From 95d82bdfc6ed684a495fb60f328f7050ca3ba72f Mon Sep 17 00:00:00 2001
From: CDaut
Date: Fri, 31 Oct 2025 21:49:28 +0100
Subject: [PATCH] coarse initial server setup

---
 .sops.yaml | 4 ++
 .../netcup_pve/wg_server_container.nix | 1 +
 configs/services/wg_server.nix | 35 ++----------------
 secrets/wireguard/server.yaml | 37 +++++++++++++++++++
 4 files changed, 46 insertions(+), 31 deletions(-)
 create mode 100644 secrets/wireguard/server.yaml

diff --git a/.sops.yaml b/.sops.yaml
index 999a2c8..4dd0e8b 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -22,6 +22,10 @@ creation_rules:
 key_groups:
 - pgp: [*clara]
 age: [*wireguard]
+ - path_regex: secrets\/wireguard\/server.yaml
+ key_groups:
+ - pgp: [*clara]
+ age: [*wg-server]
 - path_regex: secrets\/paperless\/*
 key_groups:
 - pgp: [*clara]
diff --git a/configs/containers/netcup_pve/wg_server_container.nix b/configs/containers/netcup_pve/wg_server_container.nix
index f4e0535..c3ce97f 100644
--- a/configs/containers/netcup_pve/wg_server_container.nix
+++ b/configs/containers/netcup_pve/wg_server_container.nix
@@ -10,5 +10,6 @@
 imports = [
 ../../container_config.nix
+ ../../services/wg_server.nix
 ];
 }
diff --git a/configs/services/wg_server.nix b/configs/services/wg_server.nix
index 13e3be0..2a8294c 100644
--- a/configs/services/wg_server.nix
+++ b/configs/services/wg_server.nix
@@ -9,24 +9,15 @@ in {
 # set up secret key
 sops = {
 age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
- secrets.wg_private_key = {
- sopsFile = ../../secrets/wireguard/secrets.yaml;
+ secrets.private_key = {
+ sopsFile = ../../secrets/wireguard/server.yaml;
 };
 };
 networking = {
 firewall.allowedUDPPorts = [ wg_port ];
 firewall.rejectPackets = true;
- firewall.trustedInterfaces = [ "wgbr" "wg0" ];
- interfaces.wgbr.ipv4 = {
- routes = [ ];
- addresses = [
- {
- address = "10.8.1.1";
- prefixLength = 24;
- }
- ];
- };
+ firewall.trustedInterfaces = [ "wg0" ];
 wg-quick.interfaces = {
 wg0 = {
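Review bot: sops applies the first creation_rule whose path_regex matches, so the new `secrets\/wireguard\/server.yaml` rule only takes effect if no earlier rule already matches that path; the rule directly above it (its path_regex line is outside the hunk) encrypts to `*wireguard`, and if that regex is a directory-wide pattern like the `secrets\/paperless\/*` one below, server.yaml will silently be encrypted to the wireguard key group instead of `*wg-server`. Placing the more specific rule before the general one, or narrowing the earlier regex, removes the shadowing. The unescaped dot in `server.yaml` also matches any character; `path_regex: secrets\/wireguard\/server\.yaml$` is the intended literal and keeps a stray `server.yaml.bak` from picking up the same recipients. The `*wg-server` anchor must be declared in the keys section above the hunk, which is not visible here.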
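Review bot: `firewall.trustedInterfaces = [ "wg0" ];` exempts the whole tunnel interface from the firewall, which on the server side means every connected peer can reach every service listening in the container rather than only the ports it needs. If peers are meant to be fully trusted this is fine; otherwise an explicit per-interface allow list such as `networking.firewall.interfaces.wg0.allowedTCPPorts = [ ... ];` keeps rejectPackets meaningful for tunnel traffic too. The renamed secret `sops.secrets.private_key` is also very generic — any other module in this container declaring a secret of the same name would collide with it, so a prefixed name like `wg_server_private_key` is safer. The enclosing `in {` attrset and the `wg0` interface block continue outside the hunk.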
@@ -35,25 +26,7 @@ in {
 listenPort = wg_port; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
 # Path to the private key file (see sops).
- privateKeyFile = "/run/secrets/wg_private_key";
-
- peers = [
- # For a client configuration, one peer entry for the server will suffice.
-
- {
- # Public key of the server (not a file path).
- publicKey = "AJ1nr0/w8OvsNq5Ju//m4856u7yY0hlPGMEGeZtlhlY=";
-
- # Forward all the traffic via VPN.
- allowedIPs = [ "10.8.0.0/16" ];
-
- # Set this to the server IP and port.
- endpoint = "202.61.230.52:51820";
-
- # Send keepalives every 25 seconds. Important to keep NAT tables alive.
- persistentKeepalive = 25;
- }
- ];
+ privateKeyFile = "/run/secrets/private_key";
 };
 };
 };
diff --git a/secrets/wireguard/server.yaml b/secrets/wireguard/server.yaml
new file mode 100644
index 0000000..af658f4
--- /dev/null
+++ b/secrets/wireguard/server.yaml
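Review bot: `privateKeyFile = "/run/secrets/private_key";` hard-codes the sops-nix default mount path, so it drifts if the secret is renamed again or a different secrets mount point is configured; `privateKeyFile = config.sops.secrets.private_key.path;` ties it to the declaration in the earlier hunk (this needs `config` among the module arguments, which are outside the hunk and not visible here). With the `peers` list removed, wg0 now comes up with no peers and accepts no handshakes; if that is the intended interim state for the "coarse" setup, an explicit `peers = [ ]; # TODO: add client peers` makes it visible instead of being implied by the deletion. The enclosing `wg0 = {` attrset starts outside the hunk.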
@@ -0,0 +1,37 @@ +private_key: ENC[AES256_GCM,data:iXKk9DcEIkNaXDETG57hfSv0WddPP+qRTdNVLxx+CwQbyNR4ztv7Pni9OSc=,iv:Pz4KBIK20enX9wEpIaie9CZB/uj2QNvNZWuSgfduNjM=,tag:TtNroYuNeZnjhLsz/hpvRw==,type:str] +sops: + age: + - recipient: age15ydstgk0fmmgy2ugmqufyqhqsqypd2mvy89enzwczz0m8ar2kvzqlcdsm8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcnpsbU1GWE1zVnJRTlhq + WkJ6cUgwNzZjcGRKNVB5bVJyRi90MURnblVBCjZLaGxDWER4RWx6enppcXJ6dGt3 + K2dweFFQUHl0Unp3cVJod3psaHpZTG8KLS0tIGJVWG1MaXZvZU9vSmxEclVEWFJG + RU5Ockp6ZEYrV1NqYnZqMWlaYjhyMlEKF1aUbVF5yojF3bq6I0+zAqpUsoqS3CPG + /FXz8Tx94u2+JTUjJd4h0h1XRCC9RvH41nqKhevJqvPLD7tcHvTMWQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-10-31T20:33:11Z" + mac: ENC[AES256_GCM,data:o2FvPNCXig9e16ooYsUKmVQp0Jy96dCYepQhKBVukjvEd/LfTAfGOTzE1fadz8BBnD4gzWecr+q8eIVb4KY4AaLM9+wnY5y8uSUVdXAtuez0F+voMt+lHG+rlM57ND24njHPfXQsYXcXoIYlQ5rREkPoOlNw4jK6rNBhXZ66T+8=,iv:tsQZeQf2591TjGhP1/JDWbvcHbIbjpNzeeQ+pgZDRA8=,tag:sKHgFvCokobhcXyBHNPEGw==,type:str] + pgp: + - created_at: "2025-10-31T20:31:17Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAzwtBoBqH5ZOAQ//Rrci3hcOvlGGCnwddQ5DrJMjhGzmcp2L1cCNK0K+jSGO + QgrEul3w+UgUk+TbuB9Is9ihFxQROItG8/SsK1urfY5a8CdrOghsDCoTSLFaiQ8/ + ocY1hNkjN/UhC3a90lSqw0CC2VCcj7VGiSx/0y2yWO1rN9N0FhS4Yh+pFkIH7WPY + mCQuyNIruwxQ4y1y5R4U3micFylpGW2/STbqK6Z9GzRWnZ+Fc0WSrVmuEUcNm5oQ + 1bVwqcaSNsgrox753qsh05S/JX8iI5DVz4lBiUYWLwpkgTMxvjZC7TN+W1xfEyWH + zoIdpVNE5d2ENgCm1KS0PtwBgfZVHS1xNiivzqe4a55ez9lVZMk0FeRg9iyTNHxz + Lgb9NyFmKBg3S1EjEMvxLiU2dXP0SNstihQXW+IHnSCySODjE42sunpSE+EpWd7a + TMimZOhCNlcOLHvwfwl+qy6AlrCezBvUxGpfnnhkTFZ0QtM6uQ6k7+/PFM2cQuVe + 2uDWN2jJKSSJ6neDrOqFd6Nbe/XLxEKmfpDt08T7F58B4FwpYeyyuATkex1MEXW2 + ++46/NW7zzz5ZiT4j5awEAv5mb1z1445v4QaR0C+Xhu4LgsKQxylJpT8GHdMD1U0 + 66ZbyqAAjc6H5CiL2fhN4ukb1NvIeUaTUqMzx74wy6UrFbyb3iWAt3S/upzoF8TS + XAGJ62H20fTN1gzUYEyuYbrdT59v+B4iStyhFvFKajTlVtQHjwSubV/eZ++NvuKq + V7jSNZZWQVClJBWl7H5AdEu1GfroM44n55hxnsEvc4m5J7S7CLP2J1igfQDr + =yhw8 + -----END 
PGP MESSAGE----- + fp: 58EF8D71114EF548DEE3320DE6F04916B6EEBD83 + unencrypted_suffix: _unencrypted + version: 3.11.0