# /etc/hostname.wg0 — WireGuard tunnel to nullstone
#
# Generate keys (do this on the edge box, NOT in this repo):
#   doas openssl rand -base64 32 > /etc/wg/edge.key
#   chmod 600 /etc/wg/edge.key
#   wg pubkey < /etc/wg/edge.key > /etc/wg/edge.pub
#
# Get nullstone's wg pubkey separately and paste below.
#
# Then: doas mv hostname.wg0.example /etc/hostname.wg0, edit values, sh /etc/netstart wg0

inet 10.10.10.1 255.255.255.248      # /29 subnet, edge = .1
mtu 1420
!/usr/local/bin/wg set wg0 \
    listen-port 51820 \
    private-key /etc/wg/edge.key \
    peer NULLSTONE_PUB_KEY_HERE= \
        endpoint 192.168.0.100:51820 \
        allowed-ips 10.10.10.2/32 \
        persistent-keepalive 25
!route -q add -net 10.10.10.0/29 10.10.10.1
up