sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: per-bss settings in hostapd module, prepare vaultwarden for later

Browse source
This commit is contained in:
oddlama 2023-04-02 17:33:04 +02:00
parent 66bea99eb6
commit 5d095392cf
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
8 changed files with 900 additions and 611 deletions
Download patch file Download diff file Expand all files Collapse all files

30
flake.lock generated
View file

@ -8,11 +8,11 @@
]
},
"locked": {
"lastModified": 1677969766,
"narHash": "sha256-AIp/ZYZMNLDZR/H7iiAlaGpu4lcXsVt9JQpBlf43HRY=",
"lastModified": 1680281360,
"narHash": "sha256-XdLTgAzjJNDhAG2V+++0bHpSzfvArvr2pW6omiFfEJk=",
"owner": "ryantm",
"repo": "agenix",
"rev": "03b51fe8e459a946c4b88dcfb6446e45efb2c24e",
"rev": "e64961977f60388dd0b49572bb0fc453b871f896",
"type": "github"
},
"original": {
@ -188,11 +188,11 @@
]
},
"locked": {
"lastModified": 1680000368,
"narHash": "sha256-TlgC4IJ7aotynUdkGRtaAVxquaiddO38Ws89nB7VGY8=",
"lastModified": 1680389554,
"narHash": "sha256-+8FUmS4GbDMynQErZGXKg+wU76rq6mI5fprxFXFWKSM=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "765e4007b6f9f111469a25d1df6540e8e0ca73a6",
"rev": "ddd8866c0306c48f465e7f48432e6f1ecd1da7f8",
"type": "github"
},
"original": {
@ -227,11 +227,11 @@
]
},
"locked": {
"lastModified": 1679533405,
"narHash": "sha256-LQbHTnEn/jAME1AsJtjif5oVeNWUGdL/RMUZCb2Ts5I=",
"lastModified": 1680291155,
"narHash": "sha256-s1YCdBGhKl3kqlhTICKgfrfHyIbiUczqiUM/TBzCyf4=",
"owner": "astro",
"repo": "microvm.nix",
"rev": "31d3c1a05fba175e5d96f16256296ad4088ca9f5",
"rev": "2528d10d30524522027878c871b680532b5172da",
"type": "github"
},
"original": {
@ -257,11 +257,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1679944645,
"narHash": "sha256-e5Qyoe11UZjVfgRfwNoSU57ZeKuEmjYb77B9IVW7L/M=",
"lastModified": 1680213900,
"narHash": "sha256-cIDr5WZIj3EkKyCgj/6j3HBH4Jj1W296z7HTcWj1aMA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "4bb072f0a8b267613c127684e099a70e1f6ff106",
"rev": "e3652e0735fbec227f342712f180f4f21f0594f2",
"type": "github"
},
"original": {
@ -300,11 +300,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1678976941,
"narHash": "sha256-skNr08frCwN9NO+7I77MjOHHAw+L410/37JknNld+W4=",
"lastModified": 1680170909,
"narHash": "sha256-FtKU/edv1jFRr/KwUxWTYWXEyj9g8GBrHntC2o8oFI8=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "32b1dbedfd77892a6e375737ef04d8efba634e9e",
"rev": "29dbe1efaa91c3a415d8b45d62d48325a4748816",
"type": "github"
},
"original": {

67
hosts/ward/default.nix
View file

@ -22,9 +22,66 @@
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci"];
microvm.vms.agag = {
flake = self;
updateFlake = microvm;
};
autostart = ["guest"];
#services.authelia.instances.main = {
# enable = true;
# settings = {
# theme = "dark";
# log = {
# level = "info";
# format = "text";
# };
# server = {
# host = "127.0.0.1";
# port = 9091;
# };
# session = {
# name = "session";
# domain = "pas.sh";
# };
# authentication_backend.ldap = {
# implementation = "custom";
# url = "ldap://127.0.0.1:3890";
# base_dn = "dc=pas,dc=sh";
# username_attribute = "uid";
# additional_users_dn = "ou=people";
# users_filter = "(&({username_attribute}={input})(objectclass=person))";
# additional_groups_dn = "ou=groups";
# groups_filter = "(member={dn})";
# group_name_attribute = "cn";
# mail_attribute = "mail";
# display_name_attribute = "uid";
# user = "uid=authelia,ou=people,dc=pas,dc=sh";
# };
# storage.local = {
# path = "/var/lib/authelia-${cfg.name}/db.sqlite3";
# };
# access_control = {
# default_policy = "deny";
# };
# notifier.smtp = rec {
# host = "smtp.fastmail.com";
# port = 587;
# username = "a@example.com";
# sender = "noreply@example.com";
# startup_check_address = sender;
# disable_html_emails = true;
# };
# identity_providers.oidc = {
# cors.allowed_origins_from_client_redirect_uris = true;
# cors.endpoints = [
# "authorization"
# "introspection"
# "revocation"
# "token"
# "userinfo"
# ];
# };
# };
#};
#microvm.vms.agag = {
# flake = self;
# updateFlake = microvm;
#};
#microvm.autostart = ["guest"];
}

81
hosts/ward/vaultwarden.nix Normal file
View file

@ -0,0 +1,81 @@
{
config,
nodeSecrets,
...
}: {
services.vaultwarden = {
enable = true;
dbBackend = "sqlite";
settings = {
DATA_FOLDER = "/var/lib/vaultwarden";
EXTENDED_LOGGING = true;
USE_SYSLOG = true;
WEB_VAULT_ENABLED = true;
WEBSOCKET_ENABLED = true;
WEBSOCKET_ADDRESS = "127.0.0.1";
WEBSOCKET_PORT = 3012;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8012;
SIGNUPS_ALLOWED = false;
PASSWORD_ITERATIONS = 1000000;
INVITATIONS_ALLOWED = true;
INVITATION_ORG_NAME = "Vaultwarden";
DOMAIN = nodeSecrets.vaultwarden.domain;
SMTP_EMBED_IMAGES = true;
};
#backupDir = "/data/backup";
#YUBICO_CLIENT_ID=;
#YUBICO_SECRET_KEY=;
#ADMIN_TOKEN="$argon2id:TODO";
#SMTP_HOST={{ vaultwarden_smtp_host }};
#SMTP_FROM={{ vaultwarden_smtp_from }};
#SMTP_FROM_NAME={{ vaultwarden_smtp_from_name }};
#SMTP_PORT = 465;
#SMTP_SECURITY = "force_tls";
#SMTP_USERNAME={{ vaultwarden_smtp_username }};
#SMTP_PASSWORD={{ vaultwarden_smtp_password }};
#environmentFile = config.rekey.secrets.vaultwarden-env.path;
};
# Replace uses of old name
systemd.services.vaultwarden.seviceConfig.StateDirectory = "vaultwarden";
systemd.services.backup-vaultwarden.environment.DATA_FOLDER = "/var/lib/vaultwarden";
services.nginx = {
upstreams."vaultwarden" = {
servers = {"localhost:8012" = {};};
extraConfig = ''
zone vaultwarden 64k;
keepalive 2;
'';
};
upstreams."vaultwarden-websocket" = {
servers = {"localhost:3012" = {};};
extraConfig = ''
zone vaultwarden-websocket 64k;
keepalive 2;
'';
};
virtualHosts."${nodeSecrets.vaultwarden.domain}" = {
forceSSL = true;
#enableACME = true;
sslCertificate = config.rekey.secrets."selfcert.crt".path;
sslCertificateKey = config.rekey.secrets."selfcert.key".path;
locations."/" = {
proxyPass = "http://vaultwarden";
proxyWebsockets = true;
};
locations."/notifications/hub" = {
proxyPass = "http://vaultwarden-websocket";
proxyWebsockets = true;
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://vaultwarden";
proxyWebsockets = true;
};
};
};
}

2
hosts/zackbiene/default.nix
View file

@ -16,7 +16,7 @@
./fs.nix
./net.nix
./dnsmasq.nix
#./dnsmasq.nix
./esphome.nix
./home-assistant.nix
./hostapd.nix

14
hosts/zackbiene/hostapd.nix
View file

@ -2,6 +2,7 @@
lib,
config,
pkgs,
nodeSecrets,
...
}: {
imports = [../../modules/hostapd.nix];
@ -12,19 +13,24 @@
services.hostapd = {
enable = true;
interfaces = {
"wlan1" = {
ssid = "🍯🐝💨";
radios.wlan1 = {
hwMode = "g";
countryCode = "DE";
channel = 13; # Automatic Channel Selection (ACS) is unfortunately not implemented for mt7612u.
wifi4.capabilities = ["LDPC" "HT40+" "HT40-" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1"];
networks.wlan1 = {
inherit (nodeSecrets.hostapd) ssid;
macAcl = "deny";
apIsolate = true;
authentication = {
saePasswordsFile = config.rekey.secrets.wifi-clients.path;
saeAddToMacAllow = true;
enableRecommendedPairwiseCiphers = true;
};
wifi4.capabilities = ["LDPC" "HT40+" "HT40-" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1"];
};
networks.wlan1-1 = {
ssid = "Open";
authentication.mode = "none";
};
};
};

BIN
hosts/zackbiene/secrets/secrets.nix.age
View file

Binary file not shown.

BIN
hosts/zackbiene/secrets/wifi-clients.age
View file

Binary file not shown.

955
modules/hostapd.nix
View file

File diff suppressed because it is too large Load diff