From 014564191dab1f01c898b13fba152a5ec9085e30 Mon Sep 17 00:00:00 2001
From: kalipso
Date: Mon, 16 Dec 2024 22:00:05 +0100
Subject: [PATCH] [modules] init vpn
---
 machines/modules/malobeo/peers.nix | 24 ++++++++
 machines/modules/malobeo/wireguard.nix | 85 ++++++++++++++++++++++++++
 2 files changed, 109 insertions(+)
 create mode 100644 machines/modules/malobeo/peers.nix
 create mode 100644 machines/modules/malobeo/wireguard.nix
diff --git a/machines/modules/malobeo/peers.nix b/machines/modules/malobeo/peers.nix
new file mode 100644
index 0000000..c42ae11
--- /dev/null
+++ b/machines/modules/malobeo/peers.nix
@@ -0,0 +1,24 @@
+{
+ "vpn" = {
+ role = "server";
+ publicIp = "5.9.153.217";
+ ips = [ "10.100.0.1/24" ];
+ allowedIPs = [ "10.100.0.0/24" ];
+ listenPort = 51821;
+ publicKey = "";
+ };
+
+ "fanny" = {
+ role = "client";
+ ips = [ "10.100.0.2/24" ];
+ allowedIPs = [ "10.100.0.0/24" ];
+ publicKey = "";
+ };
+
+ "test" = {
+ role = "client";
+ ips = [ "10.100.0.3/24" ];
+ allowedIPs = [ "10.100.0.0/24" ];
+ publicKey = "";
+ };
+}
diff --git a/machines/modules/malobeo/wireguard.nix b/machines/modules/malobeo/wireguard.nix
new file mode 100644
index 0000000..600a963
--- /dev/null
+++ b/machines/modules/malobeo/wireguard.nix
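Review bot: Every client entry carries `allowedIPs = [ "10.100.0.0/24" ]`, and since wireguard.nix passes that attribute straight through as the server's peer config, both fanny and test would claim the whole subnet on the server; WireGuard's cryptokey routing assigns an allowed IP to only one peer, so whichever peer is configured last owns the route and the other client's return traffic is dropped. The /24 is right on the server entry (clients route the subnet via it), but each client entry should advertise only its own address, e.g. `allowedIPs = [ "10.100.0.2/32" ];` for fanny and `allowedIPs = [ "10.100.0.3/32" ];` for test. The `publicKey = ""` placeholders will also make wg reject the peer until they are filled in; a comment such as `# publicKey: base64 WireGuard public key of this host, fill in before enabling` next to each entry would make that explicit.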
@@ -0,0 +1,85 @@
+{ config, self, lib, inputs, options, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.malobeo.vpn;
+ peers = import ./peers.nix;
+ myPeer = peers.${cfg.name};
+
+ peerList = builtins.filter (peer: peer.role != myPeer.role) (builtins.attrValues peers);
+ peerListWithEndpoint = map (host:
+ if host.role == "server" then
+ host // { endpoint = "${host.publicIp}:${builtins.toString host.listenPort}"; }
+ else
+ host
+ ) peerList;
+ filteredPeerlist = map (host: builtins.removeAttrs host [ "role" "ips" "listenPort" "publicIp" ] ) peerListWithEndpoint;
+in
+{
+ options = {
+ services.malobeo.vpn = {
+ enable = mkOption {
+ default = false;
+ type = types.bool;
+ description = lib.mdDoc "Setup wireguard to access malobeo maintainance vpn";
+ };
+
+ name = mkOption {
+ default = "";
+ type = types.str;
+ description = ''
+ Name of the host in peers.nix
+ '';
+ };
+
+ privateKey = mkOption {
+ default = "";
+ type = types.str;
+ description = ''
+ Path to private key
+ '';
+ };
+ };
+ };
+
+ imports = [
+ inputs.microvm.nixosModules.host
+ ];
+
+ config = mkIf cfg.enable {
+ assertions = [
+ #{
+ # assertion = !(myPeer != "client" && cfg.role != "server");
+ # message = ''
+ # VPN Role must be either client or server, nothing else!
+ # '';
+#}
+ ];
+
+ networking.wireguard = {
+ enable = true;
+ interfaces = {
+ wg0 = {
+ ips = myPeer.ips;
+ listenPort = mkIf (myPeer.role == "server") myPeer.listenPort;
+
+ # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+ # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+ postSetup = mkIf (myPeer.role == "server") ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+
+ # This undoes the above command
+ postShutdown = mkIf (myPeer.role == "server") ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+
+ privateKey = cfg.privateKey;
+
+ peers = filteredPeerlist;
+ };
+ };
+ };
+ };
+}
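Review bot: `privateKey = cfg.privateKey;` near the end of the hunk feeds the option into `networking.wireguard.interfaces.wg0.privateKey`, which takes the key material itself, while the option is declared and described as "Path to private key"; a key string placed there also ends up in the world-readable Nix store. Use the file-based attribute instead, `privateKeyFile = cfg.privateKey;`, so the value stays a path and the secret is only read at activation time. Separately, `myPeer = peers.${cfg.name}` in the let block fails with an unhelpful missing-attribute error when `name` is left at its default `""`, and the commented-out assertion refers to `cfg.role`, which is not a declared option; a working check would be `{ assertion = builtins.hasAttr cfg.name peers; message = "services.malobeo.vpn.name must name a host in peers.nix"; }`. The `imports = [ inputs.microvm.nixosModules.host ]` entry also looks unrelated to a WireGuard module and may be a leftover, though that is only inferable from this hunk.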