configure wireguard for rivendell

1 files changed, 28 insertions, 0 deletions

diff --git a/machines/nixos/x86_64-linux/rivendell/default.nix b/machines/nixos/x86_64-linux/rivendell/default.nix
index 700a57f..1f38f6f 100644
--- a/machines/nixos/x86_64-linux/rivendell/default.nix
+++ b/machines/nixos/x86_64-linux/rivendell/default.nix
@@ -12,6 +12,14 @@
     ../../../../profiles/disk/btrfs-on-luks.nix
   ];
 
+  age = {
+    secrets = {
+      wireguard = {
+        file = ../../../../secrets/rivendell/wireguard.age;
+      };
+    };
+  };
+
   boot.initrd.availableKernelModules = [
     "nvme"
     "xhci_pci"
@@ -45,6 +53,26 @@
 
   nix.settings.trusted-users = [ "builder" ];
 
+  networking.wireguard = {
+    enable = true;
+    interfaces.wg0 = {
+      ips = [ "10.100.0.60/32" ];
+      listenPort = 51871;
+      privateKeyFile = config.age.secrets.wireguard.path;
+      peers = [
+        {
+          # digital ocean droplet
+          publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
+          allowedIPs = [ "10.100.0.0/24" ];
+          endpoint = "165.232.158.110:51871";
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+  };
+
+  networking.firewall.allowedUDPPorts = [ 51871 ];
+
   my.modules.hardware.baremetal.enable = true;
   my.modules.remote-unlock.enable = true;