From 5f3695a5a31e957af9791f3e11e9073cc41277a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Laure=CE=B7t?=
Date: Mon, 26 Dec 2022 23:27:13 +0100
Subject: [PATCH] feat: add neodymium peer
---
 hosts/hydrogen/configuration.nix | 22 ++++++++++++++++------
 hosts/neodymium/configuration.nix | 14 ++++++++++++++
 2 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/hosts/hydrogen/configuration.nix b/hosts/hydrogen/configuration.nix
index a001943..bbf8782 100644
--- a/hosts/hydrogen/configuration.nix
+++ b/hosts/hydrogen/configuration.nix
@@ -15,9 +15,11 @@
 443 # https
 ];
 allowedUDPPorts = [
- 53 # DNS (blocky)
 5553 # wireguard
 ];
+ interfaces."wg0".allowedUDPPorts = [
+ 53 # dns
+ ];
 };
 };
@@ -26,22 +28,30 @@
 maxretry = 5;
 };
+ networking.nat.enable = true;
+ networking.nat.internalInterfaces = [ "wg0" ];
 networking.wireguard.interfaces = {
 wg0 = {
 ips = [ "10.0.0.1/24" ];
 listenPort = 5553;
 privateKeyFile = "/root/wg-private";
- peers = [{ # pixel
- publicKey = "HS2q+PpPPwxqT1jCD7D4puqr4ZyaXV5TostavlYWBx0=";
- allowedIPs = [ "10.0.0.2/32" ];
- }];
+ peers = [
+ { # pixel
+ publicKey = "HS2q+PpPPwxqT1jCD7D4puqr4ZyaXV5TostavlYWBx0=";
+ allowedIPs = [ "10.0.0.2/32" ];
+ }
+ { # neodymium
+ publicKey = "IFeRvelEilNRLkhWgFKL9HrJ9XYsm+r4yvv23CigETk=";
+ allowedIPs = [ "10.0.0.3/32" ];
+ }
+ ];
 };
 };
 services.blocky = {
 enable = true;
 settings = {
- upstream.default = [ "1.1.1.2" "1.0.0.2" ];
+ upstream.default = [ "208.67.222.222" "208.67.220.220" ];
 blocking = {
 refreshPeriod = "24h";
 clientGroupsBlock.default =
diff --git a/hosts/neodymium/configuration.nix b/hosts/neodymium/configuration.nix
index 4727393..7c4348b 100644
--- a/hosts/neodymium/configuration.nix
+++ b/hosts/neodymium/configuration.nix
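Review bot: The new `interfaces."wg0".allowedUDPPorts = [ 53 ]` rule opens DNS on the tunnel for UDP only, so a peer whose resolver retries over TCP after a truncated (TC-bit) answer is dropped by the firewall even though blocky serves the same port on TCP by default; add `interfaces."wg0".allowedTCPPorts = [ 53 ];` beside it. Removing 53 from the global `allowedUDPPorts` is the right move, since it stops the resolver from being reachable from the internet and usable for amplification. The enclosing `networking.firewall` set starts before this hunk.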
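Review bot: The added `networking.nat.enable = true` / `networking.nat.internalInterfaces = [ "wg0" ]` pair sets no `networking.nat.externalInterface`, so depending on the NixOS release the module either masquerades on every outgoing interface or fails its assertion; pin it to the real uplink, e.g. `networking.nat.externalInterface = "eth0";`. Enabling the NAT module also switches on IPv4 forwarding, so hydrogen now routes between its peers (pixel and neodymium) as well as out to the internet — if peer-to-peer reachability is not wanted, a forward rule on wg0 should deny it. The replacement upstreams `208.67.222.222` / `208.67.220.220` are, like the ones they replace, queried in plaintext on UDP 53; blocky accepts `tcp-tls:` and `https:` upstream prefixes, which would keep upstream resolution from being read or rewritten in transit. The two `peers` entries keep /32 `allowedIPs`, which is correct: cryptokey routing stops one peer from sourcing the other's address. The `services.blocky` set continues past the end of the hunk.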
@@ -33,6 +33,20 @@ in {
 networking.firewall.allowedTCPPorts = [ ];
 networking.firewall.allowedUDPPorts = [ ];
+ networking.wg-quick.interfaces = {
+ wg0 = {
+ address = [ "10.0.0.3/32" ];
+ dns = [ "10.0.0.1" ];
+ privateKeyFile = "/root/wireguard-keys/private";
+
+ peers = [{
+ publicKey = "y36/EpLUerwM6NSGsVDCkb37Wj/Z3CI0mPFGatVa0Ws=";
+ allowedIPs = [ "10.0.0.1/24" ];
+ endpoint = "fainsin.bzh:5553";
+ }];
+ };
+ };
+
 # use systemd-boot EFI boot loader
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
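Review bot: `allowedIPs = [ "10.0.0.1/24" ]` in the new peer entry has host bits set; WireGuard appears to mask it to 10.0.0.0/24 so it works, but it reads as a single-host entry — write `allowedIPs = [ "10.0.0.0/24" ];` if the whole VPN subnet should be reachable, or `"10.0.0.1/32"` if only the hub should. Either way this is a split tunnel: only 10.0.0.x traffic, including the `dns = [ "10.0.0.1" ]` queries, goes through wg0, while the hub side of this same commit enables NAT, so confirm that neodymium is not expected to route everything via hydrogen. Hydrogen lists no endpoint for neodymium, so the hub can only reach it after neodymium has sent something; behind a stateful NAT that mapping expires, and `persistentKeepalive = 25;` on the peer entry keeps it open if hub-initiated traffic is expected. The `in {` set this hunk belongs to starts before it.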