diff --git a/Makefile b/Makefile
index 1cce182..ffaa508 100644
--- a/Makefile
+++ b/Makefile
@@ -13,6 +13,9 @@ switch: _switch_${HOST}
 apply:
 colmena apply
+update-hidden:
+ nix flake update nixos-config-hidden
+
 _switch_:
 @echo "ERROR: couldn't find hostname"
 @false
diff --git a/flake.lock b/flake.lock
index 0679a7e..2be0811 100644
--- a/flake.lock
+++ b/flake.lock
@@ -60,11 +60,11 @@
 ]
 },
 "locked": {
- "lastModified": 1747559278,
- "narHash": "sha256-10VfcILI2zYY1/ZlOx/cakDmpJgSEJYEG3gMrjzFREY=",
+ "lastModified": 1748227609,
+ "narHash": "sha256-SaSdslyo6UGDpPUlmrPA4dWOEuxCy2ihRN9K6BnqYsA=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "ee85cfc5c132e2cf956a7b5ab156ddaedaefcbbc",
+ "rev": "d23d20f55d49d8818ac1f1b2783671e8a6725022",
 "type": "github"
 },
 "original": {
@@ -94,13 +94,33 @@
 "type": "github"
 }
 },
+ "nixos-config-hidden": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1748288309,
+ "narHash": "sha256-eME8v0XnFUx1okq1mmdBEVV2lgCEVaHRKMl8nzrOrlM=",
+ "ref": "refs/heads/main",
+ "rev": "c5c6cb7b0b721ba5dc45788e5d6f154cb8a91dc3",
+ "revCount": 2,
+ "type": "git",
+ "url": "ssh://git@github.com/henridoh/nixos-config-hidden"
+ },
+ "original": {
+ "type": "git",
+ "url": "ssh://git@github.com/henridoh/nixos-config-hidden"
+ }
+ },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1747129300,
- "narHash": "sha256-L3clA5YGeYCF47ghsI7Tcex+DnaaN/BbQ4dR2wzoiKg=",
+ "lastModified": 1747900541,
+ "narHash": "sha256-dn64Pg9xLETjblwZs9Euu/SsjW80pd6lr5qSiyLY1pg=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "e81fd167b33121269149c57806599045fd33eeed",
+ "rev": "11f2d9ea49c3e964315215d6baa73a8d42672f06",
 "type": "github"
 },
 "original": {
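Review bot: The new `update-hidden` target has no prerequisites and creates no file, so if the Makefile declares its command targets as phony (no `.PHONY` line is visible in this hunk) it should be added there; otherwise a stray file named `update-hidden` in the repository root would make `make update-hidden` a silent no-op. A one-line `.PHONY: update-hidden` above the target is enough if no such list exists.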
@@ -128,11 +148,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1747327360,
- "narHash": "sha256-LSmTbiq/nqZR9B2t4MRnWG7cb0KVNU70dB7RT4+wYK4=",
+ "lastModified": 1748190013,
+ "narHash": "sha256-R5HJFflOfsP5FBtk+zE8FpL8uqE7n62jqOsADvVshhE=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "e06158e58f3adee28b139e9c2bcfcc41f8625b46",
+ "rev": "62b852f6c6742134ade1abdd2a21685fd617a291",
 "type": "github"
 },
 "original": {
@@ -146,6 +166,7 @@
 "inputs": {
 "colmena": "colmena",
 "home-manager": "home-manager",
+ "nixos-config-hidden": "nixos-config-hidden",
 "nixos-hardware": "nixos-hardware",
 "nixpkgs": "nixpkgs_2"
 }
diff --git a/flake.nix b/flake.nix
index e938e85..4e452b5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -7,6 +7,10 @@
 url = "github:nix-community/home-manager";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ nixos-config-hidden = {
+ url = "git+ssh://git@github.com/henridoh/nixos-config-hidden";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 outputs =
@@ -16,6 +20,7 @@
 nixos-hardware,
 colmena,
 home-manager,
+ nixos-config-hidden,
 }@inputs:
 let
 lib = nixpkgs.lib;
@@ -24,7 +29,7 @@
 specialArgs = {
 inherit inputs lib' mod;
- var = (lib'.walk-dir ./var).map_import;
+ var = (lib'.walk-dir ./var).map_import_with_lib;
 };
 overlays = _: {
 nixpkgs.overlays = [ colmena.overlay ];
@@ -34,22 +39,28 @@
 nixosConfigurations = {
 "solo" = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
- inherit specialArgs;
+ specialArgs = specialArgs // {
+ host = "solo";
+ };
 modules = [
 ./host/solo
 mod.common.to_mod
 mod.pc-common.to_mod
+ nixos-config-hidden.nixosModules.pc
 overlays
 ];
 };
 "c2" = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
- inherit specialArgs;
+ specialArgs = specialArgs // {
+ host = "c2";
+ };
 modules = [
 ./host/c2
 mod.common.to_mod
 mod.pc-common.to_mod
+ nixos-config-hidden.nixosModules.pc
 overlays
 ];
 };
diff --git a/host/roam/modules/services.nix b/host/roam/modules/services.nix
index fc11a89..fc396e2 100644
--- a/host/roam/modules/services.nix
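Review bot: The `nixos-config-hidden` input in the first flake.nix hunk is a private repository fetched over `git+ssh://`, so every machine that evaluates this flake, including whichever host runs `colmena apply` from the Makefile, needs an SSH identity with read access to it, and `nix flake update nixos-config-hidden` fails without one; a comment on the input would spare the next reader a confusing fetch error, e.g. `# private repo; evaluation needs an SSH key with read access (pinned by flake.lock)`. Since flake.lock records `rev` and `narHash` the module content is reproducible, but the `nixosModules.pc` it exports is imported by both `solo` and `c2` in the last hunk with full module privileges, so changes in that repository deserve the same review as this one.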
+++ b/host/roam/modules/services.nix
@@ -4,36 +4,8 @@ let
 in
 {
 services = {
- # TODO: maybe just use wireguard...
- /*
- headscale = {
- enable = true;
- address = "127.0.0.1";
- port = 8080;
- settings = {
- server_url = "https://${headscale-domain}";
- prefixes.v4 = "100.10.11.0/24";
- prefixes.v6 = "fd7a:115c:1011::/48";
- dns = {
- magic_dns = true;
- base_domain = "net.hdohmen.de";
- };
- };
- };
- */
-
 nginx = {
 enable = true;
- /*
- virtualHosts.${headscale-domain} = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
- proxyWebsockets = true;
- };
- };
- */
 };
 };
diff --git a/host/roam/modules/wireguard.nix b/host/roam/modules/wireguard.nix
index 80f30f6..bc743b3 100644
--- a/host/roam/modules/wireguard.nix
+++ b/host/roam/modules/wireguard.nix
@@ -1,7 +1,6 @@
-{ ... }:
+{ var, lib, ... }:
 let
 wireguard-port = 51820;
- wireguard-subnet = "100.10.11.0/24";
 in
 {
 networking = {
@@ -16,9 +15,10 @@ in
 wireguard = {
 enable = true;
 interfaces."wg0" = {
- ips = [ wireguard-subnet ];
+ ips = var.wg.wireguard-network."roam".ips;
 listenPort = wireguard-port;
- privateKeyFile = "/var/secrets/wg0.key";
+ privateKeyFile = var.wg.keyFile;
+ peers = var.wg.peers-for "roam";
 };
 };
 };
diff --git a/lib.nix b/lib.nix
index 6ec418d..205c30c 100644
--- a/lib.nix
+++ b/lib.nix
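Review bot: In the second wireguard.nix hunk `privateKeyFile` moves from `/var/secrets/wg0.key` to `var.wg.keyFile`, which var/wg.nix later in this diff sets to `/var/secrets/wg.key`; nothing in the diff renames the key on the roam host, so unless it is moved before the switch the interface will fail to come up. The interface address also changes from the removed `wireguard-subnet` (`100.10.11.0/24`) to `wireguard-network."roam".ips` (`10.10.11.1/24`), so any peer still configured against the old subnet would need updating. The first hunk adds `lib` to the module arguments, but neither hunk uses it; if nothing else in the file does, it can be dropped. The `networking` block continues outside the second hunk.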
@@ -1,47 +1,51 @@
 { lib, ... }:
 with builtins;
-rec {
- walk-dir =
- let
- walk-dir-inner =
- path:
- let
- dir = readDir path;
+let
+ lib' = rec {
+ walk-dir =
+ let
+ walk-dir-inner =
+ path:
+ let
+ dir = readDir path;
- in
- lib.mapAttrs' (filename: value: {
- name = lib.removeSuffix ".nix" filename;
- value =
- if value == "regular" then
- path + "/$(unknown)"
- else if value == "directory" then
- walk-dir-inner (path + "/$(unknown)")
- else
- throw "Items of type ${value} are unsupported.";
- }) dir;
+ in
+ lib.mapAttrs' (filename: value: {
+ name = lib.removeSuffix ".nix" filename;
+ value =
+ if value == "regular" then
+ path + "/$(unknown)"
+ else if value == "directory" then
+ walk-dir-inner (path + "/$(unknown)")
+ else
+ throw "Items of type ${value} are unsupported.";
+ }) dir;
- helper-attrs =
- subpaths:
- let
- _files = lib.collect (x: isPath x || isString x) subpaths;
- _nix_files = filter (lib.hasSuffix ".nix") _files;
- in
- rec {
- to_mod = _: {
- imports = _nix_files;
+ helper-attrs =
+ subpaths:
+ let
+ _files = lib.collect (x: isPath x || isString x) subpaths;
+ _nix_files = filter (lib.hasSuffix ".nix") _files;
+ in
+ rec {
+ to_mod = _: {
+ imports = _nix_files;
+ };
+ to_mod_without_default = without_default.to_mod;
+ collect_nix_files = _nix_files;
+ map_import = lib.mapAttrsRecursive (_: import) subpaths;
+ map_import_with_lib = lib.mapAttrsRecursive (_: x: (import x) { inherit lib lib'; }) subpaths;
+ without_default =
+ let
+ subpaths' = removeAttrs subpaths [ "default" ];
+ in
+ with-helper-attrs subpaths';
 };
- to_mod_without_default = without_default.to_mod;
- collect_nix_files = _nix_files;
- map_import = lib.mapAttrsRecursive (_: import) subpaths;
- without_default =
- let
- subpaths' = removeAttrs subpaths [ "default" ];
- in
- with-helper-attrs subpaths';
- };
- with-helper-attrs =
- x: if isAttrs x then lib.mapAttrs (_: with-helper-attrs) x // helper-attrs x else x;
- in
- p: with-helper-attrs (walk-dir-inner p);
-}
+ with-helper-attrs =
+ x: if isAttrs x then lib.mapAttrs (_: with-helper-attrs) x // helper-attrs x else x;
+ in
+ p: with-helper-attrs (walk-dir-inner p);
+ };
+in
+lib'
diff --git a/mod/pc-common/network.nix b/mod/pc-common/network.nix
index 6a5eb1a..2ab3e4b 100644
--- a/mod/pc-common/network.nix
+++ b/mod/pc-common/network.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ host, var, ... }:
 {
 hardware.bluetooth.enable = true;
 services.blueman.enable = true;
@@ -11,6 +11,46 @@
 networking = {
 enableIPv6 = true;
+
+ wireguard.enable = true;
+ wg-quick = {
+ interfaces = {
+ "onet" = {
+ address = var.wg.wireguard-network.${host}.ips;
+ privateKeyFile = var.wg.keyFile;
+ peers = var.wg.peers-for host;
+ };
+ "mullvad" =
+ let
+ conf = {
+ "solo".ips = [
+ "10.68.140.249/32"
+ "fc00:bbbb:bbbb:bb01::5:8cf8/128"
+ ];
+ };
+ in
+ {
+ address = conf.${host}.ips;
+ privateKeyFile = var.wg.keyFile;
+ peers = [
+ {
+ allowedIPs = [
+ "0.0.0.0/0"
+ "::0/0"
+ ];
+ endpoint = "185.213.155.72:51820";
+ publicKey = "flq7zR8W5FxouHBuZoTRHY0A0qFEMQZF5uAgV4+sHVw=";
+ persistentKeepalive = 23;
+ }
+ ];
+ };
+ };
+ };
+
+ firewall = {
+ allowedUDPPorts = [ 51820 ];
+ };
+
 networkmanager = {
 enable = true;
 wifi.macAddress = "random";
diff --git a/mod/pc-common/services.nix b/mod/pc-common/services.nix
index 1bbaddd..f6bfd98 100644
--- a/mod/pc-common/services.nix
+++ b/mod/pc-common/services.nix
@@ -9,5 +9,6 @@
 };
 udisks2.enable = true;
 emacs.enable = true;
+ protonmail-bridge.enable = true;
 };
 }
diff --git a/mod/pc-common/software/programs.nix b/mod/pc-common/software/programs.nix
index e5f3d78..d8b32ef 100644
--- a/mod/pc-common/software/programs.nix
+++ b/mod/pc-common/software/programs.nix
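Review bot: `map_import_with_lib` calls every imported file as a function with `{ inherit lib lib'; }`, so any file under the walked directory that is still a plain attribute set (the shape var/ssh-keys.nix had before this commit changed it to `_: rec {`) now fails evaluation with "attempt to call something which is not a function"; files under var/ that this diff does not touch cannot be checked from here. A tolerant form handles both shapes with `isFunction`, already in scope through `with builtins;`: `map_import_with_lib = lib.mapAttrsRecursive (_: x: let v = import x; in if isFunction v then v { inherit lib lib'; } else v) subpaths;`. A comment above the binding stating the calling convention (each file is imported and, if it is a function, called with lib and lib') would make the contract visible to whoever adds the next var file.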
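Review bot: `var.wg.wireguard-network.${host}.ips` and `conf.${host}.ips` in the second network.nix hunk are evaluated unconditionally, but var/wg.nix in this diff defines `wireguard-network` only for `roam` and `solo` and `conf` only for `solo`, while the flake.nix hunk shows `c2` importing `mod.pc-common.to_mod` as well; as far as this diff shows, evaluating the `c2` configuration therefore fails with a missing-attribute error. Guarding each interface on the host having an entry (below; `lib` would need adding to the module arguments) keeps pc-common usable on hosts without a WireGuard profile. Separately, `onet` and `mullvad` share `var.wg.keyFile`, so one private key identifies the machine both to the Mullvad server and to the private network; a per-interface key file is the conventional separation. `firewall.allowedUDPPorts = [ 51820 ]` opens the server port on every pc-common host although neither wg-quick interface here sets a `listenPort`, so it looks unnecessary unless one is set elsewhere.
```nix
{ host, var, lib, ... }:
# … unchanged: bluetooth, blueman, enableIPv6 …
    wireguard.enable = true;
    wg-quick.interfaces =
      let
        mullvad-conf = {
          "solo".ips = [
            "10.68.140.249/32"
            "fc00:bbbb:bbbb:bb01::5:8cf8/128"
          ];
        };
      in
      lib.optionalAttrs (builtins.hasAttr host var.wg.wireguard-network) {
        "onet" = {
          address = var.wg.wireguard-network.${host}.ips;
          privateKeyFile = var.wg.keyFile;
          peers = var.wg.peers-for host;
        };
      }
      // lib.optionalAttrs (builtins.hasAttr host mullvad-conf) {
        "mullvad" = {
          address = mullvad-conf.${host}.ips;
          privateKeyFile = var.wg.keyFile;
          # … unchanged: mullvad peer list …
        };
      };
```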
@@ -28,10 +28,12 @@
 programs.thunderbird = {
 enable = true;
 package = pkgs.thunderbird-latest;
- profiles.default.isDefault = true;
- profiles.default.settings = {
- "mail.openpgp.allow_external_gnupg" = true;
- "mail.openpgp.fetch_pubkeys_from_gnupg" = true;
+ profiles.default = {
+ isDefault = true;
+ settings = {
+ "mail.openpgp.allow_external_gnupg" = true;
+ "mail.openpgp.fetch_pubkeys_from_gnupg" = true;
+ };
 };
 };
 };
diff --git a/var/ssh-keys.nix b/var/ssh-keys.nix
index 4ef907e..f6bfed7 100644
--- a/var/ssh-keys.nix
+++ b/var/ssh-keys.nix
@@ -1,4 +1,4 @@
-rec {
+_: rec {
 # this is only used for forcing password entry on colmena apply
 priviliged-by-host = {
 "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsl8pLaGeCL3kacGWf8pzoLQr501ga/2OzvI2wWbTZJ";
diff --git a/var/wg.nix b/var/wg.nix
new file mode 100644
index 0000000..e685752
--- /dev/null
+++ b/var/wg.nix
@@ -0,0 +1,29 @@
+{ lib, ... }:
+rec {
+ publicKey = {
+ "roam" = "yUbdRfRFFVe4FPUaD7pVByLRhpF9Yl1kethxRUHpVgs=";
+ "solo" = "SRDguh0aN/RH8q/uB09w/OZTbP9JZZy0ABowbWIfkTk=";
+ };
+ wireguard-network = {
+ "roam" = {
+ publicKey = publicKey."roam";
+ ips = [ "10.10.11.1/24" ];
+ allowedIPs = [ "10.10.11.0/24" ];
+ endpoint = "185.163.117.158:51820";
+ persistentKeepalive = 17;
+ };
+ "solo" = {
+ publicKey = publicKey."solo";
+ ips = [ "10.10.11.2/24" ];
+ allowedIPs = [ "10.10.11.2/32" ];
+ };
+ };
+ keyFile = "/var/secrets/wg.key";
+
+ peers-for =
+ host:
+ map (lib.filterAttrs (n: _: n != "ips")) (
+ lib.attrValues (lib.filterAttrs (n: _: n != host) wireguard-network)
+ );
+
+}
diff --git a/var/wireguard-network.nix b/var/wireguard-network.nix
deleted file mode 100644
index 6736b88..0000000
--- a/var/wireguard-network.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-rec {
- peers = {
- "roam" = {
- publicKey = "yUbdRfRFFVe4FPUaD7pVByLRhpF9Yl1kethxRUHpVgs=";
- };
- "solo" = {
- publicKey = "SRDguh0aN/RH8q/uB09w/OZTbP9JZZy0ABowbWIfkTk=";
- };
- };
-
- peersFor = host: { }; # TODO: return peers.
-}
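Review bot: `peers-for` in var/wg.nix derives each peer by removing only `ips` from another host's `wireguard-network` entry, so any field added to an entry later that is not a WireGuard peer option would be passed straight into `peers` and rejected at evaluation; selecting the peer fields explicitly is more robust, e.g. `map (lib.filterAttrs (n: _: builtins.elem n [ "publicKey" "allowedIPs" "endpoint" "persistentKeepalive" ]))`. The file would also benefit from a header comment explaining that each `wireguard-network` entry mixes the host's own addresses (`ips`) with the fields other hosts use to reach it as a peer, and that `solo` has no `endpoint`, so only `solo` can initiate the tunnel to `roam`. `keyFile` is a single path used by every host and every interface in this diff; a note that the file is provisioned out of band would help, since nothing here creates it.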