From a8630322f77dbb7be4810099a42352b9278996a1 Mon Sep 17 00:00:00 2001
From: seth <getchoo@tuta.io>
Date: Sun, 1 Oct 2023 10:41:09 -0400
Subject: treewide!: flatten to parts/ layout

---
 parts/systems/atlas/default.nix                    |  50 ++++++
 parts/systems/atlas/hardware-configuration.nix     |  29 ++++
 parts/systems/atlas/miniflux.nix                   |  20 +++
 parts/systems/atlas/nginx.nix                      |  32 ++++
 parts/systems/caroline/default.nix                 |  17 ++
 parts/systems/default.nix                          |  47 +++++
 parts/systems/glados-wsl/default.nix               |  39 +++++
 parts/systems/glados/boot.nix                      |  25 +++
 parts/systems/glados/default.nix                   |  61 +++++++
 parts/systems/glados/hardware-configuration.nix    |  72 ++++++++
 parts/systems/profiles.nix                         | 101 +++++++++++
 parts/systems/turret/default.nix                   |  38 +++++
 parts/systems/turret/files/etc/config/dhcp         |  55 ++++++
 parts/systems/turret/files/etc/config/dropbear     |   5 +
 parts/systems/turret/files/etc/config/firewall     | 189 +++++++++++++++++++++
 .../turret/files/etc/config/https-dns-proxy        |  18 ++
 parts/systems/turret/files/etc/config/luci         |  41 +++++
 parts/systems/turret/files/etc/config/network      |  29 ++++
 parts/systems/turret/files/etc/config/rpcd         |  10 ++
 parts/systems/turret/files/etc/config/system       |  16 ++
 parts/systems/turret/files/etc/config/ucitrack     |  56 ++++++
 parts/systems/turret/files/etc/config/uhttpd       |  31 ++++
 parts/systems/turret/files/etc/config/wireless     |  34 ++++
 .../turret/files/etc/dropbear/authorized_keys      |   1 +
 24 files changed, 1016 insertions(+)
 create mode 100644 parts/systems/atlas/default.nix
 create mode 100644 parts/systems/atlas/hardware-configuration.nix
 create mode 100644 parts/systems/atlas/miniflux.nix
 create mode 100644 parts/systems/atlas/nginx.nix
 create mode 100644 parts/systems/caroline/default.nix
 create mode 100644 parts/systems/default.nix
 create mode 100644 parts/systems/glados-wsl/default.nix
 create mode 100644 parts/systems/glados/boot.nix
 create mode 100644 parts/systems/glados/default.nix
 create mode 100644 parts/systems/glados/hardware-configuration.nix
 create mode 100644 parts/systems/profiles.nix
 create mode 100644 parts/systems/turret/default.nix
 create mode 100644 parts/systems/turret/files/etc/config/dhcp
 create mode 100644 parts/systems/turret/files/etc/config/dropbear
 create mode 100644 parts/systems/turret/files/etc/config/firewall
 create mode 100644 parts/systems/turret/files/etc/config/https-dns-proxy
 create mode 100644 parts/systems/turret/files/etc/config/luci
 create mode 100644 parts/systems/turret/files/etc/config/network
 create mode 100644 parts/systems/turret/files/etc/config/rpcd
 create mode 100644 parts/systems/turret/files/etc/config/system
 create mode 100644 parts/systems/turret/files/etc/config/ucitrack
 create mode 100644 parts/systems/turret/files/etc/config/uhttpd
 create mode 100644 parts/systems/turret/files/etc/config/wireless
 create mode 100644 parts/systems/turret/files/etc/dropbear/authorized_keys

(limited to 'parts/systems')

diff --git a/parts/systems/atlas/default.nix b/parts/systems/atlas/default.nix
new file mode 100644
index 0000000..24cb139
--- /dev/null
+++ b/parts/systems/atlas/default.nix
@@ -0,0 +1,50 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ./hardware-configuration.nix
+    ./miniflux.nix
+    ./nginx.nix
+  ];
+
+  _module.args.nixinate = {
+    host = "atlas";
+    sshUser = "root";
+    buildOn = "remote";
+    substituteOnTarget = true;
+    hermetic = false;
+  };
+
+  boot = {
+    loader.systemd-boot.enable = true;
+    loader.efi.canTouchEfiVariables = true;
+    tmp.cleanOnBoot = true;
+  };
+
+  networking = {
+    domain = "mydadleft.me";
+    hostName = "atlas";
+  };
+
+  services = {
+    guzzle-api = {
+      enable = true;
+      domain = "api.${config.networking.domain}";
+      nginx = {
+        enableACME = true;
+        acmeRoot = null;
+        addSSL = true;
+      };
+    };
+  };
+
+  users.users.atlas = {
+    isNormalUser = true;
+    shell = pkgs.bash;
+    passwordFile = config.age.secrets.userPassword.path;
+  };
+
+  zramSwap.enable = true;
+}
diff --git a/parts/systems/atlas/hardware-configuration.nix b/parts/systems/atlas/hardware-configuration.nix
new file mode 100644
index 0000000..00c6cd8
--- /dev/null
+++ b/parts/systems/atlas/hardware-configuration.nix
@@ -0,0 +1,29 @@
+{modulesPath, ...}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot = {
+    extraModulePackages = [];
+    kernelModules = [];
+
+    initrd = {
+      availableKernelModules = ["virtio_pci" "usbhid"];
+      kernelModules = [];
+    };
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/f0c84809-83f5-414b-a973-496d25d74c6d";
+      fsType = "ext4";
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/A253-0826";
+      fsType = "vfat";
+    };
+  };
+
+  swapDevices = [];
+}
diff --git a/parts/systems/atlas/miniflux.nix b/parts/systems/atlas/miniflux.nix
new file mode 100644
index 0000000..5ed5d40
--- /dev/null
+++ b/parts/systems/atlas/miniflux.nix
@@ -0,0 +1,20 @@
+{
+  config,
+  self,
+  ...
+}: {
+  config = {
+    age.secrets = {
+      miniflux.file = "${self}/parts/secrets/systems/${config.networking.hostName}/miniflux.age";
+    };
+
+    services.miniflux = {
+      enable = true;
+      adminCredentialsFile = config.age.secrets.miniflux.path;
+      config = {
+        BASE_URL = "https://miniflux.${config.networking.domain}";
+        LISTEN_ADDR = "localhost:7000";
+      };
+    };
+  };
+}
diff --git a/parts/systems/atlas/nginx.nix b/parts/systems/atlas/nginx.nix
new file mode 100644
index 0000000..cdf483d
--- /dev/null
+++ b/parts/systems/atlas/nginx.nix
@@ -0,0 +1,32 @@
+{
+  config,
+  self,
+  ...
+}: let
+  inherit (config.networking) domain;
+  inherit (self.lib.utils.nginx) mkVHosts mkProxy;
+in {
+  server = {
+    acme.enable = true;
+    services.cloudflared.enable = true;
+  };
+
+  services.nginx = {
+    enable = true;
+
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts = mkVHosts {
+      "miniflux.${domain}" = {
+        locations = mkProxy "/" "7000";
+      };
+
+      "msix.${domain}" = {
+        root = "/var/www/msix";
+      };
+    };
+  };
+}
diff --git a/parts/systems/caroline/default.nix b/parts/systems/caroline/default.nix
new file mode 100644
index 0000000..43dc82f
--- /dev/null
+++ b/parts/systems/caroline/default.nix
@@ -0,0 +1,17 @@
+_: {
+  desktop = {
+    homebrew.enable = true;
+    gpg.enable = true;
+  };
+
+  homebrew.casks = ["arc"];
+
+  networking = rec {
+    computerName = "caroline";
+    hostName = computerName;
+  };
+
+  nix.settings.trusted-users = ["seth"];
+
+  services.tailscale.enable = true;
+}
diff --git a/parts/systems/default.nix b/parts/systems/default.nix
new file mode 100644
index 0000000..e9ef9ba
--- /dev/null
+++ b/parts/systems/default.nix
@@ -0,0 +1,47 @@
+{
+  inputs,
+  self,
+  withSystem,
+  ...
+}: {
+  flake = let
+    inherit (self.lib.configs) mapSystems;
+    profiles = import ./profiles.nix {inherit self inputs;};
+  in {
+    darwinConfigurations = mapSystems {
+      caroline = {
+        system = "x86_64-darwin";
+        profile = profiles.personal-darwin;
+      };
+    };
+
+    nixosConfigurations = mapSystems {
+      glados = {
+        modules = with inputs; [
+          lanzaboote.nixosModules.lanzaboote
+        ];
+        profile = profiles.personal;
+      };
+
+      glados-wsl = {
+        modules = [inputs.nixos-wsl.nixosModules.wsl];
+        profile = profiles.personal;
+      };
+
+      atlas = {
+        modules = [inputs.guzzle_api.nixosModules.default];
+        system = "aarch64-linux";
+        profile = profiles.server;
+      };
+    };
+
+    openwrtConfigurations.turret = withSystem "x86_64-linux" ({pkgs, ...}:
+      pkgs.callPackage ./turret {
+        inherit (inputs) openwrt-imagebuilder;
+      });
+  };
+
+  perSystem = {system, ...}: {
+    apps = (inputs.nixinate.nixinate.${system} self).nixinate;
+  };
+}
diff --git a/parts/systems/glados-wsl/default.nix b/parts/systems/glados-wsl/default.nix
new file mode 100644
index 0000000..98b57ed
--- /dev/null
+++ b/parts/systems/glados-wsl/default.nix
@@ -0,0 +1,39 @@
+{
+  modulesPath,
+  pkgs,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/profiles/minimal.nix")
+    ../../modules/nixos/features/tailscale.nix
+  ];
+
+  environment.systemPackages = with pkgs; [
+    wslu
+  ];
+
+  base.networking.enable = false;
+  features.tailscale.enable = true;
+
+  wsl = {
+    enable = true;
+    defaultUser = "seth";
+    nativeSystemd = true;
+    wslConf.network = {
+      hostname = "glados-wsl";
+      generateResolvConf = true;
+    };
+    startMenuLaunchers = false;
+    interop.includePath = false;
+  };
+
+  services.dbus.apparmor = "disabled";
+
+  networking.hostName = "glados-wsl";
+
+  security = {
+    apparmor.enable = false;
+    audit.enable = false;
+    auditd.enable = false;
+  };
+}
diff --git a/parts/systems/glados/boot.nix b/parts/systems/glados/boot.nix
new file mode 100644
index 0000000..4a9af4e
--- /dev/null
+++ b/parts/systems/glados/boot.nix
@@ -0,0 +1,25 @@
+{
+  lib,
+  pkgs,
+  ...
+}: {
+  environment.systemPackages = with pkgs; [
+    sbctl
+    tpm2-tss
+  ];
+
+  boot = {
+    initrd.systemd.enable = true;
+    kernelPackages = pkgs.linuxPackages_latest;
+
+    bootspec.enable = true;
+    loader.systemd-boot.enable = lib.mkForce false;
+
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/etc/secureboot";
+    };
+
+    supportedFilesystems = ["btrfs" "ntfs"];
+  };
+}
diff --git a/parts/systems/glados/default.nix b/parts/systems/glados/default.nix
new file mode 100644
index 0000000..de2c1d5
--- /dev/null
+++ b/parts/systems/glados/default.nix
@@ -0,0 +1,61 @@
+{lib, ...}: {
+  imports = [
+    ./boot.nix
+    ./hardware-configuration.nix
+    ../../modules/nixos/features/tailscale.nix
+    ../../modules/nixos/features/virtualisation.nix
+  ];
+
+  boot = {
+    kernelParams = ["amd_pstate=active"];
+    kernel.sysctl = {
+      "vm.swappiness" = 100;
+      "vm.vfs_cache_pressure" = 500;
+      "vm.dirty_background_ratio" = 1;
+      "vm.dirty_ratio" = 50;
+    };
+  };
+
+  desktop.gnome.enable = true;
+
+  features = {
+    tailscale.enable = true;
+    virtualisation.enable = true;
+  };
+
+  hardware = {
+    nvidia.enable = true;
+    ssd.enable = true;
+  };
+
+  networking.hostName = "glados";
+
+  security.tpm2 = {
+    enable = true;
+    abrmd.enable = true;
+  };
+
+  services = {
+    flatpak.enable = true;
+    fwupd.enable = true;
+  };
+
+  systemd = {
+    services."prepare-kexec".wantedBy = ["multi-user.target"];
+    tmpfiles.rules = let
+      nproc = 12;
+    in
+      builtins.map
+      (n: "w /sys/devices/system/cpu/cpu${builtins.toString n}/cpufreq/energy_performance_preference - - - - ${"balance_performance"}")
+      (lib.range 0 (nproc - 1));
+  };
+
+  powerManagement.cpuFreqGovernor = "powersave";
+
+  zramSwap = {
+    enable = true;
+    algorithm = "zstd";
+    swapDevices = 1;
+    memoryPercent = 50;
+  };
+}
diff --git a/parts/systems/glados/hardware-configuration.nix b/parts/systems/glados/hardware-configuration.nix
new file mode 100644
index 0000000..a7ff9e9
--- /dev/null
+++ b/parts/systems/glados/hardware-configuration.nix
@@ -0,0 +1,72 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot = {
+    extraModulePackages = [];
+    kernelModules = ["kvm-amd"];
+
+    initrd = {
+      availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod"];
+      kernelModules = [];
+
+      luks.devices."cryptroot" = {
+        device = "/dev/disk/by-uuid/bbbc1f37-53f5-4776-a70e-f2779179de50";
+        allowDiscards = true;
+        crypttabExtraOpts = ["tpm2-device=auto"];
+      };
+    };
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/mapper/cryptroot";
+      fsType = "btrfs";
+      options = ["subvol=root" "compress=zstd" "noatime"];
+    };
+
+    "/var/log" = {
+      device = "/dev/mapper/cryptroot";
+      fsType = "btrfs";
+      options = ["subvol=var_log" "compress=zstd" "noatime"];
+    };
+
+    "/nix" = {
+      device = "/dev/mapper/cryptroot";
+      fsType = "btrfs";
+      options = ["subvol=nix" "compress=zstd" "noatime" "nodatacow"];
+    };
+
+    "/home" = {
+      device = "/dev/mapper/cryptroot";
+      fsType = "btrfs";
+      options = ["subvol=home" "compress=zstd" "noatime"];
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/B95B-9412";
+      fsType = "vfat";
+    };
+  };
+
+  swapDevices = [];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/parts/systems/profiles.nix b/parts/systems/profiles.nix
new file mode 100644
index 0000000..277d3c1
--- /dev/null
+++ b/parts/systems/profiles.nix
@@ -0,0 +1,101 @@
+{
+  inputs,
+  self,
+  ...
+}: let
+  specialArgs = {inherit inputs self;};
+in {
+  personal = {
+    system = "x86_64-linux";
+    builder = inputs.nixpkgs.lib.nixosSystem;
+    inherit specialArgs;
+
+    modules = with inputs; [
+      agenix.nixosModules.default
+      hm.nixosModules.home-manager
+      nur.nixosModules.nur
+      self.nixosModules.default
+
+      ../users/seth/system.nix
+
+      {
+        age = {
+          identityPaths = ["/etc/age/key"];
+          secrets = let
+            baseDir = "${self}/parts/secrets/shared";
+          in {
+            rootPassword.file = "${baseDir}/rootPassword.age";
+            sethPassword.file = "${baseDir}/sethPassword.age";
+          };
+        };
+
+        base.enable = true;
+        system.stateVersion = "23.11";
+
+        home-manager = {
+          useGlobalPkgs = true;
+          useUserPackages = true;
+          extraSpecialArgs = specialArgs;
+        };
+      }
+    ];
+  };
+
+  personal-darwin = {
+    builder = inputs.darwin.lib.darwinSystem;
+    inherit specialArgs;
+    modules = with inputs; [
+      hm.darwinModules.home-manager
+      self.darwinModules.default
+
+      ../users/seth/system.nix
+
+      {
+        base.enable = true;
+        desktop.enable = true;
+        system.stateVersion = 4;
+
+        home-manager = {
+          useGlobalPkgs = true;
+          useUserPackages = true;
+          extraSpecialArgs = specialArgs;
+
+          users.seth = {
+            imports = [
+              ../users/seth/darwin.nix
+            ];
+
+            getchoo.desktop.enable = false;
+          };
+        };
+      }
+    ];
+  };
+
+  server = {
+    builder = inputs.nixpkgs-stable.lib.nixosSystem;
+    inherit specialArgs;
+
+    modules = with inputs; [
+      agenix.nixosModules.default
+      ../modules/nixos/base
+      ../modules/nixos/server
+      ../modules/nixos/features/tailscale.nix
+
+      {
+        features.tailscale = {
+          enable = true;
+          ssh.enable = true;
+        };
+
+        server = {
+          enable = true;
+          secrets.enable = true;
+        };
+
+        nix.registry.n.flake = nixpkgs-stable;
+        system.stateVersion = "23.05";
+      }
+    ];
+  };
+}
diff --git a/parts/systems/turret/default.nix b/parts/systems/turret/default.nix
new file mode 100644
index 0000000..faac3d2
--- /dev/null
+++ b/parts/systems/turret/default.nix
@@ -0,0 +1,38 @@
+{
+  pkgs,
+  openwrt-imagebuilder,
+  ...
+}: let
+  inherit (pkgs) runCommand;
+  inherit (pkgs.stdenv) mkDerivation;
+  inherit (openwrt-imagebuilder.lib) build profiles;
+  wrtProfiles = profiles {
+    inherit pkgs;
+    release = "22.03.3";
+  };
+  config = mkDerivation {
+    name = "openwrt-config-files";
+    src = ./files;
+    installPhase = ''
+      mkdir -p $out
+      cp -r * $out/
+    '';
+  };
+  image =
+    wrtProfiles.identifyProfile "netgear_wac104"
+    // {
+      packages = ["https-dns-proxy"];
+
+      files = runCommand "image-files" {} ''
+        mkdir -p $out/etc/uci-defaults
+        cat > $out/etc/uci-defaults/99-custom <<EOF
+        uci -q batch << EOI
+        set system.@system[0].hostname='turret'
+        commit
+        EOI
+        EOF
+        cp -fr ${config}/etc/* $out/etc/
+      '';
+    };
+in
+  build image
diff --git a/parts/systems/turret/files/etc/config/dhcp b/parts/systems/turret/files/etc/config/dhcp
new file mode 100644
index 0000000..4a471cf
--- /dev/null
+++ b/parts/systems/turret/files/etc/config/dhcp
@@ -0,0 +1,55 @@
+
+config dnsmasq
+	option domainneeded '1'
+	option boguspriv '1'
+	option filterwin2k '0'
+	option localise_queries '1'
+	option rebind_protection '1'
+	option rebind_localhost '1'
+	option local '/lan/'
+	option domain 'lan'
+	option expandhosts '1'
+	option nonegcache '0'
+	option authoritative '1'
+	option readethers '1'
+	option leasefile '/tmp/dhcp.leases'
+	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
+	option nonwildcard '1'
+	option localservice '1'
+	option ednspacket_max '1232'
+	option doh_backup_noresolv '-1'
+	option noresolv '1'
+	list doh_backup_server ''
+	list doh_backup_server '/mask.icloud.com/'
+	list doh_backup_server '/mask-h2.icloud.com/'
+	list doh_backup_server '/use-application-dns.net/'
+	list doh_backup_server '127.0.0.1#5054'
+	list doh_backup_server '127.0.0.1#5053'
+	list server '/mask.icloud.com/'
+	list server '/mask-h2.icloud.com/'
+	list server '/use-application-dns.net/'
+	list server '127.0.0.1#5054'
+	list server '127.0.0.1#5053'
+
+config dhcp 'lan'
+	option interface 'lan'
+	option start '100'
+	option limit '150'
+	option leasetime '12h'
+	option dhcpv4 'server'
+	option dhcpv6 'server'
+	option ra 'server'
+	option ra_slaac '1'
+	list ra_flags 'managed-config'
+	list ra_flags 'other-config'
+
+config dhcp 'wan'
+	option interface 'wan'
+	option ignore '1'
+
+config odhcpd 'odhcpd'
+	option maindhcp '0'
+	option leasefile '/tmp/hosts/odhcpd'
+	option leasetrigger '/usr/sbin/odhcpd-update'
+	option loglevel '4'
+
diff --git a/parts/systems/turret/files/etc/config/dropbear b/parts/systems/turret/files/etc/config/dropbear
new file mode 100644
index 0000000..2139ba0
--- /dev/null
+++ b/parts/systems/turret/files/etc/config/dropbear
@@ -0,0 +1,5 @@
+config dropbear
+	option PasswordAuth 'on'
+	option RootPasswordAuth 'on'
+	option Port         '22'
+#	option BannerFile   '/etc/banner'
diff --git a/parts/systems/turret/files/etc/config/firewall b/parts/systems/turret/files/etc/config/firewall
new file mode 100644
index 0000000..b9a4647
--- /dev/null
+++ b/parts/systems/turret/files/etc/config/firewall
@@ -0,0 +1,189 @@
+config defaults
+	option syn_flood	1
+	option input		ACCEPT
+	option output		ACCEPT
+	option forward		REJECT
+# Uncomment this line to disable ipv6 rules
+#	option disable_ipv6	1
+
+config zone
+	option name		lan
+	list   network		'lan'
+	option input		ACCEPT
+	option output		ACCEPT
+	option forward		ACCEPT
+
+config zone
+	option name		wan
+	list   network		'wan'
+	list   network		'wan6'
+	option input		REJECT
+	option output		ACCEPT
+	option forward		REJECT
+	option masq		1
+	option mtu_fix		1
+
+config forwarding
+	option src		lan
+	option dest		wan
+
+# We need to accept udp packets on port 68,
+# see https://dev.openwrt.org/ticket/4108
+config rule
+	option name		Allow-DHCP-Renew
+	option src		wan
+	option proto		udp
+	option dest_port	68
+	option target		ACCEPT
+	option family		ipv4
+
+# Allow IPv4 ping
+config rule
+	option name		Allow-Ping
+	option src		wan
+	option proto		icmp
+	option icmp_type	echo-request
+	option family		ipv4
+	option target		ACCEPT
+
+config rule
+	option name		Allow-IGMP
+	option src		wan
+	option proto		igmp
+	option family		ipv4
+	option target		ACCEPT
+
+# Allow DHCPv6 replies
+# see https://github.com/openwrt/openwrt/issues/5066
+config rule
+	option name		Allow-DHCPv6
+	option src		wan
+	option proto		udp
+	option dest_port	546
+	option family		ipv6
+	option target		ACCEPT
+
+config rule
+	option name		Allow-MLD
+	option src		wan
+	option proto		icmp
+	option src_ip		fe80::/10
+	list icmp_type		'130/0'
+	list icmp_type		'131/0'
+	list icmp_type		'132/0'
+	list icmp_type		'143/0'
+	option family		ipv6
+	option target		ACCEPT
+
+# Allow essential incoming IPv6 ICMP traffic
+config rule
+	option name		Allow-ICMPv6-Input
+	option src		wan
+	option proto	icmp
+	list icmp_type		echo-request
+	list icmp_type		echo-reply
+	list icmp_type		destination-unreachable
+	list icmp_type		packet-too-big
+	list icmp_type		time-exceeded
+	list icmp_type		bad-header
+	list icmp_type		unknown-header-type
+	list icmp_type		router-solicitation
+	list icmp_type		neighbour-solicitation
+	list icmp_type		router-advertisement
+	list icmp_type		neighbour-advertisement
+	option limit		1000/sec
+	option family		ipv6
+	option target		ACCEPT
+
+# Allow essential forwarded IPv6 ICMP traffic
+config rule
+	option name		Allow-ICMPv6-Forward
+	option src		wan
+	option dest		*
+	option proto		icmp
+	list icmp_type		echo-request
+	list icmp_type		echo-reply
+	list icmp_type		destination-unreachable
+	list icmp_type		packet-too-big
+	list icmp_type		time-exceeded
+	list icmp_type		bad-header
+	list icmp_type		unknown-header-type
+	option limit		1000/sec
+	option family		ipv6
+	option target		ACCEPT
+
+config rule
+	option name		Allow-IPSec-ESP
+	option src		wan
+	option dest		lan
+	option proto		esp
+	option target		ACCEPT
+
+config rule
+	option name		Allow-ISAKMP
+	option src		wan
+	option dest		lan
+	option dest_port	500
+	option proto		udp
+	option target		ACCEPT
+
+
+### EXAMPLE CONFIG SECTIONS
+# do not allow a specific ip to access wan
+#config rule
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option dest		wan
+#	option proto	tcp
+#	option target	REJECT
+
+# block a specific mac on wan
+#config rule
+#	option dest		wan
+#	option src_mac	00:11:22:33:44:66
+#	option target	REJECT
+
+# block incoming ICMP traffic on a zone
+#config rule
+#	option src		lan
+#	option proto	ICMP
+#	option target	DROP
+
+# port redirect port coming in on wan to lan
+#config redirect
+#	option src			wan
+#	option src_dport	80
+#	option dest			lan
+#	option dest_ip		192.168.16.235
+#	option dest_port	80
+#	option proto		tcp
+
+# port redirect of remapped ssh port (22001) on wan
+#config redirect
+#	option src		wan
+#	option src_dport	22001
+#	option dest		lan
+#	option dest_port	22
+#	option proto		tcp
+
+### FULL CONFIG SECTIONS
+#config rule
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option src_mac	00:11:22:33:44:55
+#	option src_port	80
+#	option dest		wan
+#	option dest_ip	194.25.2.129
+#	option dest_port	120
+#	option proto	tcp
+#	option target	REJECT
+
+#config redirect
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option src_mac	00:11:22:33:44:55
+#	option src_port		1024
+#	option src_dport	80
+#	option dest_ip	194.25.2.129
+#	option dest_port	120
+#	option proto	tcp
diff --git a/parts/systems/turret/files/etc/config/https-dns-proxy b/parts/systems/turret/files/etc/config/https-dns-proxy
new file mode 100644
index 0000000..e5623ad
--- /dev/null
+++ b/parts/systems/turret/files/etc/config/https-dns-proxy
@@ -0,0 +1,18 @@
+
+config main 'config'
+	option dnsmasq_config_update '*'
+	list force_dns_port '53'
+	list force_dns_port '853'
+	option procd_trigger_wan6 '0'
+	option canary_domains_icloud '0'
+	option canary_domains_mozilla '0'
+	option force_dns '0'
+
+config https-dns-proxy
+	option bootstrap_dns '1.1.1.1,1.0.0.1'
+	option resolver_url 'https://cloudflare-dns.com/dns-query'
+	option listen_addr '127.0.0.1'
+	option listen_port '5054'
+	option user 'nobody'
+	option group 'nogroup'
+
diff --git a/parts/systems/turret/files/etc/config/luci b/parts/systems/turret/files/etc/config/luci
new file mode 100644
index 0000000..8eb8a9b
--- /dev/null
+++ b/parts/systems/turret/files/etc/config/luci
@@ -0,0 +1,41 @@
+
+config core 'main'
+	option lang 'auto'
+	option mediaurlbase '/luci-static/bootstrap'
+	option resourcebase '/luci-static/resources'
+	option ubuspath '/ubus/'
+
+config extern 'flash_keep'
+	option uci '/etc/config/'
+	option dropbear '/etc/dropbear/'
+	option openvpn '/etc/openvpn/'
+	option passwd '/etc/passwd'
+	option opkg '/etc/opkg.conf'
+	option firewall '/etc/firewall.user'
+	option uploads '/lib/uci/upload/'
+
+config internal 'languages'
+
+config internal 'sauth'
+	option sessionpath '/tmp/luci-sessions'
+	option sessiontime '3600'
+
+config internal 'ccache'
+	option enable '1'
+
+config internal 'themes'
+	option Bootstrap '/luci-static/bootstrap'
+	option BootstrapDark '/luci-static/bootstrap-dark'
+	option BootstrapLight '/luci-static/bootstrap-light'
+
+config internal 'apply'
+	option rollback '90'
+	option holdoff '4'
+	option timeout '5'
+	option display '1.5'
+
+config internal 'diag'
+	option dns 'openwrt.org'
+	option ping 'openwrt.org'
+	option route 'openwrt.org'
+
diff --git a/parts/systems/turret/files/etc/config/network b/parts/systems/turret/files/etc/config/network
new file mode 100644
index 0000000..c71cf98
--- /dev/null
+++ b/parts/systems/turret/files/etc/config/network
@@ -0,0 +1,29 @@
+
+config interface 'loopback'
+	option device 'lo'
+	option proto 'static'
+	option ipaddr '127.0.0.1'
+	option netmask '255.0.0.0'
+
+config globals 'globals'
+	option packet_steering '1'
+	option ula_prefix 'fd26:3166:dece::/48'
+
+config device
+	option name 'br-lan'
+	option type 'bridge'
+	list ports 'lan2'
+	list ports 'lan3'
+	list ports 'lan4'
+
+config interface 'lan'
+	option device 'br-lan'
+	option proto 'static'
+	option ipaddr '192.168.1.1'
+	option netmask '255.255.255.0'
+	option ip6assign '60'
+
+config interface 'wan'
+	option device 'lan1'
+	option proto 'dhcp'
+
diff --git a/parts/systems/turret/files/etc/config/rpcd b/parts/systems/turret/files/etc/config/rpcd
new file mode 100644
index 0000000..176c643
--- /dev/null
+++ b/parts/systems/turret/files/etc/config/rpcd
@@ -0,0 +1,10 @@
+config rpcd
+	option socket /var/run/ubus/ubus.sock
+	option timeout 30
+
+config login
+	option username 'root'
+	option password '$p$root'
+	list read '*'
+	list write '*'
+
diff --git a/parts/systems/turret/files/etc/config/system b/parts/systems/turret/files/etc/config/system
new file mode 100644
index 0000000..ee3415f
--- /dev/null
+++ b/parts/systems/turret/files/etc/config/system
@@ -0,0 +1,16 @@
+
+config system
+	option hostname 'turret'
+	option timezone 'UTC'
+	option ttylogin '0'
+	option log_size '64'
+	option urandom_seed '0'
+	option compat_version '1.1'
+
+config timeserver 'ntp'
+	option enabled '1'
+	option enable_server '0'
+	list server '0.openwrt.pool.ntp.org'
+	list server '1.openwrt.pool.ntp.org'
+	list server '2.openwrt.pool.ntp.org'
+	list server '3.openwrt.pool.ntp.org'
diff --git a/parts/systems/turret/files/etc/config/ucitrack b/parts/systems/turret/files/etc/config/ucitrack
new file mode 100644
index 0000000..bb4cdbc
--- /dev/null
+++ b/parts/systems/turret/files/etc/config/ucitrack
@@ -0,0 +1,56 @@
+config network
+	option init network
+	list affects dhcp
+
+config wireless
+	list affects network
+
+config firewall
+	option init firewall
+	list affects luci-splash
+	list affects qos
+	list affects miniupnpd
+
+config olsr
+	option init olsrd
+
+config dhcp
+	option init dnsmasq
+	list affects odhcpd
+
+config odhcpd
+	option init odhcpd
+
+config dropbear
+	option init dropbear
+
+config httpd
+	option init httpd
+
+config fstab
+	option exec '/sbin/block mount'
+
+config qos
+	option init qos
+
+config system
+	option init led
+	option exec '/etc/init.d/log reload'
+	list affects luci_statistics
+	list affects dhcp
+
+config luci_splash
+	option init luci_splash
+
+config upnpd
+	option init miniupnpd
+
+config ntpclient
+	option init ntpclient
+
+config samba
+	option init samba
+
+config tinyproxy
+	option init tinyproxy
+
diff --git a/parts/systems/turret/files/etc/config/uhttpd b/parts/systems/turret/files/etc/config/uhttpd
new file mode 100644
index 0000000..cb2ff71
--- /dev/null
+++ b/parts/systems/turret/files/etc/config/uhttpd
@@ -0,0 +1,31 @@
+
+config uhttpd 'main'
+	list listen_http '0.0.0.0:80'
+	list listen_http '[::]:80'
+	list listen_https '0.0.0.0:443'
+	list listen_https '[::]:443'
+	option redirect_https '0'
+	option home '/www'
+	option rfc1918_filter '1'
+	option max_requests '3'
+	option max_connections '100'
+	option cert '/etc/uhttpd.crt'
+	option key '/etc/uhttpd.key'
+	option cgi_prefix '/cgi-bin'
+	list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
+	option script_timeout '60'
+	option network_timeout '30'
+	option http_keepalive '20'
+	option tcp_keepalive '1'
+	option ubus_prefix '/ubus'
+
+config cert 'defaults'
+	option days '730'
+	option key_type 'ec'
+	option bits '2048'
+	option ec_curve 'P-256'
+	option country 'ZZ'
+	option state 'Somewhere'
+	option location 'Unknown'
+	option commonname 'OpenWrt'
+
diff --git a/parts/systems/turret/files/etc/config/wireless b/parts/systems/turret/files/etc/config/wireless
new file mode 100644
index 0000000..c8bb9d7
--- /dev/null
+++ b/parts/systems/turret/files/etc/config/wireless
@@ -0,0 +1,34 @@
+
+config wifi-device 'radio0'
+	option type 'mac80211'
+	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
+	option band '2g'
+	option disabled '0'
+	option htmode 'HT40'
+	option channel '1'
+	option cell_density '0'
+
+config wifi-iface 'default_radio0'
+	option device 'radio0'
+	option network 'lan'
+	option mode 'ap'
+	option ssid 'Box-2.4G'
+	option encryption 'psk2'
+	option key 'REPLACEME'
+
+config wifi-device 'radio1'
+	option type 'mac80211'
+	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
+	option band '5g'
+	option disabled '0'
+	option htmode 'VHT40'
+	option channel '36'
+	option cell_density '0'
+
+config wifi-iface 'default_radio1'
+	option device 'radio1'
+	option network 'lan'
+	option mode 'ap'
+	option ssid 'Box-5G'
+	option key 'REPLACEME'
+	option encryption 'psk2'
diff --git a/parts/systems/turret/files/etc/dropbear/authorized_keys b/parts/systems/turret/files/etc/dropbear/authorized_keys
new file mode 100644
index 0000000..495c605
--- /dev/null
+++ b/parts/systems/turret/files/etc/dropbear/authorized_keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIERx0I8DKtALZ9VrYnY1iBEpwl2pBlRiS8oJQvZwpl5e seth@glados
-- 
cgit v1.2.3