From b04abf8e3578f0adc481ddbfa40538520e810164 Mon Sep 17 00:00:00 2001 From: cy Date: Sat, 14 Dec 2024 16:19:04 -0500 Subject: [PATCH] configure wireguard --- nix/hosts/chunk/.sops.yaml | 2 +- nix/hosts/chunk/Caddyfile | 2 +- nix/hosts/chunk/default.nix | 34 ++++++++++++++++++++++++++++------ nix/hosts/chunk/secrets.yaml | 7 ++++--- 4 files changed, 34 insertions(+), 11 deletions(-) diff --git a/nix/hosts/chunk/.sops.yaml b/nix/hosts/chunk/.sops.yaml index 462edd7..66cbeaf 100644 --- a/nix/hosts/chunk/.sops.yaml +++ b/nix/hosts/chunk/.sops.yaml @@ -1,7 +1,7 @@ keys: - &primary age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn creation_rules: - - path_regex: secrets/secrets.yaml$ + - path_regex: secrets.yaml$ key_groups: - age: - *primary diff --git a/nix/hosts/chunk/Caddyfile b/nix/hosts/chunk/Caddyfile index 2a2cde6..c499cd3 100644 --- a/nix/hosts/chunk/Caddyfile +++ b/nix/hosts/chunk/Caddyfile @@ -30,7 +30,7 @@ pass.cy7.sh { reverse_proxy localhost:8081 } -dns.cy7.sh { +dns.cything.io { reverse_proxy localhost:8082 } diff --git a/nix/hosts/chunk/default.nix b/nix/hosts/chunk/default.nix index 27d8692..159816e 100644 --- a/nix/hosts/chunk/default.nix +++ b/nix/hosts/chunk/default.nix @@ -23,6 +23,7 @@ in { "vaultwarden" = { }; "caddy" = { }; "hedgedoc" = { }; + "wireguard" = { }; }; boot.loader.grub.enable = true; @@ -32,14 +33,10 @@ in { networking.hostName = "chunk"; networking.networkmanager.enable = true; - networking.nftables.enable = true; networking.firewall = { enable = true; - allowedTCPPorts = [ 22 80 443 ]; - allowedUDPPorts = [ 443 ]; - extraInputRules = '' - ip saddr 172.18.0.0/16 tcp dport 5432 accept - ''; + allowedTCPPorts = [ 22 80 443 53 853 ]; + allowedUDPPorts = [ 443 51820 53 853 ]; # 51820 is wireguard }; networking.interfaces.ens18 = { ipv6.addresses = [{ 
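Review bot: The new `path_regex: secrets.yaml$` is not anchored at the start and its dot is unescaped, so it also matches files such as `foo-secrets.yaml` anywhere under this directory, not only the one secrets file this rule is meant for; `- path_regex: ^secrets\.yaml$` pins it down, assuming sops matches against the path relative to this .sops.yaml. With a single key group the practical impact is small, but the tighter pattern keeps future files from silently inheriting this recipient set.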
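Review bot: The new allowedTCPPorts/allowedUDPPorts lists open 53 and 853 on every interface, so whatever answers on those ports (the hunk does not show which DNS service) is reachable from the internet as well as from wg0 peers; if that service recurses for any client, exposing plain 53 makes it an open resolver usable for reflection. If DNS is meant for VPN clients, keep 53 out of the global lists and scope it with `networking.firewall.interfaces.wg0.allowedUDPPorts = [ 53 ];` plus the matching `allowedTCPPorts`, leaving 853 global only if a public DoT endpoint is intended. The removed rule admitting 172.18.0.0/16 to 5432 has no replacement, so any container that relied on it loses Postgres access — worth confirming that is intended. The `networking.firewall` block is complete within the hunk; the enclosing attribute set starts outside it.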
@@ -263,5 +260,30 @@ in { REDLIB_ROBOTS_DISABLE_INDEXING = "on"; }; }; + + # wireguard stuff + networking.nat = { + enable = true; + externalInterface = "ens18"; + internalInterfaces = [ "wg0" ]; + }; + + networking.wireguard.interfaces.wg0 = { + ips = [ "10.100.0.1/24" ]; + listenPort = 51820; + privateKeyFile = "/run/secrets/wireguard"; + postSetup = '' + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens18 -j MASQUERADE + ''; + postShutdown = '' + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens18 -j MASQUERADE + ''; + peers = [ + { + publicKey = "qUhWoTPVC7jJdDEJLYY92OeiwPkaf8I5pv5kkMcSW3g="; + allowedIPs = [ "10.100.0.2/32" ]; + } + ]; + }; } diff --git a/nix/hosts/chunk/secrets.yaml b/nix/hosts/chunk/secrets.yaml index 26642e7..1273952 100644 --- a/nix/hosts/chunk/secrets.yaml +++ b/nix/hosts/chunk/secrets.yaml 
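Review bot: The postSetup/postShutdown iptables MASQUERADE rules appear redundant with the `networking.nat` block directly above them: with `internalInterfaces = [ "wg0" ]` and `externalInterface = "ens18"` the NixOS NAT module already masquerades wg0 traffic leaving ens18, so the hand-written lines add a second, unmanaged POSTROUTING rule and repeat the ens18 and 10.100.0.0/24 values in three places. Dropping `postSetup` and `postShutdown` and letting the module own the rule avoids drift when the interface or subnet changes; if the manual rules are kept on purpose, a comment saying why would help. The peer entry carries only `publicKey`; adding a `presharedKeyFile` pointing at another sops-managed secret (for example `presharedKeyFile = "/run/secrets/wireguard-psk";`, name illustrative) layers a symmetric pre-shared key on top of the Curve25519 handshake, cheap hardening for a single static peer. The enclosing attribute set starts outside the hunk.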
@@ -7,6 +7,7 @@ rclone: ENC[AES256_GCM,data:IYxR45rQP0cQA84HMRSAJaBsmB/YArIEdWpD191omnKg1kfN0ShY
 vaultwarden: ENC[AES256_GCM,data:fnl8hVezSu8g3tAXCwDUe9+wVjK7F8bC8qJJBj8Wq1BX6ygtjKNkf4wGAMo0XTb4Ukx1A+KwfJ2DlTWkDPo6ALxaIC/ZR4RYQJ3xE5rJ5QKkD+1Abebis5W1UXEEsiMRoo+vCz2GiU39NXY6/CjxM/gBhcBtyeUNtWcYalmOUQOLfd7GKPCElbA+BWKnjL1tl5DjWgACBvm5AozLoElVGiiMviz8V623NY1DkPQjJxl9ziU9Ncft4KS5rw0IIXmBj6QRF6+qOwz7TxcamDBIW2BWvDNmfPzQdl2cI4NwVWPiImcMedTQiH4m00oW5QBl0QM8F89N7CgOnA==,iv:hmAydcZd5LDPSQkekl5pD/i4Gr6GnR4BqYHXYR/mqHY=,tag:utwQNWPGSTvl1VRJr+89gw==,type:str]
 caddy: ENC[AES256_GCM,data:iRTGzvJdWQbwxM2mEhQuw3tRC/HLCryOJOgdIb+HSQ2bxRqNNp32H82+Rx/CPwCPOvQN+gXjwHPlMuLX2KbmPLugx2pETgVPddVAe18sT4UtFQ5Ym/wM8dXqNXmhZ2hkxJUjPg3l1Aov75iNH9kD7rzivEiGb0ET09iYEmbtVqx8BVc8pw==,iv:nBziWIlTAlnmfbBJa/AnpmjirtLqbSSoyJVgw1w63t4=,tag:ZSrWE1b1AY7fX4WUYV0uag==,type:str]
 hedgedoc: ENC[AES256_GCM,data:3DWGGXE3E4nay5NhbBkNcyDlv40G8KvhLbvu1Qba3zJLDeVtuBBF/ZjFCddUx+Sw83OLMsZBQMu3Y4Cq0rcqRT+YHnQzwboUY3xngNHgVMBGh9c8,iv:GuSYHMlM9eXf7AcArGXnISDNnfsAN38NxxVTO0/iwKM=,tag:0WKKUZS3WaYOCUFNw4HqFA==,type:str]
+wireguard: ENC[AES256_GCM,data:LHwiCi8pv4hLIJm0cumsZizcNeVkEFgQd0wRfUXcfA12C6rwuM8Uin0fPz4=,iv:aM1XvmWlZ0Ou6ZqyseOWg0Qet/l2sGRATMZE0LEmFuQ=,tag:ubFmef/XawLTbJHQy1kndA==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -22,8 +23,8 @@ sops:
 R1lNZjFGelFvcXQ0enZTZ2pWRFZ2VVUKtGKbLyijIV1h0HFX7DMAkvXwdG70+pg/
 sJ0PRcU6QGKz1NtVFdcXC1KQIqrv0XOGU26cRt8mji88JMzzgL7CHg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-12-09T01:58:21Z"
- mac: ENC[AES256_GCM,data:AdpE5LsndQPbOpAHmUnmyyP8bpYtu4AC7OqH6s2ejwwVIqm134CSJ1e8IQj86nH+Qanex3yMEWoy+bb9kzi3WPbEZ9E0ez7iBJaRlZN7Qn6ZlIKVZJ3yJQm7TmaY0xxIM+hShGtRNFHbAKXlg0yiDvxNwPFvAxbkOI9tVyqLbHQ=,iv:3/RpDCfx3R+5orU2uDvN/21wJJUgWu2YJ1VVbyAkfqc=,tag:7hVkGdX0oP3YnQz91Iea3Q==,type:str]
+ lastmodified: "2024-12-14T20:13:40Z"
+ mac: ENC[AES256_GCM,data:+o2SLvsCXP8pwQV3Aw0Xpc5qthzZGfp1/mQZFN5iSDInc990InyaBE+bcL7hEdhiN5IQOt+V+bqmqkFzoAK0oNolqyAJQ3NYg2WOOst1mwjKgqY+SFJG03waRSqAFG2mFE7k4KS0t703cEivZkKdvqFoKvO/d+iRcA3Jp6GKh7c=,iv:h1NbvgJBqCDc8OHTXr4uL6aPMD8cV7ayParQDA6LL4w=,tag:3F7P1iaOv77/CYHB+y1Mtg==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
- version: 3.9.1
+ version: 3.9.2