stupid wireguard configuration

boxes/copernicus/services/default.nix

@@ -3,5 +3,6 @@
 {
   imports = [
     ./photoprism.nix
+    ./wireguard.nix
   ];
 }

boxes/copernicus/services/wireguard.nix

@@ -0,0 +1,25 @@
+{ lib, config, pkgs, ... }:
+
+{
+  networking = {
+    firewall.allowedUDPPorts = [ 51820 ];
+
+    wireguard.interfaces = {
+      wg0 = {
+        ips = [ "10.100.0.2/24" ];
+        listenPort = 51820;
+
+        privateKeyFile = "/home/usr/wg-keys/private";
+        peers = [
+          { # netbox
+            publicKey = "0fOqAfsYO4HvshMPnlkKL7Z1RChq98hjDr0Q8o7OJFE=";
+            allowedIPs = [ "10.100.0.1" ]; # only server-bound traffic -- everything else
+                                           # should be routed via consumer isp
+            endpoint = "149.28.63.115:51820";
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
+  };
+}

boxes/netbox/default.nix

@@ -16,6 +16,7 @@
       ./fail2ban.nix
       ./nginx.nix
       ./franklincce.nix
+      ./wireguard.nix
     ];
 
   nix = {

boxes/netbox/wireguard.nix

@@ -0,0 +1,36 @@
+{ lib, config, pkgs, ... }:
+
+{
+  networking = {
+    nat = {
+      enable = true;
+      externalInterface = "eth0";
+      internalInterfaces = [ "wg0" ];
+    };
+    firewall.allowedUDPPorts = [ 51820 ];
+
+    wireguard.interfaces = {
+      wg0 = {
+        ips = [ "10.100.0.1/32" ];
+
+        listenPort = 51820;
+
+        postSetup = ''
+          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+        '';
+        postShutdown = ''
+          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+        '';
+
+        privateKeyFile = "/home/ryan/wg-keys/private";
+
+        peers = [
+          { # copernicus
+            publicKey = "JlH1X4KRT+B8Uau+qTLtBqyapkbGClIj1db7znU77kc=";
+            allowedIPs = [ "10.100.0.2/32" ];
+          }
+        ];
+      };
+    };
+  };
+}