Add Public IP address through WireGuard

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>

.gitignore

@@ -9,6 +9,7 @@ first-boot.sh
 guix-commit.txt
 id_ed25519
 id_ed25519.pub
+id_wireguard
 index.html
 install-sh
 Makefile
@@ -17,3 +18,4 @@ missing
 mumble-vm-machine.scm
 mumble-vm-system.scm
 signing-key.pub
+wireguard-post-up.sh

Makefile.am

@@ -16,7 +16,8 @@ CLEANFILES = \
 	index.html \
 	mumble-vm.img \
 	mumble-vm-machine.scm \
-	mumble-vm-system.scm
+	mumble-vm-system.scm \
+	wireguard-post-up.sh
 
 # We want to only update the image when guix commit changes. The trick
 # to make that work is to only create or update a file when the revision
@@ -53,7 +54,8 @@ IMAGE_SOURCE = \
 	mumble-vm-system.scm \
 	id_ed25519.pub \
 	Makefile \
-	signing-key.pub
+	signing-key.pub \
+	wireguard-post-up.sh
 
 mumble-vm.img: $(IMAGE_SOURCE)
 	sudo install \

mumble-vm-system.scm.tmpl

@@ -19,6 +19,7 @@
   #:use-module (gnu services certbot)
   #:use-module (gnu services ssh)
   #:use-module (gnu services telephony)
+  #:use-module (gnu services vpn)
   #:use-module (gnu services web)
   #:use-module (guix build-system copy)
   #:use-module (guix build-system gnu)
@@ -70,6 +71,32 @@ the services after that.")
     (home-page #f)
     (license license:gpl3+)))
 
+(define wireguard-post-up-fixups
+  (package
+    (name "wireguard-post-up-fixups")
+    (version "0.1")
+    (source (local-file "wireguard-post-up.sh" ))
+    (build-system gnu-build-system)
+    (arguments
+     (list #:tests? #f ;no tests
+           #:phases
+           #~(modify-phases
+              %standard-phases
+              (delete 'build)
+              (delete 'configure)
+              (replace 'install
+                       (lambda _
+                         (chmod "wireguard-post-up.sh" #o755)
+                         (install-file
+                          "wireguard-post-up.sh"
+                          (string-append (string-append #$output "/bin"))))))))
+    (synopsis "Script to fixup the Wireguard interface(s).")
+    (description
+     "Currently, the wireguard-post-up.sh script sets up the interface
+     MTU.")
+    (home-page #f)
+    (license license:gpl3+)))
+
 (define-public %nginx-deploy-hook
   (program-file
    "nginx-deploy-hook"
@@ -82,6 +109,9 @@ the services after that.")
           (kill nginx-pid SIGHUP)
           (kill mumble-server-pid SIGUSR1))))))
 
+(define-public %wireguard-post-up
+    (list "/run/current-system/profile/bin/wireguard-post-up.sh"))
+
 (define mumble-vm-operating-system
   (operating-system
    (bootloader (bootloader-configuration
@@ -107,7 +137,8 @@ the services after that.")
            net-tools
            nmon
            openssh-sans-x
-           website)
+           website
+           wireguard-post-up-fixups)
      %base-packages))
    (services
     (append
@@ -195,7 +226,22 @@ https://DOMAIN/
                  `(("root" , (local-file "id_ed25519.pub"))
                    ("gnutoo" ,(local-file "id_ed25519.pub"))))))
       ;; Unattended Upgrades
-      (service unattended-upgrade-service-type))
+      (service unattended-upgrade-service-type)
+      (service wireguard-service-type
+               (wireguard-configuration
+                (addresses '("79.143.250.36/32" "2001:678:938:3ff::36/128"))
+                (dns '("79.143.250.1" "79.143.250.2"
+                       "2001:678:938::53:1" "2001:678:938::53:2"))
+                (port 0)
+                (post-up %wireguard-post-up)
+                (private-key (local-file "id_wireguard"))
+                (peers
+                 (list
+                  (wireguard-peer
+                   (name "stephanie.franciliens.net")
+                   (endpoint "stephanie.franciliens.net:51820")
+                   (public-key "Ybfh3twyBpj7wx/lo9AVBsBKNAUMSQqAWWV0LfywSDI=")
+                   (allowed-ips '("0.0.0.0/0" "::/0"))))))))
      (modify-services
       %base-services
       (guix-service-type config => (guix-configuration

wireguard-post-up.sh.tmpl

@@ -0,0 +1,14 @@
+#!/bin/sh
+#
+# Copyright (C) 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
+#
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# You should have received a copy of the GNU General Public License
+# along with this file.  If not, see <http://www.gnu.org/licenses/>.
+set -e
+
+ip link set dev wg0 mtu 1380