| { config, pkgs, ... }: |
| |
| let |
| hw = builtins.fromJSON (builtins.readFile ./hw.json); |
| ssh-keys = { |
| vuko = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFhaCaC/CVYv6hphqmEdKaPrIn+Q946+myvL9SSnzFZk vuko@eagle"; |
| informatic = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDoKB2p/gFaKthQNXeQvSLzhOlLSq3vjVL3AEOBTMXGH informatic@atuin"; |
| }; |
| networks = { |
| lan = { |
| description = "LAN"; |
| hw_addr = "4c:52:62:ba:a9:78"; |
| ipv4 = "10.8.1.16"; |
| #ipv6 = "2a0d:eb00:4242::1"; |
| }; |
| }; |
| |
| system-vim = pkgs.vim_configurable.customize { |
| name = "vim"; |
| vimrcConfig.packages.myplugins = with pkgs.vimPlugins; { |
| start = [ vim-nix vim-lastplace ]; |
| opt = []; |
| }; |
| vimrcConfig.customRC = '' |
| set nocompatible |
| ''; |
| }; |
| |
| |
| in { |
| imports = |
| [ |
| ./hardware-configuration.nix |
| ./spejsiot-api.nix |
| ]; |
| |
| boot.loader.systemd-boot.enable = true; |
| boot.loader.efi.canTouchEfiVariables = true; |
| |
| time.timeZone = "Europe/Warsaw"; |
| |
| fileSystems."/" = { |
| device = "/dev/disk/by-partuuid/${hw.rootUUID}"; |
| fsType = "ext4"; |
| }; |
| |
| networking.hostName = "newsound"; |
| networking.domain = "waw.hackerspace.pl"; |
| networking.useDHCP = false; |
| |
| networking.defaultGateway = { |
| address = "10.8.1.2"; |
| interface = "lan"; |
| }; |
| |
| networking.interfaces = { |
| lan = { |
| ipv4.addresses = [ |
| { |
| address = networks.lan.ipv4; |
| prefixLength = 16; |
| } |
| ]; |
| }; |
| }; |
| |
| networking.nameservers = ["10.8.1.2"]; |
| |
| services.acpid.enable = true; |
| |
| # nixos mosquitto service adds psk_file to its namespace mounts. Using separate service and directory other than |
| # /run/mosuitto/ seems like most reliable. |
| systemd.services."mosquitto-secrets" = pkgs.lib.mkIf config.services.mosquitto.enable ( |
| let |
| user = config.systemd.services.mosquitto.serviceConfig.User; |
| in { |
| description = "Mosquitto secrets"; |
| wantedBy = [ "multi-user.target" ]; |
| wants = [ "mosquitto.service" ]; |
| before = [ "mosquitto.service" ]; |
| |
| serviceConfig.Type = "oneshot"; |
| serviceConfig.RemainAfterExit = "yes"; |
| serviceConfig.ExecStart = [ |
| ''${pkgs.coreutils}/bin/install "--owner=${user}" --mode=500 --directory /run/mosquitto-secrets'' |
| ''${pkgs.coreutils}/bin/install "--owner=${user}" /root/secrets/mosquitto-pwfile /run/mosquitto-secrets/pwfile'' |
| ]; |
| serviceConfig.ExecStop = [ |
| ''${pkgs.coreutils}/bin/rm -rf /run/mosquitto-secrets'' |
| ]; |
| } |
| ); |
| |
| services.mosquitto.enable = true; |
| services.mosquitto.listeners = [ |
| { |
| settings.allow_anonymous = true; |
| settings.psk_file = "/run/mosquitto-secrets/pwfile"; |
| acl = [ |
| "topic read $SYS/#" |
| "topic #" |
| ]; |
| } |
| ]; |
| services.mosquitto.logType = ["all"]; |
| |
| services.home-assistant = { |
| enable = true; |
| config = import ./home-assistant.nix; |
| |
| # TODO if some components / packages are not needed |
| extraComponents = [ |
| "default_config" |
| "mqtt" |
| "met" |
| "media_player" |
| "light" |
| "frontend" |
| "cast" |
| "spotify" |
| ]; |
| extraPackages = ps: [ |
| ps.aiohttp-cors |
| ps.pillow |
| ps.sqlalchemy |
| ps.websockets |
| ps.fnvhash |
| ps.hass-nabucasa |
| ps.pymetno |
| ps.radios |
| ps.pyipp |
| ps.brother |
| ps.wled |
| ps.securetar |
| ps.numpy |
| ps.pyatv |
| ]; |
| }; |
| |
| sound.enable = true; |
| |
| # TODO create config that setups volume, default output etc. |
| hardware.pulseaudio = { |
| enable = true; |
| systemWide = true; |
| zeroconf.publish.enable = true; |
| |
| tcp.enable = true; |
| tcp.anonymousClients.allowAll = true; |
| }; |
| |
| services.nginx = { |
| enable = true; |
| virtualHosts = { |
| "iot.waw.hackerspace.pl" = { |
| serverAliases = ["default_server"]; |
| listen = [ |
| { |
| addr = networks.lan.ipv4; |
| port = 80; |
| ssl = false; |
| } |
| ]; |
| locations."/" = { |
| extraConfig = '' |
| proxy_set_header Upgrade $http_upgrade; |
| proxy_set_header Connection $http_connection; |
| proxy_set_header Host $host; |
| proxy_set_header X-Real-IP $remote_addr; |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
| proxy_set_header X-Forwarded-Host $host:$server_port; |
| proxy_set_header X-Forwarded-Server $host; |
| proxy_set_header X-Forwarded-Proto $scheme; |
| ''; |
| proxyPass = "http://localhost:8123"; |
| }; |
| }; |
| "spejsiot.waw.hackerspace.pl" = { |
| serverAliases = ["default_server"]; |
| listen = [ |
| { |
| addr = networks.lan.ipv4; |
| port = 80; |
| ssl = false; |
| } |
| ]; |
| locations."/" = { |
| # TODO copied from iot, are all headers needed? |
| extraConfig = '' |
| proxy_set_header Upgrade $http_upgrade; |
| proxy_set_header Connection $http_connection; |
| proxy_set_header Host $host; |
| proxy_set_header X-Real-IP $remote_addr; |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
| proxy_set_header X-Forwarded-Host $host:$server_port; |
| proxy_set_header X-Forwarded-Server $host; |
| proxy_set_header X-Forwarded-Proto $scheme; |
| ''; |
| proxyPass = "http://localhost:5100"; |
| }; |
| }; |
| }; |
| }; |
| |
| |
| systemd.network.links = builtins.listToAttrs (map ( |
| name: { name = "10-link-${name}"; value = { |
| enable = true; |
| matchConfig = { |
| MACAddress = networks."${name}".hw_addr; |
| }; |
| linkConfig = { |
| Name = "${name}"; |
| }; |
| }; } |
| ) (builtins.filter (name: builtins.hasAttr "hw_addr" networks."${name}") (builtins.attrNames networks))); |
| |
| networking.firewall = { |
| enable = true; |
| allowedTCPPorts = [ |
| 22 # ssh |
| 80 # nginx http |
| 1883 # mqtt (mosquitto) |
| 8883 # tls mqtt (mosquitto) |
| 4713 # pulseaudo |
| ]; |
| }; |
| |
| services.openssh = { |
| enable = true; |
| passwordAuthentication = false; |
| }; |
| |
| # TODO extract ssh keys synchronization from customs and add it here |
| users.users.root.openssh.authorizedKeys.keys = [ ssh-keys.vuko ssh-keys.informatic ]; |
| |
| environment.systemPackages = with pkgs; [ |
| system-vim tcpdump htop nmon tmux git file procps parted dmidecode ack utillinux |
| nmap mosh ncdu tree lz4 bind neovim hdparm usbutils |
| ]; |
| |
| programs.mtr.enable = true; |
| |
| environment.variables = { |
| EDITOR = "vim"; |
| }; |
| |
| #environment.extraInit = '' |
| # export NIX_PATH="nixpkgs=${config.channel-sources.nixpkgs}"; |
| #''; |
| |
| environment.etc."inputrc" = { |
| text = pkgs.lib.mkDefault( pkgs.lib.mkAfter '' |
| set colored-stats on |
| set show-all-if-ambiguous on |
| set completion-ignore-case on |
| |
| # arrow up |
| "\e[A": history-search-backward |
| # arrow down |
| "\e[B": history-search-forward |
| |
| "\e[5~": history-search-backward |
| "\e[6~": history-search-forward |
| ''); |
| }; |
| |
| system.stateVersion = "22.05"; |
| |
| |
| boot.vesa = false; |
| boot.loader.grub.splashImage = null; |
| } |
| |