first commit

2026-05-04 19:38:05 +02:00
commit 8e921a05d8
85 changed files with 5524 additions and 0 deletions
--- a/hosts/AZ-LT-NIX/services/ad.nix
+++ b/hosts/AZ-LT-NIX/services/ad.nix
@@ -0,0 +1,114 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  environment.systemPackages = with pkgs; [
+    adcli # Helper library and tools for Active Directory client operations
+    oddjob # Odd Job Daemon
+    samba4Full # Standard Windows interoperability suite of programs for Linux and Unix
+    sssd # System Security Services Daemon
+    krb5 # MIT Kerberos 5
+    realmd # DBus service for configuring Kerberos and other
+  ];
+
+  #
+  # Security
+  #
+  security = {
+    krb5 = {
+      enable = true;
+      settings = {
+        libdefaults = {
+          udp_preference_limit = 0;
+          default_realm = "AZ-GROUP";
+        };
+      };
+    };
+
+    pam = {
+      makeHomeDir.umask = "077";
+      services.login.makeHomeDir = true;
+      services.sshd.makeHomeDir = true;
+    };
+
+    sudo = {
+      extraConfig = ''
+        %domain\ admins ALL=(ALL:ALL) NOPASSWD: ALL
+        Defaults:%domain\ admins env_keep+=TERMINFO_DIRS
+        Defaults:%domain\ admins env_keep+=TERMINFO
+      '';
+
+      # Use extraConfig because of blank space in 'domain admins'.
+      # Alternatively, you can use the GID.
+      # extraRules = [
+      #   { groups = [ "domain admins" ];
+      #     commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; }  ]; }
+      # ];
+    };
+  };
+
+  #
+  # Services
+  #
+  services = {
+    nscd = {
+      enable = true;
+      config = ''
+        server-user nscd
+        enable-cache hosts yes
+        positive-time-to-live hosts 0
+        negative-time-to-live hosts 0
+        shared hosts yes
+        enable-cache passwd no
+        enable-cache group no
+        enable-cache netgroup no
+        enable-cache services no
+      '';
+    };
+
+    sssd = {
+      enable = true;
+      config = ''
+        [sssd]
+        domains = az-group
+        config_file_version = 2
+        services = nss, pam
+
+        [domain/az-group]
+        override_shell = /run/current-system/sw/bin/zsh
+        krb5_store_password_if_offline = True
+        cache_credentials = True
+        krb5_realm = AZ-GROUP
+        realmd_tags = manages-system joined-with-samba
+        id_provider = ad
+        fallback_homedir = /home/%u
+        ad_domain = your_domain_lowercase
+        use_fully_qualified_names = false
+        ldap_id_mapping = false
+        auth_provider = ad
+        access_provider = ad
+        chpass_provider = ad
+        ad_gpo_access_control = permissive
+        enumerate = true
+      '';
+    };
+  };
+
+  #
+  # Systemd
+  #
+  systemd = {
+    services.realmd = {
+      description = "Realm Discovery Service";
+      wantedBy = ["multi-user.target"];
+      after = ["network.target"];
+      serviceConfig = {
+        Type = "dbus";
+        BusName = "org.freedesktop.realmd";
+        ExecStart = "${pkgs.realmd}/libexec/realmd";
+        User = "root";
+      };
+    };
+  };
+}
--- a/hosts/AZ-LT-NIX/services/default.nix
+++ b/hosts/AZ-LT-NIX/services/default.nix
@@ -0,0 +1,44 @@
+{pkgs, ...}: {
+  imports = [
+    # ./ad.nix
+    ./mem0.nix
+    ./n8n.nix
+    ./netbird.nix
+    ./printing.nix
+    ./sound.nix
+    ./udev.nix
+  ];
+  services = {
+    espanso = {
+      enable = true;
+      package = pkgs.espanso-wayland;
+    };
+    hypridle.enable = true;
+    printing.enable = true;
+    gvfs.enable = true;
+    gnome.gnome-keyring.enable = true;
+    qdrant = {
+      enable = true;
+      settings = {
+        service = {
+          host = "0.0.0.0";
+        };
+      };
+    };
+    upower.enable = true;
+    avahi = {
+      enable = true;
+      nssmdns4 = true;
+      publish = {
+        addresses = true;
+        workstation = true;
+        userServices = true;
+      };
+    };
+    asusd = {
+      enable = true;
+    };
+    desktopManager.gnome.enable = true;
+    displayManager.gdm.enable = true;
+  };
+}
--- a/hosts/AZ-LT-NIX/services/mem0.nix
+++ b/hosts/AZ-LT-NIX/services/mem0.nix
@@ -0,0 +1,23 @@
+{
+  m3ta.mem0 = {
+    enable = false;
+    port = 8000;
+    host = "127.0.0.1";
+
+    # LLM Configuration
+    llm = {
+      provider = "openai";
+      apiKeyFile = "/var/lib/mem0/openai-api-key-1"; # Use agenix or sops-nix
+    };
+
+    # Vector Storage Configuration
+    vectorStore = {
+      provider = "qdrant"; # or "chroma", "pinecone", etc.
+      config = {
+        host = "localhost";
+        port = 6333;
+        collection_name = "mem0_alice";
+      };
+    };
+  };
+}
--- a/hosts/AZ-LT-NIX/services/n8n.nix
+++ b/hosts/AZ-LT-NIX/services/n8n.nix
@@ -0,0 +1,14 @@
+{...}: let
+  serviceName = "n8n";
+in {
+  services.${serviceName} = {
+    enable = true;
+    openFirewall = true;
+  };
+  systemd.services.n8n = {
+    environment = {
+      N8N_SECURE_COOKIE = "false";
+      N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = "false";
+    };
+  };
+}
--- a/hosts/AZ-LT-NIX/services/netbird.nix
+++ b/hosts/AZ-LT-NIX/services/netbird.nix
@@ -0,0 +1,28 @@
+{pkgs, ...}: {
+  services.netbird.enable = true;
+
+  systemd.services.netbird = {
+    environment = {
+      NB_DISABLE_SSH_CONFIG = "true";
+    };
+    path = [
+      pkgs.shadow
+      pkgs.util-linux
+    ];
+  };
+
+  programs.ssh.extraConfig = ''
+    Match exec "${pkgs.netbird}/bin/netbird ssh detect %h %p"
+        PreferredAuthentications password,publickey,keyboard-interactive
+        PasswordAuthentication yes
+        PubkeyAuthentication yes
+        BatchMode no
+        ProxyCommand ${pkgs.netbird}/bin/netbird ssh proxy %h %p
+        StrictHostKeyChecking no
+        UserKnownHostsFile /dev/null
+        CheckHostIP no
+        LogLevel ERROR
+  '';
+
+  networking.firewall.checkReversePath = "loose";
+}
--- a/hosts/AZ-LT-NIX/services/printing.nix
+++ b/hosts/AZ-LT-NIX/services/printing.nix
@@ -0,0 +1,45 @@
+{pkgs, ...}: {
+  # CUPS Druckdienst für PDF-Druck aus n8n
+  # Drucker: Kyocera TASKalfa 4054ci @ 192.168.152.137
+  # Druckernetz (192.168.152.0/24) wird via NetBird geroutet – ensure-printers
+  # muss warten bis NetBird verbunden ist und die Route aktiv ist.
+
+  systemd.services.ensure-printers = {
+    after = ["netbird.service"];
+    requires = ["netbird.service"];
+    serviceConfig.ExecStartPre = [
+      "${pkgs.bash}/bin/bash -c 'for i in $(seq 1 60); do ${pkgs.iproute2}/bin/ip route get 192.168.152.137 2>/dev/null | grep -q wt0 && exit 0; sleep 1; done; echo \"NetBird route to printer not available after 60s\" >&2; exit 1'"
+    ];
+  };
+
+  services.printing = {
+    enable = true;
+    drivers = with pkgs; [
+      cups-filters # driverless IPP Everywhere Support
+    ];
+  };
+
+  # Avahi für mDNS/IPP-Druckererkennung
+  services.avahi = {
+    enable = true;
+    nssmdns4 = true;
+    openFirewall = true;
+  };
+
+  # Kyocera TASKalfa 4054ci deklarativ einrichten
+  hardware.printers = {
+    ensurePrinters = [
+      {
+        name = "JW2OG";
+        location = "Buero";
+        description = "Kyocera TASKalfa 4054ci";
+        deviceUri = "ipps://192.168.152.137:443/ipp/print";
+        model = "everywhere";
+        ppdOptions = {
+          PageSize = "A4";
+        };
+      }
+    ];
+    ensureDefaultPrinter = "JW2OG";
+  };
+}
--- a/hosts/AZ-LT-NIX/services/sound.nix
+++ b/hosts/AZ-LT-NIX/services/sound.nix
@@ -0,0 +1,11 @@
+{
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+    jack.enable = false;
+    wireplumber.enable = true;
+  };
+}
--- a/hosts/AZ-LT-NIX/services/udev.nix
+++ b/hosts/AZ-LT-NIX/services/udev.nix
@@ -0,0 +1,8 @@
+{pkgs, ...}: {
+  services.udev.extraRules = ''
+    SUBSYSTEM=="usb", MODE="0666"
+  '';
+  environment.systemPackages = with pkgs; [
+    zsa-udev-rules
+  ];
+}