hswaw/machines/sound.waw.hackerspace.pl/configuration.nix

{ config, lib, pkgs, ... }:

let
  hw = builtins.fromJSON (builtins.readFile ./hw.json);
  ssh-keys = {
    vuko = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFhaCaC/CVYv6hphqmEdKaPrIn+Q946+myvL9SSnzFZk vuko@eagle";
    informatic = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDoKB2p/gFaKthQNXeQvSLzhOlLSq3vjVL3AEOBTMXGH informatic@atuin";
    q3k = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG599UildOrAq+LIOQjKqtGMwjgjIxozI1jtQQRKHtCP q3k@mimeomia";
  };
  networks = {
    lan = {
      description = "LAN";
      hw_addr = "4c:52:62:ba:a9:78";
      ipv4 = "10.8.1.16";
      #ipv6 = "2a0d:eb00:4242::1";
    };
  };

  system-vim = pkgs.vim_configurable.customize {
      name = "vim";
      vimrcConfig.packages.myplugins = with pkgs.vimPlugins; {
        start = [ vim-nix vim-lastplace ];
        opt = [];
      };
      vimrcConfig.customRC = ''
        set nocompatible
      '';
    };


in {
  imports =
    [
      ./hardware-configuration.nix
      ./spejsiot-api.nix
      ./polycom.nix
    ];

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  time.timeZone = "Europe/Warsaw";

  fileSystems."/" = {
    device = "/dev/disk/by-partuuid/${hw.rootUUID}";
    fsType = "ext4";
  };

  networking.hostName = "sound";
  networking.domain = "waw.hackerspace.pl";
  networking.useDHCP = false;

  networking.defaultGateway = {
    address = "10.8.1.2";
    interface = "lan";
  };

  networking.interfaces = {
      lan = {
          ipv4.addresses = [
            {
              address = networks.lan.ipv4;
              prefixLength = 16;
            }
          ];
      };
  };

  networking.nameservers = ["10.8.1.2"];

  services.acpid.enable = true;

  # nixos mosquitto service adds psk_file to its namespace mounts. Using separate service and directory other than
  # /run/mosuitto/ seems like most reliable.
  systemd.services."mosquitto-secrets" = pkgs.lib.mkIf config.services.mosquitto.enable (
    let
      user = config.systemd.services.mosquitto.serviceConfig.User;
    in {
      description = "Mosquitto secrets";
      wantedBy = [ "multi-user.target" ];
      wants = [ "mosquitto.service" ];
      before = [ "mosquitto.service" ];

      serviceConfig.Type = "oneshot";
      serviceConfig.RemainAfterExit = "yes";
      serviceConfig.ExecStart = [
        ''${pkgs.coreutils}/bin/install "--owner=${user}" --mode=500 --directory /run/mosquitto-secrets''
        ''${pkgs.coreutils}/bin/install "--owner=${user}" /root/secrets/mosquitto-pwfile /run/mosquitto-secrets/pwfile''
      ];
      serviceConfig.ExecStop = [
        ''${pkgs.coreutils}/bin/rm -rf /run/mosquitto-secrets''
      ];
    }
  );

  services.mosquitto.enable = true;
  services.mosquitto.listeners = [
    {
      settings.allow_anonymous = true;
      #settings.psk_file = "/run/mosquitto-secrets/pwfile";
      acl = [
        "topic read $SYS/#"
        "topic #"
      ];
    }
  ];
  services.mosquitto.logType = ["all"];

  services.home-assistant = {
    enable = true;
    config = import ./home-assistant.nix;

    # TODO if some components / packages are not needed
    extraComponents = [
        "default_config"
        "mqtt"
        "met"
        "media_player"
        "light"
        "frontend"
        "cast"
        "spotify"
    ];
    extraPackages = ps: [
        ps.aiohttp-cors
        ps.pillow
        ps.sqlalchemy
        ps.websockets
        ps.fnvhash
        ps.hass-nabucasa
        ps.pymetno
        ps.radios
        ps.pyipp
        ps.brother
        ps.wled
        ps.securetar
        ps.numpy
        ps.pyatv
    ];
  };

  sound.enable = true;

  # TODO create config that setups volume, default output etc.
  hardware.pulseaudio = {
    enable = true;
    systemWide = true;
    zeroconf.publish.enable = true;

    # Force use pulseaudioFull to prevent rebuild due to zeroconf
    package = pkgs.pulseaudioFull;

    tcp.enable = true;
    tcp.anonymousClients.allowAll = true;
  };

  services.nginx = {
      enable = true;
      virtualHosts = {
      "iot.waw.hackerspace.pl" = {
        serverAliases = ["default_server"];
        listen = [
          {
            addr = networks.lan.ipv4;
            port = 80;
            ssl = false;
          }
        ];
        locations."/" = {
            extraConfig = ''
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection $http_connection;
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Host $host:$server_port;
              proxy_set_header X-Forwarded-Server $host;
              proxy_set_header X-Forwarded-Proto $scheme;
            '';
            proxyPass = "http://localhost:8123";
          };
        };
        "spejsiot.waw.hackerspace.pl" = {
          serverAliases = ["default_server"];
          listen = [
            {
              addr = networks.lan.ipv4;
              port = 80;
              ssl = false;
            }
          ];
          locations."/" = {
            # TODO copied from iot, are all headers needed?
            extraConfig = ''
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection $http_connection;
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Host $host:$server_port;
              proxy_set_header X-Forwarded-Server $host;
              proxy_set_header X-Forwarded-Proto $scheme;
            '';
            proxyPass = "http://localhost:5100";
          };
        };
      };
    };


  systemd.network.links = builtins.listToAttrs (map (
    name: { name = "10-link-${name}"; value = {
      enable = true;
      matchConfig = {
        MACAddress = networks."${name}".hw_addr;
      };
      linkConfig = {
        Name = "${name}";
      };
    }; }
  ) (builtins.filter (name: builtins.hasAttr "hw_addr" networks."${name}") (builtins.attrNames networks)));

  networking.firewall = {
    enable = true;
    allowedTCPPorts = [
        22 # ssh
        80 # nginx http
        1883 # mqtt (mosquitto)
        8883 # tls mqtt (mosquitto)
        4713 # pulseaudo
    ];
  };

  services.openssh = {
    enable = true;
    passwordAuthentication = false;
  };

  # TODO extract ssh keys synchronization from customs and add it here
  users.users.root.openssh.authorizedKeys.keys = lib.mapAttrsToList (_: v: v) ssh-keys;

  environment.systemPackages = with pkgs; [
    system-vim tcpdump htop nmon tmux git file procps parted dmidecode ack utillinux
    nmap mosh ncdu tree lz4 bind neovim hdparm usbutils
  ];

  programs.mtr.enable = true;

  environment.variables = {
    EDITOR = "vim";
  };

  #environment.extraInit = ''
  #  export NIX_PATH="nixpkgs=${config.channel-sources.nixpkgs}";
  #'';

  environment.etc."inputrc" = {
    text = pkgs.lib.mkDefault( pkgs.lib.mkAfter ''
      set colored-stats on
      set show-all-if-ambiguous on
      set completion-ignore-case on

      # arrow up
      "\e[A": history-search-backward
      # arrow down
      "\e[B": history-search-forward

      "\e[5~": history-search-backward
      "\e[6~": history-search-forward
    '');
  };

  system.stateVersion = "22.05";


  boot.vesa = false;
  boot.loader.grub.splashImage = null;
}