Create preliminary documentation for age key generation and implement wireguard setup.

2026-02-12 13:20:16 +01:00 · 2026-02-12 13:20:16 +01:00 · dac2e0b8cf
commit dac2e0b8cf
parent 5664699f64
5 changed files with 178 additions and 0 deletions
--- a/nix-system-configs/modules/toolsets/wireguard_peer.nix
+++ b/nix-system-configs/modules/toolsets/wireguard_peer.nix
@ -0,0 +1,43 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  networking.firewall.allowedUDPPorts = [51820];
+
+  networking.wireguard = {
+    enable = true;
+    interfaces = {
+      # network interface name.
+      # You can name the interface arbitrarily.
+      wg0 = {
+        # the IP address and subnet of this peer
+        #ips = ["fc00:5182::1:2/112"];
+        ips = [config.local.wireguard-peer-ip];
+
+        # WireGuard Port
+        # Must be accessible by peers
+        listenPort = config.local.wireguard-peer-port or 51820;
+
+        peers = [
+          {
+            ## NOTE! CHECK THE .sops.yaml and RUN SOPS `sops updatekeys`!
+            name = config.local.wireguard-peer-name or "default-wireguard-peer";
+            publicKey = config.sops.secrets.wireguard_public;
+            preSharedKey = config.sops.secrets.wireguard_preshared;
+            allowedIPs = [
+              "::/0" # Route all IPv6 traffic through the VPN, TODO: Dynamic Function to choose between different options
+            ];
+            endpoint = "wireguard.prg-radio.org:51820";
+            #  ToDo: route to endpoint not automatically configured
+            # https://wiki.archlinux.org/index.php/WireGuard#Loop_routing
+            # https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
+            # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+            persistentKeepalive = 60;
+          }
+        ];
+      };
+    };
+  };
+}