it actually fucking works this time

configuration.nix

@@ -38,13 +38,13 @@
   # Enable microcode updates
   hardware.enableRedistributableFirmware = true;
 
-  programs.zsh = {
-    enable = true;
-    enableGlobalCompInit = true;
-    shellAliases = {
-      "nrb" = "sudo nixos-rebuild switch --flake /etc/nixos";
-    };
-  };
+  # programs.zsh = {
+  #   enable = true;
+  #   enableGlobalCompInit = true;
+  #   shellAliases = {
+  #     "nrb" = "sudo nixos-rebuild switch --flake /etc/nixos";
+  #   };
+  # };
 
   programs.ssh.startAgent = true;
   programs.nano.enable = false;

flake.nix

@@ -79,10 +79,10 @@
               swap-size = "128G";
               root-disk = "/dev/nvme0n1";
               raid-disks = [
-                # "sda"
-                # "sdb"
-                # "sdc"
-                # "sdd"
+                "sda"
+                "sdb"
+                "sdc"
+                "sdd"
               ];
             })
 

modules/microvm.nix

@@ -8,51 +8,33 @@
     index = i;
   }) (builtins.attrNames config.microvm.vms);
 in {
-  systemd.network.networks =
-    if routed
-    then
-      builtins.listToAttrs (builtins.map ({
-          name,
-          index,
-        }: {
-          name = "30-vm${toString index}";
-          value = {
-            matchConfig.Name = "vm${toString index}";
-            address = [
-              "10.0.0.0/32"
-            ];
-            routes = [
-              {
-                Destination = "10.0.0.${toString index}/32";
-              }
-            ];
-            networkConfig = {IPv4Forwarding = true;};
-          };
-        })
-        attrSet)
-    else {
-      "10-microvm" = {
-        matchConfig.Name = "microvm";
-        networkConfig.DHCPServer = true;
-        networkConfig.IPv6SendRA = true;
-        addresses = [
+  systemd.network.networks = builtins.listToAttrs (builtins.map ({
+      name,
+      index,
+    }: {
+      name = "30-vm${toString index}";
+      value = {
+        matchConfig.Name = "vm${toString index}";
+        address = [
+          "10.0.${toString index}.254/24" # Host gateway
+        ];
+        routes = [
           {
-            Address = "10.0.0.1/24";
+            Destination = "10.0.${toString index}.1/24";
           }
         ];
+        networkConfig = {
+          IPv4Forwarding = true;
+        };
       };
-      "11-microvm" = pkgs.lib.mkIf (!routed) {
-        matchConfig.Name = "vm-*";
-        # Attach to bridge configured above
-        networkConfig.Bridge = "microvm";
-      };
-    };
+    })
+    attrSet);
 
   # NAT (make vms accessible in host)
   networking.nat = {
     enable = true;
     externalInterface = "enp2s0";
-    internalIPs = pkgs.lib.mkIf routed ["10.0.0.0/24"];
-    internalInterfaces = pkgs.lib.mkIf (!routed) ["microvm"];
+    internalIPs = ["10.0.1.0/24"];
+    internalInterfaces = ["vm1"];
   };
 }

modules/users.nix

@@ -25,14 +25,14 @@
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPQ3uc8UB9m6NPkXHETTJrzxB6M+SfUiBx6YeWUSADU sxsgamer@gmail.com"
     ];
 
-    shell = pkgs.zsh;
+    shell = pkgs.fish;
   };
 
-  users.users."nixos" = {
-    isNormalUser = true;
-    extraGroups = ["wheel"];
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFhTExbc9m4dCK6676wGiA8zPjE0l/9Fz2yf0IKvUvg snorre@archlinux"
-    ];
+  programs.fish = {
+    enable = true;
+    shellAbbrs = {
+      "nrb" = "sudo nixos-rebuild switch --flake /etc/nixos";
+      "vmr" = "rm ~/.ssh/known_hosts; ssh root@10.0.0.1";
+    };
   };
 }

services/auto-torrent.nix

@@ -4,11 +4,13 @@
   ...
 }: let
   lib = pkgs.lib;
-  host = "10.0.0.${toString vm-index}";
+  host = "10.0.${toString vm-index}.1";
   port = 8989;
   vm-index = 1;
   vm-mac = "02:00:00:00:00:02";
   vm-name = "auto-torrent";
+  vpn-endpoint = "193.32.248.70";
+  enable-services = true;
 in {
   microvm.autostart = [vm-name];
 
@@ -37,7 +39,9 @@ in {
       # 1gb of memory
       microvm.mem = 1024;
 
-      microvm.shares = [
+      microvm.shares = let
+        proto = "virtiofs";
+      in [
         {
           tag = "ro-store";
           source = "/nix/store";
@@ -47,13 +51,13 @@ in {
           tag = "data-dir";
           source = "/var/lib/${vm-name}";
           mountPoint = "/mnt";
-          proto = "virtiofs";
+          inherit proto;
         }
         {
           tag = "media-dir";
           source = "/media";
           mountPoint = "/media";
-          proto = "virtiofs";
+          inherit proto;
         }
       ];
 
@@ -62,18 +66,13 @@ in {
       systemd.network.networks."10-eth" = {
         matchConfig.MACAddress = vm-mac;
         address = [
-          "10.0.0.${toString vm-index}/32"
+          "10.0.${toString vm-index}.1/24"
         ];
         routes = [
-          # Host Route
-          {
-            Destination = "10.0.0.0/32";
-            GatewayOnLink = true;
-          }
           # Default route
           {
-            Destination = "0.0.0.0/0";
-            Gateway = "10.0.0.0";
+            Destination = "${toString vpn-endpoint}/32";
+            Gateway = "10.0.${toString vm-index}.254";
             GatewayOnLink = true;
           }
         ];
@@ -93,8 +92,28 @@ in {
         "8.8.4.4"
       ];
 
-      systemd.services."wireguard-kill-switch" = {
-        description = "Wireguard Kill Switch";
+      # systemd.services."wireguard-kill-switch" = {
+      #   description = "Wireguard Kill Switch";
+      #   after = ["network-online.target"];
+      #   wants = ["network-online.target"];
+      #   wantedBy = ["multi-user.target"];
+
+      #   serviceConfig = {
+      #     type = "oneshot";
+      #     ExecStart = pkgs.writeShellScript "wgconf.sh" ''
+      #       # Block any traffic not going throug the vpn that isnt to the local network
+      #       ${pkgs.iptables}/bin/iptables -I OUTPUT ! -o wg0 -m mark ! --mark 42 -m addrtype ! --dst-type LOCAL ! -d 10.0.0.0/32 -j REJECT
+
+      #       # Route local traffic through wg0 except local traffic
+      #       ${pkgs.iproute2}/bin/ip route add 0.0.0.0/1 dev wg0
+      #       ${pkgs.iproute2}/bin/ip route add 10.0.0.0/32 dev eth0
+      #     '';
+      #     RemainAfterExit = "yes";
+      #   };
+      # };
+
+      systemd.services."start-wireguard" = {
+        description = "Start wireguard mullvad";
         after = ["network-online.target"];
         wants = ["network-online.target"];
         wantedBy = ["multi-user.target"];
@@ -102,90 +121,77 @@ in {
         serviceConfig = {
           type = "oneshot";
           ExecStart = pkgs.writeShellScript "wgconf.sh" ''
-            # Stay a while and listen
-            # ${pkgs.toybox}/bin/sleep 5
-            # Route local traffic through wg0 except local traffic
-            ${pkgs.iproute2}/bin/ip route add 10.0.0.0/32 dev eth0 && \
-            ${pkgs.iproute2}/bin/ip route add 0.0.0.0/1 dev wg0
-            # Block all traffic that isnt local or through the vpn
-            ${pkgs.iptables}/bin/iptables -I OUTPUT ! -o wg0 -m mark ! --mark 42 -m addrtype ! --dst-type LOCAL ! -d 10.0.0.0/32 -j REJECT
+            ${pkgs.wireguard-tools}/bin/wg-quick up /mnt/de-ber-wg-005.conf
           '';
           RemainAfterExit = "yes";
         };
       };
 
       networking.wireguard.enable = true;
-      systemd.network = {
-        netdevs."10-wg0" = {
-          netdevConfig = {
-            Kind = "wireguard";
-            Name = "wg0";
-            MTUBytes = "1300";
-          };
-          wireguardConfig = {
-            PrivateKeyFile = "${./wireguard-secret}";
-            FirewallMark = 42;
-            ListenPort = 51820;
-          };
-          wireguardPeers = [
-            {
-              PublicKey = "0qSP0VxoIhEhRK+fAHVvmfRdjPs2DmmpOCNLFP/7cGw=";
-              AllowedIPs = ["0.0.0.0/0"];
-              Endpoint = "193.32.248.66:51820";
-              # PersistentKeepalive = 25;
-            }
-          ];
-        };
-        networks."wg0" = {
-          matchConfig.Name = "wg0";
-          address = [
-            " 10.65.241.123/32"
-          ];
-          DHCP = "no";
-          dns = ["10.64.0.1"];
-          gateway = [
-            "10.0.0.0"
-          ];
-        };
-      };
+      # systemd.network = {
+      #   netdevs."10-wg0" = {
+      #     netdevConfig = {
+      #       Kind = "wireguard";
+      #       Name = "wg0";
+      #       MTUBytes = "1300";
+      #     };
+      #     wireguardConfig = {
+      #       PrivateKeyFile = "${./wireguard-secret}";
+      #       FirewallMark = 42;
+      #       ListenPort = 51820;
+      #     };
+      #     wireguardPeers = [
+      #       {
+      #         PublicKey = "0qSP0VxoIhEhRK+fAHVvmfRdjPs2DmmpOCNLFP/7cGw=";
+      #         AllowedIPs = ["0.0.0.0/0"];
+      #         Endpoint = "193.32.248.66:51820";
+      #         PersistentKeepalive = 25;
+      #       }
+      #     ];
+      #   };
+      #   networks."wg0" = {
+      #     matchConfig.Name = "wg0";
+      #     address = [
+      #       "10.65.241.123/32"
+      #     ];
+      #     DHCP = "no";
+      #     dns = ["10.64.0.1"];
+      #     # gateway = [
+      #     #   "10.0.0.0"
+      #     # ];
+      #   };
+      # };
 
       # Sleep them for a while to make sure everything is set up
-      systemd.services.sonarr.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 1";
-      systemd.services.radarr.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 1";
-      systemd.services.jackett.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 1";
-      systemd.services.rutorrent.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 1";
+      systemd.services.sonarr.serviceConfig.ExecStartPre = pkgs.lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";
+      systemd.services.radarr.serviceConfig.ExecStartPre = pkgs.lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";
+      systemd.services.jackett.serviceConfig.ExecStartPre = pkgs.lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";
+      systemd.services.rutorrent.serviceConfig.ExecStartPre = pkgs.lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";
 
       # fuck nano
       programs.nano.enable = lib.mkForce false;
       programs.vim.enable = true;
 
       # Services
-      services.sonarr = {
+      services.sonarr = pkgs.lib.mkIf enable-services {
         enable = true;
         openFirewall = true;
         dataDir = "/mnt/sonarr";
       };
-      services.radarr = {
+      services.radarr = pkgs.lib.mkIf enable-services {
         enable = true;
         openFirewall = true;
         dataDir = "/mnt/radarr";
       };
-      # services.prowlarr = {
-      #   enable = true;
-      #   openFirewall = true;
-      # };
-      # Prowlarr doesnt have a dataDir option
-      # systemd.services.prowlarr.serviceConfig.ExecStart = pkgs.lib.mkForce "${lib.getExe pkgs.prowlarr} -nobrowser -data=/mnt/prowlarr";
-
-      services.jackett = {
+      services.jackett = pkgs.lib.mkIf enable-services {
         enable = true;
         dataDir = "/mnt/jackett";
         openFirewall = true;
       };
 
-      services.transmission = {
+      services.transmission = pkgs.lib.mkIf enable-services {
         enable = true;
-        openFirewall = false;
+        openFirewall = true;
         home = "/mnt/transmission";
         settings.download-dir = "/mnt/transmission";
         settings.incomplete-dir = "/mnt/transmission/.incomplete";
@@ -193,9 +199,11 @@ in {
       };
 
       # debugging
-      users.users.root = {
-        password = "supersecretpassword";
-      };
+      # users.users.root = {
+      #   password = "1";
+      # };
+
+      environment.systemPackages = [pkgs.wireguard-tools pkgs.tcpdump];
 
       services.openssh = {
         enable = true;
@@ -209,6 +217,14 @@ in {
     };
   };
 
+  # networking.nat.forwardPorts = [
+  #   {
+  #     proto = "tcp";
+  #     sourcePort = 8989;
+  #     destination = "10.0.1.1:8989";
+  #   }
+  # ];
+
   # Sonarr
   services.nginx.virtualHosts."sonarr.spoodythe.one" = {
     addSSL = true;