* Several updates to support NUC hardware

This commit is contained in:
Ellis Rahhal 2024-11-12 23:22:30 -08:00 committed by Ellis Rahhal
parent 4c0b423649
commit b51aff6757
14 changed files with 168 additions and 70 deletions


@ -21,6 +21,7 @@ TODOS
* [ ] If no user key on guest, complain and abort
* [ ] Fix error messages that mess with getting fingerprit
* [ ] Make sure uid matches <curruser>@localhost, as it tells sops where to look for keyring
* [ ] Get nixos-anywhere disko config to work with LUKS with key file
* [ ] Move hardware config to module config
* [ ] DB of hardware, similar to nixos-hardware repo
* [ ] Backups


@ -1,4 +1,4 @@
{ lib, ... }:
{ config, lib, ... }:
{
imports = [
@ -8,6 +8,7 @@
../../profiles/config-editor.nix
../../profiles/ddclient.nix
../../profiles/home-assistant
../../profiles/git.nix
../../profiles/gitea.nix
../../profiles/hardware-configuration.nix
../../profiles/hosting.nix
@ -16,7 +17,6 @@
../../profiles/router.nix
../../profiles/unifi.nix
../../profiles/vaultwarden.nix
../../profiles/virtual-machine.nix
../../profiles/wireguard.nix
];
@ -55,19 +55,19 @@
# @TODO: Make this UI configurable
## Must be forced due to Authentik hard coding a value of UTC
time.timeZone = lib.mkForce "America/Los_Angeles";
time.timeZone = lib.mkForce config.homefree.system.timeZone;
networking = {
# @TODO: Make this UI configurable
hostName = "homefree";
hostName = config.homefree.system.hostName;
## NetworkManager disabled in favor of networkd
useNetworkd = true;
wireless = {
# Disable wpa_supplicant
enable = false;
};
# wireless = {
# # Disable wpa_supplicant
# enable = false;
# };
interfaces = {
ens3.useDHCP = true;
"${config.homefree.network.wan-interface}".useDHCP = true;
};
};
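Review bot: The `# @TODO: Make this UI configurable` comments above the timeZone and hostName lines are stale now that both values are read from `config.homefree.system.*` in this hunk; drop them or reword them to point at where the option is declared. The `wireless` block is commented out rather than deleted, which quietly falls back to the NixOS default for `networking.wireless.enable`; if the intent is to guarantee wpa_supplicant stays off on NUC hardware that has Wi-Fi, keeping the explicit `enable = false;` is clearer than relying on the default. `"${config.homefree.network.wan-interface}".useDHCP = true;` also overlaps with the commented-out `useDHCP` stanza for the same interface in router.nix later in this commit, so the WAN DHCP policy now lives in two files.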


@ -58,7 +58,7 @@
description = ''
Hashed password for the system admin
Generate with:
mkpasswd --method=SHA-512 --stdin
mkpasswd -m sha-512
'';
};
@ -117,14 +117,20 @@
domains = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ "*" "www" "dev" ];
default = [ "@" "*" "www" "dev" ];
description = "Domains for dynamic DNS client";
};
use = lib.mkOption {
usev4 = lib.mkOption {
type = lib.types.str;
default = "web, web=ipinfo.io/ip";
description = "Use format for dynamic DNS client";
description = "Use format for obtaining ipv4 for dynamic DNS client";
};
usev6 = lib.mkOption {
type = lib.types.str;
default = "web, web=v6.ipinfo.io/ip";
description = "Use format for obtaining ipv6 for dynamic DNS client";
};
};
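Review bot: Renaming the `use` option to `usev4` with no alias breaks any existing configuration that still sets `homefree.ddclient.use`; if that option was ever exposed, add `(lib.mkRenamedOptionModule [ "homefree" "ddclient" "use" ] [ "homefree" "ddclient" "usev4" ])` to the module's imports, or call out the break in the commit message. Adding `"@"` to the `domains` default changes the zone apex record for every deployment that does not override the list, which is worth a sentence in the description. The `mkpasswd -m sha-512` text in the first hunk could also state that this hash feeds `users.users.<name>.hashedPassword`, because the AdGuard profile in this commit uses a bcrypt hash (`$2a$10$…`) and the two formats are not interchangeable.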



@ -15,8 +15,9 @@
};
users = [
{
name = "erahhal";
name = config.homefree.system.adminUsername;
password = "$2a$10$Tt4QvbLQxnspv2TbcLMP7ug8eJ0NqMsGyVPbpEqtmkyCVrFpvh4GS";
# password = config.homefree.system.adminHashedPassword;
}
];
auth_attempts = 5;
@ -24,14 +25,17 @@
theme = "auto";
dns = {
bind_hosts = [ "0.0.0.0" ];
port = 53000;
port = 53;
anonymize_client_ip = false;
ratelimit = 20;
ratelimit_subnet_len_ipv4 = 24;
ratelimit_subnet_len_ipv6 = 56;
ratelimit_whitelist = [];
refuse_any = true;
upstream_dns = [ "https://dns10.quad9.net/dns-query" ];
upstream_dns = [
"10.0.0.1"
"https://dns10.quad9.net/dns-query"
];
bootstrap_dns = [
"9.9.9.10"
"149.112.112.10"


@ -1,4 +1,4 @@
{ agenix, options, system, ... }:
{ config, agenix, options, system, ... }:
{
environment.systemPackages = [
agenix.packages.${system}.default
@ -9,6 +9,6 @@
# default path is /etc/ssh/ssh_host_rsa_key
age.identityPaths = options.age.identityPaths.default ++ [
"/home/homefree/.ssh/id_rsa"
"/home/${config.system.homefree.adminUsername}/.ssh/id_rsa"
];
}
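Review bot: `config.system.homefree.adminUsername` on the new identity path line looks like a transposition of `config.homefree.system.adminUsername`, the path used everywhere else in this commit (authentik.nix, ddclient.nix, the common config); as written, evaluation should fail with a missing attribute, or resolve to something unintended if `config.system.homefree` happens to exist. Change it to `"/home/${config.homefree.system.adminUsername}/.ssh/id_rsa"`. A comment noting that this makes the admin's personal RSA key an age identity for host secrets would also help, since that key's passphrase and file permissions now protect every secret the host decrypts.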


@ -1,4 +1,4 @@
{ pkgs, ... }:
{ config, pkgs, ... }:
{
environment.systemPackages = with pkgs; [
openldap
@ -40,7 +40,7 @@
# @TODO: Move secrets to this folder
sopsFile = ../secrets/authentik.yaml;
owner = "homefree";
owner = config.homefree.system.adminUsername;
path = "/run/secrets/authentik/authentik-env";
restartUnits = [ "authentik.service" ];
};
@ -49,7 +49,7 @@
# @TODO: Move secrets to this folder
sopsFile = ../secrets/authentik.yaml;
owner = "homefree";
owner = config.homefree.system.adminUsername;
path = "/run/secrets/authentik/authentik-ldap-env";
restartUnits = [ "authentik-ldap.service" ];
};
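Review bot: Both sops secrets are now owned by the interactive admin account rather than the account authentik.service runs as; if the service runs under its own user, it will not be able to read `/run/secrets/authentik/*` under sops-nix's default 0400 mode, and if it runs as the admin, the secret is readable from any shell that user opens. State the expected service user in a comment next to `owner`, or set `group` and `mode` to match the unit instead. The same pattern appears in the ddclient secret hunk later in this commit.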


@ -1,4 +1,4 @@
{ homefree-inputs, pkgs, system, ...}:
{ config, homefree-inputs, pkgs, system, ...}:
{
# --------------------------------------------------------------------------------------
@ -11,7 +11,7 @@
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "24.05"; # Did you read the comment?
system.stateVersion = "24.11"; # Did you read the comment?
# @TODO: Could this be useful for auto-upgrading systems out there?
# system.autoUpgrade = {
@ -27,7 +27,7 @@
# };
nix = {
nixPath = [ "nixpkgs=${homefree-inputs.nixpkgs}" "nixos-config=/home/homefree/nixcfg" ];
nixPath = [ "nixpkgs=${homefree-inputs.nixpkgs}" "nixos-config=/home/${config.homefree.system.adminUsername}/nixcfg" ];
# Which package collection to use system-wide.
package = pkgs.nixVersions.stable;
@ -97,14 +97,13 @@
# User config
# --------------------------------------------------------------------------------------
users.users.homefree = {
users.users."${config.homefree.system.adminUsername}" = {
isNormalUser = true;
home = "/home/homefree";
description = "Homefree User";
home = "/home/${config.homefree.system.adminUsername}";
description = "Homefree Admin";
extraGroups = [ "wheel" ];
# @TODO: Make this dynamic, not hard coded
openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNvmGn1/uFnfgnv5qsec0GC04LeVB1Qy/G7WivvvUZVBBDzp8goe1DsE8M8iqnBSin56gQZDWsd50co2MbFAWuqH2HxY7OGay7P/V2q+SziTYFva85WGl84qWvYMmdB+alAFBT3L4eH5cegC5NhNp+OGsQuq32RdojgXXQt6vyZnaOypuz90k3rqV6Rt+iBTLz6VziasCLcYydwOvi9f1q6YQwGPLKaupDrV6gxvoX9bXLdopqwnXPSE/Eqczxgwc3PefvAJPSd6TOqIXvbtpv/B3Evt5SPe2gq+qASc5K0tzgra8KAe813kkpq4FuKJzHbT+EmO70wiJjru7zMEhd erahhal@nfml-erahhalQFL" ];
hashedPassword = "$6$5.6V9H0g5F47ubUm$e0N.GXZ9eoqmvpO9MjZlCISC9IIxKKcf0xtnuFyuXSQEQlfaazrS4kBhplDB6GCsQgwpOxdrX2DmcwbMiX/h30";
openssh.authorizedKeys.keys= config.homefree.system.authorizedKeys;
hashedPassword = config.homefree.system.adminHashedPassword;
};
security.sudo.extraRules = [
@ -130,6 +129,15 @@
# Nix mounts read-write automatically when it needs to write to it.
boot.readOnlyNixStore = true;
boot.kernelPackages = pkgs.linuxPackages_latest;
# --------------------------------------------------------------------------------------
# Hardware
# --------------------------------------------------------------------------------------
hardware.enableRedistributableFirmware = true;
hardware.enableAllFirmware = true;
# --------------------------------------------------------------------------------------
# Services
# --------------------------------------------------------------------------------------
@ -163,6 +171,15 @@
powertop.enable = true;
};
# Eternal Terminal
services.eternal-terminal.enable = true;
# et port
networking.firewall.allowedTCPPorts = [ 2022 ];
environment.variables = {
ET_NO_TELEMETRY = "1";
};
# --------------------------------------------------------------------------------------
# i18n
# --------------------------------------------------------------------------------------
@ -190,6 +207,7 @@
bashmount
bfg-repo-cleaner
bind
btop
ccze # readable parsed system logs
cpufrequtils
distrobox
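Review bot: `networking.firewall.allowedTCPPorts = [ 2022 ];` in the Eternal Terminal hunk opens the port on every interface, and this system also carries the router profile with a WAN interface, so the new et listener is reachable from the WAN unless the router's firewall already restricts inbound traffic elsewhere; scoping it with `networking.firewall.interfaces.<lan-interface>.allowedTCPPorts` keeps it LAN-only. In the earlier hunk, `system.stateVersion` is bumped from 24.05 to 24.11 although the comment directly above says to leave it at the first-install release, which changes stateful defaults for every existing host rather than only new NUC installs. `hardware.enableAllFirmware = true;` makes the `enableRedistributableFirmware` line above it redundant and pulls in unfree firmware, which is reasonable for a NUC but deserves a comment. Minor style: `openssh.authorizedKeys.keys= config…` is missing the space before `=`.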


@ -7,14 +7,14 @@
services.ddclient = {
enable = true;
interval = "10m";
protocol = "hetzner";
username = "erahhal";
zone = "homefree.host";
domains = [ "@" "*" "www" "dev" ];
interval = config.homefree.ddclient.interval;
protocol = config.homefree.ddclient.protocol;
username = config.homefree.ddclient.username;
zone = config.homefree.ddclient.zone;
domains = config.homefree.ddclient.domains;
passwordFile = "/run/secrets/ddclient/ddclient-password";
usev4 = "web, web=ipinfo.io/ip";
usev6 = "web, web=v6.ipinfo.io/ip";
usev4 = config.homefree.ddclient.usev4;
usev6 = config.homefree.ddclient.usev6;
verbose = true;
};
@ -23,7 +23,7 @@
format = "yaml";
sopsFile = ../secrets/ddclient.yaml;
owner = "homefree";
owner = config.homefree.system.adminUsername;
path = "/run/secrets/ddclient/ddclient-password";
restartUnits = [ "ddclient.service" ];
};

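--- /dev/null
+++ b/profiles/git.nix
@@ -0,0 +1,69 @@
+{ config, pkgs, ... }:
+{
+programs.git = {
+enable = true;
+lfs.enable = true;
+config = {
+checkout = {
+defaultRemote = "origin";
+};
+color = {
+ui = "auto";
+};
+core = {
+# Can't specify "${pkgs.neovim}/bin/nvim" because programs.neovim
+# wraps neovim-unwrapped in a special way to load plugins, so must
+# expect nvim to be in $PATH here
+editor = "nvim";
+excludesfile = "~/.gitignore_global";
+};
+delta = {
+enable = true;
+};
+# filter = {
+# lfs = {
+# clean = "${pkgs.git-lfs}/bin/git-lfs clean -- %f";
+# smudge = "${pkgs.git-lfs}/bin/git-lfs smudge --skip -- %f";
+# process = "${pkgs.git-lfs}/bin/git-lfs filter-process --skip";
+# required = true;
+# };
+# };
+push = {
+default = "simple";
+};
+rerere = {
+enabled = true;
+};
+include = {
+path = "~/.gitconfig.local";
+};
+#==========================
+# Diff settings
+#==========================
+pager = {
+difftool = true;
+};
+#-------------------
+## nvim
+# - text-based
+#------------------
+diff = {
+tool = "nvimdiff";
+};
+difftool = {
+prompt = true;
+};
+merge = {
+tool = "nvimdiff";
+trustExitCode = false;
+};
+mergetool = {
+trustExitCode = false;
+};
+};
+};
+}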
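Review bot: The commented-out `filter.lfs` block duplicates what `lfs.enable = true;` already configures, so it is dead configuration in a brand-new file; drop it, or keep a one-line comment saying why the explicit filter is retained for reference. Neither `config` nor `pkgs` is used outside comments, so the module header can be `{ ... }:` until one of them is needed. A short header comment stating that this is the system-wide git configuration and that per-user overrides go in `~/.gitconfig.local` (the `include.path` set here) would make the file self-explanatory.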


@ -95,6 +95,7 @@ in
# "group ui" = "!include groups.yaml";
http = {
# @TODO: Make this a passed-in var
base_url = "ha.homefree.lan";
use_x_forwarded_for = true;
trusted_proxies = [


@ -35,7 +35,8 @@ in
'';
## @TODO: Remove headers and check if still works
extraConfig = ''
reverse_proxy http://10.1.1.1:9000
# reverse_proxy http://10.1.1.1:9000
reverse_proxy http://127.0.0.1:9000
header {
Strict-Transport-Security "max-age=31536000; includeSubdomains"
X-XSS-Protection "1; mode=block"
@ -52,7 +53,8 @@ in
output file ${config.services.caddy.logDir}/access-vaultwarden.log
'';
extraConfig = ''
reverse_proxy http://10.1.1.1:8222
# reverse_proxy http://10.1.1.1:8222
reverse_proxy http://127.0.0.1:8222
header {
Strict-Transport-Security "max-age=31536000; includeSubdomains"
X-XSS-Protection "1; mode=block"
@ -71,7 +73,8 @@ in
# '';
## @TODO: Remove headers and check if still works
# extraConfig = ''
# reverse_proxy http://10.1.1.1:8123
# # reverse_proxy http://10.1.1.1:8123
# reverse_proxy http://127.0.0.1:8123
# header {
# Strict-Transport-Security "max-age=31536000; includeSubdomains"
# X-XSS-Protection "1; mode=block"
@ -92,7 +95,8 @@ in
## Authentik
# reverse_proxy http://10.1.1.1:9000
reverse_proxy http://10.1.1.1:9000
# reverse_proxy http://10.1.1.1:9000
reverse_proxy http://127.0.0.1:9000
header {
Strict-Transport-Security "max-age=31536000; includeSubdomains"
X-XSS-Protection "1; mode=block"
@ -109,7 +113,8 @@ in
output file ${config.services.caddy.logDir}/access-git.log
'';
extraConfig = ''
reverse_proxy http://10.1.1.1:3001
# reverse_proxy http://10.1.1.1:3001
reverse_proxy http://127.0.0.1:3001
header {
Strict-Transport-Security "max-age=31536000; includeSubdomains"
X-XSS-Protection "1; mode=block"
@ -126,7 +131,8 @@ in
output file ${config.services.caddy.logDir}/access-adguard.log
'';
extraConfig = ''
reverse_proxy http://10.1.1.1:3000
# reverse_proxy http://10.1.1.1:3000
reverse_proxy http://127.0.0.1:3000
header {
Strict-Transport-Security "max-age=31536000; includeSubdomains"
X-XSS-Protection "1; mode=block"
@ -143,7 +149,8 @@ in
output file ${config.services.caddy.logDir}/access-unifi.log
'';
extraConfig = ''
reverse_proxy https://10.1.1.1:8443 {
# reverse_proxy https://10.1.1.1:8443 {
reverse_proxy https://127.0.0.1:8443 {
transport http {
tls
tls_insecure_skip_verify
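Review bot: Each `reverse_proxy` hunk keeps the old `10.1.1.1` target as a commented-out line beside the new `127.0.0.1` one (six places in this file); the old value is in git history, and the duplicated comment lines make it harder to see which upstream is live, particularly in the Authentik block where two commented copies now sit above the active line. Since every backend is on loopback now, a single binding such as `let backend = "127.0.0.1"; in` or a module option would make the next host move a one-line change. In the Unifi block the `tls_insecure_skip_verify` transport setting now only affects a loopback connection, which is lower risk than before, but a comment noting it exists for the controller's self-signed certificate would record why it stays. The enclosing Caddy configuration starts and ends outside these hunks.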


@ -51,6 +51,9 @@ in
useDHCP = false;
nameservers = dns-servers;
# resolvconf = {
# };
## Define VLANS
## https://www.breakds.org/post/vlan-configuration-by-examples/
# vlans = {
@ -75,7 +78,7 @@ in
interfaces = {
# Don't request DHCP on the physical interfaces
${wan-interface} = {
# useDHCP = false;
# useDHCP = true;
};
${lan-interface} = {
useDHCP = false;
@ -251,7 +254,7 @@ in
"${lan-interface},10.1.1.100,10.1.1.254,255.255.255.0,8h"
];
## Disable DNS
## Disable DNS, since Unbound is handling DNS
port = 0;
## Additional DHCP options
@ -283,6 +286,7 @@ in
include = [
"\"${adlist.unbound-adblockStevenBlack}\""
];
port = 5353;
interface = [
"127.0.0.1"
"::1"
@ -308,12 +312,23 @@ in
local-data-ptr = [
"\"10.1.1.1 radicale.lan\""
];
hide-identity = true;
hide-version = true;
# Based on recommended settings in https://doc.pi-hole.net/guides/dns/unbound/#configure-unbound
harden-glue = true;
harden-dnssec-stripped = true;
use-caps-for-id = false;
prefetch = true;
edns-buffer-size = 1232;
};
forward-zone = [
{
name = ".";
forward-addr = [
"9.9.9.9#dns.quad9.net"
"1.1.1.1@853#cloudflare-dns.com"
"1.0.0.1@853#cloudflare-dns.com"
];
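Review bot: Unbound now listens on `127.0.0.1`/`::1` port 5353 and dnsmasq's DNS is off (`port = 0`) "since Unbound is handling DNS", but nothing visible points a resolver at it: `nameservers = dns-servers` is unchanged here, and the AdGuard profile in this commit lists `10.0.0.1` and a Quad9 DoH URL as upstreams rather than `127.0.0.1:5353`, so the chain AdGuard:53 → Unbound:5353 → forwarders is not closed anywhere I can see. A comment above `port = 5353;` naming the resolver expected to forward to it would make the intent checkable. The `# useDHCP = false;` → `# useDHCP = true;` edit on the WAN interface changes only a comment while the live `useDHCP = true` for that interface is set in the host config; either make it live here or remove the comment. The `hide-identity`/`hide-version` and `harden-*` additions are a good hardening step and could cite the linked pi-hole guide in the same comment.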


@ -1,23 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
libvirt
virtiofsd
];
systemd.mounts = [
{
what = "mount_homefree_source";
where = "/home/homefree/nixcfg";
type = "virtiofs";
wantedBy = [ "multi-user.target" ];
enable = true;
}
];
boot.extraModprobeConfig = "options kvm_intel nested=1";
boot.kernelParams = [
"intel_iommu=on"
"cgroup_enable=freezer"
];
}