From 3676f44fe813794b0603dbc82da3149db8fb4e1c Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Sat, 18 Oct 2025 10:58:27 -0700
Subject: configure wireguard for rivendell

---
 docs/network.org | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 docs/network.org

(limited to 'docs/network.org')

diff --git a/docs/network.org b/docs/network.org
new file mode 100644
index 0000000..d3801b0
--- /dev/null
+++ b/docs/network.org
@@ -0,0 +1,51 @@
+** Wireguard
+*** New host
+On a host, run the following:
+#+begin_src shell
+fcuny@vm-synology ~> wg genkey > wireguard
+Warning: writing to world accessible file.
+Consider setting the umask to 077 and trying again.
+fcuny@vm-synology ~> wg pubkey < wireguard > wireguard.pub
+fcuny@vm-synology ~> ll
+total 12
+drwxr-xr-x 2 fcuny users 4096 Aug 10 14:24 tmp
+-rw-r--r-- 1 fcuny users 45 Oct 18 10:42 wireguard
+-rw-r--r-- 1 fcuny users 45 Oct 18 10:42 wireguard.pub
+fcuny@vm-synology ~> cat wireguard.pub jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=
+#+end_src
+
+Then create the secret in ../secrets/secrets.nix with
+#+begin_src shell
+agenix -i ~/.ssh/agenix -e /wireguard.age
+#+end_src
+
+Then add the following to the host's configuration:
+#+begin_src nix
+age = {
+ secrets = {
+ wireguard = {
+ file = ../../../../secrets/rivendell/wireguard.age;
+ };
+ };
+};
+
+networking.wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ ips = [ "10.100.0.60/32" ];
+ listenPort = 51871;
+ privateKeyFile = config.age.secrets.wireguard.path;
+ peers = [
+ {
+ # digital ocean droplet
+ publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ endpoint = "165.232.158.110:51871";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+};
+
+networking.firewall.allowedUDPPorts = [ 51871 ];
+#+end_src
-- 
cgit v1.2.3
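Review bot: The shell transcript in the first `#+begin_src shell` block shows `wg genkey` warning that the private key was written to a world-accessible file, and the procedure then continues without correcting it, so a reader following it literally leaves the plaintext key as `-rw-r--r--` in a home directory (visible in the `ll` output). The text should instruct the reader to set `umask 077` before running `wg genkey` (or `chmod 600 wireguard` afterwards) and to delete the plaintext `wireguard` file once the agenix secret has been created, since only the `.age` file should remain. The `agenix -i ~/.ssh/agenix -e /wireguard.age` path also appears inconsistent with the `file = ../../../../secrets/rivendell/wireguard.age` reference in the Nix block — presumably it should point at that same file; worth confirming before someone copies the command.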