3 changed files with 12 additions and 66 deletions
--- a/setup-base.sh
+++ b/setup-base.sh
@ -40,23 +40,6 @@ echo "════════════════════════
 echo " setup-base.sh für MBP $MODEL\" startet"
 echo "════════════════════════════════════════════"

-# ── 0. sudoers reparieren (macOS-Installer hinterlässt macOS-sudoers) ──────
-echo -e "\n=== 0/11 sudoers ==="
-cat > /etc/sudoers <<'SUDOEOF'
-Defaults   env_reset
-Defaults   secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-
-root    ALL=(ALL:ALL) ALL
-%sudo   ALL=(ALL:ALL) ALL
-
-@includedir /etc/sudoers.d
-SUDOEOF
-chmod 440 /etc/sudoers
-# Passwordless sudo fuer rene
-echo "rene ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/rene
-chmod 440 /etc/sudoers.d/rene
-ok "sudoers: Linux-Standard + NOPASSWD fuer rene"
-
 # ── 1. Kritische Hardware-Fixes ZUERST (vor allem anderen) ───────────────
 echo -e "\n=== 1/11 Hardware-Fixes ==="

@ -172,55 +155,16 @@ else
        chmod +x /usr/local/bin/temp-watch.sh || warn "temp-watch.sh Download fehlgeschlagen"
 fi

-# WireGuard via NetworkManager (.nmconnection direkt schreiben, kein nmcli noetig)
-WG_CONF="$REPO_DIR/wireguard/m${MODEL}.conf"
-if [[ -n "$REPO_DIR" && -f "$WG_CONF" ]]; then
-    # Alte wg-quick-Config entfernen falls vorhanden
-    systemctl disable --now wg-quick@wg0 2>/dev/null || true
-    # Werte aus der WireGuard-Conf lesen
-    WG_PRIVKEY=$(grep -oP 'PrivateKey\s*=\s*\K.*' "$WG_CONF")
-    WG_LISTEN=$(grep -oP 'ListenPort\s*=\s*\K.*' "$WG_CONF")
-    WG_ADDR=$(grep -oP 'Address\s*=\s*\K.*' "$WG_CONF")
-    WG_PUBKEY=$(grep -oP 'PublicKey\s*=\s*\K.*' "$WG_CONF")
-    WG_PSK=$(grep -oP 'PresharedKey\s*=\s*\K.*' "$WG_CONF")
-    WG_ALLOWED=$(grep -oP 'AllowedIPs\s*=\s*\K.*' "$WG_CONF" | tr -d ' ')
-    WG_ENDPOINT=$(grep -oP 'Endpoint\s*=\s*\K.*' "$WG_CONF")
-    WG_KEEPALIVE=$(grep -oP 'PersistentKeepalive\s*=\s*\K.*' "$WG_CONF")
-    # NM-Verbindungsdatei direkt schreiben (laeuft als root, Keys persistent)
-    NM_CONN_DIR="/etc/NetworkManager/system-connections"
-    mkdir -p "$NM_CONN_DIR"
-    cat > "$NM_CONN_DIR/wg0.nmconnection" <<WGEOF
-[connection]
-id=wg0
-type=wireguard
-interface-name=wg0
-autoconnect=true
-
-[wireguard]
-listen-port=$WG_LISTEN
-private-key=$WG_PRIVKEY
-private-key-flags=0
-
-[wireguard-peer.${WG_PUBKEY}]
-preshared-key=$WG_PSK
-preshared-key-flags=0
-allowed-ips=$WG_ALLOWED;
-endpoint=$WG_ENDPOINT
-persistent-keepalive=$WG_KEEPALIVE
-
-[ipv4]
-method=manual
-address1=$WG_ADDR
-dns=10.47.11.20;10.47.11.1;
-dns-search=~.;
-
-[ipv6]
-method=ignore
-WGEOF
-    chmod 600 "$NM_CONN_DIR/wg0.nmconnection"
-    nmcli connection reload 2>/dev/null || true
-    nmcli connection up wg0 2>/dev/null || true
-    ok "WireGuard wg0.nmconnection geschrieben (DNS: 10.47.11.20, 10.47.11.1, autoconnect)"
+# WireGuard-Config
+if [[ -n "$REPO_DIR" && -f "$REPO_DIR/wireguard/m${MODEL}.conf" ]]; then
+    mkdir -p /etc/wireguard
+    cp "$REPO_DIR/wireguard/m${MODEL}.conf" /etc/wireguard/wg0.conf
+    chmod 600 /etc/wireguard/wg0.conf
+    systemctl enable wg-quick@wg0 2>/dev/null || true
+    # systemd-resolved Stub funktioniert nicht mit WireGuard DNS catch-all (~.)
+    # → resolv.conf direkt auf die upstream-Server zeigen lassen
+    ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
+    ok "WireGuard m${MODEL}.conf → /etc/wireguard/wg0.conf"
 else
    warn "WireGuard: keine lokale Config gefunden — manuell einrichten"
 fi
--- a/wireguard/m13.conf
+++ b/wireguard/m13.conf
@ -2,6 +2,7 @@
 PrivateKey = sIxh2D50+9bpWe6O6ezrfybW9Iy6QKcrwr9hmFpuGn0=
 ListenPort = 51820
 Address = 10.13.13.8/24
+DNS = 10.47.11.20,10.47.11.1

 [Peer]
 PublicKey = 7WrqHPof31gcCYMjLWPoP1EIxPR2896/3KL1pQ3YZGs=
--- a/wireguard/m16.conf
+++ b/wireguard/m16.conf
@ -2,6 +2,7 @@
 PrivateKey = OA5IiSzPglSY8GdobOYMlaOaG+QqNjHIACBRe7MvK04=
 ListenPort = 51820
 Address = 10.13.13.7/24
+DNS = 10.47.11.20,10.47.11.1

 [Peer]
 PublicKey = J/dD1t3Bo9Zbcvxg6PvGP78kgMlL4s4yYfrUMpcoS2w=