From ad0c74b801af11f98e3808cbdf30ff10ad2c7a34 Mon Sep 17 00:00:00 2001
From: Ellie <6687206+wizzeh@users.noreply.github.com>
Date: Tue, 24 Feb 2026 21:44:37 -0800
Subject: [PATCH 1/2] yay

---
 common.nix | 2 +-
 flake.nix | 1 -
 services/wireguard-outer.nix | 13 +++++++++++++
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/common.nix b/common.nix
index 1f5cef1..82c30e3 100644
--- a/common.nix
+++ b/common.nix
@@ -24,7 +24,7 @@
 PasswordAuthentication = false;
 KbdInteractiveAuthentication = false;
 PermitRootLogin = "no";
- AllowUsers = [ "ellie" "forgejo" ];
+ AllowUsers = [ "ellie" "forgejo" "borg" ];
 };
 extraConfig = ''
 Match User forgejo Address 10.10.0.1
diff --git a/flake.nix b/flake.nix
index 215818c..ab82480 100644
--- a/flake.nix
+++ b/flake.nix
@@ -86,7 +86,6 @@
 ./services/coturn.nix
 ./services/wireguard-outer.nix
 ./services/borgbackup-vps.nix
- ./services/syncthing-relay.nix
 ];
 };
 
diff --git a/services/wireguard-outer.nix b/services/wireguard-outer.nix
index 03957ec..c4b80bc 100644
--- a/services/wireguard-outer.nix
+++ b/services/wireguard-outer.nix
@@ -1,6 +1,8 @@
 { lib, pkgs, config, ... }:
 
 {
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+
 sops.secrets."wireguard/private_key" = {
 sopsFile = ./secrets/wireguard_vps.yaml;
 mode = "0400";
@@ -21,9 +23,20 @@
 
 peers = [
 {
+ # Home server
 publicKey = "s2plHABMTF83iqrCHlQ+o5ieJSAfudx3upm3v77y1DI=";
 allowedIPs = [ "10.10.0.2/32" ];
 }
+ {
+ # Desktop
+ publicKey = "nMQY5RsyTkUi3p6i8pElY9b2Z0vFEeSUdqtw7eQnbQM=";
+ allowedIPs = [ "10.10.0.3/32" ];
+ }
+ {
+ # Phone
+ publicKey = "4MDcBaF7oafv5ZC2fjgFHuXnrpwaRglM7fmSw7zo6CQ=";
+ allowedIPs = [ "10.10.0.4/32" ];
+ }
 ];
 };
 
From ae93cac1d683fd34fed1659484fd17f927f3ba01 Mon Sep 17 00:00:00 2001
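Review bot: The new `borg` entry in `AllowUsers` gets none of the per-user restrictions that the adjacent `extraConfig` applies to `forgejo` (`AllowTcpForwarding no`, `X11Forwarding no`, `PermitTunnel no`), so a backup key that is lost or leaked yields an unrestricted sshd session on every host that imports common.nix, presumably all of them. If the account only ever runs `borg serve`, a `Match User borg` block carrying those three directives, plus a `ForceCommand` that pins `borg serve --restrict-to-path` to the repository directory, would bound what the key can do, unless that restriction already lives in the account's `authorized_keys`, which is not visible here. The second patch's common.nix hunk then deletes the `forgejo` Match block altogether, so after both patches no user has any per-user hardening at all; the same note applies there. The enclosing `services.openssh` attribute set (presumably) starts outside the hunk.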
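Review bot: `boot.kernel.sysctl."net.ipv4.ip_forward" = 1;` turns on forwarding for every interface on the VPS, not just between wg0 peers, and nothing in the hunk pairs it with a forward-chain policy; if the host firewall leaves FORWARD open, the VPS will route whatever traffic it accepts. If the intent is hub-and-spoke reachability between the peers added in the next hunk, restrict forwarding to wg0 in the firewall (an nftables rule of the form `iifname "wg0" oifname "wg0" accept` with a drop default, or the iptables equivalent) and record the reason next to the sysctl, e.g. `# hub-and-spoke: let wg0 peers (home/desktop/phone) reach each other via the VPS`. The IPv6 forwarding sysctl is untouched, which is fine only if the tunnel carries IPv4 exclusively. The module's top-level attribute set continues outside the hunk.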
From: Ellie <6687206+wizzeh@users.noreply.github.com>
Date: Tue, 24 Feb 2026 21:52:15 -0800
Subject: [PATCH 2/2] whatever

---
 common.nix | 8 +-------
 services/forgejo.nix | 14 +++-----------
 services/wireguard-outer.nix | 2 +-
 3 files changed, 5 insertions(+), 19 deletions(-)

diff --git a/common.nix b/common.nix
index 82c30e3..6c6fa21 100644
--- a/common.nix
+++ b/common.nix
@@ -24,14 +24,8 @@
 PasswordAuthentication = false;
 KbdInteractiveAuthentication = false;
 PermitRootLogin = "no";
- AllowUsers = [ "ellie" "forgejo" "borg" ];
+ AllowUsers = [ "ellie" "borg" ];
 };
- extraConfig = ''
- Match User forgejo Address 10.10.0.1
- AllowTcpForwarding no
- X11Forwarding no
- PermitTunnel no
- '';
 };
 
 services.fail2ban = {
diff --git a/services/forgejo.nix b/services/forgejo.nix
index e34b984..0009360 100644
--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@@ -1,17 +1,8 @@
 { ... }:
 
 {
- systemd.services.forgejo = {
- wants = [ "network-online.target" ];
- after = [ "network-online.target" ];
- preStart = ''
- mkdir -p /var/lib/forgejo/.ssh
- chmod 700 /var/lib/forgejo/.ssh
- '';
- };
-
 networking.firewall.interfaces.wg0.allowedTCPPorts = [
- 22
+ 2222
 3000
 ];
 
@@ -24,9 +15,10 @@
 ROOT_URL = "https://forgejo.ellie.town/";
 HTTP_ADDR = "10.10.0.2";
 HTTP_PORT = 3000;
- START_SSH_SERVER = false;
+ START_SSH_SERVER = true;
 SSH_DOMAIN = "forgejo.ellie.town";
 SSH_PORT = 2222;
+ SSH_LISTEN_PORT = 2222;
 };
 };
 }
diff --git a/services/wireguard-outer.nix b/services/wireguard-outer.nix
index c4b80bc..1c6d072 100644
--- a/services/wireguard-outer.nix
+++ b/services/wireguard-outer.nix
@@ -110,7 +110,7 @@
 }
 
 upstream forgejo_ssh {
- server 10.10.0.2:22;
+ server 10.10.0.2:2222;
 }
 server {
 listen 2222;
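Review bot: Removing `wants`/`after = [ "network-online.target" ]` drops the only start-up ordering the service had, while it still binds `HTTP_ADDR = "10.10.0.2"` (a wg0 address, going by the peer list in wireguard-outer.nix) and, after this patch, its own SSH listener on 2222 as well; if the WireGuard address is not yet assigned when forgejo starts, the bind can fail and the unit stays down until a restart. If the override was deleted only because the built-in SSH server no longer needs `/var/lib/forgejo/.ssh`, keep an ordering line and point it at the unit that brings up wg0 (its name depends on how wg0 is configured, which is outside this patch) rather than at network-online, which does not necessarily wait for the tunnel. The firewall change itself is consistent: 2222 is opened on wg0 only, matching the VPS stream proxy's new upstream port. The module's top-level attribute set continues past the hunk.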
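Review bot: `START_SSH_SERVER = true` with `SSH_LISTEN_PORT = 2222` but no `SSH_LISTEN_HOST` leaves the built-in SSH server's bind address at Forgejo's default, so unlike the HTTP listener pinned to `HTTP_ADDR = "10.10.0.2"` it may accept connections on every interface; the firewall hunk above opens 2222 on wg0 only, so what is reachable elsewhere depends on the host's default policy rather than on this file. Adding `SSH_LISTEN_HOST = "10.10.0.2";` next to `SSH_LISTEN_PORT` makes the exposure explicit and independent of the firewall. A short comment such as `# git-over-ssh is served by Forgejo on 2222 (reached through the VPS stream proxy), not by system sshd` would also explain why `SSH_PORT` and `SSH_LISTEN_PORT` are set to the same value. The enclosing `settings` attribute set starts outside the hunk.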
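Review bot: With the upstream now pointing at Forgejo's built-in SSH server, every connection accepted by the public `listen 2222;` stream proxy arrives at 10.10.0.2 with the VPS's wg0 address as its source, so Forgejo's logs and any fail2ban jail on the home side (`services.fail2ban` is set in the shared common.nix) see one client and cannot rate-limit or ban individual remote addresses. If Forgejo's SSH listener is configured to accept PROXY protocol, `proxy_protocol on;` in this `server` block would preserve the real client address; if not, a connection rate limit in the VPS stream block, where the source address is still visible, is the alternative. A comment on the upstream, `# Forgejo's built-in SSH server (SSH_LISTEN_PORT), not system sshd`, would record why the port moved off 22. The `server` block and the Nix string that holds this nginx config continue outside the hunk.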