From d05719f15cb46b6df220d6fa8e310d01cc88575a Mon Sep 17 00:00:00 2001
From: Alexander Kobjolke
Date: Fri, 23 Jul 2021 18:10:52 +0200
Subject: [PATCH] thrall: Enable and configure wireguard

---
 hosts/thrall/default.nix | 36 +++++++++++++++++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)

diff --git a/hosts/thrall/default.nix b/hosts/thrall/default.nix
index 8e27f00..382e031 100644
--- a/hosts/thrall/default.nix
+++ b/hosts/thrall/default.nix
@@ -53,7 +53,35 @@
 nameservers = [ "1.1.1.1" "8.8.8.8" ];
 firewall = {
 allowedTCPPorts = [ 22 80 443 ];
- allowedUDPPorts = [ ];
+ allowedUDPPorts = [ 42666 ];
+ };
+
+ # wireguard related config
+ nat.enable = true;
+ nat.externalInterface = "ens3";
+ nat.internalInterfaces = [ "wg0" ];
+
+ wireguard.interfaces = {
+ wg0 = {
+ ips = [ "10.0.0.1/24" ];
+ listenPort = 42666;
+
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ens3 -j MASQUERADE
+ '';
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ens3 -j MASQUERADE
+ '';
+
+ privateKeyFile = config.age.secrets.wireguard-thrall.path;
+ peers = [
+ {
+ # my phone
+ publicKey = "9EaBSNsJW0W/xPMLJ54zr3UNK3bZ/2ULOmhV1gPfSXk=";
+ allowedIPs = [ "10.0.0.2/32" ];
+ }
+ ];
+ };
 };
 };
 
@@ -130,6 +158,12 @@
 # Enable the OpenSSH daemon.
 services.openssh.enable = true;
 
+ services.dnsmasq = {
+ enable = true;
+ extraConfig = ''
+ interface=wg0
+ '';
+ };
 services.nginx.enable = true;
 services.nginx = {
 recommendedTlsSettings = true;
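Review bot: The interface name `ens3`, the subnet `10.0.0.0/24` and the port `42666` are each spelled out twice in the first hunk (firewall `allowedUDPPorts` vs. `listenPort`, `nat.externalInterface` vs. the two iptables lines), so the firewall opening, the NAT options and the manual MASQUERADE rules can silently drift apart on the next edit; hoisting them into a `let wgPort = 42666; extIf = "ens3"; wgNet = "10.0.0.0/24"; in` binding on the enclosing attribute set (whose head lies outside the hunk) would keep the three in step. The `postSetup`/`postShutdown` MASQUERADE rules also appear to duplicate what `nat.enable` together with `nat.internalInterfaces = [ "wg0" ]` already installs for traffic leaving `ens3`, so one of the two mechanisms is likely redundant — worth checking the generated nat table before dropping either. A one-line comment at `privateKeyFile` saying where the key comes from, e.g. `# key is provided at runtime via config.age.secrets, not committed here`, would spare the next reader a search for the `age.secrets.wireguard-thrall` definition, which is not part of this diff.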
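Review bot: `interface=wg0` in the second hunk does not by itself keep dnsmasq off the other interfaces: without `bind-interfaces` dnsmasq binds the wildcard address on port 53 and merely discards queries that arrive on interfaces other than wg0, so the resolver socket is still open on `ens3` and only the NixOS firewall keeps it closed; adding a `bind-interfaces` line under `interface=wg0` in `extraConfig` makes the actual exposure match the intent. Conversely, nothing in this diff allows UDP 53 towards wg0, and the NixOS firewall filters wg0 like any other non-trusted interface, so the phone's DNS queries would presumably be dropped unless that is handled elsewhere in the file; `networking.firewall.interfaces.wg0.allowedUDPPorts = [ 53 ];` beside the existing `allowedUDPPorts` would cover it. The `services.dnsmasq` block is also placed between the OpenSSH and nginx settings rather than near the wireguard configuration it serves, so a short comment such as `# resolver for wireguard peers, reachable on wg0 only` would make the coupling visible.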