From e98fdb89ab660fc7f6a7e4ee1ff26a8021f05cda Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>
Date: Fri, 19 Sep 2025 13:20:54 +0200
Subject: [PATCH] Restrict fox peer to a single IP
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reviewed-by: Aleix Boné <abonerib@bsc.es>
---
 m/apex/wireguard.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/m/apex/wireguard.nix b/m/apex/wireguard.nix
index 607564f..0a6ac5f 100644
--- a/m/apex/wireguard.nix
+++ b/m/apex/wireguard.nix
@@ -20,7 +20,7 @@
         {
           name = "fox";
           publicKey = "VfMPBQLQTKeyXJSwv8wBhc6OV0j2qAxUpX3kLHunK2Y=";
-          allowedIPs = [ "10.106.0.0/24" ];
+          allowedIPs = [ "10.106.0.1/32" ];
           endpoint = "fox.ac.upc.edu:666";
           # Send keepalives every 25 seconds. Important to keep NAT tables alive.
           persistentKeepalive = 25;