feat: add wireguard

Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
2025-09-10 01:00:30 +02:00 · 2025-09-10 01:00:30 +02:00 · 42ed02f151
commit 42ed02f151
parent 55293bdb59
3 changed files with 68 additions and 1 deletions
--- a/hosts/hosting-02/default.nix
+++ b/hosts/hosting-02/default.nix
@ -1,4 +1,4 @@
-{ ... }:
+{ config, ... }:
 {
  imports = [
    ./disk-config.nix
@ -24,6 +24,39 @@
    "2a01:4f8:c013:7fc0::/64"
  ];

+  networking.wireguard = {
+    enable = true;
+
+    interfaces.wg0 = {
+      ips = [
+        "10.64.244.95/32"
+        "fc00:bbbb:bbbb:bb01::1:f45e/128"
+      ];
+
+      peers = [
+        {
+          publicKey = "KkShcqgwbkX2A9n1hhST6qu+m3ldxdJ2Lx8Eiw6mdXw=";
+          allowedIPs = [
+            "0.0.0.0/0"
+            "::0/0"
+          ];
+          endpoint = "146.70.117.226:51820";
+          persistentKeepalive = 25;
+        }
+      ];
+
+      listenPort = 51820;
+      privateKeyFile = config.sops.secrets.wireguardKey.path;
+    };
+  };
+
+  sops.secrets = {
+    wireguardKey = {
+      owner = "root";
+      sopsFile = ./secrets.yaml;
+    };
+  };
+
  security.acme.defaults.email = "landervandenbulcke@gmail.com";
  security.acme.acceptTerms = true;