setup wireguard tunnel between the VM and DO hosts

author: Franck Cuny <franck@fcuny.net> 2025-08-10 19:34:03 -0700
committer: Franck Cuny <franck@fcuny.net> 2025-08-10 19:34:03 -0700
commit: a00121d94d8a592713565fa9528fb53179acf892 (patch)
tree: 00d7725a5d31b01e723e37be4e76b10aba0d756f /machines/nixos/x86_64-linux/digitalocean.nix
parent: update the message for the helper scripts to build/switch (diff)
download: infra-a00121d94d8a592713565fa9528fb53179acf892.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/machines/nixos/x86_64-linux/digitalocean.nix b/machines/nixos/x86_64-linux/digitalocean.nix
index 5e6f069..e37e842 100644
--- a/machines/nixos/x86_64-linux/digitalocean.nix
+++ b/machines/nixos/x86_64-linux/digitalocean.nix
@@ -102,9 +102,18 @@
       ips = [ "10.100.0.50/32" ];
       listenPort = 51871;
       privateKeyFile = config.age.secrets.wireguard.path;
+      peers = [
+        {
+          publicKey = "bJZyQoemudGJQox8Iegebm23c4BNVIxRPy1kmI2l904=";
+          allowedIPs = [ "10.100.0.0/24" ];
+          persistentKeepalive = 25;
+        }
+      ];
     };
   };
 
+  networking.firewall.trustedInterfaces = [ "wg0" ];
   networking.firewall.allowedUDPPorts = [ 51871 ];
+
   system.stateVersion = "25.05"; # Did you read the comment?
 }
author	Franck Cuny <franck@fcuny.net>	2025-08-10 19:34:03 -0700
committer	Franck Cuny <franck@fcuny.net>	2025-08-10 19:34:03 -0700
commit	a00121d94d8a592713565fa9528fb53179acf892 (patch)
tree	00d7725a5d31b01e723e37be4e76b10aba0d756f /machines/nixos/x86_64-linux/digitalocean.nix
parent	update the message for the helper scripts to build/switch (diff)
download	infra-a00121d94d8a592713565fa9528fb53179acf892.tar.gz