1e2e2bdd35
grep -- '- &' .sops.yaml | cut -d'&' -f2 | grep _host | sed 's/_host//' | xargs -n2 clan secrets machines add for i in secrets/*.yaml; do host=$(basename $i .yaml); clan secrets import-sops $i --machine $host --user makefu --prefix ${host}-;done for i in secrets/*.yaml; do host=$(basename $i .yaml) ;clan secrets groups add-machine common "$host";done
147 lines
4.6 KiB
Nix
147 lines
4.6 KiB
Nix
{ config, pkgs, lib, ... }:
|
|
let
|
|
user = config.makefu.gui.user;
|
|
primaryIP = "192.168.8.11";
|
|
in {
|
|
|
|
imports =
|
|
[
|
|
../../2configs/default.nix
|
|
# Include the results of the hardware scan.
|
|
./nuc
|
|
|
|
|
|
../../2configs/home-manager
|
|
../../2configs/support-nixos.nix
|
|
../../2configs/zsh-user.nix
|
|
../../2configs/tools/core.nix
|
|
# ../../2configs/disable_v6.nix
|
|
../../2configs/tools/core-gui.nix
|
|
../../2configs/tools/extra-gui.nix
|
|
../../2configs/tools/media.nix
|
|
# ../../2configs/virtualisation/libvirt.nix
|
|
# ../../2configs/virtualisation/virtualbox.nix
|
|
|
|
../../2configs/tinc/retiolum.nix
|
|
../../2configs/gui/wbob-kiosk.nix
|
|
../../2configs/secrets/wbob-users.nix
|
|
{ environment.systemPackages = with pkgs ;[
|
|
nano
|
|
guake
|
|
]; }
|
|
{ services.vscode-server.enable = true; }
|
|
|
|
# ../../2configs/gui/studio-virtual.nix
|
|
# ../../2configs/audio/jack-on-pulse.nix
|
|
# ../../2configs/audio/realtime-audio.nix
|
|
# ../../2configs/vncserver.nix
|
|
## no need for dns logs anymore
|
|
# ../../2configs/logging/server.nix
|
|
|
|
# Services
|
|
# ../../2configs/hydra/stockholm.nix
|
|
|
|
../../2configs/share/wbob.nix
|
|
../../2configs/wireguard/thierry.nix
|
|
../../2configs/bluetooth-mpd.nix
|
|
|
|
# Sensors
|
|
# ../../2configs/stats/client.nix
|
|
# ../../2configs/stats/collectd-client.nix
|
|
../../2configs/stats/telegraf
|
|
../../2configs/stats/telegraf/airsensor.nix
|
|
../../2configs/stats/telegraf/europastats.nix
|
|
# ../../2configs/stats/external/aralast.nix
|
|
# ../../2configs/stats/arafetch.nix
|
|
# ../../2configs/hw/mceusb.nix
|
|
../../2configs/hw/slaesh.nix
|
|
# ../../2configs/stats/telegraf/bamstats.nix
|
|
{ environment.systemPackages = [ pkgs.vlc ]; }
|
|
|
|
../../2configs/bam # new hass entry point
|
|
../../2configs/bam/led-fader.nix
|
|
../../2configs/bam/printer.nix
|
|
# ../../2configs/bam/kalauerbot.nix now runs in thales
|
|
# ../../2configs/bam/visitor-photostore.nix
|
|
# ../../2configs/bam/mpd.nix #mpd is only used for TTS, this is the web interface
|
|
../../2configs/mqtt.nix
|
|
{
|
|
services.mjpg-streamer = {
|
|
enable = true;
|
|
inputPlugin = "input_uvc.so -d /dev/video0 -r 640x480 -y -f 30 -q 50 -n";
|
|
outputPlugin = "output_http.so -w @www@ -n -p 18088";
|
|
};
|
|
}
|
|
(let
|
|
collectd-port = 25826;
|
|
influx-port = 8086;
|
|
admin-port = 8083;
|
|
grafana-port = 3000; # TODO nginx forward
|
|
db = "collectd_db";
|
|
logging-interface = "enp0s25";
|
|
in {
|
|
networking.firewall.allowedTCPPorts = [ 3000 influx-port admin-port ];
|
|
|
|
services.grafana.enable = true;
|
|
services.grafana.settings.server.http_addr = "0.0.0.0";
|
|
services.influxdb.enable = true;
|
|
systemd.services.influxdb.serviceConfig.LimitNOFILE = 8192;
|
|
|
|
services.influxdb.extraConfig = {
|
|
meta.hostname = config.krebs.build.host.name;
|
|
# meta.logging-enabled = true;
|
|
http.bind-address = ":${toString influx-port}";
|
|
admin.bind-address = ":${toString admin-port}";
|
|
collectd = [{
|
|
enabled = true;
|
|
typesdb = "${pkgs.collectd}/share/collectd/types.db";
|
|
database = db;
|
|
bind-address = ":${toString collectd-port}";
|
|
}];
|
|
};
|
|
|
|
networking.firewall.extraCommands = ''
|
|
iptables -A INPUT -i ${logging-interface} -p tcp --dport ${toString grafana-port} -j ACCEPT
|
|
'';
|
|
})
|
|
|
|
../../2configs/backup/state.nix
|
|
# temporary
|
|
# ../../2configs/temp/rst-issue.nix
|
|
{
|
|
services.jellyfin.enable = true;
|
|
}
|
|
];
|
|
|
|
krebs = {
|
|
enable = true;
|
|
build.host = config.krebs.hosts.wbob;
|
|
};
|
|
|
|
networking.firewall.allowedUDPPorts = [ 655 ];
|
|
networking.firewall.allowedTCPPorts = [
|
|
655
|
|
8081 # smokeping
|
|
49152
|
|
];
|
|
networking.firewall.trustedInterfaces = [ "enp0s25" ];
|
|
#services.tinc.networks.siem = {
|
|
# name = "display";
|
|
# extraConfig = ''
|
|
# ConnectTo = sjump
|
|
# Port = 1655
|
|
# '';
|
|
#};
|
|
#boot.kernelPackages = pkgs.linuxPackages_latest;
|
|
# rt2870.bin wifi card, part of linux-unfree
|
|
hardware.enableRedistributableFirmware = true;
|
|
nixpkgs.config.allowUnfree = true;
|
|
# rt2870 with nonfree creates wlp2s0 from wlp0s20u2
|
|
# not explicitly setting the interface results in wpa_supplicant to crash
|
|
#networking.interfaces.virbr1.ipv4.addresses = [{
|
|
# address = "10.8.8.11";
|
|
# prefixLength = 24;
|
|
#}];
|
|
# nuc hardware
|
|
}
|