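# Auto-derive WireGuard client config from hostname + globals.
# VPN servers (kerkouane/carthage) are excluded — they keep their own server config.
# MIGRATION: Cutover done 2026-04-02 — vpnServer is now "carthage" (Hetzner).
{
  hostname,
  globals,
  libx,
  lib,
  ...
}:
let
  # Hosts that act as VPN servers. They never receive the client config
  # built below; keep this list in sync with the server-side modules.
  vpnServers = [ "kerkouane" "carthage" ];

  # The active VPN server hostname. Its WireGuard public key is pinned as
  # endpointPublicKey below, so this must name the machine that
  # globals.net.vpn.endpoint actually points at (presumably it does — verify
  # when either value changes); a mismatch makes every client handshake fail.
  vpnServer = "carthage";

  machine = globals.machines.${hostname};
  isServer = builtins.elem hostname vpnServers;
  # Only machines that declare a net.vpn block get a client config.
  hasVpn = machine ? net && machine.net ? vpn;
in
# The active server must be one of the known server hosts; evaluation aborts
# otherwise, which catches a typo in vpnServer at build time rather than
# as a silently failing tunnel.
assert builtins.elem vpnServer vpnServers;
{
  config = lib.mkIf (hasVpn && !isServer) {
    services.wireguard = {
      enable = true;
      ips = libx.wg-ips machine.net.vpn.ips;
      endpoint = globals.net.vpn.endpoint;
      # Pinned to the active server's key: a client completes a handshake
      # only with the peer holding this private key.
      endpointPublicKey = globals.machines.${vpnServer}.net.vpn.pubkey;
    };
  };
}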