home/bin/executable_linux-tree-dir

@@ -7,16 +7,16 @@ if [ -z "$1" ]; then
 fi
 
 # Function to print the tree with SHA256 sums
-print_tree_with_md5() {
+print_tree_with_sha256() {
   local dir="$1"
   
-  # Use find to recursively list files, and calculate md5sum for each file
+  # Use find to recursively list files, and calculate sha256sum for each file
   find "$dir" -type f | while read -r file; do
-    md5=$(md5sum "$file" | awk '{print $1}')
+    sha256=$(sha256sum "$file" | awk '{print $1}')
-    echo "$file - $md5"
+    echo "$file - $sha256"
   done
 }
 
 # Call the function with the provided directory
-print_tree_with_md5 "$1"
+print_tree_with_sha256 "$1"
 

provision/hosts/kestrel/configuration.nix

@@ -62,6 +62,13 @@
       backup.enable = true;
       ssh.enable = true;
       terminal.enable = true;
+      wireguard-client = {
+        enable = true;
+        privateKeyFile = "/run/agenix/wireguard/kestrel";
+        address = [ "192.168.3.3/24" ];
+        publicKey = "bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=";
+        endpoint = "66.218.43.87";
+      };
     };
   };
 }

provision/hosts/osprey/configuration.nix

@@ -8,23 +8,13 @@
 
   # Set networking options
   networking.hostName = "osprey"; 
-  networking.firewall.checkReversePath = false;
+  networking.firewall.checkReversePath = "loose";
   networking.firewall.enable = false;
 
   # Enable docker 
-  virtualisation.containers.enable = true;
+  virtualisation.docker.enable = true;
-  virtualisation = {
-    podman = {
-      enable = true;
-      dockerCompat = true;
-      defaultNetwork.settings.dns_enabled = true;
-    };
-  };
   
   environment.systemPackages = with pkgs; [
-    docker-compose
-    podman-tui
-    dive
   ];
 
   # Modules 
@@ -49,6 +39,13 @@
     system = {
       ssh.enable = true;
       terminal.enable = true;
+      #wireguard-client = {
+      #  enable = true;
+      #  privateKeyFile = "/run/agenix/wireguard/kestrel";
+      #  address = [ "192.168.3.3/24" ];
+      #  publicKey = "bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=";
+      #  endpoint = "66.218.43.87";
+      #};
     };
   };
 }

provision/hosts/torus/wireguard-server.nix

@@ -57,11 +57,6 @@
           publicKey = "CDoy/XI8FRQV/ySHigLWG2tpWVw8hgEZXRQCEE3qYHQ=";
           allowedIPs = [ "192.168.3.4/32" ];
         }
-        {
-          # Osprey 
-          publicKey = "mhOhkQMF4IxvJbd2FweGlwo7HCNCXupMxlnt1QQFyHg=";
-          allowedIPs = [ "192.168.3.5/32" ];
-        }
         # More peers can be added here.
       ];
     };

provision/modules/system/default.nix

@@ -1,4 +1,4 @@
 { ... }:
 {
-  imports = [ ./backup.nix ./ssh.nix ./terminal.nix ];
+  imports = [ ./backup.nix ./ssh.nix ./terminal.nix ./wireguard-client.nix ];
 }

provision/modules/system/wireguard-client.nix

@@ -0,0 +1,42 @@
+{ config, lib, pkgs, user, ... }:
+
+let cfg = config.modules.system.wireguard-client;
+
+in {
+  options.modules.system.wireguard-client = with lib; {
+    enable = lib.mkEnableOption "wireguard-client";
+    privateKeyFile = lib.mkOption { type = with types; str; };
+    address = lib.mkOption { type = with types; listOf str; };
+    publicKey = lib.mkOption { type = with types; str; };
+    endpoint = lib.mkOption { type = with types; str; };
+    autostart = lib.mkOption {
+      type = with types; bool;
+      default = false;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    # Create qr code for phones with:
+    # qrencode -t ansiutf8 < myfile_here
+    environment.systemPackages = with pkgs; [ 
+      qrencode # Command-line utility for generating QR codes from text or data.
+    ];
+    networking.firewall = {
+      allowedUDPPorts = [ 51820 ];
+    };
+    networking.wg-quick.interfaces = {
+      wg0 = {
+        address = cfg.address;
+        listenPort = 51820; 
+        privateKeyFile = cfg.privateKeyFile;
+        autostart = cfg.autostart;
+        peers = [{
+            publicKey = cfg.publicKey;
+            allowedIPs = [ "0.0.0.0/0" "::/0" ];
+            endpoint = "${cfg.endpoint}:51820"; 
+            persistentKeepalive = 25;
+        }];
+      };
+    };
+  };
+}

provision/secrets/borg/torus/password.age

@@ -1,12 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 Fz/sQw BG3gSzOt4NnYg4tvUrpHyDN5YxAmhTqCQl9mg8VahQ8
+-> ssh-ed25519 6UNP1Q 6s8KZWviujiW5OuQpyOTC+cI5xf+70yqRihTs3w4TSQ
-pT7jHwgWqED0EhSW4u/2IAk9sic7EsBH/kuLCMz2S/Q
+CHKfAquKUQOvZ00wNgrA/F65406jpqGqcbbjXVlEz3Y
--> ssh-ed25519 47GzQA iX0HbkZepBtkECohQAdQUKmIr99gbqRjsR5sludsz28
+-> ssh-ed25519 Fz/sQw L7IS/yJc0K/gwLGdPN/KTSi3DQth7MPCqu4kGEkjhHk
-Dc2uPbvI5TEH/smYEhD9iKfV4d6m77YbI0KtCBDj4Tw
+JlKbG6mkp+lqLxvrW/MTZ5cJpMijUurn/knLlCNC9lI
--> ssh-ed25519 wcI7nQ 1v2XY19GWty042MUE7CqNeS1dfoHnyU29oXqk2OLBSU
+-> ssh-ed25519 47GzQA b0EozU39H/+85A2YA+mlIqV8W/Z38Qz3jzmQ2+4paAk
-GV6pwIQNwBIh53jPzCvbj3JC9pm2iNJ7ffaL6IoqqTc
+3VOuwAthzHh8bf5M50qxt9mnlvnH1P8pgb6yA7PXnUw
--> ssh-ed25519 QjdSCg duJJHlktHXdvVPmJ8dnbcyfsF0zg8qtkfgS1zuEnBxg
+-> ssh-ed25519 wcI7nQ xH7nDxAYCLwIOgkoTRrGazV6EU1HJDpB/c0AoQiSehA
-a4gkKxb0V3M0rR2dvI/bNAp3JdqYhwTfgcbsUMlafLY
+jIv44e1FWCz7d5vZodYktUYJgVEbIE472K1UEMquaKE
---- bCY9SZh/uILKWC+HIDGGvtRekgd/SrkDrjsqenlYy4Q
+--- 0YRStYFEOyTVnAy+WpjGXxQSGYqAYT+QPUx2pJUBCX0
-P·´tåf>
+~¢-Á“=<š²ÃîPÖ´K?fÊ
–÷ž–)´ZŸMcÚKÝ6lt°UXÉVìúÄû×)
-Ú»’]ýÛg«º,Ô›<C394>Ç3@:<3A>I!Š”CL”0˱§UÖR¤Em5(bÄ

provision/secrets/git/gitea-runner-1.age

@@ -1,11 +1,10 @@
 age-encryption.org/v1
--> ssh-ed25519 Fz/sQw 3n93xKLbFY/g/clYcBKPBrXZMs22ZZSEDZNa0FtnkQY
+-> ssh-ed25519 Fz/sQw uRPe6lrPzIntOBzSYR+zM2xBihHCAsdOtix9L9221FI
-7kDjgpkzOS+v819wglrjBfLx7zsHQeToib2/oV/vD3w
+6i0DsOZhZdi0ZmKJAuG9xEX7dtK5+daGule506UNsRQ
--> ssh-ed25519 47GzQA VCWmJ3Nb/XBXN7V2irLUkPVtavhYOjxNhdGPKiC19kU
+-> ssh-ed25519 47GzQA etB0mmw8g4t0mfzBEv6Dr6V9IdoJegAjgbOY/t3M9ik
-8m33nbUrsi8Ll9Q+Q2N2wS2vA2g8g4+sc1wQAfZVJ7U
+FgN9DrAotYJ2rvvEh80+Wp5BxoEHe3W4LgCLld0G9v8
--> ssh-ed25519 wcI7nQ uYBJuDWlBMWCi0eWMIwr4F4jvtNok199e3MrCE/r/RE
+-> ssh-ed25519 wcI7nQ a3seigr8UNpEeUil+OSbf5RyjArSm03ygNw5AjtJYQ0
-7OKUuehbj1RGAJsam7VhdS3kmk7z4ubzNdp69L40R+E
+Sc9J4LQI9kFUFDzFjLS8Zwo9Z/HTawBsrv4qRxftwMg
--> ssh-ed25519 QjdSCg 5nBn7wJf2BktrIwod7bpGNBo5mWenrEnumWNvn1phC8
+--- sGLvBOkszi11u/ukhK9iQ/FYHuqW52UXIY9kswVF7Tk
-95UfxJZCBblIZDdjzqqLn3t/sLAgPn2ToMhg8FQxDN4
+SºaÈòüÜ2ðMÍ$õã7<C3A3>Ö´ßVÙÑ2³Ü)|QˆŽØÂC›<rP¤iMëú<8û³7?¹ßB¾Ú8(
---- QUWYQ9sUG/C9NqiQISqYKDZtiIlmZF+zz9ZPvzIFQEs
+"A_}é÷øM¤tLÿ
-tå·ô-ùÌKÎ)¡¿?KwHÎd,Q<>`g»§£ÐÒ‘ßÌÐsçR5E^ï×¾/AÂò}CIúÿ ˆf¥}y2DiU?IÞê

provision/secrets/nextcloud/password.age

@@ -1,11 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 Fz/sQw U/E6jppAIUVsHeNS+kZjGZpTkNWmFRqCGZ2Q4eZtuV0
+-> ssh-ed25519 Fz/sQw D8xp6P6CIlU1vp9NDDgC5P8648GY4jNedSaZ++uTfVw
-2Y1fAiosaW9aq/7892yfvmC4eKRUZZJXEl/tzh6vOao
+/qXd2ktfWuBt0sPfaiwSpKVGShsxNmKQoKIhAFrQyQU
--> ssh-ed25519 47GzQA PJsonbWNJFfI+TVau5vk9mBJlXm5GTvizkQpgH33dSA
+-> ssh-ed25519 47GzQA WxEhnZCbakh30S7mh8UpVe4X6J4eJrF8mvePNKpQvyU
-z3doq6ckb3+dLffGbPwiGWjhCf/krVU2VzG9H4eSAHI
+qIFyNn+oLOxld71MtVvdRPqWXfJXhWeIrwJeSuNwRT0
--> ssh-ed25519 wcI7nQ Mw8nEI2WoA3lgK4d8ZdBhHV+K5RmafaJ+ygwNhP+fSI
+-> ssh-ed25519 wcI7nQ DTTaJCs7AaIn9llD9YOtpdUdHA1Eo9XcQvjPgGEjbUw
-KIhu5YbH+svR6mQyJZxYOSe+ggds0lt5rogunvpVmxk
+A4/HJuQ/kUGYEu1DvmpOPkaTqsTVZcAfiFd7nghKzYo
--> ssh-ed25519 QjdSCg QRLyWUjRnLM0ruEEq59pskNklcYhyc+V2lfAk2dWDis
+--- TXBkDRWLUw4eisc3Hgqy4ukZrUdbXdGn5+aa8gsBlzU
-6qF8EcTLGoWSPzQGvm5dRNqgKZ7Wo8yrt0ldmnSHdhQ
+¸HÛ'nƒKt/}Øà}C½õØØ<C398>úù¥õí{†¨¦ÿZÌ÷{»
dó
---- ZJgYQlKGRKpBfLgMZDerqv/Fu76qiUfoGZoDrCj89pA
-[çÌÃy]$?xû¡MÎqT@ë×éƒ7ÆÀD›`‡×GMÎ¥öò

provision/secrets/secrets.nix

@@ -2,25 +2,28 @@ let
   kestrel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM2iE16XVkriD0x6GhnqmvGDA1qNBibvHVIi5xY+c7Iu";
   torus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN71z5g6QyCn5Go0Wm+NOSF4f22xOOCvtIA3IM4KzSpG";
   bulwark = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG52QybtJrt0KU7iJGyiBBoDCcd0AXoy+wFi+9fBsopk";
-  osprey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpYnahS9+WKJrM3ZpjZlMLL5V7iwJJqZml337VuG7Jq";
+  systems = [ kestrel torus bulwark ];
-  systems = [ kestrel torus bulwark osprey ];
+
+  tstarr_kestrel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINr2BUUToMswbAbxZMXarl2pQEomM+jADyZbEK31VGu/";
+  tstarr_torus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhxsVgd8DH8c0zckjMUxSJrTimU709JLCgDGBMFoNxQ";
+  tstarr_osprey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQEjr+yK4zdnV9kBUMo9fopsJbvF+TfQlVQexBCwuwB";
+  users = [ tstarr_kestrel tstarr_torus tstarr_osprey ];
 in
 {
-  "git/github_personal.age".publicKeys = systems;
+  "git/github_personal.age".publicKeys = users ++ systems;
-  "emu/switch/prod.keys.age".publicKeys = systems;
+  "emu/switch/prod.keys.age".publicKeys = users ++ systems;
-  "emu/switch/title.keys.age".publicKeys = systems;
+  "emu/switch/title.keys.age".publicKeys = users ++ systems;
-  "wireguard/kestrel.age".publicKeys = systems;
+  "wireguard/kestrel.age".publicKeys = users ++ systems;
   "wireguard/torus.age".publicKeys = systems;
   "wireguard/bulwark.age".publicKeys = systems;
-  "wireguard/osprey.age".publicKeys = systems;
   "git/gitea-runner-1.age".publicKeys = systems;
   "nextcloud/password.age".publicKeys = systems;
-  "ssh/kestrel/id_ed25519.age".publicKeys = systems;
+  "ssh/kestrel/id_ed25519.age".publicKeys = [ tstarr_kestrel ] ++ systems;
-  "ssh/kestrel/id_ed25519.pub.age".publicKeys = systems;
+  "ssh/kestrel/id_ed25519.pub.age".publicKeys = users ++ systems;
-  "ssh/torus/id_ed25519.age".publicKeys = systems;
+  "ssh/torus/id_ed25519.age".publicKeys = [ tstarr_torus ] ++ systems;
-  "ssh/torus/id_ed25519.pub.age".publicKeys = systems;
+  "ssh/torus/id_ed25519.pub.age".publicKeys = users ++ systems;
-  "borg/torus/password.age".publicKeys = systems;
+  "borg/torus/password.age".publicKeys = [ tstarr_torus ] ++ systems;
-  "borg/rsync/id_rsa.age".publicKeys = systems;
+  "borg/rsync/id_rsa.age".publicKeys = users ++ systems;
-  "borg/rsync/id_rsa.pub.age".publicKeys = systems;
+  "borg/rsync/id_rsa.pub.age".publicKeys = users ++ systems;
 }
 

provision/secrets/wireguard/kestrel.age

@@ -1,11 +1,15 @@
 age-encryption.org/v1
--> ssh-ed25519 Fz/sQw Fi2RHxetJDTbBO1nZcIcwCe2GAsjbCrkVTzDaLg+CgM
+-> ssh-ed25519 c/r/0Q 2KtEwngUw7ZA/rEEaXHMwRC9JZcWrIrmdDlP0lN9tS0
-8KasJpb49p15aFGkFhwWlUX9P+cspgymiqFibx0NnzQ
+ZAKUTyCKtf2EVG6qhSWn8aXUkNfAXgrMBwUiLWx7iOA
--> ssh-ed25519 47GzQA kybHzwPjEBZfb3o0kMFywIdOMN2gp1ULsUTWq06CXkQ
+-> ssh-ed25519 6UNP1Q 3AG6l3q1Hgv4Cj7z2a31b3g9AW1sowV71em9QSZnD2A
-u6uDwPazPlCr8SLwAbcKU5LHTy3p2Q7xt//Z1Rw14SQ
++Q8/nr1yz6nZviV7srRTW0LnoNrYxW1x7gjhZwvvmOo
--> ssh-ed25519 wcI7nQ NiYTvuwjv+YAWwW6ohRTJLITn3SrZR7Zzlkbcp/PASE
+-> ssh-ed25519 oOIlAg RPVxwWRbDSOpyRD34uPX8vQYzOKwbc/6WQ3miIpsWnc
-Id4ZAgGPup+WK8lM8C5Lr7q5JW2ZTC6qXKdwaH6XbR0
+QQfR/w+kh8/6WIUogDlX/iL4Y2Idw8hOQOEUHQgTwes
--> ssh-ed25519 QjdSCg VpfqjyL4Z2Hpiv2JniFkIz5k+/xbl1rt8xarnl3GqXA
+-> ssh-ed25519 Fz/sQw u2KqeUEobIWwbKT61etUYeY2LFRk6l8EYJ5dnuvmDDI
-qqiJA81XDkKAM8KQ2EfIPSNYvbB6Pbr0CyFveKX+1KU
+bCpGnuJf+qPG+f2N04zATwngB6nwJDMSpz8mFUfkawU
---- Qk+p/x0TX5hogF3axpJdVOH4MObNWFqnaqjfNnK+fZA
+-> ssh-ed25519 47GzQA e3x/3uULmh7FLg6eiATdvbG/kUfrCKOHrph1tw0HRk0
-³£RF*l[Ò½ºÜ&#lïÎÈ©”}ªüŠÂf»OþÃr<C383>EgÔÌnÓ”Ú_½{·Šv¸^ŒD0c¥ÍîÜ5{Fû=™j  $íå:^:ûLt“
+jOVO2Irq1NxzzK+O2Lo4/bip9IFqvvzi+bIaD8Z0rqs
+-> ssh-ed25519 wcI7nQ RIgZP4y5FqqmUJDc/emKdO2laRHxNer+db+TgbybLVA
+K61Q/TxQtX30Z2m3N0sHBHqBIuH7Q0QHmWVwMxthAMM
+--- dlNFmAoD84TcOlyWRGjvx29SPHaC7FGiYgrJkQAsOMg
+©rÁº+{œŸè ¡Ó¶¥Æ£¨yUD ?Ò¶û%MϤó‘ã
¿†ùÝB®NÎyË'mÊ
óVÄ–ãV¸¦þ&«­é&ïs¦Œ®«2@H<>

provision/secrets/wireguard/osprey.age

@@ -1,11 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 Fz/sQw heCEJ6I0xPvCLJx4TZaPbWPt7AZykhepJLs8klh2Ils
-fyE9BhLKz7YmmaT3TG1mtfIjSPcRNQzVYZTPTEDRGJ8
--> ssh-ed25519 47GzQA cHdgndEhwg6MVzr4mbyEo+ckrLvqpHOc45yrHpqvD10
-ZjQmviiQX4/VFx49CTyfzivn+5WgM3g/7pz68HTbhw0
--> ssh-ed25519 wcI7nQ LguHluWUFXrd4D44dEr4aSxMVkCEFs/D/3u0NEUqh3c
-0xyzDGUR58Smt+sYRWM3Yq2wGAcBTqq0OrBHXDioQfE
--> ssh-ed25519 QjdSCg 4fQJbeGytS/OjPhnaKWRxPPgSMzNk3cFw9JrOPrVoyY
-3xAWyy0UC3FFhHqOB8jhAlvru9v3aXo6LtolcWGRZ2o
---- Q2x+hYNux0SIDmcTBs20wdUjB6Y3hj80GQomMnIXWiM
-ðe‹Àãyðãýîâë²€BœwrVMÒ½ë™ÏYØÄrsómü=3,NÞïèƃêàr£ÇB¡”¾Õl1x8ž>5Á„áçÐZü§

resources/wireguard/adjudicator.conf

@@ -8,4 +8,4 @@ PublicKey = bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=
 # restrict this to the wireguard subnet if you don't want to route everything to the tunnel
 AllowedIPs = 0.0.0.0/0, ::/0
 # ip and port of the peer
-Endpoint = 1.2.3.4:51820
+Endpoint = 66.218.43.87:51820

resources/wireguard/bulwark.conf

@@ -8,4 +8,4 @@ PublicKey = bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=
 # restrict this to the wireguard subnet if you don't want to route everything to the tunnel
 AllowedIPs = 0.0.0.0/0, ::/0
 # ip and port of the peer
-Endpoint = 1.2.3.4:51820
+Endpoint = 66.218.43.87:51820

resources/wireguard/kestrel.conf

@@ -7,4 +7,4 @@ PublicKey = bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=
 # restrict this to the wireguard subnet if you don't want to route everything to the tunnel
 AllowedIPs = 0.0.0.0/0, ::/0
 # ip and port of the peer
-Endpoint = 1.2.3.4:51820
+Endpoint = 66.218.43.87:51820

resources/wireguard/osprey.conf

@@ -1,10 +0,0 @@
-[Interface]
-# your own IP on the wireguard network
-Address = 192.168.3.5/24
-PrivateKey = <replace with secret>
-[Peer]
-PublicKey = bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=
-# restrict this to the wireguard subnet if you don't want to route everything to the tunnel
-AllowedIPs = 0.0.0.0/0, ::/0
-# ip and port of the peer
-Endpoint = 1.2.3.4:51820