# Playbook: Add WireGuard Peer (Friend or Guest)

## When to use

- Adding a new WireGuard peer in the friends (10.8.0.0/24) or guests (10.9.0.0/24) subnet.
- Opening VPS forward rules so that peer can reach specific ports/services, and nothing else.

## Inputs

- Peer name (e.g., `friend5`, `guest2`)
- Peer public key (WireGuard). Only the public key is needed; the peer generates the key pair on their own device and the private key never leaves it. Never ask for it.
- Peer IP address (e.g., `10.8.0.6` or `10.9.0.3`): one unused address in the matching subnet, assigned as a `/32`.
- Access scope (ports/services the peer should reach). List each port explicitly; nothing else gets opened.

## Steps

1. Add the peer IP to `my.ips` in `modules/modules.nix`.
2. Add the peer to the VPS WireGuard peers list in `modules/services/wireguard.nix`, with `allowedIPs` set to the peer's single address as a `/32`. On the VPS side `allowedIPs` is also a source filter (cryptokey routing): packets arriving under that key with any other source address are dropped, so a wider prefix would let the key send traffic as any address in the range.
3. If the peer is a guest/friend, ensure the VPS peer entry in `hosts/server/configuration.nix` has `allowedIPs` covering the relevant subnets (10.8.0.0/24 and/or 10.9.0.0/24) so replies to the peer are routed back into the tunnel. This is routing, not an access grant; step 4 is what limits what the peer can reach.
4. Add or adjust VPS firewall rules in `hosts/vps/configuration.nix` (`networking.firewall.extraForwardRules`) to allow only the requested ports, matched on the peer's own source address rather than the whole subnet. These rules are only applied by the nftables-based firewall and only when `networking.firewall.filterForward = true`; without that, the forward hook is not filtered and the rules are ignored.
5. Rebuild both hosts:
   - `nixos-rebuild switch --flake .#vps`
   - `nixos-rebuild switch --flake .#server`
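The VPS side of steps 1, 2 and 4 written out as one Nix module. This is an added example, not a module from this repository. It assumes the VPS WireGuard interface is named `wg0`, that `my.ips` is an attribute set mapping a peer name to an address string (the real option's shape may differ), that the host behind the VPS is reachable at `10.8.0.2` through the same tunnel, and that the requested scope is HTTP/HTTPS plus ping on that host; the public key is a placeholder.

```nix
# Added example, not the repo's own module. Assumed: interface `wg0`,
# `my.ips` is an attrset of name -> address (shape assumed), the backend
# server sits at 10.8.0.2 on the same tunnel, and ports 80/443 + ping
# are the requested scope for this peer.
{ ... }:

let
  peerName = "friend5";
  peerIp   = "10.8.0.6";   # one unused address in the friends subnet
  serverIp = "10.8.0.2";   # assumed address of the host behind the VPS
in
{
  # Step 1 (modules/modules.nix): register the address under the peer's name.
  my.ips.${peerName} = peerIp;

  # Step 2 (modules/services/wireguard.nix): the VPS-side peer entry.
  # Lists merge with whatever the existing module already declares.
  networking.wireguard.interfaces.wg0.peers = [
    {
      # Only the peer's public key is needed; the private key stays on the peer.
      publicKey = "REPLACE_WITH_PEER_PUBLIC_KEY";   # placeholder, not a real key

      # On the VPS, allowedIPs is both a route and a source filter (cryptokey
      # routing): packets arriving under this key with any other source
      # address are dropped, so one compromised peer cannot impersonate another.
      allowedIPs = [ "${peerIp}/32" ];

      # Weak setting to avoid: allowedIPs = [ "10.8.0.0/24" ]; would let this
      # key send traffic as every friend address and bypass per-peer rules.
    }
  ];

  # Step 4 (hosts/vps/configuration.nix): forward only what was requested,
  # matched on the peer's own source address, never on the whole subnet.
  networking.nftables.enable = true;
  # Required: extraForwardRules is only applied when forward filtering is on.
  networking.firewall.filterForward = true;
  networking.firewall.extraForwardRules = ''
    ip saddr ${peerIp} ip daddr ${serverIp} tcp dport { 80, 443 } accept
    ip saddr ${peerIp} ip daddr ${serverIp} icmp type echo-request accept
  '';
}
```

Step 3 lives on the other host and is deliberately not in this module: in `hosts/server/configuration.nix` the VPS peer's `allowedIPs` must contain `10.8.0.0/24` and `10.9.0.0/24` so the server routes its replies to friends and guests back into the tunnel. That entry grants no access by itself; the forward rules above on the VPS are the only thing deciding which ports each peer reaches, which is why every rule is keyed on `ip saddr ${peerIp}` and not on the subnet.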

## Verification

- On VPS: `sudo wg show`. The new peer should appear with `allowed ips: <peer ip>/32` (exactly one `/32`, nothing wider) and, once the peer has connected, a recent `latest handshake`.
- On VPS: `sudo nft list ruleset | rg -n "<peer ip>|<port>"`. Expect one `accept` rule per requested port under the forward hook, each matching the peer's source address.
- From peer: confirm access to allowed endpoints (HTTP/TCP/ICMP as defined).
- From peer: also confirm that a port outside the agreed scope is refused or times out, so the rules are actually restricting traffic rather than the service merely being up.