Diffstat (limited to 'machines')
-rw-r--r--machines/nixos/x86_64-linux/digitalocean.nix9
-rw-r--r--machines/nixos/x86_64-linux/vm-synology.nix22
2 files changed, 31 insertions, 0 deletions
diff --git a/machines/nixos/x86_64-linux/digitalocean.nix b/machines/nixos/x86_64-linux/digitalocean.nix
index 5e6f069..e37e842 100644
--- a/machines/nixos/x86_64-linux/digitalocean.nix
+++ b/machines/nixos/x86_64-linux/digitalocean.nix
@@ -102,9 +102,18 @@
ips = [ "10.100.0.50/32" ];
listenPort = 51871;
privateKeyFile = config.age.secrets.wireguard.path;
+ peers = [
+ {
+ publicKey = "bJZyQoemudGJQox8Iegebm23c4BNVIxRPy1kmI2l904=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ persistentKeepalive = 25;
+ }
+ ];
};
};
+ networking.firewall.trustedInterfaces = [ "wg0" ];
networking.firewall.allowedUDPPorts = [ 51871 ];
+
system.stateVersion = "25.05"; # Did you read the comment?
}
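Review bot: `networking.firewall.trustedInterfaces = [ "wg0" ];` accepts every packet arriving on wg0, and the peer added above may source the whole `10.100.0.0/24`, so whoever holds that one peer key can reach every listening port on this host from any tunnel address. If this peer is the vm-synology machine (inferred from the `10.100.0.40/32` address in the other file), narrow it to `allowedIPs = [ "10.100.0.40/32" ];`, which also stops a later second peer from contending for the same range. Rather than trusting the interface, open only what is served over the tunnel, e.g. `networking.firewall.interfaces.wg0.allowedTCPPorts = [ /* placeholder: ports served over the tunnel */ ];`. The enclosing attribute set starts outside the hunk.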
diff --git a/machines/nixos/x86_64-linux/vm-synology.nix b/machines/nixos/x86_64-linux/vm-synology.nix
index 468d0dd..f5e8c90 100644
--- a/machines/nixos/x86_64-linux/vm-synology.nix
+++ b/machines/nixos/x86_64-linux/vm-synology.nix
@@ -23,6 +23,9 @@
nas_client_credentials = {
file = "${self}/secrets/nas_client.age";
};
+ wireguard = {
+ file = "${self}/secrets/vm-synology/wireguard.age";
+ };
};
};
@@ -84,5 +87,24 @@
nix.settings.trusted-users = [ "builder" ];
+ networking.wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ ips = [ "10.100.0.40/32" ];
+ listenPort = 51871;
+ privateKeyFile = config.age.secrets.wireguard.path;
+ peers = [
+ {
+ publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ endpoint = "165.232.158.110:51871";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+
+ networking.firewall.allowedUDPPorts = [ 51871 ];
+
system.stateVersion = "23.11"; # Did you read the comment?
}
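Review bot: `networking.firewall.allowedUDPPorts = [ 51871 ];` opens an inbound port on a host that, from the visible config, only dials out. Its single peer has a fixed `endpoint` and `persistentKeepalive = 25`, so replies should already pass the stateful firewall as established traffic. Unless another peer is meant to initiate connections to this machine, drop that line (and optionally `listenPort`) so the VM exposes no WireGuard listener. If the port has to stay, a short comment such as `# inbound needed: <which peer dials in>` would record why. The module's attribute set starts outside the hunk.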