From aca4caf02cf23fe1bc3a850478ae055b20d23550 Mon Sep 17 00:00:00 2001 From: Henri Dohmen Date: Fri, 10 Oct 2025 19:29:55 +0200 Subject: [PATCH] framework --- common/boot.nix | 18 ----- common/default.nix | 1 - desktop/default.nix | 18 ++--- flake.lock | 22 ++++++ flake.nix | 18 +++++ host/c2/default.nix | 22 +++++- host/fw/default.nix | 43 ++++++++++++ host/fw/disko.nix | 97 +++++++++++++++++++++++++++ host/fw/hardware-configuration.nix | 28 ++++++++ host/roam/default.nix | 18 ++++- host/solo/default.nix | 18 ++++- secrets/hd-password.age | Bin 506 -> 616 bytes secrets/roam/firefox-sync-secret.age | Bin 516 -> 626 bytes secrets/roam/rclone-conf.age | Bin 2868 -> 2978 bytes secrets/tlskey.age | Bin 2136 -> 2246 bytes var/ssh-keys.nix | 2 + var/wg.nix | 7 ++ 17 files changed, 279 insertions(+), 33 deletions(-) delete mode 100644 common/boot.nix create mode 100644 host/fw/default.nix create mode 100644 host/fw/disko.nix create mode 100644 host/fw/hardware-configuration.nix diff --git a/common/boot.nix b/common/boot.nix deleted file mode 100644 index 985e701..0000000 --- a/common/boot.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ pkgs, ... }: -{ - boot = { - loader = { - efi.canTouchEfiVariables = true; - grub = { - enable = true; - efiSupport = true; - device = "nodev"; - }; - }; - - kernelPackages = pkgs.linuxPackages_6_12; - kernel.sysctl."kernel.sysrq" = 1; - - initrd.systemd.network.wait-online.enable = false; - }; -} diff --git a/common/default.nix b/common/default.nix index 8bdfa2b..5d7d18c 100644 --- a/common/default.nix +++ b/common/default.nix @@ -4,7 +4,6 @@ inputs.agenix.nixosModules.default ../mod ../desktop - ./boot.nix ./locale.nix ./nix.nix ./security.nix diff --git a/desktop/default.nix b/desktop/default.nix index f1894ab..90887a8 100644 --- a/desktop/default.nix +++ b/desktop/default.nix 
@@ -33,15 +33,15 @@ in config = mkIf cfg.enable { hd.desktop = { - accounts.enable = true; - audio.enable = true; - fonts.enable = true; - gpg.enable = true; - network.enable = true; - security.enable = true; - services.enable = true; - software.enable = true; - wm.enable = true; + accounts.enable = lib.mkDefault true; + audio.enable = lib.mkDefault true; + fonts.enable = lib.mkDefault true; + gpg.enable = lib.mkDefault true; + network.enable = lib.mkDefault true; + security.enable = lib.mkDefault true; + services.enable = lib.mkDefault true; + software.enable = lib.mkDefault true; + wm.enable = lib.mkDefault true; }; nixpkgs.config.allowUnfreePredicate = diff --git a/flake.lock b/flake.lock index d22881c..2f59eb4 100644 --- a/flake.lock +++ b/flake.lock @@ -49,6 +49,27 @@ "type": "github" } }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1746728054, + "narHash": "sha256-eDoSOhxGEm2PykZFa/x9QG5eTH0MJdiJ9aR00VAofXE=", + "owner": "nix-community", + "repo": "disko", + "rev": "ff442f5d1425feb86344c028298548024f21256d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "latest", + "repo": "disko", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -181,6 +202,7 @@ "inputs": { "agenix": "agenix", "colmena": "colmena", + "disko": "disko", "flake-utils": "flake-utils", "home-manager": "home-manager_2", "nixos-hardware": "nixos-hardware", diff --git a/flake.nix b/flake.nix index 7402912..316a2fb 100644 --- a/flake.nix +++ b/flake.nix @@ -22,6 +22,10 @@ inputs.nixpkgs.follows = "nixpkgs"; inputs.flake-utils.follows = "flake-utils"; }; + disko = { + url = "github:nix-community/disko/latest"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = @@ -29,6 +33,7 @@ self, agenix, colmena, + disko, flake-utils, home-manager, nixos-hardware, 
@@ -78,6 +83,19 @@
 overlays
 ];
 };
+
+ "fw" = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = specialArgs // {
+ host = "fw";
+ };
+ modules = [
+ ./host/fw
+ ./home
+ ./common
+ overlays
+ ];
+ };
 };
 
 colmenaHive = colmena.lib.makeHive {
diff --git a/host/c2/default.nix b/host/c2/default.nix
index b54bac6..eac23c5 100644
--- a/host/c2/default.nix
+++ b/host/c2/default.nix
@@ -1,4 +1,4 @@
-{ inputs, ... }:
+{ inputs, pkgs, ... }:
 {
 networking.hostName = "c2";
 
@@ -13,8 +13,24 @@
 common-pc-laptop-ssd
 ];
 
- boot.loader.efi.efiSysMountPoint = "/boot/efi";
- boot.resumeDevice = "/dev/disk/by-label/nixswap";
+ boot = {
+ loader = {
+ efi.canTouchEfiVariables = true;
+ efi.efiSysMountPoint = "/boot/efi";
+ grub = {
+ enable = true;
+ efiSupport = true;
+ device = "nodev";
+ };
+ };
+
+ resumeDevice = "/dev/disk/by-label/nixswap";
+
+ kernelPackages = pkgs.linuxPackages_6_12;
+ kernel.sysctl."kernel.sysrq" = 1;
+
+ initrd.systemd.network.wait-online.enable = false;
+ };
 
 # Fix for touchpad physical click not working
 boot.kernelParams = [ "psmouse.synaptics_intertouch=0" ];
diff --git a/host/fw/default.nix b/host/fw/default.nix
new file mode 100644
index 0000000..31d438b
--- /dev/null
+++ b/host/fw/default.nix
@@ -0,0 +1,43 @@
+{ inputs, pkgs, ... }:
+{
+ networking.hostName = "fw";
+
+ age.identityPaths = [
+ "/root/.ssh/id_ed25519"
+ ];
+
+ imports = [
+ ./hardware-configuration.nix
+ inputs.disko.nixosModules.disko
+ ./disko.nix
+ ];
+
+ boot = {
+ loader = {
+ efi.canTouchEfiVariables = true;
+ grub = {
+ enable = true;
+ efiSupport = true;
+ };
+ };
+
+ kernelPackages = pkgs.linuxPackages_6_12;
+ kernel.sysctl."kernel.sysrq" = 1;
+
+ initrd.systemd.network.wait-online.enable = false;
+ };
+
+ powerManagement = {
+ enable = true;
+ cpuFreqGovernor = "ondemand";
+ };
+
+ hd.desktop.enable = true;
+
+ networking.firewall = {
+ enable = true;
+ };
+
+ # ====== DON'T CHANGE ======
+ system.stateVersion = "25.05";
+}
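Review bot: The `boot = { loader … kernelPackages … }` block added to host/c2/default.nix is the content of the deleted common/boot.nix copied almost verbatim, and the roam and solo hunks repeat it a third and fourth time; only fw diverges (no `device = "nodev"`) and roam drops the sysrq sysctl. Since desktop/default.nix in this same commit switches its defaults to `lib.mkDefault` precisely so hosts can override, the shared module could stay with `kernelPackages = lib.mkDefault pkgs.linuxPackages_6_12;` and friends, and fw would override only the one grub setting, keeping the kernel version and the `kernel.sysrq` policy in one place. If the per-host copies are intentional, a one-line comment on each saying so would spare the next reader the four-way comparison. The c2 `boot.kernelParams` line two lines below is still outside the new attribute set; folding it in as `kernelParams = [ "psmouse.synaptics_intertouch=0" ];` would complete the consolidation.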
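Review bot: `kernel.sysctl."kernel.sysrq" = 1` in host/fw/default.nix enables every magic-SysRq function, which is a wide grant on a laptop whose console is reachable while the LUKS volume is unlocked; if only the emergency sync/remount/reboot subset is wanted, the documented bitmask `kernel.sysctl."kernel.sysrq" = 176;` with a comment expresses that and matches what c2 and solo could adopt too. Unlike the c2, roam and solo hunks, the grub block here sets no `device`; presumably the disko module derives `boot.loader.grub.devices` from the EF02 partition declared in host/fw/disko.nix, which is worth recording as `# grub device is supplied by the disko EF02 partition` so the omission is not read as an oversight. `age.identityPaths` points at `/root/.ssh/id_ed25519`, so the re-encrypted `secrets/*.age` in this commit are presumably only readable on fw once that host key is installed; a short comment on the install order (key first, then `nixos-rebuild`) would save a confusing first boot.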
diff --git a/host/fw/disko.nix b/host/fw/disko.nix
new file mode 100644
index 0000000..25f1cf8
--- /dev/null
+++ b/host/fw/disko.nix
@@ -0,0 +1,97 @@
+let
+ rootfs = {
+ type = "btrfs";
+ extraArgs = [
+ "-f"
+ "-L"
+ "nixroot"
+ ];
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ };
+ };
+in
+{
+ disko.devices = {
+ disk = {
+ main = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02";
+ };
+ ESP = {
+ size = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ luks = {
+ size = "100%";
+ label = "crypt";
+ content = {
+ type = "luks";
+ name = "cryptlvm";
+ settings = {
+ allowDiscards = true;
+ };
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ lvm_vg = {
+ pool = {
+ type = "lvm_vg";
+ lvs = {
+ root = {
+ size = "100%";
+ content = rootfs;
+ };
+ swap = {
+ size = "48G";
+ content = {
+ extraArgs = [ "-L nixswap" ];
+ type = "swap";
+ resumeDevice = true;
+ };
+ };
+
+ };
+ };
+ };
+ };
+}
diff --git a/host/fw/hardware-configuration.nix b/host/fw/hardware-configuration.nix
new file mode 100644
index 0000000..e289037
--- /dev/null
+++ b/host/fw/hardware-configuration.nix
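Review bot: The swap LV passes its label as the single element `"-L nixswap"`, while `rootfs` at the top of the same file uses the separate `"-L" "nixroot"` form; whether the one-element form produces the label `nixswap` depends on how disko hands `extraArgs` to mkswap (shell word-splitting versus per-element quoting, in which case the label would carry a leading space), so `extraArgs = [ "-L" "nixswap" ];` is the spelling that works either way and is consistent with the root filesystem. `settings.allowDiscards = true` on the LUKS container is a deliberate trade-off — TRIM passes through the mapping and exposes which blocks of the encrypted volume are unused — and deserves a one-line comment such as `# allowDiscards: SSD wear chosen over hiding free-space layout` so it is not later "fixed" in either direction. `device = "/dev/nvme0n1"` is an enumeration-order path; because disko repartitions whatever is at that path, a `/dev/disk/by-id/…` path (placeholder, the real id is not in the diff) would pin the format to the intended drive if another NVMe device is ever attached during an install. The `umask=0077` on the ESP mount is the right default for a `/boot` that holds kernels and initrds.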
@@ -0,0 +1,28 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [
+ "nvme"
+ "xhci_pci"
+ "thunderbolt"
+ ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/host/roam/default.nix b/host/roam/default.nix
index ecc870c..59ef5f2 100644
--- a/host/roam/default.nix
+++ b/host/roam/default.nix
@@ -1,4 +1,5 @@
-_: {
+{ pkgs, ... }:
+{
 networking.hostName = "roam";
 
 age.identityPaths = [
@@ -14,6 +15,21 @@ _: {
 ./services.nix
 ];
 
+ boot = {
+ loader = {
+ efi.canTouchEfiVariables = true;
+ grub = {
+ enable = true;
+ efiSupport = true;
+ device = "nodev";
+ };
+ };
+
+ kernelPackages = pkgs.linuxPackages_6_12;
+
+ initrd.systemd.network.wait-online.enable = false;
+ };
+
 security = {
 acme = {
 acceptTerms = true;
diff --git a/host/solo/default.nix b/host/solo/default.nix
index 9ddc15d..683cb57 100644
--- a/host/solo/default.nix
+++ b/host/solo/default.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ pkgs, ... }:
 {
 networking = {
 hostName = "solo";
@@ -21,6 +21,22 @@
 ./nvidia-gpu.nix
 ];
 
+ boot = {
+ loader = {
+ efi.canTouchEfiVariables = true;
+ grub = {
+ enable = true;
+ efiSupport = true;
+ device = "nodev";
+ };
+ };
+
+ kernelPackages = pkgs.linuxPackages_6_12;
+ kernel.sysctl."kernel.sysrq" = 1;
+
+ initrd.systemd.network.wait-online.enable = false;
+ };
+
 powerManagement = {
 enable = true;
 cpuFreqGovernor = "performance";
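Review bot: The boot block added to host/roam/default.nix omits `kernel.sysctl."kernel.sysrq" = 1`, which the deleted common/boot.nix used to apply to roam, so this commit silently changes roam's SysRq policy while c2, solo and fw keep the full set; nothing in the "framework" subject says that was intended. If it is deliberate hardening for a host that (judging by the `security.acme` context below) serves TLS to the network, record it inline with `# SysRq intentionally left at the kernel default on this host`, otherwise restore the line for parity with the other hosts. The enclosing `boot` attribute set is complete within the hunk, but the rest of host/roam/default.nix is not shown here.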
diff --git a/secrets/hd-password.age b/secrets/hd-password.age index c9a29c42699626ea40c59b6754bf111c6df32023..3ac162991f5f1041349197b9ff7be34ec74aae4c 100644 GIT binary patch delta 563 zcmeyx{DNhIPJOA%xkX`spNUbJyP3ahiF-w%M^;`+u6wzgi%UqcXGM63 z1y_n;hL>fOewb%aey(|nMWA_NsbQ+Gqi1eTAhQ4QTUb=rlSa5P)nqgH~qN|r%XtBRxQB-MAT12`d zx^?ME#TKdQ3MQFV&gQvhQR#&x`soH4!GVPy0Tvnl=H&rF{+Si&g}G*?ULM*(2A<1`|Ju*Qcjv zhDVn82IzbEg(nvVW|#ORT84S~n5PFCdX|-^Rb*G?npe0NIC%s{auruvhPswkm>O65 zxTabr=ejxP1^F6fI)=Ds8oC=;MEWOHhL)8F8G1)$bLr~pDg-!&Sf+brRcaUcgob;% z=VuogbY5t)WQCY3?% zW=W>Lp%y-dM!Dwh9tGas=00YD5s5iDRgq4qmga`Olj9l1>-}7{3yr)YiUPAr3rkD_ zO}&FMO!bRRjVto2^wX0oEVK0kt0J=v{X%m?xk~d)P5lF_5v(#PNGB6}N+soa@)zvIGMc=G6C?~JbGu+X+#2_Hk)gvX$ zmn+;aBRoLgy(pkKDA%;u+biG9r!=Xuw8TBK%3MF$UE4@M*wQb}A}pfJkxSQ3p}06h zH#Nn`)YQ;Y!86I#vdU4x%fvlBxhf+fE8WY;DJn1^qQ1=6yClljIWZ_hKd&maB+D%- z&{#jjsVd!=~3($vMfu%yy7)G*yA(!(RU$iq3jz$2$BI5EheA}1_3EjO$pJ=Y=` z-MaLoVvE#t1()zFUuVzI@=TAk3TF@Fz>q30kG!y)0wdo{gM6bbljIcBLLW01<4kvV zPcFCOEXzbUqu{7W?*O0dlw@u5vQP`xu$06I^WuCX!?4VNVxwZ`aEqYO{D~jM>phB! 
zyewV(3!{q6yo@r+LkgYK(!3+nGR-4{DyocK^z+J{3d&3ZB7AaOxy;SAElPqbD_tzj z%Od>DLUVI7L!z%ZfcS3bXwUxO8=O6^dLF!!jzpqrxIH3aecG zP12lv3k{44qP!wqqdW@r%_2gJYRwZ}Qc?@@L%CKRl-kK)yy1QtE90!F`1AT-V{Ru; zl6LJB7gW`@jw)75ZCG$L^+tEbV{ftOwB+eZ2{+YLXQVRy>YkS}SMw|=*`@PH+M>$Lk`0qMS-CntB{_E1Stn(A5-+pix0Q8K> AeE)X2Xi$0IG*%g8)4 zlq)q|C&M&}40Irvewps?e}-Q>W6hvT{F5*TjPC$?=Th^}dcy#U*9Q;fAUH>G@8M zk^aV!IogGOE?y}a29ANgo{r8zW`Uj-m6eX=TxEp@ZV{0MA(gqVx%w_9#=%A9aBl zWvNN|zQN@IwI%wIeo>|dkzC&x8qA9)n>4*TFs$+ytibWh;-SV-MdtJz{8#g_I-C3_G6;3&$ pVC{AI{`$=hIX4fk4(FZmbFpFspS|>{S(#advw2`uWtet_ zE0>Q?NReZqONg&qc4$OSa#mqszO#q6Q%ay;R=%I1fq7|OQ9yaAQA(h(1(&X!LUD11 zZfc5=si~o*f@hMeWtF2sKu$oIw{L1zc35h9a*DQRLA_I?SwWbycciaDMy_+7Wtn+) zdZIybepGrnmv>G^SyXCqT5_U=Uz&w+s=vN|Nojs+vSoQ?W^hnyMOL7%c~(Voh<}s; zx^?ME#TKdQ3OT+O`V~eYQNCqfB^FWX9;P{E7Ew{DDP<`po|)xUuC9ir7WxJjsR1du zkzDzvk);_$2HMV^u9+Sw=H8`2W$6_@<^kURCMD(-9=`gXej#Db+KvG^=@UPS*Bkr# zx;h(YxJQKfh57rXIy$?BloV9x>zA9C1VtDndqq0uh6ETy1o?%QbNLw?MdZ2{M_ME~ z=XnIDdFA8>n>wW%78Mx>_@+b{`G%MHIu|6TWw>fPa_Q>oDikIs>iZk|YP%$7m^v0k zRi;IiCkOhbc@>oxq-PkGxtaxp)aM75x>o9Y1ahTpPFGD|xM1_!HykILS4HZCF{z}m zRH!iiy8gt(C%N`ntENz~!k;@zVNcdqF1vsF{4I|Yfs?i#`WYy(c>VF;i;wx9RPg)V zZSeS1Xo10R*OT5eb$EC_G{2l*GUr@r%Nr|c-CxnqJfmVSH7wzupQJBc-~Hx7m9Jhs zljhTktEuX&#=?byA8zLD;+_*&Vtd11;&@b0x0r>Qq2shgCARykZwjTndFZd`=JTw3 zdHNpdov*jvZj_BUyXXs-@#%%t&(R}ayPtb~e6iQr<=n*20_)jMt(Bzxt7dubIa*7u8=F-X%N~2z zMs|J}I<^_d^U?5e%I*DZS4aeb<8l-Q#^s}JzJKmX4A+y{G6+0ZSo|LFXPoPXJZ zPeSa2L$CV&MR6{ColdT4dtZl@2dvyyRoeJF+k9ozf&IG0g1=gQ({7pG&~WN%n-s5j zM|RVkCFdU=OWK)sVcqA0pC5UM(woz-vaWvmzJeU9E3^6yIZ zhIt|j9fPj~SRSjoml@OHWk2_kaFyMjhYw7$Ije8h2Ysq}Yr4a7b?FX%j^8iN@6oY6 zeNN-3#o5POO?ltFZ4terC|u0l8Z4eZX@=s)81KaoMECwnuP4ML1V$tPd^U4laxEwyY;(w5!*t^XtD=Ss_*Kf9tPZOK|Q##Px`);~O{huGH zd-ihb+>KrO^L5yP;MLqe7tBtd*rGSX>0Yu&yWYL&QXzSTAGX!3cZxAA&u9+Nv#!v1 z+Wd8*#3Lgg=li!-Dr`OJ!k)97qkm=Ck$E}YZ!I<7o-EU1Uh$r%#G6Yq(qNWv<;wqx z9XBUU@_F>}>VoTREr)pT_c8V7RPbHmuk@)`{dIf>Zojv4#msu%rF(D8Hj-EL-@7ztlNawoCEi8$$6A6C1AyIRQ)`1mTmMtry{@0)KK9;Iwa!6r+8E4@B 
zf3KLzzBFBEPTvy3bnN(yxE~qMY})O6I*j<9vgM_>={p`17s;NMcfi#(@4&hap9c)< zLxshIWOQv~zFrW5lN&K{ut2z&_McZ6@{_jx5#5eYHeJZ-jHpa(v zSSsDonA|e!;LP>ELO!iEv5!*IXE-RY`Z82XbNiImEf0IOmQ~coObI#b?URwK@1uO> z>GLz|laF1p)>`VhSBSTl)yO^l@s0xdm>t^R7{jZGr5Y z*y3LDUzwP>@#KDud4h5L6@L^inQX6>BW*V;8( z-Y`1kEeO zx~FA1bV9fnKX@{4vXPDCo7uOFcX#Z~pYQoqhOKBW>*kpoe|SnL-kBeE;oO#ot4&H~ zzbX5`yejezMw6!F!$S}*k_8ouTH!zi!&4Hj5e*b6RyncCI40fY z30wYaFjV^`M1Q+*@ARLOyI(X;pCa-0U3;y$(8MkF3@V&2UY`xhb1>}Bc_@1>+UKyy zv9$_$3)k1(o8Z25iZU=Pp%v=Prw#Yu~VZt6jgc7R7Jt6X{Bk7d$e*hxxP51S6mhQqY@f|4sKM@W?7(^_= zn@qU<)~K{@FD*QnIlI5%lHXbRpqac+HMjMat#P>0GyRaxcQ%;-!Ov$a(qA2oUA`sZ zkgeh+!OrZ$2A(bHbL;15wP^HLJp8uS=s+IRcFW`ckLs*R`QP$(e z8=vMlovXj6wCCD}=)K=%G%RoBco;XaeR$R9d$xMwCKi3kH8zXN*FKv0yJc7R^{mV@ z94VHv2l#j1Hv1T~{r{~!%$w6{HkLU4dsoM1SMzScnMfQ2a!0@luEs9*oCuNGS1vIJ@i4vk_t-fruv-1H*{vgX F8~`osYH0uf delta 2814 zcmZ1^zC~<;PIzIYexjwEgp*N)S73IfMPhzHpqqPyOG<#5VQFz_MWk1eVNzsyPH=jZ>%@=Z;r{yB zuAym8=H)4t73n$V?iCe2o_=N?VaBP+`mP>nez`>fg(WHBnXcJ^T-iaT#Th2$X>LUk zp(P>OzWyeG0j|Xn!6l9<*&e3BPL=tY$@)pz&Q50Klj9l1>)p(p%+1a6+^Wn>EVDB+ zLk)|P0}~^(lg&&^qB1f(qVx+~D}u@c@{-ESx%~X{)0~2Ho%~IF(kmccHc1N_rUvblo%4BYQI>ns*{QCD^DlfuP4yL@|%*$bweSQTO*UOxc)K{By{93*2{`W6DtoHAnnPa#; z{>i@^i(I)mp|jV*rC>wKBeM^B!Ia>g$<+Ih3vY|7GW zzmN4kF*aJ1nr3gb@5w{4+ksjaTs{l-KH_c*>dw=<{pr5@PG>KPJIgoS_4yn7n)}`9 z>V<7dqTx*}3!OO*J-M^_aD8ZWnNUS+e_Y4jxgi$9KYZ1C_c}~j-*qHrQRCIHU1vAn zcJr$a%(k89>M(P){g$qse|FB-XWu@*vtnJQ@WJyT3w9>WnD=N$j*;O@m#mt?U#%M} zs#ur3u#!=|DIc-<%J(;~nh(4dnO~{+xHmgvQ=jdO#cyu;D#zeV%*>p%g7yqwPisA5oOb`-oIR~` z`}(_&?pQKo;@N)J0^Q(ZOAK=+OX+u=lLtiQ%(17ydku-p4}>I;psK<7IUVqvB@|#(fGbWiRwd^ zGrZqy;&~nZTGsu2uNimyWJhfKCq1^6o24hVb$r(A`<`B@cHDQvaqIA)()lIl-*5Zv zrzC#zi+LL)phM-z4*Q@hjSa=SlMy+`TFg=ctfj(kN*jCp}Z_N z8~diSC#OzzPCT^XVOh_Ticx=a#Ls*R6lB@F@%bN~t#GLXGBd zDc17m!pB_mq~C-KxBl*2#+4&f+#z@&H)6A-)GQwcr7xxc=^Yo9rO72)%OPT-`RY@_47ngg)@TdX8mJLYY=9L((z96o=4=7 z+L^9LSXi^77KvE{qvcGLZ?YxH*6ef6`M-Q((g`?4^f_m<_{QvThB*NZk;`~3O-l6#NW*~glH_HFQ*cg9k# 
z`LMZI)zg^SJjdo|Mt{5PA9qQ1b4tpdpGF_eRvpjk%}|!`lxbc!i>p7KPifEQ-`!z% zg!Fam!>bOdD>tn8G53%zS3sk`?7HU~;!7*;xqi0M3wz^JvPC{XC8fdSN6o5lx7`-K z3cLPpOI-KcbgL`=&o)RH3!iP;S<3MI)tt8rW*re*D;0S1+e6E+Z%4bI>Ce!Sf2_D8 z2mY*I=g5_{SU5V z_bm>Y2xqWuFXcS#ux8_B$Ioo@8sA#Vw})Ngp2lt$Fkj$GX8rM=S-qPoZ5baHJ<)vC ztvx5Bb4sMSk?7Xx4R_?`XI8f?UeOh&aJSR`i$sb>t&GBpsHaoBQu4N5^z@p_*w)wk zqxOG2$9t(e_h*a!tPei0=cei5x4Y)Mes5>adhm*Csk=UN&6m5~>E2J{ZKs}l5N-NC z^7Q+C-s_iaJNtI=f-CI{w{X4c`&zYY(ML|^o)D{uPZokAzDz&X#H{%CP5p!JKOKAB z#Vh~5{Qvm=dX|5g>*pS~oFlq1U$D|&O}Elfr^2De!>W{d(fR2KUrbc;>p4xP^0%kI z5dN@IzKN?fs)OH6dgtMfZEM%QxzXc1gVp}cHO12*V%2Z;yADr?v}gV2yOrCy?sbr- zx!)O09rfTFbGAnb{gau$$s_N2@GqVhab}0pS84nE&Yv#MtA5t%p#MBuUPhU7^PA>m z__(dnHrv2()SjNv8h7(<|#ae{R0$w25Pu`Rw+(M*=Bn$CsX;xJNG0&}q7h zn$zB$VnOUZM-#TTrFcI$@KRi7_tk5OO6O-jw$l|_P`1^6PK;Vzg3M_TR}U-4mhfCR zi%-5kU(KjbQsUgF`nW1{MNo|8CkZ*JO*=g0Zz}j)w)-m-8^8DF)F=Mc8AXOWq(qC> z)|*bW;oM>OGB(}doVhf+cB9JNa@Bb)p&VwGM|6+e56%9~7PI+J%J_-t^yl2( zYOxPhno2#5YITyxi1(N!w(s+#PT>QLvah9&K9xB0 z>$;E3vaQ?sD;CLf-2S{-t?J0)*v*|1@|{`0wXO-vw;6`@3$zo&U3V z-FLZ6VBoFt?D`_)y>&aEg^l!gE&h{hH#c9Oci>f8ABp>~dmWzYi#Cd@z2|w9KvIdgqkx%8b(X|7;@b zocHhPESGXq(p*$8+ZEwB*^8Co^7dc$_AkFbnzxNNAz$G`M2YO)^vwd5x;IL=x9we& zXgEdF-0$z|Tf6ohU;D|zRX}ebYcaQmj3sZl{0o9_PutKoaN{G6(qdg$@mTdzL+l3Wow zQRDNj_+3+Z**D!)kqm5k`M_h&2Zvp`#rxU0yKXAY!UrKa0ch+Tgg{N&s#QE)@U( 
diff --git a/secrets/tlskey.age b/secrets/tlskey.age index 926f347dac39e321789927448b2cf4cd00556304..99fc887b4d35cfff12996232836182b3cbb190f8 100644 GIT binary patch delta 2206 zcmca1a7=K5PJL-;CxscirsouAl{r@AbEQdP8@L5TSp?>$Il227aOvvmDinKp`xb?VhniPb1(;bD zrR5rj8o30R8aq3AM3|L(=M;q-)hDNTd6jVV_c|8y(lKMM_W8oQCwKHtI(yH# zKD8y^_1h#hjs1G7U-d0ui9Q|ne%9Z8UhOV{|7WVN^9k=Z(~0@B;DqkhlR8g|BJRx5 zySv)EziX>@dW|7d#6i>holKLP{$FZ!TQno!+t%AMhb_v*_Wxo*=E16A**%Zn?Lcz76V zbC&)wnke7AIH)kOVx7VLg<^KwT2yD0l>E;smAkeH5R_^PSkA>y*ZZ?6CSb#cA?6l{<%(SbGar%D-pS?z*)6?uXmX z>))9!wfY?Iv&E)C*rR0ijAVx9&3`zIU$y+1G=-Ic({m@A(6Zai`&n+5zU6%1CVFMT zVUtCNwz@^W>MU3`!^bn+qR*Rc>HJAs?l~MRRQz*v$ zechHk@Azps_b6HOxDs_i1yQD}7ppr3^|pupQJFLE!O#2+8E#js7r6go+3;yOzwJZ! znZ+O3*SBx+*_XM%{N*;&DP}7@|0w-k_`H>IqtOL_wdC?GMsJr^UZ1pl)zhQ8=37tS z_tLR6y~wfPe0%)MS8mzOT~3<=NG7Fhb*?ml&5$O^j2Dy@NqP>Vx|k=_hP_ zPCaur^izDru>2ZNxrI^i8o~F1JsUUpuDQHQX&<|-(BJo&rVrW5vf94|tm5l=@>wM5 zpuvnvR*&Nb$?{X#?2Y4J21&0gd^oN4)rGK9*?XsErrf;wK&>HDwPOv z^sJbaxpQV)ZRn+23yrxa98`HFIx%*!XpU-!$@!A~x&Bl8HCB6W+wCzkZ_{heeMhS1 znIv6n*=LgZL&M{H?dJQnL1#>#w(j&f@iKnWPSN_UAD->m`*X#m<$^9R0)8pJ{xDVc zaLB()A78JnK3zIb;=WIfx&ODHIg%@Fx4bCtGrM&A{(md~O26DoYn=ZDzu%!78ohDJ z|1}a3tKYtheRfT%`uSJ&kih&1uZSs`hZw*5JqRw?GylO7#YWdRvj20^`E6HE_WSdB z?+hpX$pI&y#23~-{32bw;BsQ?mW~y5=UQauHJ6_Vx~%N7^nD(~#h759DK3Hk*KC)$ zacbF@*Y?|!)$VcJSoP>aY|+=LVdizFk=h6r! 
zZ`P&gpIZ5Gaqw3K?`I#S3>>DXzr8bO)5^m~Hr^8buDQ{+fBS_ECW?BVn!ab1CI4!% z++Jn2)KI-6!sWt*w%?OCTBh9iQ~#!X=^pk%{lav{=ZikiHTxy??Lc{*k@WAbV*z!x zY8%c?eh`pwK~3zR`q!^VPP-_}G4>cJ#=NbZb1ygk{hve0pN=x0yVvGspS8u+s%`aa z;a}Eqwx5qJxN_q2CJigSYfr5*JMX8Rwk%0eI=1|_+m_$6kN$snH^*M7&dQ-?)3i|A zdV|kj{Wjm{ySs)%LqLx0Kf|uyr{rJ0cg-~7wJd*ne*LVSCbh>NOuw2nIdp2Rx!)a+ zsB=oS0x6$MzEnMUxvSbRB=Os8y@Cyy{D-v9pA+16toGMs=Q{BTW$tA?3+H$|IDJ7Q zIpSeM_vy-e$0Q_9cNJPpk#axXbA<0jXYbSL0dE89xAzNQF75w5nVnDYdeo|=d*&Z; zI2pQm#WM$=y;myUul>7YW=`&lC34}RF^W1;i|AoKzp71!i^jpzW_xZu!?N+=@$kZ(g z75ch+(vyi&56tg9`4Rlzao*d?`CKbJbXyL#Er>sP*2Z}M#QV#&l$g6BlYeG&nK}H5 MThOlP|FG{T04voMZvX%Q delta 2076 zcmX>mctc=(f%byvy{xqWoPwe9|I~ zeccVc_00?Q)014h4UD{t%A8A+4GTj{!zx|Mxq{L?a-9RhLn_mQbKRqIQYyUjveNx? z1D#XK%d|bb%F|MFOM{&&osG*axO8=O6O&GEJ>8AG4YbTfS{@3EwO1v z5ns<}F5A4W!|cLOWfvZc-5xHFISQT}e|_S4#*D!BMc3SaZ=Y5FxG(gTpk_`V%aOJ< zI)9A$x2^fHMtJLPrt|E5FWx#B?bq{Z!~e290rKoF!Oh1X zUR`g|x5~`%v46?l6P%o(cYo(EN%$#fHbrw!`yVcrX zu*%M1%}z4>tHyor$z#8HZ`QpMyp>$GRzdsNFF}VL|II_UFZ$6S&iYoN)G6HOVEvl) zbG{lV?>S`@U3_4HcdwTJvfI6#XO6Ekd%AaF+WqC#%;_7IyQ|jg99hg9`J!|3)E?;v z{|@RW+~l}&?S_A`fr#wvpsBXUcU<2lH-Da<%cH4H>lS@9o47XO{&kPIrfCa)dri

r^MM-zH^#Aa0Tb!&x?mldgOf zFZLIII-+1|_ZY#!{XELmQ{Ga)E2E8@SzjIGXIC8_&-qOORu*{u7SRKyx9?qVN*UuSqZAwO>! zujN@Kxo6?U_n*sM*cm$WMVaLu#loP1a4V7Ld((AhN^1Q{duRJ>dibr0k}CX59>&#$ zb;pUV>e;_%mAgdG^=;{%Z9n?gzTCAjCPmuy-hn42aXzk--d(A;n8VF*@o)Xw^Jha% zCa>;{Sh#MwBWvxk3m;?d{!PfOm|TDL?b&6F-h190y!#+*?%Q1%e`f6E%`!Flu5vGA zfAG4zC5pk}=Hgqe0yAY_9B4Wdt!KL4>DjZ)kEOTwoSwp>c0a@W+YOG{actbW{tx1E z;@@w3ms>5YZrD*9E?1Jkb*sLkFj}g{`}CQ|c5}GrW=1u%GfLg^HVXWd$2v3V&zb1| zoeqWvRgFIs+FV`4Zsr_*Y1@t33G=jbPX+S6GjH3I{Y~F7`2M3G4Ivv;*=iGY>N9^i zU-9@>uGTcWSY(CZizJ1Fqt{-h&-!6`=jsEmX&zDQIbLZxZpu8!6tuLmS@JDM{Vbav zrfWVail$wR$G7urOFs~^(B1QxmEOk$J)f!lvSnwrxPO|doBE0|TMHW|DBoX|DZm-C zO@FUJ*7?`-i@(o*n#*GD9_rBQIzr7p#me=Q)IVT?L`oBW{9LE8(&lXFMosbFL85E@U z%R8k1a(B1E+s6SGPtPX?^#9}zR2H-U+S|S}&?z-zxrk^*v7}!~#qkLdf%*4)E*pJ} z+RI+>)!bmV>dd=`EyZfrJ{DMT;E}66OVj3wSGHxanaXbe&h;Xr!F_FuHiN0`@@LaC zj&z3CbDguEurgSfJL<+jYDD@u%s}uoqiYeo~ri>hYK*-z+{mJ_xjP)!$t4 z>Pq47xR(<|B|k~boqA+twx06u;J*wxZ!kV<(+;%#wV9=Y1!RxPT0vXVI7xT z$Bh4SQgZ9`n*RMQ?#vQc@H64Z4Uv4K+o`)&MQC<^voxtszwp!jmCPz7W-HA_UMVu4 z44(;!AFq2bef#k{YU;=O6x%(@72N8wmVR0Fg6re83W>XWJ{gDq-(`Qgd~<<;fqLE3 z^G}c7k(7*VnHY4i@6@s6^s71_vy>*@zBbL%I%ED}j$bMw=TaXt@7qvbRueXD$)T^k z6PSxwgV$^mY!&SM*;wDV{99^$&+A?HOz*W$dfm3+jNt1~lNrbPmwoR4<9_|y^S|oZ zLjN6;PhEI_;#7y<&mLZ;qpGrx!pNSWqA-7g7W2RQ7jfI|xXyPM z-#5zc{mb@Z^(14n_YV?6=LffkH7OJw1hRB0SY_SuK)l5 diff --git a/var/ssh-keys.nix b/var/ssh-keys.nix index 1561f05..fd9e3d5 100644 --- a/var/ssh-keys.nix +++ b/var/ssh-keys.nix 
@@ -8,10 +8,12 @@ mkKeys {
 "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG+dd4m98aKEWfFa/7VZUlJNX0axvIlHVihT8w7RLyY";
 "c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIsoj2+esEebRwDV2PuNRt9Vz28oolOy+Hc2THwrWTAB";
 "roam" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEDlh8hY01wwmNtfa1eK3mVBIcytdh4n/kV05gP9z1Lc";
+ "fw" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJmxhDwylLlklpgiUWHc0BPSCkNkuAIrXLNOHpAcgXiL";
 };
 root = {
 "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsl8pLaGeCL3kacGWf8pzoLQr501ga/2OzvI2wWbTZJ";
 "c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJAZaswaiA+oQ9NviADYFf7BJQHNlmdxQuocIdoJmv3o";
 "roam" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID++uLcQOx/to3sEo5Nk97CenGf0Y6/dMsBbLouVTgIQ";
+ "fw" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOjfPXDS3UvVGXzJYXU8TyP5q0WDzb0anx4Std40AT+j";
 };
 }
diff --git a/var/wg.nix b/var/wg.nix
index 64253b1..76d538a 100644
--- a/var/wg.nix
+++ b/var/wg.nix
@@ -4,6 +4,7 @@ rec {
 "roam" = "yUbdRfRFFVe4FPUaD7pVByLRhpF9Yl1kethxRUHpVgs=";
 "solo" = "SRDguh0aN/RH8q/uB09w/OZTbP9JZZy0ABowbWIfkTk=";
 "c2" = "yJ1vrI9+qzUHuQJxeRDLCDCMRCIhF+0UNPwz3agyxTk=";
+ "fw" = "xpiJJMPhZEIEvNDBYRbnOsBeDCdKN1cHdYM95b9+rUY=";
 };
 wireguard-network = {
 "roam" = {
@@ -25,6 +26,12 @@ rec {
 allowedIPs = [ "10.10.11.3/32" ];
 persistentKeepalive = 19;
 };
+ "fw" = {
+ publicKey = publicKey."fw";
+ ips = [ "10.10.11.4/32" ];
+ allowedIPs = [ "10.10.11.4/32" ];
+ persistentKeepalive = 23;
+ };
 };
 keyFile = "/var/secrets/wg.key";