From 09c0fdb08caf9bbc2522d5c2a5fe8605c6480840 Mon Sep 17 00:00:00 2001
From: Felix Albrigtsen
Date: Thu, 25 Jan 2024 13:24:25 +0100
Subject: [PATCH] burnham: add wireguard
---
 hosts/burnham/configuration.nix | 2 +-
 hosts/burnham/hardware-configuration.nix | 2 +-
 hosts/burnham/services/wireguard.nix | 38 ++++++++++++++++++++++++
 3 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 hosts/burnham/services/wireguard.nix
diff --git a/hosts/burnham/configuration.nix b/hosts/burnham/configuration.nix
index 8cc45d4..5842bf6 100644
--- a/hosts/burnham/configuration.nix
+++ b/hosts/burnham/configuration.nix
@@ -8,7 +8,7 @@
 ./hardware-configuration.nix
 # Infrastructure
- # ./services/wireguard.nix
+ ./services/wireguard.nix
 ];
diff --git a/hosts/burnham/hardware-configuration.nix b/hosts/burnham/hardware-configuration.nix
index 73b8273..73cc5f5 100644
--- a/hosts/burnham/hardware-configuration.nix
+++ b/hosts/burnham/hardware-configuration.nix
@@ -23,7 +23,7 @@
 # (the default) this is the recommended approach. When using systemd-networkd it's
 # still possible to use this option, but it's recommended to use it in conjunction
 # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
+ #networking.useDHCP = lib.mkDefault true;
 # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
 hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
diff --git a/hosts/burnham/services/wireguard.nix b/hosts/burnham/services/wireguard.nix
new file mode 100644
index 0000000..c7ae7b0
--- /dev/null
+++ b/hosts/burnham/services/wireguard.nix
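Review bot: Commenting out `networking.useDHCP = lib.mkDefault true;` does not by itself turn DHCP off — unless it is set elsewhere, NixOS's own default for `networking.useDHCP` is, as far as I recall, still `true` — and no static address for ens18 appears anywhere in this commit, so after the change the host's uplink addressing depends entirely on files not shown. If the intent is a static ens18 (the interface the new wireguard.nix names as NAT `externalInterface`), put an explicit `networking.useDHCP = false;` together with `networking.interfaces.ens18.ipv4.addresses = [ { address = "…"; prefixLength = 24; } ];` in configuration.nix rather than here: hardware-configuration.nix is the file `nixos-generate-config` writes, so a hand edit to it is lost on the next regeneration. A one-line comment above the change saying where the address is actually configured would spare the next reader the search.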
@@ -0,0 +1,38 @@
+{ config, pkgs, lib, ... }:
+let
+ cfg = config.networking.wireguard.interfaces."wg0";
+in {
+ networking = {
+ nat = {
+ enable = true;
+ externalInterface = "ens18";
+ internalInterfaces = [ "wg0" ];
+ };
+ firewall.allowedUDPPorts = [ cfg.listenPort ];
+
+ wireguard.interfaces."wg0" = {
+ ips = [ "10.100.0.2/24" ];
+ listenPort = 51820;
+ privateKeyFile = "/etc/wireguard/burnham.private";
+
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -d 192.168.11.0/24 -o eth0 -j MASQUERADE
+ '';
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -d 192.168.11.0/24 -o eth0 -j MASQUERADE
+ '';
+
+ peers = [
+ { # Defiant
+ publicKey = "8/711GhmN9+NcduHF4JPkfoZPE0qsDLuwhABcPyjNxI=";
+ persistentKeepalive = 120;
+ allowedIPs = [
+ "10.100.0.1/32"
+ "192.168.10.0/24"
+ ];
+ endpoint = "site3.feal.no:51902";
+ }
+ ];
+ };
+ };
+}
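Review bot: The `postSetup`/`postShutdown` masquerade rules match on `-o eth0`, while the uplink this same file hands to `networking.nat.externalInterface` is `ens18` (the name the generated hardware-configuration.nix also uses), and iptables does not check that a named interface exists, so on an ens18 host the rule is installed silently and never matches. Either tie both lines to the one name — `-o ${config.networking.nat.externalInterface}` in place of `-o eth0` on the `-A` and the `-D` line — or drop them, since with `nat.enable = true` and `internalInterfaces = [ "wg0" ]` the NixOS nat module, as far as I know, already masquerades wg0 traffic leaving ens18, which makes these rules a duplicate at best. Two things a practitioner will want stated in a comment here: `/etc/wireguard/burnham.private` is not provisioned by this module and must be present with mode 0600 (root-only) before wg0 can come up, and `persistentKeepalive = 120` is longer than the UDP idle timeout of many NAT devices (WireGuard's own guidance is 25), so if burnham sits behind NAT the return path may go stale between keepalives. Nothing visible filters the FORWARD path, so the peer's full `allowedIPs` range can reach whatever ens18 reaches; if wg0 is meant to expose only 192.168.11.0/24, say so and add the corresponding forward rules (or `networking.firewall.filterForward`, nftables only) next to the masquerade.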