# Playbook: Add WireGuard Peer (Friend or Guest)

## When to use

- Adding a new WireGuard peer in the friends (10.8.0.0/24) or guests (10.9.0.0/24) subnet.
- Updating firewall rules to allow access to specific ports for that peer.

## Inputs

- Peer name (e.g., `friend5`, `guest2`)
- Peer public key (WireGuard)
- Peer IP address (e.g., `10.8.0.6` or `10.9.0.3`)
- Access scope (ports/services the peer should reach)

## Steps

1. Add the peer IP to `my.ips` in `modules/modules.nix`.
2. Add the peer to the VPS WireGuard peers list in `modules/services/wireguard.nix`.
3. If the peer is a guest/friend, ensure `allowedIPs` includes the relevant subnets in `hosts/server/configuration.nix`.
4. Add or adjust VPS firewall rules in `hosts/vps/configuration.nix` (`networking.firewall.extraForwardRules`) to allow the requested ports.
5. Rebuild both hosts:
   - `nixos-rebuild switch --flake .#vps`
   - `nixos-rebuild switch --flake .#server`

## Verification

- On VPS: `sudo wg show`
- On VPS: `sudo nft list ruleset | rg -n "|"`
- From peer: confirm access to allowed endpoints (HTTP/TCP/ICMP as defined).
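The edits that steps 1, 2 and 4 describe, shown together as an added illustration rather than a file from this repository. It collapses the three files into one module so the pieces can be read side by side; a real change lands in the files named in the steps. Assumptions: `my.ips` is an attribute set of strings declared in `modules/modules.nix`, the VPS WireGuard interface is called `wg0`, the VPS firewall is the nftables-based one (`extraForwardRules` is an nftables option), and `networking.firewall.filterForward` is on so the forward chain drops anything these rules do not accept. The key value is a placeholder.

```nix
# Added example, not the repository's own configuration. Assumed names:
# my.ips (attrsOf str, declared elsewhere), interface wg0, placeholder key.
{ config, ... }:

{
  # Step 1 (modules/modules.nix): register the address once and reuse it below,
  # so the WireGuard entry and the firewall rule cannot drift apart.
  my.ips.friend5 = "10.8.0.6";

  # Step 2 (modules/services/wireguard.nix, VPS side): exactly one /32 per peer.
  # WireGuard's cryptokey routing only accepts packets from this key whose
  # source is inside allowedIPs, so a wider prefix here would let the peer
  # spoof other friends' or guests' addresses.
  networking.wireguard.interfaces.wg0.peers = [
    {
      publicKey = "<friend5-public-key-placeholder>";
      allowedIPs = [ "${config.my.ips.friend5}/32" ];
      persistentKeepalive = 25;
    }
  ];

  # Step 3 is the mirror image on the server host (hosts/server/configuration.nix):
  # the server's entry for the VPS peer must list 10.8.0.0/24 and 10.9.0.0/24 in
  # allowedIPs, otherwise replies to the new peer never leave the server.

  # Step 4 (hosts/vps/configuration.nix): forward only the requested ports from
  # this peer. With filterForward enabled (assumed) the chain policy is drop, so
  # everything not matched here is blocked rather than silently forwarded.
  networking.nftables.enable = true;
  networking.firewall.filterForward = true;
  networking.firewall.extraForwardRules = ''
    ip saddr ${config.my.ips.friend5} tcp dport { 80, 443 } accept
    ip saddr ${config.my.ips.friend5} icmp type echo-request accept
  '';
}
```

After `nixos-rebuild switch` on the VPS, `sudo wg show` should list the new public key with `allowed ips: 10.8.0.6/32`, and `sudo nft list ruleset` should show the two `ip saddr 10.8.0.6` rules inside the forward chain; a peer that can reach ports outside the requested set at that point means the chain policy is still accept and the `filterForward` assumption above does not hold.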