-rw-r--r--hosts/flex-wg-router/configuration.nix22
-rw-r--r--hosts/flex-wg-router/resources/secrets/wg.yaml17
-rw-r--r--hosts/flex-wg-router/wg.nix9
-rw-r--r--hosts/poweredge/configuration.nix1
-rw-r--r--hosts/poweredge/ddns-updater.nix7
-rw-r--r--hosts/poweredge/networking.nix39
-rw-r--r--hosts/poweredge/resources/secrets/wg1.yaml16
-rw-r--r--hosts/poweredge/wg1.nix7
-rw-r--r--nixos/secrets.nix14
-rw-r--r--nixos/services/router/dns-dhcp.nix3
-rw-r--r--nixos/services/router/routing.nix6
-rw-r--r--users/timmy/wifi.nix13
12 files changed, 106 insertions, 48 deletions
diff --git a/hosts/flex-wg-router/configuration.nix b/hosts/flex-wg-router/configuration.nix
index 5777626..18d9667 100644
--- a/hosts/flex-wg-router/configuration.nix
+++ b/hosts/flex-wg-router/configuration.nix
@@ -1,6 +1,8 @@
{ config, lib, pkgs, ... }: let
ipAddress = "10.1.1.1";
in {
+ imports = [ ./wg.nix ];
+
# Setup bootloader
boot._loader.enable = true;
@@ -18,8 +20,8 @@ in {
_interfaceLabels = {
enable = true;
interfaces = {
- lan0 = "98:b7:85:22:9b:43"; # Internal
- wan0 = "54:ee:75:8c:4b:2d"; # External
+ lan0 = "98:b7:85:22:9b:43"; # External
+ wan0 = "54:ee:75:8c:4b:2d"; # Internal
};
};
# Set ip addresses
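Review bot: The swapped comments leave the MAC-to-label mapping unchanged while now saying lan0 is External and wan0 Internal, which contradicts both the option names and the firewall rule later in this file that opens UDP 51820 only on `wan0`. If the MAC assignment was what was wrong, the fix is to swap the two MAC strings rather than the comments; if the comments are now correct, the firewall and router interface settings have to follow, otherwise the WireGuard port is being opened on the internal side. The enclosing `networking` set starts and ends outside this hunk.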
@@ -37,27 +39,15 @@ in {
address = "46.110.173.161";
interface = "wan0";
};
- nameservers = [ "127.0.0.1" ];
# Firewall rules
firewall = {
interfaces.wan0 = {
- allowedTCPPorts = [ 22 ];
+ allowedUDPPorts = [ 51820 ];
};
};
- #nat.forwardPorts = [
- # {
- # sourcePort = 2222;
- # proto = "tcp";
- # destination = "10.1.1.1:22";
- # }
- # {
- # sourcePort = 22;
- # proto = "tcp";
- # destination = "10.1.1.1:22";
- # }
- #];
};
+ # Router config
services._router = {
dnsDhcpConfig = {
localDomain = "wg-router.pls.lan";
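Review bot: Replacing `allowedTCPPorts = [ 22 ];` with `allowedUDPPorts = [ 51820 ];` on wan0 removes the only visible path for SSH from the WAN side, so remote administration now depends on the WireGuard tunnel coming up with a working config; if that is intended, record it with a comment such as `# No management ports on wan0: SSH is reachable only over wg0/wg1`. Dropping `nameservers = [ "127.0.0.1" ];` presumably relies on the new `lib.mkDefault [ cfg.dhcp.localhostIp ]` in dns-dhcp.nix, which requires `dnsDhcpConfig.dhcp.localhostIp` to be defined for this host — that part of the router config is outside the hunk. The enclosing `networking` set starts before the hunk.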
diff --git a/hosts/flex-wg-router/resources/secrets/wg.yaml b/hosts/flex-wg-router/resources/secrets/wg.yaml
new file mode 100644
index 0000000..1f6867b
--- /dev/null
+++ b/hosts/flex-wg-router/resources/secrets/wg.yaml
@@ -0,0 +1,17 @@
+wg1: ENC[AES256_GCM,data:r7jNBzEcItmlEtjhKCbyOBaNYfutKxC2UdUYSLHfYyLnwwdIwM1kfvd5K1/UZNAKoG7sHpBha59M1tvZAOIGAFnzG14YsVrMD8w6Qy4pc0FmdyNHDEM4EwaqHFRjbb5oBAFv6lI2VZ3AgXf6StXoVUYtbEA1QBVqVq4Syk6/CalnhkE2LuZpuVA5GZUZ8aTmFRp9zOnhcNoVJMrokTUswV4Mgn3zt2Tb+3bfoZJ9jbb6H8P/F0NGU+phy0EENZMIqOGBP5aPPIZfVQYphQcG6BYiddti3Copq57vqh/qOB70LPle6b/IsaT/K8Xqjp8PjNI/e5gkZdVwIGx/w3Gk0+CkD0tDEUMBdsFfvm7Dbz3xQxN66/0ZMGQgic0xtytr/DfKCIMIwsr33GKavP7OXEJ6lUF615Y4PQhNNx4ePlgcttt2b7TG5bM8nxKsaQ==,iv:mLYNgKXCp8w2JO90Rsn7gtifEn4Yc6JKnjws7uo1w10=,tag:c51B1fZe1HnJhFDc86HnOg==,type:str]
+wg0: ENC[AES256_GCM,data:SJQ21aLwoQ0nEHfoHRd+ksL8pX7HoCRVjGIS/BZxq9JQhHJg9ZHHbwwUkz/3vrq1S+PD7e1bL0FHpgHPuZVHawpaFIeWd6TEPH+6oUxlRbDaEbcWR5POlNyMVV3z9TnOElgmqT0VUqfY80NEqFPbCLdjcWHjnwO4nzrEhPMA9WG2PFCAnZNUtVXh2mnblA61/xmxkSVysahBP+bTHA8a+v/AXy7WrHbnHizTeevdCMqWyDhzHvO8hfH4tU/xJ7GQrG/bxk4JZ6XT8a2CAqmNEKyWicB/zSc5NdILNQL7Kx2mzg/fDp4nltf7iBRZfLuN+r7whrKJ2lJQPATeyjMlIgHUcnohjihiOsGYiBcB3/Y4hIHVt7rRBMoFBB2OgNKC3gx6saZreRxLHZcRZFcVm39G9vaw6EI=,iv:qO8vMlstL/kOxFSlUd/dCtAK9ZzZt+LH/9vfulqHiMc=,tag:yuiwA8Hp8qDrF3UPlCMSUg==,type:str]
+sops:
+ age:
+ - recipient: age1f0tmpy2nam58skmznjyqd3zf54rxtfrk6fda0vlpq9y3yg6wac7sjf0vja
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoNVZ5dmNSd1NRQUhURkl2
+ dnk3MkNjMFUyNnU5L1FFNTV0a1NUbUZ6ZUEwCmNNUldIdnoycVpwUHJrcXZvZXp5
+ NGVHcUlHUm1uK0QxV1JmdDVyQVoxZDgKLS0tIDJhSHhkYjNML045SHNobytucnVZ
+ L25wUWRJbzZMZDFseXdvOFJXQVRxN28KJjC3ola24tTEV8tFYpnsId4d0S+jHkS9
+ ME6i4jorWRlQKdYn/gTUoqgMAvJEc73hjTfgX6bFshhuhflfGxXQQw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-03-31T19:40:45Z"
+ mac: ENC[AES256_GCM,data:XON+JNOWr6WRYYI0+vCC4qiDST8iY/XQZlkB16l5vMsirS3j5iAIi60hn5viFqMn+IIV7GretbVnBVP32R4C59II8bIySzrsdJj5AuvTvdBvglhkelhiDnchqE98KCG9zr41bJsSaQ/8ubRy7b5jiu9aqzQFg9UQZousecIu/MU=,iv:IJNCc05iu0sZxa3RFh5l1TMcwl3YKRtVXn4wfdOy6M8=,tag:OO5uC8nAjqsWoxC1N801GA==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.1
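Review bot: Both sops files added in this commit (this one and hosts/poweredge/resources/secrets/wg1.yaml) list exactly one age recipient, so each WireGuard config — which per wg.nix is used as a complete wg-quick `configFile` and therefore presumably carries the interface private key — can only be decrypted by that one host key; losing or reinstalling the host leaves the committed blob unrecoverable and the peer has to be re-keyed. Adding an operator or backup recipient in `.sops.yaml` and re-encrypting with `sops updatekeys` is the usual fix. The recipients also differ between the two files, so the `wg1` entry here cannot be reused on poweredge without re-encryption, if sharing it was the intent.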
diff --git a/hosts/flex-wg-router/wg.nix b/hosts/flex-wg-router/wg.nix
new file mode 100644
index 0000000..b454b81
--- /dev/null
+++ b/hosts/flex-wg-router/wg.nix
@@ -0,0 +1,9 @@
+{ config, pkgs, inputs, ... }: {
+ sops.secrets.wg0.sopsFile = ./resources/secrets/wg.yaml;
+ sops.secrets.wg1.sopsFile = ./resources/secrets/wg.yaml;
+
+ networking.wg-quick.interfaces = {
+ wg0.configFile = config.sops.secrets.wg0.path;
+ wg1.configFile = config.sops.secrets.wg1.path;
+ };
+}
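Review bot: Neither `sops.secrets.wg0` nor `sops.secrets.wg1` sets `restartUnits`, so a rotated secret is installed on activation but the running `wg-quick-wg0.service` / `wg-quick-wg1.service` keeps the old key until someone restarts it by hand; the same applies to `sops.secrets.wg1` in hosts/poweredge/wg1.nix. Add `sops.secrets.wg0.restartUnits = [ "wg-quick-wg0.service" ];` and the matching line for wg1 so key rollover actually takes effect. The `pkgs` and `inputs` arguments are unused in this module and can be dropped from the pattern.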
diff --git a/hosts/poweredge/configuration.nix b/hosts/poweredge/configuration.nix
index 0c51f3c..a363592 100644
--- a/hosts/poweredge/configuration.nix
+++ b/hosts/poweredge/configuration.nix
@@ -5,6 +5,7 @@ in {
./ddns-updater.nix
./networking.nix
#./notification-mailer.nix # TODO move some of this stuff to archetype
+ ./wg1.nix
];
# Setup bootloader
diff --git a/hosts/poweredge/ddns-updater.nix b/hosts/poweredge/ddns-updater.nix
index 30f6e05..103c23b 100644
--- a/hosts/poweredge/ddns-updater.nix
+++ b/hosts/poweredge/ddns-updater.nix
@@ -1,4 +1,4 @@
-{ config, ... }: {
+{ config, lib, ... }: {
# Password file for mail application password
sops.secrets.ddns-updater-config.sopsFile = ./resources/secrets/ddns-updater-config.yaml;
@@ -11,4 +11,9 @@
PERIOD = "5m";
};
};
+
+ # FIXME Required root permissions to open secret
+ systemd.services.ddns-updater = {
+ serviceConfig.DynamicUser = lib.mkForce false;
+ };
}
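Review bot: `serviceConfig.DynamicUser = lib.mkForce false;` removes the dynamic-user sandbox from ddns-updater, and the FIXME says it is done only because the sops secret is not readable by that user. With DynamicUser the service user does not exist when sops-nix installs the file, so `owner`/`mode` on the secret cannot help, but systemd credentials can: keep DynamicUser and add `serviceConfig.LoadCredential = [ "config:${config.sops.secrets.ddns-updater-config.path}" ];`, then point the service at `/run/credentials/ddns-updater.service/config` — how the module consumes the file is decided by an option outside this hunk, so confirm that part. Whichever route is taken, `sops.secrets.ddns-updater-config.restartUnits = [ "ddns-updater.service" ];` is worth adding so a rotated token is picked up. The enclosing module set starts before the hunk.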
diff --git a/hosts/poweredge/networking.nix b/hosts/poweredge/networking.nix
index c293831..7632a86 100644
--- a/hosts/poweredge/networking.nix
+++ b/hosts/poweredge/networking.nix
@@ -1,5 +1,6 @@
{
networking = {
+ enableIPv6 = false;
# Label lan and wan interfaces
_interfaceLabels = {
enable = true;
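Review bot: `enableIPv6 = false;` is added without a comment, and since the new `wg-nat` nftables table in this file is `family = "ip"` only, a reader cannot tell whether IPv6 is disabled to keep LAN clients from bypassing the IPv4-only wg1 NAT or simply because the upstream offers no IPv6. A one-line comment such as `# IPv6 off: the wg1 NAT below is IPv4-only, so v6 traffic would bypass the tunnel` (or the real reason) would record the decision. The enclosing `networking` set continues past the hunk.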
@@ -16,36 +17,40 @@
}];
wan0.useDHCP = true;
};
- #defaultGateway.interface = "wan0";
- nameservers = [ "127.0.0.1" ];
# Firewall rules
firewall = {
interfaces.wan0 = {
allowedUDPPorts = [ 51820 ];
};
};
- #nat.forwardPorts = [
- # {
- # sourcePort = 2222;
- # proto = "tcp";
- # destination = "10.1.1.1:22";
- # }
- # {
- # sourcePort = 22;
- # proto = "tcp";
- # destination = "10.1.1.1:22";
- # }
- #];
+ # Additional advanced rules
+ # TODO add multi NAT feature to router service
+ nftables = {
+ enable = true;
+ tables = {
+ # NAT/masquerade wg1 allowing lan0 clients to access wg1
+ wg-nat = {
+ family = "ip";
+ content = ''
+ chain post {
+ type nat hook postrouting priority srcnat; policy accept;
+ iifname "lan0" oifname "wg1" masquerade comment "lan0 => wg1"
+ }
+ '';
+ };
+ };
+ };
};
services._router = {
dnsDhcpConfig = {
- localDomain = "wg-router.pls.lan";
+ localDomain = "home.lan";
dhcp = {
defaultGateway = "192.168.1.1";
localhostIp = "192.168.1.1";
rangeStart = "192.168.1.50";
rangeEnd = "192.168.1.250";
+ # TODO think about moving leases to another file
staticLeases = {
idrac-7N94GK2 = {
macAddress = "50:9a:4c:5d:c3:7c";
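Review bot: The `wg-nat` masquerade rule NATs every packet entering on lan0 and leaving on wg1, but nothing in the hunk restricts which LAN clients or destinations may use the tunnel — which traffic is routed into wg1 is decided by the AllowedIPs in the encrypted wg-quick config, so any LAN host reaching such a destination is masqueraded through it. If only specific clients should egress via wg1, add a forward-hook filter chain in the same table that accepts `iifname "lan0" oifname "wg1"` only from the intended source set; otherwise a comment stating that the whole LAN may use wg1 documents the decision. The `localDomain` change to `home.lan` works, though `home.arpa` is the name reserved for exactly this purpose. The enclosing `networking` and `services._router` sets start and end outside this hunk.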
@@ -71,6 +76,10 @@
macAddress = "e4:54:e8:bc:ba:05";
staticIp = "192.168.1.12";
};
+ X230 = {
+ macAddress = "84:3a:4b:60:34:c4";
+ staticIp = "192.168.1.13";
+ };
};
};
};
diff --git a/hosts/poweredge/resources/secrets/wg1.yaml b/hosts/poweredge/resources/secrets/wg1.yaml
new file mode 100644
index 0000000..6610514
--- /dev/null
+++ b/hosts/poweredge/resources/secrets/wg1.yaml
@@ -0,0 +1,16 @@
+wg1: ENC[AES256_GCM,data:1IySjV57HcywgiCZ/ZYbcr4Y9EbLrb6bE4kpG1DmDsLiRVFSfZA1UOoMGosot+7YiuE4xfZNHGSnzDrpE73gi5E9qYlvjhOfyLq06a1lK7Q0Wo/QrH9eSH05h6SA4E8sE0w2aKY/6cWfLaXTP1d7xLJA1OOCy7y+wIXrHQcA/TI5XIxikFSe+tT7rhKz128u6MIGl8VWzCp4RmoN94MAgWp0RoVt0VSHlvNPTbMuTZI0YPN1NgHjcf7KWnit33GXydmAWr+wym/oxxdT77O6wMPcGIsxmMLOPNy3K1sTezGTPSS1CSVniKIIW2HYZepGfaTlKwBFIn7ctmMrBvqmMcHiW+QIPwWbOC8UWHJAGklv3vCa7Q8XDUKlOPNdS0o73jb+BVUJWerwR4ik6NPu/H/lWgIETg1pd/Qv//nGsPeGRIUFKyKxoL/5E67+pA==,iv:d+T6wKhV1i/2kae03VPLMaTFB2yleeDFPm1lrfjvkx8=,tag:h/41zAlfz6oBo8jqz9NW7A==,type:str]
+sops:
+ age:
+ - recipient: age1zfvmt2avdlfz0fvchczplc84u7m8vqausm7zytl9s4x9m9yax4cqy30zpz
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxOFFVRFl2MDhiUVRPdnZJ
+ b3BSZ0pSaG8vR3o3SGlmVENvN3ZObHU3eUc4CmJrdk8rbXpBMWhTZ2hvdlk0VWo1
+ ejdnTDR4bFlUUXc4Smd0NEp6b3crZFUKLS0tIFBsQUdRWjZLSDY1ZlFaRDdLOVhs
+ MFFGY0NSU3NaK2U0U1NndUIyYm54ZWsKZ6q9j1fNaNSzBA0rbZYyUWt3U2V/7/9/
+ FZTKd8mH/uCoxvK8unlVZ9uYNADRh2smp7LwK1AWie/6khAIFqVBeg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-03-31T02:00:52Z"
+ mac: ENC[AES256_GCM,data:VXBQSegpiLmT5pF0XVB8NTVzhn4QDE2WfVznANVdrXC4BqFYoQXscW+4BcMmwkUqz5MjeKNF4KgRwtpKWVyRXG7EXVEGeA/NdysAxM9eSD4YrQZLqWzG8UKStyFG7jgHw/YA3H94hJ3rYnhsA9Kb3DHEmnQSZskTOmn2ppyUunQ=,iv:/rVWmaXl149Prhv35wBDZN6c+HgQ6PYSb8RIE30t7MI=,tag:SZ7mI9XDsIjhliFyWO14ug==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.1
diff --git a/hosts/poweredge/wg1.nix b/hosts/poweredge/wg1.nix
new file mode 100644
index 0000000..d94efb6
--- /dev/null
+++ b/hosts/poweredge/wg1.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, inputs, ... }: {
+ sops.secrets.wg1.sopsFile = ./resources/secrets/wg1.yaml;
+
+ networking.wg-quick.interfaces = {
+ wg1.configFile = config.sops.secrets.wg1.path;
+ };
+}
diff --git a/nixos/secrets.nix b/nixos/secrets.nix
index 0691255..3d21e62 100644
--- a/nixos/secrets.nix
+++ b/nixos/secrets.nix
@@ -5,4 +5,18 @@
defaultSopsFormat = "yaml";
age.sshKeyPaths = [ "/root/.ssh/id_ed25519" ];
};
+
+
+ # This service is a workaround to ensure that secrets are available on
+ # reboot when the secret keys are on a separate subvolume
+ systemd.services.npcnix-force-rebuild-sops-hack = {
+ wantedBy = [ "multi-user.target" ];
+ before = [ "wpa_supplicant.service" ];
+ serviceConfig = {
+ ExecStart = "/run/current-system/activate";
+ Type = "oneshot";
+ Restart = "on-failure"; # because oneshot
+ RestartSec = "10s";
+ };
+ };
}
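Review bot: Now that `npcnix-force-rebuild-sops-hack` lives in the shared nixos/secrets.nix instead of users/timmy/wifi.nix, `before = [ "wpa_supplicant.service" ]` is the only ordering it carries, so the wg-quick and ddns-updater units added elsewhere in this commit are not ordered after the re-activation and can start with missing secrets — the very situation the `Restart = "on-failure"` loop is papering over. Since the comment says the key at `/root/.ssh/id_ed25519` sits on a separate subvolume, the direct fix is `unitConfig.RequiresMountsFor = [ "/root/.ssh" ];` on this service, plus extending `before` to `[ "wpa_supplicant.service" "wg-quick-wg0.service" "wg-quick-wg1.service" "ddns-updater.service" ]` or turning that list into an option each host fills in. Re-running `/run/current-system/activate` on every boot is also broad; a comment noting that it re-runs the full activation script, not just sops, would help the next reader.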
diff --git a/nixos/services/router/dns-dhcp.nix b/nixos/services/router/dns-dhcp.nix
index 48e0b8e..4c041c2 100644
--- a/nixos/services/router/dns-dhcp.nix
+++ b/nixos/services/router/dns-dhcp.nix
@@ -204,5 +204,8 @@ in {
# Search localDomain so host can resolve short names
# This is eq. to dnsmasq's dhcp-option "domain-search" for clients, it just adds a search rule to resolv.conf
networking.search = [ cfg.localDomain ];
+
+ # Add localhost as default nameserver
+ networking.nameservers = lib.mkDefault [ cfg.dhcp.localhostIp ];
};
}
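Review bot: `networking.nameservers = lib.mkDefault [ cfg.dhcp.localhostIp ];` evaluates `cfg.dhcp.localhostIp` unconditionally, so every host enabling the router service must define the DHCP block even if it only uses DNS, and it relies on `lib` being in this module's argument set, which is outside the hunk. If `dhcp` can be left unset, guard the definition with whatever check the option type supports. The comment `# Add localhost as default nameserver` is also slightly misleading, since the value is the router's LAN address from `localhostIp` rather than 127.0.0.1; `# Default resolver: this router's LAN address (hosts override with a plain definition)` is more accurate. The enclosing attribute set starts before the hunk.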
diff --git a/nixos/services/router/routing.nix b/nixos/services/router/routing.nix
index 25d91dd..6682538 100644
--- a/nixos/services/router/routing.nix
+++ b/nixos/services/router/routing.nix
@@ -35,9 +35,9 @@ in {
'';
};
nat = {
- enable = true;
- externalInterface = cfg.interfaces.wan;
- internalInterfaces = [ cfg.interfaces.lan ];
+ enable = lib.mkDefault true;
+ externalInterface = lib.mkDefault cfg.interfaces.wan;
+ internalInterfaces = lib.mkDefault [ cfg.interfaces.lan ];
};
};
};
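Review bot: Switching `internalInterfaces` to `lib.mkDefault` means a host that writes a plain `networking.nat.internalInterfaces = [ "wg1" ];` replaces the default rather than extending it — a plain definition (priority 100) discards the mkDefault value (priority 1000) instead of merging the lists — so `cfg.interfaces.lan` silently drops out of the NAT. If the goal is to let hosts add interfaces, keep the LAN entry unconditional and let hosts append, or document the semantics with `# mkDefault: a host definition REPLACES this list, it does not extend it`. The enclosing `config` block starts and ends outside the hunk.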
diff --git a/users/timmy/wifi.nix b/users/timmy/wifi.nix
index 9afcbc7..8c762b0 100644
--- a/users/timmy/wifi.nix
+++ b/users/timmy/wifi.nix
@@ -21,18 +21,5 @@ in {
environment.etc."wpa_supplicant.conf" = {
source = config.sops.secrets.wpa_supplicant-conf.path;
};
-
- # This service is a workaround to ensure that secrets are available on
- # reboot when the secret keys are on a separate subvolume
- systemd.services.npcnix-force-rebuild-sops-hack = {
- wantedBy = [ "multi-user.target" ];
- before = [ "wpa_supplicant.service" ];
- serviceConfig = {
- ExecStart = "/run/current-system/activate";
- Type = "oneshot";
- Restart = "on-failure"; # because oneshot
- RestartSec = "10s";
- };
- };
};
}