feat: wireguard meshnet in server

flake.nix

@@ -66,6 +66,10 @@
     };
   };
 
+  nixConfig = {
+
+  };
+
   outputs =
     {
       nixpkgs,

home/server-default.nix

@@ -0,0 +1,32 @@
+{
+  nix-version,
+  username,
+  lib,
+  ...
+}:
+{
+  imports = [
+    ./user/bin.nix
+    ./user/config.nix
+    ./user/direnv.nix
+    ./user/environment.nix
+    ./user/git.nix
+    # ./user/gtk.nix
+    # ./user/hyprland.nix
+    ./user/nvim.nix
+    # ./user/programs.nix
+    ./user/shell.nix
+    # ./user/swaync.nix
+    # ./user/virtualization.nix
+  ];
+
+  home = {
+    inherit username;
+    homeDirectory = "/home/${username}";
+    stateVersion = nix-version;
+  };
+
+  # Let Home Manager install and manage itself.
+  programs.home-manager.enable = true;
+  programs.vscode.enable = lib.mkForce false;
+}

home/user/server-default.nix

@@ -1,27 +0,0 @@
-{ inputs, ... }:
-{
-  imports = [
-    ./git.nix
-    ./gtk.nix
-    ./shell.nix
-    ./config.nix
-    # ./packages.nix
-    ./programs.nix
-    ./environment.nix
-    ./virtualization.nix
-    ./hyprland.nix
-    ./swaync.nix
-    ./nvim.nix
-    ./bin.nix
-    ./desktops.nix
-    ./direnv.nix
-    inputs.hyprland.homeManagerModules.default
-  ];
-
-  nixpkgs = {
-    config = {
-      allowUnfree = true;
-      allowUnfreePredicate = _: true;
-    };
-  };
-}

home/user/shellAlias.nix

@@ -18,4 +18,8 @@
   setWin = "sudo bootctl set-oneshot auto-windows";
   goWin = "sudo bootctl set-oneshot auto-windows && reboot";
   goBios = "sudo bootctl set-oneshot auto-reboot-to-firmware-setup && reboot";
+
+  # TTY
+  hideTTY = ''sudo sh -c "echo 0 > /sys/class/graphics/fb0/blank"'';
+  showTTY = ''sudo sh -c "echo 1 > /sys/class/graphics/fb0/blank"'';
 }

system/dev/dn-pre7780/default.nix

@@ -36,13 +36,14 @@ in
       nvidia-bus-id = nvidia-bus-id;
     })
     ../../modules/gaming.nix
-    # ../../modules/wireguard.nix
+    ../../modules/wireguard.nix
     ../../modules/dn-ca.nix
     (import ../../modules/wallpaper-engine.nix {
       offload = nvidia-offload-enabled;
     })
     ../../modules/wine.nix
     ../../modules/secure-boot.nix
+    ../../modules/kubernetes.nix
   ];
 
   # Overrides
@@ -75,4 +76,11 @@ in
       ];
     };
   };
+
+  users.users = {
+    "${username}".openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJFQA42R3fZmjb9QnUgzzOTIXQBC+D2ravE/ZLvdjoOQ danny@lap.dn"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSHkPa6vmr5WBPXAazY16+Ph1Mqv9E24uLIf32oC2oH danny@phone.dn"
+    ];
+  };
 }

system/dev/dn-server/boot.nix

@@ -1,7 +1,7 @@
 { pkgs, ... }:
 
 {
-  boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot.kernelPackages = pkgs.linuxPackages;
 
   boot.loader.systemd-boot.enable = true;
 

system/dev/dn-server/default.nix

@@ -36,7 +36,7 @@ in
       intel-bus-id = intel-bus-id;
       nvidia-bus-id = nvidia-bus-id;
     })
-    ../../modules/wine.nix
+    # ../../modules/wine.nix
   ];
 
   # Overrides
@@ -64,7 +64,7 @@ in
     };
     users."${username}" = {
       imports = [
-        ../../../home
+        ../../../home/server-default.nix
       ];
     };
   };

system/dev/dn-server/hardware-configuration.nix

@@ -1,27 +1,44 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
 
 {
-  imports =
+  imports = [
-    [ (modulesPath + "/installer/scan/not-detected.nix")
+    (modulesPath + "/installer/scan/not-detected.nix")
   ];
 
-  boot.initrd.availableKernelModules = [ "vmd" "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.initrd.availableKernelModules = [
+    "vmd"
+    "xhci_pci"
+    "thunderbolt"
+    "nvme"
+    "usb_storage"
+    "sd_mod"
+    "rtsx_pci_sdmmc"
+  ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
+  fileSystems."/" = {
-    { device = "/dev/disk/by-uuid/6081efdb-aa4e-4f31-ac7e-bd4dffa768bc";
+    device = "/dev/disk/by-label/NIXROOT";
     fsType = "ext4";
   };
 
-  fileSystems."/boot" =
+  fileSystems."/boot" = {
-    { device = "/dev/disk/by-uuid/0185-B3AA";
+    device = "/dev/disk/by-label/NIXBOOT";
     fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+    ];
   };
 
   swapDevices = [ ];

system/dev/dn-server/networking.nix

@@ -3,17 +3,12 @@
 {
   networking = {
     networkmanager.enable = true;
-    enableIPv6 = false;
+    enableIPv6 = true;
     firewall = {
       enable = true;
       allowedTCPPorts = [
-        22
         443
         80
-        30072
-      ];
-      allowedUDPPorts = [
-        51820
       ];
     };
   };

system/dev/dn-server/packages.nix

@@ -1,5 +1,6 @@
 {
   pkgs,
+  inputs,
   ...
 }:
 {
@@ -76,5 +77,7 @@
     pkgs.gst_all_1.gst-libav
     pkgs.gst_all_1.gstreamer
     pkgs.gst_all_1.gst-plugins-good
+
+    inputs.ghostty.packages.${system}.default
   ];
 }

system/dev/dn-server/services.nix

@@ -1,14 +1,210 @@
 { username, pkgs, ... }:
 
+let
+  ethInterface = "enp0s31f6";
+  wlInterface = "wlp0s20f3";
+  sshPorts = [ 30072 ];
+  sshPortsString = builtins.concatStringsSep ", " (builtins.map (p: builtins.toString p) sshPorts);
+  personal = {
+    ip = "10.0.0.1/24";
+    interface = "wg0";
+    port = 51820;
+    range = "10.0.0.0/24";
+    full = "10.0.0.1/25";
+    restrict = "10.0.0.128/25";
+  };
+
+  kube = {
+    ip = "10.10.0.1/24";
+    range = "10.10.0.0/24";
+    interface = "wg1";
+    port = 51821;
+  };
+
+  allowedSSHIPs = builtins.concatStringsSep ", " [
+    "122.117.215.55"
+    "192.168.100.1/24"
+    personal.range
+  ];
+
+  fullRoute = [
     {
-  systemd.services.flatpak-repo = {
+      # Jonly
-    wantedBy = [ "multi-user.target" ];
+      dns = "jonly";
-    path = [ pkgs.flatpak ];
+      publicKey = "GAayY6p8ST3I66kFSGY3seaHhfkrc6atcrFu2C9BDDs=";
-    script = ''
+      allowedIPs = [ "10.0.0.5/32" ];
-      flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
+    }
+    {
+      # YC
+      dns = "yc";
+      publicKey = "5LfmjAg07ixmBCcsEn319UHqMRO3AdusXsoibGUqfQE=";
+      allowedIPs = [ "10.0.0.7/32" ];
+    }
+    {
+      # Tommy
+      dns = "tommy";
+      publicKey = "AxujfkiHLj09LoAXZl7yUf3fzyjorKOg8CfcJJvr2HQ=";
+      allowedIPs = [ "10.0.0.8/32" ];
+    }
+  ];
+  meshRoute = [
+    {
+      # pre7780.dn
+      dns = "pre7780";
+      publicKey = "WvvBRGbWUMUhSgodZNlhglacsWhMOTdHhJxcf81kTmQ=";
+      allowedIPs = [ "10.0.0.130/32" ];
+    }
+    {
+      # Skydrive
+      dns = "skydrive";
+      publicKey = "GceSQwI7XqYQw2oPmquuKdPqmt6KsYnoGuFoiaKRb0E=";
+      allowedIPs = [ "10.0.0.132/32" ];
+    }
+    {
+      # ken
+      dns = "ken";
+      publicKey = "iWjBGArok96mFzFHXYjTxwyRHGQ4U0V77txoi6WS2QU=";
+      allowedIPs = [ "10.0.0.134/32" ];
+    }
+    {
+      # lap.dn
+      dns = "lap";
+      publicKey = "Cm2AZU+zlv+ThMqah6WiLVxgPNvMHm9DEGd4PfywNWU=";
+      allowedIPs = [ "10.0.0.135/32" ];
+    }
+    {
+      # ahhaha
+      dns = "ahhaha";
+      publicKey = "PGBqCPLxaFd/+KqwrjF6B6lqxvpPKos0sst5gk8p8Bo=";
+      allowedIPs = [ "10.0.0.137/32" ];
+    }
+    {
+      # oreo
+      dns = "oreo";
+      publicKey = "GXHRZ9DmVg7VtuJdvcHOGFCuFqH2Kd/c+3unrq7e5SE=";
+      allowedIPs = [ "10.0.0.139/32" ];
+    }
+    {
+      # phone.dn
+      dns = "phone";
+      publicKey = "XiR4NZLdHyOvzt+fdYoFDW2s/Su8nlz8UgrVPLISdBY=";
+      allowedIPs = [ "10.0.0.140/32" ];
+    }
+  ];
+
+  dnsRecords =
+    with builtins;
+    concatStringsSep "\n" (
+      map (r: ''
+        ${r.dns}    IN     A      ${replaceStrings [ "/32" ] [ "" ] (elemAt r.allowedIPs 0)}
+      '') (fullRoute ++ meshRoute)
+    );
+in
+{
+  networking = {
+    nat = {
+      enable = true;
+      enableIPv6 = true;
+      externalInterface = ethInterface;
+      internalInterfaces = [
+        personal.interface
+        kube.interface
+      ];
+    };
+
+    firewall = {
+      allowedUDPPorts = [
+        53
+        personal.port
+        kube.port
+      ];
+      allowedTCPPorts = sshPorts ++ [ 53 ];
+    };
+
+    nftables = {
+      enable = true;
+      ruleset = ''
+        table inet wg-filter {
+          chain input {
+            type filter hook input priority 0; policy drop;
+
+            iif lo accept
+
+            meta nftrace set 1
+            meta l4proto { icmp, ipv6-icmp } accept
+
+            ct state vmap { invalid : drop, established : accept, related : accept }
+
+            udp dport 53 accept
+            tcp dport 53 accept
+
+            tcp dport { ${sshPortsString} } jump ssh-filter
+
+            iifname { ${ethInterface}, ${personal.interface}, ${kube.interface} } udp dport { ${builtins.toString personal.port}, ${builtins.toString kube.port} } accept
+            iifname ${personal.interface} ip saddr ${personal.ip} jump wg-subnet
+            iifname ${kube.interface} ip saddr ${kube.ip} jump kube-filter
+
+            counter reject
+          }
+
+          chain ssh-filter {
+            ip saddr { ${allowedSSHIPs} } accept
+            counter reject
+          }
+
+          chain forward {
+            type filter hook forward priority 0; policy drop;
+
+            meta l4proto { icmp, ipv6-icmp } accept
+
+            iifname ${personal.interface} ip saddr ${personal.ip} jump wg-subnet
+            iifname ${kube.interface} ip saddr ${kube.ip} jump kube-filter
+
+            counter
+          }
+
+          chain kube-filter {
+            ip saddr ${kube.ip} ip daddr ${kube.ip} accept
+            counter drop
+          }
+
+          chain wg-subnet {
+            ip saddr ${personal.full} accept
+            ip saddr ${personal.restrict} ip daddr ${personal.range} accept
+            counter drop
+          }
+
+          chain postrouting {
+            type nat hook postrouting priority 100; policy accept;
+            oifname ${ethInterface} masquerade
+          }
+        }
       '';
     };
 
+    wireguard = {
+      enable = true;
+      interfaces = {
+        ${personal.interface} = {
+          ips = [ personal.ip ];
+          listenPort = personal.port;
+          privateKeyFile = "/etc/wireguard/privatekey";
+          peers = builtins.map (r: {
+            publicKey = r.publicKey;
+            allowedIPs = r.allowedIPs;
+          }) (fullRoute ++ meshRoute);
+        };
+
+        ${kube.interface} = {
+          ips = [ kube.ip ];
+          listenPort = kube.port;
+          privateKeyFile = "/etc/wireguard/privatekey";
+          peers = [ ];
+        };
+      };
+    };
+  };
+
   services = {
     dbus.enable = true;
 
@@ -16,18 +212,54 @@
 
     openssh = {
       enable = true;
-      ports = [
+      ports = sshPorts;
-        22
-        30072
-      ];
       settings = {
-        PasswordAuthentication = true;
+        PasswordAuthentication = false;
-        AllowUsers = [ username ];
+        UseDns = false;
-        UseDns = true;
         PermitRootLogin = "yes";
       };
     };
 
+    bind = {
+      enable = true;
+      cacheNetworks = [
+        "127.0.0.0/24"
+        "::1/128"
+        personal.range
+        kube.range
+      ];
+      zones = {
+        "net.dn" = {
+          master = true;
+          allowQuery = [
+            "127.0.0.0/24"
+            "::1/128"
+            personal.range
+            kube.range
+          ];
+          file = pkgs.writeText "zone-net.dn" ''
+            $ORIGIN net.dn.
+            $TTL    1h
+            @           IN     SOA    server hostmaster (
+                                          1     ; Serial
+                                          3h    ; Refresh
+                                          1h    ; Retry
+                                          1w    ; Expire
+                                          1h)   ; Negative Cache TTL
+                        IN     NS     server
+                        IN     NS     phone
+            @           IN     A      10.0.0.1
+                        IN     AAAA   fe80::3319:e2bb:fc15:c9df
+                        IN     MX     10 mail
+                        IN     TXT    "v=spf1 mx"
+
+            server      IN     A      10.0.0.1
+            ${dnsRecords}
+          '';
+        };
+      };
+    };
+
     xserver = {
       enable = false;
       xkb.layout = "us";
@@ -37,11 +269,21 @@
     gvfs.enable = true;
     udisks2.enable = true;
     devmon.enable = true;
-
-    flatpak.enable = true;
   };
 
-  users.users.root.openssh.authorizedKeys.keys = [
+  users.users = {
+    root.openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBzLpMKn0Q24ACC6k/7lOX0FIdcFhq15NY6849yROeUK danny@dn-pre7780"
     ];
+
+    "${username}".openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSAOufpee7f8D8ONIIGU3qsN+8+DGO7BfZnEOTYqtQ5 danny@pre7780.dn"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJFQA42R3fZmjb9QnUgzzOTIXQBC+D2ravE/ZLvdjoOQ danny@lap.dn"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSHkPa6vmr5WBPXAazY16+Ph1Mqv9E24uLIf32oC2oH danny@phone.dn"
+    ];
+  };
+
+  nix.settings.trusted-users = [
+    username
+  ];
 }

system/modules/kubernetes.nix

@@ -0,0 +1,10 @@
+{
+  pkgs,
+  ...
+}:
+{
+  environment.systemPackages = with pkgs; [
+    minikube
+    kubectl
+  ];
+}

system/modules/server-default.nix

@@ -1,10 +1,8 @@
 { ... }:
 {
   imports = [
-    ./plymouth.nix # Boot splash
     ./fonts.nix
     ./hardware.nix
-    ./hyprland.nix
     ./internationalisation.nix
     ./misc.nix
     ./nixsettings.nix
@@ -12,10 +10,7 @@
     ./security.nix
     ./sound.nix
     ./time.nix
-    ./theme.nix
     ./users.nix
-    ./environment.nix
-    ./virtualization.nix
     ./gc.nix
     ./polkit.nix
     ./lsp.nix