added wireguard config

2025-02-22 17:38:02 -06:00 · 2025-02-22 17:38:02 -06:00 · 9471b1f393
parent 489106956b
commit 9471b1f393
3 changed files with 32 additions and 9 deletions
--- a/README.md
+++ b/README.md
@ -58,7 +58,8 @@ nix multi user, multi system, configuration with `sops` secret management, `home
 - Open GL?
 - rotate sops encryption keys periodically (and somehow sync between devices?)
 - zfs email after scrubbing
- tail scale clients
+- common wireguard config
+- configure wireguard on all clients
 - wake on LAN for updates
 - ISO target that contains authorized keys for nixos-anywhere https://github.com/diegofariasm/yggdrasil/blob/4acc43ebc7bcbf2e41376d14268e382007e94d78/hosts/bootstrap/default.nix
 - Immich
--- a/configurations/nixos/horizon/hardware-configuration.nix
+++ b/configurations/nixos/horizon/hardware-configuration.nix
@ -6,12 +6,19 @@
  lib,
  pkgs,
  modulesPath,
+  inputs,
  ...
 }: {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];

+  sops.secrets = {
+    "wireguard-keys/proton/horizon" = {
+      sopsFile = "${inputs.secrets}/wireguard-keys.yaml";
+    };
+  };
+
  boot = {
    initrd = {
      availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod"];
@ -90,8 +97,23 @@
    useDHCP = lib.mkDefault true;
    hostName = "horizon"; # Define your hostname.

-    wireguard.interfaces = {
+    wg-quick.interfaces = {
      proton = {
+        # IP address of this machine in the *tunnel network*
+        address = ["10.2.0.1/32"];
+
+        listenPort = 51820;
+
+        privateKeyFile = config.sops.secrets."wireguard-keys/proton/horizon".path;
+
+        peers = [
+          {
+            publicKey = "Yu2fgynXUAASCkkrXWj76LRriFxKMTQq+zjTzyOKG1Q=";
+            allowedIPs = ["0.0.0.0/0"];
+            endpoint = "84.17.63.8:51820";
+            persistentKeepalive = 25;
+          }
+        ];
      };
    };
  };
--- a/flake.lock
+++ b/flake.lock
@ -114,11 +114,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1740254115,
-        "narHash": "sha256-MwxDtYB/MSGZlr/xS+ExGYH2QgHk73ShD40shxjad/Y=",
+        "lastModified": 1740265252,
+        "narHash": "sha256-+LFsCsIUF/pJWL9S21m5NLcK5bgwRB4MwfV0Iu7tggY=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "cb3f6e9b59d3a5e51ef9f7da2b8418d5c72aaef8",
+        "rev": "fb568d75cf6c81f30d49eeb73787e9b56454ba16",
        "type": "github"
      },
      "original": {
@ -234,11 +234,11 @@
    "secrets": {
      "flake": false,
      "locked": {
-        "lastModified": 1740265180,
-        "narHash": "sha256-VcS1aWKZQG1Com/OgL8RbTSG7IJphNLkFXAcFer0cMQ=",
+        "lastModified": 1740267388,
+        "narHash": "sha256-JCgjNQMrlzf8a0YAqRNGliGmgv6afnc0OTOD6Eg0RZ0=",
        "ref": "refs/heads/main",
-        "rev": "5ec7b1181a3ce76c8238819195f7e55f51407463",
-        "revCount": 7,
+        "rev": "f5af565aee98df0a78056c49c85cda640ce290fd",
+        "revCount": 10,
        "type": "git",
        "url": "ssh://git@git.jan-leila.com/jan-leila/nix-config-secrets.git"
      },