diff --git a/common/wg-peers.nix b/common/wg-peers.nix
index afb9b38..d56df6e 100644
--- a/common/wg-peers.nix
+++ b/common/wg-peers.nix
@@ -1,4 +1,103 @@
-{ secretsDir, ... }: let
+{ secretsDir, ... }: [
+ #################### home ####################
+ {
+ name = "phone-pt";
+ publicKey = builtins.readFile "${secretsDir}/wg-pub-phone";
+ allowedIPs = [ "10.1.1.3" ];
+ endpoint = "192.168.44.1:51820";
+ persistentKeepalive = 25;
+ }
+ {
+ name = "phone-pw";
+ publicKey = builtins.readFile "${secretsDir}/wg-pub-phone";
+ allowedIPs = [ "10.1.1.3" ];
+ endpoint = "192.168.133.118:51820";
+ persistentKeepalive = 25;
+ }
+ /*
+ {
+ name = "main-pw";
+ publicKey = builtins.readFile "${secretsDir}/wg-pub-main";
+ allowedIPs = [ "10.1.1.11" ];
+ endpoint = "192.168.20.11:51820";
+ persistentKeepalive = 25;
+ }
+ {
+ name = "main-pt";
+ publicKey = builtins.readFile "${secretsDir}/wg-pub-main";
+ allowedIPs = [ "10.1.1.11" ];
+ endpoint = "192.168.44.11:51820";
+ persistentKeepalive = 25;
+ }
+ {
+ name = "main-home";
+ publicKey = builtins.readFile "${secretsDir}/wg-pub-main";
+ #allowedIPs = [ "10.1.1.0/24" ];
+ endpoint = "192.168.1.11:51820";
+ persistentKeepalive = 25;
+ }
+ {
+ name = "rpi-pt";
+ publicKey = builtins.readFile "${secretsDir}/wg-pub-rpi";
+ #allowedIPs = [ "10.1.1.0/24" ];
+ endpoint = "192.168.44.2:49390";
+ persistentKeepalive = 25;
+ }
+ {
+ name = "rpi-local";
+ publicKey = builtins.readFile "${secretsDir}/wg-pub-rpi";
+ #allowedIPs = [ "10.1.1.0/24" ];
+ endpoint = "192.168.1.2:49390";
+ persistentKeepalive = 25;
+ }
+ {
+ name = "rpi-web";
+ publicKey = builtins.readFile "${secretsDir}/wg-pub-rpi";
+ #allowedIPs = [ "10.1.1.0/24" ];
+ endpoint = "c2vi.dev:49390";
+ persistentKeepalive = 25;
+ }
+
+ /*
+ {
+ name = "main";
+ publicKey = builtins.readFile "${secretsDir}"/wg-pub-main;
+ allowedIPs = [ "10.1.1.2/24" ];
+ }
+ {
+ name = "phone";
+ publicKey = builtins.readFile "${secretsDir}"/wg-pub-phone;
+ allowedIPs = [ "10.1.1.3/24" ];
+ }
+ {
+ name = "hpm";
+ publicKey =builtins.readFile "${secretsDir}"/wg-pub-hpm;
+ allowedIPs = [ "10.1.1.6/24" ];
+ }
+ {
+ name = "main";
publicKey = builtins.readFile "${secretsDir}"/wg-pub-main; + allowedIPs = [ "10.1.1.2/24" ]; + } + + { + name = "rpi"; + publicKey = builtins.readFile "${secretsDir}/wg-pub-rpi"; + allowedIPs = [ "10.1.1.0/24" ]; + endpoint = "192.168.1.2:49390, c2vi.dev:49389"; + persistentKeepalive = 25; + } + { + name = "lush-local"; + publicKey = builtins.readFile "${secretsDir}/wg-pub-lush"; + allowedIPs = [ "10.1.1.0/24" ]; + endpoint = "192.168.5.5:51820"; + persistentKeepalive = 25; + } + */ +] +/* the networkmanager config +let main-pub = builtins.readFile "${secretsDir}/wg-pub-main"; rpi-pub = builtins.readFile "${secretsDir}/wg-pub-rpi"; lush-pub = builtins.readFile "${secretsDir}/wg-pub-lush"; @@ -23,6 +122,7 @@ in allowed-ips = "0.0.0.0"; }; } +*/ @@ -32,51 +132,8 @@ in /* { secretsDir, ... }: [ #### local #### - { - name = "rpi"; - publicKey = builtins.readFile "${secretsDir}/wg-pub-rpi"; - allowedIPs = [ "10.1.1.0/24" ]; - endpoint = "192.168.1.2:49390, c2vi.dev:49389"; - persistentKeepalive = 25; - } - { - name = "main-local"; - publicKey = builtins.readFile "${secretsDir}/wg-pub-main"; - allowedIPs = [ "10.1.1.0/24" ]; - endpoint = "192.168.1.40:51820"; - persistentKeepalive = 25; - } - { - name = "lush-local"; - publicKey = builtins.readFile "${secretsDir}/wg-pub-lush"; - allowedIPs = [ "10.1.1.0/24" ]; - endpoint = "192.168.5.5:51820"; - persistentKeepalive = 25; - } - - - - - - /* - { - name = "main"; - publicKey = "${secretsDir}"/wg-public-main; - allowedIPs = [ "10.1.1.2/24" ]; - } - { - name = "phone"; - publicKey = "${secretsDir}"/wg-public-phone; - allowedIPs = [ "10.1.1.3/24" ]; - } - { - name = "hpm"; - publicKey = "${secretsDir}"/wg-public-hpm; - allowedIPs = [ "10.1.1.6/24" ]; - } - { - name = "main"; - publicKey = "${secretsDir}"/wg-public-main; - allowedIPs = [ "10.1.1.2/24" ]; - } */ + + + + diff --git a/flake.nix b/flake.nix index 2d9a9de..78a4726 100644 --- a/flake.nix +++ b/flake.nix 
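Review bot: `phone-pt` and `phone-pw` carry the same `publicKey` and the same `allowedIPs`, and WireGuard identifies a peer by its public key, so the second entry does not add a second peer: the generated `wg set` for it updates the first, and the interface ends up with one phone peer whose endpoint is whichever of 192.168.44.1 and 192.168.133.118 was applied last (which one is not visible here). The allowed-IP table has a single owner per prefix as well, so two entries for 10.1.1.3 would collide even with different keys. Keep one phone peer and let WireGuard's roaming update the endpoint from the phone's own handshakes, e.g. `{ name = "phone"; publicKey = builtins.readFile "${secretsDir}/wg-pub-phone"; allowedIPs = [ "10.1.1.3/32" ]; }` with no server-side `endpoint` at all. The commented-out block below this point contains a second `/*` and relies on Nix comments not nesting; a one-line comment saying so would save the next reader from "fixing" it.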
@@ -165,6 +165,19 @@ nixOnDroidConfigurations = rec { "phone" = inputs.nix-on-droid.lib.nixOnDroidConfiguration { + imports = [ + ./users/me/headless.nix + ]; + users.users.nix-on-droid.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWsqiz0gEepvPONYxqhKKq4Vxfe1h+jo11k88QozUch me@bitwarden" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAioUu4ow6k+OMjjLdzogiQM4ZEM3TNekGNasaSDzQQE me@phone" + ]; + environment.packages = with pkgs; [ + vim + openssh + ]; + system.stateVersion = "23.05"; }; }; diff --git a/hosts/lush.nix b/hosts/lush.nix index 2d94fbb..1402de7 100644 --- a/hosts/lush.nix +++ b/hosts/lush.nix @@ -17,10 +17,14 @@ # home-manager.users.me = import ../users/me/home-headless.nix; + /* for cross compiling #nixpkgs.hostPlatform.system = "aarch64-linux"; #nixpkgs.buildPlatform.system = "x86_64-linux"; nixpkgs.overlays = [ + (outerFinal: outerPrev: { + #https://github.com/adrienverge/openfortivpn/issues/446 + #https://github.com/NixOS/nixpkgs/blob/nixos-23.05/pkgs/tools/networking/openfortivpn/default.nix#L47 openfortivpn = outerPrev.openfortivpn.overrideAttrs (final: prev: { configureFlags = prev.configureFlags or [] ++ [ "--disable-proc" @@ -30,6 +34,7 @@ }); }) ]; + */ hardware.enableRedistributableFirmware = true; @@ -113,6 +118,27 @@ }; }; + + pt = { + connection = { + id = "pt"; + uuid = "f028117e-9eef-47c1-8483-574f7ee798a4"; + type = "bluetooth"; + autoconnect = "false"; + }; + + bluetooth = { + bdaddr = "E8:78:29:C4:BA:7C"; + type = "panu"; + }; + + ipv4 = { + address1 = "192.168.20.21/24"; + method = "auto"; + }; + }; + + me = { connection = { id = "me"; diff --git a/hosts/main.nix b/hosts/main.nix index ea15ced..e5886e8 100644 --- a/hosts/main.nix +++ b/hosts/main.nix 
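Review bot: `imports = [ ./users/me/headless.nix ]` brings in a user definition whose `password = "changeme"` line is still in force (the users/me/headless.nix hunk at the end of this diff keeps it and only adds a group), into a profile that also installs `openssh` and authorizes keys for `nix-on-droid`. Whether nix-on-droid honours a `users.users.*` definition from that file is not visible here; if it does, an account with a cleartext, repo-published password sits behind the phone's sshd (port 8022 per programs/ssh.nix). Either import only what the phone needs from headless.nix, or fix the source by replacing `password` with `passwordFile = "${secretsDir}/me-pwd";` as the commented line there already intends. The `nixOnDroidConfigurations` set this hunk edits begins before it.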
@@ -39,14 +39,11 @@ distributedBuilds = false; # false, because i can't build on hpm currently ... not signed by trusted user error }; - - # to build rpi images boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; - # some bind mounts fileSystems."${workDir}/priv-share/things" = { device = "${workDir}/things"; @@ -84,7 +81,8 @@ fi else rm /etc/hosts - ln -nsf ${config.environment.etc.hosts.source.outPath} /etc/hosts + cat ${self}/misc/my-hosts > /etc/hosts + cat ${self}/misc/my-hosts-"$(cat /etc/current_hosts)" >> /etc/hosts fi ''; }; @@ -92,9 +90,10 @@ { enable = true; description = "block Youtube"; - unitConfig = { - Type = "simple"; - }; + #type = "simple"; + #unitConfig = { + #Type = "simple"; + #}; serviceConfig = { Restart = "always"; RestartSec = "60s"; @@ -153,6 +152,7 @@ 8888 # for general usage 9999 # for general usage 8080 # for mitm proxy + 51820 # wireguard ]; networking.firewall.allowedUDPPorts = [ @@ -161,13 +161,16 @@ ]; networking.search = [ "c2vi.local" ]; + #networking.hosts = { + #"10.1.1.3" = [ "phone" ]; + #}; networking.extraHosts = '' - 192.168.1.6 hpm - 192.168.1.2 rpi - 192.168.5.5 lush - 127.0.0.1 youtube.com - 127.0.0.1 www.youtube.com + ${builtins.readFile "${self}/misc/my-hosts"} + ${builtins.readFile "${self}/misc/my-hosts-me"} ''; + environment.etc.current_hosts.text = "me"; + environment.etc.current_hosts.mode = "rw"; + #environment.etc.hosts.mode = "rw"; networking.networkmanager.profiles = { home = { @@ -179,7 +182,7 @@ interface-name = "enp1s0"; }; ipv4 = { - address1 = "192.168.1.40/24,192.168.1.1"; + address1 = "192.168.1.11/24,192.168.1.1"; dns = "1.1.1.1;"; method = "manual"; }; @@ -224,6 +227,7 @@ }; ipv4 = { + address1 = "192.168.44.11/24"; method = "auto"; }; }; @@ -248,7 +252,7 @@ }; ipv4 = { - address1 = "192.168.20.20/24"; + address1 = "192.168.20.11/24"; method = "auto"; }; }; @@ -272,6 +276,7 @@ }; }; + /* me = { connection = { id = "me"; 
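Review bot: In the `@@ -84,7 +81,8 @@` hunk the atomic `ln -nsf` is replaced by two `cat` redirections that run after the existing `rm /etc/hosts`, so any resolver lookup that races this script finds no `/etc/hosts` at all, and the selector read from `/etc/current_hosts` is spliced into a store path as root without validation. Build the file off to the side and rename it, and accept only the profiles that exist under `misc/`: `p=$(cat /etc/current_hosts); case "$p" in h|me|pt|pw|r) ;; *) exit 1 ;; esac` followed by `cat ${self}/misc/my-hosts ${self}/misc/my-hosts-"$p" > /etc/hosts.tmp && mv -f /etc/hosts.tmp /etc/hosts`. The if/else this hunk sits in begins and ends outside it.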
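Review bot: In the `@@ -153,6 +152,7 @@` hunk `51820 # wireguard` is added to `networking.firewall.allowedTCPPorts`, but WireGuard is UDP-only: this opens a TCP port nothing listens on, while inbound handshakes to the `listenPort = 51820` of `me1` declared later in this file stay dropped unless main initiates first (it has endpoints and keepalives configured, which may be why it appears to work). Move the entry to the `networking.firewall.allowedUDPPorts` list that starts right after this hunk: `51820 # wireguard (UDP)`. The TCP list itself begins before the hunk.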
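Review bot: In the `@@ -161,13 +161,16 @@` hunk `environment.etc.current_hosts.mode = "rw"` is not a value `environment.etc.<name>.mode` understands; it expects `"symlink"`, `"direct-symlink"` or an octal mode such as `"0644"`, so the permissions the activation script actually leaves on the copied file should be checked on the built system rather than assumed. The content of this file selects which `misc/my-hosts-*` a root-run script appends to `/etc/hosts` (hunk at -84 in this file), so it must not be writable by unprivileged users; `environment.etc.current_hosts.mode = "0644";` keeps it readable while the `rpi` helper, which already elevates with sudo, can still rewrite it. Since the file is copied with `text = "me"`, a `nixos-rebuild switch` will likely reset whatever profile `rpi` last selected; a comment saying whether that is intended would help.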
@@ -281,14 +286,26 @@ interface-name = "me0"; }; wireguard = { - listen-port = "12345"; + listen-port = "51820"; private-key = builtins.readFile "${secretsDir}/wg-private-main"; }; ipv4 = { - address1 = "10.1.1.1/24"; + address1 = "10.1.1.11/24"; method = "manual"; }; } // (import ../common/wg-peers.nix { inherit secretsDir; }); + */ + }; + + networking.wireguard.interfaces = { + me1 = { + ips = [ "10.1.1.11/24" ]; + listenPort = 51820; + + privateKeyFile = "${secretsDir}/wg-private-main"; + + peers = import ../common/wg-peers.nix { inherit secretsDir; }; + }; }; diff --git a/hosts/rpi.nix b/hosts/rpi.nix index 1cdeb46..99ffd55 100644 --- a/hosts/rpi.nix +++ b/hosts/rpi.nix @@ -75,6 +75,13 @@ 8888 # for general usage 9999 # for general usage 8080 # for mitm proxy + + 49388 + 49389 + 49390 + 49391 + 49392 + 49393 ]; networking.firewall.allowedUDPPorts = [ diff --git a/misc/my-hosts b/misc/my-hosts new file mode 100644 index 0000000..39d9423 --- /dev/null +++ b/misc/my-hosts @@ -0,0 +1 @@ +127.0.0.1 youtube.com diff --git a/misc/my-hosts-h b/misc/my-hosts-h new file mode 100644 index 0000000..2203451 --- /dev/null +++ b/misc/my-hosts-h @@ -0,0 +1,4 @@ +192.168.1.6 hpm +192.168.1.2 rpi +192.168.1.5 acern +192.168.1.122 lush diff --git a/misc/my-hosts-me b/misc/my-hosts-me new file mode 100644 index 0000000..48bf958 --- /dev/null +++ b/misc/my-hosts-me @@ -0,0 +1,3 @@ +10.1.1.3 phone +10.1.1.11 main + diff --git a/misc/my-hosts-pt b/misc/my-hosts-pt new file mode 100644 index 0000000..72c07a0 --- /dev/null +++ b/misc/my-hosts-pt @@ -0,0 +1,4 @@ +192.168.44.1 phone +192.168.44.11 main +c2vi.dev rpi + diff --git a/misc/my-hosts-pw b/misc/my-hosts-pw new file mode 100644 index 0000000..fe5334d --- /dev/null +++ b/misc/my-hosts-pw @@ -0,0 +1 @@ +c2vi.dev rpi diff --git a/misc/my-hosts-r b/misc/my-hosts-r new file mode 100644 index 0000000..fe5334d --- /dev/null +++ b/misc/my-hosts-r @@ -0,0 +1 @@ +c2vi.dev rpi 
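Review bot: `privateKeyFile = "${secretsDir}/wg-private-main"` only improves on the previous `builtins.readFile` if `secretsDir` is a runtime path; common/wg-peers.nix in this same commit reads `${secretsDir}/wg-pub-*` with `builtins.readFile` at evaluation time, which is consistent with a flake-relative directory, and a flake-relative directory is copied into `/nix/store`, where the private key would be world-readable. Confirm where `secretsDir` points; if it is inside the flake, keep the key under a root-only runtime path (`/etc/wireguard/main.key`, mode 0600) or a secrets manager and point `privateKeyFile` at that. The hunk also changes `listen-port` inside the NetworkManager profile that the previous hunk comments out with `/*`, a dead edit worth dropping so the commented block does not look current. The `networking.networkmanager.profiles` set this hunk closes starts before it.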
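Review bot: Six new TCP ports 49388–49393 are opened with no comment while every other entry in this list carries one; at least 49390 is the rpi WireGuard endpoint port in common/wg-peers.nix, and WireGuard is UDP-only, so a TCP allow does nothing for it and the matching entry belongs in `networking.firewall.allowedUDPPorts`. If the remaining ports front TCP services, name them, e.g. `49390 # wireguard (UDP — see allowedUDPPorts)` plus one comment per port; otherwise drop them, since each is an unauthenticated inbound allow on a host the peer list suggests is internet-reachable (`c2vi.dev:49390`). The list begins before this hunk.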
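Review bot: `c2vi.dev rpi` is not a valid hosts(5) entry: the first field must be an IP address, and the resolver skips lines whose first field does not parse as one, so `rpi` gets no mapping from this file (the same line appears in misc/my-hosts-pw and misc/my-hosts-r). `/etc/hosts` cannot alias a name to a DNS name; either write the current address, `<ip-of-c2vi.dev> rpi`, or drop the line and set `hostname = "c2vi.dev"` on the existing `rpi` block in programs/ssh.nix, which is where a name-to-name mapping belongs.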
diff --git a/programs/alacritty.nix b/programs/alacritty.nix index e4bc9b5..b601e16 100644 --- a/programs/alacritty.nix +++ b/programs/alacritty.nix @@ -46,7 +46,7 @@ style = "Bold Italic"; }; - size = 10; + size = 9; }; # Dracula theme for alacritty diff --git a/programs/bash.nix b/programs/bash.nix index 7ccb79a..524a67b 100644 --- a/programs/bash.nix +++ b/programs/bash.nix @@ -140,37 +140,13 @@ # a little programm, that changes the ssh config to always be able to acces rpi function rpi(){ - ssh_dir=~/.ssh - rm -f $ssh_dir/current_rpi_config - if [ "$1" == "l" ] - then - cp $ssh_dir/rpi/local $ssh_dir/current_rpi_config - fi - - if [ "$1" == "local" ] - then - cp $ssh_dir/rpi/local $ssh_dir/current_rpi_config - fi - - if [ "$1" == "r" ] - then - cp $ssh_dir/rpi/remote $ssh_dir/current_rpi_config - fi - - if [ "$1" == "remote" ] - then - cp $ssh_dir/rpi/remote $ssh_dir/current_rpi_config - fi - - if [ "$1" == "w" ] - then - cp $ssh_dir/rpi/wstunnel $ssh_dir/current_rpi_config - fi - + sudo rm /etc/hosts + sudo su -c "cat ${self}/misc/my-hosts > /etc/hosts" + sudo su -c "cat ${self}/misc/my-hosts-$1 >> /etc/hosts" + sudo su -c "echo -en "$1" > /etc/current_hosts" } - # git commit func function gc(){ tmp=$(echo -en $@) diff --git a/programs/ssh.nix b/programs/ssh.nix index d0cdf6d..dbafe23 100644 --- a/programs/ssh.nix +++ b/programs/ssh.nix @@ -16,15 +16,9 @@ user = "me"; hostname = "192.168.1.2"; }; - #lush = { - #user = "me"; - #hostname = "192.168.5.5"; - #}; phone = { user = "u0_a345"; - hostname = "192.168.44.1"; port = 8022; - identityFile = "${secretsDir}/private-key-main"; }; uwu = { user = "sebastian"; diff --git a/users/me/headless.nix b/users/me/headless.nix index a898a4f..a59b72b 100644 --- a/users/me/headless.nix +++ b/users/me/headless.nix 
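Review bot: `my-hosts-$1` is spliced unvalidated into a root command, and the last line's quoting is broken: in `sudo su -c "echo -en "$1" > /etc/current_hosts"` the inner quotes end the outer string, so `$1` is expanded unquoted by the calling shell and the command only works because the profile names contain no spaces or shell metacharacters. There is no reason for `su -c` here either; `sudo tee` does the job without re-parsing a string, and one write instead of `rm` plus two redirections narrows the window in which `/etc/hosts` is missing. The rewrite below whitelists the profiles that actually exist under `misc/` and writes both files through `tee` (`${self}` stays Nix interpolation inside the surrounding string). The function is fully inside the hunk; the `gc` function that follows it is not.
```bash
function rpi(){
    case "$1" in
        h|me|pt|pw|r) ;;
        *) echo "rpi: usage: rpi {h|me|pt|pw|r}" >&2; return 1 ;;
    esac
    cat "${self}/misc/my-hosts" "${self}/misc/my-hosts-$1" | sudo tee /etc/hosts >/dev/null
    printf '%s' "$1" | sudo tee /etc/current_hosts >/dev/null
}
```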
@@ -4,7 +4,7 @@
 isNormalUser = true;
 #passwordFile = "${secretsDir}/me-pwd";
 password = "changeme";
- extraGroups = [ "networkmanager" "wheel" "libvirtd" ]; # Enable ‘sudo’ for the user.
+ extraGroups = [ "networkmanager" "wheel" "libvirtd" "plugdev" ]; # Enable ‘sudo’ for the user.
 };
 home-manager.extraSpecialArgs = {
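Review bot: The hunk widens this account's groups (now `networkmanager`, `wheel`, `libvirtd`, `plugdev`) while the context line above still sets `password = "changeme"`, a cleartext literal readable by anyone with this repository, for a user that `wheel` makes sudo-capable; that is the line to fix before granting more. Re-enable the commented option as `passwordFile = "${secretsDir}/me-pwd";` pointing at a `mkpasswd -m sha-512` hash (the option is `hashedPasswordFile` on NixOS 23.11 and later) and drop `password`. A short comment on why `plugdev` is needed (which device's udev rules?) would also help, since it is otherwise unexplained. The enclosing user definition begins before this hunk.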