From 5c7aea620327ff0eca00b74acfa41b001201e897 Mon Sep 17 00:00:00 2001
From: CDaut
Date: Sun, 23 Nov 2025 17:06:38 +0100
Subject: [PATCH] fixed wireguard
---
...ainer.nix => wireguard_cube_container.nix} | 4 +-
...ner.nix => wireguard_netcup_container.nix} | 2 +-
configs/services/wireguard.nix | 60 ----------------
configs/services/wireguard_cube.nix | 72 +++++++++++++++++++
.../{wg_server.nix => wireguard_netcup.nix} | 0
flake.nix | 4 +-
6 files changed, 78 insertions(+), 64 deletions(-)
rename configs/containers/cube/{wg_container.nix => wireguard_cube_container.nix} (75%)
rename configs/containers/netcup_pve/{wg_server_container.nix => wireguard_netcup_container.nix} (86%)
delete mode 100644 configs/services/wireguard.nix
create mode 100644 configs/services/wireguard_cube.nix
rename configs/services/{wg_server.nix => wireguard_netcup.nix} (100%)
diff --git a/configs/containers/cube/wg_container.nix b/configs/containers/cube/wireguard_cube_container.nix
similarity index 75%
rename from configs/containers/cube/wg_container.nix
rename to configs/containers/cube/wireguard_cube_container.nix
index b693c60..e414452 100644
--- a/configs/containers/cube/wg_container.nix
+++ b/configs/containers/cube/wireguard_cube_container.nix
@@ -1,6 +1,6 @@
 { lib, pkgs, config, ... }: {
 deployment = {
- targetHost = "192.168.178.123";
+ targetHost = "10.10.0.4";
 targetPort = 22;
 targetUser = "root";
 tags = [ "cube" ];
@@ -8,6 +8,6 @@
 networking.hostName = "wireguard";
 imports = [
 ../../container_config.nix
- ../../services/wireguard.nix
+ ../../services/wireguard_cube.nix
 ];
 }
diff --git a/configs/containers/netcup_pve/wg_server_container.nix b/configs/containers/netcup_pve/wireguard_netcup_container.nix
similarity index 86%
rename from configs/containers/netcup_pve/wg_server_container.nix
rename to configs/containers/netcup_pve/wireguard_netcup_container.nix
index c3ce97f..59d732c 100644
--- a/configs/containers/netcup_pve/wg_server_container.nix
+++ b/configs/containers/netcup_pve/wireguard_netcup_container.nix
@@ -10,6 +10,6 @@
 imports = [
 ../../container_config.nix
- ../../services/wg_server.nix
+ ../../services/wireguard_netcup.nix
 ];
 }
diff --git a/configs/services/wireguard.nix b/configs/services/wireguard.nix
deleted file mode 100644
index a167a3e..0000000
--- a/configs/services/wireguard.nix
+++ /dev/null
@@ -1,60 +0,0 @@
-{ lib, pkgs, config, ... }:
-let wg_port = 51820;
-in {
- boot.kernel.sysctl = {
- "net.ipv4.ip_forward" = lib.mkDefault true;
- "net.ipv6.conf.all.forwarding" = lib.mkDefault true;
- };
-
- # set up secret key
- sops = {
- age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
- secrets.wg_private_key = {
- sopsFile = ../../secrets/wireguard/cube.yaml;
- };
- };
-
- networking = {
- firewall.allowedUDPPorts = [ wg_port ];
- firewall.rejectPackets = true;
- firewall.trustedInterfaces = [ "wgbr" "wg0" ];
- interfaces.wgbr.ipv4 = {
- routes = [ ];
- addresses = [
- {
- address = "10.8.1.1";
- prefixLength = 24;
- }
- ];
- };
-
- wg-quick.interfaces = {
- wg0 = {
- # Determines the IP address and subnet of the client's end of the tunnel interface.
- address = [ "10.8.1.1/16" ];
- listenPort = wg_port; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
-
- # Path to the private key file (see sops).
- privateKeyFile = "/run/secrets/wg_private_key";
-
- peers = [
- # For a client configuration, one peer entry for the server will suffice.
-
- {
- # Public key of the server (not a file path).
- publicKey = "AJ1nr0/w8OvsNq5Ju//m4856u7yY0hlPGMEGeZtlhlY=";
-
- # Forward all the traffic via VPN.
- allowedIPs = [ "10.8.0.0/16" ];
-
- # Set this to the server IP and port.
- endpoint = "202.61.230.52:51820";
-
- # Send keepalives every 25 seconds. Important to keep NAT tables alive.
- persistentKeepalive = 25;
- }
- ];
- };
- };
- };
-}
diff --git a/configs/services/wireguard_cube.nix b/configs/services/wireguard_cube.nix
new file mode 100644
index 0000000..6927aae
--- /dev/null
+++ b/configs/services/wireguard_cube.nix
@@ -0,0 +1,72 @@
+{ lib, pkgs, config, ... }:
+let wg_port = 51820;
+in {
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = lib.mkDefault true;
+ "net.ipv6.conf.all.forwarding" = lib.mkDefault true;
+ };
+
+ environment.systemPackages = with pkgs; [
+ mtr
+ ];
+
+
+ # set up secret key
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ secrets.wg_private_key = {
+ sopsFile = ../../secrets/wireguard/cube.yaml;
+ };
+ };
+
+ networking = {
+ # Enable NAT
+ nat = {
+ enable = true;
+ enableIPv6 = true;
+ externalInterface = "eth0";
+ internalInterfaces = [ "wg0" ];
+ };
+ # Open ports in the firewall
+ firewall = {
+ rejectPackets = true;
+ trustedInterfaces = [ "wg0" ];
+ allowedTCPPorts = [ 53 ];
+ allowedUDPPorts = [ 53 wg_port ];
+ };
+
+ wg-quick.interfaces = {
+ wg0 = {
+ # Determines the IP address and subnet of the client's end of the tunnel interface.
+ address = [ "10.8.0.1/16" ];
+ listenPort = wg_port; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+ # Path to the private key file (see sops).
+ privateKeyFile = "/run/secrets/wg_private_key";
+
+
+ # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+ postUp = ''
+ ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.8.1.1/24 -o eth0 -j MASQUERADE
+ '';
+
+ # Undo the above
+ preDown = ''
+ ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.8.1.1/24 -o eth0 -j MASQUERADE
+ '';
+
+ peers = [
+ # List of allowed peers.
+ {
+ # Laptop Psi
+ publicKey = "msJJwTPHuxLd1KddbNeLscGgiY7r9sQ3vkUnDtb2Fh4=";
+ # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+ allowedIPs = [ "10.8.0.2/32" ];
+ }
+ ];
+ };
+ };
+ };
+}
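Review bot: The MASQUERADE rule in `postUp` (mirrored in `preDown`) selects source `-s 10.8.1.1/24`, while the tunnel is addressed as `10.8.0.1/16` and the only peer is `10.8.0.2/32`, so the peer's traffic never matches that rule and `10.8.1.1/24` is not even the network address of that /24. The rule looks redundant anyway: `networking.nat` with `internalInterfaces = [ "wg0" ]` and `externalInterface = "eth0"` already masquerades wg0 traffic leaving eth0, and the `-A FORWARD -i wg0 -j ACCEPT` line is likely a no-op under the default forward policy, while hand-run iptables alongside the NixOS firewall/NAT modules tends to break on firewall reloads or a move to nftables. I would drop `postUp`/`preDown` entirely, or at minimum change both occurrences to `-s 10.8.0.0/16`. Separately, `allowedTCPPorts = [ 53 ]` and `allowedUDPPorts = [ 53 wg_port ]` open DNS on every interface although this file configures no resolver; scoping it to the tunnel with `networking.firewall.interfaces.wg0.allowedTCPPorts = [ 53 ];` and the UDP equivalent keeps a resolver added later from being reachable from eth0.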
diff --git a/configs/services/wg_server.nix b/configs/services/wireguard_netcup.nix
similarity index 100%
rename from configs/services/wg_server.nix
rename to configs/services/wireguard_netcup.nix
diff --git a/flake.nix b/flake.nix
index 0b12448..1fb9ea3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -7,7 +7,7 @@
 colmena = {
 meta = {
 nixpkgs = import nixpkgs {
- system = "x86_64-linux";
+ stdenv.hostPlatform.system = "x86_64-linux";
 };
 specialArgs = { inherit inputs; };
 };
@@ -23,6 +23,8 @@
 nginx-netcup = import ./configs/containers/netcup_pve/nginx_container.nix;
 nginx-cube = import ./configs/containers/cube/nginx_container.nix;
+
+ wireguard-cube = import ./configs/containers/cube/wireguard_cube_container.nix;
 };
 };
 }
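Review bot: In the first flake.nix hunk, `stdenv.hostPlatform.system = "x86_64-linux";` inside the attrset passed to `import nixpkgs { ... }` defines a nested `stdenv` attribute, which is not one of the nixpkgs entry-point arguments (`system`, `localSystem`, `crossSystem`, `config`, `overlays`); `nixpkgs.hostPlatform` is a NixOS module option, not an argument to the nixpkgs function. If nixpkgs silently ignores the unknown attribute, the platform presumably falls back to `builtins.currentSystem`, which is not available under pure flake evaluation, so this likely either fails to evaluate or quietly picks the wrong system. Keep the removed `system = "x86_64-linux";`, or use `localSystem = { system = "x86_64-linux"; };` if the intent was to avoid a deprecation warning. The enclosing `colmena` attrset starts outside the hunk.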