feat: configure wireguard

nixos/configuration.nix

@@ -2,10 +2,12 @@
 {
   imports = [
     ./hardware-configuration.nix
-    ./networking.nix
     ./users.nix
     ./time.nix
     
+    ./networking/network.nix
+    ./networking/wireguard.nix
+
     ./databases/postgres.nix
     ./databases/mysql.nix
     ./databases/redis.nix
@@ -13,7 +15,6 @@
     ./programs/acme.nix
     ./programs/bash.nix
     ./programs/docker.nix
-    ./programs/fail2ban.nix
     ./programs/nginx.nix
 
     ./monitoring/grafana.nix

nixos/networking/network.nix

@@ -35,6 +35,7 @@
         1900  # jellyfin
         7359  # jellyfin
         6881  # torrents
+        51820 # wireguard
       ];
     };
 

nixos/networking/wireguard.nix

@@ -0,0 +1,35 @@
+{ config, pkgs, ... }:
+{
+  networking.nat = {
+    enable = true;
+    externalInterface = "enp7s0";
+    internalInterfaces = [ "wg0" ];
+  };
+
+  networking.wireguard.interfaces.wg0 = {
+    ips = ["10.100.0.1/24" ];
+    listenPort = 51820;
+
+    postSetup = ''
+      ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp7s0 -j MASQUERADE
+    '';
+    postShutdown = ''
+      ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp7s0 -j MASQUERADE
+    '';
+
+    privateKeyFile = "/var/lib/wireguard/privkey";
+
+    peers = [
+      {
+        # laptop
+        publicKey = "awAVP/tkl0Z9PKEMTABjIXhblWSGHhIvYjBFp3C7YUk=";
+        allowedIPs = [ "10.100.0.2/32" ];
+      }
+      {
+        # phone
+        publicKey = "zPUl9jrC8dFaPWKk92btHptEzr09KNgGbdwSfiT7rEM=";
+        allowedIPs = [ "10.100.0.3/32" ];
+      }
+    ];
+  };
+}

nixos/programs/fail2ban.nix

@@ -1,10 +0,0 @@
-{ config, ... }:
-{
-  services.fail2ban = {
-    enable = true;
-    maxretry = 5;
-    ignoreIP = [
-      "192.168.0.0/24"
-    ];
-  };
-}