Stronghold WIP

2025-08-23 01:15:41 -05:00 · 2025-08-23 01:15:41 -05:00 · a113294ec1
commit a113294ec1
parent b704bad251
6 changed files with 186 additions and 37 deletions
--- a/systems/stronghold/wireguard.nix
+++ b/systems/stronghold/wireguard.nix
@ -0,0 +1,56 @@
+{ ... }: let
+  port = 51280;
+  hostname = "stronghold";
+  subnet_prefix = "10.13.14";
+  public_key = "fDauNyRJSNlmPGm9KHprF2qCwPbgCmEyZsXSQvZ2mRE=";
+
+  peers = [
+    { name = "lauren-phone"; id = 3; }
+  ];
+in {
+  sops.secrets = {
+    "dotspace/${hostname}/keys/wireguard/private.key" = {
+      mode = "0640";
+      group = "systemd-network";
+      sopsFile = ./secrets.yaml;
+    };
+
+    # TODO: Parameterize
+    "dotspace/${hostname}/keys/wireguard/lauren-phone.psk" = {
+      mode = "0640";
+      group = "systemd-network";
+      sopsFile = ./secrets.yaml;
+    };
+  };
+
+  systemd.network.networks."90-wg.${hostname}" = {
+    matchConfig.Name = "wg.${hostname}";
+    address = [ "${subnet_prefix}.1/24" ];
+    networkConfig = {
+      IPMasquerade = "ipv4";
+      IPv4Forwarding = true;
+    };
+  };
+
+  systemd.network.netdevs."50-wg.${hostname}" = {
+    netdevConfig = {
+      Kind = "wireguard";
+      Name = "wg.${hostname}";
+      MTUBytes = "1300";
+    };
+    wireguardConfig = {
+      PrivateKeyFile = "/run/secrets/dotspace/${hostname}/keys/wireguard/private.key";
+      ListenPort = port;
+      RouteTable = "main";
+    };
+
+    # TODO: Parameterize
+    wireguardPeers = [
+      {
+        PresharedKeyFile = "/run/secrets/dotspace/${hostname}/keys/wireguard/lauren-phone.psk";
+        PublicKey = public_key;
+        AllowedIPs = [ "${subnet_prefix}.2/32" ];
+      }
+    ];
+  };
+}