From a0ac0f631c22ef5fe312b720f16bbeea723ad440 Mon Sep 17 00:00:00 2001
From: Jimbo
Date: Fri, 6 Sep 2024 01:18:21 -0400
Subject: [PATCH] Jimbo VPN.
---
 flake.lock | 12 ++++++------
 nixos/server.nix | 2 +-
 nixos/server/firewall.nix | 1 +
 nixos/server/tandoor.nix | 16 ----------------
 nixos/server/wireguard.nix | 28 ++++++++++++++++++++++++++++
 secrets.nix | Bin 1911 -> 2061 bytes
 6 files changed, 36 insertions(+), 23 deletions(-)
 delete mode 100644 nixos/server/tandoor.nix
 create mode 100644 nixos/server/wireguard.nix
diff --git a/flake.lock b/flake.lock
index 556e1678..ce60128d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -235,11 +235,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1725103162,
- "narHash": "sha256-Ym04C5+qovuQDYL/rKWSR+WESseQBbNAe5DsXNx5trY=",
+ "lastModified": 1725432240,
+ "narHash": "sha256-+yj+xgsfZaErbfYM3T+QvEE2hU7UuE+Jf0fJCJ8uPS0=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "12228ff1752d7b7624a54e9c1af4b222b3c1073b",
+ "rev": "ad416d066ca1222956472ab7d0555a6946746a80",
 "type": "github"
 },
 "original": {
@@ -314,11 +314,11 @@
 },
 "nur": {
 "locked": {
- "lastModified": 1725529639,
- "narHash": "sha256-dRQHGPv6a5sFkIpjhZ1cXLrHG5rfXnVJVE3ETVq1ilY=",
+ "lastModified": 1725541414,
+ "narHash": "sha256-2btQOiIw+yMrxAHzVCp5ou9IbWkzYhQ5dIS3vRO7Sd8=",
 "owner": "nix-community",
 "repo": "NUR",
- "rev": "72cd6b31e8256c9b28939fd02b9f87efafd2375c",
+ "rev": "72c08881a42221c2de613b425b735c4cd7f85d86",
 "type": "github"
 },
 "original": {
diff --git a/nixos/server.nix b/nixos/server.nix
index ec583dce..7039f689 100644
--- a/nixos/server.nix
+++ b/nixos/server.nix
@@ -33,9 +33,9 @@
 ./server/nginx.nix
 ./server/owncast.nix
 ./server/minecraft
- ./server/tandoor.nix
 ./server/vaultwarden.nix
 ./server/transmission.nix
+ ./server/wireguard.nix
 ./server/misc.nix

 # Matrix
diff --git a/nixos/server/firewall.nix b/nixos/server/firewall.nix
index c78d44ec..61737894 100644
--- a/nixos/server/firewall.nix
+++ b/nixos/server/firewall.nix
@@ -43,6 +43,7 @@
 chain POSTROUTING {
 type nat hook postrouting priority 100; policy accept;
 oifname "${ips.netInt}" masquerade
+ ip saddr 10.100.0.0/24 oifname "${ips.netInt}" masquerade comment "WireGuard"
 }
 '';
 };
diff --git a/nixos/server/tandoor.nix b/nixos/server/tandoor.nix
deleted file mode 100644
index b0c35761..00000000
--- a/nixos/server/tandoor.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{outputs, ...}: {
- services = {
- tandoor-recipes = {
- enable = true;
- port = 5030;
- };
- nginx.virtualHosts."recipes.${outputs.secrets.jimDomain}" = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:5030";
- proxyWebsockets = true;
- };
- };
- };
-}
diff --git a/nixos/server/wireguard.nix b/nixos/server/wireguard.nix
new file mode 100644
index 00000000..6873d8ad
--- /dev/null
+++ b/nixos/server/wireguard.nix
@@ -0,0 +1,28 @@
+{outputs, ...}: let
+ ips = import ../modules/ips.nix;
+in {
+ # enable NAT
+ networking.nat.enable = true;
+ networking.nat.externalInterface = "${ips.netInt}";
+ networking.nat.internalInterfaces = [ "wg0" ];
+ networking.firewall.allowedUDPPorts = [ 51820 ];
+
+ networking.wireguard = {
+ enable = true;
+ interfaces = {
+ # Wireguard interface name can be arbitrary
+ wg0 = {
+ # Determines the IP address and subnet of the server's end of the tunnel interface.
+ ips = [ "10.100.0.1/24" ];
+ listenPort = 51820;
+ privateKey = outputs.secrets.wireguardPriv;
+ peers = [
+ { # Jimbo
+ publicKey = outputs.secrets.wirePhonePub;
+ allowedIPs = [ "10.100.0.2/32" ];
+ }
+ ];
+ };
+ };
+ };
+}
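Review bot: The masquerade rule added on the `+` line can never match, because the line directly above it, `oifname "${ips.netInt}" masquerade`, already masquerades every packet leaving the external interface and masquerade is a terminal statement in an nftables nat chain. If the intent is to NAT only the WireGuard subnet, the narrower `ip saddr 10.100.0.0/24` rule should replace the broad one rather than follow it; if the broad rule is intended, the new line is dead and the `comment "WireGuard"` is misleading, so I'd drop it or reduce it to a `#` comment. The ruleset continues outside the hunk, so the forward-chain policy that decides whether wg0 traffic may be routed at all is not visible here.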
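Review bot: `privateKey = outputs.secrets.wireguardPriv;` embeds the server's WireGuard private key in the generated configuration, which lands in the world-readable Nix store on the host even though `secrets.nix` is kept as an opaque binary in the repository; the module's `privateKeyFile` option takes a path to a root-only file instead, e.g. `privateKeyFile = "/path/to/wg0.key";` (placeholder path), so the key never enters the store. The peer block would also benefit from `presharedKeyFile` (or `presharedKey`, with the same store caveat), which WireGuard supports per peer as an extra symmetric layer on top of the public-key handshake. `networking.nat.enable = true` with `internalInterfaces = [ "wg0" ]` makes NixOS generate its own masquerade rules for the same `10.100.0.0/24` traffic that firewall.nix masquerades by hand in this commit, so one of the two appears redundant and it is worth confirming which ruleset is actually in effect. The `10.100.0.x` subnet and port `51820` are each spelled out in two places; since this file already imports `../modules/ips.nix`, hoisting them there would keep firewall.nix and wireguard.nix in step.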
diff --git a/secrets.nix b/secrets.nix index 5ad04f03ec435706299033464a86ee4313a167c8..bcf084a8288927f988b1e78c83663279e10937c9 100644 GIT binary patch literal 2061 zcmZQ@_Y83kiVO&0xR7;R*tXYsZq&8!i!AaJ*?a_xTaO9Ozqj@Pr^y5%)qOYKtqs1H zd4JRM46Y;R_yRBeYteknwsg0i@#A&(4B6tJJ+uDDW!0KFBg1wd@15;WYTm4vaA%I> zOnv5`cb3~46o&dQ`dz^^>Gj7A6O-LPKW$0+7-P)$NbqN{&y(U? zpZXs33(QpgmuAs*lRNR>jK@3s7M1zVV-l=MZ{XM46|p3l{oocQnX`XYy1M1wRY(@x zdtxqji@AQq)S?MXh0dpSpPLuo?3+5BOQs8jg;#-oY zLRpHQT1fe-FYTLib~(E#I5+5m>?y1XHJG7cLwK5({iiePsbLDM$K=z zoX)-O$PAO6m7)f|3zhb?39XiXt0jMT%A>i;2^WGt`9E6!eNtMGtIIC#NaJQTR=LwR zy7iu)oqgnXk=Xj(@BEkbdDi3>Q zezwOIJ~#Msda>9fFXKbuDNEH_j?FoD)9dk*<7f9@EbWQ=dnG+X@n7?X11uYsOSB8$ zIcR6Rh_(3HnREM#7pB%Hmc*YmnfRF9bb=vcXUwZh&oZkg=VnaF;5hu~p|M8sh@dI%kr+D_Ob*q;A-nqPHZD`RugL=;SzBgmv z6pE=9>A96I;F-*NdF7A2xA$6e_PWj3?rS==FSc{{0`EOrjsE)_WOIwY^;}`HMBx^hU+SOJRKxFfRg;cI%d7DBRT|7)Sjg~hN!Q~KTNr-rfBJ9Ze6a>s z6}=9Bo>0~)S4_9<*tNNUbM5pqKRNasvE830eS66g^Vz%n?HPpQTYqPz*u+ostlDHh zYfkvzhi76uSnQ`qU#>opV0P$q(qnICo(D}w5|`h;r()=Fed5l&2R$O!e6-(@GFL`; zw@~lT1C0#-3X-2WM*q;O)5xD^Hz1 zko#-8c8+VKLqh)~^Nb|+FXllm4N~)U%yyleQ2ro2$<+SAHVtKgAFQA5XjUKPJzXjr z75{j$pzp*L-hZb3m^xWpzgv4!iPS%humqjM=i{6s4%UZHBA>qL8GMQr)Q-6xiXVY1tXnyA276yHvr3oGh z1uOoo?)i0V_V3-@Zp*VbuVK40|G*8GEp5U&^8+)s2NuZ~&wuXxh$H6o{BG^N+&mq8 zT20Rj1-*D49lO_l^<{LwsO1O$|AJzFYI0}hmDzT>yYZimbUd$n)<)M)+0D04KyO9m z-tu3kY@aP&&-!uK#uYN*%Ub@wyzOnVLsNcF~ zx%=SZ#h_xPKf4aZS3mveyfNv`QOQWoBtIdx%m&3Xo=%s(J~Q-dS~&lYbl~Ldpvf8D zrKXc&d=eWT746LVpcnemNneBO-McW}E%|J$YtrgmZt}0Uo$+;3UqI-?1t<7#o}QyK z|LVHs-}~Lx{#&pwqA|_S;jpgF`;e5E?`r4$H|jnjHYmGC+G3bJLGAS8vMjHM7_clKv+TmsNQuc70 zxYKW0Yo^tl{I+|d&2QbyZ`SlyAM1-LwGtASf0Oga$mgP-xz3NjE2n-6mTj85@=Rg@ zTRzWoO&w=xm#Z%m4`?~O)OpU3Qt(W7jp^#;Zm%V`7gZ_DuIpD6kJ~fx$)U%0&-jae zpLHohovDr0;`XmH{^U99gGBlcHNUR#2#HVMx;f~g*>1nNjr$hp&w0-?S=e>4=VQL# z-YSjV-zR+L*2;D7uiR#3XvIFkSrx|?-joqP@H=8bQ>nzAhi7GOCrVZtTP(V;|KC}U*LU|_5O^ijy_3aWNW)xR zCF`JmjfCdU7Y+QY|N=NqdwNJmeI@|SPo$r~)H`l3%GexZ3!|qz{Cp+n2kv+3a;m@-{v5%zL 
zN+-YK{Qdd-%WdWgPwUp5+G4e&bSvM6eJo1H_pMrcIaP3pOZMg8=i)2=zS;eKb@JQ> y#SP{0zCTxqofKTUMXqmSkCgho`OIxm8+^Mff?bw=xi>xQ$M);9AEY;M#{d9K?f?M* literal 1911 zcmZQ@_Y83kiVO&02%5@9>wY0URcMmcp(aD#Pw zwy9xXL0@3>l-X}qHEo}!e#U$UzgA0|>!kBcT+biqNcdzcv*(?8T)w()MO_VT#Fe(L91B}ZY0O4Dsp zoGQod_cVWhf5>^gx`b79@{+du2TmH^zMJe}Y`JuPflI5|ohk#vqYkUZg4D|!8vNIL z`K_0?6z$=7@J`xeT6ZLq{QtI4roA5JN1dmgFMG%Sc!$cHtgYeAbzyh(E+pLC<=>L= z##}RF+nT>VK64K6D)FRv$S<0po!4<@+m5;OXMbD46uvk1_tF-&Chemx-`P3Wy0mqR zZGDl(UQoI!c2x%Nd*05w7Yf2l9Q$U4PT$)6Td}jac46VhV-9^mKJ~iwp@n`^&OMsC zCALpEJ9ay3Q;yUmHQuUeHzb!>?XYvjBaidD5+ zVHCUTCO4Ds_NitI-d%}XskEp_+TiY-`OHhsKH@!-bjYhVawe;_!s7bfAFh--J(y8o z=gG7|y~b?nHG#XE?|pI;JnjE>&h#~p&V4rU$gYyQbSCAWQm24Pi(9ou)t}cQPbx|n z=CwbQG%L2QlN6bE)_L!p@@*k8bq==@PVcYs^4_1kv;1>b+V;r?vyXZv&JGTJyZ6bK zo9bjM*Oa4s~?@Rve|p% z^V;<1%hlVK#r%?bWy1EYMt|cvx2+p93N+QT($5A=h&v#Y`+Wn14ZWj_7sl4$nouKw@)%kIWsY08+sr|Q0>?OOl7P`kZbSKk$ydRH=p zMMvPDznSE&d8u>$YU=#j-*Hf?IHX}#On~=v|6{rVM_-rrw%ZyVyuUZVJmzNKxBE%~ z!gs!&+j(z2o83IE`sETyzg#`n{+hq##3OAzP65Sl=|cPT|Yf! zvvKGe%eK92B|-O`pB{gGU{%AFg=udmXl>_tv+Mu9)n$+3!uM)*9d*dza;uP?dAHZ} zT!;RT_a}3CYOGU=p0A&1BzpC@aQh1erm(bAWjt@oA~=6HCVuS`IVZaP$!>|r%V%b3 z9RB$7Sku%af39tPnY`4E@7MiL=e}>)$5XdV;MPBT&i3S}i>x<0o!M^gPmY*+ileQs3<7bokRO4WtjjQrm!nIg`C7xi3_=xx9+>dzOu(*;shVIGlKW-E?lLyLimz@VU1g?cS!ABmAL7N zbr%lqTDvi3-zv}AlOIFHb%PXVP0PQw*CqLE)O^WPlf~K3&vMY&zv+k5-HjVJYdvh% z`!2TS_LGkX`j@So5GbVBS0a9PCHDj0U)R<8&3Q6z2m1Li9ohTaRLnS{+b%&vU~PT9 z$A^RZlb1>D^a@iy9(v=)gbto1|G#mZuT*`og3-g~`|@S!Q-!`fysfzCbh8JeXwiJ1 zzn;mW39;FqV%Mk0p7G4$|Ht6ZqVumQ*KU@D#6`va{gZWdgwI#^rt;+f;M(5JwQ}z2 zm$Q8R%e!QkFMZebeCK~g>)GK`SN{7yWBcTv``$>Xh|LR8b=WL&YpGLItfY40yyXtv z&lgW|SasBE8p{KVZI*n+9`{yDX}o^XBJ0VZESe>>iBW5B)U~N!53W0M@uT``#`AO6 zFBa!}e5dGI^YK#>+Q$pZ7M?eFxA$~J``yVJ67MOJQ_2q_;%v(Q=7bRt;gkO7AAWps z@32Vn4aNxJsXsPo%)fE|A;&k@?`yT6RsLVD@zk+-hvmOjRxyolR&6PM!ohHSxlBdU uM9b3V^IA9EdFPkQcQ