diff --git a/home/common.nix b/home/common.nix index 4e053a9..29103a8 100644 --- a/home/common.nix +++ b/home/common.nix @@ -65,9 +65,6 @@ # Databases postgresql mariadb - - # Docker, because it's useful ...sometimes - docker ]; home.sessionVariables = { diff --git a/modules/common/linux/default.nix b/modules/common/linux/default.nix index 744b941..c48d3bc 100644 --- a/modules/common/linux/default.nix +++ b/modules/common/linux/default.nix @@ -32,10 +32,20 @@ let services.ratbagd.enable = true; environment.systemPackages = with pkgs; [ piper ]; }; + + virtualisation = { pkgs, ... }: mkIf cfg.enable { + virtualisation.podman = { + enable = true; + dockerCompat = true; + defaultNetwork.settings.dns_enabled = true; + }; + + virtualisation.oci-containers.backend = "podman"; + }; }; in { - imports = with modules; [ adb ios wlr logitech ]; + imports = with modules; [ adb ios wlr logitech virtualisation ]; options.common.linux = { enable = mkOption { diff --git a/nki-home/configuration.nix b/nki-home/configuration.nix index 3c2c151..cedf3fb 100644 --- a/nki-home/configuration.nix +++ b/nki-home/configuration.nix 
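Review bot: The `{ pkgs, ... }:` parameter on the new `virtualisation` module is never used in its body, so it should be reduced to `virtualisation = { ... }: mkIf cfg.enable {` — the `logitech` module above it binds `pkgs` because it actually references it. Separately, `dockerCompat = true` only aliases the `docker` CLI to podman; the rootful Docker-compatible socket stays off here, and it should, because NixOS's `virtualisation.podman.dockerSocket.enable` would make membership of the `podman` group root-equivalent. A comment recording that intent would stop a later change from flipping it casually: `# dockerCompat only aliases the CLI; the rootful docker socket stays disabled on purpose`. Whether rootless podman works for the configured user depends on subuid/subgid ranges, which are outside this hunk.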
@@ -39,6 +39,38 @@ with lib; }; nki.services.edns.enable = true; nki.services.edns.ipv6 = true; + ## DTTH Wireguard + # + sops.secrets."dtth-wg/private-key" = { owner = "root"; group = "systemd-network"; mode = "0640"; }; + sops.secrets."dtth-wg/preshared-key" = { owner = "root"; group = "systemd-network"; mode = "0640"; }; + systemd.network.netdevs."10-dtth-wg" = { + netdevConfig = { + Kind = "wireguard"; + Name = "dtth-wg"; + MTUBytes = "1280"; + }; + wireguardConfig = { + PrivateKeyFile = config.sops.secrets."dtth-wg/private-key".path; + }; + wireguardPeers = [{ + wireguardPeerConfig = { + PublicKey = "+7iI4jwmM1Qr+/DKB1Hv8JgFkGu7lSV0PAoo+O5d3yQ="; + PresharedKeyFile = config.sops.secrets."dtth-wg/preshared-key".path; + AllowedIPs = [ "100.64.0.0/10" "fd00::/106" ]; + Endpoint = "vpn.dtth.ch:51820"; + PersistentKeepalive = 25; + }; + }]; + }; + systemd.network.networks."dtth-wg" = { + matchConfig.Name = "dtth-wg"; + address = [ "100.73.146.80/32" "fd00::33:105b/128" ]; + DHCP = "no"; + routes = [ + { routeConfig = { Destination = "100.64.0.0/10"; Scope = "link"; }; } + { routeConfig.Destination = "fd00::/106"; } + ]; + }; # Define a user account. common.linux.username = "nki"; diff --git a/nki-home/secrets/secrets.yaml b/nki-home/secrets/secrets.yaml index c2261d8..688b743 100644 --- a/nki-home/secrets/secrets.yaml +++ b/nki-home/secrets/secrets.yaml 
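Review bot: Nothing restarts systemd-networkd when the two `sops.secrets."dtth-wg/*"` entries change: networkd reads `PrivateKeyFile` and `PresharedKeyFile` once when it creates the `dtth-wg` netdev, so a rotated key in `secrets.yaml` leaves the old key material in use until a reboot or manual restart. If the sops-nix version in use supports it, add `restartUnits = [ "systemd-networkd.service" ];` to both secret declarations. The `owner = "root"; group = "systemd-network"; mode = "0640"` choice is right — networkd runs as `systemd-network` and warns about world-readable key files — so keep that as is. Minor: the netdev is named `10-dtth-wg` while the network unit is plain `dtth-wg`; giving both the same prefix keeps their ordering consistent. The enclosing attribute set (opened under `with lib;`) starts outside the hunk.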
@@ -8,6 +8,9 @@ windscribe:
 scrobble:
 lastfm: ENC[AES256_GCM,data:+3G9zwmAu/B9omG0KUT0b5G+lJ4=,iv:ubrE4A35si9f6+m2sAino4SfOf9F4g2UjtF2Yy9n2e4=,tag:A/e6GECfIZuX2bVGPo9qyA==,type:str]
 listenbrainz: ENC[AES256_GCM,data:FNSJnYEQd+LgInmdyqcaAQG6imiJS/OPBEe2fBKQGKBjpCLy,iv:qhloVpcwcGwRDn6vOujgmvelbPl2korhELfyf5BvdjM=,tag:WnLaMUtHsxBaXNTAKwchkQ==,type:str]
+dtth-wg:
+ private-key: ENC[AES256_GCM,data:ySxPGzOplKwNLxRnPNw7If7xzxMwRkwTasT7FaQE9n5YB04R+gaQVjDqPqg=,iv:f5t94bUoo9sCGGwWytiuhg5jcKjzRjbR3Q0OIM28VDU=,tag:fJos9Hb9XytQbfGaPMa1/A==,type:str]
+ preshared-key: ENC[AES256_GCM,data:96q0ZfvPz4pb53XvTGameVkcETamYH8Xbv69672RBdacH6QjRCCVvPnBTfA=,iv:Q2Yonb07/Uu6KidhMgRX4zJuNU1ZySNC7g/5TwpMU80=,tag:1qQQdk20yIQlGZmX+/25RA==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -41,8 +44,8 @@ sops:
 bUhIT0Z2b1dVWGNyS1hRVFRyZTA4d00KchP7EhSOMwBl5vFuuskzosRoi8jUu1sw
 hVjJNF2a40ewgkQgVAoWEzirHbknbQORzmepDDRth7Bve3UQU64+GA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2022-09-16T10:37:15Z"
- mac: ENC[AES256_GCM,data:+YW1Jbs2En9QEbSm994LeKGDQ411mpBz4ZjM0FM/W1S8IQMeMuUZL3Ku8JCjB3u2a6nX4TdqOUGrWSpq5QScgu1avXIdGNPyais2YVTRu0vUoya/X4hOqXykVVgio8LOMcS73oQZQazUmTDYGW5ytbfdtrZo9+gKffzJ2nziOoE=,iv:SCnEb95tCVkCqbccOPCrMrF2Gaz6+esPTRNPD7Zb+M8=,tag:LGDtm+MepZZRFFsJKvFlfw==,type:str]
+ lastmodified: "2023-04-29T13:03:22Z"
+ mac: ENC[AES256_GCM,data:ZNDRS6LLy89TZoW27c57RMnjs6M/GBH0XfKKlrhys8gL7+I0V/++ry59VDbLxvqS4nPR4C5hk777+B5dqnseyYW2xRT3NKYxocCQu5kO6A8L/wB00j3bm3SSIGwLcKJPibEqi7ymU53K0bmZdjRMChkBwv3CnDNkM3Dc6rvZ2DM=,iv:Z1ZjnYW1Yk+oEzNknQDytTengjKxcud95LZTFfKMnpw=,tag:pnZ+UGQWuRCKoTll00oUKA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3