System Gen159 @ 2025-04-23-00:25:53

This commit is contained in:
Jonas Röger 2025-04-23 00:25:54 +02:00
parent 376909ae22
commit 99e902a08d
9 changed files with 182 additions and 0 deletions


@ -1,19 +1,28 @@
keys:
- &jonas age1expg8vyduf290pz7l4f3mjzvk9f0azfdn48pyjzs3m6p7v4qjq0qwtn36z
- &harbor age1wf0rq27v0n27zfy0es8ns3n25e2fdt063dgn68tt3f89rgrtu9csq4yhsp
- &comfy-station age1xkmnvzus6fhundn4c0f6hyuwrj0f0m7x3hxtuhnez6cecr6m032qalw308
creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
key_groups:
- age:
- *jonas
- *harbor
- *comfy-station
- path_regex: secrets/jonas/[^/]+\.(yaml|json|env|ini)$
key_groups:
- age:
- *jonas
- path_regex: secrets/comfy-station/[^/]+\.(yaml|json|env|ini)$
key_groups:
- age:
- *comfy-station
- *jonas
- path_regex: secrets/harbor/[^/]+\.(yaml|json|env|ini)$
key_groups:
- age:
- *harbor
- *jonas
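Review bot: The `path_regex` values are matched as unanchored substrings, so a rule such as `secrets/jonas/[^/]+\.(yaml|json|env|ini)$` would also match a file under, say, `other/secrets/jonas/` in the repository and encrypt it to the jonas key only; prefixing each pattern with `^` pins it to the intended directory, e.g. `- path_regex: ^secrets/jonas/[^/]+\.(yaml|json|env|ini)$`. As far as I can tell the current rule order is fine, because the `[^/]+` in the first rule keeps it from swallowing the per-host subdirectories, but a one-line comment above `creation_rules:` stating that sops applies the first matching rule would keep a future editor from reordering them. Changing recipients here does not re-encrypt already-committed files until `sops updatekeys` is run on them, which is also worth a comment next to the key list.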


@ -56,6 +56,7 @@
modules = [
({...}: {nixpkgs.overlays = [overlay-unstable];})
nixos-hardware.nixosModules.lenovo-thinkpad-t14-amd-gen1
inputs.sops-nix.nixosModules.sops
./hosts/comfy-station/configuration.nix
];
};


@ -2,6 +2,7 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{
config,
pkgs,
inputs,
...
@ -18,9 +19,18 @@
../../modules/hardware/printing.nix
../../modules/hardware/sound.nix
../../modules/hardware/yubikey.nix
../../modules/networking/wireguard
../../modules/programs.nix
../../modules/services/virt-manager.nix
];
# Secret management
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.secrets.wg-priv = {
sopsFile = ../../secrets/comfy-station/wg.yaml;
key = "privateKey";
};
desktop.dm.name = "sddm";
desktop.de.plasma.enable = false;
desktop.de.hyprland.enable = true;
@ -83,6 +93,10 @@
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "24.11"; # Did you read the comment?
# wg client
networking.wg.client.enable = true;
networking.wg.client.privateKeyFile = config.sops.secrets.wg-priv.path;
# boot
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
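Review bot: The `# Secret management` block needs a comment explaining the two non-obvious choices in it: `key = "privateKey"` is required because the secret is named `wg-priv` while the YAML key inside `wg.yaml` is `privateKey`, and `config.sops.secrets.wg-priv.path` is a runtime string pointing at the file sops-nix decrypts during activation, deliberately not a Nix path literal, which is what keeps the private key out of the world-readable store. Something like `# YAML key differs from the secret name; sops-nix decrypts it at activation and only the runtime path is handed to the wg client.` above `sops.secrets.wg-priv` would cover both. The host key at `/var/lib/sops-nix/key.txt` is referenced but not provisioned by this commit, so presumably it must already be on the machine before the first activation — that prerequisite belongs in the same comment.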


@ -0,0 +1,27 @@
{
config,
lib,
...
}: let
cfg = config.networking.wg.client;
peers = import ./peers.nix {};
in {
options.networking.wg.client = {
enable = lib.mkEnableOption "Enable WireGuard client";
privateKeyFile = lib.mkOption {
type = lib.types.path;
description = "Path to the private key file for the WireGuard client";
};
};
config = lib.mkIf cfg.enable {
networking.wg-quick.interfaces.wg0 = {
inherit (peers.jonas) address;
inherit (cfg) privateKeyFile;
peers = [
peers.harbor
];
};
};
}
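Review bot: `lib.mkEnableOption "Enable WireGuard client"` yields the option description "Whether to enable Enable WireGuard client.", since `mkEnableOption` already prefixes "Whether to enable"; the argument should be the noun phrase only, `enable = lib.mkEnableOption "the WireGuard client";`. The same applies to `mkEnableOption "Enable WireGuard server"` in server.nix. `privateKeyFile` is typed `lib.types.path`, which also accepts a Nix path literal that would be copied into the Nix store, so the description should state that the value must be a runtime path string, e.g. `description = "Runtime path to the client's private key (a string such as a sops-nix secret path; a Nix path literal would end up in the world-readable store)";`. A client whose peer routes all traffic through the tunnel also normally sets `dns` on the wg-quick interface so resolver queries follow the tunnel too; that is not configured here and is at least worth a comment on the interface block.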


@ -0,0 +1,3 @@
{...}: {
imports = [./client.nix ./server.nix];
}


@ -0,0 +1,20 @@
{}: {
harbor = {
publicKey = "aFl1ILLtKQkXctqzMZQxgnfLtSrKabs4NO2fZExeKWE=";
# Forward all trafic to the VPN.
allowedIPs = ["0.0.0.0/0"];
# Server endpoint to connect to.
endpoint = "173.249.42.252:51820";
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
};
jonas = {
publicKey = "oPMapC1S3TPe+/YQulG0AsVsOu+MzZY7huvAAXVJEnM=";
address = ["10.10.10.2/24"];
allowedIPs = ["10.10.10.2/32"];
};
}
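Review bot: `allowedIPs = ["0.0.0.0/0"]` on the harbor peer routes only IPv4 through the tunnel; any IPv6 the client's local network provides keeps its normal default route and bypasses the VPN, which contradicts the "Forward all trafic to the VPN" comment. If the intent is really all traffic, use `allowedIPs = ["0.0.0.0/0" "::/0"];` — with no IPv6 address on the server side this blackholes IPv6 instead of letting it leak, which is normally what a full-tunnel client wants — and fix the typo in the comment (`traffic`). The `endpoint` literal is fine, but a comment noting that it is the harbor host's public address would help whenever it changes.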


@ -0,0 +1,48 @@
{
config,
pkgs,
lib,
...
}: let
cfg = config.networking.wg.server;
peers = import ./peers.nix {};
in {
options.networking.wg.server = {
enable = lib.mkEnableOption "Enable WireGuard server";
port = lib.mkOption {
type = lib.types.port;
default = 51820;
description = "Port for WireGuard server";
};
privateKeyFile = lib.mkOption {
type = lib.types.path;
description = "Path to the private key file for the WireGuard server";
};
};
config = lib.mkIf cfg.enable {
# Firewall and NAT configuration
networking.firewall.allowedUDPPorts = [cfg.port];
networking.nat.enable = true;
networking.nat.externalInterface = "eth0";
networking.nat.internalInterfaces = ["wg0"];
# Interface with NAT for internet routing
networking.wireguard.interfaces."wg0" = {
ips = ["10.10.10.1/24"];
listenPort = cfg.port;
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
'';
inherit (cfg) privateKeyFile;
peers = [
peers.jonas
];
};
};
}
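Review bot: `peers = [ peers.jonas ]` passes the whole `jonas` attribute set from peers.nix, which includes `address`; as far as I can tell `networking.wireguard.interfaces.<name>.peers` is a list of submodules with a fixed option set, so the unknown `address` attribute should make evaluation fail as soon as `networking.wg.server.enable` is set. Strip it at the use site, `peers = [ (builtins.removeAttrs peers.jonas [ "address" ]) ];`, or split peers.nix into interface settings and peer settings. Separately, `networking.nat.enable` with `internalInterfaces = ["wg0"]` and `externalInterface = "eth0"` already appears to install a MASQUERADE rule for that traffic, so the `postSetup`/`postShutdown` iptables lines look like a duplicate of it; keeping one mechanism avoids a stale rule when `eth0` or the subnet is changed in only one place. The `10.10.10.1/24` and `10.10.10.0/24` literals here and `10.10.10.2/24` in peers.nix state the same subnet three times and would be safer as one shared value.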


@ -0,0 +1,30 @@
privateKey: ENC[AES256_GCM,data:OZy5sAcILzzmQahx40n69DJBrAVIUCBETx0SFdFV43Rk64RmgDve0GJucGw=,iv:MLzyXZ2AFfjU8XuvV6QKjjgUgfjtFNtWJS5A4PI1MUU=,tag:VbT9i/uA098hn4VJyzSKoA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1xkmnvzus6fhundn4c0f6hyuwrj0f0m7x3hxtuhnez6cecr6m032qalw308
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2aTFKdUJYbGViQ2tFd3dX
Qm5vZ2k0alZmOHRZczdSd0hoRlJyeWNHYWpvCmplUXpDZGh0MjhhQnMrekVLWUpT
Ukk2ZFJVR21ndmdUS1JGVnVLM3lBQ3cKLS0tIGhKVU9yWVh1bjk5ZTVLd1RqMUtY
YVpaaHpEdy80STVhVy90Z3hPYkpVSVEKlx+5YxW9+KXxM/0KAA0TDtzVsuuL+b33
uVN8KbGSQ6uE/4PRdzj492L/edGcI8j3nQY59Q8pzxEVXDVzjssOJw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1expg8vyduf290pz7l4f3mjzvk9f0azfdn48pyjzs3m6p7v4qjq0qwtn36z
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBScjNEZHF4d1FWeFZIUnVC
UkJtbXZFWE5TMU9SOTJNSEpHL21ZNG1XalY4Ck9IK2RrRVNQUlRaR2hwSW5mZFVl
WXMxUnlIdWJodFZlRk41UERhNzFiQWsKLS0tIHRCUHdpZVF4OVhLQUJkU1UxVVFz
MTRBS1diMmlRZHZ5L1ZzQzloQnYzSTAKaF+iJeEIeXU+rbiG4kzDyd9gRbMizEEy
G9ORqyLk/y5Uth9EU3/5jIy9A1RvTHum9xLOF6NiBFuFrO+brgeJ6g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-22T22:13:18Z"
mac: ENC[AES256_GCM,data:nGoTW/nr+fEOz5PTEg6+VieAg/afbHl5eUa97EL1fBA21JHhcjepjHJAOMJ2DV2TOJ+mfdBmmU9znnbs4u0sSvgNJCguXyVpHZEa8jnYSo88DY2ihy16xjtDVuEUVXy8eKd1lrjgaWn1GBi6cgVefHHxwqviCC1j5PGlvDpYxko=,iv:vqwXFlm4vMIXBaFfp/CmTYXyj5Ps4OEnCzNcbgCoe04=,tag:MymyCdX8oyjPhMv+uwlbeg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4

30
secrets/harbor/wg.yaml Normal file

@ -0,0 +1,30 @@
privateKey: ENC[AES256_GCM,data:kOYKEVlBKFFm/dyr5cfxng4Ga57re9o2meOJ5aGQ67lHcbKyb9pGg2rQM8s=,iv:cCfm65To5Uv9XV7sTUADJyCiPmeO6RHPDtofL51ECyU=,tag:L3a8aDND3qexj0eYc611QA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1wf0rq27v0n27zfy0es8ns3n25e2fdt063dgn68tt3f89rgrtu9csq4yhsp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBESTNYa3lQZmNsOEVHV3Vx
SzBUaEN0eitQOElEQndaV0V5dUNTaUNzaUFjClhFN1RzNzlLVDNEU28zeDZ5Vzk5
MzdYeUwrY2tObHJCWkRxdWJ2T0x5V2cKLS0tIER0V1lsMldMdnhwdVRGMmhadnlz
RlA3SHpvUnJSMVV2eXYzSHovanVBbzgK2kPVcegTTZX6Dd44qHpmoyaER4Ux8l/3
BBzvQthdYP6SfZO8ay5d2F95wbSm2Fi+DWRyhJL7p4+u6/qIeFm5WA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1expg8vyduf290pz7l4f3mjzvk9f0azfdn48pyjzs3m6p7v4qjq0qwtn36z
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0eWtSWGEyODd5b0JOK2pP
K0RhWnJWZTBpaHhGNVV4V0tuVTZnT25rY1ZzClRxdU9xSjZMODZLcmZreFNpMGt0
NnY0TE5JcUdzbmF1d0VOZWZLTjFwc0EKLS0tIEJ2WnEvVkl4c3ZkU3V3dkg1WERp
ME9rMy9jYWRuYmhpN2o5YkRCUU1aSGsKvrXmbsTo7UBrSKh1N2Sl6e6bmAtp3kta
vzcRjEei2uY/9e36Ah2F2XrZLpnqIQwfx9Kez1vPWIpB8OTcCP6MoA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-22T21:40:36Z"
mac: ENC[AES256_GCM,data:seCSuL3XybXSDTMVyc4EKU9LtseJituAeQPcm2ublloiYoI03hv/ExAHWYtIGIRKtzfPxZe7kXhhL8uER2jnS7pb7f9soR/4pNb6RiTBF0jxxt3wS7LiaADO3uXs5xjrlQ+GUTfIJbRC3utZ/0aO0O+tM8X6KnpCToix21ZElDg=,iv:T+gWb2ytZHCyJ2SktxwZp8mHJqTAKHO9waTMYLhBZCM=,tag:5qKLv74vybnqXEr4BuBcXQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4