foodogsquared/nixos-config
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/nixos-config.git synced 2025-01-31 16:57:55 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
6bf2642ffc
nixos-config/hosts/ni/default.nix
Gabriel Arazas 6bf2642ffc hosts: add Wireguard services to related peers 
Among other things, Plover now ignores certain IP for fail2ban. This is
for the VPN users that are placed in that range.
2023-01-17 21:34:54 +08:00

247 lines
6.3 KiB
Nix
Raw Blame History

{ config, pkgs, lib, ... }:
let
network = import ../plover/modules/hardware/networks.nix;
inherit (network) publicIP wireguardIPv6BaseAddress wireguardPort;
wireguardAllowedIPs = [ "0:0:0:0/0" "::/0" ];
wireguardIFName = "wireguard0";
in
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(lib.mapHomeManagerUser "foo-dogsquared" {
extraGroups = [
"adbusers"
"wheel"
"audio"
"docker"
"podman"
"networkmanager"
];
hashedPassword =
"$6$.cMYto0K0CHbpIMT$dRqyKs4q1ppzmTpdzy5FWP/V832a6X..FwM8CJ30ivK0nfLjQ7DubctxOZbeOtygfjcUd1PZ0nQoQpOg/WMvg.";
isNormalUser = true;
createHome = true;
home = "/home/foo-dogsquared";
})
];
services.openssh.hostKeys = [{
path = config.sops.secrets."ni/ssh-key".path;
type = "ed25519";
}];
sops.secrets =
let
getKey = key: {
inherit key;
sopsFile = ./secrets/secrets.yaml;
};
getSecrets = secrets:
lib.mapAttrs'
(secret: config:
lib.nameValuePair
"ni/${secret}"
((getKey secret) // config))
secrets;
in
getSecrets {
ssh-key = { };
"ldap/password" = { };
"wireguard/private-key" = {
group = config.users.users.systemd-network.group;
reloadUnits = [ "systemd-networkd.service" ];
mode = "0640";
};
"wireguard/preshared-keys/plover" = {
group = config.users.users.systemd-network.group;
reloadUnits = [ "systemd-networkd.service" ];
mode = "0640";
};
"wireguard/preshared-keys/phone" = {
group = config.users.users.systemd-network.group;
reloadUnits = [ "systemd-networkd.service" ];
mode = "0640";
};
};
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
boot.binfmt.emulatedSystems = [
"aarch64-linux"
"riscv64-linux"
];
boot.initrd.supportedFilesystems = [ "btrfs" ];
boot.supportedFilesystems = [ "btrfs" ];
services.btrfs.autoScrub = {
enable = true;
fileSystems = [
"/mnt/archives"
];
};
# My custom configuration with my custom modules starts here.
profiles = {
i18n.enable = true;
archiving.enable = true;
desktop = {
enable = true;
audio.enable = true;
fonts.enable = true;
hardware.enable = true;
cleanup.enable = true;
autoUpgrade.enable = true;
};
dev = {
enable = true;
shell.enable = true;
virtualization.enable = true;
neovim.enable = true;
};
};
tasks = {
multimedia-archive.enable = true;
backup-archive.enable = true;
};
workflows.workflows.a-happy-gnome.enable = true;
programs.pop-launcher = {
enable = true;
plugins = with pkgs; [
pop-launcher-plugin-duckduckgo-bangs
pop-launcher-plugin-brightness
];
};
programs.wezterm.enable = true;
programs.adb.enable = true;
environment.systemPackages = with pkgs; [
(swh.swh-core.overrideAttrs (super: self: {
pythonPath = with swh; [
swh-fuse
swh-web-client
swh-model
swh-auth
];
}))
];
# Enable Guix service.
services.guix.enable = true;
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Set your time zone.
time.timeZone = "Asia/Manila";
# Doxxing myself.
location = {
latitude = 15.0;
longitude = 121.0;
};
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
programs.mtr.enable = true;
services.auto-cpufreq.enable = true;
services.thermald.enable = true;
services.avahi.enable = true;
# The usual doas config.
security.doas = {
enable = true;
extraRules = [
{
groups = [ "wheel" ];
persist = true;
}
# It is the primary user so we may as well just make this easier to run.
{
users = [ "foo-dogsquared" ];
cmd = "nixos-rebuild";
noPass = true;
}
];
};
system.stateVersion = "22.11"; # Yes! I read the comment!
users.ldap = {
enable = true;
base = "dc=foodogsquared,dc=one";
bind = {
distinguishedName = "cn=Manager,dc=foodogsquared,dc=one";
passwordFile = config.sops.secrets."ni/ldap/password".path;
};
daemon.enable = true;
server = "ldaps://ldap.foodogsquared.one/";
};
# Setting up Wireguard as a VPN tunnel. Since this is a laptop that meant to
# be used anywhere, we're configuring Wireguard here as a "client".
#
# We're also setting up this configuration as a forwarder
systemd.network = {
netdevs."99-${wireguardIFName}" = {
netdevConfig = {
Name = wireguardIFName;
Kind = "wireguard";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."ni/wireguard/private-key".path;
ListenPort = wireguardPort;
};
wireguardPeers = [
# Plover server peer. This is the main "server" of the network.
{
wireguardPeerConfig = {
PublicKey = lib.readFile ../plover/files/wireguard/wireguard-public-key-plover;
PresharedKeyFile = config.sops.secrets."ni/wireguard/preshared-keys/plover".path;
AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs;
Endpoint = "${publicIP}:51820";
};
}
# "Phone" peer. It is also expected to be anywhere on the global
# network so we're basically setting up our own peer as a traffic
# forwarder in case there's ever a reason to do connect from the phone
# to the server which is always available anyways.
{
wireguardPeerConfig = {
PublicKey = lib.readFile ../plover/files/wireguard/wireguard-public-key-phone;
PresharedKeyFile = config.sops.secrets."ni/wireguard/preshared-keys/phone".path;
AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs;
Endpoint = "${publicIP}:51820";
};
}
];
};
networks."99-${wireguardIFName}" = {
matchConfig.Name = wireguardIFName;
address = [
"172.45.1.2/24"
"${wireguardIPv6BaseAddress}/48"
];
# Otherwise, it will autostart every bootup when I need it only at few
# hours at a time.
linkConfig.Unmanaged = true;
};
};
}
Reference in New Issue View Git Blame Copy Permalink