flake.lock: update

Add juan user pubkey
Add wg-access-server
2025-08-29 15:12:18 +00:00 · 2025-08-29 16:43:51 +02:00 · 2025-08-29 16:43:36 +02:00 · 2025-08-29 16:42:50 +02:00 · 2025-08-28 11:33:35 +02:00 · 2025-08-28 11:28:11 +02:00
11 changed files with 105 additions and 19 deletions
--- a/flake.lock
+++ b/flake.lock
@ -14,11 +14,11 @@
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1756312409,
-        "narHash": "sha256-eSJATmx1aVWGWAtsG4dbD9wrEC89N52L35wy2PgB65o=",
-        "rev": "9ed71906060bd0d958f581a36deceb34c2f8aa3b",
+        "lastModified": 1756473259,
+        "narHash": "sha256-OOUCvtVZwP1pC59Id9L5L1iJl0zYKTojCxBO3hvnzl8=",
+        "rev": "a364b5ebf3309df661c453b9818aecce99b2a8d8",
        "type": "tarball",
-        "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/9ed71906060bd0d958f581a36deceb34c2f8aa3b.tar.gz"
+        "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/a364b5ebf3309df661c453b9818aecce99b2a8d8.tar.gz"
      },
      "original": {
        "type": "tarball",
@ -279,11 +279,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1756217674,
-        "narHash": "sha256-TH1SfSP523QI7kcPiNtMAEuwZR3Jdz0MCDXPs7TS8uo=",
+        "lastModified": 1756346337,
+        "narHash": "sha256-al0UcN5mXrO/p5lcH0MuQaj+t97s3brzCii8GfCBMuA=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "4e7667a90c167f7a81d906e5a75cba4ad8bee620",
+        "rev": "84c26d62ce9e15489c63b83fc44e6eb62705d2c9",
        "type": "github"
      },
      "original": {
--- a/machines/aresix/configuration.nix
+++ b/machines/aresix/configuration.nix
@ -4,6 +4,8 @@
    ./modules/home-assistant
    ./modules/dyndns.nix
    ./modules/network.nix
+    ./modules/wireguard.nix
+    ./modules/users.nix
  ];

  services.logind.lidSwitch = "ignore";
--- a/machines/aresix/modules/home-assistant/default.nix
+++ b/machines/aresix/modules/home-assistant/default.nix
@ -19,10 +19,10 @@

    files.credentials-file.secret = true;
    script = ''
-      {
-        echo "TG_BOT_TOKEN=$(<$prompts/telegram-bot-token)"
-        echo "HA_AUTH_TOKEN=$(<$prompts/home-assistant-auth-token)"
-      } > $out/credentials-file
+      cat <<EOL > $out/credentials-file
+      TG_BOT_TOKEN=$(<$prompts/telegram-bot-token)
+      HA_AUTH_TOKEN=$(<$prompts/home-assistant-auth-token)
+      EOL
    '';
  };

@ -38,9 +38,19 @@
    };
  };

-  services.esphome = {
-    enable = true;
-    address = "::1"; # Proxied trough home assistant
+  virtualisation.oci-containers.containers.esphome = {
+    image = "ghcr.io/esphome/esphome:2025.6.3";
+    volumes = [
+      "/var/lib/esphome:/config"
+    ];
+    privileged = true;
+    extraOptions = ["--network=host"]; # Host networking mode is required for online status indicators
+    cmd = [
+      "dashboard"
+      "--address"
+      "::1"
+      "/config"
+    ];
  };

  services.home-assistant = {
--- a/machines/aresix/modules/reverse-proxy.nix
+++ b/machines/aresix/modules/reverse-proxy.nix
@ -27,6 +27,17 @@
          proxyWebsockets = true;
        };
      };
+      "wg.campares.duckdns.org" = {
+        forceSSL = true;
+        enableACME = true;
+        extraConfig = ''
+          proxy_buffering off;
+        '';
+        locations."/" = {
+          proxyPass = "http://[::1]:8000";
+          proxyWebsockets = true;
+        };
+      };
    };
  };
 }
--- a/machines/aresix/modules/users.nix
+++ b/machines/aresix/modules/users.nix
@ -0,0 +1,8 @@
+{...}: {
+  users.users.juan = {
+    isNormalUser = true;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFpkZoYCFS6jQyaLgRkG8WlOj8ybpwsJkCWTuKkGB5oA Juan Rey"
+    ];
+  };
+}
--- a/machines/aresix/modules/wireguard.nix
+++ b/machines/aresix/modules/wireguard.nix
@ -0,0 +1,33 @@
+{config, ...}: {
+  clan.core.vars.generators.wg-access-server = {
+    prompts.admin-password = {
+      description = "Password for the wg-access-server admin user";
+      type = "hidden";
+    };
+
+    prompts.wireguard-private-key = {
+      description = "Wireguard private key wg-access-server will use";
+      type = "hidden";
+    };
+
+    files.secrets-file.secret = true;
+    script = ''
+      cat <<EOL > $out/secrets-file
+      adminPassword: $(<$prompts/admin-password)
+      wireguard:
+        privateKey: $(<$prompts/wireguard-private-key)
+      EOL
+    '';
+  };
+
+  services.wg-access-server = {
+    enable = true;
+
+    settings = {
+      httpHost = "::1";
+    };
+
+    secretsFile = config.clan.core.vars.generators.wg-access-server.files.secrets-file.path;
+  };
+  networking.firewall.allowedUDPPorts = [51820 53];
+}
--- a/vars/per-machine/aresix/state-version/version/value
+++ b/vars/per-machine/aresix/state-version/version/value
@ -0,0 +1 @@
+25.05
--- a/vars/per-machine/aresix/tg-ha-door/credentials-file/secret
+++ b/vars/per-machine/aresix/tg-ha-door/credentials-file/secret
@ -1,18 +1,18 @@
 {
-	"data": "ENC[AES256_GCM,data:pgqGVVzrBFAZUrvUjmOP6/bOwiMa6rdvsrP/G/IdJLK3r1cuSNz+V8eLf7sRQFrPSRNutorO8B2Ni8YZRJ6dBojSs95i0igp49lW3gbO7qQbUaoY/0Pz16XZAhBr0o9XWd8BOQNHTcoqdxxZKYylQySZEBXL8VQO5/BE7tageeEam8x31KExT7m+KHjKO8hV0XFzvXCnIpu7wpfJWsE04PXK+oY5LYpe3cCxtg+1wyBfTp+BFP2I5XZ+Exs+ldOwjMHXJBLP7gSkxggoKRILTsazntUCkk4NxBPqvh7+K4TanRHOONOPnqHXvZfRPrrTbVJdB3Cpe4qvSSDHqry3qSQ=,iv:UinSEY6cXYEPrwHTgWkwggnp4UkfPPNrgKzD2PmpHlQ=,tag:qQmirO5/xCE0vNoTYhmz+A==,type:str]",
+	"data": "ENC[AES256_GCM,data:u8Qp6QJ65xRl9qaOeN4ubFitmmWejYHum0i3/B2IOvobJQFFHkS6kjDOzlP22oj1uTBzXfG4NhktujyeTXz5KdDNSiUsL0IGJ78W8hBYrEUXK/cF4CkqajW1e4OWaxYECbIHOJpFpHVxSNnr1iREHzxrxBkUbVGTxTKCfrYUMihP86HuEEiQSE/CIkdnOiXtHxgBmI4zHC00EdmZSwUv+SH/u0wz/F0uDLknuxdmrJzERSuBzadry6o7BQ/2A3gIQpU/1+CL9gxhV1bWwOK4yb5zSyTIVYCHn+PWUJUNUzrY1UUPb16TC9kG40e8xn8n/f2/0rpK39Mw65hLKInhv5A=,iv:iYcjJqCp2FVqDDynDesenQ+19lSHPOj4PGnbWt8471g=,tag:bgCVCOofqPv5cE+1yqoPSQ==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age12dw69nvfyqype23gmn4cy7wccr6ct3luj05hat4g65kzwqz9rpzs7z4jpe",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKTnpQRnFPRys3dC9nSm5N\ncVJPRWJtbUM0SnN5Nm1YZjAwTS8rVGliYUdJCkdjZlQrUldXaHdhOHo2cldlL0Fq\nU2hqQjNuVkF0Q2Z1MzNyTU9wODNzMGMKLS0tIERuUkZpYzN3NVhNTWRzZEhHemZl\nd01zcGdJdWxsTDNhTG93UlBxZFduaG8KtMvXaBsN9PQ2efabYkfmwpbft5uCYz1k\nqnVEIpNOSzeBhES/3goSgHIQnOU5suDq9K7g9zoK8sRFu4xA6s4esg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtZUlaYlVWUHY0alZSOXow\nY1Axai9NYXl4KzVXeW1Hc1drdFIwL1hDelI4CmVSeHQxckNLRFlWWXAydWM0NXpr\nOGZGOHBSZ08zYXI2a1pWVE54aEpVcEEKLS0tIFdvenFKL2N3MVpYd1B4RGl0eWFZ\nWlRTemNyYklnV0duaVpLNTVycnlVMkUKqRUlWiG1WZ3frvEpzrFpJKAX7SYhqBaJ\nYVPZarzqMJ6zYz3rvsx/u9kQlnlS4mhBRzH34bFgmy9rJu9VFl2W1w==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1r2sw9uncvkqtklypw4rttufhw86lhhqrghed8l2kda6hdrd9ypyqm7y863",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSR0Y3eldHOTBpb29jR3dX\ndkY2OHJCN0VDRFhFTlMwbTdZV2hoQ1FZMEM4CkY4U0gvV21VTFE4ZUl5KzZqT3hw\nb0RGNEV4MFF4MGExN1BHRkhVUU91VkEKLS0tIEJWNEg4TUZpLzNmTURERHhRd0tv\nTkJZK09PUVErT1h4RkFVczdWa0JTRlUK8uM4HsUeA6U35Z1eWkRs00vIWGy17qVR\n8uXh/X4jwBtoSgGhisofEoyfXK7CK6R9Jb1VCS8y9nI+sYbOCBp8AA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXcWdaOFdCMXNjZG90Q1Rh\nTHhYY2dDc1RlS3R3ek13d0dleDVZZ2pONlZFCklkQWUrWmNOYU50bnIyL1lRQWpG\na0dTeXAwZUVLOFNGR1p0MTIySkVVQXcKLS0tIDRDNTNyZERqN29nWmxoWHFiaEhY\nWkRieEVMb1pnL1hHWjBtVmoxRU9FVm8KfsOw1InaJLLXagSibhJ5accgV+k2Lz9v\nFPXchmZ4h3hY6JrSG88ihaO48Fvw0R0ic675aP0HUZhqAiDBHQItjQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-08-21T13:43:46Z",
-		"mac": "ENC[AES256_GCM,data:LGw8L3Qq2bRD1OgY2YG5074WVFUJPS9fF5r/TQXYqSNLH4yRumKqyAWWi3wpf4hoDUa9/dkmmsOKbiBq1jVZhRGvUUo246xyd09UMXgNOkYYMkF1PYnz1NCWl1VsmIdm1aGxxpSyGVtoUG7d+bgV9WmFq8yne9VGoO6TOfKmYRY=,iv:yQlt5Q5ApmwzWoS1fdrtiwVfodqRZ3RXI6jBple/gpI=,tag:ifs7TLXvIp9mUgVuoMQV3g==,type:str]",
+		"lastmodified": "2025-08-28T09:17:44Z",
+		"mac": "ENC[AES256_GCM,data:648PFpMAE/k5AOv5sMd6zMccl7RAoXjCoi3h7OpIjdaQEhP2nJxqHAfykGYHQM64cfoAw+QP5bGsyO5Fmkgyo/1Se2PB0gY7juAu5T1wgEzb0IUIrvV5BshUsdBi+IsKcnD4I0oHQmJhD7sFgJMTK1rb4VcpeHCwYgabYSuOW7E=,iv:07aMb3x+iK1TxW7vsu/4vPnOTZ6NIIgDeU6+Gnt24oA=,tag:5TxAmp5gSGRzmYAqeZ7Tog==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.2"
 	}
--- a/vars/per-machine/aresix/wg-access-server/secrets-file/machines/aresix
+++ b/vars/per-machine/aresix/wg-access-server/secrets-file/machines/aresix
@ -0,0 +1 @@
+../../../../../../sops/machines/aresix
--- a/vars/per-machine/aresix/wg-access-server/secrets-file/secret
+++ b/vars/per-machine/aresix/wg-access-server/secrets-file/secret
@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:xWim7rJWQoBmobM7XTH6RkHNHlu3LBvm+V5Y5BU+lCc79/UtENMqHl6Q+xec6VNQTPcOEo+Nq9nLN50YmKn9P8DH/EeT7do7Om90BY22X8BbMdrg0ibt99LuQgmXKcWE7+YQug==,iv:ScD/Ij+u1294JSXglLep3V41TCz61VQnmH10Sq3R3HM=,tag:6KIgpIA0bzIwOJaNn2+6wg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age12dw69nvfyqype23gmn4cy7wccr6ct3luj05hat4g65kzwqz9rpzs7z4jpe",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtZ0hyMmRxMDZVcmtQaTl0\nVHJGdmFXcVFSYVJ6VFI4UUU5VDBMSjNMVVNBCkRZNk9LTjZ5R3J1MXBTdEc4bXFl\ncXdSdUJicllic1FVN0lpVkFqK2kvdkkKLS0tIFdUQU44UGU3a2x4QTl5ZjkwVExC\nWGJVNHVsdkQ0MlpRNnRBckYyWFFyOU0K1sXvQXdHc8U+Djwj/N6h0Wn0z3qPkA4n\nPTnA5Uwlx9LKOBOfPl3cvIPVUXbP0w9q1Q3iCt6z2kcpeqEN6tginQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1r2sw9uncvkqtklypw4rttufhw86lhhqrghed8l2kda6hdrd9ypyqm7y863",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSDZwZVdWZWRLZ1lYQVJv\nU3pNSmc5SW5wbGN1bnlVTVRGZkVDWUNRc1FFCnZuTWEzZWhrUnI4TnY1ZFk2WDB1\ndmtZYVh0Uk5sOG1PKzZKWVNQQWZNZWsKLS0tIDU4bm90VThZYVBPdmVVbzlsMkc4\neStVNTRObHcydnRhV2lBai9JcVVXRGcKnRCjk+S4+xp4eZ14NEOEYRhQ+Ed6JYmw\nOsB4bFMcGJyKHXXp7eYeb64yft/hS87r4koMq6QiYlgTCTZJGQXgTg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-08-28T09:13:53Z",
+		"mac": "ENC[AES256_GCM,data:NRq2Qhu3Q36l11u0YX3qmHoEkff0NMAA86TwCAzk6EqsCRes3IiHoeECMriVMo3nqbIUqaXp+QwsZDNPnSGfyT3lVjr10HZglOs4E1IhkPfeTJTyAC7X5Y/EqICgKNNPVlhFjXETxa6bm1RDY9ZjkqJaD1205ujkm6uw/NuGCSA=,iv:vMULfjndHkpYzgXDMJXAiBNt/RLFxd1+PJgLaWSla7A=,tag:0h+LBx5jgCv6hqWqK29Ozg==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
--- a/vars/per-machine/aresix/wg-access-server/secrets-file/users/pedro
+++ b/vars/per-machine/aresix/wg-access-server/secrets-file/users/pedro
@ -0,0 +1 @@
+../../../../../../sops/users/pedro
Author	SHA1	Message	Date
Forgejo Bot	36382b9269	flake.lock: update	2025-08-29 15:12:18 +00:00
Pedro Rey Anca	feba5d2ae8	Add juan user pubkey All checks were successful Flake check / check (push) Successful in 13m13s Details Update `flake.lock` / update_lockfile (push) Successful in 11m35s Details	2025-08-29 16:43:51 +02:00
Pedro Rey Anca	b614dcf1ec	Add wg-access-server	2025-08-29 16:43:36 +02:00
Pedro Rey Anca	0ebf24af44	Use ESPHome container instead of service (less errors)	2025-08-29 16:42:50 +02:00
Pedro Rey Anca	79b3a0ad4d	Update vars via generator state-version for machine aresix	2025-08-28 11:33:35 +02:00
Pedro Rey Anca	39117c4a8a	Change tg-ha-door vars generation script	2025-08-28 11:28:11 +02:00
Pedro Rey Anca	9281d05fc2	Update vars via generator tg-ha-door for machine aresix	2025-08-28 11:28:07 +02:00
Pedro Rey Anca	f14c230c1a	Update vars via generator wg-access-server for machine aresix	2025-08-28 11:28:02 +02:00