From 71d816fe804925da5d3c4fbdf8a885346040c16e Mon Sep 17 00:00:00 2001 From: Ahwx Date: Fri, 16 May 2025 11:28:56 +0200 Subject: [PATCH 01/24] feat: adds correct files for `lily` --- hosts/lily/default.nix | 10 ++++---- hosts/lily/hardware-configuration.nix | 37 +++++++++++++++++++++++++++ 2 files changed, 42 insertions(+), 5 deletions(-) create mode 100644 hosts/lily/hardware-configuration.nix diff --git a/hosts/lily/default.nix b/hosts/lily/default.nix index b7772a7..21b6992 100644 --- a/hosts/lily/default.nix +++ b/hosts/lily/default.nix @@ -18,20 +18,20 @@ ]; boot = { - loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; supportedFilesystems = [ "zfs" ]; }; - networking.hostId = "8wfk1d8a"; + networking.hostId = "8ddb2a9b"; services.zfs = { autoScrub.enable = true; trim.enable = true; }; + boot.loader.grub.enable = true; + boot.loader.grub.device = "/dev/sda"; + boot.loader.grub.useOSProber = true; + # boot.zfs.extraPools = [ "terrabite" ]; # fileSystems."/terrabite/main" = { diff --git a/hosts/lily/hardware-configuration.nix b/hosts/lily/hardware-configuration.nix new file mode 100644 index 0000000..b0c372b --- /dev/null +++ b/hosts/lily/hardware-configuration.nix 
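Review bot: `boot.loader.grub.useOSProber = true` on a box the rest of this series turns into a headless router makes every `nixos-rebuild` run os-prober, which mounts and inspects every other filesystem it can find, for no benefit here; `boot.loader.grub.useOSProber = false;` (or dropping the line, since false is the default) is the safer choice. The hostId change is a real fix rather than cosmetic — `8wfk1d8a` contains non-hex characters and the zfs module requires eight hex digits — and that is worth a word in the commit message so nobody reverts it as noise.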
@@ -0,0 +1,37 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/75447a73-848e-4b34-a1b3-d5b7a8e804ee"; + fsType = "ext4"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/d4552527-c7c6-4047-929b-aeb3500299e3"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eno1.useDHCP = lib.mkDefault true; + # networking.interfaces.eno2.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0f0.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0f1.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} From 1b8b3f607d0c342e7169c43dec68bdefeb1b2d3d Mon Sep 17 00:00:00 2001 From: Ahwx Date: Sat, 17 May 2025 17:30:47 +0200 Subject: [PATCH 02/24] feat: create router role --- roles/default.nix | 1 + roles/router.nix | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 roles/router.nix diff --git a/roles/default.nix b/roles/default.nix index 0d11aa1..8f3d3c2 100644 --- a/roles/default.nix 
+++ b/roles/default.nix
@@ -5,6 +5,7 @@
 ++ [ (import ./amdgpu.nix) ]
 ++ [ (import ./nvidia.nix) ]
 ++ [ (import ./server.nix) ]
+ ++ [ (import ./router.nix) ]
 ++ [ (import ./desktop.nix) ]
 ++ [ (import ./wine.nix) ]
 ++ [ (import ./creative.nix) ]
diff --git a/roles/router.nix b/roles/router.nix
new file mode 100644
index 0000000..a762d7d
--- /dev/null
+++ b/roles/router.nix
@@ -0,0 +1,46 @@
+{
+ lib,
+ pkgs,
+ config,
+ username,
+ home-manager,
+ ...
+}:
+with lib;
+let
+ cfg = config.liv.router;
+in
+{
+ options.liv.router = {
+ enable = mkEnableOption "Enable router";
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [
+ pkgs.kitty.terminfo
+ powertop
+ bind
+ ];
+
+ services = {
+ thermald.enable = true;
+ vnstat.enable = true;
+ # cpupower-gui.enable = true;
+ # power-profiles-daemon.enable = true;
+
+ # auto-cpufreq = {
+ # enable = true;
+ # settings = {
+ # battery = {
+ # governor = "powersave";
+ # turbo = "auto";
+ # };
+ # charger = {
+ # governor = "performance";
+ # turbo = "auto";
+ # };
+ # };
+ # };
+ };
+ };
+}
From 87338c456882475cdc2a41e4e94dcb7920ee66ca Mon Sep 17 00:00:00 2001
From: Ahwx
Date: Sat, 17 May 2025 17:32:21 +0200
Subject: [PATCH 03/24] feat: also use server home config for host lily
---
 modules/core/user.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/modules/core/user.nix b/modules/core/user.nix
index b96dbee..ee3ecce
--- a/modules/core/user.nix
+++ b/modules/core/user.nix
@@ -23,6 +23,8 @@
 [ ./../home/default.server.nix ]
 else if (host == "dandelion") then
 [ ./../home/default.server.nix ]
+ else if (host == "lily") then
+ [ ./../home/default.server.nix ]
 # else if (host == "yoshino") then
 # [ ./../home/default.nix ]
 else
From 27d6950542aa9813dd5fb00598ae3ca8d503308d Mon Sep 17 00:00:00 2001
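Review bot: `username` and `home-manager` are taken as module arguments but never used in roles/router.nix, and `with lib;` pulls the whole library into scope when only `mkEnableOption` and `mkIf` are needed; `{ lib, pkgs, config, ... }:` with `lib.mkEnableOption`/`lib.mkIf` keeps the role's dependencies visible. Inside `with pkgs; [ ... ]` the entry `pkgs.kitty.terminfo` can simply be `kitty.terminfo`. Nothing in the role is router-specific yet (no forwarding, NAT or firewall settings); if those deliberately live in the host file, a comment such as `# Forwarding/NAT/firewall are configured per host; this role only adds tooling.` would save the next reader a search.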
From: Ahwx
Date: Sat, 17 May 2025 17:32:31 +0200
Subject: [PATCH 04/24] feat: add router core config
---
 modules/core/default.router.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 modules/core/default.router.nix
diff --git a/modules/core/default.router.nix b/modules/core/default.router.nix
new file mode 100644
index 0000000..c0f7c80
--- /dev/null
+++ b/modules/core/default.router.nix
@@ -0,0 +1,11 @@
+{ ... }:
+{
+ imports =
+ [ (import ./hardware.nix) ]
+ ++ [ (import ./program.nix) ]
+ ++ [ (import ./sshd.nix) ]
+ ++ [ (import ./security.nix) ]
+ ++ [ (import ./services.nix) ]
+ ++ [ (import ./system.nix) ]
+ ++ [ (import ./user.nix) ];
+}
From c6601da4e073364aeb4c0ab6c22c20939b024259 Mon Sep 17 00:00:00 2001
From: Ahwx
Date: Sat, 17 May 2025 17:33:57 +0200
Subject: [PATCH 05/24] feat: import correct files, set some kernel options, get started on firewall, rename network interfaces
---
 hosts/lily/default.nix | 89 ++++++++++++++++++++++++++++++++++++------
 1 file changed, 77 insertions(+), 12 deletions(-)
diff --git a/hosts/lily/default.nix b/hosts/lily/default.nix
index 21b6992..acc1a6c 100644
--- a/hosts/lily/default.nix
+++ b/hosts/lily/default.nix
@@ -1,14 +1,87 @@ -{ pkgs, config, ... }: +{ + lib, + pkgs, + config, + ... +}: +let + externalInterface = "wan0"; + # networks = config.homelab.networks.local; + # internalInterfaces = lib.mapAttrsToList (_: val: val.interface) networks; + # internalIPs = lib.mapAttrsToList ( + # _: val: lib.strings.removeSuffix ".1" val.cidr + ".0/24" + # ) networks; +in { imports = [ ./hardware-configuration.nix ./variables.nix - ./../../modules/core/default.server.nix + ./../../modules/core/default.router.nix ]; - networking.hostName = "lily"; + liv = { + server.enable = true; + router.enable = true; + }; - liv.server.enable = true; + boot = { + supportedFilesystems = [ "zfs" ]; + loader.grub = { + enable = true; + device = "/dev/sda"; + useOSProber = true; + }; + kernel = { + sysctl = { + # Forward both IPv4 and IPv6 on all interfaces + "net.ipv4.conf.all.forwarding" = true; + "net.ipv6.conf.all.forwarding" = false; + + # By default, do not automatically configure any IPv6 addresses. + # "net.ipv6.conf.all.accept_ra" = 0; + # "net.ipv6.conf.all.autoconf" = 0; + # "net.ipv6.conf.all.use_tempaddr" = 0; + + # Allow IPv6 autoconfiguration and tempory address use on WAN. + "net.ipv6.conf.${externalInterface}.accept_ra" = 2; + "net.ipv6.conf.${externalInterface}.autoconf" = 1; + }; + }; + }; + + networking = { + firewall = { + enable = true; + allowPing = true; + + # allow ssh on *all* interfaces, even wan. 
+ allowedTCPPorts = lib.mkForce [ 22 ]; + allowedUDPPorts = lib.mkForce [ 22 ]; + + # interface-specific rules + interfaces = { + "lan0" = { + allowedTCPPorts = [ + 22 + 53 + ]; + allowedUDPPorts = [ + 22 + 53 + ]; + }; + }; + }; + }; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:47:67:6e", ATTR{type}=="1", NAME="wan0" + SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:47:67:6f", ATTR{type}=="1", NAME="lan0" + SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:63:0f:80", ATTR{type}=="1", NAME="lan1" + SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:63:0f:81", ATTR{type}=="1", NAME="lan2" + ''; + + networking.hostName = "lily"; time.timeZone = "Europe/Amsterdam"; @@ -17,10 +90,6 @@ zfs ]; - boot = { - supportedFilesystems = [ "zfs" ]; - }; - networking.hostId = "8ddb2a9b"; services.zfs = { @@ -28,10 +97,6 @@ trim.enable = true; }; - boot.loader.grub.enable = true; - boot.loader.grub.device = "/dev/sda"; - boot.loader.grub.useOSProber = true; - # boot.zfs.extraPools = [ "terrabite" ]; # fileSystems."/terrabite/main" = { From c4a99482cfc538616b740d59175e28fa18820235 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Sat, 17 May 2025 18:20:19 +0200 Subject: [PATCH 06/24] feat: adds packages, import dns file; chore: cleanup some zfs stuff --- hosts/lily/default.nix | 18 +++--------------- 1 file changed, 3 insertions(+), 15 deletions(-) diff --git a/hosts/lily/default.nix b/hosts/lily/default.nix index acc1a6c..8d47c90 100644 --- a/hosts/lily/default.nix +++ b/hosts/lily/default.nix @@ -16,6 +16,7 @@ in imports = [ ./hardware-configuration.nix ./variables.nix + ./dns.nix ./../../modules/core/default.router.nix ]; 
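Review bot: `allowedTCPPorts = lib.mkForce [ 22 ]` together with the comment "even wan" exposes SSH on wan0, the matching `allowedUDPPorts = lib.mkForce [ 22 ]` opens a UDP port SSH never uses, and `lib.mkForce` on these lists silently discards any port other imported modules add to the global lists (the nginx module's 80/443, for instance). Moving 22 under `interfaces.lan0` (it is already there), adding a VPN interface via `trustedInterfaces`, and deleting both mkForce lines is the usual shape for a router. Separately, `net.ipv4.conf.all.forwarding = true` is set but nothing in this hunk filters the forward path — there is no `networking.nat`, and as far as I recall the iptables-based NixOS firewall leaves FORWARD at ACCEPT — so packets arriving on wan0 addressed to the LAN range would be routed through unfiltered; confirm with `nft list ruleset` or `iptables -L FORWARD` on the host and add `networking.nat` or explicit forward rules. The comment `# Forward both IPv4 and IPv6 on all interfaces` also contradicts `net.ipv6.conf.all.forwarding = false` directly below it; `# Forward IPv4 only; IPv6 forwarding stays off until the v6 firewall is done` would match the code.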
@@ -87,20 +88,7 @@ in environment.systemPackages = with pkgs; [ kitty.terminfo - zfs + tcpdump + dnsutils ]; - - networking.hostId = "8ddb2a9b"; - - services.zfs = { - autoScrub.enable = true; - trim.enable = true; - }; - - # boot.zfs.extraPools = [ "terrabite" ]; - - # fileSystems."/terrabite/main" = { - # device = "terrabite/main"; - # fsType = "zfs"; - # }; } From 232e57415a12ff5f1495af80ac1f8a2ff5c5dd20 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Sat, 17 May 2025 18:20:32 +0200 Subject: [PATCH 07/24] feat: enable dnsmasq --- hosts/lily/dns.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 hosts/lily/dns.nix diff --git a/hosts/lily/dns.nix b/hosts/lily/dns.nix new file mode 100644 index 0000000..32263f0 --- /dev/null +++ b/hosts/lily/dns.nix @@ -0,0 +1,12 @@ +{ lib, config, ... }: +{ + services = { + dnsmasq = { + enable = true; + settings = { + cache-size = 10000; + server = [ "127.0.0.1#53" ]; + }; + }; + }; +} From 02dea23351a671fe967c70bea8018fcbc159e07e Mon Sep 17 00:00:00 2001 From: Ahwx Date: Sun, 18 May 2025 14:07:34 +0200 Subject: [PATCH 08/24] refactor: prettier --- hosts/dandelion/default.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix index 6ecda6d..98e0a49 100644 --- a/hosts/dandelion/default.nix +++ b/hosts/dandelion/default.nix @@ -1,4 +1,9 @@ -{ pkgs, config, ... }: +{ + lib, + pkgs, + config, + ... +}: { imports = [ ./hardware-configuration.nix From eb6151b1ac5066964b93e82506b39706ac9d4b0b Mon Sep 17 00:00:00 2001 From: Ahwx Date: Sun, 18 May 2025 14:08:48 +0200 Subject: [PATCH 09/24] feat: import wireguard to lily, import lily's services, disable firewall temporarily; chore: remove an old zfs line --- hosts/lily/default.nix | 5 +++-- hosts/lily/wireguard.nix | 3 +++ 2 files changed, 6 insertions(+), 2 deletions(-) create mode 100644 hosts/lily/wireguard.nix 
diff --git a/hosts/lily/default.nix b/hosts/lily/default.nix index 8d47c90..2d36d14 100644 --- a/hosts/lily/default.nix +++ b/hosts/lily/default.nix @@ -17,7 +17,9 @@ in ./hardware-configuration.nix ./variables.nix ./dns.nix + ./wireguard.nix ./../../modules/core/default.router.nix + ./../../modules/services/lily.nix ]; liv = { @@ -26,7 +28,6 @@ in }; boot = { - supportedFilesystems = [ "zfs" ]; loader.grub = { enable = true; device = "/dev/sda"; @@ -52,7 +53,7 @@ in networking = { firewall = { - enable = true; + enable = false; allowPing = true; # allow ssh on *all* interfaces, even wan. diff --git a/hosts/lily/wireguard.nix b/hosts/lily/wireguard.nix new file mode 100644 index 0000000..0db3279 --- /dev/null +++ b/hosts/lily/wireguard.nix @@ -0,0 +1,3 @@ +{ + +} From 88177be9a7ce93e3d80520e5a3422267e0f8e35e Mon Sep 17 00:00:00 2001 From: Ahwx Date: Sun, 18 May 2025 14:09:08 +0200 Subject: [PATCH 10/24] feat: adds unifi service so that lily can host that --- modules/services/unifi.nix | 66 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 modules/services/unifi.nix diff --git a/modules/services/unifi.nix b/modules/services/unifi.nix new file mode 100644 index 0000000..c206c3d --- /dev/null +++ b/modules/services/unifi.nix 
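Review bot: `enable = false` turns the firewall off on the host that faces wan0 with IPv4 forwarding enabled, so every service that listens on all addresses — dnsmasq, the UniFi controller, Grafana and whatever else lily.nix pulls in — becomes reachable from the WAN for as long as this stays in, and none of the later patches on this page turn it back on. If the aim is to debug rule interaction, `networking.firewall.logRefusedConnections = true;` with the firewall left enabled gives the same information without the exposure. The commit message calls this temporary; a `# TODO: re-enable before deploying as the edge router` next to the line makes that intent survive a rebase.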
@@ -0,0 +1,66 @@ +{ pkgs, lib, ... }: + +{ + services.unifi = { + enable = true; + unifiPackage = pkgs.unifi8; + mongodbPackage = pkgs.mongodb-7_0; + }; + # services.nginx = { + # enable = true; + # recommendedProxySettings = true; + + # virtualHosts."unifi.local" = { + # forceSSL = true; + # useACMEHost = "unifi.local"; + # locations."/" = { + # proxyPass = "https://127.0.0.1:8443"; + # proxyWebsockets = true; + # }; + # }; + # }; + # virtualisation.oci-containers.containers."unifi" = { + # image = "lscr.io/linuxserver/unifi-network-application:latest"; + # autoStart = true; + # environmentFiles = [ /run/unifi/container-vars.env ]; + # volumes = [ + # "/etc/localtime:/etc/localtime:ro" + # "/run/unifi/data:/config" + # ]; + # ports = [ + # "8443:8443" # web admin UI + # "3478:3478/udp" # STUN + # "10001:10001/udp" # AP discovery + # "8080:8080" # device communication + # "6789:6789/udp" # mobile throughput test (assumption: wifiman) + # "5514:5514/udp" # remote syslog (optional) + # ]; + # dependsOn = [ + # "unifi-mongo" + # ]; + # log-driver = "journald"; + # }; + # virtualisation.oci-containers.containers."unifi-mongo" = { + # image = "mongo:latest"; + # autoStart = true; + # volumes = [ + # "/etc/localtime:/etc/localtime:ro" + # "/run/unifi/mongo/db:/data/db" + # "/run/unifi/mongo/init-mongo.js:/docker-entrypoint-initdb.d/init-mongo.js:ro" + # ]; + # log-driver = "journald"; + # }; + + networking.firewall.interfaces."lan0" = { + allowedTCPPorts = [ + 8443 # web admin UI + 8080 # device communication + ]; + allowedUDPPorts = [ + 6789 # mobile throughput test (assumption: wifiman) + 5514 # remote syslog (optional) + 3478 # STUN + 10001 # AP discovery + ]; + }; +} From f11ba8c63c7ee8c854334daed01b90e2d7624b0d Mon Sep 17 00:00:00 2001 From: Ahwx Date: Sun, 18 May 2025 14:09:33 +0200 Subject: [PATCH 11/24] feat: adds services for lily to run --- modules/services/lily.nix | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 modules/services/lily.nix 
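Review bot: The `networking.firewall.interfaces."lan0"` rules hard-code lily's interface name in a module under modules/services that other hosts may import; they are harmless where lan0 does not exist but misleading, so a comment like `# assumes the LAN-side interface is named lan0 (see the udev rules in hosts/lily)` or a module option for the interface name would make that explicit. 5514 (remote syslog) and 6789 (throughput test) are marked optional in their own comments; opening ports for features not in use adds listening surface for nothing, so consider leaving them out until needed. Note also that while patch 09's `enable = false` is in place these interface-scoped rules have no effect, so the controller's 8443/8080 are reachable on wan0 as well.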
diff --git a/modules/services/lily.nix b/modules/services/lily.nix
new file mode 100644
index 0000000..2e33b08
--- /dev/null
+++ b/modules/services/lily.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+ imports =
+ [ (import ./docker.nix) ]
+ ++ [ (import ./monitoring.nix) ]
+ ++ [ (import ./smart-monitoring.nix) ]
+ ++ [ (import ./unifi.nix) ]
+ ++ [ (import ./grafana.nix) ];
+}
From 9d40b2a439f0816865d1cffd316b8286c9a89d49 Mon Sep 17 00:00:00 2001
From: Ahwx
Date: Sun, 18 May 2025 14:09:40 +0200
Subject: [PATCH 12/24] feat: adds tailscale
---
 modules/services/tailscale.nix | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 modules/services/tailscale.nix
diff --git a/modules/services/tailscale.nix b/modules/services/tailscale.nix
new file mode 100644
index 0000000..d886410
--- /dev/null
+++ b/modules/services/tailscale.nix
@@ -0,0 +1,3 @@
+{
+ services.tailscale.enable = true;
+}
From 7c9ab547e08323374f298909ef8c822fedd1b113 Mon Sep 17 00:00:00 2001
From: Ahwx
Date: Sun, 18 May 2025 20:44:36 +0200
Subject: [PATCH 13/24] feat: adds dnsmasq and settings
---
 hosts/lily/dns.nix | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/hosts/lily/dns.nix b/hosts/lily/dns.nix
index 32263f0..b754a51 100644
--- a/hosts/lily/dns.nix
+++ b/hosts/lily/dns.nix
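Review bot: Importing `./docker.nix` on the router deserves a second look: if that module enables the Docker daemon (not visible from here), Docker rewrites the FORWARD chain and publishes container ports with DNAT in PREROUTING, which bypasses the host's input firewall and interacts badly with hand-written forwarding on a box that routes wan0 to lan0. The unifi.nix in this same series uses the native `services.unifi` and leaves the container variant commented out, so it is not obvious which imported service needs a container runtime. A one-line comment in lily.nix naming the consumer, e.g. `# docker.nix: needed by <service>`, would justify the import or show it can go.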
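Review bot: `services.tailscale.enable = true` is all the module sets; on lily, which forwards between interfaces, `services.tailscale.useRoutingFeatures = "server";` is the documented setting for subnet-router or exit-node use, and adding `tailscale0` to `networking.firewall.trustedInterfaces` is the usual way to reach SSH over the VPN instead of opening port 22 on wan0 as patch 05 does. Since patch 17 imports this same file on sakura, the server/client choice probably belongs in the host file rather than here; a comment saying which hosts this is meant for would settle it.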
@@ -4,8 +4,27 @@
 dnsmasq = {
 enable = true;
 settings = {
- cache-size = 10000;
- server = [ "127.0.0.1#53" ];
+ cache-size = 10000; # Specifies the size of the DNS query cache. It will store up to n cached DNS queries to improve response times for frequently accessed domains.
+ server = [
+ "9.9.9.9"
+ "149.112.112.112"
+ ];
+ domain-needed = true; # Ensures that DNS queries are only forwarded for domains that are not found in the local configuration.
+ bogus-priv = true; # Blocks DNS queries for private IP address ranges to prevent accidental exposure of private resources.
+ no-resolv = true; # Prevents dnsmasq from using /etc/resolv.conf for DNS server configuration.
+
+ # configure DHCP server; get leases by running: `cat /var/lib/dnsmasq/dnsmasq.leases`
+ dhcp-range = [ "br-lan,172.16.10.50,172.16.10.254,24h" ];
+ interface = "br-lan";
+ dhcp-host = "172.16.10.1";
+
+ # local sets the local domain name to "n". Combinded with expand-hosts = true, it will add a .local suffix to any local defined name when trying to resolve it.
+ local = "/local/";
+ domain = "local";
+ expand-hosts = true;
+
+ no-hosts = true; # Prevents the use of /etc/hosts. This ensures that the local hosts file is not used to override DNS resolution.
+ address = "/booping.local/172.16.10.1";
 };
 };
 };
From 0f2e67f35595a2a2fbc0e494ac18c16e7a3e225b Mon Sep 17 00:00:00 2001
From: Ahwx
Date: Sun, 18 May 2025 20:47:41 +0200
Subject: [PATCH 14/24] feat: enables tailscale for lily
---
 modules/services/lily.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/services/lily.nix b/modules/services/lily.nix
index 2e33b08..2774318 100644
--- a/modules/services/lily.nix
+++ b/modules/services/lily.nix
@@ -5,5 +5,6 @@
 ++ [ (import ./monitoring.nix) ]
 ++ [ (import ./smart-monitoring.nix) ]
 ++ [ (import ./unifi.nix) ]
+ ++ [ (import ./tailscale.nix) ]
 ++ [ (import ./grafana.nix) ];
 }
From cf62a257c86fb028dd5cb3fbf6a6977fb4b34884 Mon Sep 17 00:00:00 2001
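Review bot: `domain = "local"` and `local = "/local/"` put the LAN zone under `.local`, which RFC 6762 reserves for mDNS; clients running Avahi/Bonjour resolve `*.local` over multicast and never ask this dnsmasq, so `booping.local` will fail on exactly those machines — `home.arpa` (RFC 8375) or a plain `lan` avoids that. `interface = "br-lan"` and the `dhcp-range` refer to a bridge nothing on this page defines, while hosts/lily/default.nix names the LAN ports lan0–lan2 and opens 53 on lan0, so unless a bridge is created elsewhere dnsmasq will not serve those ports. `dhcp-host = "172.16.10.1"` also looks malformed: dnsmasq's `dhcp-host` maps a MAC or client-id to an address, and a bare address (the router's own, presumably) reads like an intended `dhcp-option = "option:router,172.16.10.1"` — hedging, since how dnsmasq parses that form is not shown here. Adding `bind-interfaces = true;` would additionally stop dnsmasq from binding the wildcard address on wan0.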
From: Ahwx Date: Tue, 20 May 2025 16:45:11 +0200 Subject: [PATCH 15/24] flake: update --- flake.lock | 146 ++++++++++++++++++++++++++--------------------------- 1 file changed, 73 insertions(+), 73 deletions(-) diff --git a/flake.lock b/flake.lock index 2113071..ee6aeec 100644 --- a/flake.lock +++ b/flake.lock @@ -8,11 +8,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1742767019, - "narHash": "sha256-FdyHDbf31jl5rIU7IQtBVTbZ1ojGrrp5aFaRrE2819s=", + "lastModified": 1747531250, + "narHash": "sha256-uDhXNURTJgQSpiaCgzqAizbblpcEWEB1WGWEqtCnLLM=", "owner": "KZDKM", "repo": "Hyprspace", - "rev": "5b62529c2011ede6069445de9b5b3f8a1f10ecfe", + "rev": "511d399120bdcafb43e57ca5ff35167c2bba6db8", "type": "github" }, "original": { @@ -50,11 +50,11 @@ "systems": "systems_3" }, "locked": { - "lastModified": 1736955230, - "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=", + "lastModified": 1747575206, + "narHash": "sha256-NwmAFuDUO/PFcgaGGr4j3ozG9Pe5hZ/ogitWhY+D81k=", "owner": "ryantm", "repo": "agenix", - "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c", + "rev": "4835b1dc898959d8547a871ef484930675cb47f1", "type": "github" }, "original": { @@ -104,11 +104,11 @@ ] }, "locked": { - "lastModified": 1744289235, - "narHash": "sha256-ZFkHLdimtFzQACsVVyZkZlfYdj4iNy3PkzXfrwmlse8=", + "lastModified": 1745357003, + "narHash": "sha256-jYwzQkv1r7HN/4qrAuKp+NR4YYNp2xDrOX5O9YVqkWo=", "owner": "hyprwm", "repo": "aquamarine", - "rev": "c8282f4982b56dfa5e9b9f659809da93f8d37e7a", + "rev": "a19cf76ee1a15c1c12083fa372747ce46387289f", "type": "github" }, "original": { 
@@ -122,11 +122,11 @@ "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1745352209, - "narHash": "sha256-u3vJEzi6zxgG59KXjMR5koERsdKT5nd1OEKCpr6zgn8=", + "lastModified": 1747519437, + "narHash": "sha256-uv9Wv59d+mckS2CkorOF484wp2G5TNGijdoBZ5RkAk0=", "owner": "catppuccin", "repo": "nix", - "rev": "6268e50dbb0ac9375e110560395b5dc199e4dfb8", + "rev": "3ba714046ee32373e88166e6e9474d6ae6a5b734", "type": "github" }, "original": { @@ -143,11 +143,11 @@ ] }, "locked": { - "lastModified": 1700795494, - "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "lastModified": 1744478979, + "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "rev": "43975d782b418ebf4969e9ccba82466728c2851b", "type": "github" }, "original": { @@ -338,11 +338,11 @@ ] }, "locked": { - "lastModified": 1703113217, - "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "lastModified": 1745494811, + "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", "owner": "nix-community", "repo": "home-manager", - "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", "type": "github" }, "original": { @@ -358,11 +358,11 @@ ] }, "locked": { - "lastModified": 1745494811, - "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", + "lastModified": 1747688838, + "narHash": "sha256-FZq4/3OtGV/cti9Vccsy2tGSUrxTO4hkDF9oeGRTen4=", "owner": "nix-community", "repo": "home-manager", - "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", + "rev": "45c2985644b60ab64de2a2d93a4d132ecb87cf66", "type": "github" }, "original": { 
@@ -376,11 +376,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1743417258, - "narHash": "sha256-YItzk1pj8Kz+b7VlC9zN1pSZ6CuX35asYy3HuMQ3lBQ=", + "lastModified": 1747572947, + "narHash": "sha256-PMQoXbfmWPuXnF8EaWqRmvTvl7+WFUrDVgufFRPgOM4=", "owner": "hyprwm", "repo": "contrib", - "rev": "bc2ad24e0b2e66c3e164994c4897cd94a933fd10", + "rev": "910dad4c5755c1735d30da10c96d9086aa2a608d", "type": "github" }, "original": { @@ -405,11 +405,11 @@ ] }, "locked": { - "lastModified": 1742215578, - "narHash": "sha256-zfs71PXVVPEe56WEyNi2TJQPs0wabU4WAlq0XV7GcdE=", + "lastModified": 1745948457, + "narHash": "sha256-lzTV10FJTCGNtMdgW5YAhCAqezeAzKOd/97HbQK8GTU=", "owner": "hyprwm", "repo": "hyprcursor", - "rev": "2fd36421c21aa87e2fe3bee11067540ae612f719", + "rev": "ac903e80b33ba6a88df83d02232483d99f327573", "type": "github" }, "original": { @@ -465,11 +465,11 @@ "xdph": "xdph" }, "locked": { - "lastModified": 1745443874, - "narHash": "sha256-sEI5r1IjmJEgNn/al7zd5lUsjWpeGAY0uOoCab5Pqcc=", + "lastModified": 1747610850, + "narHash": "sha256-eGOtDlq3h+r/X/j4oSNo6cmQlt67TVolgUJMnGKTRt4=", "ref": "refs/heads/main", - "rev": "b06fbdb7431aa2b6653d788ad9fb758478c72d4c", - "revCount": 6021, + "rev": "eb3b38d40baca5c05ddbc1507b3d3f02a0ccb164", + "revCount": 6127, "submodules": true, "type": "git", "url": "https://github.com/hyprwm/Hyprland" @@ -585,11 +585,11 @@ ] }, "locked": { - "lastModified": 1739048983, - "narHash": "sha256-REhTcXq4qs3B3cCDtLlYDz0GZvmsBSh947Ub6pQWGTQ=", + "lastModified": 1745951494, + "narHash": "sha256-2dModE32doiyQMmd6EDAQeZnz+5LOs6KXyE0qX76WIg=", "owner": "hyprwm", "repo": "hyprland-qtutils", - "rev": "3504a293c8f8db4127cb0f7cfc1a318ffb4316f8", + "rev": "4be1d324faf8d6e82c2be9f8510d299984dfdd2e", "type": "github" }, "original": { 
@@ -614,11 +614,11 @@ ] }, "locked": { - "lastModified": 1744468525, - "narHash": "sha256-9HySx+EtsbbKlZDlY+naqqOV679VdxP6x6fP3wxDXJk=", + "lastModified": 1746655412, + "narHash": "sha256-kVQ0bHVtX6baYxRWWIh4u3LNJZb9Zcm2xBeDPOGz5BY=", "owner": "hyprwm", "repo": "hyprlang", - "rev": "f1000c54d266e6e4e9d646df0774fac5b8a652df", + "rev": "557241780c179cf7ef224df392f8e67dab6cef83", "type": "github" }, "original": { @@ -635,11 +635,11 @@ "systems": "systems_5" }, "locked": { - "lastModified": 1745357051, - "narHash": "sha256-iA+aN9HYnqukhD1nHWuS903NHE90J+KFiGGL4wXZHgM=", + "lastModified": 1747584204, + "narHash": "sha256-F3hXDTk28yyFzkDpsWbhrU+QbUzjMsVX9/jO/aTLJwc=", "owner": "hyprwm", "repo": "hyprpicker", - "rev": "5dcb341c13be994e954eb6d0b3a59c20f7db93f9", + "rev": "500c46185dd4f2b5e16cd1a4edfe9ed1e126452e", "type": "github" }, "original": { @@ -657,11 +657,11 @@ "systems": "systems_6" }, "locked": { - "lastModified": 1742816163, - "narHash": "sha256-EIJka3UtSEtmkDBjYiGeR/hO6s6R4x3K+rbUlc9KPBE=", + "lastModified": 1746481417, + "narHash": "sha256-mal2vIpRz5BU/0ll6gP/N2FqjFtgFNDgMBgoI6tLWag=", "owner": "hyprwm", "repo": "hyprsunset", - "rev": "7b7339f0deef23ec23a723651528cb8ae56c11d9", + "rev": "2a8ef76c6a77ca249e4613fefcd96bad74b5f9b2", "type": "github" }, "original": { @@ -682,11 +682,11 @@ ] }, "locked": { - "lastModified": 1743950287, - "narHash": "sha256-/6IAEWyb8gC/NKZElxiHChkouiUOrVYNq9YqG0Pzm4Y=", + "lastModified": 1746635225, + "narHash": "sha256-W9G9bb0zRYDBRseHbVez0J8qVpD5QbizX67H/vsudhM=", "owner": "hyprwm", "repo": "hyprutils", - "rev": "f2dc70e448b994cef627a157ee340135bd68fbc6", + "rev": "674ea57373f08b7609ce93baff131117a0dfe70d", "type": "github" }, "original": { 
@@ -856,11 +856,11 @@ "nixpkgs": "nixpkgs_7" }, "locked": { - "lastModified": 1745373052, - "narHash": "sha256-YoxUn3PXwLN7GxtzRLNAWBAgE728FwLy2oy9roiz/Xg=", + "lastModified": 1747620037, + "narHash": "sha256-M5yyl1Cp5rolwGBuCEKXG6qJj9lao16lshqPF83z0qs=", "owner": "fufexan", "repo": "nix-gaming", - "rev": "8582d6d908005589e1e0818da7558d63edbbbaf2", + "rev": "5d7985a2d5c877f6a276a2b024fff6bb2995ff24", "type": "github" }, "original": { @@ -871,11 +871,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1745503349, - "narHash": "sha256-bUGjvaPVsOfQeTz9/rLTNLDyqbzhl0CQtJJlhFPhIYw=", + "lastModified": 1747684167, + "narHash": "sha256-l6jbonaboCBlB8lCjBkrqgh2zEnvt6F3f4dOU/8CLd4=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "f7bee55a5e551bd8e7b5b82c9bc559bc50d868d1", + "rev": "e8f38b2c19c0647e39021c3d47172ff5469af8a9", "type": "github" }, "original": { @@ -886,11 +886,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1703013332, - "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", + "lastModified": 1745391562, + "narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", + "rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7", "type": "github" }, "original": { @@ -948,11 +948,11 @@ }, "nixpkgs_11": { "locked": { - "lastModified": 1745391562, - "narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=", + "lastModified": 1747542820, + "narHash": "sha256-GaOZntlJ6gPPbbkTLjbd8BMWaDYafhuuYRNrxCGnPJw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7", + "rev": "292fa7d4f6519c074f0a50394dbbe69859bb6043", "type": "github" }, "original": { 
@@ -1044,11 +1044,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1744868846, - "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=", + "lastModified": 1747426788, + "narHash": "sha256-N4cp0asTsJCnRMFZ/k19V9akkxb7J/opG+K+jU57JGc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c", + "rev": "12a55407652e04dcf2309436eb06fef0d3713ef3", "type": "github" }, "original": { @@ -1060,11 +1060,11 @@ }, "nixpkgs_8": { "locked": { - "lastModified": 1745391562, - "narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=", + "lastModified": 1747542820, + "narHash": "sha256-GaOZntlJ6gPPbbkTLjbd8BMWaDYafhuuYRNrxCGnPJw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7", + "rev": "292fa7d4f6519c074f0a50394dbbe69859bb6043", "type": "github" }, "original": { @@ -1137,11 +1137,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1745506616, - "narHash": "sha256-m8M88SUdaKeB2+l+tvyh7I4L7NLWsF/E5Td0y7UGIPo=", + "lastModified": 1747683907, + "narHash": "sha256-dgEK4d1QPNFhv0s5s9lpvEWOVBlRZENp7TVh8V8qYDU=", "owner": "nix-community", "repo": "NUR", - "rev": "d900870bec8e29aae928c868ecea88f220ae87fa", + "rev": "64046fedb710701f87e5e86390b4dbe77f1d733b", "type": "github" }, "original": { @@ -1184,11 +1184,11 @@ ] }, "locked": { - "lastModified": 1742649964, - "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=", + "lastModified": 1747372754, + "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82", + "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46", "type": "github" }, "original": { 
@@ -1387,11 +1387,11 @@ ] }, "locked": { - "lastModified": 1744644585, - "narHash": "sha256-p0D/e4J6Sv6GSb+9u8OQcVHSE2gPNYB5ygIfGDyEiXQ=", + "lastModified": 1745871725, + "narHash": "sha256-M24SNc2flblWGXFkGQfqSlEOzAGZnMc9QG3GH4K/KbE=", "owner": "hyprwm", "repo": "xdg-desktop-portal-hyprland", - "rev": "be6771e754345f18244fb00aae5c9e5ab21ccc26", + "rev": "76bbf1a6b1378e4ab5230bad00ad04bc287c969e", "type": "github" }, "original": { From 5f519133d9018efc8cc666366708ce77755861cb Mon Sep 17 00:00:00 2001 From: Ahwx Date: Tue, 20 May 2025 16:46:07 +0200 Subject: [PATCH 16/24] feat: adds more functionality [`C-x {s,r,e}`] to `nsxiv` --- modules/home/hyprland/scripts.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/home/hyprland/scripts.nix b/modules/home/hyprland/scripts.nix index 00e6896..6aca500 100644 --- a/modules/home/hyprland/scripts.nix +++ b/modules/home/hyprland/scripts.nix @@ -12,6 +12,9 @@ case "$1" in "w") setbg "$file" ;; "d") mv "$file" "$HOME/.trash/";; + "s") mkdir -p "$HOME/temp" && cp "$file" "$HOME/temp" ;; + "r") mkdir -p "$HOME/temp" && cp "$(basename "$file" ".JPG").RAF" "$HOME/temp" ;; + "e") echo -e "'$(pwd)"/"$(basename "$file" ".JPG").RAF'\n'$(pwd)/""$file""'" ;; esac done ''; From 96ff21e516695327c6ed3349f4b24f269912f012 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Tue, 20 May 2025 16:46:19 +0200 Subject: [PATCH 17/24] feat: enable tailscale for sakura --- hosts/sakura/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/sakura/default.nix b/hosts/sakura/default.nix index 68d3e51..882e5af 100644 --- a/hosts/sakura/default.nix +++ b/hosts/sakura/default.nix @@ -10,6 +10,7 @@ ./hardware-configuration.nix ./../../modules/core ./../../modules/core/virtualization.nix + ./../../modules/services/tailscale.nix inputs.nixos-hardware.nixosModules.framework-13-7040-amd ]; From 8dd8ffb3c80a3ccb6ae6a5760b2a99a3cfa30b01 Mon Sep 17 00:00:00 2001 
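Review bot: The new `"r"` and `"e"` cases drop the directory of `$file`: `$(basename "$file" ".JPG").RAF` is relative to the current directory, so the copy and the printed path are only right when nsxiv was started in the image's directory, and a lowercase `.jpg` is not matched at all; `"r") mkdir -p "$HOME/temp" && cp "${file%.JPG}.RAF" "$HOME/temp" ;;` keeps the path intact. The `"e"` case's hand-built single quotes break on any filename containing `'`; if the handler runs under bash, `printf '%q\n' "${file%.JPG}.RAF" "$file"` prints both paths with shell-safe quoting, and `echo -e` is bash-specific anyway. The `case`/`done` loop and the surrounding Nix string start before this hunk, so which shell runs the handler is not visible here.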
From: Ahwx Date: Fri, 23 May 2025 03:09:40 +0200 Subject: [PATCH 18/24] chore: switch away from useACME --- modules/services/gokapi.nix | 11 +++++++++-- modules/services/grafana.nix | 3 ++- modules/services/immich.nix | 4 ++-- modules/services/invidious.nix | 3 ++- modules/services/ntfy.nix | 6 ++++-- 5 files changed, 19 insertions(+), 8 deletions(-) diff --git a/modules/services/gokapi.nix b/modules/services/gokapi.nix index fff1400..8755939 100644 --- a/modules/services/gokapi.nix +++ b/modules/services/gokapi.nix @@ -1,8 +1,15 @@ -{ lib, config, pkgs, ... }: { +{ + lib, + config, + pkgs, + ... +}: +{ services = { nginx.virtualHosts."share.liv.town" = { - useACMEHost = "liv.town"; forceSSL = true; + sslCertificate = "/var/lib/acme/liv.town/cert.pem"; + sslCertificateKey = "/var/lib/acme/liv.town/key.pem"; locations."/" = { proxyPass = "http://localhost:53842"; }; diff --git a/modules/services/grafana.nix b/modules/services/grafana.nix index b0c0184..a4dfb68 100644 --- a/modules/services/grafana.nix +++ b/modules/services/grafana.nix @@ -11,8 +11,9 @@ }; nginx.virtualHosts.${config.services.grafana.domain} = { - useACMEHost = "liv.town"; forceSSL = true; + sslCertificate = "/var/lib/acme/liv.town/cert.pem"; + sslCertificateKey = "/var/lib/acme/liv.town/key.pem"; locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}"; proxyWebsockets = true; diff --git a/modules/services/immich.nix b/modules/services/immich.nix index 301f192..6b66e76 100644 --- a/modules/services/immich.nix +++ b/modules/services/immich.nix @@ -1,11 +1,11 @@ -{ config, ... }: { +{ config, ... }: +{ services.immich = { enable = true; port = 2283; }; # services.nginx.virtualHosts."" = { - # enableACME = true; # forceSSL = true; # locations."/" = { # proxyPass = "http://localhost:${toString config.services.immich.port}"; diff --git a/modules/services/invidious.nix b/modules/services/invidious.nix index 532e3fb..e4465b8 100644 --- a/modules/services/invidious.nix 
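Review bot: Replacing `useACMEHost = "liv.town"` with raw `sslCertificate`/`sslCertificateKey` paths loses what that option wired up for free — the nginx unit's ordering after the ACME target (so nginx does not start before `/var/lib/acme/liv.town` exists) and the reload after each renewal — so after the first renewal nginx keeps serving the old certificate until something restarts it. If the switch is deliberate, `security.acme.certs."liv.town".reloadServices = [ "nginx" ];` (and `group = config.services.nginx.group;` on that cert, if not already set, so nginx can read key.pem) restores the renewal reload; the same applies to the grafana, invidious, ntfy and sharkey hunks in this series. The commit message gives no reason for the switch; one line explaining it would help the next person who sees useACMEHost still used in the nginx module and wonders why it is avoided here.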
+++ b/modules/services/invidious.nix @@ -12,7 +12,8 @@ virtualHosts = { "video.liv.town" = { forceSSL = true; - enableACME = true; + sslCertificate = "/var/lib/acme/liv.town/cert.pem"; + sslCertificateKey = "/var/lib/acme/liv.town/key.pem"; locations."/".proxyPass = "http://127.0.0.1:${toString config.services.invidious.port}"; }; }; diff --git a/modules/services/ntfy.nix b/modules/services/ntfy.nix index d7c9424..19c3fba 100644 --- a/modules/services/ntfy.nix +++ b/modules/services/ntfy.nix @@ -2,7 +2,8 @@ let hostname = "notify.liv.town"; port = 2586; url = "https://" + hostname; -in { +in +{ services = { ntfy-sh = { enable = true; @@ -16,8 +17,9 @@ in { }; }; nginx.virtualHosts.${hostname} = { - useACMEHost = "liv.town"; forceSSL = true; + sslCertificate = "/var/lib/acme/liv.town/cert.pem"; + sslCertificateKey = "/var/lib/acme/liv.town/key.pem"; locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; proxyWebsockets = true; From 34c7796d451eb04ee9d39b9da399bf35eed5f911 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Fri, 23 May 2025 03:10:41 +0200 Subject: [PATCH 19/24] feat: fix some proxy issues, not all of them are resolved yet though. also fix some issues regarding quack.social and make that more universal --- modules/services/nginx.nix | 72 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 70 insertions(+), 2 deletions(-) diff --git a/modules/services/nginx.nix b/modules/services/nginx.nix index bef0680..952473a 100644 --- a/modules/services/nginx.nix +++ b/modules/services/nginx.nix @@ -1,4 +1,11 @@ -{ pkgs, config, lib, ... }: { +{ + pkgs, + config, + lib, + ... +}: +{ + security.acme = { acceptTerms = true; defaults.email = lib.mkDefault "ahwx@ahwx.org"; 
@@ -10,7 +17,15 @@ dnsProvider = "desec"; environmentFile = "/home/liv/desec.env"; # location of your DESEC_TOKEN=[value] webroot = null; - }; + }; + "quack.social" = { + domain = "*.quack.social"; + extraDomainNames = [ "quack.social" ]; + group = config.services.nginx.group; + dnsProvider = "desec"; + environmentFile = "/home/liv/desec.env"; # location of your DESEC_TOKEN=[value] + webroot = null; + }; }; }; @@ -22,8 +37,42 @@ recommendedProxySettings = true; clientMaxBodySize = lib.mkDefault "10G"; + defaultListen = + let + listen = [ + { + addr = "[::]"; + port = 80; + extraParameters = [ "proxy_protocol" ]; + } + { + addr = "[::]"; + port = 443; + ssl = true; + extraParameters = [ "proxy_protocol" ]; + } + ]; + in + map (x: (x // { addr = "0.0.0.0"; })) listen ++ listen; + # Hardened TLS and HSTS preloading appendHttpConfig = '' + # Proxying + # real_ip_header proxy_protocol; + + server { + listen 80 proxy_protocol; + listen 443 ssl proxy_protocol; + # set_real_ip_from 10.7.0.0/24; + } + + ssl_certificate /var/lib/acme/quack.social/cert.pem; + ssl_certificate_key /var/lib/acme/quack.social/key.pem; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $proxy_protocol_addr; + proxy_set_header X-Forwarded-For $proxy_protocol_addr; + # Add HSTS header with preloading to HTTPS requests. # Do not add HSTS header to HTTP requests. map $scheme $hsts_header { 
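Review bot: The deSEC API token for the new `quack.social` certificate is read from `/home/liv/desec.env`, a file inside an interactive user's home directory, and the same path is shared with the liv.town cert above it. Unless the token was created with restricted permissions, a deSEC token can rewrite every zone on the account, so it belongs in a root-owned location with restrictive mode (for example `/var/lib/secrets/desec.env`, 0400, or a sops-nix/agenix-managed secret) rather than beside the user's shell history; the comment `# location of your DESEC_TOKEN=[value]` should also say which user needs read access (the acme service user). The two cert blocks are identical apart from the domain, so a small helper `mkDesecCert = domain: { inherit domain; group = config.services.nginx.group; dnsProvider = "desec"; environmentFile = ...; webroot = null; }` would keep them from drifting.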
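Review bot: Every listener in `defaultListen` now requires PROXY protocol on `0.0.0.0` and `[::]`, and the client address is taken straight from `$proxy_protocol_addr`, while `set_real_ip_from` and `real_ip_header proxy_protocol` are left commented out. Since 80/443 are opened to every source in this same commit, any host that can reach the machine directly can send its own PROXY header and pick the `X-Real-IP`/`X-Forwarded-For` the backends see, which defeats per-IP rate limits, access logs and any IP allowlists in grafana, ntfy or sharkey. The safe shape is to trust PROXY data only from the upstream proxy — `set_real_ip_from <upstream-proxy-address>;` and `real_ip_header proxy_protocol;` so that `$remote_addr` becomes the real client (and the headers from `recommendedProxySettings` can stay) — and to restrict who can reach the listeners at the firewall or by binding them to the address the upstream uses. The bare `server { listen 80 proxy_protocol; listen 443 ssl proxy_protocol; }` block with no `server_name` also becomes a catch-all for unknown Host names and, through the http-level `ssl_certificate`, answers unmatched SNI with the quack.social certificate; if that is not intended, drop it or make it `return 444;`.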
@@ -49,5 +98,24 @@ add_header pronouns "any but neopronouns"; add_header locale "[en_US, nl_NL]"; ''; + appendConfig = '' + # https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/ + # set_real_ip_from 213.210.34.27; + + # real_ip_header proxy_protocol; + + # proxy_set_header Host $host; + # proxy_set_header X-Real-IP $proxy_protocol_addr; + # proxy_set_header X-Forwarded-For $proxy_protocol_addr; + # proxy_set_header X-Forwarded-Proto $scheme; + # proxy_set_header X-Forwarded-Host $host; + # proxy_set_header X-Forwarded-Server $host; + ''; + }; + networking.firewall = { + allowedTCPPorts = [ + 80 + 443 + ]; }; } From db403cde002507ea220c5e2d0c36d2d7abdbe8e7 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Fri, 23 May 2025 03:11:14 +0200 Subject: [PATCH 20/24] chore: move away from enableACME, remove unused code --- modules/services/sharkey-proxy.nix | 23 ++--------------------- 1 file changed, 2 insertions(+), 21 deletions(-) diff --git a/modules/services/sharkey-proxy.nix b/modules/services/sharkey-proxy.nix index 416bfe9..166876c 100644 --- a/modules/services/sharkey-proxy.nix +++ b/modules/services/sharkey-proxy.nix @@ -2,8 +2,9 @@ { services = { nginx.virtualHosts."quack.social" = { - enableACME = true; forceSSL = true; + sslCertificate = "/var/lib/acme/quack.social/cert.pem"; + sslCertificateKey = "/var/lib/acme/quack.social/key.pem"; locations."/" = { proxyPass = "http://localhost:3000"; proxyWebsockets = true; 
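Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ]` opens both ports to every source, yet with all listeners requiring PROXY protocol the only legitimate peer is the upstream proxy (the commented `set_real_ip_from 213.210.34.27;` is presumably its address); direct clients just get a broken handshake, so the world-open ports add attack surface and a PROXY-header spoofing vector without serving anyone. Consider limiting them to the upstream with `networking.firewall.extraCommands` / `networking.nftables` rules, or `networking.firewall.interfaces.<if>.allowedTCPPorts` if the proxy arrives over a dedicated tunnel interface. The new `appendConfig` block is entirely comments, and `proxy_set_header`/`real_ip_header` are not valid in the main context anyway, so it is dead config that will mislead the next reader — delete it or replace it with one line such as `# real-IP / PROXY protocol handling lives in appendHttpConfig above`.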
@@ -16,26 +17,6 @@ ''; }; - locations."/files/" = { - proxyPass = "http://localhost:3000"; - proxyWebsockets = true; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $remote_addr; - - # Try cache? - # proxy_cache sharkey; - # proxy_cache_path /var/cache/nginx/sharkey levels=1:2 keys_zone=sharkey:15m; - # proxy_cache_lock on; - # proxy_cache_use_stale updating; - # proxy_force_ranges on; - # add_header X-Cache $upstream_cache_status; - ''; - }; - locations."/wiki/" = { # Nepenthis proxyPass = "http://localhost:8893"; From 07ffd197ce4da691b2cc6eb6da8f813d1fc38c79 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Fri, 23 May 2025 03:31:08 +0200 Subject: [PATCH 21/24] chore: open firewall for ssh port --- modules/core/sshd.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/core/sshd.nix b/modules/core/sshd.nix index 2cd550c..012b44a 100644 --- a/modules/core/sshd.nix +++ b/modules/core/sshd.nix @@ -1,4 +1,4 @@ -{ lib, ... }: +{ lib, config, ... }: { services.openssh = { enable = true; @@ -11,6 +11,8 @@ }; }; + networking.firewall.allowedTCPPorts = [ config.services.openssh.ports ]; + users.users.liv.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGXi00z/rxVrWLKgYr+tWIsbHsSQO75hUMSTThNm5wUw liv@sakura" # main laptop "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2nsQHyWnrmuQway0ehoMUcYYfhD8Ph/vpD0Tzip1b1 liv@meow" # main phone From 3f118856840aff9bfd19b038c9b7220f8a2b13ca Mon Sep 17 00:00:00 2001 From: Ahwx Date: Fri, 23 May 2025 03:31:42 +0200 Subject: [PATCH 22/24] chore: move ssh port away from monitoring module, as it should be in the sshd module --- modules/services/monitoring.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/modules/services/monitoring.nix b/modules/services/monitoring.nix index 848e838..a22d5f9 100644 
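Review bot: `networking.firewall.allowedTCPPorts = [ config.services.openssh.ports ];` nests a list inside a list — `services.openssh.ports` is already a `listOf port` — so the module system will reject the configuration at evaluation time; the intended form is `networking.firewall.allowedTCPPorts = config.services.openssh.ports;`. The line is also redundant: `services.openssh.openFirewall` defaults to true and opens exactly those ports, so the explicit rule can be dropped in favour of that option (or `openFirewall = false` set deliberately if SSH should only be reachable over a VPN). The follow-up commit removes 9123 from monitoring.nix's firewall list, so if sshd actually listens there, 9123 must appear in `services.openssh.ports` or it goes dark. The `@@ -11,6` hunk starts inside the `services.openssh` block, whose remaining settings are outside the hunk.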
--- a/modules/services/monitoring.nix +++ b/modules/services/monitoring.nix @@ -26,8 +26,6 @@ networking.firewall = { allowedTCPPorts = [ 9001 - 22 - 9123 # always also allow ssh :screaming: ]; }; } From 13294fcb09cae6a8d713f1de1f83b963266cc6e0 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Fri, 23 May 2025 03:33:29 +0200 Subject: [PATCH 23/24] feat: create vlans and add dhcpd4 as reference, since apparently its state has been changed to "deprecated" --- hosts/lily/default.nix | 93 +++++++++++++++++++++++++++++++++++++++--- 1 file changed, 87 insertions(+), 6 deletions(-) diff --git a/hosts/lily/default.nix b/hosts/lily/default.nix index 2d36d14..fba412b 100644 --- a/hosts/lily/default.nix +++ b/hosts/lily/default.nix 
@@ -74,14 +74,93 @@ in }; }; }; + + # <100 is trusted; =>100 is untrusted. + vlans = { + lan = { + id = 1; + interface = "lan1"; + }; + servers = { + id = 10; + interface = "lan1"; + }; + management = { + id = 21; + interface = "lan1"; + }; + iot = { + id = 100; + interface = "lan1"; + }; + guest = { + id = 110; + interface = "lan1"; + }; + }; }; - services.udev.extraRules = '' - SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:47:67:6e", ATTR{type}=="1", NAME="wan0" - SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:47:67:6f", ATTR{type}=="1", NAME="lan0" - SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:63:0f:80", ATTR{type}=="1", NAME="lan1" - SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:63:0f:81", ATTR{type}=="1", NAME="lan2" - ''; + services = { + udev.extraRules = '' + SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:47:67:6e", ATTR{type}=="1", NAME="wan0" + SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:47:67:6f", ATTR{type}=="1", NAME="lan0" + SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:63:0f:80", ATTR{type}=="1", NAME="lan1" + SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:63:0f:81", ATTR{type}=="1", NAME="lan2" + ''; + dhcpd4 = { + enable = true; + interfaces = [ + "lan" + "servers" + "management" + "iot" + "guest" + ]; + extraConfig = '' + option domain-name-servers 9.9.9.9, 149.112.112.112; + option subnet-mask 255.255.255.0; + + subnet 172.16.1.0 netmask 255.255.255.0 { + option broadcast-address 172.16.1.255; + option routers 172.16.1.1; + interface lan; + range 172.16.1.50 172.16.1.254; + } + subnet 172.16.10.0 netmask 255.255.255.0 { + option broadcast-address 172.16.10.255; + option routers 172.16.10.1; + interface servers; + range 172.16.10.50 172.16.10.254; + } + subnet 172.16.21.0 netmask 255.255.255.0 { + option broadcast-address 
172.16.21.255; + option routers 172.16.21.1; + interface management; + range 172.16.21.50 172.16.21.254; + } + subnet 172.16.100.0 netmask 255.255.255.0 { + option broadcast-address 172.16.100.255; + option routers 172.16.100.1; + interface iot; + range 172.16.100.50 172.16.100.254; + } + subnet 172.16.110.0 netmask 255.255.255.0 { + option broadcast-address 172.16.110.255; + option routers 172.16.110.1; + interface guest; + range 172.16.110.50 172.16.110.254; + } + ''; + }; + avahi = { + enable = true; + reflector = true; + interfaces = [ + "lan" + "iot" + ]; + }; + }; networking.hostName = "lily"; @@ -91,5 +170,7 @@ in kitty.terminfo tcpdump dnsutils + bind + ethtool ]; } From 0de00b4a9c1b7935bbd12ebd102632f04a543056 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Fri, 23 May 2025 12:39:08 +0200 Subject: [PATCH 24/24] feat: adds floating kitty on `mainMod+bspc` --- modules/home/hyprland/config.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/home/hyprland/config.nix b/modules/home/hyprland/config.nix index 151c278..8484878 100644 --- a/modules/home/hyprland/config.nix +++ b/modules/home/hyprland/config.nix @@ -214,6 +214,7 @@ bind = [ # keybindings "$mainMod, Return, exec, kitty" + "$mainMod, Backspace, exec, [float; center; size 950 650] kitty" "$mainMod, Q, killactive," "$mainMod, F, fullscreen, 0" # set 1 to 0 to set full screen without waybar "$mainMod, Space, togglefloating,"
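Review bot: `services.avahi.reflector = true` with `interfaces = [ "lan" "iot" ]` bridges mDNS across the trust boundary the comment `# <100 is trusted; =>100 is untrusted` draws: LAN service advertisements leak into the IoT VLAN, and IoT devices can announce or impersonate services (printers, casting targets, `*.local` names) to trusted clients. If reflection is needed, narrow it to the required service types via `services.avahi.extraConfig` (`[reflector]` with `reflect-filters=` on avahi ≥ 0.8) and record the decision with a comment such as `# mDNS reflection lan<->iot is a deliberate trust-boundary crossing for device discovery`. No inter-VLAN filtering appears in this hunk, so isolation between the five subnets depends on rules defined elsewhere or does not exist yet — worth stating next to the VLAN table. `services.dhcpd4` is deprecated/removed upstream as the commit message notes; `services.kea.dhcp4` is the supported replacement and the five subnets map onto it one-to-one. Tagging VLAN 1 (`lan.id = 1`) on the `lan1` trunk may not line up with a switch that treats VLAN 1 as the untagged native VLAN — confirm against the switch configuration.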