feat: added wireguard

2025-06-15 09:35:12 -05:00 · 2025-03-31 22:53:08 -05:00 · 2025-03-31 22:53:08 -05:00 · a7ed1629e8
commit a7ed1629e8
parent a635237125
6 changed files with 105 additions and 5 deletions
--- a/modules/config/instances/config/wireGuard.nix
+++ b/modules/config/instances/config/wireGuard.nix
@ -0,0 +1,18 @@
+{ instancesFunctions }:
+let
+  inherit (instancesFunctions)
+    sopsPath
+    ;
+
+  wireGuardLabel = "WireGuard";
+  wireGuardName = "wireguard";
+in
+{
+  label = wireGuardLabel;
+  name = wireGuardName;
+  sops = {
+    path0 = "${sopsPath}/${wireGuardName}";
+  };
+  ports = {
+  };
+}
--- a/modules/home/default.nix
+++ b/modules/home/default.nix
@ -62,6 +62,7 @@ in
            theming
            polychromatic
            dolphin
+            espanso
            ;
        };
      };
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@ -17,6 +17,7 @@ in
          flatpak
          plasma
          sddm
+          wireGuard
          ;
      };
    };
--- a/modules/nixos/services/wireGuard/default.nix
+++ b/modules/nixos/services/wireGuard/default.nix
@ -0,0 +1,67 @@
+{ config, flake, ... }:
+let
+  inherit (flake.config.services.instances) wireGuard;
+  service = wireGuard;
+
+  wireGuardInterface =
+    {
+      secret,
+      publicKey,
+      endpoint,
+    }:
+    {
+      name = "Proton-${secret}";
+      value = {
+        autostart = false;
+        address = [ "10.2.0.2/32" ];
+        dns = [ "10.2.0.1" ];
+        privateKeyFile = config.sops.secrets."${service.name}-${secret}".path;
+        peers = [
+          {
+            inherit publicKey endpoint;
+            allowedIPs = [ "0.0.0.0/0,::/0" ];
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
+
+  interfaces = [
+    {
+      secret = "CA363";
+      publicKey = "9mTDh5Tku0gxDdzqxnpnzItHQBm2h2B2hXnUHvhGCFw=";
+      endpoint = "149.88.97.110:51820";
+    }
+    {
+      secret = "CA220";
+      publicKey = "UR8vjVYrrWYadCwLKiAabKTIdxM4yikmCXnvKWm89D8=";
+      endpoint = "139.28.218.130:51820";
+    }
+    {
+      secret = "CA358";
+      publicKey = "9mTDh5Tku0gxDdzqxnpnzItHQBm2h2B2hXnUHvhGCFw=";
+      endpoint = "149.88.97.110:51820";
+    }
+    {
+      secret = "CA627";
+      publicKey = "xLFgU430Tt7PdHJydVbIKvtjXJodoPpGKW7fhF7XE2k=";
+      endpoint = "139.28.218.130:51820";
+    }
+  ];
+
+  sopsPath = secret: {
+    path = "${service.sops.path0}/${service.name}-${secret}";
+    owner = "root";
+    mode = "600";
+  };
+in
+{
+  networking.wg-quick.interfaces = builtins.listToAttrs (map wireGuardInterface interfaces);
+
+  sops.secrets = builtins.listToAttrs (
+    map (interface: {
+      name = "${service.name}-${interface.secret}";
+      value = sopsPath interface.secret;
+    }) interfaces
+  );
+}
--- a/profiles/user0/default.nix
+++ b/profiles/user0/default.nix
@ -56,11 +56,20 @@ in
            in
            {
              text = ''
-                vpn:
-                    sudo protonvpn c --c CA
+                vpn0:
+                    sudo systemctl start wg-quick-Proton-CA363.service
+
+                vpn1:
+                    sudo systemctl start wg-quick-Proton-CA220.service
+
+                vpn2:
+                    sudo systemctl start wg-quick-Proton-CA358.service
+
+                vpn3:
+                    sudo systemctl start wg-quick-Proton-CA627.service

                vpnoff:
-                    sudo protonvpn d
+                    sudo systemctl stop wg-quick-Proton-*.service

                rebuild:
                    nixos-rebuild switch --use-remote-sudo --flake ~/Files/Projects/dotfiles#${hostname} --show-trace
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -30,6 +30,10 @@ nextcloud-user2: ENC[AES256_GCM,data:axrWMmouq5gwqdGL,iv:BPHEn47z2g7gocKO4g5vV4Z
 nextcloud-user3: ENC[AES256_GCM,data:g6ldEdtBuEmPAQYAQfaO,iv:6fElE2vZh9l/KgJuNevklpIlZZdqGHgwhnOzq1n3ojE=,tag:T0Q1IkdVTeW2T1FmGnjz8A==,type:str]
 claude-api-key: ENC[AES256_GCM,data:QzGJPBnqx4PrDjNvGeyjl0B/W9pkBS4YWK/lrDK4sx0/eBbwMk2qvi03wOhVfvz71UVRpDIZ0F3eVtB8h8Nr94Ha/8IlFQtKxrh60XIzUs/GLB2jKZursZny8IjqZMrt9YHFOphqAWawB33g,iv:XKPqQ0sGukhy0bPXATYwjJMAfSkXdeanc4kULb5TWmA=,tag:vmH+pzU5qoOF5W0fhVfhDA==,type:str]
 searx-key: ENC[AES256_GCM,data:kzKWa4xCKDEWocyMmK8FWyAqHM7BuJ1f63XFfO8Dtig=,iv:Vs27/ri4nBzJ/A0LnxsCZD/kYraFZ6tD63VhUqYFwx8=,tag:8gx+j7RenuRzjj0AY5v8uQ==,type:str]
+wireguard-CA363: ENC[AES256_GCM,data:iGiAjP5Dbw0kXR3iM50YTS8jBXODNr//W/0OPMAiu1GVC5m8StgsC5uaYEU=,iv:wffyNFWZ36vUjUVMCwo7w16pWWDvnPOUli3tIa/M3S4=,tag:yu7Xl+Ehg1uhzQ3rONSCbA==,type:str]
+wireguard-CA220: ENC[AES256_GCM,data:rNy/IMKqAOsgMUu5r8BZsjTCu0L5fDDDV3/g+pkhW1y44Y2rqhhsZgcXG5M=,iv:onyHBn4npqiwC/v37SOMJLLhdfcrtvPmKbMVTgxaSQg=,tag:OmXDL3oYCDPwH1yBsKAYKQ==,type:str]
+wireguard-CA358: ENC[AES256_GCM,data:/VewmiNfRc9/wSE7TT+z1F9LLIvr/5wPsQZ/zBwAh3dEi9yswOGyde2b/XQ=,iv:7U5dmqFiwhCoL1moGSfHprv85o5TdMr6T2sNk5gH82I=,tag:T1hqh8CiO2iBa+ksaiKCtA==,type:str]
+wireguard-CA627: ENC[AES256_GCM,data:chmDsH2nE0nagjFRZWuxX08/Ykt+rIgCHYkMHd+7nIqihK5SebF7MJlrp84=,iv:NVOlGE7W70nQ0UM/i5WixJvDULO3Y4cLf8h+OAGHhQQ=,tag:L123ShCnr9+kIg1itIoqBA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -45,8 +49,8 @@ sops:
            bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD
            aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-08T06:46:18Z"
-    mac: ENC[AES256_GCM,data:bFmkUxQE7Jl6I/FdpsWzbAu5/g9rLYH5C9jRRwY0ln+ZAANXaxfEYj5oeMZA0lDdgCJ07Hnt0RZdyYp/jyNzY+om16qKqRxv6qpqE89jfK937LsMxc6HJcuGQQcA/1QgSCU9OLWqdbDZxik3twemQd3aPAaHLF1ZEM7tx0gCOgQ=,iv:NizgZd2mb5sXm7oxRcpVKRAIyw75dASuP0eGzhBKOM8=,tag:K0rzvjQFB++gioKobt1Sow==,type:str]
+    lastmodified: "2025-04-01T03:33:13Z"
+    mac: ENC[AES256_GCM,data:zGnWN7U7d2+REQ1Iy2JEY92hWtS3Lxl6uqG4/kVGwE5fxj65gv1cv/38ulNUhCGY9BEiOpDzQBgoAy9WmvsKathHb7z9NEXrHpVtvNgRJVfVjuduZgGvrAFRLFXV1iLfQXk8wl64/e5YXD1Cbs80+ky9kmA4nl/rM0rlEkK+WOo=,iv:YL+Jv6yfe7/EASfDNkdFhOw29iXRS3rdPAplEE3i1hE=,tag:7NLlenTFk0hIyf+FEa3oJg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4