[fanny] setup initrd wireguard

machines/fanny/configuration.nix

@@ -1,6 +1,7 @@
 { inputs, config, ... }:
 let
   sshKeys = import ../ssh_keys.nix;
+  peers = import ../modules/malobeo/peers.nix;
 in
 {
   sops.defaultSopsFile = ./secrets.yaml;
@@ -87,6 +88,33 @@ in
     ethernetDrivers = ["r8169"];
   };
 
+  boot.initrd = {
+    availableKernelModules = [ "wireguard" ];
+    systemd = {
+      enable = true;
+      network = {
+        enable = true;
+        netdevs."30-wg-initrd" = {
+          netdevConfig = {
+            Kind = "wireguard";
+            Name = "wg-initrd";
+          };
+          wireguardConfig = { PrivateKeyFile = "/etc/secrets/30-wg-initrd.key"; };
+          wireguardPeers = [{
+            AllowedIPs = peers.fanny-initrd.allowedIPs;
+            PublicKey = peers.fanny-initrd.publicKey;
+            Endpoint = "${peers.vpn.publicIp}:${builtins.toString(peers.vpn.listenPort)}";
+            PersistentKeepalive = 25;
+          }];
+        };
+        networks."30-wg-initrd" = {
+          name = "wg-initrd";
+          addresses = [{ Address = peers.fanny-initrd.address; }];
+        };
+      };
+    };
+  };
+
   services.malobeo.vpn = {
     enable = true;
     name = "fanny";

machines/modules/malobeo/peers.nix

@@ -44,6 +44,14 @@
     publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU=";
   };
 
+  "fanny-initrd" = {
+    role = "client";
+    address = "10.100.0.102";
+    allowedIPs = [ "10.100.0.102/32" ];
+    #TODO: UPDATE
+    publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU=";
+  };
+
   "backup0" = {
     role = "client";
     address = "10.100.0.20";