diff --git a/hosts/quitte/network.nix b/hosts/quitte/network.nix
index f4635ce..2b97ee3 100644
--- a/hosts/quitte/network.nix
+++ b/hosts/quitte/network.nix
@@ -1,6 +1,8 @@
 { config, lib, ... }: {
- sops.secrets."wg-ese" = { };
+ sops.secrets."wg-ese" = {
+ owner = config.users.users.systemd-network.name;
+ };
 networking = {
 # portunus module does weird things to this, so we force it to some sane values
 hosts = {
@@ -16,6 +18,7 @@
 firewall = {
 logRefusedConnections = false;
+ allowedUDPPorts = [ 10000 ];
 };
 };
@@ -44,36 +47,35 @@
 EmitLLDP = "nearest-bridge";
 };
 };
- };
- netdevs."30-wireguard-ese" = {
- netdevConfig = {
- Kind = "wireguard";
- Name = "wg0";
+ netdevs."30-wireguard-ese" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "wg0";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets."wg-ese".path;
+ ListenPort = 10000;
+ RouteTable = "main";
+ RouteMetric = 30;
+ };
+ wireguardPeers = [
+
+ {
+ wireguardPeerConfig = {
+
+ PublicKey = "gTWcZ8dAb735kY0vs/LwnBdap5J6+eeHAsLXCu+C52M=";
+ AllowedIPs = "10.20.24.2/24";
+ };
+ }
+ ];
 };
- wireguardConfig = {
- PrivateKeyFile = config.sops.secrets."wg-ese".path;
- ListenPort = 10000;
- RouteTable = "main";
- RouteMetric = 30;
+ networks."30-wireguard-ese" = {
+ matchConfig.Name = "wg0";
+ address = [ "10.20.24.1/24" ];
+ # networkConfig = {
+ # DNSSEC = false;
+ # BindCarrier = [ "ens3" ];
+ # };
 };
- wireguardPeers = [
- {
- PublicKey = "";
- AllowedIPs = "0.0.0.0/0";
- }
- ];
- };
- networks."30-wireguard-ese" = {
- matchConfig.Name = "wg0";
- addresses = [
- {
- Address = "10.20.24.1/24";
- # AddPrefixRoute = false;
- }
- ];
- # networkConfig = {
- # DNSSEC = false;
- # BindCarrier = [ "ens3" ];
- # };
 };
 }
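Review bot: Setting `owner` on `sops.secrets."wg-ese"` makes the private key readable by the systemd-network user that networkd runs as, but nothing in this hunk ties a re-decrypted key to the daemon, so a rotated key in sops would sit on disk until networkd is restarted by other means. If this configuration uses sops-nix's per-secret `restartUnits` elsewhere, adding `restartUnits = [ "systemd-networkd.service" ];` here keeps the running tunnel in step with the secret; whether networkd re-reads `PrivateKeyFile` on a plain reload is not something I can confirm from this page, so a restart is the safer binding. The sops-nix default file mode is left in place, which is appropriate for a private key.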
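Review bot: The literal `10000` in `allowedUDPPorts = [ 10000 ];` is the same port as `ListenPort = 10000;` in the netdev hunk further down, and the two can silently drift apart, leaving the tunnel either unreachable or the firewall opened on a port nothing listens on. Bind it once, e.g. `let wgPort = 10000; in` at the top of the module, then `allowedUDPPorts = [ wgPort ];` and `ListenPort = wgPort;`. A short comment such as `# WireGuard listen port for wg0 (see systemd.network.netdevs."30-wireguard-ese")` next to the firewall entry would also explain why an inbound UDP port is opened on a host whose firewall otherwise exposes nothing in this file.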
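Review bot: `AllowedIPs = "10.20.24.2/24";` in the new peer entry is a host address with a /24 mask, which WireGuard treats as the whole 10.20.24.0/24 prefix; that lets this single peer source packets as any address in the subnet, including this host's own 10.20.24.1, and any second peer added later would collide on the same prefix with last-writer-wins semantics. If the peer is meant to be one host at 10.20.24.2 the cryptokey-routing entry should be `AllowedIPs = "10.20.24.2/32";`, and the host keeps its /24 on-link route from `address = [ "10.20.24.1/24" ]` in the network unit. The two empty `+` lines inside `wireguardPeers` and `wireguardPeerConfig` look like leftovers and should be dropped, and the commented-out `networkConfig` block carried over from the old version is dead text that would be clearer as a one-line note or removed. The enclosing `systemd.network` attribute set begins before this hunk, so I cannot see whether `networks."30-wireguard-ese"` now sits at the intended nesting level.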