diff --git a/flake.lock b/flake.lock index b68b2129..ba227dc9 100644 --- a/flake.lock +++ b/flake.lock @@ -20,26 +20,6 @@ "type": "github" } }, - "beautysh": { - "inputs": { - "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs", - "poetry2nix": "poetry2nix" - }, - "locked": { - "lastModified": 1641830469, - "narHash": "sha256-uhDmgNP/biOWe4FtOa6c2xZnREH+NP9rdrMm0LccRUk=", - "owner": "lovesegfault", - "repo": "beautysh", - "rev": "e85d9736927c0fcf2abb05cb3a2d8d9b4502a2eb", - "type": "github" - }, - "original": { - "owner": "lovesegfault", - "repo": "beautysh", - "type": "github" - } - }, "blank": { "locked": { "lastModified": 1625557891, @@ -55,31 +35,6 @@ "type": "github" } }, - "bud": { - "inputs": { - "beautysh": "beautysh", - "devshell": [ - "digga", - "devshell" - ], - "nixpkgs": [ - "nixos" - ] - }, - "locked": { - "lastModified": 1654190822, - "narHash": "sha256-B8z3stYaULNDBBjzJHrFHGgiJHrLqhBkxH+9u5iBP7E=", - "owner": "divnix", - "repo": "bud", - "rev": "0ff3e4e4b8791ea4d827bf5bfcac28cef060f209", - "type": "github" - }, - "original": { - "owner": "divnix", - "repo": "bud", - "type": "github" - } - }, "darwin": { "inputs": { "nixpkgs": [ @@ -145,7 +100,7 @@ }, "devshell": { "inputs": { - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils", "nixpkgs": [ "digga", "nixpkgs" @@ -251,11 +206,11 @@ }, "flake-utils": { "locked": { - "lastModified": 1631561581, - "narHash": "sha256-3VQMV5zvxaVLvqqUrNz3iJelLw30mIVSfZmAaauM3dA=", + "lastModified": 1642700792, + "narHash": "sha256-XqHrk7hFb+zBvRg6Ghl+AZDq03ov6OshJLiSWOoX5es=", "owner": "numtide", "repo": "flake-utils", - "rev": "7e5bf3925f6fbdfaf50a2a7ca0be2879c4261d19", + "rev": "846b2ae0fc4cc943637d3d1def4454213e203cba", "type": "github" }, "original": { @@ -266,7 +221,7 @@ }, "flake-utils-plus": { "inputs": { - "flake-utils": "flake-utils_3" + "flake-utils": "flake-utils_2" }, "locked": { "lastModified": 1654029967, 
@@ -284,21 +239,6 @@ } }, "flake-utils_2": { - "locked": { - "lastModified": 1642700792, - "narHash": "sha256-XqHrk7hFb+zBvRg6Ghl+AZDq03ov6OshJLiSWOoX5es=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "846b2ae0fc4cc943637d3d1def4454213e203cba", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_3": { "locked": { "lastModified": 1644229661, "narHash": "sha256-1YdnJAsNy69bpcjuoKdOYQX0YxZBiCYZo4Twxerqv7k=", @@ -313,22 +253,7 @@ "type": "github" } }, - "flake-utils_4": { - "locked": { - "lastModified": 1656928814, - "narHash": "sha256-RIFfgBuKz6Hp89yRr7+NR5tzIAbn52h8vT6vXkYjZoM=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "7e2a3b3dfd9af950a856d66b0a7d01e3c18aa249", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_5": { + "flake-utils_3": { "locked": { "lastModified": 1649676176, "narHash": "sha256-OWKJratjt2RW151VUlJPRALb7OU2S5s+f0vLj4o1bHM=", @@ -436,27 +361,6 @@ "type": "github" } }, - "nix-dram": { - "inputs": { - "flake-utils": "flake-utils_4", - "nixpkgs": [ - "latest" - ] - }, - "locked": { - "lastModified": 1660180791, - "narHash": "sha256-oPO+keK4S9daL9ubU51hZ+QOWVSMbZ56F20iFI9Px3s=", - "owner": "dramforever", - "repo": "nix-dram", - "rev": "ae7f0b7c5d39eec5941fe21e9f202106bdea9ac2", - "type": "github" - }, - "original": { - "owner": "dramforever", - "repo": "nix-dram", - "type": "github" - } - }, "nixlib": { "locked": { "lastModified": 1636849918, @@ -491,7 +395,7 @@ "nixos-generators": { "inputs": { "nixlib": "nixlib", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs" }, "locked": { "lastModified": 1660661347, 
@@ -524,16 +428,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1633971123, - "narHash": "sha256-WmI4NbH1IPGFWVkuBkKoYgOnxgwSfWDgdZplJlQ93vA=", + "lastModified": 1637186689, + "narHash": "sha256-NU7BhgnwA/3ibmCeSzFK6xGi+Bari9mPfn+4cBmyEjw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e4ef597edfd8a0ba5f12362932fc9b1dd01a0aef", + "rev": "7fad01d9d5a3f82081c00fb57918d64145dc904c", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable-small", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } @@ -554,22 +458,6 @@ "type": "github" } }, - "nixpkgs_2": { - "locked": { - "lastModified": 1637186689, - "narHash": "sha256-NU7BhgnwA/3ibmCeSzFK6xGi+Bari9mPfn+4cBmyEjw=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "7fad01d9d5a3f82081c00fb57918d64145dc904c", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nur": { "locked": { "lastModified": 0, @@ -585,7 +473,7 @@ "nvfetcher": { "inputs": { "flake-compat": "flake-compat_3", - "flake-utils": "flake-utils_5", + "flake-utils": "flake-utils_3", "nixpkgs": [ "nixos" ] @@ -604,37 +492,9 @@ "type": "github" } }, - "poetry2nix": { - "inputs": { - "flake-utils": [ - "bud", - "beautysh", - "flake-utils" - ], - "nixpkgs": [ - "bud", - "beautysh", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1633382856, - "narHash": "sha256-hYlet806M9xJj4yxf0g5fhDT2IEUVIMAl7sqIeZ8DUM=", - "owner": "nix-community", - "repo": "poetry2nix", - "rev": "705cbfa10e3d9bfed2e59e0256844ae3704dbd7e", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "poetry2nix", - "type": "github" - } - }, "root": { "inputs": { "agenix": "agenix", - "bud": "bud", "darwin": "darwin", "deploy": "deploy", "digga": "digga", 
@@ -642,7 +502,6 @@ "latest": "latest_2", "musnix": "musnix", "naersk": "naersk", - "nix-dram": "nix-dram", "nixos": "nixos", "nixos-generators": "nixos-generators", "nixos-hardware": "nixos-hardware", diff --git a/flake.nix b/flake.nix index 5eeb91d8..09cac836 100644 --- a/flake.nix +++ b/flake.nix @@ -133,10 +133,10 @@ iso = base ++ [ base-user graphical pub-solar-iso ]; pubsolaros = [ base-user users.root ]; anonymous = [ pubsolaros users.pub-solar ]; - pubsolaros-light = [ core-light base-user users.root ]; + pubsolaros-light = [ base-user users.root ]; hensoko = pubsolaros ++ [ users.hensoko ]; hensoko-light = pubsolaros-light ++ [ users.hensoko ]; - hensoko-iot = [ core-light base-user users.root users.hensoko ]; + hensoko-iot = [ base-user users.root users.hensoko ]; # server cube = hensoko-iot; @@ -182,8 +182,7 @@ homeConfigurations = digga.lib.mkHomeConfigurations self.nixosConfigurations; deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations { - cube = { - }; + cube = { }; companion = { #profilesOrder = [ "system" "direnv" ]; #profiles.direnv = { diff --git a/hosts/cube/configuration.nix b/hosts/cube/configuration.nix index 73bc446f..04a32845 100644 --- a/hosts/cube/configuration.nix +++ b/hosts/cube/configuration.nix @@ -5,10 +5,10 @@ [ # Include the results of the hardware scan. ./hardware-configuration.nix - ./home-controller.nix ./acme.nix ./home-assistant.nix ./nextcloud.nix + ./wireguard.nix ]; # Use the GRUB 2 boot loader. @@ -34,7 +34,7 @@ services.openssh.ports = [ 2222 ]; - networking.firewall.allowedTCPPorts = [ 2222 ]; + networking.firewall.allowedTCPPorts = [ 80 443 2222 ]; networking.firewall.allowedUDPPorts = [ 51899 ]; networking.firewall.enable = lib.mkForce true; diff --git a/hosts/cube/cube.nix b/hosts/cube/cube.nix index 894cab9c..0b115dd8 100644 --- a/hosts/cube/cube.nix +++ b/hosts/cube/cube.nix @@ -9,5 +9,5 @@ in ./configuration.nix ]; - + pub-solar.core.disk-encryption-active = false; } 
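Review bot: The new `networking.firewall.allowedTCPPorts = [ 80 443 2222 ];` in hosts/cube/configuration.nix opens HTTP and HTTPS on every interface with no comment saying which service they belong to; the nextcloud.nix hunk in the same commit configures `data.gssws.de` with `https = true`, so these are presumably its web frontend, with 80 needed only for the certificate challenge or HTTPS redirect — confirm. If that frontend is meant to be reachable only through the tunnel that wireguard.nix now sets up, scope the ports to it with `networking.firewall.interfaces.wg1.allowedTCPPorts = [ 80 443 ];` instead of the global list. Either way add a why-comment above the line, e.g. `# 80/443: web frontend for nextcloud (data.gssws.de); 2222: sshd`, so the next reader can tell which ports are intentionally public.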
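Review bot: `pub-solar.core.disk-encryption-active = false;` in hosts/cube/cube.nix flips a security-relevant host property without a comment saying why this host runs without disk encryption, and the diff does not show what the option controls. Add a why-comment on that line, e.g. `# no disk encryption on cube: <reason>`, so the choice is visibly deliberate rather than a leftover. Since the WireGuard private key referenced from wireguard.nix is decrypted onto this host at boot, it is worth confirming in that comment that unencrypted storage is acceptable for the key material this host holds.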
diff --git a/hosts/cube/home-controller.nix b/hosts/cube/home-controller.nix
deleted file mode 100644
index c472b12d..00000000
--- a/hosts/cube/home-controller.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{ self, config, pkgs, ... }:
-
-{
- config = {
- age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
- age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cube_wireguard_key.age";
-
- pub-solar.home-controller = {
- enable = true;
- role = "agent";
- ownIp = "10.0.1.5";
-
- k3s = {
- enableLocalStorage = false;
- enableZfs = false;
- serverAddr = "https://api.kube:6443";
- tokenFile = "/run/agenix/home_controller_k3s_token";
- };
-
- wireguard = {
- privateKeyFile = "/run/agenix/home_controller_wireguard";
- peers = [
- {
- # giggles
- publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
- allowedIPs = [ "10.0.1.11/32" ];
- }
- {
- # cox
- publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
- allowedIPs = [ "10.0.1.12/32" ];
- }
- {
- # companion
- publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
- allowedIPs = [ "10.0.1.13/32" ];
- }
-
- {
- # hsha
- publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc=";
- allowedIPs = [ "10.0.1.254/32" ];
- }
- ];
- };
- };
- };
-}
diff --git a/hosts/cube/nextcloud.nix b/hosts/cube/nextcloud.nix
index fe389722..2b179a9a 100644
--- a/hosts/cube/nextcloud.nix
+++ b/hosts/cube/nextcloud.nix
@@ -52,7 +52,7 @@
 package = pkgs.nextcloud24;
 hostName = "data.gssws.de";
 https = true;
- #datadir = "/mnt/internal/nextcloud";
+ datadir = "/mnt/internal/nextcloud";
 autoUpdateApps.enable = true;
 autoUpdateApps.startAt = "05:00:00";
diff --git a/hosts/cube/wireguard.nix b/hosts/cube/wireguard.nix
new file mode 100644
index 00000000..92b1ffd1
--- /dev/null
+++ b/hosts/cube/wireguard.nix
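Review bot: Uncommenting `datadir = "/mnt/internal/nextcloud";` in hosts/cube/nextcloud.nix changes the data directory of a Nextcloud instance that, judging by the previously commented-out line, has already been running with the default location, and nothing in this diff moves existing data or declares the mount; as far as I can tell the module does not migrate data on its own, so existing files would have to be copied to the new path with the correct ownership first. It also needs `/mnt/internal` to be mounted before the Nextcloud services start, otherwise an empty data directory is created on the root filesystem. Add a comment above the line such as `# data lives on /mnt/internal; the mount must be up before nextcloud starts` and, if not already done elsewhere, declare the mount dependency. The enclosing `services.nextcloud` attribute set starts and ends outside this hunk.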
@@ -0,0 +1,63 @@
+{ self, config, pkgs, ... }:
+
+{
+ age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cube_wireguard_key.age";
+
+
+ systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
+ systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
+
+ # Enable WireGuard
+ networking.wireguard.interfaces = {
+ wg1 = {
+ # Determines the IP address and subnet of the client's end of the tunnel interface.
+ ips = [ "10.0.1.5" ];
+ listenPort = 51899; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+ # Path to the private key file.
+ #
+ # Note: The private key can also be included inline via the privateKey option,
+ # but this makes the private key world-readable; thus, using privateKeyFile is
+ # recommended.
+ privateKeyFile = "/run/agenix/home_controller_wireguard";
+
+ peers = [
+ # For a client configuration, one peer entry for the server will suffice.
+
+ {
+ # giggles
+ publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
+ allowedIPs = [ "10.0.1.11/32" ];
+
+ # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+ persistentKeepalive = 25;
+ }
+ {
+ # cox
+ publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
+ allowedIPs = [ "10.0.1.12/32" ];
+
+ # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+ persistentKeepalive = 25;
+ }
+ {
+ # companion
+ publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
+ allowedIPs = [ "10.0.1.13/32" ];
+
+ # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+ persistentKeepalive = 25;
+ }
+
+ {
+ # hsha
+ publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc=";
+ allowedIPs = [ "10.0.1.254/32" ];
+
+ # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+}
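Review bot: The restart policy at the top of hosts/cube/wireguard.nix targets `systemd.services.wireguard-wg0`, but the only interface defined in this file is `wg1`; assuming the module names its units `wireguard-<interface>` as the existing reference suggests, the `Restart=on-failure` and `RestartSec=5s` settings never reach the `wireguard-wg1` unit and an unrelated `wireguard-wg0` service override is declared instead. Change both lines to `systemd.services.wireguard-wg1.serviceConfig.Restart = "on-failure";` and `systemd.services.wireguard-wg1.serviceConfig.RestartSec = "5s";`. The template comment `# For a client configuration, one peer entry for the server will suffice.` no longer describes this file, which lists four peers and sets no `endpoint` for any of them, so this host can only be contacted by peers that know its address; replace it with `# Peers connect to us on listenPort 51899 (no endpoint set here); keep that UDP port open in the firewall.` The `ips = [ "10.0.1.5" ]` entry carries no prefix length while the allowedIPs entries do — I cannot tell from the diff whether the module adds per-peer routes, so confirm the peers are reachable without an explicit `/24`.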