From 05d9aa0be28b46192f386fd98dd5a8c7f7a18a74 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Wed, 20 Sep 2023 10:07:34 +0200
Subject: [PATCH] add sane
---
hosts/nb-01.cloonar.com/configuration.nix | 44 +++++++++----------
hosts/nb-01.cloonar.com/modules/sway/sway.nix | 1 +
2 files changed, 22 insertions(+), 23 deletions(-)
diff --git a/hosts/nb-01.cloonar.com/configuration.nix b/hosts/nb-01.cloonar.com/configuration.nix
index 143cf74..f8dd474 100644
--- a/hosts/nb-01.cloonar.com/configuration.nix
+++ b/hosts/nb-01.cloonar.com/configuration.nix
@@ -165,29 +165,27 @@ ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true ''; }; - # networking.wireguard.interfaces = { - # wg0 = { - # # Determines the IP address and subnet of the client's end of the tunnel interface. - # ips = [ "10.42.98.201/32" ]; - # listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers) - # - # # Path to the private key file. - # # - # # Note: The private key can also be included inline via the privateKey option, - # # but this makes the private key world-readable; thus, using privateKeyFile is - # # recommended. - # privateKeyFile = config.sops.secrets.wg-cloonar-key.path; - # - # peers = [ - # { - # publicKey = "TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q="; - # allowedIPs = [ "0.0.0.0/0" ]; - # endpoint = "vpn.cloonar.com:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577 - # persistentKeepalive = 25; - # } - # ]; - # }; - # }; + networking.wireguard.interfaces = { + wg0 = { + # Determines the IP address and subnet of the client's end of the tunnel interface. + ips = [ "10.42.98.201/32" ]; + # Path to the private key file. + # + # Note: The private key can also be included inline via the privateKey option, + # but this makes the private key world-readable; thus, using privateKeyFile is + # recommended. 
+ privateKeyFile = config.sops.secrets.wg-cloonar-key.path; + + peers = [ + { + publicKey = "TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q="; + allowedIPs = [ "10.42.97.0/20" "10.14.0.0/16" "10.25.0.0/16" ]; + endpoint = "vpn.cloonar.com:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577 + persistentKeepalive = 25; + } + ]; + }; + }; # Facial recognition "Windows hello" # services.ir-toggle.enable = true; diff --git a/hosts/nb-01.cloonar.com/modules/sway/sway.nix b/hosts/nb-01.cloonar.com/modules/sway/sway.nix index 2c88c0f..39fd0b8 100644 --- a/hosts/nb-01.cloonar.com/modules/sway/sway.nix +++ b/hosts/nb-01.cloonar.com/modules/sway/sway.nix @@ -21,6 +21,7 @@ in { ./parsec.nix ]; + hardware.sane.enable = true; hardware.pulseaudio.enable = false; services.xserver = {
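Review bot: The first `allowedIPs` entry in the re-enabled `wg0` peer, `"10.42.97.0/20"`, has host bits set: the /20 containing that address starts at 10.42.96.0, so the range this peer is trusted for and routed to is 10.42.96.0–10.42.111.255 rather than what the literal suggests. The NixOS wireguard module normally also installs a route per allowed prefix, and a non-canonical prefix may be rejected at that step, so write it as `"10.42.96.0/20"` if the /20 is intended (the tunnel address 10.42.98.201 lies inside it) or narrow it to the subnets actually needed. `listenPort = 51820` is not carried over from the commented-out block, while the context line at the top of the hunk still removes an rpfilter exception for UDP port 51820; it is worth confirming those firewall rules are still wanted now that the client uses a random source port. The trailing `# ToDo: route to endpoint not automatically configured …` comment described the old `0.0.0.0/0` full-tunnel case and looks stale for a split tunnel.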