modified: hosts/server/configuration.nix

2025-12-18 10:51:11 +10:00
parent 38c55c3de2
commit bc5be541c3
1 changed files with 29 additions and 0 deletions
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -84,6 +84,35 @@ systemd.timers.backup = {
  };
 };

+  networking.wireguard.interfaces.wg0 = {
+    ips = [ "10.100.0.254/24" ];
+    listenPort = 51820;
+    privateKeyFile = "/etc/wireguard/server.key";
+
+    peers = [
+      {
+        publicKey = "cA30PTE/2gMbIhtAXaRPJkQeDc7/UWoA6eK3K+Xpsww=";
+        allowedIPs = [ "10.100.0.2/32" ];
+      }
+    ];
+  };
+
+  # Allow WireGuard UDP port in firewall
+  networking.firewall.allowedUDPPorts = [ 51820 ];
+
+  # Enable IPv4 forwarding
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1;
+  };
+
+  # NAT: lets LAN devices reply to the Pi without needing routes on the LAN router
+  networking.nat = {
+    enable = true;
+    externalInterface = "ens18";
+    internalInterfaces = [ "wg0" ];
+  };
+
+
  services.openssh.settings.PermitRootLogin = "yes";
  # Open ports in the firewall.
  networking.firewall.allowedTCPPorts = [ 2049 ];