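{ config, pkgs, ... }:

let
  # Per-host values read from hw.json next to this file (rootUUID is used for the root fs below).
  hw = builtins.fromJSON (builtins.readFile ./hw.json);
  ssh-keys = {
    vuko = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFhaCaC/CVYv6hphqmEdKaPrIn+Q946+myvL9SSnzFZk vuko@eagle";
    informatic = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDoKB2p/gFaKthQNXeQvSLzhOlLSq3vjVL3AEOBTMXGH informatic@atuin";
  };
  # Interfaces; hw_addr is used to pin the link name via systemd.network.links below,
  # ipv4 is reused by the nginx listen addresses.
  networks = {
    lan = {
      description = "LAN";
      hw_addr = "4c:52:62:ba:a9:78";
      ipv4 = "10.8.1.16";
      #ipv6 = "2a0d:eb00:4242::1";
    };
  };

  system-vim = pkgs.vim_configurable.customize {
    name = "vim";
    vimrcConfig.packages.myplugins = with pkgs.vimPlugins; {
      start = [ vim-nix vim-lastplace ];
      opt = [];
    };
    vimrcConfig.customRC = ''
      set nocompatible
    '';
  };


in {
  imports =
    [
      ./hardware-configuration.nix
      ./spejsiot-api.nix
    ];

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  time.timeZone = "Europe/Warsaw";

  fileSystems."/" = {
    device = "/dev/disk/by-partuuid/${hw.rootUUID}";
    fsType = "ext4";
  };

  networking.hostName = "newsound";
  networking.domain = "waw.hackerspace.pl";
  networking.useDHCP = false;

  networking.defaultGateway = {
    address = "10.8.1.2";
    interface = "lan";
  };

  networking.interfaces = {
    lan = {
      ipv4.addresses = [
        {
          address = networks.lan.ipv4;
          prefixLength = 16;
        }
      ];
    };
  };

  networking.nameservers = ["10.8.1.2"];

  services.acpid.enable = true;

  # nixos mosquitto service adds psk_file to its namespace mounts. Using separate service and directory other than
  # /run/mosquitto/ seems like most reliable.
  systemd.services."mosquitto-secrets" = pkgs.lib.mkIf config.services.mosquitto.enable (
    let
      user = config.systemd.services.mosquitto.serviceConfig.User;
    in {
      description = "Mosquitto secrets";
      wantedBy = [ "multi-user.target" ];
      wants = [ "mosquitto.service" ];
      before = [ "mosquitto.service" ];

      serviceConfig.Type = "oneshot";
      serviceConfig.RemainAfterExit = "yes";
      serviceConfig.ExecStart = [
        # Directory is owner-only (500) so only the mosquitto user can traverse it.
        ''${pkgs.coreutils}/bin/install "--owner=${user}" --mode=500 --directory /run/mosquitto-secrets''
        # install(1) defaults to mode 755 for files; only the mosquitto user reads the
        # secret, so make the copy owner-read-only.
        ''${pkgs.coreutils}/bin/install "--owner=${user}" --mode=400 /root/secrets/mosquitto-pwfile /run/mosquitto-secrets/pwfile''
      ];
      serviceConfig.ExecStop = [
        ''${pkgs.coreutils}/bin/rm -rf /run/mosquitto-secrets''
      ];
    }
  );

  services.mosquitto.enable = true;
  services.mosquitto.listeners = [
    {
      # Anonymous clients are allowed and the ACL below grants them read/write on every
      # topic ("topic #"); with 1883 open in the firewall, any host that can reach this
      # box can publish to and subscribe on any topic.
      settings.allow_anonymous = true;
      # NOTE(review): psk_file is mosquitto's TLS-PSK identity file (password auth uses
      # password_file); this listener sets no port or TLS options and no 8883 listener is
      # configured in this file - confirm which authentication this is meant to provide.
      settings.psk_file = "/run/mosquitto-secrets/pwfile";
      acl = [
        "topic read $SYS/#"
        "topic #"
      ];
    }
  ];
  services.mosquitto.logType = ["all"];

  services.home-assistant = {
    enable = true;
    config = import ./home-assistant.nix;

    # TODO if some components / packages are not needed
    extraComponents = [
      "default_config"
      "mqtt"
      "met"
      "media_player"
      "light"
      "frontend"
      "cast"
      "spotify"
    ];
    extraPackages = ps: [
      ps.aiohttp-cors
      ps.pillow
      ps.sqlalchemy
      ps.websockets
      ps.fnvhash
      ps.hass-nabucasa
      ps.pymetno
      ps.radios
      ps.pyipp
      ps.brother
      ps.wled
      ps.securetar
      ps.numpy
      ps.pyatv
    ];
  };

  sound.enable = true;

  # TODO create config that setups volume, default output etc.
  hardware.pulseaudio = {
    enable = true;
    systemWide = true;
    zeroconf.publish.enable = true;

    # Network audio without authentication: any host that can reach 4713 (opened in the
    # firewall below) can connect to the sound server.
    tcp.enable = true;
    tcp.anonymousClients.allowAll = true;
  };

  services.nginx = {
    enable = true;
    virtualHosts = {
      "iot.waw.hackerspace.pl" = {
        # NOTE(review): serverAliases only adds names to server_name, so "default_server"
        # here is just another hostname (and both vhosts below claim it). The NixOS option
        # for the listen-level default_server flag is `default = true`, which only one vhost
        # per addr:port may carry - confirm which one is intended.
        serverAliases = ["default_server"];
        listen = [
          {
            addr = networks.lan.ipv4;
            port = 80;
            ssl = false;
          }
        ];
        # Reverse proxy to home-assistant (8123), passing through websocket upgrade and
        # the usual X-Forwarded-* headers.
        locations."/" = {
          extraConfig = ''
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-Proto $scheme;
          '';
          proxyPass = "http://localhost:8123";
        };
      };
      "spejsiot.waw.hackerspace.pl" = {
        # Same remark as for iot above: this is a server_name entry, not the default_server flag.
        serverAliases = ["default_server"];
        listen = [
          {
            addr = networks.lan.ipv4;
            port = 80;
            ssl = false;
          }
        ];
        locations."/" = {
          # TODO copied from iot, are all headers needed?
          extraConfig = ''
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-Proto $scheme;
          '';
          proxyPass = "http://localhost:5100";
        };
      };
    };
  };


  # One systemd .link unit per entry in `networks` that declares hw_addr: match on the
  # MAC address and rename the interface to the attribute name (e.g. "lan").
  systemd.network.links = builtins.listToAttrs (map (
    name: { name = "10-link-${name}"; value = {
      enable = true;
      matchConfig = {
        MACAddress = networks."${name}".hw_addr;
      };
      linkConfig = {
        Name = "${name}";
      };
    }; }
  ) (builtins.filter (name: builtins.hasAttr "hw_addr" networks."${name}") (builtins.attrNames networks)));

  networking.firewall = {
    enable = true;
    allowedTCPPorts = [
      22 # ssh
      80 # nginx http
      1883 # mqtt (mosquitto)
      8883 # tls mqtt (mosquitto) - no listener on this port is defined in this file
      4713 # pulseaudio
    ];
  };

  services.openssh = {
    enable = true;
    passwordAuthentication = false;
  };

  # Key-only root login; keys come from the ssh-keys set above.
  # TODO extract ssh keys synchronization from customs and add it here
  users.users.root.openssh.authorizedKeys.keys = [ ssh-keys.vuko ssh-keys.informatic ];

  environment.systemPackages = with pkgs; [
    system-vim tcpdump htop nmon tmux git file procps parted dmidecode ack utillinux
    nmap mosh ncdu tree lz4 bind neovim hdparm usbutils
  ];

  programs.mtr.enable = true;

  environment.variables = {
    EDITOR = "vim";
  };

  #environment.extraInit = ''
  #  export NIX_PATH="nixpkgs=${config.channel-sources.nixpkgs}";
  #'';

  environment.etc."inputrc" = {
    text = pkgs.lib.mkDefault( pkgs.lib.mkAfter ''
      set colored-stats on
      set show-all-if-ambiguous on
      set completion-ignore-case on

      # arrow up
      "\e[A": history-search-backward
      # arrow down
      "\e[B": history-search-forward

      "\e[5~": history-search-backward
      "\e[6~": history-search-forward
    '');
  };

  system.stateVersion = "22.05";


  boot.vesa = false;
  boot.loader.grub.splashImage = null;
}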