WIP: router: wireguard: change wg0 subnets to not conflict with opnsense

.gitattributes

@@ -0,0 +1 @@
+private.nix  filter=crypt diff=crypt merge=crypt

.gitignore

@@ -0,0 +1,5 @@
+### Nix template
+# Ignore build outputs from performing a nix-build or `nix build` command
+result
+result-*
+

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1747009742,
-        "narHash": "sha256-TNhbM7R45fpq2cdWzvFj+H5ZTcE//I5XSe78GFh0cDY=",
+        "lastModified": 1748529677,
+        "narHash": "sha256-MJEX3Skt5EAIs/aGHD8/aXXZPcceMMHheyIGSjvxZN0=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "c74665abd6e4e37d3140e68885bc49a994ffa53c",
+        "rev": "da282034f4d30e787b8a10722431e8b650a907ef",
         "type": "github"
       },
       "original": {
@@ -43,11 +43,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1742568034,
-        "narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=",
+        "lastModified": 1747663185,
+        "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11",
+        "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc",
         "type": "github"
       },
       "original": {
@@ -58,11 +58,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1746904237,
-        "narHash": "sha256-3e+AVBczosP5dCLQmMoMEogM57gmZ2qrVSrmq9aResQ=",
+        "lastModified": 1748370509,
+        "narHash": "sha256-QlL8slIgc16W5UaI3w7xHQEP+Qmv/6vSNTpoZrrSlbk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d89fc19e405cb2d55ce7cc114356846a0ee5e956",
+        "rev": "4faa5f5321320e49a78ae7848582f684d64783e9",
         "type": "github"
       },
       "original": {
@@ -82,11 +82,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1742765550,
-        "narHash": "sha256-2vVIh2JrL6GAGfgCeY9e6iNKrBjs0Hw3bGQEAbwVs68=",
+        "lastModified": 1748196248,
+        "narHash": "sha256-1iHjsH6/5UOerJEoZKE+Gx1BgAoge/YcnUsOA4wQ/BU=",
         "owner": "nix-community",
         "repo": "plasma-manager",
-        "rev": "b70be387276e632fe51232887f9e04e2b6ef8c16",
+        "rev": "b7697abe89967839b273a863a3805345ea54ab56",
         "type": "github"
       },
       "original": {

flake.nix

@@ -34,6 +34,7 @@
           ./modules
           ./hosts/common.nix
           ./hosts/Yura-PC
+          ./users/cazzzer
           # https://nix-community.github.io/home-manager/index.xhtml#sec-flakes-nixos-module
           home-manager.nixosModules.home-manager
           {
@@ -52,7 +53,9 @@
         modules = [
           ./modules
           ./hosts/common.nix
+          ./hosts/hw-vm.nix
           ./hosts/vm
+          ./users/cazzzer
         ];
       };
       router = nixpkgs.lib.nixosSystem {
@@ -62,6 +65,7 @@
           ./modules
           ./hosts/common.nix
           ./hosts/router
+          ./users/cazzzer
         ];
       };
     };
@@ -72,11 +76,25 @@
         modules = [
           ./modules
           ./hosts/common.nix
-          ./hosts/vm/proxmox.nix
+          ./hosts/hw-proxmox.nix
           ./hosts/vm
+          ./users/cazzzer
         ];
         format = "proxmox";
       };
+      vm-proxmox = let
+        image = nixpkgs.lib.nixosSystem {
+          system = "x86_64-linux";
+          modules = [
+            ./modules
+            ./hosts/common.nix
+            ./hosts/hw-proxmox.nix
+            ./hosts/vm
+            ./users/cazzzer
+          ];
+        };
+      in
+        image.config.system.build.VMA;
     };
   };
 }

home/default.nix

@@ -1,15 +1,12 @@
 { config, lib, pkgs, ... }:
 let
-  defaultFont = {
-    family = "Noto Sans";
-    pointSize = 14;
-  };
+  username = "cazzzer";
 in
 {
   # Home Manager needs a bit of information about you and the paths it should
   # manage.
-  home.username = "cazzzer";
-  home.homeDirectory = "/home/cazzzer";
+  home.username = username;
+  home.homeDirectory = "/home/${username}";
 
   # Let Home Manager install and manage itself.
   programs.home-manager.enable = true;
@@ -126,8 +123,15 @@ in
   programs.plasma = {
     enable = true;
     overrideConfig = true;
+    # TODO: figure out how to enable tela-circle icon theme if installed in systemPackages
+    # workspace.iconTheme = if builtins.elem pkgs.tela-circle-icon-theme config.environment.systemPackages then "Tela-circle" else null;
     workspace.iconTheme = "Tela-circle";
-    fonts = {
+    fonts = let
+      defaultFont = {
+        family = "Noto Sans";
+        pointSize = 14;
+      };
+    in {
       general = defaultFont;
       fixedWidth = defaultFont // { family = "Hack"; };
       small = defaultFont // { pointSize = defaultFont.pointSize - 2; };

hosts/Yura-PC/default.nix

@@ -32,7 +32,7 @@
 
   boot.loader.timeout = 3;
   boot.loader.systemd-boot.configurationLimit = 5;
-  boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_13;
+  boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_14;
 
   # https://nixos.wiki/wiki/Accelerated_Video_Playback
   hardware.graphics = {
@@ -88,7 +88,7 @@
   services.openssh.enable = true;
   services.flatpak.enable = true;
   # services.geoclue2.enable = true;
-  location.provider = "geoclue2";
+  # location.provider = "geoclue2";
   # services.gnome.gnome-keyring.enable = true;
   security.pam.services.sddm.enableGnomeKeyring = true;
   # security.pam.services.sddm.gnupg.enable = true;
@@ -97,42 +97,6 @@
   # Enable touchpad support (enabled default in most desktopManager).
   # services.xserver.libinput.enable = true;
 
-  # Define a user account. Don't forget to set a password with ‘passwd’.
-  users.groups = {
-    cazzzer = {
-      gid = 1000;
-    };
-  };
-  users.users.cazzzer = {
-    isNormalUser = true;
-    description = "Yura";
-    uid = 1000;
-    group = "cazzzer";
-    extraGroups = [ "networkmanager" "wheel" "docker" "wireshark" "geoclue" ];
-    packages = with pkgs; [
-      # Python
-      python3
-      poetry
-
-      # Haskell
-      haskellPackages.ghc
-      haskellPackages.stack
-
-      # Node
-      nodejs_22
-      pnpm
-      bun
-
-      # Nix
-      nixd
-      nil
-
-      # Gleam
-      gleam
-      beamMinimal26Packages.erlang
-    ];
-  };
-
   hardware.bluetooth.enable = true;
   hardware.bluetooth.powerOnBoot = false;
   # Install firefox.
@@ -168,9 +132,6 @@
     # };
   # };
 
-  # Allow unfree packages
-  nixpkgs.config.allowUnfree = true;
-
   # List packages installed in system profile. To search, run:
   # $ nix search wget
 
@@ -216,9 +177,11 @@
     fd
     helix
     micro
+    openssl
     ripgrep
     starship
     tealdeer
+    transcrypt
   ] ++ [
     efibootmgr
     ffmpeg

hosts/hw-proxmox.nix

@@ -0,0 +1,16 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    "${modulesPath}/virtualisation/proxmox-image.nix"
+  ];
+
+  # boot.kernelParams = [ "console=tty0" ];
+  proxmox.qemuConf.bios = "ovmf";
+  proxmox.qemuExtraConf = {
+    machine = "q35";
+    # efidisk0 = "local-lvm:vm-9999-disk-1";
+    cpu = "host";
+  };
+  proxmox.cloudInit.enable = false;
+}

hosts/hw-vm.nix

@@ -0,0 +1,26 @@
+{ config, lib, pkgs, modulesPath, ... }: {
+  imports = [
+    "${modulesPath}/profiles/qemu-guest.nix"
+  ];
+
+  boot.initrd.availableKernelModules = lib.mkDefault [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+
+  fileSystems."/" = lib.mkDefault {
+    device = "/dev/disk/by-label/nixos";
+    autoResize = true;
+    fsType = "ext4";
+  };
+  fileSystems."/boot" = lib.mkDefault {
+    device = "/dev/disk/by-label/ESP";
+    fsType = "vfat";
+  };
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp6s18.useDHCP = lib.mkDefault true;
+
+  # nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/router/default.nix

@@ -8,9 +8,11 @@ in
     [ # Include the results of the hardware scan.
       ./hardware-configuration.nix
       ./ifconfig.nix
+      ./wireguard.nix
       ./firewall.nix
       ./dns.nix
       ./kea.nix
+      ./glance.nix
       ./services.nix
     ];
   # Secrix for secrets management
@@ -52,24 +54,6 @@ in
 
   security.sudo.wheelNeedsPassword = false;
 
-  users.groups = {
-    cazzzer = {
-      gid = 1000;
-    };
-  };
-  users.users.cazzzer = {
-    password = "";
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWgEzbEjbbu96MVQzkiuCrw+UGYAXN4sRe2zM6FVopq cazzzer@Yura-PC"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApFeLVi3BOquL0Rt+gQK2CutNHaBDQ0m4PcGWf9Bc43 cazzzer@Yura-TPX13"
-    ];
-    isNormalUser = true;
-    description = "Yura";
-    uid = 1000;
-    group = "cazzzer";
-    extraGroups = [ "wheel" "wireshark" ];
-  };
-
   programs.firefox.enable = true;
   programs.fish.enable = true;
   programs.git.enable = true;
@@ -89,10 +73,12 @@ in
     lsof
     micro
     mpv
+    openssl
     ripgrep
     rustscan
     starship
     tealdeer
+    transcrypt
     waypipe
     whois
   ];

hosts/router/firewall.nix

@@ -13,6 +13,7 @@ let
         ${ifs.lan30.name},
         ${ifs.lan40.name},
         ${ifs.lan50.name},
+        wg0,
     }
     define OPNSENSE_NET6 = ${vars.extra.opnsense.net6}
     define ZONE_LAN_EXTRA_NET6 = {
@@ -85,8 +86,10 @@ in
     family = "inet";
     content = ''
       ${nftIdentifiers}
-      define ALLOWED_TCP_PORTS = { ssh, https }
-      define ALLOWED_UDP_PORTS = { bootps, dhcpv6-server, domain, https }
+      define ALLOWED_TCP_PORTS = { ssh }
+      define ALLOWED_UDP_PORTS = { 18596 }
+      define ALLOWED_TCP_LAN_PORTS = { ssh, https }
+      define ALLOWED_UDP_LAN_PORTS = { bootps, dhcpv6-server, domain, https }
       set port_forward_v6 {
           type inet_proto . ipv6_addr . inet_service
           elements = {
@@ -133,6 +136,10 @@ in
           # but apparently not.
           ip6 daddr { fe80::/10, ff02::/16 } th dport { dhcpv6-client, dhcpv6-server } accept
 
+          # Global input rules
+          tcp dport $ALLOWED_TCP_PORTS accept
+          udp dport $ALLOWED_UDP_PORTS accept
+
           # WAN zone input rules
           iifname $ZONE_WAN_IFS jump zone_wan_input
           # LAN zone input rules
@@ -157,8 +164,7 @@ in
       }
 
       chain zone_wan_input {
-          # Allow SSH from WAN (if needed)
-          tcp dport ssh accept
+          # Allow specific stuff from WAN
       }
 
       chain zone_wan_forward {
@@ -180,8 +186,8 @@ in
           ip protocol icmp accept
 
           # Allow specific services from LAN
-          tcp dport $ALLOWED_TCP_PORTS accept
-          udp dport $ALLOWED_UDP_PORTS accept
+          tcp dport $ALLOWED_TCP_LAN_PORTS accept
+          udp dport $ALLOWED_UDP_LAN_PORTS accept
       }
 
       chain zone_lan_forward {

hosts/router/glance.nix

@@ -0,0 +1,166 @@
+{ config, lib, pkgs, ... }:
+let
+  vars = import ./vars.nix;
+  domain = vars.domain;
+in
+{
+  # Glance dashboard
+  services.glance.enable = true;
+  services.glance.settings.pages = [
+    {
+      name = "Home";
+      # hideDesktopNavigation = true; # Uncomment if needed
+      columns = [
+        {
+          size = "small";
+          widgets = [
+            {
+              type = "calendar";
+              firstDayOfWeek = "monday";
+            }
+            {
+              type = "rss";
+              limit = 10;
+              collapseAfter = 3;
+              cache = "12h";
+              feeds = [
+                { url = "https://rtk0c.pages.dev/index.xml"; }
+                { url = "https://www.yegor256.com/rss.xml"; }
+                { url = "https://selfh.st/rss/"; title = "selfh.st"; }
+                { url = "https://ciechanow.ski/atom.xml"; }
+                { url = "https://www.joshwcomeau.com/rss.xml"; title = "Josh Comeau"; }
+                { url = "https://samwho.dev/rss.xml"; }
+                { url = "https://ishadeed.com/feed.xml"; title = "Ahmad Shadeed"; }
+              ];
+            }
+            {
+              type = "twitch-channels";
+              channels = [
+                "theprimeagen"
+                "j_blow"
+                "piratesoftware"
+                "cohhcarnage"
+                "christitustech"
+                "EJ_SA"
+              ];
+            }
+          ];
+        }
+        {
+          size = "full";
+          widgets = [
+            {
+              type = "group";
+              widgets = [
+                { type = "hacker-news"; }
+                { type = "lobsters"; }
+              ];
+            }
+            {
+              type = "videos";
+              channels = [
+                "UCXuqSBlHAE6Xw-yeJA0Tunw" # Linus Tech Tips
+                "UCR-DXc1voovS8nhAvccRZhg" # Jeff Geerling
+                "UCsBjURrPoezykLs9EqgamOA" # Fireship
+                "UCBJycsmduvYEL83R_U4JriQ" # Marques Brownlee
+                "UCHnyfMqiRRG1u-2MsSQLbXA" # Veritasium
+              ];
+            }
+            {
+              type = "group";
+              widgets = [
+                {
+                  type = "reddit";
+                  subreddit = "technology";
+                  showThumbnails = true;
+                }
+                {
+                  type = "reddit";
+                  subreddit = "selfhosted";
+                  showThumbnails = true;
+                }
+              ];
+            }
+          ];
+        }
+        {
+          size = "small";
+          widgets = [
+            {
+              type = "weather";
+              location = "San Jose, California, United States";
+              units = "metric";
+              hourFormat = "12h";
+              # hideLocation = true; # Uncomment if needed
+            }
+            {
+              type = "markets";
+              markets = [
+                { symbol = "SPY"; name = "S&P 500"; }
+                { symbol = "BTC-USD"; name = "Bitcoin"; }
+                { symbol = "NVDA"; name = "NVIDIA"; }
+                { symbol = "AAPL"; name = "Apple"; }
+                { symbol = "MSFT"; name = "Microsoft"; }
+              ];
+            }
+            {
+              type = "releases";
+              cache = "1d";
+              # token = "..."; # Uncomment and set if needed
+              repositories = [
+                "glanceapp/glance"
+                "go-gitea/gitea"
+                "immich-app/immich"
+                "syncthing/syncthing"
+              ];
+            }
+          ];
+        }
+      ];
+    }
+    {
+      name = "Infrastructure";
+      columns = [
+        {
+          size = "small";
+          widgets = [
+            {
+              type = "server-stats";
+              servers = [
+                {
+                  type = "local";
+                  name = "Router";
+                  mountpoints."/nix/store".hide = true;
+                }
+              ];
+            }
+          ];
+        }
+        {
+          size = "full";
+          widgets = [
+            {
+              type = "iframe";
+              title = "Grafana";
+              title-url = "/grafana/";
+              source = "/grafana/d-solo/rYdddlPWk/node-exporter-full?orgId=1&from=1747211119196&to=1747297519196&timezone=browser&var-datasource=PBFA97CFB590B2093&var-job=node&var-node=localhost:9100&var-diskdevices=%5Ba-z%5D%2B%7Cnvme%5B0-9%5D%2Bn%5B0-9%5D%2B%7Cmmcblk%5B0-9%5D%2B&refresh=1m&panelId=74&__feature.dashboardSceneSolo";
+              height = 400;
+            }
+          ];
+        }
+        {
+          size = "small";
+          widgets = [
+            {
+              type = "dns-stats";
+              service = "adguard";
+              url = "http://localhost:${toString config.services.adguardhome.port}";
+              username = "";
+              password = "";
+            }
+          ];
+        }
+      ];
+    }
+  ];
+}

hosts/router/private.nix

@@ -0,0 +1,2 @@
+U2FsdGVkX1/98w32OE1ppwT0I5A3UOTKCLJfvk+TQdrbf0TLfYNZ9TC9n8cH2hC9
+ObKVuFlOLwHlzeBy7MXaLg==

hosts/router/secrets/wireguard/wg0-peer-AsusS513-psk.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 D2MY/A YAk0egMScFdPo0uAZzITtgQyPAifDcVUfb957Zhz9Ec
+pAEM+7sbPE8rHBhRV7mTmH1w4mbfKFopMWbwu/3KHCw
+--- ykshsqEqKvCCE2kWIPAJPA/DFW7mu6+0x4MQhHgi1yU
+'<27>zƀ{g<>id\{<7B>E<EFBFBD><45><EFBFBD>tp<74>U<>g2QC3g<33><08>JG<4A>V1<56>6<>WG_E&<26>v<EFBFBD><76>)<29>&<26><><EFBFBD>ޑN"<22><><EFBFBD>n<EFBFBD>_T͒<54>

hosts/router/secrets/wireguard/wg0-peer-Yura-TPX13-psk.age

@@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 D2MY/A P88M0uj4ZphVo3WrRYDu+c7B0Dl7ncctbYkByYmU2wg
+DV3Gn6TQ6iByAlNt0gg8kSZ2r0Gie/wcznZx9M+CC2g
+--- KhwGM50BVql02Jq0do2uhXMfgWPPDfbodzDRmZ9n0O4
+r<EFBFBD><EFBFBD><EFBFBD>Զa<EFBFBD>yY/C<><43>J<EFBFBD>B<EFBFBD>X<EFBFBD>!<21>"F
+<EFBFBD>h<EFBFBD><EFBFBD><EFBFBD>(<28>L><3E>()<29><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>S;<3B>}}2ОO.<2E><13>hoqY<19>K"c<>E<EFBFBD><45>JM?-<2D>O

hosts/router/secrets/wireguard/wg0-private-key.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 D2MY/A tvRtTGWnaB0zxqZRba4/XpzwPa61RrnHCk4tT8OfnGQ
+IX85Q5VKxQTl+MnhzwiuTnNMVkR9QrYo/1njrbZeBnQ
+--- dmlPIL2T+RFhbO2iLDRa4BxxYSSUQdedV3TK83ooFdA
+<18>gE	7<><37>0`d<>V(o<>W<EFBFBD><57><EFBFBD>S@
<01>ۭ<EFBFBD><DBAD><EFBFBD>p<EFBFBD><70><EFBFBD><EFBFBD><EFBFBD>Z<EFBFBD><5A>ЃT<D083><54><EFBFBD><EFBFBD><14>U<EFBFBD><55>+*<2A>\Q<><51>[<5B><><EFBFBD><EFBFBD>x<><78>29<32>i5<69>k

hosts/router/services.nix

@@ -4,6 +4,7 @@ let
   domain = vars.domain;
 in
 {
+
   # vnStat for tracking network interface stats
   services.vnstat.enable = true;
 
@@ -30,10 +31,14 @@ in
   # https://wiki.nixos.org/wiki/Grafana#Declarative_configuration
   services.grafana = {
     enable = true;
-    settings.server = {
-      http_port = 3001;
-      serve_from_sub_path = true;
-      root_url = "%(protocol)s://%(domain)s:%(http_port)s/grafana/";
+    settings = {
+      security.allow_embedding = true;
+      server = {
+        http_port = 3001;
+        domain = "grouter.${domain}";
+        root_url = "https://%(domain)s/grafana/";
+        serve_from_sub_path = true;
+      };
     };
     provision = {
       enable = true;
@@ -47,13 +52,13 @@ in
     };
   };
 
-  secrix.system.secrets.cf-api-key.encrypted.file = ../../secrets/cf_api_key.age;
+  secrix.system.secrets.cf-api-key.encrypted.file = ./secrets/cf-api-key.age;
   systemd.services.caddy.serviceConfig.EnvironmentFile = config.secrix.system.secrets.cf-api-key.decrypted.path;
   services.caddy = {
     enable = true;
     package = pkgs.caddy.withPlugins {
       plugins = [ "github.com/caddy-dns/cloudflare@v0.2.1" ];
-      hash = "sha256-saKJatiBZ4775IV2C5JLOmZ4BwHKFtRZan94aS5pO90=";
+      hash = "sha256-Gsuo+ripJSgKSYOM9/yl6Kt/6BFCA6BuTDvPdteinAI=";
     };
     virtualHosts."grouter.${domain}".extraConfig = ''
       encode
@@ -72,6 +77,9 @@ in
               Bob $2a$14$HsWmmzQTN68K3vwiRAfiUuqIjKoXEXaj9TOLUtG2mO1vFpdovmyBy
           }
       }
+      handle /* {
+          reverse_proxy localhost:${toString config.services.glance.settings.server.port}
+      }
     '';
   };
 }

hosts/router/vars.nix

@@ -1,4 +1,6 @@
 let
+  private = import ./private.nix;
+
   mkIfConfig = {
     name_,
     domain_,
@@ -43,7 +45,7 @@ rec {
   };
 
   p4 = "10.17";                      # .0.0/16
-  pdFromWan = "";  # ::/60
+  pdFromWan = private.pdFromWan;  # ::/60
   ulaPrefix = "fdab:07d3:581d";      # ::/48
   ifs = rec {
     wan = rec {
@@ -97,6 +99,18 @@ rec {
     };
   };
 
+  wg = {
+    wg0 = rec {
+      name = "wg0";
+      p4 = "10.18.16";  # .0/24
+      addr4 = "${p4}.1";
+      addr4Sized = "${addr4}/24";
+      p6 = "${pdFromWan}f::6";  # :0:0/96
+      addr6 = "${p6}:0:1";
+      addr6Sized = "${addr6}/96";
+    };
+  };
+
   extra = {
     opnsense = rec {
       addr4 = "${ifs.lan.p4}.250";

hosts/router/wireguard.nix

@@ -0,0 +1,67 @@
+{ config, lib, pkgs, ... }:
+let
+  vars = import ./vars.nix;
+  wg0 = vars.wg.wg0;
+
+  wg0Peers = {
+    "Yura-TPX13" = {
+      allowedIPs = [ "${wg0.p4}.3/32" "${wg0.p6}:3:0/112" ];
+      publicKey = "iJa5JmJbMHNlbEluNwoB2Q8LyrPAfb7S/mluanMcI08=";
+      pskEnabled = true;
+    };
+    "Yura-Pixel7Pro" = {
+      allowedIPs = [ "${wg0.p4}.4/32" "${wg0.p6}:4:0/112" ];
+      publicKey = "UjZlsukmAsX60Z5FnZwKCSu141Gjj74+hBVT3TRhwT4=";
+      pskEnabled = true;
+    };
+    "AsusS513" = {
+      allowedIPs = [ "${wg0.p4}.100/32" ];
+      publicKey = "XozJ7dHdJfkLORkCVxaB1VmvHEOAA285kRZcmzfPl38=";
+      pskEnabled = false;
+    };
+  };
+  peerSecretName = name: "wg0-peer-${name}-psk";
+  secrets = config.secrix.services.systemd-networkd.secrets;
+in
+{
+  secrix.services.systemd-networkd.secrets = let
+    pskPeers = lib.attrsets.filterAttrs (name: peer: peer.pskEnabled) wg0Peers;
+    mapPeer = name: peer: {
+      name = peerSecretName name;
+      value.encrypted.file = ./secrets/wireguard/${peerSecretName name}.age;
+    };
+    peerSecrets = lib.attrsets.mapAttrs' mapPeer pskPeers;
+  in
+  {
+    wg0-private-key.encrypted.file = ./secrets/wireguard/wg0-private-key.age;
+  } // peerSecrets;
+
+  systemd.network.netdevs = {
+    "10-wg0" = {
+      netdevConfig = {
+        Kind = "wireguard";
+        Name = "wg0";
+      };
+      wireguardConfig = {
+        PrivateKeyFile = secrets.wg0-private-key.decrypted.path;
+        ListenPort = 18596;
+      };
+      wireguardPeers = map (peer: {
+        AllowedIPs = lib.strings.concatStringsSep "," peer.value.allowedIPs;
+        PublicKey = peer.value.publicKey;
+        PresharedKeyFile = if peer.value.pskEnabled then secrets."${peerSecretName peer.name}".decrypted.path else null;
+      }) (lib.attrsToList wg0Peers);
+    };
+  };
+
+  systemd.network.networks = {
+    "10-wg0" = {
+      matchConfig.Name = "wg0";
+      networkConfig = {
+        IPv4Forwarding = true;
+        IPv6SendRA = false;
+        Address = [ wg0.addr4Sized wg0.addr6Sized ];
+      };
+    };
+  };
+}

hosts/vm/default.nix

@@ -7,7 +7,7 @@
 {
   imports =
     [ # Include the results of the hardware scan.
-#      ./hardware-configuration-vm.nix
+      # ./hardware-configuration.nix
     ];
   mods.kb-input.enable = false;
 
@@ -47,8 +47,8 @@
   services.flatpak.enable = true;
 
   # VM services
-  services.cloud-init.enable = true;
-#  services.cloud-init.network.enable = false;
+  # services.cloud-init.enable = false;
+  # services.cloud-init.network.enable = false;
   services.qemuGuest.enable = true;
   services.spice-vdagentd.enable = true;
   services.openssh.enable = true;
@@ -57,24 +57,6 @@
 
   security.sudo.wheelNeedsPassword = false;
 
-  users.groups = {
-    cazzzer = {
-      gid = 1000;
-    };
-  };
-  users.users.cazzzer = {
-    password = "";
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWgEzbEjbbu96MVQzkiuCrw+UGYAXN4sRe2zM6FVopq cazzzer@Yura-PC"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApFeLVi3BOquL0Rt+gQK2CutNHaBDQ0m4PcGWf9Bc43 cazzzer@Yura-TPX13"
-    ];
-    isNormalUser = true;
-    description = "Yura";
-    uid = 1000;
-    group = "cazzzer";
-    extraGroups = [ "wheel" "docker" "wireshark" ];
-  };
-
   # Install firefox.
   programs.firefox.enable = true;
   programs.fish.enable = true;
@@ -113,9 +95,11 @@
     ldns
     micro
     mpv
+    openssl
     ripgrep
     starship
     tealdeer
+    transcrypt
     waypipe
     whois
     zfs

hosts/vm/hardware-configuration.nix

@@ -1,37 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/da85e220-e2b0-443a-9a0c-a9516b8e5030";
-      fsType = "ext4";
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/3F96-8974";
-      fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
-    };
-
-  swapDevices = [ ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp6s18.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}

hosts/vm/proxmox.nix

@@ -1,11 +0,0 @@
-{ ... }:
-
-{
-#  boot.kernelParams = [ "console=tty0" ];
-  proxmox.qemuConf.bios = "ovmf";
-  proxmox.qemuExtraConf = {
-    machine = "q35";
-#    efidisk0 = "local-lvm:vm-9999-disk-1";
-    cpu = "host";
-  };
-}

users/cazzzer/default.nix

@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }: {
+  users.groups.cazzzer.gid = 1000;
+  users.users.cazzzer = {
+    uid = 1000;
+    isNormalUser = true;
+    description = "Yura";
+    group = "cazzzer";
+    extraGroups = [ "wheel" ]
+      ++ lib.optionals config.networking.networkmanager.enable [ "networkmanager" ]
+      ++ lib.optionals config.virtualisation.docker.enable [ "docker" ]
+      ++ lib.optionals config.programs.wireshark.enable [ "wireshark" ]
+    ;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE02AhJIZtrtZ+5sZhna39LUUCEojQzmz2BDWguT9ZHG yuri@tati.sh"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHczlipzGWv8c6oYwt2/9ykes5ElfneywDXBTOYbfSfn Pixel7Pro"
+    ];
+    # TODO: think of a better way to do this
+    packages = with pkgs; lib.optionals (config.networking.hostName == "Yura-PC") [
+      # Python
+      python3
+      poetry
+
+      # Haskell
+      haskellPackages.ghc
+      haskellPackages.stack
+
+      # Node
+      nodejs_22
+      pnpm
+      bun
+
+      # Nix
+      nil
+      nixd
+      nixfmt-rfc-style
+
+      # Gleam
+      gleam
+      beamMinimal26Packages.erlang
+    ];
+  };
+}