enable cloudflare IP filtering

forgot to turn this on before

flake.nix

@@ -162,28 +162,27 @@
       # Disk formatting, only used once
       diskoConfigurations = { root = import ./disks/root.nix; };
 
-      # Other packages, such as system images or programs
+      packages = let
-      packages = forAllSystems (system: {
+        aws = system:
-
+          import ./generators/aws { inherit inputs globals overlays system; };
-        # Package servers into images with a generator
+        staff = system:
-        aws = {
+          import ./generators/staff { inherit inputs globals overlays system; };
-          "${system}" =
+        neovim = system:
-            import ./generators/aws { inherit inputs globals system overlays; };
+          let pkgs = import nixpkgs { inherit system overlays; };
-        };
-        staff = {
-          "${system}" = import ./generators/staff {
-            inherit inputs globals system overlays;
-          };
-        };
-
-        # Package Neovim config into standalone package
-        neovim = let pkgs = import nixpkgs { inherit system overlays; };
           in import ./modules/common/neovim/package {
             inherit pkgs;
             colors = (import ./colorscheme/gruvbox-dark).dark;
           };
+      in {
+        x86_64-linux.aws = aws "x86_64-linux";
+        x86_64-linux.staff = staff "x86_64-linux";
 
-      });
+        # Package Neovim config into standalone package
+        x86_64-linux.neovim = neovim "x86_64-linux";
+        x86_64-darwin.neovim = neovim "x86_64-darwin";
+        aarch64-linux.neovim = neovim "aarch64-linux";
+        aarch64-darwin.neovim = neovim "aarch64-darwin";
+      };
 
       # Programs that can be run by calling this flake
       apps = forAllSystems (system:
@@ -208,8 +207,6 @@
             buildInputs = with pkgs; [ git stylua nixfmt shfmt shellcheck ];
           };
 
-          test = pkgs.mkShell { buildInputs = with pkgs; [ age ]; };
-
           # Used for cloud and systems development and administration
           devops = pkgs.mkShell {
             buildInputs = with pkgs; [

generators/aws/default.nix

@@ -1,4 +1,4 @@
-{ inputs, globals, ... }:
+{ inputs, system, globals, overlays, ... }:
 
 with inputs;
 
@@ -8,6 +8,7 @@ nixos-generators.nixosGenerate {
   modules = [
     home-manager.nixosModules.home-manager
     {
+      nixpkgs.overlays = overlays;
       user = globals.user;
       fullName = globals.fullName;
       dotfilesRepo = globals.dotfilesRepo;
@@ -15,7 +16,7 @@ nixos-generators.nixosGenerate {
       gitEmail = globals.gitEmail;
       networking.hostName = "sheep";
       gui.enable = false;
-      colorscheme = (import ../colorscheme/gruvbox);
+      theme.colors = (import ../../colorscheme/gruvbox).dark;
       passwordHash = null;
       publicKey =
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s";
@@ -24,7 +25,7 @@ nixos-generators.nixosGenerate {
     }
     ../../modules/common
     ../../modules/nixos
-    ../../modules/common/services/sshd.nix
+    ../../modules/nixos/services/sshd.nix
   ] ++ [
     # Required to fix diskSize errors during build
     ({ ... }: { amazonImage.sizeMB = 16 * 1024; })

generators/staff/default.nix

@@ -34,9 +34,7 @@ nixos-generators.nixosGenerate {
         curl
         (import ../../modules/common/neovim/package {
           inherit pkgs;
-          # colors = import ../../colorscheme/gruvbox.dark.neovimConfig {
+          colors = (import ../../colorscheme/gruvbox).dark;
-          #   inherit pkgs;
-          # };
         })
       ];
     nix.extraOptions = ''

hosts/flame/default.nix

@@ -28,10 +28,6 @@ nixpkgs.lib.nixosSystem {
 
       # FQDNs for various services
       networking.hostName = "flame";
-      bookServer = "books.masu.rs";
-      # streamServer = "stream.masu.rs";
-      nextcloudServer = "cloud.masu.rs";
-      transmissionServer = "download.masu.rs";
       metricsServer = "metrics.masu.rs";
       vaultwardenServer = "vault.masu.rs";
       giteaServer = "git.masu.rs";
@@ -47,40 +43,40 @@ nixpkgs.lib.nixosSystem {
         accessKeyId = "0026b0e73b2e2c80000000005";
       };
 
-      # Grant access to Jellyfin directories from Nextcloud
+      # # Grant access to Jellyfin directories from Nextcloud
-      users.users.nextcloud.extraGroups = [ "jellyfin" ];
+      # users.users.nextcloud.extraGroups = [ "jellyfin" ];
 
-      # Wireguard config for Transmission
+      # # Wireguard config for Transmission
-      wireguard.enable = true;
+      # wireguard.enable = true;
-      networking.wireguard.interfaces.wg0 = {
+      # networking.wireguard.interfaces.wg0 = {
+      #
+      #   # The local IPs for this machine within the Wireguard network
+      #   # Any inbound traffic bound for these IPs should be kept on localhost
+      #   ips = [ "10.66.13.200/32" "fc00:bbbb:bbbb:bb01::3:dc7/128" ];
+      #
+      #   peers = [{
+      #
+      #     # Identity of Wireguard target peer (VPN)
+      #     publicKey = "bOOP5lIjqCdDx5t+mP/kEcSbHS4cZqE0rMlBI178lyY=";
+      #
+      #     # The public internet address of the target peer
+      #     endpoint = "86.106.143.132:51820";
+      #
+      #     # Which outgoing IP ranges should be sent through Wireguard
+      #     allowedIPs = [ "0.0.0.0/0" "::0/0" ];
+      #
+      #     # Send heartbeat signal within the network
+      #     persistentKeepalive = 25;
+      #
+      #   }];
+      #
+      # };
 
-        # The local IPs for this machine within the Wireguard network
+      # # VPN port forwarding
-        # Any inbound traffic bound for these IPs should be kept on localhost
+      # services.transmission.settings.peer-port = 57599;
-        ips = [ "10.66.13.200/32" "fc00:bbbb:bbbb:bb01::3:dc7/128" ];
 
-        peers = [{
+      # # Grant access to Transmission directories from Jellyfin
-
+      # users.users.jellyfin.extraGroups = [ "transmission" ];
-          # Identity of Wireguard target peer (VPN)
-          publicKey = "bOOP5lIjqCdDx5t+mP/kEcSbHS4cZqE0rMlBI178lyY=";
-
-          # The public internet address of the target peer
-          endpoint = "86.106.143.132:51820";
-
-          # Which outgoing IP ranges should be sent through Wireguard
-          allowedIPs = [ "0.0.0.0/0" "::0/0" ];
-
-          # Send heartbeat signal within the network
-          persistentKeepalive = 25;
-
-        }];
-
-      };
-
-      # VPN port forwarding
-      services.transmission.settings.peer-port = 57599;
-
-      # Grant access to Transmission directories from Jellyfin
-      users.users.jellyfin.extraGroups = [ "transmission" ];
 
       # Proxy traffic with Cloudflare
       cloudflare.enable = true;

hosts/swan/default.nix

@@ -39,10 +39,12 @@ nixpkgs.lib.nixosSystem {
       nixpkgs.overlays = overlays;
       neovim.enable = true;
       caddy.enable = true;
+      cloudflare.enable = true;
       streamServer = "stream.masu.rs";
       nextcloudServer = "cloud.masu.rs";
       bookServer = "books.masu.rs";
       arrServer = "download.masu.rs";
+      transmissionServer = "download.masu.rs";
       samba.enable = true;
 
       backup.s3 = {

modules/nixos/services/jellyfin.nix

@@ -11,6 +11,10 @@
   config = lib.mkIf (config.streamServer != null) {
 
     services.jellyfin.enable = true;
+    users.users.jellyfin = {
+      isSystemUser = true;
+      group = "jellyfin";
+    };
 
     caddy.routes = [{
       match = [{ host = [ config.streamServer ]; }];

modules/nixos/services/nextcloud.nix

@@ -14,7 +14,7 @@
 
     services.nextcloud = {
       enable = true;
-      package = pkgs.nextcloud25; # Required to specify
+      package = pkgs.nextcloud26; # Required to specify
       datadir = "/data/nextcloud";
       https = true;
       hostName = "localhost";

modules/nixos/services/vaultwarden.nix

@@ -38,7 +38,7 @@ in {
     };
 
     secrets.vaultwarden = {
-      source = ../../private/vaultwarden.age;
+      source = ../../../private/vaultwarden.age;
       dest = "${config.secretsDirectory}/vaultwarden";
       owner = "vaultwarden";
       group = "vaultwarden";