feat(services): Added wireguard service config

secrets/OVHCloud.yaml

@@ -5,6 +5,9 @@ caddy:
     ovh_consumer_key: ENC[AES256_GCM,data:oFLHB7obwz3F59Vt8LRxpKaHBjEaoYCrKLKPoqVHz4M=,iv:rXxR2Nv3YaT2QubZUqIi60RxaHe9ZaIT9hLiogbPVFw=,tag:5m+xXEUbN+a2fHCf+EXf9A==,type:str]
 garage:
     rpc_secret: ENC[AES256_GCM,data:xuophXVfHY3Xw+RyDPnZ5LCQXB+cHyRCWvT2l5MiyXGAlP6GSJpewDqJ5xvLclHfHNJP9YKJ3scJV/iX5FE+rw==,iv:wtlrpUUkXa2WYvQS/vfJJBS34V5CIAYQ8oCf/SjHp5k=,tag:r16InXGTKIBPOHjMSYlEog==,type:str]
+wireguard:
+    private_key: ENC[AES256_GCM,data:fjaBcBplx4IOrbnT8PZwUl6m4j4sdiObJYJXSrzCOqXcL3Qyymj4HUPSBuM=,iv:4XVH1d0/PTfVHKtDoziOD3b+TGXafNEGNgqAUtQsoD8=,tag:c/9AQO5TmLPGvIRN59KMZg==,type:str]
+    public_key: ENC[AES256_GCM,data:zHQkA3wu7Kn9wnODn65zHKGX3qBvhRa0H/cSlg/8TjyTNtaMgY3Y0RiQEr4=,iv:kaWxt11DR4jZzgfoA7PDg/wPc6VqSoyuFU4KllOzZjY=,tag:acA0M4Eq0AR4FjFJZ4l13w==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -29,8 +32,8 @@ sops:
             MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN
             y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-27T14:21:34Z"
-    mac: ENC[AES256_GCM,data:OkF7A/94sqkmHNcBq9uA+tJCJhFiaoZvQRfR1rtLlgmCsusbeF/rSekQaP2WE4K29aGD6mYZxcnvcCewYiEEXA6S6rpwuCOje+ti5dfg8BFaxivWxtRKQjS3az+z/AkLfE7EYBbMwsZX2T52zZaXW6d49u68++Lg8Y+vC/aRGHw=,iv:MoFQEc3C6DIlwM7r16lr9KqA1TZ2Pmk0s+mlSC5+PW8=,tag:RMsodI9Nzt8t2fYXPDTibQ==,type:str]
+    lastmodified: "2024-09-30T11:01:11Z"
+    mac: ENC[AES256_GCM,data:DRo6UcDQ8nJgUome5VLy5DVlRWB2tAFSATK1JUwwdtB2vZ8V+2FK5yGDE701vaxkJukO/lKnC0TzP3/hwprMzSOgTaOfaAFyPDDSTUS7Z6moc31J1RtbOFFoStPD1LnQyfsd0XGdhSEekLKgT3djMH++jo1KBjzcIz6OYsdDRDw=,iv:b5Nlt8SC3MLAdTzhNs44IImtUlgJRGhvB72rd8ovpWk=,tag:FGkkeT78OAWl/KqYplEsTA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.0

services/default.nix

@@ -2,5 +2,6 @@
   imports = [
     ./uptime-kuma
     ./garage
+    ./wireguard
   ];
 }

services/wireguard/default.nix

@@ -0,0 +1,52 @@
+{pkgs, ...}: {
+  sops.secrets."wireguard/private_key".owner = "root";
+
+  networking.nat.enable = true;
+  networking.nat.externalInterface = "ens3";
+  networking.nat.internalInterfaces = ["wg0"];
+  networking.firewall = {
+    allowedUDPPorts = [993];
+  };
+
+  networking.wireguard.interfaces = {
+    # "wg0" is the network interface name. You can name the interface arbitrarily.
+    wg0 = {
+      # Determines the IP address and subnet of the server's end of the tunnel interface.
+      ips = ["10.8.0.1/24"];
+
+      # The port that WireGuard listens to. Must be accessible by the client.
+      listenPort = 993;
+
+      # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+      # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+      postSetup = ''
+        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
+      '';
+
+      # This undoes the above command
+      postShutdown = ''
+        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
+      '';
+
+      # Path to the private key file.
+      #
+      # Note: The private key can also be included inline via the privateKey option,
+      # but this makes the private key world-readable; thus, using privateKeyFile is
+      # recommended.
+      privateKeyFile = "/run/secrets/wireguard/private_key";
+
+      peers = [
+        {
+          # Pixel
+          publicKey = "xMO5xTvBXtikri0WS9wpzGvSWITjkQV5oUOYwFjqB0g=";
+          allowedIPs = ["10.8.0.69/32"];
+        }
+        {
+          # Zephyrus
+          publicKey = "TwXHVANaKZsvP/hfjkQXkLwCtFuDeDmQ2Q7jlaxl5SU=";
+          allowedIPs = ["10.8.0.42/32"];
+        }
+      ];
+    };
+  };
+}