@telent
Created May 1, 2024 23:12
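{ config, pkgs, lib, modulesPath, ... } :
# Liminix configuration for "lenscap": a small router whose WAN interface
# faces a switch and whose LAN interface faces an IP camera.  It takes an
# address on the WAN side by DHCP, serves DHCP/DNS to the camera on the LAN
# side, and forwards RTSP (tcp/554) arriving on the WAN interface to the
# camera.  Fixed here: resolv.conf was being truncated on every loop
# iteration, so only the last DNS server from the lease survived.
let
  inherit (pkgs.liminix.services) oneshot longrun bundle target;
  inherit (pkgs.pseudofile) dir symlink;
  inherit (pkgs) writeText dropbear ifwait serviceFns;
  # ssh public keys for root, kept outside this file
  sshkeys = import ../users/dan/authorized-keys.nix;
  svc = config.system.service;
in rec {
  boot = {
    tftp = {
      freeSpaceBytes = 3 * 1024 * 1024;
      serverip = "10.0.0.1";
      ipaddr = "10.0.0.8";
    };
  };

  imports = [
    "${modulesPath}/network"
    "${modulesPath}/vlan"
    "${modulesPath}/ssh"
    "${modulesPath}/firewall"
    "${modulesPath}/ntp"
    "${modulesPath}/watchdog"
    "${modulesPath}/dnsmasq"
  ];

  hostname = "lenscap"; # because what else do you call the thing covering the camera?

  # the WAN interface is plugged into my switch, the LAN
  # interface is plugged into the camera
  services.dhcpc =
    let iface = config.hardware.networkInterfaces.wan;
    in svc.network.dhcp.client.build {
      interface = iface;
      dependencies = [ config.services.hostname ];
    };

  # default route comes from the router option in the WAN lease
  services.defaultroute4 = svc.network.route.build {
    via = "$(output ${services.dhcpc} router)";
    target = "default";
    dependencies = [ services.dhcpc ];
  };

  services.sshd = svc.ssh.build { };

  # static address on the camera-facing interface
  services.int = svc.network.address.build {
    interface = config.hardware.networkInterfaces.lan;
    address = "10.2.3.1";
    prefixLength = 24;
    family = "inet";
  };

  services.dnsmasq = svc.dnsmasq.build {
    interface = services.int;
    ranges = [ "10.2.3.2,10.2.3.250" ];
    hosts.camera = {
      # NOTE(review): "gg:hh" are not hex digits, so this looks redacted;
      # dnsmasq needs the camera's real address here for the fixed lease
      mac = "00:14:06:ff:gg:hh";
      v4 = "10.2.3.79";
      leasetime = 86400;
    };
    domain = "cam";
  };

  services.watchdog = svc.watchdog.build {
    watched = with config.services; [ sshd dhcpc ];
  };

  # writes one "nameserver" line per DNS server handed out by the WAN lease
  # into this service's outputs; /etc/resolv.conf is symlinked to it below
  services.resolvconf = oneshot rec {
    dependencies = [ services.dhcpc ];
    name = "resolvconf";
    up = ''
      . ${serviceFns}
      ( in_outputs ${name}
        # truncate once, then append: ">" inside the loop overwrote the
        # file on each pass and kept only the last server
        : > resolv.conf
        for i in $(output ${services.dhcpc} dns); do
          echo "nameserver $i" >> resolv.conf
        done
      )
    '';
  };

  services.packet_forwarding = svc.network.forward.build { };

  # nat rules for reaching the camera's RTSP port from the switch side
  services.rtspforward = svc.firewall.build {
    rules = {
      # NOTE(review): the ingress interface is hard-coded as eth0.2 rather
      # than derived from config.hardware.networkInterfaces.wan, and no
      # source address is restricted, so any host that can reach eth0.2 can
      # reach the camera's RTSP port — confirm that is intended
      dnat = {
        type = "nat";
        hook = "prerouting";
        family = "ip";
        priority = "-100";
        policy = "accept";
        rules = [
          "iif eth0.2 tcp dport 554 dnat to 10.2.3.79"
        ];
      };
      # NOTE(review): a nat/postrouting chain only evaluates the first
      # packet of a connection, and for the forwarded flow that packet
      # carries dport 554, not sport 554 — this rule presumably never
      # matches.  If the camera needs to see the router as the source,
      # "tcp dport 554 masquerade" is the likely intent; left unchanged
      masq = {
        type = "nat";
        hook = "postrouting";
        family = "ip";
        priority = "-100";
        policy = "accept";
        rules = [
          "tcp sport 554 masquerade"
        ];
      };
    };
  };

  filesystem = dir {
    etc = dir {
      "resolv.conf" = symlink "${services.resolvconf}/.outputs/resolv.conf";
    };
  };

  users.root = {
    # mkpasswd -m sha512crypt
    passwd = "$6$Iu8gv5U[....]FYnnpLVe//";
    openssh.authorizedKeys.keys = sshkeys;
  };

  defaultProfile.packages = with pkgs; [
    nftables
    tcpdump
    # levitate built with a reduced service set (dhcpc, sshd, watchdog) and
    # the same root account as the main system
    (levitate.override {
      config = {
        services = {
          inherit (config.services) dhcpc sshd watchdog;
        };
        defaultProfile.packages = [ mtdutils ];
        users.root = config.users.root;
      };
    })
  ];
}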