From b0c9f649b378b52a4de0929363d4af515a64618b Mon Sep 17 00:00:00 2001
From: Lzebulon
Date: Sun, 23 Nov 2025 19:18:11 +0100
Subject: [PATCH] feature: add wireguard
---
hosts/physique/hyponix/services/wireguard.nix | 37 ++++++++++++++++++
secrets.nix | 3 +-
secrets/services/wireguard/wg-key-hyponix.age | Bin 0 -> 367 bytes
3 files changed, 39 insertions(+), 1 deletion(-)
create mode 100644 hosts/physique/hyponix/services/wireguard.nix
create mode 100644 secrets/services/wireguard/wg-key-hyponix.age
diff --git a/hosts/physique/hyponix/services/wireguard.nix b/hosts/physique/hyponix/services/wireguard.nix
new file mode 100644
index 0000000..c8c412b
--- /dev/null
+++ b/hosts/physique/hyponix/services/wireguard.nix
@@ -0,0 +1,37 @@
+{config, ...}:
+let
+ listenPort = 53141;
+in
+{
+ networking.firewall.allowedUDPPorts = [ listenPort ];
+
+ age.secrets.wg-key-hyponix = {
+ file = "../../../../secrets/services/wireguard/wg-key-hyponix.age";
+ };
+
+ networking.wireguard = {
+ enable = true;
+ interfaces = {
+ wg0 = {
+ ips = ["10.100.10.2/24" "fd00::2/7"];
+
+ listenPort = listenPort;
+
+ privateKeyFile = config.age.secrets.wg-key-hyponix.path;
+
+ peers = [
+ {
+ name = "pixos";
+ publicKey = "kaPe5pz2NTW9yMSy92wCV6WQF/sDYK6hHf8e9yN1ZlY=";
+ allowedIPs = [
+ "fd00::1/128"
+ "10.100.0.1/32"
+ ];
+ endpoint = "pixos.bytestall.info:${listenPort}";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/secrets.nix b/secrets.nix
index ede176e..417b0e5 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -8,10 +8,11 @@ in let admins = [ lzebulon ]; physiques = [ hyponix ]; - servers = hyponix; + servers = [ hyponix ]; in { "secrets/services/forgejo/forgejo-runner-token-1.age".publicKeys = admins ++ [ hyponix ]; "secrets/services/searxng.age".publicKeys = admins ++ [ hyponix ]; + "secrets/services/wireguard/wg-key-hyponix.age".publicKeys = admins ++ [hyponix]; }
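Review bot: In wireguard.nix the peer `endpoint` interpolates `listenPort`, which is an integer, and Nix does not coerce integers inside `${…}`, so evaluation should fail; use `endpoint = "pixos.bytestall.info:${toString listenPort}";` (this also assumes pixos listens on the same port as this host). The agenix `file` value is a quoted string, so it is not resolved relative to this module and will most likely be rejected by the option's path type; write it as a path literal, `file = ../../../../secrets/services/wireguard/wg-key-hyponix.age;`. The interface addresses also look off: `fd00::2/7` puts the whole ULA range fc00::/7 on-link on wg0 while the only peer is limited to `fd00::1/128`, and `10.100.10.2/24` sits in a different /24 from the peer's `10.100.0.1/32`; something like `ips = ["10.100.0.2/24" "fd00::2/64"];` would keep the tunnel scoped to the addresses the peer is allowed to use, if that matches the addressing plan on pixos.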
diff --git a/secrets/services/wireguard/wg-key-hyponix.age b/secrets/services/wireguard/wg-key-hyponix.age new file mode 100644 index 0000000000000000000000000000000000000000..7198d2fe5fef04e0cc695323ac2ee742d3300549 GIT binary patch literal 367 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCTSaI%Ona#V0Mt1{24 zbP00TclSs%$t_EF2?#STEYG&c%nvOos&uKy%F8MW_BHWzE$1o=E=kMuPqj3zw8#h# z2u(}MEjKE#Fm^U7GIVkas!DUSu+%p5P76r)GeEa3D$CL=z)>MP%+JW&%{(B}A|t}6 z%siz$FVMFvEXu^yJKRjWBG)T5!?Lo_z+2lfrTU{ePBpuVKuM@iLRp7pLhy6aA}K*eK$ ziJvv%gftd3v;UWVcj{Q9^v-*~8}yT&%y#+Uc2OibvRCpDcXOaj!47Wj3j)UgmzIC? literal 0 HcmV?d00001