declared network.nix

docs/playbooks/add-secret.md

@@ -8,7 +8,8 @@
   1. Choose the correct secrets file from the map in `docs/constitution.md` and add the entry there (YAML, encrypted via sops-nix).
   2. If a private key or file path is required, specify `owner`, `group`, and target path consistent with the consuming module.
   3. In the consuming module, reference the secret under `config.sops.secrets.<name>` and guard with `lib.mkIf config.my.secureHost`.
-  4. For WireGuard entries, update `secrets/wireguard.yaml` and corresponding interface configuration under the target host.
+  4. For WireGuard entries, update `secrets/wireguard.yaml` and the
+     corresponding host-local network configuration under the target host.
   5. Avoid adding secrets for hosts with `secureHost = false`; instead route the workload to a secure host or skip enablement.
 - Validation:
   - Secret lives in the correct file and encrypts with SOPS; file ownership matches service user where applicable.

docs/playbooks/add-wireguard-peer.md

@@ -13,8 +13,8 @@
 ## Steps
 1. Add the peer IP to `my.ips` in `modules/modules.nix`.
 2. Add the peer to the VPS WireGuard peers list in `modules/services/wireguard.nix`.
-3. If the peer is a guest/friend, ensure `allowedIPs` includes the relevant subnets in `hosts/server/configuration.nix`.
-4. Add or adjust VPS firewall rules in `hosts/vps/configuration.nix` (`networking.firewall.extraForwardRules`) to allow the requested ports.
+3. If the peer is a guest/friend, ensure `allowedIPs` includes the relevant subnets in `hosts/server/network.nix`.
+4. Add or adjust VPS networking rules in `hosts/vps/network.nix` (`networking.firewall.extraForwardRules`) to allow the requested ports.
 5. Rebuild both hosts:
    - `nixos-rebuild switch --flake .#vps`
    - `nixos-rebuild switch --flake .#server`