From 1673a56439b52cf8095a47e8533a12223fb02acd Mon Sep 17 00:00:00 2001 From: Hermes Agent Date: Mon, 4 May 2026 22:49:06 +0000 Subject: [PATCH 01/14] feat: add WireGuard VPN stack - Add vpn stack to services.dockerStacks - Open UDP port 51820 for WireGuard protocol - Update compose submodule to include vpn stack --- assets/compose | 2 +- hosts/lazyworkhorse/configuration.nix | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/assets/compose b/assets/compose index a79fe9d..293429a 160000 --- a/assets/compose +++ b/assets/compose @@ -1 +1 @@ -Subproject commit a79fe9dffacebae6d4ee17502885e9cdfa852073 +Subproject commit 293429a124f72e75e4f29620bb3fb9ec201d03d3 diff --git a/hosts/lazyworkhorse/configuration.nix b/hosts/lazyworkhorse/configuration.nix index 3963650..a74ec09 100644 --- a/hosts/lazyworkhorse/configuration.nix +++ b/hosts/lazyworkhorse/configuration.nix @@ -221,6 +221,11 @@ path = self + "/assets/compose/homepage"; }; + vpn = { + path = self + "/assets/compose/vpn"; + envFile = config.age.secrets.containers_env.path; + }; + # tak = { # path = self + "/assets/compose/tak"; # }; @@ -332,7 +337,7 @@ ]; allowedUDPPorts = [ - # Add UDP ports if required + 51820 # WireGuard VPN ]; # Rate limiting and attack prevention From 48245518a174d4b6c33de0afb1ff9d4a00a5022a Mon Sep 17 00:00:00 2001 From: Hermes Agent Date: Tue, 5 May 2026 01:17:14 +0000 Subject: [PATCH 02/14] fix: load iptables kernel modules for WireGuard NAT wg-easy needs iptable_nat and iptable_filter to set up masquerading for VPN traffic. These modules must be loaded at boot for the container to access iptables. --- hosts/lazyworkhorse/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/lazyworkhorse/configuration.nix b/hosts/lazyworkhorse/configuration.nix index a74ec09..7fdf7ba 100644 --- a/hosts/lazyworkhorse/configuration.nix +++ b/hosts/lazyworkhorse/configuration.nix 
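Review bot: The new `vpn` stack takes its environment from `config.age.secrets.containers_env.path`, and patch 13 ("Added wireguard pass") apparently adds the WireGuard server credential to that same `containers.env.age`; if other entries in `services.dockerStacks` also point at `containers_env`, the credential becomes readable inside every one of those containers rather than only the VPN one. A dedicated secret for this stack, e.g. `envFile = config.age.secrets.vpn_env.path;` (constructed name), keeps a compromise of an unrelated container from exposing it. Only the `homepage` entry is visible above the hunk and it carries no `envFile`, so whether the file is shared is inferred from its name, not shown here.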
@@ -36,7 +36,7 @@ "transparent_hugepage=always" # because mucho ram ]; # 2. Load the specific drivers found by sensors-detect - boot.kernelModules = [ "nct6775" "lm96163" ]; + boot.kernelModules = [ "nct6775" "lm96163" "iptable_nat" "iptable_filter" ]; # 3. Force the nct6775 driver to recognize the chip if it's stubborn boot.extraModprobeConfig = '' options nct6775 force_id=0xd280 From 7d0b72a51380939b780c2e54cd4ed14fcd9bc1ac Mon Sep 17 00:00:00 2001 From: Hermes Agent Date: Tue, 5 May 2026 01:18:13 +0000 Subject: [PATCH 03/14] chore: update compose submodule to linuxserver/wireguard --- assets/compose | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/compose b/assets/compose index 293429a..4a57ca6 160000 --- a/assets/compose +++ b/assets/compose @@ -1 +1 @@ -Subproject commit 293429a124f72e75e4f29620bb3fb9ec201d03d3 +Subproject commit 4a57ca69b2683a3f32274a3fc98d48eb33723104 From 92bcf1cc041ef955b8c087dac3dbb64518f37424 Mon Sep 17 00:00:00 2001 From: Hermes Agent Date: Tue, 5 May 2026 01:21:19 +0000 Subject: [PATCH 04/14] chore: update compose submodule to wireguard-vpn --- assets/compose | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/compose b/assets/compose index 4a57ca6..a0484e9 160000 --- a/assets/compose +++ b/assets/compose @@ -1 +1 @@ -Subproject commit 4a57ca69b2683a3f32274a3fc98d48eb33723104 +Subproject commit a0484e9df99f7f72907c5a00e41d8c9425a5f1b6 From a42b2ff65de5f7d5dc00742994da66cec964b3ee Mon Sep 17 00:00:00 2001 From: Hermes Agent Date: Tue, 5 May 2026 01:21:34 +0000 Subject: [PATCH 05/14] chore: update compose submodule to wireguard-vpn (fix ref) --- assets/compose | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/compose b/assets/compose index a0484e9..eea6db3 160000 --- a/assets/compose +++ b/assets/compose @@ -1 +1 @@ -Subproject commit a0484e9df99f7f72907c5a00e41d8c9425a5f1b6 +Subproject commit eea6db3ceba56424e57b2b32f2c2e7268dd88e45 
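Review bot: The comment directly above the changed line, `# 2. Load the specific drivers found by sensors-detect`, no longer describes the list once `iptable_nat` and `iptable_filter` are appended to it; those are netfilter modules for the container's masquerading, not sensor drivers, and the reason given in the commit body will not be visible to the next reader of the file. Split them onto their own documented line, e.g. `boot.kernelModules = [ "nct6775" "lm96163" ] ++ [ "iptable_nat" "iptable_filter" ]; # legacy iptables tables for the VPN container's NAT`. Worth confirming that the container image really drives legacy iptables; if it uses nf_tables these modules load but are not the ones it needs.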
From e0068260cb58c1bef110039a5c63e55567cf6182 Mon Sep 17 00:00:00 2001 From: Hermes Agent Date: Tue, 5 May 2026 01:43:42 +0000 Subject: [PATCH 06/14] chore: move Hermes Dockerfile to compose repo, add WireGuard tools - Move Dockerfile.full from infra/docker/hermes to compose/ai/Dockerfile - Add wireguard-tools and openresolv to Hermes image - Remove stray docker/hermes directory from infra --- assets/compose | 2 +- docker/hermes/Dockerfile.full | 71 ----------------------------------- 2 files changed, 1 insertion(+), 72 deletions(-) delete mode 100644 docker/hermes/Dockerfile.full diff --git a/assets/compose b/assets/compose index eea6db3..b021d0d 160000 --- a/assets/compose +++ b/assets/compose @@ -1 +1 @@ -Subproject commit eea6db3ceba56424e57b2b32f2c2e7268dd88e45 +Subproject commit b021d0dba7136ad30809f78b37fcb9cf1859809a diff --git a/docker/hermes/Dockerfile.full b/docker/hermes/Dockerfile.full deleted file mode 100644 index 1edd524..0000000 --- a/docker/hermes/Dockerfile.full +++ /dev/null 
@@ -1,71 +0,0 @@ -FROM ghcr.io/astral-sh/uv:0.11.6-python3.13-trixie@sha256:b3c543b6c4f23a5f2df22866bd7857e5d304b67a564f4feab6ac22044dde719b AS uv_source -FROM tianon/gosu:1.19-trixie@sha256:3b176695959c71e123eb390d427efc665eeb561b1540e82679c15e992006b8b9 AS gosu_source -FROM debian:13.4 - -# Disable Python stdout buffering to ensure logs are printed immediately -ENV PYTHONUNBUFFERED=1 - -# Store Playwright browsers outside the volume mount so the build-time -# install survives the /opt/data volume overlay at runtime. -ENV PLAYWRIGHT_BROWSERS_PATH=/opt/hermes/.playwright - -# Install system dependencies in one layer, clear APT cache -# tini reaps orphaned zombie processes (MCP stdio subprocesses, git, bun, etc.) -# that would otherwise accumulate when hermes runs as PID 1. See #15012. -RUN apt-get update && \ - apt-get install -y --no-install-recommends \ - build-essential nodejs npm python3 ripgrep ffmpeg gcc python3-dev libffi-dev procps git openssh-client docker-cli tini \ - curl poppler-utils imagemagick \ - chromium xvfb fonts-noto-color-emoji fonts-unifont fonts-liberation fonts-ipafont-gothic fonts-wqy-zenhei fonts-tlwg-loma-otf fonts-freefont-ttf \ - libasound2t64 libatk-bridge2.0-0t64 libatk1.0-0t64 libatspi2.0-0t64 libcairo2 libcups2t64 libdbus-1-3 libdrm2 libgbm1 libglib2.0-0t64 libnspr4 libnss3 libpango-1.0-0 libx11-6 libxcb1 libxcomposite1 libxdamage1 libxext6 libxfixes3 libxkbcommon0 libxrandr2 \ - texlive-latex-base texlive-latex-extra texlive-fonts-recommended texlive-xetex texlive-science \ - qemu-user-static binfmt-support qemu-user-binfmt \ - emacs-nox \ - libportaudio2 && \ - rm -rf /var/lib/apt/lists/* - -# Non-root user for runtime; UID can be overridden via HERMES_UID at runtime -RUN useradd -u 10000 -m -d /opt/data hermes - -COPY --chmod=0755 --from=gosu_source /gosu /usr/local/bin/ -COPY --chmod=0755 --from=uv_source /usr/local/bin/uv /usr/local/bin/uvx /usr/local/bin/ - -WORKDIR /opt/hermes - -# ---------- Layer-cached dependency install 
---------- -# Copy only package manifests first so npm install + Playwright are cached -# unless the lockfiles themselves change. -COPY package.json package-lock.json ./ -COPY web/package.json web/package-lock.json web/ - -RUN npm install --prefer-offline --no-audit && \ - npx playwright install --with-deps chromium --only-shell && \ - (cd web && npm install --prefer-offline --no-audit) && \ - npm cache clean --force - -# ---------- Source code ---------- -# .dockerignore excludes node_modules, so the installs above survive. -COPY --chown=hermes:hermes . . - -# Build web dashboard (Vite outputs to hermes_cli/web_dist/) -RUN cd web && npm run build - -# ---------- Permissions ---------- -# Make install dir world-readable so any HERMES_UID can read it at runtime. -# The venv needs to be traversable too. -USER root -RUN chmod -R a+rX /opt/hermes -# Start as root so the entrypoint can usermod/groupmod + gosu. -# If HERMES_UID is unset, the entrypoint drops to the default hermes user (10000). - -# ---------- Python virtualenv ---------- -RUN uv venv && \ - uv pip install --no-cache-dir -e ".[all]" && \ - uv pip install --no-cache-dir sounddevice numpy faster-whisper - -# ---------- Runtime ---------- -ENV HERMES_WEB_DIST=/opt/hermes/hermes_cli/web_dist -ENV HERMES_HOME=/opt/data -ENV PATH="/opt/data/.local/bin:${PATH}" -VOLUME [ "/opt/data" ] -ENTRYPOINT [ "/usr/bin/tini", "-g", "--", "/opt/hermes/docker/entrypoint.sh" ] From b9289a149dabdaf616cdc1a1036d6e66be3df8e2 Mon Sep 17 00:00:00 2001 From: Hermes Agent Date: Tue, 5 May 2026 01:48:24 +0000 Subject: [PATCH 07/14] chore: update compose submodule for Hermes NET_ADMIN + WireGuard Dockerfile --- assets/compose | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/compose b/assets/compose index b021d0d..acf45ac 160000 --- a/assets/compose +++ b/assets/compose @@ -1 +1 @@ -Subproject commit b021d0dba7136ad30809f78b37fcb9cf1859809a +Subproject commit acf45acdd961a99c7b3edc3134009e5c1f9d9407 
From cf279c4fb0abc42af9d3f2ed9d22a437e12a415b Mon Sep 17 00:00:00 2001 From: Hermes Agent Date: Tue, 5 May 2026 02:11:41 +0000 Subject: [PATCH 08/14] feat: add host-level WireGuard client via networking.wireguard - Add wg0 interface config with agenix-managed secrets - Revert compose submodule to remove NET_ADMIN from Hermes - WireGuard runs at host level, all containers inherit the tunnel --- assets/compose | 2 +- hosts/lazyworkhorse/configuration.nix | 35 +++++++++++++++++++++++++++ 2 files changed, 36 insertions(+), 1 deletion(-) diff --git a/assets/compose b/assets/compose index acf45ac..bc49391 160000 --- a/assets/compose +++ b/assets/compose @@ -1 +1 @@ -Subproject commit acf45acdd961a99c7b3edc3134009e5c1f9d9407 +Subproject commit bc49391b4f67f1db5d9bfcd35a299367210da330 diff --git a/hosts/lazyworkhorse/configuration.nix b/hosts/lazyworkhorse/configuration.nix index 7fdf7ba..69e113e 100644 --- a/hosts/lazyworkhorse/configuration.nix +++ b/hosts/lazyworkhorse/configuration.nix @@ -49,6 +49,27 @@ networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. networking.hostId = "deadbeef"; + # WireGuard VPN client -- always up, connects to wg-easy server + # Before deploying, create age-encrypted secrets: + # echo -n "IOWDh8tH19DGphAkEr46zN0pRl61tmbAynrMkaFo30M=" | agenix -e secrets/wireguard_private_key.age + # echo -n "TIE9hcyOESofAiyJ1Md4CcPruTRXG63rItV9rmV3UDk=" | agenix -e secrets/wireguard_preshared_key.age + networking.wireguard.interfaces = { + wg0 = { + ips = [ "10.8.0.3/24" ]; + privateKeyFile = config.age.secrets.wireguard_private_key.path; + peers = [ + { + publicKey = "rY9zII3AOm8rog2rv02PyA3Bq7zdvTOGkZapfCV1DkE="; + presharedKeyFile = config.age.secrets.wireguard_preshared_key.path; + allowedIPs = [ "0.0.0.0/0" "::/0" ]; + endpoint = "vpn.lazyworkhorse.net:51820"; + persistentKeepalive = 25; + } + ]; + dns = [ "1.1.1.1" "8.8.8.8" ]; + }; + }; + # Set your time zone. time.timeZone = "America/Montreal"; 
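Review bot: The added comment block embeds the WireGuard private key and preshared key as literal base64 values in `configuration.nix` (the two `echo -n "…" | agenix -e …` lines); patch 09 deletes the text from the file, but both values remain in the repository history from this commit onward and must be treated as compromised: generate a new keypair and PSK, update the peer entry on the wg-easy server, and re-encrypt the `.age` secrets. The `privateKeyFile`/`presharedKeyFile` references to `config.age.secrets.*` below are the correct pattern; the leak is confined to the comment. A `# TODO: rotate — earlier revision of this comment held the live keys` marker on the comment would stop a future reader from assuming the redaction in patch 09 was sufficient.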
@@ -269,6 +290,20 @@ mode = "0440"; path = "/run/secrets/openclaw_gateway_token"; }; + wireguard_private_key = { + file = ../../secrets/wireguard_private_key.age; + owner = "root"; + group = "root"; + mode = "0400"; + path = "/run/secrets/wireguard_private_key"; + }; + wireguard_preshared_key = { + file = ../../secrets/wireguard_preshared_key.age; + owner = "root"; + group = "root"; + mode = "0400"; + path = "/run/secrets/wireguard_preshared_key"; + }; }; }; From 94a7c7195a02de26315ed5bd59e0d0e8b85dbab7 Mon Sep 17 00:00:00 2001 From: Hermes Agent Date: Tue, 5 May 2026 02:12:55 +0000 Subject: [PATCH 09/14] fix: remove exposed keys from comments --- hosts/lazyworkhorse/configuration.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts/lazyworkhorse/configuration.nix b/hosts/lazyworkhorse/configuration.nix index 69e113e..953c64e 100644 --- a/hosts/lazyworkhorse/configuration.nix +++ b/hosts/lazyworkhorse/configuration.nix @@ -50,9 +50,9 @@ networking.hostId = "deadbeef"; # WireGuard VPN client -- always up, connects to wg-easy server - # Before deploying, create age-encrypted secrets: - # echo -n "IOWDh8tH19DGphAkEr46zN0pRl61tmbAynrMkaFo30M=" | agenix -e secrets/wireguard_private_key.age - # echo -n "TIE9hcyOESofAiyJ1Md4CcPruTRXG63rItV9rmV3UDk=" | agenix -e secrets/wireguard_preshared_key.age + # Create age-encrypted secrets before deploying (run on the host): + # echo -n "" | agenix -e secrets/wireguard_private_key.age + # echo -n "" | agenix -e secrets/wireguard_preshared_key.age networking.wireguard.interfaces = { wg0 = { ips = [ "10.8.0.3/24" ]; From 5c481d664ab1a8dcba257ad73254a5edd66092a1 Mon Sep 17 00:00:00 2001 From: Hermes Agent Date: Tue, 5 May 2026 02:41:29 +0000 Subject: [PATCH 10/14] fix: split tunnel on host VPN - only route 10.8.0.0/24 --- hosts/lazyworkhorse/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
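Review bot: The replacement template `echo -n "" | agenix -e secrets/wireguard_private_key.age` encrypts an empty string if followed literally, so `wg0` would be configured with an unusable key; the preshared-key line has the same problem. Generate the material without ever placing it on a command line or in this file: `wg genkey | agenix -e secrets/wireguard_private_key.age` and `wg genpsk | agenix -e secrets/wireguard_preshared_key.age`, which also keeps the key out of shell history. The surrounding `networking.wireguard.interfaces` block begins and ends outside the hunk.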
diff --git a/hosts/lazyworkhorse/configuration.nix b/hosts/lazyworkhorse/configuration.nix index 953c64e..2f13320 100644 --- a/hosts/lazyworkhorse/configuration.nix +++ b/hosts/lazyworkhorse/configuration.nix @@ -61,7 +61,7 @@ { publicKey = "rY9zII3AOm8rog2rv02PyA3Bq7zdvTOGkZapfCV1DkE="; presharedKeyFile = config.age.secrets.wireguard_preshared_key.path; - allowedIPs = [ "0.0.0.0/0" "::/0" ]; + allowedIPs = [ "10.8.0.0/24" ]; endpoint = "vpn.lazyworkhorse.net:51820"; persistentKeepalive = 25; } From 9ae0f6ad6241d075072a1fc46d84668777fe6194 Mon Sep 17 00:00:00 2001 From: Robert Date: Mon, 4 May 2026 23:20:03 -0400 Subject: [PATCH 11/14] Submodule update --- assets/compose | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/compose b/assets/compose index 293429a..434b283 160000 --- a/assets/compose +++ b/assets/compose @@ -1 +1 @@ -Subproject commit 293429a124f72e75e4f29620bb3fb9ec201d03d3 +Subproject commit 434b2835ff03f3607e12f821e923e133b01dc6cd From 59357479023ea40fbf0cd0374c244581a9a2cf00 Mon Sep 17 00:00:00 2001 From: Robert Date: Mon, 4 May 2026 23:20:57 -0400 Subject: [PATCH 12/14] Security fixes --- hosts/lazyworkhorse/configuration.nix | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/hosts/lazyworkhorse/configuration.nix b/hosts/lazyworkhorse/configuration.nix index a74ec09..13a6ad2 100644 --- a/hosts/lazyworkhorse/configuration.nix +++ b/hosts/lazyworkhorse/configuration.nix 
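Review bot: The narrowed `allowedIPs = [ "10.8.0.0/24" ];` is not explained in the file: the header comment above this peer (outside the hunk) still only says the client is "always up", and nothing states that just the VPN subnet is routed through `wg0` while all other host and container traffic keeps the default route. Add a why-comment on the changed line, e.g. `allowedIPs = [ "10.8.0.0/24" ]; # split tunnel: only the VPN subnet via wg0, default route untouched`. The description of commit 08 ("all containers inherit the tunnel") no longer holds after this change, which whoever relies on that behaviour should know. The peer attribute set and the enclosing `peers` list start outside the hunk.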
@@ -342,9 +342,12 @@ # Rate limiting and attack prevention extraCommands = '' - # Rate limit SSH connections (max 4 new connections per 60 seconds) + # 1. Wipe the INPUT chain clean at the start of every activation + iptables -F INPUT + + # Rate limit SSH connections (max 20 new connections per 60 seconds) iptables -A INPUT -p tcp --dport 2424 -m state --state NEW -m recent --set - iptables -A INPUT -p tcp --dport 2424 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP + iptables -A INPUT -p tcp --dport 2424 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP # Rate limit HTTP/HTTPS (protects Traefik) iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 25/minute --limit-burst 100 -j ACCEPT @@ -355,6 +358,10 @@ # Log dropped packets (rate limited) iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4 + + # 3. CRITICAL: Re-link the NixOS default firewall chain + # Without this line, the 'allowedTCPPorts' in your Nix config will be ignored! + iptables -A INPUT -j nixos-fw ''; }; @@ -433,7 +440,7 @@ services.openssh.settings = { PermitRootLogin = "no"; MaxAuthTries = 3; - MaxSessions = 5; + MaxSessions = 10; LoginGraceTime = 30; ClientAliveInterval = 300; ClientAliveCountMax = 2; From 030125ab0100bd08ac73f23af082888df5da3c91 Mon Sep 17 00:00:00 2001 From: Robert Date: Mon, 4 May 2026 23:21:36 -0400 Subject: [PATCH 13/14] Added wireguard pass --- secrets/containers.env.age | 66 ++++++++++++++++++++------------------ 1 file changed, 34 insertions(+), 32 deletions(-) diff --git a/secrets/containers.env.age b/secrets/containers.env.age index 2466978..90b91ed 100644 --- a/secrets/containers.env.age +++ b/secrets/containers.env.age 
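Review bot: `iptables -F INPUT` at the top of `extraCommands` empties the entire IPv4 INPUT chain, not just the rules this snippet appended on a previous activation — it also removes the `nixos-fw` jump that NixOS's firewall module installs (presumably why the re-link at the end of the block was added) and any INPUT rules other units have inserted, while the IPv6 chain is left untouched so the two stacks diverge after a reload. If the motivation is rules accumulating across `nixos-rebuild switch`, a dedicated chain that is created once and flushed on every run is less destructive: the rate-limit rules move into it, `INPUT` only gets a single idempotent jump, and `nixos-fw` stays where NixOS put it. That rewrite is several lines and is sketched below; the closing `'';` and the LOG rule belong to the following hunk. Whether `extraStopCommands` already undoes these rules is not visible here.
```nix
    extraCommands = ''
      # Own chain: reloads flush only these rules, never the INPUT chain itself
      iptables -N ratelimit 2>/dev/null || true
      iptables -F ratelimit
      iptables -C INPUT -j ratelimit 2>/dev/null || iptables -I INPUT -j ratelimit

      # Rate limit SSH connections (max 20 new connections per 60 seconds)
      iptables -A ratelimit -p tcp --dport 2424 -m state --state NEW -m recent --set
      iptables -A ratelimit -p tcp --dport 2424 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP
      # … unchanged: HTTP/HTTPS limit rules, with INPUT replaced by ratelimit …
```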
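Review bot: The `iptables -A INPUT -j nixos-fw` re-link and its `# 3. CRITICAL` comment should be checked against the NixOS iptables firewall script: as far as I recall it deletes the old `INPUT -j nixos-fw` jump before running `extraCommands` and appends a fresh one right afterwards, in which case this line produces a duplicate jump and the claim that `allowedTCPPorts` would otherwise be ignored is not accurate — verify with `iptables -S INPUT` after a switch before keeping the comment. Independently, the rule above it, `iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-Dropped: "`, has no match besides the limit and sits before any terminating jump, so it logs a sample of every packet that reaches it, accepted or not; the `Dropped` prefix and the `# Log dropped packets` comment are misleading, and the NixOS refuse chain already does its own logging. The step numbering also goes from `# 1.` to `# 3.` with no step 2.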
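Review bot: `MaxSessions = 10;` here and the `--hitcount 4` → `--hitcount 20` change in the first hunk both loosen limits in a commit titled "Security fixes", and neither carries a comment saying why the previous values were too tight. Record the operational reason on the line, e.g. `MaxSessions = 10; # deploy tooling multiplexes several sessions over one connection` (with the actual reason), so a later hardening pass does not revert it blindly. The enclosing `services.openssh.settings` block continues outside the hunk.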
@@ -1,34 +1,36 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSBOL29w -eGk1N2xxTHJtaUEvWWZmbkh1bk11Tjk3anNnMDB1cCtPYUMzdTNJCkdhQ08vblNG -UlV1K2xVTGZVTzFWYXAzcjZaMWs0RTFWdStKSmlSTURvK1EKLT4gLC1zKU8zVkgt -Z3JlYXNlIFUiXFcpS302IHByVn5jOy0gRDMKQjV3SHpDWUIybGFyQUg3ZlR0R2hV -eWM3SFlCVW5mdlpBVUF3a0xpNlZCeGNUd1oxTTlkc1RkTXdZS0lFTmN3Ci0tLSA3 -VlBqM1VLWllZc0JnOTMvUFRjMU13OTdzMmhsdGJubkk5eGpERVVLYUk4Cnzh5UbU -FlgqpM8jkJ6XlsaIDCw/G3D6uJ/GRJW4gIekuhAUxpZJrc8eOA8ZuHfGrBbH3acV -tVafX5F0Kr2oOblqZ6gduZOUS52KmWH8stiBJM+e5ZZ7zRQVE4PJUKUPCzi+WdcH -zr295T//FOdicrYHdsjfziKEHzBtUCFiATW05+O2zMjYjO6cPzePcCzPWinwiID6 -V+f6ngfkkQaj3wBGkzaieQJzRcdSwky21aVhGCCX/bvqx61iW2d5QAKxGbtQ2RcG -X1okr+xunAM94nzDMv46vyN97KxY7cZd4pAaOxoICc2Tfhtw6F+iS6QkQh1odJzO -7ZH+sSQCvndG+8z9shXGiHalASF5tdguM+JlEvAGljcaiAUtsQWxr9CoWiEkC6c6 -NCaECSYO8Il+SXBQnSZSGJSNDhuPYCYrsjXGSAONFixuyeslAkq9x2WUaUS4H063 -1QvRF7XO2tBPtgCLsSjdiGp0h+ImUaGdu6fDR7zrDsGsaAFCSFeH/rGNNXRQ2vP2 -CSfPfDDCqpUSCn0WuA30BtaPLxGmZT6OjFevKzYMNDmdeq9ia/q8K0hmjLUBdN3k -tdYWbwoaf4gYbUWxSleD768b0Jgxss9Vod+sFQ+NYRksdGIeyND+aQIc312XehfA -qHFBS8nlj7eUF5bdvCYQ64z741mH4cNlGxyjPBH1x8FHnEOocJXYt1l2AZSRJmJA -c3z0QGXyuCbsrLBXWK1EKa/Juo4PGGsEVoLRhwJAQy9+i1JN0yrfRvSPyzvD4px6 -wRPzlZ80MQdb2lv84WS/zcOEZmZzlLntszTRRdIfAsuaavP2Rquh4rEXABYeTZwp -5dem79s8bdW2nFsGMNz1OQKQwocyjYu1jJMHu6Gp7Ngdl1xyW7xfg0dezE1c0cIh -xt1aLER9YJp4n5to5cOH16l3mjDHnAvABx38xE9loNL3399J/evw7LxpTYQ4v2Xv -x8xnDHcqJ+deFSwyuUnMS5DkUeYuHmUl0Q2WYcfY+ibCmcgCb2ObTtuN1/ZxNYrL -OKrnmfuSvBgyuIOj5e6uWW0+Zs8dHKXu2TgV8WignxOhl5zQgCpCBlqVfO0t+NCu -Gi26hU/fhGWQ/1oQa3VkpGsypZbJpgQvfWxfcGHP/MMhnl01zzlP8/aexSY3pAxf -fz9v0IVh6xxtu3zbiiVzUsXbfG7t+xY98jMphf4AS2mWva3GWVmhhu0lS3J3P+go -YEEP4rOFHeU0Y1/6kLydTXvz4jMH0H92XQIzshd7vzQnEJPUPAzqRmw3LKYGgCI+ -wZEnxJ6ckqTkGBFnxTpy9LLllwmnz2Ky87nY3XAmqxlhb2Ap1XFAlfgszmGjc+Il -KkIgoWQHTUm6QM9ta++oUTIDneOvxGd0zZsqoEhiC/7E01BNNZ6E58TeJU3fDlA3 -mX6n05XjwPRpgXZfayPoAgBlZc2H4KeiynxwNZ/dWu7qz7L6Ppk6Nvtly8giTbFx 
-CA+tto7vq+D+CAEJ4bgyq4BCH4GL4APrhPcWp98Mko1WCiRTIKgkZxQCYvlg/LZq -LNhMacP9T1qTvNC+yR1NEMiegE3APzk6CkDpVaO9+5f/sqifNPINCMothenI9ePw -zjQLI3Mo1m73bkomytUZ7i1VstP5sEZ5LF72Sq7BpR3oQ3Gp0CAN9w== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSBWNEpt +cGFNeVBBaDRqb3pLSEZGQW0wb3VmVnBoZCswUFkzbnBLUnJ0QTNrClRqVkk4RUVO +d29KYjd5YUcwankvaTFmVHUxQVpDT2ZYWHRaY3JXTUtQMU0KLT4gKXBtQ3UsXi1n +cmVhc2UgNnwxYCBXVyA/KCQmIHt9NAo3OTZVUHR2UXkvaEFwY0ZBdEJsaFpsbHJ0 +cklKcDVHcEdWMEdPSkpnN0FiRU43RW5hUWFMdjR3WFRRSFBLSGlmClM3cTNJWlNM +TExkdHdXUHJISkNIaE1TTUxUc1NUWkV1a09HeFU3bVZwQXMKLS0tIGhOcXFTUElS +azJJNnEreUhMWTJBaVZGSTJPRUFqQkVYS01KRENUVVpZSDgK8+8onFejroBo7MeO +dW+so4lOsq4zJKn3f0cxmCFg1f0X8zt6h4Uc3A5Cvr1uU+6yw1FWmJ7xa3jJz3lO +EEaKQJXYC+xIIKGcA7qILa0SFp4a/4OuYjcg27HrlPhg7u5wDhQrd0LdVEe1Xngp +ZivX7P7HwIna3X8C+TL+K2v/AG2N/z86cdKfRvxyMKNbHhYw+CfHEnWgh8tJ++4h +G9evNniuNqte6cQaRe7jODfPNW4FuY/Sb7barlJ/M9iAQdYAdyLAzU1LABeHeUfD +wtHjxy9DUZ55Vg8bB8M2JJU9MkoRT4ewiVd9LeC1GWeVmKsm93wsmrov714i7U2j +wHtDkjqEF2MmzuQc18sjNaAHiwz8j6o5xU2L/Q4+Q707yISWG7RGZYh389Cr1rnw +siUq/Vunqw2wk13+J/4vu9nqt5mMktBaCtp+QiWIurjwB5LUAyChrSm+dg5lb0Mt +UhSc0lq1+E3vxAXM2Hmk+vP86VD+6WJvAU82VFApF1s6zG2FU1/AcOVVf54nan/q +f+rgSFfASHQCYSblUJHyEtwLNsWEmTGmOEn1buUKD/H0zatPQnc0rYpjlx2V0Sjd +6yB5+wPrZ0AkN1pjcsPKOv8Kaog2DzqIjib+SaSTaRxWHQEb9uzvaReAcYI5HOpE +gkC040HN33BItATbo4+hz70Im8Ni/VXD+g6yzM6Hj1hJL+PinTKeg5keQRFIZjMx +grzievB2wVBBgLgN3qMdTFmpplaL7iL702JjXZUTTK9Izp+9wiCsV1fTa53FWDht +ylFL5SWElqXjK+QBXxAe+Jk6VQov5HI21YDXL67S554ABeRok23wxrQ31TCI4xq9 +PQV7VtNRjyVud7S29m3OwpWOsgTZhn+JclHj2v4bNJzJkJnZRTmcvGPktzRI5+R4 +e5vxVhGnJDzI71txaHl8+xS1lu9VzCQUrxX6TXyTRV4KjIOz0g06JOBgmBRBvJca +7MZbC65xpisl/gyLRbgkVga3t94dPV+dpZsn8eq6427IyRbKslJefatggR9//c6I +5N5fl0fR3gJQMB+HRbipBH2YsdbdWJyb4Nn6STZxIfrqoG/xC6C1raF0xK7hUx6i +4DUDSPohM8fOIswQPfE+FH3eygfzu/Ln5+ghsgHTEhgFvmgMvyxaAt6kHIzIUhMX +M3dASr4VPDpIXuXsRWwYLEifhzxsuvwVxfwtsnCaR6XKijsYECWGDdYOWHdleeqx +wDPhxEesfFVhKxhrKY9Ir8k9/FFBKQU/3GjW4+SMAg5Al1YEzxshP9vKuVcsei7W 
+JDwAwotNXaCm6NBckiyZJE53ou6+gckPY7V9cOfnuH74Z9ywkFzB3HW3ZlonaGyM +oGmLGcccavFtyhg5s/As4i6X8ARIpDiwe59Pn3GNXMctySqIrrr2ogUoXgrfFCie +6GOTdeMW7GeOSdJUxCofghlspS/nq01Og77VI/beWYrIwLubSka6Zaltww9zgObk +/FGEMgFkEpq7iyCvYSPA8F46pJKvnMP3S84AWCPmcTcHeg4lwGPvs6btexXBGdoz +nkCyq7wdH5Nngm7jUbl88LtaLZPAQkuqXphBVTnrF9Ofbnb4iRZ2Op4xpx9rGyvx +mO6UEhL6V1i2YZFNkNMg/W8aoMiUgBdqbkxaxblT9L0aNdlFU9+LbWYolURVEadd +Qjv0Z1gMA+tsuBbVszwsMfneZ5+B9Q== -----END AGE ENCRYPTED FILE----- From c53460c40000499c485fe9410658cd8993be2a6e Mon Sep 17 00:00:00 2001 From: Hermes Agent Date: Tue, 5 May 2026 03:26:17 +0000 Subject: [PATCH 14/14] fix: remove dns option from wireguard config (not a valid nixos option) --- hosts/lazyworkhorse/configuration.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/hosts/lazyworkhorse/configuration.nix b/hosts/lazyworkhorse/configuration.nix index 0b2799d..83b8db1 100644 --- a/hosts/lazyworkhorse/configuration.nix +++ b/hosts/lazyworkhorse/configuration.nix @@ -66,7 +66,6 @@ persistentKeepalive = 25; } ]; - dns = [ "1.1.1.1" "8.8.8.8" ]; }; };