Try tailscale

linux/nebula/conduit.nix

@@ -5,6 +5,7 @@
     enable = true;
     settings.global = {
       address = config.constants.localhost;
+      port = 29800;
       server_name = config.constants.domain;
     };
   };

linux/nebula/default.nix

@@ -15,6 +15,7 @@
     ./jellyfin.nix
     ./network.nix
     ./syncthing.nix
+    ./tailscale.nix
     ./zfs.nix
     ../../common
   ];

linux/nebula/forgejo.nix

@@ -9,6 +9,7 @@
       server = let dn = config.constants.domain; in {
         DOMAIN = dn;
         HTTP_ADDR = config.constants.localhost;
+        HTTP_PORT = 47674;
         ROOT_URL = "https://forgejo.${dn}";
       };
       service.DISABLE_REGISTRATION = true;

linux/nebula/network.nix

@@ -11,16 +11,6 @@ let const = config.constants; hn = config.networking.hostName; in {
     };
     nftables.enable = true;
     tempAddresses = "disabled";
-    wireguard.interfaces.wgn = {
-      ips = [ "10.32.54.3/32" ];
-      peers = [{
-        allowedIPs = [ "10.32.54.0/24" ];
-        endpoint = "${const.domain}:${toString const.port.wireguard-server}";
-        persistentKeepalive = 54;
-        publicKey = "0j8+alXU/f2UgWN61R6+Wjs9xelGRwpSbe5NyOwWlF4=";
-      }];
-      privateKeyFile = config.sops.secrets."wireguard/${hn}".path;
-    };
     wireless.iwd.enable = true;
   };
 
@@ -48,8 +38,5 @@ let const = config.constants; hn = config.networking.hostName; in {
     resolved.enable = true;
   };
 
-  sops.secrets = {
-    "cloudflare/${hn}" = { };
-    "wireguard/${hn}" = { };
-  };
+  sops.secrets."cloudflare/${hn}" = { };
 }

linux/nebula/tailscale.nix

@@ -0,0 +1,8 @@
+{ ... }: {
+  services.tailscale = {
+    enable = true;
+    extraUpFlags = [ "--advertise-exit-node" ];
+    port = 25555;
+    useRoutingFeatures = "both";
+  };
+}