* Several updates to support NUC hardware

2024-11-12 23:22:30 -08:00 · 2024-11-12 23:22:30 -08:00 · b51aff6757
commit b51aff6757
parent 4c0b423649
14 changed files with 168 additions and 70 deletions
--- a/TODOS.md
+++ b/TODOS.md
@ -21,6 +21,7 @@ TODOS
      * [ ] If no user key on guest, complain and abort
      * [ ] Fix error messages that mess with getting fingerprit
      * [ ] Make sure uid matches <curruser>@localhost, as it tells sops where to look for keyring
    * [ ] Get nixos-anywhere disko config to work with LUKS with key file
    * [ ] Move hardware config to module config
      * [ ] DB of hardware, similar to nixos-hardware repo
    * [ ] Backups
--- a/hosts/homefree/configuration.nix
+++ b/hosts/homefree/configuration.nix
@ -1,4 +1,4 @@
-{ lib, ... }:
+{ config, lib, ... }:
 {
  imports = [
@ -8,6 +8,7 @@
    ../../profiles/config-editor.nix
    ../../profiles/ddclient.nix
    ../../profiles/home-assistant
    ../../profiles/git.nix
    ../../profiles/gitea.nix
    ../../profiles/hardware-configuration.nix
    ../../profiles/hosting.nix
@ -16,7 +17,6 @@
    ../../profiles/router.nix
    ../../profiles/unifi.nix
    ../../profiles/vaultwarden.nix
    ../../profiles/virtual-machine.nix
    ../../profiles/wireguard.nix
  ];
@ -55,19 +55,19 @@
  # @TODO: Make this UI configurable
  ## Must be forced due to Authentik hard coding a value of UTC
-  time.timeZone = lib.mkForce "America/Los_Angeles";
+  time.timeZone = lib.mkForce config.homefree.system.timeZone;
  networking = {
    # @TODO: Make this UI configurable
-    hostName = "homefree";
+    hostName = config.homefree.system.hostName;
    ## NetworkManager disabled in favor of networkd
    useNetworkd = true;
-    wireless = {
+    # wireless = {
-      # Disable wpa_supplicant
+    #   # Disable wpa_supplicant
-      enable = false;
+    #   enable = false;
-    };
+    # };
    interfaces = {
-      ens3.useDHCP = true;
+      "${config.homefree.network.wan-interface}".useDHCP = true;
    };
  };
--- a/module.nix
+++ b/module.nix
@ -58,7 +58,7 @@
        description = ''
          Hashed password for the system admin
          Generate with:
-          mkpasswd --method=SHA-512 --stdin
+          mkpasswd -m sha-512
        '';
      };
@ -117,14 +117,20 @@
      domains = lib.mkOption {
        type = lib.types.listOf lib.types.str;
-        default = [ "*" "www" "dev" ];
+        default = [ "@" "*" "www" "dev" ];
        description = "Domains for dynamic DNS client";
      };
-      use = lib.mkOption {
+      usev4 = lib.mkOption {
        type = lib.types.str;
        default = "web, web=ipinfo.io/ip";
-        description = "Use format for dynamic DNS client";
+        description = "Use format for obtaining ipv4 for dynamic DNS client";
      };
      usev6 = lib.mkOption {
        type = lib.types.str;
        default = "web, web=v6.ipinfo.io/ip";
        description = "Use format for obtaining ipv6 for dynamic DNS client";
      };
    };
--- a/profiles/acme.nix
+++ b/profiles/acme.nix
--- a/profiles/adguardhome.nix
+++ b/profiles/adguardhome.nix
@ -15,8 +15,9 @@
      };
      users = [
        {
-          name = "erahhal";
+          name = config.homefree.system.adminUsername;
          password = "$2a$10$Tt4QvbLQxnspv2TbcLMP7ug8eJ0NqMsGyVPbpEqtmkyCVrFpvh4GS";
          # password = config.homefree.system.adminHashedPassword;
        }
      ];
      auth_attempts = 5;
@ -24,14 +25,17 @@
      theme = "auto";
      dns = {
        bind_hosts = [ "0.0.0.0" ];
-        port = 53000;
+        port = 53;
        anonymize_client_ip = false;
        ratelimit = 20;
        ratelimit_subnet_len_ipv4 = 24;
        ratelimit_subnet_len_ipv6 = 56;
        ratelimit_whitelist = [];
        refuse_any = true;
-        upstream_dns = [ "https://dns10.quad9.net/dns-query" ];
+        upstream_dns = [
          "10.0.0.1"
          "https://dns10.quad9.net/dns-query"
        ];
        bootstrap_dns = [
          "9.9.9.10"
          "149.112.112.10"
--- a/profiles/agenix.nix
+++ b/profiles/agenix.nix
@ -1,4 +1,4 @@
-{ agenix, options, system, ... }:
+{ config, agenix, options, system, ... }:
 {
  environment.systemPackages = [
    agenix.packages.${system}.default
@ -9,6 +9,6 @@
  # default path is /etc/ssh/ssh_host_rsa_key
  age.identityPaths = options.age.identityPaths.default ++ [
-    "/home/homefree/.ssh/id_rsa"
+    "/home/${config.system.homefree.adminUsername}/.ssh/id_rsa"
  ];
 }
--- a/profiles/authentik.nix
+++ b/profiles/authentik.nix
@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 {
  environment.systemPackages = with pkgs; [
    openldap
@ -40,7 +40,7 @@
      # @TODO: Move secrets to this folder
      sopsFile = ../secrets/authentik.yaml;
-      owner = "homefree";
+      owner = config.homefree.system.adminUsername;
      path = "/run/secrets/authentik/authentik-env";
      restartUnits = [ "authentik.service" ];
    };
@ -49,7 +49,7 @@
      # @TODO: Move secrets to this folder
      sopsFile = ../secrets/authentik.yaml;
-      owner = "homefree";
+      owner = config.homefree.system.adminUsername;
      path = "/run/secrets/authentik/authentik-ldap-env";
      restartUnits = [ "authentik-ldap.service" ];
    };
--- a/profiles/common.nix
+++ b/profiles/common.nix
@ -1,4 +1,4 @@
-{ homefree-inputs, pkgs, system, ...}:
+{ config, homefree-inputs, pkgs, system, ...}:
 {
  # --------------------------------------------------------------------------------------
@ -11,7 +11,7 @@
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.05"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
  # @TODO: Could this be useful for auto-upgrading systems out there?
  # system.autoUpgrade = {
@ -27,7 +27,7 @@
  # };
  nix = {
-    nixPath = [ "nixpkgs=${homefree-inputs.nixpkgs}" "nixos-config=/home/homefree/nixcfg" ];
+    nixPath = [ "nixpkgs=${homefree-inputs.nixpkgs}" "nixos-config=/home/${config.homefree.system.adminUsername}/nixcfg" ];
    # Which package collection to use system-wide.
    package = pkgs.nixVersions.stable;
@ -97,14 +97,13 @@
  # User config
  # --------------------------------------------------------------------------------------
-  users.users.homefree = {
+  users.users."${config.homefree.system.adminUsername}" = {
    isNormalUser  = true;
-    home  = "/home/homefree";
+    home  = "/home/${config.homefree.system.adminUsername}";
-    description  = "Homefree User";
+    description  = "Homefree Admin";
    extraGroups  = [ "wheel" ];
-    # @TODO: Make this dynamic, not hard coded
+    openssh.authorizedKeys.keys= config.homefree.system.authorizedKeys;
-    openssh.authorizedKeys.keys  = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNvmGn1/uFnfgnv5qsec0GC04LeVB1Qy/G7WivvvUZVBBDzp8goe1DsE8M8iqnBSin56gQZDWsd50co2MbFAWuqH2HxY7OGay7P/V2q+SziTYFva85WGl84qWvYMmdB+alAFBT3L4eH5cegC5NhNp+OGsQuq32RdojgXXQt6vyZnaOypuz90k3rqV6Rt+iBTLz6VziasCLcYydwOvi9f1q6YQwGPLKaupDrV6gxvoX9bXLdopqwnXPSE/Eqczxgwc3PefvAJPSd6TOqIXvbtpv/B3Evt5SPe2gq+qASc5K0tzgra8KAe813kkpq4FuKJzHbT+EmO70wiJjru7zMEhd erahhal@nfml-erahhalQFL" ];
+    hashedPassword = config.homefree.system.adminHashedPassword;
    hashedPassword = "$6$5.6V9H0g5F47ubUm$e0N.GXZ9eoqmvpO9MjZlCISC9IIxKKcf0xtnuFyuXSQEQlfaazrS4kBhplDB6GCsQgwpOxdrX2DmcwbMiX/h30";
  };
  security.sudo.extraRules = [
@ -130,6 +129,15 @@
  # Nix mounts read-write automatically when it needs to write to it.
  boot.readOnlyNixStore = true;
  boot.kernelPackages = pkgs.linuxPackages_latest;
  # --------------------------------------------------------------------------------------
  # Hardware
  # --------------------------------------------------------------------------------------
  hardware.enableRedistributableFirmware = true;
  hardware.enableAllFirmware = true;
  # --------------------------------------------------------------------------------------
  # Services
  # --------------------------------------------------------------------------------------
@ -163,6 +171,15 @@
    powertop.enable = true;
  };
  # Eternal Terminal
  services.eternal-terminal.enable = true;
  # et port
  networking.firewall.allowedTCPPorts = [ 2022 ];
  environment.variables = {
    ET_NO_TELEMETRY = "1";
  };
  # --------------------------------------------------------------------------------------
  # i18n
  # --------------------------------------------------------------------------------------
@ -190,6 +207,7 @@
    bashmount
    bfg-repo-cleaner
    bind
    btop
    ccze             # readable parsed system logs
    cpufrequtils
    distrobox
--- a/profiles/ddclient.nix
+++ b/profiles/ddclient.nix
@ -7,14 +7,14 @@
  services.ddclient = {
    enable = true;
-    interval = "10m";
+    interval = config.homefree.ddclient.interval;
-    protocol = "hetzner";
+    protocol = config.homefree.ddclient.protocol;
-    username = "erahhal";
+    username = config.homefree.ddclient.username;
-    zone = "homefree.host";
+    zone = config.homefree.ddclient.zone;
-    domains = [ "@" "*" "www" "dev" ];
+    domains = config.homefree.ddclient.domains;
    passwordFile = "/run/secrets/ddclient/ddclient-password";
-    usev4 = "web, web=ipinfo.io/ip";
+    usev4 = config.homefree.ddclient.usev4;
-    usev6 = "web, web=v6.ipinfo.io/ip";
+    usev6 = config.homefree.ddclient.usev6;
    verbose = true;
  };
@ -23,7 +23,7 @@
      format = "yaml";
      sopsFile = ../secrets/ddclient.yaml;
-      owner = "homefree";
+      owner = config.homefree.system.adminUsername;
      path = "/run/secrets/ddclient/ddclient-password";
      restartUnits = [ "ddclient.service" ];
    };
--- a/profiles/git.nix
+++ b/profiles/git.nix
@ -0,0 +1,69 @@
 { config, pkgs, ... }:
 {
  programs.git = {
    enable = true;
    lfs.enable = true;
    config = {
      checkout = {
        defaultRemote = "origin";
      };
      color = {
        ui = "auto";
      };
      core = {
        # Can't specify "${pkgs.neovim}/bin/nvim" because programs.neovim
        # wraps neovim-unwrapped in a special way to load plugins, so must
        # expect nvim to be in $PATH here
        editor = "nvim";
        excludesfile = "~/.gitignore_global";
      };
      delta = {
        enable = true;
      };
      # filter = {
      #   lfs = {
      #     clean = "${pkgs.git-lfs}/bin/git-lfs clean -- %f";
      #     smudge = "${pkgs.git-lfs}/bin/git-lfs smudge --skip -- %f";
      #     process = "${pkgs.git-lfs}/bin/git-lfs filter-process --skip";
      #     required = true;
      #   };
      # };
      push = {
        default = "simple";
      };
      rerere = {
        enabled = true;
      };
      include = {
        path = "~/.gitconfig.local";
      };
      #==========================
      # Diff settings
      #==========================
      pager = {
        difftool = true;
      };
      #-------------------
      ## nvim
      # - text-based
      #------------------
      diff = {
        tool = "nvimdiff";
      };
      difftool = {
        prompt = true;
      };
      merge = {
        tool = "nvimdiff";
        trustExitCode = false;
      };
      mergetool = {
        trustExitCode = false;
      };
    };
  };
 }
--- a/profiles/home-assistant/default.nix
+++ b/profiles/home-assistant/default.nix
@ -95,6 +95,7 @@ in
      # "group ui" = "!include groups.yaml";
      http = {
        # @TODO: Make this a passed-in var
        base_url = "ha.homefree.lan";
        use_x_forwarded_for = true;
        trusted_proxies = [
--- a/profiles/hosting.nix
+++ b/profiles/hosting.nix
@ -35,7 +35,8 @@ in
      '';
      ## @TODO: Remove headers and check if still works
      extraConfig = ''
-        reverse_proxy http://10.1.1.1:9000
+        # reverse_proxy http://10.1.1.1:9000
        reverse_proxy http://127.0.0.1:9000
        header {
          Strict-Transport-Security "max-age=31536000; includeSubdomains"
          X-XSS-Protection "1; mode=block"
@ -52,7 +53,8 @@ in
        output file ${config.services.caddy.logDir}/access-vaultwarden.log
      '';
      extraConfig = ''
-        reverse_proxy http://10.1.1.1:8222
+        # reverse_proxy http://10.1.1.1:8222
        reverse_proxy http://127.0.0.1:8222
        header {
          Strict-Transport-Security "max-age=31536000; includeSubdomains"
          X-XSS-Protection "1; mode=block"
@ -71,7 +73,8 @@ in
    #   '';
      ## @TODO: Remove headers and check if still works
    #   extraConfig = ''
-    #     reverse_proxy http://10.1.1.1:8123
+    #     # reverse_proxy http://10.1.1.1:8123
    #     reverse_proxy http://127.0.0.1:8123
    #     header {
    #       Strict-Transport-Security "max-age=31536000; includeSubdomains"
    #       X-XSS-Protection "1; mode=block"
@ -92,7 +95,8 @@ in
        ## Authentik
        # reverse_proxy http://10.1.1.1:9000
-        reverse_proxy http://10.1.1.1:9000
+        # reverse_proxy http://10.1.1.1:9000
        reverse_proxy http://127.0.0.1:9000
        header {
          Strict-Transport-Security "max-age=31536000; includeSubdomains"
          X-XSS-Protection "1; mode=block"
@ -109,7 +113,8 @@ in
        output file ${config.services.caddy.logDir}/access-git.log
      '';
      extraConfig = ''
-        reverse_proxy http://10.1.1.1:3001
+        # reverse_proxy http://10.1.1.1:3001
        reverse_proxy http://127.0.0.1:3001
        header {
          Strict-Transport-Security "max-age=31536000; includeSubdomains"
          X-XSS-Protection "1; mode=block"
@ -126,7 +131,8 @@ in
        output file ${config.services.caddy.logDir}/access-adguard.log
      '';
      extraConfig = ''
-        reverse_proxy http://10.1.1.1:3000
+        # reverse_proxy http://10.1.1.1:3000
        reverse_proxy http://127.0.0.1:3000
        header {
          Strict-Transport-Security "max-age=31536000; includeSubdomains"
          X-XSS-Protection "1; mode=block"
@ -143,7 +149,8 @@ in
        output file ${config.services.caddy.logDir}/access-unifi.log
      '';
      extraConfig = ''
-        reverse_proxy https://10.1.1.1:8443 {
+        # reverse_proxy https://10.1.1.1:8443 {
        reverse_proxy https://127.0.0.1:8443 {
          transport http {
            tls
            tls_insecure_skip_verify
--- a/profiles/router.nix
+++ b/profiles/router.nix
@ -51,6 +51,9 @@ in
    useDHCP = false;
    nameservers = dns-servers;
    # resolvconf = {
    # };
    ## Define VLANS
    ## https://www.breakds.org/post/vlan-configuration-by-examples/
    # vlans = {
@ -75,7 +78,7 @@ in
    interfaces = {
      # Don't request DHCP on the physical interfaces
      ${wan-interface} = {
-        # useDHCP = false;
+        # useDHCP = true;
      };
      ${lan-interface} = {
        useDHCP = false;
@ -251,7 +254,7 @@ in
        "${lan-interface},10.1.1.100,10.1.1.254,255.255.255.0,8h"
      ];
-      ## Disable DNS
+      ## Disable DNS, since Unbound is handling DNS
      port = 0;
      ## Additional DHCP options
@ -283,6 +286,7 @@ in
        include = [
          "\"${adlist.unbound-adblockStevenBlack}\""
        ];
        port = 5353;
        interface = [
          "127.0.0.1"
          "::1"
@ -308,12 +312,23 @@ in
        local-data-ptr = [
          "\"10.1.1.1 radicale.lan\""
        ];
        hide-identity = true;
        hide-version = true;
        # Based on recommended settings in https://doc.pi-hole.net/guides/dns/unbound/#configure-unbound
        harden-glue = true;
        harden-dnssec-stripped = true;
        use-caps-for-id = false;
        prefetch = true;
        edns-buffer-size = 1232;
      };
      forward-zone = [
        {
          name = ".";
          forward-addr = [
            "9.9.9.9#dns.quad9.net"
            "1.1.1.1@853#cloudflare-dns.com"
            "1.0.0.1@853#cloudflare-dns.com"
          ];
--- a/profiles/virtual-machine.nix
+++ b/profiles/virtual-machine.nix
@ -1,23 +0,0 @@
 { pkgs, ... }:
 {
  environment.systemPackages = with pkgs; [
    libvirt
    virtiofsd
  ];
  systemd.mounts = [
    {
      what = "mount_homefree_source";
      where = "/home/homefree/nixcfg";
      type = "virtiofs";
      wantedBy = [ "multi-user.target" ];
      enable = true;
    }
  ];
  boot.extraModprobeConfig = "options kvm_intel nested=1";
  boot.kernelParams = [
    "intel_iommu=on"
    "cgroup_enable=freezer"
  ];
 }