nix
/
nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nixos-config/config/host-config/wormhole0.nix

230 lines
6.3 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
with lib;
let
hostname = "wormhole0";
primary-ip = "10.0.0.3";
state-dir = "/state";
zigbee2mqtt-statedir = "${state-dir}/services/zigbee2mqtt";
mosquitto-statedir = "${state-dir}/services/mosquitto";
home-assistant-port = 8123;
zigbee2mqtt-user = config.systemd.services.zigbee2mqtt.serviceConfig.User;
mosquitto-user = config.systemd.services.mosquitto.serviceConfig.User;
zigbee2mqtt-passwd-file =
pkgs.lib.passwd.stablerandom-passwd-file "zigbee2mqtt-passwd"
config.instance.build-seed;
host-secrets = config.fudo.secrets.host-secrets.${hostname};
host-passwds = config.fudo.secrets.files.service-passwords.${hostname};
in {
boot.kernel.sysctl = { "net.ipv4.ip_forward" = true; };
networking = {
hostName = hostname;
firewall.enable = false;
defaultGateway = {
address = "10.0.0.1";
interface = "intif0";
};
nameservers = [ "10.0.0.1" ];
interfaces = {
intif0 = {
useDHCP = false;
ipv4 = {
addresses = [{
address = primary-ip;
prefixLength = 24;
}];
};
};
wormif0.useDHCP = true;
wlp2s0.useDHCP = false;
};
dhcpcd.extraConfig = concatStringsSep "\n" [ "nogateway" ];
};
fudo.secrets.host-secrets.${hostname} = {
mosquitto-zigbee2mqtt-passwd = {
source-file = zigbee2mqtt-passwd-file;
target-file = "/run/mosquitto-secrets/zigbee2mqtt.passwd";
user = mosquitto-user;
};
mosquitto-home-assistant-passwd = {
source-file = host-passwds.mosquitto-home-assistant;
target-file = "/run/mosquitto-secrets/home-assistant.passwd";
user = mosquitto-user;
};
mosquitto-niten-passwd = {
source-file = host-passwds.mosquitto-niten;
target-file = "/run/mosquitto-secrets/niten.passwd";
user = mosquitto-user;
};
mosquitto-xiaoxuan-passwd = {
source-file = host-passwds.mosquitto-xiaoxuan;
target-file = "/run/mosquitto-secrets/xiaoxuan.passwd";
user = mosquitto-user;
};
};
systemd = {
services = {
wormhole-route = {
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
serviceConfig = {
ExecStart =
"${pkgs.iproute2}/bin/ip route add 192.168.86.0/24 dev wormif0";
ExecStop =
"${pkgs.iproute2}/bin/ip route del 192.168.86.0/24 dev wormif0";
RemainAfterExit = true;
};
};
zigbee2mqtt = {
after = [ config.fudo.secrets.secret-target "mosquitto.service" ];
restartIfChanged = true;
};
mosquitto = {
after = [ config.fudo.secrets.secret-target ];
restartIfChanged = true;
};
};
tmpfiles.rules = [
"L /root/.gnupg - - - - ${state-dir}/user/root/gnupg"
"L /root/.ssh/id_rsa - - - - ${state-dir}/user/root/ssh/id_rsa"
"L /root/.ssh/id_rsa.pub - - - - ${state-dir}/user/root/ssh/id_rsa.pub"
"L /root/.ssh/known_hosts - - - - ${state-dir}/user/root/ssh/known_hosts"
"L /etc/adjtime - - - - ${state-dir}/etc/adjtime"
"d /state/services 0711 root root - -"
"d ${zigbee2mqtt-statedir} 0700 ${zigbee2mqtt-user} - - -"
"d ${mosquitto-statedir} 0700 ${mosquitto-user} - - -"
];
};
users.groups = let
zigbee2mqtt-user = config.systemd.services.zigbee2mqtt.serviceConfig.User;
in { dialout.members = [ zigbee2mqtt-user ]; };
services = {
openssh.hostKeys = [
{
path = "${state-dir}/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
{
path = "${state-dir}/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
nginx = {
enable = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedGzipSettings = true;
virtualHosts."home-assist.sea.fudo.org" = {
locations."/" = {
proxyPass = "http://localhost:${toString home-assistant-port}";
proxyWebsockets = true;
};
};
};
mosquitto = {
enable = true;
dataDir = mosquitto-statedir;
listeners = [{
settings.allow_anonymous = false;
port = 1883;
users = {
zigbee2mqtt = {
passwordFile =
host-secrets.mosquitto-zigbee2mqtt-passwd.target-file;
acl = [ "readwrite #" ];
};
home-assistant = {
passwordFile =
host-secrets.mosquitto-home-assistant-passwd.target-file;
acl = [ "readwrite #" ];
};
niten = {
passwordFile = host-secrets.mosquitto-niten-passwd.target-file;
acl = [ "readwrite #" ];
};
xiaoxuan = {
passwordFile = host-secrets.mosquitto-xiaoxuan-passwd.target-file;
acl = [ "readwrite #" ];
};
};
}];
};
zigbee2mqtt = {
enable = true;
dataDir = zigbee2mqtt-statedir;
package = pkgs.pkgsUnstable.zigbee2mqtt;
settings = {
homeassistant = true;
permit_join = true;
serial.port = "/dev/ttyUSB0";
mqtt = {
server = "mqtt://127.0.0.1:1883";
user = "zigbee2mqtt";
password = readFile zigbee2mqtt-passwd-file;
# TODO: could make a yaml file containing password
# described https://www.zigbee2mqtt.io/guide/configuration/mqtt.html#server-connection
# Weird, though.
};
advanced.log_level = "debug";
};
};
avahi = {
enable = true;
reflector = true;
interfaces = [ "intif0" "worm0" ];
};
};
virtualisation = {
docker = {
enable = true;
enableOnBoot = true;
autoPrune.enable = true;
};
oci-containers = {
backend = "docker";
containers = {
home-assistant = {
image = "homeassistant/home-assistant:stable";
autoStart = true;
environment.TZ = config.time.timeZone;
#ports = [ "${toString home-assistant-port}:8123" ];
volumes = [ "/state/services/home-assistant:/config" ];
extraOptions = [ "--network=host" ];
};
};
};
};
security.sudo.extraConfig = ''
# Due to rollback, sudo will lecture after every reboot
Defaults lecture = never
'';
}
Reference in New Issue View Git Blame Copy Permalink