NixOS/docs/playbooks/add-wireguard-peer.md
Danilo Reyes a8dda9d32d playbook
2026-02-06 19:18:37 -06:00


Playbook: Add WireGuard Peer (Friend or Guest)

When to use

  • Adding a new WireGuard peer in the friends (10.8.0.0/24) or guests (10.9.0.0/24) subnet.
  • Updating firewall rules to allow access to specific ports for that peer.

Inputs

  • Peer name (e.g., friend5, guest2)
  • Peer public key (WireGuard)
  • Peer IP address (e.g., 10.8.0.6 or 10.9.0.3)
  • Access scope (ports/services the peer should reach)

Steps

  1. Add the peer IP to my.ips in modules/modules.nix.
  2. Add the peer to the VPS WireGuard peers list in modules/services/wireguard.nix.
  3. In hosts/server/configuration.nix, make sure the server host's allowedIPs for the VPS peer includes the peer's subnet (10.8.0.0/24 for friends, 10.9.0.0/24 for guests); otherwise replies to the peer are not routed back into the tunnel.
  4. Add or adjust VPS firewall rules in hosts/vps/configuration.nix (networking.firewall.extraForwardRules) to allow only the requested ports, matched on the peer's own IP rather than the whole subnet. Anything not listed stays dropped by the forward chain's default policy.
  5. Rebuild both hosts:
    • nixos-rebuild switch --flake .#vps
    • nixos-rebuild switch --flake .#server
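Worked example of steps 1, 2 and 4 for one friend peer, written as a single Nix module fragment. This is an added illustration, not the repo's own configuration: it assumes the VPS WireGuard interface is named wg0, that my.ips is an attrset of peer name to address (check modules/modules.nix; that shape is an assumption here), and that the service being opened is a home server listening on 10.0.0.10:8096 (hypothetical address and port). The public key is a placeholder, not a real key.

```nix
# Added example, not the repo's own config. Assumptions: interface wg0,
# my.ips is name -> address, target service at 10.0.0.10:8096 (hypothetical),
# and the public key below is a placeholder to be replaced.
{ ... }:
let
  friend5 = {
    name = "friend5";
    ip = "10.8.0.6";
    publicKey = "REPLACE_WITH_PEER_PUBLIC_KEY=";
  };
in
{
  # Step 1: make the peer address known to the rest of the config
  # (shape of my.ips is an assumption; see modules/modules.nix).
  my.ips.${friend5.name} = friend5.ip;

  # Step 2: register the peer on the VPS WireGuard interface.
  # allowedIPs is WireGuard's cryptokey routing table: keep it to the peer's
  # single /32 so this key can only send traffic as 10.8.0.6. Listing the whole
  # 10.8.0.0/24 here would let this peer source packets as any other friend.
  networking.wireguard.interfaces.wg0.peers = [
    {
      publicKey = friend5.publicKey;
      allowedIPs = [ "${friend5.ip}/32" ];
      # No endpoint: the peer dials in to the VPS, the VPS never initiates.
    }
  ];

  # Step 4: forward only what this peer was granted.
  # extraForwardRules is appended to the nftables forward chain, so it needs
  # the nftables backend and filterForward; with filterForward the forward
  # chain has policy drop, so every flow not matched below is blocked.
  networking.nftables.enable = true;
  networking.firewall.filterForward = true;
  networking.firewall.extraForwardRules = ''
    # friend5 -> the one TCP service it was granted (hypothetical 10.0.0.10:8096)
    ip saddr ${friend5.ip} ip daddr 10.0.0.10 tcp dport 8096 accept
    # friend5 may ping that host, nothing else
    ip saddr ${friend5.ip} ip daddr 10.0.0.10 icmp type echo-request accept
  '';
}
```

Step 3 is not in this fragment because it belongs to the other host: in hosts/server/configuration.nix the server's peer entry for the VPS must carry 10.8.0.0/24 in its allowedIPs, or the server has no route for replies to 10.8.0.6. Setting networking.nftables.enable and filterForward again here is harmless if the VPS config already sets them to the same values; they are included so the fragment is complete on its own.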

Verification

  • On VPS: sudo wg show. The peer's public key should be listed with the expected allowed ips; once the peer has connected, its "latest handshake" should be recent (within a couple of minutes while traffic is flowing). No handshake at all usually means a wrong key on one side.
  • On VPS: sudo nft list ruleset | rg -n "<peer ip>|<port>". The new forward rules must appear in the live ruleset, not just in the Nix source.
  • From peer: confirm access to allowed endpoints (HTTP/TCP/ICMP as defined), and confirm that a port outside the granted scope is refused or times out.