add wireguard

test-server/configuration.nix

@@ -102,6 +102,8 @@ in{
     shash
     gparted
     restic
+    hdparm
+    wireguard-tools
   #  vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
   #  wget
   ];

test-server/flake.nix

@@ -24,6 +24,7 @@
         ./modules/ssh.nix
         ./modules/rdp.nix
         ./modules/docker.nix
+	./modules/wireguard.nix
         #./modules/dyndns.nix i think ddclient is deprecated
         #./modules/home-assistant.nix idk dont like this
         agenix.nixosModules.default

test-server/modules/adguard.nix

@@ -41,6 +41,10 @@
           "domain" = "inverter.local";
           "answer" = "192.168.0.9";
          }
+	 {
+	  "domain" = "nextcloud.local";
+	  "answer" = "192.168.0.6";
+	 }
         ];  
       };
       querylog = {

test-server/modules/nextcloud.nix

@@ -15,9 +15,11 @@
 
         # Setup Nextcloud virtual host to listen on ports
         virtualHosts = {
-            "localhost" = {
+            "nextcloud.local" = {
+		serverAliases = [ "192.168.2.1" ];
                 ## Force HTTP redirect to HTTPS
                 #forceSSL = true;
+		#sslTrustedCertificate = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
                 ## LetsEncrypt
                 #enableACME = true;
             };
@@ -33,10 +35,10 @@
     services.nextcloud = {
         enable = true;
         package = pkgs.nextcloud27;
-        hostName = "localhost";
+        hostName = "nextcloud.local";
         config.adminpassFile = config.age.secrets.nextcloud-admin.path;
-
-        home = "/var/lib/nextcloud";
+	config.extraTrustedDomains = [ "192.168.2.1" ];
+        home = "/mnt/250ssd/nextcloud";
 
         extraApps = {
             spreed = pkgs.fetchNextcloudApp rec {

test-server/modules/wireguard.nix

@@ -0,0 +1,41 @@
+{ config, pkgs, lib, inputs, ... }:
+{
+
+  age.secrets.wireguard-private = {
+    file = ../secrets/wireguard-private.age;
+  };
+
+  networking.nat.enable = true;
+  networking.nat.externalInterface = "eth0";
+  networking.nat.internalInterfaces = [ "wg0" ];
+  networking.firewall.allowedUDPPorts = [ 51820 ];
+
+  networking.wg-quick.interfaces = {
+    wg0 = {
+      dns = [ "192.168.2.1" ];
+      listenPort = 51820;
+      address = [
+        "192.168.2.1/24"
+      ];
+      peers = [
+        {
+          allowedIPs = [
+            "192.168.2.2/32"
+          ];
+	  persistentKeepalive = 25;
+          endpoint = "192.168.0.6:51820";
+          publicKey = "dUBPIEnAiHIZCMjqV0ya8qotN3UnMhlEVyGNQcR3gVI=";
+        }
+        {
+          allowedIPs = [
+            "192.168.2.3/32"
+          ];
+	  persistentKeepalive = 25;
+          endpoint = "kopatz.ddns.net:51820";
+          publicKey = "Eg5ZS3zN05mJ/gct6wJlwVAHTlXpkhxFfUd7yscANV0=";
+        }
+      ];
+      privateKeyFile = config.age.secrets.wireguard-private.path;
+    };
+  };
+}

test-server/secrets/secrets.nix

@@ -9,4 +9,5 @@ in
   "duckdns.age".publicKeys = [ nix-test-vm server ];
   "nextcloud-admin.age".publicKeys = [ nix-test-vm server ];
   "restic-pw.age".publicKeys = [ nix-test-vm server ];
+  "wireguard-private.age".publicKeys = [ nix-test-vm server ];
 }

test-server/secrets/wireguard-private.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 yfCCMw 8R//RguE7Om0PFjixliXpwEchVwPcm9COYTz7TIZxTE
+81yMA9B/T6tbZfw6mU4TlYfCd6BEUC3UlBz1hNUXZ30
+-> ssh-ed25519 IV3DkQ 0kS9JOiAPfLi8Zoj6BM0pVwSmDr+BnWvIh7rGwZ21G0
+jbMIkFk8DEQ2tWgOWho1JrZkwKWW93GW9dzS3fTKMF4
+-> $ByN}E,-grease O$8`|NT 17d} %u)^D-
+x6SEG984W9vUAb0FCiZP0R4kQkYFOr3BGLpHP8HF8fj9LHWwxNb3PrntcOPJuvf7
+oep4FMyBFHchh6RhyrdRlOf6hCLnmybNKzs
+--- fCozYj+thQdIGXzdVLgLpLup9CI0QIEdgoMxfFVHGgs
+­<EFBFBD>WV”ožE›il3õ—ñz`¡†´ø<C2B4>®ð¤	, o
سe-ÿºZüAto‹Ok¬@1åb¢.U<>NrB¢«zrZY…ëÚý

test-server/wg-publickey

@@ -0,0 +1 @@
+vyHNUy97R1cvqEvElznPpFQtoqm7WUHnT96UP6Dquwc=