Reopen some services to WAN

Lock down services to LAN
Migrate from WG to TS/HS
2025-05-22 09:49:28 -05:00 · 2025-04-22 13:41:00 -05:00 · 2025-04-22 13:41:00 -05:00 · 2025-04-22 13:41:00 -05:00 · 2025-04-22 13:41:00 -05:00 · 2024-12-28 21:55:24 -06:00
24 changed files with 216 additions and 280 deletions
--- a/README.md
+++ b/README.md
@ -39,13 +39,13 @@ This repository holds the configuration for my primary home server.
 ### Enter the developer shell without cloning the repository:
 ```
-$> nix develop git+https://git.eversole.co/eve-psr-nix0
+$> nix develop git+https://git.eversole.co/James/eve-psr-nix0
 $nix> # Success!
 ```
 The rest of the cheatsheet assumes you have entered the developer shell or are using direnv: 
 ```
-$> git clone https://git.eversole.co/eve-psr-nix0
+$> git clone https://git.eversole.co/James/eve-psr-nix0
 $> cd eve-psr-nix0
 $> nix develop
 $nix> # Success! Now we have our development dependencies.
--- a/flake.lock
+++ b/flake.lock
@ -10,11 +10,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1703433843,
+        "lastModified": 1736955230,
-        "narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=",
+        "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "417caa847f9383e111d1397039c9d4337d024bf0",
+        "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
        "type": "github"
      },
      "original": {
@ -48,11 +48,11 @@
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1702912615,
+        "lastModified": 1733148767,
-        "narHash": "sha256-qseX+/8drgwxOb1I3LKqBYMkmyeI5d5gmHqbZccR660=",
+        "narHash": "sha256-Ht5wD/n2I/tQWNgYIdmi3UQbm1FNwp9m9JmDjZEd6ng=",
        "owner": "aristanetworks",
        "repo": "nix-serve-ng",
-        "rev": "21e65cb4c62b5c9e3acc11c3c5e8197248fa46a4",
+        "rev": "6e8d82a451fccbaa4714da8f7a3db5907bdfa96d",
        "type": "github"
      },
      "original": {
@ -63,34 +63,31 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1705916986,
+        "lastModified": 1741332913,
-        "narHash": "sha256-iBpfltu6QvN4xMpen6jGGEb6jOqmmVQKUrXdOJ32u8w=",
+        "narHash": "sha256-ri1e8ZliWS3Jnp9yqpKApHaOo7KBN33W8ECAKA4teAQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "d7f206b723e42edb09d9d753020a84b3061a79d8",
+        "rev": "20755fa05115c84be00b04690630cb38f0a203ad",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
-        "ref": "nixos-23.11",
+        "ref": "nixos-24.11",
        "type": "indirect"
      }
    },
    "nixpkgs-lib": {
      "locked": {
-        "dir": "lib",
+        "lastModified": 1740877520,
-        "lastModified": 1703961334,
+        "narHash": "sha256-oiwv/ZK/2FhGxrCkQkB83i7GnWXPPLzoqFHpDD3uYpk=",
-        "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=",
+        "owner": "nix-community",
-        "owner": "NixOS",
+        "repo": "nixpkgs.lib",
-        "repo": "nixpkgs",
+        "rev": "147dee35aab2193b174e4c0868bd80ead5ce755c",
        "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9",
        "type": "github"
      },
      "original": {
-        "dir": "lib",
+        "owner": "nix-community",
-        "owner": "NixOS",
+        "repo": "nixpkgs.lib",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
@ -99,11 +96,11 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1704982712,
+        "lastModified": 1741352980,
-        "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=",
+        "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "07f6395285469419cf9d078f59b5b49993198c00",
+        "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -2,7 +2,7 @@
  description = "eve-psr-nix0 - Home Server";
  inputs = {
-    nixpkgs.url = "nixpkgs/nixos-23.11";
+    nixpkgs.url = "nixpkgs/nixos-24.11";
    agenix = {
      url = "github:ryantm/agenix";
      inputs.nixpkgs.follows = "nixpkgs";
@ -50,21 +50,21 @@
                    nix-serve-ng.nixosModules.default
                    ./nix/application/containers.nix
                    ./nix/application/headscale.nix
                    ./nix/application/miniflux.nix
                    ./nix/application/nginx.nix
                    ./nix/application/postgresql.nix
                    ./nix/monitoring/nginx.nix
                    ./nix/monitoring/grafana.nix
                    ./nix/monitoring/prometheus.nix
                    ./nix/monitoring/loki.nix
                    ./nix/monitoring/promtail.nix
                    ./nix/system/age.nix
                    ./nix/system/backups.nix
                    ./nix/system/dns.nix
                    ./nix/system/hardware.nix
                    ./nix/system/nix-conf.nix
                    ./nix/system/network.nix
                    ./nix/system/openvpn.nix
                    ./nix/system/overlays.nix
                    ./nix/system/security.nix
                    ./nix/system/system.nix
--- a/nix/application/containers.nix
+++ b/nix/application/containers.nix
@ -22,8 +22,46 @@
          [ config.age.secrets.atuin-env.path ];
      };
      gitea = {
        image = "docker.io/gitea/gitea:1.24.0-rc0-rootless";
        volumes = [ "/home/sezycei/srv/containerdata/gitea/data:/var/lib/gitea"
                    "/home/sezycei/srv/containerdata/gitea/config:/etc/gitea"
                  ];
        ports = [ "8027:3000" "23231:2222"];
        environment = 
          {
           GITEA_APP_INI = "/etc/gitea/app.ini";
           GITEA_CUSTOM = "/var/lib/gitea/custom";
           GITEA_TEMP = "/tmp/gitea";
           GITEA_WORK_DIR = "/var/lib/gitea";
           HOME = "/var/lib/gitea/git";
           TMPDIR = "/tmp/gitea";
           USER_GID = "1000";
           USER_UID = "1000";
          };
      };
      gitea-runner = {
        image = "docker.io/gitea/act_runner:latest";
        volumes = [ "/home/sezycei/srv/containerdata/gitea/runner/config.yaml:/config.yaml"
                    "/home/sezycei/srv/containerdata/gitea/runner/data:/data"
                    "/run/podman/podman.sock:/var/run/docker.sock"
                  ];
        environment = 
          {
            CONFIG_FILE = "/config.yaml";
            GITEA_INSTANCE_URL = "https://git.eversole.co";
            GITEA_RUNNER_REGISTRATION_TOKEN = "Rxl7OYPb4ysOmDZB3jnmzm7hJtQQYeaKHdn4jrbR";
            GITEA_RUNNER_NAME = "nix0-primary";
          };
      };
      jellyfin = {
-        image = "linuxserver/jellyfin:10.8.13";
+        image = "linuxserver/jellyfin:latest";
        ports = [ "8096:8096" "8920:8920" ];
        volumes = [
          "/home/sezycei/srv/containerdata/jellyfin/config:/config"
@ -93,36 +131,29 @@
        };
      };
      softserve = {
        image = "charmcli/soft-serve:v0.7.3";
        ports = [
          "23231:23231"
          "23232:23232"
          "23233:23233"
          "9418:9418"
        ];
        volumes = [ "/home/sezycei/srv/containerdata/soft-serve/data:/soft-serve" ];
        environment = {
          SOFT_SERVE_NAME = "git.eversole.co";
          SOFT_SERVE_HTTP_PUBLIC_URL = "git.eversole.co";
          SOFT_SERVE_GIT_MAX_CONNECTIONS = "5";
          SOFT_SERVE_INITIAL_ADMIN_KEYS = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCzsewMuoEbC0DwwNK23ZJb/ncpNtUuEgZNI2EdAsc7RnhIOhQBxj237qNMhh2mF/8hkASJZ2e4wrmNkjBM7aaz8mrcDY9rG23JMfnGiP4cU6dBC/NqHOuJypt6X28FI5I+dgw2T40sdIbkWAXOr5u5EAJcO6ROdas4zYSPHwl95s3txoGtQrQtgLHgddWMCr53n5KMwFUmqwM1ovVPZplZGaGG5m6VwBkjA0GZQPVFC+RIg6kIp9vUlsAlzPrlDqhTR32jazvaONNBsyUTuE+CJjitU4xoBs67jIFTcesMiFdThKt2HTq1AhXqiUgIfKaDvHfjzWLT8GihxDLpTBxS8G1qWlvkSja09nB/Pn1Y6XqgczM/y51OloowbvuskDZleFoapSYmJdq+rqSCoJ3JCykNGOcpdSBCucnDgR6CHEUPkJJoR0iCrK0ACEIxWhFuSterh/P8gxcH3e2PdcgxO8SfSBagdizOnDsWOw1SR8w6wVOLRrczMyx3hDXoabs= james@eversole.co";
        };
      };
      transmission = {
-        image = "haugene/transmission-openvpn:5";
+        image = "haugene/transmission-openvpn:5.3.1";
        ports = [ "9091:9091" ];
        volumes = [
          "/home/sezycei/srv/scripts/transmission/settings.json:/etc/transmission-daemon/settings.json"
          "/etc/localtime:/etc/localtime:ro"
          "/home/torrent/data:/data"
          "/home/sezycei/srv/scripts/transmission/custom-data:/etc/openvpn/custom"
        ];
        environmentFiles =
          [ config.age.secrets.transmission-env.path ];
        extraOptions = [ "--cap-add=NET_ADMIN" "--privileged" ];
      };
      vaultwarden = {
        image = "vaultwarden/server:1.33.2";
        ports = [ "40080:80" ];
        volumes = [
          "/home/sezycei/srv/containerdata/bitwarden/data:/data"
        ];
        environmentFiles = [ config.age.secrets.bitwarden-env.path ];
      };
    };
  };
 }
--- a/nix/application/headscale.nix
+++ b/nix/application/headscale.nix
@ -0,0 +1,23 @@
 { pkgs, config, ...}: {
  services.headscale = {
    enable = true;
    address = "0.0.0.0";
    port = 35893;
    settings = { 
      dns = {
        base_domain = "vpn.matri.cx";
        nameservers.global = ["192.168.0.130" "1.1.1.1"];
      };
      logtail.enabled = false; 
      noise.private_key_path = "/var/lib/headscale/noise_private.key";
      server_url = "https://vpn.matri.cx:443";
    };
  };
  services.tailscale = {
    enable = true;
    extraUpFlags = [
      "--accept-routes" "--advertise-exit-node" "--advertise-routes=192.168.0.0/24" "--login-server=https://vpn.matri.cx"
    ];
    useRoutingFeatures = "both";
  };
 }
--- a/nix/application/nginx.nix
+++ b/nix/application/nginx.nix
@ -33,23 +33,27 @@
          };
        };
-        proxiedLAN = { target }: base {
+        proxiedLAN = { target, extra ? ""}: base {
          "/" = {
            proxyPass = target;
-            extraConfig = ''
+            extraConfig = allowedLANAddrs + extra;
          };
        };
        allowedLANAddrs = ''
          allow 127.0.0.1;
          allow 192.168.0.0/24;
          allow 100.64.0.0/24;
          deny all;
        '';
          };
        };
      in
      {
        "default.host" = { default = true; root = "/var/www/default";};
        "atuin.matri.cx" = proxied { target = "http://127.0.0.1:8888"; };
        "cache.matri.cx" = proxiedLAN {
          target = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
        };
        "caitlynncox.com" = static { dir = "/var/www/caitlynncox.com"; };
        "dallasmed65.com" = static { dir = "/var/www/dallasmed65.com"; };
        "docker.matri.cx" = proxiedAuth {
          auth = config.age.secrets.htpasswd-dock.path;
          target = "http://127.0.0.1:3001";
@ -58,15 +62,26 @@
          '';
        };
        "eversole.co" = proxied { target = "http://127.0.0.1:5196"; };
-        "flux.matri.cx" = proxied { target = "http://127.0.0.1:26343"; };
+        "flux.matri.cx" = proxiedLAN { target = "http://127.0.0.1:26343"; };
-        "git.eversole.co" = {
+        "git.eversole.co" = proxied { target = "http://127.0.0.1:8027"; };
-          enableACME = true;
+        "graf.matri.cx" = { # refer to /monitoring/nginx.nix
-          forceSSL = true;
+          root = "/var/www/graf.matri.cx";
-          locations."/" = { root = "/var/www/git.eversole.co"; tryFiles = "$uri $uri/ @git"; };
+          extraConfig = allowedLANAddrs;
          locations."@git" = { proxyPass = "http://127.0.0.1:23232"; priority = 600; };
        };
-        "graf.matri.cx" = { root = "/var/www/graf.matri.cx"; }; # refer to /monitoring/nginx.nix
+        "home.matri.cx" = {
-        "hydra.matri.cx" = proxied {
+          forceSSL = true;
          enableACME = true;
          locations."/" = {
            proxyPass = "http://192.168.0.131:8123"; 
            proxyWebsockets = true;
            extraConfig = ''
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection $connection_upgrade;
            '';
          };
          extraConfig = allowedLANAddrs;
        };
        "hydra.matri.cx" = proxiedLAN {
          target = "http://127.0.0.1:3034";
          extra = ''
            proxy_set_header X-Request-Base "https://hydra.matri.cx";
@ -75,10 +90,19 @@
        "jame.su" = static { dir = "/var/www/jame.su"; };
        "matri.cx" = static { dir = "/var/www/matri.cx"; };
        "media.matri.cx" = proxied { target = "http://127.0.0.1:8096"; };
        "purr.eversole.co" = proxied { target = "http://127.0.0.1:5195"; };
        "pw.eversole.co" = proxied { target = "http://127.0.0.1:40080"; };
        "sezycei.com" = static { dir = "/var/www/sezycei.com"; };
        "snakebelmont.com" = static { dir = "/var/www/snakebelmont.com"; };
        "transmission.matri.cx" = proxiedLAN { target = "http://127.0.0.1:9091"; };
-        "purr.eversole.co" = proxied { target = "http://127.0.0.1:5195"; };
+        "vpn.matri.cx" = {
          forceSSL = true;
          enableACME = true;
          locations."/" = {
            proxyPass = "http://localhost:${toString config.services.headscale.port}";
            proxyWebsockets = true;
          };
        };
      };
  };
 }
--- a/nix/application/postgresql.nix
+++ b/nix/application/postgresql.nix
@ -0,0 +1,6 @@
 { pkgs, config, ...}: {
  services.postgresql = {
    enable = true;
    settings.port = 5432;
  };
 }
--- a/nix/monitoring/grafana.nix
+++ b/nix/monitoring/grafana.nix
@ -10,12 +10,6 @@
          access = "proxy";
          url = "http://127.0.0.1:${toString config.services.prometheus.port}";
        }
        {
          name = "Loki";
          type = "loki";
          access = "proxy";
          url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}";
        }
      ];
    };
    settings = {
--- a/nix/monitoring/loki.nix
+++ b/nix/monitoring/loki.nix
@ -1,76 +0,0 @@
 { config, pkgs, ... }: {
  services.loki = {
    enable = true;
    configuration = {
      server.http_listen_port = 6999;
      auth_enabled = false;
      ingester = {
        lifecycler = {
          address = "127.0.0.1";
          ring = {
            kvstore = {
              store = "inmemory";
            };
            replication_factor = 1;
          };
        };
        chunk_idle_period = "1h";
        max_chunk_age = "1h";
        chunk_target_size = 999999;
        chunk_retain_period = "30s";
        max_transfer_retries = 0;
      };
      schema_config = {
        configs = [{
          from = "2022-06-06";
          store = "boltdb-shipper";
          object_store = "filesystem";
          schema = "v11";
          index = {
            prefix = "index_";
            period = "24h";
          };
        }];
      };
      storage_config = {
        boltdb_shipper = {
          active_index_directory = "/var/lib/loki/boltdb-shipper-active";
          cache_location = "/var/lib/loki/boltdb-shipper-cache";
          cache_ttl = "24h";
          shared_store = "filesystem";
        };
        filesystem = {
          directory = "/var/lib/loki/chunks";
        };
      };
      limits_config = {
        reject_old_samples = true;
        reject_old_samples_max_age = "168h";
      };
      chunk_store_config = {
        max_look_back_period = "0s";
      };
      table_manager = {
        retention_deletes_enabled = false;
        retention_period = "0s";
      };
      compactor = {
        working_directory = "/var/lib/loki";
        shared_store = "filesystem";
        compactor_ring = {
          kvstore = {
            store = "inmemory";
          };
        };
      };
    };
  };
 }
--- a/nix/monitoring/nginx.nix
+++ b/nix/monitoring/nginx.nix
@ -16,16 +16,6 @@ in
          "127.0.0.1:${toString config.services.prometheus.port}" = { };
        };
      };
      "loki" = {
        servers = {
          "127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}" = { };
        };
      };
      "promtail" = {
        servers = {
          "127.0.0.1:${toString config.services.promtail.configuration.server.http_listen_port}" = { };
        };
      };
    };
    virtualHosts."graf.matri.cx" = {
@ -56,21 +46,5 @@ in
        port = 8020;
      }];
    };
    virtualHosts.loki = {
      locations."/".proxyPass = "http://loki";
      listen = [{
        addr = hostIP;
        port = 8030;
      }];
    };
    virtualHosts.promtail = {
      locations."/".proxyPass = "http://promtail";
      listen = [{
        addr = hostIP;
        port = 8031;
      }];
    };
  };
 }
--- a/nix/monitoring/promtail.nix
+++ b/nix/monitoring/promtail.nix
@ -1,31 +0,0 @@
 { config, pkgs, ... }: {
  services.promtail = {
    enable = true;
    configuration = {
      server = {
        http_listen_port = 6998;
        grpc_listen_port = 0;
      };
      positions = {
        filename = "/tmp/positions.yaml";
      };
      clients = [{
        url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
      }];
      scrape_configs = [{
        job_name = "journal";
        journal = {
          max_age = "12h";
          labels = {
            job = "systemd-journal";
            host = "pihole";
          };
        };
        relabel_configs = [{
          source_labels = [ "__journal__systemd_unit" ];
          target_label = "unit";
        }];
      }];
    };
  };
 }
--- a/nix/system/age.nix
+++ b/nix/system/age.nix
@ -3,7 +3,6 @@
    secrets = {
      atuin-env.file = ../../secrets/atuin-env.age;
      cache-key.file = ../../secrets/cache-key.age;
      gitlab-runner.file = ../../secrets/gitlab-runner.age;
      graf-email = {
        file = ../../secrets/graf-email.age;
        mode = "770";
@ -18,7 +17,11 @@
      };
      keys.file = ../../secrets/keys.age;
      miniflux.file = ../../secrets/miniflux.age;
      bitwarden-env.file = ../../secrets/bitwarden-env.age;
      transmission-env.file = ../../secrets/transmission-env.age;
      "restic/env".file = ../../secrets/restic/env.age;
      "restic/password".file = ../../secrets/restic/env.age;
      "restic/repo".file = ../../secrets/restic/env.age;
    };
    identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  };
--- a/nix/system/backups.nix
+++ b/nix/system/backups.nix
@ -0,0 +1,28 @@
 { pkgs, config, ...}: {
  services.restic.backups = {
    daily = {
      initialize = true;
      environmentFile = config.age.secrets."restic/env".path;
      passwordFile = config.age.secrets."restic/password".path;
      repository = "s3:https://s3.amazonaws.com/matricxbackups";
      paths = [
        "${config.users.users.sezycei.home}/srv"
        "${config.users.users.sezycei.home}/nix"
        "${config.users.users.sezycei.home}/keys"
        "${config.users.users.sezycei.home}/dev"
      ];
      exclude = [
        "*minecraft/OLD*"
      ];
      pruneOpts = [
        "--keep-daily 7"
        "--keep-weekly 5"
        "--keep-monthly 12"
      ];
    };
  };
 }
--- a/nix/system/dns.nix
+++ b/nix/system/dns.nix
@ -59,6 +59,12 @@
        }
      }
      *.ycombinator.com {
        template IN A  {
            answer "{{ .Name }} 0 IN A 127.0.0.1"
        }
      }
      wired.com {
        template IN A  {
            answer "{{ .Name }} 0 IN A 127.0.0.1"
--- a/nix/system/network.nix
+++ b/nix/system/network.nix
@ -1,15 +1,16 @@
-{ ... }: {
+{ config, ... }: {
  networking = {
    hostName = "eve-psr-nix0";
    firewall = {
-      allowedTCPPorts = [ 22 80 443 7860 23231 23232 23233 9418 3000 ];
+      allowedTCPPorts = [ 22 80 443 5000 23231 23232 23233 ];
-      allowedUDPPorts = [ 53 1194 ];
+      allowedUDPPorts = [ 53 51820 config.services.tailscale.port ];
-      trustedInterfaces = [ "tun0" ];
+      extraCommands = ''
-    };
+        iptables -t nat -A POSTROUTING -s 100.64.0.0/10 -o enp1s0 -j MASQUERADE
-    nat = {
+      '';
-      enable = true;
+      extraStopCommands = ''
-      externalInterface = "enp1s0";
+        iptables -t nat -D POSTROUTING -s 100.64.0.0/10 -o enp1s0 -j MASQUERADE
-      internalInterfaces = [ "tun0" ];
+      '';
    };
    nat.enable = true;
  };
 }
--- a/nix/system/openvpn.nix
+++ b/nix/system/openvpn.nix
@ -1,56 +0,0 @@
 { config, pkgs, ... }:
 let
  client-key = "/home/sezycei/srv/sec/openvpn/James/laptop.key";
  domain = "matri.cx";
  port = 1194;
 in
 {
  services.openvpn.servers.laptop.config = ''
    dev tun0
    proto udp
    ifconfig 10.8.0.1 10.8.0.2
    secret ${client-key}
    port ${toString port}
    cipher AES-256-CBC
    auth-nocache
    comp-lzo
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
  '';
  environment.etc."openvpn/laptop-client.ovpn" = {
    text = ''
      dev tun
      remote "${domain}"
      ifconfig 10.8.0.2 10.8.0.1
      port ${toString port}
      redirect-gateway def1
      cipher AES-256-CBC
      auth-nocache
      comp-lzo
      keepalive 10 60
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      secret [inline]
    '';
    mode = "600";
  };
  system.activationScripts.openvpn-addkey = ''
    f="/etc/openvpn/laptop-client.ovpn"
    if ! grep -q '<secret>' $f; then
      echo "appending secret key"
      echo "<secret>" >> $f
      cat ${client-key} >> $f
      echo "</secret>" >> $f
    fi
  '';
 }
--- a/nix/system/security.nix
+++ b/nix/system/security.nix
@ -1,6 +1,9 @@
 { ... }: {
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = true;
    };
  };
  security = {
--- a/secrets.nix
+++ b/secrets.nix
@ -8,10 +8,13 @@ in
 {
  "secrets/atuin-env.age" = { publicKeys = all; };
  "secrets/cache-key.age" = { publicKeys = all; };
  "secrets/gitlab-runner.age" = { publicKeys = all; };
  "secrets/graf-email.age" = { publicKeys = all; };
  "secrets/htpasswd-dock.age" = { publicKeys = all; };
  "secrets/keys.age" = { publicKeys = all; };
  "secrets/miniflux.age" = { publicKeys = all; };
  "secrets/bitwarden-env.age" = { publicKeys = all; };
  "secrets/transmission-env.age" = { publicKeys = all; };
  "secrets/restic/env.age" = { publicKeys = all; };
  "secrets/restic/repo.age" = { publicKeys = all; };
  "secrets/restic/password.age" = { publicKeys = all; };
 }
--- a/secrets/bitwarden-env.age
+++ b/secrets/bitwarden-env.age
--- a/secrets/gitlab-runner.age
+++ b/secrets/gitlab-runner.age
@ -1,11 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 dQ70Fw 1Y4XyvfewFemjm/3N6v2HKdO+kf3l9zWjR4gm+OL/Wo
 7G5Ipgr3ZjRBpQrKWQoqLhAGYk1lwyGZBLsbiGi5eNo
 -> ssh-ed25519 ZIoeGg pxNvqGCNvjT+6DrKIfZW0O28lKY7OKRtV5uvurhFWSk
 fGcCiYWChBAuHJ4764adKj+btYt410oaKtfDlJzfHR4
 -> A"-uU"q-grease p] \?3MHe D,
 xpBFoA2Gd3mh877T3WnAvfM6eaB4QF+PXltWXWb4vD28xAZCstZX7yFJ31W/ZUW1
 PcEj2vP/t4OpIRkjgBcrwi/iaaAOO4d1AH252iN9YlNVO0JJMWLcOxAB
 --- ewj86Tn8VoLJ44f8q8eKrtFvDLpLVmJfhPydTDsm5VY
 ir<EFBFBD><EFBFBD><EFBFBD>R<EFBFBD><EFBFBD>><3E>v<<3C><>g<EFBFBD>xh<78>><3E><><EFBFBD>j<>jg<6A>
 <EFBFBD>Y<EFBFBD> <20><><EFBFBD>1<EFBFBD>)R<><52>x<EFBFBD>C<EFBFBD><43>2<EFBFBD>'<02><><EFBFBD>,d﯈s(<28>0<EFBFBD><30><EFBFBD> '<27><><15>d<EFBFBD><64>LI<4C>fl<66>`g&<14><><EFBFBD>3<EFBFBD>h<EFBFBD>g<EFBFBD>A<EFBFBD>S<EFBFBD>(<28>j<EFBFBD>
--- a/secrets/restic/env.age
+++ b/secrets/restic/env.age
@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> ssh-ed25519 dQ70Fw hMZ1BRCxnZFhadsHa+UwDcB+kkVWbTh82EuqNJPZ5zs
 ESCOn4IDH8L69yNmE3vl9ORK0vKkIqG6dFTnawc9irg
 -> ssh-ed25519 ZIoeGg yluZnRqV6HL0TNvFqZCEIYW4W8f6f9EJ3K7nAz/dazE
 XpYM/h/jvO1MrS6v1PicZ4sTqCld84vhvXTI6AimnMU
 --- nLun26t45i7mAuT4w6JH3jbdPU8hjzINsHriqRA/T0o
 S<EFBFBD><11>9<EFBFBD><39>n<EFBFBD><1E>z<EFBFBD><7A><1F>u83<38><33>6#L<>[25<32>
 )<29><>{z(h<>ů<EFBFBD><C5AF><EFBFBD>'.$<24><>ދP<DE8B>Og<4F>]<5D><>=<0B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><10><13><>><3E><>y)<29><>]<5D>04<30>ē/<2F><02><><EFBFBD><EFBFBD>IW4<57><34>`R<><52><06>6a<7F>	B<><42><EFBFBD>8[~ʂo<CA82><6F><EFBFBD><EFBFBD><0B>m<EFBFBD>ͫ<EFBFBD>}<7D> ~<7E>aЫ@<40>Sʸ<53><CAB8><EFBFBD>ʈ<0C><><11>i<EFBFBD><69>sc,<2C>
 <EFBFBD><EFBFBD><EFBFBD>^<5E>G]|<7C><>N4<4E><34>-Ѫ<><D1AA>)Gb<47><62><EFBFBD>õ:<3A><><EFBFBD>0I<30><49>g<EFBFBD>G<1D><>\"<22>
 <EFBFBD>f
--- a/secrets/restic/password.age
+++ b/secrets/restic/password.age
@ -0,0 +1,7 @@
 age-encryption.org/v1
 -> ssh-ed25519 dQ70Fw SztmSLi86IFvNJY13Pu7qJC8LDXeoEZsbCLl78su6wg
 f/uDl6KymRxVngdnhEYOxiL9I0JUZCYI3XThrn57+YQ
 -> ssh-ed25519 ZIoeGg wzOmbThAqyO47PQ2wQY0MoNsXcyMkoi4/+wGY15Xfns
 UvMwHPWytwvf0hNMiDKdONo1u09pICQ6/7EtECYDWbw
 --- IS6+hxeJQ3yIphn7Q0XxZvO2Zn+F1bX7oIgkZSkCQHU
 <06><><0B><18><>\\w"<22><><EFBFBD><EFBFBD>Tp;<3B><>G<EFBFBD>e<EFBFBD><65><EFBFBD><EFBFBD><EFBFBD>=D<>f<EFBFBD>Y<EFBFBD>n<EFBFBD><6E>x<EFBFBD><K`<60><><EFBFBD>
--- a/secrets/restic/repo.age
+++ b/secrets/restic/repo.age
--- a/secrets/transmission-env.age
+++ b/secrets/transmission-env.age
Author	SHA1	Message	Date
James Eversole	fc3979e64b	Reopen some services to WAN	2025-05-22 09:49:28 -05:00
James Eversole	b27d748e30	Lock down services to LAN	2025-04-22 13:41:00 -05:00
James Eversole	2034274ee0	Migrate from WG to TS/HS	2025-04-22 13:41:00 -05:00
James Eversole	041bba5aeb	nix flake update; gitea runner	2025-04-22 13:41:00 -05:00
James Eversole	cff684720f	Enable gitea, remove softserve	2025-04-22 13:41:00 -05:00
James Eversole	f795bf54b3	Update references to git URL	2024-12-28 21:55:24 -06:00
James Eversole	4c24d3513d	Update README extension	2024-12-28 21:53:28 -06:00
James Eversole	60ca81f113	Nix flake update; container version updates	2024-12-25 18:59:40 -06:00
James Eversole	029653476f	NixOS 24.11 upgrade; drop OpenVPN for WireGuard; clean up open ports	2024-12-05 09:19:27 -06:00
James Eversole	ecfc60b2bb	Update soft-serve; nix flake update; disable password auth explicitly	2024-10-12 15:28:33 -05:00
James Eversole	83e4dd2ea7	Nix flake update; disable password auth in SSH	2024-08-29 13:17:19 -05:00
James Eversole	06c4c7bc13	Setup restic backup service; enable postgresql for general use	2024-08-14 22:19:20 -05:00
James Eversole	aa40c0c5e3	Add VaultWarden; update Transmission; reorder allowedTCPPorts	2024-08-07 10:02:50 -05:00
James Eversole	afbbe88620	nix flake update	2024-07-12 12:07:51 -05:00
James Eversole	baf6494a9c	Upgrade to 24.05; drop Loki/Promtail	2024-06-02 20:37:17 -05:00
James Eversole	a5dbee8755	Nix flake update; Add brohan.lol meme domain; update Jellyfin container	2024-05-31 14:13:13 -05:00
James Eversole	d317917453	Flake update; block Hacker News DNS; update Transmision VPN configuration	2024-04-12 10:21:46 -05:00