From 1007de7c84bf0595e9f2eaf59c798457f6aaa279 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>
Date: Fri, 19 Sep 2025 15:57:24 +0200
Subject: [PATCH] Remove intranet route from apex peer in raccoon

We only need apex to reach the intranet so it will be raccoon the only
peer that uses intranet IPs as source. All other peers must accept them
from raccoon, but not the other way around.
---
 m/raccoon/wireguard.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/m/raccoon/wireguard.nix b/m/raccoon/wireguard.nix
index 1549c1ed..f6ceeccb 100644
--- a/m/raccoon/wireguard.nix
+++ b/m/raccoon/wireguard.nix
@@ -32,7 +32,7 @@
         {
           name = "apex";
           publicKey = "VwhcN8vSOzdJEotQTpmPHBC52x3Hbv1lkFIyKubrnUA=";
-          allowedIPs = [ "10.106.0.30/32" "192.168.0.0/16" ];
+          allowedIPs = [ "10.106.0.30/32" ];
           endpoint = "ssfhead.bsc.es:666";
           persistentKeepalive = 25;
         }