From c85cf06186685d30f51074f1e8f5b7e5465e0843 Mon Sep 17 00:00:00 2001
From: lucalise
Date: Wed, 4 Feb 2026 17:59:57 -0800
Subject: [PATCH] feat(wg): add mesh tunneling to devices & routers

---
 nix/homelab/helm/helmfile.yaml | 7 ++
 nix/homelab/helm/values/gitea-runners.yaml | 5 ++
 nix/modules/default.nix | 1 +
 nix/modules/networking/wireguard-mesh.nix | 77 ++++++++++++++++++++++
 4 files changed, 90 insertions(+)
 create mode 100644 nix/homelab/helm/values/gitea-runners.yaml
 create mode 100644 nix/modules/networking/wireguard-mesh.nix

diff --git a/nix/homelab/helm/helmfile.yaml b/nix/homelab/helm/helmfile.yaml
index b4c40b1..9c8aab5 100644
--- a/nix/homelab/helm/helmfile.yaml
+++ b/nix/homelab/helm/helmfile.yaml
@@ -45,6 +45,13 @@ releases:
 values:
 - values/gitea.yaml
+ - name: gitea-runners
+ namespace: git
+ chart: gitea-charts/actions
+ version: 0.0.2
+ values:
+ - values/gitea-runners.yaml
+
 # Storage
 - name: longhorn
 namespace: longhorn-system
diff --git a/nix/homelab/helm/values/gitea-runners.yaml b/nix/homelab/helm/values/gitea-runners.yaml
new file mode 100644
index 0000000..d191806
--- /dev/null
+++ b/nix/homelab/helm/values/gitea-runners.yaml
@@ -0,0 +1,5 @@
+enabled: true
+statefulset:
+ nodeSelector:
+ kubernetes.io/hostname: rufus
+giteaRootURL: https://git.lucalise.ca
diff --git a/nix/modules/default.nix b/nix/modules/default.nix
index 6db9f2f..2870ea4 100644
--- a/nix/modules/default.nix
+++ b/nix/modules/default.nix
@@ -22,5 +22,6 @@
 ./mounts.nix
 ./nfs-mesh.nix
 ./rust.nix
+ ./networking/wireguard-mesh.nix
 ];
 }
diff --git a/nix/modules/networking/wireguard-mesh.nix b/nix/modules/networking/wireguard-mesh.nix
new file mode 100644
index 0000000..3445166
--- /dev/null
+++ b/nix/modules/networking/wireguard-mesh.nix
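Review bot: The new values file pins the runner to `rufus` and sets `giteaRootURL`, but nothing in it shows where the runner's registration token comes from, so a reader has to go to the chart to find out. If the token is read from a pre-existing Kubernetes secret created outside this repo, a one-line comment such as `# runner registration token: supplied by secret <SECRET-NAME-PLACEHOLDER> in namespace git` would record that dependency next to the values that need it. The `kubernetes.io/hostname` pin also means the runner StatefulSet cannot be scheduled while that node is down, which is presumably intended for a single-node setup and worth stating in the same comment.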
@@ -0,0 +1,77 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}:
+let
+ meshHosts = {
+ kumatani = {
+ address = "kumatani";
+ publicKey = "pKkl30tba29FG86wuaC0KrpSHMr1tSOujikHFbx75BM=";
+ isRouter = false;
+ ip = "10.100.0.1";
+ };
+ usahara = {
+ address = "usahara";
+ publicKey = "4v7GyAIsKfwWjLMVB4eoosJDvLkIDHW0KsEYoQqSnh4=";
+ isRouter = false;
+ ip = "10.100.0.2";
+ };
+ tux = {
+ address = "tux";
+ publicKey = "TUX_PUBLIC_KEY_HERE=";
+ isRouter = false;
+ ip = "10.100.0.3";
+ };
+ oakbay-pfsense = {
+ endpoint = "oakbay.lucalise.ca:51822";
+ publicKey = "xOTPZBIC9m1BkkiLCOUTty3b7/NOvslteVQHzEFxqWQ=";
+ isRouter = true;
+ ip = "10.100.0.250";
+ routes = [
+ "192.168.15.0/27"
+ "192.168.20.0/26"
+ "192.168.27.0/24"
+ ];
+ };
+ };
+
+ getEndpoint =
+ name: host:
+ if host.isRouter or false then "${host.endpoint}" else "${host.address}:${toString 51820}";
+
+ mkPeer = name: host: {
+ publicKey = host.publicKey;
+ allowedIPs = [ "${host.ip}/32" ] ++ (host.routes or [ ]);
+ endpoint = getEndpoint name host;
+ persistentKeepalive = 25;
+ dynamicEndpointRefreshSeconds = 300;
+ };
+
+ mkPeersFor =
+ selfName: lib.mapAttrsToList mkPeer (lib.filterAttrs (name: _: name != selfName) meshHosts);
+
+ selfConfig = meshHosts.${config.networking.hostName} or null;
+in
+{
+ config = lib.mkIf (selfConfig != null) {
+ networking.wireguard.interfaces = {
+ wg0 = {
+ privateKeyFile = "/etc/wireguard/private.key";
+ ips = [ "${selfConfig.ip}/32" ];
+ listenPort = 51820;
+ peers = mkPeersFor config.networking.hostName;
+ };
+ };
+
+ networking.firewall = {
+ allowedUDPPorts = [ 51820 ];
+ trustedInterfaces = [ "wg0" ];
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /etc/wireguard 0700 root root -"
+ ];
+ };
+}
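Review bot: The `tux` entry carries `publicKey = "TUX_PUBLIC_KEY_HERE="`, and `mkPeersFor` emits it into the peer list of every other mesh host, so since `wg` rejects a key that is not a valid 44-character base64 string the wg0 interface will most likely fail to come up on kumatani and usahara too, not just on tux. Until the real key is available either delete the entry or skip it in the filter: `lib.filterAttrs (name: h: name != selfName && h.publicKey != "TUX_PUBLIC_KEY_HERE=") meshHosts`. Separately, `trustedInterfaces = [ "wg0" ]` together with the router peer's `routes` in `allowedIPs` means any packet sourced from 192.168.15.0/27, 192.168.20.0/26 or 192.168.27.0/24 that arrives through the tunnel is accepted by the host firewall unconditionally, which is a wider trust boundary than "the other mesh peers". Prefer `networking.firewall.interfaces.wg0.allowedTCPPorts` listing the services actually shared over the mesh, or add a comment stating that the routed LANs behind oakbay-pfsense are intentionally fully trusted. The `name` argument of `getEndpoint` and `mkPeer` is unused and the listen port 51820 is written twice (`getEndpoint` and `listenPort`), so a single `let meshPort = 51820;` binding would keep them in step.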