From 650c787cdcfe12db7940121446912d55b0819d1c Mon Sep 17 00:00:00 2001
From: Andrea Ciceri
Date: Wed, 28 May 2025 16:30:08 +0200
Subject: [PATCH] Connect `picard` to the MLabs VPN
---
 hosts/default.nix | 1 +
 hosts/picard/default.nix | 1 +
 modules/wireguard-mlabs/default.nix | 15 +++++++++++++++
 secrets/secrets.nix | 6 ++++++
 secrets/wireguard-mlabs-private-key.age | 12 ++++++++++++
 5 files changed, 35 insertions(+)
 create mode 100644 modules/wireguard-mlabs/default.nix
 create mode 100644 secrets/wireguard-mlabs-private-key.age
diff --git a/hosts/default.nix b/hosts/default.nix
index efdd865..170cd88 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -89,6 +89,7 @@
 "forgejo-runners-token".owner = "nixuser";
 "forgejo-nix-access-tokens".owner = "nixuser";
 "nix-netrc" = { };
+ "wireguard-mlabs-private-key" = { };
 };
 };
diff --git a/hosts/picard/default.nix b/hosts/picard/default.nix
index 02271ff..bf4c0c7 100644
--- a/hosts/picard/default.nix
+++ b/hosts/picard/default.nix
@@ -41,6 +41,7 @@
 "prometheus-exporters"
 "zerotier"
 "alloy"
+ "wireguard-mlabs"
 ] ++ [
 ./disko.nix
 ];
diff --git a/modules/wireguard-mlabs/default.nix b/modules/wireguard-mlabs/default.nix
new file mode 100644
index 0000000..2d583f7
--- /dev/null
+++ b/modules/wireguard-mlabs/default.nix
@@ -0,0 +1,15 @@
+{ config, ... }:
+{
+ networking.wireguard.interfaces.wg1 = {
+ ips = [ "10.10.1.1/32" ];
+ peers = [
+ {
+ publicKey = "A4u2Rt5WEMHOAc6YpDABkqAy2dzzFLH9Gn8xWcKaPQQ=";
+ allowedIPs = [ "10.10.0.0/16" ];
+ endpoint = "vpn.staging.mlabs.city:51820";
+ persistentKeepalive = 25;
+ }
+ ];
+ privateKeyFile = config.age.secrets.wireguard-mlabs-private-key.path;
+ };
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index fd1bca9..8646ff3 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
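Review bot: In the new modules/wireguard-mlabs/default.nix, the peer's `allowedIPs = [ "10.10.0.0/16" ]` makes picard accept traffic from the whole /16 over `wg1`, and with the NixOS default `allowedIPsAsRoutes = true` it also routes that range into the tunnel. Nothing in the module limits what hosts on that network can reach on picard. If picard only needs a few VPN hosts, narrow the range to those subnets. Otherwise confirm that the firewall does not treat `wg1` as trusted and that the services enabled in hosts/picard/default.nix (for example `prometheus-exporters`) are not opened on every interface; whether they are is not visible in this patch. The module also hard-codes `ips = [ "10.10.1.1/32" ]`, so it is specific to one host despite living under `modules/`; a comment such as `# picard's address on the MLabs VPN; do not enable on another host without a new key and IP` would record that.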
@@ -164,6 +164,12 @@ with keys.users; picard kirk ]; + "wireguard-mlabs-private-key.age".publicKeys = [ + ccr-ssh + picard + pike + kirk + ]; # WireGuard "picard-wireguard-private-key.age".publicKeys = [ diff --git a/secrets/wireguard-mlabs-private-key.age b/secrets/wireguard-mlabs-private-key.age new file mode 100644 index 0000000..363e217 --- /dev/null +++ b/secrets/wireguard-mlabs-private-key.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 Zh7Kmw 1pcva3l9KyvXlzWJVeul63s1xnL2yEMzuB1R73IdKlA +TDDa9yQYXrqFS+MCEeqCcQ/27zu3WytSmU5MBNyQTIk +-> ssh-ed25519 /WmILg z9/JeIxSpzndNP+1fwfdRfKYTaNp7wVITCkF7wwayEs +8PlFDHZbA0Z/3svhPWGE/sHfsMNmuXrdP6Qf0FhLMmc +-> ssh-ed25519 OYRzvQ Tk0mN20c8199ZvTY6jXY6ExSXGR3kb4qtnj8HkPj1xY +5SGMhFzIE98NgNw7bnnivVTvuKtBtJdf/2jAjJUSKl8 +-> ssh-ed25519 /yLdGQ 8J4LLlxtMFW8fALPGUk/NaHIJ59bo9tKe5TGiGAvYhk +sgE0SQi169mEtltDWIb4ZZaXKUXORyiKhmOZsNOiqKU +--- sWbCYolqfqwIsja6nNdyPBcOeM/Qq5GninMokUvK4xE +ʼngz{4 X? +A e"v\Ho,m}bq$h:fGkF=#0q \ No newline at end of file
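Review bot: The secrets/secrets.nix hunk encrypts `wireguard-mlabs-private-key.age` to `picard`, `pike` and `kirk` (plus `ccr-ssh`), but in this commit only hosts/picard/default.nix enables the `wireguard-mlabs` module, and that module hard-codes a single tunnel address. A WireGuard private key identifies one peer, so every host able to decrypt the file can bring up the tunnel as picard. Unless pike and kirk are meant to use this key, reduce the list to `ccr-ssh` and `picard` and re-encrypt the file. The entry is also inserted above the `# WireGuard` comment, so it is grouped with the preceding secret rather than with `picard-wireguard-private-key.age`; moving it below that comment keeps the sections accurate. The surrounding attribute set starts and ends outside the hunk.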