flake.nix

@@ -27,7 +27,7 @@
     };
   };
 
-  outputs = { self, nixpkgs, nixpkgs-unstable, nur, ... }@inputs:
+  outputs = { nixpkgs, nixpkgs-unstable, nur, ... }@inputs:
   let
     mkPkgs = system: import nixpkgs {
       inherit system;

system/machines/server/modules/frigate/default.nix

@@ -7,7 +7,6 @@ let
   domain = "ramos.codes";
   user = config.sops.placeholder."RTSP_USER";
   pass = config.sops.placeholder."RTSP_PASS";
-  privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") nginx.privateAllowCidrs + "\ndeny all;";
 
 in
 {
@@ -240,13 +239,9 @@ in
     services.nginx.virtualHosts."frigate.${domain}" = mkIf nginx.enable {
       useACMEHost = domain;
       forceSSL = true;
-      locations."/" = {
-        extraConfig = privateAccessRules;
-      };
       locations."/go2rtc/" = {
         proxyPass = "http://127.0.0.1:1984/";
         proxyWebsockets = true;
-        extraConfig = privateAccessRules;
       };
     };
 

system/machines/server/modules/immich/default.nix

@@ -6,7 +6,6 @@ let
   nginx = config.modules.system.nginx;
   domain = "ramos.codes";
   port = 2283;
-  privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") nginx.privateAllowCidrs + "\ndeny all;";
 
 in
 {
@@ -52,7 +51,6 @@ in
       locations."/" = {
         proxyPass = "http://127.0.0.1:${toString port}";
         proxyWebsockets = true;
-        extraConfig = privateAccessRules;
       };
     };
   };

system/machines/server/modules/nginx/default.nix

@@ -4,23 +4,11 @@ with lib;
 let
   cfg = config.modules.system.nginx;
   domain = "ramos.codes";
-  privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") cfg.privateAllowCidrs + "\ndeny all;";
 
 in
 {
   options.modules.system.nginx = {
     enable = mkEnableOption "Nginx Reverse Proxy";
-
-    privateAllowCidrs = mkOption {
-      type = types.listOf types.str;
-      default = [
-        "192.168.0.0/24"
-        "10.8.0.0/24"
-      ];
-      description = ''
-        CIDR ranges allowed to access private vhosts (LAN + WireGuard).
-      '';
-    };
   };
 
   config = mkIf cfg.enable {
@@ -40,12 +28,25 @@ in
       };
     };
 
+    services.sslh = {
+      enable = true;
+      listenAddresses = [ "0.0.0.0" ];
+      port = 443;
+      settings = {
+        protocols = [
+          { name = "ssh"; host = "127.0.0.1"; port = "22"; }
+          { name = "tls"; host = "127.0.0.1"; port = "4443"; }
+        ];
+      };
+    };
+
     services.nginx = {
       enable = true;
       recommendedTlsSettings = true;
       recommendedOptimisation = true;
       recommendedGzipSettings = true;
       eventsConfig = "worker_connections 4096;";
+      defaultSSLListenPort = 4443;
 
       # Catch-all default - friendly error for unknown subdomains
       virtualHosts."_" = {
@@ -77,7 +78,6 @@ in
         locations."/" = {
           proxyPass = "http://192.168.0.23:3080";
           proxyWebsockets = true;
-          extraConfig = privateAccessRules;
         };
       };
 
@@ -87,7 +87,6 @@ in
         locations."/" = {
           proxyPass = "http://192.168.0.23:8000";
           proxyWebsockets = true;
-          extraConfig = privateAccessRules;
         };
       };
 
@@ -97,7 +96,6 @@ in
         locations."/" = {
           proxyPass = "http://192.168.0.23:8188";
           proxyWebsockets = true;
-          extraConfig = privateAccessRules;
         };
       };
     };

system/machines/server/modules/sandpack/default.nix

@@ -4,7 +4,6 @@ with lib;
 let
   cfg = config.modules.system.sandpack;
   domain = "ramos.codes";
-  privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") config.modules.system.nginx.privateAllowCidrs + "\ndeny all;";
 
   staticBrowserServer = pkgs.stdenvNoCC.mkDerivation (finalAttrs: let
     pnpm = pkgs.pnpm_10;
@@ -98,8 +97,6 @@ in
       locations."/" = {
         proxyPass = "http://127.0.0.1:4333";
         extraConfig = ''
-          ${privateAccessRules}
-
           add_header Access-Control-Allow-Origin "*" always;
           add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
           add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;
@@ -119,8 +116,6 @@ in
       locations."/" = {
         proxyPass = "http://127.0.0.1:4324";
         extraConfig = ''
-          ${privateAccessRules}
-
           add_header Access-Control-Allow-Origin "*" always;
           add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
           add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;

system/machines/server/modules/webdav/default.nix

@@ -4,7 +4,6 @@ with lib;
 let
   cfg = config.modules.system.webdav;
   domain = "ramos.codes";
-  privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") config.modules.system.nginx.privateAllowCidrs + "\ndeny all;";
 
 in
 {
@@ -51,8 +50,6 @@ in
       locations."/" = {
         proxyPass = "http://127.0.0.1:8090";
         extraConfig = ''
-          ${privateAccessRules}
-
           proxy_set_header Host $host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

system/machines/server/modules/wireguard/default.nix

@@ -1,106 +0,0 @@
-{ pkgs, lib, config, ... }:
-
-with lib;
-let
-  cfg = config.modules.system.wireguard;
-in
-{
-  options.modules.system.wireguard = {
-    enable = mkEnableOption "WireGuard VPN";
-
-    address = mkOption {
-      type = types.str;
-      default = "10.8.0.1/24";
-      description = "WireGuard interface address with CIDR";
-    };
-
-    subnet = mkOption {
-      type = types.str;
-      default = "10.8.0.0/24";
-      description = "WireGuard subnet used for peer allocations";
-    };
-
-    listenPort = mkOption {
-      type = types.port;
-      default = 51820;
-      description = "WireGuard UDP listen port";
-    };
-
-    privateKeyFile = mkOption {
-      type = types.str;
-      default = "/var/lib/wireguard/server.key";
-      description = "Path to WireGuard server private key";
-    };
-
-    peers = mkOption {
-      type = types.listOf (types.submodule ({ ... }: {
-        options = {
-          publicKey = mkOption {
-            type = types.str;
-            description = "Peer public key";
-          };
-
-          allowedIPs = mkOption {
-            type = types.listOf types.str;
-            description = "Allowed IPs for peer, usually a single /32";
-          };
-
-          presharedKeyFile = mkOption {
-            type = types.nullOr types.str;
-            default = null;
-            description = "Optional preshared key file";
-          };
-
-          persistentKeepalive = mkOption {
-            type = types.nullOr types.int;
-            default = 25;
-            description = "Persistent keepalive interval seconds";
-          };
-        };
-      }));
-      default = [ ];
-      description = "WireGuard peers";
-    };
-  };
-
-  config = mkIf cfg.enable {
-    networking.firewall.allowedUDPPorts = [ cfg.listenPort ];
-    networking.nat.internalInterfaces = mkAfter [ "wg0" ];
-
-    systemd.tmpfiles.rules = [
-      "d /var/lib/wireguard 0700 root root -"
-    ];
-
-    systemd.services.wireguard-generate-key = {
-      description = "Generate WireGuard server key if missing";
-      before = [ "wireguard-wg0.service" ];
-      wantedBy = [ "wireguard-wg0.service" ];
-      serviceConfig = {
-        Type = "oneshot";
-      };
-      path = with pkgs; [ wireguard-tools coreutils ];
-      script = ''
-        set -euo pipefail
-
-        if [ ! -s "${cfg.privateKeyFile}" ]; then
-          umask 077
-          wg genkey | tee "${cfg.privateKeyFile}" | wg pubkey > /var/lib/wireguard/server.pub
-        elif [ ! -s /var/lib/wireguard/server.pub ]; then
-          umask 077
-          wg pubkey < "${cfg.privateKeyFile}" > /var/lib/wireguard/server.pub
-        fi
-      '';
-    };
-
-    networking.wireguard.interfaces.wg0 = {
-      ips = [ cfg.address ];
-      listenPort = cfg.listenPort;
-      privateKeyFile = cfg.privateKeyFile;
-      peers = map (peer: {
-        inherit (peer) publicKey allowedIPs;
-        presharedKeyFile = peer.presharedKeyFile;
-        persistentKeepalive = peer.persistentKeepalive;
-      }) cfg.peers;
-    };
-  };
-}

system/machines/server/system.nix

@@ -19,15 +19,6 @@
     frigate.enable = true;
     immich.enable = true;
     webdav.enable = false;
-    wireguard = {
-      enable = true;
-      peers = [
-        {
-          publicKey = "HRFsVXn3jeqKQLQIl0cB6KC/qia7M1gQf2lqG5HDxF8=";
-          allowedIPs = [ "10.8.0.2/32" ];
-        }
-      ];
-    };
     # bitcoin = {
     #   enable = true;
     #   electrum.enable = true;
@@ -181,7 +172,7 @@
       cache-size = 1000;
 
       # Camera network DHCP (isolated - no gateway = no internet)
-      interface = [ "enp2s0f1" "wg0" ];
+      interface = "enp2s0f1";
       bind-interfaces = true;
       dhcp-range = "192.168.1.100,192.168.1.200,24h";
 
@@ -194,11 +185,6 @@
     };
   };
 
-  systemd.services.dnsmasq = {
-    after = [ "wireguard-wg0.service" ];
-    wants = [ "wireguard-wg0.service" ];
-  };
-
   services.fail2ban = {
     enable = true;
     maxretry = 5;

user/modules/utils/dev/default.nix

@@ -3,14 +3,13 @@
 with lib;
 let
   cfg = config.modules.user.utils.dev;
+
 in
 { options.modules.user.utils.dev = { enable = mkEnableOption "user.utils.dev"; };
   config = mkIf cfg.enable {
     home.packages = with pkgs; [
       unstable.claude-code
       unstable.codex
-      unstable.opencode
-
       bubblewrap
 
       nix-init