coarse initial server setup

configs/services/wg_server.nix

@@ -9,24 +9,15 @@ in {
   # set up secret key
   sops = {
     age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-    secrets.wg_private_key = {
-      sopsFile = ../../secrets/wireguard/secrets.yaml;
+    secrets.private_key = {
+      sopsFile = ../../secrets/wireguard/server.yaml;
     };
   };
 
   networking = {
     firewall.allowedUDPPorts = [ wg_port ];
     firewall.rejectPackets = true;
-    firewall.trustedInterfaces = [ "wgbr" "wg0" ];
-    interfaces.wgbr.ipv4 = {
-      routes = [ ];
-      addresses = [
-        {
-          address = "10.8.1.1";
-          prefixLength = 24;
-        }
-      ];
-    };
+    firewall.trustedInterfaces = [ "wg0" ];
 
     wg-quick.interfaces = {
       wg0 = {
@@ -35,25 +26,7 @@ in {
         listenPort = wg_port; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
 
         # Path to the private key file (see sops).
-        privateKeyFile = "/run/secrets/wg_private_key";
-
-        peers = [
-          # For a client configuration, one peer entry for the server will suffice.
-
-          {
-            # Public key of the server (not a file path).
-            publicKey = "AJ1nr0/w8OvsNq5Ju//m4856u7yY0hlPGMEGeZtlhlY=";
-
-            # Forward all the traffic via VPN.
-            allowedIPs = [ "10.8.0.0/16" ];
-
-            # Set this to the server IP and port.
-            endpoint = "202.61.230.52:51820";
-
-            # Send keepalives every 25 seconds. Important to keep NAT tables alive.
-            persistentKeepalive = 25;
-          }
-        ];
+        privateKeyFile = "/run/secrets/private_key";
       };
     };
   };