playbook
25
docs/playbooks/add-wireguard-peer.md
Normal file
@@ -0,0 +1,25 @@
# Playbook: Add WireGuard Peer (Friend or Guest)
## When to use
- Adding a new WireGuard peer in the friends (10.8.0.0/24) or guests (10.9.0.0/24) subnet.
- Updating firewall rules to allow access to specific ports for that peer.
## Inputs
- Peer name (e.g., `friend5`, `guest2`)
- Peer public key (WireGuard)
- Peer IP address (e.g., `10.8.0.6` or `10.9.0.3`)
- Access scope (ports/services the peer should reach)
## Steps
1. Add the peer IP to `my.ips` in `modules/modules.nix`.
2. Add the peer to the VPS WireGuard peers list in `modules/services/wireguard.nix`.
3. If the peer is a guest/friend, ensure `allowedIPs` includes the relevant subnets in `hosts/server/configuration.nix`.
4. Add or adjust VPS firewall rules in `hosts/vps/configuration.nix` (`networking.firewall.extraForwardRules`) to allow the requested ports.
5. Rebuild both hosts:
- `nixos-rebuild switch --flake .#vps`
- `nixos-rebuild switch --flake .#server`
## Verification
- On VPS: `sudo wg show`
- On VPS: `sudo nft list ruleset | rg -n "<peer ip>|<port>"`
- From peer: confirm access to allowed endpoints (HTTP/TCP/ICMP as defined).
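Review bot: Step 4 says to "allow the requested ports" but never says how the rule is scoped, even though the Inputs section collects a per-peer IP and a per-peer access scope; suggest stating that each `networking.firewall.extraForwardRules` entry matches both the peer's source address and the destination port (for example `ip saddr 10.9.0.3 tcp dport 8080 accept`, using the sample IP from Inputs), so a guest in 10.9.0.0/24 cannot reach ports that were granted to a different peer, and that the `nft list ruleset | rg` check under Verification is expected to show that combined saddr/dport rule rather than just the port number. Step 3's condition "If the peer is a guest/friend" is always true for a playbook titled "Friend or Guest", and it does not name which `allowedIPs` (whose peer entry in `hosts/server/configuration.nix`) should carry the subnets; drop the condition and give the full option path. Two smaller gaps: the steps never say what to do with the collected peer public key beyond "add the peer to the peers list", so spell out that it goes into the new `peers` entry together with the assigned IP as its `allowedIPs`, and there is no step for handing the peer its own client config (VPS endpoint, VPS public key, assigned address), nor a rollback line (`nixos-rebuild switch --rollback`) for when the rebuild in step 5 breaks the tunnel.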