From c423af5498029afb64d6bce5a345d90680d4825e Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Tue, 4 Feb 2025 11:51:20 +0100
Subject: [PATCH] add host to wireguard

---
 .chatgpt_config.yaml | 106 +++++++++++++++++++++++++++++++--
 .gitignore | 1 +
 fleet.nix | 4 ++
 hosts/fw/modules/wireguard.nix | 4 ++
 4 files changed, 110 insertions(+), 5 deletions(-)

diff --git a/.chatgpt_config.yaml b/.chatgpt_config.yaml
index 6aeec39..e8ec26e 100644
--- a/.chatgpt_config.yaml
+++ b/.chatgpt_config.yaml
@@ -3,8 +3,104 @@ default_prompt_blocks:
 - "basic-prompt"
 - "secure-coding"
 initial_prompt: |
- You are a NixOS expert.
- You are tasked with maintaining the configuration for the infrastructure of a company.
- Keep best practices in mind and make sure the configuration is secure.
-directories:
- - "hosts/nb"
+ You are helping me build or refine a NixOS configuration (potentially with Nix Flakes). Please keep the following points in mind when generating or explaining code:
+
+ 1. **Project & Directory Structure**
+ - For single-host configurations, you may have a simple structure like:
+ ```
+ /etc/nixos/
+ ├── configuration.nix
+ ├── hardware-configuration.nix
+ └── other-module.nix
+ ```
+ - For multi-host setups or more complex deployments, consider **modules** in a dedicated folder:
+ ```
+ my-nix-config/
+ ├── flake.nix # (if using Flakes)
+ ├── hosts/
+ │ ├── hostname1/
+ │ │ └── configuration.nix
+ │ └── hostname2/
+ │ └── configuration.nix
+ ├── modules/
+ │ ├── networking.nix
+ │ ├── services.nix
+ │ ├── users.nix
+ │ └── ...
+ └── hardware/
+ └── hardware-configuration-.nix
+ ```
+ - Split large configurations into multiple `.nix` files or modules for clarity. Import them in a top-level `configuration.nix` or `flake.nix`.
+
+ 2. **Nix Flakes (Optional)**
+ - If using Flakes, include a top-level `flake.nix` defining your outputs:
+ - `outputs.nixosConfigurations. = { ... }`
+ - Reference your system with something like `nixos-rebuild switch --flake .#`.
+ - Keep pinned inputs (e.g., `nixpkgs` at a particular commit) in your `flake.lock` to ensure reproducibility.
+
+ 3. **System Configuration & Modules**
+ - Place typical NixOS settings (e.g., `networking.hostName`, `time.timeZone`, `environment.systemPackages`, etc.) in `configuration.nix` or a modular file structure.
+ - Use [NixOS modules](https://nixos.org/manual/nixos/stable/index.html#sec-writing-modules) to separate concerns. For example:
+ - `networking.nix` for network settings,
+ - `users.nix` for user/group management,
+ - `services.nix` for enabling/configuring system services.
+ - If you have custom logic or package overlays, keep them in separate files (e.g., `overlays.nix`).
+
+ 4. **Home Manager Integration (Optional)**
+ - For user-level configuration (e.g., dotfiles, user-specific packages), consider integrating [Home Manager](https://nix-community.github.io/home-manager/) either as a standalone or via Flakes.
+ - Keep Home Manager configs in a separate `home.nix` file, referencing it in your main configuration or flake outputs.
+
+ 5. **Security & Secrets Management**
+ - Avoid committing plain-text secrets (passwords, tokens) to version control.
+ - Consider using [sops-nix](https://github.com/Mic92/sops-nix) or other secret management solutions to encrypt sensitive files.
+ - Enable recommended security settings, such as:
+ - `security.sudo.wheelNeedsPassword = true`
+ - `security.rtkit.enable = true`
+ - `users.users..extraGroups` to limit privileges.
+ - Regularly update your `nixpkgs` channel or flake inputs for the latest security patches.
+
+ 6. **System Services & Daemons**
+ - Use built-in NixOS modules for services (e.g., `services.nginx`, `services.postgresql`, etc.) instead of manual configuration whenever possible.
+ - For each service, ensure you:
+ - Set `enable = true;` if it’s needed,
+ - Provide configuration in the same module file or a dedicated file if it’s complex.
+ - Keep service-specific secrets (e.g., database passwords) out of the main config by referencing environment variables or a secret management solution.
+
+ 7. **Package Management & Overlays**
+ - Place packages you need system-wide into `environment.systemPackages`.
+ - For overriding or extending packages from `nixpkgs`, use the [overlays](https://nixos.wiki/wiki/Overlays) mechanism:
+ ```nix
+ self: super: {
+ myPackage = super.callPackage ./pkgs/my-package { };
+ }
+ ```
+ - Maintain a dedicated `overlays/` folder if you have multiple custom overlays.
+
+ 8. **Customization & Extensions**
+ - Use `environment.etc` or NixOS options to create or manage custom config files in `/etc/`.
+ - For advanced use cases, you can define your own modules to unify logic for related settings or services.
+ - Document each module with comments about what it configures and why.
+
+ 9. **Testing & Deployment**
+ - Use the `nixos-rebuild test` command to evaluate changes without fully switching.
+ - If using Flakes, run `nixos-rebuild test --flake .#`.
+ - Test critical services after switching (e.g., `systemctl status service-name`).
+ - Consider building virtual machines via `nixos-rebuild build-vm` or [NixOS tests](https://nixos.org/manual/nixos/stable/index.html#sec-nixos-tests) to validate complex changes.
+
+ 10. **Output Format**
+ - Present any generated Nix configuration as well-structured `.nix` files, referencing them in a central place (`configuration.nix` or `flake.nix`).
+ - When explaining your reasoning, describe which modules or options you chose and why (e.g., “I separated `networking.nix` to isolate network settings from system services.”).
+ - If you modify existing files, specify precisely which lines or sections have changed, and why you made those changes.
+
+ Please follow these guidelines to ensure the generated or explained NixOS configuration adheres to best practices for maintainability, modularity, and security.
+
+debug: false
+improved_debug: false
+
+preview_changes: false
+interactive_file_selection: false
+partial_acceptance: false
+
+enable_debug_commands: false
+prompt_char_limit: 300000
+enable_step_by_step: true
diff --git a/.gitignore b/.gitignore
index a829438..002aa00 100644
--- a/.gitignore
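Review bot: Removing `-directories:` / `- - "hosts/nb"` drops the only restriction on which files this tool reads, while the new keys set `interactive_file_selection: false` and raise the budget to `prompt_char_limit: 300000`, so if the tool falls back to the whole working tree when `directories` is unset, every file in the repository is sent to the model, not just the `hosts/nb` tree the old config allowed. `fleet.nix` and `hosts/fw/modules/wireguard.nix` carry only public keys, but the same scope would also cover any local secret or `.env` material that the `.gitignore` hunk implies exists on disk, since an ignore rule does not stop a local tool from reading a file. If the wider scope is intended, say so next to the new flags, e.g. `# directories deliberately unset: the whole checkout is passed to the model`; otherwise restore a `directories:` list naming the trees that may be exposed. Separately, `outputs.nixosConfigurations. = { ... }`, `--flake .#` and `users.users..extraGroups` in the prompt text read as though a `<hostname>`/`<user>` placeholder was lost, possibly in rendering; worth checking the committed file.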
+++ b/.gitignore
@@ -5,3 +5,4 @@ raspberry/.env
 raspberry/result
 esphome/trash
+esphome/.esphome
diff --git a/fleet.nix b/fleet.nix
index 1b50d9c..2d4c0a0 100644
--- a/fleet.nix
+++ b/fleet.nix
@@ -39,6 +39,10 @@
 username = "fw-new";
 key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILnb9todh2b+c3iCmEz72smRwL37aZf3Xs3voT7+PLTP";
 }
+ {
+ username = "gpd-win4";
+ key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILjfS2DtS8PQgkf86dU+EVu5t+r/QlCWmY7+RPYprQrO";
+ }
 ];
 in {
 imports = builtins.map create_users users;
diff --git a/hosts/fw/modules/wireguard.nix b/hosts/fw/modules/wireguard.nix
index 6b4680c..333bf97 100644
--- a/hosts/fw/modules/wireguard.nix
+++ b/hosts/fw/modules/wireguard.nix
@@ -21,6 +21,10 @@
 publicKey = "nkm10abmwt2G8gJXnpqel6QW5T8aSaxiqqGjE8va/A0=";
 allowedIPs = [ "${config.networkPrefix}.98.202/32" ];
 }
+ { # GPD Win 4
+ publicKey = "HE4eX4IMKG8eRDzcriy6XdIPV71uBY5VTqjKzfHPsFI=";
+ allowedIPs = [ "${config.networkPrefix}.98.203/32" ];
+ }
 ];
 };
 wg_epicenter = {
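Review bot: The new `users` entry `{ username = "gpd-win4"; key = "ssh-ed25519 …"; }` records neither who holds the private key nor when it was added, so when the device is retired or the key is rotated there is nothing to tell this entry apart from the `fw-new` one above it, which by its name already looks like a rotated key left alongside an older one; the same applies to the `publicKey` added in `hosts/fw/modules/wireguard.nix`. A one-line comment on each entry is enough to make later revocation traceable, e.g. `{ # GPD Win 4 — <owner>, added 2025-02; WireGuard peer .98.203 in hosts/fw/modules/wireguard.nix`. The `let users = [` binding and `create_users`, which decide what privileges the entry actually grants, start outside the hunk, so the effect of adding a device name as a login username cannot be judged here.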
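Review bot: The same device is added twice in this commit, as a `users` entry in `fleet.nix` and as a WireGuard peer here with `allowedIPs = [ "${config.networkPrefix}.98.203/32" ]`, and the only thing linking the two records is the `# GPD Win 4` comment and the commit message. Because peer removal is how a WireGuard key is revoked, a stale entry in one file and not the other is the likely failure mode of this hand-maintained pair, so either the comment should name the matching `fleet.nix` username (`{ # GPD Win 4 (fleet.nix user gpd-win4)`) or both lists should be derived from one per-host attribute set that holds the SSH key, the WireGuard public key and the tunnel address together. Pinning the peer to a single `/32` is correct as written; the enclosing interface definition begins before the hunk, so whether this peer is reachable beyond the tunnel is not visible here.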