docs(public): populate phase 2 content

Full public/ directory — services, network, decisions, security,
inventory, rebuild sequence, and per-LXC setup guides. Sourced from
wiki. No secrets or WAN IPs included.

setup/wireguard.md

@@ -0,0 +1,130 @@
+# WireGuard Setup
+
+## Overview
+
+WireGuard VPN is configured directly in pfSense. It runs on UDP port 51820 — the only inbound port on the WAN interface. VPN clients get IPs in the 10.200.0.0/24 subnet and receive the same network access as LAN (Homelab + MGMT web GUI + Pi-hole DNS). No external software needed — pfSense handles it natively.
+
+| Property | Value |
+|----------|-------|
+| Listen Port | 51820 UDP |
+| VPN Subnet | 10.200.0.0/24 |
+| Access granted | Homelab (10.2.0.0/24) + MGMT web GUI + Pi-hole DNS |
+| Access blocked | Guest, IoT, WFH VLANs |
+
+## Prerequisites
+
+- pfSense running and accessible
+- WireGuard package installed (System → Package Manager → Available Packages → WireGuard)
+- Port 51820 UDP forwarded/open on WAN if behind NAT (not needed with IP Passthrough — pfSense has the public IP directly)
+- DDNS client configured on pfSense if WAN IP is dynamic
+
+## Installation
+
+### 1. Install WireGuard Package
+
+Navigate to: **System → Package Manager → Available Packages**
+
+Search "WireGuard" → Install.
+
+### 2. Create WireGuard Tunnel
+
+Navigate to: **VPN → WireGuard → Tunnels → Add Tunnel**
+
+| Setting | Value |
+|---------|-------|
+| Enabled | ✓ |
+| Description | HomeVPN |
+| Listen Port | 51820 |
+| Interface Keys | Click "Generate" |
+| Interface Addresses | 10.200.0.1/24 |
+
+Save. Note the **server public key** — you'll need it in peer configs.
+
+### 3. Add Peers (Clients)
+
+Navigate to: **VPN → WireGuard → Peers → Add Peer**
+
+For each client device:
+
+| Setting | Value |
+|---------|-------|
+| Tunnel | HomeVPN |
+| Description | e.g., iPhone |
+| Public Key | (generate on client, paste here) |
+| Allowed IPs | 10.200.0.X/32 (unique per peer) |
+
+### 4. Create WireGuard Interface
+
+Navigate to: **Interfaces → Assignments**
+
+Assign the WireGuard tunnel as a new interface (e.g., `OPT1`). Rename it to `WG` or `VPN`.
+
+Enable the interface: Interfaces → WG → Enable ✓
+
+### 5. Firewall Rules
+
+#### WAN — allow inbound WireGuard
+
+Navigate to: **Firewall → Rules → WAN → Add**
+
+| Setting | Value |
+|---------|-------|
+| Action | Pass |
+| Protocol | UDP |
+| Destination | WAN address |
+| Destination Port | 51820 |
+| Description | WireGuard VPN |
+
+#### WG interface — allow VPN clients same access as LAN
+
+Navigate to: **Firewall → Rules → WG → Add**
+
+```
+Pass | IPv4 | Source: WG net | Destination: 10.2.0.0/24 | any | Homelab access
+Pass | IPv4 | Source: WG net | Destination: 10.0.0.0/24 | 443 | MGMT web GUI
+Pass | IPv4 | Source: WG net | Destination: 10.2.0.11 | 53 | Pi-hole DNS
+```
+
+### 6. DNS for VPN Clients
+
+In WireGuard peer config, set DNS to 10.2.0.11 (Pi-hole) so VPN clients get ad blocking and local name resolution.
+
+## Client Configuration
+
+Generate on each client device. Structure:
+
+```ini
+[Interface]
+PrivateKey = <client private key>
+Address = 10.200.0.X/24
+DNS = 10.2.0.11
+
+[Peer]
+PublicKey = <server public key from pfSense>
+Endpoint = <WAN IP or DDNS hostname>:51820
+AllowedIPs = 10.0.0.0/8   # route all RFC1918 through VPN, or use split tunnel
+PersistentKeepalive = 25
+```
+
+In pfSense you can generate QR codes for mobile clients: VPN → WireGuard → Peers → (peer) → QR code icon.
+
+## Key Rotation
+
+When rotating keys or adding/removing peers:
+
+1. Generate new key pair on client
+2. Update peer's public key in pfSense: VPN → WireGuard → Peers → Edit
+3. Update client config with new private key
+4. Apply changes in pfSense
+
+## Verification
+
+```bash
+# From a mobile device on cellular (not home WiFi):
+# 1. Connect WireGuard
+# 2. curl https://outline.lerkolabs.com → should load with Authentik login
+# 3. curl http://10.2.0.11/admin → Pi-hole admin should be reachable
+
+# On pfSense shell:
+wg show  # should show peer with recent handshake
+```