WIP RPI hotspot fallback gateway

common/binary-cache.nix

@@ -1,17 +1,29 @@
 { config, lib, ... }:
 
+let
+
+in
 {
-  nix = {
+  options.enableExtraSubstituters = lib.mkEnableOption "Enable extra substituters";
-    settings = {
+
-      substituters = [
+  config = lib.mkMerge [
-        "https://cache.nixos.org/"
+    {
-        "https://nix-community.cachix.org"
+      enableExtraSubstituters = lib.mkDefault true;
-        "http://s0.koi-bebop.ts.net:5000"
+    }
-      ];
+    (lib.mkIf config.enableExtraSubstituters {
-      trusted-public-keys = [
+      nix = {
-        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        settings = {
-        "s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU="
+          substituters = [
-      ];
+            "https://cache.nixos.org/"
-    };
+            "https://nix-community.cachix.org"
-  };
+            "http://s0.koi-bebop.ts.net:5000"
+          ];
+          trusted-public-keys = [
+            "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+            "s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU="
+          ];
+        };
+      };
+    })
+  ];
 }

machines/hotspot/default.nix

@@ -0,0 +1,69 @@
+{ config, pkgs, lib, ... }:
+
+let
+  internal = "end0";
+  wireless = "wlan0";
+  internal-gateway-ip = "192.168.0.1";
+  internal-ip-lower = "192.168.0.10";
+  internal-ip-upper = "192.168.0.100";
+in
+{
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  enableExtraSubstituters = false;
+
+  # networking.interfaces.${internal}.ipv4.addresses = [{
+  #   address = internal-gateway-ip;
+  #   prefixLength = 24;
+  # }];
+
+  # DHCP on all interfaces except for the internal interface
+  networking.useDHCP = true;
+  networking.interfaces.${internal}.useDHCP = true;
+  networking.interfaces.${wireless}.useDHCP = true;
+
+  # Enable NAT
+  networking.ip_forward = true;
+  networking.nat = {
+    enable = true;
+    internalInterfaces = [ internal ];
+    externalInterface = wireless;
+  };
+
+  networking.wireless = {
+    enable = true;
+    networks = {
+      "Pixel_6054".psk = "@PSK_Pixel_6054@";
+    };
+    interfaces = [ wireless ];
+    environmentFile = "/run/agenix/hostspot-passwords";
+  };
+  age.secrets.hostspot-passwords.file = ../../secrets/hostspot-passwords.age;
+
+  # dnsmasq for internal interface
+  services.dnsmasq = {
+    enable = true;
+    settings = {
+      server = [ "1.1.1.1" "8.8.8.8" ];
+      dhcp-range = "${internal-ip-lower},${internal-ip-upper},24h";
+      dhcp-option = [
+        "option:router,${internal-gateway-ip}"
+        "option:broadcast,10.0.0.255"
+        "option:ntp-server,0.0.0.0"
+      ];
+    };
+  };
+
+  networking.firewall.interfaces.${internal}.allowedTCPPorts = [
+    53 # dnsmasq
+  ];
+
+  # Make it appear we are not using phone tethering to the ISP
+  networking.firewall = {
+    extraCommands = ''
+      iptables -t mangle -A POSTROUTING -o ${wireless} -j TTL --ttl-set 65
+    '';
+  };
+}

machines/hotspot/hardware-configuration.nix

@@ -0,0 +1,27 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot = {
+    kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
+    initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
+    loader = {
+      grub.enable = false;
+      generic-extlinux-compatible.enable = true;
+    };
+  };
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}

machines/hotspot/properties.nix

@@ -0,0 +1,13 @@
+{
+  hostNames = [
+    "hotspot"
+  ];
+
+  arch = "aarch64-linux";
+
+  systemRoles = [
+    "hotspot"
+  ];
+
+  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAION4IUAef687RIzWrP4HEZnpdSJswt06QmrdRMDPHHGY";
+}

machines/storage/s0/default.nix

@@ -262,7 +262,6 @@
     openMinimalFirewall = true;
   };
 
-  # TODO: setup backup
   services.vikunja = {
     enable = true;
     port = 61473;
@@ -272,9 +271,6 @@
       service.enableregistration = false;
     };
   };
-  backup.group."vikunja".paths = [
-    "/var/lib/vikunja"
-  ];
 
   boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv7l-linux" ];
 }

machines/storage/s0/home-automation.nix

@@ -3,14 +3,14 @@
 {
   services.esphome.enable = true;
 
+  # TODO lock down
   services.mosquitto = {
     enable = true;
     listeners = [
       {
-        users.root = {
+        acl = [ "pattern readwrite #" ];
-          acl = [ "readwrite #" ];
+        omitPasswordAuth = true;
-          hashedPassword = "$7$101$8+QnkTzCdGizaKqq$lpU4o84n6D/1uwfA9pZDVExr1NDm1D/8tNla2tE9J9HdUqkvu192yYfiySY1MFqVNgUKgWEFu5P1bUKqRnzbUw==";
+        settings.allow_anonymous = true;
-        };
       }
     ];
   };
@@ -28,8 +28,7 @@
       };
       mqtt = {
         server = "mqtt://localhost:1883";
-        user = "root";
+        # base_topic = "zigbee2mqtt";
-        password = "'!/run/agenix/zigbee2mqtt.yaml mqtt_password'";
       };
       frontend = {
         host = "localhost";
@@ -37,10 +36,6 @@
       };
     };
   };
-  age.secrets."zigbee2mqtt.yaml" = {
-    file = ../../../secrets/zigbee2mqtt.yaml.age;
-    owner = "zigbee2mqtt";
-  };
 
   services.home-assistant = {
     enable = true;

machines/storage/s0/properties.nix

@@ -12,7 +12,6 @@
     "binary-cache"
     "gitea-actions-runner"
     "frigate"
-    "zigbee"
   ];
 
   hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";

secrets/digitalocean-dns-credentials.age

@@ -1,11 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 WBT1Hw TGdD8Nw+GPITDOXGhevSu+880DWET7WYN3nIyJ0xy2o
+-> ssh-ed25519 WBT1Hw wjZGPvilRXGZsC2+7dWm/Nbau8Allv29WwQCr0XSAWU
-69xepRTnmaFwa4IsGJjDdwZqTSf5fz6EZK0/q3oz/ZA
+uTOf/sokutOGDyc8fbTbBWXqCVQCFhGdHxwA6SXqhdA
--> ssh-ed25519 6AT2/g EmqXrXXsRxSS6AsH+7VMgoJTYo9eGj8ebLiLT4IWNxg
+-> ssh-ed25519 6AT2/g NU068qwqOWiKk0QwqP9vU4xJaND2OR4bo8xkmdWATgY
-eKs5/3tQMdg5bGJKNz8PFh9C7HiV+IlOU9dzpYcGIjo
+uGd0sb5PH+rREn9pgLOFwk29CX66aPBQMvr4rBazylc
--> ssh-ed25519 hPp1nw wsIF676is8FquF6oANNauPrumsMnfVUZpPeVKEtBOzQ
+-> ssh-ed25519 hPp1nw r2JRiZ7fsHPYDlte6Oh2Gx1KkugekFeeg3xSjziI+hQ
-qZR8LSF+TQ2K3K0An69NHfk53ZqNEWev0IVcb71SR40
+xnO0gscMdR25mj5uAX7D42FCbCQhqbU0wkiLX4OmVqk
--> ssh-ed25519 w3nu8g TKHY/5JuzFMhbW9CQAOI3woX8M9b1H/XXUpIMT0Mylk
+-> ssh-ed25519 w3nu8g F03mPU63WwEs1SLUFErLOVCkARoggGIvvz9TFZfMOBY
-byJV0/BJ3ftG5eYv5BeyIYBi0VoWG31HRiENUxSeYE8
+HOdVA3xW9pqUPhclO6VueSfXg3ux06Ch3fucF6Vr4hM
---- fwHXHtE/sMLqCLSD8tR0oCPgNuif9Y/ncHU97hbf/Bw
+--- niyo231HPT/+2dzflP+zhYjL9XiWsk7svesCYdkU1jA
-f"+ÉŒqc<71>H†Ñjï!JSšË¡Ì|yMìðX¼þMl<4D>ýçCy™îUXn»Égk¨ë)¤óOY§uº„¦²¶g%è Håvn·œ5ô!$Jœ¤Š…¶›$<24>#Dö;±¥àÖ	}ÏŸcçKšˆ{R/
+DÑØQî¬5–-ô@<40>¢¿—ßÐN5<4E> Ãÿ$Ø‚™’Çž…êÐ<C3AA>X=ŒHŽDÁ`P×5ZA´÷¼YóäÓ?¡é^[³1”6ÕK*mP݈ª­æ1æç÷ß›ƒ:$^ÑfDœ*î†ÿ“š-zi´"·Tàuÿüò

secrets/hostspot-passwords.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 cObvAg l/suU/M4AATK7lQuZv/qnjG/xqNGoVqhS7b3xirmNUM
+Ao2tP6BBSZdlL7jZJPmLyJQWfqdU89M9hCjkkuqtxlw
+-> ssh-ed25519 w3nu8g szQugiuFfzkzVndyIdP1agun4nmCsZzFG/6EEB2V1Gk
+5+DEUJ5tkVFUpm+w/tptUCByRpMxRigwfrVglTYc8XI
+--- pjviyhRustHHMipIpkKsQ4cpu+YA66JwvWXjceXopi4
+)˜Ö®Äý8³È6Y"@?Ý9”®@¡Ÿžè|ÂÄž+©Z*4ö2å“R<qef…êªG¹ïV+{©%CmÞd^™b

secrets/secrets.nix

@@ -58,6 +58,6 @@ with roles;
   # Frigate (DVR)
   "frigate-credentials.age".publicKeys = frigate;
 
-  # zigbee2mqtt secrets
+  # Phone hotspot passwords
-  "zigbee2mqtt.yaml.age".publicKeys = zigbee;
+  "hostspot-passwords.age".publicKeys = hotspot;
 }

secrets/zigbee2mqtt.yaml.age

@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 hPp1nw TSDuPaFp/Qcz4r819X4QmU/4J2TGpoX7jCCJCdFDog0
-SwQUqEp45xMOeTkvBG6uX28kB8YWG66laYqakSgl9w4
--> ssh-ed25519 w3nu8g tLZDNE0iBgOpUB3djpNu3CgimsRc0zcds+AgctzxyQ4
-Oyz6XORsApM4vFxWyaD3bR/ApIUFPY3q4yGvtbosUIY
---- vuXlQmuOFbJhBTACN5ciH2GlOCbRCMPZdlogG2O+KOk
-Áëÿ!}UIì	p0@Xž|°þ#晆0HÙõò#BÇRR<52>Ù
-òùø5¾Iÿ?vX?pÝ<70>—<>fqÍ[lž¸˜xÏ­G7ü;UäÀOUä¶