From 23c140a2d1631c57adc05f11f65877ff9b04bf34 Mon Sep 17 00:00:00 2001
From: EinEtwas
Date: Sat, 26 Oct 2024 11:54:46 +0200
Subject: [PATCH] feat: add home wireguard config
---
home/agenix.nix | 3 +++
modules/networking.nix | 24 +++++++++++++++++++++++-
secrets/fbda_wg_priv_key.age | Bin 0 -> 257 bytes
secrets/fbda_wg_psk.age | Bin 0 -> 257 bytes
secrets/secrets.nix | 2 ++
5 files changed, 28 insertions(+), 1 deletion(-)
create mode 100644 secrets/fbda_wg_priv_key.age
create mode 100644 secrets/fbda_wg_psk.age
diff --git a/home/agenix.nix b/home/agenix.nix
index 204cc65..40d5d8d 100644
--- a/home/agenix.nix
+++ b/home/agenix.nix
@@ -5,6 +5,9 @@
 age.secrets.access-tokens-github.file = ../secrets/gh_argstr.age;
+ age.secrets.fbda-wg-privkey.file = ../secrets/fbda_wg_priv_key.age;
+ age.secrets.fbda-wg-psk.file = ../secrets/fbda_wg_psk.age;
+
 age.secrets.obvps-id = {
 file = ../secrets/1bvps.age;
 path = "/home/rhea/.ssh/id_1bvps";
diff --git a/modules/networking.nix b/modules/networking.nix
index 45d62e4..469775d 100644
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -1,6 +1,28 @@
+{ config, ... }:
 {
 # Enable networking
 networking.networkmanager.enable = true;
- networking.networkmanager.wifi.powersave = true;
+
+ networking.wireguard.enable = true;
+
+ networking.firewall = {
+ allowedUDPPorts = [ 51820 ]; # Clients and peers can use the same port, see listenport
+ };
+
+ networking.wireguard.interfaces."wg0" = {
+ privateKeyFile = "/run/agenix/fbda-wg-privkey";
+ ips = [ "192.168.178.201/24" ];
+ listenPort = 51820;
+
+ peers = [
+ {
+ publicKey = "wwx1Kns34xmK+UJsF4l89uIZ5oc/m8VA9q7+YPWCbX8=";
+ presharedKeyFile = "/run/agenix/fbda-wg-psk";
+ allowedIPs = [ "192.168.178.0/24" "0.0.0.0/0" ];
+ endpoint = "y92dby3elaoma4gg.myfritz.net:57667";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
 }
\ No newline at end of file
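Review bot: These two secrets are declared under `home/` with only `.file`, yet they are consumed by the system-level wg0 interface in modules/networking.nix at the fixed paths `/run/agenix/fbda-wg-privkey` and `/run/agenix/fbda-wg-psk`. If this file is loaded as a home-manager module (the neighbouring `path = "/home/rhea/.ssh/id_1bvps"` hints at user-level secrets), agenix would presumably decrypt them into the user's runtime directory at login rather than into `/run/agenix` at activation, and the tunnel would find no key file; it is worth confirming which module system evaluates this file. The same question applies to the recipient in the secrets/secrets.nix hunk: `rhea-laptop` is defined outside the visible lines, and system-level decryption needs an identity that is available at activation. A short comment such as `# consumed by modules/networking.nix (wg0); must be decrypted by the system agenix module` above the two lines would record the dependency. The enclosing attribute set starts and ends outside the hunk.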
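Review bot: The new `{ config, ... }:` argument is never used, and `privateKeyFile` / `presharedKeyFile` hard-code `/run/agenix/...` strings, so a renamed or undeclared secret surfaces only as a wg0 failure at runtime; `privateKeyFile = config.age.secrets.fbda-wg-privkey.path;` and `presharedKeyFile = config.age.secrets.fbda-wg-psk.path;` would make it an evaluation error instead, assuming the secrets are declared in the same system configuration. In `allowedIPs`, `0.0.0.0/0` already covers `192.168.178.0/24` and routes all IPv4 through the peer while IPv6 has no entry, so if a full tunnel is intended IPv6 traffic would stay outside it; if only the home LAN is wanted, `allowedIPs = [ "192.168.178.0/24" ];` is the narrower setting. The `allowedUDPPorts = [ 51820 ]` opening looks unnecessary for a peer that dials out with `persistentKeepalive`, since return traffic is normally accepted as an established flow; confirm whether anything is meant to connect inbound before exposing the port on every interface. The removal of `networking.networkmanager.wifi.powersave` is unrelated to the commit title and may deserve its own commit or a mention in the message.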
diff --git a/secrets/fbda_wg_priv_key.age b/secrets/fbda_wg_priv_key.age
new file mode 100644
index 0000000000000000000000000000000000000000..7c78f1e1b4a7c8a497f16375426325177a2c19d7
GIT binary patch literal 257 zcmV+c0sj7BXJsvAZewzJaCB*JZZ2STsgrZD~VvT5v-)Ryc80H&H?`Zb=HUnY%zG9-PGNR-H&)$zz%owk4B~ zF5>nw0!;rx1PznN#9`9cg8+NrnH@M>2-YBJuI|wGak#i_UcrVQH7dx1;fv2z;LtUA HU9$|udBa&mVwNGmuna779&EiE8wQFm-dR7Q7nZ9-9Y zL@{VYHFr2^L_s!CGfPP|N;XM1SaEo3VOnZ=b8`yT?%-iow`5sl+#pe~oY9{D8|Vn& zxnSL}1C{Sdz@{^idS-N3`9ws1AW1df07IE0$DgG11}9f{wn|W?3DA~ghhjp0*U#X( HYzl=+I!j=z literal 0 HcmV?d00001
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 95c51bc..e498b10 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -8,4 +8,6 @@ in
 "1bvps.age".publicKeys = [ rhea-laptop ];
 "gcd_etwas.age".publicKeys = [ rhea-laptop ];
 "sign_etwas.age".publicKeys = [ rhea-laptop ];
+ "fbda_wg_priv_key.age".publicKeys = [ rhea-laptop ];
+ "fbda_wg_psk.age".publicKeys = [ rhea-laptop ];
 }
\ No newline at end of file