From 7770b9c197e25932312a07fbf6b1d68d4afdb1e1 Mon Sep 17 00:00:00 2001
From: Ivan Reshetnikov
Date: Fri, 10 May 2024 12:04:02 +0500
Subject: [PATCH] feat: configure wireguard

---
 nixos/configuration.nix        |  5 +--
 .../network.nix}               |  1 +
 nixos/networking/wireguard.nix | 35 +++++++++++++++++++
 nixos/programs/fail2ban.nix    | 10 ------
 4 files changed, 39 insertions(+), 12 deletions(-)
 rename nixos/{networking.nix => networking/network.nix} (97%)
 create mode 100644 nixos/networking/wireguard.nix
 delete mode 100644 nixos/programs/fail2ban.nix

diff --git a/nixos/configuration.nix b/nixos/configuration.nix
index 1770f51..a3f5559 100644
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@@ -2,9 +2,11 @@
 {
   imports = [
     ./hardware-configuration.nix
-    ./networking.nix
     ./users.nix
     ./time.nix
+
+    ./networking/network.nix
+    ./networking/wireguard.nix
 
     ./databases/postgres.nix
     ./databases/mysql.nix
@@ -13,7 +15,6 @@
     ./programs/acme.nix
     ./programs/bash.nix
     ./programs/docker.nix
-    ./programs/fail2ban.nix
     ./programs/nginx.nix
 
     ./monitoring/grafana.nix
diff --git a/nixos/networking.nix b/nixos/networking/network.nix
similarity index 97%
rename from nixos/networking.nix
rename to nixos/networking/network.nix
index c386784..07f57a8 100644
--- a/nixos/networking.nix
+++ b/nixos/networking/network.nix
@@ -35,6 +35,7 @@
       1900 # jellyfin
       7359 # jellyfin
       6881 # torrents
+      51820 # wireguard
     ];
   };
 
diff --git a/nixos/networking/wireguard.nix b/nixos/networking/wireguard.nix
new file mode 100644
index 0000000..fc833f6
--- /dev/null
+++ b/nixos/networking/wireguard.nix
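Review bot: Removing `./programs/fail2ban.nix` from the import list in the second hunk of configuration.nix (together with the deleted `nixos/programs/fail2ban.nix`) drops `services.fail2ban`, a brute-force protection control, while the commit message `feat: configure wireguard` says nothing about it. If the retirement is deliberate, for example because the services it watched are now meant to be reached only through the tunnel, that reasoning belongs in the commit body so a reader of the history can tell the loss was intended. If it is not deliberate, keep the import and the file in this commit and move the removal to its own change. The `imports` list continues outside the hunk.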
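Review bot: WireGuard listens on UDP only, and the hunk in network.nix does not show which list `51820 # wireguard` was added to, because the list's opening line is outside the hunk. The neighbouring entries 1900 and 7359 are UDP discovery ports, which suggests this is `allowedUDPPorts`, but that should be confirmed, since adding the port only to `allowedTCPPorts` would leave the tunnel unreachable from outside. The enclosing firewall attribute set starts before the hunk.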
@@ -0,0 +1,35 @@
+{ config, pkgs, ... }:
+{
+  networking.nat = {
+    enable = true;
+    externalInterface = "enp7s0";
+    internalInterfaces = [ "wg0" ];
+  };
+
+  networking.wireguard.interfaces.wg0 = {
+    ips = ["10.100.0.1/24" ];
+    listenPort = 51820;
+
+    postSetup = ''
+      ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp7s0 -j MASQUERADE
+    '';
+    postShutdown = ''
+      ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp7s0 -j MASQUERADE
+    '';
+
+    privateKeyFile = "/var/lib/wireguard/privkey";
+
+    peers = [
+      {
+        # laptop
+        publicKey = "awAVP/tkl0Z9PKEMTABjIXhblWSGHhIvYjBFp3C7YUk=";
+        allowedIPs = [ "10.100.0.2/32" ];
+      }
+      {
+        # phone
+        publicKey = "zPUl9jrC8dFaPWKk92btHptEzr09KNgGbdwSfiT7rEM=";
+        allowedIPs = [ "10.100.0.3/32" ];
+      }
+    ];
+  };
+}
diff --git a/nixos/programs/fail2ban.nix b/nixos/programs/fail2ban.nix
deleted file mode 100644
index 1fced4b..0000000
--- a/nixos/programs/fail2ban.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ config, ... }:
-{
-  services.fail2ban = {
-    enable = true;
-    maxretry = 5;
-    ignoreIP = [
-      "192.168.0.0/24"
-    ];
-  };
-}
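Review bot: The `postSetup`/`postShutdown` masquerade rules in wireguard.nix duplicate what `networking.nat` with `internalInterfaces = [ "wg0" ]` and `externalInterface = "enp7s0"` should already install for tunnel traffic leaving the host, so the same NAT rule is likely added a second time and only that copy is removed on shutdown. Either drop the two hook blocks, or if they are kept on purpose, stop repeating the interface name three times by writing `-o ${config.networking.nat.externalInterface}` (`config` is already a function argument but is unused). `privateKeyFile = "/var/lib/wireguard/privkey"` is the right way to keep the key out of the world-readable Nix store, but nothing in the commit creates that file, so the interface cannot come up until it is provisioned out of band; a comment such as `# created out of band; must be root-owned, mode 0600, never placed in the store or committed` would record that expectation next to the option. The `/32` entries in each peer's `allowedIPs` correctly restrict every peer to its own tunnel address.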