Fix selene

keys/secrets.nix

@@ -8,4 +8,6 @@ in
   "google-storage-key".publicKeys = selene;
   "macbook.priv".publicKeys = macbook ++ master;
   "master.priv".publicKeys = macbook ++ master;
+  "wg-selene".publicKeys = macbook ++ selene ++ master;
+  "wg-macbook".publicKeys = macbook ++ master;
 }

keys/wg-macbook

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 M7OTMg PyrVB10SxQZdhrwusKh+m6944Nj5vqBL6qGum8qK4Qg
+huIr2n2ciTqu11o6ApcCoVMstQ9b3XoRfgAtU79wdnY
+-> ssh-ed25519 CJLJQg 2O7UQVLdlMJZzt5TOo5EYpfWjKAnNLJ6OQY+xRTp2go
+TonYGAfBSeUpSHl+jHSG2qO9kWseAxfog1oWeGFWc5s
+--- Hh8KEiQFjdy2xYqcBX4L6XSp4GPpO29tSPrfpnZlv5o
+Ó?À¤ÿ‡$‡ÜJΦŸßÑ^¦w’oÌ›Nv’ŠŽÍ*#å4„+=â·Á[ltÒQF™6Õ-Æwiy.Ú¢8¡iýýÒž'.H,a£

keys/wg-macbook.pub

@@ -0,0 +1 @@
+uFmbvJBptZsrzYDqpZM7SsibELaIRZIT91dr+lg4UTQ=

keys/wg-selene

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 M7OTMg rtefZhzmdX3bNzHNy3nkNUUhMkzl5Jhr5aRKQeMxyG0
+j8S1T4ZJ4rPCB1hLYB0XDrQapmDeBaVhHF1egscPMSI
+-> ssh-ed25519 gSqcWw zXFb2UGB5MX9l1zRtSXjRvx2jKwzi3xJ6pSheWbcKHE
+0sj7aWQEU9anrtn9nNc+GZV/hmZhGhBJiY4z+92QmhE
+-> ssh-ed25519 lFtjmQ F1UrJyfMoLe2WQhg2quklc/m0U6fDoHdUHb9fKwbMAk
+PqhWK8b8VPvnwYOv6o8ghihW4BY2gyXWjeVoBB3Jq1c
+-> ssh-ed25519 CJLJQg NI5inqne74mHhVzieDbwHe2ir7b/5JupVpJ2eHehYHs
+nkcF008pNF7+57K4dCQMrayVcUWSFVQ38MwK9JPUZ90
+--- Wo0W41Xg2j6kl6atrzbtE2ogo3mY1+sTqfyvWkUsUeA
+ ½ÛÓEgf¡G'õÔŽ!;Âú+÷áÿÅçûm솖ã\Aè<ƒc½b_ª?϶«½µÀ›Õ­^Ík×8ŸüÚÿø€´U=tŠ‰Úæ2Kï3

keys/wg-selene.pub

@@ -0,0 +1 @@
+4N/84YKCDOPpXTkRxBDQOOUzKR2PXOy4/3gJbel1yE4=

modules/servermodules/jellyfin/jellyfin.nix

@@ -18,7 +18,7 @@
   };
 
   age.secrets.jellyfin-key = {
-    file = ./secrets/jellyfin-key;
+    file = ../../../keys/jellyfin-key;
     owner = "jellyfin";
   };
 

modules/servermodules/nginx.nix

@@ -1,4 +1,4 @@
-{ rootdomain }:
+rootdomain:
 {
   systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/logs/nginx" ];
   services.nginx.enable = true;
@@ -71,6 +71,6 @@
   systemd.tmpfiles.rules = [
   # Type  Path           Mode    User   Group  Age  Argument
   "d /logs/nginx        0755    nginx  nginx  -    -"
-  ]
+  ];
 }
 

modules/servermodules/packages.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 {
   environment.systemPackages = [
     pkgs.git
@@ -8,7 +8,7 @@
     pkgs.tmux
   ];
   age.secrets.google-storage-key = {
-    file = ./secrets/google-storage-key;
+    file = ../../keys/google-storage-key;
     owner = "root";
   };
   environment.variables.GOOGLE_APPLICATION_CREDENTIALS = config.age.secrets."google-storage-key".path;

modules/servermodules/wireguard/wireguard-server.nix

@@ -0,0 +1,58 @@
+{
+  pkgs,
+  config,
+  ...
+}:
+{
+  # enable NAT
+  networking.nat.enable = true;
+  networking.nat.externalInterface = "eth0";
+  networking.nat.internalInterfaces = [ "wg0" ];
+  networking.firewall = {
+    allowedUDPPorts = [ 51820 ];
+  };
+
+  age.secrets.wg-selene = {
+    file = ../../../keys/wg-selene;
+    owner = "selene";
+  };
+  networking.wireguard.interfaces = {
+    # "wg0" is the network interface name. You can name the interface arbitrarily.
+    wg0 = {
+      # Determines the IP address and subnet of the server's end of the tunnel interface.
+      ips = [ "10.100.0.1/24" ];
+
+      # The port that WireGuard listens to. Must be accessible by the client.
+      listenPort = 51820;
+
+      # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+      # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+      # postSetup = ''
+      #   ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+      # '';
+
+      # # This undoes the above command
+      # postShutdown = ''
+      #   ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+      # '';
+
+      # Path to the private key file.
+      #
+      # Note: The private key can also be included inline via the privateKey option,
+      # but this makes the private key world-readable; thus, using privateKeyFile is
+      # recommended.
+
+      privateKeyFile = config.age.secrets.wg-selene.path;
+
+      peers = [
+        # List of allowed peers.
+        { # Feel free to give a meaningful name
+          # Public key of the peer (not a file path).
+          publicKey = (builtins.readFile ../../../keys/wg-macbook.pub);
+          # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+          allowedIPs = [ "10.100.0.2/32" ];
+        }
+      ];
+    };
+  };
+}

modules/usermodules/darwinsettings.nix

@@ -2,7 +2,7 @@ self:
 { pkgs, agenix, ... }: {
   # List packages installed in system profile. To search by name, run:
   # $ nix-env -qaP | grep wget
-  environment.systemPackages = [ pkgs.vim pkgs.vscode pkgs.git pkgs.nixfmt-rfc-style agenix.packages.aarch64-darwin.default pkgs.python3];
+  environment.systemPackages = [ pkgs.vim pkgs.vscode pkgs.git pkgs.nixfmt-rfc-style agenix.packages.aarch64-darwin.default pkgs.python3 pkgs.wireguard-tools];
 
   # Necessary for using flakes on this system.
   nix.settings.experimental-features = "nix-command flakes";

systems/macbook/macbook.nix

@@ -4,7 +4,8 @@ nix-darwin.lib.darwinSystem {
     { system.primaryUser = "maxiemgeldhof"; }
     (import ../../modules/usermodules/darwinsettings.nix self)
     home-manager.darwinModules.home-manager
-    (import ./users.nix)
+    import ./users.nix
+    ./wireguard.nix
     agenix.darwinModules.default
   ];
 

systems/macbook/wireguard.nix

@@ -0,0 +1,42 @@
+{ config, ... }:
+{
+  age.secrets.wg-private.file = "../../keys/wg-macbook";
+  services.wg-quick.interfaces.wg0 = {
+    # Add a name for your interface here, e.g., wg0
+    enable = true;
+    # Path to your WireGuard config file
+    # e.g., /etc/wireguard/wg0.conf
+
+    privateKeyFile = config.age.secrets.wg-private.path;
+
+    # The internal IP address assigned to this client by the server.
+    # The /24 subnet mask is important for knowing the VPN's local network.
+    address = [ "10.100.0.2/32" ];
+
+    # DNS server(s) to use when the tunnel is active.
+    # This is critical for resolving hostnames when all traffic is routed.
+    dns = [
+      "1.1.1.1"
+      "1.0.0.1"
+    ]; # Cloudflare DNS, or use your preferred one like 8.8.8.8
+
+    peers = [
+      {
+        # Public key of the SERVER.
+        publicKey = builtins.readFile ../../../keys/wg-selene.pub;
+
+        # The server's public IP address and listening port.
+        endpoint = "37.27.207.39:51820";
+
+        # This is the most important part for a "VPN" setup.
+        # 0.0.0.0/0 tells your Mac to route all IPv4 traffic through the tunnel.
+        # Add "::/0" if your server and network support IPv6.
+        allowedIPs = [ "10.100.0.1/24" ];
+
+        # Optional but highly recommended for clients behind NAT.
+        # It sends a packet every 25 seconds to keep the connection open.
+        persistentKeepalive = 25;
+      }
+    ];
+  };
+}

systems/selene/basesettings.nix

@@ -1,7 +1,7 @@
 { ... }:
 {
   imports = [
-    ./hardware-configuration.nix
+    ./hardware.nix
     ./networking.nix # generated at runtime by nixos-infect
   ];
 

systems/selene/system.nix

@@ -1,18 +1,23 @@
 { agenix, jellyfin-exporter, nixpkgs, self, ... }:
+let 
+  system = "aarch64-linux";
+in
 nixpkgs.lib.nixosSystem {
-  system = "x86_64-linux";
+  system = system;
   specialArgs = {
     # This selects the package for the current system and passes it
-    exporter-pkg = jellyfin-exporter.packages.${self.system}.default;
+    exporter-pkg = jellyfin-exporter.packages.${system}.default;
+    system = system;
   };
 
   modules = [
     ./basesettings.nix
     ./users.nix
     ../../modules/servermodules/packages.nix
-    (import ./nginx.nix "maxiemgeldhof.com")
+    (import ../../modules/servermodules/nginx.nix "maxiemgeldhof.com")
-    ../../modules/servermodules/grafana.nix
+    ../../modules/servermodules/grafana/grafana.nix
-    ../../modules/servermodules/jellyfin.nix
+    ../../modules/servermodules/jellyfin/jellyfin.nix
+    ../../modules/servermodules/wireguard/wireguard-server.nix
     ./volumes.nix
     agenix.nixosModules.default
   ];

systems/selene/users.nix

@@ -6,7 +6,7 @@
     openssh.authorizedKeys.keys = [
       (builtins.readFile ../../keys/hetzner.pub)
       (builtins.readFile ../../keys/asus.pub)
-      (builtins.readFile "../../keys/pacbook.pub")
+      (builtins.readFile ../../keys/macbook.pub)
     ];
 
     extraGroups = [