From e55590f59ed45a844e10a212602ff57dfdde5928 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Fri, 29 Aug 2025 13:52:05 +0200
Subject: [PATCH] Enable wireguard in apex

Reviewed-by: Aleix Roca Nonell
---
 m/apex/configuration.nix | 1 +
 m/apex/wireguard.nix | 31 +++++++++++++++++++++++++++++++
 secrets/secrets.nix | 2 ++
 secrets/wg-apex.age | 13 +++++++++++++
 4 files changed, 47 insertions(+)
 create mode 100644 m/apex/wireguard.nix
 create mode 100644 secrets/wg-apex.age

diff --git a/m/apex/configuration.nix b/m/apex/configuration.nix
index 9b4f0f4..17828a3 100644
--- a/m/apex/configuration.nix
+++ b/m/apex/configuration.nix
@@ -7,6 +7,7 @@
 ../module/ceph.nix
 ../module/slurm-server.nix
 ./nfs.nix
+ ./wireguard.nix
 ];
 
 # Don't install grub MBR for now
diff --git a/m/apex/wireguard.nix b/m/apex/wireguard.nix
new file mode 100644
index 0000000..a0636be
--- /dev/null
+++ b/m/apex/wireguard.nix
@@ -0,0 +1,31 @@
+{ config, ... }:
+
+{
+ networking.firewall = {
+ allowedUDPPorts = [ 666 ];
+ };
+
+ age.secrets.wgApex.file = ../../secrets/wg-apex.age;
+
+ # Enable WireGuard
+ networking.wireguard.enable = true;
+ networking.wireguard.interfaces = {
+ # "wg0" is the network interface name. You can name the interface arbitrarily.
+ wg0 = {
+ ips = [ "10.100.0.30/24" ];
+ listenPort = 666;
+ privateKeyFile = config.age.secrets.wgApex.path;
+ # Public key: VwhcN8vSOzdJEotQTpmPHBC52x3Hbv1lkFIyKubrnUA=
+ peers = [
+ {
+ name = "Fox";
+ publicKey = "VfMPBQLQTKeyXJSwv8wBhc6OV0j2qAxUpX3kLHunK2Y=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ endpoint = "fox.ac.upc.edu:666";
+ # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 013fa23..9673249 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
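Review bot: The Fox peer's `allowedIPs = [ "10.100.0.0/24" ]` in the new wireguard.nix is not only a route but WireGuard's cryptokey-routing ACL, so apex will accept packets from Fox carrying any source address in the /24 and send the whole subnet through Fox; that looks like a deliberate hub-and-spoke layout, but nothing in the file says so. A comment above `peers`, e.g. `# Fox is the hub: the whole 10.100.0.0/24 is routed via (and only accepted from) Fox; any direct peer added later must be carved out of this range`, would record the intent and warn the next editor that overlapping allowedIPs across peers are silently reassigned. The `# "wg0" is the network interface name. You can name the interface arbitrarily.` line is copied wiki boilerplate and can be dropped. The `# Public key: ...` comment next to `privateKeyFile` is informational only and can drift from the key actually stored in wg-apex.age, so it is worth marking it as such.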
@@ -3,6 +3,7 @@ let
 adminsKeys = builtins.attrValues keys.admins;
 hut = [ keys.hosts.hut ] ++ adminsKeys;
 fox = [ keys.hosts.fox ] ++ adminsKeys;
+ apex = [ keys.hosts.apex ] ++ adminsKeys;
 mon = [ keys.hosts.hut keys.hosts.tent ] ++ adminsKeys;
 tent = [ keys.hosts.tent ] ++ adminsKeys;
 # Only expose ceph keys to safe nodes and admins
@@ -27,4 +28,5 @@ in
 "munge-key.age".publicKeys = safe;
 "wg-fox.age".publicKeys = fox;
+ "wg-apex.age".publicKeys = apex;
 }
diff --git a/secrets/wg-apex.age b/secrets/wg-apex.age
new file mode 100644
index 0000000..d61c88c
--- /dev/null
+++ b/secrets/wg-apex.age
@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 fw2Xhg CO3xkQZ+Tzej6VOQg8GoGYMdRWP0s0w55S7PeZ/zq0o
+P119jX3o3ZdD+Dg/ehVIEsWdSCbmYksLDt4k4dovgl8
+-> ssh-ed25519 cK5kHw B9d+pwXxt8jDV+6WvHOxUQuwpYF4mHUoGPQaD7niuX4
+RxYK+0r28qTULJKaZiSQC5yqsi/BYTZ40TSIhpwxCk0
+-> ssh-ed25519 CAWG4Q akKCzdpc/17zOdLknTawmpJw3GuTLXjDlZz8CQg3hGE
+011OH3AnEmm36xg0p7FvHOL1xVpMllUf6lqs4BSUVeA
+-> ssh-ed25519 xA739A hv9vYtwBhrospLhJ5SQoNDkZx+blfYKZ/I40frj/u1Y
+s6KY1l2d6dEQouLbwL1Y56kC0Up9Tp1dmW91LYNYKjs
+-> ssh-ed25519 MSF3dg ehzqonjVpx3NFaxmSQc66VxkZEU5n7aiIOvuwYrl7wI
+yME0q4b5F9/eKJlNg+0sGuGTGp58UoNAf+MI8pj2faM
+--- KC628nslyddv5xZwh4DUj1nGqMx/mW+txSnYCjFRODY
+dl[b^َ-l+ТFfuڑnHLK ^12Vj[
\ No newline at end of file
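Review bot: The new `apex = [ keys.hosts.apex ] ++ adminsKeys;` binding in secrets.nix references `keys.hosts.apex`, and this patch does not show that attribute being added to the keys set; if it is not already defined there, evaluating secrets.nix (and any agenix rekey) fails on the missing attribute. Worth confirming that apex's host key landed in an earlier commit, or adding it alongside this change. The same list shape as `fox` is consistent with the existing recipients, so the encryption scope itself (host key plus admins) looks right.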