From 9471b1f393f50a890064800fdc70dbe770e84df9 Mon Sep 17 00:00:00 2001
From: Leyla Becker
Date: Sat, 22 Feb 2025 17:38:02 -0600
Subject: [PATCH] added wireguard config
---
 README.md | 3 ++-
 .../nixos/horizon/hardware-configuration.nix | 24 ++++++++++++++++++-
 flake.lock | 14 +++++------
 3 files changed, 32 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index c59d815..69f4e26 100644
--- a/README.md
+++ b/README.md
@@ -58,7 +58,8 @@ nix multi user, multi system, configuration with `sops` secret management, `home
 - Open GL?
 - rotate sops encryption keys periodically (and somehow sync between devices?)
 - zfs email after scrubbing
-- tail scale clients
+- common wireguard config
+- configure wireguard on all clients
 - wake on LAN for updates
 - ISO target that contains authorized keys for nixos-anywhere https://github.com/diegofariasm/yggdrasil/blob/4acc43ebc7bcbf2e41376d14268e382007e94d78/hosts/bootstrap/default.nix
 - Immich
diff --git a/configurations/nixos/horizon/hardware-configuration.nix b/configurations/nixos/horizon/hardware-configuration.nix
index c94d150..94f902c 100644
--- a/configurations/nixos/horizon/hardware-configuration.nix
+++ b/configurations/nixos/horizon/hardware-configuration.nix
@@ -6,12 +6,19 @@
 lib,
 pkgs,
 modulesPath,
+ inputs,
 ...
 }: {
 imports = [
 (modulesPath + "/installer/scan/not-detected.nix")
 ];
 
+ sops.secrets = {
+ "wireguard-keys/proton/horizon" = {
+ sopsFile = "${inputs.secrets}/wireguard-keys.yaml";
+ };
+ };
+
 boot = {
 initrd = {
 availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod"];
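Review bot: The sops secret and the new `inputs` parameter are added to hardware-configuration.nix, which is conventionally the file `nixos-generate-config` writes and may be overwritten on the next regeneration, silently dropping the key reference (and the wg-quick block later in this patch). Move `sops.secrets."wireguard-keys/proton/horizon"` into the host's main configuration or a shared wireguard module — the README's own TODO `common wireguard config` points the same way. The declaration also relies on sops-nix's default `owner`/`mode` (root, 0400 as far as I recall); that is the right choice for a root-run wg-quick unit, so record it, e.g. `# default root:0400 is intentional: wg-quick reads the key as root`, so nobody later relaxes it to make the key user-readable.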
@@ -90,8 +97,23 @@ useDHCP = lib.mkDefault true; hostName = "horizon"; # Define your hostname. - wireguard.interfaces = { + wg-quick.interfaces = { proton = { + # IP address of this machine in the *tunnel network* + address = ["10.2.0.1/32"]; + + listenPort = 51820; + + privateKeyFile = config.sops.secrets."wireguard-keys/proton/horizon".path; + + peers = [ + { + publicKey = "Yu2fgynXUAASCkkrXWj76LRriFxKMTQq+zjTzyOKG1Q="; + allowedIPs = ["0.0.0.0/0"]; + endpoint = "84.17.63.8:51820"; + persistentKeepalive = 25; + } + ]; }; }; }; diff --git a/flake.lock b/flake.lock index e563eb0..73eac0e 100644 --- a/flake.lock +++ b/flake.lock @@ -114,11 +114,11 @@ ] }, "locked": { - "lastModified": 1740254115, - "narHash": "sha256-MwxDtYB/MSGZlr/xS+ExGYH2QgHk73ShD40shxjad/Y=", + "lastModified": 1740265252, + "narHash": "sha256-+LFsCsIUF/pJWL9S21m5NLcK5bgwRB4MwfV0Iu7tggY=", "owner": "nix-community", "repo": "home-manager", - "rev": "cb3f6e9b59d3a5e51ef9f7da2b8418d5c72aaef8", + "rev": "fb568d75cf6c81f30d49eeb73787e9b56454ba16", "type": "github" }, "original": { @@ -234,11 +234,11 @@ "secrets": { "flake": false, "locked": { - "lastModified": 1740265180, - "narHash": "sha256-VcS1aWKZQG1Com/OgL8RbTSG7IJphNLkFXAcFer0cMQ=", + "lastModified": 1740267388, + "narHash": "sha256-JCgjNQMrlzf8a0YAqRNGliGmgv6afnc0OTOD6Eg0RZ0=", "ref": "refs/heads/main", - "rev": "5ec7b1181a3ce76c8238819195f7e55f51407463", - "revCount": 7, + "rev": "f5af565aee98df0a78056c49c85cda640ce290fd", + "revCount": 10, "type": "git", "url": "ssh://git@git.jan-leila.com/jan-leila/nix-config-secrets.git" },
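Review bot: `allowedIPs = ["0.0.0.0/0"]` makes this a full tunnel for IPv4 only, so if horizon has IPv6 connectivity that traffic bypasses the VPN, and with no `dns` attribute on the interface the resolver configured outside the tunnel keeps answering lookups — a DNS leak for a configuration that otherwise routes everything through the provider. Change the route to `allowedIPs = ["0.0.0.0/0" "::/0"];` and set `dns = [...]` to the provider's in-tunnel resolver so wg-quick installs it while the interface is up. The `address = ["10.2.0.1/32"]` value deserves a second look: Proton-generated WireGuard configs I have seen assign the client `10.2.0.2/32` and use `10.2.0.1` as the DNS server, so this may be a copy error — verify against the downloaded config. `listenPort = 51820` is only needed for a peer that must be dialled; for an outbound-only client dropping it and letting the kernel pick a random port is simpler and exposes nothing fixed.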