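# NixOS host module for "nixberry": a Raspberry Pi 5 that serves the LAN as
# DNS filter (AdGuard Home), Samba file server and Tailscale exit node.
# `topLevel` is the flake-level module arguments, used only to pull sibling
# nixos / home-manager modules into `imports`.
topLevel: {
  flake.modules.nixos."hosts/nixberry" =
    {
      config,
      inputs,
      lib,
      pkgs,
      ...
    }:
    let
      # Static address of the wired interface (end0). It is also what AdGuard
      # listens on (host) and what the local DNS rewrite answers with.
      ipAddress = "192.168.178.2";
      # sops-encrypted secrets for this host (tailscale auth key, samba passwords).
      sopsFile = ../../../secrets/secrets-nixberry.yaml;
      # Samba users that get a password from sops. The list drives both the
      # "samba/<user>" secret declarations and the smbpasswd setup in
      # samba-smbd.postStart, so the two cannot drift apart.
      sambaUsers = [ "cholli" ];
    in
    {
      nixpkgs = {
        config.allowUnfree = true;
        # Cross-compile for the Pi unless the build machine already is aarch64-linux.
        crossSystem = lib.mkIf (pkgs.stdenv.buildPlatform.system != "aarch64-linux") (
          lib.systems.elaborate "aarch64-linux"
        );
      };

      # hack, homemanager needs it
      programs.dconf.enable = true;

      # build failure
      programs.nix-ld.enable = false;

      # All secrets live in the host's sops file: the tailscale key plus one
      # "samba/<user>" entry per entry of `sambaUsers`.
      sops.secrets =
        {
          tailscale_key = {
            inherit sopsFile;
          };
        }
        // builtins.listToAttrs (
          map (user: {
            name = "samba/${user}";
            value = {
              inherit sopsFile;
            };
          }) sambaUsers
        );

      imports =
        with topLevel.config.flake.modules.nixos;
        with inputs.nixos-raspberrypi.nixosModules;
        [
          inputs.catppuccin.nixosModules.catppuccin
          raspberry-pi-5.base
          raspberry-pi-5.page-size-16k
          raspberry-pi-5.display-vc4

          # System modules
          base
          server

          cholli
        ]
        ++ [
          {
            home-manager.users.cholli = {
              imports = with topLevel.config.flake.modules.homeManager; [
                inputs.catppuccin.homeModules.catppuccin

                # components
                base

                # Activate all user based config
                cholli
              ];

              # https://github.com/NixOS/nixpkgs/pull/398456
              home.enableNixpkgsReleaseCheck = false;
            };
          }
        ];

      # Tailscale node that also routes traffic for the tailnet (exit node);
      # the auth key comes from sops rather than the store.
      services.tailscale = {
        enable = true;
        package = inputs.nixpkgs-master.legacyPackages.${pkgs.stdenv.hostPlatform.system}.tailscale;
        useRoutingFeatures = "server";
        authKeyFile = config.sops.secrets.tailscale_key.path;
        extraUpFlags = [ "--advertise-exit-node" ];
      };

      networking = {
        # Wired and wireless both carry a static /24 address in addition to DHCP.
        interfaces.end0 = {
          ipv4.addresses = [
            {
              address = ipAddress;
              prefixLength = 24;
            }
          ];
          useDHCP = true;
        };
        interfaces.wlan0 = {
          ipv4.addresses = [
            {
              address = "192.168.178.3";
              prefixLength = 24;
            }
          ];
          useDHCP = true;
        };
        # Default route goes out over wifi, not the wired interface.
        defaultGateway = {
          address = "192.168.178.1";
          interface = "wlan0";
        };

        # NOTE(review): these rules are not interface-scoped, so DNS (53) and the
        # AdGuard admin UI (80) are reachable from every interface, including
        # the tailnet and whatever arrives via the exit node. 443 is opened but
        # no service in this module binds it — confirm it is still needed.
        firewall = {
          allowedTCPPorts = [
            443
            53
            80
          ];
          allowedUDPPorts = [
            53
          ];
        };
      };

      # LAN-wide filtering DNS resolver with encrypted (DoT/DoH) upstreams.
      services.adguardhome = {
        enable = true;
        host = ipAddress;
        port = 80;

        settings = {
          # NOTE(review): this overrides the host/port above and binds the
          # plain-HTTP admin UI on every interface (wlan0 and tailscale0
          # included). Use "${ipAddress}:80" unless tailnet access is wanted.
          http = {
            address = "0.0.0.0:80";
          };
          dns = {
            # 0 disables AdGuard's per-client query rate limit; with the
            # listener on 0.0.0.0 and 53 open globally, anything that can reach
            # the Pi gets an unthrottled resolver (LAN-only unless the router
            # forwards 53).
            ratelimit = 0;
            bind_hosts = [ "0.0.0.0" ];
            upstream_dns = [
              "tls://unfiltered.adguard-dns.com"
              "https://unfiltered.adguard-dns.com/dns-query"
              "tls://dns.quad9.net"
              "https://dns.quad9.net/dns-query"
              "tls://security.cloudflare-dns.com"
              "https://security.cloudflare-dns.com/dns-query"
            ];
            upstream_mode = "parallel";
          };
          filtering = {
            protection_enabled = true;
            filtering_enabled = true;
            # Local override so the router's hostname resolves to the wired address.
            rewrites = [
              {
                domain = "nixberry.fritz.box";
                answer = ipAddress;
              }
            ];
          };

          user_rules = [
            "||qognify.sysaidit.com^$important"
            "||*.live.darktracesensor.com^$important"
          ];

          # Every list URL becomes an enabled filter entry.
          filters =
            map
              (url: {
                enabled = true;
                inherit url;
              })
              [
                "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt" # AdGuard Dns filter
                "https://adguardteam.github.io/HostlistsRegistry/assets/filter_59.txt" # AdGuard Dns PopupHosts filter
                "https://adguardteam.github.io/HostlistsRegistry/assets/filter_9.txt" # The Big List of Hacked Malware Web Sites
                "https://adguardteam.github.io/HostlistsRegistry/assets/filter_11.txt" # malicious url blocklist
                "https://adguardteam.github.io/HostlistsRegistry/assets/filter_18.txt" # Phishing
                "https://adguardteam.github.io/HostlistsRegistry/assets/filter_24.txt"
                "https://adguardteam.github.io/HostlistsRegistry/assets/filter_47.txt"
              ];

          # Query statistics are retained for a full year (8760h).
          statistics = {
            enabled = true;
            interval = "8760h";
          };
          # Known clients, identified by LAN and tailnet addresses.
          clients = {
            persistent = [
              {
                name = "yggdrasil";
                ids = [ "192.168.178.51" ];
                tags = [
                  "device_pc"
                  "os_linux"
                ];
                uid = "019aac26-684c-7c2c-a43d-2253f4407d45";
                use_global_settings = true;
              }
              {
                name = "holli - phone";
                ids = [
                  "192.168.178.52"
                  "100.124.47.76"
                  "fd7a:115c:a1e0::b701:2f4f"
                ];
                tags = [
                  "device_pc"
                  "os_linux"
                ];
                use_global_settings = true;
              }
              {
                name = "nixberry";
                ids = [
                  ipAddress
                  "100.90.93.35"
                  "fd7a:115c:a1e0::dd01:5d34"
                ];
                tags = [
                  "device_pc"
                  "os_linux"
                ];
                uid = "019aac5a-760e-73f9-a246-3470dae6219d";
                use_global_settings = true;
              }
              {
                name = "work-laptop";
                ids = [ "192.168.178.48" ];
                tags = [
                  "device_pc"
                  "os_windows"
                ];
                uid = "019aac55-ae29-7c5e-aac0-baadd7157f92";
                use_global_settings = true;
              }
            ];
          };

        };
      };

      # Currently switched off (enable = false); the configuration is kept so it
      # can be turned back on without re-doing it.
      services.home-assistant = {
        enable = false;
        configWritable = true;
        extraComponents = [
          "default_config"
          "analytics"
          "shopping_list"
          "fritzbox"
          "met"
          "esphome"
          "rpi_power"
          "tuya"
        ];

        customComponents = with pkgs.home-assistant-custom-components; [
          smartthinq-sensors
          sleep_as_android
        ];

        extraPackages =
          python3Packages: with python3Packages; [
            ical
          ];

        customLovelaceModules = with pkgs.home-assistant-custom-lovelace-modules; [
          mushroom
          bubble-card
          clock-weather-card
          vacuum-card
        ];

        config = {
          homeassistant = {
            latitude = 49.4;
            longitude = 8.6;
            temperature_unit = "C";
            unit_system = "metric";

            external_url = "https://ha.christophhollizeck.dev";
            internal_url = "http://${ipAddress}:8123";
          };

          default_config = "";

          mobile_app = "";
          recorder = "";

          lovelace = {
            # mode = "yaml";
            resources = [
              {
                url = "/local/nixos-lovelace-modules/vacuum-card.js";
                type = "module";
              }
              {
                url = "/local/nixos-lovelace-modules/bubble-card.js";
                type = "module";
              }
              {
                url = "/local/nixos-lovelace-modules/clock-weather-card.js";
                type = "module";
              }
              {
                url = "/local/nixos-lovelace-modules/mushroom.js";
                type = "module";
              }
            ];
          };

          # X-Forwarded-For is only honoured from the single listed reverse
          # proxy; keep this list minimal, any entry here can spoof client IPs.
          http = {
            use_x_forwarded_for = true;
            trusted_proxies = [
              "100.86.250.97" # loptland tailscale
            ];
          };
        };
        openFirewall = true;
      };

      services = {
        samba = {
          enable = true;
          openFirewall = true;

          settings = {
            global = {
              "smb3 unix extensions" = "yes";
            };

            # Two writable shares under /storage, group-owned by "users".
            cholli = {
              path = "/storage/cholli";
              browsable = "yes";
              writable = "yes";
              "create mask" = "0664";
              "directory mask" = "0775";
              "force group" = "users";
            };

            kaman = {
              path = "/storage/kaman";
              browsable = "yes";
              writable = "yes";
              "create mask" = "0664";
              "directory mask" = "0775";
              "force group" = "users";
            };

          };

        };

        # mDNS and WS-Discovery so the shares show up in file browsers.
        avahi.enable = true;
        samba-wsdd = {
          enable = true;
          openFirewall = true;
        };
      };

      # add user passwords
      # For every entry of `sambaUsers`, feed the sops-provided password to
      # `smbpasswd -s -a` (which reads it twice from stdin). The secret is read
      # into a variable and written with printf so that whitespace, glob
      # characters or a leading "-" in the password survive intact; an unquoted
      # `echo $(< file)` would word-split, glob-expand and let echo parse
      # options. `$(< file)` is a bashism; NixOS service scripts run under bash.
      systemd.services.samba-smbd.postStart =
        let
          setupUser =
            user:
            let
              passwordPath = config.sops.secrets."samba/${user}".path;
              smbpasswd = "${config.services.samba.package}/bin/smbpasswd";
            in
            ''
              pw="$(< ${passwordPath})"
              printf '%s\n%s\n' "$pw" "$pw" | ${smbpasswd} -s -a ${user}
              unset pw
            '';
        in
        ''
          ${builtins.concatStringsSep "\n" (map setupUser sambaUsers)}
        '';
    };
}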