diff --git a/modules/config/default.nix b/modules/config/default.nix index 86e8df0..5c7cb29 100755 --- a/modules/config/default.nix +++ b/modules/config/default.nix @@ -60,6 +60,7 @@ let domains = genOptions stringType "url"; dns = genOptions stringType "provider"; localhost = genOptions stringType "address"; + wireguard = genOptions stringType "interface"; remotehost = genOptions stringType "address"; email = genOptions stringType "address"; sops = genOptions stringType "path"; @@ -87,6 +88,7 @@ let label = stringType; name = stringType; sync = genOptions stringType "address"; + wireguard = genOptions stringType "ip"; } // genOptions mountConfig "folder" // genOptions mountConfig "samba" diff --git a/modules/config/devices/config/ceres.nix b/modules/config/devices/config/ceres.nix index 4caeb4e..723cca4 100755 --- a/modules/config/devices/config/ceres.nix +++ b/modules/config/devices/config/ceres.nix @@ -27,6 +27,9 @@ in boot = { options = ownerExclusiveReadWriteMask; }; + wireguard = { + ip0 = "10.100.0.1"; + }; storage0 = { mount = "/mnt/media/${ceresStorageDriveName}"; device = "/dev/disk/by-label/${ceresStorageDriveName}"; diff --git a/modules/config/devices/config/mars.nix b/modules/config/devices/config/mars.nix index 0dc12d2..5ea9e56 100755 --- a/modules/config/devices/config/mars.nix +++ b/modules/config/devices/config/mars.nix @@ -18,6 +18,9 @@ in boot = { options = ownerWriteOthersReadMask; }; + wireguard = { + ip0 = "10.100.0.2"; + }; storage0 = { mount = "/mnt/media/games"; device = "/dev/disk/by-label/Games"; diff --git a/modules/config/instances/config/firefly-iii.nix b/modules/config/instances/config/firefly-iii.nix deleted file mode 100644 index 2b8c1a1..0000000 --- a/modules/config/instances/config/firefly-iii.nix +++ /dev/null 
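Review bot: The instance-level option is declared as `wireguard = genOptions stringType "interface";` but the only consumer in this diff, web.nix, fills it with an address (`interface0 = "10.100.0.1"`), which also duplicates `ceres.wireguard.ip0` from ceres.nix. Nothing else in the diff reads `web.wireguard.interface0` (searx/default.nix and systems/ceres/config/wireguard.nix both use `ceres.wireguard.ip0`), so either drop it or declare it for what it holds, e.g. `wireguard = genOptions stringType "ip";` in the instances section as well. If it is really meant to carry an interface name, the value should be `"wg0"`, which the new firewall rules and `wireguard.interfaces` blocks currently hard-code.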
@@ -1,38 +0,0 @@ -{ moduleFunctions }: -let - inherit (moduleFunctions.instancesFunctions) - domain0 - servicePath - sslPath - sopsPath - ; - - label = "Firefly-III"; - name = "firefly-iii"; - subdomain = "finances"; - domain = "${subdomain}.${domain0}"; -in -{ - label = label; - name = name; - email = { - address0 = "noreply@${name}.${domain0}"; - }; - sops = { - path0 = "${sopsPath}/${name}"; - }; - domains = { - url0 = domain; - }; - subdomain = subdomain; - paths = { - path0 = "${servicePath}/${label}"; - }; - ports = { - port0 = 3306; - }; - ssl = { - cert = "${sslPath}/${subdomain}.${domain0}/fullchain.pem"; - key = "${sslPath}/${subdomain}.${domain0}/key.pem"; - }; -} diff --git a/modules/config/instances/config/kanboard.nix b/modules/config/instances/config/kanboard.nix deleted file mode 100755 index 045d1b1..0000000 --- a/modules/config/instances/config/kanboard.nix +++ /dev/null @@ -1,38 +0,0 @@ -{ moduleFunctions }: -let - inherit (moduleFunctions.instancesFunctions) - domain0 - servicePath - sslPath - sopsPath - ; - - label = "Kanboard"; - name = "kanboard"; - subdomain = "todo"; - domain = "${subdomain}.${domain0}"; -in -{ - label = label; - name = name; - email = { - address0 = "noreply@${name}.${domain0}"; - }; - sops = { - path0 = "${sopsPath}/${name}"; - }; - domains = { - url0 = domain; - }; - subdomain = subdomain; - paths = { - path0 = "${servicePath}/${label}"; - }; - ports = { - port0 = 3128; - }; - ssl = { - cert = "${sslPath}/${subdomain}.${domain0}/fullchain.pem"; - key = "${sslPath}/${subdomain}.${domain0}/key.pem"; - }; -} diff --git a/modules/config/instances/config/web.nix b/modules/config/instances/config/web.nix index ce8c8dd..590f58b 100755 --- a/modules/config/instances/config/web.nix +++ b/modules/config/instances/config/web.nix @@ -26,4 +26,7 @@ in remotehost = { address0 = "24.76.173.0"; }; + wireguard = { + interface0 = "10.100.0.1"; + }; } 
diff --git a/modules/config/instances/config/wireGuard.nix b/modules/config/instances/config/wireGuard.nix index 19f748b..4a8ed16 100755 --- a/modules/config/instances/config/wireGuard.nix +++ b/modules/config/instances/config/wireGuard.nix @@ -14,5 +14,6 @@ in path0 = "${sopsPath}/${name}"; }; ports = { + port0 = 51821; }; } diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 955d979..27be9b5 100755 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -66,7 +66,6 @@ in searx vaultwarden forgejo - firefly ; }; }; diff --git a/modules/nixos/services/acme/default.nix b/modules/nixos/services/acme/default.nix index be6fedc..659eff6 100755 --- a/modules/nixos/services/acme/default.nix +++ b/modules/nixos/services/acme/default.nix @@ -41,7 +41,6 @@ in "podgrab" "vaultwarden" "audiobookshelf" - "firefly-iii" ] ) ++ (map diff --git a/modules/nixos/services/firefly/default.nix b/modules/nixos/services/firefly/default.nix deleted file mode 100644 index 4dc6940..0000000 --- a/modules/nixos/services/firefly/default.nix +++ /dev/null 
@@ -1,123 +0,0 @@ -{ flake, config, ... }: -let - inherit (flake.config.people) user0; - inherit (flake.config.people.users.${user0}) email; - inherit (flake.config.services.instances) firefly-iii web; - inherit (flake.config.machines.devices) ceres; - service = firefly-iii; - localhost = web.localhost.address1; - host = service.domains.url0; -in -{ - services = { - firefly-iii = { - enable = true; - virtualHost = host; - enableNginx = true; - settings = { - APP_KEY_FILE = config.sops.secrets."${service.name}-key".path; - SITE_OWNER = email.address0; - DB_DATABASE = "firefly"; - DB_USERNAME = "firefly"; - DB_PASSWORD_FILE = config.sops.secrets."${service.name}-pass".path; - TRUSTED_PROXIES = "**"; - }; - }; - - nginx = { - enable = true; - virtualHosts.${config.services.firefly-iii.virtualHost} = { - listen = [ - { - addr = "0.0.0.0"; - port = 8080; - } - ]; - }; - }; - - caddy = { - virtualHosts = { - "${host}" = { - extraConfig = '' - encode gzip - - reverse_proxy localhost:8080 { - header_up Host {host} - header_up X-Real-IP {remote_host} - header_up X-Forwarded-For {remote_host} - header_up X-Forwarded-Proto https - header_up X-Forwarded-Host {host} - header_up X-Forwarded-Ssl on - header_up Connection "" - timeout 240s - dial_timeout 240s - } - - @session_cookie header Cookie *session* - handle @session_cookie { - header Cache-Control "no-cache, no-store, must-revalidate" - } - - request_body { - max_size 64MB - } - - tls ${service.ssl.cert} ${service.ssl.key} - ''; - }; - }; - }; - }; - - sops = - let - sopsPath = secret: { - path = "${service.sops.path0}/${service.name}-${secret}"; - owner = service.name; - mode = "600"; - }; - in - { - secrets = builtins.listToAttrs ( - map - (secret: { - name = "${service.name}-${secret}"; - value = sopsPath secret; - }) - [ - "key" - "pass" - ] - ); - }; - - # fileSystems."/var/lib/${service.name}" = { - # device = service.paths.path0; - # fsType = "none"; - # options = [ - # "bind" - # ]; - # depends = [ - # 
ceres.storage0.mount - # ]; - # }; - - users.users.${service.name}.extraGroups = [ - "caddy" - ]; - - systemd.tmpfiles.rules = [ - # "Z ${service.paths.path0} 755 ${service.name} ${service.name} -" - "Z ${service.sops.path0} 755 ${service.name} ${service.name} -" - ]; - - networking = { - firewall = { - allowedTCPPorts = [ - 8080 - service.ports.port0 - ]; - }; - }; -} diff --git a/modules/nixos/services/hLedger/default.nix b/modules/nixos/services/hLedger/default.nix deleted file mode 100755 index b88433d..0000000 --- a/modules/nixos/services/hLedger/default.nix +++ /dev/null @@ -1,72 +0,0 @@ -{ - flake, - pkgs, - ... -}: -let - inherit (flake.config.machines.devices) - ceres - ; - inherit (flake.config.services.instances) - hledger - web - ; - service = hledger; - localhost = web.localhost.address0; -in -{ - services = { - hledger-web = { - enable = true; - host = localhost; - # baseUrl = "https://${host}"; - stateDir = service.paths.path0; - port = service.ports.port0; - journalFiles = [ - ".hledger.journal" - ]; - allow = "edit"; - }; - }; - - environment = { - systemPackages = builtins.attrValues { - inherit (pkgs) - hledger - hledger-ui - ; - }; - }; - - users = { - users.${service.name} = { - isSystemUser = true; - group = service.name; - home = service.paths.path0; - }; - groups.${service.name} = { }; - }; - - fileSystems."/var/lib/${service.name}" = { - device = service.paths.path0; - fsType = "none"; - options = [ - "bind" - ]; - depends = [ - ceres.storage0.mount - ]; - }; - - systemd.tmpfiles.rules = [ - "Z ${service.paths.path0} 0755 ${service.name} ${service.name} -" - ]; - - networking = { - firewall = { - allowedTCPPorts = [ - service.ports.port0 - ]; - }; - }; -} diff --git a/modules/nixos/services/kanboard/default.nix b/modules/nixos/services/kanboard/default.nix deleted file mode 100755 index 7429d7a..0000000 --- a/modules/nixos/services/kanboard/default.nix +++ /dev/null 
@@ -1,83 +0,0 @@ -{ flake, ... }: -let - inherit (flake.config.services.instances) kanboard web; - service = kanboard; - localhost = web.localhost.address0; - host = service.domains.url0; -in -{ - services = { - kanboard = { - enable = true; - domain = host; - nginx = null; - # dataDir = "/var/lib/${service.name}"; - # settings = { - # MAIL_FROM = service.email.address0; - # # HTTP_PROXY_HOSTNAME = host; - # HTTP_PROXY_PORT = service.ports.port0; - # MAIL_TRANSPORT = "smtp"; - # MAIL_SMTP_HOSTNAME = smtp.hostname; - # MAIL_SMTP_PORT = smtp.ports.port0; - # MAIL_SMTP_USERNAME = service.email.address0; - # MAIL_SMTP_PASSWORD = config.sops.secrets."${service.name}-smtp".path; - # MAIL_SMTP_ENCRYPTION = "ssl"; - # }; - }; - caddy = { - virtualHosts = { - "${host}" = { - extraConfig = '' - reverse_proxy ${localhost}:${toString service.ports.port0} - - tls ${service.ssl.cert} ${service.ssl.key} - ''; - }; - }; - }; - }; - sops = - let - sopsPath = secret: { - path = "${service.sops.path0}/${service.name}-${secret}"; - owner = service.name; - mode = "600"; - }; - in - { - secrets = builtins.listToAttrs ( - map - (secret: { - name = "${service.name}-${secret}"; - value = sopsPath secret; - }) - [ - "smtp" - ] - ); - }; - - # fileSystems."/var/lib/${service.name}" = { - # device = service.paths.path0; - # fsType = "none"; - # options = [ - # "bind" - # ]; - # depends = [ - # ceres.storage0.mount - # ]; - # }; - - systemd.tmpfiles.rules = [ - # "Z ${service.paths.path0} 755 ${service.name} ${service.name} -" - "Z ${service.sops.path0} 755 ${service.name} ${service.name} -" - ]; - - networking = { - firewall = { - allowedTCPPorts = [ - service.ports.port0 - ]; - }; - }; -} diff --git a/modules/nixos/services/searx/config/engines.nix b/modules/nixos/services/searx/config/engines.nix new file mode 100644 index 0000000..bf09673 --- /dev/null +++ b/modules/nixos/services/searx/config/engines.nix 
@@ -0,0 +1,65 @@ +{ lib, ... }: +lib.mapAttrsToList (name: value: { inherit name; } // value) { + "duckduckgo".disabled = false; + "brave".disabled = false; + "bing".disabled = false; + "mojeek".disabled = true; + "mwmbl".disabled = false; + "mwmbl".weight = 0.4; + "qwant".disabled = true; + "crowdview".disabled = false; + "crowdview".weight = 0.5; + "curlie".disabled = true; + "ddg definitions".disabled = false; + "ddg definitions".weight = 2; + "wikibooks".disabled = false; + "wikidata".disabled = false; + "wikiquote".disabled = true; + "wikisource".disabled = true; + "wikispecies".disabled = false; + "wikispecies".weight = 0.5; + "wikiversity".disabled = false; + "wikiversity".weight = 0.5; + "wikivoyage".disabled = false; + "wikivoyage".weight = 0.5; + "currency".disabled = true; + "dictzone".disabled = true; + "lingva".disabled = true; + "bing images".disabled = false; + "brave.images".disabled = false; + "duckduckgo images".disabled = false; + "google images".disabled = false; + "qwant images".disabled = true; + "1x".disabled = true; + "artic".disabled = false; + "deviantart".disabled = false; + "flickr".disabled = true; + "imgur".disabled = false; + "library of congress".disabled = false; + "material icons".disabled = true; + "material icons".weight = 0.2; + "openverse".disabled = false; + "pinterest".disabled = true; + "svgrepo".disabled = false; + "unsplash".disabled = false; + "wallhaven".disabled = false; + "wikicommons.images".disabled = false; + "yacy images".disabled = true; + "bing videos".disabled = false; + "brave.videos".disabled = true; + "duckduckgo videos".disabled = true; + "google videos".disabled = false; + "qwant videos".disabled = false; + "dailymotion".disabled = true; + "google play movies".disabled = true; + "invidious".disabled = true; + "odysee".disabled = true; + "peertube".disabled = true; + "piped".disabled = true; + "rumble".disabled = false; + "sepiasearch".disabled = false; + "vimeo".disabled = true; + "youtube".disabled = 
false; + "brave.news".disabled = true; + "google news".disabled = true; +} diff --git a/modules/nixos/services/searx/config/general.nix b/modules/nixos/services/searx/config/general.nix new file mode 100644 index 0000000..3c8dc61 --- /dev/null +++ b/modules/nixos/services/searx/config/general.nix @@ -0,0 +1,8 @@ +{ + debug = false; + instance_name = "SearXNG Instance"; + donation_url = false; + contact_url = false; + privacypolicy_url = false; + enable_metrics = false; +} diff --git a/modules/nixos/services/searx/config/outgoing.nix b/modules/nixos/services/searx/config/outgoing.nix new file mode 100644 index 0000000..f71e6aa --- /dev/null +++ b/modules/nixos/services/searx/config/outgoing.nix @@ -0,0 +1,7 @@ +{ + request_timeout = 5.0; + max_request_timeout = 15.0; + pool_connections = 100; + pool_maxsize = 15; + enable_http2 = true; +} diff --git a/modules/nixos/services/searx/config/plugins.nix b/modules/nixos/services/searx/config/plugins.nix new file mode 100644 index 0000000..d58c480 --- /dev/null +++ b/modules/nixos/services/searx/config/plugins.nix @@ -0,0 +1,9 @@ +[ + "Basic Calculator" + "Hash plugin" + "Tor check plugin" + "Open Access DOI rewrite" + "Hostnames plugin" + "Unit converter plugin" + "Tracker URL remover" +] diff --git a/modules/nixos/services/searx/config/search.nix b/modules/nixos/services/searx/config/search.nix new file mode 100644 index 0000000..3d6c408 --- /dev/null +++ b/modules/nixos/services/searx/config/search.nix @@ -0,0 +1,7 @@ +{ + safe_search = 0; + autocomplete_min = 2; + autocomplete = "duckduckgo"; + ban_time_on_fail = 5; + max_ban_time_on_fail = 120; +} diff --git a/modules/nixos/services/searx/config/server.nix b/modules/nixos/services/searx/config/server.nix new file mode 100644 index 0000000..b8fbb7d --- /dev/null +++ b/modules/nixos/services/searx/config/server.nix 
@@ -0,0 +1,26 @@ +{ + flake, + config, + configHelpers, + ... +}: +let + inherit (flake.config.machines.devices) ceres; +in +{ + port = configHelpers.service.ports.port0; + bind_address = ceres.wireguard.ip0; + secret_key = config.sops.secrets.searx-key.path; + limiter = false; + public_instance = false; + image_proxy = true; + method = "GET"; +} +// ( + if configHelpers.hostname == ceres.name then + { + base_url = "https://${configHelpers.host}"; + } + else + { } +) diff --git a/modules/nixos/services/searx/config/ui.nix b/modules/nixos/services/searx/config/ui.nix new file mode 100644 index 0000000..ab8cea6 --- /dev/null +++ b/modules/nixos/services/searx/config/ui.nix @@ -0,0 +1,11 @@ +{ + static_use_hash = true; + default_locale = "en"; + query_in_title = true; + infinite_scroll = true; + center_alignment = true; + default_theme = "simple"; + theme_args.simple_style = "auto"; + search_on_category_select = true; + hotkeys = "vim"; +} diff --git a/modules/nixos/services/searx/default.nix b/modules/nixos/services/searx/default.nix index c3d286a..c6ad71b 100755 --- a/modules/nixos/services/searx/default.nix +++ b/modules/nixos/services/searx/default.nix 
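Review bot: `secret_key = config.sops.secrets.searx-key.path;` stores the secret's path string, not its contents, so unless something dereferences it (the NixOS searx module renders `settings` as-is, as far as I know) SearXNG's signing key becomes a predictable filesystem path. The line is carried over from the old inline settings, but the move into its own file is a good moment to fix it: point `services.searx.environmentFile` at a sops-managed env file that defines `SEARX_SECRET_KEY` and set `secret_key = "@SEARX_SECRET_KEY@";`, which the module substitutes at start. Separately, `bind_address = ceres.wireguard.ip0` only affects the built-in server; with `uwsgiConfig.http = ":port"` in default.nix, uwsgi presumably listens on all interfaces and the `interfaces.wg0` firewall rule is what restricts reachability, so a comment such as `# only effective without uwsgi; reachability is enforced by the wg0 firewall rule in default.nix` would save the next reader the detour.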
@@ -7,10 +7,23 @@ let inherit (flake.config.machines.devices) ceres; inherit (flake.config.services.instances) searx web; - service = searx; - hostname = config.networking.hostName; - localhost = web.localhost.address0; - host = service.domains.url0; + configHelpers = { + service = searx; + hostname = config.networking.hostName; + localhost = web.localhost.address0; + host = configHelpers.service.domains.url0; + }; + configPath = ./config; + configImports = { + general = import (configPath + /general.nix); + ui = import (configPath + /ui.nix); + search = import (configPath + /search.nix); + server = import (configPath + /server.nix) { inherit config flake configHelpers; }; + engines = import (configPath + /engines.nix) { inherit lib; }; + outgoing = import (configPath + /outgoing.nix); + enabled_plugins = import (configPath + /plugins.nix); + }; + in { services = 
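Review bot: `host = configHelpers.service.domains.url0;` refers to `configHelpers` from inside its own definition; this works because `let` bindings are recursive, but it reads as if the attrset were `rec`, and `searx.domains.url0` says the same thing without the self-reference. `configImports` is only ever used as `settings = configImports;` a few lines down, so it could be assigned there directly, or kept with a one-line comment stating that each file in `./config` maps to one top-level SearXNG settings key. Note that server.nix is imported with `config flake configHelpers` and engines.nix with `lib`, while the remaining files are plain attrsets; a comment on `configImports` naming that convention would help.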
@@ -20,150 +33,31 @@ in redisCreateLocally = true; uwsgiConfig = { socket = "/run/searx/searx.sock"; - http = ":${builtins.toString service.ports.port0}"; + http = ":${builtins.toString configHelpers.service.ports.port0}"; chmod-socket = "660"; }; - settings = { - general = { - debug = false; - instance_name = "SearXNG Instance"; - donation_url = false; - contact_url = false; - privacypolicy_url = false; - enable_metrics = false; - }; - ui = { - static_use_hash = true; - default_locale = "en"; - query_in_title = true; - infinite_scroll = true; - center_alignment = true; - default_theme = "simple"; - theme_args.simple_style = "auto"; - search_on_category_select = true; - hotkeys = "vim"; - }; - search = { - safe_search = 0; - autocomplete_min = 2; - autocomplete = "duckduckgo"; - ban_time_on_fail = 5; - max_ban_time_on_fail = 120; - }; - server = - { - port = service.ports.port0; - bind_address = localhost; - secret_key = config.sops.secrets.searx-key.path; - limiter = false; - public_instance = false; - image_proxy = true; - method = "GET"; - } - // ( - if hostname == ceres.name then - { - base_url = "https://${host}"; - } - else - { } - ); - engines = lib.mapAttrsToList (name: value: { inherit name; } // value) { - "duckduckgo".disabled = false; - "brave".disabled = false; - "bing".disabled = false; - "mojeek".disabled = true; - "mwmbl".disabled = false; - "mwmbl".weight = 0.4; - "qwant".disabled = true; - "crowdview".disabled = false; - "crowdview".weight = 0.5; - "curlie".disabled = true; - "ddg definitions".disabled = false; - "ddg definitions".weight = 2; - "wikibooks".disabled = false; - "wikidata".disabled = false; - "wikiquote".disabled = true; - "wikisource".disabled = true; - "wikispecies".disabled = false; - "wikispecies".weight = 0.5; - "wikiversity".disabled = false; - "wikiversity".weight = 0.5; - "wikivoyage".disabled = false; - "wikivoyage".weight = 0.5; - "currency".disabled = true; - "dictzone".disabled = true; - "lingva".disabled = true; - "bing 
images".disabled = false; - "brave.images".disabled = false; - "duckduckgo images".disabled = false; - "google images".disabled = false; - "qwant images".disabled = true; - "1x".disabled = true; - "artic".disabled = false; - "deviantart".disabled = false; - "flickr".disabled = true; - "imgur".disabled = false; - "library of congress".disabled = false; - "material icons".disabled = true; - "material icons".weight = 0.2; - "openverse".disabled = false; - "pinterest".disabled = true; - "svgrepo".disabled = false; - "unsplash".disabled = false; - "wallhaven".disabled = false; - "wikicommons.images".disabled = false; - "yacy images".disabled = true; - "bing videos".disabled = false; - "brave.videos".disabled = true; - "duckduckgo videos".disabled = true; - "google videos".disabled = false; - "qwant videos".disabled = false; - "dailymotion".disabled = true; - "google play movies".disabled = true; - "invidious".disabled = true; - "odysee".disabled = true; - "peertube".disabled = true; - "piped".disabled = true; - "rumble".disabled = false; - "sepiasearch".disabled = false; - "vimeo".disabled = true; - "youtube".disabled = false; - "brave.news".disabled = true; - "google news".disabled = true; - }; - outgoing = { - request_timeout = 5.0; - max_request_timeout = 15.0; - pool_connections = 100; - pool_maxsize = 15; - enable_http2 = true; - }; - enabled_plugins = [ - "Basic Calculator" - "Hash plugin" - "Tor check plugin" - "Open Access DOI rewrite" - "Hostnames plugin" - "Unit converter plugin" - "Tracker URL remover" - ]; - }; + settings = configImports; }; } // ( - if hostname == ceres.name then + if configHelpers.hostname == ceres.name then { caddy = { virtualHosts = { - "${host}" = { + "${configHelpers.host}" = { extraConfig = '' - redir /.well-known/carddav /remote.php/dav/ 301 - redir /.well-known/caldav /remote.php/dav/ 301 - - reverse_proxy ${localhost}:${toString service.ports.port0} - - tls ${service.ssl.cert} ${service.ssl.key} + @allowed_ips { + remote_ip 
10.100.0.2 + } + handle @allowed_ips { + redir /.well-known/carddav /remote.php/dav/ 301 + redir /.well-known/caldav /remote.php/dav/ 301 + reverse_proxy ${ceres.wireguard.ip0}:${toString configHelpers.service.ports.port0} + } + handle { + respond "Access Denied" 403 + } + tls ${configHelpers.service.ssl.cert} ${configHelpers.service.ssl.key} ''; }; }; @@ -179,8 +73,8 @@ in sops = let sopsPath = secret: { - path = "${service.sops.path0}/${service.name}-${secret}"; - owner = service.name; + path = "${configHelpers.service.sops.path0}/${configHelpers.service.name}-${secret}"; + owner = configHelpers.service.name; mode = "600"; }; in @@ -188,7 +82,7 @@ in secrets = builtins.listToAttrs ( map (secret: { - name = "${service.name}-${secret}"; + name = "${configHelpers.service.name}-${secret}"; value = sopsPath secret; }) [ @@ -199,8 +93,8 @@ in networking = { firewall = { - allowedTCPPorts = [ - service.ports.port0 + interfaces.wg0.allowedTCPPorts = [ + configHelpers.service.ports.port0 ]; }; }; diff --git a/modules/nixos/services/wireGuard/default.nix b/modules/nixos/services/wireGuard/default.nix index 75b1e38..7717479 100755 --- a/modules/nixos/services/wireGuard/default.nix +++ b/modules/nixos/services/wireGuard/default.nix @@ -2,7 +2,6 @@ let inherit (flake.config.services.instances) wireGuard; service = wireGuard; - wireGuardInterface = { secret, @@ -25,7 +24,6 @@ let ]; }; }; - interfaces = [ { secret = "CA363"; 
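Review bot: `remote_ip 10.100.0.2` hard-codes mars's tunnel address even though this commit introduces it as `mars.wireguard.ip0` in mars.nix and already derives the proxy target from `ceres.wireguard.ip0` a few lines below; inherit `mars` next to `ceres` and write `remote_ip ${mars.wireguard.ip0}` so the allow-list follows the device config. As far as I know Caddy's `remote_ip` matches the immediate peer address, so the gate only holds while nothing proxies in front of this vhost, which deserves a one-line comment. The `/.well-known/carddav` and `/.well-known/caldav` redirects inside `handle @allowed_ips` look carried over from another service's vhost and do nothing for SearXNG. The enclosing caddy block continues past this hunk.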
@@ -48,20 +46,24 @@ let endpoint = "139.28.218.130:51820"; } ]; - - sopsPath = secret: { - path = "${service.sops.path0}/${service.name}-${secret}"; - owner = "root"; - mode = "600"; - }; in { - networking.wg-quick.interfaces = builtins.listToAttrs (map wireGuardInterface interfaces); + networking = { + wg-quick.interfaces = builtins.listToAttrs (map wireGuardInterface interfaces); + }; - sops.secrets = builtins.listToAttrs ( - map (interface: { - name = "${service.name}-${interface.secret}"; - value = sopsPath interface.secret; - }) interfaces - ); + sops.secrets = + let + sopsPath = secret: { + path = "${service.sops.path0}/${service.name}-${secret}"; + owner = "root"; + mode = "600"; + }; + in + builtins.listToAttrs ( + (map (interface: { + name = "${service.name}-${interface.secret}"; + value = sopsPath interface.secret; + }) interfaces) + ); } diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index 43f3976..34a8a1c 100755 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml 
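Review bot: The extra parentheses around `(map (interface: { ... }) interfaces)` inside `builtins.listToAttrs ( ... )` are redundant; the previous `builtins.listToAttrs (map ... interfaces)` shape reads cleaner. Moving `sopsPath` into a local `let` on `sops.secrets` is fine, but the same helper is now duplicated in systems/ceres/config/wireguard.nix and systems/mars/config/wireguard.nix with a different path suffix (`-${secret}-pass` instead of `-${secret}`), so a shared helper exported from the instance config would keep the three from drifting apart.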
@@ -34,6 +34,12 @@ wireguard-CA363: ENC[AES256_GCM,data:iGiAjP5Dbw0kXR3iM50YTS8jBXODNr//W/0OPMAiu1G wireguard-CA220: ENC[AES256_GCM,data:rNy/IMKqAOsgMUu5r8BZsjTCu0L5fDDDV3/g+pkhW1y44Y2rqhhsZgcXG5M=,iv:onyHBn4npqiwC/v37SOMJLLhdfcrtvPmKbMVTgxaSQg=,tag:OmXDL3oYCDPwH1yBsKAYKQ==,type:str] wireguard-CA358: ENC[AES256_GCM,data:/VewmiNfRc9/wSE7TT+z1F9LLIvr/5wPsQZ/zBwAh3dEi9yswOGyde2b/XQ=,iv:7U5dmqFiwhCoL1moGSfHprv85o5TdMr6T2sNk5gH82I=,tag:T1hqh8CiO2iBa+ksaiKCtA==,type:str] wireguard-CA627: ENC[AES256_GCM,data:chmDsH2nE0nagjFRZWuxX08/Ykt+rIgCHYkMHd+7nIqihK5SebF7MJlrp84=,iv:NVOlGE7W70nQ0UM/i5WixJvDULO3Y4cLf8h+OAGHhQQ=,tag:L123ShCnr9+kIg1itIoqBA==,type:str] +wireguard-private: ENC[AES256_GCM,data:JjkTL+ZiU90Rxq1Ut/0TuLLYINAVjOfjHEC8PvUQJLBCORoimUObKT5Q+XI=,iv:XFuc4SlgiVK0kp+QH/jXKyOrRpjSto+ilnkIxRXzWhQ=,tag:+DpxdNJQQWdbs39yCLFgVQ==,type:str] +wireguard-public: ENC[AES256_GCM,data:X2UEVJmLu24w5imKJ6z68wmp4hMdG5ugD59xa9m+xNFTVgOzzhE+0fLN7Rs=,iv:IzW5NkUE6MHpb6Vi2nzCmR9OfB6Ftca5M3xWWhNeZSU=,tag:I2OJPLDC/8YZTjchsIWAwg==,type:str] +wireguard-phone-private: ENC[AES256_GCM,data:hm6KoNseaalt+/SYCkCW0w4sRzzpNNMjhdaxUG2KryNGgKU3HO4yig7JxuE=,iv:WHDqJFJrNTWdq46VDj8Zf6zCgi6rXwSJvnkY2cyPv4o=,tag:BSzN6WyIJM558EW3q9LicQ==,type:str] +wireguard-phone-public: ENC[AES256_GCM,data:gGMAIg3T6dOmo1z2c6oZ8Sgnylp0wjpADRWRyBCAEhmlJp1PVj+d478TO08=,iv:A4DV7zPKXwVF2nyFySyrmfdExoo3LrbiYt6PYa4/WcQ=,tag:wY4fYv1wXE0tYonrLoHpGQ==,type:str] +wireguard-mars-private: ENC[AES256_GCM,data:pUkR29PgGhHeR3d6fFJDs0bwASaC/RqUTsJe+vYs+P2skIGivkRzhi3LRBE=,iv:JK7O28r73V3NiVGikMIZunJtrdtp4jOGPi2quLYSkWY=,tag:nSHqfnZhiLrm7JuZuJtc7Q==,type:str] +wireguard-mars-public: ENC[AES256_GCM,data:fA37Ev7WL2vsgG/PE4YMFHclbhjHqCgNCOiF5J9L5UD8YuGCHUbpTV7A+w4=,iv:K9W/IZatUL+HZ5k9FGjmA4+He4xTO3IAswqpbelfhPw=,tag:FC5kiMD/pdtNjQxklDvfrA==,type:str] glance-jellyfin: ENC[AES256_GCM,data:ozdDKgAWkA88J2j8RtiOP/aQPAt/neUOSlAZF20g510=,iv:x+VhYlnA9F/VPrzVcma4/oPelCc8kjWoTZvOs4L9Uqo=,tag:crdSDjr8Y5GH/JAF6t8Yeg==,type:str] kanboard-smtp: 
ENC[AES256_GCM,data:eOIEGwJZlvbJaTfDRU3IFQ==,iv:Jex01WlHG3uxqUnTSF+v1BgnNcIu4cS9OwHBCFl1m28=,tag:3Eld1FkI6AftlCyC3419BA==,type:str] podgrab-pass: ENC[AES256_GCM,data:DVmJDb4VqcZDKNcedSaRA5dqKOzx1tSzDiK3i23+a6v3nK+4Kh7n8EA=,iv:SiiUjJLHkCOO1VKCmubftKx06laFqNv79tIPnkVYrJU=,tag:kdkT+03DemlNAsuzps8fnw==,type:str] @@ -50,7 +56,7 @@ sops: bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-27T07:07:16Z" - mac: ENC[AES256_GCM,data:yNS+bjiHnrHHmmMkChrF5PmxrYAY9HEEErhScsxTNS2OIpiK3Q+ARiTfmT01vmqFBu63RtYJFPQ3gXM1iNrqjQcnp0btXPo2uvLewbHqfj6UaQsj34GXzf9dIzeHAnXWxtlJxkrCA1ufVwW78bzlDt0x64DhboWk5pqlDUaGR6Y=,iv:oEZzK7RBxIK/DbV3wvbL4UYB59PBygGFV3uktHtjVjg=,tag:Lldass5AJL3Ka1bniaxECg==,type:str] + lastmodified: "2025-07-01T08:55:49Z" + mac: ENC[AES256_GCM,data:2m5iKDV7yIkYIL2bq9+7sFD2Nf8K1Z7mB6EKE3U+nFurOTxgUE0W10kV3BJoPoD78t5xjdbbmIt+NpmH9D41oE4lSPlOdTZujEpT0EcuNBVwz4MDBR/N7GRk74Etq1kJQ2f/NInhh8eH4xZDCQHR8BKxSX1RCd/0yWqrEbpfWrk=,iv:7gI48Urn0xFJwx3l3IzBT7KLTf4FlIf5p5Y/6Pms3ZA=,tag:QdA9cuKvFbXfT7kMbth5hQ==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 diff --git a/systems/ceres/config/wireguard.nix b/systems/ceres/config/wireguard.nix new file mode 100644 index 0000000..8547055 --- /dev/null +++ b/systems/ceres/config/wireguard.nix 
@@ -0,0 +1,68 @@ +{ config, flake, ... }: +let + inherit (flake.config.services.instances) wireGuard web; + inherit (flake.config.machines.devices) mars ceres; + service = wireGuard; +in +{ + networking = { + firewall = { + allowedUDPPorts = [ + 53 + service.ports.port0 + ]; + interfaces.wg0.allowedTCPPorts = [ + 80 + 443 + 8080 + ]; + }; + + nat = { + enable = true; + enableIPv6 = true; + externalInterface = "eth0"; + internalInterfaces = [ "wg0" ]; + }; + + wireguard.interfaces = { + wg0 = { + ips = [ "${ceres.wireguard.ip0}/24" ]; + listenPort = service.ports.port0; + privateKeyFile = config.sops.secrets."${service.name}-private".path; + peers = [ + { + publicKey = "9zfRPxkxTLHM9tABC8lIaDMrzdjcF2l1mtG82uqGKUQ="; + allowedIPs = [ "${mars.wireguard.ip0}/32" ]; + } + ]; + }; + }; + }; + + sops = + let + sopsPath = secret: { + path = "${service.sops.path0}/${service.name}-${secret}-pass"; + owner = "root"; + mode = "600"; + }; + in + { + secrets = builtins.listToAttrs ( + map + (secret: { + name = "${service.name}-${secret}"; + value = sopsPath secret; + }) + [ + "private" + "public" + ] + ); + }; + + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = 1; + }; +} diff --git a/systems/mars/config/wireguard.nix b/systems/mars/config/wireguard.nix new file mode 100755 index 0000000..b0d279b --- /dev/null +++ b/systems/mars/config/wireguard.nix 
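Review bot: `allowedUDPPorts = [ 53 service.ports.port0 ]` opens UDP 53 on every interface, including the NAT `externalInterface = "eth0"`, whereas the tunnel-only TCP ports are correctly scoped with `interfaces.wg0.allowedTCPPorts`; if 53 is meant for tunnel peers, move it to `interfaces.wg0.allowedUDPPorts = [ 53 ];` and leave only `service.ports.port0` global. `web` is inherited but unused in this file. The `"public"` entry in the sops secrets list is installed as a root-only 600 file but nothing here reads it (the peer's key is the literal `publicKey` string), and the same holds for `mars-public` in systems/mars/config/wireguard.nix; WireGuard public keys are not secret, so those entries and the matching secrets.yaml keys could go.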
@@ -0,0 +1,49 @@ +{ config, flake, ... }: +let + inherit (flake.config.services.instances) wireGuard web; + inherit (flake.config.machines.devices) mars; + service = wireGuard; +in +{ + networking = { + wg-quick.interfaces = { + wg0 = { + address = [ "${mars.wireguard.ip0}/24" ]; + privateKeyFile = config.sops.secrets."${service.name}-mars-private".path; + peers = [ + { + publicKey = "fs58+Kz+eG9qAXvvMB2NkW+wa88yP61uam4HHWaBJVw="; + allowedIPs = [ + "10.100.0.0/24" + "192.168.1.0/24" + ]; + endpoint = "${web.remotehost.address0}:${builtins.toString service.ports.port0}"; + persistentKeepalive = 25; + } + ]; + }; + }; + }; + + sops = + let + sopsPath = secret: { + path = "${service.sops.path0}/${service.name}-${secret}-pass"; + owner = "root"; + mode = "600"; + }; + in + { + secrets = builtins.listToAttrs ( + map + (secret: { + name = "${service.name}-${secret}"; + value = sopsPath secret; + }) + [ + "mars-private" + "mars-public" + ] + ); + }; +}
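Review bot: `"10.100.0.0/24"` in `allowedIPs` is a literal while `address` is derived from `mars.wireguard.ip0`; with `ceres` inherited as well, `"${ceres.wireguard.ip0}/24"` would match how systems/ceres/config/wireguard.nix sizes the tunnel, or the subnet could be declared once in the devices config. mars uses `networking.wg-quick.interfaces` while ceres uses `networking.wireguard.interfaces`; both work, but a comment stating why the two hosts differ (I can only infer that wg-quick was chosen for its route handling) would help. `"192.168.1.0/24"` is presumably ceres's LAN; since wg-quick installs a route for it, confirm it does not overlap mars's own local network.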