update cloudhaus syncthing ID

flake.lock

@@ -2,11 +2,11 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1768127708,
-        "narHash": "sha256-1Sm77VfZh3mU0F5OqKABNLWxOuDeHIlcFjsXeeiPazs=",
+        "lastModified": 1769018530,
+        "narHash": "sha256-MJ27Cy2NtBEV5tsK+YraYr2g851f3Fl1LpNHDzDX15c=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "ffbc9f8cbaacfb331b6017d5a5abb21a492c9a38",
+        "rev": "88d3861acdd3d2f0e361767018218e51810df8a1",
         "type": "github"
       },
       "original": {

hosts/puter/default.nix

@@ -8,6 +8,7 @@
     ./syncthing.nix
     ./packages.nix
     ./wireguard.nix
+    ./prometheus-node-exporter.nix
     #./remotebuild_user.nix
     # DE
     ../../modules/de/multiple-dms.nix
@@ -23,9 +24,8 @@
     ../../modules/common/wine.nix
     ../../modules/common/libvirt.nix
     ../../modules/common/keyd.nix
+    ../../modules/common/unbound-cloud.nix
   ];
   networking.hostName = "puter";
   # This will be overridden by system/default.nix
-  system.stateVersion = "24.05";
-  security.pki.certificates = ["/home/user/.config/bigbox.local.crt"];
 }

hosts/puter/prometheus-node-exporter.nix

@@ -0,0 +1,27 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  # https://nixos.org/manual/nixos/stable/#module-services-prometheus-exporters
+  # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/monitoring/prometheus/exporters.nix
+  services.prometheus.exporters.node = {
+    enable = true;
+    port = 9100;
+    # For the list of available collectors, run, depending on your install:
+    # - Flake-based: nix run nixpkgs#prometheus-node-exporter -- --help
+    # - Classic: nix-shell -p prometheus-node-exporter --run "node_exporter --help"
+    enabledCollectors = [
+      "ethtool"
+      "softirqs"
+      "systemd"
+      "tcpstat"
+      "wifi"
+    ];
+    # You can pass extra options to the exporter using `extraFlags`, e.g.
+    # to configure collectors or disable those enabled by default.
+    # Enabling a collector is also possible using "--collector.[name]",
+    # but is otherwise equivalent to using `enabledCollectors` above.
+    # extraFlags = [ "--collector.ntp.protocol-version=4" "--no-collector.mdadm" ];
+  };
+}

hosts/puter/syncthing.nix

@@ -24,7 +24,7 @@
           id = "RFFXZJI-HJTEDCU-M7MU3SW-M7DJK4U-MESRKYA-OGHYOSG-KNZO7JB-6LQ5VAE";
         };
         "cloudhaus" = {
-          id = "B3WJKAE-KJFKO7G-CKOOLCO-EDC2AFV-EP5DB52-HWPLOMQ-6M5VJON-JBQEXAJ";
+          id = "7EQ6YAC-HIHCOR7-KQ6XJID-FHC7AYA-GZ3E7OY-24P5XPH-TV7FKA6-DGPTYQT";
         };
       };
       folders = {

hosts/puter/wireguard.nix

@@ -9,12 +9,18 @@
       listenPort = 5553;
       privateKeyFile = "/etc/wireguard/wg0.key";
       peers = [
-              { # cloudhaus
+        {
+          # cloudhaus
           publicKey = "SOqdU6uku2t0l8lGBDEnwDNHrb5Nk/64qA6++mGa+CI=";
           allowedIPs = ["10.0.0.1/32"];
           endpoint = "46.62.255.194:51820";
           persistentKeepalive = 25;
-              }];
+        }
+      ];
     };
   };
+  networking.firewall.allowedTCPPorts = [9100];
+  networking.firewall.interfaces = {
+    wg0.allowedTCPPorts = [9100];
+  };
 }

modules/common/unbound-cloud.nix

@@ -0,0 +1,38 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  services.unbound = {
+    enable = true;
+    settings = {
+      server = {
+        # Listen only locally
+        interface = ["127.0.0.1"];
+        port = 53;
+        access-control = ["127.0.0.1 allow"];
+
+        # Recommended hardening
+        harden-glue = true;
+        harden-dnssec-stripped = true;
+        use-caps-for-id = false;
+
+        # Performance
+        prefetch = true;
+        edns-buffer-size = 1232;
+
+        # Privacy
+        hide-identity = true;
+        hide-version = true;
+      };
+
+      forward-zone = [
+        {
+          name = ".";
+          forward-addr = ["46.62.255.194@853"];
+          forward-tls-upstream = true; # Enable DoT
+        }
+      ];
+    };
+  };
+}