WIP RPI hotspot fallback gateway

Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/c2fc0762bbe8feb06a2e59a364fa81b3a57671c9' (2024-05-24)
  → 'github:ryantm/agenix/f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41' (2024-08-10)
• Updated input 'deploy-rs':
    'github:serokell/deploy-rs/3867348fa92bc892eba5d9ddb2d7a97b9e127a8a' (2024-06-12)
  → 'github:serokell/deploy-rs/aa07eb05537d4cd025e2310397a6adcedfe72c76' (2024-09-27)
• Updated input 'flake-utils':
    'github:numtide/flake-utils/b1d9ab70662946ef0850d488da1c9019f3a9752a' (2024-03-11)
  → 'github:numtide/flake-utils/c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a' (2024-09-17)
• Updated input 'nix-index-database':
    'github:Mic92/nix-index-database/ff80cb4a11bb87f3ce8459be6f16a25ac86eb2ac' (2024-05-27)
  → 'github:Mic92/nix-index-database/5fce10c871bab6d7d5ac9e5e7efbb3a2783f5259' (2024-10-07)
• Updated input 'nixos-hardware':
    'github:NixOS/nixos-hardware/7b49d3967613d9aacac5b340ef158d493906ba79' (2024-06-01)
  → 'github:NixOS/nixos-hardware/b7ca02c7565fbf6d27ff20dd6dbd49c5b82eef28' (2024-10-04)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/805a384895c696f802a9bf5bf4720f37385df547' (2024-05-31)
  → 'github:NixOS/nixpkgs/ecbc1ca8ffd6aea8372ad16be9ebbb39889e55b6' (2024-10-06)
• Updated input 'simple-nixos-mailserver':
    'gitlab:simple-nixos-mailserver/nixos-mailserver/29916981e7b3b5782dc5085ad18490113f8ff63b' (2024-06-11)
  → 'gitlab:simple-nixos-mailserver/nixos-mailserver/af7d3bf5daeba3fc28089b015c0dd43f06b176f2' (2024-08-05)
• Removed input 'simple-nixos-mailserver/utils'

common/binary-cache.nix

@@ -1,17 +1,29 @@
 { config, lib, ... }:
 
+let
+
+in
 {
-  nix = {
+  options.enableExtraSubstituters = lib.mkEnableOption "Enable extra substituters";
-    settings = {
+
-      substituters = [
+  config = lib.mkMerge [
-        "https://cache.nixos.org/"
+    {
-        "https://nix-community.cachix.org"
+      enableExtraSubstituters = lib.mkDefault true;
-        "http://s0.koi-bebop.ts.net:5000"
+    }
-      ];
+    (lib.mkIf config.enableExtraSubstituters {
-      trusted-public-keys = [
+      nix = {
-        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        settings = {
-        "s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU="
+          substituters = [
-      ];
+            "https://cache.nixos.org/"
-    };
+            "https://nix-community.cachix.org"
-  };
+            "http://s0.koi-bebop.ts.net:5000"
+          ];
+          trusted-public-keys = [
+            "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+            "s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU="
+          ];
+        };
+      };
+    })
+  ];
 }

common/default.nix

@@ -25,7 +25,7 @@
   networking.firewall.enable = true;
   networking.firewall.allowPing = true;
 
-  time.timeZone = "America/Denver";
+  time.timeZone = "America/Los_Angeles";
   i18n = {
     defaultLocale = "en_US.UTF-8";
     extraLocaleSettings = {

common/server/mailserver.nix

@@ -56,6 +56,7 @@ in
         "damon@runyan.org"
         "jonas@runyan.org"
         "simon@neet.dev"
+        "ellen@runyan.org"
       ];
       forwards = {
         "amazon@runyan.org" = [

common/server/nextcloud.nix

@@ -8,12 +8,23 @@ in
   config = lib.mkIf cfg.enable {
     services.nextcloud = {
       https = true;
-      package = pkgs.nextcloud29;
+      package = pkgs.nextcloud30;
       hostName = "neet.cloud";
       config.dbtype = "sqlite";
       config.adminuser = "jeremy";
       config.adminpassFile = "/run/agenix/nextcloud-pw";
       autoUpdateApps.enable = true;
+      extraApps = with config.services.nextcloud.package.packages.apps; {
+        # Want
+        inherit end_to_end_encryption mail spreed;
+
+        # Might use
+        inherit bookmarks calendar cookbook deck memories onlyoffice qownnotesapi;
+
+        # Try out
+        # inherit maps music news notes phonetrack polls forms;
+      };
+      extraAppsEnable = true;
     };
     age.secrets.nextcloud-pw = {
       file = ../../secrets/nextcloud-pw.age;

flake.lock

@@ -12,11 +12,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1716561646,
+        "lastModified": 1723293904,
-        "narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=",
+        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9",
+        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
         "type": "github"
       },
       "original": {
@@ -99,11 +99,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1718194053,
+        "lastModified": 1727447169,
-        "narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=",
+        "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
         "owner": "serokell",
         "repo": "deploy-rs",
-        "rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a",
+        "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
         "type": "github"
       },
       "original": {
@@ -135,11 +135,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1710146030,
+        "lastModified": 1726560853,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
         "type": "github"
       },
       "original": {
@@ -176,11 +176,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1716772633,
+        "lastModified": 1728263287,
-        "narHash": "sha256-Idcye44UW+EgjbjCoklf2IDF+XrehV6CVYvxR1omst4=",
+        "narHash": "sha256-GJDtsxz2/zw6g/Nrp4XVWBS5IaZ7ZUkuvxPOBEDe7pg=",
         "owner": "Mic92",
         "repo": "nix-index-database",
-        "rev": "ff80cb4a11bb87f3ce8459be6f16a25ac86eb2ac",
+        "rev": "5fce10c871bab6d7d5ac9e5e7efbb3a2783f5259",
         "type": "github"
       },
       "original": {
@@ -191,11 +191,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1717248095,
+        "lastModified": 1728056216,
-        "narHash": "sha256-e8X2eWjAHJQT82AAN+mCI0B68cIDBJpqJ156+VRrFO0=",
+        "narHash": "sha256-IrO06gFUDTrTlIP3Sz+mRB6WUoO2YsgMtOD3zi0VEt0=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "7b49d3967613d9aacac5b340ef158d493906ba79",
+        "rev": "b7ca02c7565fbf6d27ff20dd6dbd49c5b82eef28",
         "type": "github"
       },
       "original": {
@@ -207,11 +207,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1717144377,
+        "lastModified": 1728193676,
-        "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
+        "narHash": "sha256-PbDWAIjKJdlVg+qQRhzdSor04bAPApDqIv2DofTyynk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "805a384895c696f802a9bf5bf4720f37385df547",
+        "rev": "ecbc1ca8ffd6aea8372ad16be9ebbb39889e55b6",
         "type": "github"
       },
       "original": {
@@ -306,17 +306,14 @@
         ],
         "nixpkgs-24_05": [
           "nixpkgs"
-        ],
-        "utils": [
-          "flake-utils"
         ]
       },
       "locked": {
-        "lastModified": 1718084203,
+        "lastModified": 1722877200,
-        "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
+        "narHash": "sha256-qgKDNJXs+od+1UbRy62uk7dYal3h98I4WojfIqMoGcg=",
         "owner": "simple-nixos-mailserver",
         "repo": "nixos-mailserver",
-        "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
+        "rev": "af7d3bf5daeba3fc28089b015c0dd43f06b176f2",
         "type": "gitlab"
       },
       "original": {

flake.nix

@@ -25,7 +25,6 @@
         nixpkgs.follows = "nixpkgs";
         nixpkgs-24_05.follows = "nixpkgs";
         flake-compat.follows = "flake-compat";
-        utils.follows = "flake-utils";
       };
     };
 

machines/hotspot/default.nix

@@ -0,0 +1,69 @@
+{ config, pkgs, lib, ... }:
+
+let
+  internal = "end0";
+  wireless = "wlan0";
+  internal-gateway-ip = "192.168.0.1";
+  internal-ip-lower = "192.168.0.10";
+  internal-ip-upper = "192.168.0.100";
+in
+{
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  enableExtraSubstituters = false;
+
+  # networking.interfaces.${internal}.ipv4.addresses = [{
+  #   address = internal-gateway-ip;
+  #   prefixLength = 24;
+  # }];
+
+  # DHCP on all interfaces except for the internal interface
+  networking.useDHCP = true;
+  networking.interfaces.${internal}.useDHCP = true;
+  networking.interfaces.${wireless}.useDHCP = true;
+
+  # Enable NAT
+  networking.ip_forward = true;
+  networking.nat = {
+    enable = true;
+    internalInterfaces = [ internal ];
+    externalInterface = wireless;
+  };
+
+  networking.wireless = {
+    enable = true;
+    networks = {
+      "Pixel_6054".psk = "@PSK_Pixel_6054@";
+    };
+    interfaces = [ wireless ];
+    environmentFile = "/run/agenix/hostspot-passwords";
+  };
+  age.secrets.hostspot-passwords.file = ../../secrets/hostspot-passwords.age;
+
+  # dnsmasq for internal interface
+  services.dnsmasq = {
+    enable = true;
+    settings = {
+      server = [ "1.1.1.1" "8.8.8.8" ];
+      dhcp-range = "${internal-ip-lower},${internal-ip-upper},24h";
+      dhcp-option = [
+        "option:router,${internal-gateway-ip}"
+        "option:broadcast,10.0.0.255"
+        "option:ntp-server,0.0.0.0"
+      ];
+    };
+  };
+
+  networking.firewall.interfaces.${internal}.allowedTCPPorts = [
+    53 # dnsmasq
+  ];
+
+  # Make it appear we are not using phone tethering to the ISP
+  networking.firewall = {
+    extraCommands = ''
+      iptables -t mangle -A POSTROUTING -o ${wireless} -j TTL --ttl-set 65
+    '';
+  };
+}

machines/hotspot/hardware-configuration.nix

@@ -0,0 +1,27 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot = {
+    kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
+    initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
+    loader = {
+      grub.enable = false;
+      generic-extlinux-compatible.enable = true;
+    };
+  };
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}

machines/hotspot/properties.nix

@@ -0,0 +1,13 @@
+{
+  hostNames = [
+    "hotspot"
+  ];
+
+  arch = "aarch64-linux";
+
+  systemRoles = [
+    "hotspot"
+  ];
+
+  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAION4IUAef687RIzWrP4HEZnpdSJswt06QmrdRMDPHHGY";
+}

machines/ponyo/default.nix

@@ -102,7 +102,7 @@
       host = "chat.neet.space";
     };
     jitsi-meet = {
-      enable = true;
+      enable = false; # disabled until vulnerable libolm dependency is removed/fixed
       host = "meet.neet.space";
     };
     turn = {

machines/storage/s0/default.nix

@@ -213,6 +213,7 @@
           };
         }
         (mkVirtualHost "vacuum.s0.neet.dev" "http://192.168.1.125") # valetudo
+        (mkVirtualHost "todo.s0.neet.dev" "http://localhost:${toString config.services.vikunja.port}")
       ];
 
     tailscaleAuth = {
@@ -232,6 +233,7 @@
         "esphome.s0.neet.dev"
         "zigbee.s0.neet.dev"
         "vacuum.s0.neet.dev"
+        "todo.s0.neet.dev"
       ];
       expectedTailnet = "koi-bebop.ts.net";
     };
@@ -260,5 +262,15 @@
     openMinimalFirewall = true;
   };
 
+  services.vikunja = {
+    enable = true;
+    port = 61473;
+    frontendScheme = "https";
+    frontendHostname = "todo.s0.neet.dev";
+    settings = {
+      service.enableregistration = false;
+    };
+  };
+
   boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv7l-linux" ];
 }

machines/storage/s0/home-automation.nix

@@ -14,6 +14,9 @@
       }
     ];
   };
+  networking.firewall.allowedTCPPorts = [
+    1883 # mqtt
+  ];
 
   services.zigbee2mqtt = {
     enable = true;

overlays/actualbudget/default.nix

@@ -7,16 +7,16 @@
 }:
 buildNpmPackage rec {
   pname = "actual-server";
-  version = "24.3.0";
+  version = "24.10.1";
 
   src = fetchFromGitHub {
     owner = "actualbudget";
     repo = pname;
     rev = "refs/tags/v${version}";
-    hash = "sha256-y51Dhdn84AWR/gM4LnAzvBIBpvKwUiclnPnwzkRoJ0I=";
+    hash = "sha256-VJAD+lNamwuYmiPJLXkum6piGi5zLOHBp8cUeZagb4s=";
   };
 
-  npmDepsHash = "sha256-/UM2Tz8t4hi621HtXSu0LTDIzZ9SWMqKXqKfPwkdpE8=";
+  npmDepsHash = "sha256-Z2e4+JMhI/keLerT0F4WYdLnXHRQCqL7NjNyA9SFEF8=";
 
   patches = [
     ./migrations-should-use-pkg-path.patch

overlays/actualbudget/migrations-should-use-pkg-path.patch

@@ -1,5 +1,5 @@
 diff --git a/src/load-config.js b/src/load-config.js
-index d3cc5dd..cfcad8a 100644
+index d99ce42..42d1351 100644
 --- a/src/load-config.js
 +++ b/src/load-config.js
 @@ -3,7 +3,8 @@ import path from 'node:path';
@@ -12,7 +12,7 @@ index d3cc5dd..cfcad8a 100644
  const debugSensitive = createDebug('actual-sensitive:config');
  
  const projectRoot = path.dirname(path.dirname(fileURLToPath(import.meta.url)));
-@@ -90,6 +91,7 @@ const finalConfig = {
+@@ -108,6 +109,7 @@ const finalConfig = {
    serverFiles: process.env.ACTUAL_SERVER_FILES || config.serverFiles,
    userFiles: process.env.ACTUAL_USER_FILES || config.userFiles,
    webRoot: process.env.ACTUAL_WEB_ROOT || config.webRoot,
@@ -21,7 +21,7 @@ index d3cc5dd..cfcad8a 100644
      process.env.ACTUAL_HTTPS_KEY && process.env.ACTUAL_HTTPS_CERT
        ? {
 diff --git a/src/migrations.js b/src/migrations.js
-index 964e1f2..3a341d7 100644
+index cba7db0..9983471 100644
 --- a/src/migrations.js
 +++ b/src/migrations.js
 @@ -1,6 +1,12 @@
@@ -37,11 +37,12 @@ index 964e1f2..3a341d7 100644
  
  export default function run(direction = 'up') {
    console.log(
-@@ -13,6 +19,7 @@ export default function run(direction = 'up') {
+@@ -13,7 +19,7 @@ export default function run(direction = 'up') {
          stateStore: `${path.join(config.dataDir, '.migrate')}${
            config.mode === 'test' ? '-test' : ''
          }`,
-+        migrationsDirectory,
+-        migrationsDirectory: `${path.join(config.projectRoot, 'migrations')}`,
++        migrationsDirectory
        },
        (err, set) => {
-         if (err) {
+         if (err) {

overlays/default.nix

@@ -12,11 +12,4 @@ in
   frigate = frigatePkgs.frigate;
 
   actual-server = prev.callPackage ./actualbudget { };
-  unifi8 = prev.unifi.overrideAttrs (oldAttrs: rec {
-    version = "8.1.113";
-    src = prev.fetchurl {
-      url = "https://dl.ui.com/unifi/8.1.113/unifi_sysvinit_all.deb";
-      sha256 = "1knm+l8MSb7XKq2WIbehAnz7loRPjgnc+R98zpWKEAE=";
-    };
-  });
 }

secrets/hostspot-passwords.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 cObvAg l/suU/M4AATK7lQuZv/qnjG/xqNGoVqhS7b3xirmNUM
+Ao2tP6BBSZdlL7jZJPmLyJQWfqdU89M9hCjkkuqtxlw
+-> ssh-ed25519 w3nu8g szQugiuFfzkzVndyIdP1agun4nmCsZzFG/6EEB2V1Gk
+5+DEUJ5tkVFUpm+w/tptUCByRpMxRigwfrVglTYc8XI
+--- pjviyhRustHHMipIpkKsQ4cpu+YA66JwvWXjceXopi4
+)˜Ö®Äý8³È6Y"@?Ý9”®@¡Ÿžè|ÂÄž+©Z*4ö2å“R<qef…êªG¹ïV+{©%CmÞd^™b

secrets/secrets.nix

@@ -57,4 +57,7 @@ with roles;
 
   # Frigate (DVR)
   "frigate-credentials.age".publicKeys = frigate;
+
+  # Phone hotspot passwords
+  "hostspot-passwords.age".publicKeys = hotspot;
 }