fix xrdp, add vpn vm

2025-06-02 15:08:38 +02:00
parent 6c21647214
commit 3bf278cef4
42 changed files with 306 additions and 89 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -797,6 +797,22 @@
        "type": "github"
      }
    },
    "nixpkgs-working-xrdp": {
      "locked": {
        "lastModified": 1748395176,
        "narHash": "sha256-mkXRJlVaWUwRzWPiswA6gGnXno2wzDrHsTGLMknK8ck=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "af3da081316501d9744dbb4d988fafcdda2bf6cb",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "af3da081316501d9744dbb4d988fafcdda2bf6cb",
        "type": "github"
      }
    },
    "nixvim": {
      "inputs": {
        "flake-parts": "flake-parts",
@@ -945,6 +961,7 @@
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "nixpkgs-working-xrdp": "nixpkgs-working-xrdp",
        "nixvim": "nixvim",
        "nur": "nur",
        "quickshell": "quickshell",
--- a/flake.nix
+++ b/flake.nix
@@ -26,6 +26,7 @@
      url = "github:nix-community/home-manager/master";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
    nixpkgs-working-xrdp.url = "github:NixOS/nixpkgs/af3da081316501d9744dbb4d988fafcdda2bf6cb";
    # cosmic testing
    #nixos-cosmic = {
    #  url = "github:lilyinstarlight/nixos-cosmic";
@@ -160,6 +161,13 @@
        "amd-server" = mkHost {
          modules = [ ./users/kopatz ./systems/amd-server/configuration.nix ];
        };
        "amd-server-vpn-vm" = mkHost {
          modules = [
            ./users/anon
            ./systems/amd-server-vpn-vm/configuration.nix
            disko.nixosModules.disko
          ];
        };
        # build vm -> nixos-rebuild build-vm  --flake .#vm
        "vm" =
          mkHost { modules = [ ./users/vm ./systems/vm/configuration.nix ]; };
--- a/home-manager/nixvim/default.nix
+++ b/home-manager/nixvim/default.nix
@@ -1,12 +1,15 @@
-{ lib, pkgs, ... }:
+{ lib, pkgs, osConfig, ... }:
 # https://nix-community.github.io/nixvim/NeovimOptions/index.html
 let
  cfg = osConfig.custom.nixvimPlugins;
  args = { inherit lib pkgs; };
  importFile = file:
    let config = import file;
    in if builtins.isFunction config then config args else config;
  configs = map importFile [
    ./config.nix
  ] ++ lib.optionals cfg [
    ./auto-pairs.nix
    ./autosave.nix
    ./blankline.nix
@@ -26,7 +29,6 @@ let
    ./trouble.nix
    ./which_key.nix
    ./wilder.nix
    ./config.nix
  ];
  merged =
    builtins.foldl' (acc: elem: lib.recursiveUpdate acc elem) { } configs;
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -13,6 +13,8 @@
  # Set your time zone.
  time.timeZone = "Europe/Vienna";
  services.speechd.enable = false;
  # Select internationalisation properties.
  i18n = {
    defaultLocale = "en_US.UTF-8";
--- a/modules/hardware/amd-gpu.nix
+++ b/modules/hardware/amd-gpu.nix
@@ -3,12 +3,13 @@ let cfg = config.custom.hardware.amd-gpu;
 in {
  options.custom.hardware.amd-gpu = {
    enable = lib.mkEnableOption "Enables amd gpus";
    overdrive = lib.mkEnableOption "Enables overdrive";
    rocm.enable = lib.mkEnableOption "Enables rocm";
  };
  config =
    lib.mkIf cfg.enable {
-      boot.kernelParams =
+      boot.kernelParams = lib.mkIf cfg.overdrive
        [ "amdgpu.ppfeaturemask=0xfff7ffff" "split_lock_detect=off" ];
      hardware.graphics = {
@@ -21,16 +22,17 @@ in {
      services.xserver.videoDrivers = [ "amdgpu" ];
      # controller (overclock, undervolt, fan curves)
      environment.systemPackages = with pkgs; [
        lact
        nvtopPackages.amd
        amdgpu_top
      ] ++ lib.optionals cfg.rocm.enable [
        clinfo
        rocmPackages.rocminfo
      ] ++ lib.optionals cfg.overdrive [
        lact
      ];
      systemd = {
-        packages = with pkgs; [ lact ];
+        packages = lib.mkIf cfg.overdrive (with pkgs; [ lact ]);
-        services.lactd.wantedBy = [ "multi-user.target" ];
+        services.lactd.wantedBy = lib.mkIf cfg.overdrive [ "multi-user.target" ];
        #rocm
        tmpfiles.rules =
          let
--- a/modules/misc/default.nix
+++ b/modules/misc/default.nix
@@ -13,5 +13,6 @@
    ./virt-manager.nix
    ./wireshark.nix
    ./podman.nix
    ./nixvim.nix
  ];
 }
--- a/modules/misc/nixvim.nix
+++ b/modules/misc/nixvim.nix
@@ -0,0 +1,6 @@
 { lib, config, pkgs, inputs, ... }:
 with lib;
 let cfg = config.custom.nixvimPlugins;
 in {
  options.custom.nixvimPlugins = mkEnableOption "Enables nixvim plugins";
 }
--- a/modules/services/wireguard.nix
+++ b/modules/services/wireguard.nix
@@ -11,6 +11,16 @@ in
      type = types.str;
      description = "ipv4 address";
    };
    secretFile = mkOption {
      type = types.path;
      default = ../../secrets/wireguard-private.age;
      description = "agenix secret file for wireguard";
    };
    externalInterface = mkOption {
      type = types.str;
      default = "eth0";
      description = "external interface";
    };
  };
  config =
    let
@@ -19,11 +29,11 @@ in
    lib.mkIf cfg.enable {
      age.secrets.wireguard-private = {
-        file = ../../secrets/wireguard-private.age;
+        file = cfg.secretFile;
      };
      networking.nat.enable = true;
-      networking.nat.externalInterface = "eth0";
+      networking.nat.externalInterface = cfg.externalInterface;
      networking.nat.internalInterfaces = [ "wg0" ];
      networking.firewall.allowedUDPPorts = [ 51820 ];
@@ -35,6 +45,7 @@ in
            "${wireguardIp}/24"
          ];
          peers = [
            #pc
            {
              allowedIPs = [
                "192.168.2.2/32"
--- a/overlays.nix
+++ b/overlays.nix
@@ -26,6 +26,10 @@ in
        hash = "sha256-a4lbeuXEHDMDko8wte7jUdJ0yUcjfq3UPQAuSiz1UQU=";
      };
    };
    xrdp = (import inputs.nixpkgs-working-xrdp {
      system = "x86_64-linux";
      config.allowUnfree = true;
    }).xrdp;
    #hyprland =
    #  inputs.hyprland.packages.${prev.stdenv.hostPlatform.system}.hyprland;
--- a/secrets/adminarea.age
+++ b/secrets/adminarea.age
--- a/secrets/binary-cache.age
+++ b/secrets/binary-cache.age
@@ -1,7 +1,8 @@
 age-encryption.org/v1
-> ssh-ed25519 DCzi1A LrkyZ8axOcdIB+uaATOmn785EzMzTvhujhcSxmBx8kE
+-> ssh-ed25519 DCzi1A J3I1vGqKxAesFi1z4us5N741PT1XQTHJId2ySEyLBRc
-E57IVdAOTIt1TWeyBYsHembim1YPKRxJYDQTNiPhIGI
+LpXNCN/Jwepmpb0vcX9wKpxuhZmaikAy2UVLa/DPLAg
-> ssh-ed25519 lNJElA Y1jcFIXsCN0/s6xiLCLhQQhrc0N5Acpmv5K9xIYu42k
+-> ssh-ed25519 lNJElA KmftSH8+q5ACPz08PHATGlaXq8tJrxwWGuys092ZDGU
-WrhmfkCpLL4e+QhFwFICeH5BZDUQOOk4WyFoYnGbcVU
+GeNEMWhfeP4Y/yd4WVpdCCnT7Qjv/jN6jPkcj1J2bdE
--- LIVAI67ZG/+WLYki2A3HEmf6HMaLMZiAiDhgQYoWxdA
+--- 0jeS9BIt6KHyJ7SEMFEfzUNxWtNg1MPmBb0TeHwq7e0
->”cÛìTª{cR~‡©±‚\þ<>Üß<C39F>.ûík;$9m…–Ì-s7²÷>éZ ]žÛ<C5BE>êIŸ62‘æãÞÀÌ	§Š¿—ÑñBÔ±ï~0.-—0}¾j¸ú÷˜×ÝŠ0æ<30>J£eIa……œHë(òÚÑw˜ÆªjG4ÿ>FM.tÙó	b®SÃ†
+§ê^š›Ïê÷Z]-kµd\ëPû”FÍŸ(¨5ÉnÆÞ…õ·$¿—ÞïÈRÈ<52>¼¶»½¹Ý¾sµŸ‚ÜÑzÐÁåL[|a‰†:þ:’wsÇ1H·
--- a/secrets/coturn-secret.age
+++ b/secrets/coturn-secret.age
@@ -1,12 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 oDXHAQ sJuIJWUfIT5Blk4mb6eSMo0eQly28Xy1wUnghEbhgnY
+-> ssh-ed25519 oDXHAQ md93qHF2tja6ZywqmNky9L67zAEgHtJ7B8ORE4A2hwc
-R7beBV5lp8WqOug91OkUUPEONA/89THrYX8IAci/LN4
+nFzNBMDTU/6sGfrgJxEQZXwZ7r39zAfsIOC3kzCTrbs
-> ssh-ed25519 xfrWcQ +7wyNNot4A03raXTENup6dLuPWTv9uWYFrHekmRpbmc
+-> ssh-ed25519 xfrWcQ bNmEQKiIazuRzGyYBhSZxR//s2T9uus7bDOHgLMhz34
-VEYHYLyAOykmfGcaxhMNPZT/0b4DKnp9HH33T+5kc70
+Dh7l40NTjUyNy8vqYM6twMO4a9erD1/o2gi7rcKkPqE
-> ssh-ed25519 IV3DkQ iNOpEU6PKUT9Rc8CH89OLEGsAqR+gbZYME49cBQTZ2o
+-> ssh-ed25519 IV3DkQ AGc3GOCIT0NmgRpxJ1iazDFMwfy0zzXNMK/ajJNDCAE
-UY2oK6ORI5nzu1QFuACDzfvIUsPNk0x59mhySZb5lqQ
+lzCuKkmz1gv77OONOCA1XRyHFdoYEH/xb8wTEXmD8AE
-> ssh-ed25519 DCzi1A +GPlCex3iBiQIMPlf9qpUSb+hXUKGcvA5SD53Q3dMnY
+-> ssh-ed25519 DCzi1A jZ/V67RlWWrZeCw6SvRs3jdeRYKH+w7HUqc2xqK+J0M
-AnOOf6Vqnk89U1bY10xozm3fFUMSJQgrHvMr8sG/Mqc
+L7kGvI3DWfl6pZUwT+CpdhZK42Bca+cvxI+VjSGEdf8
--- W1Pl8uCqAnPrOkqJ4Az73IHOVMLIQpPTfpwC3gjnNNw
+--- 1R5/Fg644vbiofzkVU1WK3vlXxirCfIrBprZ9Kt+DrQ
-ªö
+þí{Ü*@†ÉùOüÉ’ñµ˜bL20{)<29>ºþ¨”@Ð9?©M?kqù¾ç4Êlïa´ñò…æPŸCÎ}¯¦@_<>ºèµØNFž6Ë¾’<0C>ÏaB‡vwæÛÚÕ!å¡ìAb
 !XÑ"Ùu*Éå/°ï{m=¶+ñª\¯vH¡ðxù2RRµtq)Ä
--- a/secrets/duckdns.age
+++ b/secrets/duckdns.age
@@ -1,11 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 oDXHAQ KTTFsKXQfHVY+ZhdsNfC6kUnuEdNSlz9Z+TiisCLFkY
+-> ssh-ed25519 oDXHAQ gbqR6JNoGpLB9glCUAnEdLjXfUD45FMAthMkx37UUic
-UEpAdS9bPcPjsAYzfxbN6ir5BqV07RWuOupaPU+7IPY
+XZI8xpza74wuMsPeMQmkYCtwQaZ33PuXKBzEPgVoApU
-> ssh-ed25519 xfrWcQ mC3yi/OAqQH0epKWQqXBJUDgu8hQ/bJtOyi0qz6dkB0
+-> ssh-ed25519 xfrWcQ ufWZtiUYMsPHXR5dGFBkUeXMlChDp2QzqXpYLmQthxs
-SrIKQABaoCouhsix3smMayrhM/2OJppTKenazJlah+I
+yALEGpBLzsvKET0Y4qyIIhDa0Ru/sv9At/H8HYC78IU
-> ssh-ed25519 IV3DkQ 7wZ3eoFc7TqIyGG4GHqanEkwqTTWDNUubgxIGfYm2jE
+-> ssh-ed25519 IV3DkQ 78Hnme9NIQK6jdw+C/K6w/oeFEVoPcMZzPGN+oBW9lQ
-O7Us7B146qYwxE1oFU6VqL6XJ3AclFnSvgr3wBPXG1k
+9sLV0jWl76tIRO5k3ouIleEGAGZSI+Rjtk4ycsnPQSk
-> ssh-ed25519 DCzi1A CIIjo9BNl/H2ZCRRhgw0dT6tasW/shVi6w/g9DFOamY
+-> ssh-ed25519 DCzi1A 6aZVuCw15F/iUBJVs8EubOz6X1ydLSJATUKKLTnJjS4
-bislSvJ2UN521HDg9U7yHIXbi8KpV61XHuVk4qhgeH0
+muCrYVglDqseh4ovq3d+JbugQNfnZiD4lmpCN90HNbs
--- Lh5SYKYZcCOEq66jW3H3uawATD+aNewkGWR2ePo+BLI
+--- WAl554L+ne3tInpHkPqSUo0r3ltUjweNCWMnLNq8H+4
-äÅKŽ–ScÎÆm;Ñ½9I\@Ð™ÛðËhVéi†ÓÒXE×Õ9ž%nT¶”G×=åðY°ëY“,=uL±u”.L¥Î¹Ýu
+˜0©*p+¯y7œ{£zîäï—žÔ§:e¯¼|bé'!JJý«¸?Ÿ	ìP>>Þ_>³ªJ˜
--- a/secrets/fileshelter-conf.age
+++ b/secrets/fileshelter-conf.age
--- a/secrets/github-runner-pw.age
+++ b/secrets/github-runner-pw.age
--- a/secrets/github-runner-token.age
+++ b/secrets/github-runner-token.age
--- a/secrets/grafana-contact-points.age
+++ b/secrets/grafana-contact-points.age
--- a/secrets/kavita.age
+++ b/secrets/kavita.age
--- a/secrets/matrix-registration.age
+++ b/secrets/matrix-registration.age
@@ -1,12 +1,13 @@
 age-encryption.org/v1
-> ssh-ed25519 oDXHAQ LZnNv6OdgvEdrogYC1yQiFdu8OpI0RnX0F7esNimB30
+-> ssh-ed25519 oDXHAQ atKuhdRrHGOxTZMSyHCUr2DsrkYCbJSeKp4+WJgqOzs
-cWlVnYK4IxCQtA0FHeA4AmAY5EzdkshY3VV58zydFcQ
+eymYWsh3EzTrJjxf9hQj0uV4y5rm96kMOHpWYNrGpok
-> ssh-ed25519 xfrWcQ hLs4PfX/g/hQaAeGlkQWxbWlk+Y6f+JzwsPFTpYYhHs
+-> ssh-ed25519 xfrWcQ re158GOgNwc3TtwQqYRMIGFKIL3PH+nwbHa2VG4ltGU
-DdLSEuFxdAEX2hyM+DTKl7GxzJd6ZwlOZI7KD+lxcek
+0Twg+bQxg14FH1bZ5MeEQXl9NALNt9kxfnaW/UZ6BeI
-> ssh-ed25519 IV3DkQ PwXrK5LB0YzBDrSAo1SYtxUEslAnuPBncQbnaniE8i0
+-> ssh-ed25519 IV3DkQ 7an++FYt4n0VKJ5Ne454pKqoShyXu9mOcmT24Kpr2Rg
-6VZg/BTxiDACoFPy7uNIjydeauiktIAnvU2cHdMc+Yo
+JufxZ0sWKZosVkaGn6WyvFDCPbKGqFhAVLkZN24I7iw
-> ssh-ed25519 DCzi1A 4PRejuLL3Lk4GcV2Jxrp/7XYt3nJv9jwmVa+2pzVuFE
+-> ssh-ed25519 DCzi1A lJxRwc28VmsdYFELukX4ud2bqryjJR9VD82CRZZR+VA
-J4Nh0lPN8pELXQ0PHbM/uyfNhbm0JrcTc4IrsX/7lr8
+HlAmLsHaT3HcHAuuVnm2e13mVDoQig7hmrdarub48Ug
--- sNlrWTi0hCVj8woT52fTlj3fjl+RlVxfU12bg3dZ0co
+--- H/VWknmPK9GFkXYEmCSyHbW/sHD2KSnvzwovn7qAexY
-O=?khCRM]SÉ¿áN¸CLTãR±/ð½ ´Œ:a1œµðiy£€o©ì¦„0+U|²Ý"y:7„bðwH^jÿr:¯ˆBÀÐõ¤ i€0BÀ`[XNê`Zø<5A> BÍÞ½q-e•ñ
+‹h§‰ó4ÅgèŒøJ&SÁŒã·4šüÁÀÍ2d¾¾†wÑ&†Ð¦µÒ†~¢)È>åœÃczIa´eõqxÂ€Ih¬ÊŠ„?æ±a„xB$]L!
-ŠTºÎ?¹*OWÜIÈ.ž<>pZÃË<1C>”¸âáýhÿD%Ô–ëoŸJÆ.í%t…Z&baB\×‰µ2ýzxU~Ïsq&–MAoi¥
+5T]<5D>8Kõ£±…lX†@(¦¼%çq°ñn²UÇÕÚ2©km¼U>æ6ïáÌ<C3A1>„ûCsˆyÁ	ÍöçobfñöÏû·‹™<E280B9>
 #?¹Dè‰åß Md:@hDpêÐ¦4éÓïà	@ñïlÎÎ¶ G#ª
--- a/secrets/nextcloud-admin.age
+++ b/secrets/nextcloud-admin.age
--- a/secrets/nextcloud-cert.age
+++ b/secrets/nextcloud-cert.age
--- a/secrets/nextcloud-key.age
+++ b/secrets/nextcloud-key.age
--- a/secrets/paperless.age
+++ b/secrets/paperless.age
--- a/secrets/plausible-admin.age
+++ b/secrets/plausible-admin.age
--- a/secrets/plausible-keybase.age
+++ b/secrets/plausible-keybase.age
--- a/secrets/radicale.age
+++ b/secrets/radicale.age
--- a/secrets/restic-gdrive.age
+++ b/secrets/restic-gdrive.age
--- a/secrets/restic-pw.age
+++ b/secrets/restic-pw.age
@@ -1,11 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 oDXHAQ MeblW5bvjNPWwGJfdZ8Miwrht79BUbHw0Jy0up1N4hw
+-> ssh-ed25519 oDXHAQ 1ylRcikeS7eUVRpy/q5M+9+32zB5pt2GDLU6+3wHWyI
-4egfGFBxHU1FSk3LSNRR9A/pANR6nJ1CBLth/GzfwXQ
+9VSg8kOE1g3IQvBnDwLvn0C8dOw4/xuPxxrqL+fDP3Q
-> ssh-ed25519 xfrWcQ ocBSkSDvN/RUnlnvJD4xB6C+a7RZUVWSpQzJDFL1WGc
+-> ssh-ed25519 xfrWcQ cUWcTsQ+Y8NaxA73EBuh1+Dv2YeTJB112nlpbI9JkA0
-n+90x0g0SJennwiFIthCpWeb9EFPmvopg16+tH1O98o
+fp+vmBxZ5O/WxlXmKPqwMISGsgBKrAU9tUNpwUJWy8w
-> ssh-ed25519 IV3DkQ CUmoMjOf+LwLQyi2yYiZUuMFjt6JhyGPVmICaZR+Ql0
+-> ssh-ed25519 IV3DkQ z7wy/ZXA1KvuYucY1EfDRWakBmcv7D+gwjENV7E5tlQ
-7DHpXnG7+f2SZDhI+7kLoDLMxPWPuyRKuvNrFyrjFhk
+9wovsEodoxREIHeTm7KT+OnbKxJnfrnZAdMrKu1Tf1I
-> ssh-ed25519 DCzi1A ZiGuuA3LOUyO7/7tWGczEfu633myZBQoZWqf5GySTh8
+-> ssh-ed25519 DCzi1A EGSWyT7CoUNR239LL9s0pumdWW/hWEAf9SwVKaVdODw
-qRZ/kc8o7dRW+vg2b1hl6rNouW6iObDKymglwePUkMk
+44DaSHhXr5UKDNtG7NIQjF2X1F708TNq9NAt2/fmnpg
--- s5II1ux/XZVfBGxBvKCsaD5jFiFrkzKIeQ+7fa57owA
+--- qAqy+kI1hpPXgVB+qcNqsOD2BSBxLtWq9ovkhS0rlCU
-‰	Xë½ë^ÿÎ÷êÔ7YRÿ!jÅ‹3)2G±Ú¹ZiÖ…²‹u¯n¤¥Ééb?“¤ù™t@€Á‡þŠz«¿ã”fÜ!ëÚ¦©Õ”	°¶<C2B0>…ñHn
+Ôð¥¹ú¿~m©5¡l€Ö½zz.¹ºncöI{d%$AyCû^ÐY.+ë¾ËYè›ZZ•s(ÛÃ˜;äWÈFoöTkÉÈôrAS\9tùS7í·
--- a/secrets/restic-s3.age
+++ b/secrets/restic-s3.age
@@ -1,11 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 oDXHAQ XOzDNsdpRfXTbFAMh827HC8fpfbZlh3hLucRdC3BUkc
+-> ssh-ed25519 oDXHAQ lGy14/+xXt/TQPmXAsakWe19V7i4kI4fGQHQQIMpogc
-PpB9oNTwrMetQ0la8Jgamms2MB9jvu9026lsgmgMahk
+8TuMI7xtWixvcHPpcH8y2kRkqpPnv22FlblEmstN4/A
-> ssh-ed25519 xfrWcQ LEjVX7bulslggbRPYHZ9NSF8keYkftMCj9axmnAtWTY
+-> ssh-ed25519 xfrWcQ 3WvjQXFU3bg2ygGS+E4mMoc9Ic/vQ4rvra8iGOWVTgc
-Z/DVUfeHL8kc3RyK2wOxVL+KJ4Kl8k5w87aDcFq1IpQ
+VQPu9Mqm/HYxj8txWWCst4z9l2eRQ62XZ8avK+/dfn8
-> ssh-ed25519 IV3DkQ TmMbexUGnFUk1bago4Jij9o8NSYnh1DH/V4bZTLmYV4
+-> ssh-ed25519 IV3DkQ oMYzLpfT7+j/P90OYV3/aNoQHW5L5yB7JKJV3HMyhgo
-nTh6jPMDNHa5ColIpaYEqrp6IwN5hbAhKz8R6zbLUZw
+A3LUXmdGg0xJjmTASwtZiB0bNLZpxieh/MmVziHV7pQ
-> ssh-ed25519 DCzi1A DlB+qSeuF/GbE+pjdLQv4cDxxf4ryihE0afur4qGWCw
+-> ssh-ed25519 DCzi1A R//TgPjbyySbrYIUkElsZWD2Lvk4jUHR5jVBPlRNO2s
-JCiIrF0KsQ2LzbKGuBuEg9Exk2Uq3KJm5L2c6d2Aj7w
+yWavTPCdPwDrF75zH5cCqyqfFd3//558H8QpzIY5HFU
--- +CnD1rfpAvIzKfq1FBG4dUP9wmOWX/hG32Bco8xergg
+--- 8wCpCSaUTB4qXRoE4krnNy79SQTaKsxJolzw5kpCKoo
-ˆ¤šÛKÂáXHòÌcï,½rJW›dq†¸þ/[FTOd™GÓ‹ébJJÀe°!†ä2-œ\]{®ùZÕ’f¾¦ª[+èÖs ¦¿ª%ÂkÏæ0›½Ú¤r¬3é9éÑ…nÇìï‚±p<C2B1> ¢9·ÁzÆ*!wðT¥<15>*([
+~êÉ¼GHXû509ám<C3A1>ošâbâ¦ŒŒká&¹5Êà|kZ¼q‚?Ë€,áœoð’ƒ¸À¯Ð ¼ÀAîÌPÈR<0E>Ï?šV«ù®h¼¢V»|
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -6,6 +6,7 @@ let
  mini-pc-proxmox = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP0kX32LfIOv8FDVvdp7lWesVvMGh5tj84nv7TkIR1cs root@mini-pc";
  adam-site = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfaIaKoNStnbfjB9cSJ9+PW0BVO3Uhh1uIbZA2CszDE root@nixos";
  amd-server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/t25OaQF020DZdew53gMFqoeHX1+g3um02mopke2eX root@nixos";
  amd-server-vpn-vm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKkTbNz36z1gGbKp+7NyyTpMslXcFLX0tOrfJ/GQFn+g root@amd-server-vpn-vm";
  users = [ kop ];
  systems = [ mini-pc mini-pc-proxmox server laptop ];
 in
@@ -36,4 +37,5 @@ in
  "adminarea.age".publicKeys = [ adam-site kop ];
  "radicale.age".publicKeys = [ mini-pc mini-pc-proxmox kop ];
  "binary-cache.age".publicKeys = [ kop amd-server ];
  "wireguard-evo-vpn.age".publicKeys = [ kop amd-server-vpn-vm ];
 }
--- a/secrets/stash-auth.age
+++ b/secrets/stash-auth.age
--- a/secrets/step-ca-key.age
+++ b/secrets/step-ca-key.age
--- a/secrets/step-ca-pw.age
+++ b/secrets/step-ca-pw.age
@@ -1,12 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 oDXHAQ 2ymfFXvSKnGRgK3lYGpGjKSo2aHoc8pWRzyfr4wvAm0
+-> ssh-ed25519 oDXHAQ p7LQlfq0mtdnmTJOvi6QQqAg/uCKAUWjdoVOgNcqn0g
-vr5pxY9w5wtzgv/UeQZLD7GWnrMtx/CYcdm9QKJqcBc
+Ka17+MWpb/MnZrV5HIwji54GffoeZC4ZFPzhCIxlrOw
-> ssh-ed25519 xfrWcQ fGCZ2z1IjkVbX7wvoHeXJdZ4BEnpSs+y7dirgWkWU0U
+-> ssh-ed25519 xfrWcQ Tc14rVFq5eAmbTtjNkIVdpOEBce4E8JChTznb8B6HCI
-IhvYJJxfW7+v4rDZ7vCuNN/Wxihi3Q/svjnDkZqb/dQ
+izYgC0YkqgUT/l82363MjBrDoQ0R+b5LHn7B3TglOK0
-> ssh-ed25519 IV3DkQ 4oGxySHQjh8m0vUawi/wCTQXsvabLzV0z+KKLADkpDo
+-> ssh-ed25519 IV3DkQ qQ8DSh8+Gmy0hV8w76hR+GiABQv+OJkigA40QycPABg
-PydLpD7UwO6+r2JisXwSdJqIKcheRCBUGbeAhbrkKsc
+tZnpWcEEVLqwpRpmHo/Skbc2/78dXM5Swwv6cSbitXs
-> ssh-ed25519 DCzi1A dObjGBaWBiC8VFbFtKnicT9PB66fI69F2ZGpdyTl+20
+-> ssh-ed25519 DCzi1A hTm67QVFyufZzbu7XZ2NxozPBVvOsN1UIi/8zBz+hiA
-6yv8Jaee08k6KF2WJUPYYqtoe9JItZUvcjqEdYrxpDY
+c0dCopDkZ0FgwHZ6b3H3uBJyVqvZGXtAU0TsZt/Zu8Y
--- 5hzUeFAdm5Tag8G0OAtSCyE4d2uq0ZaBsLyF53oGuuo
+--- Pp0HncaouK+xj2oF56aJ+UDanDokOEzeaZif9G4obT8
-[×<>K
+Çdš¬º¢*«)Ù®7å<37>pÄj¶Þˆ5ÛÓ—˜?%*$¿xoä@
 ¢ÃåÇìŸµ˜…µ×ézˆÉ[
--- a/secrets/webhook.age
+++ b/secrets/webhook.age
--- a/secrets/wireguard-client.age
+++ b/secrets/wireguard-client.age
--- a/secrets/wireguard-evo-vpn.age
+++ b/secrets/wireguard-evo-vpn.age
@@ -0,0 +1,8 @@
 age-encryption.org/v1
 -> ssh-ed25519 DCzi1A ik/pJSG40rFNR9Tde+Ud7RTuZwluC1za9SLrdnYyXDA
 aBWqRH0pdPYolWVAovT2cdhZZlRCG5ZTQfBjgj5jW60
 -> ssh-ed25519 Jk07yA jOO5I3Om/NvHDCd28t5OFlxJK1UwZayRro7/0pXWGBQ
 /LlY7KhwzkunIvrPJ7SqLvRDF6s3JM62SWqlczg+vHE
 --- 9SY9UJ5hw7csiD+edUptxq/pPUQDuGv70mrDtVUURw4
 n¬Öc<EFBFBD>Ù,÷ Ü\~ë9É€_‚š^e¶¬DÌ¼ñ ^Ùk]<5D>ÂAªÝÃ?`²)õaÇ
 ô™Wó®ñÆ¼þ¹CÑóžü#¨¶¯D
--- a/secrets/wireguard-private.age
+++ b/secrets/wireguard-private.age
@@ -1,11 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 oDXHAQ UN2WuFkB+D68fbdzOC0g6x1qPQnVg++ab1zQpULSWjk
+-> ssh-ed25519 oDXHAQ Vy8CxigwUtQAdsWMYpomw3YbIPme6yXQsdo1fYoqXGw
-eCezJvnuZYERwVsl3r0nsEF43Y+Jm48NWJzhMjgxZ/I
+L3NqcGFzO/bQKYrbmBmWOkDepJok8hRtd2K6dTYf9S4
-> ssh-ed25519 xfrWcQ MjbZTZcj3ldyD7CwAvWkj0GuiL0HL3vx/wV0y9/IYy4
+-> ssh-ed25519 xfrWcQ BqURQhwqLCydbVM3wuTrsOTZ0sAL3pg5X/v1f5fxRFM
-u3RvnnYKHyAT6INoGcpT26sL+EhLe4rZ3/mOSpkXFTA
+xoRTOk43HJTzy5TF3BRR0OYYqlefQGkCAKeKynJU8VU
-> ssh-ed25519 IV3DkQ ftYKp8MC6n26hGxiT3QjVXptmvBQTKyi6oX0UJrbfFI
+-> ssh-ed25519 IV3DkQ r7VVeIGEWNDfymE4e5me2NP5BPH7TLwc5dcnm+DoekA
-lL/C4ufi2vD/B+uLyGr8OLBx6TuF/KVvnkjRVSzGtcw
+4XVxP4MWvozeG0ntYHWV9UDehjcXJ4Bu1lhoApOkwrc
-> ssh-ed25519 DCzi1A 9jKX67gvYP89v3u7Ir37EMDDXrTQTBzZOuObHrXxhG0
+-> ssh-ed25519 DCzi1A 6oWBmJxJN62ObPtTep+jgclv+G5Zsc1Tra7gU2T7I2s
-KjB0/6x/9XgXiRNfPi1YZ7KtrvwZP3QIKluj1D7VDJY
+g5jPynpMYnajsvHSOmCRebiFe6jzBZe2xSLwn1nKPc4
--- dECyVdvzWEG1gBOC4YHSq3dK94vaImUSI5M5dXThx44
+--- CASVzuHoTiCtoCBtbhvZAynEFdWFfX8DYe+Y8dpzfO4
-œÚ»…„øw±sq ÀÂB–_xI£ì ¬QÒ{ãÊ1ïtä{`CP¸¹¥NšõCŒqŸÇüQ½ºk:öŸ“?¬‚Ë}1w]/ðUE0<11>8U
+S6ÆVÉÖà1=iMGºx|ý^$ÁÈ<ƒO«VŒ½(‚dŒ<03>>e»DÉOè>\Íuá!Eó]N²±õNFÁ–f¯8Ó}Ñ@~ß
--- a/systems/amd-server-vpn-vm/configuration.nix
+++ b/systems/amd-server-vpn-vm/configuration.nix
@@ -0,0 +1,83 @@
 { config, pkgs, modulesPath, lib, ... }:
 {
  imports = [
    # Include the results of the hardware scan.
    #./hardware-configuration.nix
    ../../modules/services/ssh.nix
    ../../modules/misc/logging.nix
    ../../modules/misc/motd.nix
    ../../modules/misc/kernel.nix
    ../../modules/work/vpn.nix
    #./disk-config.nix
    ./hardware.nix
    (modulesPath + "/installer/scan/not-detected.nix")
    (modulesPath + "/profiles/qemu-guest.nix")
  ];
  boot = {
    kernelParams = [ "console=tty0" "console=ttyS0" ];
    loader.timeout = lib.mkForce 1;
    loader.grub.enable = true;
    loader.grub.device = "/dev/vda";
    #loader.grub = {
    #  efiSupport = true;
    #  efiInstallAsRemovable = true;
    #  device = "nodev";
    #};
  };
  programs.firefox.enable = true;
  services.spice-vdagentd.enable = true;
  networking.usePredictableInterfaceNames = false;
  mainUser.layout = "de";
  mainUser.variant = "us";
  custom = {
    user = {
      name = "anon";
      layout = "de";
      variant = "us";
    };
    hardware = {
      firmware.enable = true;
      ssd.enable = true;
    };
    services = {
      wireguard = {
        enable = true;
        ip = "192.168.2.1";
        secretFile = ../../secrets/wireguard-evo-vpn.age;
        externalInterface = "tun0";
      };
    };
    nftables.enable = true;
    cli-tools.enable = true;
    nix = {
      index.enable = true;
      settings.enable = true;
    };
    graphical = {
      lxqt.enable = true;
    };
  };
  #fileSystems."/" = {
  #  device = "/dev/disk/by-label/nixos";
  #  fsType = "ext4";
  #  options = [ "defaults" "noatime" ];
  #};
  #fileSystems."/boot" =
  #{ device = "/dev/disk/by-label/ESP";
  #    fsType = "vfat";
  #};
  networking.hostName = "amd-server-vpn-vm"; # Define your hostname.
  # Configure console keymap
  console.keyMap = "us";
  system.stateVersion = "25.05"; # Did you read the comment?
 }
--- a/systems/amd-server-vpn-vm/disk-config.nix
+++ b/systems/amd-server-vpn-vm/disk-config.nix
@@ -0,0 +1,38 @@
 # Example to create a bios compatible gpt partition
 { lib, ... }: {
  disko.devices = {
    disk.main = {
      device = lib.mkDefault "/dev/vda";
      type = "disk";
      content = {
        type = "gpt";
        partitions = {
          boot = {
            name = "boot";
            size = "1M";
            type = "EF02";
          };
          esp = {
            name = "ESP";
            size = "500M";
            type = "EF00";
            content = {
              type = "filesystem";
              format = "vfat";
              mountpoint = "/boot";
            };
          };
          root = {
            size = "100%";
            content = {
              type = "btrfs";
              extraArgs = [ "-f" ]; # Override existing partition
              mountpoint = "/";
              mountOptions = [ "compress=zstd" "noatime" ];
            };
          };
        };
      };
    };
  };
 }
--- a/systems/amd-server-vpn-vm/hardware.nix
+++ b/systems/amd-server-vpn-vm/hardware.nix
@@ -0,0 +1,28 @@
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_blk" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/f222513b-ded1-49fa-b591-20ce86a2fe7f";
      fsType = "ext4";
    };
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/systems/laptop/configuration.nix
+++ b/systems/laptop/configuration.nix
@@ -26,6 +26,7 @@
    tmpfs.enable = true;
    wireshark.enable = true;
    virt-manager.enable = true;
    nixvimPlugins = true;
    nix = {
      ld.enable = true;
      settings.enable = true;
--- a/systems/pc/configuration.nix
+++ b/systems/pc/configuration.nix
@@ -26,6 +26,7 @@
    virt-manager.enable = true;
    nftables.enable = true;
    cli-tools.enable = true;
    nixvimPlugins = true;
    nix = {
      index.enable = true;
      ld.enable = true;
@@ -43,8 +44,11 @@
    services = { syncthing = { enable = true; }; };
    hardware = {
      android.enable = true;
-      amd-gpu.enable = true;
+      amd-gpu = {
-      amd-gpu.rocm.enable = true;
+        enable = true;
        rocm.enable = true;
        overdrive = true;
      };
      nvidia = {
        enable = false;
        clock = {