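# WireGuard tunnel for a FlatRender render node.
#
# The render node only ever dials OUT to the control plane — it never needs a
# public IP or any inbound firewall rule. All traffic to the gateway / MinIO
# rides this encrypted tunnel, so nodes can live behind NAT, on home ADSL, or
# in any datacenter.
#
# Fill in the four <placeholders> below (PrivateKey, Address, PublicKey,
# Endpoint), save as `wg-flatrender.conf`, then run setup-wireguard.ps1 (or
# import it in the WireGuard GUI).
#
# This file holds the node's private key in clear text. Keep it readable only
# by the account that imports it, and delete the plain copy once the tunnel
# has been imported — the WireGuard client keeps its own imported copy.

[Interface]
# This node's private key (generate on the node: `wg genkey`). Use one key per
# node; a key shared between nodes means every node has to be rotated if it leaks.
PrivateKey = <node-private-key>
# This node's address inside the mesh. Pick a unique 10.66.0.x per node.
Address = 10.66.0.<x>/32
# Optional. Leave unset to keep using the LAN resolver — the tunnel only carries
# mesh traffic (see AllowedIPs), so no mesh-specific DNS is required.
# Uncomment to force a resolver while the tunnel is up.
# DNS = 1.1.1.1

[Peer]
# Control plane (gateway + MinIO host) public key (from the server: `wg show`).
PublicKey = <control-plane-public-key>
# Optional extra symmetric key shared with the control plane (`wg genpsk`);
# if used it must be set to the same value on both sides of the tunnel.
# PresharedKey = <preshared-key>
# Public endpoint of the control plane: <control-plane-host>:51820
Endpoint = <control-plane-host>:51820
# Only route the mesh subnet through the tunnel — everything else uses the normal
# internet path. 10.66.0.0/24 = the FlatRender control + render mesh.
# AllowedIPs is also WireGuard's inbound filter for this peer: packets arriving
# through the tunnel whose source address is outside 10.66.0.0/24 are dropped.
AllowedIPs = 10.66.0.0/24
# Hold the NAT mapping open so the orchestrator can reach the node's :7777 health
# port and so long-poll claims stay alive behind home routers / CGNAT.
PersistentKeepalive = 25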