From 9707edf2dea4b271bd3e54fa980934fb58bb455e Mon Sep 17 00:00:00 2001
From: teutat3s <teutates@mailbox.org>
Date: Thu, 6 Jun 2024 12:54:31 +0200
Subject: [PATCH] docs: add example for wireguard client config

---
 docs/administrative-access.md | 49 +++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)

diff --git a/docs/administrative-access.md b/docs/administrative-access.md
index 55bd5ed..2257fe0 100644
--- a/docs/administrative-access.md
+++ b/docs/administrative-access.md
@@ -30,6 +30,55 @@ SSH is not reachable from the open internet. Instead, SSH Port 22 is protected b
 1. **SSH Public key**: self-explanatory. Add your public key to your user attrset under `sshPubKeys`.
 2. **Wireguard device**: each wireguard device has two parts: the public key and the IP addresses it should have in the wireguard network. The pub.solar wireguard network is spaced under `10.7.6.0/24` and `fd00:fae:fae:fae:fae::/80`. To add your device, it's best to choose a free number between 200 and 255 and use that in both the ipv4 and ipv6 ranges: `10.7.6.<ip-address>/32` `fd00:fae:fae:fae:fae:<ip-address>::/96`. For more information on how to generate keypairs, see [the NixOS Wireguard docs](https://nixos.wiki/wiki/WireGuard#Generate_keypair).
 
+Example NixOS snippet for WireGuard client config
+```
+{
+  networking = {
+    wireguard.enable = true;
+    wg-quick.interfaces = {
+      wg-pub-solar = {
+        address = ["10.7.6.201/32"];
+        address = ["10.7.6.201/32" "fd00:fae:fae:fae:fae:201::/96"];
+        privateKeyFile = "/etc/wireguard/wg-pub-solar.privatekey";
+
+        peers = [
+          { # nachtigall.pub.solar
+            publicKey = "qzNywKY9RvqTnDO8eLik75/SHveaSk9OObilDzv+xkk=";
+            allowedIPs = [ "10.7.6.1/32" "fd00:fae:fae:fae:fae:1::/96" ];
+            endpoint = "[2a01:4f8:172:1c25::1]:51820";
+            # Use this endpoint in IPv4 only networks
+            #endpoint = "138.201.80.102:51820";
+            persistentKeepalive = 15;
+          }
+          { # flora-6.pub.solar
+            publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
+            allowedIPs = [ "10.7.6.2/32" "fd00:fae:fae:fae:fae:2::/96" ];
+            endpoint = "80.71.153.210:51820";
+            persistentKeepalive = 15;
+          }
+          { # metronom.pub.solar
+            publicKey = "zOSYGO7MfnOOUnzaTcWiKRQM0qqxR3JQrwx/gtEtHmo=";
+            allowedIPs = [ "10.7.6.3/32" "fd00:fae:fae:fae:fae:3::/96" ];
+            #endpoint = "[2a01:4f8:c2c:7082::]:51820";
+            # Use this endpoint in IPv4 only networks
+            endpoint = "49.13.236.167:51820";
+            persistentKeepalive = 15;
+          }
+          { # tankstelle.pub.solar
+            publicKey = "iRTlY1lB7nPXf2eXzX8ZZDkfMmXyGjff5/joccbP8Cg=";
+            allowedIPs = [ "10.7.6.4/32" "fd00:fae:fae:fae:fae:4::/96" ];
+            endpoint = "[2001:4d88:1ffa:26::5]:51820";
+            # Use this endpoint in IPv4 only networks
+            #endpoint = "80.244.242.5:51820";
+            persistentKeepalive = 15;
+          }
+        ];
+      };
+    };
+  };
+}
+```
+
 # Secret encryption
 
 Deployment secrets are added to the repository in encrypted files. To be able to work with these encrypted files, your public key(s) will have to be added to your user attrset under `secretEncryptionKeys`.