This commit is contained in:
Sebastian Moser
2023-11-21 20:11:26 +01:00
parent 7ed54e66ec
commit c712d76fac
17 changed files with 605 additions and 85 deletions


@@ -4,7 +4,6 @@
{ {
imports = [ imports = [
inputs.home-manager.nixosModules.home-manager
../mods/my-nixpkgs-overlay.nix ../mods/my-nixpkgs-overlay.nix
]; ];
@@ -36,7 +35,6 @@
users.mutableUsers = true; users.mutableUsers = true;
networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default

82
common/wg-peers.nix Normal file

@@ -0,0 +1,82 @@
{ secretsDir, ... }: let
main-pub = builtins.readFile "${secretsDir}/wg-pub-main";
rpi-pub = builtins.readFile "${secretsDir}/wg-pub-rpi";
lush-pub = builtins.readFile "${secretsDir}/wg-pub-lush";
hpm-pub = builtins.readFile "${secretsDir}/wg-pub-hpm";
acern-pub = builtins.readFile "${secretsDir}/wg-pub-acern";
phone-pub = builtins.readFile "${secretsDir}/wg-pub-phone";
in
{
"wireguard-peer.${main-pub}" = {
endpoint = "192.168.1.40:51820";
persistent-keepalive = "25";
allowed-ips = "0.0.0.0";
};
"wireguard-peer.${rpi-pub}" = {
endpoint = "192.168.1.2:49390";
persistent-keepalive = "25";
allowed-ips = "0.0.0.0";
};
"wireguard-peer.${lush-pub}" = {
endpoint = "192.168.5.5:51820";
persistent-keepalive = "25";
allowed-ips = "0.0.0.0";
};
}
################### old config #########################
/*
{ secretsDir, ... }: [
#### local ####
{
name = "rpi";
publicKey = builtins.readFile "${secretsDir}/wg-pub-rpi";
allowedIPs = [ "10.1.1.0/24" ];
endpoint = "192.168.1.2:49390, c2vi.dev:49389";
persistentKeepalive = 25;
}
{
name = "main-local";
publicKey = builtins.readFile "${secretsDir}/wg-pub-main";
allowedIPs = [ "10.1.1.0/24" ];
endpoint = "192.168.1.40:51820";
persistentKeepalive = 25;
}
{
name = "lush-local";
publicKey = builtins.readFile "${secretsDir}/wg-pub-lush";
allowedIPs = [ "10.1.1.0/24" ];
endpoint = "192.168.5.5:51820";
persistentKeepalive = 25;
}
/*
{
name = "main";
publicKey = "${secretsDir}"/wg-public-main;
allowedIPs = [ "10.1.1.2/24" ];
}
{
name = "phone";
publicKey = "${secretsDir}"/wg-public-phone;
allowedIPs = [ "10.1.1.3/24" ];
}
{
name = "hpm";
publicKey = "${secretsDir}"/wg-public-hpm;
allowedIPs = [ "10.1.1.6/24" ];
}
{
name = "main";
publicKey = "${secretsDir}"/wg-public-main;
allowedIPs = [ "10.1.1.2/24" ];
}
*/
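Review bot: All three peers get `allowed-ips = "0.0.0.0"`, which NetworkManager reads as a single host address (no prefix means /32), not the `0.0.0.0/0` catch-all, and WireGuard's cryptokey routing assigns each allowed IP to exactly one peer, so at most one of these entries can ever receive traffic and none of them covers the 10.1.1.0/24 tunnel addresses the host profiles use. Give each peer its own tunnel address, matching the `address1` of that host's `me` profile elsewhere in this commit: `allowed-ips = "10.1.1.1/32";` for main, `"10.1.1.2/32"` for rpi and `"10.1.1.4/32"` for lush. `builtins.readFile` keeps a trailing newline if the key files end with one, and that newline would then sit inside both the attribute name and the public key; `lib.fileContents` strips it, but `lib` would have to be added to this module's arguments. Only public keys are embedded here, which is fine to do at evaluation time.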

13
flake.lock generated

@@ -449,6 +449,18 @@
"type": "github" "type": "github"
} }
}, },
"networkmanager": {
"locked": {
"lastModified": 1700588409,
"narHash": "sha256-mbQKI5yjy2fkjeJo9+EuEsEuOVu6LPyEDmrP4zsujbA=",
"path": "/home/me/work/config/gitignore/nixos-networkmanager-profiles",
"type": "path"
},
"original": {
"path": "/home/me/work/config/gitignore/nixos-networkmanager-profiles",
"type": "path"
}
},
"nix-doom-emacs": { "nix-doom-emacs": {
"inputs": { "inputs": {
"doom-emacs": "doom-emacs", "doom-emacs": "doom-emacs",
@@ -898,6 +910,7 @@
"inputs": { "inputs": {
"firefox": "firefox", "firefox": "firefox",
"home-manager": "home-manager", "home-manager": "home-manager",
"networkmanager": "networkmanager",
"nix-doom-emacs": "nix-doom-emacs", "nix-doom-emacs": "nix-doom-emacs",
"nix-index-database": "nix-index-database", "nix-index-database": "nix-index-database",
"nix-on-droid": "nix-on-droid", "nix-on-droid": "nix-on-droid",


@@ -32,6 +32,7 @@
nixos-hardware.url = "github:nixos/nixos-hardware"; nixos-hardware.url = "github:nixos/nixos-hardware";
networkmanager.url = "path:/home/me/work/config/gitignore/nixos-networkmanager-profiles";
robotnix = { robotnix = {
url = "github:nix-community/robotnix"; url = "github:nix-community/robotnix";
@@ -70,21 +71,18 @@
in in
{ {
nixosConfigurations = rec { nixosConfigurations = rec {
"main" = nixpkgs.lib.nixosSystem { "main" = nixpkgs.lib.nixosSystem {
inherit specialArgs; inherit specialArgs;
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
./hosts/main.nix ./hosts/main.nix
./hardware/my-hp-laptop.nix ./hardware/my-hp-laptop.nix
]; ];
}; };
"hpm" = nixpkgs.lib.nixosSystem { "hpm" = nixpkgs.lib.nixosSystem {
inherit specialArgs; inherit specialArgs;
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
./hosts/hpm.nix ./hosts/hpm.nix
./hardware/hpm-laptop.nix ./hardware/hpm-laptop.nix
@@ -145,14 +143,18 @@
]; ];
}; };
"test" = nixpkgs.lib.nixosSystem { "test" = nixpkgs.lib.nixosSystem {
#specialArgs = { inherit inputs confDir workDir secretsDir persistentDir self; }; specialArgs = { inherit inputs confDir workDir secretsDir persistentDir self; };
system = "aarch64-linux"; system = "aarch64-linux";
#inherit specialArgs;
modules = [ modules = [
"${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" "${inputs.nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
{ ./common/all.nix
nixpkgs.hostPlatform.system = "aarch64-linux"; #./common/nixos-headless.nix
nixpkgs.buildPlatform.system = "x86_64-linux"; #./common/nixos-graphical.nix
} #./common/building.nix
inputs.home-manager.nixosModules.home-manager
./users/me/headless.nix
]; ];
}; };
}; };
@@ -201,7 +203,7 @@
#}).config.system.build.sdImage; #}).config.system.build.sdImage;
lush = self.nixosConfigurations.lush.config.system.build.sdImage; lush = self.nixosConfigurations.lush.config.system.build.sdImage;
rpi = self.nixosConfigurations.rpi.config.system.build.sdImage; rpi = self.nixosConfigurations.rpi.config.system.build.sdImage;
test = nixpkgs.legacyPackages.x86_64-linux.pkgsCross.raspberryPi.raspberrypi-armstubs; test = self.nixosConfigurations.test.config.system.build.sdImage;
}; };
apps.x86_64-linux = { apps.x86_64-linux = {
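Review bot: `networkmanager.url = "path:/home/me/work/config/gitignore/nixos-networkmanager-profiles"` points a flake input at an absolute, git-ignored directory on one machine, so although flake.lock records a narHash for it, nothing can fetch that input elsewhere and the `lush`, `rpi` and `main` configurations that import `inputs.networkmanager.nixosModules.networkmanager` only evaluate from this working tree. Since that module is what handles the WireGuard private keys and Wi-Fi passwords, pinning it to a reviewable git remote (`github:` or `git+https://…`) would also make the exact revision auditable. In the `test` configuration, `specialArgs = { inherit inputs confDir workDir secretsDir persistentDir self; }` spells out what the other systems receive via `inherit specialArgs;`; using the shared binding keeps the two from drifting. The `nixosConfigurations` attrset begins before the second hunk and continues past it.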


@@ -17,10 +17,5 @@
settings.KbdInteractiveAuthentication = false; settings.KbdInteractiveAuthentication = false;
}; };
users.users.me.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWsqiz0gEepvPONYxqhKKq4Vxfe1h+jo11k88QozUch me@bitwarden"
];
programs.bash.loginShellInit = "nixos-wsl-welcome"; programs.bash.loginShellInit = "nixos-wsl-welcome";
} }


@@ -6,7 +6,8 @@
../common/nixos-graphical.nix ../common/nixos-graphical.nix
../common/building.nix ../common/building.nix
../users/me/default.nix inputs.home-manager.nixosModules.home-manager
../users/me/gui.nix
]; ];
services.openssh = { services.openssh = {
@@ -17,6 +18,13 @@
settings.PermitRootLogin = "yes"; settings.PermitRootLogin = "yes";
}; };
networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
# to build rpi images
boot.binfmt.emulatedSystems = [
"aarch64-linux"
];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
ntfs3g ntfs3g
]; ];
@@ -28,10 +36,6 @@
trusted-users = [ "me" ]; trusted-users = [ "me" ];
}; };
users.users.me.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main"
];
networking = { networking = {
#usePredictableInterfaceNames = false; #usePredictableInterfaceNames = false;
defaultGateway = { defaultGateway = {


@@ -1,12 +1,22 @@
{ lib, pkgs, inputs, ... }: { lib, pkgs, inputs, secretsDir, ... }:
{ {
system.stateVersion = "23.05"; # Did you read the comment?
#system.stateVersion = "23.05"; # Did you read the comment?
imports = [ imports = [
"${inputs.nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" "${inputs.nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
#inputs.nixos-hardware.nixosModules.raspberry-pi-4 #inputs.nixos-hardware.nixosModules.raspberry-pi-4
inputs.networkmanager.nixosModules.networkmanager
../common/all.nix
inputs.home-manager.nixosModules.home-manager
../users/me/headless.nix
]; ];
# home-manager.users.me = import ../users/me/home-headless.nix;
#nixpkgs.hostPlatform.system = "aarch64-linux"; #nixpkgs.hostPlatform.system = "aarch64-linux";
#nixpkgs.buildPlatform.system = "x86_64-linux"; #nixpkgs.buildPlatform.system = "x86_64-linux";
@@ -14,6 +24,10 @@
# This causes an overlay which causes a lot of rebuilding # This causes an overlay which causes a lot of rebuilding
environment.noXlibs = lib.mkForce false; environment.noXlibs = lib.mkForce false;
environment.systemPackages = with pkgs; [ vim git ];
# "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" creates a # "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" creates a
# disk with this label on first boot. Therefore, we need to keep it. It is the # disk with this label on first boot. Therefore, we need to keep it. It is the
# only information from the installer image that we need to keep persistent # only information from the installer image that we need to keep persistent
@@ -30,31 +44,98 @@
}; };
}; };
########################### ssh ############################
services.openssh = { services.openssh = {
enable = true; enable = true;
ports = [ 22 ]; ports = [ 22 ];
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false; settings.KbdInteractiveAuthentication = false;
settings.PermitRootLogin = "no";
}; };
# end of base.nix
environment.systemPackages = with pkgs; [ vim git ]; ####################################### networking ##########################
networking.hostName = "lush"; networking.hostName = "lush";
users = {
users.me = { networking.networkmanager.enable = true;
password = "hello";
isNormalUser = true; networking.networkmanager.profiles = {
extraGroups = [ "wheel" ]; main = {
openssh.authorizedKeys.keys = [ connection = {
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main" id = "main";
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWsqiz0gEepvPONYxqhKKq4Vxfe1h+jo11k88QozUch me@bitwarden" uuid = "a02273d9-ad12-395e-8372-f61129635b6f";
]; type = "ethernet";
autoconnect-priority = "-999";
interface-name = "eth0";
};
ipv4 = {
address1 = "192.168.1.44/24,192.168.1.1";
dns = "1.1.1.1;";
method = "manual";
};
}; };
pw = {
connection = {
id = "pw";
uuid = "e0103dac-7da0-4e32-a01b-487b8c4c813c";
type = "wifi";
interface-name = "wlan0";
};
wifi = {
hidden = "true";
mode = "infrastructure";
ssid = builtins.readFile "${secretsDir}/wifi-ssid";
};
wifi-security = {
key-mgmt = "wpa-psk";
psk = builtins.readFile "${secretsDir}/wifi-password";
};
ipv4 = {
address1 = "192.168.20.21/24";
method = "auto";
};
};
me = {
connection = {
id = "me";
uuid = "fe45d3bc-21c6-41ff-bc06-c936017c6e02";
type = "wireguard";
autoconnect = "true";
interface-name = "me0";
};
wireguard = {
listen-port = "51820";
private-key = builtins.readFile "${secretsDir}/wg-private-lush";
};
ipv4 = {
address1 = "10.1.1.4/24";
method = "manual";
};
} // (import ../common/wg-peers.nix { inherit secretsDir; });
}; };
systemd.services.iwd.serviceConfig.Restart = "always";
/*
networking = { networking = {
interfaces."wlan0".useDHCP = true; interfaces."wlan0".useDHCP = true;
interfaces."eth0" = {
#name = "eth0";
ipv4.addresses = [
{ address = "192.168.5.5"; prefixLength = 24;}
];
};
*/
/*
wireless = { wireless = {
interfaces = [ "wlan0" ]; interfaces = [ "wlan0" ];
enable = true; enable = true;
@@ -64,6 +145,24 @@
}; };
}; };
*/
####################################### wireguard ##########################
/*
systemd.network.netdevs.me0 = {
enable = true;
wireguardPeers = import ../common/wg-peers.nix { inherit secretsDir; };
wireguardConfig = {
ListenPort = 51820;
PrivateKeyFile = "/etc/wireguard/secret.key";
};
};
networking.wireguard.interfaces = {
me = {
ips = [ "10.1.1.11/24" ];
};
*/
/* /*
boot = { boot = {
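Review bot: `private-key = builtins.readFile "${secretsDir}/wg-private-lush"` and `psk = builtins.readFile "${secretsDir}/wifi-password"` read the secrets at evaluation time, so they become part of the generated NetworkManager profile and, presumably via a store path as NixOS modules write /etc through environment.etc, end up world-readable in the Nix store; the main host file does the same with `wg-private-main`, `wifi-password` and `school-password`, and the rpi host file with `wg-private-rpi`. Only the public keys in common/wg-peers.nix are safe to embed this way. Keep the private material out of the store by having it read from a root-only file at activation or runtime — newer NixOS has `networking.networkmanager.ensureProfiles.environmentFiles` for exactly this, and NetworkManager's `private-key-flags`/`psk-flags` allow a profile that does not carry the secret at all — or by using a secrets manager that decrypts at boot. The `networking.networkmanager.profiles` attrset begins and ends inside this hunk.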


@@ -1,5 +1,5 @@
{ pkgs, lib, workDir, self, secretsDir, config, ... }: { pkgs, lib, workDir, self, secretsDir, config, inputs, ... }:
{ {
# https://bugzilla.kernel.org/show_bug.cgi?id=110941 # https://bugzilla.kernel.org/show_bug.cgi?id=110941
@@ -17,18 +17,17 @@
../common/nixos-graphical.nix ../common/nixos-graphical.nix
../common/building.nix ../common/building.nix
../users/me/default.nix inputs.networkmanager.nixosModules.networkmanager
inputs.home-manager.nixosModules.home-manager
../users/me/gui.nix
../users/root/default.nix ../users/root/default.nix
]; ];
services.avahi.enable = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
cifs-utils cifs-utils
ntfs3g ntfs3g
]; ];
virtualisation.podman.enable = true;
hardware.bluetooth.settings = { hardware.bluetooth.settings = {
General = { General = {
@@ -40,22 +39,11 @@
distributedBuilds = false; # false, because i can't build on hpm currently ... not signed by trusted user error distributedBuilds = false; # false, because i can't build on hpm currently ... not signed by trusted user error
}; };
networking.hostName = "main";
networking.search = [ "c2vi.local" ];
networking.extraHosts = ''
192.168.1.6 hpm
192.168.1.2 rpi
127.0.0.1 youtube.com
127.0.0.1 www.youtube.com
'';
# to build rpi images # to build rpi images
boot.binfmt.emulatedSystems = [ boot.binfmt.emulatedSystems = [
"aarch64-linux" "aarch64-linux"
#"x86_64-unknown-linux-gnu"
#"armv6l-unknown-linux-gnueabihf"
#"armv7l-hf-multiplatform"
]; ];
@@ -73,7 +61,7 @@
options = [ "bind" ]; options = [ "bind" ];
}; };
# my youtube blocking service ################################ my youtube blocking service #############################
systemd.services.stark = systemd.services.stark =
let let
stark = pkgs.writeShellApplication { stark = pkgs.writeShellApplication {
@@ -89,9 +77,9 @@
then then
rm /etc/host-youtube-block rm /etc/host-youtube-block
else else
echo old: $timeout echo old: "$timeout"
timeout=$((timeout - 1)) timeout=$((timeout - 1))
echo new: $timeout echo new: "$timeout"
echo -en $timeout > /etc/host-youtube-block echo -en $timeout > /etc/host-youtube-block
fi fi
else else
@@ -116,7 +104,7 @@
}; };
# syncthing for main ############################## syncthing for main #############################################
services.syncthing = { services.syncthing = {
enable = true; enable = true;
user = "me"; user = "me";
@@ -146,16 +134,20 @@
}; };
############################## networking ###############################################
networking.hostName = "main";
security.polkit.enable = true; security.polkit.enable = true;
services.avahi.enable = true;
networking.networkmanager.enable = true;
networking.firewall.allowPing = true; networking.firewall.allowPing = true;
networking.firewall.enable = true; networking.firewall.enable = true;
services.samba.openFirewall = true; services.samba.openFirewall = true;
# samba
services.samba-wsdd.enable = true; # make shares visible for windows 10 clients
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
5357 # wsdd 5357 # wsdd
8888 # for general usage 8888 # for general usage
@@ -165,7 +157,144 @@
networking.firewall.allowedUDPPorts = [ networking.firewall.allowedUDPPorts = [
3702 # wsdd 3702 # wsdd
51820 # wireguard
]; ];
networking.search = [ "c2vi.local" ];
networking.extraHosts = ''
192.168.1.6 hpm
192.168.1.2 rpi
127.0.0.1 youtube.com
127.0.0.1 www.youtube.com
'';
networking.networkmanager.profiles = {
home = {
connection = {
id = "home";
uuid = "a02273d9-ad12-395e-8372-f61129635b6f";
type = "ethernet";
autoconnect-priority = "-999";
interface-name = "enp1s0";
};
ipv4 = {
address1 = "192.168.1.40/24,192.168.1.1";
dns = "1.1.1.1;";
method = "manual";
};
};
htl = {
connection = {
id = "htl";
uuid = "0d3af539-9abd-4417-b882-cbff96fc3490";
type = "wifi";
interface-name = "wlp2s0";
};
ipv4 = {
method = "auto";
};
wifi = {
mode = "infrastructure";
ssid = "HTLinn";
};
wifi-security = {
key-mgmt = "wpa-eap";
};
"802-1x" = {
eap = "peap";
identity = builtins.readFile "${secretsDir}/school-username";
password = builtins.readFile "${secretsDir}/school-password";
phase2-auth = "mschapv2";
};
};
pt = {
connection = {
id = "pt";
uuid = "f028117e-9eef-47c1-8483-574f7ee798a4";
type = "bluetooth";
autoconnect = "false";
};
bluetooth = {
bdaddr = "E8:78:29:C4:BA:7C";
type = "panu";
};
ipv4 = {
method = "auto";
};
};
pw = {
connection = {
id = "pw";
uuid = "e0103dac-7da0-4e32-a01b-487b8c4c813c";
type = "wifi";
interface-name = "wlp2s0";
};
wifi = {
hidden = "true";
mode = "infrastructure";
ssid = builtins.readFile "${secretsDir}/wifi-ssid";
};
wifi-security = {
key-mgmt = "wpa-psk";
psk = builtins.readFile "${secretsDir}/wifi-password";
};
ipv4 = {
address1 = "192.168.20.20/24";
method = "auto";
};
};
hot = {
connection = {
id = "hot";
uuid = "ab51de8a-9742-465a-928b-be54a83ab6a3";
type = "wifi";
autoconnect = "false";
interface-name = "wlp2s0";
};
wifi = {
mac-address = "0C:96:E6:E3:64:03";
mode = "ap";
ssid = "c2vi-main";
};
ipv4 = {
method = "shared";
};
};
me = {
connection = {
id = "me";
uuid = "fe45d3bc-21c6-41ff-bc06-c936017c6e02";
type = "wireguard";
autoconnect = "true";
interface-name = "me0";
};
wireguard = {
listen-port = "12345";
private-key = builtins.readFile "${secretsDir}/wg-private-main";
};
ipv4 = {
address1 = "10.1.1.1/24";
method = "manual";
};
} // (import ../common/wg-peers.nix { inherit secretsDir; });
};
#################################### samba ######################################
services.samba-wsdd.enable = true; # make shares visible for windows 10 clients
services.samba = { services.samba = {
enable = true; enable = true;
securityType = "user"; securityType = "user";
@@ -200,7 +329,9 @@
}; };
######################################### virtualisation ###############################
virtualisation.libvirtd.enable = true; virtualisation.libvirtd.enable = true;
virtualisation.podman.enable = true;
system.activationScripts.setupLibvirt = lib.stringAfter [ "var" ] '' system.activationScripts.setupLibvirt = lib.stringAfter [ "var" ] ''
mkdir -p /var/lib/libvirt/storage mkdir -p /var/lib/libvirt/storage
@@ -217,7 +348,7 @@
''; '';
# swap and hibernate ############################## swap and hibernate ###################################
swapDevices = [ { device = "/dev/lvm0/swap"; } ]; swapDevices = [ { device = "/dev/lvm0/swap"; } ];
boot.resumeDevice = "/dev/lvm0/swap"; boot.resumeDevice = "/dev/lvm0/swap";
services.logind = { services.logind = {
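Review bot: The `me` WireGuard profile sets `listen-port = "12345"`, but common/wg-peers.nix in this same commit gives main's endpoint as `192.168.1.40:51820` and the firewall hunk above opens `51820 # wireguard` for UDP, so the other peers dial a port this host does not listen on while the opened port stays unused. Either `listen-port = "51820";` here, or change the endpoint in wg-peers.nix and the firewall entry to 12345. The profile also merges in common/wg-peers.nix, which contains main's own public key as a peer; whether NetworkManager accepts an interface whose peer list includes its own key is worth confirming on the target. `networking.networkmanager.profiles` begins and ends inside this hunk.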


@@ -40,26 +40,30 @@ CMD: sudo dphys-swapfile setup
CMD: sudo dphys-swapfile swapon CMD: sudo dphys-swapfile swapon
# things # things
- mdadm
- bcache
- mount /home/files/storage
- so that other users can't read it
- podman containers
- me-net (wireguard)
- rclone mount onedrive backups
- borgmatic
## things done
- smb shares
- swap
- users - users
admin - sudo without password and access to bitwarden admin - sudo without password and access to bitwarden
files - for managing files (old: dateimanager) files - for managing files (old: dateimanager)
server - for deployed servers (podman) server - for deployed servers (podman)
mamafiles - for the mamafiles share mamafiles - for the mamafiles share
- swap
- mdadm
- bcache
- mount /home/files/storage
- so that other users can't read it
- smb shares
- ssh acces - ssh acces
- ssh config: PermitRootAccess and PasswordAuthentication - ssh config: PermitRootAccess and PasswordAuthentication
- me-net (wireguard)
- podman containers
- dyndns - dyndns
- wstunnel for wireguard - wstunnel for wireguard
- rclone mount onedrive backups
- borgmatic


@@ -1,14 +1,17 @@
{ lib, pkgs, inputs, ... }: { lib, pkgs, inputs, secretsDir, ... }:
{ {
imports = [ imports = [
"${inputs.nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" "${inputs.nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
inputs.nixos-hardware.nixosModules.raspberry-pi-4 #inputs.nixos-hardware.nixosModules.raspberry-pi-4
../common/all.nix ../common/all.nix
../common/nixos-headless.nix ../common/nixos-headless.nix
inputs.home-manager.nixosModules.home-manager
../users/me/headless.nix ../users/me/headless.nix
../users/root/default.nix ../users/root/default.nix
../users/server/headles.nix
../users/files/headless.nix
]; ];
system.stateVersion = "23.05"; system.stateVersion = "23.05";
@@ -25,11 +28,20 @@
# disk with this label on first boot. Therefore, we need to keep it. It is the # disk with this label on first boot. Therefore, we need to keep it. It is the
# only information from the installer image that we need to keep persistent # only information from the installer image that we need to keep persistent
environment.systemPackages = with pkgs; [
bcache-tools
];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-label/NIXOS_SD"; { device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4"; fsType = "ext4";
}; };
swapDevices = [ {
device = "/swapfile";
size = 10*1024;
} ];
boot = { boot = {
#kernelPackages = lib.mkForce pkgs.linuxPackages_latest; #kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
loader = { loader = {
@@ -43,6 +55,14 @@
virtualisation.podman.enable = true; virtualisation.podman.enable = true;
users.users.mamafiles = {
isNormalUser = true;
password = "changeme";
};
########################## networking ###########################################
networking.firewall.allowPing = true; networking.firewall.allowPing = true;
networking.firewall.enable = true; networking.firewall.enable = true;
services.samba.openFirewall = true; services.samba.openFirewall = true;
@@ -55,10 +75,10 @@
interface = "eth0"; interface = "eth0";
}; };
interface."eth0" = { interfaces."eth0" = {
#name = "eth0"; #name = "eth0";
ipv4.addresses = [ ipv4.addresses = [
{ address = "192.168.1.6"; prefixLength = 24;} { address = "192.168.1.2"; prefixLength = 24;}
]; ];
}; };
@@ -85,11 +105,100 @@
]; ];
networking.networkmanager.enable = true;
networking.networkmanager.profiles = {
main = {
connection = {
id = "main";
uuid = "a02273d9-ad12-395e-8372-f61129635b6f";
type = "ethernet";
autoconnect-priority = "-999";
interface-name = "eth0";
};
ipv4 = {
address1 = "192.168.1.2/24,192.168.1.1";
dns = "1.1.1.1;";
method = "manual";
};
};
me = {
connection = {
id = "me";
uuid = "fe45d3bc-21c6-41ff-bc06-c936017c6e02";
type = "wireguard";
autoconnect = "true";
interface-name = "me0";
};
wireguard = {
listen-port = "49390";
private-key = builtins.readFile "${secretsDir}/wg-private-rpi";
};
ipv4 = {
address1 = "10.1.1.2/24";
method = "manual";
};
} // (import ../common/wg-peers.nix { inherit secretsDir; }) ;
};
######################################### wstunnel #######################################
systemd.services.wstunnel = {
enable = true;
description = "WStunnel for SSH connections and Wireguard VPN";
after = [ "network.target" ];
unitConfig = {
Type = "simple";
};
serviceConfig = {
Restart = "always";
ExecStart = "${pkgs.wstunnel}/bin/wstunnel --server ws://0.0.0.0:49389 -r 127.0.0.1:49388 -r 127.0.0.1:49390";
};
wantedBy = [ "multi-user.target" ];
};
###################################### dyndns ####################################
systemd.services.update-ip =
let
update-ip = pkgs.writeShellApplication {
name = "update-ip";
runtimeInputs = with pkgs; [ curl w3m ];
text = ''
ip=$(curl my.ip.fi)
curl "http://dynv6.com/api/update?hostname=${builtins.readFile "${secretsDir}/dns-name-two"}&ipv4=$ip&token=${builtins.readFile "${secretsDir}/dns-name-two-token"}"
curl "https://dynamicdns.park-your-domain.com/update?host=@&domain=${builtins.readFile "${secretsDir}/dns-name"}&password=${builtins.readFile "${secretsDir}/dns-name-token"}&ip=$ip"
# https://www.namecheap.com/support/knowledgebase/article.aspx/29/11/how-to-dynamically-update-the-hosts-ip-with-an-https-request/
'';
};
in
{
enable = true;
description = "block Youtube";
unitConfig = {
Type = "simple";
};
serviceConfig = {
Restart = "always";
RestartSec = "500s";
ExecStart = "${update-ip}/bin/update-ip";
};
wantedBy = [ "multi-user.target" ];
};
################################## ssh ###################################### ################################## ssh ######################################
services.openssh.enable = true; services.openssh = {
users.users.me.openssh.authorizedKeys.keys = [ enable = true;
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main" ports = [ 49388 ];
];
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
settings.PermitRootLogin = "no";
};
################################ samba ###################################### ################################ samba ######################################
services.samba-wsdd.enable = true; # make shares visible for windows 10 clients services.samba-wsdd.enable = true; # make shares visible for windows 10 clients
@@ -111,6 +220,7 @@
"valid users" = "files"; "valid users" = "files";
"comment" = "all my files"; "comment" = "all my files";
"path" = "/home/files/storage/files"; "path" = "/home/files/storage/files";
"browsable" = "no";
"read only" = "no"; "read only" = "no";
"guest ok" = "no"; "guest ok" = "no";
"force user" = "files"; "force user" = "files";
@@ -145,6 +255,7 @@
mama = { mama = {
"comment" = "Meine Dateien auf Mamas Laptop"; "comment" = "Meine Dateien auf Mamas Laptop";
"path" = "/home/files/storage/files/stuff/Mamas-Laptop"; "path" = "/home/files/storage/files/stuff/Mamas-Laptop";
"browsable" = "no";
"read only" = "no"; "read only" = "no";
"guest ok" = "no"; "guest ok" = "no";
"valid users" = "mamafiles"; "valid users" = "mamafiles";


@@ -2,12 +2,24 @@
{ {
programs.ssh = { programs.ssh = {
enable = true; enable = true;
includes = [ "./current_rpi_config" ]; #includes = [ "./current_rpi_config" ];
matchBlocks = { matchBlocks = {
"*" = {
identityFile = "${secretsDir}/private-key";
};
"github.com" = { "github.com" = {
hostname = "github.com"; hostname = "github.com";
identityFile = "${secretsDir}/private-key-main"; identityFile = "${secretsDir}/private-key-main";
}; };
rpi = {
port = 49388;
user = "me";
hostname = "192.168.1.2";
};
lush = {
user = "me";
hostname = "192.168.5.5";
};
phone = { phone = {
user = "u0_a345"; user = "u0_a345";
hostname = "192.168.44.1"; hostname = "192.168.44.1";
@@ -23,6 +35,7 @@
user = "me"; user = "me";
identityFile = "${secretsDir}/private-key-main"; identityFile = "${secretsDir}/private-key-main";
hostname = "192.168.1.5"; hostname = "192.168.1.5";
port = 2222;
}; };
hpm = { hpm = {
#hostname = "192.168.1.6"; #hostname = "192.168.1.6";
@@ -59,7 +72,10 @@
home.file.".ssh/known_hosts".force = true; home.file.".ssh/known_hosts".force = true;
home.file.".ssh/known_hosts".text = '' home.file.".ssh/known_hosts".text = ''
hpm ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ+FpaNOf+ao6RCa6e43vAHFcQZTGu45rIqAG3Vx0/M8 hpm ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ+FpaNOf+ao6RCa6e43vAHFcQZTGu45rIqAG3Vx0/M8
hpm ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDbIgfPvt3NUWLxAv0jvWv7IUXHaR7k5M7Z1Kz24K+ZYuPRboHWNbcqGjik0kWDGwXejtTLkyiThK641Q0ffYp3bumKL3b3fBNLoRwHfVMHT9ZuM7e9nALJRa+0keBPTcO9kHliYJlEBiF4jHSZhVDPnZ0Qskg2m94AipKrhUC4KIbLFAERlDnFTxw8LTnzdfzs/n/80zH5tKq1TSlYd2XBIMlzYwxTGEgItifierQhncleVVUJ8IPLsSulMgCQu3BA8cGmdApbSe41FIieIsYzLEtJVnCRt0PymdYa1NdyngJ8ZWyXo6JjTCEHWv35WW05Oiw/tMyUDQoeebACe+Ve9WsYdb+0uttAQWZauODimGY/kRrwy2jCqDRoKjq+rWmTgLsXzuTr7sZ2nmlCIs0XkTXzwduo6ZJ1uNHYWTIjnC1in5uB5TMBlVQxEOdeLOIB9reHP7dajguCGLsOg/a7W/kx181w5MdXq5e9ch7Hp2eC9wBbwcy4EtmX0GAYSPV4GWGwunU92TFE5kg7haV23sdRfLf6ARrDLtsfvTzvoWWQFiO7AgrcOdSQtMUM0/egLUj0lg/A5fxV1pfXvxAF7TquNJCXhDYczCbej4PQM2WBe2eGY+BjY3gDHtUdzWEqhH+b6/Cz78yAa4aSWDB8D+Ejv0N0BZLaImYQhma5PQ== lush ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFevbQp0XTZOVFZTDMKzgsZn4NNEIN+SFMqUhSbF5WFo
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
rpi ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOX+6B6Axx7AqgCm1H1rrou/3yOLeOLcTd8s0In0mOIY
phone ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHxg0HKtGAkwymll8r17d9cXdt40dJgRkSAzB699pWke+edne4Ildcnbde2yle01nEL7GOg92vh5t1sh6vkCzJQ=
''; '';
home.file.".ssh/rpi/local".text = '' home.file.".ssh/rpi/local".text = ''
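Review bot: The new known_hosts lines `rpi ssh-ed25519 …` and `lush ssh-ed25519 …` are keyed by the match-block alias, but OpenSSH looks up known_hosts by the resolved `HostName` and port, so for `rpi` (hostname `192.168.1.2`, port 49388) the entry would have to be `[192.168.1.2]:49388 ssh-ed25519 …` and for `lush` `192.168.5.5 ssh-ed25519 …`, unless the match blocks also set `HostKeyAlias` (e.g. `extraOptions = { HostKeyAlias = "rpi"; };`), which the hunk does not show. As written the first connection will prompt for the key, and because the file is home-manager-managed with `force = true` it presumably cannot persist an interactively accepted key either. The existing `hpm` line likely works only because its block leaves `hostname` commented out and the name resolves through DNS/extraHosts. The `matchBlocks` attrset starts in the first hunk and is closed outside the visible hunks.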


@@ -50,6 +50,7 @@
jq jq
wget wget
tmux tmux
wireguard-tools
# python.... # python....
(python310.withPackages (p: with p; [ (python310.withPackages (p: with p; [
pandas pandas

27
users/files/headless.nix Normal file

@@ -0,0 +1,27 @@
{ self, config, inputs, ... }:
{
users.users.files = {
isNormalUser = true;
password = "changeme";
};
home-manager.extraSpecialArgs = {
inherit self;
hostname = config.networking.hostName;
};
home-manager.users.files = import ../common/home.nix;
users.users.files.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWsqiz0gEepvPONYxqhKKq4Vxfe1h+jo11k88QozUch me@bitwarden"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAioUu4ow6k+OMjjLdzogiQM4ZEM3TNekGNasaSDzQQE me@phone"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPmwi4ovyqhX/5YwGUZqntVD+i44qL+Nxf9Ubj4XxV9n me@acern"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAIh7LDjwojcjJM8puPqFibx9zPn/k1cYgWXNQf0ZbC4 me@hpm"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC81lBzAYuwvcEITxRrUR8BT2geyj2dB91pNavUsulKj me@loki"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDvGUZE8lZ7OZifndT0nPPJrgKXScD7zMTRIeBfQOfwh me@lush"
];
}
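Review bot: `password = "changeme"` sets a cleartext, repository-visible password for the `files` user (the `valid users`/`force user` of the Samba shares in the rpi host file), and NixOS stores `users.users.<name>.password` unhashed in the store-resident users file it uses at activation; the same default is used for `server` in users/server/headles.nix and for `mamafiles` in the rpi host file. Prefer `hashedPassword`, or the `passwordFile = "${secretsDir}/…"` form that users/server/headles.nix already carries commented out, or omit the password entirely and rely on the SSH keys if no interactive login is needed. The authorized-key list is now repeated in four modules (here, users/server/headles.nix, users/me/headless.nix and the `fonts.fonts` module); moving it into one shared file would make revoking a key a single edit. `inputs` is taken as an argument but not used in the visible file.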


@@ -17,4 +17,11 @@
fonts.fonts = with pkgs; [ fonts.fonts = with pkgs; [
hack-font hack-font
]; ];
users.users.me.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWsqiz0gEepvPONYxqhKKq4Vxfe1h+jo11k88QozUch me@bitwarden"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAioUu4ow6k+OMjjLdzogiQM4ZEM3TNekGNasaSDzQQE me@phone"
];
} }


@@ -1,4 +1,4 @@
{ self, config, ... }: { self, config, inputs, ... }:
{ {
users.users.me = { users.users.me = {
isNormalUser = true; isNormalUser = true;
@@ -12,6 +12,13 @@
hostname = config.networking.hostName; hostname = config.networking.hostName;
}; };
home-manager.users.me = import ./home-headless.nix; home-manager.users.me = import ../common/home.nix;
users.users.me.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWsqiz0gEepvPONYxqhKKq4Vxfe1h+jo11k88QozUch me@bitwarden"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAioUu4ow6k+OMjjLdzogiQM4ZEM3TNekGNasaSDzQQE me@phone"
];
} }


@@ -3,7 +3,7 @@
{ {
imports = [ imports = [
./home-headless.nix ../common/home.nix
# my gui programs # my gui programs
../../programs/alacritty.nix ../../programs/alacritty.nix

23
users/server/headles.nix Normal file

@@ -0,0 +1,23 @@
{ self, config, inputs, ... }:
{
users.users.server = {
isNormalUser = true;
#passwordFile = "${secretsDir}/me-pwd";
password = "changeme";
};
home-manager.extraSpecialArgs = {
inherit self;
hostname = config.networking.hostName;
};
home-manager.users.server = import ../common/home.nix;
users.users.server.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWsqiz0gEepvPONYxqhKKq4Vxfe1h+jo11k88QozUch me@bitwarden"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAioUu4ow6k+OMjjLdzogiQM4ZEM3TNekGNasaSDzQQE me@phone"
];
}