From 392834dbe09ee9c5a3775ce2b07a7b00fc1589bb Mon Sep 17 00:00:00 2001
From: Dmitriy Holkin
Date: Thu, 10 Oct 2019 14:28:33 +0400
Subject: [PATCH 1/4] add git with gnome-keyring

---
 modules/packages.nix | 1 +
 modules/services.nix | 2 ++
 modules/workspace/misc.nix | 1 +
 3 files changed, 4 insertions(+)

diff --git a/modules/packages.nix b/modules/packages.nix
index 04e3c94..11a6fa2 100644
--- a/modules/packages.nix
+++ b/modules/packages.nix
@@ -25,6 +25,7 @@
 nixpkgs.config = {
 packageOverrides = pkgs: {
 i3lock-fancy = pkgs.callPackage ./applications/i3lock-fancy.nix {};
+ git-with-libsecret = pkgs.git.override { withLibsecret = true; };
 mullvad-vpn = pkgs.mullvad-vpn.overrideAttrs (oldAttrs: rec {
 version = "2019.8";
 src = pkgs.fetchurl {
diff --git a/modules/services.nix b/modules/services.nix
index 5fa218b..c9aa979 100644
--- a/modules/services.nix
+++ b/modules/services.nix
@@ -83,6 +83,8 @@
 services.upower.enable = true;
+ services.gnome3.gnome-keyring.enable = true;
+
 # virtualisation.docker.enable = config.deviceSpecific.isHost;
 # virtualisation.virtualbox.host = lib.mkIf config.deviceSpecific.isHost {
 # enable = true;
diff --git a/modules/workspace/misc.nix b/modules/workspace/misc.nix
index 56e1ce4..f627ba9 100644
--- a/modules/workspace/misc.nix
+++ b/modules/workspace/misc.nix
@@ -15,6 +15,7 @@
 services.udiskie.enable = true;
 programs.git = {
 enable = true;
+ package = pkgs.git-with-libsecret;
 userEmail = "alukard.develop@gmail.com";
 userName = "Dmitriy Holkin";
 };

From 5c05968f2645836f67378da13501f8c057e749a9 Mon Sep 17 00:00:00 2001
From: Dmitriy Holkin
Date: Thu, 10 Oct 2019 14:28:56 +0400
Subject: [PATCH 2/4] add alsa soundcard order for workstation

---
 modules/hardware.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/modules/hardware.nix b/modules/hardware.nix
index af34d5a..67510ce 100644
--- a/modules/hardware.nix
+++ b/modules/hardware.nix
@@ -58,6 +58,9 @@ with deviceSpecific; {
 anonymousClients.allowedIpRanges = ["127.0.0.1"];
 };
 };
+ boot.extraModprobeConfig = lib.mkIf (device == "AMD-Workstation") ''
+ options snd slots=snd_virtuoso,snd_usb_audio
+ '';
 # SSD Section
 boot.kernel.sysctl = {

From 2f66a8c8d8eb1a7c9d5925052ebd5f405a28c420 Mon Sep 17 00:00:00 2001
From: Dmitriy Holkin
Date: Thu, 10 Oct 2019 14:37:52 +0400
Subject: [PATCH 3/4] fix git credentials config

---
 modules/workspace/misc.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/modules/workspace/misc.nix b/modules/workspace/misc.nix
index f627ba9..a70b6fa 100644
--- a/modules/workspace/misc.nix
+++ b/modules/workspace/misc.nix
@@ -18,6 +18,11 @@
 package = pkgs.git-with-libsecret;
 userEmail = "alukard.develop@gmail.com";
 userName = "Dmitriy Holkin";
+ extraConfig = {
+ credential = {
+ helper = "libsecret";
+ };
+ };
 };
 news.display = "silent";
 # programs.command-not-found = {

From 72c9c07fdd81a5006a6f2b25f2db99dcc9fbe552 Mon Sep 17 00:00:00 2001
From: Dmitriy Holkin
Date: Thu, 10 Oct 2019 19:37:45 +0400
Subject: [PATCH 4/4] Change wireguard service

---
 modules/applications/packages.nix | 2 +
 modules/applications/wg-conf.nix | 19 ++++++++
 modules/packages.nix | 1 +
 modules/wireguard.nix | 72 +++++++++++++-----------------
 modules/workspace/zsh.nix | 10 +++--
 secret.nix.gpg | Bin 1042 -> 551 bytes
 6 files changed, 60 insertions(+), 44 deletions(-)
 create mode 100644 modules/applications/wg-conf.nix

diff --git a/modules/applications/packages.nix b/modules/applications/packages.nix
index 485d685..0b85ff4 100644
--- a/modules/applications/packages.nix
+++ b/modules/applications/packages.nix
@@ -34,7 +34,9 @@ with deviceSpecific; {
 libnotify
 tree
 iperf
+ (youtube-to-mpv.override { isLaptop = isLaptop; })
+ wg-conf
 # Other
 (vivaldi.override { proprietaryCodecs = true; })
 wget
diff --git a/modules/applications/wg-conf.nix b/modules/applications/wg-conf.nix
new file mode 100644
index 0000000..38a2fd5
--- /dev/null
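Review bot: `helper = "libsecret"` makes git resolve a `git-credential-libsecret` executable from its exec path, which only the `git-with-libsecret` package on the context line above provides, and nothing in this block records that dependency now that the override lives in packages.nix. A comment next to `helper`, such as `# binary ships with pkgs.git-with-libsecret (withLibsecret = true)`, would keep a later package change from silently breaking credential lookup. Tokens stored this way are only as protected as the login keyring — any process in the unlocked session can read them — and the keyring enabled in services.nix is presumably unlocked at login only if the login or display-manager PAM service has `enableGnomeKeyring` set; confirm that is configured, or the helper will fall back to an unlock prompt on every first use.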
+++ b/modules/applications/wg-conf.nix
@@ -0,0 +1,19 @@
+{ stdenv, pkgs }:
+let
+ myScript = pkgs.writeShellScriptBin "wg-conf" ''
+ if [[ -z "$1" ]]; then
+ exit 1
+ fi
+ systemctl stop wg-quick-wg0.service
+ cp "$1" /root/wg0.conf
+ systemctl start wg-quick-wg0.service
+ '';
+in
+stdenv.mkDerivation rec {
+ name = "wg-conf";
+ src = myScript;
+ installPhase = ''
+ mkdir -p $out/bin
+ cp ./bin/wg-conf $out/bin/wg-conf
+ '';
+}
\ No newline at end of file
diff --git a/modules/packages.nix b/modules/packages.nix
index 11a6fa2..62fb147 100644
--- a/modules/packages.nix
+++ b/modules/packages.nix
@@ -3,6 +3,7 @@
 (self: old: rec {
 # nerdfonts = nur.balsoft.pkgs.roboto-mono-nerd;
 youtube-to-mpv = pkgs.callPackage ./applications/youtube-to-mpv.nix {};
+ wg-conf = pkgs.callPackage ./applications/wg-conf.nix {};
 xonar-fp = pkgs.writers.writeBashBin "xonar-fp" ''
 CURRENT_STATE=`amixer -c 0 sget "Front Panel" | egrep -o '\[o.+\]'`
 if [[ $CURRENT_STATE == '[on]' ]]; then
diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index 297449f..35730f3 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
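Review bot: `cp "$1" /root/wg0.conf` copies the tunnel config — which carries the interface's private key — with whatever mode the source file had, and the script never checks that `$1` is a readable file or that the copy succeeded; `pkgs.writeShellScriptBin` adds no `set -e`, so a failed `cp` still falls through to `systemctl start` and silently brings the tunnel back up on the old config, while the bare `exit 1` gives the caller no hint why. Use `install -m 0600` for the copy, fail early with a usage message, and turn on `set -euo pipefail`. The `stdenv.mkDerivation` wrapper only copies `bin/wg-conf` out of a derivation that already provides it at that path, so the file could return `pkgs.writeShellScriptBin` directly (the `rec` on the wrapper is unused). Note also that stopping the unit runs the `preStop` in wireguard.nix, which removes the kill-switch rules, so traffic is unfiltered between the stop and the start here.
```nix
  myScript = pkgs.writeShellScriptBin "wg-conf" ''
    set -euo pipefail
    if [[ $# -ne 1 || ! -r "$1" ]]; then
      echo "usage: wg-conf <path-to-wg0.conf>" >&2
      exit 1
    fi
    systemctl stop wg-quick-wg0.service
    # the config holds the private key: set the mode explicitly instead of inheriting the source's
    install -m 0600 "$1" /root/wg0.conf
    systemctl start wg-quick-wg0.service
  '';
  # … unchanged: in / stdenv.mkDerivation wrapper …
```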
@@ -2,45 +2,37 @@
 let
 cfg = config.secrets.wireguard.${config.device};
 in {
- # Enable wireguard
- networking.wg-quick.interfaces = lib.mkIf cfg.enable {
- wg0 = cfg.interface;
- };
- # Enable killswitch
- environment.systemPackages =
- lib.mkIf (cfg.killswitch.package == "iptables") [
- pkgs.iptables
- ];
- networking.nftables =
- lib.mkIf (cfg.killswitch.package == "nftables") {
- enable = true;
- ruleset = ''
- flush ruleset
- table inet firewall {
- chain input {
- type filter hook input priority 0; policy drop;
- iif "lo" accept
- ct state { established, related } accept
- ct state invalid drop
- ip protocol icmp icmp type echo-request accept
- ip daddr 192.168.0.1/24 accept
- reject
- }
- chain forward {
- type filter hook forward priority 0; policy drop;
- }
- chain output {
- type filter hook output priority 0; policy drop;
- oifname "lo" accept
- oifname "wg0" accept
- oifname "docker0" accept
- oifname "vboxnet0" accept
- oifname "vboxnet1" accept
- udp dport domain drop
- ip daddr 192.168.0.1/24 accept
- udp dport 51820 accept
- }
- }
- '';
+ config = lib.mkIf cfg.enable {
+ boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
+ environment.systemPackages = [ pkgs.wireguard pkgs.wireguard-tools ];
+ networking.firewall.checkReversePath = false;
+
+ systemd.services."wg-quick-wg0" = {
+ description = "wg-quick WireGuard Tunnel - wg0";
+ requires = [ "network-online.target" ];
+ after = [ "network.target" "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+ environment.DEVICE = "wg0";
+ path = [ pkgs.kmod pkgs.wireguard-tools ];
+
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+
+ script = ''
+ ${lib.strings.optionalString (!config.boot.isContainer) "modprobe wireguard"}
+ wg-quick up /root/wg0.conf
+ '';
+
+ postStart = lib.mkIf cfg.killswitch ''
+ ${pkgs.iptables}/bin/iptables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ${pkgs.iptables}/bin/iptables -I OUTPUT -s 192.168.0.0/24 -j ACCEPT && ${pkgs.iptables}/bin/ip6tables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
+ '';
+
+ preStop = ''
+ ${lib.strings.optionalString (cfg.killswitch) "${pkgs.iptables}/bin/iptables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ${pkgs.iptables}/bin/iptables -D OUTPUT -s 192.168.0.0/24 && ${pkgs.iptables}/bin/ip6tables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT"}
+ wg-quick down /root/wg0.conf
+ '';
+ };
 };
 }
\ No newline at end of file
diff --git a/modules/workspace/zsh.nix b/modules/workspace/zsh.nix
index d59196c..cd0a89a 100644
--- a/modules/workspace/zsh.nix
+++ b/modules/workspace/zsh.nix
@@ -45,10 +45,12 @@
 "clr" = "clear";
 "weather" = "curl wttr.in/Volzhskiy";
 "l" = "ls -lah --group-directories-first";
- "rede" = "systemctl --user start redshift.service";
- "redd" = "systemctl --user stop redshift.service";
- "bare" = "systemctl --user start barrier-client.service";
- "bard" = "systemctl --user stop barrier-client.service";
+ "rede" = "systemctl --user start redshift.service &";
+ "redd" = "systemctl --user stop redshift.service &";
+ "bare" = "systemctl --user start barrier-client.service &";
+ "bard" = "systemctl --user stop barrier-client.service &";
+ "wgup" = "_ systemctl start wg-quick-wg0.service";
+ "wgdown" = "_ systemctl stop wg-quick-wg0.service";
 };
 };
 }
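Review bot: The LAN exception in `postStart` is keyed on the source address — `iptables -I OUTPUT -s 192.168.0.0/24 -j ACCEPT` — but on the OUTPUT chain the source is the host's own address, so on a machine whose LAN address is in 192.168.0.0/24 this rule sits above the REJECT and accepts every packet leaving the physical interface, which defeats the kill switch; the removed nftables ruleset matched the destination (`ip daddr 192.168.0.1/24 accept`) and the replacement should too: `-I OUTPUT -d 192.168.0.0/24 -j ACCEPT`. In `preStop` the matching delete is `-D OUTPUT -s 192.168.0.0/24` with no `-j ACCEPT`, which names a rule that was never inserted, so `iptables -D` fails, the `&&` chain stops before the ip6tables rule is removed, and since NixOS presumably runs these scripts with `-e` the following `wg-quick down` is skipped as well — it should be `-D OUTPUT -d 192.168.0.0/24 -j ACCEPT`, mirroring the insert. Unlike the old ruleset, whose policy-drop applied regardless of tunnel state, these rules exist only between `postStart` and `preStop`, so before the unit starts, after it stops, and whenever `wg-quick up` fails, traffic flows unfiltered; a comment on `postStart` such as `# kill switch is fail-open: rules live only while the unit is active` would at least make that explicit, or the rules belong in `networking.firewall.extraCommands`. `networking.firewall.checkReversePath = false` disables the reverse-path check for every interface; `"loose"` is normally sufficient for a wg-quick default-route setup.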
diff --git a/secret.nix.gpg b/secret.nix.gpg index 29c425c0fe979aec7221ff40f8034ec55bc3f1f4..90152bce2129680384898ea01ed0081008a65ed5 100644 GIT binary patch literal 551 zcmV+?0@(e90Sp5t#%vKxT`Ri*2msSFs)t#B_bPD0YgiJ*htq`IELyv&aa zcA*>2jZJ=LwGK>mK~Tn-$L82GEFkyz(1pNY^zZGXCga^TP+*TL;W z;$pX|boK$rnHA^G(c=#Dz~)3oU34krB`f5g3YQ>mPvk+cuidAKdxtk;3@uGSh!)YfW;1aR57vOTk_@Wb+JT%cC7?6wSQa)vb3dd#>v^R310BvplpLLL zVrd~gT)-|+d*x|%pUW`HZ3KBoz^zv%pOvo`H9{+Fu3TEDuf|JTGT9;UKBC_R%goys z3X*-d;hNzmA2eO=p9wyM1vd0M*u&}9gbq&}wX2IYJrQ2B_z-kNSb%%P=;jMRJ^k}@ zT-bF@x2k~uXl;#|%G0}R+vThRM9=T}ZK1D)^cPhwO`~|BSu-SG~nNEvhnAG^r9oL$*2@jg|lgMe49ASWmBeL~rX_E#@M)^=@Pi}xs@2?8RQlHA*Pv3Fk=edljDLnP1@ zm624sZSAftb3CI7feg1zN@O zhZ3auH=2b+M@tkVra-gxHfeCfzU<_)UwavMhw_-F%S|f+HVOykx01M~e~n{`KXght zV7Xeawvgj|fE~fVj@iyAPWzkY#|e@^>d7wn8!)*Aw}w0)Rhwm8TNv?CSjZ^t=k;Va z`=MKaCNylP>;9QV`Pl#TwLdL10NoVwv}-G93e1i}H+83Nxla1kW^p)AFbc9LF)SB-Bjx zO!v0OGqBJ|V4zs4pd)dNw9Q1j-7`=pOhYnx2nU$3*XeKejBnxS_~&{Y^EA-WLPQ(O ztI4&|Ck*z?HMHsR=giTuLPd>_0>@Mz8}&+1zBQfGEwWBeg1l`_`|@+A>XAq5ZO&h! zDnFy1K%YFpXxoNsz&|xz>E|@bR8`vF!fHJm3ekE$l<0UV1jrJ-^0Ww4zOaZ$=q9Ib zcJVH?cpBH9ob6sv$3b+we+k?Hw*{p#{L4?`=uBk;C?-GgB)qO*^c-o^rrmC)hdJ6w zk^d#X;K3qZOVk@FmX$&Cpg5$F^B<~eJT;t%Mp1xTwWh=7%u_1vig$?KRRzJ$d`MeZ zGy#@;!zLuB)hl(x0`;$AwyUBRO&(O#}R0r60HME3MrFWbnM=^G}UNQ@W|(W`=fc$ M0KoZY(?loj%J-l7ApigX