pub-solar/os
5
0
Fork 2
Code Issues 4 Pull requests Packages Projects 1 Releases Wiki Activity

Compare commits

base: pub-solar:main
Branches Tags
pub-solar:main
pub-solar:hensoko-no-digga
pub-solar:momo/fix-lib-deploy-rs
pub-solar:momo/main
pub-solar:flora-6-forgejo-actions-ci
pub-solar:teutat3s
pub-solar:infra
pub-solar:hensoko
pub-solar:b12f
pub-solar:pub.solar/nougat-2
pub-solar:momo/keycloak
pub-solar:feature/fix-modules
pub-solar:momo/infra-poc
pub-solar:b12f-bash
pub-solar:update/gitea-docker
pub-solar:feature/fix-correct-unit
pub-solar:fix/nvfetcher-rebuild
pub-solar:feature/ci-runner-experiment
pub-solar:adr/01-lvm-on-luks
pub-solar:teutat3s-drone-exec-runner
pub-solar:feature/fake-branch
pub-solar:hensoko-pre-rebase-bak
pub-solar:feature/ci-runner
pub-solar:vlalentim
pub-solar:feature/swaynotificationcenter
pub-solar:feature/wayvnc
pub-solar:feature/atomic-pre-commit
pub-solar:devos
pub-solar:pkg/wlstreamer
pub-solar:t36
pub-solar:t35
pub-solar:t34
pub-solar:t33
pub-solar:t32
pub-solar:t31
pub-solar:t30
pub-solar:t29
pub-solar:t28
pub-solar:t27
pub-solar:t26
pub-solar:t25
pub-solar:t24
pub-solar:t23
pub-solar:t22
pub-solar:t21
pub-solar:t20
pub-solar:t19
pub-solar:t18
pub-solar:t17
pub-solar:t16
pub-solar:t15
pub-solar:t14
pub-solar:t13
pub-solar:t12
pub-solar:t11
pub-solar:t10
pub-solar:t9
pub-solar:t8
pub-solar:t7
pub-solar:t6
pub-solar:t5
pub-solar:t4
pub-solar:t3
pub-solar:t2
pub-solar:t1
pub-solar:test
pub-solar:v0.10.0
pub-solar:v0.9.0
pub-solar:v0.8.0
pub-solar:0.7.0
pub-solar:12052020
pub-solar:07092020
..
compare: pub-solar:hensoko
Branches Tags
pub-solar:hensoko-no-digga
pub-solar:momo/fix-lib-deploy-rs
pub-solar:momo/main
pub-solar:flora-6-forgejo-actions-ci
pub-solar:teutat3s
pub-solar:infra
pub-solar:main
pub-solar:hensoko
pub-solar:b12f
pub-solar:pub.solar/nougat-2
pub-solar:momo/keycloak
pub-solar:feature/fix-modules
pub-solar:momo/infra-poc
pub-solar:b12f-bash
pub-solar:update/gitea-docker
pub-solar:feature/fix-correct-unit
pub-solar:fix/nvfetcher-rebuild
pub-solar:feature/ci-runner-experiment
pub-solar:adr/01-lvm-on-luks
pub-solar:teutat3s-drone-exec-runner
pub-solar:feature/fake-branch
pub-solar:hensoko-pre-rebase-bak
pub-solar:feature/ci-runner
pub-solar:vlalentim
pub-solar:feature/swaynotificationcenter
pub-solar:feature/wayvnc
pub-solar:feature/atomic-pre-commit
pub-solar:devos
pub-solar:pkg/wlstreamer
pub-solar:t36
pub-solar:t35
pub-solar:t34
pub-solar:t33
pub-solar:t32
pub-solar:t31
pub-solar:t30
pub-solar:t29
pub-solar:t28
pub-solar:t27
pub-solar:t26
pub-solar:t25
pub-solar:t24
pub-solar:t23
pub-solar:t22
pub-solar:t21
pub-solar:t20
pub-solar:t19
pub-solar:t18
pub-solar:t17
pub-solar:t16
pub-solar:t15
pub-solar:t14
pub-solar:t13
pub-solar:t12
pub-solar:t11
pub-solar:t10
pub-solar:t9
pub-solar:t8
pub-solar:t7
pub-solar:t6
pub-solar:t5
pub-solar:t4
pub-solar:t3
pub-solar:t2
pub-solar:t1
pub-solar:test
pub-solar:v0.10.0
pub-solar:v0.9.0
pub-solar:v0.8.0
pub-solar:0.7.0
pub-solar:12052020
pub-solar:07092020

65 commits
main ... hensoko

Author SHA1 Message Date
Hendrik Sokolowski 35e8f5116b remove zsh, use bash
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-10-06 01:25:07 +02:00
Hendrik Sokolowski f6ebcdd2a3 remove empty extensions
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-10-06 00:54:45 +02:00
Hendrik Sokolowski 489001fb5b profiles/work: remove teams, use go 1.20, install meld
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-10-06 00:37:48 +02:00
Hendrik Sokolowski 22a8b6ba4b remove virtualisation from norman 2023-10-06 00:36:21 +02:00
Hendrik Sokolowski 8653f517d4 hosts/norman: SQ, update to nixos 23.05, add discard for luks device, set wireguard mtu to 1400 2023-10-06 00:23:48 +02:00
Hendrik Sokolowski 2fe9f3d502 SQ cube 2023-10-06 00:22:12 +02:00
Hendrik Sokolowski e822d1ffb3 hosts/chonk: add teutat3s to libvirt container 2023-10-06 00:19:11 +02:00
Hendrik Sokolowski d30ecc2e24 modules/server: enable nix garbage collection 2023-10-06 00:17:31 +02:00
Hendrik Sokolowski 65990b4fef modules/server: update to 23.05, add lldpd 2023-10-06 00:15:50 +02:00
Hendrik Sokolowski ae934b4bde modules/arduino: disable module by default 2023-10-06 00:14:50 +02:00
Hendrik Sokolowski dbef702ac3 SQ chonk: Use authelia 2023-10-06 00:14:14 +02:00
Hendrik Sokolowski 9accff4383 SQ cube: update to 23.05, add stick for luks 2023-10-06 00:12:11 +02:00
Hendrik Sokolowski bd6b6fd8f6 SQ ringo 2023-10-06 00:09:56 +02:00
Hendrik Sokolowski 2245825774 Update to nixos 23.05
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-10-06 00:08:26 +02:00
Hendrik Sokolowski 5ba1651350 reorganize, use podman
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-10-06 00:03:00 +02:00
Hendrik Sokolowski 1f7e4220ee drop wakeonlan, add wdisplays, gnucash 2023-10-06 00:03:00 +02:00
Hendrik Sokolowski a03aa75d08 extend ssh config, add yubikey-manager 2023-10-06 00:03:00 +02:00
Hendrik Sokolowski c10bb47e15 Update to latest nixos-hardware version 2023-10-06 00:03:00 +02:00
Hendrik Sokolowski 6fc725a83b Use paperless module 2023-10-06 00:03:00 +02:00
Hendrik Sokolowski 5c3b9fd791 Extend monitoring-server 2023-10-06 00:03:00 +02:00
Hendrik Sokolowski 6adbbbeaa4 Extend home-assistant, add dhcp-server, add frigate, add avahi-reflector 2023-10-06 00:03:00 +02:00
Hendrik Sokolowski b5118aa1d4 Use home-assistant from latest, move zigbee2mqtt port to 8081 2023-10-06 00:03:00 +02:00
Hendrik Sokolowski e44fad0057 chonk: extend monitoring, use nextcloud-apps from nixos 2023-10-06 00:03:00 +02:00
Hendrik Sokolowski 49eb99ed51 chonk: drop grub version, add ipv6 2023-10-06 00:03:00 +02:00
Hendrik Sokolowski 42dc259691 no longer use openssh server with hpn patches 2023-10-06 00:03:00 +02:00
Hendrik Sokolowski ef7b1540b4 add python modules for home-assistant, cleanup 2023-10-06 00:03:00 +02:00
Hendrik Sokolowski b4b18e08d7 use fork for nvfetcher 2023-10-06 00:02:59 +02:00
Hendrik Sokolowski 4f99f73981 Add paperless module 2023-10-06 00:01:55 +02:00
Hendrik Sokolowski 668fa94359 Add ha2, update home-assistant config 2023-10-06 00:01:55 +02:00
Hendrik Sokolowski e10e91571c Add honme-assistant module 2023-10-06 00:01:55 +02:00
teutat3s f60a0bc019 wip: track nixos-23.05 2023-10-06 00:01:55 +02:00
Hendrik Sokolowski f1b6caa9c5 fix agenix 2023-10-06 00:01:55 +02:00
Hendrik Sokolowski a67d593499 SQ norman 2023-10-06 00:01:55 +02:00
Hendrik Sokolowski 0647268dd7 SQ norman 2023-10-06 00:01:55 +02:00
Hendrik Sokolowski 570571d7ed SQ chonk 2023-10-06 00:01:55 +02:00
Hendrik Sokolowski 0a32492e8e SQ norman 2023-10-06 00:01:55 +02:00
Hendrik Sokolowski 8a270f07ed add factorio to chonk, update wireguard config 2023-10-06 00:01:55 +02:00
Hendrik Sokolowski a6376572c1 make companion a ha hub 2023-10-06 00:01:55 +02:00
Hendrik Sokolowski 963fc644b1 april fools fools fools fools 2023-10-06 00:01:55 +02:00
Hendrik Sokolowski 358097bfdf Add ungoogled chrome 2023-10-06 00:01:55 +02:00
Hendrik Sokolowski 718db6f8c3 drop obsolete config from cube 2023-10-06 00:01:55 +02:00
Hendrik Sokolowski 645e223aab reset later 2023-10-06 00:01:55 +02:00
Hendrik Sokolowski 4a6a9f11e4 bla 2023-10-06 00:01:53 +02:00
Hendrik Sokolowski f4b49fdcde reset later 2023-10-06 00:00:29 +02:00
Hendrik Sokolowski 19afde40e3 drop docker statements 2023-10-06 00:00:29 +02:00
Hendrik Sokolowski 95eb32b8be rekey secrets 2023-10-06 00:00:29 +02:00
Hendrik Sokolowski 09eb7ed41d Bump flake.lock 2023-10-06 00:00:29 +02:00
Hendrik Sokolowski 8cc79885d8 add hosts 2023-10-06 00:00:29 +02:00
Hendrik Sokolowski 66eadcf1b1 Disable digga fix for now 2023-10-06 00:00:29 +02:00
Hendrik Sokolowski 2df9b037aa allow unfree 2023-10-06 00:00:29 +02:00
Hendrik Sokolowski 684a15972a Adapt terminal-life to personal use-case 2023-10-06 00:00:29 +02:00
Hendrik Sokolowski 1eae96f4f2 add profiles.daw 2023-10-06 00:00:27 +02:00
Hendrik Sokolowski aac86e144b add profiles.server 2023-10-05 23:59:59 +02:00
Hendrik Sokolowski fc3486b4ed Add module to setup wireguard backed zfs enabled k3s cluster 2023-10-05 23:59:59 +02:00
Hendrik Sokolowski 818f0f817a add profiles.non-free 2023-10-05 23:59:59 +02:00
Hendrik Sokolowski 25f158169f Update sway applications 2023-10-05 23:59:59 +02:00
Hendrik Sokolowski d7f35131dc Modify crypto for personal needs 2023-10-05 23:59:59 +02:00
Hendrik Sokolowski a4d831c640 update modules.virtualization to personal needs 2023-10-05 23:59:59 +02:00
Hendrik Sokolowski 1bd344e82d add profiles.virtualisation 2023-10-05 23:59:59 +02:00
Hendrik Sokolowski 0c4a6dab07 add profiles.work 2023-10-05 23:59:59 +02:00
Hendrik Sokolowski 197be5729c Fix nextcloud talk audio issues 2023-10-05 23:59:59 +02:00
Hendrik Sokolowski a88d2d40ed update modules.social for personal needs 2023-10-05 23:59:59 +02:00
Hendrik Sokolowski 6e8676904b add modules.server 2023-10-05 23:59:59 +02:00
Hendrik Sokolowski aa4391161d secrets 2023-10-05 23:59:59 +02:00
Hendrik Sokolowski cd0cd79f97 Initial hensoko 2023-10-05 23:59:59 +02:00
165 changed files with 5975 additions and 153 deletions
Show stats Expand all files Collapse all files

203
flake.lock
View file

@ -10,7 +10,7 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1682101079, "lastModified": 1680281360,
"narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=", "narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
@ -30,11 +30,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1696360011, "lastModified": 1686210161,
"narHash": "sha256-HpPv27qMuPou4acXcZ8Klm7Zt0Elv9dgDvSJaomWb9Y=", "narHash": "sha256-cgP8P2Gk4WtOzd/Y7nEmweLpPOtMKVvHCIcq9zm9qMk=",
"owner": "LnL7", "owner": "LnL7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "8b6ea26d5d2e8359d06278364f41fbc4b903b28a", "rev": "40e4b85baac86969f94d6dba893aeae015c562c1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -54,11 +54,11 @@
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1695052866, "lastModified": 1683779844,
"narHash": "sha256-agn7F9Oww4oU6nPiw+YiYI9Xb4vOOE73w8PAoBRP4AA=", "narHash": "sha256-sIeOU0GsCeQEn5TpqE/jFRN4EGsPsjqVRsPdrzIDABM=",
"owner": "serokell", "owner": "serokell",
"repo": "deploy-rs", "repo": "deploy-rs",
"rev": "e3f41832680801d0ee9e2ed33eb63af398b090e9", "rev": "c80189917086e43d49eece2bd86f56813500a0eb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -129,6 +129,22 @@
"type": "github" "type": "github"
} }
}, },
"factorio-pr": {
"locked": {
"lastModified": 1676729025,
"narHash": "sha256-342GXq1CGPbztLGJcSlbdRbglXlCWMYykeYg/d5Nvyk=",
"owner": "werner291",
"repo": "nixpkgs",
"rev": "e37b8db403154b3c421c6bc21afd725a5ad2df3e",
"type": "github"
},
"original": {
"owner": "werner291",
"ref": "master",
"repo": "nixpkgs",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -197,50 +213,35 @@
"type": "github" "type": "github"
} }
}, },
"fork": {
"locked": {
"lastModified": 1692960587,
"narHash": "sha256-39SKGdhn8jKKkdqhULbCvQOpdUPE9NNJpy5HTB++Jvg=",
"owner": "teutat3s",
"repo": "nixpkgs",
"rev": "312709dd70684f52496580e533d58645526b1c90",
"type": "github"
},
"original": {
"owner": "teutat3s",
"ref": "nvfetcher-fix",
"repo": "nixpkgs",
"type": "github"
}
},
"home": { "home": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixos" "nixos"
] ],
"utils": "utils_2"
}, },
"locked": { "locked": {
"lastModified": 1695108154, "lastModified": 1681092193,
"narHash": "sha256-gSg7UTVtls2yO9lKtP0yb66XBHT1Fx5qZSZbGMpSn2c=", "narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "07682fff75d41f18327a871088d20af2710d4744", "rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "release-23.05", "ref": "release-22.11",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
}, },
"latest": { "latest": {
"locked": { "locked": {
"lastModified": 1696604326, "lastModified": 1686226982,
"narHash": "sha256-YXUNI0kLEcI5g8lqGMb0nh67fY9f2YoJsILafh6zlMo=", "narHash": "sha256-nLuiPoeiVfqqzeq9rmXxpybh77VS37dsY/k8N2LoxVg=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "87828a0e03d1418e848d3dd3f3014a632e4a4f64", "rev": "a64b73e07d4aa65cfcbda29ecf78eaf9e72e44bd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -250,29 +251,83 @@
"type": "github" "type": "github"
} }
}, },
"musnix": {
"inputs": {
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1679269409,
"narHash": "sha256-f52ph0rV/tn2Gge6WHqO55K/TNTHAOhgp23uZ7QhlSE=",
"owner": "musnix",
"repo": "musnix",
"rev": "79a6cf5a711e7d2dbf0a3ba0df9bae016d6247f8",
"type": "github"
},
"original": {
"owner": "musnix",
"repo": "musnix",
"type": "github"
}
},
"nixlib": {
"locked": {
"lastModified": 1685840432,
"narHash": "sha256-VJIbiKsY7Xy4E4WcgwUt/UiwYDmN5BAk8tngAjcWsqY=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "961e99baaaa57f5f7042fe7ce089a88786c839f4",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixos": { "nixos": {
"locked": { "locked": {
"lastModified": 1696697597, "lastModified": 1686190112,
"narHash": "sha256-q26Qv4DQ+h6IeozF2o1secyQG0jt2VUT3V0K58jr3pg=", "narHash": "sha256-BRDO/tnq+ruwv14caQLIqejYJ6w5icja5KYpNunOW24=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5a237aecb57296f67276ac9ab296a41c23981f56", "rev": "41b86284d3e073bb322da076ae8cd6e116b2ee2a",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-23.05", "ref": "nixos-22.11",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixos-generators": {
"inputs": {
"nixlib": "nixlib",
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1685943944,
"narHash": "sha256-GpaQwOkvwkmSWxvWaZqbMKyyOSaBAwgdEcHCqLW/240=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "122dcc32cadf14c5015aa021fae8882c5058263a",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-generators",
"type": "github"
}
},
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1696614066, "lastModified": 1683965003,
"narHash": "sha256-nAyYhO7TCr1tikacP37O9FnGr2USOsVBD3IgvndUYjM=", "narHash": "sha256-DrzSdOnLv/yFBvS2FqmwBA2xIbN/Lny/WlxHyoLR9zE=",
"owner": "nixos", "owner": "nixos",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "bb2db418b616fea536b1be7f6ee72fb45c11afe0", "rev": "81cd886719e10d4822b2a6caa96e95d56cc915ef",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -281,6 +336,40 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs": {
"locked": {
"lastModified": 1685894048,
"narHash": "sha256-QKqv1QS+22k9oxncj1AnAxeqS5jGnQiUW3Jq3B+dI1w=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "2e56a850786211972d99d2bb39665a9b5a1801d6",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-hensoko": {
"inputs": {
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1666884246,
"narHash": "sha256-nSiYCIlMiYodY7GPCFPMF6YHVS2RM/XQZwn2Zrhu2eU=",
"ref": "master",
"rev": "f1863fb8e3866c1559ca885e1b319ea82baecdbb",
"revCount": 23,
"type": "git",
"url": "https://git.b12f.io/hensoko/nixpkgs"
},
"original": {
"type": "git",
"url": "https://git.b12f.io/hensoko/nixpkgs"
}
},
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1672791794, "lastModified": 1672791794,
@ -297,18 +386,37 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_2": {
"locked": {
"lastModified": 1654994491,
"narHash": "sha256-HFu3HTFFFcZSKImuiki3q+MLvcc85hRgYvW+sXmH8LE=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "1f8d88087a3753e55a29b5207f7f0997f7c813fa",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-22.05",
"repo": "nixpkgs",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
"darwin": "darwin", "darwin": "darwin",
"deploy": "deploy", "deploy": "deploy",
"digga": "digga", "digga": "digga",
"factorio-pr": "factorio-pr",
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"fork": "fork",
"home": "home", "home": "home",
"latest": "latest", "latest": "latest",
"musnix": "musnix",
"nixos": "nixos", "nixos": "nixos",
"nixos-hardware": "nixos-hardware" "nixos-generators": "nixos-generators",
"nixos-hardware": "nixos-hardware",
"nixpkgs-hensoko": "nixpkgs-hensoko"
} }
}, },
"utils": { "utils": {
@ -325,6 +433,21 @@
"repo": "flake-utils", "repo": "flake-utils",
"type": "github" "type": "github"
} }
},
"utils_2": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

116
flake.nix
View file

@ -36,6 +36,14 @@
agenix.inputs.darwin.follows = "darwin"; agenix.inputs.darwin.follows = "darwin";
nixos-hardware.url = "github:nixos/nixos-hardware"; nixos-hardware.url = "github:nixos/nixos-hardware";
# hensoko additions
musnix.url = "github:musnix/musnix";
musnix.inputs.nixpkgs.follows = "nixos";
nixpkgs-hensoko.url = "git+https://git.b12f.io/hensoko/nixpkgs";
factorio-pr.url = "github:werner291/nixpkgs/master";
}; };
outputs = { outputs = {
@ -46,6 +54,7 @@
nixos-hardware, nixos-hardware,
agenix, agenix,
deploy, deploy,
musnix,
... ...
} @ inputs: } @ inputs:
digga.lib.mkFlake digga.lib.mkFlake
@ -53,7 +62,7 @@
inherit self inputs; inherit self inputs;
channelsConfig = { channelsConfig = {
# allowUnfree = true; allowUnfree = true;
}; };
supportedSystems = ["x86_64-linux" "aarch64-linux" "aarch64-darwin"]; supportedSystems = ["x86_64-linux" "aarch64-linux" "aarch64-darwin"];
@ -71,6 +80,7 @@
]; ];
}; };
latest = {}; latest = {};
factorio-pr = {};
fork = {}; fork = {};
}; };
@ -121,6 +131,35 @@
#}) #})
]; ];
}; };
companion = {
system = "aarch64-linux";
modules = [nixos-hardware.nixosModules.raspberry-pi-4];
};
cox = {
system = "aarch64-linux";
modules = [nixos-hardware.nixosModules.raspberry-pi-4];
};
falcone = {
system = "aarch64-linux";
modules = [nixos-hardware.nixosModules.raspberry-pi-4];
};
giggles = {
system = "aarch64-linux";
modules = [nixos-hardware.nixosModules.raspberry-pi-4];
};
norman = {};
harrison = {
modules = [
musnix.nixosModules.musnix
];
};
surfplace = {
modules = [nixos-hardware.nixosModules.microsoft-surface-pro-intel];
};
}; };
importables = rec { importables = rec {
profiles = profiles =
@ -131,8 +170,39 @@
suites = with profiles; rec { suites = with profiles; rec {
base = [users.pub-solar users.root]; base = [users.pub-solar users.root];
iso = base ++ [base-user graphical pub-solar-iso]; iso = base ++ [base-user graphical pub-solar-iso];
pubsolaros = [full-install base-user users.root]; pubsolaros = [base-user users.root];
anonymous = [pubsolaros users.pub-solar]; anonymous = [pubsolaros users.pub-solar];
hensoko = pubsolaros ++ [users.hensoko];
hensoko-iot = [server base-user users.root users.iot];
# server
cube = hensoko-iot;
# home-controller
companion = hensoko-iot;
cox = hensoko-iot;
giggles = hensoko-iot;
# laptop
ringo = hensoko;
# vm
redpanda = hensoko;
# home pc
harrison = hensoko ++ [daw gaming graphical non-free social work];
# work laptop
norman = hensoko ++ [graphical non-free social work];
# cm4
falcone = hensoko-iot;
# surface
surfplace = hensoko ++ [graphical non-free social];
# chonk
chonk = hensoko-iot;
}; };
}; };
}; };
@ -149,8 +219,15 @@
users = { users = {
pub-solar = {suites, ...}: { pub-solar = {suites, ...}: {
imports = suites.base; imports = suites.base;
home.stateVersion = "22.05";
home.stateVersion = "21.03"; };
hensoko = {suites, ...}: {
imports = suites.base;
home.stateVersion = "22.05";
};
iot = {suites, ...}: {
imports = suites.base;
home.stateVersion = "22.05";
}; };
}; # digga.lib.importers.rakeLeaves ./users/hm; }; # digga.lib.importers.rakeLeaves ./users/hm;
}; };
@ -170,6 +247,37 @@
# path = self.pkgs.x86_64-linux.nixos.deploy-rs.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.bartender; # path = self.pkgs.x86_64-linux.nixos.deploy-rs.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.bartender;
# }; # };
#}; #};
redpanda = {
hostname = "192.168.42.71:22";
sshUser = "hensoko";
fastConnect = true;
profilesOrder = ["system" "direnv"];
profiles.direnv = {
user = "hensoko";
path = deploy.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.hensoko;
};
};
companion = {sshUser = "iot";};
cox = {sshUser = "iot";};
giggles = {sshUser = "iot";};
ringo = {};
cube = {sshUser = "iot";};
chonk = {sshUser = "iot";};
}; };
users = {
pub-solar = {suites, ...}: {
imports = suites.base;
home.stateVersion = "21.03";
};
hensoko = {suites, ...}: {
imports = suites.base;
home.stateVersion = "21.03";
};
iot = {suites, ...}: {
imports = suites.base;
home.stateVersion = "21.03";
};
}; # digga.lib.importers.rakeLeaves ./users/hm;
}; };
} }

10
hosts/chonk/acme.nix Normal file
View file

@ -0,0 +1,10 @@
{
pkgs,
config,
...
}: {
security.acme = {
acceptTerms = true;
defaults.email = "hensoko@gssws.de";
};
}

112
hosts/chonk/authelia.nix Normal file
View file

@ -0,0 +1,112 @@
{
pkgs,
config,
self,
...
}: let
containerStateDir = "/var/lib/authelia-gssws";
hostStateDir = "/opt/authelia";
domain = "auth.gssws.de";
servicePort = 9091;
in {
age.secrets.authelia_users = {
file = "${self}/secrets/chonk_authelia_users.age";
owner = "999";
group = "999";
};
age.secrets.authelia_storage_encryption_key = {
file = "${self}/secrets/chonk_authelia_storage_encryption_key.age";
owner = "999";
group = "999";
};
age.secrets.authelia_jwt_secret = {
file = "${self}/secrets/chonk_authelia_jwt_secret.age";
owner = "999";
group = "999";
};
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString servicePort}";
};
};
containers."authelia" = {
autoStart = true;
ephemeral = true;
bindMounts = {
"${containerStateDir}" = {
hostPath = hostStateDir;
isReadOnly = false;
};
"/run/agenix" = {
hostPath = "/run/agenix";
isReadOnly = false;
};
"/run/agenix.d" = {
hostPath = "/run/agenix.d";
isReadOnly = false;
};
};
config = {
config,
pkgs,
...
}: {
networking.firewall.enable = false;
services.authelia.instances."gssws" = {
enable = true;
secrets = {
jwtSecretFile = "/run/agenix/authelia_jwt_secret";
storageEncryptionKeyFile = "/run/agenix/authelia_storage_encryption_key";
};
settings = {
theme = "auto";
server.port = servicePort;
session.domain = domain;
default_redirection_url = "https://home.gssws.de/";
access_control.default_policy = "two_factor";
authentication_backend = {
password_reset.disable = false;
file = {
path = "/run/agenix/authelia_users";
};
};
storage.local.path = "/var/lib/authelia-gssws/db.sqlite3";
totp = {
issuer = "auth.gssws.de";
algorithm = "SHA512";
digits = 8;
};
webauthn = {
display_name = "auth.gssws.de";
};
notifier.smtp = {
address = "smtp://mail.gssws.de:25";
sender = "Authelia <authelia@gssws.de>";
identifier = "auth.gssws.de";
};
};
};
system.stateVersion = "23.05";
};
};
}

37
hosts/chonk/backup.nix Normal file
View file

@ -0,0 +1,37 @@
{
config,
lib,
self,
...
}: {
age.secrets.restic_repository_password.file = "${self}/secrets/chonk_restic_repository_password.age";
age.secrets.restic_nextcloud_password.file = "${self}/secrets/chonk_restic_nextcloud_password.age";
programs.ssh.extraConfig = ''
Host backup
HostName 10.0.1.12
Port 32222
User backup
IdentityFile /run/agenix/restic_ssh_private_key
'';
services.postgresqlBackup = {
enable = true;
backupAll = true;
compression = "zstd";
};
services.restic.backups = {
cox = {
passwordFile = "/run/agenix/restic_repository_password";
paths = [
"/mnt/internal/nextcloud"
"/var/backup/postgresql"
];
repositoryFile = "/run/agenix/restic_nextcloud_password";
timerConfig = {
OnCalendar = "02:00";
};
};
};
}

29
hosts/chonk/builder.nix Normal file
View file

@ -0,0 +1,29 @@
{
self,
config,
pkgs,
...
}: let
psCfg = config.pub-solar;
in {
age.secrets.nix-builder-private-key = {
owner = "builder";
group = "builder";
file = "${self}/secrets/chonk_nix_builder_private_key.age";
};
nix.settings.trusted-users = ["builder"];
boot.binfmt.emulatedSystems = ["aarch64-linux"];
users.groups."builder" = {};
users.users."builder" = {
isNormalUser = true;
group = "builder";
shell = pkgs.bashInteractive;
openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8hTdDTA+LVlHkOm5IBjT32PvAdCxYfUfFFRx+JGeS6 root@norman"];
};
nix.settings.secret-key-files = "/run/agenix/nix-builder-private-key";
}

14
hosts/chonk/chonk.nix Normal file
View file

@ -0,0 +1,14 @@
{
config,
pkgs,
lib,
...
}:
with lib;
with pkgs; let
psCfg = config.pub-solar;
in {
imports = [
./configuration.nix
];
}

45
hosts/chonk/configuration.nix Normal file
View file

@ -0,0 +1,45 @@
{
config,
lib,
pkgs,
...
}: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./acme.nix
./backup.nix
./drone.nix
./home-assistant.nix
./nextcloud.nix
./wireguard.nix
./builder.nix
./invidious.nix
./factorio.nix
./invoiceplane.nix
#./tang.nix
#./whiteboard.nix
./libvirt-container.nix
./monitoring.nix
./authelia.nix
];
boot.loader.systemd-boot.enable = lib.mkForce false;
time.timeZone = "Europe/Berlin";
services.openssh.ports = [2222];
networking.nat.enable = true;
networking.nat.internalIPs = ["10.10.42.0/24" "10.0.1.1"];
networking.nat.externalInterface = "br0";
networking.firewall.enable = lib.mkForce true;
networking.firewall.allowedTCPPorts = [80 443 2222];
networking.firewall.allowedUDPPorts = [51899];
system.stateVersion = "21.05"; # Did you read the comment?
}

7
hosts/chonk/default.nix Normal file
View file

@ -0,0 +1,7 @@
{suites, ...}: {
imports =
[
./chonk.nix
]
++ suites.chonk;
}

24
hosts/chonk/drone.nix Normal file
View file

@ -0,0 +1,24 @@
{
self,
config,
pkgs,
...
}: {
age.secrets.drone_exec_runner_config = {
file = "${self}/secrets/chonk_drone_exec_runner_config.age";
owner = "999";
};
pub-solar.docker-ci-runner = {
enable = true;
enableKvm = true;
nixCacheLocation = "/srv/drone-nix-cache/nix";
runnerEnvironment = {
DRONE_RUNNER_CAPACITY = "10";
DRONE_RUNNER_LABELS = "hosttype:baremetal";
};
runnerVarsFile = "/run/agenix/drone_exec_runner_config";
};
}

177
hosts/chonk/factorio.nix Normal file
View file

@ -0,0 +1,177 @@
{
self,
lib,
config,
pkgs,
...
}:
with pkgs; let
modDrv = pkgs.factorio-utils.modDrv {
allRecommendedMods = true;
allOptionalMods = false;
};
# Krastorio
flib = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/EsrBq2XpR9bTp7b/download/flib_0.12.6.zip"
];
sha256 = "Wf/w3Bh4jT5DDEp6GCVdg181DxEjiWe1iN3h5X7/oAw=";
};
};
krastorio2Assets = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/czsmnaiis25TX8m/download/Krastorio2Assets_1.2.1.zip"
];
sha256 = "1Y8I40I8EQLdLuiWDr+aty8p7PNh1pY6IPkRVz2pi5E=";
};
};
krastorio2 = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/DepN4zWWjiEJpZt/download/Krastorio2_1.3.18.zip"
];
sha256 = "wuMVVW7SbDdBxcUmJLT9MzpC9W1RRJaTs2cYylt6ilU=";
};
deps = [flib krastorio2Assets];
};
# Alien Biomes
alienBiomes = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/FH22nM54PfcTios/download/alien-biomes_0.6.8.zip"
];
sha256 = "oy7VeSIxJmTNmpu/0tGqhbrfPFoJRQc5eS6eI/Epp1A=";
};
};
# Auto Deconstruct
autoDeconstruct = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/fSLQCfRGFKTbQSw/download/AutoDeconstruct_0.3.7.zip"
];
sha256 = "VYgLhfWSaWtbY8l+c+9v498IPA/Q7XdRveEsw/pxuJw=";
};
};
# Cargo Ships
cargoShips = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/tcYXBymFT8idCdb/download/cargo-ships_0.1.22.zip"
];
sha256 = "pfP97myiibmp00o75Yo9rVYS6cYKgflGiRNsP+FTjFU=";
};
};
# Electrical Trains
electricalTrains = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/oHXWpoi7kD52Dzt/download/Realistic_Electric_Trains_Krastorio_2_1.0.0.zip"
];
sha256 = "ujO5qRHzKgxX/vsYYvoBjh1UKukGD31FvjLQZzCqxlk=";
};
};
# far reach
farReach = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/KAqfr826ccHHRpG/download/far-reach_1.1.2.zip"
];
sha256 = "y1XuduS9WKMtGKLj7hQgh7wOy8l3l5WWlLTm6BJ1yxA=";
};
};
# Fluid Must Flow
fluidMustFlow = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/J2XA4jPNNWxSSti/download/FluidMustFlow_1.3.1.zip"
];
sha256 = "X2dGJCFL1dRRP7BFhFKI7mgtFd4zjHYWO8ehII6aaDc=";
};
};
# Recipe Book
recipeBook = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/oRQYJ4H7xkc3rtq/download/RecipeBook_3.5.2.zip"
];
sha256 = "dPj9FH0r4dXtdrXyAkVIwXveECCBzcVGlJmQsF0oSpE=";
};
};
# Regenerate Terrain
regenerateTerrain = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/YWTEB6rQeptmxGL/download/regenerate-terrain_0.3.1.zip"
];
sha256 = "EIZQeTzHAvSEFAOh6pN0Xd5GbqV9O/wI2QA5YtR8GxU=";
};
};
# Space Exploration
spaceExploration = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/yy79DMAQtqCcWYW/download/space-exploration_0.6.104.zip"
];
sha256 = "5vFD+6R4jqp2PH6ASa1JJ0+acXi+dBwyrM/xil8RyU0=";
};
};
# Todo List
todoList = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/bJjpgSMamwex7pF/download/Todo-List_19.3.0.zip"
];
sha256 = "0QPp7W2OOrkpLs+fOvTxut+6rV0heZdfEA4sbvyb+rs=";
};
};
# Vehicle Snap
vehicleSnap = modDrv {
src = fetchurl {
urls = [
"https://cloud.pub.solar/s/ZgDTAgY4dxiwZ3d/download/VehicleSnap_1.18.5.zip"
];
sha256 = "VRo2feta/CZGXGHbOwLOWdXZUoiqwlLPne0dC3YPyDA=";
};
};
in rec
{
services.factorio = {
enable = true;
package = pkgs.factorio-headless-experimental;
openFirewall = true;
game-name = "pub.solar Factorio";
game-password = "pub.solar";
admins = ["hensoko"];
mods = [
krastorio2
alienBiomes
autoDeconstruct
cargoShips
electricalTrains
farReach
fluidMustFlow
recipeBook
regenerateTerrain
spaceExploration
todoList
vehicleSnap
];
};
}

118
hosts/chonk/hardware-configuration.nix Normal file
View file

@ -0,0 +1,118 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
boot.initrd.kernelModules = ["raid1"];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.extraModprobeConfig = "options kvm_intel nested=1";
boot.initrd.luks.forceLuksSupportInInitrd = true;
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_03025429121421051300-0:0";
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/9e13c8ea-96d3-45b1-85f4-d1a61233da6f";
#keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04020116120721075123-0:0-part1";
#fallbackToPassword = true;
#bypassWorkqueues = true;
};
boot.initrd.network = {
enable = true;
ssh = {
enable = true;
port = 22;
authorizedKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work"];
hostKeys = [/etc/secrets/initrd/ssh_host_ed25519_key];
};
postCommands = ''
echo 'cryptsetup-askpass' >> /root/.profile
'';
};
boot.initrd.systemd.enable = true;
boot.initrd.services.swraid = {
enable = true;
mdadmConf = ''
ARRAY /dev/md/0 metadata=1.2 name=data:0 UUID=1156202f:835af09b:2e05e02a:a1869d1c
'';
};
fileSystems."/" = {
device = "/dev/disk/by-label/root";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "ext4";
};
fileSystems."/mnt/internal" = {
device = "/dev/disk/by-uuid/3563f624-f8ed-4664-95d0-ca8b9db1c60a";
fsType = "ext4";
};
swapDevices = [
{device = "/dev/disk/by-label/swap";}
];
networking.bonds."bond0" = {
interfaces = ["eno1" "eno2"];
driverOptions = {
miimon = "100";
mode = "balance-xor";
xmit_hash_policy = "layer3+4";
};
};
networking = {
defaultGateway = {
address = "80.244.242.1";
interface = "br0";
};
defaultGateway6 = {
address = "2001:4d88:1ffa:26::1";
interface = "br0";
};
nameservers = ["95.129.51.51" "80.244.244.244"];
bridges."br0".interfaces = ["bond0"];
interfaces."br0" = {
ipv4.addresses = [
{
address = "80.244.242.2";
prefixLength = 29;
}
];
ipv6.addresses = [
{
address = "2001:4d88:1ffa:26::2";
prefixLength = 64;
}
];
};
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

26
hosts/chonk/home-assistant.nix Normal file
View file

@ -0,0 +1,26 @@
{
self,
pkgs,
config,
...
}: {
# HTTP
services.nginx.virtualHosts = let
makeVirtualHost = target: {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = target;
proxyWebsockets = true;
extraConfig = ''
proxy_ssl_server_name on;
proxy_pass_header Authorization;
'';
};
};
in {
"ha.gssws.de" = makeVirtualHost "http://10.0.1.254:8123";
"ha2.gssws.de" = makeVirtualHost "http://10.0.1.11:8123";
"ha.karinsokolowski.de" = makeVirtualHost "http://10.0.1.13:8123";
};
}

23
hosts/chonk/invidious.nix Normal file
View file

@ -0,0 +1,23 @@
{
self,
config,
pkgs,
...
}: let
domain = "yt.gssws.de";
in {
age.secrets.invidious_db_password.file = "${self}/secrets/chonk_invidious_db_password.age";
services.invidious = {
inherit domain;
enable = true;
nginx.enable = true;
database = {
createLocally = true;
passwordFile = "/run/agenix/invidious_db_password";
};
settings = {
https_only = true;
};
};
}

63
hosts/chonk/invoiceplane.nix Normal file
View file

@ -0,0 +1,63 @@
{
self,
config,
pkgs,
...
}: let
hostAddress = "10.10.42.1";
serviceAddress = "10.10.42.11";
domain = "inv.gssws.de";
hostStateDir = "/mnt/internal/invoiceplane";
containerStateDir = "/var/lib/invoiceplane";
in {
# nginx
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://${serviceAddress}:80";
};
};
};
# invoiceplane
containers."invoiceplane" = {
privateNetwork = true;
hostAddress = "10.10.42.1";
localAddress = serviceAddress;
bindMounts."${containerStateDir}" = {
hostPath = hostStateDir;
isReadOnly = false;
};
config = {
config,
pkgs,
...
}: {
networking.firewall.allowedTCPPorts = [80];
services.rsyslogd.enable = true;
services.phpfpm.pools."invoiceplane-${domain}".phpOptions = ''
date.timezone = Europe/Berlin
'';
services.caddy.virtualHosts."http://${domain}".listenAddresses = ["0.0.0.0"];
services.invoiceplane.sites."${domain}" = {
enable = true;
stateDir = containerStateDir;
database = {
user = "invoiceplane";
name = "invoiceplane";
};
};
system.stateVersion = "22.11";
};
};
}

66
hosts/chonk/libvirt-container.nix Normal file
View file

@ -0,0 +1,66 @@
{
config,
pkgs,
...
}: {
networking.firewall.allowedTCPPorts = [4222];
containers."libvirt-container" = {
autoStart = true;
bindMounts."/dev/kvm" = {
hostPath = "/dev/kvm";
isReadOnly = false;
};
allowedDevices = [
{
node = "/dev/kvm";
modifier = "rw";
}
{
node = "/dev/net/tun";
modifier = "rw";
}
{
node = "/dev/vnet*";
modifier = "rw";
}
];
forwardPorts = [
{
hostPort = 4222;
}
];
enableTun = true;
#extraFlags = [ "-U" ];
config = {
config,
pkgs,
...
}: {
networking.firewall.enable = false;
virtualisation.libvirtd.enable = true;
security.polkit.enable = true;
services.openssh = {
enable = true;
ports = [4222];
};
users.users.root = {
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFro/k4Mgqyh8yV/7Zwjc0dv60ZM7bROBU9JNd99P/4co6fxPt1pJiU/pEz2Dax/HODxgcO+jFZfvPEuLMCeAl0= YubiKey #10593996 PIV Slot 9a @teutat3s"
];
};
system.stateVersion = "22.11";
};
};
}

84
hosts/chonk/monitoring.nix Normal file
View file

@ -0,0 +1,84 @@
{
config,
lib,
self,
...
}: {
pub-solar.monitoring-server = {
enable = true;
listenAddress = "10.0.1.6";
grafana.enable = true;
node_exporter = {
enable = true;
hosts = [
"10.0.1.11:9002"
"10.0.1.12:9002"
"10.0.1.13:9002"
"10.0.1.254:9100"
];
};
snmp = {
enable = true;
hosts = [
"192.168.42.1"
#"10.0.1.254:9116" = [
# {
# targets = [ "192.168.42.1" ];
# auth = [ "public_v2" ];
# modules = [ "if_mib" ];
# }
#];
];
};
smokeping = {
enable = true;
hosts = [
"mail.gssws.de"
"cust.gssws.de"
"data.gssws.de"
"mail.hosting.de"
"blog.fefe.de"
# hosting.de
"ovh2.goekal.de"
"83.151.16.16"
"83.151.16.17"
"83.151.16.51"
"r2backup17.masterlogin.de"
"demo.routing.net"
"vsrv07344.customer.vlinux.de"
"213.160.76.43"
"185.11.139.27"
"185.11.137.4"
"83.151.30.176"
"83.151.28.246"
"83.151.21.204"
"79.140.42.4"
"31.15.67.23"
"31.15.64.79"
"80.244.244.244"
"95.129.51.51"
"185.11.137.122"
"79.140.41.12"
];
};
};
# wireguard exporter
networking.firewall.allowedTCPPorts = [9585];
services.prometheus = {
exporters.wireguard = {
enable = true;
withRemoteIp = true;
};
scrapeConfigs = [
{
job_name = "chonk-wireguard";
static_configs = [
{
targets = ["10.0.1.6:9586"];
}
];
}
];
};
}

29
hosts/chonk/nextcloud-apps.nix Normal file
View file

@ -0,0 +1,29 @@
{
self,
pkgs,
config,
lib,
...
}: {
services.nextcloud.extraApps = with pkgs.nextcloud27Packages.apps; {
inherit bookmarks
calendar
contacts
files_markdown
impersonate
keeweb
maps
news
notes
notify_push
tasks
#twofactor_totp
twofactor_webauthn
user_saml;
"twofactor_totp" = pkgs.fetchzip {
sha256 = "zAPNugbvngXcpgWJLD78YAg4G1QtGaphx1bhhg7mLKE=";
url = "https://github.com/nextcloud-releases/twofactor_totp/releases/download/v6.4.1/twofactor_totp-v6.4.1.tar.gz";
};
};
}

39
hosts/chonk/nextcloud-collabora.nix Normal file
View file

@ -0,0 +1,39 @@
{...}: {
# Collabora Code server
virtualisation.oci-containers.containers."nextcloud-collabora-code" = {
image = "collabora/code";
autoStart = true;
ports = ["127.0.0.1:9980:9980"];
environment.domain = "data\\.gssws\\.de";
extraOptions = ["--cap-add" "MKNOD"];
};
services.nginx.virtualHosts."office.gssws.de" = let
proxyPass = "https://127.0.0.1:9980";
extraConfig = "proxy_ssl_verify off;";
in {
enableACME = true;
forceSSL = true;
locations."^~ /browser" = {
inherit proxyPass extraConfig;
};
locations."^~ /hosting/discovery" = {
inherit proxyPass extraConfig;
};
locations."^~ /hosting/capabilities" = {
inherit proxyPass extraConfig;
};
locations."~ ^/cool/(.*)/ws''$" = {
inherit proxyPass extraConfig;
proxyWebsockets = true;
};
locations."~ ^/(c|l)ool" = {
inherit proxyPass extraConfig;
};
locations."^~ /cool/adminws" = {
inherit proxyPass extraConfig;
proxyWebsockets = true;
};
};
}

124
hosts/chonk/nextcloud.nix Normal file
View file

@ -0,0 +1,124 @@
{
self,
pkgs,
config,
lib,
...
}: let
notifyPushPort = 7867;
in {
imports = [
./nextcloud-apps.nix
./nextcloud-collabora.nix
];
age.secrets.nextcloud_db_pass = {
owner = "nextcloud";
group = "nextcloud";
file = "${self}/secrets/chonk_nextcloud_db_pass.age";
};
age.secrets.nextcloud_admin_pass = {
owner = "nextcloud";
group = "nextcloud";
file = "${self}/secrets/chonk_nextcloud_admin_pass.age";
};
# HTTP
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
virtualHosts."data.gssws.de" = {
enableACME = true;
forceSSL = true;
};
};
# DATABASES
services.postgresql = {
enable = true;
package = pkgs.postgresql_11;
settings = {
max_connections = "200";
};
ensureDatabases = ["nextcloud"];
ensureUsers = [
{
name = "nextcloud";
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
}
];
};
# NOTIFY PUSH
services.nextcloud.notify_push.enable = true;
# REDIS
services.redis.servers."nextcloud".enable = true;
users.groups."redis-nextcloud".members = ["nextcloud"];
# NEXTCLOUD
systemd.services."nextcloud-setup" = {
requires = ["postgresql.service"];
after = ["postgresql.service"];
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud27;
enableBrokenCiphersForSSE = false;
hostName = "data.gssws.de";
https = true;
datadir = "/mnt/internal/nextcloud";
caching.apcu = true;
caching.redis = true;
phpPackage = lib.mkForce pkgs.php82;
poolSettings = {
"pm" = "dynamic";
"pm.max_children" = "128";
"pm.start_servers" = "64";
"pm.min_spare_servers" = "32";
"pm.max_spare_servers" = "76";
"pm.max_requests" = "500";
};
phpOptions = {
short_open_tag = "Off";
expose_php = "Off";
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
display_errors = "stderr";
"opcache.enable_cli" = "1";
"opcache.interned_strings_buffer" = "32";
"opcache.max_accelerated_files" = "100000";
"opcache.memory_consumption" = "256";
"opcache.revalidate_freq" = "1";
"opcache.fast_shutdown" = "1";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
catch_workers_output = "yes";
};
config = {
overwriteProtocol = "https";
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "127.0.0.1:5432";
dbname = "nextcloud";
dbpassFile = "/run/agenix/nextcloud_db_pass";
adminpassFile = "/run/agenix/nextcloud_admin_pass";
adminuser = "admin";
trustedProxies = ["80.244.242.2"];
defaultPhoneRegion = "DE";
};
};
}

68
hosts/chonk/tang-container.nix Normal file
View file

@ -0,0 +1,68 @@
{
pkgs,
config,
...
}: let
containerStateDir = "/data";
hostStateDir = "/opt/tangd";
domain = "";
serviceAddress = "10.10.42.12";
in {
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://${serviceAddress}:${toString servicePort}";
};
};
containers."tang" = {
autoStart = true;
ephemeral = true;
bindMounts."${containerStateDir}" = {
hostPath = hostStateDir;
isReadOnly = false;
};
config = {
config,
pkgs,
...
}: {
networking.firewall.enable = false;
users.groups."_tang" = {};
users.users."_tang" = {
group = "_tang";
isSystemUser = true;
};
environment.systemPackages = ["${pkgs.jose}"];
systemd.services."tangd@" = {
enable = true;
serviceConfig = {
ExecStartPre = "${pkgs.bash}/bin/bash -c \"mkdir -p ${containerStateDir}/tang-db\"";
ExecStart = "${pkgs.tang}/libexec/tangd ${containerStateDir}/tang-db";
StandardInput = "socket";
StandardOutput = "socket";
StandardError = "journal";
User = "_tang";
Group = "_tang";
};
};
systemd.sockets."tangd" = {
enable = true;
listenStreams = ["${toString servicePort}"];
wantedBy = ["sockets.target"];
socketConfig = {
Accept = true;
};
};
system.stateVersion = "22.11";
};
};
}

25
hosts/chonk/tang.nix Normal file
View file

@ -0,0 +1,25 @@
{
self,
config,
pkgs,
...
}: let
domain = "t.gssws.de";
servicePort = 63080;
in {
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString servicePort}";
};
};
virtualisation.oci-containers.containers."tang" = {
image = "cloggo/tangd";
ports = ["127.0.0.1:${builtins.toString servicePort}:8080"];
environment = {
IP_WHITELIST = "172.17.0.1";
};
};
}

66
hosts/chonk/wireguard.nix Normal file
View file

@ -0,0 +1,66 @@
{
self,
config,
pkgs,
...
}: {
age.secrets.home_controller_wireguard.file = "${self}/secrets/chonk_wireguard_key.age";
systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
# Enable WireGuard
networking.wireguard.interfaces = {
wg0 = {
ips = ["10.0.1.6"];
listenPort = 51899;
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# router
publicKey = "xqifcPfCgLNQ1M3w6zfoWVMkkz2lO5GZ/LlOECnPQFc=";
allowedIPs = ["10.0.1.1/32"];
persistentKeepalive = 25;
}
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = ["10.0.1.11/32"];
persistentKeepalive = 25;
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = ["10.0.1.12/32"];
persistentKeepalive = 25;
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = ["10.0.1.13/32"];
persistentKeepalive = 25;
}
{
# norman
publicKey = "FRNg+bJWPn4vAA2Fw8PXYsTpxdEKdVE+b7eTtl8ORxM=";
allowedIPs = ["10.0.1.121/32"];
persistentKeepalive = 25;
}
{
# hsha
publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc=";
allowedIPs = ["10.0.1.254/32"];
persistentKeepalive = 25;
}
];
};
};
}

18
hosts/companion/companion.nix Normal file
View file

@ -0,0 +1,18 @@
{
config,
pkgs,
lib,
...
}:
with lib; let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in {
imports = [
./configuration.nix
];
config = {
nixpkgs.crossSystem.system = "aarch64-linux";
};
}

43
hosts/companion/configuration.nix Normal file
View file

@ -0,0 +1,43 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{
inputs,
pkgs,
builtins,
config,
lib,
...
}: {
imports = [
./hardware-configuration.nix
./home-controller.nix
./home-assistant.nix
];
boot.loader.timeout = lib.mkForce 0;
boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
boot.loader.grub = {
enable = lib.mkForce true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
extraInstallCommands = ''
cp -r ${inputs.nixpkgs-hensoko.packages.aarch64-linux.raspberrypi4_firmware_uefi}/share/raspberrypi4-firmware-uefi/* /boot/
'';
};
# Set your time zone.
time.timeZone = "Europe/Berlin";
networking.useDHCP = false;
networking.interfaces.enabcm6e4ei0.useDHCP = true;
networking.networkmanager.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = lib.mkForce false;
system.stateVersion = "22.11"; # Did you read the comment?
}

7
hosts/companion/default.nix Normal file
View file

@ -0,0 +1,7 @@
{suites, ...}: {
imports =
[
./companion.nix
]
++ suites.companion;
}

69
hosts/companion/hardware-configuration.nix Normal file
View file

@ -0,0 +1,69 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["xhci_pci" "usbhid" "usb_storage" "uas"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
#boot.kernelParams = [ "usb-storage.quirks=2109:0716:u,174c:55aa:u" ];
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.supportedFilesystems = [];
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
boot.loader.efi.canTouchEfiVariables = false;
boot.loader.systemd-boot.enable = false;
boot.loader.generic-extlinux-compatible.enable = false;
boot.loader.timeout = 0;
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/2538df0f-9d17-4651-a7ee-26d6f28e4e71";
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04017028021722045451-0:0-part1";
fallbackToPassword = true;
bypassWorkqueues = true;
};
fileSystems."/" = {
device = "/dev/disk/by-label/root";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/5552-1B21";
fsType = "vfat";
};
swapDevices = [
{device = "/dev/disk/by-label/swap";}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eth0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}

99
hosts/companion/home-assistant.nix Normal file
View file

@ -0,0 +1,99 @@
{
self,
config,
pkgs,
...
}: {
pub-solar.home-assistant = {
enable = true;
extraComponents = ["androidtv" "fritz" "fritzbox" "fritzbox_callmonitor" "met" "mqtt"];
extraPackages = python3Packages:
with python3Packages; [
# androidtv
adb-shell
aiofiles
androidtv
# deutsche bahn
schiene
# dwd
markdownify
# hacs
aiogithubapi
# totop
pyotp
];
mqtt = {
enable = true;
users = {
ha = {
acl = [
"readwrite #"
];
hashedPassword = "$7$101$jLA9PReG5btNSvw8$O0c3UzCfcBcvqVH8kMZIwEims7p1L4o/DmOTHO9w9731ggC5SyUpJGQIDiUbv+IrTl/H0+Fz9QF/jvY0QCuxuA==";
};
nono = {
acl = [
"readwrite #"
];
hashedPassword = "$7$101$votbflBI1KrRRzBy$hCC/qo7Ggaf2vaLv7lo5uPnyrTCb0i6hPQvXuL/OrrUpzP+KNl6efEU7yQ0cDH6/rJ16Fe2PWSTcW+pL8dlgmg==";
};
z2m = {
acl = [
"readwrite #"
];
hashedPassword = "$7$101$iZE7WOCQIaLtuoVN$M7AAB/mMmhkuXQVmu2RPoJzm744bmwxGTJwE0eoqlPAjyQHbjmOWfEuKoo9jnQCoQu2T96gS8znsUNizGgPWiQ==";
};
};
};
zigbee2mqtt = {
enable = true;
device = "/dev/ttyS0";
adapter = "deconz";
};
config = {
homeassistant = {
name = "Berrendorf";
time_zone = "Europe/Berlin";
temperature_unit = "C";
unit_system = "metric";
latitude = "50.9279036523298";
longitude = "6.583225751885932";
country = "DE";
external_url = "https://ha.karinsokolowski.de";
internal_url = "http://192.168.178.254:8123";
};
http = {
ip_ban_enabled = false;
use_x_forwarded_for = true;
trusted_proxies = [
"127.0.0.1"
"10.254.0.21"
"10.0.1.5"
"10.0.1.6"
];
};
energy = {};
frontend = {};
history = {};
map = {};
my = {};
mobile_app = {};
network = {};
notify = {};
person = {};
ssdp = {};
sun = {};
system_health = {};
zeroconf = {};
};
};
}

16
hosts/companion/home-controller.nix Normal file
View file

@ -0,0 +1,16 @@
{
self,
config,
pkgs,
...
}: {
config = {
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_companion_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
ownIp = "10.0.1.13";
wireguardPrivateKeyFile = "/run/agenix/home_controller_wireguard";
};
};
}

87
hosts/cox/backup.nix Normal file
View file

@ -0,0 +1,87 @@
{
self,
config,
pkgs,
...
}: {
age.secrets.backup_restic_htpasswd = {
file = "${self}/secrets/cox_backup_restic_htpasswd.age";
owner = "${toString config.ids.uids.restic}";
};
services.nginx = {
enable = true;
clientMaxBodySize = "1G";
virtualHosts."backup.local" = {
locations."/" = {
proxyPass = "http://127.0.0.1:18000";
extraConfig = ''
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
proxy_set_header Host ''$host;
proxy_set_header X-Forwarded-For ''$remote_addr;
'';
};
};
};
containers."backup" = {
autoStart = true;
ephemeral = true;
bindMounts = {
"/var/lib/restic" = {
hostPath = "/opt/backup/hdd/restic";
isReadOnly = false;
};
"/var/lib/restic/.htpasswd" = {
hostPath = "/run/agenix/backup_restic_htpasswd";
isReadOnly = false;
};
};
config = {
config,
pkgs,
...
}: {
networking.firewall.enable = false;
services.restic.server = {
enable = true;
listenAddress = "0.0.0.0:18000";
privateRepos = true;
extraFlags = [
"--append-only"
"--prometheus"
"--prometheus-no-auth"
];
};
time.timeZone = "Europe/Berlin";
system.stateVersion = "22.11";
};
};
#virtualisation.oci-containers = {
# backend = "docker";
# containers = {
# backup-ssh = {
# image = "linuxserver/openssh-server:arm64v8-latest";
# ports = [ "32222:2222" ];
#
# environment = {
# PUBLIC_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTpA7OHfZhl1wsbvydLNMtMx4q64fz+ojIAZpVUJEMI root@cube";
# USER_NAME = "backup";
# TZ = "Europe/Berlin";
# PUID = "911";
# PGID = "911";
# };
#
# volumes = [
# "/opt/backup/hdd/restic:/data/hdd/restic"
# ];
# };
# };
#};
}

30
hosts/cox/configuration.nix Normal file
View file

@ -0,0 +1,30 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{
config,
pkgs,
lib,
...
}: {
imports = [
./backup.nix
./hardware-configuration.nix
./home-controller.nix
./paperless.nix
];
time.timeZone = "Europe/Berlin";
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.wlan0.useDHCP = false;
networking.networkmanager.enable = false;
networking.firewall.allowedTCPPorts = [3689];
networking.firewall.allowedUDPPorts = [1900];
virtualisation.podman.enable = true;
system.stateVersion = "22.11";
}

16
hosts/cox/cox.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
config = {
boot.plymouth.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false;
};
}

6
hosts/cox/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./cox.nix
] ++ suites.cox;
}

57
hosts/cox/hardware-configuration.nix Normal file
View file

@ -0,0 +1,57 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["xhci_pci" "usbhid" "usb_storage" "uas"];
boot.kernelPackages = pkgs.linuxPackages_6_1;
boot.kernelParams = ["usb-storage.quirks=2109:0716:ouw,174c:55aa:u,2109:2813:ouw,2109:0813:ouw"];
boot.loader = {
timeout = 0;
efi.canTouchEfiVariables = false;
systemd-boot.enable = false;
generic-extlinux-compatible.enable = false;
grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
};
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/d86a20a6-686c-4bf8-bd3b-911901272742";
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_03024516121421043657-0:0-part1";
fallbackToPassword = true;
bypassWorkqueues = true;
};
fileSystems."/" = {
device = "/dev/disk/by-label/root";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "vfat";
};
swapDevices = [
{device = "/dev/disk/by-label/swap";}
];
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}

17
hosts/cox/home-controller.nix Normal file
View file

@ -0,0 +1,17 @@
{
self,
config,
pkgs,
...
}: {
config = {
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cox_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
ownIp = "10.0.1.12";
wireguardPrivateKeyFile = "/run/agenix/home_controller_wireguard";
};
};
}

19
hosts/cox/paperless.nix Normal file
View file

@ -0,0 +1,19 @@
{
pkgs,
config,
...
}: {
pub-solar.paperless = {
enable = true;
hostStateDir = "/opt/documents/paperless";
ftp = {
enable = true;
listenPort = 20021;
};
nextcloud = {
enable = true;
};
};
}

34
hosts/cube/configuration.nix Normal file
View file

@ -0,0 +1,34 @@
{
config,
lib,
pkgs,
...
}: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./home-controller.nix
];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/disk/by-id/usb-HP_iLO_Internal_SD-CARD_000002660A01-0:0";
boot.loader.systemd-boot.enable = lib.mkForce false;
time.timeZone = "Europe/Berlin";
networking.interfaces.eno1.useDHCP = true;
networking.nat.enable = true;
networking.nat.internalIPs = ["10.10.42.0/24"];
networking.nat.externalInterface = "eno1";
networking.firewall.allowedTCPPorts = [80 443 22];
networking.firewall.allowedUDPPorts = [51899];
networking.firewall.enable = lib.mkForce true;
system.stateVersion = "21.05"; # Did you read the comment?
}

15
hosts/cube/cube.nix Normal file
View file

@ -0,0 +1,15 @@
{ config, pkgs, lib, ... }:
with lib;
with pkgs;
let
psCfg = config.pub-solar;
in
{
imports = [
./configuration.nix
];
pub-solar.core.disk-encryption-active = false;
networking.networkmanager.enable = lib.mkForce false;
}

6
hosts/cube/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./cube.nix
] ++ suites.cube;
}

56
hosts/cube/hardware-configuration.nix Normal file
View file

@ -0,0 +1,56 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.loader.grub = {
enable = true;
device = "/dev/disk/by-id/usb-HP_iLO_Internal_SD-CARD_000002660A01-0:0";
};
boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "uhci_hcd" "xhci_pci" "megaraid_sas" "usb_storage" "usbhid" "sd_mod"];
boot.initrd.kernelModules = ["dm-snapshot"];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/24ddd650-e9fc-4407-ba4c-cc237de4c484";
keyFile = "/dev/disk/by-id/usb-Kingston_DataTraveler_3.0_E0D55E625BE3E72078790030-0:0-part1";
fallbackToPassword = true;
bypassWorkqueues = true;
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/c47cdc43-d77c-4a01-87b3-a289fa97ef14";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/3ee236cc-c4a6-423b-ba77-7a15ba642123";
fsType = "ext4";
};
swapDevices = [
{device = "/dev/disk/by-uuid/0ddcb856-f39e-45d6-bde3-4fbf9c81fe6c";}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.eno2.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

63
hosts/cube/wireguard.nix Normal file
View file

@ -0,0 +1,63 @@
{ self, config, pkgs, ... }:
{
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cube_wireguard_key.age";
systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
# Enable WireGuard
networking.wireguard.interfaces = {
wg1 = {
# Determines the IP address and subnet of the client's end of the tunnel interface.
ips = [ "10.0.1.5" ];
listenPort = 51899; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
# For a client configuration, one peer entry for the server will suffice.
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = [ "10.0.1.11/32" ];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = [ "10.0.1.12/32" ];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = [ "10.0.1.13/32" ];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
{
# hsha
publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc=";
allowedIPs = [ "10.0.1.254/32" ];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
];
};
};
}

48
hosts/falcone/configuration.nix Normal file
View file

@ -0,0 +1,48 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ inputs, pkgs, builtins, config, lib, ... }:
{
imports =
[
./hardware-configuration.nix
];
pub-solar.core.disk-encryption-active = false;
boot.loader.grub.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.generic-extlinux-compatible.enable = lib.mkForce true;
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
networking.networkmanager.enable = lib.mkForce false;
boot.initrd.network = {
enable = true;
};
# Open ports in the firewall.
#networking.firewall.allowedTCPPorts = [ ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}

6
hosts/falcone/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./falcone.nix
] ++ suites.falcone;
}

16
hosts/falcone/falcone.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
config = {
boot.plymouth.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false;
};
}

41
hosts/falcone/hardware-configuration.nix Normal file
View file

@ -0,0 +1,41 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
#boot.initrd.supportedFilesystems = [ "zfs" ];
#boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_19;
fileSystems."/" =
{
device = "/dev/disk/by-uuid/9f3208ae-ee05-44b8-a0bc-dc1e7499bdb8";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/997A-7FBA";
fsType = "vfat";
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}

24
hosts/giggles/aioairctrl.nix Normal file
View file

@ -0,0 +1,24 @@
{ pkgs, python311 }:
let
pycryptodomex = python311.pkgs.buildPythonPackage rec {
pname = "pycryptodomex";
version = "3.18.0";
src = pkgs.fetchPypi {
inherit pname version;
sha256 = "Pj7LX+l558G7ACflGDQKz37mBBXXkpXlJR0Txo3eV24=";
};
};
in
python311.pkgs.buildPythonPackage rec {
pname = "aioairctrl";
version = "0.2.4";
src = pkgs.fetchPypi {
inherit pname version;
sha256 = "BIJWwMQq3QQjhyO0TSw+C6muyr3Oyv6UHr/Y3iYqRUM=";
};
propagatedBuildInputs = with python311.pkgs; [
aiocoap
pycryptodomex
];
}

8
hosts/giggles/avahi-reflector.nix Normal file
View file

@ -0,0 +1,8 @@
{...}: {
services.avahi = {
enable = true;
allowInterfaces = ["eth0" "vlan102" "vlan104"];
reflector = true;
publish.enable = true;
};
}

35
hosts/giggles/configuration.nix Normal file
View file

@ -0,0 +1,35 @@
{
config,
pkgs,
lib,
...
}: {
imports = [
./hardware-configuration.nix
./network.nix
./network-dhcp.nix
./avahi-reflector.nix
./unifi.nix
./home-controller.nix
./home-assistant.nix
./frigate.nix
# ./tang-container.nix
];
boot.loader.timeout = 0;
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
time.timeZone = "Europe/Berlin";
system.stateVersion = "22.11"; # Did you read the comment?
}

7
hosts/giggles/default.nix Normal file
View file

@ -0,0 +1,7 @@
{suites, ...}: {
imports =
[
./giggles.nix
]
++ suites.giggles;
}

73
hosts/giggles/frigate.nix Normal file
View file

@ -0,0 +1,73 @@
{ ... }:
{
networking.firewall.allowedTCPPorts = [80 5000 8554 8555];
#services.go2rtc = {
# enable = true;
# settings = {
# streams = {
# burgi_cam = [
# "rtsp://admin:XpkFk5Df912VWSwM@10.0.42.60:554/Streaming/Channels/101/?transportmode=unicast"
# "ffmpeg:burgi_cam_sub#audio=opus"
# ];
# burgi_cam_sub = [
# "rtsp://admin:XpkFk5Df912VWSwM@10.0.42.60:554/Streaming/Channels/102/?transportmode=unicast"
# ];
# };
# webrtc = {
# candidates = [ "192.168.42.11:8555" ];
# };
# };
#};
services.frigate = {
enable = true;
hostname = "frigate";
settings = {
cameras.burgi = {
ffmpeg = {
inputs = [
{
path = "rtsp://admin:XpkFk5Df912VWSwM@10.0.42.60:554/Streaming/Channels/101/?transportmode=unicast";
#path = "rtsp://127.0.0.1:8554/burgi_cam";
#input_args = "preset-rtsp-restream";
roles = [
"record"
"rtmp"
];
}
{
path = "rtsp://admin:XpkFk5Df912VWSwM@10.0.42.60:554/Streaming/Channels/102/?transportmode=unicast";
#path = "rtsp://127.0.0.1:8554/burgi_cam_sub";
#input_args = "preset-rtsp-restream";
roles = [
"detect"
];
}
];
};
detect = {
width = 1280;
height = 720;
fps = 5;
};
};
objects.track = [ "person" "dog" ];
mqtt = {
enabled = true;
host = "127.0.0.1";
user = "frigate";
password = "rDAnboXJhW8K2OJlPI5KpZhggPJusA==";
};
rtmp.enabled = true;
#detectors.coral = {
# type = "edgetpu";
# device = "usb";
#};
};
};
}

19
hosts/giggles/giggles.nix Normal file
View file

@ -0,0 +1,19 @@
{
config,
pkgs,
lib,
...
}:
with lib; let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in {
imports = [
./configuration.nix
];
config = {
boot.plymouth.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false;
};
}

61
hosts/giggles/hardware-configuration.nix Normal file
View file

@ -0,0 +1,61 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["xhci_pci" "usbhid" "usb_storage" "uas"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.supportedFilesystems = [];
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
boot.loader.efi.canTouchEfiVariables = false;
boot.loader.systemd-boot.enable = false;
boot.loader.generic-extlinux-compatible.enable = false;
boot.loader.timeout = 0;
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/5edec8af-5f84-4d9f-9755-8abbb55e00af";
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04020116120721075123-0:0-part1";
fallbackToPassword = true;
bypassWorkqueues = true;
};
fileSystems."/" = {
device = "/dev/disk/by-label/root";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "vfat";
};
swapDevices = [
{device = "/dev/disk/by-label/swap";}
];
networking.interfaces.enabcm6e4ei0.useDHCP = true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}

249
hosts/giggles/home-assistant.nix Normal file
View file

@ -0,0 +1,249 @@
{
self,
config,
pkgs,
python3Packages,
inputs,
...
}:
{
age.secrets.home-assistant_giggles_secrets = {
file = "${self}/secrets/home-assistant_giggles_secrets.age";
path = "${config.services.home-assistant.configDir}/secrets.yaml";
owner = config.systemd.services.home-assistant.serviceConfig.User;
group = config.systemd.services.home-assistant.serviceConfig.Group;
mode = "0644";
};
users.users."hass".extraGroups = ["dialout"];
pub-solar.home-assistant = {
enable = true;
extraComponents = [
"default_config"
"homeassistant_hardware"
"homeassistant_sky_connect"
"apcupsd"
"androidtv"
"cast"
"esphome"
"homekit_controller"
"icloud"
"ipp"
"luci"
"met"
"python_script"
"rpi_power"
"shopping_list"
"spotify"
"tasmota"
"unifi"
"upnp"
"vacuum"
"xiaomi_aqara"
"xiaomi_miio"
"zeroconf"
];
extraPackages = python311Packages:
with python311Packages; [
# esphome
aiodiscover
scapy
# deutsche bahn
schiene
# dwd
dwdwfsapi
# hacs
aiogithubapi
# philips_airpurifier_coap
(callPackage ./aioairctrl.nix {})
# totop
pyotp
];
config = {
homeassistant = {
name = "Wohnung";
country = "DE";
currency = "EUR";
language = "de";
temperature_unit = "C";
time_zone = "Europe/Berlin";
unit_system = "metric";
latitude = "52.31501090166047";
longitude = "8.910633035293603";
elevation = "59";
external_url = "https://ha2.gssws.de";
internal_url = "http://192.168.42.11:8123";
};
http = {
ip_ban_enabled = false;
use_x_forwarded_for = true;
trusted_proxies = [
"127.0.0.1"
"10.254.0.21"
"10.0.1.5"
"10.0.1.6"
];
};
default_config = {};
energy = {};
"automation ui" = "!include automations.yaml";
device_tracker = [
{
platform = "luci";
host = "192.168.42.1";
username = "!secret router_admin_username";
password = "!secret router_admin_password";
}
];
python_script = {};
waste_collection_schedule = {
sources = [
{
name = "jumomind_de";
args = {
service_id = "sbm";
city = "Minden";
street = "Schwerinstr.";
house_number = "17b";
};
}
];
};
zone = [
{
name = "Home";
latitude = "52.31501090166047";
longitude = "8.910633035293603";
radius = "30";
}
{
name = "DKSB";
latitude = "52.31249954762553";
longitude = "8.910920619964601";
radius = "60";
}
{
name = "Hainweg";
latitude = "52.3176809501406";
longitude = "8.890610933303835";
radius = "60";
}
{
name = "Lande";
latitude = "52.35688908037632";
longitude = "8.898582458496096";
radius = "87";
}
{
name = "Rürups";
latitude = "52.317152702118655";
longitude = "8.89446449221293";
radius = "70";
}
{
name = "Schule";
latitude = "52.30213492276748";
longitude = "8.88126075267792";
radius = "200";
}
{
name = "Sokos";
latitude = "50.92777444599559";
longitude = "6.583169284373658";
radius = "50";
}
{
name = "Wohnung Aachen";
latitude = "50.7800954893528";
longitude = "6.154607534408569";
radius = "13";
}
];
};
mqtt = {
enable = true;
users = {
ha = {
acl = [
"readwrite #"
];
hashedPassword = "$7$101$lFt8hQl3O8aKF+bO$pcZuI18IT5t4/fpKZmLZQwQs+vcbxZdAQAYJOxRwXGYsxCRjb8jUSU+ZRlpqokOGqf/Cgvymfvml+yoGaC8eaw==";
};
z2m = {
acl = [
"readwrite #"
];
hashedPassword = "$7$101$M0Q/s9ReWPaMy+pT$Y8t9DwmW3y74lyvYrCE+sqEcz9yGG9VaHw8vt4wVZgUVVV9muY00ymjkwsTNtaTIlnQyB7z7POPLT3PURtQfeg==";
};
frigate = {
acl = [
"readwrite #"
];
hashedPassword = "$7$101$BZvoqhiaWo8TbFEv$KlE8XiE9dhfNV50SoUiBjTgnvSRaCwWdouuVcN4ZeHkR7/4JufQ7adW0VhVmtpv+6V9KOPDlN3wRaV+5eVlF3Q==";
};
nuki_wohnung = {
acl = [
"readwrite #"
];
hashedPassword = "$7$101$21wWveYvOyQKNuhd$rXD8d4F+Wf4k6LDkM09bsfkQfc+iXakRaH2sygYgOQqfrJ5Egt8D+9LVKa9ZQ12HLPSHDo0bP8ygVmY6iVJCjQ==";
};
poffertjes = {
acl = [
"readwrite #"
];
hashedPassword = "$7$101$n5J9RKGzFF7bOsOH$YNPQawxsfuDZk/N6NrNzkE5rEfTRlCW5Fjpk6kgwyTg4C6Peyz4I79ii4UMSANJ8DFNsPRL1KohCcXK07SMW2w==";
};
shelly1_flur_deckenlicht = {
acl = [
"readwrite #"
];
hashedPassword = "$7$101$n0PyELB9214BiluQ$P24lJlXDpKLaGSerrp51z5UUl3wYSek9SbJN+buqoS9acrCn7s3mtSLZfeMP0JT8zXx83GJrNwlDaA0BOu00xg==";
};
shelly25_abstellraum = {
acl = [
"readwrite #"
];
hashedPassword = "$7$101$n9IcybeGEAhnoWv5$RSnkEJFgDsrKUzEaLfNIa/5v4gkTMZSAq2bb7KzWSG6zaufHdnvtDZT+q7dZ3pkBFXndKtoelmuvm7XJLJC1mg==";
};
shelly25_badezimmer = {
acl = [
"readwrite #"
];
hashedPassword = "$7$101$PNWBSZUE4Ar5dOhx$2u6dneedx7OLOjH1auoax2AC1GP4oVcXe4OAmO3riNpzXZF9V1cJ7k/GREx9/vO/ONt5PuUygilk3X4SIYnf9A==";
};
tasmota_wohnzimmer_tv_steckdosenleiste = {
acl = [
"readwrite #"
];
hashedPassword = "$7$101$cywQWWzxPUUpUqdC$Q9tjqE4bW0VaNMVKIuts/wuyFetC//PyLVcRtpaK02HxwlTPY7jWivXUBA/t8l0wGZsS8lsiOIAu8e6bHb+7Xw==";
};
};
};
zigbee2mqtt = {
enable = true;
device = "/dev/serial/by-id/usb-Nabu_Casa_SkyConnect_v1.0_aaf7050fdb42ed11bb2843ab2a61ed69-if00-port0";
};
};
}

17
hosts/giggles/home-controller.nix Normal file
View file

@ -0,0 +1,17 @@
{
self,
config,
pkgs,
...
}: {
config = {
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_giggles_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
ownIp = "10.0.1.11";
wireguardPrivateKeyFile = "/run/agenix/home_controller_wireguard";
};
};
}

51
hosts/giggles/lrad.nix Normal file
View file

@ -0,0 +1,51 @@
{
pkgs,
config,
...
}: let
serviceAddress = "10.10.41.11";
containerStateDir = "/data";
hostStateDir = "/srv/container/lrad";
in {
containers."lrad" = {
privateNetwork = true;
hostAddress = "10.10.41.1";
localAddress = serviceAddress;
bindMounts."${containerStateDir}" = {
hostPath = hostStateDir;
isReadOnly = false;
};
config = {
config,
pkgs,
...
}: {
networking.firewall.allowedTCPPorts = [63080];
#users.users."tang".isSystemUser = true;
systemd.services."tangd" = {
enable = true;
# TODO: require data/tangd to exist
serviceConfig = {
ExecStart = "${pkgs.tang}/bin/tangd ${containerStateDir}/data/tangd";
StandardInput = "socket";
StandardOutput = "socket";
StandardError = "journal";
User = "tang";
};
};
systemd.sockets."tangd" = {
enable = true;
listenStreams = ["63080"];
wantedBy = ["sockets.target"];
socketConfig = {
Accept = true;
};
};
};
};
}

81
hosts/giggles/network-dhcp.nix Normal file
View file

@ -0,0 +1,81 @@
{...}: {
networking.firewall.checkReversePath = false;
networking.firewall.allowedUDPPorts = [67]; # allow dhcp request
services.dnsmasq = {
enable = true;
settings = {
interface = [
"vlan101" # network
"vlan102" # iot
"vlan104" # media
];
no-resolv = true;
no-poll = true;
server = [
"1.1.1.1"
"9.9.9.9"
];
dhcp-authoritative = true;
dhcp-host = [
# vlan101
"18:e8:29:c6:29:84,ap-caro,10.0.42.21" # ap-caro
"e4:38:83:e7:00:10,ap-hendrik,10.0.42.22" # ap-hendrik
"e4:38:83:e7:0a:c4,ap-wohnzimmer,10.0.42.23" # ap-wohnzimmer
# vlan102
"38:1a:52:04:37:d8,printer,172.16.0.15" # printer
"3c:e9:0e:87:d2:1c,nspanel-hendrik,172.16.0.21" # nspanel_hendrik
"3c:e9:0e:87:ef:d0,nspanel-schlafzimmer,172.16.0.22" # nspanel_schlafzimmer
"98:0c:33:fe:3d:a8,nuki-wohnung,172.16.0.23" # nuki_wohnung
"c8:5c:cc:5c:54:06,presence-wohnzimmer,172.16.0.24" # presence_wohnzimmer
"c8:5c:cc:5c:28:7b,presence-hendrik,172.16.0.25" # presence_hendrik
"04:78:63:7f:0e:bb,airpurifier-wohnzimmer,172.16.0.26" # airpurifier_wohnzimmer
"48:e7:29:c1:a3:f0,nspanel-caro,172.16.0.27" # nspanel_caro
"5c:c5:63:eb:e8:b8,poffertjes,172.16.0.28" # poffertjes
"d0:ba:e4:e7:7d:d5,airpurifier-hendrik,172.16.0.29" # airpurifier_hendrik
"98:f4:ab:f2:43:98,shelly1-flur-deckenlicht,172.16.0.30" # shelly1 flur deckenlicht
"a4:cf:12:ba:72:c1,shelly25-abstellraum,172.16.0.31" # shelly25 abstellraum
"c8:2b:96:11:10:46,shelly25-badezimmer,172.16.0.32" # shelly25 badezimmer
"24:62:ab:41:06:f2,tasmota-tv-steckdosenleiste,172.16.0.33" # tasmota-tv-steckdosenleiste
# vlan104
"30:58:90:1a:3b:ef,box-hendrik,10.42.0.21" # box_hendrik
"30:58:90:19:b5:03,box-schlafzimmer,10.42.0.22" # box_schlafzimmer
"30:58:90:28:7e:30,box-esstisch,10.42.0.23" # box_esstisch
"1c:53:f9:23:d7:c4,nh-hendrik,10.42.0.31" # nh_hendrik
"1c:53:f9:14:7b:65,nh-kueche,10.42.0.32" # nh_kueche
"1c:53:f9:1c:9e:22,nh-wohnzimmer,10.42.0.33" # nh_wohnzimmer
"20:1f:3b:96:9f:29,nm-schlafzimmer,10.42.0.34" # nm_schlafzimmer
"6c:ad:f8:73:a0:94,cc-wohnzimmer,10.42.0.41" # cc_wohnzimmer
];
dhcp-range = [
"vlan101,10.0.42.51,10.0.42.100"
"vlan102,172.16.0.101,172.16.0.150"
"vlan104,10.42.0.51,10.42.0.100"
];
dhcp-option = [
"option:dns-server,1.1.1.1"
"option:mtu,1460"
# vlan101
"vlan101,option:router,10.0.42.1"
# vlan102
"vlan102,option:router,172.16.0.1"
# vlan104
"vlan104,option:router,10.42.0.1"
];
};
};
}

55
hosts/giggles/network.nix Normal file
View file

@ -0,0 +1,55 @@
{lib, ...}: {
networking = {
enableIPv6 = false;
useDHCP = false;
vlans = {
vlan101 = {
id = 101;
interface = "eth0";
}; # network vlan
vlan102 = {
id = 102;
interface = "eth0";
}; # iot vlan
vlan104 = {
id = 104;
interface = "eth0";
}; # media vlan
};
interfaces = {
eth0 = {
useDHCP = true;
mtu = 1460;
};
vlan101 = {
mtu = 1460;
ipv4.addresses = [
{
address = "10.0.42.11";
prefixLength = 24;
}
];
};
vlan102 = {
mtu = 1460;
ipv4.addresses = [
{
address = "172.16.0.11";
prefixLength = 24;
}
];
};
vlan104 = {
mtu = 1460;
ipv4.addresses = [
{
address = "10.42.0.11";
prefixLength = 24;
}
];
};
};
networkmanager.enable = lib.mkForce false;
};
}

58
hosts/giggles/tang-container.nix Normal file
View file

@ -0,0 +1,58 @@
{
pkgs,
config,
...
}: let
containerStateDir = "/data";
hostStateDir = "/opt/tangd";
servicePort = 8081;
in {
networking.firewall.allowedTCPPorts = [servicePort];
containers."tang" = {
autoStart = true;
ephemeral = true;
bindMounts."${containerStateDir}" = {
hostPath = hostStateDir;
isReadOnly = false;
};
config = {
config,
pkgs,
...
}: {
networking.firewall.enable = false;
users.groups."_tang" = {};
users.users."_tang" = {
group = "_tang";
isSystemUser = true;
};
environment.systemPackages = with pkgs; [jose tang];
systemd.services."tangd@" = {
enable = true;
serviceConfig = {
ExecStartPre = "${pkgs.bash}/bin/bash -c \"mkdir -p ${containerStateDir}/tang-db\"";
ExecStart = "${pkgs.tang}/libexec/tangd ${containerStateDir}/tang-db";
User = "_tang";
Group = "_tang";
};
};
systemd.sockets."tangd" = {
enable = true;
listenStreams = ["${toString servicePort}"];
wantedBy = ["sockets.target"];
socketConfig = {
Accept = true;
};
};
system.stateVersion = "22.11";
};
};
}

11
hosts/giggles/unifi.nix Normal file
View file

@ -0,0 +1,11 @@
{pkgs, ...}:
{
networking.firewall.allowedTCPPorts = [8443]; # open unifi web interface port
services.unifi = {
enable = true;
unifiPackage = pkgs.unifi7;
openFirewall = true;
};
}

19
hosts/harrison/.config/sway/config.d/screens.conf Normal file
View file

@ -0,0 +1,19 @@
set $left 'Dell Inc. DELL S2721DS D0SVQ43'
set $middle 'Samsung Electric Company SMBX2450L 0x00003231'
set $right 'Eizo Nanao Corporation EV2316W 39117013'
output $left {
scale 1
pos 0 0
transform 270
}
output $middle {
scale 1
pos 1440 1150
}
output $right {
scale 1
pos 3360 1150
}

49
hosts/harrison/configuration.nix Normal file
View file

@ -0,0 +1,49 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
];
# Set your time zone.
time.timeZone = "Europe/Berlin";
time.hardwareClockInLocalTime = true; # easiest quirk for windows time offset feature
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.dhcpcd.wait = "background";
networking.useDHCP = false;
networking.interfaces.eno1 = {
useDHCP = true;
wakeOnLan = {
enable = true;
};
};
networking.networkmanager.enable = lib.mkForce false;
nixpkgs.config.allowUnsupportedSystem = true;
# List services that you want to enable:
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 22 ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
}

6
hosts/harrison/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./harrison.nix
] ++ suites.harrison;
}

70
hosts/harrison/hardware-configuration.nix Normal file
View file

@ -0,0 +1,70 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "usb_storage" "usbhid" "sd_mod" "raid1" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/e3a0394d-8bb5-4049-bf65-90d7202163cd";
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04011806021722115743-0:0-part1";
fallbackToPassword = true;
bypassWorkqueues = true;
};
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot";
};
boot.loader.grub = {
efiSupport = true;
enable = lib.mkForce true;
extraEntries = ''
menuentry "Windows" {
insmod part_gpt
insmod fat
insmod search_fs_uuid
insmod chain
search --fs-uuid --set=root 02DB-F12C
chainloader /efi/Microsoft/Boot/bootmgfw.efi
}
'';
devices = [ "nodev" ];
};
fileSystems = {
"/" =
{
device = "/dev/disk/by-uuid/4ad4db6d-543e-4cc5-a781-396e3b527a05";
fsType = "ext4";
};
"/boot" =
{
device = "/dev/disk/by-uuid/4B4A-B1B4";
fsType = "vfat";
};
"/boot2" =
{
device = "/dev/disk/by-uuid/4B2C-385A";
fsType = "vfat";
};
};
swapDevices =
[{ device = "/dev/mapper/vg0-swap"; }];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

28
hosts/harrison/harrison.nix Normal file
View file

@ -0,0 +1,28 @@
{ config, pkgs, lib, ... }:
with lib;
with pkgs;
let
psCfg = config.pub-solar;
in
{
imports = [
./configuration.nix
];
config = {
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
"sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
};
pub-solar.paranoia.enable = true;
pub-solar.nextcloud.enable = true;
programs.ausweisapp.enable = true;
services.pcscd = {
enable = true;
plugins = [ pkgs.pcsc-cyberjack ];
};
};
}

16
hosts/norman/.config/sway/config.d/custom-keybindings.conf Normal file
View file

@ -0,0 +1,16 @@
# Screen brightness controls
bindsym XF86MonBrightnessUp exec "brightnessctl -d intel_backlight set +10%; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ {print $4}')"
bindsym XF86MonBrightnessDown exec "brightnessctl -d intel_backlight set 10%-; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ { print $4}')"
# Keyboard backlight brightness controls
bindsym XF86KbdBrightnessDown exec "brightnessctl -d smc::kbd_backlight set 10%-; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ { print $4}')"
bindsym XF86KbdBrightnessUp exec "brightnessctl -d smc::kbd_backlight set +10%; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ { print $4}')"
# Pulse Audio controls
bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. up' #increase sound volume
bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. down' #decrease sound volume
bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle && notify-send 'Mute sound' # mute sound
# Media player controls
bindsym XF86AudioPlay exec "playerctl play-pause; notify-send 'Play/Pause'"
bindsym XF86AudioNext exec "playerctl next; notify-send 'Next'"
bindsym XF86AudioPrev exec "playerctl previous; notify-send 'Prev.'"

1
hosts/norman/.config/sway/config.d/inputs.conf Normal file
View file

@ -0,0 +1 @@
input 2:7:SynPS/2_Synaptics_TouchPad events disabled

19
hosts/norman/.config/sway/config.d/screens.conf Normal file
View file

@ -0,0 +1,19 @@
set $left 'Dell Inc. DELL S3222DGM G1FFT63'
set $right 'Dell Inc. DELL S2721DS D0SVQ43'
set $bottom 'Chimei Innolux Corporation 0x14D4'
output $left {
scale 1
pos 0 690
}
output $right {
scale 1
pos 2560 0
transform 90
}
output $bottom {
scale 1
pos 0 2130
}

27
hosts/norman/builder.nix Normal file
View file

@ -0,0 +1,27 @@
{self, ...}: {
programs.ssh.extraConfig = ''
Host builder
Hostname data.gssws.de
Port 2222
User builder
IdentitiesOnly yes
IdentityFile /root/.ssh/id_ed25519-builder
'';
nix.buildMachines = [
{
hostName = "builder";
systems = ["x86_64-linux" "aarch64-linux" "i686-linux"];
maxJobs = 40;
speedFactor = 20;
supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"];
mandatoryFeatures = [];
}
];
nix.distributedBuilds = true;
nix.settings = {
trusted-public-keys = ["chonk:1b/yLBRW2ZeL9jErW1ogMRUTq/hidJnZOxopx363JSo="];
builders-use-substitutes = true;
};
}

56
hosts/norman/configuration.nix Normal file
View file

@ -0,0 +1,56 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{
config,
pkgs,
...
}: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./wireguard.nix
./builder.nix
];
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.firewall = {
allowedUDPPorts = [
51820
51821
]; # Clients and peers can use the same port, see listenport
};
services.tlp = {
enable = true;
settings = {
CPU_SCALING_GOVERNOR_ON_AC = "performance";
CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
# The following prevents the battery from charging fully to
# preserve lifetime. Run `tlp fullcharge` to temporarily force
# full charge.
# https://linrunner.de/tlp/faq/battery.html#how-to-choose-good-battery-charge-thresholds
START_CHARGE_THRESH_BAT0 = 40;
STOP_CHARGE_THRESH_BAT0 = 80;
# 100 being the maximum, limit the speed of my CPU to reduce
# heat and increase battery usage:
CPU_MAX_PERF_ON_AC = 100;
CPU_MAX_PERF_ON_BAT = 50;
};
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
}

6
hosts/norman/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./norman.nix
] ++ suites.norman;
}

48
hosts/norman/hardware-configuration.nix Normal file
View file

@ -0,0 +1,48 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [];
boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "usbhid" "uas" "sdhci_pci"];
boot.initrd.kernelModules = ["dm-snapshot"];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/cdc29f0f-5b18-4ee7-8d38-1f4bac80b1e6";
allowDiscards = true;
bypassWorkqueues = true;
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/5b441f8f-d7eb-44f8-8df2-7354b3314a61";
fsType = "ext4";
options = [ "discard" ];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/84CD-91B6";
fsType = "vfat";
};
swapDevices = [{device = "/dev/disk/by-uuid/54162798-9017-4b59-afd7-ab9578da4bb9";}];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
hardware.trackpoint = {
enable = true;
device = "TPPS/2 ALPS TrackPoint";
emulateWheel = true;
sensitivity = 100; # default 128
speed = 64; # default 97
};
}

28
hosts/norman/norman.nix Normal file
View file

@ -0,0 +1,28 @@
{
config,
pkgs,
lib,
...
}:
with lib; let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in {
imports = [
./configuration.nix
];
config = {
boot.binfmt.emulatedSystems = ["aarch64-linux"];
environment.systemPackages = [pkgs.factorio-experimental];
pub-solar.audio.bluetooth.enable = false;
home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
"sway/config.d/10-inputs.conf".source = ./.config/sway/config.d/inputs.conf;
"sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
"sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf;
};
};
}

95
hosts/norman/wireguard.nix Normal file
View file

@ -0,0 +1,95 @@
{
config,
pkgs,
...
}: {
systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
systemd.services.wireguard-wg1.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wg1.serviceConfig.RestartSec = "5s";
# Enable WireGuard
networking.wireguard.interfaces = {
# "wg0" is the network interface name. You can name the interface arbitrarily.
wg0 = {
# Determines the IP address and subnet of the client's end of the tunnel interface.
ips = [
"10.0.0.13/32"
"fc00:200::13/128"
];
mtu = 1400;
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = "/home/hensoko/.config/wireguard/hosting-de.private";
peers = [
# For a client configuration, one peer entry for the server will suffice.
{
# Public key of the server (not a file path).
publicKey = "02/MRPduMGx1as7yS4G7GpL4+pQjsjpyS/tD9iPu8X0=";
# Forward all the traffic via VPN.
allowedIPs = [
"10.0.0.0/24"
"192.168.50.0/24"
"192.168.200.0/24"
"10.20.30.0/24"
"10.20.50.0/24"
"fc00:200::/120"
"95.129.51.5"
"95.129.54.43"
"134.0.28.89"
"134.0.27.108"
"134.0.25.181"
];
# Set this to the server IP and port.
endpoint = "134.0.30.154:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
];
};
wg1 = {
# Determines the IP address and subnet of the client's end of the tunnel interface.
ips = [
"10.0.1.121"
];
mtu = 1400;
listenPort = 51821; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = "/home/hensoko/.config/wireguard/data-gssws-de.private";
peers = [
# For a client configuration, one peer entry for the server will suffice.
{
# Public key of the server (not a file path).
publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8=";
allowedIPs = [
"10.0.1.0/24"
];
# Set this to the server IP and port.
endpoint = "80.244.242.2:51899";
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
];
};
};
}

110
hosts/redpanda/configuration.nix Normal file
View file

@ -0,0 +1,110 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
];
boot.loader.systemd-boot.enable = lib.mkForce false;
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
# boot.loader.grub.efiSupport = true;
# boot.loader.grub.efiInstallAsRemovable = true;
# boot.loader.efi.efiSysMountPoint = "/boot/efi";
# Define on which hard drive you want to install Grub.
boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
# networking.hostName = "nixos"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# Set your time zone.
# time.timeZone = "Europe/Amsterdam";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.enp0s3.useDHCP = true;
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
nix = {
#package = pkgs.nixFlakes;
extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
};
# Select internationalisation properties.
# i18n.defaultLocale = "en_US.UTF-8";
# console = {
# font = "Lat2-Terminus16";
# keyMap = "us";
# };
# Enable the X11 windowing system.
# services.xserver.enable = true;
# Configure keymap in X11
# services.xserver.layout = "us";
# services.xserver.xkbOptions = "eurosign:e";
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
# sound.enable = true;
# hardware.pulseaudio.enable = true;
# Enable touchpad support (enabled default in most desktopManager).
# services.xserver.libinput.enable = true;
# Define a user account. Don't forget to set a password with passwd.
# users.users.jane = {
# isNormalUser = true;
# extraGroups = [ "wheel" ]; # Enable sudo for the user.
# };
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
wget
firefox
];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 22 ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
}

6
hosts/redpanda/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./redpanda.nix
] ++ suites.redpanda;
}

21
hosts/redpanda/hardware-configuration.nix Normal file
View file

@ -0,0 +1,21 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "ohci_pci" "virtio_pci" "sd_mod" "sr_mod" "virtio_scsi" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "/dev/disk/by-label/nixos";
fsType = "ext4";
};
#virtualisation.virtualbox.guest.enable = true;
}

17
hosts/redpanda/redpanda.nix Normal file
View file

@ -0,0 +1,17 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
#pub-solar.nextcloud.enable = lib.mkForce false;
config = {
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
};
}

35
hosts/ringo/configuration.nix Normal file
View file

@ -0,0 +1,35 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[
./hardware-configuration.nix
./home-controller.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.enp0s25.useDHCP = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
}

6
hosts/ringo/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./ringo.nix
] ++ suites.ringo;
}

43
hosts/ringo/hardware-configuration.nix Normal file
View file

@ -0,0 +1,43 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/bd1ebf98-adc1-4868-842f-3d2c6ee04e13";
keyFile = "/dev/disk/by-partuuid/9ff6ebf7-01";
fallbackToPassword = true;
bypassWorkqueues = true;
};
fileSystems."/" =
{
device = "/dev/disk/by-uuid/1999ec2e-4564-4f5a-8333-6eb23ae03c8b";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/47ED-2F0B";
fsType = "vfat";
};
fileSystems."/home" =
{
device = "/dev/disk/by-uuid/69c89392-be11-4bd4-8f3b-6b7db20c716e";
fsType = "ext4";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/4ef0cdbc-38f4-4dcb-8fe8-553bbdb06192"; }];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

17
hosts/ringo/home-controller.nix Normal file
View file

@ -0,0 +1,17 @@
{
self,
config,
pkgs,
...
}: {
config = {
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_ringo_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
ownIp = "10.0.1.21";
wireguardPrivateKeyFile = "/run/agenix/home_controller_wireguard";
};
};
}

13
hosts/ringo/ringo.nix Normal file
View file

@ -0,0 +1,13 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
config.pub-solar.core.lite = true;
}

32
hosts/surfplace/configuration.nix Normal file
View file

@ -0,0 +1,32 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ inputs, pkgs, builtins, config, lib, ... }:
{
imports =
[
./hardware-configuration.nix
];
time.timeZone = "Europe/Berlin";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.networkmanager.enable = true;
#boot.loader.systemd-boot.enable = lib.mkForce false;
# Enable the OpenSSH daemon.
services.openssh.enable = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}

6
hosts/surfplace/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./surfplace.nix
] ++ suites.surfplace;
}

48
hosts/surfplace/hardware-configuration.nix Normal file
View file

@ -0,0 +1,48 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "usb_storage" "sd_mod"];
boot.extraModulePackages = [config.boot.kernelPackages.rtl88x2bu];
microsoft-surface.kernelVersion = "6.1.18";
fileSystems."/" = {
device = "/dev/disk/by-label/root";
fsType = "ext4";
encrypted = {
enable = true;
label = "cryptroot";
blkDev = "/dev/disk/by-uuid/77829967-0c52-4a52-a65c-cfc093d18776";
};
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/2697-F70A";
fsType = "vfat";
};
swapDevices = [
{device = "/dev/disk/by-label/swap";}
];
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
systemd.services."iptsd" = {
serviceConfig = {
RestartAfter = "5s";
};
};
}

11
hosts/surfplace/surfplace.nix Normal file
View file

@ -0,0 +1,11 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
}

5
modules/arduino/default.nix
View file

@ -9,7 +9,10 @@ with lib; let
cfg = config.pub-solar.devops; cfg = config.pub-solar.devops;
in { in {
options.pub-solar.arduino = { options.pub-solar.arduino = {
enable = mkEnableOption "Life with home automation"; enable = mkOption {
description = "Life with home automation";
default = false;
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
users.users = pkgs.lib.setAttrByPath [psCfg.user.name] { users.users = pkgs.lib.setAttrByPath [psCfg.user.name] {

0
modules/core/bluetooth.nix Normal file
View file

10
modules/crypto/default.nix
View file

@ -19,12 +19,17 @@ in {
services.gnome.gnome-keyring.enable = true; services.gnome.gnome-keyring.enable = true;
environment.shellInit = ''
gpg-connect-agent /bye
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
'';
home-manager = with pkgs; home-manager = with pkgs;
pkgs.lib.setAttrByPath ["users" psCfg.user.name] { pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
systemd.user.services.polkit-gnome-authentication-agent = import ./polkit-gnome-authentication-agent.service.nix pkgs; systemd.user.services.polkit-gnome-authentication-agent = import ./polkit-gnome-authentication-agent.service.nix pkgs;
services.gpg-agent = { services.gpg-agent = {
enable = true; enable = true;
enableSshSupport = true;
pinentryFlavor = "gnome3"; pinentryFlavor = "gnome3";
verbose = true; verbose = true;
}; };
@ -36,10 +41,7 @@ in {
home.packages = [ home.packages = [
gnome.seahorse gnome.seahorse
keepassxc keepassxc
libsecret
qMasterPassword
restic
]; ];
}; };
}; };
} }

9
modules/graphical/default.nix
View file

@ -110,16 +110,7 @@ in {
gnome.nautilus gnome.nautilus
gnome.yelp gnome.yelp
hicolor-icon-theme hicolor-icon-theme
wine
toggle-kbd-layout toggle-kbd-layout
wcwd
vlc
gimp
]; ];
xdg.configFile."alacritty/alacritty.yml" = { xdg.configFile."alacritty/alacritty.yml" = {

69
modules/home-assistant/default.nix Normal file
View file

@ -0,0 +1,69 @@
{
lib,
config,
options,
pkgs,
inputs,
...
}:
with lib; let
cfg = config.pub-solar.home-assistant;
unstable = import <nixos-unstable> {};
in {
imports = [
./home-assistant.nix
./mqtt.nix
./zigbee.nix
(inputs.latest + "/nixos/modules/services/home-automation/home-assistant.nix")
];
disabledModules = [
"services/home-automation/home-assistant.nix"
];
options.pub-solar.home-assistant = {
enable = mkOption {
description = "Control your home";
type = types.bool;
default = false;
};
config = options.services.home-assistant.config;
extraComponents = options.services.home-assistant.extraComponents;
extraPackages = options.services.home-assistant.extraPackages;
mqtt = {
enable = mkOption {
description = "use mqtt";
type = types.bool;
default = true;
};
users = mkOption {
description = "mqtt users";
# type = types.AttrSet;
default = null;
};
};
zigbee2mqtt = {
enable = mkOption {
description = "Enable zigbee2mqtt";
type = types.bool;
default = false;
};
device = mkOption {
description = "Device to connect to zigbee network";
type = types.nullOr types.str;
default = null;
};
adapter = mkOption {
description = "Specify zigbee adapter type";
type = types.nullOr types.str;
default = null;
};
};
};
}

23
modules/home-assistant/home-assistant.nix Normal file
View file

@ -0,0 +1,23 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
cfg = config.pub-solar.home-assistant;
in {
config = mkIf cfg.enable {
networking.firewall.allowedUDPPorts = [1900];
services.home-assistant = {
enable = true;
openFirewall = true;
extraComponents =
cfg.extraComponents
++ lib.optionals cfg.mqtt.enable ["mqtt"];
extraPackages = cfg.extraPackages;
config = cfg.config;
};
};
}

21
modules/home-assistant/mqtt.nix Normal file
View file

@ -0,0 +1,21 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
haCfg = config.pub-solar.home-assistant;
cfg = config.pub-solar.home-assistant.mqtt;
in {
config = mkIf (haCfg.enable && cfg.enable) {
networking.firewall.allowedTCPPorts = [
1883 # mosquitto
];
services.mosquitto = {
enable = true;
listeners = [{users = cfg.users;}];
};
};
}

40
modules/home-assistant/zigbee.nix Normal file
View file

@ -0,0 +1,40 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
haCfg = config.pub-solar.home-assistant;
cfg = config.pub-solar.home-assistant.zigbee2mqtt;
in {
config = mkIf (haCfg.enable && cfg.enable) {
networking.firewall.allowedTCPPorts = [
8081 # zigbee2mqtt
];
services.zigbee2mqtt = {
enable = true;
settings = {
frontend = {
port = 8081;
};
permit_join = false;
homeassistant = true;
availability = true;
advanced = {
legacy_availability_payload = false;
};
mqtt = {
user = "z2m";
password = "!secrets.yaml mqtt_password";
};
serial = {
port = cfg.device;
adapter = mkIf (cfg.adapter != null) cfg.adapter;
};
groups = "groups.yaml";
};
};
};
}

33
modules/home-controller/default.nix Normal file
View file

@ -0,0 +1,33 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.home-controller;
in {
imports = [
./wireguard.nix
./monitoring-client.nix
];
options.pub-solar.home-controller = {
enable = mkEnableOption "Control your home";
ownIp = mkOption {
description = ''
Internal ip in wireguard used for cluster control-plane communication.
'';
type = types.str;
};
wireguardPrivateKeyFile = mkOption {
description = ''
Location of private key file
'';
type = types.path;
};
};
}

13
modules/home-controller/monitoring-client.nix Normal file
View file

@ -0,0 +1,13 @@
{
config,
pkgs,
lib,
...
}: let
cfg = config.pub-solar.home-controller;
in {
pub-solar.monitoring-client = lib.mkIf cfg.enable {
enable = true;
listenAddress = cfg.ownIp;
};
}

34
modules/home-controller/wireguard.nix Normal file
View file

@ -0,0 +1,34 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.home-controller;
in {
config = mkIf cfg.enable {
systemd.services.wireguard-wghome.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wghome.serviceConfig.RestartSec = "5s";
networking.firewall.allowedUDPPorts = [51899];
networking.wireguard.interfaces = {
wghome = {
ips = [cfg.ownIp];
listenPort = 51899;
privateKeyFile = cfg.wireguardPrivateKeyFile;
peers = [
{
# chonk
publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8=";
allowedIPs = ["10.0.1.0/24"];
endpoint = "vpn.gssws.de:51899";
persistentKeepalive = 25;
}
];
};
};
};
}

29
modules/monitoring-client/default.nix Normal file
View file

@ -0,0 +1,29 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.monitoring-client;
in {
options.pub-solar.monitoring-client = {
enable = mkEnableOption "Install a monitoring client node";
listenAddress = mkOption {
type = types.str;
};
};
config = mkIf cfg.enable {
services.prometheus.exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
port = 9002;
openFirewall = true;
listenAddress = cfg.listenAddress;
};
};
};
}

129
modules/monitoring-server/default.nix Normal file
View file

@ -0,0 +1,129 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.monitoring-server;
in {
options.pub-solar.monitoring-server = {
enable = mkEnableOption "Install a monitoring server node";
listenAddress = mkOption {
type = types.str;
default = "127.0.0.1";
};
grafana = {
enable = mkEnableOption "Run grafana";
port = mkOption {
type = types.int;
default = 2342;
};
};
node_exporter = {
enable = mkEnableOption "prometheus node-exporter support";
hosts = mkOption {
type = types.listOf types.str;
};
};
snmp = {
enable = mkEnableOption "prometheus snmp export support";
hosts = mkOption {
#type = types.Or (types.AttrSet types.listOf types.str);
};
settings = mkOption {
type = types.NullOr types.AttrSet;
default = null;
};
};
smokeping = {
enable = mkEnableOption "prometheus smokeping support";
hosts = mkOption {
type = types.listOf types.str;
};
};
};
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [cfg.grafana.port 9001 9374];
pub-solar.monitoring-client = {
enable = true;
listenAddress = cfg.listenAddress;
};
services.grafana = mkIf cfg.grafana.enable {
enable = true;
settings = {
server = {
http_addr = cfg.listenAddress;
http_port = cfg.grafana.port;
};
};
};
services.prometheus = {
enable = true;
listenAddress = cfg.listenAddress;
port = 9001;
scrapeConfigs = [
{
job_name = "node_exporters";
static_configs = [
{
targets =
["${cfg.listenAddress}:9002"]
++ cfg.node_exporter.hosts;
}
];
}
{
job_name = "snmp_wohnung_aachen_mikrotik";
scrape_interval = "15s";
static_configs = [
{
targets = cfg.snmp.hosts;
}
];
metrics_path = "/snmp";
params = {
auth = ["public_v2"];
module = ["if_mib"];
};
relabel_configs = [
{
source_labels = ["__address__"];
target_label = "__param_target";
}
{
source_labels = ["__param_target"];
target_label = "instance";
}
{
target_label = "__address__";
replacement = "10.0.1.254:9116";
}
];
}
{
job_name = "smokeping";
scrape_interval = "15s";
static_configs = [
{
targets = [
"${cfg.listenAddress}:9374"
];
}
];
}
];
exporters.smokeping = mkIf cfg.smokeping.enable {
enable = true;
listenAddress = cfg.listenAddress;
hosts = cfg.smokeping.hosts;
};
};
};
}

96
modules/paperless/container.nix Normal file
View file

@ -0,0 +1,96 @@
{
config,
lib,
...
}:
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.paperless;
in {
config.containers."paperless" = mkIf cfg.enable {
autoStart = true;
ephemeral = true;
tmpfs = ["/tmp:size=2G"];
timeoutStartSec = "5min";
bindMounts."/data" = {
hostPath = cfg.hostStateDir;
isReadOnly = false;
};
config = {
config,
pkgs,
...
}: {
networking.firewall.enable = false;
# paperless
services.paperless = {
enable = true;
dataDir = "/data";
consumptionDir = "/data/ftp/consume";
consumptionDirIsPublic = true;
port = 8899;
extraConfig = {
PAPERLESS_OCR_LANGUAGE = "deu+eng";
PAPERLESS_ALLOWED_HOSTS = "${cfg.domain}";
PAPERLESS_CSRF_TRUSTED_ORIGINS = "http://${cfg.domain}";
PAPERLESS_CORS_ALLOWED_HOSTS = "http://${cfg.domain}";
PAPERLESS_FILENAME_FORMAT = "{correspondent}/{created_year}/{asn}_{title}";
};
};
# increase timeout for systemd service
systemd.services."paperless-scheduler".serviceConfig."TimeoutStartSec" = "300";
# ftp
users.users."paperless".extraGroups = mkIf cfg.ftp.enable ["ftp"];
services.vsftpd = mkIf cfg.ftp.enable {
enable = true;
anonymousUser = true;
anonymousUserNoPassword = true;
anonymousUserHome = "/data/ftp";
anonymousUploadEnable = true;
anonymousUmask = "007";
writeEnable = true;
extraConfig = ''
listen=YES
listen_ipv6=NO
listen_port=${toString cfg.ftp.listenPort}
chown_uploads=YES
chown_username=paperless
download_enable=NO
pasv_min_port=${toString cfg.ftp.pasvMinPort}
pasv_max_port=${toString cfg.ftp.pasvMaxPort}
'';
};
# nextcloud
systemd.services.nextcloud-autosync = mkIf cfg.nextcloud.enable {
unitConfig = {
Description = "Auto sync Nextcloud";
After = "network-online.target";
};
serviceConfig = {
User = "paperless";
Type = "simple";
ExecStart = "${pkgs.nextcloud-client}/bin/nextcloudcmd -h -n --path Documents/_paperless /data/media/documents https://data.gssws.de";
TimeoutStopSec = "180";
KillMode = "process";
KillSignal = "SIGINT";
};
wantedBy = ["multi-user.target"];
};
systemd.timers.nextcloud-autosync = mkIf cfg.nextcloud.enable {
unitConfig.Description = "Automatic sync files with Nextcloud and rerun every 60 minutes";
timerConfig.OnUnitActiveSec = "60min";
wantedBy = ["multi-user.target" "timers.target"];
};
};
};
}

Some files were not shown because too many files have changed in this diff Show more