summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--makefu/1systems/gum/config.nix60
-rw-r--r--makefu/1systems/hardware/tsp-disk.json23
-rw-r--r--makefu/1systems/omo/config.nix226
-rw-r--r--makefu/1systems/omo/hw/omo.nix117
-rw-r--r--makefu/1systems/omo/hw/tsp-tools.nix11
-rw-r--r--makefu/1systems/omo/hw/tsp.nix32
-rw-r--r--makefu/2configs/dcpp/client.nix9
-rw-r--r--makefu/2configs/dcpp/hub.nix (renamed from makefu/2configs/hub.nix)26
-rw-r--r--makefu/2configs/deployment/homeautomation/default.nix61
-rw-r--r--makefu/2configs/wireguard/server.nix52
10 files changed, 344 insertions, 273 deletions
diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix
index 351844482..36af23bb5 100644
--- a/makefu/1systems/gum/config.nix
+++ b/makefu/1systems/gum/config.nix
@@ -74,14 +74,8 @@ in {
<stockholm/makefu/2configs/syncthing.nix>
# <stockholm/makefu/2configs/opentracker.nix>
- <stockholm/makefu/2configs/hub.nix>
- { # ncdc
- environment.systemPackages = [ pkgs.ncdc ];
- networking.firewall = {
- allowedUDPPorts = [ 51411 ];
- allowedTCPPorts = [ 51411 ];
- };
- }
+ <stockholm/makefu/2configs/dcpp/hub.nix>
+ <stockholm/makefu/2configs/dcpp/client.nix>
<stockholm/makefu/2configs/stats/client.nix>
# <stockholm/makefu/2configs/logging/client.nix>
@@ -103,55 +97,7 @@ in {
# locations."/".proxyPass = "http://localhost:5000";
# };
#}
- { # wireguard server
-
- # opkg install wireguard luci-proto-wireguard
-
- # TODO: networking.nat
-
- # boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
- # conf.all.proxy_arp =1
- networking.firewall = {
- allowedUDPPorts = [ 51820 ];
- extraCommands = ''
- iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE
- '';
- };
-
- networking.wireguard.interfaces.wg0 = {
- ips = [ "10.244.0.1/24" ];
- listenPort = 51820;
- privateKeyFile = (toString <secrets>) + "/wireguard.key";
- allowedIPsAsRoutes = true;
- peers = [
- {
- # x
- allowedIPs = [ "10.244.0.2/32" ];
- publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g=";
- }
- {
- # vbob
- allowedIPs = [ "10.244.0.3/32" ];
- publicKey = "Lju7EsCu1OWXhkhdNR7c/uiN60nr0TUPHQ+s8ULPQTw=";
- }
- {
- # x-test
- allowedIPs = [ "10.244.0.4/32" ];
- publicKey = "vZ/AJpfDLJyU3DzvYeW70l4FNziVgSTumA89wGHG7XY=";
- }
- {
- # work-router
- allowedIPs = [ "10.244.0.5/32" ];
- publicKey = "QJMwwYu/92koCASbHnR/vqe/rN00EV6/o7BGwLockDw=";
- }
- {
- # workr
- allowedIPs = [ "10.244.0.6/32" ];
- publicKey = "OFhCF56BrV9tjqW1sxqXEKH/GdqamUT1SqZYSADl5GA=";
- }
- ];
- };
- }
+ <stockholm/makefu/2configs/wireguard/server.nix>
{ # iperf3
networking.firewall.allowedUDPPorts = [ 5201 ];
networking.firewall.allowedTCPPorts = [ 5201 ];
diff --git a/makefu/1systems/hardware/tsp-disk.json b/makefu/1systems/hardware/tsp-disk.json
new file mode 100644
index 000000000..5a4bd26ab
--- /dev/null
+++ b/makefu/1systems/hardware/tsp-disk.json
@@ -0,0 +1,23 @@
+{
+ "type": "devices",
+ "content": {
+ "sda": {
+ "type": "table",
+ "format": "msdos",
+ "partitions": [
+ { "type": "partition",
+ "part-type": "primary",
+ "start": "1M",
+ "end": "100%",
+ "bootable": true,
+ "content": {
+ "type": "filesystem",
+ "format": "ext4",
+ "mountpoint": "/"
+ }
+ }
+ ]
+ }
+ }
+}
+
diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix
index 109877bf1..47e815e77 100644
--- a/makefu/1systems/omo/config.nix
+++ b/makefu/1systems/omo/config.nix
@@ -4,52 +4,17 @@
{ config, pkgs, lib, ... }:
let
- toMapper = id: "/media/crypt${builtins.toString id}";
- byid = dev: "/dev/disk/by-id/" + dev;
- keyFile = byid "usb-Verbatim_STORE_N_GO_070B3CEE0B223954-0:0";
- rootDisk = byid "ata-SanDisk_SD8SNAT128G1122_162099420904";
- rootPartition = byid "ata-SanDisk_SD8SNAT128G1122_162099420904-part2";
- primaryInterface = "enp2s0";
- firetv = "192.168.1.238";
- # cryptsetup luksFormat $dev --cipher aes-xts-plain64 -s 512 -h sha512
- # cryptsetup luksAddKey $dev tmpkey
- # cryptsetup luksOpen $dev crypt0 --key-file tmpkey --keyfile-size=4096
- # mkfs.xfs /dev/mapper/crypt0 -L crypt0
-
- # omo Chassis:
- # __FRONT_
- # |* d0 |
- # | |
- # |* d1 |
- # | |
- # |* d3 |
- # | |
- # |* |
- # |* d2 |
- # | * |
- # | * |
- # |_______|
- # cryptDisk0 = byid "ata-ST2000DM001-1CH164_Z240XTT6";
- cryptDisk0 = byid "ata-ST8000DM004-2CX188_ZCT01PLV";
- cryptDisk1 = byid "ata-TP02000GB_TPW151006050068";
- cryptDisk2 = byid "ata-ST4000DM000-1F2168_Z303HVSG";
- cryptDisk3 = byid "ata-ST8000DM004-2CX188_ZCT01SG4";
- # cryptDisk3 = byid "ata-WDC_WD20EARS-00MVWB0_WD-WMAZA1786907";
- # all physical disks
-
- # TODO callPackage ../3modules/MonitorDisks { disks = allDisks }
- dataDisks = [ cryptDisk0 cryptDisk1 cryptDisk2 cryptDisk3 ];
- allDisks = [ rootDisk ] ++ dataDisks;
+ primaryInterface = config.makefu.server.primary-itf;
in {
imports =
[
+ #./hw/omo.nix
+ ./hw/tsp.nix
<stockholm/makefu>
- # TODO: unlock home partition via ssh
- <stockholm/makefu/2configs/fs/sda-crypto-root.nix>
<stockholm/makefu/2configs/zsh-user.nix>
<stockholm/makefu/2configs/backup.nix>
<stockholm/makefu/2configs/exim-retiolum.nix>
- <stockholm/makefu/2configs/smart-monitor.nix>
+ # <stockholm/makefu/2configs/smart-monitor.nix>
<stockholm/makefu/2configs/mail-client.nix>
<stockholm/makefu/2configs/mosh.nix>
<stockholm/makefu/2configs/tools/mobility.nix>
@@ -78,6 +43,7 @@ in {
<stockholm/makefu/2configs/deployment/google-muell.nix>
<stockholm/makefu/2configs/virtualisation/docker.nix>
<stockholm/makefu/2configs/bluetooth-mpd.nix>
+ <stockholm/makefu/2configs/deployment/homeautomation>
{
hardware.pulseaudio.systemWide = true;
makefu.mpd.musicDirectory = "/media/cryptX/music";
@@ -99,74 +65,9 @@ in {
# Temporary:
# <stockholm/makefu/2configs/temp/rst-issue.nix>
- { # ncdc
- environment.systemPackages = [ pkgs.ncdc ];
- networking.firewall = {
- allowedUDPPorts = [ 51411 ];
- allowedTCPPorts = [ 51411 ];
- };
- }
- {
- systemd.services.firetv = {
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- User = "nobody";
- ExecStart = "${pkgs.python-firetv}/bin/firetv-server -d ${firetv}:5555";
- };
- };
- nixpkgs.config.permittedInsecurePackages = [
- "homeassistant-0.65.5"
- ];
- services.home-assistant = {
- config = {
- homeassistant = {
- name = "Home"; time_zone = "Europe/Berlin";
- latitude = "48.7687";
- longitude = "9.2478";
- };
- media_player = [
- { platform = "kodi";
- host = firetv;
- }
- { platform = "firetv";
- # assumes python-firetv running
- }
- ];
- sensor = [
- { platform = "luftdaten";
- name = "Ditzingen";
- sensorid = "663";
- monitored_conditions = [ "P1" "P2" ];
- }
- # https://www.home-assistant.io/cookbook/automation_for_rainy_days/
- { platform = "darksky";
- api_key = "c73619e6ea79e553a585be06aacf3679";
- language = "de";
- monitored_conditions = [ "summary" "icon"
- "nearest_storm_distance" "precip_probability"
- "precip_intensity"
- "temperature" # "temperature_high" "temperature_low"
- "hourly_summary"
- "uv_index" ];
- units = "si" ;
- update_interval = {
- days = 0;
- hours = 0;
- minutes = 10;
- seconds = 0;
- };
- }
- ];
- frontend = { };
- http = { };
- };
- enable = true;
- #configDir = "/var/lib/hass";
- };
- }
+
];
makefu.full-populate = true;
- makefu.server.primary-itf = primaryInterface;
krebs.rtorrent = {
downloadDir = lib.mkForce "/media/cryptX/torrent";
extraConfig = ''
@@ -178,18 +79,6 @@ in {
members = [ "makefu" "misa" ];
};
networking.firewall.trustedInterfaces = [ primaryInterface ];
- # udp:137 udp:138 tcp:445 tcp:139 - samba, allowed in local net
- # tcp:80 - nginx for sharing files
- # tcp:655 udp:655 - tinc
- # tcp:8111 - graphite
- # tcp:8112 - pyload
- # tcp:9090 - sabnzbd
- # tcp:9200 - elasticsearch
- # tcp:5601 - kibana
- networking.firewall.allowedUDPPorts = [ 655 ];
- networking.firewall.allowedTCPPorts = [ 80 655 5601 8111 8112 9200 9090 ];
-
- # services.openssh.allowSFTP = false;
# copy config from <secrets/sabnzbd.ini> to /var/lib/sabnzbd/
services.sabnzbd.enable = true;
@@ -199,90 +88,11 @@ in {
enable = true;
servedir = "/media/cryptX/emu/ps3";
};
- # HDD Array stuff
- services.smartd.devices = builtins.map (x: { device = x; }) allDisks;
-
- makefu.snapraid = {
- enable = true;
- # TODO: 3 is not protected
- disks = map toMapper [ 0 1 ];
- parity = toMapper 2;
- };
-
- # TODO create folders in /media
- system.activationScripts.createCryptFolders = ''
- ${lib.concatMapStringsSep "\n"
- (d: "install -m 755 -d " + (toMapper d) )
- [ 0 1 2 "X" ]}
- '';
- environment.systemPackages = with pkgs;[
- mergerfs # hard requirement for mount
- wol # wake up filepimp
- f3
- ];
- fileSystems = let
- cryptMount = name:
- { "/media/${name}" = {
- device = "/dev/mapper/${name}"; fsType = "xfs";
- options = [ "nofail" ];
- };};
- in cryptMount "crypt0"
- // cryptMount "crypt1"
- // cryptMount "crypt2"
- // cryptMount "crypt3"
- // { "/media/cryptX" = {
- device = (lib.concatMapStringsSep ":" (d: (toMapper d)) [ 0 1 2 3 ]);
- fsType = "mergerfs";
- noCheck = true;
- options = [ "defaults" "allow_other" "nofail" "nonempty" ];
- };
- };
-
- powerManagement.powerUpCommands = lib.concatStrings (map (disk: ''
- ${pkgs.hdparm}/sbin/hdparm -S 100 ${disk}
- ${pkgs.hdparm}/sbin/hdparm -B 127 ${disk}
- ${pkgs.hdparm}/sbin/hdparm -y ${disk}
- '') allDisks);
- # crypto unlocking
- boot = {
- initrd.luks = {
- devices = let
- usbkey = name: device: {
- inherit name device keyFile;
- keyFileSize = 4096;
- allowDiscards = true;
- };
- in [
- (usbkey "luksroot" rootPartition)
- (usbkey "crypt0" cryptDisk0)
- (usbkey "crypt1" cryptDisk1)
- (usbkey "crypt2" cryptDisk2)
- (usbkey "crypt3" cryptDisk3)
- ];
- };
- loader.grub.device = lib.mkForce rootDisk;
-
- initrd.availableKernelModules = [
- "ahci"
- "ohci_pci"
- "ehci_pci"
- "pata_atiixp"
- "firewire_ohci"
- "usb_storage"
- "usbhid"
- ];
-
- kernelModules = [ "kvm-intel" ];
- extraModulePackages = [ ];
- };
users.users.misa = {
uid = 9002;
name = "misa";
};
- # hardware.enableAllFirmware = true;
- hardware.enableRedistributableFirmware = true;
- hardware.cpu.intel.updateMicrocode = true;
zramSwap.enable = true;
@@ -290,23 +100,23 @@ in {
nickname = "Reaktor|shack";
workdir = "/var/lib/Reaktor/shack";
channels = [ "#shackspace" ];
- plugins = with pkgs.ReaktorPlugins;[
- shack-correct
- # stockholm-issue
- sed-plugin
- random-emoji ];
+ plugins = with pkgs.ReaktorPlugins;
+ [ shack-correct
+ # stockholm-issue
+ sed-plugin
+ random-emoji ];
};
krebs.Reaktor.reaktor-bgt = {
nickname = "Reaktor|bgt";
workdir = "/var/lib/Reaktor/bgt";
channels = [ "#binaergewitter" ];
- plugins = with pkgs.ReaktorPlugins;[
- titlebot
- # stockholm-issue
- nixos-version
- shack-correct
- sed-plugin
- random-emoji ];
+ plugins = with pkgs.ReaktorPlugins;
+ [ titlebot
+ # stockholm-issue
+ nixos-version
+ shack-correct
+ sed-plugin
+ random-emoji ];
};
krebs.build.host = config.krebs.hosts.omo;
diff --git a/makefu/1systems/omo/hw/omo.nix b/makefu/1systems/omo/hw/omo.nix
new file mode 100644
index 000000000..1b618a486
--- /dev/null
+++ b/makefu/1systems/omo/hw/omo.nix
@@ -0,0 +1,117 @@
+{ config, pkgs, lib, ... }:
+let
+ toMapper = id: "/media/crypt${builtins.toString id}";
+ byid = dev: "/dev/disk/by-id/" + dev;
+ keyFile = byid "usb-Verbatim_STORE_N_GO_070B3CEE0B223954-0:0";
+ rootDisk = byid "ata-SanDisk_SD8SNAT128G1122_162099420904";
+ rootPartition = byid "ata-SanDisk_SD8SNAT128G1122_162099420904-part2";
+ primaryInterface = "enp2s0";
+ # cryptsetup luksFormat $dev --cipher aes-xts-plain64 -s 512 -h sha512
+ # cryptsetup luksAddKey $dev tmpkey
+ # cryptsetup luksOpen $dev crypt0 --key-file tmpkey --keyfile-size=4096
+ # mkfs.xfs /dev/mapper/crypt0 -L crypt0
+
+ # omo Chassis:
+ # __FRONT_
+ # |* d0 |
+ # | |
+ # |* d1 |
+ # | |
+ # |* d3 |
+ # | |
+ # |* |
+ # |* d2 |
+ # | * |
+ # | * |
+ # |_______|
+ # cryptDisk0 = byid "ata-ST2000DM001-1CH164_Z240XTT6";
+ cryptDisk0 = byid "ata-ST8000DM004-2CX188_ZCT01PLV";
+ cryptDisk1 = byid "ata-TP02000GB_TPW151006050068";
+ cryptDisk2 = byid "ata-ST4000DM000-1F2168_Z303HVSG";
+ cryptDisk3 = byid "ata-ST8000DM004-2CX188_ZCT01SG4";
+ # cryptDisk3 = byid "ata-WDC_WD20EARS-00MVWB0_WD-WMAZA1786907";
+ # all physical disks
+
+ # TODO callPackage ../3modules/MonitorDisks { disks = allDisks }
+ dataDisks = [ cryptDisk0 cryptDisk1 cryptDisk2 cryptDisk3 ];
+ allDisks = [ rootDisk ] ++ dataDisks;
+in {
+ imports =
+ [ # TODO: unlock home partition via ssh
+ <stockholm/makefu/2configs/fs/sda-crypto-root.nix> ];
+ makefu.server.primary-itf = primaryInterface;
+ system.activationScripts.createCryptFolders = ''
+ ${lib.concatMapStringsSep "\n"
+ (d: "install -m 755 -d " + (toMapper d) )
+ [ 0 1 2 "X" ]}
+ '';
+
+ makefu.snapraid = {
+ enable = true;
+ # TODO: 3 is not protected
+ disks = map toMapper [ 0 1 ];
+ parity = toMapper 2;
+ };
+ fileSystems = let
+ cryptMount = name:
+ { "/media/${name}" = {
+ device = "/dev/mapper/${name}"; fsType = "xfs";
+ options = [ "nofail" ];
+ };};
+ in cryptMount "crypt0"
+ // cryptMount "crypt1"
+ // cryptMount "crypt2"
+ // cryptMount "crypt3"
+ // { "/media/cryptX" = {
+ device = (lib.concatMapStringsSep ":" (d: (toMapper d)) [ 0 1 2 3 ]);
+ fsType = "mergerfs";
+ noCheck = true;
+ options = [ "defaults" "allow_other" "nofail" "nonempty" ];
+ };
+ };
+
+ powerManagement.powerUpCommands = lib.concatStrings (map (disk: ''
+ ${pkgs.hdparm}/sbin/hdparm -S 100 ${disk}
+ ${pkgs.hdparm}/sbin/hdparm -B 127 ${disk}
+ ${pkgs.hdparm}/sbin/hdparm -y ${disk}
+ '') allDisks);
+
+ # crypto unlocking
+ boot = {
+ initrd.luks = {
+ devices = let
+ usbkey = name: device: {
+ inherit name device keyFile;
+ keyFileSize = 4096;
+ allowDiscards = true;
+ };
+ in [
+ (usbkey "luksroot" rootPartition)
+ (usbkey "crypt0" cryptDisk0)
+ (usbkey "crypt1" cryptDisk1)
+ (usbkey "crypt2" cryptDisk2)
+ (usbkey "crypt3" cryptDisk3)
+ ];
+ };
+ loader.grub.device = lib.mkForce rootDisk;
+
+ initrd.availableKernelModules = [
+ "ahci"
+ "ohci_pci"
+ "ehci_pci"
+ "pata_atiixp"
+ "firewire_ohci"
+ "usb_storage"
+ "usbhid"
+ ];
+
+ kernelModules = [ "kvm-intel" ];
+ extraModulePackages = [ ];
+ };
+ environment.systemPackages = with pkgs;[
+ mergerfs # hard requirement for mount
+ ];
+ hardware.enableRedistributableFirmware = true;
+ hardware.cpu.intel.updateMicrocode = true;
+}
+
diff --git a/makefu/1systems/omo/hw/tsp-tools.nix b/makefu/1systems/omo/hw/tsp-tools.nix
new file mode 100644
index 000000000..6579edd9d
--- /dev/null
+++ b/makefu/1systems/omo/hw/tsp-tools.nix
@@ -0,0 +1,11 @@
+let
+ disko = import (builtins.fetchGit {
+ url = https://cgit.lassul.us/disko/;
+ rev = "9c9b62e15e4ac11d4379e66b974f1389daf939fe";
+ });
+
+ cfg = builtins.fromJSON (builtins.readFile ../../hardware/tsp-disk.json);
+in ''
+${disko.create cfg}
+${disko.mount cfg}
+''
diff --git a/makefu/1systems/omo/hw/tsp.nix b/makefu/1systems/omo/hw/tsp.nix
new file mode 100644
index 000000000..4af0d73fc
--- /dev/null
+++ b/makefu/1systems/omo/hw/tsp.nix
@@ -0,0 +1,32 @@
+{ pkgs, ... }:
+with builtins;
+let
+ disko = import (builtins.fetchGit {
+ url = https://cgit.lassul.us/disko/;
+ rev = "9c9b62e15e4ac11d4379e66b974f1389daf939fe";
+ });
+ cfg = fromJSON (readFile ../../hardware/tsp-disk.json);
+ primaryInterface = "enp1s0";
+ rootDisk = "/dev/sda"; # TODO same as disko uses
+in {
+ imports = [
+ (disko.config cfg)
+ ];
+ makefu.server.primary-itf = primaryInterface;
+ boot = {
+ loader.grub.device = rootDisk;
+
+ initrd.availableKernelModules = [
+ "ahci"
+ "ohci_pci"
+ "ehci_pci"
+ "pata_atiixp"
+ "firewire_ohci"
+ "usb_storage"
+ "usbhid"
+ ];
+
+ kernelModules = [ "kvm-intel" ];
+ };
+
+}
diff --git a/makefu/2configs/dcpp/client.nix b/makefu/2configs/dcpp/client.nix
new file mode 100644
index 000000000..3b27778e5
--- /dev/null
+++ b/makefu/2configs/dcpp/client.nix
@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+{ # ncdc
+ environment.systemPackages = [ pkgs.ncdc ];
+ networking.firewall = {
+ allowedUDPPorts = [ 51411 ];
+ allowedTCPPorts = [ 51411 ];
+ };
+}
+
diff --git a/makefu/2configs/hub.nix b/makefu/2configs/dcpp/hub.nix
index a121157d4..92977b4c8 100644
--- a/makefu/2configs/hub.nix
+++ b/makefu/2configs/dcpp/hub.nix
@@ -30,6 +30,7 @@ let
'') dict)}
'';
+ uhubDir = "/var/lib/uhub";
in {
users.extraUsers = singleton {
@@ -65,22 +66,31 @@ in {
PrivateTmp = true;
PermissionsStartOnly = true;
ExecStartPre = pkgs.writeDash "uhub-pre" ''
- cp ${toString <secrets/wildcard.krebsco.de.crt>} /tmp/uhub.crt
- cp ${toString <secrets/wildcard.krebsco.de.key>} /tmp/uhub.key
- cp ${toString <secrets/uhub.sql>} /tmp/uhub.sql
- chown uhub /tmp/*
+ cp -f ${toString <secrets/wildcard.krebsco.de.crt>} ${uhubDir}/uhub.crt
+ cp -f ${toString <secrets/wildcard.krebsco.de.key>} ${uhubDir}/uhub.key
+ if test -d ${uhubDir};then
+ echo "Directory ${uhubDir} already exists, skipping db init"
+ else
+ echo "Copying sql user db"
+ cp ${toString <secrets/uhub.sql>} ${uhubDir}/uhub.sql
+ fi
+ chown -R uhub ${uhubDir}
'';
};
+ users.users.uhub = {
+ home = uhubDir;
+ createHome = true;
+ };
services.uhub = {
enable = true;
port = 1511;
enableTLS = true;
hubConfig = ''
hub_name = "krebshub"
- tls_certificate = /tmp/uhub.crt
- tls_private_key = /tmp/uhub.key
- registered_users_only = true
+ tls_certificate = ${uhubDir}/uhub.crt
+ tls_private_key = ${uhubDir}/uhub.key
+ registered_users_only = true
'';
plugins = {
welcome = {
@@ -93,7 +103,7 @@ in {
};
authSqlite = {
enable = true;
- file = "/tmp/uhub.sql";
+ file = "${uhubDir}/uhub.sql";
};
};
diff --git a/makefu/2configs/deployment/homeautomation/default.nix b/makefu/2configs/deployment/homeautomation/default.nix
new file mode 100644
index 000000000..1f935e2f8
--- /dev/null
+++ b/makefu/2configs/deployment/homeautomation/default.nix
@@ -0,0 +1,61 @@
+{ pkgs, config, ... }:
+let
+ firetv = "192.168.1.238";
+in {
+ systemd.services.firetv = {
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ User = "nobody";
+ ExecStart = "${pkgs.python-firetv}/bin/firetv-server -d ${firetv}:5555";
+ };
+ };
+ nixpkgs.config.permittedInsecurePackages = [
+ "homeassistant-0.65.5"
+ ];
+ services.home-assistant = {
+ config = {
+ homeassistant = {
+ name = "Home"; time_zone = "Europe/Berlin";
+ latitude = "48.7687";
+ longitude = "9.2478";
+ };
+ media_player = [
+ { platform = "kodi";
+ host = firetv;
+ }
+ { platform = "firetv";
+ # assumes python-firetv running
+ }
+ ];
+ sensor = [
+ { platform = "luftdaten";
+ name = "Ditzingen";
+ sensorid = "663";
+ monitored_conditions = [ "P1" "P2" ];
+ }
+ # https://www.home-assistant.io/cookbook/automation_for_rainy_days/
+ { platform = "darksky";
+ api_key = "c73619e6ea79e553a585be06aacf3679";
+ language = "de";
+ monitored_conditions = [ "summary" "icon"
+ "nearest_storm_distance" "precip_probability"
+ "precip_intensity"
+ "temperature" # "temperature_high" "temperature_low"
+ "hourly_summary"
+ "uv_index" ];
+ units = "si" ;
+ update_interval = {
+ days = 0;
+ hours = 0;
+ minutes = 10;
+ seconds = 0;
+ };
+ }
+ ];
+ frontend = { };
+ http = { };
+ };
+ enable = true;
+ #configDir = "/var/lib/hass";
+ };
+}
diff --git a/makefu/2configs/wireguard/server.nix b/makefu/2configs/wireguard/server.nix
new file mode 100644
index 000000000..e38fa05cb
--- /dev/null
+++ b/makefu/2configs/wireguard/server.nix
@@ -0,0 +1,52 @@
+{ config, ... }:
+let
+ ext-if = config.makefu.server.primary-itf;
+in { # wireguard server
+
+ # opkg install wireguard luci-proto-wireguard
+
+ # TODO: networking.nat
+
+ # boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+ # conf.all.proxy_arp =1
+ networking.firewall = {
+ allowedUDPPorts = [ 51820 ];
+ extraCommands = ''
+ iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE
+ '';
+ };
+
+ networking.wireguard.interfaces.wg0 = {
+ ips = [ "10.244.0.1/24" ];
+ listenPort = 51820;
+ privateKeyFile = (toString <secrets>) + "/wireguard.key";
+ allowedIPsAsRoutes = true;
+ peers = [
+ {
+ # x
+ allowedIPs = [ "10.244.0.2/32" ];
+ publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g=";
+ }
+ {
+ # vbob
+ allowedIPs = [ "10.244.0.3/32" ];
+ publicKey = "Lju7EsCu1OWXhkhdNR7c/uiN60nr0TUPHQ+s8ULPQTw=";
+ }
+ {
+ # x-test
+ allowedIPs = [ "10.244.0.4/32" ];
+ publicKey = "vZ/AJpfDLJyU3DzvYeW70l4FNziVgSTumA89wGHG7XY=";
+ }
+ {
+ # work-router
+ allowedIPs = [ "10.244.0.5/32" ];
+ publicKey = "QJMwwYu/92koCASbHnR/vqe/rN00EV6/o7BGwLockDw=";
+ }
+ {
+ # workr
+ allowedIPs = [ "10.244.0.6/32" ];
+ publicKey = "OFhCF56BrV9tjqW1sxqXEKH/GdqamUT1SqZYSADl5GA=";
+ }
+ ];
+ };
+}