From a0ac0f631c22ef5fe312b720f16bbeea723ad440 Mon Sep 17 00:00:00 2001
From: Jimbo
Date: Fri, 6 Sep 2024 01:18:21 -0400
Subject: [PATCH] Jimbo VPN.

---
 flake.lock | 12 ++++++------
 nixos/server.nix | 2 +-
 nixos/server/firewall.nix | 1 +
 nixos/server/tandoor.nix | 16 ----------------
 nixos/server/wireguard.nix | 28 ++++++++++++++++++++++++++++
 secrets.nix | Bin 1911 -> 2061 bytes
 6 files changed, 36 insertions(+), 23 deletions(-)
 delete mode 100644 nixos/server/tandoor.nix
 create mode 100644 nixos/server/wireguard.nix

diff --git a/flake.lock b/flake.lock
index 556e167..ce60128 100644
--- a/flake.lock
+++ b/flake.lock
@@ -235,11 +235,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1725103162,
- "narHash": "sha256-Ym04C5+qovuQDYL/rKWSR+WESseQBbNAe5DsXNx5trY=",
+ "lastModified": 1725432240,
+ "narHash": "sha256-+yj+xgsfZaErbfYM3T+QvEE2hU7UuE+Jf0fJCJ8uPS0=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "12228ff1752d7b7624a54e9c1af4b222b3c1073b",
+ "rev": "ad416d066ca1222956472ab7d0555a6946746a80",
 "type": "github"
 },
 "original": {
@@ -314,11 +314,11 @@
 },
 "nur": {
 "locked": {
- "lastModified": 1725529639,
- "narHash": "sha256-dRQHGPv6a5sFkIpjhZ1cXLrHG5rfXnVJVE3ETVq1ilY=",
+ "lastModified": 1725541414,
+ "narHash": "sha256-2btQOiIw+yMrxAHzVCp5ou9IbWkzYhQ5dIS3vRO7Sd8=",
 "owner": "nix-community",
 "repo": "NUR",
- "rev": "72cd6b31e8256c9b28939fd02b9f87efafd2375c",
+ "rev": "72c08881a42221c2de613b425b735c4cd7f85d86",
 "type": "github"
 },
 "original": {
diff --git a/nixos/server.nix b/nixos/server.nix
index ec583dc..7039f68 100644
--- a/nixos/server.nix
+++ b/nixos/server.nix
@@ -33,9 +33,9 @@
 ./server/nginx.nix
 ./server/owncast.nix
 ./server/minecraft
- ./server/tandoor.nix
 ./server/vaultwarden.nix
 ./server/transmission.nix
+ ./server/wireguard.nix
 ./server/misc.nix
 
 # Matrix
diff --git a/nixos/server/firewall.nix b/nixos/server/firewall.nix
index c78d44e..6173789 100644
--- a/nixos/server/firewall.nix
+++ b/nixos/server/firewall.nix
@@ -43,6 +43,7 @@
 chain POSTROUTING {
 type nat hook postrouting priority 100; policy accept;
 oifname "${ips.netInt}" masquerade
+ ip saddr 10.100.0.0/24 oifname "${ips.netInt}" masquerade comment "WireGuard"
 }
 '';
 };
diff --git a/nixos/server/tandoor.nix b/nixos/server/tandoor.nix
deleted file mode 100644
index b0c3576..0000000
--- a/nixos/server/tandoor.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{outputs, ...}: {
- services = {
- tandoor-recipes = {
- enable = true;
- port = 5030;
- };
- nginx.virtualHosts."recipes.${outputs.secrets.jimDomain}" = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:5030";
- proxyWebsockets = true;
- };
- };
- };
-}
diff --git a/nixos/server/wireguard.nix b/nixos/server/wireguard.nix
new file mode 100644
index 0000000..6873d8a
--- /dev/null
+++ b/nixos/server/wireguard.nix
@@ -0,0 +1,28 @@
+{outputs, ...}: let
+ ips = import ../modules/ips.nix;
+in {
+ # enable NAT
+ networking.nat.enable = true;
+ networking.nat.externalInterface = "${ips.netInt}";
+ networking.nat.internalInterfaces = [ "wg0" ];
+ networking.firewall.allowedUDPPorts = [ 51820 ];
+
+ networking.wireguard = {
+ enable = true;
+ interfaces = {
+ # Wireguard interface name can be arbitrary
+ wg0 = {
+ # Determines the IP address and subnet of the server's end of the tunnel interface.
+ ips = [ "10.100.0.1/24" ];
+ listenPort = 51820;
+ privateKey = outputs.secrets.wireguardPriv;
+ peers = [
+ { # Jimbo
+ publicKey = outputs.secrets.wirePhonePub;
+ allowedIPs = [ "10.100.0.2/32" ];
+ }
+ ];
+ };
+ };
+ };
+}
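Review bot: The added `ip saddr 10.100.0.0/24 oifname "${ips.netInt}" masquerade comment "WireGuard"` rule is already covered by the unconditional `oifname "${ips.netInt}" masquerade` directly above it in the same POSTROUTING chain, so tunnel traffic leaving via netInt is masqueraded by the first rule and the new line changes no behaviour; keep it only if the `comment "WireGuard"` is wanted for readability in `nft list ruleset`, otherwise drop it. The new wireguard.nix in this same commit also sets `networking.nat.enable = true` with `internalInterfaces = [ "wg0" ]`, which makes the NixOS nat module emit its own masquerade rules for the same subnet, so if this file hand-manages the ruleset there are now two NAT mechanisms for one flow and a later edit to one will silently diverge from the other; pick one and document the choice in a comment next to the rule. The nftables ruleset string this rule belongs to begins before the hunk.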
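Review bot: `privateKey = outputs.secrets.wireguardPriv;` embeds the WireGuard private key in the interface configuration that NixOS writes to the Nix store, which is world-readable on the host, so encrypting secrets.nix in the repository does not keep the key confidential once the system is built and any local user can read it. Replace that line with `privateKeyFile = "<placeholder: path to a root-only key file kept outside /nix/store>";` and deploy the file out of band (a secrets tool or manual copy), leaving `publicKey = outputs.secrets.wirePhonePub;` as is since a peer's public key is not sensitive. The `# enable NAT` block duplicates the hand-written masquerade rule added to firewall.nix in this commit; confirming which of the two is meant to be authoritative, and saying so in the comment, would save the next reader from reconciling them.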
diff --git a/secrets.nix b/secrets.nix index 5ad04f03ec435706299033464a86ee4313a167c8..bcf084a8288927f988b1e78c83663279e10937c9 100644 GIT binary patch literal 2061 zcmV+o2=ey;M@dveQdv+`0MKg36FrSXom$rSqBw71222rig~kz|-mSn1G>{S{zS!=q zQ{HLcvgc?D#Lf;;(*A@g;|8U>E;Hk<-Z2JW=H@&83Oa>pm}ot|4cxcneC()@+?*Mi zF9Z49r#&!nRZpV(cmk5^@vxC&NAu-`V)0xv4&o8{Q#qwLGNw5n?EU|qOM-oQK@Y?W zV2iRu+BrlD0hb1+@WE=;ibIpXu~7WB3pzn^eMiJBGoC2IQHk%%R2f?%=9L@bCii;lZco}fsXtJoM;gXXbGt`cREw@#-SBjpM=wA3$DbNG`V>dFioK% zyoM618|^9|-IU^;BVf=|@=xNg_mXB(MMSy_Su=ws1s==Ti!SHQo5b647O%VRP6GjB z*afpjmDWl?G^5(w!9Fvh1#{-i&cAb^Wq)CGU(Ga;;|Dd6 zF#(BO>eA+Edy{QwlxPUU;^8h*xT02ylSeD}kcxPoQ>f;oKZO|O_>eyZMDPu#zBWU= z45+Ivy!bOup!uE6X!ve`IGX3X5(C!dI^?+`0E6w#r;LbCS{a$cPx$8n+nLgsuqxeu`P*Ty>})Sk|TRhUD;KPM7hVSQfdYG zZ91C+briPlt9g+GnV>*;SwW9plit6P@`%7a6va5NZ?`*$hiKTj;v+?F`va))j`I)9 zcP>f#sL`rfEmN;28va6+G50=tlEzyfBoB^xFrA@s0PduU!5fdKw+W9C6y_%41bYQ!%)aXs5kq8NL&vyC$g;LS8QQ=c&rez-{`M zD{Mu9KwyuOH)vu9^fyvOfEu4HHoD1>ci?AYH9z3CC?gQ~1@hb}d&LdQbsbt?B*U~s7ZtBm^EoBO+q zMyG4DtOnelz}Q5zh7&BGQE0bOavU?C=R@KMT+5$}E4>R0hz=@(=W!8A4C2P#ht=s@ zj}lwFldLWyA zk0BRcypiO>i6Gfv*;|}{vB!P?fkn;;FZAXuJwmLC72aq)I4g^6V8ohqtHyTE@&f#ykl)8gI zm8!V2y)nZ>yDNwHmG{L;_rlP?!WSZ;y55_~BU%{?_}f%PT|- zCmw5>%W*me3XVM@#J>)Qm(i9#i@<$kWpv^u19wGObp1R}@2s;$#y5u`+G)BDa}c>V0V_p4)_fFZDV rUrqU{7ReE%v>uMJj2b82p96+kuuY42Q$(fo-j{0lx7VBCXMhV_Ozr>y literal 1911 zcmV--2Z;CpM@dveQdv+`091?k_4q2bS*IX0eG%$EIwa7(B$_d678~|hOXxV!<*TmP z$lA~jMk%BKF4MGpko^FJ8qBM+C7gxaUn3o^z!ed}ZE6y(<_IbLHIi+}218Lkzz!DS&z)3R>_8cQ+oKt{1hif%4 zj&P1qTa=sZs)DzcC(Jjv4=RL)MUu|~3g_S~7))y;2X4&ccc*?Y(h=aB0&>Cc{R2g2_(lqyo2}e z!b7ho7&=>Hq=w(X$uZmAV@NYOrJry_g*M!JFfqkIs}@oxcYuITuS!m@A2}6_2;lA; zNS2FP0w4c|RRX<8cf~`N&vxzyeUsK#o#Oe=UDiaZZ%Z;+3>rjuUHLw*`W18j>ardY0H3 zq&v8EG>>*gmP%b;=*CpMk|cQHLWTbM3?dpDg)J|j=-f#82i?`dzVV>dN&jC)!(AQo ztXnq+Va_}s5RqZaWbk`!o0DS3P{Sx}?-E@lKBzKXy4ec?O}CXcpzhROsUo6s8!+9R zp97@L;tkAV!b*KvnFTu_qkp^b)OAAOm~cKx0ccHgh|E85Ew)L%rO0wp3hxK-yr-zj{hb 
zzhk*~^J-?dlQ5gbNnx8)RqegxwAn{i5p*lU_a107ZhV6*wkj`a~p*ncMsPW$u;>j%dDC#JRQ6%NiLqW1DY%=1N?S}oW{!TTG7^p z5@%7Ks4@>l&3od?Iy}AD^Q~v+rzeJ{T>2X7GzRv3FR`vhwXtY$DJN=Y%}|hDz#MJx z0Sj?@pBFn}7cIDK=cn4utEqdi`lhw+r31_I(iLl~ijVidcHLjpf@qh#dfyp6txt|s zKE1W8-4d1E8B_!;5dKd#8M>Zjoc$>*`oD<58go>Dnp{vzmruqmP{r$YjfXul!QZ`5 zH(c3{_TM5<6WsOAx!$h^KAtLnrx;@TMM zMfWdfRI@WxtT~3g26R&1L*>Woz^Z`Mp=RxnDz^;my8phbcH&-Fy()^uKx_&|cpaJD zjWy1QFZl1tZ47)nWOC=Pkunw4#}kL>00LHK%61Ixc327ffnoKI6wVd5=nFCXi7o#ebJHTos_>e<-ylFfBd`(+({c@stcfcNy6?K6#Z&EP5O zEb^}9syUYiyR-O z`!G7X22u=qtN`=B+9mkKh~KIG*lxDRIEmuiFIdMERXX03&udNMxZDUEi;JTgnJR83 z3`?8)ST!VEcF*R5Aj7L@n51w4NFEsi_n@(o^%-)u^0sQ$(x-(0nLcx}M`uUO$k1)m zwZ75^sf<98kW2>55#HUQswSut(ob=GMqNu(ecdEpmtlU;!Md%nT)wJFeaZ1v7cEjD znwD?Yy+mWpTAvxplNSfinm{bSviL&Xv9Yr%;e#&s7PQ;s@xYI!sgO|;A&ztx&8Z9E zP5Rd+k2efx+fhzT0>r)hH5M~ii#}i|5UqcINbtcglcpNEN>(SwRoM8Dhzz9v_6W~; zCE%z5NIdtare~EB^x@kfqRWFw0TpteO#Mk?6<}R!@?EcF9n48;5B>m81T6l7Z9bYf z7||h*zmqL26VH2%Wejil3b%_2shz9onoUo4iXEq=?uzHR{{cIjSCy&$|CqOv`M&HJ zBo>}jB|x(j+NDBTT^TE3o~J;I=cANBs>Mo{1mHNfISzA3-m4lY>*$0XNdO}iY7(*m zD!p3PmG!}{#L@95s{zlQucH?ZuDo9igc=mkX*V?dX{$#X{cGRuN4SlgMcS?nJXwP z2=^926