From 73b0e338fca7accd4001e789cbd07e05d3e9cb05 Mon Sep 17 00:00:00 2001 From: "Lennart J. Kurzweg (Nx2)" Date: Sun, 28 Jul 2024 17:19:25 +0200 Subject: [PATCH 1/4] nx2site save (unused) --- system-modules/nx2site.nix | 58 +++++++--- system-modules/nx2site/proxy.nix | 186 +++++++++++++++++++++++++++++++ 2 files changed, 230 insertions(+), 14 deletions(-) create mode 100644 system-modules/nx2site/proxy.nix diff --git a/system-modules/nx2site.nix b/system-modules/nx2site.nix index ccf6a3f..7eba019 100644 --- a/system-modules/nx2site.nix +++ b/system-modules/nx2site.nix @@ -1,5 +1,7 @@ { config, pkgs, lib, user, host, ... }: -lib.mkIf (host == "NxACE") +lib.mkIf false +# lib.mkIf (host == "NxACE") +((import ./nx2site/proxy.nix { inherit config pkgs lib user; }) // { sops.secrets = { "nx2site/namecheap.pw" = { }; @@ -14,18 +16,15 @@ lib.mkIf (host == "NxACE") Unit = "namecheap-dynamic-dns.service"; }; }; - services."namecheap-dynamic-dns" = - let + services."namecheap-dynamic-dns" = let u = let domain = "nx2.site"; passord-file-path = config.sops.secrets."nx2site/namecheap.pw".path; + # passord-file-path = config.sops.secrets."nx2site/namecheap.pw".path; log-file-path = "/var/log/update_namecheap.log"; count-file-path = "/var/log/update_namecheap-count.txt"; - in - pkgs.writers.writePython3Bin "update_namecheap" { - libraries = with pkgs.python311Packages; [ - requests - ]; + in pkgs.writers.writePython3Bin "update_namecheap" { + libraries = with pkgs.python311Packages; [ requests ]; flakeIgnore = [ "E501" "E305" "E701" "E704" "E302" "E114" "F841" ]; } '' import requests @@ -58,7 +57,7 @@ lib.mkIf (host == "NxACE") # Perform DNS updates resp_base = requests.get(f"https://dynamicdns.park-your-domain.com/update?host=@&domain=${domain}&password={pw}&ip={my_ip}") resp_subd = requests.get(f"https://dynamicdns.park-your-domain.com/update?host=*&domain=${domain}&password={pw}&ip={my_ip}") - + # Reset the count file with open("${count-file-path}", 'w') as f: f.write('0') 
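Review bot: `//` in `((import ./nx2site/proxy.nix { … }) // { sops.secrets = … })` is a shallow attribute-set update, so the `sops.secrets` block this hunk keeps in nx2site.nix replaces the whole `sops` attribute that proxy.nix defines (its TLS certificate, key and dhparams secrets), and the same happens to any other top-level attribute both files set. The module is gated by `lib.mkIf false` for now, so nothing breaks today, but the merge will silently drop those secrets the moment it is re-enabled. Merge the two sets through the module system instead, e.g. `lib.mkIf false (lib.mkMerge [ (import ./nx2site/proxy.nix { inherit config pkgs lib user; }) { … } ])`, or list proxy.nix in `imports`. The commented-out `# lib.mkIf (host == "NxACE")` next to the `false` literal should either be restored as the condition or removed; a dead guard tends to stay dead.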
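Review bot: The added `# passord-file-path = config.sops.secrets."nx2site/namecheap.pw".path;` line is a commented-out duplicate of the live binding directly above it and should be dropped rather than kept as dead text. While this `let` is being reshaped, the binding name `passord-file-path` is misspelled; `password-file-path` reads better, provided every interpolation of it in the Python template is renamed with it. The `services."namecheap-dynamic-dns"` definition continues past the end of this hunk.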
@@ -71,19 +70,50 @@ lib.mkIf (host == "NxACE") parser = argparse.ArgumentParser() parser.add_argument('-f', '--force', action='store_true', help='Force update') args = parser.parse_args() - + main(args.force) ''; - in - { + in { script = '' set -eu ${u}/bin/update_namecheap ''; serviceConfig = { Type = "oneshot"; - # User = "nx2"; }; }; }; -} + # I can't use this becasue API Access for Namecheap needs a static whitelisted IP, which I don't have + # security.acme = { + # acceptTerms = true; + # certs."nx2site" = { }; + # }; + environment.systemPackages = with pkgs; [ + certbot + (writeShellApplication { + name = "refresh_ssl_certificate"; + runtimeInputs = [ certbot ]; + # https://forum.endeavouros.com/t/tutorial-add-a-systemd-boot-loader-menu-entry-for-a-windows-installation-using-a-separate-esp-partition/37431 + text = let + webroot = /home/nx2/nx2site/staticweb/content; + in /*bash*/ '' + cartbot + ls ${webroot} + ''; + }) + ]; + networking.hosts = { # docker network inspect nx2site_default | grep -E "Name|IPv4" | tr "\n" " " | sed -r 's- +- -g;s-\n?"Name": -\n-g' | sed -r '1d;2d;s-"(.+?)", "IPv4Address": "(.+)/16",- "\2" = [ "\1.docker" ];-g' + "172.1.2.1" = [ "staticweb.docker" ]; + "172.1.3.1" = [ "matrix.docker" ]; + # "172.1.0.9" = [ "matrixdb.docker" ]; + "172.1.4.1" = [ "matrix-ss.docker" ]; + # "172.1.0.7" = [ "matrix-ssdb.docker" ]; + "172.1.5.1" = [ "pw.docker" ]; + "172.1.6.1" = [ "git.docker" ]; + # "172.1.0.10" = [ "gitdb.docker" ]; + "172.1.7.1" = [ "nn.docker" ]; + "172.1.8.1" = [ "llm.docker" ]; + # "172.1.9.1" = [ "proxy.docker" ]; + "172.1.10.1" = [ "share.docker" ]; + }; +}) diff --git a/system-modules/nx2site/proxy.nix b/system-modules/nx2site/proxy.nix new file mode 100644 index 0000000..356e231 --- /dev/null +++ b/system-modules/nx2site/proxy.nix 
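Review bot: The `refresh_ssl_certificate` script body runs `cartbot`, which is not a command; with `runtimeInputs = [ certbot ]` this is presumably a typo for `certbot`, and because `writeShellApplication` enables errexit the wrapper aborts on its first line. Binding `webroot = /home/nx2/nx2site/staticweb/content;` as a Nix path literal and interpolating it into the script string makes Nix copy that directory into the store at build time (the build fails if it is absent, and the web content ends up world-readable under /nix/store) instead of referencing the runtime path; use a string, `webroot = "/home/nx2/nx2site/staticweb/content";`. The `networking.hosts` entries hard-code Docker container addresses produced by the command in the trailing comment; a short comment saying they must be regenerated whenever the compose network is recreated would help the next reader.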
@@ -0,0 +1,186 @@ +{ config, pkgs, lib, user }: +{ + sops.secrets = { + "nx2site/sslCertificate.pem" = { owner = config.services.nginx.user; }; + "nx2site/sslCertificateKey.pem" = { owner = config.services.nginx.user; }; + "nx2site/dhparams.pem" = { owner = config.services.nginx.user; }; + }; + services.nginx = let + config-root = /home/${user}/nx2site/proxy/config; + xcontent-root = /home/${user}/nx2site/proxy/xcontent; + content-root = /home/${user}/nx2site/proxy/content; + in { + enable = true; + additionalModules = []; + # appendConfig = ''''; + clientMaxBodySize = "20m"; + + defaultHTTPListenPort = 80; + defaultListenAddresses = [ "0.0.0.0" ] ++ lib.optional config.networking.enableIPv6 "[::0]"; + defaultListen = [ { + addr = "0.0.0.0"; + ssl = true; + port = 443; + proxyProtocol = true; + }]; + defaultMimeTypes = "${pkgs.mailcap}/etc/nginx/mime.types"; + defaultSSLListenPort = 443; + enableQuicBPF = true; + enableReload = true; + # eventsConfig = ''''; + # logError = ; + # mapHashBucketSize = ; + # mapHashMaxSize = ; + package = pkgs.nginxQuic; + # preStart = true; + proxyResolveWhileRunning = false; + proxyTimeout = "20s"; + recommendedBrotliSettings = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + recommendedZstdSettings = true; + serverTokens = false; + # sslCiphers = true; + sslDhparam = config.sops.secrets."nx2site/dhparams.pem".path; + sslProtocols = "TLSv1.2 TLSv1.3"; + statusPage = false; + streamConfig = ""; # udp config + validateConfigFile = true; + upstreams = { + "staticweb".servers = { "staticweb.docker:80" = {}; }; + "matrix".servers = { "matrix.docker:80" = {}; }; + "matrix-ss".servers = { "matrix-ss.docker:80" = {}; }; + "pw".servers = { "pw.docker:80" = {}; }; + "git".servers = { "git.docker:80" = {}; }; + "nn".servers = { "nn.docker:80" = {}; }; + "llm".servers = { "llm.docker:80" = {}; }; + "share".servers = { "share.docker:80" = {}; }; + + 
"sync".servers = { "localhost:8384" = {}; }; + }; + virtualHosts = let + sslCertificate = config.sops.secrets."nx2site/sslCertificate.pem".path; + sslCertificateKey = config.sops.secrets."nx2site/sslCertificateKey.pem".path; + kTLS = true; http2 = true; http3 = true; http3_hq = true; quic = true; + in + { + "nx2.site" = { + inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic; + listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ]; + locations = { + "/" = { + proxyPass = "http://staticweb"; + # extraConfig = [ ''add_header Alt-Svc 'h3=":443"; ma=86400';'' ''add_header Cache-Control "public";'' ] ++ common-location-conf; + }; + "/.well-known/matrix/client" = { + return = ''200 '{"m.homeserver": {"base_url": "https://matrix.nx2.site"}, "org.matrix.msc3575.proxy": {"url": "https://matrix-ss.nx2.site"}}' ''; + extraConfig = [ "default_type application/json;" "add_header Access-Control-Allow-Origin *;" ]; + }; + "/.well-known/matrix/server" = { + return = ''200 '{"m.server":"matrix.nx2.site:443"}' ''; + extraConfig = [ "default_type application/json;" "add_header Access-Control-Allow-Origin *;" ]; + }; + "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { + proxyPass = "http://matrix-ss"; + # extraConfig = [ ''proxy_set_header X-Forwarded-For $remote_addr;'' ''proxy_set_header X-Forwarded-Proto $scheme;'' ''proxy_set_header Host $host;'' ]; + }; + "~ ^(\/_matrix|\/_synapse\/client)" = { + return = ''200 '{"m.server":"matrix.nx2.site:443"}' ''; + # extraConfig = []; + }; + }; + }; + "matrix.nx2.site" = { + inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic; + listen = [ + { addr = "0.0.0.0"; port = 443; ssl = true; } + { addr = "0.0.0.0"; port = 8448; ssl = true; } + ]; + locations = { + "/" = { + proxyPass = "http://matrix"; + # extraConfig = [ ''add_header Alt-Svc 'h3=":443"; ma=86400';'' ''add_header Cache-Control "public";'' ] ++ common-location-conf; + }; + }; + }; + "matrix-ss.nx2.site" = { + inherit 
sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic; + # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ]; + # "resolver 1.1.1.1;" + # "client_max_body_size 500M;" + # ]; + locations = { + "/" = { proxyPass = "http://pw"; }; + }; + }; + # "dev.nx2.site" = { + # kTLS = true; http2 = true; http3 = true; http3_hq = true; quic = true; + sslCertificate = cert; sslCertificateKey = key; + # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ]; + # locations = { + # "/" = { + # proxyPass = "http://dev"; + # }; + # }; + # }; + "pw.nx2.site" = { + inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic; + # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ]; + locations = { + "/" = { proxyPass = "http://pw"; }; + "/admin" = { proxyPass = "http://pw"; }; + "/notifications/hub" = { proxyPass = "http://pw"; }; + "/notifications/hub/negotiate" = { proxyPass = "http://pw"; }; + }; + }; + "share.nx2.site" = { + inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic; + # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ]; + locations = { + "/" = { proxyPass = "http://share"; # ''proxy_hide_header Content-Disposition;'' + # ''proxy_set_header Content-Disposition $upstream_http_content_disposition;'' + # ''proxy_set_header X-Real-IP $remote_addr;'' + # ''proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;'' + # ''proxy_set_header Host $http_host;'' + # ]; + }; + "/socket.io" = { + proxyPass = "http://share/socket.io"; + proxyWebsockets = true; + # extraConfig = [ + # ''proxy_http_version 1.1;'' + # ''proxy_set_header Upgrade $http_upgrade;'' + # ''proxy_set_header Connection "upgrade";'' + # ]; + }; + }; + }; + "sync.nx2.site" = { + inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic; + # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ]; + locations = { + "/" = { proxyPass = "http://sync"; }; + }; + }; + "git.nx2.site" = { + inherit sslCertificate sslCertificateKey kTLS 
http2 http3 http3_hq quic; + # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ]; + locations = { + "/" = { proxyPass = "http://git"; }; + }; + }; + "~^(.*)\.nx2\.site$" = { + inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic; + # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ]; + root = "/home/nx2/nx2site/staticweb/xcontent/"; + locations = { + "~.*" = { + return = "502 /502.html"; + }; + }; + }; + }; + }; +} From 4eead91953ccc452e8a6b4aab7821eaed231f0c0 Mon Sep 17 00:00:00 2001 From: "Lennart J. Kurzweg (Nx2)" Date: Mon, 26 Aug 2024 21:37:36 +0200 Subject: [PATCH 2/4] syncthing+nx2site(trying) --- git-crypt/secrets.nix | Bin 2863 -> 3012 bytes sops-secrets.yaml | 6 ++++-- system-modules/networking.nix | 8 ++++++-- system-modules/nx2site.nix | 8 +++++--- system-modules/nx2site/proxy.nix | 16 +++++----------- system-modules/syncthing.nix | 32 +++++++++++++++++++++++++++---- 6 files changed, 48 insertions(+), 22 deletions(-) 
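Review bot: `defaultListen` enables `proxyProtocol = true` on the public `0.0.0.0:443` listener, which applies to every virtual host that does not set its own `listen` (most of them here): ordinary TLS clients that send no PROXY header are dropped, and any client that does send one can choose the source address nginx logs and forwards upstream, since nothing restricts it with `set_real_ip_from`; keep PROXY protocol for listeners fed by a trusted load balancer only, or drop the flag. `"matrix-ss.nx2.site"` proxies `/` to `http://pw` rather than the `matrix-ss` upstream (the `pw` vhost below uses the same target), which looks like a copy-paste slip: `"/" = { proxyPass = "http://matrix-ss"; };`. On `nx2.site`, the `~ ^(\/_matrix|\/_synapse\/client)` location returns the `m.server` JSON instead of proxying to `http://matrix`, so Matrix API requests that reach the apex get a 200 with the wrong body — confirm whether that is intended. The line `sslCertificate = cert; sslCertificateKey = key;` inside the otherwise commented-out `dev.nx2.site` block appears uncommented here; if it is, `cert` and `key` are unbound and the module fails to evaluate.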
diff --git a/git-crypt/secrets.nix b/git-crypt/secrets.nix index 970c86a99e1c2e3d8d6f6d03b894a5fb28123743..789f9d3d8295b21ade9c4954c7391475fb5dc11b 100755 GIT binary patch literal 3012 zcmZQ@_Y83kiVO&0Shv5;_5Ba7g=L~%tM5jCeORIQ{6)SEe_2QQH?LChg9U%CD3~go zKcY9STIy`*mU`LQ>oOiFE`Io!)Af0zi|)n6>$KLqbCT;3M7;e^{Nv+rq@CM-4Tn|~*H$xhEtuODcH%RGI~_e1m7?Cyu}1#en2a(45{HynS;?T0ncv+8=Lb?sG3mi8^Mp zdGYgmXIxJR+w5<2>s8?5b(p%(Xt*xR-3x*pPriK@uR=Mx{ZMWd2YfW)|9WvpuqJI*W zJP+D4jq~@MwWYj|zMV>H6f?cBPwQQv`;V&v4Xveq1+x1mH5&>1dU*0=V!LO+YrZE( zt1n%0;A8mlx_0OGaE8Q{48Ldmk=ho_J}>QfrbX8OUpAMycD@v4oxgq&i=^|cql>-& z^1FyCoIIe{?Jp9s&H3%#Wjw-ydiO3wRu-&uOyHVitEHOrLwF&7mHE|m3fHbZfBiDQ zQCL;)`sTQ^_k^Vi**0&o>s(>Y($SXYrD?g5BmG#VWum9~{jB#XwdHZfS8G%+l)Vb< zeVTQ_oaI5Y$QJi5mb6Rz9fvQqL=WVP9fy~j*5`NZCAc0H$Eddk7FKX|vF zT6{uH&a5jEDmrMmZTNA}c5U{_)D_iJ6~E2x{`e|)lHtQA z(e598v)^R=m?NRjwItT}HuMqmArbluj%>>tJ5;`v@+g)+*7?pV8Z0t zHyIXIhb|0vWS4TC5NKscIQ_AWzI?Fi-l3C6<)-~~ z)Yb?+uxJs+FJrUrttokdl#%~i*w=2w)k&TD4v_%!`I z16vngXT)Of1;-+H-s1Ijm~!P~KI_vJVG=8ap10Qgd8L&e{dc{e&$Gq*wf>&w#s;*KDRZ`)U+nuS^gx| zxm^GKI`O_KYWvFWY3!cf*1tPz&&4_xH}|=kD>L)nS$(^sGt+w#FZ)NP&=!`auOH6d zoGQ6lPwud?W1dphX|arK<-Lpf!`)}!e)*wn`=j>bGfsACe?62t-{+k>+v-2>nr^n9 zV*4wV{@(D*HYMqd?Zr)TvolVv4qB7;#WnYpZj!d3kptt=-p$G{o(ge!PmXZ8cb560 zJJTNL3w}Z7j5}t1lUU&^T?ux-u^^G)Xc`?|B2#hIU*wluKQwpQ|$fY^oi)3a0O za_=$!%=3A(YM$PH8F%@g6+zuI*q=E|O^iC{R5=fO%WtGijhiyVvz7D2YD>eK z#rtkAXo=AJ`f16m)bOY7WoAB&40|+IRTv*Fim*DePk++Fze1}-_x}EM_<(L;zuW`~ z`|K^Ydw+S0qt+WUTxlzwBV?HNH-5+1IXR*-H$UN;9s0 z{h~B4YQc@LO~3RPYVF}tFj|R?DbQP$L-v+JmQ!SZd|w{STHu+w$j&q z+KCw_Cw%*&+a3Qg<>xW|>rpcw|F?;l(^ma=;&+`uj|vs9RW{cScix^RxNh>PufmW8rhp?W3Tl3BB#pM0wGaaO|R`3Ls;PT}Ld zmr;Ayq~Z8Ro^XMvB8$VjOPNj*(Ul3xr75fLxCBmXIr=jGt)6lI3tLkUk@bIE zG;&#z?N2T6Y!uVD#rJvr;pLS~0R@Tvdj4@QzMbSrymwwpC4}$Nxtra~WsP3xSw%L~Rj#kl`r|XwKUa{fet$*zD8a$7jul|Yu5!0c4@5t37 zliPp$+$buVb@xKL+ipL_umtv%QR2Iq{qD%}WQOhg_{D18Q-0#P447Q zyAZjWCHrs5V%2L8t*0N%Jv~**eQNU}PR=N`&wFIU*5Bk7y;q`DvR=F7Xj7J*VbHU? 
zEB2|)5ZhF@Yv$RDtE{5Z%d~haL!K)wQ-5%+(M|K1i|x$|vO!4-59j{#E}X3wk#>+L zNbiltzT+LbR=eemU#dqgb^a0mnOSr~osUP~uBx^tWwUN5AG+L=BYo8~hj-cBPkw8c zT-^5UN)Ko3hkwDgQfYVBC0={`{^YFB1veAd<*Nn7FgC1UeZl-L^U(h{o9FI6{5`Ag z4>UfRT@YL-yy@=o@2iS0 z-2D1s(z;J39xoRJPq>vF>u4&_>GgMVf$y1ovpKhI+}ir4R&dol&NXN)b+Hcj^Nqgv z#4K*h*_dZX)=YY7n9j7fg#SQ`Q#qbhMS1nw@*v^*Fei zcWb_EJB!AiTcO{lO1)U{rLJsArq0qO8V9X!RVdG1Y4G8RPO0SSxpStZs5hPDa(FtC zoz>d&_M0_#W-nsikgYo9($z#Ue((Px4mZnBhRtX?aa%j)57X4Mv5f~~PU;t()!uMu z!qf@*ADPbDCT%fS?fE#9bHPH@`jDo{`x_mksMCoJ+>ZAmofdt5dTDx! zhUP}EWp}lh!lF*B&RD+Dqub(SkxT5a`r3)d;{X^P7cs9=PqibHVd#(`vs;&aC+78LyT-o< z>LuaninGhJ#oJ!SK79QvF>bzuPW;@7Qsk zNh~w}v6=0gTkP6jd|^`1+YMzA6`E;m`HR|)`dFP?b8^nc4a%xtHD~;ed=&ORCuq-! zFO{klcc$2ef6$b2KKF4wubio|T+W)XDJ`$}zfa-2kUe|nnU19jC54`|OUr5<`zuxz zCmWPTFBd!3-DS$3yKkjXkiw*Pmu=ErPfpfYbH8Gmaq{=vn45AYxleJSImsOBeyePcI?ADt`+NUu{J}mtBnziHIPv*bA8q2O$JMMmT z)G=P<(Tyc9U0!taZMZFyoL+n9ajuK~H>a?F>R0E4T&T<|G}>Q(`t3UL7S_o|ORej? zet+Wc`4}@fhhHgQ=2-ak;sT4uvwr=%R=WPjQvY-wPT$=XeIFJs&Yf?tPH~Cg|Jt&H z3q}82>sDWTK=_Y;SiYP$+0Vl^sLt7j*L@Sq#WQPP zOdB*YnV|kvq0nrOba{{O^WD z`0wX8XBp}!E3$s(DEd&x=yH&o%I^b5`;J|mE#C8-sd-I$ z>+uQCQ+MC7^YqM&s}on6%yBWSed<>>xuuTDQ|B;q%#&Jl=_kucgU+K*E=<^czgUjN zSMrLXV3+xVe}#Ul7D~w8nSOUFH(%&vwv)|IUm6yD+3H)NP{`!nYL>ifTH0$twYscF zFV@xCp4{>-EbDGun63U?e-@TqF*DD$KM3b7Xm?#PsczT#HFHiXzJ1Ch74&s>=o#l+ z&NxS|D$dE=eKpVjebd}$=&yQx-z9sA?E)@y+gAq7HD7xRsw;SI8S}i ztzk-tyZTKI$uN}ta@G10CM>HmaXsrp_gA9wBJ2Ntk2tQ&zU_AN{N8;N z63fJc3-mTT{_-@y>i6%ueNP%T$AsND-oiOgFSLK@N`>BQe5zavqe^Ou?X~obzZ_js z=ofHRV+*V8%FVkp;vePp#J-h$wwWnM^~{fLo#L+NS+52bvpQvEo(^5G{B=aLRaHUq z%6Dc{(pWut7qomiAkpu4)Tg=q8mngfyoWDWs~lVYtKra!*OHq!JvSZRyN>O|y0i1+ z@67W)Kl#zO<&p|TKG{6`Kizn{M|Rbu*3#S!vHJ|lJB=HAAgo_ltD(VKa^V)vC~Pu`na@WWL| z|JI+9Whb|#JX`hqO2MiHXL(LtG(V&8e4ByQC;zDQ36B%G-n+4F+OM=xzv#)Eb?3gN z?@Dkyolr3K)#uy~4%xmvf|a?GCQ0;cxVSX>-IM$m(=0sJ^aYB!Fxo%MV41ov?1V>c z_T@=OuD{W|#;_tN{mi$x*zL+8r;c~*x#VHe;xTJ>`#<^amaL^~cYS86T)?^W&{LN% 
zAEBB2yW}FaPAxZN`XZWR(l-yELDR_Lye7Qops+aC#l4vS?=z$JTo7C-xUoBnt`t6rJMHt+SE;xbqAO3!uVTQb95?=4Saz-&c% z2OpLCq+Ms0zdq~d8unGo>c+W44 zFv}H|l;TB8mdxd6Y0~^{#dJc_|GUdmn+t}1O)n)?Le3nz*AcKk^VRMDp5YlQm_tOn z#V>8U^0IWlD&xNeCes2_?%Nza^)pZNlVJQerA;-hRr)3Ur#4Dw?k_hiUZD&l6PGpNVSg9#dXD#pu}YwbRcyZG5r2aqZH4E{lg@ zjO-R)7hGJGoO^5j<$`zr?;1|xoH5;5>hxuX4#%E$+vO)W^oFXP2{6cirM5%t|E>#( z+LBj-CIwtx;3x6+-O|-8ANhp;Z8|D>>G=GIToblO#Wk#RIsbE;*o7^dM2;qFEYe-u zzrjS0OJQ&4vxJq?6xRRz&Z^4v#EGvf;GuAE;0w0{?=R)#MBU#0x_|zL#mURoB@3QZy?u1H)~!4KizY6J$ro*O)#{nu68(x{Mp*Eh%Wsl*UaQSo z!I#?JmEFM;BUAb0^t5$Tve(TFE9`7g-@obL50C3NIValR-@+wZaJXx)uo=^mM;Bjz zxpiwbmD^@;4?1x$O1` zR#}-lUpwX8tL1aNa_ibv?riCiiv2Oe=BAn1gYVb1`MGU`0*~(tJydad-noOP9vyeM z%feXXF|+8xYVpUW8w?eszY41DYPsXmpT_Q5+rE}NUhSym=TJ`RJ6n{RoT4x33dCQ% zG{=cKWkF!#|A3{dD&BK_kmES|Wv=^z6Gx1nO`9vv@+PGB-^>R(331EP67C*1Q`oI= zs^Jk||2jsIzC$nW&F1~Ju&m8W_|B9xuWgtAHZSqdO;bsFv{>=V+a*bt?wIsnYNuhH(y~=n`pV^^^x!ovBjTT75?0E&tiX9SUi8t_7}n*uH7(xJvA*ON5Q&& z*_u5Sw+{rBN>xsJW79S7+>|{>6n0L!Y4D6UOQGL=TFjw>LyyWP?NJq($g$BsyOFh@$8+)w&&xdvFoU(Z; Date: Mon, 26 Aug 2024 23:24:45 +0200 Subject: [PATCH 3/4] ip range fix --- system-modules/hsmw.nix | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/system-modules/hsmw.nix b/system-modules/hsmw.nix index 629a1f3..e0255dd 100755 --- a/system-modules/hsmw.nix +++ b/system-modules/hsmw.nix @@ -1,5 +1,4 @@ { pkgs, lib, host, secrets, ... }: -lib.mkIf (host != "NxACE") { environment.systemPackages = with pkgs; [ strongswanNM 
@@ -38,19 +37,19 @@ lib.mkIf (host != "NxACE")
 };
 connections = {
 hsmw = {
- keyexchange = "ikev2";
- left = "%defaultroute";
- leftid = "%any";
- leftauth = "eap";
- eap_identity = "${secrets.email.hsmw.un}@hs-mittweida.de";
- leftsourceip = "%config";
- leftdns = "%config4";
- leftfirewall = "no";
- right = "141.55.128.84";
- rightid = "@vpn4.hs-mittweida.de";
- rightsubnet = "0.0.0.0/0";
- rightauth = "pubkey";
- auto = "add";
+ keyexchange = "ikev2";
+ left = "%defaultroute";
+ leftid = "%any";
+ leftauth = "eap";
+ eap_identity = "${secrets.email.hsmw.un}@hs-mittweida.de";
+ leftsourceip = "%config";
+ leftdns = "%config4"; # Ensure that DNS resolution works as expected
+ leftfirewall = "no"; # Keep firewall disabled, but manually check rules
+ right = "141.55.128.84";
+ rightid = "@vpn4.hs-mittweida.de";
+ rightsubnet = "141.55.128.0/16"; # Split tunneling: Only route traffic for the VPN subnet
+ rightauth = "pubkey";
+ auto = "add";
 };
 };
 managePlugins = true;
From 20f8ea51c65df04a0cd80670f5ad38d30bd3eff8 Mon Sep 17 00:00:00 2001
From: "Lennart J. Kurzweg (Nx2)"
Date: Mon, 26 Aug 2024 23:24:57 +0200
Subject: [PATCH 4/4] screen
---
 home.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/home.nix b/home.nix
index 065667d..6225839 100755
--- a/home.nix
+++ b/home.nix
@@ -71,6 +71,7 @@
 piper-tts
 sssnake
 pipes
 dig
+ screen
 gnumake
 cmake
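Review bot: `rightsubnet = "141.55.128.0/16"` has host bits set for a /16, so the selector does not match the address written: depending on the parser strongSwan will either normalise it to 141.55.0.0/16 or reject it, and either way the split tunnel does not cover what the value suggests; write the network the comment means, e.g. `rightsubnet = "141.55.0.0/16";`, or `"141.55.128.0/17"` if only the upper half is intended. The comment on `leftfirewall = "no"` ("Keep firewall disabled") mis-describes the option: it only stops strongSwan from inserting its own iptables rules for the tunnel and does not disable any host firewall; `# Do not let strongSwan add/remove iptables rules for this connection` would be accurate. Note that the first hunk of this file drops the `lib.mkIf (host != "NxACE")` guard, so this connection definition is now part of every host's configuration.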