WIP: router: wireguard: change wg0 subnets to not conflict with opnsense

# Conflicts:
#	hosts/router/default.nix

.gitattributes

@@ -0,0 +1 @@
+private.nix  filter=crypt diff=crypt merge=crypt

.gitignore

@@ -0,0 +1,5 @@
+### Nix template
+# Ignore build outputs from performing a nix-build or `nix build` command
+result
+result-*
+

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1742957044,
-        "narHash": "sha256-gwW0tBIA77g6qq45y220drTy0DmThF3fJMwVFUtYV9c=",
+        "lastModified": 1748529677,
+        "narHash": "sha256-MJEX3Skt5EAIs/aGHD8/aXXZPcceMMHheyIGSjvxZN0=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "ce287a5cd3ef78203bc78021447f937a988d9f6f",
+        "rev": "da282034f4d30e787b8a10722431e8b650a907ef",
         "type": "github"
       },
       "original": {
@@ -43,11 +43,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1742568034,
-        "narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=",
+        "lastModified": 1747663185,
+        "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11",
+        "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc",
         "type": "github"
       },
       "original": {
@@ -58,11 +58,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1742669843,
-        "narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=",
+        "lastModified": 1748370509,
+        "narHash": "sha256-QlL8slIgc16W5UaI3w7xHQEP+Qmv/6vSNTpoZrrSlbk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1e5b653dff12029333a6546c11e108ede13052eb",
+        "rev": "4faa5f5321320e49a78ae7848582f684d64783e9",
         "type": "github"
       },
       "original": {
@@ -82,11 +82,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1742765550,
-        "narHash": "sha256-2vVIh2JrL6GAGfgCeY9e6iNKrBjs0Hw3bGQEAbwVs68=",
+        "lastModified": 1748196248,
+        "narHash": "sha256-1iHjsH6/5UOerJEoZKE+Gx1BgAoge/YcnUsOA4wQ/BU=",
         "owner": "nix-community",
         "repo": "plasma-manager",
-        "rev": "b70be387276e632fe51232887f9e04e2b6ef8c16",
+        "rev": "b7697abe89967839b273a863a3805345ea54ab56",
         "type": "github"
       },
       "original": {
@@ -100,7 +100,28 @@
         "home-manager": "home-manager",
         "nixos-generators": "nixos-generators",
         "nixpkgs": "nixpkgs",
-        "plasma-manager": "plasma-manager"
+        "plasma-manager": "plasma-manager",
+        "secrix": "secrix"
+      }
+    },
+    "secrix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1746643487,
+        "narHash": "sha256-dcB/DArJObCvqE/ZEdQSDW2BZMeDyF83Se5KPfJvz60=",
+        "owner": "Platonic-Systems",
+        "repo": "secrix",
+        "rev": "4c64203fa5b377953b1fb6d5388187df8b60c6d5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Platonic-Systems",
+        "repo": "secrix",
+        "type": "github"
       }
     }
   },

flake.nix

@@ -18,9 +18,15 @@
       url = "github:nix-community/nixos-generators";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    secrix = {
+      url = "github:Platonic-Systems/secrix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
-  outputs = { self, nixpkgs, home-manager, plasma-manager, nixos-generators }: {
+  outputs = { self, nixpkgs, home-manager, plasma-manager, nixos-generators, secrix }: {
+    apps.x86_64-linux.secrix = secrix.secrix self;
+
     nixosConfigurations = {
       Yura-PC = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
@@ -28,6 +34,7 @@
           ./modules
           ./hosts/common.nix
           ./hosts/Yura-PC
+          ./users/cazzzer
           # https://nix-community.github.io/home-manager/index.xhtml#sec-flakes-nixos-module
           home-manager.nixosModules.home-manager
           {
@@ -46,15 +53,19 @@
         modules = [
           ./modules
           ./hosts/common.nix
+          ./hosts/hw-vm.nix
           ./hosts/vm
+          ./users/cazzzer
         ];
       };
       router = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
         modules = [
+          secrix.nixosModules.default
           ./modules
           ./hosts/common.nix
           ./hosts/router
+          ./users/cazzzer
         ];
       };
     };
@@ -65,11 +76,25 @@
         modules = [
           ./modules
           ./hosts/common.nix
-          ./hosts/vm/proxmox.nix
+          ./hosts/hw-proxmox.nix
           ./hosts/vm
+          ./users/cazzzer
         ];
         format = "proxmox";
       };
+      vm-proxmox = let
+        image = nixpkgs.lib.nixosSystem {
+          system = "x86_64-linux";
+          modules = [
+            ./modules
+            ./hosts/common.nix
+            ./hosts/hw-proxmox.nix
+            ./hosts/vm
+            ./users/cazzzer
+          ];
+        };
+      in
+        image.config.system.build.VMA;
     };
   };
 }

home/default.nix

@@ -1,15 +1,12 @@
 { config, lib, pkgs, ... }:
 let
-  defaultFont = {
-    family = "Noto Sans";
-    pointSize = 14;
-  };
+  username = "cazzzer";
 in
 {
   # Home Manager needs a bit of information about you and the paths it should
   # manage.
-  home.username = "cazzzer";
-  home.homeDirectory = "/home/cazzzer";
+  home.username = username;
+  home.homeDirectory = "/home/${username}";
 
   # Let Home Manager install and manage itself.
   programs.home-manager.enable = true;
@@ -19,6 +16,7 @@ in
     SHELL = "fish";
   };
 
+  # TODO: remove (replace by bitwarden-desktop)
   services.gnome-keyring = {
     enable = true;
     components = [ "pkcs11" "ssh" ];
@@ -125,8 +123,15 @@ in
   programs.plasma = {
     enable = true;
     overrideConfig = true;
+    # TODO: figure out how to enable tela-circle icon theme if installed in systemPackages
+    # workspace.iconTheme = if builtins.elem pkgs.tela-circle-icon-theme config.environment.systemPackages then "Tela-circle" else null;
     workspace.iconTheme = "Tela-circle";
-    fonts = {
+    fonts = let
+      defaultFont = {
+        family = "Noto Sans";
+        pointSize = 14;
+      };
+    in {
       general = defaultFont;
       fixedWidth = defaultFont // { family = "Hack"; };
       small = defaultFont // { pointSize = defaultFont.pointSize - 2; };
@@ -161,6 +166,7 @@ in
         shellExpand = true;
       };
       dolphinrc.General.ShowFullPath = true;
+      dolphinrc.DetailsMode.PreviewSize.persistent = true;
       kactivitymanagerdrc = {
         activities."809dc779-bf5b-49e6-8e3f-cbe283cb05b6" = "Default";
         activities."b34a506d-ac4f-4797-8c08-6ef45bc49341" = "Fun";

hosts/Yura-PC/default.nix

@@ -32,7 +32,7 @@
 
   boot.loader.timeout = 3;
   boot.loader.systemd-boot.configurationLimit = 5;
-  boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_12;
+  boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_14;
 
   # https://nixos.wiki/wiki/Accelerated_Video_Playback
   hardware.graphics = {
@@ -88,7 +88,7 @@
   services.openssh.enable = true;
   services.flatpak.enable = true;
   # services.geoclue2.enable = true;
-  location.provider = "geoclue2";
+  # location.provider = "geoclue2";
   # services.gnome.gnome-keyring.enable = true;
   security.pam.services.sddm.enableGnomeKeyring = true;
   # security.pam.services.sddm.gnupg.enable = true;
@@ -97,41 +97,6 @@
   # Enable touchpad support (enabled default in most desktopManager).
   # services.xserver.libinput.enable = true;
 
-  # Define a user account. Don't forget to set a password with ‘passwd’.
-  users.groups = {
-    cazzzer = {
-      gid = 1000;
-    };
-  };
-  users.users.cazzzer = {
-    isNormalUser = true;
-    description = "Yura";
-    uid = 1000;
-    group = "cazzzer";
-    extraGroups = [ "networkmanager" "wheel" "docker" "wireshark" "geoclue" ];
-    packages = with pkgs; [
-      # Python
-      python3
-      poetry
-
-      # Haskell
-      haskellPackages.ghc
-      haskellPackages.stack
-
-      # Node
-      nodejs_22
-      pnpm
-      bun
-
-      # Nix
-      nixd
-
-      # Gleam
-      gleam
-      beamMinimal26Packages.erlang
-    ];
-  };
-
   hardware.bluetooth.enable = true;
   hardware.bluetooth.powerOnBoot = false;
   # Install firefox.
@@ -167,9 +132,6 @@
     # };
   # };
 
-  # Allow unfree packages
-  nixpkgs.config.allowUnfree = true;
-
   # List packages installed in system profile. To search, run:
   # $ nix search wget
 
@@ -215,9 +177,11 @@
     fd
     helix
     micro
+    openssl
     ripgrep
     starship
     tealdeer
+    transcrypt
   ] ++ [
     efibootmgr
     ffmpeg
@@ -237,12 +201,14 @@
     whois
     yt-dlp
   ] ++ [
+    bitwarden-desktop
     darkman
     host-spawn # for flatpaks
     kdePackages.filelight
     kdePackages.flatpak-kcm
     kdePackages.kate
     kdePackages.yakuake
+    # TODO: remove (replace by bitwarden-desktop)
     gcr
     gnome-keyring # config for this and some others
     mpv
@@ -261,6 +227,7 @@
     jetbrains.webstorm
     android-studio
     rustup
+    zed-editor
   ];
 
   # Some programs need SUID wrappers, can be configured further or are

hosts/hw-proxmox.nix

@@ -0,0 +1,16 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    "${modulesPath}/virtualisation/proxmox-image.nix"
+  ];
+
+  # boot.kernelParams = [ "console=tty0" ];
+  proxmox.qemuConf.bios = "ovmf";
+  proxmox.qemuExtraConf = {
+    machine = "q35";
+    # efidisk0 = "local-lvm:vm-9999-disk-1";
+    cpu = "host";
+  };
+  proxmox.cloudInit.enable = false;
+}

hosts/hw-vm.nix

@@ -0,0 +1,26 @@
+{ config, lib, pkgs, modulesPath, ... }: {
+  imports = [
+    "${modulesPath}/profiles/qemu-guest.nix"
+  ];
+
+  boot.initrd.availableKernelModules = lib.mkDefault [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+
+  fileSystems."/" = lib.mkDefault {
+    device = "/dev/disk/by-label/nixos";
+    autoResize = true;
+    fsType = "ext4";
+  };
+  fileSystems."/boot" = lib.mkDefault {
+    device = "/dev/disk/by-label/ESP";
+    fsType = "vfat";
+  };
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp6s18.useDHCP = lib.mkDefault true;
+
+  # nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/router/default.nix

@@ -1,15 +1,22 @@
 { config, lib, pkgs, ... }:
-
+let
+  vars = import ./vars.nix;
+  enableDesktop = false;
+in
 {
   imports =
     [ # Include the results of the hardware scan.
       ./hardware-configuration.nix
       ./ifconfig.nix
+      ./wireguard.nix
       ./firewall.nix
       ./dns.nix
       ./kea.nix
+      ./glance.nix
       ./services.nix
     ];
+  # Secrix for secrets management
+  secrix.hostPubKey = vars.pubkey;
 
   # Bootloader.
   boot.loader.systemd-boot.enable = true;
@@ -31,10 +38,10 @@
 
   # Enable the KDE Plasma Desktop Environment.
   # Useful for debugging with wireshark.
-  # services.displayManager.sddm.enable = true;
   hardware.graphics.enable = true;
-  services.displayManager.sddm.wayland.enable = true;
-  services.desktopManager.plasma6.enable = true;
+  services.displayManager.sddm.enable = enableDesktop;
+  services.displayManager.sddm.wayland.enable = enableDesktop;
+  services.desktopManager.plasma6.enable = enableDesktop;
   # No need for audio in VM
   services.pipewire.enable = false;
 
@@ -47,24 +54,6 @@
 
   security.sudo.wheelNeedsPassword = false;
 
-  users.groups = {
-    cazzzer = {
-      gid = 1000;
-    };
-  };
-  users.users.cazzzer = {
-    password = "";
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWgEzbEjbbu96MVQzkiuCrw+UGYAXN4sRe2zM6FVopq cazzzer@Yura-PC"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApFeLVi3BOquL0Rt+gQK2CutNHaBDQ0m4PcGWf9Bc43 cazzzer@Yura-TPX13"
-    ];
-    isNormalUser = true;
-    description = "Yura";
-    uid = 1000;
-    group = "cazzzer";
-    extraGroups = [ "wheel" "wireshark" ];
-  };
-
   programs.firefox.enable = true;
   programs.fish.enable = true;
   programs.git.enable = true;
@@ -79,17 +68,17 @@
     eza
     fastfetch
     fd
-    kdePackages.filelight
     kdePackages.kate
-    kdePackages.yakuake
     ldns
     lsof
     micro
     mpv
+    openssl
     ripgrep
     rustscan
     starship
     tealdeer
+    transcrypt
     waypipe
     whois
   ];

hosts/router/dns.nix

@@ -42,8 +42,12 @@ in
 
   services.adguardhome.enable = true;
   services.adguardhome.mutableSettings = false;
+  # https://github.com/AdguardTeam/Adguardhome/wiki/Configuration
   services.adguardhome.settings = {
     dns = {
+      # Disable rate limit, default of 20 is too low
+      # https://github.com/AdguardTeam/AdGuardHome/issues/6726
+      ratelimit = 0;
       bootstrap_dns = [ "1.1.1.1" "9.9.9.9" ];
       upstream_dns = [
         # Default upstreams

hosts/router/firewall.nix

@@ -4,13 +4,7 @@ let
   links = vars.links;
   ifs = vars.ifs;
   pdFromWan = vars.pdFromWan;
-in
-{
-  networking.firewall.enable = false;
-  networking.nftables.enable = true;
-  networking.nftables.tables.firewall = {
-    family = "inet";
-    content = ''
+  nftIdentifiers = ''
     define ZONE_WAN_IFS = { ${ifs.wan.name} }
     define ZONE_LAN_IFS = {
         ${ifs.lan.name},
@@ -19,9 +13,11 @@ in
         ${ifs.lan30.name},
         ${ifs.lan40.name},
         ${ifs.lan50.name},
+        wg0,
     }
-      define OPNSENSE_NET6 = ${pdFromWan}d::/64
+    define OPNSENSE_NET6 = ${vars.extra.opnsense.net6}
     define ZONE_LAN_EXTRA_NET6 = {
+        # TODO: reevaluate this statement
         ${ifs.lan20.net6},  # needed since packets can come in from wan on these addrs
         $OPNSENSE_NET6,
     }
@@ -29,6 +25,7 @@ in
     define CLOUDFLARE_NET6 = {
         # https://www.cloudflare.com/ips-v6
         # TODO: figure out a better way to get addrs dynamically from url
+        # perhaps building a nixos module/package that fetches the ips?
         2400:cb00::/32,
         2606:4700::/32,
         2803:f800::/32,
@@ -37,19 +34,69 @@ in
         2a06:98c0::/29,
         2c0f:f248::/32,
     }
-
-      define ALLOWED_TCP_PORTS = { ssh, https }
-      define ALLOWED_UDP_PORTS = { bootps, dhcpv6-server, domain }
-
-      map port_forward_v4 {
+  '';
+in
+{
+  networking.firewall.enable = false;
+  networking.nftables.enable = true;
+  # networking.nftables.ruleset = nftIdentifiers; #doesn't work because it's appended to the end
+  networking.nftables.tables.nat4 = {
+    family = "ip";
+    content = ''
+      ${nftIdentifiers}
+      map port_forward {
           type inet_proto . inet_service : ipv4_addr . inet_service
           elements = {
               tcp . 8006 : ${ifs.lan50.p4}.10 . 8006
           }
       }
+
+      chain prerouting {
+          # Initial step, accept by default
+          type nat hook prerouting priority dstnat; policy accept;
+
+          # Port forwarding
+          fib daddr type local dnat ip to meta l4proto . th dport map @port_forward
+      }
+
+      chain postrouting {
+          # Last step, accept by default
+          type nat hook postrouting priority srcnat; policy accept;
+
+          # Masquerade LAN addrs
+          oifname $ZONE_WAN_IFS ip saddr $RFC1918 masquerade
+      }
+    '';
+  };
+
+  # Optional IPv6 masquerading (big L if enabled, don't forget to allow forwarding)
+  networking.nftables.tables.nat6 = {
+    family = "ip6";
+    enable = false;
+    content = ''
+      ${nftIdentifiers}
+      chain postrouting {
+          type nat hook postrouting priority srcnat; policy accept;
+          oifname $ZONE_WAN_IFS ip6 saddr fd00::/8 masquerade
+      }
+    '';
+  };
+
+  networking.nftables.tables.firewall = {
+    family = "inet";
+    content = ''
+      ${nftIdentifiers}
+      define ALLOWED_TCP_PORTS = { ssh }
+      define ALLOWED_UDP_PORTS = { 18596 }
+      define ALLOWED_TCP_LAN_PORTS = { ssh, https }
+      define ALLOWED_UDP_LAN_PORTS = { bootps, dhcpv6-server, domain, https }
       set port_forward_v6 {
           type inet_proto . ipv6_addr . inet_service
-          # elements = {}
+          elements = {
+              # syncthing on alpina
+              tcp . ${ifs.lan.p6}::11:1 . 22000 ,
+              udp . ${ifs.lan.p6}::11:1 . 22000 ,
+          }
       }
       set cloudflare_forward_v6 {
           type ipv6_addr
@@ -89,10 +136,14 @@ in
           # but apparently not.
           ip6 daddr { fe80::/10, ff02::/16 } th dport { dhcpv6-client, dhcpv6-server } accept
 
+          # Global input rules
+          tcp dport $ALLOWED_TCP_PORTS accept
+          udp dport $ALLOWED_UDP_PORTS accept
+
           # WAN zone input rules
           iifname $ZONE_WAN_IFS jump zone_wan_input
           # LAN zone input rules
-          iifname $ZONE_LAN_IFS accept
+          # iifname $ZONE_LAN_IFS accept
           iifname $ZONE_LAN_IFS jump zone_lan_input
           ip6 saddr $ZONE_LAN_EXTRA_NET6 jump zone_lan_input
 
@@ -113,8 +164,7 @@ in
       }
 
       chain zone_wan_input {
-          # Allow SSH from WAN (if needed)
-          tcp dport ssh accept
+          # Allow specific stuff from WAN
       }
 
       chain zone_wan_forward {
@@ -125,7 +175,7 @@ in
           meta l4proto . ip6 daddr . th dport @port_forward_v6 accept
 
           # Allowed IPv6 from cloudflare
-          ip6 saddr $CLOUDFLARE_NET6 ip6 daddr @cloudflare_forward_v6 accept
+          ip6 saddr $CLOUDFLARE_NET6 ip6 daddr @cloudflare_forward_v6 th dport https accept
       }
 
       chain zone_lan_input {
@@ -136,8 +186,8 @@ in
           ip protocol icmp accept
 
           # Allow specific services from LAN
-          tcp dport $ALLOWED_TCP_PORTS accept
-          udp dport $ALLOWED_UDP_PORTS accept
+          tcp dport $ALLOWED_TCP_LAN_PORTS accept
+          udp dport $ALLOWED_UDP_LAN_PORTS accept
       }
 
       chain zone_lan_forward {
@@ -158,25 +208,6 @@ in
           # NAT reflection
           # oif lo ip daddr != 127.0.0.0/8 dnat ip to meta l4proto . th dport map @port_forward_v4
       }
-
-      chain prerouting {
-          # Initial step, accept by default
-          type nat hook prerouting priority dstnat; policy accept;
-
-          # Port forwarding
-          fib daddr type local dnat ip to meta l4proto . th dport map @port_forward_v4
-      }
-
-      chain postrouting {
-          # Last step, accept by default
-          type nat hook postrouting priority srcnat; policy accept;
-
-          # Masquerade LAN addrs
-          oifname $ZONE_WAN_IFS ip saddr $RFC1918 masquerade
-
-          # Optional IPv6 masquerading (big L if enabled, don't forget to allow forwarding)
-          # oifname $ZONE_WAN_IFS ip6 saddr fd00::/8 masquerade
-      }
     '';
   };
 }

hosts/router/glance.nix

@@ -0,0 +1,166 @@
+{ config, lib, pkgs, ... }:
+let
+  vars = import ./vars.nix;
+  domain = vars.domain;
+in
+{
+  # Glance dashboard
+  services.glance.enable = true;
+  services.glance.settings.pages = [
+    {
+      name = "Home";
+      # hideDesktopNavigation = true; # Uncomment if needed
+      columns = [
+        {
+          size = "small";
+          widgets = [
+            {
+              type = "calendar";
+              firstDayOfWeek = "monday";
+            }
+            {
+              type = "rss";
+              limit = 10;
+              collapseAfter = 3;
+              cache = "12h";
+              feeds = [
+                { url = "https://rtk0c.pages.dev/index.xml"; }
+                { url = "https://www.yegor256.com/rss.xml"; }
+                { url = "https://selfh.st/rss/"; title = "selfh.st"; }
+                { url = "https://ciechanow.ski/atom.xml"; }
+                { url = "https://www.joshwcomeau.com/rss.xml"; title = "Josh Comeau"; }
+                { url = "https://samwho.dev/rss.xml"; }
+                { url = "https://ishadeed.com/feed.xml"; title = "Ahmad Shadeed"; }
+              ];
+            }
+            {
+              type = "twitch-channels";
+              channels = [
+                "theprimeagen"
+                "j_blow"
+                "piratesoftware"
+                "cohhcarnage"
+                "christitustech"
+                "EJ_SA"
+              ];
+            }
+          ];
+        }
+        {
+          size = "full";
+          widgets = [
+            {
+              type = "group";
+              widgets = [
+                { type = "hacker-news"; }
+                { type = "lobsters"; }
+              ];
+            }
+            {
+              type = "videos";
+              channels = [
+                "UCXuqSBlHAE6Xw-yeJA0Tunw" # Linus Tech Tips
+                "UCR-DXc1voovS8nhAvccRZhg" # Jeff Geerling
+                "UCsBjURrPoezykLs9EqgamOA" # Fireship
+                "UCBJycsmduvYEL83R_U4JriQ" # Marques Brownlee
+                "UCHnyfMqiRRG1u-2MsSQLbXA" # Veritasium
+              ];
+            }
+            {
+              type = "group";
+              widgets = [
+                {
+                  type = "reddit";
+                  subreddit = "technology";
+                  showThumbnails = true;
+                }
+                {
+                  type = "reddit";
+                  subreddit = "selfhosted";
+                  showThumbnails = true;
+                }
+              ];
+            }
+          ];
+        }
+        {
+          size = "small";
+          widgets = [
+            {
+              type = "weather";
+              location = "San Jose, California, United States";
+              units = "metric";
+              hourFormat = "12h";
+              # hideLocation = true; # Uncomment if needed
+            }
+            {
+              type = "markets";
+              markets = [
+                { symbol = "SPY"; name = "S&P 500"; }
+                { symbol = "BTC-USD"; name = "Bitcoin"; }
+                { symbol = "NVDA"; name = "NVIDIA"; }
+                { symbol = "AAPL"; name = "Apple"; }
+                { symbol = "MSFT"; name = "Microsoft"; }
+              ];
+            }
+            {
+              type = "releases";
+              cache = "1d";
+              # token = "..."; # Uncomment and set if needed
+              repositories = [
+                "glanceapp/glance"
+                "go-gitea/gitea"
+                "immich-app/immich"
+                "syncthing/syncthing"
+              ];
+            }
+          ];
+        }
+      ];
+    }
+    {
+      name = "Infrastructure";
+      columns = [
+        {
+          size = "small";
+          widgets = [
+            {
+              type = "server-stats";
+              servers = [
+                {
+                  type = "local";
+                  name = "Router";
+                  mountpoints."/nix/store".hide = true;
+                }
+              ];
+            }
+          ];
+        }
+        {
+          size = "full";
+          widgets = [
+            {
+              type = "iframe";
+              title = "Grafana";
+              title-url = "/grafana/";
+              source = "/grafana/d-solo/rYdddlPWk/node-exporter-full?orgId=1&from=1747211119196&to=1747297519196&timezone=browser&var-datasource=PBFA97CFB590B2093&var-job=node&var-node=localhost:9100&var-diskdevices=%5Ba-z%5D%2B%7Cnvme%5B0-9%5D%2Bn%5B0-9%5D%2B%7Cmmcblk%5B0-9%5D%2B&refresh=1m&panelId=74&__feature.dashboardSceneSolo";
+              height = 400;
+            }
+          ];
+        }
+        {
+          size = "small";
+          widgets = [
+            {
+              type = "dns-stats";
+              service = "adguard";
+              url = "http://localhost:${toString config.services.adguardhome.port}";
+              username = "";
+              password = "";
+            }
+          ];
+        }
+      ];
+    }
+  ];
+}

hosts/router/ifconfig.nix

@@ -46,6 +46,12 @@ let
   };
 in
 {
+  # By default, Linux will respond to ARP requests that belong to other interfaces.
+  # Normally this isn't a problem, but it causes issues
+  # since my WAN and LAN20 are technically bridged.
+  # https://networkengineering.stackexchange.com/questions/83071/why-linux-answers-arp-requests-for-ips-that-belong-to-different-network-interfac
+  boot.kernel.sysctl."net.ipv4.conf.default.arp_filter" = 1;
+
   # It is impossible to do multiple prefix requests with networkd,
   # so I use dhcpcd for this
   # https://github.com/systemd/systemd/issues/22571
@@ -144,6 +150,7 @@ in
           ifs.lan40.name
           ifs.lan50.name
         ];
+        routes = vars.extra.opnsense.routes;
       };
       "30-vlan10" = mkLanConfig ifs.lan10;
       "30-vlan20" = mkLanConfig ifs.lan20;

hosts/router/private.nix

@@ -0,0 +1,2 @@
+U2FsdGVkX1/98w32OE1ppwT0I5A3UOTKCLJfvk+TQdrbf0TLfYNZ9TC9n8cH2hC9
+ObKVuFlOLwHlzeBy7MXaLg==

hosts/router/secrets/cf-api-key.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 D2MY/A Kj69kavxx+ATNHP5pX0JtGggU76f9uRwkZp2HbjwiWc
+SbU3jIcQzUzaQjRHzVSoW1WKiUj+1ijbkUKqVb406fY
+--- vMV0TcchFvxw1xetQQZ0xVi2KwjLFRfZBM1gl7BGbGI
+<EFBFBD><EFBFBD>1<10><><EFBFBD><EFBFBD>K<EFBFBD><<3C>

hosts/router/secrets/wireguard/wg0-peer-AsusS513-psk.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 D2MY/A YAk0egMScFdPo0uAZzITtgQyPAifDcVUfb957Zhz9Ec
+pAEM+7sbPE8rHBhRV7mTmH1w4mbfKFopMWbwu/3KHCw
+--- ykshsqEqKvCCE2kWIPAJPA/DFW7mu6+0x4MQhHgi1yU
+'<27>zƀ{g<>id\{<7B>E<EFBFBD><45><EFBFBD>tp<74>U<>g2QC3g<33><08>JG<4A>V1<56>6<>WG_E&<26>v<EFBFBD><76>)<29>&<26><><EFBFBD>ޑN"<22><><EFBFBD>n<EFBFBD>_T͒<54>

hosts/router/secrets/wireguard/wg0-peer-Yura-TPX13-psk.age

@@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 D2MY/A P88M0uj4ZphVo3WrRYDu+c7B0Dl7ncctbYkByYmU2wg
+DV3Gn6TQ6iByAlNt0gg8kSZ2r0Gie/wcznZx9M+CC2g
+--- KhwGM50BVql02Jq0do2uhXMfgWPPDfbodzDRmZ9n0O4
+r<EFBFBD><EFBFBD><EFBFBD>Զa<EFBFBD>yY/C<><43>J<EFBFBD>B<EFBFBD>X<EFBFBD>!<21>"F
+<EFBFBD>h<EFBFBD><EFBFBD><EFBFBD>(<28>L><3E>()<29><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>S;<3B>}}2ОO.<2E><13>hoqY<19>K"c<>E<EFBFBD><45>JM?-<2D>O

hosts/router/secrets/wireguard/wg0-private-key.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 D2MY/A tvRtTGWnaB0zxqZRba4/XpzwPa61RrnHCk4tT8OfnGQ
+IX85Q5VKxQTl+MnhzwiuTnNMVkR9QrYo/1njrbZeBnQ
+--- dmlPIL2T+RFhbO2iLDRa4BxxYSSUQdedV3TK83ooFdA
+<18>gE	7<><37>0`d<>V(o<>W<EFBFBD><57><EFBFBD>S@
<01>ۭ<EFBFBD><DBAD><EFBFBD>p<EFBFBD><70><EFBFBD><EFBFBD><EFBFBD>Z<EFBFBD><5A>ЃT<D083><54><EFBFBD><EFBFBD><14>U<EFBFBD><55>+*<2A>\Q<><51>[<5B><><EFBFBD><EFBFBD>x<><78>29<32>i5<69>k

hosts/router/services.nix

@@ -4,6 +4,10 @@ let
   domain = vars.domain;
 in
 {
+
+  # vnStat for tracking network interface stats
+  services.vnstat.enable = true;
+
   # https://wiki.nixos.org/wiki/Prometheus
   services.prometheus = {
     enable = true;
@@ -27,7 +31,15 @@ in
   # https://wiki.nixos.org/wiki/Grafana#Declarative_configuration
   services.grafana = {
     enable = true;
-    settings.server.http_port = 3001;
+    settings = {
+      security.allow_embedding = true;
+      server = {
+        http_port = 3001;
+        domain = "grouter.${domain}";
+        root_url = "https://%(domain)s/grafana/";
+        serve_from_sub_path = true;
+      };
+    };
     provision = {
       enable = true;
       datasources.settings.datasources = [
@@ -40,11 +52,34 @@ in
     };
   };
 
+  secrix.system.secrets.cf-api-key.encrypted.file = ./secrets/cf-api-key.age;
+  systemd.services.caddy.serviceConfig.EnvironmentFile = config.secrix.system.secrets.cf-api-key.decrypted.path;
   services.caddy = {
     enable = true;
+    package = pkgs.caddy.withPlugins {
+      plugins = [ "github.com/caddy-dns/cloudflare@v0.2.1" ];
+      hash = "sha256-Gsuo+ripJSgKSYOM9/yl6Kt/6BFCA6BuTDvPdteinAI=";
+    };
     virtualHosts."grouter.${domain}".extraConfig = ''
+      encode
+      tls {
+          dns cloudflare {env.CF_API_KEY}
+          resolvers 1.1.1.1
+      }
+      @grafana path /grafana /grafana/*
+      handle @grafana {
           reverse_proxy localhost:${toString config.services.grafana.settings.server.http_port}
-      tls internal
+      }
+      redir /adghome /adghome/
+      handle_path /adghome/* {
+          reverse_proxy localhost:${toString config.services.adguardhome.port}
+          basic_auth {
+              Bob $2a$14$HsWmmzQTN68K3vwiRAfiUuqIjKoXEXaj9TOLUtG2mO1vFpdovmyBy
+          }
+      }
+      handle /* {
+          reverse_proxy localhost:${toString config.services.glance.settings.server.port}
+      }
     '';
   };
 }

hosts/router/vars.nix

@@ -1,4 +1,6 @@
 let
+  private = import ./private.nix;
+
   mkIfConfig = {
     name_,
     domain_,
@@ -31,6 +33,7 @@ let
     };
 in
 rec {
+  pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFobB87yYVwhuYrA+tfztLuks3s9jZOqEFktwGw1mo83 root@grouter";
   domain = "cazzzer.com";
   ldomain = "l.${domain}";
   sysdomain = "sys.${domain}";
@@ -42,7 +45,7 @@ rec {
   };
 
   p4 = "10.17";                      # .0.0/16
-  pdFromWan = "";  # ::/60
+  pdFromWan = private.pdFromWan;  # ::/60
   ulaPrefix = "fdab:07d3:581d";      # ::/48
   ifs = rec {
     wan = rec {
@@ -95,4 +98,39 @@ rec {
       ulaPrefix_ = "${ulaPrefix}:0050";  # ::/64
     };
   };
+
+  wg = {
+    wg0 = rec {
+      name = "wg0";
+      p4 = "10.18.16";  # .0/24
+      addr4 = "${p4}.1";
+      addr4Sized = "${addr4}/24";
+      p6 = "${pdFromWan}f::6";  # :0:0/96
+      addr6 = "${p6}:0:1";
+      addr6Sized = "${addr6}/96";
+  };
+
+  extra = {
+    opnsense = rec {
+      addr4 = "${ifs.lan.p4}.250";
+      ulaAddr = "${ifs.lan.ulaPrefix}::250";
+      p6 = "${pdFromWan}d";
+      net6 = "${p6}::/64";
+      # VPN routes on opnsense
+      routes = [
+        {
+          Destination = "10.6.0.0/24";
+          Gateway = addr4;
+        }
+        {
+          Destination = "10.18.0.0/20";
+          Gateway = addr4;
+        }
+        {
+          Destination = net6;
+          Gateway = ulaAddr;
+        }
+      ];
+    };
+  };
 }

hosts/router/wireguard.nix

@@ -0,0 +1,67 @@
+{ config, lib, pkgs, ... }:
+let
+  vars = import ./vars.nix;
+  wg0 = vars.wg.wg0;
+
+  wg0Peers = {
+    "Yura-TPX13" = {
+      allowedIPs = [ "${wg0.p4}.3/32" "${wg0.p6}:3:0/112" ];
+      publicKey = "iJa5JmJbMHNlbEluNwoB2Q8LyrPAfb7S/mluanMcI08=";
+      pskEnabled = true;
+    };
+    "Yura-Pixel7Pro" = {
+      allowedIPs = [ "${wg0.p4}.4/32" "${wg0.p6}:4:0/112" ];
+      publicKey = "UjZlsukmAsX60Z5FnZwKCSu141Gjj74+hBVT3TRhwT4=";
+      pskEnabled = true;
+    };
+    "AsusS513" = {
+      allowedIPs = [ "${wg0.p4}.100/32" ];
+      publicKey = "XozJ7dHdJfkLORkCVxaB1VmvHEOAA285kRZcmzfPl38=";
+      pskEnabled = false;
+    };
+  };
+  peerSecretName = name: "wg0-peer-${name}-psk";
+  secrets = config.secrix.services.systemd-networkd.secrets;
+in
+{
+  secrix.services.systemd-networkd.secrets = let
+    pskPeers = lib.attrsets.filterAttrs (name: peer: peer.pskEnabled) wg0Peers;
+    mapPeer = name: peer: {
+      name = peerSecretName name;
+      value.encrypted.file = ./secrets/wireguard/${peerSecretName name}.age;
+    };
+    peerSecrets = lib.attrsets.mapAttrs' mapPeer pskPeers;
+  in
+  {
+    wg0-private-key.encrypted.file = ./secrets/wireguard/wg0-private-key.age;
+  } // peerSecrets;
+
+  systemd.network.netdevs = {
+    "10-wg0" = {
+      netdevConfig = {
+        Kind = "wireguard";
+        Name = "wg0";
+      };
+      wireguardConfig = {
+        PrivateKeyFile = secrets.wg0-private-key.decrypted.path;
+        ListenPort = 18596;
+      };
+      wireguardPeers = map (peer: {
+        AllowedIPs = lib.strings.concatStringsSep "," peer.value.allowedIPs;
+        PublicKey = peer.value.publicKey;
+        PresharedKeyFile = if peer.value.pskEnabled then secrets."${peerSecretName peer.name}".decrypted.path else null;
+      }) (lib.attrsToList wg0Peers);
+    };
+  };
+
+  systemd.network.networks = {
+    "10-wg0" = {
+      matchConfig.Name = "wg0";
+      networkConfig = {
+        IPv4Forwarding = true;
+        IPv6SendRA = false;
+        Address = [ wg0.addr4Sized wg0.addr6Sized ];
+      };
+    };
+  };
+}

hosts/vm/default.nix

@@ -7,7 +7,7 @@
 {
   imports =
     [ # Include the results of the hardware scan.
-#      ./hardware-configuration-vm.nix
+      # ./hardware-configuration.nix
     ];
   mods.kb-input.enable = false;
 
@@ -47,8 +47,8 @@
   services.flatpak.enable = true;
 
   # VM services
-  services.cloud-init.enable = true;
-#  services.cloud-init.network.enable = false;
+  # services.cloud-init.enable = false;
+  # services.cloud-init.network.enable = false;
   services.qemuGuest.enable = true;
   services.spice-vdagentd.enable = true;
   services.openssh.enable = true;
@@ -57,24 +57,6 @@
 
   security.sudo.wheelNeedsPassword = false;
 
-  users.groups = {
-    cazzzer = {
-      gid = 1000;
-    };
-  };
-  users.users.cazzzer = {
-    password = "";
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWgEzbEjbbu96MVQzkiuCrw+UGYAXN4sRe2zM6FVopq cazzzer@Yura-PC"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApFeLVi3BOquL0Rt+gQK2CutNHaBDQ0m4PcGWf9Bc43 cazzzer@Yura-TPX13"
-    ];
-    isNormalUser = true;
-    description = "Yura";
-    uid = 1000;
-    group = "cazzzer";
-    extraGroups = [ "wheel" "docker" "wireshark" ];
-  };
-
   # Install firefox.
   programs.firefox.enable = true;
   programs.fish.enable = true;
@@ -113,9 +95,11 @@
     ldns
     micro
     mpv
+    openssl
     ripgrep
     starship
     tealdeer
+    transcrypt
     waypipe
     whois
     zfs

hosts/vm/hardware-configuration.nix

@@ -1,37 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/da85e220-e2b0-443a-9a0c-a9516b8e5030";
-      fsType = "ext4";
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/3F96-8974";
-      fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
-    };
-
-  swapDevices = [ ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp6s18.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}

hosts/vm/proxmox.nix

@@ -1,11 +0,0 @@
-{ ... }:
-
-{
-#  boot.kernelParams = [ "console=tty0" ];
-  proxmox.qemuConf.bios = "ovmf";
-  proxmox.qemuExtraConf = {
-    machine = "q35";
-#    efidisk0 = "local-lvm:vm-9999-disk-1";
-    cpu = "host";
-  };
-}

renovate.json

@@ -0,0 +1,12 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ],
+  "lockFileMaintenance": {
+    "enabled": true
+  },
+  "nix": {
+    "enabled": true
+  }
+}

users/cazzzer/default.nix

@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }: {
+  users.groups.cazzzer.gid = 1000;
+  users.users.cazzzer = {
+    uid = 1000;
+    isNormalUser = true;
+    description = "Yura";
+    group = "cazzzer";
+    extraGroups = [ "wheel" ]
+      ++ lib.optionals config.networking.networkmanager.enable [ "networkmanager" ]
+      ++ lib.optionals config.virtualisation.docker.enable [ "docker" ]
+      ++ lib.optionals config.programs.wireshark.enable [ "wireshark" ]
+    ;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE02AhJIZtrtZ+5sZhna39LUUCEojQzmz2BDWguT9ZHG yuri@tati.sh"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHczlipzGWv8c6oYwt2/9ykes5ElfneywDXBTOYbfSfn Pixel7Pro"
+    ];
+    # TODO: think of a better way to do this
+    packages = with pkgs; lib.optionals (config.networking.hostName == "Yura-PC") [
+      # Python
+      python3
+      poetry
+
+      # Haskell
+      haskellPackages.ghc
+      haskellPackages.stack
+
+      # Node
+      nodejs_22
+      pnpm
+      bun
+
+      # Nix
+      nil
+      nixd
+      nixfmt-rfc-style
+
+      # Gleam
+      gleam
+      beamMinimal26Packages.erlang
+    ];
+  };
+}