From 8b5ebc82195ebff44e3d189b9dde363df06f051e Mon Sep 17 00:00:00 2001
From: Kopatz <7265381+Kropatz@users.noreply.github.com>
Date: Thu, 26 Oct 2023 23:58:07 +0200
Subject: [PATCH] add wireguard
---
 test-server/configuration.nix | 2 ++
 test-server/flake.nix | 1 +
 test-server/modules/adguard.nix | 4 +++
 test-server/modules/nextcloud.nix | 12 ++++---
 test-server/modules/wireguard.nix | 41 +++++++++++++++++++++++
 test-server/secrets/secrets.nix | 1 +
 test-server/secrets/wireguard-private.age | 10 ++++++
 test-server/wg-publickey | 1 +
 8 files changed, 67 insertions(+), 5 deletions(-)
 create mode 100644 test-server/modules/wireguard.nix
 create mode 100644 test-server/secrets/wireguard-private.age
 create mode 100644 test-server/wg-publickey
diff --git a/test-server/configuration.nix b/test-server/configuration.nix
index f70930b..d3f7915 100644
--- a/test-server/configuration.nix
+++ b/test-server/configuration.nix
@@ -102,6 +102,8 @@ in{
 shash
 gparted
 restic
+ hdparm
+ wireguard-tools
 # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
 # wget
 ];
diff --git a/test-server/flake.nix b/test-server/flake.nix
index 90cdd2e..e4f4fd8 100644
--- a/test-server/flake.nix
+++ b/test-server/flake.nix
@@ -24,6 +24,7 @@
 ./modules/ssh.nix
 ./modules/rdp.nix
 ./modules/docker.nix
+ ./modules/wireguard.nix
 #./modules/dyndns.nix i think ddclient is deprecated
 #./modules/home-assistant.nix idk dont like this
 agenix.nixosModules.default
diff --git a/test-server/modules/adguard.nix b/test-server/modules/adguard.nix
index ecc8cd5..dbb4d1a 100644
--- a/test-server/modules/adguard.nix
+++ b/test-server/modules/adguard.nix
@@ -41,6 +41,10 @@
 "domain" = "inverter.local";
 "answer" = "192.168.0.9";
 }
+ {
+ "domain" = "nextcloud.local";
+ "answer" = "192.168.0.6";
+ }
 ];
 };
 querylog = {
diff --git a/test-server/modules/nextcloud.nix b/test-server/modules/nextcloud.nix
index 2a6b8b9..e0354cf 100644
--- a/test-server/modules/nextcloud.nix
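Review bot: The new `nextcloud.local` rewrite in adguard.nix may never be consulted by clients that implement multicast DNS: `.local` is the mDNS domain (RFC 6762), and stub resolvers such as systemd-resolved, Avahi and Bonjour send `*.local` queries to multicast instead of to the configured DNS server, so only clients that route `.local` to unicast DNS will receive the 192.168.0.6 answer. The existing `inverter.local` entry has the same limitation, so this may well work in the author's environment, but a name under a non-reserved private zone such as `nextcloud.home.arpa` (RFC 8375) avoids the dependence on resolver behaviour; the matching `hostName` in nextcloud.nix would need to change with it. The `rewrites` list this hunk appends to begins before the hunk.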
+++ b/test-server/modules/nextcloud.nix
@@ -15,9 +15,11 @@
 # Setup Nextcloud virtual host to listen on ports
 virtualHosts = {
- "localhost" = {
+ "nextcloud.local" = {
+ serverAliases = [ "192.168.2.1" ];
 ## Force HTTP redirect to HTTPS
 #forceSSL = true;
+ #sslTrustedCertificate = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
 ## LetsEncrypt
 #enableACME = true;
 };
@@ -33,10 +35,10 @@
 services.nextcloud = {
 enable = true;
 package = pkgs.nextcloud27;
- hostName = "localhost";
+ hostName = "nextcloud.local";
 config.adminpassFile = config.age.secrets.nextcloud-admin.path;
-
- home = "/var/lib/nextcloud";
+ config.extraTrustedDomains = [ "192.168.2.1" ];
+ home = "/mnt/250ssd/nextcloud";
 extraApps = {
 spreed = pkgs.fetchNextcloudApp rec {
@@ -59,4 +61,4 @@
 "OC\\Preview\\HEIC"
 ];
 };
-}
\ No newline at end of file
+}
diff --git a/test-server/modules/wireguard.nix b/test-server/modules/wireguard.nix
new file mode 100644
index 0000000..309c452
--- /dev/null
+++ b/test-server/modules/wireguard.nix
@@ -0,0 +1,41 @@
+{ config, pkgs, lib, inputs, ... }:
+{
+
+ age.secrets.wireguard-private = {
+ file = ../secrets/wireguard-private.age;
+ };
+
+ networking.nat.enable = true;
+ networking.nat.externalInterface = "eth0";
+ networking.nat.internalInterfaces = [ "wg0" ];
+ networking.firewall.allowedUDPPorts = [ 51820 ];
+
+ networking.wg-quick.interfaces = {
+ wg0 = {
+ dns = [ "192.168.2.1" ];
+ listenPort = 51820;
+ address = [
+ "192.168.2.1/24"
+ ];
+ peers = [
+ {
+ allowedIPs = [
+ "192.168.2.2/32"
+ ];
+ persistentKeepalive = 25;
+ endpoint = "192.168.0.6:51820";
+ publicKey = "dUBPIEnAiHIZCMjqV0ya8qotN3UnMhlEVyGNQcR3gVI=";
+ }
+ {
+ allowedIPs = [
+ "192.168.2.3/32"
+ ];
+ persistentKeepalive = 25;
+ endpoint = "kopatz.ddns.net:51820";
+ publicKey = "Eg5ZS3zN05mJ/gct6wJlwVAHTlXpkhxFfUd7yscANV0=";
+ }
+ ];
+ privateKeyFile = config.age.secrets.wireguard-private.path;
+ };
+ };
+}
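Review bot: In the `@@ -33,10 +35,10 @@` hunk of nextcloud.nix, `home = "/mnt/250ssd/nextcloud"` moves the data directory onto what looks like a separate disk, but the diff shows no mount declaration; if `/mnt/250ssd` is a normal `fileSystems` entry the ordering via local-fs.target is implicit, but if it is mounted `nofail` or outside NixOS, `nextcloud-setup` can run with the directory absent and initialise data on the root filesystem, in which case `systemd.services.nextcloud-setup.after = [ "mnt-250ssd.mount" ];` (plus `requires`) pins the order. `config.extraTrustedDomains = [ "192.168.2.1" ]` together with the `serverAliases` line in the first hunk makes the instance reachable on the WireGuard address while `forceSSL` stays commented out, so logins from the LAN side still travel as plain HTTP; the tunnel path is protected by WireGuard, the LAN path is not. The `#sslTrustedCertificate` line added in the first hunk is nginx's OCSP-stapling/client-cert trust bundle option, not something that enables TLS, so it reads as leftover experimentation and could be dropped. The `services.nextcloud` attribute set continues past the hunk.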
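Review bot: `dns = [ "192.168.2.1" ]` on wg0 in wireguard.nix is the interface's own address, and in wg-quick the `dns` setting rewrites the host's resolver configuration whenever the tunnel comes up, so on this server it points the machine's own DNS at itself through wg0; that setting belongs in the peers' client configs and should be removed here unless that is intended. `networking.nat.externalInterface = "eth0"` is a hard-coded interface name; with predictable interface naming the uplink may be called something else, and a wrong name yields no masquerading without any error, so it is worth confirming against the host's real interface. Together with `networking.nat.internalInterfaces = [ "wg0" ]` this gives peers NATed reach into the whole LAN; if the tunnel only needs to reach this host's services, NAT can be left off, and the per-peer `/32` allowedIPs are appropriately tight either way. Because each peer carries an `endpoint`, the server also initiates handshakes, and wg-quick resolves `kopatz.ddns.net` once at interface start, so a DynDNS address change needs a restart of wg-quick-wg0. A `presharedKeyFile` per peer would be an optional extra layer, and `lib` and `inputs` in the module arguments are unused.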
diff --git a/test-server/secrets/secrets.nix b/test-server/secrets/secrets.nix
index 89855fd..4fb3cff 100644
--- a/test-server/secrets/secrets.nix
+++ b/test-server/secrets/secrets.nix
@@ -9,4 +9,5 @@ in
 "duckdns.age".publicKeys = [ nix-test-vm server ];
 "nextcloud-admin.age".publicKeys = [ nix-test-vm server ];
 "restic-pw.age".publicKeys = [ nix-test-vm server ];
+ "wireguard-private.age".publicKeys = [ nix-test-vm server ];
 }
diff --git a/test-server/secrets/wireguard-private.age b/test-server/secrets/wireguard-private.age
new file mode 100644
index 0000000..f8c9741
--- /dev/null
+++ b/test-server/secrets/wireguard-private.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1 +-> ssh-ed25519 yfCCMw 8R//RguE7Om0PFjixliXpwEchVwPcm9COYTz7TIZxTE +81yMA9B/T6tbZfw6mU4TlYfCd6BEUC3UlBz1hNUXZ30 +-> ssh-ed25519 IV3DkQ 0kS9JOiAPfLi8Zoj6BM0pVwSmDr+BnWvIh7rGwZ21G0 +jbMIkFk8DEQ2tWgOWho1JrZkwKWW93GW9dzS3fTKMF4 +-> $ByN}E,-grease O$8`|NT 17d} %u)^D- +x6SEG984W9vUAb0FCiZP0R4kQkYFOr3BGLpHP8HF8fj9LHWwxNb3PrntcOPJuvf7 +oep4FMyBFHchh6RhyrdRlOf6hCLnmybNKzs +--- fCozYj+thQdIGXzdVLgLpLup9CI0QIEdgoMxfFVHGgs +WVoEil3z` ,oe-ZAtoOk@1b.UNrBzrZY \ No newline at end of file
diff --git a/test-server/wg-publickey b/test-server/wg-publickey
new file mode 100644
index 0000000..c5c9d6a
--- /dev/null
+++ b/test-server/wg-publickey
@@ -0,0 +1 @@
+vyHNUy97R1cvqEvElznPpFQtoqm7WUHnT96UP6Dquwc=
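Review bot: `"wireguard-private.age".publicKeys = [ nix-test-vm server ]` in secrets.nix lets both hosts decrypt the same WireGuard private key, so if nix-test-vm ever evaluates wireguard.nix it would present the server's identity and its `192.168.2.1` address to the peers; WireGuard keys are per-endpoint, so unless the VM is meant to stand in for the server, encrypting this secret to `server` only, or giving the VM its own key and `.age` file, keeps the identities distinct. This follows the pattern of the other secrets in the file, so it may be a deliberate testing setup. The committed `wg-publickey` file and the peer `publicKey` values in wireguard.nix are public material and are fine to keep in the repository.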