diff --git a/machines/aresix/configuration.nix b/machines/aresix/configuration.nix
index 84c3b58..f1d5afb 100644
--- a/machines/aresix/configuration.nix
+++ b/machines/aresix/configuration.nix
@@ -4,6 +4,8 @@
 ./modules/home-assistant
 ./modules/dyndns.nix
 ./modules/network.nix
+ ./modules/wireguard.nix
+ ./modules/users.nix
 ];
 services.logind.lidSwitch = "ignore";
diff --git a/machines/aresix/modules/home-assistant/default.nix b/machines/aresix/modules/home-assistant/default.nix
index 652825f..4d89b7f 100644
--- a/machines/aresix/modules/home-assistant/default.nix
+++ b/machines/aresix/modules/home-assistant/default.nix
@@ -19,10 +19,10 @@
 files.credentials-file.secret = true;
 script = ''
- {
- echo "TG_BOT_TOKEN=$(<$prompts/telegram-bot-token)"
- echo "HA_AUTH_TOKEN=$(<$prompts/home-assistant-auth-token)"
- } > $out/credentials-file
+ cat < $out/credentials-file
+ TG_BOT_TOKEN=$(<$prompts/telegram-bot-token)
+ HA_AUTH_TOKEN=$(<$prompts/home-assistant-auth-token)
+ EOL
 '';
 };
@@ -38,9 +38,19 @@
 };
 };
- services.esphome = {
- enable = true;
- address = "::1"; # Proxied trough home assistant
+ virtualisation.oci-containers.containers.esphome = {
+ image = "ghcr.io/esphome/esphome:2025.6.3";
+ volumes = [
+ "/var/lib/esphome:/config"
+ ];
+ privileged = true;
+ extraOptions = ["--network=host"]; # Host networking mode is required for online status indicators
+ cmd = [
+ "dashboard"
+ "--address"
+ "::1"
+ "/config"
+ ];
 };
 services.home-assistant = {
diff --git a/machines/aresix/modules/reverse-proxy.nix b/machines/aresix/modules/reverse-proxy.nix
index dec4250..05458a6 100644
--- a/machines/aresix/modules/reverse-proxy.nix
+++ b/machines/aresix/modules/reverse-proxy.nix
@@ -27,6 +27,17 @@
 proxyWebsockets = true;
 };
 };
+ "wg.campares.duckdns.org" = {
+ forceSSL = true;
+ enableACME = true;
+ extraConfig = ''
+ proxy_buffering off;
+ '';
+ locations."/" = {
+ proxyPass = "http://[::1]:8000";
+ proxyWebsockets = true;
+ };
+ };
 };
 };
 }
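Review bot: As rendered, the new line `cat < $out/credentials-file` is an input redirection from a file that does not exist yet, so the generator script would fail there, the following `TG_BOT_TOKEN=…`/`HA_AUTH_TOKEN=…` lines would run as plain shell assignments and `EOL` as a command, and the credentials file would never be written; if the heredoc operator (`cat <<EOL > $out/credentials-file`) was merely stripped by the page rendering, disregard this. The new wireguard.nix generator script has the same line shape (`cat < $out/secrets-file` … `EOL`) and should be checked together with this one. Whatever the delimiter is, it must stay unquoted so that the `$(<$prompts/…)` substitutions expand, which is worth a one-line comment above the `cat`. The enclosing generator attribute set starts before this hunk.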
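Review bot: `privileged = true` together with `--network=host` hands the ESPHome dashboard container every host device and capability, so a compromise of the dashboard (bound to `::1` here, so reachable only through whatever proxies it) is effectively a root compromise of the host. If privileged mode is only there so the dashboard can flash boards over USB, pass the adapter explicitly and drop `privileged`, e.g. `extraOptions = ["--network=host" "--device=/dev/<serial-adapter>"];` with the real device path substituted; if it is needed for something else, that reason deserves a comment next to it like the one already on `--network=host`. Pinning the image to `2025.6.3` is good; the `services.home-assistant` block that follows continues outside the hunk.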
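Review bot: `proxyPass = "http://[::1]:8000"` hard-codes the wg-access-server listen port while the new wireguard.nix only sets `httpHost = "::1"` and leaves the port at the service default, so the two files can drift apart silently; setting the port explicitly in `services.wg-access-server.settings` (presumably its `port` key) and referencing that value from this `proxyPass` keeps them in lock-step. This vhost also publishes the wg-access-server UI, including its admin login, to the internet with nothing but the generated admin password in front of it; if the admin side is only ever used from the LAN or from inside the VPN, an nginx `allow`/`deny` block on the relevant location would narrow that exposure. The enclosing attribute set (presumably `services.nginx.virtualHosts`) starts before this hunk.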
diff --git a/machines/aresix/modules/users.nix b/machines/aresix/modules/users.nix
new file mode 100644
index 0000000..47a1b32
--- /dev/null
+++ b/machines/aresix/modules/users.nix
@@ -0,0 +1,8 @@
+{...}: {
+ users.users.juan = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFpkZoYCFS6jQyaLgRkG8WlOj8ybpwsJkCWTuKkGB5oA Juan Rey"
+ ];
+ };
+}
diff --git a/machines/aresix/modules/wireguard.nix b/machines/aresix/modules/wireguard.nix
new file mode 100644
index 0000000..1c5b5ef
--- /dev/null
+++ b/machines/aresix/modules/wireguard.nix
@@ -0,0 +1,33 @@
+{config, ...}: {
+ clan.core.vars.generators.wg-access-server = {
+ prompts.admin-password = {
+ description = "Password for the wg-access-server admin user";
+ type = "hidden";
+ };
+
+ prompts.wireguard-private-key = {
+ description = "Wireguard private key wg-access-server will use";
+ type = "hidden";
+ };
+
+ files.secrets-file.secret = true;
+ script = ''
+ cat < $out/secrets-file
+ adminPassword: $(<$prompts/admin-password)
+ wireguard:
+ privateKey: $(<$prompts/wireguard-private-key)
+ EOL
+ '';
+ };
+
+ services.wg-access-server = {
+ enable = true;
+
+ settings = {
+ httpHost = "::1";
+ };
+
+ secretsFile = config.clan.core.vars.generators.wg-access-server.files.secrets-file.path;
+ };
+ networking.firewall.allowedUDPPorts = [51820 53];
+}
diff --git a/vars/per-machine/aresix/state-version/version/value b/vars/per-machine/aresix/state-version/version/value
new file mode 100644
index 0000000..5d54076
--- /dev/null
+++ b/vars/per-machine/aresix/state-version/version/value
@@ -0,0 +1 @@
+25.05
\ No newline at end of file
diff --git a/vars/per-machine/aresix/tg-ha-door/credentials-file/secret b/vars/per-machine/aresix/tg-ha-door/credentials-file/secret
index 9c2c774..b02093c 100644
--- a/vars/per-machine/aresix/tg-ha-door/credentials-file/secret
+++ b/vars/per-machine/aresix/tg-ha-door/credentials-file/secret
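Review bot: `networking.firewall.allowedUDPPorts = [51820 53];` opens UDP 53 on every interface, not only the tunnel, so the DNS forwarder wg-access-server presumably runs for its clients becomes reachable from any network the host is attached to, an open resolver if that includes the public side. Keep 51820 global and scope 53 to the tunnel interface instead, e.g. `networking.firewall.allowedUDPPorts = [51820];` plus `networking.firewall.interfaces.<wg-interface>.allowedUDPPorts = [53];` with the real interface name substituted. Separately, the generated YAML writes `adminPassword: $(<$prompts/admin-password)` unquoted, so a password containing `#`, `:` or a leading quote character is parsed as something other than what was entered, silently weakening the admin login; quoting the value (with `"` and `\` escaped) or stating the allowed characters in the prompt `description` would avoid that. The same applies to `privateKey:` on the line below it.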
@@ -1,18 +1,18 @@ { - "data": "ENC[AES256_GCM,data:pgqGVVzrBFAZUrvUjmOP6/bOwiMa6rdvsrP/G/IdJLK3r1cuSNz+V8eLf7sRQFrPSRNutorO8B2Ni8YZRJ6dBojSs95i0igp49lW3gbO7qQbUaoY/0Pz16XZAhBr0o9XWd8BOQNHTcoqdxxZKYylQySZEBXL8VQO5/BE7tageeEam8x31KExT7m+KHjKO8hV0XFzvXCnIpu7wpfJWsE04PXK+oY5LYpe3cCxtg+1wyBfTp+BFP2I5XZ+Exs+ldOwjMHXJBLP7gSkxggoKRILTsazntUCkk4NxBPqvh7+K4TanRHOONOPnqHXvZfRPrrTbVJdB3Cpe4qvSSDHqry3qSQ=,iv:UinSEY6cXYEPrwHTgWkwggnp4UkfPPNrgKzD2PmpHlQ=,tag:qQmirO5/xCE0vNoTYhmz+A==,type:str]", + "data": "ENC[AES256_GCM,data:u8Qp6QJ65xRl9qaOeN4ubFitmmWejYHum0i3/B2IOvobJQFFHkS6kjDOzlP22oj1uTBzXfG4NhktujyeTXz5KdDNSiUsL0IGJ78W8hBYrEUXK/cF4CkqajW1e4OWaxYECbIHOJpFpHVxSNnr1iREHzxrxBkUbVGTxTKCfrYUMihP86HuEEiQSE/CIkdnOiXtHxgBmI4zHC00EdmZSwUv+SH/u0wz/F0uDLknuxdmrJzERSuBzadry6o7BQ/2A3gIQpU/1+CL9gxhV1bWwOK4yb5zSyTIVYCHn+PWUJUNUzrY1UUPb16TC9kG40e8xn8n/f2/0rpK39Mw65hLKInhv5A=,iv:iYcjJqCp2FVqDDynDesenQ+19lSHPOj4PGnbWt8471g=,tag:bgCVCOofqPv5cE+1yqoPSQ==,type:str]", "sops": { "age": [ { "recipient": "age12dw69nvfyqype23gmn4cy7wccr6ct3luj05hat4g65kzwqz9rpzs7z4jpe", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKTnpQRnFPRys3dC9nSm5N\ncVJPRWJtbUM0SnN5Nm1YZjAwTS8rVGliYUdJCkdjZlQrUldXaHdhOHo2cldlL0Fq\nU2hqQjNuVkF0Q2Z1MzNyTU9wODNzMGMKLS0tIERuUkZpYzN3NVhNTWRzZEhHemZl\nd01zcGdJdWxsTDNhTG93UlBxZFduaG8KtMvXaBsN9PQ2efabYkfmwpbft5uCYz1k\nqnVEIpNOSzeBhES/3goSgHIQnOU5suDq9K7g9zoK8sRFu4xA6s4esg==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtZUlaYlVWUHY0alZSOXow\nY1Axai9NYXl4KzVXeW1Hc1drdFIwL1hDelI4CmVSeHQxckNLRFlWWXAydWM0NXpr\nOGZGOHBSZ08zYXI2a1pWVE54aEpVcEEKLS0tIFdvenFKL2N3MVpYd1B4RGl0eWFZ\nWlRTemNyYklnV0duaVpLNTVycnlVMkUKqRUlWiG1WZ3frvEpzrFpJKAX7SYhqBaJ\nYVPZarzqMJ6zYz3rvsx/u9kQlnlS4mhBRzH34bFgmy9rJu9VFl2W1w==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1r2sw9uncvkqtklypw4rttufhw86lhhqrghed8l2kda6hdrd9ypyqm7y863", - "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSR0Y3eldHOTBpb29jR3dX\ndkY2OHJCN0VDRFhFTlMwbTdZV2hoQ1FZMEM4CkY4U0gvV21VTFE4ZUl5KzZqT3hw\nb0RGNEV4MFF4MGExN1BHRkhVUU91VkEKLS0tIEJWNEg4TUZpLzNmTURERHhRd0tv\nTkJZK09PUVErT1h4RkFVczdWa0JTRlUK8uM4HsUeA6U35Z1eWkRs00vIWGy17qVR\n8uXh/X4jwBtoSgGhisofEoyfXK7CK6R9Jb1VCS8y9nI+sYbOCBp8AA==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXcWdaOFdCMXNjZG90Q1Rh\nTHhYY2dDc1RlS3R3ek13d0dleDVZZ2pONlZFCklkQWUrWmNOYU50bnIyL1lRQWpG\na0dTeXAwZUVLOFNGR1p0MTIySkVVQXcKLS0tIDRDNTNyZERqN29nWmxoWHFiaEhY\nWkRieEVMb1pnL1hHWjBtVmoxRU9FVm8KfsOw1InaJLLXagSibhJ5accgV+k2Lz9v\nFPXchmZ4h3hY6JrSG88ihaO48Fvw0R0ic675aP0HUZhqAiDBHQItjQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-08-21T13:43:46Z", - "mac": "ENC[AES256_GCM,data:LGw8L3Qq2bRD1OgY2YG5074WVFUJPS9fF5r/TQXYqSNLH4yRumKqyAWWi3wpf4hoDUa9/dkmmsOKbiBq1jVZhRGvUUo246xyd09UMXgNOkYYMkF1PYnz1NCWl1VsmIdm1aGxxpSyGVtoUG7d+bgV9WmFq8yne9VGoO6TOfKmYRY=,iv:yQlt5Q5ApmwzWoS1fdrtiwVfodqRZ3RXI6jBple/gpI=,tag:ifs7TLXvIp9mUgVuoMQV3g==,type:str]", + "lastmodified": "2025-08-28T09:17:44Z", + "mac": "ENC[AES256_GCM,data:648PFpMAE/k5AOv5sMd6zMccl7RAoXjCoi3h7OpIjdaQEhP2nJxqHAfykGYHQM64cfoAw+QP5bGsyO5Fmkgyo/1Se2PB0gY7juAu5T1wgEzb0IUIrvV5BshUsdBi+IsKcnD4I0oHQmJhD7sFgJMTK1rb4VcpeHCwYgabYSuOW7E=,iv:07aMb3x+iK1TxW7vsu/4vPnOTZ6NIIgDeU6+Gnt24oA=,tag:5TxAmp5gSGRzmYAqeZ7Tog==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.2" } diff --git a/vars/per-machine/aresix/wg-access-server/secrets-file/machines/aresix b/vars/per-machine/aresix/wg-access-server/secrets-file/machines/aresix new file mode 120000 index 0000000..a7839bb --- /dev/null +++ b/vars/per-machine/aresix/wg-access-server/secrets-file/machines/aresix @@ -0,0 +1 @@ +../../../../../../sops/machines/aresix \ No newline at end of file 
diff --git a/vars/per-machine/aresix/wg-access-server/secrets-file/secret b/vars/per-machine/aresix/wg-access-server/secrets-file/secret new file mode 100644 index 0000000..1392bad --- /dev/null +++ b/vars/per-machine/aresix/wg-access-server/secrets-file/secret @@ -0,0 +1,19 @@ +{ + "data": "ENC[AES256_GCM,data:xWim7rJWQoBmobM7XTH6RkHNHlu3LBvm+V5Y5BU+lCc79/UtENMqHl6Q+xec6VNQTPcOEo+Nq9nLN50YmKn9P8DH/EeT7do7Om90BY22X8BbMdrg0ibt99LuQgmXKcWE7+YQug==,iv:ScD/Ij+u1294JSXglLep3V41TCz61VQnmH10Sq3R3HM=,tag:6KIgpIA0bzIwOJaNn2+6wg==,type:str]", + "sops": { + "age": [ + { + "recipient": "age12dw69nvfyqype23gmn4cy7wccr6ct3luj05hat4g65kzwqz9rpzs7z4jpe", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtZ0hyMmRxMDZVcmtQaTl0\nVHJGdmFXcVFSYVJ6VFI4UUU5VDBMSjNMVVNBCkRZNk9LTjZ5R3J1MXBTdEc4bXFl\ncXdSdUJicllic1FVN0lpVkFqK2kvdkkKLS0tIFdUQU44UGU3a2x4QTl5ZjkwVExC\nWGJVNHVsdkQ0MlpRNnRBckYyWFFyOU0K1sXvQXdHc8U+Djwj/N6h0Wn0z3qPkA4n\nPTnA5Uwlx9LKOBOfPl3cvIPVUXbP0w9q1Q3iCt6z2kcpeqEN6tginQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1r2sw9uncvkqtklypw4rttufhw86lhhqrghed8l2kda6hdrd9ypyqm7y863", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSDZwZVdWZWRLZ1lYQVJv\nU3pNSmc5SW5wbGN1bnlVTVRGZkVDWUNRc1FFCnZuTWEzZWhrUnI4TnY1ZFk2WDB1\ndmtZYVh0Uk5sOG1PKzZKWVNQQWZNZWsKLS0tIDU4bm90VThZYVBPdmVVbzlsMkc4\neStVNTRObHcydnRhV2lBai9JcVVXRGcKnRCjk+S4+xp4eZ14NEOEYRhQ+Ed6JYmw\nOsB4bFMcGJyKHXXp7eYeb64yft/hS87r4koMq6QiYlgTCTZJGQXgTg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-08-28T09:13:53Z", + "mac": "ENC[AES256_GCM,data:NRq2Qhu3Q36l11u0YX3qmHoEkff0NMAA86TwCAzk6EqsCRes3IiHoeECMriVMo3nqbIUqaXp+QwsZDNPnSGfyT3lVjr10HZglOs4E1IhkPfeTJTyAC7X5Y/EqICgKNNPVlhFjXETxa6bm1RDY9ZjkqJaD1205ujkm6uw/NuGCSA=,iv:vMULfjndHkpYzgXDMJXAiBNt/RLFxd1+PJgLaWSla7A=,tag:0h+LBx5jgCv6hqWqK29Ozg==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} 
diff --git a/vars/per-machine/aresix/wg-access-server/secrets-file/users/pedro b/vars/per-machine/aresix/wg-access-server/secrets-file/users/pedro
new file mode 120000
index 0000000..ae0c694
--- /dev/null
+++ b/vars/per-machine/aresix/wg-access-server/secrets-file/users/pedro
@@ -0,0 +1 @@
+../../../../../../sops/users/pedro
\ No newline at end of file