Add wireguard tunnel for hetzner ha ip

hosts/magnesium/configuration.nix

@@ -4,6 +4,7 @@
   imports = [
     ./hardware-configuration.nix
     ../../home-manager/users/jalr.nix
+    ./services
   ];
 
   networking.hostName = "magnesium";

hosts/magnesium/secrets.yaml

@@ -0,0 +1,32 @@
+wireguard_key_hetzner-ha: ENC[AES256_GCM,data:HEW+EalHg6/mq7pRKZkasGz0nqbkSppkf0H/uV5QMJnWwKw9a9W21Y77OSw=,iv:OA6yml1T5kVafX0RYd0Es7DHcGjJazUxP2M6a5Pwkag=,tag:lX5UPIseIQ136HLrHbzZyw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1swv42gad884z2v75kateem6k2za6ltkq6wu90ewqp6dp7gxprawslwz0w0
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwa0ZIdE9lc2lNZlN0UFBU
+            RWdxQm1oR01GemJOSE9ZU1RYc3crRGg5REF3ClUzaEhyelZNTVUxeEwvc1V3eDBt
+            SUx0UXU0aTdnTGlTaWJvd2R6ajZmNVkKLS0tICszejE3WVNOTHR6Rms2bjQrbzEz
+            Vlk3Y1luTTg3bkpqNTNPUGlNYmNtMW8K9dEUwAuzvDZZoVi8FPZQ7/h75EV0L+VM
+            MlTGfEt38Hi7EOw+yfXvXYHse/OKypwcrPiJDT6IT/E+O9BJCjPKCA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-06-22T12:44:40Z"
+    mac: ENC[AES256_GCM,data:pyqtldMaMmQw7Qh5LsWGqD6QQhk7Ni+QzWrn7nqM+PtCwMDDccNp6ZWF70IwU5todmvRgLrW3Ke9SVlMTYCaHNQ8/W5iL4vrOJY1txrXSEqfwZ3ODGXKOFILqYNdi5fAMtkqu0rBHFo+ZQ44bPg/oEYp6V5idlkHRQnQWJifFtI=,iv:DQ4O9/8HKwLLSBz+BDS3FRUVG3HAA8tTpSRQ4BxZ8Uo=,tag:6W/PCbQiu/Q1f2Q3e0OtPQ==,type:str]
+    pgp:
+        - created_at: "2023-06-22T12:44:23Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4D3ylLYNOsO+0SAQdAD/wwGspjkzL/xlqVxl8pixtRQGAlyuEJdTwja6e4bkAw
+            I+xwPhJH9FpkwArRKErtW9u6e9lM8zJOvgteseTRmQFkQ9fyTtXAx2lLg5JOFdYn
+            0l4BkaozbVKjx1XEJBoBUF1YMfREKyrORk/kU2UTluQKkEp7xaojZkuhWEqEMC7N
+            tKVpPhef7M5escwcpQCpoI5+DCepJQDfoxyiAWx8P0a6tbV2F+X9y6kgb6iuWpf2
+            =WNKv
+            -----END PGP MESSAGE-----
+          fp: 66FB54F6081375106EEBF651A222365EB448F934
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

hosts/magnesium/services/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./public-ip-tunnel.nix
+  ];
+}

hosts/magnesium/services/public-ip-tunnel.nix

@@ -0,0 +1,44 @@
+{ config, lib, pkgs, ... }:
+
+let
+  listenPort = 51000;
+  publicKey = "GCmQs7upvDYFueEfqD2yJkkOZg3K7YaGluWWzdjsyTo=";
+in
+{
+  sops.secrets = (
+    lib.listToAttrs (map
+      (name: lib.nameValuePair "wireguard_key_${name}" {
+        sopsFile = ../secrets.yaml;
+      })
+      [
+        "hetzner-ha"
+      ]
+    )
+  );
+
+  #boot.kernel.sysctl = {
+  #  "net.ipv4.conf.all.forwarding" = 1;
+  #  "net.ipv4.conf.hetzner-ha.proxy_arp" = 1;
+  #  "net.ipv4.conf.enp1s0.proxy_arp" = 1;
+  #};
+  networking.interfaces.hetzner-ha.proxyARP = true;
+  networking.interfaces.enp1s0.proxyARP = true;
+
+  networking.wireguard.interfaces = {
+    hetzner-ha = {
+      ips = [ ];
+      privateKeyFile = config.sops.secrets.wireguard_key_hetzner-ha.path;
+      listenPort = listenPort;
+
+      peers = [{
+        publicKey = publicKey;
+        persistentKeepalive = 25;
+        allowedIPs = [
+          "159.69.103.126/32"
+        ];
+      }];
+    };
+  };
+
+  networking.firewall.allowedUDPPorts = [ listenPort ];
+}