Update greatyamada config

hosts/greatyamada/nixos/default.nix

@@ -1,15 +1,34 @@
 { lib, pkgs, ... }: {
   imports = [ ./filesystems.nix ];
 
-  boot.loader.systemd-boot.enable = true;
+  boot = {
+    loader.systemd-boot.enable = true;
+    kernelPackages = pkgs.linuxKernel.packages.linux_zen;
+    initrd.availableKernelModules =
+      [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+    initrd.kernelModules = [ ];
+    kernelModules = [ "kvm-amd" ];
+    extraModulePackages = [ ];
+  };
 
-  environment.systemPackages = with pkgs; [ iptables ];
+  environment.systemPackages = with pkgs; [ arion docker-client ];
 
   networking = {
     firewall.enable = true;
     hostName = "greatyamada";
     networkmanager.enable = true;
     useDHCP = lib.mkDefault false;
+    interfaces.enp5s0 = {
+      ipv4.addresses = [{
+        address = "10.0.0.1";
+        prefixLength = 24;
+      }];
+    };
+    defaultGateway = {
+      address = "10.0.0.254";
+      interface = "enp5s0";
+    };
+    nameservers = [ "9.9.9.9" ];
   };
 
   sops = {
@@ -17,7 +36,18 @@
     age.keyFile = "/etc/nixos/keys.txt";
   };
 
-  system.stateVersion = "25.05";
+  system.stateVersion = "24.05";
+
+  users = {
+    groups.media = { };
+    users.avery.extraGroups = [ "media" ];
+  };
+
+  virtualisation.podman = {
+    enable = true;
+    dockerSocket.enable = true;
+    defaultNetwork.settings.dns_enabled = true;
+  };
 
   time.timeZone = "UTC";
 }

hosts/greatyamada/nixos/filesystems.nix

@@ -2,27 +2,27 @@
   fileSystems = {
     "/" = {
       device = "/dev/disk/by-label/NIXROOT";
-      fsType = "btrfs";
-      options = [ "compress=zstd:15" ];
+      fsType = "ext4";
     };
     "/boot" = {
       device = "/dev/disk/by-label/NIXBOOT";
       fsType = "vfat";
     };
-    "/mnt/Datos" = {
-      device = "/dev/disk/by-label/Datos";
-      fsType = "btrfs";
-      options = [ "compress=zstd:15" ];
+    "/mnt/ssd-01" = {
+      device = "/dev/disk/by-label/ssd-01";
+      fsType = "ext4";
     };
-    "/mnt/Datos/minecraft" = {
-      device = "/dev/disk/by-label/Datos";
-      fsType = "btrfs";
-      options = [ "compress=zstd:4" "subvol=/minecraft" ];
+    "/mnt/hdd-01" = {
+      device = "/dev/disk/by-label/hdd-01";
+      fsType = "ext4";
     };
-    "/mnt/Datos/music" = {
-      device = "/dev/disk/by-label/Datos";
-      fsType = "btrfs";
-      options = [ "subvol=/music" ];
+    "/mnt/hdd-02" = {
+      device = "/dev/disk/by-label/hdd-02";
+      fsType = "ext4";
     };
   };
+  swapDevices = [{
+    device = "/.swapfile";
+    size = 4 * 1024;
+  }];
 }

hosts/greatyamada/services/_port-definitions.nix

@@ -1,20 +1,17 @@
 {
   adguardhome-dns = 53;
   adguardhome-http = 3001;
-  coturn-turn = 3478;
-  coturn-turn-alt = 3479;
-  coturn-minimum = 49192;
-  coturn-maximum = 49200;
+  adguardhome-dhcp-udp = 67;
   forgejo-http = 3000;
   jellyfin-http = 8096;
-  matrix-http = 8008;
-  matrix-https = 8448;
-  matrix-bridges-http = 8088;
-  mautrix-whatsapp = 29318;
   minecraft = 13914;
+  navidrome-https = 4533;
   nginx-https = 443;
   ntfy-http = 2586;
+  pgadmin = 5050;
   postgresql = 5432;
   radicale-http = 5232;
+  searxng = 8888;
   wireguard = 51820;
+  vaultwarden = 8222;
 }

hosts/greatyamada/services/acme.nix

@@ -2,18 +2,13 @@
   security.acme = {
     acceptTerms = true;
     defaults.email = "aveeryy@protonmail.com";
-    # Temporarily use staging server for testing
-    defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
     certs."rcia.dev" = {
-      credentialFiles.CLOUDFLARE_DNS_API_TOKEN_FILE =
-        "/run/secrets/cloudflare_api_token";
+      credentialFiles.CLOUDFLARE_DNS_API_TOKEN_FILE = "/run/secrets/acme_token";
+      extraDomainNames = [ "*.rcia.dev" ];
       dnsProvider = "cloudflare";
       group = "nginx";
       webroot = null;
     };
   };
-  sops.secrets."cloudflare/api_token" = {
-    path = "/run/secrets/cloudflare_api_token";
-    group = "acme";
-  };
+  sops.secrets."acme_token".group = "acme";
 }

hosts/greatyamada/services/adguardhome.nix

@@ -3,18 +3,21 @@ let
   portDefinitions = import ./_port-definitions.nix;
   nginxLocalServiceConfig = import ./nginx-local-config.nix;
 in {
-  networking.firewall.allowedTCPPorts = [ portDefinitions.adguardhome-dns ];
-  networking.firewall.allowedUDPPorts = [ portDefinitions.adguardhome-dns ];
+  networking.firewall = {
+    allowedTCPPorts = [ portDefinitions.adguardhome-dns ];
+    allowedUDPPorts =
+      [ portDefinitions.adguardhome-dns portDefinitions.adguardhome-dhcp-udp ];
+  };
   services = {
     adguardhome = {
       enable = true;
       allowDHCP = true;
-      port = portDefinitions.adguardhome-http;
       mutableSettings = true;
+      port = portDefinitions.adguardhome-http;
       settings = {
         http = {
           address = "127.0.0.1:${toString portDefinitions.adguardhome-http}";
-          session_ttl = "1440h";
+          session_ttl = "720h";
         };
         dns = {
           bind_hosts = [ "0.0.0.0" ];
@@ -38,9 +41,231 @@ in {
             icmp_timeout_msec = 1000;
           };
         };
+        filtering = {
+          safe_search.enabled = false;
+          filtering_enabled = true;
+          parental_enabled = false;
+          safebrowsing_enabled = false;
+          protection_enabled = true;
+          cache_time = 30;
+          filters_update_interval = 24;
+          rewrites = [
+            {
+              domain = "rcia.dev";
+              answer = "10.0.0.1";
+            }
+            {
+              domain = "*.rcia.dev";
+              answer = "10.0.0.1";
+            }
+          ];
+        };
+        clients = {
+          runtime_sources = {
+            whois = true;
+            arp = true;
+            rdns = true;
+            dhcp = true;
+            hosts = true;
+          };
+          persistent = [
+            {
+              name = "Decodificador";
+              ids = [ "10.0.0.200" ];
+              tags = [ "device_tv" ];
+              upstreams = [ "172.26.23.3" ];
+              use_global_settings = true;
+            }
+            {
+              name = "Poco X3";
+              ids = [ "10.0.0.202" ];
+              tags = [ "device_phone" ];
+              use_global_settings = false;
+              filtering_enabled = false;
+            }
+            {
+              name = "Tablet Samsung";
+              ids = [ "10.0.0.201" ];
+              tags = [ "device_tablet" ];
+              use_global_settings = false;
+              filtering_enabled = false;
+            }
+          ];
+        };
+        filters = [
+          {
+            enabled = true;
+            url =
+              "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt";
+            name = "AdGuard DNS filter";
+            id = 1;
+          }
+          {
+            enabled = true;
+            url =
+              "https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt";
+            name = "AdAway Default Blocklist";
+            id = 2;
+          }
+          {
+            enabled = true;
+            url =
+              "https://adguardteam.github.io/HostlistsRegistry/assets/filter_23.txt";
+            name = "WindowsSpyBlocker - Hosts spy rules";
+            id = 1687062393;
+          }
+          {
+            enabled = true;
+            url =
+              "https://adguardteam.github.io/HostlistsRegistry/assets/filter_6.txt";
+            name = "Dandelion Sprout's Game Console Adblock List";
+            id = 1687062394;
+          }
+          {
+            enabled = true;
+            url =
+              "https://adguardteam.github.io/HostlistsRegistry/assets/filter_30.txt";
+            name = "Phishing URL Blocklist (PhishTank and OpenPhish)";
+            id = 1687062395;
+          }
+          {
+            enabled = true;
+            url =
+              "https://adguardteam.github.io/HostlistsRegistry/assets/filter_7.txt";
+            name = "Perflyst and Dandelion Sprout's Smart-TV Blocklist";
+            id = 1687062396;
+          }
+          {
+            enabled = true;
+            url =
+              "https://adguardteam.github.io/HostlistsRegistry/assets/filter_12.txt";
+            name = "Dandelion Sprout's Anti-Malware List";
+            id = 1687062397;
+          }
+          {
+            enabled = true;
+            url =
+              "https://adguardteam.github.io/HostlistsRegistry/assets/filter_10.txt";
+            name = "Scam Blocklist by DurableNapkin";
+            id = 1687062398;
+          }
+          {
+            enabled = true;
+            url =
+              "https://adguardteam.github.io/HostlistsRegistry/assets/filter_9.txt";
+            name = "The Big List of Hacked Malware Web Sites";
+            id = 1687062399;
+          }
+          {
+            enabled = true;
+            url =
+              "https://adguardteam.github.io/HostlistsRegistry/assets/filter_33.txt";
+            name = "Steven Black's List";
+            id = 1687062400;
+          }
+          {
+            enabled = true;
+            url =
+              "https://adguardteam.github.io/HostlistsRegistry/assets/filter_4.txt";
+            name = "Dan Pollock's List";
+            id = 1687062401;
+          }
+          {
+            enabled = true;
+            url =
+              "https://adguardteam.github.io/HostlistsRegistry/assets/filter_11.txt";
+            name = "Malicious URL Blocklist (URLHaus)";
+            id = 1687062402;
+          }
+          {
+            enabled = true;
+            url =
+              "https://adguardteam.github.io/HostlistsRegistry/assets/filter_3.txt";
+            name = "Peter Lowe's Blocklist";
+            id = 1687062403;
+          }
+          {
+            enabled = true;
+            url =
+              "https://adguardteam.github.io/HostlistsRegistry/assets/filter_32.txt";
+            name = "The NoTracking blocklist";
+            id = 1687062404;
+          }
+          {
+            enabled = true;
+            url =
+              "https://adguardteam.github.io/HostlistsRegistry/assets/filter_31.txt";
+            name = "Stalkerware Indicators List";
+            id = 1694924469;
+          }
+          {
+            enabled = true;
+            url =
+              "https://adguardteam.github.io/HostlistsRegistry/assets/filter_44.txt";
+            name = "HaGeZi's Threat Intelligence Feeds";
+            id = 1694924470;
+          }
+          {
+            enabled = true;
+            url =
+              "https://adguardteam.github.io/HostlistsRegistry/assets/filter_8.txt";
+            name = "NoCoin Filter List";
+            id = 1694924471;
+          }
+        ];
+        user_rules = [
+          "||www.googleadservices.com^$important"
+          "||rdvs.alljoyn.org^$important"
+          "||safebrowsing.google.com^$client='10.0.0.28'"
+          "||fm.nvc.heil.nuancemobility.net^$client='10.0.0.230'"
+          "@@||npdl.cdn.nintendowifi.net^$important"
+          "||tse3.mm.bing.net^$important"
+          "@@||repo.webosbrew.org^$important"
+          "||es.lgeapi.com^$important"
+          "||discovery.meethue.com^$important"
+          "||eic.lgtviot.com^$important"
+          "||qs2-nevoai-iothub-02-prod.azure-devices.net^$important"
+          "||snu.lge.com^$important"
+          "||su.lge.com^$important"
+          "||su-ssl.lge.com^$important"
+          "||snu-dev.lge.com^$important"
+          "||su-dev.lge.com^$important"
+          "||nsu.lge.com^$important"
+          "||eic.commonpush.lgtviot.com^$important"
+          "||eic.sports.lgtviot.com^$important"
+          "||es.lgtvsdp.com^$important"
+          "||prod-ripcut-delivery.disney-plus.net^$client='TV'"
+          "||ngfts.lge.com^$important"
+          "||lgtvonline.lge.com^$important"
+          "||www.ueiwsp.com^$important"
+          "||temu.com^$important"
+          "||www.temu.com^$important"
+          "@@||unity3d.com^$client='10.0.0.7'"
+          "@@||config.ads.vungle.com^$client='10.0.0.7'"
+          "@@||rayjump.com^$client='10.0.0.7'"
+          "@@||vungle.com^$client='10.0.0.7'"
+          "@@||mtgglobals.com^$client='10.0.0.7'"
+          "@@||fundingchoicesmessages.google.com^$client='10.0.0.7'"
+          "@@||applovin.com^$client='10.0.0.7'"
+          "@@||rovio.com^$client='10.0.0.7'"
+          "@@||gov.aniview.com^$client='10.0.0.7'"
+          "@@||unity3d.com^$client='10.10.0.3'"
+          "@@||config.ads.vungle.com^$client='10.10.0.3'"
+          "@@||rayjump.com^$client='10.10.0.3'"
+          "@@||vungle.com^$client='10.10.0.3'"
+          "@@||mtgglobals.com^$client='10.10.0.3'"
+          "@@||fundingchoicesmessages.google.com^$client='10.10.0.3'"
+          "@@||googleads.g.doubleclick.net^$client='10.10.0.3'"
+          "@@||applovin.com^$client='10.10.0.3'"
+          "@@||rovio.com^$client='10.10.0.3'"
+          "@@||gov.aniview.com^$client='10.10.0.3'"
+          "@@||cdn.liftoff-creatives.io^$client='10.0.0.7'"
+          "||googleads.g.doubleclick.net^$client='Tablet'"
+        ];
       };
     };
     nginx.virtualHosts."dns.rcia.dev" = {
+      forceSSL = true;
       locations."/".proxyPass =
         "http://127.0.0.1:${toString portDefinitions.adguardhome-http}";
       extraConfig = nginxLocalServiceConfig;

hosts/greatyamada/services/default.nix

@@ -1,13 +1,17 @@
 { ... }: {
   imports = [
     ./acme.nix
+    ./adguardhome.nix
     ./forgejo.nix
     ./inadyn.nix
     ./jellyfin.nix
-    ./minecraft
+    # ./minecraft
     ./nginx.nix
+    ./pgadmin.nix
     ./postgresql.nix
     ./radicale.nix
+    ./searxng.nix
+    ./vaultwarden.nix
     ./wireguard.nix
   ];
   # paperlessngx

hosts/greatyamada/services/forgejo.nix

@@ -1,14 +1,10 @@
-{ pkgs, ... }:
+{ pkgs, lib, ... }:
 let
-  forgejoSecretsPath = "/run/secrets/forgejo_";
   portDefinitions = import ./_port-definitions.nix;
   arrayToSecrets = elements:
     builtins.listToAttrs (map (key: {
       name = "forgejo/${key}";
-      value = {
-        path = "${forgejoSecretsPath}${key}";
-        owner = "forgejo";
-      };
+      value.owner = "forgejo";
     }) elements);
 in {
   services = {
@@ -18,15 +14,17 @@ in {
       database = {
         type = "postgres";
         port = portDefinitions.postgresql;
-        passwordFile = "${forgejoSecretsPath}database_password";
+        passwordFile = "/run/secrets/forgejo/database_password";
       };
       secrets = {
-        server.LFS_JWT_SECRET = "${forgejoSecretsPath}lfs_jwt_secret";
+        server.LFS_JWT_SECRET =
+          lib.mkForce "/run/secrets/forgejo/lfs_jwt_secret";
         security = {
-          INTERNAL_TOKEN = "${forgejoSecretsPath}internal_token";
-          SECRET_KEY = "${forgejoSecretsPath}secret_key";
+          INTERNAL_TOKEN = lib.mkForce "/run/secrets/forgejo/internal_token";
+          SECRET_KEY = lib.mkForce "/run/secrets/forgejo/secret_key";
         };
-        oauth2.JWT_SECRET = "${forgejoSecretsPath}oauth2_jwt_secret";
+        oauth2.JWT_SECRET =
+          lib.mkForce "/run/secrets/forgejo/oauth2_jwt_secret";
       };
       settings = {
         server = {
@@ -43,12 +41,13 @@ in {
       locations."/" = {
         proxyPass = "http://127.0.0.1:${toString portDefinitions.forgejo-http}";
       };
+      forceSSL = true;
       useACMEHost = "rcia.dev";
     };
   };
-  systemd.services.forgejo.preStart = ''
-    ${pkgs.forgejo}/bin/gitea migrate
-  '';
+  # systemd.services.forgejo.preStart = ''
+  #   ${pkgs.forgejo}/bin/gitea migrate
+  # '';
   sops.secrets = arrayToSecrets [
     "database_password"
     "internal_token"

hosts/greatyamada/services/inadyn.nix

@@ -1,10 +1,19 @@
 { config, ... }: {
   services.inadyn = {
     enable = true;
-    provider."cloudflare.com" = {
+    settings.provider."cloudflare.com" = {
       hostname = [ "rcia.dev" "*.rcia.dev" ];
       username = "rcia.dev";
-      password = "${config.sops.placeholder.cloudflare.api_key}";
+      include = config.sops.templates."inadyn-password.conf".path;
+    };
+  };
+  sops = {
+    secrets."cloudflare/api_token" = { };
+    templates."inadyn-password.conf" = {
+      content = ''
+        password = ${config.sops.placeholder."cloudflare/api_token"}
+      '';
+      owner = "inadyn";
     };
   };
 }

hosts/greatyamada/services/jellyfin.nix

@@ -1,21 +1,14 @@
 { ... }:
-let
-  jellyfinPath = "/mnt/Datos/jellyfin";
-  nginxLocalServiceConfig = import ./nginx-local-config.nix;
-  portDefinitions = import ./_port-definitions.nix;
+let portDefinitions = import ./_port-definitions.nix;
 in {
   services = {
-    jellyfin = {
-      enable = true;
-      dataDir = "${jellyfinPath}/data/";
-    };
+    jellyfin.enable = true;
     nginx.virtualHosts."jellyfin.rcia.dev" = {
-      locations."/" = {
-        proxyPass =
-          "http://127.0.0.1:${toString portDefinitions.jellyfin-http}";
-      };
-      extraConfig = nginxLocalServiceConfig;
+      locations."/".proxyPass =
+        "http://127.0.0.1:${toString portDefinitions.jellyfin-http}";
+      forceSSL = true;
       useACMEHost = "rcia.dev";
     };
   };
+  users.users.jellyfin.extraGroups = [ "media" ];
 }

hosts/greatyamada/services/nginx.nix

@@ -1,10 +1,16 @@
 { ... }: {
+  networking.firewall.allowedTCPPorts = [ 443 ];
   services.nginx = {
     enable = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    recommendedOptimisation = true;
+    recommendedTlsSettings = true;
     virtualHosts = {
       "rcia.dev" = {
         forceSSL = true;
-        enableACME = true;
+        # enableACME = true;
+        useACMEHost = "rcia.dev";
         serverAliases = [ "*.rcia.dev" ];
         # locations."/" = { root = /var/www/public; };
       };

hosts/greatyamada/services/pgadmin.nix

@@ -0,0 +1,21 @@
+{ ... }:
+let
+  _portDefinitions = import ./_port-definitions.nix;
+  nginxLocalConfig = import ./nginx-local-config.nix;
+in {
+  services = {
+    pgadmin = {
+      enable = true;
+      initialEmail = "avery@rcia.dev";
+      initialPasswordFile = "/etc/nixos/a.txt";
+      port = _portDefinitions.pgadmin;
+    };
+    nginx.virtualHosts."pgadmin.rcia.dev" = {
+      locations."/".proxyPass =
+        "http://localhost:${toString _portDefinitions.pgadmin}";
+      forceSSL = true;
+      useACMEHost = "rcia.dev";
+      extraConfig = nginxLocalConfig;
+    };
+  };
+}

hosts/greatyamada/services/postgresql.nix

@@ -1,8 +1,11 @@
-{ ... }:
+{ config, pkgs, ... }:
 let portDefinitions = import ./_port-definitions.nix;
 in {
   services.postgresql = {
     enable = true;
+    package = pkgs.postgresql_16;
+    dataDir =
+      "/mnt/ssd-01/postgresql/${config.services.postgresql.package.psqlSchema}";
     settings.port = portDefinitions.postgresql;
   };
 }

hosts/greatyamada/services/radicale.nix

@@ -2,7 +2,6 @@
 let
   nginxLocalServiceConfig = import ./nginx-local-config.nix;
   portDefinitions = import ./_port-definitions.nix;
-  radicalePath = "/mnt/Datos/radicale";
 in {
   services = {
     radicale = {
@@ -12,10 +11,9 @@ in {
           [ "127.0.0.1:${toString portDefinitions.radicale-http}" ];
         auth = {
           type = "htpasswd";
-          htpasswd_filename = "/etc/radicale/users";
+          htpasswd_filename = "/var/lib/radicale/users";
           htpasswd_encryption = "bcrypt";
         };
-        storage.filesystem_folder = radicalePath;
       };
     };
     nginx.virtualHosts."radicale.rcia.dev" = {
@@ -23,12 +21,13 @@ in {
         proxyPass =
           "http://127.0.0.1:${toString portDefinitions.radicale-http}";
       };
-      extraConfig = nginxLocalServiceConfig;
+      forceSSL = true;
       useACMEHost = "rcia.dev";
+      extraConfig = nginxLocalServiceConfig;
     };
   };
   sops.secrets."radicale/users" = {
-    path = "/etc/radicale/users";
+    path = "/var/lib/radicale/users";
     owner = "radicale";
   };
 }

hosts/greatyamada/services/searxng.nix

@@ -0,0 +1,46 @@
+{ config, pkgs, ... }:
+let
+  portDefinitions = import ./_port-definitions.nix;
+  nginxLocalServiceConfig = import ./nginx-local-config.nix;
+in {
+  services = {
+    searx = {
+      enable = true;
+      package = pkgs.searxng;
+      environmentFile = config.sops.templates."searxng_secret_key.env".path;
+      redisCreateLocally = true;
+      # runInUwsgi = true;
+      # uwsgiConfig = {
+      #   socket = "/run/searx/searxng.sock";
+      #   http = ":${toString portDefinitions.searxng}";
+      #   chmod-socket = "660";
+      # };
+      settings = {
+        base_url = "https://searxng.rcia.dev";
+        bind_address = "127.0.0.1";
+        port = portDefinitions.searxng;
+        public_instance = false;
+        limiter = false;
+      };
+
+    };
+    nginx.virtualHosts."searxng.rcia.dev" = {
+      locations."/".proxyPass =
+        "http://127.0.0.1:${toString portDefinitions.searxng}";
+      extraConfig = nginxLocalServiceConfig;
+      forceSSL = true;
+      useACMEHost = "rcia.dev";
+    };
+  };
+  sops = {
+    secrets."searxng_secret_key".owner = "searx";
+    templates."searxng_secret_key.env" = {
+      content = ''
+        SEARXNG_SECRET=${config.sops.placeholder."searxng_secret_key"}
+      '';
+      owner = "searx";
+    };
+  };
+  systemd.services.nginx.serviceConfig.ProtectHome = false;
+  users.groups.searx.members = [ "nginx" ];
+}

hosts/greatyamada/services/vaultwarden.nix

@@ -0,0 +1,36 @@
+{ config, ... }:
+let
+  portDefinitions = import ./_port-definitions.nix;
+  nginxLocalServiceConfig = import ./nginx-local-config.nix;
+in {
+  services = {
+    vaultwarden = {
+      enable = true;
+      dbBackend = "postgresql";
+      config = {
+        domain = "https://vaultwarden.rcia.dev";
+        rocketAddress = "127.0.0.1";
+        rocketPort = portDefinitions.vaultwarden;
+        showPasswordHint = false;
+        signupsAllowed = false;
+      };
+      environmentFile = config.sops.templates."vaultwarden.env".path;
+    };
+    nginx.virtualHosts."vaultwarden.rcia.dev" = {
+      locations."/".proxyPass =
+        "http://localhost:${toString portDefinitions.vaultwarden}";
+      forceSSL = true;
+      useACMEHost = "rcia.dev";
+      extraConfig = nginxLocalServiceConfig;
+    };
+  };
+  sops = {
+    secrets."vaultwarden_database_url" = { };
+    templates."vaultwarden.env" = {
+      content = ''
+        DATABASE_URL=${config.sops.placeholder."vaultwarden_database_url"}
+      '';
+      owner = "vaultwarden";
+    };
+  };
+}

hosts/greatyamada/services/wireguard.nix

@@ -1,34 +1,36 @@
-{ ... }:
+{ pkgs, ... }:
 let portDefinitions = import ./_port-definitions.nix;
 in {
   networking = {
+    nat = {
+      enable = true;
+      externalInterface = "enp5s0";
+      internalInterfaces = [ "wg0" ];
+    };
     firewall.allowedUDPPorts = [ portDefinitions.wireguard ];
     wireguard = {
       enable = true;
       interfaces.wg0 = {
         ips = [ "10.10.0.1/24" ];
+        listenPort = portDefinitions.wireguard;
         peers = [{
           allowedIPs = [ "10.10.0.2/32" ];
-          name = "Note9";
+          name = "Pixel9a";
           publicKey = "Y5A5iv0ukg1TQMcIdtXd+bmDxtrqHCuoEhYRmBqwkFY=";
-          presharedKeyFile = "/run/secrets/preshared_keys_note9";
+          presharedKeyFile = "/run/secrets/wireguard/preshared_keys/note9";
         }];
-        postSetup =
-          "iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE";
-        postShutdown =
-          "iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp5s0 -j MASQUERADE";
-        privateKeyFile = "/run/secrets/wg_private_key";
+        postSetup = ''
+          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o enp5s0 -j MASQUERADE
+        '';
+        postShutdown = ''
+          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.10.0.0/24 -o enp5s0 -j MASQUERADE
+        '';
+        privateKeyFile = "/run/secrets/wireguard/private_key";
       };
     };
   };
   sops.secrets = {
-    "wireguard/private_key" = {
-      path = "/run/secrets/wg_private_key";
-      owner = "root";
-    };
-    "wireguard/preshared_keys/note9" = {
-      path = "/run/secrets/preshared_keys_note9";
-      owner = "root";
-    };
+    "wireguard/private_key" = { owner = "root"; };
+    "wireguard/preshared_keys/note9" = { owner = "root"; };
   };
 }

hosts/mizuki/development.nix

@@ -1,12 +1,5 @@
 { pkgs, ... }: {
-  home.packages = with pkgs; [
-    xh
-    gnupg
-    git-credential-manager
-    pass
-    wslu
-    python3
-  ];
+  home.packages = with pkgs; [ xh gnupg git-credential-manager pass wslu ];
   programs = {
     git = {
       enable = true;

hosts/mizuki/nixos.nix

@@ -1,7 +1,7 @@
 { lib, pkgs, ... }: {
 
   environment.shells = with pkgs; [ zsh ];
-  environment.systemPackages = with pkgs; [ xorg.setxkbmap android-tools ];
+  environment.systemPackages = with pkgs; [ xorg.setxkbmap ];
 
   fonts = {
     packages = with pkgs; [ inter notonoto ];
@@ -26,15 +26,19 @@
     wheelNeedsPassword = true;
   };
 
+  services.mysql = {
+    enable = true;
+    package = pkgs.mysql84;
+  };
+
   users = {
     defaultUserShell = pkgs.zsh;
-    users.avery.extraGroups = [ "wheel" "adbusers" ];
+    users.avery.extraGroups = [ "wheel" ];
   };
 
   wsl = {
     enable = true;
     defaultUser = "avery";
-    usbip.enable = true;
   };
 
   virtualisation.docker.enable = true;