From bc5be541c32eac6ea577082894673e7727da9c31 Mon Sep 17 00:00:00 2001
From: beatzaplenty
Date: Thu, 18 Dec 2025 10:51:11 +1000
Subject: [PATCH] modified: hosts/server/configuration.nix
---
 hosts/server/configuration.nix | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index de59d15..f27e170 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -84,6 +84,35 @@ systemd.timers.backup = {
 };
 };
+ networking.wireguard.interfaces.wg0 = {
+ ips = [ "10.100.0.254/24" ];
+ listenPort = 51820;
+ privateKeyFile = "/etc/wireguard/server.key";
+
+ peers = [
+ {
+ publicKey = "cA30PTE/2gMbIhtAXaRPJkQeDc7/UWoA6eK3K+Xpsww=";
+ allowedIPs = [ "10.100.0.2/32" ];
+ }
+ ];
+ };
+
+ # Allow WireGuard UDP port in firewall
+ networking.firewall.allowedUDPPorts = [ 51820 ];
+
+ # Enable IPv4 forwarding
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = 1;
+ };
+
+ # NAT: lets LAN devices reply to the Pi without needing routes on the LAN router
+ networking.nat = {
+ enable = true;
+ externalInterface = "ens18";
+ internalInterfaces = [ "wg0" ];
+ };
+
+ services.openssh.settings.PermitRootLogin = "yes";
 # Open ports in the firewall.
 networking.firewall.allowedTCPPorts = [ 2049 ];
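Review bot: `services.openssh.settings.PermitRootLogin = "yes";` at the end of the hunk enables direct root SSH login in the same commit that opens a WireGuard listener and turns on IPv4 forwarding plus NAT, so every wg0 peer (and anything that can reach port 22 on ens18) now faces a root login surface, with password authentication too if that is permitted elsewhere in the file. It is unrelated to the tunnel change and should be dropped, or at most set to `"prohibit-password"` so only key-based root login is accepted. The `networking.nat` block with `internalInterfaces = [ "wg0" ]` gives the single peer `10.100.0.2/32` NAT'd reach into the whole LAN behind ens18; a comment stating that this full-LAN reach is intended would help, and the existing comment `# NAT: lets LAN devices reply to the Pi ...` appears to describe a different host than the `ens18` interface named here, so it is worth re-checking. `privateKeyFile = "/etc/wireguard/server.key"` is not created by this configuration, so the file's existence and root-only 0600 permissions are a deployment-time check that deserves a comment on that line.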