many changes to fw, small fixes to nb

hosts/fw.cloonar.com/configuration.nix

@@ -11,6 +11,7 @@
     ./utils/modules/borgbackup.nix
     ./utils/modules/netdata.nix
 
+    # fw
     ./modules/networking.nix
     ./modules/firewall.nix
     ./modules/dhcp4.nix
@@ -19,6 +20,19 @@
     ./modules/openconnect.nix
     ./modules/wireguard.nix
 
+    # git
+    ./modules/gitea.nix
+    ./modules/drone/server.nix
+    ./modules/drone/runner.nix
+    ./modules/fwmetrics.nix
+    
+    # home assistant
+    ./modules/home-assistant.nix
+    ./modules/mopidy.nix
+    ./modules/mosquitto.nix
+    ./modules/snapserver.nix
+    ./modules/deconz
+
     ./hardware-configuration.nix
   ];
 

hosts/fw.cloonar.com/modules/deconz/default.nix

@@ -0,0 +1,60 @@
+{ config, lib, pkgs, stdenv, ... }:
+let
+  deconz-full = pkgs.callPackage ./pkg/default.nix { };
+  deconz = deconz-full.deCONZ;
+in
+{
+  environment.systemPackages = with pkgs; [
+    deconz
+  ];
+
+
+  users.users."deconz" = {
+    createHome = true;
+    isSystemUser = true;
+    group = "dialout";
+    home = "/home/deconz";
+  };
+
+  systemd.services.deconz = {
+    enable = true;
+    description = "deconz";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    stopIfChanged = false;
+    serviceConfig = {
+      ExecStart = "${deconz}/bin/deCONZ -platform minimal --http-port=8080 --ws-port=8081 --http-listen=127.0.0.1 --dev=/dev/ttyACM0";
+      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+      Restart = "always";
+      RestartSec = "10s";
+      # StartLimitInterval = "1min";
+      # StateDirectory = "/var/lib/deconz";
+      User = "deconz";
+      # DeviceAllow = "char-ttyUSB rwm";
+      # DeviceAllow = "char-usb_device rwm";
+      # AmbientCapabilities="CAP_NET_BIND_SERVICE CAP_KILL CAP_SYS_BOOT CAP_SYS_TIME";
+    };
+  };
+
+  services.nginx.virtualHosts."deconz.cloonar.com" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    extraConfig = ''
+      proxy_buffering off;
+    '';
+    locations."/".extraConfig = ''
+      set $p 8080;
+      if ($http_upgrade = "websocket") {
+          set $p 8081;
+      }
+      proxy_pass http://127.0.0.1:$p;
+      proxy_set_header Host $host;
+      proxy_redirect http:// https://;
+      proxy_http_version 1.1;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection $connection_upgrade;
+    '';
+  };
+}

hosts/fw.cloonar.com/modules/deconz/pkg/default.nix

@@ -0,0 +1,50 @@
+{ config, pkgs, stdenv, buildFHSUserEnv, fetchurl, dpkg, qt5, sqlite, hicolor-icon-theme, libcap, libpng, libxcrypt-legacy, ... }:
+#ith import <nixpkgs> {};
+let
+version = "2.21.02";
+name = "deconz-${version}";
+in
+rec {
+  deCONZ-deb = stdenv.mkDerivation {
+    #builder = ./builder.sh;
+    inherit name;
+    dpkg = dpkg;
+    src = fetchurl {
+      url = "https://deconz.dresden-elektronik.de/ubuntu/stable/${name}-qt5.deb";
+      sha256 = "2d5ab8af471ffa82fb0fd0c8a2f0bb09e7c0bd9a03ef887abe49c616c63042f0";
+    };
+
+    dontConfigure = true;
+    dontBuild = true;
+    dontStrip = true;
+
+    buildInputs = [ dpkg sqlite hicolor-icon-theme libcap libpng qt5.qtbase qt5.qtserialport qt5.qtwebsockets qt5.wrapQtAppsHook libxcrypt-legacy ]; # qt5.qtserialport qt5.qtwebsockets ];
+
+    unpackPhase = "dpkg-deb -x $src .";
+    installPhase = ''
+      cp -r usr/* .
+      cp -r ${libxcrypt-legacy}/lib/* share/deCONZ/plugins/
+      cp -r share/deCONZ/plugins/* lib/
+      cp -r . $out
+    '';
+
+  };
+  deCONZ = buildFHSUserEnv {
+    name = "deCONZ";
+    targetPkgs = pkgs: [
+      deCONZ-deb
+    ];
+    multiPkgs = pkgs: [
+      dpkg
+      qt5.qtbase
+      qt5.qtserialport
+      qt5.qtwebsockets
+      qt5.wrapQtAppsHook
+      sqlite
+      hicolor-icon-theme
+      libcap
+      libpng
+    ];
+    runScript = "deCONZ";
+  };
+}

hosts/fw.cloonar.com/modules/drone/runner.nix

@@ -0,0 +1,48 @@
+{ config, pkgs, ... }:
+
+{
+  virtualisation.docker.enable = true;
+
+  users.users.drone-runner = {
+    isSystemUser = true;
+    group = "drone-runner";
+    home = "/var/lib/drone-runner";
+    createHome = true;
+  };
+  users.groups.drone-runner = { };
+  users.groups.docker.members = [ "drone-runner" ];
+
+  systemd.services.drone-runner = {
+    description = "Drone Runner (CI CD Service)";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    path = [ pkgs.docker ];
+
+    serviceConfig = {
+      # Type = "simple";
+      Name = "drone-runner";
+      User = "drone-runner";
+      Group = "drone-runner";
+      Restart = "always";
+      ExecStartPre= ''
+        -${pkgs.docker}/bin/docker stop %n \
+        -${pkgs.docker}/bin/docker rm %n \
+        ${pkgs.docker}/bin/docker pull drone/drone:2.20.0
+      '';
+      ExecStart= ''
+        ${pkgs.docker}/bin/docker run --rm --name %n \
+        --volume=/var/run/docker.sock:/var/run/docker.sock \
+        --env-file=/run/secrets/drone-runner \
+        --env=DRONE_RPC_PROTO=https \
+        --env=DRONE_RPC_HOST=drone.cloonar.com \
+        --env=DRONE_RUNNER_CAPACITY=2 \
+        drone/drone-runner-docker:1.8.3
+      '';
+    };
+  };
+
+  sops.secrets.drone-runner = {
+    owner = config.systemd.services.drone-runner.serviceConfig.User;
+    key = "drone";
+  };
+}

hosts/fw.cloonar.com/modules/drone/secrets.yaml

@@ -0,0 +1,30 @@
+drone: ENC[AES256_GCM,data:Z1Rjso+5XYfvp2xJDXCQkI88GXl83v2oEkMLmOV/rb0DwRmhxCYzYX6fcdidk271Drf1YaPstVvm2LQB38jlBnJtg98aAGegj2fWfT44IbPIi8qDe93M2gFxFDgosoA2eOS2MjEwyBDp9GEUnKyi2gHR8khnTCvegVIntsusWOW/1tbzymKXavZAJUlX+82d/+6NWUEcnbislxhyph8P1Lgw546q,iv:SllCBHlq8ZCBqOHwMaCUcX6D/VDWsbN7uICZKb/R35w=,tag:mEb4E02VUaYGVjyI30FcXA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0OW1JN0hjYjh4cDlmLyt6
+            dHRlSjN6Y1JWUFdzNWlZZ3c0Z2F4bXBCa1NFCjM3b3pPZVhtbDdob3lsR2xlMmJI
+            bjRRMHFjQ2kwWWJKT1p5VW5NVGJuZ3MKLS0tICtRcTFoSmxyeUhaaVlxQUxRWkJl
+            SXR2M293UFBxNFovRnlTQ1o4SzloaEEK+onGdd/7aEF71ibLoLXE5/SbJQWsKigh
+            h8BhfT1z9P5UYNoGHVv8Ry6LndyrBLEv+PUBuT0XJpEVPjKLm99KbQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age106n5n3rrrss45eqqzz8pq90la3kqdtnw63uw0sfa2mahk5xpe30sxs5x58
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyL3dDczRNMjNQUWVjelR5
+            TG93QUFjVGtMNFplaTErOTJjT2dHbWtWUVNzCjNTV0tUY2hpcnp1SDZ4UTB2aFNI
+            M2JwSkdNS0RFQVlPRUNzRG41aW5aS3cKLS0tIEJtaTRXdTI3NGJxZENJTk9jT1hi
+            N3RLRjdkMmZkSmZWZGlYbXRRUTJOZFEK2bJo7iyE3A5ds7tW5bAHgyfGqgH4cRjY
+            hLzYp083QYbXKAqP1w8a3JFXofv1RWd7tUb61I6R4Rd6hXZUv1a5Qw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-02-10T12:35:53Z"
+    mac: ENC[AES256_GCM,data:44J9abLbHkvjAtIUqXVZlcEAnizgg5yxKwyaZhnqIzzebWEpzqcKP6b72blaD7/jSdAiUo7bk/m4BxKVGHf9XKGxyLastbgYoFtz40rsKg9LOKpEfO2kl3JV5dj7C1f8IgsHWZ8L3Vb6KFKcrK2bzjZ5K5p22hCze4lQbK7CZTE=,iv:TE+6juCOTjTrx5nQhi8W5gaZkMFYrEDtoPrGdSTJSNE=,tag:AVsCIkzPjtfk3uSlsv6Dlg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

hosts/fw.cloonar.com/modules/drone/server.nix

@@ -0,0 +1,63 @@
+{ config, pkgs, ... }:
+
+{
+  virtualisation.docker.enable = true;
+
+  users.users.drone-server = {
+    isSystemUser = true;
+    group = "drone-server";
+    home = "/var/lib/drone-server";
+    createHome = true;
+  };
+  users.groups.drone-server = { };
+  users.groups.docker.members = [ "drone-server" ];
+
+  systemd.services.drone-server = {
+    description = "Drone Server (CI CD Service)";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    path = [ pkgs.docker ];
+
+    serviceConfig = {
+      # Type = "simple";
+      Name = "drone-server";
+      User = "drone-server";
+      Group = "drone-server";
+      Restart = "always";
+      ExecStartPre= ''
+        -${pkgs.docker}/bin/docker stop %n \
+        -${pkgs.docker}/bin/docker rm %n \
+        ${pkgs.docker}/bin/docker pull drone/drone:2.20.0
+      '';
+      ExecStart= ''
+        ${pkgs.docker}/bin/docker run --rm --name %n \
+        --env-file=/run/secrets/drone-server \
+        --env=DRONE_AGENTS_ENABLED=true \
+        --env=DRONE_GITEA_SERVER=https://git.cloonar.com \
+        --env=DRONE_GITEA_CLIENT_ID=6a7b8c57-bd71-49c8-b67d-c2de68fda649 \
+        --env=DRONE_GIT_ALWAYS_AUTH=true \
+        --env=DRONE_SERVER_HOST=drone.cloonar.com \
+        --env=DRONE_SERVER_PROTO=https \
+        --env=DRONE_USER_CREATE=username:dominik.polakovics,admin:true \
+        -v /var/lib/drone:/data \
+        --publish=8080:80 \
+        drone/drone:2
+      '';
+    };
+  };
+
+  services.nginx.enable = true;
+  services.nginx.virtualHosts."drone.cloonar.com" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    locations."/" = {
+      proxyPass = "http://localhost:8080";
+    };
+  };
+
+  sops.secrets.drone-server = {
+    owner = config.systemd.services.drone-server.serviceConfig.User;
+    key = "drone";
+  };
+}

hosts/fw.cloonar.com/modules/firewall.nix

@@ -9,7 +9,7 @@
           # enable flow offloading for better throughput
           flowtable f {
             hook ingress priority 0;
-            devices = { lan, server, wg0, smart, multimedia, guest };
+            devices = { lan, server, wg_cloonar, smart, multimedia, guest };
           }
 
           chain output {
@@ -22,16 +22,16 @@
             # Allow trusted networks to access the router
             iifname {
               "lan",
-              "wg0"
+              "wg_cloonar"
             } counter accept
 
             # Accept mDNS for avahi reflection
             iifname "multimedia" ip saddr <chromecast IP> tcp dport { llmnr } counter accept
             iifname "multimedia" ip saddr <chromecast IP> udp dport { mdns, llmnr } counter accept
 
-            # Allow returning traffic from wg0 and drop everthing else
-            iifname "wg0" ct state { established, related } counter accept
-            iifname "wg0" drop
+            # Allow returning traffic from wg_cloonar and drop everthing else
+            iifname "wg_cloonar" ct state { established, related } counter accept
+            iifname "wg_cloonar" drop
           }
 
           chain forward {
@@ -44,7 +44,7 @@
             iifname "multimedia" oifname { "lan" } counter accept
 
             # lan and vpn to any
-            iifname { "lan", "wg0" } oifname { "server", "multimedia", "smart", "wrwks" } counter accept
+            iifname { "lan", "wg_cloonar" } oifname { "server", "multimedia", "smart", "wrwks", "wg_epicenter_works", "wg_ghetto_at" } counter accept
 
             # Allow trusted network WAN access
             iifname {
@@ -52,7 +52,7 @@
               "server",
               "multimedia",
               "smart",
-              "wg0",
+              "wg_cloonar",
             } oifname {
               "wan",
             } counter accept comment "Allow trusted LAN to WAN"
@@ -65,7 +65,7 @@
               "server",
               "multimedia",
               "smart",
-              "wg0",
+              "wg_cloonar",
             } ct state established,related counter accept comment "Allow established back to LANs"
           }
         }
@@ -78,7 +78,7 @@
           # Setup NAT masquerading on the ppp0 interface
           chain postrouting {
             type nat hook postrouting priority filter; policy accept;
-            oifname { "wan", "wrwks" } masquerade
+            oifname { "wan", "wrwks", "wg_epicenter_works", "wg_ghetto_at" } masquerade
           }
         }
       '';

hosts/fw.cloonar.com/modules/fwmetrics.nix

@@ -0,0 +1,34 @@
+{ config, pkgs, ... }:
+let
+  configure_prom = builtins.toFile "prometheus.yml" ''
+    scrape_configs:
+    - job_name: '${config.networking.hostName}'
+      stream_parse: true
+      static_configs:
+      - targets:
+        - 127.0.0.1:9100
+    - job_name: 'fw'
+      stream_parse: true
+      static_configs:
+      - targets:
+        - fw.cloonar.com:9100
+  '';
+in {
+  sops.secrets.victoria-agent-env = {
+    sopsFile = ../utils/modules/victoriametrics/secrets.yaml;
+  };
+
+  services.prometheus.exporters.node.enable = true;
+  
+  systemd.services.export-fw-to-prometheus = {
+    path = with pkgs; [victoriametrics];
+    enable = true;
+    after = ["network-online.target"];
+    wantedBy = ["multi-user.target"];
+    script = "vmagent -promscrape.config=${configure_prom} -envflag.enable -remoteWrite.url=https://victoria-server.cloonar.com/api/v1/write";
+
+    serviceConfig = {
+      EnvironmentFile=config.sops.secrets.victoria-agent-env.path;
+    };
+  };
+}

hosts/fw.cloonar.com/modules/gitea.nix

@@ -0,0 +1,36 @@
+{ config, ... }:
+let
+  domain = "git.cloonar.com";
+in
+{
+  services.nginx.virtualHosts."${domain}" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://localhost:3001/";
+    };
+  };
+
+  services.gitea = {
+    enable = true;
+    appName = "Cloonar Gitea server"; # Give the site a name
+    settings = {
+      server = {
+        ROOT_URL = "https://${domain}/";
+        HTTP_PORT = 3001;
+        DOMAIN = domain;
+      };
+      openid = {
+        ENABLE_OPENID_SIGNIN = false;
+        ENABLE_OPENID_SIGNUP = true;
+        WHITELISTED_URIS     = "auth.example.com";
+      };
+      service = {
+        DISABLE_REGISTRATION                          = false;
+        ALLOW_ONLY_EXTERNAL_REGISTRATION              = true;
+        SHOW_REGISTRATION_BUTTON                      = false;
+      };
+      webhook.ALLOWED_HOST_LIST = "drone.cloonar.com";
+    };
+  };
+}

hosts/fw.cloonar.com/modules/home-assistant.nix

@@ -0,0 +1,55 @@
+{ ... }: {
+  virtualisation = {
+    podman = {
+      enable = true;
+
+      # Create a `docker` alias for podman, to use it as a drop-in replacement
+      dockerCompat = true;
+
+      # Required for containers under podman-compose to be able to talk to each other.
+      defaultNetwork.settings.dns_enabled = true;
+      # For Nixos version > 22.11
+      #defaultNetwork.settings = {
+      #  dns_enabled = true;
+      #};
+    };
+  };
+
+  virtualisation.oci-containers = {
+    backend = "podman";
+    containers.homeassistant = {
+      volumes = [ "home-assistant:/config" ];
+      environment.TZ = "Europe/Vienna";
+      image = "ghcr.io/home-assistant/home-assistant:2023.9.3";
+      extraOptions = [ 
+        "--network=host" 
+        "--device=/dev/serial/by-id/usb-EnOcean_GmbH_EnOcean_USB_300_DC_FT5OI9YG-if00-port0:/dev/serial/by-id/usb-EnOcean_GmbH_EnOcean_USB_300_DC_FT5OI9YG-if00-port0"
+      ];
+    };
+  };
+
+  services.nginx.virtualHosts."home-assistant.cloonar.com" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    extraConfig = ''
+      proxy_buffering off;
+    '';
+    locations."/".extraConfig = ''
+      proxy_pass http://127.0.0.1:8123;
+      proxy_set_header Host $host;
+      proxy_redirect http:// https://;
+      proxy_http_version 1.1;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection $connection_upgrade;
+    '';
+  };
+
+  networking.firewall = {
+    allowedUDPPorts = [
+      5683 # shelly coiot
+    ];
+  };
+}
+

hosts/fw.cloonar.com/modules/mopidy.nix

@@ -0,0 +1,59 @@
+{ pkgs, lib, ... }:
+let
+mopidy-autoplay = pkgs.python3Packages.buildPythonApplication rec {
+  pname = "Mopidy-Autoplay";
+  version = "0.2.3";
+
+  src = pkgs.python3Packages.fetchPypi {
+    inherit pname version;
+    sha256 = "sha256-E2Q+Cn2LWSbfoT/gFzUfChwl67Mv17uKmX2woFz/3YM=";
+  };
+
+  propagatedBuildInputs = [
+    pkgs.mopidy
+  ] ++ (with pkgs.python3Packages; [
+    configobj
+  ]);
+
+  # no tests implemented
+  doCheck = false;
+
+  meta = with lib; {
+    homepage = "https://codeberg.org/sph/mopidy-autoplay";
+  };
+};
+in
+{
+  services.mopidy = {
+    enable = true;
+    extensionPackages = [ pkgs.mopidy-iris pkgs.mopidy-tunein mopidy-autoplay ];
+    configuration = ''
+      [audio]
+      output = audioresample ! audioconvert ! audio/x-raw,rate=48000,channels=2,format=S16LE ! wavenc ! filesink location=/run/snapserver/mopidy
+
+      [file]
+      enabled = false
+
+      [autoplay]
+      enabled = true
+    '';
+  };
+
+  services.nginx.virtualHosts."mopidy.cloonar.com" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    extraConfig = ''
+      proxy_buffering off;
+    '';
+    locations."/".extraConfig = ''
+      proxy_pass http://127.0.0.1:6680;
+      proxy_set_header Host $host;
+      proxy_redirect http:// https://;
+      proxy_http_version 1.1;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection $connection_upgrade;
+    '';
+  };
+}

hosts/fw.cloonar.com/modules/mosquitto.nix

@@ -0,0 +1,32 @@
+{ config, pkgs, ... }:
+
+{
+  services.mosquitto = {
+    enable = true;
+
+    listeners = [
+      {
+        users."espresense" = {
+          password = "insecure-password";
+          acl = [ "readwrite #" ];
+        };
+        users."home-assistant" = {
+          hashedPassword = "$7$101$7uaagoQWQ3ICJ/wg$5cWZs4ae4DjToe44bOzpDopPv1kRaaVD+zF6BE64yDJH2/MBqXfD6f2/o9M/65ArhV92DAK+txXRYsEcZLl45A==";
+          acl = [ "readwrite #" ];
+        };
+        users."ps5-mqtt" = {
+          password = "insecure-password";
+          acl = [ "readwrite #" ];
+        };
+        users."shairport-mqtt" = {
+          password = "insecure-password";
+          acl = [ "readwrite #" ];
+        };
+      }
+    ];
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [ 1883 ];
+  };
+}

hosts/fw.cloonar.com/modules/snapserver.nix

@@ -0,0 +1,128 @@
+{ pkgs, config, python3Packages, ... }:
+let
+shairport-sync = pkgs.shairport-sync.overrideAttrs (_: {
+  configureFlags = [
+    "--with-alsa" "--with-pipe" "--with-pa" "--with-stdout"
+    "--with-avahi" "--with-ssl=openssl" "--with-soxr"
+    # "--with-mqtt-client"
+    "--without-configfiles"
+    "--sysconfdir=/etc"
+    "--with-metadata"
+  ];
+  # buildInputs = [
+  #   pkgs.openssl
+  #   pkgs.avahi
+  #   pkgs.popt
+  #   pkgs.libconfig
+  #   pkgs.mosquitto
+  #   pkgs.alsa-lib
+  #   pkgs.libpulseaudio
+  #   pkgs.pipewire
+  #   pkgs.libjack2
+  #   pkgs.soxr
+  # ];
+});
+in
+{
+  environment.etc = {
+    # Creates /etc/nanorc
+    shairport = {
+      text = ''
+        whatever you want to put in the file goes here.
+        metadata =
+        {
+          enabled = "yes"; // set this to yes to get Shairport Sync to solicit metadata from the source and to pass it on via a pipe
+          include_cover_art = "yes"; // set to "yes" to get Shairport Sync to solicit cover art from the source and pass it via the pipe. You must also set "enabled" to "yes".
+          cover_art_cache_directory = "/tmp/shairport-sync/.cache/coverart"; // artwork will be  stored in this directory if the dbus or MPRIS interfaces are enabled or if the MQTT client is in use. Set it to "" to prevent caching, which may be useful on some systems
+          pipe_name = "/tmp/shairport-sync-metadata";
+          pipe_timeout = 5000; // wait for this number of milliseconds for a blocked pipe to unblock before giving up
+        };
+
+
+        mqtt =
+        {
+          enabled = "yes"; // set this to yes to enable the mqtt-metadata-service
+          hostname = "127.0.0.1"; // Hostname of the MQTT Broker
+          port = 1883; // Port on the MQTT Broker to connect to
+          username = "espresense"; //set this to a string to your username in order to enable username authentication
+          password = "insecure-password"; //set this to a string you your password in order to enable username & password authentication
+          topic = "shairport"; //MQTT topic where this instance of shairport-sync should publish. If not set, the general.name value is used.
+          //	publish_raw = "no"; //whether to publish all available metadata under the codes given in the 'metadata' docs.
+          publish_parsed = "yes"; //whether to publish a small (but useful) subset of metadata under human-understandable topics
+          publish_cover = "yes"; //whether to publish the cover over mqtt in binary form. This may lead to a bit of load on the broker
+          //	enable_remote = "no"; //whether to remote control via MQTT. RC is available under `topic`/remote.
+        };
+      '';
+
+      # The UNIX file mode bits
+      mode = "0440";
+    };
+  };
+
+  services.snapserver = {
+    enable = true;
+    codec = "flac";
+    http.docRoot = "${pkgs.snapcast}/share/snapserver/snapweb";
+    streams.mopidy  = {
+      type = "pipe";
+      location = "/run/snapserver/mopidy";
+    };
+    streams.airplay = {
+      type = "airplay";
+      location = "${shairport-sync}/bin/shairport-sync";
+      query = {
+        devicename = "Multi Room";
+        port = "5000";
+        params = "--mdns=avahi";
+      };
+    };
+    streams.mixed = {
+      type = "meta";
+      location = "/airplay/mopidy";
+    };
+  };
+
+  services.avahi.enable = true;
+  services.avahi.publish.enable = true;
+  services.avahi.publish.userServices = true;
+
+  # services.shairport-sync = {
+  #   enable = true;
+  #   arguments = "-v -o=pipe -- pipe:name=/run/snapserver/airplay";
+  # };
+
+  services.nginx.virtualHosts."snapcast.cloonar.com" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    extraConfig = ''
+      proxy_buffering off;
+    '';
+    locations."/".extraConfig = ''
+      proxy_pass http://127.0.0.1:1780;
+      proxy_set_header Host $host;
+      proxy_redirect http:// https://;
+      proxy_http_version 1.1;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection $connection_upgrade;
+    '';
+  };
+
+
+  networking.firewall.allowedTCPPorts = [
+    80 # http
+    443 # https
+    1704 # snapcast
+    1705 # snapcast
+    5000 # airplay
+    5353 # airplay
+  ];
+  networking.firewall.allowedUDPPorts = [
+    5000 # airplay
+    5353 # airplay
+  ];
+  networking.firewall.allowedUDPPortRanges = [
+    { from = 6001; to = 6011; } # airplay
+  ];
+}

hosts/fw.cloonar.com/modules/wireguard.nix

@@ -2,11 +2,11 @@
   sops.secrets.wg0_key = {};
 
   networking.wireguard.interfaces = {
-    wg0 = {
+    wg_cloonar = {
       ips = [ "10.42.98.1/24" ];
       listenPort = 51820;
       # publicKey: TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q=
-      privateKeyFile = config.sops.secrets.wg0_key.path;
+      privateKeyFile = config.sops.secrets.wg_cloonar_key.path;
       peers = [
         { # Notebook
           publicKey = "YdlRGsjh4hS3OMJI+t6SZ2eGXKbs0wZBXWudHW4NyS8=";
@@ -18,5 +18,29 @@
         }
       ];
     };
+    wg_epicenter_works = {
+      ips = [ "10.50.60.6/32" ];
+      privateKeyFile = config.sops.secrets.wg_epicenter_works_key.path;
+      peers = [
+        {
+          endpoint = "5.9.131.17:51821";
+          publicKey = "T7jPGSapSudtKyWwi2nu+2hjjse96I4U3lccRHZWd2s=";
+          presharedKeyFile = config.sops.secrets.wg_epicenter_works_psk.path; 
+          allowedIPs = [ "10.14.1.0/24" "10.14.2.0/24" "10.14.11.0/24" "10.14.40.0/24" "10.25.0.0/24" "10.50.60.0/24" ];
+        }
+      ];
+    };
+    wg_ghetto_at = {
+      ips = [ "10.43.98.2/32" ];
+      # publicKey: o0FsoHL7ymwuDYmWA5N1mngbGT1sZJnhK6zhJkuEtzE=
+      privateKeyFile = config.sops.secrets.wg_ghetto_at_key.path;
+      peers = [
+        {
+          endpoint = "vpn.ghetto.at:51820";
+          publicKey = "v4pr6tzS0Xpwh/mWTohxxvCRaAj2B4bqtJnNOu9v2Xs=";
+          allowedIPs = [ "10.43.0.0/16" ];
+        }
+      ];
+    };
   };
 }

hosts/fw.cloonar.com/secrets.yaml

@@ -1,4 +1,13 @@
+borg-passphrase: ENC[AES256_GCM,data:jHb+yXK0RqNdVYtWiueztZFlHC/xQ6ZiAOUcLt6BxmZQewuL3mh4AZ+lQdmA/4EaaTTIhVMR3xFx5fU6b2CtNLiGb/0=,iv:IW09B1EE1OupMCOvv13MXRYiMsD4VmIfyYONUyrPX1c=,tag:3ankeLOaDJkwRUGCd72DuA==,type:str]
+borg-ssh-key: ENC[AES256_GCM,data:ir25XfzLBb/H/YWzxP501hCaLBB4jpiLW7WUcnvguzosT9QeOtBdJ0WB1IndEMtiEgQyE9kyGOJ3QJwzbQNkX6CG96Uzt2mKw8gw8ayUqC+B9zR8eIRYiDKOYs+YREVo7nA5pLLzIc/9jaRicDFMmw1Thmk7UUJKB1DNV49nU9K+nAfrCzk7ZQieY8oaasFD0cvNb4Ndj6f9PWSXkNBwKK52ig4hDeNBs1bdy8nDE8VqlwOo8H2DcYMzdMjKCZDBRccy8NofHEhakCW5OdliFyIHsLkcBHca3Bp46JN7wbo8avPPd9bXGuRiOSWYq50RcyZUovnB3g7Dk3swCyuiFztnStN63+g7ZnGFdYLYDYfuDSPN1W2HCkknmaoT910VNE8sEAMyfXk4tqJv4eW4qmFk2UwPlRCrsk9GtdRQ5wm8muNPHEZ8s2dGkn4WDcjy7SUpgF4UJJZV8iJe74W9BK1Ef+AWWNsNjYfZde3iw1+8Fz1u65u4seFWqQMok/noADpszbpk+YYRoM+5D/YVMx+KeDtoFqnZfULM/BqvAqdYYZtRzojndeNW6Ea4sxDE+XQ5b1OwGFlNAlnuS1fYYPvKojrKNgT9KMwbsvPijU5vFddY8Qpz2h6GKEv/OW87j5UeyDW4l32lvyawBuzczBfiFgCElggGSZHM5rjE4Deb06eQleTioZ79EDXTv5UsPQ6Bc1v5Wvnu8DvxJe4B10vxH70JIGIlmjwo0yhMkxDTN7BkAGQC0QAPhwtURDq+XVufQNjlTUjjH1Q1E4u0Vy19clMs8SStqFeMN02BfWZdS9mbueF5Ehc+8wTfAs43CQFublJ4wfG1PzEbqj9LZdimFe4hCnE2y6Gbf591shugVSAMA3UXQUuvFQmm69i9gz88YSYrkLlVStM+dtXCugZho72xgHtnI+5o19wuoZPRoxe47W0T2kJZZeomtqoAsSo5yr5JeYzYdaHYcK2fgRY0HWgWzOxnVEfX/gRPR3b20Tko6yp9lIDECkXVDQSxptxqIYk+VuETnD9YF2OpYeHZLGoo9OLdEHVZRcuy1S74aAOJGO9SAHLw3eukxG//AZlwcOYjOsYDVt3BjhYZEkYCLg8GkAqV/7bGsxT7pgckNEB2NRYQI9ckqEcEw9CdkYre67HwfPCvAble68VnRzgp+v5s0koVjTURF9FTxvVOXQEbvSpY828idyx6nOaAIHoqpIOFz4jsGE9L4FKamqnlnjzj2Ri/MboT9JQBj8bnIF/ej+dQGpfqZo7zqtu3d0B/9e0xuVTcqI9Bxlqn3D4108I8R37Ctr5OFKloeOZ8HHMsHcBUAzZC6/fWrOspru14YHW2YNj8nBxHve/P3oiTQ/nlXLcBGLoFfI+hOpofccQB8FnkKfTbLSRUGrGY6NJt9RCnZgm2+RUgel77XpsCsT/Q5ZGclBdyk8mSaqVjiNyHCbCV5tF/tWnuvf859S0tcmqbJ0FhIRAvwxFucmfi6FSPX5HEMdRbNV7szrHKSX60u7YA2DBBzv3c/+C2bxq70vhwFelqz7FqpVKwebbE4/a59lZpibzefCoji/TPDJB62/ox5NHHE5qenv7IPcEj3dEmdasbrApAw1UFsFlRCnlg4JIYley/AQx7OzUSImqkG8JWvSJ4JXijhsr9dPFR/cb0srUO88aFNh/ZUQhELZCVnzAsF81Y4w6LTGApMfUVN/yx9MqENGvObywzMls1UJphvzDZzvb+Ue6eqELogN1QcEI/WOirwVtJO6E7IevEtK4xxWsLfRHVjtbLc4QjCWuiyszAPTTttKJ+iC2h14Wj1XoiMpWRiVnj+jI9iWRen96P4glYEfuCYQS6vbGkNDEoZt/FnkLJDbLdjXatmhUoRpvExOtp26ULR/f1lwzLMJBt1qPvhuGur1ru2B1e8+AVte1Cfjmk+xrnxNwkTFLGe89Qjd77wPyQv9h0YrhZ6uDi2zLemhZs2LjW5ZvzV5P4thMDxkhezJHatPHAGa8OfclJOyrRTyW2azdz2A45MNzZtCQcnQdQxBXf+XRskLnhquZfgv66hFITjuF/HeI9cq4HJcrgaOcVj+tBdK1bTCyL2kqKkCpSCbh/Pv6FuAlDXgLjsWwZgOKz8gfTIfXMapPLDYVTbS/PPPABylZflN98FFyeFDHB3Fwn1a6qAJ0mC7+4sowVZ1DIAoflaHqNs5TXyb3KeZGgXj5ZQwhv1z6NySvOS6cHxx0PvkFo99T1NHztxCRERNvBdWSwsr32DTwEvZo5iNPy3lvKI5A+rXc7jlQkUbufbddtLw2iPtt29XyMDOysK010fXzzQRjaz4R8ZaDtHNjqPrynvqFPXRB0VSIrwXS2utU7bmD+0dGX26t9k5qRBi7Gm+iZNKGMnSRsm17bVk5o8q0tb1P1eGL9mexZJJvxolfXVFJJtR8m6vLmUX1LSht/JhoWFElrINl0hviwd1dehmTqdQqWz5/imjF+pVOasrt7XVZ+7T/rDpuwNl375qSZptM1pMUExJ3CvzigpnarXXQxEBYkf0haGvQwPWNVHe/bR/1VooSQkH/mGg1g+rcTqp4yB5hsFu1lNK4ph04WQOqaafg40HBv6e5cOjLkFdEtYNpjyd6sRS+WHk7zzFlfPVlzijq8f+oDH9ALRzNnL1Y2DrX53wx4dBBWvxE1Yhb6Kj6Er4ZDiRLLXo+wJOGCpnNTPJMVaYskZ+LN2e9nS2/ZwbsNBnPHxSqCc1oP4d3yXH0j90VKnWg79aIEOagRvTF/9F6SkkGL9zVuUnoVSPwq97etWWtjGoEORMGY7jkGOK+U391p7Z69Hrv2AejS1BoSDeGcxXasFvINpmc+Hl2c+zOlFBySu2zA39cVlcStUFICA5GCmE5Eum4ED9DXP6RAuicD7YE0qSKbMkfLxIWMCZ6wBcwVUjdt43SI/ZqdpDm3E1kTRg07dE0R091rtfzEiIwBM4xFPJBafOx0L/Do61YMOHGzi6wgIQO7P7wIslv62M8MD1KKa/eH0tE2vhG/GyEGtKkg3P9vZRJwioifyshS1hvrt5pLinuCaDYyqMAl8Ro0OOm8di7+mBvXib0nRLfW7wBGDA4ADTipizNWAmbspQQl89kH5gdxgXO5U+N/qc0zXbpB+qeHVkPIK1DmrJ8pHLOE8mOpLy7eHUsSku/WtTt/RP4pcDbBU/43MCbk7NXKu/LjKjkQBjAL49LxnYmhEU7X//jtwSPE3gdx0x+wRJxzlbehM6rpfDRV5WQGSFf7yjLc/Ga1KwsgVdAstJEzDdv2vWSsjNzfJvHVBLrQPIC9fggi3DeLiHTAryCUcLUhNj4xtZWhSS1qmx07E4VzfjDJLMOsLY0vlimgngZ3YYCjC3Sw0frfQH2SZvmbLd3XfBdud67ZaMUobcRhnKzQnilldyD1jWVWLdVTup4RVxT4GYek9nmYflzpWWmwbXatz9Sgcw==,iv:9E1uiPqM3Hh4KWtL8haxm6PRm2VPc+DggrA135FvfB8=,tag:QSOgzVH9IBMgZxJvUhvY2w==,type:str]
 wrwks_vpn_key: ENC[AES256_GCM,data:gGipXC8JJO59b4KWMSo0+r761raQl7RzgBuUbXmPEKlZR21bs5XRAQalzDCFNtjcpNkXiGqAHCLkDTtjPagMsw==,iv:MH1EBJEOdQDEgm9E0F884fynhsH8KiS5QSc605XbASQ=,tag:FUM1eptHS0rpt6ILyQjGOg==,type:str]
+wg_cloonar_key: ENC[AES256_GCM,data:Dtp6I5J0jU5LLVwEFU4DFCpUngPRmFMebGXnk2oSwsKtsir/DtRBFG7ictM=,iv:1Abx/EAZRJrRQURljofzUYDgJpuREriX0nSrFbH5Npw=,tag:l4uFl9Uc+W0XeLVfLGmgZA==,type:str]
+wg_epicenter_works_key: ENC[AES256_GCM,data:LeLjfwfaz+loWyHYRgIMIPzHzlOnhl9tluKcQFgdes6r+deft1JfnUzDuF0=,iv:DKrc3I+U2hWDH8nnc8ZQeaVtA1eVXu7SXdTn1fxHoH4=,tag:V0PL0GrL2NEPVslAZa801A==,type:str]
+wg_epicenter_works_psk: ENC[AES256_GCM,data:Den3NDWdP013Or6/2Vll1igUahuRSNW4hu+nDa5vkr93bbveQTaWFT4TD4U=,iv:r3UsD3+3lUIP2X3Grti7wpXTQBXtu1/MdrycEmpZfsI=,tag:ghbAcxmjGVOe9jCZsmFzjA==,type:str]
+wg_ghetto_at_key: ENC[AES256_GCM,data:OIHmoy3SpIi9aefZnZ1PzpyHbEso18ceoTULf2eQkx1rJbaxC6PD1lma7eQ=,iv:u0eFjHHOBzPTmBvBEQsYY5flcBayiAQKd6e7RyiPwJI=,tag:731C9wvv8bA5fuuQq+weVQ==,type:str]
+drone: ENC[AES256_GCM,data:S8WTZqGHfcdpSojavZ87GdE5dagcTAdHBVQEbHHgnB4V7aczS6c5QdEJxK920Pjpf6o54OOQYniVsPiiXSxwjExDKPzhs/DG2hfigmf8RgfkP+3tF2W0KiPmV2jxog8w226ZKnI+hSBs8tuIfJBhrpY7Y/YNmTPfq+cnnLS8ibYqytcpzoogI9I8THzHCu3r+yejoGSyTMs9L4gPhOjz5aK4UV6V,iv:zqN/aSBI3xGGNDnpHPGyQnQP2YZOGUk6dAGtON/QlHU=,tag:o9YFDKAB5uR9lPmChyxB8g==,type:str]
+home-assistant-ldap: ENC[AES256_GCM,data:uZEPbSnkgQYSd8ev6FD8TRHWWr+vusadtMcvP7KKL2AZAV0h1hga5fODN6I5u0DNL9hq2pNM+FwU0E/svWLRww==,iv:IhmUgSu34NaAY+kUZehx40uymydUYYAyte1aGqQ33/8=,tag:BKFCJPr7Vz4EG78ry/ZD7g==,type:str]
+home-assistant-secrets.yaml: ENC[AES256_GCM,data:8LH3rrbkpRIFuKZmXe7EHcXPlkzfbdaxX7ssWjIUJ0FQ2QbMUOFsrxVt4diMVHJuaDCoC5gXIwWYDXw4yQj+4Pdf0cwk2MiXj2S9O7GxuOQzP4V1Ab4HeLJOXbGP4cigzNak5epbBiyJY13mVPVgjxX2M4GkuB2TXCOZ5GpvHHv0IvNcc6ymov/XkpJh7MOkyKw45jrYjiV/8dSTORhcWms5J/YgRpSQ/XijWkzucsisNyYk6mKYSq5O4xWFNEF1YC5FFr+rX7xzsbAp0niG3r1d+qcxYHOe0KPB0auxdxif3wQELAp/tosm4l+H+llw3t6STdFVUeBHC+naAwr0QTYB2a7yWLvb6Eh9CYQ7Z3qS/CvvVKs3sB0djRU42FZ9O4c2XcMllP0f3nVaF+DnLpaxgCdLoGPBhYdyTniBij+JudvGZvpWZUFLRlx49zC07RMRG4k+xMA4bAJkiLb+T+b30ur7N+EUgCOyp2FROc1ngCiJqr+cYbnWN1wqougm+pM+GxNZNwakiw1RFJPcOzpjtuwYp/gEKOC+Sz3Qkl4VpYxj7t7fikV0s5r+HzuNFa7gFWpApeRt6YuffQRWhlPVlCOkrQUhRl3YPG9khQ==,iv:r5Vb1ucVrMD0xZOuVnyRJ4El5sCBru/4nOV74pz+tA0=,tag:SwrBmA++GWVzf/0lWSuCpg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -23,8 +32,8 @@ sops:
             dTNvbDlqMmYyQXJsTlFWWHpVZlZzWEUK18tC5iPbbcr9pNvPy67XzQttnizp8huI
             faFSGZLKdc7F32F39yw9hAu8QpYBQ+Sb6ucYxZ4pIAKNX+9ICGcnTA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-11-10T18:21:41Z"
-    mac: ENC[AES256_GCM,data:ejqFUPuyQC5YC5zcB/T8MwpUnb9JE9kCaWelzKf5qceXjD2XbcYHVbFAV2mNb+VwFTRCWAazNzIXGB3KiS9FBts2LfGbuzmjxN3WzcnW9n5oWSME9DMdnYzpI6Rkz35coIFZglaEx+m/DCXzVWTzah/I+zxtK3EiXFNhkCHxlCs=,iv:XK0iRQ/l4eHemzbMHFJ2Y6yW9Ar1GGYBkoYUzxO7k8w=,tag:lfxNcfuktoioXDa0SmDFXw==,type:str]
+    lastmodified: "2023-11-26T23:25:28Z"
+    mac: ENC[AES256_GCM,data:T7d81ypM42KVs4nUrftnvljRN4xnA2R9Y/HpPLum/gpX5k/ng6w557sl3Q6aFq8FnDgHBGrcab5N3SIYNte6eXARDhG/nqTj/XlpzQPOwDip9ZvHuOTyKDWs5CK5Q0C2m4YqrwyEt66IyS7ZBTeKjR+nP67PxoULjZNsEY7CPSc=,iv:zO24RWNGVNmu/G+MATNwpplcLtNEou9CmN8DdlrHA80=,tag:KQcsI82F5EJRf7Cfp390Sw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3

hosts/nb-01.cloonar.com/configuration.nix

@@ -16,16 +16,9 @@
       ./modules/sway/sway.nix
       # ./modules/gnome.nix
       ./modules/printer.nix
-      ./modules/nvidia.nix
       ./modules/nvim/default.nix
-      # ./modules/tuxedo.nix
       ./utils/modules/autoupgrade.nix
 
-      # ./pkgs/howdy/howdy-module.nix
-      # ./pkgs/howdy/ir-toggle-module.nix
-
-      # ./modules/howdy
-
       ./hardware-configuration.nix
     ];
 

hosts/nb-01.cloonar.com/hardware-configuration.nix

@@ -23,18 +23,9 @@
     };
 
   boot.initrd = {
-    luks = {
-      # yubikeySupport = true;
-      devices."nixos-enc" = {
+    luks.devices."nixos-enc" = {
         crypttabExtraOpts = [ "fido2-device=auto" ];
         device = "/dev/disk/by-uuid/7435d48f-f942-485b-9817-328ad3fc0b93";
-        # yubikey = {
-        #   slot = 2;
-        #   twoFactor = false;
-        #   storage = {
-        #     device = "/dev/disk/by-uuid/C281-E509";
-        #   };
-        # };
       };
     };
     systemd.enable = true;

hosts/nb-01.cloonar.com/modules/nvidia.nix

@@ -1,53 +0,0 @@
-{config, lib, pkgs, ...}: {
-  programs.steam = {
-    enable = true;
-  };
-
-  hardware.opengl = {
-    enable = true;
-    driSupport = true;
-    driSupport32Bit = true;
-  };
-
-  services.xserver.videoDrivers = ["nvidia"];
-
-  hardware.nvidia = {
-    # Modesetting is required.
-    modesetting.enable = true;
-
-    powerManagement.enable = false;
-    powerManagement.finegrained = false;
-
-    open = false;
-
-    nvidiaSettings = true;
-
-    package = config.boot.kernelPackages.nvidiaPackages.stable;
-  };
-
-  # boot.initrd.kernelModules = [ "nvidia" ];
-  boot.extraModulePackages = [
-    config.boot.kernelPackages.nvidia_x11
-  ];
-
-  hardware.nvidia.prime = {
-    offload = {
-			enable = true;
-			enableOffloadCmd = true;
-		};
-		# Make sure to use the correct Bus ID values for your system!
-		amdgpuBusId = "PCI:193:0:0";
-		nvidiaBusId = "PCI:100:0:0";
-	};
-
-  specialisation = {
-    gaming.configuration = {
-      system.nixos.tags = [ "gaming" ];
-      hardware.nvidia = {
-        prime.offload.enable = lib.mkForce false;
-        prime.offload.enableOffloadCmd = lib.mkForce false;
-        prime.sync.enable = lib.mkForce true;
-      };
-    };
-  };
-}