Merge branch 'master' of ssh://gitea.c3d2.de:2222/C3D2/nix-config

flake.lock

@@ -1,39 +1,33 @@
 {
   "nodes": {
     "hydra": {
-      "info": {
-        "lastModified": 1587883324,
-        "narHash": "sha256-WQxv9rrG2HX8j2UfXjifeBkMjgea3uIAEB3Swv+IIus="
-      },
       "inputs": {
         "nix": "nix",
         "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "owner": "ehmry",
+        "lastModified": 1593509723,
+        "narHash": "sha256-ESv86LNnQQy5cYqeC1S4otpvkA8ABgs/zbge8xp35aE=",
+        "owner": "NixOS",
         "repo": "hydra",
-        "rev": "e93c36aab1bf96cf392ab0e40157b0620638b599",
+        "rev": "d0deebc4fc95dbeb0249f7b774b03d366596fbed",
         "type": "github"
       },
       "original": {
-        "owner": "ehmry",
-        "ref": "sotest",
-        "repo": "hydra",
-        "type": "github"
+        "id": "hydra",
+        "type": "indirect"
       }
     },
     "nix": {
-      "info": {
-        "lastModified": 1586440843,
-        "narHash": "sha256-7YxrpRPmAOoCSl6KtepKCXcae5MUm1Pl+lwDunBFGoo="
-      },
       "inputs": {
         "nixpkgs": "nixpkgs"
       },
       "locked": {
+        "lastModified": 1592818267,
+        "narHash": "sha256-t66Ny6NDA9sQa0U79iqo4w7tEBitUGgio9U/H6z3QpE=",
         "owner": "NixOS",
         "repo": "nix",
-        "rev": "3aaceeb7e2d3fb8a07a1aa5a21df1dca6bbaa0ef",
+        "rev": "334e26bfc2ce82912602e8a0f9f9c7e0fb5c3221",
         "type": "github"
       },
       "original": {
@@ -42,14 +36,12 @@
       }
     },
     "nixpkgs": {
-      "info": {
-        "lastModified": 1585405475,
-        "narHash": "sha256-bESW0n4KgPmZ0luxvwJ+UyATrC6iIltVCsGdLiphVeE="
-      },
       "locked": {
+        "lastModified": 1591633336,
+        "narHash": "sha256-oVXv4xAnDJB03LvZGbC72vSVlIbbJr8tpjEW5o/Fdek=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b88ff468e9850410070d4e0ccd68c7011f15b2be",
+        "rev": "70717a337f7ae4e486ba71a500367cad697e5f09",
         "type": "github"
       },
       "original": {
@@ -59,14 +51,12 @@
       }
     },
     "nixpkgs_2": {
-      "info": {
-        "lastModified": 1586219474,
-        "narHash": "sha256-fvfrMnEA2lDnXvH/eInGV5i0sO/EGLVHa4pOek8VG78="
-      },
       "locked": {
+        "lastModified": 1592263354,
+        "narHash": "sha256-1wHPn5qKfzfG06dZhpXDEg5Zt6HwvfyPPgW1tkYFejg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "29eddfc36d720dcc4822581175217543b387b1e8",
+        "rev": "a84b797b28eb104db758b5cb2b61ba8face6744b",
         "type": "github"
       },
       "original": {
@@ -75,31 +65,16 @@
         "type": "indirect"
       }
     },
-    "nixpkgs_3": {
-      "info": {
-        "lastModified": 1586724123,
-        "narHash": "sha256-VQ7zZy2xpz6dULpjar4jxNaQ0N/2q68l+EYO2nXaXDo="
-      },
-      "locked": {
-        "owner": "nixos",
-        "repo": "nixpkgs-channels",
-        "rev": "708cb6b307b04ad862cc50de792e57e7a4a8bb5a",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-20.03",
-        "repo": "nixpkgs-channels",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
         "hydra": "hydra",
-        "nixpkgs": "nixpkgs_3"
+        "nixpkgs": [
+          "hydra",
+          "nixpkgs"
+        ]
       }
     }
   },
   "root": "root",
-  "version": 5
+  "version": 7
 }

flake.nix

@@ -1,17 +1,18 @@
 {
   description = "C3D2 NixOS configurations";
 
-  edition = 201909;
-
-  inputs.nixpkgs.url = "github:nixos/nixpkgs-channels/nixos-20.03";
-  inputs.hydra.url = "github:ehmry/hydra/sotest";
+  inputs = {
+    nixpkgs.follows = "hydra/nixpkgs";
+    # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    # secrets.url = "git+file:///etc/nixos/secrets";
+  };
 
   outputs = { self, nixpkgs, hydra }: {
 
     nixosConfigurations = {
 
-      server7 = nixpkgs.lib.nixosSystem {
-        modules = [ ./hosts/server7 hydra.nixosModules.hydra ];
+      glotzbert = nixpkgs.lib.nixosSystem {
+        modules = [ ./hosts/glotzbert/configuration.nix ];
         system = "x86_64-linux";
       };
 
@@ -20,8 +21,18 @@
         system = "x86_64-linux";
       };
 
+      kibana = nixpkgs.lib.nixosSystem {
+        modules = [ ./hosts/containers/kibana/configuration.nix ];
+        system = "x86_64-linux";
+      };
+
       pulsebert = nixpkgs.lib.nixosSystem {
         modules = [ ./hosts/pulsebert/configuration.nix ];
+        system = "aarch64-linux";
+      };
+
+      server7 = nixpkgs.lib.nixosSystem {
+        modules = [ ./hosts/server7 hydra.nixosModules.hydra ];
         system = "x86_64-linux";
       };
 

host-registry.nix

@@ -9,7 +9,7 @@ rec {
     ledstripes = {};
 
     glotzbert.publicKey =
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHPrkD07abpTU/66fEjmiMYsUfJCSF62MVFe8BED7wu4";
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnEWn/8CKIiCtehh6Ha3XUQqjODj0ygyo3aGAsFWgfG";
 
     hydra.publicKey =
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDhurL/sxsXRglKdLfiWIcK+iqpyhGrGt/MoBODsgvig";

hosts/containers/deployer/configuration.nix

@@ -25,6 +25,9 @@
     htop
   ];
 
+  networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.16"; prefixLength = 26; } ];
+  networking.defaultGateway = "172.20.73.1";
+
   networking = {
     hostName = "deployer";
     # usePredictableInterfacenames = false;

hosts/containers/dhcp/configuration.nix

@@ -31,7 +31,10 @@
   services.dhcpd4 = {
     enable = true;
     interfaces = [ "eth0" ];
-    extraConfig = builtins.readFile ../../../secrets/hosts/dhcp/config;
+    extraConfig = ''
+      authoritative;
+
+    '' + builtins.readFile ../../../secrets/hosts/dhcp/config;
   };
 
   # This value determines the NixOS release with which your system is to be

hosts/containers/dn42/configuration.nix

@@ -30,8 +30,6 @@ in {
 
   environment.systemPackages = with pkgs; [
     vim
-    # for `vtysh`
-    quagga
   ];
 
   # SSH for nixops
@@ -41,6 +39,12 @@ in {
   # No Firewalling!
   networking.firewall.enable = false;
 
+  boot.postBootCommands = ''
+    if [ ! -c /dev/net/tun ]; then
+      mkdir -p /dev/net
+      mknod -m 666 /dev/net/tun c 10 200
+    fi
+  '';
   services.openvpn =
     let
       openvpnNeighbors = lib.filterAttrs (_: conf: conf ? openvpn) neighbors;
@@ -63,7 +67,9 @@ in {
           secret ${keyfile name}
         '';
         up = ''
-          ${pkgs.iproute}/bin/ip a a fe80::deca:fbad/64 dev $1
+          ${pkgs.iproute}/bin/ip addr flush dev $1
+          ${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32
+          ${pkgs.iproute}/bin/ip addr add ${address6}/64 dev $1
         '';
       };
     in {

hosts/containers/dnscache/configuration.nix

@@ -22,6 +22,7 @@
   networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.8"; prefixLength = 26; } ];
   networking.defaultGateway = "172.20.73.1";
   services.resolved.enable = false;
+  networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
 
   # Set your time zone.
   time.timeZone = "Europe/Berlin";
@@ -73,6 +74,7 @@
       "::1/128"
       "172.20.72.0/21"
       "10.0.0.0/24"
+      "10.200.0.0/15"
       "172.22.99.0/24"
       "127.0.0.0/8"
     ];
@@ -217,7 +219,7 @@
           Exec "collectd" "${pkgs.ruby}/bin/ruby" "${unboundScript}"
         '';
       network = ''
-        Server "grafana.hq.c3d2.de" "25826"
+        Server "grafana.serv.zentralwerk.dn42" "25826"
       '';
     };
     extraConfig = ''

hosts/containers/elastic/configuration.nix

@@ -17,6 +17,8 @@
 
   networking = {
     hostName = "elastic1";
+    interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.15"; prefixLength = 26; } ];
+    defaultGateway = "172.20.73.1";
     firewall = {
       allowedTCPPorts = [ 
         22

hosts/containers/freifunk/sysinfo-json.nix

@@ -56,7 +56,7 @@ stdenv.mkDerivation {
       --replace awk ${gawk}/bin/awk
   '' +
   lib.strings.concatStrings (lib.attrsets.mapAttrsToList (
-    var: value: "substituteInPlace sysinfo-json.cgi --replace ${lib.strings.escapeShellArg "$(nvram get ${var})"} '${value}'\n"
+    var: value: "substituteInPlace sysinfo-json.cgi --replace ${lib.strings.escapeShellArg "$(uci -qX get ffdd.sys.${var})"} '${value}'\n"
   ) nvram);
   installPhase = ''
     pwd

hosts/containers/grafana/configuration.nix

@@ -1,24 +1,22 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, modulesPath, ... }:
 
 {
   imports = [
-    <nixpkgs/nixos/modules/profiles/minimal.nix>
+    (modulesPath + "/profiles/minimal.nix")
     ../../../lib
     ../../../lib/lxc-container.nix
     ../../../lib/shared.nix
     ../../../lib/admins.nix
   ];
 
-  c3d2 = {
-    isInHq = true;
-    hq.interface = "eth0";
-    enableHail = true;
-  };
+  c3d2.isInHq = false;
 
   services.openssh.enable = true;
 
   networking.hostName = "grafana";
   networking.useNetworkd = true;
+  networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.43"; prefixLength = 26; } ];
+  networking.defaultGateway = "172.20.73.1";
 
   # http https influxdb
   networking.firewall.allowedTCPPorts = [ 80 443 8086 ];
@@ -39,7 +37,7 @@
       enable = true;
       org_name = "Chaos";
     };
-    users.allowSignUp = true;
+    users.allowSignUp = false;
   };
   services.influxdb = let
     collectdTypes = pkgs.stdenv.mkDerivation {

hosts/containers/kibana/configuration.nix

@@ -0,0 +1,66 @@
+{ config, pkgs, lib, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/profiles/minimal.nix")
+    ../../../lib
+    ../../../lib/lxc-container.nix
+    ../../../lib/shared.nix
+  ];
+
+  networking.hostName = "kibana";
+  networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.44"; prefixLength = 26; } ];
+  networking.defaultGateway = "172.20.73.1";
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  # Required for krops
+  services.openssh.enable = true;
+  environment.systemPackages = [ pkgs.git ];
+
+  nixpkgs.config.allowUnfree = true;
+  services.elasticsearch = {
+    enable = true;
+    package = pkgs.elasticsearch7;
+  };
+  services.kibana = {
+    enable = true;
+    package = pkgs.kibana7;
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    email = "mail@c3d2.de";
+  };
+  services.nginx =
+    let
+      authFile = pkgs.writeText "htpasswd" "k-ot:sawCOTsl/fIUY";
+      vhost = url: {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = url;
+          extraConfig = ''
+            auth_basic "Chaos";
+            auth_basic_user_file ${authFile};
+          '';
+        };
+      };
+    in
+    {
+      enable = true;
+      recommendedGzipSettings = true;
+      recommendedProxySettings = true;
+      virtualHosts = {
+        "kibana.hq.c3d2.de" =
+          vhost "http://127.0.0.1:${toString config.services.kibana.port}";
+        "kibana-es.hq.c3d2.de" =
+          vhost "http://127.0.0.1:${toString config.services.elasticsearch.port}";
+      };
+    };
+
+  # This value determines the NixOS release with which your system is to be
+  # compatible, in order to avoid breaking some software such as database
+  # servers. You should change this only after NixOS release notes say you
+  # should.
+  system.stateVersion = "20.03"; # Did you read the comment?
+}

hosts/containers/ledstripes/configuration.nix

@@ -1,11 +1,11 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, modulesPath, ... }:
 
 {
   imports = [
-    <nixpkgs/nixos/modules/profiles/minimal.nix>
-    <lib>
-    <lib/lxc-container.nix>
-    <lib/shared.nix>
+    (modulesPath + "/profiles/minimal.nix")
+    ../../../lib
+    ../../../lib/lxc-container.nix
+    ../../../lib/shared.nix
   ];
 
   c3d2 = {
@@ -22,8 +22,7 @@
   environment.systemPackages = [ pkgs.git ];
 
   systemd.services.ledball =
-    let
-      pile = import (toString <lib/pkgs/pile.nix>) { inherit pkgs; };
+    let pile = import ../../../lib/pkgs/pile.nix { inherit pkgs; };
     in {
       after = [ "network-online.target" ];
       wantedBy = [ "multi-user.target" ];

hosts/containers/logging/configuration.nix

@@ -17,6 +17,8 @@
 
   networking = {
     hostName = "logging";
+    interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.13"; prefixLength = 26; } ];
+    defaultGateway = "172.20.73.1";
     firewall = {
       allowedTCPPorts = [ 
         22

hosts/containers/lxc-template.nix

@@ -2,15 +2,15 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, modulesPath, ... }:
 
 {
-  imports =
-    [ ../../lib/lxc-container.nix
-      ../../lib/shared.nix
-      ../../lib/admins.nix
-      <nixpkgs/nixos/modules/profiles/minimal.nix>
-    ];
+  imports = [
+    ../../lib/lxc-container.nix
+    ../../lib/shared.nix
+    ../../lib/admins.nix
+    (modulesPath + "/profiles/minimal.nix")
+  ];
 
   networking.hostName = "nixbert"; # Define your hostname.
   networking.useNetworkd = false;

hosts/containers/mongo/configuration.nix

@@ -18,6 +18,8 @@
 
   networking = {
     hostName = "mongo";
+    interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.21"; prefixLength = 26; } ];
+    defaultGateway = "172.20.73.1";
     firewall = {
       allowedTCPPorts = [ 
         22

hosts/containers/mucbot/configuration.nix

@@ -12,11 +12,9 @@ in
     ];
 
   networking.hostName = "mucbot";
-  networking.useNetworkd = true;
-  networking.useDHCP = false;
-  networking.interfaces.eth0.useDHCP = true;
+  networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.27"; prefixLength = 26; } ];
+  networking.defaultGateway = "172.20.73.1";
   networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
-  services.resolved.enable = false;
 
   users.users.tigger = {
     createHome = true;

hosts/containers/public-access-proxy/configuration.nix

@@ -9,13 +9,15 @@
     [ ../../../lib/lxc-container.nix
       ../../../lib/shared.nix
       ../../../lib/admins.nix
-      ../../../lib/default-gateway.nix
       ./proxy.nix
     ];
 
   networking.hostName = "public-access-proxy";
   networking.useNetworkd = true;
-  networking.dhcpcd.enable = lib.mkForce true;
+  networking.interfaces.eth0 = {
+    ipv4.addresses = [ { address = "172.20.73.45"; prefixLength = 26; } ];
+  };
+  networking.defaultGateway = "172.20.73.1";
 
   my.services.proxy = {
     enable = true;
@@ -24,6 +26,14 @@
         hostNames = [ "cloud.bombenverleih.de" "unifi.arkom.men" ];
         proxyTo = { host = "172.22.99.192"; httpPort = 80; httpsPort = 443; };
       }
+      {
+        hostNames = [ "grafana.hq.c3d2.de" ];
+        proxyTo = { host = "grafana.serv.zentralwerk.dn42"; httpPort = 80; httpsPort = 443; };
+      }
+      {
+        hostNames = [ "kibana.hq.c3d2.de" "kibana-es.hq.c3d2.de" ];
+        proxyTo = { host = "kibana.serv.zentralwerk.dn42"; httpPort = 80; httpsPort = 443; };
+      }
     ];
   };
 

hosts/containers/scrape/configuration.nix

@@ -1,11 +1,21 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, modulesPath, ... }:
 
-{
+let
+  freifunkNodes = {
+    "1139" = "10.200.4.120";
+    "1487" = "10.200.5.213";
+    "1884" = "10.200.7.100";
+    "1891" = "10.200.7.107";
+    "1768" = "10.200.6.239";
+    "1176" = "10.200.7.80";
+    "1099" = "10.200.4.80";
+  };
+in {
   imports = [
-    <nixpkgs/nixos/modules/profiles/minimal.nix>
-    <lib>
-    <lib/lxc-container.nix>
-    <lib/shared.nix>
+    (modulesPath + "/profiles/minimal.nix")
+    ../../../lib
+    ../../../lib/lxc-container.nix
+    ../../../lib/shared.nix
   ];
 
   c3d2 = {
@@ -16,7 +26,8 @@
 
 
   networking.hostName = "scrape";
-  networking.useNetworkd = true;
+  networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.32"; prefixLength = 26; } ];
+  networking.defaultGateway = "172.20.73.1";
 
   # Required for krops
   services.openssh.enable = true;
@@ -35,6 +46,13 @@
       xeriLogin = import <secrets/hosts/scrape/xeri.nix>;
       fhemLogin = import <secrets/hosts/scrape/fhem.nix>;
       matematLogin = import <secrets/hosts/scrape/matemat.nix>;
+      makeNodeScraper = nodeId: {
+        name = "scrape-node${nodeId}";
+        value = makeService {
+          script = "freifunk_node";
+          host = freifunkNodes.${nodeId};
+        };
+      };
     in {
       scrape-xeri = makeService {
         script = "xerox";
@@ -55,81 +73,28 @@
         host = "matemat.hq.c3d2.de";
         inherit (matematLogin) user password;
       };
-      scrape-node1139 = makeService {
-        script = "freifunk_node";
-        host = "10.200.4.120";
+    } // builtins.listToAttrs (map makeNodeScraper (builtins.attrNames freifunkNodes));
+
+  systemd.timers =
+    let
+      makeTimer = service: interval: {
+        partOf      = [ "${service}.service" ];
+        wantedBy    = [ "timers.target" ];
+        timerConfig.OnCalendar = interval;
       };
-      scrape-node1487 = makeService {
-        script = "freifunk_node";
-        host = "10.200.5.213";
-      };
-      scrape-node1884 = makeService {
-        script = "freifunk_node";
-        host = "10.200.7.100";
-      };
-      scrape-node1891 = makeService {
-        script = "freifunk_node";
-        host = "10.200.7.107";
-      };
-      scrape-node1768 = makeService {
-        script = "freifunk_node";
-        host = "10.200.6.239";
-      };
-      scrape-node1176 = makeService {
-        script = "freifunk_node";
-        host = "10.200.7.80";
-      };
-    };
-  systemd.timers.scrape-xeri = {
-    partOf      = [ "scrape-xeri.service" ];
-    wantedBy    = [ "timers.target" ];
-    timerConfig.OnCalendar = "minutely";
-  };
-  systemd.timers.scrape-roxi = {
-    partOf      = [ "scrape-roxi.service" ];
-    wantedBy    = [ "timers.target" ];
-    timerConfig.OnCalendar = "minutely";
-  };
-  systemd.timers.scrape-fhem = {
-    partOf      = [ "scrape-fhem.service" ];
-    wantedBy    = [ "timers.target" ];
-    timerConfig.OnCalendar = "minutely";
-  };
-  systemd.timers.scrape-matemat = {
-    partOf      = [ "scrape-matemat.service" ];
-    wantedBy    = [ "timers.target" ];
-    timerConfig.OnCalendar = "minutely";
-  };
-  systemd.timers.scrape-node1139 = {
-    partOf      = [ "scrape-node1139.service" ];
-    wantedBy    = [ "timers.target" ];
-    timerConfig.OnCalendar = "minutely";
-  };
-  systemd.timers.scrape-node1487 = {
-    partOf      = [ "scrape-node1487.service" ];
-    wantedBy    = [ "timers.target" ];
-    timerConfig.OnCalendar = "minutely";
-  };
-  systemd.timers.scrape-node1884 = {
-    partOf      = [ "scrape-node1884.service" ];
-    wantedBy    = [ "timers.target" ];
-    timerConfig.OnCalendar = "minutely";
-  };
-  systemd.timers.scrape-node1891 = {
-    partOf      = [ "scrape-node1894.service" ];
-    wantedBy    = [ "timers.target" ];
-    timerConfig.OnCalendar = "minutely";
-  };
-  systemd.timers.scrape-node1768 = {
-    partOf      = [ "scrape-node1768.service" ];
-    wantedBy    = [ "timers.target" ];
-    timerConfig.OnCalendar = "minutely";
-  };
-  systemd.timers.scrape-node1176 = {
-    partOf      = [ "scrape-node1176.service" ];
-    wantedBy    = [ "timers.target" ];
-    timerConfig.OnCalendar = "minutely";
-  };
+      makeNodeScraperTimer = nodeId:
+        let
+          name = "scrape-node${nodeId}";
+        in {
+          inherit name;
+          value = makeTimer name "minutely";
+        };
+    in {
+      scrape-xeri = makeTimer "scrape-xeri.service" "minutely";
+      scrape-roxi = makeTimer "scrape-roxi.service" "minutely";
+      scrape-fhem = makeTimer "scrape-fhem.service" "minutely";
+      scrape-matemat = makeTimer "scrape-matemat.service" "minutely";
+    } // builtins.listToAttrs (map makeNodeScraperTimer (builtins.attrNames freifunkNodes));
 
   # This value determines the NixOS release with which your system is to be
   # compatible, in order to avoid breaking some software such as database

hosts/containers/spaceapi/configuration.nix

@@ -8,14 +8,13 @@ in
     [ ../../../lib/lxc-container.nix
       ../../../lib/shared.nix
       ../../../lib/admins.nix
-      ../../../lib/default-gateway.nix
       "${spacemsgGit}/spaceapi/module.nix"
     ];
 
   networking.hostName = "spaceapi";
-  networking.useNetworkd = true;
-  networking.useDHCP = lib.mkForce true;
-  networking.firewall.allowedTCPPorts = [ 3000 3001 ];
+  networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.25"; prefixLength = 26; } ];
+  networking.defaultGateway = "172.20.73.1";
+  networking.firewall.enable = false;
 
   services.spaceapi = {
     enable = true;

hosts/glotzbert/configuration.nix

@@ -6,41 +6,48 @@
   c3d2 = {
     users.k-ot = true;
     isInHq = true;
-    hq.interface = "enp0s10";
-    enableHail = true;
+    hq.interface = "eno1";
+    hq.enableBinaryCache = false;
+    enableHail = false;
   };
 
   nixpkgs.config.allowUnfree = true;
   nix = {
     useSandbox = true;
-    buildCores = 2;
+    buildCores = 4;
+    maxJobs = 4;
   };
 
   # Use the systemd-boot EFI boot loader.
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
-  boot.kernelPackages = pkgs.linuxPackages_4_19;
+  boot.kernelPackages = pkgs.linuxPackages_latest;
 
   networking.hostName = "glotzbert"; # Define your hostname.
   # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
+  networking.interfaces.eno1.useDHCP = true;
 
   # Configure network proxy if necessary
   # networking.proxy.default = "http://user:password@proxy:port/";
   # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
 
   # Select internationalisation properties.
-  i18n = {
-    consoleFont = "Lat2-Terminus16";
-    consoleKeyMap = "de";
-    defaultLocale = "en_US.UTF-8";
+  console = {
+    font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
+    keyMap = "de";
   };
+  i18n.defaultLocale = "en_US.UTF-8";
 
   # Set your time zone.
   time.timeZone = "Europe/Berlin";
 
   # List packages installed in system profile. To search, run:
   # $ nix search wget
-  environment.systemPackages = with pkgs; [ wget vim x11vnc ];
+  environment.systemPackages = with pkgs; [
+    wget vim git tmux screen
+    chromium firefox
+    mpv kodi
+  ];
 
   systemd.user.services.x11vnc = {
     description = "X11 VNC server";
@@ -108,11 +115,11 @@
         user = "k-ot";
       };
     };
+    defaultSession = "gnome-xorg";
   };
   services.xserver.desktopManager = {
     gnome3.enable = true;
     kodi.enable = true;
-    default = "kodi";
   };
 
   security.sudo = {
@@ -123,7 +130,6 @@
   # Define a user account. Don't forget to set a password with ‘passwd’.
   users.groups."k-ot" = { gid = 1000; };
   users.users."k-ot" = {
-    password = "k-ot";
     isNormalUser = true;
     uid = 1000;
     group = "k-ot";
@@ -133,6 +139,8 @@
     ];
   };
 
+  users.users.emery.cryptHomeLuks = "/home/emery.luks.img";
+
   # This value determines the NixOS release with which your system is to be
   # compatible, in order to avoid breaking some software such as database
   # servers. You should change this only after NixOS release notes say you

hosts/glotzbert/hardware-configuration.nix

@@ -1,33 +1,27 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, modulesPath, ... }:
 
 {
-  imports =
-    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
-    ];
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
 
-  boot.initrd.availableKernelModules = [ "ohci_pci" "ehci_pci" "ahci" "firewire_ohci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
-  boot.kernelModules = [ "kvm-intel" "wl" "forcedeth" "b43" ];
-  boot.kernelParams = [ "irqpoll" "hpet=off" ];  # noapic seems to improve things
+  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/4568bf11-6e40-4514-9bc9-3194a299c45f";
-      fsType = "btrfs";
+    { device = "/dev/disk/by-uuid/3a8ddd25-0c5d-4fec-b957-bdcea1c52db4";
+      fsType = "ext4";
     };
 
   fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/67E3-17ED";
+    { device = "/dev/disk/by-uuid/6490-45A0";
       fsType = "vfat";
     };
 
-  zramSwap = { enable = true; priority = 1000; };
-  swapDevices = [
-    { device = "/dev/disk/by-uuid/f602ea23-99e5-416b-98d2-ef76cbc5c934";
-    } ];
+  swapDevices = [ ];
 
-  nix.maxJobs = lib.mkDefault 2;
-
-  services.xserver.videoDriver = "nouveau";
+  nix.maxJobs = lib.mkDefault 4;
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
 }

hosts/pulsebert/configuration.nix

@@ -4,164 +4,116 @@
 
 { config, pkgs, ... }:
 
-let
-  ympdPort = 8080;
-  mpdVhost = "mpd.hq.c3d2.de";
-in {
+{
   imports = [ # Include the results of the hardware scan.
     ./hardware-configuration.nix
-    ../../lib
-    ../../lib/admins.nix
-    ../../lib/hq.nix
-    ./mpdConsole.nix
   ];
 
-  c3d2 = {
-    users = {
-      emery = true;
-      k-ot = true;
-    };
-    isInHq = true;
-    mapHqHosts = true;
-    hq = {
-      interface = "eno1";
-      enableMpdProxy = true;
-      yggdrasi.enableGateway = true;
-    };
-    enableHail = true;
-  };
+  boot.loader.grub.enable = false;
+  boot.loader.generic-extlinux-compatible.enable = false;
+  boot.loader.raspberryPi = { enable = true; version = 4; uboot.enable = false; };
+  #boot.kernelPackages = pkgs.linuxPackages_rpi4;
+  boot.kernelPackages = pkgs.linuxPackages_latest;
 
-  # Use the systemd-boot EFI boot loader.
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-  boot.kernelPackages = pkgs.linuxPackages_4_19;
+  boot.tmpOnTmpfs = true;
+  nix.buildCores = 4;
+  nix.maxJobs = 4;
 
   networking.hostName = "pulsebert"; # Define your hostname.
   # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
 
+  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+  # Per-interface useDHCP will be mandatory in the future, so this generated config
+  # replicates the default behaviour.
+  networking.useDHCP = false;
+  networking.interfaces.eth0.useDHCP = true;
+  networking.interfaces.wlan0.useDHCP = true;
+
   # Configure network proxy if necessary
   # networking.proxy.default = "http://user:password@proxy:port/";
   # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
 
   # Select internationalisation properties.
-  i18n = {
-    consoleFont = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
-    consoleKeyMap = "us";
-    defaultLocale = "en_US.UTF-8";
-  };
+  # i18n.defaultLocale = "en_US.UTF-8";
+  # console = {
+  #   font = "Lat2-Terminus16";
+  #   keyMap = "us";
+  # };
+
+  # Set your time zone.
+  # time.timeZone = "Europe/Amsterdam";
 
   # List packages installed in system profile. To search, run:
   # $ nix search wget
   environment.systemPackages = with pkgs; [
-    # specific printer drivers for our printers
-    epson-escpr
-    splix
-    # utilities
-    nix-index
-    usbutils
-    tmux
-    vim
-    git
-    openssl
-    # NCurses Music Player Client (Plus Plus)
-    # a commandline front-end client for mpd
-    # 2019-01-21 mag vater gern gleich einen schoenen lokalen Verwaltung fuer MPD haben.
-#    ncmpcpp
-    home-manager
-    mumble
-    ncpamixer
-    ffmpeg
+    wget vim git
+    raspberrypi-tools
   ];
 
   # Some programs need SUID wrappers, can be configured further or are
   # started in user sessions.
   # programs.mtr.enable = true;
-  # programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
+  # programs.gnupg.agent = {
+  #   enable = true;
+  #   enableSSHSupport = true;
+  #   pinentryFlavor = "gnome3";
+  # };
 
   # List services that you want to enable:
 
+  # Do not log to flash:
+  services.journald.extraConfig = ''
+    Storage=volatile
+  '';
+
   # Enable the OpenSSH daemon.
   services.openssh.enable = true;
+  services.openssh.permitRootLogin = "yes";
+  security.sudo = {
+    enable = true;
+    wheelNeedsPassword = false;
+  };
+
+  users.users.k-ot = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" "audio" ];
+  };
 
-  # X11 Forwarding for mumble...
-  programs.ssh.forwardX11 = true;
-  services.openssh.forwardX11 = true;
 
   # Open ports in the firewall.
-  networking.firewall.allowedTCPPorts = [
-    4713 # PulseAudio
-    631 # cups
-    80
-    443 # Web/ympd
-    5000 # shairport
-    config.services.mpd.network.port
-  ];
-  networking.firewall.allowedUDPPorts = [ 631 ];
-  networking.firewall.extraCommands = ''
-    iptables -I INPUT -p udp --dport mdns -d 224.0.0.251 -j ACCEPT   # zeroconf
-    iptables -I OUTPUT -p udp --dport mdns -d 224.0.0.251 -j ACCEPT  # zeroconf
-  ''; # networking.firewall.allowedUDPPorts = [ ... ];
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
   # Or disable the firewall altogether.
-  # networking.firewall.enable = false;
+  networking.firewall.enable = false;
 
   # Enable CUPS to print documents.
-  services.printing = {
-    enable = true;
-    browsing = true;
-    listenAddresses = [ "*:631" ];
-    defaultShared = true;
-    # logLevel = "debug";
-    drivers = [ pkgs.gutenprint pkgs.hplip pkgs.splix ];
-    extraConf =
-      ''
-        DefaultAuthType Basic
-        <Location />
-          Order allow,deny
-          Allow ALL
-        </Location>
-        <Location /admin>
-          Order allow,deny
-          Allow ALL
-        </Location>
-        <Location /admin/conf>
-          AuthType Basic
-          Require user @SYSTEM
-          Order allow,deny
-          Allow ALL
-        </Location>
-        <Policy default>
-          <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
-            Require user @OWNER @SYSTEM
-            Order deny,allow
-          </Limit>
-          <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
-            AuthType Basic
-            Require user @SYSTEM
-            Order deny,allow
-          </Limit>
-          <Limit Cancel-Job CUPS-Authenticate-Job>
-            Require user @OWNER @SYSTEM
-            Order deny,allow
-          </Limit>
-          <Limit All>
-            Order deny,allow
-          </Limit>
-        </Policy>
-      '';
-
-  };
+  # services.printing.enable = true;
 
   # Enable sound.
   sound.enable = true;
-  hardware.pulseaudio.enable = true;
-  # PulseAudio as-a-Service
-  hardware.pulseaudio.systemWide = true;
-  hardware.pulseaudio.tcp.anonymousClients.allowedIpRanges = [
-    "127.0.0.0/8" "::1/128"
-    "172.22.99.0/24" "2a02:8106:208:5201:58::/64"
-  ];
-  hardware.pulseaudio.tcp.enable = true;
-  hardware.pulseaudio.zeroconf.publish.enable = true;
+  hardware.bluetooth = {
+    enable = true;
+    config = {
+      Policy.AutoEnable = true;
+      General = {
+        Enable = "Source,Sink,Media,Socket";
+        #DiscoverableTimeout = 0;
+        #Discoverable = true;
+      };
+    };
+  };
+  hardware.pulseaudio = {
+    enable = true;
+    systemWide = true;
+    tcp.enable = true;
+    tcp.anonymousClients.allowedIpRanges = [
+      "127.0.0.0/8" "::1/128"
+      "172.22.99.0/24" "2a02:8106:208:5201:58::/64"
+    ];
+    zeroconf.publish.enable = true;
+    package = pkgs.pulseaudioFull;
+    extraModules = [ pkgs.pulseaudio-modules-bt ];
+  };
 
   # tell Avahi to publish CUPS and PulseAudio
   services.avahi = {
@@ -170,9 +122,6 @@ in {
     publish.userServices = true;
   };
 
-  # Enable Audio streaming for Mac clients
-  services.shairport-sync.enable = true;
-
   # Enable the X11 windowing system.
   # services.xserver.enable = true;
   # services.xserver.layout = "us";
@@ -185,88 +134,19 @@ in {
   # services.xserver.displayManager.sddm.enable = true;
   # services.xserver.desktopManager.plasma5.enable = true;
 
-  security.pam.enableSSHAgentAuth = true;
-  security.sudo = {
-    enable = true;
-    wheelNeedsPassword = false;
-  };
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  # users.users.jane = {
+  #   isNormalUser = true;
+  #   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+  # };
 
-  users.users.k-ot.extraGroups = [ "wheel" ];
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "20.09"; # Did you read the comment?
 
-  # This value determines the NixOS release with which your system is to be
-  # compatible, in order to avoid breaking some software such as database
-  # servers. You should change this only after NixOS release notes say you
-  # should.
-  system.stateVersion = "18.09"; # Did you read the comment?
-
-  # vater hoerte, dass menschen im space gern mpd fuer das abspielen von musik erwarten wuerden
-  ####	https://nixos.org/nixos/options.html#services.mpd.enable
-  # See ../../mpd.nix
-  services.mpd = {
-    enable = true;
-    dbFile = null;
-    musicDirectory = "/mnt/storage/Music";
-    playlistDirectory = "/home/k-ot/Playlists";
-    network.listenAddress = "any";
-
-    extraConfig = ''
-      audio_output {
-        type "pulse"
-        name "/proc"
-      }
-    '';
-  };
-
-  services.caddy = {
-    enable = true;
-    agree = true;
-    # TODO: add auth?
-    config = ''
-      ${mpdVhost} {
-        proxy / localhost:${toString ympdPort}
-      }
-
-      :80 {
-        redir https://${mpdVhost}{uri}
-      }
-    '';
-  };
-
-  fileSystems."/mnt/storage" = {
-    #device = "storage-ng.hq.c3d2.de:/mnt/zroot/storage/rpool";
-    #device = "storage-ng.hq.c3d2.de:/c3d2/rpool";
-    device =
-      "172.22.99.13:6789,172.22.99.15:6789,172.22.99.16:6789:/c3d2/rpool";
-    fsType = "ceph";
-    options = [
-      "rw"
-      "relatime"
-      "name=public"
-      "secret=AQDgER1chJcMORAAK1ysRTN59B5x/MyniwVXFQ=="
-      "acl"
-      "wsize=16777216"
-      "_netdev"
-    ];
-  };
-
-  # MPD music playing daemon with webinterface
-  services.ympd = {
-    enable = true;
-    webPort = toString ympdPort;
-  };
-  nixpkgs.config.packageOverrides = pkgs: with pkgs; {
-    ympd = ympd.overrideAttrs (oldAttrs: {
-      src = fetchFromGitHub {
-        owner = "c3d2";
-        repo = "ympd";
-        rev = "feature/somafm_browser";
-        sha256 = "17x3jfys6gxghz5yp0gvd39ylvzfm59qxg75hwc5a52rj1n2jpb1";
-      };
-    });
-  };
-  programs.bash.shellAliases = {
-    mpv = "mpv --no-vid";
-  };
-
-  users.users.emery.cryptHomeLuks = "/home/emery.luks.img";
 }
+

hosts/pulsebert/hardware-configuration.nix

@@ -1,29 +1,39 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, modulesPath, ... }:
 
 {
-  imports =
-    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
-    ];
+  #imports =
+  #  [ (modulesPath + "/installer/scan/not-detected.nix")
+  #  ];
 
-  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
-  boot.kernelModules = [ "kvm-intel" ];
+  boot.initrd.availableKernelModules = [ "usbhid" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
   boot.extraModulePackages = [ ];
+  boot.kernelParams = [
+    "snd_bcm2835.enable_headphones=1"
+  ];
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/3a8ddd25-0c5d-4fec-b957-bdcea1c52db4";
+    { device = "/dev/disk/by-label/NIXOS_SD";
       fsType = "ext4";
     };
 
   fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/6490-45A0";
+    { device = "/dev/disk/by-label/FIRMWARE";
       fsType = "vfat";
     };
 
   swapDevices = [ ];
 
-  nix.maxJobs = lib.mkDefault 4;
-  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  hardware.enableRedistributableFirmware = true;
+  #networking.wireless.enable = true;
+  boot.loader.raspberryPi.firmwareConfig = ''
+    gpu_mem=192
+    dtparam=audio=on
+  '';
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
 }

hosts/pulsebert/home.nix

@@ -1,17 +0,0 @@
-{ pkgs, ... }:
-
-{
-  home.packages = with pkgs; [
-    htop
-    fortune
-    ddate
-    mpv
-    ncmpcpp
-    schedtool
-    screen
-    tmux
-    pulsemixer
-    ncpamixer
-    python35.withPackages(ps: with ps; [ youtube-dl ])
-  ];
-}