From a15baed03302a103ffa1f0a21bbb1f78cd9f9b70 Mon Sep 17 00:00:00 2001
From: Julius de Jeu
Date: Wed, 22 Dec 2021 21:23:03 +0100
Subject: [PATCH] Add wireguard

---
 flake.lock | 18 +++---
 hosts/default.nix | 5 ++
 hosts/wireguard/configuration.nix | 71 +++++++++++++++++++++
 hosts/wireguard/hardware-configuration.nix | 25 ++++++++
 hosts/wireguard/secrets.nix | Bin 0 -> 416 bytes
 hosts/wireguard/secrets.txt | Bin 0 -> 256 bytes
 secrets.nix | Bin 0 -> 1274 bytes
 7 files changed, 110 insertions(+), 9 deletions(-)
 create mode 100644 hosts/wireguard/configuration.nix
 create mode 100644 hosts/wireguard/hardware-configuration.nix
 create mode 100644 hosts/wireguard/secrets.nix
 create mode 100644 hosts/wireguard/secrets.txt
 create mode 100644 secrets.nix

diff --git a/flake.lock b/flake.lock
index dee8d09..d434e81 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
 "utils": "utils"
 },
 "locked": {
- "lastModified": 1632822684,
- "narHash": "sha256-lt7eayYmgsD5OQwpb1XYfHpxttn43bWo7G7hIJs+zJw=",
+ "lastModified": 1638665590,
+ "narHash": "sha256-nhtfL3z4TizWHemyZvgLvq11FhYX5Ya4ke+t6Np5PKQ=",
 "owner": "serokell",
 "repo": "deploy-rs",
- "rev": "9a02de4373e0ec272d08a417b269a28ac8b961b4",
+ "rev": "715e92a13018bc1745fb680b5860af0c5641026a",
 "type": "github"
 },
 "original": {
@@ -133,11 +133,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1636623366,
- "narHash": "sha256-jOQMlv9qFSj0U66HB+ujZoapty0UbewmSNbX8+3ujUQ=",
+ "lastModified": 1640139330,
+ "narHash": "sha256-Nkp3wUOGwtoQ7EH28RLVJ7EqB/e0TU7VcsM7GLy+SdY=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "c5ed8beb478a8ca035f033f659b60c89500a3034",
+ "rev": "81cef6b70fb5d5cdba5a0fef3f714c2dadaf0d6d",
 "type": "github"
 },
 "original": {
@@ -192,11 +192,11 @@
 "nixpkgs": "nixpkgs_4"
 },
 "locked": {
- "lastModified": 1637273221,
- "narHash": "sha256-ByBCiWlVprVgYGGy2ma7W0DKbtp4Xmj7S5whFrIzO3Q=",
+ "lastModified": 1638383949,
+ "narHash": "sha256-k7oMUrp1cMBj59uihyocJVqi4jbU16ycHQqGTJxH1b0=",
 "owner": "serokell",
 "repo": "serokell.nix",
- "rev": "1649eceabbe6e148b3c1b322b716e873d312599f",
+ "rev": "faebe5b14155d045ae5d3f76193c8e99e664af1b",
 "type": "github"
 },
 "original": {
diff --git a/hosts/default.nix b/hosts/default.nix
index c59b714..faa49e6 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -256,6 +256,11 @@
 ip = "10.42.20.10";
 mac = "46:37:52:f3:a2:fb";
 }
+ {
+ hostname = "wireguard";
+ ip = "10.42.20.13";
+ mac = "1A:C6:89:21:85:85";
+ }
 /* {
 hostname = "dhcp";
 ip = "10.42.42.42";
diff --git a/hosts/wireguard/configuration.nix b/hosts/wireguard/configuration.nix
new file mode 100644
index 0000000..9ceba78
--- /dev/null
+++ b/hosts/wireguard/configuration.nix
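Review bot: The new host entry in hosts/default.nix writes its MAC address in uppercase (`mac = "1A:C6:89:21:85:85";`) while the neighbouring entry uses lowercase (`46:37:52:f3:a2:fb`); if this list is later matched against a DHCP lease table or compared as a string anywhere, a case-sensitive comparison could silently skip this host. Suggest `mac = "1a:c6:89:21:85:85";` to keep the list uniform. The enclosing host list starts and ends outside the hunk, so I cannot see how the field is consumed.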
@@ -0,0 +1,71 @@
+{ config, pkgs, lib, ... }:
+let secrets = import ./secrets.nix;
+in {
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ # Import common config
+ ../../common/generic-vm.nix
+ ../../common
+ ];
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/sda";
+
+ # networking.hostName = "nixos"; # Define your hostname.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+
+ # Set your time zone.
+ time.timeZone = "Europe/Amsterdam";
+
+ networking.hostName = "wireguard";
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "21.11"; # Did you read the comment?
+
+ environment.systemPackages = with pkgs; [ wireguard ];
+
+ environment.noXlibs = lib.mkForce false;
+
+ networking.firewall.allowedTCPPorts = [ ];
+
+ networking.nat.enable = true;
+ networking.nat.externalInterface = "ens18";
+ networking.nat.internalInterfaces = [ "wg0" ];
+
+ networking.firewall.allowedUDPPorts = [ 51820 ];
+
+ networking.wireguard.interfaces = {
+ wg0 = {
+ ips = [ "10.42.69.1/24" ];
+ listenPort = 51820;
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.42.69.0/24 -o ens18 -j MASQUERADE
+ '';
+
+ # This undoes the above command
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.42.69.0/24 -o ens18 -j MASQUERADE
+ '';
+
+ privateKey = secrets.serverPrivate;
+ peers = [
+ {
+ publicKey = secrets.laptopPublic;
+ allowedIPs = [ "10.42.69.2/32" ];
+ }
+ {
+ publicKey = secrets.phonePublic;
+ allowedIPs = [ "10.42.69.3/32" ];
+ }
+ ];
+ };
+ };
+
+}
diff --git a/hosts/wireguard/hardware-configuration.nix b/hosts/wireguard/hardware-configuration.nix
new file mode 100644
index 0000000..7247074
--- /dev/null
+++ b/hosts/wireguard/hardware-configuration.nix
@@ -0,0 +1,25 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/7085fcd5-71a0-46ed-bc9a-9642ed4b1633"; + fsType = "ext4"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/779fe897-e5cb-49f0-903d-eb9a7f76c3c7"; } + ]; + +} \ No newline at end of file 
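Review bot: `privateKey = secrets.serverPrivate;` in hosts/wireguard/configuration.nix embeds the WireGuard server private key in the evaluated configuration, which the NixOS module then writes into the world-readable Nix store on the target; the option's own description recommends `privateKeyFile` for exactly this reason. Prefer `privateKeyFile = "<path to a 0600 key file delivered outside the store>";` and ship the key with whatever secret-delivery mechanism the repo uses (the committed `secrets.nix` / `secrets.txt` blobs look encrypted, but that cannot be confirmed from this patch, and the plain `import ./secrets.nix` means evaluation needs the decrypted file in the deployer's working tree). Separately, with `networking.nat.internalInterfaces = [ "wg0" ]` the NAT module already installs masquerading towards `ens18` for that interface, so the hand-written `postSetup` / `postShutdown` iptables rules appear redundant and hard-code the external interface name a second time; either drop them or hoist `ens18` into one `let` binding, and after activation confirm that only a single MASQUERADE rule is present in the nat POSTROUTING chain.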
diff --git a/hosts/wireguard/secrets.nix b/hosts/wireguard/secrets.nix new file mode 100644 index 0000000000000000000000000000000000000000..a9dc86b5a6fd80c8db88f11cb3993026857da4c6 GIT binary patch literal 416 zcmV;R0bl+AM@dveQdv+`06|g`#p%pAg5i3=-nARO9knlY)e8VmM7defug`W-WHdzy zBbX=ICSl`k!^;W-@VBTTDeOIW!c(e39?7Al_#$%uuJ+#^=|-;-NcDEJq83owl+Ej! zWj=azXPe7^F>RkGNV+)d$}C5c1s5VH9HqZ_?DSSkJME-OS}Y%Ysi>ipm&2aQi=My( z+vD;{egtSjdB7!qd)!(!v$hJ^!QTvCLo5BE(Wj3prTYk}l9J>QY8%y0+o5X73O z!3~kaYFiOOSwocC?5h$#S_xEUn_N? zyY4!d__8VN$yVTO5WmC={0b?xBLT#DHkend9 KJ~ommWU0Mp_0f3% literal 0 HcmV?d00001 diff --git a/hosts/wireguard/secrets.txt b/hosts/wireguard/secrets.txt new file mode 100644 index 0000000000000000000000000000000000000000..fdb2fe8c4f7235bb906e24f735051fbf9f5fa1aa GIT binary patch literal 256 zcmV+b0ssC0M@dveQdv+`09U0mFtfF!uNjy(3AX%JR+++XdXB=aMcT zQ-(-j5A+nxu^nsT7r9u|XnBNetdfI4(J%w%jT)Y@I`vGAVL3p z|CqYsggHRf>bQxA=Bm!_N+}(gcOIt4Z2?#7@cvn`%A<;ozCBesbB4>rKNe8mYH0*v z^ct3o)nFv)JX|1l_^+01&hwHmq0I*_1^eAdBP{UJL{Fc-ooNoq!>xwVf5P3-He&kU GR;aJ=e}(`6 literal 0 HcmV?d00001 
diff --git a/secrets.nix b/secrets.nix new file mode 100644 index 0000000000000000000000000000000000000000..71b69905e4c24e173bb240a921f08bd2f251c548 GIT binary patch literal 1274 zcmV9+$TW~rDJ~(v zb`6Wnd1tTm_;}zP$JtExHYEB^&K?RQb8D3chFtFg;y%JZ;pB&@D!zQ?R;?yzHUGru zDt`&syR*dw?%+Nagr=%{K@ndP4j(ego*jLE_;s6?17AO%aZ{tA&JpDprA(^rHhdEe z4$t}DM9BadQLUgdWSjKtXe_)?>l`L=NeBVTI!dHnriIXz=8W|QS@sHL5-YV1Zl-k@ zQYY`Ft}WX-aG!B_l_Y@A0MC#rTo`jnB zTalpkX36c?LA8?Ob;Dw@M3*r}-vj^00_9}zS8V=h?bX~Rn9K1Xtr|C@gYT|_=p=F0 zyJ9@>)sL%$uv2WF2Zbqu5Bg^u8hBMwS#F|-(`^05Z3lL4bm4{2Pro7#g|9FIWp_qZ z-fOp*XAyD((YnPugf5I_ds@z-l$Qq#hO`A!<#(8x(RbMXC1FS?C1^n{zzIE{4u^QX`$s{S~aHfXXEvXN;9>8j(+{7ux44*1kx;faYEwda}G{3t``er z#Ys&IJHO_eSogImu!<9>kn&3JYZRZQtj2giLp}fXo&=31&_qq%wPFSgacl~e6~kQQ z2i(HamRt^GKEP(pJi88KL;fE?hqAJy;(ie*Ccu0Qm)s)hvjY61P=HZ*Ms-!DMoj9Z zj03V>$?x(LUmH$;8*)DpJw4Sd*!n=8K%ILS=4;r(i9m5Yd1)!rrB6E09K~L4cX6j` z;zEi)kfBB+va}tg=jo%1$h*b0k$t-br}J-PPmK#EqOEC-GSJ$y+82-{+7QP|5?EVp zx-DxW6Z71_W>)j7iVI&VWPxaLNncuQC$l05?zD8%t*P3bv@!&hjcSAX$u#MpK>e_{ z#bvM`G}GgG<#u?w+_H(O_)}t*nwaSAFCsGi+TQkHy>I*ycw2H`vCaK=OS!%#2}Y%& zW~)+2wt$rg^TWpiPP+kWFUameTbGC24J=R4d*8mb1;62zL*GD<0#=IZ*cjP*^H~7C zLvXP7F0)027y>R%^s1NO8XJ>@x4lqC`j?Ti_|21O6rTA$!^Ve{7&wN^7s#M9Rzci9 zEb7G9oVbP8&mYgH38sWa+t<^6L|JH^_6Swjt)FQ^S}D&Kd4 z*RLBAfOv9OCMZr+CNqL2UrL6rs-kh@UEfo%9vGgGWS2CsIj49@iLgZkV0g{XyM+s4X9RL6T literal 0 HcmV?d00001