Hiden secrets

PIA w/agenix added.
Tailscale added.
2024-12-03 12:15:26 -08:00 · 2024-12-03 12:15:26 -08:00 · 2024-12-03 12:15:26 -08:00
15 changed files with 179 additions and 35 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -1,13 +1,23 @@
 # NixOS's declarative configuration calculates which software packages need to be installed and then soft-links the storage paths of these packages in the Nix Store to /run/current-system, and by modifying environment variables like PATH
-{ lib, config, pkgs, zen-browser, hyprland, inputs, agenix, pkgs-unstable, ... }:
+{
+  lib,
+  config,
+  pkgs,
+  zen-browser,
+  hyprland,
+  inputs,
+  agenix,
+  pkgs-unstable,
+  pia,
+  ...
+}:
 let
  unstable = import <nixpkgs> {
    overlays = pkgs.overlays;
  };
 in
 {
-  imports =
-    [
+  imports = [
    ./environment.nix
    ./hardware-configuration.nix

@ -21,6 +31,7 @@ in
    ./modules/nix.nix
    # ./modules/qt.nix
    ./modules/security.nix
+    ./modules/tailscale.nix
    ./modules/users.nix
    ./modules/wm.nix
    ./modules/xdg.nix
@ -136,11 +147,15 @@ in
      #media-session.enable = true;
      # wireplumber.enable = true;
    };
-    hardware.openrgb = {
+    # hardware.openrgb = {
+    #   enable = false;
+    #   package = pkgs.openrgb-with-all-plugins;
+    #   motherboard = "intel";
+    #   server.port = 6742;
+    # };
+    pia = {
      enable = true;
-      package = pkgs.openrgb-with-all-plugins;
-      motherboard = "intel";
-      server.port = 6742;
+      authUserPassFile = config.age.secrets.pia.path;
    };
  };

@ -184,6 +199,7 @@ in

    i2c-tools
    android-udev-rules
+    tailscale

    logiops
  ];
--- a/flake.lock
+++ b/flake.lock
@ -127,6 +127,24 @@
        "type": "github"
      }
    },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": "systems_3"
+      },
+      "locked": {
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
    "fromYaml": {
      "flake": false,
      "locked": {
@ -332,6 +350,27 @@
        "type": "github"
      }
    },
+    "pia": {
+      "inputs": {
+        "flake-utils": "flake-utils_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1730809692,
+        "narHash": "sha256-L2nzuQOK36xYcY6hQ3+waIFd0lWGlz7YTBnUCgV5Ox4=",
+        "owner": "Fuwn",
+        "repo": "pia.nix",
+        "rev": "445e82bd030080fb250f83805a7cc2feeea174c9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Fuwn",
+        "repo": "pia.nix",
+        "type": "github"
+      }
+    },
    "root": {
      "inputs": {
        "agenix": "agenix",
@ -345,6 +384,7 @@
        "nix-colors": "nix-colors",
        "nixpkgs": "nixpkgs_3",
        "nixpkgs-unstable": "nixpkgs-unstable",
+        "pia": "pia",
        "tt-schemes": "tt-schemes",
        "zen-browser": "zen-browser"
      }
@ -379,6 +419,21 @@
        "type": "github"
      }
    },
+    "systems_3": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
    "tt-schemes": {
      "flake": false,
      "locked": {
--- a/flake.nix
+++ b/flake.nix
@ -45,6 +45,9 @@
  #     inputs.nixpkgs.follows = "nixpkgs";
  #   };
    agenix.url = "github:ryantm/agenix";
+    # PIA
+    pia.url = "github:Fuwn/pia.nix";
+    pia.inputs.nixpkgs.follows = "nixpkgs";

    musnix.url = "github:musnix/musnix";
  };
@ -63,6 +66,7 @@
    agenix,
    # nix-ld,
    musnix,
+    pia,
     ...
  } @ inputs:
  let
@ -101,11 +105,12 @@

    nixosConfigurations = {
      launchpad = nixpkgs.lib.nixosSystem {
-        specialArgs = {inherit inputs outputs systemSettings userSettings lib agenix ;};
+        specialArgs = {inherit inputs outputs systemSettings userSettings lib agenix pia ;};
        modules = [
          # kmonad.nixosModules.default
          musnix.nixosModules.musnix
          agenix.nixosModules.default
+          pia.nixosModules."x86_64-linux".default
          ./configuration.nix
          # nix-ld.nixosModules.nix-ld

--- a/hardware-configuration.nix
+++ b/hardware-configuration.nix
@ -22,6 +22,7 @@

  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
  boot.initrd.kernelModules = [ "i2c-dev" "i2c-piix4" ];
+  boot.kernel.sysctl."net.ipv4.ip_forward" = 1; # Added for Tailscale
  boot.kernel.sysctl."net.ipv6.conf.enp4s0.disable_ipv6" = true;
  boot.kernel.sysctl."net.ipv6.conf.wlp5s0.disable_ipv6" = true;
  boot.kernel.sysctl."net.ipv6.conf.br0.disable_ipv6" = true;
--- a/hm/home.nix
+++ b/hm/home.nix
@ -1,6 +1,18 @@
 # Last stable generation 359 10/13/24
 # home-manager works by soft-linking the software packages configured by the user to /etc/profiles/per-user/your-username and modifying environment variables like PATH to point to this path, thus installing user software packages.
-{ inputs, outputs, lib, config, pkgs, systemSettings, userSettings, zen-browser, hyprland, nix-colors, ... }:
+{
+  inputs,
+  outputs,
+  lib,
+  config,
+  pkgs,
+  systemSettings,
+  userSettings,
+  zen-browser,
+  hyprland,
+  nix-colors,
+  ...
+}:
 let
  system = "x86_64-linux";

--- a/hm/pkgs/gramming-packages.nix
+++ b/hm/pkgs/gramming-packages.nix
@ -7,7 +7,7 @@ with pkgs;
  #   ];
  # })
  # IDE's
-  sublime3 vscode # vscode.languages.web vscode.languages.python vscode.languages.nix vscode.languages.bash
+  sublime3 sublime-merge vscode # vscode.languages.web vscode.languages.python vscode.languages.nix vscode.languages.bash
  typora obsidian obsidian-export # vimPlugins.obsidian-nvim
  # Lunarvim Dependencies
  gnumake42 nodejs_22 cargo ripgrep cmake
--- a/hm/pkgs/inet-packages.nix
+++ b/hm/pkgs/inet-packages.nix
@ -26,5 +26,5 @@ with pkgs;
  remmina

  mapscii
-  tidal-dl
+  # tidal-dl
 ]
--- a/modules/containers.nix
+++ b/modules/containers.nix
@ -402,6 +402,12 @@
      localAddress = "192.168.12.76/24";
      hostBridge = "br0";
      autoStart = false;
+      allowedDevices = [
+        {
+          modifier = "rw";
+          node = "/dev/net/tun";
+        }
+      ];
      bindMounts = {
        "/var/www" = {
          hostPath = "/home/wayne/dev/whd/live";
@ -418,7 +424,7 @@
      {
        networking.firewall = {
          enable = true;
-          allowedTCPPorts = [ 22 80 443 1025 3000 3001 8025 8080 2222 3306 ];
+          allowedTCPPorts = [ 22 80 443 1025 3000 3001 41641 8025 8080 2222 3306 ];
        };
        networking = {
          enableIPv6 = false;
@ -445,6 +451,15 @@
          };
        };

+        services.tailscale = {
+          enable = true;
+          package = pkgs.tailscale;
+          interfaceName = "tailscale0";
+          openFirewall = true;
+          port = 41641;
+          useRoutingFeatures = "server";
+        };
+
        services.openssh = {
          enable = true;
          ports = [ 22 ];
--- a/modules/network.nix
+++ b/modules/network.nix
@ -64,7 +64,8 @@
      extraCommands = ''
      iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
      '';
-      trustedInterfaces = [ "br0" ];
+      trustedInterfaces = [ "br0" "tailscale0" ];
+      checkReversePath = "loose"; # Added for Tailscale
    };
    bridges = {
      br0 = {
--- a/modules/security.nix
+++ b/modules/security.nix
@ -70,11 +70,11 @@
      %wheel ALL=(ALL) NOPASSWD: ${pkgs.input-remapper}/bin/input-remapper-service
      %wheel ALL=(ALL) NOPASSWD: ${pkgs.input-remapper}/bin/input-remapper-control
      %wheel ALL=(ALL) NOPASSWD: /run/wrappers/bin/systemctl restart display-manager
-
    '';
  };

  age = {
+    identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    secrets = {
      nextcloud = {
        file = ../secrets/nextcloud.age;
@ -85,6 +85,9 @@
      onlyoffice = {
        file = ../secrets/onlyoffice-jwt.age;
      };
+      pia = {
+        file = ../secrets/pia.age;
+      };
    };
  };
 }
--- a/modules/tailscale.nix
+++ b/modules/tailscale.nix
@ -0,0 +1,15 @@
+{ pkgs, ... }:
+
+{
+  services.tailscale = {
+    enable = true;
+    package = pkgs.tailscale;
+    interfaceName = "tailscale0";
+    openFirewall = true;
+    port = 41641;
+    useRoutingFeatures = "both";
+    extraSetFlags = [
+      "--advertise-routes=192.168.12.0/24"
+    ];
+  };
+}
--- a/pkgs/wm/hyprland/hyprland.nix
+++ b/pkgs/wm/hyprland/hyprland.nix
@ -244,10 +244,10 @@
        # "${config.home.homeDirectory}/.config/hypr/scripts/start-in-tray.sh"
        "${config.home.homeDirectory}/.config/hypr/scripts/start-keybase-gui.sh"

-        # "[workspace 4 silent] remmina -c rdp://wayne@xeon.local"
+        "[workspace 4 silent] remmina -c rdp://wayne@xeon.local"

        "[workspace 7 silent] sublime3"
-        "[workspace 9 silentl] keepassxc"
+        "[workspace 9 silent] keepassxc"
        "[workspace 9 silent] /home/wayne/.nix-profile/bin/nextcloud --background"
        "[workspace 9 silent] /nix/store/104jb5a21d1d338zkl1f07si6brsmrk2-keybase-gui-6.2.4/bin/keybase-gui %u &"

--- a/secrets/.gitmodules
+++ b/secrets/.gitmodules
@ -0,0 +1,3 @@
+[submodule "secrets"]
+  path = secrets
+  url = ../secrets.git
--- a/secrets/pia.age
+++ b/secrets/pia.age
@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> ssh-rsa 28puQg
+JGtoK7DucZvBPjewFHiFnOKOTjIaSOGfRJybUD14VcHRk0uiSfXidkp/Gf/wf3KJ
+narocC7/qcVIdHWiMe+TbNcE/Kcly3BUpW7w7QFIxJ3+X49TttE4/VcTp5QJ2nbV
+Wm5q+Kd9IG2B2Bt/8BmQCiwOkoo+ps3mub4xY2yBmuPo8kvZhMdnwEx2NLQy9CiC
+JOtd77ZpmsETuBOodu/4eAIxqfS+qooZVUkc/mzywOgCjMU94YLrwGxt1iwdTXMX
+xEtm9rd3W2Sjj7ksh6G+rFarg5NODSMc/7LIoiQui6w9ytRsu3FukS8dhYe92Yep
+rw+2Jmz5FHLiVdfh9ZTzEOGVojGlHVJpthZPWUGHsWH1+p9FXbPCYThGVSzWZh/2
+vj6/5C/xpN3yzVoQtVqu/svrSH8Ls9cBJpo2yqopS85nzwjnA/ypkHrXQ4QUaZQg
+upzsNc7EAaY91CIBGxyattGODJ+bRuehVgo/xpb+W9fwFVkvP6wm3UiTJwFsKwE6
+pdusUwqzyhcvhm8lGj5H0JW5jvEd+UjpVBHc1+DC2vLeqwuUzo/Ya5qNTBrNwdKT
+nkXyyiXuTdRJ5lkcM9xjY0vikNN348dURVIB1Ub+iTG85Pg4IdBgR2S5s01L/b4n
+c0vOvWf3jcx/SkZoKgiYjiWYoIXVRrAlcVnwXJ09h+8
+-> ssh-ed25519 rxYdLA jMpoBVQ9mBa2Rtyx9EeEGHYKlXYlmTAw0uR+5Jbclyc
+xibncpFqofpBcebRdwALgdjJlUIO4dY7kJYXMB2P9xc
+--- eM2ZXQ4YYbeGThU1RChJ1Qmn2NwknMc7jOqd264rHGI
+*OÁ¨„CEŽñBò÷èŠú°U`c2i’þ«<8“ HëÛÑW<>Á|^¥b'2Nµ.Ý–
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -11,4 +11,5 @@ in
  "nextcloud.age".publicKeys = [ nextcloud wayne launchpad ];
  "onlyoffice-jwt.age".publicKeys = [ onlyoffice wayne launchpad ];
  "whayes.age".publicKeys = [ wayne launchpad ];
+  "pia.age".publicKeys = [ wayne launchpad ];
 }
Author	SHA1	Message	Date
wayne	18d7e1cf09	Hiden secrets	2024-12-03 12:15:26 -08:00
wayne	77ecbd3071	PIA w/agenix added.	2024-12-03 12:15:26 -08:00
wayne	a1e986b617	Tailscale added.	2024-12-03 12:15:26 -08:00