chore(infra): update hosts.yaml and wireguard config
🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
parent
a790c6e85c
commit
8dd1f6a06c
3 changed files with 19 additions and 7 deletions
@ -1,8 +1,8 @@
|
|||
{
|
||||
"major": 0,
|
||||
"merges": 0,
|
||||
"builds": 15,
|
||||
"version": "0.0.15",
|
||||
"builds": 16,
|
||||
"version": "0.0.16",
|
||||
"lastMerge": null,
|
||||
"lastBuild": "2025-12-27T23:07:49-08:00"
|
||||
"lastBuild": "2025-12-27T23:12:52-08:00"
|
||||
}
|
||||
|
|
|
|||
|
|
@ -75,11 +75,11 @@ hosts:
|
|||
plum:
|
||||
description: "MacBook Pro - mobile development"
|
||||
connection:
|
||||
ssh_host: "plum.local"
|
||||
ssh_host: "10.0.0.162"
|
||||
ssh_user: "lilith"
|
||||
ssh_key: "~/.ssh/id_ed25519"
|
||||
network:
|
||||
lan_ip: "10.0.0.10"
|
||||
lan_ip: "10.0.0.162"
|
||||
required:
|
||||
services:
|
||||
- sshd
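Review bot: Replacing `ssh_host: "plum.local"` with the literal `10.0.0.162` pins a host described as "MacBook Pro - mobile development" to what is presumably a DHCP-assigned LAN address, so the entry goes stale the moment the laptop roams or the lease changes, and the same address is now duplicated by hand in `lan_ip`. If the reconciler runs `ssh` with `StrictHostKeyChecking=accept-new` (or a user answers "yes" at the prompt), the existing known_hosts entry for `plum.local` no longer matches and the first connection to `10.0.0.162` will trust whatever key answers there; I cannot see how `ssh_host` is consumed, so treat that as something to confirm. At minimum document the assumption inline, e.g. `ssh_host: "10.0.0.162"  # DHCP lease for plum - needs a router reservation, or revert to plum.local once mDNS resolves`, or have the ssh wrapper pass `HostKeyAlias=plum.local` so the recorded host key still applies. The hosts: mapping this entry belongs to starts before the hunk.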
|
||||
|
|
|
|||
|
|
@ -116,6 +116,11 @@ wireguard_client_generate_config() {
|
|||
# WireGuard Client Configuration for ${hostname}
|
||||
# Generated by reconciliation system
|
||||
#
|
||||
# SECURITY MODEL: SOCKS5-over-WireGuard
|
||||
# - WireGuard provides encrypted tunnel (NO automatic routing)
|
||||
# - SOCKS5 proxy (localhost:1080) tunnels through WireGuard
|
||||
# - Applications must explicitly use SOCKS5 proxy to access VPN resources
|
||||
#
|
||||
# IMPORTANT: Replace PRIVATE_KEY with actual private key
|
||||
# Generate with: wg genkey | tee privatekey | wg pubkey > publickey
|
||||
#
|
||||
|
|
@ -125,12 +130,19 @@ wireguard_client_generate_config() {
|
|||
[Interface]
|
||||
PrivateKey = PRIVATE_KEY_HERE
|
||||
Address = ${vpn_ip}/24
|
||||
DNS = 1.1.1.1
|
||||
# NO DNS - SOCKS5 handles DNS through tunnel
|
||||
# DNS = 1.1.1.1
|
||||
|
||||
# NO Table - Do not create routing table (prevents auto-routing)
|
||||
Table = off
|
||||
|
||||
[Peer]
|
||||
PublicKey = SERVER_PUBLIC_KEY_HERE
|
||||
Endpoint = 93.95.231.174:51820
|
||||
AllowedIPs = 10.8.0.0/24
|
||||
# CRITICAL: Only allow VPN gateway IP (for tunnel keepalive)
|
||||
# DO NOT use 10.8.0.0/24 - that creates automatic routing
|
||||
# Traffic MUST go through SOCKS5 proxy (localhost:1080)
|
||||
AllowedIPs = 10.8.0.1/32
|
||||
PersistentKeepalive = 25
|
||||
EOF
|
||||
}
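Review bot: The comment `# DO NOT use 10.8.0.0/24 - that creates automatic routing` above the new `AllowedIPs = 10.8.0.1/32` conflates two mechanisms: with `Table = off` wg-quick installs no routes for AllowedIPs at all, so AllowedIPs here only governs cryptokey routing (which destinations may be sent to, and which source addresses are accepted from, this peer), while the `Address = ${vpn_ip}/24` line, on Linux, still causes the kernel to add a connected route for 10.8.0.0/24 when the address is assigned — so the "NO automatic routing" claim in the header holds for AllowedIPs but not for the address prefix, and that connected route is presumably what makes 10.8.0.1 reachable at all. I would reword it to `# AllowedIPs limits tunnel traffic to the gateway (cryptokey routing); Table=off already suppresses route installation, and the /24 Address supplies the on-link route that reaches 10.8.0.1` so the next maintainer does not narrow Address to /32 and break the gateway path. The `# NO DNS - SOCKS5 handles DNS through tunnel` comment is only true for clients that use remote resolution (`socks5h://`); plain SOCKS5 clients resolve names locally and leak DNS outside the tunnel, which the comment should say. Minor: the key-generation hint `wg genkey | tee privatekey | wg pubkey > publickey` writes the private key with the default umask, so `(umask 077; wg genkey | tee privatekey | wg pubkey > publickey)` is the safer form to quote. The function wireguard_client_generate_config starts before the first hunk.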
|
||||
|
|
|
|||