feat: netbird

2026-01-08 14:21:53 +08:00 · 2026-01-08 14:21:53 +08:00 · ea118b7995
commit ea118b7995
parent 53b83b3471
64 changed files with 1088 additions and 665 deletions
--- a/system/dev/dn-lap/default.nix
+++ b/system/dev/dn-lap/default.nix
@ -23,6 +23,7 @@ in
    ./sops
    ./utility
    ./virtualisation
+    ./network
  ];

  users.users."${username}".openssh.authorizedKeys.keys = [
--- a/system/dev/dn-lap/network/default.nix
+++ b/system/dev/dn-lap/network/default.nix
@ -0,0 +1,5 @@
+{
+  imports = [
+    ../../../modules/netbird-client.nix
+  ];
+}
--- a/system/dev/dn-lap/sops/secret.yaml
+++ b/system/dev/dn-lap/sops/secret.yaml
@ -1,5 +1,7 @@
 wireguard:
    wg0.conf: ENC[AES256_GCM,data:9wegrw4ZbY+T/gNYi0gt4n6Db1/rRpsiqVbQr8QoYTwOiWBjKO2PGTTM5aK3khk5t2pYOTSqEBn5+5J/JYZpQ6nvJMcqn0+31KMuMT9/0akxOm112Tj31vOdBwRvSQVLBzmQtPABgMlV36lRtpVU71lwiNO4M33ygzL/tm7EMt0e75Nr9CZkGI7BGtnATBzbj3ysftsbFPF2iIgZ9fej4I78rJ1HavAsAgcrxksWAJjFZyFGWinkW4eiwDKlqBvRUW0tE8TF897ZmX90UnwXwjtyJcyJH6nzwrRDJgxR7uyRL/HIusmVZHCNSlo8dSaxAROXOw5ULjmQpXzzPAVUxw==,iv:FCv2ADYZXflBYuI9B9xvUSAYX8+v2Qf9EJjZ/TX27sA=,tag:caR4HS3yYrjNP1IzxgoOXA==,type:str]
+netbird:
+    wt0-setupKey: ENC[AES256_GCM,data:bj3w7lGMJ0ZPQpGF0nKuhPKNWb04xVr6wNqoFGNzPnEJ+Q+b,iv:0helVFJqu4TNFY6LTG7LpD3tqsArwJHWH2XnlpPKEZk=,tag:yGrExGSmliHXxKAHqiHK/g==,type:str]
 sops:
    age:
        - recipient: age1uvsvf5ljaezh5wze32p685kfentyle0l2mvysc67yvgct2h4850qqph9lv
@ -20,7 +22,7 @@ sops:
            V09NYXpBYXBtYWdBajJubmVFL2loY0EKJdYKQHPriOT0eouvRUiCyqLSTzugUZxl
            BFTwfCez1/K2ERKQkKsMfIARbHaI2SRyDxM2O1IJ+DOIJ2383K6Gvw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-19T12:39:58Z"
-    mac: ENC[AES256_GCM,data:tTvNyD6Lekc0RUIr9CpCjhWl2Gb9pHRubeoTrwceUCkm074EjYIzvqwiX5fzt6Cc5/H/k8NWJZBAoI3tOeCrXpo1Lbb0fCjGqxTldGN44pLR/5q9bdAxLom3EEqKiBBryVxqAkkm1a98UXPtnh+oDyaFsqTbS65LolEtFEbV/3U=,iv:J0gMlpWc9TVSCRxcdUnlXtNnmahvbc12EsLeFB4BJlY=,tag:h0EaNQ/sl+3sU9+g4ohjtw==,type:str]
+    lastmodified: "2026-01-06T08:39:04Z"
+    mac: ENC[AES256_GCM,data:xPMGZ7SUVih97hWeeARhoZVn4B8D/lNzLuxRRkQEG5PqdtXHwH9HVIHz6AG3Pc72aRKroGF0E2sidJU7WxIUde4IuoktecHq2e2e+tVLZWg50Y/keG7SMR5MamapCiYxK88a9vG4a8PYytSOFvF5DUUjKGkFJZOaelK+ydOPbek=,iv:lh+dwiBl26sEYpvXx6HtUwKs2Mz5F0hRKD4q2q1jlkI=,tag:+gDW5nRmBkjCryFTudyqMA==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/system/dev/dn-pre7780/common/boot.nix
+++ b/system/dev/dn-pre7780/common/boot.nix
@ -3,7 +3,7 @@
  ...
 }:
 {
-  boot.kernelPackages = pkgs.linuxPackages_6_17;
+  boot.kernelPackages = pkgs.linuxPackages_latest;

  fileSystems."/mnt/ssd" = {
    device = "/dev/disk/by-label/DN-SSD";
@ -19,6 +19,7 @@
      "uid=1000"
      "dmask=000"
      "fmask=000"
+      "exec"
    ];
  };

--- a/system/dev/dn-pre7780/default.nix
+++ b/system/dev/dn-pre7780/default.nix
@ -44,6 +44,7 @@ in
    ../public/dn
    ../public/dn/ntfy.nix
    ./expr
+    ./network
    ./common
    ./games
    ./home
@ -53,6 +54,7 @@ in
    ./virtualisation
    ../../modules/shells/noctalia
    ../../modules/sunshine.nix
+    ../../modules/secure-boot.nix
  ];

  # Live Sync D
--- a/system/dev/dn-pre7780/expr/default.nix
+++ b/system/dev/dn-pre7780/expr/default.nix
@ -1,6 +1,5 @@
 {
  imports = [
-    # ./netbird.nix
    # ./osx-kvm.nix
  ];
 }
--- a/system/dev/dn-pre7780/expr/netbird.nix
+++ b/system/dev/dn-pre7780/expr/netbird.nix
@ -1,65 +0,0 @@
-{
-  domain,
-  idpSecret,
-  dataStoreEncryptionKey,
-  coturnPassFile,
-  ...
-}:
-let
-  port = 51820;
-in
-{
-  services.netbird = {
-    server = {
-      enable = true;
-      domain = "netbird.${domain}";
-      enableNginx = true;
-      management = {
-        oidcConfigEndpoint = "https://keycloak.net.dn/realms/master/.well-known/openid-configuration";
-        settings = {
-          DataStoreEncryptionKey = {
-            _secret = dataStoreEncryptionKey;
-          };
-          TURNConfig = {
-            Secret = {
-              _secret = idpSecret;
-            };
-          };
-          IdpManagerConfig = {
-            ClientConfig = {
-              ClientID = "netbird-backend";
-              ClientSecret = {
-                _secret = idpSecret;
-              };
-            };
-          };
-        };
-      };
-      coturn = {
-        user = "netbird";
-        passwordFile = coturnPassFile;
-        enable = true;
-      };
-      dashboard.settings = {
-        USE_AUTH0 = false;
-        AUTH_AUTHORITY = "https://keycloak.net.dn/realms/master";
-        AUTH_CLIENT_ID = "netbird";
-        AUTH_AUDIENCE = "netbird";
-        AUTH_SUPPORTED_SCOPES = "openid profile email offline_access api";
-      };
-    };
-    clients.default = {
-      inherit port;
-      openFirewall = true;
-      name = "netbird";
-      interface = "wt0";
-      hardened = true;
-      dns-resolver.address = "10.0.0.1";
-    };
-  };
-
-  services.nginx.virtualHosts."netbird.${domain}" = {
-    enableACME = true;
-    forceSSL = true;
-  };
-}
--- a/system/dev/dn-pre7780/games/default.nix
+++ b/system/dev/dn-pre7780/games/default.nix
@ -1,6 +1,7 @@
 {
  imports = [
    ../../../modules/gaming.nix
-    ./game.nix
+    ./shadps4.nix
+    ./minecraft.nix
  ];
 }
--- a/system/dev/dn-pre7780/games/minecraft.nix
+++ b/system/dev/dn-pre7780/games/minecraft.nix
@ -0,0 +1,12 @@
+{ pkgs, ... }:
+{
+  home-manager.sharedModules = [
+    {
+      home.packages = with pkgs; [
+        prismlauncher
+        lsfg-vk
+        lsfg-vk-ui
+      ];
+    }
+  ];
+}
--- a/system/dev/dn-pre7780/games/shadps4.nix
+++ b/system/dev/dn-pre7780/games/shadps4.nix
--- a/system/dev/dn-pre7780/network/default.nix
+++ b/system/dev/dn-pre7780/network/default.nix
@ -0,0 +1,6 @@
+{
+  imports = [
+    ../../../modules/netbird-client.nix
+    # ../../../modules/wireguard.nix
+  ];
+}
--- a/system/dev/dn-pre7780/services/default.nix
+++ b/system/dev/dn-pre7780/services/default.nix
@ -3,8 +3,7 @@
    ../../../modules/postgresql.nix
    # ./mail.nix
    ./nginx.nix
-    ./wireguard.nix
+    # ./pangolin.nix
    # ./nextcloud.nix
-    # ./netbird.nix
  ];
 }
--- a/system/dev/dn-pre7780/services/netbird.nix
+++ b/system/dev/dn-pre7780/services/netbird.nix
@ -1,11 +0,0 @@
-{ config, ... }:
-{
-  imports = [
-    (import ../expr/netbird.nix {
-      domain = "pre7780.dn";
-      coturnPassFile = config.sops.secrets."netbird/coturn/password".path;
-      idpSecret = config.sops.secrets."netbird/oidc/secret".path;
-      dataStoreEncryptionKey = config.sops.secrets."netbird/dataStoreKey".path;
-    })
-  ];
-}
--- a/system/dev/dn-pre7780/services/pangolin.nix
+++ b/system/dev/dn-pre7780/services/pangolin.nix
@ -0,0 +1,48 @@
+{ config, lib, ... }:
+let
+  inherit (lib) mkForce;
+  secrets = config.sops.secrets;
+  domain = "net.dn";
+in
+{
+  sops.secrets = {
+    "pangolin/env" = { };
+    "pangolin/traefik" = {
+      key = "acme/pdns";
+    };
+  };
+
+  services.pangolin = {
+    enable = true;
+    openFirewall = true;
+    dashboardDomain = "auth.${domain}";
+    baseDomain = domain;
+
+    environmentFile = secrets."pangolin/env".path;
+    letsEncryptEmail = "danny@net.dn";
+    dnsProvider = "pdns";
+
+    settings = {
+      app = {
+        save_logs = true;
+      };
+      domains = {
+
+      };
+      traefik.prefer_wildcard_cert = true;
+    };
+  };
+
+  services.traefik = {
+    staticConfigOptions = {
+      certificatesResolvers.letsencrypt.acme = {
+        caServer = mkForce "https://ca.net.dn/acme/acme/directory";
+        dnsChallenge = {
+          provider = "pdns";
+          resolvers = [ "10.0.0.1:53" ];
+        };
+      };
+    };
+    environmentFiles = [ secrets."pangolin/traefik".path ];
+  };
+}
--- a/system/dev/dn-pre7780/services/wireguard.nix
+++ b/system/dev/dn-pre7780/services/wireguard.nix
@ -1,5 +0,0 @@
-{
-  imports = [
-    ../../../modules/wireguard.nix
-  ];
-}
--- a/system/dev/dn-pre7780/sops/secret.yaml
+++ b/system/dev/dn-pre7780/sops/secret.yaml
@ -1,11 +1,12 @@
 wireguard:
    wg0.conf: ENC[AES256_GCM,data:ozySeNEvkiLt9TGrZCrlJWKT5gcSlZ9T8AeXGO97SPgxI394eCQ/LOkVFl7AykhZvs7YkxMpZzAZxc0oNdTYuDlqfrNr0pqTUJmpX+5PVRmDb5z2MJvERktVkJ4LSvVodoYznDwT/y9q199AFKf3t4EoWuRyR/il6P8HuGVHXrKRYUrwuB4nuq1SIByY+8D2gzohFB/s6pSOPYy6/xCt0Nm+x0wmcdrlyOb0S+4WXlcou2ll98o9q2YDdVBKeW4jyUjFqXM2XzD0JXpAi9ZFlyzxyYNwa4oMYATyCBCH4BNHqe850QHEoCaOovioEdDH/tluB2X/891ixqzURypzbg==,iv:3Q5xOgGcg8/DIwHt4fHsQGtN8f2hGpVDtf47PcwW62I=,tag:SbJqhWi3+h1O5ZIOayDrUw==,type:str]
+netbird:
+    wt0-setupKey: ENC[AES256_GCM,data:166VX+rgzxhar+GFKxA5d8G3/9ewISdv2hUSwvbggyyjwwvE,iv:w8p4gDP6U0ZONX59t2dnglTC9S2dW2TX5A4OoCzRuzM=,tag:zf3jvlERJtM+osBd4ZQjMA==,type:str]
 dovecot:
    openldap: ENC[AES256_GCM,data:U3YYreEqoh+F0Mrli52jgQowrUqIUPmdQps=,iv:vTjHBFsue+89GOCDigVIktgGSZNZv8A2e3GM80o6TXc=,tag:GGh+hsT+yV/I12meXxflbQ==,type:str]
 nextcloud:
    adminPassword: ENC[AES256_GCM,data:69NrA/iP0sfrkdv8ahv7I+ZY,iv:/TXTs0fZw64HELdGr5CzgToO2L2G2mCNdN4Zexz8p+o=,tag:p2hNTxv1xdYmEJ6ZAO3w3Q==,type:str]
    whiteboard: ENC[AES256_GCM,data:qcZOLX1qJyciKm+4uuOVIopZXG70Jg9Grc07SCjG5ww9DK0myzdqlfWeZKdTsOyTBLMyCE9K7lC5rtBFeSv3ZeqkAUXTQt9QiAN05+tTpHk=,iv:v6fgSz/eh8MZANSbLbeSrKVOdX09pHYZ599BK8Ug2Lo=,tag:JTezfqrInm82K3gB0zpniw==,type:str]
-    signaling.conf: ENC[AES256_GCM,data:Ede61FM7k3VQHt4hO7O4UOE0p5nHk8lYsqaNWh8ZxfdGRJoMoLJYFcJs8nemAj1AGCh1Ep4ehtgQGcFfILUcek280m4paSIfaE2cwsI+1F+diXn98YmsmiR3swryw518gmfTZ7DrHlns7EWr/Udflz91F5+CKAuPNKtsYRSkB4KmJmEc4k2ioPus7hHEz/edLqA4mob/DuRXrWmFkDtlEj4I9aS5CJpyeDrsYoticnp5/QCWBnpxN2itqvbwjspid085Us7p4wbrM7Di/gPjj0D84Hw4biOLWSHm1oMRXqXIBP3ntPvvKJ2sKy7czcbeIGeJAIwEctStG7hqLAv3bfxiMn8DQ8eNp/xWw6tnwYklS4KCBJbDUucGvNcSx41JLCm+TShxaPIv/l6y+Z7Hkvri1WW2WSRvRsMFFEy3PrZLu0GstESYyARBrVdJ+OdaEtt3tthYLCUQcTT5xd484TTEyF9z3d5CBPC62BXZBdFRyEPD696nXV0ztVTBz2oWCmD6jHL0v+nTn3sojTDet0vmPo6o6cE0RqX6G/oVx+Y9l52QirFxOaNALk3R1l/lvXhDhlrAp8EldGhfnZf8y7X2HoC/XHQud9pA0N89Xrgp/Ak+9d+tRtmr4icLNVtwBg91md9P1tCyqPTUGR3JHc1KtmDHVI3NqgekUAmHrNRE5m633fchV2sTYSOfvdtL,iv:/xlMQoexPA9rXIlMd7bTQY1ojHuprBX/5quVSnNslvI=,tag:geAR+vPBmDB37/oSnnpqSA==,type:str]
 openldap:
    adminPassword: ENC[AES256_GCM,data:jEGuzgs5QTWfdyJenC3t3g==,iv:StfFOcvbDapnma6eAlpaGiBWnqiD3I/wfQsMBzufol0=,tag:892q7N4KrsSQoZYGy6CQrA==,type:str]
 lam:
@ -18,15 +19,13 @@ acme:
    pdns: ENC[AES256_GCM,data:eKnahc8HWboYCUpBuEUrdCMhN8A2N2VN0wrmzcyU2OfMeQaswIYSWV4sBzUbj/pono8PaVxK1FBKsn+Ycd4Y6tcxsAkbPfnPkOsbe0FJpz4t9RFLJBLw3U0YTE/TaURiDYipHnvPGYgyq3AziH/xa4WXZxLHGI0x+a/y3PpWy37rT87DWUT2kktPshdO7Mbwn7nSC78WByXmyaUMkT74Sc0FNmCgfijrHk/ATXGb,iv:y3eRZXFbqqf4VuuqHHYdIoiEa1zqRU1XIlEqooJ28lU=,tag:2bIALJFGZyIZT7fyo/y5Nw==,type:str]
 cloudflare:
    secret: ENC[AES256_GCM,data:Ktk7BtyjaDeOc4Okflz/ZBYpJ7Uy1SeEBV6ofWcToZsvCDT6aTVxGrAKEHIE/eknvnyWOFeSQv/z/Q==,iv:x2ymbLwa1E2FzdomISeyhchya5bowgieO/XuOnoi81w=,tag:Nj+1DRnbvcwiLiEeu2WaRQ==,type:str]
-netbird:
-    oidc:
-        secret: ENC[AES256_GCM,data:hSVMUEBL0kCvRLD3zd57SLhNIAFOR4eaJPcIIIIUJng=,iv:VhfseftQNlXSDCWuaYQUIklMUCkUbChyWbJl3qgD75M=,tag:vbqov0VgA0XNZfzcr3FZgA==,type:str]
-    dataStoreKey: ENC[AES256_GCM,data:vV2wgo5qFS+DC1NmOjVddZW9HAsRMpUFH+t/70iQ3A5YXkhbWoCeSxZDyAg=,iv:tKqh28qj8gqHfcb44Ej731w6NKi29X4iEwIOQ4ZcCzA=,tag:ObAxVrUctm6pbmXSQw7j5w==,type:str]
 crowdsec:
    lapi.yaml: ENC[AES256_GCM,data:BpDlz/liFYVZTA66TMWDifGfT4R9l0W9/LOU33rrPVC4YKeFbB1gIxqkUOEDl8fxsou5Jx/MQivyz90lE8yxbcGV/Zzx4ZJaHN+jz6mfM6mADEWp/nUcfO9tECijOhPPYt/8aE3py38NlFZuafZ2CwdL7RmDX7YCjpiIYxXaIjSv61WPD1SLkOkusnoA7bJZ2xmJ/dfEMXEA4LCCOfGQ,iv:922rrz94pD3/R1kGlQyIFkoq/fRSyxaIQ5qllldQMCY=,tag:AAPlwiQP4KMzHZmcMH76AQ==,type:str]
    capi.yaml: ENC[AES256_GCM,data:UuBESeHfKEPSIzP7RPNES0BVWwJsmPqLP3QJbAeAcm6eQ3sRzUSrVxY8A2yoiLD2lnuJPy2BbYHJpBR7VSfs7oUCc7LljgAp1uB2GH1y8YE46xJLo0TDp873bZJdcsO00ozsbtmWlGWJm7HLrzIUEe0mAjBzZeXe1WDJByGeVqupNLwpXSMaos2ktHjXA6hTGAdE5iIxBAXI6qjldWjRnlqE,iv:hZ2nUaOipU7Top0vsn23yU0XWP9SKcoj85xFo5hD/mU=,tag:32E2o+FOJXM9aMnLQA6KYA==,type:str]
    consoleToken: ENC[AES256_GCM,data:Q6QWWwcvLd8+ddwPMBzyB+X4gh8I53qSLA==,iv:JD48L59nQYttglAfuKL/lNBzWgBfj01rkIeP8pqmo70=,tag:6cxsQViDGuzjScKkBuO4Bw==,type:str]
 rspamd: ENC[AES256_GCM,data:8DryYdMyhzBqwqcbYUQ=,iv:5w21u3xqshRSf8IJbG16/Gf6AC2Zw6VnI3MOchN+w8A=,tag:OiiYUDT69SZObgOh1qCL0g==,type:str]
+pangolin:
+    env: ENC[AES256_GCM,data:f5Pq+DE9PeRyOKeygREuovlqOMhe/bmTOrBA7Px3Oq+pWG5kGwnxqDdP/PwawJAskQPC9LN+QP6hIPNrJbPyxtk87hoRMb/3X0ggOw==,iv:yqqQizPwf3EfCelczf/7piH9kYiAwGLTtassvQ8oXNs=,tag:UzVuKIS8WZNAHgpLkzc9XA==,type:str]
 sops:
    age:
        - recipient: age1uvsvf5ljaezh5wze32p685kfentyle0l2mvysc67yvgct2h4850qqph9lv
@ -38,7 +37,7 @@ sops:
            MEdmWkFwNXZoR1ZVRnQ0aWlkYzZwSmsK0EFecUIdqlDKX08oRCoDQQ3QCX1wzb8w
            lghDJhWlfuKr+X24GoE4UK04aJVLqVMRRI4BJW+LQXeHS+dWKu3mQA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-19T12:39:37Z"
-    mac: ENC[AES256_GCM,data:JSwphdjAfZcLSuctzruwVjBQXhbQKnEda93KlrH8eoSJcFXBRCMz0v+HY2nBlrC9lwp9vgT3HnGmR6hIPi48UtyxYcGOJy33OY4M1it0WGE2r8Ikg++5cBUtacK4QdwuMCADhNT5ZHs5T7UUX0GMLeqAtrcJ3FKt+4+catsOvnE=,iv:7ZTi86IkbScizZlOCk+uXDyWzrFDsLRuLuzjUFsMFR0=,tag:3/i7BZ8XYALj7RYj4dIUgA==,type:str]
+    lastmodified: "2026-01-07T08:17:20Z"
+    mac: ENC[AES256_GCM,data:M9hBNU2KetaGEhJnYW10nWEWetFWs9c5gPN/0W6UIOsP2Y9E2d8J09Ary9O9z6TjjxqkS+H15SQfo6bjuc19jSwtdQ/scqy9nV1H0pOEHzWj8zG/bzC71WmwhZbx4+1cK83HYS9pJhzbO+5tbOK75GwJscXAhXKDzzNBmTW2Y3U=,iv:qozD5Z2uiI5vFApsRVkjiXLOPATs3VV0PDk5szX+mrc=,tag:WpM+Ab9U2q9GR0qvyMZO8w==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/system/dev/dn-pre7780/sops/sops-conf.nix
+++ b/system/dev/dn-pre7780/sops/sops-conf.nix
@ -7,17 +7,6 @@ in
    secrets = {
      "lam/env" = { };

-      "netbird/oidc/secret" = mkIf config.services.netbird.server.dashboard.enable {
-        owner = "netbird";
-      };
-
-      "netbird/coturn/password" = mkIf config.services.netbird.server.coturn.enable {
-        owner = "turnserver";
-        key = "netbird/oidc/secret";
-      };
-      "netbird/dataStoreKey" = mkIf config.services.netbird.server.management.enable {
-        owner = "netbird";
-      };
      "acme/pdns" = mkIf (hasAttr "acme" config.users.users) {
        owner = "acme";
      };
--- a/system/dev/dn-server/common/backup.nix
+++ b/system/dev/dn-server/common/backup.nix
@ -67,6 +67,7 @@ in
      "roundcube"
      "grafana"
      "crowdsec"
+      "netbird"
    ];
    location = "${backupPath}/postgresql";
  };
--- a/system/dev/dn-server/default.nix
+++ b/system/dev/dn-server/default.nix
@ -17,11 +17,9 @@ in
        "maps.rspamd.com"
        "cdn-hub.crowdsec.net"
        "api.crowdsec.net"
-        "mx1.daccc.info"
        "mx1.dnywe.com"
      ];
      allowedIPs = [
-        "10.0.0.0/24"
        "127.0.0.1"
        # CrowdSec
        "52.51.161.146"
--- a/system/dev/dn-server/network/default.nix
+++ b/system/dev/dn-server/network/default.nix
@ -3,5 +3,6 @@
    ./nginx.nix
    ./services.nix
    ./step-ca.nix
+    ./wireguard.nix
  ];
 }
--- a/system/dev/dn-server/network/nginx.nix
+++ b/system/dev/dn-server/network/nginx.nix
@ -64,14 +64,6 @@

        locations."/".proxyPass = "http://10.0.0.130:8001/phone.html";
      };
-
-      "ca.net.dn" = {
-        enableACME = true;
-        forceSSL = true;
-        locations."/" = {
-          proxyPass = "https://10.0.0.1:8443/";
-        };
-      };
    };
  };
 }
--- a/system/dev/dn-server/network/services.nix
+++ b/system/dev/dn-server/network/services.nix
@ -6,8 +6,9 @@
 }:
 let
  inherit (config.systemConf) username security;
-  inherit (lib) concatStringsSep;
+  inherit (lib) concatStringsSep mkForce optionalString;
  inherit (helper.nftables) mkElementsStatement;
+  netbirdCfg = config.services.netbird;

  ethInterface = "enp0s31f6";
  sshPorts = [ 30072 ];
@ -23,19 +24,16 @@ let
    restrict = "10.0.0.128/25";
  };

-  kube = {
-    ip = "10.10.0.1/24";
-    range = "10.10.0.0/24";
+  infra = {
+    ip = "10.10.0.2/32";
    interface = "wg1";
-    port = 51821;
-    masterIP = "10.10.0.1";
-    masterHostname = "api-kube.${config.networking.domain}";
-    masterAPIServerPort = 6443;
+    range = "10.10.0.0/24";
  };

  allowedSSHIPs = concatStringsSep ", " [
    "122.117.215.55"
    "192.168.100.1/24"
+    "100.64.0.0/16"
    personal.range
  ];

@ -168,6 +166,13 @@ let
  ];
 in
 {
+  systemConf.security.allowedIPs = [
+    "10.10.0.0/24"
+    "10.0.0.0/24"
+  ];
+
+  services.resolved.enable = mkForce false;
+
  networking = {
    nat = {
      enable = true;
@ -175,7 +180,6 @@ in
      externalInterface = ethInterface;
      internalInterfaces = [
        personal.interface
-        kube.interface
      ];
    };

@ -183,15 +187,12 @@ in
      allowedUDPPorts = [
        53
        personal.port
-        kube.port
        25565
-        kube.masterAPIServerPort
        5359
      ];
      allowedTCPPorts = sshPorts ++ [
        53
        25565
-        kube.masterAPIServerPort
        5359
      ];
    };
@ -235,9 +236,10 @@ in

              tcp dport { ${sshPortsString} } jump ssh-filter

-              iifname { ${ethInterface}, ${personal.interface}, ${kube.interface} } udp dport { ${toString personal.port}, ${toString kube.port} } accept
-              iifname ${personal.interface} ip saddr ${personal.ip} jump wg-subnet
-              iifname ${kube.interface} ip saddr ${kube.ip} jump kube-filter
+              iifname { ${ethInterface}, ${personal.interface} } udp dport { ${toString personal.port}  } accept
+              iifname ${infra.interface} ip saddr ${infra.range} accept
+              iifname ${personal.interface} ip saddr ${personal.range} jump wg-subnet
+              iifname ${netbirdCfg.clients.wt0.interface} accept

              drop
            }
@ -251,6 +253,11 @@ in
              udp dport 53 accept
              tcp dport 53 accept

+              # Allow UDP hole punching
+              ${optionalString (
+                netbirdCfg.clients ? wt0
+              ) ''udp sport ${toString netbirdCfg.clients.wt0.port} accept''}
+
              meta skuid ${toString config.users.users.systemd-timesync.uid} accept

              ct state vmap { invalid : drop, established : accept, related : accept }
@ -273,16 +280,11 @@ in
              meta l4proto { icmp, ipv6-icmp } accept

              iifname ${personal.interface} ip saddr ${personal.ip} jump wg-subnet
-              iifname ${kube.interface} ip saddr ${kube.ip} jump kube-filter
+              iifname ${infra.interface} ip saddr ${infra.ip} accept

              counter
            }

-            chain kube-filter {
-              ip saddr ${kube.ip} ip daddr ${kube.ip} accept
-              counter drop
-            }
-
            chain wg-subnet {
              ip saddr ${personal.full} accept
              ip saddr ${personal.restrict} ip daddr ${personal.range} accept
@ -309,17 +311,8 @@ in
            inherit (r) publicKey allowedIPs;
          }) (fullRoute ++ meshRoute);
        };
-
-        ${kube.interface} = {
-          ips = [ kube.ip ];
-          listenPort = kube.port;
-          privateKeyFile = config.sops.secrets."wireguard/privateKey".path;
-          peers = [ ];
-        };
      };
    };
-
-    extraHosts = "${kube.masterIP} ${kube.masterHostname}";
  };

  services = {
@ -349,7 +342,7 @@ in

    openssh = {
      enable = true;
-      ports = sshPorts;
+      ports = mkForce sshPorts;
      settings = {
        PasswordAuthentication = false;
        UseDns = false;
@ -385,9 +378,7 @@ in
    pdns-recursor = {
      enable = true;
      forwardZones = {
-        "${config.networking.domain}." = "127.0.0.1:5359";
-        "pre7780.dn." = "127.0.0.1:5359";
-        "test.local." = "127.0.0.1:5359";
+        "dn." = "127.0.0.1:5359";
      };
      forwardZonesRecurse = {
        # ==== Rspamd DNS ==== #
@ -514,7 +505,7 @@ in
    "uptime.${config.networking.domain}" = {
      enableACME = true;
      forceSSL = true;
-      locations."/".proxyPass = "http://localhost:3001";
+      locations."/".proxyPass = "http://127.0.0.1:3001";
    };
  };

--- a/system/dev/dn-server/network/step-ca.nix
+++ b/system/dev/dn-server/network/step-ca.nix
@ -80,4 +80,12 @@ Bq-3sY8n13Dv0E6yx2hVIAlzLj3aE29LC4A2j81vW5MtpaM27lMpg.cwlqZ-8l1iZNeeS9.idRpRJ9zB
    openFirewall = true;
    intermediatePasswordFile = config.sops.secrets."step_ca/password".path;
  };
+
+  services.nginx.virtualHosts."ca.net.dn" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "https://10.0.0.1:8443/";
+    };
+  };
 }
--- a/system/dev/dn-server/network/wireguard.nix
+++ b/system/dev/dn-server/network/wireguard.nix
@ -0,0 +1,5 @@
+{ config, ... }:
+{
+  sops.secrets."wireguard/wg1.conf" = { };
+  networking.wg-quick.interfaces.wg1.configFile = config.sops.secrets."wireguard/wg1.conf".path;
+}
--- a/system/dev/dn-server/options/network.nix
+++ b/system/dev/dn-server/options/network.nix
@ -5,7 +5,12 @@
  ...
 }:
 let
-  inherit (lib) mkOption types concatStringsSep;
+  inherit (lib)
+    mkOption
+    types
+    concatStringsSep
+    unique
+    ;
  cfg = config.systemConf.security;
 in
 {
@ -14,6 +19,7 @@ in
      type = with types; listOf str;
      description = "Domains that allowed to query dns.";
      default = [ ];
+      apply = v: unique v;
    };
    rules = {
      setName = mkOption {
--- a/system/dev/dn-server/security/fail2ban.nix
+++ b/system/dev/dn-server/security/fail2ban.nix
@ -4,6 +4,8 @@
      extraAllowList = [
        "10.0.0.0/24"
        "122.117.215.55"
+        # Netbird
+        "100.104.0.0/16"
      ];
    })
  ];
--- a/system/dev/dn-server/services/default.nix
+++ b/system/dev/dn-server/services/default.nix
@ -3,11 +3,15 @@
  imports = [
    ./actual-budget.nix
    ./bitwarden.nix
-    # ./docmost.nix
+    ./minecraft-server.nix
    ./mail-server.nix
    ./nextcloud.nix
    ./paperless-ngx.nix
    ./metrics.nix
+    ./forgejo.nix
+    ./keycloak.nix
+    ./netbird.nix
+    ./hideTTY.nix
    # (import ../../../modules/opencloud.nix {
    #   fqdn = "opencloud.net.dn";
    #   envFile = config.sops.secrets."opencloud".path;
--- a/system/dev/dn-server/services/forgejo.nix
+++ b/system/dev/dn-server/services/forgejo.nix
@ -0,0 +1,72 @@
+{ lib, config, ... }:
+let
+  cfg = config.services.forgejo;
+  srv = cfg.settings.server;
+  domain = "git.dnywe.com";
+  mailServer = "mx1.net.dn";
+
+  forgejoOwner = {
+    owner = "forgejo";
+    mode = "400";
+  };
+in
+{
+  sops.secrets = {
+    "forgejo/mailer/password" = forgejoOwner;
+    "forgejo/server/secretKey" = forgejoOwner;
+  };
+
+  networking.firewall.allowedTCPPorts = [ srv.HTTP_PORT ];
+
+  services.postgresqlBackup.databases = [ cfg.database.name ];
+
+  systemd.services.forgejo.preStart =
+    let
+      adminCmd = "${lib.getExe cfg.package} admin user";
+      pwd = config.sops.secrets."forgejo/mailer/password";
+      user = "forgejo";
+    in
+    ''
+      ${adminCmd} create --admin --email "noreply@${srv.DOMAIN}" --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
+    '';
+
+  services.openssh.settings.AllowUsers = [ cfg.user ];
+
+  services.forgejo = {
+    enable = true;
+    database.type = "postgres";
+    lfs.enable = true;
+
+    settings = {
+      server = {
+        DOMAIN = domain;
+        ROOT_URL = "https://${srv.DOMAIN}";
+        HTTP_PORT = 32006;
+        SSH_PORT = lib.head config.services.openssh.ports;
+
+        # ==== OpenID Connect ==== #
+        ENABLE_OPENID_SIGNIN = true;
+        WHITELISTED_URIS = "https://${config.services.keycloak.settings.hostname}/*";
+      };
+
+      services.DISABLE_REGISTRATION = true;
+      actions = {
+        ENABLE = true;
+        DEFAULT_ACTION_URL = "github";
+      };
+
+      mailer = {
+        ENABLED = true;
+        SMTP_ADDR = mailServer;
+        SMTP_PORT = 587;
+        FROM = "noreply@${srv.DOMAIN}";
+        USER = "noreply@${srv.DOMAIN}";
+      };
+    };
+
+    secrets = {
+      mailer.PASSWD = config.sops.secrets."forgejo/mailer/password".path;
+      server.SECRET_KEY = config.sops.secrets."forgejo/server/secretKey".path;
+    };
+  };
+}
--- a/system/dev/dn-server/services/hideTTY.nix
+++ b/system/dev/dn-server/services/hideTTY.nix
@ -0,0 +1,13 @@
+{ ... }:
+{
+  systemd.services.hideTTY = {
+    description = "Auto turn off monitor ";
+    wantedBy = [ "multi-user.target" ];
+    script = ''
+      echo 1 > /sys/class/graphics/fb0/blank
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+    };
+  };
+}
--- a/system/dev/dn-server/services/keycloak.nix
+++ b/system/dev/dn-server/services/keycloak.nix
@ -0,0 +1,17 @@
+# NOTE: This is keycloak partial overwrite for `mail-server.nix`.
+{ lib, config, ... }:
+let
+  inherit (lib) mkForce;
+  domain = "dnywe.com";
+  cfg = config.services.keycloak;
+in
+{
+  services.keycloak = {
+    settings = {
+      hostname = mkForce "login.${domain}";
+    };
+  };
+
+  # Disable nginx reverse proxy
+  services.nginx.virtualHosts."${cfg.settings.hostname}" = mkForce { };
+}
--- a/system/dev/dn-server/services/mail-server.nix
+++ b/system/dev/dn-server/services/mail-server.nix
@ -1,9 +1,25 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  ...
+}:
 let
  inherit (lib) mkForce;
  inherit (config.systemConf) username;
 in
 {
+  systemConf.security.allowedDomains = [
+    "registry-1.docker.io"
+    "auth.docker.io"
+    "login.docker.com"
+    "auth.docker.com"
+    "production.cloudflare.docker.com"
+    "docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage"
+    "api.docker.com"
+    "cdn.segment.com"
+    "api.segment.io"
+  ];
+
  mail-server =
    let
      domain = "net.dn";
@ -81,29 +97,16 @@ in
      };
    };

-  services.openldap.settings.attrs.olcLogLevel = mkForce "config";
-
-  services.postfix.settings.main = {
-    # internal_mail_filter_classes = [ "bounce" ];
+  virtualisation.oci-containers.containers.phpLDAPadmin = {
+    environment = {
+      LDAP_ALLOW_GUEST = "true";
+      LOG_LEVEL = "debug";
+      LDAP_LOGGING = "true";
+    };
  };

-  services.rspamd = {
-    locals."logging.conf".text = ''
-      level = "debug";
-    '';
-    locals."settings.conf".text = ''
-      bounce {
-        id = "bounce";
-        priority = high;
-        ip = "127.0.0.1";
-        selector = 'smtp_from.regexp("/^$/").last';
-
-        apply {
-          BOUNCE = -25.0;
-        }
-
-        symbols [ "BOUNCE" ]
-      }
-    '';
+  services.openldap.settings = {
+    attrs.olcLogLevel = mkForce "config";
+    # children."cn=schema".includes = extraSchemas;
  };
 }
--- a/system/dev/dn-server/services/metrics.nix
+++ b/system/dev/dn-server/services/metrics.nix
@ -63,7 +63,7 @@ in
          job_name = "powerdns_recursor";
          static_configs = [
            {
-              targets = [ "localhost:${toString config.services.pdns-recursor.api.port}" ];
+              targets = [ "127.0.0.1:${toString config.services.pdns-recursor.api.port}" ];
              labels = {
                machine = "${hostName}";
              };
@ -87,7 +87,7 @@ in
            static_configs = [
              {
                targets = [
-                  "localhost:${toString config.services.crowdsec.settings.general.prometheus.listen_port}"
+                  "127.0.0.1:${toString config.services.crowdsec.settings.general.prometheus.listen_port}"
                ];
                labels = {
                  machine = "${hostName}";
--- a/system/dev/dn-server/services/minecraft-server.nix
+++ b/system/dev/dn-server/services/minecraft-server.nix
@ -0,0 +1,40 @@
+{ pkgs, ... }:
+let
+  modpack = pkgs.fetchPackwizModpack {
+    url = "https://git.dnywe.com/dachxy/shader-retired-modpack/raw/branch/main/pack.toml";
+    packHash = "sha256-NPMS8j5NXbtbsso8R4s4lhx5L7rQJdek62G2Im3JdmM=";
+  };
+in
+{
+  systemConf.security.allowedDomains = [
+    "api.mojang.com"
+    "textures.minecraft.net"
+    "session.minecraft.net"
+    "login.microsoftonline.com"
+  ];
+
+  services.minecraft-servers = {
+    enable = true;
+    eula = true;
+  };
+
+  services.minecraft-servers.servers.shader-retired = {
+    enable = true;
+    autoStart = true;
+    openFirewall = true;
+    package = pkgs.fabric-server;
+    symlinks = {
+      "mods" = "${modpack}/mods";
+    };
+    serverProperties = {
+      server-port = 25565;
+      difficulty = 3;
+      gamemode = "survival";
+      max-player = 20;
+      modt = "Bro!!!!";
+      accepts-flight = true;
+      accepts-transfers = true;
+      hardcore = false;
+    };
+  };
+}
--- a/system/dev/dn-server/services/netbird.nix
+++ b/system/dev/dn-server/services/netbird.nix
@ -0,0 +1,119 @@
+{ config, lib, ... }:
+let
+  inherit (lib) mkForce;
+  domain = "dnywe.com";
+
+  # Virtual Domain
+  vDomain = "vnet.dn";
+  proxyIP = "10.10.0.1";
+
+  cfg = config.services.netbird;
+  srv = cfg.server;
+
+  # TODO: Change realm to master
+  realm = "netbird";
+in
+{
+  sops.secrets."netbird/wt0-setupKey" = {
+    owner = cfg.clients.wt0.user.name;
+    mode = "400";
+  };
+
+  systemConf.security.allowedDomains = [
+    "login.dnywe.com"
+    "pkgs.netbird.io"
+    "${srv.domain}"
+  ];
+
+  imports = [
+    (import ../../../modules/netbird-server.nix {
+      inherit realm vDomain;
+      domain = "netbird.${domain}";
+      oidcURL = "https://${config.services.keycloak.settings.hostname}";
+      enableNginx = false;
+      oidcType = "keycloak";
+    })
+  ];
+
+  services.netbird = {
+    ui.enable = mkForce false;
+
+    clients.wt0 = {
+      port = 51830;
+      openFirewall = true;
+      autoStart = true;
+      environment = {
+        NB_MANAGEMENT_URL = "https://${srv.domain}";
+      };
+      login = {
+        enable = true;
+        setupKeyFile = config.sops.secrets."netbird/wt0-setupKey".path;
+      };
+    };
+
+    server.management = {
+      disableSingleAccountMode = false;
+      singleAccountModeDomain = vDomain;
+      metricsPort = 32009;
+      turnDomain = mkForce "coturn.${domain}";
+      extraOptions = [ "--user-delete-from-idp" ];
+    };
+
+    server.coturn.enable = mkForce false;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 32011 ];
+
+  # ==== Proxy By Caddy & CDN ==== #
+  services.nginx.appendHttpConfig = ''
+    set_real_ip_from ${proxyIP};
+    real_ip_header X-Forwarded-For;
+    real_ip_recursive on;
+  '';
+
+  services.nginx.virtualHosts."netbird.local" = {
+    locations = {
+      "/" = {
+        root = cfg.server.dashboard.finalDrv;
+        tryFiles = "$uri $uri.html $uri/ =404";
+      };
+
+      "/404.html".extraConfig = ''
+        internal;
+      '';
+
+      "/api" = {
+        extraConfig = ''
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        '';
+        proxyPass = "http://127.0.0.1:${builtins.toString srv.management.port}";
+      };
+
+      "/management.ManagementService/".extraConfig = ''
+        client_body_timeout 1d;
+
+        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        grpc_pass grpc://127.0.0.1:${builtins.toString srv.management.port};
+        grpc_read_timeout 1d;
+        grpc_send_timeout 1d;
+        grpc_socket_keepalive on;
+      '';
+
+      "/signalexchange.SignalExchange/".extraConfig = ''
+        client_body_timeout 1d;
+
+        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        grpc_pass grpc://127.0.0.1:${builtins.toString srv.signal.port};
+        grpc_read_timeout 1d;
+        grpc_send_timeout 1d;
+        grpc_socket_keepalive on;
+      '';
+    };
+
+    extraConfig = ''
+      error_page 404 /404.html;
+    '';
+  };
+}
--- a/system/dev/dn-server/services/nextcloud.nix
+++ b/system/dev/dn-server/services/nextcloud.nix
@ -1,19 +1,156 @@
-{ config, ... }:
 {
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  inherit (lib) mkIf mkDefault mkAfter;
+  inherit (config.sops) secrets;
+  spreedCfg = config.services.nextcloud-spreed-signaling;
+  nextcloudCfg = config.services.nextcloud;
+  turnDomain = "coturn.dnywe.com";
+  domain = "net.dn";
+in
+{
+  sops.secrets = {
+    "nextcloud/smtpPassword" = {
+      owner = "nextcloud";
+      group = "nextcloud";
+    };
+    "nextcloud/adminPassword" = { };
+    "nextcloud/whiteboard" = {
+      owner = "nextcloud";
+    };
+    "nextcloud/spreed/turnPassword" = {
+      key = "netbird/coturn/password";
+      owner = spreedCfg.user;
+    };
+    "nextcloud/spreed/turnSecret" = {
+      key = "netbird/oidc/secret";
+      owner = spreedCfg.user;
+    };
+    "nextcloud/spreed/hashkey" = {
+      owner = spreedCfg.user;
+    };
+    "nextcloud/spreed/blockkey" = {
+      owner = spreedCfg.user;
+    };
+    "nextcloud/spreed/internalsecret" = {
+      owner = spreedCfg.user;
+    };
+    "nextcloud/spreed/backendsecret" = {
+      owner = spreedCfg.user;
+    };
+  };
+
  imports = [
    (import ../../../modules/nextcloud.nix {
-      hostname = "nextcloud.net.dn";
-      adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
+      hostname = "nextcloud.${domain}";
+      adminpassFile = secrets."nextcloud/adminPassword".path;
      trusted-proxies = [ "10.0.0.0/24" ];
      whiteboardSecrets = [
-        config.sops.secrets."nextcloud/whiteboard".path
+        secrets."nextcloud/whiteboard".path
      ];
    })
  ];

  services.nextcloud = {
    extraApps = {
-      inherit (config.services.nextcloud.package.packages.apps) music;
+      inherit (config.services.nextcloud.package.packages.apps) music spreed;
+
+      user_migration = pkgs.fetchNextcloudApp {
+        url = "https://github.com/nextcloud-releases/user_migration/releases/download/v9.0.0/user_migration-v9.0.0.tar.gz";
+        sha256 = "sha256-WiEEAazuj8kh5o+URs22uoNWANXcXQYLTaoABMU6rFo=";
+        license = "agpl3Plus";
+      };
+
+      cospend = pkgs.fetchNextcloudApp {
+        url = "https://github.com/julien-nc/cospend-nc/releases/download/v3.2.0/cospend-3.2.0.tar.gz";
+        sha256 = "sha256-mclcZDNmvpYX/2q7azyiTLSCiTYvk7ILeqtb/8+0ADQ=";
+        license = "agpl3Plus";
+      };
+    };
+    appstoreEnable = false;
+
+    settings = {
+      mail_smtpauth = true;
+      mail_smtphost = "mx1.${domain}";
+      mail_smtpname = "nextcloud";
+      mail_smtpmode = "smtp";
+      mail_smtpauthtype = "LOGIN";
+      mail_domain = "net.dn";
+      mail_smtpport = 465;
+      mail_smtpsecure = "ssl";
+      mail_from_address = "nextcloud";
+    };
+
+    secrets = {
+      mail_smtppassword = secrets."nextcloud/smtpPassword".path;
    };
  };
+
+  # ==== Nextcloud Talk ==== #
+  services.nextcloud-spreed-signaling = {
+    enable = true;
+    configureNginx = true;
+    hostName = "talk.${domain}";
+    backends.default = {
+      urls = [ "https://${nextcloudCfg.hostName}" ];
+      secretFile = secrets."nextcloud/spreed/backendsecret".path;
+    };
+
+    settings = {
+      http.listen = "127.0.0.1:31008";
+      turn = {
+        servers = [ "turn:${turnDomain}:3478?transport=udp" ];
+        secretFile = secrets."nextcloud/spreed/turnPassword".path;
+        apikeyFile = secrets."nextcloud/spreed/turnSecret".path;
+      };
+      clients.internalsecretFile = secrets."nextcloud/spreed/internalsecret".path;
+      sessions = {
+        hashkeyFile = secrets."nextcloud/spreed/hashkey".path;
+        blockkeyFile = secrets."nextcloud/spreed/blockkey".path;
+      };
+      nats.url = [ "nats://127.0.0.1:4222" ];
+    };
+  };
+
+  services.nats = mkIf nextcloudCfg.enable {
+    enable = true;
+    settings = {
+      host = "127.0.0.1";
+    };
+  };
+
+  services.nginx.virtualHosts.${spreedCfg.hostName} = {
+    enableACME = true;
+    forceSSL = true;
+  };
+
+  # ==== Secruity ==== #
+  services.fail2ban = {
+    jails = {
+      nextcloud.settings = {
+        backend = "systemd";
+        journalmatch = "SYSLOG_IDENTIFIER=Nextcloud";
+        enabled = true;
+        port = 443;
+        protocol = "tcp";
+        filter = "nextcloud";
+        maxretry = 3;
+        bantime = 86400;
+        findtime = 43200;
+      };
+    };
+  };
+
+  environment.etc = {
+    "fail2ban/filter.d/nextcloud.local".text = mkDefault (mkAfter ''
+      [Definition]
+      failregex = ^.*"remoteAddr":"(?P<host><HOST>)".*"message":"Login failed:
+                  ^.*"remoteAddr":"(?P<host><HOST>)".*"message":"Two-factor challenge failed:
+                  ^.*"remoteAddr":"(?P<host><HOST>)".*"message":"Trusted domain error
+    '');
+  };
 }
--- a/system/dev/dn-server/sops/secret.yaml
+++ b/system/dev/dn-server/sops/secret.yaml
--- a/system/dev/dn-server/sops/sops-conf.nix
+++ b/system/dev/dn-server/sops/sops-conf.nix
@ -5,10 +5,6 @@ in
 {
  sops.secrets = {
    "wireguard/privateKey" = { };
-    "nextcloud/adminPassword" = { };
-    "nextcloud/whiteboard" = {
-      owner = "nextcloud";
-    };
    "step_ca/password" = { };
    vaultwarden = { };
    "oauth/password" = { };
--- a/system/dev/skydrive-lap/default.nix
+++ b/system/dev/skydrive-lap/default.nix
@ -10,11 +10,11 @@ in
  systemConf = {
    inherit hostname username;
    domain = "net.dn";
-    hyprland.enable = true;
+    # hyprland.enable = true;
+    niri.enable = true;
    face = pkgs.fetchurl {
-      url = "https://files.net.dn/skydrive.jpg";
+      url = "https://git.dnywe.com/dachxy/skydrive-avatar/raw/branch/main/skydrive.jpg";
      hash = "sha256-aMjl6VL1Zy+r3ElfFyhFOlJKWn42JOnAFfBXF+GPB/Q=";
-      curlOpts = "-k";
    };
  };

@ -22,9 +22,9 @@ in
    ../../modules/presets/basic.nix
    ./common
    ./games
-    ./services
    ./sops
    ./utility
+    ./network
  ];

  users.users.root.openssh.authorizedKeys.keys = [
--- a/system/dev/skydrive-lap/network/default.nix
+++ b/system/dev/skydrive-lap/network/default.nix
@ -0,0 +1,6 @@
+{ ... }:
+{
+  imports = [
+    ./netbird.nix
+  ];
+}
--- a/system/dev/skydrive-lap/network/netbird.nix
+++ b/system/dev/skydrive-lap/network/netbird.nix
@ -0,0 +1,17 @@
+{ self, ... }:
+let
+  serverCfg = self.nixosConfigurations.dn-server.config;
+  domain = serverCfg.services.netbird.server.domain;
+in
+{
+  services.netbird = {
+    clients.wt0 = {
+      openFirewall = true;
+      autoStart = true;
+      port = 51820;
+      environment = {
+        NB_MANAGEMENT_URL = "https://${domain}";
+      };
+    };
+  };
+}
--- a/system/dev/skydrive-lap/services/default.nix
+++ b/system/dev/skydrive-lap/services/default.nix
@ -1,5 +0,0 @@
-{
-  imports = [
-    ./wireguard.nix
-  ];
-}
--- a/system/dev/skydrive-lap/services/wireguard.nix
+++ b/system/dev/skydrive-lap/services/wireguard.nix
@ -1,5 +0,0 @@
-{
-  imports = [
-    ../../../modules/wireguard.nix
-  ];
-}