commit 091ac439568a8c7467356abade9adcea2627f799
parent bda4b2c8ca6ee5fa73abdf3121c2c5dfdcbc7b1f
Author: Katja (zaphyra) <git@ctu.cx>
Date: Fri, 13 Jun 2025 21:54:32 +0200
hosts/huntii/dn42: add wg-interface (and tunnel to host `morio`)
2 files changed, 59 insertions(+), 8 deletions(-)
diff --git a/hosts/novus/dn42.nix b/hosts/novus/dn42.nix @@ -4,6 +4,11 @@ dns.zones."zaphyra.eu".subdomains."router-a.dn42".AAAA = [ hostConfig.networking.ip6Address ]; + sops.secrets."dn42/wgPrivateKey" = { + owner = "systemd-network"; + group = "systemd-network"; + }; + modules.networking.dn42 = { enable = true; routerId = 42171801; @@ -84,22 +89,62 @@ }; }; + networking.firewall = { + allowedUDPPorts = [ + config.systemd.network.netdevs."20-dn42".wireguardConfig.ListenPort + ]; + trustedInterfaces = [ + "dn42" + ]; + }; + systemd.network = { - netdevs."15-dn42" = { + config.networkConfig = { + IPv6Forwarding = true; + }; + + netdevs."20-dn42" = { netdevConfig = { - Kind = "dummy"; + Kind = "wireguard"; Name = "dn42"; + MTUBytes = 1280; }; + + wireguardConfig = { + PrivateKeyFile = config.sops.secrets."dn42/wgPrivateKey".path; + ListenPort = 1718; + FirewallMark = 1718; + }; + + wireguardPeers = [ + { + PublicKey = "BUAac0PtF+4QmsFMVoQOLWRtSRYjy1y2nKvTA9BcXC0="; + AllowedIPs = [ + "fd6b:6174:6a61::2/128" + ]; + PersistentKeepalive = 10; + } + ]; }; - networks."15-dn42" = { + networks."20-dn42" = { matchConfig.Name = "dn42"; - linkConfig.RequiredForOnline = "no"; + linkConfig.RequiredForOnline = false; address = [ "fd6b:6174:6a61::1/48" ]; + networkConfig = { + DNSDefaultRoute = false; + DNS = [ + "fd42:d42:d42:54::1" + "fd42:d42:d42:53::1" + ]; + Domains = [ + "~dn42" + "d.f.ip6.arpa" + ]; + }; }; - }; }
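Review bot: `trustedInterfaces = [ "dn42" ]` in the new `networking.firewall` block (second hunk) accepts every packet arriving on the WireGuard interface unconditionally, so each service listening on this host becomes reachable from whatever the tunnel carries. Today the only peer is limited to `fd6b:6174:6a61::2/128` by `AllowedIPs`, but the trust is attached to the interface rather than to that address, so it widens silently as soon as further peers or prefixes are added. Consider dropping the entry and opening only what is needed with `networking.firewall.interfaces."dn42".allowedTCPPorts = [ /* required ports */ ];`. Separately, `"d.f.ip6.arpa"` in `Domains` lacks the `~` prefix that `"~dn42"` has, so it is treated as a search domain as well as a routing domain; `"~d.f.ip6.arpa"` looks like the intent.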
diff --git a/secrets/novus.yaml b/secrets/novus.yaml @@ -1,6 +1,6 @@ machine-id: ENC[AES256_GCM,data:3Ht/3miXzxsTLpMSjvdo0qHay03on2iZDBbEwzqeEBM=,iv:uIKG0CMMjijwVyH4n1KvX0T6bkS6UaK9Z3LwUpqOWxA=,tag:+G2NSdnlzZtW1ePD36y/SA==,type:str] acmeTSIGKey: ENC[AES256_GCM,data:a34wyBRoW3Mo6Mep66wi99xfuZLecCrDgpH4EFy4T8PpHYnhR/pLubXVzZpwouKrC+g0E+3hyBR6Bmc/1arKmQ==,iv:938iHOR2NwCjZEBQpjhnCEG11DcxtfeBLGmRh06LaRg=,tag:uhMkBrc9G7inEBg7ddWvZg==,type:str] -wireguardPrivKey: ENC[AES256_GCM,data:Aa+a2Ka6kk5yGbhO4Yr1WJ8tohZqEBizsEe7jBT7kr36wgRIIzTDYraZ+SU=,iv:wdZ1+uMWy6T8hrtWtKHwq2YaXqRx7QPVv2sE9oXqWLo=,tag:uhJGSVVodotPnwhj7RVy5A==,type:str] +wgPrivateKey: ENC[AES256_GCM,data:+bdtb7bf97fIY4u6En+ETvgHwYJlQwi6bk54y69ExBUdXfIham27PpyPDqs=,iv:1h8+2XPkc3qYLCWBnF0iNRMWrncufZrrkBZu1bxLXVo=,tag:vSm003YxfVBFIbyrfuhCaQ==,type:str] resticServerHtpasswd: ENC[AES256_GCM,data:cjva4AXQw37feKs1wFl5o0pLJjfkW5sh5U8jZ2gWUYBlMQgBmdhYAuUwcR8jvismBafL6gSW4esvxPnBpcZC5yTP7TwQh/f18pouaTVH,iv:LJkvhOgTNt065K5kQNlP6zQUTK0bqd9smTIt7meUA4c=,tag:CkzAqsoKOXIdtTgqdOxORA==,type:str] rcloneConfig: ENC[AES256_GCM,data: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,iv:Zq7DGFKxBw5tmEXXK8W7Aun1Gk78iwgju6NJJZcwBe0=,tag:3a0hn76gMiEX1imuQT0qaQ==,type:str] resticPasswords: 
@@ -8,9 +8,11 @@ resticPasswords: environments: gotosocial: "" dn42: + wgPrivateKey: ENC[AES256_GCM,data:/D4liqLV+oo8d/M1j52MlzoB9cLnHKYc4tHFK8X9xXKgm+Fcj+pq9mKMCco=,iv:+Dt0QjFivY8cEwVEY8WMncLIieQvn7HeUMI/ETOhZlE=,tag:m2ajMB51iPryrjYYw1yWqQ==,type:str] peerings: void: wgPrivateKey: ENC[AES256_GCM,data:4N59Ti9SFQwKuTM4gHHvVfxrVChD5ijC3vYFJ+gdME2AAr7yD4otZepSfiI=,iv:yUA89MIb+9h/C5vrzZwpc5ducgqsXlvN5JlXsVNH3JU=,tag:K9DRXKS/9rXp4yfmolHZyA==,type:str] + wgPresharedKey: ENC[AES256_GCM,data:/KIS9wWtf8rk8oTgipWZjRtv+TRDVOznRnq7PeTdMa/ZP8qzAHWBPX2un3A=,iv:14aQm8ufGD74Rjy6tZal8ZGeDZ6Qhtd1T8LXchOOYG4=,tag:Lg3pEtM40HB3czTM8OK3iA==,type:str] tech9: wgPrivateKey: ENC[AES256_GCM,data:/4wOdZbhE80GvpfzZNyenSqQQoMd+ToJdXEdjaaSGAptYT5jjNroH8FEJco=,iv:GQz9Fg9ryBvtQTpwNTt4bxlRtqr36Vmt+SXAjX6ru1U=,tag:0woEX1Li06edjV2jKzQePg==,type:str] kioubit: 
@@ -27,10 +29,14 @@ dn42: wgPrivateKey: ENC[AES256_GCM,data:uZRiXkIMMHVhr2eQLhHHW2yRcjXMMjHKa2dO8oXgLb+7+GVcgrMmob0jx6Q=,iv:FkQ05dBxFzuUFDPlnTT2yFzDSbp//lEddrXqx+ngP9s=,tag:SWp2W1gSUzS7luyEKJN3QQ==,type:str] pentane: wgPrivateKey: ENC[AES256_GCM,data:10AEqy0TyLdkYLLt2L+HcqOKVSnkZtY+0j0mNHwoKj86W0UdSC02+GBTEMo=,iv:ceDd3cb1jz1zYFEhHlpBu9dQrYZCM+7ytlG9ij+majs=,tag:dcUcuvjEGbjm9M8/LrbNdQ==,type:str] + e1mo: + wgPrivateKey: ENC[AES256_GCM,data:l1971O25KKp+X9+N+zamEvC7wVoUrsTOBUMbC/frIyxb32c18QJ0dfIGyrU=,iv:n2r+nrAk1ZzYET86a/hYH6XFin0VoQcmN/bAbBlgzrI=,tag:r5AHkXREiQ+P4Oomm4aO7g==,type:str] clerie: wgPrivateKey: ENC[AES256_GCM,data:nBVtuFO4b2sTmxcLkYRmPAcZ/XJjs6LOFeT+P9OUqRWGEfVWV+FFxO342NU=,iv:VtqxfY7Ur4YYXC6GHlr6/fu8s2cyT3jQO6S9EnFzcrs=,tag:H1a7E4oqNWiDu+6xQFIuvw==,type:str] etwas: wgPrivateKey: ENC[AES256_GCM,data:AgOdEsiRjvydyDY7d4rWxulhOMvHFVxMh1ennuwaNidTSANAAGus1Pm/Yw0=,iv:9kS4KQuY8/n5pEEYepYszIaxy1YGWZxVPYresc7dtLY=,tag:UBk/mi9MWW5XQ003Qitk5w==,type:str] + pilz: + wgPrivateKey: ENC[AES256_GCM,data:ydAEa4X27y1+DUWKnwidxT3P1UdcBC/0NnDfL8p0saBWQ8iRM6dDdpaab80=,iv:/ToPc52eDlOEVLyB3Xb9ugBFlMxemEd6/4e+uYmoTDo=,tag:tp8DjQOahttr1B/3jDU73g==,type:str] sops: age: - recipient: age1tud4lvpmpx5nqceyp09ls9ej8l80zlh29d8cpjxcajfnnyy85fvqs63snm 
@@ -42,8 +48,8 @@ sops: N0dBZExjdWpSVDJmYlFmOHluZEJUWkUKhkWONhK0LiVhAY+pdemXOBHtBALV65ZP EClQs/bns2HUF4E5Lc6mv8WvogFNhm/TLGYX/sOWSvAYExRNiHtssQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-09T12:21:42Z" - mac: ENC[AES256_GCM,data:75XmsVqYVy/Dn6xAhEoZ3dxYsdx7LcnLwBv0nncoVaiqFC+WevL6IZqLitSLE4Afn+aUfhCNGbi2wrUW4T+JPnF1PFDpn3R6dsDFwbSttaxPBE78XehGgDb75ruWf1LlAzPfCj1Z0/SbT/gWUWsmavlwfblRtdOFae5Zljdue6w=,iv:e48Syqg+DhEiZgx0XwQvOe1eQSwLUiSTaAEAb+n0yN4=,tag:e5wceDkEREyLgtOoAzGQ1Q==,type:str] + lastmodified: "2025-06-10T22:56:07Z" + mac: ENC[AES256_GCM,data:ABz1T1tQ69Eks97Y0Z85SPZwXn0lmff0sI5v+90TFg3fyhw45r5Mk1P4UfAuX/dkhRAHEdUtIeGLIeUa+BYmgMPSDn88IS5+pwuaxBrktROWTxsuEqZauk+a8X0IvwPp/u2iMcHNb71bksyB3tZ+jifLbT3L7aImabxVfP352EA=,iv:aBOE2gjTUZ+opKu/q0F3xaV1A8+6krOPnuF3kkQyvx8=,tag:MgfLhbNd3YfO7ON8CqxLiQ==,type:str] pgp: - created_at: "2025-05-21T10:26:58Z" enc: |-