Diffstat (limited to 'hosts/flex-wg-router')
| -rw-r--r-- | hosts/flex-wg-router/configuration.nix | 73 | ||||
| -rw-r--r-- | hosts/flex-wg-router/hardware-configuration.nix | 45 | ||||
| -rw-r--r-- | hosts/flex-wg-router/resources/secrets/wg.yaml | 17 | ||||
| -rw-r--r-- | hosts/flex-wg-router/wg.nix | 9 |
4 files changed, 144 insertions, 0 deletions
diff --git a/hosts/flex-wg-router/configuration.nix b/hosts/flex-wg-router/configuration.nix
new file mode 100644
index 0000000..18d9667
--- /dev/null
+++ b/hosts/flex-wg-router/configuration.nix
@@ -0,0 +1,73 @@
+{ config, lib, pkgs, ... }: let
+ ipAddress = "10.1.1.1";
+in {
+ imports = [ ./wg.nix ];
+
+ # Setup bootloader
+ boot._loader.enable = true;
+
+ # Enable common options
+ _archetypes = {
+ profiles.headless = {
+ enable = true;
+ home.users.timmy.enable = true;
+ };
+ profiles.router.enable = true;
+ };
+
+ networking = {
+ # Label lan and wan interfaces
+ _interfaceLabels = {
+ enable = true;
+ interfaces = {
+ lan0 = "98:b7:85:22:9b:43"; # External
+ wan0 = "54:ee:75:8c:4b:2d"; # Internal
+ };
+ };
+ # Set ip addresses
+ interfaces = {
+ lan0.ipv4.addresses = [{
+ address = ipAddress;
+ prefixLength = 24;
+ }];
+ wan0.ipv4.addresses = [{
+ address = "46.110.173.163"; # Reserved static ip for wg-router
+ prefixLength = 31;
+ }];
+ };
+ defaultGateway = {
+ address = "46.110.173.161";
+ interface = "wan0";
+ };
+ # Firewall rules
+ firewall = {
+ interfaces.wan0 = {
+ allowedUDPPorts = [ 51820 ];
+ };
+ };
+ };
+
+ # Router config
+ services._router = {
+ dnsDhcpConfig = {
+ localDomain = "wg-router.pls.lan";
+ dhcp = {
+ defaultGateway = ipAddress;
+ localhostIp = ipAddress;
+ rangeStart = "10.1.1.100";
+ rangeEnd = "10.1.1.250";
+ staticLeases = {
+ idrac-8HT2W52 = {
+ macAddress = "18:fb:7b:9d:16:b3";
+ staticIp = "10.1.1.10";
+ };
+ };
+ };
+ };
+ };
+
+ # Enable user timmy
+ _users.timmy.enable = true;
+
+ system.stateVersion = "25.05";
+}
diff --git a/hosts/flex-wg-router/hardware-configuration.nix b/hosts/flex-wg-router/hardware-configuration.nix
new file mode 100644
index 0000000..01cff6d
--- /dev/null
+++ b/hosts/flex-wg-router/hardware-configuration.nix
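Review bot: The role comments on the interface labels contradict the addressing below them: `lan0` is annotated `# External` and `wan0` `# Internal`, yet `lan0` carries the private 10.1.1.1/24 with the DHCP range while `wan0` carries the public 46.110.173.163, the default gateway and the only inbound allow rule (UDP 51820). If it is the MAC-to-name mapping that is wrong rather than the comments, the public address, gateway and firewall opening all land on the wrong NIC, so confirm the MACs against the hardware and then make the comments agree, e.g. `lan0 = "98:b7:85:22:9b:43"; # Internal (10.1.1.0/24)` and `wan0 = "54:ee:75:8c:4b:2d"; # External (public /31)`. Separately, 46.110.173.161 lies outside the /31 that contains .163 (.162–.163), so reaching the gateway appears to rely on NixOS installing an on-link host route for it on `wan0` because `interface` is set; a comment saying the off-subnet gateway is provider-dictated would save the next reader a debugging round.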
@@ -0,0 +1,45 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/01eae5fd-a46e-4a36-8a9d-247a0b16bcef";
+ fsType = "btrfs";
+ options = [ "subvol=@" ];
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/345A-436A";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ fileSystems."/home" =
+ { device = "/dev/disk/by-uuid/01eae5fd-a46e-4a36-8a9d-247a0b16bcef";
+ fsType = "btrfs";
+ options = [ "subvol=@home" ];
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/flex-wg-router/resources/secrets/wg.yaml b/hosts/flex-wg-router/resources/secrets/wg.yaml
new file mode 100644
index 0000000..1f6867b
--- /dev/null
+++ b/hosts/flex-wg-router/resources/secrets/wg.yaml
@@ -0,0 +1,17 @@
+wg1: ENC[AES256_GCM,data:r7jNBzEcItmlEtjhKCbyOBaNYfutKxC2UdUYSLHfYyLnwwdIwM1kfvd5K1/UZNAKoG7sHpBha59M1tvZAOIGAFnzG14YsVrMD8w6Qy4pc0FmdyNHDEM4EwaqHFRjbb5oBAFv6lI2VZ3AgXf6StXoVUYtbEA1QBVqVq4Syk6/CalnhkE2LuZpuVA5GZUZ8aTmFRp9zOnhcNoVJMrokTUswV4Mgn3zt2Tb+3bfoZJ9jbb6H8P/F0NGU+phy0EENZMIqOGBP5aPPIZfVQYphQcG6BYiddti3Copq57vqh/qOB70LPle6b/IsaT/K8Xqjp8PjNI/e5gkZdVwIGx/w3Gk0+CkD0tDEUMBdsFfvm7Dbz3xQxN66/0ZMGQgic0xtytr/DfKCIMIwsr33GKavP7OXEJ6lUF615Y4PQhNNx4ePlgcttt2b7TG5bM8nxKsaQ==,iv:mLYNgKXCp8w2JO90Rsn7gtifEn4Yc6JKnjws7uo1w10=,tag:c51B1fZe1HnJhFDc86HnOg==,type:str]
+wg0: ENC[AES256_GCM,data:SJQ21aLwoQ0nEHfoHRd+ksL8pX7HoCRVjGIS/BZxq9JQhHJg9ZHHbwwUkz/3vrq1S+PD7e1bL0FHpgHPuZVHawpaFIeWd6TEPH+6oUxlRbDaEbcWR5POlNyMVV3z9TnOElgmqT0VUqfY80NEqFPbCLdjcWHjnwO4nzrEhPMA9WG2PFCAnZNUtVXh2mnblA61/xmxkSVysahBP+bTHA8a+v/AXy7WrHbnHizTeevdCMqWyDhzHvO8hfH4tU/xJ7GQrG/bxk4JZ6XT8a2CAqmNEKyWicB/zSc5NdILNQL7Kx2mzg/fDp4nltf7iBRZfLuN+r7whrKJ2lJQPATeyjMlIgHUcnohjihiOsGYiBcB3/Y4hIHVt7rRBMoFBB2OgNKC3gx6saZreRxLHZcRZFcVm39G9vaw6EI=,iv:qO8vMlstL/kOxFSlUd/dCtAK9ZzZt+LH/9vfulqHiMc=,tag:yuiwA8Hp8qDrF3UPlCMSUg==,type:str]
+sops:
+ age:
+ - recipient: age1f0tmpy2nam58skmznjyqd3zf54rxtfrk6fda0vlpq9y3yg6wac7sjf0vja
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoNVZ5dmNSd1NRQUhURkl2
+ dnk3MkNjMFUyNnU5L1FFNTV0a1NUbUZ6ZUEwCmNNUldIdnoycVpwUHJrcXZvZXp5
+ NGVHcUlHUm1uK0QxV1JmdDVyQVoxZDgKLS0tIDJhSHhkYjNML045SHNobytucnVZ
+ L25wUWRJbzZMZDFseXdvOFJXQVRxN28KJjC3ola24tTEV8tFYpnsId4d0S+jHkS9
+ ME6i4jorWRlQKdYn/gTUoqgMAvJEc73hjTfgX6bFshhuhflfGxXQQw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-03-31T19:40:45Z"
+ mac: ENC[AES256_GCM,data:XON+JNOWr6WRYYI0+vCC4qiDST8iY/XQZlkB16l5vMsirS3j5iAIi60hn5viFqMn+IIV7GretbVnBVP32R4C59II8bIySzrsdJj5AuvTvdBvglhkelhiDnchqE98KCG9zr41bJsSaQ/8ubRy7b5jiu9aqzQFg9UQZousecIu/MU=,iv:IJNCc05iu0sZxa3RFh5l1TMcwl3YKRtVXn4wfdOy6M8=,tag:OO5uC8nAjqsWoxC1N801GA==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.1
diff --git a/hosts/flex-wg-router/wg.nix b/hosts/flex-wg-router/wg.nix
new file mode 100644
index 0000000..b454b81
--- /dev/null
+++ b/hosts/flex-wg-router/wg.nix
@@ -0,0 +1,9 @@
+{ config, pkgs, inputs, ... }: {
+ sops.secrets.wg0.sopsFile = ./resources/secrets/wg.yaml;
+ sops.secrets.wg1.sopsFile = ./resources/secrets/wg.yaml;
+
+ networking.wg-quick.interfaces = {
+ wg0.configFile = config.sops.secrets.wg0.path;
+ wg1.configFile = config.sops.secrets.wg1.path;
+ };
+}
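Review bot: A rotated WireGuard key in `wg.yaml` will not reach the running tunnels after a `nixos-rebuild switch`, because `wg-quick-wg0`/`wg-quick-wg1` read `configFile` only when they start and nothing here tells sops-nix to restart them; declare `sops.secrets.wg0 = { sopsFile = ./resources/secrets/wg.yaml; restartUnits = [ "wg-quick-wg0.service" ]; };` and the same for `wg1`. Keeping the whole wg-quick config, `PrivateKey` included, inside the sops secret rather than in the Nix store is the right call, since sops-nix's default owner/mode keeps the decrypted file root-only and wg-quick runs as root. Because the listen ports live inside the encrypted configs, NixOS cannot derive firewall rules from them, so add a comment stating that the `ListenPort` values in `wg.yaml` must match the `allowedUDPPorts` opened on `wan0` in `configuration.nix` (currently only 51820). `pkgs` and `inputs` are unused in this module's argument set and can be reduced to `{ config, ... }`.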
