defiant/burnham: add riker to wireguard

flake.lock

@@ -41,11 +41,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1704980875,
+        "lastModified": 1706981411,
-        "narHash": "sha256-IPZmMjk5f4TBbEpzUFBc3OC1W6OwDNEXk2w/0uVXX1o=",
+        "narHash": "sha256-cLbLPTL1CDmETVh4p0nQtvoF+FSEjsnJTFpTxhXywhQ=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "5f0ab0eedc6ede69beb8f45561ffefa54edc6e65",
+        "rev": "652fda4ca6dafeb090943422c34ae9145787af37",
         "type": "github"
       },
       "original": {
@@ -80,11 +80,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1704277720,
+        "lastModified": 1706833576,
-        "narHash": "sha256-meAKNgmh3goankLGWqqpw73pm9IvXjEENJloF0coskE=",
+        "narHash": "sha256-w7BL0EWRts+nD1lbLECIuz6fRzmmV+z8oWwoY7womR0=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "0dd382b70c351f528561f71a0a7df82c9d2be9a4",
+        "rev": "bdbae6ecff8fcc322bf6b9053c0b984912378af7",
         "type": "github"
       },
       "original": {
@@ -101,11 +101,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1705108818,
+        "lastModified": 1707354851,
-        "narHash": "sha256-V7zG8ihfhcopjaZbIvBl78icARrVPSrdeBpgyk3Aa5k=",
+        "narHash": "sha256-EavLrnN9VlqqTabq+XDEvK2hV0XzZ3eCorsO5MvaWro=",
         "owner": "Infinidoge",
         "repo": "nix-minecraft",
-        "rev": "9151fbf3086d10b5da436616175e71add449f0e1",
+        "rev": "ca6b8974161fee88608ff2addf1cb7655f17d165",
         "type": "github"
       },
       "original": {
@@ -147,27 +147,27 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1705033721,
+        "lastModified": 1707391491,
-        "narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=",
+        "narHash": "sha256-TyDXcq8Z3slMNeyeF+ke0BzISWuM6NrBklr7XyiRbZA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea",
+        "rev": "bc6cb3d59b7aab88e967264254f8c1aa4c0284e9",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-23.05",
+        "ref": "release-23.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1705183652,
+        "lastModified": 1707238373,
-        "narHash": "sha256-rnfkyUH0x72oHfiSDhuCHDHg3gFgF+lF8zkkg5Zihsw=",
+        "narHash": "sha256-WKxT0yLzWbFZwYi92lI0yWJpYtRaFSWHGX8QXzejapw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "428544ae95eec077c7f823b422afae5f174dee4b",
+        "rev": "fb0c047e30b69696acc42e669d02452ca1b55755",
         "type": "github"
       },
       "original": {
@@ -197,11 +197,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1705201153,
+        "lastModified": 1707397511,
-        "narHash": "sha256-y0/a4IMDZrc7lAkR7Gcm5R3W2iCBiARHnYZe6vkmiNE=",
+        "narHash": "sha256-pYqXcTjcPC/go3FzT1dYtYsbmzAjO1MHhT/xgiI6J7o=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "70dd0d521f7849338e487a219c1a07c429a66d77",
+        "rev": "2168851d58595431ee11ebfc3a49d60d318b7312",
         "type": "github"
       },
       "original": {
@@ -227,11 +227,11 @@
     },
     "unstable": {
       "locked": {
-        "lastModified": 1705133751,
+        "lastModified": 1707092692,
-        "narHash": "sha256-rCIsyE80jgiOU78gCWN3A0wE0tR2GI5nH6MlS+HaaSQ=",
+        "narHash": "sha256-ZbHsm+mGk/izkWtT4xwwqz38fdlwu7nUUKXTOmm4SyE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9b19f5e77dd906cb52dade0b7bd280339d2a1f3d",
+        "rev": "faf912b086576fd1a15fca610166c98d47bc667e",
         "type": "github"
       },
       "original": {
@@ -243,10 +243,11 @@
     },
     "voyager-addons": {
       "locked": {
-        "dirtyRev": "238bcd33b3e2562fcf76f86348909990ddc3d6cc-dirty",
+        "lastModified": 1707399193,
-        "dirtyShortRev": "238bcd3-dirty",
+        "narHash": "sha256-Q570CBu01ufGMitMQVAgsKoQ7zMEDwqDtqKJ1kyeUjQ=",
-        "lastModified": 1704460893,
+        "ref": "refs/heads/main",
-        "narHash": "sha256-lh5nuxULb6Y8rPIDRWnvUOVs7j3jsp4QqiXvEpJjMec=",
+        "rev": "3d04b4ec9c40948693f4efe919413cce9265bae7",
+        "revCount": 4,
         "type": "git",
         "url": "file:///home/felixalb/voyager-addons"
       },

hosts/burnham/services/wireguard.nix

@@ -44,6 +44,12 @@ in {
             "10.100.0.5/32"
           ];
         }
+        { # Riker
+          publicKey = "r715vpgH1H0zvN+Z5wcNKcOo5e6UM3fBfh9BZwTBjmA=";
+          allowedIPs = [
+            "10.100.0.6/32"
+          ];
+        }
       ];
     };
   };

hosts/defiant/services/wireguard.nix

@@ -50,6 +50,12 @@ in {
             "10.100.0.5/32"
           ];
         }
+        { # Riker
+          publicKey = "r715vpgH1H0zvN+Z5wcNKcOo5e6UM3fBfh9BZwTBjmA=";
+          allowedIPs = [
+            "10.100.0.6/32"
+          ];
+        }
       ];
     };
   };

hosts/voyager/configuration.nix

@@ -7,7 +7,7 @@
       ../../common/metrics-exporters.nix
       ./hardware-configuration.nix
       ./filesystems.nix
-      ./wireguard.nix
+      # ./wireguard.nix
       ./exports.nix
 
       ./services/snappymail.nix

hosts/voyager/services/nextcloud.nix

@@ -59,26 +59,29 @@ in {
     after = [ "postgresql.service" ];
   };
 
-  systemd.services."phpfpm-nextcloud".serviceConfig = {
+  systemd.services."phpfpm-nextcloud" = {
-    WorkingDirectory = "/var/lib/nextcloud";
+    requires = [ "var-lib-nextcloud.mount" ];
-    NoNewPrivileges = true;
+    serviceConfig = {
-    PrivateDevices = true;
+      WorkingDirectory = "/var/lib/nextcloud";
-    PrivateMounts = true;
+      NoNewPrivileges = true;
-    PrivateTmp = true;
+      PrivateDevices = true;
-    ProtectClock = true;
+      PrivateMounts = true;
-    ProtectHome = true;
+      PrivateTmp = true;
-    ProtectHostname = true;
+      ProtectClock = true;
-    ProtectKernelLogs = true;
+      ProtectHome = true;
-    ProtectKernelModules = true;
+      ProtectHostname = true;
-    ProtectKernelTunables = true;
+      ProtectKernelLogs = true;
-    ProtectProc = "invisible";
+      ProtectKernelModules = true;
-    ReadWritePaths = [ "/var/lib/nextcloud" "/run/phpfpm" "/run/systemd" "/run/secrets" "/nix/store" ];
+      ProtectKernelTunables = true;
-    RemoveIPC = true;
+      ProtectProc = "invisible";
-    RestrictSUIDSGID = true;
+      ReadWritePaths = [ "/var/lib/nextcloud" "/run/phpfpm" "/run/systemd" "/run/secrets" "/nix/store" ];
-    UMask = "0007";
+      RemoveIPC = true;
-    SystemCallArchitectures = "native";
+      RestrictSUIDSGID = true;
-    SystemCallFilter = "@system-service";
+      UMask = "0007";
-    CapabilityBoundingSet = "~CAP_FSETID ~CAP_SETFCAP ~CAP_SETUID ~CAP_SETGID ~CAP_SETPCAP ~CAP_NET_ADMIN ~CAP_SYS_ADMIN ~CAP_SYS_PTRACE ";
+      SystemCallArchitectures = "native";
+      SystemCallFilter = "@system-service";
+      CapabilityBoundingSet = "~CAP_FSETID ~CAP_SETFCAP ~CAP_SETUID ~CAP_SETGID ~CAP_SETPCAP ~CAP_NET_ADMIN ~CAP_SYS_ADMIN ~CAP_SYS_PTRACE ";
+    };
   };
 
   fileSystems."/var/lib/nextcloud" = {

hosts/voyager/wireguard.nix

@@ -1,22 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-  port = 51820;
-  endpoint = "vpn.feal.no:51820";
-  publicKey = "ct2FBeSSt0u38tFMv61aVpGwdcJvXi1Q0sV0zCNH7xU=";
-in {
-  sops.secrets."wireguard/wg0/private" = {};
-
-  networking.firewall.allowedUDPPorts = [ port ];
-  networking.wireguard.interfaces.wg0 = {
-    ips = [ "10.100.0.2/24" ];
-    listenPort = port;
-    privateKeyFile = config.sops.secrets."wireguard/wg0/private".path;
-    peers = [
-      {
-        inherit endpoint publicKey;
-        allowedIPs = [ "10.100.0.0/24" ];
-        persistentKeepalive = 25;
-      }
-    ];
-  };
-}

secrets/voyager/voyager.yaml

@@ -10,10 +10,6 @@
 #ENC[AES256_GCM,data:fvJA2s0OEs7PDOr/,iv:HlO9MCqBHtz1Hm9tILlEsJ2gfgTPThmmyoCXlGyy/9Y=,tag:7L1Kl4RgAFG+WLvtk30nYQ==,type:comment]
 transmission:
     vpncreds: ENC[AES256_GCM,data:KWm6AGlJze0Of9Nkz0moaQCAXMwylsZ+BIZR4BnbuDRbjKRMJSWCOFBSbG3esGprLhoCnYwc9mghSeoP2AQRAT++sERpxX3JTHF9QuauNmhRWb1xLsOfQAu6vsA/0dTshQr8ivhJSnEz57rasdOraovYjVsRXd7cuclajPoS4nl3+1/IrSkAlxNzx8F0PMmyOrvoPVMmqQ4PcKFfkXc1f59O2iJ19Bmt/x5yIxU=,iv:VAYlqL8Pb5J4g+W3QClrgRftYw5UofXmG9cfEsZdLr4=,tag:zJIxYaGEedFjM8IsBfnQog==,type:str]
-wireguard:
-    wg0:
-        public: ENC[AES256_GCM,data:jKkYH9giZJ09/hFWF0UgM8TSvQ/qrkSbhCOhHG5Ze2WI8MLZaNzZMQSgWHM=,iv:VI48j/DzQez+L4oW2vUHj8FqDpTAd5P/71ih4D/3I54=,tag:9m23ruMSkFsTbxj9dAD9eg==,type:str]
-        private: ENC[AES256_GCM,data:XF89i1/TF5CpOvixwFDNOpke0YdWQDAMbvf/jOGR7iHKzz4OJu7K33lQbObT,iv:tVGdkkUU83Ba7VxHa7AJaIHFETp2Dy72dya3FDjnPZY=,tag:h9IJVeGnK7gABbu9hWZpww==,type:str]
 nextcloud:
     adminpass: ENC[AES256_GCM,data:r2Z6KsQ1hP90/Bf8J804a5D7BTS7,iv:f3TkiPVxw8lAPcyStWqOZuhF4p/5nUPkzL2j/yjsnyg=,tag:c2JWdxZUjkHQWNWDILBrRQ==,type:str]
 sops:
@@ -49,8 +45,8 @@ sops:
             NENEM2VLRDBzTWM0ckdPVThaeE0xL2MKTAvsDKgaoj0Fz9CoNbP6s1kROlDbbXtB
             4rFRGN+WZJrBioz5nN4kR7mVFKa4w6z6Pu3D5WLyK7UQQkZJ64avdw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-01-03T11:58:32Z"
+    lastmodified: "2024-02-08T13:44:57Z"
-    mac: ENC[AES256_GCM,data:17G+wUFH0yV9dQo7kLoMiI7UMBVfj8HbqE0p26/LZ5N0wbLyXKt5YdXQPG8rC22fgHdgePFgIl6qxI2KWgy0bwgBtg9kTxjaKDHkdEs8KKTxbjUXYeIp2JonIH9j3GgN/wa7kABr4QyhDmKhlLupi0ea2A51fDSuhYZDN2kl5As=,iv:XNhmnQJEww6PfHI80bl8LKoiiJdJQcezy71kQZx4oys=,tag:02+GjhSRxw4+qNNjlxPbqA==,type:str]
+    mac: ENC[AES256_GCM,data:oy6uBKFDm7J70OZuZtCziKeNkV5u9/RabGF2gXOONeHqFD/9jXhHsWIrDYrgwHPCyauJyAZqwnw/+wNUMNUzk25rM1iBaBJg0+mjUnFGBEhrAUJu8hSHl2EAHEauhzPqRS0L7bew75FmuGs56Wo58DkdvdnCjjs3XIAOj8kjv/g=,iv:/rbPS8xANKV9sSC7e1OAQuIeJK7OtlUMggxN/RW+GLs=,tag:5kE7m7ZrfIPF+ulCsiPLVQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1