feat(tyr): add wireguard.

modules/linux/nixos/secrets.nix

@@ -19,6 +19,9 @@ in {
         wg-home = {
           file = ../../../secrets/wg-home.age;
         };
+        wg-ymir-home = {
+          file = ../../../secrets/wg-ymir-home.age;
+        };
         crony-passwd = {
           file = ../../../secrets/crony-passwd-desktop.age;
         };

modules/linux/nixos/wireguard.nix

@@ -15,7 +15,8 @@
     };
     networking.wg-quick.interfaces.wg1 = {
       autostart = false;
-      configFile = "${config.age.secrets.wg-home.path}";
+      # configFile = "${config.age.secrets.wg-home.path}";
+      configFile = "${config.age.secrets.wg-ymir-home.path}";
     };
   };
 }

modules/servers/tyr/default.nix

@@ -3,5 +3,7 @@
     ./syncthing.nix
     ./glance.nix
     ./wallos.nix
+    ./wireguard.nix
+    ./secrets.nix
   ];
 }

modules/servers/tyr/secrets.nix

@@ -0,0 +1,9 @@
+{
+  age = {
+    secrets = {
+      wg-tyr = {
+        file = ../../../secrets/wg-tyr.age;
+      };
+    };
+  };
+}

modules/servers/tyr/wireguard.nix

@@ -0,0 +1,17 @@
+{config, ...}: {
+  networking = {
+    nat = {
+      enable = true;
+      enableIPv6 = true;
+      externalInterface = "enp1s0";
+      internalInterfaces = ["wg0"];
+    };
+    firewall = {
+      allowedTCPPorts = [53];
+      allowedUDPPorts = [53 51820];
+    };
+    wg-quick.interfaces.wg0.configFile = "${config.age.secrets.wg-tyr.path}";
+  };
+
+  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+}