diff --git a/modules/nixos/access.nix b/modules/nixos/access.nix
deleted file mode 100644
index 4b895471..00000000
--- a/modules/nixos/access.nix
+++ /dev/null
@@ -1,238 +0,0 @@
-{
- pkgs,
- config,
- lib,
- ...
-}: let
- inherit (lib.modules) mkIf mkMerge mkBefore mkAfter mkOptionDefault;
- inherit (lib.options) mkOption mkEnableOption;
- inherit (lib.lists) optionals;
- inherit (lib.strings) concatStringsSep optionalString;
- inherit (config.services) tailscale;
- inherit (config) networking;
- cfg = config.networking.access;
- cidrModule = {config, ...}: {
- options = with lib.types; {
- all = mkOption {
- type = listOf str;
- readOnly = true;
- };
- v4 = mkOption {
- type = listOf str;
- default = [];
- };
- v6 = mkOption {
- type = listOf str;
- default = [];
- };
- };
- config.all = mkOptionDefault (
- config.v4
- ++ optionals networking.enableIPv6 config.v6
- );
- };
-in {
- options.networking.access = with lib.types; {
- cidrForNetwork = mkOption {
- type = attrsOf (submodule cidrModule);
- default = {};
- };
- localaddrs = {
- enable =
- mkEnableOption "localaddrs"
- // {
- default = networking.firewall.interfaces.local.nftables.enable;
- };
- stateDir = mkOption {
- type = path;
- default = "/var/lib/localaddrs";
- };
- reloadScript = mkOption {
- type = path;
- readOnly = true;
- };
- nftablesInclude = mkOption {
- type = lines;
- readOnly = true;
- };
- };
- };
-
- config.networking.access = {
- cidrForNetwork = {
- loopback = {
- v4 = [
- "127.0.0.0/8"
- ];
- v6 = [
- "::1"
- ];
- };
- local = {
- v4 = [
- "10.1.1.0/24"
- ];
- v6 = [
- "fd0a::/64"
- "fe80::/64"
- ];
- };
- int = {
- v4 = [
- "10.9.1.0/24"
- ];
- v6 = [
- "fd0c::/64"
- ];
- };
- tail = mkIf tailscale.enable {
- v4 = [
- "100.64.0.0/10"
- ];
- v6 = [
- "fd7a:115c:a1e0::/96"
- "fd7a:115c:a1e0:ab12::/64"
- ];
- };
- allLan = {
- v4 = cfg.cidrForNetwork.loopback.v4
- ++ cfg.cidrForNetwork.local.v4
- ++ cfg.cidrForNetwork.int.v4;
- v6 = cfg.cidrForNetwork.loopback.v6
- ++ cfg.cidrForNetwork.local.v6
- ++ cfg.cidrForNetwork.int.v6;
- };
- allLocal = {
- v4 = mkMerge [
- cfg.cidrForNetwork.allLan.v4
- (mkIf tailscale.enable cfg.cidrForNetwork.tail.v4)
- ];
- v6 = mkMerge [
- cfg.cidrForNetwork.allLan.v6
- (mkIf tailscale.enable cfg.cidrForNetwork.tail.v6)
- ];
- };
- };
- localaddrs = {
- nftablesInclude = mkBefore (''
- define localrange6 = 2001:568::/29
- ''
- + optionalString cfg.localaddrs.enable ''
- include "${cfg.localaddrs.stateDir}/*.nft"
- '');
- reloadScript = let
- localaddrs-reload = pkgs.writeShellScript "localaddrs-reload" ''
- ${config.systemd.package}/bin/systemctl reload localaddrs 2>/dev/null ||
- ${config.systemd.package}/bin/systemctl restart localaddrs ||
- true
- '';
- in "${localaddrs-reload}";
- };
- moduleArgAttrs = {
- inherit (cfg) cidrForNetwork localaddrs;
- mkSnakeOil = pkgs.callPackage ../../packages/snakeoil.nix {};
- };
- };
-
- config.networking = {
- nftables.ruleset = mkBefore cfg.localaddrs.nftablesInclude;
- firewall = {
- interfaces.local = {
- nftables.conditions = [
- "ip saddr { ${concatStringsSep ", " (cfg.cidrForNetwork.local.v4 ++ cfg.cidrForNetwork.int.v4)} }"
- (
- mkIf networking.enableIPv6
- "ip6 saddr { $localrange6, ${concatStringsSep ", " (cfg.cidrForNetwork.local.v6 ++ cfg.cidrForNetwork.int.v6)} }"
- )
- ];
- };
- };
- };
- config.systemd.services = let
- localaddrs = pkgs.writeShellScript "localaddrs" ''
- set -eu
- getaddrs() {
- local PREFIX=$1 PATTERN=$2 IPADDRS
- IPADDRS=$(${pkgs.iproute2}/bin/ip -o addr show to "$PREFIX") || return $?
- IPADDRS=$(printf '%s\n' "$IPADDRS" | ${pkgs.gnugrep}/bin/grep -o "$PATTERN") || return $?
- if [[ -z $IPADDRS ]]; then
- return 1
- fi
- printf '%s\n' "$IPADDRS"
- }
- getaddrs4() {
- getaddrs 10.1.1.0/24 '[0-9]*\.[0-9.]*/[0-9]*'
- }
- getaddrs6() {
- getaddrs 2001:568::/29 '[0-9a-f:]*:[0-9a-f:]*/[0-9]*'
- }
- mkdir -p $STATE_DIRECTORY
- if LOCALADDRS4=$(getaddrs4); then
- printf '%s\n' "$LOCALADDRS4" > $STATE_DIRECTORY/localaddrs4
- else
- echo WARNING: localaddr4 not found >&2
- fi
- if LOCALADDRS6=$(getaddrs6); then
- echo "$LOCALADDRS6" > $STATE_DIRECTORY/localaddrs6
- else
- echo WARNING: localaddr6 not found >&2
- fi
- '';
- localaddrs-nftables = pkgs.writeShellScript "localaddrs-nftables" ''
- set -eu
- LOCALADDR6=$(head -n1 "${cfg.localaddrs.stateDir}/localaddrs6" || true)
- if [[ -n $LOCALADDR6 ]]; then
- printf 'redefine localrange6 = %s\n' "$LOCALADDR6" > ${cfg.localaddrs.stateDir}/ranges.nft
- fi
- '';
- localaddrs-nginx = pkgs.writeShellScript "localaddrs-nginx" ''
- set -eu
- LOCALADDR6=$(head -n1 "${cfg.localaddrs.stateDir}/localaddrs6" || true)
- if [[ -n $LOCALADDR6 ]]; then
- printf 'allow %s;\n' "$LOCALADDR6" > ${cfg.localaddrs.stateDir}/allow.nginx.conf
- fi
- LOCALADDR4=$(head -n1 "${cfg.localaddrs.stateDir}/localaddrs4" || true)
- if [[ -n $LOCALADDR4 ]]; then
- printf 'allow %s;\n' "$LOCALADDR4" >> ${cfg.localaddrs.stateDir}/allow.nginx.conf
- fi
- '';
- in {
- localaddrs = mkIf cfg.localaddrs.enable {
- unitConfig = {
- After = ["network-online.target"];
- };
- serviceConfig = rec {
- StateDirectory = "localaddrs";
- ExecStart = mkMerge [
- ["${localaddrs}"]
- (mkIf networking.nftables.enable (mkAfter [
- "${localaddrs-nftables}"
- ]))
- (mkIf config.services.nginx.enable (mkAfter [
- "${localaddrs-nginx}"
- ]))
- ];
- ExecReload = ExecStart;
- Type = "oneshot";
- RemainAfterExit = true;
- };
- };
- nftables = mkIf (networking.nftables.enable && cfg.localaddrs.enable) rec {
- wants = ["localaddrs.service"];
- serviceConfig = {
- ExecReload = mkBefore [
- "+${cfg.localaddrs.reloadScript}"
- ];
- };
- };
- nginx = mkIf (config.services.nginx.enable && cfg.localaddrs.enable) rec {
- wants = ["localaddrs.service"];
- after = wants;
- serviceConfig = {
- ExecReload = mkBefore [
- "+${cfg.localaddrs.reloadScript}"
- ];
- };
- };
- };
-}
diff --git a/modules/nixos/access/cidr.nix b/modules/nixos/access/cidr.nix
new file mode 100644
index 00000000..5ce3c5fa
--- /dev/null
+++ b/modules/nixos/access/cidr.nix
@@ -0,0 +1,116 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib.modules) mkIf mkMerge mkOptionDefault;
+ inherit (lib.options) mkOption;
+ inherit (lib.lists) optionals;
+ inherit (lib.strings) concatStringsSep;
+ inherit (config.services) tailscale;
+ inherit (config) networking;
+ cfg = config.networking.access;
+ cidrModule = {config, ...}: {
+ options = with lib.types; {
+ all = mkOption {
+ type = listOf str;
+ readOnly = true;
+ };
+ v4 = mkOption {
+ type = listOf str;
+ default = [];
+ };
+ v6 = mkOption {
+ type = listOf str;
+ default = [];
+ };
+ };
+ config.all = mkOptionDefault (
+ config.v4
+ ++ optionals networking.enableIPv6 config.v6
+ );
+ };
+in {
+ options.networking.access = with lib.types; {
+ cidrForNetwork = mkOption {
+ type = attrsOf (submodule cidrModule);
+ default = {};
+ };
+ };
+
+ config.networking.access = {
+ cidrForNetwork = {
+ loopback = {
+ v4 = [
+ "127.0.0.0/8"
+ ];
+ v6 = [
+ "::1"
+ ];
+ };
+ local = {
+ v4 = [
+ "10.1.1.0/24"
+ ];
+ v6 = [
+ "fd0a::/64"
+ "fe80::/64"
+ ];
+ };
+ int = {
+ v4 = [
+ "10.9.1.0/24"
+ ];
+ v6 = [
+ "fd0c::/64"
+ ];
+ };
+ tail = mkIf tailscale.enable {
+ v4 = [
+ "100.64.0.0/10"
+ ];
+ v6 = [
+ "fd7a:115c:a1e0::/96"
+ "fd7a:115c:a1e0:ab12::/64"
+ ];
+ };
+ allLan = {
+ v4 = cfg.cidrForNetwork.loopback.v4
+ ++ cfg.cidrForNetwork.local.v4
+ ++ cfg.cidrForNetwork.int.v4;
+ v6 = cfg.cidrForNetwork.loopback.v6
+ ++ cfg.cidrForNetwork.local.v6
+ ++ cfg.cidrForNetwork.int.v6;
+ };
+ allLocal = {
+ v4 = mkMerge [
+ cfg.cidrForNetwork.allLan.v4
+ (mkIf tailscale.enable cfg.cidrForNetwork.tail.v4)
+ ];
+ v6 = mkMerge [
+ cfg.cidrForNetwork.allLan.v6
+ (mkIf tailscale.enable cfg.cidrForNetwork.tail.v6)
+ ];
+ };
+ };
+ moduleArgAttrs = {
+ inherit (cfg) cidrForNetwork;
+ mkSnakeOil = pkgs.callPackage ../../../packages/snakeoil.nix {};
+ };
+ };
+
+ config.networking = {
+ firewall = {
+ interfaces.local = {
+ nftables.conditions = [
+ "ip saddr { ${concatStringsSep ", " (cfg.cidrForNetwork.local.v4 ++ cfg.cidrForNetwork.int.v4)} }"
+ (
+ mkIf networking.enableIPv6
+ "ip6 saddr { ${concatStringsSep ", " (cfg.cidrForNetwork.local.v6 ++ cfg.cidrForNetwork.int.v6)} }"
+ )
+ ];
+ };
+ };
+ };
+}
diff --git a/modules/nixos/access/local.nix b/modules/nixos/access/local.nix
new file mode 100644
index 00000000..0790b161
--- /dev/null
+++ b/modules/nixos/access/local.nix
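Review bot: None of the new options in `cidrModule` or `cidrForNetwork` carries a `description`, and `all` being `readOnly` yet populated through `mkOptionDefault` is the kind of thing a reader will stumble over; suggest `description = "v4 ranges plus v6 ranges when networking.enableIPv6 is set; derived, do not set directly";` on `all`, and a short one on `cidrForNetwork` naming the built-in keys (`loopback`, `local`, `int`, `tail`, `allLan`, `allLocal`). A why-comment on the `local` interface conditions would also help, since they admit only `local` and `int` and not `loopback` or `tail` — presumably intended, but nothing says so — and the `$localrange6` part of the former v6 condition now lives in local.nix.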
@@ -0,0 +1,166 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib.modules) mkIf mkMerge mkBefore mkAfter;
+ inherit (lib.options) mkOption mkEnableOption;
+ inherit (lib.strings) optionalString;
+ inherit (config) networking;
+ cfg = config.networking.access.localaddrs;
+in {
+ options.networking.access.localaddrs = with lib.types; {
+ enable =
+ mkEnableOption "localaddrs"
+ // {
+ default = networking.firewall.interfaces.local.nftables.enable;
+ };
+ stateDir = mkOption {
+ type = path;
+ default = "/var/lib/localaddrs";
+ };
+ reloadScript = mkOption {
+ type = path;
+ readOnly = true;
+ };
+ nftablesInclude = mkOption {
+ type = lines;
+ readOnly = true;
+ };
+ };
+
+ config.networking.access = {
+ localaddrs = {
+ nftablesInclude = mkBefore (''
+ define localrange6 = 2001:568::/29
+ ''
+ + optionalString cfg.enable ''
+ include "${cfg.stateDir}/*.nft"
+ '');
+ reloadScript = let
+ localaddrs-reload = pkgs.writeShellScript "localaddrs-reload" ''
+ ${config.systemd.package}/bin/systemctl reload localaddrs 2>/dev/null ||
+ ${config.systemd.package}/bin/systemctl restart localaddrs ||
+ true
+ '';
+ in "${localaddrs-reload}";
+ };
+ moduleArgAttrs = {
+ inherit (cfg) localaddrs;
+ };
+ };
+
+ config.networking = {
+ nftables.ruleset = mkIf cfg.enable (mkBefore cfg.nftablesInclude);
+ firewall = {
+ interfaces.local = {
+ nftables.conditions = mkIf (cfg.enable && networking.enableIPv6) [ "ip6 saddr $localrange6" ];
+ };
+ };
+ };
+ config.systemd.services = let
+ localaddrs = pkgs.writeShellScript "localaddrs" ''
+ set -eu
+ getaddrs() {
+ local PREFIX=$1 PATTERN=$2 IPADDRS
+ IPADDRS=$(${pkgs.iproute2}/bin/ip -o addr show to "$PREFIX") || return $?
+ IPADDRS=$(printf '%s\n' "$IPADDRS" | ${pkgs.gnugrep}/bin/grep -o "$PATTERN") || return $?
+ if [[ -z $IPADDRS ]]; then
+ return 1
+ fi
+ printf '%s\n' "$IPADDRS"
+ }
+ getaddrs4() {
+ getaddrs 10.1.1.0/24 '[0-9]*\.[0-9.]*/[0-9]*'
+ }
+ getaddrs6() {
+ getaddrs 2001:568::/29 '[0-9a-f:]*:[0-9a-f:]*/[0-9]*'
+ }
+ stripcidr() {
+ local IPADDR
+ while read -r IPADDR; do
+ if [[ $IPADDR = ?*:?*:?*:?*:?*:?*:?*:?*/64 ]]; then
+ echo ''${IPADDR%:?*:?*:?*:?*/64}::/64
+ elif [[ $IPADDR = ?*:?*:?*:?*::*/64 ]] || [[ $IPADDR = ?*::?*:?*:?*:?*/64 ]]; then
+ echo ''${IPADDR%::*/64}::/64
+ elif [[ $IPADDR = *.*.*.*/24 ]]; then
+ echo "''${IPADDR%.*/24}.0/24"
+ else
+ echo "WARNING: localaddrs failed to parse CIDR: $IPADDR" >&2
+ echo "$IPADDR"
+ fi
+ done
+ }
+ mkdir -p $STATE_DIRECTORY
+ if LOCALADDRS4=$(getaddrs4); then
+ printf '%s\n' "$LOCALADDRS4" > $STATE_DIRECTORY/localaddrs4
+ stripcidr <<<"$LOCALADDRS4" > $STATE_DIRECTORY/localcidrs4
+ else
+ echo WARNING: localaddr4 not found >&2
+ fi
+ if LOCALADDRS6=$(getaddrs6); then
+ echo "$LOCALADDRS6" > $STATE_DIRECTORY/localaddrs6
+ stripcidr <<<"$LOCALADDRS6" > $STATE_DIRECTORY/localcidrs6
+ else
+ echo WARNING: localaddr6 not found >&2
+ fi
+ '';
+ localaddrs-nftables = pkgs.writeShellScript "localaddrs-nftables" ''
+ set -eu
+ LOCALADDR6=$(head -n1 "${cfg.stateDir}/localcidrs6" || true)
+ if [[ -n $LOCALADDR6 ]]; then
+ printf 'redefine localrange6 = %s\n' "$LOCALADDR6" > ${cfg.stateDir}/ranges.nft
+ fi
+ '';
+ localaddrs-nginx = pkgs.writeShellScript "localaddrs-nginx" ''
+ set -eu
+ LOCALADDR6=$(head -n1 "${cfg.stateDir}/localcidrs6" || true)
+ if [[ -n $LOCALADDR6 ]]; then
+ printf 'allow %s;\n' "$LOCALADDR6" > ${cfg.stateDir}/allow.nginx.conf
+ fi
+ LOCALADDR4=$(head -n1 "${cfg.stateDir}/localcidrs4" || true)
+ if [[ -n $LOCALADDR4 ]]; then
+ printf 'allow %s;\n' "$LOCALADDR4" >> ${cfg.stateDir}/allow.nginx.conf
+ fi
+ '';
+ in {
+ localaddrs = mkIf cfg.enable {
+ unitConfig = {
+ After = ["network-online.target"];
+ };
+ serviceConfig = rec {
+ StateDirectory = "localaddrs";
+ ExecStart = mkMerge [
+ ["${localaddrs}"]
+ (mkIf networking.nftables.enable (mkAfter [
+ "${localaddrs-nftables}"
+ ]))
+ (mkIf config.services.nginx.enable (mkAfter [
+ "${localaddrs-nginx}"
+ ]))
+ ];
+ ExecReload = ExecStart;
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ };
+ nftables = mkIf (networking.nftables.enable && cfg.enable) {
+ wants = ["localaddrs.service"];
+ serviceConfig = {
+ ExecReload = mkBefore [
+ "+${cfg.reloadScript}"
+ ];
+ };
+ };
+ nginx = mkIf (config.services.nginx.enable && cfg.enable) rec {
+ wants = ["localaddrs.service"];
+ after = wants;
+ serviceConfig = {
+ ExecReload = mkBefore [
+ "+${cfg.reloadScript}"
+ ];
+ };
+ };
+ };
+}
diff --git a/modules/nixos/access/peeps.nix b/modules/nixos/access/peeps.nix
new file mode 100644
index 00000000..bd47921d
--- /dev/null
+++ b/modules/nixos/access/peeps.nix
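Review bot: In `localaddrs-nginx` the `allow.nginx.conf` file is only truncated on the IPv6 branch, so whenever `localcidrs6` yields nothing the IPv4 `allow` line is appended on every ExecStart/ExecReload and the file accumulates duplicates while keeping whatever was written last time; truncate once up front, `: > ${cfg.stateDir}/allow.nginx.conf`, and use `>>` for both lines. The same staleness affects the `localaddrs` script: when `getaddrs4`/`getaddrs6` find no address, the previous `localaddrs*`/`localcidrs*` files in the persistent StateDirectory are left in place, so `ranges.nft` and the nginx allow list keep trusting a prefix the host no longer holds — the `else` branches should `rm -f` those files (and the consumer scripts should remove `ranges.nft`/`allow.nginx.conf` when they have nothing to write). Separately, the `stripcidr` patterns only recognise a fully expanded address or a `::` exactly after or before four hextets, and `?*` also matches `:`, so (constructed examples) `2001:568:1::1/64` falls through to the warning branch and the host address is passed on unchanged, while `2001:568:1:2:3::1/64` matches the second branch and comes out as `2001:568:1:2:3::/64` rather than the /64 prefix; what nft makes of a non-aligned `redefine localrange6` I can't tell from here. Note also that the fallback `define localrange6 = 2001:568::/29` treats the whole provider /29 as local until the service has written a narrower range.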
@@ -0,0 +1,53 @@
+{
+ config,
+ options,
+ lib,
+ ...
+}: let
+ inherit (lib.options) mkOption mkEnableOption;
+ inherit (lib.modules) mkIf mkMerge mkBefore mkDefault;
+ inherit (lib.attrsets) mapAttrsToList mapAttrs' nameValuePair;
+ inherit (lib.strings) concatStringsSep;
+ inherit (config) networking;
+ cfg = config.networking.access.peeps;
+ mkSopsName = name: "access-peeps-nft-${name}";
+ mkNftName = name: "peeps_${name}6";
+ hasSops = options ? sops.secrets;
+in {
+ options.networking.access.peeps = with lib.types; {
+ enable = mkEnableOption "peeps" // { default = hasSops; };
+ ranges = mkOption {
+ type = attrsOf str;
+ default = { };
+ };
+ stateDir = mkOption {
+ type = path;
+ default = "/run/access/peeps";
+ };
+ };
+ config.${if hasSops then "sops" else null}.secrets = let
+ sopsFile = mkDefault ../../../nixos/secrets/access.yaml;
+ sopsSecrets = mapAttrs' (name: _: nameValuePair (mkSopsName name) {
+ inherit sopsFile;
+ path = mkDefault "${cfg.stateDir}/${name}.nft";
+ }) cfg.ranges;
+ in mkIf cfg.enable sopsSecrets;
+
+ config.networking = let
+ nftRanges = mapAttrsToList (name: range: let
+ nft = "define ${mkNftName name} = ${range}";
+ in mkBefore nft) cfg.ranges;
+ condition = "ip6 saddr { ${concatStringsSep "," (mapAttrsToList (name: _: "$" + mkNftName name) cfg.ranges)} }";
+ in {
+ nftables.ruleset = mkIf cfg.enable (mkMerge (
+ nftRanges
+ ++ [ (mkBefore ''include "${cfg.stateDir}/*.nft"'') ]
+ ));
+ firewall.interfaces.peeps = {
+ nftables.enable = cfg.enable;
+ nftables.conditions = [
+ (mkIf (cfg.enable && networking.enableIPv6) condition)
+ ];
+ };
+ };
+}
diff --git a/nixos/minecraft/bedrock.nix b/nixos/minecraft/bedrock.nix
index b82ff155..28f9e547 100644
--- a/nixos/minecraft/bedrock.nix
+++ b/nixos/minecraft/bedrock.nix
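Review bot: `condition` is built from `cfg.ranges` unconditionally, so with `enable = true` (the default whenever sops is present) and no ranges declared the `peeps` interface gets the condition `ip6 saddr {  }`, an empty anonymous set that nft will most likely refuse to load, taking the whole ruleset down; gate it on the map being non-empty, `(mkIf (cfg.enable && networking.enableIPv6 && cfg.ranges != {}) condition)`. Relatedly, `nftables.enable = cfg.enable` is not tied to `networking.enableIPv6` while the only condition is, so on an IPv4-only host the interface is enabled with an empty `conditions` list; what the interface module does with that I can't tell from here, but if it means "no restriction" the UDP ports bedrock.nix now opens on `peeps` would be reachable from anywhere, and `nftables.enable = cfg.enable && networking.enableIPv6;` would close that. The options also lack `description`s; `ranges` in particular should say that values are interpolated verbatim into `define` statements and the `ip6 saddr` set, so each must be a valid nft IPv6 prefix, and that a matching sops secret named by `mkSopsName` is expected per key.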
@@ -18,10 +18,12 @@ in {
 tree-capitator-rs.package = addons.definitive-tree-capitator-rs;
 };
 allowPlayers = let
- base = 2535460000000000;
+ base = 2535420000000000;
+ nums = 1760;
 in {
- Kyxna.xuid = base + 4308966797;
- arcnmx.xuid = base + 13399068799;
+ Kyxna.xuid = base + 44308966797;
+ arcnmx.xuid = base + 413399068799;
+ "ConnieHeart${toString (base / 1000000000000 + nums)}".xuid = base + 417602225;
 };
 };
 systemd.services.minecraft-bedrock-server = mkIf cfg.enable {
@@ -35,9 +37,10 @@ in {
 users.${cfg.user}.uid = 913;
 groups.${cfg.group}.gid = config.users.users.${cfg.user}.uid;
 };
- networking.firewall.interfaces.local = let
+ networking.firewall.interfaces = let
 ports = [ cfg.serverProperties.server-port cfg.serverProperties.server-portv6 ];
 in mkIf cfg.enable {
- allowedUDPPorts = ports;
+ local.allowedUDPPorts = ports;
+ peeps.allowedUDPPorts = ports;
 };
 }
diff --git a/nixos/secrets/access.yaml b/nixos/secrets/access.yaml
new file mode 100644
index 00000000..2c585ec2
--- /dev/null
+++ b/nixos/secrets/access.yaml
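Review bot: `peeps.allowedUDPPorts` in the second hunk relies on `networking.firewall.interfaces.peeps` being the address-set pseudo-interface defined by modules/nixos/access/peeps.nix; in stock NixOS that attribute path is keyed by network-interface name, so on a host where the access module is not imported (this commit only switches it on through tree.nix) the same line quietly becomes a rule for a NIC literally called `peeps` and opens nothing, with no evaluation error to flag it. Since these are the ports through which outside parties reach the server, a `mkIf (config.networking.access.peeps.enable or false)` on the `peeps` entry, or an assertion that the option exists, would make the dependency explicit. The rest of the `networking.firewall.interfaces` expression and the unit definition are outside the hunk.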
@@ -0,0 +1,120 @@ +access-peeps-nft-connieallure: ENC[AES256_GCM,data:K+Mjtc/23sseniuQg9GyklMkvRh2VZFFQHGsw6MWMYgpriX6KI3o0V+0upoxrXzDHtNE/Hp/OHE=,iv:Oo0fIUHkXFeQA6jyyTCInsQYM9x7B9ZbkAyBQSt86Xk=,tag:v87P8BXfvqJcn9qKUM0CQw==,type:str] +sops: + shamir_threshold: 1 + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIVlJmVTFKZVJ6Z3V0K0tS + clgyNEtMRlVKM2RybDNnN0Nja0Y0NTJKT2l3CmRXZHVHWTExUmVNVCswTm1JYkNi + QjhKWmp4dnZxVmJBdFQrYXdqT2NrbzgKLS0tIGM3Qk5VYWkvelllQmxMOFNZbTkw + djJMVjVqbWhvdzhlVW05Y0JvM3FHQzQKmhFhntjjR0fikS7b//dLSvdtkRyT3AMr + u8RSg4QpvejOTRKfJ8vsv2b654b37QrnLdFwgByzluJr1ETG92vLIA== + -----END AGE ENCRYPTED FILE----- + - recipient: age176uyyyk7veqnzmm8xzwfhf0u23m6hm02cldlfkldunqe6std0gcq6lg057 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5QjdtczlwOUJDUkc1QU8r + dDRBNXRZS3Avc09kVy96cHE0OTZwWDg1Z2hRClA4K2xyNjNkM1YrTU9xZE14Wnh6 + ZlhFK29tS3dUMkx2QTU4VzEwek03SzAKLS0tIG5vVnUwMWlGc0xmREtIR1ZMNW04 + T29GMHdaRWV2VTRiUXJMRzdpdTBFTXMKx7aF3X5XfNdXEJIhBRxwdXh8lOXOH+et + 2RcBNIsQURLBfZQ9rK/Hoy39+S3sKO6ECytAI+jqhEEVnNppUtonVQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age15hmlkd9p5rladsjzpmvrh6u34xvggu9mzdsdxdj3ms43tltxeuhq4g7g9k + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArVDdGRmNrUFJwSCtYU0NW + eFViTmVhMlZKTVdGWlg3dy9wcDJhVDFkOG5NCkFHUUlmRkNYbVVqVFBNOSsvK1VG + c2pVV2FmK3Frc3dpSjBEd3oxRkpVd1UKLS0tIDNiWXlidVo3ZmFEMS9NSVFEMGc1 + bHA4Z0hGS3QvUkpVUVlTQnlGMkd1aEUK3yP5WzCUZeeLDTHNyVe2zIk4tKZOx59o + w8NTaXRYGkQp0BAc0pKv1IGRP/wQBgUElhWnfTsMbzG2+Aey+lrj8Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age10t6kc5069cyky929vvxk8aznqyxpkx3k5h5rmlyz83xtjmr22ahqe8mzes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPWXF2MUFtZUNtOTJaTG9a + 
RVJkS0l2cU0reEJIdHI2QkkzMU1CUC83S2t3ClU4MDhGVEJ0VEF2cGEyUXkyUmQw + YXhZNFNHUmJqQVRjOUtrV2JqdXhPbGsKLS0tIGdzQ1h2LzdLNk1pbGZjWU5POUEz + QTRwdURiS1o0YTNmMGlNdElIR0xicXMKHCnCa4KxEAmdOkbcWVz0i3BUJ1uSeZvr + ZosXjnKNZYWBqijECwWFAPkxdLRXsJs9RDq0di7qTGYhjQAH+pTvTg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXbkdsSFZObE9GZERzZm1x + RVZGR0tCMklmaTM2RnZKSEdMZGNlOFc4VkNrCkRUTC9FQjkwdkltQnh0V0ZVYlor + T1BHeVBzdkZpbm91RmlyRFIxUHRucW8KLS0tIG5iM2ppRmJuVWtORG9GQlVxbjNJ + UWh1dXlmSnZ5aEdNN2p2bEk2L3ppZGMKVBYG9SessgUOz6BzvNE/s0iSaDawSSyl + vcs+Cp+JAEFZWO6V7F6dpb65tl1Ua/0vEAXc3uwRbtW2IVyIYTmVeA== + -----END AGE ENCRYPTED FILE----- + - recipient: age16klpkaut5759dut8mdm3jn0rnp8w6kxyvs9n6ntqrdsayjtd7upqlvw489 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2SU9sSitRRzQyV2FZczhB + UDBBVGVwUXozZDBUamdpcnhvekI3UG9Kb0Z3ClFYWlZPZWhGbHYreHEwdmk5SnAv + blVLbFBocUtTTmFmMXZyY1c4c2hxWVkKLS0tIElFTUdXbDM0WEhjVGlPU3BxQVRO + djF6R2kyYjY5OWV5NjFTQm5wUXJYMncKDu4SczknbAduRIdhsyM6zY++ad6vs6ej + S92xI6Av9lluES0kDEEyJZYqqoJOjXVLBKfBQFVwmX1su7P/XCOHxA== + -----END AGE ENCRYPTED FILE----- + - recipient: age13qgddr326g5je0fpq2r3k940vsr3fh9nlvl9xtcxk3xg2x0k3vsq7pvzaj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2VURXbFJpclIzRnFybnps + MS81ZXNKcjRkYncrY2dIN0JoUTc1MGVnbGxNCmY1UityMFdlMm9IQlgwRmg1NE1z + ZTVWTS9VQmVGRGI1S2huWm1zWmxvNGMKLS0tIExaTDlmVGN0T1BnUkdKdE5ZUkZY + SFQ4OG9pYU4zUGJzZE5ieCt3bVdLUkUKVFZ2l7ggSN8QwEIN0uRX/Tn2vrsmTvxo + /l3hh3YFNM2QY9Z5rtoV1jSsTFLUrRUNsY94FUNOzk6F3HIArC9AIQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktmx2szedfnpe5xumnzs8vkk0ffqgga6ved3drtksg9pye6ndsnsnqq488 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ejJaTU1nOXBZZDBmVnhw + 
dWd3dWhrbWFVTWVJNUlBaVc1RlRBemFzL2pVCktYdXBjeTZPR0lGK3VKcGFDSmZH + M1VISFlQOXZ1c0JqTFhSSzR4VGh0Q0EKLS0tIGsxVk8zQVJDc1JNRVQ1RlcvWFNx + V2VrSWMzcG12TFYyMXFDRm1KK3VVQ2cKfTEG/qGly/ypBfEYEYviAcjGudfvyjZx + OT6MOITYPW+1lrU871lM7VZJJTKjnFQV2df1Ca5YQNSW9EzrWcgtcg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-05-01T16:50:29Z" + mac: ENC[AES256_GCM,data:humfCS9LaB0pcAObLZH+8huTED1/eW6ZtR7PVZ33JPrTJhc9ttorbsfsVPGjsd52I0RT4cNNk9iRDGSqNvgCP+BdvOyILDRA0kxKvF3XLX76Iw0v5jWlPBUts0Hi5ch9Mzn5abN/w3E/5D7z1OMQN11kroJtVpnQMdPDza/qK4g=,iv:UNHN2BYkC0AShqtB7gRLIBYqYwASqVbYhA2RC1dSWYE=,tag:Qo/1LczVrlTHFvWkCG3GIw==,type:str] + pgp: + - created_at: "2024-05-01T16:36:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA82M54yws73UAQ//cm9rYFWc99F9A9X2U/Qg/44MZhuthrxiRtZ7IUECn+rv + JTUhQTe5p2l+CxKznCef1+L03aP1Iqh86YDrEO+d01HG6/NSt4gyViXw9suJM913 + bdcZUz9YHpvyvsoSLaawxI3upqJykKx1ZhVgnMkJCewZ7IsEoMRlv9U1ofxzbGBC + dvm60l2swE5smdXiZeRxilDeGg0Mf7ijhMhhC4iniJS2lVe5vTAg05uBA3lJUVr9 + GLpUnY8c+0MWlEo5QSFYlWFJ0qVPJcR82vVhAZVfcPMtqmtqS3MpbJvFR/2krZjI + 6y8QPZdLnZdI0j+4BW5m/5mgFFBJeq6y67j61M8uP0Bi6VL7Z+82oeVOwVjgTnZx + cfMlUdzOwkXyC7roSLV7U/Suc61es2PG+IulaMGbgVAQIB8gl4oUYgQcvfLJkqxv + UokSBWyoyrWGQIae5nQOslLpPWBaNi54W6LZcAamAKmQgSlD/wTOSrajrTi6lvX4 + VMMjPoyLNkcu1MS68Ue4M4wsw8B/Da+TjkatVMgm+D/Dxmvl9iaMKc6diec92jUt + so5yZ/kf7F7rfglbvsYFyLeRNenBXrWN9PicmGLjKJQPV7Agdfg35ywbhcp6cUqf + QDmO+5G4CsgLy1MNPczJKXsvrIGltWU0evzoMbPiWXiZvUKQwNW6g2a1FGiTVEbS + XAHgjFs1QAjzaWB1+bjCmt8m0+pUq1wtqT69XRgwBZu9Xb5KDR/h1OXl2s9qZUcj + 8oi8OIZIv+yEPXcZYm51NQg0IB9qtwQpxya4TuYM29cEFQY4/ANAExxK2rp3 + =BJAs + -----END PGP MESSAGE----- + fp: CD8CE78CB0B3BDD4 + - created_at: "2024-05-01T16:36:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMA2W9MER3HLb7AQgAhiN4+xEOSyWdDOKv9vAlr9R0lTRewysTFa7cWynDntix + FNHapgPIVp/NatooTUkE6RFJhnkDC+6HKwDwc25NuD2Uoo16BxWVUZyzVNUYboZs + VEJbXj2WIe/4iyxArCjlBaEoLrLqQ4bbsZb2kye3C8YOyH+jIaCbb/cvWyzuHyAj + ENqGWKehhVy9hP6BN767hUfcvBvU12btN35ieGSe9V7yG56tTA467V+htXx60zsU + 
uUZ8RFPLpZlDylAbarNMcevhgRF+/8G1uCKjN8gJkn+sJtKFQT7YR5HgHg6LKuBc
+ 0dYqgzsp9NjindHjX0/WCofwEG+HXjSMDK4GZvC7eNJcATuWAaYXRIpoIYOBS5yq
+ p4FttSfgo1CWKEhOVs4IFn6XuzzyteVRYhxFMj+/ojYsj7NkqnIIhWe7nFSFYHOE
+ ye+hMG1+ncrArTuIlH0c0KO7UqCEKQNBh7TKJuk=
+ =T2l/
+ -----END PGP MESSAGE-----
+ fp: 65BD3044771CB6FB
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/nixos/users/connie.nix b/nixos/users/connie.nix
index 4cfdef8f..1811f3c2 100644
--- a/nixos/users/connie.nix
+++ b/nixos/users/connie.nix
@@ -1,16 +1,21 @@
-{config, ...}: {
- users.users.connieallure = {name, ...}: {
- uid = 8003;
- isNormalUser = true;
- autoSubUidGidRange = false;
- group = name;
- extraGroups = [
- "users"
- "peeps"
- "kyuuto"
- ];
+{config, options, ...}: {
+ config.users = {
+ users.connieallure = {name, ...}: {
+ uid = 8003;
+ isNormalUser = true;
+ autoSubUidGidRange = false;
+ group = name;
+ extraGroups = [
+ "users"
+ "peeps"
+ "kyuuto"
+ ];
+ };
+ groups.connieallure = {name, ...}: {
+ gid = config.users.users.${name}.uid;
+ };
 };
- users.groups.connieallure = {name, ...}: {
- gid = config.users.users.${name}.uid;
+ config.${if options ? networking.firewall then "networking" else null} = {
+ access.peeps.ranges.connieallure = "2604:3d00::/28";
 };
 }
diff --git a/tree.nix b/tree.nix
index e2f9c294..9febe0f2 100644
--- a/tree.nix
+++ b/tree.nix
@@ -55,6 +55,7 @@
 ];
 };
 };
+ "modules/nixos/access".functor.enable = true;
 "modules/nixos/ldap".functor.enable = true;
 "modules/nixos/krb5".functor.enable = true;
 "modules/nixos/sssd".functor.enable = true;
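Review bot: The guard on the new `config.${…}` block in connie.nix tests `options ? networking.firewall`, which holds on every NixOS host, but the attribute it then sets is `networking.access.peeps.ranges`, which only exists when modules/nixos/access is imported; on a host without it evaluation fails with an undefined-option error instead of skipping the block. Test the option actually being set, `config.${if options ? networking.access.peeps then "networking" else null} = {`. A comment next to the value would also help: `2604:3d00::/28` is a provider-sized block, so this admits the entire allocation to the `peeps` ports bedrock.nix opens unless the sops-managed `access-peeps-nft-connieallure` file narrows it with a `redefine`, which I can't verify from the encrypted content.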