Refactor WireGuard secret paths for Linode configuration

- Updated secret paths in wireguard-linode.nix and configuration.nix to use 'linode' instead of 'wireguard' for clarity and consistency. - Adjusted private key file references in wireguard.nix to align with the new secret path structure.
Update Linode configuration in jawz.nix and adjust SSH settings
2025-10-28 13:53:18 -06:00 · 2025-10-28 13:45:11 -06:00 · 2025-10-28 13:42:23 -06:00 · 2025-10-28 13:31:40 -06:00 · 2025-10-28 13:30:35 -06:00
21 changed files with 326 additions and 141 deletions
--- a/.github/workflows/build-schemes.yml
+++ b/.github/workflows/build-schemes.yml
@@ -3,8 +3,8 @@ name: Build All Color Schemes
 on:
  push:
    paths:
-      - "config/schemes.nix"
-      - "config/scheme-utils.nix"
+      - 'config/schemes.nix'
+      - 'config/scheme-utils.nix'
  workflow_dispatch:

 jobs:
@@ -14,79 +14,79 @@ jobs:
      HOSTNAME: server
    
    steps:
-      - uses: actions/checkout@v4
+    - uses: actions/checkout@v4
    
-      - name: Get available schemes
-        id: schemes
-        run: |
-          SCHEMES=$(nix eval --raw --impure --expr '
-            let
-              pkgs = import <nixpkgs> {};
-              inputs = {};
-              utils = import ./scripts/scheme-utils.nix { inherit pkgs inputs; };
-            in
-            builtins.concatStringsSep " " utils.availableSchemes
-          ')
-          echo "schemes=$SCHEMES" >> $GITHUB_OUTPUT
-          echo "Available schemes: $SCHEMES"
+    - name: Get available schemes
+      id: schemes
+      run: |
+        SCHEMES=$(nix eval --raw --impure --expr '
+          let
+            pkgs = import <nixpkgs> {};
+            inputs = {};
+            utils = import ./scripts/scheme-utils.nix { inherit pkgs inputs; };
+          in
+          builtins.concatStringsSep " " utils.availableSchemes
+        ')
+        echo "schemes=$SCHEMES" >> $GITHUB_OUTPUT
+        echo "Available schemes: $SCHEMES"
    
-      - name: Configure Attic cache
-        run: |
-          # Configure attic client to use your cache server
-          attic login servidos http://127.0.0.1:2343 ${{ secrets.ATTIC_TOKEN }}
+    - name: Configure Attic cache
+      run: |
+        # Configure attic client to use your cache server
+        attic login servidos https://cache.servidos.lat ${{ secrets.ATTIC_TOKEN }}
    
-      - name: Build and push all schemes
-        run: |
-          echo "Building and pushing all schemes..."
+    - name: Build and push all schemes
+      run: |
+        echo "Building and pushing all schemes..."
        
-          # Store original scheme
-          ORIGINAL_SCHEME=$(grep -oP "scheme = schemesFile\.schemes\.\K\w+" config/stylix.nix)
-          echo "Original scheme: $ORIGINAL_SCHEME"
-
-          # Build and push each scheme
-          for scheme in ${{ steps.schemes.outputs.schemes }}; do
-            echo "========================================="
-            echo "Processing scheme: $scheme"
-            echo "========================================="
-
-            # Update stylix.nix to use this scheme
-            sed -i "s/scheme = schemesFile\.schemes\.\w\+;/scheme = schemesFile.schemes.$scheme;/" config/stylix.nix
-
-            # Verify the change
-            grep "scheme = schemesFile.schemes" config/stylix.nix
-
-            # Build the configuration
-            echo "Building $scheme..."
-            nix build .#nixosConfigurations.${HOSTNAME}.config.system.build.toplevel \
-              --out-link ./result-$scheme \
-              --quiet
-
-            # Push to cache
-            echo "Pushing $scheme to cache..."
-            attic push servidos:nixos ./result-$scheme
-
-            # Also push using print-out-paths for better cache coverage
-            nix build .#nixosConfigurations.${HOSTNAME}.config.system.build.toplevel \
-              --print-out-paths \
-              --quiet | attic push servidos:nixos --stdin
-
-            echo "✓ Completed $scheme"
-            echo ""
-          done
-
-          # Restore original scheme
-          echo "Restoring original scheme: $ORIGINAL_SCHEME"
-          sed -i "s/scheme = schemesFile\.schemes\.\w\+;/scheme = schemesFile.schemes.$ORIGINAL_SCHEME;/" config/stylix.nix
+        # Store original scheme
+        ORIGINAL_SCHEME=$(grep -oP "scheme = schemesFile\.schemes\.\K\w+" config/stylix.nix)
+        echo "Original scheme: $ORIGINAL_SCHEME"
        
+        # Build and push each scheme
+        for scheme in ${{ steps.schemes.outputs.schemes }}; do
          echo "========================================="
-          echo "All schemes built and pushed successfully!"
+          echo "Processing scheme: $scheme"
          echo "========================================="
          
-      - name: Summary
-        run: |
-          SCHEME_COUNT=$(echo "${{ steps.schemes.outputs.schemes }}" | wc -w)
-          echo "✅ Color scheme builds completed successfully!"
-          echo "- Built $SCHEME_COUNT schemes: ${{ steps.schemes.outputs.schemes }}"
-          echo "- Pushed all builds to Atticd cache"
+          # Update stylix.nix to use this scheme
+          sed -i "s/scheme = schemesFile\.schemes\.\w\+;/scheme = schemesFile.schemes.$scheme;/" config/stylix.nix
+          
+          # Verify the change
+          grep "scheme = schemesFile.schemes" config/stylix.nix
+          
+          # Build the configuration
+          echo "Building $scheme..."
+          nix build .#nixosConfigurations.${HOSTNAME}.config.system.build.toplevel \
+            --out-link ./result-$scheme \
+            --quiet
+          
+          # Push to cache
+          echo "Pushing $scheme to cache..."
+          attic push servidos:nixos ./result-$scheme
+          
+          # Also push using print-out-paths for better cache coverage
+          nix build .#nixosConfigurations.${HOSTNAME}.config.system.build.toplevel \
+            --print-out-paths \
+            --quiet | attic push servidos:nixos --stdin
+          
+          echo "✓ Completed $scheme"
          echo ""
-          echo "You can now switch schemes quickly without waiting for builds!"
+        done
+        
+        # Restore original scheme
+        echo "Restoring original scheme: $ORIGINAL_SCHEME"
+        sed -i "s/scheme = schemesFile\.schemes\.\w\+;/scheme = schemesFile.schemes.$ORIGINAL_SCHEME;/" config/stylix.nix
+        
+        echo "========================================="
+        echo "All schemes built and pushed successfully!"
+        echo "========================================="
+    
+    - name: Summary
+      run: |
+        SCHEME_COUNT=$(echo "${{ steps.schemes.outputs.schemes }}" | wc -w)
+        echo "✅ Color scheme builds completed successfully!"
+        echo "- Built $SCHEME_COUNT schemes: ${{ steps.schemes.outputs.schemes }}"
+        echo "- Pushed all builds to Atticd cache"
+        echo ""
+        echo "You can now switch schemes quickly without waiting for builds!"
--- a/.github/workflows/weekly-build-cache.yml
+++ b/.github/workflows/weekly-build-cache.yml
@@ -38,7 +38,7 @@ jobs:
        if: steps.check_changes.outputs.changes == 'true'
        run: |
          # Configure attic client to use your cache server
-          attic login servidos http://127.0.0.1:2343 ${{ secrets.ATTIC_TOKEN }}
+          attic login servidos https://cache.servidos.lat ${{ secrets.ATTIC_TOKEN }}

      - name: Build workstation configuration
        if: steps.check_changes.outputs.changes == 'true'
--- a/config/jawz.nix
+++ b/config/jawz.nix
@@ -31,9 +31,8 @@ in
    programs.ssh = lib.mkIf config.my.secureHost {
      enable = true;
      matchBlocks = {
-        vps = {
-          hostname = config.my.ips.vps;
-          user = "jawz";
+        linode = {
+          hostname = config.my.ips.linode;
          port = 3456;
          identityFile = config.sops.secrets."private_keys/${hostName}".path;
        };
@@ -75,7 +74,7 @@ in
      "miniserver"
      "galaxy"
      "phone"
-      "vps"
+      "linode"
    ];
  };
 }
--- a/dotfiles/stignore
+++ b/dotfiles/stignore
@@ -1,7 +1,6 @@
 (?d)jawz/chrome/userChrome.css
 (?d)jawz/chrome/userContent.css
 (?d)jawz/lock
-(?d)jawz/storage
 (?d)jawz/user.js
 (?d)native-messaging-hosts/org.gnome.browser_connector.json
 (?d)native-messaging-hosts/org.gnome.chrome_gnome_shell.json
--- a/flake.lock
+++ b/flake.lock
@@ -234,11 +234,11 @@
        "nixpkgs-lib": "nixpkgs-lib_2"
      },
      "locked": {
-        "lastModified": 1760948891,
-        "narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=",
+        "lastModified": 1760813311,
+        "narHash": "sha256-lbHQ7FXGzt6/IygWvJ1lCq+Txcut3xYYd6VIpF1ojkg=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04",
+        "rev": "4e627ac2e1b8f1de7f5090064242de9a259dbbc8",
        "type": "github"
      },
      "original": {
@@ -492,11 +492,11 @@
        "xdph": "xdph"
      },
      "locked": {
-        "lastModified": 1761758444,
-        "narHash": "sha256-m05lvxm5qhUoAWB5vkyt9llmGcQ05Q7Km8d6QvMVfVA=",
+        "lastModified": 1761340761,
+        "narHash": "sha256-j12amQpLU23PbblMzw8Tt4whr2PxjP6XXYH99uYGFGc=",
        "owner": "hyprwm",
        "repo": "Hyprland",
-        "rev": "83a0a62004ee915921ac36a96760944ad6550e1e",
+        "rev": "da04afa44e7545771b08f8e0defd2cd1810f1613",
        "type": "github"
      },
      "original": {
@@ -685,11 +685,11 @@
        "sudoku-solver": "sudoku-solver"
      },
      "locked": {
-        "lastModified": 1761720517,
-        "narHash": "sha256-YWKeZsstuJMEOlC31pyveuLT9525YW+wzTAMHDawgZ0=",
+        "lastModified": 1760073554,
+        "narHash": "sha256-Ydqg/9lpoha2vgspjviqeRh6/tsWN+pZcUxn1ZyrFZM=",
        "ref": "refs/heads/master",
-        "rev": "07daae7770da1201de6825de9b65eab0fcd81ca8",
-        "revCount": 116,
+        "rev": "5c13b806a094f3605e2da70e133551848ad8d9a9",
+        "revCount": 109,
        "type": "git",
        "url": "https://git.servidos.lat/jawz/scripts.git"
      },
@@ -706,11 +706,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1761703070,
-        "narHash": "sha256-KAsGjetWzPdUYqGuOu1Vu95d8i+L7JqwG7o3hLJ7DD8=",
+        "lastModified": 1761356901,
+        "narHash": "sha256-YDySchURSJrS1P8zuzmFqypUS7shY6//0e0JiMZeLSI=",
        "owner": "fufexan",
        "repo": "nix-gaming",
-        "rev": "30854a5ad380aa93b18c254bca4b5d7b6f3dc968",
+        "rev": "a8635e459ff96acbd156a8de613b99d9d6b3676a",
        "type": "github"
      },
      "original": {
@@ -821,11 +821,11 @@
    },
    "nixpkgs-small": {
      "locked": {
-        "lastModified": 1761706708,
-        "narHash": "sha256-zgrEi11Ok83JI2U11GQqSiE0TddvdHfnE8jI0iE4Vms=",
+        "lastModified": 1761294158,
+        "narHash": "sha256-woFH58dy/EDeL1Li4IarZE9+0p0zdPmCsxCvKA7oYu4=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "1f12c8011e59aca25db5cbf000735089a51874ea",
+        "rev": "e7b2e554a77018dec2f259b782d062500c133d49",
        "type": "github"
      },
      "original": {
@@ -837,11 +837,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1761373498,
-        "narHash": "sha256-Q/uhWNvd7V7k1H1ZPMy/vkx3F8C13ZcdrKjO7Jv7v0c=",
+        "lastModified": 1761114652,
+        "narHash": "sha256-f/QCJM/YhrV/lavyCVz8iU3rlZun6d+dAiC3H+CDle4=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "6a08e6bb4e46ff7fcbb53d409b253f6bad8a28ce",
+        "rev": "01f116e4df6a15f4ccdffb1bcd41096869fb385c",
        "type": "github"
      },
      "original": {
@@ -853,11 +853,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1761468971,
-        "narHash": "sha256-vY2OLVg5ZTobdroQKQQSipSIkHlxOTrIF1fsMzPh8w8=",
+        "lastModified": 1761173472,
+        "narHash": "sha256-m9W0dYXflzeGgKNravKJvTMR4Qqa2MVD11AwlGMufeE=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "78e34d1667d32d8a0ffc3eba4591ff256e80576e",
+        "rev": "c8aa8cc00a5cb57fada0851a038d35c08a36a2bb",
        "type": "github"
      },
      "original": {
@@ -896,11 +896,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1761756571,
-        "narHash": "sha256-Ryt/9e3t+KEo9BT1TJqpi8hnkGOQrG1ddsOPf12zwBM=",
+        "lastModified": 1761364085,
+        "narHash": "sha256-4BKMXhQ8SSYOo9NoK221fVYM86xMw5smoqHvwmLaDEo=",
        "owner": "nix-community",
        "repo": "nur",
-        "rev": "14ea3a540e215ee60d970038f56c26ffb205b843",
+        "rev": "e9f1e9e9cb027dd87785534261d0feb0097dfcfa",
        "type": "github"
      },
      "original": {
@@ -1037,11 +1037,11 @@
        "tinted-zed": "tinted-zed"
      },
      "locked": {
-        "lastModified": 1761668239,
-        "narHash": "sha256-b0+7/5hBUsLjd/gMY9/LSEsvuWFFolHdpUAOlG73zmw=",
+        "lastModified": 1760478648,
+        "narHash": "sha256-Y4l+Y3zUvqIDbyLrtOrzNvp1o50Fp9TYK+iwtwweFU4=",
        "owner": "danth",
        "repo": "stylix",
-        "rev": "a149a557dc306e76d53e7dd488826e61ef9c6289",
+        "rev": "1ec254101285777db13922303cc47ded06e10bb3",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -67,6 +67,7 @@
        ./parts/hosts.nix
        ./parts/packages.nix
        ./parts/devshells.nix
+        ./parts/images.nix
      ];
    };
 }
--- a/hosts/linode/configuration.nix
+++ b/hosts/linode/configuration.nix
@@ -0,0 +1,47 @@
+{
+  lib,
+  pkgs,
+  config,
+  inputs,
+  ...
+}:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./wireguard-linode.nix
+    ../../config/base.nix
+    inputs.nixos-generators.nixosModules.linode
+  ];
+  my = import ./toggles.nix { inherit config inputs; } // {
+    nix.cores = 2;
+    users.nixremote.enable = false;
+    network.firewall = {
+      enabledServicePorts = true;
+      additionalPorts = [ ];
+    };
+  };
+  networking.hostName = "linode";
+  services.openssh = {
+    enable = true;
+    openFirewall = true;
+    startWhenNeeded = lib.mkForce false;
+    settings = {
+      PasswordAuthentication = false;
+      PermitRootLogin = "prohibit-password";
+      KbdInteractiveAuthentication = false;
+    };
+  };
+  environment.systemPackages = builtins.attrValues {
+    inherit (pkgs)
+      htop
+      iotop
+      tcpdump
+      wireguard-tools
+      ;
+  };
+  system.autoUpgrade = {
+    enable = true;
+    dates = "weekly";
+    allowReboot = true;
+  };
+}
--- a/hosts/linode/hardware-configuration.nix
+++ b/hosts/linode/hardware-configuration.nix
@@ -0,0 +1,43 @@
+{ lib, modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot = {
+    tmp.cleanOnBoot = true;
+    kernel.sysctl = {
+      "net.core.default_qdisc" = "fq";
+      "net.ipv4.tcp_congestion_control" = "bbr";
+      "net.ipv4.conf.all.rp_filter" = 1;
+      "net.ipv4.conf.default.rp_filter" = 1;
+      "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
+      "net.ipv4.conf.all.accept_source_route" = 0;
+      "net.ipv6.conf.all.accept_source_route" = 0;
+      "net.ipv4.conf.all.send_redirects" = 0;
+      "net.ipv4.tcp_syncookies" = 1;
+    };
+    kernelModules = [
+      "virtio_pci"
+      "virtio_blk"
+      "virtio_net"
+    ];
+    initrd = {
+      availableKernelModules = [
+        "virtio_pci"
+        "virtio_scsi"
+        "virtio_blk"
+        "virtio_net"
+        "9p"
+        "9pnet_virtio"
+      ];
+      kernelModules = [ ];
+    };
+    extraModulePackages = [ ];
+  };
+  fileSystems."/" = {
+    device = "/dev/sda";
+    fsType = "ext4";
+  };
+  swapDevices = [ { device = "/dev/sdb"; } ];
+  networking.useDHCP = lib.mkDefault true;
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.enableRedistributableFirmware = true;
+}
--- a/hosts/linode/toggles.nix
+++ b/hosts/linode/toggles.nix
@@ -0,0 +1,16 @@
+_: {
+  timeZone = "America/Mexico_City";
+  services = {
+    network.enable = true;
+    wireguard.enable = true;
+  };
+  secureHost = false;
+  interfaces.linode = "eth0";
+  ips = {
+    linode = "51.222.141.104";
+    wg-linode = "10.77.0.1";
+    wg-server = "10.77.0.2";
+    wg-friend1 = "10.8.0.2";
+    wg-friends = "10.8.0.0";
+  };
+}
--- a/hosts/linode/wireguard-linode.nix
+++ b/hosts/linode/wireguard-linode.nix
@@ -0,0 +1,76 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  config = lib.mkIf config.my.services.wireguard.enable {
+    sops.secrets."linode/linode/private" = lib.mkIf config.my.secureHost {
+      sopsFile = ../../secrets/wireguard.yaml;
+    };
+    networking = {
+      nat = {
+        enable = true;
+        externalInterface = config.my.interfaces.${config.networking.hostName};
+        internalInterfaces = [ "wg0" ];
+      };
+      firewall = {
+        allowedUDPPorts = [ 51820 ];
+        extraCommands = ''
+          iptables -I FORWARD 1 -s ${config.my.ips.wg-friend1} -d ${config.my.ips.wg-server} -p tcp --dport 22000 -j ACCEPT
+          iptables -I FORWARD 2 -s ${config.my.ips.wg-server} -d ${config.my.ips.wg-friend1} -p tcp --sport 22000 -m state --state ESTABLISHED,RELATED -j ACCEPT
+          iptables -I FORWARD 3 -s ${config.my.ips.wg-friends}/24 -d 10.77.0.0/24 -j DROP
+          iptables -I FORWARD 4 -s 10.77.0.0/24 -d ${config.my.ips.wg-friends}/24 -j DROP
+          iptables -A FORWARD -s ${config.my.ips.wg-friends}/24 -o ${
+            config.my.interfaces.${config.networking.hostName}
+          } -j ACCEPT
+          iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+        '';
+        extraStopCommands = ''
+          iptables -D FORWARD -s ${config.my.ips.wg-friend1} -d ${config.my.ips.wg-server} -p tcp --dport 22000 -j ACCEPT 2>/dev/null || true
+          iptables -D FORWARD -s ${config.my.ips.wg-server} -d ${config.my.ips.wg-friend1} -p tcp --sport 22000 -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true
+          iptables -D FORWARD -s ${config.my.ips.wg-friends}/24 -d 10.77.0.0/24 -j DROP 2>/dev/null || true
+          iptables -D FORWARD -s 10.77.0.0/24 -d ${config.my.ips.wg-friends}/24 -j DROP 2>/dev/null || true
+          iptables -D FORWARD -s ${config.my.ips.wg-friends}/24 -o ${
+            config.my.interfaces.${config.networking.hostName}
+          } -j ACCEPT 2>/dev/null || true
+          iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true
+        '';
+      };
+      wireguard.interfaces.wg0 = {
+        ips = [
+          "${config.my.ips.wg-linode}/24"
+          "${config.my.ips.wg-friends}/24"
+        ];
+        listenPort = 51820;
+        privateKeyFile =
+          if config.my.secureHost then
+            config.sops.secrets."linode/linode/private".path
+          else
+            "/var/lib/wireguard/private.key";
+        postSetup = "${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${config.my.ips.wg-friends}/24 -o ${
+          config.my.interfaces.${config.networking.hostName}
+        } -j MASQUERADE";
+        postShutdown = "${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${config.my.ips.wg-friends}/24 -o ${
+          config.my.interfaces.${config.networking.hostName}
+        } -j MASQUERADE 2>/dev/null || true";
+        peers = [
+          {
+            publicKey = "OUiqluRaS4hmGvLJ3csQrnIM3Zzet50gsqtTABaUkH4=";
+            allowedIPs = [ "${config.my.ips.wg-server}/32" ];
+          }
+          {
+            publicKey = "rFgT6TXzRazK6GMazMNGjtOvzAAPST0LvCfN7QXsLho=";
+            allowedIPs = [ "${config.my.ips.wg-friend1}/32" ];
+          }
+        ];
+      };
+    };
+    boot.kernel.sysctl = {
+      "net.ipv4.ip_forward" = 1;
+      "net.ipv6.conf.all.forwarding" = 1;
+    };
+    environment.systemPackages = [ pkgs.wireguard-tools ];
+  };
+}
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -37,7 +37,7 @@
      supportedFeatures = config.my.nix.features;
    }
  ];
-  sops.secrets."vps/home/private" = lib.mkIf config.my.secureHost {
+  sops.secrets."linode/server/private" = lib.mkIf config.my.secureHost {
    sopsFile = ../../secrets/wireguard.yaml;
  };
  networking = {
@@ -48,14 +48,14 @@
    };
    wireguard.interfaces.wg0 = lib.mkIf config.my.secureHost {
      ips = [ "${config.my.ips.wg-server}/32" ];
-      privateKeyFile = config.sops.secrets."vps/home/private".path;
+      privateKeyFile = config.sops.secrets."linode/server/private".path;
      peers = [
        {
          publicKey = "dFbiSekBwnZomarcS31o5+w6imHjMPNCipkfc2fZ3GY=";
-          endpoint = "${config.my.ips.vps}:51820";
+          endpoint = "${config.my.ips.linode}:51820";
          allowedIPs = [
-            "${config.my.ips.wg-vps}/32"
-            "${config.my.ips.wg-friends}/24" # all friends
+            "${config.my.ips.wg-linode}/32"
+            "${config.my.ips.wg-friends}/24"
          ];
          persistentKeepalive = 25;
        }
--- a/modules/modules.nix
+++ b/modules/modules.nix
@@ -49,8 +49,8 @@ in
        server = "192.168.100.15";
        miniserver = "192.168.1.100";
        workstation = "192.168.100.18";
-        vps = "172.236.243.182";
-        wg-vps = "10.77.0.1";
+        linode = "51.222.141.104";
+        wg-linode = "10.77.0.1";
        wg-server = "10.77.0.2";
        wg-friend1 = "10.8.0.2";
        wg-friends = "10.8.0.0";
@@ -63,6 +63,7 @@ in
        server = "enp0s31f6";
        miniserver = "enp2s0";
        workstation = "enp5s0";
+        linode = "eth0";
      };
      description = "Set of network interface names for all my computers.";
    };
--- a/modules/servers/atticd.nix
+++ b/modules/servers/atticd.nix
@@ -26,7 +26,7 @@ in
        };
        compression = {
          type = "zstd";
-          level = 3;
+          level = 8;
        };
        garbage-collection = {
          interval = "7 days";
--- a/modules/servers/synapse.nix
+++ b/modules/servers/synapse.nix
@@ -58,7 +58,7 @@ in
        ];
        settings = {
          server_name = cfg.domain;
-          public_baseurl = "http://${config.my.ips.wg-server}:${toString cfg.port}";
+          public_baseurl = cfg.url;
          federation_domain_whitelist = [ ];
          allow_public_rooms_without_auth = false;
          allow_public_rooms_over_federation = false;
--- a/modules/services/wireguard.nix
+++ b/modules/services/wireguard.nix
@@ -11,7 +11,7 @@ in
 {
  options.my.services.wireguard.enable = lib.mkEnableOption "WireGuard VPN configuration";
  config = lib.mkIf (config.my.services.wireguard.enable && config.my.secureHost) {
-    sops.secrets."wireguard/private".sopsFile = ../../secrets/wireguard.yaml;
+    sops.secrets."server/private".sopsFile = ../../secrets/wireguard.yaml;
    networking = {
      firewall.allowedUDPPorts = [ port ];
      nat = {
@@ -22,13 +22,9 @@ in
      wireguard.interfaces.wg0 = {
        ips = [ "10.100.0.1/24" ];
        listenPort = port;
-        postSetup = ''
-          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ${interface} -j MASQUERADE
-        '';
-        postShutdown = ''
-          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ${interface} -j MASQUERADE
-        '';
-        privateKeyFile = config.sops.secrets."wireguard/private".path;
+        postSetup = "${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ${interface} -j MASQUERADE";
+        postShutdown = "${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ${interface} -j MASQUERADE";
+        privateKeyFile = config.sops.secrets."server/private".path;
        peers = [
          {
            publicKey = "ciupBjCcIpd3K5vlzNMJC8iiyNqB9xXwkSC6UXPKP3g=";
--- a/modules/shell/tools.nix
+++ b/modules/shell/tools.nix
@@ -106,6 +106,8 @@ in
        jq # json parser
        yq # yaml parser
        smartmontools # check hard drie health
+        ;
+      inherit (inputs.jawz-scripts.packages.x86_64-linux)
        rmlint # amazing dupe finder that integrates well with BTRFS
        ;
    };
--- a/parts/core.nix
+++ b/parts/core.nix
@@ -141,7 +141,7 @@ in
        ips: hostName: lib:
        builtins.attrNames ips
        |> builtins.filter (
-          name: !(lib.hasPrefix "wg-" name) && name != "vps" && name != "router" && name != hostName
+          name: !(lib.hasPrefix "wg-" name) && name != "linode" && name != "router" && name != hostName
        );
      shellConditional =
        shellType: bashContent: zshContent:
@@ -204,9 +204,8 @@ in
        miniserver = ../secrets/ssh/ed25519_miniserver.pub;
        galaxy = ../secrets/ssh/ed25519_galaxy.pub;
        phone = ../secrets/ssh/ed25519_phone.pub;
-        vps = ../secrets/ssh/ed25519_vps.pub;
+        linode = ../secrets/ssh/ed25519_linode.pub;
        emacs = ../secrets/ssh/ed25519_emacs.pub;
-        # Build user keys (nixremote)
        nixworkstation = ../secrets/ssh/ed25519_nixworkstation.pub;
        nixserver = ../secrets/ssh/ed25519_nixserver.pub;
        nixminiserver = ../secrets/ssh/ed25519_nixminiserver.pub;
--- a/parts/hosts.nix
+++ b/parts/hosts.nix
@@ -6,5 +6,6 @@
    server = inputs.self.lib.createConfig "server" inputs.nixpkgs-small;
    galaxy = inputs.self.lib.createConfig "galaxy" inputs.nixpkgs-small;
    emacs = inputs.self.lib.createConfig "emacs" inputs.nixpkgs;
+    linode = inputs.self.lib.createConfig "linode" inputs.nixpkgs-small;
  };
 }
--- a/parts/images.nix
+++ b/parts/images.nix
@@ -0,0 +1,5 @@
+{ inputs, ... }:
+{
+  flake.packages.x86_64-linux.linode-image =
+    inputs.self.nixosConfigurations.linode.config.system.build.linodeImage;
+}
--- a/secrets/ssh/ed25519_linode.pub
+++ b/secrets/ssh/ed25519_linode.pub
--- a/secrets/wireguard.yaml
+++ b/secrets/wireguard.yaml
@@ -1,13 +1,13 @@
-wireguard:
-    private: ENC[AES256_GCM,data:wwggc9T88gK/EMmjPauf14DZGUnfipBpfN3FnlPhsO6FtVmK2aad/D0/Rqw=,iv:Q15iiEOFRa3bPf7NfZcEZOgEqnjIJPenYgE6c6HRYI8=,tag:x+auLhc/FDhxZxzWmcrX9Q==,type:str]
-    public: ENC[AES256_GCM,data:uelp1opnLR5EfvNBSA3Sk33ktMoG6+Pvj7oKYtdlCpXMZel9O8G7P4X5S2M=,iv:AQECJmnXSc2MM0pT8ZJtA51pn+tvhhyAxFDMBH/H6wA=,tag:yWsnQbHaeiXyPLbpxMZwsg==,type:str]
-vps:
+server:
+    private: ENC[AES256_GCM,data:8/wwIn29F5DxRIjFz51GgBUmAdaOeyS4cDN/vFzypagyNyOJ1VygiT1NXMA=,iv:uUk55wrayGJ6YRNC67z51T4DW6r/LVOol39/JJKYZxg=,tag:uuAuAqzTUOJjkLsDrZig2A==,type:str]
+    public: ENC[AES256_GCM,data:J3j3AlG2liVRZERvlpClWekGa4AZWBfACe9J5YegzG1liU5/ZkPzMOzdf4I=,iv:8o9IpQWh0QtdwDj1knpsEOrPLorSZPQKiO8QJxBlPco=,tag:QDHai1bzFXS7vuTpIJqClA==,type:str]
+linode:
    server:
-        private: ENC[AES256_GCM,data:wrP/069tuQs3ObYE8Q0MNVxe3+4vZ2HIImoIdZpj1uPgdBknboX1wmANv/k=,iv:FJL5KumHos8PoXra+BB2Uc6YedsF6MD3wWyuugXzJ+E=,tag:nVuTrW2P7JvnWnv6H1SmdQ==,type:str]
-        public: ENC[AES256_GCM,data:YnKOf9725v9FkzdNPDVf/iinMbY/YWn6ksqEz+mpB4KHVlOvpbV6vLSKRcs=,iv:aWQNy6mT4sxVbzaXKgRzZ9XVsiBCRsOlLORRqC+uiKE=,tag:mLWv6mr3VVfw0J5BrqByXg==,type:str]
+        private: ENC[AES256_GCM,data:ReI4nnGcR4GbLuQOkosYG9CtQWc/YSV/BVVwY2lfM9miskRIh+aw4kudSNM=,iv:B2JrRpD7tYF+PtdQddyzUl0kp36VVXSNFrHOAoUgwA4=,tag:GV3joCZbl85tvlMAq/Kqug==,type:str]
+        public: ENC[AES256_GCM,data:VKYak059lumcQy3QtCanYwBwmsKkkSVEQilOu+KUYmMykirV+DUpI23jloY=,iv:5NYbyrMQTlC8qp/fmGToK+ZpKhDcP8UWbmRNoWzn64k=,tag:fi46BRJAksrUuDYP+5Nvmw==,type:str]
    home:
-        private: ENC[AES256_GCM,data:YZ0jvBzkMv8Bwc9u3LDJzwSqQvPj8wPUxTIeBFiLYVQQIBjm8aS1dTYuPvo=,iv:mXuW7TVERxOMmGIit3a7Spmbk/EgYuGkO66AWJUnMF0=,tag:xM7C3F3JCiud/A9yPD5ydQ==,type:str]
-        public: ENC[AES256_GCM,data:DcwAHhHjIxFqRL5h7p/0nkFnWiI/iqR8Fws6AuFaxjgUHKYd/6l3D6q/O/0=,iv:bBJ0bsKRiGQUSlRmHqeLQWkOIUNfG5VVpuV6MOtKZO0=,tag:harMG6GDIfclmSq3D36bTw==,type:str]
+        private: ENC[AES256_GCM,data:Bo3Hzd9Xh4kufO8G4J6Gm2znsUcBc25OlB+ECI4u2roeo7QgQpRXxa8RamM=,iv:0D+FmQxqyZZeCA+iA/gMp0soZ2LtM9fNTP6hGIVrNaM=,tag:Bk18KYKZEDWBBEK5dHKO6w==,type:str]
+        public: ENC[AES256_GCM,data:sHXh/i9nBHgpgsBVPgvpiEJIHIXzlCa3EhG/eFYL1tKz6Iabcr4bnAUbe08=,iv:V6eSlQRenSCz5VRJMQTXafIb2TTB33p7jzOkixSwIM0=,tag:tjutVj+K6CdtN/FOZqqaHw==,type:str]
 sops:
    age:
        - recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37
@@ -46,7 +46,7 @@ sops:
            KzZFSWprL0l0MDdVdEVKbEV5eklZdTAK/1ZyGvElfp+LVloSR6aJUtvrgU0CrzaJ
            SQtO7vc4oDedkiTz6LKySta+uyn3e17Jzdyy9nU2D/Q5X+CpKGP3cg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-09-08T00:14:52Z"
-    mac: ENC[AES256_GCM,data:O2herKRy4k9ZMuPzzPF5QlBC2isXdRoIsbYLJ/6X7esxtxxgNuAljx4SCR6UMT7pl3G2E33cnnBEkuAIy6SMXOaZNfOuAEJXaCwpRwCXu26lrcTf6n7UdP36GWfIRsR4utD5/vv66ch6MqmQWkW7E5zydy5dOv+BJ4XS/50OUQs=,iv:TscYNQaeI+mBxyobxI1O4wUzRtA27pvjXz27kqMJhA0=,tag:zx/xrYAWJCxYz5HRTKzYfQ==,type:str]
+    lastmodified: "2025-10-28T19:42:02Z"
+    mac: ENC[AES256_GCM,data:b6/AkxnYppuHIU2oOqOZFizfqhwGjHquzhaeKnBhinXUqmAwoYRgHH54w951HR0Qp9IXu4P7BmlmqET2IhtIXjTtfkDOz9LUUJT0kRmpW5uyXcgiaPQWFFT1r3FnUNPla1O3mBpaT8FD1LVZunEGJ7o3smHJ8aXStbV3RIwdUsQ=,iv:4yCLwkTxW9wMFyoUK9WvaRR+GI1r884uGRKLvmzVF2I=,tag:wLk0v/f06rLczCX+/UN4Ng==,type:str]
    unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0
Author	SHA1	Message	Date
Danilo Reyes	667b4c7a46	Refactor WireGuard secret paths for Linode configuration - Updated secret paths in wireguard-linode.nix and configuration.nix to use 'linode' instead of 'wireguard' for clarity and consistency. - Adjusted private key file references in wireguard.nix to align with the new secret path structure.	2025-10-28 13:53:18 -06:00
Danilo Reyes	01284154f7	Update Linode configuration in jawz.nix and adjust SSH settings - Changed hostname reference from 'vps' to 'linode' in jawz.nix for improved clarity. - Modified SSH service configuration in linode's configuration.nix to force start behavior.	2025-10-28 13:45:11 -06:00
Danilo Reyes	f1d565225a	Refactor Linode configuration and update WireGuard settings - Renamed SSH match block from 'vps' to 'linode' in jawz.nix for clarity. - Updated IP addresses in toggles.nix and other configuration files to reflect the new Linode setup. - Removed deprecated fail2ban configuration from linode's configuration.nix. - Adjusted WireGuard interface settings to use the correct IP for linode. - Cleaned up hardware configuration by removing unnecessary GRUB loader settings. - Updated secrets management in wireguard.yaml to streamline key handling.	2025-10-28 13:42:23 -06:00
Danilo Reyes	ac48e8c86b	Update WireGuard configuration to disable secureHost and adjust private key handling - Changed secureHost setting from true to false in toggles.nix. - Modified wireguard-linode.nix to use a default private key path when secureHost is false, enhancing flexibility in key management.	2025-10-28 13:31:40 -06:00
Danilo Reyes	431e145992	Add Linode host configuration and WireGuard setup - Introduced new configuration files for Linode host, including hardware configuration, toggles, and WireGuard settings. - Updated flake.nix to include the new images.nix file for Linode image generation. - Adjusted SSH key paths and secrets management for WireGuard to ensure proper integration with the new host setup. - Enhanced firewall rules and NAT configuration for WireGuard to improve security and connectivity.	2025-10-28 13:30:35 -06:00