wireguard configuration for argonath

1 files changed, 28 insertions, 1 deletions

diff --git a/machines/nixos/x86_64-linux/argonath.nix b/machines/nixos/x86_64-linux/argonath.nix
index eb08896..14b698a 100644
--- a/machines/nixos/x86_64-linux/argonath.nix
+++ b/machines/nixos/x86_64-linux/argonath.nix
@@ -1,4 +1,9 @@
-{ lib, adminUser, ... }:
+{
+  config,
+  lib,
+  adminUser,
+  ...
+}:
 {
   imports = [
     ../../../profiles/cgroups.nix
@@ -9,11 +14,33 @@
     ../../../profiles/server.nix
   ];
 
+  age.secrets.wireguard.file = ../../../secrets/argonath/wireguard.age;
+
   # fixes duplicated devices in mirroredBoots
   boot.loader.grub.devices = lib.mkForce [ "/dev/vda" ];
 
   disko.devices.disk.disk1.device = "/dev/vda";
 
+  networking.wireguard = {
+    enable = true;
+    interfaces.wg0 = {
+      ips = [ "10.100.0.51/32" ];
+      listenPort = 51871;
+      privateKeyFile = config.age.secrets.wireguard.path;
+      peers = [
+        {
+          # rivendell
+          publicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
+          allowedIPs = [ "10.100.0.60/32" ];
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+  };
+
+  networking.firewall.trustedInterfaces = [ "wg0" ];
+  networking.firewall.allowedUDPPorts = [ 51871 ];
+
   system.stateVersion = "25.05"; # Did you read the comment?
 
   home-manager = {