Compare commits

..

5 commits

10 changed files with 260 additions and 63 deletions

View file

@ -88,11 +88,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1717664902, "lastModified": 1718879355,
"narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=", "narHash": "sha256-RTyqP4fBX2MdhNuMP+fnR3lIwbdtXhyj7w7fwtvgspc=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1", "rev": "8cd35b9496d21a6c55164d8547d9d5280162b07a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -152,11 +152,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1717527182, "lastModified": 1718530513,
"narHash": "sha256-vWSkg6AMok1UUQiSYVdGMOXKD2cDFnajITiSi0Zjd1A=", "narHash": "sha256-BmO8d0r+BVlwWtMLQEYnwmngqdXIuyFzMwvmTcLMee8=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "845a5c4c073f74105022533907703441e0464bc3", "rev": "a1fddf0967c33754271761d91a3d921772b30d0e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -182,11 +182,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1717181720, "lastModified": 1718450675,
"narHash": "sha256-yv+QZWsusu/NWjydkxixHC2g+tIJ9v+xkE2EiVpJj6g=", "narHash": "sha256-jpsns6buS4bK+1sF8sL8AaixAiCRjA+nldTKvcwmvUs=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprcursor", "repo": "hyprcursor",
"rev": "9e27a2c2ceb1e0b85bd55b0afefad196056fe87c", "rev": "66d5b46ff94efbfa6fa3d1d1b66735f1779c34a6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -206,11 +206,11 @@
"xdph": "xdph" "xdph": "xdph"
}, },
"locked": { "locked": {
"lastModified": 1718313803, "lastModified": 1719150233,
"narHash": "sha256-xyptaxC172FB/m4fSCSEYaCVYp6e8IWLDHvDLiSuu6M=", "narHash": "sha256-HOt6FGQdTRIitp5agm3tnZ/4OYM6RG6KOm3UGMntlrY=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "8055b1c00a102f5419e40f5eddfb6ee8be693f33", "rev": "e09addf8dede9a8e7f2dd0e5bb414d3a0d5dc471",
"revCount": 4822, "revCount": 4878,
"submodules": true, "submodules": true,
"type": "git", "type": "git",
"url": "https://github.com/hyprwm/Hyprland" "url": "https://github.com/hyprwm/Hyprland"
@ -228,11 +228,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1716228712, "lastModified": 1718476555,
"narHash": "sha256-y+LOXuSRMfkR2Vfwl5K2NVrszi1h5MJpML+msLnVS8U=", "narHash": "sha256-fuWpgh8KasByIJWE+xVd37Al0LV5YAn6s871T50qVY0=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "contrib", "repo": "contrib",
"rev": "33b38358559054d316eb605ccb733980dfa7dc63", "rev": "29a8374f4b9206d5c4af84aceb7fb5dff441ea60",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -255,11 +255,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1691753796, "lastModified": 1714869498,
"narHash": "sha256-zOEwiWoXk3j3+EoF3ySUJmberFewWlagvewDRuWYAso=", "narHash": "sha256-vbLVOWvQqo4n1yvkg/Q70VTlPbMmTiCQfNTgcWDCfJM=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprland-protocols", "repo": "hyprland-protocols",
"rev": "0c2ce70625cb30aef199cb388f99e19a61a6ce03", "rev": "e06482e0e611130cd1929f75e8c1cf679e57d161",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -309,11 +309,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1717881334, "lastModified": 1718804078,
"narHash": "sha256-a0inRgJhPL6v9v7RPM/rx1kbXdfe3xJA1c9z0ZkYnh4=", "narHash": "sha256-CqRZne63BpYlPd/i8lXV0UInUt59oKogiwdVtBRHt60=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprutils", "repo": "hyprutils",
"rev": "0693f9398ab693d89c9a0aa3b3d062dd61b7a60e", "rev": "4f1351295c55a8f51219b25aa4a6497a067989d0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -334,11 +334,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1717784906, "lastModified": 1718119275,
"narHash": "sha256-YxmfxHfWed1fosaa7fC1u7XoKp1anEZU+7Lh/ojRKoM=", "narHash": "sha256-nqDYXATNkyGXVmNMkT19fT4sjtSPBDS1LLOxa3Fueo4=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprwayland-scanner", "repo": "hyprwayland-scanner",
"rev": "0f30f9eca6e404130988554accbb64d1c9ec877d", "rev": "1419520d5f7f38d35e05504da5c1b38212a38525",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -357,11 +357,11 @@
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
"lastModified": 1718298978, "lastModified": 1719151941,
"narHash": "sha256-7jIX4cUdn6LYP4l38S38nsSNbGMF5eXP9qKe69SR02k=", "narHash": "sha256-6DlzbOUC14DN3ChG6YDfHp3dlyRunlCuNIGiJ0/j0SU=",
"owner": "nix-community", "owner": "nix-community",
"repo": "neovim-nightly-overlay", "repo": "neovim-nightly-overlay",
"rev": "84299e229226207721e142246ff8343f8a8c6e5d", "rev": "8fbf3ad99db5af164230b7965de5572ce238c0da",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -373,11 +373,11 @@
"neovim-src": { "neovim-src": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1718209811, "lastModified": 1719082813,
"narHash": "sha256-hZYLBealuoS3bL3eXFeQVAoasThqf7DDwg8kW0ASTOE=", "narHash": "sha256-C2stSASvUp0XHljA6iZfDFHSH0JIDJ0g7g0uQUIHU2E=",
"owner": "neovim", "owner": "neovim",
"repo": "neovim", "repo": "neovim",
"rev": "53afdf360cf195c02c22865f4e63b273d1ef152e", "rev": "6c3f7e7e27a0ffcf6d58dc1f5ad2fce7e59a2d88",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -388,11 +388,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1717974879, "lastModified": 1718530797,
"narHash": "sha256-GTO3C88+5DX171F/gVS3Qga/hOs/eRMxPFpiHq2t+D8=", "narHash": "sha256-pup6cYwtgvzDpvpSCFh1TEUjw2zkNpk8iolbKnyFmmU=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "c7b821ba2e1e635ba5a76d299af62821cbcb09f3", "rev": "b60ebf54c15553b393d144357375ea956f89e9a9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -404,11 +404,11 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1717880976, "lastModified": 1719099622,
"narHash": "sha256-BRvSCsKtDUr83NEtbGfHLUOdDK0Cgbezj2PtcHnz+sQ=", "narHash": "sha256-YzJECAxFt+U5LPYf/pCwW/e1iUd2PF21WITHY9B/BAs=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "4913a7c3d8b8d00cb9476a6bd730ff57777f740c", "rev": "5e8e3b89adbd0be63192f6e645e0a54080004924",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -420,11 +420,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1718160348, "lastModified": 1719075281,
"narHash": "sha256-9YrUjdztqi4Gz8n3mBuqvCkMo4ojrA6nASwyIKWMpus=", "narHash": "sha256-CyyxvOwFf12I91PBWz43iGT1kjsf5oi6ax7CrvaMyAo=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "57d6973abba7ea108bac64ae7629e7431e0199b6", "rev": "a71e967ef3694799d0c418c98332f7ff4cc5f6af",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -435,11 +435,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1718149104, "lastModified": 1718983919,
"narHash": "sha256-Ds1QpobBX2yoUDx9ZruqVGJ/uQPgcXoYuobBguyKEh8=", "narHash": "sha256-+1xgeIow4gJeiwo4ETvMRvWoircnvb0JOt7NS9kUhoM=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "e913ae340076bbb73d9f4d3d065c2bca7caafb16", "rev": "90338afd6177fc683a04d934199d693708c85a3b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -451,11 +451,11 @@
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1718208800, "lastModified": 1718835956,
"narHash": "sha256-US1tAChvPxT52RV8GksWZS415tTS7PV42KTc2PNDBmc=", "narHash": "sha256-wM9v2yIxClRYsGHut5vHICZTK7xdrUGfrLkXvSuv6s4=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "cc54fb41d13736e92229c21627ea4f22199fee6b", "rev": "dd457de7e08c6d06789b1f5b88fc9327f4d96309",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -466,11 +466,11 @@
}, },
"nur": { "nur": {
"locked": { "locked": {
"lastModified": 1718354773, "lastModified": 1719153056,
"narHash": "sha256-p0pjm5l6LOYoEzSMLZv0QSE4vgGwfhkCz7VN58IUjzc=", "narHash": "sha256-nIp6HOIrPTMeIoaaj8MavebUI1HBeq1iz9P0nzWq1CI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "2fe75ecfd4dd1d2063fcc31ccb5db6d9f2b6b33c", "rev": "46ab9f286d5546781726537039455867a59c19a3",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -499,11 +499,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1718137936, "lastModified": 1719111739,
"narHash": "sha256-psA+1Q5fPaK6yI3vzlLINNtb6EeXj111zQWnZYyJS9c=", "narHash": "sha256-kr2QzRrplzlCP87ddayCZQS+dhGW98kw2zy7+jUXtF4=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "c279dec105dd53df13a5e57525da97905cc0f0d6", "rev": "5e2e9421e9ed2b918be0a441c4535cfa45e04811",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -544,11 +544,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1717918856, "lastModified": 1718619174,
"narHash": "sha256-I38bmPLqamvOfVSArd1hhZtkVRAYBK38fOHZCU1P9Qg=", "narHash": "sha256-FWW68AVYmB91ZDQnhLMBNCUUTCjb1ZpO2k2KIytHtkA=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "xdg-desktop-portal-hyprland", "repo": "xdg-desktop-portal-hyprland",
"rev": "72907822c19afc0983c69d59d299204381623725", "rev": "c7894aa54f9a7dbd16df5cd24d420c8af22d5623",
"type": "github" "type": "github"
}, },
"original": { "original": {

View file

@ -1,10 +1,10 @@
{ lib, config, pkgs, ... }: { lib, config, pkgs, unstable, ... }:
let let
cfg = config.profile.whatsapp; cfg = config.profile.whatsapp;
in in
{ {
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
home.packages = [ pkgs.whatsapp-for-linux ]; home.packages = [ unstable.whatsapp-for-linux ];
systemd.user = lib.mkIf cfg.autostart { systemd.user = lib.mkIf cfg.autostart {
services.whatsapp = { services.whatsapp = {
@ -21,7 +21,7 @@ in
ping = "${pkgs.unixtools.ping}/bin/ping"; ping = "${pkgs.unixtools.ping}/bin/ping";
host = "web.whatsapp.com"; host = "web.whatsapp.com";
sleep = "${pkgs.coreutils}/bin/sleep"; sleep = "${pkgs.coreutils}/bin/sleep";
whatsapp = "${pkgs.whatsapp-for-linux}/bin/whatsapp-for-linux"; whatsapp = "${unstable.whatsapp-for-linux}/bin/whatsapp-for-linux";
exec = ''${bash} -c "until ${ping} -c 1 ${host}; do ${sleep} 1; done; ${whatsapp}"''; exec = ''${bash} -c "until ${ping} -c 1 ${host}; do ${sleep} 1; done; ${whatsapp}"'';
in in
{ {

View file

@ -15,5 +15,7 @@ in
stubby.enable = mkEnableOption "stubby"; stubby.enable = mkEnableOption "stubby";
jellyfin.enable = mkEnableOption "jellyfin"; jellyfin.enable = mkEnableOption "jellyfin";
rust-motd.enable = mkEnableOption "rust-motd"; rust-motd.enable = mkEnableOption "rust-motd";
wireguard.enable = mkEnableOption "wireguard";
photoprism.enable = mkEnableOption "photoprism";
}; };
} }

View file

@ -45,10 +45,12 @@
samba.enable = true; samba.enable = true;
nextcloud.enable = true; nextcloud.enable = true;
syncthing.enable = true; syncthing.enable = true;
openvpn.enable = true; openvpn.enable = false;
stubby.enable = true; stubby.enable = true;
jellyfin.enable = true; jellyfin.enable = true;
rust-motd.enable = true; rust-motd.enable = true;
wireguard.enable = true;
photoprism.enable = true;
}; };
}; };
} }

22
secrets/photoprism.yaml Normal file
View file

@ -0,0 +1,22 @@
photoprism:
admin_password: ENC[AES256_GCM,data:t1r/fwZkRFHgx9g=,iv:F2tzhjtkFL31sT2d8yEokBagkVVv+0EgNWKOUwUU1Xo=,tag:keya0UMf7XE0VMq8nax89Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpZ25oYW9zcjFtU1FhT2gv
ODZ1WmJzRWRBR1h5cWxOV1U1UXhnbVcxTlFRCmVIWUlTTUFBdWp0OTgyOUFSZGFK
UTdGbzlvQ1VGZDJVWXBnaUFJREdUNkEKLS0tIG1KdCtXRWF5WVJ6ZnBNWlBnQjNS
eUJUaXd3NDNrWXZnOEk0NUhjTmY4UHcKJ9HEaQ6Ymh1SlzjLkWMe1YhxEC2kR3sF
Q93kWOv6AwOnnypa9Sa+WGRs27Tp5XAAv/6Kmv+gkGMjPrL/H/SDuw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-23T13:54:19Z"
mac: ENC[AES256_GCM,data:MYyinNaNmDJiT03xTg6qAZwtjVuDUVXoMF7fI3taMEC5mef43PNdzTT7s/4j2ul223vhg0hYpZunNlOpYtbPgIEh8oV6DycUQqWnpahwCtg5PWgwexb0Je6J7tIno/NF/9qgce1KgLy8qlQa20x4F1Lg/ZvEK6OujoCuc+yMFzU=,iv:+uEhLGXf/97iHhKvsD7D6YlKcTAHYAItxxA8p5g74N0=,tag:Kf5xkiF1aJ758ro5o4KwAg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

25
secrets/wireguard.yaml Normal file
View file

@ -0,0 +1,25 @@
wireguard:
private_keys:
server: ENC[AES256_GCM,data:YMk7ovSiX+vWsTEw1pwVLnLXTxFZwNbAlc9jdOamMJ3RwRePI1gpocg6ygQ=,iv:KteQl87XR6qs8uGX6v5AcSkl/X9/U5HvsDTqQx5ewCc=,tag:bERlujgiMOCfU9PzgFyUaQ==,type:str]
laptop: ENC[AES256_GCM,data:IuXyPe8WoiJ5eU4YCurSIQm9KfnM7isu3lgMuEnwDUDBG6YVtQxaEe2DAa4=,iv:leaYu6Wn/SanZp9//6/ssiFcUq2Z2lIrTP+NkXgdjZ8=,tag:7eSmYjs+y7qnnqfZMFZWfg==,type:str]
phone: ENC[AES256_GCM,data:n/RpqkgQ8NsuPf/K4aWhkxKlJ7KQJ3ogy+sihS/BeU5/NlrqTC7Qc7SJzdU=,iv:oZCTSnSl4IYQEBM514e6dn+HqyBK5IoHjPJ2l2ekBps=,tag:Ld1TzK/65kHkaW9qnvWmlQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0ODgrS1Y1dERLWWFEYTBY
Ti9zTWYwdlBhVlJIM3hLVUt4TzdmRUZTakRjCkVMOEhQbHBua0JNRVNGbEJJZ2hW
RDhRYzhKWFlDTjJwS0ZCRzA1RFBtY1EKLS0tIGJGcCszd1VaM1NMdnRuazgzT3ox
U3MwaXpzNjZMdjY2UFhOM3dmdUdXdXcKp+1e2vPXL9xoNzepobH8Z23YaAxmOV44
9KYdsjudhLSSbQvVpvSca++WChWlMNHNq+5PgLy7uinP5lOocQUajQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-23T12:13:05Z"
mac: ENC[AES256_GCM,data:DaLwpgmaRkiNM4AjbDxf2fH8dbGZ8DKx8rAoyJNnvTVlO4bKt31/yMGeCH6VW0SC0RApRc8NrBgdH3uYHAsSxDlwj/eXXVDAPrjjAhXTmABPGXLtMIK0LYhfq4nu5d5zsIaV1vrAsAmjcSm35FrttYsPMpL7V00Ah3pOlo6UCSA=,iv:qZlM2cgeWSWSKEVZJzojOk4cCWeG3GHD9axwi2WSeFQ=,tag:pbUwOBytwNuFmABuICYa9Q==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

View file

@ -12,5 +12,7 @@
./samba.nix ./samba.nix
./stubby.nix ./stubby.nix
./syncthing.nix ./syncthing.nix
./wireguard.nix
./photoprism.nix
]; ];
} }

View file

@ -0,0 +1,36 @@
{ config, lib, ... }:
let
cfg = config.profile.services.photoprism;
photoDir = "/nas/photos";
domain = "photos.tigor.web.id";
user = config.profile.user;
uid = toString user.uid;
gid = toString user.gid;
inherit (lib) mkIf;
in
{
config = mkIf cfg.enable {
system.activationScripts.photoprism = ''
mkdir -p ${photoDir}
chown ${uid}:${gid} ${photoDir}
'';
users.groups.${user.name}.members = [ "photoprism" ];
services.caddy.virtualHosts.${domain}.extraConfig = ''
reverse_proxy 0.0.0.0:${toString config.services.photoprism.port}
'';
sops.secrets."photoprism/admin_password" = {
sopsFile = ../../secrets/photoprism.yaml;
};
services.photoprism = {
enable = true;
port = 44999;
originalsPath = photoDir;
passwordFile = config.sops.secrets."photoprism/admin_password".path;
settings = {
PHOTOPRISM_ADMIN_USER = "hutasuhut";
};
};
};
}

View file

@ -73,27 +73,32 @@ in
id = "OpenVPN"; id = "OpenVPN";
devices = lib.attrsets.mapAttrsToList (key: _value: key) config.services.syncthing.settings.devices; devices = lib.attrsets.mapAttrsToList (key: _value: key) config.services.syncthing.settings.devices;
}; };
"/nas/Syncthing/Sync/WireGuard" = {
label = "WireGuard";
id = "WireGuard";
devices = lib.attrsets.mapAttrsToList (key: _value: key) config.services.syncthing.settings.devices;
};
}; };
devices = { devices = {
s20fe = { s20fe = {
name = "Samsung S20FE"; name = "Samsung S20FE";
id = "ASH4PGY-H2ANIMX-RJJRODR-AD6KH5X-632CAG2-5NCDSGN-I27XNAC-EMVL6A7"; id = "ASH4PGY-H2ANIMX-RJJRODR-AD6KH5X-632CAG2-5NCDSGN-I27XNAC-EMVL6A7";
autoAcceptFolders = true;
}; };
onyx = { onyx = {
name = "Onyx Note Air 3"; name = "Onyx Note Air 3";
id = "FZMFBD5-5PS566H-XJGV3FO-NQVSMX5-3VHPS7V-SUT27WA-MXHFBYT-BDSS6AW"; id = "FZMFBD5-5PS566H-XJGV3FO-NQVSMX5-3VHPS7V-SUT27WA-MXHFBYT-BDSS6AW";
autoAcceptFolders = true;
}; };
windows = { windows = {
name = "Windows"; name = "Windows";
id = "FSTIYS6-REFXIJX-KPLYC4L-QSZO46L-RV3VTPZ-VWVTE7O-Y663OZN-RTKP3QI"; id = "FSTIYS6-REFXIJX-KPLYC4L-QSZO46L-RV3VTPZ-VWVTE7O-Y663OZN-RTKP3QI";
autoAcceptFolders = true;
}; };
work-laptop = { work-laptop = {
name = "Work Laptop"; name = "Work Laptop";
id = "BOU76IK-5AE7ARF-ZQDFOTX-KWUQL22-SAGXBYG-B75JRZA-L4MCYPU-OYTY5AU"; id = "BOU76IK-5AE7ARF-ZQDFOTX-KWUQL22-SAGXBYG-B75JRZA-L4MCYPU-OYTY5AU";
autoAcceptFolders = true; };
samsung-s22-mama = {
name = "Samsung S22 Mama";
id = "5G2Q7XE-HILUI46-GWTE6P6-NJHAG3A-HSZKMAU-K5PBOKR-QN3IFQO-GX7KTQU";
}; };
}; };
}; };

View file

@ -0,0 +1,103 @@
{ config, lib, pkgs, ... }:
let
cfg = config.profile.services.wireguard;
externalInterface = config.profile.networking.externalInterface;
devices = [
{
name = "phone";
ip = "10.100.0.2";
secret = "wireguard/private_keys/phone";
publicKey = "27GSz9iWqtg23sWcwIQI3VglNtE/RWykv+nZUrmHHxA=";
}
{
name = "laptop";
ip = "10.100.0.3";
secret = "wireguard/private_keys/laptop";
publicKey = "5nporvzbJtTQC9Hek8JBJNIF+wGlWUj4En2w9DrvaV0=";
}
];
serverPublicKey = "GDRUvnKUPNzwAloQ5fxvdHoVw4D1YbdCR0GyiOyyB38=";
sopsFile = ../../secrets/wireguard.yaml;
inherit (lib) mkIf mergeAttrsList generators;
in
{
config = mkIf cfg.enable {
sops.secrets = mergeAttrsList ([
{
"wireguard/private_keys/server" = { inherit sopsFile; };
}
] ++
(map (device: { ${device.secret} = { inherit sopsFile; }; }) devices)
);
sops.templates =
let
template = { privateKey, ip }:
generators.toINI ({ }) {
Interface = {
Address = "${ip}/32";
PrivateKey = privateKey;
DNS = "192.168.100.3";
};
Peer = {
PublicKey = serverPublicKey;
Endpoint = "vpn.tigor.web.id:51820";
AllowedIPs = "0.0.0.0/0, ::/0";
};
};
in
mergeAttrsList (map
(device: {
"wireguard/clients/${device.name}" = {
content = template {
privateKey = config.sops.placeholder.${device.secret};
ip = device.ip;
};
path = "/nas/Syncthing/Sync/WireGuard/${device.name}.conf";
owner = config.profile.user.name;
};
})
devices
);
networking = {
nat = {
enable = true;
inherit externalInterface;
internalInterfaces = [ "wg0" ];
};
firewall.allowedUDPPorts = [ 51820 ];
wireguard.interfaces = {
wg0 = {
# Determines the IP address and subnet of the server's end of the tunnel interface.
ips = [ "10.100.0.1/16" ];
# The port that WireGuard listens to. Must be accessible by the client.
listenPort = 51820;
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/16 -o ${externalInterface} -j MASQUERADE
'';
# This undoes the above command
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/16 -o ${externalInterface} -j MASQUERADE
'';
privateKeyFile = config.sops.secrets."wireguard/private_keys/server".path;
peers = map
(device: {
publicKey = device.publicKey;
allowedIPs = [ device.ip ];
})
devices;
};
};
};
};
}