From a7ce1dc7eaf3b6cd4903c650b86ae4da7929925f Mon Sep 17 00:00:00 2001 From: soraefir Date: Fri, 1 May 2026 17:31:09 +0200 Subject: [PATCH] Migrate gateway --- flake.nix | 1 + modules/home/gui/games/wow.nix | 59 ------------------- .../system/network/wireguard/default.nix | 20 +++++-- .../system/network/wireguard/forwarding.nix | 43 ++++++++++++++ modules/shared/sops/common.yaml | 10 +++- modules/shared/syscfg/default.nix | 32 +++++++++- systems/avalon/cfg.nix | 8 --- systems/avalon/server/docker/secrets.txt | 14 +++++ systems/gateway/cfg.nix | 32 ++++++++++ systems/gateway/default.nix | 13 ++++ systems/gateway/hardware.nix | 13 ++++ systems/iriy/cfg.nix | 1 - 12 files changed, 168 insertions(+), 78 deletions(-) create mode 100644 modules/nixos/system/network/wireguard/forwarding.nix create mode 100644 systems/avalon/server/docker/secrets.txt create mode 100644 systems/gateway/cfg.nix create mode 100644 systems/gateway/default.nix create mode 100644 systems/gateway/hardware.nix diff --git a/flake.nix b/flake.nix index a2b849e..e2360cd 100755 --- a/flake.nix +++ b/flake.nix @@ -44,6 +44,7 @@ avalon = gen.generate { host = "avalon"; }; ci = gen.generate { host = "ci"; }; sandbox = gen.generate { host = "sandbox"; }; + gateway = gen.generate { host = "gateway"; }; }; darwinConfigurations = { asgard = gen.generate { host = "asgard"; }; }; homeConfigurations = { diff --git a/modules/home/gui/games/wow.nix b/modules/home/gui/games/wow.nix index 97cec4a..fa9071f 100644 --- a/modules/home/gui/games/wow.nix +++ b/modules/home/gui/games/wow.nix 
@@ -19,64 +19,5 @@ "wago_addons": null } }''; - -# curse:master-plan -# curse:raretrackercore-rt -# curse:raretrackerdragonflight-rtd -# curse:raretrackermaw-rtmw -# curse:raretrackermechagon-rtm -# curse:raretrackerthewarwithin-rtww -# curse:raretrackertimelessisle-rtti -# curse:raretrackeruldum-rtu -# curse:raretrackervale-rtv -# curse:raretrackerworldbosses-rtwb -# curse:raretrackerzerethmortis-rtz -# curse:venture-plan -# curse:war-plan -# github:nevcairiel/bartender4 -# github:cidan/betterbags -# github:bigwigsmods/bigwigs -# github:bigwigsmods/bigwigs_battleforazeroth -# github:bigwigsmods/bigwigs_burningcrusade -# github:bigwigsmods/bigwigs_cataclysm -# github:bigwigsmods/bigwigs_classic -# github:bigwigsmods/bigwigs_dragonflight -# github:bigwigsmods/bigwigs_legion -# github:bigwigsmods/bigwigs_mistsofpandaria -# github:bigwigsmods/bigwigs_shadowlands -# github:bigwigsmods/bigwigs_warlordsofdraenor -# github:bigwigsmods/bigwigs_wrathofthelichking -# github:nezroy/demodal -# github:curseforge-mirror/details -# github:edusperoni/details_elitism -# github:curseforge-mirror/elitismhelper -# github:michaelnpsp/grid2 -# github:jods-gh/groupfinderrio -# github:nevcairiel/handynotes -# github:hekili/hekili -# github:thekrowi/krowi_achievementfilter -# github:bigwigsmods/littlewigs -# github:nnoggie/mythicdungeontools -# github:tullamods/omnicc -# github:tercioo/plater-nameplates -# github:curseforge-mirror/quest_completist -# github:raiderio/raiderio-addon -# github:wowrarity/rarity -# github:nevcairiel/shadowedunitframes -# github:simulationcraft/simc-addon -# github:curseforge-mirror/tomcats -# github:weakauras/weakauras2 -# github:kemayo/wow-handynotes-battleforazerothtreasures -# github:kemayo/wow-handynotes-dragonflight -# github:kemayo/wow-handynotes-legiontreasures -# github:kemayo/wow-handynotes-longforgottenhippogryph -# github:kemayo/wow-handynotes-lostandfound -# github:kemayo/wow-handynotes-secretfish -# github:kemayo/wow-handynotes-shadowlandstreasures 
-# github:kemayo/wow-handynotes-stygia -# github:kemayo/wow-handynotes-treasurehunter -# github:kemayo/wow-handynotes-warwithin -# wowi:7032-tomtom - }; } diff --git a/modules/nixos/system/network/wireguard/default.nix b/modules/nixos/system/network/wireguard/default.nix index 43990a5..a0de311 100644 --- a/modules/nixos/system/network/wireguard/default.nix +++ b/modules/nixos/system/network/wireguard/default.nix @@ -1,4 +1,5 @@ { config, lib, ... }: { + imports = [ ./forwarding.nix ]; config = lib.mkIf (config.syscfg.net.wg.enable) { networking.wireguard = { enable = true; @@ -9,12 +10,19 @@ config.sops.secrets."${config.syscfg.hostname}_wg_priv".path; listenPort = 1515; mtu = 1340; - peers = [{ - allowedIPs = [ "10.10.1.0/24" "fd10:10:10::0/64" ]; - endpoint = "vpn.helcel.net:1515"; - publicKey = "NFBJvYXZC+bd62jhrKnM7/pugidWhgR6+C5qIiUiq3Q="; - persistentKeepalive = 30; - }]; + peers = + if config.syscfg.net.wg.server.enable then + map(secretName:{ + allowedIPs = [ "10.10.1.0/24" "fd10:10:10::0/64" ]; + publicKey = config.sops.secrets."${secretName}_wg_pub".path; + }) config.syscfg.net.wg.server.peers + else + [{ + allowedIPs = [ "10.10.1.0/24" "fd10:10:10::0/64" ]; + endpoint = "vpn.helcel.net:1515"; + publicKey = "NFBJvYXZC+bd62jhrKnM7/pugidWhgR6+C5qIiUiq3Q="; + persistentKeepalive = 30; + }]; }; }; }; diff --git a/modules/nixos/system/network/wireguard/forwarding.nix b/modules/nixos/system/network/wireguard/forwarding.nix new file mode 100644 index 0000000..c7a051f --- /dev/null +++ b/modules/nixos/system/network/wireguard/forwarding.nix 
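Review bot: In the server branch of `peers` (second hunk of wireguard/default.nix), `publicKey = config.sops.secrets."${secretName}_wg_pub".path;` hands WireGuard the secret's file path, while `publicKey` expects the base64 key itself, as the literal in the client branch shows. Public keys are not confidential, so keeping them in plain configuration (for example an attribute set of peer name to key) fixes this and removes the sops lookup. Every server peer also receives the same `allowedIPs = [ "10.10.1.0/24" "fd10:10:10::0/64" ]`. WireGuard uses allowedIPs both to pick the peer for outgoing packets and to accept source addresses on incoming ones, so overlapping ranges leave only one peer routable and give no per-peer source binding. Each entry should carry only that peer's own `/32` and `/128`.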
@@ -0,0 +1,43 @@
+
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.syscfg.net.wg;
+
+in
+{
+
+ config = lib.mkIf (config.syscfg.net.wg.server.enable) {
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv6.conf.all.forwarding" = 1;
+ };
+
+ networking.nftables.enable = true;
+ networking.nftables.ruleset = ''
+ table inet nat {
+ chain prerouting {
+ type nat hook prerouting priority 0; policy accept;
+
+ ${concatMapStringsSep "\n" (ports:
+ let
+ src = builtins.elemAt ports 0;
+ dst = builtins.elemAt ports 1;
+ in ''
+ iifname "${cfg.inInterface}" tcp dport ${toString src} counter dnat to ${cfg.toAddr}:${toString dst}
+ iifname "${cfg.inInterface}" udp dport ${toString src} counter dnat to ${cfg.toAddr}:${toString dst}
+ ''
+ ) cfg.forwarding.ports}
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority 100; policy accept;
+ oifname { "wg0", "ens3" } masquerade
+ }
+ }
+ '';
+ };
+}
\ No newline at end of file
diff --git a/modules/shared/sops/common.yaml b/modules/shared/sops/common.yaml
index 1946995..84f7b42 100755
--- a/modules/shared/sops/common.yaml
+++ b/modules/shared/sops/common.yaml
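Review bot: The rule template in forwarding.nix reads `cfg.inInterface`, `cfg.toAddr` and `cfg.forwarding.ports` with `cfg = config.syscfg.net.wg`, but this commit declares those options under `server.forward` in modules/shared/syscfg/default.nix, so the paths look undefined. `cfg = config.syscfg.net.wg.server.forward;` together with `cfg.ports` would match the declaration. The module also enables IPv4 and IPv6 forwarding for the whole host without adding a `forward` chain, so unless another module filters forwarded traffic, the gateway routes whatever reaches it. A `type filter hook forward` chain with a drop policy that admits only the DNATed flows and established connections would bound that. The postrouting rule hard-codes `"ens3"` instead of using the `inInterface` option. Masquerading on `wg0` also means the backend sees every forwarded connection as coming from the gateway, which matters for its logs and rate limits.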
@@ -1,3 +1,7 @@ +gateway_wg_priv: ENC[AES256_GCM,data:3XZxNN3qDNPNlvWeErPujvm0XJR3GUTNodEBL7G8Z+6uhyNTdLDOB34m16k=,iv:QRxE7qLtDOckWhL3GGopTnADlwuRSkT/GLpHkrGOAOA=,tag:xT/UlJg/oQYbJBfQeNak3w==,type:str] +gateway_wg_pub: ENC[AES256_GCM,data:yS7PFe/ShzB7FG3gXinPl7VLNfdxA6hxIyuIHUDT2GfP/NWc08Z7ztKVu48=,iv:B45FKQNhg9YTykNHRC2p4ZWHB9+VwfEBh2gW+npE7EA=,tag:j2hU0RLv8gknAmSGp7iMrw==,type:str] +gateway_ssh_priv: null +gateway_ssh_pub: null valinor_ssh_priv: ENC[AES256_GCM,data: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,iv:pTQbb6nLHJ8BXTIYdiSe4vc5+1hpNuHhQhDkIAsZ9HI=,tag:jyO99VXSsCQlQD+Hh+gtvg==,type:str] valinor_ssh_pub: ENC[AES256_GCM,data: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,iv:YT0ZN/Rt6CbMSFU1wZDbrenlwXCh7e4C06YbVL5J/VU=,tag:BqVtzOC1ViEkHHTXbgDJHw==,type:str] valinor_wg_priv: ENC[AES256_GCM,data:1izZF+6G2Uc2MRBH56A07lexZEkyOiiFI4zltyoZco0+Y9EPhH1nJ4sWzs0=,iv:OIBIQvMsrq93/o0r8V6eSzfU63xtCzgQFf8NKXsjRk0=,tag:wdcQOfdaoxe7Vw0QWmngwA==,type:str] @@ -64,8 +68,8 @@ sops: STRtTVpVTCtVZ1FUNENqWFFVNTNuaVUKN6HRiZjTdENeif8dJ29urBxPXDaosjjY InN4Ko6YUaGfvB1DTrKIzrxOpsHS+XjisoGfT71tJwwEOoREklEO/A== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-09-06T13:14:21Z" - mac: ENC[AES256_GCM,data:nsr9KS5VNuxltR3cMDfCXtpK/lFi4M2OwwcOCj+MmJ+AtyCn7reqjd/VlIb7vLhZfuqoPbbzObvzBzX8jrMuX3Idy/PrCKht0ilYC1dZW4I/TlFM2mkJdTuFbhiXwQUhUJ89yHqIFFHJbO4ld5WfOEzGdazM2YC1OwkyOPu25+4=,iv:y6Knr38jVd+nyOBEdn861AULzkwpa9NpRKobIIlyJFg=,tag:HrGm4dENtWFXAm6d0ydn/g==,type:str] + lastmodified: "2026-05-01T15:14:46Z" + mac: ENC[AES256_GCM,data:epSFr7V8a1SRbLqiW0hmxFczzedodtoq69zVy3+kYmoIoQCGh2lHyDr2UPQHpdKZQbaOaForXO8Nlc+hllEcX/uPp/O7Yw/KEsS66wPZW8XW9GubzKVn47K1+tNTzeiLAi0iOMEcl2spXGL+6qlieuqNNrWlMEJak61rPEKSXcA=,iv:ifi1u2LTxGPHhMYRHkwSobpLBouCnOMSv6/f1G3LI+s=,tag:46tMthiGwxITsGbIMYykUg==,type:str] pgp: - created_at: "2023-04-20T10:20:17Z" enc: |- 
@@ -88,4 +92,4 @@ sops: -----END PGP MESSAGE----- fp: 4E241635F8EDD2919D2FB44CA362EA0491E2EEA0 unencrypted_suffix: _unencrypted - version: 3.10.2 + version: 3.12.1 diff --git a/modules/shared/syscfg/default.nix b/modules/shared/syscfg/default.nix index 6c094ae..efb4658 100644 --- a/modules/shared/syscfg/default.nix +++ b/modules/shared/syscfg/default.nix @@ -42,6 +42,36 @@ let type = types.str; default = ""; }; + server = { + enable = mkOption { + type = types.bool; + default = false; + }; + peers = mkOption { + type = types.listOf types.str; + default = []; + }; + forward = { + inInterface = mkOption { + type = types.str; + default = "ens3"; + description = "Incoming interface for forwarding"; + }; + + toAddr = mkOption { + type = types.str; + description = "Destination address (IPv4 or IPv6)"; + example = "10.10.1.2"; + }; + + ports = mkOption { + type = types.listOf (types.listOf types.port); + default = []; + description = "Port mappings: [ [srcPort dstPort] ... ]"; + example = [ [ 22 22 ] [ 80 80 ] [ 443 443 ] ]; + }; + } + }; }; }; makeOpt = with lib; { @@ -55,7 +85,7 @@ let }; virt = mkOption { type = types.bool; - default = true; + default = false; }; power = mkOption { type = types.bool; diff --git a/systems/avalon/cfg.nix b/systems/avalon/cfg.nix index 257f836..b448672 100644 --- a/systems/avalon/cfg.nix +++ b/systems/avalon/cfg.nix @@ -23,16 +23,8 @@ } ]; make = { - gui = false; cli = true; virt = true; - power = false; - game = false; - develop = false; - }; - wlp = { - enable = false; - nif = ""; }; wg = { enable = true; diff --git a/systems/avalon/server/docker/secrets.txt b/systems/avalon/server/docker/secrets.txt new file mode 100644 index 0000000..feb52f2 --- /dev/null +++ b/systems/avalon/server/docker/secrets.txt 
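Review bot: The new `forward = { … }` attribute set inside `server` (first hunk of syscfg/default.nix) is closed with a bare `}` where Nix requires `};`, so the file will not parse as written. `toAddr` is declared without a `default`, which is safe only while nothing evaluates it on hosts that leave it unset; a `default = "";` plus an assertion when `ports` is non-empty would make that failure explicit. The second hunk of this file flips the `virt` default from `true` to `false`. avalon and iriy set it explicitly, but any host whose cfg is not part of this patch changes behaviour silently.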
@@ -0,0 +1,14 @@ + + +AUTHENTIK_DB_PASSWORD=NTQRO0rhPCd4L3HLNK4AT09Npz+ks1jyRC6AOyo5u+k= +AUTHENTIK_SECRET_KEY=9Zw8Sy8257iJmRdBhUKGiq3d7uYAkhC9smuDUClE8aR1iPdpHHds+K2D1Zy3lwj2Hjnasu5jnopkhwnABWDu8A== + + +AUTHENTIK_EMAIL_PASSWORD=w+g:cPU+e.y!mNcAsiAp4jPCLTmjte2d + + +ETHERPAD_DB_PASSWORD=d43352c3906516bf4c34d63316509cb4b1621167af84c81b60689779a62b2348 +ETHERPAD_ADMIN_PASSWORD=Hackme55# + +COLLABORA_USER=... +COLLABORA_PASSWORD=... \ No newline at end of file diff --git a/systems/gateway/cfg.nix b/systems/gateway/cfg.nix new file mode 100644 index 0000000..cfaf888 --- /dev/null +++ b/systems/gateway/cfg.nix @@ -0,0 +1,32 @@ +{ + syscfg = { + hostname = "gateway"; + type = "nixos"; + system = "x86_64-linux"; + defaultUser = "sora"; + users = [{ + username = "sora"; + wm = "-"; + git = { + email = "soraefir+git@helcel"; + username = "soraefir"; + key = "4E241635F8EDD2919D2FB44CA362EA0491E2EEA0"; + }; + }]; + make = { + cli = true; + }; + net = { + wlp = { enable = false; }; + wg = { + enable = true; + ip4 = "10.10.1.1/32"; + ip6 = "fd10:10:10::1/128"; + server = { + enable = true; + peers = ["avalon" "asguard" "iriy" "valinor" ]; + }; + }; + }; + }; +} diff --git a/systems/gateway/default.nix b/systems/gateway/default.nix new file mode 100644 index 0000000..cad4be2 --- /dev/null +++ b/systems/gateway/default.nix @@ -0,0 +1,13 @@ +{ config, inputs, ... }: { + imports = [ ./hardware.nix ]; + + services.openssh.enable = true; + services.openssh.authorizedKeysFiles = [ + config.sops.secrets."iriy_ssh_pub".path + config.sops.secrets."valinor_ssh_pub".path + ]; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-rsa 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 sora@valinor" + ]; +} + diff --git a/systems/gateway/hardware.nix b/systems/gateway/hardware.nix new file mode 100644 index 0000000..b4c9d8e --- /dev/null +++ b/systems/gateway/hardware.nix 
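Review bot: systems/avalon/server/docker/secrets.txt commits service credentials in plaintext (database passwords, the Authentik secret key, a mail password and the Etherpad admin password), although the repository already keeps secrets encrypted with sops in modules/shared/sops/common.yaml. Every value in this file should be treated as exposed and rotated, because deleting the file in a later commit still leaves it in history. Store the values as sops entries and render the container env file from `config.sops.secrets.<name>.path` or a sops template, and add the file name to `.gitignore` so a local copy cannot be staged again. The Etherpad admin password is also short and guessable and should be replaced with a generated one.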
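Review bot: The peer list in systems/gateway/cfg.nix names `asguard`, while flake.nix in this patch defines the host as `asgard`. wireguard/default.nix turns each name into a `"${secretName}_wg_pub"` lookup, so the misspelt entry presumably has no matching secret, and the peer will either break evaluation or be missing; the full sops key list is not visible here to confirm. Suggested: `peers = [ "avalon" "asgard" "iriy" "valinor" ];`. `server.forward.toAddr` is left unset for this host, which is harmless only while `ports` stays empty.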
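Review bot: `services.openssh.authorizedKeysFiles` in systems/gateway/default.nix is a daemon-wide list, so the keys in the two sops files are accepted for every account on this host, root included. sshd must also be able to read those secret files when it checks the login. Public keys are not confidential; placing them in `users.users.sora.openssh.authorizedKeys.keys` scopes them to one account and removes the sops dependency. The hunk also enables sshd on what appears to be the internet-facing host without `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;`, so password logins remain allowed by default. Consider dropping the direct root key in favour of `sora` with sudo.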
@@ -0,0 +1,13 @@ +{ config, lib, pkgs, modulesPath, ... }: { + boot.kernelPackages = pkgs.linuxPackages_latest; + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + boot.loader.grub.device = "/dev/sda"; + boot.initrd.availableKernelModules = + [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; + boot.initrd.kernelModules = [ "nvme" ]; + + fileSystems."/" = { + device = "/dev/sda3"; + fsType = "btrfs"; + }; +} diff --git a/systems/iriy/cfg.nix b/systems/iriy/cfg.nix index ee5e4f8..4c7e118 100644 --- a/systems/iriy/cfg.nix +++ b/systems/iriy/cfg.nix @@ -17,7 +17,6 @@ gui = true; cli = true; virt = true; - power = false; game = true; develop = true; };