setup wireguard

nixos/viridian/configuration.nix

@@ -35,6 +35,13 @@
     ./hardware-configuration.nix
   ];
 
+  age.secrets.wireguard = {
+    # Private key for wireguard
+    file = inputs.self + /secrets/wireguard.age;
+    owner = "root";
+    group = "root";
+  };
+
   nixpkgs = {
     # You can add overlays here
     overlays = [
@@ -117,6 +124,13 @@
     hostName = "viridian";
     domain = "kanto.dev";
     networkmanager.enable = true;
+    # Required for wireguard
+    nat = {
+      enable = true;
+      externalInterface = "wlp2s0";
+      internalInterfaces = [ "wg0" ];
+    };
+    # Setup our firewall
     firewall = {
       enable = true;
       allowedTCPPorts = [
@@ -130,8 +144,38 @@
         80    # traefik     (HTTP)
         443   # traefik     (HTTPS)
         32372 # qbittorrent
+        51820 # Wireguard
       ];
     };
+    wireguard.interfaces = {
+      wg0 = {
+        # IP address and subnet of the server's end of the tunnel interface
+        ips = [ "10.100.0.1/24" ];
+        listenPort = 51820;
+        # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+        # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+        postSetup = ''
+          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o wlp2s0 -j MASQUERADE
+       '';
+        # This undoes the above command
+        postShutdown = ''
+          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o wlp2s0 -j MASQUERADE
+        '';
+        # Path to the private key file.
+        privateKeyFile = config.age.secrets.wireguard.path;
+        peers = [
+          { # Pixel 6 Pro
+            publicKey = "VaXMnFAXdbJCllNY5sIjPp9AcSM7ap2oA0tU9SIMK3E=";
+            # List of IPs assigned to this peer within the tunnel subnet.
+            allowedIPs = [ "10.100.0.2/32" ];
+          }
+          { # Samsung S23 Ultra
+            publicKey = "dL91i7+VDWfeLCOr53JlzQ32WJ3lRJGqdecoqUpEnlQ=";
+            allowedIPs = [ "10.100.0.3/32" ];
+          }
+        ];
+      };
+    };
   };
 
   # Setup environment

secrets/secrets.nix

@@ -14,5 +14,6 @@ in
   {
     "traefik.age".publicKeys = users ++ hosts;
     "microbin.age".publicKeys = users ++ hosts;
+    "wireguard.age".publicKeys = users ++ hosts;
   }
   

secrets/wireguard.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 MipaNQ NdT4DUu7wAWLNp2A8+x4CW+c5V88gyUaMdm7EMxMtSc
+qiGBk33SBN6QvhRBcn6r+H40O8ekF+Zollw+xkbco4U
+-> ssh-ed25519 F8C9vw bWNQOkSxlJ9OvND+dmyGQIrF0BRxceR6Xi1zBdukLEI
+N0rYabPL8L3WJ1ioN9A9PrN56GgNbgFMoDeZRvFWQlI
+-> ssh-ed25519 dG7JAQ RqX9t1h5IWCCXTzyiRZqbYnZxcZkwT5sajWmOA3BM2o
+h6QUNLN0QUgLBTbYZAD+q0zGvWYBazHR6iHCkkqf7P8
+-> /^}HV)0Q-grease q6#cJ p 0T<L.&R (/haG
+c4EvSLupHcUubthSCw
+--- leFHEqNRjnnBeM4YFYr3W30FtiHBeY7Y6ez0oi8k+oo
+i£fB­Ð€7¬¼hÜû‹8À	Ühì•«vT¾èG:ÑN¼¦,]˜L…z/‡ãH°@¼JÏ@*AJÔ< 	<09>Tå=@P]’sIÀÓ”j*û<Ü