From aaddec81945750222721659be65ecd6bf2503c6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Sun, 12 Jun 2022 17:26:32 +0200
Subject: [PATCH] The big format and cleanup
---
config/audio-server/default.nix | 9 +-
config/c3d2.nix | 4 +-
config/logging.nix | 7 +-
config/lxc-container.nix | 129 ++++++++---------
config/shared.nix | 10 +-
hosts/dacbert/default.nix | 114 +++++++--------
hosts/glotzbert/default.nix | 56 ++++----
hosts/hydra/default.nix | 4 -
hosts/hydra/hydra.nix | 27 ++--
hosts/hydra/updater.nix | 85 ++++++------
hosts/pulsebert/default.nix | 178 ++++++++++++------------
hosts/radiobert/base.nix | 121 ----------------
hosts/radiobert/default.nix | 122 +++++++++++++++-
hosts/radiobert/readsb.nix | 238 +++++++++++++++++---------------
hosts/radiobert/soapysdr.nix | 11 +-
hosts/rpi-netboot/default.nix | 160 ++++++++++-----------
hosts/server10/default.nix | 70 +++++-----
hosts/server10/network.nix | 8 +-
hosts/storage-ng/default.nix | 110 ++++++++-------
hosts/storage-ng/streamdump.nix | 3 +-
modules/c3d2.nix | 1 -
modules/default.nix | 13 +-
modules/nncp.nix | 6 +-
modules/pi-sensors.nix | 1 +
modules/rpi-netboot.nix | 2 +
nix-maintenance.sh | 3 +-
overlay/bmxd.nix | 34 ++---
overlay/dump1090_rs.nix | 4 +
overlay/pile.nix | 4 +
overlay/readsb.nix | 6 +-
overlay/simpleygggen.nix | 6 +-
proxmox/nixprox.sh | 23 +--
users.nix | 3 +-
33 files changed, 816 insertions(+), 756 deletions(-)
diff --git a/config/audio-server/default.nix b/config/audio-server/default.nix
index a4ab4e8d..eb0739ce 100644
--- a/config/audio-server/default.nix
+++ b/config/audio-server/default.nix
@@ -1,11 +1,11 @@ { config, lib, pkgs, ... }: + { - options.c3d2.audioServer = with lib; { - enable = mkEnableOption "Enable PulseAudio and Bluetooth sinks"; + options.c3d2.audioServer = { + enable = lib.mkEnableOption "Enable PulseAudio and Bluetooth sinks"; }; config = lib.mkIf config.c3d2.audioServer.enable { - # Enable sound. sound.enable = true; hardware.bluetooth = { enable = lib.mkDefault true; @@ -30,12 +30,15 @@ zeroconf.publish.enable = true; package = pkgs.pulseaudioFull; }; + + # TODO: configure system wide service #services.pipewire = { # enable = true; # alsa.enable = true; # config.pipewire-pulse = lib.importJSON ./pipewire-pulse.conf.json; # pulse.enable = true; #}; + security.rtkit.enable = true; # tell Avahi to publish CUPS and PulseAudio diff --git a/config/c3d2.nix b/config/c3d2.nix index 6f5475a9..3a20bb5b 100644 --- a/config/c3d2.nix +++ b/config/c3d2.nix @@ -3,8 +3,8 @@ { config, options, lib, pkgs, ... }: let - hqPrefix64 = "fd23:42:c3d2:523"; # TODO: Is this stable? Is there a better place to specifiy this? + hqPrefix64 = "fd23:42:c3d2:523"; # Generate a deterministic IPv6 address for a 64 bit prefix # and seed string. Prefix must not contain trailing ':'. @@ -20,7 +20,6 @@ let toHqPrivateAddress = toIpv6Address hqPrefix64; in { - imports = [ ./stats.nix ./audio-server @@ -34,7 +33,6 @@ in { mkIfIsInHq = x: lib.mkIf cfg.isInHq (lib.mkDefault x); in { # Configuration specific to this machine - assertions = [ { assertion = cfg.isInHq -> (config.users.users.root.password == null); diff --git a/config/logging.nix b/config/logging.nix index 293048a5..4d262608 100644 --- a/config/logging.nix +++ b/config/logging.nix @@ -51,7 +51,8 @@ in { ''; }; - services.prometheus.exporters.node.enable = true; - services.prometheus.exporters.node.openFirewall = true; - + services.prometheus.exporters.node = { + enable = true; + openFirewall = true; + }; } diff --git a/config/lxc-container.nix b/config/lxc-container.nix index e0d85828..cca201b8 100644 
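Review bot: In the config/c3d2.nix hunk the open question attached to `hqPrefix64` ("Is this stable? Is there a better place to specify this?") is deleted without being answered, so the next reader no longer knows the prefix was ever in doubt. If the prefix is now considered fixed, say so in place of the TODO, e.g. `hqPrefix64 = "fd23:42:c3d2:523"; # HQ ULA /64, stable; used to derive per-host addresses below`; if it is still uncertain, keep the TODO.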
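Review bot: The regrouped `services.prometheus.exporters.node` block in config/logging.nix keeps `openFirewall = true;` with no indication of which networks are meant to reach the exporter, and this file is imported by shared.nix, so every host inherits the opening. Since the commit is touching exactly these lines, a one-line comment would make the intent reviewable, e.g. `openFirewall = true; # exporter is scraped from the stats host; reachable on all interfaces`, or the reachability could be narrowed if only one scraper needs it.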
--- a/config/lxc-container.nix
+++ b/config/lxc-container.nix
@@ -6,42 +6,78 @@ (modulesPath + "/profiles/docker-container.nix") ]; - networking.networkmanager.dns = "unbound"; - networking.useHostResolvConf = false; + boot = { + isContainer = true; + loader = { + grub.enable = false; + # /sbin/init + initScript.enable = true; + }; + }; + environment.etc."resolv.conf".text = lib.concatMapStrings (ns: '' nameserver ${ns} '') config.networking.nameservers; - nix.useSandbox = false; - nix.maxJobs = lib.mkDefault 1; - nix.buildCores = lib.mkDefault 4; - networking.useNetworkd = true; - networking.useDHCP = false; - services.resolved.enable = false; - networking.nameservers = [ - hostRegistry.hosts.dnscache.ip4 - hostRegistry.hosts.dnscache.ip6 - "9.9.9.9" - ]; - - networking.interfaces.eth0 = { - useDHCP = false; - tempAddress = "disabled"; + fileSystems."/" = { + fsType = "rootfs"; + device = "rootfs"; }; - systemd.network.networks."40-eth0" - .networkConfig = { - IPv6AcceptRA = true; - LinkLocalAddressing = "ipv6"; + + nix = { + useSandbox = false; + maxJobs = lib.mkDefault 1; + buildCores = lib.mkDefault 4; + }; + + networking = { + interfaces.eth0 = { + useDHCP = false; + tempAddress = "disabled"; }; + nameservers = with hostRegistry.hosts.dnscache; [ + ip4 + ip6 + "9.9.9.9" + ]; + networkmanager.dns = "unbound"; + useDHCP = false; + useHostResolvConf = false; + useNetworkd = true; + }; - boot.isContainer = true; + services = { + journalbeat = { + enable = false; + tags = [ "container" ]; + extraConfig = '' + journalbeat.inputs: + # Paths that should be crawled and fetched. Possible values files and directories. + # When setting a directory, all journals under it are merged. + # When empty starts to read from local journal. 
+ - paths: [] + journalbeat: + seek_position: cursor + cursor_seek_fallback: tail + write_cursor_state: true + cursor_flush_period: 5s + clean_field_names: true + convert_to_numbers: false + move_metadata_to_field: journal + default_type: journal + kernel: true + output.logstash: + # Boolean flag to enable or disable the output module. + enabled: true + hosts: ["${config.c3d2.hosts.logging.ip4}:5044"] + ''; + }; + # Required for remote deployment + openssh.enable = true; + resolved.enable = false; + }; - # /sbin/init - boot.loader.initScript.enable = true; - boot.loader.grub.enable = false; - - # Create a few files early before packing tarball for Proxmox - # architecture/OS detection. + # Create a few files early before packing tarball for Proxmox architecture/OS detection. system.extraSystemBuilderCmds = '' mkdir -m 0755 -p $out/bin ln -s ${pkgs.bash}/bin/bash $out/bin/sh @@ -49,39 +85,8 @@ ln -s ../init $out/sbin/init ''; - fileSystems."/" = { - fsType = "rootfs"; - device = "rootfs"; + systemd.network.networks."40-eth0".networkConfig = { + IPv6AcceptRA = true; + LinkLocalAddressing = "ipv6"; }; - - # add central logging - services.journalbeat = { - enable = false; - tags = [ "container" ]; - extraConfig = '' - journalbeat.inputs: - # Paths that should be crawled and fetched. Possible values files and directories. - # When setting a directory, all journals under it are merged. - # When empty starts to read from local journal. - - paths: [] - journalbeat: - seek_position: cursor - cursor_seek_fallback: tail - write_cursor_state: true - cursor_flush_period: 5s - clean_field_names: true - convert_to_numbers: false - move_metadata_to_field: journal - default_type: journal - kernel: true - output.logstash: - # Boolean flag to enable or disable the output module. - enabled: true - hosts: ["${config.c3d2.hosts.logging.ip4}:5044"] - ''; - }; - - # Required for remote deployment - services.openssh.enable = true; - } 
diff --git a/config/shared.nix b/config/shared.nix index ef03fbcc..9bc5c3ee 100644 --- a/config/shared.nix +++ b/config/shared.nix @@ -2,11 +2,15 @@ { imports = [ ./logging.nix ]; - # Set your time zone. + time.timeZone = "Europe/Berlin"; - # Select internationalisation properties. + i18n = { defaultLocale = "en_US.UTF-8"; - supportedLocales = lib.mkForce [ "en_US.UTF-8/UTF-8" "de_DE.UTF-8/UTF-8" ]; + supportedLocales = lib.mkForce [ + "en_US.UTF-8/UTF-8" + "de_DE.UTF-8/UTF-8" + "C.UTF-8/UTF-8" + ]; }; } diff --git a/hosts/dacbert/default.nix b/hosts/dacbert/default.nix index e8699651..c99e8d5a 100644 --- a/hosts/dacbert/default.nix +++ b/hosts/dacbert/default.nix @@ -1,6 +1,15 @@ { hostRegistry, config, lib, pkgs, modulesPath, ... }: { + c3d2 = { + isInHq = true; + mergeHostsFile = true; + hq.interface = "eth0"; + hq.statistics.enable = true; + audioServer.enable = true; + k-ot.enable = true; + }; + hardware.enableRedistributableFirmware = true; powerManagement.cpuFreqGovernor = lib.mkDefault "performance"; @@ -9,6 +18,7 @@ # prevent kernel install fail due to missing modules pkgs.makeModulesClosure (x // { allowMissing = true; }); }; + boot = { loader = { raspberryPi = { @@ -38,15 +48,6 @@ options = [ "nfsvers=3" "proto=tcp" "nolock" "hard" "async" "rw" ]; }; - c3d2 = { - isInHq = true; - mergeHostsFile = true; - hq.interface = "eth0"; - hq.statistics.enable = true; - audioServer.enable = true; - k-ot.enable = true; - }; - networking = { hostName = "dacbert"; # Define your hostname. useDHCP = false; @@ -65,13 +66,6 @@ daemonCPUSchedPolicy = "idle"; daemonIOSchedClass = "idle"; }; - systemd.services.nix-daemon.serviceConfig = { - LimitNOFILE = lib.mkForce 8192; - CPUWeight = 5; - MemoryHigh = "4G"; - MemoryMax = "6G"; - MemorySwapMax = "0"; - }; environment.systemPackages = with pkgs; [ libraspberrypi 
@@ -92,15 +86,6 @@ programs.tmux.enable = true; - # Do not log to flash: - services.journald.extraConfig = '' - Storage=volatile - ''; - - # Enable the OpenSSH daemon. - services.openssh = { - enable = true; - }; security.sudo = { enable = true; wheelNeedsPassword = false; 
@@ -112,41 +97,60 @@ keyMap = "de"; }; - # Enable the X11 windowing system. - services.xserver.enable = true; - services.xserver.layout = "de"; - services.xserver.xkbOptions = "eurosign:e"; + services = { + # Do not log to flash: + journald.extraConfig = '' + Storage=volatile + ''; - services.xserver.displayManager = { - lightdm = { enable = true; }; - autoLogin = { + openssh = { enable = true; - user = "k-ot"; }; - defaultSession = "gnome-xorg"; - }; - services.xserver.desktopManager = { - gnome.enable = true; - # kodi.enable = true; - }; - systemd.user.services.x11vnc = { - description = "X11 VNC server"; - wantedBy = [ "graphical-session.target" ]; - partOf = [ "graphical-session.target" ]; - serviceConfig = { - ExecStart = '' - ${pkgs.x11vnc}/bin/x11vnc -shared -forever -passwd k-ot - ''; - RestartSec = 3; - Restart = "always"; + + xserver = { + enable = true; + layout = "de"; + xkbOptions = "eurosign:e"; + }; + }; + + services.xserver = { + desktopManager = { + gnome.enable = true; + }; + + displayManager = { + lightdm = { enable = true; }; + autoLogin = { + enable = true; + user = "k-ot"; + }; + defaultSession = "gnome-xorg"; + }; + }; + + systemd = { + services.nix-daemon.serviceConfig = { + LimitNOFILE = lib.mkForce 8192; + CPUWeight = 5; + MemoryHigh = "4G"; + MemoryMax = "6G"; + MemorySwapMax = "0"; + }; + + user.services.x11vnc = { + description = "X11 VNC server"; + wantedBy = [ "graphical-session.target" ]; + partOf = [ "graphical-session.target" ]; + serviceConfig = { + ExecStart = '' + ${pkgs.x11vnc}/bin/x11vnc -shared -forever -passwd k-ot + ''; + RestartSec = 3; + Restart = "always"; + }; }; }; - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. 
- # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "21.05"; # Did you read the comment? } diff --git a/hosts/glotzbert/default.nix b/hosts/glotzbert/default.nix index 21b5fbc9..43262239 100644 --- a/hosts/glotzbert/default.nix +++ b/hosts/glotzbert/default.nix @@ -13,6 +13,7 @@ }; nixpkgs.config.allowUnfree = true; + nix = { useSandbox = true; buildCores = 4; @@ -21,10 +22,13 @@ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - boot.kernelPackages = pkgs.linuxPackages_latest; + boot = { + loader = { + efi.canTouchEfiVariables = true; + systemd-boot.enable = true; + }; + kernelPackages = pkgs.linuxPackages_latest; + }; networking.hostName = "glotzbert"; # Define your hostname. networking.interfaces.eno1.useDHCP = true; @@ -34,6 +38,7 @@ font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz"; keyMap = "de"; }; + i18n.defaultLocale = "en_US.UTF-8"; environment.systemPackages = with pkgs; [ @@ -70,8 +75,10 @@ # Users must be in "audio" group systemWide = true; support32Bit = true; - zeroconf.discovery.enable = true; - zeroconf.publish.enable = true; + zeroconf = { + discovery.enable = true; + publish.enable = true; + }; tcp = { enable = true; anonymousClients.allowAll = true; 
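Review bot: `services.xserver` ends up defined in two places in this hunk — `xserver = { enable … xkbOptions … }` inside the `services = { … }` block, then a separate `services.xserver = { desktopManager … displayManager … }` literal — and the glotzbert hunk later in this patch splits it into two consecutive `services.xserver = { … }` literals. As far as I know Nix merges attribute-set literals on the same path, so this still evaluates, but it undoes the grouping the commit sets out to do; fold `desktopManager` and `displayManager` into the single `xserver = { … }` entry under `services` in both files. While the x11vnc unit is being moved, note that it still passes the VNC password on the command line (`-passwd k-ot`), which is visible to any local process via the process list; reading it from a root-owned file with `-passwdfile` would keep it out of `ps` output.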
@@ -85,21 +92,25 @@ }; # Enable the X11 windowing system. - services.xserver.enable = true; - services.xserver.layout = "de"; - services.xserver.xkbOptions = "eurosign:e"; - - services.xserver.displayManager = { - lightdm = { enable = true; }; - autoLogin = { - enable = true; - user = "k-ot"; - }; - defaultSession = "gnome-xorg"; + services.xserver = { + enable = true; + layout = "de"; + xkbOptions = "eurosign:e"; }; - services.xserver.desktopManager = { - gnome.enable = true; - kodi.enable = true; + + services.xserver = { + displayManager = { + lightdm = { enable = true; }; + autoLogin = { + enable = true; + user = "k-ot"; + }; + defaultSession = "gnome-xorg"; + }; + desktopManager = { + gnome.enable = true; + kodi.enable = true; + }; }; security.sudo = { @@ -113,10 +124,5 @@ extraGroups = [ "networkmanager" ]; }; - # This value determines the NixOS release with which your system is to be - # compatible, in order to avoid breaking some software such as database - # servers. You should change this only after NixOS release notes say you - # should. system.stateVersion = "18.09"; # Did you read the comment? - } diff --git a/hosts/hydra/default.nix b/hosts/hydra/default.nix index a7dd916e..0d04151a 100644 --- a/hosts/hydra/default.nix +++ b/hosts/hydra/default.nix @@ -60,9 +60,5 @@ c3d2.hq.statistics.enable = true; - # This value determines the NixOS release with which your system is to be - # compatible, in order to avoid breaking some software such as database - # servers. You should change this only after NixOS release notes say you - # should. system.stateVersion = "20.09"; # Did you read the comment? } diff --git a/hosts/hydra/hydra.nix b/hosts/hydra/hydra.nix index f3584c79..338560f0 100644 --- a/hosts/hydra/hydra.nix +++ b/hosts/hydra/hydra.nix 
@@ -43,18 +43,21 @@ in { evaluator_max_memory_size = 2048 ''; }; - systemd.services.hydra-evaluator.serviceConfig = { - CPUWeight = 2; - MemoryHigh = "32G"; - MemoryMax = "32G"; - MemorySwapMax = "16G"; - }; - systemd.services.nix-daemon.serviceConfig = { - LimitNOFILE = lib.mkForce 8192; - CPUWeight = 5; - MemoryHigh = "32G"; - MemoryMax = "32G"; - MemorySwapMax = "16G"; + + systemd.services = { + hydra-evaluator.serviceConfig = { + CPUWeight = 2; + MemoryHigh = "32G"; + MemoryMax = "32G"; + MemorySwapMax = "16G"; + }; + services.nix-daemon.serviceConfig = { + LimitNOFILE = lib.mkForce 8192; + CPUWeight = 5; + MemoryHigh = "32G"; + MemoryMax = "32G"; + MemorySwapMax = "16G"; + }; }; services.nginx = diff --git a/hosts/hydra/updater.nix b/hosts/hydra/updater.nix index b5ed972e..437935cf 100644 --- a/hosts/hydra/updater.nix +++ b/hosts/hydra/updater.nix 
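Review bot: `services.nix-daemon.serviceConfig = {` is now nested inside `systemd.services = { … }`, so it defines `systemd.services.services.nix-daemon` rather than `systemd.services.nix-daemon`; the `LimitNOFILE`, `CPUWeight` and `Memory*` limits would no longer apply to nix-daemon, and the stray unit named `services` would likely fail evaluation because `nix-daemon` is not a systemd service option. It should read `nix-daemon.serviceConfig = {` to match the sibling `hydra-evaluator.serviceConfig` entry.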
@@ -1,49 +1,52 @@ { config, pkgs, ... }: { # Build user - users.groups.updater = {}; - users.users.updater = { - isSystemUser = true; - group = "updater"; - home = "/var/lib/updater"; - }; - - systemd.tmpfiles.rules = [ - # needs to be provisioned with ssh privkey - "d ${config.users.users.updater.home} 0700 updater ${config.users.users.updater.group} -" - ]; - - # Timer-triggered service that updates flake.lock and pushes to a - # branch to be picked up by Hydra. - systemd.services.updater = { - wantedBy = [ "multi-user.target" ]; - path = with pkgs; [ git nixFlakes curl openssh ]; - script = '' - git config --global user.email "astro@spaceboyz.net" - git config --global user.name "Astrobot" - - TEMP=$(mktemp -d) - cd $TEMP - - git clone --depth=1 --single-branch gitea@gitea.c3d2.de:C3D2/nix-config.git - cd nix-config - nix flake update --commit-lock-file - - git push -f origin HEAD:flake-update - ''; - serviceConfig = { - User = "updater"; - Group = config.users.users.updater.group; - PrivateTmp = true; - ProtectSystem = "full"; + users = { + groups.updater = {}; + users.updater = { + isSystemUser = true; + group = "updater"; + home = "/var/lib/updater"; }; }; - systemd.timers.updater = { - partOf = [ "updater.service" ]; - wantedBy = [ "timers.target" ]; - # update flake.lock daily at 10am so that systems are freshly - # built by afternoon - timerConfig.OnCalendar = "10:00"; + systemd = { + # Timer-triggered service that updates flake.lock and pushes to a branch to be picked up by Hydra. 
+ services.updater = { + wantedBy = [ "multi-user.target" ]; + path = with pkgs; [ git nixFlakes curl openssh ]; + script = '' + git config --global user.email "astro@spaceboyz.net" + git config --global user.name "Astrobot" + + TEMP=$(mktemp -d) + cd $TEMP + + git clone --depth=1 --single-branch gitea@gitea.c3d2.de:C3D2/nix-config.git + cd nix-config + nix flake update --commit-lock-file + + git push -f origin HEAD:flake-update + ''; + serviceConfig = { + User = "updater"; + Group = config.users.users.updater.group; + PrivateTmp = true; + ProtectSystem = "full"; + }; + }; + + timers.updater = { + partOf = [ "updater.service" ]; + wantedBy = [ "timers.target" ]; + # update flake.lock daily at 10am so that systems are freshly + # built by afternoon + timerConfig.OnCalendar = "10:00"; + }; + + tmpfiles.rules = [ + # needs to be provisioned with ssh privkey + "d ${config.users.users.updater.home} 0700 updater ${config.users.users.updater.group} -" + ]; }; } diff --git a/hosts/pulsebert/default.nix b/hosts/pulsebert/default.nix index bfb8dc82..65b337ac 100644 --- a/hosts/pulsebert/default.nix +++ b/hosts/pulsebert/default.nix @@ -5,10 +5,18 @@ let in { imports = [ - # Include the results of the hardware scan. ./hardware-configuration.nix ]; + c3d2 = { + isInHq = true; + mergeHostsFile = true; + hq.interface = "eth0"; + hq.statistics.enable = true; + k-ot.enable = true; + audioServer.enable = true; + }; + boot = { loader = { grub.enable = false; @@ -24,23 +32,18 @@ in kernelParams = [ "console=tty0" ]; tmpOnTmpfs = true; }; + hardware.deviceTree = { enable = true; kernelPackage = config.boot.kernelPackages.kernel; }; + nixpkgs.config.packageOverrides = pkgs: { makeModulesClosure = x: # prevent kernel install fail due to missing modules pkgs.makeModulesClosure (x // { allowMissing = true; }); }; - c3d2 = { - isInHq = true; - mergeHostsFile = true; - hq.interface = "eth0"; - hq.statistics.enable = true; - }; - nix = { buildCores = 4; maxJobs = 2; 
@@ -69,104 +72,101 @@ in programs.tmux.enable = true; - # Do not log to flash: - services.journald.extraConfig = '' - Storage=volatile - ''; - - # Enable the OpenSSH daemon. - services.openssh = { - enable = true; - }; security.sudo = { enable = true; wheelNeedsPassword = false; }; - c3d2.k-ot.enable = true; - c3d2.audioServer.enable = true; # quirk for this pi3 systemd.services.bluetooth.serviceConfig = { Restart = "always"; RestartSec = "1s"; }; - services.nginx = { - enable = true; - #recommendedGzipSettings = true; - recommendedProxySettings = true; - virtualHosts = { - "drkkr.hq.c3d2.de" = { - default = true; - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString octoprintPort}"; - proxyWebsockets = true; - extraConfig = '' - proxy_set_header X-Scheme $scheme; - proxy_set_header Accept-Encoding identity; - client_max_body_size 2000M; - ''; - }; - locations."/cam/stream" = { - proxyPass = "http://localhost:3020/?action=stream"; - extraConfig = "proxy_pass_request_headers off;"; - }; - locations."/cam/capture" = { - proxyPass = "http://localhost:3020/?action=snapshot"; - extraConfig = "proxy_pass_request_headers off;"; + users.users = { + # Allow access to printer serial port and GPIO + "${config.services.octoprint.user}".extraGroups = [ "dialout" "gpio" ]; + # Allow gpio group to access GPIO devices + gpio = { }; + }; + + services = { + # Do not log to flash: + journald.extraConfig = '' + Storage=volatile + ''; + + openssh = { + enable = true; + }; + + mjpg-streamer = { + enable = true; + inputPlugin = "input_uvc.so -d /dev/v4l/by-id/usb-046d_0817_4B7115A0-video-index0 -r 640x480 -f 30 -pl 50hz -ex auto"; + outputPlugin = "output_http.so -p 3020"; + }; + + nginx = { + enable = true; + #recommendedGzipSettings = true; + recommendedProxySettings = true; + virtualHosts = { + "drkkr.hq.c3d2.de" = { + default = true; + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString 
octoprintPort}"; + proxyWebsockets = true; + extraConfig = '' + proxy_set_header X-Scheme $scheme; + proxy_set_header Accept-Encoding identity; + client_max_body_size 2000M; + ''; + }; + locations."/cam/stream" = { + proxyPass = "http://localhost:3020/?action=stream"; + extraConfig = "proxy_pass_request_headers off;"; + }; + locations."/cam/capture" = { + proxyPass = "http://localhost:3020/?action=snapshot"; + extraConfig = "proxy_pass_request_headers off;"; + }; }; }; }; - }; - services.octoprint = rec { - enable = true; - port = octoprintPort; - extraConfig.webcam = { - snapshot = "http://localhost:3020?action=snapshot"; - stream = "https://drkkr.hq.c3d2.de/cam/stream"; + + octoprint = rec { + enable = true; + port = octoprintPort; + extraConfig.webcam = { + snapshot = "http://localhost:3020?action=snapshot"; + stream = "https://drkkr.hq.c3d2.de/cam/stream"; + }; + # plugins = let + # python = pkgs.octoprint.python; + + # octoprint-filament-sensor-universal = python.pkgs.buildPythonPackage rec { + # pname = "OctoPrint-Filament-Sensor-Universal"; + # version = "1.0.0"; + + # src = pkgs.fetchFromGitHub { + # owner = "lopsided98"; + # repo = pname; + # rev = "8a72696867a9a008c5a79b49a9b029a4fc426720"; + # sha256 = "1a7lzmjbwx47qhrkjp3hggiwnx172x4axcz0labm9by17zxlsimr"; + # }; + + # propagatedBuildInputs = [ pkgs.octoprint python.pkgs.libgpiod ]; + # }; + # #in p: [ octoprint-filament-sensor-universal ]; + # in p: []; }; - # plugins = let - # python = pkgs.octoprint.python; - # octoprint-filament-sensor-universal = python.pkgs.buildPythonPackage rec { - # pname = "OctoPrint-Filament-Sensor-Universal"; - # version = "1.0.0"; - - # src = pkgs.fetchFromGitHub { - # owner = "lopsided98"; - # repo = pname; - # rev = "8a72696867a9a008c5a79b49a9b029a4fc426720"; - # sha256 = "1a7lzmjbwx47qhrkjp3hggiwnx172x4axcz0labm9by17zxlsimr"; - # }; - - # propagatedBuildInputs = [ pkgs.octoprint python.pkgs.libgpiod ]; - # }; - # #in p: [ octoprint-filament-sensor-universal ]; - # in p: 
[]; + udev.extraRules = '' + KERNEL=="gpiochip*", GROUP="gpio", MODE="0660" + ''; }; - # Allow access to printer serial port and GPIO - users.users."${config.services.octoprint.user}".extraGroups = [ "dialout" "gpio" ]; - - services.mjpg-streamer = { - enable = true; - inputPlugin = "input_uvc.so -d /dev/v4l/by-id/usb-046d_0817_4B7115A0-video-index0 -r 640x480 -f 30 -pl 50hz -ex auto"; - outputPlugin = "output_http.so -p 3020"; - }; - - # Allow gpio group to access GPIO devices - users.groups.gpio = { }; - services.udev.extraRules = '' - KERNEL=="gpiochip*", GROUP="gpio", MODE="0660" - ''; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "21.05"; # Did you read the comment? } diff --git a/hosts/radiobert/base.nix b/hosts/radiobert/base.nix index 03bb350a..e69de29b 100644 --- a/hosts/radiobert/base.nix +++ b/hosts/radiobert/base.nix 
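Review bot: `gpio = { };` has moved from `users.groups` into the new `users.users = { … }` block, so it now declares a user called gpio instead of the gpio group that the comment, `extraGroups = [ "dialout" "gpio" ]` and the udev rule `GROUP="gpio"` depend on; current NixOS also rejects a user that sets neither isSystemUser nor isNormalUser. Keep the group, e.g. `users = { groups.gpio = { }; users."${config.services.octoprint.user}".extraGroups = [ "dialout" "gpio" ]; };`, mirroring how the updater.nix hunk in this patch keeps `groups.updater` beside `users.updater`.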
@@ -1,121 +0,0 @@ -{ zentralwerk, config, lib, pkgs, ... }: - -{ - boot.initrd.availableKernelModules = [ "usbhid" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = { - device = "/dev/disk/by-label/NIXOS_SD"; - fsType = "ext4"; - }; - - fileSystems."/boot/firmware" = { - device = "/dev/disk/by-label/FIRMWARE"; - fsType = "vfat"; - }; - - swapDevices = [ ]; - - hardware.enableRedistributableFirmware = true; - #networking.wireless.enable = true; - hardware.deviceTree.enable = false; - powerManagement.cpuFreqGovernor = lib.mkDefault "performance"; - - boot = { - loader = { - grub.enable = false; - raspberryPi = { - enable = true; - version = 4; - # TODO: this machine actually has u-boot setup but that's no - # longer working with nixos-22.05. DO NOT REBOOT! :-) - # https://github.com/NixOS/nixpkgs/pull/112677 - # uboot.enable = true; - firmwareConfig = '' - gpu_mem=192 - dtparam=audio=on - ''; - }; - }; - kernelPackages = pkgs.linuxPackages_latest; - # No ZFS on latest kernel: - supportedFilesystems = lib.mkForce [ "vfat" "ext4" ]; - - tmpOnTmpfs = true; - }; - nixpkgs.config.packageOverrides = pkgs: { - makeModulesClosure = x: - # prevent kernel install fail due to missing modules - pkgs.makeModulesClosure (x // { allowMissing = true; }); - }; - - c3d2 = { - isInHq = false; - hq.statistics.enable = true; - pi-sensors = if true then [] else [ { - type = "dht22"; - pin = 17; - location = "Schrank"; - } { - type = "dht22"; - pin = 23; - location = "Aussen"; - } ]; - - # unless you automate walking up to the roof, do never enable - # automatic updates for this machine! - autoUpdate = lib.mkForce false; - }; - - nix = { - buildCores = 4; - maxJobs = 2; - }; - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - - networking = { - hostName = "radiobert"; # Define your hostname. 
- useDHCP = false; - interfaces.eth0.ipv4.addresses = [{ - address = config.c3d2.hosts."${config.networking.hostName}".ip4; - prefixLength = zentralwerk.lib.config.site.net.serv.subnet4Len; - }]; - defaultGateway = "172.20.73.1"; - firewall.enable = false; - nameservers = [ "172.20.73.8" "9.9.9.9" ]; - }; - - environment.systemPackages = with pkgs; [ - libraspberrypi - raspberrypi-eeprom - vim - wget - ]; - - programs.tmux.enable = true; - - # Do not log to flash: - services.journald.extraConfig = '' - Storage=volatile - ''; - - # Enable the OpenSSH daemon. - services.openssh = { - enable = true; - }; - - # Allow access to USB - services.udev.extraRules = '' - SUBSYSTEM=="usb", MODE:="0666" - ''; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "21.05"; # Did you read the comment? -} diff --git a/hosts/radiobert/default.nix b/hosts/radiobert/default.nix index bf03fe3e..d879f7b7 100644 --- a/hosts/radiobert/default.nix +++ b/hosts/radiobert/default.nix 
@@ -1,7 +1,127 @@ +{ zentralwerk, config, lib, pkgs, ... }: + { imports = [ - ./base.nix ./soapysdr.nix ./readsb.nix ]; + + c3d2 = { + isInHq = false; + hq.statistics.enable = true; + pi-sensors = if true then [] else [ { + type = "dht22"; + pin = 17; + location = "Schrank"; + } { + type = "dht22"; + pin = 23; + location = "Aussen"; + } ]; + + # unless you automate walking up to the roof, do never enable + # automatic updates for this machine! + autoUpdate = lib.mkForce false; + }; + + boot = { + loader = { + grub.enable = false; + raspberryPi = { + enable = true; + version = 4; + # TODO: this machine actually has u-boot setup but that's no + # longer working with nixos-22.05. DO NOT REBOOT! :-) + # https://github.com/NixOS/nixpkgs/pull/112677 + # uboot.enable = true; + firmwareConfig = '' + gpu_mem=192 + dtparam=audio=on + ''; + }; + }; + + kernelPackages = pkgs.linuxPackages_latest; + # No ZFS on latest kernel: + supportedFilesystems = lib.mkForce [ "vfat" "ext4" ]; + + tmpOnTmpfs = true; + extraModulePackages = [ ]; + initrd = { + availableKernelModules = [ "usbhid" ]; + kernelModules = [ ]; + }; + kernelModules = [ ]; + }; + + fileSystems = { + "/" = { + device = "/dev/disk/by-label/NIXOS_SD"; + fsType = "ext4"; + }; + + "/boot/firmware" = { + device = "/dev/disk/by-label/FIRMWARE"; + fsType = "vfat"; + }; + }; + + swapDevices = [ ]; + + hardware = { + deviceTree.enable = false; + enableRedistributableFirmware = true; + }; + + powerManagement.cpuFreqGovernor = lib.mkDefault "performance"; + + nixpkgs.config.packageOverrides = pkgs: { + makeModulesClosure = x: + # prevent kernel install fail due to missing modules + pkgs.makeModulesClosure (x // { allowMissing = true; }); + }; + + nix = { + buildCores = 4; + maxJobs = 2; + }; + + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + + networking = { + hostName = "radiobert"; # Define your hostname. 
+ useDHCP = false; + interfaces.eth0.ipv4.addresses = [{ + address = config.c3d2.hosts."${config.networking.hostName}".ip4; + prefixLength = zentralwerk.lib.config.site.net.serv.subnet4Len; + }]; + defaultGateway = "172.20.73.1"; + firewall.enable = false; + nameservers = [ "172.20.73.8" "9.9.9.9" ]; + }; + + environment.systemPackages = with pkgs; [ + libraspberrypi + raspberrypi-eeprom + vim + wget + ]; + + programs.tmux.enable = true; + + services = { + # Do not log to flash: + journald.extraConfig = '' + Storage=volatile + ''; + openssh = { + enable = true; + }; + # Allow access to USB + udev.extraRules = '' + SUBSYSTEM=="usb", MODE:="0666" + ''; + }; + + system.stateVersion = "21.05"; # Did you read the comment? } diff --git a/hosts/radiobert/readsb.nix b/hosts/radiobert/readsb.nix index 67fbf8b8..7200e9ed 100644 --- a/hosts/radiobert/readsb.nix +++ b/hosts/radiobert/readsb.nix 
@@ -25,122 +25,132 @@ in { # no watching TV intended "dvb_usb_rtl28xxu" ]; - sops.secrets = { - "chaos-consulting/user".owner = "mlat-client"; - }; - users.users.readsb = { - isSystemUser = true; - group = "adsb"; - }; - users.groups.adsb = {}; - systemd.services.readsb = { - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - ExecStart = "${pkgs.readsb}/bin/readsb --modeac --aggressive --fix --stats-range --dcfilter --quiet --gain=-10 --lon=${lon} --lat=${lat} --net --net-ro-port=30002 --net-sbs-port=30003 --net-bo-port=30005 --net-vrs-port=30006 --net-beast-reduce-interval 1 --net-connector feed.adsbexchange.com,30005,beast_reduce_out"; - User = "readsb"; - Group = "adsb"; - ProtectSystem = "full"; - ProtectHome = true; - Restart = "always"; - RestartSec = "10s"; - }; - }; - - users.users.mlat-client = { - isSystemUser = true; - group = "adsb"; - }; - # Feeds adsbexchange.com, test at https://www.adsbexchange.com/myip/ - systemd.services.mlat-client-adsbexchange = makeMlatClientService "--server feed.adsbexchange.com:31090 --user C3D2"; - # Feeds https://adsb.chaos-consulting.de/map/ - systemd.services.mlat-client-chaos-consulting = makeMlatClientService "--server ${config.services.stunnel.clients.mlat-client-chaos-consulting.accept} --user \"$(cat ${config.sops.secrets."chaos-consulting/user".path})\""; - - # mlat-client-chaos-consulting needs ssl - services.stunnel = { - enable = true; - clients.mlat-client-chaos-consulting = { - accept = "127.0.0.1:3334"; - connect = "mlat.chaos-consulting.de:3334"; - verifyChain = false; - verifyPeer = false; - }; - }; - - users.users.sbs2json = { - isSystemUser = true; - group = "adsb"; - }; - # SHIM because readsb has no web server like dump1090 - systemd.services.sbs2json = { - wantedBy = [ "multi-user.target" ]; - requires = [ "readsb.service" ]; - serviceConfig = { - ExecStart = "${pkgs.heliwatch.http-json}/bin/http-json"; - User = "sbs2json"; - Group = "adsb"; - ProtectSystem = "full"; - ProtectHome = true; - 
Restart = "always"; - RestartSec = "10s"; - }; - }; - - systemd.services.feed-chaos-consulting = { - wantedBy = [ "multi-user.target" ]; - requires = [ "sbs2json.service" ]; - serviceConfig = { - User = "mlat-client"; - Group = "adsb"; - ProtectHome = true; - Restart = "always"; - RestartSec = "10s"; - }; - path = with pkgs; [ curl gzip ]; - script = '' - while ( - echo '{"now":' - date +%s - echo ',"aircraft":' - curl -s http://localhost:8080/data.json - echo '}' - ) \ - | gzip -c \ - | curl -s \ - -u "$(cat ${config.sops.secrets."chaos-consulting/user".path})" \ - -X POST \ - -H "Content-type: application/json" \ - -H "Content-encoding: gzip" \ - --data-binary @- \ - https://adsb.chaos-consulting.de/aircraftin/index.php - do - sleep 1 - done - ''; - }; - - users.users.dump1090-influxdb = { - isSystemUser = true; - group = "adsb"; - }; - systemd.services.dump1090-influxdb = { - wantedBy = [ "multi-user.target" ]; - requires = [ "readsb.service" ]; - serviceConfig = { - ExecStart = "${pkgs.dump1090-influxdb}/bin/dump1090-influxdb"; - User = "dump1090-influxdb"; - Group = "adsb"; - ProtectSystem = "full"; - ProtectHome = true; - Restart = "always"; - RestartSec = "10s"; - }; - }; - - services.collectd.plugins.exec = '' - Exec "${config.services.collectd.user}" "${pkgs.heliwatch.collectd-stats}/bin/collectd-stats" - ''; environment.systemPackages = with pkgs; [ readsb ]; + + sops.secrets = { + "chaos-consulting/user".owner = "mlat-client"; + }; + + users = { + groups.adsb = {}; + users = { + dump1090-influxdb = { + isSystemUser = true; + group = "adsb"; + }; + mlat-client = { + isSystemUser = true; + group = "adsb"; + }; + readsb = { + isSystemUser = true; + group = "adsb"; + }; + sbs2json = { + isSystemUser = true; + group = "adsb"; + }; + }; + }; + + systemd.services = { + dump1090-influxdb = { + wantedBy = [ "multi-user.target" ]; + requires = [ "readsb.service" ]; + serviceConfig = { + ExecStart = "${pkgs.dump1090-influxdb}/bin/dump1090-influxdb"; + User = 
"dump1090-influxdb"; + Group = "adsb"; + ProtectSystem = "full"; + ProtectHome = true; + Restart = "always"; + RestartSec = "10s"; + }; + }; + + feed-chaos-consulting = { + wantedBy = [ "multi-user.target" ]; + requires = [ "sbs2json.service" ]; + serviceConfig = { + User = "mlat-client"; + Group = "adsb"; + ProtectHome = true; + Restart = "always"; + RestartSec = "10s"; + }; + path = with pkgs; [ curl gzip ]; + script = '' + while ( + echo '{"now":' + date +%s + echo ',"aircraft":' + curl -s http://localhost:8080/data.json + echo '}' + ) \ + | gzip -c \ + | curl -s \ + -u "$(cat ${config.sops.secrets."chaos-consulting/user".path})" \ + -X POST \ + -H "Content-type: application/json" \ + -H "Content-encoding: gzip" \ + --data-binary @- \ + https://adsb.chaos-consulting.de/aircraftin/index.php + do + sleep 1 + done + ''; + }; + + # Feeds adsbexchange.com, test at https://www.adsbexchange.com/myip/ + mlat-client-adsbexchange = makeMlatClientService "--server feed.adsbexchange.com:31090 --user C3D2"; + # Feeds https://adsb.chaos-consulting.de/map/ + mlat-client-chaos-consulting = makeMlatClientService "--server ${config.services.stunnel.clients.mlat-client-chaos-consulting.accept} --user \"$(cat ${config.sops.secrets."chaos-consulting/user".path})\""; + + readsb = { + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${pkgs.readsb}/bin/readsb --modeac --aggressive --fix --stats-range --dcfilter --quiet --gain=-10 --lon=${lon} --lat=${lat} --net --net-ro-port=30002 --net-sbs-port=30003 --net-bo-port=30005 --net-vrs-port=30006 --net-beast-reduce-interval 1 --net-connector feed.adsbexchange.com,30005,beast_reduce_out"; + User = "readsb"; + Group = "adsb"; + ProtectSystem = "full"; + ProtectHome = true; + Restart = "always"; + RestartSec = "10s"; + }; + }; + + # SHIM because readsb has no web server like dump1090 + sbs2json = { + wantedBy = [ "multi-user.target" ]; + requires = [ "readsb.service" ]; + serviceConfig = { + ExecStart = 
"${pkgs.heliwatch.http-json}/bin/http-json"; + User = "sbs2json"; + Group = "adsb"; + ProtectSystem = "full"; + ProtectHome = true; + Restart = "always"; + RestartSec = "10s"; + }; + }; + }; + + services = { + collectd.plugins.exec = '' + Exec "${config.services.collectd.user}" "${pkgs.heliwatch.collectd-stats}/bin/collectd-stats" + ''; + # mlat-client-chaos-consulting needs ssl + stunnel = { + enable = true; + clients.mlat-client-chaos-consulting = { + accept = "127.0.0.1:3334"; + connect = "mlat.chaos-consulting.de:3334"; + verifyChain = false; + verifyPeer = false; + }; + }; + }; } diff --git a/hosts/radiobert/soapysdr.nix b/hosts/radiobert/soapysdr.nix index ba0a354d..5ab95409 100644 --- a/hosts/radiobert/soapysdr.nix +++ b/hosts/radiobert/soapysdr.nix @@ -6,11 +6,14 @@ hackrf ]; - users.users.soapysdr = { - isSystemUser = true; - group = "soapysdr"; + users = { + groups.soapysdr = {}; + users.soapysdr = { + isSystemUser = true; + group = "soapysdr"; + }; }; - users.groups.soapysdr = {}; + systemd.services.soapysdr-server = { wantedBy = [ "multi-user.target" ]; serviceConfig = { diff --git a/hosts/rpi-netboot/default.nix b/hosts/rpi-netboot/default.nix index 188e0438..97ed0a63 100644 --- a/hosts/rpi-netboot/default.nix +++ b/hosts/rpi-netboot/default.nix @@ -1,20 +1,6 @@ { hostRegistry, nixpkgs, config, lib, pkgs, modulesPath, ... }: { - boot.kernelParams = [ "verbose" ]; - - swapDevices = [ ]; - - hardware.enableRedistributableFirmware = true; - hardware.bluetooth.enable = true; - powerManagement.cpuFreqGovernor = lib.mkDefault "performance"; - - nixpkgs.config.packageOverrides = pkgs: { - makeModulesClosure = x: - # prevent kernel install fail due to missing modules - pkgs.makeModulesClosure (x // { allowMissing = true; }); - }; - c3d2 = { isInHq = true; mergeHostsFile = true; 
@@ -25,6 +11,23 @@ autoUpdate = false; }; + boot.kernelParams = [ "verbose" ]; + + swapDevices = [ ]; + + hardware = { + bluetooth.enable = true; + enableRedistributableFirmware = true; + }; + + powerManagement.cpuFreqGovernor = lib.mkDefault "performance"; + + nixpkgs.config.packageOverrides = pkgs: { + makeModulesClosure = x: + # prevent kernel install fail due to missing modules + pkgs.makeModulesClosure (x // { allowMissing = true; }); + }; + networking = { hostName = "rpi-netboot"; # Define your hostname. useDHCP = false; @@ -32,25 +35,26 @@ firewall.enable = false; }; - # mount the server's /nix/store - fileSystems."/nix/store" = { - device = "${hostRegistry.hosts.nix-build.ip4}:/nix/store"; - fsType = "nfs"; - options = [ "nfsvers=3" "proto=tcp" "nolock" "hard" "async" "ro" ]; - neededForBoot = true; - }; - # volatile system: everything is tmpfs - fileSystems."/" = { - fsType = "tmpfs"; - options = [ "mode=0755" ]; - }; - fileSystems."/etc" = { - fsType = "tmpfs"; - options = [ "mode=0755" ]; - }; - fileSystems."/var" = { - fsType = "tmpfs"; - options = [ "mode=0755" ]; + fileSystems = { + "/" = { + fsType = "tmpfs"; + options = [ "mode=0755" ]; + }; + "/etc" = { + fsType = "tmpfs"; + options = [ "mode=0755" ]; + }; + # mount the server's /nix/store + "/nix/store" = { + device = "${hostRegistry.hosts.nix-build.ip4}:/nix/store"; + fsType = "nfs"; + options = [ "nfsvers=3" "proto=tcp" "nolock" "hard" "async" "ro" ]; + neededForBoot = true; + }; + "/var" = { + fsType = "tmpfs"; + options = [ "mode=0755" ]; + }; }; environment.systemPackages = with pkgs; [ 
@@ -74,23 +78,8 @@ programs.tmux.enable = true; - systemd = { - # r/o /nix/store - services.nix-daemon.enable = false; - sockets.nix-daemon.enable = false; - services.nix-gc.enable = false; - }; nix.gc.automatic = lib.mkForce false; - # Do not log to flash: - services.journald.extraConfig = '' - Storage=volatile - ''; - - # Enable the OpenSSH daemon. - services.openssh = { - enable = true; - }; security.sudo = { enable = true; wheelNeedsPassword = false; 
@@ -102,41 +91,52 @@ keyMap = "de"; }; - # Enable the X11 windowing system. - services.xserver.enable = true; - services.xserver.layout = "de"; - services.xserver.xkbOptions = "eurosign:e"; + services.xserver = { + enable = true; + layout = "de"; + xkbOptions = "eurosign:e"; + }; - services.xserver.displayManager = { - lightdm = { enable = true; }; - autoLogin = { - enable = true; - user = "k-ot"; - }; - defaultSession = "gnome-xorg"; - }; - services.xserver.desktopManager = { - gnome.enable = true; - # kodi.enable = true; - }; - systemd.user.services.x11vnc = { - description = "X11 VNC server"; - wantedBy = [ "graphical-session.target" ]; - partOf = [ "graphical-session.target" ]; - serviceConfig = { - ExecStart = '' - ${pkgs.x11vnc}/bin/x11vnc -shared -forever -passwd k-ot - ''; - RestartSec = 3; - Restart = "always"; + services = { + # Do not log to flash + journald.extraConfig = '' + Storage=volatile + ''; + openssh.enable = true; + xserver = { + displayManager = { + lightdm.enable = true; + autoLogin = { + enable = true; + user = "k-ot"; + }; + defaultSession = "gnome-xorg"; + }; + desktopManager.gnome.enable = true; + }; + }; + + systemd = { + # r/o /nix/store + services = { + nix-daemon.enable = false; + nix-gc.enable = false + }; + sockets.nix-daemon.enable = false; + + user.services.x11vnc = { + description = "X11 VNC server"; + wantedBy = [ "graphical-session.target" ]; + partOf = [ "graphical-session.target" ]; + serviceConfig = { + ExecStart = '' + ${pkgs.x11vnc}/bin/x11vnc -shared -forever -passwd k-ot + ''; + RestartSec = 3; + Restart = "always"; + }; }; }; - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. 
man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "21.11"; # Did you read the comment? } diff --git a/hosts/server10/default.nix b/hosts/server10/default.nix index 5398d482..52fe74a7 100644 --- a/hosts/server10/default.nix +++ b/hosts/server10/default.nix 
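Review bot: `nix-gc.enable = false` inside the new `systemd.services` attrset is missing its terminating semicolon, so the restyled file will no longer evaluate — Nix rejects it with a syntax error at the following `}`; it should read `nix-gc.enable = false;`. The x11vnc unit carried over by the same hunk still embeds `-passwd k-ot` as a literal, which puts the VNC password in the world-readable Nix store on a host whose firewall is disabled in the earlier hunk; if the VNC server must stay reachable, `-passwdfile` pointing at a sops-managed file (or `-localhost` behind SSH forwarding) avoids that. The module this hunk closes begins before line 102 of the file and is not visible here.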
@@ -1,52 +1,44 @@ { config, pkgs, ... }: { - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ./network.nix - ./microvm-staging.nix - ./microvms.nix - ]; - - # Use the GRUB 2 boot loader. - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; - # boot.loader.grub.efiSupport = true; - # boot.loader.grub.efiInstallAsRemovable = true; - # boot.loader.efi.efiSysMountPoint = "/boot/efi"; - # Define on which hard drive you want to install Grub. - boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only - - # FIXME: Package ‘zfs-kernel-2.1.4-5.18’ is marked as broken - # boot.kernelPackages = pkgs.linuxPackages_latest; - # FIXME: kernel null ptr derefs - # boot.kernelPackages = pkgs.linuxPackages_5_17; - - boot.kernelParams = [ - "preempt=none" - # No server/router runs any untrusted user code - "mitigations=off" + imports = [ + ./hardware-configuration.nix + ./network.nix + ./microvm-staging.nix + ./microvms.nix ]; - boot.tmpOnTmpfs = true; - boot.tmpOnTmpfsSize = "80%"; - - networking.hostName = "server10"; # Define your hostname. - networking.hostId = "10101010"; + + c3d2.hq.statistics.enable = true; + + boot= { + loader.grub = { + enable = true; + version = 2; + device = "/dev/sda"; + }; + + # kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; + kernelParams = [ + "preempt=none" + # No server/router runs any untrusted user code + "mitigations=off" + ]; + tmpOnTmpfs = true; + tmpOnTmpfsSize = "80%"; + }; + + networking = { + hostName = "server10"; + # TODO: change that to something more random + hostId = "10101010"; + }; networking.firewall = { enable = true; allowedTCPPorts = [ 22 ]; }; + services.openssh.enable = true; - c3d2.hq.statistics.enable = true; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. 
It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "21.11"; # Did you read the comment? } diff --git a/hosts/server10/network.nix b/hosts/server10/network.nix index 2977c1e4..1729e502 100644 --- a/hosts/server10/network.nix +++ b/hosts/server10/network.nix @@ -19,10 +19,12 @@ in default = {}; }; }; - + config = { - networking.useDHCP = false; - networking.useNetworkd = true; + networking = { + useDHCP = false; + useNetworkd = true; + }; boot.kernelParams = [ # Prevents automatic creation of interface bond0 by the kernel diff --git a/hosts/storage-ng/default.nix b/hosts/storage-ng/default.nix index 9cdc509a..d0e0cf72 100644 --- a/hosts/storage-ng/default.nix +++ b/hosts/storage-ng/default.nix @@ -5,12 +5,8 @@ let in { imports = [ - # Include the results of the hardware scan. ./hardware-configuration.nix ./streamdump.nix - # ../../config - # ../../config/hq.nix - # ../../config/shared.nix ]; c3d2 = { @@ -23,14 +19,19 @@ in sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - boot.loader.grub = { - enable = true; - version = 2; - efiSupport = true; - devices = [ "nodev" ]; + boot = { + kernelPackages = pkgs.linuxPackages_latest; + loader = { + efi.canTouchEfiVariables = true; + grub = { + enable = true; + version = 2; + efiSupport = true; + devices = [ "nodev" ]; + }; + }; }; - boot.kernelPackages = pkgs.linuxPackages_latest; - boot.loader.efi.canTouchEfiVariables = true; + systemd.enableEmergencyMode = false; networking = { 
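Review bot: `mitigations=off` stays in `boot.kernelParams` with the rationale `No server/router runs any untrusted user code`, yet the same file imports `./microvms.nix` and `./microvm-staging.nix`, so this host is a hypervisor; the host-side CPU mitigations are precisely what limits a compromised guest from reading host memory, so the comment should either be re-justified for guests (e.g. `# all microvm guests are operated by us; no foreign tenants`) or the parameter dropped. A point of style: `boot= {` lacks the space before `=` that every other attribute in the hunk has. The `# TODO: change that to something more random` on `hostId` is reasonable, but if the machine has ZFS pools (the commented `boot.zfs.package` line suggests it may), changing `hostId` later forces a `zpool import -f`, which is worth noting in the same comment.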
@@ -46,14 +47,16 @@ in prefixLength = 64; }]; }; - - defaultGateway.address = "172.22.99.4"; - defaultGateway.interface = eth0; + defaultGateway = { + address = "172.22.99.4"; + interface = eth0; + }; nameservers = [ hostRegistry.hosts.dnscache.ip4 hostRegistry.hosts.dnscache.ip6 "9.9.9.9" ]; + firewall.enable = false; }; environment.systemPackages = with pkgs; [ 
@@ -68,51 +71,52 @@ in iotop ]; - programs.bash.enableCompletion = true; - programs.mtr.enable = true; - # programs.gnupg.agent = { enable = true; enableSSHSupport = true; }; - - services.openssh = { - enable = true; - allowSFTP = true; + programs = { + bash.enableCompletion = true; + mtr.enable = true; }; - services.atftpd = { - enable = true; - root = "/mnt/cephfs/c3d2/tftp"; - }; + services = { + atftpd = { + enable = true; + root = "/mnt/cephfs/c3d2/tftp"; + }; - services.samba = { - enable = true; - enableNmbd = true; - extraConfig = '' - workgroup = HQ - server string = storage - netbios name = storage - hosts allow = 172.20.0.0/14 127.0.0.0/8 ::1/128 fe80::/64 fd23:42:c3d2:500::/56 2a00:8180:2c00:200::/56 - hosts deny = 0.0.0.0/0 - security = user - guest account = nobody - map to guest = bad user - smb encrypt = required - ntlm auth = yes - passdb backend = smbpasswd - server smb encrypt = desired - ''; - shares = { - c3d2 = { - path = "/mnt/cephfs/c3d2"; - browseable = "yes"; - writable = "yes"; - "valid users" = "k-ot"; - "guest ok" = "no"; - "create mode" = "0666"; - "directory mode" = "0777"; + openssh = { + enable = true; + allowSFTP = true; + }; + + samba = { + enable = true; + enableNmbd = true; + extraConfig = '' + workgroup = HQ + server string = storage + netbios name = storage + hosts allow = 172.20.0.0/14 127.0.0.0/8 ::1/128 fe80::/64 fd23:42:c3d2:500::/56 2a00:8180:2c00:200::/56 + hosts deny = 0.0.0.0/0 + security = user + guest account = nobody + map to guest = bad user + smb encrypt = required + ntlm auth = yes + passdb backend = smbpasswd + server smb encrypt = desired + ''; + shares = { + c3d2 = { + path = "/mnt/cephfs/c3d2"; + browseable = "yes"; + writable = "yes"; + "valid users" = "k-ot"; + "guest ok" = "no"; + "create mode" = "0666"; + "directory mode" = "0777"; + }; }; }; }; - networking.firewall.enable = false; - system.stateVersion = "19.03"; # Did you read the comment? } 
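Review bot: The samba `extraConfig` sets `smb encrypt = required` and, a few lines later, `server smb encrypt = desired`; in Samba these are two names for the same parameter and the last assignment presumably wins, so the effective setting is `desired` rather than `required` — drop `server smb encrypt = desired` if mandatory encryption is the intent. `ntlm auth = yes` additionally re-enables NTLMv1 for the `k-ot` account backed by `smbpasswd`; unless a known legacy client needs it, `ntlm auth = no` is the safer choice. The commit only re-nests the `services` attrset here and does not change these values, but the new side is where they should be corrected.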
diff --git a/hosts/storage-ng/streamdump.nix b/hosts/storage-ng/streamdump.nix index bad683a9..908fb669 100644 --- a/hosts/storage-ng/streamdump.nix +++ b/hosts/storage-ng/streamdump.nix @@ -1,6 +1,5 @@ { config, pkgs, ... }: let - archiveRoot = "/mnt/cephfs/c3d2/Radio"; streams = { coloradio = "http://streaming.fueralle.org/coloradio_160.mp3"; }; @@ -17,7 +16,7 @@ in { mp3splt ]; script = '' - DIR=${archiveRoot}/${stream}/$(date +%F) + DIR=mnt/cephfs/c3d2/Radio/${stream}/$(date +%F) mkdir -p $DIR cd $DIR diff --git a/modules/c3d2.nix b/modules/c3d2.nix index 97c3e123..29c89137 100644 --- a/modules/c3d2.nix +++ b/modules/c3d2.nix @@ -67,7 +67,6 @@ in ''; hq = { - interface = mkOption { type = nullOr str; default = null; diff --git a/modules/default.nix b/modules/default.nix index 959cf09c..575d04ab 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -1,14 +1,16 @@ { config, lib, pkgs, ... }: + with lib; let + # TODO: move to flake nixcloud-webservices = pkgs.fetchFromGitHub { owner = "nixcloud"; repo = "nixcloud-webservices"; rev = "3a0767f0536fac811065eb87e6342f27eac085aa"; sha256 = "vC0vBu+0HchrevuWsmE7giouKnSt/q4F0TffwhuNJv8="; }; - inherit ((import "${nixcloud-webservices}/pkgs" { inherit pkgs; })) nixcloud; + inherit (import "${nixcloud-webservices}/pkgs" { inherit pkgs; }) nixcloud; profilesDir = "/nix/var/nix/profiles/lxc"; inherit (config.lxc) containers; @@ -89,10 +91,11 @@ in { path = with pkgs; [ coreutils nix ]; - serviceConfig.Type = "oneshot"; - serviceConfig.RemainAfterExit = true; - serviceConfig.Environment = - [ "NIX_PATH=${builtins.concatStringsSep ":" nixPath}" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + Environment = [ "NIX_PATH=${builtins.concatStringsSep ":" nixPath}" ]; + }; script = '' mkdir -p ${profilesDir}/${name} diff --git a/modules/nncp.nix b/modules/nncp.nix index e518432e..f605a7a7 100644 --- a/modules/nncp.nix +++ b/modules/nncp.nix 
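Review bot: Inlining `archiveRoot` dropped the leading slash: the new line is `DIR=mnt/cephfs/c3d2/Radio/${stream}/$(date +%F)` where the removed binding was `/mnt/cephfs/c3d2/Radio`, so `mkdir -p $DIR; cd $DIR` now creates and writes into a path relative to the unit's working directory — this only happens to coincide if that directory is `/`, and otherwise silently archives to the wrong place. It should read `DIR=/mnt/cephfs/c3d2/Radio/${stream}/$(date +%F)`; quoting the variable (`mkdir -p "$DIR"` and `cd "$DIR" || exit 1`) would also stop the script from continuing in the wrong directory when the cephfs mount is absent. The enclosing service definition starts before this hunk and is not visible here.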
@@ -9,11 +9,11 @@ let settingsFormat = pkgs.formats.json { }; jsonCfgFile = settingsFormat.generate "nncp.json" programCfg.settings; pkg = programCfg.package; -in { +in +{ options = { services.nncp = { - caller = { enable = mkEnableOption '' croned NNCP TCP daemon caller. @@ -130,7 +130,5 @@ in { wantedBy = [ "sockets.target" ]; socketConfig.Accept = true; }; - }; - } diff --git a/modules/pi-sensors.nix b/modules/pi-sensors.nix index f853ab97..903d8cd5 100644 --- a/modules/pi-sensors.nix +++ b/modules/pi-sensors.nix @@ -1,4 +1,5 @@ { pkgs, config, lib, ... }: + { options.c3d2.pi-sensors = lib.mkOption { default = []; diff --git a/modules/rpi-netboot.nix b/modules/rpi-netboot.nix index b7a9bcee..40c9186f 100644 --- a/modules/rpi-netboot.nix +++ b/modules/rpi-netboot.nix @@ -46,9 +46,11 @@ libraspberrypi raspberrypi-eeprom ]; + services.journald.extraConfig = '' Storage=volatile ''; + networking.networkmanager.enable = false; system.build.tftproot = pkgs.runCommand "tftproot-${config.networking.hostName}" {} '' diff --git a/nix-maintenance.sh b/nix-maintenance.sh index fb10e734..cb4279a3 100755 --- a/nix-maintenance.sh +++ b/nix-maintenance.sh @@ -1,7 +1,6 @@ #!/usr/bin/env bash -set -x -set -e +set -ex sudo nix-channel --update time nix-env -- -u \* diff --git a/overlay/bmxd.nix b/overlay/bmxd.nix index d7883602..b8e2f189 100644 --- a/overlay/bmxd.nix +++ b/overlay/bmxd.nix 
@@ -1,26 +1,28 @@ { stdenv, fetchgit, fetchpatch, }: -let +stdenv.mkDerivation { + pname = "bmxd"; + version = "0.4-1"; # ${version}-${release} + src = fetchgit { url = "https://gitlab.freifunk-dresden.de/firmware-developer/firmware.git"; rev = "T_FIRMWARE_7.0.1"; sha256 = "sha256-3sV59uqFp+TZKrDf7kmksLvz+5ZKriwFyXZMBH2Sdws="; }; - path = "feeds/19.07/feeds-own/bmxd"; - patch = fetchpatch { - name = "timercpy.patch"; - url = - "https://gitlab.freifunk-dresden.de/firmware-developer/firmware/merge_requests/36.patch"; - sha256 = "sha256-40BbcCZ10cQzvkfsAi8ApCgmC4hGMh2J8xU6gjD3cng="; - }; -in stdenv.mkDerivation { - pname = "bmxd"; - version = "0.4-1"; # ${version}-${release} - inherit src; - patches = [ patch ]; - buildPhase = "cd ${path}/sources"; - installPhase = '' - make install SBINDIR=$out/sbin + patches = [ + (fetchpatch { + name = "timercpy.patch"; + url = "https://gitlab.freifunk-dresden.de/firmware-developer/firmware/merge_requests/36.patch"; + sha256 = "sha256-40BbcCZ10cQzvkfsAi8ApCgmC4hGMh2J8xU6gjD3cng="; + }) + ]; + + buildPhase = '' + cd feeds/19.07/feeds-own/bmxd/sources ''; + + installFlags = [ + "SBINDIR=$out/sbin" + ]; } diff --git a/overlay/dump1090_rs.nix b/overlay/dump1090_rs.nix index 5a663e37..3b2ea3f4 100644 --- a/overlay/dump1090_rs.nix +++ b/overlay/dump1090_rs.nix @@ -6,15 +6,19 @@ rustPlatform.buildRustPackage rec { name = "dump1090_rs"; version = "0.5.1"; + src = fetchFromGitHub { owner = "rsadsb"; repo = "dump1090_rs"; rev = "v${version}"; sha256 = "1jhcb5b3l1q8zz3hfwyxy69i1015jmbdw3zlnhvalgqhp9qli2li"; }; + cargoSha256 = "00270yfbgz794m8mifnskvgqd6h17mm18cxr10371zlymnsnjf2c"; nativeBuildInputs = [ pkg-config llvmPackages.clang ]; + LIBCLANG_PATH = "${llvmPackages.libclang.lib}/lib"; + buildInputs = [ soapysdr-with-plugins ]; } diff --git a/overlay/pile.nix b/overlay/pile.nix index d5556004..fbaf404a 100644 --- a/overlay/pile.nix +++ b/overlay/pile.nix 
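Review bot: Moving the install target into `installFlags = [ "SBINDIR=$out/sbin" ]` changes what make receives: entries in `installFlags` are passed to make without going through shell expansion, so `$out` is no longer substituted by bash as it was in the removed `installPhase` but reaches make literally, where `$o` is presumably read as an empty make variable and the binary lands in `ut/sbin` under the build directory, leaving `$out` without the executable. The documented form is the make-side reference, `installFlags = [ "SBINDIR=$(out)/sbin" ];` (or `"SBINDIR=${placeholder "out"}/sbin"`). The `cd` in `buildPhase` still carries over to the default `installPhase` because both phases run in the same shell, so that part of the restructuring is fine.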
@@ -9,9 +9,13 @@ in rustPlatform.buildRustPackage { name = "ledball"; version = "0.0.0"; + src = "${pile}/ledball"; + cargoSha256 = "0zyfbf3gph8gqab07fmm5a7x5slapsqn8ck6isp53fsa7ljnagjy"; + cargoBuildFlags = [ "--examples" ]; + postInstall = '' mkdir -p $out/bin diff --git a/overlay/readsb.nix b/overlay/readsb.nix index 44cc26ed..df512686 100644 --- a/overlay/readsb.nix +++ b/overlay/readsb.nix @@ -5,7 +5,8 @@ # , libad9361, libiio }: stdenv.mkDerivation rec { - name = "readsb-protobuf"; + pname = "readsb-protobuf"; + version = "unstable-2021-12-10"; src = fetchFromGitHub { owner = "Mictronics"; @@ -18,12 +19,15 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ pkg-config protobufc ]; + buildInputs = [ ncurses rrdtool libusb1 libbladeRF librtlsdr # libad9361 libiio ]; + # enableParallelBuilding = true; + makeFlags = [ "BLADERF=yes" "RTLSDR=yes" diff --git a/overlay/simpleygggen.nix b/overlay/simpleygggen.nix index ff63c006..dac1defd 100644 --- a/overlay/simpleygggen.nix +++ b/overlay/simpleygggen.nix @@ -3,15 +3,19 @@ stdenv.mkDerivation rec { pname = "SimpleYggGen-CPP"; version = "5.1"; + src = fetchurl { url = "https://notabug.org/acetone/${pname}/archive/${version}.tar.gz"; hash = "sha256-z5Wtmw2vq3qRjNSOJ0xlxdmB5g2Oa+UQn1Awt7+R/XY="; }; + nativeBuildInputs = [ cmake ]; + buildInputs = [ libsodium ]; + installPhase = '' - find . install -D src/sygcpp $out/bin/$pname ''; + meta.maintainers = [ lib.maintainers.ehmry ]; } diff --git a/proxmox/nixprox.sh b/proxmox/nixprox.sh index 608fd063..ecc823c8 100755 --- a/proxmox/nixprox.sh +++ b/proxmox/nixprox.sh @@ -44,22 +44,29 @@ echo Preparing sensible defaults run "cat > /etc/nixos/configuration.nix" <