = {
device = "/dev/disk/by-uuid/3563f624-f8ed-4664-95d0-ca8b9db1c60a";
fsType = "ext4";
};
};
swapDevices = [
{device = "/dev/disk/by-label/swap";}
];
networking.bonds."bond0" = {
interfaces = ["eno1" "eno2"];
driverOptions = {
miimon = "100";
mode = "balance-xor";
xmit_hash_policy = "layer3+4";
};
};
networking = {
hostId = "c418ba82";
defaultGateway = {
address = "80.244.242.1";
interface = "br0";
};
defaultGateway6 = {
address = "2001:4d88:1ffa:26::1";
interface = "br0";
};
nameservers = ["95.129.51.51" "80.244.244.244"];
bridges."br0".interfaces = ["bond0"];
interfaces."br0" = {
ipv4.addresses = [
{
address = "80.244.242.2";
prefixLength = 29;
}
];
ipv6.addresses = [
{
address = "2001:4d88:1ffa:26::2";
prefixLength = 64;
}
];
};
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -1,25 +0,0 @@
{
pkgs,
config,
...
}: {
# HTTP
services.nginx.virtualHosts = let
makeVirtualHost = target: {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = target;
proxyWebsockets = true;
extraConfig = ''
proxy_ssl_server_name on;
proxy_pass_header Authorization;
'';
};
};
in {
"ha.gssws.de" = makeVirtualHost "http://10.0.1.11:8123";
"ha2.gssws.de" = makeVirtualHost "http://10.0.1.11:8123";
"ha.karinsokolowski.de" = makeVirtualHost "http://10.0.1.13:8123";
};
}


@ -1,23 +0,0 @@
{
flake,
config,
pkgs,
...
}: let
domain = "yt.gssws.de";
in {
age.secrets.invidious_db_password.file = "${flake.self}/secrets/chonk_invidious_db_password.age";
services.invidious = {
inherit domain;
enable = true;
nginx.enable = true;
database = {
createLocally = true;
passwordFile = "/run/agenix/invidious_db_password";
};
settings = {
https_only = true;
};
};
}


@ -1,62 +0,0 @@
{
config,
pkgs,
...
}: let
hostAddress = "10.10.42.1";
serviceAddress = "10.10.42.11";
domain = "inv.gssws.de";
hostStateDir = "/mnt/internal/invoiceplane";
containerStateDir = "/var/lib/invoiceplane";
in {
# nginx
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://${serviceAddress}:80";
};
};
};
# invoiceplane
containers."invoiceplane" = {
privateNetwork = true;
hostAddress = "10.10.42.1";
localAddress = serviceAddress;
bindMounts."${containerStateDir}" = {
hostPath = hostStateDir;
isReadOnly = false;
};
config = {
config,
pkgs,
...
}: {
networking.firewall.allowedTCPPorts = [80];
services.rsyslogd.enable = true;
services.phpfpm.pools."invoiceplane-${domain}".phpOptions = ''
date.timezone = Europe/Berlin
'';
services.caddy.virtualHosts."http://${domain}".listenAddresses = ["0.0.0.0"];
services.invoiceplane.sites."${domain}" = {
enable = true;
stateDir = containerStateDir;
database = {
user = "invoiceplane";
name = "invoiceplane";
};
};
system.stateVersion = "22.11";
};
};
}


@ -1,66 +0,0 @@
{
config,
pkgs,
...
}: {
networking.firewall.allowedTCPPorts = [4222];
containers."libvirt-container" = {
autoStart = true;
bindMounts."/dev/kvm" = {
hostPath = "/dev/kvm";
isReadOnly = false;
};
allowedDevices = [
{
node = "/dev/kvm";
modifier = "rw";
}
{
node = "/dev/net/tun";
modifier = "rw";
}
{
node = "/dev/vnet*";
modifier = "rw";
}
];
forwardPorts = [
{
hostPort = 4222;
}
];
enableTun = true;
#extraFlags = [ "-U" ];
config = {
config,
pkgs,
...
}: {
networking.firewall.enable = false;
virtualisation.libvirtd.enable = true;
security.polkit.enable = true;
services.openssh = {
enable = true;
ports = [4222];
};
users.users.root = {
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFro/k4Mgqyh8yV/7Zwjc0dv60ZM7bROBU9JNd99P/4co6fxPt1pJiU/pEz2Dax/HODxgcO+jFZfvPEuLMCeAl0= YubiKey #10593996 PIV Slot 9a @teutat3s"
];
};
system.stateVersion = "22.11";
};
};
}


@ -1,92 +0,0 @@
{
config,
lib,
flake,
...
}: {
pub-solar.monitoring-server = {
enable = true;
listenAddress = "10.0.1.6";
grafana.enable = true;
node_exporter = {
enable = true;
hosts = [
"10.0.1.11:9002"
"10.0.1.12:9002"
"10.0.1.13:9002"
"10.0.1.254:9100"
];
};
snmp = {
enable = true;
hosts = [
"192.168.42.1"
#"10.0.1.254:9116" = [
# {
# targets = [ "192.168.42.1" ];
# auth = [ "public_v2" ];
# modules = [ "if_mib" ];
# }
#];
];
};
smokeping = {
enable = true;
hosts = [
"mail.gssws.de"
"cust.gssws.de"
"data.gssws.de"
"mail.hosting.de"
"blog.fefe.de"
# hosting.de
"ovh2.goekal.de"
"83.151.16.16"
"83.151.16.17"
"83.151.16.51"
"r2backup17.masterlogin.de"
"demo.routing.net"
"vsrv07344.customer.vlinux.de"
"213.160.76.43"
"185.11.139.27"
"185.11.137.4"
"83.151.30.176"
"83.151.28.246"
"83.151.21.204"
"79.140.42.4"
"31.15.67.23"
"31.15.64.79"
"80.244.244.244"
"95.129.51.51"
"185.11.137.122"
"79.140.41.12"
# pub.solar
"pub.solar"
"git.pub.solar"
"auth.pub.solar"
"cloud.pub.solar"
"collabora.pub.solar"
];
};
};
# wireguard exporter
networking.firewall.allowedTCPPorts = [9585];
services.prometheus = {
exporters.wireguard = {
enable = true;
withRemoteIp = true;
};
scrapeConfigs = [
{
job_name = "chonk-wireguard";
static_configs = [
{
targets = ["10.0.1.6:9586"];
}
];
}
];
};
}


@ -1,28 +0,0 @@
{
pkgs,
config,
lib,
...
}: {
services.nextcloud.extraApps = with pkgs.nextcloud27Packages.apps; {
inherit bookmarks
calendar
contacts
files_markdown
impersonate
keeweb
maps
news
notes
notify_push
tasks
#twofactor_totp
twofactor_webauthn
user_saml;
"twofactor_totp" = pkgs.fetchzip {
sha256 = "zAPNugbvngXcpgWJLD78YAg4G1QtGaphx1bhhg7mLKE=";
url = "https://github.com/nextcloud-releases/twofactor_totp/releases/download/v6.4.1/twofactor_totp-v6.4.1.tar.gz";
};
};
}


@ -1,39 +0,0 @@
{...}: {
# Collabora Code server
virtualisation.oci-containers.containers."nextcloud-collabora-code" = {
image = "collabora/code";
autoStart = true;
ports = ["127.0.0.1:9980:9980"];
environment.domain = "data\\.gssws\\.de";
extraOptions = ["--cap-add" "MKNOD"];
};
services.nginx.virtualHosts."office.gssws.de" = let
proxyPass = "https://127.0.0.1:9980";
extraConfig = "proxy_ssl_verify off;";
in {
enableACME = true;
forceSSL = true;
locations."^~ /browser" = {
inherit proxyPass extraConfig;
};
locations."^~ /hosting/discovery" = {
inherit proxyPass extraConfig;
};
locations."^~ /hosting/capabilities" = {
inherit proxyPass extraConfig;
};
locations."~ ^/cool/(.*)/ws''$" = {
inherit proxyPass extraConfig;
proxyWebsockets = true;
};
locations."~ ^/(c|l)ool" = {
inherit proxyPass extraConfig;
};
locations."^~ /cool/adminws" = {
inherit proxyPass extraConfig;
proxyWebsockets = true;
};
};
}


@ -1,124 +0,0 @@
{
flake,
pkgs,
config,
lib,
...
}: let
notifyPushPort = 7867;
in {
imports = [
./nextcloud-apps.nix
./nextcloud-collabora.nix
];
age.secrets.nextcloud_db_pass = {
owner = "nextcloud";
group = "nextcloud";
file = "${flake.self}/secrets/chonk_nextcloud_db_pass.age";
};
age.secrets.nextcloud_admin_pass = {
owner = "nextcloud";
group = "nextcloud";
file = "${flake.self}/secrets/chonk_nextcloud_admin_pass.age";
};
# HTTP
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
virtualHosts."data.gssws.de" = {
enableACME = true;
forceSSL = true;
};
};
# DATABASES
services.postgresql = {
enable = true;
package = pkgs.postgresql_11;
settings = {
max_connections = "200";
};
ensureDatabases = ["nextcloud"];
ensureUsers = [
{
name = "nextcloud";
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
}
];
};
# NOTIFY PUSH
services.nextcloud.notify_push.enable = true;
# REDIS
services.redis.servers."nextcloud".enable = true;
users.groups."redis-nextcloud".members = ["nextcloud"];
# NEXTCLOUD
systemd.services."nextcloud-setup" = {
requires = ["postgresql.service"];
after = ["postgresql.service"];
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud27;
enableBrokenCiphersForSSE = false;
hostName = "data.gssws.de";
https = true;
datadir = "/mnt/internal/nextcloud";
caching.apcu = true;
caching.redis = true;
phpPackage = lib.mkForce pkgs.php82;
poolSettings = {
"pm" = "dynamic";
"pm.max_children" = "128";
"pm.start_servers" = "64";
"pm.min_spare_servers" = "32";
"pm.max_spare_servers" = "76";
"pm.max_requests" = "500";
};
phpOptions = {
short_open_tag = "Off";
expose_php = "Off";
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
display_errors = "stderr";
"opcache.enable_cli" = "1";
"opcache.interned_strings_buffer" = "32";
"opcache.max_accelerated_files" = "100000";
"opcache.memory_consumption" = "256";
"opcache.revalidate_freq" = "1";
"opcache.fast_shutdown" = "1";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
catch_workers_output = "yes";
};
config = {
overwriteProtocol = "https";
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "127.0.0.1:5432";
dbname = "nextcloud";
dbpassFile = "/run/agenix/nextcloud_db_pass";
adminpassFile = "/run/agenix/nextcloud_admin_pass";
adminuser = "admin";
trustedProxies = ["80.244.242.2"];
defaultPhoneRegion = "DE";
};
};
}


@ -1,68 +0,0 @@
{
pkgs,
config,
...
}: let
containerStateDir = "/data";
hostStateDir = "/opt/tangd";
domain = "";
serviceAddress = "10.10.42.12";
in {
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://${serviceAddress}:${toString servicePort}";
};
};
containers."tang" = {
autoStart = true;
ephemeral = true;
bindMounts."${containerStateDir}" = {
hostPath = hostStateDir;
isReadOnly = false;
};
config = {
config,
pkgs,
...
}: {
networking.firewall.enable = false;
users.groups."_tang" = {};
users.users."_tang" = {
group = "_tang";
isSystemUser = true;
};
environment.systemPackages = ["${pkgs.jose}"];
systemd.services."tangd@" = {
enable = true;
serviceConfig = {
ExecStartPre = "${pkgs.bash}/bin/bash -c \"mkdir -p ${containerStateDir}/tang-db\"";
ExecStart = "${pkgs.tang}/libexec/tangd ${containerStateDir}/tang-db";
StandardInput = "socket";
StandardOutput = "socket";
StandardError = "journal";
User = "_tang";
Group = "_tang";
};
};
systemd.sockets."tangd" = {
enable = true;
listenStreams = ["${toString servicePort}"];
wantedBy = ["sockets.target"];
socketConfig = {
Accept = true;
};
};
system.stateVersion = "22.11";
};
};
}


@ -1,24 +0,0 @@
{
config,
pkgs,
...
}: let
domain = "t.gssws.de";
servicePort = 63080;
in {
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString servicePort}";
};
};
virtualisation.oci-containers.containers."tang" = {
image = "cloggo/tangd";
ports = ["127.0.0.1:${builtins.toString servicePort}:8080"];
environment = {
IP_WHITELIST = "172.17.0.1";
};
};
}


@ -1,66 +0,0 @@
{
flake,
config,
pkgs,
...
}: {
age.secrets.home_controller_wireguard.file = "${flake.self}/secrets/chonk_wireguard_key.age";
systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
# Enable WireGuard
networking.wireguard.interfaces = {
wg0 = {
ips = ["10.0.1.6"];
listenPort = 51899;
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# router
publicKey = "xqifcPfCgLNQ1M3w6zfoWVMkkz2lO5GZ/LlOECnPQFc=";
allowedIPs = ["10.0.1.1/32"];
persistentKeepalive = 25;
}
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = ["10.0.1.11/32"];
persistentKeepalive = 25;
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = ["10.0.1.12/32"];
persistentKeepalive = 25;
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = ["10.0.1.13/32"];
persistentKeepalive = 25;
}
{
# norman
publicKey = "FRNg+bJWPn4vAA2Fw8PXYsTpxdEKdVE+b7eTtl8ORxM=";
allowedIPs = ["10.0.1.121/32"];
persistentKeepalive = 25;
}
{
# hsha
publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc=";
allowedIPs = ["10.0.1.254/32"];
persistentKeepalive = 25;
}
];
};
};
}


@ -1,44 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{
flake,
pkgs,
builtins,
config,
lib,
...
}: {
imports = [
./home-controller.nix
./home-assistant.nix
];
pub-solar.server.enable = true;
hardware.ksm.enable = true;
boot.loader.timeout = lib.mkForce 0;
boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
boot.loader.grub = {
enable = lib.mkForce true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
extraInstallCommands = ''
cp -r ${flake.inputs.nixpkgs-hensoko.packages.aarch64-linux.raspberrypi4_firmware_uefi}/share/raspberrypi4-firmware-uefi/* /boot/
'';
};
# Set your time zone.
time.timeZone = "Europe/Berlin";
networking.useDHCP = false;
networking.interfaces.enabcm6e4ei0.useDHCP = true;
networking.networkmanager.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = lib.mkForce false;
system.stateVersion = "22.11"; # Did you read the comment?
}


@ -1,6 +0,0 @@
{ ... }: {
imports = [
./configuration.nix
./hardware-configuration.nix
];
}


@ -1,61 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
boot.initrd.availableKernelModules = ["xhci_pci" "usbhid" "usb_storage" "uas"];
#boot.kernelParams = [ "usb-storage.quirks=2109:0716:u,174c:55aa:u" ];
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
boot.loader.efi.canTouchEfiVariables = false;
boot.loader.systemd-boot.enable = false;
boot.loader.generic-extlinux-compatible.enable = false;
boot.loader.timeout = 0;
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/2538df0f-9d17-4651-a7ee-26d6f28e4e71";
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04017028021722045451-0:0-part1";
fallbackToPassword = true;
bypassWorkqueues = true;
};
fileSystems."/" = {
device = "/dev/disk/by-label/root";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/5552-1B21";
fsType = "vfat";
};
swapDevices = [
{device = "/dev/disk/by-label/swap";}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eth0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}


@ -1,96 +0,0 @@
{
flake,
config,
pkgs,
...
}: {
pub-solar.home-assistant = {
enable = true;
extraComponents = ["androidtv" "brother" "ffmpeg" "fritz" "fritzbox" "fritzbox_callmonitor" "met" "mqtt" "zeroconf"];
extraPackages = python3Packages:
with python3Packages; [
# androidtv
adb-shell
aiofiles
androidtv
# deutsche bahn
schiene
# dwd
markdownify
# hacs
aiogithubapi
# totop
pyotp
];
mqtt = {
enable = true;
users = {
ha = {
acl = [
"readwrite #"
];
hashedPassword = "$7$101$jLA9PReG5btNSvw8$O0c3UzCfcBcvqVH8kMZIwEims7p1L4o/DmOTHO9w9731ggC5SyUpJGQIDiUbv+IrTl/H0+Fz9QF/jvY0QCuxuA==";
};
nono = {
acl = [
"readwrite #"
];
hashedPassword = "$7$101$votbflBI1KrRRzBy$hCC/qo7Ggaf2vaLv7lo5uPnyrTCb0i6hPQvXuL/OrrUpzP+KNl6efEU7yQ0cDH6/rJ16Fe2PWSTcW+pL8dlgmg==";
};
z2m = {
acl = [
"readwrite #"
];
hashedPassword = "$7$101$iZE7WOCQIaLtuoVN$M7AAB/mMmhkuXQVmu2RPoJzm744bmwxGTJwE0eoqlPAjyQHbjmOWfEuKoo9jnQCoQu2T96gS8znsUNizGgPWiQ==";
};
};
};
zigbee2mqtt = {
enable = true;
device = "/dev/ttyS0";
adapter = "deconz";
};
config = {
homeassistant = {
name = "Berrendorf";
time_zone = "Europe/Berlin";
temperature_unit = "C";
unit_system = "metric";
latitude = "50.9279036523298";
longitude = "6.583225751885932";
country = "DE";
external_url = "https://ha.karinsokolowski.de";
internal_url = "http://192.168.178.254:8123";
};
http = {
ip_ban_enabled = false;
use_x_forwarded_for = true;
trusted_proxies = [
"127.0.0.1"
"10.254.0.21"
"10.0.1.5"
"10.0.1.6"
];
};
default_config = {};
energy = {};
"automation ui" = "!include automations.yaml";
map = {};
mobile_app = {};
network = {};
notify = {};
person = {};
};
};
}


@ -1,16 +0,0 @@
{
flake,
config,
pkgs,
...
}: {
config = {
age.secrets.home_controller_wireguard.file = "${flake.self}/secrets/home_controller_companion_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
ownIp = "10.0.1.13";
wireguardPrivateKeyFile = "/run/agenix/home_controller_wireguard";
};
};
}


@ -1,65 +0,0 @@
{
flake,
config,
pkgs,
...
}:
let
resticListenPort = 18000;
in
{
age.secrets.backup_restic_htpasswd = {
file = "${flake.self}/secrets/cox_backup_restic_htpasswd.age";
owner = "${toString config.ids.uids.restic}";
};
networking.firewall.allowedTCPPorts = [ resticListenPort ];
systemd.mounts = [
{
what = "/dev/mapper/crypt-backup";
where = "/opt/backup/hdd";
type = "ext4";
}
];
systemd.services."container@backup".unitConfig.RequiresMountsFor = ["/opt/backup/hdd"];
containers."backup" = {
autoStart = true;
ephemeral = true;
bindMounts = {
"/var/lib/restic" = {
hostPath = "/opt/backup/hdd/restic";
isReadOnly = false;
};
"/var/lib/restic/.htpasswd" = {
hostPath = "/run/agenix/backup_restic_htpasswd";
isReadOnly = false;
};
};
config = {
config,
pkgs,
...
}: {
networking.firewall.enable = false;
services.restic.server = {
enable = true;
listenAddress = "0.0.0.0:${toString resticListenPort}";
privateRepos = true;
extraFlags = [
"--append-only"
"--prometheus"
"--prometheus-no-auth"
];
};
time.timeZone = "Europe/Berlin";
system.stateVersion = "22.11";
};
};
}


@ -1,68 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{
config,
pkgs,
lib,
...
}: {
imports = [
./backup.nix
./home-controller.nix
./paperless.nix
./owntone.nix
./jellyfin.nix
./photoprism.nix
];
time.timeZone = "Europe/Berlin";
boot.plymouth.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false;
networking = {
vlans = {
vlan102 = {
id = 102;
interface = "eth0";
}; # iot vlan
vlan104 = {
id = 104;
interface = "eth0";
}; # media vlan
};
interfaces = {
eth0 = {
useDHCP = true;
mtu = 1460;
};
vlan102 = {
mtu = 1460;
ipv4.addresses = [{
address = "172.16.0.12";
prefixLength = 24;
}];
};
vlan104 = {
mtu = 1460;
ipv4.addresses = [{
address = "10.42.0.12";
prefixLength = 24;
}];
};
};
};
networking.networkmanager.enable = false;
networking.firewall = {
allowedUDPPorts = [1900];
};
virtualisation.podman.enable = true;
system.stateVersion = "22.11";
}


@ -1,6 +0,0 @@
{ ... }: {
imports = [
./configuration.nix
./hardware-configuration.nix
];
}


@ -1,70 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["xhci_pci" "usbhid" "usb_storage" "uas"];
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelParams = ["usb-storage.quirks=2109:0716:ouw,174c:55aa:u,2109:2813:ouw,2109:0813:ouw"];
boot.loader = {
timeout = 0;
efi.canTouchEfiVariables = false;
systemd-boot.enable = false;
generic-extlinux-compatible.enable = false;
grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
};
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/d86a20a6-686c-4bf8-bd3b-911901272742";
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_03024516121421043657-0:0-part1";
fallbackToPassword = true;
bypassWorkqueues = true;
};
fileSystems."/" = {
device = "/dev/disk/by-label/root";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "vfat";
};
swapDevices = [
{device = "/dev/disk/by-label/swap";}
];
hardware = {
raspberry-pi."4".apply-overlays-dtmerge.enable = true;
deviceTree = {
enable = true;
filter = "*rpi-4-*.dtb";
};
};
environment.systemPackages = with pkgs; [
libraspberrypi
raspberrypi-eeprom
];
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}


@ -1,17 +0,0 @@
{
flake,
config,
pkgs,
...
}: {
config = {
age.secrets.home_controller_wireguard.file = "${flake.self}/secrets/home_controller_cox_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
ownIp = "10.0.1.12";
wireguardPrivateKeyFile = "/run/agenix/home_controller_wireguard";
};
};
}


@ -1,41 +0,0 @@
{ config, pkgs, ... }:
{
#boot.kernelModules = [ "v4l2loopback" ];
#boot.extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
systemd.mounts = [
{
what = "/dev/mapper/crypt-media";
where = "/opt/media";
type = "ext4";
}
{
what = "/dev/mapper/crypt-movies";
where = "/opt/media/media/video/movies";
type = "ext4";
}
{
what = "/dev/mapper/crypt-tvshows";
where = "/opt/media/media/video/tv-shows";
type = "ext4";
}
];
systemd.services.jellyfin.unitConfig.RequiresMountsFor = [
"/opt/media"
"/opt/media/media/video/movies"
"/opt/media/media/video/tv-shows"
];
users.users.jellyfin.extraGroups = [ "video" ];
environment.systemPackages = [ pkgs.jellyfin-ffmpeg ];
services.jellyfin = {
enable = true;
openFirewall = true;
};
}


@ -1,37 +0,0 @@
{ config, ... }:
let
owntoneConfigDir = "/opt/media/config/owntone";
owntoneMusicDir = "/opt/media/media";
in
{
networking.firewall.allowedTCPPorts = [
3688 # websocket
3689 # http
6600 # mpd
13988 # airplay
13989 # airplay
];
systemd.services."podman-owntone".unitConfig.RequiresMountsFor = [
owntoneConfigDir
owntoneMusicDir
];
virtualisation.oci-containers.containers."owntone" = {
image = "linuxserver/daapd";
autoStart = true;
extraOptions = ["--network=host"];
environment = {
PUID = "1000";
PGID = "1000";
TZ = "Europe/Berlin";
};
volumes = [
"${owntoneConfigDir}:/config"
"${owntoneMusicDir}:/music"
];
};
}


@ -1,29 +0,0 @@
{
pkgs,
config,
...
}: {
systemd.mounts = [
{
what = "/dev/mapper/crypt-documents";
where = "/opt/documents";
type = "ext4";
}
];
pub-solar.paperless = {
enable = true;
hostStateDir = "/opt/documents/paperless";
domain = "cox.lan";
path = "/paperless";
ftp = {
enable = true;
listenPort = 20021;
};
nextcloud = {
enable = true;
};
};
}


@ -1,37 +0,0 @@
{ lib, ... }:
{
systemd.services.photoprism = {
unitConfig.RequiresMountsFor = [ "/opt/media/photoprism" ];
serviceConfig = {
DynamicUser = lib.mkForce false;
User = "photoprism";
Group = "photoprism";
};
};
services.nginx.virtualHosts."cox.lan".locations."/photoprism" = {
proxyPass = "http://127.0.0.1:18899";
proxyWebsockets = true;
};
users.users.photoprism = {
group = "photoprism";
isSystemUser = true;
};
users.groups.photoprism = {};
services.photoprism = {
enable = true;
originalsPath = "/opt/media/photoprism/originals";
storagePath = "/opt/media/photoprism/data";
importPath = "/opt/media/photoprism/import";
port = 18899;
address = "127.0.0.1";
settings = {
PHOTOPRISM_DEFAULT_LOCALE = "de";
PHOTOPRISM_SITE_URL = "http://cox.lan/photoprism";
PHOTOPRISM_TRUSTED_PROXY = "127.0.0.1/8";
};
};
}


@ -1,34 +0,0 @@
{
config,
lib,
pkgs,
...
}: {
pub-solar.server.enable = true;
hardware.ksm.enable = true;
pub-solar.core.disk-encryption-active = false;
networking.networkmanager.enable = lib.mkForce false;
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/disk/by-id/usb-HP_iLO_Internal_SD-CARD_000002660A01-0:0";
boot.loader.systemd-boot.enable = lib.mkForce false;
time.timeZone = "Europe/Berlin";
networking.interfaces.eno1.useDHCP = true;
networking.nat.enable = true;
networking.nat.internalIPs = ["10.10.42.0/24"];
networking.nat.externalInterface = "eno1";
networking.firewall.allowedTCPPorts = [80 443 22];
networking.firewall.allowedUDPPorts = [51899];
networking.firewall.enable = lib.mkForce true;
system.stateVersion = "21.05"; # Did you read the comment?
}


@ -1,6 +0,0 @@
{ ... }: {
imports = [
./configuration.nix
./hardware-configuration.nix
];
}


@ -1,56 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.loader.grub = {
enable = true;
device = "/dev/disk/by-id/usb-HP_iLO_Internal_SD-CARD_000002660A01-0:0";
};
boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "uhci_hcd" "xhci_pci" "megaraid_sas" "usb_storage" "usbhid" "sd_mod"];
boot.initrd.kernelModules = ["dm-snapshot"];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/24ddd650-e9fc-4407-ba4c-cc237de4c484";
keyFile = "/dev/disk/by-id/usb-Kingston_DataTraveler_3.0_E0D55E625BE3E72078790030-0:0-part1";
fallbackToPassword = true;
bypassWorkqueues = true;
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/c47cdc43-d77c-4a01-87b3-a289fa97ef14";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/3ee236cc-c4a6-423b-ba77-7a15ba642123";
fsType = "ext4";
};
swapDevices = [
{device = "/dev/disk/by-uuid/0ddcb856-f39e-45d6-bde3-4fbf9c81fe6c";}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.eno2.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -1,63 +0,0 @@
{ self, config, pkgs, ... }:
{
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cube_wireguard_key.age";
systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
# Enable WireGuard
networking.wireguard.interfaces = {
wg1 = {
# Determines the IP address and subnet of the client's end of the tunnel interface.
ips = [ "10.0.1.5" ];
listenPort = 51899; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
# For a client configuration, one peer entry for the server will suffice.
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = [ "10.0.1.11/32" ];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = [ "10.0.1.12/32" ];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = [ "10.0.1.13/32" ];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
{
# hsha
publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc=";
allowedIPs = [ "10.0.1.254/32" ];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
];
};
};
}


@ -7,7 +7,7 @@ let
networking.hostName = host;
imports = [
self.nixosModules.base
./${host}
inputs.nixos-config.nixosHosts.${host}
self.nixosModules.${user}
];
};
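Review bot: The per-host module is now pulled from a second flake via `inputs.nixos-config.nixosHosts.${host}`, so each host's firewall rules, WireGuard peers and agenix secret wiring are no longer reviewed in this repository; the `nixos-config` input should be pinned in flake.lock and its revision bumps reviewed like any other dependency. The deleted host modules referenced secrets through `${flake.self}/secrets/...`, which in the new flake will presumably resolve against that flake's own root — confirm the `.age` files and the agenix recipients moved with them. The removed frigate/go2rtc configuration carried plaintext credentials (an RTSP `admin` password embedded in the stream URLs and a plaintext MQTT password); deleting the file does not purge them from git history, so they should be rotated rather than just moved. The enclosing `let` binding and the function it belongs to start outside the hunk.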


@ -1,45 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ inputs, pkgs, builtins, config, lib, ... }:
{
boot.plymouth.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false;
pub-solar.core.disk-encryption-active = false;
boot.loader.grub.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.generic-extlinux-compatible.enable = lib.mkForce true;
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
networking.networkmanager.enable = lib.mkForce false;
boot.initrd.network = {
enable = true;
};
# Open ports in the firewall.
#networking.firewall.allowedTCPPorts = [ ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}


@ -1,6 +0,0 @@
{ ... }: {
imports = [
./configuration.nix
./hardware-configuration.nix
];
}


@ -1,41 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
#boot.initrd.supportedFilesystems = [ "zfs" ];
#boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = lib.mkForce pkgs.linuxPackages;
fileSystems."/" =
{
device = "/dev/disk/by-uuid/9f3208ae-ee05-44b8-a0bc-dc1e7499bdb8";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/997A-7FBA";
fsType = "vfat";
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}


@ -1,27 +0,0 @@
{ pkgs, python311 }:
let
pycryptodomex = python311.pkgs.buildPythonPackage rec {
pname = "pycryptodomex";
version = "3.18.0";
src = pkgs.fetchPypi {
inherit pname version;
sha256 = "Pj7LX+l558G7ACflGDQKz37mBBXXkpXlJR0Txo3eV24=";
};
};
in
python311.pkgs.buildPythonPackage rec {
pname = "aioairctrl";
version = "0.2.4";
src = pkgs.fetchFromGitHub {
owner = "kongo09";
repo = "aioairctrl";
rev = "v${version}";
sha256 = "JBXh590wu85ig+LZCgG9S7y9uLOKednFJ/1UfDLz5Fo=";
};
propagatedBuildInputs = [
python311.pkgs.aiocoap
pycryptodomex
];
}


@ -1,12 +0,0 @@
{...}: {
services.avahi = {
enable = true;
openFirewall = true;
allowInterfaces = ["eth0" "vlan104"];
reflector = true;
publish.enable = true;
extraConfig = ''
reflect-filters=_googlecast._tcp.local
'';
};
}


@ -1,39 +0,0 @@
{
config,
pkgs,
lib,
...
}: {
imports = [
./network.nix
./network-dhcp.nix
./avahi-reflector.nix
./unifi.nix
./home-controller.nix
./home-assistant.nix
./frigate.nix
# ./tang-container.nix
];
pub-solar.server.enable = true;
hardware.ksm.enable = true;
boot.loader.timeout = 0;
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
boot.plymouth.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false;
time.timeZone = "Europe/Berlin";
system.stateVersion = "22.11"; # Did you read the comment?
}


@ -1,6 +0,0 @@
{ ... }: {
imports = [
./configuration.nix
./hardware-configuration.nix
];
}


@ -1,21 +0,0 @@
{ pkgs, python311 }:
python311.pkgs.buildPythonPackage rec {
pname = "forecast_solar";
version = "3.0.0";
src = pkgs.fetchFromGitHub {
owner = "home-assistant-libs";
repo = "forecast_solar";
rev = version;
sha256 = "Go0DF2qyVyGVYEeoEEuxsSR9Ge8Pg4S77zM1HL83ELc=";
};
pythonImportsCheck = [ "pytest" "flake8" ];
propagatedBuildInputs = with python311.pkgs; [
aiodns
aiohttp
flake8
pytest
];
}


@ -1,76 +0,0 @@
{ ... }:
let
camIp = "10.0.42.31";
in
{
networking.firewall.allowedTCPPorts = [80 5000 8554 8555];
#services.go2rtc = {
# enable = true;
# settings = {
# streams = {
# burgi_cam = [
# "rtsp://admin:XpkFk5Df912VWSwM@${camIp}:554/Streaming/Channels/101/?transportmode=unicast"
# "ffmpeg:burgi_cam_sub#audio=opus"
# ];
# burgi_cam_sub = [
# "rtsp://admin:XpkFk5Df912VWSwM@${camIp}:554/Streaming/Channels/102/?transportmode=unicast"
# ];
# };
# webrtc = {
# candidates = [ "192.168.42.11:8555" ];
# };
# };
#};
services.frigate = {
enable = false;
hostname = "frigate";
settings = {
cameras.burgi = {
ffmpeg = {
inputs = [
{
path = "rtsp://admin:XpkFk5Df912VWSwM@${camIp}:554/Streaming/Channels/101/?transportmode=unicast";
#path = "rtsp://127.0.0.1:8554/burgi_cam";
#input_args = "preset-rtsp-restream";
roles = [
"record"
"rtmp"
];
}
{
path = "rtsp://admin:XpkFk5Df912VWSwM@${camIp}:554/Streaming/Channels/102/?transportmode=unicast";
#path = "rtsp://127.0.0.1:8554/burgi_cam_sub";
#input_args = "preset-rtsp-restream";
roles = [
"detect"
];
}
];
};
detect = {
width = 1280;
height = 720;
fps = 5;
};
};
objects.track = [ "person" "dog" ];
mqtt = {
enabled = true;
host = "127.0.0.1";
user = "frigate";
password = "rDAnboXJhW8K2OJlPI5KpZhggPJusA==";
};
rtmp.enabled = true;
#detectors.coral = {
# type = "edgetpu";
# device = "usb";
#};
};
};
}


@ -1,56 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["xhci_pci" "usbhid" "usb_storage" "uas"];
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
boot.loader.efi.canTouchEfiVariables = false;
boot.loader.systemd-boot.enable = false;
boot.loader.generic-extlinux-compatible.enable = false;
boot.loader.timeout = 0;
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/5edec8af-5f84-4d9f-9755-8abbb55e00af";
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04020116120721075123-0:0-part1";
fallbackToPassword = true;
bypassWorkqueues = true;
};
fileSystems."/" = {
device = "/dev/disk/by-label/root";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "vfat";
};
swapDevices = [
{device = "/dev/disk/by-label/swap";}
];
networking.interfaces.enabcm6e4ei0.useDHCP = true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}


@ -1,58 +0,0 @@
{
action = rec {
callService = service: entity: {
service = service;
target.entity_id = entity;
};
delayed = f: delay: [
{delay.seconds = delay;}
(f)
];
turnOn = entity: callService "homeassistant.turn_on" entity;
turnOff = entity: callService "homeassistant.turn_off" entity;
};
condition = {
state = entity: state: {
condition = "state";
entity_id = entity;
state = state;
};
stateNot = entity: state: {
condition = "not";
conditions = [{
condition = "state";
entity_id = entity;
state = state;
}];
};
};
trigger = {
state = entity: {
platform = "state";
entity_id = entity;
};
stateFrom = entity: stateFrom: {
platform = "state";
entity_id = entity;
from = stateFrom;
};
stateTo = entity: stateTo: {
platform = "state";
entity_id = entity;
to = stateTo;
};
stateNotTo = entity: stateNotTo: {
platform = "state";
entity_id = entity;
not_to = stateNotTo;
};
};
}


@ -1,26 +0,0 @@
let
mapSegments = [
{id = 1; name = "Hendrik";}
{id = 2; name = "Schlafzimmer";}
{id = 3; name = "Badezimmer";}
{id = 4; name = "Toilette";}
{id = 5; name = "Flur";}
{id = 6; name = "Vorratsraum";}
{id = 7; name = "Küche";}
{id = 8; name = "Caro";}
{id = 9; name = "Wohnzimmer";}
];
mkCustomize = id: [
{
name = "input_boolean.vacuum_segment_${toString id}";
value = {
room_id = id;
};
}
];
mkCustomizes = ms: builtins.concatMap (s: (mkCustomize s.id)) ms;
in
builtins.listToAttrs (mkCustomizes mapSegments)


@ -1,95 +0,0 @@
let
helper = import ./home-assistant-automation-helpers.nix;
entityLightSleepingHoursNotBefore = "light_sleeping_hours_not_before";
entityLightSleepingHoursNotAfter = "light_sleeping_hours_not_after";
entityLightDarkHoursNotBefore = "light_dark_hours_not_before";
entityLightDarkHoursNotAfter = "light_dark_hours_not_after";
conditionalAutomation = slug: triggers: conditions: actions: {
alias = "Light: ${slug}";
id = "light_automation_${slug}";
trigger = triggers;
condition = conditions;
action = actions;
};
automation = slug: triggers: actions: (conditionalAutomation slug triggers [] actions);
lightOnOnMovement = room: opts: (conditionalAutomation
"${room}_movement_turn_on"
(map (e: helper.trigger.stateTo e "on") opts.triggers)
opts.conditions
(map (e: helper.action.turnOn e) opts.entities)
);
# switch off light when trigger entity switches to off and all given trigger
# entities are not in state "on" (prevents hassle with unavailable state)
lightOffAfterMovement = room: opts: (conditionalAutomation
"${room}_movement_turn_off"
(map (e: helper.trigger.stateTo e "off") opts.triggers)
(map (e: helper.condition.stateNot e "on") opts.triggers)
(map (e: helper.action.turnOff e) opts.entities)
);
outsideSleepingHoursCondition = [{
condition = "not";
conditions = [{
condition = "time";
after = "input_datetime.${entityLightSleepingHoursNotBefore}";
before = "input_datetime.${entityLightSleepingHoursNotAfter}";
}];
}];
withinDarkHoursCondition = [{
condition = "time";
after = "input_datetime.${entityLightDarkHoursNotBefore}";
before = "input_datetime.${entityLightDarkHoursNotAfter}";
}];
roomEntitiesMap = {
# should switch on when its dark outside but not when someone sleeps
flur = {
triggers = ["binary_sensor.pir_flur_1_occupancy" "binary_sensor.pir_flur_2_occupancy"];
entities = ["light.flur_deckenlicht"];
conditions = [] ++ withinDarkHoursCondition ++ outsideSleepingHoursCondition;
};
#kueche = {
# triggers = [];
# entites = [];
# conditions = [] ++ withinDarkHoursCondition;
#};
# should switch on every time
vorratsraum = {
triggers = ["binary_sensor.pir_vorratsraum_occupancy"];
entities = ["light.vorratsraum_deckenlicht"];
conditions = [];
};
};
in
{
input_datetime = {
"${entityLightDarkHoursNotBefore}" = {
name = "TIME Light: Dark hours start not before";
has_date = false;
has_time = true;
};
"${entityLightDarkHoursNotAfter}" = {
name = "TIME Light: Dark hours start not after";
has_date = false;
has_time = true;
};
"${entityLightSleepingHoursNotBefore}" = {
name = "TIME Light: Sleeping hours start not before";
has_date = false;
has_time = true;
};
"${entityLightSleepingHoursNotAfter}" = {
name = "TIME Light: Sleeping hours start not after";
has_date = false;
has_time = true;
};
};
automation = [] ++
(builtins.attrValues (builtins.mapAttrs (r: o: lightOnOnMovement r o) roomEntitiesMap)) ++
(builtins.attrValues (builtins.mapAttrs (r: o: lightOffAfterMovement r o) roomEntitiesMap));
}


@ -1,67 +0,0 @@
let
vacuumName = "IdenticalVeneratedCat";
entityVacuum = "vacuum.valetudo_identicalveneratedcat";
mapSegments = [
{id = 1; name = "Hendrik";}
{id = 2; name = "Schlafzimmer";}
{id = 3; name = "Badezimmer";}
{id = 4; name = "Toilette";}
{id = 5; name = "Flur";}
{id = 6; name = "Vorratsraum";}
{id = 7; name = "Küche";}
{id = 8; name = "Caro";}
{id = 9; name = "Wohnzimmer";}
];
mkBooleanHelper = id: name: [
{
name = "vacuum_segment_${toString id}";
value = {
name = name;
};
}
];
mkBooleanHelpers = ms: builtins.concatMap (s: (mkBooleanHelper s.id s.name)) ms;
in
{
input_boolean = builtins.listToAttrs (mkBooleanHelpers mapSegments);
group = {
vacuum_rooms = {
name = "Vacuum Rooms";
entities = builtins.concatMap (s: ["input_boolean.vacuum_segment_${toString s.id}"]) mapSegments;
};
};
script = {
vacuum_clean_segments = {
mode = "single";
alias = "vacuum_clean_segments";
icon = "mdi:arrow-right";
sequence = [{
service = "script.turn_on";
target = {
entity_id = "script.vacuum_clean_segments_message";
};
data = {
variables = {
segments = "{{expand(\"group.vacuum_rooms\") | selectattr(\"state\",\"eq\",\"on\") | map(attribute=\"attributes.room_id\") | list | to_json}}";
};
};
}];
};
vacuum_clean_segments_message = {
alias = "vacuum_clean_segments_message";
mode = "single";
sequence = [{
service = "mqtt.publish";
data = {
topic = "valetudo/${vacuumName}/MapSegmentationCapability/clean/set";
payload_template = ''{"segment_ids": {{segments}}}'';
};
}];
};
};
}


@ -1,246 +0,0 @@
let
helper = import ./home-assistant-automation-helpers.nix;
entityMediaplayerFireTV = "media_player.wohnzimmer_firetv";
entityMediaplayerXBOX = "media_player.wohnzimmer_xbox";
entityMediaplayerZeppelin = "media_player.wohnzimmer_zeppelin";
entitySwitchTV = "switch.wohnzimmer_tv_steckdosenleiste_tv";
entitySwitchFireTV = "switch.wohnzimmer_tv_steckdosenleiste_firetv";
entitySwitchXBOX = "switch.wohnzimmer_tv_steckdosenleiste_xbox";
entitySwitchZeppelin = "switch.wohnzimmer_tv_steckdosenleiste_zeppelin";
entityActivitySelect = "wohnzimmer_tv_activity";
entityVolumeMute = "wohnzimmer_tv_volume_mute";
entityVolumeLevel = "wohnzimmer_tv_volume_level";
entityHarmonyActivitySelect = "select.wohnzimmer_harmony_activities";
activityOptionOff = "Aus";
activityOptionOffHarmony = "power_off";
activityOptionMusic = "Musik";
activityOptionFireTV = "FireTV";
activityOptionXBOX = "XBOX";
# because of tasmota
switchDelaySecondsZeppelin = 1;
switchDelaySecondsTV = 2;
switchDelaySecondsFireTV = 3;
switchDelaySecondsXBOXOn = 4;
switchDelaySecondsXBOXOff = 60; # because it needs longer to shut down
mkAutomationCondition = slug: triggers: conditions: actions: {
alias = "Wohnzimmer TV: ${slug}";
id = "wohnzimmer_tv_automation_${slug}";
trigger = triggers;
condition = conditions;
action = actions;
};
mkAutomation = slug: triggers: actions: (mkAutomationCondition slug triggers [] actions);
rokuButtonPressed = key: {
platform = "event";
event_type = "roku_command";
event_data = {
type = "keypress";
key = key;
};
};
mkRokuVolumeAutomation = key: action: mkAutomation
"roku_vol_${action}"
[(rokuButtonPressed key)]
[(helper.action.callService "input_number.${action}" "input_number.${entityVolumeLevel}")];
tvSelect = option: {
service = "input_select.select_option";
target.entity_id = "input_select.${entityActivitySelect}";
data.option = option;
};
harmonySelect = option: {
service = "select.select_option";
target.entity_id = entityHarmonyActivitySelect;
data.option = option;
};
tvChangedTo = stateTo: (helper.trigger.stateTo "input_select.${entityActivitySelect}" stateTo);
tvChangedNotTo = stateNotTo: (helper.trigger.stateNotTo "input_select.${entityActivitySelect}" stateNotTo);
harmonyChangedTo = stateTo: (helper.trigger.stateTo entityHarmonyActivitySelect stateTo);
harmonyChangedNotTo = stateNotTo: (helper.trigger.stateNotTo entityHarmonyActivitySelect stateNotTo);
in
{
input_boolean = {
"${entityVolumeMute}" = {
name = "Wohnzimmer TV Mute";
icon = "mdi:volume-mute";
};
};
input_number = {
"${entityVolumeLevel}" = {
name = "Wohnzimmer TV Lautstärke";
icon = "mdi:volume-high";
unit_of_measurement = "%";
min = "0.0";
max = "1.0";
step = "0.01";
};
};
input_select = {
"${entityActivitySelect}" = {
name = "Wohnzimmer TV Aktivität";
options = [
activityOptionOff
activityOptionMusic
activityOptionFireTV
activityOptionXBOX
];
};
};
media_player = [
{
platform = "universal";
name = "Wohnzimmer TV Universal";
device_class = "tv";
unique_id = "media_player_universal_wohnzimmer_tv";
children = [
entityMediaplayerFireTV
entityMediaplayerXBOX
entityMediaplayerZeppelin
];
active_child_template = ''
{% if is_state('input_select.${entityActivitySelect}', '${activityOptionMusic}') %}
${entityMediaplayerZeppelin}
{% elif is_state('input_select.${entityActivitySelect}', '${activityOptionFireTV}') %}
${entityMediaplayerFireTV}
{% elif is_state('input_select.${entityActivitySelect}', '${activityOptionXBOX}') %}
${entityMediaplayerXBOX}
{% endif %}
'';
state_template = ''
{% if is_state('input_select.${entityActivitySelect}', '${activityOptionMusic}') %}
{{ states('${entityMediaplayerZeppelin}') }}
{% elif is_state('input_select.${entityActivitySelect}', '${activityOptionFireTV}') %}
{{ states('${entityMediaplayerFireTV}') }}
{% elif is_state('input_select.${entityActivitySelect}', '${activityOptionXBOX}') %}
{{ states('${entityMediaplayerXBOX}') }}
{% else %}
off
{% endif %}
'';
commands = {
turn_on = tvSelect activityOptionFireTV;
turn_off = tvSelect activityOptionOff;
volume_set = helper.action.callService "input_number.set_value" "input_number.${entityVolumeLevel}" // {data.value = "{{ volume_level }}";};
volume_up = helper.action.callService "input_number.increment" "input_number.${entityVolumeLevel}";
volume_down = helper.action.callService "input_number.decrement" "input_number.${entityVolumeLevel}";
volume_mute = helper.action.callService "input_boolean.toggle" "input_boolean.${entityVolumeMute}";
};
attributes = {
is_volume_muted = "input_boolean.${entityVolumeMute}";
volume_level = "input_number.${entityVolumeLevel}";
};
}
];
automation = [
(mkRokuVolumeAutomation "Up" "increment")
(mkRokuVolumeAutomation "Down" "decrement")
(mkAutomation "roku_vol_mute" [(rokuButtonPressed "Right")] [(helper.action.callService "input_boolean.toggle" "input_boolean.${entityVolumeMute}")])
(mkAutomation "sync_off_to_harmony" [(tvChangedTo activityOptionOff)] [(harmonySelect activityOptionOffHarmony)])
(mkAutomation "sync_activity_to_harmony" [(tvChangedNotTo activityOptionOff)] [(harmonySelect "{{ trigger.to_state.state }}")])
(mkAutomation "sync_off_from_harmony" [(harmonyChangedTo activityOptionOffHarmony)] [(tvSelect activityOptionOff)])
(mkAutomation "sync_activity_from_harmony" [(harmonyChangedNotTo activityOptionOffHarmony)] [(tvSelect "{{ trigger.to_state.state }}")])
(
mkAutomationCondition
"set_speaker_volume"
[
(helper.trigger.state "input_number.${entityVolumeLevel}")
(helper.trigger.stateTo "input_boolean.${entityVolumeMute}" "off")
(helper.trigger.stateFrom entityMediaplayerZeppelin "unavailable")
]
[{
condition = "state";
entity_id = "input_boolean.${entityVolumeMute}";
state = "off";
}]
[(helper.action.callService "media_player.volume_set" entityMediaplayerZeppelin // {data.volume_level = "{{ states(\"input_number.${entityVolumeLevel}\") }}";})]
)
(
mkAutomation
"mute_speaker"
[(helper.trigger.stateTo "input_boolean.${entityVolumeMute}" "on")]
[(helper.action.callService "media_player.volume_set" entityMediaplayerZeppelin // {data.volume_level = "0";})]
)
(
mkAutomation
"switch_off_tv"
[
(tvChangedTo activityOptionOff)
(tvChangedTo activityOptionMusic)
]
(helper.action.delayed (helper.action.turnOff entitySwitchTV) switchDelaySecondsTV)
)
(
mkAutomation
"switch_off_firetv"
[
(tvChangedTo activityOptionOff)
(tvChangedTo activityOptionMusic)
(tvChangedTo activityOptionXBOX)
]
(helper.action.delayed (helper.action.turnOff entitySwitchFireTV) switchDelaySecondsFireTV)
)
(
mkAutomation
"switch_off_xbox"
[
(tvChangedTo activityOptionOff)
(tvChangedTo activityOptionMusic)
(tvChangedTo activityOptionFireTV)
]
(helper.action.delayed (helper.action.turnOff entitySwitchXBOX) switchDelaySecondsXBOXOff)
)
(
mkAutomation
"switch_off_zeppelin"
[(tvChangedTo activityOptionOff)]
(helper.action.delayed (helper.action.turnOff entitySwitchZeppelin) switchDelaySecondsZeppelin)
)
(
mkAutomation
"switch_on_tv"
[
(tvChangedTo activityOptionFireTV)
(tvChangedTo activityOptionXBOX)
]
(helper.action.delayed (helper.action.turnOn entitySwitchTV) switchDelaySecondsTV)
)
(
mkAutomation
"switch_on_firetv"
[(tvChangedTo activityOptionFireTV)]
(helper.action.delayed (helper.action.turnOn entitySwitchFireTV) switchDelaySecondsFireTV)
)
(
mkAutomation
"switch_on_xbox"
[(tvChangedTo activityOptionXBOX)]
(helper.action.delayed (helper.action.turnOn entitySwitchXBOX) switchDelaySecondsXBOXOn)
)
(
mkAutomation
"switch_on_zeppelin"
[(tvChangedNotTo activityOptionOff)]
(helper.action.delayed (helper.action.turnOn entitySwitchZeppelin) switchDelaySecondsZeppelin)
)
];
}


@ -1,304 +0,0 @@
{
flake,
config,
pkgs,
python3Packages,
inputs,
lib,
...
}:
{
age.secrets.home-assistant_giggles_secrets = {
file = "${flake.self}/secrets/home-assistant_giggles_secrets.age";
path = "${config.services.home-assistant.configDir}/secrets.yaml";
owner = config.systemd.services.home-assistant.serviceConfig.User;
group = config.systemd.services.home-assistant.serviceConfig.Group;
mode = "0644";
};
users.users."hass".extraGroups = ["dialout"];
networking.firewall.allowedTCPPortRanges = [{from = 40000; to = 41000;}];
networking.firewall.allowedUDPPortRanges = [{from = 40000; to = 41000;}];
pub-solar.home-assistant = {
enable = true;
extraComponents = [
"default_config"
"homeassistant_hardware"
"homeassistant_sky_connect"
"apcupsd"
"androidtv"
"androidtv_remote"
"cast"
"esphome"
"emulated_hue"
"emulated_roku"
"harmony"
"homekit_controller"
"icloud"
"ipp"
"jellyfin"
"luci"
"met"
"nina"
"python_script"
"radio_browser"
"rpi_power"
"shopping_list"
"spotify"
"tasmota"
"unifi"
"upnp"
"wyoming"
"vacuum"
"xbox"
"xiaomi_aqara"
"xiaomi_miio"
"zeroconf"
];
extraPackages = python311Packages:
with python311Packages; [
# esphome
aiodiscover
scapy
# deutsche bahn
schiene
# dwd
dwdwfsapi
# forecast_solar
(callPackage ./forecast-solar.nix {})
# hacs
aiogithubapi
# owntone
pyatv
(callPackage ./pyforked-daapd.nix {})
# philips_airpurifier_coap
(callPackage ./aioairctrl.nix {})
# totp
pyotp
pyqrcode
];
config = {
homeassistant = {
name = "Wohnung";
country = "DE";
currency = "EUR";
language = "de";
temperature_unit = "C";
time_zone = "Europe/Berlin";
unit_system = "metric";
latitude = "52.31501090166047";
longitude = "8.910633035293603";
elevation = "59";
external_url = "https://ha2.gssws.de";
internal_url = "http://192.168.42.11:8123";
packages = {
package_light = (import ./home-assistant-package-light.nix);
package_vacuum = (import ./home-assistant-package-vacuum.nix);
package_wohnzimmer_tv = (import ./home-assistant-package-wohnzimmer-tv.nix);
};
customize = (import ./home-assistant-customize-vacuum.nix) // { };
};
http = {
ip_ban_enabled = false;
use_x_forwarded_for = true;
trusted_proxies = [
"127.0.0.1"
"10.254.0.21"
"10.0.1.5"
"10.0.1.6"
];
};
default_config = {};
energy = {};
"automation ui" = "!include automations.yaml";
device_tracker = [
{
platform = "luci";
host = "192.168.42.1";
username = "!secret router_admin_username";
password = "!secret router_admin_password";
}
];
emulated_hue = {
host_ip = "172.16.0.11";
listen_port = 40000;
expose_by_default = false;
entities = {
"light.light_wohnzimmer_kugel_links" = {
name = "Kugel links";
};
"light.light_wohnzimmer_kugel_rechts" = {
name = "Kugel rechts";
};
"light.light_wohnzimmer_klemmlampe" = {
name = "Klemmlampe";
};
};
};
emulated_roku = {
servers = [{
name = "Home Assistant";
host_ip = "172.16.0.11";
listen_port = 40001;
}];
};
python_script = {};
waste_collection_schedule = {
sources = [
{
name = "jumomind_de";
args = {
service_id = "sbm";
city = "Minden";
street = "Schwerinstr.";
house_number = "17b";
};
}
];
};
zone = [
{
name = "Home";
latitude = "52.31501090166047";
longitude = "8.910633035293603";
radius = "50";
}
{
name = "DKSB";
latitude = "52.31249954762553";
longitude = "8.910920619964601";
radius = "60";
}
{
name = "Hainweg";
latitude = "52.3176809501406";
longitude = "8.890610933303835";
radius = "60";
}
{
name = "Lande";
latitude = "52.35688908037632";
longitude = "8.898582458496096";
radius = "87";
}
{
name = "Rürups";
latitude = "52.317152702118655";
longitude = "8.89446449221293";
radius = "70";
}
{
name = "Schule";
latitude = "52.30213492276748";
longitude = "8.88126075267792";
radius = "200";
}
{
name = "Sokos";
latitude = "50.92777444599559";
longitude = "6.583169284373658";
radius = "50";
}
{
name = "Wohnung Aachen";
latitude = "50.7800954893528";
longitude = "6.154607534408569";
radius = "13";
}
];
};
mqtt = {
enable = true;
users = {
ha = {
acl = [
"readwrite #"
];
hashedPassword = "$7$101$lFt8hQl3O8aKF+bO$pcZuI18IT5t4/fpKZmLZQwQs+vcbxZdAQAYJOxRwXGYsxCRjb8jUSU+ZRlpqokOGqf/Cgvymfvml+yoGaC8eaw==";
};
z2m = {
acl = [
"readwrite #"
];
hashedPassword = "$7$101$M0Q/s9ReWPaMy+pT$Y8t9DwmW3y74lyvYrCE+sqEcz9yGG9VaHw8vt4wVZgUVVV9muY00ymjkwsTNtaTIlnQyB7z7POPLT3PURtQfeg==";
};
frigate = {
acl = [
"readwrite #"
];
hashedPassword = "$7$101$BZvoqhiaWo8TbFEv$KlE8XiE9dhfNV50SoUiBjTgnvSRaCwWdouuVcN4ZeHkR7/4JufQ7adW0VhVmtpv+6V9KOPDlN3wRaV+5eVlF3Q==";
};
nuki_wohnung = {
acl = [
"readwrite #"
];
hashedPassword = "$7$101$21wWveYvOyQKNuhd$rXD8d4F+Wf4k6LDkM09bsfkQfc+iXakRaH2sygYgOQqfrJ5Egt8D+9LVKa9ZQ12HLPSHDo0bP8ygVmY6iVJCjQ==";
};
poffertjes = {
acl = [
"readwrite #"
];
hashedPassword = "$7$101$n5J9RKGzFF7bOsOH$YNPQawxsfuDZk/N6NrNzkE5rEfTRlCW5Fjpk6kgwyTg4C6Peyz4I79ii4UMSANJ8DFNsPRL1KohCcXK07SMW2w==";
};
shelly1_flur_deckenlicht = {
acl = [
"readwrite #"
];
hashedPassword = "$7$101$n0PyELB9214BiluQ$P24lJlXDpKLaGSerrp51z5UUl3wYSek9SbJN+buqoS9acrCn7s3mtSLZfeMP0JT8zXx83GJrNwlDaA0BOu00xg==";
};
shelly25_abstellraum = {
acl = [
"readwrite #"
];
hashedPassword = "$7$101$n9IcybeGEAhnoWv5$RSnkEJFgDsrKUzEaLfNIa/5v4gkTMZSAq2bb7KzWSG6zaufHdnvtDZT+q7dZ3pkBFXndKtoelmuvm7XJLJC1mg==";
};
shelly25_badezimmer = {
acl = [
"readwrite #"
];
hashedPassword = "$7$101$PNWBSZUE4Ar5dOhx$2u6dneedx7OLOjH1auoax2AC1GP4oVcXe4OAmO3riNpzXZF9V1cJ7k/GREx9/vO/ONt5PuUygilk3X4SIYnf9A==";
};
tasmota_wohnzimmer_tv_steckdosenleiste = {
acl = [
"readwrite #"
];
hashedPassword = "$7$101$cywQWWzxPUUpUqdC$Q9tjqE4bW0VaNMVKIuts/wuyFetC//PyLVcRtpaK02HxwlTPY7jWivXUBA/t8l0wGZsS8lsiOIAu8e6bHb+7Xw==";
};
};
};
zigbee2mqtt = {
enable = true;
device = "/dev/serial/by-id/usb-Nabu_Casa_SkyConnect_v1.0_aaf7050fdb42ed11bb2843ab2a61ed69-if00-port0";
};
};
}


@ -1,17 +0,0 @@
{
flake,
config,
pkgs,
...
}: {
config = {
age.secrets.home_controller_wireguard.file = "${flake.self}/secrets/home_controller_giggles_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
ownIp = "10.0.1.11";
wireguardPrivateKeyFile = "/run/agenix/home_controller_wireguard";
};
};
}


@ -1,51 +0,0 @@
{
pkgs,
config,
...
}: let
serviceAddress = "10.10.41.11";
containerStateDir = "/data";
hostStateDir = "/srv/container/lrad";
in {
containers."lrad" = {
privateNetwork = true;
hostAddress = "10.10.41.1";
localAddress = serviceAddress;
bindMounts."${containerStateDir}" = {
hostPath = hostStateDir;
isReadOnly = false;
};
config = {
config,
pkgs,
...
}: {
networking.firewall.allowedTCPPorts = [63080];
#users.users."tang".isSystemUser = true;
systemd.services."tangd" = {
enable = true;
# TODO: require data/tangd to exist
serviceConfig = {
ExecStart = "${pkgs.tang}/bin/tangd ${containerStateDir}/data/tangd";
StandardInput = "socket";
StandardOutput = "socket";
StandardError = "journal";
User = "tang";
};
};
systemd.sockets."tangd" = {
enable = true;
listenStreams = ["63080"];
wantedBy = ["sockets.target"];
socketConfig = {
Accept = true;
};
};
};
};
}


@ -1,150 +0,0 @@
{...}:
let
vlan101Hosts = [
# switches
{mac = "28:80:88:72:ae:60"; ip = "10.0.42.15"; hostname = "sw-wohnung";} # statically configured
{mac = "28:87:ba:24:6a:2b"; ip = "10.0.42.16"; hostname = "sw-wohnzimmer";} # statically configured
# access points
{mac = "18:e8:29:c6:29:84"; ip = "10.0.42.21"; hostname = "ap-caro";}
{mac = "e4:38:83:e7:00:10"; ip = "10.0.42.22"; hostname = "ap-hendrik";}
{mac = "e4:38:83:e7:0a:c4"; ip = "10.0.42.23"; hostname = "ap-wohnzimmer";}
# security devices
{mac = "e0:ca:3c:7d:37:5b"; ip = "10.0.42.31"; hostname = "cam-wohnzimmer";}
];
vlan102Hosts = [
{mac = "38:1a:52:04:37:d8"; ip = "172.16.0.15"; hostname = "printer";}
{mac = "3c:e9:0e:87:d2:1c"; ip = "172.16.0.21"; hostname = "nspanel-hendrik";}
{mac = "3c:e9:0e:87:ef:d0"; ip = "172.16.0.22"; hostname = "nspanel-schlafzimmer";}
{mac = "98:0c:33:fe:3d:a8"; ip = "172.16.0.23"; hostname = "nuki-wohnung";}
{mac = "c8:5c:cc:5c:54:06"; ip = "172.16.0.24"; hostname = "presence-wohnzimmer";}
{mac = "c8:5c:cc:5c:28:7b"; ip = "172.16.0.25"; hostname = "presence-hendrik";}
{mac = "04:78:63:7f:0e:bb"; ip = "172.16.0.26"; hostname = "airpurifier-wohnzimmer";}
{mac = "48:e7:29:c1:a3:f0"; ip = "172.16.0.27"; hostname = "nspanel-caro";}
{mac = "5c:c5:63:eb:e8:b8"; ip = "172.16.0.28"; hostname = "poffertjes";}
{mac = "d0:ba:e4:e7:7d:d5"; ip = "172.16.0.29"; hostname = "airpurifier-hendrik";}
{mac = "98:f4:ab:f2:43:98"; ip = "172.16.0.30"; hostname = "shelly1-flur-deckenlicht";}
{mac = "a4:cf:12:ba:72:c1"; ip = "172.16.0.31"; hostname = "shelly25-abstellraum";}
{mac = "c8:2b:96:11:10:46"; ip = "172.16.0.32"; hostname = "shelly25-badezimmer";}
{mac = "24:62:ab:41:06:f2"; ip = "172.16.0.33"; hostname = "tasmota-tv-steckdosenleiste";}
{mac = "c8:db:26:0d:4f:f4"; ip = "172.16.0.34"; hostname = "harmonyhub-tv";}
];
vlan104Hosts = [
{mac = "30:58:90:1a:3b:ef"; ip = "10.42.0.21"; hostname = "box-hendrik";}
{mac = "30:58:90:19:b5:03"; ip = "10.42.0.22"; hostname = "box-schlafzimmer";}
{mac = "30:58:90:28:7e:30"; ip = "10.42.0.23"; hostname = "box-esstisch";}
{mac = "1c:53:f9:23:d7:c4"; ip = "10.42.0.31"; hostname = "nh-hendrik";}
{mac = "1c:53:f9:14:7b:65"; ip = "10.42.0.32"; hostname = "nh-kueche";}
{mac = "1c:53:f9:1c:9e:22"; ip = "10.42.0.33"; hostname = "nh-wohnzimmer";}
{mac = "20:1f:3b:96:9f:29"; ip = "10.42.0.34"; hostname = "nm-schlafzimmer";}
{mac = "6c:ad:f8:73:a0:94"; ip = "10.42.0.35"; hostname = "cc-wohnzimmer";}
{mac = "ec:66:d1:8a:79:71"; ip = "10.42.0.36"; hostname = "zeppelin-wohnzimmer";}
{mac = "c0:91:b9:1e:2b:80"; ip = "10.42.0.37"; hostname = "firetv-wohnzimmer";}
{mac = "cc:60:c8:14:26:2c"; ip = "10.42.0.38"; hostname = "xbox-wohnzimmer";}
];
mkDnsmasqHosts = hosts : map (h : "${h.mac},${h.hostname},${h.ip}") hosts;
mkKeaHosts = hosts : map (h : { hw-address = h.mac; ip-address = h.ip; }) hosts;
mkKeaOptions = router: dns: mtu:
[
{
name = "routers";
data = "${router}";
}
{
name = "domain-name-servers";
data = "${dns}";
}
{
name = "interface-mtu";
data = "${toString mtu}";
}
];
mkKeaSubnet = interface : subnet : pool : options : hosts : {
subnet = subnet;
interface = interface;
pools = [{ pool = pool; }];
option-data = mkKeaOptions options.router options.dns options.mtu;
reservations = mkKeaHosts hosts;
};
enableKea = true;
enableDnsmasq = false;
mtu = 1500;
in
{
networking.firewall.checkReversePath = false;
networking.firewall.allowedUDPPorts = [67]; # allow dhcp request
services.kea.dhcp4 = {
enable = enableKea;
settings = {
authoritative = true;
interfaces-config = {
interfaces = ["vlan101" "vlan102" "vlan104"];
dhcp-socket-type = "raw";
};
valid-lifetime = 3600;
host-reservation-identifiers = [ "hw-address" ];
subnet4 = [
(mkKeaSubnet "vlan101" "10.0.42.0/24" "10.0.42.100 - 10.0.42.200" {router = "10.0.42.1"; dns = "10.0.42.1"; mtu = mtu;} vlan101Hosts)
(mkKeaSubnet "vlan102" "172.16.0.0/24" "172.16.0.100 - 172.16.0.200" {router = "172.16.0.1"; dns = "172.16.0.1"; mtu = mtu;} vlan102Hosts)
(mkKeaSubnet "vlan104" "10.42.0.0/24" "10.42.0.100 - 10.42.0.200" {router = "10.42.0.1"; dns = "10.42.0.1"; mtu = mtu;} vlan104Hosts)
];
};
};
services.dnsmasq = {
enable = enableDnsmasq;
settings = {
interface = [
"vlan101" # network
"vlan102" # iot
"vlan104" # media
];
no-resolv = true;
no-poll = true;
server = [
"1.1.1.1"
"9.9.9.9"
];
dhcp-authoritative = true;
dhcp-host = (mkDnsmasqHosts vlan101Hosts) ++
(mkDnsmasqHosts vlan102Hosts) ++
(mkDnsmasqHosts vlan104Hosts);
dhcp-range = [
"vlan101,10.0.42.51,10.0.42.100"
"vlan102,172.16.0.101,172.16.0.150"
"vlan104,10.42.0.51,10.42.0.100"
];
dhcp-option = [
"option:dns-server,1.1.1.1"
"option:mtu,${mtu}"
# vlan101
"vlan101,option:router,10.0.42.1"
# vlan102
"vlan102,option:router,172.16.0.1"
# vlan104
"vlan104,option:router,10.42.0.1"
];
};
};
}


@ -1,55 +0,0 @@
{lib, ...}: {
networking = {
enableIPv6 = false;
useDHCP = false;
vlans = {
vlan101 = {
id = 101;
interface = "eth0";
}; # network vlan
vlan102 = {
id = 102;
interface = "eth0";
}; # iot vlan
vlan104 = {
id = 104;
interface = "eth0";
}; # media vlan
};
interfaces = {
eth0 = {
useDHCP = true;
mtu = 1460;
};
vlan101 = {
mtu = 1460;
ipv4.addresses = [
{
address = "10.0.42.11";
prefixLength = 24;
}
];
};
vlan102 = {
mtu = 1460;
ipv4.addresses = [
{
address = "172.16.0.11";
prefixLength = 24;
}
];
};
vlan104 = {
mtu = 1460;
ipv4.addresses = [
{
address = "10.42.0.11";
prefixLength = 24;
}
];
};
};
networkmanager.enable = lib.mkForce false;
};
}


@ -1,29 +0,0 @@
{ pkgs, python311 }:
let
pyLibrespotJava = python311.pkgs.buildPythonPackage rec {
pname = "pylibrespot-java";
version = "0.1.0";
src = pkgs.fetchPypi {
inherit pname version;
sha256 = "DbKPW3mB5IMhj0EqLhQpZ66wGjOGWxhaXM39IjkN/yA=";
};
propagatedBuildInputs = [
python311.pkgs.aiohttp
];
};
in
python311.pkgs.buildPythonPackage rec {
pname = "pyforked-daapd";
version = "0.1.14";
src = pkgs.fetchPypi {
inherit pname version;
sha256 = "v1NOlwP8KtBsQiqwbx1y8p8lABEuEJdNhvR2kGzLxKs=";
};
propagatedBuildInputs = [
pyLibrespotJava
python311.pkgs.aiohttp
];
}


@ -1,27 +0,0 @@
{ pkgs, python311 }:
let
pycryptodomex = python311.pkgs.buildPythonPackage rec {
pname = "pycryptodomex";
version = "3.18.0";
src = pkgs.fetchPypi {
inherit pname version;
sha256 = "Pj7LX+l558G7ACflGDQKz37mBBXXkpXlJR0Txo3eV24=";
};
};
in
python311.pkgs.buildPythonPackage rec {
pname = "aioairctrl";
version = "0.2.4";
src = pkgs.fetchFromGitHub {
owner = "kongo09";
repo = "aioairctrl";
rev = "v${version}";
sha256 = "JBXh590wu85ig+LZCgG9S7y9uLOKednFJ/1UfDLz5Fo=";
};
propagatedBuildInputs = [
python311.pkgs.aiocoap
pycryptodomex
];
}


@ -1,58 +0,0 @@
{
pkgs,
config,
...
}: let
containerStateDir = "/data";
hostStateDir = "/opt/tangd";
servicePort = 8081;
in {
networking.firewall.allowedTCPPorts = [servicePort];
containers."tang" = {
autoStart = true;
ephemeral = true;
bindMounts."${containerStateDir}" = {
hostPath = hostStateDir;
isReadOnly = false;
};
config = {
config,
pkgs,
...
}: {
networking.firewall.enable = false;
users.groups."_tang" = {};
users.users."_tang" = {
group = "_tang";
isSystemUser = true;
};
environment.systemPackages = with pkgs; [jose tang];
systemd.services."tangd@" = {
enable = true;
serviceConfig = {
ExecStartPre = "${pkgs.bash}/bin/bash -c \"mkdir -p ${containerStateDir}/tang-db\"";
ExecStart = "${pkgs.tang}/libexec/tangd ${containerStateDir}/tang-db";
User = "_tang";
Group = "_tang";
};
};
systemd.sockets."tangd" = {
enable = true;
listenStreams = ["${toString servicePort}"];
wantedBy = ["sockets.target"];
socketConfig = {
Accept = true;
};
};
system.stateVersion = "22.11";
};
};
}


@ -1,13 +0,0 @@
{ pkgs, lib, ...}:
{
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "mongodb" "unifi-controller" ];
networking.firewall.allowedTCPPorts = [8443]; # open unifi web interface port
services.unifi = {
enable = true;
unifiPackage = pkgs.unifi7;
openFirewall = true;
};
}


@ -1,19 +0,0 @@
set $left 'Dell Inc. DELL S2721DS D0SVQ43'
set $middle 'Samsung Electric Company SMBX2450L 0x00003231'
set $right 'Eizo Nanao Corporation EV2316W 39117013'
output $left {
scale 1
pos 0 0
transform 270
}
output $middle {
scale 1
pos 1440 1150
}
output $right {
scale 1
pos 3360 1150
}


@ -1,102 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
let
psCfg = config.pub-solar;
in
{
# work
pub-solar.docker.enable = true;
pub-solar.nextcloud.enable = true;
pub-solar.social.enable = true;
pub-solar.office.enable = true;
systemd.enableUnifiedCgroupHierarchy = true;
environment.systemPackages = with pkgs; [
jetbrains.goland
minicom
openjdk11
putty
remmina
thunderbird
vscode
vscode-extensions.golang.go
vscode-extensions.ms-python.python
wireshark
go_1_20
meld
ardour
helm
];
# unfree
hardware.enableRedistributableFirmware = true;
# graphical
pub-solar.graphical.enable = true;
pub-solar.sway.enable = true;
# daw
pub-solar.audio.enable = lib.mkForce true;
musnix.enable = true;
services.pipewire.jack.enable = true;
# gaming
pub-solar.gaming.enable = true;
# emulated building for raspi
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
home-manager.users."${psCfg.user.name}".xdg.configFile = lib.mkIf psCfg.sway.enable {
"sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
};
pub-solar.paranoia.enable = true;
programs.ausweisapp.enable = true;
services.pcscd = {
enable = true;
plugins = [ pkgs.pcsc-cyberjack ];
};
# Set your time zone.
time.timeZone = "Europe/Berlin";
time.hardwareClockInLocalTime = true; # easiest quirk for windows time offset feature
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.dhcpcd.wait = "background";
networking.useDHCP = false;
networking.interfaces.eno1 = {
useDHCP = true;
wakeOnLan = {
enable = true;
};
};
networking.networkmanager.enable = lib.mkForce false;
nixpkgs.config.allowUnsupportedSystem = true;
# List services that you want to enable:
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 22 ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
}


@ -1,6 +0,0 @@
{ ... }: {
imports = [
./configuration.nix
./hardware-configuration.nix
];
}


@ -1,70 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "usb_storage" "usbhid" "sd_mod" "raid1" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/e3a0394d-8bb5-4049-bf65-90d7202163cd";
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04011806021722115743-0:0-part1";
fallbackToPassword = true;
bypassWorkqueues = true;
};
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot";
};
boot.loader.grub = {
efiSupport = true;
enable = lib.mkForce true;
extraEntries = ''
menuentry "Windows" {
insmod part_gpt
insmod fat
insmod search_fs_uuid
insmod chain
search --fs-uuid --set=root 02DB-F12C
chainloader /efi/Microsoft/Boot/bootmgfw.efi
}
'';
devices = [ "nodev" ];
};
fileSystems = {
"/" =
{
device = "/dev/disk/by-uuid/4ad4db6d-543e-4cc5-a781-396e3b527a05";
fsType = "ext4";
};
"/boot" =
{
device = "/dev/disk/by-uuid/4B4A-B1B4";
fsType = "vfat";
};
"/boot2" =
{
device = "/dev/disk/by-uuid/4B2C-385A";
fsType = "vfat";
};
};
swapDevices =
[{ device = "/dev/mapper/vg0-swap"; }];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -1,16 +0,0 @@
# Screen brightness controls
bindsym XF86MonBrightnessUp exec "brightnessctl -d intel_backlight set +10%; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ {print $4}')"
bindsym XF86MonBrightnessDown exec "brightnessctl -d intel_backlight set 10%-; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ { print $4}')"
# Keyboard backlight brightness controls
bindsym XF86KbdBrightnessDown exec "brightnessctl -d smc::kbd_backlight set 10%-; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ { print $4}')"
bindsym XF86KbdBrightnessUp exec "brightnessctl -d smc::kbd_backlight set +10%; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ { print $4}')"
# Pulse Audio controls
bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. up' #increase sound volume
bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. down' #decrease sound volume
bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle && notify-send 'Mute sound' # mute sound
# Media player controls
bindsym XF86AudioPlay exec "playerctl play-pause; notify-send 'Play/Pause'"
bindsym XF86AudioNext exec "playerctl next; notify-send 'Next'"
bindsym XF86AudioPrev exec "playerctl previous; notify-send 'Prev.'"


@ -1 +0,0 @@
input 2:7:SynPS/2_Synaptics_TouchPad events disabled


@ -1,19 +0,0 @@
set $left 'Dell Inc. DELL S3222DGM G1FFT63'
set $right 'Dell Inc. DELL S2721DS D0SVQ43'
set $bottom 'Chimei Innolux Corporation 0x14D4'
output $left {
scale 1
pos 0 690
}
output $right {
scale 1
pos 2560 0
transform 90
}
output $bottom {
scale 1
pos 0 2130
}


@ -1,27 +0,0 @@
{self, ...}: {
programs.ssh.extraConfig = ''
Host builder
Hostname data.gssws.de
Port 2222
User builder
IdentitiesOnly yes
IdentityFile /root/.ssh/id_ed25519-builder
'';
nix.buildMachines = [
{
hostName = "builder";
systems = ["x86_64-linux" "aarch64-linux" "i686-linux"];
maxJobs = 40;
speedFactor = 20;
supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"];
mandatoryFeatures = [];
}
];
nix.distributedBuilds = true;
nix.settings = {
trusted-public-keys = ["chonk:1b/yLBRW2ZeL9jErW1ogMRUTq/hidJnZOxopx363JSo="];
builders-use-substitutes = true;
};
}


@ -1,100 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{
config,
pkgs,
lib,
...
}:
let
psCfg = config.pub-solar;
in
{
imports = [
./wireguard.nix
./builder.nix
];
pub-solar.docker.enable = true;
pub-solar.nextcloud.enable = true;
pub-solar.social.enable = true;
pub-solar.office.enable = true;
systemd.enableUnifiedCgroupHierarchy = true;
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"goland"
];
environment.systemPackages = with pkgs; [
jetbrains.goland
minicom
openjdk11
putty
remmina
thunderbird
vscode
vscode-extensions.golang.go
vscode-extensions.ms-python.python
wireshark
go_1_20
meld
factorio-experimental
];
hardware.enableRedistributableFirmware = true;
pub-solar.graphical.enable = true;
pub-solar.sway.enable = true;
boot.binfmt.emulatedSystems = ["aarch64-linux"];
pub-solar.audio.bluetooth.enable = false;
home-manager.users."${psCfg.user.name}".xdg.configFile = lib.mkIf psCfg.sway.enable {
"sway/config.d/10-inputs.conf".source = ./.config/sway/config.d/inputs.conf;
"sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
"sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf;
};
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.firewall = {
allowedUDPPorts = [
51820
51821
]; # Clients and peers can use the same port, see listenport
};
services.tlp = {
enable = true;
settings = {
CPU_SCALING_GOVERNOR_ON_AC = "performance";
CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
# The following prevents the battery from charging fully to
# preserve lifetime. Run `tlp fullcharge` to temporarily force
# full charge.
# https://linrunner.de/tlp/faq/battery.html#how-to-choose-good-battery-charge-thresholds
START_CHARGE_THRESH_BAT0 = 40;
STOP_CHARGE_THRESH_BAT0 = 80;
# 100 being the maximum, limit the speed of my CPU to reduce
# heat and increase battery usage:
CPU_MAX_PERF_ON_AC = 100;
CPU_MAX_PERF_ON_BAT = 50;
};
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
}


@ -1,6 +0,0 @@
{ ... }: {
imports = [
./configuration.nix
./hardware-configuration.nix
];
}


@ -1,52 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [];
boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "usbhid" "uas" "sdhci_pci"];
boot.initrd.kernelModules = ["dm-snapshot"];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.kernelPackages = pkgs.linuxPackages_latest;
hardware.bluetooth.enable = true;
hardware.bluetooth.powerOnBoot = true;
services.blueman.enable = true;
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/cdc29f0f-5b18-4ee7-8d38-1f4bac80b1e6";
allowDiscards = true;
bypassWorkqueues = true;
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/5b441f8f-d7eb-44f8-8df2-7354b3314a61";
fsType = "ext4";
options = [ "discard" ];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/84CD-91B6";
fsType = "vfat";
};
swapDevices = [{device = "/dev/disk/by-uuid/54162798-9017-4b59-afd7-ab9578da4bb9";}];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
hardware.trackpoint = {
enable = true;
device = "TPPS/2 ALPS TrackPoint";
emulateWheel = true;
sensitivity = 100; # default 128
speed = 64; # default 97
};
}


@ -1,95 +0,0 @@
{
config,
pkgs,
...
}: {
systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
systemd.services.wireguard-wg1.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wg1.serviceConfig.RestartSec = "5s";
# Enable WireGuard
networking.wireguard.interfaces = {
# "wg0" is the network interface name. You can name the interface arbitrarily.
wg0 = {
# Determines the IP address and subnet of the client's end of the tunnel interface.
ips = [
"10.0.0.13/32"
"fc00:200::13/128"
];
mtu = 1400;
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = "/home/hensoko/.config/wireguard/hosting-de.private";
peers = [
# For a client configuration, one peer entry for the server will suffice.
{
# Public key of the server (not a file path).
publicKey = "02/MRPduMGx1as7yS4G7GpL4+pQjsjpyS/tD9iPu8X0=";
# Forward all the traffic via VPN.
allowedIPs = [
"10.0.0.0/24"
"192.168.50.0/24"
"192.168.200.0/24"
"10.20.30.0/24"
"10.20.50.0/24"
"fc00:200::/120"
"95.129.51.5"
"95.129.54.43"
"134.0.28.89"
"134.0.27.108"
"134.0.25.181"
];
# Set this to the server IP and port.
endpoint = "134.0.30.154:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
];
};
wg1 = {
# Determines the IP address and subnet of the client's end of the tunnel interface.
ips = [
"10.0.1.121"
];
mtu = 1400;
listenPort = 51821; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = "/home/hensoko/.config/wireguard/data-gssws-de.private";
peers = [
# For a client configuration, one peer entry for the server will suffice.
{
# Public key of the server (not a file path).
publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8=";
allowedIPs = [
"10.0.1.0/24"
];
# Set this to the server IP and port.
endpoint = "80.244.242.2:51899";
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
];
};
};
}


@ -1,105 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
boot.loader.systemd-boot.enable = lib.mkForce false;
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
# boot.loader.grub.efiSupport = true;
# boot.loader.grub.efiInstallAsRemovable = true;
# boot.loader.efi.efiSysMountPoint = "/boot/efi";
# Define on which hard drive you want to install Grub.
boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
# networking.hostName = "nixos"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# Set your time zone.
# time.timeZone = "Europe/Amsterdam";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.enp0s3.useDHCP = true;
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
nix = {
#package = pkgs.nixFlakes;
extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
};
# Select internationalisation properties.
# i18n.defaultLocale = "en_US.UTF-8";
# console = {
# font = "Lat2-Terminus16";
# keyMap = "us";
# };
# Enable the X11 windowing system.
# services.xserver.enable = true;
# Configure keymap in X11
# services.xserver.layout = "us";
# services.xserver.xkbOptions = "eurosign:e";
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
# sound.enable = true;
# hardware.pulseaudio.enable = true;
# Enable touchpad support (enabled default in most desktopManager).
# services.xserver.libinput.enable = true;
# Define a user account. Don't forget to set a password with passwd.
# users.users.jane = {
# isNormalUser = true;
# extraGroups = [ "wheel" ]; # Enable sudo for the user.
# };
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
wget
firefox
];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 22 ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
}


@ -1,6 +0,0 @@
{ ... }: {
imports = [
./configuration.nix
./hardware-configuration.nix
];
}


@ -1,21 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "ohci_pci" "virtio_pci" "sd_mod" "sr_mod" "virtio_scsi" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "/dev/disk/by-label/nixos";
fsType = "ext4";
};
#virtualisation.virtualbox.guest.enable = true;
}


@ -1,31 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
pub-solar.core.lite = true;
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.enp0s25.useDHCP = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
}


@ -1,6 +0,0 @@
{ ... }: {
imports = [
./configuration.nix
./hardware-configuration.nix
];
}


@ -1,41 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/bd1ebf98-adc1-4868-842f-3d2c6ee04e13";
keyFile = "/dev/disk/by-partuuid/9ff6ebf7-01";
fallbackToPassword = true;
bypassWorkqueues = true;
};
fileSystems."/" =
{
device = "/dev/disk/by-uuid/1999ec2e-4564-4f5a-8333-6eb23ae03c8b";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/47ED-2F0B";
fsType = "vfat";
};
fileSystems."/home" =
{
device = "/dev/disk/by-uuid/69c89392-be11-4bd4-8f3b-6b7db20c716e";
fsType = "ext4";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/4ef0cdbc-38f4-4dcb-8fe8-553bbdb06192"; }];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -1,17 +0,0 @@
{
self,
config,
pkgs,
...
}: {
config = {
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_ringo_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
ownIp = "10.0.1.21";
wireguardPrivateKeyFile = "/run/agenix/home_controller_wireguard";
};
};
}


@ -1,32 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ inputs, pkgs, builtins, config, lib, ... }:
{
time.timeZone = "Europe/Berlin";
pub-solar.social.enable = true;
hardware.enableRedistributableFirmware = true;
pub-solar.graphical.enable = true;
pub-solar.sway.enable = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.networkmanager.enable = true;
#boot.loader.systemd-boot.enable = lib.mkForce false;
# Enable the OpenSSH daemon.
services.openssh.enable = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}


@ -1,6 +0,0 @@
{ ... }: {
imports = [
./configuration.nix
./hardware-configuration.nix
];
}


@ -1,50 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
inputs,
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
#(modulesPath + "/installer/scan/not-detected.nix")
#inputs.nixos-hardware.nixosModules.raspberry-pi-4
];
boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "usb_storage" "sd_mod"];
boot.extraModulePackages = [config.boot.kernelPackages.rtl88x2bu];
#microsoft-surface.kernelVersion = "6.5.5";
fileSystems."/" = {
device = "/dev/disk/by-label/root";
fsType = "ext4";
encrypted = {
enable = true;
label = "cryptroot";
blkDev = "/dev/disk/by-uuid/77829967-0c52-4a52-a65c-cfc093d18776";
};
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/2697-F70A";
fsType = "vfat";
};
swapDevices = [
{device = "/dev/disk/by-label/swap";}
];
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
systemd.services."iptsd" = {
serviceConfig = {
RestartAfter = "5s";
};
};
}