update cloudhaus syncthing ID

nix flake update on puter
remove puter IP from unbound
2026-01-24 17:58:51 +02:00 · 2026-01-23 18:24:28 +02:00 · 2026-01-17 11:39:02 +02:00 · 2026-01-17 11:32:22 +02:00 · 2026-01-17 11:25:25 +02:00 · 2026-01-17 11:06:21 +02:00
6 changed files with 90 additions and 19 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
  "nodes": {
    "nixpkgs": {
      "locked": {
-        "lastModified": 1768127708,
-        "narHash": "sha256-1Sm77VfZh3mU0F5OqKABNLWxOuDeHIlcFjsXeeiPazs=",
+        "lastModified": 1769018530,
+        "narHash": "sha256-MJ27Cy2NtBEV5tsK+YraYr2g851f3Fl1LpNHDzDX15c=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "ffbc9f8cbaacfb331b6017d5a5abb21a492c9a38",
+        "rev": "88d3861acdd3d2f0e361767018218e51810df8a1",
        "type": "github"
      },
      "original": {
--- a/hosts/puter/default.nix
+++ b/hosts/puter/default.nix
@@ -8,6 +8,7 @@
    ./syncthing.nix
    ./packages.nix
    ./wireguard.nix
+    ./prometheus-node-exporter.nix
    #./remotebuild_user.nix
    # DE
    ../../modules/de/multiple-dms.nix
@@ -23,9 +24,8 @@
    ../../modules/common/wine.nix
    ../../modules/common/libvirt.nix
    ../../modules/common/keyd.nix
+    ../../modules/common/unbound-cloud.nix
  ];
  networking.hostName = "puter";
  # This will be overridden by system/default.nix
-  system.stateVersion = "24.05";
-  security.pki.certificates = ["/home/user/.config/bigbox.local.crt"];
 }
--- a/hosts/puter/prometheus-node-exporter.nix
+++ b/hosts/puter/prometheus-node-exporter.nix
@@ -0,0 +1,27 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  # https://nixos.org/manual/nixos/stable/#module-services-prometheus-exporters
+  # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/monitoring/prometheus/exporters.nix
+  services.prometheus.exporters.node = {
+    enable = true;
+    port = 9100;
+    # For the list of available collectors, run, depending on your install:
+    # - Flake-based: nix run nixpkgs#prometheus-node-exporter -- --help
+    # - Classic: nix-shell -p prometheus-node-exporter --run "node_exporter --help"
+    enabledCollectors = [
+      "ethtool"
+      "softirqs"
+      "systemd"
+      "tcpstat"
+      "wifi"
+    ];
+    # You can pass extra options to the exporter using `extraFlags`, e.g.
+    # to configure collectors or disable those enabled by default.
+    # Enabling a collector is also possible using "--collector.[name]",
+    # but is otherwise equivalent to using `enabledCollectors` above.
+    # extraFlags = [ "--collector.ntp.protocol-version=4" "--no-collector.mdadm" ];
+  };
+}
--- a/hosts/puter/syncthing.nix
+++ b/hosts/puter/syncthing.nix
@@ -24,7 +24,7 @@
          id = "RFFXZJI-HJTEDCU-M7MU3SW-M7DJK4U-MESRKYA-OGHYOSG-KNZO7JB-6LQ5VAE";
        };
        "cloudhaus" = {
-          id = "B3WJKAE-KJFKO7G-CKOOLCO-EDC2AFV-EP5DB52-HWPLOMQ-6M5VJON-JBQEXAJ";
+          id = "7EQ6YAC-HIHCOR7-KQ6XJID-FHC7AYA-GZ3E7OY-24P5XPH-TV7FKA6-DGPTYQT";
        };
      };
      folders = {
--- a/hosts/puter/wireguard.nix
+++ b/hosts/puter/wireguard.nix
@@ -3,18 +3,24 @@
  pkgs,
  ...
 }: {
-    networking.wireguard.interfaces = {
-      wg0 = {
-              ips = [ "10.0.0.3/32" ];
-              listenPort = 5553;
-              privateKeyFile = "/etc/wireguard/wg0.key";
-              peers = [
-              { # cloudhaus
-               publicKey = "SOqdU6uku2t0l8lGBDEnwDNHrb5Nk/64qA6++mGa+CI=";
-               allowedIPs = [ "10.0.0.1/32"];
-               endpoint = "46.62.255.194:51820";
-               persistentKeepalive = 25;
-              }];
-      };
+  networking.wireguard.interfaces = {
+    wg0 = {
+      ips = ["10.0.0.3/32"];
+      listenPort = 5553;
+      privateKeyFile = "/etc/wireguard/wg0.key";
+      peers = [
+        {
+          # cloudhaus
+          publicKey = "SOqdU6uku2t0l8lGBDEnwDNHrb5Nk/64qA6++mGa+CI=";
+          allowedIPs = ["10.0.0.1/32"];
+          endpoint = "46.62.255.194:51820";
+          persistentKeepalive = 25;
+        }
+      ];
    };
+  };
+  networking.firewall.allowedTCPPorts = [9100];
+  networking.firewall.interfaces = {
+    wg0.allowedTCPPorts = [9100];
+  };
 }
--- a/modules/common/unbound-cloud.nix
+++ b/modules/common/unbound-cloud.nix
@@ -0,0 +1,38 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  services.unbound = {
+    enable = true;
+    settings = {
+      server = {
+        # Listen only locally
+        interface = ["127.0.0.1"];
+        port = 53;
+        access-control = ["127.0.0.1 allow"];
+
+        # Recommended hardening
+        harden-glue = true;
+        harden-dnssec-stripped = true;
+        use-caps-for-id = false;
+
+        # Performance
+        prefetch = true;
+        edns-buffer-size = 1232;
+
+        # Privacy
+        hide-identity = true;
+        hide-version = true;
+      };
+
+      forward-zone = [
+        {
+          name = ".";
+          forward-addr = ["46.62.255.194@853"];
+          forward-tls-upstream = true; # Enable DoT
+        }
+      ];
+    };
+  };
+}
Author	SHA1	Message	Date
kenny	a07dfc3d48	update cloudhaus syncthing ID	2026-01-24 17:58:51 +02:00
kenny	9795095578	nix flake update on puter	2026-01-23 18:24:28 +02:00
kenny	ee35d27405	remove puter IP from unbound	2026-01-17 11:39:02 +02:00
kenny	485f48c04a	Expose unbound ports for puter IP	2026-01-17 11:32:22 +02:00
kenny	1f7f59e6d9	Corrected unbound port	2026-01-17 11:25:25 +02:00
kenny	f44db5182d	Corrected unbound upstream IP	2026-01-17 11:06:21 +02:00
kenny	f23ad4b0ee	Added unbound DNS module + added to puter	2026-01-16 18:44:57 +02:00
kenny	0636381047	Cleared DNS settingd	2026-01-16 17:10:31 +02:00
kenny	a3fd948517	Corrected resolved call	2026-01-16 16:40:39 +02:00
kenny	ca2047da42	Added resolvectl + own DNS	2026-01-16 16:39:06 +02:00