authorMathias Magnusson <mathias@magnusson.space>2025-12-01 16:21:50 +0100
committerMathias Magnusson <mathias@magnusson.space>2025-12-01 16:21:50 +0100
commiteb32e98e962e9d17d0343e4921e9775dfbbc58af (patch)
tree1b779d98a679dd3afaee8abe1d9cc09472fd97d0
parent7dcc7a6da509266330ae20eb912c0e045290c7af (diff)
downloadoden-eb32e98e962e9d17d0343e4921e9775dfbbc58af.tar.gz
set up wireguard
-rw-r--r--router.nix47
-rw-r--r--secrets/secrets.nix1
-rw-r--r--secrets/wg-key.txt12
3 files changed, 54 insertions, 6 deletions
diff --git a/router.nix b/router.nix
index 3cc17bc..79c4f7b 100644
--- a/router.nix
+++ b/router.nix
@@ -10,29 +10,32 @@
allowedUDPPorts = [
53
67
+ 51829
];
extraForwardRules = ''
iifname "ethlan" oifname "wlan-staff" accept
iifname "ethlan" oifname "wlan-guest" accept
+ iifname "ethlan" oifname "wglan" accept
iifname "wlan-staff" oifname "ethlan" accept
iifname "wlan-staff" oifname "wlan-guest" accept
+ iifname "wlan-staff" oifname "wglan" accept
iifname "wlan-guest" oifname "ethlan" accept
iifname "wlan-guest" oifname "wlan-staff" accept
+ iifname "wlan-guest" oifname "wglan" accept
+
+ iifname "wglan" oifname "ethlan" accept
+ iifname "wglan" oifname "wlan-staff" accept
+ iifname "wglan" oifname "wlan-guest" accept
'';
};
nat = {
enable = true;
externalInterface = "wan";
- internalInterfaces = [ "ethlan" "wlan" "docker0" ];
+ internalInterfaces = [ "ethlan" "wlan" "docker0" "wglan" ];
forwardPorts = [
{
- sourcePort = 51801;
- destination = "10.69.0.3:51801";
- proto = "udp";
- }
- {
sourcePort = 80;
destination = "10.69.0.3:80";
}
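Review bot: The `51829` added to `allowedUDPPorts` only helps if that list applies to the interface sleipner connects through; whether it is the global list or an interface-scoped one is decided by the enclosing attrset, which starts before this hunk, so confirm the WireGuard listener is actually reachable on `wan` (the neighbouring 53 and 67 look like LAN-facing DNS/DHCP, which hints at an interface-scoped list). The new `extraForwardRules` make wglan a full member of the mesh, including `iifname "wlan-guest" oifname "wglan" accept` and its reverse, so guest clients get routed reach to the VPN peer and the peer reaches guest; if that is not intended, drop those two lines and keep only the ethlan/staff pairs. The peer's `AllowedIPs` restricts what the remote side may source, but it does not substitute for these forward rules. The enclosing `firewall` block starts before this hunk.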
@@ -85,6 +88,32 @@
linkConfig.RequiredForOnline = "routable";
};
+ netdevs."20-wglan" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "wglan";
+ };
+ wireguardConfig = {
+ ListenPort = 51829;
+ PrivateKeyFile = config.age.secrets."wg-key.txt".path;
+ RouteTable = "main";
+ };
+ wireguardPeers = [
+ {
+ # sleipner
+ PublicKey = "FqwkR+gKe/0JfFn3oXyyNDK8qh3LGMQw/t1pvGEHTBk=";
+ AllowedIPs = [ "10.69.3.2" ];
+ }
+ ];
+ };
+ networks."20-wglan" = {
+ matchConfig.Name = "wglan";
+ networkConfig = {
+ Address = "10.69.3.1/24";
+ IPv4Forwarding = true;
+ };
+ };
+
# netdevs."10-vlan-staff" = {
# netdevConfig = {
# Kind = "vlan";
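Review bot: The peer entry under `# sleipner` has no `Endpoint`, so this side never initiates and the tunnel only comes up once sleipner dials in to UDP 51829; that is worth stating in the comment, e.g. `# sleipner — dial-in only: no Endpoint here, sleipner must initiate to :51829`. `AllowedIPs = [ "10.69.3.2" ]` confines sleipner to that single host (a bare address is taken as a host route), which is the right default; if a subnet behind sleipner is ever meant to be routed, it must be widened deliberately rather than by loosening the forward rules. The `51829` literal is now duplicated between `ListenPort` here and the firewall hunk above; binding it once, e.g. `let wgPort = 51829; in` at the top of the module and using `ListenPort = wgPort;` / `allowedUDPPorts = [ 53 67 wgPort ];`, keeps the listener and the firewall from drifting apart.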
@@ -207,4 +236,10 @@
age.secrets."wifi-password-staff.txt".file = ./secrets/wifi-password-staff.txt.age;
age.secrets."wifi-password-guest.txt".file = ./secrets/wifi-password-guest.txt.age;
age.secrets."hcloud-token.txt".file = ./secrets/hcloud-token.txt.age;
+ age.secrets."wg-key.txt" = {
+ file = ./secrets/wg-key.txt;
+ mode = "640";
+ owner = "systemd-network";
+ group = "systemd-network";
+ };
}
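Review bot: The new secret is registered as `./secrets/wg-key.txt` while every sibling on the lines above is `*.txt.age`, even though the committed file is age ciphertext (it begins with `age-encryption.org/v1`); the bare `.txt` name makes the private key look like plaintext at a glance and breaks the naming rule the other entries follow. Use `file = ./secrets/wg-key.txt.age;` here, rename the file, and change the matching `"wg-key.txt"` entry in the secrets/secrets.nix hunk to `"wg-key.txt.age"` so the recipient list and the module agree. The `mode = "640"` with `systemd-network` as owner and group is the right shape for a `PrivateKeyFile` read by networkd.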
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index acb5d8d..327112f 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -11,6 +11,7 @@ let
"wifi-password-guest.txt.age"
"password-hash.txt.age"
"hcloud-token.txt.age"
+ "wg-key.txt"
];
in
builtins.listToAttrs (
diff --git a/secrets/wg-key.txt b/secrets/wg-key.txt
new file mode 100644
index 0000000..ecbb12c
--- /dev/null
+++ b/secrets/wg-key.txt
@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 rf0kpA UqQfVmwXbDBF/GaAWhswFVOZ6q6+awE86b9u9GYQMWc
+vk7L5qY4iLIpLfYrct8yP0Fbv2+Nqy+3eWUO35XtFbQ
+-> piv-p256 Ddzw4A A/oi+x9WXR7aqojRb5k45fg9UTideakot+njYl6cDc2W
+yBq4t/iz1/3pYLajxwHFrt19q7JofqOrbpa/ubq2B7s
+-> piv-p256 9aSbLw AkBLxq00GDe0yyBsOAjMM+zJNjSt69Sg3LE+8yXvILE7
+47WYr7oG28s8JwS01By2CxCn/pwMe3CEL1fSOZqF3Dg
+-> ssh-ed25519 YS7/yg lcYISWM20EVlRhWNGTozn3UOflmqq4OMV5U8ZZHpgzE
+QAbhpq9FCG2vXG5vyqDyg/ga8DKwoxoXQPVmYzOHb1E
+--- E3c7qJOnjWSRFAt7vf2zeanYXyLr7O4eegxNM56EbqA
+.g[,#Z!ʦ
+,gpYF?G\E[j`(Kk#hh?dS rH \ No newline at end of file