The big format and cleanup

pull/37/head
Sandro - 2022-06-12 17:26:32 +02:00
parent c042dd5c03
commit aaddec8194
Signed by: sandro
GPG Key ID: 3AF5A43A3EECC2E5
33 changed files with 816 additions and 756 deletions


@ -1,11 +1,11 @@
{ config, lib, pkgs, ... }:
{
options.c3d2.audioServer = with lib; {
enable = mkEnableOption "Enable PulseAudio and Bluetooth sinks";
options.c3d2.audioServer = {
enable = lib.mkEnableOption "Enable PulseAudio and Bluetooth sinks";
};
config = lib.mkIf config.c3d2.audioServer.enable {
# Enable sound.
sound.enable = true;
hardware.bluetooth = {
enable = lib.mkDefault true;
@ -30,12 +30,15 @@
zeroconf.publish.enable = true;
package = pkgs.pulseaudioFull;
};
# TODO: configure system wide service
#services.pipewire = {
# enable = true;
# alsa.enable = true;
# config.pipewire-pulse = lib.importJSON ./pipewire-pulse.conf.json;
# pulse.enable = true;
#};
security.rtkit.enable = true;
# tell Avahi to publish CUPS and PulseAudio


@ -3,8 +3,8 @@
{ config, options, lib, pkgs, ... }:
let
hqPrefix64 = "fd23:42:c3d2:523";
# TODO: Is this stable? Is there a better place to specifiy this?
hqPrefix64 = "fd23:42:c3d2:523";
# Generate a deterministic IPv6 address for a 64 bit prefix
# and seed string. Prefix must not contain trailing ':'.
@ -20,7 +20,6 @@ let
toHqPrivateAddress = toIpv6Address hqPrefix64;
in {
imports = [
./stats.nix
./audio-server
@ -34,7 +33,6 @@ in {
mkIfIsInHq = x: lib.mkIf cfg.isInHq (lib.mkDefault x);
in {
# Configuration specific to this machine
assertions = [
{
assertion = cfg.isInHq -> (config.users.users.root.password == null);
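Review bot: The TODO comment that now sits directly above `hqPrefix64` keeps the misspelling `specifiy`; since the line is being moved anyway, make it `# TODO: Is this stable? Is there a better place to specify this?`. Which side of the move the comment belongs to is not recoverable from this rendered view, but the text should be corrected either way.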


@ -51,7 +51,8 @@ in {
'';
};
services.prometheus.exporters.node.enable = true;
services.prometheus.exporters.node.openFirewall = true;
services.prometheus.exporters.node = {
enable = true;
openFirewall = true;
};
}


@ -6,42 +6,78 @@
(modulesPath + "/profiles/docker-container.nix")
];
networking.networkmanager.dns = "unbound";
networking.useHostResolvConf = false;
boot = {
isContainer = true;
loader = {
grub.enable = false;
# /sbin/init
initScript.enable = true;
};
};
environment.etc."resolv.conf".text = lib.concatMapStrings (ns: ''
nameserver ${ns}
'') config.networking.nameservers;
nix.useSandbox = false;
nix.maxJobs = lib.mkDefault 1;
nix.buildCores = lib.mkDefault 4;
networking.useNetworkd = true;
networking.useDHCP = false;
services.resolved.enable = false;
networking.nameservers = [
hostRegistry.hosts.dnscache.ip4
hostRegistry.hosts.dnscache.ip6
"9.9.9.9"
];
networking.interfaces.eth0 = {
useDHCP = false;
tempAddress = "disabled";
fileSystems."/" = {
fsType = "rootfs";
device = "rootfs";
};
systemd.network.networks."40-eth0"
.networkConfig = {
IPv6AcceptRA = true;
LinkLocalAddressing = "ipv6";
nix = {
useSandbox = false;
maxJobs = lib.mkDefault 1;
buildCores = lib.mkDefault 4;
};
networking = {
interfaces.eth0 = {
useDHCP = false;
tempAddress = "disabled";
};
nameservers = with hostRegistry.hosts.dnscache; [
ip4
ip6
"9.9.9.9"
];
networkmanager.dns = "unbound";
useDHCP = false;
useHostResolvConf = false;
useNetworkd = true;
};
boot.isContainer = true;
services = {
journalbeat = {
enable = false;
tags = [ "container" ];
extraConfig = ''
journalbeat.inputs:
# Paths that should be crawled and fetched. Possible values files and directories.
# When setting a directory, all journals under it are merged.
# When empty starts to read from local journal.
- paths: []
journalbeat:
seek_position: cursor
cursor_seek_fallback: tail
write_cursor_state: true
cursor_flush_period: 5s
clean_field_names: true
convert_to_numbers: false
move_metadata_to_field: journal
default_type: journal
kernel: true
output.logstash:
# Boolean flag to enable or disable the output module.
enabled: true
hosts: ["${config.c3d2.hosts.logging.ip4}:5044"]
'';
};
# Required for remote deployment
openssh.enable = true;
resolved.enable = false;
};
# /sbin/init
boot.loader.initScript.enable = true;
boot.loader.grub.enable = false;
# Create a few files early before packing tarball for Proxmox
# architecture/OS detection.
# Create a few files early before packing tarball for Proxmox architecture/OS detection.
system.extraSystemBuilderCmds = ''
mkdir -m 0755 -p $out/bin
ln -s ${pkgs.bash}/bin/bash $out/bin/sh
@ -49,39 +85,8 @@
ln -s ../init $out/sbin/init
'';
fileSystems."/" = {
fsType = "rootfs";
device = "rootfs";
systemd.network.networks."40-eth0".networkConfig = {
IPv6AcceptRA = true;
LinkLocalAddressing = "ipv6";
};
# add central logging
services.journalbeat = {
enable = false;
tags = [ "container" ];
extraConfig = ''
journalbeat.inputs:
# Paths that should be crawled and fetched. Possible values files and directories.
# When setting a directory, all journals under it are merged.
# When empty starts to read from local journal.
- paths: []
journalbeat:
seek_position: cursor
cursor_seek_fallback: tail
write_cursor_state: true
cursor_flush_period: 5s
clean_field_names: true
convert_to_numbers: false
move_metadata_to_field: journal
default_type: journal
kernel: true
output.logstash:
# Boolean flag to enable or disable the output module.
enabled: true
hosts: ["${config.c3d2.hosts.logging.ip4}:5044"]
'';
};
# Required for remote deployment
services.openssh.enable = true;
}
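Review bot: The `# add central logging` comment that preceded the old `services.journalbeat` block appears to have been dropped when the block moved into the new `services = {` attrset, so the unit, which is left at `enable = false;`, no longer says what it is for; restore it as `# add central logging` above `journalbeat = {`. The rendered view does not show the `+`/`-` side of every line, so this is inferred from the removed block at the bottom of the section. Separately, joining the two-line comment into `# Create a few files early before packing tarball for Proxmox architecture/OS detection.` pushes it past the 80-column width the rest of the file keeps; the original wrap was fine.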


@ -2,11 +2,15 @@
{
imports = [ ./logging.nix ];
# Set your time zone.
time.timeZone = "Europe/Berlin";
# Select internationalisation properties.
i18n = {
defaultLocale = "en_US.UTF-8";
supportedLocales = lib.mkForce [ "en_US.UTF-8/UTF-8" "de_DE.UTF-8/UTF-8" ];
supportedLocales = lib.mkForce [
"en_US.UTF-8/UTF-8"
"de_DE.UTF-8/UTF-8"
"C.UTF-8/UTF-8"
];
};
}
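Review bot: Adding `"C.UTF-8/UTF-8"` to `i18n.supportedLocales` is a functional change, not a formatting one, and it is easy to miss inside a commit titled "The big format and cleanup"; either split it into its own commit or call it out in the commit message. If it is intentional, a one-line comment next to the entry stating why the C locale is needed would help, because the reason is not visible from the hunk.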


@ -1,6 +1,15 @@
{ hostRegistry, config, lib, pkgs, modulesPath, ... }:
{
c3d2 = {
isInHq = true;
mergeHostsFile = true;
hq.interface = "eth0";
hq.statistics.enable = true;
audioServer.enable = true;
k-ot.enable = true;
};
hardware.enableRedistributableFirmware = true;
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
@ -9,6 +18,7 @@
# prevent kernel install fail due to missing modules
pkgs.makeModulesClosure (x // { allowMissing = true; });
};
boot = {
loader = {
raspberryPi = {
@ -38,15 +48,6 @@
options = [ "nfsvers=3" "proto=tcp" "nolock" "hard" "async" "rw" ];
};
c3d2 = {
isInHq = true;
mergeHostsFile = true;
hq.interface = "eth0";
hq.statistics.enable = true;
audioServer.enable = true;
k-ot.enable = true;
};
networking = {
hostName = "dacbert"; # Define your hostname.
useDHCP = false;
@ -65,13 +66,6 @@
daemonCPUSchedPolicy = "idle";
daemonIOSchedClass = "idle";
};
systemd.services.nix-daemon.serviceConfig = {
LimitNOFILE = lib.mkForce 8192;
CPUWeight = 5;
MemoryHigh = "4G";
MemoryMax = "6G";
MemorySwapMax = "0";
};
environment.systemPackages = with pkgs; [
libraspberrypi
@ -92,15 +86,6 @@
programs.tmux.enable = true;
# Do not log to flash:
services.journald.extraConfig = ''
Storage=volatile
'';
# Enable the OpenSSH daemon.
services.openssh = {
enable = true;
};
security.sudo = {
enable = true;
wheelNeedsPassword = false;
@ -112,41 +97,60 @@
keyMap = "de";
};
# Enable the X11 windowing system.
services.xserver.enable = true;
services.xserver.layout = "de";
services.xserver.xkbOptions = "eurosign:e";
services = {
# Do not log to flash:
journald.extraConfig = ''
Storage=volatile
'';
services.xserver.displayManager = {
lightdm = { enable = true; };
autoLogin = {
openssh = {
enable = true;
user = "k-ot";
};
defaultSession = "gnome-xorg";
};
services.xserver.desktopManager = {
gnome.enable = true;
# kodi.enable = true;
};
systemd.user.services.x11vnc = {
description = "X11 VNC server";
wantedBy = [ "graphical-session.target" ];
partOf = [ "graphical-session.target" ];
serviceConfig = {
ExecStart = ''
${pkgs.x11vnc}/bin/x11vnc -shared -forever -passwd k-ot
'';
RestartSec = 3;
Restart = "always";
xserver = {
enable = true;
layout = "de";
xkbOptions = "eurosign:e";
};
};
services.xserver = {
desktopManager = {
gnome.enable = true;
};
displayManager = {
lightdm = { enable = true; };
autoLogin = {
enable = true;
user = "k-ot";
};
defaultSession = "gnome-xorg";
};
};
systemd = {
services.nix-daemon.serviceConfig = {
LimitNOFILE = lib.mkForce 8192;
CPUWeight = 5;
MemoryHigh = "4G";
MemoryMax = "6G";
MemorySwapMax = "0";
};
user.services.x11vnc = {
description = "X11 VNC server";
wantedBy = [ "graphical-session.target" ];
partOf = [ "graphical-session.target" ];
serviceConfig = {
ExecStart = ''
${pkgs.x11vnc}/bin/x11vnc -shared -forever -passwd k-ot
'';
RestartSec = 3;
Restart = "always";
};
};
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
}
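Review bot: The x11vnc unit moved under `systemd.user.services` still passes the VNC password on the command line, `${pkgs.x11vnc}/bin/x11vnc -shared -forever -passwd k-ot`, which places the secret in the world-readable Nix store and in the process list of every local user; this predates the commit, but since the line is being rewritten anyway, switching to `-passwdfile` pointing at a sops-managed secret (sops is already in use elsewhere in this commit) would remove the plaintext. On style, the new `services = { … xserver = { enable = true; … }; };` block is immediately followed by a second `services.xserver = { displayManager = …; desktopManager = …; };` definition; as far as I recall Nix merges such literal attrsets at parse time so this evaluates, but in a cleanup commit the two should become one `services.xserver` block. The same split appears in the glotzbert configuration in this commit.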


@ -13,6 +13,7 @@
};
nixpkgs.config.allowUnfree = true;
nix = {
useSandbox = true;
buildCores = 4;
@ -21,10 +22,13 @@
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelPackages = pkgs.linuxPackages_latest;
boot = {
loader = {
efi.canTouchEfiVariables = true;
systemd-boot.enable = true;
};
kernelPackages = pkgs.linuxPackages_latest;
};
networking.hostName = "glotzbert"; # Define your hostname.
networking.interfaces.eno1.useDHCP = true;
@ -34,6 +38,7 @@
font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
keyMap = "de";
};
i18n.defaultLocale = "en_US.UTF-8";
environment.systemPackages = with pkgs; [
@ -70,8 +75,10 @@
# Users must be in "audio" group
systemWide = true;
support32Bit = true;
zeroconf.discovery.enable = true;
zeroconf.publish.enable = true;
zeroconf = {
discovery.enable = true;
publish.enable = true;
};
tcp = {
enable = true;
anonymousClients.allowAll = true;
@ -85,21 +92,25 @@
};
# Enable the X11 windowing system.
services.xserver.enable = true;
services.xserver.layout = "de";
services.xserver.xkbOptions = "eurosign:e";
services.xserver.displayManager = {
lightdm = { enable = true; };
autoLogin = {
enable = true;
user = "k-ot";
};
defaultSession = "gnome-xorg";
services.xserver = {
enable = true;
layout = "de";
xkbOptions = "eurosign:e";
};
services.xserver.desktopManager = {
gnome.enable = true;
kodi.enable = true;
services.xserver = {
displayManager = {
lightdm = { enable = true; };
autoLogin = {
enable = true;
user = "k-ot";
};
defaultSession = "gnome-xorg";
};
desktopManager = {
gnome.enable = true;
kodi.enable = true;
};
};
security.sudo = {
@ -113,10 +124,5 @@
extraGroups = [ "networkmanager" ];
};
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "18.09"; # Did you read the comment?
}
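Review bot: `services.xserver` is defined twice in a row in the new code: `services.xserver = { enable = true; layout = "de"; xkbOptions = "eurosign:e"; };` is immediately followed by a second `services.xserver = { displayManager = …; desktopManager = …; };`. As far as I recall Nix merges both literal attrsets, so this evaluates, but it defeats the purpose of a formatting pass; fold `enable`, `layout` and `xkbOptions` into the second block and drop the first. The same pattern is present in the dacbert configuration in this commit.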


@ -60,9 +60,5 @@
c3d2.hq.statistics.enable = true;
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "20.09"; # Did you read the comment?
}


@ -43,18 +43,21 @@ in {
evaluator_max_memory_size = 2048
'';
};
systemd.services.hydra-evaluator.serviceConfig = {
CPUWeight = 2;
MemoryHigh = "32G";
MemoryMax = "32G";
MemorySwapMax = "16G";
};
systemd.services.nix-daemon.serviceConfig = {
LimitNOFILE = lib.mkForce 8192;
CPUWeight = 5;
MemoryHigh = "32G";
MemoryMax = "32G";
MemorySwapMax = "16G";
systemd.services = {
hydra-evaluator.serviceConfig = {
CPUWeight = 2;
MemoryHigh = "32G";
MemoryMax = "32G";
MemorySwapMax = "16G";
};
services.nix-daemon.serviceConfig = {
LimitNOFILE = lib.mkForce 8192;
CPUWeight = 5;
MemoryHigh = "32G";
MemoryMax = "32G";
MemorySwapMax = "16G";
};
};
services.nginx =
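Review bot: Inside the new `systemd.services = {` block the second entry is written as `services.nix-daemon.serviceConfig = {`, which defines `systemd.services.services.nix-daemon.serviceConfig` instead of `systemd.services.nix-daemon.serviceConfig` as the removed lines did. The nix-daemon `LimitNOFILE`, CPU weight and memory limits would no longer apply to the daemon, and the module system will most likely reject an unknown `nix-daemon` option under a service named `services`. Change the line to `nix-daemon.serviceConfig = {`.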


@ -1,49 +1,52 @@
{ config, pkgs, ... }:
{
# Build user
users.groups.updater = {};
users.users.updater = {
isSystemUser = true;
group = "updater";
home = "/var/lib/updater";
};
systemd.tmpfiles.rules = [
# needs to be provisioned with ssh privkey
"d ${config.users.users.updater.home} 0700 updater ${config.users.users.updater.group} -"
];
# Timer-triggered service that updates flake.lock and pushes to a
# branch to be picked up by Hydra.
systemd.services.updater = {
wantedBy = [ "multi-user.target" ];
path = with pkgs; [ git nixFlakes curl openssh ];
script = ''
git config --global user.email "astro@spaceboyz.net"
git config --global user.name "Astrobot"
TEMP=$(mktemp -d)
cd $TEMP
git clone --depth=1 --single-branch gitea@gitea.c3d2.de:C3D2/nix-config.git
cd nix-config
nix flake update --commit-lock-file
git push -f origin HEAD:flake-update
'';
serviceConfig = {
User = "updater";
Group = config.users.users.updater.group;
PrivateTmp = true;
ProtectSystem = "full";
users = {
groups.updater = {};
users.updater = {
isSystemUser = true;
group = "updater";
home = "/var/lib/updater";
};
};
systemd.timers.updater = {
partOf = [ "updater.service" ];
wantedBy = [ "timers.target" ];
# update flake.lock daily at 10am so that systems are freshly
# built by afternoon
timerConfig.OnCalendar = "10:00";
systemd = {
# Timer-triggered service that updates flake.lock and pushes to a branch to be picked up by Hydra.
services.updater = {
wantedBy = [ "multi-user.target" ];
path = with pkgs; [ git nixFlakes curl openssh ];
script = ''
git config --global user.email "astro@spaceboyz.net"
git config --global user.name "Astrobot"
TEMP=$(mktemp -d)
cd $TEMP
git clone --depth=1 --single-branch gitea@gitea.c3d2.de:C3D2/nix-config.git
cd nix-config
nix flake update --commit-lock-file
git push -f origin HEAD:flake-update
'';
serviceConfig = {
User = "updater";
Group = config.users.users.updater.group;
PrivateTmp = true;
ProtectSystem = "full";
};
};
timers.updater = {
partOf = [ "updater.service" ];
wantedBy = [ "timers.target" ];
# update flake.lock daily at 10am so that systems are freshly
# built by afternoon
timerConfig.OnCalendar = "10:00";
};
tmpfiles.rules = [
# needs to be provisioned with ssh privkey
"d ${config.users.users.updater.home} 0700 updater ${config.users.users.updater.group} -"
];
};
}


@ -5,10 +5,18 @@ let
in
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
];
c3d2 = {
isInHq = true;
mergeHostsFile = true;
hq.interface = "eth0";
hq.statistics.enable = true;
k-ot.enable = true;
audioServer.enable = true;
};
boot = {
loader = {
grub.enable = false;
@ -24,23 +32,18 @@ in
kernelParams = [ "console=tty0" ];
tmpOnTmpfs = true;
};
hardware.deviceTree = {
enable = true;
kernelPackage = config.boot.kernelPackages.kernel;
};
nixpkgs.config.packageOverrides = pkgs: {
makeModulesClosure = x:
# prevent kernel install fail due to missing modules
pkgs.makeModulesClosure (x // { allowMissing = true; });
};
c3d2 = {
isInHq = true;
mergeHostsFile = true;
hq.interface = "eth0";
hq.statistics.enable = true;
};
nix = {
buildCores = 4;
maxJobs = 2;
@ -69,104 +72,101 @@ in
programs.tmux.enable = true;
# Do not log to flash:
services.journald.extraConfig = ''
Storage=volatile
'';
# Enable the OpenSSH daemon.
services.openssh = {
enable = true;
};
security.sudo = {
enable = true;
wheelNeedsPassword = false;
};
c3d2.k-ot.enable = true;
c3d2.audioServer.enable = true;
# quirk for this pi3
systemd.services.bluetooth.serviceConfig = {
Restart = "always";
RestartSec = "1s";
};
services.nginx = {
enable = true;
#recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"drkkr.hq.c3d2.de" = {
default = true;
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString octoprintPort}";
proxyWebsockets = true;
extraConfig = ''
proxy_set_header X-Scheme $scheme;
proxy_set_header Accept-Encoding identity;
client_max_body_size 2000M;
'';
};
locations."/cam/stream" = {
proxyPass = "http://localhost:3020/?action=stream";
extraConfig = "proxy_pass_request_headers off;";
};
locations."/cam/capture" = {
proxyPass = "http://localhost:3020/?action=snapshot";
extraConfig = "proxy_pass_request_headers off;";
users.users = {
# Allow access to printer serial port and GPIO
"${config.services.octoprint.user}".extraGroups = [ "dialout" "gpio" ];
# Allow gpio group to access GPIO devices
gpio = { };
};
services = {
# Do not log to flash:
journald.extraConfig = ''
Storage=volatile
'';
openssh = {
enable = true;
};
mjpg-streamer = {
enable = true;
inputPlugin = "input_uvc.so -d /dev/v4l/by-id/usb-046d_0817_4B7115A0-video-index0 -r 640x480 -f 30 -pl 50hz -ex auto";
outputPlugin = "output_http.so -p 3020";
};
nginx = {
enable = true;
#recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"drkkr.hq.c3d2.de" = {
default = true;
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString octoprintPort}";
proxyWebsockets = true;
extraConfig = ''
proxy_set_header X-Scheme $scheme;
proxy_set_header Accept-Encoding identity;
client_max_body_size 2000M;
'';
};
locations."/cam/stream" = {
proxyPass = "http://localhost:3020/?action=stream";
extraConfig = "proxy_pass_request_headers off;";
};
locations."/cam/capture" = {
proxyPass = "http://localhost:3020/?action=snapshot";
extraConfig = "proxy_pass_request_headers off;";
};
};
};
};
};
services.octoprint = rec {
enable = true;
port = octoprintPort;
extraConfig.webcam = {
snapshot = "http://localhost:3020?action=snapshot";
stream = "https://drkkr.hq.c3d2.de/cam/stream";
octoprint = rec {
enable = true;
port = octoprintPort;
extraConfig.webcam = {
snapshot = "http://localhost:3020?action=snapshot";
stream = "https://drkkr.hq.c3d2.de/cam/stream";
};
# plugins = let
# python = pkgs.octoprint.python;
# octoprint-filament-sensor-universal = python.pkgs.buildPythonPackage rec {
# pname = "OctoPrint-Filament-Sensor-Universal";
# version = "1.0.0";
# src = pkgs.fetchFromGitHub {
# owner = "lopsided98";
# repo = pname;
# rev = "8a72696867a9a008c5a79b49a9b029a4fc426720";
# sha256 = "1a7lzmjbwx47qhrkjp3hggiwnx172x4axcz0labm9by17zxlsimr";
# };
# propagatedBuildInputs = [ pkgs.octoprint python.pkgs.libgpiod ];
# };
# #in p: [ octoprint-filament-sensor-universal ];
# in p: [];
};
# plugins = let
# python = pkgs.octoprint.python;
# octoprint-filament-sensor-universal = python.pkgs.buildPythonPackage rec {
# pname = "OctoPrint-Filament-Sensor-Universal";
# version = "1.0.0";
# src = pkgs.fetchFromGitHub {
# owner = "lopsided98";
# repo = pname;
# rev = "8a72696867a9a008c5a79b49a9b029a4fc426720";
# sha256 = "1a7lzmjbwx47qhrkjp3hggiwnx172x4axcz0labm9by17zxlsimr";
# };
# propagatedBuildInputs = [ pkgs.octoprint python.pkgs.libgpiod ];
# };
# #in p: [ octoprint-filament-sensor-universal ];
# in p: [];
udev.extraRules = ''
KERNEL=="gpiochip*", GROUP="gpio", MODE="0660"
'';
};
# Allow access to printer serial port and GPIO
users.users."${config.services.octoprint.user}".extraGroups = [ "dialout" "gpio" ];
services.mjpg-streamer = {
enable = true;
inputPlugin = "input_uvc.so -d /dev/v4l/by-id/usb-046d_0817_4B7115A0-video-index0 -r 640x480 -f 30 -pl 50hz -ex auto";
outputPlugin = "output_http.so -p 3020";
};
# Allow gpio group to access GPIO devices
users.groups.gpio = { };
services.udev.extraRules = ''
KERNEL=="gpiochip*", GROUP="gpio", MODE="0660"
'';
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
}
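Review bot: `gpio = { };` now sits under `users.users` (directly below the comment `# Allow gpio group to access GPIO devices`), whereas the removed lines declared `users.groups.gpio = { };`. That turns the group into a user with neither `isSystemUser` nor `isNormalUser` set, and the `gpio` group referenced by `extraGroups = [ "dialout" "gpio" ]` and by the udev rule `KERNEL=="gpiochip*", GROUP="gpio", MODE="0660"` is no longer declared at all. Move it back to the groups namespace, e.g. `users.groups.gpio = { };` next to the `users.users` block.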


@ -1,121 +0,0 @@
{ zentralwerk, config, lib, pkgs, ... }:
{
boot.initrd.availableKernelModules = [ "usbhid" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
fileSystems."/boot/firmware" = {
device = "/dev/disk/by-label/FIRMWARE";
fsType = "vfat";
};
swapDevices = [ ];
hardware.enableRedistributableFirmware = true;
#networking.wireless.enable = true;
hardware.deviceTree.enable = false;
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
boot = {
loader = {
grub.enable = false;
raspberryPi = {
enable = true;
version = 4;
# TODO: this machine actually has u-boot setup but that's no
# longer working with nixos-22.05. DO NOT REBOOT! :-)
# https://github.com/NixOS/nixpkgs/pull/112677
# uboot.enable = true;
firmwareConfig = ''
gpu_mem=192
dtparam=audio=on
'';
};
};
kernelPackages = pkgs.linuxPackages_latest;
# No ZFS on latest kernel:
supportedFilesystems = lib.mkForce [ "vfat" "ext4" ];
tmpOnTmpfs = true;
};
nixpkgs.config.packageOverrides = pkgs: {
makeModulesClosure = x:
# prevent kernel install fail due to missing modules
pkgs.makeModulesClosure (x // { allowMissing = true; });
};
c3d2 = {
isInHq = false;
hq.statistics.enable = true;
pi-sensors = if true then [] else [ {
type = "dht22";
pin = 17;
location = "Schrank";
} {
type = "dht22";
pin = 23;
location = "Aussen";
} ];
# unless you automate walking up to the roof, do never enable
# automatic updates for this machine!
autoUpdate = lib.mkForce false;
};
nix = {
buildCores = 4;
maxJobs = 2;
};
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
networking = {
hostName = "radiobert"; # Define your hostname.
useDHCP = false;
interfaces.eth0.ipv4.addresses = [{
address = config.c3d2.hosts."${config.networking.hostName}".ip4;
prefixLength = zentralwerk.lib.config.site.net.serv.subnet4Len;
}];
defaultGateway = "172.20.73.1";
firewall.enable = false;
nameservers = [ "172.20.73.8" "9.9.9.9" ];
};
environment.systemPackages = with pkgs; [
libraspberrypi
raspberrypi-eeprom
vim
wget
];
programs.tmux.enable = true;
# Do not log to flash:
services.journald.extraConfig = ''
Storage=volatile
'';
# Enable the OpenSSH daemon.
services.openssh = {
enable = true;
};
# Allow access to USB
services.udev.extraRules = ''
SUBSYSTEM=="usb", MODE:="0666"
'';
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
}


@ -1,7 +1,127 @@
{ zentralwerk, config, lib, pkgs, ... }:
{
imports = [
./base.nix
./soapysdr.nix
./readsb.nix
];
c3d2 = {
isInHq = false;
hq.statistics.enable = true;
pi-sensors = if true then [] else [ {
type = "dht22";
pin = 17;
location = "Schrank";
} {
type = "dht22";
pin = 23;
location = "Aussen";
} ];
# unless you automate walking up to the roof, do never enable
# automatic updates for this machine!
autoUpdate = lib.mkForce false;
};
boot = {
loader = {
grub.enable = false;
raspberryPi = {
enable = true;
version = 4;
# TODO: this machine actually has u-boot setup but that's no
# longer working with nixos-22.05. DO NOT REBOOT! :-)
# https://github.com/NixOS/nixpkgs/pull/112677
# uboot.enable = true;
firmwareConfig = ''
gpu_mem=192
dtparam=audio=on
'';
};
};
kernelPackages = pkgs.linuxPackages_latest;
# No ZFS on latest kernel:
supportedFilesystems = lib.mkForce [ "vfat" "ext4" ];
tmpOnTmpfs = true;
extraModulePackages = [ ];
initrd = {
availableKernelModules = [ "usbhid" ];
kernelModules = [ ];
};
kernelModules = [ ];
};
fileSystems = {
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
"/boot/firmware" = {
device = "/dev/disk/by-label/FIRMWARE";
fsType = "vfat";
};
};
swapDevices = [ ];
hardware = {
deviceTree.enable = false;
enableRedistributableFirmware = true;
};
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
nixpkgs.config.packageOverrides = pkgs: {
makeModulesClosure = x:
# prevent kernel install fail due to missing modules
pkgs.makeModulesClosure (x // { allowMissing = true; });
};
nix = {
buildCores = 4;
maxJobs = 2;
};
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
networking = {
hostName = "radiobert"; # Define your hostname.
useDHCP = false;
interfaces.eth0.ipv4.addresses = [{
address = config.c3d2.hosts."${config.networking.hostName}".ip4;
prefixLength = zentralwerk.lib.config.site.net.serv.subnet4Len;
}];
defaultGateway = "172.20.73.1";
firewall.enable = false;
nameservers = [ "172.20.73.8" "9.9.9.9" ];
};
environment.systemPackages = with pkgs; [
libraspberrypi
raspberrypi-eeprom
vim
wget
];
programs.tmux.enable = true;
services = {
# Do not log to flash:
journald.extraConfig = ''
Storage=volatile
'';
openssh = {
enable = true;
};
# Allow access to USB
udev.extraRules = ''
SUBSYSTEM=="usb", MODE:="0666"
'';
};
system.stateVersion = "21.05"; # Did you read the comment?
}
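Review bot: `pi-sensors = if true then [] else [ … ];` is a dead toggle that survived the merge of the former base.nix into this file; it keeps an unused sensor list alive under a condition that can never be false. Replace it with `pi-sensors = [];` plus a comment explaining why the two dht22 sensors are disabled (the reason is not visible here), or keep the list behind a named `let` flag if re-enabling is expected. While the `services` block is being rewritten, it is also worth noting that the moved rule `SUBSYSTEM=="usb", MODE:="0666"` makes every USB device node world-writable; this is pre-existing, but the `# Allow access to USB` comment could say which user or service needs it so the rule can later be narrowed to a group.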


@ -25,122 +25,132 @@ in {
# no watching TV intended
"dvb_usb_rtl28xxu"
];
sops.secrets = {
"chaos-consulting/user".owner = "mlat-client";
};
users.users.readsb = {
isSystemUser = true;
group = "adsb";
};
users.groups.adsb = {};
systemd.services.readsb = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.readsb}/bin/readsb --modeac --aggressive --fix --stats-range --dcfilter --quiet --gain=-10 --lon=${lon} --lat=${lat} --net --net-ro-port=30002 --net-sbs-port=30003 --net-bo-port=30005 --net-vrs-port=30006 --net-beast-reduce-interval 1 --net-connector feed.adsbexchange.com,30005,beast_reduce_out";
User = "readsb";
Group = "adsb";
ProtectSystem = "full";
ProtectHome = true;
Restart = "always";
RestartSec = "10s";
};
};
users.users.mlat-client = {
isSystemUser = true;
group = "adsb";
};
# Feeds adsbexchange.com, test at https://www.adsbexchange.com/myip/
systemd.services.mlat-client-adsbexchange = makeMlatClientService "--server feed.adsbexchange.com:31090 --user C3D2";
# Feeds https://adsb.chaos-consulting.de/map/
systemd.services.mlat-client-chaos-consulting = makeMlatClientService "--server ${config.services.stunnel.clients.mlat-client-chaos-consulting.accept} --user \"$(cat ${config.sops.secrets."chaos-consulting/user".path})\"";
# mlat-client-chaos-consulting needs ssl
services.stunnel = {
enable = true;
clients.mlat-client-chaos-consulting = {
accept = "127.0.0.1:3334";
connect = "mlat.chaos-consulting.de:3334";
verifyChain = false;
verifyPeer = false;
};
};
users.users.sbs2json = {
isSystemUser = true;
group = "adsb";
};
# SHIM because readsb has no web server like dump1090
systemd.services.sbs2json = {
wantedBy = [ "multi-user.target" ];
requires = [ "readsb.service" ];
serviceConfig = {
ExecStart = "${pkgs.heliwatch.http-json}/bin/http-json";
User = "sbs2json";
Group = "adsb";
ProtectSystem = "full";
ProtectHome = true;
Restart = "always";
RestartSec = "10s";
};
};
systemd.services.feed-chaos-consulting = {
wantedBy = [ "multi-user.target" ];
requires = [ "sbs2json.service" ];
serviceConfig = {
User = "mlat-client";
Group = "adsb";
ProtectHome = true;
Restart = "always";
RestartSec = "10s";
};
path = with pkgs; [ curl gzip ];
script = ''
while (
echo '{"now":'
date +%s
echo ',"aircraft":'
curl -s http://localhost:8080/data.json
echo '}'
) \
| gzip -c \
| curl -s \
-u "$(cat ${config.sops.secrets."chaos-consulting/user".path})" \
-X POST \
-H "Content-type: application/json" \
-H "Content-encoding: gzip" \
--data-binary @- \
https://adsb.chaos-consulting.de/aircraftin/index.php
do
sleep 1
done
'';
};
users.users.dump1090-influxdb = {
isSystemUser = true;
group = "adsb";
};
systemd.services.dump1090-influxdb = {
wantedBy = [ "multi-user.target" ];
requires = [ "readsb.service" ];
serviceConfig = {
ExecStart = "${pkgs.dump1090-influxdb}/bin/dump1090-influxdb";
User = "dump1090-influxdb";
Group = "adsb";
ProtectSystem = "full";
ProtectHome = true;
Restart = "always";
RestartSec = "10s";
};
};
services.collectd.plugins.exec = ''
Exec "${config.services.collectd.user}" "${pkgs.heliwatch.collectd-stats}/bin/collectd-stats"
'';
environment.systemPackages = with pkgs; [
readsb
];
sops.secrets = {
"chaos-consulting/user".owner = "mlat-client";
};
users = {
groups.adsb = {};
users = {
dump1090-influxdb = {
isSystemUser = true;
group = "adsb";
};
mlat-client = {
isSystemUser = true;
group = "adsb";
};
readsb = {
isSystemUser = true;
group = "adsb";
};
sbs2json = {
isSystemUser = true;
group = "adsb";
};
};
};
systemd.services = {
dump1090-influxdb = {
wantedBy = [ "multi-user.target" ];
requires = [ "readsb.service" ];
serviceConfig = {
ExecStart = "${pkgs.dump1090-influxdb}/bin/dump1090-influxdb";
User = "dump1090-influxdb";
Group = "adsb";
ProtectSystem = "full";
ProtectHome = true;
Restart = "always";
RestartSec = "10s";
};
};
feed-chaos-consulting = {
wantedBy = [ "multi-user.target" ];
requires = [ "sbs2json.service" ];
serviceConfig = {
User = "mlat-client";
Group = "adsb";
ProtectHome = true;
Restart = "always";
RestartSec = "10s";
};
path = with pkgs; [ curl gzip ];
script = ''
while (
echo '{"now":'
date +%s
echo ',"aircraft":'
curl -s http://localhost:8080/data.json
echo '}'
) \
| gzip -c \
| curl -s \
-u "$(cat ${config.sops.secrets."chaos-consulting/user".path})" \
-X POST \
-H "Content-type: application/json" \
-H "Content-encoding: gzip" \
--data-binary @- \
https://adsb.chaos-consulting.de/aircraftin/index.php
do
sleep 1
done
'';
};
# Feeds adsbexchange.com, test at https://www.adsbexchange.com/myip/
mlat-client-adsbexchange = makeMlatClientService "--server feed.adsbexchange.com:31090 --user C3D2";
# Feeds https://adsb.chaos-consulting.de/map/
mlat-client-chaos-consulting = makeMlatClientService "--server ${config.services.stunnel.clients.mlat-client-chaos-consulting.accept} --user \"$(cat ${config.sops.secrets."chaos-consulting/user".path})\"";
readsb = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.readsb}/bin/readsb --modeac --aggressive --fix --stats-range --dcfilter --quiet --gain=-10 --lon=${lon} --lat=${lat} --net --net-ro-port=30002 --net-sbs-port=30003 --net-bo-port=30005 --net-vrs-port=30006 --net-beast-reduce-interval 1 --net-connector feed.adsbexchange.com,30005,beast_reduce_out";
User = "readsb";
Group = "adsb";
ProtectSystem = "full";
ProtectHome = true;
Restart = "always";
RestartSec = "10s";
};
};
# SHIM because readsb has no web server like dump1090
sbs2json = {
wantedBy = [ "multi-user.t