From 46db7bd9795499b938bd5c2cbc345602fa34ecce Mon Sep 17 00:00:00 2001
From: m3tam3re
Date: Wed, 8 Feb 2023 14:59:00 +0100
Subject: [PATCH] wireguard
---
 hosts/lkk-nix-1/default.nix | 5 +++++
 hosts/lkk-nix-1/services/containers/default.nix | 1 +
 hosts/lkk-nix-1/services/containers/wireguard.nix | 14 ++++++++++++++
 hosts/lkk-nix-1/services/traefik.nix | 11 +++++++++++
 secrets.nix | 2 ++
 secrets/wg-easy-environmentFile.age | Bin 0 -> 793 bytes
 6 files changed, 33 insertions(+)
 create mode 100644 hosts/lkk-nix-1/services/containers/wireguard.nix
 create mode 100644 secrets/wg-easy-environmentFile.age
diff --git a/hosts/lkk-nix-1/default.nix b/hosts/lkk-nix-1/default.nix
index bf59697..a8dec23 100644
--- a/hosts/lkk-nix-1/default.nix
+++ b/hosts/lkk-nix-1/default.nix
@@ -20,6 +20,7 @@
 to = 3100;
 }];
 firewall.allowedTCPPorts = [ 80 443 5432 3306 3478 ];
+ firewall.allowedUDPPorts = [ 51820 ];
 firewall.allowedUDPPortRanges = [{
 from = 3478;
 to = 3481;
@@ -52,6 +53,10 @@
 mode = "770";
 owner = "searx";
 };
+ wg-easy-environmentFile = {
+ file = ../../secrets/wg-easy-environmentFile.age;
+ mode = "770";
+ };
 };
 identityPaths = [ "/home/m3tam3re/.ssh/lkk-nix-1" ];
 };
diff --git a/hosts/lkk-nix-1/services/containers/default.nix b/hosts/lkk-nix-1/services/containers/default.nix
index 19213ea..a02f2a3 100644
--- a/hosts/lkk-nix-1/services/containers/default.nix
+++ b/hosts/lkk-nix-1/services/containers/default.nix
@@ -3,5 +3,6 @@
 ./baserow.nix
 ./matomo.nix
 ./wordpress.nix
+ ./wireguard.nix
 ];
 }
diff --git a/hosts/lkk-nix-1/services/containers/wireguard.nix b/hosts/lkk-nix-1/services/containers/wireguard.nix
new file mode 100644
index 0000000..e82cd91
--- /dev/null
+++ b/hosts/lkk-nix-1/services/containers/wireguard.nix
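Review bot: The `wg-easy-environmentFile` secret declared in the `@@ -52,6 +53,10 @@` hunk is not consumed anywhere in this patch — the new wireguard.nix container sets only `WG_HOST` under `environment`, and nothing references `config.age.secrets.wg-easy-environmentFile.path` — so unless it is wired in outside this change the decrypted file sits on disk unused and the container starts without whatever settings it was meant to carry. Wiring it in with `environmentFiles = [ config.age.secrets.wg-easy-environmentFile.path ];` on the container (available on the oci-containers module in recent NixOS releases) would close that gap. `mode = "770"` also gives a secret file execute and group-write bits, and unlike the `searx` entry just above no `owner` is set, so a read-only mode such as `"0400"` owned by whatever reads the file is the safer choice. The enclosing `age.secrets` attribute set begins before this hunk.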
@@ -0,0 +1,14 @@
+{ config, outputs, ... }: {
+ virtualisation.oci-containers.containers."wireguard" = {
+ image = "weejewel/wg-easy";
+ environment = { WG_HOST = "wg.lanakk.com"; };
+ ports = [ "3007:51821/tcp" "51820:51820/udp" ];
+ volumes = [ "wireguard_data:/etc/wireguard" ];
+ extraOptions = [
+ "--cap-add=NET_ADMIN"
+ "--cap-add=SYS_MODULE"
+ "--sysctl=net.ipv4.conf.all.src_valid_mark=1"
+ "--sysctl=net.ipv4.ip_forward=1"
+ ];
+ };
+}
diff --git a/hosts/lkk-nix-1/services/traefik.nix b/hosts/lkk-nix-1/services/traefik.nix
index 7e33a0f..6b140e4 100644
--- a/hosts/lkk-nix-1/services/traefik.nix
+++ b/hosts/lkk-nix-1/services/traefik.nix
@@ -42,6 +42,7 @@
 searx.loadBalancer.servers = [{ url = "http://localhost:3004/"; }];
 nextcloud.loadBalancer.servers = [{ url = "http://localhost:3005/"; }];
 invidious.loadBalancer.servers = [{ url = "http://localhost:3006/"; }];
+ wireguard.loadBalancer.servers = [{ url = "http://localhost:3007/"; }];
 };
 routers = {
 api = {
@@ -111,6 +112,16 @@
 service = "invidious";
 entrypoints = "websecure";
 };
+ wireguard = {
+ rule = "Host(`wg.lanakk.com`)";
+ tls = {
+ certResolver = "godaddy";
+ domains = "wg.lanakk.com";
+ };
+ service = "wireguard";
+ middlewares = "auth";
+ entrypoints = "websecure";
+ };
 };
 };
 };
diff --git a/secrets.nix b/secrets.nix
index 1a0f47f..b06af93 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -10,4 +10,6 @@ in { "godaddy-api-secret.age".publicKeys = [ root ]; "searx-environmentFile.age".publicKeys = [ root ]; + + "wg-easy-environmentFile.age".publicKeys = [ root ]; }
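Review bot: `ports = [ "3007:51821/tcp" ... ]` in the new wireguard.nix publishes the wg-easy web UI on every host interface, so it is reachable on port 3007 directly and bypasses the `auth` middleware that the traefik.nix router places in front of it; with Docker as the backend, published ports are typically inserted ahead of the NixOS firewall chain, so 3007 being absent from `allowedTCPPorts` does not necessarily block it. Binding the UI to loopback, `"127.0.0.1:3007:51821/tcp"`, keeps Traefik as the only entry point while leaving the `51820:51820/udp` mapping unchanged. `--cap-add=SYS_MODULE` lets the container load kernel modules on the host, which is effectively host-root; if the wireguard module is loaded host-side (`boot.kernelModules = [ "wireguard" ]`, or built in on kernels 5.6 and later) that capability can be dropped. The image reference `weejewel/wg-easy` carries no tag or digest, so each pull may resolve to a different build; pinning it makes the deployment reproducible and auditable. The `outputs` argument in the module header is unused.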
diff --git a/secrets/wg-easy-environmentFile.age b/secrets/wg-easy-environmentFile.age new file mode 100644 index 0000000000000000000000000000000000000000..73a3c029e972cdb52d8d0ad91afbcd16441bf31f GIT binary patch literal 793 zcmWmCP0QPK003}LI|RJ#;K4(O3>{t9y!?~22M2A^ytmCupEd~$O_MY)ZC?I)Pht20 zb{G%BU<|gSegMJ4Un=W zlw~+7N@u`orv=?2enzQl&R{JK!UIV57>ASW_K=8SPwasM}Oq z#^I^=vQk8%3e=sv@29$$lt7N4=TR{)?9vJoCd({p!^3>Ybi0hOV`0p@7%j60SW4ZR z=n|0Y2t{+UpzMLxZNrGw#m%x^pQRyspc;+igaXX{G^Nwj*vJHT3b(Uh#es7S3BMDK zIK+`fwJQiv<7A+srJHmOdp_eX=Us3jw!z4FX3TWabsG((NN`F~lMGDQZs#Gq5Q*Y4nd}5Fn3DutRy=4i-hE3#T%@oL7 zQyJOX$5O=Ct_Q`16ZY(;KCW|hvZj_(g00Qm@YdN;)VkbZDgTId<5fx=7%dwMD1rmo zp!hS#MWhL*lt13se$qn~-S-4k+g1oYSqgPr174G={mdgx>}YP&aWSJM%Gx6DYTW8Z zLE$^4Kd?Xj{FdcRtbsJVfB$AbnA{bY9TsyEe?XMOyUx9hJ zm|#P?#_arbktJdv*5V?eS5To80_A$7h#K3d05Tel27ui;Q=hMw(HP=vq7>0wj

zuCVR&|FZj#h|MLS7h`~Y^4X(*9#{9S9=v{d@6EO6U;iBZ@%!7$Z+@*_y_EiPufG58 zw+GL@{qxDkZ{B`%M@=r@`{MTXUmiZa@$cW4_^S`mAHV$I2jb<`i|zZwS3kY}52Wo9 Axc~qF literal 0 HcmV?d00001