Hiden secrets

PIA w/agenix added.
Tailscale added.
2024-12-03 12:15:26 -08:00 · 2024-12-03 12:15:26 -08:00 · 2024-12-03 12:15:26 -08:00
15 changed files with 179 additions and 35 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -1,13 +1,23 @@
 # NixOS's declarative configuration calculates which software packages need to be installed and then soft-links the storage paths of these packages in the Nix Store to /run/current-system, and by modifying environment variables like PATH
-{ lib, config, pkgs, zen-browser, hyprland, inputs, agenix, pkgs-unstable, ... }:
+{
  lib,
  config,
  pkgs,
  zen-browser,
  hyprland,
  inputs,
  agenix,
  pkgs-unstable,
  pia,
  ...
 }:
 let
  unstable = import <nixpkgs> {
    overlays = pkgs.overlays;
  };
 in
 {
-  imports =
+  imports = [
    [
    ./environment.nix
    ./hardware-configuration.nix
@ -21,6 +31,7 @@ in
    ./modules/nix.nix
    # ./modules/qt.nix
    ./modules/security.nix
    ./modules/tailscale.nix
    ./modules/users.nix
    ./modules/wm.nix
    ./modules/xdg.nix
@ -136,11 +147,15 @@ in
      #media-session.enable = true;
      # wireplumber.enable = true;
    };
-    hardware.openrgb = {
+    # hardware.openrgb = {
    #   enable = false;
    #   package = pkgs.openrgb-with-all-plugins;
    #   motherboard = "intel";
    #   server.port = 6742;
    # };
    pia = {
      enable = true;
-      package = pkgs.openrgb-with-all-plugins;
+      authUserPassFile = config.age.secrets.pia.path;
      motherboard = "intel";
      server.port = 6742;
    };
  };
@ -184,6 +199,7 @@ in
    i2c-tools
    android-udev-rules
    tailscale
    logiops
  ];
--- a/flake.lock
+++ b/flake.lock
@ -127,6 +127,24 @@
        "type": "github"
      }
    },
    "flake-utils_2": {
      "inputs": {
        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1726560853,
        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "fromYaml": {
      "flake": false,
      "locked": {
@ -332,6 +350,27 @@
        "type": "github"
      }
    },
    "pia": {
      "inputs": {
        "flake-utils": "flake-utils_2",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1730809692,
        "narHash": "sha256-L2nzuQOK36xYcY6hQ3+waIFd0lWGlz7YTBnUCgV5Ox4=",
        "owner": "Fuwn",
        "repo": "pia.nix",
        "rev": "445e82bd030080fb250f83805a7cc2feeea174c9",
        "type": "github"
      },
      "original": {
        "owner": "Fuwn",
        "repo": "pia.nix",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "agenix": "agenix",
@ -345,6 +384,7 @@
        "nix-colors": "nix-colors",
        "nixpkgs": "nixpkgs_3",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "pia": "pia",
        "tt-schemes": "tt-schemes",
        "zen-browser": "zen-browser"
      }
@ -379,6 +419,21 @@
        "type": "github"
      }
    },
    "systems_3": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "tt-schemes": {
      "flake": false,
      "locked": {
--- a/flake.nix
+++ b/flake.nix
@ -45,6 +45,9 @@
  #     inputs.nixpkgs.follows = "nixpkgs";
  #   };
    agenix.url = "github:ryantm/agenix";
    # PIA
    pia.url = "github:Fuwn/pia.nix";
    pia.inputs.nixpkgs.follows = "nixpkgs";
    musnix.url = "github:musnix/musnix";
  };
@ -63,6 +66,7 @@
    agenix,
    # nix-ld,
    musnix,
    pia,
     ...
  } @ inputs:
  let
@ -101,11 +105,12 @@
    nixosConfigurations = {
      launchpad = nixpkgs.lib.nixosSystem {
-        specialArgs = {inherit inputs outputs systemSettings userSettings lib agenix ;};
+        specialArgs = {inherit inputs outputs systemSettings userSettings lib agenix pia ;};
        modules = [
          # kmonad.nixosModules.default
          musnix.nixosModules.musnix
          agenix.nixosModules.default
          pia.nixosModules."x86_64-linux".default
          ./configuration.nix
          # nix-ld.nixosModules.nix-ld
--- a/hardware-configuration.nix
+++ b/hardware-configuration.nix
@ -22,6 +22,7 @@
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
  boot.initrd.kernelModules = [ "i2c-dev" "i2c-piix4" ];
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1; # Added for Tailscale
  boot.kernel.sysctl."net.ipv6.conf.enp4s0.disable_ipv6" = true;
  boot.kernel.sysctl."net.ipv6.conf.wlp5s0.disable_ipv6" = true;
  boot.kernel.sysctl."net.ipv6.conf.br0.disable_ipv6" = true;
--- a/hm/home.nix
+++ b/hm/home.nix
@ -1,6 +1,18 @@
 # Last stable generation 359 10/13/24
 # home-manager works by soft-linking the software packages configured by the user to /etc/profiles/per-user/your-username and modifying environment variables like PATH to point to this path, thus installing user software packages.
-{ inputs, outputs, lib, config, pkgs, systemSettings, userSettings, zen-browser, hyprland, nix-colors, ... }:
+{
  inputs,
  outputs,
  lib,
  config,
  pkgs,
  systemSettings,
  userSettings,
  zen-browser,
  hyprland,
  nix-colors,
  ...
 }:
 let
  system = "x86_64-linux";
--- a/hm/pkgs/gramming-packages.nix
+++ b/hm/pkgs/gramming-packages.nix
@ -7,7 +7,7 @@ with pkgs;
  #   ];
  # })
  # IDE's
-  sublime3 vscode # vscode.languages.web vscode.languages.python vscode.languages.nix vscode.languages.bash
+  sublime3 sublime-merge vscode # vscode.languages.web vscode.languages.python vscode.languages.nix vscode.languages.bash
  typora obsidian obsidian-export # vimPlugins.obsidian-nvim
  # Lunarvim Dependencies
  gnumake42 nodejs_22 cargo ripgrep cmake
--- a/hm/pkgs/inet-packages.nix
+++ b/hm/pkgs/inet-packages.nix
@ -26,5 +26,5 @@ with pkgs;
  remmina
  mapscii
-  tidal-dl
+  # tidal-dl
 ]
--- a/modules/containers.nix
+++ b/modules/containers.nix
@ -402,6 +402,12 @@
      localAddress = "192.168.12.76/24";
      hostBridge = "br0";
      autoStart = false;
      allowedDevices = [
        {
          modifier = "rw";
          node = "/dev/net/tun";
        }
      ];
      bindMounts = {
        "/var/www" = {
          hostPath = "/home/wayne/dev/whd/live";
@ -418,7 +424,7 @@
      {
        networking.firewall = {
          enable = true;
-          allowedTCPPorts = [ 22 80 443 1025 3000 3001 8025 8080 2222 3306 ];
+          allowedTCPPorts = [ 22 80 443 1025 3000 3001 41641 8025 8080 2222 3306 ];
        };
        networking = {
          enableIPv6 = false;
@ -445,6 +451,15 @@
          };
        };
        services.tailscale = {
          enable = true;
          package = pkgs.tailscale;
          interfaceName = "tailscale0";
          openFirewall = true;
          port = 41641;
          useRoutingFeatures = "server";
        };
        services.openssh = {
          enable = true;
          ports = [ 22 ];
--- a/modules/network.nix
+++ b/modules/network.nix
@ -64,7 +64,8 @@
      extraCommands = ''
      iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
      '';
-      trustedInterfaces = [ "br0" ];
+      trustedInterfaces = [ "br0" "tailscale0" ];
      checkReversePath = "loose"; # Added for Tailscale
    };
    bridges = {
      br0 = {
--- a/modules/security.nix
+++ b/modules/security.nix
@ -70,11 +70,11 @@
      %wheel ALL=(ALL) NOPASSWD: ${pkgs.input-remapper}/bin/input-remapper-service
      %wheel ALL=(ALL) NOPASSWD: ${pkgs.input-remapper}/bin/input-remapper-control
      %wheel ALL=(ALL) NOPASSWD: /run/wrappers/bin/systemctl restart display-manager
    '';
  };
  age = {
    identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    secrets = {
      nextcloud = {
        file = ../secrets/nextcloud.age;
@ -85,6 +85,9 @@
      onlyoffice = {
        file = ../secrets/onlyoffice-jwt.age;
      };
      pia = {
        file = ../secrets/pia.age;
      };
    };
  };
 }
--- a/modules/tailscale.nix
+++ b/modules/tailscale.nix
@ -0,0 +1,15 @@
 { pkgs, ... }:
 {
  services.tailscale = {
    enable = true;
    package = pkgs.tailscale;
    interfaceName = "tailscale0";
    openFirewall = true;
    port = 41641;
    useRoutingFeatures = "both";
    extraSetFlags = [
      "--advertise-routes=192.168.12.0/24"
    ];
  };
 }
--- a/pkgs/wm/hyprland/hyprland.nix
+++ b/pkgs/wm/hyprland/hyprland.nix
@ -244,10 +244,10 @@
        # "${config.home.homeDirectory}/.config/hypr/scripts/start-in-tray.sh"
        "${config.home.homeDirectory}/.config/hypr/scripts/start-keybase-gui.sh"
-        # "[workspace 4 silent] remmina -c rdp://wayne@xeon.local"
+        "[workspace 4 silent] remmina -c rdp://wayne@xeon.local"
        "[workspace 7 silent] sublime3"
-        "[workspace 9 silentl] keepassxc"
+        "[workspace 9 silent] keepassxc"
        "[workspace 9 silent] /home/wayne/.nix-profile/bin/nextcloud --background"
        "[workspace 9 silent] /nix/store/104jb5a21d1d338zkl1f07si6brsmrk2-keybase-gui-6.2.4/bin/keybase-gui %u &"
--- a/secrets/.gitmodules
+++ b/secrets/.gitmodules
@ -0,0 +1,3 @@
 [submodule "secrets"]
  path = secrets
  url = ../secrets.git
--- a/secrets/pia.age
+++ b/secrets/pia.age
@ -0,0 +1,17 @@
 age-encryption.org/v1
 -> ssh-rsa 28puQg
 JGtoK7DucZvBPjewFHiFnOKOTjIaSOGfRJybUD14VcHRk0uiSfXidkp/Gf/wf3KJ
 narocC7/qcVIdHWiMe+TbNcE/Kcly3BUpW7w7QFIxJ3+X49TttE4/VcTp5QJ2nbV
 Wm5q+Kd9IG2B2Bt/8BmQCiwOkoo+ps3mub4xY2yBmuPo8kvZhMdnwEx2NLQy9CiC
 JOtd77ZpmsETuBOodu/4eAIxqfS+qooZVUkc/mzywOgCjMU94YLrwGxt1iwdTXMX
 xEtm9rd3W2Sjj7ksh6G+rFarg5NODSMc/7LIoiQui6w9ytRsu3FukS8dhYe92Yep
 rw+2Jmz5FHLiVdfh9ZTzEOGVojGlHVJpthZPWUGHsWH1+p9FXbPCYThGVSzWZh/2
 vj6/5C/xpN3yzVoQtVqu/svrSH8Ls9cBJpo2yqopS85nzwjnA/ypkHrXQ4QUaZQg
 upzsNc7EAaY91CIBGxyattGODJ+bRuehVgo/xpb+W9fwFVkvP6wm3UiTJwFsKwE6
 pdusUwqzyhcvhm8lGj5H0JW5jvEd+UjpVBHc1+DC2vLeqwuUzo/Ya5qNTBrNwdKT
 nkXyyiXuTdRJ5lkcM9xjY0vikNN348dURVIB1Ub+iTG85Pg4IdBgR2S5s01L/b4n
 c0vOvWf3jcx/SkZoKgiYjiWYoIXVRrAlcVnwXJ09h+8
 -> ssh-ed25519 rxYdLA jMpoBVQ9mBa2Rtyx9EeEGHYKlXYlmTAw0uR+5Jbclyc
 xibncpFqofpBcebRdwALgdjJlUIO4dY7kJYXMB2P9xc
 --- eM2ZXQ4YYbeGThU1RChJ1Qmn2NwknMc7jOqd264rHGI
 *OÁ¨„CEŽñBò÷èŠú°U`c2i’þ«<8“ HëÛÑW<>Á|^¥b'2Nµ.Ý–
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -11,4 +11,5 @@ in
  "nextcloud.age".publicKeys = [ nextcloud wayne launchpad ];
  "onlyoffice-jwt.age".publicKeys = [ onlyoffice wayne launchpad ];
  "whayes.age".publicKeys = [ wayne launchpad ];
  "pia.age".publicKeys = [ wayne launchpad ];
 }
Author	SHA1	Message	Date
wayne	18d7e1cf09	Hiden secrets	2024-12-03 12:15:26 -08:00
wayne	77ecbd3071	PIA w/agenix added.	2024-12-03 12:15:26 -08:00
wayne	a1e986b617	Tailscale added.	2024-12-03 12:15:26 -08:00