Diffstat (limited to 'hosts')
| -rw-r--r-- | hosts/flex-wg-router/configuration.nix | 22 | ||||
| -rw-r--r-- | hosts/flex-wg-router/resources/secrets/wg.yaml | 17 | ||||
| -rw-r--r-- | hosts/flex-wg-router/wg.nix | 9 | ||||
| -rw-r--r-- | hosts/hp-envy-office/configuration.nix | 6 | ||||
| -rw-r--r-- | hosts/hp-envy-office/resources/secrets/wg.yaml | 16 | ||||
| -rw-r--r-- | hosts/hp-envy-office/wg.nix | 7 | ||||
| -rw-r--r-- | hosts/poweredge/configuration.nix | 1 | ||||
| -rw-r--r-- | hosts/poweredge/ddns-updater.nix | 7 | ||||
| -rw-r--r-- | hosts/poweredge/networking.nix | 39 | ||||
| -rw-r--r-- | hosts/poweredge/resources/secrets/wg1.yaml | 16 | ||||
| -rw-r--r-- | hosts/poweredge/wg1.nix | 7 |
11 files changed, 113 insertions, 34 deletions
diff --git a/hosts/flex-wg-router/configuration.nix b/hosts/flex-wg-router/configuration.nix index 5777626..18d9667 100644 --- a/hosts/flex-wg-router/configuration.nix +++ b/hosts/flex-wg-router/configuration.nix @@ -1,6 +1,8 @@ { config, lib, pkgs, ... }: let ipAddress = "10.1.1.1"; in { + imports = [ ./wg.nix ]; + # Setup bootloader boot._loader.enable = true; @@ -18,8 +20,8 @@ in { _interfaceLabels = { enable = true; interfaces = { - lan0 = "98:b7:85:22:9b:43"; # Internal - wan0 = "54:ee:75:8c:4b:2d"; # External + lan0 = "98:b7:85:22:9b:43"; # External + wan0 = "54:ee:75:8c:4b:2d"; # Internal }; }; # Set ip addresses @@ -37,27 +39,15 @@ in { address = "46.110.173.161"; interface = "wan0"; }; - nameservers = [ "127.0.0.1" ]; # Firewall rules firewall = { interfaces.wan0 = { - allowedTCPPorts = [ 22 ]; + allowedUDPPorts = [ 51820 ]; }; }; - #nat.forwardPorts = [ - # { - # sourcePort = 2222; - # proto = "tcp"; - # destination = "10.1.1.1:22"; - # } - # { - # sourcePort = 22; - # proto = "tcp"; - # destination = "10.1.1.1:22"; - # } - #]; }; + # Router config services._router = { dnsDhcpConfig = { localDomain = "wg-router.pls.lan"; diff --git a/hosts/flex-wg-router/resources/secrets/wg.yaml b/hosts/flex-wg-router/resources/secrets/wg.yaml new file mode 100644 index 0000000..1f6867b --- /dev/null +++ b/hosts/flex-wg-router/resources/secrets/wg.yaml 
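Review bot: The `_interfaceLabels` hunk swaps only the comments, so lan0 is now described as "External" and wan0 as "Internal" while the names say the opposite, and the following hunk opens UDP 51820 on `interfaces.wan0` and removes TCP 22 from it. If the MAC-to-label mapping is what was wrong, the values should move rather than the comments (`lan0 = "54:ee:75:8c:4b:2d"; # Internal` / `wan0 = "98:b7:85:22:9b:43"; # External`); otherwise the WireGuard port is being opened on the inside interface and the uplink has no firewall exception left. If the comments are what is wrong, restoring `# Internal` and `# External` to their original lines is the one-line fix. As written the labels and the firewall rule disagree, and the enclosing attribute set continues outside the hunk.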
@@ -0,0 +1,17 @@ +wg1: ENC[AES256_GCM,data:r7jNBzEcItmlEtjhKCbyOBaNYfutKxC2UdUYSLHfYyLnwwdIwM1kfvd5K1/UZNAKoG7sHpBha59M1tvZAOIGAFnzG14YsVrMD8w6Qy4pc0FmdyNHDEM4EwaqHFRjbb5oBAFv6lI2VZ3AgXf6StXoVUYtbEA1QBVqVq4Syk6/CalnhkE2LuZpuVA5GZUZ8aTmFRp9zOnhcNoVJMrokTUswV4Mgn3zt2Tb+3bfoZJ9jbb6H8P/F0NGU+phy0EENZMIqOGBP5aPPIZfVQYphQcG6BYiddti3Copq57vqh/qOB70LPle6b/IsaT/K8Xqjp8PjNI/e5gkZdVwIGx/w3Gk0+CkD0tDEUMBdsFfvm7Dbz3xQxN66/0ZMGQgic0xtytr/DfKCIMIwsr33GKavP7OXEJ6lUF615Y4PQhNNx4ePlgcttt2b7TG5bM8nxKsaQ==,iv:mLYNgKXCp8w2JO90Rsn7gtifEn4Yc6JKnjws7uo1w10=,tag:c51B1fZe1HnJhFDc86HnOg==,type:str] +wg0: ENC[AES256_GCM,data:SJQ21aLwoQ0nEHfoHRd+ksL8pX7HoCRVjGIS/BZxq9JQhHJg9ZHHbwwUkz/3vrq1S+PD7e1bL0FHpgHPuZVHawpaFIeWd6TEPH+6oUxlRbDaEbcWR5POlNyMVV3z9TnOElgmqT0VUqfY80NEqFPbCLdjcWHjnwO4nzrEhPMA9WG2PFCAnZNUtVXh2mnblA61/xmxkSVysahBP+bTHA8a+v/AXy7WrHbnHizTeevdCMqWyDhzHvO8hfH4tU/xJ7GQrG/bxk4JZ6XT8a2CAqmNEKyWicB/zSc5NdILNQL7Kx2mzg/fDp4nltf7iBRZfLuN+r7whrKJ2lJQPATeyjMlIgHUcnohjihiOsGYiBcB3/Y4hIHVt7rRBMoFBB2OgNKC3gx6saZreRxLHZcRZFcVm39G9vaw6EI=,iv:qO8vMlstL/kOxFSlUd/dCtAK9ZzZt+LH/9vfulqHiMc=,tag:yuiwA8Hp8qDrF3UPlCMSUg==,type:str] +sops: + age: + - recipient: age1f0tmpy2nam58skmznjyqd3zf54rxtfrk6fda0vlpq9y3yg6wac7sjf0vja + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoNVZ5dmNSd1NRQUhURkl2 + dnk3MkNjMFUyNnU5L1FFNTV0a1NUbUZ6ZUEwCmNNUldIdnoycVpwUHJrcXZvZXp5 + NGVHcUlHUm1uK0QxV1JmdDVyQVoxZDgKLS0tIDJhSHhkYjNML045SHNobytucnVZ + L25wUWRJbzZMZDFseXdvOFJXQVRxN28KJjC3ola24tTEV8tFYpnsId4d0S+jHkS9 + ME6i4jorWRlQKdYn/gTUoqgMAvJEc73hjTfgX6bFshhuhflfGxXQQw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-31T19:40:45Z" + mac: ENC[AES256_GCM,data:XON+JNOWr6WRYYI0+vCC4qiDST8iY/XQZlkB16l5vMsirS3j5iAIi60hn5viFqMn+IIV7GretbVnBVP32R4C59II8bIySzrsdJj5AuvTvdBvglhkelhiDnchqE98KCG9zr41bJsSaQ/8ubRy7b5jiu9aqzQFg9UQZousecIu/MU=,iv:IJNCc05iu0sZxa3RFh5l1TMcwl3YKRtVXn4wfdOy6M8=,tag:OO5uC8nAjqsWoxC1N801GA==,type:str] + unencrypted_suffix: _unencrypted + version: 3.12.1 
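Review bot: This sops file is encrypted to a single age recipient, and the same holds for hosts/hp-envy-office/resources/secrets/wg.yaml and hosts/poweredge/resources/secrets/wg1.yaml, so each WireGuard config can be decrypted only by that one host key and nothing in the repository can recover or re-key it if the host is reinstalled. Unless the repository's .sops.yaml (not in this diff) already lists an operator key, adding one and running `sops updatekeys` on these three files is worth doing before depending on them. Since the corresponding wg.nix files use each value as the whole wg-quick config file, any change to a peer endpoint or AllowedIPs means re-encrypting the file, which a short comment in those modules should say.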
diff --git a/hosts/flex-wg-router/wg.nix b/hosts/flex-wg-router/wg.nix new file mode 100644 index 0000000..b454b81 --- /dev/null +++ b/hosts/flex-wg-router/wg.nix @@ -0,0 +1,9 @@ +{ config, pkgs, inputs, ... }: { + sops.secrets.wg0.sopsFile = ./resources/secrets/wg.yaml; + sops.secrets.wg1.sopsFile = ./resources/secrets/wg.yaml; + + networking.wg-quick.interfaces = { + wg0.configFile = config.sops.secrets.wg0.path; + wg1.configFile = config.sops.secrets.wg1.path; + }; +} diff --git a/hosts/hp-envy-office/configuration.nix b/hosts/hp-envy-office/configuration.nix index 34e2de3..c55c07b 100644 --- a/hosts/hp-envy-office/configuration.nix +++ b/hosts/hp-envy-office/configuration.nix @@ -1,4 +1,6 @@ { config, lib, pkgs, ... }: { + imports = [ ./wg.nix ]; + # Setup bootloader boot._loader.enable = true; boot.loader.timeout = 15; # Show for longer since it's usually skipped @@ -48,8 +50,8 @@ home-manager.users.timmy = { gtk._mintTheme = { dark = true; - color = "Green"; - icons.color = "Green"; + color = "Blue"; + icons.color = "Blue"; }; programs._seasonalwallpaper.wallpapers.download = true; fonts.fontconfig = { diff --git a/hosts/hp-envy-office/resources/secrets/wg.yaml b/hosts/hp-envy-office/resources/secrets/wg.yaml new file mode 100644 index 0000000..f3b53aa --- /dev/null +++ b/hosts/hp-envy-office/resources/secrets/wg.yaml 
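Review bot: `wg.nix` points `networking.wg-quick.interfaces.wg0.configFile` at the decrypted sops path but does not tie the units to the secret, so a re-encrypted config takes effect only after the wg-quick units are restarted by hand; sops-nix's `restartUnits` on each secret, e.g. `sops.secrets.wg0.restartUnits = [ "wg-quick-wg0.service" ];`, closes that gap, assuming the units follow the usual `wg-quick-<name>` naming. The same applies to hosts/hp-envy-office/wg.nix and hosts/poweredge/wg1.nix. The module also declares `pkgs` and `inputs` in its argument set without using them; `{ config, ... }:` would make its real dependencies obvious. A one-line header comment stating that each secret is the complete wg-quick configuration including the private key, readable only by root, would document the trust assumption for the next reader.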
@@ -0,0 +1,16 @@ +wg1: ENC[AES256_GCM,data:XWdnE2QvfvFlMKUW6BoUSsEXDmYj4aNfbxvA6pFeIZM7NEtIwC4/NsplPwFIZwF372/bwDGXGocuh5gd1p/eAlsyz2DrAS+8g1+4T40EPPmXPgh++vUTvcpPlt74Qxp2yAeEU4CU7UPLvlxSvNjh5PGS68Cw7KxSB7kiWFxRWtm5oVfb+U6cBaQE6Biie7wPmXNWOobGHTfFYDeNmH6w33nH4lCV2MC0eYty9ytwHeVS7gUNrk4oxIfd+1FmNzwNHtVZvRg4wRzcc2M9fD0LuyuY6QVS/qaJG4hNNEHZ6qa0VMTnOzQ4jFHtd5jnz2vb7ckE7UWcFPjXYObcykk0End7sHVN/bD+fUv56JKZOHvVYFgs6OwCzUPAufnv10+h,iv:LMEpZW3mwGuIpJoacBYL8M0ROVNeVMzeb7ncZtfxIDA=,tag:aNCziN9CVgm0IB8VvVorEA==,type:str] +sops: + age: + - recipient: age1w80rc0dnuu8nw99gw64c596qqetm78jdnsqajr0u7ephykekr39qfz8vnv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhdUJRS21FeFlseWJXU1dt + MnhQRnFvZWM0M1o4bUhBWW9KRDdnZ1pGZkYwCnhPYmFHZmdnRS9lb2xsTXZBcmIx + dHF5dmlrbjJyUk84QVBLTEFwMWdESGMKLS0tIHFyZGpSeTFoNEQyZThFc2RyQkhY + Q1ZvODVWSXE1STlkZ09tVXdVeU1WaVkKhKMfJclNgHXN7pww2w3AaKwcWiBo676g + RWSkV6C+5purA0CzTu1uC3CKz8UK8mVgPfamSZdZQU8+6bGMmseWoQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-31T19:32:51Z" + mac: ENC[AES256_GCM,data:zpEYjHqta6HuRHIKijbLmAND5mCaR14ZUdEeXq/zJ8g4DgWrAkaukhYdXhLH+SEUZt8d3tmj5Eq+6oz9qEjdWhBuPykxVBmBiqIhQBgACCMhSL5v3wY1rxL2ZiQ7szEuwh0GjXpkzPno0Z2+xZ6FzVsJdGnZwykru+JWQcUIfvk=,iv:yUiP/clvI/NnDrji9eMYiTqtO1xsTc7u86V/nlQSMIA=,tag:UyMz/BdYoGxXCJIb8tITcQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.12.1 diff --git a/hosts/hp-envy-office/wg.nix b/hosts/hp-envy-office/wg.nix new file mode 100644 index 0000000..763496e --- /dev/null +++ b/hosts/hp-envy-office/wg.nix @@ -0,0 +1,7 @@ +{ config, pkgs, inputs, ... }: { + sops.secrets.wg1.sopsFile = ./resources/secrets/wg.yaml; + + networking.wg-quick.interfaces = { + wg1.configFile = config.sops.secrets.wg1.path; + }; +} diff --git a/hosts/poweredge/configuration.nix b/hosts/poweredge/configuration.nix index 0c51f3c..a363592 100644 --- a/hosts/poweredge/configuration.nix +++ b/hosts/poweredge/configuration.nix 
@@ -5,6 +5,7 @@ in { ./ddns-updater.nix ./networking.nix #./notification-mailer.nix # TODO move some of this stuff to archetype + ./wg1.nix ]; # Setup bootloader diff --git a/hosts/poweredge/ddns-updater.nix b/hosts/poweredge/ddns-updater.nix index 30f6e05..103c23b 100644 --- a/hosts/poweredge/ddns-updater.nix +++ b/hosts/poweredge/ddns-updater.nix @@ -1,4 +1,4 @@ -{ config, ... }: { +{ config, lib, ... }: { # Password file for mail application password sops.secrets.ddns-updater-config.sopsFile = ./resources/secrets/ddns-updater-config.yaml; @@ -11,4 +11,9 @@ PERIOD = "5m"; }; }; + + # FIXME Required root permissions to open secret + systemd.services.ddns-updater = { + serviceConfig.DynamicUser = lib.mkForce false; + }; } diff --git a/hosts/poweredge/networking.nix b/hosts/poweredge/networking.nix index c293831..7632a86 100644 --- a/hosts/poweredge/networking.nix +++ b/hosts/poweredge/networking.nix @@ -1,5 +1,6 @@ { networking = { + enableIPv6 = false; # Label lan and wan interfaces _interfaceLabels = { enable = true; 
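Review bot: Forcing `DynamicUser = false` in the ddns-updater hunk makes the service run as root solely so it can read the sops secret, which is broader than the FIXME requires. systemd can hand the decrypted file to an unprivileged dynamic user instead: `serviceConfig.LoadCredential = [ "config:${config.sops.secrets.ddns-updater-config.path}" ];` and point the service's config path at `$CREDENTIALS_DIRECTORY/config`; how that path is configured depends on the module's options, which are outside the hunk. Until that is done the FIXME should state the consequence, e.g. `# FIXME runs as root: DynamicUser disabled so the sops secret is readable`.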
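Review bot: `enableIPv6 = false;` in networking.nix is added without a reason, and as far as I recall it disables IPv6 host-wide, including on wg1 and the WAN uplink. A why-comment such as `# Disabled: <reason placeholder, e.g. no IPv6 on the uplink>` would stop the next reader from re-enabling it by accident. The enclosing `networking` set continues past the hunk.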
@@ -16,36 +17,40 @@ }]; wan0.useDHCP = true; }; - #defaultGateway.interface = "wan0"; - nameservers = [ "127.0.0.1" ]; # Firewall rules firewall = { interfaces.wan0 = { allowedUDPPorts = [ 51820 ]; }; }; - #nat.forwardPorts = [ - # { - # sourcePort = 2222; - # proto = "tcp"; - # destination = "10.1.1.1:22"; - # } - # { - # sourcePort = 22; - # proto = "tcp"; - # destination = "10.1.1.1:22"; - # } - #]; + # Additional advanced rules + # TODO add multi NAT feature to router service + nftables = { + enable = true; + tables = { + # NAT/masquerade wg1 allowing lan0 clients to access wg1 + wg-nat = { + family = "ip"; + content = '' + chain post { + type nat hook postrouting priority srcnat; policy accept; + iifname "lan0" oifname "wg1" masquerade comment "lan0 => wg1" + } + ''; + }; + }; + }; }; services._router = { dnsDhcpConfig = { - localDomain = "wg-router.pls.lan"; + localDomain = "home.lan"; dhcp = { defaultGateway = "192.168.1.1"; localhostIp = "192.168.1.1"; rangeStart = "192.168.1.50"; rangeEnd = "192.168.1.250"; + # TODO think about moving leases to another file staticLeases = { idrac-7N94GK2 = { macAddress = "50:9a:4c:5d:c3:7c"; @@ -71,6 +76,10 @@ macAddress = "e4:54:e8:bc:ba:05"; staticIp = "192.168.1.12"; }; + X230 = { + macAddress = "84:3a:4b:60:34:c4"; + staticIp = "192.168.1.13"; + }; }; }; }; diff --git a/hosts/poweredge/resources/secrets/wg1.yaml b/hosts/poweredge/resources/secrets/wg1.yaml new file mode 100644 index 0000000..6610514 --- /dev/null +++ b/hosts/poweredge/resources/secrets/wg1.yaml 
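Review bot: The new `wg-nat` table only masquerades lan0→wg1 traffic in postrouting; nothing in the hunk restricts which destinations lan0 clients may reach through the tunnel, so the effective scope is whatever routes wg-quick installs from the encrypted wg1 config, which is not visible here. If wg1 carries a default route, every lan0 host becomes a tunnel client and the host's own traffic is likely policy-routed through it as well, which is worth stating in the table comment or, if only a subnet is intended, enforcing with a forward-chain rule. The comment `# NAT/masquerade wg1 allowing lan0 clients to access wg1` should name the expected remote network, e.g. `# masquerade lan0 clients onto wg1 (reaches <REMOTE-SUBNET placeholder>)`. Enabling `nftables` here also, as far as I recall, switches the NixOS `firewall` block above to the nftables backend for the whole host, which deserves a note next to `enable = true;`.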
@@ -0,0 +1,16 @@ +wg1: ENC[AES256_GCM,data:1IySjV57HcywgiCZ/ZYbcr4Y9EbLrb6bE4kpG1DmDsLiRVFSfZA1UOoMGosot+7YiuE4xfZNHGSnzDrpE73gi5E9qYlvjhOfyLq06a1lK7Q0Wo/QrH9eSH05h6SA4E8sE0w2aKY/6cWfLaXTP1d7xLJA1OOCy7y+wIXrHQcA/TI5XIxikFSe+tT7rhKz128u6MIGl8VWzCp4RmoN94MAgWp0RoVt0VSHlvNPTbMuTZI0YPN1NgHjcf7KWnit33GXydmAWr+wym/oxxdT77O6wMPcGIsxmMLOPNy3K1sTezGTPSS1CSVniKIIW2HYZepGfaTlKwBFIn7ctmMrBvqmMcHiW+QIPwWbOC8UWHJAGklv3vCa7Q8XDUKlOPNdS0o73jb+BVUJWerwR4ik6NPu/H/lWgIETg1pd/Qv//nGsPeGRIUFKyKxoL/5E67+pA==,iv:d+T6wKhV1i/2kae03VPLMaTFB2yleeDFPm1lrfjvkx8=,tag:h/41zAlfz6oBo8jqz9NW7A==,type:str] +sops: + age: + - recipient: age1zfvmt2avdlfz0fvchczplc84u7m8vqausm7zytl9s4x9m9yax4cqy30zpz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxOFFVRFl2MDhiUVRPdnZJ + b3BSZ0pSaG8vR3o3SGlmVENvN3ZObHU3eUc4CmJrdk8rbXpBMWhTZ2hvdlk0VWo1 + ejdnTDR4bFlUUXc4Smd0NEp6b3crZFUKLS0tIFBsQUdRWjZLSDY1ZlFaRDdLOVhs + MFFGY0NSU3NaK2U0U1NndUIyYm54ZWsKZ6q9j1fNaNSzBA0rbZYyUWt3U2V/7/9/ + FZTKd8mH/uCoxvK8unlVZ9uYNADRh2smp7LwK1AWie/6khAIFqVBeg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-31T02:00:52Z" + mac: ENC[AES256_GCM,data:VXBQSegpiLmT5pF0XVB8NTVzhn4QDE2WfVznANVdrXC4BqFYoQXscW+4BcMmwkUqz5MjeKNF4KgRwtpKWVyRXG7EXVEGeA/NdysAxM9eSD4YrQZLqWzG8UKStyFG7jgHw/YA3H94hJ3rYnhsA9Kb3DHEmnQSZskTOmn2ppyUunQ=,iv:/rVWmaXl149Prhv35wBDZN6c+HgQ6PYSb8RIE30t7MI=,tag:SZ7mI9XDsIjhliFyWO14ug==,type:str] + unencrypted_suffix: _unencrypted + version: 3.12.1 diff --git a/hosts/poweredge/wg1.nix b/hosts/poweredge/wg1.nix new file mode 100644 index 0000000..d94efb6 --- /dev/null +++ b/hosts/poweredge/wg1.nix @@ -0,0 +1,7 @@ +{ config, pkgs, inputs, ... }: { + sops.secrets.wg1.sopsFile = ./resources/secrets/wg1.yaml; + + networking.wg-quick.interfaces = { + wg1.configFile = config.sops.secrets.wg1.path; + }; +} |
