FlafyDev
diff --git a/‎flake.lock
Lines changed: 59 additions & 250 deletions b/‎flake.lock
Lines changed: 59 additions & 250 deletions
diff --git a/‎hosts/glint/default.nix
Lines changed: 4 additions & 1 deletion b/‎hosts/glint/default.nix
Lines changed: 4 additions & 1 deletion
diff --git a/‎hosts/glint/modules/networking.nix
Lines changed: 76 additions & 0 deletions b/‎hosts/glint/modules/networking.nix
Lines changed: 76 additions & 0 deletions
diff --git a/‎hosts/mane/modules/networking.nix
Lines changed: 43 additions & 25 deletions b/‎hosts/mane/modules/networking.nix
Lines changed: 43 additions & 25 deletions
diff --git a/‎hosts/mera/modules/networking.nix
Lines changed: 1 addition & 18 deletions b/‎hosts/mera/modules/networking.nix
Lines changed: 1 addition & 18 deletions
diff --git a/‎hosts/mera/modules/nginx-new.nix
Lines changed: 1 addition & 1 deletion b/‎hosts/mera/modules/nginx-new.nix
Lines changed: 1 addition & 1 deletion
diff --git a/‎hosts/mera/modules/showcase-server.nix
Lines changed: 61 additions & 38 deletions b/‎hosts/mera/modules/showcase-server.nix
Lines changed: 61 additions & 38 deletions
diff --git a/‎hosts/ope/modules/jellyfin.nix
Lines changed: 1 addition & 0 deletions b/‎hosts/ope/modules/jellyfin.nix
Lines changed: 1 addition & 0 deletions
@@ -1,3 +1,4 @@
+# TODO: glint rename to pika
 { config, pkgs, ssh, ... }:
 
 {
@@ -37,6 +38,8 @@
     gnome-software
   ];
 
+  games.enable = true;
+
   fonts.enable = true;
   printers.enable = true;
 
@@ -56,7 +59,7 @@
     vscode.enable = true;
     neovim.enable = true;
     cli-utils.enable = false;
-    transmission.enable = true;
+    transmission.enable = false;
     direnv.enable = true;
     fish.enable = true;
     foot.enable = true;
 
@@ -0,0 +1,76 @@
+{ssh, utils, lib, ...}: let
+  inherit (utils) domains resolveHostname;
+in {
+  networking.enable = true;
+
+  os.networking.networkmanager.enable = lib.mkForce true;
+  os.networking.networkmanager.unmanaged = [
+    "except-interface-name:wl*"
+  ];
+  os.systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
+  os.systemd.network = {
+    enable = true;
+    wait-online.enable = true;
+    networks = {
+      "50-wired" = {
+        enable = true;
+        matchConfig.Name = "en*";
+        networkConfig = {
+          DHCP = "yes";
+        };
+      };
+      # "50-wireless" = {
+      #   enable = true;
+      #   matchConfig.Name = "wl*";
+      #   networkConfig = {
+      #     DHCP = "yes";
+      #   };
+      # };
+      "50-wg_private" = {
+        matchConfig.Name = "wg_private";
+        networkConfig = {
+          Address = [[''${resolveHostname "glint.wg_private"}/24'']];
+          IPv6AcceptRA = false;
+          DHCP = "no";
+        };
+      };
+    };
+    netdevs = {
+      "50-wg_private" = {
+        netdevConfig = {
+          Name = "wg_private";
+          Kind = "wireguard";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = ssh.glint.glint_wg_private.private;
+        };
+        wireguardPeers = [
+          {
+            PublicKey = builtins.readFile ssh.mane.mane_wg_private.public;
+            AllowedIPs = [''${resolveHostname "mane.wg_private"}/32''];
+            Endpoint = "${resolveHostname domains.personal}:51821";
+            PersistentKeepalive = 25;
+          }
+          {
+            PublicKey = builtins.readFile ssh.ope.ope_wg_private.public;
+            AllowedIPs = [''${resolveHostname "ope.wg_private"}/32''];
+            Endpoint = "${resolveHostname domains.personal}:51822";
+            PersistentKeepalive = 25;
+          }
+        ];
+      };
+    };
+  };
+
+  os.networking.nftables.tables.filter = {
+    family = "inet";
+    content = ''
+      chain input {
+        type filter hook input priority 0; policy accept;
+        meta nftrace set 1
+        tcp dport 22 meta mark set 88  # SSH
+        iifname wg_private meta mark set 88
+      }
+    '';
+  };
+}
@@ -3,6 +3,18 @@
 in {
   networking.enable = true;
 
+  os.systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
+  os.systemd.network = {
+    enable = true;
+    wait-online.enable = true;
+    networks = {
+      "50-ens3" = {
+        matchConfig.Name = "ens3";
+        networkConfig.DHCP = "yes";
+      };
+    };
+  };
+
   # networking.notnft.namespaces.default.rules = with notnft.dsl; with payload; ruleset {
   #   filter = add table { family = f: f.inet; } {
   #     input = add chain { type = f: f.filter; hook = f: f.input; prio = 0; policy = f: f.accept; }
@@ -33,9 +45,10 @@ in {
         type filter hook input priority 0; policy accept;
         meta nftrace set 1
         tcp dport 22 meta mark set 88  # SSH
-        udp dport 51820 meta mark set 88  # Wireguard
+        udp dport 51820 meta mark set 88  # Wireguard wg_vps
+        udp dport 51821 meta mark set 88  # Wireguard wg_private
       }
-      
+
       chain prerouting {
         type nat hook prerouting priority -100; policy accept;
         meta nftrace set 1
@@ -44,6 +57,7 @@ in {
           8000
         } dnat ip to 10.10.10.11
         iifname "ens3" ip daddr ${resolveHostname domains.personal} tcp dport 8080 dnat ip to 10.10.10.10
+        iifname "ens3" ip daddr ${resolveHostname domains.personal} udp dport 51822 dnat ip to 10.10.10.10
       }
 
       chain postrouting {
@@ -71,29 +85,33 @@ in {
           }
         ];
       };
-      # wg_private = {
-      #   ips = ["10.10.11.1/24"];
-      #   listenPort = 51821;
-      #   privateKeyFile = ssh.mane.mane_wg_private.private;
-      #   peers = [
-      #     {
-      #       publicKey = builtins.readFile ssh.ope.ope_wg_private.public;
-      #       allowedIPs = ["10.10.11.10/32"];
-      #     }
-      #     {
-      #       publicKey = builtins.readFile ssh.mera.mera_wg_private.public;
-      #       allowedIPs = ["10.10.11.11/32"];
-      #     }
-      #     # {
-      #     #   publicKey = builtins.readFile ssh.mera.bara_wg_vps.public;
-      #     #   allowedIPs = ["10.10.11.12/32"];
-      #     # }
-      #     # {
-      #     #   publicKey = builtins.readFile ssh.mera.noro_wg_vps.public;
-      #     #   allowedIPs = ["10.10.11.13/32"];
-      #     # }
-      #   ];
-      # };
+      wg_private = {
+        ips = [''${resolveHostname "mane.wg_private"}/24''];
+        listenPort = 51821;
+        privateKeyFile = ssh.mane.mane_wg_private.private;
+        peers = [
+          {
+            publicKey = builtins.readFile ssh.ope.ope_wg_private.public;
+            allowedIPs = [''${resolveHostname "ope.wg_private"}/32''];
+          }
+          {
+            publicKey = builtins.readFile ssh.mera.mera_wg_private.public;
+            allowedIPs = [''${resolveHostname "mera.wg_private"}/32''];
+          }
+          {
+            publicKey = builtins.readFile ssh.glint.glint_wg_private.public;
+            allowedIPs = [''${resolveHostname "glint.wg_private"}/32''];
+          }
+          # {
+          #   publicKey = builtins.readFile ssh.mera.bara_wg_vps.public;
+          #   allowedIPs = ["10.10.11.12/32"];
+          # }
+          # {
+          #   publicKey = builtins.readFile ssh.mera.noro_wg_vps.public;
+          #   allowedIPs = ["10.10.11.13/32"];
+          # }
+        ];
+      };
     };
   };
 }
@@ -23,6 +23,7 @@ in
         type filter hook input priority 0; policy accept;
         tcp dport 22 meta mark set 88    # SSH
         tcp dport 5000 meta mark set 88  # Nextcloud
+        iifname enp4s0 tcp dport 5432 meta mark set 88  # Postgres
       }
     '';
   };
@@ -81,24 +82,6 @@ in
   };
 
   # os.networking = {
-  #   useNetworkd = false;
-
-  #   networkmanager = {
-  #     enable = false;
-  #   };
-
-  #   # I think can be deleted because of systemd.network
-  #   dhcpcd = {
-  #     wait = "background";
-  #     extraConfig = "noarp";
-  #   };
-
-  #   # I think can be deleted because of systemd.network
-  #   defaultGateway = {
-  #     interface = "enp4s0";
-  #     address = "10.0.0.138";
-  #   };
-
   #   wireguard = {
   #     enable = true;
   #     interfaces = {
 
@@ -89,7 +89,7 @@ in {
             "showcase.${domains.personal}" = {
               addSSL = true;
               locations."/" = {
-                proxyPass = "http://127.0.0.1:8080";
+                proxyPass = "http://10.10.15.1:8080";
               };
             };
             "emoji.${domains.personal}" = {
 
@@ -1,50 +1,73 @@
 _: {
-  os.environment.persistence = {
-    "/persist2" = {
-      hideMounts = true;
-      directories = [
-        {
-          directory = "/var/lib/showcase-server";
-          user = "root";
-          group = "root";
-        }
-      ];
+  services.postgres.comb = {
+    showcase = {
+      initSql = ''
+        CREATE ROLE "showcase" WITH LOGIN PASSWORD 'showcase';
+        CREATE DATABASE "showcase" WITH
+          OWNER "showcase"
+          TEMPLATE template0
+          ENCODING = "UTF8"
+          LC_COLLATE = "C"
+          LC_CTYPE = "C";
+      '';
     };
   };
 
-  containers.cShowcaseServer = {
-    autoStart = true;
-    extraFlags = ["--network-namespace-path=/run/netns/vpn"];
 
-    bindMounts = {
-      "/dev/dri".isReadOnly = false;
-      "/run/opengl-driver".isReadOnly = false;
-      "/run/user/1555".isReadOnly = false;
-      "/var/lib/showcase-server".isReadOnly = false;
+  os.services.showcaseServer = {
+    enable = true;
+    gdDir = "/persist2/var/lib/showcase-server/gd";
+    postgres = {
+      username = "showcase";
+      password = "showcase";
     };
+  };
 
-    # TODO: try true
-    ephemeral = false;
+  # os.environment.persistence = {
+  #   "/persist2" = {
+  #     hideMounts = true;
+  #     directories = [
+  #       {
+  #         directory = "/var/lib/showcase-server";
+  #         user = "root";
+  #         group = "root";
+  #       }
+  #     ];
+  #   };
+  # };
 
-    config = {lib, ...}: {
-      os = {
-        hardware.graphics.enable = true;
-        networking.firewall.enable = lib.mkForce false;
+  # containers.cShowcaseServer = {
+  #   autoStart = true;
+  #   extraFlags = ["--network-namespace-path=/run/netns/vpn"];
 
-        services.showcaseServer = {
-          enable = true;
-        };
+  #   bindMounts = {
+  #     "/dev/dri".isReadOnly = false;
+  #     "/run/opengl-driver".isReadOnly = false;
+  #     "/run/user/1555".isReadOnly = false;
+  #     "/var/lib/showcase-server".isReadOnly = false;
+  #   };
 
-        systemd.services.showcase-server = {
-          serviceConfig = {
-            Restart = "always";
-            RuntimeMaxSec = "1h";
-          };
-        };
+  #   # TODO: try true
+  #   ephemeral = false;
 
-        system.stateVersion = "24.05";
-      };
-    };
-  };
-}
+  #   config = {lib, ...}: {
+  #     os = {
+  #       hardware.graphics.enable = true;
+  #       networking.firewall.enable = lib.mkForce false;
 
+  #       services.showcaseServer = {
+  #         enable = true;
+  #       };
+
+  #       systemd.services.showcase-server = {
+  #         serviceConfig = {
+  #           Restart = "always";
+  #           RuntimeMaxSec = "1h";
+  #         };
+  #       };
+
+  #       system.stateVersion = "24.05";
+  #     };
+  #   };
+  # };
+}
@@ -3,6 +3,7 @@ _: {
 
   os.services.jellyfin = {
     enable = true;
+    group = "transmission";
   };
 
   os.users.users.jellyfin = {