116 current 2025-10-08 19:06:36 25.05.20251006.20c4598 6.12.50 *

flake.lock

@@ -23,11 +23,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1759281824,
+        "lastModified": 1759735786,
-        "narHash": "sha256-FIBE1qXv9TKvSNwst6FumyHwCRH3BlWDpfsnqRDCll0=",
+        "narHash": "sha256-a0+h02lyP2KwSNrZz4wLJTu9ikujNsTWIC874Bv7IJ0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "5b5be50345d4113d04ba58c444348849f5585b4a",
+        "rev": "20c4598c84a671783f741e02bf05cbfaf4907cff",
         "type": "github"
       },
       "original": {

flake.nix

@@ -1,6 +1,6 @@
 # flake for blakes nixos config
 # define new devices in outputs
-# generation: 93 current  2025-10-08 13:43:38  25.05.20251001.5b5be50  6.12.49                          *
+# generation: 116 current  2025-10-08 19:06:36  25.05.20251006.20c4598  6.12.50                          *
 {
   description = "blakes nix config";
   inputs = {

hosts/snowbelle/configuration.nix

@@ -19,8 +19,7 @@
       syncthing.enable = true;
       tailscale.enable = true;
       vpns.enable = true;
-      vpns.openvpn_pia_mexico = false;
+      vpns.wg_mex = false;
-      vpns.wg_pia_mexico = false;
       nvidia.enable = true;
     };
     homelab = {
@@ -50,7 +49,8 @@
   users.groups.media = { gid = 700; };
 
   # testing!
-  boot.plymouth.enable = false;
+  #boot.kernelParams = [ "quiet" ];  # remove splash
+  #boot.plymouth.enable = true;
   boot.initrd.systemd.enable = true;  # optional, for nicer initrd logs
 
 

modules/homelab/nginx-proxy.nix

@@ -24,12 +24,15 @@ in
     # nginx secrets
     sops.secrets = {
       "ssl_blakedheld_crt" = {
+        restartUnits = [ "nginx.service" ];
         owner = "nginx";
         group = "nginx";
+#        neededForUsers = true;
       };
       "ssl_blakedheld_key" = {
         owner = "nginx";
         group = "nginx";
+#        neededForUsers = true;
       };
     };
   };

modules/homelab/services/gitea/default.nix

@@ -101,6 +101,7 @@ in
       "gitea_database_password" = {
         owner = "gitea";
         group = "gitea";
+#        neededForUsers = true;
       };
     };
 

modules/homelab/zfs.nix

@@ -28,6 +28,7 @@ in
     fileSystems."/holocron" = {
       device = "holocron";
       fsType = "zfs";
+      options = [ "nofail" ];
     };
   };
 

modules/system/nvidia.nix

@@ -11,6 +11,8 @@ in
   config = lib.mkIf cfg.enable {
 
     services.xserver.videoDrivers = [ "nvidia" ];
+      boot.kernelModules = [ "nvidia" "nvidia_modeset" "nvidia_uvm" "nvidia_drm" ];
+#      boot.kernelModules = [ "nvidia" ];
 
     hardware.graphics = {
       enable = true;

modules/system/sops.nix

@@ -15,12 +15,16 @@ in
     sops = {
       defaultSopsFile = ../../secrets/secrets.yaml;
       defaultSopsFormat = "yaml";
-      age.keyFile = "/home/blake/.config/sops/age/keys.txt";
+#      age.keyFile = "/home/blake/.config/sops/age/keys.txt";
-#        "blake_passwd" = lib.mkIf config.users.blake.enable { 
+      age.keyFile = "/etc/sops/keys.txt";
-#          owner = "root";
+
-#          group = "root";
+      secrets = {
-#          neededForUsers = true;
+        "blake_passwd" = lib.mkIf config.users.blake.enable { 
-#        };
+          owner = "root";
+          group = "root";
+          neededForUsers = true;
+        };
       };
     };
+  };
 }

modules/system/vpns.nix

@@ -13,7 +13,7 @@ in
       default = false;
       description = "enable pia vpn to mexico using openvpn";
     };
-     wg_pia_mexico = lib.mkOption {
+     wg_mex = lib.mkOption {
       type = lib.types.bool;
       default = false;
       description = "enable pia vpn to mexico using wireguard";
@@ -33,27 +33,38 @@ in
       };
     };
 
-    # enable pia mexico w/ wireguard
+    # enable mullvad mexico w/ wireguard
-    networking.wireguard.interfaces = lib.mkIf cfg.wg_pia_mexico {
+    networking.wg-quick.interfaces = lib.mkIf cfg.wg_mex {
-      wg_piamex = {
+      wg_mex = {
-        privateKeyFile = config.sops.secrets."wg_pia_mexico_key".path;
+        # client settings
-        listenPort = 51820;
+        table = "51820";
-        ips = [ "10.4.244.34/32" ];
+        privateKeyFile = config.sops.secrets."wg_mex_key".path;
-
+        address = [ "10.74.252.231/32" "fc00:bbbb:bbbb:bb01::b:fce6/128" ];
-        peers = [
+        dns = [ "10.64.0.1" ];
-          {
+        # remote settings
-            publicKey = "avK/Bdg+hyLMqP2k/7eEBTkxwCSzyy8FymwO/vFjbQg=";
+        peers = [ {
-            allowedIPs = [ "0.0.0.0/0" ];
+            publicKey = "yxyntWsANEwxeR0pOPNAcfWY7zEVICZe9G+GxortzEY=";
-            endpoint = "77.81.142.245:1337";
+            allowedIPs = [ "0.0.0.0/0" "::0/0" ];
+            endpoint = "149.88.22.129:51820";
             persistentKeepalive = 25;
-          }
+          } ];
-        ];
+#        postUp = ''
+#          ip rule add fwmark 0xca6c table 51820
+#          ip route add default dev wg_mex table 51820
+#          ip route add 10.10.0.0/24 dev enp89s0 table 51820
+#        '';
+#
+#        postDown = ''
+#          ip rule delete fwmark 0xca6c table 51820
+#          ip route flush table 51820
+#
+#        '';
       };
     };
 
     # secrets only if VPN is enabled
     sops.secrets = lib.mkIf cfg.enable {
-      "wg_pia_mexico_key" = { owner = "root"; group = "root"; };
+      "wg_mex_key" = { owner = "root"; group = "root"; };
       "pia_auth" = { owner = "root"; group = "root"; };
       "openvpn_pia_mexico_config" = {owner = "root"; group = "root"; };
  

secrets/secrets.yaml

@@ -11,9 +11,9 @@ ssl_blakedheld_key: ENC[AES256_GCM,data:Jhb2yiIYlfJ8mewzohseWQYZ2pEYy8x2c9B6OH/P
 #ENC[AES256_GCM,data:A0ITyGOGMIoyVOcn5JOi1RAtqUM=,iv:+wWpmFbeLiX/Ae53pj0QmnYY3MEzOMib4cqbePUKtGI=,tag:JHXvrN4bOH+oD3Q70pUuew==,type:comment]
 pia_auth: ENC[AES256_GCM,data:rwAu4f5XVS4v4FCLj2zXAegIZeRPLIzUVv6TCrdfg9RGSDJYHgVAX0aFXCBQsDQju9RDycXmc9Id8IuyYN8=,iv:kEA4ADQyUI+zlQoZOKi81dw5BLE1oesqhVf6bfiLgB4=,tag:VHT2uPNW27F3KRM7ZhWdCw==,type:str]
 #ENC[AES256_GCM,data:7y1mtYNfbsagqtr66kOx2rinneEW3EZaCJIXzK0qjLX36g==,iv:8ozXuBYirLbKd8sCln2xv/WjhTojY85xU0cL5NVeMlQ=,tag:mclz0GfQ9j2EGWMiQ62QmA==,type:comment]
-openvpn_pia_mexico_config: ENC[AES256_GCM,data:VsxrXpdrBpjP,iv:PIOTk/dADStM19EMwOsyoGBqy23eSoOCoiyUrd1obhQ=,tag:VP/gIg0by35glap3umK6uw==,type:str]
+openvpn_pia_mexico_config: ENC[AES256_GCM,data:59HQ3OZ0QKq92jI=,iv:DZTNvfi6kLXG7dsNkPcXUmXhAG2UdPZBy/L9eWNmRdE=,tag:ndxDDQNL2z1fjxFfU2VRwQ==,type:str]
 #ENC[AES256_GCM,data:mbIgMJBhL8nWJzl8q2dFL8XtO1Xa1Q==,iv:caYHYp1boK9wRgCcQe40HTWT/HxAIvYe+HyaruI53Vc=,tag:S6wowhAHObEcs7z8FimZ1g==,type:comment]
-wg_pia_mexico_key: ENC[AES256_GCM,data:bT5Vi8ZGtSG48bZ6UHSH8+4y/KBrRhVFDmA+0A9b1G9zLcQ0VwRtSOZ8bWc=,iv:Lo/vScSGQ0VbdAq14dQ8hrWK+LgH4hiUTP4Ndx/FNLE=,tag:+pSbZuXNxRaV13V4Df+M2g==,type:str]
+wg_mex_key: ENC[AES256_GCM,data:vxDXixo6X6D33+p21L4hB0/yCH+TvMHZl991BkRsE/jdz7rzZuJF+zI7h+Q=,iv:8WR+feHXNUcat8DB2wY7wpos+P7TzgRF7rFD0fYosjY=,tag:p9b9ck0/VZjyLxtHut3n5Q==,type:str]
 #ENC[AES256_GCM,data:CO5nrcDbgymnEmCvuTexOBEMncuNM5lQ,iv:6HrxqSN6e7ODuz09MIFgPbIqDCKQySRDaKk5Wdu4HoQ=,tag:JBRjZeEdOg+trohfanO6Mg==,type:comment]
 vaultwarden_admin_token: ENC[AES256_GCM,data:G1v3N064ci0Fw5EtTzaryailWpsv6f4w6eoHp2vjXIBtIlScdQk1Q0W+eDNRk8Wr2C3ysTXQNbyYismNsls+jeS3W+YqkKL4fnh3a5UTzQrMqvaH11n3ak0X9R9vmt+ZJXBrUrAOKJ6RPHJJSWenhjDB77kwEdQ=,iv:f8X+x/AdmZ3b3dtcSFrxGgA2tCgDRpgddjlVu3mdCmM=,tag:c0MXljVvhwOdvrb/8hWlsQ==,type:str]
 #ENC[AES256_GCM,data:2ESzSsQZqKdjD7OXN8ZPThj6g9acJREe,iv:aDFPB0vs8NNo8ExLcJw7qtQvWbCb1XK6TJrHSK86qss=,tag:z+dypHAGUjEXP7Y9MHYWwg==,type:comment]
@@ -29,7 +29,7 @@ sops:
             U0tmdFBuZnJES3piOTZNV0VKQmQ0eVUKCWRQ/flLzmpC64WyLoipklZBmrkpYiUg
             PRu+itNolpPTHm96pe+P93g2iP0wgekG0cX21wkiU2xaLF3dY2FEIA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-10-08T17:55:56Z"
+    lastmodified: "2025-10-08T20:46:50Z"
-    mac: ENC[AES256_GCM,data:Cut9mCck9q+9I4x1hI709TTVi2J/qJ2Lcs1C4/hya3JhsVAJQ7UR1NC19QbTsQzAmv5cpD6RzfGmATXo+9DUWkp/yiyQqfVIGw1UpiSzrQYMJPOb9uUWELgKvVTEf6xRjhIe1IgedcO1OefRhwMosk7q4DjLIIb6PsU2ibMjNts=,iv:wOS3aI2am+uKnRAorlSmDEjWu3YFB1SzbPae4jLAeyU=,tag:DHUxWQtp9EI34JykS+er2A==,type:str]
+    mac: ENC[AES256_GCM,data:kSWpiorgrx4Ohv/ZpUCKuBy+g3VZ95UjaOeotUwXJzao3qbHHAKIRLCJnlJPjMDyT3aZc8AF3urQunl65LDHYAisTV1LxTAeFSsWm4xkJ5DcyhvTHh1yxa+G9lGZ6mBQK60Hg92+fqwS43ObYz8hwoVeeKXc0ZSwDqI5d8gSF9o=,iv:gVonEcRQTupdLEYgAfgI10L86h6q+PFdgpLHNsLHB/8=,tag:Rd2nlookzmUc0ZWnC/f1Dg==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0

users/blake/blake.nix

@@ -24,7 +24,7 @@ in
       uid = 1000;
       shell = pkgs.zsh;
       group = "blake";
-#      hashedPasswordFile = config.sops.secrets."blake_passwd".path;
+      hashedPasswordFile = config.sops.secrets."blake_passwd".path;
       openssh.authorizedKeys.keys = [
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBK0AGJfZGyqW8/krvQV+PL7axcDW/EnKyHy9M8wryQx klefki"
         "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBPdC9cCX8awvA19Ri65fvbYjZYe8X1Ef+nOZAIv92AS6u4SkJYqOvPYfqRHXORNDpbzjTV6nackyCKvV5EO4niv4MFIgdkEQwuVHcYX32/dOsWdDoeXBT/l2sFFM7JESwQ== blake@zygarde"