defiant/burnham: add riker to wireguard

voyager: fix nextcloud startup problems
flake: update
2025-01-03 01:07:30 +01:00 · 2024-02-08 17:56:53 +01:00 · 2024-02-08 14:45:56 +01:00 · 2024-02-08 14:45:35 +01:00 · 2024-02-08 14:45:26 +01:00
7 changed files with 65 additions and 75 deletions
--- a/flake.lock
+++ b/flake.lock
@ -41,11 +41,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1704980875,
-        "narHash": "sha256-IPZmMjk5f4TBbEpzUFBc3OC1W6OwDNEXk2w/0uVXX1o=",
+        "lastModified": 1706981411,
+        "narHash": "sha256-cLbLPTL1CDmETVh4p0nQtvoF+FSEjsnJTFpTxhXywhQ=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "5f0ab0eedc6ede69beb8f45561ffefa54edc6e65",
+        "rev": "652fda4ca6dafeb090943422c34ae9145787af37",
        "type": "github"
      },
      "original": {
@ -80,11 +80,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1704277720,
-        "narHash": "sha256-meAKNgmh3goankLGWqqpw73pm9IvXjEENJloF0coskE=",
+        "lastModified": 1706833576,
+        "narHash": "sha256-w7BL0EWRts+nD1lbLECIuz6fRzmmV+z8oWwoY7womR0=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "0dd382b70c351f528561f71a0a7df82c9d2be9a4",
+        "rev": "bdbae6ecff8fcc322bf6b9053c0b984912378af7",
        "type": "github"
      },
      "original": {
@ -101,11 +101,11 @@
        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1705108818,
-        "narHash": "sha256-V7zG8ihfhcopjaZbIvBl78icARrVPSrdeBpgyk3Aa5k=",
+        "lastModified": 1707354851,
+        "narHash": "sha256-EavLrnN9VlqqTabq+XDEvK2hV0XzZ3eCorsO5MvaWro=",
        "owner": "Infinidoge",
        "repo": "nix-minecraft",
-        "rev": "9151fbf3086d10b5da436616175e71add449f0e1",
+        "rev": "ca6b8974161fee88608ff2addf1cb7655f17d165",
        "type": "github"
      },
      "original": {
@ -147,27 +147,27 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1705033721,
-        "narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=",
+        "lastModified": 1707391491,
+        "narHash": "sha256-TyDXcq8Z3slMNeyeF+ke0BzISWuM6NrBklr7XyiRbZA=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea",
+        "rev": "bc6cb3d59b7aab88e967264254f8c1aa4c0284e9",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "release-23.05",
+        "ref": "release-23.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1705183652,
-        "narHash": "sha256-rnfkyUH0x72oHfiSDhuCHDHg3gFgF+lF8zkkg5Zihsw=",
+        "lastModified": 1707238373,
+        "narHash": "sha256-WKxT0yLzWbFZwYi92lI0yWJpYtRaFSWHGX8QXzejapw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "428544ae95eec077c7f823b422afae5f174dee4b",
+        "rev": "fb0c047e30b69696acc42e669d02452ca1b55755",
        "type": "github"
      },
      "original": {
@ -197,11 +197,11 @@
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1705201153,
-        "narHash": "sha256-y0/a4IMDZrc7lAkR7Gcm5R3W2iCBiARHnYZe6vkmiNE=",
+        "lastModified": 1707397511,
+        "narHash": "sha256-pYqXcTjcPC/go3FzT1dYtYsbmzAjO1MHhT/xgiI6J7o=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "70dd0d521f7849338e487a219c1a07c429a66d77",
+        "rev": "2168851d58595431ee11ebfc3a49d60d318b7312",
        "type": "github"
      },
      "original": {
@ -227,11 +227,11 @@
    },
    "unstable": {
      "locked": {
-        "lastModified": 1705133751,
-        "narHash": "sha256-rCIsyE80jgiOU78gCWN3A0wE0tR2GI5nH6MlS+HaaSQ=",
+        "lastModified": 1707092692,
+        "narHash": "sha256-ZbHsm+mGk/izkWtT4xwwqz38fdlwu7nUUKXTOmm4SyE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "9b19f5e77dd906cb52dade0b7bd280339d2a1f3d",
+        "rev": "faf912b086576fd1a15fca610166c98d47bc667e",
        "type": "github"
      },
      "original": {
@ -243,10 +243,11 @@
    },
    "voyager-addons": {
      "locked": {
-        "dirtyRev": "238bcd33b3e2562fcf76f86348909990ddc3d6cc-dirty",
-        "dirtyShortRev": "238bcd3-dirty",
-        "lastModified": 1704460893,
-        "narHash": "sha256-lh5nuxULb6Y8rPIDRWnvUOVs7j3jsp4QqiXvEpJjMec=",
+        "lastModified": 1707399193,
+        "narHash": "sha256-Q570CBu01ufGMitMQVAgsKoQ7zMEDwqDtqKJ1kyeUjQ=",
+        "ref": "refs/heads/main",
+        "rev": "3d04b4ec9c40948693f4efe919413cce9265bae7",
+        "revCount": 4,
        "type": "git",
        "url": "file:///home/felixalb/voyager-addons"
      },
--- a/hosts/burnham/services/wireguard.nix
+++ b/hosts/burnham/services/wireguard.nix
@ -44,6 +44,12 @@ in {
            "10.100.0.5/32"
          ];
        }
+        { # Riker
+          publicKey = "r715vpgH1H0zvN+Z5wcNKcOo5e6UM3fBfh9BZwTBjmA=";
+          allowedIPs = [
+            "10.100.0.6/32"
+          ];
+        }
      ];
    };
  };
--- a/hosts/defiant/services/wireguard.nix
+++ b/hosts/defiant/services/wireguard.nix
@ -50,6 +50,12 @@ in {
            "10.100.0.5/32"
          ];
        }
+        { # Riker
+          publicKey = "r715vpgH1H0zvN+Z5wcNKcOo5e6UM3fBfh9BZwTBjmA=";
+          allowedIPs = [
+            "10.100.0.6/32"
+          ];
+        }
      ];
    };
  };
--- a/hosts/voyager/configuration.nix
+++ b/hosts/voyager/configuration.nix
@ -7,7 +7,7 @@
      ../../common/metrics-exporters.nix
      ./hardware-configuration.nix
      ./filesystems.nix
-      ./wireguard.nix
+      # ./wireguard.nix
      ./exports.nix

      ./services/snappymail.nix
--- a/hosts/voyager/services/nextcloud.nix
+++ b/hosts/voyager/services/nextcloud.nix
@ -59,26 +59,29 @@ in {
    after = [ "postgresql.service" ];
  };

-  systemd.services."phpfpm-nextcloud".serviceConfig = {
-    WorkingDirectory = "/var/lib/nextcloud";
-    NoNewPrivileges = true;
-    PrivateDevices = true;
-    PrivateMounts = true;
-    PrivateTmp = true;
-    ProtectClock = true;
-    ProtectHome = true;
-    ProtectHostname = true;
-    ProtectKernelLogs = true;
-    ProtectKernelModules = true;
-    ProtectKernelTunables = true;
-    ProtectProc = "invisible";
-    ReadWritePaths = [ "/var/lib/nextcloud" "/run/phpfpm" "/run/systemd" "/run/secrets" "/nix/store" ];
-    RemoveIPC = true;
-    RestrictSUIDSGID = true;
-    UMask = "0007";
-    SystemCallArchitectures = "native";
-    SystemCallFilter = "@system-service";
-    CapabilityBoundingSet = "~CAP_FSETID ~CAP_SETFCAP ~CAP_SETUID ~CAP_SETGID ~CAP_SETPCAP ~CAP_NET_ADMIN ~CAP_SYS_ADMIN ~CAP_SYS_PTRACE ";
+  systemd.services."phpfpm-nextcloud" = {
+    requires = [ "var-lib-nextcloud.mount" ];
+    serviceConfig = {
+      WorkingDirectory = "/var/lib/nextcloud";
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      PrivateMounts = true;
+      PrivateTmp = true;
+      ProtectClock = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ReadWritePaths = [ "/var/lib/nextcloud" "/run/phpfpm" "/run/systemd" "/run/secrets" "/nix/store" ];
+      RemoveIPC = true;
+      RestrictSUIDSGID = true;
+      UMask = "0007";
+      SystemCallArchitectures = "native";
+      SystemCallFilter = "@system-service";
+      CapabilityBoundingSet = "~CAP_FSETID ~CAP_SETFCAP ~CAP_SETUID ~CAP_SETGID ~CAP_SETPCAP ~CAP_NET_ADMIN ~CAP_SYS_ADMIN ~CAP_SYS_PTRACE ";
+    };
  };

  fileSystems."/var/lib/nextcloud" = {
--- a/hosts/voyager/wireguard.nix
+++ b/hosts/voyager/wireguard.nix
@ -1,22 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-  port = 51820;
-  endpoint = "vpn.feal.no:51820";
-  publicKey = "ct2FBeSSt0u38tFMv61aVpGwdcJvXi1Q0sV0zCNH7xU=";
-in {
-  sops.secrets."wireguard/wg0/private" = {};
-
-  networking.firewall.allowedUDPPorts = [ port ];
-  networking.wireguard.interfaces.wg0 = {
-    ips = [ "10.100.0.2/24" ];
-    listenPort = port;
-    privateKeyFile = config.sops.secrets."wireguard/wg0/private".path;
-    peers = [
-      {
-        inherit endpoint publicKey;
-        allowedIPs = [ "10.100.0.0/24" ];
-        persistentKeepalive = 25;
-      }
-    ];
-  };
-}
--- a/secrets/voyager/voyager.yaml
+++ b/secrets/voyager/voyager.yaml
@ -10,10 +10,6 @@
 #ENC[AES256_GCM,data:fvJA2s0OEs7PDOr/,iv:HlO9MCqBHtz1Hm9tILlEsJ2gfgTPThmmyoCXlGyy/9Y=,tag:7L1Kl4RgAFG+WLvtk30nYQ==,type:comment]
 transmission:
    vpncreds: ENC[AES256_GCM,data:KWm6AGlJze0Of9Nkz0moaQCAXMwylsZ+BIZR4BnbuDRbjKRMJSWCOFBSbG3esGprLhoCnYwc9mghSeoP2AQRAT++sERpxX3JTHF9QuauNmhRWb1xLsOfQAu6vsA/0dTshQr8ivhJSnEz57rasdOraovYjVsRXd7cuclajPoS4nl3+1/IrSkAlxNzx8F0PMmyOrvoPVMmqQ4PcKFfkXc1f59O2iJ19Bmt/x5yIxU=,iv:VAYlqL8Pb5J4g+W3QClrgRftYw5UofXmG9cfEsZdLr4=,tag:zJIxYaGEedFjM8IsBfnQog==,type:str]
-wireguard:
-    wg0:
-        public: ENC[AES256_GCM,data:jKkYH9giZJ09/hFWF0UgM8TSvQ/qrkSbhCOhHG5Ze2WI8MLZaNzZMQSgWHM=,iv:VI48j/DzQez+L4oW2vUHj8FqDpTAd5P/71ih4D/3I54=,tag:9m23ruMSkFsTbxj9dAD9eg==,type:str]
-        private: ENC[AES256_GCM,data:XF89i1/TF5CpOvixwFDNOpke0YdWQDAMbvf/jOGR7iHKzz4OJu7K33lQbObT,iv:tVGdkkUU83Ba7VxHa7AJaIHFETp2Dy72dya3FDjnPZY=,tag:h9IJVeGnK7gABbu9hWZpww==,type:str]
 nextcloud:
    adminpass: ENC[AES256_GCM,data:r2Z6KsQ1hP90/Bf8J804a5D7BTS7,iv:f3TkiPVxw8lAPcyStWqOZuhF4p/5nUPkzL2j/yjsnyg=,tag:c2JWdxZUjkHQWNWDILBrRQ==,type:str]
 sops:
@ -49,8 +45,8 @@ sops:
            NENEM2VLRDBzTWM0ckdPVThaeE0xL2MKTAvsDKgaoj0Fz9CoNbP6s1kROlDbbXtB
            4rFRGN+WZJrBioz5nN4kR7mVFKa4w6z6Pu3D5WLyK7UQQkZJ64avdw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-01-03T11:58:32Z"
-    mac: ENC[AES256_GCM,data:17G+wUFH0yV9dQo7kLoMiI7UMBVfj8HbqE0p26/LZ5N0wbLyXKt5YdXQPG8rC22fgHdgePFgIl6qxI2KWgy0bwgBtg9kTxjaKDHkdEs8KKTxbjUXYeIp2JonIH9j3GgN/wa7kABr4QyhDmKhlLupi0ea2A51fDSuhYZDN2kl5As=,iv:XNhmnQJEww6PfHI80bl8LKoiiJdJQcezy71kQZx4oys=,tag:02+GjhSRxw4+qNNjlxPbqA==,type:str]
+    lastmodified: "2024-02-08T13:44:57Z"
+    mac: ENC[AES256_GCM,data:oy6uBKFDm7J70OZuZtCziKeNkV5u9/RabGF2gXOONeHqFD/9jXhHsWIrDYrgwHPCyauJyAZqwnw/+wNUMNUzk25rM1iBaBJg0+mjUnFGBEhrAUJu8hSHl2EAHEauhzPqRS0L7bew75FmuGs56Wo58DkdvdnCjjs3XIAOj8kjv/g=,iv:/rbPS8xANKV9sSC7e1OAQuIeJK7OtlUMggxN/RW+GLs=,tag:5kE7m7ZrfIPF+ulCsiPLVQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
Author	SHA1	Message	Date
Felix Albrigtsen	b97c986f4a	defiant/burnham: add riker to wireguard	2024-02-08 17:56:53 +01:00
Felix Albrigtsen	6ed59e1b15	voyager: fix nextcloud startup problems	2024-02-08 14:45:56 +01:00
Felix Albrigtsen	d645a8af8a	flake: update	2024-02-08 14:45:35 +01:00
Felix Albrigtsen	ed61b17234	voyager: remove wireguard to uhura	2024-02-08 14:45:26 +01:00