finish setup for wireguard clients

home/private_dot_wireguard/adjudicator.conf.tmpl

@@ -0,0 +1,11 @@
+[Interface]
+# your own IP on the wireguard network
+Address = 192.168.2.2/24
+PrivateKey = {{ (secret "Wireguard - Adjudicator Secret" "NOTES") }}
+
+[Peer]
+PublicKey = bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=
+# restrict this to the wireguard subnet if you don't want to route everything to the tunnel
+AllowedIPs = 0.0.0.0/0, ::/0
+# ip and port of the peer
+Endpoint = 66.218.43.87:51820

home/private_dot_wireguard/adjudicator.pub

@@ -0,0 +1 @@
+r2/IeYCO1T+l248387wUBoNnc2DK9O8pHcIr/NQqezM=

home/private_dot_wireguard/adjudicator.tmpl

@@ -0,0 +1 @@
+{{ (secret "Wireguard - Adjudicator Secret" "NOTES") }}

home/private_dot_wireguard/bulwark.conf.tmpl

@@ -1,7 +1,6 @@
 [Interface]
 # your own IP on the wireguard network
 Address = 192.168.2.4/24
-Table = auto
 PrivateKey = {{ (secret "Wireguard - Bulwark Secret" "NOTES") }}
 
 [Peer]

provision/nixos/hosts/kestrel/configuration.nix

@@ -58,6 +58,15 @@
     extraGroups = [ "dialout" "wheel" "docker" "libvirtd" ]; # Enable ‘sudo’ for the user.
   };
 
+  # Password-less root
+  security.sudo.extraRules = [{ 
+    users = [ "${user}" ];
+    commands = [{ 
+      command = "ALL" ;
+      options= [ "NOPASSWD" ]; # "SETENV" # Adding the following could be a good idea
+    }];
+  }];
+  
   # List packages installed in system profile.
   environment.systemPackages = with pkgs; [
       # One-off stable packages

provision/nixos/modules/system/wireguard-client.nix

@@ -16,6 +16,9 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
+    # Create qr code for phones with:
+    # qrencode -t ansiutf8 < myfile_here
+    environment.systemPackages = with pkgs; [ qrencode ];
     networking.firewall = {
       allowedUDPPorts = [ 51820 ];
     };