diff --git a/modules/wireguard-client/default.nix b/modules/wireguard-client/default.nix
index 7dc8dc5..f8b2728 100644
--- a/modules/wireguard-client/default.nix
+++ b/modules/wireguard-client/default.nix
@@ -1,29 +1,23 @@
-{config, ...}: {
+{
+  config,
+  fleetFlake,
+  ...
+}: {
   networking.firewall = {
-    allowedUDPPorts = [51820]; # Clients and peers can use the same port, see listenport
+    allowedUDPPorts = [51820];
   };
-  # Enable WireGuard
   networking.wireguard.interfaces = {
-    # "wg0" is the network interface name. You can name the interface arbitrarily.
     wg0 = {
-      ips = ["10.100.0.2/32"];
-      listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+      ips = ["${(import "${fleetFlake}/lib").ips."${config.networking.hostName}"}/32"];
+      listenPort = 51820;
       privateKeyFile = config.age.secrets."${config.networking.hostName}-wireguard-private-key".path;
       peers = [
         {
-          # Public key of the server (not a file path).
           publicKey = "O9V2PI7+vZm7gGn3f9SaTsJbVe9urf/jZkdXFz/mjVU=";
-
-          # Forward all the traffic via VPN.
-          # allowedIPs = [ "0.0.0.0/0" ];
-          # Or forward only particular subnets
-          allowedIPs = ["10.100.0.1"];
-
-          # Set this to the server IP and port.
+          allowedIPs = ["10.100.0.0/24"];
           endpoint = "mothership.aciceri.dev:51820";
-
           persistentKeepalive = 25;
         }
       ];
diff --git a/modules/wireguard-server/default.nix b/modules/wireguard-server/default.nix
index 9606c5c..23426ad 100644
--- a/modules/wireguard-server/default.nix
+++ b/modules/wireguard-server/default.nix
@@ -30,9 +30,13 @@
         {
           # thinkpad
           publicKey = "g8wId6Rl0olRFRtAnQ046ihPRYFCtMxOJ+/Z9ARwIxI=";
-          # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
           allowedIPs = ["10.100.0.2/32"];
         }
+        {
+          # oneplus6t
+          publicKey = "O6/tKaA8Hs7OEqi15hV4RwviR6vyCTMYv6ZlhsI+tnI=";
+          allowedIPs = ["10.100.0.3/32"];
+        }
       ];
     };
   };
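Review bot: The deleted comment on `listenPort` was the only record of why `allowedUDPPorts = [51820]` has to match it, and the new code keeps both values without saying so; a one-line note above `listenPort`, e.g. `# pinned so the firewall rule above matches; otherwise wg picks a random port`, keeps that coupling visible. With `persistentKeepalive = 25` and a fixed `endpoint` this side initiates the handshakes, so the inbound UDP rule is probably not needed for the tunnel to work — if it is only kept out of habit, dropping it removes one open port from a roaming host, but confirm before changing it. The new `ips` expression makes evaluation fail with an attribute-missing error when the host is absent from `lib.ips`, which is the right fail-closed behaviour and worth a comment, e.g. `# address comes from the fleet-wide map; an unknown host fails evaluation on purpose`. The `wg0` attribute set and the module close after the hunk's last visible line.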
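Review bot: The new `oneplus6t` peer hard-codes `allowedIPs = ["10.100.0.3/32"]` while the client module in this same commit now derives each host's address from `(import "${fleetFlake}/lib").ips`, so the two sides can silently drift apart when the map changes; if `fleetFlake` is also passed to this module, `allowedIPs = ["${(import "${fleetFlake}/lib").ips.oneplus6t}/32"];` (and likewise for `thinkpad`) keeps one source of truth. The `/32` per peer is the right choice and should stay — it bounds the source address WireGuard accepts from that key to exactly one — so the deleted explanatory comment should return in one line above the `peers` list, e.g. `# one /32 per peer: packets from this key are only accepted with that source address`. Whether this `peers` list sits inside a function that has `fleetFlake` in scope is not visible in the hunk; its enclosing block starts before the first visible line.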