garage: also listen on wireguard network

clan/flake-module.nix

@@ -7,7 +7,7 @@
   ];
 
   clan.meta.name = "blossom";
-  clan.meta.tld = "val";
+  clan.meta.domain = "val";
 
   clan.inventory.instances."rpqt-admin" = {
     module.input = "clan-core";

clan/network.nix

@@ -33,6 +33,17 @@
     };
   };
 
+  # clan.inventory.instances.certificates = {
+  #   module.name = "certificates";
+  #   module.input = "clan-core";
+
+  #   roles.ca.machines.verbena = {
+  #     settings.acmeEmail = "admin@rpqt.fr";
+  #   };
+  #   roles.default.tags.all = { };
+  #   roles.default.settings.acmeEmail = "admin@rpqt.fr";
+  # };
+
   # Temporarily patched version of clan-core/coredns for AAAA records support
   clan.inventory.instances.coredns = {
     module.name = "@rpqt/coredns";

flake.lock

@@ -10,11 +10,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1761641036,
+        "lastModified": 1765229650,
-        "narHash": "sha256-WyoAA5qBHimmWj0tuJMnkIq4o8dB01st6smx3ZzI/L0=",
+        "narHash": "sha256-i+nRqDnqnkytva/3uVjAIMlkv8fh/BOTpYIq5EunBOQ=",
         "owner": "nix-community",
         "repo": "buildbot-nix",
-        "rev": "3cd0114c633815095fde7a3126e1dbd6ad2e673f",
+        "rev": "af5a582396fa643e640b77674143cee1ac633f95",
         "type": "github"
       },
       "original": {
@@ -41,11 +41,11 @@
         "treefmt-nix": "treefmt-nix_2"
       },
       "locked": {
-        "lastModified": 1763806343,
+        "lastModified": 1765550297,
-        "narHash": "sha256-dXCgpw9WgaiyymspX/v2vWOpNaSgl6kR4SBNvE5aCs0=",
+        "narHash": "sha256-UGPK8XKXI7Y+EFWKT2/Xel53RNL/z959WwK4o7nV6vE=",
         "ref": "refs/heads/main",
-        "rev": "7fd1f6cf7e93d344baeec8c15bbf54282551b073",
+        "rev": "c36b07ffb39ced5c47d4d1a150fd324f6725f20d",
-        "revCount": 11125,
+        "revCount": 11566,
         "type": "git",
         "url": "https://git.clan.lol/clan/clan-core"
       },
@@ -59,14 +59,15 @@
         "dgop": "dgop",
         "nixpkgs": [
           "nixpkgs"
-        ]
+        ],
+        "quickshell": "quickshell"
       },
       "locked": {
-        "lastModified": 1763788986,
+        "lastModified": 1765560618,
-        "narHash": "sha256-uYgLhTSxWs9IRpia5Hxd7AMCaE0plr0+QhWBf26h9V0=",
+        "narHash": "sha256-gZEYrkY/IJHQrackgNwpl0qFnRacBSpmvqa0ljkdieU=",
         "owner": "AvengeMedia",
         "repo": "DankMaterialShell",
-        "rev": "58bf1899410536c4244b9d44c243426dc1b2a2c9",
+        "rev": "e95f7ce367470424e7636b40a0ba7af42ddcd94e",
         "type": "github"
       },
       "original": {
@@ -91,11 +92,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1762942435,
+        "lastModified": 1765163284,
-        "narHash": "sha256-zIWGs5FIytTtJN+dhDb8Yx+q4TQI/yczuL539yVcyPE=",
+        "narHash": "sha256-tCrc6IyhXrMTTeF5lZHlwbfMBvDUr0OM5Uz+kToJ+ow=",
-        "rev": "0ee328404b12c65e8106bde9e9fab8abf4ecada4",
+        "rev": "986035f01ba7339c6c9d80f37aec9c5f93dfa47f",
         "type": "tarball",
-        "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/0ee328404b12c65e8106bde9e9fab8abf4ecada4.tar.gz"
+        "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/986035f01ba7339c6c9d80f37aec9c5f93dfa47f.tar.gz"
       },
       "original": {
         "type": "tarball",
@@ -110,11 +111,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1762435535,
+        "lastModified": 1762835999,
-        "narHash": "sha256-QhzRn7pYN35IFpKjjxJAj3GPJECuC+VLhoGem3ezycc=",
+        "narHash": "sha256-UykYGrGFOFTmDpKTLNxj1wvd1gbDG4TkqLNSbV0TYwk=",
         "owner": "AvengeMedia",
         "repo": "dgop",
-        "rev": "6cf638dde818f9f8a2e26d0243179c43cb3458d7",
+        "rev": "799301991cd5dcea9b64245f9d500dcc76615653",
         "type": "github"
       },
       "original": {
@@ -131,11 +132,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1763651264,
+        "lastModified": 1765326679,
-        "narHash": "sha256-8vvwZbw0s7YvBMJeyPVpWke6lg6ROgtts5N2/SMCcv4=",
+        "narHash": "sha256-fTLX9kDwLr9Y0rH/nG+h1XG5UU+jBcy0PFYn5eneRX8=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "e86a89079587497174ccab6d0d142a65811a4fd9",
+        "rev": "d64e5cdca35b5fad7c504f615357a7afe6d9c49e",
         "type": "github"
       },
       "original": {
@@ -151,11 +152,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1763651264,
+        "lastModified": 1765326679,
-        "narHash": "sha256-8vvwZbw0s7YvBMJeyPVpWke6lg6ROgtts5N2/SMCcv4=",
+        "narHash": "sha256-fTLX9kDwLr9Y0rH/nG+h1XG5UU+jBcy0PFYn5eneRX8=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "e86a89079587497174ccab6d0d142a65811a4fd9",
+        "rev": "d64e5cdca35b5fad7c504f615357a7afe6d9c49e",
         "type": "github"
       },
       "original": {
@@ -192,11 +193,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1763759067,
+        "lastModified": 1765495779,
-        "narHash": "sha256-LlLt2Jo/gMNYAwOgdRQBrsRoOz7BPRkzvNaI/fzXi2Q=",
+        "narHash": "sha256-MhA7wmo/7uogLxiewwRRmIax70g6q1U/YemqTGoFHlM=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "2cccadc7357c0ba201788ae99c4dfa90728ef5e0",
+        "rev": "5635c32d666a59ec9a55cab87e898889869f7b71",
         "type": "github"
       },
       "original": {
@@ -237,11 +238,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1763748372,
+        "lastModified": 1765480374,
-        "narHash": "sha256-AUc78Qv3sWir0hvbmfXoZ7Jzq9VVL97l+sP9Jgms+JU=",
+        "narHash": "sha256-HlbvQAqLx7WqZFFQZ8nu5UUJAVlXiV/kqKbyueA8srw=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "d10a9b16b2a3ee28433f3d1c603f4e9f1fecb8e1",
+        "rev": "39cb677ed9e908e90478aa9fe5f3383dfc1a63f3",
         "type": "github"
       },
       "original": {
@@ -273,11 +274,11 @@
         "systems": "systems_2"
       },
       "locked": {
-        "lastModified": 1763355108,
+        "lastModified": 1765099519,
-        "narHash": "sha256-u5gCg+oA1car16NA7UL2dVjZGdD/RXJCt0srVFwCnmA=",
+        "narHash": "sha256-N8XNexsqr/GBJKW1UG7OtE+YGkYhJNQRjIypgHO21dk=",
         "owner": "InioX",
         "repo": "Matugen",
-        "rev": "e216c4bf66899694b19b10369f9fa0275d739cff",
+        "rev": "de6381b5288c53763ba7c055661dc08ee8f107fa",
         "type": "github"
       },
       "original": {
@@ -294,11 +295,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1763505477,
+        "lastModified": 1764161084,
-        "narHash": "sha256-nJRd4LY2kT3OELfHqdgWjvToNZ4w+zKCMzS2R6z4sXE=",
+        "narHash": "sha256-HN84sByg9FhJnojkGGDSrcjcbeioFWoNXfuyYfJ1kBE=",
         "owner": "nix-darwin",
         "repo": "nix-darwin",
-        "rev": "3bda9f6b14161becbd07b3c56411f1670e19b9b5",
+        "rev": "e95de00a471d07435e0527ff4db092c84998698e",
         "type": "github"
       },
       "original": {
@@ -337,11 +338,11 @@
     },
     "nixos-facter-modules": {
       "locked": {
-        "lastModified": 1762264948,
+        "lastModified": 1765442039,
-        "narHash": "sha256-iaRf6n0KPl9hndnIft3blm1YTAyxSREV1oX0MFZ6Tk4=",
+        "narHash": "sha256-k3lYQ+A1F7aTz8HnlU++bd9t/x/NP2A4v9+x6opcVg0=",
         "owner": "nix-community",
         "repo": "nixos-facter-modules",
-        "rev": "fa695bff9ec37fd5bbd7ee3181dbeb5f97f53c96",
+        "rev": "9dd775ee92de63f14edd021d59416e18ac2c00f1",
         "type": "github"
       },
       "original": {
@@ -356,11 +357,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1751903740,
+        "lastModified": 1764234087,
-        "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=",
+        "narHash": "sha256-NHF7QWa0ZPT8hsJrvijREW3+nifmF2rTXgS2v0tpcEA=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "032decf9db65efed428afd2fa39d80f7089085eb",
+        "rev": "032a1878682fafe829edfcf5fdfad635a2efe748",
         "type": "github"
       },
       "original": {
@@ -371,11 +372,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1762847253,
+        "lastModified": 1764440730,
-        "narHash": "sha256-BWWnUUT01lPwCWUvS0p6Px5UOBFeXJ8jR+ZdLX8IbrU=",
+        "narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "899dc449bc6428b9ee6b3b8f771ca2b0ef945ab9",
+        "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3",
         "type": "github"
       },
       "original": {
@@ -403,11 +404,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1763678758,
+        "lastModified": 1765186076,
-        "narHash": "sha256-+hBiJ+kG5IoffUOdlANKFflTT5nO3FrrR2CA3178Y5s=",
+        "narHash": "sha256-hM20uyap1a0M9d344I692r+ik4gTMyj60cQWO+hAYP8=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "117cc7f94e8072499b0a7aa4c52084fa4e11cc9b",
+        "rev": "addf7cf5f383a3101ecfba091b98d0a1263dc9b8",
         "type": "github"
       },
       "original": {
@@ -417,6 +418,28 @@
         "type": "github"
       }
     },
+    "quickshell": {
+      "inputs": {
+        "nixpkgs": [
+          "dankMaterialShell",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1764663772,
+        "narHash": "sha256-sHqLmm0wAt3PC4vczJeBozI1/f4rv9yp3IjkClHDXDs=",
+        "ref": "refs/heads/master",
+        "rev": "26531fc46ef17e9365b03770edd3fb9206fcb460",
+        "revCount": 713,
+        "type": "git",
+        "url": "https://git.outfoxxed.me/quickshell/quickshell"
+      },
+      "original": {
+        "rev": "26531fc46ef17e9365b03770edd3fb9206fcb460",
+        "type": "git",
+        "url": "https://git.outfoxxed.me/quickshell/quickshell"
+      }
+    },
     "root": {
       "inputs": {
         "buildbot-nix": "buildbot-nix",
@@ -430,8 +453,7 @@
         "nixos-generators": "nixos-generators",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs_2",
-        "srvos": "srvos",
+        "srvos": "srvos"
-        "vicinae": "vicinae"
       }
     },
     "sops-nix": {
@@ -442,11 +464,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1763607916,
+        "lastModified": 1765231718,
-        "narHash": "sha256-VefBA1JWRXM929mBAFohFUtQJLUnEwZ2vmYUNkFnSjE=",
+        "narHash": "sha256-qdBzo6puTgG4G2RHG0PkADg22ZnQo1JmSVFRxrD4QM4=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "877bb495a6f8faf0d89fc10bd142c4b7ed2bcc0b",
+        "rev": "7fd1416aba1865eddcdec5bb11339b7222c2363e",
         "type": "github"
       },
       "original": {
@@ -462,11 +484,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1763600374,
+        "lastModified": 1765415765,
-        "narHash": "sha256-CPBFJSZrHD/TguhjBzXKaqwtMGz7ac8bX5KZ9dJfdu0=",
+        "narHash": "sha256-DNEUksb+s7DbwahAlIZ4v/BUFUacOqGklCbjgAHZb4k=",
         "owner": "nix-community",
         "repo": "srvos",
-        "rev": "66d01f019faeacda79b8d81cb37c8094685cb333",
+        "rev": "a9e46dc439591c67337a0caf0beebb5a73ed9a86",
         "type": "github"
       },
       "original": {
@@ -505,21 +527,6 @@
         "type": "github"
       }
     },
-    "systems_3": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
     "treefmt-nix": {
       "inputs": {
         "nixpkgs": [
@@ -561,27 +568,6 @@
         "repo": "treefmt-nix",
         "type": "github"
       }
-    },
-    "vicinae": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "systems": "systems_3"
-      },
-      "locked": {
-        "lastModified": 1763768455,
-        "narHash": "sha256-ZwqW2uH36vPUKrlbzDyz7NoFXKjJOT1Ijvlaz4sIp8E=",
-        "owner": "vicinaehq",
-        "repo": "vicinae",
-        "rev": "5c965e0777dc4bcb01808c7f214dc56f997bd9c7",
-        "type": "github"
-      },
-      "original": {
-        "owner": "vicinaehq",
-        "repo": "vicinae",
-        "type": "github"
-      }
     }
   },
   "root": "root",

flake.nix

@@ -58,9 +58,6 @@
     srvos.url = "github:nix-community/srvos";
     srvos.inputs.nixpkgs.follows = "nixpkgs";
 
-    vicinae.url = "github:vicinaehq/vicinae";
-    vicinae.inputs.nixpkgs.follows = "nixpkgs";
-
     buildbot-nix.url = "github:nix-community/buildbot-nix";
     buildbot-nix.inputs.nixpkgs.follows = "nixpkgs";
 

home-manager/desktop/vicinae.nix

@@ -1,19 +1,13 @@
 {
   config,
-  inputs,
-  pkgs,
   lib,
   ...
 }:
 {
-  imports = [
+  programs.vicinae = {
-    inputs.vicinae.homeManagerModules.default
-  ];
-
-  services.vicinae = {
     enable = true;
-    autoStart = true;
+    systemd.enable = true;
-    package = pkgs.vicinae;
+    systemd.autoStart = true;
   };
 
   xdg.configFile."vicinae/vicinae.json".source =

machines/crocus/configuration.nix

@@ -4,7 +4,7 @@
 }:
 {
   imports = [
-    ./radicle.nix
+    self.nixosModules.radicle
     self.nixosModules.nix-defaults
     ../../modules/remote-builder.nix
     self.inputs.srvos.nixosModules.server

machines/genepi/syncthing.nix

@@ -23,5 +23,17 @@ in
     group = lib.mkForce "users";
     dataDir = home;
     configDir = lib.mkForce "${home}/.config/syncthing";
+    guiPasswordFile = config.clan.core.vars.generators.syncthing-gui.files.password.path;
+  };
+
+  clan.core.vars.generators.syncthing-gui = {
+    files.password = {
+      secret = true;
+      owner = user;
+    };
+    runtimeInputs = [ pkgs.xkcdpass ];
+    script = ''
+      xkcdpass -n 7 > $out/password
+    '';
   };
 }

modules/flake-module.nix

@@ -15,6 +15,7 @@
     user-rpqt.imports = [ ./user-rpqt.nix ];
     hardened-ssh-server.imports = [ ./hardened-ssh-server.nix ];
     nextcloud.imports = [ ./nextcloud.nix ];
+    radicle.imports = [ ./radicle.nix ];
 
     server.imports = [
       ./motd.nix

modules/garage.nix

@@ -25,10 +25,10 @@ in
       replication_factor = 3;
 
       rpc_bind_addr = "[::]:${toString rpc_port}";
-      rpc_public_addr = "[${zerotier_ip}]:${toString rpc_port}";
+      rpc_public_addr = "[::]:${toString rpc_port}";
 
       s3_api = {
-        api_bind_addr = "[${zerotier_ip}]:${toString s3_port}";
+        api_bind_addr = "[::]:${toString s3_port}";
         s3_region = "garage";
         root_domain = ".s3.garage.home.rpqt.fr";
       };
@@ -39,17 +39,22 @@ in
       };
 
       admin = {
-        api_bind_addr = "[${zerotier_ip}]:${toString admin_port}";
+        api_bind_addr = "[::]:${toString admin_port}";
         # TODO: use metrics_token
       };
     };
   };
 
-  networking.firewall.interfaces.${zerotier_interface} = {
+  networking.firewall.interfaces =
-    allowedTCPPorts = [
+    let
-      s3_port
+      allowedTCPPorts = [
-      rpc_port
+        s3_port
-      admin_port
+        rpc_port
-    ];
+        admin_port
-  };
+      ];
+    in
+    {
+      ${zerotier_interface} = { inherit allowedTCPPorts; };
+      wireguard = { inherit allowedTCPPorts; };
+    };
 }

modules/radicle.nix

@@ -21,8 +21,13 @@
     };
     settings = {
       # FIXME: activation fails with rad saying the config is invalid
-      # web.avatarUrl = "https://rpqt.fr/favicon.svg";
+      web.avatarUrl = "https://rpqt.fr/favicon.svg";
-      # web.description = "rpqt's radicle node";
+      web.description = "rpqt's radicle node";
+      web.pinned.repositories = [
+        "rad:z2DH9K384tPCrM5HJcpiKEoZZdftY" # lila
+        "rad:z29gVX1f6HC1XGx755RL1m1hhMp6x" # corner
+        "rad:z36HRN3Soay4wMXBSiR4aW7Hg9rT7" # flocon
+      ];
     };
   };
 

vars/per-machine/genepi/syncthing-gui/password/machines/genepi

@@ -0,0 +1 @@
+../../../../../../sops/machines/genepi

vars/per-machine/genepi/syncthing-gui/password/secret

@@ -0,0 +1,18 @@
+{
+	"data": "ENC[AES256_GCM,data:HWmd0ZCo4gD0g+dZrbkX7XNvfsWQaPHN1VOpzNGVbwZFQm1QCxGV1AxKkXbjH2pbsO6i6kikyyNH,iv:CX8Q5o/7SGM33rfQG5lFvc7iSBxR3sTf8Q4bPk4iv5k=,tag:gtEmFaZh6I2Q1d1IeSRDKQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBdzNoZllKUUlQY0JCZTl2\nUytkeVF5YWpyTTRzWnFnWHl2ekJuUHJPY1YwCnhnMzFWVmd2SkRBTUwwWTdGbEVa\nSndlRVpxbmtCaHNYaTBBbi9ZVWkxTVEKLS0tIC9vRnJFUjhrbjFYWWJ6VTJYN25V\nUTVMTjdaRmJ3cTZDbW1NZzV1YzI1b3cK38Hqjzv9zRKG68aiI57pOX14PG/+qkg2\nOwnZeFUtuy84fW1xs00tRXAHUXFBoqavjQ9UaOaADWVDqdcwWbyfmg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwcmovYnRaS1lETGl0ZHpl\nbnp6a0Q2ZzhPYVU5YXRVN0ZEZ1dLYjFrQzFBCkVyL1ZJMmx3NHJ0RVl1MjBoa25s\naHRzVWdVNmVPM0FNaE5Vc3BvSXJjeEEKLS0tIHl2eGJ3UXlmNGxucEhvTWlUK2Jj\nY0dEVGhPb2ZLYkF1WFJhYlNNSkQ3ZGsKZ0HiunVE+tGx/wSHljp0ZKVPoz1GpXer\noochDu7LYIt3NkrS+4Tn3UBHckUvQXq72GcvaLI8l7h2RMFXRV7FqA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-11-29T13:06:57Z",
+		"mac": "ENC[AES256_GCM,data:6PybvwdIi19um8zXFJ3N1kEG611JSVor7fa7cwf4nOR/UCYfhgUc7Rp6YaXpnxACOrMoA8aLQznSKUY19Rrux1EnPFUUlUPRonS64CchoC/Ix941UffZA+HjHTIONOz7uFOBr5qIcWmcWR2EucyMQoWYd501u+chetJMWXErJ9k=,iv:HT5YivDqqkZdVQ/ELdmBBP5KY47VD2IKgpeGGB6pAnM=,tag:a/bUdqqh0TqT5MZrREL1gg==,type:str]",
+		"version": "3.11.0"
+	}
+}

vars/per-machine/genepi/syncthing-gui/password/users/rpqt

@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt