From 77ecbd30711dc2abcaa0497eed0e285e04fbe971 Mon Sep 17 00:00:00 2001
From: wayne <...>
Date: Tue, 3 Dec 2024 10:21:22 -0800
Subject: [PATCH] PIA w/agenix added.
---
configuration.nix | 62 ++++++++++++++++++++++++++----------------
flake.lock | 55 +++++++++++++++++++++++++++++++++++++
flake.nix | 7 ++++-
hm/home.nix | 16 +++++++++--
modules/containers.nix | 17 +++++++++++-
modules/security.nix | 6 +++-
secrets/pia.age | 17 ++++++++++++
secrets/secrets.nix | 3 +-
8 files changed, 153 insertions(+), 30 deletions(-)
create mode 100644 secrets/pia.age
diff --git a/configuration.nix b/configuration.nix
index f2e04e2..1ef4e0a 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -1,31 +1,41 @@ # NixOS's declarative configuration calculates which software packages need to be installed and then soft-links the storage paths of these packages in the Nix Store to /run/current-system, and by modifying environment variables like PATH -{ lib, config, pkgs, zen-browser, hyprland, inputs, agenix, pkgs-unstable, ... }: +{ + lib, + config, + pkgs, + zen-browser, + hyprland, + inputs, + agenix, + pkgs-unstable, + pia, + ... +}: let unstable = import { overlays = pkgs.overlays; }; in { - imports = - [ - ./environment.nix - ./hardware-configuration.nix + imports = [ + ./environment.nix + ./hardware-configuration.nix - # (import ./modules/containers.nix { inherit pkgs inputs config lib pkgs-unstable ;}) - ./modules/containers.nix - ./modules/display.nix - ./modules/files.nix - ./modules/fonts.nix - ./modules/musnix.nix - ./modules/network.nix - ./modules/nix.nix - # ./modules/qt.nix - ./modules/security.nix - ./modules/tailscale.nix - ./modules/users.nix - ./modules/wm.nix - ./modules/xdg.nix - ]; + # (import ./modules/containers.nix { inherit pkgs inputs config lib pkgs-unstable ;}) + ./modules/containers.nix + ./modules/display.nix + ./modules/files.nix + ./modules/fonts.nix + ./modules/musnix.nix + ./modules/network.nix + ./modules/nix.nix + # ./modules/qt.nix + ./modules/security.nix + ./modules/tailscale.nix + ./modules/users.nix + ./modules/wm.nix + ./modules/xdg.nix + ]; programs.hyprland = { enable = true; @@ -137,11 +147,15 @@ in #media-session.enable = true; # wireplumber.enable = true; }; - hardware.openrgb = { + # hardware.openrgb = { + # enable = false; + # package = pkgs.openrgb-with-all-plugins; + # motherboard = "intel"; + # server.port = 6742; + # }; + pia = { enable = true; - package = pkgs.openrgb-with-all-plugins; - motherboard = "intel"; - server.port = 6742; + authUserPassFile = config.age.secrets.pia.path; }; }; diff --git a/flake.lock b/flake.lock index dc5535f..c5edde2 100644 --- a/flake.lock +++ b/flake.lock 
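Review bot: `authUserPassFile = config.age.secrets.pia.path;` points the PIA module at a file that agenix will decrypt with its defaults (owner root, mode 0400, under /run/agenix), because the `pia` secret declared in modules/security.nix in this same patch sets only `file`; that is the right default for a VPN credential, but it only works if whatever service pia.nix starts reads the file as root, which this hunk cannot confirm — if that service drops privileges, set `owner`/`group` on the secret rather than loosening `mode`. The `hardware.openrgb` block is commented out instead of deleted; git history already keeps it, so the five `#` lines can simply go. The attribute set that the closing `};` lines belong to begins before this hunk.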
@@ -127,6 +127,24 @@ "type": "github" } }, + "flake-utils_2": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1726560853, + "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "fromYaml": { "flake": false, "locked": { @@ -332,6 +350,27 @@ "type": "github" } }, + "pia": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1730809692, + "narHash": "sha256-L2nzuQOK36xYcY6hQ3+waIFd0lWGlz7YTBnUCgV5Ox4=", + "owner": "Fuwn", + "repo": "pia.nix", + "rev": "445e82bd030080fb250f83805a7cc2feeea174c9", + "type": "github" + }, + "original": { + "owner": "Fuwn", + "repo": "pia.nix", + "type": "github" + } + }, "root": { "inputs": { "agenix": "agenix", @@ -345,6 +384,7 @@ "nix-colors": "nix-colors", "nixpkgs": "nixpkgs_3", "nixpkgs-unstable": "nixpkgs-unstable", + "pia": "pia", "tt-schemes": "tt-schemes", "zen-browser": "zen-browser" } @@ -379,6 +419,21 @@ "type": "github" } }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "tt-schemes": { "flake": false, "locked": { diff --git a/flake.nix b/flake.nix index e9143f6..f64a294 100644 --- a/flake.nix +++ b/flake.nix @@ -45,6 +45,9 @@ # inputs.nixpkgs.follows = "nixpkgs"; # }; agenix.url = "github:ryantm/agenix"; + # PIA + pia.url = "github:Fuwn/pia.nix"; + pia.inputs.nixpkgs.follows = "nixpkgs"; musnix.url = "github:musnix/musnix"; }; @@ -63,6 +66,7 @@ agenix, # nix-ld, musnix, + pia, ... } @ inputs: let 
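Review bot: `pia.url = "github:Fuwn/pia.nix";` tracks the default branch of a third-party repository whose NixOS module is imported into the system closure, so any future `nix flake update` pulls unreviewed code that runs as root at build and activation time; only flake.lock pins it today (rev 445e82bd…). Pin the revision you actually reviewed in the URL, `pia.url = "github:Fuwn/pia.nix/445e82bd030080fb250f83805a7cc2feeea174c9";`, or at least add `# third-party system module: re-review before bumping` above it so the next lock bump is a conscious step. The `pia.inputs.nixpkgs.follows = "nixpkgs";` line is the right call — it keeps a second nixpkgs out of the closure. The `inputs` set these lines sit in starts before the hunk.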
@@ -101,11 +105,12 @@ nixosConfigurations = { launchpad = nixpkgs.lib.nixosSystem { - specialArgs = {inherit inputs outputs systemSettings userSettings lib agenix ;}; + specialArgs = {inherit inputs outputs systemSettings userSettings lib agenix pia ;}; modules = [ # kmonad.nixosModules.default musnix.nixosModules.musnix agenix.nixosModules.default + pia.nixosModules."x86_64-linux".default ./configuration.nix # nix-ld.nixosModules.nix-ld diff --git a/hm/home.nix b/hm/home.nix index 5fbdb4d..d374e46 100644 --- a/hm/home.nix +++ b/hm/home.nix @@ -1,6 +1,18 @@ # Last stable generation 359 10/13/24 # home-manager works by soft-linking the software packages configured by the user to /etc/profiles/per-user/your-username and modifying environment variables like PATH to point to this path, thus installing user software packages. -{ inputs, outputs, lib, config, pkgs, systemSettings, userSettings, zen-browser, hyprland, nix-colors, ... }: +{ + inputs, + outputs, + lib, + config, + pkgs, + systemSettings, + userSettings, + zen-browser, + hyprland, + nix-colors, + ... +}: let system = "x86_64-linux"; @@ -139,7 +151,7 @@ in }; }; fonts.fontconfig.enable = true; - # colorScheme = nix-colors.colorSchemes.nord; + # colorScheme = nix-colors.colorSchemes.nord; home.packages = with pkgs; [ zsh bash git stow tmux tmuxPlugins.tmux-fzf diff --git a/modules/containers.nix b/modules/containers.nix index 0719121..41a320a 100644 --- a/modules/containers.nix +++ b/modules/containers.nix @@ -402,6 +402,12 @@ localAddress = "192.168.12.76/24"; hostBridge = "br0"; autoStart = false; + allowedDevices = [ + { + modifier = "rw"; + node = "/dev/net/tun"; + } + ]; bindMounts = { "/var/www" = { hostPath = "/home/wayne/dev/whd/live"; @@ -418,7 +424,7 @@ { networking.firewall = { enable = true; - allowedTCPPorts = [ 22 80 443 1025 3000 3001 8025 8080 2222 3306 ]; + allowedTCPPorts = [ 22 80 443 1025 3000 3001 41641 8025 8080 2222 3306 ]; }; networking = { enableIPv6 = false; 
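Review bot: The `allowedDevices` entry granting the container `rw` on `/dev/net/tun` carries no explanation of why a container bridged onto the LAN (`hostBridge = "br0"`, `localAddress = "192.168.12.76/24"` in the context lines) may now create TUN interfaces; presumably it is for the `services.tailscale` block added to this file further down in the patch, but a reader of this hunk alone cannot tell. Add `# /dev/net/tun: required by services.tailscale in this container (kernel TUN mode)` above the entry so the grant is revisited if Tailscale ever moves to userspace networking. The container definition continues past the hunk.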
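Review bot: Adding 41641 to `allowedTCPPorts` opens a TCP port that nothing listens on, because Tailscale's WireGuard listener on 41641 is UDP; the `services.tailscale` block added later in this file already sets `openFirewall = true`, which opens the UDP port by itself. Drop the entry and restore `allowedTCPPorts = [ 22 80 443 1025 3000 3001 8025 8080 2222 3306 ];`. The enclosing container config block continues beyond the hunk.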
@@ -445,6 +451,15 @@ }; }; + services.tailscale = { + enable = true; + package = pkgs.tailscale; + interfaceName = "tailscale0"; + openFirewall = true; + port = 41641; + useRoutingFeatures = "server"; + }; + services.openssh = { enable = true; ports = [ 22 ]; diff --git a/modules/security.nix b/modules/security.nix index 897e7d8..9c6226d 100644 --- a/modules/security.nix +++ b/modules/security.nix @@ -1,6 +1,6 @@ { pkgs, ... }: { - security.polkit = { + security.polkit = { enable = true; extraConfig = '' polkit.addRule(function (action, subject) { @@ -74,6 +74,7 @@ }; age = { + identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; secrets = { nextcloud = { file = ../secrets/nextcloud.age; @@ -84,6 +85,9 @@ onlyoffice = { file = ../secrets/onlyoffice-jwt.age; }; + pia = { + file = ../secrets/pia.age; + }; }; }; } diff --git a/secrets/pia.age b/secrets/pia.age new file mode 100644 index 0000000..6ddee04 --- /dev/null +++ b/secrets/pia.age @@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> ssh-rsa 28puQg +JGtoK7DucZvBPjewFHiFnOKOTjIaSOGfRJybUD14VcHRk0uiSfXidkp/Gf/wf3KJ +narocC7/qcVIdHWiMe+TbNcE/Kcly3BUpW7w7QFIxJ3+X49TttE4/VcTp5QJ2nbV +Wm5q+Kd9IG2B2Bt/8BmQCiwOkoo+ps3mub4xY2yBmuPo8kvZhMdnwEx2NLQy9CiC +JOtd77ZpmsETuBOodu/4eAIxqfS+qooZVUkc/mzywOgCjMU94YLrwGxt1iwdTXMX +xEtm9rd3W2Sjj7ksh6G+rFarg5NODSMc/7LIoiQui6w9ytRsu3FukS8dhYe92Yep +rw+2Jmz5FHLiVdfh9ZTzEOGVojGlHVJpthZPWUGHsWH1+p9FXbPCYThGVSzWZh/2 +vj6/5C/xpN3yzVoQtVqu/svrSH8Ls9cBJpo2yqopS85nzwjnA/ypkHrXQ4QUaZQg +upzsNc7EAaY91CIBGxyattGODJ+bRuehVgo/xpb+W9fwFVkvP6wm3UiTJwFsKwE6 +pdusUwqzyhcvhm8lGj5H0JW5jvEd+UjpVBHc1+DC2vLeqwuUzo/Ya5qNTBrNwdKT +nkXyyiXuTdRJ5lkcM9xjY0vikNN348dURVIB1Ub+iTG85Pg4IdBgR2S5s01L/b4n +c0vOvWf3jcx/SkZoKgiYjiWYoIXVRrAlcVnwXJ09h+8 +-> ssh-ed25519 rxYdLA jMpoBVQ9mBa2Rtyx9EeEGHYKlXYlmTAw0uR+5Jbclyc +xibncpFqofpBcebRdwALgdjJlUIO4dY7kJYXMB2P9xc +--- eM2ZXQ4YYbeGThU1RChJ1Qmn2NwknMc7jOqd264rHGI +*OÁ¨„CEŽñBò÷èŠú°U`c2i’þ«<8“ HëÛÑWÁ|^¥b'2Nµ.Ý– \ No newline at end of file 
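Review bot: `useRoutingFeatures = "server";` enables the IPv4/IPv6 forwarding sysctls for this container, which, judging by the earlier hunk in this file, sits on `br0` with a LAN address — so once `tailscale up --advertise-routes` is run and approved in the admin console it becomes a path from the tailnet into 192.168.12.0/24. If that is intended, say so in a comment and back it with a tailnet ACL; if only the container itself needs to be reachable, leave the option at its default `"none"`. Whether the sysctl even takes effect inside an unprivileged nixos-container is not clear from here; check `sysctl net.ipv4.conf.all.forwarding` inside the container after deploying. `package = pkgs.tailscale;` and `port = 41641;` restate the module defaults and can be removed.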
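Review bot: `identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` replaces agenix's default identity list, so the host's RSA key is no longer tried at activation; every pre-existing secret (nextcloud.age, onlyoffice-jwt.age, whayes.age) must therefore already be encrypted to the ed25519 host key, or the next `nixos-rebuild switch` fails to decrypt them. The new pia.age does carry an ssh-ed25519 recipient, but which key `launchpad` in secrets/secrets.nix denotes is not visible here — verify with `agenix -d secrets/nextcloud.age -i /etc/ssh/ssh_host_ed25519_key` on the host before deploying. A comment such as `# host key; must be the "launchpad" recipient in secrets/secrets.nix` would make the coupling explicit.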
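Review bot: The `pia` secret is declared with only `file`, so it takes agenix's defaults (owner root, mode 0400, decrypted to /run/agenix/pia); that is appropriate for a VPN credential, but it means the consumer configured in configuration.nix (`authUserPassFile`) must be read as root — confirm that the pia.nix module's service does not run as an unprivileged user, and if it does, add `owner`/`group` here instead of widening `mode`. The `age.secrets` set this entry belongs to begins before the hunk.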
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index f162419..185df10 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -11,4 +11,5 @@ in
 "nextcloud.age".publicKeys = [ nextcloud wayne launchpad ];
 "onlyoffice-jwt.age".publicKeys = [ onlyoffice wayne launchpad ];
 "whayes.age".publicKeys = [ wayne launchpad ];
-}
\ No newline at end of file
+ "pia.age".publicKeys = [ wayne launchpad ];
+}