From 3bf145fd459a0201b8297d7abcf98730a73937ba Mon Sep 17 00:00:00 2001
From: Jurn Wubben <jurnwubben@gmail.com>
Date: Thu, 8 May 2025 13:01:33 +0200
Subject: [PATCH] Started with work on own wireguard server

---
 secrets/caddy_config           |  25 ------------
 secrets/default.nix            |   3 ++
 secrets/secrets.nix            |   3 ++
 secrets/wg-lapserv-private.age | Bin 0 -> 587 bytes
 secrets/wg-laptop-private.age  | Bin 0 -> 587 bytes
 system/network/default.nix     |   1 +
 system/network/wireguard.nix   |  72 +++++++++++++++++++++++++++++++++
 7 files changed, 79 insertions(+), 25 deletions(-)
 delete mode 100644 secrets/caddy_config
 create mode 100644 secrets/wg-lapserv-private.age
 create mode 100644 secrets/wg-laptop-private.age
 create mode 100644 system/network/wireguard.nix

diff --git a/secrets/caddy_config b/secrets/caddy_config
deleted file mode 100644
index 4f782b9..0000000
--- a/secrets/caddy_config
+++ /dev/null
@@ -1,25 +0,0 @@
-{
-	email jurnwubben@gmail.com
-
-}
-
-files.jsw.tf {
-	log {
-		output file /var/log/caddy/access-files.jsw.tf.log
-	}
-
-	handle_path /seafhttp/* {
-		reverse_proxy * unix//run/seafile/server.sock
-	}
-	handle_path /* {
-		reverse_proxy * unix//run/seahub/gunicorn.sock
-	}
-}
-
-share.jsw.tf www.share.jsw.tf {
-	log {
-		output file /var/log/caddy/access-share.jsw.tf.log
-	}
-
-	reverse_proxy :9000
-}
diff --git a/secrets/default.nix b/secrets/default.nix
index 517f7bc..4d2c03e 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -12,5 +12,8 @@
         else "root";
     };
     password.file = ./password.age;
+
+    wg-lapserv-private.file = ./wg-lapserv-private.age;
+    wg-laptop-private.file = ./wg-laptop-private.age;
   };
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 0a8489e..d6e3f64 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -10,4 +10,7 @@ in {
   "transfer-sh.age".publicKeys = systems;
   "password.age".publicKeys = systems;
   "dcbot.age".publicKeys = systems;
+
+  "wg-lapserv-private.age".publicKeys = systems;
+  "wg-laptop-private.age".publicKeys = systems;
 }
diff --git a/secrets/wg-lapserv-private.age b/secrets/wg-lapserv-private.age
new file mode 100644
index 0000000000000000000000000000000000000000..87e2b61bcf2410515e264585579c94dabe09c8a7
GIT binary patch
literal 587
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCR+cMk9=a#To*%<wGt
zEqAU+^fL7IC@Cy=EKE$y3JEJtPxL5HEi=k6b}fo@D=ct!%I5M84=wU3@T^G6$O=yj
za4s(LPK!+S$q7z0(9g;?b*YR<3DK?$s&oprbVaw#T)!$avRuKxBp|TT-$*|sE61qJ
z$FkTxIN#qd$}1zMq{KDcA|<dWB{M52-ykx@*nmqv(>O0o-z(fTD!Z^a)iB#DF~u?|
zz^m9dIM}Gf*U=->Fu>BlqSU$6G#TAC_rR*ia7P8_j7n!eU+>67UlU`K3SWzI*KqAn
zODA_X&tQw<6z^d7;KE9MBW*K3mwc{Vm&*L?Y^S2!;0z0w?8?eYV;9%ZKx5;~G?U6=
zZ|6`GpQzCMG9$BKb6<4ZeA9x=!yFZ|OZ}s&w99kSGjn|+lPdg8-L%U>O7k*Ia*|xL
z{Ikj;jEXb7(hIW#3>>+fEpq%*3@p;h{mjcOESw^plfv91vI<;60`om1ybUu;yu8yg
zETdeF{PVeVb#)c80@F=$OUztT+<mK(ErP;4-26=aU46?8jf)(OLo*%yJ<KbsQp-*B
z6HU1K@9&xx@%Z9$hKJf}FOIvU?%vZPW9R#IadNg+!<mn-;vXKUay^$_<)p>$^?low
la<*^pzsJA4?3AScFsW<fe37V(E~cd8_KRaVB#$<(1^^C$%H03}

literal 0
HcmV?d00001

diff --git a/secrets/wg-laptop-private.age b/secrets/wg-laptop-private.age
new file mode 100644
index 0000000000000000000000000000000000000000..a9bd3b02805d210be3b2ba9d4591c812bddbf692
GIT binary patch
literal 587
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCR+cMk9=a#RSa3UIDS
zaV~RmGV;nW%SbFR&Ma{WG7d;hHSsF<PSX#t^iK~CEY1oI%;s_qNvsO?PYMZlG7m^E
zFUoOB3v>^)^i1(J%*-s$ib`@aHK~g5E^_ut^hCGKT)!$avRonCC$HQv+)3ZVz$+uq
zQQs*oNZ-`LO+P=~$luerNIy(JJK4zJquks$G@r{W$2rnC!`CI$IVIFHt2C!FHPOX0
zqol;8s?@VIttcQo%q^tI+b6Xms~Fuj_rR*ia7P8dbdU5Xw=|F7%na8u=c0@XGxxMq
z?Luu!Lw$n~lccCDiwu|2knD_*YzwYJ&!S4dJTIg0fP!4}^fDtqM~h?&Q<sR+$PmXg
zmvmzzbD!YUkf=iQU<})Q(}K*y92FwUlgu3hjdL>-je{&heab9?%+1X*EDg#6(mg#=
zl6<^UOP#Z_gDstc1G&=5(_M|CBE$2H@^ih)O7;CR(gQsV3k~uuf-8(&jI%<Dy^V6i
z@*RC#O}KP*brs6|Ontl~gNwY9b5pWH61_4!eM|iOv@^mB3$xS0vwd7sLrXjZs~iK;
zJ-LFV^QZDMY}!;<IWI{<X#EVcE3(U1)aLD;n71mRz*y+<i%PpGZC%xo#pxF-m}7nG
jw*PrLJMO;F_ZIIMv$LnyWR~lG`5Vf&Gc@e2pv+SM*73&W

literal 0
HcmV?d00001

diff --git a/system/network/default.nix b/system/network/default.nix
index 93ceba7..073f9ef 100644
--- a/system/network/default.nix
+++ b/system/network/default.nix
@@ -3,6 +3,7 @@
   imports = [
     ./avahi.nix
     ./tailscale.nix
+    ./wireguard.nix
   ];
 
   networking = {
diff --git a/system/network/wireguard.nix b/system/network/wireguard.nix
new file mode 100644
index 0000000..7dcaa49
--- /dev/null
+++ b/system/network/wireguard.nix
@@ -0,0 +1,72 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit (lib) mkIf optionals;
+  inherit (config.networking) hostName;
+  iptables = lib.getExe' pkgs.iptables "iptables";
+
+  port = 53;
+  server = "lapserv";
+
+  serverCfg = {
+    externalInterface = "eth0";
+    privateKeyFile = config.age.secrets.wg-lapserv-private.path;
+    publicKey = "aM+OrvByr63RxKsU9hu0A1lKJr8fPHifHDhBekkHR0c=";
+    publicIp = "80.242.224.170";
+    ip = "10.100.0.1";
+  };
+  deviceConfig = {
+    laptop = {
+      publicKey = config.age.secrets.wg-laptop-private.path;
+      privateKeyFile = "1su1FfHuEYIvJLaZPwpN86kmH19d/NH/zuh9DjIOyQI=";
+      ip = "10.100.0.2";
+    };
+  };
+
+  isServer = server == config.networking.hostName;
+  currentConfig =
+    if isServer
+    then serverCfg
+    else deviceConfig.${hostName};
+in {
+  networking.nat = mkIf isServer {
+    enable = true;
+    inherit (serverCfg) externalInterface;
+    internalInterfaces = ["wg0"];
+  };
+  networking.firewall.allowedUDPPorts = [port];
+
+  networking.wireguard.interfaces.wg0 = {
+    inherit (currentConfig) privateKeyFile;
+
+    listenPort = port;
+    ips = ["${currentConfig.ip}/24"];
+
+    peers =
+      []
+      ++ (optionals isServer (builtins.concatMap (x: {
+          inherit (x) publicKey;
+          allowedIPs = ["${x.ip}/32"];
+        })
+        (builtins.attrValues
+          deviceConfig)))
+      ++ (optionals (!isServer) [
+        {
+          inherit (serverCfg) publicKey;
+          allowedIPs = ["0.0.0.0/0"];
+          endpoint = "${serverCfg.publicIp}:${builtins.toString port}";
+          persistentKeepalive = 25;
+        }
+      ]);
+
+    postSetup = mkIf isServer ''
+      ${iptables} -t nat -A POSTROUTING -s 10.100.0.0/24 -o ${serverCfg.externalInterface} -j MASQUERADE
+    '';
+    postShutdown = mkIf isServer ''
+      ${iptables} -t nat -D POSTROUTING -s 10.100.0.0/24 -o ${serverCfg.externalInterface} -j MASQUERADE
+    '';
+  };
+}