Cloonar/nixos
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: many changes

Browse Source
This commit is contained in:
Dominik Polakovics Polakovics
2025-08-01 19:48:49 +02:00
parent 7f01dc4cac
commit 3990566fe5
21 changed files with 363 additions and 170 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
hosts/fw/modules/dnsmasq.nix
View File

@@ -66,9 +66,9 @@
];
dhcp-host = [
"30:05:5c:56:62:37,${config.networkPrefix}.96.100,brn30055c566237"
"24:df:a7:b1:1b:74,${config.networkPrefix}.96.101,rmproplus-b1-1b-74"
"30:05:5c:56:62:37,${config.networkPrefix}.99.100,brn30055c566237"
"1a:c4:04:6e:29:bd,${config.networkPrefix}.97.2,omada"
"02:00:00:00:00:04,${config.networkPrefix}.97.6,matrix"
"ea:db:d4:c1:18:ba,${config.networkPrefix}.97.50,git"
@@ -79,7 +79,6 @@
"f0:2f:9e:d4:3b:21,${config.networkPrefix}.99.11,firetv-living"
"e4:2a:ac:32:3f:79,${config.networkPrefix}.99.13,xbox"
"f0:2f:9e:c1:74:72,${config.networkPrefix}.99.21,firetv-bedroom"
"30:05:5c:56:62:37,${config.networkPrefix}.99.100,brn30055c566237"
"fc:ee:28:03:63:e9,${config.networkPrefix}.100.148,k1c"
"cc:50:e3:bc:27:64,${config.networkPrefix}.100.112,Nuki_Bridge_1A753F72"
@@ -100,7 +99,7 @@
"/feeds.cloonar.com/188.34.191.144"
"/nukibridge1a753f72.cloonar.smart/${config.networkPrefix}.100.112"
"/allywatch.cloonar.com/${config.networkPrefix}.97.5"
"/brn30055c566237.cloonar.com/${config.networkPrefix}.96.100"
"/brn30055c566237.cloonar.multimedia/${config.networkPrefix}.99.100"
"/stage.wsw.at/10.254.235.22"
"/prod.wsw.at/10.254.217.23"

7
hosts/fw/modules/foundry-vtt.nix
View File

@@ -38,6 +38,7 @@ in {
address = "${hostConfig.networkPrefix}.96.1";
interface = "eth0";
};
firewall.enable = false;
nameservers = [ "${hostConfig.networkPrefix}.97.1" ];
};
systemd.services.foundry-vtt = {
@@ -66,12 +67,6 @@ in {
gid = cids.gids.foundry-vtt;
};
networking.firewall = {
enable = true;
allowedTCPPorts = [ 30000 ];
};
system.stateVersion = "24.05";
};
};

102
hosts/fw/modules/home-assistant/light.nix
View File

@@ -274,46 +274,88 @@
};
};
};
"automation bed_button_1" = {
alias = "bed_button_1";
trigger = {
"automation bedroom light" = {
alias = "bedroom light";
trigger = [
{
platform = "event";
event_type = "button_pressed";
event_data = {
id = [ 254 207 162 105 ];
which = 1;
onoff = 1;
pushed = 1;
};
}
{
platform = "event";
event_type = "shelly.click";
event_data = {
device = "shellybutton1-E8DB84AA196D";
};
device = "shellybutton1-E8DB84AA136D";
click_type = "double";
};
}
];
action = [
{
choose = [
{
conditions = [ "{{ trigger.event.data.click_type == \"single\" }}" ];
sequence = [
{
service = "light.toggle";
entity_id = "light.bed_reading_1";
}
];
}
{
conditions = [ "{{ trigger.event.data.click_type == \"double\" }}" ];
sequence = [
{
service = "light.toggle";
target = {
entity_id = "light.bedroom_lights";
};
}
];
};
"automation bed light" = {
alias = "bed light";
trigger = [
{
platform = "event";
event_type = "button_pressed";
event_data = {
id = [ 254 207 162 105 ];
which = 0;
onoff = 1;
pushed = 1;
};
}
{
conditions = [ "{{ trigger.event.data.click_type == \"triple\" }}" ];
sequence = [
platform = "event";
event_type = "shelly.click";
event_data = {
device = "shellybutton1-E8DB84AA136D";
click_type = "triple";
};
}
];
action = [
{
service = "light.toggle";
target = {
entity_id = "light.bedroom_bed";
};
}
];
};
"automation reading 1 light" = {
alias = "reading 1 light";
trigger = [
{
platform = "event";
event_type = "button_pressed";
event_data = {
id = [ 254 207 162 105 ];
which = 0;
onoff = 0;
pushed = 1;
};
}
];
action = [
{
service = "light.toggle";
target = {
entity_id = "light.bed_reading_1";
};
}
];
};
@@ -338,24 +380,6 @@
}
];
}
{
conditions = [ "{{ trigger.event.data.click_type == \"double\" }}" ];
sequence = [
{
service = "light.toggle";
entity_id = "light.bedroom_lights";
}
];
}
{
conditions = [ "{{ trigger.event.data.click_type == \"triple\" }}" ];
sequence = [
{
service = "light.toggle";
entity_id = "light.bedroom_bed";
}
];
}
];
}
];

10
hosts/fw/modules/home-assistant/multimedia.nix
View File

@@ -290,16 +290,6 @@
command = "b64:JgDaAAABKZMUERMSExITEhMSExETEhMSExITEhMSExETNxQ2ExITEhMSEzcTNxM3ExITEhM3ExITNxMSEhITEhM3EzcTEhM3EwAFyAABKJQUERMSEhITEhMSExITEhMSEhITEhMSExITNxM3ExITEhMREzcTNxQ3EhITEhM3ExITNxMSExITEhM3EzcTEhM3EwAFyAABKJQUERMSExETEhMSExITEhMSExETEhMSExITNxM3ExITEhMREzcTOBI4ExETEhM3ExITNxMSExITEhM3EzcTEhM3E5IGAA0FAAAAAAAAAAAAAAAAAAA=";
};
}
{
delay = 30;
}
# turn off tv switch
{
service = "switch.turn_off";
target = {
entity_id = "switch.tv_switch";
};
}
];
};
"automation all_multimedia_on" = {

55
hosts/fw/modules/home-assistant/sleep.nix
View File

@@ -7,10 +7,6 @@
at = "input_datetime.wakeup";
};
action = [
{
service = "switch.turn_on";
entity_id = "switch.coffee";
}
{
delay = 1700;
}
@@ -27,25 +23,16 @@
trigger = [
{
platform = "event";
event_type = "shelly.click";
event_type = "button_pressed";
event_data = {
device = "shellybutton1-E8DB84AA196D";
};
}
{
platform = "event";
event_type = "shelly.click";
event_data = {
device = "shellybutton1-E8DB84AA136D";
id = [ 254 207 162 105 ];
which = 1;
onoff = 0;
pushed = 1;
};
}
];
action = [
{
choose = [
{
conditions = [ "{{ trigger.event.data.click_type == \"long\" }}" ];
sequence = [
{
service = "script.turn_on";
target = {
@@ -53,10 +40,6 @@
};
}
];
}
];
}
];
};
script = {
turn_off_everything = {
@@ -65,22 +48,18 @@
service = "light.turn_off";
entity_id = "all";
}
{
service = "switch.turn_off";
entity_id = "switch.coffee";
}
{
service = "switch.turn_off";
entity_id = "switch.78_8c_b5_fe_41_62_port_2_poe";
}
{
service = "switch.turn_off";
entity_id = "switch.78_8c_b5_fe_41_62_port_3_poe";
}
{
service = "switch.turn_off";
entity_id = "switch.hallway_circuit";
}
# {
# service = "switch.turn_off";
# entity_id = "switch.78_8c_b5_fe_41_62_port_2_poe";
# }
# {
# service = "switch.turn_off";
# entity_id = "switch.78_8c_b5_fe_41_62_port_3_poe";
# }
# {
# service = "switch.turn_off";
# entity_id = "switch.hallway_circuit";
# }
# TODO: needs to stay on because phone is not loading otherwise
# {
# service = "switch.turn_off";

2
hosts/fw/modules/phpldapadmin.nix
View File

@@ -4,7 +4,7 @@
virtualisation.oci-containers.backend = "podman";
virtualisation.oci-containers.containers = {
phpldapadmin = {
image = "phpldapadmin/phpldapadmin:latest";
image = "phpldapadmin/phpldapadmin:2.2.2";
autoStart = true;
ports = [
"80:8087/tcp"

1
hosts/nb/configuration.nix
View File

@@ -21,6 +21,7 @@ in {
./modules/appimage.nix
./modules/desktop
./modules/development
./modules/printer.nix
# ./modules/cyberghost.nix
./utils/modules/autoupgrade.nix
./modules/puppeteer.nix

74
hosts/nb/modules/desktop/bitwarden.nix
View File

@@ -1,9 +1,42 @@
{ config, pkgs, ... }:
let
polkitAgent = pkgs.lxqt.lxqt-policykit;
in
{
#### Fingerprint stack #######################################################
services.fprintd.enable = true;
services.fprintd.tod.enable = true;
# Change the driver if your sensor isnt Goodix.
services.fprintd.tod.driver = pkgs.libfprint-2-tod1-goodix;
#### Polkit (needed for Bitwardens “system authentication” prompt) ###########
security.polkit.enable = true;
services.dbus.enable = true;
systemd.user.services.polkit-agent = {
description = "Polkit authentication agent";
after = [ "graphical-session.target" ];
wantedBy = [ "graphical-session.target" ];
serviceConfig.ExecStart = "${polkitAgent}/bin/lxqt-policykit-agent";
serviceConfig.Restart = "on-failure";
};
#### Autostart Bitwarden desktop in your user session ########################
systemd.user.services.bitwarden = {
description = "Bitwarden Desktop";
after = [ "graphical-session.target" ];
wantedBy = [ "graphical-session.target" ];
serviceConfig.ExecStart = "${pkgs.bitwarden}/bin/bitwarden";
serviceConfig.Restart = "on-abort";
};
#### Handy tools #############################################################
environment.systemPackages = with pkgs; [
goldwarden
bitwarden
bitwarden-cli
fprintd
lxqt.lxqt-policykit
];
environment.shellAliases = {
@@ -14,4 +47,43 @@
environment.shellInit = ''
mkdir -p ~/.config/bitwarden-cli-epicenter ~/.config/bitwarden-cli-cloonar
'';
# environment.systemPackages = with pkgs; [
# bitwarden
# bitwarden-cli
# (runCommand "bitwarden-polkit-policy" {} ''
# mkdir -p $out/share/polkit-1/actions
# cat > $out/share/polkit-1/actions/com.bitwarden.Bitwarden.policy <<'EOF'
# <?xml version="1.0" encoding="UTF-8"?>
# <!DOCTYPE policyconfig PUBLIC
# "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
# "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
# <policyconfig>
# <action id="com.bitwarden.Bitwarden.unlock">
# <description>Unlock Bitwarden</description>
# <message>Authenticate to unlock Bitwarden</message>
# <defaults>
# <allow_any>no</allow_any>
# <allow_inactive>no</allow_inactive>
# <allow_active>auth_self</allow_active>
# </defaults>
# </action>
# </policyconfig>
# EOF
# '')
# ];
# systemd.user.services.polkit-gnome-authentication-agent-1 = {
# description = "polkit-gnome-authentication-agent-1";
# wantedBy = [ "graphical-session.target" ];
# wants = [ "graphical-session.target" ];
# after = [ "graphical-session.target" ];
# serviceConfig = {
# Type = "simple";
# ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
# Restart = "on-failure";
# RestartSec = 1;
# TimeoutStopSec = 10;
# };
# };
}

1
hosts/nb/modules/desktop/default.nix
View File

@@ -19,6 +19,7 @@ in {
freecad
firefox
openscad
orca-slicer
(where-is-my-sddm-theme.override {
themeConfig.General = {

4
hosts/nb/modules/development/default.nix
View File

@@ -21,7 +21,11 @@ in {
git
git-filter-repo
glib
gnumake
air
go
jq
mkcert
mqttui

17
hosts/nb/modules/printer.nix
View File

@@ -1,5 +1,22 @@
{ lib, pkgs, ... }:
let
printerFix = pkgs.writeShellApplication {
name = "printer-fix";
runtimeInputs = [ pkgs.cups ];
text = ''
lpadmin -p 'Cloonar' -E \
-v 'ipp://brn30055c566237.cloonar.multimedia/ipp/print' \
-m 'everywhere'
lpadmin -d 'epicenter.works'
'';
};
printerFixDesktopItem = pkgs.makeDesktopItem {
name = "printer-fix";
desktopName = "Printer Fix";
exec = "printer-fix";
};
in {
services.printing.enable = true;

1
hosts/nb/users/configs/project_history
View File

@@ -10,6 +10,7 @@
/home/dominik/projects/cloonar/updns
/home/dominik/projects/cloonar/mcp-servers-nix
/home/dominik/projects/cloonar/ldap2vcard
/home/dominik/projects/accessowl/ao-domainscraping
/home/dominik/projects/cloonar/flow/flow-docs
/home/dominik/projects/cloonar/flow/flow-user-service

1
hosts/nb/users/dominik.nix
View File

@@ -607,6 +607,7 @@ in
git clone gitea@git.cloonar.com:Cloonar/updns.git ${persistHome}/projects/cloonar/updns 2>/dev/null
git clone git@github.com:dpolakovics/mcp-servers-nix.git ${persistHome}/cloonar/mcp-servers-nix 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/ldap2vcard.git ${persistHome}/projects/cloonar/ldap2vcard 2>/dev/null
git clone gitea@git.cloonar.com:AccessOwl/ao-domainscraping.git ${persistHome}/projects/accessowl/ao-domainscraping 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/flow-docs.git ${persistHome}/projects/cloonar/flow/flow-docs 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/flow-user-service.git ${persistHome}/projects/cloonar/flow/flow-user-service 2>/dev/null

4
hosts/web-arm/configuration.nix
View File

@@ -23,6 +23,7 @@
./utils/modules/autoupgrade.nix
./utils/modules/promtail
./utils/modules/borgbackup.nix
# ./utils/modules/ldap-auth.nix
./modules/set-nix-channel.nix # Automatically manage nix-channel from /var/bento/channel
./hardware-configuration.nix
@@ -35,6 +36,9 @@
./sites/autoconfig.cloonar.com.nix
./sites/feeds.cloonar.com.nix
./sites/vcard.cloonar.dev.nix
./sites/vcard.cloonar.com.nix
./sites/cloonar.com.nix
./sites/gbv-aktuell.at.nix
./sites/matomo.cloonar.com.nix

8
hosts/web-arm/modules/authelia/default.nix
View File

@@ -177,7 +177,7 @@ in {
public = false;
authorization_policy = "one_factor";
redirect_uris = [ "https://git.cloonar.com/user/oauth2/authelia/callback" ];
pre_configured_consent_duration = "1y";
consent_mode = "implicit";
scopes = [
"openid"
"profile"
@@ -194,7 +194,7 @@ in {
redirect_uris = [
"https://nextcloud.cloonar.com/apps/oidc_login/oidc"
];
pre_configured_consent_duration = "1y";
consent_mode = "implicit";
scopes = [
"openid"
"profile"
@@ -210,7 +210,7 @@ in {
public = false;
authorization_policy = "one_factor";
redirect_uris = [ "https://grafana.cloonar.com/login/generic_oauth" ];
pre_configured_consent_duration = "1y";
consent_mode = "implicit";
scopes = [
"openid"
"profile"
@@ -226,7 +226,7 @@ in {
public = false;
authorization_policy = "one_factor";
redirect_uris = [ "https://support.cloonar.dev/oauth-login/callback/fryg87l64" ];
pre_configured_consent_duration = "1y";
consent_mode = "implicit";
token_endpoint_auth_method = "client_secret_post";
scopes = [
"openid"

60
hosts/web-arm/modules/grafana/default.nix
View File

@@ -28,13 +28,12 @@ let
in
{
imports = [
# Individual alert files removed, now handled by alerting/system/default.nix
./alerting/system/default.nix # Added: Imports the consolidated system alerts module
./alerting/service/default.nix # Added: Imports the new service alerts module
./alerting/websites/default.nix # Added: Imports the new websites alerts module
# ... other rule files can be added here ...
./alerting/system/default.nix
./alerting/service/default.nix
./alerting/websites/default.nix
./datasources/victoriametrics.nix
./datasources/loki.nix # Add Loki datasource
./datasources/loki.nix
];
systemd.services.grafana.script = lib.mkBefore ''
@@ -97,15 +96,15 @@ in
};
provision = {
alerting = {
rules.settings.groups = lib.mkMerge []; # Allows rule groups to be merged (including the one from system/default.nix)
rules.settings.groups = lib.mkMerge [];
contactPoints = {
settings = {
apiVersion = 1; # As per Grafana provisioning API
apiVersion = 1;
contactPoints = [{
orgId = 1;
name = "cp_dominik";
receivers = [{
uid = "dominik_pushover_cp_receiver"; # Made UID even more specific
uid = "dominik_pushover_cp_receiver";
type = "pushover";
settings = {
apiToken = "\${PUSHOVER_API_TOKEN}";
@@ -125,49 +124,16 @@ in
};
};
policies = { # Corrected from notificationPolicies to policies
policies = {
settings = {
apiVersion = 1; # As per Grafana provisioning API
# Grafana's new unified alerting expects a single policy tree per org.
# For OrgID 1 (default), this defines the root of that tree.
# The NixOS module should translate this into the correct YAML structure.
# The `policies` attribute within `settings` usually takes a list of policy trees.
# For a single default organization, we define one policy tree.
# Grafana's own YAML examples show a top-level 'route' for the default policy,
# or a list under 'policies' if you're managing multiple policy sets (less common for basic setup).
# Given the NixOS option `services.grafana.provision.alerting.policies.settings.policies`,
# it's likely expecting a list here.
policies = [{ # This outer list corresponds to the `policies` option
# orgId = 1; # Usually implicit for the default policy file, but can be specified
receiver = "cp_dominik"; # This sets the default receiver for the root route
# The actual routing tree starts here.
# For a simple setup where all alerts go to one receiver,
# just setting the top-level 'receiver' is often enough.
# If more complex routing is needed, 'routes' would be defined here.
# Example:
# route = {
# receiver = "cp_dominik";
# group_by = [ "alertname", "job" ];
# # ... other root route settings
# routes = [
# {
# matcher_re = { severity = "critical" };
# receiver = "critical_alerts_receiver"; # Another contact point
# continue = false;
# },
# # ... other specific routes
# ];
# };
# For the simplest case, just defining the receiver at this level should work
# as the root policy for the default organization.
apiVersion = 1;
policies = [{
receiver = "cp_dominik";
}];
# resetPolicies = false; # Default, set to true to remove existing policies not in this config.
};
};
};
datasources.settings.datasources = lib.mkMerge []; # Allows datasources to be merged
datasources.settings.datasources = lib.mkMerge [];
};
};

38
hosts/web-arm/sites/vcard.cloonar.com.nix Normal file
View File

@@ -0,0 +1,38 @@
{ pkgs, lib, config, ... }:
{
services.webstack.instances."vcard.cloonar.com" = {
enableDefaultLocations = false;
enableMysql = false;
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMkN2nAB8RIJqeYl/d20P0viXmKsGDIrUIl5N+HAN99b"
];
extraConfig = ''
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
index index.php
charset utf-8;
'';
locations."/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
locations."/robots.txt".extraConfig = ''
access_log off;
log_not_found off;
'';
locations."/".extraConfig = ''
try_files $uri $uri/ /index.php$is_args$args;
'';
phpPackage = pkgs.php82.withExtensions ({ enabled, all }:
enabled ++ [ all.imagick ]);
phpOptions = ''
opcache.enable=1
opcache.memory_consumption=128
opcache.validate_timestamps=0
opcache.revalidate_path=0
'';
};
}

38
hosts/web-arm/sites/vcard.cloonar.dev.nix Normal file
View File

@@ -0,0 +1,38 @@
{ pkgs, lib, config, ... }:
{
services.webstack.instances."vcard.cloonar.dev" = {
enableDefaultLocations = false;
enableMysql = false;
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzlgVs4/MCCU/Mw3nXsZquSXZ2x8h4uXjBEWLEvdQgV"
];
extraConfig = ''
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
index index.php
charset utf-8;
'';
locations."/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
locations."/robots.txt".extraConfig = ''
access_log off;
log_not_found off;
'';
locations."/".extraConfig = ''
try_files $uri $uri/ /index.php$is_args$args;
'';
phpPackage = pkgs.php82.withExtensions ({ enabled, all }:
enabled ++ [ all.imagick ]);
phpOptions = ''
opcache.enable=1
opcache.memory_consumption=128
opcache.validate_timestamps=0
opcache.revalidate_path=0
'';
};
}

4
todos.md
View File

@@ -3,3 +3,7 @@ change sddm theme
add yubikey
change playmouth theme
look into secure boot
## chache server
https://github.com/zhaofengli/attic

2
utils/modules/borgbackup.nix
View File

@@ -77,6 +77,8 @@ in {
"/var/cache"
"/var/tmp"
"/var/log"
"var/lib/microvms"
"/var/lib/nixos-containers"
];
environment.BORG_RSH = "ssh -p23 -i ${config.sops.secrets.borg-ssh-key.path}";
repo = repo;

57
utils/modules/ldap-auth.nix Normal file
View File

@@ -0,0 +1,57 @@
{ lib, config, pkgs, ... }:
let
ldapAuthorizedKeys =
pkgs.writeShellScript "ldap-authorized-keys" ''
exec ${pkgs.openldap}/bin/ldapsearch -LLL -x -H ldap://ldap.cloonar.com \
-D "cn=linuxbind,ou=system,ou=users,dc=cloonar,dc=com" \
-y ${config.sops.secrets.linuxbind-password.path} \
-b "ou=users,dc=cloonar,dc=com" \
"(uid=$1)" sshPublicKey \
| sed -n 's/^sshPublicKey: //p'
'';
in
{
environment.systemPackages = with pkgs; [ openldap ];
users.ldap = {
enable = true;
daemon.enable = true;
base = "ou=users,dc=cloonar,dc=com";
server = "ldap://ldap.cloonar.com/";
useTLS = true;
bind = {
policy = "soft";
distinguishedName = "cn=linuxbind,ou=system,ou=users,dc=cloonar,dc=com";
passwordFile = config.sops.secrets.linuxbind-password.path;
};
loginPam = true;
extraConfig = ''
ldap_version 3
# pam_password ssha
pam_filter objectClass=posixAccount
pam_login_attribute uid
pam_member_attribute gidNumber
'';
};
security.pam.services.login.makeHomeDir = true;
security.pam.services.systemd-user.makeHomeDir = true;
systemd.services.nslcd = {
after = [ "Network-Manager.service" ];
};
# evil, horrifying hack for dysfunctional nss_override_attribute_value
systemd.tmpfiles.rules = [
"L /bin/bash - - - - /run/current-system/sw/bin/bash"
];
services.openssh = {
settings = {
AuthorizedKeysCommand = ldapAuthorizedKeys;
AuthorizedKeysCommandUser = "nslcd"; # default is “nobody” :contentReference[oaicite:0]{index=0}
PubkeyAuthentication = "yes";
};
};
sops.secrets.linuxbind-password.owner = "nslcd";
}