FUCK NVIDIA 🖕

flake.lock

@@ -165,11 +165,11 @@
     },
     "secrets": {
       "locked": {
-        "lastModified": 1711641020,
-        "narHash": "sha256-und6yndmaPsS/wEkqrEvN02VbK+HCFz0zglRNaZeCJI=",
+        "lastModified": 1711740735,
+        "narHash": "sha256-/NmklXfLak65luQoMsUl539faoabD+lo7P9fNDaXkic=",
         "ref": "refs/heads/master",
-        "rev": "057f8a2b8cd29a70764004d035a6a9e33c73f4ff",
-        "revCount": 5,
+        "rev": "42e5e76765daf6dd36fa195a5a424d8d69c15dfa",
+        "revCount": 6,
         "type": "git",
         "url": "ssh://git@git.caspervk.net/caspervk/nixos-secrets.git"
       },

hosts/alpha/network.nix

@@ -45,9 +45,9 @@
       name = "wg-sigma-public";
     };
 
-    # The following routes traffic destined for 116.203.6.156 (floating IP) to
-    # sigma through wireguard. This allows the server to have a public address
-    # and help others sail the high seas even though it is behind NAT.
+    # The following routes traffic destined for the sigma-p2p address (floating
+    # IP) to sigma through wireguard. This allows the server to have a public
+    # address and help others sail the high seas even though it is behind NAT.
     netdevs."51-wg-sigma-p2p" = {
       netdevConfig = {
         Name = "wg-sigma-p2p";
@@ -62,7 +62,7 @@
           wireguardPeerConfig = {
             PublicKey = "sigmaH/DKSU8KWyrPtucYmS2ewUvDvCNLxd/qYEo0n0=";
             PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
-            AllowedIPs = ["116.203.6.156/32"];
+            AllowedIPs = ["${secrets.alpha.sigma-p2p-ip-address}/32"];
             RouteTable = "main";
           };
         }

hosts/omega/default.nix

@@ -1,4 +1,4 @@
-{pkgs, ...}: {
+{...}: {
   imports = [
     ../../overlays
     ../../modules/base
@@ -7,27 +7,9 @@
     ../../modules/syncthing.nix
     ./hardware.nix
     ./borg.nix
-    ./network.nix
     ./sway.nix
   ];
 
-  systemd.services.qbittorrent = {
-    description = "qBittorrent service";
-    documentation = ["man:qbittorrent-nox(1)"];
-    wantedBy = ["multi-user.target"];
-    wants = ["multi-user.target"];
-    after = ["network-online.target" "nss-lookup.target"];
-    serviceConfig = {
-      Type = "exec";
-      User = "caspervk";
-      Group = "users";
-      ExecStart = pkgs.writers.writeBash "asd" ''
-        while true; do ${pkgs.curl}/bin/curl ip.caspervk.net; echo; sleep 1; done
-      '';
-      RestrictNetworkInterfaces = "wg-sigma-public";
-    };
-  };
-
   networking.hostName = "omega";
 
   boot = {

hosts/sigma/default.nix

@@ -5,7 +5,7 @@
     ../../modules/server
     ./hardware.nix
     #./borg.nix
-    #./network.nix
+    ./network.nix
   ];
 
   networking.hostName = "sigma";

hosts/sigma/hardware.nix

@@ -10,12 +10,11 @@
     (modulesPath + "/installer/scan/not-detected.nix")
     nixos-hardware.nixosModules.common-cpu-amd
     nixos-hardware.nixosModules.common-cpu-amd-pstate
-    nixos-hardware.nixosModules.common-gpu-nvidia
     nixos-hardware.nixosModules.common-pc
     nixos-hardware.nixosModules.common-pc-ssd
   ];
 
-  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
   boot.initrd.kernelModules = ["dm-snapshot"];
   boot.kernelModules = ["kvm-amd"];
   boot.extraModulePackages = [];

hosts/sigma/network.nix

@@ -1,13 +1,31 @@
 {
   config,
+  lib,
   secrets,
   ...
 }: {
+  # systemd.services.qbittorrent = {
+  #   description = "qBittorrent service";
+  #   documentation = ["man:qbittorrent-nox(1)"];
+  #   wantedBy = ["multi-user.target"];
+  #   wants = ["multi-user.target"];
+  #   after = ["network-online.target" "nss-lookup.target"];
+  #   serviceConfig = {
+  #     Type = "exec";
+  #     User = "flatpak";
+  #     Group = "users";
+  #     ExecStart = pkgs.writers.writeBash "asd" ''
+  #       while true; do ${pkgs.curl}/bin/curl --connect-timeout 1 ip.caspervk.net; echo; sleep 1; done
+  #     '';
+  #     RestrictNetworkInterfaces = "wg-sigma-p2p";
+  #   };
+  # };
+
   systemd.network = {
     config = {
       routeTables = {
-        "wg-sigma-public" = 822944075;
-        "wg-sigma-p2p" = 2553;
+        "wg-sigma-public" = 42;
+        "wg-sigma-p2p" = 6881;
       };
     };
 
@@ -20,7 +38,7 @@
         Kind = "wireguard";
       };
       wireguardConfig = {
-        PrivateKeyFile = config.age.secrets.wireguard-private-key-file-omega.path;
+        PrivateKeyFile = config.age.secrets.wireguard-private-key-file-sigma.path;
       };
       wireguardPeers = [
         {
@@ -50,6 +68,7 @@
       address = ["49.13.33.75/32"];
       routingPolicyRules = [
         {
+          # See the AllowedIPs comment above for why this is necessary
           routingPolicyRuleConfig = {
             From = "49.13.33.75/32";
             Table = "wg-sigma-public";
@@ -59,16 +78,16 @@
     };
 
     # The following establishes a wireguard tunnel to alpha and configures
-    # receiving traffic destined for 116.203.6.156. This allows the server to
-    # have a public address and help others sail the high seas even though it
-    # is behind NAT.
+    # receiving traffic destined for the sigma-p2p address. This allows the
+    # server to have a public address and help others sail the high seas even
+    # though it is behind NAT.
     netdevs."51-wg-sigma-p2p" = {
       netdevConfig = {
         Name = "wg-sigma-p2p";
         Kind = "wireguard";
       };
       wireguardConfig = {
-        PrivateKeyFile = config.age.secrets.wireguard-private-key-file-omega.path;
+        PrivateKeyFile = config.age.secrets.wireguard-private-key-file-sigma.path;
       };
       wireguardPeers = [
         {
@@ -85,11 +104,20 @@
     };
     networks."wg-sigma-p2p" = {
       name = "wg-sigma-p2p";
-      address = ["116.203.6.156/32"];
+      address = ["${secrets.sigma.sigma-p2p-ip-address}/32"];
       routingPolicyRules = [
         {
           routingPolicyRuleConfig = {
-            From = "116.203.6.156/32";
+            From = "${secrets.sigma.sigma-p2p-ip-address}/32";
+            Table = "wg-sigma-p2p";
+          };
+        }
+        {
+          # The deluge systemd service has
+          # RestrictNetworkInterfaces=wg-sigma-p2p, but that does not tell it
+          # to use the correct routing table.
+          routingPolicyRuleConfig = {
+            User = config.services.deluge.user;
             Table = "wg-sigma-p2p";
           };
         }
@@ -97,6 +125,27 @@
     };
   };
 
+  # Force explicit firewall configuration to ensure we allow the right services
+  # on the right interfaces.
+  networking.firewall = {
+    allowedTCPPorts = lib.mkForce [];
+    allowedUDPPorts = lib.mkForce [];
+    allowedTCPPortRanges = lib.mkForce [];
+    allowedUDPPortRanges = lib.mkForce [];
+
+    interfaces = {
+      "enp5s0" = {
+        allowedTCPPorts = [22];
+      };
+      "wg-sigma-public" = {
+        allowedTCPPorts = [22];
+      };
+      "wg-sigma-p2p" = {
+        allowedTCPPorts = [1337];
+      };
+    };
+  };
+
   age.secrets.wireguard-preshared-key-file = {
     file = "${secrets}/secrets/wireguard-preshared-key-file.age";
     mode = "640";
@@ -104,8 +153,8 @@
     group = "systemd-network";
   };
 
-  age.secrets.wireguard-private-key-file-omega = {
-    file = "${secrets}/secrets/wireguard-private-key-file-omega.age";
+  age.secrets.wireguard-private-key-file-sigma = {
+    file = "${secrets}/secrets/wireguard-private-key-file-sigma.age";
     mode = "640";
     owner = "root";
     group = "systemd-network";

modules/games.nix

@@ -1,7 +1,4 @@
-{
-  pkgs,
-  ...
-}: {
+{pkgs, ...}: {
   # https://nixos.wiki/wiki/Lutris
   # https://nixos.wiki/wiki/Steam
   programs.steam.enable = true;