diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index 3b1fa4f..89d13a4 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -45,7 +45,7 @@ in
 }
 ];
 sops.secrets = {
- "vps/home/private" = lib.mkIf config.my.secureHost {
+ "server/private" = lib.mkIf config.my.secureHost {
 sopsFile = ../../secrets/wireguard.yaml;
 };
 lidarr-mb-gap = lib.mkIf config.my.secureHost {
@@ -71,7 +71,7 @@ in
 };
 wireguard.interfaces.wg0 = lib.mkIf config.my.secureHost {
 ips = [ "${config.my.ips.wg-server}/32" ];
- privateKeyFile = config.sops.secrets."vps/home/private".path;
+ privateKeyFile = config.sops.secrets."server/private".path;
 peers = [
 {
 publicKey = "dFbiSekBwnZomarcS31o5+w6imHjMPNCipkfc2fZ3GY=";
diff --git a/hosts/workstation/configuration.nix b/hosts/workstation/configuration.nix
index 366c46a..9bac09e 100644
--- a/hosts/workstation/configuration.nix
+++ b/hosts/workstation/configuration.nix
@@ -6,6 +6,7 @@
 }:
 let
 shellType = config.my.shell.type;
+ comfyuiPort = 8188;
 krita-thumbnailer = pkgs.writeTextFile {
 name = "krita-thumbnailer";
 destination = "/share/thumbnailers/kra.thumbnailer";
@@ -58,8 +59,6 @@ in
 allowedTCPPorts = [
 6674 # ns-usbloader
 8384 # syncthing
- config.services.open-webui.port
- config.services.sillytavern.port
 ];
 allowedTCPPortRanges = [
 {
@@ -67,6 +66,12 @@ in
 to = 1764;
 }
 ];
+ interfaces.wg0.allowedTCPPorts = [
+ config.services.ollama.port
+ config.services.open-webui.port
+ config.services.sillytavern.port
+ comfyuiPort
+ ];
 };
 };
 users = {
@@ -137,7 +142,7 @@ in
 open-webui = {
 enable = true;
 port = 2345;
- host = config.my.ips.workstation;
+ host = config.my.ips.wg-workstation;
 };
 scx = {
 enable = true;
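Review bot: `interfaces.wg0.allowedTCPPorts` accepts any packet that arrives through wg0, not only packets from the 10.77.0.0/24 peers, so whether Ollama's API (which has no authentication of its own) and ComfyUI become reachable from the guest/friend tunnels listed in modules.nix (10.9.0.x, 10.8.0.x) depends on the VPS forwarding policy, which this diff does not show. If the VPS forwards between its tunnels, add a source constraint rather than an interface-only allow, e.g. one `networking.firewall.extraCommands` rule per port of the form `iptables -A nixos-fw -i wg0 -s 10.77.0.0/24 -p tcp --dport 2345 -j nixos-fw-accept` (or the `extraInputRules` equivalent if nftables is enabled on this host). `comfyuiPort` is opened here but no hunk declares a ComfyUI service or its bind address; a comment such as `# ComfyUI must be launched bound to wg-workstation, never 0.0.0.0` at the let-binding would record that assumption. The workstation's own `wireguard.interfaces.wg0` is likewise not in this diff — presumably defined elsewhere, worth confirming since this rule is a no-op without that interface.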
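Review bot: `host = config.my.ips.wg-workstation` makes open-webui bind a tunnel address, which only succeeds if wg0 already carries that address when the unit starts (otherwise the bind fails with EADDRNOTAVAIL unless `net.ipv4.ip_nonlocal_bind` is set), and nothing in this hunk orders the service after the interface. Add an ordering such as `systemd.services.open-webui = { after = [ "wireguard-wg0.service" ]; requires = [ "wireguard-wg0.service" ]; };` — the NixOS wireguard module names its unit after the interface, but verify the unit name on this host. The same consideration applies to the ollama `host` and sillytavern `listenAddressIPv4` bindings in the next hunk. Keeping the bind on the tunnel address is the right call; falling back to 0.0.0.0 would reopen the wider exposure this commit removes.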
@@ -157,13 +162,14 @@ in
 models = "/srv/ai/ollama";
 user = "ollama";
 group = "ai";
+ host = config.my.ips.wg-workstation;
 };
 sillytavern = {
 enable = true;
 group = "ai";
 listen = true;
 port = 9324;
- listenAddressIPv4 = config.my.ips.workstation;
+ listenAddressIPv4 = config.my.ips.wg-workstation;
 };
 };
 }
diff --git a/modules/modules.nix b/modules/modules.nix
index 7652640..5477d65 100644
--- a/modules/modules.nix
+++ b/modules/modules.nix
@@ -53,8 +53,9 @@ in
 vps = "45.79.25.87";
 wg-vps = "10.77.0.1";
 wg-server = "10.77.0.2";
- wg-galaxy = "10.77.0.3";
- wg-phone = "10.77.0.4";
+ wg-workstation = "10.77.0.3";
+ wg-galaxy = "10.77.0.4";
+ wg-phone = "10.77.0.5";
 wg-guest1 = "10.9.0.2";
 wg-guest2 = "10.9.0.3";
 wg-friend1 = "10.8.0.2";
diff --git a/modules/services/wireguard.nix b/modules/services/wireguard.nix
index aba70ac..9a2005c 100644
--- a/modules/services/wireguard.nix
+++ b/modules/services/wireguard.nix
@@ -9,7 +9,7 @@ in
 {
 options.my.services.wireguard.enable = lib.mkEnableOption "WireGuard VPN configuration";
 config = lib.mkIf (config.my.services.wireguard.enable && config.my.secureHost) {
- sops.secrets."vps/server/private".sopsFile = ../../secrets/wireguard.yaml;
+ sops.secrets."vps/private".sopsFile = ../../secrets/wireguard.yaml;
 networking = {
 firewall.allowedUDPPorts = [ port ];
 wireguard.interfaces.wg0 = {
@@ -21,12 +21,16 @@ in
 listenPort = port;
 postSetup = "";
 postShutdown = "";
- privateKeyFile = config.sops.secrets."vps/server/private".path;
+ privateKeyFile = config.sops.secrets."vps/private".path;
 peers = [
 {
 publicKey = "OUiqluRaS4hmGvLJ3csQrnIM3Zzet50gsqtTABaUkH4=";
 allowedIPs = [ "${config.my.ips.wg-server}/32" ];
 }
+ {
+ publicKey = "AR17CdtUPs595sbb9WZvAYoEpdKezOKKbDmgUa9+IxQ=";
+ allowedIPs = [ "${config.my.ips.wg-workstation}/32" ];
+ }
 {
 publicKey = "BwN4uCkMd6eAS5Ugld0oXnA16IhgEEQF8mOJ3+vHliA=";
 allowedIPs = [ "${config.my.ips.wg-galaxy}/32" ];
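Review bot: With `listen = true` and `listenAddressIPv4` moved to the tunnel address, the only gate in front of SillyTavern that this hunk shows is the network path; upstream SillyTavern ships with `whitelistMode` on (localhost only) and `basicAuthMode` off, so if the whitelist was relaxed elsewhere to admit tunnel clients, confirm basic auth was enabled, and if it was not relaxed, tunnel clients will be rejected at the application layer regardless of the firewall change — check the module's settings either way. A short comment on the `listen = true;` line stating which applies, e.g. `# wg peers only; whitelist/basicAuth configured in settings`, would keep that decision visible. The same reasoning applies to the new `host` on ollama: Ollama has no authentication, so the bind address plus the wg0 firewall rule are its entire access control.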
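Review bot: Reassigning `wg-galaxy` and `wg-phone` to 10.77.0.4/.5 changes the `allowedIPs` the VPS enforces for two already-deployed peers (the galaxy peer's allowedIPs in wireguard.nix is derived from `config.my.ips.wg-galaxy`; the phone peer presumably likewise), so until each device's tunnel config is regenerated with its new address, its packets fail cryptokey routing on the VPS and are silently dropped, while 10.77.0.3 is simultaneously handed to the workstation key. Appending the new host instead — `wg-workstation = "10.77.0.5";` with galaxy and phone left at .3/.4 — avoids touching devices this repository cannot reconfigure. If the renumbering is deliberate, say so in the commit message and note that the galaxy and phone client configs must be reissued.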
diff --git a/secrets/wireguard.yaml b/secrets/wireguard.yaml
index 5ae0b15..3b52b3e 100644
--- a/secrets/wireguard.yaml
+++ b/secrets/wireguard.yaml
@@ -1,14 +1,12 @@ -wireguard: - private: ENC[AES256_GCM,data:wwggc9T88gK/EMmjPauf14DZGUnfipBpfN3FnlPhsO6FtVmK2aad/D0/Rqw=,iv:Q15iiEOFRa3bPf7NfZcEZOgEqnjIJPenYgE6c6HRYI8=,tag:x+auLhc/FDhxZxzWmcrX9Q==,type:str] - public: ENC[AES256_GCM,data:uelp1opnLR5EfvNBSA3Sk33ktMoG6+Pvj7oKYtdlCpXMZel9O8G7P4X5S2M=,iv:AQECJmnXSc2MM0pT8ZJtA51pn+tvhhyAxFDMBH/H6wA=,tag:yWsnQbHaeiXyPLbpxMZwsg==,type:str] vps: - server: - private: ENC[AES256_GCM,data:wrP/069tuQs3ObYE8Q0MNVxe3+4vZ2HIImoIdZpj1uPgdBknboX1wmANv/k=,iv:FJL5KumHos8PoXra+BB2Uc6YedsF6MD3wWyuugXzJ+E=,tag:nVuTrW2P7JvnWnv6H1SmdQ==,type:str] - public: ENC[AES256_GCM,data:YnKOf9725v9FkzdNPDVf/iinMbY/YWn6ksqEz+mpB4KHVlOvpbV6vLSKRcs=,iv:aWQNy6mT4sxVbzaXKgRzZ9XVsiBCRsOlLORRqC+uiKE=,tag:mLWv6mr3VVfw0J5BrqByXg==,type:str] - #ENC[AES256_GCM,data:u5SEQfK0Hw==,iv:+qr9WmOzQowZ/JyN1KoWhoyHA2132fmmZzIQy7o5y6k=,tag:9TPVeQgoo2nWQ9dhuYULGw==,type:comment] - home: - private: ENC[AES256_GCM,data:YZ0jvBzkMv8Bwc9u3LDJzwSqQvPj8wPUxTIeBFiLYVQQIBjm8aS1dTYuPvo=,iv:mXuW7TVERxOMmGIit3a7Spmbk/EgYuGkO66AWJUnMF0=,tag:xM7C3F3JCiud/A9yPD5ydQ==,type:str] - public: ENC[AES256_GCM,data:DcwAHhHjIxFqRL5h7p/0nkFnWiI/iqR8Fws6AuFaxjgUHKYd/6l3D6q/O/0=,iv:bBJ0bsKRiGQUSlRmHqeLQWkOIUNfG5VVpuV6MOtKZO0=,tag:harMG6GDIfclmSq3D36bTw==,type:str] + private: ENC[AES256_GCM,data:GKSiPGgEIlXIfVL3I4Aa8F26cuzK5EEt+sC29Q8D1RfKJl2KXYIpTQx4SbI=,iv:StH6MWFwZlY0AsuGa89PvNh7/xqL/TBGjBdepKmEnBw=,tag:J1Snm/JllgZptFYJwONy7w==,type:str] + public: ENC[AES256_GCM,data:32je0q/XQkR0NMyzvdBx3vCgDDvRjS905aW56lDiSps1LO1hkIPuAtcja6g=,iv:lLwIMtZw9DYS4nYm9GfBNowgJakX6rW0gbwkvR2J5nQ=,tag:XHgkDEoIMtzR8QeSUbZ/TQ==,type:str] +server: + private: ENC[AES256_GCM,data:O+qt6SyY6DsMY/ulH9XL5mylASEGpmq8Oyq/rll/N0O8F4dIdW8deuIxKFw=,iv:Y3PuQFE8yEc+AhCjB17n3nz3+mt/QgqCJKBgfAHclZ4=,tag:ztji+I+Kj823jcz5k0XsLA==,type:str] + public: ENC[AES256_GCM,data:i1WRBhZOIG1UBoPDC76Ofok8r6dEqxXI6mMvieFMII1pxg2s0XQVCDZQMos=,iv:aZRrsHpdchE0aXq3NbJfMEj7WaYZ05e9I1e08OlJ/kY=,tag:jhS3kVaPD6/AjpSOm6YA+Q==,type:str] +workstation: + private: 
ENC[AES256_GCM,data:4gSDH2cAu8ADAijaqn1ieD3ymc6Afv/nCXDiKp7VsyHY5c9fCamJA8L0uGw=,iv:MfFR7FFm5aABpW98NIAwusIS29Pa53MCkD0Jk1dXHc4=,tag:XD+NKYb8MhcWO9ujvCnHPw==,type:str] + public: ENC[AES256_GCM,data:qMHd5bdOJk7xQbfwZ0c4wHXD66ZB74pWsq/HgfzE7lvuB3JU1qWOQFL94hY=,iv:yxdISmviQtCLRwQ0/49yU3q0kO33fJRzaMUtkGLY6pg=,tag:JM5btDGB8fpyPEvONXuSTw==,type:str] sops: age: - recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37 @@ -47,7 +45,7 @@ sops: NXZzQmlneDNEb1UvR2NGK0kyY1lsa1kK7IQmyuVxa2hmic4yTeiAcxN41RvMcIDV Pofrhu7q8VvB/Cxb7FjVs3Ed5Hdz9xQ60mXUKsnJV/rIssm9wx4cfg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-02-04T18:37:11Z" - mac: ENC[AES256_GCM,data:AlrMK34dWDm5hfVwnQnzk3l8NIRbiVV6KHa6io9S9l07WvC3TYLTOJS6xOi4pkEz6sqQ7IpZU7RRdosxuQp50NmMEt2QYawTHFZIgzFYeKRbl5N5LCu9afC6yTtvG/sT7uenTMhh2qT1JBwebJiUdM9zNVUzWlW5d1SdxrHgIbs=,iv:dvqsDaC+trhY1kheYUEOEwHfCDz0Mu7N0LpfjnKko5g=,tag:tuqyK8vuwSrk1kf+Vi7MKg==,type:str] + lastmodified: "2026-02-15T19:11:14Z" + mac: ENC[AES256_GCM,data:3+h9hJRtZSTWApZ+tG8fZKl6QrKldPzB1Z0hjWCCpwD2xvo32SpBSocUCuXZ4aLLyk/GDc2OPXVG5jOtX/BpZdOMj3k4iqxz0BeVebEsT/YOduu5buiRqHiNxrovbAUuhpCif+1rzMXFEZzVXdQW3QmEY1hVwtoZWEWNW7vee7g=,iv:HHR8ACgc49Q9QydaLZ189m6cs/LIVgNEpJCyyj6HWHY=,tag:3Ljh6zhrMVk+O7+whHQq1w==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0