diff --git a/hosts/fw/configuration.nix b/hosts/fw/configuration.nix
index f41b36c..0c7af8d 100644
--- a/hosts/fw/configuration.nix
+++ b/hosts/fw/configuration.nix
@@ -34,6 +34,7 @@
 ./modules/microvm.nix
 ./modules/gitea-vm.nix
 ./modules/forgejo-runner.nix
+ ./modules/dev-microvm.nix
 # ./modules/vscode-server.nix # Add VS Code Server microvm
 ./modules/ai-mailer.nix
@@ -94,6 +95,7 @@
 "mongodb"
 "ai-mailer"
 "filebot"
+ "claude-code"
 ];
 # Intel N100 Graphics Support for hardware transcoding
diff --git a/hosts/fw/modules/dev-microvm.nix b/hosts/fw/modules/dev-microvm.nix
index 965141e..56c49a7 100644
--- a/hosts/fw/modules/dev-microvm.nix
+++ b/hosts/fw/modules/dev-microvm.nix
@@ -3,7 +3,19 @@
 let
 hostname = "dev";
 in {
+ # Create persist directories on the host
+ # UID 1000 = dominik user inside the microvm
+ systemd.tmpfiles.rules = [
+ "d /var/lib/microvm-persist 0755 root root -"
+ "d /var/lib/microvm-persist/dev 0755 root root -"
+ "d /var/lib/microvm-persist/dev/home 0755 root root -"
+ "d /var/lib/microvm-persist/dev/home/dominik 0700 1000 100 -"
+ ];
+
 microvm.vms.dev = {
+ # Use host's pkgs which already has overlays applied
+ inherit pkgs;
+
 config = {
 imports = [
 ../dev/configuration.nix
@@ -24,13 +36,13 @@ in
 proto = "virtiofs";
 }
 {
- source = "/var/lib/microvms/persist/dev";
+ source = "/var/lib/microvm-persist/dev";
 mountPoint = "/persist";
 tag = "persist";
 proto = "virtiofs";
 }
 {
- source = "/var/lib/microvms/persist/dev/home";
+ source = "/var/lib/microvm-persist/dev/home";
 mountPoint = "/home";
 tag = "home";
 proto = "virtiofs";
diff --git a/hosts/fw/modules/dnsmasq.nix b/hosts/fw/modules/dnsmasq.nix
index f1e0e79..768f255 100644
--- a/hosts/fw/modules/dnsmasq.nix
+++ b/hosts/fw/modules/dnsmasq.nix
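Review bot: The rule `"d /var/lib/microvm-persist/dev/home/dominik 0700 1000 100 -"` in the first dev-microvm.nix hunk hands the guest user's home to whatever host account happens to hold uid 1000 / gid 100, since the virtiofs shares further down are exported with host ids and nothing in this hunk shows virtiofsd being run with id mapping. A host process running as uid 1000 can then read and plant files the guest user executes (shell rc files, `~/.ssh/authorized_keys`), and anything guest root writes there — presumably including setuid binaries — lands on the host filesystem unless that path is on a `nosuid` mount. Consider reserving a dedicated host uid/gid for the VM persist tree (the repo's `staticids.nix` scheme, if still in use, would fit) and keeping `/var/lib/microvm-persist` on a `nosuid,nodev` mount; at minimum replace the "UID 1000 = dominik user inside the microvm" comment with `# NOTE: virtiofs exports host ids 1:1 — host uid 1000 / gid 100 gets full access to this tree; keep it on a nosuid mount`. The `config` block opened in this hunk continues past it.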
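Review bot: The second dev-microvm.nix hunk moves both `source` paths from `/var/lib/microvms/persist/dev` to `/var/lib/microvm-persist/dev` without migrating existing data, and the new tmpfiles rules create an empty tree at the new path, so after a rebuild the VM comes up with an empty `/home` and `/persist` and no error to indicate the old state was left behind. Either move the old directory once before switching (or add an activation step guarded on the old path still existing) and record that in the commit, or at least add `# Data previously under /var/lib/microvms/persist/dev must be moved manually` next to the first `source`. Separately, since `/persist` is the parent of the `home` share, `/persist/home` and `/home` are the same host directory exposed twice; if that is intentional a one-line comment saying so would save the next reader a check. The share list this hunk edits starts and ends outside the hunk.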
@@ -97,6 +97,8 @@
 "/invidious.cloonar.com/${config.networkPrefix}.97.5"
 "/fivefilters.cloonar.com/${config.networkPrefix}.97.5"
 "/n8n.cloonar.com/${config.networkPrefix}.97.5"
+ "/dev.cloonar.com/${config.networkPrefix}.97.15"
+ "/.ddev.site/${config.networkPrefix}.97.15" # Wildcard for ddev projects
 "/home-assistant.cloonar.com/${config.networkPrefix}.97.20"
 "/mopidy.cloonar.com/${config.networkPrefix}.97.21"
 "/snapcast.cloonar.com/${config.networkPrefix}.97.21"
diff --git a/hosts/fw/modules/unbound.nix b/hosts/fw/modules/unbound.nix
deleted file mode 100644
index c5f21c5..0000000
--- a/hosts/fw/modules/unbound.nix
+++ /dev/null
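Review bot: The `"/.ddev.site/${config.networkPrefix}.97.15"` entry overrides the whole public `ddev.site` zone, whose wildcard publicly resolves to 127.0.0.1 by design, so every `*.ddev.site` name from any client behind this resolver now lands on `.97.15` instead of the client's own loopback — fine for a single shared dev VM, but it silently breaks running ddev locally on any other machine on these networks. None of the existing entries use the leading-dot form; I am not certain dnsmasq's `address=` accepts `/.ddev.site/` as distinct from the plain `/ddev.site/` form, which already matches the domain and its subdomains, so verify the generated config with `dnsmasq --test` and make the comment say what the override actually does: `# Hijacks the public *.ddev.site wildcard (normally 127.0.0.1) for all LAN clients -> dev VM`. The option this list belongs to is outside the hunk.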
@@ -1,349 +0,0 @@ -{ config, pkgs, ... }: -let - cids = import ../modules/staticids.nix; - domain = "ns.cloonar.com"; - - adblockLocalZones = pkgs.stdenv.mkDerivation { - name = "unbound-zones-adblock"; - - src = (pkgs.fetchFromGitHub { - owner = "StevenBlack"; - repo = "hosts"; - rev = "3.0.0"; - sha256 = "01g6pc9s1ah2w1cbf6bvi424762hkbpbgja9585a0w99cq0n6bxv"; - } + "/hosts"); - - phases = [ "installPhase" ]; - - installPhase = '' - ${pkgs.gawk}/bin/awk '{sub(/\r$/,"")} {sub(/^127\.0\.0\.1/,"0.0.0.0")} BEGIN { OFS = "" } NF == 2 && $1 == "0.0.0.0" { print "local-zone: \"", $2, "\" static"}' $src | tr '[:upper:]' '[:lower:]' | sort -u > $out - ''; - - }; - cfg = { - remote-control.control-enable = true; - server = { - # include = [ - # "\"${adblockLocalZones}\"" - # ]; - interface = [ "0.0.0.0" "::0" ]; - interface-automatic = "yes"; - access-control = [ - "127.0.0.0/8 allow" - "${config.networkPrefix}.96.0/24 allow" - "${config.networkPrefix}.97.0/24 allow" - "${config.networkPrefix}.98.0/24 allow" - "${config.networkPrefix}.99.0/24 allow" - "${config.networkPrefix}.101.0/24 allow" - "0.0.0.0/0 allow" - ]; - tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt"; - local-zone = "\"cloonar.com\" transparent"; - local-data = [ - "\"localhost A 127.0.0.1\"" - "\"localhost.cloonar.com A 127.0.0.1\"" - "\"localhost AAAA ::1\"" - "\"localhost.cloonar.com AAAA ::1\"" - "\"fw.cloonar.com A ${config.networkPrefix}.97.1\"" - "\"fw A ${config.networkPrefix}.97.1\"" - - "\"www.7-zip.org A 49.12.202.237\"" - - "\"pc.cloonar.com IN A ${config.networkPrefix}.96.5\"" - "\"omada.cloonar.com IN A ${config.networkPrefix}.97.2\"" - "\"switch.cloonar.com IN A ${config.networkPrefix}.97.10\"" - "\"mopidy.cloonar.com IN A ${config.networkPrefix}.97.21\"" - "\"deconz.cloonar.com IN A ${config.networkPrefix}.97.22\"" - "\"wazuh-manager.cloonar.com IN A ${config.networkPrefix}.97.31\"" - "\"wazuh-indexer.cloonar.com IN A ${config.networkPrefix}.97.32\"" - "\"wazuh.cloonar.com IN A 
${config.networkPrefix}.97.33\"" - "\"brn30055c566237.cloonar.com IN A ${config.networkPrefix}.96.100\"" - "\"snapcast.cloonar.com IN A ${config.networkPrefix}.97.21\"" - "\"home-assistant.cloonar.com IN A ${config.networkPrefix}.97.20\"" - "\"web-02.cloonar.com IN A ${config.networkPrefix}.97.5\"" - "\"matrix.cloonar.com IN A ${config.networkPrefix}.97.5\"" - "\"element.cloonar.com IN A ${config.networkPrefix}.97.5\"" - "\"support.cloonar.com IN A ${config.networkPrefix}.97.5\"" - "\"tinder.cloonar.com IN A ${config.networkPrefix}.97.5\"" - "\"git.cloonar.com IN A ${config.networkPrefix}.97.50\"" - "\"sync.cloonar.com IN A ${config.networkPrefix}.97.51\"" - - "\"feeds.cloonar.com IN A 188.34.191.144\"" - # "\"paraclub.cloonar.dev IN A 49.12.244.139\"" - # "\"api.paraclub.cloonar.dev IN A 49.12.244.139\"" - # "\"module.paraclub.cloonar.dev IN A 49.12.244.139\"" - # "\"tandem.paraclub.cloonar.dev IN A 49.12.244.139\"" - - "\"stage.wsw.at IN A 10.254.235.22\"" - "\"prod.wsw.at IN A 10.254.217.23\"" - "\"piwik.wohnservice-wien.at IN A 10.254.240.109\"" - "\"wohnservice-wien.at IN A 10.254.240.109\"" - "\"mieterhilfe.at IN A 10.254.240.109\"" - "\"wohnpartner-wien.at IN A 10.254.240.109\"" - "\"new.wohnberatung-wien.at IN A 10.254.240.109\"" - "\"new.wohnpartner-wien.at IN A 10.254.240.109\"" - "\"wohnberatung-wien.at IN A 10.254.240.109\"" - "\"wienbautvor.at IN A 10.254.240.109\"" - "\"wienwohntbesser.at IN A 10.254.240.109\"" - "\"b.wohnservice-wien.at IN A 10.254.240.109\"" - "\"b.mieterhilfe.at IN A 10.254.240.109\"" - "\"b.wohnpartner-wien.at IN A 10.254.240.109\"" - "\"b.wohnberatung-wien.at IN A 10.254.240.109\"" - "\"b.wienbautvor.at IN A 10.254.240.109\"" - "\"b.wienwohntbesser.at IN A 10.254.240.109\"" - "\"a.wohnservice-wien.at IN A 10.254.240.109\"" - "\"a.wohnpartner-wien.at IN A 10.254.240.109\"" - "\"a.stage.wohnservice-wien.at IN A 10.254.240.110\"" - "\"a.stage.mieterhilfe.at IN A 10.254.240.110\"" - "\"a.stage.wohnpartner-wien.at IN A 
10.254.240.110\"" - "\"a.stage.wohnberatung-wien.at IN A 10.254.240.110\"" - "\"a.stage.wienbautvor.at IN A 10.254.240.110\"" - "\"a.stage.wienwohntbesser.at IN A 10.254.240.110\"" - "\"b.stage.wohnservice-wien.at IN A 10.254.240.110\"" - "\"b.stage.mieterhilfe.at IN A 10.254.240.110\"" - "\"b.stage.wohnpartner-wien.at IN A 10.254.240.110\"" - "\"b.stage.new.wohnberatung-wien.at IN A 10.254.240.110\"" - "\"b.stage.new.wohnpartner-wien.at IN A 10.254.240.110\"" - "\"b.stage.wohnberatung-wien.at IN A 10.254.240.110\"" - "\"b.stage.wienbautvor.at IN A 10.254.240.110\"" - "\"b.stage.wienwohntbesser.at IN A 10.254.240.110\"" - "\"upgrade-staging.wohnservice-wien.at IN A 10.254.240.110\"" - "\"upgrade-staging.mieterhilfe.at IN A 10.254.240.110\"" - "\"upgrade-staging.wohnpartner-wien.at IN A 10.254.240.110\"" - "\"upgrade-staging.wohnberatung-wien.at IN A 10.254.240.110\"" - "\"upgrade-staging.wienbautvor.at IN A 10.254.240.110\"" - "\"upgrade-staging.wienwohntbesser.at IN A 10.254.240.110\"" - "\"conf.wrwks.at IN A 10.254.240.105\"" - - "\"web.hilgenberg-gmbh.de IN A 91.107.197.169\"" - "\"web.lenaschilling.at IN A 159.69.3.18\"" - - # gaming - "\"foundry-vtt.cloonar.com IN A ${config.networkPrefix}.97.5\"" - - "\"deconz.cloonar.multimedia IN A ${config.networkPrefix}.97.22\"" - "\"metz.cloonar.multimedia IN A ${config.networkPrefix}.99.10\"" - # "\"ps5.cloonar.multimedia IN A ${config.networkPrefix}.99.12\"" - "\"xbox.cloonar.multimedia IN A ${config.networkPrefix}.99.13\"" - # "\"switch.cloonar.multimedia IN A ${config.networkPrefix}.99.14\"" - #living room - "\"shellyuni-livingroom-1.cloonar.smart IN A ${config.networkPrefix}.100.8\"" - "\"shellyswitch25-livingroom-1.cloonar.smart IN A ${config.networkPrefix}.100.9\"" - "\"shellyplug-s-living-1.cloonar.smart IN A ${config.networkPrefix}.100.10\"" - "\"shellyplug-s-living-2.cloonar.smart IN A ${config.networkPrefix}.100.11\"" - # kitchen - "\"shellyplug-s-kitchen-1.cloonar.smart IN A ${config.networkPrefix}.100.17\"" 
- "\"shellyrgbw2-kitchen-1.cloonar.smart IN A ${config.networkPrefix}.100.18\"" - #bedroom - "\"shelly1-bedroom-1.cloonar.smart IN A ${config.networkPrefix}.100.33\"" - "\"shellybutton1-bedroom-1.cloonar.smart IN A ${config.networkPrefix}.100.34\"" - "\"shellybutton1-bedroom-2.cloonar.smart IN A ${config.networkPrefix}.100.35\"" # todo - "\"shellyrgbw2-bedroom-1.cloonar.smart IN A ${config.networkPrefix}.100.36\"" - "\"shellyrgbw2-bedroom-2.cloonar.smart IN A ${config.networkPrefix}.100.37\"" - "\"shellyrgbw2-bedroom-3.cloonar.smart IN A ${config.networkPrefix}.100.38\"" - # bath - "\"shellyswitch25-bath-1.cloonar.smart IN A ${config.networkPrefix}.100.49\"" - "\"shelly1pm-bath-1.cloonar.smart IN A ${config.networkPrefix}.100.52\"" - "\"shellyht-bath-1.cloonar.smart IN A ${config.networkPrefix}.100.53\"" # todo - # hallway - "\"shelly1-hallway-1.cloonar.smart IN A ${config.networkPrefix}.100.65\"" - "\"shellyem3.cloonar.smart IN A ${config.networkPrefix}.100.70\"" - "\"shellypro-1.cloonar.smart IN A ${config.networkPrefix}.100.71\"" - "\"shellypro-2.cloonar.smart IN A ${config.networkPrefix}.100.72\"" - # toilet - "\"shelly1-toilet-1.cloonar.smart IN A ${config.networkPrefix}.100.81\"" - "\"shellybulbduo-toilet-1.cloonar.smart IN A ${config.networkPrefix}.100.82\"" - # storage - "\"shelly1-storage-1.cloonar.smart IN A ${config.networkPrefix}.100.97\"" - "\"shellyplug-storage-1.cloonar.smart IN A ${config.networkPrefix}.100.98\"" - "\"brn30055c566237.cloonar.multimedia IN A ${config.networkPrefix}.99.100\"" - - "\"ddl-warez.to IN A 172.67.184.30\"" - "\"cdnjs.cloudflare.com IN A 104.17.24.14\"" - ]; - local-data-ptr = [ - "\"127.0.0.1 localhost\"" - "\"::1 localhost\"" - "\"${config.networkPrefix}.97.1 fw.cloonar.com\"" - "\"${config.networkPrefix}.97.20 home-assistant.cloonar.com\"" - "\"${config.networkPrefix}.97.21 snapcast.cloonar.com\"" - "\"${config.networkPrefix}.97.22 deconz.cloonar.com\"" - "\"${config.networkPrefix}.97.50 git.cloonar.com\"" - - 
"\"10.254.235.22 stage.wsw.at\"" - "\"10.254.217.23 prod.wsw.at\"" - "\"10.254.240.109 wohnservice-wien.at\"" - "\"10.254.240.110 a.stage.wohnservice-wien.at\"" - - "\"172.67.184.30 ddl-warez.to\"" - "\"104.17.24.14 cdnjs.cloudflare.com\"" - ]; - # ssl-upstream = "yes"; - }; - forward-zone = [ - { - name = "local.ghetto.at."; - forward-tls-upstream = "no"; - forward-addr = [ - "10.43.97.1" - ]; - } - { - name = "ghetto.at.local."; - forward-tls-upstream = "no"; - forward-addr = [ - "10.43.97.1" - ]; - } - { - name = "epicenter.works."; - forward-tls-upstream = "no"; - forward-addr = [ - "10.50.60.1" - ]; - } - { - name = "akvorrat.at."; - forward-tls-upstream = "no"; - forward-addr = [ - "10.50.60.1" - ]; - } - { - name = "epicenter.intra."; - forward-tls-upstream = "no"; - forward-addr = [ - "10.14.1.1" - ]; - } - { - name = "intra.epicenter.works."; - forward-tls-upstream = "no"; - forward-addr = [ - "10.14.1.1" - ]; - } - { - name = "."; - forward-tls-upstream = "yes"; - forward-first = "no"; - forward-addr = [ - "9.9.9.9@853#dns9.quad9.net" - "149.112.112.11@853#dns11.quad9.net" - ]; - } - ]; - }; -in { - users.users.unbound = { - group = "unbound"; - isSystemUser = true; - uid = cids.uids.unbound; - }; - users.groups.unbound = { - gid = cids.gids.unbound; - }; - - security.acme.certs."${domain}" = { - group = "unbound"; - }; - security.acme.certs."fw.cloonar.com" = { - group = "unbound"; - }; - - services.resolved.enable = false; - - services.unbound = { - enable = true; - settings = cfg; - }; - systemd.services.unbound-sync = { - enable = true; - path = with pkgs; [ unbound inotify-tools ]; - script = '' - #!/usr/bin/env bash - set -euo pipefail - - # readFile and readFileUnique as before… - function readFile() { - if [[ "''\$2" == "A" ]] ; then - cat "''\$1" | tail -n +2 | while IFS=, read -r address hwaddr client_id valid_lifetime expire subnet_id fqdn_fwd fqdn_rev hostname state user_context - do - echo "''\${address},''\${hostname}" - done - else - cat 
"''\$1" | tail -n +2 | while IFS=, read -r address duid valid_lifetime expire subnet_id pref_lifetime lease_type iaid prefix_len fqdn_fwd fqdn_rev hostname hwaddr state user_context hwtype hwaddr_source - do - echo "''\${address},''\${hostname}" - done - fi - } - - function readFileUnique() { - readFile "''\$1" ''\$2 | uniq | while IFS=, read -r address hostname - do - if echo "''\${1}" | grep -Eq '.*\.(cloonar.com|cloonar.multimedia|cloonar.smart)'; then - echo ''\${hostname} ''\$2 ''\${address} - unbound-control local_data ''\${hostname} ''\$2 ''\${address} > /dev/null 2>&1 - if [[ "''\$2" == "A" ]] ; then - echo ''\${address} | while IFS=. read -r ip0 ip1 ip2 ip3 - do - unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.ip4.arpa. PTR ''\${hostname} > /dev/null 2>&1 - unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.in-addr.arpa. PTR ''\${hostname} > /dev/null 2>&1 - done - fi - else - if [[ "''\$2" == "A" ]] ; then - echo ''\${address} | while IFS=. read -r ip0 ip1 ip2 ip3 - do - if [[ "''\${hostname}" != "" ]]; then - domain=cloonar.com - if [[ "''\${ip2}" == 99 ]]; then - domain=cloonar.multimedia - fi - if [[ "''\${ip2}" == 100 ]]; then - domain=cloonar.smart - fi - if [[ "''\${hostname}" != *. ]]; then - unbound-control local_data ''\${hostname}.''\${domain} ''\$2 ''\${address} > /dev/null 2>&1 - else - unbound-control local_data ''\${hostname}''\${domain} ''\$2 ''\${address} > /dev/null 2>&1 - fi - - fi - unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.ip4.arpa. PTR ''\${hostname} > /dev/null 2>&1 - unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.in-addr.arpa. 
PTR ''\${hostname} > /dev/null 2>&1 - done - fi - fi - done - } - - function syncLeases() { - # 1) nuke all of our old lease records from unbound - unbound-control list_local_data \ - | grep -E 'cloonar\.(com|multimedia|smart)|ip4\.arpa|in-addr\.arpa' \ - | while read -r name type data; do - unbound-control local_data_remove "$name" "$type" "$data" \ - > /dev/null 2>&1 - done - - # 2) re-push every current lease - readFileUnique "/var/lib/kea/dhcp4.leases" A - # if you need IPv6: - # readFileUnique "/var/lib/kea/dhcp6.leases" AAAA - } - - while true; do - syncLeases - sleep 10 - done - ''; - wants = [ "network-online.target" "unbound.service" ]; - after = [ "network-online.target" "unbound.service" ]; - partOf = [ "unbound.service" ]; - wantedBy = [ "multi-user.target" ]; - }; - - networking.firewall.allowedUDPPorts = [ 53 5353 ]; -}