Add wireguard

2025-10-31 19:06:58 +01:00 · 2025-10-31 19:06:58 +01:00 · 9d5ff5297c
commit 9d5ff5297c
parent 5e0c257caf
6 changed files with 46 additions and 13 deletions
--- a/systems/ren/wireguard.nix
+++ b/systems/ren/wireguard.nix
@ -0,0 +1,32 @@
+let 
+  ip = "10.100.0.3/32";
+  publicKey = (builtins.readFile ../../keys/wg-ren.pub);
+in
+{
+  systemModule = { config, ... }: {
+    age.secrets.wg-private.file = ../../keys/wg-ren;
+    networking.wg-quick.interfaces.wg-selene = {
+      privateKeyFile = config.age.secrets.wg-private.path;
+
+      # The internal IP address assigned to this client by the server.
+      # The /24 subnet mask is important for knowing the VPN's local network.
+      address = [ ip ];
+
+      # DNS server(s) to use when the tunnel is active.
+      # This is critical for resolving hostnames when all traffic is routed.
+      dns = [
+        "1.1.1.1"
+        "1.0.0.1"
+      ]; # Cloudflare DNS, or use your preferred one like 8.8.8.8
+
+      peers = [
+        (import ../../modules/servermodules/wireguard/wireguard-server.nix).infoForClients
+      ];
+    };
+  };
+
+  peerConfig = {
+    publicKey = publicKey;
+    allowedIPs = [ip];
+  };
+}