feat: add home wireguard config

home/agenix.nix

@@ -5,6 +5,9 @@
 
   age.secrets.access-tokens-github.file = ../secrets/gh_argstr.age;
 
+  age.secrets.fbda-wg-privkey.file = ../secrets/fbda_wg_priv_key.age;
+  age.secrets.fbda-wg-psk.file = ../secrets/fbda_wg_psk.age;
+
   age.secrets.obvps-id = {
     file = ../secrets/1bvps.age;
     path = "/home/rhea/.ssh/id_1bvps";

modules/networking.nix

@@ -1,6 +1,28 @@
+{ config, ... }:
 {
   # Enable networking
   networking.networkmanager.enable = true;
-
   networking.networkmanager.wifi.powersave = true;
+
+  networking.wireguard.enable = true;
+
+  networking.firewall = {
+    allowedUDPPorts = [ 51820 ]; # Clients and peers can use the same port, see listenport
+  };
+
+  networking.wireguard.interfaces."wg0" = {
+     privateKeyFile = "/run/agenix/fbda-wg-privkey";
+     ips = [ "192.168.178.201/24" ];
+     listenPort = 51820;
+
+     peers = [                                                                                                                                                                                                                        
+        { 
+          publicKey = "wwx1Kns34xmK+UJsF4l89uIZ5oc/m8VA9q7+YPWCbX8=";
+          presharedKeyFile = "/run/agenix/fbda-wg-psk";
+          allowedIPs = [ "192.168.178.0/24" "0.0.0.0/0" ];
+          endpoint = "y92dby3elaoma4gg.myfritz.net:57667";
+          persistentKeepalive = 25;
+        }
+     ];
+   };
 }

secrets/secrets.nix

@@ -8,4 +8,6 @@ in
   "1bvps.age".publicKeys = [ rhea-laptop ];
   "gcd_etwas.age".publicKeys = [ rhea-laptop ];
   "sign_etwas.age".publicKeys = [ rhea-laptop ];
+  "fbda_wg_priv_key.age".publicKeys = [ rhea-laptop ];
+  "fbda_wg_psk.age".publicKeys = [ rhea-laptop ];
 }