Get wireguard working on fortress

systems/fortress/configuration.nix

@@ -72,13 +72,27 @@
       group = "haproxy";
     };
 
-    "dotspace/fortress/keys/wireguard.priv" = {
+    "dotspace/fortress/keys/tinc/rsa_key.priv" = { sopsFile = ./secrets.yaml; };
+    "dotspace/fortress/keys/tinc/ed25519_key.priv" = { sopsFile = ./secrets.yaml; };
+
+    "dotspace/fortress/keys/wireguard/private.key" = {
+      mode = "0640";
+      group = "systemd-network";
       sopsFile = ./secrets.yaml;
     };
-    "dotspace/fortress/keys/tinc/rsa_key.priv" = {
+    "dotspace/fortress/keys/wireguard/lauren-phone.psk" = {
+      mode = "0640";
+      group = "systemd-network";
       sopsFile = ./secrets.yaml;
     };
-    "dotspace/fortress/keys/tinc/ed25519_key.priv" = {
+    "dotspace/fortress/keys/wireguard/ashley-phone.psk" = {
+      mode = "0640";
+      group = "systemd-network";
+      sopsFile = ./secrets.yaml;
+    };
+    "dotspace/fortress/keys/wireguard/lauren-laptop.psk" = {
+      mode = "0640";
+      group = "systemd-network";
       sopsFile = ./secrets.yaml;
     };
   };
@@ -179,14 +193,59 @@
       matchConfig.PermanentMACAddress = "5a:b1:f4:39:a2:87";
       address = [ "10.132.86.139/16" ];
     };
+  };
 
-    networks."90-tinc" = {
-      matchConfig.Name = "tinc.dotspace";
-      address = [ "10.86.84.1/32" ];
-      routes = [ { Destination = "10.86.84.0/24"; } ];
+  ##############################################################################
+  # Wireguard
+
+  systemd.network.networks."90-wg.fortress" = {
+    matchConfig.Name = "wg.fortress";
+    address = [ "10.13.13.1/24" ];
+    networkConfig = {
+      IPMasquerade = "ipv4";
+      IPv4Forwarding = true;
     };
   };
 
+  systemd.network.netdevs."50-wg.fortress" = {
+    netdevConfig = {
+      Kind = "wireguard";
+      Name = "wg.fortress";
+      MTUBytes = "1300";
+    };
+    wireguardConfig = {
+      PrivateKeyFile = "/run/secrets/dotspace/fortress/keys/wireguard/private.key";
+      ListenPort = 51820; # TODO: This should've been 51280
+      RouteTable = "main";
+    };
+    wireguardPeers = [
+      {
+        PresharedKeyFile = "/run/secrets/dotspace/fortress/keys/wireguard/lauren-phone.psk";
+        PublicKey = "fDauNyRJSNlmPGm9KHprF2qCwPbgCmEyZsXSQvZ2mRE=";
+        AllowedIPs = [ "10.13.13.3/32" ];
+      }
+      {
+        PresharedKeyFile = "/run/secrets/dotspace/fortress/keys/wireguard/ashley-phone.psk";
+        PublicKey = "AtmZMqvQgsRVq44kYdjOkC8ACmrw8MbDhyPSvtEbmlc=";
+        AllowedIPs = [ "10.13.13.4/32" ];
+      }
+      {
+        PresharedKeyFile = "/run/secrets/dotspace/fortress/keys/wireguard/lauren-laptop.psk";
+        PublicKey = "prhDYwUWhEc5X+zWHrqw79MFFvEN/qAAAZPq7vndhRE=";
+        AllowedIPs = [ "10.13.13.5/32" ];
+      }
+    ];
+  };
+
+  ##############################################################################
+  # Tinc
+
+  systemd.network.networks."90-tinc" = {
+    matchConfig.Name = "tinc.dotspace";
+    address = [ "10.86.84.1/32" ];
+    routes = [ { Destination = "10.86.84.0/24"; } ];
+  };
+
   services.tinc.networks.dotspace = {
     name = "fortress";
     ed25519PrivateKeyFile = "/run/secrets/dotspace/fortress/keys/tinc/ed25519_key.priv";

systems/fortress/secrets.yaml

@@ -1,7 +1,11 @@
 dotspace:
     fortress:
         keys:
-            wireguard.priv: ENC[AES256_GCM,data:/ZMLzSpt3HlUjomdTUOC8ROCOQ6V+tFiEbiCKqa4zj7KAtSNHf0dGlTJ8yU=,iv:eQt02G0MUqaOvF3mPqX/K6698EYl9346kyE2Tf+Iiv4=,tag:/s38zd2ng7Jp82zZhfC6IQ==,type:str]
+            wireguard:
+                private.key: ENC[AES256_GCM,data:wqrdEjd19S8JDkXWacGun2wvSUfsMgS1eeV2FVCsxqL0Io9KmaQ/kdR1iqs=,iv:2pEnXdFpdLouPAP//juax+ZreRXyU66uxQ7LZesNL6E=,tag:/8rQGBbWq6Ygud3hEOBF1w==,type:str]
+                lauren-phone.psk: ENC[AES256_GCM,data:n/sBRUjXJSvw6xkS3cWMaJ04OzuiqL7w32oK93YDsXLR/zUlfK/5ZVX1Zyg=,iv:gs620XnhCsshOcAYMzjoMXN6P+RW/IAS/lVPhkqTfzk=,tag:eD/WUgxOuY8/w2vbv+LM/A==,type:str]
+                ashley-phone.psk: ENC[AES256_GCM,data:vm0OANc19nIr+sDwo/JuStL8vxivnl0TNJKE8j12Ue6pbWqgz9U2lvQ42So=,iv:gtQH1noP1pEK6xhMbs73fFqM3S3QQXZ7Y40h7IdpQxA=,tag:3cxPWcEQWTfq/spTUyD8Kw==,type:str]
+                lauren-laptop.psk: ENC[AES256_GCM,data:USX+j6pra0Ez24e1yRUprzYkRQp0A7dhdoxVDTPOFnBvxsHMMQ4Xb018ndc=,iv:EMCeVDmtBN3/eQJcwfLtHri4L0awpSAWkrZUXOw5H3o=,tag:fHrKV79iRDuw0MepzH8Q0g==,type:str]
             tinc:
                 ed25519_key.priv: ENC[AES256_GCM,data:FWAyZpadNbXfc0pemWxsYRq4AOlyopRp9TtpqFGoeZQhBrEwexEKtaaltlHiu07fYxMKV9DAx0x9CbBPwL+Pk+S47KuQGTvr64E/lbf17BiblylNPkPeL5KCmfJNCPQXN0t55PpuA3o2+ga59w/ZC4hIE9zQnbE+vyK8ucZW0t0+I/CPc4bw2gbiLQqza077gNykz63EtahytO8SOuuZ6OfiTYG/1LvlJ0tHTyHPkyejKKw0HJyP8bRvAy1QW3uGUHBjQmPVBQ==,iv:OywVsBfhoXLk7FLTpoMgZhC1cVx1HKcvAiD/FgVWdwM=,tag:0l6ZtywrlrYL7RM1Muh0MA==,type:str]
                 rsa_key.priv: ENC[AES256_GCM,data:rcHb/7NulD63i9kIrOL3BRMgqzNT8ZRKcGEbP20xmbnNYARnZGr7xsz4kO8fYyRnmQjMUZMY6SXuXAXhF7/DeNFynXHCucGzHXjC+kPK7cyG7uBpcGkV5UBwbR69VNcluWYh8W0JDv2nF6EKl5SJ7BAd1keH6gZhlMoW0vVMEpyz8yYpRpOxgWvuMonVGKJYjlXXANxLU1eZYAOKMxPdIiSGQS9REK14wmnWXs7dD+iTs4TWgnb6osCBvq+wL7tGKEOSezDwi5f9TO/ivW/7siAl9AMLw/R4aIKnQioKteU1zUGJqHOaxkMdNVGp9EILE5mN4Cfl+65raccDBX4NWKNwK0tUqKOayNgk4aTbkndQB7yLt5VFX4EAQT2qgRwiRpFBRGmUVsrJttFBEwTkEAVr/P6HumUmPTy1TUPjDgQvQzpx9SPxeOwBSuTF+j3gVpgnCEcDuXw5yV0YpmamAPdcfk4IzB3kY/ETOHfJwnWSbU2kexowDmCqoktGDaE42lSA23Q9FQcLifzJJKh6Uc2eKCWNHZB9LTz3MdQx3mHghO1F2G3VkrTukTeU7MzoNcJ+DvL+znKw4bBBuL+YOpddCreOdgl18wBck793aHcPPROauAosAaAIJivjN0NCGDIGvEx1c4rboybf9ZJQZctpKF89FHO3WKZ38aT8GpOkxEAS6c0nca8n452hdSb6EMZTCDw7K6bauBp51oykBxxLfiDml99KQaSl5WC+b098ZYaqiLYmUCAxTABZvSEaWf7Z4xzkTQTp0FT8yjv2eZwRfk5UG6UqtkUqakWQuvwQVJ9VHymW0R4X9+WvA2XVMh9mGOHXObpDGq/+Lf6F/gfOAf2i4axGgIhLFZxhQrp4gIMu0g4HINj80lZjlql59D519nNfUgkPOPVc68tt81Jpgn/fRIE7CsXnboDZlf5NF43XlQLJOD2AQnxhUit51lAOrY6dbibsFCMgGbyotXQgEKJJ3vYlTQ7uFZpO2lkpRuJGIZVfFKaUrhtk9and3j+Y5sR/KeOTHGxcIWGR0YblXF2muKFfBmueCt0j3nvaB+Mvbu3stpcelQQ15R7Ef+ExF3smncx5LKHDIYDHjvmGK20r9SgqXyP4wq1Bo3uwvopF9dMFhL14xqFrlXllYi8oJixZHxaX5MYE6allMxnSz4vCfWuEUH0ANX0NBzYu30mUMUTwPYzvna0m4Vn6M9bPh4w4ruxdfXuytHf6be9nBTeneUEXiu1pLG9TZAfA9n+76c9FaPu+tbuMsoH0OoFdc5T23wTANbxdaBSD9iaOlvWlsl3wUVv3ymMl4xHCIetWPytYKN50ncAfH1NFkHLfsK4i1lojG1A2J6KcmtIqiIEEKMBmVb+aQlOLMIePYEuYgKD0mkBvlNfcuLgEZ8S11n6kYNUsJaRtl2wuqWr192A1Ts8Wj9xHX6pIbqfnskc3bEsb12LVaW+LinooKHzlrvGGM+KubrcRW0RXrvZ7HoG76Nilm+lgktgCRDPLrD3LSRmVID+dRwsBu12Z2oEpf/yaot67ZtAGMwWPG7UTdMEweVUobLliNfDngB6jWnFqCW5Vl6+RAb24nwRxZ0jSAJkdvVuTE1PrSWUaxNbzCLY9wlj3/pUTbGi1o2LJBX6zXgQxQ1ron6HS5umZcpEccfIZezNXDRzQzqdQg9X0z98iA+qlF6jb9TvGv484rWNa8OGb313ziRRHXV3YEO+CC3+AlvWWc/PCD3J/cuUPAcq+gyfafW0gTb/iez3qSE/g7ojiTmFQuvMHRS3kRbPnnJwygylthPKAsBORz/k4FTGmhMhRZjwYkS/nl4lucIGgg+GaZVik1HVvdMoOHv630PQcTExJf+PcL603TwJmAXXxgQGTQFB/MZcl2zAKHYR6HGBYQ4M4bAJ6jKj4qd/Rexp1WPu9VaKKhAU/MIFt/5RFuM3L3Cr+VlnLEPdqCS73CzNxTNfsjI8ljVegy1xWVqO/LRw2kSYzJ77j9FANhb194u4PLc3KcAdnTfTUnw7mzt50kQiJvXkk/ADO/uJ+RCd8c3cuXVZIgFEDcUxS9MukDK9MTStRJIIMKpeR8HtKyc5rD73UB/9PG08/YPeYFvZtE9jjAk2mRwpatqFf0l0sck2Mx/XX5gtVVGdEmRE0ywczK3heglx8lnfM2I1eTdSPW3S8Gw0GmLdF34/xPPfHgnBcE6AVtg+EIwKb+yEnH+tyPRcD1JjCOXuL1T8XWZ+Cubt7QoYSefX/r/mCFJGJntjZ02CfNZK7eWJU4K/EFTY3SGV5Bc/kBJVlT4vT39scKjofjSFbZ/cyi9SyBluvi9EYYLuWDmb6iLENQmmMEbLz90Gz9inQcB0XsRPdOS4lGCfsIW5mbbJ3LuA5D3GQDUE8k5AYnpf+wuxQSIvIGCetR8AT+x/+93JEQ6C/dhbTq2QmdPJJqGuKFGIp5ivoEu0QN78Aho3BJ+uLZs39K2I2u5W3IfTm6v+N5z+YLqPtIt8n7aPeGH+pyFZ/pZeKH1ryxeG59rMWpG99nOfOUJOqKgA2PX5bkE07ya4JTjO1cSKpu9FUYsCKUo3K3/8TDj5I3tBZMkijyMSpGdacNQAQcN1kaDtcLS/Z4KgwpSBTrYtJs7dAzpP8XNMkBToD7L/ZQzPz/rv5Yc2/q9ulP0OlPAuI4bJSBgPshbLDat2N1oBtI9t6eudae7t8fUfOFLtrBgZKL4OgPiaUNO95SZsbzVOO8OpG5a3Y+SXpj3MFDVXX8ZC6Je2I1b3J+b3Zv2rEjohzGoKUu3Ruts1UFPUKi+VnPb5SLbuZUldKf/fx05m6zGlb7YVHJx5V6wZWhU0NmaMTiH2n8+vdaallOftOC2OsLhICYHS5aGrLYPV5Rqz0++73iBWMUDe/yWwvJNEkiIbsPudDi6Eh6ziEWV6aJQj4xqq1hV8Mx/s3UxypKTYCj4ToBpvQ/DHed0uxlhhTam6XXPzfSiK7VuKejwOa6zLFksumZ3sbE+ioSZmNLPJFdNipwtIVvsqcz32HfomtLZZ3h58YS01KwR0rYHR3RI3Y6Q1ZOdbgiWd1jROpDrr7pADRRNKtx9uGA4cegOURG1u2b/C6y8OM4Cf8mXOU9e0TrYG2C/pnQzl4tbcAfvTgFqzHOOPkboMD2kM9YlfTRVu5niGzL+adulFyUY7AsO4xTjjSP4wf6RK7QsWbJFd0iZF+hQ51izaRy+ZZY/qRn3eIcJaSDeNgYisTxQlaylncaZGa8ySI84EV5znljJkdJxHCmh0dqkul7e3/rBcr++AlLmUQknvquadkyYD+ybNlWMIFpnhcPPSPyLcqFXbfgbdspVMfuruej9zeZHexi2oh5kG6b9jyF2+ePKMly+eGZbWJFuWU+SDWjO0B5zcMk2+TpLJWCI8Di+pqiVEa3MDrtLcTL39T60fOwg7NCTbEWNNJmYRYXWCzJ4E7gvsxtwW8jv5LXKL6txsan1LqZpRAoN8MDxM/1WRmUzbf5o8eGiiakhj9VLptq6TcMMer/Mxo9/r3ZNLhERsgUBHp0rIjxsbh2rUKNKI3DJUMQox1QqacnVeRAI9tKVAUosL/Y53XPx3wz1A0tXPuHQ1GCltZl6eZSabvgZ9Tr7ZvPIlWvfe60BQuSGneD4M1BafnaR9a171Zr70fFINTgrCvu0wrWmfy14IUDLv/Dg1CV918PBgxnDxbh73Ia3blx14q0Bs8qFLmPpyT3rIHzieO4xybGqOgyPJvhiaD1r442gAeqS4+iBW4xZXRmrQ0GlD2Y4vJXpOLOM+rq1QFgYiTpdFSbKo3jTp/ktmziG9HmOKff9Bkoqd6pea6sS8FFnQ/qqxRvPYYZZvRnUWdirPUxPXHbmDqp1/lzkwO/md/BURfCXnB5ROGIgNFA0us5AQ5/mFkuxiryAlSLLo1+PDOYCPahnmLa7A06LoaOr0hVzFhIACxsKnHxihXGrAEuNKPqlMhR56bnVlqepT0mjM9hXTZ3SpuomaPxN1ELBdv0E/7AyXbXqTjHEv+Zo+VZp7zBW3Yflg8IQSkVRDkm6AV1W27nK9oQezIh1eVLMLnjiLsWoMPKM5hwyRtXOlibwO5r6XKYV/nwCZWgYUa1hvvn0OKNW53HaHZRGirS01KTQE1HOo84zIghpMZ4ivIWB2Vbx7bQ8YYvniA/SRqIOHdTDDOC0GTW7ccxOQWhMbdpwIwxXTG7/0+1UZJjjucEiEhe0ZNw3MKiQlXUMqWf9PhwP0Xy/eO/V47hHb5YztOSfGPdrpLe/rd8qrXiIvM1XMsISvJsTr2zrj5Yyhr79duP18qMKjb,iv:ceOt2sS67plEI3/DBWN6pD5ma78xT9b2HJXDzXOCy/c=,tag:CtPpE8UXs35cfru/1bnPkQ==,type:str]
@@ -25,8 +29,8 @@ sops:
             V1VpZTFOWjl1WDQrUnZzcTRZTlpzaWcKJa6wuG1od4QpTLvXvNtRHIqlSNogDFFS
             7YLDHW3jCMQFWCUcLGbqO9v7ydRsb3C96eAIszoIgH3HCqZaYn/v0g==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-08-03T17:16:58Z"
-    mac: ENC[AES256_GCM,data:ydAdU4QqpUGdh+2c0pPC48cWPHsvVTHRV18T4vRTP3jP31BM4tfwbUC+XyBPMTSUPCow+jUpgh7ssgGoZPQCHdGHwrI25ehUY6uLOqiVboBgS+3APwDYHg7UQM+gJOGrbq97P6T3zbtYiQnB9p9rHXWb/W4RUYMevxfghRDEWig=,iv:gSyD5tD8sFA+mUjuxhOJDwDArGEoFO82vwWe5kR5n6A=,tag:XCHyeOJTbH6Kp58drinH9A==,type:str]
+    lastmodified: "2025-08-03T21:02:16Z"
+    mac: ENC[AES256_GCM,data:q/Dl4N6b9T6MS4COvziCudYmbOg9e/2zEEFAabMwIGFz46PG0ehO8hKeXdFfQkGHy83Y6I5NeLGXzWcpFbefoFlGzZetvjrARw9vLzCR71AYO1bRvZN7rz71l1HP/77rlZbwYWgiNMdJ5S+pF/zwELTGEwg2bnhQBSOAdhKWVnw=,iv:9JyamKylvjLaFG5bW9wLyl6epy8/yBfPRFoI3taBlOc=,tag:7H9rovaZ4+t+T1sByYWfbQ==,type:str]
     pgp:
         - created_at: "2025-08-03T17:32:24Z"
           enc: |-