From f14c230c1a95caa2b028bd3cfbc6193093ee7688 Mon Sep 17 00:00:00 2001
From: Pedro Rey Anca
Date: Thu, 28 Aug 2025 11:13:53 +0200
Subject: [PATCH 1/7] Update vars via generator wg-access-server for machine aresix
---
.../secrets-file/machines/aresix | 1 +
.../wg-access-server/secrets-file/secret | 19 +++++++++++++++++++
.../wg-access-server/secrets-file/users/pedro | 1 +
3 files changed, 21 insertions(+)
create mode 120000 vars/per-machine/aresix/wg-access-server/secrets-file/machines/aresix
create mode 100644 vars/per-machine/aresix/wg-access-server/secrets-file/secret
create mode 120000 vars/per-machine/aresix/wg-access-server/secrets-file/users/pedro
diff --git a/vars/per-machine/aresix/wg-access-server/secrets-file/machines/aresix b/vars/per-machine/aresix/wg-access-server/secrets-file/machines/aresix
new file mode 120000
index 0000000..a7839bb
--- /dev/null
+++ b/vars/per-machine/aresix/wg-access-server/secrets-file/machines/aresix
@@ -0,0 +1 @@
+../../../../../../sops/machines/aresix
\ No newline at end of file
diff --git a/vars/per-machine/aresix/wg-access-server/secrets-file/secret b/vars/per-machine/aresix/wg-access-server/secrets-file/secret
new file mode 100644
index 0000000..1392bad
--- /dev/null
+++ b/vars/per-machine/aresix/wg-access-server/secrets-file/secret
@@ -0,0 +1,19 @@ +{ + "data": "ENC[AES256_GCM,data:xWim7rJWQoBmobM7XTH6RkHNHlu3LBvm+V5Y5BU+lCc79/UtENMqHl6Q+xec6VNQTPcOEo+Nq9nLN50YmKn9P8DH/EeT7do7Om90BY22X8BbMdrg0ibt99LuQgmXKcWE7+YQug==,iv:ScD/Ij+u1294JSXglLep3V41TCz61VQnmH10Sq3R3HM=,tag:6KIgpIA0bzIwOJaNn2+6wg==,type:str]", + "sops": { + "age": [ + { + "recipient": "age12dw69nvfyqype23gmn4cy7wccr6ct3luj05hat4g65kzwqz9rpzs7z4jpe", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtZ0hyMmRxMDZVcmtQaTl0\nVHJGdmFXcVFSYVJ6VFI4UUU5VDBMSjNMVVNBCkRZNk9LTjZ5R3J1MXBTdEc4bXFl\ncXdSdUJicllic1FVN0lpVkFqK2kvdkkKLS0tIFdUQU44UGU3a2x4QTl5ZjkwVExC\nWGJVNHVsdkQ0MlpRNnRBckYyWFFyOU0K1sXvQXdHc8U+Djwj/N6h0Wn0z3qPkA4n\nPTnA5Uwlx9LKOBOfPl3cvIPVUXbP0w9q1Q3iCt6z2kcpeqEN6tginQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1r2sw9uncvkqtklypw4rttufhw86lhhqrghed8l2kda6hdrd9ypyqm7y863", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSDZwZVdWZWRLZ1lYQVJv\nU3pNSmc5SW5wbGN1bnlVTVRGZkVDWUNRc1FFCnZuTWEzZWhrUnI4TnY1ZFk2WDB1\ndmtZYVh0Uk5sOG1PKzZKWVNQQWZNZWsKLS0tIDU4bm90VThZYVBPdmVVbzlsMkc4\neStVNTRObHcydnRhV2lBai9JcVVXRGcKnRCjk+S4+xp4eZ14NEOEYRhQ+Ed6JYmw\nOsB4bFMcGJyKHXXp7eYeb64yft/hS87r4koMq6QiYlgTCTZJGQXgTg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-08-28T09:13:53Z", + "mac": "ENC[AES256_GCM,data:NRq2Qhu3Q36l11u0YX3qmHoEkff0NMAA86TwCAzk6EqsCRes3IiHoeECMriVMo3nqbIUqaXp+QwsZDNPnSGfyT3lVjr10HZglOs4E1IhkPfeTJTyAC7X5Y/EqICgKNNPVlhFjXETxa6bm1RDY9ZjkqJaD1205ujkm6uw/NuGCSA=,iv:vMULfjndHkpYzgXDMJXAiBNt/RLFxd1+PJgLaWSla7A=,tag:0h+LBx5jgCv6hqWqK29Ozg==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/vars/per-machine/aresix/wg-access-server/secrets-file/users/pedro b/vars/per-machine/aresix/wg-access-server/secrets-file/users/pedro new file mode 120000 index 0000000..ae0c694 --- /dev/null +++ b/vars/per-machine/aresix/wg-access-server/secrets-file/users/pedro 
@@ -0,0 +1 @@
+../../../../../../sops/users/pedro
\ No newline at end of file
From 9281d05fc2146a05ab74b54913e1284f8634e39f Mon Sep 17 00:00:00 2001
From: Pedro Rey Anca
Date: Thu, 28 Aug 2025 11:17:44 +0200
Subject: [PATCH 2/7] Update vars via generator tg-ha-door for machine aresix
---
.../aresix/tg-ha-door/credentials-file/secret | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/vars/per-machine/aresix/tg-ha-door/credentials-file/secret b/vars/per-machine/aresix/tg-ha-door/credentials-file/secret
index 9c2c774..b02093c 100644
--- a/vars/per-machine/aresix/tg-ha-door/credentials-file/secret
+++ b/vars/per-machine/aresix/tg-ha-door/credentials-file/secret
@@ -1,18 +1,18 @@ { - "data": "ENC[AES256_GCM,data:pgqGVVzrBFAZUrvUjmOP6/bOwiMa6rdvsrP/G/IdJLK3r1cuSNz+V8eLf7sRQFrPSRNutorO8B2Ni8YZRJ6dBojSs95i0igp49lW3gbO7qQbUaoY/0Pz16XZAhBr0o9XWd8BOQNHTcoqdxxZKYylQySZEBXL8VQO5/BE7tageeEam8x31KExT7m+KHjKO8hV0XFzvXCnIpu7wpfJWsE04PXK+oY5LYpe3cCxtg+1wyBfTp+BFP2I5XZ+Exs+ldOwjMHXJBLP7gSkxggoKRILTsazntUCkk4NxBPqvh7+K4TanRHOONOPnqHXvZfRPrrTbVJdB3Cpe4qvSSDHqry3qSQ=,iv:UinSEY6cXYEPrwHTgWkwggnp4UkfPPNrgKzD2PmpHlQ=,tag:qQmirO5/xCE0vNoTYhmz+A==,type:str]", + "data": "ENC[AES256_GCM,data:u8Qp6QJ65xRl9qaOeN4ubFitmmWejYHum0i3/B2IOvobJQFFHkS6kjDOzlP22oj1uTBzXfG4NhktujyeTXz5KdDNSiUsL0IGJ78W8hBYrEUXK/cF4CkqajW1e4OWaxYECbIHOJpFpHVxSNnr1iREHzxrxBkUbVGTxTKCfrYUMihP86HuEEiQSE/CIkdnOiXtHxgBmI4zHC00EdmZSwUv+SH/u0wz/F0uDLknuxdmrJzERSuBzadry6o7BQ/2A3gIQpU/1+CL9gxhV1bWwOK4yb5zSyTIVYCHn+PWUJUNUzrY1UUPb16TC9kG40e8xn8n/f2/0rpK39Mw65hLKInhv5A=,iv:iYcjJqCp2FVqDDynDesenQ+19lSHPOj4PGnbWt8471g=,tag:bgCVCOofqPv5cE+1yqoPSQ==,type:str]", "sops": { "age": [ { "recipient": "age12dw69nvfyqype23gmn4cy7wccr6ct3luj05hat4g65kzwqz9rpzs7z4jpe", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKTnpQRnFPRys3dC9nSm5N\ncVJPRWJtbUM0SnN5Nm1YZjAwTS8rVGliYUdJCkdjZlQrUldXaHdhOHo2cldlL0Fq\nU2hqQjNuVkF0Q2Z1MzNyTU9wODNzMGMKLS0tIERuUkZpYzN3NVhNTWRzZEhHemZl\nd01zcGdJdWxsTDNhTG93UlBxZFduaG8KtMvXaBsN9PQ2efabYkfmwpbft5uCYz1k\nqnVEIpNOSzeBhES/3goSgHIQnOU5suDq9K7g9zoK8sRFu4xA6s4esg==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtZUlaYlVWUHY0alZSOXow\nY1Axai9NYXl4KzVXeW1Hc1drdFIwL1hDelI4CmVSeHQxckNLRFlWWXAydWM0NXpr\nOGZGOHBSZ08zYXI2a1pWVE54aEpVcEEKLS0tIFdvenFKL2N3MVpYd1B4RGl0eWFZ\nWlRTemNyYklnV0duaVpLNTVycnlVMkUKqRUlWiG1WZ3frvEpzrFpJKAX7SYhqBaJ\nYVPZarzqMJ6zYz3rvsx/u9kQlnlS4mhBRzH34bFgmy9rJu9VFl2W1w==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1r2sw9uncvkqtklypw4rttufhw86lhhqrghed8l2kda6hdrd9ypyqm7y863", - "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSR0Y3eldHOTBpb29jR3dX\ndkY2OHJCN0VDRFhFTlMwbTdZV2hoQ1FZMEM4CkY4U0gvV21VTFE4ZUl5KzZqT3hw\nb0RGNEV4MFF4MGExN1BHRkhVUU91VkEKLS0tIEJWNEg4TUZpLzNmTURERHhRd0tv\nTkJZK09PUVErT1h4RkFVczdWa0JTRlUK8uM4HsUeA6U35Z1eWkRs00vIWGy17qVR\n8uXh/X4jwBtoSgGhisofEoyfXK7CK6R9Jb1VCS8y9nI+sYbOCBp8AA==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXcWdaOFdCMXNjZG90Q1Rh\nTHhYY2dDc1RlS3R3ek13d0dleDVZZ2pONlZFCklkQWUrWmNOYU50bnIyL1lRQWpG\na0dTeXAwZUVLOFNGR1p0MTIySkVVQXcKLS0tIDRDNTNyZERqN29nWmxoWHFiaEhY\nWkRieEVMb1pnL1hHWjBtVmoxRU9FVm8KfsOw1InaJLLXagSibhJ5accgV+k2Lz9v\nFPXchmZ4h3hY6JrSG88ihaO48Fvw0R0ic675aP0HUZhqAiDBHQItjQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-08-21T13:43:46Z", - "mac": "ENC[AES256_GCM,data:LGw8L3Qq2bRD1OgY2YG5074WVFUJPS9fF5r/TQXYqSNLH4yRumKqyAWWi3wpf4hoDUa9/dkmmsOKbiBq1jVZhRGvUUo246xyd09UMXgNOkYYMkF1PYnz1NCWl1VsmIdm1aGxxpSyGVtoUG7d+bgV9WmFq8yne9VGoO6TOfKmYRY=,iv:yQlt5Q5ApmwzWoS1fdrtiwVfodqRZ3RXI6jBple/gpI=,tag:ifs7TLXvIp9mUgVuoMQV3g==,type:str]", + "lastmodified": "2025-08-28T09:17:44Z", + "mac": "ENC[AES256_GCM,data:648PFpMAE/k5AOv5sMd6zMccl7RAoXjCoi3h7OpIjdaQEhP2nJxqHAfykGYHQM64cfoAw+QP5bGsyO5Fmkgyo/1Se2PB0gY7juAu5T1wgEzb0IUIrvV5BshUsdBi+IsKcnD4I0oHQmJhD7sFgJMTK1rb4VcpeHCwYgabYSuOW7E=,iv:07aMb3x+iK1TxW7vsu/4vPnOTZ6NIIgDeU6+Gnt24oA=,tag:5TxAmp5gSGRzmYAqeZ7Tog==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.2" } From 39117c4a8ace088d3230be0592aacbb70f3f3edc Mon Sep 17 00:00:00 2001 From: Pedro Rey Anca Date: Thu, 28 Aug 2025 11:18:34 +0200 Subject: [PATCH 3/7] Change tg-ha-door vars generation script --- machines/aresix/modules/home-assistant/default.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/machines/aresix/modules/home-assistant/default.nix b/machines/aresix/modules/home-assistant/default.nix index 652825f..36ed26b 100644 
--- a/machines/aresix/modules/home-assistant/default.nix
+++ b/machines/aresix/modules/home-assistant/default.nix
@@ -19,10 +19,10 @@
 files.credentials-file.secret = true;
 script = ''
- {
- echo "TG_BOT_TOKEN=$(<$prompts/telegram-bot-token)"
- echo "HA_AUTH_TOKEN=$(<$prompts/home-assistant-auth-token)"
- } > $out/credentials-file
+ cat < $out/credentials-file
+ TG_BOT_TOKEN=$(<$prompts/telegram-bot-token)
+ HA_AUTH_TOKEN=$(<$prompts/home-assistant-auth-token)
+ EOL
 '';
 };
From 79b3a0ad4d0b5a1be1230e0ebae3af7f9450544a Mon Sep 17 00:00:00 2001
From: Pedro Rey Anca
Date: Thu, 28 Aug 2025 11:33:35 +0200
Subject: [PATCH 4/7] Update vars via generator state-version for machine aresix
---
vars/per-machine/aresix/state-version/version/value | 1 +
1 file changed, 1 insertion(+)
create mode 100644 vars/per-machine/aresix/state-version/version/value
diff --git a/vars/per-machine/aresix/state-version/version/value b/vars/per-machine/aresix/state-version/version/value
new file mode 100644
index 0000000..5d54076
--- /dev/null
+++ b/vars/per-machine/aresix/state-version/version/value
@@ -0,0 +1 @@
+25.05
\ No newline at end of file
From 0ebf24af4479eff201f0c39cb1068dc6ff72796a Mon Sep 17 00:00:00 2001
From: Pedro Rey Anca
Date: Fri, 29 Aug 2025 16:42:50 +0200
Subject: [PATCH 5/7] Use ESPHome container instead of service (less errors)
---
.../aresix/modules/home-assistant/default.nix | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/machines/aresix/modules/home-assistant/default.nix b/machines/aresix/modules/home-assistant/default.nix
index 36ed26b..4d89b7f 100644
--- a/machines/aresix/modules/home-assistant/default.nix
+++ b/machines/aresix/modules/home-assistant/default.nix
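Review bot: The generator writes whatever the two prompt files contain with no check that they are non-empty, so an aborted or blank prompt silently yields `TG_BOT_TOKEN=` in the credentials file and the failure only surfaces when the bot starts; a guard before the heredoc, `[ -s "$prompts/telegram-bot-token" ] && [ -s "$prompts/home-assistant-auth-token" ] || { echo "empty prompt" >&2; exit 1; }`, fails generation instead. As rendered here the line reads `cat < $out/credentials-file`, which would read from rather than write to the output; if the heredoc operator (`<<EOL >`) was stripped by rendering this is moot, otherwise it needs restoring. A short comment such as `# KEY=value lines, consumed as an environment file by the tg-ha-door service` would also document the expected format, since nothing in the hunk says who reads it. The enclosing generator attribute set starts and ends outside the hunk.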
@@ -38,9 +38,19 @@
 };
 };
- services.esphome = {
- enable = true;
- address = "::1"; # Proxied trough home assistant
+ virtualisation.oci-containers.containers.esphome = {
+ image = "ghcr.io/esphome/esphome:2025.6.3";
+ volumes = [
+ "/var/lib/esphome:/config"
+ ];
+ privileged = true;
+ extraOptions = ["--network=host"]; # Host networking mode is required for online status indicators
+ cmd = [
+ "dashboard"
+ "--address"
+ "::1"
+ "/config"
+ ];
 };
 services.home-assistant = {
From b614dcf1ecf0d2b772e26da321a832ab6fd3bd4f Mon Sep 17 00:00:00 2001
From: Pedro Rey Anca
Date: Fri, 29 Aug 2025 16:43:36 +0200
Subject: [PATCH 6/7] Add wg-access-server
---
machines/aresix/configuration.nix | 1 +
machines/aresix/modules/reverse-proxy.nix | 11 ++++++++
machines/aresix/modules/wireguard.nix | 33 +++++++++++++++++++++++
3 files changed, 45 insertions(+)
create mode 100644 machines/aresix/modules/wireguard.nix
diff --git a/machines/aresix/configuration.nix b/machines/aresix/configuration.nix
index 84c3b58..43e3d3e 100644
--- a/machines/aresix/configuration.nix
+++ b/machines/aresix/configuration.nix
@@ -4,6 +4,7 @@
 ./modules/home-assistant
 ./modules/dyndns.nix
 ./modules/network.nix
+ ./modules/wireguard.nix
 ];

 services.logind.lidSwitch = "ignore";
diff --git a/machines/aresix/modules/reverse-proxy.nix b/machines/aresix/modules/reverse-proxy.nix
index dec4250..05458a6 100644
--- a/machines/aresix/modules/reverse-proxy.nix
+++ b/machines/aresix/modules/reverse-proxy.nix
@@ -27,6 +27,17 @@
 proxyWebsockets = true;
 };
 };
+ "wg.campares.duckdns.org" = {
+ forceSSL = true;
+ enableACME = true;
+ extraConfig = ''
+ proxy_buffering off;
+ '';
+ locations."/" = {
+ proxyPass = "http://[::1]:8000";
+ proxyWebsockets = true;
+ };
+ };
 };
 };
 }
diff --git a/machines/aresix/modules/wireguard.nix b/machines/aresix/modules/wireguard.nix
new file mode 100644
index 0000000..1c5b5ef
--- /dev/null
+++ b/machines/aresix/modules/wireguard.nix
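Review bot: `privileged = true;` together with `--network=host` gives the ESPHome dashboard container every capability, unrestricted access to host device nodes and the host network namespace, so a compromise of the dashboard (which the removed comment indicates is reachable through the Home Assistant proxy) is effectively root on aresix. If privileged was added for serial flashing, pass only the device node instead, e.g. `extraOptions = ["--network=host" "--device=/dev/ttyUSB0"];` and drop `privileged`; if it was added for mDNS or ping based status, host networking alone already covers that, as the inline comment itself claims. Consider also pinning the image by digest (`image = "ghcr.io/esphome/esphome:2025.6.3@sha256:…";`) since a tag can be re-pushed upstream. The `services.home-assistant` block the hunk ends on continues outside the hunk.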
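Review bot: The new `wg.campares.duckdns.org` vhost publishes the wg-access-server web UI to the internet with only the generator's admin password as a gate and no rate limiting or source restriction, while the VPN itself is protected by WireGuard keys. If the UI is only needed by the admin or by peers already inside the tunnel, restrict `locations."/"` with `allow`/`deny` for the LAN and WireGuard subnet, or at least add a `limit_req` zone to the location to slow online password guessing; whether that fits depends on how devices are meant to be enrolled, which the hunk does not show. The surrounding `virtualHosts` attribute set starts outside the hunk.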
@@ -0,0 +1,33 @@
+{config, ...}: {
+ clan.core.vars.generators.wg-access-server = {
+ prompts.admin-password = {
+ description = "Password for the wg-access-server admin user";
+ type = "hidden";
+ };
+
+ prompts.wireguard-private-key = {
+ description = "Wireguard private key wg-access-server will use";
+ type = "hidden";
+ };
+
+ files.secrets-file.secret = true;
+ script = ''
+ cat < $out/secrets-file
+ adminPassword: $(<$prompts/admin-password)
+ wireguard:
+ privateKey: $(<$prompts/wireguard-private-key)
+ EOL
+ '';
+ };
+
+ services.wg-access-server = {
+ enable = true;
+
+ settings = {
+ httpHost = "::1";
+ };
+
+ secretsFile = config.clan.core.vars.generators.wg-access-server.files.secrets-file.path;
+ };
+ networking.firewall.allowedUDPPorts = [51820 53];
+}
From feba5d2ae8896e5fd1970363546a8badd6ad6424 Mon Sep 17 00:00:00 2001
From: Pedro Rey Anca
Date: Fri, 29 Aug 2025 16:43:51 +0200
Subject: [PATCH 7/7] Add juan user pubkey
---
machines/aresix/configuration.nix | 1 +
machines/aresix/modules/users.nix | 8 ++++++++
2 files changed, 9 insertions(+)
create mode 100644 machines/aresix/modules/users.nix
diff --git a/machines/aresix/configuration.nix b/machines/aresix/configuration.nix
index 43e3d3e..f1d5afb 100644
--- a/machines/aresix/configuration.nix
+++ b/machines/aresix/configuration.nix
@@ -5,6 +5,7 @@
 ./modules/dyndns.nix
 ./modules/network.nix
 ./modules/wireguard.nix
+ ./modules/users.nix
 ];

 services.logind.lidSwitch = "ignore";
diff --git a/machines/aresix/modules/users.nix b/machines/aresix/modules/users.nix
new file mode 100644
index 0000000..47a1b32
--- /dev/null
+++ b/machines/aresix/modules/users.nix
@@ -0,0 +1,8 @@
+{...}: {
+ users.users.juan = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFpkZoYCFS6jQyaLgRkG8WlOj8ybpwsJkCWTuKkGB5oA Juan Rey"
+ ];
+ };
+}
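Review bot: `networking.firewall.allowedUDPPorts = [51820 53];` opens UDP 53 on every interface, but wg-access-server's DNS forwarder only needs to be reachable by VPN peers over the tunnel; opening it host-wide turns the host into an open resolver on the LAN, and on the internet if aresix is directly reachable as the DuckDNS and ACME setup suggests, which is an amplification and cache-poisoning exposure. Scope it to the tunnel interface instead, `networking.firewall.allowedUDPPorts = [51820];` plus `networking.firewall.interfaces.wg0.allowedUDPPorts = [53];` (wg0 being the interface name I would expect wg-access-server to use — confirm against the module). The generator also interpolates the admin password into YAML unquoted, so a password containing `#`, `:` or a leading special character is truncated or rejected at startup; emit it as a quoted scalar with backslash and double quote escaped, e.g. `adminPassword: "$(sed 's/[\\"]/\\&/g' "$prompts/admin-password")"`. As rendered, `cat < $out/secrets-file` lacks the heredoc operator (`<<EOL >`); if that is not a rendering artefact the script reads its own output file instead of writing it.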
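Review bot: The new `juan` account carries no `description` and no statement of what it is for, so the SSH key comment is the only hint of ownership; on a host that also runs the WireGuard gateway and Home Assistant the intended scope (shell only, no `wheel`) should be written down so a later edit does not silently widen it, e.g. `description = "Juan Rey";` plus `# no extraGroups on purpose: SSH shell access only, no sudo`. Nothing here sets a password, so key-based SSH appears to be the only way in, which is fine provided password authentication is disabled in the sshd settings elsewhere in this configuration — the hunk does not show that, so confirm it.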