router: setup cameras vlan

chore(deps): lock file maintenance
macbook: add shell utilities
2024-09-17 09:20:27 +01:00 · 2024-09-15 16:01:08 +00:00 · 2024-09-14 02:39:26 +01:00 · 2024-09-14 02:30:20 +01:00 · 2024-09-10 00:00:51 +00:00 · 2024-09-09 23:00:50 +00:00
12 changed files with 185 additions and 74 deletions
--- a/.gitea/workflows/flake.yaml
+++ b/.gitea/workflows/flake.yaml
@ -12,8 +12,8 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: DeterminateSystems/nix-installer-action@v13
-      - uses: DeterminateSystems/magic-nix-cache-action@v7
+      - uses: DeterminateSystems/nix-installer-action@da36cb69b1c3247ad7a1f931ebfd954a1105ef14 # v14
+      - uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8
      - name: lint
        run: |
          nix fmt
--- a/darwin/jakehillion-mba-m2-15/configuration.nix
+++ b/darwin/jakehillion-mba-m2-15/configuration.nix
@ -0,0 +1,27 @@
+{ config, pkgs, ... }:
+
+{
+  config = {
+    system.stateVersion = 4;
+
+    networking.hostName = "jakehillion-mba-m2-15";
+
+    nix = {
+      useDaemon = true;
+    };
+
+    programs.zsh.enable = true;
+
+    security.pam.enableSudoTouchIdAuth = true;
+
+    environment.systemPackages = with pkgs; [
+      fd
+      htop
+      mosh
+      neovim
+      nix
+      ripgrep
+      sapling
+    ];
+  };
+}
--- a/flake.lock
+++ b/flake.lock
@ -2,7 +2,9 @@
  "nodes": {
    "agenix": {
      "inputs": {
-        "darwin": "darwin",
+        "darwin": [
+          "darwin"
+        ],
        "home-manager": [
          "home-manager"
        ],
@ -28,21 +30,19 @@
    "darwin": {
      "inputs": {
        "nixpkgs": [
-          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1700795494,
-        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "lastModified": 1726188813,
+        "narHash": "sha256-Vop/VRi6uCiScg/Ic+YlwsdIrLabWUJc57dNczp0eBc=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "rev": "21fe31f26473c180390cfa81e3ea81aca0204c80",
        "type": "github"
      },
      "original": {
        "owner": "lnl7",
-        "ref": "master",
        "repo": "nix-darwin",
        "type": "github"
      }
@ -72,11 +72,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1720042825,
-        "narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=",
+        "lastModified": 1725703823,
+        "narHash": "sha256-tDgM4d8mLK0Hd6YMB2w1BqMto1XBXADOzPEaLl10VI4=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073",
+        "rev": "208df2e558b73b6a1f0faec98493cb59a25f62ba",
        "type": "github"
      },
      "original": {
@ -93,11 +93,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1723399884,
-        "narHash": "sha256-97wn0ihhGqfMb8WcUgzzkM/TuAxce2Gd20A8oiruju4=",
+        "lastModified": 1726357542,
+        "narHash": "sha256-p4OrJL2weh0TRtaeu1fmNYP6+TOp/W2qdaIJxxQay4c=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "086f619dd991a4d355c07837448244029fc2d9ab",
+        "rev": "e524c57b1fa55d6ca9d8354c6ce1e538d2a1f47f",
        "type": "github"
      },
      "original": {
@ -108,11 +108,11 @@
    },
    "impermanence": {
      "locked": {
-        "lastModified": 1719091691,
-        "narHash": "sha256-AxaLX5cBEcGtE02PeGsfscSb/fWMnyS7zMWBXQWDKbE=",
+        "lastModified": 1725690722,
+        "narHash": "sha256-4qWg9sNh5g1qPGO6d/GV2ktY+eDikkBTbWSg5/iD2nY=",
        "owner": "nix-community",
        "repo": "impermanence",
-        "rev": "23c1f06316b67cb5dabdfe2973da3785cfe9c34a",
+        "rev": "63f4d0443e32b0dd7189001ee1894066765d18a5",
        "type": "github"
      },
      "original": {
@ -124,11 +124,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1723310128,
-        "narHash": "sha256-IiH8jG6PpR4h9TxSGMYh+2/gQiJW9MwehFvheSb5rPc=",
+        "lastModified": 1725885300,
+        "narHash": "sha256-5RLEnou1/GJQl+Wd+Bxaj7QY7FFQ9wjnFq1VNEaxTmc=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "c54cf53e022b0b3c1d3b8207aa0f9b194c24f0cf",
+        "rev": "166dee4f88a7e3ba1b7a243edb1aca822f00680e",
        "type": "github"
      },
      "original": {
@ -139,11 +139,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1723688146,
-        "narHash": "sha256-sqLwJcHYeWLOeP/XoLwAtYjr01TISlkOfz+NG82pbdg=",
+        "lastModified": 1726320982,
+        "narHash": "sha256-RuVXUwcYwaUeks6h3OLrEmg14z9aFXdWppTWPMTwdQw=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "c3d4ac725177c030b1e289015989da2ad9d56af0",
+        "rev": "8f7492cce28977fbf8bd12c72af08b1f6c7c3e49",
        "type": "github"
      },
      "original": {
@ -155,11 +155,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1723637854,
-        "narHash": "sha256-med8+5DSWa2UnOqtdICndjDAEjxr5D7zaIiK4pn0Q7c=",
+        "lastModified": 1726243404,
+        "narHash": "sha256-sjiGsMh+1cWXb53Tecsm4skyFNag33GPbVgCdfj3n9I=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "c3aa7b8938b17aebd2deecf7be0636000d62a2b9",
+        "rev": "345c263f2f53a3710abe117f28a5cb86d0ba4059",
        "type": "github"
      },
      "original": {
@ -172,6 +172,7 @@
    "root": {
      "inputs": {
        "agenix": "agenix",
+        "darwin": "darwin",
        "flake-utils": "flake-utils",
        "home-manager": "home-manager",
        "home-manager-unstable": "home-manager-unstable",
--- a/flake.nix
+++ b/flake.nix
@ -7,8 +7,12 @@

    flake-utils.url = "github:numtide/flake-utils";

+    darwin.url = "github:lnl7/nix-darwin";
+    darwin.inputs.nixpkgs.follows = "nixpkgs";
+
    agenix.url = "github:ryantm/agenix";
    agenix.inputs.nixpkgs.follows = "nixpkgs";
+    agenix.inputs.darwin.follows = "darwin";
    agenix.inputs.home-manager.follows = "home-manager";

    home-manager.url = "github:nix-community/home-manager/release-24.05";
@ -21,47 +25,67 @@

  description = "Hillion Nix flake";

-  outputs = { self, nixpkgs, nixpkgs-unstable, nixos-hardware, flake-utils, agenix, home-manager, home-manager-unstable, impermanence, ... }@inputs: {
-    nixosConfigurations =
-      let
-        fqdns = builtins.attrNames (builtins.readDir ./hosts);
-        getSystemOverlays = system: nixpkgsConfig: [
-          (final: prev: {
-            "storj" = final.callPackage ./pkgs/storj.nix { };
-          })
-        ];
-        mkHost = fqdn:
-          let
-            system = builtins.readFile ./hosts/${fqdn}/system;
-            func = if builtins.pathExists ./hosts/${fqdn}/unstable then nixpkgs-unstable.lib.nixosSystem else nixpkgs.lib.nixosSystem;
-            home-manager-pick = if builtins.pathExists ./hosts/${fqdn}/unstable then home-manager-unstable else home-manager;
-          in
-          func {
-            inherit system;
-            specialArgs = inputs;
-            modules = [
-              ./hosts/${fqdn}/default.nix
-              ./modules/default.nix
+  outputs = { self, nixpkgs, nixpkgs-unstable, nixos-hardware, flake-utils, agenix, home-manager, home-manager-unstable, darwin, impermanence, ... }@inputs:
+    let
+      getSystemOverlays = system: nixpkgsConfig: [
+        (final: prev: {
+          unstable = nixpkgs-unstable.legacyPackages.${prev.system};
+          "storj" = final.callPackage ./pkgs/storj.nix { };
+        })
+      ];
+    in
+    {
+      nixosConfigurations =
+        let
+          fqdns = builtins.attrNames (builtins.readDir ./hosts);
+          mkHost = fqdn:
+            let
+              system = builtins.readFile ./hosts/${fqdn}/system;
+              func = if builtins.pathExists ./hosts/${fqdn}/unstable then nixpkgs-unstable.lib.nixosSystem else nixpkgs.lib.nixosSystem;
+              home-manager-pick = if builtins.pathExists ./hosts/${fqdn}/unstable then home-manager-unstable else home-manager;
+            in
+            func {
+              inherit system;
+              specialArgs = inputs;
+              modules = [
+                ./hosts/${fqdn}/default.nix
+                ./modules/default.nix

-              agenix.nixosModules.default
-              impermanence.nixosModules.impermanence
+                agenix.nixosModules.default
+                impermanence.nixosModules.impermanence

-              home-manager-pick.nixosModules.default
-              {
-                home-manager.sharedModules = [
-                  impermanence.nixosModules.home-manager.impermanence
-                ];
-              }
+                home-manager-pick.nixosModules.default
+                {
+                  home-manager.sharedModules = [
+                    impermanence.nixosModules.home-manager.impermanence
+                  ];
+                }

-              ({ config, ... }: {
-                system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
-                nixpkgs.overlays = getSystemOverlays config.nixpkgs.hostPlatform.system config.nixpkgs.config;
-              })
-            ];
-          };
-      in
-      nixpkgs.lib.genAttrs fqdns mkHost;
-  } // flake-utils.lib.eachDefaultSystem (system: {
-    formatter = nixpkgs.legacyPackages.${system}.nixpkgs-fmt;
-  });
+                ({ config, ... }: {
+                  system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
+                  nixpkgs.overlays = getSystemOverlays config.nixpkgs.hostPlatform.system config.nixpkgs.config;
+                })
+              ];
+            };
+        in
+        nixpkgs.lib.genAttrs fqdns mkHost;
+
+      darwinConfigurations = {
+        jakehillion-mba-m2-15 = darwin.lib.darwinSystem {
+          system = "aarch64-darwin";
+          specialArgs = inputs;
+
+          modules = [
+            ./darwin/jakehillion-mba-m2-15/configuration.nix
+
+            ({ config, ... }: {
+              nixpkgs.overlays = getSystemOverlays "aarch64-darwin" config.nixpkgs.config;
+            })
+          ];
+        };
+      };
+
+    } // flake-utils.lib.eachDefaultSystem (system: {
+      formatter = nixpkgs.legacyPackages.${system}.nixpkgs-fmt;
+    });
 }
--- a/hosts/boron.cx.ts.hillion.co.uk/default.nix
+++ b/hosts/boron.cx.ts.hillion.co.uk/default.nix
@ -101,6 +101,18 @@
      fileSystems = [ "/data" ];
    };

+    ## General usability
+    ### Make podman available for dev tools such as act
+    virtualisation = {
+      containers.enable = true;
+      podman = {
+        enable = true;
+        dockerCompat = true;
+        dockerSocket.enable = true;
+      };
+    };
+    users.users.jake.extraGroups = [ "podman" ];
+
    ## Networking
    boot.kernel.sysctl = {
      "net.ipv4.ip_forward" = true;
--- a/hosts/boron.cx.ts.hillion.co.uk/hardware-configuration.nix
+++ b/hosts/boron.cx.ts.hillion.co.uk/hardware-configuration.nix
@ -18,7 +18,7 @@
    {
      device = "tmpfs";
      fsType = "tmpfs";
-      options = [ "mode=0755" ];
+      options = [ "mode=0755" "size=100%" ];
    };

  fileSystems."/boot" =
--- a/hosts/router.home.ts.hillion.co.uk/default.nix
+++ b/hosts/router.home.ts.hillion.co.uk/default.nix
@ -32,6 +32,14 @@
      nat.enable = lib.mkForce false;

      useDHCP = false;
+
+      vlans = {
+        cameras = {
+          id = 3;
+          interface = "eth2";
+        };
+      };
+
      interfaces = {
        enp1s0 = {
          name = "eth0";
@ -56,6 +64,14 @@
            }
          ];
        };
+        cameras /* cameras@eth2 */ = {
+          ipv4.addresses = [
+            {
+              address = "10.133.145.1";
+              prefixLength = 24;
+            }
+          ];
+        };
        enp4s0 = { name = "eth3"; };
        enp5s0 = { name = "eth4"; };
        enp6s0 = { name = "eth5"; };
@ -82,8 +98,8 @@

              ip protocol icmp counter accept comment "accept all ICMP types"

-              iifname "eth0" ct state { established, related } counter accept
-              iifname "eth0" drop
+              iifname { "eth0", "cameras" } ct state { established, related } counter accept
+              iifname { "eth0", "cameras" } drop
            }

            chain forward {
@ -138,7 +154,7 @@

          settings = {
            interfaces-config = {
-              interfaces = [ "eth1" "eth2" ];
+              interfaces = [ "eth1" "eth2" "cameras" ];
            };
            lease-database = {
              type = "memfile";
@ -243,6 +259,29 @@
                  }
                ];
              }
+              {
+                subnet = "10.133.145.0/24";
+                interface = "cameras";
+                pools = [{
+                  pool = "10.133.145.64 - 10.133.145.254";
+                }];
+                option-data = [
+                  {
+                    name = "routers";
+                    data = "10.133.145.1";
+                  }
+                  {
+                    name = "broadcast-address";
+                    data = "10.133.145.255";
+                  }
+                  {
+                    name = "domain-name-servers";
+                    data = "1.1.1.1, 8.8.8.8";
+                  }
+                ];
+                reservations = [
+                ];
+              }
            ];
          };
        };
--- a/hosts/sodium.pop.ts.hillion.co.uk/default.nix
+++ b/hosts/sodium.pop.ts.hillion.co.uk/default.nix
@ -1,4 +1,4 @@
-{ config, pkgs, nixpkgs-unstable, lib, nixos-hardware, ... }:
+{ config, pkgs, lib, nixos-hardware, ... }:

 {
  imports = [
--- a/modules/impermanence.nix
+++ b/modules/impermanence.nix
@ -60,6 +60,7 @@ in
          (lib.lists.optional config.custom.services.unifi.enable "/var/lib/unifi") ++
          (lib.lists.optional (config.virtualisation.oci-containers.containers != { }) "/var/lib/containers") ++
          (lib.lists.optional config.services.tang.enable "/var/lib/private/tang") ++
+          (lib.lists.optional config.services.caddy.enable "/var/lib/caddy") ++
          (lib.lists.optional config.services.step-ca.enable "/var/lib/step-ca/db");
        };
      }
--- a/modules/resilio.nix
+++ b/modules/resilio.nix
@ -1,4 +1,4 @@
-{ pkgs, lib, config, nixpkgs-unstable, ... }:
+{ pkgs, lib, config, ... }:

 let
  cfg = config.custom.resilio;
@ -61,5 +61,7 @@ in
        in
        builtins.map (folder: mkFolder folder.name folder.secret) cfg.folders;
    };
+
+    systemd.services.resilio.unitConfig.RequiresMountsFor = builtins.map (folder: "${config.services.resilio.directoryRoot}/${folder.name}") cfg.folders;
  };
 }
--- a/modules/services/gitea/gitea.nix
+++ b/modules/services/gitea/gitea.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, nixpkgs-unstable, ... }:
+{ config, pkgs, lib, ... }:

 let
  cfg = config.custom.services.gitea;
@ -55,7 +55,7 @@ in

    services.gitea = {
      enable = true;
-      package = nixpkgs-unstable.legacyPackages.x86_64-linux.gitea;
+      package = pkgs.unstable.gitea;
      mailerPasswordFile = config.age.secrets."gitea/mailer_password".path;

      appName = "Hillion Gitea";
--- a/modules/www/global.nix
+++ b/modules/www/global.nix
@ -33,6 +33,11 @@ in

    services.caddy = {
      enable = true;
+      package = pkgs.unstable.caddy;
+
+      globalConfig = ''
+        email acme@hillion.co.uk
+      '';

      virtualHosts = {
        "hillion.co.uk".extraConfig = ''
Author	SHA1	Message	Date
Jake Hillion	d5c2f8d543	router: setup cameras vlan All checks were successful flake / flake (push) Successful in 1m15s Details	2024-09-17 09:20:27 +01:00
Renovate Bot	1189a41df9	chore(deps): lock file maintenance All checks were successful flake / flake (push) Successful in 1m43s Details	2024-09-15 16:01:08 +00:00
Jake Hillion	39730d2ec3	macbook: add shell utilities All checks were successful flake / flake (push) Successful in 1m16s Details	2024-09-14 02:39:26 +01:00
Jake Hillion	ac6f285400	resilio: require mounts be available All checks were successful flake / flake (push) Successful in 1m15s Details Without this resilio fails on boot on tywin.storage where the paths are on a ZFS array which gets mounted reliably later than the resilio service attempts to start.	2024-09-14 02:30:20 +01:00
Renovate Bot	e4b8fd7438	chore(deps): update determinatesystems/nix-installer-action action to v14 All checks were successful flake / flake (push) Successful in 1m27s Details	2024-09-10 00:00:51 +00:00
Renovate Bot	24be3394bc	chore(deps): update determinatesystems/magic-nix-cache-action action to v8 All checks were successful flake / flake (push) Successful in 1m13s Details	2024-09-09 23:00:50 +00:00
Jake Hillion	ba053c539c	boron: enable podman All checks were successful flake / flake (push) Successful in 1m13s Details	2024-09-06 19:04:25 +01:00
Jake Hillion	3aeeb69c2b	nix-darwin: add macbook All checks were successful flake / flake (push) Successful in 1m13s Details	2024-09-05 00:50:02 +01:00
Jake Hillion	85246af424	caddy: update to unstable All checks were successful flake / flake (push) Successful in 1m13s Details The default config for automatic ACME no longer works in Caddy <2.8.0. This is due to changes with ZeroSSL's auth. Update to unstable Caddy which is new enough to renew certs again. Context: https://github.com/caddyserver/caddy/releases/tag/v2.8.0 Add `pkgs.unstable` as an overlay as recommended on the NixOS wiki. This is needed here as Caddy must be runnable on all architectures.	2024-09-05 00:04:08 +01:00
Renovate Bot	ba7a39b66e	chore(deps): pin dependencies All checks were successful flake / flake (push) Successful in 1m16s Details	2024-09-02 23:00:12 +00:00
Jake Hillion	df31ebebf8	boron: bump tmpfs to 100% of RAM All checks were successful flake / flake (push) Successful in 1m18s Details	2024-08-31 22:04:38 +01:00
Renovate Bot	2f3a33ad8e	chore(deps): lock file maintenance All checks were successful flake / flake (push) Successful in 1m15s Details	2024-08-30 19:01:46 +00:00