** Wireguard
*** New host
On a host, generate the keypair. The warning in the transcript below means the private key was written with mode 0644; run ~umask 077~ before ~wg genkey~ (or ~(umask 077; wg genkey > wireguard)~) so only your user can read it, and remove the plaintext file once it has been encrypted with agenix:
#+begin_src shell
fcuny@vm-synology ~> wg genkey > wireguard
Warning: writing to world accessible file. Consider setting the umask to 077 and trying again.
fcuny@vm-synology ~> wg pubkey < wireguard > wireguard.pub
fcuny@vm-synology ~> ll
total 12
drwxr-xr-x 2 fcuny users 4096 Aug 10 14:24 tmp
-rw-r--r-- 1 fcuny users   45 Oct 18 10:42 wireguard
-rw-r--r-- 1 fcuny users   45 Oct 18 10:42 wireguard.pub
fcuny@vm-synology ~> cat wireguard.pub
jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=
#+end_src

Then declare the secret in ../secrets/secrets.nix (agenix only encrypts files listed there, to the public keys given for them) and create the encrypted file, from the directory containing secrets.nix, with:
#+begin_src shell
agenix -i ~/.ssh/agenix -e /wireguard.age
#+end_src

Then add the following to the host's configuration. The decrypted key lands at ~config.age.secrets.wireguard.path~, owned by root with mode 0400 by default, which is what the WireGuard service (running as root) needs; ~allowedIPs~ of the whole ~10.100.0.0/24~ means all traffic for the VPN subnet is routed to the droplet, and the ~listenPort~ must match the UDP port opened in the firewall:
#+begin_src nix
age = {
  secrets = {
    wireguard = {
      file = ../../../../secrets/rivendell/wireguard.age;
    };
  };
};

networking.wireguard = {
  enable = true;
  interfaces.wg0 = {
    ips = [ "10.100.0.60/32" ];
    listenPort = 51871;
    privateKeyFile = config.age.secrets.wireguard.path;
    peers = [
      {
        # digital ocean droplet
        publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
        allowedIPs = [ "10.100.0.0/24" ];
        endpoint = "165.232.158.110:51871";
        persistentKeepalive = 25;
      }
    ];
  };
};

networking.firewall.allowedUDPPorts = [ 51871 ];
#+end_src
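As an added example (not code from these notes or from the WireGuard or agenix projects), the following shows what ~wg genkey~ and ~wg pubkey~ do underneath, and how to create the key file without the world-readable window the warning above complains about. X25519 is implemented in pure Python from the RFC 7748 ladder so it runs with the standard library only; the file names and the ~generate_keypair~ / ~write_private_key~ helpers are my own, and the test vectors are the ones in RFC 7748 section 6.1.

```python
"""Generate a WireGuard keypair the way `wg genkey` / `wg pubkey` do, with the
private key file created as mode 0600 from the start.

Added example, not code from the page. X25519 follows RFC 7748 section 5.
"""
import base64
import os
import secrets
import stat
import tempfile

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (486662 - 2) / 4, Montgomery ladder constant
BASEPOINT_U = 9   # u-coordinate of the generator


def clamp(private: bytes) -> int:
    """Scalar clamping that `wg genkey` applies to its 32 random bytes."""
    k = bytearray(private)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def decode_u(u_bytes: bytes) -> int:
    """Decode a peer's public key; RFC 7748 masks the top bit of the last byte."""
    u = bytearray(u_bytes)
    u[31] &= 127
    return int.from_bytes(u, "little")


def x25519(k: int, u: int) -> int:
    """Montgomery ladder from RFC 7748: u-coordinate of k * (u, ...)."""
    x_1 = u % P
    x_2, z_2 = 1, 0
    x_3, z_3 = x_1, 1
    swap = 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        if swap:
            x_2, x_3 = x_3, x_2
            z_2, z_3 = z_3, z_2
        swap = k_t
        a = (x_2 + z_2) % P
        aa = a * a % P
        b = (x_2 - z_2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x_3 + z_3) % P
        d = (x_3 - z_3) % P
        da = d * a % P
        cb = c * b % P
        x_3 = pow(da + cb, 2, P)
        z_3 = x_1 * pow(da - cb, 2, P) % P
        x_2 = aa * bb % P
        z_2 = e * (aa + A24 * e) % P
    if swap:
        x_2, x_3 = x_3, x_2
        z_2, z_3 = z_3, z_2
    return x_2 * pow(z_2, P - 2, P) % P


def public_key(private: bytes) -> bytes:
    """What `wg pubkey` computes: X25519(clamped private scalar, basepoint)."""
    if len(private) != 32:
        raise ValueError("WireGuard private keys are exactly 32 bytes")
    return x25519(clamp(private), BASEPOINT_U).to_bytes(32, "little")


def shared_secret(private: bytes, peer_public: bytes) -> bytes:
    """Raw X25519 DH with a peer's public key (one of the DH steps in the handshake)."""
    return x25519(clamp(private), decode_u(peer_public)).to_bytes(32, "little")


def to_wg(raw: bytes) -> str:
    """WireGuard's config encoding: 32 raw bytes as 44-character base64."""
    return base64.b64encode(raw).decode("ascii")


def write_private_key(path: str, raw: bytes) -> int:
    """Create the key file with mode 0600 applied at creation time (no umask
    can widen it) and O_EXCL so an existing key is never silently overwritten.
    Returns the resulting permission bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(to_wg(raw) + "\n")
    return stat.S_IMODE(os.stat(path).st_mode)


def public_key_from_file(path: str) -> str:
    """Equivalent of `wg pubkey < wireguard`: read a base64 private key, print the public one."""
    with open(path) as f:
        return to_wg(public_key(base64.b64decode(f.read().strip())))


def generate_keypair(directory=None):
    """Return (private key path, public key as WireGuard base64, file mode)."""
    directory = directory or tempfile.mkdtemp(prefix="wg-")  # hypothetical location for the demo
    priv = secrets.token_bytes(32)  # OS CSPRNG, as `wg genkey` uses
    path = os.path.join(directory, "wireguard")
    mode = write_private_key(path, priv)
    return path, to_wg(public_key(priv)), mode


if __name__ == "__main__":
    path, pub, mode = generate_keypair()
    print(f"private key: {path} (mode {mode:04o})")
    print(f"public key:  {pub}")
```

The public key printed here is what goes into the peer's ~publicKey~ field; the private key file is what ~privateKeyFile~ points at once agenix has encrypted and redeployed it.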