new wireguard connections

docs/playbooks/add-wireguard-peer.md

@@ -0,0 +1,25 @@
+# Playbook: Add WireGuard Peer (Friend or Guest)
+
+## When to use
+- Adding a new WireGuard peer in the friends (10.8.0.0/24) or guests (10.9.0.0/24) subnet.
+- Updating firewall rules to allow access to specific ports for that peer.
+
+## Inputs
+- Peer name (e.g., `friend5`, `guest2`)
+- Peer public key (WireGuard)
+- Peer IP address (e.g., `10.8.0.6` or `10.9.0.3`)
+- Access scope (ports/services the peer should reach)
+
+## Steps
+1. Add the peer IP to `my.ips` in `modules/modules.nix`.
+2. Add the peer to the VPS WireGuard peers list in `modules/services/wireguard.nix`.
+3. If the peer is a guest/friend, ensure `allowedIPs` includes the relevant subnets in `hosts/server/configuration.nix`.
+4. Add or adjust VPS firewall rules in `hosts/vps/configuration.nix` (`networking.firewall.extraForwardRules`) to allow the requested ports.
+5. Rebuild both hosts:
+   - `nixos-rebuild switch --flake .#vps`
+   - `nixos-rebuild switch --flake .#server`
+
+## Verification
+- On VPS: `sudo wg show`
+- On VPS: `sudo nft list ruleset | rg -n "<peer ip>|<port>"`
+- From peer: confirm access to allowed endpoints (HTTP/TCP/ICMP as defined).

hosts/vps/configuration.nix

@@ -12,6 +12,7 @@ let
     homeServer = config.my.ips.wg-server;
     wgFriend1 = config.my.ips.wg-friend1;
     wgGuest1 = config.my.ips.wg-guest1;
+    wgGuest2 = config.my.ips.wg-guest2;
   };
   subnets = {
     wgFriends = config.my.subnets.wg-friends;
@@ -102,6 +103,7 @@ in
         iifname "${wgInterface}" ip saddr ${subnets.wgFriends} ip daddr ${ips.homeServer}/32 icmp type echo-request accept
         iifname "${wgInterface}" ip saddr ${ips.wgFriend1}/32 ip daddr ${ips.homeServer}/32 tcp dport ${portsStr.stash} accept
         iifname "${wgInterface}" ip saddr ${ips.wgGuest1}/32 ip daddr ${ips.homeServer}/32 tcp dport ${portsStr.stash} accept
+        iifname "${wgInterface}" ip saddr ${ips.wgGuest2}/32 ip daddr ${ips.homeServer}/32 tcp dport ${portsStr.stash} accept
         iifname "${wgInterface}" ip saddr ${subnets.wgGuests} ip daddr ${ips.homeServer}/32 icmp type echo-request accept
 
         iifname "${wgInterface}" ip saddr ${subnets.wgFriends} oifname "${externalInterface}" accept

modules/modules.nix

@@ -53,11 +53,15 @@ in
         vps = "45.79.25.87";
         wg-vps = "10.77.0.1";
         wg-server = "10.77.0.2";
+        wg-galaxy = "10.77.0.3";
+        wg-phone = "10.77.0.4";
         wg-guest1 = "10.9.0.2";
+        wg-guest2 = "10.9.0.3";
         wg-friend1 = "10.8.0.2";
         wg-friend2 = "10.8.0.3";
         wg-friend3 = "10.8.0.4";
         wg-friend4 = "10.8.0.5";
+        wg-friend5 = "10.8.0.6";
       };
       description = "Set of IP's for all my computers.";
     };

modules/services/wireguard.nix

@@ -43,6 +43,22 @@ in
             publicKey = "yg+2miZCrx89znFaUlU/le/7UIPgEAMY74fZfEwz8g4=";
             allowedIPs = [ "${config.my.ips.wg-friend4}/32" ];
           }
+          {
+            publicKey = "u4/6ZYO7lUJZ9QmSlFPUaadq25gwDljjhsfgs/p2amc=";
+            allowedIPs = [ "${config.my.ips.wg-friend5}/32" ];
+          }
+          {
+            publicKey = "NvhUnErIb0/hi+Hui/o5l5Pq4ZysFVIn1VBPsjoTeCk=";
+            allowedIPs = [ "${config.my.ips.wg-guest2}/32" ];
+          }
+          {
+            publicKey = "BwN4uCkMd6eAS5Ugld0oXnA16IhgEEQF8mOJ3+vHliA=";
+            allowedIPs = [ "${config.my.ips.wg-galaxy}/32" ];
+          }
+          {
+            publicKey = "R1xUFOuboQf/yy8ShiXqoCPaPcH3Cn0n4PAWB2rgHTs=";
+            allowedIPs = [ "${config.my.ips.wg-phone}/32" ];
+          }
         ];
       };
     };