From c712d76fac93c20a0727cbb244d3842fa390fe44 Mon Sep 17 00:00:00 2001 From: Sebastian Moser Date: Tue, 21 Nov 2023 20:11:26 +0100 Subject: [PATCH] ... --- common/all.nix | 2 - common/wg-peers.nix | 82 ++++++++ flake.lock | 13 ++ flake.nix | 24 +-- hosts/acern.nix | 5 - hosts/hpm.nix | 14 +- hosts/lush.nix | 125 ++++++++++-- hosts/main.nix | 181 +++++++++++++++--- hosts/rpi.md | 26 +-- hosts/rpi.nix | 127 +++++++++++- programs/ssh.nix | 20 +- .../{me/home-headless.nix => common/home.nix} | 1 + users/files/headless.nix | 27 +++ users/me/{default.nix => gui.nix} | 7 + users/me/headless.nix | 11 +- users/me/home.nix | 2 +- users/server/headles.nix | 23 +++ 17 files changed, 605 insertions(+), 85 deletions(-) create mode 100644 common/wg-peers.nix rename users/{me/home-headless.nix => common/home.nix} (98%) create mode 100644 users/files/headless.nix rename users/me/{default.nix => gui.nix} (57%) create mode 100644 users/server/headles.nix diff --git a/common/all.nix b/common/all.nix index c640758..e460e4e 100644 --- a/common/all.nix +++ b/common/all.nix @@ -4,7 +4,6 @@ { imports = [ - inputs.home-manager.nixosModules.home-manager ../mods/my-nixpkgs-overlay.nix ]; @@ -36,7 +35,6 @@ users.mutableUsers = true; - networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. # This value determines the NixOS release from which the default diff --git a/common/wg-peers.nix b/common/wg-peers.nix new file mode 100644 index 0000000..afb9b38 --- /dev/null +++ b/common/wg-peers.nix 
@@ -0,0 +1,82 @@ +{ secretsDir, ... }: let + main-pub = builtins.readFile "${secretsDir}/wg-pub-main"; + rpi-pub = builtins.readFile "${secretsDir}/wg-pub-rpi"; + lush-pub = builtins.readFile "${secretsDir}/wg-pub-lush"; + hpm-pub = builtins.readFile "${secretsDir}/wg-pub-hpm"; + acern-pub = builtins.readFile "${secretsDir}/wg-pub-acern"; + phone-pub = builtins.readFile "${secretsDir}/wg-pub-phone"; +in +{ + "wireguard-peer.${main-pub}" = { + endpoint = "192.168.1.40:51820"; + persistent-keepalive = "25"; + allowed-ips = "0.0.0.0"; + }; + "wireguard-peer.${rpi-pub}" = { + endpoint = "192.168.1.2:49390"; + persistent-keepalive = "25"; + allowed-ips = "0.0.0.0"; + }; + "wireguard-peer.${lush-pub}" = { + endpoint = "192.168.5.5:51820"; + persistent-keepalive = "25"; + allowed-ips = "0.0.0.0"; + }; +} + + + + +################### old config ######################### + +/* +{ secretsDir, ... }: [ + #### local #### + { + name = "rpi"; + publicKey = builtins.readFile "${secretsDir}/wg-pub-rpi"; + allowedIPs = [ "10.1.1.0/24" ]; + endpoint = "192.168.1.2:49390, c2vi.dev:49389"; + persistentKeepalive = 25; + } + { + name = "main-local"; + publicKey = builtins.readFile "${secretsDir}/wg-pub-main"; + allowedIPs = [ "10.1.1.0/24" ]; + endpoint = "192.168.1.40:51820"; + persistentKeepalive = 25; + } + { + name = "lush-local"; + publicKey = builtins.readFile "${secretsDir}/wg-pub-lush"; + allowedIPs = [ "10.1.1.0/24" ]; + endpoint = "192.168.5.5:51820"; + persistentKeepalive = 25; + } + + + + + + /* + { + name = "main"; + publicKey = "${secretsDir}"/wg-public-main; + allowedIPs = [ "10.1.1.2/24" ]; + } + { + name = "phone"; + publicKey = "${secretsDir}"/wg-public-phone; + allowedIPs = [ "10.1.1.3/24" ]; + } + { + name = "hpm"; + publicKey = "${secretsDir}"/wg-public-hpm; + allowedIPs = [ "10.1.1.6/24" ]; + } + { + name = "main"; + publicKey = "${secretsDir}"/wg-public-main; + allowedIPs = [ "10.1.1.2/24" ]; + } + */ 
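Review bot: Every peer in the new `wireguard-peer.*` sections gets `allowed-ips = "0.0.0.0"`, which without a prefix length is the single host 0.0.0.0/32, so no traffic will be routed to or accepted from any peer, and identical allowed-ips on all three peers would collide in WireGuard's cryptokey routing table in any case. Each peer needs the tunnel address that its host assigns itself elsewhere in this patch: `allowed-ips = "10.1.1.1/32";` for main-pub, `"10.1.1.2/32"` for rpi-pub and `"10.1.1.4/32"` for lush-pub (the whole `10.1.1.0/24` only on a peer that is meant to act as gateway). `builtins.readFile` keeps a trailing newline, so if the `wg-pub-*` files end in one the attribute names, and hence the keyfile section headers, will contain it; strip it with `builtins.replaceStrings ["\n"] [""]` around each read. The `hpm-pub`, `acern-pub` and `phone-pub` bindings are unused in the new configuration. The lush endpoint `192.168.5.5:51820` also disagrees with the `192.168.1.44` that hosts/lush.nix assigns to eth0 in this same patch, so presumably one of the two is stale.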
diff --git a/flake.lock b/flake.lock index d486cf0..cac13d9 100644 --- a/flake.lock +++ b/flake.lock @@ -449,6 +449,18 @@ "type": "github" } }, + "networkmanager": { + "locked": { + "lastModified": 1700588409, + "narHash": "sha256-mbQKI5yjy2fkjeJo9+EuEsEuOVu6LPyEDmrP4zsujbA=", + "path": "/home/me/work/config/gitignore/nixos-networkmanager-profiles", + "type": "path" + }, + "original": { + "path": "/home/me/work/config/gitignore/nixos-networkmanager-profiles", + "type": "path" + } + }, "nix-doom-emacs": { "inputs": { "doom-emacs": "doom-emacs", @@ -898,6 +910,7 @@ "inputs": { "firefox": "firefox", "home-manager": "home-manager", + "networkmanager": "networkmanager", "nix-doom-emacs": "nix-doom-emacs", "nix-index-database": "nix-index-database", "nix-on-droid": "nix-on-droid", diff --git a/flake.nix b/flake.nix index bc9f223..de8e9aa 100644 --- a/flake.nix +++ b/flake.nix @@ -32,6 +32,7 @@ nixos-hardware.url = "github:nixos/nixos-hardware"; + networkmanager.url = "path:/home/me/work/config/gitignore/nixos-networkmanager-profiles"; robotnix = { url = "github:nix-community/robotnix"; @@ -70,21 +71,18 @@ in { nixosConfigurations = rec { - "main" = nixpkgs.lib.nixosSystem { inherit specialArgs; system = "x86_64-linux"; - modules = [ ./hosts/main.nix - ./hardware/my-hp-laptop.nix + ./hardware/my-hp-laptop.nix ]; }; "hpm" = nixpkgs.lib.nixosSystem { inherit specialArgs; system = "x86_64-linux"; - modules = [ ./hosts/hpm.nix ./hardware/hpm-laptop.nix 
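Review bot: The new `networkmanager` input is an absolute `path:` URL into a gitignored directory on one machine (`/home/me/work/config/gitignore/nixos-networkmanager-profiles`), and the matching flake.lock entry records it as `type = "path"`, so any other checkout or a rebuilt machine fails to evaluate every host that imports `inputs.networkmanager.nixosModules.networkmanager`, and the lock only pins `lastModified`/`narHash` of a tree nobody else can obtain. Since that module is presumably what renders the NetworkManager profiles, including the Wi-Fi and WireGuard secrets added in this patch, it should be pinned to a published git URL and revision, e.g. `networkmanager.url = "github:OWNER/nixos-networkmanager-profiles";` (OWNER is a placeholder), or vendored into this repository so the lock is reproducible.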
@@ -145,14 +143,18 @@ ]; }; "test" = nixpkgs.lib.nixosSystem { - #specialArgs = { inherit inputs confDir workDir secretsDir persistentDir self; }; + specialArgs = { inherit inputs confDir workDir secretsDir persistentDir self; }; system = "aarch64-linux"; + #inherit specialArgs; modules = [ - "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" - { - nixpkgs.hostPlatform.system = "aarch64-linux"; - nixpkgs.buildPlatform.system = "x86_64-linux"; - } + "${inputs.nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" + ./common/all.nix + #./common/nixos-headless.nix + #./common/nixos-graphical.nix + #./common/building.nix + + inputs.home-manager.nixosModules.home-manager + ./users/me/headless.nix ]; }; }; @@ -201,7 +203,7 @@ #}).config.system.build.sdImage; lush = self.nixosConfigurations.lush.config.system.build.sdImage; rpi = self.nixosConfigurations.rpi.config.system.build.sdImage; - test = nixpkgs.legacyPackages.x86_64-linux.pkgsCross.raspberryPi.raspberrypi-armstubs; + test = self.nixosConfigurations.test.config.system.build.sdImage; }; apps.x86_64-linux = { diff --git a/hosts/acern.nix b/hosts/acern.nix index fe00fd7..8217d08 100644 --- a/hosts/acern.nix +++ b/hosts/acern.nix @@ -17,10 +17,5 @@ settings.KbdInteractiveAuthentication = false; }; - users.users.me.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWsqiz0gEepvPONYxqhKKq4Vxfe1h+jo11k88QozUch me@bitwarden" - ]; - programs.bash.loginShellInit = "nixos-wsl-welcome"; } diff --git a/hosts/hpm.nix b/hosts/hpm.nix index bbca857..556d2f1 100644 --- a/hosts/hpm.nix +++ b/hosts/hpm.nix @@ -6,7 +6,8 @@ ../common/nixos-graphical.nix ../common/building.nix - ../users/me/default.nix + inputs.home-manager.nixosModules.home-manager + ../users/me/gui.nix ]; services.openssh = { 
@@ -17,6 +18,13 @@ settings.PermitRootLogin = "yes"; }; + networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + + # to build rpi images + boot.binfmt.emulatedSystems = [ + "aarch64-linux" + ]; + environment.systemPackages = with pkgs; [ ntfs3g ]; @@ -28,10 +36,6 @@ trusted-users = [ "me" ]; }; - users.users.me.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main" - ]; - networking = { #usePredictableInterfaceNames = false; defaultGateway = { diff --git a/hosts/lush.nix b/hosts/lush.nix index e812e39..5faac42 100644 --- a/hosts/lush.nix +++ b/hosts/lush.nix @@ -1,12 +1,22 @@ -{ lib, pkgs, inputs, ... }: +{ lib, pkgs, inputs, secretsDir, ... }: { - system.stateVersion = "23.05"; # Did you read the comment? + + #system.stateVersion = "23.05"; # Did you read the comment? imports = [ "${inputs.nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" #inputs.nixos-hardware.nixosModules.raspberry-pi-4 + inputs.networkmanager.nixosModules.networkmanager + + ../common/all.nix + + inputs.home-manager.nixosModules.home-manager + ../users/me/headless.nix ]; + # home-manager.users.me = import ../users/me/home-headless.nix; + + #nixpkgs.hostPlatform.system = "aarch64-linux"; #nixpkgs.buildPlatform.system = "x86_64-linux"; @@ -14,6 +24,10 @@ # This causes an overlay which causes a lot of rebuilding environment.noXlibs = lib.mkForce false; + + + environment.systemPackages = with pkgs; [ vim git ]; + # "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" creates a # disk with this label on first boot. Therefore, we need to keep it. It is the # only information from the installer image that we need to keep persistent 
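Review bot: `settings.PermitRootLogin = "yes"` stays in place on hpm (the context line just above the added `networking.networkmanager.enable`), while this same patch sets `settings.PermitRootLogin = "no"` on lush and rpi; if root login on hpm is still needed for remote builds, the consistent and tighter value is `settings.PermitRootLogin = "prohibit-password";`, which keeps it key-only. The `services.openssh` block starts before this hunk. The removal of `users.users.me.openssh.authorizedKeys.keys` in the third hunk of this file depends on the newly imported `../users/me/gui.nix` re-adding the keys, which it does further down in this patch, so that part is consistent.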
@@ -30,31 +44,98 @@ }; }; + ########################### ssh ############################ services.openssh = { enable = true; ports = [ 22 ]; settings.PasswordAuthentication = false; settings.KbdInteractiveAuthentication = false; + settings.PermitRootLogin = "no"; }; - # end of base.nix - environment.systemPackages = with pkgs; [ vim git ]; + ####################################### networking ########################## + networking.hostName = "lush"; - users = { - users.me = { - password = "hello"; - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWsqiz0gEepvPONYxqhKKq4Vxfe1h+jo11k88QozUch me@bitwarden" - ]; + + networking.networkmanager.enable = true; + + networking.networkmanager.profiles = { + main = { + connection = { + id = "main"; + uuid = "a02273d9-ad12-395e-8372-f61129635b6f"; + type = "ethernet"; + autoconnect-priority = "-999"; + interface-name = "eth0"; + }; + ipv4 = { + address1 = "192.168.1.44/24,192.168.1.1"; + dns = "1.1.1.1;"; + method = "manual"; + }; }; + + pw = { + connection = { + id = "pw"; + uuid = "e0103dac-7da0-4e32-a01b-487b8c4c813c"; + type = "wifi"; + interface-name = "wlan0"; + }; + + wifi = { + hidden = "true"; + mode = "infrastructure"; + ssid = builtins.readFile "${secretsDir}/wifi-ssid"; + }; + + wifi-security = { + key-mgmt = "wpa-psk"; + psk = builtins.readFile "${secretsDir}/wifi-password"; + }; + + ipv4 = { + address1 = "192.168.20.21/24"; + method = "auto"; + }; + }; + + me = { + connection = { + id = "me"; + uuid = "fe45d3bc-21c6-41ff-bc06-c936017c6e02"; + type = "wireguard"; + autoconnect = "true"; + interface-name = "me0"; + }; + wireguard = { + listen-port = "51820"; + private-key = builtins.readFile "${secretsDir}/wg-private-lush"; + }; + ipv4 = { + address1 = "10.1.1.4/24"; + method = "manual"; + }; + } // (import ../common/wg-peers.nix { inherit 
secretsDir; }); }; + + + systemd.services.iwd.serviceConfig.Restart = "always"; + /* networking = { interfaces."wlan0".useDHCP = true; + + interfaces."eth0" = { + #name = "eth0"; + ipv4.addresses = [ + { address = "192.168.5.5"; prefixLength = 24;} + ]; + }; + */ + + /* wireless = { interfaces = [ "wlan0" ]; enable = true; @@ -64,6 +145,24 @@ }; }; + */ + + + ####################################### wireguard ########################## + /* + systemd.network.netdevs.me0 = { + enable = true; + wireguardPeers = import ../common/wg-peers.nix { inherit secretsDir; }; + wireguardConfig = { + ListenPort = 51820; + PrivateKeyFile = "/etc/wireguard/secret.key"; + }; + }; + networking.wireguard.interfaces = { + me = { + ips = [ "10.1.1.11/24" ]; + }; + */ /* boot = { diff --git a/hosts/main.nix b/hosts/main.nix index 3751de5..89e0205 100644 --- a/hosts/main.nix +++ b/hosts/main.nix @@ -1,5 +1,5 @@ -{ pkgs, lib, workDir, self, secretsDir, config, ... }: +{ pkgs, lib, workDir, self, secretsDir, config, inputs, ... }: { # https://bugzilla.kernel.org/show_bug.cgi?id=110941 @@ -17,18 +17,17 @@ ../common/nixos-graphical.nix ../common/building.nix - ../users/me/default.nix + inputs.networkmanager.nixosModules.networkmanager + inputs.home-manager.nixosModules.home-manager + ../users/me/gui.nix ../users/root/default.nix ]; - services.avahi.enable = true; - environment.systemPackages = with pkgs; [ cifs-utils ntfs3g ]; - virtualisation.podman.enable = true; hardware.bluetooth.settings = { General = { 
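Review bot: The `pw` and `me` profiles inline secrets into the NixOS configuration — `psk = builtins.readFile "${secretsDir}/wifi-password"` and `private-key = builtins.readFile "${secretsDir}/wg-private-lush"` — and whatever `inputs.networkmanager.nixosModules.networkmanager` renders from `networking.networkmanager.profiles` presumably lands in the world-readable Nix store, so the Wi-Fi passphrase and the WireGuard private key become readable by every local user and travel with every copy of the closure. The same pattern appears in hosts/main.nix (`wg-private-main` plus the `802-1x` `identity`/`password` for the school network) and hosts/rpi.nix (`wg-private-rpi`); if the module supports it, keep the secret out of the profile with NetworkManager's `psk-flags`/`private-key-flags` keyfile options and supply it at runtime, or write the profiles at activation time from files that never enter the store. `builtins.readFile` also keeps a trailing newline, which a keyfile writer would emit inside the `psk=`/`ssid=` value; confirm against the module or strip it with `builtins.replaceStrings ["\n"] [""]`. The enclosing attribute set began on the previous physical line, and the `networking = { ... }` block that follows in this hunk is entirely commented out.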
@@ -40,22 +39,11 @@ distributedBuilds = false; # false, because i can't build on hpm currently ... not signed by trusted user error }; - networking.hostName = "main"; - networking.search = [ "c2vi.local" ]; - networking.extraHosts = '' - 192.168.1.6 hpm - 192.168.1.2 rpi - 127.0.0.1 youtube.com - 127.0.0.1 www.youtube.com - ''; # to build rpi images boot.binfmt.emulatedSystems = [ "aarch64-linux" - #"x86_64-unknown-linux-gnu" - #"armv6l-unknown-linux-gnueabihf" - #"armv7l-hf-multiplatform" ]; @@ -73,7 +61,7 @@ options = [ "bind" ]; }; - # my youtube blocking service + ################################ my youtube blocking service ############################# systemd.services.stark = let stark = pkgs.writeShellApplication { @@ -89,9 +77,9 @@ then rm /etc/host-youtube-block else - echo old: $timeout + echo old: "$timeout" timeout=$((timeout - 1)) - echo new: $timeout + echo new: "$timeout" echo -en $timeout > /etc/host-youtube-block fi else @@ -116,7 +104,7 @@ }; - # syncthing for main + ############################## syncthing for main ############################################# services.syncthing = { enable = true; user = "me"; @@ -146,16 +134,20 @@ }; + ############################## networking ############################################### + + networking.hostName = "main"; + security.polkit.enable = true; + services.avahi.enable = true; + + networking.networkmanager.enable = true; + networking.firewall.allowPing = true; networking.firewall.enable = true; services.samba.openFirewall = true; - - # samba - services.samba-wsdd.enable = true; # make shares visible for windows 10 clients - networking.firewall.allowedTCPPorts = [ 5357 # wsdd 8888 # for general usage 
@@ -165,7 +157,144 @@ networking.firewall.allowedUDPPorts = [ 3702 # wsdd + 51820 # wireguard ]; + + networking.search = [ "c2vi.local" ]; + networking.extraHosts = '' + 192.168.1.6 hpm + 192.168.1.2 rpi + 127.0.0.1 youtube.com + 127.0.0.1 www.youtube.com + ''; + + networking.networkmanager.profiles = { + home = { + connection = { + id = "home"; + uuid = "a02273d9-ad12-395e-8372-f61129635b6f"; + type = "ethernet"; + autoconnect-priority = "-999"; + interface-name = "enp1s0"; + }; + ipv4 = { + address1 = "192.168.1.40/24,192.168.1.1"; + dns = "1.1.1.1;"; + method = "manual"; + }; + }; + + htl = { + connection = { + id = "htl"; + uuid = "0d3af539-9abd-4417-b882-cbff96fc3490"; + type = "wifi"; + interface-name = "wlp2s0"; + }; + ipv4 = { + method = "auto"; + }; + wifi = { + mode = "infrastructure"; + ssid = "HTLinn"; + }; + wifi-security = { + key-mgmt = "wpa-eap"; + }; + "802-1x" = { + eap = "peap"; + identity = builtins.readFile "${secretsDir}/school-username"; + password = builtins.readFile "${secretsDir}/school-password"; + phase2-auth = "mschapv2"; + }; + }; + + pt = { + connection = { + id = "pt"; + uuid = "f028117e-9eef-47c1-8483-574f7ee798a4"; + type = "bluetooth"; + autoconnect = "false"; + }; + + bluetooth = { + bdaddr = "E8:78:29:C4:BA:7C"; + type = "panu"; + }; + + ipv4 = { + method = "auto"; + }; + }; + + pw = { + connection = { + id = "pw"; + uuid = "e0103dac-7da0-4e32-a01b-487b8c4c813c"; + type = "wifi"; + interface-name = "wlp2s0"; + }; + + wifi = { + hidden = "true"; + mode = "infrastructure"; + ssid = builtins.readFile "${secretsDir}/wifi-ssid"; + }; + + wifi-security = { + key-mgmt = "wpa-psk"; + psk = builtins.readFile "${secretsDir}/wifi-password"; + }; + + ipv4 = { + address1 = "192.168.20.20/24"; + method = "auto"; + }; + }; + + hot = { + connection = { + id = "hot"; + uuid = "ab51de8a-9742-465a-928b-be54a83ab6a3"; + type = "wifi"; + autoconnect = "false"; + interface-name = "wlp2s0"; + }; + wifi = { + mac-address = "0C:96:E6:E3:64:03"; + mode = 
"ap"; + ssid = "c2vi-main"; + }; + + ipv4 = { + method = "shared"; + }; + }; + + me = { + connection = { + id = "me"; + uuid = "fe45d3bc-21c6-41ff-bc06-c936017c6e02"; + type = "wireguard"; + autoconnect = "true"; + interface-name = "me0"; + }; + wireguard = { + listen-port = "12345"; + private-key = builtins.readFile "${secretsDir}/wg-private-main"; + }; + ipv4 = { + address1 = "10.1.1.1/24"; + method = "manual"; + }; + } // (import ../common/wg-peers.nix { inherit secretsDir; }); + }; + + + + #################################### samba ###################################### + services.samba-wsdd.enable = true; # make shares visible for windows 10 clients + services.samba = { enable = true; securityType = "user"; @@ -200,7 +329,9 @@ }; + ######################################### virtualisation ############################### virtualisation.libvirtd.enable = true; + virtualisation.podman.enable = true; system.activationScripts.setupLibvirt = lib.stringAfter [ "var" ] '' mkdir -p /var/lib/libvirt/storage @@ -217,7 +348,7 @@ ''; - # swap and hibernate + ############################## swap and hibernate ################################### swapDevices = [ { device = "/dev/lvm0/swap"; } ]; boot.resumeDevice = "/dev/lvm0/swap"; services.logind = { diff --git a/hosts/rpi.md b/hosts/rpi.md index 067d440..149d209 100644 --- a/hosts/rpi.md +++ b/hosts/rpi.md 
@@ -40,26 +40,30 @@ CMD: sudo dphys-swapfile setup CMD: sudo dphys-swapfile swapon # things +- mdadm +- bcache +- mount /home/files/storage + - so that other users can't read it + +- podman containers + +- me-net (wireguard) + +- rclone mount onedrive backups +- borgmatic + +## things done +- smb shares +- swap - users admin - sudo without password and access to bitwarden files - for managing files (old: dateimanager) server - for deployed servers (podman) mamafiles - for the mamafiles share -- swap -- mdadm -- bcache -- mount /home/files/storage - - so that other users can't read it -- smb shares - ssh acces - ssh config: PermitRootAccess and PasswordAuthentication -- me-net (wireguard) -- podman containers - dyndns - wstunnel for wireguard -- rclone mount onedrive backups -- borgmatic - diff --git a/hosts/rpi.nix b/hosts/rpi.nix index 99b305c..eb56637 100644 --- a/hosts/rpi.nix +++ b/hosts/rpi.nix @@ -1,14 +1,17 @@ -{ lib, pkgs, inputs, ... }: +{ lib, pkgs, inputs, secretsDir, ... }: { imports = [ "${inputs.nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" - inputs.nixos-hardware.nixosModules.raspberry-pi-4 + #inputs.nixos-hardware.nixosModules.raspberry-pi-4 ../common/all.nix ../common/nixos-headless.nix + inputs.home-manager.nixosModules.home-manager ../users/me/headless.nix ../users/root/default.nix + ../users/server/headles.nix + ../users/files/headless.nix ]; system.stateVersion = "23.05"; @@ -25,11 +28,20 @@ # disk with this label on first boot. Therefore, we need to keep it. It is the # only information from the installer image that we need to keep persistent + environment.systemPackages = with pkgs; [ + bcache-tools + ]; + fileSystems."/" = { device = "/dev/disk/by-label/NIXOS_SD"; fsType = "ext4"; }; + swapDevices = [ { + device = "/swapfile"; + size = 10*1024; + } ]; + boot = { #kernelPackages = lib.mkForce pkgs.linuxPackages_latest; loader = { 
@@ -43,6 +55,14 @@ virtualisation.podman.enable = true; + + users.users.mamafiles = { + isNormalUser = true; + password = "changeme"; + }; + +########################## networking ########################################### + networking.firewall.allowPing = true; networking.firewall.enable = true; services.samba.openFirewall = true; @@ -55,10 +75,10 @@ interface = "eth0"; }; - interface."eth0" = { + interfaces."eth0" = { #name = "eth0"; ipv4.addresses = [ - { address = "192.168.1.6"; prefixLength = 24;} + { address = "192.168.1.2"; prefixLength = 24;} ]; }; 
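Review bot: `users.users.mamafiles` is created with `password = "changeme";`, a plaintext password in the NixOS configuration that ends up world-readable in the Nix store, and this account is the `valid users` entry for the `mama` Samba share later in this patch. The same `password = "changeme"` appears in the new users/files/headless.nix (`files`, the owner of the storage shares) and users/server/headles.nix (`server`), the latter even carrying a commented-out `#passwordFile = "${secretsDir}/me-pwd";` that shows the intended approach: point `passwordFile` (or `hashedPasswordFile` on newer nixpkgs) at a hashed password kept outside the store, e.g. `passwordFile = "${secretsDir}/mamafiles-pwd";`, assuming `secretsDir` is a host path rather than something copied into the store. With `users.mutableUsers = true` (set in common/all.nix) the literal only seeds the initial password, but "changeme" remains a guessable default on an SMB-exposed account until someone rotates it.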
@@ -85,11 +105,100 @@ ]; + networking.networkmanager.enable = true; + + networking.networkmanager.profiles = { + main = { + connection = { + id = "main"; + uuid = "a02273d9-ad12-395e-8372-f61129635b6f"; + type = "ethernet"; + autoconnect-priority = "-999"; + interface-name = "eth0"; + }; + ipv4 = { + address1 = "192.168.1.2/24,192.168.1.1"; + dns = "1.1.1.1;"; + method = "manual"; + }; + }; + + me = { + connection = { + id = "me"; + uuid = "fe45d3bc-21c6-41ff-bc06-c936017c6e02"; + type = "wireguard"; + autoconnect = "true"; + interface-name = "me0"; + }; + wireguard = { + listen-port = "49390"; + private-key = builtins.readFile "${secretsDir}/wg-private-rpi"; + }; + ipv4 = { + address1 = "10.1.1.2/24"; + method = "manual"; + }; + } // (import ../common/wg-peers.nix { inherit secretsDir; }) ; + }; + + ######################################### wstunnel ####################################### + + systemd.services.wstunnel = { + enable = true; + description = "WStunnel for SSH connections and Wireguard VPN"; + after = [ "network.target" ]; + unitConfig = { + Type = "simple"; + }; + serviceConfig = { + Restart = "always"; + ExecStart = "${pkgs.wstunnel}/bin/wstunnel --server ws://0.0.0.0:49389 -r 127.0.0.1:49388 -r 127.0.0.1:49390"; + }; + wantedBy = [ "multi-user.target" ]; + }; + + ###################################### dyndns #################################### + + systemd.services.update-ip = + let + update-ip = pkgs.writeShellApplication { + name = "update-ip"; + + runtimeInputs = with pkgs; [ curl w3m ]; + + text = '' + ip=$(curl my.ip.fi) + curl "http://dynv6.com/api/update?hostname=${builtins.readFile "${secretsDir}/dns-name-two"}&ipv4=$ip&token=${builtins.readFile "${secretsDir}/dns-name-two-token"}" + curl "https://dynamicdns.park-your-domain.com/update?host=@&domain=${builtins.readFile "${secretsDir}/dns-name"}&password=${builtins.readFile "${secretsDir}/dns-name-token"}&ip=$ip" + # 
https://www.namecheap.com/support/knowledgebase/article.aspx/29/11/how-to-dynamically-update-the-hosts-ip-with-an-https-request/ + ''; + }; + in + { + enable = true; + description = "block Youtube"; + unitConfig = { + Type = "simple"; + }; + serviceConfig = { + Restart = "always"; + RestartSec = "500s"; + ExecStart = "${update-ip}/bin/update-ip"; + }; + wantedBy = [ "multi-user.target" ]; + }; + + ################################## ssh ###################################### - services.openssh.enable = true; - users.users.me.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main" - ]; + services.openssh = { + enable = true; + ports = [ 49388 ]; + + settings.PasswordAuthentication = false; + settings.KbdInteractiveAuthentication = false; + settings.PermitRootLogin = "no"; + }; ################################ samba ###################################### services.samba-wsdd.enable = true; # make shares visible for windows 10 clients @@ -111,6 +220,7 @@ "valid users" = "files"; "comment" = "all my files"; "path" = "/home/files/storage/files"; + "browsable" = "no"; "read only" = "no"; "guest ok" = "no"; "force user" = "files"; @@ -145,6 +255,7 @@ mama = { "comment" = "Meine Dateien auf Mamas Laptop"; "path" = "/home/files/storage/files/stuff/Mamas-Laptop"; + "browsable" = "no"; "read only" = "no"; "guest ok" = "no"; "valid users" = "mamafiles"; diff --git a/programs/ssh.nix b/programs/ssh.nix index 84db89e..d42a659 100644 --- a/programs/ssh.nix +++ b/programs/ssh.nix 
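Review bot: In the `update-ip` script the dynv6 update goes to `http://dynv6.com/api/update?...&token=...`, so the account token read from `dns-name-two-token` is sent in clear text on every run while the namecheap call beside it correctly uses https; change it to `curl "https://dynv6.com/api/update?..."`, and `ip=$(curl my.ip.fi)` likewise defaults to plain http where `https://my.ip.fi` costs nothing. Both tokens and hostnames are interpolated into the script with `builtins.readFile`, so they are part of the `update-ip` derivation in the world-readable Nix store; loading them at runtime instead (`serviceConfig.LoadCredential` with a root-only file outside the store, then `token=$(cat "$CREDENTIALS_DIRECTORY/dynv6-token")`) keeps them out of it. The unit's `description = "block Youtube";` is copied from the stark service in hosts/main.nix and should read something like `description = "update dynamic DNS records";`; `Type = "simple"` belongs under `serviceConfig`, not `unitConfig` (here and in the wstunnel unit above), and `w3m` in `runtimeInputs` is unused. A `systemd.timers` entry with `OnUnitActiveSec = "500s"` would be the idiomatic form of the `Restart = "always"; RestartSec = "500s";` loop.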
@@ -2,12 +2,24 @@ { programs.ssh = { enable = true; - includes = [ "./current_rpi_config" ]; + #includes = [ "./current_rpi_config" ]; matchBlocks = { + "*" = { + identityFile = "${secretsDir}/private-key"; + }; "github.com" = { hostname = "github.com"; identityFile = "${secretsDir}/private-key-main"; }; + rpi = { + port = 49388; + user = "me"; + hostname = "192.168.1.2"; + }; + lush = { + user = "me"; + hostname = "192.168.5.5"; + }; phone = { user = "u0_a345"; hostname = "192.168.44.1"; @@ -23,6 +35,7 @@ user = "me"; identityFile = "${secretsDir}/private-key-main"; hostname = "192.168.1.5"; + port = 2222; }; hpm = { #hostname = "192.168.1.6"; @@ -59,7 +72,10 @@ home.file.".ssh/known_hosts".force = true; home.file.".ssh/known_hosts".text = '' hpm ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ+FpaNOf+ao6RCa6e43vAHFcQZTGu45rIqAG3Vx0/M8 - hpm ssh-rsa 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 + lush ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFevbQp0XTZOVFZTDMKzgsZn4NNEIN+SFMqUhSbF5WFo + github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl + rpi ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOX+6B6Axx7AqgCm1H1rrou/3yOLeOLcTd8s0In0mOIY + phone ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHxg0HKtGAkwymll8r17d9cXdt40dJgRkSAzB699pWke+edne4Ildcnbde2yle01nEL7GOg92vh5t1sh6vkCzJQ= ''; home.file.".ssh/rpi/local".text = '' diff --git a/users/me/home-headless.nix b/users/common/home.nix similarity index 98% rename from users/me/home-headless.nix rename to users/common/home.nix index 6ed95fe..7929582 100644 --- a/users/me/home-headless.nix +++ b/users/common/home.nix @@ -50,6 +50,7 @@ jq wget tmux + wireguard-tools # python.... (python310.withPackages (p: with p; [ pandas diff --git a/users/files/headless.nix b/users/files/headless.nix new file mode 100644 index 0000000..d2473ed --- /dev/null +++ b/users/files/headless.nix 
@@ -0,0 +1,27 @@ +{ self, config, inputs, ... }: +{ + users.users.files = { + isNormalUser = true; + password = "changeme"; + }; + + home-manager.extraSpecialArgs = { + inherit self; + hostname = config.networking.hostName; + }; + + home-manager.users.files = import ../common/home.nix; + + users.users.files.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWsqiz0gEepvPONYxqhKKq4Vxfe1h+jo11k88QozUch me@bitwarden" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAioUu4ow6k+OMjjLdzogiQM4ZEM3TNekGNasaSDzQQE me@phone" + + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPmwi4ovyqhX/5YwGUZqntVD+i44qL+Nxf9Ubj4XxV9n me@acern" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAIh7LDjwojcjJM8puPqFibx9zPn/k1cYgWXNQf0ZbC4 me@hpm" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC81lBzAYuwvcEITxRrUR8BT2geyj2dB91pNavUsulKj me@loki" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDvGUZE8lZ7OZifndT0nPPJrgKXScD7zMTRIeBfQOfwh me@lush" + ]; + + +} diff --git a/users/me/default.nix b/users/me/gui.nix similarity index 57% rename from users/me/default.nix rename to users/me/gui.nix index 5329bb0..4dbf8b9 100644 --- a/users/me/default.nix +++ b/users/me/gui.nix @@ -17,4 +17,11 @@ fonts.fonts = with pkgs; [ hack-font ]; + + users.users.me.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWsqiz0gEepvPONYxqhKKq4Vxfe1h+jo11k88QozUch me@bitwarden" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAioUu4ow6k+OMjjLdzogiQM4ZEM3TNekGNasaSDzQQE me@phone" + ]; + } diff --git a/users/me/headless.nix b/users/me/headless.nix index 648385d..a898a4f 100644 --- a/users/me/headless.nix +++ b/users/me/headless.nix @@ -1,4 +1,4 @@ -{ self, config, ... }: +{ self, config, inputs, ... }: { users.users.me = { isNormalUser = true; 
@@ -12,6 +12,13 @@ hostname = config.networking.hostName; }; - home-manager.users.me = import ./home-headless.nix; + home-manager.users.me = import ../common/home.nix; + + users.users.me.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWsqiz0gEepvPONYxqhKKq4Vxfe1h+jo11k88QozUch me@bitwarden" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAioUu4ow6k+OMjjLdzogiQM4ZEM3TNekGNasaSDzQQE me@phone" + ]; + } diff --git a/users/me/home.nix b/users/me/home.nix index 6c24992..b88a671 100644 --- a/users/me/home.nix +++ b/users/me/home.nix @@ -3,7 +3,7 @@ { imports = [ - ./home-headless.nix + ../common/home.nix # my gui programs ../../programs/alacritty.nix diff --git a/users/server/headles.nix b/users/server/headles.nix new file mode 100644 index 0000000..b9de8c5 --- /dev/null +++ b/users/server/headles.nix @@ -0,0 +1,23 @@ +{ self, config, inputs, ... }: +{ + users.users.server = { + isNormalUser = true; + #passwordFile = "${secretsDir}/me-pwd"; + password = "changeme"; + }; + + home-manager.extraSpecialArgs = { + inherit self; + hostname = config.networking.hostName; + }; + + home-manager.users.server = import ../common/home.nix; + + users.users.server.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWsqiz0gEepvPONYxqhKKq4Vxfe1h+jo11k88QozUch me@bitwarden" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAioUu4ow6k+OMjjLdzogiQM4ZEM3TNekGNasaSDzQQE me@phone" + ]; + + +}
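Review bot: The new file is named `users/server/headles.nix` while its siblings are `users/files/headless.nix` and `users/me/headless.nix`, and hosts/rpi.nix imports the misspelled path, so fixing the name later means touching both files; better to rename it in this commit. The file is otherwise a copy of users/files/headless.nix with the user name swapped, so the three headless user modules could share one helper, e.g. `mkHeadlessUser name keys`, that produces the `users.users`, `home-manager.extraSpecialArgs` and `authorizedKeys` boilerplate in a single place. The `server` account, which hosts/rpi.md describes as the one for deployed podman containers, accepts the same three personal keys as `me`; if it is meant as a service account, a dedicated key would keep its logins distinguishable from interactive ones in the auth log. The `inputs` argument is unused in this module.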