

















































                                                                                   
** Wireguard
*** New host
On a host, run the following:
#+begin_src shell
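# Generate the key pair under a restrictive umask. Without it `wg genkey`
# warns "writing to world accessible file" and the private key is created
# mode 0644 (-rw-r--r--), i.e. readable by every local user on the host.
# The umask applies to the rest of this shell session.
umask 077
wg genkey > wireguard
wg pubkey < wireguard > wireguard.pub

# Both files should now be mode 0600 (-rw-------).
ls -l wireguard wireguard.pub

# The public key is what peers put in their configuration; it looks like
# jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=
cat wireguard.pub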
#+end_src

Then create the secret in ../secrets/secrets.nix with
#+begin_src shell
# Opens $EDITOR on the encrypted file: paste the private key (the contents of
# the `wireguard` file from the previous step) and save. <hostname> is the
# target host's directory under secrets/. Remove the plaintext `wireguard`
# file once the encrypted secret exists.
agenix -i ~/.ssh/agenix -e <hostname>/wireguard.age
#+end_src

Then add the following to the host's configuration:
#+begin_src nix
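# Decrypted by agenix at activation time; `config.age.secrets.wireguard.path`
# below resolves to the decrypted file. The path is host-specific — this example
# appears to be for a host named "rivendell"; use <hostname>/wireguard.age for
# the host being configured.
age = {
  secrets = {
    wireguard = {
      file = ../../../../secrets/rivendell/wireguard.age;
    };
  };
};

networking.wireguard = {
  enable = true;
  interfaces.wg0 = {
    # This host's address inside the tunnel network.
    ips = [ "10.100.0.60/32" ];
    listenPort = 51871;
    # Reference the decrypted secret by path so the private key is never
    # embedded in the (world-readable) Nix store.
    privateKeyFile = config.age.secrets.wireguard.path;
    peers = [
      {
        # digital ocean droplet
        publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
        # Only the tunnel subnet is routed through this peer.
        allowedIPs = [ "10.100.0.0/24" ];
        endpoint = "165.232.158.110:51871";
        # Periodic keepalive so the peer can keep reaching this host through NAT.
        persistentKeepalive = 25;
      }
    ];
  };
};

# Open the WireGuard listen port. Reference the option set above instead of
# repeating the literal so the firewall rule cannot drift from listenPort.
networking.firewall.allowedUDPPorts = [ config.networking.wireguard.interfaces.wg0.listenPort ];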
#+end_src