From 040d7392dc17baec4bc7f13824cde2bc3b86b93a Mon Sep 17 00:00:00 2001
From: jimjam4real <jimjam4real@gmail.com>
Date: Mon, 23 Sep 2024 13:49:48 -0400
Subject: [PATCH] Maybe unfinished support for wireguard Nix clients

---
 secrets.nix                  | Bin 2674 -> 2892 bytes
 system/desktop/firewall.nix  |   6 ++++--
 system/desktop/wireguard.nix |  23 +++++++++++++++++++++++
 system/pinebook.nix          |   7 +++++--
 system/server/wireguard.nix  |  14 ++++++++------
 5 files changed, 40 insertions(+), 10 deletions(-)
 create mode 100644 system/desktop/wireguard.nix

diff --git a/secrets.nix b/secrets.nix
index 367d785162902d4343db91248dc1e8cef0ca696d..c1098f85b5173116ba4bcb0e0b7043990ece35cf 100644
GIT binary patch
literal 2892
zcmZQ@_Y83kiVO&0_%+93x~@&-zYw>Tv!*(`fASHQ=9;%6=zu2c=dGL%ZI;}h?6c?D
zqxauC4@@!7?0GA<b`H~ut@Z0<qrT5Bz2APyp*3a4FDH&~EFBLOd=s?(3v!ffa9&^@
zyC#}j^Te$?g}mLzp1$oAWIph}C*H)YDvwhuLG<08c{{#Y>2H)eT>pvTcI&>)swz6=
zH+-J;1X)J^P3~X%fA-_4f@!<EW!go4_ndF|#m@Su$nLvYx<KobrLlZ9;;ZHcub1@u
zcKS$V^RNDvFL^gta?GCBTq9ZVgp0A7%lF2X^|f7^Yf|}kzf)#B{kM42>KXSccQo4H
zYZus@D)iy_(`2*BEd6bKwriRWvh(O&?d~bH+s;+IZ|UV7;?LI$S*?2hw%ll{rjwZJ
zL)+G~6>B^s6TJ^UVSibgXtFYbWz&{TTRxdv@r1taEZDhl!>$MZ%4toFE^*RpKf9fN
z{PV}1AU~7JfO3;Br%$i%boVzES}=XZeVJVkC$8HdzvPy((ITG=w$vkEo~=)biseX_
zxc^$(>S4-GcGoqY?eUM_$~Fqg+;*&a)DZut^(({PkLlIVXWGZgM*rlVAZ^PiEw^0c
z{5oS!`yYWvE+|YnDk|k_w*Ftwbn_p!Wp`G8=FHF9XY|ZJ@cQlt9XBtjPE>q&?1zq!
zeD!Rp+e>qQYfcu~H2YW>kDQjoMBWWW^`CEtY}F|a*yXt;cCkl9Kvdk?0=;EVX77Kg
zTKW9K?88eIYjHHsn?BQDNb~)qJ|AmIO+TraQyJ6k1(VZQ9e4jaeXp&v#8Li<lI*Ue
z9b3vjTmC(G+T^rmsCTis^;t=dlJ54SGdbG)_IrkYo5FhZZo=IfEz59c*YwHf&27y>
zC!{+cjNnZ@<K%EQ#5&{R?f)7nmrE0$SQt+H`)pa;Y_Clf1^;piuJAWKTXQN?Hnv(v
zL;c8JnUKZm8k6(<q-E}YdB<Ax<rUM6byo4eJU$%>2wa-8DdiFKuh%g_k-Q%#{BO0~
zdVbbozeA^=#~hZ}UA=L=;=B51kDdwr57=(_)jDzU2D>Zwqc|*f6<_%`C0DLl{;#vd
z4UWCf%l#4s4_;Ze>jv-V6AyT+EnjiIGLyZP(z0vf4v9rRayiR>EX$snuxP!^7Bk=J
z;pU!yoLvP)J_p<}v-NDN%$z+fJ-$%9o7tQ5SKN>3QTkB}n4&I!-~OWLXy1*_4=Zw>
znQ2s~=L#x2-kMOA?2;#bcf&NN&JKfjR*{osu4GJ~FxkhTb?PVA&XyZ<jvmyR_tsC!
zt&3G~!zH!y%ciqCPJWucDtU6U7T+Afc?}%1e%!wK=$X=z?}3>LvD5#G*s#k^)=>4o
zm=gB5|F8Sj*1-Sy?3>+${#)*8??2xiciScQ>!EdmI$5mBECr&`vURV1E(@+r*Zde^
zduRK-#T8YqZ-3vc+%s(}>z%cmVqBGV3y*%ZG_b0UE00@$eue)7_eiIOb^*rTmnWZ3
zOnkJSPr)zsLHD$ssT!A)?@LaOOJaLyuW|GLvs)7rzKUGD*(v+$gy=F3g&THf7F^iY
z^2A(EHR*$d<>7J#OPNKVb~ps}soQLMxOI(A!qP60B-85$=XNdmR`qgwtOSq3;@*4P
zbdJnj`#<F1<f%;?_qjDjpA%d2RliwgW5Q#`6CCUBtm~cNGhy+H1#&-g_}ygI=^Tuy
zd;B+4$9Dq1%8Cqa7p}`+Bwr_cm&^R`dzAFXtL4L-AAu={9(h*nSh&MBO0H$k{&SbD
zF3gp4IBt49?Z)I~aeJO`F)**2kz-RPdvQ4%PjSzhH!=bjB0Ha@pMTEr#L!-k`EcK+
zk8d973jX`_?ednWbw~N<Zf-WeD0Y}5P1T*HVd}iDoOL#}>MUp3G*c$G>d)h`s5tfi
zZ;9}~hZi|R?_9rp(C+NaRdfCS>)PFH(OGjeCAlVG$?YHd+fO?e&(CM$dUAh$^2><W
znl~?^xF;Wd)n&VM$@?eWyWJf6l#M2)tetWHmsQF4u0!JXEc~45Ef@X2_dAvb_p0PP
zHk7$kD)}`;`J%brq!*e2tjn9WSc>iLY-_*e;u2|YCw8W&fN4_g`g*p9o9v%BEy~aB
zj4Ipp{1ij;<An|J3eTH(#I2GzT&88(HN|*pl?t3U&gS0c7S73)BfEQ(bZ<3B@&bz|
zOD)+HHr$isT;F|6bmqcCUyFGPqzfmWtXTb_#`q88+a;-C(HdN4S{~mXL_V6eoWEu7
zoo=y>Wj9!C_<otN-`6SAnqloOW+b2d{hG4nM(bS*w`6Q{Ww4#Nz(!Vd<NISm{Z87G
zK7}Uq+kZA|(*L`WX;zi@hktLj?$=u?;PxVLYGy-B`Q4`unjaP1LylZZI(q*k^U@}*
z#=DWX3y=A_-1irsF1+!>X<ywa*%f*ZI~lhu3tlqEPkAlh*I?<nZ!gZ2{uCOvRy}k_
z>Wz1+Z*g(ARvzqGw)AAHchKu~>?PGXVT~^D>u*l6@BMas?JCtHg<I!N@DB^kYfm~?
z+;OG&`0V2m-vbI=iynRAi98`W`D*_gH|3ia#SLc8nO2N)g<D>|o&PgzQS*f$b)Brq
zPL5L+{J!(OQKVc;^685AFQQALd>?;^5#H#Y=vw^Hah35Z_DMfZe>gnZe3^9AeSe$M
z2aGkP^66|d4Gt|0$a$y3qvOx=)9spKr-Dnxs*MlMPA<A!*fsUki9)$A=5N0~eU`j0
zrX^(RX$@hO_Y(IQdfY>gb6#DncO=^-q*-+C_Cop1nmeDicpJ=kTCG*5G4)7QYY4}J
zhd----&S8${)Q{hhwanG&$V->Z)Vs~TI0O+$FondyIJJe&oAIrKE87Ew&>bf3HeK|
zEo^LTR6N9+wP!<JS;jiEd}9w6vA@?Jed_GgQG38}UOn%q&;D}bnx;CXBONnerOn-F
zwKG}o`qz1}6=%zyo_PE;c1lchh9pbu>f%S7S46&^Zm*JgDf00=v%K_{*v|&M;>=HE
z_IAX1i?6i{d6H3ZHcspFst#XknR{Q&w@dC~6u4<MXP(n^;r?ggA{F5sFQ+_sI8o>N
z*NMJcW7q{6r+!w^FlN76doN?5ogdpro&M?$kzawVrOZC2^QV1X#ya(OUEIkq5&atO
zDPNZ#{BXJXxLZv8!6lBS0%a2~Wr=;LTC>>fh4sASO>BL}i5u5Xm)rT{SMKf^Z8L<+
zqj{_@Rwk|eH^uI>fy2dvqMP@vi3vD9>-MvG9a<H8Un?x0C?GAkw39FK+ViTT$MRGp
zuC80xaDTpmNcU$U`Hdk945QE7Upse`bArfg`SUyvySpX}noXVfuO|EJ7H09g)qbb+
zzOUg@5fO^p$ae8`Q2Kq5(mkD(>E<(Mu2l9uQ>OUtlz^em9N~@Mn77s+{l|Jgd=iW4
z8|VA;AG}Wc!6Ur-*pWar33>kZDzE6Hvv;$-TF%U~yubBZMC{8>tIspfGR|A%!L~$E
z|L&>T8Gezgc5dYkpX_D5{RzJj&#Z%ccD;Nczr6bY?xgy%9a~&<9J^TK_vUq+Hjcf2
zvR*OEaO26F3tID>9z0La$hpD!WPg+Db<toICxI762Q%cam`Lj;#2J6NRA<b0|46lk
zOqG&UoAUMQME2z8SuYv?uG3Z#oZ>i9?Nil~Q>PUFr%jhyWj#xw;n&*w1EODNwwm~z
z+L&=)&`oc(=YyX<t77BrSvU5d51YmDMO|C)zjlmauEd7xjsg>36`eP6;p#k`rE>ot
zzxn!Pxs<JnYa3%7W?snMwRrjjVU4+)Qa7v&J@<Y;>rM8~{g*RORIoE{(f3mb4BT{q
zuXyQ}kcjl!4~I04GV_Q0OWr;AN{xS5tkn&>mrr^2G5!gaZEp?rciq0I$$mmXpZtg4
z*|V><p7^wi%~JBIaZiv>;qOv2Tl>RIVVCZF=(c+p@yJBXZ()CLl|%QQm;N6nr@Y?A
nwbK7wSJe7nOV3R_Ie(X~n2)f`^BeZlCavpnF5=waTABv{NuZFh

literal 2674
zcmZQ@_Y83kiVO&0kgHy)^KeCaZqebIxz((Nc^vyYcDR2&!gu}QGdH1mPqZx^GnG}e
z?IIOQj%7Oh*?O+j=*5TbmH&gTpT4uGo!|e^maqSu9(_5u%IMFrNy=I^{_b1<2roUD
zvQxu%p30W&oo^Rx2)uey`zC*1!!y%89krXzpVMct*5=<R=pgALy7c8_-*p@KLO*PK
zU!*9z{o_mC77xBjC6*if*BP#^5>)u(@jT8b#M)#{dXn_)74__Lnd|>-eDGwJ&apj=
zlgd8M)H~U+E^wl%kkD$*_{mihJr*;~jhb3m^KhN2yRxCdvTEJtM-q3^_dclpzQ~!;
z<9AI~hu4oD@uyPT4JPl9Wc#@9Vs*~kSt1X<$t^Ey;4yyqkNfEkPf?A-UM<z0%F7z`
zXG`ZMyEWgFux(IEPiH@TZqk|w%ay*|6-nH-^7`ya%iA5eY`>kDvPQW4YOUm#`#Huj
zQJ>g;7VVoUW6GKSJU(l>&oWVCHX~1wy|-<AHu}eCg%&>B`fOUX`rfI(&M=5f3i_P*
z<@XP^g`aoLdDy0SNS1M0#}l34E1c}7ttHMr?+VUxSiF*pM?XnD?52u{!J5>cottv{
zln*&r{ocN0x1+Q5hNd0$OB(LUNo~}dxrAk{-#LFJofEqgzm=U`-1s)*$-Mc(buyvb
z88e<8?^$?l-F~4XZ7&McGh6F(uldcK;2>KlP`m4b=HmN%g{t!Ur#;d3yL<74WRB7G
z8$|`l0sg;E^iR`XYj3t;w|m#k)fW|VTR65|y{`M?uyDlfV#BK0;k9=fj;LEFpJ@r>
z*(klE`m2NM{pNE5_s`@mQ{LS>_qEoKdqT#iTNYH!QQvM9*W1RvndxQF{BMH7k?HCe
z#olyo4S4!H<azC?Q?s}HcaeX(B`J|VP(bz9g69*XRr5-|6ht=O{@twZs93v*aoPXP
z=0@9H)|Q*b>Q0S~@QnZZ;Jdx%%bRz!v)?cBkzN@t(X8{cH~+}b**aHVT{p<i%!<&E
zh%=AB<h6%=o60|_my14iPh0hm_3cl-9^t#YegC{%5v<SG;h&LWBj&^Shg(VM`5k`m
z$(6oW*k^rz?-vrxxVCy#-tqZ~A6O4~U2|wY(E3ED^4RYJEhg>CM``vuCEuTWGWBB0
zm$(Ao?MYh7J^!0#FWk;P`Pe3pGv)vE&G!4x6Uk;f`@#R;PJuIN_LmwB6}EA8^6lD`
zQqm*&KYvr6p0Ln)v+B1#-|xq*dA*X;>(EMd-kiI=aUvY9@-}mVEt)QWcPL5-JX-YX
z8<PvirQ(%-`=8AHZhm5EvB-J5b=x|PZwIRUd8DtzuJ=4Ghhbgn1&OQHf`$FeX`)|#
z2+iU8S}D)^XPrV-q4Vw3xn~t5s=EB&{FjJcrLo}BWoGS$4DJPLZ`a;EI$!dcfYQ_p
z&pVqF_B{8z(BK)dg5}RymAmurF7@@jH{HbXYp@CL!~6+ZpY8UFzpHz`EmTum?VUTf
z<?X{f;kk<?P8+k7UOOTweDRs*$ILZfCQY0qSFL*TM6?m7#O9fNQL(f1#F9J(<_oFp
zdA2umk)rmM2h-j?jQD@OBDPWTGV3A!H1VQ<Zrh$tg~p$HT53HD?3`GXdf2lKo45Xo
zGUu{*H+kE+ub+dvKklxS=utf3qx$N}7JH2|ncp_%PD_}(aq^cRyW`IvkW}rJ5b4Qf
zk7zRdW!F+_-F=B|7u)4#gI5QwYVLGheLLT&#6NBAs`Cd5&6V@=-esLxVzBG%YLW9_
zL`<e0?&Dke_~Ztu)#ax{AL%tq@LSgYRx4RA_3f{CaMHpL7DbPLv<S?p$lc&_Hs#5a
z>8+9~|NS~$URN_!&d&_aTgh73bkF_V_LF}iH%l5RZxD`csO*|~G}B?>52>qqM>@GY
z953~piMt`mxi{kTx)U+cDT48FQ|9Y_-6=UOr{?ADYxk3xzc_C@6=L<O)O@D<{IuGK
zUk>}EF|3Y$a7DKL>yx|x^5yi(x2SyCeNA~~ue>6^z2$9p<%#Q}O^#i8BfY?5<)4a0
zA7`AJE);YibKRBq-My;M_C7UUbCEOY&}DZuNx`@SE^q3X)pNye$4-(9Gw2gi>tJww
zvvsA-|7#l)Tvs#qKe3+Klei`Or^lmDGgN*uIQ9E|$g;64(U*O2b%nUF{<X=+{!eE*
zeq-yN#mncnNKa?h{*imD-&0L;rYysjO%jheSm*RlpXvE|@|ydXc8WY=_q*+R#4y@S
zWr@rKt}|y}6e+)c<i7LN!xV-iKg^ue7iXGXTCBP6-@SF;Sy$Fwb$j;Jc7?^#vWJ0w
zj)gvMCsx{=zE<+g{qOfP1`{_&O=kOS6p?rR;R%Z*2Jc_obN_R?ce)Br&9#2Lpvb+^
z_(2%w)IM{s*@myXxAwT6J>@uIR#eiY148Wcd#26#m;Uxl)tx7+&qd3n#X4+X!mP5^
z!r$K1@92A{o~*}VdGYd3W?xHBK4aAS@R68@%dw9OERG((u5rgy?@XPdz&&5S_F3m|
ze$?wc|6;PtBa8EI)bmu=yZQ76pUDmJQo3N!q1&({+qOw?f<#9(ORuczvmehL{=Ip#
z+^OZ@W&XM;we`2<gJw>5iGMnOR=&;sqdK?OnezVYU%YTx=fw+=QAK_7&x)j2-{sdD
zA9`iB;@(^HHB4`Eg?iUld|t<~Rp{K4&$%`Rf|I*Wo;6pRv!+dXp5*Qs{~bK$PQRxy
zgMa3#X8xn5@mf_LH?2jNy1o(kB5;tU_+wNN?|p~EcCp)+9?DG5IO(+fc~ioYP218F
zmae(|>396QOAV8s-Fn=XdU@i}q$TI0lhfQABTjQPTo-4#_4~oXUG|>ldX8`7v(;Y(
z23v1g<)P7&D8Hlruqnf-#^^0KSMKR7m$C{vlF8+7SCgD|ZRYJRMuEF;ZSMRHlFHOl
zoB8az^B<P&?^jt*le1fJc#h=4x64<2d3^r(<nK8r^KQ&Zy=}KG;)zWDlzV)<RfiU?
zJQ!*wv+k_7&U0xON&nteTLdm8yFS@rC#Q1D@_ZTB(hqBtk4@COd0y$GOx28U?#E7Q
zf4$YXFgs=EQO8H^k8hmU{QvyT{`1DIFFYo?{}q4o<JdNqi2vrtmjrAnQPn)e_o-n)
zJO6_v6^yTDb(l<?z!v*n&nRrONGHP!htBGi?{vMl&pO%jvES3-Z2jB&vv1DOC|<?m
zBd~K$+>;KKtDD!JzIgfr)9T~R23nWrYTHdq^b*v*#=l-V==Ifo%1%jNwSIfMcG)gk
zQ~Fj?VV%?@Yc-d`%ZAgZM=?C*3iRXsmZy1KEMR-FN>h|v#;h+k_F_|%>LcHn?`jWu
zJ?}=txj6>xtlypm{4mH~ts8&CfaRTTtJB^1-qU|sA4M;-Xgy-V$uY;t^7s3YPA$v#
z=U6YRiE{;Y_#V1waAbFnaqCsv_1nrOuKuVTU)5G2b$(q#+_f&H_N1Mu_h+uV%H;j>
z74vJ8LbGc-t{=@Q|FPO*j{1XLK0S8-?#rAw;`#BGf{}A-S6+?agqimyE!OYjYTK@`
zMEd#73Ran<xU-98&Oex(rpv6weJ053WY|jW`;H%6>~7ng33mFGIpc}TITc%zFr7)s
zi`yEn#TaFa30u`AJvHh}xNEXojYD>4S@O51$0g4=Jq($9ndg~D)1${?PPI`xAG(>$
Us@7yHOaA()>d9w@Sc?T$0lPCbcK`qY

diff --git a/system/desktop/firewall.nix b/system/desktop/firewall.nix
index fd281383..11101a4c 100644
--- a/system/desktop/firewall.nix
+++ b/system/desktop/firewall.nix
@@ -1,11 +1,13 @@
-{
+let
+  ips = import ../modules/ips.nix; 
+in {
   # Networking settings
   networking = {
     # Enable firewall
     firewall = {
       allowPing = false;
       extraInputRules = ''
-        ip saddr 10.0.0.2 accept comment "Accept Server Connections"
+        ip saddr { ${ips.server}, ${ips.wgSpan}.1 } accept comment "Accept Server"
       '';
     };
   };
diff --git a/system/desktop/wireguard.nix b/system/desktop/wireguard.nix
new file mode 100644
index 00000000..67d9809a
--- /dev/null
+++ b/system/desktop/wireguard.nix
@@ -0,0 +1,23 @@
+{outputs, ...}: let
+  ips = import ../modules/ips.nix;
+in {
+  networking.firewall = {
+    allowedUDPPorts = [ 51820 ];
+  };
+
+  networking.wireguard.interfaces = {
+    "${ips.wgInt}" = {
+      # Define IP of client in per device config
+      listenPort = 51820;
+      privateKey = outputs.secrets.wgClientPriv;
+      peers = [
+        { # 0.0.0.0 makes wg act like a traditional VPN
+          publicKey = outputs.secrets.wgServerPub;
+          allowedIPs = [ "0.0.0.0/0" ];
+          endpoint = "mc.${outputs.secrets.jimDomain}:51820";
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+  };
+}
diff --git a/system/pinebook.nix b/system/pinebook.nix
index acd76f1d..c3217325 100644
--- a/system/pinebook.nix
+++ b/system/pinebook.nix
@@ -36,11 +36,14 @@
     ./services/mpd.nix
   ];
 
+  # Set hostname
+  networking.hostName = "JimPine";
+
   # Disable 32 bit graphics
   hardware.opengl.driSupport32Bit = lib.mkForce false;
 
-  # Set hostname
-  networking.hostName = "JimPine";
+  # Set the VPN IP per machine
+  networking.wireguard.interfaces."${ips.wgInt}".ips = [ "${ips.wgSpan}.17/24" ];
 
   # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
   system.stateVersion = "24.05";
diff --git a/system/server/wireguard.nix b/system/server/wireguard.nix
index 9155f51e..670490c2 100644
--- a/system/server/wireguard.nix
+++ b/system/server/wireguard.nix
@@ -14,21 +14,23 @@ in {
   networking.wireguard = {
     enable = true;
     interfaces = {
-      # Wireguard interface name can be arbitrary
-      wg0 = {
-        # Determines the IP and subnet of the tunnel interface
+      "${ips.wgInt}" = {
         ips = [ "${ips.wgSpan}.1/24" ];
         listenPort = 51820;
-	privateKey = outputs.secrets.wireguardPriv;
+	privateKey = outputs.secrets.wgServerPriv;
         peers = [
           { # Jimbo Pixel 9
-            publicKey = outputs.secrets.wirePixel9Pub;
+            publicKey = outputs.secrets.wgPixel9Pub;
             allowedIPs = [ "${ips.wgSpan}.2/32" ];
           }
           { # Oracle VM
-            publicKey = outputs.secrets.wireOraclePub;
+            publicKey = outputs.secrets.wgOraclePub;
             allowedIPs = [ "${ips.wgSpan}.3/32" ];
           }
+          { # General Nix
+            publicKey = outputs.secrets.wgClientPub;
+            allowedIPs = [ "${ips.wgSpan}.16/28" ];
+          }
         ];
       };
     };