router: option to disable desktop to save space

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1746040799,
-        "narHash": "sha256-osgPX/SzIpkR50vev/rqoTEAVkEcOWXoQXmbzsaI4KU=",
+        "lastModified": 1747009742,
+        "narHash": "sha256-TNhbM7R45fpq2cdWzvFj+H5ZTcE//I5XSe78GFh0cDY=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "5f217e5a319f6c186283b530f8c975e66c028433",
+        "rev": "c74665abd6e4e37d3140e68885bc49a994ffa53c",
         "type": "github"
       },
       "original": {
@@ -58,11 +58,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1745930157,
-        "narHash": "sha256-y3h3NLnzRSiUkYpnfvnS669zWZLoqqI6NprtLQ+5dck=",
+        "lastModified": 1746904237,
+        "narHash": "sha256-3e+AVBczosP5dCLQmMoMEogM57gmZ2qrVSrmq9aResQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "46e634be05ce9dc6d4db8e664515ba10b78151ae",
+        "rev": "d89fc19e405cb2d55ce7cc114356846a0ee5e956",
         "type": "github"
       },
       "original": {
@@ -100,7 +100,28 @@
         "home-manager": "home-manager",
         "nixos-generators": "nixos-generators",
         "nixpkgs": "nixpkgs",
-        "plasma-manager": "plasma-manager"
+        "plasma-manager": "plasma-manager",
+        "secrix": "secrix"
+      }
+    },
+    "secrix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1746643487,
+        "narHash": "sha256-dcB/DArJObCvqE/ZEdQSDW2BZMeDyF83Se5KPfJvz60=",
+        "owner": "Platonic-Systems",
+        "repo": "secrix",
+        "rev": "4c64203fa5b377953b1fb6d5388187df8b60c6d5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Platonic-Systems",
+        "repo": "secrix",
+        "type": "github"
       }
     }
   },

flake.nix

@@ -18,9 +18,15 @@
       url = "github:nix-community/nixos-generators";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    secrix = {
+      url = "github:Platonic-Systems/secrix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
-  outputs = { self, nixpkgs, home-manager, plasma-manager, nixos-generators }: {
+  outputs = { self, nixpkgs, home-manager, plasma-manager, nixos-generators, secrix }: {
+    apps.x86_64-linux.secrix = secrix.secrix self;
+
     nixosConfigurations = {
       Yura-PC = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
@@ -52,6 +58,7 @@
       router = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
         modules = [
+          secrix.nixosModules.default
           ./modules
           ./hosts/common.nix
           ./hosts/router

hosts/router/default.nix

@@ -1,5 +1,7 @@
 { config, lib, pkgs, ... }:
-
+let
+  enableDesktop = false;
+in
 {
   imports =
     [ # Include the results of the hardware scan.
@@ -10,6 +12,8 @@
       ./kea.nix
       ./services.nix
     ];
+  # Secrix for secrets management
+  secrix.hostPubKey = vars.pubkey;
 
   # Bootloader.
   boot.loader.systemd-boot.enable = true;
@@ -31,10 +35,10 @@
 
   # Enable the KDE Plasma Desktop Environment.
   # Useful for debugging with wireshark.
-  # services.displayManager.sddm.enable = true;
   hardware.graphics.enable = true;
-  services.displayManager.sddm.wayland.enable = true;
-  services.desktopManager.plasma6.enable = true;
+  services.displayManager.sddm.enable = enableDesktop;
+  services.displayManager.sddm.wayland.enable = enableDesktop;
+  services.desktopManager.plasma6.enable = enableDesktop;
   # No need for audio in VM
   services.pipewire.enable = false;
 
@@ -79,9 +83,7 @@
     eza
     fastfetch
     fd
-    kdePackages.filelight
     kdePackages.kate
-    kdePackages.yakuake
     ldns
     lsof
     micro

hosts/router/firewall.nix

@@ -4,54 +4,96 @@ let
   links = vars.links;
   ifs = vars.ifs;
   pdFromWan = vars.pdFromWan;
+  nftIdentifiers = ''
+    define ZONE_WAN_IFS = { ${ifs.wan.name} }
+    define ZONE_LAN_IFS = {
+        ${ifs.lan.name},
+        ${ifs.lan10.name},
+        ${ifs.lan20.name},
+        ${ifs.lan30.name},
+        ${ifs.lan40.name},
+        ${ifs.lan50.name},
+    }
+    define OPNSENSE_NET6 = ${vars.extra.opnsense.net6}
+    define ZONE_LAN_EXTRA_NET6 = {
+        # TODO: reevaluate this statement
+        ${ifs.lan20.net6},  # needed since packets can come in from wan on these addrs
+        $OPNSENSE_NET6,
+    }
+    define RFC1918 = { 10.0.0.0/8, 172.12.0.0/12, 192.168.0.0/16 }
+    define CLOUDFLARE_NET6 = {
+        # https://www.cloudflare.com/ips-v6
+        # TODO: figure out a better way to get addrs dynamically from url
+        # perhaps building a nixos module/package that fetches the ips?
+        2400:cb00::/32,
+        2606:4700::/32,
+        2803:f800::/32,
+        2405:b500::/32,
+        2405:8100::/32,
+        2a06:98c0::/29,
+        2c0f:f248::/32,
+    }
+  '';
 in
 {
   networking.firewall.enable = false;
   networking.nftables.enable = true;
-  networking.nftables.tables.firewall = {
-    family = "inet";
+  # networking.nftables.ruleset = nftIdentifiers; #doesn't work because it's appended to the end
+  networking.nftables.tables.nat4 = {
+    family = "ip";
     content = ''
-      define ZONE_WAN_IFS = { ${ifs.wan.name} }
-      define ZONE_LAN_IFS = {
-          ${ifs.lan.name},
-          ${ifs.lan10.name},
-          ${ifs.lan20.name},
-          ${ifs.lan30.name},
-          ${ifs.lan40.name},
-          ${ifs.lan50.name},
-      }
-      define OPNSENSE_NET6 = ${vars.extra.opnsense.net6}
-      define ZONE_LAN_EXTRA_NET6 = {
-          # TODO: reevaluate this statement
-          ${ifs.lan20.net6},  # needed since packets can come in from wan on these addrs
-          $OPNSENSE_NET6,
-      }
-      define RFC1918 = { 10.0.0.0/8, 172.12.0.0/12, 192.168.0.0/16 }
-      define CLOUDFLARE_NET6 = {
-          # https://www.cloudflare.com/ips-v6
-          # TODO: figure out a better way to get addrs dynamically from url
-          # perhaps building a nixos module/package that fetches the ips?
-          2400:cb00::/32,
-          2606:4700::/32,
-          2803:f800::/32,
-          2405:b500::/32,
-          2405:8100::/32,
-          2a06:98c0::/29,
-          2c0f:f248::/32,
-      }
-
-      define ALLOWED_TCP_PORTS = { ssh, https }
-      define ALLOWED_UDP_PORTS = { bootps, dhcpv6-server, domain }
-
-      map port_forward_v4 {
+      ${nftIdentifiers}
+      map port_forward {
           type inet_proto . inet_service : ipv4_addr . inet_service
           elements = {
               tcp . 8006 : ${ifs.lan50.p4}.10 . 8006
           }
       }
+
+      chain prerouting {
+          # Initial step, accept by default
+          type nat hook prerouting priority dstnat; policy accept;
+
+          # Port forwarding
+          fib daddr type local dnat ip to meta l4proto . th dport map @port_forward
+      }
+
+      chain postrouting {
+          # Last step, accept by default
+          type nat hook postrouting priority srcnat; policy accept;
+
+          # Masquerade LAN addrs
+          oifname $ZONE_WAN_IFS ip saddr $RFC1918 masquerade
+      }
+    '';
+  };
+
+  # Optional IPv6 masquerading (big L if enabled, don't forget to allow forwarding)
+  networking.nftables.tables.nat6 = {
+    family = "ip6";
+    enable = false;
+    content = ''
+      ${nftIdentifiers}
+      chain postrouting {
+          type nat hook postrouting priority srcnat; policy accept;
+          oifname $ZONE_WAN_IFS ip6 saddr fd00::/8 masquerade
+      }
+    '';
+  };
+
+  networking.nftables.tables.firewall = {
+    family = "inet";
+    content = ''
+      ${nftIdentifiers}
+      define ALLOWED_TCP_PORTS = { ssh, https }
+      define ALLOWED_UDP_PORTS = { bootps, dhcpv6-server, domain }
       set port_forward_v6 {
           type inet_proto . ipv6_addr . inet_service
-          # elements = {}
+          elements = {
+              # syncthing on alpina
+              tcp . ${ifs.lan.p6}::11:1 . 22000 ,
+              udp . ${ifs.lan.p6}::11:1 . 22000 ,
+          }
       }
       set cloudflare_forward_v6 {
           type ipv6_addr
@@ -94,7 +136,7 @@ in
           # WAN zone input rules
           iifname $ZONE_WAN_IFS jump zone_wan_input
           # LAN zone input rules
-          iifname $ZONE_LAN_IFS accept
+          # iifname $ZONE_LAN_IFS accept
           iifname $ZONE_LAN_IFS jump zone_lan_input
           ip6 saddr $ZONE_LAN_EXTRA_NET6 jump zone_lan_input
 
@@ -160,25 +202,6 @@ in
           # NAT reflection
           # oif lo ip daddr != 127.0.0.0/8 dnat ip to meta l4proto . th dport map @port_forward_v4
       }
-
-      chain prerouting {
-          # Initial step, accept by default
-          type nat hook prerouting priority dstnat; policy accept;
-
-          # Port forwarding
-          fib daddr type local dnat ip to meta l4proto . th dport map @port_forward_v4
-      }
-
-      chain postrouting {
-          # Last step, accept by default
-          type nat hook postrouting priority srcnat; policy accept;
-
-          # Masquerade LAN addrs
-          oifname $ZONE_WAN_IFS ip saddr $RFC1918 masquerade
-
-          # Optional IPv6 masquerading (big L if enabled, don't forget to allow forwarding)
-          # oifname $ZONE_WAN_IFS ip6 saddr fd00::/8 masquerade
-      }
     '';
   };
 }

hosts/router/services.nix

@@ -30,7 +30,11 @@ in
   # https://wiki.nixos.org/wiki/Grafana#Declarative_configuration
   services.grafana = {
     enable = true;
-    settings.server.http_port = 3001;
+    settings.server = {
+      http_port = 3001;
+      serve_from_sub_path = true;
+      root_url = "%(protocol)s://%(domain)s:%(http_port)s/grafana/";
+    };
     provision = {
       enable = true;
       datasources.settings.datasources = [
@@ -43,11 +47,30 @@ in
     };
   };
 
+  secrix.system.secrets.cf-api-key.encrypted.file = ../../secrets/cf_api_key.age;
+  systemd.services.caddy.serviceConfig.EnvironmentFile = config.secrix.system.secrets.cf-api-key.decrypted.path;
   services.caddy = {
     enable = true;
+    package = pkgs.caddy.withPlugins {
+      plugins = [ "github.com/caddy-dns/cloudflare@v0.2.1" ];
+      hash = "sha256-saKJatiBZ4775IV2C5JLOmZ4BwHKFtRZan94aS5pO90=";
+    };
     virtualHosts."grouter.${domain}".extraConfig = ''
-      reverse_proxy localhost:${toString config.services.grafana.settings.server.http_port}
-      tls internal
+      tls {
+          dns cloudflare {env.CF_API_KEY}
+          resolvers 1.1.1.1
+      }
+      @grafana path /grafana /grafana/*
+      handle @grafana {
+          reverse_proxy localhost:${toString config.services.grafana.settings.server.http_port}
+      }
+      redir /adghome /adghome/
+      handle_path /adghome/* {
+          reverse_proxy localhost:${toString config.services.adguardhome.port}
+          basic_auth {
+              Bob $2a$14$HsWmmzQTN68K3vwiRAfiUuqIjKoXEXaj9TOLUtG2mO1vFpdovmyBy
+          }
+      }
     '';
   };
 }

hosts/router/vars.nix

@@ -31,6 +31,7 @@ let
     };
 in
 rec {
+  pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFobB87yYVwhuYrA+tfztLuks3s9jZOqEFktwGw1mo83 root@grouter";
   domain = "cazzzer.com";
   ldomain = "l.${domain}";
   sysdomain = "sys.${domain}";

secrets/cf_api_key.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 D2MY/A Kj69kavxx+ATNHP5pX0JtGggU76f9uRwkZp2HbjwiWc
+SbU3jIcQzUzaQjRHzVSoW1WKiUj+1ijbkUKqVb406fY
+--- vMV0TcchFvxw1xetQQZ0xVi2KwjLFRfZBM1gl7BGbGI
+Âä1<10>£ÃéKò<¯
–fNGL½ÍÉ­¶ Ké5c‰é<E280B0>uǶ6Ï-<2D>¢,!H'¹Ð¦Î™4Y»‹c]<%”ßÞ˜Î;B¹ÛÎnŒRb— <20>Œ