CaZzzer/nix-conf
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: CaZzzer:585ff678b87b88342a6832a717f5f52baa2496b4
Branches Tags
CaZzzer:master CaZzzer:updates CaZzzer:router/home-assistant CaZzzer:router/keepalived CaZzzer:router/module-1 CaZzzer:router/module CaZzzer:router/desktop CaZzzer:router/wireguard CaZzzer:home/refactor CaZzzer:feature/glance CaZzzer:feature/router-4 CaZzzer:feature/router-3 CaZzzer:feature/router-1 CaZzzer:feature/router CaZzzer:feature/router-2 CaZzzer:feature/home-manager CaZzzer:feature/ollama
..
compare: CaZzzer:83380a612567dd8bb2b051c0cac4aa6e874d08d0
Branches Tags
CaZzzer:updates CaZzzer:master CaZzzer:router/home-assistant CaZzzer:router/keepalived CaZzzer:router/module-1 CaZzzer:router/module CaZzzer:router/desktop CaZzzer:router/wireguard CaZzzer:home/refactor CaZzzer:feature/glance CaZzzer:feature/router-4 CaZzzer:feature/router-3 CaZzzer:feature/router-1 CaZzzer:feature/router CaZzzer:feature/router-2 CaZzzer:feature/home-manager CaZzzer:feature/ollama

3 Commits
585ff678b8 ... 83380a6125

Author SHA1 Message Date
Yuri Tatishchev
83380a6125 router: wireguard: add wg0 interface with some peers for testing 2025-05-20 23:32:21 -07:00
Yuri Tatishchev
fce994ae9f flake: fix vm-proxmox package 2025-05-20 23:30:14 -07:00
Yuri Tatishchev
e0af380656 updates: linux 6.14, nixpkgs, home-manager, nixos-generators 2025-05-20 21:58:24 -07:00
11 changed files with 99 additions and 25 deletions
Expand all files Collapse all files

18
flake.lock generated
View File

@@ -7,11 +7,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1747009742, "lastModified": 1747793476,
"narHash": "sha256-TNhbM7R45fpq2cdWzvFj+H5ZTcE//I5XSe78GFh0cDY=", "narHash": "sha256-2qAOSixSrbb9l6MI+SI4zGineOzDcc2dgOOFK9Dx+IY=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "c74665abd6e4e37d3140e68885bc49a994ffa53c", "rev": "2468b2d35512d093aeb04972a1d8c20a0735793f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -43,11 +43,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1742568034, "lastModified": 1747663185,
"narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=", "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixos-generators", "repo": "nixos-generators",
"rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11", "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -58,11 +58,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1746904237, "lastModified": 1747744144,
"narHash": "sha256-3e+AVBczosP5dCLQmMoMEogM57gmZ2qrVSrmq9aResQ=", "narHash": "sha256-W7lqHp0qZiENCDwUZ5EX/lNhxjMdNapFnbErcbnP11Q=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "d89fc19e405cb2d55ce7cc114356846a0ee5e956", "rev": "2795c506fe8fb7b03c36ccb51f75b6df0ab2553f",
"type": "github" "type": "github"
}, },
"original": { "original": {

2
flake.nix
View File

@@ -82,7 +82,6 @@
]; ];
format = "proxmox"; format = "proxmox";
}; };
};
vm-proxmox = let vm-proxmox = let
image = nixpkgs.lib.nixosSystem { image = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
@@ -97,4 +96,5 @@
in in
image.config.system.build.VMA; image.config.system.build.VMA;
}; };
};
} }

2
hosts/Yura-PC/default.nix
View File

@@ -32,7 +32,7 @@
boot.loader.timeout = 3; boot.loader.timeout = 3;
boot.loader.systemd-boot.configurationLimit = 5; boot.loader.systemd-boot.configurationLimit = 5;
boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_13; boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_14;
# https://nixos.wiki/wiki/Accelerated_Video_Playback # https://nixos.wiki/wiki/Accelerated_Video_Playback
hardware.graphics = { hardware.graphics = {

1
hosts/router/default.nix
View File

@@ -8,6 +8,7 @@ in
[ # Include the results of the hardware scan. [ # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
./ifconfig.nix ./ifconfig.nix
./wireguard.nix
./firewall.nix ./firewall.nix
./dns.nix ./dns.nix
./kea.nix ./kea.nix

0
secrets/cf_api_key.age → hosts/router/secrets/cf-api-key.age
View File

5
hosts/router/secrets/wireguard/wg0-peer-AsusS513-psk.age Normal file
View File

@@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 D2MY/A YAk0egMScFdPo0uAZzITtgQyPAifDcVUfb957Zhz9Ec
pAEM+7sbPE8rHBhRV7mTmH1w4mbfKFopMWbwu/3KHCw
--- ykshsqEqKvCCE2kWIPAJPA/DFW7mu6+0x4MQhHgi1yU
'<27>zƀ{g<>id\{<7B>E<EFBFBD><45><EFBFBD>tp<74>U<>g2QC3g<33><08>JG<4A>V1<56>6<>WG_E&<26>v<EFBFBD><76>)<29>&<26><><EFBFBD>ޑ N"<22><><EFBFBD>n<EFBFBD>_T͒<54>

BIN
hosts/router/secrets/wireguard/wg0-peer-Yura-Pixel7Pro-psk.age Normal file
View File

Binary file not shown.

6
hosts/router/secrets/wireguard/wg0-peer-Yura-TPX13-psk.age Normal file
View File

@@ -0,0 +1,6 @@
age-encryption.org/v1
-> ssh-ed25519 D2MY/A P88M0uj4ZphVo3WrRYDu+c7B0Dl7ncctbYkByYmU2wg
DV3Gn6TQ6iByAlNt0gg8kSZ2r0Gie/wcznZx9M+CC2g
--- KhwGM50BVql02Jq0do2uhXMfgWPPDfbodzDRmZ9n0O4
r<EFBFBD><EFBFBD><EFBFBD>Զa<EFBFBD>yY/C<><43>J<EFBFBD>B<EFBFBD>X<EFBFBD>!<21>"F
<EFBFBD>h<EFBFBD><EFBFBD><EFBFBD>(<28>L><3E>()<29><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>S;<3B>}}2ОO.<2E><13>hoqY<19>K"c<>E<EFBFBD><45>JM?-<2D>O

5
hosts/router/secrets/wireguard/wg0-private-key.age Normal file
View File

@@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 D2MY/A tvRtTGWnaB0zxqZRba4/XpzwPa61RrnHCk4tT8OfnGQ
IX85Q5VKxQTl+MnhzwiuTnNMVkR9QrYo/1njrbZeBnQ
--- dmlPIL2T+RFhbO2iLDRa4BxxYSSUQdedV3TK83ooFdA
<18>gE 7<><37>0`d<>V(o<>W<EFBFBD><57><EFBFBD>S@<01>ۭ<EFBFBD><DBAD><EFBFBD>p<EFBFBD><70><EFBFBD><EFBFBD><EFBFBD>Z<EFBFBD><5A>ЃT<D083><54><EFBFBD><EFBFBD><14>U<EFBFBD><55>+*<2A>\Q<><51>[<5B><><EFBFBD><EFBFBD>x<><78>29<32>i5<69>k

4
hosts/router/services.nix
View File

@@ -52,13 +52,13 @@ in
}; };
}; };
secrix.system.secrets.cf-api-key.encrypted.file = ../../secrets/cf_api_key.age; secrix.system.secrets.cf-api-key.encrypted.file = ./secrets/cf-api-key.age;
systemd.services.caddy.serviceConfig.EnvironmentFile = config.secrix.system.secrets.cf-api-key.decrypted.path; systemd.services.caddy.serviceConfig.EnvironmentFile = config.secrix.system.secrets.cf-api-key.decrypted.path;
services.caddy = { services.caddy = {
enable = true; enable = true;
package = pkgs.caddy.withPlugins { package = pkgs.caddy.withPlugins {
plugins = [ "github.com/caddy-dns/cloudflare@v0.2.1" ]; plugins = [ "github.com/caddy-dns/cloudflare@v0.2.1" ];
hash = "sha256-saKJatiBZ4775IV2C5JLOmZ4BwHKFtRZan94aS5pO90="; hash = "sha256-Gsuo+ripJSgKSYOM9/yl6Kt/6BFCA6BuTDvPdteinAI=";
}; };
virtualHosts."grouter.${domain}".extraConfig = '' virtualHosts."grouter.${domain}".extraConfig = ''
encode encode

57
hosts/router/wireguard.nix Normal file
View File

@@ -0,0 +1,57 @@
{ config, lib, pkgs, ... }:
let
vars = import ./vars.nix;
wg0Peers = [
{
name = "Yura-TPX13";
allowedIPs = [ "10.6.0.3/32" "${vars.extra.opnsense.p6}::6:3:0/112" ];
publicKey = "iJa5JmJbMHNlbEluNwoB2Q8LyrPAfb7S/mluanMcI08=";
pskEnabled = true;
}
{
name = "Yura-Pixel7Pro";
allowedIPs = [ "10.6.0.4/32" "${vars.extra.opnsense.p6}::6:4:0/112" ];
publicKey = "UjZlsukmAsX60Z5FnZwKCSu141Gjj74+hBVT3TRhwT4=";
pskEnabled = true;
}
{
name = "AsusS513";
allowedIPs = [ "10.6.0.100/32" ];
publicKey = "XozJ7dHdJfkLORkCVxaB1VmvHEOAA285kRZcmzfPl38=";
pskEnabled = true;
}
];
in
{
secrix.system.secrets = let
pskEnabledPeers = builtins.filter (peer: peer.pskEnabled) wg0Peers;
peerToSecretAttrs = peer: {
name = "wg0-peer-${peer.name}-psk";
value.encrypted.file = ./secrets/wireguard/wg0-peer-${peer.name}-psk.age;
};
peerSecretsList = map peerToSecretAttrs pskEnabledPeers;
peerSecrets = builtins.listToAttrs peerSecretsList;
in
{
wg0-private-key.encrypted.file = ./secrets/wireguard/wg0-private-key.age;
} // peerSecrets;
systemd.network.netdevs = {
"10-wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
};
wireguardConfig = {
PrivateKeyFile = config.secrix.system.secrets.wg0-private-key.decrypted.path;
ListenPort = 18596;
};
wireguardPeers = map (peer: {
AllowedIPs = peer.allowedIPs;
PublicKey = peer.publicKey;
PresharedKeyFile = if peer.pskEnabled then config.secrix.system.secrets."wg0-peer-${peer.name}-psk".decrypted.path else null;
}) wg0Peers;
};
};
}