configure wireguard for rivendell

1 files changed, 51 insertions, 0 deletions

diff --git a/docs/network.org b/docs/network.org
new file mode 100644
index 0000000..d3801b0
--- /dev/null
+++ b/docs/network.org
@@ -0,0 +1,51 @@
+** Wireguard
+*** New host
+On a host, run the following:
+#+begin_src shell
+fcuny@vm-synology ~> wg genkey > wireguard
+Warning: writing to world accessible file.
+Consider setting the umask to 077 and trying again.
+fcuny@vm-synology ~> wg pubkey < wireguard > wireguard.pub
+fcuny@vm-synology ~> ll
+total 12
+drwxr-xr-x 2 fcuny users 4096 Aug 10 14:24 tmp
+-rw-r--r-- 1 fcuny users   45 Oct 18 10:42 wireguard
+-rw-r--r-- 1 fcuny users   45 Oct 18 10:42 wireguard.pub
+fcuny@vm-synology ~> cat wireguard.pub jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=
+#+end_src
+
+Then create the secret in ../secrets/secrets.nix with
+#+begin_src shell
+agenix -i ~/.ssh/agenix -e <hostname>/wireguard.age
+#+end_src
+
+Then add the following to the host's configuration:
+#+begin_src nix
+age = {
+  secrets = {
+    wireguard = {
+      file = ../../../../secrets/rivendell/wireguard.age;
+    };
+  };
+};
+
+networking.wireguard = {
+  enable = true;
+  interfaces.wg0 = {
+    ips = [ "10.100.0.60/32" ];
+    listenPort = 51871;
+    privateKeyFile = config.age.secrets.wireguard.path;
+    peers = [
+      {
+        # digital ocean droplet
+        publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
+        allowedIPs = [ "10.100.0.0/24" ];
+        endpoint = "165.232.158.110:51871";
+        persistentKeepalive = 25;
+      }
+    ];
+  };
+};
+
+networking.firewall.allowedUDPPorts = [ 51871 ];
+#+end_src