From bff6a6140f6f285f6e8f0fda2f8a1b149117d72e Mon Sep 17 00:00:00 2001
From: Rutherther
Date: Fri, 22 Sep 2023 18:42:32 +0200
Subject: [PATCH] feat: add wireguard
---
 modules/services/default.nix | 1 +
 modules/services/wireguard.nix | 28 ++++++++++++++++++++++++++++
 2 files changed, 29 insertions(+)
 create mode 100644 modules/services/wireguard.nix
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 3f977bb..78b6b09 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -12,6 +12,7 @@
 [
 ./syncthing.nix
+ ./wireguard.nix
 ]
 # redshift and media temporarely disables
diff --git a/modules/services/wireguard.nix b/modules/services/wireguard.nix
new file mode 100644
index 0000000..9325be5
--- /dev/null
+++ b/modules/services/wireguard.nix
@@ -0,0 +1,28 @@
+{ config, lib, pkgs, user, ... }:
+ {
+ networking.firewall = {
+ allowedUDPPorts = [ 51820 ];
+ };
+ networking.wireguard.interfaces = {
+ wg0 = {
+ ips = [ "192.168.32.50/32" ];
+ listenPort = 51820;
+ generatePrivateKeyFile = true;
+ privateKeyFile = "/home/${user}/.config/wireguard/pk.pem";
+ peers = [
+ {
+ publicKey = "Mui5wOV21QTer4NK2dUcBOgaW9UFzFzwmxOn/458ByI=";
+ endpoint = "${inputs.semi-secrets.wg.serverEndpoint}";
+ # The ip is not refreshed, as the kernel cannot perform DNS resolution. Use dynamicEndpointRefreshSeconds,
+ # in case the ip is refreshed often. If not, sync after refresh should be alright.
+ allowedIPs = [ "${inputs.semi-secrets.wg.allowedIp}" ];
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+}
--
2.48.1
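Review bot: `inputs` is not bound anywhere in the new wireguard.nix — the module's argument set on its first line is `{ config, lib, pkgs, user, ... }:`, so `"${inputs.semi-secrets.wg.serverEndpoint}"` and `"${inputs.semi-secrets.wg.allowedIp}"` in the peer block will fail with an undefined-variable error at evaluation unless `inputs` reaches the module some other way (e.g. a `specialArgs` passthrough) that this patch does not show; the direct fix is `{ config, lib, pkgs, user, inputs, ... }:`. The private key is also placed at `/home/${user}/.config/wireguard/pk.pem`, inside a home directory that the user's own processes and any home-directory backup or sync tooling (the sibling `./syncthing.nix` imported right above it in default.nix, for instance) can read or replicate, so the tunnel identity is exposed far more widely than a root-only location such as `/var/lib/wireguard/wg0.key` (constructed example) would allow, and `generatePrivateKeyFile = true` works equally well with such a path. The key-generation service presumably runs as a system unit rather than as `${user}`, so on a fresh host it may create `~/.config/wireguard` before the user does and leave it root-owned — worth confirming before relying on it. Style: the bare string interpolations can be plain attribute references, `endpoint = inputs.semi-secrets.wg.serverEndpoint;` and `allowedIPs = [ inputs.semi-secrets.wg.allowedIp ];`.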