
dotfiles @ efa0d02

my dotfiles
3 files changed, 17 insertions(+), 32 deletions(-)
nix: some formatting; some settings
Author: Oleksandr Smirnov olexsmir@gmail.com
Committed at: 2026-02-12 21:39:07 +0200
Parent: 7c73152
M nix/hosts/thought/configuration.nix

@@ -5,7 +5,7 @@ ./disko-config.nix

./hardware-configuration.nix ]; - system.stateVersion = "24.05"; + system.stateVersion = "25.11"; swapDevices = [ {
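Review bot: `system.stateVersion` is raised from "24.05" to "25.11" in this hunk, but the option records the release the host was first installed with and selects defaults for stateful data; it is not the release the system currently tracks. If this VPS was upgraded in place rather than reinstalled (the page does not say), the new value can switch services to defaults that no longer match the data already on disk. I would keep `system.stateVersion = "24.05";` and add a comment such as `# release of first install; do not bump on upgrade`.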

@@ -24,14 +24,10 @@ i18n.defaultLocale = "en_US.UTF-8";

networking = { hostName = "vps"; - useDHCP = true; - # Interface names will be auto-detected in hardware-configuration.nix - # Using generic DHCP setting interfaces = { }; firewall = { enable = true; allowedTCPPorts = [ - 22 80 443 2222

@@ -39,14 +35,7 @@ ];

}; }; - environment.systemPackages = with pkgs; [ - neovim - git - htop - tmux - ]; - - age.identityPaths = [ "/keys.txt" ]; # TODO: i dont like that i overwrites literally everything + age.identityPaths = [ "/keys.txt" ]; services = { caddy = {
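Review bot: The TODO on `age.identityPaths = [ "/keys.txt" ];` is dropped, but the line it annotated is unchanged. Presumably the TODO meant that setting this option replaces the default identity list, which leaves every agenix secret on the host, including the WireGuard private key referenced in wireguard.nix, dependent on one file at the filesystem root. Nothing on the page shows how that file is provisioned or what its ownership and mode are. I would leave a comment in place of the TODO, for example `# sole age identity for this host; root-owned, mode 0600, provisioned out of band`, and confirm that this matches the deployment.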

@@ -80,4 +69,10 @@ "flakes"

]; }; }; + + environment.systemPackages = with pkgs; [ + neovim + git + htop + ]; }
M nix/modules/mugit.nix

@@ -4,6 +4,7 @@ services.caddy.virtualHosts."git.olexsmir.xyz".extraConfig = ''

reverse_proxy localhost:8008 ''; + networking.firewall.allowedTCPPorts = [ 22 ]; services.mugit = { enable = true; openFirewall = true;
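Review bot: `networking.firewall.allowedTCPPorts = [ 22 ];` is added without a comment, directly above `openFirewall = true;` on `services.mugit`, so the hunk does not say which listener port 22 is opened for. The same commit removes 22 from the host's list in configuration.nix while leaving 2222 there, so port 22 is now reachable only when this module is imported. If 22 is mugit's SSH port, `openFirewall` may already cover it and the line is redundant; the mugit module is not on the page, so that needs confirming. If it is the host's sshd, the rule belongs with the host config. I would add a comment naming the service, such as `# 22: git over SSH (mugit); host sshd is on <port>`; the `services.mugit` block continues outside the hunk.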
M nix/modules/wireguard.nix

@@ -1,43 +1,32 @@

{ config, pkgs, ... }: { - boot.kernel.sysctl = { - "net.ipv4.ip_forward" = 1; - }; - networking.firewall.allowedUDPPorts = [ 51820 ]; + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; + networking.nat = { enable = true; externalInterface = "ens3"; internalInterfaces = [ "wg0" ]; }; - age.secrets.wg-private-key = { - file = ../secrets/wg-private-key.age; - }; + age.secrets.wg-private-key.file = ../secrets/wg-private-key.age; + networking.firewall.allowedUDPPorts = [ 51820 ]; networking.wireguard.interfaces.wg0 = { ips = [ "10.100.0.1/24" ]; listenPort = 51820; privateKeyFile = config.age.secrets.wg-private-key.path; - # This allows the wireguard server to route your traffic to the internet and hence be like a VPN - # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients - postSetup = '' - ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE - ''; - postShutdown = '' - ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE - ''; + postSetup = ''${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE''; + postShutdown = ''${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE''; peers = [ { - # laptop - publicKey = "cF0abpqZiMrofQUgFHS4D+FuXq3ZoCPBQUlr6WuvBwM="; + publicKey = "cF0abpqZiMrofQUgFHS4D+FuXq3ZoCPBQUlr6WuvBwM="; # laptop allowedIPs = [ "10.100.0.2/32" ]; } { - # phone - publicKey = "GodHMXUBh/0aEyz+XBJID7pm/Hi8xnZv6YzkQbl/Uwc="; + publicKey = "GodHMXUBh/0aEyz+XBJID7pm/Hi8xnZv6YzkQbl/Uwc="; # phone allowedIPs = [ "10.100.0.3/32" ]; } ];