Diffstat (limited to 'systems')
-rw-r--r--systems/atlas/default.nix53
-rw-r--r--systems/atlas/hardware-configuration.nix29
-rw-r--r--systems/atlas/miniflux.nix16
-rw-r--r--systems/atlas/nginx.nix46
-rw-r--r--systems/caroline/default.nix12
-rw-r--r--systems/common.nix78
-rw-r--r--systems/default.nix73
-rw-r--r--systems/glados-wsl/default.nix47
-rw-r--r--systems/glados/boot.nix25
-rw-r--r--systems/glados/default.nix69
-rw-r--r--systems/glados/hardware-configuration.nix72
-rw-r--r--systems/turret/default.nix38
-rw-r--r--systems/turret/files/etc/config/dhcp55
-rw-r--r--systems/turret/files/etc/config/dropbear5
-rw-r--r--systems/turret/files/etc/config/firewall189
-rw-r--r--systems/turret/files/etc/config/https-dns-proxy18
-rw-r--r--systems/turret/files/etc/config/luci41
-rw-r--r--systems/turret/files/etc/config/network29
-rw-r--r--systems/turret/files/etc/config/rpcd10
-rw-r--r--systems/turret/files/etc/config/system16
-rw-r--r--systems/turret/files/etc/config/ucitrack56
-rw-r--r--systems/turret/files/etc/config/uhttpd31
-rw-r--r--systems/turret/files/etc/config/wireless34
-rw-r--r--systems/turret/files/etc/dropbear/authorized_keys1
24 files changed, 1043 insertions, 0 deletions
diff --git a/systems/atlas/default.nix b/systems/atlas/default.nix
new file mode 100644
index 0000000..00bfab4
--- /dev/null
+++ b/systems/atlas/default.nix
@@ -0,0 +1,53 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ imports = [
+ ./hardware-configuration.nix
+ ./miniflux.nix
+ ./nginx.nix
+ ];
+
+ _module.args.nixinate = {
+ host = "atlas";
+ sshUser = "root";
+ buildOn = "remote";
+ substituteOnTarget = true;
+ hermetic = false;
+ };
+
+ boot = {
+ loader.systemd-boot.enable = true;
+ loader.efi.canTouchEfiVariables = true;
+ tmp.cleanOnBoot = true;
+ };
+
+ networking = {
+ domain = "mydadleft.me";
+ hostName = "atlas";
+ networkmanager.enable = false;
+ };
+
+ services = {
+ guzzle-api = {
+ enable = true;
+ domain = "api.${config.networking.domain}";
+ nginx = {
+ enableACME = true;
+ acmeRoot = null;
+ addSSL = true;
+ };
+ };
+
+ resolved.enable = false;
+ };
+
+ users.users.atlas = {
+ isNormalUser = true;
+ shell = pkgs.bash;
+ passwordFile = config.age.secrets.userPassword.path;
+ };
+
+ zramSwap.enable = true;
+}
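Review bot: `passwordFile = config.age.secrets.userPassword.path` reads a secret that no hunk in this commit declares — common.nix defines only `rootPassword` and `sethPassword` (and only in the `nixos` list, not the `server` list atlas is built from) and miniflux.nix defines `miniflux` — so evaluation fails on an undefined attribute unless `age.secrets.userPassword` comes from a module outside this diff. Whatever file ends up wired in must contain a password hash, because this option is written into the shadow entry as-is; a plaintext secret silently yields an unusable account rather than an error (on nixpkgs 23.11 and later the option is named `hashedPasswordFile`). Separately, `addSSL = true` here and in `commonSettings` of nginx.nix keeps serving plain HTTP alongside HTTPS; if the cloudflared tunnel is not the only ingress, `forceSSL = true` would redirect instead, so a comment stating which it is would help. `sshUser = "root"` for nixinate also deserves a one-line comment on why root login is required for `buildOn = "remote"` deploys, so the setting is not loosened or tightened casually.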
diff --git a/systems/atlas/hardware-configuration.nix b/systems/atlas/hardware-configuration.nix
new file mode 100644
index 0000000..00c6cd8
--- /dev/null
+++ b/systems/atlas/hardware-configuration.nix
@@ -0,0 +1,29 @@
+{modulesPath, ...}: {
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot = {
+ extraModulePackages = [];
+ kernelModules = [];
+
+ initrd = {
+ availableKernelModules = ["virtio_pci" "usbhid"];
+ kernelModules = [];
+ };
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-uuid/f0c84809-83f5-414b-a973-496d25d74c6d";
+ fsType = "ext4";
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-uuid/A253-0826";
+ fsType = "vfat";
+ };
+ };
+
+ swapDevices = [];
+}
diff --git a/systems/atlas/miniflux.nix b/systems/atlas/miniflux.nix
new file mode 100644
index 0000000..df1c761
--- /dev/null
+++ b/systems/atlas/miniflux.nix
@@ -0,0 +1,16 @@
+{config, ...}: {
+ config = {
+ age.secrets = {
+ miniflux.file = ../../secrets/systems/${config.networking.hostName}/miniflux.age;
+ };
+
+ services.miniflux = {
+ enable = true;
+ adminCredentialsFile = config.age.secrets.miniflux.path;
+ config = {
+ BASE_URL = "https://miniflux.${config.networking.domain}";
+ LISTEN_ADDR = "localhost:7000";
+ };
+ };
+ };
+}
diff --git a/systems/atlas/nginx.nix b/systems/atlas/nginx.nix
new file mode 100644
index 0000000..6cdd793
--- /dev/null
+++ b/systems/atlas/nginx.nix
@@ -0,0 +1,46 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (config.networking) domain;
+
+ mkProxy = endpoint: port: {
+ "${endpoint}" = {
+ proxyPass = "http://localhost:${toString port}";
+ proxyWebsockets = true;
+ };
+ };
+
+ mkVHosts = let
+ commonSettings = {
+ enableACME = true;
+ # workaround for https://github.com/NixOS/nixpkgs/issues/210807
+ acmeRoot = null;
+
+ addSSL = true;
+ };
+ in
+ lib.mapAttrs (_: lib.recursiveUpdate commonSettings);
+in {
+ server.services.cloudflared.enable = true;
+
+ services.nginx = {
+ enable = true;
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts = mkVHosts {
+ "miniflux.${domain}" = {
+ locations = mkProxy "/" "7000";
+ };
+
+ "msix.${domain}" = {
+ root = "/var/www/msix";
+ };
+ };
+ };
+}
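Review bot: `mkProxy` takes `port` and applies `toString`, yet its only call passes the string `"7000"`, so the helper's contract is unclear and the value duplicates `LISTEN_ADDR = "localhost:7000"` in miniflux.nix, which can drift silently. Either pass the integer (`locations = mkProxy "/" 7000;`) or derive the upstream from the miniflux option so there is one source of truth. `proxyWebsockets = true` is applied to every proxied location by the helper; a short comment on `mkProxy` saying that is deliberate would save the next reader a check. The `msix.${domain}` vhost serves `/var/www/msix`, but nothing in this diff creates that directory or sets its ownership, so note where it is expected to come from.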
diff --git a/systems/caroline/default.nix b/systems/caroline/default.nix
new file mode 100644
index 0000000..ae09dca
--- /dev/null
+++ b/systems/caroline/default.nix
@@ -0,0 +1,12 @@
+{
+ homebrew.casks = ["altserver"];
+
+ networking = rec {
+ computerName = "caroline";
+ hostName = computerName;
+ };
+
+ nix.settings.trusted-users = ["seth"];
+
+ services.tailscale.enable = true;
+}
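Review bot: `nix.settings.trusted-users = ["seth"]` grants that account the ability to override daemon settings such as substituters and sandboxing, which is effectively root on the Nix store; a one-line comment recording that this is the single admin account on this host would make the grant reviewable later. The remaining lines are host naming and Tailscale enablement and need nothing.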
diff --git a/systems/common.nix b/systems/common.nix
new file mode 100644
index 0000000..8bd29cb
--- /dev/null
+++ b/systems/common.nix
@@ -0,0 +1,78 @@
+{
+ inputs,
+ self,
+}: let
+ hmSetup = {
+ imports = [
+ ../users/seth/system.nix
+ ];
+
+ home-manager = {
+ useGlobalPkgs = true;
+ useUserPackages = true;
+ extraSpecialArgs = {inherit inputs self;};
+ };
+ };
+in {
+ nixos =
+ (with inputs; [
+ agenix.nixosModules.default
+ catppuccin.nixosModules.catppuccin
+ hm.nixosModules.home-manager
+ nur.nixosModules.nur
+ ])
+ ++ [
+ self.nixosModules.default
+ self.nixosModules.hardware
+
+ hmSetup
+
+ {
+ age = {
+ identityPaths = ["/etc/age/key"];
+ secrets = let
+ baseDir = ../secrets/shared;
+ in {
+ rootPassword.file = "${baseDir}/rootPassword.age";
+ sethPassword.file = "${baseDir}/sethPassword.age";
+ };
+ };
+
+ system.stateVersion = "23.11";
+ }
+ ];
+
+ darwin = [
+ inputs.hm.darwinModules.home-manager
+ self.darwinModules.default
+ self.darwinModules.desktop
+
+ hmSetup
+
+ {
+ home-manager.users.seth = {
+ desktop.enable = true;
+ };
+
+ system.stateVersion = 4;
+ }
+ ];
+
+ server = [
+ inputs.agenix.nixosModules.default
+ self.nixosModules.default
+ self.nixosModules.server
+ self.nixosModules.services
+ ../modules/nixos/features/tailscale.nix
+
+ {
+ features.tailscale = {
+ enable = true;
+ ssh.enable = true;
+ };
+
+ nix.registry.n.flake = inputs.nixpkgs-stable;
+ system.stateVersion = "23.05";
+ }
+ ];
+}
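Review bot: `age.identityPaths = ["/etc/age/key"]` and the shared password secrets are set only in the `nixos` module list, so the `server` list (used by atlas) leaves agenix on its default identity paths and declares no `age.secrets`, although atlas/default.nix and miniflux.nix read `config.age.secrets.*`. If that asymmetry is intentional, a comment on the `server` list naming which identity the server hosts decrypt with, and where their secrets are declared, would avoid a surprise at first deploy. `features.tailscale.ssh.enable = true` on every server is also worth a comment on what the project's tailscale feature does with it, since together with nixinate's root SSH it is the only remote-access path visible here.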
diff --git a/systems/default.nix b/systems/default.nix
new file mode 100644
index 0000000..6807a71
--- /dev/null
+++ b/systems/default.nix
@@ -0,0 +1,73 @@
+{
+ lib,
+ inputs,
+ self,
+ withSystem,
+ ...
+}: let
+ /*
+ basic nixosSystem/darwinSystem wrapper; can override
+ the exact builder by supplying an argument
+ */
+ mapSystems = builder:
+ lib.mapAttrs (name: args:
+ (args.builder or builder) (
+ (lib.filterAttrs (n: _: n != "builder") args) # use builder but don't include it in output
+ // {
+ modules = args.modules ++ [./${name}];
+ specialArgs = {inherit inputs self;};
+ }
+ ));
+
+ mapDarwin = mapSystems inputs.darwin.lib.darwinSystem;
+ mapNixOS = mapSystems inputs.nixpkgs.lib.nixosSystem;
+ inherit (import ./common.nix {inherit inputs self;}) darwin nixos server;
+in {
+ flake = {
+ darwinConfigurations = mapDarwin {
+ caroline = {
+ system = "x86_64-darwin";
+ modules = darwin;
+ };
+ };
+
+ nixosConfigurations = mapNixOS {
+ glados = {
+ system = "x86_64-linux";
+ modules =
+ [
+ inputs.lanzaboote.nixosModules.lanzaboote
+ ]
+ ++ nixos;
+ };
+
+ glados-wsl = {
+ system = "x86_64-linux";
+ modules =
+ [
+ inputs.nixos-wsl.nixosModules.wsl
+ ]
+ ++ nixos;
+ };
+
+ atlas = {
+ builder = inputs.nixpkgs-stable.lib.nixosSystem;
+ system = "aarch64-linux";
+ modules =
+ [
+ inputs.guzzle_api.nixosModules.default
+ ]
+ ++ server;
+ };
+ };
+
+ openwrtConfigurations.turret = withSystem "x86_64-linux" ({pkgs, ...}:
+ pkgs.callPackage ./turret {
+ inherit (inputs) openwrt-imagebuilder;
+ });
+ };
+
+ perSystem = {system, ...}: {
+ apps = (inputs.nixinate.nixinate.${system} self).nixinate;
+ };
+}
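Review bot: `lib.filterAttrs (n: _: n != "builder") args` is the long form of `builtins.removeAttrs args ["builder"]`, and the following `//` silently replaces any `specialArgs` a host definition might pass, so a host-specific `specialArgs` would be dropped without error. Consider `removeAttrs args ["builder"] // { modules = args.modules ++ [./${name}]; specialArgs = (args.specialArgs or {}) // {inherit inputs self;}; }` so the wrapper merges rather than clobbers. The doc comment above `mapSystems` could also state that `modules` is required and that `./${name}` is appended after the shared lists, which is the only thing the wrapper adds beyond the builder choice.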
diff --git a/systems/glados-wsl/default.nix b/systems/glados-wsl/default.nix
new file mode 100644
index 0000000..910e65d
--- /dev/null
+++ b/systems/glados-wsl/default.nix
@@ -0,0 +1,47 @@
+{
+ lib,
+ modulesPath,
+ pkgs,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/profiles/minimal.nix")
+ ../../modules/nixos/features/tailscale.nix
+ ];
+
+ environment = {
+ noXlibs = lib.mkForce false;
+ systemPackages = with pkgs; [
+ wslu
+ ];
+ };
+
+ features.tailscale.enable = true;
+
+ wsl = {
+ enable = true;
+ defaultUser = "seth";
+ nativeSystemd = true;
+ wslConf.network = {
+ hostname = "glados-wsl";
+ generateResolvConf = true;
+ };
+ startMenuLaunchers = false;
+ interop.includePath = false;
+ };
+
+ services.dbus.apparmor = "disabled";
+
+ networking = {
+ hostName = "glados-wsl";
+ networkmanager.enable = false;
+ };
+
+ security = {
+ apparmor.enable = false;
+ audit.enable = false;
+ auditd.enable = false;
+ };
+
+ services.resolved.enable = false;
+}
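Review bot: The `security` block switches off AppArmor, `audit` and `auditd` and sets `services.dbus.apparmor = "disabled"` with no comment on why; on WSL this is presumably because the distribution kernel lacks the LSM/audit support, but a reader cannot tell that from the hunk, and these are the host's only confinement and audit-trail features. A short comment such as `# WSL kernel ships without AppArmor/audit support; keep disabled to avoid unit failures` would document the trade-off and make the lines an obvious candidate to revisit if the kernel changes. `services.resolved.enable = false` together with `wslConf.network.generateResolvConf = true` is consistent but likewise worth a one-liner.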
diff --git a/systems/glados/boot.nix b/systems/glados/boot.nix
new file mode 100644
index 0000000..4a9af4e
--- /dev/null
+++ b/systems/glados/boot.nix
@@ -0,0 +1,25 @@
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ environment.systemPackages = with pkgs; [
+ sbctl
+ tpm2-tss
+ ];
+
+ boot = {
+ initrd.systemd.enable = true;
+ kernelPackages = pkgs.linuxPackages_latest;
+
+ bootspec.enable = true;
+ loader.systemd-boot.enable = lib.mkForce false;
+
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+ };
+
+ supportedFilesystems = ["btrfs" "ntfs"];
+ };
+}
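Review bot: `loader.systemd-boot.enable = lib.mkForce false` needs a comment: lanzaboote installs its own signed stub in place of systemd-boot, and a future reader who re-enables the loader here would break the Secure Boot chain without a build error. Suggest `# lanzaboote replaces systemd-boot; signing keys live in pkiBundle` above it, plus a note that `/etc/secureboot` must already hold keys (e.g. from `sbctl create-keys`) before the first switch, because the build cannot check that path. `kernelPackages = pkgs.linuxPackages_latest` is a rolling choice that re-signs the chain on every kernel bump, which is fine but worth stating next to the lanzaboote block.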
diff --git a/systems/glados/default.nix b/systems/glados/default.nix
new file mode 100644
index 0000000..e5a275a
--- /dev/null
+++ b/systems/glados/default.nix
@@ -0,0 +1,69 @@
+{
+ lib,
+ self,
+ ...
+}: {
+ imports = [
+ ./boot.nix
+ ./hardware-configuration.nix
+ ../../modules/nixos/features/tailscale.nix
+ ../../modules/nixos/features/virtualisation.nix
+ self.nixosModules.desktop
+ self.nixosModules.gnome
+ ];
+
+ boot = {
+ kernelParams = ["amd_pstate=active"];
+ kernel.sysctl = {
+ "vm.swappiness" = 100;
+ "vm.vfs_cache_pressure" = 500;
+ "vm.dirty_background_ratio" = 1;
+ "vm.dirty_ratio" = 50;
+ };
+ };
+
+ features = {
+ tailscale.enable = true;
+ virtualisation.enable = true;
+ };
+
+ hardware = {
+ nvidia.enable = true;
+ ssd.enable = true;
+ };
+
+ home-manager.users.seth = {
+ desktop.enable = true;
+ };
+
+ networking.hostName = "glados";
+
+ security.tpm2 = {
+ enable = true;
+ abrmd.enable = true;
+ };
+
+ services = {
+ flatpak.enable = true;
+ fwupd.enable = true;
+ };
+
+ systemd = {
+ services."prepare-kexec".wantedBy = ["multi-user.target"];
+ tmpfiles.rules = let
+ nproc = 12;
+ in
+ builtins.map
+ (n: "w /sys/devices/system/cpu/cpu${builtins.toString n}/cpufreq/energy_performance_preference - - - - ${"balance_performance"}")
+ (lib.range 0 (nproc - 1));
+ };
+
+ powerManagement.cpuFreqGovernor = "powersave";
+
+ zramSwap = {
+ enable = true;
+ algorithm = "zstd";
+ swapDevices = 1;
+ memoryPercent = 50;
+ };
+}
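Review bot: The `tmpfiles.rules` expression hard-codes `nproc = 12` and interpolates a literal, `${"balance_performance"}`, which reads as leftover templating; inline the string and comment the count, e.g. `nproc = 12; # logical CPUs on this machine; update on hardware change`, and `map`/`toString` can replace the `builtins.` forms used elsewhere in the file. `services."prepare-kexec".wantedBy = ["multi-user.target"]` loads the running kernel for kexec at every boot; with Secure Boot via lanzaboote in boot.nix, kernel lockdown may refuse an unsigned kexec image, so confirm the unit actually succeeds on this host and comment the intent either way. The `vm.*` sysctls are aggressive (swappiness 100, vfs_cache_pressure 500) and pair with the zram block below; one comment tying them together would explain why they differ from defaults.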
diff --git a/systems/glados/hardware-configuration.nix b/systems/glados/hardware-configuration.nix
new file mode 100644
index 0000000..a7ff9e9
--- /dev/null
+++ b/systems/glados/hardware-configuration.nix
@@ -0,0 +1,72 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot = {
+ extraModulePackages = [];
+ kernelModules = ["kvm-amd"];
+
+ initrd = {
+ availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod"];
+ kernelModules = [];
+
+ luks.devices."cryptroot" = {
+ device = "/dev/disk/by-uuid/bbbc1f37-53f5-4776-a70e-f2779179de50";
+ allowDiscards = true;
+ crypttabExtraOpts = ["tpm2-device=auto"];
+ };
+ };
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/mapper/cryptroot";
+ fsType = "btrfs";
+ options = ["subvol=root" "compress=zstd" "noatime"];
+ };
+
+ "/var/log" = {
+ device = "/dev/mapper/cryptroot";
+ fsType = "btrfs";
+ options = ["subvol=var_log" "compress=zstd" "noatime"];
+ };
+
+ "/nix" = {
+ device = "/dev/mapper/cryptroot";
+ fsType = "btrfs";
+ options = ["subvol=nix" "compress=zstd" "noatime" "nodatacow"];
+ };
+
+ "/home" = {
+ device = "/dev/mapper/cryptroot";
+ fsType = "btrfs";
+ options = ["subvol=home" "compress=zstd" "noatime"];
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-uuid/B95B-9412";
+ fsType = "vfat";
+ };
+ };
+
+ swapDevices = [];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/systems/turret/default.nix b/systems/turret/default.nix
new file mode 100644
index 0000000..faac3d2
--- /dev/null
+++ b/systems/turret/default.nix
@@ -0,0 +1,38 @@
+{
+ pkgs,
+ openwrt-imagebuilder,
+ ...
+}: let
+ inherit (pkgs) runCommand;
+ inherit (pkgs.stdenv) mkDerivation;
+ inherit (openwrt-imagebuilder.lib) build profiles;
+ wrtProfiles = profiles {
+ inherit pkgs;
+ release = "22.03.3";
+ };
+ config = mkDerivation {
+ name = "openwrt-config-files";
+ src = ./files;
+ installPhase = ''
+ mkdir -p $out
+ cp -r * $out/
+ '';
+ };
+ image =
+ wrtProfiles.identifyProfile "netgear_wac104"
+ // {
+ packages = ["https-dns-proxy"];
+
+ files = runCommand "image-files" {} ''
+ mkdir -p $out/etc/uci-defaults
+ cat > $out/etc/uci-defaults/99-custom <<EOF
+ uci -q batch << EOI
+ set system.@system[0].hostname='turret'
+ commit
+ EOI
+ EOF
+ cp -fr ${config}/etc/* $out/etc/
+ '';
+ };
+in
+ build image
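Review bot: `release = "22.03.3"` pins the image builder to one OpenWrt point release with no comment on the policy for bumping it; router security fixes only arrive in newer point releases, so a note on how this is kept current (or a pointer to the flake input that tracks it) would help. The uci-defaults heredoc sets `system.@system[0].hostname='turret'`, which duplicates `option hostname 'turret'` in files/etc/config/system that the next line copies in; one of the two can go. `cp -fr ${config}/etc/* $out/etc/` copies the checked-in config directory verbatim, so any placeholder in those files ships in the image unchanged — worth a comment on that line so the files directory is treated as production config.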
diff --git a/systems/turret/files/etc/config/dhcp b/systems/turret/files/etc/config/dhcp
new file mode 100644
index 0000000..4a471cf
--- /dev/null
+++ b/systems/turret/files/etc/config/dhcp
@@ -0,0 +1,55 @@
+
+config dnsmasq
+ option domainneeded '1'
+ option boguspriv '1'
+ option filterwin2k '0'
+ option localise_queries '1'
+ option rebind_protection '1'
+ option rebind_localhost '1'
+ option local '/lan/'
+ option domain 'lan'
+ option expandhosts '1'
+ option nonegcache '0'
+ option authoritative '1'
+ option readethers '1'
+ option leasefile '/tmp/dhcp.leases'
+ option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
+ option nonwildcard '1'
+ option localservice '1'
+ option ednspacket_max '1232'
+ option doh_backup_noresolv '-1'
+ option noresolv '1'
+ list doh_backup_server ''
+ list doh_backup_server '/mask.icloud.com/'
+ list doh_backup_server '/mask-h2.icloud.com/'
+ list doh_backup_server '/use-application-dns.net/'
+ list doh_backup_server '127.0.0.1#5054'
+ list doh_backup_server '127.0.0.1#5053'
+ list server '/mask.icloud.com/'
+ list server '/mask-h2.icloud.com/'
+ list server '/use-application-dns.net/'
+ list server '127.0.0.1#5054'
+ list server '127.0.0.1#5053'
+
+config dhcp 'lan'
+ option interface 'lan'
+ option start '100'
+ option limit '150'
+ option leasetime '12h'
+ option dhcpv4 'server'
+ option dhcpv6 'server'
+ option ra 'server'
+ option ra_slaac '1'
+ list ra_flags 'managed-config'
+ list ra_flags 'other-config'
+
+config dhcp 'wan'
+ option interface 'wan'
+ option ignore '1'
+
+config odhcpd 'odhcpd'
+ option maindhcp '0'
+ option leasefile '/tmp/hosts/odhcpd'
+ option leasetrigger '/usr/sbin/odhcpd-update'
+ option loglevel '4'
+
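Review bot: `list server '127.0.0.1#5053'` (and its `doh_backup_server` twin) points dnsmasq at a second local resolver, but the https-dns-proxy hunk configures only one instance, on `listen_port '5054'`; unless something outside this diff listens on 5053, dnsmasq will keep retrying a dead upstream and every query rides on the single 5054 instance. Either drop the 5053 entries or add a second `config https-dns-proxy` section for it. The `doh_backup_noresolv` / `doh_backup_server` options look like https-dns-proxy's runtime backup of the pre-override dnsmasq settings (it rewrites this file because `dnsmasq_config_update '*'` is set), so committing them means a later restore puts back already-modified values; the file is cleaner with only the intended `noresolv`/`server` lines and the proxy regenerating the rest at boot. The `/mask.icloud.com/` and `/mask-h2.icloud.com/` entries appear to be the iCloud Private Relay canary-domain block while the proxy's own `canary_domains_icloud` is `'0'`, so the two look out of sync.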
diff --git a/systems/turret/files/etc/config/dropbear b/systems/turret/files/etc/config/dropbear
new file mode 100644
index 0000000..2139ba0
--- /dev/null
+++ b/systems/turret/files/etc/config/dropbear
@@ -0,0 +1,5 @@
+config dropbear
+ option PasswordAuth 'on'
+ option RootPasswordAuth 'on'
+ option Port '22'
+# option BannerFile '/etc/banner'
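Review bot: `option PasswordAuth 'on'` and `option RootPasswordAuth 'on'` keep password login to root enabled even though the commit also ships `/etc/dropbear/authorized_keys` with an ed25519 key, so the key does not reduce the attack surface at all. With the key baked into the image, set `option PasswordAuth 'off'` and `option RootPasswordAuth 'off'` (LuCI and the serial console remain as recovery paths), or comment why password auth must stay on. Nothing here restricts the listener to the LAN side beyond the firewall's `wan` input REJECT; `option Interface 'lan'` would make that intent explicit rather than relying on the firewall hunk.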
diff --git a/systems/turret/files/etc/config/firewall b/systems/turret/files/etc/config/firewall
new file mode 100644
index 0000000..b9a4647
--- /dev/null
+++ b/systems/turret/files/etc/config/firewall
@@ -0,0 +1,189 @@
+config defaults
+ option syn_flood 1
+ option input ACCEPT
+ option output ACCEPT
+ option forward REJECT
+# Uncomment this line to disable ipv6 rules
+# option disable_ipv6 1
+
+config zone
+ option name lan
+ list network 'lan'
+ option input ACCEPT
+ option output ACCEPT
+ option forward ACCEPT
+
+config zone
+ option name wan
+ list network 'wan'
+ list network 'wan6'
+ option input REJECT
+ option output ACCEPT
+ option forward REJECT
+ option masq 1
+ option mtu_fix 1
+
+config forwarding
+ option src lan
+ option dest wan
+
+# We need to accept udp packets on port 68,
+# see https://dev.openwrt.org/ticket/4108
+config rule
+ option name Allow-DHCP-Renew
+ option src wan
+ option proto udp
+ option dest_port 68
+ option target ACCEPT
+ option family ipv4
+
+# Allow IPv4 ping
+config rule
+ option name Allow-Ping
+ option src wan
+ option proto icmp
+ option icmp_type echo-request
+ option family ipv4
+ option target ACCEPT
+
+config rule
+ option name Allow-IGMP
+ option src wan
+ option proto igmp
+ option family ipv4
+ option target ACCEPT
+
+# Allow DHCPv6 replies
+# see https://github.com/openwrt/openwrt/issues/5066
+config rule
+ option name Allow-DHCPv6
+ option src wan
+ option proto udp
+ option dest_port 546
+ option family ipv6
+ option target ACCEPT
+
+config rule
+ option name Allow-MLD
+ option src wan
+ option proto icmp
+ option src_ip fe80::/10
+ list icmp_type '130/0'
+ list icmp_type '131/0'
+ list icmp_type '132/0'
+ list icmp_type '143/0'
+ option family ipv6
+ option target ACCEPT
+
+# Allow essential incoming IPv6 ICMP traffic
+config rule
+ option name Allow-ICMPv6-Input
+ option src wan
+ option proto icmp
+ list icmp_type echo-request
+ list icmp_type echo-reply
+ list icmp_type destination-unreachable
+ list icmp_type packet-too-big
+ list icmp_type time-exceeded
+ list icmp_type bad-header
+ list icmp_type unknown-header-type
+ list icmp_type router-solicitation
+ list icmp_type neighbour-solicitation
+ list icmp_type router-advertisement
+ list icmp_type neighbour-advertisement
+ option limit 1000/sec
+ option family ipv6
+ option target ACCEPT
+
+# Allow essential forwarded IPv6 ICMP traffic
+config rule
+ option name Allow-ICMPv6-Forward
+ option src wan
+ option dest *
+ option proto icmp
+ list icmp_type echo-request
+ list icmp_type echo-reply
+ list icmp_type destination-unreachable
+ list icmp_type packet-too-big
+ list icmp_type time-exceeded
+ list icmp_type bad-header
+ list icmp_type unknown-header-type
+ option limit 1000/sec
+ option family ipv6
+ option target ACCEPT
+
+config rule
+ option name Allow-IPSec-ESP
+ option src wan
+ option dest lan
+ option proto esp
+ option target ACCEPT
+
+config rule
+ option name Allow-ISAKMP
+ option src wan
+ option dest lan
+ option dest_port 500
+ option proto udp
+ option target ACCEPT
+
+
+### EXAMPLE CONFIG SECTIONS
+# do not allow a specific ip to access wan
+#config rule
+# option src lan
+# option src_ip 192.168.45.2
+# option dest wan
+# option proto tcp
+# option target REJECT
+
+# block a specific mac on wan
+#config rule
+# option dest wan
+# option src_mac 00:11:22:33:44:66
+# option target REJECT
+
+# block incoming ICMP traffic on a zone
+#config rule
+# option src lan
+# option proto ICMP
+# option target DROP
+
+# port redirect port coming in on wan to lan
+#config redirect
+# option src wan
+# option src_dport 80
+# option dest lan
+# option dest_ip 192.168.16.235
+# option dest_port 80
+# option proto tcp
+
+# port redirect of remapped ssh port (22001) on wan
+#config redirect
+# option src wan
+# option src_dport 22001
+# option dest lan
+# option dest_port 22
+# option proto tcp
+
+### FULL CONFIG SECTIONS
+#config rule
+# option src lan
+# option src_ip 192.168.45.2
+# option src_mac 00:11:22:33:44:55
+# option src_port 80
+# option dest wan
+# option dest_ip 194.25.2.129
+# option dest_port 120
+# option proto tcp
+# option target REJECT
+
+#config redirect
+# option src lan
+# option src_ip 192.168.45.2
+# option src_mac 00:11:22:33:44:55
+# option src_port 1024
+# option src_dport 80
+# option dest_ip 194.25.2.129
+# option dest_port 120
+# option proto tcp
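Review bot: This is the stock OpenWrt firewall, including `Allow-IPSec-ESP` and `Allow-ISAKMP`, which admit ESP and UDP/500 from `wan` into `lan`; nothing else in this commit sets up IPsec, so those two rules are exposure without a consumer and can be removed or kept with `option enabled '0'` until needed. The `### EXAMPLE CONFIG SECTIONS` block (roughly sixty commented lines) is upstream boilerplate and could be trimmed so the reviewed surface is only what the router actually enforces. Note that the `lan` zone accepts input unconditionally, which is what lets the password-enabled dropbear and cleartext LuCI in the other hunks be reached by any LAN client.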
diff --git a/systems/turret/files/etc/config/https-dns-proxy b/systems/turret/files/etc/config/https-dns-proxy
new file mode 100644
index 0000000..e5623ad
--- /dev/null
+++ b/systems/turret/files/etc/config/https-dns-proxy
@@ -0,0 +1,18 @@
+
+config main 'config'
+ option dnsmasq_config_update '*'
+ list force_dns_port '53'
+ list force_dns_port '853'
+ option procd_trigger_wan6 '0'
+ option canary_domains_icloud '0'
+ option canary_domains_mozilla '0'
+ option force_dns '0'
+
+config https-dns-proxy
+ option bootstrap_dns '1.1.1.1,1.0.0.1'
+ option resolver_url 'https://cloudflare-dns.com/dns-query'
+ option listen_addr '127.0.0.1'
+ option listen_port '5054'
+ option user 'nobody'
+ option group 'nogroup'
+
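Review bot: `option force_dns '0'` means any LAN client that sets its own resolver bypasses the DoH path entirely, and the `list force_dns_port '53'`/`'853'` entries are inert with it off; if the aim of this hunk is that all DNS leaves the router over HTTPS, set `option force_dns '1'` so outbound plain DNS and DoT on those ports is redirected to the router, otherwise add a comment that client opt-out is intended. `bootstrap_dns '1.1.1.1,1.0.0.1'` is only used to resolve `cloudflare-dns.com` before the proxy is up; a one-line comment would keep it from being mistaken for the resolver itself. Running the proxy as `nobody`/`nogroup` is the right default and worth leaving as is.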
diff --git a/systems/turret/files/etc/config/luci b/systems/turret/files/etc/config/luci
new file mode 100644
index 0000000..8eb8a9b
--- /dev/null
+++ b/systems/turret/files/etc/config/luci
@@ -0,0 +1,41 @@
+
+config core 'main'
+ option lang 'auto'
+ option mediaurlbase '/luci-static/bootstrap'
+ option resourcebase '/luci-static/resources'
+ option ubuspath '/ubus/'
+
+config extern 'flash_keep'
+ option uci '/etc/config/'
+ option dropbear '/etc/dropbear/'
+ option openvpn '/etc/openvpn/'
+ option passwd '/etc/passwd'
+ option opkg '/etc/opkg.conf'
+ option firewall '/etc/firewall.user'
+ option uploads '/lib/uci/upload/'
+
+config internal 'languages'
+
+config internal 'sauth'
+ option sessionpath '/tmp/luci-sessions'
+ option sessiontime '3600'
+
+config internal 'ccache'
+ option enable '1'
+
+config internal 'themes'
+ option Bootstrap '/luci-static/bootstrap'
+ option BootstrapDark '/luci-static/bootstrap-dark'
+ option BootstrapLight '/luci-static/bootstrap-light'
+
+config internal 'apply'
+ option rollback '90'
+ option holdoff '4'
+ option timeout '5'
+ option display '1.5'
+
+config internal 'diag'
+ option dns 'openwrt.org'
+ option ping 'openwrt.org'
+ option route 'openwrt.org'
+
diff --git a/systems/turret/files/etc/config/network b/systems/turret/files/etc/config/network
new file mode 100644
index 0000000..c71cf98
--- /dev/null
+++ b/systems/turret/files/etc/config/network
@@ -0,0 +1,29 @@
+
+config interface 'loopback'
+ option device 'lo'
+ option proto 'static'
+ option ipaddr '127.0.0.1'
+ option netmask '255.0.0.0'
+
+config globals 'globals'
+ option packet_steering '1'
+ option ula_prefix 'fd26:3166:dece::/48'
+
+config device
+ option name 'br-lan'
+ option type 'bridge'
+ list ports 'lan2'
+ list ports 'lan3'
+ list ports 'lan4'
+
+config interface 'lan'
+ option device 'br-lan'
+ option proto 'static'
+ option ipaddr '192.168.1.1'
+ option netmask '255.255.255.0'
+ option ip6assign '60'
+
+config interface 'wan'
+ option device 'lan1'
+ option proto 'dhcp'
+
diff --git a/systems/turret/files/etc/config/rpcd b/systems/turret/files/etc/config/rpcd
new file mode 100644
index 0000000..176c643
--- /dev/null
+++ b/systems/turret/files/etc/config/rpcd
@@ -0,0 +1,10 @@
+config rpcd
+ option socket /var/run/ubus/ubus.sock
+ option timeout 30
+
+config login
+ option username 'root'
+ option password '$p$root'
+ list read '*'
+ list write '*'
+
diff --git a/systems/turret/files/etc/config/system b/systems/turret/files/etc/config/system
new file mode 100644
index 0000000..ee3415f
--- /dev/null
+++ b/systems/turret/files/etc/config/system
@@ -0,0 +1,16 @@
+
+config system
+ option hostname 'turret'
+ option timezone 'UTC'
+ option ttylogin '0'
+ option log_size '64'
+ option urandom_seed '0'
+ option compat_version '1.1'
+
+config timeserver 'ntp'
+ option enabled '1'
+ option enable_server '0'
+ list server '0.openwrt.pool.ntp.org'
+ list server '1.openwrt.pool.ntp.org'
+ list server '2.openwrt.pool.ntp.org'
+ list server '3.openwrt.pool.ntp.org'
diff --git a/systems/turret/files/etc/config/ucitrack b/systems/turret/files/etc/config/ucitrack
new file mode 100644
index 0000000..bb4cdbc
--- /dev/null
+++ b/systems/turret/files/etc/config/ucitrack
@@ -0,0 +1,56 @@
+config network
+ option init network
+ list affects dhcp
+
+config wireless
+ list affects network
+
+config firewall
+ option init firewall
+ list affects luci-splash
+ list affects qos
+ list affects miniupnpd
+
+config olsr
+ option init olsrd
+
+config dhcp
+ option init dnsmasq
+ list affects odhcpd
+
+config odhcpd
+ option init odhcpd
+
+config dropbear
+ option init dropbear
+
+config httpd
+ option init httpd
+
+config fstab
+ option exec '/sbin/block mount'
+
+config qos
+ option init qos
+
+config system
+ option init led
+ option exec '/etc/init.d/log reload'
+ list affects luci_statistics
+ list affects dhcp
+
+config luci_splash
+ option init luci_splash
+
+config upnpd
+ option init miniupnpd
+
+config ntpclient
+ option init ntpclient
+
+config samba
+ option init samba
+
+config tinyproxy
+ option init tinyproxy
+
diff --git a/systems/turret/files/etc/config/uhttpd b/systems/turret/files/etc/config/uhttpd
new file mode 100644
index 0000000..cb2ff71
--- /dev/null
+++ b/systems/turret/files/etc/config/uhttpd
@@ -0,0 +1,31 @@
+
+config uhttpd 'main'
+ list listen_http '0.0.0.0:80'
+ list listen_http '[::]:80'
+ list listen_https '0.0.0.0:443'
+ list listen_https '[::]:443'
+ option redirect_https '0'
+ option home '/www'
+ option rfc1918_filter '1'
+ option max_requests '3'
+ option max_connections '100'
+ option cert '/etc/uhttpd.crt'
+ option key '/etc/uhttpd.key'
+ option cgi_prefix '/cgi-bin'
+ list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
+ option script_timeout '60'
+ option network_timeout '30'
+ option http_keepalive '20'
+ option tcp_keepalive '1'
+ option ubus_prefix '/ubus'
+
+config cert 'defaults'
+ option days '730'
+ option key_type 'ec'
+ option bits '2048'
+ option ec_curve 'P-256'
+ option country 'ZZ'
+ option state 'Somewhere'
+ option location 'Unknown'
+ option commonname 'OpenWrt'
+
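Review bot: `option redirect_https '0'` together with `listen_http '0.0.0.0:80'` means LuCI logins — the root password, the same credential rpcd exposes via `$p$root` — are accepted over cleartext HTTP on every address. Set `option redirect_https '1'` so port 80 only redirects, and either keep the self-signed `config cert 'defaults'` (clients accept it once) or provision a real pair at `/etc/uhttpd.crt`/`/etc/uhttpd.key`. `rfc1918_filter '1'` is a DNS-rebinding guard, not transport protection, and the firewall's wan REJECT limits this to the LAN, which is still where the password would travel.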
diff --git a/systems/turret/files/etc/config/wireless b/systems/turret/files/etc/config/wireless
new file mode 100644
index 0000000..c8bb9d7
--- /dev/null
+++ b/systems/turret/files/etc/config/wireless
@@ -0,0 +1,34 @@
+
+config wifi-device 'radio0'
+ option type 'mac80211'
+ option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
+ option band '2g'
+ option disabled '0'
+ option htmode 'HT40'
+ option channel '1'
+ option cell_density '0'
+
+config wifi-iface 'default_radio0'
+ option device 'radio0'
+ option network 'lan'
+ option mode 'ap'
+ option ssid 'Box-2.4G'
+ option encryption 'psk2'
+ option key 'REPLACEME'
+
+config wifi-device 'radio1'
+ option type 'mac80211'
+ option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
+ option band '5g'
+ option disabled '0'
+ option htmode 'VHT40'
+ option channel '36'
+ option cell_density '0'
+
+config wifi-iface 'default_radio1'
+ option device 'radio1'
+ option network 'lan'
+ option mode 'ap'
+ option ssid 'Box-5G'
+ option key 'REPLACEME'
+ option encryption 'psk2'
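Review bot: Both `wifi-iface` sections ship `option key 'REPLACEME'` while their radios are `option disabled '0'`, and turret/default.nix copies `files/etc/*` into the image verbatim with no substitution step, so the built image would bring up `Box-2.4G` and `Box-5G` with the literal passphrase `REPLACEME` (nine characters, which psk2 accepts). Keep the committed radios at `option disabled '1'` and set the real key plus `disabled '0'` from the uci-defaults script out of a secret, so an image built without the secret fails closed instead of open. A comment on each `key` line stating where the real value is injected would make the placeholder's purpose obvious.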
diff --git a/systems/turret/files/etc/dropbear/authorized_keys b/systems/turret/files/etc/dropbear/authorized_keys
new file mode 100644
index 0000000..495c605
--- /dev/null
+++ b/systems/turret/files/etc/dropbear/authorized_keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIERx0I8DKtALZ9VrYnY1iBEpwl2pBlRiS8oJQvZwpl5e seth@glados