From 08ac2fb6dc3aaaa56feb20223375f6dc4af289d0 Mon Sep 17 00:00:00 2001 From: Tyler Starr Date: Sat, 23 Sep 2023 10:39:48 -0700 Subject: [PATCH 01/14] add wireguard server for torus --- provision/nixos/hosts/torus/configuration.nix | 1 + provision/nixos/modules/services/default.nix | 2 +- .../modules/services/wireguard-server.nix | 54 +++++++++++++++++++ 3 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 provision/nixos/modules/services/wireguard-server.nix diff --git a/provision/nixos/hosts/torus/configuration.nix b/provision/nixos/hosts/torus/configuration.nix index 385ca5e7..2ce3bd55 100644 --- a/provision/nixos/hosts/torus/configuration.nix +++ b/provision/nixos/hosts/torus/configuration.nix @@ -126,6 +126,7 @@ samba-server.enable = true; jellyfin.enable = true; syncthing.enable = true; + wireguard-server.enable = true; }; system = { terminal.enable = true; diff --git a/provision/nixos/modules/services/default.nix b/provision/nixos/modules/services/default.nix index ecbd0763..aeee625d 100644 --- a/provision/nixos/modules/services/default.nix +++ b/provision/nixos/modules/services/default.nix @@ -1,4 +1,4 @@ { ... }: { - imports = [ ./syncthing.nix ./samba-server.nix ./samba-client.nix ./jellyfin.nix ./virt-manager.nix ./peripherals.nix ]; + imports = [ ./wireguard-server.nix ./syncthing.nix ./samba-server.nix ./samba-client.nix ./jellyfin.nix ./virt-manager.nix ./peripherals.nix ]; } diff --git a/provision/nixos/modules/services/wireguard-server.nix b/provision/nixos/modules/services/wireguard-server.nix new file mode 100644 index 00000000..11ab2da9 --- /dev/null +++ b/provision/nixos/modules/services/wireguard-server.nix 
@@ -0,0 +1,54 @@ +{ config, lib, pkgs, ... }: + +let cfg = config.modules.services.wireguard-server; +in { + options.modules.services.wireguard-server.enable = lib.mkEnableOption "wireguard-server"; + config = lib.mkIf cfg.enable { + # enable NAT + networking.nat.enable = true; + networking.nat.externalInterface = "enp4s0"; + networking.nat.internalInterfaces = [ "wg0" ]; + networking.firewall = { + allowedUDPPorts = [ 51820 ]; + }; + + networking.wireguard.interfaces = { + # "wg0" is the network interface name. You can name the interface arbitrarily. + wg0 = { + # Determines the IP address and subnet of the server's end of the tunnel interface. + ips = [ "10.100.0.1/24" ]; + + # The port that WireGuard listens to. Must be accessible by the client. + listenPort = 51820; + + # This allows the wireguard server to route your traffic to the internet and hence be like a VPN + # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients + postSetup = '' + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE + ''; + + # This undoes the above command + postShutdown = '' + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE + ''; + + # Path to the private key file. + # + # Note: The private key can also be included inline via the privateKey option, + # but this makes the private key world-readable; thus, using privateKeyFile is + # recommended. + privateKeyFile = "/engi/apps/wireguard/torus-adjudicator"; + + peers = [ + # List of allowed peers. + { # Feel free to give a meaning full name + # Public key of the peer (not a file path). + publicKey = "boy07PYDJT8TuG6Zkwg1KqhKeoakc7GH7UxAw9NuSjE"; + # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing. + allowedIPs = [ "10.100.0.2/32" ]; + } + ]; + }; + }; + }; +} From 30b85b90c5b079b78e103aaf8899327d3c62f5fc Mon Sep 17 00:00:00 2001 
From: Tyler Starr Date: Sat, 7 Oct 2023 02:00:29 -0700 Subject: [PATCH 02/14] Fix wireguard on Torus --- provision/nixos/hosts/torus/configuration.nix | 13 ++-- .../modules/services/wireguard-server.nix | 63 ++++++++++--------- 2 files changed, 40 insertions(+), 36 deletions(-) diff --git a/provision/nixos/hosts/torus/configuration.nix b/provision/nixos/hosts/torus/configuration.nix index 2ce3bd55..1bc75d62 100644 --- a/provision/nixos/hosts/torus/configuration.nix +++ b/provision/nixos/hosts/torus/configuration.nix @@ -28,8 +28,14 @@ # Set networking options networking.hostName = "torus"; - networking.networkmanager.enable = true; + # Needed for wireguard-server + boot.kernel.sysctl = { + "net.ipv4.conf.all.forwarding" = true; + }; + networking.firewall.enable = true; networking.firewall.checkReversePath = "loose"; + networking.firewall.allowedTCPPorts = [ 80 443 ]; + networking.firewall.allowedUDPPorts = [ 80 443 ]; # Set your time zone. time.timeZone = "America/Los_Angeles"; @@ -78,8 +84,6 @@ defaults.email = "starrtyler88@gmail.com"; }; - networking.firewall.allowedTCPPorts = [ 80 443 ]; - networking.firewall.allowedUDPPorts = [ 80 443 ]; security.pam.services.nginx.setEnvironment = false; systemd.services.nginx.serviceConfig = { @@ -103,9 +107,6 @@ "media.tstarr.us" = (SSL // { locations."/".proxyPass = "http://localhost:8096/"; }); - "joplin.tstarr.us" = (SSL // { - locations."/".proxyPass = "http://localhost:22300/"; - }); "wiki.tstarr.us" = (SSL // { locations."/".proxyPass = "http://localhost:4567/"; extraConfig = '' diff --git a/provision/nixos/modules/services/wireguard-server.nix b/provision/nixos/modules/services/wireguard-server.nix index 11ab2da9..e6cd3389 100644 --- a/provision/nixos/modules/services/wireguard-server.nix +++ b/provision/nixos/modules/services/wireguard-server.nix 
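Review bot: `boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true` turns torus into a router for every interface, not just the tunnel, and it looks redundant: `networking.nat.enable = true` in the wireguard module already enables IPv4 forwarding for the NAT path (as far as I recall nat.nix sets the same sysctl with a low-priority override). If it is kept on purpose, say why in place of the current `# Needed for wireguard-server`, e.g. `# kept explicitly so routing survives disabling networking.nat`; if not, drop it. Whether packets forwarded between enp4s0 and other interfaces are filtered depends on the NixOS firewall's forward handling, which this hunk does not configure — worth confirming with `iptables -S FORWARD` after a switch. Removing the `joplin.tstarr.us` vhost is unrelated to the WireGuard fix and would be easier to audit as its own commit.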
@@ -4,49 +4,52 @@ let cfg = config.modules.services.wireguard-server; in { options.modules.services.wireguard-server.enable = lib.mkEnableOption "wireguard-server"; config = lib.mkIf cfg.enable { - # enable NAT - networking.nat.enable = true; - networking.nat.externalInterface = "enp4s0"; - networking.nat.internalInterfaces = [ "wg0" ]; - networking.firewall = { - allowedUDPPorts = [ 51820 ]; + # Enable NAT + networking.nat = { + enable = true; + enableIPv6 = true; + externalInterface = "enp4s0"; + internalInterfaces = [ "wg0" ]; }; - networking.wireguard.interfaces = { + # Open ports in the firewall + networking.firewall = { + allowedTCPPorts = [ 53 ]; + allowedUDPPorts = [ 53 51820 ]; + }; + + networking.wg-quick.interfaces = { # "wg0" is the network interface name. You can name the interface arbitrarily. wg0 = { - # Determines the IP address and subnet of the server's end of the tunnel interface. - ips = [ "10.100.0.1/24" ]; - - # The port that WireGuard listens to. Must be accessible by the client. 
+ # Determines the IP/IPv6 address and subnet of the client's end of the tunnel interface + address = [ "192.168.2.1/24" ]; + # The port that WireGuard listens to - recommended that this be changed from default listenPort = 51820; + # Path to the server's private key + privateKeyFile = "/engi/apps/wireguard/private"; # This allows the wireguard server to route your traffic to the internet and hence be like a VPN - # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients - postSetup = '' - ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE + postUp = '' + ${pkgs.iptables}/bin/iptables -A FORWARD -i %i -j ACCEPT + ${pkgs.iptables}/bin/iptables -A FORWARD -o %i -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE + ''; - # This undoes the above command - postShutdown = '' - ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE + # Undo the above + preDown = '' + ${pkgs.iptables}/bin/iptables -D FORWARD -i %i -j ACCEPT + ${pkgs.iptables}/bin/iptables -D FORWARD -o %i -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp4s0 -j MASQUERADE ''; - # Path to the private key file. - # - # Note: The private key can also be included inline via the privateKey option, - # but this makes the private key world-readable; thus, using privateKeyFile is - # recommended. - privateKeyFile = "/engi/apps/wireguard/torus-adjudicator"; - peers = [ - # List of allowed peers. - { # Feel free to give a meaning full name - # Public key of the peer (not a file path). - publicKey = "boy07PYDJT8TuG6Zkwg1KqhKeoakc7GH7UxAw9NuSjE"; - # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing. - allowedIPs = [ "10.100.0.2/32" ]; + { + # Adjudicator + publicKey = "r2/IeYCO1T+l248387wUBoNnc2DK9O8pHcIr/NQqezM="; + allowedIPs = [ "192.168.2.2/32" ]; } + # More peers can be added here. ]; }; }; 
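Review bot: `allowedTCPPorts = [ 53 ]` and `allowedUDPPorts = [ 53 51820 ]` open DNS on every interface, including the NAT external interface `enp4s0` named in the same hunk, yet nothing in this patch configures a resolver — if one is added later for VPN clients it becomes an open resolver on the outside. Scope it to the tunnel with `networking.firewall.interfaces.wg0.allowedUDPPorts = [ 53 ];` (and the TCP line likewise), leaving only 51820 in the global list. The key path `/engi/apps/wireguard/private` is under `/engi`, the directory the samba-server module in this repo exports; unless that file is root-owned and mode 0600 it can be read through the share, so a location outside the exported tree (e.g. `/var/lib/wireguard/`) is safer. The `address` comment still describes "the client's end" on what is the server interface, and "recommended that this be changed from default" contradicts the unchanged `listenPort = 51820` — moving the port buys no security, so that comment can go.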
From 5a58d747995fb06ae303e852598ab530a0094980 Mon Sep 17 00:00:00 2001 From: Tyler Starr Date: Sat, 7 Oct 2023 02:04:31 -0700 Subject: [PATCH 03/14] Move wireguard server outside of modules --- provision/nixos/hosts/torus/configuration.nix | 7 ++- .../nixos/hosts/torus/wireguard-server.nix | 52 +++++++++++++++++ provision/nixos/modules/services/default.nix | 2 +- .../modules/services/wireguard-server.nix | 57 ------------------- 4 files changed, 58 insertions(+), 60 deletions(-) create mode 100644 provision/nixos/hosts/torus/wireguard-server.nix delete mode 100644 provision/nixos/modules/services/wireguard-server.nix diff --git a/provision/nixos/hosts/torus/configuration.nix b/provision/nixos/hosts/torus/configuration.nix index 1bc75d62..e176bcf7 100644 --- a/provision/nixos/hosts/torus/configuration.nix +++ b/provision/nixos/hosts/torus/configuration.nix @@ -1,5 +1,10 @@ { config, pkgs, user, lib, ... }: { + imports = [ + ./wireguard-server.nix + ../../modules + ]; + nix = { package = pkgs.nixFlakes; extraOptions = "experimental-features = nix-command flakes"; @@ -118,7 +123,6 @@ }; # Enable modules - imports = [ ../../modules ]; modules = { devel = { tooling.enable = true; @@ -127,7 +131,6 @@ samba-server.enable = true; jellyfin.enable = true; syncthing.enable = true; - wireguard-server.enable = true; }; system = { terminal.enable = true; diff --git a/provision/nixos/hosts/torus/wireguard-server.nix b/provision/nixos/hosts/torus/wireguard-server.nix new file mode 100644 index 00000000..f039a55d --- /dev/null +++ b/provision/nixos/hosts/torus/wireguard-server.nix 
@@ -0,0 +1,52 @@ +{ config, lib, pkgs, ... }: +{ + # Enable NAT + networking.nat = { + enable = true; + enableIPv6 = true; + externalInterface = "enp4s0"; + internalInterfaces = [ "wg0" ]; + }; + + # Open ports in the firewall + networking.firewall = { + allowedTCPPorts = [ 53 ]; + allowedUDPPorts = [ 53 51820 ]; + }; + + networking.wg-quick.interfaces = { + # "wg0" is the network interface name. You can name the interface arbitrarily. + wg0 = { + # Determines the IP/IPv6 address and subnet of the client's end of the tunnel interface + address = [ "192.168.2.1/24" ]; + # The port that WireGuard listens to - recommended that this be changed from default + listenPort = 51820; + # Path to the server's private key + privateKeyFile = "/engi/apps/wireguard/private"; + + # This allows the wireguard server to route your traffic to the internet and hence be like a VPN + postUp = '' + ${pkgs.iptables}/bin/iptables -A FORWARD -i %i -j ACCEPT + ${pkgs.iptables}/bin/iptables -A FORWARD -o %i -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE + + ''; + + # Undo the above + preDown = '' + ${pkgs.iptables}/bin/iptables -D FORWARD -i %i -j ACCEPT + ${pkgs.iptables}/bin/iptables -D FORWARD -o %i -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp4s0 -j MASQUERADE + ''; + + peers = [ + { + # Adjudicator + publicKey = "r2/IeYCO1T+l248387wUBoNnc2DK9O8pHcIr/NQqezM="; + allowedIPs = [ "192.168.2.2/32" ]; + } + # More peers can be added here. + ]; + }; + }; +} diff --git a/provision/nixos/modules/services/default.nix b/provision/nixos/modules/services/default.nix index aeee625d..ecbd0763 100644 --- a/provision/nixos/modules/services/default.nix +++ b/provision/nixos/modules/services/default.nix 
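Review bot: The `postUp` rule `iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE` has no source match and duplicates what `networking.nat` (enabled a few lines above with `internalInterfaces = [ "wg0" ]`) already installs; as I recall the NixOS rule only masquerades packets marked as arriving on wg0, whereas this one rewrites anything that leaves enp4s0, so a LAN host that points a route at torus gets NATed too. Either drop the three iptables pairs in `postUp`/`preDown` and rely on `networking.nat`, or add `-s 192.168.2.0/24` to the masquerade rule and an equivalent `-s`/`-d` match to the two FORWARD accepts. `enableIPv6 = true` has no matching IPv6 address on wg0 and no IPv6 in any peer's `allowedIPs`, so it appears inert — remove it or add the v6 address it is meant for. This file is a move of the module deleted in the same commit, so the notes above apply to both copies.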
@@ -1,4 +1,4 @@ { ... }: { - imports = [ ./wireguard-server.nix ./syncthing.nix ./samba-server.nix ./samba-client.nix ./jellyfin.nix ./virt-manager.nix ./peripherals.nix ]; + imports = [ ./syncthing.nix ./samba-server.nix ./samba-client.nix ./jellyfin.nix ./virt-manager.nix ./peripherals.nix ]; } diff --git a/provision/nixos/modules/services/wireguard-server.nix b/provision/nixos/modules/services/wireguard-server.nix deleted file mode 100644 index e6cd3389..00000000 --- a/provision/nixos/modules/services/wireguard-server.nix +++ /dev/null 
@@ -1,57 +0,0 @@ -{ config, lib, pkgs, ... }: - -let cfg = config.modules.services.wireguard-server; -in { - options.modules.services.wireguard-server.enable = lib.mkEnableOption "wireguard-server"; - config = lib.mkIf cfg.enable { - # Enable NAT - networking.nat = { - enable = true; - enableIPv6 = true; - externalInterface = "enp4s0"; - internalInterfaces = [ "wg0" ]; - }; - - # Open ports in the firewall - networking.firewall = { - allowedTCPPorts = [ 53 ]; - allowedUDPPorts = [ 53 51820 ]; - }; - - networking.wg-quick.interfaces = { - # "wg0" is the network interface name. You can name the interface arbitrarily. - wg0 = { - # Determines the IP/IPv6 address and subnet of the client's end of the tunnel interface - address = [ "192.168.2.1/24" ]; - # The port that WireGuard listens to - recommended that this be changed from default - listenPort = 51820; - # Path to the server's private key - privateKeyFile = "/engi/apps/wireguard/private"; - - # This allows the wireguard server to route your traffic to the internet and hence be like a VPN - postUp = '' - ${pkgs.iptables}/bin/iptables -A FORWARD -i %i -j ACCEPT - ${pkgs.iptables}/bin/iptables -A FORWARD -o %i -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE - - ''; - - # Undo the above - preDown = '' - ${pkgs.iptables}/bin/iptables -D FORWARD -i %i -j ACCEPT - ${pkgs.iptables}/bin/iptables -D FORWARD -o %i -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp4s0 -j MASQUERADE - ''; - - peers = [ - { - # Adjudicator - publicKey = "r2/IeYCO1T+l248387wUBoNnc2DK9O8pHcIr/NQqezM="; - allowedIPs = [ "192.168.2.2/32" ]; - } - # More peers can be added here. - ]; - }; - }; - }; -} From b226a0c55d97e2ed330b3573fabb28ae0371463f Mon Sep 17 00:00:00 2001 
From: Tyler Starr Date: Sat, 7 Oct 2023 02:11:46 -0700 Subject: [PATCH 04/14] Move samba server outside of modules --- provision/nixos/hosts/torus/configuration.nix | 2 +- provision/nixos/hosts/torus/samba-server.nix | 41 +++++++++++++++++ provision/nixos/modules/services/default.nix | 2 +- .../nixos/modules/services/samba-server.nix | 46 ------------------- 4 files changed, 43 insertions(+), 48 deletions(-) create mode 100644 provision/nixos/hosts/torus/samba-server.nix delete mode 100644 provision/nixos/modules/services/samba-server.nix diff --git a/provision/nixos/hosts/torus/configuration.nix b/provision/nixos/hosts/torus/configuration.nix index e176bcf7..4f441c6a 100644 --- a/provision/nixos/hosts/torus/configuration.nix +++ b/provision/nixos/hosts/torus/configuration.nix @@ -2,6 +2,7 @@ { imports = [ ./wireguard-server.nix + ./samba-server.nix ../../modules ]; @@ -128,7 +129,6 @@ tooling.enable = true; }; services = { - samba-server.enable = true; jellyfin.enable = true; syncthing.enable = true; }; diff --git a/provision/nixos/hosts/torus/samba-server.nix b/provision/nixos/hosts/torus/samba-server.nix new file mode 100644 index 00000000..015086ba --- /dev/null +++ b/provision/nixos/hosts/torus/samba-server.nix 
@@ -0,0 +1,41 @@ +{ config, lib, pkgs, ... }: +{ + services.samba = { + enable = true; + extraConfig = '' + workgroup = WORKGROUP + server string = smbnix + netbios name = smbnix + security = user + hosts allow = 192.168.1. 127.0.0.1 localhost + hosts deny = 0.0.0.0/0 + guest account = nobody + map to guest = bad user + ''; + + shares = { + private = { + "path" = "/engi"; + browseable = "yes"; + "read only" = "no"; + "guest ok" = "no"; + "force user" = "tstarr"; + "force group" = "users"; + }; + public = { + "path" = "/engi"; + browseable = "yes"; + "read only" = "yes"; + "guest ok" = "yes"; + }; + }; + }; + + # Curiously, `services.samba` does not automatically open + # the needed ports in the firewall. + networking.firewall.allowedTCPPorts = [ 445 139 ]; + networking.firewall.allowedUDPPorts = [ 137 138 ]; + + # To make SMB mounting easier on the command line + environment.systemPackages = with pkgs; [ cifs-utils ]; +} diff --git a/provision/nixos/modules/services/default.nix b/provision/nixos/modules/services/default.nix index ecbd0763..2cd18a94 100644 --- a/provision/nixos/modules/services/default.nix +++ b/provision/nixos/modules/services/default.nix @@ -1,4 +1,4 @@ { ... }: { - imports = [ ./syncthing.nix ./samba-server.nix ./samba-client.nix ./jellyfin.nix ./virt-manager.nix ./peripherals.nix ]; + imports = [ ./syncthing.nix ./samba-client.nix ./jellyfin.nix ./virt-manager.nix ./peripherals.nix ]; } diff --git a/provision/nixos/modules/services/samba-server.nix b/provision/nixos/modules/services/samba-server.nix deleted file mode 100644 index b328c842..00000000 --- a/provision/nixos/modules/services/samba-server.nix +++ /dev/null 
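Review bot: The `public` share exports `/engi` to guests (`"guest ok" = "yes"` with `map to guest = bad user`) from the same root as `private`, and `/engi/apps/wireguard/private` — the server key configured two patches earlier — sits in that tree; whether the guest account `nobody` can read it depends solely on that file's mode, which this config cannot enforce. Point the public share at a dedicated subdirectory, `"path" = "/engi/public";`, or move the key out of the exported tree. `force user = tstarr` on the private share makes every authenticated account write as tstarr, so `security = user` does less than it suggests — a comment stating that this is intended would help the next reader. `hosts allow = 192.168.1.` also excludes the 192.168.2.0/24 tunnel subnet, so VPN clients cannot reach either share; add `192.168.2.` if that is wanted.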
@@ -1,46 +0,0 @@ -{ config, lib, pkgs, ... }: - -let cfg = config.modules.services.samba-server; -in { - options.modules.services.samba-server.enable = lib.mkEnableOption "samba-server"; - config = lib.mkIf cfg.enable { - services.samba = { - enable = true; - extraConfig = '' - workgroup = WORKGROUP - server string = smbnix - netbios name = smbnix - security = user - hosts allow = 192.168.1. 127.0.0.1 localhost - hosts deny = 0.0.0.0/0 - guest account = nobody - map to guest = bad user - ''; - - shares = { - private = { - "path" = "/engi"; - browseable = "yes"; - "read only" = "no"; - "guest ok" = "no"; - "force user" = "tstarr"; - "force group" = "users"; - }; - public = { - "path" = "/engi"; - browseable = "yes"; - "read only" = "yes"; - "guest ok" = "yes"; - }; - }; - }; - - # Curiously, `services.samba` does not automatically open - # the needed ports in the firewall. - networking.firewall.allowedTCPPorts = [ 445 139 ]; - networking.firewall.allowedUDPPorts = [ 137 138 ]; - - # To make SMB mounting easier on the command line - environment.systemPackages = with pkgs; [ cifs-utils ]; - }; -} From e073cdccd5c3f253fb7f6dd0bfd3571093a657ac Mon Sep 17 00:00:00 2001 From: Tyler Starr Date: Sat, 7 Oct 2023 02:16:26 -0700 Subject: [PATCH 05/14] many updates to Kestrel --- home/.chezmoiexternal.toml | 27 +++++++++++++------ home/bin/executable_linux-mount-engi | 2 +- home/dot_config/sway/config.tmpl | 4 ++- .../nixos/hosts/kestrel/configuration.nix | 2 +- .../nixos/modules/services/peripherals.nix | 15 ++++++++--- provision/nixos/modules/system/terminal.nix | 9 ++++++- 6 files changed, 43 insertions(+), 16 deletions(-) diff --git a/home/.chezmoiexternal.toml b/home/.chezmoiexternal.toml index 23c3253b..f4852bde 100644 --- a/home/.chezmoiexternal.toml +++ b/home/.chezmoiexternal.toml 
@@ -15,17 +15,28 @@ url = "https://github.com/wbthomason/packer.nvim.git" refreshPeriod = "168h" -[".config/xmonad/xmonad"] +[".task"] type = "git-repo" - url = "https://github.com/xmonad/xmonad" + url = "git@github.com:starr-dusT/task.git" refreshPeriod = "168h" -[".config/xmonad/xmonad-contrib"] +["documents/zet"] type = "git-repo" - url = "https://github.com/xmonad/xmonad-contrib" + url = "git@github.com:starr-dusT/zet.git" refreshPeriod = "168h" -[".config/xmonad/xmobar"] - type = "git-repo" - url = "https://codeberg.org/xmobar/xmobar" - refreshPeriod = "168h" +### OLD ### +#[".config/xmonad/xmonad"] +# type = "git-repo" +# url = "https://github.com/xmonad/xmonad" +# refreshPeriod = "168h" +# +#[".config/xmonad/xmonad-contrib"] +# type = "git-repo" +# url = "https://github.com/xmonad/xmonad-contrib" +# refreshPeriod = "168h" +# +#[".config/xmonad/xmobar"] +# type = "git-repo" +# url = "https://codeberg.org/xmobar/xmobar" +# refreshPeriod = "168h" diff --git a/home/bin/executable_linux-mount-engi b/home/bin/executable_linux-mount-engi index bd500f5a..52a43e00 100644 --- a/home/bin/executable_linux-mount-engi +++ b/home/bin/executable_linux-mount-engi @@ -1,3 +1,3 @@ #!/usr/bin/env bash -sudo mount -t cifs -o rw,uid=$(id -u $(whoami)),gid=$(id -g $(whoami)),vers=3.0,credentials=/home/tstarr/.smb //192.168.1.136/private /home/tstarr/mnt/engi +sudo mount -t cifs -o rw,uid=$(id -u $(whoami)),gid=$(id -g $(whoami)),vers=3.0,credentials=/home/tstarr/.smb //192.168.1.175/private /home/tstarr/mnt/engi diff --git a/home/dot_config/sway/config.tmpl b/home/dot_config/sway/config.tmpl index de1db5af..7037709b 100644 --- a/home/dot_config/sway/config.tmpl +++ b/home/dot_config/sway/config.tmpl 
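Review bot: The `### OLD ###` block carries three dead git-repo externals as comments; git history already has them, so deleting the block is cleaner than commented-out config. The new `.task` and `documents/zet` externals use `git@github.com:` URLs, so `chezmoi apply` now needs an SSH key for GitHub at run time — a one-line note such as `# cloned over SSH; requires a GitHub key in the agent` above them saves a confusing clone failure on a fresh machine. In `linux-mount-engi` the server address is a bare IP again (`192.168.1.175`); if torus gets a stable DNS name, using it here keeps the script from breaking on the next address change.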
@@ -91,7 +91,8 @@ gaps left 0 for_window [title="Steam - News"] floating enable for_window [title="Friends List"] floating enable -for_window [title="Picture-in-Picture"] sticky toggle +for_window [title=".*mpv$"] sticky toggle +for_window [title=".*mpv$"] floating enable for_window [app_id="file"] floating enable, \ border pixel 5, \ @@ -197,6 +198,7 @@ mode open { bindsym b exec chromium, $e bindsym s exec steam || flatpak run com.valvesoftware.Steam, $e bindsym d exec discord || flatpak run com.discordapp.Discord, $e + bindsym m exec mpv $(wl-paste), $e bindsym Escape mode default } diff --git a/provision/nixos/hosts/kestrel/configuration.nix b/provision/nixos/hosts/kestrel/configuration.nix index fba7d41a..928607e4 100644 --- a/provision/nixos/hosts/kestrel/configuration.nix +++ b/provision/nixos/hosts/kestrel/configuration.nix @@ -52,7 +52,7 @@ # Define user account. users.users.${user} = { isNormalUser = true; - extraGroups = [ "wheel" "docker" "libvirtd" ]; # Enable ‘sudo’ for the user. + extraGroups = [ "dialout" "wheel" "docker" "libvirtd" ]; # Enable ‘sudo’ for the user. }; # List packages installed in system profile. diff --git a/provision/nixos/modules/services/peripherals.nix b/provision/nixos/modules/services/peripherals.nix index 6648802b..ac69fd04 100644 --- a/provision/nixos/modules/services/peripherals.nix +++ b/provision/nixos/modules/services/peripherals.nix 
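Review bot: `bindsym m exec mpv $(wl-paste), $e` hands clipboard text to a shell unquoted, so it is word-split and glob-expanded, and a value starting with `--` (for example a pasted `--script=...`) is parsed by mpv as an option instead of a URL. Quote it and terminate option parsing: `bindsym m exec mpv -- "$(wl-paste)", $e` — check that sway preserves the inner quotes when it passes the line to `sh`, otherwise put the call in a small script under `home/bin/` (like `linux-mount-engi`) where quoting is under your control. The two `for_window [title=".*mpv$"]` rules can be one line: `for_window [title=".*mpv$"] floating enable, sticky toggle`.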
@@ -4,10 +4,17 @@ let cfg = config.modules.services.peripherals; in { options.modules.services.peripherals.enable = lib.mkEnableOption "peripherals"; config = lib.mkIf cfg.enable { - # Enable sound. - sound.enable = true; - hardware.pulseaudio.enable = true; - hardware.pulseaudio.support32Bit = true; + + # rtkit is optional but recommended + security.rtkit.enable = true; + services.pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + # If you want to use JACK applications, uncomment this + #jack.enable = true; + }; services = { gvfs.enable = true; diff --git a/provision/nixos/modules/system/terminal.nix b/provision/nixos/modules/system/terminal.nix index 68daffba..91c33085 100644 --- a/provision/nixos/modules/system/terminal.nix +++ b/provision/nixos/modules/system/terminal.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, user, ... }: +{ config, lib, pkgs, pkgs-unstable, user, ... }: let cfg = config.modules.system.terminal; in { @@ -32,6 +32,13 @@ in { # for neovim nodejs ripgrep + + ] ++ [ + pkgs-unstable.taskwarrior + # for taskwarrior + pkgs-unstable.taskwarrior-tui + pkgs-unstable.taskopen + pkgs-unstable.timewarrior ]; }; } From 38a7e3c2a34bf495a55ce08343e78f457d4847b2 Mon Sep 17 00:00:00 2001 From: Tyler Starr Date: Sat, 7 Oct 2023 02:18:36 -0700 Subject: [PATCH 06/14] Update config for changes to modules from Torus --- provision/nixos/hosts/kestrel/configuration.nix | 1 - provision/nixos/modules/services/jellyfin.nix | 1 - 2 files changed, 2 deletions(-) diff --git a/provision/nixos/hosts/kestrel/configuration.nix b/provision/nixos/hosts/kestrel/configuration.nix index 928607e4..59d45c57 100644 --- a/provision/nixos/hosts/kestrel/configuration.nix +++ b/provision/nixos/hosts/kestrel/configuration.nix @@ -81,7 +81,6 @@ #jellyfin.enable = true; peripherals.enable = true; samba-client.enable = true; - #samba-server.enable = true; syncthing.enable = true; virt-manager.enable = true; }; 
diff --git a/provision/nixos/modules/services/jellyfin.nix b/provision/nixos/modules/services/jellyfin.nix index b4aaf5fd..78cce358 100644 --- a/provision/nixos/modules/services/jellyfin.nix +++ b/provision/nixos/modules/services/jellyfin.nix @@ -8,5 +8,4 @@ in { services.jellyfin.openFirewall = true; services.jellyfin.user = "${user}"; }; - } From afc18704d02571b865bd42db7764d54d065fe003 Mon Sep 17 00:00:00 2001 From: Tyler Starr Date: Sat, 7 Oct 2023 09:33:26 -0700 Subject: [PATCH 07/14] Add wireguard client to Kestrel --- home/private_dot_wireguard/kestrel.pub | 1 + home/private_dot_wireguard/kestrel.tmpl | 1 + .../nixos/hosts/kestrel/configuration.nix | 7 +++- .../nixos/hosts/kestrel/wireguard-client.nix | 42 +++++++++++++++++++ .../nixos/hosts/torus/wireguard-server.nix | 5 +++ 5 files changed, 54 insertions(+), 2 deletions(-) create mode 100644 home/private_dot_wireguard/kestrel.pub create mode 100644 home/private_dot_wireguard/kestrel.tmpl create mode 100644 provision/nixos/hosts/kestrel/wireguard-client.nix diff --git a/home/private_dot_wireguard/kestrel.pub b/home/private_dot_wireguard/kestrel.pub new file mode 100644 index 00000000..d4d0402e --- /dev/null +++ b/home/private_dot_wireguard/kestrel.pub @@ -0,0 +1 @@ +hPso657fppLYvBU31Rtqqg792JEoPv7r82JgLoF8S2Y= diff --git a/home/private_dot_wireguard/kestrel.tmpl b/home/private_dot_wireguard/kestrel.tmpl new file mode 100644 index 00000000..400eef8b --- /dev/null +++ b/home/private_dot_wireguard/kestrel.tmpl @@ -0,0 +1 @@ +{{ (secret "Wireguard - Kestrel Secret" "NOTES") }} diff --git a/provision/nixos/hosts/kestrel/configuration.nix b/provision/nixos/hosts/kestrel/configuration.nix index 59d45c57..7ce1e3f3 100644 --- a/provision/nixos/hosts/kestrel/configuration.nix +++ b/provision/nixos/hosts/kestrel/configuration.nix 
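Review bot: `home/private_dot_wireguard/kestrel.tmpl` holds the private key, but only the parent directory carries chezmoi's `private_` attribute; if I read chezmoi's attribute rules correctly the file itself is created with the default 0644 mode and is protected only by the 0700 directory. Renaming it `private_kestrel.tmpl` makes chezmoi write `~/.wireguard/kestrel` as 0600, so the key stays protected even if the directory mode is ever loosened, and avoids WireGuard's world-readable warning. The `secret` template call means `chezmoi apply` depends on whatever backs the `secret` function being unlocked at that moment — worth a line in the repo's setup notes. `kestrel.pub` is public material and needs no such treatment.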
@@ -1,5 +1,10 @@ { config, pkgs, user, lib, ... }: { + imports = [ + ./wireguard-client.nix + ../../modules + ]; + nix = { package = pkgs.nixFlakes; extraOptions = "experimental-features = nix-command flakes"; @@ -32,7 +37,6 @@ # Set networking options networking.hostName = "kestrel"; - networking.networkmanager.enable = true; networking.firewall.checkReversePath = "loose"; networking.firewall.enable = false; @@ -63,7 +67,6 @@ ]; # Enable modules - imports = [ ../../modules ]; modules = { desktop = { sway.enable = true; diff --git a/provision/nixos/hosts/kestrel/wireguard-client.nix b/provision/nixos/hosts/kestrel/wireguard-client.nix new file mode 100644 index 00000000..0c23b6e8 --- /dev/null +++ b/provision/nixos/hosts/kestrel/wireguard-client.nix 
@@ -0,0 +1,42 @@ +{ config, pkgs, user, lib, ... }: +{ + networking.firewall = { + allowedUDPPorts = [ 51820 ]; # Clients and peers can use the same port, see listenport + }; + # Enable WireGuard + networking.wireguard.interfaces = { + # "wg0" is the network interface name. You can name the interface arbitrarily. + wg0 = { + # Determines the IP address and subnet of the client's end of the tunnel interface. + ips = [ "192.168.2.3/32" ]; + listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers) + + # Path to the private key file. + # + # Note: The private key can also be included inline via the privateKey option, + # but this makes the private key world-readable; thus, using privateKeyFile is + # recommended. + privateKeyFile = "/home/${user}/.wireguard/kestrel"; + + peers = [ + # For a client configuration, one peer entry for the server will suffice. + + { + # Public key of the server (not a file path). + publicKey = "bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ="; + + # Forward all the traffic via VPN. + allowedIPs = [ "0.0.0.0/0" "::/0" ]; + # Or forward only particular subnets + #allowedIPs = [ "10.100.0.1" "91.108.12.0/22" ]; + + # Set this to the server IP and port. + endpoint = "192.168.1.175:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577 + + # Send keepalives every 25 seconds. Important to keep NAT tables alive. + persistentKeepalive = 25; + } + ]; + }; + }; +} diff --git a/provision/nixos/hosts/torus/wireguard-server.nix b/provision/nixos/hosts/torus/wireguard-server.nix index f039a55d..7c88f1c8 100644 --- a/provision/nixos/hosts/torus/wireguard-server.nix +++ b/provision/nixos/hosts/torus/wireguard-server.nix 
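Review bot: The commented fallback `#allowedIPs = [ "10.100.0.1" "91.108.12.0/22" ]` is left over from the wiki example and names a subnet this series no longer uses (the server moved to 192.168.2.0/24), so it misleads; drop it or make it the real split-tunnel value, `#allowedIPs = [ "192.168.2.0/24" ];`. A roaming client does not need an inbound port: `listenPort = 51820` with the matching `allowedUDPPorts` entry pins a fixed UDP listener on every network the laptop joins, while `persistentKeepalive = 25` already keeps the NAT mapping open from the outgoing side — both can go (and the allow-list is a no-op while the hunk above keeps `networking.firewall.enable = false`). The ToDo on `endpoint` is real for `networking.wireguard` with a `0.0.0.0/0` route: packets to the endpoint itself would be routed back into the tunnel unless an exclusion route is added.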
@@ -45,6 +45,11 @@ publicKey = "r2/IeYCO1T+l248387wUBoNnc2DK9O8pHcIr/NQqezM="; allowedIPs = [ "192.168.2.2/32" ]; } + { + # Kestrel + publicKey = "hPso657fppLYvBU31Rtqqg792JEoPv7r82JgLoF8S2Y="; + allowedIPs = [ "192.168.2.3/32" ]; + } # More peers can be added here. ]; }; From 47b0d38dde57165e54163d3fe14cd5fb977e001b Mon Sep 17 00:00:00 2001 From: Tyler Starr Date: Sat, 7 Oct 2023 09:52:19 -0700 Subject: [PATCH 08/14] add unstable to torus --- provision/nixos/flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/provision/nixos/flake.nix b/provision/nixos/flake.nix index ba824760..6f84b844 100644 --- a/provision/nixos/flake.nix +++ b/provision/nixos/flake.nix @@ -48,7 +48,7 @@ torus = lib.nixosSystem { inherit system; - specialArgs = { inherit user; }; + specialArgs = { inherit user; inherit pkgs-unstable; }; modules = [ ./hosts/torus/configuration.nix ./hosts/torus/hardware.nix From 9fb2873fa13ae073c7a3eb5f79afcfd8803aeba9 Mon Sep 17 00:00:00 2001 From: Tyler Starr Date: Sat, 7 Oct 2023 10:14:12 -0700 Subject: [PATCH 09/14] don't autostart wireguard client on boot --- provision/nixos/hosts/kestrel/wireguard-client.nix | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/provision/nixos/hosts/kestrel/wireguard-client.nix b/provision/nixos/hosts/kestrel/wireguard-client.nix index 0c23b6e8..a966d2fb 100644 --- a/provision/nixos/hosts/kestrel/wireguard-client.nix +++ b/provision/nixos/hosts/kestrel/wireguard-client.nix 
@@ -4,11 +4,11 @@ allowedUDPPorts = [ 51820 ]; # Clients and peers can use the same port, see listenport }; # Enable WireGuard - networking.wireguard.interfaces = { + networking.wg-quick.interfaces = { # "wg0" is the network interface name. You can name the interface arbitrarily. wg0 = { # Determines the IP address and subnet of the client's end of the tunnel interface. - ips = [ "192.168.2.3/32" ]; + address = [ "192.168.2.3/32" ]; listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers) # Path to the private key file. @@ -18,6 +18,10 @@ # recommended. privateKeyFile = "/home/${user}/.wireguard/kestrel"; + # Don't autostart peer + # Start with systemctl start wg-quick-wg0 + autostart = false; + peers = [ # For a client configuration, one peer entry for the server will suffice. @@ -31,7 +35,7 @@ #allowedIPs = [ "10.100.0.1" "91.108.12.0/22" ]; # Set this to the server IP and port. - endpoint = "192.168.1.175:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577 + endpoint = "66.218.43.87:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577 # Send keepalives every 25 seconds. Important to keep NAT tables alive. persistentKeepalive = 25; From a12f6f5f96b00b55c19d9a9a1e78aaab38c4533e Mon Sep 17 00:00:00 2001 From: Tyler Starr Date: Sat, 7 Oct 2023 13:55:38 -0700 Subject: [PATCH 10/14] fix typo in client wireguard --- provision/nixos/hosts/kestrel/wireguard-client.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/provision/nixos/hosts/kestrel/wireguard-client.nix b/provision/nixos/hosts/kestrel/wireguard-client.nix index a966d2fb..b1c56bc4 100644 --- a/provision/nixos/hosts/kestrel/wireguard-client.nix 
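Review bot: With `allowedIPs = [ "0.0.0.0/0" "::/0" ]` and no `dns` option, wg-quick sends all traffic through torus but the resolver stays whatever the local DHCP lease handed out, so lookups either fail off-LAN or go to a resolver the tunnel was meant to replace. Since the server side already opens port 53 for the tunnel, set `dns = [ "192.168.2.1" ];` here (wg-quick pushes it through resolvconf) — after confirming a resolver actually listens on torus. `endpoint = "66.218.43.87:51820"` writes a home public address into a dotfiles repo's history; a DNS name under the domain the nginx vhosts in this series already use keeps the IP out of git and survives an address change. The comment `# Start with systemctl start wg-quick-wg0` omits the `.service` suffix the later toggle script uses; `systemctl` accepts both, but one spelling is easier to grep for.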
+++ b/provision/nixos/hosts/kestrel/wireguard-client.nix @@ -8,7 +8,7 @@ # "wg0" is the network interface name. You can name the interface arbitrarily. wg0 = { # Determines the IP address and subnet of the client's end of the tunnel interface. - address = [ "192.168.2.3/32" ]; + address = [ "192.168.2.3/24" ]; listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers) # Path to the private key file. From 07ef08868d7aa86634d1a5cba19f4570692612c0 Mon Sep 17 00:00:00 2001 From: Tyler Starr Date: Sat, 7 Oct 2023 14:43:10 -0700 Subject: [PATCH 11/14] allow users to restart/stop wireguard vpn --- provision/nixos/hosts/kestrel/configuration.nix | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/provision/nixos/hosts/kestrel/configuration.nix b/provision/nixos/hosts/kestrel/configuration.nix index 7ce1e3f3..b122ee64 100644 --- a/provision/nixos/hosts/kestrel/configuration.nix +++ b/provision/nixos/hosts/kestrel/configuration.nix @@ -59,6 +59,21 @@ extraGroups = [ "dialout" "wheel" "docker" "libvirtd" ]; # Enable ‘sudo’ for the user. }; + # Allow users to start/stop wireguard vpn + security.sudo.extraRules = [{ + commands = [ + { + command = "${pkgs.systemc}/bin/systemctl restart wg-quick-wg0"; + options = [ "NOPASSWD" ]; + } + { + command = "${pkgs.systemc}/bin/systemctl stop wg-quick-wg0"; + options = [ "NOPASSWD" ]; + } + ]; + groups = [ "wheel" ]; + }]; + # List packages installed in system profile. environment.systemPackages = with pkgs; [ # One-off stable packages From ac95f2128fd8b0612ee1f358a6e73cc119182964 Mon Sep 17 00:00:00 2001 
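Review bot: `${pkgs.systemc}` is not a nixpkgs attribute (the package is `pkgs.systemd`), so this configuration will not evaluate, and sudo matches arguments verbatim, so a rule for `systemctl restart wg-quick-wg0` would not cover the `.service`-suffixed spelling the toggle script later uses. The next patch removes the block again; squashing the two keeps a non-evaluating revision out of history. The `/32` → `/24` change on the client `address` is harmless with a full-tunnel `allowedIPs`, but a /32 was not a typo so much as the narrower choice for a client that only needs to talk to the server's tunnel address.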
From: Tyler Starr Date: Sat, 7 Oct 2023 21:47:35 -0700 Subject: [PATCH 12/14] fix script for toggling vpn --- home/bin/executable_linux-toggle-vpn | 9 +++++++++ home/dot_config/sway/config.tmpl | 1 - .../sway/scripts/executable_status.sh.tmpl | 6 +++--- .../sway/scripts/executable_toggle-vpn.sh | 8 -------- provision/nixos/hosts/kestrel/configuration.nix | 15 --------------- 5 files changed, 12 insertions(+), 27 deletions(-) create mode 100644 home/bin/executable_linux-toggle-vpn delete mode 100644 home/dot_config/sway/scripts/executable_toggle-vpn.sh diff --git a/home/bin/executable_linux-toggle-vpn b/home/bin/executable_linux-toggle-vpn new file mode 100644 index 00000000..5847a92e --- /dev/null +++ b/home/bin/executable_linux-toggle-vpn @@ -0,0 +1,9 @@ +#!/usr/bin/env bash + +if [ -f ~/.wg0 ]; then + sudo systemctl stop wg-quick-wg0.service + rm ~/.wg0 +else + sudo systemctl restart wg-quick-wg0.service + touch ~/.wg0 +fi diff --git a/home/dot_config/sway/config.tmpl b/home/dot_config/sway/config.tmpl index 7037709b..0ccce0bb 100644 --- a/home/dot_config/sway/config.tmpl +++ b/home/dot_config/sway/config.tmpl @@ -127,7 +127,6 @@ mode utility { bindsym q exit bindsym r reload bindsym g exec "~/.config/sway/scripts/gamemode.sh", $e - bindsym v exec "~/.config/sway/scripts/toggle-vpn.sh {{ .hostname }}", $e bindsym Escape mode default } diff --git a/home/dot_config/sway/scripts/executable_status.sh.tmpl b/home/dot_config/sway/scripts/executable_status.sh.tmpl index b99b49fe..20f758e9 100644 --- a/home/dot_config/sway/scripts/executable_status.sh.tmpl +++ b/home/dot_config/sway/scripts/executable_status.sh.tmpl 
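Review bot: `linux-toggle-vpn` decides from a marker file `~/.wg0` instead of from the unit, so the two drift apart: after a reboot (the unit has `autostart = false`) or a failed start the marker is still there, the next toggle issues a `stop` against an inactive unit, and the status bar keeps reporting the VPN as up while traffic is not tunnelled. Ask systemd instead and drop the marker; `systemctl is-active` needs no privileges, and `start` states the intent better than `restart` for a stopped unit. With the NOPASSWD sudo rules removed in the same commit, the two `sudo systemctl` calls now prompt for a password, which is fine from a terminal but will not work from a sway keybinding without a graphical askpass.
```shell
#!/usr/bin/env bash

if systemctl is-active --quiet wg-quick-wg0.service; then
    sudo systemctl stop wg-quick-wg0.service
else
    sudo systemctl start wg-quick-wg0.service
fi
```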
@@ -44,11 +44,11 @@ txmb=$(echo "scale = 1; $tx / 1280000" | bc | awk '{printf "%05.1f\n", $0}') rxmb=$(echo "scale = 1; $rx / 1280000" | bc | awk '{printf "%05.1f\n", $0}') # Vpn status -vpn=$(nmcli c show --active | grep wireguard | cut -d ' ' -f1) -if $vpn ; then +if [ -f ~/.wg0 ] ; then + vpn="wg0" +else vpn="none" fi #lel echo -e "👍 $txmb 👎 $rxmb | 📡 $vpn | ⬆️ $uptime_formatted | 🔉$volume% | $gamemode | 🐧 $linux_version | $date_formatted " - diff --git a/home/dot_config/sway/scripts/executable_toggle-vpn.sh b/home/dot_config/sway/scripts/executable_toggle-vpn.sh deleted file mode 100644 index 326fe195..00000000 --- a/home/dot_config/sway/scripts/executable_toggle-vpn.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/usr/bin/env bash - -cons=$(nmcli -t -f NAME c show --active | grep $1) -if [ $cons ]; then - nmcli c down $1 1> /dev/null -else - nmcli c up $1 1> /dev/null -fi diff --git a/provision/nixos/hosts/kestrel/configuration.nix b/provision/nixos/hosts/kestrel/configuration.nix index b122ee64..7ce1e3f3 100644 --- a/provision/nixos/hosts/kestrel/configuration.nix +++ b/provision/nixos/hosts/kestrel/configuration.nix @@ -59,21 +59,6 @@ extraGroups = [ "dialout" "wheel" "docker" "libvirtd" ]; # Enable ‘sudo’ for the user. }; - # Allow users to start/stop wireguard vpn - security.sudo.extraRules = [{ - commands = [ - { - command = "${pkgs.systemc}/bin/systemctl restart wg-quick-wg0"; - options = [ "NOPASSWD" ]; - } - { - command = "${pkgs.systemc}/bin/systemctl stop wg-quick-wg0"; - options = [ "NOPASSWD" ]; - } - ]; - groups = [ "wheel" ]; - }]; - # List packages installed in system profile. environment.systemPackages = with pkgs; [ # One-off stable packages From 4a6d0862b03606d0858cf4d61d0c1e1b17b20585 Mon Sep 17 00:00:00 2001 
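Review bot: The status bar now reports `wg0` whenever `~/.wg0` exists, not when a tunnel is actually up, so the user can read "VPN on" while traffic leaves the host in the clear — for example after a reboot (the unit is not autostarted elsewhere in this series) or after the unit fails. The removed `nmcli` check, whatever its faults, at least asked the network stack. Replace the marker test with the unit state, `if systemctl is-active --quiet wg-quick-wg0.service ; then`; `systemctl is-active` needs no privileges, so it works from the bar script. The enclosing script continues outside this hunk.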
From: Tyler Starr Date: Sun, 8 Oct 2023 00:01:40 -0700 Subject: [PATCH 13/14] Move wireguard client to module with options (and update config for Kestrel) --- .../nixos/hosts/kestrel/configuration.nix | 10 +++- .../nixos/hosts/kestrel/wireguard-client.nix | 46 ------------------- provision/nixos/modules/system/default.nix | 2 +- .../nixos/modules/system/wireguard-client.nix | 37 +++++++++++++++ 4 files changed, 46 insertions(+), 49 deletions(-) delete mode 100644 provision/nixos/hosts/kestrel/wireguard-client.nix create mode 100644 provision/nixos/modules/system/wireguard-client.nix diff --git a/provision/nixos/hosts/kestrel/configuration.nix b/provision/nixos/hosts/kestrel/configuration.nix index 7ce1e3f3..20720f66 100644 --- a/provision/nixos/hosts/kestrel/configuration.nix +++ b/provision/nixos/hosts/kestrel/configuration.nix @@ -1,7 +1,6 @@ { config, pkgs, user, lib, ... }: { imports = [ - ./wireguard-client.nix ../../modules ]; @@ -81,7 +80,7 @@ steam.enable = true; }; services = { - #jellyfin.enable = true; + jellyfin.enable = false; peripherals.enable = true; samba-client.enable = true; syncthing.enable = true; @@ -90,6 +89,13 @@ system = { ssh.enable = true; terminal.enable = true; + wireguard-client = { + enable = true; + privateKeyFile = "/home/${user}/.wireguard/kestrel"; + address = [ "192.168.2.3/24" ]; + publicKey = "bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ="; + endpoint = "66.218.43.87"; + }; }; }; # Did you read the comment? diff --git a/provision/nixos/hosts/kestrel/wireguard-client.nix b/provision/nixos/hosts/kestrel/wireguard-client.nix deleted file mode 100644 index b1c56bc4..00000000 --- a/provision/nixos/hosts/kestrel/wireguard-client.nix +++ /dev/null 
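Review bot: `privateKeyFile = "/home/${user}/.wireguard/kestrel"` keeps the tunnel's private key in the user's home directory; wg-quick reads it as root, so nothing requires it to be user-readable, and any process running as that user can copy or replace it. A root-owned location such as `/etc/wireguard/kestrel` with mode 0600 (or a secrets tool, if the repo adopts one) limits the key to the service that uses it; either way add a comment on the line stating the expected owner and mode, e.g. `# root:root 0600 — read by wg-quick as root, never needed by the user session`. `endpoint` and the server's `publicKey` are not secrets and are fine in the repository. The enclosing `modules.system` attribute set begins before this hunk.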
@@ -1,46 +0,0 @@ -{ config, pkgs, user, lib, ... }: -{ - networking.firewall = { - allowedUDPPorts = [ 51820 ]; # Clients and peers can use the same port, see listenport - }; - # Enable WireGuard - networking.wg-quick.interfaces = { - # "wg0" is the network interface name. You can name the interface arbitrarily. - wg0 = { - # Determines the IP address and subnet of the client's end of the tunnel interface. - address = [ "192.168.2.3/24" ]; - listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers) - - # Path to the private key file. - # - # Note: The private key can also be included inline via the privateKey option, - # but this makes the private key world-readable; thus, using privateKeyFile is - # recommended. - privateKeyFile = "/home/${user}/.wireguard/kestrel"; - - # Don't autostart peer - # Start with systemctl start wg-quick-wg0 - autostart = false; - - peers = [ - # For a client configuration, one peer entry for the server will suffice. - - { - # Public key of the server (not a file path). - publicKey = "bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ="; - - # Forward all the traffic via VPN. - allowedIPs = [ "0.0.0.0/0" "::/0" ]; - # Or forward only particular subnets - #allowedIPs = [ "10.100.0.1" "91.108.12.0/22" ]; - - # Set this to the server IP and port. - endpoint = "66.218.43.87:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577 - - # Send keepalives every 25 seconds. Important to keep NAT tables alive. - persistentKeepalive = 25; - } - ]; - }; - }; -} diff --git a/provision/nixos/modules/system/default.nix b/provision/nixos/modules/system/default.nix index 3d1a89d9..9abd35a0 100644 --- a/provision/nixos/modules/system/default.nix +++ b/provision/nixos/modules/system/default.nix 
@@ -1,4 +1,4 @@ { ... }: { - imports = [ ./terminal.nix ./ssh.nix ]; + imports = [ ./wireguard-client.nix ./terminal.nix ./ssh.nix ]; } diff --git a/provision/nixos/modules/system/wireguard-client.nix b/provision/nixos/modules/system/wireguard-client.nix new file mode 100644 index 00000000..f2c48917 --- /dev/null +++ b/provision/nixos/modules/system/wireguard-client.nix @@ -0,0 +1,37 @@ +{ config, lib, pkgs, user, ... }: + +let cfg = config.modules.system.wireguard-client; + +in { + options.modules.system.wireguard-client = with lib; { + enable = lib.mkEnableOption "wireguard-client"; + privateKeyFile = lib.mkOption { type = with types; str; }; + address = lib.mkOption { type = with types; listOf str; }; + publicKey = lib.mkOption { type = with types; str; }; + endpoint = lib.mkOption { type = with types; str; }; + autostart = lib.mkOption { + type = with types; bool; + default = false; + }; + }; + + config = lib.mkIf cfg.enable { + networking.firewall = { + allowedUDPPorts = [ 51820 ]; + }; + networking.wg-quick.interfaces = { + wg0 = { + address = cfg.address; + listenPort = 51820; + privateKeyFile = cfg.privateKeyFile; + autostart = cfg.autostart; + peers = [{ + publicKey = cfg.publicKey; + allowedIPs = [ "0.0.0.0/0" "::/0" ]; + endpoint = "${cfg.endpoint}:51820"; + persistentKeepalive = 25; + }]; + }; + }; + }; +} From 3833669402e8eff9520c9c5e3c9315cb337ffc98 Mon Sep 17 00:00:00 2001 From: Tyler Starr Date: Sun, 8 Oct 2023 00:35:05 -0700 Subject: [PATCH 14/14] allow vpn clients to access samba --- provision/nixos/hosts/torus/samba-server.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/provision/nixos/hosts/torus/samba-server.nix b/provision/nixos/hosts/torus/samba-server.nix index 015086ba..b5a9d67c 100644 --- a/provision/nixos/hosts/torus/samba-server.nix +++ b/provision/nixos/hosts/torus/samba-server.nix 
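Review bot: The module opens inbound UDP 51820 on the client's firewall (`networking.firewall.allowedUDPPorts`) although a client that dials a fixed `endpoint` and sends `persistentKeepalive` initiates the handshake outbound, so under the default stateful firewall replies should already be accepted and the rule only exposes a listener on every interface; drop the `allowedUDPPorts` line (the fixed `listenPort` can stay). `privateKeyFile` is declared as `str`, which is the right choice, but worth saying why: `# str, not path: a path-typed value would be copied into the world-readable Nix store`. `allowedIPs` is hard-coded to `0.0.0.0/0 ::/0`; because wg-quick keeps on-link routes outside the tunnel, a resolver on the local LAN would presumably still be queried unencrypted — if that matters for this deployment, expose a `dns` option and pass it to `wg-quick.interfaces.wg0.dns`. This is a new file, so the hunk is complete.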
@@ -7,7 +7,7 @@ server string = smbnix netbios name = smbnix security = user - hosts allow = 192.168.1. 127.0.0.1 localhost + hosts allow = 192.168.2. 192.168.1. 127.0.0.1 localhost hosts deny = 0.0.0.0/0 guest account = nobody map to guest = bad user
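Review bot: `hosts allow = 192.168.2.` admits the whole /24 — every present and future tunnel peer, plus any LAN host that happens to sit in 192.168.2.0/24 — and Samba's `hosts allow` is an application-level filter applied after the packet has already reached smbd, so the NixOS firewall must still decide whether SMB is reachable on `wg0`; that rule is not in this diff and should be checked deliberately. If only the one client is meant to reach the shares, list it instead of the prefix: `hosts allow = 192.168.2.3 192.168.1. 127.0.0.1 localhost`. If the tunnel subnet can collide with a home LAN range, a dedicated range that no LAN uses would make this filter unambiguous.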