PIA w/agenix added.

configuration.nix

@@ -1,13 +1,23 @@
 # NixOS's declarative configuration calculates which software packages need to be installed and then soft-links the storage paths of these packages in the Nix Store to /run/current-system, and by modifying environment variables like PATH
-{ lib, config, pkgs, zen-browser, hyprland, inputs, agenix, pkgs-unstable, ... }:
+{
+  lib,
+  config,
+  pkgs,
+  zen-browser,
+  hyprland,
+  inputs,
+  agenix,
+  pkgs-unstable,
+  pia,
+  ...
+}:
 let
   unstable = import <nixpkgs> {
     overlays = pkgs.overlays;
   };
 in
 {
-  imports =
+  imports = [
-    [
     ./environment.nix
     ./hardware-configuration.nix
 
@@ -137,11 +147,15 @@ in
       #media-session.enable = true;
       # wireplumber.enable = true;
     };
-    hardware.openrgb = {
+    # hardware.openrgb = {
+    #   enable = false;
+    #   package = pkgs.openrgb-with-all-plugins;
+    #   motherboard = "intel";
+    #   server.port = 6742;
+    # };
+    pia = {
       enable = true;
-      package = pkgs.openrgb-with-all-plugins;
+      authUserPassFile = config.age.secrets.pia.path;
-      motherboard = "intel";
-      server.port = 6742;
     };
   };
 

flake.lock

@@ -127,6 +127,24 @@
         "type": "github"
       }
     },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": "systems_3"
+      },
+      "locked": {
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
     "fromYaml": {
       "flake": false,
       "locked": {
@@ -332,6 +350,27 @@
         "type": "github"
       }
     },
+    "pia": {
+      "inputs": {
+        "flake-utils": "flake-utils_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1730809692,
+        "narHash": "sha256-L2nzuQOK36xYcY6hQ3+waIFd0lWGlz7YTBnUCgV5Ox4=",
+        "owner": "Fuwn",
+        "repo": "pia.nix",
+        "rev": "445e82bd030080fb250f83805a7cc2feeea174c9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Fuwn",
+        "repo": "pia.nix",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "agenix": "agenix",
@@ -345,6 +384,7 @@
         "nix-colors": "nix-colors",
         "nixpkgs": "nixpkgs_3",
         "nixpkgs-unstable": "nixpkgs-unstable",
+        "pia": "pia",
         "tt-schemes": "tt-schemes",
         "zen-browser": "zen-browser"
       }
@@ -379,6 +419,21 @@
         "type": "github"
       }
     },
+    "systems_3": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "tt-schemes": {
       "flake": false,
       "locked": {

flake.nix

@@ -45,6 +45,9 @@
   #     inputs.nixpkgs.follows = "nixpkgs";
   #   };
     agenix.url = "github:ryantm/agenix";
+    # PIA
+    pia.url = "github:Fuwn/pia.nix";
+    pia.inputs.nixpkgs.follows = "nixpkgs";
 
     musnix.url = "github:musnix/musnix";
   };
@@ -63,6 +66,7 @@
     agenix,
     # nix-ld,
     musnix,
+    pia,
      ...
   } @ inputs:
   let
@@ -101,11 +105,12 @@
 
     nixosConfigurations = {
       launchpad = nixpkgs.lib.nixosSystem {
-        specialArgs = {inherit inputs outputs systemSettings userSettings lib agenix ;};
+        specialArgs = {inherit inputs outputs systemSettings userSettings lib agenix pia ;};
         modules = [
           # kmonad.nixosModules.default
           musnix.nixosModules.musnix
           agenix.nixosModules.default
+          pia.nixosModules."x86_64-linux".default
           ./configuration.nix
           # nix-ld.nixosModules.nix-ld
 

hm/home.nix

@@ -1,6 +1,18 @@
 # Last stable generation 359 10/13/24
 # home-manager works by soft-linking the software packages configured by the user to /etc/profiles/per-user/your-username and modifying environment variables like PATH to point to this path, thus installing user software packages.
-{ inputs, outputs, lib, config, pkgs, systemSettings, userSettings, zen-browser, hyprland, nix-colors, ... }:
+{
+  inputs,
+  outputs,
+  lib,
+  config,
+  pkgs,
+  systemSettings,
+  userSettings,
+  zen-browser,
+  hyprland,
+  nix-colors,
+  ...
+}:
 let
   system = "x86_64-linux";
 

modules/containers.nix

@@ -402,6 +402,12 @@
       localAddress = "192.168.12.76/24";
       hostBridge = "br0";
       autoStart = false;
+      allowedDevices = [
+        {
+          modifier = "rw";
+          node = "/dev/net/tun";
+        }
+      ];
       bindMounts = {
         "/var/www" = {
           hostPath = "/home/wayne/dev/whd/live";
@@ -418,7 +424,7 @@
       {
         networking.firewall = {
           enable = true;
-          allowedTCPPorts = [ 22 80 443 1025 3000 3001 8025 8080 2222 3306 ];
+          allowedTCPPorts = [ 22 80 443 1025 3000 3001 41641 8025 8080 2222 3306 ];
         };
         networking = {
           enableIPv6 = false;
@@ -445,6 +451,15 @@
           };
         };
 
+        services.tailscale = {
+          enable = true;
+          package = pkgs.tailscale;
+          interfaceName = "tailscale0";
+          openFirewall = true;
+          port = 41641;
+          useRoutingFeatures = "server";
+        };
+
         services.openssh = {
           enable = true;
           ports = [ 22 ];

modules/security.nix

@@ -74,6 +74,7 @@
   };
 
   age = {
+    identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
     secrets = {
       nextcloud = {
         file = ../secrets/nextcloud.age;
@@ -84,6 +85,9 @@
       onlyoffice = {
         file = ../secrets/onlyoffice-jwt.age;
       };
+      pia = {
+        file = ../secrets/pia.age;
+      };
     };
   };
 }

secrets/pia.age

@@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> ssh-rsa 28puQg
+JGtoK7DucZvBPjewFHiFnOKOTjIaSOGfRJybUD14VcHRk0uiSfXidkp/Gf/wf3KJ
+narocC7/qcVIdHWiMe+TbNcE/Kcly3BUpW7w7QFIxJ3+X49TttE4/VcTp5QJ2nbV
+Wm5q+Kd9IG2B2Bt/8BmQCiwOkoo+ps3mub4xY2yBmuPo8kvZhMdnwEx2NLQy9CiC
+JOtd77ZpmsETuBOodu/4eAIxqfS+qooZVUkc/mzywOgCjMU94YLrwGxt1iwdTXMX
+xEtm9rd3W2Sjj7ksh6G+rFarg5NODSMc/7LIoiQui6w9ytRsu3FukS8dhYe92Yep
+rw+2Jmz5FHLiVdfh9ZTzEOGVojGlHVJpthZPWUGHsWH1+p9FXbPCYThGVSzWZh/2
+vj6/5C/xpN3yzVoQtVqu/svrSH8Ls9cBJpo2yqopS85nzwjnA/ypkHrXQ4QUaZQg
+upzsNc7EAaY91CIBGxyattGODJ+bRuehVgo/xpb+W9fwFVkvP6wm3UiTJwFsKwE6
+pdusUwqzyhcvhm8lGj5H0JW5jvEd+UjpVBHc1+DC2vLeqwuUzo/Ya5qNTBrNwdKT
+nkXyyiXuTdRJ5lkcM9xjY0vikNN348dURVIB1Ub+iTG85Pg4IdBgR2S5s01L/b4n
+c0vOvWf3jcx/SkZoKgiYjiWYoIXVRrAlcVnwXJ09h+8
+-> ssh-ed25519 rxYdLA jMpoBVQ9mBa2Rtyx9EeEGHYKlXYlmTAw0uR+5Jbclyc
+xibncpFqofpBcebRdwALgdjJlUIO4dY7kJYXMB2P9xc
+--- eM2ZXQ4YYbeGThU1RChJ1Qmn2NwknMc7jOqd264rHGI
+*OÁ¨„CEŽñBò÷èŠú°U`c2i’þ«<8“ HëÛÑW<>Á|^¥b'2Nµ.Ý–

secrets/secrets.nix

@@ -11,4 +11,5 @@ in
   "nextcloud.age".publicKeys = [ nextcloud wayne launchpad ];
   "onlyoffice-jwt.age".publicKeys = [ onlyoffice wayne launchpad ];
   "whayes.age".publicKeys = [ wayne launchpad ];
+  "pia.age".publicKeys = [ wayne launchpad ];
 }