Diffstat (limited to '')
-rw-r--r--machines/nixos/x86_64-linux/digitalocean.nix9
-rw-r--r--machines/nixos/x86_64-linux/vm-synology.nix22
-rw-r--r--secrets/secrets.nix5
-rw-r--r--secrets/vm-synology/wireguard.age7
4 files changed, 43 insertions, 0 deletions
diff --git a/machines/nixos/x86_64-linux/digitalocean.nix b/machines/nixos/x86_64-linux/digitalocean.nix
index 5e6f069..e37e842 100644
--- a/machines/nixos/x86_64-linux/digitalocean.nix
+++ b/machines/nixos/x86_64-linux/digitalocean.nix
@@ -102,9 +102,18 @@
ips = [ "10.100.0.50/32" ];
listenPort = 51871;
privateKeyFile = config.age.secrets.wireguard.path;
+ peers = [
+ {
+ publicKey = "bJZyQoemudGJQox8Iegebm23c4BNVIxRPy1kmI2l904=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ persistentKeepalive = 25;
+ }
+ ];
};
};
+ networking.firewall.trustedInterfaces = [ "wg0" ];
networking.firewall.allowedUDPPorts = [ 51871 ];
+
system.stateVersion = "25.05"; # Did you read the comment?
}
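Review bot: `networking.firewall.trustedInterfaces = [ "wg0" ];` exempts everything arriving over the tunnel from the host firewall, so every listening service on this machine becomes reachable to the peer, not just the ones the tunnel is meant for. The new peer entry also sets `allowedIPs = [ "10.100.0.0/24" ];`, which lets that single key source packets from any address in the subnet, although the other host in this commit is configured as 10.100.0.40/32. I would narrow the peer to `allowedIPs = [ "10.100.0.40/32" ];` and replace the trusted interface with `networking.firewall.interfaces.wg0.allowedTCPPorts = [ /* ports actually needed */ ];`. The wg0 block starts above this hunk, so there may be context there that I cannot see.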
diff --git a/machines/nixos/x86_64-linux/vm-synology.nix b/machines/nixos/x86_64-linux/vm-synology.nix
index 468d0dd..f5e8c90 100644
--- a/machines/nixos/x86_64-linux/vm-synology.nix
+++ b/machines/nixos/x86_64-linux/vm-synology.nix
@@ -23,6 +23,9 @@
nas_client_credentials = {
file = "${self}/secrets/nas_client.age";
};
+ wireguard = {
+ file = "${self}/secrets/vm-synology/wireguard.age";
+ };
};
};
@@ -84,5 +87,24 @@
nix.settings.trusted-users = [ "builder" ];
+ networking.wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ ips = [ "10.100.0.40/32" ];
+ listenPort = 51871;
+ privateKeyFile = config.age.secrets.wireguard.path;
+ peers = [
+ {
+ publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ endpoint = "165.232.158.110:51871";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+
+ networking.firewall.allowedUDPPorts = [ 51871 ];
+
system.stateVersion = "23.11"; # Did you read the comment?
}
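Review bot: `networking.firewall.allowedUDPPorts = [ 51871 ];` opens an inbound port on a host that, from what is visible, only dials out: its peer has an `endpoint` and `persistentKeepalive = 25`, while the digitalocean.nix peer entry for this machine has no endpoint. Replies to an outbound handshake should pass the stateful firewall without that rule, so it looks like unneeded exposure; if that is right, drop the line, and `listenPort = 51871;` with it. If inbound initiation is intended, a short comment such as `# peers may initiate to this host` would record why the port is open. The enclosing attribute set begins above the hunk.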
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 3ef9cd2..0aa5bc8 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -51,4 +51,9 @@ in
users.fcuny
hosts.do
];
+
+ "vm-synology/wireguard.age".publicKeys = [
+ users.fcuny
+ hosts.vm-synology
+ ];
}
diff --git a/secrets/vm-synology/wireguard.age b/secrets/vm-synology/wireguard.age
new file mode 100644
index 0000000..c3fa8e5
--- /dev/null
+++ b/secrets/vm-synology/wireguard.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 pFjJaA W/q8awlPps3KhNgNgiaDW3ENccWRvimQc/CepeKtIGg
+R6d6oYV60+KFaiMrA21Ul84wpCRN661THD9g2T1GPwY
+-> ssh-ed25519 qRUWSw pUeRbvRND8xFrd+pzbodt53OMfyoIgplrFx/8obgVwc
+QQiuwQ8CO8/oT2mL2Ke/mn9S3N4/LKbc18hLoNbr8nM
+--- rasVmM9kOAey35QaIW2EGsVwpYK4jmB3DE14iiknhYc
+-#"%}LJ S:%Bנ4@r 3+4QsYFYm'-7c6Irq \ No newline at end of file