add sternchen computer

assets/tinc/sternchen_host_file

@@ -0,0 +1,14 @@
+Ed25519PublicKey = Z567IKl00Kw5JFBNwMvjL33QYe2hRoNtQcNIDFRPReB
+-----BEGIN RSA PUBLIC KEY-----
+MIICCgKCAgEA1vhCFsFK0QSYDlXSS6ngpZbilplYtaPBzbxWYGAxa5vNtwoaO2Tz
+BZ4ptvE26TR2+Jygvlk5xdoNYAL/yhNI9p86vs/pA+sJmBlsYAWOA5qAnXoIL2u4
+1CBB9t+uMnQKhyPoBoDq6QXmM1HlFhxtkKVlLyEHxARxu7g/inFtghPqYD/HyjVJ
+V6h9OdKEgY+wcn6GGLXGjrSMAsIZP2w8fPQfS45UAtjK+cFODFKElxGZrjqgJP1w
+/Jw6nB03yKMGsMHNkiwC2BJbK3+pT92JfyqXRg3REw0hVMZghcsoNtWfBoNYLvFY
+qwk+bvf5bVdLxLMEv33+B3F8SScXuwMUpBwCeMi58ltt+OuOVhh8PLA9ncA6tGa9
+tzyUo7i8qjGTremSilWIdRYqOexriPKCdnYcJcw/L9Vl2H3QbIj7uVxbszQbqDGS
+KM43U5cXgpMIYI9CwxnWB8np7n/IXZFG5E+9afd4kYTLShzaObzu2I1yom0O4Ks7
+HsdvlsBgv4iT6ctquHtU6IFsa/Wfm4ntDiAcczoQEXs0F2v839FH62TPTY70xzyd
+wQhAdCegb6MYVmVmQL9jv8QDfxwUxtsohbW3ncBDYrdy2rmeiZDGaRJVEbyf6MKI
+OfaobRGXY0NnOURX9/fkXSydDKd3rIhOMubfUq0+Smm3YrsHWeZVvNMCAwEAAQ==
+-----END RSA PUBLIC KEY-----

configs/porani/syncthing.nix

@@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }: {
 
-  networking.firewall.interfaces."tinc.insecure".allowedTCPPorts = [ 8384 ];
+  networking.firewall.interfaces."tinc.secure".allowedTCPPorts = [ 8384 ];
 
   custom.samba-share = {
     enable = true;
@@ -12,7 +12,7 @@
   };
 
   services.syncthing = {
-    guiAddress = lib.mkForce "${config.networking.hostName}.insecure:8384";
+    guiAddress = lib.mkForce "${config.networking.hostName}.secret:8384";
     enable = true;
     openDefaultPorts = true;
     declarative = {

configs/porani/tinc.nix

@@ -6,7 +6,7 @@
     #  openPort = true;
     #  connectTo = [ "sputnik" ];
     #};
-    "insecure" = {
+    "secure" = {
       enable = true;
       openPort = true;
       connectTo = [ "sputnik" ];

configs/sputnik/tinc.nix

@@ -4,7 +4,7 @@
       enable = true;
       openPort = true;
     };
-    "insecure" = {
+    "secret" = {
       enable = true;
       openPort = true;
     };

configs/sternchen/configuration.nix

@@ -0,0 +1,81 @@
+{ config, pkgs, lib, ... }: {
+
+  imports = [
+
+    <system/desktop>
+    ./hardware-configuration.nix
+
+    ./packages.nix
+    #./syncthing.nix
+    ./tinc.nix
+
+  ];
+
+  networking.hostName = "sternchen";
+
+  system.custom.mainUser.userName = "tina";
+
+  system.custom.wifi.interfaces = [ "wlp3s0" ];
+
+  security.wrappers = {
+    pmount.source = "${pkgs.pmount}/bin/pmount";
+    pumount.source = "${pkgs.pmount}/bin/pumount";
+  };
+
+  # keybase
+  services.keybase.enable = false;
+  services.kbfs.enable = false;
+
+  programs.custom.steam.enable = false;
+  programs.custom.video.enable = false;
+
+  services.printing.enable = true;
+
+  # fonts
+  # -----
+  programs.custom.urxvt.fontSize = 12;
+  programs.custom.xterm.fontSize = 12;
+  system.custom.fonts.dpi = 100;
+
+  virtualisation = {
+    docker.enable = false;
+
+    virtualbox = {
+      host.enable = false;
+      guest.x11 = false;
+      guest.enable = false;
+    };
+  };
+
+  configuration.desktop = {
+    width = 1366;
+    height = 768;
+  };
+
+  custom.samba-share = {
+    enable = false;
+    folders = {
+      #public = "/home/palo/movies";
+      share = "/home/share";
+      #syncthing = "/mnt/syncthing";
+      #movies = "/mnt/syncthing/movies";
+      #series = "/mnt/syncthing/series";
+    };
+  };
+
+  # enable this to use sidequest
+  programs.adb.enable = false;
+  users.users.mainUser.extraGroups = [ "adbusers" "video" ];
+
+  # for congress and streaming
+  hardware.opengl = {
+    enable = true;
+    extraPackages = [ pkgs.vaapiIntel ];
+    driSupport32Bit = true;
+  };
+  nixpkgs.config.packageOverrides = pkgs: {
+    vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
+  };
+
+}
+

configs/sternchen/hardware-configuration.nix

@@ -0,0 +1,79 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+
+  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
+
+  boot.initrd.availableKernelModules =
+    [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  # Use the systemd-boot EFI boot loader, not grub
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  zramSwap = {
+    enable = true;
+    numDevices = 2;
+    swapDevices = 1;
+    memoryPercent = 50;
+  };
+
+  #fileSystems."/share/" = {
+  #  device = "/dev/ram1";
+  #  fsType = "tmpfs";
+  #};
+
+  #fileSystems."/browsers/" = {
+  #  #device = "/dev/ram2";
+  #  #fsType = "tmpfs";
+  #  options = [ "noatime" "nodiratime" "discard" ];
+  #  device = "/dev/vg/browser";
+  #  fsType = "ext4";
+  #};
+
+  nix.maxJobs = lib.mkDefault 4;
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+
+  # lvm volume group
+  # ----------------
+  boot.initrd.luks.devices = {
+    vg = {
+      device = "/dev/sda2";
+      preLVM = true;
+    };
+  };
+
+  # NTFS support
+  # ------------
+  environment.systemPackages = [ pkgs.ntfs3g ];
+
+  # root
+  # ----
+  fileSystems."/" = {
+    options = [ "noatime" "nodiratime" "discard" ];
+    device = "/dev/vg/root";
+    fsType = "ext4";
+  };
+
+  # home
+  # ----
+  fileSystems."/home" = {
+    options = [ "noatime" "nodiratime" "discard" ];
+    device = "/dev/vg/home";
+    fsType = "ext4";
+  };
+
+  # boot
+  # ----
+  fileSystems."/boot" = {
+    device = "/dev/sda1";
+    fsType = "vfat";
+  };
+
+}

configs/sternchen/packages.nix

@@ -0,0 +1,13 @@
+{ config, lib, pkgs, ... }:
+let unstable = import <nixpkgs-unstable> { };
+in {
+
+  # overlay included
+  #nixpkgs.overlays = [ (import <mozilla-overlay/rust-overlay.nix>) ];
+
+  environment.systemPackages = with pkgs; [
+    darktable
+    keepass
+  ];
+
+}

configs/sternchen/syncthing.nix

@@ -0,0 +1,77 @@
+{ config, pkgs, lib, ... }: {
+
+  services.syncthing = {
+    enable = true;
+    openDefaultPorts = false;
+    user = "palo";
+    dataDir = "/home/palo/.syncthing";
+    configDir = "/home/palo/.syncthing";
+    declarative = {
+      cert = toString <secrets/syncthing/cert.pem>;
+      key = toString <secrets/syncthing/key.pem>;
+      overrideFolders = true;
+      folders = {
+
+        # on encrypted drive
+        # ------------------
+        private = {
+          enable = true;
+          path = "/home/palo/private";
+        };
+        desktop = {
+          enable = true;
+          path = "/home/palo/desktop";
+        };
+        finance = {
+          enable = true;
+          path = "/home/palo/finance";
+        };
+        fotos = {
+          enable = true;
+          path = "/home/palo/fotos";
+        };
+        samples = {
+          enable = true;
+          path = "/home/palo/samples";
+        };
+        zettlr = {
+          enable = true;
+          path = "/home/palo/zettlr";
+        };
+        programs = {
+          enable = true;
+          path = "/home/palo/programs";
+        };
+
+        # no need to be encrypted
+        # -----------------------
+        books = {
+          enable = true;
+          path = "/home/palo/books";
+        };
+        music-library = {
+          enable = true;
+          path = "/home/palo/music-library";
+        };
+        music-projects = {
+          enable = true;
+          path = "/home/palo/music-projects";
+        };
+        smartphone-folder = {
+          enable = true;
+          path = "/home/palo/smartphone-folder";
+        };
+        processing = {
+          enable = true;
+          path = "/home/palo/sketchbook";
+        };
+
+      };
+    };
+  };
+
+  system.permown."/home/palo/music-library" = {
+    owner = "palo";
+    group = "users";
+  };
+}

configs/sternchen/tinc.nix

@@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+  module.cluster.services.tinc = {
+    #"private" = {
+    #  enable = true;
+    #  openPort = true;
+    #  connectTo = [ "sputnik" ];
+    #};
+    #"retiolum" = {
+    #  enable = true;
+    #  openPort = true;
+    #};
+    "secret" = {
+      enable = true;
+      openPort = true;
+      connectTo = [ "sputnik" ];
+    };
+  };
+
+}

configs/sternchen/wifi-access-point.nix

@@ -0,0 +1,84 @@
+{ lib, pkgs, ... }:
+
+let
+  wifi = "wlp0s29u1u2";
+  ipAddress = "10.123.145.1";
+  prefixLength = 24;
+  servedAddressRange = "10.123.145.2,10.123.145.150,12h";
+  ssid = "bumbumbum";
+  wifiPassword = lib.fileContents <secrets/wifi-access-point>;
+
+in {
+  # todo only open needed ports
+  networking.firewall.trustedInterfaces = [ wifi ];
+
+  networking.networkmanager.unmanaged = [ wifi ];
+  networking.dhcpcd.denyInterfaces = [ wifi ];
+
+  networking.interfaces."${wifi}".ipv4.addresses = [{
+    address = ipAddress;
+    prefixLength = prefixLength;
+  }];
+
+  # forward traffic coming in trough the access point => provide internet and vpn network access
+  # todo : forward to own servers
+  boot.kernel.sysctl = {
+    "net.ipv4.conf.${wifi}.forwarding" = true;
+    "net.ipv6.conf.${wifi}.forwarding" = true;
+  };
+
+  systemd.services.hostapd = {
+    description = "hostapd wireless AP";
+    path = [ pkgs.hostapd ];
+
+    # start manual
+    # wantedBy = [ "network.target" ];
+
+    after = [
+      "${wifi}-cfg.service"
+      "nat.service"
+      "bind.service"
+      "dhcpd.service"
+      "sys-subsystem-net-devices-${wifi}.device"
+    ];
+
+    serviceConfig = {
+      ExecStart = "${pkgs.hostapd}/bin/hostapd ${
+          pkgs.writeText "hostapd.conf" ''
+            interface=${wifi}
+            hw_mode=g
+            channel=10
+            ieee80211d=1
+            country_code=DE
+            ieee80211n=1
+            wmm_enabled=1
+
+            ssid=${ssid}
+            auth_algs=1
+            wpa=2
+            wpa_key_mgmt=WPA-PSK
+            rsn_pairwise=CCMP
+            wpa_passphrase=${wifiPassword}
+          ''
+        }";
+      Restart = "always";
+    };
+  };
+
+  services.dnsmasq = {
+    enable = true;
+    extraConfig = ''
+      # Only listen to routers' LAN NIC.  Doing so opens up tcp/udp port 53 to
+      # localhost and udp port 67 to world:
+      interface=${wifi}
+
+      # Explicitly specify the address to listen on
+      listen-address=${ipAddress}
+
+      # Dynamic range of IPs to make available to LAN PC and the lease time.
+      # Ideally set the lease time to 5m only at first to test everything works okay before you set long-lasting records.
+      dhcp-range=${servedAddressRange}
+    '';
+  };
+
+}

configs/sternchen/wireshark.nix

@@ -0,0 +1,45 @@
+{ pkgs, config, ... }: {
+
+  users.users.mainUser.extraGroups = [ "wireshark" ];
+  programs.wireshark.enable = true;
+
+  environment.systemPackages = [
+
+    pkgs.wireshark
+
+    # alternative packet analyzer (only works with elasticsearch)
+    pkgs.packetbeat7
+  ];
+
+  # elastic search is good for analysing stuff
+  # https://www.elastic.co/blog/analyzing-network-packets-with-wireshark-elasticsearch-and-kibana
+  services.elasticsearch.enable = true;
+  services.elasticsearch.listenAddress =
+    "${config.networking.hostName}.private";
+  services.kibana.enable = true;
+  services.kibana.elasticsearch.hosts =
+    [ "http://${config.networking.hostName}.private:9200" ];
+  services.kibana.listenAddress = "${config.networking.hostName}.private";
+  services.kibana.port = 5601;
+
+  # using tshark with elastic search
+  # --------------------------------
+  # tshark -r file.pcap -T ek > packages.json
+  # curl -XPOST "sterni.private:9200/packets/doc/_bulk" -H 'Content-Type: application/json' --data-binary "@packets.json"
+
+  services.nginx = {
+    enable = true;
+    statusPage = true;
+    virtualHosts = {
+      "kibana.${config.networking.hostName}.private" = {
+        serverAliases = [ ];
+        locations."/" = {
+          proxyPass = "http://${config.networking.hostName}.private:${
+              toString config.services.kibana.port
+            }";
+        };
+      };
+    };
+  };
+
+}

configs/sterni/tinc.nix

@@ -14,7 +14,7 @@ with lib;
       enable = true;
       openPort = true;
     };
-    "insecure" = {
+    "secret" = {
       enable = true;
       openPort = true;
       connectTo = [ "sputnik" ];

configs/workhorse/tinc.nix

@@ -10,7 +10,7 @@
       enable = true;
       openPort = true;
     };
-    "insecure" = {
+    "secret" = {
       enable = true;
       openPort = true;
       connectTo = [ "sputnik" ];

shell.nix

@@ -2,7 +2,7 @@ let
 
   # host used to install stuff. (can be an onion id if you use torify)
   #installHost = "localhost";
-  installHost = "adsf.onion";
+  installHost = "mobi.private";
 
   #ops = import ../plops ;
   ops = import ((import <nixpkgs> { }).fetchgit {
@@ -132,7 +132,7 @@ let
 
   hostPattern = name:
     if name == "porani" then
-      "${name}.insecure"
+      "${name}.secret"
     else if name == "dummy" then
       "95.217.223.75"
     else
@@ -233,7 +233,7 @@ in pkgs.mkShell {
 
   buildInputs = with pkgs;
     (servers [ "workhorse" "sputnik" "porani" "dummy" ])
-    ++ (desktops [ "pepe" "workout" "sterni" "mobi" ]) ++ [
+    ++ (desktops [ "pepe" "workout" "sterni" "mobi" "sternchen" ]) ++ [
       (pkgs.writers.writeBashBin "reformat" ''
         find ${
           toString ./.

system/all/sshd-known-hosts-private.nix

@@ -5,9 +5,9 @@
     "sterni.private" = {
       hostNames = [
         "sterni.private"
-        "sterni.insecure"
+        "sterni.secret"
         config.module.cluster.services.tinc.private.hosts.sterni.tincIp
-        config.module.cluster.services.tinc.insecure.hosts.sterni.tincIp
+        config.module.cluster.services.tinc.secret.hosts.sterni.tincIp
       ];
       publicKey =
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyHmHJy2Va45p9mn+Hj3DyaY5yxnQIKvXeACHjzgSKt";
@@ -24,9 +24,9 @@
     "sputnik.private" = {
       hostNames = [
         "sputnik.private"
-        "sputnik.insecure"
+        "sputnik.secret"
         config.module.cluster.services.tinc.private.hosts.sputnik.tincIp
-        config.module.cluster.services.tinc.insecure.hosts.sputnik.tincIp
+        config.module.cluster.services.tinc.secret.hosts.sputnik.tincIp
       ];
       publicKey =
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTLXDTqUtl0BQgzH1O7CRulGCRN1P4KU8imL/wjYFh8";
@@ -34,17 +34,17 @@
     "workhorse.private" = {
       hostNames = [
         "workhorse.private"
-        "workhorse.insecure"
+        "workhorse.secret"
         config.module.cluster.services.tinc.private.hosts.workhorse.tincIp
-        config.module.cluster.services.tinc.insecure.hosts.workhorse.tincIp
+        config.module.cluster.services.tinc.secret.hosts.workhorse.tincIp
       ];
       publicKey =
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDaK0Vv33TuGQa/B5p54sGilgpYvfKkBaBGlEBpIk1QB";
     };
-    "porani.insecure" = {
+    "porani.secret" = {
       hostNames = [
-        "porani.insecure"
+        "porani.secret"
-        config.module.cluster.services.tinc.insecure.hosts.porani.tincIp
+        config.module.cluster.services.tinc.secret.hosts.porani.tincIp
       ];
       publicKey =
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOKNtRWVrqADgAMtTSWgnpp8gRKUtn4QUMFzQ78fC+aK";

system/all/syncthing.nix

@@ -27,7 +27,7 @@ with lib; {
             id =
               "6YOIA4E-X52ZD5Z-FPNWPRS-77QIMMU-VDIXVZB-6BPQN7A-FFJDU4W-EXEGFAI";
             addresses =
-              [ "tcp://porani.insecure:22000" "tcp://porani.insecure:21027" ];
+              [ "tcp://porani.secret:22000" "tcp://porani.secret:21027" ];
           };
         } // {
           smartphone = {

system/all/tinc.nix

@@ -44,7 +44,7 @@ in {
       };
     };
     # nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
-    "insecure" = {
+    "secret" = {
       networkSubnet = "10.123.42.0/24";
       port = 721;
       extraConfig = ''
@@ -54,6 +54,11 @@ in {
       privateEd25519KeyFile = toString <secrets/tinc/ed25519_key>;
       privateRsaKeyFile = toString <secrets/tinc/rsa_key>;
       hosts = {
+        sternchen = {
+          tincIp = "10.123.42.25";
+          # publicKey  = lib.fileContents <assets/tinc/sterni_host_file>;
+          publicKey = lib.fileContents <assets/tinc/sternchen_host_file>;
+        };
         sterni = {
           tincIp = "10.123.42.24";
           # publicKey  = lib.fileContents <assets/tinc/sterni_host_file>;

system/desktop/home-manager/ssh.nix

@@ -15,7 +15,7 @@ with lib; {
         identitiesOnly = true;
         user = "root";
       };
-      "*.insecure" = {
+      "*.secret" = {
         identityFile = "~/.ssh/card_rsa.pub";
         identitiesOnly = true;
         user = "root";

system/desktop/user.nix

@@ -3,7 +3,7 @@
 
   system.custom.mainUser = {
     enable = true;
-    userName = "palo";
+    userName = lib.mkDefault "palo";
     authorizedKeyFiles =
       config.users.users.root.openssh.authorizedKeys.keyFiles;
   };