eljojo/hardware-raspberry-pi.nix

## hardware-raspberry-pi.nix
{ config, lib, pkgs, modulesPath, ... }:

{
  imports =
    [
    "${fetchTarball "https://github.com/NixOS/nixos-hardware/archive/2a7063461c3751d83869a2a0a8ebc59e34bec5b2.tar.gz" }/raspberry-pi/4"
    ];

  boot.kernelPackages = pkgs.linuxPackages_rpi4;
  boot.kernel.sysctl."vm.swappiness" = 0;
  boot.tmpOnTmpfs = true;

  fileSystems = {
    "/boot/firmware" = {
      device = "/dev/disk/by-label/FIRMWARE";
      fsType = "vfat";
      options = [ "nofail" "noauto" ];
    };
    "/var/log" = {
      device = "none";
      fsType = "tmpfs";
      options = [ "defaults" "size=256M" "mode=755" ];
    };
    "/" = {
      device = "/dev/disk/by-label/NIXOS_SD";
      fsType = "ext4";
      options = [ "noatime" ];
    };
  };


  boot.initrd.availableKernelModules = [
	  "reset-raspberrypi" # https://github.com/NixOS/nixpkgs/pull/143885
		  "xhci_pci" # from hardware configuration
  ];

  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}

## host-bb8.nix
{ config, pkgs, lib, ... }:

let
  nara = import ../apps/nara-arm.nix { inherit pkgs; };

in {
  imports = [
    ../hardware/raspberry-pi.nix
    ../profiles/common.nix
    ../profiles/edge.nix
    ../profiles/dns-server.nix
  ];

  networking.hostName = "bb8";
  time.timeZone = "America/Toronto";

  systemd.services.nara-music-station = (nara.mkNara "bb8");

  services.journald.extraConfig = "Storage=volatile";

  virtualisation.oci-containers.containers = {
    traefik.ports = [ "192.168.90.56:80:80" "192.168.90.56:443:443" ];
  };

  networking = {
	  firewall = {
		  allowedTCPPorts = [ 80 443 ];
		  allowedUDPPorts = [ ];
	  };

    useDHCP = false;
    dhcpcd.enable = false;
    usePredictableInterfaceNames = lib.mkForce false;

    defaultGateway = "192.168.90.1";
    nameservers = [ "192.168.90.1" ];

    interfaces.eth0 = {
      ipv4.addresses = [
        { address = "192.168.90.56"; prefixLength = 24; }
      ];
    };
  };
}

## profiles-common.nix
{ config, lib, pkgs, modulesPath, ... }:

let
  unstable = import <nixos-unstable> { config = { allowUnfree = true; }; };

  sshKeysUrl = pkgs.fetchurl {
	  url = "https://github.com/eljojo.keys?1";
	  sha256 = "10mx82w2wrkk17li83gpp2ln1qna91d43sgj13qywayc2msymclf";
  };
  sshKeys = (lib.splitString "\n" (builtins.readFile sshKeysUrl));

in {
  imports =
    [
      (modulesPath + "/profiles/base.nix")
      ./security.nix
      ./docker.nix
    ];

  i18n = {
    defaultLocale = "en_US.UTF-8";
  };

  console = {
    font = "Lat2-Terminus16";
    keyMap = "us";
  };

  hardware.enableRedistributableFirmware = true;

  boot.cleanTmpDir = true;

  # safety glasses ON
  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_5_15_hardened;
  security.allowSimultaneousMultithreading = true;
  boot.supportedFilesystems = lib.mkForce [ "btrfs" "vfat" "xfs" "cifs" "ext4" "nfs" "rpc_pipefs" "nfsd" ];

  services.tailscale = { enable = true ; package = unstable.tailscale; } ;
  systemd.services.tailscaled.wantedBy = [ "network-online.target" "multi-user.target" "network.target" "sshd.service" ];
  security.sudo.wheelNeedsPassword = false;

  networking = {
	  firewall.enable = true;
	  firewall.allowPing = true;
	  firewall.allowedTCPPorts = [ 22 ];
	  firewall.allowedUDPPorts = [ config.services.tailscale.port  ];
	  firewall.trustedInterfaces = ["tailscale0"];
  };

  nixpkgs.config = {
	  allowUnfree = true;
  };

  services.chrony.enable = true;
  programs.mtr.enable = true;
  programs.mosh.enable = true;
  programs.vim.defaultEditor = true;

  services.openssh.enable = true;
  services.openssh.passwordAuthentication = false;
  services.openssh.challengeResponseAuthentication = false;
  services.fail2ban = {
	  enable = true;
	  maxretry = 5;
	  ignoreIP = [
		  "127.0.0.0/8"
		  "192.168.90.0/24"
		  "174.115.97.0"
	  ];
  };


  environment.systemPackages = with pkgs; [
	  service-wrapper coreutils-prefixed # unsure what i need this for
	  wget htop tmux silver-searcher git unstable.go curl
	  traceroute iftop iotop bind unstable.tailscale whois
	  vim
    jq # nara
    tree
    openssl # many things work better with this
    inetutils # telnet
    unstable.vault
  ];

  users.users.root = {
    openssh.authorizedKeys.keys = sshKeys;
  };
  users.users.jojo = {
    isNormalUser = true;
    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
    shell = pkgs.zsh;
    openssh.authorizedKeys.keys = sshKeys;
  };

  system.autoUpgrade.enable = true;
  system.autoUpgrade.allowReboot = false;
  system.autoUpgrade.dates = "Saturday *-*-* 8:00";
  nix.gc.automatic = true;
  nix.gc.dates = "Saturday *-*-* 10:00";
  nix.gc.options = "--delete-older-than 60d";
  nix.autoOptimiseStore = true;

  services.cron = {
	  enable = true;
	  systemCronJobs = [
		# min hour day-of-month month day-of-week
		"@weekly   root    nix-collect-garbage >> /tmp/cron.log"
		"@monthly  root    nix-collect-garbage -d >> /tmp/cron.log" # delete all old system version
	  ];
  };

  programs.zsh = {
	  enable = true;
	  enableCompletion = true;
	  autosuggestions.enable = true;
	  syntaxHighlighting.enable = true;
	  shellAliases = {
		  st = "git status";
		  gd = "git diff";
		  ga = "git add";
		  gc = "git commit";
		  push = "git push";
		  pull = "git pull origin --ff-only";
	  };

  };
  programs.bash.shellAliases = config.programs.zsh.shellAliases;

  system.activationScripts.binbash =
      ''
        mkdir -m 0755 -p /bin
	ln -sfn "${pkgs.bashInteractive}/bin/bash" /bin/.bash.tmp
	mv /bin/.bash.tmp /bin/bash # atomically replace /bin/bash
      '';

}

## profiles-dns-server.nix
{ config, lib, pkgs, ... }:

let

hintsFile = "/var/lib/unbound/root.hints";

in {
  imports =
    [
    ];

  config.services.adguardhome.enable = true;

  config.services.unbound = {
    enable = true;
    resolveLocalQueries = false;

    settings = {
	    server = {
		    interface = [ "0.0.0.0" ];
		    port = 5353;
		    do-ip4 = "yes";
		    do-ip6 = "yes";
		    do-udp = "yes";
		    do-tcp = "yes";

		    private-address = [
			    "192.168.0.0/16"
			    "10.0.0.0/8"
			    "fd00::/8"
			    "fe80::/10"
		    ];

		    access-control = [
			    "192.168.0.0/16 allow"
			    "10.0.0.0/8 allow"
			    "127.0.0.0/8 allow"
		    ];

		    unblock-lan-zones = "yes";
		    insecure-lan-zones = "yes";
		    private-domain = [
			    "eljojo.casa"
			    "eljojo.net"
		    ];
		    domain-insecure = [
			    "eljojo.casa"
		    ];

		# cache size
		    rrset-cache-size = "256m";
		    msg-cache-size = "128m";

		# TTL bounds for cache
		    cache-min-ttl = 3600;
		    cache-max-ttl = 86400;

		# One thread should be sufficient, probably increases cache hits
		    num-threads = 1;

		    root-hints = hintsFile;

		# https://calomel.org/unbound_dns.html
		    rrset-roundrobin = "yes";
		    so-reuseport = "yes";
		    aggressive-nsec = "yes";

		# Ensure kernel buffer is large enough to not loose messages in traffic spikes
		    so-rcvbuf = "1m";

		# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
		    harden-dnssec-stripped = "yes";

		# Reduce EDNS reassembly buffer size.
		# Suggested by the unbound man page to reduce fragmentation reassembly problems
		    edns-buffer-size = 1472;

		# Perform prefetching of close to expired message cache entries
		# This only applies to domains that have been frequently queried
		    prefetch = "yes";
		    prefetch-key = "yes";

		# Trust glue only if it is within the servers authority
		    harden-glue = "yes";

		# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
		# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
		    use-caps-for-id = "no";

		# See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for details
		    qname-minimisation = "yes";
	    };
    };

  };

  config.boot.kernel.sysctl."net.core.rmem_max" = 1048576;

  config.networking.firewall = {
	  allowedTCPPorts = [ 3000 4433 853 784 ];
	  allowedUDPPorts = [ 53 5353 853 784];
  };

  config.services.cron = {
	  systemCronJobs = [
	  "@monthly   root   ${pkgs.wget}/bin/wget https://www.internic.net/domain/named.root -qO ${hintsFile} && chown unbound:unbound ${hintsFile}"
	  ];
  };
}

## sd-card-build.sh
#!/usr/bin/env bash
# based on https://github.com/lucernae/nixos-pi
# and https://nix.dev/tutorials/installing-nixos-on-a-raspberry-pi
nix-build '<nixpkgs/nixos>' -A config.system.build.sdImage -I nixos-config=./configuration.sdImage.nix   --argstr system aarch64-linux   --option sandbox false --show-trace

## sd-card-configuration.sdImage.nix
{ config, pkgs, lib, ... }:
{

  imports = [
    <nixpkgs/nixos/modules/installer/sd-card/sd-image-aarch64-installer.nix>

    # For nixpkgs cache
    <nixpkgs/nixos/modules/installer/cd-dvd/channel.nix>

    ../profiles/common.nix
    ../hardware/raspberry-pi.nix
  ];

  sdImage.compressImage = false;
  sdImage.firmwareSize = 256; # larger default for future needs

  # NixOS wants to enable GRUB by default
  boot.loader.grub.enable = false;
  # Enables the generation of /boot/extlinux/extlinux.conf
  boot.loader.generic-extlinux-compatible.enable = true;

  # Networking
  networking = {
    # useDHCP = true;
    interfaces.eth0 = {
      useDHCP = true;
      # I used DHCP because sometimes I disconnect the LAN cable
      #ipv4.addresses = [{
      #  address = "192.168.100.3";
      #  prefixLength = 24;
      #}];
    };
  };
}
	{ config, lib, pkgs, modulesPath, ... }:

	{
	imports =
	[
	"${fetchTarball "https://github.com/NixOS/nixos-hardware/archive/2a7063461c3751d83869a2a0a8ebc59e34bec5b2.tar.gz" }/raspberry-pi/4"
	];

	boot.kernelPackages = pkgs.linuxPackages_rpi4;
	boot.kernel.sysctl."vm.swappiness" = 0;
	boot.tmpOnTmpfs = true;

	fileSystems = {
	"/boot/firmware" = {
	device = "/dev/disk/by-label/FIRMWARE";
	fsType = "vfat";
	options = [ "nofail" "noauto" ];
	};
	"/var/log" = {
	device = "none";
	fsType = "tmpfs";
	options = [ "defaults" "size=256M" "mode=755" ];
	};
	"/" = {
	device = "/dev/disk/by-label/NIXOS_SD";
	fsType = "ext4";
	options = [ "noatime" ];
	};
	};


	boot.initrd.availableKernelModules = [
	"reset-raspberrypi" # https://github.com/NixOS/nixpkgs/pull/143885
	"xhci_pci" # from hardware configuration
	];

	powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
	}
	{ config, pkgs, lib, ... }:

	let
	nara = import ../apps/nara-arm.nix { inherit pkgs; };

	in {
	imports = [
	../hardware/raspberry-pi.nix
	../profiles/common.nix
	../profiles/edge.nix
	../profiles/dns-server.nix
	];

	networking.hostName = "bb8";
	time.timeZone = "America/Toronto";

	systemd.services.nara-music-station = (nara.mkNara "bb8");

	services.journald.extraConfig = "Storage=volatile";

	virtualisation.oci-containers.containers = {
	traefik.ports = [ "192.168.90.56:80:80" "192.168.90.56:443:443" ];
	};

	networking = {
	firewall = {
	allowedTCPPorts = [ 80 443 ];
	allowedUDPPorts = [ ];
	};

	useDHCP = false;
	dhcpcd.enable = false;
	usePredictableInterfaceNames = lib.mkForce false;

	defaultGateway = "192.168.90.1";
	nameservers = [ "192.168.90.1" ];

	interfaces.eth0 = {
	ipv4.addresses = [
	{ address = "192.168.90.56"; prefixLength = 24; }
	];
	};
	};
	}
	{ config, lib, pkgs, modulesPath, ... }:

	let
	unstable = import <nixos-unstable> { config = { allowUnfree = true; }; };

	sshKeysUrl = pkgs.fetchurl {
	url = "https://github.com/eljojo.keys?1";
	sha256 = "10mx82w2wrkk17li83gpp2ln1qna91d43sgj13qywayc2msymclf";
	};
	sshKeys = (lib.splitString "\n" (builtins.readFile sshKeysUrl));

	in {
	imports =
	[
	(modulesPath + "/profiles/base.nix")
	./security.nix
	./docker.nix
	];

	i18n = {
	defaultLocale = "en_US.UTF-8";
	};

	console = {
	font = "Lat2-Terminus16";
	keyMap = "us";
	};

	hardware.enableRedistributableFirmware = true;

	boot.cleanTmpDir = true;

	# safety glasses ON
	boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_5_15_hardened;
	security.allowSimultaneousMultithreading = true;
	boot.supportedFilesystems = lib.mkForce [ "btrfs" "vfat" "xfs" "cifs" "ext4" "nfs" "rpc_pipefs" "nfsd" ];

	services.tailscale = { enable = true ; package = unstable.tailscale; } ;
	systemd.services.tailscaled.wantedBy = [ "network-online.target" "multi-user.target" "network.target" "sshd.service" ];
	security.sudo.wheelNeedsPassword = false;

	networking = {
	firewall.enable = true;
	firewall.allowPing = true;
	firewall.allowedTCPPorts = [ 22 ];
	firewall.allowedUDPPorts = [ config.services.tailscale.port ];
	firewall.trustedInterfaces = ["tailscale0"];
	};

	nixpkgs.config = {
	allowUnfree = true;
	};

	services.chrony.enable = true;
	programs.mtr.enable = true;
	programs.mosh.enable = true;
	programs.vim.defaultEditor = true;

	services.openssh.enable = true;
	services.openssh.passwordAuthentication = false;
	services.openssh.challengeResponseAuthentication = false;
	services.fail2ban = {
	enable = true;
	maxretry = 5;
	ignoreIP = [
	"127.0.0.0/8"
	"192.168.90.0/24"
	"174.115.97.0"
	];
	};


	environment.systemPackages = with pkgs; [
	service-wrapper coreutils-prefixed # unsure what i need this for
	wget htop tmux silver-searcher git unstable.go curl
	traceroute iftop iotop bind unstable.tailscale whois
	vim
	jq # nara
	tree
	openssl # many things work better with this
	inetutils # telnet
	unstable.vault
	];

	users.users.root = {
	openssh.authorizedKeys.keys = sshKeys;
	};
	users.users.jojo = {
	isNormalUser = true;
	extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
	shell = pkgs.zsh;
	openssh.authorizedKeys.keys = sshKeys;
	};

	system.autoUpgrade.enable = true;
	system.autoUpgrade.allowReboot = false;
	system.autoUpgrade.dates = "Saturday --* 8:00";
	nix.gc.automatic = true;
	nix.gc.dates = "Saturday --* 10:00";
	nix.gc.options = "--delete-older-than 60d";
	nix.autoOptimiseStore = true;

	services.cron = {
	enable = true;
	systemCronJobs = [
	# min hour day-of-month month day-of-week
	"@weekly root nix-collect-garbage >> /tmp/cron.log"
	"@monthly root nix-collect-garbage -d >> /tmp/cron.log" # delete all old system version
	];
	};

	programs.zsh = {
	enable = true;
	enableCompletion = true;
	autosuggestions.enable = true;
	syntaxHighlighting.enable = true;
	shellAliases = {
	st = "git status";
	gd = "git diff";
	ga = "git add";
	gc = "git commit";
	push = "git push";
	pull = "git pull origin --ff-only";
	};

	};
	programs.bash.shellAliases = config.programs.zsh.shellAliases;

	system.activationScripts.binbash =
	''
	mkdir -m 0755 -p /bin
	ln -sfn "${pkgs.bashInteractive}/bin/bash" /bin/.bash.tmp
	mv /bin/.bash.tmp /bin/bash # atomically replace /bin/bash
	'';

	}
	{ config, lib, pkgs, ... }:

	let

	hintsFile = "/var/lib/unbound/root.hints";

	in {
	imports =
	[
	];

	config.services.adguardhome.enable = true;

	config.services.unbound = {
	enable = true;
	resolveLocalQueries = false;

	settings = {
	server = {
	interface = [ "0.0.0.0" ];
	port = 5353;
	do-ip4 = "yes";
	do-ip6 = "yes";
	do-udp = "yes";
	do-tcp = "yes";

	private-address = [
	"192.168.0.0/16"
	"10.0.0.0/8"
	"fd00::/8"
	"fe80::/10"
	];

	access-control = [
	"192.168.0.0/16 allow"
	"10.0.0.0/8 allow"
	"127.0.0.0/8 allow"
	];

	unblock-lan-zones = "yes";
	insecure-lan-zones = "yes";
	private-domain = [
	"eljojo.casa"
	"eljojo.net"
	];
	domain-insecure = [
	"eljojo.casa"
	];

	# cache size
	rrset-cache-size = "256m";
	msg-cache-size = "128m";

	# TTL bounds for cache
	cache-min-ttl = 3600;
	cache-max-ttl = 86400;

	# One thread should be sufficient, probably increases cache hits
	num-threads = 1;

	root-hints = hintsFile;

	# https://calomel.org/unbound_dns.html
	rrset-roundrobin = "yes";
	so-reuseport = "yes";
	aggressive-nsec = "yes";

	# Ensure kernel buffer is large enough to not loose messages in traffic spikes
	so-rcvbuf = "1m";

	# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
	harden-dnssec-stripped = "yes";

	# Reduce EDNS reassembly buffer size.
	# Suggested by the unbound man page to reduce fragmentation reassembly problems
	edns-buffer-size = 1472;

	# Perform prefetching of close to expired message cache entries
	# This only applies to domains that have been frequently queried
	prefetch = "yes";
	prefetch-key = "yes";

	# Trust glue only if it is within the servers authority
	harden-glue = "yes";

	# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
	# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
	use-caps-for-id = "no";

	# See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for details
	qname-minimisation = "yes";
	};
	};

	};

	config.boot.kernel.sysctl."net.core.rmem_max" = 1048576;

	config.networking.firewall = {
	allowedTCPPorts = [ 3000 4433 853 784 ];
	allowedUDPPorts = [ 53 5353 853 784];
	};

	config.services.cron = {
	systemCronJobs = [
	"@monthly root ${pkgs.wget}/bin/wget https://www.internic.net/domain/named.root -qO ${hintsFile} && chown unbound:unbound ${hintsFile}"
	];
	};
	}
	#!/usr/bin/env bash
	# based on https://github.com/lucernae/nixos-pi
	# and https://nix.dev/tutorials/installing-nixos-on-a-raspberry-pi
	nix-build '<nixpkgs/nixos>' -A config.system.build.sdImage -I nixos-config=./configuration.sdImage.nix --argstr system aarch64-linux --option sandbox false --show-trace
	{ config, pkgs, lib, ... }:
	{

	imports = [
	<nixpkgs/nixos/modules/installer/sd-card/sd-image-aarch64-installer.nix>

	# For nixpkgs cache
	<nixpkgs/nixos/modules/installer/cd-dvd/channel.nix>

	../profiles/common.nix
	../hardware/raspberry-pi.nix
	];

	sdImage.compressImage = false;
	sdImage.firmwareSize = 256; # larger default for future needs

	# NixOS wants to enable GRUB by default
	boot.loader.grub.enable = false;
	# Enables the generation of /boot/extlinux/extlinux.conf
	boot.loader.generic-extlinux-compatible.enable = true;

	# Networking
	networking = {
	# useDHCP = true;
	interfaces.eth0 = {
	useDHCP = true;
	# I used DHCP because sometimes I disconnect the LAN cable
	#ipv4.addresses = [{
	# address = "192.168.100.3";
	# prefixLength = 24;
	#}];
	};
	};
	}