WIP RPI hotspot fallback gateway

2024-10-27 15:50:47 -07:00
10 changed files with 148 additions and 34 deletions
--- a/common/binary-cache.nix
+++ b/common/binary-cache.nix
@@ -1,17 +1,29 @@
 { config, lib, ... }:
 let
 in
 {
-  nix = {
+  options.enableExtraSubstituters = lib.mkEnableOption "Enable extra substituters";
-    settings = {
+
-      substituters = [
+  config = lib.mkMerge [
-        "https://cache.nixos.org/"
+    {
-        "https://nix-community.cachix.org"
+      enableExtraSubstituters = lib.mkDefault true;
-        "http://s0.koi-bebop.ts.net:5000"
+    }
-      ];
+    (lib.mkIf config.enableExtraSubstituters {
-      trusted-public-keys = [
+      nix = {
-        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        settings = {
-        "s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU="
+          substituters = [
-      ];
+            "https://cache.nixos.org/"
-    };
+            "https://nix-community.cachix.org"
-  };
+            "http://s0.koi-bebop.ts.net:5000"
          ];
          trusted-public-keys = [
            "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
            "s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU="
          ];
        };
      };
    })
  ];
 }
--- a/machines/hotspot/default.nix
+++ b/machines/hotspot/default.nix
@@ -0,0 +1,69 @@
 { config, pkgs, lib, ... }:
 let
  internal = "end0";
  wireless = "wlan0";
  internal-gateway-ip = "192.168.0.1";
  internal-ip-lower = "192.168.0.10";
  internal-ip-upper = "192.168.0.100";
 in
 {
  imports = [
    ./hardware-configuration.nix
  ];
  enableExtraSubstituters = false;
  # networking.interfaces.${internal}.ipv4.addresses = [{
  #   address = internal-gateway-ip;
  #   prefixLength = 24;
  # }];
  # DHCP on all interfaces except for the internal interface
  networking.useDHCP = true;
  networking.interfaces.${internal}.useDHCP = true;
  networking.interfaces.${wireless}.useDHCP = true;
  # Enable NAT
  networking.ip_forward = true;
  networking.nat = {
    enable = true;
    internalInterfaces = [ internal ];
    externalInterface = wireless;
  };
  networking.wireless = {
    enable = true;
    networks = {
      "Pixel_6054".psk = "@PSK_Pixel_6054@";
    };
    interfaces = [ wireless ];
    environmentFile = "/run/agenix/hostspot-passwords";
  };
  age.secrets.hostspot-passwords.file = ../../secrets/hostspot-passwords.age;
  # dnsmasq for internal interface
  services.dnsmasq = {
    enable = true;
    settings = {
      server = [ "1.1.1.1" "8.8.8.8" ];
      dhcp-range = "${internal-ip-lower},${internal-ip-upper},24h";
      dhcp-option = [
        "option:router,${internal-gateway-ip}"
        "option:broadcast,10.0.0.255"
        "option:ntp-server,0.0.0.0"
      ];
    };
  };
  networking.firewall.interfaces.${internal}.allowedTCPPorts = [
    53 # dnsmasq
  ];
  # Make it appear we are not using phone tethering to the ISP
  networking.firewall = {
    extraCommands = ''
      iptables -t mangle -A POSTROUTING -o ${wireless} -j TTL --ttl-set 65
    '';
  };
 }
--- a/machines/hotspot/hardware-configuration.nix
+++ b/machines/hotspot/hardware-configuration.nix
@@ -0,0 +1,27 @@
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [
      (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot = {
    kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
    initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
    loader = {
      grub.enable = false;
      generic-extlinux-compatible.enable = true;
    };
  };
  fileSystems."/" =
    {
      device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
      fsType = "ext4";
    };
  swapDevices = [ ];
  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
 }
--- a/machines/hotspot/properties.nix
+++ b/machines/hotspot/properties.nix
@@ -0,0 +1,13 @@
 {
  hostNames = [
    "hotspot"
  ];
  arch = "aarch64-linux";
  systemRoles = [
    "hotspot"
  ];
  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAION4IUAef687RIzWrP4HEZnpdSJswt06QmrdRMDPHHGY";
 }
--- a/machines/storage/s0/default.nix
+++ b/machines/storage/s0/default.nix
@@ -271,9 +271,6 @@
      service.enableregistration = false;
    };
  };
  backup.group."vikunja".paths = [
    "/var/lib/vikunja"
  ];
  boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv7l-linux" ];
 }
--- a/machines/storage/s0/home-automation.nix
+++ b/machines/storage/s0/home-automation.nix
@@ -3,14 +3,14 @@
 {
  services.esphome.enable = true;
  # TODO lock down
  services.mosquitto = {
    enable = true;
    listeners = [
      {
-        users.root = {
+        acl = [ "pattern readwrite #" ];
-          acl = [ "readwrite #" ];
+        omitPasswordAuth = true;
-          hashedPassword = "$7$101$8+QnkTzCdGizaKqq$lpU4o84n6D/1uwfA9pZDVExr1NDm1D/8tNla2tE9J9HdUqkvu192yYfiySY1MFqVNgUKgWEFu5P1bUKqRnzbUw==";
+        settings.allow_anonymous = true;
        };
      }
    ];
  };
@@ -28,8 +28,7 @@
      };
      mqtt = {
        server = "mqtt://localhost:1883";
-        user = "root";
+        # base_topic = "zigbee2mqtt";
        password = "'!/run/agenix/zigbee2mqtt.yaml mqtt_password'";
      };
      frontend = {
        host = "localhost";
@@ -37,7 +36,6 @@
      };
    };
  };
  age.secrets."zigbee2mqtt.yaml".file = ../../../secrets/zigbee2mqtt.yaml.age;
  services.home-assistant = {
    enable = true;
--- a/machines/storage/s0/properties.nix
+++ b/machines/storage/s0/properties.nix
@@ -12,7 +12,6 @@
    "binary-cache"
    "gitea-actions-runner"
    "frigate"
    "zigbee"
  ];
  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
--- a/secrets/hostspot-passwords.age
+++ b/secrets/hostspot-passwords.age
@@ -0,0 +1,7 @@
 age-encryption.org/v1
 -> ssh-ed25519 cObvAg l/suU/M4AATK7lQuZv/qnjG/xqNGoVqhS7b3xirmNUM
 Ao2tP6BBSZdlL7jZJPmLyJQWfqdU89M9hCjkkuqtxlw
 -> ssh-ed25519 w3nu8g szQugiuFfzkzVndyIdP1agun4nmCsZzFG/6EEB2V1Gk
 5+DEUJ5tkVFUpm+w/tptUCByRpMxRigwfrVglTYc8XI
 --- pjviyhRustHHMipIpkKsQ4cpu+YA66JwvWXjceXopi4
 )˜Ö®Äý8³È6Y"@?Ý9”®@¡Ÿžè|ÂÄž+©Z*4ö2å“R<qef…êªG¹ïV+{©%CmÞd^™b
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -58,6 +58,6 @@ with roles;
  # Frigate (DVR)
  "frigate-credentials.age".publicKeys = frigate;
-  # zigbee2mqtt secrets
+  # Phone hotspot passwords
-  "zigbee2mqtt.yaml.age".publicKeys = zigbee;
+  "hostspot-passwords.age".publicKeys = hotspot;
 }
--- a/secrets/zigbee2mqtt.yaml.age
+++ b/secrets/zigbee2mqtt.yaml.age
@@ -1,8 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 hPp1nw TSDuPaFp/Qcz4r819X4QmU/4J2TGpoX7jCCJCdFDog0
 SwQUqEp45xMOeTkvBG6uX28kB8YWG66laYqakSgl9w4
 -> ssh-ed25519 w3nu8g tLZDNE0iBgOpUB3djpNu3CgimsRc0zcds+AgctzxyQ4
 Oyz6XORsApM4vFxWyaD3bR/ApIUFPY3q4yGvtbosUIY
 --- vuXlQmuOFbJhBTACN5ciH2GlOCbRCMPZdlogG2O+KOk
 Áëÿ!}UIì	p0@Xž|°þ#æ™†0HÙõò#BÇRR<52>Ù
 òùø5¾Iÿ?vX?pÝ<70>—<>fqÍ[lž¸˜xÏG7ü;UäÀOUä¶