From 4c66a7e794e411511473081f5c16aa6c0e6f7000 Mon Sep 17 00:00:00 2001 From: Tim Keller Date: Fri, 27 Mar 2026 15:51:09 -0500 Subject: incomplete fileshares module not enabled by default --- nixos/services/fileshares.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/services/fileshares.nix b/nixos/services/fileshares.nix index d6af47b..c99c9f9 100644 --- a/nixos/services/fileshares.nix +++ b/nixos/services/fileshares.nix @@ -70,7 +70,7 @@ in { # TODO configure smb nfs here }; - config = { + config = lib.mkIf cfg.enable { services.samba = { enable = true; openFirewall = true; -- cgit v1.2.3 From 18916f2edd08e74ef8401b30e6cae291319bfc8c Mon Sep 17 00:00:00 2001 From: Tim Keller Date: Fri, 27 Mar 2026 15:51:23 -0500 Subject: fix dns-dhcp module issues --- nixos/services/router/dns-dhcp.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nixos/services/router/dns-dhcp.nix b/nixos/services/router/dns-dhcp.nix index ea8f32e..48e0b8e 100644 --- a/nixos/services/router/dns-dhcp.nix +++ b/nixos/services/router/dns-dhcp.nix @@ -165,7 +165,7 @@ in { mkDHCPRange = ipRangeStart: ipRangeEnd: subnetMask: leaseTime: "${ipRangeStart},${ipRangeEnd},${subnetMask},${leaseTime}"; mkDHCPOption = option: value: "option:${option},${value}"; mkDHCPStaticLease = macAddress: hostname: staticIp: "${macAddress},${hostname},${staticIp},infinite"; - dhcpStaticLeases = builtins.map (l: mkDHCPStaticLease l.macAddress l.hostname l.staticIp) cfg.staticLeases; + dhcpStaticLeases = lib.mapAttrsToList (_: l: mkDHCPStaticLease l.macAddress l.hostname l.staticIp) cfg.dhcp.staticLeases; in { # General no-resolv = true; # Do not read /etc/resolv.conf, resolve only the LAN 
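Review bot: The newly guarded block still sets `services.samba.openFirewall = true;`, so as soon as `cfg.enable` is flipped on the Samba ports are opened on every interface the NixOS firewall does not treat as trusted, which on a router-style host includes the WAN side. Prefer leaving `openFirewall` at its default and opening the Samba ports per interface, e.g. `networking.firewall.interfaces.<lan>.allowedTCPPorts = [ ... ];`, or at least write `openFirewall = lib.mkDefault false;` so a host configuration has to opt in explicitly. The `config` attrset continues past the end of the hunk.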
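Review bot: The new `lib.mapAttrsToList (_: l: mkDHCPStaticLease l.macAddress l.hostname l.staticIp)` discards the attribute name and reads `l.hostname`, yet the only lease defined in this series (`idrac-8HT2W52` in hosts/flex-wg-router/configuration.nix, hunk `@@ -44,8 +67,8`) sets just `macAddress` and `staticIp`. Unless the `staticLeases` submodule declares `hostname` with a default (not visible here), evaluation fails on that host; if the attribute name is meant to be the hostname, the cleanest fix is in the option declaration, `hostname = lib.mkOption { type = lib.types.str; default = name; };` inside a `lib.types.submodule ({ name, ... }: { ... })`, so this line can keep using `l.hostname`. The surrounding `let` block starts before the hunk.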
@@ -181,7 +181,7 @@ in { # DHCP Server # TODO config #dhcp-range = mkDHCPRange "192.168.1.50" "192.168.1.150" "255.255.255.0" "12h"; # Enable DHCP on the LAN interface - dhcp-range = with cfg.dhcp; mkDHCPRange rangeStart rangeEnd subnetMask leaseTime; # Enable DHCP on the LAN interface + dhcp-range = with cfg.dhcp; mkDHCPRange rangeStart rangeEnd rangeSubnetMask leaseTime; # Enable DHCP on the LAN interface dhcp-host = dhcpStaticLeases; # Setup static leases @@ -189,7 +189,7 @@ in { (mkDHCPOption "router" defaultGateway) # Set default gateway for clients #(mkDHCPOption "ntp-server" defaultGateway) # Set ntp server for clients (mkDHCPOption "dns-server" localhostIp) # Set dns server for clients - (mkDHCPOption "domain-search" localDomain) # Add search rule to clients so they can resolve hostnames w/o the local domain suffix + (mkDHCPOption "domain-search" cfg.localDomain) # Add search rule to clients so they can resolve hostnames w/o the local domain suffix ]; # Logging -- cgit v1.2.3 From 880435bcaf4446474ce025a89d9639b68ab88d59 Mon Sep 17 00:00:00 2001 From: Tim Keller Date: Fri, 27 Mar 2026 15:51:41 -0500 Subject: simplify and fix routing module --- nixos/services/router/routing.nix | 62 ++++++++++++--------------------------- 1 file changed, 19 insertions(+), 43 deletions(-) diff --git a/nixos/services/router/routing.nix b/nixos/services/router/routing.nix index c0c49e6..25d91dd 100644 --- a/nixos/services/router/routing.nix +++ b/nixos/services/router/routing.nix @@ -9,6 +9,7 @@ in { default = ""; description = "wan interface"; }; + # TODO allow multiple lan lan = lib.mkOption { type = lib.types.str; default = ""; 
@@ -18,51 +19,26 @@ in { }; config = lib.mkIf cfg.enable { - networking.nftables = { - enable = true; - tables.filter = { - family = "ip"; - # https://hackers-arise.com/linux-basics-for-hackers-building-a-router-with-nftables/ - content = '' - chain input { - type filter hook input priority 0; policy drop; - - # Allow established/related connections - ct state established,related accept - - # Allow loopback - iifname "lo" accept - - # Allow LAN to access router - iifname ${cfg.interfaces.lan} accept - - # Allow ICMP from WAN (for ping) - iifname ${cfg.interfaces.wan} icmp type echo-request accept - - # Drop invalid connections - ct state invalid drop - } - - chain forward { - type filter hook forward priority 0; policy drop; - - # Allow established/related connections - ct state established,related accept - - # Allow LAN to WAN - iifname ${cfg.interfaces.lan} oifname ${cfg.interfaces.wan} accept - - # Drop invalid connections - ct state invalid drop - } - - chain output { - type filter hook output priority 0; policy accept; - } + # https://hackers-arise.com/linux-basics-for-hackers-building-a-router-with-nftables/ + networking = { + nftables.enable = true; + firewall = { + enable = true; + backend = "nftables"; # Set explicitly + + # Allow lan to access the router + trustedInterfaces = [ cfg.interfaces.lan ]; + + # Allow lan to access the internet + extraForwardRules = '' + iifname "${cfg.interfaces.lan}" oifname "${cfg.interfaces.wan}" accept ''; }; + nat = { + enable = true; + externalInterface = cfg.interfaces.wan; + internalInterfaces = [ cfg.interfaces.lan ]; + }; }; - networking.nat.enable = true; - networking.firewall.enable = true; }; } -- cgit v1.2.3 From 3dcbd6b10b6cbbd551c41df278cd555d54d46bdf Mon Sep 17 00:00:00 2001 From: Tim Keller Date: Fri, 27 Mar 2026 15:52:27 -0500 Subject: setup flex-wg-router with working config --- hosts/flex-wg-router/configuration.nix | 45 +++++++++++++++++++++++++--------- 1 file changed, 34 insertions(+), 11 deletions(-) 
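Review bot: The `extraForwardRules` entry that is supposed to allow LAN→WAN has, as far as I recall the NixOS nftables firewall, no effect unless `networking.firewall.filterForward = true;` is also set — without it the firewall defines no forward chain at all, so forwarding is unfiltered in both directions rather than LAN→WAN only and the rule is silently discarded. Set `filterForward = true` next to `backend`, and add an assertion that `cfg.interfaces.lan` and `cfg.interfaces.wan` are non-empty, since both default to `""` in the `@@ -9,6 +9,7` hunk and an empty name would yield `iifname "" oifname "" accept` and `trustedInterfaces = [ "" ]`. The rewrite also drops the old explicit `ct state invalid drop` and ICMP rules; the NixOS firewall covers those by default, which deserves a one-line comment so the next reader does not assume they were lost by accident.
```nix
config = lib.mkIf cfg.enable {
  # Both interface names default to ""; refuse to build a router with either unset.
  assertions = [{
    assertion = cfg.interfaces.lan != "" && cfg.interfaces.wan != "";
    message = "router: interfaces.lan and interfaces.wan must both be set";
  }];
  networking = {
    nftables.enable = true;
    firewall = {
      enable = true;
      backend = "nftables"; # Set explicitly
      filterForward = true; # extraForwardRules only applies to the filtered forward chain
      # … unchanged: trustedInterfaces, extraForwardRules …
    };
    # … unchanged: nat …
  };
};
```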
diff --git a/hosts/flex-wg-router/configuration.nix b/hosts/flex-wg-router/configuration.nix index 6fea096..5777626 100644 --- a/hosts/flex-wg-router/configuration.nix +++ b/hosts/flex-wg-router/configuration.nix @@ -6,33 +6,56 @@ in { # Enable common options _archetypes = { - # Use headless profile profiles.headless = { enable = true; home.users.timmy.enable = true; }; - profiles.router = { - enable = true; - home.users.timmy.enable = true; - }; + profiles.router.enable = true; }; networking = { + # Label lan and wan interfaces _interfaceLabels = { - lan0 = "98:b7:85:22:9b:43"; # internal - wan0 = "54:ee:75:8c:4b:2d"; # external + enable = true; + interfaces = { + lan0 = "98:b7:85:22:9b:43"; # Internal + wan0 = "54:ee:75:8c:4b:2d"; # External + }; }; - #useDHCP = false; # TODO Enable when accessible via wireguard + # Set ip addresses interfaces = { lan0.ipv4.addresses = [{ address = ipAddress; prefixLength = 24; }]; wan0.ipv4.addresses = [{ - address = "46.110.173.165"; # Public static ip 4 + address = "46.110.173.163"; # Reserved static ip for wg-router prefixLength = 31; }]; }; + defaultGateway = { + address = "46.110.173.161"; + interface = "wan0"; + }; + nameservers = [ "127.0.0.1" ]; + # Firewall rules + firewall = { + interfaces.wan0 = { + allowedTCPPorts = [ 22 ]; + }; + }; + #nat.forwardPorts = [ + # { + # sourcePort = 2222; + # proto = "tcp"; + # destination = "10.1.1.1:22"; + # } + # { + # sourcePort = 22; + # proto = "tcp"; + # destination = "10.1.1.1:22"; + # } + #]; }; services._router = { @@ -44,8 +67,8 @@ in { rangeStart = "10.1.1.100"; rangeEnd = "10.1.1.250"; staticLeases = { - poweredge-pro-idrac = { - macAddress = "00:11:22:33:44:55"; + idrac-8HT2W52 = { + macAddress = "18:fb:7b:9d:16:b3"; staticIp = "10.1.1.10"; }; }; -- cgit v1.2.3 From 0538c0398cbf338ad1261b1f58a01d3aaed94d50 Mon Sep 17 00:00:00 2001 
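Review bot: `firewall.interfaces.wan0.allowedTCPPorts = [ 22 ];` exposes sshd on the public address `46.110.173.163`, and nothing in this hunk or the rest of the series shows sshd restricted to key authentication; if `profiles.router` does not already do that, add `services.openssh.settings.PasswordAuthentication = false;` (and `KbdInteractiveAuthentication = false;`) next to this rule or in the profile. The commented-out `nat.forwardPorts` block is dead configuration that will drift from reality; either drop it or replace it with a one-line comment describing the intended forwards. The `services._router` attrset that begins on the hunk's last line continues past it.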
From: Tim Keller Date: Sat, 28 Mar 2026 12:45:48 -0500 Subject: add warning to rebuild if age key is missing for sops and simplify sops config --- .sops.yaml | 10 +++++----- rebuild | 7 +++++++ 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index 4da25c9..2d54fd2 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,23 +2,23 @@ keys: - &general age1w80rc0dnuu8nw99gw64c596qqetm78jdnsqajr0u7ephykekr39qfz8vnv - &flex-wg-router age1f0tmpy2nam58skmznjyqd3zf54rxtfrk6fda0vlpq9y3yg6wac7sjf0vja creation_rules: - - path_regex: timmy/resources/secrets/hashed-root-password.yaml + - path_regex: timmy/resources/secrets/.*\.yaml key_groups: - age: - *general - *flex-wg-router - - path_regex: timmy/resources/secrets/wpa_supplicant-conf.yaml + - path_regex: T495/resources/secrets/.*\.yaml key_groups: - age: - *general - - path_regex: T495/resources/secrets/wg0.yaml + - path_regex: X230/resources/secrets/.*\.yaml key_groups: - age: - *general - - path_regex: X230/resources/secrets/wg0.yaml + - path_regex: flex-wg-router/resources/secrets/.*\.yaml key_groups: - age: - - *general + - *flex-wg-router diff --git a/rebuild b/rebuild index 91ea7a1..cb92b80 100755 --- a/rebuild +++ b/rebuild @@ -1,2 +1,9 @@ #!/bin/sh +if [ ! -f ~/.config/sops/age/keys.txt ]; then + mkdir -p ~/.config/sops/age + echo "---------------------------------------------------------------------------------------------------" + echo "| WARNING: Sops key not found. Please generate one from your ssh key using the following command: |" + echo "| nix run nixpkgs#ssh-to-age -- -private-key -i ~/.ssh/private > ~/.config/sops/age/keys.txt |" + echo "---------------------------------------------------------------------------------------------------" +fi nixos-rebuild switch --sudo --flake "$(dirname "$0")/#$(hostname)" $@ -- cgit v1.2.3
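Review bot: The rewritten `path_regex` patterns are unanchored, and sops matches them with a regexp search rather than a full match, so `timmy/resources/secrets/.*\.yaml` also matches any path that merely contains that substring; anchor each one, e.g. `path_regex: ^timmy/resources/secrets/.*\.yaml$`. The last rule now lists only `*flex-wg-router`, which means files under `flex-wg-router/resources/secrets/` can no longer be decrypted or edited with the `general` key; if that is intended, say so in a comment on the rule, otherwise keep `*general` alongside the host key so an administrator retains recovery access. Already-encrypted files keep their previous recipient list until `sops updatekeys` is run on them, so the rule change alone does not re-key anything.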
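Review bot: After printing the warning the script still runs `nixos-rebuild switch`, so a missing age key shows up later as sops decryption errors instead of stopping here; add `exit 1` before `fi` (or prompt to continue) so the hint is the last thing the user sees. The suggested `ssh-to-age ... > ~/.config/sops/age/keys.txt` writes a private key with the caller's default umask; prefix the hint with `umask 077;` or append `chmod 600 ~/.config/sops/age/keys.txt` so the key is not readable by other users. The unquoted `$@` on the final line (pre-existing context) splits arguments containing spaces; `"$@"` is the safe form.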