-rw-r--r-- README.md 12
-rw-r--r-- pi_configs/etc/modules-load.d/wireguard.conf 1
-rw-r--r-- pi_configs/etc/nftables.conf 40
-rw-r--r-- pi_configs/home/Spartan_Racing_Charger/.config/labwc/autostart 1
4 files changed, 50 insertions, 4 deletions
diff --git a/README.md b/README.md
index 1a88c1e..40c81b0 100644
--- a/README.md
+++ b/README.md
@@ -19,10 +19,15 @@ remote_plot -d 10.0.0.7
remote_plot -l
```
-Infrastructure configs not included in the repo, not included exactally, or maybe inclulded in other url:
+Infrastructure configs, some maybe included in pi_config dir
+- I prefer manage infrastructure configs using my [cfg](https://git.flylightning.xyz/fsh/tree/sh/cfg) script, but that script is my personal project and I don't want to force people to use that, so I include those config files in this repo and I did not manage it with my cfg script on raspberry pi.
- raspberry pi
- - file in ~/.config/labwc/autostart dir autostart remote_plot locally
+ - ~/.config/labwc/autostart autostart remote_plot locally
- <https://wiki.archlinux.org/title/Labwc#Autostart>
+ - /etc/wireguard/wg0.conf wireguard config
+ - /etc/NetworkManager/system-connections/wg0.nmconnection, networkmanager wireguard config imported from wireguard config
+ - /etc/modules-load.d/wireguard.conf autostart load wireguard kernel module, see <https://wiki.archlinux.org/title/Kernel_module#systemd>
+ - /etc/nftables.conf nftables firewall configs
- server and laptop:
- wireguard related configs
- files in /etc/wireguard, see below
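Review bot: the new raspberry pi list does not say which entries are actually in the repo. The diffstat adds only the modules-load.d, nftables.conf and labwc autostart files, so /etc/wireguard/wg0.conf and wg0.nmconnection are listed but not included, and the intro line only says "some maybe included". Because those two files carry the WireGuard private and preshared keys, mark each item as "in pi_configs" or "not in repo (contains secrets)" so nobody commits them later to complete the set. The intro also names the directory pi_config, while the paths added in this commit are under pi_configs.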
@@ -30,7 +35,6 @@ Infrastructure configs not included in the repo, not included exactally, or mayb
- /etc/nftables.conf nftables firewall configs
- server: <https://git.flylightning.xyz/config_local_arch/tree/etc/nftables.conf?h=ca>
- laptop: <https://git.flylightning.xyz/config_local_arch/tree/etc/nftables.conf?h=master>
- - example code from another device but applicable to raspberry pi: <https://git.flylightning.xyz/config_local_arch/tree/etc/nftables.conf?h=pp>
wireguard laptop configuration
```
@@ -66,7 +70,7 @@ PresharedKey = <secret>
AllowedIPs = 10.0.0.9/32, fdc9:281f:04d7:9ee9::9/128
```
-wireguard raspberry pi configuration
+wireguard raspberry pi configuration (/etc/wireguard/wg0.conf)
```
[Interface]
Address = 10.0.0.9/24, fdc9:281f:04d7:9ee9::9/64
diff --git a/pi_configs/etc/modules-load.d/wireguard.conf b/pi_configs/etc/modules-load.d/wireguard.conf
new file mode 100644
index 0000000..a82c63a
--- /dev/null
+++ b/pi_configs/etc/modules-load.d/wireguard.conf
@@ -0,0 +1 @@
+wireguard
diff --git a/pi_configs/etc/nftables.conf b/pi_configs/etc/nftables.conf
new file mode 100644
index 0000000..9c3532d
--- /dev/null
+++ b/pi_configs/etc/nftables.conf
@@ -0,0 +1,40 @@
+#!/usr/bin/nft -f
+
+# IPv4/IPv6 Simple & Safe firewall ruleset.
+# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
+
+# some codes from https://wiki.archlinux.org/title/Nftables
+
+# needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
+flush ruleset
+
+table inet my_table {
+
+ chain my_input {
+ type filter hook input priority filter
+ policy drop
+
+ ct state invalid drop comment "early drop of invalid connections"
+ ct state {established, related} accept comment "allow tracked connections"
+ iifname lo accept comment "allow from loopback"
+ ip protocol icmp accept
+ meta l4proto ipv6-icmp accept
+
+ tcp dport ssh accept
+
+ pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
+ counter comment "count any other traffic"
+ }
+
+ chain my_forward {
+ type filter hook forward priority filter
+ policy drop
+ # Drop everything forwarded to us. We do not forward. That is routers job.
+ }
+
+ chain my_output {
+ type filter hook output priority filter
+ policy accept
+ # Accept every outbound connection
+ }
+}
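Review bot: `tcp dport ssh accept` in my_input accepts SSH on every interface from any source and without a rate limit, although the README gives this Pi a WireGuard address on wg0. If SSH is only meant to be reached through the tunnel, scope the rule, for example `iifname "wg0" tcp dport ssh accept`, or at least limit new connections per source. `ip protocol icmp accept` likewise admits every ICMP type unmetered; a rate limit on echo-request would match the limit already applied on the reject rule. A comment stating that no inbound WireGuard port is opened because the Pi only initiates the tunnel (if that is the intent) would also help the next reader.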
diff --git a/pi_configs/home/Spartan_Racing_Charger/.config/labwc/autostart b/pi_configs/home/Spartan_Racing_Charger/.config/labwc/autostart
new file mode 100644
index 0000000..c1ff693
--- /dev/null
+++ b/pi_configs/home/Spartan_Racing_Charger/.config/labwc/autostart
@@ -0,0 +1 @@
+/usr/local/bin/remote_plot -l &
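Review bot: the autostart line backgrounds `/usr/local/bin/remote_plot -l` with `&` and nothing captures its output or restarts it if it exits, so a crash on the charger display goes unnoticed until someone looks at the screen. Consider redirecting stdout and stderr to a log file in this line, or running it from a systemd user unit with a restart policy. The README should also say how remote_plot gets installed to /usr/local/bin, since this file depends on that absolute path.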