home-manager/sajenim/features/cli/default.nix

@@ -13,13 +13,13 @@
   programs.ssh = {
     enable = true;
     matchBlocks."viridian" = {
-      hostname = "viridian.kanto.dev";
+      hostname = "192.168.20.4";
       identityFile = "/home/sajenim/.ssh/sajenim_sk";
       port = 62841;
     };
 
     matchBlocks."lavender" = {
-      hostname = "lavender.kanto.dev";
+      hostname = "192.168.20.3";
       identityFile = "/home/sajenim/.ssh/sajenim_sk";
       port = 22;
     };

home-manager/sajenim/features/desktop/common/mpd.nix

@@ -3,12 +3,12 @@
 {
   services.mpd = {
     enable = true;
-    musicDirectory = "nfs://viridian.kanto.dev/srv/multimedia/library/music";
+    musicDirectory = "nfs://192.168.1.102/srv/multimedia/library/music";
     dbFile = null;
     extraConfig = ''
       database {
         plugin "proxy"
-        host "viridian.kanto.dev"
+        host "192.168.1.102"
         port "6600"
       }
 

nixos/common/users/sajenim/agenix-rekey.pub

@@ -1,7 +1 @@
-#       Serial: 15895942, Slot: 1
-#         Name: sajenim
-#      Created: Sun, 21 Jan 2024 01:47:27 +0000
-#   PIN policy: Once   (A PIN is required once per session, if set)
-# Touch policy: Always (A physical touch is required for every decryption)
-#    Recipient: age1yubikey1qfszrfps2t3n4tqgkzx8vrydhlna3f2ezd7awzjl9ur0yk5swmp0spw0m7q
 AGE-PLUGIN-YUBIKEY-1S6XLYQYZSH22WXCHDCFRJ

nixos/fuchsia/configuration.nix

@@ -80,6 +80,7 @@
     # Get up and running with large language models locally.
     ollama = {
       enable = true;
+      package = pkgs.unstable.ollama;
       acceleration = "rocm";
     };
 
@@ -95,5 +96,5 @@
   };
 
   # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
-  system.stateVersion = "24.05";
+  system.stateVersion = "22.11";
 }

nixos/viridian/containers/lidarr.nix

@@ -34,7 +34,7 @@ in
         "websecure"
       ];
       middlewares = [
-        "internal"
+        "admin"
       ];
       service = "lidarr";
     };

nixos/viridian/containers/prowlarr.nix

@@ -31,7 +31,7 @@ in
         "websecure"
       ];
       middlewares = [
-        "internal"
+        "admin"
       ];
       service = "prowlarr";
     };

nixos/viridian/containers/qbittorrent.nix

@@ -29,12 +29,12 @@ in
 
   services.traefik.dynamicConfigOptions.http.routers = {
     qbittorrent = {
-      rule = "Host(`qbittorrent.kanto.dev`)";
+      rule = "Host(`torrent.kanto.dev`)";
       entryPoints = [
         "websecure"
       ];
       middlewares = [
-        "internal"
+        "admin"
       ];
       service = "qbittorrent";
     };

nixos/viridian/containers/radarr.nix

@@ -33,7 +33,7 @@ in
         "websecure"
       ];
       middlewares = [
-        "internal"
+        "admin"
       ];
       service = "radarr";
     };

nixos/viridian/containers/sonarr.nix

@@ -34,7 +34,7 @@ in
         "websecure"
       ];
       middlewares = [
-        "internal"
+        "admin"
       ];
       service = "sonarr";
     };

nixos/viridian/services/grafana.nix

@@ -41,7 +41,7 @@
         "websecure"
       ];
       middlewares = [
-        "internal"
+        "admin"
       ];
       service = "grafana";
     };

nixos/viridian/services/mpd.nix

@@ -23,7 +23,7 @@
     statdPort = 4000;
     extraNfsdConfig = '''';
     exports = ''
-      /srv/multimedia/library/music fuchsia.kanto.dev(rw,nohide,insecure,no_subtree_check)
+      /srv/multimedia/library/music 192.168.1.101(rw,nohide,insecure,no_subtree_check)
     '';
   };
   networking.firewall = {

nixos/viridian/services/traefik/middlewares.nix

@@ -10,10 +10,18 @@
 
   # Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service
   services.traefik.dynamicConfigOptions.http.middlewares = {
+    # Restrict access to admin devices only
+    admin.ipwhitelist.sourcerange = [
+      "127.0.0.1/32"    # localhost
+      "192.168.1.101"   # fuchsia
+      "10.100.0.2"      # Pixel 6 Pro
+    ];
+
     # Restrict access to internal networks
     internal.ipwhitelist.sourcerange = [
       "127.0.0.1/32"    # localhost
-      "192.168.20.1/24" # lan
+      "192.168.1.1/24"  # lan
+      "10.100.0.0/24"   # wireguard clients
     ];
 
     # Restrict access based on geo-location
@@ -44,8 +52,7 @@
       forceMonthlyUpdate = "true";
     };
 
-    # Disable Crowdsec IP checking but apply Crowdsec Appsec checking.
-    # This mode is intended to be used when Crowdsec IP checking is applied at the Firewall Level.
+    # Disable Crowdsec IP checking but apply Crowdsec Appsec checking. This mode is intended to be used when Crowdsec IP checking is applied at the Firewall Level.
     crowdsec.plugin.bouncer = {
       enabled = "true";
       crowdsecMode = "appsec";