hosts/flandre-m5p: experimenting with wireguard in enthalpy network

nixos/hosts/flandre-m5p/networking.nix

@@ -2,6 +2,8 @@
   profiles,
   lib,
   config,
+  hostData,
+  mylib,
   ...
 }:
 {
@@ -73,4 +75,47 @@
       }
     '';
   };
+
+  sops.secrets."wireguard/reimu-aston/private-key" = {
+    sopsFile = config.sops.secretFiles.get "hosts/flandre-m5p.yaml";
+  };
+
+  sops.secrets."wireguard/reimu-aston/preshared-key" = {
+    sopsFile = config.sops.secretFiles.get "hosts/flandre-m5p.yaml";
+  };
+
+  networking.wireguard = {
+    enable = true;
+    interfaces = {
+      reimu-aston = {
+        privateKeyFile = config.sops.secrets."wireguard/reimu-aston/private-key".path;
+        interfaceNamespace = "enthalpy";
+        listenPort = config.networking.ports.enthalpy-wireguard-reimu-aston;
+        peers = lib.singleton {
+          publicKey = "Phf1usg7i2vW5gawA1C44ZIydCFFCUqyP01w9j4/bEY=";
+          presharedKeyFile = config.sops.secrets."wireguard/reimu-aston/preshared-key".path;
+          allowedIPs = [
+            "172.16.0.1/32"
+            "${mylib.network.cidr.host 1 (mylib.network.cidr.subnet 4 15 hostData.enthalpy_node_prefix)}/128"
+          ];
+        };
+      };
+    };
+  };
+
+  networking.netns.enthalpy = {
+    enableIPv4Forwarding = lib.mkForce true;
+    nftables = {
+      enable = true;
+      tables.wireguard-reimu-aston = {
+        family = "ip";
+        content = ''
+          chain postrouting {
+            type nat hook postrouting priority srcnat; policy accept;
+            iifname reimu-aston oifname clat counter masquerade
+          }
+        '';
+      };
+    };
+  };
 }

nixos/modules/networking/ports.nix

@@ -19,6 +19,7 @@ in
 
       # public ports
       enthalpy-ipsec = 13000;
+      enthalpy-wireguard-reimu-aston = 13101;
     };
     readOnly = true;
     description = ''

secrets/hosts/flandre-m5p.yaml

@@ -0,0 +1,33 @@
+wireguard:
+  reimu-aston:
+    private-key: ENC[AES256_GCM,data:nDTbKn9c0GUDXOb5y5weTb0TBOnU7VVYHvGgkquk23/xwOo/kpQT7WgYpdY=,iv:m+cGfoovt3/sw53AbHwVkW2Zkc2KdI02o8AAlG3tPeI=,tag:mwemrV7fFy0FJwq8oRCF/w==,type:str]
+    preshared-key: ENC[AES256_GCM,data:ovMA+JtopMszF8+h6A3I9wzDgr/FYPLYRYZmOw8Obap06mRVVlRKgtSRT9Y=,iv:tFTenFvd6IZKGqfMZXO7LvaS7hdAoPUFW3xMXR4oDak=,tag:W05WeEk6AQo8wL5S7Mw2pQ==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1sfnct03u4cvfj98x4yjrcrrnu5gg8qgxrwk4uqq8w4e6wveeaedq97rn44
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSdjgyV29OM2xJaytVQWU5
+        aWtxeUkxOVlURVIxTGlZclNTTUlhajVjYVN3CkNUa3VPUkY5SlZ3MkdVZm1XTUJT
+        cTg4TEFoQTFjTFp1SEFXaXJLelFhYjgKLS0tIHRmdnlSbGN5Uzhob0pMNFRxbHdy
+        QW9UTy9BYmJOYmlkYWJTcVBPWGlLUlUK5jo471dQzEaIbdB+xUITaBm8zCqPIvxK
+        4kg33gSVFm3Uc4vYchHcLGaqjqUpi/XV6VGaD0IekjQH5YI13XKExg==
+        -----END AGE ENCRYPTED FILE-----
+    - recipient: age166kxtrcx99fxlgtvz5mvyt5ctvk3dt09f42gvm94ngnkyztmmelsyzdn77
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjQjdPZXZkY05IWi93cDZu
+        VUw2WTlaV3RGdDY0RXYrNGFIQ0Noc1JZQzJ3CjVJUGRYZk02WHArMFg2RkxSczhG
+        NlFIS2pUbGdnN1dkNjdWSDNCSFc5a1EKLS0tIGNucjVTTkk5NjF3N0F1VDRRWWxV
+        ZUQvKzQvYXFPSFNEWVZwVUhjWENKV2cK3l3bpCH/gz2zzT4ODmMHy4QYFsY2aTb5
+        8wbBKMFMNBuQWMrs1bjOQQxU6MBOy7Op0RnlOuuQwAt8yjszA7EYUw==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-12-13T08:36:58Z"
+  mac: ENC[AES256_GCM,data:+vGdTalZ/srSCVEXURZUAVlLlZn6S9CfT9A5zsWE2RSx8A+4FCCVLrMrLQdF0MxAJ5D5/cQ8rSzc6/vkG17SjnL8zIlY0BJ6YXNaY9EjvRsK6733ClpuB8UL6KJmgqgLRilPZSMh2anUSLlzvX7PL0oGGWNrf5/ARdbiSaVwww0=,iv:+IsjX908W/yzwz2M19QHwWC+9cLVEaE+oj8sSAPk4YE=,tag:D1Gtymr0G7bgQasRaLQvmw==,type:str]
+  pgp: []
+  unencrypted_suffix: _unencrypted
+  version: 3.9.1