From 8be0cce54ae356007e6c95485b45822184aec4ac Mon Sep 17 00:00:00 2001 
From: Dominik Polakovics Date: Mon, 27 Nov 2023 00:29:16 +0100 Subject: [PATCH] many changes to fw, small fixes to nb --- README.md | 11 ++ hosts/fw.cloonar.com/configuration.nix | 14 ++ .../fw.cloonar.com/modules/deconz/default.nix | 60 ++++++++ .../modules/deconz/pkg/default.nix | 50 +++++++ hosts/fw.cloonar.com/modules/drone/runner.nix | 48 +++++++ .../fw.cloonar.com/modules/drone/secrets.yaml | 30 ++++ hosts/fw.cloonar.com/modules/drone/server.nix | 63 +++++++++ hosts/fw.cloonar.com/modules/firewall.nix | 18 +-- hosts/fw.cloonar.com/modules/fwmetrics.nix | 34 +++++ hosts/fw.cloonar.com/modules/gitea.nix | 36 +++++ .../fw.cloonar.com/modules/home-assistant.nix | 55 ++++++++ hosts/fw.cloonar.com/modules/mopidy.nix | 59 ++++++++ hosts/fw.cloonar.com/modules/mosquitto.nix | 32 +++++ hosts/fw.cloonar.com/modules/snapserver.nix | 128 ++++++++++++++++++ hosts/fw.cloonar.com/modules/wireguard.nix | 28 +++- hosts/fw.cloonar.com/secrets.yaml | 13 +- hosts/nb-01.cloonar.com/configuration.nix | 7 - .../hardware-configuration.nix | 11 +- hosts/nb-01.cloonar.com/modules/nvidia.nix | 53 -------- utils/pkgs/ykfde/scripts/ykfde_enroll | 2 + 20 files changed, 669 insertions(+), 83 deletions(-) create mode 100644 hosts/fw.cloonar.com/modules/deconz/default.nix create mode 100644 hosts/fw.cloonar.com/modules/deconz/pkg/default.nix create mode 100644 hosts/fw.cloonar.com/modules/drone/runner.nix create mode 100644 hosts/fw.cloonar.com/modules/drone/secrets.yaml create mode 100644 hosts/fw.cloonar.com/modules/drone/server.nix create mode 100644 hosts/fw.cloonar.com/modules/fwmetrics.nix create mode 100644 hosts/fw.cloonar.com/modules/gitea.nix create mode 100644 hosts/fw.cloonar.com/modules/home-assistant.nix create mode 100644 hosts/fw.cloonar.com/modules/mopidy.nix create mode 100644 hosts/fw.cloonar.com/modules/mosquitto.nix create mode 100644 hosts/fw.cloonar.com/modules/snapserver.nix delete mode 100644 hosts/nb-01.cloonar.com/modules/nvidia.nix 
diff --git a/README.md b/README.md index f0b8e75..2774ddf 100644 --- a/README.md +++ b/README.md @@ -37,3 +37,14 @@ chmod 755 /var/www sftp host.cloonar.com@git.cloonar.com:/config/bootstrap.sh ./ ``` +# 5. Yubikey +```console +ykman fido access change-pin --new-pin 654321 +systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=yes /dev/nvme0n1p2 +``` + +# 6. Wireguard +```console +wg genkey | (umask 077 && tee privatekey) | wg pubkey > publickey +umask 0077; wg genpsk > psk +``` diff --git a/hosts/fw.cloonar.com/configuration.nix b/hosts/fw.cloonar.com/configuration.nix index 24ceb3d..bb21ff1 100644 --- a/hosts/fw.cloonar.com/configuration.nix +++ b/hosts/fw.cloonar.com/configuration.nix @@ -11,6 +11,7 @@ ./utils/modules/borgbackup.nix ./utils/modules/netdata.nix + # fw ./modules/networking.nix ./modules/firewall.nix ./modules/dhcp4.nix @@ -19,6 +20,19 @@ ./modules/openconnect.nix ./modules/wireguard.nix + # git + ./modules/gitea.nix + ./modules/drone/server.nix + ./modules/drone/runner.nix + ./modules/fwmetrics.nix + + # home assistant + ./modules/home-assistant.nix + ./modules/mopidy.nix + ./modules/mosquitto.nix + ./modules/snapserver.nix + ./modules/deconz + ./hardware-configuration.nix ]; diff --git a/hosts/fw.cloonar.com/modules/deconz/default.nix b/hosts/fw.cloonar.com/modules/deconz/default.nix new file mode 100644 index 0000000..c659563 --- /dev/null +++ b/hosts/fw.cloonar.com/modules/deconz/default.nix 
@@ -0,0 +1,60 @@ +{ config, lib, pkgs, stdenv, ... }: +let + deconz-full = pkgs.callPackage ./pkg/default.nix { }; + deconz = deconz-full.deCONZ; +in +{ + environment.systemPackages = with pkgs; [ + deconz + ]; + + + users.users."deconz" = { + createHome = true; + isSystemUser = true; + group = "dialout"; + home = "/home/deconz"; + }; + + systemd.services.deconz = { + enable = true; + description = "deconz"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + stopIfChanged = false; + serviceConfig = { + ExecStart = "${deconz}/bin/deCONZ -platform minimal --http-port=8080 --ws-port=8081 --http-listen=127.0.0.1 --dev=/dev/ttyACM0"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + Restart = "always"; + RestartSec = "10s"; + # StartLimitInterval = "1min"; + # StateDirectory = "/var/lib/deconz"; + User = "deconz"; + # DeviceAllow = "char-ttyUSB rwm"; + # DeviceAllow = "char-usb_device rwm"; + # AmbientCapabilities="CAP_NET_BIND_SERVICE CAP_KILL CAP_SYS_BOOT CAP_SYS_TIME"; + }; + }; + + services.nginx.virtualHosts."deconz.cloonar.com" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + extraConfig = '' + proxy_buffering off; + ''; + locations."/".extraConfig = '' + set $p 8080; + if ($http_upgrade = "websocket") { + set $p 8081; + } + proxy_pass http://127.0.0.1:$p; + proxy_set_header Host $host; + proxy_redirect http:// https://; + proxy_http_version 1.1; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + ''; + }; +} diff --git a/hosts/fw.cloonar.com/modules/deconz/pkg/default.nix b/hosts/fw.cloonar.com/modules/deconz/pkg/default.nix new file mode 100644 index 0000000..932c0ef --- /dev/null +++ b/hosts/fw.cloonar.com/modules/deconz/pkg/default.nix 
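Review bot: The `deconz` unit's `serviceConfig` runs a vendor binary with every hardening directive commented out, and the `deconz` user gets `group = "dialout"` as its primary group, so the process can open every serial device on the router rather than only the `--dev=/dev/ttyACM0` it is started with; with the REST API also published on `deconz.cloonar.com` behind ACME and nothing in front of it beyond deCONZ's own API keys, a bug in deCONZ runs with read access to the whole filesystem. I would give the user its own group with `dialout` as a supplementary group, move state to `/var/lib/deconz` via `StateDirectory`, and add the device allow-list and filesystem protections below — `RestrictNamespaces` must stay off because `buildFHSUserEnv` wraps the binary in bubblewrap, which needs user namespaces, so please exercise the unit after adding these. Whether `--ws-port=8081` honours `--http-listen=127.0.0.1` or binds all interfaces I cannot tell from the flags alone; check with `ss -ltnp` after deploy. Separately, `stdenv` in the module's argument set is not an argument the NixOS module system supplies, so evaluation should fail with "module argument stdenv is not defined" unless `_module.args.stdenv` is set elsewhere — it is unused here and can be dropped.
```nix
users.users."deconz" = {
  isSystemUser = true;
  group = "deconz";
  extraGroups = [ "dialout" ];   # ConBee serial access only
  home = "/var/lib/deconz";
  createHome = true;
};
users.groups.deconz = { };

# … unchanged: systemd.services.deconz description/after/wantedBy/stopIfChanged …
serviceConfig = {
  # … unchanged: ExecStart/ExecReload/Restart/RestartSec/User …
  StateDirectory = "deconz";
  DevicePolicy = "closed";
  DeviceAllow = [ "/dev/ttyACM0 rw" ];
  NoNewPrivileges = true;
  ProtectSystem = "strict";
  ProtectHome = true;
  ReadWritePaths = [ "/var/lib/deconz" ];
  PrivateTmp = true;
  # no RestrictNamespaces: the FHS wrapper (bubblewrap) needs user namespaces
};
```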
@@ -0,0 +1,50 @@ +{ config, pkgs, stdenv, buildFHSUserEnv, fetchurl, dpkg, qt5, sqlite, hicolor-icon-theme, libcap, libpng, libxcrypt-legacy, ... }: +#ith import {}; +let +version = "2.21.02"; +name = "deconz-${version}"; +in +rec { + deCONZ-deb = stdenv.mkDerivation { + #builder = ./builder.sh; + inherit name; + dpkg = dpkg; + src = fetchurl { + url = "https://deconz.dresden-elektronik.de/ubuntu/stable/${name}-qt5.deb"; + sha256 = "2d5ab8af471ffa82fb0fd0c8a2f0bb09e7c0bd9a03ef887abe49c616c63042f0"; + }; + + dontConfigure = true; + dontBuild = true; + dontStrip = true; + + buildInputs = [ dpkg sqlite hicolor-icon-theme libcap libpng qt5.qtbase qt5.qtserialport qt5.qtwebsockets qt5.wrapQtAppsHook libxcrypt-legacy ]; # qt5.qtserialport qt5.qtwebsockets ]; + + unpackPhase = "dpkg-deb -x $src ."; + installPhase = '' + cp -r usr/* . + cp -r ${libxcrypt-legacy}/lib/* share/deCONZ/plugins/ + cp -r share/deCONZ/plugins/* lib/ + cp -r . $out + ''; + + }; + deCONZ = buildFHSUserEnv { + name = "deCONZ"; + targetPkgs = pkgs: [ + deCONZ-deb + ]; + multiPkgs = pkgs: [ + dpkg + qt5.qtbase + qt5.qtserialport + qt5.qtwebsockets + qt5.wrapQtAppsHook + sqlite + hicolor-icon-theme + libcap + libpng + ]; + runScript = "deCONZ"; + }; +} diff --git a/hosts/fw.cloonar.com/modules/drone/runner.nix b/hosts/fw.cloonar.com/modules/drone/runner.nix new file mode 100644 index 0000000..0b2c4a0 --- /dev/null +++ b/hosts/fw.cloonar.com/modules/drone/runner.nix 
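Review bot: The `deCONZ-deb` derivation installs a proprietary binary fetched from the vendor's apt mirror with no `meta` at all, so `allowUnfree` does not gate it and nothing records that this is third-party native code; I would add `lib` to the argument set and `meta = { license = lib.licenses.unfree; sourceProvenance = [ lib.sourceTypes.binaryNativeCode ]; platforms = [ "x86_64-linux" ]; };` (adjust `platforms` if the .deb is not the amd64 build). The `sha256` pin on `fetchurl` is what actually protects the build and is the right thing; keep it when bumping `version`. `installPhase` copies `${libxcrypt-legacy}/lib/*` into `share/deCONZ/plugins/` and then that whole directory into `lib/`, which leaves libcrypt sitting in the Qt plugin directory — presumably because the binary links `libcrypt.so.1` and this is the simplest way to get it onto the FHS search path, but a one-line comment saying so (`# deCONZ links libcrypt.so.1; stage it next to the plugins so the FHS env finds it`) would stop the next reader from "cleaning it up". The `#ith import {};` line and the unused `config` and `pkgs` arguments look like leftovers from a standalone `nix-build` and can go.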
@@ -0,0 +1,48 @@ +{ config, pkgs, ... }: + +{ + virtualisation.docker.enable = true; + + users.users.drone-runner = { + isSystemUser = true; + group = "drone-runner"; + home = "/var/lib/drone-runner"; + createHome = true; + }; + users.groups.drone-runner = { }; + users.groups.docker.members = [ "drone-runner" ]; + + systemd.services.drone-runner = { + description = "Drone Runner (CI CD Service)"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.docker ]; + + serviceConfig = { + # Type = "simple"; + Name = "drone-runner"; + User = "drone-runner"; + Group = "drone-runner"; + Restart = "always"; + ExecStartPre= '' + -${pkgs.docker}/bin/docker stop %n \ + -${pkgs.docker}/bin/docker rm %n \ + ${pkgs.docker}/bin/docker pull drone/drone:2.20.0 + ''; + ExecStart= '' + ${pkgs.docker}/bin/docker run --rm --name %n \ + --volume=/var/run/docker.sock:/var/run/docker.sock \ + --env-file=/run/secrets/drone-runner \ + --env=DRONE_RPC_PROTO=https \ + --env=DRONE_RPC_HOST=drone.cloonar.com \ + --env=DRONE_RUNNER_CAPACITY=2 \ + drone/drone-runner-docker:1.8.3 + ''; + }; + }; + + sops.secrets.drone-runner = { + owner = config.systemd.services.drone-runner.serviceConfig.User; + key = "drone"; + }; +} diff --git a/hosts/fw.cloonar.com/modules/drone/secrets.yaml b/hosts/fw.cloonar.com/modules/drone/secrets.yaml new file mode 100644 index 0000000..cd972be --- /dev/null +++ b/hosts/fw.cloonar.com/modules/drone/secrets.yaml 
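Review bot: `ExecStart` hands the runner container `/var/run/docker.sock`, and `users.groups.docker.members` adds `drone-runner` to the `docker` group, so every pipeline this runner executes can start privileged containers and bind-mount the host filesystem — on `fw.cloonar.com`, which the other modules in this commit show to be the perimeter router carrying the nftables and WireGuard configuration; `User = "drone-runner"` adds no isolation, since docker-group membership is root-equivalent. That is root on the firewall for anyone who can push to a repository Drone builds, so if the runner must stay on this host it should at least be limited to explicitly trusted repositories, and a separate VM (or the exec/podman runner) would be the better home. Separately, `ExecStartPre` is a single string with backslash continuations, which systemd joins into one command line (`docker stop %n -/…/docker rm %n /…/docker pull …`) whose leading `-` then hides the resulting failure, and the image it pulls (`drone/drone:2.20.0`) is the server, not the `drone/drone-runner-docker:1.8.3` that `ExecStart` runs; `Name = "drone-runner"` is also not a systemd directive and will be ignored with a warning. Split the pre-commands into a list:
```nix
ExecStartPre = [
  "-${pkgs.docker}/bin/docker stop %n"
  "-${pkgs.docker}/bin/docker rm %n"
  "${pkgs.docker}/bin/docker pull drone/drone-runner-docker:1.8.3"
];
# … unchanged: ExecStart …
```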
@@ -0,0 +1,30 @@ +drone: ENC[AES256_GCM,data:Z1Rjso+5XYfvp2xJDXCQkI88GXl83v2oEkMLmOV/rb0DwRmhxCYzYX6fcdidk271Drf1YaPstVvm2LQB38jlBnJtg98aAGegj2fWfT44IbPIi8qDe93M2gFxFDgosoA2eOS2MjEwyBDp9GEUnKyi2gHR8khnTCvegVIntsusWOW/1tbzymKXavZAJUlX+82d/+6NWUEcnbislxhyph8P1Lgw546q,iv:SllCBHlq8ZCBqOHwMaCUcX6D/VDWsbN7uICZKb/R35w=,tag:mEb4E02VUaYGVjyI30FcXA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0OW1JN0hjYjh4cDlmLyt6 + dHRlSjN6Y1JWUFdzNWlZZ3c0Z2F4bXBCa1NFCjM3b3pPZVhtbDdob3lsR2xlMmJI + bjRRMHFjQ2kwWWJKT1p5VW5NVGJuZ3MKLS0tICtRcTFoSmxyeUhaaVlxQUxRWkJl + SXR2M293UFBxNFovRnlTQ1o4SzloaEEK+onGdd/7aEF71ibLoLXE5/SbJQWsKigh + h8BhfT1z9P5UYNoGHVv8Ry6LndyrBLEv+PUBuT0XJpEVPjKLm99KbQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age106n5n3rrrss45eqqzz8pq90la3kqdtnw63uw0sfa2mahk5xpe30sxs5x58 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyL3dDczRNMjNQUWVjelR5 + TG93QUFjVGtMNFplaTErOTJjT2dHbWtWUVNzCjNTV0tUY2hpcnp1SDZ4UTB2aFNI + M2JwSkdNS0RFQVlPRUNzRG41aW5aS3cKLS0tIEJtaTRXdTI3NGJxZENJTk9jT1hi + N3RLRjdkMmZkSmZWZGlYbXRRUTJOZFEK2bJo7iyE3A5ds7tW5bAHgyfGqgH4cRjY + hLzYp083QYbXKAqP1w8a3JFXofv1RWd7tUb61I6R4Rd6hXZUv1a5Qw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-02-10T12:35:53Z" + mac: ENC[AES256_GCM,data:44J9abLbHkvjAtIUqXVZlcEAnizgg5yxKwyaZhnqIzzebWEpzqcKP6b72blaD7/jSdAiUo7bk/m4BxKVGHf9XKGxyLastbgYoFtz40rsKg9LOKpEfO2kl3JV5dj7C1f8IgsHWZ8L3Vb6KFKcrK2bzjZ5K5p22hCze4lQbK7CZTE=,iv:TE+6juCOTjTrx5nQhi8W5gaZkMFYrEDtoPrGdSTJSNE=,tag:AVsCIkzPjtfk3uSlsv6Dlg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/hosts/fw.cloonar.com/modules/drone/server.nix b/hosts/fw.cloonar.com/modules/drone/server.nix new file mode 100644 index 0000000..d13f349 --- /dev/null +++ b/hosts/fw.cloonar.com/modules/drone/server.nix 
@@ -0,0 +1,63 @@ +{ config, pkgs, ... }: + +{ + virtualisation.docker.enable = true; + + users.users.drone-server = { + isSystemUser = true; + group = "drone-server"; + home = "/var/lib/drone-server"; + createHome = true; + }; + users.groups.drone-server = { }; + users.groups.docker.members = [ "drone-server" ]; + + systemd.services.drone-server = { + description = "Drone Server (CI CD Service)"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.docker ]; + + serviceConfig = { + # Type = "simple"; + Name = "drone-server"; + User = "drone-server"; + Group = "drone-server"; + Restart = "always"; + ExecStartPre= '' + -${pkgs.docker}/bin/docker stop %n \ + -${pkgs.docker}/bin/docker rm %n \ + ${pkgs.docker}/bin/docker pull drone/drone:2.20.0 + ''; + ExecStart= '' + ${pkgs.docker}/bin/docker run --rm --name %n \ + --env-file=/run/secrets/drone-server \ + --env=DRONE_AGENTS_ENABLED=true \ + --env=DRONE_GITEA_SERVER=https://git.cloonar.com \ + --env=DRONE_GITEA_CLIENT_ID=6a7b8c57-bd71-49c8-b67d-c2de68fda649 \ + --env=DRONE_GIT_ALWAYS_AUTH=true \ + --env=DRONE_SERVER_HOST=drone.cloonar.com \ + --env=DRONE_SERVER_PROTO=https \ + --env=DRONE_USER_CREATE=username:dominik.polakovics,admin:true \ + -v /var/lib/drone:/data \ + --publish=8080:80 \ + drone/drone:2 + ''; + }; + }; + + services.nginx.enable = true; + services.nginx.virtualHosts."drone.cloonar.com" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + locations."/" = { + proxyPass = "http://localhost:8080"; + }; + }; + + sops.secrets.drone-server = { + owner = config.systemd.services.drone-server.serviceConfig.User; + key = "drone"; + }; +} diff --git a/hosts/fw.cloonar.com/modules/firewall.nix b/hosts/fw.cloonar.com/modules/firewall.nix index 4f11976..1644008 100644 --- a/hosts/fw.cloonar.com/modules/firewall.nix +++ b/hosts/fw.cloonar.com/modules/firewall.nix 
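Review bot: `--publish=8080:80` in `ExecStart` binds the Drone server to 0.0.0.0:8080 on the host, while the deconz module in this same commit starts deCONZ with `--http-port=8080 --http-listen=127.0.0.1`, and both nginx vhosts (`drone.cloonar.com` here, `deconz.cloonar.com` there) proxy to port 8080 on loopback — whichever service wins the bind answers for both hostnames and the other fails to start. Docker additionally installs its own iptables DNAT/FORWARD rules for published ports, which run alongside the nftables ruleset in `firewall.nix`; whether the forward chain's policy (outside this diff) still stops WAN traffic to 8080 is not visible here, so do not rely on it. Publish on loopback on a free port and point the vhost at it: `--publish=127.0.0.1:8082:80 \` and `proxyPass = "http://127.0.0.1:8082";`. `ExecStartPre` pulls `drone/drone:2.20.0` but `ExecStart` runs the floating `drone/drone:2` tag, so the pinned pull is ineffective — use the same pinned tag (or a digest) in both — and the multi-line `ExecStartPre` string is joined by systemd into one command, so the stop/rm/pull never run as three steps; make it a list of three strings. Both `sops.secrets.drone-server` and the runner's secret use `key = "drone"` from the host's default `secrets.yaml`, so the new `modules/drone/secrets.yaml` (with an older `lastmodified`) is never referenced and is an orphan copy of the same secret.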
@@ -9,7 +9,7 @@ # enable flow offloading for better throughput flowtable f { hook ingress priority 0; - devices = { lan, server, wg0, smart, multimedia, guest }; + devices = { lan, server, wg_cloonar, smart, multimedia, guest }; } chain output { @@ -22,16 +22,16 @@ # Allow trusted networks to access the router iifname { "lan", - "wg0" + "wg_cloonar" } counter accept # Accept mDNS for avahi reflection iifname "multimedia" ip saddr tcp dport { llmnr } counter accept iifname "multimedia" ip saddr udp dport { mdns, llmnr } counter accept - # Allow returning traffic from wg0 and drop everthing else - iifname "wg0" ct state { established, related } counter accept - iifname "wg0" drop + # Allow returning traffic from wg_cloonar and drop everthing else + iifname "wg_cloonar" ct state { established, related } counter accept + iifname "wg_cloonar" drop } chain forward { @@ -44,7 +44,7 @@ iifname "multimedia" oifname { "lan" } counter accept # lan and vpn to any - iifname { "lan", "wg0" } oifname { "server", "multimedia", "smart", "wrwks" } counter accept + iifname { "lan", "wg_cloonar" } oifname { "server", "multimedia", "smart", "wrwks", "wg_epicenter_works", "wg_ghetto_at" } counter accept # Allow trusted network WAN access iifname { @@ -52,7 +52,7 @@ "server", "multimedia", "smart", - "wg0", + "wg_cloonar", } oifname { "wan", } counter accept comment "Allow trusted LAN to WAN" @@ -65,7 +65,7 @@ "server", "multimedia", "smart", - "wg0", + "wg_cloonar", } ct state established,related counter accept comment "Allow established back to LANs" } } @@ -78,7 +78,7 @@ # Setup NAT masquerading on the ppp0 interface chain postrouting { type nat hook postrouting priority filter; policy accept; - oifname { "wan", "wrwks" } masquerade + oifname { "wan", "wrwks", "wg_epicenter_works", "wg_ghetto_at" } masquerade } } ''; diff --git a/hosts/fw.cloonar.com/modules/fwmetrics.nix b/hosts/fw.cloonar.com/modules/fwmetrics.nix new file mode 100644 index 0000000..196a4a1 --- /dev/null 
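Review bot: In the input-chain hunk, `iifname { "lan", "wg_cloonar" } counter accept` already accepts everything arriving on the tunnel, so the two later lines `iifname "wg_cloonar" ct state { established, related } counter accept` and `iifname "wg_cloonar" drop` can never match; the comment above them says the intent is "returning traffic only, drop everything else", which the set above contradicts — if the restrictive reading is the intended one, remove `"wg_cloonar"` from the trusted set, otherwise delete the two dead rules so the ruleset says what it does. In the forward and postrouting hunks the two partner tunnels `wg_epicenter_works` and `wg_ghetto_at` are added only as `oifname` targets and masqueraded, following the existing `wrwks` pattern, so I assume the established/related return rule lives outside this diff; the "Allow established back to LANs" set in the same file was not extended, so please confirm replies actually come back. Letting all of `lan` and `wg_cloonar` initiate into the partner ranges is a policy decision worth a comment next to that rule, e.g. `# partner VPNs: our side may initiate, nothing from the partner side is accepted`. The `flowtable f` device list was updated for the rename but not for the two new interfaces, which only affects offload throughput.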
+++ b/hosts/fw.cloonar.com/modules/fwmetrics.nix @@ -0,0 +1,34 @@ +{ config, pkgs, ... }: +let + configure_prom = builtins.toFile "prometheus.yml" '' + scrape_configs: + - job_name: '${config.networking.hostName}' + stream_parse: true + static_configs: + - targets: + - 127.0.0.1:9100 + - job_name: 'fw' + stream_parse: true + static_configs: + - targets: + - fw.cloonar.com:9100 + ''; +in { + sops.secrets.victoria-agent-env = { + sopsFile = ../utils/modules/victoriametrics/secrets.yaml; + }; + + services.prometheus.exporters.node.enable = true; + + systemd.services.export-fw-to-prometheus = { + path = with pkgs; [victoriametrics]; + enable = true; + after = ["network-online.target"]; + wantedBy = ["multi-user.target"]; + script = "vmagent -promscrape.config=${configure_prom} -envflag.enable -remoteWrite.url=https://victoria-server.cloonar.com/api/v1/write"; + + serviceConfig = { + EnvironmentFile=config.sops.secrets.victoria-agent-env.path; + }; + }; +} diff --git a/hosts/fw.cloonar.com/modules/gitea.nix b/hosts/fw.cloonar.com/modules/gitea.nix new file mode 100644 index 0000000..357f40a --- /dev/null +++ b/hosts/fw.cloonar.com/modules/gitea.nix @@ -0,0 +1,36 @@ +{ config, ... }: +let + domain = "git.cloonar.com"; +in +{ + services.nginx.virtualHosts."${domain}" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://localhost:3001/"; + }; + }; + + services.gitea = { + enable = true; + appName = "Cloonar Gitea server"; # Give the site a name + settings = { + server = { + ROOT_URL = "https://${domain}/"; + HTTP_PORT = 3001; + DOMAIN = domain; + }; + openid = { + ENABLE_OPENID_SIGNIN = false; + ENABLE_OPENID_SIGNUP = true; + WHITELISTED_URIS = "auth.example.com"; + }; + service = { + DISABLE_REGISTRATION = false; + ALLOW_ONLY_EXTERNAL_REGISTRATION = true; + SHOW_REGISTRATION_BUTTON = false; + }; + webhook.ALLOWED_HOST_LIST = "drone.cloonar.com"; + }; + }; +} 
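Review bot: `services.prometheus.exporters.node.enable = true` leaves the exporter on the NixOS default `listenAddress` of `0.0.0.0`, while its only consumer is the `vmagent` started right below it, so host metrics are offered on every interface of the router unless the nftables ruleset happens to block 9100; add `services.prometheus.exporters.node.listenAddress = "127.0.0.1";`. The two scrape jobs point at the same exporter — `127.0.0.1:9100` and `fw.cloonar.com:9100` are both this host, since this module lives under `hosts/fw.cloonar.com` — so every series is written twice to VictoriaMetrics; drop the `'fw'` job. `after = [ "network-online.target" ]` is ordering only and does not pull the target in; add `wants = [ "network-online.target" ];` so the first remote write does not race the uplink.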
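Review bot: `services.gitea.settings.server` sets `HTTP_PORT = 3001` but not `HTTP_ADDR`, and Gitea's default is to listen on all addresses, so the unproxied HTTP listener is reachable on every interface of the router instead of only through the `git.cloonar.com` vhost; add `HTTP_ADDR = "127.0.0.1";` next to it (the `proxyPass` already targets localhost). The `openid` section looks inconsistent — signin disabled, signup enabled, and `WHITELISTED_URIS = "auth.example.com"` is the placeholder from the docs — so either drop it or put the real provider host there; as written it documents an intent nobody can verify. Since the vhost uses `forceSSL`, `session.COOKIE_SECURE = true` is worth adding so a session cookie is never sent over a plain-HTTP path. Unlike the other vhosts in this commit this one omits `acmeRoot = null`, so the nginx module will serve the HTTP-01 webroot challenge for it; that may be deliberate, but a comment would make the difference intentional rather than accidental.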
diff --git a/hosts/fw.cloonar.com/modules/home-assistant.nix b/hosts/fw.cloonar.com/modules/home-assistant.nix new file mode 100644 index 0000000..f838797 --- /dev/null +++ b/hosts/fw.cloonar.com/modules/home-assistant.nix @@ -0,0 +1,55 @@ +{ ... }: { + virtualisation = { + podman = { + enable = true; + + # Create a `docker` alias for podman, to use it as a drop-in replacement + dockerCompat = true; + + # Required for containers under podman-compose to be able to talk to each other. + defaultNetwork.settings.dns_enabled = true; + # For Nixos version > 22.11 + #defaultNetwork.settings = { + # dns_enabled = true; + #}; + }; + }; + + virtualisation.oci-containers = { + backend = "podman"; + containers.homeassistant = { + volumes = [ "home-assistant:/config" ]; + environment.TZ = "Europe/Vienna"; + image = "ghcr.io/home-assistant/home-assistant:2023.9.3"; + extraOptions = [ + "--network=host" + "--device=/dev/serial/by-id/usb-EnOcean_GmbH_EnOcean_USB_300_DC_FT5OI9YG-if00-port0:/dev/serial/by-id/usb-EnOcean_GmbH_EnOcean_USB_300_DC_FT5OI9YG-if00-port0" + ]; + }; + }; + + services.nginx.virtualHosts."home-assistant.cloonar.com" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + extraConfig = '' + proxy_buffering off; + ''; + locations."/".extraConfig = '' + proxy_pass http://127.0.0.1:8123; + proxy_set_header Host $host; + proxy_redirect http:// https://; + proxy_http_version 1.1; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + ''; + }; + + networking.firewall = { + allowedUDPPorts = [ + 5683 # shelly coiot + ]; + }; +} + diff --git a/hosts/fw.cloonar.com/modules/mopidy.nix b/hosts/fw.cloonar.com/modules/mopidy.nix new file mode 100644 index 0000000..0fdc254 --- /dev/null +++ b/hosts/fw.cloonar.com/modules/mopidy.nix 
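Review bot: `virtualisation.podman.dockerCompat = true` is set here while the two drone modules in this commit enable `virtualisation.docker`, and as far as I recall the NixOS podman module asserts that `dockerCompat` and `virtualisation.docker.enable` are not both set (the `docker` alias and socket collide), so with all of them imported in `configuration.nix` this either fails evaluation or leaves one runtime broken — please confirm which runtime is intended on this host. With `--network=host` Home Assistant listens on 0.0.0.0:8123 on the router itself rather than only on the loopback nginx proxies to, so it is reachable from every interface the nftables ruleset does not block; set `http.server_host: 127.0.0.1` in its `configuration.yaml` (in the `home-assistant` volume, outside this patch). The vhost forwards `X-Forwarded-For`, which HA rejects unless `http.use_x_forwarded_for: true` and `trusted_proxies: [127.0.0.1]` are configured on the HA side, and it does not forward the scheme, so `proxy_set_header X-Forwarded-Proto $scheme;` should be added. `allowedUDPPorts = [ 5683 ]` opens CoIoT on every interface; assuming the NixOS firewall is active alongside the nftables ruleset, scope it to the VLAN the Shellys sit on via `networking.firewall.interfaces.<vlan>.allowedUDPPorts`.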
@@ -0,0 +1,59 @@ +{ pkgs, lib, ... }: +let +mopidy-autoplay = pkgs.python3Packages.buildPythonApplication rec { + pname = "Mopidy-Autoplay"; + version = "0.2.3"; + + src = pkgs.python3Packages.fetchPypi { + inherit pname version; + sha256 = "sha256-E2Q+Cn2LWSbfoT/gFzUfChwl67Mv17uKmX2woFz/3YM="; + }; + + propagatedBuildInputs = [ + pkgs.mopidy + ] ++ (with pkgs.python3Packages; [ + configobj + ]); + + # no tests implemented + doCheck = false; + + meta = with lib; { + homepage = "https://codeberg.org/sph/mopidy-autoplay"; + }; +}; +in +{ + services.mopidy = { + enable = true; + extensionPackages = [ pkgs.mopidy-iris pkgs.mopidy-tunein mopidy-autoplay ]; + configuration = '' + [audio] + output = audioresample ! audioconvert ! audio/x-raw,rate=48000,channels=2,format=S16LE ! wavenc ! filesink location=/run/snapserver/mopidy + + [file] + enabled = false + + [autoplay] + enabled = true + ''; + }; + + services.nginx.virtualHosts."mopidy.cloonar.com" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + extraConfig = '' + proxy_buffering off; + ''; + locations."/".extraConfig = '' + proxy_pass http://127.0.0.1:6680; + proxy_set_header Host $host; + proxy_redirect http:// https://; + proxy_http_version 1.1; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + ''; + }; +} diff --git a/hosts/fw.cloonar.com/modules/mosquitto.nix b/hosts/fw.cloonar.com/modules/mosquitto.nix new file mode 100644 index 0000000..7a7e7a0 --- /dev/null +++ b/hosts/fw.cloonar.com/modules/mosquitto.nix 
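Review bot: The `mopidy.cloonar.com` vhost publishes Mopidy's HTTP/WebSocket API and the Iris UI on a public hostname with nothing in front of it, and Mopidy has no authentication of its own, so anyone who reaches the hostname controls the player and whatever server-side endpoints Iris adds. Add access control in the location — for instance `allow 10.42.98.0/24; deny all;` for the `wg_cloonar` range (plus the LAN prefix) or a `basicAuthFile` — since the other IoT vhosts in this commit take the same shape and will inherit whatever pattern is chosen here. The `[audio]` pipeline writes to `/run/snapserver/mopidy`, a FIFO snapserver creates; whether the `mopidy` service user can open it under the NixOS mopidy unit's sandboxing is not visible here, so check the journal after deploy. Pinning `Mopidy-Autoplay` from PyPI by sha256 is good; a comment on the inline derivation (`# not in nixpkgs, so packaged here — TODO upstream`) would explain why it is built locally.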
@@ -0,0 +1,32 @@ +{ config, pkgs, ... }: + +{ + services.mosquitto = { + enable = true; + + listeners = [ + { + users."espresense" = { + password = "insecure-password"; + acl = [ "readwrite #" ]; + }; + users."home-assistant" = { + hashedPassword = "$7$101$7uaagoQWQ3ICJ/wg$5cWZs4ae4DjToe44bOzpDopPv1kRaaVD+zF6BE64yDJH2/MBqXfD6f2/o9M/65ArhV92DAK+txXRYsEcZLl45A=="; + acl = [ "readwrite #" ]; + }; + users."ps5-mqtt" = { + password = "insecure-password"; + acl = [ "readwrite #" ]; + }; + users."shairport-mqtt" = { + password = "insecure-password"; + acl = [ "readwrite #" ]; + }; + } + ]; + }; + + networking.firewall = { + allowedTCPPorts = [ 1883 ]; + }; +} diff --git a/hosts/fw.cloonar.com/modules/snapserver.nix b/hosts/fw.cloonar.com/modules/snapserver.nix new file mode 100644 index 0000000..3d300b8 --- /dev/null +++ b/hosts/fw.cloonar.com/modules/snapserver.nix 
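Review bot: Three of the four `users` entries use plaintext `password = "insecure-password"`, which the NixOS mosquitto module turns into a password file from a Nix-store script, so the credential is world-readable on the host and committed to git; the `home-assistant` entry with `hashedPassword` shows the right pattern. Use `hashedPasswordFile` (or `passwordFile`) pointing at a sops secret for `espresense`, `ps5-mqtt` and `shairport-mqtt`, with a distinct secret per client rather than one shared string. The listener sets no `address`, so it binds every interface, and `allowedTCPPorts = [ 1883 ]` opens unencrypted MQTT globally; bind it to the IoT VLAN address (`address = "<smart VLAN gateway IP>";`) and, assuming the NixOS firewall is active next to the nftables ruleset, scope the port with `networking.firewall.interfaces.smart.allowedTCPPorts`. Every user gets `readwrite #`; a per-client prefix such as `readwrite espresense/#` would stop one compromised IoT client from publishing into Home Assistant's topics.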
@@ -0,0 +1,128 @@ +{ pkgs, config, python3Packages, ... }: +let +shairport-sync = pkgs.shairport-sync.overrideAttrs (_: { + configureFlags = [ + "--with-alsa" "--with-pipe" "--with-pa" "--with-stdout" + "--with-avahi" "--with-ssl=openssl" "--with-soxr" + # "--with-mqtt-client" + "--without-configfiles" + "--sysconfdir=/etc" + "--with-metadata" + ]; + # buildInputs = [ + # pkgs.openssl + # pkgs.avahi + # pkgs.popt + # pkgs.libconfig + # pkgs.mosquitto + # pkgs.alsa-lib + # pkgs.libpulseaudio + # pkgs.pipewire + # pkgs.libjack2 + # pkgs.soxr + # ]; +}); +in +{ + environment.etc = { + # Creates /etc/nanorc + shairport = { + text = '' + whatever you want to put in the file goes here. + metadata = + { + enabled = "yes"; // set this to yes to get Shairport Sync to solicit metadata from the source and to pass it on via a pipe + include_cover_art = "yes"; // set to "yes" to get Shairport Sync to solicit cover art from the source and pass it via the pipe. You must also set "enabled" to "yes". + cover_art_cache_directory = "/tmp/shairport-sync/.cache/coverart"; // artwork will be stored in this directory if the dbus or MPRIS interfaces are enabled or if the MQTT client is in use. Set it to "" to prevent caching, which may be useful on some systems + pipe_name = "/tmp/shairport-sync-metadata"; + pipe_timeout = 5000; // wait for this number of milliseconds for a blocked pipe to unblock before giving up + }; + + + mqtt = + { + enabled = "yes"; // set this to yes to enable the mqtt-metadata-service + hostname = "127.0.0.1"; // Hostname of the MQTT Broker + port = 1883; // Port on the MQTT Broker to connect to + username = "espresense"; //set this to a string to your username in order to enable username authentication + password = "insecure-password"; //set this to a string you your password in order to enable username & password authentication + topic = "shairport"; //MQTT topic where this instance of shairport-sync should publish. If not set, the general.name value is used. 
+ // publish_raw = "no"; //whether to publish all available metadata under the codes given in the 'metadata' docs. + publish_parsed = "yes"; //whether to publish a small (but useful) subset of metadata under human-understandable topics + publish_cover = "yes"; //whether to publish the cover over mqtt in binary form. This may lead to a bit of load on the broker + // enable_remote = "no"; //whether to remote control via MQTT. RC is available under `topic`/remote. + }; + ''; + + # The UNIX file mode bits + mode = "0440"; + }; + }; + + services.snapserver = { + enable = true; + codec = "flac"; + http.docRoot = "${pkgs.snapcast}/share/snapserver/snapweb"; + streams.mopidy = { + type = "pipe"; + location = "/run/snapserver/mopidy"; + }; + streams.airplay = { + type = "airplay"; + location = "${shairport-sync}/bin/shairport-sync"; + query = { + devicename = "Multi Room"; + port = "5000"; + params = "--mdns=avahi"; + }; + }; + streams.mixed = { + type = "meta"; + location = "/airplay/mopidy"; + }; + }; + + services.avahi.enable = true; + services.avahi.publish.enable = true; + services.avahi.publish.userServices = true; + + # services.shairport-sync = { + # enable = true; + # arguments = "-v -o=pipe -- pipe:name=/run/snapserver/airplay"; + # }; + + services.nginx.virtualHosts."snapcast.cloonar.com" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + extraConfig = '' + proxy_buffering off; + ''; + locations."/".extraConfig = '' + proxy_pass http://127.0.0.1:1780; + proxy_set_header Host $host; + proxy_redirect http:// https://; + proxy_http_version 1.1; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + ''; + }; + + + networking.firewall.allowedTCPPorts = [ + 80 # http + 443 # https + 1704 # snapcast + 1705 # snapcast + 5000 # airplay + 5353 # airplay + ]; + networking.firewall.allowedUDPPorts = [ + 5000 # airplay + 5353 # airplay + ]; + 
networking.firewall.allowedUDPPortRanges = [ + { from = 6001; to = 6011; } # airplay + ]; +} diff --git a/hosts/fw.cloonar.com/modules/wireguard.nix b/hosts/fw.cloonar.com/modules/wireguard.nix index 4d59725..7b4ed90 100644 --- a/hosts/fw.cloonar.com/modules/wireguard.nix +++ b/hosts/fw.cloonar.com/modules/wireguard.nix @@ -2,11 +2,11 @@ sops.secrets.wg0_key = {}; networking.wireguard.interfaces = { - wg0 = { + wg_cloonar = { ips = [ "10.42.98.1/24" ]; listenPort = 51820; # publicKey: TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q= - privateKeyFile = config.sops.secrets.wg0_key.path; + privateKeyFile = config.sops.secrets.wg_cloonar_key.path; peers = [ { # Notebook publicKey = "YdlRGsjh4hS3OMJI+t6SZ2eGXKbs0wZBXWudHW4NyS8="; @@ -18,5 +18,29 @@ } ]; }; + wg_epicenter_works = { + ips = [ "10.50.60.6/32" ]; + privateKeyFile = config.sops.secrets.wg_epicenter_works_key.path; + peers = [ + { + endpoint = "5.9.131.17:51821"; + publicKey = "T7jPGSapSudtKyWwi2nu+2hjjse96I4U3lccRHZWd2s="; + presharedKeyFile = config.sops.secrets.wg_epicenter_works_psk.path; + allowedIPs = [ "10.14.1.0/24" "10.14.2.0/24" "10.14.11.0/24" "10.14.40.0/24" "10.25.0.0/24" "10.50.60.0/24" ]; + } + ]; + }; + wg_ghetto_at = { + ips = [ "10.43.98.2/32" ]; + # publicKey: o0FsoHL7ymwuDYmWA5N1mngbGT1sZJnhK6zhJkuEtzE= + privateKeyFile = config.sops.secrets.wg_ghetto_at_key.path; + peers = [ + { + endpoint = "vpn.ghetto.at:51820"; + publicKey = "v4pr6tzS0Xpwh/mWTohxxvCRaAj2B4bqtJnNOu9v2Xs="; + allowedIPs = [ "10.43.0.0/16" ]; + } + ]; + }; }; } diff --git a/hosts/fw.cloonar.com/secrets.yaml b/hosts/fw.cloonar.com/secrets.yaml index da7020b..af33ddc 100644 --- a/hosts/fw.cloonar.com/secrets.yaml +++ b/hosts/fw.cloonar.com/secrets.yaml 
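Review bot: The `environment.etc.shairport` block writes the MQTT password `insecure-password` for user `espresense` into `/etc/shairport` (mode 0440, but also into the world-readable Nix store), yet nothing can read it: shairport-sync is built with `--sysconfdir=/etc` and looks for `/etc/shairport-sync.conf`, the file's first line is the manual's placeholder `whatever you want to put in the file goes here.` (a libconfig parse error if it were read), `--with-mqtt-client` is commented out of `configureFlags`, and the `# Creates /etc/nanorc` comment is from the same example. The block is dead configuration that leaks a credential; drop it, or rename it to `environment.etc."shairport-sync.conf"`, remove the placeholder line, re-enable `--with-mqtt-client`, and take the password from a sops secret instead of a literal. The firewall additions open 80/443, snapcast 1704/1705, AirPlay 5000 and mDNS 5353 on every interface; AirPlay and mDNS are LAN-only protocols and, assuming the NixOS firewall is active alongside the nftables ruleset, should be limited via `networking.firewall.interfaces.<lan>.allowed*Ports`. `python3Packages` in the module's argument set is not an argument the module system supplies, so evaluation should fail unless `_module.args` provides it; it is unused and can go.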
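Review bot: The first hunk switches `privateKeyFile` to `config.sops.secrets.wg_cloonar_key.path` and the second references `wg_epicenter_works_key`, `wg_epicenter_works_psk` and `wg_ghetto_at_key`, but the only declaration in this file is the untouched `sops.secrets.wg0_key = {};` above the hunk; the host `secrets.yaml` hunk adds the encrypted values, yet without `sops.secrets.<name>` entries those attributes do not exist and evaluation fails — unless they are declared in a file outside this patch, in which case `wg0_key` is now a dangling declaration for a key I do not see in the visible part of `secrets.yaml`. The ghetto.at peer has no `presharedKeyFile` while the epicenter one does; fine if that peer cannot do PSKs, but a one-line comment would stop someone from "fixing" it. Neither new interface sets `persistentKeepalive`; harmless if the router's WAN address is static and public, but if either side is behind NAT the tunnel goes silent after idle. Declarations to add next to the existing one:
```nix
sops.secrets.wg_cloonar_key = { };
sops.secrets.wg_epicenter_works_key = { };
sops.secrets.wg_epicenter_works_psk = { };
sops.secrets.wg_ghetto_at_key = { };
# … unchanged: networking.wireguard.interfaces …
```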
@@ -1,4 +1,13 @@ +borg-passphrase: ENC[AES256_GCM,data:jHb+yXK0RqNdVYtWiueztZFlHC/xQ6ZiAOUcLt6BxmZQewuL3mh4AZ+lQdmA/4EaaTTIhVMR3xFx5fU6b2CtNLiGb/0=,iv:IW09B1EE1OupMCOvv13MXRYiMsD4VmIfyYONUyrPX1c=,tag:3ankeLOaDJkwRUGCd72DuA==,type:str] +borg-ssh-key: ENC[AES256_GCM,data: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,iv:9E1uiPqM3Hh4KWtL8haxm6PRm2VPc+DggrA135FvfB8=,tag:QSOgzVH9IBMgZxJvUhvY2w==,type:str] wrwks_vpn_key: ENC[AES256_GCM,data:gGipXC8JJO59b4KWMSo0+r761raQl7RzgBuUbXmPEKlZR21bs5XRAQalzDCFNtjcpNkXiGqAHCLkDTtjPagMsw==,iv:MH1EBJEOdQDEgm9E0F884fynhsH8KiS5QSc605XbASQ=,tag:FUM1eptHS0rpt6ILyQjGOg==,type:str] +wg_cloonar_key: ENC[AES256_GCM,data:Dtp6I5J0jU5LLVwEFU4DFCpUngPRmFMebGXnk2oSwsKtsir/DtRBFG7ictM=,iv:1Abx/EAZRJrRQURljofzUYDgJpuREriX0nSrFbH5Npw=,tag:l4uFl9Uc+W0XeLVfLGmgZA==,type:str] +wg_epicenter_works_key: ENC[AES256_GCM,data:LeLjfwfaz+loWyHYRgIMIPzHzlOnhl9tluKcQFgdes6r+deft1JfnUzDuF0=,iv:DKrc3I+U2hWDH8nnc8ZQeaVtA1eVXu7SXdTn1fxHoH4=,tag:V0PL0GrL2NEPVslAZa801A==,type:str] +wg_epicenter_works_psk: ENC[AES256_GCM,data:Den3NDWdP013Or6/2Vll1igUahuRSNW4hu+nDa5vkr93bbveQTaWFT4TD4U=,iv:r3UsD3+3lUIP2X3Grti7wpXTQBXtu1/MdrycEmpZfsI=,tag:ghbAcxmjGVOe9jCZsmFzjA==,type:str] +wg_ghetto_at_key: ENC[AES256_GCM,data:OIHmoy3SpIi9aefZnZ1PzpyHbEso18ceoTULf2eQkx1rJbaxC6PD1lma7eQ=,iv:u0eFjHHOBzPTmBvBEQsYY5flcBayiAQKd6e7RyiPwJI=,tag:731C9wvv8bA5fuuQq+weVQ==,type:str] +drone: ENC[AES256_GCM,data:S8WTZqGHfcdpSojavZ87GdE5dagcTAdHBVQEbHHgnB4V7aczS6c5QdEJxK920Pjpf6o54OOQYniVsPiiXSxwjExDKPzhs/DG2hfigmf8RgfkP+3tF2W0KiPmV2jxog8w226ZKnI+hSBs8tuIfJBhrpY7Y/YNmTPfq+cnnLS8ibYqytcpzoogI9I8THzHCu3r+yejoGSyTMs9L4gPhOjz5aK4UV6V,iv:zqN/aSBI3xGGNDnpHPGyQnQP2YZOGUk6dAGtON/QlHU=,tag:o9YFDKAB5uR9lPmChyxB8g==,type:str] +home-assistant-ldap: ENC[AES256_GCM,data:uZEPbSnkgQYSd8ev6FD8TRHWWr+vusadtMcvP7KKL2AZAV0h1hga5fODN6I5u0DNL9hq2pNM+FwU0E/svWLRww==,iv:IhmUgSu34NaAY+kUZehx40uymydUYYAyte1aGqQ33/8=,tag:BKFCJPr7Vz4EG78ry/ZD7g==,type:str] +home-assistant-secrets.yaml: 
ENC[AES256_GCM,data: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,iv:r5Vb1ucVrMD0xZOuVnyRJ4El5sCBru/4nOV74pz+tA0=,tag:SwrBmA++GWVzf/0lWSuCpg==,type:str] sops: kms: [] gcp_kms: [] @@ -23,8 +32,8 @@ sops: dTNvbDlqMmYyQXJsTlFWWHpVZlZzWEUK18tC5iPbbcr9pNvPy67XzQttnizp8huI faFSGZLKdc7F32F39yw9hAu8QpYBQ+Sb6ucYxZ4pIAKNX+9ICGcnTA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-11-10T18:21:41Z" - mac: ENC[AES256_GCM,data:ejqFUPuyQC5YC5zcB/T8MwpUnb9JE9kCaWelzKf5qceXjD2XbcYHVbFAV2mNb+VwFTRCWAazNzIXGB3KiS9FBts2LfGbuzmjxN3WzcnW9n5oWSME9DMdnYzpI6Rkz35coIFZglaEx+m/DCXzVWTzah/I+zxtK3EiXFNhkCHxlCs=,iv:XK0iRQ/l4eHemzbMHFJ2Y6yW9Ar1GGYBkoYUzxO7k8w=,tag:lfxNcfuktoioXDa0SmDFXw==,type:str] + lastmodified: "2023-11-26T23:25:28Z" + mac: ENC[AES256_GCM,data:T7d81ypM42KVs4nUrftnvljRN4xnA2R9Y/HpPLum/gpX5k/ng6w557sl3Q6aFq8FnDgHBGrcab5N3SIYNte6eXARDhG/nqTj/XlpzQPOwDip9ZvHuOTyKDWs5CK5Q0C2m4YqrwyEt66IyS7ZBTeKjR+nP67PxoULjZNsEY7CPSc=,iv:zO24RWNGVNmu/G+MATNwpplcLtNEou9CmN8DdlrHA80=,tag:KQcsI82F5EJRf7Cfp390Sw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3 diff --git a/hosts/nb-01.cloonar.com/configuration.nix b/hosts/nb-01.cloonar.com/configuration.nix index 37dbeaf..878f19d 100644 --- a/hosts/nb-01.cloonar.com/configuration.nix +++ b/hosts/nb-01.cloonar.com/configuration.nix @@ -16,16 +16,9 @@ ./modules/sway/sway.nix # ./modules/gnome.nix ./modules/printer.nix - ./modules/nvidia.nix ./modules/nvim/default.nix - # ./modules/tuxedo.nix ./utils/modules/autoupgrade.nix - # ./pkgs/howdy/howdy-module.nix - # ./pkgs/howdy/ir-toggle-module.nix - - # ./modules/howdy - ./hardware-configuration.nix ]; diff --git a/hosts/nb-01.cloonar.com/hardware-configuration.nix b/hosts/nb-01.cloonar.com/hardware-configuration.nix index ed9ae58..e90a71c 100644 --- a/hosts/nb-01.cloonar.com/hardware-configuration.nix +++ b/hosts/nb-01.cloonar.com/hardware-configuration.nix 
@@ -23,18 +23,9 @@ }; boot.initrd = { - luks = { - # yubikeySupport = true; - devices."nixos-enc" = { + luks.devices."nixos-enc" = { crypttabExtraOpts = [ "fido2-device=auto" ]; device = "/dev/disk/by-uuid/7435d48f-f942-485b-9817-328ad3fc0b93"; - # yubikey = { - # slot = 2; - # twoFactor = false; - # storage = { - # device = "/dev/disk/by-uuid/C281-E509"; - # }; - # }; }; }; systemd.enable = true; diff --git a/hosts/nb-01.cloonar.com/modules/nvidia.nix b/hosts/nb-01.cloonar.com/modules/nvidia.nix deleted file mode 100644 index 7303dc0..0000000 --- a/hosts/nb-01.cloonar.com/modules/nvidia.nix +++ /dev/null @@ -1,53 +0,0 @@ -{config, lib, pkgs, ...}: { - programs.steam = { - enable = true; - }; - - hardware.opengl = { - enable = true; - driSupport = true; - driSupport32Bit = true; - }; - - services.xserver.videoDrivers = ["nvidia"]; - - hardware.nvidia = { - # Modesetting is required. - modesetting.enable = true; - - powerManagement.enable = false; - powerManagement.finegrained = false; - - open = false; - - nvidiaSettings = true; - - package = config.boot.kernelPackages.nvidiaPackages.stable; - }; - - # boot.initrd.kernelModules = [ "nvidia" ]; - boot.extraModulePackages = [ - config.boot.kernelPackages.nvidia_x11 - ]; - - hardware.nvidia.prime = { - offload = { - enable = true; - enableOffloadCmd = true; - }; - # Make sure to use the correct Bus ID values for your system! - amdgpuBusId = "PCI:193:0:0"; - nvidiaBusId = "PCI:100:0:0"; - }; - - specialisation = { - gaming.configuration = { - system.nixos.tags = [ "gaming" ]; - hardware.nvidia = { - prime.offload.enable = lib.mkForce false; - prime.offload.enableOffloadCmd = lib.mkForce false; - prime.sync.enable = lib.mkForce true; - }; - }; - }; -} diff --git a/utils/pkgs/ykfde/scripts/ykfde_enroll b/utils/pkgs/ykfde/scripts/ykfde_enroll index fc618a6..e7af997 100755 --- a/utils/pkgs/ykfde/scripts/ykfde_enroll +++ b/utils/pkgs/ykfde/scripts/ykfde_enroll 
@@ -1,3 +1,5 @@ +#!/bin/bash -p + set -euo pipefail if [ "$EUID" -ne 0 ]