topLevel: { flake.modules.nixos."hosts/nixberry" = { config, inputs, lib, pkgs, ... }: let ipAddress = "192.168.178.2"; sopsFile = ../../../secrets/secrets-nixberry.yaml; in { nixpkgs = { config.allowUnfree = true; crossSystem = lib.mkIf (pkgs.stdenv.buildPlatform.system != "aarch64-linux") ( lib.systems.elaborate "aarch64-linux" ); }; # hack, homemanager needs it programs.dconf.enable = true; # build failure programs.nix-ld.enable = false; sops.secrets.tailscale_key = { inherit sopsFile; }; imports = with topLevel.config.flake.modules.nixos; with inputs.nixos-raspberrypi.nixosModules; [ inputs.catppuccin.nixosModules.catppuccin raspberry-pi-5.base raspberry-pi-5.page-size-16k raspberry-pi-5.display-vc4 # System modules base server cholli ] ++ [ { home-manager.users.cholli = { imports = with topLevel.config.flake.modules.homeManager; [ inputs.catppuccin.homeModules.catppuccin # components base # Activate all user based config cholli ]; # https://github.com/NixOS/nixpkgs/pull/398456 home.enableNixpkgsReleaseCheck = false; }; } ]; services.tailscale = { enable = true; package = inputs.nixpkgs-master.legacyPackages.${pkgs.stdenv.hostPlatform.system}.tailscale; useRoutingFeatures = "server"; authKeyFile = config.sops.secrets.tailscale_key.path; extraUpFlags = [ "--advertise-exit-node" ]; }; networking = { interfaces.end0 = { ipv4.addresses = [ { address = ipAddress; prefixLength = 24; } ]; useDHCP = true; }; interfaces.wlan0 = { ipv4.addresses = [ { address = "192.168.178.3"; prefixLength = 24; } ]; useDHCP = true; }; defaultGateway = { address = "192.168.178.1"; interface = "wlan0"; }; firewall = { allowedTCPPorts = [ 443 53 80 ]; allowedUDPPorts = [ 53 ]; }; }; services.adguardhome = { enable = true; host = ipAddress; port = 80; settings = { http = { address = "0.0.0.0:80"; }; dns = { ratelimit = 0; bind_hosts = [ "0.0.0.0" ]; upstream_dns = [ "tls://unfiltered.adguard-dns.com" "https://unfiltered.adguard-dns.com/dns-query" "tls://dns.quad9.net" "https://dns.quad9.net/dns-query" "tls://security.cloudflare-dns.com" "https://security.cloudflare-dns.com/dns-query" ]; upstream_mode = "parallel"; }; filtering = { protection_enabled = true; filtering_enabled = true; rewrites = [ { domain = "nixberry.fritz.box"; answer = "192.168.178.2"; } ]; }; user_rules = [ "||qognify.sysaidit.com^$important" "||*.live.darktracesensor.com^$important" ]; filters = map (url: { enabled = true; url = url; }) [ "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt" # AdGuard Dns filter "https://adguardteam.github.io/HostlistsRegistry/assets/filter_59.txt" # AdGuard Dns PopupHosts filter "https://adguardteam.github.io/HostlistsRegistry/assets/filter_9.txt" # The Big List of Hacked Malware Web Sites "https://adguardteam.github.io/HostlistsRegistry/assets/filter_11.txt" # malicious url blocklist "https://adguardteam.github.io/HostlistsRegistry/assets/filter_18.txt" # Phishing "https://adguardteam.github.io/HostlistsRegistry/assets/filter_24.txt" "https://adguardteam.github.io/HostlistsRegistry/assets/filter_47.txt" ]; statistics = { enabled = true; interval = "8760h"; }; clients = { persistent = [ { name = "yggdrasil"; ids = [ "192.168.178.51" ]; tags = [ "device_pc" "os_linux" ]; uid = "019aac26-684c-7c2c-a43d-2253f4407d45"; use_global_settings = true; } { name = "holli - phone"; ids = [ "192.168.178.52" "100.124.47.76" "fd7a:115c:a1e0::b701:2f4f" ]; tags = [ "device_pc" "os_linux" ]; use_global_settings = true; } { name = "nixberry"; ids = [ "192.168.178.2" "100.90.93.35" "fd7a:115c:a1e0::dd01:5d34" ]; tags = [ "device_pc" "os_linux" ]; uid = "019aac5a-760e-73f9-a246-3470dae6219d"; use_global_settings = true; } { name = "work-laptop"; ids = [ "192.168.178.48" ]; tags = [ "device_pc" "os_windows" ]; uid = "019aac55-ae29-7c5e-aac0-baadd7157f92"; use_global_settings = true; } ]; }; }; }; services.home-assistant = { enable = false; configWritable = true; extraComponents = [ "default_config" "analytics" "shopping_list" "fritzbox" "met" "esphome" "rpi_power" "tuya" ]; customComponents = with pkgs.home-assistant-custom-components; [ smartthinq-sensors sleep_as_android ]; extraPackages = python3Packages: with python3Packages; [ ical ]; customLovelaceModules = with pkgs.home-assistant-custom-lovelace-modules; [ mushroom bubble-card clock-weather-card vacuum-card ]; config = { homeassistant = { latitude = 49.4; longitude = 8.6; temperature_unit = "C"; unit_system = "metric"; external_url = "https://ha.christophhollizeck.dev"; internal_url = "http://192.168.178.2:8123"; }; default_config = ""; mobile_app = ""; recorder = ""; lovelace = { # mode = "yaml"; resources = [ { url = "/local/nixos-lovelace-modules/vacuum-card.js"; type = "module"; } { url = "/local/nixos-lovelace-modules/bubble-card.js"; type = "module"; } { url = "/local/nixos-lovelace-modules/clock-weather-card.js"; type = "module"; } { url = "/local/nixos-lovelace-modules/mushroom.js"; type = "module"; } ]; }; http = { use_x_forwarded_for = true; trusted_proxies = [ "100.86.250.97" # loptland tailscale ]; }; }; openFirewall = true; }; sops.secrets = { "samba/cholli" = { inherit sopsFile; }; }; services = { samba = { enable = true; openFirewall = true; settings = { global = { "smb3 unix extensions" = "yes"; }; cholli = { path = "/storage/cholli"; browsable = "yes"; writable = "yes"; "create mask" = "0664"; "directory mask" = "0775"; "force group" = "users"; }; kaman = { path = "/storage/kaman"; browsable = "yes"; writable = "yes"; "create mask" = "0664"; "directory mask" = "0775"; "force group" = "users"; }; }; }; avahi.enable = true; samba-wsdd = { enable = true; openFirewall = true; }; }; # add user passwords systemd.services.samba-smbd.postStart = let users = [ "cholli" ]; setupUser = user: let passwordPath = config.sops.secrets."samba/${user}".path; smbpasswd = "${config.services.samba.package}/bin/smbpasswd"; in '' (echo $(< ${passwordPath}); echo $(< ${passwordPath})) | \ ${smbpasswd} -s -a ${user} ''; in '' ${builtins.concatStringsSep "\n" (map setupUser users)} ''; }; }