chore: init

2025-12-08 05:49:25 -06:00 · 2025-10-01 19:51:55 -05:00 · 2025-10-01 19:51:55 -05:00 · 1b2c1ea359
commit 1b2c1ea359
891 changed files with 37053 additions and 0 deletions
--- a/modules/nixos/services/wireGuard/default.nix
+++ b/modules/nixos/services/wireGuard/default.nix
@ -0,0 +1,91 @@
+{ config, flake, ... }:
+let
+  inherit (flake.config.services) instances;
+  inherit (flake.config.machines.devices) ceres;
+  service = instances.wireGuard;
+  wireGuardInterface =
+    {
+      secret,
+      publicKey,
+      endpoint,
+    }:
+    {
+      name = "Proton-${secret}";
+      value = {
+        autostart = false;
+        address = [ "10.2.0.2/32" ];
+        dns = [ "10.2.0.1" ];
+        privateKeyFile = config.sops.secrets."${service.name}-${secret}".path;
+        peers = [
+          {
+            inherit publicKey endpoint;
+            allowedIPs = [ "0.0.0.0/0,::/0" ];
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
+  interfaces = [
+    {
+      secret = "CA363";
+      publicKey = "9mTDh5Tku0gxDdzqxnpnzItHQBm2h2B2hXnUHvhGCFw=";
+      endpoint = "149.88.97.110:51820";
+    }
+    {
+      secret = "CA220";
+      publicKey = "UR8vjVYrrWYadCwLKiAabKTIdxM4yikmCXnvKWm89D8=";
+      endpoint = "139.28.218.130:51820";
+    }
+    {
+      secret = "CA358";
+      publicKey = "9mTDh5Tku0gxDdzqxnpnzItHQBm2h2B2hXnUHvhGCFw=";
+      endpoint = "149.88.97.110:51820";
+    }
+    {
+      secret = "CA627";
+      publicKey = "xLFgU430Tt7PdHJydVbIKvtjXJodoPpGKW7fhF7XE2k=";
+      endpoint = "139.28.218.130:51820";
+    }
+  ];
+in
+{
+  networking = {
+    hosts = {
+      ${ceres.wireguard.ip0} = [
+        instances.searx.domains.url0
+        instances.glance.domains.url0
+      ];
+    };
+    wireguard.interfaces = {
+      wg0 = {
+        peers = [
+          {
+            publicKey = "fs58+Kz+eG9qAXvvMB2NkW+wa88yP61uam4HHWaBJVw=";
+            allowedIPs = [
+              "${ceres.wireguard.ip0}/32"
+              "${instances.web.localhost.address4}/24"
+            ];
+            endpoint = "${instances.web.remotehost.address0}:${builtins.toString service.ports.port1}";
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
+    wg-quick.interfaces = builtins.listToAttrs (map wireGuardInterface interfaces);
+  };
+
+  sops.secrets =
+    let
+      sopsPath = secret: {
+        path = "${service.sops.path0}/${service.name}-${secret}";
+        owner = "root";
+        mode = "600";
+      };
+    in
+    builtins.listToAttrs (
+      (map (interface: {
+        name = "${service.name}-${interface.secret}";
+        value = sopsPath interface.secret;
+      }) interfaces)
+    );
+}