From a1e9e81ae931bdba46c87f1ec9d720a86689a7fa Mon Sep 17 00:00:00 2001
From: Clara Dautermann
Date: Wed, 2 Apr 2025 22:00:56 +0200
Subject: [PATCH] wireguard proxy container :3

---
 .gitignore | 1 +
 configs/services/wireguard.nix | 42 ++++++++++++++++++++++++++++++++++
 flake.nix | 8 +++----
 3 files changed, 47 insertions(+), 4 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 configs/services/wireguard.nix

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..0f18981
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+secrets/
\ No newline at end of file
diff --git a/configs/services/wireguard.nix b/configs/services/wireguard.nix
new file mode 100644
index 0000000..76455d5
--- /dev/null
+++ b/configs/services/wireguard.nix
@@ -0,0 +1,42 @@
+{ lib, pkgs, config, ... }:
+let wg_port = 51820;
+in {
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = lib.mkDefault true;
+ "net.ipv6.conf.all.forwarding" = lib.mkDefault true;
+ };
+ networking = {
+ firewall.allowedUDPPorts = [ wg_port ];
+ firewall.rejectPackets = true;
+ firewall.trustedInterfaces = [ "wgbr" "wg0" ];
+
+ wg-quick.interfaces = {
+ wg0 = {
+ # Determines the IP address and subnet of the client's end of the tunnel interface.
+ address = [ "10.8.1.1/16" ];
+ listenPort = wg_port; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+ # Path to the private key file.
+ privateKeyFile = "/root/privkey";
+
+ peers = [
+ # For a client configuration, one peer entry for the server will suffice.
+
+ {
+ # Public key of the server (not a file path).
+ publicKey = "AJ1nr0/w8OvsNq5Ju//m4856u7yY0hlPGMEGeZtlhlY=";
+
+ # Forward all the traffic via VPN.
+ allowedIPs = [ "10.8.0.0/24" ];
+
+ # Set this to the server IP and port.
+ endpoint = "202.61.230.52:51820";
+
+ # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/flake.nix b/flake.nix
index a2bb0c8..70afb14 100644
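Review bot: The inline comments in the wg0 block contradict what is configured — `# Forward all the traffic via VPN.` sits above `allowedIPs = [ "10.8.0.0/24" ];`, which admits only that one subnet from the peer, and the "client's end of the tunnel" / "one peer entry for the server will suffice" wording describes a client while `listenPort`, the `ip_forward` sysctls and `trustedInterfaces` set this node up as the listening, forwarding side. Replace them with comments that state the actual intent, e.g. `# Accept and route only 10.8.0.0/24 from this peer; the interface itself sits in 10.8.0.0/16` above allowedIPs, and drop the copied client-example text. `privateKeyFile = "/root/privkey";` is referenced but nothing in this commit places that file on the target (the .gitignore hunk only ignores `secrets/`), so `wg-quick up` will fail on a fresh deploy unless the key is provisioned out of band — a comment naming where it comes from, or a secrets mechanism, would close that gap. `firewall.trustedInterfaces = [ "wgbr" "wg0" ];` exempts all tunnel traffic from the firewall (and `wgbr` is not defined in this hunk); if the container only proxies specific services, `networking.firewall.interfaces.wg0.allowedTCPPorts` scoped to those ports is the narrower choice. `pkgs` and `config` in the argument set are unused.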
--- a/flake.nix
+++ b/flake.nix
@@ -23,16 +23,16 @@
 ]; };
- testserver = {
+ wireguard = {
 deployment = {
- targetHost = "192.168.178.51";
+ targetHost = "192.168.178.44";
 targetPort = 22;
 targetUser = "root";
 };
- networking.hostName = "testserver";
+ networking.hostName = "wireguard";
 imports = [
 ./configs/container_config.nix
- ./configs/services/vaultwarden.nix
+ ./configs/services/wireguard.nix
 ];
 };
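Review bot: Dropping `./configs/services/vaultwarden.nix` from the imports means the vaultwarden service is no longer deployed by this flake section, which the commit title ("wireguard proxy container") does not mention — the hunk repurposes the `testserver` entry rather than adding a second container. If vaultwarden should keep running, keep the old entry and add `wireguard = { … }` beside it; otherwise the commit description should say the test server is being replaced. The enclosing attribute set begins before the hunk, so any neighbouring entries are not visible here.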