Wireguard

1 files changed, 48 insertions, 0 deletions

diff --git a/hosts/kataja/default.nix b/hosts/kataja/default.nix
index d7be404..d04128f 100644
--- a/hosts/kataja/default.nix
+++ b/hosts/kataja/default.nix
@@ -122,5 +122,53 @@
     bluetooth.settings.General.Name = "kataja";
   };
 
+  age.secrets.wg_relesoft = {
+    file = ../../secrets/wg_relesoft_kataja.age;
+    group = "systemd-network";
+    mode = "0640";
+  };
+
+  systemd.network.netdevs."90-wg-relesoft" = {
+    netdevConfig = {
+      Name = "wg-relesoft";
+      Kind = "wireguard";
+    };
+    wireguardConfig = {
+      PrivateKeyFile = config.age.secrets.wg_relesoft.path;
+    };
+    wireguardPeers = [
+      {
+        PublicKey = "B5QK7rl8sAXPu2upKhondWSt49qMOqTG/hDjwqY3cDs=";
+        Endpoint = "65.21.238.221:51194";
+        AllowedIPs = [
+          "10.200.200.0/24"
+          "fdc9:281f:4d7:9ee9::/64"
+          "2a01:4f9:6a:4e26::/64"
+        ];
+        PersistentKeepalive = 25;
+      }
+    ];
+  };
+
+  systemd.network.networks."90-wg-relesoft" = {
+    matchConfig.Name = "wg-relesoft";
+    address = [
+      "10.200.200.12/24"
+      "fdc9:281f:4d7:9ee9::12/128"
+      "2a01:4f9:6a:4e26::12/128"
+    ];
+    networkConfig = {
+      IPv4Forwarding = true;
+      IPv6Forwarding = true;
+      IPv6AcceptRA = false;
+    };
+    routes = [
+      { Destination = "10.200.200.0/24"; }
+      { Destination = "fdc9:281f:4d7:9ee9::/64"; }
+      { Destination = "2a01:4f9:6a:4e26::/64"; }
+    ];
+    linkConfig.MTUBytes = "1420";
+  };
+
   system.stateVersion = "25.11";
 }