initial work on wireguard mess

2022-11-11 20:53:17 +00:00 · 2022-11-11 20:53:17 +00:00 · 15bb6f6f92
parent c41f26a66f
commit 15bb6f6f92
24 changed files with 277 additions and 396 deletions
--- a/home/apps/mpv.nix
+++ b/home/apps/mpv.nix
@ -1,9 +1,9 @@
 { config, pkgs, ... }:
 let
  listen-password-file = if pkgs.stdenv.isLinux then
-    "/secrets/music-stream-password"
+    "/secrets/music_stream_password"
  else
-    "$HOME/.secrets/music-stream-password";
+    "$HOME/.secrets/music_stream_password";
 in {
  home.packages = with pkgs; [ mpv ffmpeg yt-dlp ];
  programs.mpv = {
--- a/hosts/hetzner-vm/hetzner-vm.nix
+++ b/hosts/hetzner-vm/hetzner-vm.nix
@ -17,6 +17,7 @@
    hosts.hetzner-vm.services.gitlab-static-sites
    hosts.hetzner-vm.services.lappy-dev
    hosts.hetzner-vm.services.misskey
    hosts.hetzner-vm.services.wireguard
    ./networking.nix
    ./hardware.nix
--- a/hosts/hetzner-vm/secrets-db.nix
+++ b/hosts/hetzner-vm/secrets-db.nix
@ -35,4 +35,28 @@
    permissions = "660";
    path = "/secrets/restic_env";
  };
  wg_privkey = {
    user = "root";
    group = "root";
    permissions = "660";
    path = "/secrets/wg_privkey";
  };
  wg_preshared_tablet = {
    user = "root";
    group = "root";
    permissions = "660";
    path = "/secrets/wg_preshared_tablet";
  };
  wg_preshared_vault = {
    user = "root";
    group = "root";
    permissions = "660";
    path = "/secrets/wg_preshared_vault";
  };
  wg_preshared_storage = {
    user = "root";
    group = "root";
    permissions = "660";
    path = "/secrets/wg_preshared_storage";
  };
 }
--- a/hosts/hetzner-vm/secrets.nix
+++ b/hosts/hetzner-vm/secrets.nix
@ -62,6 +62,30 @@ in {
      echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/HetznerVM" > $file
      chown ${secrets-db.restic_env.user}:${secrets-db.restic_env.group} $file
      chmod ${secrets-db.restic_env.permissions} $file
      file=${secrets-db.wg_privkey.path}
      echo $file
      simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .private > $file 
      chown ${secrets-db.wg_privkey.user}:${secrets-db.wg_privkey.group} $file
      chmod ${secrets-db.wg_privkey.permissions} $file
      file=${secrets-db.wg_preshared_tablet.path}
      echo $file
      simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.tablet > $file 
      chown ${secrets-db.wg_preshared_tablet.user}:${secrets-db.wg_preshared_tablet.group} $file
      chmod ${secrets-db.wg_preshared_tablet.permissions} $file
      file=${secrets-db.wg_preshared_vault.path}
      echo $file
      simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.vault > $file 
      chown ${secrets-db.wg_preshared_vault.user}:${secrets-db.wg_preshared_vault.group} $file
      chmod ${secrets-db.wg_preshared_vault.permissions} $file
      file=${secrets-db.wg_preshared_storage.path}
      echo $file
      simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.storage > $file 
      chown ${secrets-db.wg_preshared_storage.user}:${secrets-db.wg_preshared_storage.group} $file
      chmod ${secrets-db.wg_preshared_storage.permissions} $file
    '')
  ];
 }
--- a/hosts/hetzner-vm/services/wireguard.nix
+++ b/hosts/hetzner-vm/services/wireguard.nix
@ -0,0 +1,33 @@
 { ... }:
 let secrets-db = (import ../secrets-db.nix { });
 in {
  networking.wg-quick.interfaces = {
    wg0 = {
      address = [ "10.69.42.1/32" ];
      listenPort = 51820;
      privateKeyFile = "${secrets-db.wg_privkey.path}";
      peers = [
        # tablet
        {
          publicKey = "jXA0DeprEaL/ARQ3K81l8xWuUI5C/90DcY3bIfcIjz8=";
          presharedKeyFile = "${secrets-db.wg_preshared_tablet.path}";
          allowedIPs = [ "10.69.42.2/32" ];
        }
        # vault
        {
          publicKey = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc=";
          presharedKeyFile = "${secrets-db.wg_preshared_vault.path}";
          endpoint = "vault.servers.genderfucked.monster:51820";
          allowedIPs = [ "10.69.42.3/32" ];
        }
        # storage
        {
          publicKey = "biNNeCkjAWi2jUVoL5+1pBtXGa3OFZi4DltB2dqGjGg=";
          presharedKeyFile = "${secrets-db.wg_preshared_storage.path}";
          allowedIPs = [ "10.69.42.4/32" ];
        }
      ];
    };
  };
  networking.firewall.allowedUDPPorts = [ 51820 ];
 }
--- a/hosts/lappy/hardware.nix
+++ b/hosts/lappy/hardware.nix
@ -1,66 +0,0 @@
 { pkgs, ... }:
 let
  usb_data = import ./hardware/usb_data.nix { };
  ssd_data = import ./hardware/ssd_data.nix { };
 in {
  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
    initrd.availableKernelModules = [
      "xhci_pci"
      "ahci"
      "nvme"
      "usb_storage"
      "sd_mod"
      "rtsx_pci_sdmmc"
      "uas"
      "usbcore"
      "usb_storage"
      "vfat"
      "nls_cp437"
      "nls_iso8859_1"
      "aesni_intel"
      "cryptd"
    ];
    kernelModules = [ "kvm-intel" ];
    initrd.postDeviceCommands = pkgs.lib.mkBefore ''
      mkdir -m 0755 -p ${usb_data.mountpoint}
      while !(test -b ${usb_data.encrypted_path})
      do
        echo "Please Plug In USB"
        sleep 1
      done
      echo "Please Decrypt USB"
      cryptsetup luksOpen ${usb_data.encrypted_path} ${usb_data.mapper_name}
      mount -n -t ${usb_data.unencrypted_fs_type} -o ro ${usb_data.mapper_path} ${usb_data.mountpoint}
    '';
    initrd.luks.devices = {
      "${ssd_data.root_mapper_name}" = {
        device = "${ssd_data.encrypted_root_path}";
        keyFile = "${usb_data.lappy_encryption_key_path}";
        preLVM = false;
        allowDiscards = true;
      };
    };
  };
  fileSystems = {
    "/" = {
      device = "${ssd_data.decrypted_root_path}";
      fsType = "${ssd_data.unencrypted_root_fs_type}";
    };
    "/boot" = {
      device = "${ssd_data.boot_path}";
      fsType = "${ssd_data.boot_fs_type}";
    };
  };
 }
--- a/hosts/lappy/hardware/ssd_data.nix
+++ b/hosts/lappy/hardware/ssd_data.nix
@ -1,24 +0,0 @@
 { }: rec {
  # Mountpoints
  root_mountpoint = "/";
  boot_mountpoint = "/boot";
  # Partition Labels
  boot_label = "nixboot";
  unencrypted_root_label = "nixos";
  encrypted_root_partlabel = "nixos_encrypted";
  # Partition Filesystems
  unencrypted_root_fs_type = "ext4";
  boot_fs_type = "vfat";
  # Mapper Name
  root_mapper_name = "cryptroot";
  # FS Paths
  encrypted_root_path = "/dev/disk/by-partlabel/${encrypted_root_partlabel}";
  decrypted_root_path = "/dev/mapper/${root_mapper_name}";
  boot_path = "/dev/disk/by-label/${boot_label}";
 }
--- a/hosts/lappy/hardware/usb_data.nix
+++ b/hosts/lappy/hardware/usb_data.nix
@ -1,28 +0,0 @@
 { ... }: rec {
  # Mountpoints
  mountpoint = "/usb";
  # Partition Labels
  encrypted_partlabel = "usb";
  unencrypted_label = "usb_unencrypted";
  # Partition Filesystems
  unencrypted_fs_type = "ext4";
  # Mapper Information
  mapper_name = "usb_unencrypted";
  # FS Paths
  encrypted_path = "/dev/disk/by-partlabel/${encrypted_partlabel}";
  unencrypted_path = "/dev/disk/by-label/${unencrypted_label}";
  mapper_path = "/dev/mapper/${mapper_name}";
  # Paths to some important files
  lappy_encryption_key_path = "${mountpoint}/encryption-keys/lappy.key";
  chaos_age_privkey_path = "${mountpoint}/age-keys/chaoskey.priv";
  chaos_age_pubkey_path = "${mountpoint}/age-keys/chaoskey.pub";
  ssh_priv_path = "${mountpoint}/ssh-keys/chaos.priv";
  ssh_pub_path = "${mountpoint}/ssh-keys/chaos.pub";
 }
--- a/hosts/lappy/lappy.nix
+++ b/hosts/lappy/lappy.nix
@ -1,159 +0,0 @@
 { tree, config, pkgs, lib, ... }:
 let usb_data = import ./hardware/usb_data.nix { };
 in {
  imports = with tree; [
    users.root
    users.chaos
    profiles.tailscale
    #profiles.dnscrypt
    #profiles.printing
    profiles.sshd
    hosts.lappy.profiles.usb-automount
    hosts.lappy.profiles.harry-vpn
    # required for dualsense controller
    profiles.kernels.latest
    profiles.laptop
    # Bluetooth
    #profiles.connectivity.bluetooth
    profiles.connectivity.network_manager
    profiles.connectivity.ios
    profiles.sound.pipewire
    profiles.gui.base
    profiles.gui.environments.gnome
    profiles.gaming.steam
    # for sci-hub and whenever websites break
    profiles.tor
    # For cross compiling and deploying to raspberry
    profiles.cross.arm64
    profiles.force_dns
    #extras.shenanigans-hotspot
  ];
  services.mullvad-vpn.enable = true;
  home-manager.users.root = {
    imports = with tree; [ home.base ];
    home.stateVersion = "22.05";
  };
  home-manager.users.chaos = {
    programs.ssh.matchBlocks."*".identityFile = "${usb_data.ssh_priv_path}";
    programs.git.extraConfig = {
      gpg.format = "ssh";
      commit.gpgsign = "true";
      tag.gpgsign = "true";
      user = { signingKey = "${usb_data.ssh_priv_path}"; };
    };
    imports = with tree; [
      home.base
      home.dev.all
      #home.reversing
      home.gui.base
      home.gui.environments.gnome
      #home.gaming.emulators.ds
      #home.gaming.games.minecraft
      #home.gaming.games.osu
      home.gaming.platforms.steam
      #home.bluetooth
      #home.network_manager
      home.apps.vivaldi
      home.apps.telegram
      home.apps.quassel
      home.apps.mpv
      home.apps.strawberry
      home.apps.file-roller
      home.apps.nautilus
      home.apps.nicotine-plus
      home.apps.musicutil
      home.apps.pavucontrol
      home.apps.mullvad
      home.apps.aria2
      home.apps.rclone
      home.apps.restic
      home.programming.editors.vscode
      home.programming.languages.go
      home.programming.languages.nix
    ];
    home.stateVersion = "22.05";
  };
  hardware.opengl.extraPackages = with pkgs; [
    vaapiIntel
    vaapiVdpau
    libvdpau-va-gl
    intel-media-driver
  ];
  #services.getty.extraArgs = [ "--skip-login" "--login-options" "chaos" ];
  networking.firewall.enable = true;
  networking.firewall.allowPing = true;
  # Allow Soulseek
  networking.firewall.allowedTCPPorts = [ 8080 2235 ];
  networking.firewall.allowedTCPPortRanges = [
    # Allow aria2 to work
    {
      from = 6881;
      to = 6999;
    }
    {
      from = 50101;
      to = 50109;
    }
  ];
  networking.firewall.allowedUDPPortRanges = [
    # Allow aria2 to work
    {
      from = 6881;
      to = 6999;
    }
    {
      from = 50101;
      to = 50109;
    }
  ];
  networking.enableIPv6 = true;
  systemd.services.NetworkManager-wait-online.enable = false;
  # let vscode, vivaldi, etc work.
  security.unprivilegedUsernsClone = true;
  nix.settings.auto-optimise-store = true;
  nix.gc = {
    automatic = true;
    dates = "daily";
    options = "--delete-older-than 30d";
  };
  nix.extraOptions = ''
    keep-outputs = true
    keep-derivations = true
    builders-use-substitutes = true
  '';
  networking.hostName = "lappy";
  time.timeZone = "Europe/London";
  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
  services.fstrim.enable = true;
  system.stateVersion = "21.11";
 }
--- a/hosts/lappy/profiles/harry-vpn.nix
+++ b/hosts/lappy/profiles/harry-vpn.nix
@ -1,19 +0,0 @@
 { pkgs, ... }: {
  environment.systemPackages = with pkgs; [ wireguard-tools ];
  networking.wg-quick.interfaces = {
    wg-harry-vpn = {
      autostart = false;
      address = [ "185.186.9.71/26" "2a0b:6b84:2022:6::1/64" ];
      dns = [ "8.8.8.8" ];
      mtu = 1280;
      privateKeyFile = "/secrets/harry_vpn_wg_priv";
      peers = [{
        publicKey = "7B6KSFqTHM7A7Nv24GIeUhDDh2XnlT7UqG5U+Si+zmc=";
        allowedIPs = [ "0.0.0.0/0" "::/0" ];
        endpoint = "185.186.9.1:8081";
        persistentKeepalive = 25;
      }];
    };
  };
 }
--- a/hosts/lappy/profiles/macos-vm.nix
+++ b/hosts/lappy/profiles/macos-vm.nix
@ -1,15 +0,0 @@
 { pkgs, ... }: {
  virtualisation.libvirtd.enable = true;
  programs.dconf.enable = true;
  environment.systemPackages = with pkgs; [
    virt-manager
    p7zip
    #umlutilities
    qemu
    gnumake
    libguestfs
    python3
  ];
  users.users.chaos.extraGroups = [ "libvirtd" "kvm" ];
 }
--- a/hosts/lappy/profiles/mpd.nix
+++ b/hosts/lappy/profiles/mpd.nix
@ -1,32 +0,0 @@
 { pkgs, tree, ... }: {
  imports = with tree; [
    ./mpd-music-sync.nix
    profiles.sound.pulseaudio.pulse-recv-native-localhost
  ];
  environment.systemPackages = with pkgs; [ mpc_cli ];
  systemd.tmpfiles.rules = [
    "d /var/lib/mpd 0755 mpd mpd -"
    "d /var/lib/mpd/data 0755 mpd mpd -"
    "d /var/lib/mpd/playlists 0755 mpd mpd -"
  ];
  services.mpd = {
    enable = true;
    dataDir = "/var/lib/mpd/data";
    playlistDirectory = "/var/lib/mpd/playlists";
    musicDirectory = "/music";
    extraConfig = ''
      host_permissions "127.0.0.1 read,add,control,admin"
      audio_output {
        type "pulse"
        name "Pulseaudio"
        server "127.0.0.1"
      }
    '';
  };
  systemd.services.mpd.serviceConfig.StateDirectory =
    [ "/music" "/var/lib/mpd" ];
 }
--- a/hosts/lappy/profiles/usb-automount.nix
+++ b/hosts/lappy/profiles/usb-automount.nix
@ -1,40 +0,0 @@
 { lib, pkgs, ... }:
 let
  usb_data = import ../hardware/usb_data.nix { };
  mapper_name = "usb_unencrypted_afterboot";
  mapper_path = "/dev/mapper/${mapper_name}";
  mount_usb = pkgs.writeShellScriptBin "mount_usb" ''
    umount ${usb_data.mountpoint} || true
    cryptsetup close ${mapper_name} || true
    cat /secrets/usb_encryption_passphrase | cryptsetup luksOpen ${usb_data.encrypted_path} ${mapper_name} -
    mount ${mapper_path} -o rw ${usb_data.mountpoint}
  '';
  unmount_usb = pkgs.writeShellScriptBin "unmount_usb" ''
    umount -flR ${usb_data.mountpoint} || true
    cryptsetup close ${mapper_name} || true
  '';
 in {
  environment.systemPackages = [ mount_usb unmount_usb ];
  systemd.tmpfiles.rules = [ "d ${usb_data.mountpoint} - chaos root" ];
  systemd.services.usb-mount = {
    path = [ pkgs.util-linux pkgs.cryptsetup ];
    script = ''
      ${mount_usb}/bin/mount_usb
    '';
  };
  systemd.services.usb-unmount = {
    path = [ pkgs.util-linux pkgs.cryptsetup ];
    script = ''
      ${unmount_usb}/bin/unmount_usb
    '';
  };
  services.udev.extraRules = ''
    ACTION=="add", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="usb-mount.service", ENV{UDISKS_PRESENTATION_HIDE}="1"
    ACTION=="remove", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="usb-unmount.service"
  '';
 }
--- a/hosts/lappy/vm.nix
+++ b/hosts/lappy/vm.nix
@ -1,11 +0,0 @@
 { lib, inputs, ... }: {
  imports = [ "${inputs.nixpkgs}/nixos/modules/virtualisation/qemu-vm.nix" ];
  users.users.root.password = "owo";
  users.users.chaos.password = "owo";
  home-manager.users.chaos.home.sessionVariables = {
    WLR_RENDERER_ALLOW_SOFTWARE = "1";
  };
  services.getty.extraArgs = lib.mkForce [ ];
  virtualisation.cores = 4;
  virtualisation.qemu.options = [ "-vga" "qxl" ];
 }
--- a/hosts/tablet/profiles/wireguard.nix
+++ b/hosts/tablet/profiles/wireguard.nix
@ -0,0 +1,29 @@
 { ... }:
 let secrets-db = (import ../secrets-db.nix { });
 in {
  networking.wg-quick.interfaces = {
    wg0 = {
      address = [ "10.69.42.2/32" ];
      privateKeyFile = "${secrets-db.wg_priv.path}";
      peers = [
        # hetzner-vm
        {
          publicKey = "UJr+EmUM7KWkIy0nk0JA38ibvcLC++6iuOKkHdrx9Dc=";
          presharedKeyFile = "${secrets-db.wg_preshared_hetzner-vm.path}";
          allowedIPs = [ "10.69.42.1/32" ];
          endpoint = "hetzner-vm.servers.genderfucked.monster:51820";
          persistentKeepalive = 25;
        }
        # vault
        {
          publicKey = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc=";
          presharedKeyFile = "${secrets-db.wg_preshared_vault.path}";
          allowedIPs = [ "10.69.42.3/32" ];
          endpoint = "vault.servers.genderfucked.monster:51820";
          persistentKeepalive = 25;
        }
      ];
    };
  };
 }
--- a/hosts/tablet/secrets-db.nix
+++ b/hosts/tablet/secrets-db.nix
@ -0,0 +1,39 @@
 { }: {
  # Manually Created, Not Stored In Vault
  usb_encryption_passphrase = {
    user = "root";
    group = "root";
    permissions = "660";
    path = "/secrets/usb_encryption_passphrase";
  };
  music_stream_password = {
    user = "chaos";
    group = "users";
    permissions = "660";
    path = "/secrets/music_stream_password";
  };
  wg_priv = {
    user = "root";
    group = "root";
    permissions = "660";
    path = "/secrets/wg_priv";
  };
  wg_preshared_hetzner-vm = {
    user = "root";
    group = "root";
    permissions = "660";
    path = "/secrets/wg_preshared_hetzner-vm";
  };
  wg_preshared_vault = {
    user = "root";
    group = "root";
    permissions = "660";
    path = "/secrets/wg_preshared_vault";
  };
  wg_preshared_storage = {
    user = "root";
    group = "root";
    permissions = "660";
    path = "/secrets/wg_preshared_storage";
  };
 }
--- a/hosts/tablet/secrets.nix
+++ b/hosts/tablet/secrets.nix
@ -0,0 +1,54 @@
 { pkgs, ... }:
 let secrets-db = (import ./secrets-db.nix { });
 in {
  systemd.tmpfiles.rules = [ "d /secrets - root root" ];
  environment.systemPackages = [
    (pkgs.writeShellScriptBin "init-secrets" ''
      set -e -o pipefail
      VAULT_ADDR_DEFAULT="https://vault.owo.monster"
      [ -z "$VAULT_ADDR" ] && export VAULT_ADDR="$VAULT_ADDR_DEFAULT"
      export PATH=$PATH:${pkgs.vault}/bin
      export PATH=$PATH:${pkgs.jq}/bin
      kv_get() {
        vault kv get -format json $1
      }
      simple_get() {
        kv_get $1 | jq .data.data$2 -r
      }
      file=${secrets-db.music_stream_password.path}
      echo $file
      simple_get "/api-keys/music-stream" .password > $file
      chown ${secrets-db.music_stream_password.user}:${secrets-db.music_stream_password.group} $file
      chmod ${secrets-db.music_stream_password.permissions} $file
      file=${secrets-db.wg_priv.path}
      echo $file
      simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .private > $file
      chown ${secrets-db.wg_priv.user}:${secrets-db.wg_priv.group} $file
      chmod ${secrets-db.wg_priv.permissions} $file
      file=${secrets-db.wg_preshared_hetzner-vm.path}
      echo $file
      simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.hetzner_vm > $file
      chown ${secrets-db.wg_preshared_hetzner-vm.user}:${secrets-db.wg_preshared_hetzner-vm.group} $file
      chmod ${secrets-db.wg_preshared_hetzner-vm.permissions} $file
      file=${secrets-db.wg_preshared_vault.path}
      echo $file
      simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.vault > $file
      chown ${secrets-db.wg_preshared_vault.user}:${secrets-db.wg_preshared_vault.group} $file
      chmod ${secrets-db.wg_preshared_vault.permissions} $file
      file=${secrets-db.wg_preshared_storage.path}
      echo $file
      simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.storage > $file
      chown ${secrets-db.wg_preshared_storage.user}:${secrets-db.wg_preshared_storage.group} $file
      chmod ${secrets-db.wg_preshared_storage.permissions} $file
    '')
  ];
 }
--- a/hosts/tablet/tablet.nix
+++ b/hosts/tablet/tablet.nix
@ -9,6 +9,8 @@
    presets.nixos.laptop
    presets.nixos.encrypted-usb
    ./secrets.nix
    ./profiles/wireguard.nix
    ./profiles/harry-vpn.nix
  ];
--- a/hosts/vault/profiles/wireguard.nix
+++ b/hosts/vault/profiles/wireguard.nix
@ -0,0 +1,29 @@
 { ... }:
 let secrets-db = (import ../secrets-db.nix { });
 in {
  networking.wg-quick.interfaces = {
    wg0 = {
      address = [ "10.69.42.3/32" ];
      listenPort = 51820;
      privateKeyFile = "${secrets-db.wg_priv.path}";
      peers = [
        # hetzner-vm
        {
          publicKey = "UJr+EmUM7KWkIy0nk0JA38ibvcLC++6iuOKkHdrx9Dc=";
          presharedKeyFile = "${secrets-db.wg_preshared_hetzner-vm.path}";
          allowedIPs = [ "10.69.42.1/32" ];
          endpoint = "hetzner-vm.servers.genderfucked.monster:51820";
          persistentKeepalive = 25;
        }
        # tablet
        {
          publicKey = "jXA0DeprEaL/ARQ3K81l8xWuUI5C/90DcY3bIfcIjz8=";
          presharedKeyFile = "${secrets-db.wg_preshared_tablet.path}";
          allowedIPs = [ "10.69.42.2/32" ];
        }
      ];
    };
  };
  networking.firewall.allowedUDPPorts = [ 51820 ];
 }
--- a/hosts/vault/secrets-db.nix
+++ b/hosts/vault/secrets-db.nix
@ -11,4 +11,22 @@
    permissions = "660";
    path = "/secrets/restic_env";
  };
  wg_priv = {
    user = "root";
    group = "root";
    permissions = "660";
    path = "/secrets/wg_priv";
  };
  wg_preshared_hetzner-vm = {
    user = "root";
    group = "root";
    permissions = "660";
    path = "/secrets/wg_preshared_hetzner-vm";
  };
  wg_preshared_tablet = {
    user = "root";
    group = "root";
    permissions = "660";
    path = "/secrets/wg_preshared_tablet";
  };
 }
--- a/hosts/vault/secrets.nix
+++ b/hosts/vault/secrets.nix
@ -29,6 +29,24 @@ in {
      echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > /secrets/restic_env
      chown ${secrets-db.restic_env.user}:${secrets-db.restic_env.group} /secrets/restic_env 
      chmod ${secrets-db.restic_env.permissions} /secrets/restic_env
      file=${secrets-db.wg_priv.path}
      echo $file
      simple_get "/private-public-keys/wireguard/chaos-internal/vault" .private > $file
      chown ${secrets-db.wg_priv.user}:${secrets-db.wg_priv.group} $file
      chmod ${secrets-db.wg_priv.permissions} $file
      file=${secrets-db.wg_preshared_hetzner-vm.path}
      echo $file
      simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.hetzner_vm > $file
      chown ${secrets-db.wg_preshared_hetzner-vm.user}:${secrets-db.wg_preshared_hetzner-vm.group} $file
      chmod ${secrets-db.wg_preshared_hetzner-vm.permissions} $file
      file=${secrets-db.wg_preshared_tablet.path}
      echo $file
      simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.tablet > $file
      chown ${secrets-db.wg_preshared_tablet.user}:${secrets-db.wg_preshared_tablet.group} $file
      chmod ${secrets-db.wg_preshared_tablet.permissions} $file
    '')
  ];
 }
--- a/hosts/vault/vault.nix
+++ b/hosts/vault/vault.nix
@ -9,6 +9,8 @@ in {
    profiles.nix-gc
    profiles.nginx
    ./profiles/wireguard.nix
    ./hardware.nix
    ./networking.nix
    ./secrets.nix
--- a/wg.key
+++ b/wg.key
@ -0,0 +1 @@
 qCxTpFUKxcRZOg+uWUgphnr8+tfoy33IOpuuuDWZUEQ=
--- a/wg.pub
+++ b/wg.pub
@ -0,0 +1 @@
 +gZf6RttTQHh/kdYrucasSJgDFpyIaG1UdickV4Mfj4=
		`@ -0,0 +1 @@`
							`qCxTpFUKxcRZOg+uWUgphnr8+tfoy33IOpuuuDWZUEQ=`
		`@ -0,0 +1 @@`
							`+gZf6RttTQHh/kdYrucasSJgDFpyIaG1UdickV4Mfj4=`