diff --git a/checks/default.nix b/checks/default.nix
index ae2c491..f82204c 100644
--- a/checks/default.nix
+++ b/checks/default.nix
@@ -11,7 +11,7 @@
 ];
 perSystem =
- { config, ... }:
+ { config, pkgs, ... }:
 {
 treefmt.config = {
 projectRootFile = ".git/config";
@@ -42,6 +42,18 @@
 package = config.treefmt.build.wrapper;
 };
 };
+ packages.push-to-cache =
+ let
+ allChecks = with self.checks; x86_64-linux // aarch64-linux;
+ checks = builtins.removeAttrs allChecks [ "push-to-cache" ];
+ in
+ pkgs.writeShellScriptBin "push-to-cache.sh" ''
+ attic push $1 --stdin --jobs 64 << EOF
+ ${lib.concatStringsSep "\n" (
+ builtins.map (builtins.unsafeDiscardStringContext) (builtins.attrValues checks)
+ )}
+ EOF
+ '';
 };
 flake.checks =
@@ -49,7 +61,7 @@
 build = _: nc: nc.config.system.build.toplevel;
 in
 {
- x86_64-linux = lib.mapAttrs build { inherit (self.nixosConfigurations) picard pike kirk; };
+ x86_64-linux = (lib.mapAttrs build { inherit (self.nixosConfigurations) picard pike kirk; });
 aarch64-linux = lib.mapAttrs build {
 inherit (self.nixosConfigurations) sisko; # pbp;
 };
diff --git a/flake.lock b/flake.lock
index 474c3aa..3a7c64e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -8,11 +8,11 @@
 "systems": "systems"
 },
 "locked": {
- "lastModified": 1745630506,
- "narHash": "sha256-bHCFgGeu8XjWlVuaWzi3QONjDW3coZDqSHvnd4l7xus=",
+ "lastModified": 1747575206,
+ "narHash": "sha256-NwmAFuDUO/PFcgaGGr4j3ozG9Pe5hZ/ogitWhY+D81k=",
 "owner": "ryantm",
 "repo": "agenix",
- "rev": "96e078c646b711aee04b82ba01aefbff87004ded",
+ "rev": "4835b1dc898959d8547a871ef484930675cb47f1",
 "type": "github"
 },
 "original": {
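Review bot: In the generated push-to-cache.sh, `$1` is used unquoted and never checked, so invoking the wrapper without a cache name hands attic only the flags and a name containing shell metacharacters gets word-split; `writeShellScriptBin` also does not set `-e`, so a failed push exits 0. Suggest prepending `set -euo pipefail` and `[ $# -eq 1 ] || { echo "usage: push-to-cache.sh <cache>" >&2; exit 1; }` and changing the call to `attic push "$1" --stdin --jobs 64 << EOF`. Because the paths go through `builtins.unsafeDiscardStringContext`, the script carries no build dependency on the checks, so they exist in the local store only if something else built them first — a one-line comment on the `let` stating that precondition would help. `builtins.removeAttrs allChecks [ "push-to-cache" ]` looks like a leftover, since the attribute is defined under `packages` rather than `checks`; verify it is still needed.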
@@ -26,11 +26,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1746175539, - "narHash": "sha256-/wjcn1CDQqOhwOoYKS8Xp0KejrdXSJZQMF1CbbrVtMw=", + "lastModified": 1748080874, + "narHash": "sha256-sUebEzAkrY8Aq5G0GHFyRddmRNGP/a2iTtV7ISNvi/c=", "owner": "catppuccin", "repo": "nix", - "rev": "a5db9e41a4dccfa5ffe38e6f1841a5f9ad5c5c04", + "rev": "0ba11b12be81f0849a89ed17ab635164ea8f0112", "type": "github" }, "original": { @@ -41,11 +41,11 @@ }, "crane": { "locked": { - "lastModified": 1741481578, - "narHash": "sha256-JBTSyJFQdO3V8cgcL08VaBUByEU6P5kXbTJN6R0PFQo=", + "lastModified": 1746291859, + "narHash": "sha256-DdWJLA+D5tcmrRSg5Y7tp/qWaD05ATI4Z7h22gd1h7Q=", "owner": "ipetkov", "repo": "crane", - "rev": "bb1c9567c43e4434f54e9481eb4b8e8e0d50f0b5", + "rev": "dfd9a8dfd09db9aad544c4d3b6c47b12562544a5", "type": "github" }, "original": { @@ -83,11 +83,11 @@ ] }, "locked": { - "lastModified": 1745812220, - "narHash": "sha256-hotBG0EJ9VmAHJYF0yhWuTVZpENHvwcJ2SxvIPrXm+g=", + "lastModified": 1748832438, + "narHash": "sha256-/CtyLVfNaFP7PrOPrTEuGOJBIhcBKVQ91KiEbtXJi0A=", "owner": "nix-community", "repo": "disko", - "rev": "d0c543d740fad42fe2c035b43c9d41127e073c78", + "rev": "58d6e5a83fff9982d57e0a0a994d4e5c0af441e4", "type": "github" }, "original": { @@ -103,11 +103,11 @@ "pyproject-nix": "pyproject-nix" }, "locked": { - "lastModified": 1735160684, - "narHash": "sha256-n5CwhmqKxifuD4Sq4WuRP/h5LO6f23cGnSAuJemnd/4=", + "lastModified": 1748838242, + "narHash": "sha256-wORL3vLIJdBF8hz73yuD7DVsrbOvFgtH96hQIetXhfg=", "owner": "nix-community", "repo": "dream2nix", - "rev": "8ce6284ff58208ed8961681276f82c2f8f978ef4", + "rev": "e92dacdc57acaa6b2ae79592c1a62c2340931410", "type": "github" }, "original": { 
@@ -122,11 +122,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1746240489, - "narHash": "sha256-DWMG7jkpxrEGzTZZerDqaxT8X983tibFGfNeoWtX1yU=", + "lastModified": 1748941793, + "narHash": "sha256-HncwK05hos0Z5SSjVF5CtZjwMTn56xjWq08fRIdKBms=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "66bb2d7a4df96d0c1e63648850b7aed1b2e8d683", + "rev": "78278b770d2c83657657da569544cf20eccee0ef", "type": "github" }, "original": { @@ -191,11 +191,11 @@ ] }, "locked": { - "lastModified": 1741352980, - "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=", + "lastModified": 1743550720, + "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9", + "rev": "c621e8422220273271f52058f618c94e405bb0f5", "type": "github" }, "original": { @@ -245,11 +245,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1743550720, - "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", + "lastModified": 1748821116, + "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "c621e8422220273271f52058f618c94e405bb0f5", + "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1", "type": "github" }, "original": { @@ -282,11 +282,11 @@ ] }, "locked": { - "lastModified": 1742649964, - "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=", + "lastModified": 1747372754, + "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82", + "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46", "type": "github" }, "original": { 
@@ -387,11 +387,11 @@ ] }, "locked": { - "lastModified": 1746243165, - "narHash": "sha256-DQycVmlyLQNLjLJ/FzpokVmbxGQ8HjQQ4zN4nyq2vII=", + "lastModified": 1748925027, + "narHash": "sha256-BJ0qRIdvt5aeqm3zg/5if7b5rruG05zrSX3UpLqjDRk=", "owner": "nix-community", "repo": "home-manager", - "rev": "c0962eeeabfb8127713f859ec8a5f0e86dead0f2", + "rev": "cb809ec1ff15cf3237c6592af9bbc7e4d983e98c", "type": "github" }, "original": { @@ -448,11 +448,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1745271491, - "narHash": "sha256-4GAHjus6JRpYHVROMIhFIz/sgLDF/klBM3UHulbSK9s=", + "lastModified": 1747056319, + "narHash": "sha256-qSKcBaISBozadtPq6BomnD+wIYTZIkiua3UuHLaD52c=", "owner": "nix-community", "repo": "lanzaboote", - "rev": "995637eb3ab78eac33f8ee6b45cc2ecd5ede12ba", + "rev": "2e425f3da6ce7f5b34fa6eaf7a2a7f78dbabcc85", "type": "github" }, "original": { @@ -464,11 +464,11 @@ "lix": { "flake": false, "locked": { - "lastModified": 1746186329, - "narHash": "sha256-MLz0MjeVCaqvIvf5szUwNwYEiXC/lKWL0I2VS+6V/e0=", + "lastModified": 1748893954, + "narHash": "sha256-Vj1GHarIzlJI3We5KnYcAQlSjn++fx7/lKRaiIVz3tg=", "ref": "refs/heads/main", - "rev": "4e84fd9a0061a04627ec6962c0ed08c2ad0b8a7f", - "revCount": 17824, + "rev": "019b17f4e93c098f99a9bc691be1f1c4df026c7d", + "revCount": 17982, "type": "git", "url": "https://git@git.lix.systems/lix-project/lix" }, @@ -489,11 +489,11 @@ ] }, "locked": { - "lastModified": 1742945498, - "narHash": "sha256-MB/b/xcDKqaVBxJIIxwb81r8ZiGLeKEcqokATRRroo8=", + "lastModified": 1747667424, + "narHash": "sha256-7EICjbmG6lApWKhFtwvZovdcdORY1CEe6/K7JwtpYfs=", "ref": "refs/heads/main", - "rev": "fa69ae26cc32dda178117b46487c2165c0e08316", - "revCount": 138, + "rev": "3c23c6ae2aecc1f76ae7993efe1a78b5316f0700", + "revCount": 144, "type": "git", "url": "https://git.lix.systems/lix-project/nixos-module" }, 
@@ -505,11 +505,11 @@ "mobile-nixos": { "flake": false, "locked": { - "lastModified": 1743812405, - "narHash": "sha256-BedQ9Z3+nqtp9BRjHjJNPUeLIMVbTsP3Udbz0b1cUn0=", + "lastModified": 1748200777, + "narHash": "sha256-ELbQ7Apk0QzfhO8WjQIqEBuN2bEnGQHNxeiOSx/mU38=", "owner": "NixOS", "repo": "mobile-nixos", - "rev": "6679fd7a8dd4ccf4aa538b82216723861cfe61a2", + "rev": "6e249e58b5d8166738ebcfd401f05f7496049dd3", "type": "github" }, "original": { @@ -554,11 +554,11 @@ "nmd": "nmd" }, "locked": { - "lastModified": 1725658585, - "narHash": "sha256-P29z4Gt89n5ps1U7+qmIrj0BuRXGZQSIaOe2+tsPgfw=", + "lastModified": 1747382160, + "narHash": "sha256-nlHPjA5GH4wdwnAoOzCt7BVLUKtIAAW2ClNGz2OxTrs=", "owner": "nix-community", "repo": "nix-on-droid", - "rev": "5d88ff2519e4952f8d22472b52c531bb5f1635fc", + "rev": "40b8c7465f78887279a0a3c743094fa6ea671ab1", "type": "github" }, "original": { @@ -569,11 +569,11 @@ }, "nixosHardware": { "locked": { - "lastModified": 1745955289, - "narHash": "sha256-mmV2oPhQN+YF2wmnJzXX8tqgYmUYXUj3uUUBSTmYN5o=", + "lastModified": 1748942041, + "narHash": "sha256-HEu2gTct7nY0tAPRgBtqYepallryBKR1U8B4v2zEEqA=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "72081c9fbbef63765ae82bff9727ea79cc86bd5b", + "rev": "fc7c4714125cfaa19b048e8aaf86b9c53e04d853", "type": "github" }, "original": { @@ -632,11 +632,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1743296961, - "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=", + "lastModified": 1748740939, + "narHash": "sha256-rQaysilft1aVMwF14xIdGS3sj1yHlI6oKQNBRTF40cc=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa", + "rev": "656a64127e9d791a334452c6b6606d17539476e2", "type": "github" }, "original": { 
@@ -647,11 +647,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1746183838, - "narHash": "sha256-kwaaguGkAqTZ1oK0yXeQ3ayYjs8u/W7eEfrFpFfIDFA=", + "lastModified": 1748810746, + "narHash": "sha256-1na8blYvU1F6HLwx/aFjrhUqpqZ0SCsnqqW9n2vXvok=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "bf3287dac860542719fe7554e21e686108716879", + "rev": "78d9f40fd6941a1543ffc3ed358e19c69961d3c1", "type": "github" }, "original": { @@ -711,11 +711,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1746141548, - "narHash": "sha256-IgBWhX7A2oJmZFIrpRuMnw5RAufVnfvOgHWgIdds+hc=", + "lastModified": 1748693115, + "narHash": "sha256-StSrWhklmDuXT93yc3GrTlb0cKSS0agTAxMGjLKAsY8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f02fddb8acef29a8b32f10a335d44828d7825b78", + "rev": "910796cabe436259a29a72e8d3f5e180fc6dfacc", "type": "github" }, "original": { @@ -742,11 +742,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1746141548, - "narHash": "sha256-IgBWhX7A2oJmZFIrpRuMnw5RAufVnfvOgHWgIdds+hc=", + "lastModified": 1748693115, + "narHash": "sha256-StSrWhklmDuXT93yc3GrTlb0cKSS0agTAxMGjLKAsY8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f02fddb8acef29a8b32f10a335d44828d7825b78", + "rev": "910796cabe436259a29a72e8d3f5e180fc6dfacc", "type": "github" }, "original": { @@ -821,11 +821,11 @@ ] }, "locked": { - "lastModified": 1741379162, - "narHash": "sha256-srpAbmJapkaqGRE3ytf3bj4XshspVR5964OX5LfjDWc=", + "lastModified": 1746537231, + "narHash": "sha256-Wb2xeSyOsCoTCTj7LOoD6cdKLEROyFAArnYoS+noCWo=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "b5a62751225b2f62ff3147d0a334055ebadcd5cc", + "rev": "fa466640195d38ec97cf0493d6d6882bc4d14969", "type": "github" }, "original": { 
@@ -906,11 +906,11 @@
 ]
 },
 "locked": {
- "lastModified": 1741573199,
- "narHash": "sha256-A2sln1GdCf+uZ8yrERSCZUCqZ3JUlOv1WE2VFqqfaLQ=",
+ "lastModified": 1747017456,
+ "narHash": "sha256-C/U12fcO+HEF071b5mK65lt4XtAIZyJSSJAg9hdlvTk=",
 "owner": "oxalica",
 "repo": "rust-overlay",
- "rev": "c777dc8a1e35407b0e80ec89817fe69970f4e81a",
+ "rev": "5b07506ae89b025b14de91f697eba23b48654c52",
 "type": "github"
 },
 "original": {
@@ -1009,11 +1009,11 @@
 ]
 },
 "locked": {
- "lastModified": 1746216483,
- "narHash": "sha256-4h3s1L/kKqt3gMDcVfN8/4v2jqHrgLIe4qok4ApH5x4=",
+ "lastModified": 1748243702,
+ "narHash": "sha256-9YzfeN8CB6SzNPyPm2XjRRqSixDopTapaRsnTpXUEY8=",
 "owner": "numtide",
 "repo": "treefmt-nix",
- "rev": "29ec5026372e0dec56f890e50dbe4f45930320fd",
+ "rev": "1f3f7b784643d488ba4bf315638b2b0a4c5fb007",
 "type": "github"
 },
 "original": {
diff --git a/hmModules/emacs/default.nix b/hmModules/emacs/default.nix
index ccaccea..ffd5c5a 100644
--- a/hmModules/emacs/default.nix
+++ b/hmModules/emacs/default.nix
@@ -49,6 +49,7 @@ in
 copilot-language-server.fhs
 math-preview
 emacs-lsp-booster
+ texlive.combined.scheme-full
 ]
 ++ (with hunspellDicts; [
 en_US-large
diff --git a/hosts/default.nix b/hosts/default.nix
index efdd865..170cd88 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -89,6 +89,7 @@
 "forgejo-runners-token".owner = "nixuser";
 "forgejo-nix-access-tokens".owner = "nixuser";
 "nix-netrc" = { };
+ "wireguard-mlabs-private-key" = { };
 };
 };
diff --git a/hosts/picard/default.nix b/hosts/picard/default.nix
index 02271ff..bf4c0c7 100644
--- a/hosts/picard/default.nix
+++ b/hosts/picard/default.nix
@@ -41,6 +41,7 @@
 "prometheus-exporters"
 "zerotier"
 "alloy"
+ "wireguard-mlabs"
 ]
 ++ [ ./disko.nix ];
diff --git a/hosts/pike/default.nix b/hosts/pike/default.nix
index c1c2579..bd39cf3 100644
--- a/hosts/pike/default.nix
+++ b/hosts/pike/default.nix
@@ -89,6 +89,7 @@
 "pantalaimon"
 "gimp"
 "jellyfin"
+ "unison"
 ];
 extraGroups = [ "plugdev" ];
 backupPaths = [ ];
diff --git a/modules/home-assistant/default.nix b/modules/home-assistant/default.nix
index 086e8e7..3801ed8 100644
--- a/modules/home-assistant/default.nix
+++ b/modules/home-assistant/default.nix
@@ -163,6 +163,19 @@ in
 config.services.home-assistant.configDir
 ];
+ services.nginx.virtualHosts."home.aciceri.dev" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${builtins.toString config.services.home-assistant.config.http.server_port}";
+ proxyWebsockets = true;
+ };
+ extraConfig = ''
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ '';
+ };
+
 # virtualisation.oci-containers = {
 # backend = "podman";
 # containers.homeassistant = {
diff --git a/modules/immich/default.nix b/modules/immich/default.nix
index bf93484..505d325 100644
--- a/modules/immich/default.nix
+++ b/modules/immich/default.nix
@@ -22,4 +22,16 @@
 fsType = "ext4";
 options = [ "bind" ];
 };
+
+ services.nginx.virtualHosts."photos.aciceri.dev" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${builtins.toString config.services.immich.port}";
+ proxyWebsockets = true;
+ };
+ extraConfig = ''
+ client_max_body_size 50000M;
+ '';
+ };
 }
diff --git a/modules/nix/default.nix b/modules/nix/default.nix
index ef46e63..e8dedc8 100644
--- a/modules/nix/default.nix
+++ b/modules/nix/default.nix
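Review bot: The two `proxy_set_header Upgrade`/`Connection` lines in `extraConfig` duplicate what `proxyWebsockets = true` already emits inside the `/` location, and since nginx inherits `proxy_set_header` only when the current level defines none, the server-level copies are ignored for that location; drop them or add a comment saying what they are for. Neither this hunk nor the immich hunk below imports `../nginx-base`, which the new TODO in sisko-proxy says every module defining a virtualHost should do — if nginx-base is what enables nginx and the ACME defaults, these vhosts are inert on a host that stops importing sisko-proxy (the imports of both files are outside the hunks, so this is inferred). For Home Assistant behind a reverse proxy, also confirm that `http.use_x_forwarded_for` and `http.trusted_proxies` are set in the HA config elsewhere in this module; otherwise every request appears to come from 127.0.0.1 and HA's login-attempt IP banning cannot distinguish clients.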
@@ -25,23 +25,23 @@
 "https://cache.iog.io"
 "https://cache.lix.systems"
 "https://nix-community.cachix.org"
- # "https://mlabs.cachix.org"
+ "https://mlabs.cachix.org"
 "http://sisko.wg.aciceri.dev:8081/nixfleet"
 ];
 trusted-public-keys = [
 "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ="
 "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="
 "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- # "mlabs.cachix.org-1:gStKdEqNKcrlSQw5iMW6wFCj3+b+1ASpBVY2SYuNV2M="
+ "mlabs.cachix.org-1:gStKdEqNKcrlSQw5iMW6wFCj3+b+1ASpBVY2SYuNV2M="
 "nixfleet:Bud23440n6mMTmgq/7U+mk91zlLjnx2X3lQQrCBCCU4="
 ];
- deprecated-features = [ "url-literals" ];
+ deprecated-features = [ "url-literals" ]; # despite a warning saying that this option doesn't exist it seems to work
 };
 nixPath = [ "nixpkgs=${fleetFlake.inputs.nixpkgs}" ];
 extraOptions = ''
- experimental-features = nix-command flakes impure-derivations
+ experimental-features = nix-command flakes
 builders-use-substitutes = true
 '';
diff --git a/modules/paperless/default.nix b/modules/paperless/default.nix
index eea062d..f0ad8f3 100644
--- a/modules/paperless/default.nix
+++ b/modules/paperless/default.nix
@@ -16,6 +16,7 @@
 pdfa_image_compression = "lossless";
 invalidate_digital_signatures = true;
 };
+ PAPERLESS_URL = "https://paper.sisko.wg.aciceri.dev";
 };
 };
@@ -33,6 +34,12 @@
 };
 extraConfig = ''
 client_max_body_size 50000M;
+ proxy_redirect off;
+ proxy_set_header Host $host:$server_port;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $server_name;
+ proxy_set_header X-Forwarded-Proto $scheme;
 '';
 serverAliases = [ "paper.sisko.zt.aciceri.dev" ];
 };
diff --git a/modules/sisko-proxy/default.nix b/modules/sisko-proxy/default.nix
index 19b32b5..2a79fec 100644
--- a/modules/sisko-proxy/default.nix
+++ b/modules/sisko-proxy/default.nix
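Review bot: Uncommenting `mlabs.cachix.org-1:…` in `trusted-public-keys` makes the daemon on every host importing this module accept any store path signed with that key, so whoever controls that cache can supply the output of any derivation these machines substitute; that is the intended trust model for a work cache, but a short comment next to the key naming the owner and why it is trusted would help the next reader judge whether it should stay. The new comment on `deprecated-features` does not say which evaluator prints the "option doesn't exist" warning (Lix vs. CppNix), so it will be hard to know when it can be removed; suggest `# Lix-only setting; CppNix warns that it is unknown but still evaluates`, adjusted to whichever evaluator you actually observed. The removal of `impure-derivations` is fine if nothing still relies on it, which cannot be checked from this hunk.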
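Review bot: `proxy_set_header X-Forwarded-Host $server_name;` forwards the primary server name, not the name the client used, so a request through the `paper.sisko.zt.aciceri.dev` alias reaches Paperless labelled as the primary host; `$host` is the usual choice and would match the `Host` header set one line above. With `PAPERLESS_URL` now pinned to `https://paper.sisko.wg.aciceri.dev`, requests that arrive via the alias will likely fail Django's host/CSRF origin checks unless the alias is also listed (`PAPERLESS_CSRF_TRUSTED_ORIGINS` / `PAPERLESS_ALLOWED_HOSTS`), so either drop the alias or add it. Paperless only honours the forwarded host and port when `PAPERLESS_USE_X_FORWARD_HOST` and `PAPERLESS_USE_X_FORWARD_PORT` are enabled, so check those if the `X-Forwarded-Host` line is meant to have an effect.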
@@ -1,105 +1,5 @@
-{ config, ... }:
 {
 imports = [ ../nginx-base ];
- services.nginx.virtualHosts = {
- localhost.listen = [ { addr = "127.0.0.1"; } ];
- "home.aciceri.dev" = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://localhost:${builtins.toString config.services.home-assistant.config.http.server_port}";
- proxyWebsockets = true;
- };
- extraConfig = ''
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- '';
- };
- "home.sisko.aciceri.dev" = {
- forceSSL = true;
- useACMEHost = "aciceri.dev";
- locations."/" = {
- proxyPass = "http://localhost:${builtins.toString config.services.home-assistant.config.http.server_port}";
- proxyWebsockets = true;
- };
- extraConfig = ''
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- '';
- };
- "photos.aciceri.dev" = {
- extraConfig = ''
- client_max_body_size 50000M;
- '';
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://localhost:${builtins.toString config.services.immich.port}";
- proxyWebsockets = true;
- };
- };
- # "${config.services.nextcloud.hostName}" = {
- # forceSSL = true;
- # enableACME = true;
- # };
- # "sevenofnix.aciceri.dev" = {
- # forceSSL = true;
- # enableACME = true;
- # locations."/" = {
- # proxyPass = "http://10.1.1.2:${builtins.toString config.services.buildbot-master.port}";
- # proxyWebsockets = true;
- # };
- # };
- };
-
- # services.oauth2_proxy = {
- # enable = true;
- # provider = "oidc";
- # reverseProxy = true;
- # # replaces following options with .keyFile
-
- # clientID = "shouldThisBePrivate?";
- # clientSecret = "thisShouldBePrivate";
- # cookie.secret = "thisShouldBePrivate00000";
-
- # email.domains = [ "*" ];
- # extraConfig = {
- # # custom-sign-in-logo = "${../../lib/mlabs-logo.svg}";
- # # scope = "user:email";
- # # banner = "MLabs Status";
- # # whitelist-domain = ".status.staging.mlabs.city";
- # oidc-issuer-url = "http://127.0.0.1:5556/dex";
- # };
- # # redirectURL = "https://status.staging.mlabs.city/oauth2/callback";
- # # keyFile = config.age.secrets.status-oauth2-secrets.path;
- # # cookie.domain = ".status.staging.mlabs.city";
- # nginx = {
- # virtualHosts = [
- # "search.aciceri.dev"
- # ];
- # };
- # };
-
- # services.dex = {
- # enable = true;
- # settings = {
- # issuer = "http://127.0.0.1:5556/dex";
- # storage = {
- # type = "postgres";
- # config.host = "/var/run/postgresql";
- # };
- # web = {
- # http = "127.0.0.1:5556";
- # };
- # enablePasswordDB = true;
- # staticClients = [
- # {
- # # id = "oidcclient";
- # # name = "client";
- # # redirecturis = [ "https://login.aciceri.dev/callback" ];
- # # secretfile = "/etc/dex/oidcclient"; # the content of `secretfile` will be written into to the config as `secret`.
- # }
- # ];
- # };
- # };
+ # TODO this file can be probably deleted now
+ # each module defining a virtualHost should import nginx-base
 }
diff --git a/modules/wireguard-client/default.nix b/modules/wireguard-client/default.nix
index 352aa40..28bc943 100644
--- a/modules/wireguard-client/default.nix
+++ b/modules/wireguard-client/default.nix
@@ -13,6 +13,7 @@
 {
 publicKey = vpn.sisko.publicKey;
 allowedIPs = [ "10.100.0.0/24" ];
+ # allowedIPs = [ "0.0.0.0/24" ]; # Uncomment for full tunnel
 endpoint = "vpn.aciceri.dev:51820";
 persistentKeepalive = 25;
 }
diff --git a/modules/wireguard-mlabs/default.nix b/modules/wireguard-mlabs/default.nix
new file mode 100644
index 0000000..2d583f7
--- /dev/null
+++ b/modules/wireguard-mlabs/default.nix
@@ -0,0 +1,15 @@
+{ config, ... }:
+{
+ networking.wireguard.interfaces.wg1 = {
+ ips = [ "10.10.1.1/32" ];
+ peers = [
+ {
+ publicKey = "A4u2Rt5WEMHOAc6YpDABkqAy2dzzFLH9Gn8xWcKaPQQ=";
+ allowedIPs = [ "10.10.0.0/16" ];
+ endpoint = "vpn.staging.mlabs.city:51820";
+ persistentKeepalive = 25;
+ }
+ ];
+ privateKeyFile = config.age.secrets.wireguard-mlabs-private-key.path;
+ };
+}
diff --git a/modules/wireguard-server/default.nix b/modules/wireguard-server/default.nix
index a02ccad..efb9b41 100644
--- a/modules/wireguard-server/default.nix
+++ b/modules/wireguard-server/default.nix
@@ -2,6 +2,7 @@
 config,
 lib,
 vpn,
+ pkgs,
 ...
 }:
 {
@@ -17,5 +18,13 @@
 publicKey = vpnConfig.publicKey;
 allowedIPs = [ "${vpnConfig.ip}/32" ];
 }) vpn;
+
+ postSetup = ''
+ ${lib.getExe' pkgs.iptables "iptables"} -t nat -A POSTROUTING -s 10.100.0.0/24 -o enP4p65s0 -j MASQUERADE
+ '';
+
+ postShutdown = ''
+ ${lib.getExe' pkgs.iptables "iptables"} -t nat -D POSTROUTING -s 10.100.0.0/24 -o enP4p65s0 -j MASQUERADE
+ '';
 };
 }
diff --git a/secrets/nix-netrc.age b/secrets/nix-netrc.age
index 7b0438f..f2dd53c 100644
Binary files a/secrets/nix-netrc.age and b/secrets/nix-netrc.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index fd1bca9..8646ff3 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -164,6 +164,12 @@ with keys.users;
 picard
 kirk
 ];
+ "wireguard-mlabs-private-key.age".publicKeys = [
+ ccr-ssh
+ picard
+ pike
+ kirk
+ ];
 # WireGuard
 "picard-wireguard-private-key.age".publicKeys = [
diff --git a/secrets/wireguard-mlabs-private-key.age b/secrets/wireguard-mlabs-private-key.age
new file mode 100644
index 0000000..363e217
--- /dev/null
+++ b/secrets/wireguard-mlabs-private-key.age
@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 Zh7Kmw 1pcva3l9KyvXlzWJVeul63s1xnL2yEMzuB1R73IdKlA
+TDDa9yQYXrqFS+MCEeqCcQ/27zu3WytSmU5MBNyQTIk
+-> ssh-ed25519 /WmILg z9/JeIxSpzndNP+1fwfdRfKYTaNp7wVITCkF7wwayEs
+8PlFDHZbA0Z/3svhPWGE/sHfsMNmuXrdP6Qf0FhLMmc
+-> ssh-ed25519 OYRzvQ Tk0mN20c8199ZvTY6jXY6ExSXGR3kb4qtnj8HkPj1xY
+5SGMhFzIE98NgNw7bnnivVTvuKtBtJdf/2jAjJUSKl8
+-> ssh-ed25519 /yLdGQ 8J4LLlxtMFW8fALPGUk/NaHIJ59bo9tKe5TGiGAvYhk
+sgE0SQi169mEtltDWIb4ZZaXKUXORyiKhmOZsNOiqKU
+--- sWbCYolqfqwIsja6nNdyPBcOeM/Qq5GninMokUvK4xE
+ʼngz{4 X? +A e"v\Ho,m}bq$h:fGkF=#0q
\ No newline at end of file
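Review bot: The new `postSetup` MASQUERADE rule only does anything if IPv4 forwarding is enabled on the host, and nothing in the hunk sets it; whether `net.ipv4.ip_forward` is configured elsewhere cannot be seen from here. NixOS already has a declarative equivalent that also manages the sysctl — `networking.nat.enable`, `networking.nat.internalIPs = [ "10.100.0.0/24" ]`, `networking.nat.externalInterface = "enP4p65s0"` — which would replace both hooks and avoid hand-rolled `-A`/`-D` pairs that drift if the unit is restarted abnormally; if the raw iptables form is kept on purpose (for example because the host uses a different firewall backend), a comment saying why would help. The hard-coded `enP4p65s0` deserves at least `# uplink interface of sisko` next to it. The enclosing attrset closes at the end of the hunk.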
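Review bot: `wireguard-mlabs-private-key.age` is re-keyed to `pike` and `kirk` as well as `picard`, but only picard imports the `wireguard-mlabs` module in this commit, so two hosts can decrypt a private key for a third party's VPN that they never use. Restrict `publicKeys` to `ccr-ssh` and `picard` and extend the list when another host actually gets the module; if pike and kirk are meant to join later, a comment such as `# pike/kirk included ahead of enabling wireguard-mlabs there` makes the wider recipient set deliberate rather than accidental.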