router: firewall: proper filtering for hosts proxied by cloudflare

2025-03-26 00:24:16 -07:00
21 changed files with 213 additions and 524 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -1 +0,0 @@
 private.nix  filter=crypt diff=crypt merge=crypt
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1747009742,
+        "lastModified": 1742957044,
-        "narHash": "sha256-TNhbM7R45fpq2cdWzvFj+H5ZTcE//I5XSe78GFh0cDY=",
+        "narHash": "sha256-gwW0tBIA77g6qq45y220drTy0DmThF3fJMwVFUtYV9c=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "c74665abd6e4e37d3140e68885bc49a994ffa53c",
+        "rev": "ce287a5cd3ef78203bc78021447f937a988d9f6f",
        "type": "github"
      },
      "original": {
@@ -58,11 +58,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1746904237,
+        "lastModified": 1742669843,
-        "narHash": "sha256-3e+AVBczosP5dCLQmMoMEogM57gmZ2qrVSrmq9aResQ=",
+        "narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "d89fc19e405cb2d55ce7cc114356846a0ee5e956",
+        "rev": "1e5b653dff12029333a6546c11e108ede13052eb",
        "type": "github"
      },
      "original": {
@@ -100,28 +100,7 @@
        "home-manager": "home-manager",
        "nixos-generators": "nixos-generators",
        "nixpkgs": "nixpkgs",
-        "plasma-manager": "plasma-manager",
+        "plasma-manager": "plasma-manager"
        "secrix": "secrix"
      }
    },
    "secrix": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1746643487,
        "narHash": "sha256-dcB/DArJObCvqE/ZEdQSDW2BZMeDyF83Se5KPfJvz60=",
        "owner": "Platonic-Systems",
        "repo": "secrix",
        "rev": "4c64203fa5b377953b1fb6d5388187df8b60c6d5",
        "type": "github"
      },
      "original": {
        "owner": "Platonic-Systems",
        "repo": "secrix",
        "type": "github"
      }
    }
  },
--- a/flake.nix
+++ b/flake.nix
@@ -18,15 +18,9 @@
      url = "github:nix-community/nixos-generators";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    secrix = {
      url = "github:Platonic-Systems/secrix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
-  outputs = { self, nixpkgs, home-manager, plasma-manager, nixos-generators, secrix }: {
+  outputs = { self, nixpkgs, home-manager, plasma-manager, nixos-generators }: {
    apps.x86_64-linux.secrix = secrix.secrix self;
    nixosConfigurations = {
      Yura-PC = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
@@ -34,7 +28,6 @@
          ./modules
          ./hosts/common.nix
          ./hosts/Yura-PC
          ./users/cazzzer
          # https://nix-community.github.io/home-manager/index.xhtml#sec-flakes-nixos-module
          home-manager.nixosModules.home-manager
          {
@@ -53,19 +46,15 @@
        modules = [
          ./modules
          ./hosts/common.nix
          ./hosts/hw-vm.nix
          ./hosts/vm
          ./users/cazzzer
        ];
      };
      router = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          secrix.nixosModules.default
          ./modules
          ./hosts/common.nix
          ./hosts/router
          ./users/cazzzer
        ];
      };
    };
@@ -76,25 +65,11 @@
        modules = [
          ./modules
          ./hosts/common.nix
-          ./hosts/hw-proxmox.nix
+          ./hosts/vm/proxmox.nix
          ./hosts/vm
          ./users/cazzzer
        ];
        format = "proxmox";
      };
    };
    vm-proxmox = let
      image = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          ./modules
          ./hosts/common.nix
          ./hosts/hw-proxmox.nix
          ./hosts/vm
          ./users/cazzzer
        ];
      };
    in
      image.config.system.build.VMA;
  };
 }
--- a/home/default.nix
+++ b/home/default.nix
@@ -1,12 +1,15 @@
 { config, lib, pkgs, ... }:
 let
-  username = "cazzzer";
+  defaultFont = {
    family = "Noto Sans";
    pointSize = 14;
  };
 in
 {
  # Home Manager needs a bit of information about you and the paths it should
  # manage.
-  home.username = username;
+  home.username = "cazzzer";
-  home.homeDirectory = "/home/${username}";
+  home.homeDirectory = "/home/cazzzer";
  # Let Home Manager install and manage itself.
  programs.home-manager.enable = true;
@@ -16,7 +19,6 @@ in
    SHELL = "fish";
  };
  # TODO: remove (replace by bitwarden-desktop)
  services.gnome-keyring = {
    enable = true;
    components = [ "pkcs11" "ssh" ];
@@ -46,7 +48,7 @@ in
      ll = "exa -l --color=always --group-directories-first --icons";  # long format
      lt = "exa -aT --color=always --group-directories-first --icons"; # tree listing
      "l." = "exa -a | rg '^\.'";                                      # show only dotfiles
-
+      
      # Replace cat with bat
      cat = "bat";
    };
@@ -123,15 +125,8 @@ in
  programs.plasma = {
    enable = true;
    overrideConfig = true;
    # TODO: figure out how to enable tela-circle icon theme if installed in systemPackages
    # workspace.iconTheme = if builtins.elem pkgs.tela-circle-icon-theme config.environment.systemPackages then "Tela-circle" else null;
    workspace.iconTheme = "Tela-circle";
-    fonts = let
+    fonts = {
      defaultFont = {
        family = "Noto Sans";
        pointSize = 14;
      };
    in {
      general = defaultFont;
      fixedWidth = defaultFont // { family = "Hack"; };
      small = defaultFont // { pointSize = defaultFont.pointSize - 2; };
@@ -166,7 +161,6 @@ in
        shellExpand = true;
      };
      dolphinrc.General.ShowFullPath = true;
      dolphinrc.DetailsMode.PreviewSize.persistent = true;
      kactivitymanagerdrc = {
        activities."809dc779-bf5b-49e6-8e3f-cbe283cb05b6" = "Default";
        activities."b34a506d-ac4f-4797-8c08-6ef45bc49341" = "Fun";
--- a/hosts/Yura-PC/default.nix
+++ b/hosts/Yura-PC/default.nix
@@ -32,7 +32,7 @@
  boot.loader.timeout = 3;
  boot.loader.systemd-boot.configurationLimit = 5;
-  boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_13;
+  boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_12;
  # https://nixos.wiki/wiki/Accelerated_Video_Playback
  hardware.graphics = {
@@ -88,7 +88,7 @@
  services.openssh.enable = true;
  services.flatpak.enable = true;
  # services.geoclue2.enable = true;
-  # location.provider = "geoclue2";
+  location.provider = "geoclue2";
  # services.gnome.gnome-keyring.enable = true;
  security.pam.services.sddm.enableGnomeKeyring = true;
  # security.pam.services.sddm.gnupg.enable = true;
@@ -97,6 +97,41 @@
  # Enable touchpad support (enabled default in most desktopManager).
  # services.xserver.libinput.enable = true;
  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.groups = {
    cazzzer = {
      gid = 1000;
    };
  };
  users.users.cazzzer = {
    isNormalUser = true;
    description = "Yura";
    uid = 1000;
    group = "cazzzer";
    extraGroups = [ "networkmanager" "wheel" "docker" "wireshark" "geoclue" ];
    packages = with pkgs; [
      # Python
      python3
      poetry
      # Haskell
      haskellPackages.ghc
      haskellPackages.stack
      # Node
      nodejs_22
      pnpm
      bun
      # Nix
      nixd
      # Gleam
      gleam
      beamMinimal26Packages.erlang
    ];
  };
  hardware.bluetooth.enable = true;
  hardware.bluetooth.powerOnBoot = false;
  # Install firefox.
@@ -124,7 +159,7 @@
  # https://discourse.nixos.org/t/firefox-does-not-use-kde-window-decorations-and-cursor/32132/3
  # programs.dconf.enable = true;
-  # programs.firefox = {
+  # programs.firefox = {                  
    # enable = true;
    # preferences = {
      # "widget.use-xdg-desktop-portal.file-picker" = 1;
@@ -132,6 +167,9 @@
    # };
  # };
  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;
  # List packages installed in system profile. To search, run:
  # $ nix search wget
@@ -140,9 +178,9 @@
  programs.nix-ld.enable = true;
  programs.nix-ld.libraries = with pkgs; [
-    # Add any missing dynamic libraries for unpackaged
+    # Add any missing dynamic libraries for unpackaged 
    # programs here, NOT in environment.systemPackages
-
+    
    # For JetBrains stuff
    # https://github.com/NixOS/nixpkgs/issues/240444
  ];
@@ -169,7 +207,7 @@
   ];
  # fonts.fontDir.enable = true;
  # fonts.fontconfig.allowBitmaps = false;
-
+  
  environment.systemPackages = with pkgs; [
    dust
    eza
@@ -177,11 +215,9 @@
    fd
    helix
    micro
    openssl
    ripgrep
    starship
    tealdeer
    transcrypt
  ] ++ [
    efibootmgr
    ffmpeg
@@ -201,14 +237,12 @@
    whois
    yt-dlp
  ] ++ [
    bitwarden-desktop
    darkman
    host-spawn # for flatpaks
    kdePackages.filelight
    kdePackages.flatpak-kcm
    kdePackages.kate
    kdePackages.yakuake
    # TODO: remove (replace by bitwarden-desktop)
    gcr
    gnome-keyring # config for this and some others
    mpv
@@ -227,7 +261,6 @@
    jetbrains.webstorm
    android-studio
    rustup
    zed-editor
  ];
  # Some programs need SUID wrappers, can be configured further or are
--- a/hosts/hw-proxmox.nix
+++ b/hosts/hw-proxmox.nix
@@ -1,16 +0,0 @@
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports = [
    "${modulesPath}/virtualisation/proxmox-image.nix"
  ];
  # boot.kernelParams = [ "console=tty0" ];
  proxmox.qemuConf.bios = "ovmf";
  proxmox.qemuExtraConf = {
    machine = "q35";
    # efidisk0 = "local-lvm:vm-9999-disk-1";
    cpu = "host";
  };
  proxmox.cloudInit.enable = false;
 }
--- a/hosts/hw-vm.nix
+++ b/hosts/hw-vm.nix
@@ -1,26 +0,0 @@
 { config, lib, pkgs, modulesPath, ... }: {
  imports = [
    "${modulesPath}/profiles/qemu-guest.nix"
  ];
  boot.initrd.availableKernelModules = lib.mkDefault [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
  fileSystems."/" = lib.mkDefault {
    device = "/dev/disk/by-label/nixos";
    autoResize = true;
    fsType = "ext4";
  };
  fileSystems."/boot" = lib.mkDefault {
    device = "/dev/disk/by-label/ESP";
    fsType = "vfat";
  };
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp6s18.useDHCP = lib.mkDefault true;
  # nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/router/default.nix
+++ b/hosts/router/default.nix
@@ -1,8 +1,5 @@
 { config, lib, pkgs, ... }:
-let
+
  vars = import ./vars.nix;
  enableDesktop = false;
 in
 {
  imports =
    [ # Include the results of the hardware scan.
@@ -11,11 +8,8 @@ in
      ./firewall.nix
      ./dns.nix
      ./kea.nix
      ./glance.nix
      ./services.nix
    ];
  # Secrix for secrets management
  secrix.hostPubKey = vars.pubkey;
  # Bootloader.
  boot.loader.systemd-boot.enable = true;
@@ -37,10 +31,10 @@ in
  # Enable the KDE Plasma Desktop Environment.
  # Useful for debugging with wireshark.
  # services.displayManager.sddm.enable = true;
  hardware.graphics.enable = true;
-  services.displayManager.sddm.enable = enableDesktop;
+  services.displayManager.sddm.wayland.enable = true;
-  services.displayManager.sddm.wayland.enable = enableDesktop;
+  services.desktopManager.plasma6.enable = true;
  services.desktopManager.plasma6.enable = enableDesktop;
  # No need for audio in VM
  services.pipewire.enable = false;
@@ -53,6 +47,24 @@ in
  security.sudo.wheelNeedsPassword = false;
  users.groups = {
    cazzzer = {
      gid = 1000;
    };
  };
  users.users.cazzzer = {
    password = "";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWgEzbEjbbu96MVQzkiuCrw+UGYAXN4sRe2zM6FVopq cazzzer@Yura-PC"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApFeLVi3BOquL0Rt+gQK2CutNHaBDQ0m4PcGWf9Bc43 cazzzer@Yura-TPX13"
    ];
    isNormalUser = true;
    description = "Yura";
    uid = 1000;
    group = "cazzzer";
    extraGroups = [ "wheel" "wireshark" ];
  };
  programs.firefox.enable = true;
  programs.fish.enable = true;
  programs.git.enable = true;
@@ -67,17 +79,17 @@ in
    eza
    fastfetch
    fd
    kdePackages.filelight
    kdePackages.kate
    kdePackages.yakuake
    ldns
    lsof
    micro
    mpv
    openssl
    ripgrep
    rustscan
    starship
    tealdeer
    transcrypt
    waypipe
    whois
  ];
--- a/hosts/router/dns.nix
+++ b/hosts/router/dns.nix
@@ -42,12 +42,8 @@ in
  services.adguardhome.enable = true;
  services.adguardhome.mutableSettings = false;
  # https://github.com/AdguardTeam/Adguardhome/wiki/Configuration
  services.adguardhome.settings = {
    dns = {
      # Disable rate limit, default of 20 is too low
      # https://github.com/AdguardTeam/AdGuardHome/issues/6726
      ratelimit = 0;
      bootstrap_dns = [ "1.1.1.1" "9.9.9.9" ];
      upstream_dns = [
        # Default upstreams
--- a/hosts/router/firewall.nix
+++ b/hosts/router/firewall.nix
@@ -4,96 +4,52 @@ let
  links = vars.links;
  ifs = vars.ifs;
  pdFromWan = vars.pdFromWan;
  nftIdentifiers = ''
    define ZONE_WAN_IFS = { ${ifs.wan.name} }
    define ZONE_LAN_IFS = {
        ${ifs.lan.name},
        ${ifs.lan10.name},
        ${ifs.lan20.name},
        ${ifs.lan30.name},
        ${ifs.lan40.name},
        ${ifs.lan50.name},
    }
    define OPNSENSE_NET6 = ${vars.extra.opnsense.net6}
    define ZONE_LAN_EXTRA_NET6 = {
        # TODO: reevaluate this statement
        ${ifs.lan20.net6},  # needed since packets can come in from wan on these addrs
        $OPNSENSE_NET6,
    }
    define RFC1918 = { 10.0.0.0/8, 172.12.0.0/12, 192.168.0.0/16 }
    define CLOUDFLARE_NET6 = {
        # https://www.cloudflare.com/ips-v6
        # TODO: figure out a better way to get addrs dynamically from url
        # perhaps building a nixos module/package that fetches the ips?
        2400:cb00::/32,
        2606:4700::/32,
        2803:f800::/32,
        2405:b500::/32,
        2405:8100::/32,
        2a06:98c0::/29,
        2c0f:f248::/32,
    }
  '';
 in
 {
  networking.firewall.enable = false;
  networking.nftables.enable = true;
-  # networking.nftables.ruleset = nftIdentifiers; #doesn't work because it's appended to the end
+  networking.nftables.tables.firewall = {
-  networking.nftables.tables.nat4 = {
+    family = "inet";
    family = "ip";
    content = ''
-      ${nftIdentifiers}
+      define ZONE_WAN_IFS = { ${ifs.wan.name} }
-      map port_forward {
+      define ZONE_LAN_IFS = {
          ${ifs.lan.name},
          ${ifs.lan10.name},
          ${ifs.lan20.name},
          ${ifs.lan30.name},
          ${ifs.lan40.name},
          ${ifs.lan50.name},
      }
      define OPNSENSE_NET6 = ${pdFromWan}d::/64
      define ZONE_LAN_EXTRA_NET6 = {
          ${ifs.lan20.net6},  # needed since packets can come in from wan on these addrs
          $OPNSENSE_NET6,
      }
      define RFC1918 = { 10.0.0.0/8, 172.12.0.0/12, 192.168.0.0/16 }
      define CLOUDFLARE_NET6 = {
          # https://www.cloudflare.com/ips-v6
          # TODO: figure out a better way to get addrs dynamically from url
          2400:cb00::/32,
          2606:4700::/32,
          2803:f800::/32,
          2405:b500::/32,
          2405:8100::/32,
          2a06:98c0::/29,
          2c0f:f248::/32,
      }
      define ALLOWED_TCP_PORTS = { ssh, https }
      define ALLOWED_UDP_PORTS = { bootps, dhcpv6-server, domain }
      map port_forward_v4 {
          type inet_proto . inet_service : ipv4_addr . inet_service
          elements = {
              tcp . 8006 : ${ifs.lan50.p4}.10 . 8006
          }
      }
      chain prerouting {
          # Initial step, accept by default
          type nat hook prerouting priority dstnat; policy accept;
          # Port forwarding
          fib daddr type local dnat ip to meta l4proto . th dport map @port_forward
      }
      chain postrouting {
          # Last step, accept by default
          type nat hook postrouting priority srcnat; policy accept;
          # Masquerade LAN addrs
          oifname $ZONE_WAN_IFS ip saddr $RFC1918 masquerade
      }
    '';
  };
  # Optional IPv6 masquerading (big L if enabled, don't forget to allow forwarding)
  networking.nftables.tables.nat6 = {
    family = "ip6";
    enable = false;
    content = ''
      ${nftIdentifiers}
      chain postrouting {
          type nat hook postrouting priority srcnat; policy accept;
          oifname $ZONE_WAN_IFS ip6 saddr fd00::/8 masquerade
      }
    '';
  };
  networking.nftables.tables.firewall = {
    family = "inet";
    content = ''
      ${nftIdentifiers}
      define ALLOWED_TCP_PORTS = { ssh, https }
      define ALLOWED_UDP_PORTS = { bootps, dhcpv6-server, domain, https }
      set port_forward_v6 {
          type inet_proto . ipv6_addr . inet_service
-          elements = {
+          # elements = {}
              # syncthing on alpina
              tcp . ${ifs.lan.p6}::11:1 . 22000 ,
              udp . ${ifs.lan.p6}::11:1 . 22000 ,
          }
      }
      set cloudflare_forward_v6 {
          type ipv6_addr
@@ -136,7 +92,7 @@ in
          # WAN zone input rules
          iifname $ZONE_WAN_IFS jump zone_wan_input
          # LAN zone input rules
-          # iifname $ZONE_LAN_IFS accept
+          iifname $ZONE_LAN_IFS accept
          iifname $ZONE_LAN_IFS jump zone_lan_input
          ip6 saddr $ZONE_LAN_EXTRA_NET6 jump zone_lan_input
@@ -169,7 +125,7 @@ in
          meta l4proto . ip6 daddr . th dport @port_forward_v6 accept
          # Allowed IPv6 from cloudflare
-          ip6 saddr $CLOUDFLARE_NET6 ip6 daddr @cloudflare_forward_v6 th dport https accept
+          ip6 saddr $CLOUDFLARE_NET6 ip6 daddr @cloudflare_forward_v6 accept
      }
      chain zone_lan_input {
@@ -202,6 +158,25 @@ in
          # NAT reflection
          # oif lo ip daddr != 127.0.0.0/8 dnat ip to meta l4proto . th dport map @port_forward_v4
      }
      chain prerouting {
          # Initial step, accept by default
          type nat hook prerouting priority dstnat; policy accept;
          # Port forwarding
          fib daddr type local dnat ip to meta l4proto . th dport map @port_forward_v4
      }
      chain postrouting {
          # Last step, accept by default
          type nat hook postrouting priority srcnat; policy accept;
          # Masquerade LAN addrs
          oifname $ZONE_WAN_IFS ip saddr $RFC1918 masquerade
          # Optional IPv6 masquerading (big L if enabled, don't forget to allow forwarding)
          # oifname $ZONE_WAN_IFS ip6 saddr fd00::/8 masquerade
      }
    '';
  };
 }
--- a/hosts/router/glance.nix
+++ b/hosts/router/glance.nix
@@ -1,166 +0,0 @@
 { config, lib, pkgs, ... }:
 let
  vars = import ./vars.nix;
  domain = vars.domain;
 in
 {
  # Glance dashboard
  services.glance.enable = true;
  services.glance.settings.pages = [
    {
      name = "Home";
      # hideDesktopNavigation = true; # Uncomment if needed
      columns = [
        {
          size = "small";
          widgets = [
            {
              type = "calendar";
              firstDayOfWeek = "monday";
            }
            {
              type = "rss";
              limit = 10;
              collapseAfter = 3;
              cache = "12h";
              feeds = [
                { url = "https://rtk0c.pages.dev/index.xml"; }
                { url = "https://www.yegor256.com/rss.xml"; }
                { url = "https://selfh.st/rss/"; title = "selfh.st"; }
                { url = "https://ciechanow.ski/atom.xml"; }
                { url = "https://www.joshwcomeau.com/rss.xml"; title = "Josh Comeau"; }
                { url = "https://samwho.dev/rss.xml"; }
                { url = "https://ishadeed.com/feed.xml"; title = "Ahmad Shadeed"; }
              ];
            }
            {
              type = "twitch-channels";
              channels = [
                "theprimeagen"
                "j_blow"
                "piratesoftware"
                "cohhcarnage"
                "christitustech"
                "EJ_SA"
              ];
            }
          ];
        }
        {
          size = "full";
          widgets = [
            {
              type = "group";
              widgets = [
                { type = "hacker-news"; }
                { type = "lobsters"; }
              ];
            }
            {
              type = "videos";
              channels = [
                "UCXuqSBlHAE6Xw-yeJA0Tunw" # Linus Tech Tips
                "UCR-DXc1voovS8nhAvccRZhg" # Jeff Geerling
                "UCsBjURrPoezykLs9EqgamOA" # Fireship
                "UCBJycsmduvYEL83R_U4JriQ" # Marques Brownlee
                "UCHnyfMqiRRG1u-2MsSQLbXA" # Veritasium
              ];
            }
            {
              type = "group";
              widgets = [
                {
                  type = "reddit";
                  subreddit = "technology";
                  showThumbnails = true;
                }
                {
                  type = "reddit";
                  subreddit = "selfhosted";
                  showThumbnails = true;
                }
              ];
            }
          ];
        }
        {
          size = "small";
          widgets = [
            {
              type = "weather";
              location = "San Jose, California, United States";
              units = "metric";
              hourFormat = "12h";
              # hideLocation = true; # Uncomment if needed
            }
            {
              type = "markets";
              markets = [
                { symbol = "SPY"; name = "S&P 500"; }
                { symbol = "BTC-USD"; name = "Bitcoin"; }
                { symbol = "NVDA"; name = "NVIDIA"; }
                { symbol = "AAPL"; name = "Apple"; }
                { symbol = "MSFT"; name = "Microsoft"; }
              ];
            }
            {
              type = "releases";
              cache = "1d";
              # token = "..."; # Uncomment and set if needed
              repositories = [
                "glanceapp/glance"
                "go-gitea/gitea"
                "immich-app/immich"
                "syncthing/syncthing"
              ];
            }
          ];
        }
      ];
    }
    {
      name = "Infrastructure";
      columns = [
        {
          size = "small";
          widgets = [
            {
              type = "server-stats";
              servers = [
                {
                  type = "local";
                  name = "Router";
                  mountpoints."/nix/store".hide = true;
                }
              ];
            }
          ];
        }
        {
          size = "full";
          widgets = [
            {
              type = "iframe";
              title = "Grafana";
              title-url = "/grafana/";
              source = "/grafana/d-solo/rYdddlPWk/node-exporter-full?orgId=1&from=1747211119196&to=1747297519196&timezone=browser&var-datasource=PBFA97CFB590B2093&var-job=node&var-node=localhost:9100&var-diskdevices=%5Ba-z%5D%2B%7Cnvme%5B0-9%5D%2Bn%5B0-9%5D%2B%7Cmmcblk%5B0-9%5D%2B&refresh=1m&panelId=74&__feature.dashboardSceneSolo";
              height = 400;
            }
          ];
        }
        {
          size = "small";
          widgets = [
            {
              type = "dns-stats";
              service = "adguard";
              url = "http://localhost:${toString config.services.adguardhome.port}";
              username = "";
              password = "";
            }
          ];
        }
      ];
    }
  ];
 }
--- a/hosts/router/ifconfig.nix
+++ b/hosts/router/ifconfig.nix
@@ -46,12 +46,6 @@ let
  };
 in
 {
  # By default, Linux will respond to ARP requests that belong to other interfaces.
  # Normally this isn't a problem, but it causes issues
  # since my WAN and LAN20 are technically bridged.
  # https://networkengineering.stackexchange.com/questions/83071/why-linux-answers-arp-requests-for-ips-that-belong-to-different-network-interfac
  boot.kernel.sysctl."net.ipv4.conf.default.arp_filter" = 1;
  # It is impossible to do multiple prefix requests with networkd,
  # so I use dhcpcd for this
  # https://github.com/systemd/systemd/issues/22571
@@ -150,7 +144,6 @@ in
          ifs.lan40.name
          ifs.lan50.name
        ];
        routes = vars.extra.opnsense.routes;
      };
      "30-vlan10" = mkLanConfig ifs.lan10;
      "30-vlan20" = mkLanConfig ifs.lan20;
--- a/hosts/router/private.nix
+++ b/hosts/router/private.nix
@@ -1,2 +0,0 @@
 U2FsdGVkX1/98w32OE1ppwT0I5A3UOTKCLJfvk+TQdrbf0TLfYNZ9TC9n8cH2hC9
 ObKVuFlOLwHlzeBy7MXaLg==
--- a/hosts/router/services.nix
+++ b/hosts/router/services.nix
@@ -4,10 +4,6 @@ let
  domain = vars.domain;
 in
 {
  # vnStat for tracking network interface stats
  services.vnstat.enable = true;
  # https://wiki.nixos.org/wiki/Prometheus
  services.prometheus = {
    enable = true;
@@ -31,15 +27,7 @@ in
  # https://wiki.nixos.org/wiki/Grafana#Declarative_configuration
  services.grafana = {
    enable = true;
-    settings = {
+    settings.server.http_port = 3001;
      security.allow_embedding = true;
      server = {
        http_port = 3001;
        domain = "grouter.${domain}";
        root_url = "https://%(domain)s/grafana/";
        serve_from_sub_path = true;
      };
    };
    provision = {
      enable = true;
      datasources.settings.datasources = [
@@ -52,34 +40,11 @@ in
    };
  };
  secrix.system.secrets.cf-api-key.encrypted.file = ../../secrets/cf_api_key.age;
  systemd.services.caddy.serviceConfig.EnvironmentFile = config.secrix.system.secrets.cf-api-key.decrypted.path;
  services.caddy = {
    enable = true;
    package = pkgs.caddy.withPlugins {
      plugins = [ "github.com/caddy-dns/cloudflare@v0.2.1" ];
      hash = "sha256-saKJatiBZ4775IV2C5JLOmZ4BwHKFtRZan94aS5pO90=";
    };
    virtualHosts."grouter.${domain}".extraConfig = ''
-      encode
+      reverse_proxy localhost:${toString config.services.grafana.settings.server.http_port}
-      tls {
+      tls internal
          dns cloudflare {env.CF_API_KEY}
          resolvers 1.1.1.1
      }
      @grafana path /grafana /grafana/*
      handle @grafana {
          reverse_proxy localhost:${toString config.services.grafana.settings.server.http_port}
      }
      redir /adghome /adghome/
      handle_path /adghome/* {
          reverse_proxy localhost:${toString config.services.adguardhome.port}
          basic_auth {
              Bob $2a$14$HsWmmzQTN68K3vwiRAfiUuqIjKoXEXaj9TOLUtG2mO1vFpdovmyBy
          }
      }
      handle /* {
          reverse_proxy localhost:${toString config.services.glance.settings.server.port}
      }
    '';
  };
 }
--- a/hosts/router/vars.nix
+++ b/hosts/router/vars.nix
@@ -1,6 +1,4 @@
 let
  private = import ./private.nix;
  mkIfConfig = {
    name_,
    domain_,
@@ -33,7 +31,6 @@ let
    };
 in
 rec {
  pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFobB87yYVwhuYrA+tfztLuks3s9jZOqEFktwGw1mo83 root@grouter";
  domain = "cazzzer.com";
  ldomain = "l.${domain}";
  sysdomain = "sys.${domain}";
@@ -45,7 +42,7 @@ rec {
  };
  p4 = "10.17";                      # .0.0/16
-  pdFromWan = private.pdFromWan;  # ::/60
+  pdFromWan = "";  # ::/60
  ulaPrefix = "fdab:07d3:581d";      # ::/48
  ifs = rec {
    wan = rec {
@@ -98,28 +95,4 @@ rec {
      ulaPrefix_ = "${ulaPrefix}:0050";  # ::/64
    };
  };
  extra = {
    opnsense = rec {
      addr4 = "${ifs.lan.p4}.250";
      ulaAddr = "${ifs.lan.ulaPrefix}::250";
      p6 = "${pdFromWan}d";
      net6 = "${p6}::/64";
      # VPN routes on opnsense
      routes = [
        {
          Destination = "10.6.0.0/24";
          Gateway = addr4;
        }
        {
          Destination = "10.18.0.0/20";
          Gateway = addr4;
        }
        {
          Destination = net6;
          Gateway = ulaAddr;
        }
      ];
    };
  };
 }
--- a/hosts/vm/default.nix
+++ b/hosts/vm/default.nix
@@ -7,7 +7,7 @@
 {
  imports =
    [ # Include the results of the hardware scan.
-      # ./hardware-configuration.nix
+#      ./hardware-configuration-vm.nix
    ];
  mods.kb-input.enable = false;
@@ -47,8 +47,8 @@
  services.flatpak.enable = true;
  # VM services
-  # services.cloud-init.enable = false;
+  services.cloud-init.enable = true;
-  # services.cloud-init.network.enable = false;
+#  services.cloud-init.network.enable = false;
  services.qemuGuest.enable = true;
  services.spice-vdagentd.enable = true;
  services.openssh.enable = true;
@@ -57,6 +57,24 @@
  security.sudo.wheelNeedsPassword = false;
  users.groups = {
    cazzzer = {
      gid = 1000;
    };
  };
  users.users.cazzzer = {
    password = "";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWgEzbEjbbu96MVQzkiuCrw+UGYAXN4sRe2zM6FVopq cazzzer@Yura-PC"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApFeLVi3BOquL0Rt+gQK2CutNHaBDQ0m4PcGWf9Bc43 cazzzer@Yura-TPX13"
    ];
    isNormalUser = true;
    description = "Yura";
    uid = 1000;
    group = "cazzzer";
    extraGroups = [ "wheel" "docker" "wireshark" ];
  };
  # Install firefox.
  programs.firefox.enable = true;
  programs.fish.enable = true;
@@ -95,11 +113,9 @@
    ldns
    micro
    mpv
    openssl
    ripgrep
    starship
    tealdeer
    transcrypt
    waypipe
    whois
    zfs
--- a/hosts/vm/hardware-configuration.nix
+++ b/hosts/vm/hardware-configuration.nix
@@ -0,0 +1,37 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/da85e220-e2b0-443a-9a0c-a9516b8e5030";
      fsType = "ext4";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/3F96-8974";
      fsType = "vfat";
      options = [ "fmask=0022" "dmask=0022" ];
    };
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp6s18.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/vm/proxmox.nix
+++ b/hosts/vm/proxmox.nix
@@ -0,0 +1,11 @@
 { ... }:
 {
 #  boot.kernelParams = [ "console=tty0" ];
  proxmox.qemuConf.bios = "ovmf";
  proxmox.qemuExtraConf = {
    machine = "q35";
 #    efidisk0 = "local-lvm:vm-9999-disk-1";
    cpu = "host";
  };
 }
--- a/renovate.json
+++ b/renovate.json
@@ -1,12 +0,0 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended"
  ],
  "lockFileMaintenance": {
    "enabled": true
  },
  "nix": {
    "enabled": true
  }
 }
--- a/secrets/cf_api_key.age
+++ b/secrets/cf_api_key.age
@@ -1,5 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 D2MY/A Kj69kavxx+ATNHP5pX0JtGggU76f9uRwkZp2HbjwiWc
 SbU3jIcQzUzaQjRHzVSoW1WKiUj+1ijbkUKqVb406fY
 --- vMV0TcchFvxw1xetQQZ0xVi2KwjLFRfZBM1gl7BGbGI
 <EFBFBD><EFBFBD>1<10><><EFBFBD><EFBFBD>K<EFBFBD><<3C>
--- a/users/cazzzer/default.nix
+++ b/users/cazzzer/default.nix
@@ -1,42 +0,0 @@
 { config, lib, pkgs, ... }: {
  users.groups.cazzzer.gid = 1000;
  users.users.cazzzer = {
    uid = 1000;
    isNormalUser = true;
    description = "Yura";
    group = "cazzzer";
    extraGroups = [ "wheel" ]
      ++ lib.optionals config.networking.networkmanager.enable [ "networkmanager" ]
      ++ lib.optionals config.virtualisation.docker.enable [ "docker" ]
      ++ lib.optionals config.programs.wireshark.enable [ "wireshark" ]
    ;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE02AhJIZtrtZ+5sZhna39LUUCEojQzmz2BDWguT9ZHG yuri@tati.sh"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHczlipzGWv8c6oYwt2/9ykes5ElfneywDXBTOYbfSfn Pixel7Pro"
    ];
    # TODO: think of a better way to do this
    packages = with pkgs; lib.optionals (config.networking.hostName == "Yura-PC") [
      # Python
      python3
      poetry
      # Haskell
      haskellPackages.ghc
      haskellPackages.stack
      # Node
      nodejs_22
      pnpm
      bun
      # Nix
      nil
      nixd
      nixfmt-rfc-style
      # Gleam
      gleam
      beamMinimal26Packages.erlang
    ];
  };
 }
		`@@ -1 +0,0 @@`
			`private.nix filter=crypt diff=crypt merge=crypt`
		`@@ -1,2 +0,0 @@`
			`U2FsdGVkX1/98w32OE1ppwT0I5A3UOTKCLJfvk+TQdrbf0TLfYNZ9TC9n8cH2hC9`
			`ObKVuFlOLwHlzeBy7MXaLg==`