new wgautomesh debug version yay

wgautomesh doesn't support IPv6 (yet?)

This reverts commit 8f8adf132c.

.sops.yaml

@@ -2,13 +2,16 @@
     - &Lyn age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv
     - &forgenite age1u4dtlq4lavqufzsqfqlsnu67u3x2t3d7ffxkqrah2des4dlxns2slegl38
     - &forgejo-ci age13pau3xqusxuczm9kwpxg4fdze4xhenfwmjw80ed7g336a8x7tqpqdqvjjj
-
+    - &wg-gateway age1xm5ewmhxsdn34c6h9v3hzs0ka0qvmywnkgw94j7r2cxpqh2c8v4q7h6qhd
+    - &supernova age12lfan35k4gtq6mwm9llyea25usw3ap0xuzg90745qk0m0ws3cgespffkv2
   creation_rules:
     - path_regex: secrets/all/[^/]+\.yaml$
       key_groups:      
       - age:
         - *Lyn
         - *forgenite
+        - *wg-gateway
+        - *supernova
     #hosts
     - path_regex: secrets/hosts/forgenite.yaml
       key_groups:

flake.lock

@@ -1,44 +1,229 @@
 {
   "nodes": {
+    "crane": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1717535930,
+        "narHash": "sha256-1hZ/txnbd/RmiBPNUs7i8UQw2N89uAK3UzrGAWdnFfU=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "55e7754ec31dac78980c8be45f8a28e80e370946",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
+    "fenix-monthly": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "rust-analyzer-src": "rust-analyzer-src"
+      },
+      "locked": {
+        "lastModified": 1735713283,
+        "narHash": "sha256-xC6X49L55xo7AV+pAYclOj5UNWtBo/xx5aB5IehJD0M=",
+        "owner": "nix-community",
+        "repo": "fenix",
+        "rev": "bfba822a4220b0e2c4dc7f36a35e4c8450cd9a9c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "monthly",
+        "repo": "fenix",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1717285511,
+        "narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "pre-commit-hooks-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
+    "lanzaboote": {
+      "inputs": {
+        "crane": "crane",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs",
+        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1718178907,
+        "narHash": "sha256-eSZyrQ9uoPB9iPQ8Y5H7gAmAgAvCw3InStmU3oEjqsE=",
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "rev": "b627ccd97d0159214cee5c7db1412b75e4be6086",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "v0.4.1",
+        "repo": "lanzaboote",
+        "type": "github"
+      }
+    },
+    "microvm": {
+      "inputs": {
+        "flake-utils": "flake-utils_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "spectrum": "spectrum"
+      },
+      "locked": {
+        "lastModified": 1736905611,
+        "narHash": "sha256-eW6SfZRaOnOybBzhvEzu3iRL8IhwE0ETxUpnkErlqkE=",
+        "owner": "astro",
+        "repo": "microvm.nix",
+        "rev": "a18d7ba1bb7fd4841191044ca7a7f895ef2adf3b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "astro",
+        "repo": "microvm.nix",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1725407940,
+        "lastModified": 1717794163,
-        "narHash": "sha256-tiN5Rlg/jiY0tyky+soJZoRzLKbPyIdlQ77xVgREDNM=",
+        "narHash": "sha256-Ch6ZpFPVvi7Bb6gmmuufpTEFkXqa43pC94XMfU5FEt0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "6f6c45b5134a8ee2e465164811e451dcb5ad86e3",
+        "rev": "121f68ed7c6c32de5a8ce91a08ef25713d1c4755",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-24.05",
+        "ref": "nixos-unstable-small",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1721524707,
+        "lastModified": 1710695816,
-        "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=",
+        "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171",
+        "rev": "614b4613980a522ba49f0d194531beddbb7220d3",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-24.05",
+        "ref": "nixos-23.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1725634671,
+        "lastModified": 1736798957,
-        "narHash": "sha256-v3rIhsJBOMLR8e/RNWxr828tB+WywYIoajrZKFM+0Gg=",
+        "narHash": "sha256-qwpCtZhSsSNQtK4xYGzMiyEDhkNzOCz/Vfu4oL2ETsQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c",
+        "rev": "9abb87b552b7f55ac8916b6fc9e5cb486656a2f3",
         "type": "github"
       },
       "original": {
@@ -50,11 +235,27 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1725194671,
+        "lastModified": 1736867362,
-        "narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=",
+        "narHash": "sha256-i/UJ5I7HoqmFMwZEH6vAvBxOrjjOJNU739lnZnhUln8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c",
+        "rev": "9c6b49aeac36e2ed73a8c472f1546f6d9cf1addc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1731763621,
+        "narHash": "sha256-ddcX4lQL0X05AYkrkV2LMFgGdRvgap7Ho8kgon3iWZk=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "c69a9bffbecde46b4b939465422ddc59493d3e4d",
         "type": "github"
       },
       "original": {
@@ -64,24 +265,95 @@
         "type": "github"
       }
     },
+    "pre-commit-hooks-nix": {
+      "inputs": {
+        "flake-compat": [
+          "lanzaboote",
+          "flake-compat"
+        ],
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1717664902,
+        "narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
-        "nixpkgs": "nixpkgs",
+        "fenix-monthly": "fenix-monthly",
+        "lanzaboote": "lanzaboote",
+        "microvm": "microvm",
+        "nixpkgs": "nixpkgs_2",
         "nixpkgs-unstable": "nixpkgs-unstable",
         "sops-nix": "sops-nix"
       }
     },
-    "sops-nix": {
+    "rust-analyzer-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1735659655,
+        "narHash": "sha256-DQgwi3pwaasWWDfNtXIX0lW5KvxQ+qVhxO1J7l68Qcc=",
+        "owner": "rust-lang",
+        "repo": "rust-analyzer",
+        "rev": "085ad107943996c344633d58f26467b05f8e2ff0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "rust-lang",
+        "ref": "nightly",
+        "repo": "rust-analyzer",
+        "type": "github"
+      }
+    },
+    "rust-overlay": {
       "inputs": {
-        "nixpkgs": "nixpkgs_2",
+        "flake-utils": [
-        "nixpkgs-stable": "nixpkgs-stable"
+          "lanzaboote",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
       },
       "locked": {
-        "lastModified": 1725540166,
+        "lastModified": 1717813066,
-        "narHash": "sha256-htc9rsTMSAY5ek+DB3tpntdD/es0eam2hJgO92bWSys=",
+        "narHash": "sha256-wqbRwq3i7g5EHIui0bIi84mdqZ/It1AXBSLJ5tafD28=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "6dc3e45fe4aee36efeed24d64fc68b1f989d5465",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_3"
+      },
+      "locked": {
+        "lastModified": 1736808430,
+        "narHash": "sha256-wlgdf/n7bJMLBheqt1jmPoxJFrUP6FByKQFXuM9YvIk=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "d9d781523a1463965cd1e1333a306e70d9feff07",
+        "rev": "553c7cb22fed19fd60eb310423fdc93045c51ba8",
         "type": "github"
       },
       "original": {
@@ -89,6 +361,52 @@
         "repo": "sops-nix",
         "type": "github"
       }
+    },
+    "spectrum": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1733308308,
+        "narHash": "sha256-+RcbMAjSxV1wW5UpS9abIG1lFZC8bITPiFIKNnE7RLs=",
+        "ref": "refs/heads/main",
+        "rev": "80c9e9830d460c944c8f730065f18bb733bc7ee2",
+        "revCount": 792,
+        "type": "git",
+        "url": "https://spectrum-os.org/git/spectrum"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://spectrum-os.org/git/spectrum"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -1,14 +1,45 @@
 {
   description = "Lyns flake";
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+    microvm.url = "github:astro/microvm.nix";
+    microvm.inputs.nixpkgs.follows = "nixpkgs";
+    lanzaboote.url = "github:nix-community/lanzaboote/v0.4.1";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
     sops-nix.url = "github:Mic92/sops-nix";
     nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+    fenix-monthly = {
+      url = "github:nix-community/fenix/monthly";
+      inputs.nixpkgs.follows = "nixpkgs";
     };
-  outputs = {self, nixpkgs, nixpkgs-unstable, sops-nix }@inputs: let 
+  };
+  outputs = {
+    self,
+    nixpkgs,
+    nixpkgs-unstable,
+    sops-nix,
+    lanzaboote,
+    microvm,
+    fenix-monthly,
+  } @ inputs: let
+    imports = {
       imports = [
+        sops-nix.nixosModules.sops
+        passInputs
+        mkLocalModsInput
+        lanzaboote.nixosModules.lanzaboote
+        inputs.microvm.nixosModules.host
+        ./hosts/network.nix
+        ./meta/wgautomesh
       ];
-  passInputs = ({lib,config,...}:{
+    };
+    overlays = {
+      default = import ./pkgs/overlay.nix inputs;
+    };
+    passInputs = {
+      lib,
+      config,
+      ...
+    }: {
       options.flakePath = lib.mkOption {type = lib.types.path;};
       config.flakePath = ./.;
       options.inputs = lib.mkOption {type = lib.types.attrs;};
@@ -17,27 +48,43 @@
       config.pkgsInstances = {
         unstable = import inputs.nixpkgs-unstable {system = config.nixpkgs.system;};
       };
-  });
+      config.nixpkgs.overlays = lib.attrValues overlays;
+    };
     inherit (nixpkgs) lib;
+
     mkLocalMods = import ./meta/mkLocalMods.nix {inherit lib;};
+    mkLocalModsInput = mkLocalMods {
+      prefix = ["lyn"];
+      dir = ./modules;
+    };
   in {
     nixosConfigurations = {
       "forgenite" = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
         modules = [
           ./hosts/forgenite
-          sops-nix.nixosModules.sops
+          imports
-          passInputs
-	  (mkLocalMods {prefix = ["lyn"]; dir = ./modules;})
         ];
       };
       "forgejo-ci" = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
         modules = [
           ./hosts/forgejo-ci
-          sops-nix.nixosModules.sops
+          imports
-          passInputs
+        ];
-	  (mkLocalMods {prefix = ["lyn"]; dir = ./modules;})
+      };
+      "supernova" = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = [
+          ./hosts/supernova
+          imports
+        ];
+      };
+      "wg-gateway" = nixpkgs.lib.nixosSystem {
+        system = "aarch64-linux";
+        modules = [
+          ./hosts/wg-gateway
+          imports
         ];
       };
     };

hosts/forgejo-ci/default.nix

@@ -1,10 +1,16 @@
-{ config, pkgs, lib, inputs, ... }: with config.lyn.lib; {
+{
-  imports =
+  config,
-    [
+  pkgs,
+  lib,
+  inputs,
+  ...
+}:
+with config.lyn.lib; {
+  imports = [
     ./hardware-configuration.nix
-      ./../../users/lyn
   ];
   lyn.sops.secrets."hosts/forgejo-ci/forgejo_ci_token" = {};
+  lyn.users.lyn.enable = true;
   lyn.kernel.latest.enable = true;
   lyn.kernel.hardened.enable = true;
   lyn.profiles.base.enable = true;
@@ -12,13 +18,9 @@
   lyn.services.forgejo-ci.enable = true;
   lyn.services.forgejo-ci.domain = "git.shibe.pro";
   lyn.services.forgejo-ci.instancename = "shibepro-ci";
-  # Use UEFI
   boot.loader.systemd-boot.enable = true;
 
   networking.hostName = "forgejo-ci"; # Define your hostname.
 
-  # Firewall stuff:
-  networking.firewall.enable = true;
-  networking.firewall.allowPing = true;
   system.stateVersion = "23.05";
 }

hosts/forgenite/default.nix

@@ -1,13 +1,17 @@
-{ config, pkgs, lib, inputs, ... }: {
+{
-  imports =
+  config,
-    [
+  pkgs,
-      ./../../users/lyn
+  lib,
+  inputs,
+  ...
+}: {
+  imports = [
     ./hardware-configuration.nix
   ];
   lyn.sops.secrets."hosts/forgenite/forgejo_db_password".owner = "forgejo";
-
+  lyn.users.lyn.enable = true;
   lyn.kernel.latest.enable = true;
-  lyn.kernel.hardened.enable =true;
+  lyn.kernel.hardened.enable = true;
   lyn.profiles.base.enable = true;
   lyn.profiles.vm.enable = true;
 
@@ -18,10 +22,6 @@
   lyn.services.forgejo.domain = "git.shibe.pro";
   networking.hostName = "forgenite"; # Define your hostname.
 
-  # Firewall stuff:
-  networking.firewall.enable = true;
-  networking.firewall.allowPing = true;
-
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It's perfectly fine and recommended to leave
@@ -29,11 +29,4 @@
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
   system.stateVersion = "24.05"; # Did you read the comment?
- 
-nix.gc = {
-    automatic = true;
-    persistent = true;
-    options = "--delete-older-than 8d";
-  };
 }
-

hosts/network.nix

@@ -0,0 +1,129 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  prefix = "lyn";
+
+  #hosts are defined here
+  hosts = {
+    wg-gateway = {
+      wg = {
+        enabled = true;
+        pubkey = "Fknzk7lltkPKJZlF3KXWKGQXXSj7CUD9ev0ZEZtpbjY=";
+      };
+      IPv4 = {
+        public = "78.47.226.47";
+        # we use 10.35.0.0/16 as a range for private subnets, specifically 10.35.0.0/24 for wireguard peers
+        internal = "10.35.0.3";
+      };
+      IPv6 = {
+        public = "2a01:4f8:1c1b:d2db::";
+        # 1aacabcafe is the global ID and 1337 is the wireguard peer subnet ID, resulting in the ULA fd1a:acab:cafe:1337::/64
+        internal = "fd1a:acab:cafe:1337:8f4c:68cd::";
+      };
+    };
+    supernova = {
+      wg = {
+        enabled = true;
+        pubkey = "jdfbOnP0mFWFobtQunm0h6EtqOZiar9G9jngMU7b+Co=";
+        port_v4 = 56052;
+      };
+      IPv4 = {
+        # we use 10.35.0.0/16 as a range for private subnets, specifically 10.35.0.0/24 for wireguard peers
+        internal = "10.35.0.2";
+      };
+      IPv6 = {
+        # 1aacabcafe is the global ID and 1337 is the wireguard peer subnet ID, resulting in the ULA fd1a:acab:cafe:1337::/64
+        internal = "fd1a:acab:cafe:1337:6722:3657::";
+      };
+    };
+  };
+in {
+  options = {
+    ${prefix} = {
+      # defining the entire hosts part as a module
+      network.hosts = lib.mkOption {
+        type = lib.types.attrsOf (lib.types.submodule {
+          options = {
+            wg = lib.mkOption {
+              type = lib.types.submodule {
+                options = {
+                  enabled = lib.mkOption {
+                    type = lib.types.bool;
+                    default = false;
+                    description = "Enable WireGuard";
+                  };
+                  pubkey = lib.mkOption {
+                    type = lib.types.nullOr lib.types.str;
+                    default = null;
+                    description = "Public key for WireGuard";
+                  };
+                  port_v4 = lib.mkOption {
+                    type = lib.types.int;
+                    default = 51820;
+                    description = "Port for WireGuard";
+                  };
+                  port_v6 = lib.mkOption {
+                    type = lib.types.int;
+                    default = 51821;
+                    description = "Port for WireGuard";
+                  };
+                };
+              };
+              description = "WireGuard configuration";
+            };
+            IPv4 = lib.mkOption {
+              type = lib.types.submodule {
+                options = {
+                  public = lib.mkOption {
+                    type = lib.types.nullOr lib.types.str;
+                    default = null;
+                    description = "Public IPv4 address";
+                  };
+                  internal = lib.mkOption {
+                    type = lib.types.str;
+                    description = "Wireguard-internal IPv4 address";
+                  };
+                };
+              };
+              description = "IPv4 configuration";
+              default = {};
+            };
+            IPv6 = lib.mkOption {
+              type = lib.types.submodule {
+                options = {
+                  public = lib.mkOption {
+                    type = lib.types.nullOr lib.types.str;
+                    default = null;
+                    description = "Public IPv6 address";
+                  };
+                  internal = lib.mkOption {
+                    type = lib.types.str;
+                    description = "Wireguard-internal IPv6 address";
+                  };
+                };
+              };
+              description = "IPv6 configuration";
+              default = {};
+            };
+          };
+        });
+        default = {};
+        description = "All hosts in this network that this config should be aware of";
+      };
+    };
+  };
+
+  config = {
+    ${prefix}.network = {
+      inherit hosts;
+    };
+    assertions = [
+      {
+        assertion = lib.any (host: host.IPv4 != null || host.IPv6 != null) (lib.attrValues hosts);
+        message = "Either an IPv4 or IPv6 must be defined for each host";
+      }
+    ];
+  };
+}

hosts/supernova/default.nix

@@ -0,0 +1,71 @@
+{
+  config,
+  pkgs,
+  lib,
+  inputs,
+  ...
+}:
+with config.lyn.lib; {
+  imports = [
+    ./hardware-configuration.nix
+    ./virtualization.nix
+  ];
+  lyn.kernel.latest.enable = true;
+  lyn.profiles.base.enable = true;
+  lyn.profiles.headless.enable = true;
+  lyn.users.lyn.enable = true;
+  lyn.users.ellie.enable = true;
+  networking.hostName = "supernova";
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # this is overridden by the secureboot profile, still here so the system retains a bootloader in case secure boot profile is disabled:
+  boot.loader.systemd-boot.enable = true;
+
+  # Firmware updates:
+  services.fwupd.enable = true;
+
+  lyn.services.mkMesh = {
+    enable = true;
+    enable_upnp_portforward = true;
+  };
+
+  ##1##3##3##7##
+  ## Security ##
+  ##1##3##3##7##
+
+  # Kernel hardening
+  lyn.kernel.hardened.enable = true;
+  ## Don't print any errors/logs to the console
+  boot.consoleLogLevel = 0;
+
+  # Secure boot
+  lyn.profiles.secureboot.enable = true;
+
+  # FDE + initrd stuff
+  boot.kernelParams = ["ip=dhcp"];
+  boot.loader.timeout = 2;
+  boot.initrd = {
+    availableKernelModules = ["r8169"];
+    systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
+    secrets = {"/root/initrd-ssh-key" = "/root/initrd-ssh-key";};
+    network = {
+      enable = true;
+      ssh = {
+        enable = true;
+        port = 2222;
+        # WARNING: this key will be globally accessible through Nix store. Don't use the booted/decrypted systems host key here.
+        hostKeys = [/root/initrd-ssh-key];
+        # this includes the ssh keys of all users in the wheel group, but you can just specify some keys manually
+        # authorizedKeys = [ "ssh-rsa ..." ];
+        authorizedKeys = with lib;
+          concatLists (mapAttrsToList (name: user:
+            if elem "wheel" user.extraGroups
+            then user.openssh.authorizedKeys.keys
+            else [])
+          config.users.users);
+      };
+    };
+  };
+
+  system.stateVersion = "24.05";
+}

hosts/supernova/hardware-configuration.nix

@@ -0,0 +1,71 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod"];
+  boot.initrd.kernelModules = ["dm-snapshot"];
+  boot.kernelModules = ["kvm-amd"];
+  boot.extraModulePackages = [];
+
+  boot.initrd.systemd.enable = true;
+  boot.initrd.luks.devices = {
+    "root" = {
+      device = "/dev/disk/by-uuid/db8a5cf9-c54b-4e6a-b3f9-e6323eb962a6";
+      # doubles SSD performance because r/w queue is unnecessary on SSDs
+      bypassWorkqueues = true;
+    };
+    "chungus_1" = {
+      device = "/dev/disk/by-uuid/2c02d324-df81-4c63-b1f8-16c411d1b34a";
+      keyFile = "/sysroot/root/raid_keyfile";
+    };
+    "chungus_2" = {
+      device = "/dev/disk/by-uuid/b642a13f-ddb8-4e25-b885-3eea3744a208";
+      keyFile = "/sysroot/root/raid_keyfile";
+    };
+  };
+  
+
+  fileSystems."/" = {
+    device = "/dev/mapper/vg-root";
+    fsType = "btrfs";
+    options = ["x-systemd.device-timeout=0"];
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/0374-0967";
+    fsType = "vfat";
+    options = ["fmask=0022" "dmask=0022" "umask=0077" "x-systemd.device-timeout=0"];
+  };
+  fileSystems."/mnt/chungus" = {
+    device = "/dev/mapper/chungus_1";
+    fsType = "btrfs";
+    options = [ "defaults" "noatime" "compress=zstd" "space_cache=v2" "autodefrag" "subvol=main"];
+  };
+  swapDevices = [
+    {
+      device = "/dev/mapper/vg-swap";
+      options = ["x-systemd.device-timeout=0"];
+    }
+  ];
+  
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp6s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/supernova/virtualization.nix

@@ -0,0 +1,3 @@
+{...}: {
+  lyn.profiles.hypervisor.enable = true;
+}

hosts/wg-gateway/default.nix

@@ -0,0 +1,41 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+  ];
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  lyn.kernel.latest.enable = true;
+  lyn.profiles.base.enable = true;
+  lyn.profiles.secureboot.enable = true;
+  lyn.users.lyn.enable = true;
+
+  # network
+
+  lyn.services.mkMesh = {
+    enable = true;
+    enable_lan_discovery = false;
+  };
+
+  networking.useDHCP = false;
+  networking.hostName = "wg-gateway"; # Define your hostname.
+  systemd.network.enable = true;
+  systemd.network.networks."10-wan" = {
+    matchConfig.Name = "enp1s0";
+    networkConfig.DHCP = "ipv4";
+    address = [
+      "2a01:4f8:1c1b:d2db::/64"
+    ];
+    routes = [
+      {routeConfig.Gateway = "fe80::1";}
+    ];
+  };
+
+  system.stateVersion = "24.05";
+}

hosts/wg-gateway/hardware-configuration.nix

@@ -0,0 +1,38 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+  boot.initrd.kernelModules = ["virtio_gpu"];
+  boot.kernelParams = ["console=tty"];
+  boot.initrd.availableKernelModules = ["xhci_pci" "virtio_scsi" "sr_mod"];
+  boot.kernelModules = [];
+  boot.extraModulePackages = [];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/7cb49846-af34-40ec-b144-decc9c284e94";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/BEFA-C7BC";
+    fsType = "vfat";
+    options = ["fmask=0077" "dmask=0077"];
+  };
+
+  swapDevices = [
+    {device = "/dev/disk/by-uuid/63e6e56c-9fbd-4bc2-a0e7-8be171565710";}
+  ];
+
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}

meta/default.nix

@@ -1,7 +1,5 @@
 {
   imports = [
     ./mkLocalMods.nix
-#	./enable.nix
   ];
 }
-

meta/enable.nix

@@ -1,7 +0,0 @@
-{lib, config, ...}: {
-    config.lyn.lib.enable = list: lib.genAttrs 
-	list 
-	(
-	name: {enable = true;}
-	);
-}

meta/mkLocalMods.nix

@@ -1,26 +1,61 @@
-{lib, ...}:
+{lib, ...}: let
-let
+  inherit (import ./packagesFromDirectoryRecursive.nix {inherit lib;}) packagesFromDirectoryRecursive;
   mapAttrKVs = mapFn: attrs: builtins.foldl' (acc: cur: acc // {${cur.key} = cur.value;}) {} (builtins.attrValues (builtins.mapAttrs mapFn attrs));
   #kv = key: value: {inherit key value;};
-	recurseNaive = curPath: fn: mapAttrKVs (k: v: let 
+  recurseNaive = curPath: fn:
+    mapAttrKVs (
+      k: v: let
         match = builtins.match "(.*)[.]nix" k;
-	in if v == "regular" && match != null then {key = builtins.elemAt match 0; value = fn (curPath + ("/" + k));}
+      in
-		else if v == "directory" then {key = k; value = recurseNaive (curPath + ("/" + k)) fn;}
+        if v == "regular" && match != null
-		else {key = null; value = null;}
+        then {
+          key = builtins.elemAt match 0;
+          value = fn (curPath + ("/" + k));
+        }
+        else if v == "directory"
+        then {
+          key = k;
+          value = recurseNaive (curPath + ("/" + k)) fn;
+        }
+        else {
+          key = null;
+          value = null;
+        }
     ) (builtins.readDir curPath);
 
-	getAttrKVsRec = prefix: as: lib.flatten (lib.mapAttrsToList (k: v:
+  getAttrKVsRec = prefix: as:
-		if lib.isAttrs v then getAttrKVsRec (prefix ++ [k]) v
+    lib.flatten (lib.mapAttrsToList (
-		else [{path = prefix ++ [k]; value = v;}]
+        k: v:
-	) as);
+          if lib.isAttrs v
+          then getAttrKVsRec (prefix ++ [k]) v
+          else [
+            {
+              path = prefix ++ [k];
+              value = v;
+            }
+          ]
+      )
+      as);
 
-	getPathKVsRec = prefix: dir: getAttrKVsRec prefix (lib.packagesFromDirectoryRecursive { callPackage = path: x: path; directory = dir; });
+  getPathKVsRec = prefix: dir:
+    getAttrKVsRec prefix (packagesFromDirectoryRecursive {
+      callPackage = path: x: path;
+      directory = dir;
+    });
 
   unifyMod = (import ./modules-extracted.nix {lib = lib;}).unifyModuleSyntax;
-	transformLocalMod = {path, value}: let 
+  transformLocalMod = {
-	modFn = if lib.isFunction (import value) then import value else (p: import value);
+    path,
+    value,
+  }: let
+    modFn =
+      if lib.isFunction (import value)
+      then import value
+      else (p: import value);
     newMod = p: let
-		paramNew = p // {
+      paramNew =
+        p
+        // {
           cfg = lib.getAttrFromPath path p.config;
         };
 
@@ -32,22 +67,41 @@ let
       fileCtx = str: "${modUni._file} (mkLocalMods ${str})";
       enablePath = path ++ ["enable"];
 
-		imports = [ {
+      imports = [
+        {
           _file = fileCtx "`opt` processor";
           key = fileCtx "`opt` processor";
           options = lib.setAttrByPath path (modRaw.opt or {});
-		} {
+        }
+        {
           _file = fileCtx "`enable` definition";
           key = fileCtx "`enable` definition";
           options = lib.setAttrByPath enablePath (lib.mkEnableOption (mod.desc or mod.description or mod.name or pathStr));
-		} ({config, ...}: {
+        }
+        ({config, ...}: {
           _file = fileCtx "config wrapper";
           key = fileCtx "config wrapper";
           config = lib.mkIf (lib.getAttrFromPath enablePath config) modUni.config;
-		})];
+        })
+      ];
 
-		newMod = modUni // { imports = modUni.imports ++ imports; config = {}; };
+      newMod =
-	in newMod; in lib.mirrorFunctionArgs modFn newMod;
+        modUni
+        // {
+          imports = modUni.imports ++ imports;
+          config = {};
+        };
+    in
+      newMod;
+  in
+    lib.mirrorFunctionArgs modFn newMod;
 
-	mkLocalMods = {prefix ? [], dir}: { _file = "mkLocalMods collector"; imports = builtins.map transformLocalMod (getPathKVsRec prefix dir); };
+  mkLocalMods = {
-in mkLocalMods
+    prefix ? [],
+    dir,
+  }: {
+    _file = "mkLocalMods collector";
+    imports = builtins.map transformLocalMod (getPathKVsRec prefix dir);
+  };
+in
+  mkLocalMods

meta/modules-extracted.nix

@@ -1,8 +1,8 @@
 # https://github.com/NixOS/nixpkgs/blob/a5cfe012401cfebb4b2c28e74857b8ffe1402b4b/lib/modules.nix
-{ lib }:
+{lib}:
-with lib.modules;
+with lib.modules; let
-let
+  inherit
-  inherit (lib)
+    (lib)
     addErrorContext
     all
     any
@@ -36,7 +36,8 @@ let
     optionalAttrs
     optionalString
     recursiveUpdate
-    reverseList sort
+    reverseList
+    sort
     seq
     setAttrByPath
     substring
@@ -50,7 +51,8 @@ let
     zipAttrs
     zipAttrsWith
     ;
-  inherit (lib.options)
+  inherit
+    (lib.options)
     isOption
     mkOption
     showDefs
@@ -58,25 +60,29 @@ let
     showOption
     unknownModule
     ;
-  inherit (lib.strings)
+  inherit
+    (lib.strings)
     isConvertibleWithToString
     ;
 
-  unifyModuleSyntax = file: key: m:
+  unifyModuleSyntax = file: key: m: let
-    let
+    addMeta = config:
-      addMeta = config: if m ? meta
+      if m ? meta
-        then mkMerge [ config { meta = m.meta; } ]
+      then mkMerge [config {meta = m.meta;}]
       else config;
-      addFreeformType = config: if m ? freeformType
+    addFreeformType = config:
-        then mkMerge [ config { _module.freeformType = m.freeformType; } ]
+      if m ? freeformType
+      then mkMerge [config {_module.freeformType = m.freeformType;}]
       else config;
   in
-    if m ? config || m ? options then
+    if m ? config || m ? options
-      let badAttrs = removeAttrs m ["_class" "_file" "key" "disabledModules" "imports" "options" "config" "meta" "freeformType"]; in
+    then let
-      if badAttrs != {} then
+      badAttrs = removeAttrs m ["_class" "_file" "key" "disabledModules" "imports" "options" "config" "meta" "freeformType"];
-        throw "Module `${key}' has an unsupported attribute `${head (attrNames badAttrs)}'. This is caused by introducing a top-level `config' or `options' attribute. Add configuration attributes immediately on the top level instead, or move all of them (namely: ${toString (attrNames badAttrs)}) into the explicit `config' attribute."
+    in
-      else
+      if badAttrs != {}
-        { _file = toString m._file or file;
+      then throw "Module `${key}' has an unsupported attribute `${head (attrNames badAttrs)}'. This is caused by introducing a top-level `config' or `options' attribute. Add configuration attributes immediately on the top level instead, or move all of them (namely: ${toString (attrNames badAttrs)}) into the explicit `config' attribute."
+      else {
+        _file = toString m._file or file;
         _class = m._class or null;
         key = toString m.key or key;
         disabledModules = m.disabledModules or [];
@@ -87,7 +93,8 @@ let
     else
       # shorthand syntax
       throwIfNot (isAttrs m) "module ${file} (${key}) does not look like a module."
-      { _file = toString m._file or file;
+      {
+        _file = toString m._file or file;
         _class = m._class or null;
         key = toString m.key or key;
         disabledModules = m.disabledModules or [];
@@ -95,6 +102,4 @@ let
         options = {};
         config = addFreeformType (removeAttrs m ["_class" "_file" "key" "disabledModules" "require" "imports" "freeformType"]);
       };
-
-
 in {inherit unifyModuleSyntax;}

meta/packagesFromDirectoryRecursive.nix

@@ -0,0 +1,55 @@
+{lib, ...}: with lib;{packagesFromDirectoryRecursive = 
+    {
+      callPackage,
+      directory,
+      ...
+    }	:
+    let
+      # Determine if a directory entry from `readDir` indicates a package or
+      # directory of packages.
+      directoryEntryIsPackage = basename: type:
+        type == "directory" || hasSuffix ".nix" basename;
+
+      # List directory entries that indicate packages in the given `path`.
+      packageDirectoryEntries = path:
+        filterAttrs directoryEntryIsPackage (builtins.readDir path);
+
+      # Transform a directory entry (a `basename` and `type` pair) into a
+      # package.
+      directoryEntryToAttrPair = subdirectory: basename: type:
+        let
+          path = subdirectory + "/${basename}";
+        in
+        if type == "regular"
+        then
+        {
+          name = removeSuffix ".nix" basename;
+          value = callPackage path { };
+        }
+        else
+        if type == "directory"
+        then
+        {
+          name = basename;
+          value = packagesFromDirectory path;
+        }
+        else
+        throw
+          ''
+            lib.filesystem.packagesFromDirectoryRecursive: Unsupported file type ${type} at path ${toString subdirectory}
+          '';
+
+      # Transform a directory into a package but its edited to use default.nix because package.nix is nonstandard or
+      # set of packages (otherwise).
+      packagesFromDirectory = path:
+        let
+          defaultPackagePath = path + "/default.nix";
+        in
+        if pathExists defaultPackagePath
+        then callPackage defaultPackagePath { }
+        else mapAttrs'
+          (directoryEntryToAttrPair path)
+          (packageDirectoryEntries path);
+    in
+    packagesFromDirectory directory;
+}

meta/wgautomesh/default.nix

@@ -0,0 +1,180 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.services.wgautomesh;
+  settingsFormat = pkgs.formats.toml {};
+  configFile =
+    # Have to remove nulls manually as TOML generator will not just skip key
+    # if value is null
+    settingsFormat.generate "wgautomesh-config.toml"
+    (filterAttrs (k: v: v != null)
+      (mapAttrs
+        (
+          k: v:
+            if k == "peers" || k == "interfaces"
+            then map (e: filterAttrs (k: v: v != null) e) v
+            else v
+        )
+        cfg.settings));
+  runtimeConfigFile =
+    if cfg.enableGossipEncryption
+    then "/run/wgautomesh/wgautomesh.toml"
+    else configFile;
+in {
+  disabledModules = ["services/networking/wgautomesh.nix"];
+  options.services.wgautomesh = {
+    enable = mkEnableOption "the wgautomesh daemon";
+    logLevel = mkOption {
+      type = types.enum ["trace" "debug" "info" "warn" "error"];
+      default = "info";
+      description = "wgautomesh log level.";
+    };
+    enableGossipEncryption = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Enable encryption of gossip traffic.";
+    };
+    gossipSecretFile = mkOption {
+      type = types.path;
+      description = ''
+        File containing the gossip secret, a shared secret key to use for gossip
+        encryption.  Required if `enableGossipEncryption` is set.  This file
+        may contain any arbitrary-length utf8 string.  To generate a new gossip
+        secret, use a command such as `openssl rand -base64 32`.
+      '';
+    };
+    enablePersistence = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Enable persistence of Wireguard peer info between restarts.";
+    };
+    openFirewall = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Automatically open gossip port in firewall (recommended).";
+    };
+    settings = mkOption {
+      type = types.submodule {
+        freeformType = settingsFormat.type;
+        options = {
+          gossip_port = mkOption {
+            type = types.port;
+            description = ''
+              wgautomesh gossip port, this MUST be the same number on all nodes in
+              the wgautomesh network.
+            '';
+            default = 1666;
+          };
+          lan_discovery = mkOption {
+            type = types.bool;
+            default = true;
+            description = "Enable discovery of peers on the same LAN using UDP broadcast.";
+          };
+          upnp_open_ports = mkOption {
+            type = types.bool;
+            default = false;
+            description = "Enable UPnP IGD port forwarding to interfaces of this wgautomesh instance.";
+          };
+          interfaces = mkOption {
+            type = types.listOf (types.submodule {
+              options = {
+                name = mkOption {
+                  type = types.str;
+                };
+                upnp_forward_ext_port_v4 = mkOption {
+                  type = types.nullOr types.port;
+                  default = null;
+                  description = ''
+                    Public port number to try to redirect to this machine's Wireguard
+                    daemon using UPnP IGD. Only used if the interface has IPv4 peers.
+                  '';
+                };
+              };
+            });
+            default = [];
+            description = "wgautomesh interface settings.";
+          };
+          peers = mkOption {
+            type = types.listOf (types.submodule {
+              options = {
+                pubkey = mkOption {
+                  type = types.str;
+                  description = "Wireguard public key of this peer.";
+                };
+                interface = mkOption {
+                  type = types.str;
+                };
+                port = mkOption {
+                  type = types.nullOr types.port;
+                  example = 51820;
+                };
+                address = mkOption {
+                  type = types.str;
+                  description = ''
+                    Wireguard address of this peer (a single IP address, multiple
+                    addresses or address ranges are not supported).
+                  '';
+                  example = "10.0.0.42";
+                };
+                endpoint = mkOption {
+                  type = types.nullOr types.str;
+                  description = ''
+                    Bootstrap endpoint for connecting to this Wireguard peer if no
+                    other address is known or none are working.
+                  '';
+                  default = null;
+                  example = "wgnode.mydomain.example";
+                };
+              };
+            });
+            default = [];
+            description = "wgautomesh peer list.";
+          };
+        };
+      };
+      default = {};
+      description = "Configuration for wgautomesh.";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.wgautomesh.settings = {
+      gossip_secret_file = mkIf cfg.enableGossipEncryption "$CREDENTIALS_DIRECTORY/gossip_secret";
+      persist_file = mkIf cfg.enablePersistence "/var/lib/wgautomesh/state";
+    };
+
+    systemd.services.wgautomesh = {
+      path = [pkgs.wireguard-tools];
+      environment = {RUST_LOG = "wgautomesh=${cfg.logLevel}";};
+      description = "wgautomesh";
+      serviceConfig = {
+        Type = "simple";
+
+        ExecStart = "${getExe pkgs.wgautomesh} ${runtimeConfigFile}";
+        Restart = "always";
+        RestartSec = "30";
+        LoadCredential = mkIf cfg.enableGossipEncryption ["gossip_secret:${cfg.gossipSecretFile}"];
+
+        ExecStartPre = mkIf cfg.enableGossipEncryption [
+          ''            ${pkgs.envsubst}/bin/envsubst \
+                          -i ${configFile} \
+                          -o ${runtimeConfigFile}''
+        ];
+
+        DynamicUser = true;
+        StateDirectory = "wgautomesh";
+        StateDirectoryMode = "0700";
+        RuntimeDirectory = "wgautomesh";
+        AmbientCapabilities = "CAP_NET_ADMIN";
+        CapabilityBoundingSet = "CAP_NET_ADMIN";
+      };
+      wantedBy = ["multi-user.target"];
+    };
+    networking.firewall.allowedUDPPorts =
+      mkIf cfg.openFirewall [cfg.settings.gossip_port];
+  };
+}

modules/kernel/hardened.nix

@@ -1,6 +1,7 @@
 {lib, pkgs, config, cfg, ...}: let 
     ifApparmor = cfg.apparmor.enable; 
 in {
+	# TODO: Update this
     opt.apparmor.enable = lib.mkEnableOption "apparmor";
     boot.kernelPackages = let
 	kernel = pkgs.linux-libre;

modules/profiles/base.nix

@@ -1,22 +1,38 @@
-{lib, config, pkgs, ...}: {
+{
-  lyn.sops.default.enable = true;
+  lib,
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  config,
+  pkgs,
+  ...
+}: {
+  lyn.sops.enable = true;
+  nix.settings.experimental-features = ["nix-command" "flakes"];
   nixpkgs.config.allowUnfree = true;
   nix.package = config.pkgsInstances.unstable.lix;
   environment.variables.EDITOR = "nvim";
 
+  #initialize mesh vpn secret
+  lyn.sops.secrets."all/meshnetwork/gossip_secret" = {};
+
+  # TODO
   time.timeZone = "Europe/Berlin";
 
+  # Firewall base config:
+  networking.firewall.enable = lib.mkDefault true;
+  networking.firewall.allowPing = true;
+  # SSH:
   services.openssh = {
     enable = true;
     settings = {
       X11Forwarding = true;
-		PermitRootLogin = "no";
+      PermitRootLogin = "yes";
       PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
     };
     openFirewall = true;
   };
-  # Disable password checking for wheel group users so we can solely rely on ssh keys
+
+  # Disable password checking for wheel group users so we can rely on ssh keys.
+  # WARNING: This has an security impact!
   security.sudo.wheelNeedsPassword = false;
 
   environment.systemPackages = with pkgs; [
@@ -27,4 +43,35 @@
     curl
     htop
   ];
+  # Use encrypted Quad9 DNS
+  networking.nameservers = ["127.0.0.1" "::1"];
+  services.dnscrypt-proxy2 = {
+    enable = true;
+    settings = {
+      ipv6_servers = true;
+      require_dnssec = true;
+
+      sources.public-resolvers = {
+        urls = [
+          "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+        ];
+        cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
+        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+      };
+
+      # You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
+      server_names = ["quad9-dnscrypt-ip4-nofilter-pri" "quad9-dnscrypt-ip6-nofilter-pri"];
+    };
+  };
+
+  systemd.services.dnscrypt-proxy2.serviceConfig = {
+    StateDirectory = "dnscrypt-proxy";
+  };
+
+  nix.gc = {
+    automatic = true;
+    persistent = true;
+    options = "--delete-older-than 8d";
+  };
 }

modules/profiles/headless.nix

@@ -0,0 +1,5 @@
+{modulesPath, ...}: {
+  imports = [
+    (modulesPath + "/profiles/headless.nix")
+  ];
+}

modules/profiles/hypervisor.nix

@@ -0,0 +1,8 @@
+{
+  inputs,
+  lib,
+  ...
+}: {
+  microvm.host.enable = true;
+  networking.useNetworkd = true;
+}

modules/profiles/secureboot.nix

@@ -0,0 +1,16 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  environment.systemPackages = [
+    # For debugging and troubleshooting Secure Boot.
+    pkgs.sbctl
+  ];
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/etc/secureboot";
+  };
+}

modules/profiles/vm.nix

@@ -1,5 +1,13 @@
-{ config, pkgs, lib, ... }:
 {
+  config,
+  pkgs,
+  lib,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
   #enable qemu-guestagent
   services.qemuGuest.enable = true;
 }

modules/services/forgejo-ci.nix

@@ -1,8 +1,14 @@
-{ config, pkgs, lib, inputs, cfg, ... }:
 {
+  config,
+  pkgs,
+  lib,
+  inputs,
+  cfg,
+  ...
+}: {
   environment.systemPackages = with pkgs; [
     docker
-];
+  ];
 
   # Enable docker
   virtualisation.docker = {

modules/services/forgejo.nix

@@ -1,5 +1,12 @@
-{pkgs, lib, config, cfg, ...}:
+{
-with lib; with builtins; {
+  pkgs,
+  lib,
+  config,
+  cfg,
+  ...
+}:
+with lib;
+with builtins; {
   opt.domain = lib.mkOption {type = lib.types.str;};
   services.forgejo = {
     enable = true;

modules/services/mkMesh.nix

@@ -0,0 +1,109 @@
+{
+  config,
+  pkgs,
+  lib,
+  cfg,
+  ...
+}: let
+  buildInputs = [pkgs.wgautomesh];
+
+  prefix = "lyn";
+
+  # decrypt gossip secret
+  # change this to comply with you secret management
+  gossip_secret_path = config.sops.secrets."all/meshnetwork/gossip_secret".path;
+
+  # function to make a peerlist suitable for wgautomesh
+  buildPeerlist = version: hosts: let
+    #filter out hosts that have wg.enabled set to false
+    wgEnabledHosts = lib.filterAttrs (_: host: host.wg.enabled or false) hosts;
+  in
+    lib.mapAttrsToList (name: host: {
+      interface =
+        if version == "IPv6"
+        then "wg1"
+        else "wg0";
+      pubkey = host.wg.pubkey;
+      #if there is no public IP, make endpoint null so wgautomesh knows it unknown. Else format it to a SocketAddr
+      endpoint = host.${version}.public;
+      port =
+        if version == "IPv6"
+        then host.wg.port_v6
+        else host.wg.port_v4;
+      address = host.${version}.internal;
+    })
+    wgEnabledHosts;
+
+  # helper vars to prettify
+  meshnetwork = config.${prefix}.network;
+  currentHost = meshnetwork.hosts.${config.networking.hostName};
+in {
+  opt = {
+    enable_upnp_portforward = lib.mkOption {
+      type = lib.types.bool;
+      description = "Whether to allow the wireguard port in the gateway using UPnP IGD. Necessary on some firewalls, might spam unnecessary debug messages on environments without IGD gateways.";
+      default = false;
+    };
+    enable_lan_discovery = lib.mkOption {
+      type = lib.types.bool;
+      description = "Try to discover mesh devices on the same local network.";
+      default = true;
+    };
+  };
+  config = rec {
+    networking.firewall = {
+      allowedUDPPorts = [
+        currentHost.wg.port_v4
+        currentHost.wg.port_v6
+      ];
+      # UPnP broadcast responses
+      # credits: https://github.com/NixOS/nixpkgs/issues/161328
+      extraPackages =
+        if cfg.enable_upnp_portforward
+        then [pkgs.ipset]
+        else [];
+      extraCommands =
+        if cfg.enable_upnp_portforward
+        then ''
+          if ! ipset --quiet list upnp; then
+            ipset create upnp hash:ip,port timeout 3
+          fi
+          iptables -A OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j SET --add-set upnp src,src --exist
+          iptables -A nixos-fw -p udp -m set --match-set upnp dst,dst -j nixos-fw-accept
+        ''
+        else "";
+    };
+
+    networking.wireguard.interfaces.wg0 = {
+      ips = ["${currentHost.IPv4.internal}/24"];
+      listenPort = currentHost.wg.port_v4;
+      privateKeyFile = "/var/lib/wireguard-keys/private";
+      mtu = 1280;
+    };
+    networking.wireguard.interfaces.wg1 = {
+      ips = ["${currentHost.IPv6.internal}/64"];
+      listenPort = currentHost.wg.port_v6;
+      privateKeyFile = "/var/lib/wireguard-keys/private";
+      mtu = 1280;
+    };
+
+    services.wgautomesh = {
+      enable = true;
+      settings = {
+        interfaces =
+          if cfg.enable_upnp_portforward
+          then [
+            {
+              name = "wg0";
+              upnp_forward_ext_port_v4 = config.networking.wireguard.interfaces.wg0.listenPort;
+            }
+          ]
+          else [];
+        peers = buildPeerlist "IPv6" meshnetwork.hosts ++ buildPeerlist "IPv4" meshnetwork.hosts;
+        lan_discovery = cfg.enable_lan_discovery;
+        upnp_open_ports = cfg.enable_upnp_portforward;
+      };
+      gossipSecretFile = gossip_secret_path;
+    };
+  };
+}

modules/sops/default.nix

@@ -1,23 +1,27 @@
-{ pkgs, lib, config, ... }:
-let
-  cfg = config.lyn.sops;
-in
 {
+  pkgs,
+  lib,
+  config,
+  ...
+}: let
+  cfg = config.lyn.sops;
+in {
   options.lyn.sops = with lib; {
     secrets = mkOption {
       type = types.attrs;
-      default = { };
+      default = {};
     };
   };
   config = {
-    sops.secrets = lib.mapAttrs
+    sops.secrets =
-      (name: value:
+      lib.mapAttrs
-        let
+      (name: value: let
         name_split = lib.splitString "/" name;
       in
         {
           sopsFile = config.flakePath + /secrets/${builtins.elemAt name_split 0}/${builtins.elemAt name_split 1}.yaml;
-        } // value)
+        }
+        // value)
       cfg.secrets;
   };
 }

modules/users/ellie/default.nix

@@ -0,0 +1,15 @@
+{
+  lib,
+  pkgs,
+  config,
+  cfg,
+  ...
+}: {
+  users.users.ellie = {
+    isNormalUser = true;
+    extraGroups = ["wheel"];
+    packages = with pkgs; [
+    ];
+  };
+  users.users.ellie.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKA4+3PkFptATzrWncxdj63SqZ747cDb8TqmdQFugvW7 ellie@card"];
+}

modules/users/lyn/default.nix

@@ -0,0 +1,17 @@
+{
+  lib,
+  pkgs,
+  config,
+  cfg,
+  ...
+}: {
+  imports = [
+    ./ssh.nix
+  ];
+  users.users.lyn = {
+    isNormalUser = true;
+    extraGroups = ["wheel"];
+    packages = with pkgs; [
+    ];
+  };
+}

modules/users/lyn/ssh.nix

@@ -0,0 +1,7 @@
+{
+  lib,
+  config,
+  ...
+}: {
+  users.users.lyn.openssh.authorizedKeys.keys = ["ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC7NUaBJOYgMnT2uUUUSB7gKaqqbgxXDghBkRqSGuZrAZzZYHlHH7nM6Re7+yOYMSoJGLaB4iaUDLSBBnyA6pLI= nixos_gitea@secretive.MacBook-Pro-(2).local"];
+}

pkgs/overlay.nix

@@ -0,0 +1,21 @@
+inputs: final: prev: {
+  wgautomesh = let
+    toolchain = inputs.fenix-monthly.packages.${final.stdenv.hostPlatform.system}.latest.toolchain;
+    cargo = toolchain;
+    platform = final.makeRustPlatform {
+      rustc = toolchain;
+      cargo = toolchain;
+    };
+    wgam-nightly = prev.wgautomesh.override {rustPlatform = platform;};
+    wgam-lyn = wgam-nightly.overrideAttrs (old: rec {
+      src = builtins.fetchGit {
+        url = "https://git.deuxfleurs.fr/lynatic/wgautomesh.git";
+        rev = "7f844a2f5d67f788c3b2084fb3ab0c25b10928cc";
+      };
+      cargoDeps = platform.importCargoLock {
+        lockFile = src + "/Cargo.lock";
+      };
+    });
+  in
+    wgam-lyn;
+}

secrets/all/meshnetwork.yaml

@@ -0,0 +1,50 @@
+all:
+    meshnetwork:
+        gossip_secret: ENC[AES256_GCM,data:tOaCG5NKxT3rRFORofRp/mGGufWWCnbkDJWwiqnTE0o8+MQ2sHn4+KMYLeM=,iv:GrBUnN58eoEE9ZwZLjKD7DNoVO9DMTqqbuyudqVPp+k=,tag:phqc6m+KqplbG49pqLfFkQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3SFJLSzBlQjdIVDdiaDVh
+            NmZiVmRSUkJhd0dTNEtnVzdnQWp4Q1BQMWhzCm0yZFpZZ0tiS1UwMzFTdENubVps
+            VENMVXhSNVFuK0dCekZSbTlFNkNFQ0UKLS0tIFh6bkcrcjBZN0hQM2dvZmFuNG41
+            WHpFbUN5K2R4eGhnUlpNdEluS2pFZWMKeuR99KVd5bDwFvUz+NkcYBZ6nHFfEBBk
+            k2sa4x6dlNnV/uPEeKbtmlbAjCwH3YaNFEodAnOoWE9Mh+UggWJ8DA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1u4dtlq4lavqufzsqfqlsnu67u3x2t3d7ffxkqrah2des4dlxns2slegl38
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1WHpwTVVzN3dBK2VSUE8w
+            S3Z6VVpFaGk4M3I2SnArTXo4WHFWVlNRYVU4CkVDc2p5Z25OZDBOSFM3bXZIZ09R
+            UlY0dWhOZTVndHlBZks2QmFwZ3lDV0EKLS0tIDhaak8wUW5mOWh2SXBqR3NubytO
+            TXpUdnZkT0xCOEZmV2t3bkN3UC92cHcKdyr2W3KQoMV50HIyKfGFK8kjvUQC8E0p
+            oC3Im2YPWOI2xcEMh15a/gN4xhQlBH5zvQjum9O4f6pdyNdVeZyHEg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1xm5ewmhxsdn34c6h9v3hzs0ka0qvmywnkgw94j7r2cxpqh2c8v4q7h6qhd
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQclM0WGdqTDVyRUxZZ3BX
+            WXdJcDlHOHJMakpMd2JlQjBBbmI0dG9JSWdJCnNTSzV1U3FBK1I5dHU2L0RhSyty
+            anFCRzR0NGhyeEx4QlZxY3RDYnRQUGMKLS0tIEw2UFdaNW5HeElBa1RQNFZCL2tC
+            QnR2VVNmbEZIVWtOalpxYzlJVnlxajAKOSJY9r1BGcYt8VyAPWlrx/wRY7sKPF+n
+            bII9Z3W9s0FzTbTdd2iHYqYnzXzdX33GZJactm/VrUCeqWIWOdgaGw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age12lfan35k4gtq6mwm9llyea25usw3ap0xuzg90745qk0m0ws3cgespffkv2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMaUEyQ2FlZWdMRGpleEtS
+            Qk4vNGc4WTVqeCtyYnJRTU92eC84bHFZc3h3CkgvWE0wOG1nbEZBRGpHeWZmTW5Q
+            dCtFekhlRW9YVWNSWW1tWDVzR2cvLzAKLS0tIG5IWFBDazNyNTdNOXpIZk0xZENG
+            eGY3b1VoMTFBTm9ZejFhdTUvb2ZtMU0KW1cO1em0Vwfg0RTYOTjc5RXgeDdd95KU
+            JYZ+ZWhJZn9+BeJMPm/s3/+OnvCjnOM63sQ0Z3lrhoW0PtAyjz+9eQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-13T22:33:39Z"
+    mac: ENC[AES256_GCM,data:z/YZszHebHnDiDfvSuyX1IrTcIPZK+YyH2qxg8UZ8ycSFx3XEk34ufx4rBXt8qRG2FIWuXW45GwTf+5PZZA9ov0ejVlVvbZOcR6VztIpt8i4gWUve4fkEC7cWN3SH1SCsJ2edY6KuQIEZAm6bfBWwAJS5ho40aKox5zBj1PU+FM=,iv:C7u6QRZcPDUcH9fbdSvhyY+cJD9wdlpoA1YcWaY9llY=,tag:L6RPamgmsfc3KJgWeQ3Abw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1

users/lyn/default.nix

@@ -1,11 +0,0 @@
-{lib,pkgs, config, ...}:{
-    imports = [
-	./ssh.nix
-    ];
-    users.users.lyn = {   
-    isNormalUser = true;
-   	extraGroups = [ "wheel"];
-	  packages = with pkgs; [
-    ];
-    };
-}

users/lyn/ssh.nix

@@ -1,3 +0,0 @@
-{lib, config, ...}: {
-    users.users.lyn.openssh.authorizedKeys.keys = ["ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC7NUaBJOYgMnT2uUUUSB7gKaqqbgxXDghBkRqSGuZrAZzZYHlHH7nM6Re7+yOYMSoJGLaB4iaUDLSBBnyA6pLI= nixos_gitea@secretive.MacBook-Pro-(2).local"];
-}