

19 files changed, 846 insertions(+), 0 deletions(-)
nix: setup vps
Author: Oleksandr Smirnov olexsmir@gmail.com
Committed at: 2026-01-17 18:45:10 +0200
Parent: 028a52d
A nix/flake.lock

@@ -0,0 +1,339 @@

+{ + "nodes": { + "actor-typeahead-src": { + "flake": false, + "locked": { + "lastModified": 1762835797, + "narHash": "sha256-heizoWUKDdar6ymfZTnj3ytcEv/L4d4fzSmtr0HlXsQ=", + "ref": "refs/heads/main", + "rev": "677fe7f743050a4e7f09d4a6f87bbf1325a06f6b", + "revCount": 6, + "type": "git", + "url": "https://tangled.org/@jakelazaroff.com/actor-typeahead" + }, + "original": { + "type": "git", + "url": "https://tangled.org/@jakelazaroff.com/actor-typeahead" + } + }, + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems" + }, + "locked": { + "lastModified": 1762618334, + "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=", + "owner": "ryantm", + "repo": "agenix", + "rev": "fcdea223397448d35d9b31f798479227e80183f6", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1744478979, + "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "43975d782b418ebf4969e9ccba82466728c2851b", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1766150702, + "narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=", + "owner": "nix-community", + "repo": "disko", + "rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1751685974, + "narHash": "sha256-NKw96t+BgHIYzHUjkTK95FqYRVKB8DHpVhefWSz/kTw=", + "rev": "549f2762aebeff29a2e5ece7a7dc0f955281a1d1", + "type": "tarball", + "url": 
"https://git.lix.systems/api/v1/repos/lix-project/flake-compat/archive/549f2762aebeff29a2e5ece7a7dc0f955281a1d1.tar.gz?rev=549f2762aebeff29a2e5ece7a7dc0f955281a1d1" + }, + "original": { + "type": "tarball", + "url": "https://git.lix.systems/lix-project/flake-compat/archive/main.tar.gz" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "gomod2nix": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": [ + "tangled", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1754078208, + "narHash": "sha256-YVoIFDCDpYuU3riaDEJ3xiGdPOtsx4sR5eTzHTytPV8=", + "owner": "nix-community", + "repo": "gomod2nix", + "rev": "7f963246a71626c7fc70b431a315c4388a0c95cf", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "gomod2nix", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1745494811, + "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "htmx-src": { + "flake": false, + "locked": { + "narHash": "sha256-nm6avZuEBg67SSyyZUhjpXVNstHHgUxrtBHqJgowU08=", + "type": "file", + "url": "https://unpkg.com/htmx.org@2.0.4/dist/htmx.min.js" + }, + "original": { + "type": "file", + "url": "https://unpkg.com/htmx.org@2.0.4/dist/htmx.min.js" + } + }, + "htmx-ws-src": { + "flake": false, + "locked": { + "narHash": "sha256-2fg6KyEJoO24q0fQqbz9RMaYNPQrMwpZh29tkSqdqGY=", + "type": "file", + 
"url": "https://cdn.jsdelivr.net/npm/htmx-ext-ws@2.0.2" + }, + "original": { + "type": "file", + "url": "https://cdn.jsdelivr.net/npm/htmx-ext-ws@2.0.2" + } + }, + "ibm-plex-mono-src": { + "flake": false, + "locked": { + "lastModified": 1731402384, + "narHash": "sha256-OwUmrPfEehLDz0fl2ChYLK8FQM2p0G1+EMrGsYEq+6g=", + "type": "tarball", + "url": "https://github.com/IBM/plex/releases/download/@ibm%2Fplex-mono@1.1.0/ibm-plex-mono.zip" + }, + "original": { + "type": "tarball", + "url": "https://github.com/IBM/plex/releases/download/@ibm%2Fplex-mono@1.1.0/ibm-plex-mono.zip" + } + }, + "indigo": { + "flake": false, + "locked": { + "lastModified": 1753693716, + "narHash": "sha256-DMIKnCJRODQXEHUxA+7mLzRALmnZhkkbHlFT2rCQYrE=", + "owner": "oppiliappan", + "repo": "indigo", + "rev": "5f170569da9360f57add450a278d73538092d8ca", + "type": "github" + }, + "original": { + "owner": "oppiliappan", + "repo": "indigo", + "type": "github" + } + }, + "inter-fonts-src": { + "flake": false, + "locked": { + "lastModified": 1731687360, + "narHash": "sha256-5vdKKvHAeZi6igrfpbOdhZlDX2/5+UvzlnCQV6DdqoQ=", + "type": "tarball", + "url": "https://github.com/rsms/inter/releases/download/v4.1/Inter-4.1.zip" + }, + "original": { + "type": "tarball", + "url": "https://github.com/rsms/inter/releases/download/v4.1/Inter-4.1.zip" + } + }, + "lucide-src": { + "flake": false, + "locked": { + "lastModified": 1754044466, + "narHash": "sha256-+exBR2OToB1iv7ZQI2S4B0lXA/QRvC9n6U99UxGpJGs=", + "type": "tarball", + "url": "https://github.com/lucide-icons/lucide/releases/download/0.536.0/lucide-icons-0.536.0.zip" + }, + "original": { + "type": "tarball", + "url": "https://github.com/lucide-icons/lucide/releases/download/0.536.0/lucide-icons-0.536.0.zip" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1768323494, + "narHash": "sha256-yBXJLE6WCtrGo7LKiB6NOt6nisBEEkguC/lq/rP3zRQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "2c3e5ec5df46d3aeee2a1da0bfedd74e21f4bf3a", + "type": "github" + }, + 
"original": { + "owner": "NixOS", + "ref": "nixos-25.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "agenix": "agenix", + "disko": "disko", + "nixpkgs": "nixpkgs", + "tangled": "tangled" + } + }, + "sqlite-lib-src": { + "flake": false, + "locked": { + "lastModified": 1706631843, + "narHash": "sha256-bJoMjirsBjm2Qk9KPiy3yV3+8b/POlYe76/FQbciHro=", + "type": "tarball", + "url": "https://sqlite.org/2024/sqlite-amalgamation-3450100.zip" + }, + "original": { + "type": "tarball", + "url": "https://sqlite.org/2024/sqlite-amalgamation-3450100.zip" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "tangled": { + "inputs": { + "actor-typeahead-src": "actor-typeahead-src", + "flake-compat": "flake-compat", + "gomod2nix": "gomod2nix", + "htmx-src": "htmx-src", + "htmx-ws-src": "htmx-ws-src", + "ibm-plex-mono-src": "ibm-plex-mono-src", + "indigo": "indigo", + "inter-fonts-src": "inter-fonts-src", + "lucide-src": "lucide-src", + "nixpkgs": [ + "nixpkgs" + ], + "sqlite-lib-src": "sqlite-lib-src" + }, + "locked": { + "lastModified": 1763627666, + "narHash": "sha256-t8UQ85/bPXrbFs3V/paFtQvv4lSrr2lszrdcgspuAaA=", + "ref": "refs/tags/v1.11.0-alpha", + "rev": "12ef7f8f63ee4a14a552ebed603802c79e4d72f8", + "revCount": 1678, + "type": "git", + "url": "https://tangled.org/@tangled.org/core" + }, + "original": { + "ref": 
"refs/tags/v1.11.0-alpha", + "type": "git", + "url": "https://tangled.org/@tangled.org/core" + } + } + }, + "root": "root", + "version": 7 +}
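--- a/nix/flake.nix
+++ b/nix/flake.nix
@@ -0,0 +1,39 @@
+{
+  description = "my nix";
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    tangled = {
+      url = "git+https://tangled.org/@tangled.org/core?ref=refs/tags/v1.11.0-alpha";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs =
+    {
+      nixpkgs,
+      agenix,
+      disko,
+      tangled,
+      ...
+    }:
+    {
+      nixosConfigurations."thought" = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = [
+          ./hosts/thought
+          agenix.nixosModules.default
+          disko.nixosModules.disko
+          tangled.nixosModules.knot
+          tangled.nixosModules.spindle
+        ];
+      };
+    };
+}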
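Review bot: `tangled.nixosModules.spindle` is added to the module list, but nothing in this commit sets any `services.tangled.spindle.*` option; only the knot is configured in `modules/tangled.nix`. If the spindle module's enable option defaults to false the import is inert, otherwise it would bring up an unconfigured service on the VPS — confirm which, and either configure it or drop the import until it is needed. Pinning `tangled` to `refs/tags/v1.11.0-alpha` and making every input follow `nixpkgs` is the right shape for a single-host flake.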
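--- a/nix/hosts/thought/configuration.nix
+++ b/nix/hosts/thought/configuration.nix
@@ -0,0 +1,81 @@
+{ pkgs, ... }:
+{
+  imports = [
+    ./disko-config.nix
+    ./hardware-configuration.nix
+  ];
+
+  system.stateVersion = "24.05";
+
+  swapDevices = [
+    {
+      device = "/swapfile";
+      size = 2048; # MB
+    }
+  ];
+
+  boot.loader.grub = {
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+  };
+
+  time.timeZone = "Europe/Kyiv";
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  networking = {
+    hostName = "vps";
+    useDHCP = true;
+    # Interface names will be auto-detected in hardware-configuration.nix
+    # Using generic DHCP setting
+    interfaces = { };
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        80
+        443
+        2222
+      ];
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    neovim
+    git
+    htop
+    tmux
+  ];
+
+  age.identityPaths = [ "/keys.txt" ]; # TODO: i dont like that i overwrites literally everything
+
+  services = {
+    caddy = {
+      enable = true;
+      package = pkgs.caddy.withPlugins {
+        plugins = [ "github.com/mholt/caddy-l4@v0.0.0-20260116154418-93f52b6a03ba" ];
+        hash = "sha256-s8D9p8k/Gote8s4fk0pv35R7aIwRi5ze7gbBHj+Fm8U=";
+      };
+    };
+    openssh = {
+      enable = true;
+      settings = {
+        PasswordAuthentication = false;
+        PermitRootLogin = "no";
+      };
+    };
+  };
+
+  nix = {
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 30d";
+    };
+    settings = {
+      auto-optimise-store = true;
+      experimental-features = [
+        "nix-command"
+        "flakes"
+      ];
+    };
+  };
+}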
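Review bot: The firewall opens 2222, but `services.openssh` keeps its default port 22 and its default `openFirewall = true`, so 22 is opened implicitly and 2222 is opened for a listener this commit never configures; either set `services.openssh.ports = [ 2222 ];` or drop 2222 from `allowedTCPPorts` (if it is meant for the tangled knot's git-over-SSH endpoint, that binding is not visible in this change). `age.identityPaths = [ "/keys.txt" ]` points secret decryption at an unmanaged file in the filesystem root, which is presumably what the TODO is about; agenix defaults to the host's `/etc/ssh/ssh_host_*_key` when openssh is enabled, so removing the line and adding the host key's public half to `secrets/secrets.nix` would keep the identity under the host's own key management. `PasswordAuthentication = false` and `PermitRootLogin = "no"` together with the pinned caddy plugin hash are good.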
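--- a/nix/hosts/thought/default.nix
+++ b/nix/hosts/thought/default.nix
@@ -0,0 +1,16 @@
+{ ... }:
+{
+  imports = [
+    ./digitalocean.nix
+    ./configuration.nix
+    ./hardware-configuration.nix
+
+    ../../users/q.nix
+
+    ../../modules/freshrss.nix
+    ../../modules/tangled.nix
+    ../../modules/moviefeed.nix
+    ../../modules/wireguard.nix
+    ../../modules/soju.nix
+  ];
+}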
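Review bot: `./hardware-configuration.nix` is imported here and again from `./configuration.nix`; the module system deduplicates same-path imports so it is harmless, but keeping it in one place avoids the appearance of two sources of truth. Since `configuration.nix` already lists both `./disko-config.nix` and `./hardware-configuration.nix`, the line can simply be dropped here.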
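--- a/nix/hosts/thought/digitalocean.nix
+++ b/nix/hosts/thought/digitalocean.nix
@@ -0,0 +1,70 @@
+{ lib, modulesPath, ... }:
+{
+  imports = [
+    "${modulesPath}/virtualisation/digital-ocean-config.nix"
+  ];
+
+  # do not use DHCP, as DigitalOcean provisions IPs using cloud-init
+  networking.useDHCP = lib.mkForce false;
+
+  # Disables all modules that do not work with NixOS
+  services.cloud-init = {
+    enable = true;
+    network.enable = true;
+    settings = {
+      datasource_list = [
+        "ConfigDrive"
+        "Digitalocean"
+      ];
+      datasource.ConfigDrive = { };
+      datasource.Digitalocean = { };
+      # Based on https://github.com/canonical/cloud-init/blob/main/config/cloud.cfg.tmpl
+      cloud_init_modules = [
+        "seed_random"
+        "bootcmd"
+        "write_files"
+        "growpart"
+        "resizefs"
+        "set_hostname"
+        "update_hostname"
+        # Not support on NixOS
+        #"update_etc_hosts"
+        # throws error
+        #"users-groups"
+        # tries to edit /etc/ssh/sshd_config
+        #"ssh"
+        "set_password"
+      ];
+      cloud_config_modules = [
+        "ssh-import-id"
+        "keyboard"
+        # doesn't work with nixos
+        #"locale"
+        "runcmd"
+        "disable_ec2_metadata"
+      ];
+      ## The modules that run in the 'final' stage
+      cloud_final_modules = [
+        "write_files_deferred"
+        "puppet"
+        "chef"
+        "ansible"
+        "mcollective"
+        "salt_minion"
+        "reset_rmc"
+        # install dotty agent fails
+        #"scripts_vendor"
+        "scripts_per_once"
+        "scripts_per_boot"
+        # /var/lib/cloud/scripts/per-instance/machine_id.sh has broken shebang
+        #"scripts_per_instance"
+        "scripts_user"
+        "ssh_authkey_fingerprints"
+        "keys_to_console"
+        "install_hotplug"
+        "phone_home"
+        "final_message"
+      ];
+    };
+  };
+}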
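Review bot: `networking.useDHCP = lib.mkForce false` silently overrides `useDHCP = true` and the "Using generic DHCP setting" comment in configuration.nix, so that comment is now wrong; remove the `useDHCP`/`interfaces = { }` lines there or replace the comment with `# addressing is provisioned by DigitalOcean cloud-init, see digitalocean.nix`. Likewise `set_hostname`/`update_hostname` stay enabled here while configuration.nix sets `networking.hostName = "vps"`, so the effective hostname presumably comes from droplet metadata — confirm which should win. The comment `# Disables all modules that do not work with NixOS` sits directly above `enable = true;`; something like `# cloud-init with an explicit module list; modules that do not work on NixOS are commented out below` describes what follows.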
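--- a/nix/hosts/thought/disko-config.nix
+++ b/nix/hosts/thought/disko-config.nix
@@ -0,0 +1,55 @@
+{ lib, ... }:
+{
+  disko.devices = {
+    disk.disk1 = {
+      device = lib.mkDefault "/dev/vda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "1M";
+            type = "EF02";
+          };
+          esp = {
+            name = "ESP";
+            size = "500M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+          root = {
+            name = "root";
+            size = "100%";
+            content = {
+              type = "lvm_pv";
+              vg = "pool";
+            };
+          };
+        };
+      };
+    };
+    lvm_vg = {
+      pool = {
+        type = "lvm_vg";
+        lvs = {
+          root = {
+            size = "100%FREE";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+              mountOptions = [
+                "defaults"
+              ];
+            };
+          };
+        };
+      };
+    };
+  };
+}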
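--- a/nix/hosts/thought/hardware-configuration.nix
+++ b/nix/hosts/thought/hardware-configuration.nix
@@ -0,0 +1,25 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens4.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}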
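--- a/nix/modules/freshrss.nix
+++ b/nix/modules/freshrss.nix
@@ -0,0 +1,34 @@
+{ config, pkgs, ... }:
+{
+  age.secrets.freshrss-olex = {
+    file = ../secrets/freshrss-olex.age;
+    owner = "freshrss";
+    group = "freshrss";
+  };
+
+  services.freshrss = {
+    enable = true;
+    defaultUser = "olex";
+    passwordFile = config.age.secrets.freshrss-olex.path;
+    webserver = "caddy";
+    virtualHost = "rss.olexsmir.xyz";
+    baseUrl = "https://rss.olexsmir.xyz";
+    extensions = [
+      pkgs.freshrss-extensions.reddit-image
+      (pkgs.stdenv.mkDerivation {
+        pname = "freshrss-official-extensions";
+        version = "unstable-2025-01-16";
+        src = pkgs.fetchFromGitHub {
+          owner = "FreshRSS";
+          repo = "Extensions";
+          rev = "3605f65b65e13ad818d4acbe337f7147feeb0970";
+          hash = "sha256-1c0d0szF21JHm/Sw16iSLPik3HIv2xjxKmvuAkLKqM0=";
+        };
+        installPhase = ''
+          mkdir -p $out/share/freshrss/extensions
+          cp -r xExtension-* $out/share/freshrss/extensions/
+        '';
+      })
+    ];
+  };
+}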
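--- a/nix/modules/moviefeed.nix
+++ b/nix/modules/moviefeed.nix
@@ -0,0 +1,39 @@
+{ pkgs, ... }:
+let
+  configFile = "/home/q/moviedfeed.yml";
+  version = "2bda86db";
+  moviefeed = pkgs.buildGoModule {
+    pname = "moviefeed";
+    inherit version;
+    vendorHash = "sha256-FWkYhhX/cZhF+ctgbYPhPRYcQZSLIL3zoaxqrbWZCcU=";
+    src = pkgs.fetchFromGitHub {
+      owner = "olexsmir";
+      repo = "moviefeed";
+      rev = version;
+      hash = "sha256-g05iqKH3g6Q536AF3Xb2zYx3jiLXybaavM7UB9Hu5Dg=";
+    };
+  };
+in
+{
+  services.caddy.virtualHosts."moviefeed.olexsmir.xyz".extraConfig = ''
+    reverse_proxy localhost:8000
+  '';
+
+  systemd.services.moviefeed = {
+    description = "moviefeed API server";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+
+    serviceConfig = {
+      Type = "simple";
+      User = "q";
+      Restart = "on-failure";
+      RestartSec = 2;
+      ExecStart = "${moviefeed}/bin/moviefeed --config ${configFile}";
+      NoNewPrivileges = true;
+      ProtectSystem = "strict";
+      ReadOnlyPaths = [ configFile ];
+    };
+  };
+}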
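Review bot: `ProtectSystem = "strict"` is undercut by running the unit as the interactive wheel user `q` with no `ProtectHome`, so the process keeps full read/write access to `/home/q` even though the only file it needs is the config; add `ProtectHome = "read-only";` and `PrivateTmp = true;` to the `serviceConfig` block, and consider a dedicated service user with the config under `/etc` or `/var/lib` so a bug in the API server cannot touch the admin's home and SSH keys. The path `/home/q/moviedfeed.yml` looks like a typo for `moviefeed.yml` — confirm against the file actually present on the host, since a missing config will just loop through `Restart = "on-failure"`. Pinning `src` by rev plus hash and `vendorHash` is the right supply-chain shape; the caddy `reverse_proxy localhost:8000` assumes the binary listens on 8000, which is not visible here.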
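--- a/nix/modules/soju.nix
+++ b/nix/modules/soju.nix
@@ -0,0 +1,32 @@
+{ ... }:
+let
+  domain = "irc.olexsmir.xyz";
+in
+{
+  networking.firewall.allowedTCPPorts = [ 6697 ];
+  services.caddy = {
+    virtualHosts.${domain}.extraConfig = ''
+      respond "irc bouncer"
+    '';
+    globalConfig = ''
+      layer4 {
+        :6697 {
+          route {
+            tls
+            proxy {
+              proxy_protocol v2
+              upstream localhost:6667
+            }
+          }
+        }
+      }
+    '';
+  };
+
+  services.soju = {
+    enable = true;
+    hostName = domain;
+    listen = [ "irc+insecure://localhost:6667" ];
+    acceptProxyIP = [ "localhost" ];
+  };
+}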
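--- a/nix/modules/tangled.nix
+++ b/nix/modules/tangled.nix
@@ -0,0 +1,16 @@
+{ ... }:
+{
+  services.caddy.virtualHosts."knot.olexsmir.xyz".extraConfig = ''
+    reverse_proxy localhost:5555
+  '';
+
+  services.tangled.knot = {
+    enable = true;
+    openFirewall = false;
+    motd = "i use arch btw\n";
+    server = {
+      owner = "did:plc:slhnamqkslwa5e5e5hrznbxr";
+      hostname = "knot.olexsmir.xyz";
+    };
+  };
+}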
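--- a/nix/modules/wireguard.nix
+++ b/nix/modules/wireguard.nix
@@ -0,0 +1,45 @@
+{ config, pkgs, ... }:
+{
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1;
+  };
+
+  networking.firewall.allowedUDPPorts = [ 51820 ];
+  networking.nat = {
+    enable = true;
+    externalInterface = "ens3";
+    internalInterfaces = [ "wg0" ];
+  };
+
+  age.secrets.wg-private-key = {
+    file = ../secrets/wg-private-key.age;
+  };
+
+  networking.wireguard.interfaces.wg0 = {
+    ips = [ "10.100.0.1/24" ];
+    listenPort = 51820;
+    privateKeyFile = config.age.secrets.wg-private-key.path;
+
+    # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+    # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+    postSetup = ''
+      ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
+    '';
+    postShutdown = ''
+      ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
+    '';
+
+    peers = [
+      {
+        # laptop
+        publicKey = "cF0abpqZiMrofQUgFHS4D+FuXq3ZoCPBQUlr6WuvBwM=";
+        allowedIPs = [ "10.100.0.2/32" ];
+      }
+      {
+        # phone
+        publicKey = "GodHMXUBh/0aEyz+XBJID7pm/Hi8xnZv6YzkQbl/Uwc=";
+        allowedIPs = [ "10.100.0.3/32" ];
+      }
+    ];
+  };
+}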
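Review bot: The `postSetup`/`postShutdown` MASQUERADE rules duplicate what `networking.nat` with `internalInterfaces = [ "wg0" ]` and `externalInterface = "ens3"` already installs, and `networking.nat.enable` most likely also turns on IPv4 forwarding, making the explicit `net.ipv4.ip_forward` sysctl redundant — keep one mechanism so a later change does not leave a stale rule behind. The interface name `ens3` is hard-coded in three places while hardware-configuration.nix only has it commented out and DigitalOcean's cloud-init configures addressing, so if the real name differs the masquerade silently matches nothing; a single `let externalIf = "ens3"; in` binding used by `networking.nat.externalInterface` would at least keep it in one spot. The `/32` peer scopes and the agenix-managed private key are the right shape.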
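--- a/nix/readme.txt
+++ b/nix/readme.txt
@@ -0,0 +1,9 @@
+nix
+---
+
+install:
+  nix run github:nix-community/nixos-anywhere -- ./hosts/thought/hardware-configuration.nix --flake .#thought --target-host root@<IP>
+  ssh q@IP
+  git clone https://github.com/olexsmir/dotfiles.git
+  cd dotfiles/nix
+  sudo nixos-rebuild switch --flake .#thought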
A nix/secrets/freshrss-olex.age

@@ -0,0 +1,8 @@

+age-encryption.org/v1 +-> ssh-ed25519 jgjvUw dIOnVUmbf9R0pl92JrlTDWa/htZQEUUPdTbNCKTa+S4 +R4unw/VGqtrNG/otzW3HjvgMtZK+RT7tqs6dZkLh3pc +-> X25519 E3+gKkjH6LkkYhnwE+9QbPiSYOEF3GJhbVXy2+mCDTM +IcwPmVZ8IOLhzJNUeMicC0cPmDym0TjFb7P8MHBwDNI +--- JF/k9Wyj6kIEX7F1SjkqiFlv8UFngZ4lJvVwWQ8425c +mr8M}2; -D~vMa9"T +:ڔV9
A nix/secrets/q-password.age

@@ -0,0 +1,7 @@

+age-encryption.org/v1 +-> ssh-ed25519 jgjvUw Yy4VmBRoL5acIbY+GMmg5qW9iTp9U/XZSvx12r3SzRU +rNNYDN0ikwrSJf8kKi0uLczMY39rg0Xi3MSvR9fAzYU +-> X25519 t9640/amrr9kdgjY9ALE0n6yoaqMGTCjjk0OxPmHwwM +x6nm6fXvrrRngMJVY8oGh8QJU0K5TBkl7S+v5E3k8iw +--- kM18cW1nk37CnZlFmdS0XAuCt6gHzazZ83X9iNuzb5w +XOb^Ye]yG-dM
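--- a/nix/secrets/secrets.nix
+++ b/nix/secrets/secrets.nix
@@ -0,0 +1,13 @@
+let
+  laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLLJdkVYKZgsayw+sHanKPKZbI0RMS2CakqBCEi5Trz";
+  infra = "age1k4e6mm0whyjzfaqlhahu2pst4vxvzul53xs3ff0tk8uty459zgzqk3965k";
+  allKeys = [
+    laptop
+    infra
+  ];
+in
+{
+  "q-password.age".publicKeys = allKeys;
+  "freshrss-olex.age".publicKeys = allKeys;
+  "wg-private-key.age".publicKeys = allKeys;
+}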
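Review bot: The `laptop` SSH public key here duplicates the first entry of `users/_sshkeys.nix`, so rotating that key means editing two files and a stale copy would quietly keep decrypting secrets; since this file is plain Nix, `laptop = builtins.head (import ../users/_sshkeys.nix);` keeps one source of truth. The `infra` age recipient is only usable if it matches the identity configuration.nix reads from `/keys.txt`, and nothing documents that link; a comment such as `# age recipient for the host identity in /keys.txt (age.identityPaths)` makes the rotation path obvious.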
A nix/secrets/wg-private-key.age

Not showing binary file.

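--- a/nix/users/_sshkeys.nix
+++ b/nix/users/_sshkeys.nix
@@ -0,0 +1,4 @@
+[
+  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLLJdkVYKZgsayw+sHanKPKZbI0RMS2CakqBCEi5Trz" # laptop
+  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINeXccmMQ9jfLG2Z8CITaZZ+pUgYVNVYDFtmdkBHd3xk u0_a930@localhost" # phone
+]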
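--- a/nix/users/q.nix
+++ b/nix/users/q.nix
@@ -0,0 +1,14 @@
+{ config, ... }:
+{
+  age.secrets.q-password.file = ../secrets/q-password.age;
+
+  users.users.q = {
+    isNormalUser = true;
+    extraGroups = [
+      "wheel"
+      "headscale"
+    ];
+    hashedPasswordFile = config.age.secrets.q-password.path;
+    openssh.authorizedKeys.keys = import ./_sshkeys.nix;
+  };
+}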
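Review bot: `extraGroups` adds `headscale`, but no headscale service or group is defined anywhere in this commit, so the membership is either a leftover from another host or depends on a module not shown; NixOS will most likely just warn about the unknown group at activation — confirm, and drop it or import the module that creates the group. Group membership is an access grant, so an unexplained entry next to `wheel` is worth a comment at minimum, e.g. `# headscale: grants access to the headscale control socket (service defined elsewhere)`. `wheel` plus an agenix-managed `hashedPasswordFile` and key-only SSH is fine as long as `security.sudo.wheelNeedsPassword` keeps its default.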