router: setup cameras vlan

chore(deps): lock file maintenance
macbook: add shell utilities
2024-09-17 09:20:27 +01:00 · 2024-09-15 16:01:08 +00:00 · 2024-09-14 02:39:26 +01:00 · 2024-09-14 02:30:20 +01:00 · 2024-09-10 00:00:51 +00:00 · 2024-09-09 23:00:50 +00:00
31 changed files with 462 additions and 147 deletions
--- a/.gitea/workflows/flake.yaml
+++ b/.gitea/workflows/flake.yaml
@ -12,11 +12,8 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - name: Prepare for Nix installation
-        run: |
-          apt-get update
-          apt-get install -y sudo
-      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+      - uses: DeterminateSystems/nix-installer-action@da36cb69b1c3247ad7a1f931ebfd954a1105ef14 # v14
+      - uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8
      - name: lint
        run: |
          nix fmt
--- a/darwin/jakehillion-mba-m2-15/configuration.nix
+++ b/darwin/jakehillion-mba-m2-15/configuration.nix
@ -0,0 +1,27 @@
+{ config, pkgs, ... }:
+
+{
+  config = {
+    system.stateVersion = 4;
+
+    networking.hostName = "jakehillion-mba-m2-15";
+
+    nix = {
+      useDaemon = true;
+    };
+
+    programs.zsh.enable = true;
+
+    security.pam.enableSudoTouchIdAuth = true;
+
+    environment.systemPackages = with pkgs; [
+      fd
+      htop
+      mosh
+      neovim
+      nix
+      ripgrep
+      sapling
+    ];
+  };
+}
--- a/flake.lock
+++ b/flake.lock
@ -2,7 +2,9 @@
  "nodes": {
    "agenix": {
      "inputs": {
-        "darwin": "darwin",
+        "darwin": [
+          "darwin"
+        ],
        "home-manager": [
          "home-manager"
        ],
@ -12,11 +14,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1720546205,
-        "narHash": "sha256-boCXsjYVxDviyzoEyAk624600f3ZBo/DKtUdvMTpbGY=",
+        "lastModified": 1723293904,
+        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6",
+        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
        "type": "github"
      },
      "original": {
@ -28,21 +30,19 @@
    "darwin": {
      "inputs": {
        "nixpkgs": [
-          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1700795494,
-        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "lastModified": 1726188813,
+        "narHash": "sha256-Vop/VRi6uCiScg/Ic+YlwsdIrLabWUJc57dNczp0eBc=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "rev": "21fe31f26473c180390cfa81e3ea81aca0204c80",
        "type": "github"
      },
      "original": {
        "owner": "lnl7",
-        "ref": "master",
        "repo": "nix-darwin",
        "type": "github"
      }
@ -72,11 +72,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1720042825,
-        "narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=",
+        "lastModified": 1725703823,
+        "narHash": "sha256-tDgM4d8mLK0Hd6YMB2w1BqMto1XBXADOzPEaLl10VI4=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073",
+        "rev": "208df2e558b73b6a1f0faec98493cb59a25f62ba",
        "type": "github"
      },
      "original": {
@ -93,11 +93,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1721135958,
-        "narHash": "sha256-H548rpPMsn25LDKn1PCFmPxmWlClJJGnvdzImHkqjuY=",
+        "lastModified": 1726357542,
+        "narHash": "sha256-p4OrJL2weh0TRtaeu1fmNYP6+TOp/W2qdaIJxxQay4c=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "afd2021bedff2de92dfce0e257a3d03ae65c603d",
+        "rev": "e524c57b1fa55d6ca9d8354c6ce1e538d2a1f47f",
        "type": "github"
      },
      "original": {
@ -108,11 +108,11 @@
    },
    "impermanence": {
      "locked": {
-        "lastModified": 1719091691,
-        "narHash": "sha256-AxaLX5cBEcGtE02PeGsfscSb/fWMnyS7zMWBXQWDKbE=",
+        "lastModified": 1725690722,
+        "narHash": "sha256-4qWg9sNh5g1qPGO6d/GV2ktY+eDikkBTbWSg5/iD2nY=",
        "owner": "nix-community",
        "repo": "impermanence",
-        "rev": "23c1f06316b67cb5dabdfe2973da3785cfe9c34a",
+        "rev": "63f4d0443e32b0dd7189001ee1894066765d18a5",
        "type": "github"
      },
      "original": {
@ -124,11 +124,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1720737798,
-        "narHash": "sha256-G/OtEAts7ZUvW5lrGMXSb8HqRp2Jr9I7reBuvCOL54w=",
+        "lastModified": 1725885300,
+        "narHash": "sha256-5RLEnou1/GJQl+Wd+Bxaj7QY7FFQ9wjnFq1VNEaxTmc=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "c5013aa7ce2c7ec90acee5d965d950c8348db751",
+        "rev": "166dee4f88a7e3ba1b7a243edb1aca822f00680e",
        "type": "github"
      },
      "original": {
@ -139,11 +139,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1720954236,
-        "narHash": "sha256-1mEKHp4m9brvfQ0rjCca8P1WHpymK3TOr3v34ydv9bs=",
+        "lastModified": 1726320982,
+        "narHash": "sha256-RuVXUwcYwaUeks6h3OLrEmg14z9aFXdWppTWPMTwdQw=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "53e81e790209e41f0c1efa9ff26ff2fd7ab35e27",
+        "rev": "8f7492cce28977fbf8bd12c72af08b1f6c7c3e49",
        "type": "github"
      },
      "original": {
@ -155,11 +155,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1720957393,
-        "narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=",
+        "lastModified": 1726243404,
+        "narHash": "sha256-sjiGsMh+1cWXb53Tecsm4skyFNag33GPbVgCdfj3n9I=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "693bc46d169f5af9c992095736e82c3488bf7dbb",
+        "rev": "345c263f2f53a3710abe117f28a5cb86d0ba4059",
        "type": "github"
      },
      "original": {
@ -172,6 +172,7 @@
    "root": {
      "inputs": {
        "agenix": "agenix",
+        "darwin": "darwin",
        "flake-utils": "flake-utils",
        "home-manager": "home-manager",
        "home-manager-unstable": "home-manager-unstable",
--- a/flake.nix
+++ b/flake.nix
@ -7,8 +7,12 @@

    flake-utils.url = "github:numtide/flake-utils";

+    darwin.url = "github:lnl7/nix-darwin";
+    darwin.inputs.nixpkgs.follows = "nixpkgs";
+
    agenix.url = "github:ryantm/agenix";
    agenix.inputs.nixpkgs.follows = "nixpkgs";
+    agenix.inputs.darwin.follows = "darwin";
    agenix.inputs.home-manager.follows = "home-manager";

    home-manager.url = "github:nix-community/home-manager/release-24.05";
@ -21,47 +25,67 @@

  description = "Hillion Nix flake";

-  outputs = { self, nixpkgs, nixpkgs-unstable, nixos-hardware, flake-utils, agenix, home-manager, home-manager-unstable, impermanence, ... }@inputs: {
-    nixosConfigurations =
-      let
-        fqdns = builtins.attrNames (builtins.readDir ./hosts);
-        getSystemOverlays = system: nixpkgsConfig: [
-          (final: prev: {
-            "storj" = final.callPackage ./pkgs/storj.nix { };
-          })
-        ];
-        mkHost = fqdn:
-          let
-            system = builtins.readFile ./hosts/${fqdn}/system;
-            func = if builtins.pathExists ./hosts/${fqdn}/unstable then nixpkgs-unstable.lib.nixosSystem else nixpkgs.lib.nixosSystem;
-            home-manager-pick = if builtins.pathExists ./hosts/${fqdn}/unstable then home-manager-unstable else home-manager;
-          in
-          func {
-            inherit system;
-            specialArgs = inputs;
-            modules = [
-              ./hosts/${fqdn}/default.nix
-              ./modules/default.nix
+  outputs = { self, nixpkgs, nixpkgs-unstable, nixos-hardware, flake-utils, agenix, home-manager, home-manager-unstable, darwin, impermanence, ... }@inputs:
+    let
+      getSystemOverlays = system: nixpkgsConfig: [
+        (final: prev: {
+          unstable = nixpkgs-unstable.legacyPackages.${prev.system};
+          "storj" = final.callPackage ./pkgs/storj.nix { };
+        })
+      ];
+    in
+    {
+      nixosConfigurations =
+        let
+          fqdns = builtins.attrNames (builtins.readDir ./hosts);
+          mkHost = fqdn:
+            let
+              system = builtins.readFile ./hosts/${fqdn}/system;
+              func = if builtins.pathExists ./hosts/${fqdn}/unstable then nixpkgs-unstable.lib.nixosSystem else nixpkgs.lib.nixosSystem;
+              home-manager-pick = if builtins.pathExists ./hosts/${fqdn}/unstable then home-manager-unstable else home-manager;
+            in
+            func {
+              inherit system;
+              specialArgs = inputs;
+              modules = [
+                ./hosts/${fqdn}/default.nix
+                ./modules/default.nix

-              agenix.nixosModules.default
-              impermanence.nixosModules.impermanence
+                agenix.nixosModules.default
+                impermanence.nixosModules.impermanence

-              home-manager-pick.nixosModules.default
-              {
-                home-manager.sharedModules = [
-                  impermanence.nixosModules.home-manager.impermanence
-                ];
-              }
+                home-manager-pick.nixosModules.default
+                {
+                  home-manager.sharedModules = [
+                    impermanence.nixosModules.home-manager.impermanence
+                  ];
+                }

-              ({ config, ... }: {
-                system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
-                nixpkgs.overlays = getSystemOverlays config.nixpkgs.hostPlatform.system config.nixpkgs.config;
-              })
-            ];
-          };
-      in
-      nixpkgs.lib.genAttrs fqdns mkHost;
-  } // flake-utils.lib.eachDefaultSystem (system: {
-    formatter = nixpkgs.legacyPackages.${system}.nixpkgs-fmt;
-  });
+                ({ config, ... }: {
+                  system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
+                  nixpkgs.overlays = getSystemOverlays config.nixpkgs.hostPlatform.system config.nixpkgs.config;
+                })
+              ];
+            };
+        in
+        nixpkgs.lib.genAttrs fqdns mkHost;
+
+      darwinConfigurations = {
+        jakehillion-mba-m2-15 = darwin.lib.darwinSystem {
+          system = "aarch64-darwin";
+          specialArgs = inputs;
+
+          modules = [
+            ./darwin/jakehillion-mba-m2-15/configuration.nix
+
+            ({ config, ... }: {
+              nixpkgs.overlays = getSystemOverlays "aarch64-darwin" config.nixpkgs.config;
+            })
+          ];
+        };
+      };
+
+    } // flake-utils.lib.eachDefaultSystem (system: {
+      formatter = nixpkgs.legacyPackages.${system}.nixpkgs-fmt;
+    });
 }
--- a/hosts/be.lt.ts.hillion.co.uk/default.nix
+++ b/hosts/be.lt.ts.hillion.co.uk/default.nix
@ -24,6 +24,17 @@
      ];
    };

+    ## WiFi
+    age.secrets."wifi/be.lt.ts.hillion.co.uk".file = ../../secrets/wifi/be.lt.ts.hillion.co.uk.age;
+    networking.wireless = {
+      enable = true;
+      environmentFile = config.age.secrets."wifi/be.lt.ts.hillion.co.uk".path;
+
+      networks = {
+        "Hillion WPA3 Network".psk = "@HILLION_WPA3_NETWORK_PSK@";
+      };
+    };
+
    ## Desktop
    custom.users.jake.password = true;
    custom.desktop.awesome.enable = true;
--- a/hosts/boron.cx.ts.hillion.co.uk/default.nix
+++ b/hosts/boron.cx.ts.hillion.co.uk/default.nix
@ -34,14 +34,40 @@
    ### Explicitly use the latest kernel at time of writing because the LTS
    ### kernels available in NixOS do not seem to support this server's very
    ### modern hardware.
-    boot.kernelPackages = pkgs.linuxPackages_6_9;
+    boot.kernelPackages = pkgs.linuxPackages_6_10;
+    ### Apply patch to enable sched_ext which isn't yet available upstream.
+    boot.kernelPatches = [{
+      name = "sched_ext";
+      patch = pkgs.fetchpatch {
+        url = "https://github.com/sched-ext/scx-kernel-releases/releases/download/v6.10.3-scx1/linux-v6.10.3-scx1.patch.zst";
+        hash = "sha256-c4UlXsVOHGe0gvL69K9qTMWqCR8as25qwhfNVxCXUTs=";
+        decode = "${pkgs.zstd}/bin/unzstd";
+        excludes = [ "Makefile" ];
+      };
+      extraConfig = ''
+        BPF y
+        BPF_EVENTS y
+        BPF_JIT y
+        BPF_SYSCALL y
+        DEBUG_INFO_BTF y
+        FTRACE y
+        SCHED_CLASS_EXT y
+      '';
+    }];

    ## Enable btrfs compression
    fileSystems."/data".options = [ "compress=zstd" ];
    fileSystems."/nix".options = [ "compress=zstd" ];

    ## Impermanence
-    custom.impermanence.enable = true;
+    custom.impermanence = {
+      enable = true;
+      cache.enable = true;
+    };
+    boot.initrd.postDeviceCommands = lib.mkAfter ''
+      btrfs subvolume delete /cache/system
+      btrfs subvolume snapshot /cache/empty_snapshot /cache/system
+    '';

    ## Custom Services
    custom = {
@ -75,6 +101,18 @@
      fileSystems = [ "/data" ];
    };

+    ## General usability
+    ### Make podman available for dev tools such as act
+    virtualisation = {
+      containers.enable = true;
+      podman = {
+        enable = true;
+        dockerCompat = true;
+        dockerSocket.enable = true;
+      };
+    };
+    users.users.jake.extraGroups = [ "podman" ];
+
    ## Networking
    boot.kernel.sysctl = {
      "net.ipv4.ip_forward" = true;
--- a/hosts/boron.cx.ts.hillion.co.uk/hardware-configuration.nix
+++ b/hosts/boron.cx.ts.hillion.co.uk/hardware-configuration.nix
@ -18,7 +18,7 @@
    {
      device = "tmpfs";
      fsType = "tmpfs";
-      options = [ "mode=0755" ];
+      options = [ "mode=0755" "size=100%" ];
    };

  fileSystems."/boot" =
@ -35,6 +35,13 @@
      options = [ "subvol=data" ];
    };

+  fileSystems."/cache" =
+    {
+      device = "/dev/disk/by-uuid/9aebe351-156a-4aa0-9a97-f09b01ac23ad";
+      fsType = "btrfs";
+      options = [ "subvol=cache" ];
+    };
+
  fileSystems."/nix" =
    {
      device = "/dev/disk/by-uuid/9aebe351-156a-4aa0-9a97-f09b01ac23ad";
--- a/hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix
+++ b/hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix
@ -29,6 +29,13 @@
      ];
    };

+    ## Enable ZRAM swap to help with root on tmpfs
+    zramSwap = {
+      enable = true;
+      memoryPercent = 200;
+      algorithm = "zstd";
+    };
+
    ## Desktop
    custom.users.jake.password = true;
    custom.desktop.awesome.enable = true;
--- a/hosts/microserver.home.ts.hillion.co.uk/default.nix
+++ b/hosts/microserver.home.ts.hillion.co.uk/default.nix
@ -59,6 +59,7 @@
          5353 # HomeKit
        ];
        allowedTCPPorts = [
+          1400 # HA Sonos
          7654 # Tang
          21063 # HomeKit
        ];
--- a/hosts/router.home.ts.hillion.co.uk/default.nix
+++ b/hosts/router.home.ts.hillion.co.uk/default.nix
@ -32,6 +32,14 @@
      nat.enable = lib.mkForce false;

      useDHCP = false;
+
+      vlans = {
+        cameras = {
+          id = 3;
+          interface = "eth2";
+        };
+      };
+
      interfaces = {
        enp1s0 = {
          name = "eth0";
@ -56,6 +64,14 @@
            }
          ];
        };
+        cameras /* cameras@eth2 */ = {
+          ipv4.addresses = [
+            {
+              address = "10.133.145.1";
+              prefixLength = 24;
+            }
+          ];
+        };
        enp4s0 = { name = "eth3"; };
        enp5s0 = { name = "eth4"; };
        enp6s0 = { name = "eth5"; };
@ -82,8 +98,8 @@

              ip protocol icmp counter accept comment "accept all ICMP types"

-              iifname "eth0" ct state { established, related } counter accept
-              iifname "eth0" drop
+              iifname { "eth0", "cameras" } ct state { established, related } counter accept
+              iifname { "eth0", "cameras" } drop
            }

            chain forward {
@ -138,7 +154,7 @@

          settings = {
            interfaces-config = {
-              interfaces = [ "eth1" "eth2" ];
+              interfaces = [ "eth1" "eth2" "cameras" ];
            };
            lease-database = {
              type = "memfile";
@ -243,6 +259,29 @@
                  }
                ];
              }
+              {
+                subnet = "10.133.145.0/24";
+                interface = "cameras";
+                pools = [{
+                  pool = "10.133.145.64 - 10.133.145.254";
+                }];
+                option-data = [
+                  {
+                    name = "routers";
+                    data = "10.133.145.1";
+                  }
+                  {
+                    name = "broadcast-address";
+                    data = "10.133.145.255";
+                  }
+                  {
+                    name = "domain-name-servers";
+                    data = "1.1.1.1, 8.8.8.8";
+                  }
+                ];
+                reservations = [
+                ];
+              }
            ];
          };
        };
--- a/hosts/sodium.pop.ts.hillion.co.uk/default.nix
+++ b/hosts/sodium.pop.ts.hillion.co.uk/default.nix
@ -1,4 +1,4 @@
-{ config, pkgs, nixpkgs-unstable, lib, nixos-hardware, ... }:
+{ config, pkgs, lib, nixos-hardware, ... }:

 {
  imports = [
@ -22,14 +22,19 @@
    fileSystems."/nix".options = [ "compress=zstd" ];

    ## Impermanence
-    custom.impermanence.enable = true;
+    custom.impermanence = {
+      enable = true;
+      cache.enable = true;
+    };
    boot.initrd.postDeviceCommands = lib.mkAfter ''
      btrfs subvolume delete /cache/tmp
      btrfs subvolume snapshot /cache/empty_snapshot /cache/tmp
-      chmod 0777 /cache/tmp
-      chmod +t /cache/tmp
+      chmod 1777 /cache/tmp
    '';

+    ## CA server
+    custom.ca.service.enable = true;
+
    ### nix only supports build-dir from 2.22. bind mount /tmp to something persistent instead.
    fileSystems."/tmp" = {
      device = "/cache/tmp";
--- a/hosts/tywin.storage.ts.hillion.co.uk/default.nix
+++ b/hosts/tywin.storage.ts.hillion.co.uk/default.nix
@ -218,7 +218,7 @@
      enable = true;
      openFirewall = true;
      keyFile = config.age.secrets."chia/farmer.key".path;
-      plotDirectories = builtins.genList (i: "/mnt/d${toString i}/plots/contract-k32") 7;
+      plotDirectories = builtins.genList (i: "/mnt/d${toString i}/plots/contract-k32") 8;
    };

    ## Downloads
--- a/hosts/tywin.storage.ts.hillion.co.uk/hardware-configuration.nix
+++ b/hosts/tywin.storage.ts.hillion.co.uk/hardware-configuration.nix
@ -67,6 +67,18 @@
      fsType = "btrfs";
    };

+  fileSystems."/mnt/d6" =
+    {
+      device = "/dev/disk/by-uuid/b461e07d-39ab-46b4-b1d1-14c2e0791915";
+      fsType = "btrfs";
+    };
+
+  fileSystems."/mnt/d7" =
+    {
+      device = "/dev/disk/by-uuid/eb8d32d0-e506-449b-8dbc-585ba05c4252";
+      fsType = "btrfs";
+    };
+
  swapDevices = [ ];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
--- a/modules/ca/README.md
+++ b/modules/ca/README.md
@ -0,0 +1,11 @@
+# ca
+
+Getting the certificates in the right place is a manual process (for now, at least). This is to keep the most control over the root certificate's key and allow manual cycling. The manual commands should be run on a trusted machine.
+
+Creating a 10 year root certificate:
+
+    nix run nixpkgs#step-cli -- certificate create 'Hillion ACME' cert.pem key.pem --kty=EC --curve=P-521 --profile=root-ca --not-after=87600h
+
+Creating the intermediate key:
+
+    nix run nixpkgs#step-cli -- certificate create 'Hillion ACME (sodium.pop.ts.hillion.co.uk)' intermediate_cert.pem intermediate_key.pem --kty=EC --curve=P-521 --profile=intermediate-ca --not-after=8760h --ca=$NIXOS_ROOT/modules/ca/cert.pem --ca-key=DOWNLOADED_KEY.pem
--- a/modules/ca/cert.pem
+++ b/modules/ca/cert.pem
@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB+TCCAVqgAwIBAgIQIZdaIUsuJdjnu7DQP1N8oTAKBggqhkjOPQQDBDAXMRUw
+EwYDVQQDEwxIaWxsaW9uIEFDTUUwHhcNMjQwODAxMjIyMjEwWhcNMzQwNzMwMjIy
+MjEwWjAXMRUwEwYDVQQDEwxIaWxsaW9uIEFDTUUwgZswEAYHKoZIzj0CAQYFK4EE
+ACMDgYYABAAJI3z1PrV97EFc1xaENcr6ML1z6xdXTy+ReHtf42nWsw+c3WDKzJ45
+xHJ/p2BTOR5+NQ7RGQQ68zmFJnEYTYDogAw6U9YzxxDGlG1HlgnZ9PPmXoF+PFl
+Zy2WZCiDPx5KDJcjTPzLV3ITt4fl3PMA12BREVeonvrvRLcpVrMfS2b7wKNFMEMw
+DgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFFBT
+fMT0uUbS+lVUbGKK8/SZHPISMAoGCCqGSM49BAMEA4GMADCBiAJCAPNIwrQztPrN
+MaHB3J0lNVODIGwQWblt99vnjqIWOKJhgckBxaElyInsyt8dlnmTCpOCJdY4BA+K
+Nr87AfwIWdAaAkIBV5i4zXPXVKblGKnmM0FomFSbq2cYE3pmi5BO1StakH1kEHlf
+vbkdwFgkw2MlARp0Ka3zbWivBG9zjPoZtsL/8tk=
+-----END CERTIFICATE-----
--- a/modules/ca/consumer.nix
+++ b/modules/ca/consumer.nix
@ -0,0 +1,14 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.custom.ca.consumer;
+in
+{
+  options.custom.ca.consumer = {
+    enable = lib.mkEnableOption "ca.service";
+  };
+
+  config = lib.mkIf cfg.enable {
+    security.pki.certificates = [ (builtins.readFile ./cert.pem) ];
+  };
+}
--- a/modules/ca/default.nix
+++ b/modules/ca/default.nix
@ -0,0 +1,8 @@
+{ ... }:
+
+{
+  imports = [
+    ./consumer.nix
+    ./service.nix
+  ];
+}
--- a/modules/ca/service.nix
+++ b/modules/ca/service.nix
@ -0,0 +1,45 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.custom.ca.service;
+in
+{
+  options.custom.ca.service = {
+    enable = lib.mkEnableOption "ca.service";
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.step-ca = {
+      enable = true;
+
+      address = config.custom.dns.tailscale.ipv4;
+      port = 8443;
+
+      intermediatePasswordFile = "/data/system/ca/intermediate.psk";
+
+      settings = {
+        root = ./cert.pem;
+        crt = "/data/system/ca/intermediate.crt";
+        key = "/data/system/ca/intermediate.pem";
+
+        dnsNames = [ "ca.ts.hillion.co.uk" ];
+
+        logger = { format = "text"; };
+
+        db = {
+          type = "badgerv2";
+          dataSource = "/var/lib/step-ca/db";
+        };
+
+        authority = {
+          provisioners = [
+            {
+              type = "ACME";
+              name = "acme";
+            }
+          ];
+        };
+      };
+    };
+  };
+}
--- a/modules/default.nix
+++ b/modules/default.nix
@ -3,6 +3,7 @@
 {
  imports = [
    ./backups/default.nix
+    ./ca/default.nix
    ./chia.nix
    ./defaults.nix
    ./desktop/awesome/default.nix
--- a/modules/defaults.nix
+++ b/modules/defaults.nix
@ -54,6 +54,7 @@
    networking.firewall.enable = true;

    # Delegation
+    custom.ca.consumer.enable = true;
    custom.dns.enable = true;
    custom.home.defaults = true;
    custom.hostinfo.enable = true;
--- a/modules/impermanence.nix
+++ b/modules/impermanence.nix
@ -2,7 +2,6 @@

 let
  cfg = config.custom.impermanence;
-  listIf = (enable: x: if enable then x else [ ]);
 in
 {
  options.custom.impermanence = {
@ -12,6 +11,13 @@ in
      type = lib.types.str;
      default = "/data";
    };
+    cache = {
+      enable = lib.mkEnableOption "impermanence.cache";
+      path = lib.mkOption {
+        type = lib.types.str;
+        default = "/cache";
+      };
+    };

    users = lib.mkOption {
      type = with lib.types; listOf str;
@ -40,19 +46,32 @@ in
      gitea.stateDir = "${cfg.base}/system/var/lib/gitea";
    };

-    environment.persistence."${cfg.base}/system" = {
-      hideMounts = true;
+    environment.persistence = lib.mkMerge [
+      {
+        "${cfg.base}/system" = {
+          hideMounts = true;

-      directories = [
-        "/etc/nixos"
-      ] ++ (listIf config.services.tailscale.enable [ "/var/lib/tailscale" ]) ++
-      (listIf config.services.zigbee2mqtt.enable [ config.services.zigbee2mqtt.dataDir ]) ++
-      (listIf config.services.postgresql.enable [ config.services.postgresql.dataDir ]) ++
-      (listIf config.hardware.bluetooth.enable [ "/var/lib/bluetooth" ]) ++
-      (listIf config.custom.services.unifi.enable [ "/var/lib/unifi" ]) ++
-      (listIf (config.virtualisation.oci-containers.containers != { }) [ "/var/lib/containers" ]) ++
-      (listIf config.services.tang.enable [ "/var/lib/private/tang" ]);
-    };
+          directories = [
+            "/etc/nixos"
+          ] ++ (lib.lists.optional config.services.tailscale.enable "/var/lib/tailscale") ++
+          (lib.lists.optional config.services.zigbee2mqtt.enable config.services.zigbee2mqtt.dataDir) ++
+          (lib.lists.optional config.services.postgresql.enable config.services.postgresql.dataDir) ++
+          (lib.lists.optional config.hardware.bluetooth.enable "/var/lib/bluetooth") ++
+          (lib.lists.optional config.custom.services.unifi.enable "/var/lib/unifi") ++
+          (lib.lists.optional (config.virtualisation.oci-containers.containers != { }) "/var/lib/containers") ++
+          (lib.lists.optional config.services.tang.enable "/var/lib/private/tang") ++
+          (lib.lists.optional config.services.caddy.enable "/var/lib/caddy") ++
+          (lib.lists.optional config.services.step-ca.enable "/var/lib/step-ca/db");
+        };
+      }
+      (lib.mkIf cfg.cache.enable {
+        "${cfg.cache.path}/system" = {
+          hideMounts = true;
+
+          directories = (lib.lists.optional config.services.postgresqlBackup.enable config.services.postgresqlBackup.location);
+        };
+      })
+    ];

    home-manager.users =
      let
--- a/modules/resilio.nix
+++ b/modules/resilio.nix
@ -1,4 +1,4 @@
-{ pkgs, lib, config, nixpkgs-unstable, ... }:
+{ pkgs, lib, config, ... }:

 let
  cfg = config.custom.resilio;
@ -61,5 +61,7 @@ in
        in
        builtins.map (folder: mkFolder folder.name folder.secret) cfg.folders;
    };
+
+    systemd.services.resilio.unitConfig.RequiresMountsFor = builtins.map (folder: "${config.services.resilio.directoryRoot}/${folder.name}") cfg.folders;
  };
 }
--- a/modules/services/authoritative_dns.nix
+++ b/modules/services/authoritative_dns.nix
@ -32,6 +32,7 @@ in

              86400 NS ns1.hillion.co.uk.

+              ca                    21600 CNAME sodium.pop.ts.hillion.co.uk.
              deluge.downloads      21600 CNAME tywin.storage.ts.hillion.co.uk.
              graphs.router.home    21600 CNAME router.home.ts.hillion.co.uk.
              prowlarr.downloads    21600 CNAME tywin.storage.ts.hillion.co.uk.
--- a/modules/services/downloads.nix
+++ b/modules/services/downloads.nix
@ -29,10 +29,16 @@ in

      virtualHosts = builtins.listToAttrs (builtins.map
        (x: {
-          name = "http://${x}.downloads.ts.hillion.co.uk";
+          name = "${x}.downloads.ts.hillion.co.uk";
          value = {
            listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
-            extraConfig = "reverse_proxy unix//${cfg.metadataPath}/caddy/caddy.sock";
+            extraConfig = ''
+              reverse_proxy unix//${cfg.metadataPath}/caddy/caddy.sock
+
+              tls {
+                ca https://ca.ts.hillion.co.uk:8443/acme/acme/directory
+              }
+            '';
          };
        }) [ "prowlarr" "sonarr" "radarr" "deluge" ]);
    };
--- a/modules/services/gitea/actions.nix
+++ b/modules/services/gitea/actions.nix
@ -63,6 +63,11 @@ in
              runner = {
                capacity = 3;
              };
+              cache = {
+                enabled = true;
+                host = "10.108.27.2";
+                port = 41919;
+              };
            };
          };

@ -76,6 +81,8 @@ in
                  chain output {
                    type filter hook output priority 100; policy accept;

+                    ct state { established, related } counter accept
+
                    ip daddr 10.0.0.0/8 drop
                    ip daddr 100.64.0.0/10 drop
                    ip daddr 172.16.0.0/12 drop
--- a/modules/services/gitea/gitea.nix
+++ b/modules/services/gitea/gitea.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, nixpkgs-unstable, ... }:
+{ config, pkgs, lib, ... }:

 let
  cfg = config.custom.services.gitea;
@ -55,7 +55,7 @@ in

    services.gitea = {
      enable = true;
-      package = nixpkgs-unstable.legacyPackages.x86_64-linux.gitea;
+      package = pkgs.unstable.gitea;
      mailerPasswordFile = config.age.secrets."gitea/mailer_password".path;

      appName = "Hillion Gitea";
--- a/modules/services/homeassistant.nix
+++ b/modules/services/homeassistant.nix
@ -44,16 +44,20 @@ in
          "bluetooth"
          "default_config"
          "esphome"
-          "flux"
          "google_assistant"
          "homekit"
          "met"
          "mobile_app"
          "mqtt"
          "otp"
+          "smartthings"
+          "sonos"
          "sun"
          "switchbot"
        ];
+        customComponents = with pkgs.home-assistant-custom-components; [
+          adaptive_lighting
+        ];

        config = {
          default_config = { };
@ -79,6 +83,9 @@ in
            report_state = true;
            expose_by_default = true;
            exposed_domains = [ "light" ];
+            entity_config = {
+              "input_boolean.sleep_mode" = { };
+            };
          };
          homekit = [{
            filter = {
@ -88,25 +95,19 @@ in

          bluetooth = { };

-          switch = [
-            {
-              platform = "flux";
-              start_time = "07:00";
-              stop_time = "23:59";
-              mode = "mired";
-              disable_brightness_adjust = true;
-              lights = [
-                "light.bedroom_lamp"
-                "light.bedroom_light"
-                "light.cubby_light"
-                "light.desk_lamp"
-                "light.hallway_light"
-                "light.living_room_lamp"
-                "light.living_room_light"
-                "light.wardrobe_light"
-              ];
-            }
-          ];
+          adaptive_lighting = {
+            lights = [
+              "light.bedroom_lamp"
+              "light.bedroom_light"
+              "light.cubby_light"
+              "light.desk_lamp"
+              "light.hallway_light"
+              "light.living_room_lamp"
+              "light.living_room_light"
+              "light.wardrobe_light"
+            ];
+            min_sunset_time = "21:00";
+          };

          light = [
            {
@ -114,7 +115,7 @@ in
              lights = {
                bathroom_light = {
                  unique_id = "87a4cbb5-e5a7-44fd-9f28-fec2d6a62538";
-                  value_template = "{{ states('sensor.bathroom_motion_sensor_illuminance_lux') | int > 500 }}";
+                  value_template = "{{ false if state_attr('script.bathroom_light_switch_if_on', 'last_triggered') > states.sensor.bathroom_motion_sensor_illuminance_lux.last_reported else states('sensor.bathroom_motion_sensor_illuminance_lux') | int > 500 }}";
                  turn_on = { service = "script.noop"; };
                  turn_off = { service = "script.bathroom_light_switch_if_on"; };
                };
@ -145,6 +146,13 @@ in
            }
          ];

+          input_boolean = {
+            sleep_mode = {
+              name = "Set house to sleep mode";
+              icon = "mdi:sleep";
+            };
+          };
+
          # UI managed expansions
          automation = "!include automations.yaml";
          script = "!include scripts.yaml";
--- a/modules/services/unifi.nix
+++ b/modules/services/unifi.nix
@ -10,20 +10,14 @@ in
    dataDir = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/unifi";
+      readOnly = true; # NixOS module only supports this directory
    };
  };

  config = lib.mkIf cfg.enable {
-    users.users.unifi = {
-      uid = config.ids.uids.unifi;
-      isSystemUser = true;
-      group = "unifi";
-      description = "UniFi controller daemon user";
-      home = "${cfg.dataDir}";
-    };
-    users.groups.unifi = {
-      gid = config.ids.gids.unifi;
-    };
+    # Fix dynamically allocated user and group ids
+    users.users.unifi.uid = config.ids.uids.unifi;
+    users.groups.unifi.gid = config.ids.gids.unifi;

    services.caddy = {
      enable = true;
@ -38,21 +32,9 @@ in
      };
    };

-    virtualisation.oci-containers.containers = {
-      "unifi" = {
-        image = "lscr.io/linuxserver/unifi-controller:8.0.24-ls221";
-        environment = {
-          PUID = toString config.ids.uids.unifi;
-          PGID = toString config.ids.gids.unifi;
-          TZ = "Etc/UTC";
-        };
-        volumes = [ "${cfg.dataDir}:/config" ];
-        ports = [
-          "8080:8080"
-          "8443:8443"
-          "3478:3478/udp"
-        ];
-      };
+    services.unifi = {
+      enable = true;
+      unifiPackage = pkgs.unifi8;
    };
  };
 }
--- a/modules/www/global.nix
+++ b/modules/www/global.nix
@ -33,6 +33,11 @@ in

    services.caddy = {
      enable = true;
+      package = pkgs.unstable.caddy;
+
+      globalConfig = ''
+        email acme@hillion.co.uk
+      '';

      virtualHosts = {
        "hillion.co.uk".extraConfig = ''
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -57,6 +57,9 @@ in
  "tailscale/theon.storage.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.storage.theon ];
  "tailscale/tywin.storage.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.storage.tywin ];

+  # WiFi Environment Files
+  "wifi/be.lt.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.lt.be ];
+
  # Resilio Sync Secrets
  ## Encrypted Resilio Sync Secrets
  "resilio/encrypted/dad.age".publicKeys = jake_users ++ [ ];
--- a/secrets/wifi/be.lt.ts.hillion.co.uk.age
+++ b/secrets/wifi/be.lt.ts.hillion.co.uk.age
@ -0,0 +1,20 @@
+age-encryption.org/v1
+-> ssh-rsa GxPFJQ
+j23rAXS9bmi74Aw3K+Ym/+4eajkeddGn0JsT4y7LkM54KZDazHLSpdIY8G4bPEC1
+Hmwb6tC/fXjCwxZlR69UcWOhYtGFNQKKe66uO4+LnLHrosppsFNUduk1/yamorxh
+foTF1BYstniAO4dkeS+gqU+EozOnpOgnXDjJwQu2az7H0ecTkrdaExVSZefoak2Q
+NdiMVzLgx4/jcuNFIQhej9h2RuTZFcYqoxLvpDYhgCHHrZGXT4MpMtpbV/1z0rjE
+RZiMsaD0cFUB0xY4ncZu/UYTqDInCmiQ/hT1IpHXo41mJgAoOjxvBuMtT1JLFIPx
+eHV8+2B6t6cmvJ94oDb6pA
+-> ssh-rsa K9mW1w
+nX3geP4iz2iW8cIaiI+gUsf2Me5N5yLVxyp0AZx3mxm+REVeW/3gIs6RFwgVvNz4
+O3Rd714c5eufkVb0jaHcnh9xPkhd9JPhDx9ALJebFyDwviQelRucCNkAiFU8cCp0
+5CwdTOsa+QoTL0yzkgFch32sEnrmi3NQpMyQdIACFaFyvVl0vd8jOvIrNUqEc1dZ
+XL2brlteJ5tDn4+7riShILdrkWUXMt127YtBLk4kzAFq9bem6KR3mxoupoGOMZKM
+6erqfETaoGyQYfETg7+/4CSoCOnSw7EgleOQ92Esof2KPiLWqvVVLRYQkajr5atn
+QM8pEVHysfP7tYCOw5Pc3Q
+-> ssh-ed25519 ikTTQA pS/dHNYcNr5Td/Gd7bzuODNdtg5Z/EOl2ZMkRhWIbxs
+7S4TzwwGr20Ar2EHYzF42yK3nKf6k2YAV97URcvtssU
+--- aaywXgy4WGMmd1EoyFk/LXbATavqk0N5rrAJ43aHXo0
+*¢’X%jø
gàïP5)ÚKS•=ØøÞa~Ð·R7œ©\>ëŠv¡w°¿›8©Ã
+Ì•ŠQ±Nx…Lžlã`™÷Ì!ä¸^Z¥éE¼R››·V è\×º ‰ÚÝ-R°vÞû¾Sgtw
M©ÞÓÓç)#8ÃÎƒóÉ¾n
Author	SHA1	Message	Date
Jake Hillion	d5c2f8d543	router: setup cameras vlan All checks were successful flake / flake (push) Successful in 1m15s Details	2024-09-17 09:20:27 +01:00
Renovate Bot	1189a41df9	chore(deps): lock file maintenance All checks were successful flake / flake (push) Successful in 1m43s Details	2024-09-15 16:01:08 +00:00
Jake Hillion	39730d2ec3	macbook: add shell utilities All checks were successful flake / flake (push) Successful in 1m16s Details	2024-09-14 02:39:26 +01:00
Jake Hillion	ac6f285400	resilio: require mounts be available All checks were successful flake / flake (push) Successful in 1m15s Details Without this resilio fails on boot on tywin.storage where the paths are on a ZFS array which gets mounted reliably later than the resilio service attempts to start.	2024-09-14 02:30:20 +01:00
Renovate Bot	e4b8fd7438	chore(deps): update determinatesystems/nix-installer-action action to v14 All checks were successful flake / flake (push) Successful in 1m27s Details	2024-09-10 00:00:51 +00:00
Renovate Bot	24be3394bc	chore(deps): update determinatesystems/magic-nix-cache-action action to v8 All checks were successful flake / flake (push) Successful in 1m13s Details	2024-09-09 23:00:50 +00:00
Jake Hillion	ba053c539c	boron: enable podman All checks were successful flake / flake (push) Successful in 1m13s Details	2024-09-06 19:04:25 +01:00
Jake Hillion	3aeeb69c2b	nix-darwin: add macbook All checks were successful flake / flake (push) Successful in 1m13s Details	2024-09-05 00:50:02 +01:00
Jake Hillion	85246af424	caddy: update to unstable All checks were successful flake / flake (push) Successful in 1m13s Details The default config for automatic ACME no longer works in Caddy <2.8.0. This is due to changes with ZeroSSL's auth. Update to unstable Caddy which is new enough to renew certs again. Context: https://github.com/caddyserver/caddy/releases/tag/v2.8.0 Add `pkgs.unstable` as an overlay as recommended on the NixOS wiki. This is needed here as Caddy must be runnable on all architectures.	2024-09-05 00:04:08 +01:00
Renovate Bot	ba7a39b66e	chore(deps): pin dependencies All checks were successful flake / flake (push) Successful in 1m16s Details	2024-09-02 23:00:12 +00:00
Jake Hillion	df31ebebf8	boron: bump tmpfs to 100% of RAM All checks were successful flake / flake (push) Successful in 1m18s Details	2024-08-31 22:04:38 +01:00
Renovate Bot	2f3a33ad8e	chore(deps): lock file maintenance All checks were successful flake / flake (push) Successful in 1m15s Details	2024-08-30 19:01:46 +00:00
Jake Hillion	343b34b4dc	boron: support sched_ext in kernel All checks were successful flake / flake (push) Successful in 1m45s Details	2024-08-30 18:52:31 +01:00
Jake Hillion	264799952e	bathroom_light: trust switchbot if more recently updated All checks were successful flake / flake (push) Successful in 1m13s Details	2024-08-30 18:46:38 +01:00
Jake Hillion	5cef32cf1e	gitea actions: use cache for nix All checks were successful flake / flake (push) Successful in 1m15s Details	2024-08-30 18:39:02 +01:00
Jake Hillion	6cc70e117d	tywin: mount d7 All checks were successful flake / flake (push) Successful in 1m14s Details	2024-08-22 15:17:11 +01:00
Jake Hillion	a52aed5778	gendry: use zram swap All checks were successful flake / flake (push) Successful in 1m14s Details	2024-08-18 13:51:28 +01:00
Renovate Bot	70b53b5c01	chore(deps): lock file maintenance All checks were successful flake / flake (push) Successful in 1m15s Details	2024-08-18 10:35:15 +00:00
Jake Hillion	3d642e2320	boron: move postgresqlBackup to disk to reduce ram pressure All checks were successful flake / flake (push) Successful in 1m14s Details	2024-08-09 23:37:16 +01:00
Jake Hillion	41d5f0cc53	homeassistant: add sonos All checks were successful flake / flake (push) Successful in 1m17s Details	2024-08-08 18:31:10 +01:00
Jake Hillion	974c947130	homeassistant: add smartthings All checks were successful flake / flake (push) Successful in 1m15s Details	2024-08-04 18:15:34 +01:00
Jake Hillion	8a9498f8d7	homeassistant: expose sleep_mode to google All checks were successful flake / flake (push) Successful in 1m15s Details	2024-08-04 17:56:32 +01:00
Jake Hillion	2ecdafe1cf	chore(deps): lock file maintenance All checks were successful flake / flake (push) Successful in 1m32s Details	2024-08-03 12:15:23 +01:00
Jake Hillion	db5dc5aee6	step-ca: enable server on sodium and load root certs All checks were successful flake / flake (push) Successful in 1m14s Details	2024-08-01 23:28:22 +01:00
Jake Hillion	f96f03ba0c	boron: update to Linux 6.10 All checks were successful flake / flake (push) Successful in 1m13s Details	2024-07-27 15:16:59 +01:00
Renovate Bot	e81cad1670	chore(deps): lock file maintenance All checks were successful flake / flake (push) Successful in 1m25s Details	2024-07-26 13:40:49 +00:00
Jake Hillion	67c8e3dcaf	homeassistant: migrate to basnijholt/adaptive-lighting All checks were successful flake / flake (push) Successful in 1m14s Details	2024-07-22 11:16:34 +01:00
Jake Hillion	1052379119	unifi: switch to nixos module All checks were successful flake / flake (push) Successful in 1m24s Details	2024-07-19 16:43:53 +01:00
Jake Hillion	0edb8394c8	tywin: mount d6 All checks were successful flake / flake (push) Successful in 1m14s Details	2024-07-17 22:19:41 +01:00
Jake Hillion	bbab551b0f	be.lt: connect to Hillion WPA3 Network All checks were successful flake / flake (push) Successful in 1m14s Details	2024-07-17 17:10:08 +01:00