| author | Petri Hienonen <petri.hienonen@gmail.com> | 2026-03-22 15:52:10 +0200 |
|---|---|---|
| committer | Petri Hienonen <petri.hienonen@gmail.com> | 2026-03-22 15:52:10 +0200 |
| commit | 2139654ee25cd23aacd8b9907d140f6b1e7da4f0 (patch) | |
| tree | c6ae2b98d91dba531fb13ddc8803279c248da600 /hosts | |
| parent | 0f1082915950d923683fd903fc1504d52199aea2 (diff) | |
| download | nixos-2139654ee25cd23aacd8b9907d140f6b1e7da4f0.tar.zst | |
Wireguard
Diffstat (limited to '')
| -rw-r--r-- | hosts/kataja/default.nix | 48 | ||||
| -rw-r--r-- | hosts/pihlaja/default.nix | 48 | ||||
| -rw-r--r-- | hosts/saarni/default.nix | 48 | ||||
| -rw-r--r-- | hosts/tammi/90-wg-relesoft.netdev | 15 | ||||
| -rw-r--r-- | hosts/tammi/90-wg-relesoft.network | 23 |
5 files changed, 182 insertions, 0 deletions
diff --git a/hosts/kataja/default.nix b/hosts/kataja/default.nix
index d7be404..d04128f 100644
--- a/hosts/kataja/default.nix
+++ b/hosts/kataja/default.nix
@@ -122,5 +122,53 @@
 bluetooth.settings.General.Name = "kataja";
 };
+ age.secrets.wg_relesoft = {
+ file = ../../secrets/wg_relesoft_kataja.age;
+ group = "systemd-network";
+ mode = "0640";
+ };
+
+ systemd.network.netdevs."90-wg-relesoft" = {
+ netdevConfig = {
+ Name = "wg-relesoft";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.age.secrets.wg_relesoft.path;
+ };
+ wireguardPeers = [
+ {
+ PublicKey = "B5QK7rl8sAXPu2upKhondWSt49qMOqTG/hDjwqY3cDs=";
+ Endpoint = "65.21.238.221:51194";
+ AllowedIPs = [
+ "10.200.200.0/24"
+ "fdc9:281f:4d7:9ee9::/64"
+ "2a01:4f9:6a:4e26::/64"
+ ];
+ PersistentKeepalive = 25;
+ }
+ ];
+ };
+
+ systemd.network.networks."90-wg-relesoft" = {
+ matchConfig.Name = "wg-relesoft";
+ address = [
+ "10.200.200.12/24"
+ "fdc9:281f:4d7:9ee9::12/128"
+ "2a01:4f9:6a:4e26::12/128"
+ ];
+ networkConfig = {
+ IPv4Forwarding = true;
+ IPv6Forwarding = true;
+ IPv6AcceptRA = false;
+ };
+ routes = [
+ { Destination = "10.200.200.0/24"; }
+ { Destination = "fdc9:281f:4d7:9ee9::/64"; }
+ { Destination = "2a01:4f9:6a:4e26::/64"; }
+ ];
+ linkConfig.MTUBytes = "1420";
+ };
+
 system.stateVersion = "25.11";
 }
diff --git a/hosts/pihlaja/default.nix b/hosts/pihlaja/default.nix
index 54a7efd..fd0a1b1 100644
--- a/hosts/pihlaja/default.nix
+++ b/hosts/pihlaja/default.nix
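Review bot: `IPv4Forwarding = true;` and `IPv6Forwarding = true;` in the `networkConfig` of `systemd.network.networks."90-wg-relesoft"` make this host route packets that arrive over the tunnel, which an endpoint that only needs to reach 10.200.200.0/24 and the two /64s does not require. Nothing in the hunk restricts what may be forwarded, so if kataja is a plain client I would drop both lines (or set them to `false`) and leave a comment on any host where forwarding is really wanted. The pihlaja and saarni hunks and `hosts/tammi/90-wg-relesoft.network` carry the same two settings. The enclosing attribute set starts above the hunk, so a firewall rule elsewhere in the file cannot be ruled out from here.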
@@ -230,5 +230,53 @@
 });
 '';
+ age.secrets.wg_relesoft = {
+ file = ../../secrets/wg_relesoft_pihlaja.age;
+ group = "systemd-network";
+ mode = "0640";
+ };
+
+ systemd.network.netdevs."90-wg-relesoft" = {
+ netdevConfig = {
+ Name = "wg-relesoft";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.age.secrets.wg_relesoft.path;
+ };
+ wireguardPeers = [
+ {
+ PublicKey = "B5QK7rl8sAXPu2upKhondWSt49qMOqTG/hDjwqY3cDs=";
+ Endpoint = "65.21.238.221:51194";
+ AllowedIPs = [
+ "10.200.200.0/24"
+ "fdc9:281f:4d7:9ee9::/64"
+ "2a01:4f9:6a:4e26::/64"
+ ];
+ PersistentKeepalive = 25;
+ }
+ ];
+ };
+
+ systemd.network.networks."90-wg-relesoft" = {
+ matchConfig.Name = "wg-relesoft";
+ address = [
+ "10.200.200.10/24"
+ "fdc9:281f:4d7:9ee9::10/128"
+ "2a01:4f9:6a:4e26::10/128"
+ ];
+ networkConfig = {
+ IPv4Forwarding = true;
+ IPv6Forwarding = true;
+ IPv6AcceptRA = false;
+ };
+ routes = [
+ { Destination = "10.200.200.0/24"; }
+ { Destination = "fdc9:281f:4d7:9ee9::/64"; }
+ { Destination = "2a01:4f9:6a:4e26::/64"; }
+ ];
+ linkConfig.MTUBytes = "1420";
+ };
+
 system.stateVersion = "24.05"; # Did you read the comment?
 }
diff --git a/hosts/saarni/default.nix b/hosts/saarni/default.nix
index 5043657..49b37ea 100644
--- a/hosts/saarni/default.nix
+++ b/hosts/saarni/default.nix
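Review bot: This 48-line block repeats the kataja block with only the secret file name (`wg_relesoft_pihlaja.age`) and the host suffix in `address` (`.10` / `::10`) changed, and the saarni hunk is a third copy. The peer `PublicKey`, `Endpoint` and `AllowedIPs` are therefore maintained in three places, so a peer key rotation or endpoint move that misses one host leaves that host configured for the old peer. A shared module imported by each host, taking the host number and the secret file as arguments, would keep the peer definition in one place. The block also has no comment; something like `# WireGuard client for the relesoft tunnel; peer key and endpoint must match the server` above `systemd.network.netdevs` would tell a reader what the values must agree with.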
@@ -150,5 +150,53 @@
 };
 thermald.enable = true;
 };
+ age.secrets.wg_relesoft = {
+ file = ../../secrets/wg_relesoft_saarni.age;
+ group = "systemd-network";
+ mode = "0640";
+ };
+
+ systemd.network.netdevs."90-wg-relesoft" = {
+ netdevConfig = {
+ Name = "wg-relesoft";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.age.secrets.wg_relesoft.path;
+ };
+ wireguardPeers = [
+ {
+ PublicKey = "B5QK7rl8sAXPu2upKhondWSt49qMOqTG/hDjwqY3cDs=";
+ Endpoint = "65.21.238.221:51194";
+ AllowedIPs = [
+ "10.200.200.0/24"
+ "fdc9:281f:4d7:9ee9::/64"
+ "2a01:4f9:6a:4e26::/64"
+ ];
+ PersistentKeepalive = 25;
+ }
+ ];
+ };
+
+ systemd.network.networks."90-wg-relesoft" = {
+ matchConfig.Name = "wg-relesoft";
+ address = [
+ "10.200.200.11/24"
+ "fdc9:281f:4d7:9ee9::11/128"
+ "2a01:4f9:6a:4e26::11/128"
+ ];
+ networkConfig = {
+ IPv4Forwarding = true;
+ IPv6Forwarding = true;
+ IPv6AcceptRA = false;
+ };
+ routes = [
+ { Destination = "10.200.200.0/24"; }
+ { Destination = "fdc9:281f:4d7:9ee9::/64"; }
+ { Destination = "2a01:4f9:6a:4e26::/64"; }
+ ];
+ linkConfig.MTUBytes = "1420";
+ };
+
 system.stateVersion = "24.05";
 }
diff --git a/hosts/tammi/90-wg-relesoft.netdev b/hosts/tammi/90-wg-relesoft.netdev
new file mode 100644
index 0000000..9ef2e1e
--- /dev/null
+++ b/hosts/tammi/90-wg-relesoft.netdev
@@ -0,0 +1,15 @@
+[NetDev]
+Name=wg-relesoft
+Kind=wireguard
+Description=WireGuard tunnel to relesoft.io
+
+[WireGuard]
+PrivateKey=KG00ekUKe0NFxuP3ndV0EZUtKX4wR8iyU+0rufZGuFA=
+
+[WireGuardPeer]
+PublicKey=B5QK7rl8sAXPu2upKhondWSt49qMOqTG/hDjwqY3cDs=
+Endpoint=65.21.238.221:51194
+AllowedIPs=10.200.200.0/24
+AllowedIPs=fdc9:281f:04d7:9ee9::/64
+AllowedIPs=2a01:4f9:6a:4e26::/64
+PersistentKeepalive=25
diff --git a/hosts/tammi/90-wg-relesoft.network b/hosts/tammi/90-wg-relesoft.network
new file mode 100644
index 0000000..5ba120b
--- /dev/null
+++ b/hosts/tammi/90-wg-relesoft.network
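Review bot: The `PrivateKey=` line under `[WireGuard]` in `hosts/tammi/90-wg-relesoft.netdev` commits tammi's WireGuard private key to the repository in clear text, whereas the three Nix hosts in this commit load theirs from an age-encrypted secret through `PrivateKeyFile`. Anyone who can read the repository or its history can authenticate to the peer as tammi, so the key should be treated as exposed: generate a new key pair and update the peer's entry for this host. The line should become `PrivateKeyFile=<absolute path to key file>`, pointing at a file kept out of the repository and owned root:systemd-network with mode 0640, matching the `group`/`mode` the Nix hosts use. Deleting the line in a later commit does not remove the key from history.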
@@ -0,0 +1,23 @@
+[Match]
+Name=wg-relesoft
+
+[Link]
+MTUBytes=1420
+
+[Network]
+Address=10.200.200.13/24
+Address=fdc9:281f:04d7:9ee9::13/128
+Address=2a01:4f9:6a:4e26::13/128
+IPv4Forwarding=yes
+IPv6Forwarding=yes
+IPv6AcceptRA=no
+LinkLocalAddressing=no
+
+[Route]
+Destination=10.200.200.0/24
+
+[Route]
+Destination=fdc9:281f:04d7:9ee9::/64
+
+[Route]
+Destination=2a01:4f9:6a:4e26::/64 |
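Review bot: The ULA prefix is spelled `fdc9:281f:04d7:9ee9` in the `Address=` and `[Route]` lines here (and in the `.netdev` `AllowedIPs=`), but `fdc9:281f:4d7:9ee9` in the three Nix hosts. The two forms denote the same prefix, yet a text search or audit for one spelling misses the other, so I would use the compressed form `fdc9:281f:4d7:9ee9` everywhere. `LinkLocalAddressing=no` is also set only for tammi; if it is intended, the Nix `networkConfig` blocks should set it too, and if not, a one-line comment saying why tammi differs would help.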
