add host to wireguard
@@ -3,8 +3,104 @@ default_prompt_blocks:
|
|||||||
- "basic-prompt"
|
- "basic-prompt"
|
||||||
- "secure-coding"
|
- "secure-coding"
|
||||||
initial_prompt: |
|
initial_prompt: |
|
||||||
You are a NixOS expert.
|
You are helping me build or refine a NixOS configuration (potentially with Nix Flakes). Please keep the following points in mind when generating or explaining code:
|
||||||
You are tasked with maintaining the configuration for the infrastructure of a company.
|
|
||||||
Keep best practices in mind and make sure the configuration is secure.
|
1. **Project & Directory Structure**
|
||||||
directories:
|
- For single-host configurations, you may have a simple structure like:
|
||||||
- "hosts/nb"
|
```
|
||||||
|
/etc/nixos/
|
||||||
|
├── configuration.nix
|
||||||
|
├── hardware-configuration.nix
|
||||||
|
└── other-module.nix
|
||||||
|
```
|
||||||
|
- For multi-host setups or more complex deployments, consider **modules** in a dedicated folder:
|
||||||
|
```
|
||||||
|
my-nix-config/
|
||||||
|
├── flake.nix # (if using Flakes)
|
||||||
|
├── hosts/
|
||||||
|
│ ├── hostname1/
|
||||||
|
│ │ └── configuration.nix
|
||||||
|
│ └── hostname2/
|
||||||
|
│ └── configuration.nix
|
||||||
|
├── modules/
|
||||||
|
│ ├── networking.nix
|
||||||
|
│ ├── services.nix
|
||||||
|
│ ├── users.nix
|
||||||
|
│ └── ...
|
||||||
|
└── hardware/
|
||||||
|
└── hardware-configuration-<machine>.nix
|
||||||
|
```
|
||||||
|
- Split large configurations into multiple `.nix` files or modules for clarity. Import them in a top-level `configuration.nix` or `flake.nix`.
|
||||||
|
|
||||||
|
2. **Nix Flakes (Optional)**
|
||||||
|
- If using Flakes, include a top-level `flake.nix` defining your outputs:
|
||||||
|
- `outputs.nixosConfigurations.<hostname> = { ... }`
|
||||||
|
- Reference your system with something like `nixos-rebuild switch --flake .#<hostname>`.
|
||||||
|
- Keep pinned inputs (e.g., `nixpkgs` at a particular commit) in your `flake.lock` to ensure reproducibility.
|
||||||
|
|
||||||
|
3. **System Configuration & Modules**
|
||||||
|
- Place typical NixOS settings (e.g., `networking.hostName`, `time.timeZone`, `environment.systemPackages`, etc.) in `configuration.nix` or a modular file structure.
|
||||||
|
- Use [NixOS modules](https://nixos.org/manual/nixos/stable/index.html#sec-writing-modules) to separate concerns. For example:
|
||||||
|
- `networking.nix` for network settings,
|
||||||
|
- `users.nix` for user/group management,
|
||||||
|
- `services.nix` for enabling/configuring system services.
|
||||||
|
- If you have custom logic or package overlays, keep them in separate files (e.g., `overlays.nix`).
|
||||||
|
|
||||||
|
4. **Home Manager Integration (Optional)**
|
||||||
|
- For user-level configuration (e.g., dotfiles, user-specific packages), consider integrating [Home Manager](https://nix-community.github.io/home-manager/) either as a standalone or via Flakes.
|
||||||
|
- Keep Home Manager configs in a separate `home.nix` file, referencing it in your main configuration or flake outputs.
|
||||||
|
|
||||||
|
5. **Security & Secrets Management**
|
||||||
|
- Avoid committing plain-text secrets (passwords, tokens) to version control.
|
||||||
|
- Consider using [sops-nix](https://github.com/Mic92/sops-nix) or other secret management solutions to encrypt sensitive files.
|
||||||
|
- Enable recommended security settings, such as:
|
||||||
|
- `security.sudo.wheelNeedsPassword = true`
|
||||||
|
- `security.rtkit.enable = true`
|
||||||
|
- `users.users.<name>.extraGroups` to limit privileges.
|
||||||
|
- Regularly update your `nixpkgs` channel or flake inputs for the latest security patches.
|
||||||
|
|
||||||
|
6. **System Services & Daemons**
|
||||||
|
- Use built-in NixOS modules for services (e.g., `services.nginx`, `services.postgresql`, etc.) instead of manual configuration whenever possible.
|
||||||
|
- For each service, ensure you:
|
||||||
|
- Set `enable = true;` if it’s needed,
|
||||||
|
- Provide configuration in the same module file or a dedicated file if it’s complex.
|
||||||
|
- Keep service-specific secrets (e.g., database passwords) out of the main config by referencing environment variables or a secret management solution.
|
||||||
|
|
||||||
|
7. **Package Management & Overlays**
|
||||||
|
- Place packages you need system-wide into `environment.systemPackages`.
|
||||||
|
- For overriding or extending packages from `nixpkgs`, use the [overlays](https://nixos.wiki/wiki/Overlays) mechanism:
|
||||||
|
```nix
|
||||||
|
self: super: {
|
||||||
|
myPackage = super.callPackage ./pkgs/my-package { };
|
||||||
|
}
|
||||||
|
```
|
||||||
|
- Maintain a dedicated `overlays/` folder if you have multiple custom overlays.
|
||||||
|
|
||||||
|
8. **Customization & Extensions**
|
||||||
|
- Use `environment.etc` or NixOS options to create or manage custom config files in `/etc/`.
|
||||||
|
- For advanced use cases, you can define your own modules to unify logic for related settings or services.
|
||||||
|
- Document each module with comments about what it configures and why.
|
||||||
|
|
||||||
|
9. **Testing & Deployment**
|
||||||
|
- Use the `nixos-rebuild test` command to evaluate changes without fully switching.
|
||||||
|
- If using Flakes, run `nixos-rebuild test --flake .#<hostname>`.
|
||||||
|
- Test critical services after switching (e.g., `systemctl status service-name`).
|
||||||
|
- Consider building virtual machines via `nixos-rebuild build-vm` or [NixOS tests](https://nixos.org/manual/nixos/stable/index.html#sec-nixos-tests) to validate complex changes.
|
||||||
|
|
||||||
|
10. **Output Format**
|
||||||
|
- Present any generated Nix configuration as well-structured `.nix` files, referencing them in a central place (`configuration.nix` or `flake.nix`).
|
||||||
|
- When explaining your reasoning, describe which modules or options you chose and why (e.g., “I separated `networking.nix` to isolate network settings from system services.”).
|
||||||
|
- If you modify existing files, specify precisely which lines or sections have changed, and why you made those changes.
|
||||||
|
|
||||||
|
Please follow these guidelines to ensure the generated or explained NixOS configuration adheres to best practices for maintainability, modularity, and security.
|
||||||
|
|
||||||
|
debug: false
|
||||||
|
improved_debug: false
|
||||||
|
|
||||||
|
preview_changes: false
|
||||||
|
interactive_file_selection: false
|
||||||
|
partial_acceptance: false
|
||||||
|
|
||||||
|
enable_debug_commands: false
|
||||||
|
prompt_char_limit: 300000
|
||||||
|
enable_step_by_step: true
|
||||||
|
|||||||
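Review bot: in section 5 of the added prompt, `security.rtkit.enable = true` and `users.users.<name>.extraGroups` are presented as recommended security settings, but rtkit only hands realtime scheduling to audio processes and `extraGroups` adds group memberships (i.e. privileges) rather than limiting them, so an assistant following this text will emit misleading hardening advice. Suggest swapping them for options that actually reduce exposure, for example `networking.firewall.enable = true;` and `services.openssh.settings.PasswordAuthentication = false;`, and rewording the `extraGroups` bullet to "keep `extraGroups` minimal". Section 9 also says `nixos-rebuild test` evaluates changes "without fully switching"; it does activate the new configuration (it only skips adding a boot entry), so `nixos-rebuild dry-build` or `nixos-rebuild build` is the non-activating step to recommend.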
1
.gitignore
vendored
@@ -5,3 +5,4 @@ raspberry/.env
|
|||||||
raspberry/result
|
raspberry/result
|
||||||
|
|
||||||
esphome/trash
|
esphome/trash
|
||||||
|
esphome/.esphome
|
||||||
|
|||||||
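Review bot: the new `esphome/.esphome` entry (like `esphome/trash` above it) ignores a path that is a directory, since `.esphome` is ESPHome's build cache; writing it as `esphome/.esphome/` restricts the pattern to directories and makes the intent explicit, in the same way `raspberry/.env` in the hunk header is clearly a deliberately ignored secrets file.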
@@ -39,6 +39,10 @@
|
|||||||
username = "fw-new";
|
username = "fw-new";
|
||||||
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILnb9todh2b+c3iCmEz72smRwL37aZf3Xs3voT7+PLTP";
|
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILnb9todh2b+c3iCmEz72smRwL37aZf3Xs3voT7+PLTP";
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
username = "gpd-win4";
|
||||||
|
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILjfS2DtS8PQgkf86dU+EVu5t+r/QlCWmY7+RPYprQrO";
|
||||||
|
}
|
||||||
];
|
];
|
||||||
in {
|
in {
|
||||||
imports = builtins.map create_users users;
|
imports = builtins.map create_users users;
|
||||||
|
|||||||
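Review bot: the new `gpd-win4` entry has no comment recording which device or person holds the matching private key, unlike the `# GPD Win 4` label used for the WireGuard peer added in the same commit; since `imports = builtins.map create_users users;` turns every list entry into a login account, please label it so the key can be revoked cleanly later, and confirm that `create_users` does not grant groups this host does not need (such as `wheel`) by default. Committing the ssh-ed25519 public key itself is fine.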
@@ -21,6 +21,10 @@
|
|||||||
publicKey = "nkm10abmwt2G8gJXnpqel6QW5T8aSaxiqqGjE8va/A0=";
|
publicKey = "nkm10abmwt2G8gJXnpqel6QW5T8aSaxiqqGjE8va/A0=";
|
||||||
allowedIPs = [ "${config.networkPrefix}.98.202/32" ];
|
allowedIPs = [ "${config.networkPrefix}.98.202/32" ];
|
||||||
}
|
}
|
||||||
|
{ # GPD Win 4
|
||||||
|
publicKey = "HE4eX4IMKG8eRDzcriy6XdIPV71uBY5VTqjKzfHPsFI=";
|
||||||
|
allowedIPs = [ "${config.networkPrefix}.98.203/32" ];
|
||||||
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
wg_epicenter = {
|
wg_epicenter = {
|
||||||
|
|||||||
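Review bot: the new peer is labelled `# GPD Win 4` while the existing `.98.202` peer just above it carries no label; consider labelling every peer in this list so a key can be tied to a device when it has to be rotated or removed. The `/32` in `allowedIPs = [ "${config.networkPrefix}.98.203/32" ];` correctly pins the peer to a single address; please confirm `.98.203` is the address configured on the gpd-win4 side and is not already assigned to another peer, since nothing in this file prevents a duplicate.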