feat: wireguard test

modules/config/devices/config/deimos.nix

@@ -14,6 +14,9 @@ in
   ip = {
     address0 = deimosIP;
   };
+  wireguard = {
+    ip0 = "10.100.0.3";
+  };
   boot = {
     options = ownerWriteOthersReadMask;
   };

secrets/secrets.yaml

@@ -40,6 +40,8 @@ wireguard-phone-private: ENC[AES256_GCM,data:hm6KoNseaalt+/SYCkCW0w4sRzzpNNMjhda
 wireguard-phone-public: ENC[AES256_GCM,data:gGMAIg3T6dOmo1z2c6oZ8Sgnylp0wjpADRWRyBCAEhmlJp1PVj+d478TO08=,iv:A4DV7zPKXwVF2nyFySyrmfdExoo3LrbiYt6PYa4/WcQ=,tag:wY4fYv1wXE0tYonrLoHpGQ==,type:str]
 wireguard-mars-private: ENC[AES256_GCM,data:pUkR29PgGhHeR3d6fFJDs0bwASaC/RqUTsJe+vYs+P2skIGivkRzhi3LRBE=,iv:JK7O28r73V3NiVGikMIZunJtrdtp4jOGPi2quLYSkWY=,tag:nSHqfnZhiLrm7JuZuJtc7Q==,type:str]
 wireguard-mars-public: ENC[AES256_GCM,data:fA37Ev7WL2vsgG/PE4YMFHclbhjHqCgNCOiF5J9L5UD8YuGCHUbpTV7A+w4=,iv:K9W/IZatUL+HZ5k9FGjmA4+He4xTO3IAswqpbelfhPw=,tag:FC5kiMD/pdtNjQxklDvfrA==,type:str]
+wireguard-deimos-private: ENC[AES256_GCM,data:A/LbG/kTjT0xa93Y31RXfM6D9ibHHjuaZ0TIFr8/zn2l7AD7NfmpgZXuPII=,iv:tK9Iyll/GXPXNsMXJKpNKSxMqeHLqSgCfQTSM8+NOVU=,tag:yfJP9hjR/6DXgKtFKqR5Zw==,type:str]
+wireguard-deimos-public: ENC[AES256_GCM,data:ZhcnUafVzrPtEP19TgnsEl6Edwjxbkeb2N+Rg7V1O7zArhcc+Owk/l6iHU4=,iv:UcKBnz/4sGyLM/lQJo7e3G0qWAWlTtRNl5K1e3oT1sw=,tag:BbjZcjl98X9aoCTD+hfhgg==,type:str]
 glance-jellyfin: ENC[AES256_GCM,data:ozdDKgAWkA88J2j8RtiOP/aQPAt/neUOSlAZF20g510=,iv:x+VhYlnA9F/VPrzVcma4/oPelCc8kjWoTZvOs4L9Uqo=,tag:crdSDjr8Y5GH/JAF6t8Yeg==,type:str]
 kanboard-smtp: ENC[AES256_GCM,data:eOIEGwJZlvbJaTfDRU3IFQ==,iv:Jex01WlHG3uxqUnTSF+v1BgnNcIu4cS9OwHBCFl1m28=,tag:3Eld1FkI6AftlCyC3419BA==,type:str]
 podgrab-pass: ENC[AES256_GCM,data:DVmJDb4VqcZDKNcedSaRA5dqKOzx1tSzDiK3i23+a6v3nK+4Kh7n8EA=,iv:SiiUjJLHkCOO1VKCmubftKx06laFqNv79tIPnkVYrJU=,tag:kdkT+03DemlNAsuzps8fnw==,type:str]
@@ -56,7 +58,7 @@ sops:
             bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD
             aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-01T08:55:49Z"
+    lastmodified: "2025-07-04T00:40:18Z"
-    mac: ENC[AES256_GCM,data:2m5iKDV7yIkYIL2bq9+7sFD2Nf8K1Z7mB6EKE3U+nFurOTxgUE0W10kV3BJoPoD78t5xjdbbmIt+NpmH9D41oE4lSPlOdTZujEpT0EcuNBVwz4MDBR/N7GRk74Etq1kJQ2f/NInhh8eH4xZDCQHR8BKxSX1RCd/0yWqrEbpfWrk=,iv:7gI48Urn0xFJwx3l3IzBT7KLTf4FlIf5p5Y/6Pms3ZA=,tag:QdA9cuKvFbXfT7kMbth5hQ==,type:str]
+    mac: ENC[AES256_GCM,data:N2BwAzga2/Ig96p49rqNhhZ2udYWt7mQ9JD8DFXuxa3HOh3gtx7FWeWpGjvLnLWCgGcT4R61RKmgZQZRADNxYPE3vtdpPOFz0XvgcYSDlwslzBdSsVc08sh77P0LDgZsCzE1MxYynQ6nzFcc6gW5sorInLarsHoCCBC+Z5YpOVg=,iv:H6d3VrERM02/1zI5boFemEpMYD3greYZRqlSpBqROzM=,tag:TEakUvOlKoZYo/XPS6HVnA==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

systems/ceres/config/wireguard.nix

@@ -1,7 +1,7 @@
 { config, flake, ... }:
 let
   inherit (flake.config.services.instances) wireGuard searx;
-  inherit (flake.config.machines.devices) mars ceres;
+  inherit (flake.config.machines.devices) mars deimos ceres;
   service = wireGuard;
 in
 {
@@ -32,10 +32,17 @@ in
         listenPort = service.ports.port1;
         privateKeyFile = config.sops.secrets."${service.name}-private".path;
         peers = [
+          # if you need to create a new key pair
+          # wg genkey | save --raw --force privatekey
+          # open privatekey | wg pubkey | save --raw --force publickey
           {
             publicKey = "9zfRPxkxTLHM9tABC8lIaDMrzdjcF2l1mtG82uqGKUQ=";
             allowedIPs = [ "${mars.wireguard.ip0}/32" ];
           }
+          {
+            publicKey = "hKbvOlvKdWAlq45rfV3ggwOI8xqiqVWweXV+2GQx/0I=";
+            allowedIPs = [ "${deimos.wireguard.ip0}/32" ];
+          }
         ];
       };
     };

systems/deimos/config/wireguard.nix

@@ -0,0 +1,53 @@
+{ config, flake, ... }:
+let
+  inherit (flake.config.services.instances) wireGuard web;
+  inherit (flake.config.services) instances;
+  inherit (flake.config.machines.devices) ceres deimos;
+  service = wireGuard;
+in
+{
+  networking = {
+    hosts = {
+      ${ceres.wireguard.ip0} = [ instances.searx.domains.url0 ];
+    };
+    wireguard.interfaces = {
+      wg0 = {
+        ips = [ "${deimos.wireguard.ip0}/32" ];
+        privateKeyFile = config.sops.secrets."${service.name}-deimos-private".path;
+        peers = [
+          {
+            publicKey = "fs58+Kz+eG9qAXvvMB2NkW+wa88yP61uam4HHWaBJVw=";
+            allowedIPs = [
+              "${ceres.wireguard.ip0}/32"
+              "${web.localhost.address4}/24"
+            ];
+            endpoint = "${web.remotehost.address0}:${builtins.toString service.ports.port1}";
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
+  };
+
+  sops =
+    let
+      sopsPath = secret: {
+        path = "${service.sops.path0}/${service.name}-${secret}-pass";
+        owner = "root";
+        mode = "600";
+      };
+    in
+    {
+      secrets = builtins.listToAttrs (
+        map
+          (secret: {
+            name = "${service.name}-${secret}";
+            value = sopsPath secret;
+          })
+          [
+            "deimos-private"
+            "deimos-public"
+          ]
+      );
+    };
+}