From b8af70ffc71d37a57d8e13eeb5217aabdc5620eb Mon Sep 17 00:00:00 2001
From: Ingolf Wagner
Date: Mon, 14 Aug 2023 03:29:02 +0200
Subject: [PATCH] reconfigure sternchen
---
 flake.nix | 9 ++
 nixos/components/network/tinc/secret.nix | 6 +-
 .../sternchen => legacy}/wireshark.nix | 0
 nixos/machines/sternchen/configuration.nix | 30 +++----
 nixos/machines/sternchen/packages.nix | 2 +
 nixos/machines/sternchen/tinc.nix | 17 +---
 .../machines/sternchen/wifi-access-point.nix | 85 -------------------
 nixos/machines/sterni/configuration.nix | 3 +-
 8 files changed, 34 insertions(+), 118 deletions(-)
 rename nixos/{machines/sternchen => legacy}/wireshark.nix (100%)
 delete mode 100644 nixos/machines/sternchen/wifi-access-point.nix
diff --git a/flake.nix b/flake.nix
index 3776d89..0fe6ce9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -281,6 +281,15 @@
 nixosConfigurations = {
+ sternchen = nixosConfigurationSetup {
+ name = "sternchen";
+ modules = [
+ nixos-hardware.nixosModules.lenovo-thinkpad-x220
+ #retiolum.nixosModules.retiolum
+ #private_assets.nixosModules.jobrad
+ homeManagerModules
+ ];
+ };
 sterni = nixosConfigurationSetup {
 name = "sterni";
 modules = [
diff --git a/nixos/components/network/tinc/secret.nix b/nixos/components/network/tinc/secret.nix
index 4a28e9a..695bf31 100644
--- a/nixos/components/network/tinc/secret.nix
+++ b/nixos/components/network/tinc/secret.nix
@@ -33,7 +33,7 @@ in
 };
 cream = {
 subnets = [{ address = hosts.cream; }];
- settings.Ed25519PublicKey = "";
+ settings.Ed25519PublicKey = "Y/YRA90mAlNEmdhUWlUTHjjsco6d6hlvW11sPtarIdL";
 };
 sterni = {
 subnets = [{ address = hosts.sterni; }];
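Review bot: The new `sternchen` entry in `nixosConfigurations` carries two commented-out modules, `#retiolum.nixosModules.retiolum` and `#private_assets.nixosModules.jobrad`, with no explanation, so a reader cannot tell whether they are temporarily disabled or permanently dropped — a style point on the added lines. The same commit enables `tinc.secret` for this machine in `nixos/machines/sternchen/tinc.nix`, so the intent is presumably to join only the `secret` network; if so, either delete the two lines or say so once, e.g. `# sternchen joins only the "secret" tinc network (see tinc.nix); retiolum and jobrad intentionally off`. The enclosing `nixosConfigurations` attribute set continues outside the hunk.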
@@ -65,6 +65,10 @@ in
 networking.extraHosts = concatStringsSep "\n" (mapAttrsToList (name: ip: "${ip} ${name}.${network}") hosts);
 services.openssh.knownHosts = {
+ "cream.${network}" = {
+ hostNames = [ "cream.${network}" hosts.cream ];
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConHiCL7INgAhuN6Z9TqP0zP+xNpdV7+OHwUca4IRDD";
+ };
 "sternchen.${network}" = {
 hostNames = [ "sterni.${network}" hosts.sterni ];
 publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriD/0+65L1mkbjKENwpvB3wUMXz/rEf9J8wuJjJa0q";
diff --git a/nixos/machines/sternchen/wireshark.nix b/nixos/legacy/wireshark.nix
similarity index 100%
rename from nixos/machines/sternchen/wireshark.nix
rename to nixos/legacy/wireshark.nix
diff --git a/nixos/machines/sternchen/configuration.nix b/nixos/machines/sternchen/configuration.nix
index 04f40d5..f5c8c52 100644
--- a/nixos/machines/sternchen/configuration.nix
+++ b/nixos/machines/sternchen/configuration.nix
@@ -11,15 +11,19 @@
 ];
-
- home-manager.users.mainUser.home.git-pull.enable = false;
-
 sops.defaultSopsFile = ../../secrets/sternchen.yaml;
 networking.hostName = "sternchen";
+ components.gui.enable = true;
+ components.terminal.enable = true;
+ components.network.enable = true;
+ components.network.wifi.enable = true;
+ components.mainUser.enable = true;
+ users.users.mainUser.extraGroups = [ "adbusers" "video" ];
+ home-manager.users.mainUser.home.git-pull.enable = false;
 system.custom.mainUser.userName = "tina";
- system.custom.wifi.interfaces = [ "wlp3s0" ];
+ #system.custom.wifi.interfaces = [ "wlp3s0" ];
 security.wrappers = {
 pmount = {
@@ -37,7 +41,7 @@
 };
 programs.custom.steam.enable = false;
- programs.custom.video.enable = true;
+ programs.custom.video.enable = false;
 # keyboard fiddling
 i18n.defaultLocale = "de_DE.UTF-8";
@@ -45,7 +49,7 @@
 services.xserver.layout = "de,us";
 system.custom.suspend.enable = false;
- services.printing.enable = true;
+ services.printing.enable = false;
 # fonts
 # -----
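Review bot: The knownHosts entry added for `cream` pins both `cream.${network}` and its tinc address, which is the right shape, but the neighbouring entry keyed `"sternchen.${network}"` pins `sterni.${network}` / `hosts.sterni`, and this commit gives sternchen a tinc address (`10.123.42.25` in `nixos/machines/sternchen/tinc.nix`) without adding any SSH host-key pin for it. Unless that key really is sterni's under the wrong name, an SSH connection to `sternchen.${network}` would fall back to trust-on-first-use; consider renaming that key to `"sterni.${network}"` and adding a real `"sternchen.${network}"` entry with its own key, e.g. `hostNames = [ "sternchen.${network}" hosts.sternchen ];` (assuming `hosts` has a sternchen entry — it is not visible here). Both the tinc and SSH keys pinned in this file are trust anchors, so a one-line comment per entry on how the fingerprint was verified would help future readers. The enclosing `services.openssh.knownHosts` set continues outside the hunk.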
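Review bot: The added `users.users.mainUser.extraGroups = [ "adbusers" "video" ];` keeps `adbusers` while the later hunk `@@ -93,13 +96,8 @@` of this file drops `programs.adb.enable`, so unless the `adbusers` group is declared by one of the `components.*` modules (not visible here), that membership either names a group that does not exist or grants udev access to Android devices on a machine that no longer runs adb; `[ "video" ]` alone matches the intent if Sidequest is not used on sternchen. Separately, `#system.custom.wifi.interfaces = [ "wlp3s0" ];` is left as a commented-out line while `components.network.wifi.enable = true` is switched on, with no note on which interface the new module will manage; either delete the line or say why it is kept, e.g. `# wlp3s0 is now handled by components.network.wifi`, if that is what the module does. The `imports = [ ... ]` list closed by `];` starts outside the hunk.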
@@ -62,13 +66,13 @@
 # for congress and streaming
 hardware.opengl = {
 enable = true;
- extraPackages = [ pkgs.vaapiIntel ];
+ #extraPackages = [ pkgs.vaapiIntel ];
 driSupport = true;
 driSupport32Bit = true;
 };
- nixpkgs.config.packageOverrides = pkgs: {
- vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
- };
+ #nixpkgs.config.packageOverrides = pkgs: {
+ # vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
+ #};
 services.xserver.displayManager.defaultSession = "plasma";
@@ -76,7 +80,6 @@
 services.xserver.desktopManager.xfce.enable = false;
 services.xserver.desktopManager.gnome.enable = false;
- services.xserver.desktopManager.cinnamon.enable = true;
 services.xserver.desktopManager.lxqt.enable = true;
 services.xserver.desktopManager.mate.enable = true;
@@ -93,13 +96,8 @@
 };
 };
- # enable this to use sidequest
- programs.adb.enable = false;
- users.users.mainUser.extraGroups = [ "adbusers" "video" ];
-
 virtualisation = {
 docker.enable = false;
-
 virtualbox = {
 host.enable = false;
 guest.x11 = false;
diff --git a/nixos/machines/sternchen/packages.nix b/nixos/machines/sternchen/packages.nix
index c81e531..c026fed 100644
--- a/nixos/machines/sternchen/packages.nix
+++ b/nixos/machines/sternchen/packages.nix
@@ -40,6 +40,8 @@
 #synfigstudio
 valentina
+ vscode
+
 # kde programs
 okular
 ark
diff --git a/nixos/machines/sternchen/tinc.nix b/nixos/machines/sternchen/tinc.nix
index 8cba6a2..bfe2281 100644
--- a/nixos/machines/sternchen/tinc.nix
+++ b/nixos/machines/sternchen/tinc.nix
@@ -1,18 +1,7 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
+{ config, ... }:
 {
- module.cluster.services.tinc = {
- "secret" = {
- enable = true;
- openPort = true;
- connectTo = [ "robi" ];
- };
- };
-
- users.users."tinc.secret".group = "tinc.secret";
- users.groups."tinc.secret" = { };
+ tinc.secret.enable = true;
+ tinc.secret.ipv4 = "10.123.42.25";
 }
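Review bot: The `vaapiIntel` line in `hardware.opengl.extraPackages` and the whole `nixpkgs.config.packageOverrides` block are commented out rather than removed, with no reason given, so the next reader has to guess whether Intel hardware video decoding is intentionally off or merely broken (an attribute rename in nixpkgs would be one guess, but that is not verifiable here). Either delete the four commented lines or leave a one-line reason, e.g. `# vaapi override disabled because …; re-enable together with programs.custom.video`, since `programs.custom.video.enable` is flipped to false in the same commit and the two presumably belong together. `driSupport` and `driSupport32Bit` stay enabled, which is fine but worth stating if the goal was to drop GPU acceleration entirely. The enclosing module attribute set starts and ends outside the hunk.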
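Review bot: `tinc.secret.ipv4 = "10.123.42.25"` hard-codes sternchen's address in the machine file while `nixos/components/network/tinc/secret.nix` already derives subnets and `networking.extraHosts` from a central `hosts` attribute set (`hosts.cream`, `hosts.sterni`), so the two can silently diverge; if that set is reachable from the new module, `tinc.secret.ipv4 = hosts.sternchen;` or an assertion that both agree would close the gap. The removed configuration also set `openPort = true` and `connectTo = [ "robi" ]`, and nothing on the new side says whether the replacement `tinc.secret` module opens the tinc port in the firewall or which peer it dials — if those are now module defaults, a comment such as `# firewall port and connectTo come from the tinc.secret module defaults` would make that security-relevant behaviour visible in the machine file. As a small style point, `config` in `{ config, ... }:` is no longer referenced anywhere in the file and can be dropped.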
diff --git a/nixos/machines/sternchen/wifi-access-point.nix b/nixos/machines/sternchen/wifi-access-point.nix
deleted file mode 100644
index 9ce0cc8..0000000
--- a/nixos/machines/sternchen/wifi-access-point.nix
+++ /dev/null
@@ -1,85 +0,0 @@
-{ lib, pkgs, ... }:
-
-let
- wifi = "wlp0s29u1u2";
- ipAddress = "10.123.145.1";
- prefixLength = 24;
- servedAddressRange = "10.123.145.2,10.123.145.150,12h";
- ssid = "bumbumbum";
- wifiPassword = lib.fileContents ;
-
-in
-{
- # todo only open needed ports
- networking.firewall.trustedInterfaces = [ wifi ];
-
- networking.networkmanager.unmanaged = [ wifi ];
- networking.dhcpcd.denyInterfaces = [ wifi ];
-
- networking.interfaces."${wifi}".ipv4.addresses = [{
- address = ipAddress;
- prefixLength = prefixLength;
- }];
-
- # forward traffic coming in trough the access point => provide internet and vpn network access
- # todo : forward to own servers
- boot.kernel.sysctl = {
- "net.ipv4.conf.${wifi}.forwarding" = true;
- "net.ipv6.conf.${wifi}.forwarding" = true;
- };
-
- systemd.services.hostapd = {
- description = "hostapd wireless AP";
- path = [ pkgs.hostapd ];
-
- # start manual
- # wantedBy = [ "network.target" ];
-
- after = [
- "${wifi}-cfg.service"
- "nat.service"
- "bind.service"
- "dhcpd.service"
- "sys-subsystem-net-devices-${wifi}.device"
- ];
-
- serviceConfig = {
- ExecStart = "${pkgs.hostapd}/bin/hostapd ${
- pkgs.writeText "hostapd.conf" ''
- interface=${wifi}
- hw_mode=g
- channel=10
- ieee80211d=1
- country_code=DE
- ieee80211n=1
- wmm_enabled=1
-
- ssid=${ssid}
- auth_algs=1
- wpa=2
- wpa_key_mgmt=WPA-PSK
- rsn_pairwise=CCMP
- wpa_passphrase=${wifiPassword}
- ''
- }";
- Restart = "always";
- };
- };
-
- services.dnsmasq = {
- enable = true;
- extraConfig = ''
- # Only listen to routers' LAN NIC. Doing so opens up tcp/udp port 53 to
- # localhost and udp port 67 to world:
- interface=${wifi}
-
- # Explicitly specify the address to listen on
- listen-address=${ipAddress}
-
- # Dynamic range of IPs to make available to LAN PC and the lease time.
- # Ideally set the lease time to 5m only at first to test everything works okay before you set long-lasting records.
- dhcp-range=${servedAddressRange}
- '';
- };
-
-}
diff --git a/nixos/machines/sterni/configuration.nix b/nixos/machines/sterni/configuration.nix
index df3a488..d7e5856 100644
--- a/nixos/machines/sterni/configuration.nix
+++ b/nixos/machines/sterni/configuration.nix
@@ -26,7 +26,6 @@
 components.mainUser.enable = true;
 users.users.mainUser.extraGroups = [ "adbusers" "video" ];
- # todo
 programs.custom.steam.enable = false;
 programs.custom.video.enable = false;
 services.printing.enable = false;
@@ -86,7 +85,7 @@
 };
 # enable this to use sidequest
- programs.adb.enable = true;
+ # programs.adb.enable = false;
 # for congress and streaming
 hardware.opengl = {
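Review bot: `# programs.adb.enable = false;` replaces an active `true` with a commented-out `false`, which leaves adb at the NixOS default (off) while the comment just above it, `# enable this to use sidequest`, now points at a line that changes nothing if uncommented — confusing rather than wrong. State the intent once and drop the dead line, e.g. `programs.adb.enable = false; # set to true to use sidequest`. The context line `users.users.mainUser.extraGroups = [ "adbusers" "video" ];` in the first hunk of this file still lists `adbusers`, which presumably should go together with adb if Sidequest is no longer used on sterni (whether the group is declared elsewhere is not visible here). The enclosing attribute set starts and ends outside the hunk.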