fixes and new stuff

2023-09-10 00:34:14 +02:00 · 2023-09-10 00:34:14 +02:00 · bd128d43b0
parent fa021cc190
commit bd128d43b0
9 changed files with 115 additions and 143 deletions
--- a/flake.nix
+++ b/flake.nix
@ -109,7 +109,6 @@
        netcat-openbsd = super.libressl.nc;
      })
      (import ./overlays/qmk-udev-rules.nix)
-      (import ./overlays/sane-backends.nix)
      (import ./overlays/logisim.nix)
      (import ./overlays/fzf-kak.nix)
      (import ./overlays/prometheus-fritzbox-exporter.nix)
@ -161,7 +160,7 @@
          pkgFiles = builtins.attrNames (builtins.readDir ./pkgs);
          toPackage = file: {
            name = builtins.replaceStrings [".nix"] [""] file;
-            value = pkgs.callPackage ./pkgs/${file} {};
+            value = pkgs.callPackage ./pkgs/${file} {inherit inputs;};
          };
        in
          builtins.listToAttrs (builtins.map toPackage pkgFiles);
--- a/hardware/intel-nuc.nix
+++ b/hardware/intel-nuc.nix
@ -1,6 +1,4 @@
 {
-  lib,
-  pkgs,
  modulesPath,
  ...
 }:
@ -15,97 +13,16 @@

  # === Internal drive ===
  fileSystems."/" = {
-    device = "zroot/safe/root";
-    fsType = "zfs";
-  };
-
-  fileSystems."/nix" = {
-    device = "zroot/local/nix";
-    fsType = "zfs";
-  };
-
-  fileSystems."/var/log/journal" = {
-    device = "zroot/safe/journal";
-    fsType = "zfs";
+    device = "/dev/disk/by-label/root";
+    fsType = "ext4";
  };

  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/8BB2-9DCB";
+    device = "/dev/disk/by-label/esp";
    fsType = "vfat";
  };

-  # === Swap ===
-  swapDevices = [{device = "/dev/disk/by-uuid/efc7e294-1c18-4dd9-aca5-f868eb9c47fc";}];
+  swapDevices = [
+    {device = "/dev/disk/by-label/swap";}
+  ];
 }
-// (
-  # === External drives ===
-  let
-    cryptsetup = "${pkgs.cryptsetup}/bin/cryptsetup";
-    unlockLuksService = label: keyfile:
-      lib.attrsets.recursiveUpdate {
-        description = "Unlock luks encrypted device '${label}'";
-        bindsTo = ["dev-${label}.device"];
-        after = ["dev-${label}.device"];
-        serviceConfig = {
-          Type = "oneshot";
-          RemainAfterExit = true;
-          ExecStart = ''
-            ${cryptsetup} luksOpen --key-file ${keyfile} /dev/${label} ${label}opened
-          '';
-          ExecStop = ''
-            ${cryptsetup} luksClose ${label}opened
-          '';
-        };
-      };
-
-    disks = {
-      FRA = "8ae45289-82ed-4cf1-9d68-a0e26e5d9bb5";
-      BER = "85ce2e58-72fc-4a66-a376-565bb4fc39a1";
-      HND = "4a3765fc-155e-453d-a348-d1782447bcfe";
-      LEJ = "5e3c2c1e-73f6-43e6-b8f3-71c923cbeb6d";
-    };
-  in {
-    # Unlock all luks devices and import the zfs pools if necessary
-    systemd.services."luks-open-FRA" =
-      unlockLuksService "FRA" "/root/keys/fra" {};
-    systemd.services."luks-open-BER" = unlockLuksService "BER" "/root/keys/ber" {
-      serviceConfig.ExecStartPost = "${pkgs.zfs}/bin/zpool import zBER";
-    };
-    systemd.services."luks-open-HND" = unlockLuksService "HND" "/root/keys/hnd" {
-      serviceConfig.ExecStartPost = "${pkgs.zfs}/bin/zpool import zHND";
-    };
-    systemd.services."luks-open-LEJ" =
-      unlockLuksService "LEJ" "/root/keys/lej" {};
-
-    systemd.mounts = [
-      {
-        what = "/dev/mapper/FRAopened";
-        where = "/srv/fra";
-        type = "ext4";
-        wantedBy = ["default.target"];
-        requires = ["luks-open-FRA.service"];
-        after = ["luks-open-FRA.service"];
-      }
-      {
-        what = "/dev/mapper/vg_lej-lv_lej";
-        where = "/srv/lej";
-        type = "ext4";
-        wantedBy = ["default.target"];
-        requires = ["luks-open-LEJ.service"];
-        after = ["luks-open-LEJ.service"];
-      }
-    ];
-
-    # Add udev rules for every disk
-    services.udev.customRules = [
-      {
-        name = "85-rename-and-unlock-disks";
-        rules = lib.concatStringsSep "\n" (lib.attrsets.mapAttrsToList
-          (alias: uuid: ''
-            SUBSYSTEM=="block", ENV{ID_FS_UUID}=="${uuid}", SYMLINK+="${alias}", TAG+="systemd"
-          '')
-          disks);
-      }
-    ];
-  }
-)
--- a/hosts/cerithium-telescopium.nix
+++ b/hosts/cerithium-telescopium.nix
@ -0,0 +1,31 @@
+{
+  pkgs,
+  ...
+}: {
+  imports = [
+    ../hardware/intel-nuc.nix
+  ];
+  config = {
+    boot.loader.systemd-boot.enable = true;
+    boot.loader.efi.canTouchEfiVariables = true;
+
+    networking.hostName = "cerithium-telescopium";
+    networking.networkmanager.enable = true;
+
+    users.extraUsers.kodi.isNormalUser = true;
+
+    services.cage = {
+      enable = true;
+      program = "${pkgs.kodi-wayland}/bin/kodi-standalone";
+      user = "kodi";
+    };
+
+    # This value determines the NixOS release from which the default
+    # settings for stateful data, like file locations and database versions
+    # on your system were taken. It‘s perfectly fine and recommended to leave
+    # this value at the release version of the first install of this system.
+    # Before changing this value read the documentation for this option
+    # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+    system.stateVersion = "23.11"; # Did you read the comment?
+  };
+}
--- a/hosts/chrysomallon-squamiferum.nix
+++ b/hosts/chrysomallon-squamiferum.nix
@ -0,0 +1,34 @@
+{
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/netboot/netboot-minimal.nix")
+  ];
+
+  config = {
+    networking.hostName = "chrysomallon-squamiferum";
+    networking.networkmanager.enable = true;
+    networking.wireless.enable = false;
+    networking.firewall.enable = false;
+    settings.ssh.openOutsideVPN = true;
+
+    users.users.nixos.openssh.authorizedKeys.keyFiles = [../users/malte/yubikey.pub];
+
+    environment.systemPackages = with pkgs; [
+      # For special computers
+      chntpw
+      # For testing
+      # geekbench
+    ];
+
+    # This value determines the NixOS release from which the default
+    # settings for stateful data, like file locations and database versions
+    # on your system were taken. It‘s perfectly fine and recommended to leave
+    # this value at the release version of the first install of this system.
+    # Before changing this value read the documentation for this option
+    # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+    system.stateVersion = "23.11"; # Did you read the comment?
+  };
+}
--- a/hosts/granodomus-lima.nix
+++ b/hosts/granodomus-lima.nix
@ -75,6 +75,7 @@
          ${point "time" faunus-ater}
          ${point "todo" faunus-ater}
          ${point "support" faunus-ater}
+          ${point "config" faunus-ater}
        '';
      };
    };
--- a/modules/base-system.nix
+++ b/modules/base-system.nix
@ -24,7 +24,6 @@ in {
    ./deck.nix
    ./radicale.nix
    ./restic.nix
-    ./scanner.nix
    ./taskserver.nix
    ./wakeup.nix
    ./darkman.nix
--- a/modules/scanner.nix
+++ b/modules/scanner.nix
@ -1,29 +0,0 @@
-{pkgs, ...}: let
-  # TODO: Can I specify this in a better way?
-  device = "gt68xx";
-
-  scan-a4 = pkgs.writeShellApplication {
-    name = "scan-a4";
-    runtimeInputs = with pkgs; [
-      sane-backends
-      imagemagick
-    ];
-    text = ''
-      if [[ -z $1 ]]; then
-        echo "Missing filename"
-        exit 1
-      fi
-
-      scanimage --device-name ${device} \
-                -x 210 \
-                -y 297 \
-                -o /tmp/last-scan.png \
-                --resolution 150 || exit 2
-      convert /tmp/last-scan.png "$1" || exit 3
-    '';
-  };
-in {
-  hardware.sane.enable = true;
-
-  environment.systemPackages = [scan-a4];
-}
--- a/overlays/sane-backends.nix
+++ b/overlays/sane-backends.nix
@ -1,22 +0,0 @@
-self: super: {
-  sane-backends-old = super.sane-backends;
-  sane-backends =
-    (super.sane-backends.override {
-      extraFirmware = [
-        {
-          src = super.fetchurl {
-            url = "www.meier-geinitz.de/sane/gt68xx-backend/firmware/sbfw.usb";
-            sha256 = "12hnacivpy153alfjyr7k92y90nmb5d7z1ca7aix5w7wi0w4jdjv";
-          };
-          name = "sbfw.usb";
-          backend = "gt68xx";
-        }
-      ];
-    })
-    .overrideAttrs (old: {
-      patches = (old.patches or []) ++ [../patches/gt68xx.conf.patch];
-    });
-  libreoffice-fresh = super.lib.recursiveUpdate super.libreoffice-fresh (super.libreoffice-fresh.libreoffice.override {
-    sane-backends = self.sane-backends-old;
-  });
-}
--- a/pkgs/netboot.nix
+++ b/pkgs/netboot.nix
@ -0,0 +1,42 @@
+{
+  writeShellApplication,
+  pixiecore,
+  nix,
+  iptables,
+  inputs,
+  build ? inputs.self.nixosConfigurations.chrysomallon-squamiferum.config.system.build,
+  ...
+}: let 
+netboot = writeShellApplication {
+  name = "netboot";
+  runtimeInputs = [pixiecore];
+  text = ''
+    exec pixiecore boot \
+      ${build.kernel}/bzImage \
+      ${build.netbootRamdisk}/initrd \
+      --cmdline "init=${build.toplevel}/init loglevel=4" \
+      --dhcp-no-bind \
+      --debug \
+      --port 64172 \
+      --status-port 64172 \
+      "$@"
+  '';
+}; in writeShellApplication {
+  name = "run-netboot-server";
+  runtimeInputs = [
+    netboot
+    nix
+    iptables
+  ];
+  text = ''
+    # Open required firewall ports
+    sudo iptables -w -I nixos-fw -p udp -m multiport --dports 67,69,4011 -j ACCEPT
+    sudo iptables -w -I nixos-fw -p tcp -m tcp --dport 64172 -j ACCEPT
+
+    sudo netboot || echo "Closed netboot"
+
+    # Close ports
+    sudo iptables -w -D nixos-fw -p udp -m multiport --dports 67,69,4011 -j ACCEPT
+    sudo iptables -w -D nixos-fw -p tcp -m tcp --dport 64172 -j ACCEPT
+  '';
+}