From 8368775f94428a6c34f76146c3f07be88f1244a2 Mon Sep 17 00:00:00 2001
From: Tim Keller
Date: Thu, 18 Jun 2026 19:59:35 -0500
Subject: poweredge add wg1 for remote connections
---
 hosts/poweredge/networking.nix | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
(limited to 'hosts/poweredge/networking.nix')
diff --git a/hosts/poweredge/networking.nix b/hosts/poweredge/networking.nix
index 8b84645..bf0aa1c 100644
--- a/hosts/poweredge/networking.nix
+++ b/hosts/poweredge/networking.nix
@@ -25,8 +25,9 @@ in { config, ... }: {
 }];
 };
- # Wireguard office tunnel secret
- sops.secrets.wg0-router.sopsFile = ./resources/secrets/wg0-router.yaml;
+ # Secrets
+ sops.secrets.router-wg0 = { sopsFile = ./resources/secrets/router.yaml; key = "wg0"; }; # Office
+ sops.secrets.router-wg1 = { sopsFile = ./resources/secrets/router.yaml; key = "wg1"; }; # Remote access
 # Router container
 containers.router = {
@@ -47,9 +48,13 @@ in { config, ... }: {
 hostAddress = "10.255.255.2";
 localAddress = "10.255.255.1";
 };
- # Bind wg0-router secret to container
+ # Bind secrets to container
 bindMounts."/run/secrets/wg0" = {
- hostPath = config.sops.secrets.wg0-router.path;
+ hostPath = config.sops.secrets.router-wg0.path;
+ isReadOnly = true;
+ };
+ bindMounts."/run/secrets/wg1" = {
+ hostPath = config.sops.secrets.router-wg1.path;
 isReadOnly = true;
 };
@@ -72,6 +77,7 @@ in { config, ... }: {
 # Setup wireguard
 wg-quick.interfaces = {
 wg0.configFile = "/run/secrets/wg0";
+ wg1.configFile = "/run/secrets/wg1";
 };
 # NAT (port-forwarding) rules
 nat.forwardPorts =[
@@ -86,6 +92,7 @@ in { config, ... }: {
 destination = "192.168.1.45:9000";
 }
 ];
+ firewall.allowedUDPPorts = [ 51820 ]; # Allow wg1 running on router host through w/o NAT
 # Additional advanced rules
 # TODO add multi NAT feature to router service (this is just a normal nat rule)
 nftables = {
-- cgit v1.2.3
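Review bot: `wg1.configFile = "/run/secrets/wg1"` hands wg-quick an opaque config, so everything that makes a remote-access listener safe — each peer's `AllowedIPs` limited to that client's own /32, an explicit `ListenPort`, no peer with a broad `AllowedIPs` that would route the router's traffic out to a client — lives in the encrypted secret and cannot be reviewed here. Unlike the office tunnel on wg0, a too-wide `AllowedIPs` on a wg1 peer lets a remote client send packets with LAN or office-tunnel source addresses, which is presumably not intended. State those expectations next to the new line so the next edit of the secret is checked against them, e.g. `# wg1 = remote-access server: secret must set ListenPort and exactly one /32 AllowedIPs per peer`. The `wg-quick.interfaces` attrset belongs to the container config, which starts and ends outside this hunk.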
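Review bot: `firewall.allowedUDPPorts = [ 51820 ]` opens the listener on every interface of the router container — the LAN side and the wg0 office tunnel included — when only the upstream side needs to accept handshakes; `firewall.interfaces.<wan>.allowedUDPPorts = [ 51820 ];` (the WAN interface name is not visible in this hunk) keeps it off the internal interfaces. The port is also a bare literal that must agree with `ListenPort` inside the encrypted wg1 config, and nothing in this file checks that; at minimum the comment should say so, e.g. `# wg1 listens here directly (no nat.forwardPorts entry); keep in sync with ListenPort in the wg1 secret`. Whether this line has any effect at all depends on `firewall.enable` in the container config, which is outside this hunk, as is the rest of the surrounding networking attrset.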