From 01374fe5b0b0283c403fbb0420dd7bd9400a0bb8 Mon Sep 17 00:00:00 2001
From: Jan-Bulthuis
Date: Wed, 28 May 2025 12:23:31 +0200
Subject: [PATCH] Added vpn vm with wstunnel server

---
 hosts/20212060/configuration.nix | 13 ++++++++++
 hosts/vm-vpn/configuration.nix | 42 ++++++++++++++++++++++++++++++++
 hosts/vm-vpn/users/local.nix | 7 ++++++
 modules/nixos/profiles/vm.nix | 7 +++---
 4 files changed, 65 insertions(+), 4 deletions(-)
 create mode 100644 hosts/vm-vpn/configuration.nix
 create mode 100644 hosts/vm-vpn/users/local.nix

diff --git a/hosts/20212060/configuration.nix b/hosts/20212060/configuration.nix
index 5dc10a4..49e321a 100644
--- a/hosts/20212060/configuration.nix
+++ b/hosts/20212060/configuration.nix
@@ -10,8 +10,21 @@
 # Admin users
 users.users.jan.extraGroups = [ "wheel" ];
+ # Enable virtualisation for VMs
 virtualisation.libvirtd.enable = true;
+ # Set up wstunnel client
+ services.wstunnel = {
+ enable = true;
+ clients.wg-tunnel = {
+ connectTo = "wss://wstunnel.bulthuis.dev:443";
+ localToRemote = [
+ "udp://51820:10.10.40.100:51820"
+ ];
+ };
+ };
+
+ # Module setup
 modules = {
 profiles.laptop.enable = true;
 };
diff --git a/hosts/vm-vpn/configuration.nix b/hosts/vm-vpn/configuration.nix
new file mode 100644
index 0000000..ff5e485
--- /dev/null
+++ b/hosts/vm-vpn/configuration.nix
@@ -0,0 +1,42 @@
+{
+ lib,
+ pkgs,
+ config,
+ ...
+}:
+
+{
+ # State version
+ system.stateVersion = "24.11";
+
+ # Machine hostname
+ networking.hostName = "vm-vpn";
+
+ # Enabled modules
+ modules = {
+ profiles.vm.enable = true;
+ };
+
+ # Setup wstunnel server
+ services.wstunnel = {
+ enable = true;
+ servers.wg-tunnel = {
+ enableHTTPS = true;
+ listen = {
+ host = "0.0.0.0";
+ port = 8080;
+ };
+ restrictTo = [
+ {
+ host = "10.10.40.100";
+ port = 51820;
+ }
+ ];
+ tlsCertificate = "/var/lib/secrets/fullchain.pem";
+ tlsKey = "/var/lib/secrets/key.pem";
+ };
+ };
+ networking.firewall = {
+ allowedTCPPorts = [ 8080 ];
+ };
+}
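Review bot: The client definition `clients.wg-tunnel` carries no secret of its own — only `connectTo` and `localToRemote` — so this laptop is indistinguishable from any other host that can reach wstunnel.bulthuis.dev, and whoever reaches it can open the same tunnel. If the NixOS module version in use exposes it, pair the client with the server via a shared path prefix, e.g. `httpUpgradePathPrefix = "<random-token>";` on this side and the matching `restrictHttpUpgradePathPrefix` on the server, and keep the token in an `environmentFile` rather than in the Nix store. The forward `udp://51820:10.10.40.100:51820` opens a local UDP 51820 listener on a roaming machine; as far as I recall wstunnel binds localToRemote to loopback by default, but that is worth confirming here since it is not stated. A one-line comment naming the consumer would also help the next reader, e.g. `# Local 127.0.0.1:51820 is the (presumably WireGuard) endpoint for 10.10.40.100 via the tunnel`.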
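Review bot: The new server accepts WebSocket upgrades from anyone who reaches TCP 8080 on any interface (`host = "0.0.0.0"` plus `allowedTCPPorts = [ 8080 ]`) with no path-prefix or credential check; `restrictTo` correctly caps the destination to 10.10.40.100:51820, but an unauthenticated relay still lets arbitrary clients push UDP at that endpoint and hold connections open on the VM. Consider `restrictHttpUpgradePathPrefix = [ "<random-token>" ];` (if the module version supports it, with the token supplied via `environmentFile`) or at least binding `listen.host` to the interface the upstream forwarder uses. The client in this same patch connects to `wss://wstunnel.bulthuis.dev:443` while this listener is on 8080 with `enableHTTPS = true`, so something outside this patch must bridge 443→8080; if that is a TLS-terminating proxy the second TLS layer is redundant, and either way a comment stating the expected topology belongs next to `listen`. Nothing here provisions `/var/lib/secrets/fullchain.pem` and `key.pem` or their ownership/mode, so state how they land and who may read them, e.g. `# Provisioned out-of-band; key must be 0600 and readable by the wstunnel service user`, or switch to the module's ACME integration if available.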
diff --git a/hosts/vm-vpn/users/local.nix b/hosts/vm-vpn/users/local.nix
new file mode 100644
index 0000000..8ab93f7
--- /dev/null
+++ b/hosts/vm-vpn/users/local.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+ home.stateVersion = "24.11";
+
+ modules.profiles.base.enable = true;
+}
diff --git a/modules/nixos/profiles/vm.nix b/modules/nixos/profiles/vm.nix
index f39c7bc..79ba369 100644
--- a/modules/nixos/profiles/vm.nix
+++ b/modules/nixos/profiles/vm.nix
@@ -16,19 +16,18 @@ in
 };
 config = mkIf cfg.enable {
- # Machine hostname
- networking.hostName = lib.mkDefault "vm-base";
-
 # Enabled modules
 modules = {
 profiles.base.enable = true;
- base.enable = true;
 ssh.enable = true;
 };
 # Enable qemu guest agent
 services.qemuGuest.enable = true;
+ # Machine platform
+ nixpkgs.hostPlatform = "x86_64-linux";
+
 # Hardware configuration
 hardware.enableRedistributableFirmware = true;
 boot.initrd.availableKernelModules = [