ipv6 tunnel

secrets/secrets.nix

@@ -39,4 +39,5 @@ in
   "binary-cache.age".publicKeys = [ kop amd-server ];
   "wireguard-evo-vpn.age".publicKeys = [ kop amd-server-vpn-vm ];
   "cloudflare-api.age".publicKeys = [ kop mini-pc ];
+  "wireguard-ipv6-private.age".publicKeys = [ kop adam-site ];
 }

secrets/wireguard-ipv6-private.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 DCzi1A SzfFSShhtaTbl50TaKzonJ+wD0aH6OiCGc+VjrAPYgA
+/oDPCrO3ePobzXslNU+GceZmc69W0sH0odxoBajMZRI
+-> ssh-ed25519 bqM3xA uCtOI27AW7OliUcaWDNrKZqWvE/FNAORj0CU3HKvdUk
+HMxi9G26o84kW2W/mEoUP0CtqKHqOhV7B9BWzIXAfQI
+--- ManUbW0cdaI6mUQxJGtPNUB84LM9ov7AIJhQv2omQBY
+xÿ¶Ôr­ªlo¥šanI3Èêée[iáoÄ|2õüqNà<>9ähézø¢ñ€]äG‘ЧàóPžÖÜ1ѱþ5”?SÍ<53>¦ì

systems/adam-site/configuration.nix

@@ -120,5 +120,34 @@
     };
 
   };
+
+  # Tunnel IPv6 traffic over Wireguard
+  #wireguard pubkey CfYj5V6iMyGohKvQIu+NdJJSL+85+tqy422bmweCZ2c=
+  networking.nat.enable = true;
+  networking.nat.externalInterface = "enp1s0";
+  networking.nat.internalInterfaces = [ "wg0" ];
+  networking.nat.enableIPv6 = true;
+  networking.firewall = {
+    allowedUDPPorts = [ 51820 ];
+  };
+
+  age.secrets.wireguard = {
+    file = ../../secrets/wireguard-ipv6-private.age;
+  };
+  networking.wg-quick.interfaces = {
+    wg0 = {
+      autostart = true;
+      address = [ "10.100.0.1/24" "fd42:4242:4242::1/64" ];
+      listenPort = 51820;
+      privateKeyFile = config.age.secrets.wireguard.path;
+      peers = [
+        {
+          # kop pc
+          publicKey = "YgecbWSNRqOmylYqxr/V21LL3UpKEr5x42lXPAxriSc=";
+          allowedIPs = [ "10.100.0.2/32" "fd42:4242:4242::2/128" ];
+        }
+      ];
+    };
+  };
   system.stateVersion = "23.11";
 }