chore(infra): update hosts.yaml and wireguard config

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Quinn Ftw 2025-12-27 23:12:25 -08:00
parent a790c6e85c
commit 8dd1f6a06c
3 changed files with 19 additions and 7 deletions


@ -1,8 +1,8 @@
{
"major": 0,
"merges": 0,
"builds": 15,
"version": "0.0.15",
"builds": 16,
"version": "0.0.16",
"lastMerge": null,
"lastBuild": "2025-12-27T23:07:49-08:00"
"lastBuild": "2025-12-27T23:12:52-08:00"
}


@ -75,11 +75,11 @@ hosts:
plum:
description: "MacBook Pro - mobile development"
connection:
ssh_host: "plum.local"
ssh_host: "10.0.0.162"
ssh_user: "lilith"
ssh_key: "~/.ssh/id_ed25519"
network:
lan_ip: "10.0.0.10"
lan_ip: "10.0.0.162"
required:
services:
- sshd

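Review bot: The same address now appears in both `ssh_host` and `lan_ip` for `plum` (which side is old and which is new is not marked here, but the commit title suggests the 10.0.0.162 lines are the new ones), so the two fields must be kept in sync by hand and will drift the next time the host's address changes. If the reconciliation tooling can derive one from the other, prefer that; otherwise a comment such as `# ssh_host and lan_ip must match — update both together` would at least flag the coupling. Note too that an existing `known_hosts` entry recorded under `plum.local` will not match an IP endpoint, so the first connection will re-prompt for the host key; confirm the fingerprint against the machine rather than accepting it blindly. Whether 10.0.0.162 is a static lease or DHCP-assigned cannot be told from the hunk; if it is dynamic, the previous `.local` name may have been the more stable choice.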

@ -116,6 +116,11 @@ wireguard_client_generate_config() {
# WireGuard Client Configuration for ${hostname}
# Generated by reconciliation system
#
# SECURITY MODEL: SOCKS5-over-WireGuard
# - WireGuard provides encrypted tunnel (NO automatic routing)
# - SOCKS5 proxy (localhost:1080) tunnels through WireGuard
# - Applications must explicitly use SOCKS5 proxy to access VPN resources
#
# IMPORTANT: Replace PRIVATE_KEY with actual private key
# Generate with: wg genkey | tee privatekey | wg pubkey > publickey
#
@ -125,12 +130,19 @@ wireguard_client_generate_config() {
[Interface]
PrivateKey = PRIVATE_KEY_HERE
Address = ${vpn_ip}/24
DNS = 1.1.1.1
# NO DNS - SOCKS5 handles DNS through tunnel
# DNS = 1.1.1.1
# NO Table - Do not create routing table (prevents auto-routing)
Table = off
[Peer]
PublicKey = SERVER_PUBLIC_KEY_HERE
Endpoint = 93.95.231.174:51820
AllowedIPs = 10.8.0.0/24
# CRITICAL: Only allow VPN gateway IP (for tunnel keepalive)
# DO NOT use 10.8.0.0/24 - that creates automatic routing
# Traffic MUST go through SOCKS5 proxy (localhost:1080)
AllowedIPs = 10.8.0.1/32
PersistentKeepalive = 25
EOF
}
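Review bot: The comment above the new `AllowedIPs = 10.8.0.1/32` line is misleading: with `Table = off` already set, wg-quick adds no routes for any AllowedIPs value, so `10.8.0.0/24` would not "create automatic routing" either; what the /32 actually does is restrict WireGuard's cryptokey routing so the tunnel will only carry packets to and from the gateway, which is still worth keeping but should be stated accurately, e.g. `# AllowedIPs is cryptokey routing, not a route (Table = off): limit the tunnel to the gateway only`. The `# NO DNS - SOCKS5 handles DNS through tunnel` comment also overstates the guarantee — a SOCKS5 client only resolves names through the proxy when it is configured for remote resolution (`socks5h://` / "proxy DNS"), and plain `socks5://` clients resolve locally and leak queries; the comment should say so. Nothing in the generated config starts or references the localhost:1080 proxy the header describes, so it is presumably set up elsewhere; a pointer to where would help the next reader. The enclosing `wireguard_client_generate_config` function begins outside the hunk, and the `${vpn_ip}` and hard-coded `Endpoint` values are not visible here, so I have not checked them.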