initial work on wireguard mess

2022-11-11 20:53:17 +00:00 · 2022-11-11 20:53:17 +00:00 · 15bb6f6f92
parent c41f26a66f
commit 15bb6f6f92
24 changed files with 277 additions and 396 deletions
--- a/home/apps/mpv.nix
+++ b/home/apps/mpv.nix
@ -1,9 +1,9 @@
 { config, pkgs, ... }:
 let
  listen-password-file = if pkgs.stdenv.isLinux then
-    "/secrets/music-stream-password"
+    "/secrets/music_stream_password"
  else
-    "$HOME/.secrets/music-stream-password";
+    "$HOME/.secrets/music_stream_password";
 in {
  home.packages = with pkgs; [ mpv ffmpeg yt-dlp ];
  programs.mpv = {
--- a/hosts/hetzner-vm/hetzner-vm.nix
+++ b/hosts/hetzner-vm/hetzner-vm.nix
@ -17,6 +17,7 @@
    hosts.hetzner-vm.services.gitlab-static-sites
    hosts.hetzner-vm.services.lappy-dev
    hosts.hetzner-vm.services.misskey
+    hosts.hetzner-vm.services.wireguard

    ./networking.nix
    ./hardware.nix
--- a/hosts/hetzner-vm/secrets-db.nix
+++ b/hosts/hetzner-vm/secrets-db.nix
@ -35,4 +35,28 @@
    permissions = "660";
    path = "/secrets/restic_env";
  };
+  wg_privkey = {
+    user = "root";
+    group = "root";
+    permissions = "660";
+    path = "/secrets/wg_privkey";
+  };
+  wg_preshared_tablet = {
+    user = "root";
+    group = "root";
+    permissions = "660";
+    path = "/secrets/wg_preshared_tablet";
+  };
+  wg_preshared_vault = {
+    user = "root";
+    group = "root";
+    permissions = "660";
+    path = "/secrets/wg_preshared_vault";
+  };
+  wg_preshared_storage = {
+    user = "root";
+    group = "root";
+    permissions = "660";
+    path = "/secrets/wg_preshared_storage";
+  };
 }
--- a/hosts/hetzner-vm/secrets.nix
+++ b/hosts/hetzner-vm/secrets.nix
@ -62,6 +62,30 @@ in {
      echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/HetznerVM" > $file
      chown ${secrets-db.restic_env.user}:${secrets-db.restic_env.group} $file
      chmod ${secrets-db.restic_env.permissions} $file
+
+      file=${secrets-db.wg_privkey.path}
+      echo $file
+      simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .private > $file 
+      chown ${secrets-db.wg_privkey.user}:${secrets-db.wg_privkey.group} $file
+      chmod ${secrets-db.wg_privkey.permissions} $file
+
+      file=${secrets-db.wg_preshared_tablet.path}
+      echo $file
+      simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.tablet > $file 
+      chown ${secrets-db.wg_preshared_tablet.user}:${secrets-db.wg_preshared_tablet.group} $file
+      chmod ${secrets-db.wg_preshared_tablet.permissions} $file
+
+      file=${secrets-db.wg_preshared_vault.path}
+      echo $file
+      simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.vault > $file 
+      chown ${secrets-db.wg_preshared_vault.user}:${secrets-db.wg_preshared_vault.group} $file
+      chmod ${secrets-db.wg_preshared_vault.permissions} $file
+
+      file=${secrets-db.wg_preshared_storage.path}
+      echo $file
+      simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.storage > $file 
+      chown ${secrets-db.wg_preshared_storage.user}:${secrets-db.wg_preshared_storage.group} $file
+      chmod ${secrets-db.wg_preshared_storage.permissions} $file
    '')
  ];
 }
--- a/hosts/hetzner-vm/services/wireguard.nix
+++ b/hosts/hetzner-vm/services/wireguard.nix
@ -0,0 +1,33 @@
+{ ... }:
+let secrets-db = (import ../secrets-db.nix { });
+in {
+  networking.wg-quick.interfaces = {
+    wg0 = {
+      address = [ "10.69.42.1/32" ];
+      listenPort = 51820;
+      privateKeyFile = "${secrets-db.wg_privkey.path}";
+      peers = [
+        # tablet
+        {
+          publicKey = "jXA0DeprEaL/ARQ3K81l8xWuUI5C/90DcY3bIfcIjz8=";
+          presharedKeyFile = "${secrets-db.wg_preshared_tablet.path}";
+          allowedIPs = [ "10.69.42.2/32" ];
+        }
+        # vault
+        {
+          publicKey = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc=";
+          presharedKeyFile = "${secrets-db.wg_preshared_vault.path}";
+          endpoint = "vault.servers.genderfucked.monster:51820";
+          allowedIPs = [ "10.69.42.3/32" ];
+        }
+        # storage
+        {
+          publicKey = "biNNeCkjAWi2jUVoL5+1pBtXGa3OFZi4DltB2dqGjGg=";
+          presharedKeyFile = "${secrets-db.wg_preshared_storage.path}";
+          allowedIPs = [ "10.69.42.4/32" ];
+        }
+      ];
+    };
+  };
+  networking.firewall.allowedUDPPorts = [ 51820 ];
+}
--- a/hosts/lappy/hardware.nix
+++ b/hosts/lappy/hardware.nix
@ -1,66 +0,0 @@
-{ pkgs, ... }:
-let
-  usb_data = import ./hardware/usb_data.nix { };
-  ssd_data = import ./hardware/ssd_data.nix { };
-in {
-  boot = {
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
-    initrd.availableKernelModules = [
-      "xhci_pci"
-      "ahci"
-      "nvme"
-      "usb_storage"
-      "sd_mod"
-      "rtsx_pci_sdmmc"
-      "uas"
-      "usbcore"
-      "usb_storage"
-      "vfat"
-      "nls_cp437"
-      "nls_iso8859_1"
-      "aesni_intel"
-      "cryptd"
-    ];
-    kernelModules = [ "kvm-intel" ];
-
-    initrd.postDeviceCommands = pkgs.lib.mkBefore ''
-      mkdir -m 0755 -p ${usb_data.mountpoint}
-
-      while !(test -b ${usb_data.encrypted_path})
-      do
-        echo "Please Plug In USB"
-        sleep 1
-      done
-
-      echo "Please Decrypt USB"
-
-      cryptsetup luksOpen ${usb_data.encrypted_path} ${usb_data.mapper_name}
-
-      mount -n -t ${usb_data.unencrypted_fs_type} -o ro ${usb_data.mapper_path} ${usb_data.mountpoint}
-    '';
-
-    initrd.luks.devices = {
-      "${ssd_data.root_mapper_name}" = {
-        device = "${ssd_data.encrypted_root_path}";
-        keyFile = "${usb_data.lappy_encryption_key_path}";
-        preLVM = false;
-        allowDiscards = true;
-      };
-    };
-  };
-
-  fileSystems = {
-    "/" = {
-      device = "${ssd_data.decrypted_root_path}";
-      fsType = "${ssd_data.unencrypted_root_fs_type}";
-    };
-    "/boot" = {
-      device = "${ssd_data.boot_path}";
-      fsType = "${ssd_data.boot_fs_type}";
-    };
-  };
-
-}
--- a/hosts/lappy/hardware/ssd_data.nix
+++ b/hosts/lappy/hardware/ssd_data.nix
@ -1,24 +0,0 @@
-{ }: rec {
-  # Mountpoints
-  root_mountpoint = "/";
-  boot_mountpoint = "/boot";
-
-  # Partition Labels
-  boot_label = "nixboot";
-  unencrypted_root_label = "nixos";
-  encrypted_root_partlabel = "nixos_encrypted";
-
-  # Partition Filesystems
-  unencrypted_root_fs_type = "ext4";
-  boot_fs_type = "vfat";
-
-  # Mapper Name
-  root_mapper_name = "cryptroot";
-
-  # FS Paths
-  encrypted_root_path = "/dev/disk/by-partlabel/${encrypted_root_partlabel}";
-  decrypted_root_path = "/dev/mapper/${root_mapper_name}";
-
-  boot_path = "/dev/disk/by-label/${boot_label}";
-
-}
--- a/hosts/lappy/hardware/usb_data.nix
+++ b/hosts/lappy/hardware/usb_data.nix
@ -1,28 +0,0 @@
-{ ... }: rec {
-  # Mountpoints
-  mountpoint = "/usb";
-
-  # Partition Labels
-  encrypted_partlabel = "usb";
-  unencrypted_label = "usb_unencrypted";
-
-  # Partition Filesystems
-  unencrypted_fs_type = "ext4";
-
-  # Mapper Information
-  mapper_name = "usb_unencrypted";
-
-  # FS Paths
-  encrypted_path = "/dev/disk/by-partlabel/${encrypted_partlabel}";
-  unencrypted_path = "/dev/disk/by-label/${unencrypted_label}";
-  mapper_path = "/dev/mapper/${mapper_name}";
-
-  # Paths to some important files
-  lappy_encryption_key_path = "${mountpoint}/encryption-keys/lappy.key";
-
-  chaos_age_privkey_path = "${mountpoint}/age-keys/chaoskey.priv";
-  chaos_age_pubkey_path = "${mountpoint}/age-keys/chaoskey.pub";
-
-  ssh_priv_path = "${mountpoint}/ssh-keys/chaos.priv";
-  ssh_pub_path = "${mountpoint}/ssh-keys/chaos.pub";
-}
--- a/hosts/lappy/lappy.nix
+++ b/hosts/lappy/lappy.nix
@ -1,159 +0,0 @@
-{ tree, config, pkgs, lib, ... }:
-let usb_data = import ./hardware/usb_data.nix { };
-in {
-  imports = with tree; [
-    users.root
-    users.chaos
-    profiles.tailscale
-    #profiles.dnscrypt
-    #profiles.printing
-    profiles.sshd
-
-    hosts.lappy.profiles.usb-automount
-    hosts.lappy.profiles.harry-vpn
-
-    # required for dualsense controller
-    profiles.kernels.latest
-
-    profiles.laptop
-
-    # Bluetooth
-    #profiles.connectivity.bluetooth
-
-    profiles.connectivity.network_manager
-    profiles.connectivity.ios
-
-    profiles.sound.pipewire
-
-    profiles.gui.base
-    profiles.gui.environments.gnome
-
-    profiles.gaming.steam
-
-    # for sci-hub and whenever websites break
-    profiles.tor
-
-    # For cross compiling and deploying to raspberry
-    profiles.cross.arm64
-
-    profiles.force_dns
-    #extras.shenanigans-hotspot
-  ];
-
-  services.mullvad-vpn.enable = true;
-
-  home-manager.users.root = {
-    imports = with tree; [ home.base ];
-    home.stateVersion = "22.05";
-  };
-  home-manager.users.chaos = {
-    programs.ssh.matchBlocks."*".identityFile = "${usb_data.ssh_priv_path}";
-    programs.git.extraConfig = {
-      gpg.format = "ssh";
-      commit.gpgsign = "true";
-      tag.gpgsign = "true";
-      user = { signingKey = "${usb_data.ssh_priv_path}"; };
-    };
-    imports = with tree; [
-      home.base
-      home.dev.all
-      #home.reversing
-
-      home.gui.base
-      home.gui.environments.gnome
-
-      #home.gaming.emulators.ds
-      #home.gaming.games.minecraft
-      #home.gaming.games.osu
-      home.gaming.platforms.steam
-
-      #home.bluetooth
-      #home.network_manager
-
-      home.apps.vivaldi
-      home.apps.telegram
-      home.apps.quassel
-      home.apps.mpv
-      home.apps.strawberry
-      home.apps.file-roller
-      home.apps.nautilus
-      home.apps.nicotine-plus
-      home.apps.musicutil
-      home.apps.pavucontrol
-      home.apps.mullvad
-      home.apps.aria2
-      home.apps.rclone
-      home.apps.restic
-
-      home.programming.editors.vscode
-      home.programming.languages.go
-      home.programming.languages.nix
-    ];
-    home.stateVersion = "22.05";
-  };
-
-  hardware.opengl.extraPackages = with pkgs; [
-    vaapiIntel
-    vaapiVdpau
-    libvdpau-va-gl
-    intel-media-driver
-  ];
-
-  #services.getty.extraArgs = [ "--skip-login" "--login-options" "chaos" ];
-
-  networking.firewall.enable = true;
-  networking.firewall.allowPing = true;
-
-  # Allow Soulseek
-  networking.firewall.allowedTCPPorts = [ 8080 2235 ];
-  networking.firewall.allowedTCPPortRanges = [
-    # Allow aria2 to work
-    {
-      from = 6881;
-      to = 6999;
-    }
-    {
-      from = 50101;
-      to = 50109;
-    }
-  ];
-  networking.firewall.allowedUDPPortRanges = [
-    # Allow aria2 to work
-    {
-      from = 6881;
-      to = 6999;
-    }
-    {
-      from = 50101;
-      to = 50109;
-    }
-  ];
-
-  networking.enableIPv6 = true;
-  systemd.services.NetworkManager-wait-online.enable = false;
-
-  # let vscode, vivaldi, etc work.
-  security.unprivilegedUsernsClone = true;
-
-  nix.settings.auto-optimise-store = true;
-  nix.gc = {
-    automatic = true;
-    dates = "daily";
-    options = "--delete-older-than 30d";
-  };
-
-  nix.extraOptions = ''
-    keep-outputs = true
-    keep-derivations = true
-    builders-use-substitutes = true
-  '';
-
-  networking.hostName = "lappy";
-  time.timeZone = "Europe/London";
-  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
-
-  services.fstrim.enable = true;
-
-  system.stateVersion = "21.11";
-}
-
--- a/hosts/lappy/profiles/harry-vpn.nix
+++ b/hosts/lappy/profiles/harry-vpn.nix
@ -1,19 +0,0 @@
-{ pkgs, ... }: {
-  environment.systemPackages = with pkgs; [ wireguard-tools ];
-  networking.wg-quick.interfaces = {
-    wg-harry-vpn = {
-      autostart = false;
-      address = [ "185.186.9.71/26" "2a0b:6b84:2022:6::1/64" ];
-      dns = [ "8.8.8.8" ];
-      mtu = 1280;
-      privateKeyFile = "/secrets/harry_vpn_wg_priv";
-
-      peers = [{
-        publicKey = "7B6KSFqTHM7A7Nv24GIeUhDDh2XnlT7UqG5U+Si+zmc=";
-        allowedIPs = [ "0.0.0.0/0" "::/0" ];
-        endpoint = "185.186.9.1:8081";
-        persistentKeepalive = 25;
-      }];
-    };
-  };
-}
--- a/hosts/lappy/profiles/macos-vm.nix
+++ b/hosts/lappy/profiles/macos-vm.nix
@ -1,15 +0,0 @@
-{ pkgs, ... }: {
-  virtualisation.libvirtd.enable = true;
-  programs.dconf.enable = true;
-  environment.systemPackages = with pkgs; [
-    virt-manager
-    p7zip
-    #umlutilities
-    qemu
-    gnumake
-    libguestfs
-    python3
-  ];
-  users.users.chaos.extraGroups = [ "libvirtd" "kvm" ];
-
-}
--- a/hosts/lappy/profiles/mpd.nix
+++ b/hosts/lappy/profiles/mpd.nix
@ -1,32 +0,0 @@
-{ pkgs, tree, ... }: {
-  imports = with tree; [
-    ./mpd-music-sync.nix
-    profiles.sound.pulseaudio.pulse-recv-native-localhost
-  ];
-
-  environment.systemPackages = with pkgs; [ mpc_cli ];
-
-  systemd.tmpfiles.rules = [
-    "d /var/lib/mpd 0755 mpd mpd -"
-    "d /var/lib/mpd/data 0755 mpd mpd -"
-    "d /var/lib/mpd/playlists 0755 mpd mpd -"
-  ];
-
-  services.mpd = {
-    enable = true;
-    dataDir = "/var/lib/mpd/data";
-    playlistDirectory = "/var/lib/mpd/playlists";
-    musicDirectory = "/music";
-    extraConfig = ''
-      host_permissions "127.0.0.1 read,add,control,admin"
-      audio_output {
-        type "pulse"
-        name "Pulseaudio"
-        server "127.0.0.1"
-      }
-    '';
-  };
-
-  systemd.services.mpd.serviceConfig.StateDirectory =
-    [ "/music" "/var/lib/mpd" ];
-}
--- a/hosts/lappy/profiles/usb-automount.nix
+++ b/hosts/lappy/profiles/usb-automount.nix
@ -1,40 +0,0 @@
-{ lib, pkgs, ... }:
-let
-  usb_data = import ../hardware/usb_data.nix { };
-  mapper_name = "usb_unencrypted_afterboot";
-  mapper_path = "/dev/mapper/${mapper_name}";
-  mount_usb = pkgs.writeShellScriptBin "mount_usb" ''
-    umount ${usb_data.mountpoint} || true
-    cryptsetup close ${mapper_name} || true
-
-    cat /secrets/usb_encryption_passphrase | cryptsetup luksOpen ${usb_data.encrypted_path} ${mapper_name} -
-    mount ${mapper_path} -o rw ${usb_data.mountpoint}
-  '';
-  unmount_usb = pkgs.writeShellScriptBin "unmount_usb" ''
-    umount -flR ${usb_data.mountpoint} || true
-    cryptsetup close ${mapper_name} || true
-  '';
-in {
-  environment.systemPackages = [ mount_usb unmount_usb ];
-
-  systemd.tmpfiles.rules = [ "d ${usb_data.mountpoint} - chaos root" ];
-
-  systemd.services.usb-mount = {
-    path = [ pkgs.util-linux pkgs.cryptsetup ];
-    script = ''
-      ${mount_usb}/bin/mount_usb
-    '';
-  };
-
-  systemd.services.usb-unmount = {
-    path = [ pkgs.util-linux pkgs.cryptsetup ];
-    script = ''
-      ${unmount_usb}/bin/unmount_usb
-    '';
-  };
-
-  services.udev.extraRules = ''
-    ACTION=="add", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="usb-mount.service", ENV{UDISKS_PRESENTATION_HIDE}="1"
-    ACTION=="remove", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="usb-unmount.service"
-  '';
-}
--- a/hosts/lappy/vm.nix
+++ b/hosts/lappy/vm.nix
@ -1,11 +0,0 @@
-{ lib, inputs, ... }: {
-  imports = [ "${inputs.nixpkgs}/nixos/modules/virtualisation/qemu-vm.nix" ];
-  users.users.root.password = "owo";
-  users.users.chaos.password = "owo";
-  home-manager.users.chaos.home.sessionVariables = {
-    WLR_RENDERER_ALLOW_SOFTWARE = "1";
-  };
-  services.getty.extraArgs = lib.mkForce [ ];
-  virtualisation.cores = 4;
-  virtualisation.qemu.options = [ "-vga" "qxl" ];
-}
--- a/hosts/tablet/profiles/wireguard.nix
+++ b/hosts/tablet/profiles/wireguard.nix
@ -0,0 +1,29 @@
+{ ... }:
+let secrets-db = (import ../secrets-db.nix { });
+in {
+  networking.wg-quick.interfaces = {
+    wg0 = {
+      address = [ "10.69.42.2/32" ];
+      privateKeyFile = "${secrets-db.wg_priv.path}";
+
+      peers = [
+        # hetzner-vm
+        {
+          publicKey = "UJr+EmUM7KWkIy0nk0JA38ibvcLC++6iuOKkHdrx9Dc=";
+          presharedKeyFile = "${secrets-db.wg_preshared_hetzner-vm.path}";
+          allowedIPs = [ "10.69.42.1/32" ];
+          endpoint = "hetzner-vm.servers.genderfucked.monster:51820";
+          persistentKeepalive = 25;
+        }
+        # vault
+        {
+          publicKey = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc=";
+          presharedKeyFile = "${secrets-db.wg_preshared_vault.path}";
+          allowedIPs = [ "10.69.42.3/32" ];
+          endpoint = "vault.servers.genderfucked.monster:51820";
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+  };
+}
--- a/hosts/tablet/secrets-db.nix
+++ b/hosts/tablet/secrets-db.nix
@ -0,0 +1,39 @@
+{ }: {
+  # Manually Created, Not Stored In Vault
+  usb_encryption_passphrase = {
+    user = "root";
+    group = "root";
+    permissions = "660";
+    path = "/secrets/usb_encryption_passphrase";
+  };
+  music_stream_password = {
+    user = "chaos";
+    group = "users";
+    permissions = "660";
+    path = "/secrets/music_stream_password";
+  };
+  wg_priv = {
+    user = "root";
+    group = "root";
+    permissions = "660";
+    path = "/secrets/wg_priv";
+  };
+  wg_preshared_hetzner-vm = {
+    user = "root";
+    group = "root";
+    permissions = "660";
+    path = "/secrets/wg_preshared_hetzner-vm";
+  };
+  wg_preshared_vault = {
+    user = "root";
+    group = "root";
+    permissions = "660";
+    path = "/secrets/wg_preshared_vault";
+  };
+  wg_preshared_storage = {
+    user = "root";
+    group = "root";
+    permissions = "660";
+    path = "/secrets/wg_preshared_storage";
+  };
+}
--- a/hosts/tablet/secrets.nix
+++ b/hosts/tablet/secrets.nix
@ -0,0 +1,54 @@
+{ pkgs, ... }:
+let secrets-db = (import ./secrets-db.nix { });
+in {
+  systemd.tmpfiles.rules = [ "d /secrets - root root" ];
+  environment.systemPackages = [
+    (pkgs.writeShellScriptBin "init-secrets" ''
+      set -e -o pipefail
+
+      VAULT_ADDR_DEFAULT="https://vault.owo.monster"
+      [ -z "$VAULT_ADDR" ] && export VAULT_ADDR="$VAULT_ADDR_DEFAULT"
+
+      export PATH=$PATH:${pkgs.vault}/bin
+      export PATH=$PATH:${pkgs.jq}/bin
+
+      kv_get() {
+        vault kv get -format json $1
+      }
+
+      simple_get() {
+        kv_get $1 | jq .data.data$2 -r
+      }
+
+      file=${secrets-db.music_stream_password.path}
+      echo $file
+      simple_get "/api-keys/music-stream" .password > $file
+      chown ${secrets-db.music_stream_password.user}:${secrets-db.music_stream_password.group} $file
+      chmod ${secrets-db.music_stream_password.permissions} $file
+
+      file=${secrets-db.wg_priv.path}
+      echo $file
+      simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .private > $file
+      chown ${secrets-db.wg_priv.user}:${secrets-db.wg_priv.group} $file
+      chmod ${secrets-db.wg_priv.permissions} $file
+
+      file=${secrets-db.wg_preshared_hetzner-vm.path}
+      echo $file
+      simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.hetzner_vm > $file
+      chown ${secrets-db.wg_preshared_hetzner-vm.user}:${secrets-db.wg_preshared_hetzner-vm.group} $file
+      chmod ${secrets-db.wg_preshared_hetzner-vm.permissions} $file
+
+      file=${secrets-db.wg_preshared_vault.path}
+      echo $file
+      simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.vault > $file
+      chown ${secrets-db.wg_preshared_vault.user}:${secrets-db.wg_preshared_vault.group} $file
+      chmod ${secrets-db.wg_preshared_vault.permissions} $file
+
+      file=${secrets-db.wg_preshared_storage.path}
+      echo $file
+      simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.storage > $file
+      chown ${secrets-db.wg_preshared_storage.user}:${secrets-db.wg_preshared_storage.group} $file
+      chmod ${secrets-db.wg_preshared_storage.permissions} $file
+    '')
+  ];
+}
--- a/hosts/tablet/tablet.nix
+++ b/hosts/tablet/tablet.nix
@ -9,6 +9,8 @@
    presets.nixos.laptop
    presets.nixos.encrypted-usb

+    ./secrets.nix
+    ./profiles/wireguard.nix
    ./profiles/harry-vpn.nix
  ];

--- a/hosts/vault/profiles/wireguard.nix
+++ b/hosts/vault/profiles/wireguard.nix
@ -0,0 +1,29 @@
+{ ... }:
+let secrets-db = (import ../secrets-db.nix { });
+in {
+  networking.wg-quick.interfaces = {
+    wg0 = {
+      address = [ "10.69.42.3/32" ];
+      listenPort = 51820;
+      privateKeyFile = "${secrets-db.wg_priv.path}";
+
+      peers = [
+        # hetzner-vm
+        {
+          publicKey = "UJr+EmUM7KWkIy0nk0JA38ibvcLC++6iuOKkHdrx9Dc=";
+          presharedKeyFile = "${secrets-db.wg_preshared_hetzner-vm.path}";
+          allowedIPs = [ "10.69.42.1/32" ];
+          endpoint = "hetzner-vm.servers.genderfucked.monster:51820";
+          persistentKeepalive = 25;
+        }
+        # tablet
+        {
+          publicKey = "jXA0DeprEaL/ARQ3K81l8xWuUI5C/90DcY3bIfcIjz8=";
+          presharedKeyFile = "${secrets-db.wg_preshared_tablet.path}";
+          allowedIPs = [ "10.69.42.2/32" ];
+        }
+      ];
+    };
+  };
+  networking.firewall.allowedUDPPorts = [ 51820 ];
+}
--- a/hosts/vault/secrets-db.nix
+++ b/hosts/vault/secrets-db.nix
@ -11,4 +11,22 @@
    permissions = "660";
    path = "/secrets/restic_env";
  };
+  wg_priv = {
+    user = "root";
+    group = "root";
+    permissions = "660";
+    path = "/secrets/wg_priv";
+  };
+  wg_preshared_hetzner-vm = {
+    user = "root";
+    group = "root";
+    permissions = "660";
+    path = "/secrets/wg_preshared_hetzner-vm";
+  };
+  wg_preshared_tablet = {
+    user = "root";
+    group = "root";
+    permissions = "660";
+    path = "/secrets/wg_preshared_tablet";
+  };
 }
--- a/hosts/vault/secrets.nix
+++ b/hosts/vault/secrets.nix
@ -29,6 +29,24 @@ in {
      echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > /secrets/restic_env
      chown ${secrets-db.restic_env.user}:${secrets-db.restic_env.group} /secrets/restic_env 
      chmod ${secrets-db.restic_env.permissions} /secrets/restic_env
+
+      file=${secrets-db.wg_priv.path}
+      echo $file
+      simple_get "/private-public-keys/wireguard/chaos-internal/vault" .private > $file
+      chown ${secrets-db.wg_priv.user}:${secrets-db.wg_priv.group} $file
+      chmod ${secrets-db.wg_priv.permissions} $file
+
+      file=${secrets-db.wg_preshared_hetzner-vm.path}
+      echo $file
+      simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.hetzner_vm > $file
+      chown ${secrets-db.wg_preshared_hetzner-vm.user}:${secrets-db.wg_preshared_hetzner-vm.group} $file
+      chmod ${secrets-db.wg_preshared_hetzner-vm.permissions} $file
+
+      file=${secrets-db.wg_preshared_tablet.path}
+      echo $file
+      simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.tablet > $file
+      chown ${secrets-db.wg_preshared_tablet.user}:${secrets-db.wg_preshared_tablet.group} $file
+      chmod ${secrets-db.wg_preshared_tablet.permissions} $file
    '')
  ];
 }
--- a/hosts/vault/vault.nix
+++ b/hosts/vault/vault.nix
@ -9,6 +9,8 @@ in {
    profiles.nix-gc
    profiles.nginx

+    ./profiles/wireguard.nix
+
    ./hardware.nix
    ./networking.nix
    ./secrets.nix
--- a/wg.key
+++ b/wg.key
@ -0,0 +1 @@
+qCxTpFUKxcRZOg+uWUgphnr8+tfoy33IOpuuuDWZUEQ=
--- a/wg.pub
+++ b/wg.pub
@ -0,0 +1 @@
+gZf6RttTQHh/kdYrucasSJgDFpyIaG1UdickV4Mfj4=
				`@ -0,0 +1 @@`
				`qCxTpFUKxcRZOg+uWUgphnr8+tfoy33IOpuuuDWZUEQ=`
				`@ -0,0 +1 @@`
				`+gZf6RttTQHh/kdYrucasSJgDFpyIaG1UdickV4Mfj4=`