From a7ed1629e89b9c295a54857e48c6a74a5429f50d Mon Sep 17 00:00:00 2001
From: Nick
Date: Mon, 31 Mar 2025 22:53:08 -0500
Subject: [PATCH] feat: added wireguard
---
 modules/config/instances/config/wireGuard.nix | 18 +++++
 modules/home/default.nix | 1 +
 modules/nixos/default.nix | 1 +
 modules/nixos/services/wireGuard/default.nix | 67 +++++++++++++++++++
 profiles/user0/default.nix | 15 ++++-
 secrets/secrets.yaml | 8 ++-
 6 files changed, 105 insertions(+), 5 deletions(-)
 create mode 100644 modules/config/instances/config/wireGuard.nix
 create mode 100644 modules/nixos/services/wireGuard/default.nix
diff --git a/modules/config/instances/config/wireGuard.nix b/modules/config/instances/config/wireGuard.nix
new file mode 100644
index 0000000..49d6824
--- /dev/null
+++ b/modules/config/instances/config/wireGuard.nix
@@ -0,0 +1,18 @@
+{ instancesFunctions }:
+let
+ inherit (instancesFunctions)
+ sopsPath
+ ;
+
+ wireGuardLabel = "WireGuard";
+ wireGuardName = "wireguard";
+in
+{
+ label = wireGuardLabel;
+ name = wireGuardName;
+ sops = {
+ path0 = "${sopsPath}/${wireGuardName}";
+ };
+ ports = {
+ };
+}
diff --git a/modules/home/default.nix b/modules/home/default.nix
index 6195e3d..c21cf84 100755
--- a/modules/home/default.nix
+++ b/modules/home/default.nix
@@ -62,6 +62,7 @@ in
 theming
 polychromatic
 dolphin
+ espanso
 ;
 };
 };
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 3d0b078..d17d1b3 100755
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -17,6 +17,7 @@ in
 flatpak
 plasma
 sddm
+ wireGuard
 ;
 };
 };
diff --git a/modules/nixos/services/wireGuard/default.nix b/modules/nixos/services/wireGuard/default.nix
new file mode 100644
index 0000000..75b1e38
--- /dev/null
+++ b/modules/nixos/services/wireGuard/default.nix
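Review bot: `sops.path0` and the empty `ports` set in the new instance file modules/config/instances/config/wireGuard.nix say nothing about what consumes them, which matters because the value of `path0` decides where private key material is written on disk. A comment above `sops = {` such as `# path0: directory that receives the per-server private key files (consumed by modules/nixos/services/wireGuard); ports is unused by this service` would tell the next reader where the value ends up. Whether `ports` is read anywhere else in the repository is not visible from this patch.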
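Review bot: The `espanso` entry added to the inherit list in modules/home/default.nix is unrelated to the WireGuard feature named in the subject, and no espanso module is created by this patch (the diffstat lists six files, none of them an espanso module), so this line only evaluates if that attribute already exists in the set being inherited from. If it does, the line belongs in its own commit; if it does not, the home configuration will fail to evaluate on rebuild. The enclosing attribute set starts and ends outside the hunk.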
@@ -0,0 +1,67 @@
+{ config, flake, ... }:
+let
+ inherit (flake.config.services.instances) wireGuard;
+ service = wireGuard;
+
+ wireGuardInterface =
+ {
+ secret,
+ publicKey,
+ endpoint,
+ }:
+ {
+ name = "Proton-${secret}";
+ value = {
+ autostart = false;
+ address = [ "10.2.0.2/32" ];
+ dns = [ "10.2.0.1" ];
+ privateKeyFile = config.sops.secrets."${service.name}-${secret}".path;
+ peers = [
+ {
+ inherit publicKey endpoint;
+ allowedIPs = [ "0.0.0.0/0,::/0" ];
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+
+ interfaces = [
+ {
+ secret = "CA363";
+ publicKey = "9mTDh5Tku0gxDdzqxnpnzItHQBm2h2B2hXnUHvhGCFw=";
+ endpoint = "149.88.97.110:51820";
+ }
+ {
+ secret = "CA220";
+ publicKey = "UR8vjVYrrWYadCwLKiAabKTIdxM4yikmCXnvKWm89D8=";
+ endpoint = "139.28.218.130:51820";
+ }
+ {
+ secret = "CA358";
+ publicKey = "9mTDh5Tku0gxDdzqxnpnzItHQBm2h2B2hXnUHvhGCFw=";
+ endpoint = "149.88.97.110:51820";
+ }
+ {
+ secret = "CA627";
+ publicKey = "xLFgU430Tt7PdHJydVbIKvtjXJodoPpGKW7fhF7XE2k=";
+ endpoint = "139.28.218.130:51820";
+ }
+ ];
+
+ sopsPath = secret: {
+ path = "${service.sops.path0}/${service.name}-${secret}";
+ owner = "root";
+ mode = "600";
+ };
+in
+{
+ networking.wg-quick.interfaces = builtins.listToAttrs (map wireGuardInterface interfaces);
+
+ sops.secrets = builtins.listToAttrs (
+ map (interface: {
+ name = "${service.name}-${interface.secret}";
+ value = sopsPath interface.secret;
+ }) interfaces
+ );
+}
diff --git a/profiles/user0/default.nix b/profiles/user0/default.nix
index b74069c..aa1fb43 100755
--- a/profiles/user0/default.nix
+++ b/profiles/user0/default.nix
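Review bot: `allowedIPs = [ "0.0.0.0/0,::/0" ];` in wireGuardInterface packs two prefixes into a single list element; the option takes one prefix per element, so it should read `allowedIPs = [ "0.0.0.0/0" "::/0" ];` and the current form presumably only works because the generated config joins the list with commas. The CA358 entry in `interfaces` repeats the publicKey and endpoint of CA363 while secrets.yaml gives it its own private key, which looks like a copy-paste slip and is worth checking against the provider's configuration for that server. Every interface also claims the same address 10.2.0.2/32 and a full-tunnel route, so only one can be up at a time; a comment above `interfaces` stating that, and that `autostart = false` is deliberate so none of them takes the default route at boot, would spare the next reader from rediscovering it. Writing the private key files root-owned with mode 600 via `sopsPath` is the right handling for that material.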
@@ -56,11 +56,20 @@ in in { text = '' - vpn: - sudo protonvpn c --c CA + vpn0: + sudo systemctl start wg-quick-Proton-CA363.service + + vpn1: + sudo systemctl start wg-quick-Proton-CA220.service + + vpn2: + sudo systemctl start wg-quick-Proton-CA358.service + + vpn3: + sudo systemctl start wg-quick-Proton-CA627.service vpnoff: - sudo protonvpn d + sudo systemctl stop wg-quick-Proton-*.service rebuild: nixos-rebuild switch --use-remote-sudo --flake ~/Files/Projects/dotfiles#${hostname} --show-trace diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index be2263f..f6bfdf6 100755 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml 
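Review bot: The `vpn0`–`vpn3` recipes start a second wg-quick unit without stopping the one already running, and because every interface defined in modules/nixos/services/wireGuard/default.nix uses the same address and a full-tunnel route, switching servers with these commands will collide on the running one; each recipe should stop the others first, e.g. `sudo systemctl stop 'wg-quick-Proton-*.service' && sudo systemctl start wg-quick-Proton-CA363.service`. If these recipes run through a shell, the unquoted glob in `vpnoff` is expanded by the shell before systemctl sees it, which is harmless only while no file in the working directory matches; quoting it, `sudo systemctl stop 'wg-quick-Proton-*.service'`, removes that dependence. The enclosing `text` string starts and ends outside the hunk.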
@@ -30,6 +30,10 @@ nextcloud-user2: ENC[AES256_GCM,data:axrWMmouq5gwqdGL,iv:BPHEn47z2g7gocKO4g5vV4Z
 nextcloud-user3: ENC[AES256_GCM,data:g6ldEdtBuEmPAQYAQfaO,iv:6fElE2vZh9l/KgJuNevklpIlZZdqGHgwhnOzq1n3ojE=,tag:T0Q1IkdVTeW2T1FmGnjz8A==,type:str]
 claude-api-key: ENC[AES256_GCM,data:QzGJPBnqx4PrDjNvGeyjl0B/W9pkBS4YWK/lrDK4sx0/eBbwMk2qvi03wOhVfvz71UVRpDIZ0F3eVtB8h8Nr94Ha/8IlFQtKxrh60XIzUs/GLB2jKZursZny8IjqZMrt9YHFOphqAWawB33g,iv:XKPqQ0sGukhy0bPXATYwjJMAfSkXdeanc4kULb5TWmA=,tag:vmH+pzU5qoOF5W0fhVfhDA==,type:str]
 searx-key: ENC[AES256_GCM,data:kzKWa4xCKDEWocyMmK8FWyAqHM7BuJ1f63XFfO8Dtig=,iv:Vs27/ri4nBzJ/A0LnxsCZD/kYraFZ6tD63VhUqYFwx8=,tag:8gx+j7RenuRzjj0AY5v8uQ==,type:str]
+wireguard-CA363: ENC[AES256_GCM,data:iGiAjP5Dbw0kXR3iM50YTS8jBXODNr//W/0OPMAiu1GVC5m8StgsC5uaYEU=,iv:wffyNFWZ36vUjUVMCwo7w16pWWDvnPOUli3tIa/M3S4=,tag:yu7Xl+Ehg1uhzQ3rONSCbA==,type:str]
+wireguard-CA220: ENC[AES256_GCM,data:rNy/IMKqAOsgMUu5r8BZsjTCu0L5fDDDV3/g+pkhW1y44Y2rqhhsZgcXG5M=,iv:onyHBn4npqiwC/v37SOMJLLhdfcrtvPmKbMVTgxaSQg=,tag:OmXDL3oYCDPwH1yBsKAYKQ==,type:str]
+wireguard-CA358: ENC[AES256_GCM,data:/VewmiNfRc9/wSE7TT+z1F9LLIvr/5wPsQZ/zBwAh3dEi9yswOGyde2b/XQ=,iv:7U5dmqFiwhCoL1moGSfHprv85o5TdMr6T2sNk5gH82I=,tag:T1hqh8CiO2iBa+ksaiKCtA==,type:str]
+wireguard-CA627: ENC[AES256_GCM,data:chmDsH2nE0nagjFRZWuxX08/Ykt+rIgCHYkMHd+7nIqihK5SebF7MJlrp84=,iv:NVOlGE7W70nQ0UM/i5WixJvDULO3Y4cLf8h+OAGHhQQ=,tag:L123ShCnr9+kIg1itIoqBA==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -45,8 +49,8 @@ sops:
 bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD
 aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-03-08T06:46:18Z"
- mac: ENC[AES256_GCM,data:bFmkUxQE7Jl6I/FdpsWzbAu5/g9rLYH5C9jRRwY0ln+ZAANXaxfEYj5oeMZA0lDdgCJ07Hnt0RZdyYp/jyNzY+om16qKqRxv6qpqE89jfK937LsMxc6HJcuGQQcA/1QgSCU9OLWqdbDZxik3twemQd3aPAaHLF1ZEM7tx0gCOgQ=,iv:NizgZd2mb5sXm7oxRcpVKRAIyw75dASuP0eGzhBKOM8=,tag:K0rzvjQFB++gioKobt1Sow==,type:str]
+ lastmodified: "2025-04-01T03:33:13Z"
+ mac: ENC[AES256_GCM,data:zGnWN7U7d2+REQ1Iy2JEY92hWtS3Lxl6uqG4/kVGwE5fxj65gv1cv/38ulNUhCGY9BEiOpDzQBgoAy9WmvsKathHb7z9NEXrHpVtvNgRJVfVjuduZgGvrAFRLFXV1iLfQXk8wl64/e5YXD1Cbs80+ky9kmA4nl/rM0rlEkK+WOo=,iv:YL+Jv6yfe7/EASfDNkdFhOw29iXRS3rdPAplEE3i1hE=,tag:7NLlenTFk0hIyf+FEa3oJg==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.4