wireguard progress

.sops.yaml

@@ -4,6 +4,7 @@ keys:
   - &hosts:
     - &nixdesk age155sscpw0x36t6s9usdrz7relpxqrtqnk98mrc7s0qcv2n0v3zd7sfl2xn8
     - &hopper age1e9nhfwfcg9krc03re4fwh0wu0cwf6jq4js5vfn26hcdqc2apgdes98fea7
+    - &rackserv age1zutg3s4nth679a6av9xqw4km0ezmfkxlnusu78demf0rzazqn3pqk9exgj
 
 creation_rules:
   - path_regex: home/profiles/secrets
@@ -26,3 +27,8 @@ creation_rules:
       - age:
         - *xun
         - *hopper
+  - path_regex: sys/profiles/secrets/rackserv
+    key_groups:
+      - age:
+        - *xun
+        - *rackserv

sys/machines/hopper/lab/slskd.nix

@@ -22,7 +22,7 @@
       remote_file_management = true;
       shares.directories = ["/media/library/music"];
       soulseek = {
-        listen_port = 26449;
+        listen_port = 24001;
         picture = pkgs.fetchurl {
           url = "https://cdn.donmai.us/original/57/65/__kasane_teto_utau_drawn_by_nonounno__576558c9a54c63a268f9b584f1e84c9f.png";
           hash = "sha256-7WOClBi4QgOfmcMaMorK/t8FGGO7dNUwxg3AVEjRemw=";

sys/machines/hopper/lab/transmission.nix

@@ -19,7 +19,7 @@
       speed-limit-up = 50 * mbit;
       speed-limit-down-enabled = true;
       speed-limit-down = 150 * mbit;
-      peer-port = 11936;
+      peer-port = 24003;
       rpc-authentication-required = false;
       rpc-bind-address = "0.0.0.0";
       rpc-host-whitelist = "transmission.hopper.xun.host";

sys/machines/hopper/lab/vpn-namespace.nix

@@ -38,15 +38,15 @@
         protocol = "tcp";
       }
       {
-        port = config.services.slskd.settings.soulseek.listen_port;
+        port = 24001; # slskd
         protocol = "both";
       }
       {
-        port = config.services.slskd.settings.soulseek.listen_port + 1;
+        port = 24002; # slskd
         protocol = "both";
       }
       {
-        port = config.services.transmission.settings.peer-port;
+        port = 24003; # transmission
         protocol = "both";
       }
     ];

sys/machines/nixdesk/wireguard.nix

@@ -14,16 +14,12 @@
     accessibleFrom = ["192.168.0.0/24"];
 
     # Forwarded to my vpn, for making things accessible from outside
-    openVPNPorts = [
-      {
-        port = 26449;
+    openVPNPorts =
+      lib.range 23000 23010
+      |> map (num: {
+        port = num;
         protocol = "both";
-      }
-      {
-        port = 26450;
-        protocol = "both";
-      }
-    ];
+      });
 
     # From inside of the vpn namespace to outside of it, for making things inside accessible to LAN
     portMappings = [];

sys/machines/rackserv/default.nix

@@ -10,8 +10,12 @@
       inputs.disko.nixosModules.disko
       ./disk-config.nix
       ./fail2ban.nix
+      ./wireguard-server.nix
     ]
     ++ (map (x: systemProfiles + x) [
+      /secrets/default.nix
+      /secrets/rackserv/default.nix
+
       /core/security.nix
       /core/tools.nix
       /core/ssh.nix

sys/machines/rackserv/wireguard-server.nix

@@ -0,0 +1,120 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: {
+  networking.firewall = let
+    forwardPorts = {
+      "10.0.0.3" =
+        lib.range 23000 23010
+        |> map (n: {
+          protocols = ["tcp" "udp"];
+          port = n;
+        });
+      "10.0.0.2" =
+        [24001 24002 24003]
+        |> map (n: {
+          protocols = ["tcp"];
+          port = n;
+        });
+    };
+
+    b = builtins;
+    portsList = b.attrValues forwardPorts |> b.concatLists;
+    portsAndIpsList = lib.mapAttrsToList (n: v: map (x: x // {destinationIp = n;}) v) forwardPorts |> b.concatLists;
+  in {
+    allowedTCPPorts = b.filter (x: b.elem "tcp" x.protocols) portsList |> map (x: x.port);
+    allowedUDPPorts = [51820] ++ (b.filter (x: b.elem "udp" x.protocols) portsList |> map (x: x.port));
+    extraCommands =
+      portsAndIpsList
+      |> map (x: ''
+        ${x.protocols |> map (protocol: "iptables -t nat -A PREROUTING  -p ${protocol} --dport ${toString x.port} -j DNAT --to-destination ${x.destinationIp}") |> b.concatStringsSep "\n"}
+        ${x.protocols |> map (protocol: "iptables -t nat -A POSTROUTING -p ${protocol} -d ${x.destinationIp} --dport ${toString x.port} -j SNAT --to-source 172.245.52.19") |> b.concatStringsSep "\n"}
+      '')
+      |> b.concatStringsSep "\n";
+
+    extraStopCommands =
+      portsAndIpsList
+      |> map (x: ''
+        ${x.protocols |> map (protocol: "iptables -t nat -D PREROUTING  -t nat -p ${protocol} --dport ${toString x.port} -j DNAT --to-destination ${x.destinationIp}") |> b.concatStringsSep "\n"}
+        ${x.protocols |> map (protocol: "iptables -t nat -D POSTROUTING -t nat -p ${protocol} -d ${x.destinationIp} --dport ${toString x.port} -j SNAT --to-source 172.245.52.19") |> b.concatStringsSep "\n"}
+      '')
+      |> b.concatStringsSep "\n";
+
+    interfaces.wg0 = {
+      allowedUDPPorts = [53];
+      allowedTCPPorts = [53];
+    };
+  };
+
+  systemd.network.netdevs = {
+    "50-wg0" = {
+      netdevConfig = {
+        Kind = "wireguard";
+        Name = "wg0";
+        MTUBytes = "1300";
+      };
+      wireguardConfig = {
+        ListenPort = 51820;
+        PrivateKeyFile = config.sops.secrets.wireguard-privatekey.path;
+        RouteTable = "main";
+      };
+      wireguardPeers = [
+        {
+          # hopper
+          PublicKey = "P5W5/m9VnWcbdR6e3rs4Yars4Qb2rPjkRmCAbgja4Ug=";
+          AllowedIPs = ["10.0.0.2" "fd12:1e51:ca23::2"];
+        }
+        {
+          # nixdesk
+          PublicKey = "DMauL/fv08yXvVtyStsUfg/OM+ZJwMNvguQ59X/KU2Q=";
+          AllowedIPs = ["10.0.0.3" "fd12:1e51:ca23::3"];
+        }
+      ];
+    };
+  };
+
+  systemd.network.networks.wg0 = {
+    matchConfig.Name = "wg0";
+    address = ["10.0.0.1/10" "fd12:1e51:ca23::1/64"];
+    networkConfig = {
+      IPMasquerade = "ipv4";
+      IPv4Forwarding = true;
+    };
+  };
+
+  services.dnsmasq = {
+    enable = true;
+    resolveLocalQueries = false;
+    settings = {
+      server = ["1.1.1.1" "8.8.8.8"];
+      interface = ["wg0"];
+      bind-interfaces = true;
+    };
+  };
+
+  # networking.wireguard = {
+  #   enable = true;
+  #   interfaces.wg0 = {
+  #     ips = ["10.0.0.0/10"];
+  #     listenPort = 51820;
+  #     postSetup = ''
+  #       ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+  #     '';
+  #     postShutdown = ''
+  #       ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+  #     '';
+  #
+  #     privateKeyFile = config.sops.secrets.wireguard-privatekey.path;
+  #
+  #     peers = [
+  #       {
+  #         # hopper
+  #         publicKey = "P5W5/m9VnWcbdR6e3rs4Yars4Qb2rPjkRmCAbgja4Ug=";
+  #         allowedIPs = ["10.0.0.1/32"];
+  #       }
+  #     ];
+  #   };
+  # };
+}

sys/profiles/secrets/default.nix

@@ -1,6 +1,6 @@
 {inputs, ...}: {
   imports = [
     inputs.sops-nix.nixosModules.sops
-    ./global
+    # ./global
   ];
 }

sys/profiles/secrets/hopper/wireguard

@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:BCUmakHRS/iF+TZQSKK26Nrfc+qxTzfgdoQAoKLp2dqJNqzFfZQBdoN46bdfbzn1Ujmpo9bGW04khDuB6tU0UAkUI2wc73NTybM578lPyfrsSddKPDO4W0cB+s1kk6bqCKexaYzIdeJYVfSPzExP1BCLmw6TjByMkAU/MGxFlY8ohfVr5YaANHX4nymYaiuF6ksVpWL2epmpKA+Ql07lTY8MM+JPTrJQDk4gak+dwVDUYXkaw2EkR/jI1XFT05MNWgqloPG7y2GWnS2rYPyp5ti3NHQxJk8IQx6QH9znwI2EdtDQv7zLRHLeFXeLsd4mFngas5729e8F69YOHWPx5vtICaKHLTAVHU6sXQMruQu42ucoZFGUfu886QfXZCxAhVj1RGhnV4AI5NPucm5ZWI5gdfkBZDIKHg1ziy8qzFBXqNnoiOI/Ar9r/obSqTbLPFba4gdMRgAW+EaJdBMSa8yd7OZr/IYROIM8vDd5MR7whYWBArUMqIzzCbQ/8dWwBiRd7OHAxX9QuXhdfLDr49hHXEqpydDBiVzPxGwQ,iv:1VRvpdmFgvdvGD6uujJZNNHr+rSI2HnGPMSO7CxFy/M=,tag:Gf/4Mk/LpUL1K3Oc+dVEhw==,type:str]",
+	"data": "ENC[AES256_GCM,data:6k4BXsLOomvMfgju1ePGhDlvk3V42PEp5I6qGKrtltgHr7Yq78xbONoiJ9CYCm3ONeu6pVv7UyzfVyeEFUEYL/eO8QT1Sx8xx19S2lydOtZBmxbZXEVWZlXGMnJmydXf+t0yLe0vFHohilyPy8oZiMtUUgrZOnbRvMXZ6cmvTDXS+AvnH7HAEmJDmH/BXp3c/CDqSwFKNuGvtf6s9SiXD1fd+RgiOdPnzposBFhhkGkF8EnEbxTzGjOWSsAK4xUDBqKXlpV+uz2qkRQsUohX9BwkRef5k730UfSZ93QZDDzrBYTXOQdY7qxfNTylt8aABUJKXoRK3u4FurQfDwUMJQm+ZRkdmsfZoC0JPxL9MlsusP+sPLX4UUn93o7PkHlC,iv:RpMQQf153CJzHKwJ5EbXNJibWT2Pz6qkWFjaHWgve9g=,tag:67v39Ay/snjFTCMHV7w/uQ==,type:str]",
 	"sops": {
 		"age": [
 			{
@@ -11,9 +11,9 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4VHhzRHJDNGE0SlRNaU9L\nT1cvY0tvdU10VWhQdWF5M0ZuNVlGd3JrQ2g0CldZNTQxRzlRVkd4QzFnMEFrcld5\nMEhhcm9CSUpjanQxZHF2Q3Mrc2xFQ1EKLS0tIDhJSDFKdDFYZ2YxNmdDdFNFN2l1\ncVFDVjR0d0xuaVZrYzlEN3pwRlFoUncKlYqIYtsAErGCj0HobiLTpawofl3yLlyT\nMpUD4xIJmICkHnXej70ZXcoSU+zqsGZ7nLvnAZScK2jeja2akWzJ/w==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-03-12T22:36:00Z",
-		"mac": "ENC[AES256_GCM,data:3KqGUlTodgABZJWlndINA7+aGuU9Z/VgZxPm1Ur4rRsL7QX5cq9AjoQRJsCn5pIUq5U1GGfQVgZ6bSCDzi7Oqua8aoUmf7Bw4Uhjq6kkize6lEYm1N8ULJ1+N3CyW9Uz/KThvUE31flkGN5N0LYOUJ87oTcqV8rPzi3AzlxPCD0=,iv:/qffqhGqGDrXiuW4QcXT6/fD8ve0v4S1xFa9uDIed14=,tag:HPw5eKySdLJlTMYvmScQ1w==,type:str]",
+		"lastmodified": "2025-06-01T14:42:04Z",
+		"mac": "ENC[AES256_GCM,data:cyMFaQwvS/CoCmDBjew4uWwL9Ia8UyNUdrlz0ILv8umE/IclWT4Xil6831JuAECtCEO2iqQQ/NqiWd8KPVZ1J5KWRcLIB2j6L2sMCGat0h41BZ5I3olVtVjGAAgoCwBmtRUjub9uHjr6NxfrjokGv0da/O0KSW+1XWbvy+V7st0=,iv:XbeO5FEpywxsYOtCS9k/UeAxv860ajii0chMja7zhBg=,tag:vFVsZ1niv7DOi0tiZcNF6A==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.4"
+		"version": "3.10.2"
 	}
 }

sys/profiles/secrets/nixdesk/wireguard

@@ -1,10 +1,6 @@
 {
-	"data": "ENC[AES256_GCM,data:yEocAYaKVl61oPTPivv8tKW+sMK/1A1rypm8e1JZ7crb+BHy91+tkufAP+p+SBOrzocj77b58sW4bcNhHSW+5OGA4sYihnt5LvbKEUUzNMEpd9n964ZwPij9NH4zQV1HdRaGKycwCzmX4bOB9WmCesCg+er3FYQMgXJSt8Wv7e8hA0fQ104q/X7Ugsg3k+DRBQhecwtGIv3taQ9LRhv/tV8yEzagn0l1/zonBXQnJsbFA0a8PPyO+dezvbFG7X9jBiur6btOHHxCX00J4bHJM0w7S+b9p6GdwJvXEF8HyCZED9Cm5b5COpUEDMsRSvLGsRjnFnRV6xCKO1t3CKR1YfQ2wvg/oq2dK3r89Q2rHeA3jgqXf/RqPzwrcUeW2Dk1Ea4wQhF2eQvzrZCmmjF2BGPC/wvScsT6j1azRcOZfmsMBjFQK7AmPr53tWVVSEV8LHRrwH3kSgHTQUIqIwEqAMK3NXcyuKI7wqAi6Y2ZOuxgrreqGeRymIvFcx8Y3MdK4EuY7KSIdPJ6voavo4jyp8fVtyBFqvA=,iv:9QSYjerDGwL+OdGnHHT5Kbbqr6psL/VATE93OjeyK0Q=,tag:Uh4bqsc+zjRikpxRiR+wyg==,type:str]",
+	"data": "ENC[AES256_GCM,data:s5KDNm+5Mq9/5rNqNjffo4bOl4V+LwGsCJNmaa2oW5MB4XSCF3+iJDNXQ/cFIuPNlEClWlrlPVUB5oOrcrgfj078m6HyKnAmngbQ+nFSCe/VDIUptZ1oblG+llq61faBSrXwDdcm11Y7Nd73sPyLst5V+FsVtSHyA3ktZ2qk1Q5RR/5uvaBCXn+fCiQgDzcOQErUEc6Ja6JWQIKb6fuWffgtCJRxWtDD2/OZSrKhkr7wjX34WLa4ZDYny8ZhmhzPuyW9B5uG4e58Lz8qQpC7FwEDd4InuwLOu/4o/ZTVzsXtl9OZdCTPeTpE9N25rR8w7pu3MDJiVNQd30VA/dq4SRoDykPovcNF6s/bZwg9lUMri2ZytDQJQEEMSGT7FHA4,iv:xb3bFMV1oBLcdFlG+IbZg90lBTSkQIra/nAtdtZRb9c=,tag:oBwCtbnKy74ejL00C8SgQg==,type:str]",
 	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8",
@@ -15,10 +11,9 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjL2NSTnVYY05pcVNyT1g4\nT0hvanphU29Dd0dvMXZ4TjdVV2R4WnpxY1JVCmVQVlcwbE9EbmxPZWhTK3RudUJG\nQVhjZ2lzUmo1VjlNejlLejVkSXZhTFkKLS0tIFpaQ1JtTm9NOWIrWFdlZWlDTXBo\nRFVKNVVyRWlxZWtqUHVsVGFsRUtWeW8KHVaiwFMs7wTn7j/PZXqrpEtEJTTRaFi2\nK65QMNkbB8DCvmO950X+lpCkuCHXpTgI+yvzLgD2zvZurlu6h9zZDg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-03-10T17:36:26Z",
-		"mac": "ENC[AES256_GCM,data:YXAnkyEeiTuw3ljpo8+Fmb24EdeITSMvFfObVFlqEo8Sa2MJeFOagisYihhzySyRxET/otlBDxhkPiwyt50jy/fmZLBaJY6YO0RQFzGC2o/uZOZf8vVpNaWWaOTBNqMJS5+CmqiewJVGfOblGZhVkubs9I8cVI/3gFRuuldpBUU=,iv:K9EqI1nY8jH0oklro3NJduFmrLobUNOn/dqmLQCRF6c=,tag:P0J4ul2rAQHZJZYKjbOGYA==,type:str]",
-		"pgp": null,
+		"lastmodified": "2025-06-01T14:48:46Z",
+		"mac": "ENC[AES256_GCM,data:jMlNME3KjFi7GVkgWG90uk/54kExNv9XgT1GNjxrYzvGh4ltL65NRb7rPDKMQlmBIM2pjik+eBbtQB00tpNNXzrHCzPfNdjxAToMJ2P4Jza3yqB2/6qH2fur/PquOqyG8j00TSUxkUkMB695fJdyjibuHG9uZdTmXOYPVgn2LBk=,iv:wZlbCMsvhNgEGF14Z3bxsGEZs2RGWhM/ChmQ1i3BRZI=,tag:P4ATNOwxAm6+bApw1RakRQ==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.4"
+		"version": "3.10.2"
 	}
 }

sys/profiles/secrets/rackserv/default.nix

@@ -0,0 +1,9 @@
+{
+  sops.secrets = {
+    wireguard-privatekey = {
+      format = "binary";
+      sopsFile = ./wireguard-private;
+      owner = "systemd-network";
+    };
+  };
+}

sys/profiles/secrets/rackserv/wireguard-private

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:w0biYZaUzQ4eOTe3QbeMDViS2lAGcyPw/wy80JYJLeQ5kcXFSyymtHZTMo3A,iv:3nKM5rdvXCgNEmRUTiDeb7kp7MDwGfOjdS9RxVjxjvw=,tag:xY+VnYkzN5Md5VjCaTR2vQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsWUxNYVUyUmZtTkExRDd2\nOTZ5M3VYb2dKSE53QVBuZXlXY0xZMi9QMVZRCk9ocHNvdE8vRjlEU1pieXhHcnFJ\nUWJCQU50Y0xaRHp3ZUpXL1JVRnZRRkEKLS0tIG02eHBlOFA0YnMyRHdrVHdRNHhs\nV1NYMThJaUVNYTZtMzdjaFAvaDA2R0UKYAZQqQVNXl3UR3n+kZhb4ZTM3MEbjCHd\nTXkHgJ+CpNrFWbhN1Fv3y8yPhWJmYsODZy9fDqjQOp7QZEec77+BWQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zutg3s4nth679a6av9xqw4km0ezmfkxlnusu78demf0rzazqn3pqk9exgj",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFOXJTYzRzSHJmczgvdGt4\nQXR6R0tjQXhuMVJlRmVEZUMrOVVtWE8wQUhZCm1DbnNRUmlIOE14RVVxbTRtTld4\nSzRpOGpoWjBnaUxtOFFBVEhZejk2Y2sKLS0tIE1vNEFNcVJVVlVSQXdFVU9FWjV1\nNUZzQ0M1S2l6ampzWWJzMGhBai9pZjAKxperiWOJssvrFoqZUHxgZyCMvqD7C0px\nH/k/Zz0ESJuC75Eby8K3Ra/csN/nCD1PRMEoQWd00chvIip7V0i90Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-06-01T11:18:27Z",
+		"mac": "ENC[AES256_GCM,data:572HgDbua7UXv2YrVSbiC4tZrgt94ynO+lMXz45wFsii7vz8p50jzU77dKmQyuWyudHwZ10lre6WuqJlH9FT7aU81SF1HsjTvIT57nZ3KE1ANf/XgqMizsZcRaMRYNzM5vxRx8zweP1G7S4Ot7/v8GaJCCBWZjNblJQdq8THm5Y=,iv:yIy33dGGFEm/tLNe3p94aKn9kSMTFsCHGWjra8BexYY=,tag:sVidR+jn1bvDjexV0rkJcg==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}