feat(jeeves): wireguard

Add separate module for `wireguard`
Rekey `jeeves_password` (use all `users`' keys)
Add secrets related to Wireguard: server public/private, cheetah public
Add a `.gitignore` for the private `limonka_age` key

machines/nixos/x86_64-linux/jeeves/wireguard.nix

@@ -0,0 +1,62 @@
+{ lib, pkgs, config, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    wireguard-tools
+  ];
+
+  # NOTE: key generation
+  # umask 077
+  # wg genkey > private
+  # wg pubkey < private > public
+
+  # Server
+  age.secrets."wireguard/server.private" = {
+    file = ../../../../secrets/home/wireguard/server.private.age;
+    mode = "077";
+  };
+  age.secrets."wireguard/server.public" = {
+    file = ../../../../secrets/home/wireguard/server.public.age;
+  };
+
+  # Peers
+  age.secrets."wireguard/cheetah.pub" = {
+    file = ../../../../secrets/home/wireguard/cheetah.pub.age;
+  };
+
+  networking.firewall.allowedUDPPorts = [51820];
+  systemd.network = {
+    netdevs = {
+      "50-wg0" = {
+        netdevConfig = {
+          Kind = "wireguard";
+          Name = "wg0";
+          MTUBytes = "1300";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = config.age.secrets."wireguard/server.private".path;
+          ListenPort = 51820;
+        };
+        wireguardPeers = [
+          {
+            # cheetah
+            wireguardPeerConfig = {
+              PublicKey = config.age.secrets."wireguard/cheetah.pub".path;
+              AllowedIPs = [
+                "0.0.0.0/0"
+                # "::/0"
+              ];
+            };
+          }
+        ];
+      };
+    };
+    networks.wg0 = {
+      matchConfig.Name = "wg0";
+      address = ["10.100.0.1/24"];
+      networkConfig = {
+        IPMasquerade = "ipv4";
+        IPForward = true;
+      };
+    };
+  };
+}