From 5fa7edbc18deded907bc63847d6e083fcecd083c Mon Sep 17 00:00:00 2001
From: Crony Akatsuki
Date: Sun, 4 May 2025 18:11:15 +0200
Subject: [PATCH] feat(heimdall+desktop): setup wireguard tunnel.

---
 flake.nix | 1 +
 modules/linux/nixos/default.nix | 1 +
 modules/linux/nixos/secrets.nix | 10 ++++++++++
 modules/linux/nixos/wireguard.nix | 17 ++++------------
 modules/servers/heimdall/default.nix | 2 ++
 modules/servers/heimdall/secrets.nix | 9 +++++++++
 modules/servers/heimdall/wireguard.nix | 24 ++++++++++++++++++++++++
 secrets/secrets.nix | 2 ++
 secrets/wg-desktop.age | 10 ++++++++++
 secrets/wg-heimdall.age | Bin 0 -> 876 bytes
 10 files changed, 63 insertions(+), 13 deletions(-)
 create mode 100644 modules/linux/nixos/secrets.nix
 create mode 100644 modules/servers/heimdall/secrets.nix
 create mode 100644 modules/servers/heimdall/wireguard.nix
 create mode 100644 secrets/wg-desktop.age
 create mode 100644 secrets/wg-heimdall.age

diff --git a/flake.nix b/flake.nix
index 35c2ad2..2de254e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -175,6 +175,7 @@
 ./modules/linux/nixos
 # Still no specific modules here
 # ./modules/cross-platform/nixos
+ agenix.nixosModules.default
 # Setup home manager for my user
 home-manager.nixosModules.home-manager
 {
diff --git a/modules/linux/nixos/default.nix b/modules/linux/nixos/default.nix
index 11cd280..bde78c6 100644
--- a/modules/linux/nixos/default.nix
+++ b/modules/linux/nixos/default.nix
@@ -23,6 +23,7 @@
 ./sunshine.nix
 ./nh.nix
 ./ollama.nix
+ ./secrets.nix
 ];
 
 crony.bluetooth.enable = lib.mkDefault true;
diff --git a/modules/linux/nixos/secrets.nix b/modules/linux/nixos/secrets.nix
new file mode 100644
index 0000000..647d471
--- /dev/null
+++ b/modules/linux/nixos/secrets.nix
@@ -0,0 +1,10 @@
+{
+ age = {
+ secrets = {
+ wg-desktop = {
+ file = ../../../secrets/wg-desktop.age;
+ };
+ };
+ identityPaths = ["/home/crony/.ssh/main"];
+ };
+}
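Review bot: `identityPaths = ["/home/crony/.ssh/main"];` in the new modules/linux/nixos/secrets.nix makes a user-owned login key in a home directory the identity that decrypts every agenix secret on the host, instead of the module's default (the SSH host keys under /etc/ssh, if I recall the agenix defaults correctly); a compromise of that user account, or of anything that can read the key, then yields all host secrets, and the key must be readable by root during activation, before any user session exists. Unless there is a reason the host key cannot be used, I would drop the `identityPaths` line and add the desktop's host key as a recipient in secrets/secrets.nix instead. Separately, this file is imported unconditionally from modules/linux/nixos/default.nix, while wireguard.nix only reads the secret under `crony.wireguard.enable`, so every host built from this module declares (and tries to decrypt) the desktop's WireGuard private key; wrapping the body in `config = lib.mkIf config.crony.wireguard.enable { age.secrets.wg-desktop.file = ../../../secrets/wg-desktop.age; };` would keep it on the one host that needs it. A comment on the `age` block should state that this secret is the full wg-quick config including the PrivateKey, so readers know why it is root-only.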
diff --git a/modules/linux/nixos/wireguard.nix b/modules/linux/nixos/wireguard.nix
index 7986a08..5d8d4e6 100644
--- a/modules/linux/nixos/wireguard.nix
+++ b/modules/linux/nixos/wireguard.nix
@@ -8,19 +8,10 @@
 };
 
 config = lib.mkIf config.crony.wireguard.enable {
- # Allow for wireguard traffic
- networking.firewall = {
- # if packets are still dropped, they will show up in dmesg
- logReversePathDrops = true;
- # wireguard trips rpfilter up
- extraCommands = ''
- ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
- ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
- '';
- extraStopCommands = ''
- ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
- ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
- '';
+ # Setup wireguard
+ networking.wg-quick.interfaces.wg0 = {
+ autostart = false;
+ configFile = "${config.age.secrets.wg-desktop.path}";
 };
 };
 }
diff --git a/modules/servers/heimdall/default.nix b/modules/servers/heimdall/default.nix
index 1dec27f..c38e947 100644
--- a/modules/servers/heimdall/default.nix
+++ b/modules/servers/heimdall/default.nix
@@ -2,5 +2,7 @@
 imports = [
 ./uptime-kuma.nix
 ./ntfy-sh.nix
+ ./wireguard.nix
+ ./secrets.nix
 ];
 }
diff --git a/modules/servers/heimdall/secrets.nix b/modules/servers/heimdall/secrets.nix
new file mode 100644
index 0000000..3a24741
--- /dev/null
+++ b/modules/servers/heimdall/secrets.nix
@@ -0,0 +1,9 @@
+{
+ age = {
+ secrets = {
+ wg-heimdall = {
+ file = ../../../secrets/wg-heimdall.age;
+ };
+ };
+ };
+}
diff --git a/modules/servers/heimdall/wireguard.nix b/modules/servers/heimdall/wireguard.nix
new file mode 100644
index 0000000..bd01782
--- /dev/null
+++ b/modules/servers/heimdall/wireguard.nix
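Review bot: `configFile = "${config.age.secrets.wg-desktop.path}";` wraps a value that is already a string in an interpolation; `configFile = config.age.secrets.wg-desktop.path;` reads the same and avoids the needless copy. The `# Setup wireguard` comment on the added block tells a reader nothing they cannot see; it should say what matters operationally, e.g. `# Full wg-quick config (incl. PrivateKey) is materialised by agenix; autostart is off, so bring the tunnel up with: systemctl start wg-quick-wg0`. The module attrset this `config = lib.mkIf ...` block belongs to opens before the hunk.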
@@ -0,0 +1,24 @@ +{config, ...}: { + networking = { + nat = { + enable = true; + enableIPv6 = true; + externalInterface = "enp1s0"; + internalInterfaces = ["wg0"]; + }; + firewall = { + allowedTCPPorts = [53]; + allowedUDPPorts = [53 51820]; + }; + wg-quick.interfaces.wg0.configFile = "${config.age.secrets.wg-heimdall.path}"; + }; + + services.dnsmasq = { + enable = true; + settings = { + interface = "wg0"; + }; + }; + + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; +} diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 7d9c34a..33dcced 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -11,4 +11,6 @@ let systems = [heimdall]; in { "traefik.age".publicKeys = systems ++ users; + "wg-heimdall.age".publicKeys = systems ++ users; + "wg-desktop.age".publicKeys = systems ++ users; } diff --git a/secrets/wg-desktop.age b/secrets/wg-desktop.age new file mode 100644 index 0000000..bb91178 --- /dev/null +++ b/secrets/wg-desktop.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 2P4nKw PmQyF+dwOGsxBl9Cb8fPAF2szc58PxBDQYQHQHjj3To +4JC0/xuiU+hQRw2JP7F/AbQR7ewNygTIcYDr99kRRsI +-> ssh-ed25519 fd/ZLQ xzfSyCwim1CDwS+EipluJsp6PFQap5CAAVqcFjcmq2w +1v6DZMND3RUx8bYLNegFCulI6t6YJWc7R140o5YuJNw +--- gT2MyDArAIxv/DbiaPNesbtHjBROCp55KtVX1cQfUNQ + ʆ`%~}^Pdb Zs &i3. Qǔsct5?,[1PRq0,WgayHJbttezTlc6 ϮǴz(iQ8> 39P/sK>IίhRiJ|d#O<7N!]+g:Ozm8KFLv-sf%-gz'֓7H>c +%rКDK!Fy!e{Zi0T^f0tq WlI.6洤B; +#9^bJDa=!+no! +1\1K#+a4}&i='QpŌpo'2P.\67|f4Ͷ/~̅$?&C?K \ No newline at end of file 
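Review bot: `allowedTCPPorts = [53];` and `allowedUDPPorts = [53 51820];` in the `firewall` block open DNS on every interface, including the external `enp1s0` the NAT block masquerades through, so the dnsmasq instance is reachable from the public side even though `interface = "wg0"` is meant to serve tunnel peers only (as far as I know dnsmasq still binds the wildcard address and merely filters by interface unless `bind-interfaces` is set). Only the WireGuard port needs to be global; DNS should be scoped with `networking.firewall.interfaces.wg0`, and dnsmasq should get `bind-interfaces = true;` so it never listens on the public address at all. With `enableIPv6 = true` on the NAT block, the explicit `net.ipv4.ip_forward` sysctl covers only v4; I believe the NixOS nat module enables forwarding for both families itself, which would make that line redundant, but if it does not, `net.ipv6.conf.all.forwarding` needs the same treatment — worth confirming. The rewritten firewall block follows.
```nix
  networking = {
    # … unchanged: nat block …
    firewall = {
      # Only the tunnel endpoint is reachable from outside.
      allowedUDPPorts = [51820];
      # DNS is for tunnel peers only; never expose the resolver on enp1s0.
      interfaces.wg0 = {
        allowedTCPPorts = [53];
        allowedUDPPorts = [53];
      };
    };
    # … unchanged: wg-quick configFile …
  };
```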
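Review bot: `"wg-desktop.age".publicKeys = systems ++ users;` encrypts the desktop's WireGuard private key to `heimdall` too, because the `systems = [heimdall];` context line in this hunk is the whole `systems` list; a compromise of the server would then also yield the client peer's key and allow impersonating the desktop. The desktop decrypts this secret with the user key it names in its own `identityPaths`, so the server does not need to be a recipient: `"wg-desktop.age".publicKeys = users;`. If a host key for the desktop is added later, give it its own entry rather than reusing the shared `systems` list, so each peer's private key stays decryptable only by that peer and the operator.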
diff --git a/secrets/wg-heimdall.age b/secrets/wg-heimdall.age new file mode 100644 index 0000000000000000000000000000000000000000..1dbfa81c8a001d87714e5c59dd686a7c3e44403c GIT binary patch literal 876 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSP3NXp@E>{RH_A~JH z4hwVjcPZ31t&B=@O3O}jEAsBEulk)5Sx-q#(nkq|h_WKQG5Q(330MCpEn!HNZX3(Kz4KD5ugZDZ~9r`-wqH*|*#?_Nu#jnid?{}8HT=Z6|{^j$OyS%>}JDKKZ%~&#H>-CzC zXYL$tl=GRt^uI)@)}jy6hqhh$v*M@5MH)qsZwsdTm@KN}JSC#(q zS;sjRDzKSX;(xT~3n=ot*Tc-NDM{5<4TCH?u{M z3}4uEky&=zU;nKsUsrH8<%-s;f6=o2zt|rgnDp=BQ9G%*FG8-bT9(&ga!g0!*KMDv z-Y%zC-xA+>&#NwlH-=rMR literal 0 HcmV?d00001