feature: add wireguard

2025-11-23 19:18:11 +01:00 · 2025-11-23 19:18:11 +01:00 · b0c9f649b3
commit b0c9f649b3
parent a6931fbc4c
3 changed files with 39 additions and 1 deletions
--- a/hosts/physique/hyponix/services/wireguard.nix
+++ b/hosts/physique/hyponix/services/wireguard.nix
@ -0,0 +1,37 @@
+{config, ...}:
+let
+  listenPort = 53141;
+in
+{
+  networking.firewall.allowedUDPPorts = [ listenPort ];
+
+  age.secrets.wg-key-hyponix = {
+    file = "../../../../secrets/services/wireguard/wg-key-hyponix.age";
+  };
+  
+  networking.wireguard = {
+    enable = true;
+    interfaces = {
+      wg0 = {
+        ips = ["10.100.10.2/24" "fd00::2/7"];
+
+        listenPort = listenPort;
+
+        privateKeyFile = config.age.secrets.wg-key-hyponix.path;
+
+        peers = [
+          {
+            name = "pixos";
+            publicKey = "kaPe5pz2NTW9yMSy92wCV6WQF/sDYK6hHf8e9yN1ZlY=";
+            allowedIPs = [
+              "fd00::1/128"
+              "10.100.0.1/32"
+            ];
+            endpoint = "pixos.bytestall.info:${listenPort}";
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
+  };
+}