feat: per-bss settings in hostapd module, prepare vaultwarden for later

flake.lock

@@ -8,11 +8,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1677969766,
+        "lastModified": 1680281360,
-        "narHash": "sha256-AIp/ZYZMNLDZR/H7iiAlaGpu4lcXsVt9JQpBlf43HRY=",
+        "narHash": "sha256-XdLTgAzjJNDhAG2V+++0bHpSzfvArvr2pW6omiFfEJk=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "03b51fe8e459a946c4b88dcfb6446e45efb2c24e",
+        "rev": "e64961977f60388dd0b49572bb0fc453b871f896",
         "type": "github"
       },
       "original": {
@@ -188,11 +188,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1680000368,
+        "lastModified": 1680389554,
-        "narHash": "sha256-TlgC4IJ7aotynUdkGRtaAVxquaiddO38Ws89nB7VGY8=",
+        "narHash": "sha256-+8FUmS4GbDMynQErZGXKg+wU76rq6mI5fprxFXFWKSM=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "765e4007b6f9f111469a25d1df6540e8e0ca73a6",
+        "rev": "ddd8866c0306c48f465e7f48432e6f1ecd1da7f8",
         "type": "github"
       },
       "original": {
@@ -227,11 +227,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1679533405,
+        "lastModified": 1680291155,
-        "narHash": "sha256-LQbHTnEn/jAME1AsJtjif5oVeNWUGdL/RMUZCb2Ts5I=",
+        "narHash": "sha256-s1YCdBGhKl3kqlhTICKgfrfHyIbiUczqiUM/TBzCyf4=",
         "owner": "astro",
         "repo": "microvm.nix",
-        "rev": "31d3c1a05fba175e5d96f16256296ad4088ca9f5",
+        "rev": "2528d10d30524522027878c871b680532b5172da",
         "type": "github"
       },
       "original": {
@@ -257,11 +257,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1679944645,
+        "lastModified": 1680213900,
-        "narHash": "sha256-e5Qyoe11UZjVfgRfwNoSU57ZeKuEmjYb77B9IVW7L/M=",
+        "narHash": "sha256-cIDr5WZIj3EkKyCgj/6j3HBH4Jj1W296z7HTcWj1aMA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4bb072f0a8b267613c127684e099a70e1f6ff106",
+        "rev": "e3652e0735fbec227f342712f180f4f21f0594f2",
         "type": "github"
       },
       "original": {
@@ -300,11 +300,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1678976941,
+        "lastModified": 1680170909,
-        "narHash": "sha256-skNr08frCwN9NO+7I77MjOHHAw+L410/37JknNld+W4=",
+        "narHash": "sha256-FtKU/edv1jFRr/KwUxWTYWXEyj9g8GBrHntC2o8oFI8=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "32b1dbedfd77892a6e375737ef04d8efba634e9e",
+        "rev": "29dbe1efaa91c3a415d8b45d62d48325a4748816",
         "type": "github"
       },
       "original": {

hosts/ward/default.nix

@@ -22,9 +22,66 @@
 
   boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci"];
 
-  microvm.vms.agag = {
+  #services.authelia.instances.main = {
-    flake = self;
+  #  enable = true;
-    updateFlake = microvm;
+  #  settings = {
-  };
+  #    theme = "dark";
-  autostart = ["guest"];
+  #    log = {
+  #      level = "info";
+  #      format = "text";
+  #    };
+  #    server = {
+  #      host = "127.0.0.1";
+  #      port = 9091;
+  #    };
+  #    session = {
+  #      name = "session";
+  #      domain = "pas.sh";
+  #    };
+  #    authentication_backend.ldap = {
+  #      implementation = "custom";
+  #      url = "ldap://127.0.0.1:3890";
+  #      base_dn = "dc=pas,dc=sh";
+  #      username_attribute = "uid";
+  #      additional_users_dn = "ou=people";
+  #      users_filter = "(&({username_attribute}={input})(objectclass=person))";
+  #      additional_groups_dn = "ou=groups";
+  #      groups_filter = "(member={dn})";
+  #      group_name_attribute = "cn";
+  #      mail_attribute = "mail";
+  #      display_name_attribute = "uid";
+  #      user = "uid=authelia,ou=people,dc=pas,dc=sh";
+  #    };
+  #    storage.local = {
+  #      path = "/var/lib/authelia-${cfg.name}/db.sqlite3";
+  #    };
+  #    access_control = {
+  #      default_policy = "deny";
+  #    };
+  #    notifier.smtp = rec {
+  #      host = "smtp.fastmail.com";
+  #      port = 587;
+  #      username = "a@example.com";
+  #      sender = "noreply@example.com";
+  #      startup_check_address = sender;
+  #      disable_html_emails = true;
+  #    };
+  #    identity_providers.oidc = {
+  #      cors.allowed_origins_from_client_redirect_uris = true;
+  #      cors.endpoints = [
+  #        "authorization"
+  #          "introspection"
+  #          "revocation"
+  #          "token"
+  #          "userinfo"
+  #      ];
+  #    };
+  #  };
+  #};
+
+  #microvm.vms.agag = {
+  #  flake = self;
+  #  updateFlake = microvm;
+  #};
+  #microvm.autostart = ["guest"];
 }

hosts/ward/vaultwarden.nix

@@ -0,0 +1,81 @@
+{
+  config,
+  nodeSecrets,
+  ...
+}: {
+  services.vaultwarden = {
+    enable = true;
+    dbBackend = "sqlite";
+    settings = {
+      DATA_FOLDER = "/var/lib/vaultwarden";
+      EXTENDED_LOGGING = true;
+      USE_SYSLOG = true;
+      WEB_VAULT_ENABLED = true;
+
+      WEBSOCKET_ENABLED = true;
+      WEBSOCKET_ADDRESS = "127.0.0.1";
+      WEBSOCKET_PORT = 3012;
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = 8012;
+
+      SIGNUPS_ALLOWED = false;
+      PASSWORD_ITERATIONS = 1000000;
+      INVITATIONS_ALLOWED = true;
+      INVITATION_ORG_NAME = "Vaultwarden";
+      DOMAIN = nodeSecrets.vaultwarden.domain;
+
+      SMTP_EMBED_IMAGES = true;
+    };
+    #backupDir = "/data/backup";
+    #YUBICO_CLIENT_ID=;
+    #YUBICO_SECRET_KEY=;
+    #ADMIN_TOKEN="$argon2id:TODO";
+    #SMTP_HOST={{ vaultwarden_smtp_host }};
+    #SMTP_FROM={{ vaultwarden_smtp_from }};
+    #SMTP_FROM_NAME={{ vaultwarden_smtp_from_name }};
+    #SMTP_PORT = 465;
+    #SMTP_SECURITY = "force_tls";
+    #SMTP_USERNAME={{ vaultwarden_smtp_username }};
+    #SMTP_PASSWORD={{ vaultwarden_smtp_password }};
+    #environmentFile = config.rekey.secrets.vaultwarden-env.path;
+  };
+
+  # Replace uses of old name
+  systemd.services.vaultwarden.seviceConfig.StateDirectory = "vaultwarden";
+  systemd.services.backup-vaultwarden.environment.DATA_FOLDER = "/var/lib/vaultwarden";
+
+  services.nginx = {
+    upstreams."vaultwarden" = {
+      servers = {"localhost:8012" = {};};
+      extraConfig = ''
+        zone vaultwarden 64k;
+        keepalive 2;
+      '';
+    };
+    upstreams."vaultwarden-websocket" = {
+      servers = {"localhost:3012" = {};};
+      extraConfig = ''
+        zone vaultwarden-websocket 64k;
+        keepalive 2;
+      '';
+    };
+    virtualHosts."${nodeSecrets.vaultwarden.domain}" = {
+      forceSSL = true;
+      #enableACME = true;
+      sslCertificate = config.rekey.secrets."selfcert.crt".path;
+      sslCertificateKey = config.rekey.secrets."selfcert.key".path;
+      locations."/" = {
+        proxyPass = "http://vaultwarden";
+        proxyWebsockets = true;
+      };
+      locations."/notifications/hub" = {
+        proxyPass = "http://vaultwarden-websocket";
+        proxyWebsockets = true;
+      };
+      locations."/notifications/hub/negotiate" = {
+        proxyPass = "http://vaultwarden";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}

hosts/zackbiene/default.nix

@@ -16,7 +16,7 @@
     ./fs.nix
     ./net.nix
 
-    ./dnsmasq.nix
+    #./dnsmasq.nix
     ./esphome.nix
     ./home-assistant.nix
     ./hostapd.nix

hosts/zackbiene/hostapd.nix

@@ -2,6 +2,7 @@
   lib,
   config,
   pkgs,
+  nodeSecrets,
   ...
 }: {
   imports = [../../modules/hostapd.nix];
@@ -12,19 +13,24 @@
 
   services.hostapd = {
     enable = true;
-    interfaces = {
+    radios.wlan1 = {
-      "wlan1" = {
+      hwMode = "g";
-        ssid = "🍯🐝💨";
+      countryCode = "DE";
-        hwMode = "g";
+      channel = 13; # Automatic Channel Selection (ACS) is unfortunately not implemented for mt7612u.
-        countryCode = "DE";
+      wifi4.capabilities = ["LDPC" "HT40+" "HT40-" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1"];
-        channel = 13; # Automatic Channel Selection (ACS) is unfortunately not implemented for mt7612u.
+      networks.wlan1 = {
+        inherit (nodeSecrets.hostapd) ssid;
         macAcl = "deny";
         apIsolate = true;
         authentication = {
           saePasswordsFile = config.rekey.secrets.wifi-clients.path;
           saeAddToMacAllow = true;
+          enableRecommendedPairwiseCiphers = true;
         };
-        wifi4.capabilities = ["LDPC" "HT40+" "HT40-" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1"];
+      };
+      networks.wlan1-1 = {
+        ssid = "Open";
+        authentication.mode = "none";
       };
     };
   };