From 67019cd0c27f34785402c0a4ceea32e57a1cc877 Mon Sep 17 00:00:00 2001 From: ChaotiCryptidz Date: Mon, 9 May 2022 09:03:00 +0100 Subject: [PATCH] nix --- extras/shenanigans-hotspot.nix | 68 +++++++++++++++++++++++++ flake.lock | 61 ++++++++++++++-------- flake.nix | 2 + hosts/hetzner-vm/hetzner-vm.nix | 7 +++ hosts/hetzner-vm/services/invidious.nix | 8 +-- hosts/lappy/lappy.nix | 3 ++ profiles/dnscrypt/dnscrypt.nix | 4 ++ profiles/force_dns/force_dns.nix | 7 +++ scripts/rebuild.sh | 2 +- scripts/update.sh | 8 +-- treeConfig.nix | 2 + 11 files changed, 139 insertions(+), 33 deletions(-) create mode 100644 extras/shenanigans-hotspot.nix create mode 100644 profiles/force_dns/force_dns.nix diff --git a/extras/shenanigans-hotspot.nix b/extras/shenanigans-hotspot.nix new file mode 100644 index 0000000..982edcc --- /dev/null +++ b/extras/shenanigans-hotspot.nix 
@@ -0,0 +1,68 @@
+{ lib, pkgs, tree, ... }:
+let
+ wifiInterface = "shenanigans0";
+ wifiMac = "00:0F:55:A8:2B:8E";
+ ssid = "Shenanigans";
+ password = "password123";
+in {
+ # Set interface name to ${wifiInterface}
+ services.udev.extraRules = ''
+ KERNEL=="wlan*", ATTR{address}=="${
+ lib.toLower wifiMac
+ }", NAME="${wifiInterface}"
+ '';
+
+ networking.interfaces."${wifiInterface}".ipv4.addresses = [{
+ address = "192.168.2.1";
+ prefixLength = 24;
+ }];
+
+ networking.networkmanager.unmanaged = [
+ # Wifi
+ "interface-name:${wifiInterface}"
+ "mac:${wifiMac}"
+ ];
+
+ systemd.services.wifi-relay = let inherit (pkgs) iptables gnugrep;
+ in {
+ description = "iptables rules for wifi-relay";
+ after = [ "dhcpd4.service" ];
+ wantedBy = [ "multi-user.target" ];
+ script = ''
+ ${iptables}/bin/iptables -w -t nat -I POSTROUTING -s 192.168.2.0/24 ! -o ${wifiInterface} -j MASQUERADE
+ ${iptables}/bin/iptables -w -I FORWARD -i ${wifiInterface} -s 192.168.2.0/24 -j ACCEPT
+ ${iptables}/bin/iptables -t nat -A PREROUTING -i ${wifiInterface} -p tcp --dport 80 -j REDIRECT --to-port 8080
+ ${iptables}/bin/iptables -t nat -A PREROUTING -i ${wifiInterface} -p tcp --dport 443 -j REDIRECT --to-port 8080
+ '';
+ };
+
+ networking.firewall = {
+ trustedInterfaces = [ wifiInterface ];
+ checkReversePath = lib.mkForce false;
+ allowedTCPPorts = [ 53 80 443 ];
+ };
+
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+ networking.firewall.allowedUDPPorts = [ 53 67 ];
+
+ services.hostapd = {
+ enable = true;
+ interface = wifiInterface;
+ inherit ssid;
+ wpaPassphrase = password;
+ };
+
+ services.dhcpd4 = {
+ enable = true;
+ interfaces = [ "${wifiInterface}" ];
+ extraConfig = ''
+ option subnet-mask 255.255.255.0;
+ option broadcast-address 192.168.2.255;
+ option routers 192.168.2.1;
+ option domain-name-servers 192.168.2.1;
+ subnet 192.168.2.0 netmask 255.255.255.0 {
+ range 192.168.2.100 192.168.2.200;
+ }
+ '';
+ };
+}
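Review bot: `allowedTCPPorts = [ 53 80 443 ]` and `networking.firewall.allowedUDPPorts = [ 53 67 ]` open those ports on every interface of the host, not only the hotspot, while `trustedInterfaces = [ wifiInterface ]` already admits all traffic arriving on the hotspot side; dropping the two global lists, or scoping them as `networking.firewall.interfaces.${wifiInterface}.allowedTCPPorts`, keeps the laptop's other interfaces closed. `password = "password123"` is rendered into the hostapd configuration, and everything a NixOS module renders lands in the world-readable Nix store, so the passphrase should be read from a file outside the store rather than written in the module, and a header comment should say this extra is only for a throwaway network if that is the intent. The `wifi-relay` unit inserts two rules with `-I` and appends two with `-A` on every start and never deletes them, so each restart duplicates the rule set; `serviceConfig.Type = "oneshot"` with `RemainAfterExit = true` and a `preStop` that removes the same four rules would make it idempotent. `gnugrep` is inherited from `pkgs` but never used in the script.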
diff --git a/flake.lock b/flake.lock
index 16dd622..868c399 100644
--- a/flake.lock
+++ b/flake.lock
@@ -9,11 +9,11 @@
 "utils": "utils"
 },
 "locked": {
- "lastModified": 1648475189,
- "narHash": "sha256-gAGAS6IagwoUr1B0ohE3iR6sZ8hP4LSqzYLC8Mq3WGU=",
+ "lastModified": 1652079807,
+ "narHash": "sha256-aCs1EwO9K2yJ1DcT4+4g7BMlJBWP7Xjs4k5i8ueR8PU=",
 "owner": "serokell",
 "repo": "deploy-rs",
- "rev": "83e0c78291cd08cb827ba0d553ad9158ae5a95c3",
+ "rev": "690f698b18345d894784752b5fa93b9b8f3cc29f",
 "type": "github"
 },
 "original": {
@@ -41,11 +41,11 @@
 "flake-compat_2": {
 "flake": false,
 "locked": {
- "lastModified": 1641205782,
- "narHash": "sha256-4jY7RCWUoZ9cKD8co0/4tFARpWB+57+r1bLLvXNJliY=",
+ "lastModified": 1650374568,
+ "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
 "owner": "edolstra",
 "repo": "flake-compat",
- "rev": "b7547d3eed6f32d06102ead8991ec52ab0a4f1a7",
+ "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
 "type": "github"
 },
 "original": {
@@ -61,11 +61,11 @@
 ]
 },
 "locked": {
- "lastModified": 1650234580,
- "narHash": "sha256-wTmlRedCrDl+XYJom65GMfI3RgA3eZE/w03lD28Txoc=",
+ "lastModified": 1651886851,
+ "narHash": "sha256-kbXOJSf1uho0/7P54nZkJdJY3oAelIjyc6tfiRhaXJI=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "742c6cb3e9d866e095c629162fe5faf519adeb26",
+ "rev": "882bd8118bdbff3a6e53e5ced393932b351ce2f6",
 "type": "github"
 },
 "original": {
@@ -83,11 +83,11 @@
 "utils": "utils_2"
 },
 "locked": {
- "lastModified": 1645539860,
- "narHash": "sha256-C4m74Hsc8dGKz0eU69SmX9KI3PP93dFXWD0ewFVRETI=",
+ "lastModified": 1650728466,
+ "narHash": "sha256-rsivJjnvUXFvVEeXU+6PqKzqPqYDf5H/wwPrSHWzy2Y=",
 "owner": "ChaotiCryptidz",
 "repo": "musicutil",
- "rev": "a64f25ebde7e79e29e4ac731441206c7e00dccdf",
+ "rev": "386be2bd37ade90573d4e61eb01f19772be64461",
 "type": "gitlab"
 },
 "original": {
@@ -103,11 +103,11 @@
 ]
 },
 "locked": {
- "lastModified": 1648278671,
- "narHash": "sha256-1WrR9ex+rKTjZtODNUZQhkWYUprtfOkjOyo9YWL2NMs=",
+ "lastModified": 1651916036,
+ "narHash": "sha256-UuD9keUGm4IuVEV6wdSYbuRm7CwfXE63hVkzKDjVsh4=",
 "owner": "lnl7",
 "repo": "nix-darwin",
- "rev": "4fdbb8168f61d31d3f90bb0d07f48de709c4fe79",
+ "rev": "2f2bdf658d2b79bada78dc914af99c53cad37cba",
 "type": "github"
 },
 "original": {
@@ -117,13 +117,29 @@
 "type": "github"
 }
 },
- "nixpkgs-unstable": {
+ "nixpkgs-stable": {
 "locked": {
- "lastModified": 1650161686,
- "narHash": "sha256-70ZWAlOQ9nAZ08OU6WY7n4Ij2kOO199dLfNlvO/+pf8=",
+ "lastModified": 1652020977,
+ "narHash": "sha256-9hDlNbrxzD/pLlXmoQ6gzxbYiSAKrj7uHYUWNByLFlI=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "1ffba9f2f683063c2b14c9f4d12c55ad5f4ed887",
+ "rev": "3c5ae9be1f18c790ea890ef8decbd0946c0b4c04",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-21.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-unstable": {
+ "locked": {
+ "lastModified": 1651726670,
+ "narHash": "sha256-dSGdzB49SEvdOJvrQWfQYkAefewXraHIV08Vz6iDXWQ=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "c777cdf5c564015d5f63b09cc93bef4178b19b01",
 "type": "github"
 },
 "original": {
@@ -139,6 +155,7 @@
 "home-manager-unstable": "home-manager-unstable",
 "musicutil": "musicutil",
 "nix-darwin-unstable": "nix-darwin-unstable",
+ "nixpkgs-stable": "nixpkgs-stable",
 "nixpkgs-unstable": "nixpkgs-unstable"
 }
 },
@@ -159,11 +176,11 @@
 },
 "utils_2": {
 "locked": {
- "lastModified": 1644229661,
- "narHash": "sha256-1YdnJAsNy69bpcjuoKdOYQX0YxZBiCYZo4Twxerqv7k=",
+ "lastModified": 1649676176,
+ "narHash": "sha256-OWKJratjt2RW151VUlJPRALb7OU2S5s+f0vLj4o1bHM=",
 "owner": "numtide",
 "repo": "flake-utils",
- "rev": "3cecb5b042f7f209c56ffd8371b2711a290ec797",
+ "rev": "a4b154ebbdc88c8498a5c7b01589addc9e9cb678",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 1130827..e7104c2 100644
--- a/flake.nix
+++ b/flake.nix
@@ -9,6 +9,8 @@
 nix-darwin-unstable.url = "github:lnl7/nix-darwin/master";
 nix-darwin-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable";
+ nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-21.11";
+
 deploy-rs.url = "github:serokell/deploy-rs";
 deploy-rs.inputs.nixpkgs.follows = "nixpkgs-unstable";
diff --git a/hosts/hetzner-vm/hetzner-vm.nix b/hosts/hetzner-vm/hetzner-vm.nix
index d1c3a0b..4622da8 100644
--- a/hosts/hetzner-vm/hetzner-vm.nix
+++ b/hosts/hetzner-vm/hetzner-vm.nix
@@ -29,6 +29,13 @@ imports = with tree; [ home.base home.dev.small ];
 };
+ nix.settings.auto-optimise-store = true;
+ nix.gc = {
+ automatic = true;
+ dates = "daily";
+ options = "--delete-older-than 1d";
+ };
+
 networking.hostName = "hetzner-vm";
 time.timeZone = "Europe/London";
diff --git a/hosts/hetzner-vm/services/invidious.nix b/hosts/hetzner-vm/services/invidious.nix
index 08ceb16..b1316f5 100644
--- a/hosts/hetzner-vm/services/invidious.nix
+++ b/hosts/hetzner-vm/services/invidious.nix
@@ -1,11 +1,13 @@
-_: {
+{ inputs, pkgs, ... }: {
 services.invidious = {
 enable = true;
+ package =
+ inputs.nixpkgs-stable.outputs.legacyPackages.${pkgs.system}.invidious;
 port = 3000;
 settings = {
 full_refresh = true;
 https_only = true;
- popular_enabled = false;
+ popular_enabled = true;
 statistics_enabled = true;
 registration_enabled = true;
 channel_threads = 2;
@@ -24,7 +26,7 @@ _: {
 player_style = "invidious";
 related_videos = true;
 autoplay = true;
- continue = false;
+ continue = true;
 continue_autoplay = true;
 quality = "hd720";
 local = false;
diff --git a/hosts/lappy/lappy.nix b/hosts/lappy/lappy.nix
index aaad739..2dffa2a 100644
--- a/hosts/lappy/lappy.nix
+++ b/hosts/lappy/lappy.nix
@@ -35,6 +35,9 @@ in {
 # For cross compiling and deploying to raspberry
 profiles.cross.arm64
+
+ #profiles.force_dns
+ #extras.shenanigans-hotspot
 ];
 services.mullvad-vpn.enable = true;
diff --git a/profiles/dnscrypt/dnscrypt.nix b/profiles/dnscrypt/dnscrypt.nix
index dfe8689..01a44c0 100644
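Review bot: `options = "--delete-older-than 1d"` combined with `dates = "daily"` leaves at most one day of previous system generations on a host that, judging by the deploy-rs input in this flake, is deployed remotely, so a bad deploy noticed later than that has no older generation left in the boot menu to roll back to. If the short window is deliberate (disk pressure on the VM), a comment such as `# small disk: keep only the current day's generations` would record that; otherwise `--delete-older-than 7d` is a safer default for a remote machine. The enclosing attribute set starts outside this hunk.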
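Review bot: The added `package = inputs.nixpkgs-stable.outputs.legacyPackages.${pkgs.system}.invidious` runs the nixos-21.11 build of invidious under the `services.invidious` module of the unstable nixpkgs the rest of the host uses, and the reason for the pin is not recorded anywhere; a comment beside it naming what it works around (`# pinned to nixos-21.11: <reason — TODO>`) is what lets the pin be removed later. nixos-21.11 is a release branch with a limited support window, so once it stops receiving updates this service — presumably public, given `registration_enabled = true` — is frozen on whatever the lock file holds, which argues for revisiting the pin on every `nix flake update`. `.outputs.legacyPackages` is redundant: `inputs.nixpkgs-stable.legacyPackages` reaches the same attribute.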
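Review bot: The two new entries `#profiles.force_dns` and `#extras.shenanigans-hotspot` are commented out with nothing saying when they are meant to be enabled, so after a few months they read as dead configuration; either drop them and rely on git history, or give them a one-line comment such as `# opt-in, uncomment to turn the laptop into the shenanigans hotspot` so the toggle is self-explanatory. The `imports` list they sit in starts outside this hunk.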
--- a/profiles/dnscrypt/dnscrypt.nix
+++ b/profiles/dnscrypt/dnscrypt.nix
@@ -4,9 +4,13 @@ networkmanager.dns = "none";
 };
+ #networking.nameservers = lib.mkForce [ "127.0.0.1.5353" ];
+
 services.dnscrypt-proxy2 = {
 enable = true;
 settings = {
+ #listen_addresses = ["127.0.0.1:5353" "[::1]:5353"];
+
 ipv6_servers = true;
 require_dnssec = true;
diff --git a/profiles/force_dns/force_dns.nix b/profiles/force_dns/force_dns.nix
new file mode 100644
index 0000000..5751fce
--- /dev/null
+++ b/profiles/force_dns/force_dns.nix
@@ -0,0 +1,7 @@
+{ lib, ...}: {
+ networking = {
+ resolvconf.useLocalResolver = false;
+ networkmanager.dns = "none";
+ };
+ networking.nameservers = lib.mkForce [ "1.1.1.1" ];
+}
diff --git a/scripts/rebuild.sh b/scripts/rebuild.sh
index 3ec937e..44fed58 100755
--- a/scripts/rebuild.sh
+++ b/scripts/rebuild.sh
@@ -14,4 +14,4 @@ FIRST_ARG="${1:-switch}"
 shift
-nixos-rebuild --flake "${REPO_ROOT}#$(hostname)" ${FIRST_ARG} $@
+nixos-rebuild --flake "path:${REPO_ROOT}#$(hostname)" ${FIRST_ARG} $@
diff --git a/scripts/update.sh b/scripts/update.sh
index 9af2c3a..346926b 100755
--- a/scripts/update.sh
+++ b/scripts/update.sh
@@ -4,10 +4,4 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 REPO_ROOT="${SCRIPT_DIR}/.."
 cd $REPO_ROOT
-# re-run as root
-if [ "$EUID" -ne 0 ]; then
-sudo ${BASH_SOURCE[0]} $@
-exit
-fi
-
-nix flake update
\ No newline at end of file
+nix flake update
diff --git a/treeConfig.nix b/treeConfig.nix
index a6eeea6..0d402e8 100644
--- a/treeConfig.nix
+++ b/treeConfig.nix
@@ -2,6 +2,8 @@
 tree = mkTree {
 folder = ./.;
 config = {
+ "extras/*".functor.enable = true;
+ "hosts/*/services".functor.enable = true;
 "hosts/raspberry/services/music-friend".functor.enable = true;
 "hosts/*/home".functor.enable = true;
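Review bot: The commented-out `#networking.nameservers = lib.mkForce [ "127.0.0.1.5353" ];` carries a typo that will bite whoever uncomments it: `127.0.0.1.5353` is neither an address nor an address:port pair, and `networking.nameservers` takes bare addresses anyway (they become resolv.conf `nameserver` lines, which cannot carry a port), so the usable form is `[ "127.0.0.1" ]` with dnscrypt-proxy left on port 53 rather than the `listen_addresses` 5353 variant sketched below it. Uncommenting it also needs `lib` in the module's argument list, which is outside this hunk and may not be there. Either fix the placeholder now or drop both commented lines rather than leaving a broken draft in the profile.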
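Review bot: `networking.nameservers = lib.mkForce [ "1.1.1.1" ]` pins every host importing this profile to a single plaintext IPv4 resolver with no fallback, and `mkForce` silently wins over whatever `profiles/dnscrypt` sets, so enabling it alongside that profile sends DNS unencrypted (and, depending on how mullvad-vpn handles resolver traffic, possibly outside the tunnel); that trade-off belongs in a header comment, e.g. `# Escape hatch: bypass dnscrypt and use Cloudflare directly — plaintext DNS, single resolver, no fallback.` Style-wise the two `networking` assignments can be one attribute set by moving the last line inside it as `nameservers = lib.mkForce [ "1.1.1.1" ];`, and `{ lib, ...}:` is missing the space before `}` that the other modules use.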
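Review bot: The `path:` prefix on the new `nixos-rebuild` line changes which files reach the Nix store: a `path:` flake reference copies the directory as a plain tree regardless of git tracking, so untracked and `.gitignore`d files under `REPO_ROOT` (scratch secrets, local overrides) are copied into the world-readable store and become part of the evaluation, whereas the previous bare path went through the git fetcher and used only tracked files. If the aim is just to include uncommitted edits, a `git add` without commit achieves that without pulling in ignored files; if `path:` is deliberate, a comment above the line saying why would stop the next reader from reverting it. Independently, `${FIRST_ARG} $@` should be `"${FIRST_ARG}" "$@"` so arguments containing spaces survive word splitting.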