From d45f88b604f92b8edf360376b655b55710615ea9 Mon Sep 17 00:00:00 2001 From: Myron Blair Date: Tue, 30 Jun 2026 07:53:48 -0500 Subject: [PATCH] Add VM configs, WireGuard, and MSP360 setup - vm-configs/fstab/: fstab snapshots for JARVIS, NPM, NovaCPX, Jellyfin, MediaStack - vm-configs/network-reference.md: full IP/service/NAS/WireGuard reference - wireguard/: MediaStack wg0/wg1 and WireGuard CT nord0/wg-clients configs - msp360/: install and setup scripts + staggered backup schedule Co-Authored-By: Claude Sonnet 4.6 Claude-Session: https://claude.ai/code/session_01X8tDRrQqgLjqXebMCBNcP3 --- msp360/install-msp360.sh | 84 +++++++++++++++++++++++++++++++ msp360/msp360-schedule.md | 35 +++++++++++++ msp360/msp360-setup.sh | 61 ++++++++++++++++++++++ vm-configs/fstab/jarvis.fstab | 4 ++ vm-configs/fstab/jellyfin.fstab | 6 +++ vm-configs/fstab/mediastack.fstab | 7 +++ vm-configs/fstab/novacpx.fstab | 4 ++ vm-configs/fstab/npm.fstab | 4 ++ vm-configs/network-reference.md | 66 ++++++++++++++++++++++++ wireguard/mediastack-wg0.conf | 17 +++++++ wireguard/mediastack-wg1.conf | 16 ++++++ wireguard/wgct-nord0.conf | 17 +++++++ wireguard/wgct-wg-clients.conf | 15 ++++++ 13 files changed, 336 insertions(+) create mode 100644 msp360/install-msp360.sh create mode 100644 msp360/msp360-schedule.md create mode 100644 msp360/msp360-setup.sh create mode 100644 vm-configs/fstab/jarvis.fstab create mode 100644 vm-configs/fstab/jellyfin.fstab create mode 100644 vm-configs/fstab/mediastack.fstab create mode 100644 vm-configs/fstab/novacpx.fstab create mode 100644 vm-configs/fstab/npm.fstab create mode 100644 vm-configs/network-reference.md create mode 100644 wireguard/mediastack-wg0.conf create mode 100644 wireguard/mediastack-wg1.conf create mode 100644 wireguard/wgct-nord0.conf create mode 100644 wireguard/wgct-wg-clients.conf diff --git a/msp360/install-msp360.sh b/msp360/install-msp360.sh new file mode 100644 index 0000000..5e3f5c3 --- /dev/null +++ b/msp360/install-msp360.sh 
@@ -0,0 +1,84 @@
+#!/bin/bash
+# MSP360 Backup - Complete Linux Install & Configure
+# Run as root from the directory containing this script and the .deb file.
+#
+# Credentials are fetched from private Gitea repo (myron/msp360-config).
+# Requires /etc/msp360-gitea-token on the target machine.
+# OR place a filled-in msp360.conf in the same directory as this script.
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+CONF="$SCRIPT_DIR/msp360.conf"
+TOKEN_FILE="/etc/msp360-gitea-token"
+GITEA_RAW="https://gitea.orbishosting.com/myron/msp360-config/raw/branch/main/msp360.conf"
+CBB="/opt/local/MSP360 Backup/bin/cbbCommandLine"
+
+if [ -f "$CONF" ]; then
+ echo "Using local msp360.conf"
+ source "$CONF"
+elif [ -f "$TOKEN_FILE" ]; then
+ echo "Fetching config from Gitea..."
+ GITEA_TOKEN=$(cat "$TOKEN_FILE")
+ curl -sf -H "Authorization: token $GITEA_TOKEN" "$GITEA_RAW" -o /tmp/msp360.conf
+ source /tmp/msp360.conf
+ rm -f /tmp/msp360.conf
+else
+ echo "ERROR: No msp360.conf found and no /etc/msp360-gitea-token present."
+ echo " Option A: Place a filled-in msp360.conf in $SCRIPT_DIR"
+ echo " Option B: Put your Gitea token in /etc/msp360-gitea-token (chmod 600)"
+ exit 1
+fi
+
+BACKUP_PATH="${MOUNT_POINT}/${BACKUP_SUBDIR}"
+CBB_DEB=$(ls "$SCRIPT_DIR"/ubuntu14_MSP360_*.deb 2>/dev/null | head -1)
+
+echo "=== Step 1: Install MSP360 ==="
+if [ -f "$CBB_DEB" ]; then
+ dpkg -i "$CBB_DEB"
+ sleep 5
+else
+ echo "WARNING: No .deb found — assuming already installed"
+fi
+
+echo "=== Step 2: Activate license ==="
+"$CBB" activateLicense -e "$LICENSE_EMAIL" -free
+
+echo "=== Step 3: Install cifs-utils ==="
+apt-get install -y cifs-utils
+
+echo "=== Step 4: Mount NAS ==="
+mkdir -p "$MOUNT_POINT" /etc/nas-creds
+printf "username=%s\npassword=%s\n" "$NAS_USER" "$NAS_PASS" > /etc/nas-creds/msp360
+chmod 600 /etc/nas-creds/msp360
+
+if ! mountpoint -q "$MOUNT_POINT"; then
+ mount -t cifs "//${NAS_HOST}/${NAS_SHARE}" "$MOUNT_POINT" \
+ -o credentials=/etc/nas-creds/msp360,uid=0,gid=0,noperm,_netdev
+fi
+df -h "$MOUNT_POINT"
+
+echo "=== Step 5: Create backup directory ==="
+mkdir -p "$BACKUP_PATH"
+
+echo "=== Step 6: Add fstab entry ==="
+FSTAB_LINE="//${NAS_HOST}/${NAS_SHARE} ${MOUNT_POINT} cifs credentials=/etc/nas-creds/msp360,uid=0,gid=0,noperm,_netdev 0 0"
+grep -q "$MOUNT_POINT" /etc/fstab || echo "$FSTAB_LINE" >> /etc/fstab
+
+echo "=== Step 7: Register storage account ==="
+"$CBB" addAccount -st FileSystem -d "NAS-MSPBackups" -c "$BACKUP_PATH"
+
+echo "=== Step 8: Create backup plan ==="
+"$CBB" addBackupPlan \
+ -n "$PLAN_NAME" \
+ -a "NAS-MSPBackups" \
+ -f "/" \
+ -ef "/proc" -ef "/sys" -ef "/dev" -ef "/run" -ef "/tmp" -ef "/mnt" \
+ -es no \
+ -purge 1m -purgeBy backupDate -keepLastVersion yes \
+ -runMissed yes \
+ -en yes -every day -at "$INC_TIME" \
+ -enFull yes -everyFull week -atFull "$FULL_TIME" -weekdayFull "su"
+
+echo ""
+echo "=== Done! Plan list: ==="
+"$CBB" plan -l
diff --git a/msp360/msp360-schedule.md b/msp360/msp360-schedule.md
new file mode 100644
index 0000000..9c270dc
--- /dev/null
+++ b/msp360/msp360-schedule.md
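Review bot: The Gitea branch writes the fetched config, which carries `NAS_PASS`, to the fixed path `/tmp/msp360.conf` under the default umask and then `source`s it, so the secret is briefly readable by every local user and anyone who pre-creates that path (or a symlink there) can influence what root sources; msp360-setup.sh has the same block. The excerpt below replaces that with a `mktemp` file removed by an `EXIT` trap and feeds the token to curl through `-K -` on stdin instead of an `-H` argument that `ps` can read; note that `source`ing a remote file means whoever can write to the msp360-config repo runs shell as root on every host provisioned from it, so that repo needs the same protection as the hosts. Step 6 also writes the cifs entry with `noperm` and no `file_mode`/`dir_mode`, while the fstab snapshots in this commit use `file_mode=0700,dir_mode=0700`, so script-provisioned hosts presumably leave the backup tree readable by local users and drift from the recorded state; use the snapshot options in both `FSTAB_LINE` and the `mount -o` list. `grep -q "$MOUNT_POINT" /etc/fstab` is a substring match that any entry containing that text satisfies; `grep -qF -- "//${NAS_HOST}/${NAS_SHARE} ${MOUNT_POINT} " /etc/fstab` pins the check to the share and mount point.
```shell
elif [ -f "$TOKEN_FILE" ]; then
  echo "Fetching config from Gitea..."
  conf_tmp=$(mktemp) || exit 1
  trap 'rm -f -- "$conf_tmp"' EXIT
  # Token reaches curl on stdin as a config file (-K -), not on argv.
  printf 'header = "Authorization: token %s"\n' "$(cat "$TOKEN_FILE")" \
    | curl -sf -K - "$GITEA_RAW" -o "$conf_tmp"
  source "$conf_tmp"
# … unchanged: else branch and Steps 1-8 …
```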
@@ -0,0 +1,35 @@
+# MSP360 Backup Schedule
+
+License: myronblair@outlook.com (free)
+NAS: //10.48.200.249/Storage → /mnt/nas-backups
+Backup path: /mnt/nas-backups/MSPBackups/CBB_/
+Credentials: fetched from Gitea private repo myron/msp360-config via /etc/msp360-gitea-token
+
+## Plan: All files, weekly full + daily incremental, 1 month retention
+
+| Host | IP | Plan Name | Full (Sun) | Incremental (daily) | Status |
+|--------------|-----------------|--------------------|------------|---------------------|----------|
+| JARVIS | 10.48.200.211 | JARVIS-Backup | 01:00 | 02:00 | Stopped |
+| NPM | 10.48.200.200 | NPM-Backup | 01:15 | 02:15 | Stopped |
+| NovaCPX | 10.48.200.110 | NovaCPX-Backup | 01:30 | 02:30 | Stopped |
+| Jellyfin | 10.48.200.33 | Jellyfin-Backup | 01:45 | 02:45 | Stopped |
+| Homebridge | 10.48.200.18 | Homebridge-Backup | 02:00 | 03:00 | Unknown |
+| MediaStack | 10.48.200.35 | MediaStack-Backup | 02:15 | 03:15 | Running |
+| PVE1 | 10.48.200.90 | PVE1-Backup | 02:30 | 03:30 | Stopped |
+| PVE2 | 10.48.200.91 | PVE2-Backup | 02:45 | 03:45 | Pending |
+| Ollama | 10.48.200.210 | Ollama-Backup | 03:00 | 04:00 | Pending |
+| NetworkBak | 10.48.200.99 | NetworkBak-Backup | 03:15 | 04:15 | Pending |
+
+Pending = offline, needs install when back up.
+DO server (165.22.1.228) and FusionPBX (134.209.72.226) cannot reach internal NAS.
+
+## Install on new host
+```bash
+# 1. Place Gitea token
+echo "" > /etc/msp360-gitea-token && chmod 600 /etc/msp360-gitea-token
+
+# 2. Run setup (MSP360 already installed)
+curl -sk https://web.orbishosting.com/downloads/msp360-linux-installer.zip -o /tmp/msp360.zip
+unzip /tmp/msp360.zip -d /tmp/msp360 && cd /tmp/msp360
+bash msp360-setup.sh "HOSTNAME-Backup" "HH:MM" "HH:MM"
+```
diff --git a/msp360/msp360-setup.sh b/msp360/msp360-setup.sh
new file mode 100644
index 0000000..9d9c6e9
--- /dev/null
+++ b/msp360/msp360-setup.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+# MSP360 Backup - Configure only (MSP360 already installed)
+# Usage: bash msp360-setup.sh
+# Credentials: fetched from Gitea (/etc/msp360-gitea-token) or local msp360.conf
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+CONF="$SCRIPT_DIR/msp360.conf"
+TOKEN_FILE="/etc/msp360-gitea-token"
+GITEA_RAW="https://gitea.orbishosting.com/myron/msp360-config/raw/branch/main/msp360.conf"
+CBB="/opt/local/MSP360 Backup/bin/cbbCommandLine"
+
+if [ -f "$CONF" ]; then
+ source "$CONF"
+elif [ -f "$TOKEN_FILE" ]; then
+ GITEA_TOKEN=$(cat "$TOKEN_FILE")
+ curl -sf -H "Authorization: token $GITEA_TOKEN" "$GITEA_RAW" -o /tmp/msp360.conf
+ source /tmp/msp360.conf
+ rm -f /tmp/msp360.conf
+else
+ echo "ERROR: No msp360.conf and no /etc/msp360-gitea-token"
+ exit 1
+fi
+
+PLAN_NAME="${1:-${PLAN_NAME:-MyHost-Backup}}"
+FULL_TIME="${2:-${FULL_TIME:-01:00}}"
+INC_TIME="${3:-${INC_TIME:-02:00}}"
+BACKUP_PATH="${MOUNT_POINT:-/mnt/nas-backups}/${BACKUP_SUBDIR:-MSPBackups}"
+
+"$CBB" activateLicense -e "$LICENSE_EMAIL" -free
+apt-get install -y cifs-utils 2>/dev/null | tail -1
+
+mkdir -p "${MOUNT_POINT}" /etc/nas-creds
+[ -f /etc/nas-creds/msp360 ] || \
+ printf "username=%s\npassword=%s\n" "$NAS_USER" "$NAS_PASS" > /etc/nas-creds/msp360
+chmod 600 /etc/nas-creds/msp360
+
+mountpoint -q "${MOUNT_POINT}" || \
+ mount -t cifs "//${NAS_HOST}/${NAS_SHARE}" "${MOUNT_POINT}" \
+ -o credentials=/etc/nas-creds/msp360,uid=0,gid=0,noperm,_netdev
+
+mkdir -p "$BACKUP_PATH"
+
+grep -q "${MOUNT_POINT}" /etc/fstab || \
+ echo "//${NAS_HOST}/${NAS_SHARE} ${MOUNT_POINT} cifs credentials=/etc/nas-creds/msp360,uid=0,gid=0,noperm,_netdev 0 0" >> /etc/fstab
+
+"$CBB" addAccount -st FileSystem -d "NAS-MSPBackups" -c "$BACKUP_PATH" 2>&1
+
+"$CBB" addBackupPlan \
+ -n "$PLAN_NAME" \
+ -a "NAS-MSPBackups" \
+ -f "/" \
+ -ef "/proc" -ef "/sys" -ef "/dev" -ef "/run" -ef "/tmp" -ef "/mnt" \
+ -es no \
+ -purge 1m -purgeBy backupDate -keepLastVersion yes \
+ -runMissed yes \
+ -en yes -every day -at "$INC_TIME" \
+ -enFull yes -everyFull week -atFull "$FULL_TIME" -weekdayFull "su" 2>&1
+
+echo "Done. Plans:"
+"$CBB" plan -l
diff --git a/vm-configs/fstab/jarvis.fstab b/vm-configs/fstab/jarvis.fstab
new file mode 100644
index 0000000..361e064
--- /dev/null
+++ b/vm-configs/fstab/jarvis.fstab
@@ -0,0 +1,4 @@
+LABEL=cloudimg-rootfs / ext4 discard,commit=30,errors=remount-ro 0 1
+LABEL=BOOT /boot ext4 defaults 0 2
+LABEL=UEFI /boot/efi vfat umask=0077 0 1
+//10.48.200.249/Storage /mnt/nas-backups cifs credentials=/etc/nas-creds/msp360,uid=0,gid=0,file_mode=0700,dir_mode=0700,_netdev 0 0
diff --git a/vm-configs/fstab/jellyfin.fstab b/vm-configs/fstab/jellyfin.fstab
new file mode 100644
index 0000000..0ae7d78
--- /dev/null
+++ b/vm-configs/fstab/jellyfin.fstab
@@ -0,0 +1,6 @@
+LABEL=cloudimg-rootfs / ext4 discard,commit=30,errors=remount-ro 0 1
+LABEL=BOOT /boot ext4 defaults 0 2
+LABEL=UEFI /boot/efi vfat umask=0077 0 1
+10.48.200.35:/media/movies /mnt/mediastack/movies nfs defaults,_netdev 0 0
+10.48.200.35:/media/tv /mnt/mediastack/tv nfs defaults,_netdev 0 0
+//10.48.200.249/Storage /mnt/nas-backups cifs credentials=/etc/nas-creds/msp360,uid=0,gid=0,file_mode=0700,dir_mode=0700,_netdev 0 0
diff --git a/vm-configs/fstab/mediastack.fstab b/vm-configs/fstab/mediastack.fstab
new file mode 100644
index 0000000..4d49b36
--- /dev/null
+++ b/vm-configs/fstab/mediastack.fstab
@@ -0,0 +1,7 @@
+LABEL=cloudimg-rootfs / ext4 discard,commit=30,errors=remount-ro 0 1
+LABEL=BOOT /boot ext4 defaults 0 2
+LABEL=UEFI /boot/efi vfat umask=0077 0 1
+10.48.200.249:/volume1/video /mnt/nas/video nfs defaults,_netdev 0 0
+/mnt/nas/video/movies /media/movies none bind 0 0
+/mnt/nas/video/tv /media/tv none bind 0 0
+//10.48.200.249/Storage /mnt/nas-backups cifs credentials=/etc/nas-creds/msp360,uid=0,gid=0,file_mode=0700,dir_mode=0700,_netdev 0 0
diff --git a/vm-configs/fstab/novacpx.fstab b/vm-configs/fstab/novacpx.fstab
new file mode 100644
index 0000000..361e064
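Review bot: Defaults are applied inconsistently: `BACKUP_PATH` falls back to `/mnt/nas-backups` and `MSPBackups` when the config omits them, but `mkdir -p "${MOUNT_POINT}"`, `mountpoint -q`, the `mount -t cifs` target and the fstab `grep -q` all use the raw variable, so with `MOUNT_POINT` unset the run stops at `mkdir -p ""` and, past that point, would append an fstab line with an empty mount point. Normalise once after the config is loaded, `MOUNT_POINT="${MOUNT_POINT:-/mnt/nas-backups}"` and `BACKUP_SUBDIR="${BACKUP_SUBDIR:-MSPBackups}"`, and build `BACKUP_PATH` from those. `apt-get install -y cifs-utils 2>/dev/null | tail -1` also hides a failed install, since under `set -e` without `pipefail` only tail's status counts, so the later `mount -t cifs` fails with a less useful error; drop the pipe or add `set -o pipefail`. The `2>&1` on `addAccount` and `addBackupPlan` only merges streams, so on a re-run with the account already registered the script presumably aborts at `addAccount` before the plan is touched (I cannot confirm cbbCommandLine's exit status for a duplicate from the hunk); if re-runs are expected, check for the account first.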
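Review bot: The NFS entries in jellyfin.fstab and mediastack.fstab mount media exports with bare `defaults`, which keeps `suid`, `dev` and `exec` enabled on a share that only needs to serve media files; `nosuid,nodev,noexec,_netdev`, e.g. `10.48.200.35:/media/movies /mnt/mediastack/movies nfs nosuid,nodev,noexec,_netdev 0 0`, limits what a compromised MediaStack or NAS could plant on the clients. In mediastack.fstab the two `bind` entries depend on the `_netdev` NFS mount above them but carry no `_netdev` themselves; systemd orders a bind mount after its source path, so this presumably boots, but marking them `_netdev` as well keeps them out of local-fs.target and avoids a boot-time wait when the NAS is down — confirm on the host.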
--- /dev/null
+++ b/vm-configs/fstab/novacpx.fstab
@@ -0,0 +1,4 @@
+LABEL=cloudimg-rootfs / ext4 discard,commit=30,errors=remount-ro 0 1
+LABEL=BOOT /boot ext4 defaults 0 2
+LABEL=UEFI /boot/efi vfat umask=0077 0 1
+//10.48.200.249/Storage /mnt/nas-backups cifs credentials=/etc/nas-creds/msp360,uid=0,gid=0,file_mode=0700,dir_mode=0700,_netdev 0 0
diff --git a/vm-configs/fstab/npm.fstab b/vm-configs/fstab/npm.fstab
new file mode 100644
index 0000000..361e064
--- /dev/null
+++ b/vm-configs/fstab/npm.fstab
@@ -0,0 +1,4 @@
+LABEL=cloudimg-rootfs / ext4 discard,commit=30,errors=remount-ro 0 1
+LABEL=BOOT /boot ext4 defaults 0 2
+LABEL=UEFI /boot/efi vfat umask=0077 0 1
+//10.48.200.249/Storage /mnt/nas-backups cifs credentials=/etc/nas-creds/msp360,uid=0,gid=0,file_mode=0700,dir_mode=0700,_netdev 0 0
diff --git a/vm-configs/network-reference.md b/vm-configs/network-reference.md
new file mode 100644
index 0000000..ed84209
--- /dev/null
+++ b/vm-configs/network-reference.md
@@ -0,0 +1,66 @@
+# VM Network Reference
+Updated: 2026-06-30
+
+## Subnet: 10.48.200.0/24 (Internal LAN via FortiGate)
+
+| VM/CT | VMID | IP | Role | Host |
+|-----------------|------|-----------------|-------------------------------|-------|
+| PVE1 (baremetal)| — | 10.48.200.90 | Proxmox hypervisor | — |
+| PVE2 (baremetal)| — | 10.48.200.91 | Proxmox hypervisor (offline) | — |
+| NPM | 101 | 10.48.200.200 | Nginx Proxy Manager | PVE1 |
+| NovaCPX | 120 | 10.48.200.110 | web.orbishosting.com (Apache) | PVE1 |
+| JARVIS | 200 | 10.48.200.211 | Home automation / agent host | PVE1 |
+| Homebridge | 103 | 10.48.200.18 | Homebridge (SSH: myron only) | PVE1 |
+| Jellyfin | 104 | 10.48.200.33 | Jellyfin media server | PVE1 |
+| MediaStack | 105 | 10.48.200.35 | Sonarr/Radarr/Prowlarr/qBit | PVE1 |
+| WireGuard CT | 110 | 10.48.200.67 | VPN kill-switch for MediaStack| PVE1 |
+| Ollama | 106 | 10.48.200.210 | Ollama LLM server (offline) | PVE1 |
+| NetworkBackup | 302 | 10.48.200.99 | Network backup (offline) | PVE1 |
+| NAS (Synology) | — | 10.48.200.249 | File storage | — |
+
+## External Servers
+
+| Server | IP | Role |
+|--------------|-----------------|--------------------------|
+| FortiGate WAN| 97.154.207.5 | Internet gateway (Verizon)|
+| DO server | 165.22.1.228 | DigitalOcean VPS |
+| FusionPBX | 134.209.72.226 | VoIP server |
+
+## NAS Storage (10.48.200.249 — Synology)
+
+| Share | Protocol | Mount point (on client) | Used by |
+|--------------|----------|-----------------------------|-----------------|
+| /volume1/video| NFS | /mnt/nas/video | MediaStack |
+| /volume1/video/movies | NFS | /media/movies | MediaStack |
+| /volume1/video/tv | NFS | /media/tv | MediaStack |
+| /media/movies | NFS (re-export) | /mnt/mediastack/movies | Jellyfin |
+| /media/tv | NFS (re-export) | /mnt/mediastack/tv | Jellyfin |
+| Storage/MSPBackups | CIFS | /mnt/nas-backups | All VMs (MSP360)|
+| homes | CIFS | (unused) | — |
+
+NAS CIFS credentials: /etc/nas-creds/msp360 (username=nas) on each VM
+
+## WireGuard VPN Subnet: 10.200.0.0/24
+
+| Host | WG IP | Role |
+|----------------|-------------|-------------------------|
+| WireGuard CT | 10.200.0.1 | Gateway (NordVPN relay) |
+| Jellyfin | 10.200.0.3 | NFS client |
+| MediaStack | 10.200.0.4 | Kill-switch client |
+
+NordVPN exit node: 2.56.190.69 (Clouvider UK, AS62240)
+NordVPN WireGuard endpoint: 2.56.190.66:51820
+
+## NPM Proxy (10.48.200.200)
+Reverse proxies HTTPS from FortiGate WAN → internal services.
+All certs via Let's Encrypt. Admin panel: http://10.48.200.200:81
+
+## MediaStack Services
+
+| Service | Port | URL |
+|-------------|-------|-----------------------------------|
+| qBittorrent | 8080 | http://10.48.200.35:8080 |
+| Sonarr | 8989 | http://10.48.200.35:8989 |
+| Radarr | 7878 | http://10.48.200.35:7878 |
+| Prowlarr | 9696 | http://10.48.200.35:9696 |
+| Jellyfin | 8096 | http://10.48.200.33:8096 |
diff --git a/wireguard/mediastack-wg0.conf b/wireguard/mediastack-wg0.conf
new file mode 100644
index 0000000..3b489ca
--- /dev/null
+++ b/wireguard/mediastack-wg0.conf
@@ -0,0 +1,17 @@
+# MediaStack (10.48.200.35) WireGuard client config
+# Tunnels all internet traffic through WireGuard CT (10.48.200.67)
+# Kill-switch: iptables blocks any non-WireGuard internet traffic
+# File: /etc/wireguard/wg0.conf
+
+[Interface]
+PrivateKey = UAaoNldLsxWJerLJAjGlncrm41Ay9QMsK3O1XaTlxmg=
+Address = 10.200.0.4/24
+DNS = 10.48.200.90
+PostUp = iptables -I OUTPUT ! -o wg0 -m mark ! --mark 51820 -m addrtype ! --dst-type LOCAL -j REJECT; iptables -I OUTPUT -d 10.48.200.0/24 -j ACCEPT
+PostDown = iptables -D OUTPUT -d 10.48.200.0/24 -j ACCEPT; iptables -D OUTPUT ! -o wg0 -m mark ! --mark 51820 -m addrtype ! --dst-type LOCAL -j REJECT
+
+[Peer]
+PublicKey = Fqb1KLfHe1r3+Hwhem7YGZB2KikGYy/8pPsOIP4rn18=
+Endpoint = 10.48.200.67:51821
+AllowedIPs = 0.0.0.0/0
+PersistentKeepalive = 25
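Review bot: `PrivateKey` is committed in plaintext here and in mediastack-wg1.conf, wgct-nord0.conf and wgct-wg-clients.conf; once pushed these keys should be treated as disclosed and rotated, with the tracked copies keeping everything but the key and the real key living in a mode-600 file on the host, loaded by `PostUp = wg set %i private-key /etc/wireguard/wg0.key` (wg-quick hands the remaining `[Interface]` keys to `wg setconf`, which does not require a key up front — confirm on your version). The kill-switch in `PostUp` is IPv4-only: it installs an `iptables` REJECT but no `ip6tables` equivalent, so if MediaStack has any IPv6 connectivity that traffic leaves outside the tunnel; mirror the rule with `ip6tables -I OUTPUT ! -o wg0 -m mark ! --mark 51820 -m addrtype ! --dst-type LOCAL -j REJECT` or disable IPv6 on the host. `DNS = 10.48.200.90` (PVE1 per network-reference.md) also falls inside the LAN `ACCEPT` exception, so resolution bypasses the tunnel; that is fine if that resolver is meant to see these queries, but a comment stating it is intentional would help.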
diff --git a/wireguard/mediastack-wg1.conf b/wireguard/mediastack-wg1.conf
new file mode 100644
index 0000000..ba2ea53
--- /dev/null
+++ b/wireguard/mediastack-wg1.conf
@@ -0,0 +1,16 @@
+# MediaStack (10.48.200.35) WireGuard server config (for Jellyfin peer)
+# Serves as internal VPN hub for Jellyfin to reach MediaStack NFS exports
+# File: /etc/wireguard/wg1.conf
+
+[Interface]
+PrivateKey = UPTGveBLFZLGcimi80npmrEB3tOfE8GjQEl4aTPOWV0=
+Address = 10.200.0.1/24
+ListenPort = 51820
+PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i wg1 -o nordlynx -j ACCEPT; iptables -A FORWARD -i nordlynx -o wg1 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -o nordlynx -s 10.200.0.0/24 -j MASQUERADE
+PostDown = iptables -D FORWARD -i wg1 -o nordlynx -j ACCEPT; iptables -D FORWARD -i nordlynx -o wg1 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -o nordlynx -s 10.200.0.0/24 -j MASQUERADE
+
+[Peer]
+# Jellyfin
+PublicKey = T+mr/+Z+9F0FXG/8AxJClH7kgxvqFVeSouJQo2+D82M=
+AllowedIPs = 10.200.0.3/32
+PersistentKeepalive = 25
diff --git a/wireguard/wgct-nord0.conf b/wireguard/wgct-nord0.conf
new file mode 100644
index 0000000..8fc7e09
--- /dev/null
+++ b/wireguard/wgct-nord0.conf
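Review bot: `Address = 10.200.0.1/24` on MediaStack's wg1 collides with the `10.200.0.1/24` that wgct-wg-clients.conf gives the WireGuard CT and with MediaStack's own wg0 (`10.200.0.4/24`) on the same /24, so the host carries two connected routes for 10.200.0.0/24 and replies toward Jellyfin or the CT may leave by the wrong interface; give this hub its own prefix (e.g. `10.201.0.1/24` with Jellyfin at `10.201.0.3/32` — constructed values) and update network-reference.md, which lists Jellyfin as a client of the CT rather than of this interface. The `PostUp` rules forward wg1 traffic to a `nordlynx` interface and masquerade `10.200.0.0/24` out of it, yet mediastack-wg0.conf says MediaStack now sends its internet traffic through the WireGuard CT, so these rules look like a leftover of an earlier layout; if `nordlynx` no longer exists on MediaStack they are dead and should go, and if it does the header should say so. `-m state --state` still works but is the deprecated spelling of `-m conntrack --ctstate RELATED,ESTABLISHED`, a minor cleanup.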
@@ -0,0 +1,17 @@
+# WireGuard CT (LXC 110, 10.48.200.67) NordVPN tunnel config
+# Connects to NordVPN server at 2.56.190.66:51820 (Clouvider UK)
+# Policy routes 10.200.0.0/24 (MediaStack tunnel clients) through NordVPN
+# File: /etc/wireguard/nord0.conf
+
+[Interface]
+PrivateKey = Ebk+g1cMK14ured/u+QLvHPYxmoh9dCmeq65qbS/Aqg=
+Address = 10.5.0.2/32
+Table = off
+PostUp = sysctl -w net.ipv4.conf.all.rp_filter=0 || true; ip route add default dev nord0 table 201 || true; ip rule add from 10.200.0.0/24 lookup 201 prio 100 || true; iptables -t nat -A POSTROUTING -o nord0 -j MASQUERADE || true
+PostDown = ip route del default dev nord0 table 201 2>/dev/null; ip rule del from 10.200.0.0/24 lookup 201 2>/dev/null; iptables -t nat -D POSTROUTING -o nord0 -j MASQUERADE 2>/dev/null
+
+[Peer]
+PublicKey = 8pRFH/FfMBs3eBJCM2ABFoOs/13n78LYQvoovZVLdgI=
+Endpoint = 2.56.190.66:51820
+AllowedIPs = 0.0.0.0/0
+PersistentKeepalive = 25
diff --git a/wireguard/wgct-wg-clients.conf b/wireguard/wgct-wg-clients.conf
new file mode 100644
index 0000000..6572fd6
--- /dev/null
+++ b/wireguard/wgct-wg-clients.conf
@@ -0,0 +1,15 @@
+# WireGuard CT (LXC 110, 10.48.200.67) client-server config
+# Accepts connections from MediaStack and Jellyfin
+# File: /etc/wireguard/wg-clients.conf
+
+[Interface]
+Address = 10.200.0.1/24
+ListenPort = 51821
+PrivateKey = uMdYzpGScR4D8cIm7WNbTJ5KHZQGAIFUInMI+4MZjkU=
+PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; sysctl -w net.ipv4.ip_forward=1
+PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+[Peer]
+# MediaStack (10.48.200.35)
+PublicKey = CaG79S1fJeJDlYCMhHz8BrDfizBq+OiGnO5VzFIk3gE=
+AllowedIPs = 10.200.0.4/32
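Review bot: The policy routing in `PostUp` fails open: every command ends in `|| true` and `Table = off` leaves the main table untouched, so if `ip route add default dev nord0 table 201` or the `ip rule add` fails, lookups for 10.200.0.0/24 fall through to the main table and the `-o eth0 -j MASQUERADE` that wgct-wg-clients.conf installs sends MediaStack's traffic out of the CT's normal uplink, while MediaStack's own kill-switch only guarantees that the traffic reaches the CT. Add a hard stop on the CT so client traffic can only leave via nord0, `iptables -I FORWARD -i wg-clients ! -o nord0 -j REJECT` plus `ip route add unreachable default table 201 metric 1000` so an empty table blocks instead of falling through, and drop `|| true` from the route and rule commands so a failed setup makes `wg-quick up` fail loudly. `net.ipv4.conf.all.rp_filter=0` also relaxes reverse-path filtering on every interface of the CT; setting it for `nord0` (and `wg-clients` if needed) only keeps the rest of the filtering. The name `wg-clients` is inferred from that config's file name; adjust it if the interface is brought up under another name.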
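Review bot: The `[Peer]` list holds only MediaStack (10.200.0.4/32), while the header says `# Accepts connections from MediaStack and Jellyfin` and network-reference.md lists Jellyfin at 10.200.0.3 as a client of the CT, yet mediastack-wg1.conf peers Jellyfin with MediaStack instead; either a peer is missing here or the comment and reference table are stale, and all three should agree. The `POSTROUTING -o eth0 -j MASQUERADE` rule has no `-s 10.200.0.0/24` match and there is no `FORWARD` filter at all, so with `ip_forward=1` anything the CT forwards is NATed onto the LAN as the CT; narrowing it to `-s 10.200.0.0/24` and stating in a comment what the clients may reach besides nord0 makes the intended policy visible.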