From 08297376a85a1719518507e54fca9de954d2376a Mon Sep 17 00:00:00 2001 From: Petri Hienonen Date: Thu, 23 May 2024 13:56:00 +0300 Subject: Agenix configuration --- hosts/kataja/default.nix | 141 ++++++++++++++ hosts/kataja/hardware-configuration.nix | 79 ++++++++ hosts/pihlaja/default.nix | 269 ++++++++++++++++++++++++++ hosts/pihlaja/hardware-configuration.nix | 80 ++++++++ hosts/saarni/default.nix | 316 +++++++++++------------------- hosts/saarni/hardware-configuration.nix | 81 +++++--- hosts/tammi/20-wired.network | 31 +++ hosts/tammi/21-wired.network | 48 +++++ hosts/tammi/CM3588.md | 284 +++++++++++++++++++++++++++ hosts/tammi/Caddyfile | 319 +++++++++++++++++++++++++++++++ hosts/tammi/cgitrc | 47 +++++ hosts/tammi/feeds.opml | 118 ++++++++++++ hosts/tammi/iptable-nat.service | 11 ++ hosts/tammi/syntax-highlighting.js | 23 +++ 14 files changed, 1615 insertions(+), 232 deletions(-) create mode 100644 hosts/kataja/default.nix create mode 100644 hosts/kataja/hardware-configuration.nix create mode 100644 hosts/pihlaja/default.nix create mode 100644 hosts/pihlaja/hardware-configuration.nix create mode 100644 hosts/tammi/20-wired.network create mode 100644 hosts/tammi/21-wired.network create mode 100644 hosts/tammi/CM3588.md create mode 100644 hosts/tammi/Caddyfile create mode 100644 hosts/tammi/cgitrc create mode 100644 hosts/tammi/feeds.opml create mode 100644 hosts/tammi/iptable-nat.service create mode 100644 hosts/tammi/syntax-highlighting.js (limited to 'hosts') diff --git a/hosts/kataja/default.nix b/hosts/kataja/default.nix new file mode 100644 index 0000000..f664cab --- /dev/null +++ b/hosts/kataja/default.nix @@ -0,0 +1,141 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ + inputs, + outputs, + lib, + config, + pkgs, + vars, + ... +}: + +{ + imports = [ ./hardware-configuration.nix ]; + networking = { + hostName = "kataja"; + interfaces.eno1.wakeOnLan.enable = true; + }; + + systemd = { + network = { + enable = true; + wait-online.enable = false; + config = { + networkConfig = { + SpeedMeter = true; + }; + }; + networks = { + "10-wlan" = { + matchConfig = { + MACAddress = "10:6f:d9:28:3f:b3"; + }; + linkConfig = { + Multicast = true; + }; + networkConfig = { + DHCP = true; + IPv6AcceptRA = true; + MulticastDNS = true; + UseDomains = true; + }; + dhcpV4Config = { + RouteMetric = 600; + UseMTU = true; + }; + ipv6AcceptRAConfig = { + RouteMetric = 600; + UseMTU = true; + }; + linkConfig.RequiredForOnline = "no"; + }; + "11-lan" = { + matchConfig = { + MACAddress = "70:70:fc:00:29:25"; + }; + linkConfig = { + Multicast = true; + }; + networkConfig = { + DHCP = true; + IPv6AcceptRA = true; + MulticastDNS = true; + UseDomains = true; + }; + dhcpV4Config = { + RouteMetric = 100; + UseMTU = true; + }; + ipv6AcceptRAConfig = { + RouteMetric = 100; + UseMTU = true; + }; + linkConfig.RequiredForOnline = "no"; + }; + "12-lan" = { + matchConfig = { + MACAddress = "70:70:fc:00:29:26"; + }; + networkConfig = { + DHCP = true; + IPv6AcceptRA = true; + UseDomains = true; + }; + ipv6AcceptRAConfig = { + UseMTU = true; + }; + linkConfig.RequiredForOnline = "no"; + }; + }; + }; + sleep.extraConfig = "HibernateDelaySec=90m"; + }; + + environment = { + sessionVariables = { + LIBVA_DRIVER_NAME = "radeonsi"; + }; + }; + + services = { + godns = { + enable = true; + settings = { + domains = [ + { + domain_name = "www.duckdns.org"; + sub_domains = [ "kataja" ]; + } + ]; + ip_interface = "eno1"; + interval = 300; + ip_type = "IPv6"; + login_token_file = config.age.secrets.duckdns.path; + provider = "DuckDNS"; + }; + }; + xserver = { + deviceSection = '' + Option "DRI" "3" + Option "VariableRefresh" "True" + Option "TearFree" "False" + ''; + }; + }; + + hardware = { + graphics = { + extraPackages = with pkgs; [ + amdvlk + rocmPackages.clr.icd + ]; + }; + + bluetooth.settings.General.Name = "kataja"; + }; + + system.stateVersion = "24.05"; +} diff --git a/hosts/kataja/hardware-configuration.nix b/hosts/kataja/hardware-configuration.nix new file mode 100644 index 0000000..5d1d1b7 --- /dev/null +++ b/hosts/kataja/hardware-configuration.nix @@ -0,0 +1,79 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; + + boot = { + kernelPackages = pkgs.linuxPackages_zen; + initrd = { + luks.devices."luks-b3e9864c-2a40-43d7-b1a0-51f3b2ec42bc".device = + "/dev/disk/by-uuid/b3e9864c-2a40-43d7-b1a0-51f3b2ec42bc"; + availableKernelModules = [ + "ahci" + "amdgpu" + "mt7921e" + "nvme" + "r8169" + "sd_mod" + "usb_storage" + "usbhid" + "xhci_pci" + "cdc_acm" + ]; + }; + kernelParams = [ + "amdgpu.modeset=1" + "default_hugepagesz=2M" + "mitigations=off" + "nospectre_v2" + "transparent_hugepage=always" + ]; + kernelModules = [ + "k10temp" + "kvm-amd" + "snd_hda_intel" + "tcp_bbr" + ]; + extraModulePackages = [ ]; + }; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/3e7f6b6b-b656-4f42-b314-f447e2562718"; + fsType = "ext4"; + }; + + boot.initrd.luks.devices."luks-b9b738dc-8554-41d9-82f9-042663b52e79".device = + "/dev/disk/by-uuid/b9b738dc-8554-41d9-82f9-042663b52e79"; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/4121-BEC3"; + fsType = "vfat"; + options = [ + "fmask=0077" + "dmask=0077" + ]; + }; + + swapDevices = [ { device = "/dev/disk/by-uuid/97641877-607c-46cd-853d-e431c8a90dc2"; } ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + # networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eno1.useDHCP = lib.mkDefault true; + # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/pihlaja/default.nix b/hosts/pihlaja/default.nix new file mode 100644 index 0000000..8101815 --- /dev/null +++ b/hosts/pihlaja/default.nix @@ -0,0 +1,269 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ + inputs, + outputs, + lib, + config, + pkgs, + vars, + ... +}: + +{ + imports = [ ./hardware-configuration.nix ]; + + hardware = { + bluetooth.enable = true; + keyboard.qmk.enable = true; + logitech.wireless.enable = true; + nvidia = { + modesetting.enable = true; + powerManagement = { + enable = true; + finegrained = false; + }; + open = true; + nvidiaSettings = false; + package = config.boot.kernelPackages.nvidiaPackages.latest; + }; + graphics = { + extraPackages = with pkgs; [ + nvidia-vaapi-driver + cudatoolkit + ]; + }; + + bluetooth.settings.General.Name = "pihlaja"; + }; + + networking = { + hostName = "pihlaja"; + interfaces.enp5s0.wakeOnLan.enable = true; + }; + + environment = { + sessionVariables = { + LIBVA_DRIVER_NAME = "nvidia"; + VK_DRIVER_FILES = "/run/opengl-driver/share/vulkan/icd.d/nvidia_icd.x86_64.json"; + GBM_BACKEND = "nvidia-drm"; + __GLX_VENDOR_LIBRARY_NAME = "nvidia"; + NVD_BACKEND = "direct"; + }; + systemPackages = with pkgs; [ + logiops + qmk_hid + qmk + via + qmk-udev-rules + ]; + }; + + services.hardware.openrgb = { + enable = true; + package = pkgs.openrgb-with-all-plugins; + motherboard = "amd"; + server = { + port = 6742; + }; + }; + + systemd = { + network = { + enable = true; + wait-online.enable = false; + config = { + networkConfig = { + SpeedMeter = true; + }; + }; + networks = { + "10-wlan" = { + matchConfig.MACAddress = "34:cf:f6:25:c7:db"; + linkConfig = { + Multicast = true; + }; + networkConfig = { + DHCP = "yes"; + IPv6AcceptRA = true; + MulticastDNS = true; + LinkLocalAddressing = "ipv6"; + DNSSEC = true; + UseDomains = true; + }; + dhcpV4Config = { + RouteMetric = 100; + UseDNS = true; + UseMTU = true; + }; + ipv6AcceptRAConfig = { + UseMTU = true; + }; + linkConfig.RequiredForOnline = "yes"; + }; + "11-lan" = { + matchConfig.MACAddress = "18:c0:4d:04:cf:e9"; + linkConfig = { + Multicast = true; + }; + networkConfig = { + DHCP = "yes"; + IPv6AcceptRA = true; + MulticastDNS = true; + LinkLocalAddressing = "ipv6"; + DNSSEC = true; + UseDomains = true; + }; + dhcpV4Config = { + RouteMetric = 90; + UseDNS = true; + UseMTU = true; + }; + ipv6AcceptRAConfig = { + RouteMetric = 80; + UseMTU = true; + }; + linkConfig.RequiredForOnline = "no"; + }; + }; + }; + services = { + logiops = { + enable = true; + description = "An unofficial userspace driver for HID++ Logitech devices"; + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.logiops}/bin/logid"; + }; + wantedBy = [ "multi-user.target" ]; + }; + }; + }; + + services = { + godns = { + enable = true; + settings = { + domains = [ + { + domain_name = "www.duckdns.org"; + sub_domains = [ "pihlaja" ]; + } + ]; + ip_interface = "enp5s0"; + interval = 300; + ip_type = "IPv6"; + login_token_file = config.age.secrets.duckdns.path; + provider = "DuckDNS"; + }; + }; + xserver = { + videoDrivers = [ "nvidia" ]; + }; + udev.packages = with pkgs; [ + qmk + qmk_hid + qmk-udev-rules + via + ]; + llama-cpp = { + enable = false; + openFirewall = true; + model = "/home/petri/Programming/DeepSeek-R1-Distill-Qwen-32B-Q8_0.gguf"; + host = "0.0.0.0"; + }; + }; + fonts.fontconfig.subpixel.rgba = "bgr"; + + # Configuration for logiops + environment.etc."logid.cfg".text = '' + devices: ({ + name: "Wireless Mouse MX Master 3"; + smartshift: { + on: true; + threshold: 12; + }; + hiresscroll: { + hires: true; + target: false; + }; + thumbwheel: { + divert: true; + invert: false; + left: { + threshold: 1; + interval: 1; + direction: "Left"; + mode: "OnInterval"; + action = { + type: "Keypress"; + keys: ["KEY_VOLUMEDOWN"]; + }; + }; + right: { + threshold: 1; + interval: 1; + direction: "Right"; + mode: "OnInterval"; + action = { + type: "Keypress"; + keys: ["KEY_VOLUMEUP"]; + }; + }; + }; + dpi: 1500; + buttons: ({ + cid: 0xc3; + action = { + type: "Gestures"; + gestures: ({ + direction: "Left"; + mode: "OnRelease"; + action = { + type = "Keypress"; + keys: ["KEY_F15"]; + }; + }, { + direction: "Right"; + mode: "OnRelease"; + action = { + type = "Keypress"; + keys: ["KEY_F16"]; + }; + }, { + direction: "Down"; + mode: "OnRelease"; + action = { + type: "Keypress"; + keys: ["KEY_F17"]; + }; + }, { + direction: "Up"; + mode: "OnRelease"; + action = { + type: "Keypress"; + keys: ["KEY_F18"]; + }; + }, { + direction: "None"; + mode: "OnRelease"; + action = { + type = "Keypress"; + keys: ["KEY_PLAYPAUSE"]; + }; + }); + }; + }, { + cid: 0xc4; + action = { + type: "Keypress"; + keys: ["KEY_F19"]; + }; + }); + }); + ''; + + system.stateVersion = "24.05"; # Did you read the comment? +} diff --git a/hosts/pihlaja/hardware-configuration.nix b/hosts/pihlaja/hardware-configuration.nix new file mode 100644 index 0000000..1e81932 --- /dev/null +++ b/hosts/pihlaja/hardware-configuration.nix @@ -0,0 +1,80 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; + + boot = { + kernelPackages = pkgs.linuxPackages; + kernelParams = [ + "NVreg_PreserveVideoMemoryAllocations=1" + "mitigations=off" + "nospectre_v2" + "nvidia_drm.fbdev=1" + "nvidia_drm.modeset=1" + "transparent_hugepage=always" + ]; + initrd = { + luks.devices."luks-a47a6087-e6bf-4e8d-a034-2229259c38f5".device = + "/dev/disk/by-uuid/a47a6087-e6bf-4e8d-a034-2229259c38f5"; + availableKernelModules = [ + "cdc_acm" + "ahci" + "iwldvm" + "iwlwifi" + "nvme" + "sd_mod" + "usb_storage" + "usbhid" + "xhci_pci" + "nvidia" + "nvidia_drm" + "nvidia_modeset" + "nvidia_uvm" + ]; + luks.devices."luks-1efa1182-2964-49bf-a413-fb51bd7b107f".device = + "/dev/disk/by-uuid/1efa1182-2964-49bf-a413-fb51bd7b107f"; + }; + kernelModules = [ + "tcp_bbr" + "iwldvm" + "iwlwifi" + "k10temp" + "kvm-amd" + ]; + extraModulePackages = [ ]; + }; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/eecfd181-138c-4c90-add6-2ef528d5dbb4"; + fsType = "ext4"; + }; + + fileSystems."/data" = { + device = "/dev/disk/by-uuid/a02a4e78-32ea-40e6-8398-087bfd8dca93"; + fsType = "ext4"; + options = [ "nofail" ]; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/A4F5-0899"; + fsType = "vfat"; + options = [ + "fmask=0077" + "dmask=0077" + ]; + }; + + swapDevices = [ { device = "/dev/disk/by-uuid/d0e5a93d-18a7-4d24-893c-d2417c3d5043"; } ]; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/saarni/default.nix b/hosts/saarni/default.nix index 010a8eb..5252e6f 100644 --- a/hosts/saarni/default.nix +++ b/hosts/saarni/default.nix @@ -2,249 +2,147 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ inputs, outputs, lib, config, pkgs, vars, ... }: +{ + inputs, + outputs, + lib, + config, + pkgs, + vars, + ... +}: { - imports = [ - ./hardware-configuration.nix - inputs.home-manager.nixosModules.home-manager - ]; + imports = [ ./hardware-configuration.nix ]; - nix = { - nixPath = [ "/etc/nix/path" ]; - gc = { - automatic = true; - }; - settings = { - auto-optimise-store = true; - experimental-features = "nix-command flakes"; + hardware = { + graphics = { + extraPackages = with pkgs; [ + libvpl + libvdpau-va-gl + sof-firmware + vpl-gpu-rt + ]; }; - registry = (lib.mapAttrs (_: flake: { inherit flake; })) - ((lib.filterAttrs (_: lib.isType "flake")) inputs); - }; - nixpkgs.config.allowUnfree = true; - security.rtkit.enable = true; - - home-manager = { - extraSpecialArgs = { inherit inputs outputs vars; }; - users = { ${vars.user} = import ../../home; }; - }; - - powerManagement = { - enable = true; - powertop.enable = true; - }; - # Bootloader. - boot = { - loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - kernelPackages = pkgs.linuxPackages_latest; - plymouth.enable = true; - kernelParams = [ "quiet" "splash" ]; + bluetooth.settings.General.Name = "saarni"; }; networking = { - nameservers = [ "1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one" ]; hostName = "saarni"; - useNetworkd = true; - wireless.iwd.enable = true; }; systemd = { - watchdog = { - device = "/dev/watchdog"; - runtimeTime = "30s"; + services."enable-wifi-on-boot" = { + description = "Enable wifi on boot"; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${pkgs.util-linux}/bin/rfkill unblock all"; + Type = "oneshot"; + }; }; - sleep.extraConfig = "HibernateDelaysSec=90m"; network = { enable = true; wait-online.enable = false; + config = { + networkConfig = { + SpeedMeter = true; + }; + }; networks = { "10-lan" = { - matchConfig.Name = "enp0s20f0u9"; - networkConfig.DHCP = "yes"; + matchConfig = { + Name = "enps0"; + }; + linkConfig = { + Multicast = true; + }; + networkConfig = { + DHCP = true; + IPv6AcceptRA = true; + MulticastDNS = true; + LinkLocalAddressing = "ipv6"; + DNSSEC = true; + UseDomains = true; + }; + dhcpV4Config = { + RouteMetric = 20; + UseDNS = true; + UseMTU = true; + }; + ipv6AcceptRAConfig = { + UseMTU = true; + }; }; - "11-lan" = { - matchConfig.Name = "wlan0"; - networkConfig.DHCP = "yes"; + "11-wlan" = { + matchConfig = { + MACAddress = "64:d6:9a:9e:06:60"; + }; + linkConfig = { + Multicast = true; + }; + networkConfig = { + DHCP = true; + IPv6AcceptRA = true; + MulticastDNS = true; + LinkLocalAddressing = "ipv6"; + DNSSEC = true; + UseDomains = true; + }; + dhcpV4Config = { + RouteMetric = 100; + UseDNS = true; + UseMTU = true; + SendHostname = true; + }; + dhcpV6Config = { + WithoutRA = "solicit"; + }; + ipv6AcceptRAConfig = { + UseMTU = true; + }; }; }; }; }; - system.autoUpgrade = { - enable = true; - }; - - sound.enable = true; - - hardware = { - opengl = { - enable = true; - driSupport = true; - extraPackages = with pkgs; [ - intel-media-driver - libvdpau-va-gl - ]; - }; - bluetooth = { - enable = true; - powerOnBoot = true; - }; - }; - - # Set your time zone. - time.timeZone = "Europe/Helsinki"; - - # Select internationalisation properties. - i18n = { - defaultLocale = "en_US.UTF-8"; - extraLocaleSettings = { - LC_ADDRESS = "fi_FI.UTF-8"; - LC_IDENTIFICATION = "fi_FI.UTF-8"; - LC_MEASUREMENT = "fi_FI.UTF-8"; - LC_MONETARY = "fi_FI.UTF-8"; - LC_NAME = "fi_FI.UTF-8"; - LC_NUMERIC = "fi_FI.UTF-8"; - LC_PAPER = "fi_FI.UTF-8"; - LC_TELEPHONE = "fi_FI.UTF-8"; - LC_TIME = "fi_FI.UTF-8"; - }; - }; - - console.keyMap = "fi"; - - # Define a user account. Don't forget to set a password with ‘passwd’. - users.users.${vars.user} = { - isNormalUser = true; - description = "${vars.name}"; - extraGroups = [ "input" "network" "wheel" ]; - packages = with pkgs; [ ]; - ignoreShellProgramCheck = true; - shell = pkgs.${vars.shell}; - }; - - programs = { - firefox.enable = true; - hyprland.enable = true; - gnupg.agent = { - enable = true; - enableSSHSupport = true; - }; - mtr.enable = true; - }; - environment = { - sessionVariables = { - LIBVA_DRIVER_NAME = "iHD"; - }; - systemPackages = with pkgs; [ - fastfetch - vulkan-tools - libva-utils - wget - curl - git - gzip - btop - glxinfo - sqlite - openssh - gnupg - helix - nixfmt - ]; - etc = lib.mapAttrs' (name: value: { - name = "nix/path/${name}"; - value.source = value.flake; - }) config.nix.registry; - }; - - fonts = { - enableDefaultPackages = true; - packages = with pkgs; [ noto-fonts fira-code fira-code-symbols ]; - fontconfig = { - defaultFonts = { - serif = [ "Noto Serif" ]; - sansSerif = [ "Noto Sans" ]; - monospace = [ "Fira Code" ]; - }; - }; + sessionVariables = { }; }; - # List services that you want to enable: services = { - getty.autologinUser = "petri"; - resolved = { - enable = true; - dnsovertls = "true"; - }; - xserver = { - layout = "fi"; - xkbVariant = "normal"; - }; - pipewire = { + godns = { enable = true; - alsa.enable = true; - pulse.enable = true; - }; - openssh.enable = true; - printing.enable = true; - kmscon = { - enable = true; - hwRender = true; - extraOptions = "--xkb-layout=fi"; - }; - blueman.enable = true; - upower.enable = true; - upower.criticalPowerAction = "Hibernate"; - fstrim.enable = false; - thermald.enable = true; - auto-cpufreq.enable = true; - greetd = { - enable = true; - settings = rec { - initial_session = { - command = "${pkgs.hyprland}/bin/Hyprland"; - user = "petri"; - }; - default_session = initial_session; + settings = { + domains = [ + { + domain_name = "www.duckdns.org"; + sub_domains = [ "saarni" ]; + } + ]; + ip_interface = "wlan0"; + interval = 300; + ip_type = "IPv6"; + login_token_file = config.age.secrets.duckdns.path; + provider = "DuckDNS"; }; }; - }; - - xdg.portal = { - enable = true; - xdgOpenUsePortal = true; - extraPortals = [ - pkgs.xdg-desktop-portal-hyprland - pkgs.xdg-desktop-portal-gtk - ]; - wlr = { + tlp = { enable = true; settings = { - screencast = { - chooser_type = "simple"; - chooser_cmd = "${pkgs.slurp}/bin/slurp -f %o -ro"; - }; + CPU_PERF_POLICY_ON_AC = "performance"; + CPU_PERF_POLICY_ON_BAT = "power"; + CPU_SCALING_GOVERNOR_ON_AC = "performance"; + CPU_SCALING_GOVERNOR_ON_BAT = "powersave"; + START_CHARGE_THRESH_BAT0 = 40; + STOP_CHARGE_TRESH_BAT0 = 20; }; }; + upower = { + enable = true; + criticalPowerAction = "Hibernate"; + }; + thermald.enable = true; }; - - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "23.11"; # Did you read the comment? + system.stateVersion = "24.05"; } diff --git a/hosts/saarni/hardware-configuration.nix b/hosts/saarni/hardware-configuration.nix index 6aef572..798aa7b 100644 --- a/hosts/saarni/hardware-configuration.nix +++ b/hosts/saarni/hardware-configuration.nix @@ -1,37 +1,72 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") ]; + config, + lib, + pkgs, + modulesPath, + ... +}: - boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; +{ + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/3968a07a-5e37-4bdb-9e3a-6c74950fd03d"; - fsType = "ext4"; + boot = { + kernelPackages = pkgs.linuxPackages_zen; + initrd = { + availableKernelModules = [ + "xhci_pci" + "thunderbolt" + "nvme" + "usb_storage" + "sd_mod" + "i915" + "cdc_acm" + ]; }; + kernelModules = [ + "kvm-intel" + "iwlwifi" + "iwldvm" + "snd_hda_intel" + "snd_soc_avs" + "snd_sof_pci_intel_tgl" + "tcp_bbr" + ]; + extraModulePackages = [ ]; + kernelParams = [ + "default_hugepagesz=2M" + "i915.enable_guc=3" + "i915.fastboot=1" + "mitigations=off" + "nospectre_v2" + "snd-intel-dspcfg.dsp_driver=3" + "transparent_hugepage=always" + "usbcore.blinkenlights=1" + ]; + extraModprobeConfig = '' + options snd_hda_intel enable=0,1 + ''; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/9B7E-3D1B"; - fsType = "vfat"; - options = [ "fmask=0022" "dmask=0022" ]; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/3968a07a-5e37-4bdb-9e3a-6c74950fd03d"; + fsType = "ext4"; + }; - swapDevices = [ ]; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/9B7E-3D1B"; + fsType = "vfat"; + options = [ + "fmask=0022" + "dmask=0022" + ]; + }; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - # networking.useDHCP = lib.mkDefault true; - # networking.interfaces.wlan0.useDHCP = lib.mkDefault true; + hardware.firmware = [ pkgs.sof-firmware ]; + swapDevices = [ ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } diff --git a/hosts/tammi/20-wired.network b/hosts/tammi/20-wired.network new file mode 100644 index 0000000..1a39f55 --- /dev/null +++ b/hosts/tammi/20-wired.network @@ -0,0 +1,31 @@ +# WAN +[Match] +Name=eth0 + +[Network] +DHCP=yes +IPv6PrivacyExtensions=no +IPv6AcceptRA=yes +IPMasquerade=both +DHCPPrefixDelegation=yes +IPForward=yes + +[DHCPv4] +UseMTU=yes +UseDNS=false +UseNTP=false + +[IPv6AcceptRA] +UseMTU=yes +UseDNS=false + +[DHCPv6] +WithoutRA=solicit +PrefixDelegationHint=::/56 +RapidCommit=yes + +[DHCPPrefixDelegation] +UplinkInterface=auto +SubnetId=auto +Announce=yes +Assign=yes diff --git a/hosts/tammi/21-wired.network b/hosts/tammi/21-wired.network new file mode 100644 index 0000000..4ab692d --- /dev/null +++ b/hosts/tammi/21-wired.network @@ -0,0 +1,48 @@ +[Match] +# Name=eth1 - LAN +MACAddress=6c:1f:f7:1b:f2:6c + +[Link] +Multicast=yes + +[Network] +DNS=10.1.1.1#adguard.tammi.cc +DNS=2001:14ba:a304:aff4::1#adguard.tammi.cc +NTP=10.1.1.1 +DHCP=no +LLDP=yes +LLMNR=yes +Address=10.1.1.1/24 +DHCPServer=true +MulticastDNS=true +IPv6SendRA=yes +IPv6AcceptRA=no +IPv6PrefixDelegation=yes +DHCPPrefixDelegation=yes +LinkLocalAddressing=yes +LLMNR=yes +IPForward=yes + +[DHCPServer] +PoolOffset=100 +PoolSize=40 +EmitDNS=yes +EmitNTP=yes +EmitTimezone=yes +DNS=_server_address +NTP=_server_address +DefaultLeaseTimeSec=3600 +MaxLeaseTimeSec=7200 + +[IPv6SendRA] +Managed=yes +OtherInformation=yes +EmitDNS=yes +DNS=_link_local +RouterPreference=high + +[DHCPPrefixDelegation] +UplinkInterface=eth0 +SubnetId=0 +Announce=yes +Assign=yes diff --git a/hosts/tammi/CM3588.md b/hosts/tammi/CM3588.md new file mode 100644 index 0000000..d62780a --- /dev/null +++ b/hosts/tammi/CM3588.md @@ -0,0 +1,284 @@ +--- +title: "Running the gateway for testing" +author: [Petri Hienonen] +date: "2023-03-31" +--- + +# CM3588 setup guide for Debian Bookworm + +[CM3588](https://www.friendlyelec.com/index.php?route=product/product&product_id=294) works as our reference hardware. + +`SDCARD` to `EMMC` image [should be used](https://drive.google.com/file/d/1CrYDAZFwGdZoFIRfrQGEVd6SEu6f0PwU/view) + +[Wiki documents things related to the device installation](https://wiki.friendlyelec.com/wiki/index.php/NanoPi_R5S) + +## Basic configuration + +Login with SSH (Username: `pi`, Password: `pi`) + +`/etc/systemd/network/20-wired.network` + +``` +[Match] +Name=eth0 + +[Network] +DHCP=yes +DNS=8.8.8.8 +MulticastDNS=true + +[Link] +MTUBytes=9000 +``` + +`/etc/systemd/timesyncd.conf` + +``` +[Time] +NTP=0.arch.pool.ntp.org 1.arch.pool.ntp.org 2.arch.pool.ntp.org 3.arch.pool.ntp.org +FallbackNTP=0.pool.ntp.org 1.pool.ntp.org 0.fr.pool.ntp.org +``` + +```bash +sudo apt update && sudo apt dist-upgrade -y && sudo apt autoremove -y +sudo systemctl stop NetworkManager +sudo systemctl disable NetworkManager +sudo apt remove network-manager ntp wpa_supplicant +sudo systemctl enable systemd-timesyncd.service +sudo systemctl start systemd-timesyncd.service +sudo timedatectl set-timezone Europe/Helsinki +``` + +Modify `/etc/hostname` to wanted (tammi.cc). + +Modify `/etc/systemd/journald.conf` (following keys): + +``` +[Journal] +Storage=volatile +SystemMaxUse=20M +RuntimeMaxUse=20M +MaxRetentionSec=2day +``` + +Wireless network configuration (`wlan0` with [`iwd`](https://iwd.wiki.kernel.org/)) + +```bash +sudo apt remove wpasupplicant +sudo apt install iwd +sudo mkdir -p /var/lib/iwd/ +``` + +`/etc/systemd/network/20-wired.network` + +``` +[Match] +Name=eth0 + +[Network] +DHCP=yes +DNSSEC=allow-downgrade +DNS=9.9.9.9 2620:fe::fe +LinkLocalAddresssing=yes +``` + +`/etc/systemd/network/26-wireless.network` + +``` +[Match] +Name=wlan0 + +[Network] +DHCP=yes +DNSSEC=allow-downgrade +DNS=9.9.9.9 2620:fe::fe +LinkLocalAddresssing=yes +``` + +`/var/lib/iwd/example_network.psk`: + +``` +[Security] +Passphrase=Relynx8WP +``` + +```bash +sudo systemctl start iwd.service +sudo systemctl enable iwd.service +sudo systemctl restart systemd-networkd.service +``` + +Create petri user: + +```bash +sudo useradd -m petri +sudo passwd petri (password) +sudo usermod -a -G sudo petri +sudo usermod -a -G systemd-journal petri +sudo chsh -s /bin/bash petri +sudo reboot +``` + +Stop autologin for user `petri` by commenting out user `petri` in `/etc/lightdm/lightdm.conf`. + +Login with `petri` user. + +Check that network looks sane: + +```bash +networkctl status --all +``` + +Delete `pi` user: + +```bash +sudo userdel -r pi +``` + +Create necessary keys and clone and build rust packages: + +```bash +sudo apt install llvm clang libssl-dev -y +curl --proto '=https' --tlsv1.3 -sSf https://sh.rustup.rs | sh +source "$HOME/.cargo/env" +ssh-keygen -t ed25519 +cat .ssh/id_ed25519.pub +``` + +## Applications + +### SSH + +Guideline from: https://infosec.mozilla.org/guidelines/openssh + +```bash +sudo apt install mosh +``` + +### Backports + +```bash +echo "deb http://deb.debian.org/debian bookworm-backports main contrib non-free-firmware">/etc/apt/sources.list.d/debian-12-backports.list +``` + +### BTRFS + +```bash +sudo apt install btrfs-progs +sudo mkfs.btrfs -m raid1 -d raid1 /dev/nvme1n1 /dev/nvme0n1 +sudo mkdir /media/data +echo "UUID=f566eaa0-f004-4acc-9d0d-f6fb97daca5e /media/data btrfs defaults,discard=async,compress=zstd 0 0">>/etc/fstab + +sudo mkdir /media/data/db +sudo chattr -R +C /media/data/db # make the DB not COW + +sudo mkdir /media/data/logs +sudo chattr -R +C /media/data/logs # make the DB not COW +``` + +/etc/systemd/system/btrfs-scrub@.service + +```systemd +[Unit] +Description=Btrfs scrub on %f +ConditionPathIsMountPoint=%f +RequiresMountsFor=%f + +[Service] +Nice=19 +IOSchedulingClass=idle +KillSignal=SIGINT +ExecStart=/usr/bin/btrfs scrub start -B %f +``` + +/etc/systemd/system/btrfs-scrub@.timer + +```systemd +[Unit] +Description=Btrfs scrub on %f twice per month + +[Timer] +OnCalendar=*-*-1,15 +AccuracySec=1d +RandomizedDelaySec=1w +Persistent=true + +[Install] +WantedBy=timers.target +``` + +```bash +sudo systemctl start btrfs-scrub@(systemd-escape -p /media/data).service +sudo systemctl enable --now btrfs-scrub@(systemd-escape -p /media/data).timer +``` + +### Docker + +```bash +sudo apt install docker.io docker-compose +sudo usermod -aG docker $USER +sudo systemctl enable docker.service +``` + +### Postgresql (edit the datapaths) + +```bash +sudo apt install postgresql postgresql-contrib +sudo mkdir /media/data/db/postgresql/16/main +sudo vim /etc/postgresql/16/main/postgresql.conf +sudo chown -R postgres:postgres postgresql/ +``` +Add Environment=PGDATA=/media/data/db/postgresql/%I/main to /lib/systemd/system/postgresql@.service under [Service] + +### Miniflux + +```bash +echo "deb [trusted=yes] https://repo.miniflux.app/apt/ * *" | sudo tee /etc/apt/sources.list.d/miniflux.list > /dev/null +apt update && apt install miniflux +systemctl status miniflux.service + +sudo -u postgres psql +CREATE USER miniflix with PASSWORD 'miniflux'; +CREATE DATABASE miniflux2 OWNER miniflux; +``` + +### Vaultwarden (/etc/vaultwarden): + +```bash +wget -O /etc/apt/trusted.gpg.d/bananian-keyring.gpg https://bitwarden-deb.tech-network.de/bananian-keyring.gpg +echo "deb http://bitwarden-deb.tech-network.de bookworm main" > /etc/apt/sources.list.d/vaultwarden.list +apt update && apt install vaultwarden + +sudo -u postgres psql +CREATE USER vaultwarden WITH ENCRYPTED PASSWORD 'yourpassword'; +CREATE DATABASE vaultwarden OWNER vaultwarden; + +(vaultwarden binary will have to be compiled with hand to enable postgresql, this is irritating) +sudo apt install libpq-dev +(add following systemd service environment variable) +Environment="DATABASE_URL=postgresql://vaultwarden:yourpassword@127.0.0.1:5432/vaultwarden" +systemctl enable vaultwarden.service +``` + +/etc/enviroment + +```bash +PATH="/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin" +``` + +### Webmin + +```bash +curl -o setup-repos.sh https://raw.githubusercontent.com/webmin/webmin/master/setup-repos.sh +sh setup-repos.sh +apt install webmin + +(configure using /etc/webmin/miniserv.conf) +``` + +### Minio + +```bash +wget https://dl.min.io/server/minio/release/linux-arm64/minio_20240611031330.0.0_arm64.deb -O minio.deb +sudo dpkg -i minio.deb +``` diff --git a/hosts/tammi/Caddyfile b/hosts/tammi/Caddyfile new file mode 100644 index 0000000..fe9d437 --- /dev/null +++ b/hosts/tammi/Caddyfile @@ -0,0 +1,319 @@ +# The Caddyfile is an easy way to configure your Caddy web server. +# +# Unless the file starts with a global options block, the first +# uncommented line is always the address of your site. +# +# To use your own domain name (with automatic HTTPS), first make +# sure your domain's A/AAAA DNS records are properly pointed to +# this machine's public IP, then replace ":80" below with your +# domain name. +(cors) { + @cors_preflight method OPTIONS + + header { + Access-Control-Allow-Origin "{header.origin}" + Vary Origin + Access-Control-Expose-Headers "Authorization" + Access-Control-Allow-Credentials "true" + } + + handle @cors_preflight { + header { + Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE" + Access-Control-Max-Age "3600" + } + respond "" 204 + } +} + +{ + metrics + log { + output file /var/log/caddy/caddy_main.log { + roll_size 20MiB + roll_keep 5 + roll_keep_for 100d + } + format json + level INFO + } +} + +tammi.cc { + root * /media/data/hienotammi + file_server browse + encode zstd gzip + log { + output file /media/data/logs/tammi.log { + roll_size 1mb + roll_keep 1 + } + } +} + +holvi.tammi.cc { + root * /media/data/holvi + file_server browse + encode zstd gzip + log { + output file /media/data/logs/holvi.log { + roll_size 1mb + roll_keep 1 + } + } +} + +grafana.tammi.cc { + reverse_proxy 127.0.0.1:3010 + encode zstd gzip + log { + output file /media/data/logs/grafana.log { + roll_size 1mb + roll_keep 1 + } + } +} + +ntfy.tammi.cc { + reverse_proxy 127.0.0.1:3070 + encode zstd gzip + log { + output file /media/data/logs/ntfy.log { + roll_size 1mb + roll_keep 1 + } + } +} + +adguard.tammi.cc { + basic_auth { + petri $2a$14$1gj396cBvvMoC7kW0qSZBOF9Qzwt8ewyujua1EpdDJm9gXdBFsfEe + } + reverse_proxy 127.0.0.1:3000 + encode zstd gzip + log { + output file /media/data/logs/adguard.log { + roll_size 1mb + roll_keep 1 + } + } +} + +n8n.tammi.cc { + reverse_proxy 127.0.0.1:5678 + encode zstd gzip + log { + output file /media/data/logs/n8n.log { + roll_size 1mb + roll_keep 1 + } + } +} + +couch.tammi.cc { + reverse_proxy 127.0.0.1:5984 + encode zstd gzip + log { + output file /media/data/logs/couch.log { + roll_size 1mb + roll_keep 1 + } + } +} + +shiori.tammi.cc { + reverse_proxy 127.0.0.1:7766 + encode zstd gzip + log { + output file /media/data/logs/shiori.log { + roll_size 1mb + roll_keep 1 + } + } +} + +read.tammi.cc { + reverse_proxy 127.0.0.1:7767 + encode zstd gzip + log { + output file /media/data/logs/read.log { + roll_size 1mb + roll_keep 1 + } + } +} + +atuin.tammi.cc { + reverse_proxy 127.0.0.1:4444 + encode zstd gzip + log { + output file /media/data/logs/atuin.log { + roll_size 1mb + roll_keep 1 + } + } +} + +relationship.tammi.cc { + root * /media/data/relationship + file_server + encode zstd gzip + log { + output file /media/data/logs/relationship.log { + roll_size 1mb + roll_keep 1 + } + } +} + +start.tammi.cc { + basic_auth { + petri $2a$14$1gj396cBvvMoC7kW0qSZBOF9Qzwt8ewyujua1EpdDJm9gXdBFsfEe + } + reverse_proxy 127.0.0.1:5555 + encode zstd gzip + log { + output file /media/data/logs/start.log { + roll_size 1mb + roll_keep 1 + } + } +} + +bin.tammi.cc { + reverse_proxy 127.0.0.1:8820 + encode zstd gzip + import cors {header.origin} + log { + output file /media/data/logs/bin.log { + roll_size 1mb + roll_keep 1 + } + } +} + +llm.tammi.cc { + reverse_proxy 127.0.0.1:12500 + encode zstd gzip + log { + output file /media/data/logs/llm.log { + roll_size 1mb + roll_keep 1 + } + } +} + +base.tammi.cc { + reverse_proxy 127.0.0.1:980 + encode zstd gzip + log { + output file /media/data/logs/base.log { + roll_size 1mb + roll_keep 1 + } + } +} + +threat.tammi.cc { + reverse_proxy 127.0.0.1:3050 + encode zstd gzip + log { + output file /media/data/logs/threat.log { + roll_size 1mb + roll_keep 1 + } + } +} + +flux.tammi.cc { + reverse_proxy 127.0.0.1:8080 + encode zstd gzip + log { + output file /media/data/logs/flux.log { + roll_size 1mb + roll_keep 1 + } + } +} + +haku.tammi.cc { + reverse_proxy 127.0.0.1:8888 + encode zstd gzip + log { + output file /media/data/logs/haku.log { + roll_size 1mb + roll_keep 1 + } + } +} + +memos.tammi.cc { + reverse_proxy 127.0.0.1:8081 + encode zstd gzip + log { + output file /media/data/logs/memos.log { + roll_size 1mb + roll_keep 1 + } + } +} + +dav.tammi.cc { + reverse_proxy 127.0.0.1:5232 + encode zstd gzip + log { + output file /media/data/logs/haku.log { + roll_size 1mb + roll_keep 1 + } + } +} + +admin.tammi.cc { + reverse_proxy 127.0.0.1:10000 + encode zstd gzip + log { + output file /media/data/logs/webmin.log { + roll_size 1mb + roll_keep 1 + } + } +} + +minio.tammi.cc { + reverse_proxy localhost:9001 +} + +s3.tammi.cc { + reverse_proxy localhost:9199 +} + +vault.tammi.cc { + encode zstd gzip + reverse_proxy /notifications/hub/negotiate 127.0.0.1:8000 + reverse_proxy /notifications/hub 127.0.0.1:3012 + reverse_proxy 127.0.0.1:8000 { + header_up X-Real-IP {remote_host} + } + log { + output file /media/data/logs/vault.log { + roll_size 1mb + roll_keep 1 + } + } +} + +audio.tammi.cc { + reverse_proxy 127.0.0.1:3333 + encode zstd gzip + log { + output file /media/data/logs/audio.log { + roll_size 1mb + roll_keep 1 + } + } +} + +import conf.d/* + +# Refer to the Caddy docs for more information: diff --git a/hosts/tammi/cgitrc b/hosts/tammi/cgitrc new file mode 100644 index 0000000..caa011d --- /dev/null +++ b/hosts/tammi/cgitrc @@ -0,0 +1,47 @@ +# +# cgit config +# + +# The defaults +#css=/cgit.css +#logo=/cgit.png +cache-size=0 +branch-sort=age +commit-sort=date +max-stats=quarter +root-title=tammi.cc git repositories +robots=noindex, nofollow +snapshots=tar.zst +clone-url=ssh://git@tammi.cc:/git/$CGIT_REPO_URL.git +virtual-root=/ + +# options +enable-index-owner=true +enable-index-links=true +enable-commit-graph=1 +enable-log-filecount=1 +enable-log-linecount=1 +enable-html-serving=1 +enable-http-clone=1 +enable-blame=1 + +# mimes +mimetype.gif=image/gif +mimetype.html=text/html +mimetype.jpg=image/jpeg +mimetype.webp=image/webp +mimetype.jpeg=image/jpeg +mimetype.pdf=application/pdf +mimetype.png=image/png +mimetype.svg=image/svg+xml + +# plugins +head-include=/usr/local/lib/cgit/head_include.html +source-filter=/usr/local/lib/cgit/filters/syntax-highlighting.js +about-filter=/usr/local/lib/cgit/filters/about-formatting-custom.sh +auth-filter=lua:/usr/local/lib/cgit/filters/simple-authentication-modified.lua + +# repositories +readme=:README.adoc +readme=:README.md +remove-suffix=1 diff --git a/hosts/tammi/feeds.opml b/hosts/tammi/feeds.opml new file mode 100644 index 0000000..b0ea84f --- /dev/null +++ b/hosts/tammi/feeds.opml @@ -0,0 +1,118 @@ + + + + Miniflux + Wed, 29 Oct 2025 10:42:41 EET + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/hosts/tammi/iptable-nat.service b/hosts/tammi/iptable-nat.service new file mode 100644 index 0000000..f5ecd63 --- /dev/null +++ b/hosts/tammi/iptable-nat.service @@ -0,0 +1,11 @@ +[Unit] +Description=Apply NAT rules for IPv4 +After=network.target + +[Service] +Type=oneshot +ExecStart=/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target diff --git a/hosts/tammi/syntax-highlighting.js b/hosts/tammi/syntax-highlighting.js new file mode 100644 index 0000000..362994a --- /dev/null +++ b/hosts/tammi/syntax-highlighting.js @@ -0,0 +1,23 @@ +#!/usr/bin/node +// Server side syntax highlight with Shiki https://shiki.matsu.io/ +// This script is replacement for pygments/highlight for cgit +// Shiki is installed with `npm install -g shiki` +// input: filename, stdin - source file. Outputs the highligted html to stdout. +import { argv, stdin, stdout } from 'node:process'; +import { codeToHtml } from "/usr/lib/node_modules/shiki/dist/index.mjs"; + +async function highlight(syntax) { + stdin.on("data", async (data) => { + const text = Buffer.from(data).toString("utf8"); + const html = await codeToHtml(text, { + lang: syntax, + theme: "gruvbox-dark-soft" + }); + stdout.write(html); + }); + return true +} + +const filename = argv[1]; +const lang = filename.split(".")[1]; +highlight(lang); -- cgit v1.2.3-70-g09d2