...

2023-11-21 13:53:05 +01:00
parent 31a632d87b
commit cbcf3a0e3d
13 changed files with 377 additions and 114 deletions
--- a/hosts/acern.nix
+++ b/hosts/acern.nix
@@ -0,0 +1,26 @@
+{ pkgs, inputs, ...}:
+{
+  imports = [
+    inputs.nix-wsl.nixosModules.wsl
+    ./users/me/headless.nix
+    ./common/all.nix
+    ./common/nixos-headless.nix
+  ];
+
+  wsl.enable = true;
+
+  services.openssh = {
+    enable = true;
+    ports = [ 2222 ];
+
+    settings.PasswordAuthentication = false;
+    settings.KbdInteractiveAuthentication = false;
+  };
+
+  users.users.me.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWsqiz0gEepvPONYxqhKKq4Vxfe1h+jo11k88QozUch me@bitwarden"
+  ];
+
+  programs.bash.loginShellInit = "nixos-wsl-welcome";
+}
--- a/hosts/lush.nix
+++ b/hosts/lush.nix
--- a/hosts/main.nix
+++ b/hosts/main.nix
@@ -13,7 +13,7 @@

 	imports = [
 		../common/all.nix
-		../common/nixos.nix
+		../common/nixos-headless.nix
 		../common/nixos-graphical.nix
    ../common/building.nix

@@ -29,6 +29,7 @@
  ];

  virtualisation.podman.enable = true;
+
  hardware.bluetooth.settings = {
    General = {
      MultiProfile = "multiple";
@@ -88,7 +89,9 @@
          then
            rm /etc/host-youtube-block
          else
+            echo old: $timeout
            timeout=$((timeout - 1))
+            echo new: $timeout
            echo -en $timeout > /etc/host-youtube-block
          fi
        else
@@ -144,8 +147,9 @@


 	security.polkit.enable = true;
-	networking.firewall.enable = true;
+
 	networking.firewall.allowPing = true;
+	networking.firewall.enable = true;
 	services.samba.openFirewall = true;


@@ -153,9 +157,10 @@
 	services.samba-wsdd.enable = true; # make shares visible for windows 10 clients

 	networking.firewall.allowedTCPPorts = [
-  		5357 # wsdd
+  	5357 # wsdd
 		8888 # for general usage
 		9999 # for general usage
+    8080 # for mitm proxy
 	];

 	networking.firewall.allowedUDPPorts = [
--- a/hosts/rpi.md
+++ b/hosts/rpi.md
@@ -0,0 +1,66 @@
+
+
+# get pi to boot from usb-source
+echo program_usb_boot_mode=1 | sudo tee -a /boot/config.txt
+https://www.elektronik-kompendium.de/sites/raspberry-pi/2404241.htm
+
+# setup
+## set static ip (192.168.1.2)
+used /etc/network/interfaces (seems to be debian only)
+
+
+## enable ssh (touch ssh file in the boot partition)
+
+## set root pwd (copy hash from local /etc/shadow)
+
+CMD: apt update
+CMD: apt install nodejs npm
+CMD: npm i -g @bitwarden/cli
+
+## set hostname
+
+## setup bcache
+- if "sudo make-bcache -C /dev/sda3 -B /dev/md0" then no need for registering (i think)
+PKG: bcache-tools git build-essential uuid-dev mdadm
+CMD: sudo make-bcache -C /dev/sda3
+CMD: sudo mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sdb /dev/sdc
+CMD: sudo make-bcache -B /dev/md0
+
+## other bcache things 
+- you can echo 1 > /sys/fs/bcache/<UUID>/unregister
+- but there also is: echo 1 > /sys/block/bcache0/bcache/stop
+	- if seccond is not done, volumes used by this bcache device will show as "<dev> is apparently in use by the system; will not make a filesystem here!", when mkfs.ext5 <dev>
+
+## mdadm things 
+- do a check: https://www.thomas-krenn.com/de/wiki/Mdadm_checkarray
+
+## add swap file maybe
+CMD: sudo vim /etc/dphys-swapfile
+CMD: sudo dphys-swapfile setup
+CMD: sudo dphys-swapfile swapon
+
+# things
+- users
+    admin - sudo without password and access to bitwarden
+    files - for managing files (old: dateimanager)
+    server - for deployed servers (podman)
+    mamafiles - for the mamafiles share
+- swap
+- mdadm
+- bcache
+- mount /home/files/storage
+    - so that other users can't read it
+- smb shares
+- ssh acces
+    - ssh config: PermitRootAccess and PasswordAuthentication
+- me-net (wireguard)
+- podman containers
+- dyndns
+- wstunnel for wireguard
+- rclone mount onedrive backups
+- borgmatic
+
+
+
+
+
--- a/hosts/rpi.nix
+++ b/hosts/rpi.nix
@@ -0,0 +1,122 @@
+{ lib, pkgs, ... }:
+{
+  imports = [
+		../common/all.nix
+		../common/nixos-headless.nix
+
+		../users/me/default.nix
+		../users/root/default.nix
+  ];
+
+  # This causes an overlay which causes a lot of rebuilding
+  environment.noXlibs = lib.mkForce false;
+  # "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" creates a
+  # disk with this label on first boot. Therefore, we need to keep it. It is the
+  # only information from the installer image that we need to keep persistent
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-label/NIXOS_SD";
+      fsType = "ext4";
+    };
+
+  boot = {
+    kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
+    loader = {
+      generic-extlinux-compatible.enable = lib.mkDefault true;
+      grub.enable = lib.mkDefault false;
+      raspberryPi.firmwareConfig = ''
+        program_usb_boot_mode=1
+      '';
+    };
+  };
+
+  virtualisation.podman.enable = true;
+
+	networking.firewall.allowPing = true;
+	networking.firewall.enable = true;
+	services.samba.openFirewall = true;
+
+  networking.hostName = "rpi";
+
+  networking = {
+		defaultGateway = {
+			address = "192.168.1.1";
+			interface = "eth0";
+		};
+
+    interface."eth0" = {
+				#name = "eth0";
+				ipv4.addresses = [
+					{ address = "192.168.1.6"; prefixLength = 24;}
+				];
+    };
+
+    interfaces."wlan0".useDHCP = true;
+
+    wireless = {
+      interfaces = [ "wlan0" ];
+      enable = true;
+      networks = {
+        seb-phone.psk = "hellogello";
+      };
+    };
+  };
+
+	networking.firewall.allowedTCPPorts = [
+  	5357 # wsdd
+		8888 # for general usage
+		9999 # for general usage
+    8080 # for mitm proxy
+	];
+
+	networking.firewall.allowedUDPPorts = [
+  		3702 # wsdd
+	];
+
+
+  ################################## ssh ######################################
+  services.openssh.enable = true;
+	users.users.me.openssh.authorizedKeys.keys = [
+		"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main"
+	];
+
+
+
+	################################ samba ######################################
+	services.samba-wsdd.enable = true; # make shares visible for windows 10 clients
+
+	services.samba = {
+  		enable = true;
+  		securityType = "user";
+  		extraConfig = ''
+			security = user
+			map to guest = bad user
+			guest account = me
+
+			server role = standalone server
+			workgroup = WORKGROUP
+  		'';
+  		shares = {
+    		rpi_schule = {
+    			path = "${workDir}/rpi-schule/";
+	 			"guest ok" = "yes";
+    			"read only" = "no";
+    			public = "yes";
+    			writable = "yes";
+    			printable = "no";
+    			comment = "share for rpi in school wlan";
+    		};
+
+    		share = {
+    			comment = "share for sharing stuff";
+    			path = "${workDir}/share";
+    			public = "yes";
+	 			"guest ok" = "yes";
+    			"read only" = "no";
+    			writable = "yes";
+    		};
+  		};
+	};
+
+
+}