From 89828cfe649d28dbb22f6e58c63aed88896dda53 Mon Sep 17 00:00:00 2001 From: Kopatz <7265381+Kropatz@users.noreply.github.com> Date: Mon, 27 Oct 2025 17:42:06 +0100 Subject: [PATCH] ipv6 tunnel --- secrets/secrets.nix | 1 + secrets/wireguard-ipv6-private.age | 7 +++++++ systems/adam-site/configuration.nix | 29 +++++++++++++++++++++++++++++ 3 files changed, 37 insertions(+) create mode 100644 secrets/wireguard-ipv6-private.age diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 9f33078..f33987b 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -39,4 +39,5 @@ in "binary-cache.age".publicKeys = [ kop amd-server ]; "wireguard-evo-vpn.age".publicKeys = [ kop amd-server-vpn-vm ]; "cloudflare-api.age".publicKeys = [ kop mini-pc ]; + "wireguard-ipv6-private.age".publicKeys = [ kop adam-site ]; } diff --git a/secrets/wireguard-ipv6-private.age b/secrets/wireguard-ipv6-private.age new file mode 100644 index 0000000..a6a7c7e --- /dev/null +++ b/secrets/wireguard-ipv6-private.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 DCzi1A SzfFSShhtaTbl50TaKzonJ+wD0aH6OiCGc+VjrAPYgA +/oDPCrO3ePobzXslNU+GceZmc69W0sH0odxoBajMZRI +-> ssh-ed25519 bqM3xA uCtOI27AW7OliUcaWDNrKZqWvE/FNAORj0CU3HKvdUk +HMxi9G26o84kW2W/mEoUP0CtqKHqOhV7B9BWzIXAfQI +--- ManUbW0cdaI6mUQxJGtPNUB84LM9ov7AIJhQv2omQBY +xrloanI3e[ io|2qN9hz€]GP1ѱ5?S͏ \ No newline at end of file diff --git a/systems/adam-site/configuration.nix b/systems/adam-site/configuration.nix index 236d8ff..18f1168 100644 --- a/systems/adam-site/configuration.nix +++ b/systems/adam-site/configuration.nix 
@@ -120,5 +120,34 @@ }; }; + + # Tunnel IPv6 traffic over Wireguard + #wireguard pubkey CfYj5V6iMyGohKvQIu+NdJJSL+85+tqy422bmweCZ2c= + networking.nat.enable = true; + networking.nat.externalInterface = "enp1s0"; + networking.nat.internalInterfaces = [ "wg0" ]; + networking.nat.enableIPv6 = true; + networking.firewall = { + allowedUDPPorts = [ 51820 ]; + }; + + age.secrets.wireguard = { + file = ../../secrets/wireguard-ipv6-private.age; + }; + networking.wg-quick.interfaces = { + wg0 = { + autostart = true; + address = [ "10.100.0.1/24" "fd42:4242:4242::1/64" ]; + listenPort = 51820; + privateKeyFile = config.age.secrets.wireguard.path; + peers = [ + { + # kop pc + publicKey = "YgecbWSNRqOmylYqxr/V21LL3UpKEr5x42lXPAxriSc="; + allowedIPs = [ "10.100.0.2/32" "fd42:4242:4242::2/128" ]; + } + ]; + }; + }; system.stateVersion = "23.11"; }
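Review bot: The comment says this tunnels IPv6, but `networking.nat.enable = true` with `internalInterfaces = [ "wg0" ]` also masquerades the IPv4 range `10.100.0.0/24` out of `enp1s0`, so the host forwards both address families for the peer. The comment should say so, e.g. `# WireGuard server on wg0: NATs IPv4 and IPv6 from peers out of enp1s0`. `allowedUDPPorts = [ 51820 ]` opens the listen port on every interface; if only `enp1s0` has to accept handshakes, `networking.firewall.interfaces.enp1s0.allowedUDPPorts = [ 51820 ];` is narrower. The enclosing attribute set starts outside the hunk, so whether forwarded traffic from `wg0` is filtered is not visible here; confirm the peer can reach only what it is meant to. The `#wireguard pubkey` line should also name whose key it is (presumably this server's, paired with the age-encrypted private key).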