authorDylan <boss@tehbox.org>2025-09-16 22:10:50 +1200
committerDylan <boss@tehbox.org>2025-09-16 22:10:50 +1200
commit12f53416b8591fd9ee9569b40796f355c83f3ce7 (patch)
tree927880f8f47633b671534b2fc7a58c1749049433
parentd1395f9e6768551967f85128ccab19d12dec4c6f (diff)
feat: added wireguard to server and client
-rw-r--r--computers/nixnode.nix (renamed from computers/server.nix)120
-rw-r--r--computers/nixy.nix75
-rw-r--r--flake.nix6
-rw-r--r--hardware-setups/tuf.nix1
-rw-r--r--secrets/general.yaml31
-rw-r--r--secrets/test.yaml35
6 files changed, 155 insertions, 113 deletions
diff --git a/computers/server.nix b/computers/nixnode.nix
index 4e66375..baeadcb 100644
--- a/computers/server.nix
+++ b/computers/nixnode.nix
@@ -7,7 +7,6 @@
{
imports =
[ # Include the results of the hardware scan.
- ../hardware-setups/linode.nix
../modules/nix.nix
inputs.STK.nixosModules.default
inputs.sops.nixosModules.sops
@@ -21,10 +20,10 @@
# Define on which hard drive you want to install Grub.
# boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
- # networking.hostName = "nixos"; # Define your hostname.
+ networking.hostName = "nixos"; # Define your hostname.
# Pick only one of the below networking options.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
- # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+ networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
# Set your time zone.
# time.timeZone = "Europe/Amsterdam";
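Review bot: `networking.hostName = "nixos"` is the template default, while the file is now `nixnode.nix` and the sops secret is keyed as `wg/nixnode/priv`; if this host is meant to be "nixnode" the line should read `networking.hostName = "nixnode";` so logs, sops paths and the hostname agree. The surrounding module continues outside the hunk.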
@@ -46,74 +45,60 @@
security.sudo.wheelNeedsPassword = false;
- sops.defaultSopsFile = ../secrets/test.yaml;
+ sops.defaultSopsFile = ../secrets/general.yaml;
sops.defaultSopsFormat = "yaml";
sops.age.keyFile = "/home/boss/.config/sops/age/keys.txt";
sops.secrets = {
- test-value = {};
+ #"wg/nixy/pub" = { };
+ "wg/nixnode/priv" = { };
};
-
+
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 ];
+ allowedUDPPorts = [ 51820 ];
+ };
+
+ # Wireguard
+ networking = {
+ nat = {
+ enable = true;
+ externalInterface = "eth0";
+ internalInterfaces = [ "wg0" ];
+ };
+
+ wireguard.interfaces.wg0 = {
+ ips = [ "10.100.0.1/24" ];
+ listenPort = 51820;
+
+ postSetup = ''
+${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+'';
+ postShutdown = ''
+${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+'';
+
+ privateKeyFile = config.sops.secrets."wg/nixnode/priv".path;
+
+ peers = [
+ {
+ name = "nixy";
+ publicKey = "FMkFU9k+YeCvj48+WDVglySgoncbITqkS//o2e+TClY=";
+ allowedIPs = [ "10.100.0.2/32" ];
+ }
+ ];
+ };
+ };
+
services.httpd = {
- enable = false;
+ enable = true;
virtualHosts."172.105.172.191" = {
documentRoot = "/srv/httpd";
};
};
-
- # Configure keymap in X11
- # services.xserver.xkb.layout = "us";
- # services.xserver.xkb.options = "eurosign:e,caps:escape";
-
- # Enable CUPS to print documents.
- # services.printing.enable = true;
-
- # Enable sound.
- # services.pulseaudio.enable = true;
- # OR
- # services.pipewire = {
- # enable = true;
- # pulse.enable = true;
- # };
-
- # Enable touchpad support (enabled default in most desktopManager).
- # services.libinput.enable = true;
-
- # Define a user account. Don't forget to set a password with ‘passwd’.
- users.users.boss = {
- isNormalUser = true;
- extraGroups = [ "wheel" "networkmanager" ]; # Enable ‘sudo’ for the user.
- home = "/home/boss";
- openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOukEKExoF6vr3vciQN8pBdd4FtZtRzqIGFJrUvllOY boss@nixy" ];
- };
-
- # programs.firefox.enable = true;
-
- # List packages installed in system profile.
- # You can use https://search.nixos.org/ to find more packages (and options).
- environment.systemPackages = with pkgs; [
- vim
- emacs
- inetutils
- mtr
- sysstat
- git
- ];
-
- # Some programs need SUID wrappers, can be configured further or are
- # started in user sessions.
- # programs.mtr.enable = true;
- # programs.gnupg.agent = {
- # enable = true;
- # enableSSHSupport = true;
- # };
-
- # List services that you want to enable:
-
- # Enable the OpenSSH daemon.
- # services.openssh.enable = true;
services.openssh = {
enable = true;
settings.PermitRootLogin = "no";
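Review bot: The `postSetup`/`postShutdown` iptables MASQUERADE rules duplicate the masquerading that `networking.nat` already installs for `internalInterfaces = [ "wg0" ]` through `externalInterface`, and they repeat "eth0" in three places; dropping the two hooks, or at least writing `-o ${config.networking.nat.externalInterface}`, keeps one source of truth and avoids hand-rolled iptables diverging from the nat rules if `networking.nftables.enable` is ever turned on. The firewall opens 443, but the `services.httpd` virtual host has no TLS settings visible here, so either the port should stay closed for now or `forceSSL`/`enableACME` belongs on the vhost. The commented `#"wg/nixy/pub"` entry can go: a WireGuard public key is not secret and is already pinned as `publicKey` in the peer list, so it has no reason to live in sops. The enclosing module continues outside the hunk on both sides.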
@@ -132,6 +117,23 @@
};
};
+ users.users.boss = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" "networkmanager" ]; # Enable ‘sudo’ for the user.
+ home = "/home/boss";
+ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOukEKExoF6vr3vciQN8pBdd4FtZtRzqIGFJrUvllOY boss@nixy" ];
+ };
+
+ environment.systemPackages = with pkgs; [
+ vim
+ emacs
+ inetutils
+ mtr
+ sysstat
+ git
+ ];
+
+
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
diff --git a/computers/nixy.nix b/computers/nixy.nix
index e7b7fbe..fd79b47 100644
--- a/computers/nixy.nix
+++ b/computers/nixy.nix
@@ -5,11 +5,11 @@
{ config, pkgs, inputs, ... }:
{
imports =
- [ # Include the results of the hardware scan.
- ../hardware-setups/tuf.nix
+ [
../modules/nix.nix
../modules/nvidia.nix
inputs.YATwm.nixosModules.default
+ inputs.sops.nixosModules.sops
#inputs.spicetify-nix.nixosModules.default
];
@@ -31,29 +31,69 @@
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+ sops.defaultSopsFile = ../secrets/general.yaml;
+ sops.defaultSopsFormat = "yaml";
+
+ sops.age.keyFile = "/home/boss/.config/sops/age/keys.txt";
+
+ sops.secrets = {
+ #"wg/nixnode/pub" = { };
+ "wg/nixy/priv" = {
+ restartUnits = [ "nm-file-secret-agent.service" ];
+ group = "networkmanager";
+ mode = "440";
+ };
+ };
+
networking.firewall = {
allowedUDPPorts = [ 51820 ];
};
- networking.wireguard.enable = false;
- networking.wireguard.interfaces.wg0 = {
- ips = [ "10.200.200.2/32" ];
- listenPort = 51820;
-
- privateKeyFile = "/home/boss/.wg/peer_A.key";
-
- peers = [
+ networking.networkmanager.ensureProfiles = {
+ profiles = {
+ wg-nixnode = {
+ connection = {
+ id = "wg-nixnode";
+ autoconnect = "false";
+ interface-name = "wg0";
+ type = "wireguard";
+ };
+ ipv4 = {
+ address1 = "10.100.0.2/32";
+ may-fail = "false";
+ method = "manual";
+ };
+ ipv6 = {
+ method = "disabled";
+ };
+ wireguard = {
+ listen-port = "51820";
+ private-key-flags = 1;
+ #private-key = "dummy";
+ };
+ proxy = { };
+ "wireguard-peer./6bWy02DhOSjaeXk+ol5ATgEYDDJvL+mTO9SCNvfIUQ=" = {
+ allowed-ips = "0.0.0.0/0;";
+ endpoint = "172.105.172.191:51820";
+ persistent-keepalive = "25";
+ };
+ };
+ };
+ secrets.entries = [
{
- publicKey = "wQSg97FyVqWqkwMbmq1SLolf/MWlt9tIJuE5vKyDiRI=";
-
- allowedIPs = [ "0.0.0.0/0" ];
-
- endpoint = "139.144.99.248:51820";
-
- persistentKeepalive = 25;
+ matchId = "wg-nixnode";
+ matchType = "wireguard";
+ matchSetting = "wireguard";
+ key = "private-key";
+ file = config.sops.secrets."wg/nixy/priv".path;
}
];
};
+ systemd.services."nm-file-secret-agent" = {
+ serviceConfig.User = "boss";
+ };
+
+
# Set your time zone.
time.timeZone = "NZ";
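Review bot: A client profile that only dials out to `endpoint = "172.105.172.191:51820"` with `persistent-keepalive` has no use for `listen-port = "51820"`, and `allowedUDPPorts = [ 51820 ]` then opens a listener on the laptop that nothing needs; removing both lines drops that exposure and lets WireGuard choose an ephemeral source port. The `wg/nixy/priv` secret is made group-readable (`group = "networkmanager"; mode = "440"`) so that `nm-file-secret-agent` can run with `serviceConfig.User = "boss"`, which leaves the tunnel key readable by the interactive login user and every process in that session; a dedicated system user in the `networkmanager` group would keep the key out of the desktop session. `sops.age.keyFile` under `/home/boss` stores the identity that unlocks every secret in the same home directory — `sops.age.sshKeyPaths` pointing at the host SSH key, or a key under `/var/lib`, is the usual hardening, and presumably this path is also why `/home` now needs `neededForBoot` in tuf.nix. `private-key-flags = 1` is the only non-string value in the profile and `#private-key = "dummy";` is leftover scaffolding; the enclosing module continues outside the hunk on both sides.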
@@ -167,6 +207,7 @@
neofetch
pinentry-gtk2
git
+ nm-file-secret-agent
];
documentation.dev.enable = true;
diff --git a/flake.nix b/flake.nix
index 58b6397..6ec3d21 100644
--- a/flake.nix
+++ b/flake.nix
@@ -62,7 +62,8 @@
specialArgs = {inherit inputs;};
modules = [
(import ./my-pkgs)
-
+
+ ./hardware-setups/tuf.nix
./computers/nixy.nix
inputs.home-manager.nixosModules.home-manager
@@ -81,7 +82,8 @@
system = "x86_64-linux";
specialArgs = {inherit inputs;};
modules = [
- ./computers/server.nix
+ ./hardware-setups/linode.nix
+ ./computers/nixnode.nix
];
};
};
diff --git a/hardware-setups/tuf.nix b/hardware-setups/tuf.nix
index a400a7d..0b0e135 100644
--- a/hardware-setups/tuf.nix
+++ b/hardware-setups/tuf.nix
@@ -25,6 +25,7 @@
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/9ef8fad1-08cb-4c7a-9db1-3a37097544b0";
fsType = "ext4";
+ neededForBoot = true;
};
fileSystems."/boot" =
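Review bot: `neededForBoot = true` on `/home` carries no comment saying why a user-data filesystem must be mounted in stage 1, and the next reader will be tempted to remove it; presumably it is needed because `sops.age.keyFile` in `computers/nixy.nix` points under `/home/boss` and sops-nix reads that key during early activation — confirm. A one-line comment such as `# mounted early: sops-nix reads its age key from /home/boss/.config/sops` above the line would record that dependency.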
diff --git a/secrets/general.yaml b/secrets/general.yaml
new file mode 100644
index 0000000..d39a976
--- /dev/null
+++ b/secrets/general.yaml
@@ -0,0 +1,31 @@
+wg:
+ nixy:
+ pub: ENC[AES256_GCM,data:mducYruWaQvslfyQR9fsv1huaqJXLqqhreqwNHSGbfyjO/QnSvQSihY24SA=,iv:l1XqtCU1xZ2wjwcz7230BZz5Ik+3GUvIZ/pPgxs9UQ8=,tag:7BuMG3O3Xl3f0+XRX9lneA==,type:str]
+ priv: ENC[AES256_GCM,data:4GcN2WtwSRjur6NAwyQOdUUH+KEWH7w9zmmL2P7P+krC2aMIuMjkJYS4XEc=,iv:QbeD+hB7NK2yAKCNkV88KrRGocaPpZlkA0z/j/iDke8=,tag:zR3D/hmClAdDCMLocxsvLg==,type:str]
+ nixnode:
+ pub: ENC[AES256_GCM,data:BBc/KL60kv3uFDT3GwyxuRkvdAUA1tG+9XC0ib2loiaEtPeztob37JwZgTM=,iv:dBw+5jYZ7sGyoOlJtmiDBo+sZquasMq8+z6H9hQMHSA=,tag:qClUQ0CeTcJc+OJoxfe4tw==,type:str]
+ priv: ENC[AES256_GCM,data:ZvdDkGiMTVcQiP6sVbRu+tNL864zhsKsRFyCcFMo/pTM35us8gPm1j4T2Do=,iv:jtHCfnSuyH+srlNCTqyfM0Fc0HBt55Z1nO4yhqVKUzY=,tag:aQIq8iYjYq7HKKnk1YjSYQ==,type:str]
+sops:
+ age:
+ - recipient: age1p3sw8q030a7zgawu4ccxm6sgsp88349nuxkd4kale0ruy9klypssdh7c9s
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2RGYrTko0RFc1b0I4MXVB
+ TWs2OFlKN1lVSFpjSHJ5SXJpclg0ek5FeWpjCjliam5WdmhOWlIycHhzU0hIRTlR
+ R2JnOGdmNnAyWFNnVG9mYlhQM2NRcWMKLS0tIFYvbnZMWjRidnFsNU5wbUNzRzVL
+ MEJEY2RnT1l2YStqbUtoYWNqUEEzdzAKdVEYFyBIYx5cSdg23GS8uFDPpjn3CZSp
+ SRnXsAvHrtZUPB2rX3KRlB4gCup/RmyHaQQPj6uJ59WyU5R1ZAfCsQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1g7tzey3t2jmd79kaeukn89lgxg07tpq23w0u30lgq5z37xku0vwqcregzd
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlNjJVd2RYNi85UXRmWWt0
+ NkNpbWZ2d1N3eStaelpVeWtEM29qVkdzcnlFCks4S04zMG5VS0ltbXA5WXR0Mklz
+ c1pPaDR5elhEaFYvV0k1L0w0d2JBMk0KLS0tIGsxSGx6dE9qaUoxZENPNnlXVGZj
+ RU9OZlIyTzRzSmVUVkhCQWpwUHFEekEKGv24Ilg2BYWTX9wAmXn8mA0E9CZP7xvf
+ FOnUh9TQH7evO9n76w/xG9y/vDYJ1i9ljEO7ljGtEtIlGgKRx4xLjA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-09-16T06:21:44Z"
+ mac: ENC[AES256_GCM,data:IdMkWzNzfj1osTGPP/keTGRX4ZmnLDL1xdnvlWV4IZNwaaWAp3ve7PdWX+ZP9B4kbiI3+3JRS/7OihhJDtwFWLeZf7E8Ps04gbCzNb5r861eDvpVJNWxgruE7SA5ZcT4t18nUz/PRjZTqZctB+0Vps8SLH2gKx0+VJQ8umtD9nQ=,iv:WEUyAmr30HRIW4mSK3yQqBLeJdQMgCS93IhFR/1wQ/k=,tag:TDtw/5kGve/5i/rZQOzMaw==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
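Review bot: Both hosts' WireGuard private keys (`wg.nixy.priv` and `wg.nixnode.priv`) sit in one file encrypted to the same two age recipients, so a holder of either recipient key can decrypt both tunnel keys; if those recipients are the per-host keys, as the `sops.age.keyFile` paths in the nix files suggest, each machine can recover its peer's private key, which removes the benefit of keeping the keys separate. Per-host secret files, or a `.sops.yaml` creation rule per path encrypted only to the host that needs the key, would keep a compromise of one box from exposing the other's key. The `pub` entries do not need to be in sops at all, since the public keys are already pinned in plaintext in the peer definitions.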
diff --git a/secrets/test.yaml b/secrets/test.yaml
deleted file mode 100644
index 642eefb..0000000
--- a/secrets/test.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-hello: ENC[AES256_GCM,data:+/HfdCFoRsNydVWi5fGbtPShVi/XKnyx5LZiFkp7D6WGPkG4yEVpOiXsC2wAHQ==,iv:Y/vcsF+qFMvDfNA1vTymu3ToMVIYHP2OW22WKU6GOWM=,tag:0slxbzpbGac3uL0kqR5+lQ==,type:str]
-example_key: ENC[AES256_GCM,data:EbXQZk7OkrK+83omfg==,iv:+Nn42ROgLy3LE0oEbx8QbuT7Hlujzu7Iz9Stu1pO+o4=,tag:Xek6+n2ZCs1uwVItvFdguQ==,type:str]
-#ENC[AES256_GCM,data:T4zHJT8qQUWXnXbxULy97A==,iv:UOC0JThZIE5QaNBpuEd3AsZ8C/ztXN04aa42HuWA5MM=,tag:cWP9iincPkR/EaMrzH/IxQ==,type:comment]
-example_array:
- - ENC[AES256_GCM,data:bwA20gQpwNoLdN9q2eg=,iv:pkaMt+6AEKfZNRwIfaoRnrk6lqyYHVp9jq9nXgKnDdM=,tag:N4RLJ06fpvCJBZoowBMQQA==,type:str]
- - ENC[AES256_GCM,data:a8etS77qQhrrpZuJzzQ=,iv:vHWFkqzJAdgRDCwrzDzNjU/UtM71QgFcsz9gVXoMP0k=,tag:tZZB3ieUXFP/WWegyXTQ1w==,type:str]
-example_number: ENC[AES256_GCM,data:UE2bIlOI3WTZVg==,iv:j18MAwIC4Zf26HscNOoEbbc5IjhrsDx+hj7Re36JOrU=,tag:5s/918XsYuQJzqtP63/bvQ==,type:float]
-example_booleans:
- - ENC[AES256_GCM,data:oYjGew==,iv:3n5b4dxrYB5Oa5MTkUHQIDX+fFCI31c8RFFeWKcD+rE=,tag:VvfWpx7obTnR2bqlHNLKsg==,type:bool]
- - ENC[AES256_GCM,data:CDBenE0=,iv:G5p3Q2Y7kcI27Oey3NUAd8hX7vomrZN+bJrr/IezuaQ=,tag:bQJEziJF/NrOerpdSQ3XcA==,type:bool]
-test-value: ENC[AES256_GCM,data:hd+HuQ==,iv:OUo3H+2dcDYq2RNPVGRIOPW0oMSwCCEroFr/CR5oIao=,tag:HWW0+kIcujMyLrsy7K4l8Q==,type:str]
-sops:
- age:
- - recipient: age1p3sw8q030a7zgawu4ccxm6sgsp88349nuxkd4kale0ruy9klypssdh7c9s
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjOGlrYjdvWSttMlRadThB
- S0JvZXo5SStVMEtpMnl5SVo1cllHNlNqZWhJCi81eVk3Z1dINTJ1aWxkNHEzUzVX
- aVVoOVQ1bVd6eEdqL2RKcXZ5MlJPdjQKLS0tIHkwZEZhRFBwS0pMNmVCdEZNcDhI
- Skk1YlZpQUppN1FsbXVoc3BVUTFiSVEKyuw+u2ZkGb+4n0oLdn7IPwE8kXZmByEk
- 1JPZOWtOeoHMDOlkKNw98JEW9TQAdlnO0riKHFNHpQ80mhzjeE7YXw==
- -----END AGE ENCRYPTED FILE-----
- - recipient: age1g7tzey3t2jmd79kaeukn89lgxg07tpq23w0u30lgq5z37xku0vwqcregzd
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQVE1MdUR2SkE1VHlkSDNW
- VE5Nb1VVdkE3WTRBK29PeHN6UGJsWnFKVHpzCm1XVHZFM2V1WHJJNnRGRTBVbFFk
- ZERCWmJYR0sreEpvelIzaHZqYktKbkkKLS0tIEpEN29jeVNBZXdzYUh3M1VwQkdK
- ZFlBZllvWFhGdEtIVlNqZ3dnM0hkWTAKIniBn7mPe+rLJE5Pce6bIW2AjeDdVkPh
- tMybfEWdIwkYdqJ3yTcW/WlxX5Vel702V8wD7vUr44BCPbCAPQyvgQ==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-09-16T04:34:31Z"
- mac: ENC[AES256_GCM,data:qHK/wyZSzufZlBmhY7pGMfi8C1wyhBB0o3oVm22ouhDxIdC26Cbhy1mMgw+Uu3ej4eiyh/CihqMd6BAx/apgdmFZoc579/M0O/FoKoCQPr7KjaPD/z23Xclb9G82ep5U5tRcg9lKnRVugKhTZD2eK7Z4/vU25M8k8B53zkmKnz8=,iv:qZDsnbrY7purFEmfPtD8Bee6dA3FtO+hqfoYDBa3LFs=,tag:LXORKqvIayN7hAHVf8BYhg==,type:str]
- unencrypted_suffix: _unencrypted
- version: 3.10.2