Update flake.lock

Include Vicinae setup in workstation playbook for non-WSL2 systems

Update flake.lock to newer nixpkgs revision

README.md

@@ -41,15 +41,6 @@ Run the `dotf update` command, although the setup script did most of the work so
 dotf update
 ```
 
-### 5. Decrypt secrets
-
-Either using 1Password or by manualling providing the decryption key you should decrypt the secrets.
-Various configurations depend on the secrets to be decrypted such as the SSH keys, yubikey pam configuration and more.
-
-```bash
-dotf secrets decrypt
-```
-
 ### 6. Profit
 
 You should now have a fully setup system with all the configurations applied.

ansible/group_vars/servers.yml

@@ -2,30 +2,81 @@
 flatpaks: false
 install_ui_apps: false
 
+# European countries for EU-specific access control
+eu_countries_codes:
+    - AL # Albania
+    - AD # Andorra
+    - AM # Armenia
+    - AT # Austria
+    - AZ # Azerbaijan
+    # - BY # Belarus (Belarus is disabled due to geopolitical reasons)
+    - BE # Belgium
+    - BA # Bosnia and Herzegovina
+    - BG # Bulgaria
+    - HR # Croatia
+    - CY # Cyprus
+    - CZ # Czech Republic
+    - DK # Denmark
+    - EE # Estonia
+    - FI # Finland
+    - FR # France
+    - GE # Georgia
+    - DE # Germany
+    - GR # Greece
+    - HU # Hungary
+    - IS # Iceland
+    - IE # Ireland
+    - IT # Italy
+    - XK # Kosovo
+    - LV # Latvia
+    - LI # Liechtenstein
+    - LT # Lithuania
+    - LU # Luxembourg
+    - MK # North Macedonia
+    - MT # Malta
+    - MD # Moldova
+    - MC # Monaco
+    - ME # Montenegro
+    - NL # Netherlands
+    - NO # Norway
+    - PL # Poland
+    - PT # Portugal
+    - RO # Romania
+    # - RU # Russia (Russia is disabled due to geopolitical reasons)
+    - SM # San Marino
+    - RS # Serbia
+    - SK # Slovakia
+    - SI # Slovenia
+    - ES # Spain
+    - SE # Sweden
+    - CH # Switzerland
+    - TR # Turkey
+    - UA # Ukraine
+    - GB # United Kingdom
+    - VA # Vatican City
+
+# Trusted non-EU countries for extended access control
+trusted_countries_codes:
+    - US # United States
+    - AU # Australia
+    - NZ # New Zealand
+    - JP # Japan
+
 # Countries that are allowed to access the server Caddy reverse proxy
 allowed_countries_codes:
-  - US # United States
-  - CA # Canada
-  - GB # United Kingdom
-  - DE # Germany
-  - FR # France
-  - ES # Spain
-  - IT # Italy
-  - NL # Netherlands
-  - AU # Australia
-  - NZ # New Zealand
-  - JP # Japan
-  - KR # South Korea
-  - SK # Slovakia
-  - FI # Finland
-  - DK # Denmark
-  - SG # Singapore
-  - AT # Austria
-  - CH # Switzerland
-
-# IP ranges for blocked countries (generated automatically)
-# This will be populated by the country blocking script
-blocked_countries: []
+    - US # United States
+    - GB # United Kingdom
+    - DE # Germany
+    - FR # France
+    - IT # Italy
+    - NL # Netherlands
+    - JP # Japan
+    - KR # South Korea
+    - CH # Switzerland
+    - AU # Australia (Added for UpDown.io to monitor server uptime)
+    - CA # Canada (Added for UpDown.io to monitor server uptime)
+    - FI # Finland (Added for UpDown.io to monitor server uptime)
+    - SG # Singapore (Added for UpDown.io to monitor server uptime)
 
 # Enable/disable country blocking globally
 enable_country_blocking: true

ansible/tasks/servers/services/caddy/Caddyfile.j2

@@ -5,9 +5,9 @@
     }
 }
 
-# Country blocking snippet using MaxMind GeoLocation - reusable across all sites
+# Country allow list snippet using MaxMind GeoLocation - reusable across all sites
 {% if enable_country_blocking | default(false) and allowed_countries_codes | default([]) | length > 0 %}
-(country_block) {
+(country_allow) {
     @allowed_local {
         remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
     }
@@ -23,56 +23,125 @@
     respond @not_allowed_countries "Access denied" 403
 }
 {% else %}
-(country_block) {
-    # Country blocking disabled
+(country_allow) {
+    # Country allow list disabled
+}
+{% endif %}
+
+# European country allow list - allows all European countries only
+{% if eu_countries_codes | default([]) | length > 0 %}
+(eu_country_allow) {
+    @eu_allowed_local {
+        remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
+    }
+    @eu_not_allowed_countries {
+        not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
+        not {
+            maxmind_geolocation {
+                db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb"
+                allow_countries {{ eu_countries_codes | join(' ') }}
+            }
+        }
+    }
+    respond @eu_not_allowed_countries "Access denied" 403
+}
+{% else %}
+(eu_country_allow) {
+    # EU country allow list disabled
+}
+{% endif %}
+
+# Trusted country allow list - allows US, Australia, New Zealand, and Japan
+{% if trusted_countries_codes | default([]) | length > 0 %}
+(trusted_country_allow) {
+    @trusted_allowed_local {
+        remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
+    }
+    @trusted_not_allowed_countries {
+        not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
+        not {
+            maxmind_geolocation {
+                db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb"
+                allow_countries {{ trusted_countries_codes | join(' ') }}
+            }
+        }
+    }
+    respond @trusted_not_allowed_countries "Access denied" 403
+}
+{% else %}
+(trusted_country_allow) {
+    # Trusted country allow list disabled
+}
+{% endif %}
+
+# Sathub country allow list - combines EU and trusted countries
+{% if eu_countries_codes | default([]) | length > 0 and trusted_countries_codes | default([]) | length > 0 %}
+(sathub_country_allow) {
+    @sathub_allowed_local {
+        remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
+    }
+    @sathub_not_allowed_countries {
+        not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
+        not {
+            maxmind_geolocation {
+                db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb"
+                allow_countries {{ (eu_countries_codes + trusted_countries_codes) | join(' ') }}
+            }
+        }
+    }
+    respond @sathub_not_allowed_countries "Access denied" 403
+}
+{% else %}
+(sathub_country_allow) {
+    # Sathub country allow list disabled
 }
 {% endif %}
 
 {% if inventory_hostname == 'mennos-server' %}
 git.mvl.sh {
-   import country_block
+   import country_allow
    reverse_proxy gitea:3000
    tls {{ caddy_email }}
 }
 
 git.vleeuwen.me {
-   import country_block
+   import country_allow
    redir https://git.mvl.sh{uri}
    tls {{ caddy_email }}
 }
 
 df.mvl.sh {
-   import country_block
+   import country_allow
    redir / https://git.mvl.sh/vleeuwenmenno/dotfiles/raw/branch/master/setup.sh
    tls {{ caddy_email }}
 }
 
 fsm.mvl.sh {
-   import country_block
+   import country_allow
    reverse_proxy factorio-server-manager:80
    tls {{ caddy_email }}
 }
 
 fsm.vleeuwen.me {
-   import country_block
+   import country_allow
    redir https://fsm.mvl.sh{uri}
    tls {{ caddy_email }}
 }
 
 beszel.mvl.sh {
-   import country_block
+   import country_allow
    reverse_proxy beszel:8090
    tls {{ caddy_email }}
 }
 
 beszel.vleeuwen.me {
-   import country_block
+   import country_allow
    redir https://beszel.mvl.sh{uri}
    tls {{ caddy_email }}
 }
 
 sathub.de {
-   import country_block
+   import sathub_country_allow
 
    handle {
        reverse_proxy sathub-frontend:4173
@@ -93,31 +162,31 @@ sathub.de {
 }
 
 api.sathub.de {
-   import country_block
+   import sathub_country_allow
    reverse_proxy sathub-backend:4001
    tls {{ caddy_email }}
 }
 
 sathub.nl {
-   import country_block
+   import sathub_country_allow
    redir https://sathub.de{uri}
    tls {{ caddy_email }}
 }
 
 photos.mvl.sh {
-   import country_block
+   import country_allow
    reverse_proxy immich:2283
    tls {{ caddy_email }}
 }
 
 photos.vleeuwen.me {
-   import country_block
+   import country_allow
    redir https://photos.mvl.sh{uri}
    tls {{ caddy_email }}
 }
 
 home.mvl.sh {
-   import country_block
+   import country_allow
    reverse_proxy host.docker.internal:8123 {
        header_up Host {upstream_hostport}
        header_up X-Real-IP {http.request.remote.host}
@@ -126,7 +195,7 @@ home.mvl.sh {
 }
 
 home.vleeuwen.me {
-   import country_block
+   import country_allow
    reverse_proxy host.docker.internal:8123 {
        header_up Host {upstream_hostport}
        header_up X-Real-IP {http.request.remote.host}
@@ -160,13 +229,13 @@ hotspot.mvl.sh:80 {
 }
 
 bin.mvl.sh {
-   import country_block
+   import country_allow
    reverse_proxy privatebin:8080
    tls {{ caddy_email }}
 }
 
 ip.mvl.sh ip.vleeuwen.me {
-   import country_block
+   import country_allow
    reverse_proxy echoip:8080 {
        header_up X-Real-IP {http.request.remote.host}
    }
@@ -174,26 +243,26 @@ ip.mvl.sh ip.vleeuwen.me {
 }
 
 http://ip.mvl.sh http://ip.vleeuwen.me {
-   import country_block
+   import country_allow
    reverse_proxy echoip:8080 {
        header_up X-Real-IP {http.request.remote.host}
    }
 }
 
 overseerr.mvl.sh {
-   import country_block
+   import country_allow
    reverse_proxy overseerr:5055
    tls {{ caddy_email }}
 }
 
 overseerr.vleeuwen.me {
-   import country_block
+   import country_allow
    redir https://overseerr.mvl.sh{uri}
    tls {{ caddy_email }}
 }
 
 plex.mvl.sh {
-   import country_block
+   import country_allow
    reverse_proxy host.docker.internal:32400 {
        header_up Host {upstream_hostport}
        header_up X-Real-IP {http.request.remote.host}
@@ -202,13 +271,13 @@ plex.mvl.sh {
 }
 
 plex.vleeuwen.me {
-   import country_block
+   import country_allow
    redir https://plex.mvl.sh{uri}
    tls {{ caddy_email }}
 }
 
 tautulli.mvl.sh {
-   import country_block
+   import country_allow
    reverse_proxy host.docker.internal:8181 {
        header_up Host {upstream_hostport}
        header_up X-Real-IP {http.request.remote.host}
@@ -217,13 +286,13 @@ tautulli.mvl.sh {
 }
 
 tautulli.vleeuwen.me {
-   import country_block
+   import country_allow
    redir https://tautulli.mvl.sh{uri}
    tls {{ caddy_email }}
 }
 
 cloud.mvl.sh {
-   import country_block
+   import country_allow
    reverse_proxy cloudreve:5212 {
        header_up Host {host}
        header_up X-Real-IP {http.request.remote.host}
@@ -232,13 +301,13 @@ cloud.mvl.sh {
 }
 
 cloud.vleeuwen.me {
-  import country_block
+  import country_allow
   redir https://cloud.mvl.sh{uri}
   tls {{ caddy_email }}
 }
 
 collabora.mvl.sh {
-  import country_block
+  import country_allow
   reverse_proxy collabora:9980 {
     header_up Host {host}
     header_up X-Real-IP {http.request.remote.host}
@@ -247,7 +316,7 @@ collabora.mvl.sh {
 }
 
 drive.mvl.sh drive.vleeuwen.me {
-   import country_block
+   import country_allow
 
    # CalDAV and CardDAV redirects
    redir /.well-known/carddav /remote.php/dav/ 301

ansible/tasks/workstations/flatpaks.yml

@@ -41,12 +41,13 @@
       # Multimedia
       - com.plexamp.Plexamp
       - tv.plex.PlexDesktop
+      - com.spotify.Client
 
       # Messaging
       - com.rtosta.zapzap
       - org.telegram.desktop
       - org.signal.Signal
-      - com.spotify.Client
+      - com.discordapp.Discord
 
       # 3D Printing
       - com.bambulab.BambuStudio
@@ -74,6 +75,7 @@
       - io.github.bytezz.IPLookup
       - org.gaphor.Gaphor
       - io.dbeaver.DBeaverCommunity
+      - com.jetpackduba.Gitnuro
 
 - name: Define system desired Flatpak remotes
   ansible.builtin.set_fact:

ansible/tasks/workstations/vicinae.yml

@@ -0,0 +1,175 @@
+---
+- name: Install Vicinae
+  block:
+    - name: Set Vicinae version
+      ansible.builtin.set_fact:
+        vicinae_version: "v0.15.6"
+        vicinae_appimage_commit: "13865b4c5"
+
+    - name: Set architecture-specific variables
+      ansible.builtin.set_fact:
+        vicinae_arch: "{{ 'x86_64' if ansible_architecture == 'x86_64' else ansible_architecture }}"
+
+    - name: Ensure /opt/vicinae directory exists
+      ansible.builtin.file:
+        path: "/opt/vicinae"
+        state: directory
+        mode: "0755"
+      become: true
+
+    - name: Download Vicinae AppImage
+      ansible.builtin.get_url:
+        url: "https://github.com/vicinaehq/vicinae/releases/download/{{ vicinae_version }}/Vicinae-{{ vicinae_appimage_commit }}-{{ vicinae_arch }}.AppImage"
+        dest: "/opt/vicinae/vicinae.AppImage"
+        mode: "0755"
+      become: true
+
+    - name: Remove old Vicinae binary if exists
+      ansible.builtin.file:
+        path: "/usr/local/bin/vicinae"
+        state: absent
+      become: true
+
+    - name: Create symlink to Vicinae AppImage
+      ansible.builtin.file:
+        src: "/opt/vicinae/vicinae.AppImage"
+        dest: "/usr/local/bin/vicinae"
+        state: link
+      become: true
+
+    - name: Create temporary directory for Vicinae assets download
+      ansible.builtin.tempfile:
+        state: directory
+        suffix: vicinae
+      register: vicinae_temp_dir
+
+    - name: Download Vicinae tarball for assets
+      ansible.builtin.get_url:
+        url: "https://github.com/vicinaehq/vicinae/releases/download/{{ vicinae_version }}/vicinae-linux-{{ vicinae_arch }}-{{ vicinae_version }}.tar.gz"
+        dest: "{{ vicinae_temp_dir.path }}/vicinae.tar.gz"
+        mode: "0644"
+
+    - name: Extract Vicinae tarball
+      ansible.builtin.unarchive:
+        src: "{{ vicinae_temp_dir.path }}/vicinae.tar.gz"
+        dest: "{{ vicinae_temp_dir.path }}"
+        remote_src: true
+
+    - name: Ensure systemd user directory exists
+      ansible.builtin.file:
+        path: "/usr/lib/systemd/user"
+        state: directory
+        mode: "0755"
+      become: true
+
+    - name: Copy systemd user service
+      ansible.builtin.copy:
+        src: "{{ vicinae_temp_dir.path }}/lib/systemd/user/vicinae.service"
+        dest: "/usr/lib/systemd/user/vicinae.service"
+        mode: "0644"
+        remote_src: true
+      become: true
+
+    - name: Update systemd service to use AppImage
+      ansible.builtin.replace:
+        path: "/usr/lib/systemd/user/vicinae.service"
+        regexp: "ExecStart=.*"
+        replace: "ExecStart=/usr/local/bin/vicinae"
+      become: true
+
+    - name: Ensure applications directory exists
+      ansible.builtin.file:
+        path: "/usr/share/applications"
+        state: directory
+        mode: "0755"
+      become: true
+
+    - name: Copy desktop files
+      ansible.builtin.copy:
+        src: "{{ vicinae_temp_dir.path }}/share/applications/{{ item }}"
+        dest: "/usr/share/applications/{{ item }}"
+        mode: "0644"
+        remote_src: true
+      become: true
+      loop:
+        - vicinae.desktop
+        - vicinae-url-handler.desktop
+
+    - name: Update desktop files to use AppImage
+      ansible.builtin.replace:
+        path: "/usr/share/applications/{{ item }}"
+        regexp: "Exec=.*vicinae"
+        replace: "Exec=/usr/local/bin/vicinae"
+      become: true
+      loop:
+        - vicinae.desktop
+        - vicinae-url-handler.desktop
+
+    - name: Ensure Vicinae share directory exists
+      ansible.builtin.file:
+        path: "/usr/share/vicinae"
+        state: directory
+        mode: "0755"
+      become: true
+
+    - name: Copy Vicinae themes directory
+      ansible.builtin.copy:
+        src: "{{ vicinae_temp_dir.path }}/share/vicinae/themes/"
+        dest: "/usr/share/vicinae/themes/"
+        mode: "0644"
+        remote_src: true
+      become: true
+
+    - name: Ensure hicolor icons directory exists
+      ansible.builtin.file:
+        path: "/usr/share/icons/hicolor/512x512/apps"
+        state: directory
+        mode: "0755"
+      become: true
+
+    - name: Copy Vicinae icon
+      ansible.builtin.copy:
+        src: "{{ vicinae_temp_dir.path }}/share/icons/hicolor/512x512/apps/vicinae.png"
+        dest: "/usr/share/icons/hicolor/512x512/apps/vicinae.png"
+        mode: "0644"
+        remote_src: true
+      become: true
+
+    - name: Update desktop database
+      ansible.builtin.command:
+        cmd: update-desktop-database /usr/share/applications
+      become: true
+      changed_when: false
+
+    - name: Update icon cache
+      ansible.builtin.command:
+        cmd: gtk-update-icon-cache /usr/share/icons/hicolor
+      become: true
+      changed_when: false
+      failed_when: false
+
+    - name: Clean up temporary directory
+      ansible.builtin.file:
+        path: "{{ vicinae_temp_dir.path }}"
+        state: absent
+
+    - name: Verify Vicinae installation
+      ansible.builtin.command:
+        cmd: /usr/local/bin/vicinae --version
+      register: vicinae_version_check
+      changed_when: false
+      failed_when: false
+
+    - name: Display installation result
+      ansible.builtin.debug:
+        msg: |
+          {% if vicinae_version_check.rc == 0 %}
+          ✓ Vicinae AppImage installed successfully with all themes and assets!
+          Version: {{ vicinae_version_check.stdout }}
+          {% else %}
+          ✗ Vicinae installation completed but version check failed.
+          This may be normal if --version flag is not supported.
+          Try running: vicinae
+          {% endif %}
+  tags:
+    - vicinae

ansible/tasks/workstations/workstation.yml

@@ -42,6 +42,10 @@
       ansible.builtin.import_tasks: tasks/workstations/autostart.yml
       when: "'microsoft-standard-WSL2' not in ansible_kernel"
 
+    - name: Include Vicinae tasks
+      ansible.builtin.import_tasks: tasks/workstations/vicinae.yml
+      when: "'microsoft-standard-WSL2' not in ansible_kernel"
+
     - name: Ensure workstation common packages are installed
       ansible.builtin.package:
         name:

config/bash.nix

@@ -82,6 +82,8 @@
       if [[ "$(uname -a)" == *"microsoft-standard-WSL2"* ]]; then
           [ -f "${config.home.homeDirectory}/.agent-bridge.sh" ] && source "${config.home.homeDirectory}/.agent-bridge.sh"
           alias winget='winget.exe'
+          alias ssh-add="ssh-add.exe"
+          alias git="git.exe"
       fi
 
       # Set SSH_AUTH_SOCK to 1Password agent if not already set
@@ -137,11 +139,6 @@
           bind -x '"\C-r": fzf_history_search'
       fi
 
-      # In case this is WSL, let's add various Windows executables as aliases
-      if [ -f "/mnt/c/Windows/System32/cmd.exe" ]; then
-          alias ssh-add="ssh-add.exe"
-      fi
-
       # Display welcome message for interactive shells
       if [ -t 1 ]; then
           command -v helloworld &> /dev/null && helloworld

flake.lock

@@ -41,11 +41,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1760862643,
-        "narHash": "sha256-PXwG0TM7Ek87DNx4LbGWuD93PbFeKAJs4FfALtp7Wo0=",
+        "lastModified": 1761597516,
+        "narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "33c6dca0c0cb31d6addcd34e90a63ad61826b28c",
+        "rev": "daf6dc47aa4b44791372d6139ab7b25269184d55",
         "type": "github"
       },
       "original": {
@@ -77,11 +77,11 @@
         "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1760894497,
-        "narHash": "sha256-u2unItzVvUe3Y2opdJrISGtHSmQLVnDOIfhWvSBrw74=",
+        "lastModified": 1761503988,
+        "narHash": "sha256-MlMZXCTtPeXq/cDtJcL2XM8wCN33XOT9V2dB3PLV6f0=",
         "owner": "brizzbuzz",
         "repo": "opnix",
-        "rev": "92974503378ca6ec6206b74cd3a78377a5796cbb",
+        "rev": "48fdb078b5a1cd0b20b501fccf6be2d1279d6fe6",
         "type": "github"
       },
       "original": {