author | Kjetil Ørbekk <kj@orbekk.com> | 2017-11-24 13:24:53 -0500 |
committer | Kjetil Ørbekk <kj@orbekk.com> | 2017-11-24 13:24:53 -0500 |
commit | 8fdab961a3f5e86e700a982b073e80583ec14f75 (patch) | |
tree | 31a31cb938ee6977fb43242892ccbd8ae3507112 | |
parent | bf92021a2c4bb75af2732fc79540b3d035016cb4 (diff) |
punch some firewall holes
-rw-r--r-- | config/vpn-server.nix | 30 |
1 files changed, 18 insertions, 12 deletions
diff --git a/config/vpn-server.nix b/config/vpn-server.nix
index f2663d5..10b0c17 100644
--- a/config/vpn-server.nix
+++ b/config/vpn-server.nix
@@ -3,18 +3,24 @@
 let port = (import ../data/aliases.nix).services.wireguard.port;
 in {
- networking.wireguard = {
- interfaces = {
- wg0 = {
- ips = [ "10.35.190.1/23" ];
- privateKeyFile = "/opt/secret/wireguard/wg0.key";
- listenPort = port;
- peers = [
- {
- publicKey = "ULWhaOsAaTu4cu84v3PM4DL7arxc/WNnzI/ic2k1KBU=";
- allowedIPs = ["0.0.0.0/0" "::/0"];
- }
- ];
+ networking = {
+ firewall.allowedTCPPorts = [ port ];
+ firewall.allowedUDPPorts = [ port ];
+
+ wireguard = {
+ interfaces = {
+ wg0 = {
+ ips = [ "10.35.190.1/23" ];
+ privateKeyFile = "/opt/secret/wireguard/wg0.key";
+ listenPort = port;
+ allowedIPsAsRoutes = false;
+ peers = [
+ {
+ publicKey = "ULWhaOsAaTu4cu84v3PM4DL7arxc/WNnzI/ic2k1KBU=";
+ allowedIPs = ["0.0.0.0/0" "::/0"];
+ }
+ ];
+ };
 };
 };
 };
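Review bot: `firewall.allowedTCPPorts = [ port ];` opens a TCP port that nothing in this module listens on — WireGuard's `listenPort` is UDP only — so that rule is pure exposure with no function and should be dropped, leaving just `firewall.allowedUDPPorts = [ port ];`. Separately, the re-added peer entry keeps `allowedIPs = ["0.0.0.0/0" "::/0"]`, which on a server-side peer makes cryptokey routing accept packets from that peer bearing any source address; `allowedIPsAsRoutes = false` only prevents the catch-all routes from being installed, it does not narrow what is accepted from the peer. If this host is the server and the peer is a single client (the file name suggests so, but the hunk does not show it), the intended value is presumably that client's own tunnel address, and a comment on the `allowedIPs` line stating why the catch-all is wanted would save the next reader the same question.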