diff --git a/flake.lock b/flake.lock index 94c9949..5c04e0a 100644 --- a/flake.lock +++ b/flake.lock @@ -164,6 +164,27 @@ "type": "github" } }, + "flake-utils_2": { + "inputs": { + "systems": [ + "stylix", + "systems" + ] + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "fromYaml": { "flake": false, "locked": { @@ -204,11 +225,11 @@ ] }, "locked": { - "lastModified": 1721852138, - "narHash": "sha256-JH8N5uoqoVA6erV4O40VtKKHsnfmhvMGbxMNDLtim5o=", + "lastModified": 1724435763, + "narHash": "sha256-UNky3lJNGQtUEXT2OY8gMxejakSWPTfWKvpFkpFlAfM=", "owner": "nix-community", "repo": "home-manager", - "rev": "304a011325b7ac7b8c9950333cd215a7aa146b0e", + "rev": "c2cd2a52e02f1dfa1c88f95abeb89298d46023be", "type": "github" }, "original": { @@ -276,11 +297,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1721562059, - "narHash": "sha256-Tybxt65eyOARf285hMHIJ2uul8SULjFZbT9ZaEeUnP8=", + "lastModified": 1724224976, + "narHash": "sha256-Z/ELQhrSd7bMzTO8r7NZgi9g5emh+aRKoCdaAv5fiO0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "68c9ed8bbed9dfce253cc91560bf9043297ef2fe", + "rev": "c374d94f1536013ca8e92341b540eba4c22f9c62", "type": "github" }, "original": { 
@@ -324,16 +345,18 @@ "base16-tmux": "base16-tmux", "base16-vim": "base16-vim", "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils_2", "gnome-shell": "gnome-shell", "home-manager": "home-manager_2", - "nixpkgs": "nixpkgs_3" + "nixpkgs": "nixpkgs_3", + "systems": "systems_2" }, "locked": { - "lastModified": 1721816671, - "narHash": "sha256-gk+ktb6smoyYmjM5Je2EYxyVLDrFNmRHDzf3iUoElJU=", + "lastModified": 1724444244, + "narHash": "sha256-fH1lyJvJjUhZ8xMlmiI18EZNzodDSe74rFuwlZDL0aQ=", "owner": "danth", "repo": "stylix", - "rev": "c974c17cd089dcbfb16fbde028dd00bcc05e3f73", + "rev": "d042af478ce87e188139480922a3085218194106", "type": "github" }, "original": { @@ -356,6 +379,21 @@ "repo": "default", "type": "github" } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", diff --git a/hosts/muon/configuration.nix b/hosts/muon/configuration.nix index 5ffb6df..3cabb72 100644 --- a/hosts/muon/configuration.nix +++ b/hosts/muon/configuration.nix @@ -33,6 +33,7 @@ in { mods.server.sync.enable = true; mods.tailscale.enable = true; mods.openvpn.enable = false; + mods.wireguard.enable = true; services.xserver.windowManager.i3.enable = true; diff --git a/hosts/muon/hardware-configuration.nix b/hosts/muon/hardware-configuration.nix index 4e54ee3..449f183 100644 --- a/hosts/muon/hardware-configuration.nix +++ b/hosts/muon/hardware-configuration.nix 
@@ -50,7 +50,7 @@ networking.useDHCP = lib.mkDefault true; # networking.interfaces.docker0.useDHCP = lib.mkDefault true; networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true; - networking.interfaces.enp0s31f6.mtu = 1200; + networking.interfaces.enp0s31f6.mtu = 1500; # networking.interfaces.tun0.useDHCP = lib.mkDefault true; # networking.interfaces.vboxnet0.useDHCP = lib.mkDefault true; diff --git a/modules/home/desktop/productivity.nix b/modules/home/desktop/productivity.nix index 02fc090..1290ef5 100644 --- a/modules/home/desktop/productivity.nix +++ b/modules/home/desktop/productivity.nix @@ -13,13 +13,17 @@ # webgl chromium + mullvad-browser + + # password manager + bitwarden-desktop ]; home.sessionVariables.BROWSER = "librewolf"; programs.zsh.sessionVariables.BROWSER = "librewolf"; programs.librewolf = { - enable = true; + enable = false; settings = { "webgl.disabled" = true; "privacy.resistFingerprinting" = true; @@ -29,8 +33,8 @@ }; }; - programs.qutebrowser = { - enable = true; - }; + # programs.qutebrowser = { + # enable = true; + # }; }; } diff --git a/modules/nixos/core/network.nix b/modules/nixos/core/network.nix index 19dea15..ffa2b7b 100644 --- a/modules/nixos/core/network.nix +++ b/modules/nixos/core/network.nix @@ -1,6 +1,7 @@ { pkgs, lib, config, ... }: { options.mods = { tailscale.enable = lib.mkEnableOption "enables tailscale"; + wireguard.enable = lib.mkEnableOption "enables wireguard client"; openvpn.enable = lib.mkEnableOption "enables openvpn config"; openvpn.config = let username = "${config.mods.user.name}"; 
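Review bot: `home.sessionVariables.BROWSER = "librewolf";` and `programs.zsh.sessionVariables.BROWSER = "librewolf";` survive as context lines while the hunk sets `programs.librewolf.enable = false;`, so `$BROWSER` now names a binary that is no longer installed and anything honouring it (xdg-open fallbacks, terminal tools) will fail to open a browser. Either keep librewolf enabled or point both variables at a browser that stays in the package list, e.g. `home.sessionVariables.BROWSER = "chromium";` (check the executable name that mullvad-browser ships before using that one instead). The second hunk of this file comments out the qutebrowser block rather than deleting it; with the file under version control, dropping those three lines is cleaner than keeping dead config.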
@@ -20,5 +21,30 @@ services.openvpn.servers = lib.mkIf config.mods.openvpn.enable { remote.config = ''config ${config.mods.openvpn.config}''; }; + + + networking = lib.mkIf config.mods.wireguard.enable { + firewall = { + allowedUDPPorts = [ 51820 ]; # Clients and peers can use the same port, see listenport + }; + wireguard.interfaces = { + wg0 = { + ips = [ "10.100.0.2/24" ]; + listenPort = 51820; + + privateKeyFile = "/home/muon/wireguard-keys/private"; + + peers = [ + { + publicKey = "2RF8GmTZwQdzVm2l2piYy6U0qiMU3wSxC7Lt8urAjwA="; + allowedIPs = [ "0.0.0.0/0" ]; + endpoint = "{server ip}:51820"; + persistentKeepalive = 25; + } + ]; + }; + }; + }; + }; } diff --git a/modules/nixos/server/containers/steam.nix b/modules/nixos/server/containers/steam.nix index 1cd5fc3..10c3abb 100644 --- a/modules/nixos/server/containers/steam.nix +++ b/modules/nixos/server/containers/steam.nix @@ -20,8 +20,8 @@ in { privateNetwork = true; # hostAddress = "192.168.100.10"; # localAddress = "192.168.100.11"; - hostBridge = "br0"; # Specify the bridge name - localAddress = "192.168.1.171/24"; + # hostBridge = "br0"; # Specify the bridge name + # localAddress = "192.168.1.171/24"; bindMounts = { "/home/steam/.steam/steam/steamapps/common/SMITE" = { diff --git a/modules/nixos/server/default.nix b/modules/nixos/server/default.nix index 4a81151..db452c5 100644 --- a/modules/nixos/server/default.nix +++ b/modules/nixos/server/default.nix @@ -6,5 +6,6 @@ ./media.nix ./sync.nix + ./wireguard.nix ]; } diff --git a/modules/nixos/server/docker/default.nix b/modules/nixos/server/docker/default.nix index c76112b..a9c02a2 100644 --- a/modules/nixos/server/docker/default.nix +++ b/modules/nixos/server/docker/default.nix 
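Review bot: `endpoint = "{server ip}:51820";` is a literal placeholder, not an address, so once `mods.wireguard.enable = true` (set for muon in hosts/muon/configuration.nix in this commit) the wg0 setup will fail to resolve the endpoint and the interface will not come up; fill in the real host or take it from an option such as `mods.wireguard.endpoint` instead of committing a template string. With `allowedIPs = [ "0.0.0.0/0" ]` every IPv4 route is pushed through the tunnel, so it is worth verifying that the endpoint host stays reachable outside it under `networking.wireguard` (wg-quick handles that routing itself, this module does not). `privateKeyFile = "/home/muon/wireguard-keys/private"` and the interface name `wg0` are exactly the values the new modules/nixos/server/wireguard.nix declares, so a host enabling both modules would get conflicting `wg0` definitions and the same key on both ends; the paths should differ, and a private key is better kept in a root-owned file with mode 0400 than under a user's home directory. The enclosing `config` attrset starts outside the hunk.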
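Review bot: With `hostBridge` and `localAddress` now commented out, and `hostAddress`/`localAddress` already commented in the context lines, the container keeps `privateNetwork = true;` but carries no address configuration at all, so as far as I can tell it ends up with an isolated veth and no connectivity. If cutting it off from the LAN is the intent, a one-line comment such as `# privateNetwork with no addresses: container is deliberately offline` would save the next reader a debugging session; otherwise `privateNetwork = false;` is the simpler change. The container definition starts and ends outside the hunk.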
@@ -1,16 +1,16 @@ -{ pkgs, lib, ... }: { +{ pkgs, lib, config, ... }: { imports = [ ./media.nix ]; - options.mods.docker.media = { + options.mods.docker = { enable = lib.mkEnableOption { default = false; - description = "enables docker containers for media server"; + description = "enables docker containers"; }; }; - config = lib.mkIf config.mods.docker.media.enable { + config = lib.mkIf config.mods.docker.enable { environment.systemPackages = [ pkgs.arion @@ -27,6 +27,6 @@ virtualisation.podman.defaultNetwork.dnsname.enable = true; # Use your username instead of `myuser` - users.extraUsers.${mods.user.name}.extraGroups = ["podman"]; + users.extraUsers.${config.mods.user.name}.extraGroups = ["podman"]; }; } diff --git a/modules/nixos/server/docker/media.nix b/modules/nixos/server/docker/media.nix index 6787be5..8c5f0fd 100644 --- a/modules/nixos/server/docker/media.nix +++ b/modules/nixos/server/docker/media.nix 
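Review bot: `enable = lib.mkEnableOption { default = false; description = "enables docker containers"; };` passes an attrset where `lib.mkEnableOption` takes a name string; `default = false` is what it already sets, and its description is built as `"Whether to enable ${name}."`, which cannot interpolate a set, so option documentation fails to render as soon as something evaluates it. Replace the call with `enable = lib.mkEnableOption "docker containers";`, the form modules/nixos/core/network.nix already uses for `tailscale.enable`, or use `lib.mkOption { type = lib.types.bool; default = false; description = "..."; }` if the exact wording matters. The new modules/nixos/server/wireguard.nix has the same pattern for `mods.server.wireguard.enable`.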
@@ -7,24 +7,24 @@ }; config = lib.mkIf config.mods.docker.media.enable { - virtualisation.arion = { - backend = "docker"; - projects = { - "hyperpipe".settings.services = { - "hyperpipe-frontend".service = { - image = "codeberg.org/hyperpipe/hyperpipe:latest"; - container-name = "hyperpipe-frontend"; - restart = "unless-stopped"; - ports = ["8080:80"]; - }; - "hyperpipe-backend".service = { - image = "codeberg.org/hyperpipe/hyperpipe:latest"; - container_name = "hyperpipe-backend"; - restart = "unless-stopped"; - ports = ["3000:3000"]; - }; - }; - }; - }; + # virtualisation.arion = { + # backend = "docker"; + # projects = { + # "hyperpipe".settings.services = { + # "hyperpipe-frontend".service = { + # image = "codeberg.org/hyperpipe/hyperpipe:latest"; + # container-name = "hyperpipe-frontend"; + # restart = "unless-stopped"; + # ports = ["8080:80"]; + # }; + # "hyperpipe-backend".service = { + # image = "codeberg.org/hyperpipe/hyperpipe:latest"; + # container_name = "hyperpipe-backend"; + # restart = "unless-stopped"; + # ports = ["3000:3000"]; + # }; + # }; + # }; + # }; }; } diff --git a/modules/nixos/server/wireguard.nix b/modules/nixos/server/wireguard.nix new file mode 100644 index 0000000..5b21e65 --- /dev/null +++ b/modules/nixos/server/wireguard.nix 
@@ -0,0 +1,45 @@
+{ pkgs, lib, config, ... }: {
+ options.mods.server.wireguard = {
+ enable = lib.mkEnableOption {
+ default = false;
+ description = "enables wireguard server";
+ };
+ };
+
+
+ config = lib.mkIf config.mods.server.wireguard.enable {
+ networking.nat.enable = true;
+ networking.nat.externalInterface = "ens3";
+ networking.nat.internalInterfaces = [ "wg0" ];
+ networking.firewall = {
+ allowedUDPPorts = [ 51820 ];
+ };
+
+ networking.wireguard.interfaces = {
+ wg0 = {
+ ips = [ "10.100.0.1/24" ];
+
+ listenPort = 51820;
+
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+
+ # This undoes the above command
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+
+ privateKeyFile = "/home/muon/wireguard-keys/private";
+
+ peers = [
+ {
+ publicKey = "MDBdADwP/SE/T9cadXB1Mup7Dr3x+l6gBFBN83BU4Dg=";
+ allowedIPs = [ "10.100.0.2/32" ];
+ }
+ ];
+ };
+ };
+
+ };
+}
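Review bot: `networking.nat.externalInterface = "ens3";` and the two iptables rules in `postSetup`/`postShutdown` disagree on the uplink (`-o eth0`), so one of them masquerades on an interface the host does not have; since `networking.nat` with `internalInterfaces = [ "wg0" ]` already installs the MASQUERADE rule for the external interface, the hand-written `postSetup`/`postShutdown` can be dropped and `ens3` kept as the single source of truth (confirm the name against the server's interface list). `privateKeyFile = "/home/muon/wireguard-keys/private"` places the server key under a user home directory; a root-owned file with mode 0400 outside any home directory keeps it away from the user account and from whatever syncs or backs up that home, and a path distinct from the client module in modules/nixos/core/network.nix avoids the two `wg0` definitions colliding if a host enables both. `enable = lib.mkEnableOption { ... }` has the same argument problem as modules/nixos/server/docker/default.nix in this commit; `enable = lib.mkEnableOption "wireguard server";` is the form the rest of the repo uses.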