From 405c38ef269e6a0c281b6d539af9d235156ea0c1 Mon Sep 17 00:00:00 2001 From: Alexander Szczepanski Date: Thu, 23 Sep 2021 13:03:39 +0200 Subject: [PATCH] added wireguard --- .gitsecret/paths/mapping.cfg | 2 +- configs/{.bin => bin}/fzip | 0 configs/{.bin => bin}/rofi-default-sink.sh | 0 configs/common.nix | 1 + configs/secrets.nix.secret | Bin 665 -> 914 bytes configs/user-gui.nix | 27 ++++++++------ machine/desktop.nix | 2 +- machine/homeserver.nix | 2 -- machine/mini.nix | 2 +- machine/thinkpad.nix | 3 +- machine/vps.nix | 40 +++++++++++++++++---- 11 files changed, 57 insertions(+), 22 deletions(-) rename configs/{.bin => bin}/fzip (100%) rename configs/{.bin => bin}/rofi-default-sink.sh (100%) diff --git a/.gitsecret/paths/mapping.cfg b/.gitsecret/paths/mapping.cfg index 8a19230..4305c78 100644 --- a/.gitsecret/paths/mapping.cfg +++ b/.gitsecret/paths/mapping.cfg @@ -1 +1 @@ -configs/secrets.nix:28a25a9edc1fefbbba58af63907caca202a800cd671a41f737c7984313845899 +configs/secrets.nix:259586563a3c51652650618e0cc26aaee07b482ea801e2a1641d24510446bf50 diff --git a/configs/.bin/fzip b/configs/bin/fzip similarity index 100% rename from configs/.bin/fzip rename to configs/bin/fzip diff --git a/configs/.bin/rofi-default-sink.sh b/configs/bin/rofi-default-sink.sh similarity index 100% rename from configs/.bin/rofi-default-sink.sh rename to configs/bin/rofi-default-sink.sh diff --git a/configs/common.nix b/configs/common.nix index 50651dd..0f5b08a 100644 --- a/configs/common.nix +++ b/configs/common.nix @@ -76,6 +76,7 @@ in wget graphviz nix-tree + hdparm ]; documentation.enable = false; 
diff --git a/configs/secrets.nix.secret b/configs/secrets.nix.secret index 991acdcfbefffbe1212110256de8cbabf85d846f..e986f2f20544560b3409abac58843c8e5178ad02 100644 GIT binary patch literal 914 zcmZo=;$b$E7Pz~&A*Y*>|F49vRJ-90yV&m!%2$2jO=fz!>RZnzGff+9rr`61-#mZG zA32;cYs>HO;FO#EJI}eb=Uzgl{0t6)sU-0N!Mbz2=Y z4PO2YIBUS8yGCbbgW^l^V-r4CYVWuh9KCu@tsLj#0Ox{Z3n$gpdHT=ZwtVAL{q%$@ zXRhCLoG)$9|MdT7GqFtd{43MXocgYZ44PNI>-sfftUVOfJ)$gyR<>?iRwv=q^*;d{i$8mhIhWC?{IqnOzc=*m2 zsujNdUJ@hBZs~X2BJKD>OJAM(y034X9GbYr zj@VjpdEHCvf9bB%K3>Ya;kmD6jjgrMH7}R{OAiaHO*XvImVVlA3e!fVql>)vwKXq( zm96a6rWw{0{498~Ms~>c436&JFY8YgOZ8@0?DDv}d~4gAd6y0xV7#?>zo-)nx8vEr zwF{3M>a{LO;@R96 z8xJ$Q-cfUFTTipe(go_urxG{L7VzusaBn?lG|6u!+p@_zDk0o!_N2{ll=>J89mu@kwTO{bXpK(m-kDqJ%({z`r z8!E^xUVLs#UgvqiS2+#q=cVs^e~B@=I5|_|*W7K6>7V`HHdK`OB{+1;=}j{D-ML*+ zqxhI(o@IGQqR&D7vnn4w&P=wId$Drf#JB5yd1uL~zF*@rZ=&e5fX+Oxc{hpjlwQCdw!bSd{vkC5Bko`a5_Dn&wJEs9Oal$A7 literal 665 zcmZo=;$b$E7Pz~&A*Y*>|9}10pUYaq=6YmZIb%HAOgGw#uW8?Mi!9F{lEyi?2@*FJ zos*LYKCpMP`r~GQ{?^0gFGDUnZ!CPzIiYOcWd5)<57+gFJ(D~ZeqOao_2LGT99x}j zvp>n03g2Vg^!{*?vWbI*{@v)PuhVwK@3Bape)#XlmfqP@c|zXbv*&tVbp7`1^b&2R z8QF4YBVBSQoiRLm`=T1lqH5_5cX@V!7!cl9ObSUg_;S!40rRCagC zPr)6#b_+aR^7`I1ajvGB6Rt|8TshX(bM(snHL3G6?sj_bQJu3vzvc2_jrwJ==Nf&V zCN!O?GLT*T>rTc8DUGCzMrTb47Bv z#o3EazcS6{KF@4geZBp7gWsB^Ene1pIvZ+t*4cJ!65a8s`rLPI>vKL5wbkygexCjN z-G6%P(ranSf_(E7Ch$$V&M|ZAshdxH65K`LpW0ndXJ+L34}W|9pL^gK;*uh=)FJ@l=Jj zdpFt?GSBtKoICU0Q#169&SiJie>dx-&*%Sgn0A+Wn(`~H`*)d&p6q$e=CJh7mPH>} z9_z}Vl}!*!Uh}e_wK?mngz16>?|34PSLM31wk7ww6<(JTocr#v*W!P90dH;|`V)9< gx%@Kuhf$wC$9GHX&dPtPs=rdgBdcwrn%rd$0M|iG-T(jq diff --git a/configs/user-gui.nix b/configs/user-gui.nix index 1b6782f..193cc08 100644 --- a/configs/user-gui.nix +++ b/configs/user-gui.nix 
@@ -6,12 +6,22 @@ in { imports = [ ]; + # systemd.user.services.barrierc = { + # Unit = { + # Description = "Barrier Server daemon"; + # After = [ "graphical-session-pre.target" ]; + # PartOf = [ "graphical-session.target" ]; + # }; + # Install.WantedBy = [ "graphical-session.target" ]; + # Service.ExecStart = "${unstable.pkgs.barrier}/bin/barrierc -c ~/.barrier"; + # }; + home-manager.users.alex = { pkgs, ... }: { home = { file = { ".bin/rofi-default-sink.sh" = { executable = true; - source = ./.bin/rofi-default-sink.sh; + source = ./bin/rofi-default-sink.sh; }; }; packages = with unstable.pkgs; [ @@ -59,6 +69,7 @@ in vulkan-tools wine winetricks + obs-studio ]; }; @@ -218,11 +229,11 @@ in # }; # }; - keychain = { - enable = true; - enableXsessionIntegration = true; - enableZshIntegration = true; - }; + # keychain = { + # enable = true; + # enableXsessionIntegration = true; + # enableZshIntegration = true; + # }; }; services = { @@ -295,10 +306,6 @@ in }; }; - barrier.client = { - enable = true; - }; - nextcloud-client = { enable = true; startInBackground = true; diff --git a/machine/desktop.nix b/machine/desktop.nix index f120742..78b9796 100644 --- a/machine/desktop.nix +++ b/machine/desktop.nix @@ -33,7 +33,7 @@ in boot.initrd.kernelModules = [ "amdgpu" ]; boot.plymouth.enable = true; boot.extraModulePackages = with pkgs.linuxPackages; [ it87 ]; - boot.kernelModules = [ "it87" ]; + boot.kernelModules = [ "it87" "v4l2loopback" ]; networking.hostName = "desktop"; # Define your hostname. diff --git a/machine/homeserver.nix b/machine/homeserver.nix index 5f9d806..e000d2a 100644 --- a/machine/homeserver.nix +++ b/machine/homeserver.nix @@ -28,9 +28,7 @@ mergerfs samba openssl - hdparm smartmontools - docker-compose ]; systemd = { diff --git a/machine/mini.nix b/machine/mini.nix index bd459f9..385afb7 100644 --- a/machine/mini.nix +++ b/machine/mini.nix 
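Review bot: The commented-out `systemd.user.services.barrierc` block at the top of this hunk would not work if it is ever re-enabled: systemd does not expand `~` in `ExecStart`, so `-c ~/.barrier` needs to be `-c %h/.barrier` (or an absolute path), and its `Description` says "Barrier Server daemon" while the command is the client binary. If the block is only kept as a reminder, a one-line comment saying why it was disabled would help (presumably because the `services.barrier.client` block removed further down now lives in machine/thinkpad.nix — not visible here); otherwise dropping the dead config keeps the file readable.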
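Review bot: `v4l2loopback` is added to `boot.kernelModules` but not to `boot.extraModulePackages`, which the context line above it shows still lists only `it87`; v4l2loopback is an out-of-tree module, so without its package the module load fails at boot (modprobe logs an error, the boot otherwise continues). Suggested: `boot.extraModulePackages = with pkgs.linuxPackages; [ it87 v4l2loopback ];`. This assumes nothing else in desktop.nix pulls the package in — only these lines are in the hunk.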
@@ -15,7 +15,6 @@ boot.loader.efi.canTouchEfiVariables = true; boot.extraModulePackages = with pkgs.linuxPackages; [ rtl88x2bu ]; - networking = { hostName = "mini"; useDHCP = false; @@ -26,6 +25,7 @@ }; networkmanager.enable = true; }; + services.k3s.enable = true; services.k3s.role = "server"; diff --git a/machine/thinkpad.nix b/machine/thinkpad.nix index f1e685e..01649da 100644 --- a/machine/thinkpad.nix +++ b/machine/thinkpad.nix @@ -157,8 +157,9 @@ in home-manager.users.alex.services.barrier.client = { enable = true; + enableCrypto = false; name = "thinkpad"; - server = "192.168.0.150:24800" + server = "192.168.0.150:24800"; }; environment.systemPackages = with pkgs; [ diff --git a/machine/vps.nix b/machine/vps.nix index 428a0df..ccd2f74 100644 --- a/machine/vps.nix +++ b/machine/vps.nix @@ -1,5 +1,7 @@ { config, lib, pkgs, ... }: - +let + secrets = import ./secrets.nix; +in { imports = [ # Include the results of the hardware scan. @@ -18,8 +20,37 @@ # Set your time zone. time.timeZone = "Europe/Berlin"; - networking.useDHCP = false; - networking.interfaces.ens3.useDHCP = true; + networking = { + useDHCP = false; + interfaces.ens3.useDHCP = true; + wireguard.interfaces = { + wg0 = { + ips = [ "10.100.0.1/24" ]; + listenPort = 51820; + postSetup = '' + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE + ''; + postShutdown = '' + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE + ''; + privateKey = secrets.wireguard-vps-private; + peers = [{ + publicKey = secrets.wireguard-desktop-public; + presharedKey = secrets.wireguard-preshared; + allowedIPs = [ "10.100.0.2/32" ]; + }]; + }; + + nat = { + enable = true; + externalInterface = "ens3"; + internalInterfaces = [ "wg0" ]; + }; + firewall = { + allowedTCPPorts = [ 80 443 ]; + allowedUDPPorts = [ 80 443 51820 ]; + }; + }; # List packages installed in system profile. To search, run: environment.systemPackages = with pkgs; [ 
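Review bot: `enableCrypto = false;` switches off Barrier's TLS, so every keystroke and mouse event sent to `192.168.0.150:24800` — including anything typed into password prompts while the thinkpad is the active screen — now crosses the LAN in cleartext, and the client no longer checks the server's certificate fingerprint. If this works around a fingerprint/certificate mismatch, the better fix is to keep crypto enabled and trust the server's fingerprint on the client once. If plaintext is intentional (e.g. the server side has SSL disabled, which this hunk cannot show), say so next to the option: `enableCrypto = false; # server runs without SSL — input stream is unencrypted on the LAN`.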
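Review bot: `secrets = import ./secrets.nix;` is resolved relative to machine/vps.nix, i.e. it reads machine/secrets.nix, while the git-secret mapping updated in this same commit tracks `configs/secrets.nix`. Unless a machine/secrets.nix exists outside this diff (e.g. a symlink), evaluation fails with a missing-file error; and if it does exist it is not covered by git-secret. If the shared file is intended, use `secrets = import ../configs/secrets.nix;`.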
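Review bot: `privateKey = secrets.wireguard-vps-private;` and `presharedKey = secrets.wireguard-preshared;` pass the WireGuard secrets as string options, which NixOS writes into the generated interface setup script under /nix/store — world-readable to every local user and process on the VPS; the module offers `privateKeyFile` and `presharedKeyFile` precisely to avoid this. Deploy the keys as root-only (0600) files outside the store and reference them instead, e.g. `privateKeyFile = "/root/wireguard/vps.key";` and `presharedKeyFile = "/root/wireguard/psk";`. Secondarily, `networking.nat` with `internalInterfaces = [ "wg0" ]` should already install a MASQUERADE rule for wg0 traffic leaving ens3, so the manual iptables rules in `postSetup`/`postShutdown` appear to duplicate it — harmless, but worth a comment or removal. The enclosing top-level attribute set starts before this hunk.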
@@ -94,9 +125,6 @@ # Limit stack size to reduce memory usage systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024; - networking.firewall.allowedTCPPorts = [ 80 443 ]; - networking.firewall.allowedUDPPorts = [ 80 443 ]; - system.stateVersion = "21.05"; }