From f1d565225a1ab8c1324e0dc1ebcadcc861b52831 Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Tue, 28 Oct 2025 13:42:23 -0600 Subject: [PATCH] Refactor Linode configuration and update WireGuard settings - Renamed SSH match block from 'vps' to 'linode' in jawz.nix for clarity. - Updated IP addresses in toggles.nix and other configuration files to reflect the new Linode setup. - Removed deprecated fail2ban configuration from linode's configuration.nix. - Adjusted WireGuard interface settings to use the correct IP for linode. - Cleaned up hardware configuration by removing unnecessary GRUB loader settings. - Updated secrets management in wireguard.yaml to streamline key handling. --- config/jawz.nix | 3 +-- hosts/linode/configuration.nix | 6 +----- hosts/linode/hardware-configuration.nix | 4 ---- hosts/linode/toggles.nix | 23 +++++++--------------- hosts/linode/wireguard-linode.nix | 2 +- hosts/server/configuration.nix | 4 ++-- modules/modules.nix | 4 ++-- parts/images.nix | 7 ++----- secrets/wireguard.yaml | 26 ++++++++++--------------- 9 files changed, 26 insertions(+), 53 deletions(-) diff --git a/config/jawz.nix b/config/jawz.nix index f6da9a3..3b84a14 100644 --- a/config/jawz.nix +++ b/config/jawz.nix @@ -31,9 +31,8 @@ in programs.ssh = lib.mkIf config.my.secureHost { enable = true; matchBlocks = { - vps = { + linode = { hostname = config.my.ips.vps; - user = "fedora"; port = 3456; identityFile = config.sops.secrets."private_keys/${hostName}".path; }; diff --git a/hosts/linode/configuration.nix b/hosts/linode/configuration.nix index 640aa05..44fca6b 100644 --- a/hosts/linode/configuration.nix +++ b/hosts/linode/configuration.nix @@ -9,6 +9,7 @@ ./hardware-configuration.nix ./wireguard-linode.nix ../../config/base.nix + inputs.nixos-generators.nixosModules.linode ]; my = import ./toggles.nix { inherit config inputs; } // { nix.cores = 2; 
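Review bot: The `hostname = config.my.ips.vps;` line kept as context inside the renamed `linode` match block still reads the `vps` key, while the modules/modules.nix and hosts/linode/toggles.nix hunks of this same patch rename that key to `linode`. Unless `ips.vps` is still defined somewhere outside this patch, evaluation should fail on any host where `my.secureHost` is true; the line should become `hostname = config.my.ips.linode;`. Removing `user = "fedora";` also makes ssh fall back to the local user name for this host, so an explicit `user` is still needed if the account on the new machine differs. The enclosing `programs.ssh` block starts and ends outside the hunk.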
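Review bot: The added `inputs.nixos-generators.nixosModules.linode` import carries no comment saying what it contributes, yet two other hunks appear to depend on it: hosts/linode/hardware-configuration.nix drops `loader.grub` and parts/images.nix now reads `config.system.build.linodeImage`. I would put a comment above it along the lines of `# Linode image profile: supplies the boot loader setup and system.build.linodeImage (used by parts/images.nix)`. The profile presumably sets sshd defaults of its own as well, and this file sets `KbdInteractiveAuthentication = false;` further down, so the effective sshd settings on the host are worth checking once after the switch. The imports list starts outside the hunk.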
@@ -29,11 +30,6 @@ KbdInteractiveAuthentication = false; }; }; - security.fail2ban = { - enable = true; - maxretry = 5; - bantime = "1h"; - }; environment.systemPackages = builtins.attrValues { inherit (pkgs) htop diff --git a/hosts/linode/hardware-configuration.nix b/hosts/linode/hardware-configuration.nix index 5df0d0d..32e2dab 100644 --- a/hosts/linode/hardware-configuration.nix +++ b/hosts/linode/hardware-configuration.nix @@ -14,10 +14,6 @@ "net.ipv4.conf.all.send_redirects" = 0; "net.ipv4.tcp_syncookies" = 1; }; - loader.grub = { - enable = true; - device = "/dev/sda"; - }; kernelModules = [ "virtio_pci" "virtio_blk" diff --git a/hosts/linode/toggles.nix b/hosts/linode/toggles.nix index a6fe5bb..34b96e4 100644 --- a/hosts/linode/toggles.nix +++ b/hosts/linode/toggles.nix @@ -1,25 +1,16 @@ _: { timeZone = "America/Mexico_City"; - locale = "en_US.UTF-8"; - wireguard.enable = true; - network.enable = true; + services = { + network.enable = true; + wireguard.enable = true; + }; secureHost = false; + interfaces.linode = "eth0"; ips = { - vps = "51.222.141.104"; - wg-vps = "10.77.0.1"; + linode = "51.222.141.104"; + wg-linode = "10.77.0.1"; wg-server = "10.77.0.2"; wg-friend1 = "10.8.0.2"; wg-friends = "10.8.0.0"; }; - interfaces = { - linode = "eth0"; - }; - dev = { - nix.enable = true; - sh.enable = true; - }; - shell = { - tools.enable = true; - config.enable = true; - }; } diff --git a/hosts/linode/wireguard-linode.nix b/hosts/linode/wireguard-linode.nix index 3236a93..9ee2647 100644 --- a/hosts/linode/wireguard-linode.nix +++ b/hosts/linode/wireguard-linode.nix @@ -40,7 +40,7 @@ }; wireguard.interfaces.wg0 = { ips = [ - "${config.my.ips.wg-vps}/24" + "${config.my.ips.wg-linode}/24" "${config.my.ips.wg-friends}/24" ]; listenPort = 51820; diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix index c48422b..c8b3422 100644 --- a/hosts/server/configuration.nix +++ b/hosts/server/configuration.nix 
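Review bot: In the hosts/linode/toggles.nix hunk the renamed `linode` entry keeps the address `51.222.141.104` that `vps` had, although the commit description says the IP addresses were updated for the new Linode setup; the modules/modules.nix hunk does the same. If the host really moved, the WireGuard `endpoint` in hosts/server/configuration.nix and the ssh match block in config/jawz.nix still point at the old machine, so the value should be confirmed against the new instance. The address table is also written out twice (here and in modules/modules.nix), which is why the rename had to touch both files; if the values in modules.nix are option defaults, the `ips` block here could be dropped. A comment such as `# public address of the Linode instance; must match the WireGuard endpoint used by server` on the `linode` line would make the coupling visible.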
@@ -52,9 +52,9 @@ peers = [ { publicKey = "dFbiSekBwnZomarcS31o5+w6imHjMPNCipkfc2fZ3GY="; - endpoint = "${config.my.ips.vps}:51820"; + endpoint = "${config.my.ips.linode}:51820"; allowedIPs = [ - "${config.my.ips.wg-vps}/32" + "${config.my.ips.wg-linode}/32" "${config.my.ips.wg-friends}/24" ]; persistentKeepalive = 25; diff --git a/modules/modules.nix b/modules/modules.nix index 61f10e5..f9dfa06 100644 --- a/modules/modules.nix +++ b/modules/modules.nix @@ -49,8 +49,8 @@ in server = "192.168.100.15"; miniserver = "192.168.1.100"; workstation = "192.168.100.18"; - vps = "51.222.141.104"; - wg-vps = "10.77.0.1"; + linode = "51.222.141.104"; + wg-linode = "10.77.0.1"; wg-server = "10.77.0.2"; wg-friend1 = "10.8.0.2"; wg-friends = "10.8.0.0"; diff --git a/parts/images.nix b/parts/images.nix index 8df4a8d..5a1f100 100644 --- a/parts/images.nix +++ b/parts/images.nix @@ -1,8 +1,5 @@ { inputs, ... }: { - flake.packages.x86_64-linux.linode-image = inputs.nixos-generators.nixosGenerate { - system = "x86_64-linux"; - modules = [ inputs.self.nixosConfigurations.linode.config.system.build.toplevel.outPath ]; - format = "linode"; - }; + flake.packages.x86_64-linux.linode-image = + inputs.self.nixosConfigurations.linode.config.system.build.linodeImage; } diff --git a/secrets/wireguard.yaml b/secrets/wireguard.yaml index fd5f3f0..90694da 100644 --- a/secrets/wireguard.yaml +++ b/secrets/wireguard.yaml 
@@ -1,19 +1,13 @@ -wireguard: - linode: - private: ENC[AES256_GCM,data:PejimzNOiJGlTbMZjlyZIFYCnhu/ZAisG/we03ZJo8VO4cwclm+ztXCE89c=,iv:iw3hIUxMyx7rIQ56Nc4zPXBdRn8HYL44AXOu57VfiX0=,tag:zZcGrTU+1k6FRtTG5zj4pw==,type:str] - public: ENC[AES256_GCM,data:G3p/wGLeNq8/icpKbIUGEMC/l8rqptUv7tpB2md+fmo0UJieK3s3lWy79u8=,iv:4LQ8RfT3VkzdrxkOn+XROKdnBqdhbBdRzw+x/j+t/BY=,tag:+s4eCnDp6XSE+w4wlB+QLA==,type:str] +server: + private: ENC[AES256_GCM,data:8/wwIn29F5DxRIjFz51GgBUmAdaOeyS4cDN/vFzypagyNyOJ1VygiT1NXMA=,iv:uUk55wrayGJ6YRNC67z51T4DW6r/LVOol39/JJKYZxg=,tag:uuAuAqzTUOJjkLsDrZig2A==,type:str] + public: ENC[AES256_GCM,data:J3j3AlG2liVRZERvlpClWekGa4AZWBfACe9J5YegzG1liU5/ZkPzMOzdf4I=,iv:8o9IpQWh0QtdwDj1knpsEOrPLorSZPQKiO8QJxBlPco=,tag:QDHai1bzFXS7vuTpIJqClA==,type:str] +linode: server: - private: ENC[AES256_GCM,data:owBMyfOeeizHMbRp7yqaE95otpyEsH5HUk0RcltEqgzvTGfTWBLP8ZvMhPA=,iv:KtGd+w4WtRGJ6ux+70SOU6eq21Ak4r0obFimvPWWSjE=,tag:2eYP41vhKNyUi/3zyOY+Vg==,type:str] - public: ENC[AES256_GCM,data:9GcLl+xpcZZ7XU4c0eDqvUjc9VVvs8C4ZhRUfB9WjuGIu3we/Syxh8pGC8c=,iv:IdXada3p+GVpLgm9mOGjAObPPFfXzSNVfBm01Liyz4s=,tag:uzB5BpVNT4F+wUO3gwsunQ==,type:str] - private_old: ENC[AES256_GCM,data:T6SIjKfNJSyapmF1IFkoSBT0S8/bsvbivRqbS8FubQ0UnZ+SfMRIEHVPXgg=,iv:OnQw4OKfRmDhOzBUq834oqTDCobE5RW2EKqFYUf1Xt8=,tag:4hJ8pumr4KDMyM1Sygy57g==,type:str] - public_old: ENC[AES256_GCM,data:teRFtsuKyrK/D5yag+RyHCsrtuuK1S0rC9By9I+eMCTGh00Jiw7T/kEdGm0=,iv:A8JAcZekzDnP+PNhH1YKigBhNVSKqsRC0UbIr+Af5ec=,tag:m852G+0tdrqzpY1J6YBxrg==,type:str] -vps: - server: - private: ENC[AES256_GCM,data:wrP/069tuQs3ObYE8Q0MNVxe3+4vZ2HIImoIdZpj1uPgdBknboX1wmANv/k=,iv:FJL5KumHos8PoXra+BB2Uc6YedsF6MD3wWyuugXzJ+E=,tag:nVuTrW2P7JvnWnv6H1SmdQ==,type:str] - public: ENC[AES256_GCM,data:YnKOf9725v9FkzdNPDVf/iinMbY/YWn6ksqEz+mpB4KHVlOvpbV6vLSKRcs=,iv:aWQNy6mT4sxVbzaXKgRzZ9XVsiBCRsOlLORRqC+uiKE=,tag:mLWv6mr3VVfw0J5BrqByXg==,type:str] + private: 
ENC[AES256_GCM,data:ReI4nnGcR4GbLuQOkosYG9CtQWc/YSV/BVVwY2lfM9miskRIh+aw4kudSNM=,iv:B2JrRpD7tYF+PtdQddyzUl0kp36VVXSNFrHOAoUgwA4=,tag:GV3joCZbl85tvlMAq/Kqug==,type:str] + public: ENC[AES256_GCM,data:VKYak059lumcQy3QtCanYwBwmsKkkSVEQilOu+KUYmMykirV+DUpI23jloY=,iv:5NYbyrMQTlC8qp/fmGToK+ZpKhDcP8UWbmRNoWzn64k=,tag:fi46BRJAksrUuDYP+5Nvmw==,type:str] home: - private: ENC[AES256_GCM,data:YZ0jvBzkMv8Bwc9u3LDJzwSqQvPj8wPUxTIeBFiLYVQQIBjm8aS1dTYuPvo=,iv:mXuW7TVERxOMmGIit3a7Spmbk/EgYuGkO66AWJUnMF0=,tag:xM7C3F3JCiud/A9yPD5ydQ==,type:str] - public: ENC[AES256_GCM,data:DcwAHhHjIxFqRL5h7p/0nkFnWiI/iqR8Fws6AuFaxjgUHKYd/6l3D6q/O/0=,iv:bBJ0bsKRiGQUSlRmHqeLQWkOIUNfG5VVpuV6MOtKZO0=,tag:harMG6GDIfclmSq3D36bTw==,type:str] + private: ENC[AES256_GCM,data:Bo3Hzd9Xh4kufO8G4J6Gm2znsUcBc25OlB+ECI4u2roeo7QgQpRXxa8RamM=,iv:0D+FmQxqyZZeCA+iA/gMp0soZ2LtM9fNTP6hGIVrNaM=,tag:Bk18KYKZEDWBBEK5dHKO6w==,type:str] + public: ENC[AES256_GCM,data:sHXh/i9nBHgpgsBVPgvpiEJIHIXzlCa3EhG/eFYL1tKz6Iabcr4bnAUbe08=,iv:V6eSlQRenSCz5VRJMQTXafIb2TTB33p7jzOkixSwIM0=,tag:tjutVj+K6CdtN/FOZqqaHw==,type:str] sops: age: - recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37 
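Review bot: No hunk in this patch updates a `sops.secrets` declaration, although this hunk removes the `wireguard:` and `vps:` trees and regroups the entries under a top-level `server` key and a `linode` tree; hosts/linode/wireguard-linode.nix and hosts/server/configuration.nix change only address lines. Any declaration that still names one of the removed paths should fail when sops-nix extracts secrets at activation, so the consumers need to be checked against the new layout before deploying. Every ciphertext is replaced as well; sops binds each value to its key path, so that alone does not show a rotation, but if the linode private key was regenerated then the `publicKey` pinned in hosts/server/configuration.nix, which this patch leaves unchanged, has to be updated together with it.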
@@ -52,7 +46,7 @@ sops: KzZFSWprL0l0MDdVdEVKbEV5eklZdTAK/1ZyGvElfp+LVloSR6aJUtvrgU0CrzaJ SQtO7vc4oDedkiTz6LKySta+uyn3e17Jzdyy9nU2D/Q5X+CpKGP3cg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-28T19:13:03Z" - mac: ENC[AES256_GCM,data:Mp6sgr6VwoQqnOmqloCAeKuL/8kB4vNLxk94AXAzX1z/Wq+R3Y3I6Yh3hB+QeTRW8nJ5hmGjAEeVzFtjRFP7EcL3KKY3B7s7TU1O+I3lWYMgNuCG6+Z7do62x/1ZyeCGMRQDIc6Xzu13ktyxf4AeVxg/7w0qBHbt3QVa18UM08U=,iv:4jJ5mDEeNgSwd+ekzDuF1z8pSNy04M1XEPr7TIIrZ2M=,tag:ZwiHCXKQWONsBJ9NGsYo1w==,type:str] + lastmodified: "2025-10-28T19:42:02Z" + mac: ENC[AES256_GCM,data:b6/AkxnYppuHIU2oOqOZFizfqhwGjHquzhaeKnBhinXUqmAwoYRgHH54w951HR0Qp9IXu4P7BmlmqET2IhtIXjTtfkDOz9LUUJT0kRmpW5uyXcgiaPQWFFT1r3FnUNPla1O3mBpaT8FD1LVZunEGJ7o3smHJ8aXStbV3RIwdUsQ=,iv:4yCLwkTxW9wMFyoUK9WvaRR+GI1r884uGRKLvmzVF2I=,tag:wLk0v/f06rLczCX+/UN4Ng==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0