router: add glance (very pretty)

# Conflicts:
#	hosts/router/default.nix

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1742957044,
-        "narHash": "sha256-gwW0tBIA77g6qq45y220drTy0DmThF3fJMwVFUtYV9c=",
+        "lastModified": 1747009742,
+        "narHash": "sha256-TNhbM7R45fpq2cdWzvFj+H5ZTcE//I5XSe78GFh0cDY=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "ce287a5cd3ef78203bc78021447f937a988d9f6f",
+        "rev": "c74665abd6e4e37d3140e68885bc49a994ffa53c",
         "type": "github"
       },
       "original": {
@@ -58,11 +58,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1742669843,
-        "narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=",
+        "lastModified": 1746904237,
+        "narHash": "sha256-3e+AVBczosP5dCLQmMoMEogM57gmZ2qrVSrmq9aResQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1e5b653dff12029333a6546c11e108ede13052eb",
+        "rev": "d89fc19e405cb2d55ce7cc114356846a0ee5e956",
         "type": "github"
       },
       "original": {
@@ -100,7 +100,28 @@
         "home-manager": "home-manager",
         "nixos-generators": "nixos-generators",
         "nixpkgs": "nixpkgs",
-        "plasma-manager": "plasma-manager"
+        "plasma-manager": "plasma-manager",
+        "secrix": "secrix"
+      }
+    },
+    "secrix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1746643487,
+        "narHash": "sha256-dcB/DArJObCvqE/ZEdQSDW2BZMeDyF83Se5KPfJvz60=",
+        "owner": "Platonic-Systems",
+        "repo": "secrix",
+        "rev": "4c64203fa5b377953b1fb6d5388187df8b60c6d5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Platonic-Systems",
+        "repo": "secrix",
+        "type": "github"
       }
     }
   },

flake.nix

@@ -18,9 +18,15 @@
       url = "github:nix-community/nixos-generators";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    secrix = {
+      url = "github:Platonic-Systems/secrix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
-  outputs = { self, nixpkgs, home-manager, plasma-manager, nixos-generators }: {
+  outputs = { self, nixpkgs, home-manager, plasma-manager, nixos-generators, secrix }: {
+    apps.x86_64-linux.secrix = secrix.secrix self;
+
     nixosConfigurations = {
       Yura-PC = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
@@ -52,6 +58,7 @@
       router = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
         modules = [
+          secrix.nixosModules.default
           ./modules
           ./hosts/common.nix
           ./hosts/router

home/default.nix

@@ -19,6 +19,7 @@ in
     SHELL = "fish";
   };
 
+  # TODO: remove (replace by bitwarden-desktop)
   services.gnome-keyring = {
     enable = true;
     components = [ "pkcs11" "ssh" ];
@@ -161,6 +162,7 @@ in
         shellExpand = true;
       };
       dolphinrc.General.ShowFullPath = true;
+      dolphinrc.DetailsMode.PreviewSize.persistent = true;
       kactivitymanagerdrc = {
         activities."809dc779-bf5b-49e6-8e3f-cbe283cb05b6" = "Default";
         activities."b34a506d-ac4f-4797-8c08-6ef45bc49341" = "Fun";

hosts/Yura-PC/default.nix

@@ -32,7 +32,7 @@
 
   boot.loader.timeout = 3;
   boot.loader.systemd-boot.configurationLimit = 5;
-  boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_12;
+  boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_13;
 
   # https://nixos.wiki/wiki/Accelerated_Video_Playback
   hardware.graphics = {
@@ -125,6 +125,7 @@
 
       # Nix
       nixd
+      nil
 
       # Gleam
       gleam
@@ -237,12 +238,14 @@
     whois
     yt-dlp
   ] ++ [
+    bitwarden-desktop
     darkman
     host-spawn # for flatpaks
     kdePackages.filelight
     kdePackages.flatpak-kcm
     kdePackages.kate
     kdePackages.yakuake
+    # TODO: remove (replace by bitwarden-desktop)
     gcr
     gnome-keyring # config for this and some others
     mpv
@@ -261,6 +264,7 @@
     jetbrains.webstorm
     android-studio
     rustup
+    zed-editor
   ];
 
   # Some programs need SUID wrappers, can be configured further or are

hosts/router/default.nix

@@ -1,5 +1,8 @@
 { config, lib, pkgs, ... }:
-
+let
+  vars = import ./vars.nix;
+  enableDesktop = false;
+in
 {
   imports =
     [ # Include the results of the hardware scan.
@@ -8,8 +11,11 @@
       ./firewall.nix
       ./dns.nix
       ./kea.nix
+      ./glance.nix
       ./services.nix
     ];
+  # Secrix for secrets management
+  secrix.hostPubKey = vars.pubkey;
 
   # Bootloader.
   boot.loader.systemd-boot.enable = true;
@@ -31,10 +37,10 @@
 
   # Enable the KDE Plasma Desktop Environment.
   # Useful for debugging with wireshark.
-  # services.displayManager.sddm.enable = true;
   hardware.graphics.enable = true;
-  services.displayManager.sddm.wayland.enable = true;
-  services.desktopManager.plasma6.enable = true;
+  services.displayManager.sddm.enable = enableDesktop;
+  services.displayManager.sddm.wayland.enable = enableDesktop;
+  services.desktopManager.plasma6.enable = enableDesktop;
   # No need for audio in VM
   services.pipewire.enable = false;
 
@@ -79,9 +85,7 @@
     eza
     fastfetch
     fd
-    kdePackages.filelight
     kdePackages.kate
-    kdePackages.yakuake
     ldns
     lsof
     micro

hosts/router/dns.nix

@@ -42,8 +42,12 @@ in
 
   services.adguardhome.enable = true;
   services.adguardhome.mutableSettings = false;
+  # https://github.com/AdguardTeam/Adguardhome/wiki/Configuration
   services.adguardhome.settings = {
     dns = {
+      # Disable rate limit, default of 20 is too low
+      # https://github.com/AdguardTeam/AdGuardHome/issues/6726
+      ratelimit = 0;
       bootstrap_dns = [ "1.1.1.1" "9.9.9.9" ];
       upstream_dns = [
         # Default upstreams

hosts/router/firewall.nix

@@ -4,13 +4,7 @@ let
   links = vars.links;
   ifs = vars.ifs;
   pdFromWan = vars.pdFromWan;
-in
-{
-  networking.firewall.enable = false;
-  networking.nftables.enable = true;
-  networking.nftables.tables.firewall = {
-    family = "inet";
-    content = ''
+  nftIdentifiers = ''
     define ZONE_WAN_IFS = { ${ifs.wan.name} }
     define ZONE_LAN_IFS = {
         ${ifs.lan.name},
@@ -20,8 +14,9 @@ in
         ${ifs.lan40.name},
         ${ifs.lan50.name},
     }
-      define OPNSENSE_NET6 = ${pdFromWan}d::/64
+    define OPNSENSE_NET6 = ${vars.extra.opnsense.net6}
     define ZONE_LAN_EXTRA_NET6 = {
+        # TODO: reevaluate this statement
         ${ifs.lan20.net6},  # needed since packets can come in from wan on these addrs
         $OPNSENSE_NET6,
     }
@@ -29,6 +24,7 @@ in
     define CLOUDFLARE_NET6 = {
         # https://www.cloudflare.com/ips-v6
         # TODO: figure out a better way to get addrs dynamically from url
+        # perhaps building a nixos module/package that fetches the ips?
         2400:cb00::/32,
         2606:4700::/32,
         2803:f800::/32,
@@ -37,19 +33,67 @@ in
         2a06:98c0::/29,
         2c0f:f248::/32,
     }
-
-      define ALLOWED_TCP_PORTS = { ssh, https }
-      define ALLOWED_UDP_PORTS = { bootps, dhcpv6-server, domain }
-
-      map port_forward_v4 {
+  '';
+in
+{
+  networking.firewall.enable = false;
+  networking.nftables.enable = true;
+  # networking.nftables.ruleset = nftIdentifiers; #doesn't work because it's appended to the end
+  networking.nftables.tables.nat4 = {
+    family = "ip";
+    content = ''
+      ${nftIdentifiers}
+      map port_forward {
           type inet_proto . inet_service : ipv4_addr . inet_service
           elements = {
               tcp . 8006 : ${ifs.lan50.p4}.10 . 8006
           }
       }
+
+      chain prerouting {
+          # Initial step, accept by default
+          type nat hook prerouting priority dstnat; policy accept;
+
+          # Port forwarding
+          fib daddr type local dnat ip to meta l4proto . th dport map @port_forward
+      }
+
+      chain postrouting {
+          # Last step, accept by default
+          type nat hook postrouting priority srcnat; policy accept;
+
+          # Masquerade LAN addrs
+          oifname $ZONE_WAN_IFS ip saddr $RFC1918 masquerade
+      }
+    '';
+  };
+
+  # Optional IPv6 masquerading (big L if enabled, don't forget to allow forwarding)
+  networking.nftables.tables.nat6 = {
+    family = "ip6";
+    enable = false;
+    content = ''
+      ${nftIdentifiers}
+      chain postrouting {
+          type nat hook postrouting priority srcnat; policy accept;
+          oifname $ZONE_WAN_IFS ip6 saddr fd00::/8 masquerade
+      }
+    '';
+  };
+
+  networking.nftables.tables.firewall = {
+    family = "inet";
+    content = ''
+      ${nftIdentifiers}
+      define ALLOWED_TCP_PORTS = { ssh, https }
+      define ALLOWED_UDP_PORTS = { bootps, dhcpv6-server, domain, https }
       set port_forward_v6 {
           type inet_proto . ipv6_addr . inet_service
-          # elements = {}
+          elements = {
+              # syncthing on alpina
+              tcp . ${ifs.lan.p6}::11:1 . 22000 ,
+              udp . ${ifs.lan.p6}::11:1 . 22000 ,
+          }
       }
       set cloudflare_forward_v6 {
           type ipv6_addr
@@ -92,7 +136,7 @@ in
           # WAN zone input rules
           iifname $ZONE_WAN_IFS jump zone_wan_input
           # LAN zone input rules
-          iifname $ZONE_LAN_IFS accept
+          # iifname $ZONE_LAN_IFS accept
           iifname $ZONE_LAN_IFS jump zone_lan_input
           ip6 saddr $ZONE_LAN_EXTRA_NET6 jump zone_lan_input
 
@@ -125,7 +169,7 @@ in
           meta l4proto . ip6 daddr . th dport @port_forward_v6 accept
 
           # Allowed IPv6 from cloudflare
-          ip6 saddr $CLOUDFLARE_NET6 ip6 daddr @cloudflare_forward_v6 accept
+          ip6 saddr $CLOUDFLARE_NET6 ip6 daddr @cloudflare_forward_v6 th dport https accept
       }
 
       chain zone_lan_input {
@@ -158,25 +202,6 @@ in
           # NAT reflection
           # oif lo ip daddr != 127.0.0.0/8 dnat ip to meta l4proto . th dport map @port_forward_v4
       }
-
-      chain prerouting {
-          # Initial step, accept by default
-          type nat hook prerouting priority dstnat; policy accept;
-
-          # Port forwarding
-          fib daddr type local dnat ip to meta l4proto . th dport map @port_forward_v4
-      }
-
-      chain postrouting {
-          # Last step, accept by default
-          type nat hook postrouting priority srcnat; policy accept;
-
-          # Masquerade LAN addrs
-          oifname $ZONE_WAN_IFS ip saddr $RFC1918 masquerade
-
-          # Optional IPv6 masquerading (big L if enabled, don't forget to allow forwarding)
-          # oifname $ZONE_WAN_IFS ip6 saddr fd00::/8 masquerade
-      }
     '';
   };
 }

hosts/router/glance.nix

@@ -0,0 +1,166 @@
+{ config, lib, pkgs, ... }:
+let
+  vars = import ./vars.nix;
+  domain = vars.domain;
+in
+{
+  # Glance dashboard
+  services.glance.enable = true;
+  services.glance.settings.pages = [
+    {
+      name = "Home";
+      # hideDesktopNavigation = true; # Uncomment if needed
+      columns = [
+        {
+          size = "small";
+          widgets = [
+            {
+              type = "calendar";
+              firstDayOfWeek = "monday";
+            }
+            {
+              type = "rss";
+              limit = 10;
+              collapseAfter = 3;
+              cache = "12h";
+              feeds = [
+                { url = "https://rtk0c.pages.dev/index.xml"; }
+                { url = "https://www.yegor256.com/rss.xml"; }
+                { url = "https://selfh.st/rss/"; title = "selfh.st"; }
+                { url = "https://ciechanow.ski/atom.xml"; }
+                { url = "https://www.joshwcomeau.com/rss.xml"; title = "Josh Comeau"; }
+                { url = "https://samwho.dev/rss.xml"; }
+                { url = "https://ishadeed.com/feed.xml"; title = "Ahmad Shadeed"; }
+              ];
+            }
+            {
+              type = "twitch-channels";
+              channels = [
+                "theprimeagen"
+                "j_blow"
+                "piratesoftware"
+                "cohhcarnage"
+                "christitustech"
+                "EJ_SA"
+              ];
+            }
+          ];
+        }
+        {
+          size = "full";
+          widgets = [
+            {
+              type = "group";
+              widgets = [
+                { type = "hacker-news"; }
+                { type = "lobsters"; }
+              ];
+            }
+            {
+              type = "videos";
+              channels = [
+                "UCXuqSBlHAE6Xw-yeJA0Tunw" # Linus Tech Tips
+                "UCR-DXc1voovS8nhAvccRZhg" # Jeff Geerling
+                "UCsBjURrPoezykLs9EqgamOA" # Fireship
+                "UCBJycsmduvYEL83R_U4JriQ" # Marques Brownlee
+                "UCHnyfMqiRRG1u-2MsSQLbXA" # Veritasium
+              ];
+            }
+            {
+              type = "group";
+              widgets = [
+                {
+                  type = "reddit";
+                  subreddit = "technology";
+                  showThumbnails = true;
+                }
+                {
+                  type = "reddit";
+                  subreddit = "selfhosted";
+                  showThumbnails = true;
+                }
+              ];
+            }
+          ];
+        }
+        {
+          size = "small";
+          widgets = [
+            {
+              type = "weather";
+              location = "San Jose, California, United States";
+              units = "metric";
+              hourFormat = "12h";
+              # hideLocation = true; # Uncomment if needed
+            }
+            {
+              type = "markets";
+              markets = [
+                { symbol = "SPY"; name = "S&P 500"; }
+                { symbol = "BTC-USD"; name = "Bitcoin"; }
+                { symbol = "NVDA"; name = "NVIDIA"; }
+                { symbol = "AAPL"; name = "Apple"; }
+                { symbol = "MSFT"; name = "Microsoft"; }
+              ];
+            }
+            {
+              type = "releases";
+              cache = "1d";
+              # token = "..."; # Uncomment and set if needed
+              repositories = [
+                "glanceapp/glance"
+                "go-gitea/gitea"
+                "immich-app/immich"
+                "syncthing/syncthing"
+              ];
+            }
+          ];
+        }
+      ];
+    }
+    {
+      name = "Infrastructure";
+      columns = [
+        {
+          size = "small";
+          widgets = [
+            {
+              type = "server-stats";
+              servers = [
+                {
+                  type = "local";
+                  name = "Router";
+                  mountpoints."/nix/store".hide = true;
+                }
+              ];
+            }
+          ];
+        }
+        {
+          size = "full";
+          widgets = [
+            {
+              type = "iframe";
+              title = "Grafana";
+              title-url = "/grafana/";
+              source = "/grafana/d-solo/rYdddlPWk/node-exporter-full?orgId=1&from=1747211119196&to=1747297519196&timezone=browser&var-datasource=PBFA97CFB590B2093&var-job=node&var-node=localhost:9100&var-diskdevices=%5Ba-z%5D%2B%7Cnvme%5B0-9%5D%2Bn%5B0-9%5D%2B%7Cmmcblk%5B0-9%5D%2B&refresh=1m&panelId=74&__feature.dashboardSceneSolo";
+              height = 400;
+            }
+          ];
+        }
+        {
+          size = "small";
+          widgets = [
+            {
+              type = "dns-stats";
+              service = "adguard";
+              url = "http://localhost:${toString config.services.adguardhome.port}";
+              username = "";
+              password = "";
+            }
+          ];
+        }
+      ];
+    }
+  ];
+}

hosts/router/ifconfig.nix

@@ -46,6 +46,12 @@ let
   };
 in
 {
+  # By default, Linux will respond to ARP requests that belong to other interfaces.
+  # Normally this isn't a problem, but it causes issues
+  # since my WAN and LAN20 are technically bridged.
+  # https://networkengineering.stackexchange.com/questions/83071/why-linux-answers-arp-requests-for-ips-that-belong-to-different-network-interfac
+  boot.kernel.sysctl."net.ipv4.conf.default.arp_filter" = 1;
+
   # It is impossible to do multiple prefix requests with networkd,
   # so I use dhcpcd for this
   # https://github.com/systemd/systemd/issues/22571
@@ -144,6 +150,7 @@ in
           ifs.lan40.name
           ifs.lan50.name
         ];
+        routes = vars.extra.opnsense.routes;
       };
       "30-vlan10" = mkLanConfig ifs.lan10;
       "30-vlan20" = mkLanConfig ifs.lan20;

hosts/router/services.nix

@@ -4,6 +4,10 @@ let
   domain = vars.domain;
 in
 {
+
+  # vnStat for tracking network interface stats
+  services.vnstat.enable = true;
+
   # https://wiki.nixos.org/wiki/Prometheus
   services.prometheus = {
     enable = true;
@@ -27,7 +31,15 @@ in
   # https://wiki.nixos.org/wiki/Grafana#Declarative_configuration
   services.grafana = {
     enable = true;
-    settings.server.http_port = 3001;
+    settings = {
+      security.allow_embedding = true;
+      server = {
+        http_port = 3001;
+        domain = "grouter.${domain}";
+        root_url = "https://%(domain)s/grafana/";
+        serve_from_sub_path = true;
+      };
+    };
     provision = {
       enable = true;
       datasources.settings.datasources = [
@@ -40,11 +52,34 @@ in
     };
   };
 
+  secrix.system.secrets.cf-api-key.encrypted.file = ../../secrets/cf_api_key.age;
+  systemd.services.caddy.serviceConfig.EnvironmentFile = config.secrix.system.secrets.cf-api-key.decrypted.path;
   services.caddy = {
     enable = true;
+    package = pkgs.caddy.withPlugins {
+      plugins = [ "github.com/caddy-dns/cloudflare@v0.2.1" ];
+      hash = "sha256-saKJatiBZ4775IV2C5JLOmZ4BwHKFtRZan94aS5pO90=";
+    };
     virtualHosts."grouter.${domain}".extraConfig = ''
+      encode
+      tls {
+          dns cloudflare {env.CF_API_KEY}
+          resolvers 1.1.1.1
+      }
+      @grafana path /grafana /grafana/*
+      handle @grafana {
           reverse_proxy localhost:${toString config.services.grafana.settings.server.http_port}
-      tls internal
+      }
+      redir /adghome /adghome/
+      handle_path /adghome/* {
+          reverse_proxy localhost:${toString config.services.adguardhome.port}
+          basic_auth {
+              Bob $2a$14$HsWmmzQTN68K3vwiRAfiUuqIjKoXEXaj9TOLUtG2mO1vFpdovmyBy
+          }
+      }
+      handle /* {
+          reverse_proxy localhost:${toString config.services.glance.settings.server.port}
+      }
     '';
   };
 }

hosts/router/vars.nix

@@ -31,6 +31,7 @@ let
     };
 in
 rec {
+  pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFobB87yYVwhuYrA+tfztLuks3s9jZOqEFktwGw1mo83 root@grouter";
   domain = "cazzzer.com";
   ldomain = "l.${domain}";
   sysdomain = "sys.${domain}";
@@ -95,4 +96,28 @@ rec {
       ulaPrefix_ = "${ulaPrefix}:0050";  # ::/64
     };
   };
+
+  extra = {
+    opnsense = rec {
+      addr4 = "${ifs.lan.p4}.250";
+      ulaAddr = "${ifs.lan.ulaPrefix}::250";
+      p6 = "${pdFromWan}d";
+      net6 = "${p6}::/64";
+      # VPN routes on opnsense
+      routes = [
+        {
+          Destination = "10.6.0.0/24";
+          Gateway = addr4;
+        }
+        {
+          Destination = "10.18.0.0/20";
+          Gateway = addr4;
+        }
+        {
+          Destination = net6;
+          Gateway = ulaAddr;
+        }
+      ];
+    };
+  };
 }

renovate.json

@@ -0,0 +1,12 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ],
+  "lockFileMaintenance": {
+    "enabled": true
+  },
+  "nix": {
+    "enabled": true
+  }
+}

secrets/cf_api_key.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 D2MY/A Kj69kavxx+ATNHP5pX0JtGggU76f9uRwkZp2HbjwiWc
+SbU3jIcQzUzaQjRHzVSoW1WKiUj+1ijbkUKqVb406fY
+--- vMV0TcchFvxw1xetQQZ0xVi2KwjLFRfZBM1gl7BGbGI
+<EFBFBD><EFBFBD>1<10><><EFBFBD><EFBFBD>K<EFBFBD><<3C>