From 01c04cd91cccaf3fc541de4148453bf0bd7cbfbd Mon Sep 17 00:00:00 2001 From: fwastring Date: Sat, 13 Sep 2025 22:02:42 +0200 Subject: [PATCH] Added lots of sops --- .sops.yaml | 11 ++ flake.lock | 21 ++++ flake.nix | 14 +-- maskiner/desktop/alloy-systemd.yaml | 20 ++++ maskiner/desktop/configuration.nix | 31 +++++- maskiner/jobb/configuration.nix | 12 +++ maskiner/macmini/alloy-systemd.yaml | 20 ++++ maskiner/macmini/configuration.nix | 25 ++--- moduler/base.nix | 1 + moduler/dev.nix | 60 +++++------ moduler/fish.nix | 5 +- moduler/home.nix | 2 +- moduler/hyprland.nix | 4 +- moduler/lsp.nix | 1 - moduler/network.nix | 45 ++++---- moduler/programs.nix | 5 +- moduler/radicale.nix | 25 ++--- moduler/services/headscale/default.nix | 46 ++++++++ moduler/services/monitoring/default.nix | 101 ++++++++++++++---- moduler/services/monitoring/loki.yaml | 55 ++++++++++ moduler/services/wireguard-server/default.nix | 63 +++++++++++ moduler/system.nix | 98 ++++++++--------- moduler/vaultwarden.nix | 12 +-- moduler/wastring.nix | 2 +- secrets/sops.yaml | 36 +++++++ 25 files changed, 532 insertions(+), 183 deletions(-) create mode 100644 .sops.yaml create mode 100644 maskiner/desktop/alloy-systemd.yaml create mode 100644 maskiner/macmini/alloy-systemd.yaml create mode 100644 moduler/services/headscale/default.nix create mode 100644 moduler/services/monitoring/loki.yaml create mode 100644 moduler/services/wireguard-server/default.nix create mode 100644 secrets/sops.yaml diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..356cf9d --- /dev/null +++ b/.sops.yaml 
@@ -0,0 +1,11 @@ +keys: + - &admin_fw age1jeyw96795qu52swmtkjqgr2w3g4vxc43ckc5r4hlwpje23ptnfwsheah0s + - &server_desktop age106ml0ssx0p24dvfamp322myzka4wzeze9yhzyvtptp9c6fmmru6slswh2x + - &server_macmini age1dql5lwetk39a9y8ummfgjx3aym02yn205lxk389k6q0tu9y3ff4s94l66t +creation_rules: + - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - age: + - *admin_fw + - *server_desktop + - *server_macmini diff --git a/flake.lock b/flake.lock index edecc46..b024ca1 100644 --- a/flake.lock +++ b/flake.lock @@ -791,9 +791,30 @@ "minimal-tmux": "minimal-tmux", "neovim-nightly-overlay": "neovim-nightly-overlay", "nixpkgs": "nixpkgs_3", + "sops-nix": "sops-nix", "stylix": "stylix" } }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1757503115, + "narHash": "sha256-S9F6bHUBh+CFEUalv/qxNImRapCxvSnOzWBUZgK1zDU=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "0bf793823386187dff101ee2a9d4ed26de8bbf8c", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "stylix": { "inputs": { "base16": "base16", diff --git a/flake.nix b/flake.nix index 551eb13..79b0a57 100644 --- a/flake.nix +++ b/flake.nix @@ -8,7 +8,10 @@ url = "github:nix-community/stylix"; inputs.nixpkgs.follows = "nixpkgs"; }; - # fw-pkgs.url = "github:fwastring/fwpkgs/main"; + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; # Neovim neovim-nightly-overlay.url = "github:nix-community/neovim-nightly-overlay"; @@ -31,17 +34,12 @@ nixpkgs, home-manager, stylix, + sops-nix, ... }@inputs: let inherit (self) outputs; system = "x86_64-linux"; - # overlay-fw-pkgs = final: prev: { - # fw-pkgs = import fw-pkgs { - # inherit system; - # config.allowUnfree = false; - # }; - # }; in { # NixOS configuration entrypoint @@ -63,6 +61,7 @@ }; modules = [ ./maskiner/desktop/configuration.nix + sops-nix.nixosModules.sops ]; }; jobb = nixpkgs.lib.nixosSystem { 
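Review bot: The single creation rule gives all three recipients every file under `secrets/`, so the macmini host key can decrypt `gandi_key` and `wireguard_private_key` even though, in this commit, only desktop and jobb declare those secrets. That is wider than least privilege: a compromise of any one host key exposes every secret in the repo. Consider one file per host (e.g. `secrets/desktop.yaml` — name constructed) with a separate `path_regex` rule listing `*admin_fw` plus only that host's key, and keep the shared rule for secrets that genuinely need to be readable everywhere.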
@@ -74,6 +73,7 @@ ./maskiner/jobb/configuration.nix stylix.nixosModules.stylix home-manager.nixosModules.home-manager + sops-nix.nixosModules.sops ]; }; work-desktop = nixpkgs.lib.nixosSystem { diff --git a/maskiner/desktop/alloy-systemd.yaml b/maskiner/desktop/alloy-systemd.yaml new file mode 100644 index 0000000..9e80626 --- /dev/null +++ b/maskiner/desktop/alloy-systemd.yaml @@ -0,0 +1,20 @@ +loki.relabel "journal" { + forward_to = [] + + rule { + source_labels = ["__journal__systemd_unit"] + target_label = "unit" + } +} + +loki.source.journal "read" { + forward_to = [loki.write.endpoint.receiver] + relabel_rules = loki.relabel.journal.rules + labels = {component = "desktop"} +} + +loki.write "endpoint" { + endpoint { + url ="http://localhost:3100/loki/api/v1/push" + } +} diff --git a/maskiner/desktop/configuration.nix b/maskiner/desktop/configuration.nix index 05039a7..ff4a471 100644 --- a/maskiner/desktop/configuration.nix +++ b/maskiner/desktop/configuration.nix @@ -19,9 +19,38 @@ ../../moduler/vaultwarden.nix ../../moduler/signal.nix ../../moduler/uptime-kuma.nix + ../../moduler/services/monitoring + ../../moduler/services/wireguard-server # ../../moduler/wastring.nix ]; + sops.defaultSopsFile = ../../secrets/sops.yaml; + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + sops.secrets.gandi_key = { + path = "/run/secrets/gandi_key"; + owner = "root"; + mode = "0440"; + }; + + grafana = { + enable = true; + host = "127.0.0.1"; + domain = "grafana.wastring.com"; + }; + + prometheus = { + enable = true; + exporters.enable = true; + }; + + loki = { + enable = true; + }; + + alloy = { + enable = true; + configPath = ./alloy-systemd.yaml; + }; nix.settings = { trusted-public-keys = [ @@ -44,7 +73,7 @@ certs."shop.wastring.com" = { dnsProvider = "gandiv5"; webroot = null; - credentialsFile = /run/secrets/gandi_key; + credentialsFile = config.sops.secrets.gandi_key.path; dnsPropagationCheck = true; }; }; 
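Review bot: `mode = "0440"` on `sops.secrets.gandi_key` makes the Gandi API key readable by the file's group, and since no `group` is set that is sops-nix's default group (presumably `keys`) — which the new wireguard module also adds `systemd-network` to, so that service account would be able to read the DNS credentials. If the ACME unit reads `credentialsFile` as root (as an `EnvironmentFile`), `mode = "0400"` is enough; if it really is read as the `acme` user, set `group = "acme"` explicitly instead of widening access to the shared group — worth confirming against the acme module in the pinned nixpkgs. The same block is added in the jobb hunk. Note also that this file imports `../../moduler/services/wireguard-server` but never sets `wireguard-server.enable`; see the note on that module for why the server still comes up.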
diff --git a/maskiner/jobb/configuration.nix b/maskiner/jobb/configuration.nix index 99bfcf7..75daa37 100644 --- a/maskiner/jobb/configuration.nix +++ b/maskiner/jobb/configuration.nix @@ -26,8 +26,20 @@ in ../../moduler/lsp.nix ../../moduler/hyprland.nix ../../moduler/sound.nix + ../../moduler/programs/kubernetes-tools.nix ]; + kubernetes-tools.enable = true; + + sops.defaultSopsFile = ../../secrets/sops.yaml; + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + sops.secrets.gandi_key = { + # This path is where the *decrypted* secret will be placed at runtime + path = "/run/secrets/gandi_key"; + owner = "root"; + mode = "0440"; + }; + stylix = { enable = true; base16Scheme = "${pkgs.base16-schemes}/share/themes/catppuccin-latte.yaml"; diff --git a/maskiner/macmini/alloy-systemd.yaml b/maskiner/macmini/alloy-systemd.yaml new file mode 100644 index 0000000..c7bf697 --- /dev/null +++ b/maskiner/macmini/alloy-systemd.yaml @@ -0,0 +1,20 @@ +loki.relabel "journal" { + forward_to = [] + + rule { + source_labels = ["__journal__systemd_unit"] + target_label = "unit" + } +} + +loki.source.journal "read" { + forward_to = [loki.write.endpoint.receiver] + relabel_rules = loki.relabel.journal.rules + labels = {component = "macmini"} +} + +loki.write "endpoint" { + endpoint { + url ="http://192.168.1.227:3100/loki/api/v1/push" + } +} diff --git a/maskiner/macmini/configuration.nix b/maskiner/macmini/configuration.nix index 527602d..e63a1cc 100644 --- a/maskiner/macmini/configuration.nix +++ b/maskiner/macmini/configuration.nix 
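Review bot: `../../moduler/programs/kubernetes-tools.nix` (and `kubernetes-tools.enable = true`) references a file that this commit does not add — the diffstat lists nothing under `moduler/programs/` — and home.nix likewise now points at `../moduler/programs/k9s`. In a flake only tracked files are copied to the store, so unless these paths are already committed elsewhere, evaluation of the jobb host fails with a missing-path error rather than a clear message. Confirm both paths are tracked before merging, or add them in the same commit.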
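Review bot: `url ="http://192.168.1.227:3100/loki/api/v1/push"` ships the full systemd journal of macmini across the LAN in cleartext, to a Loki whose config in this commit has `auth_enabled: false`, so anything on that network segment can read or inject log lines. Journal contents routinely include usernames, hostnames and the occasional leaked token, so they deserve at least transport protection. Since the same commit sets up a WireGuard server on desktop, pointing this endpoint at the tunnel address instead of the LAN IP would be the cheapest fix; alternatively front Loki with the existing nginx (TLS plus basic auth) and use an `https://` URL here.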
@@ -14,31 +14,18 @@ ./hardware-configuration.nix ../../moduler/users.nix ../../moduler/base.nix + ../../moduler/services/monitoring ]; + alloy = { + enable = true; + configPath = ./alloy-systemd.yaml; + }; + nixpkgs.config.permittedInsecurePackages = [ "broadcom-sta-6.30.223.271-57-6.12.45" ]; - networking.firewall = { - enable = true; - allowedTCPPorts = [ - 80 - 443 - 3000 - 8384 - 8008 - 8009 - 22000 - ]; - allowedUDPPortRanges = [ - { - from = 1; - to = 65535; - } - ]; - }; - nix.settings = { trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" diff --git a/moduler/base.nix b/moduler/base.nix index 8307310..c3a0ced 100644 --- a/moduler/base.nix +++ b/moduler/base.nix @@ -17,6 +17,7 @@ ); nix.nixPath = [ "/etc/nix/path" ]; users.defaultUserShell = pkgs.bash; + documentation.man.generateCaches = false; programs.fish.enable = true; programs.bash = { interactiveShellInit = '' diff --git a/moduler/dev.nix b/moduler/dev.nix index 9686bc5..b579440 100644 --- a/moduler/dev.nix +++ b/moduler/dev.nix 
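Review bot: Dropping the whole `networking.firewall` block is a behaviour change the commit message does not mention: the host falls back to the NixOS default firewall, which (as far as I recall) admits only SSH, so TCP 80/443/3000/8384/8008/8009/22000 and the blanket UDP 1–65535 range that were previously open are now closed. That is a welcome tightening — the UDP range in particular exposed every UDP service on the box — but if any of those services still run on macmini they become unreachable. If the removal is intentional, a one-line comment such as `# firewall: defaults only; services moved to desktop` would save the next reader from guessing.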
@@ -18,65 +18,55 @@ in ]; environment.systemPackages = with pkgs; [ - timewarrior + # Neovim + inputs.neovim-nightly-overlay.packages.${pkgs.system}.default + # Nix devenv nixfmt-rfc-style - # Containers - kubectl - docker-slim + # Docker dive - buildkit - containerd - cri-tools - yq - skopeo - umoci - velero - podman-tui + lazydocker + # Jobb azure-cli dotnetCorePackages.dotnet_9.sdk - google-cloud-sdk jira-cli-go gh - allure - kubectx - python314 + # Minio awscli minio-client + + # Blogging hugo + + # System Design sqlc postgresql - go-migrate-pg - argocd - ngrok - tailwindcss - yarn plantuml + + # Web Dev + tailwindcss + prettierd + + # Go + air go templ - goa - prettierd - qrencode - air + go-migrate-pg + + # Build git - lazydocker gcc gnumake cmake + + # System Tools + yq jq git - (wrapHelm kubernetes-helm { - plugins = with pkgs.kubernetes-helmPlugins; [ - helm-secrets - helm-diff - helm-s3 - helm-git - ]; - }) - k3sup + qrencode ]; } diff --git a/moduler/fish.nix b/moduler/fish.nix index 698d91c..ee34526 100644 --- a/moduler/fish.nix +++ b/moduler/fish.nix @@ -55,10 +55,9 @@ }; interactiveShellInit = '' fish_vi_key_bindings - set fish_greeting # Disable greeting + set fish_greeting set FLAKE_DIR "/home/fw/nix" - set HM_DIR "$FLAKE_DIR#fw@jobb" - set SYSTEM_DIR "$FLAKE_DIR#jobb" + set JIRA_API_TOKEN ATATT3xFfGF0_fkpGB1ne-QOSJzFVG0yH31j2CRtdNqbePCyEm9enpnA2uA3go75_GQwZPFX_IO9tf10ALJWvDLjsuHl8MSOUkNd703Vqr4uuGLAbHY73Z_b9fDJVrfodTrGAN9sZ5Sp75opCVkXB7MVXSAIvlWimRdwe-tqDPH4vhwY9Hqcs6M=0510D6CD set -Ux FZF_CTRL_R_OPTS "--reverse" set -Ux FZF_TMUX_OPTS "-p" set -e GOROOT diff --git a/moduler/home.nix b/moduler/home.nix index e634895..f97513e 100644 --- a/moduler/home.nix +++ b/moduler/home.nix @@ -21,7 +21,7 @@ ../moduler/oh-my-posh.nix ../moduler/gtk.nix # ../moduler/neovim.nix - ../moduler/k9s + ../moduler/programs/k9s ]; programs.home-manager.enable = true; diff --git a/moduler/hyprland.nix b/moduler/hyprland.nix index 107cfd7..c6e89ac 100644 
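Review bot: The added `set JIRA_API_TOKEN …` line in fish.nix places a live-looking Atlassian API token in plain text in a file that is committed to git and, via `interactiveShellInit`, ends up in the world-readable Nix store — in the very commit that introduces sops for secrets. The token should be treated as exposed and rotated, and the replacement loaded from a sops secret at shell start, e.g. `set -gx JIRA_API_TOKEN (cat /run/secrets/jira_api_token)` with a matching `sops.secrets.jira_api_token` entry (secret name constructed). Separately, `set` without `-x` does not export the variable, so a child process such as the `jira` CLI — which presumably reads it from the environment — would likely not see it anyway.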
--- a/moduler/hyprland.nix +++ b/moduler/hyprland.nix @@ -400,11 +400,11 @@ in # Applications "$mod, q, exec, ${pkgs.firefox}/bin/firefox" - "$mod, d, exec, ${pkgs.rofi}/bin/rofi -show drun" + "$mod, d, exec, ${pkgs.rofi}/bin/rofi -show drun -p 'Run: '" # Screencapture "$mod, S, exec, ${pkgs.grim}/bin/grim | wl-copy" - "$mod SHIFT+ALT, S, exec, ${pkgs.grim}/bin/grim -g \"$(slurp)\" - | ${pkgs.swappy}/bin/swappy -f -" + "$mod SHIFT+ALT, S, exec, ${pkgs.grim}/bin/grim -g \"$(slurp)\" ~/$(date +%Y-%m-%d-%H%M%S).png" ]; bindm = [ diff --git a/moduler/lsp.nix b/moduler/lsp.nix index fbd9b66..a6bb043 100644 --- a/moduler/lsp.nix +++ b/moduler/lsp.nix @@ -12,7 +12,6 @@ environment.systemPackages = with pkgs; [ nixd gopls - inputs.neovim-nightly-overlay.packages.${pkgs.system}.default omnisharp-roslyn nodePackages.vscode-json-languageserver tailwindcss-language-server diff --git a/moduler/network.nix b/moduler/network.nix index 74afdff..9ad4e2b 100644 --- a/moduler/network.nix +++ b/moduler/network.nix 
@@ -7,27 +7,32 @@ pkgs, myhostname, ... -}: { +}: +{ - services.netbird = { - enable = true; - ui.enable = true; - }; + services.netbird = { + enable = true; + ui.enable = true; + }; - environment.systemPackages = with pkgs; [ - openvpn - networkmanagerapplet - wireguard-tools - networkmanager - openssh + environment.systemPackages = with pkgs; [ + openvpn + networkmanagerapplet + wireguard-tools + networkmanager + openssh - mtr # A network diagnostic tool - iperf3 - dnsutils # `dig` + `nslookup` - ldns # replacement of `dig`, it provide the command `drill` - aria2 # A lightweight multi-protocol & multi-source command-line download utility - socat # replacement of openbsd-netcat - nmap # A utility for network discovery and security auditing - ipcalc # it is a calculator for the IPv4/v6 addresses - ]; + (octodns.withProviders (ps: [ + octodns-providers.gandi + ])) + + mtr # A network diagnostic tool + iperf3 + dnsutils # `dig` + `nslookup` + ldns # replacement of `dig`, it provide the command `drill` + aria2 # A lightweight multi-protocol & multi-source command-line download utility + socat # replacement of openbsd-netcat + nmap # A utility for network discovery and security auditing + ipcalc # it is a calculator for the IPv4/v6 addresses + ]; } diff --git a/moduler/programs.nix b/moduler/programs.nix index 1ce17a7..c6bbdc9 100644 --- a/moduler/programs.nix +++ b/moduler/programs.nix @@ -37,15 +37,12 @@ ghostty kdePackages.okular xdg-user-dirs + angryipscanner # Browsers librewolf chawan - # Capturing - byzanz - scrot - # Displaying zathura feh diff --git a/moduler/radicale.nix b/moduler/radicale.nix index 7a9d49f..dbf7daa 100644 --- a/moduler/radicale.nix +++ b/moduler/radicale.nix @@ -1,4 +1,5 @@ { + config, ... }: { 
@@ -7,21 +8,21 @@ certs."cal.wastring.com" = { dnsProvider = "gandiv5"; webroot = null; - credentialsFile = /run/secrets/gandi_key; + credentialsFile = config.sops.secrets.gandi_key.path; dnsPropagationCheck = true; }; }; - services.nginx = { - virtualHosts."cal.wastring.com" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:5232"; - proxyWebsockets = true; # needed if you need to use WebSocket - extraConfig = "proxy_ssl_server_name on;" + "proxy_pass_header Authorization;"; - }; - }; - }; + # services.nginx = { + # virtualHosts."cal.wastring.com" = { + # enableACME = true; + # forceSSL = true; + # locations."/" = { + # proxyPass = "http://127.0.0.1:5232"; + # proxyWebsockets = true; # needed if you need to use WebSocket + # extraConfig = "proxy_ssl_server_name on;" + "proxy_pass_header Authorization;"; + # }; + # }; + # }; services.radicale = { enable = true; settings = { diff --git a/moduler/services/headscale/default.nix b/moduler/services/headscale/default.nix new file mode 100644 index 0000000..1ac4bd7 --- /dev/null +++ b/moduler/services/headscale/default.nix @@ -0,0 +1,46 @@ +{ + lib, + config, + ... +}: +with lib; +{ + options = { + headscale = { + enable = mkEnableOption "enables headscale"; + domain = lib.mkOption { + type = lib.types.str; + default = "headscale.wastring.com"; + description = "The domain that headscale is served on."; + }; + }; + }; + + config = mkMerge [ + (mkIf config.headscale.enable { + services = { + headscale = { + enable = true; + address = "0.0.0.0"; + port = 8080; + server_url = "https://${domain}"; + dns = { + baseDomain = "example.com"; + }; + settings = { + logtail.enabled = false; + }; + }; + + nginx.virtualHosts.${domain} = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:${toString config.services.headscale.port}"; + proxyWebsockets = true; + }; + }; + }; + }) + ]; +} 
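Review bot: Commenting out the `cal.wastring.com` virtual host removes the TLS front-end for Radicale while the ACME certificate for that name is still requested a few lines above, and the service (per the commented `proxyPass`) listens only on `127.0.0.1:5232`, so the calendar is presumably no longer reachable from outside. If that is intended, delete the block rather than leave eleven commented lines — git history keeps it — and consider dropping the now-unused certificate too; if it is not intended, the vhost needs to come back.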
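Review bot: `server_url = "https://${domain}"` and `nginx.virtualHosts.${domain}` use a variable `domain` that is not bound anywhere — the function only takes `lib` and `config`, and `with lib` does not provide it — so this module fails with an undefined-variable error the moment a host imports it; both should read `config.headscale.domain`. The error is latent for now because no configuration in this commit imports `services/headscale`. Two smaller points: `address = "0.0.0.0"` binds the unauthenticated HTTP listener on every interface although nginx proxies to `localhost`, so `127.0.0.1` would be the safer default, and `dns.baseDomain = "example.com"` looks like an unfinished placeholder. Depending on the pinned nixpkgs, `address`/`port`/`server_url`/`dns` may also need to live under `services.headscale.settings` — worth checking.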
diff --git a/moduler/services/monitoring/default.nix b/moduler/services/monitoring/default.nix
index 5cd99ce..99d4eb0 100644
--- a/moduler/services/monitoring/default.nix
+++ b/moduler/services/monitoring/default.nix
@@ -1,53 +1,115 @@ { lib, config, - pkgs, ... }: +with lib; + +let + +in { options = { grafana = { - enable = lib.mkEnableOption "enables grafana"; - host = lib.mkDefault "127.0.0.1"; - port = lib.mkDefault 2342; - domain = lib.mkOption { - type = lib.types.str; + enable = mkEnableOption "enables grafana"; + port = lib.mkOption { + type = lib.types.int; + default = 2342; + description = "The port Grafana listens on."; + }; + host = mkOption { + type = types.str; + defaultText = literalExpression "127.0.0.1"; + description = "The hostname that Grafana binds to"; + }; + domain = mkOption { + type = types.str; description = "Domain name for Grafana to be served on."; }; }; + alloy = { + enable = mkEnableOption "enables alloy"; + configPath = lib.mkOption { + type = lib.types.path; + default = ./alloy.yaml; + description = "The path to the configPath."; + }; + }; prometheus = { - enable = lib.mkEnableOption "enables prometheus"; - port = lib.mkDefault 9001; - exporter = { - enable = lib.mkEnableOption "enables node exporter"; - port = lib.mkDefault 9002; + enable = mkEnableOption "enables prometheus"; + port = lib.mkOption { + type = lib.types.int; + default = 9001; + description = "The port Prometheus listens on."; + }; + exporters = { + enable = mkEnableOption "enables node exporters"; + port = lib.mkOption { + type = lib.types.int; + default = 9002; + description = "The port Prometheus node exporter listens on."; + }; + }; + }; + loki = { + enable = mkEnableOption "enables prometheus"; + configFile = lib.mkOption { + type = lib.types.path; + default = ./loki.yaml; + description = "The path to the configFile."; + }; + dataDir = lib.mkOption { + type = lib.types.str; + default = "/var/loki"; + description = "The path to the data directory."; }; }; }; - config = lib.mkMerge [ - (lib.mkIf config.grafana.enable { + config = mkMerge [ + (mkIf config.grafana.enable { services.grafana = { enable = true; - domain = config.grafana.domain; - port = config.grafana.port; - addr 
= config.grafana.host; + settings = { + server = { + domain = config.grafana.domain; + http_port = config.grafana.port; + http_addr = config.grafana.host; + }; + }; }; # nginx reverse proxy services.nginx.virtualHosts."${config.grafana.domain}" = { + enableACME = true; + forceSSL = true; locations."/" = { proxyPass = "http://${config.grafana.host}:${toString config.grafana.port}"; proxyWebsockets = true; + extraConfig = "proxy_ssl_server_name on;" + "proxy_pass_header Authorization;"; }; }; }) + (mkIf config.loki.enable { + networking.firewall.allowedTCPPorts = [ 3100 ]; + services.loki = { + enable = true; + configFile = config.loki.configFile; + dataDir = config.loki.dataDir; + }; + }) + (mkIf config.alloy.enable { + services.alloy = { + enable = true; + configPath = config.alloy.configPath; + }; + }) - (lib.mkIf config.prometheus.enable { + (mkIf config.prometheus.enable { services.prometheus = { enable = true; port = config.prometheus.port; - exporters = lib.mkIf config.prometheus.exporters { + exporters = mkIf config.prometheus.exporters.enable { node = { enable = true; enabledCollectors = [ "systemd" ]; @@ -56,7 +118,7 @@ }; scrapeConfigs = [ { - job_name = "chrysalis"; + job_name = "desktop"; static_configs = [ { targets = [ "${config.grafana.host}:${toString config.prometheus.exporters.port}" ]; @@ -64,7 +126,6 @@ ]; } ]; - }; }) ]; diff --git a/moduler/services/monitoring/loki.yaml b/moduler/services/monitoring/loki.yaml new file mode 100644 index 0000000..a48f2f8 --- /dev/null +++ b/moduler/services/monitoring/loki.yaml 
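Review bot: `networking.firewall.allowedTCPPorts = [ 3100 ]` in the `loki.enable` branch opens Loki on every interface, and the loki.yaml added in this commit sets `auth_enabled: false`, so any host that can reach desktop can push to and query the log store. Restricting the rule to the interface the clients actually use — `networking.firewall.interfaces.<name>.allowedTCPPorts = [ 3100 ]` for the LAN or WireGuard interface — keeps the exposure to the intended peers. Two option-definition slips in the same hunk: `host` carries `defaultText = literalExpression "127.0.0.1"` but no `default`, so the documentation promises a default that does not exist (add `default = "127.0.0.1";`), and `loki.enable = mkEnableOption "enables prometheus"` is a copy-paste description that should read `"enables loki"`.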
@@ -0,0 +1,55 @@ +auth_enabled: false + +server: + http_listen_port: 3100 + +ingester: + lifecycler: + address: 0.0.0.0 + ring: + kvstore: + store: inmemory + replication_factor: 1 + final_sleep: 0s + chunk_idle_period: 1h + max_chunk_age: 1h + chunk_target_size: 1048576 + chunk_retain_period: 30s + +schema_config: + configs: + - from: 2020-10-24 + store: boltdb-shipper + object_store: filesystem + schema: v11 + index: + prefix: index_ + period: 24h + - from: 2025-09-14 # Set this to a future date + store: tsdb + object_store: filesystem + schema: v13 + index: + prefix: index_ + period: 24h + +storage_config: + boltdb_shipper: + active_index_directory: /var/lib/loki/boltdb-shipper-active + cache_location: /var/lib/loki/boltdb-shipper-cache + cache_ttl: 24h + filesystem: + directory: /var/lib/loki/chunks + tsdb_shipper: + active_index_directory: /var/lib/loki/tsdb-active-index + cache_location: /var/lib/loki/tsdb-cache + +limits_config: + reject_old_samples: true + reject_old_samples_max_age: 168h + allow_structured_metadata: false + +table_manager: + retention_deletes_enabled: false + retention_period: 0s + diff --git a/moduler/services/wireguard-server/default.nix b/moduler/services/wireguard-server/default.nix new file mode 100644 index 0000000..263054a --- /dev/null +++ b/moduler/services/wireguard-server/default.nix 
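Review bot: Every storage path in this file is under `/var/lib/loki/…` while the module that consumes it defaults `services.loki.dataDir` to `/var/loki`, so the directory the service is set up with is not the one it writes to; unless `/var/lib/loki` already exists and is writable by the loki user, the ingester will fail at startup. Align the two — either point these paths at `/var/loki` or change the module's `dataDir` default to `/var/lib/loki`. The `from: 2025-09-14 # Set this to a future date` boundary is one day after the commit date, so it will be in the past by the time this is deployed; that is fine for a fresh store but the comment is then misleading. `auth_enabled: false` is acceptable only if network access to port 3100 is restricted elsewhere, which the monitoring module currently does not do.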
@@ -0,0 +1,63 @@ +{ + lib, + config, + pkgs, + ... +}: +with lib; + +let + +in +{ + options = { + wireguard-server = { + enable = mkEnableOption "enables wireguard-server"; + port = lib.mkOption { + type = lib.types.int; + default = 51820; + description = "The port that the Wireguard server listens on."; + }; + }; + }; + + config = mkMerge [ + (mkIf config.loki.enable { + sops.secrets.wireguard_private_key = {}; + users.users."systemd-network".extraGroups = [ "keys" ]; + networking.nat.enable = true; + networking.nat.externalInterface = "eth0"; + networking.nat.internalInterfaces = [ "wg0" ]; + networking.firewall = { + allowedUDPPorts = [ config.wireguard-server.port ]; + }; + + networking.wireguard.enable = true; + networking.wireguard.interfaces = { + wg0 = { + ips = [ "10.100.0.1/24" ]; + + listenPort = config.wireguard-server.port; + + postSetup = '' + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE + ''; + + postShutdown = '' + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE + ''; + + privateKeyFile = config.sops.secrets.wireguard_private_key.path; + + peers = [ + { + name = "fwastring"; + publicKey = "iJw5Km99HT9/TuVtSyDhOwPPcoWeRO67dhhrKPbjRTA="; + allowedIPs = [ "10.100.0.2/32" ]; + } + ]; + }; + }; + }) + ]; +} diff --git a/moduler/system.nix b/moduler/system.nix index 8a120d0..1679ebd 100644 --- a/moduler/system.nix +++ b/moduler/system.nix 
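Review bot: The configuration is guarded by `(mkIf config.loki.enable {` instead of the module's own option; it should be `(mkIf config.wireguard-server.enable {`. As written, desktop — which imports this module, sets `loki.enable = true` and never sets `wireguard-server.enable` — gets the WireGuard server, NAT and the open UDP port switched on by the Loki flag, and any host that imports this module without the monitoring module fails evaluation with an undefined `loki` option. The `eth0` hard-coded in `externalInterface` and both iptables rules is unlikely to match a host using predictable interface names; a `mkOption` for the interface alongside `port` would avoid a silently non-functional MASQUERADE rule. `users.users."systemd-network".extraGroups = [ "keys" ]` appears unnecessary here, since `networking.wireguard` reads `privateKeyFile` as root, and it widens who can read every secret in that group — confirm and drop it if so.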
@@ -24,68 +24,37 @@ }; environment.systemPackages = with pkgs; [ - # Build - just + # Bluetooth + bluez + bluez-tools + + # Zathura + poppler_utils + + # Transform + imagemagick + pandoc + + # Sound + alsa-utils + + # Monitor + brightnessctl # System + sops libnotify - lf - xsel - xbanish unzip zip wget - alsa-utils htop procps - fzf - eza btop - xclip - dysk - rsync procs - dust - brightnessctl - lolcat - fortune - cowsay - ripgrep - poppler_utils + dysk grc - pkg-config vim - fd - bluez - bluez-tools - openssl - imagemagick - pandoc - texliveFull fastfetch - keyutils - pinentry-all - (pass.withExtensions ( - ext: with ext; [ - pass-import - pass-genphrase - pass-update - ] - )) - lazygit - chawan - go-passbolt-cli - waypipe - wl-clipboard - smartmontools - - # Typesetting - typst - typstyle - tinymist - websocat - nix-search-cli - libsixel # system call monitoring strace # system call monitoring @@ -99,6 +68,37 @@ pciutils # lspci usbutils # lsusb + # Files + fzf + eza + rsync + dust + ripgrep + fd + + # Misc + lolcat + fortune + cowsay + + # Security + openssl + + # Git + lazygit + + # Terminal Stuff + chawan + go-passbolt-cli + + # Typesetting + typst + typstyle + tinymist + websocat + nix-search-cli + libsixel + ( let base = pkgs.appimageTools.defaultFhsEnvArgs; diff --git a/moduler/vaultwarden.nix b/moduler/vaultwarden.nix index 158df48..5ec167c 100644 --- a/moduler/vaultwarden.nix +++ b/moduler/vaultwarden.nix @@ -1,4 +1,5 @@ { +config, ... }: { @@ -15,7 +16,7 @@ certs."pass.wastring.com" = { dnsProvider = "gandiv5"; webroot = null; - credentialsFile = /run/secrets/gandi_key; + credentialsFile = config.sops.secrets.gandi_key.path; dnsPropagationCheck = true; }; }; 
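Review bot: `config,` is added at column 0 in vaultwarden.nix while the surrounding arguments keep the file's two-space indent; the same change in radicale.nix is indented correctly, so this is just inconsistent formatting. The following vaultwarden hunk also deletes the two comments explaining why `proxy_ssl_server_name on;` and `proxy_pass_header Authorization;` are set; those reasons are not obvious from the directives themselves and are worth keeping as a one-line comment above `extraConfig`.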
@@ -23,19 +24,14 @@ enable = true; recommendedProxySettings = true; recommendedTlsSettings = true; - # other Nginx options virtualHosts."pass.wastring.com" = { enableACME = true; forceSSL = true; locations."/" = { proxyPass = "http://127.0.0.1:8222"; - proxyWebsockets = true; # needed if you need to use WebSocket + proxyWebsockets = true; extraConfig = - # required when the target is also TLS server with multiple hosts - "proxy_ssl_server_name on;" - + - # required when the server wants to use HTTP Authentication - "proxy_pass_header Authorization;"; + "proxy_ssl_server_name on;" + "proxy_pass_header Authorization;"; }; }; }; diff --git a/moduler/wastring.nix b/moduler/wastring.nix index 9a99fbf..4044810 100644 --- a/moduler/wastring.nix +++ b/moduler/wastring.nix @@ -7,7 +7,7 @@ in certs."wastring.com" = { dnsProvider = "gandiv5"; webroot = null; - credentialsFile = /run/secrets/gandi_key; + credentialsFile = config.sops.secrets.gandi_key.path; dnsPropagationCheck = true; }; }; diff --git a/secrets/sops.yaml b/secrets/sops.yaml new file mode 100644 index 0000000..623737c --- /dev/null +++ b/secrets/sops.yaml 
@@ -0,0 +1,36 @@ +gandi_key: ENC[AES256_GCM,data:rhsDbf5RyChBWsgyLZoHCr12K1CztsoSitGNJbqqXlGhvYIP47cIXO8gCiEDOxhhC+gKp5Zc5biHUZ6Kf9vkV64X9SHoyw==,iv:WU+tuNpU8tlg6utPfah/EU9PrrO02SgJ1Fi07oxUjZI=,tag:9EYL9qX8DCy5U6IC7gP/eg==,type:str] +wireguard_private_key: ENC[AES256_GCM,data:Fk3ZYyj51iSC0q7gQKY9kyg+kPHDJJJOYLiKyIuB2aDbI5yy8pggGyRBjtY=,iv:RQa34Irb93NlOCnpH7oEzDjJ30qlzMTAiosUsZYreqQ=,tag:0UFrh55JHSlJvzDtw7A60w==,type:str] +wireguard_public_key: ENC[AES256_GCM,data:4ETVdAeLrqwPh7LZGN6wounajnh8bD9zdq4GWMCdSOJB6Z5ZA4iNHFKPU0k=,iv:RPKRI6A8sOmn22OdVrgl2RpbKGdfkrDdExlRd2QT/Wg=,tag:68cWti2y7f99GFHVYH1rtQ==,type:str] +sops: + age: + - recipient: age1jeyw96795qu52swmtkjqgr2w3g4vxc43ckc5r4hlwpje23ptnfwsheah0s + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdUw2TU9XcEFlTkxnT0lj + S2lodU5BQ1U0QU11ZmcrZUNJWEVNSERPK2trCnZHVDZxR3FVckdsdGNTVTJ5aE9p + SlhuV2NldHN3c0xOR1prMlM3SEhJNEEKLS0tIC9YaS8zcEVqMW1jWUFBTXBVbGFG + bzMxUUY2ODZhaUtjSUJjM3BWVjU5cDQKx5PhabRSkrIvKhYnvkjc2chQeEXcb2xd + mta6liWOXfn2VRnWAeEKCIJq/x6wNSBsNeQK0IRWxPGNCfJdtoos4w== + -----END AGE ENCRYPTED FILE----- + - recipient: age106ml0ssx0p24dvfamp322myzka4wzeze9yhzyvtptp9c6fmmru6slswh2x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjNkxwMksxV21tVDJSL0JI + dGc1UEJZS3VvNTh3WnZkTW9LeFpqSGwzVVdVCnIzOW1oTnFvSnZRUWhvdzIzdVlB + OUlBTU1DeHplS0RRTkc1MlNIZk9DVzAKLS0tIHZxcmVqbGlVMm9Bai9VRW9qc0xS + bEVJNU5NbXgvNTBzN202MTdQeHlUeEkKIV3jTYkl8/3C1TQA+AjYpmjLZc7TgFI6 + ZkhP/CzYcPoRt4KHOrY/cROPAPDj4uki3RF+yyTxAsTKn8BBLSRjxQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dql5lwetk39a9y8ummfgjx3aym02yn205lxk389k6q0tu9y3ff4s94l66t + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsYktrK1BmZjhQY216MWxH + aHJBRGFHMWVXQWUrZS90dEpQeXZzU1grWm1VClhnTVYrR2tabU5LWFc1ZmgwY1dF + M0lFOU1hd1gxTFJPaDBGV2hIbW16WWsKLS0tIExCSGVPM1Jsb1R1VFNTTXRpalBK + OU8yT0cvcnZMMXphMFVHSXpHNjc4dEkKyXiwholsJthB9O7onb0buF6qHNVNZA3s + 
A2+HSl5P0HCyaZhDIDBFdaUL2r0CHKOPCN3Lrd5+Rirnx48RnDxwBA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-09-13T19:07:35Z" + mac: ENC[AES256_GCM,data:aQy8wXhipZtFjAGvHd4+M1wj18vIQNOw2gRvjtcCpvsnD35CDHPNPC2taH9p8Dj3zDta+2L+GP7mwsxKyU/jMKQrgVmLb0A2ConBx0IcuAhs1xI6E9lW2zGiQg6eWllQvvFispakc1mT1f763wQRUnsWif/GvNCluBybm0TPjbE=,iv:tFYEFMHear3tI6VTXrvyEJB0jIrmXzK1j7p7R0uRQEo=,tag:uEeJoaaF14YYQSWliZctgw==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2