From 7529c0c5c437961dc51a59ed14fb9cfdc9deaba8 Mon Sep 17 00:00:00 2001 From: ashisgreat22 Date: Sat, 31 Jan 2026 20:11:19 +0100 Subject: [PATCH] . --- flake.lock | 132 ++++++++++++++--------------- hosts/nixos/configuration.nix | 5 +- hosts/nixos/home/steam.nix | 18 ---- hosts/nixos/home/vscode.nix | 18 +++- hosts/nixos/system/game-bypass.nix | 108 ----------------------- hosts/nixos/system/services.nix | 24 ++++++ hosts/nixos/system/vpn.nix | 95 --------------------- modules/nixos/kernel-hardening.nix | 2 + modules/nixos/lutris-sandboxed.nix | 9 ++ modules/nixos/media.nix | 1 + modules/nixos/redlib.nix | 63 ++++++++++++++ modules/nixos/searxng.nix | 107 +++++++++++++++++++++-- modules/nixos/steam-gamemode.nix | 2 +- modules/nixos/steam-sandboxed.nix | 3 + secrets/secrets.yaml | 6 +- 15 files changed, 291 insertions(+), 302 deletions(-) delete mode 100644 hosts/nixos/system/game-bypass.nix delete mode 100644 hosts/nixos/system/vpn.nix create mode 100644 modules/nixos/redlib.nix diff --git a/flake.lock b/flake.lock index ef58494..6198ca9 100644 --- a/flake.lock +++ b/flake.lock @@ -3,11 +3,11 @@ "cachyos-kernel": { "flake": false, "locked": { - "lastModified": 1768669154, - "narHash": "sha256-n9peTL7TAv1FIsboTEE1nWvuY2HYB67Jhh8o4O/JGfY=", + "lastModified": 1769435645, + "narHash": "sha256-xxIqw5x8U+13ya2BUcwmAW6BdpCpMhrMTn6Pd0bzocE=", "owner": "CachyOS", "repo": "linux-cachyos", - "rev": "4d7506c820f0d18fc0bbc36ecfec8ed126aee682", + "rev": "e8675eeb9b48a23167b3e43f84e3be76e321935e", "type": "github" }, "original": { @@ -19,11 +19,11 @@ "cachyos-kernel-patches": { "flake": false, "locked": { - "lastModified": 1768668945, - "narHash": "sha256-XKQ3DHUnaa/00BfIaY6K8xCZgx0Sy2wXQbNYE/AmWSk=", + "lastModified": 1769587384, + "narHash": "sha256-fPOlnH9arzQLmkbaZ6p+otwLuH9YEf/t8Q2o9/Yq/YA=", "owner": "CachyOS", "repo": "kernel-patches", - "rev": "cba022ec33a81d60a1e2c9fe4622196e3fef2b54", + "rev": "5f061ab9733ad15eccf6b9995e9d56f572e67266", "type": "github" }, "original": { @@ -37,11 +37,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1768575137, - "narHash": "sha256-e0SsKnkSnq+UwZNS9ZyPJjTjabzq9TRc1hqeDnvOF1Q=", + "lastModified": 1769432988, + "narHash": "sha256-q4arZjXnLiuMnLzO972lrXIGdzyGb4DGaIt69CcCYdE=", "owner": "catppuccin", "repo": "nix", - "rev": "48e67b4ad22072f1ae30b0ed8e1cb020cf06c611", + "rev": "d7a8632c0d8d144478aac1a8c8d5083b770cbb03", "type": "github" }, "original": { @@ -53,11 +53,11 @@ "catppuccin-userstyles": { "flake": false, "locked": { - "lastModified": 1768598910, - "narHash": "sha256-GlhBDOcaNADurl6NrmNGFk4MTf5wpoilzj74JCb04rA=", + "lastModified": 1769478525, + "narHash": "sha256-V/5/yrwKJQldrzMW/lo42oOsceEcXFfsaFD1fHqeaGY=", "owner": "catppuccin", "repo": "userstyles", - "rev": "a705c3166765be722f0d33d34a411b4aa2663169", + "rev": "72d08a0e24318741866741d38148aea50b4083e5", "type": "github" }, "original": { @@ -92,11 +92,11 @@ }, "crane": { "locked": { - "lastModified": 1767744144, - "narHash": "sha256-9/9ntI0D+HbN4G0TrK3KmHbTvwgswz7p8IEJsWyef8Q=", + "lastModified": 1769287525, + "narHash": "sha256-gABuYA6BzoRMLuPaeO5p7SLrpd4qExgkwEmYaYQY4bM=", "owner": "ipetkov", "repo": "crane", - "rev": "2fb033290bf6b23f226d4c8b32f7f7a16b043d7e", + "rev": "0314e365877a85c9e5758f9ea77a9972afbb4c21", "type": "github" }, "original": { @@ -202,11 +202,11 @@ ] }, "locked": { - "lastModified": 1765835352, - "narHash": "sha256-XswHlK/Qtjasvhd1nOa1e8MgZ8GS//jBoTqWtrS1Giw=", + "lastModified": 1768135262, + "narHash": "sha256-PVvu7OqHBGWN16zSi6tEmPwwHQ4rLPU9Plvs8/1TUBY=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "a34fae9c08a15ad73f295041fec82323541400a9", + "rev": "80daad04eddbbf5a4d883996a73f3f542fa437ac", "type": "github" }, "original": { @@ -283,11 +283,11 @@ ] }, "locked": { - "lastModified": 1768749864, - "narHash": "sha256-EKRMFBLBRCHrFZ5luX85RTnsN3b2q3FjZEi62vXwJBE=", + "lastModified": 1769638001, + "narHash": "sha256-hGwdJ/+oo+IRo2TiWV/V8BWWptQihcdFV/olTONaHqg=", "owner": "nix-community", "repo": "home-manager", - "rev": "5148e08046dc8c74c66b8aee4d302a47d6931b56", + "rev": "bd9f031efc634be4b80c5090b9171cc3a9f8e49c", "type": "github" }, "original": { @@ -325,11 +325,11 @@ ] }, "locked": { - "lastModified": 1768749749, - "narHash": "sha256-LznsuRIp4RyjOy6EuHYbmgMx9MQ2lUSH3ymfNPE+O9w=", + "lastModified": 1769548169, + "narHash": "sha256-03+JxvzmfwRu+5JafM0DLbxgHttOQZkUtDWBmeUkN8Y=", "owner": "nix-community", "repo": "impermanence", - "rev": "7d905a5a23f26b62c5b68129ef3780409088327a", + "rev": "7b1d382faf603b6d264f58627330f9faa5cba149", "type": "github" }, "original": { @@ -376,11 +376,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1768307256, - "narHash": "sha256-3yDvlAqWa0Vk3B9hFRJJrSs1xc+FwVQFLtu//VrTR4c=", + "lastModified": 1769417433, + "narHash": "sha256-0WZ7I/N9InaBHL96/qdiJxg8mqFW3vRla8Z062JmQFE=", "owner": "nix-community", "repo": "lanzaboote", - "rev": "7e031eb535a494582f4fc58735b5aecba7b57058", + "rev": "1902463415745b992dbaf301b2a35a1277be1584", "type": "github" }, "original": { @@ -413,11 +413,11 @@ ] }, "locked": { - "lastModified": 1767822362, - "narHash": "sha256-rnpIDY/sy/uV+1dsW+MrFwAFE/RHg5K/6aa5k7Yt1Dc=", + "lastModified": 1769469790, + "narHash": "sha256-VJI4KvK2AWtjPdNqanQ43MUydnU9qwN+HTDXrAtS2bI=", "owner": "utensils", "repo": "mcp-nixos", - "rev": "9706014c1530ba12ff36ca8d9d1717b1e61d29db", + "rev": "af7b82497af2229893d0a5e4edaad4165f45eec7", "type": "github" }, "original": { @@ -450,11 +450,11 @@ "rust-overlay": "rust-overlay_2" }, "locked": { - "lastModified": 1768678265, - "narHash": "sha256-Ub8eed4DsfIDWyg30xEe+8bSxL/z5Af/gCjmvJ0V/Hs=", + "lastModified": 1769577126, + "narHash": "sha256-v9vz9Rj4MGwPuhGELdvpRKl2HH+xvkgat6VwL0L86Fg=", "owner": "YaLTeR", "repo": "niri", - "rev": "d7184a04b904e07113f4623610775ae78d32394c", + "rev": "f30db163b5748e8cf95c05aba77d0d3736f40543", "type": "github" }, "original": { @@ -494,11 +494,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1768697537, - "narHash": "sha256-+3arRjix3ZmBM7ijdB95tkmcuOTrLCIZba7up+YXihY=", + "lastModified": 1769623217, + "narHash": "sha256-GHpbWLiez3G54o9czW9zc4uy4h0/nMK3/ahMYmILqkY=", "owner": "xddxdd", "repo": "nix-cachyos-kernel", - "rev": "a9f4771d31a7fe8a74711b5a77bb77bfddc2d18b", + "rev": "03f574805ffe01b47e7fa93c7128d678b2037729", "type": "github" }, "original": { @@ -515,11 +515,11 @@ ] }, "locked": { - "lastModified": 1768817462, - "narHash": "sha256-F3aGIF05MLaTbzulCxLuhkTPHnia8zYL8GOPrAy5SY4=", + "lastModified": 1769570521, + "narHash": "sha256-o4crX1S+jsfytfy0liMr1NSnnVDdIOGoW3UTZXJG5PI=", "owner": "kiriwalawren", "repo": "nixflix", - "rev": "174a08001731d38cad88aa4b690ed047090ebfff", + "rev": "8037889b0be0275d1a96a4cc0a1d4aa878e2c82e", "type": "github" }, "original": { @@ -530,11 +530,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1768305791, - "narHash": "sha256-AIdl6WAn9aymeaH/NvBj0H9qM+XuAuYbGMZaP0zcXAQ=", + "lastModified": 1769018530, + "narHash": "sha256-MJ27Cy2NtBEV5tsK+YraYr2g851f3Fl1LpNHDzDX15c=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1412caf7bf9e660f2f962917c14b1ea1c3bc695e", + "rev": "88d3861acdd3d2f0e361767018218e51810df8a1", "type": "github" }, "original": { @@ -608,11 +608,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1768640357, - "narHash": "sha256-NRmPViu76stpOUahRWuR3zMKfY2dKr/qAxRlcqfyps4=", + "lastModified": 1769607364, + "narHash": "sha256-bJIFB86xsMAJb0iEwb9p746T1XoslRAxbqMxBz7tjbo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d157866bc6cc1a986f88f6e78a6884efeeec6187", + "rev": "69459b3b3ea735e9933e1e367db3e68334cce3fe", "type": "github" }, "original": { @@ -624,11 +624,11 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1768564909, - "narHash": "sha256-Kell/SpJYVkHWMvnhqJz/8DqQg2b6PguxVWOuadbHCc=", + "lastModified": 1769461804, + "narHash": "sha256-msG8SU5WsBUfVVa/9RPLaymvi5bI8edTavbIq3vRlhI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e4bae1bd10c9c57b2cf517953ab70060a828ee6f", + "rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d", "type": "github" }, "original": { @@ -646,11 +646,11 @@ "systems": "systems_2" }, "locked": { - "lastModified": 1768486009, - "narHash": "sha256-I7ymDe6UQooHy9I9wrafKCCDnRbox/EMWAgJgpm7fGs=", + "lastModified": 1769644746, + "narHash": "sha256-1X9o0GjCzku03magX4pM+1OZXA0aUTN7KvEReZ9t3OU=", "owner": "nix-community", "repo": "nixvim", - "rev": "03a638205b5cb04ba9c2ed6c604e137b15f07fa1", + "rev": "3c27e1b35ca0fee6a89bfc20840654361ffe888d", "type": "github" }, "original": { @@ -666,11 +666,11 @@ ] }, "locked": { - "lastModified": 1768757767, - "narHash": "sha256-/z02Cp48mTQBh77DU2c0QefO048a3LHsXtINI/8Vuyc=", + "lastModified": 1769684048, + "narHash": "sha256-KoMHkgsxan9c6JwTuuKSAQBg947zTs+GdjlH9hquccM=", "owner": "noctalia-dev", "repo": "noctalia-shell", - "rev": "e24582770e0b422adeacd2da2254235dc489a691", + "rev": "7bf3dad98949c4895f15cdc4a7412b52e7d689ea", "type": "github" }, "original": { @@ -729,11 +729,11 @@ ] }, "locked": { - "lastModified": 1767281941, - "narHash": "sha256-6MkqajPICgugsuZ92OMoQcgSHnD6sJHwk8AxvMcIgTE=", + "lastModified": 1769069492, + "narHash": "sha256-Efs3VUPelRduf3PpfPP2ovEB4CXT7vHf8W+xc49RL/U=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "f0927703b7b1c8d97511c4116eb9b4ec6645a0fa", + "rev": "a1ef738813b15cf8ec759bdff5761b027e3e1d23", "type": "github" }, "original": { @@ -750,11 +750,11 @@ ] }, "locked": { - "lastModified": 1768691866, - "narHash": "sha256-MvnxwwfyO4fwozHlMWC4vW8l5GVNuv2ojwWtFOk/fUg=", + "lastModified": 1769582933, + "narHash": "sha256-MUzapTJuDJjfeOMlC9V1aesAX9WjFNUvjkyMCBHIA7E=", "owner": "PrismLauncher", "repo": "PrismLauncher", - "rev": "e8b5d491545f181599aaba610e53196e658a8bf2", + "rev": "70cbbf5b07460524a14e661c1242cc51742e0937", "type": "github" }, "original": { @@ -793,11 +793,11 @@ ] }, "locked": { - "lastModified": 1768272338, - "narHash": "sha256-Tg/kL8eKMpZtceDvBDQYU8zowgpr7ucFRnpP/AtfuRM=", + "lastModified": 1769309768, + "narHash": "sha256-AbOIlNO+JoqRJkK1VrnDXhxuX6CrdtIu2hSuy4pxi3g=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "03dda130a8701b08b0347fcaf850a190c53a3c1e", + "rev": "140c9dc582cb73ada2d63a2180524fcaa744fad5", "type": "github" }, "original": { @@ -834,11 +834,11 @@ ] }, "locked": { - "lastModified": 1768709255, - "narHash": "sha256-aigyBfxI20FRtqajVMYXHtj5gHXENY2gLAXEhfJ8/WM=", + "lastModified": 1769469829, + "narHash": "sha256-wFcr32ZqspCxk4+FvIxIL0AZktRs6DuF8oOsLt59YBU=", "owner": "Mic92", "repo": "sops-nix", - "rev": "5e8fae80726b66e9fec023d21cd3b3e638597aa9", + "rev": "c5eebd4eb2e3372fe12a8d70a248a6ee9dd02eff", "type": "github" }, "original": { diff --git a/hosts/nixos/configuration.nix b/hosts/nixos/configuration.nix index b241e0b..1160c7c 100644 --- a/hosts/nixos/configuration.nix +++ b/hosts/nixos/configuration.nix @@ -52,11 +52,11 @@ ./system/secrets.nix # SOPS secrets ./system/compatibility.nix # Compatibility layers (nix-ld) ./system/game-drive.nix - ./system/vpn.nix # System-wide VPN - ./system/game-bypass.nix # Game bypass netns + #./system/authelia.nix # SSO/2FA ../../modules/nixos/media.nix # Arr Stack ../../modules/nixos/steam-gamemode.nix # Steam GameMode Session + ../../modules/nixos/redlib.nix # Redlib private frontend ]; nixpkgs.config.allowUnfreePredicate = @@ -138,6 +138,7 @@ # Enable performance optimizations myModules.performance.enable = true; + myModules.redlib.enable = true; system.stateVersion = "25.05"; } diff --git a/hosts/nixos/home/steam.nix b/hosts/nixos/home/steam.nix index f2255d4..7a11e6d 100644 --- a/hosts/nixos/home/steam.nix +++ b/hosts/nixos/home/steam.nix @@ -19,22 +19,4 @@ }; }; - # Override Steam desktop entry to use bypass - xdg.desktopEntries.steam = { - name = "Steam"; - genericName = "Application Store"; - exec = "game-bypass steam %U"; - terminal = false; - icon = "steam"; - categories = [ - "Network" - "FileTransfer" - "Game" - ]; - mimeType = [ - "x-scheme-handler/steam" - "x-scheme-handler/steamlink" - ]; - prefetchIface = "steam"; - }; } diff --git a/hosts/nixos/home/vscode.nix b/hosts/nixos/home/vscode.nix index a782318..e18a0e7 100644 --- a/hosts/nixos/home/vscode.nix +++ b/hosts/nixos/home/vscode.nix @@ -89,6 +89,20 @@ let antigravityFHSLauncher = pkgs.writeShellScriptBin "antigravity-fhs" '' exec ${antigravityWrapped}/bin/antigravity "$@" ''; + + # Helper to adapt VS Code extensions for Antigravity + # Home Manager expects extensions to be in share/antigravity/extensions based on the package name, + # but standard extensions are in share/vscode/extensions. + adaptToAntigravity = ext: pkgs.symlinkJoin { + name = "${ext.name}-antigravity"; + paths = [ ext ]; + # Ensure passthru attributes are preserved (though symlinkJoin usually handles this, specific ones might help) + inherit (ext) meta; + postBuild = '' + mkdir -p $out/share/antigravity + ln -sf ${ext}/share/vscode/extensions $out/share/antigravity/extensions + ''; + }; in { home.packages = [ @@ -118,7 +132,7 @@ in enableExtensionUpdateCheck = false; # Extensions from nixpkgs - extensions = with pkgs.vscode-extensions; [ + extensions = map adaptToAntigravity (with pkgs.vscode-extensions; [ # Theme & Icons catppuccin.catppuccin-vsc catppuccin.catppuccin-vsc-icons @@ -160,7 +174,7 @@ in # Formatters esbenp.prettier-vscode - ]; + ]); # User settings (settings.json equivalent) userSettings = { diff --git a/hosts/nixos/system/game-bypass.nix b/hosts/nixos/system/game-bypass.nix deleted file mode 100644 index f6dea8b..0000000 --- a/hosts/nixos/system/game-bypass.nix +++ /dev/null @@ -1,108 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: - -{ - # Namespace setup for Game Bypass - systemd.services.game-bypass-netns = { - description = "Game Bypass Network Namespace (Direct Internet)"; - wants = [ "network.target" ]; - after = [ "network.target" ]; - requiredBy = [ "multi-user.target" ]; - - path = [ - pkgs.iproute2 - pkgs.kmod - pkgs.util-linux # for nsenter - pkgs.dhcpcd - ]; - - script = '' - NAME="physical" - VETH_HOST="veth-game" - VETH_NS="eth0" - BRIDGE="br0" - - # 1. Create Namespace if not exists - if ! ip netns list | grep -q "$NAME"; then - ip netns add "$NAME" - fi - - # 2. Setup Veth Pair - # Cleanup previous - ip link delete "$VETH_HOST" 2>/dev/null || true - - # Create pair - ip link add "$VETH_HOST" type veth peer name "$VETH_NS-tmp" - - # Host side: Attach to Bridge - ip link set "$VETH_HOST" master "$BRIDGE" - ip link set "$VETH_HOST" up - - # Client side: Move to NS - ip link set "$VETH_NS-tmp" netns "$NAME" - - # 3. Configure Inside Namespace - # Rename to eth0 - ip netns exec "$NAME" ip link set "$VETH_NS-tmp" name "$VETH_NS" - ip netns exec "$NAME" ip link set "$VETH_NS" up - ip netns exec "$NAME" ip link set lo up - - # 4. DHCP - # Run dhcpcd inside the namespace - # We use -4 for IPv4 only if desired, or just standard - ip netns exec "$NAME" dhcpcd --nobackground "$VETH_NS" & - - # 5. DNS (Use Google/Cloudflare directly) - mkdir -p /etc/netns/"$NAME" - echo "nameserver 1.1.1.1" > /etc/netns/"$NAME"/resolv.conf - echo "nameserver 8.8.8.8" >> /etc/netns/"$NAME"/resolv.conf - ''; - - # We use oneshot to just launch dhcpcd - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - User = "root"; - }; - }; - - # Wrapper script to launch apps in the bypass - environment.systemPackages = [ - (pkgs.writeShellScriptBin "game-bypass" '' - exec doas ip netns exec physical sudo -u ${config.users.users.ashie.name} -E -- "$@" - '') - ]; - - # Security wrapper permissions - security.doas.extraRules = [ - { - users = [ "ashie" ]; - cmd = "/run/current-system/sw/bin/ip"; - args = [ - "netns" - "exec" - "physical" - "sudo" - "-u" - "ashie" - "-E" - "--" - ]; - noPass = true; - keepEnv = true; - } - ]; - - # Also need sudo rules? - # "sudo -u ashie" inside the namespace might prompt for password if not configured. - # Usually user running sudo to switch to themselves needs no password if standard setup, - # OR we can just use setpriv/su if we are already root (which ip netns exec is). - # Wait, `ip netns exec` runs as root. - # So we are root inside the NS. We then drop privileges to 'ashie'. - # `sudo -u ashie` works fine if we are root. - -} diff --git a/hosts/nixos/system/services.nix b/hosts/nixos/system/services.nix index dae1c8b..4c922ea 100644 --- a/hosts/nixos/system/services.nix +++ b/hosts/nixos/system/services.nix @@ -90,6 +90,10 @@ locations."/" = { proxyPass = "http://127.0.0.1:8888"; proxyWebsockets = true; + extraConfig = '' + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + ''; }; }; @@ -229,6 +233,26 @@ forceSSL = true; globalRedirect = "jellyseer.ashisgreat.xyz"; }; + + "reddit.ashisgreat.xyz" = { + useACMEHost = "ashisgreat.xyz"; + forceSSL = true; + extraConfig = '' + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + ''; + locations."/" = { + proxyPass = "http://127.0.0.1:8082"; + proxyWebsockets = true; + extraConfig = '' + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + ''; + }; + }; }; # Hardening for Chrony diff --git a/hosts/nixos/system/vpn.nix b/hosts/nixos/system/vpn.nix deleted file mode 100644 index d87ae69..0000000 --- a/hosts/nixos/system/vpn.nix +++ /dev/null @@ -1,95 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: - -{ - networking.wg-quick.interfaces = { - wg0 = { - address = [ "10.66.219.165/32" ]; # Fallback, should ideally come from secret but wg-quick needs it here or in config - # We will rely on the config file generation to include the address if possible, - # but nixos module usually requires 'address' or 'configFile'. - # Since we are using secrets for everything, we might need a script or careful usage of configFile. - - # Better approach with sops: use the declarative config but read secrets from file for keys. - # However, 'address' usually isn't secret. - # In vpn-namespace.nix: ADDRESS=$(cat ${config.sops.secrets.wireguard_addresses.path}) - - # Valid approach for secrets in wg-quick: - # Use configFile pointing to a secret file, OR use normal config with privateKeyFile. - - autostart = true; - dns = [ "1.1.1.1" ]; # Force DNS through VPN (or public DNS) - privateKeyFile = config.sops.secrets.wireguard_private_key.path; - - peers = [ - { - publicKey = "KPj/q9j/..."; # We need the public key here. - # PROB: The user's vpn-namespace.nix was reading PEER_KEY from a secret. - # NixOS wg-quick module expects publicKey as a string literal in the nix config, usually. - # If the peer public key is secret, we can't easily put it in nix store (it ends up world readable). - # BUT: Public keys are generally safe to be public. - # However, since the user has it in sops, they might want to keep it secret. - - # ALTERNATIVE: Use `configFile` option and generate the whole config from secrets at runtime. - # But `networking.wg-quick.interfaces..configFile` expects a path. - - # Let's write a script to generate the config file from secrets and start it. - # actually, the `networking.wg-quick` module is just a wrapper around systemd services. - - # Let's try to stick to the module if possible. - # If we can't, we can write a systemd service just like vpn-namespace.nix but for the main netns. - } - ]; - }; - }; - - # RE-EVALUATION: - # Since all WireGuard parameters (Addresses, Endpoint, Keys) are in sops secrets, - # trying to use `networking.wg-quick.interfaces` is clumsy because it expects static values for non-secrets. - # We should create a systemd service that constructs the config and runs wg-quick. - - systemd.services.wg-quick-wg0 = { - description = "WireGuard Tunnel wg0"; - wantedBy = [ "multi-user.target" ]; - after = [ "network-online.target" ]; - wants = [ "network-online.target" ]; - path = [ - pkgs.wireguard-tools - pkgs.bash - ]; - - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - ExecStart = pkgs.writeShellScript "wg0-up" '' - # Generate Config - PRIVATE_KEY=$(cat ${config.sops.secrets.wireguard_private_key.path}) - PEER_KEY=$(cat ${config.sops.secrets.wireguard_public_key.path}) - ENDPOINT_IP=$(cat ${config.sops.secrets.wireguard_endpoint_ip.path}) - ENDPOINT_PORT=$(cat ${config.sops.secrets.wireguard_endpoint_port.path}) - ADDRESS=$(cat ${config.sops.secrets.wireguard_addresses.path}) - PRESHARED_KEY=$(cat ${config.sops.secrets.wireguard_preshared_key.path}) - - cat > /run/wg0.conf <