fix wg-sigma-p2p again

hosts/alpha/network.nix

@@ -41,9 +41,9 @@
       name = "wg-sigma-public";
     };
 
-    # The following routes traffic destined for a secret floating IP to sigma
+    # The following routes traffic destined for 116.203.6.156 (floating IP) to
-    # through wireguard. This allows the server to have a public address and
+    # sigma through wireguard. This allows the server to have a public address
-    # help others sail the high seas even though it is behind NAT.
+    # and help others sail the high seas even though it is behind NAT.
     netdevs."51-wg-sigma-p2p" = {
       netdevConfig = {
         Name = "wg-sigma-p2p";
@@ -58,9 +58,7 @@
           wireguardPeerConfig = {
             PublicKey = "sigmaH/DKSU8KWyrPtucYmS2ewUvDvCNLxd/qYEo0n0=";
             PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
-            # Add to the main routing table that traffic for the address should
+            AllowedIPs = [ "116.203.6.156/32" ];
-            # be sent to sigma.
-            AllowedIPs = [ "a.b.c.d/32" ]; # see 51-wg-sigma-p2p.netdev.d/address.conf below
             RouteTable = "main";
           };
         }
@@ -71,14 +69,6 @@
     };
   };
 
-  # To keep the address of the wg-sigma-p2p interface secret, it is not
-  # configured here directly but instead contained in an encrypted file which
-  # is decrypted and symlinked to the netdevs's "drop-in" directly, causing it
-  # to be merged into the configuration.
-  environment.etc."systemd/network/51-wg-sigma-p2p.netdev.d/address.conf" = {
-    source = config.age.secrets.netdev-51-wg-sigma-p2p-address.path;
-  };
-
   # Enable forwarding of packets
   boot.kernel.sysctl = {
     "net.ipv4.ip_forward" = true;
@@ -102,11 +92,4 @@
     owner = "root";
     group = "systemd-network";
   };
-
-  age.secrets.netdev-51-wg-sigma-p2p-address = {
-    file = ../../secrets/netdev-51-wg-sigma-p2p-address.age;
-    mode = "644";
-    owner = "root";
-    group = "systemd-network";
-  };
 }

hosts/omega/network.nix

@@ -55,9 +55,9 @@
     };
 
     # The following establishes a wireguard tunnel to alpha and configures
-    # receiving traffic destined for a secret address. This allows the server
+    # receiving traffic destined for 116.203.6.156. This allows the server to
-    # to have a public address and help others sail the high seas even though
+    # have a public address and help others sail the high seas even though it
-    # it is behind NAT.
+    # is behind NAT.
     netdevs."51-wg-sigma-p2p" = {
       netdevConfig = {
         Name = "wg-sigma-p2p";
@@ -72,17 +72,7 @@
             PublicKey = "AlphazUR/z+1DRCFSvxTeKPIJnyPQvYsDoSgESvqJhM=";
             PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
             Endpoint = "alpha.caspervk.net:51821";
-            # Keep NAT mappings and stateful firewalls open at the ISP
             PersistentKeepalive = 25;
-            # AllowedIPs is both an ACL for incoming traffic, as well as a
-            # routing table specifying to which peer outgoing traffic should be
-            # sent. We want to allow incoming traffic from any address on the
-            # internet (routed through alpha), but only replies to this should
-            # be routed back over wireguard. Unlike if we had used NAT, IP
-            # routes are stateless, so we have no notion of "replies". Instead,
-            # we add these routes to a specific routing table and configure a
-            # routing policy rule to only use it for packets being sent as the
-            # p2p IP.
             AllowedIPs = [ "0.0.0.0/0" ];
             RouteTable = "wg-sigma-p2p";
           };
@@ -91,11 +81,11 @@
     };
     networks."wg-sigma-p2p" = {
       name = "wg-sigma-p2p";
-      address = [ "a.b.c.d/32" ]; # see 51-wg-sigma-p2p.network.d/address.conf below
+      address = [ "116.203.6.156/32" ];
       routingPolicyRules = [
         {
           routingPolicyRuleConfig = {
-            From = "a.b.c.d/32"; # see 51-wg-sigma-p2p.network.d/address.conf below
+            From = "116.203.6.156/32";
             Table = "wg-sigma-p2p";
           };
         }
@@ -103,14 +93,6 @@
     };
   };
 
-  # To keep the address of the wg-sigma-p2p interface secret, it is not
-  # configured here directly but instead contained in an encrypted file which
-  # is decrypted and symlinked to the network's "drop-in" directly, causing it
-  # to be merged into the configuration.
-  environment.etc."systemd/network/wg-sigma-p2p.network.d/address.conf" = {
-    source = config.age.secrets.network-wg-sigma-p2p-address.path;
-  };
-
   age.secrets.wireguard-preshared-key-file = {
     file = ../../secrets/wireguard-preshared-key-file.age;
     mode = "640";
@@ -124,11 +106,4 @@
     owner = "root";
     group = "systemd-network";
   };
-
-  age.secrets.network-wg-sigma-p2p-address = {
-    file = ../../secrets/network-wg-sigma-p2p-address.age;
-    mode = "644";
-    owner = "root";
-    group = "systemd-network";
-  };
 }

secrets/netdev-51-wg-sigma-p2p-address.age

@@ -1,9 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 KjvmEQ o+mkItId5k1qUiWa5Q7Jk6pLXYgVZTZibF3ec+lfoX4
-AnV6s7gOAxr3B3PZGZDa7FMthhdGXpGHcxFOy+15oLk
--> X25519 Ry3b2t2TNkqdGJmttprAlLKMmReBLEFjaD+/2o8fv0c
-AMraYoxsvx79k+9behN3YhayyZhUCMsJHzrF9K4cRvk
---- qR5De+RcL3W/NKnzNqJ2UOlScPvNfZQ2LusPAc270ek
-¹DÛ,( •<>¥ÚÅh¢ÿ~$ióŽ/LsÙe
-½sÙªa\“}üW~@…Œƒâþ>Â>JGß­vRMY¾ðƒ´ñ_
WÕðg£:,èKõ3mÅþ>Mß}trÄB‡H,•ž(º´q¸ôåœP"FÇá9Â9<Ó>QÃÞµ3‘
-šXA¥¤¹$çÖ¥ŠGÜ­y¶:©AÃn8²<38>W<à
ÂýŽp	¨ÏÕÿ«Yµ‹Pik_‰"@G÷@'À¶Ëo|åÑ<C3A5>/[ˆ–áŽWþS»Âæ€4òºÁy‡N`h½Æ½¯"@h…ÌI’g-†Þ

secrets/secrets.nix

@@ -22,10 +22,6 @@ in
 builtins.mapAttrs (name: value: { publicKeys = value ++ [ recovery ]; }) {
   "users-hashed-password-file.age" = all;
 
-  # Secret network addresses
-  "netdev-51-wg-sigma-p2p-address.age" = [ alpha ];
-  "network-wg-sigma-p2p-address.age" = [ omega ];
-
   ## Wireguard
   # The preshared key adds an additional layer of symmetric-key crypto to be
   # mixed into the already existing public-key crypto, for post-quantum