Commit 0897bf5e80a7

Vincent Demeester <vincent@sbr.pm>
2026-02-18 16:56:13
refactor(systems): auto-derive WireGuard client config
Created common/services/wireguard.nix that auto-derives client config from hostname and globals. Removed identical wireguard blocks from 10 host extra.nix files. Kerkouane (VPN server) is excluded and keeps its own server config.
1 parent c3c69b7
Changed files (12)
systems/aion/extra.nix
@@ -150,12 +150,6 @@ in
       };
     };
 
-    wireguard = {
-      enable = true;
-      ips = libx.wg-ips globals.machines.aion.net.vpn.ips;
-      endpoint = "${globals.net.vpn.endpoint}";
-      endpointPublicKey = "${globals.machines.kerkouane.net.vpn.pubkey}";
-    };
 
     audible-sync = {
       enable = true; # enable one migration dayrs
systems/aix/extra.nix
@@ -98,12 +98,6 @@ in
         };
     };
 
-    wireguard = {
-      enable = true;
-      ips = libx.wg-ips globals.machines.aix.net.vpn.ips;
-      endpoint = "${globals.net.vpn.endpoint}";
-      endpointPublicKey = "${globals.machines.kerkouane.net.vpn.pubkey}";
-    };
 
     # DNS resolver for local network - resolve specific sbr.pm domains to Aix
     dnsmasq = {
systems/aomi/extra.nix
@@ -37,12 +37,6 @@
       HandleLidSwitchExternalPower = "ignore";
       HandleLidSwitchDocked = "ignore";
     };
-    wireguard = {
-      enable = true;
-      ips = libx.wg-ips globals.machines.aomi.net.vpn.ips;
-      endpoint = "${globals.net.vpn.endpoint}";
-      endpointPublicKey = "${globals.machines.kerkouane.net.vpn.pubkey}";
-    };
 
     smartd = {
       enable = true;
systems/athena/extra.nix
@@ -20,12 +20,4 @@
     group = "users";
   };
 
-  services = {
-    wireguard = {
-      enable = true;
-      ips = libx.wg-ips globals.machines.athena.net.vpn.ips;
-      endpoint = "${globals.net.vpn.endpoint}";
-      endpointPublicKey = "${globals.machines.kerkouane.net.vpn.pubkey}";
-    };
-  };
 }
systems/common/base/default.nix
@@ -19,6 +19,7 @@
     ../services/avahi.nix
     ../services/openssh.nix
     ../services/prometheus-exporters-node.nix
+    ../services/wireguard.nix
     ../programs/age.nix
     # ../services/wireguard.nix # or netbird
   ];
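Review bot: The commented-out entry `# ../services/wireguard.nix # or netbird` two lines below the new import is now stale and contradicts the live import just added, which will confuse the next reader deciding whether WireGuard is on. Either delete that line or reword it so the surviving note is about the alternative only, e.g. `# netbird would be the alternative to ../services/wireguard.nix`. The opening of this `imports` list is outside the hunk.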
systems/common/services/wireguard.nix
@@ -0,0 +1,24 @@
+# Auto-derive WireGuard client config from hostname + globals.
+# Kerkouane (the VPN server) is excluded — it keeps its own server config.
+{
+  hostname,
+  globals,
+  libx,
+  lib,
+  ...
+}:
+let
+  machine = globals.machines.${hostname};
+  isServer = hostname == "kerkouane";
+  hasVpn = machine ? net && machine.net ? vpn;
+in
+{
+  config = lib.mkIf (hasVpn && !isServer) {
+    services.wireguard = {
+      enable = true;
+      ips = libx.wg-ips machine.net.vpn.ips;
+      endpoint = globals.net.vpn.endpoint;
+      endpointPublicKey = globals.machines.kerkouane.net.vpn.pubkey;
+    };
+  };
+}
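Review bot: `machine = globals.machines.${hostname};` on the let line aborts evaluation with a missing-attribute error for any host whose hostname is not a key of `globals.machines`, and the `hasVpn` guard does not protect against it because `machine ? net` forces `machine` first; since this module is now imported unconditionally from common/base, that would break every such host, so use `machine = globals.machines.${hostname} or { };`. The guard also does not check for `ips`, so a machine with `net.vpn` but no `ips` attribute still fails on the `libx.wg-ips` line; `hasVpn = machine ? net && machine.net ? vpn && machine.net.vpn ? ips;` covers that. Note that the module enables a tunnel on every non-kerkouane host that carries `net.vpn` metadata in globals, not only the ten hosts whose blocks were removed — if that is intended, say so in the header comment, e.g. `# Any host with globals.machines.<hostname>.net.vpn gets a WireGuard client; hosts without it are untouched.`, otherwise an explicit opt-in flag would be safer. The old per-host blocks wrapped `endpoint` and the pubkey in `"${...}"`; dropping the interpolation is only equivalent if both values are already strings in globals, which I cannot confirm from the hunk.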
systems/demeter/extra.nix
@@ -48,12 +48,7 @@
     #   logLevel = "INFO";
     # };
 
-    wireguard = {
-      enable = true;
-      ips = libx.wg-ips globals.machines.demeter.net.vpn.ips;
-      endpoint = "${globals.net.vpn.endpoint}";
-      endpointPublicKey = "${globals.machines.kerkouane.net.vpn.pubkey}";
-    };
+
   };
 
   age.secrets."mosquitto-homeassistant-password" = {
systems/kyushu/extra.nix
@@ -69,12 +69,7 @@
       enable = true;
       pruneBindMounts = true;
     };
-    wireguard = {
-      enable = true;
-      ips = libx.wg-ips globals.machines.kyushu.net.vpn.ips;
-      endpoint = "${globals.net.vpn.endpoint}";
-      endpointPublicKey = "${globals.machines.kerkouane.net.vpn.pubkey}";
-    };
+
     hardware.bolt.enable = true;
     printing = {
       enable = true;
systems/okinawa/extra.nix
@@ -68,13 +68,6 @@
     keyboards = [ "Eyelash Corne" ];
   };
 
-  # Wireguard VPN
-  services.wireguard = {
-    enable = true;
-    ips = libx.wg-ips globals.machines.okinawa.net.vpn.ips;
-    endpoint = "${globals.net.vpn.endpoint}";
-    endpointPublicKey = "${globals.machines.kerkouane.net.vpn.pubkey}";
-  };
 
   # Age secrets
   age.secrets = {
systems/rhea/extra.nix
@@ -429,12 +429,7 @@ in
         };
     };
 
-    wireguard = {
-      enable = true;
-      ips = libx.wg-ips globals.machines.rhea.net.vpn.ips;
-      endpoint = "${globals.net.vpn.endpoint}";
-      endpointPublicKey = "${globals.machines.kerkouane.net.vpn.pubkey}";
-    };
+
     # smartd = {
     #   enable = true;
     #   devices = [ { device = "/dev/nvme0n1"; } ];
systems/sakhalin/extra.nix
@@ -459,12 +459,7 @@ in
       '';
     };
 
-    wireguard = {
-      enable = true;
-      ips = libx.wg-ips globals.machines.sakhalin.net.vpn.ips;
-      endpoint = "${globals.net.vpn.endpoint}";
-      endpointPublicKey = "${globals.machines.kerkouane.net.vpn.pubkey}";
-    };
+
   };
 
   # Create Grafana dashboard directory and deploy Ollama dashboards
systems/shikoku/extra.nix
@@ -24,12 +24,7 @@
   ];
 
   services = {
-    wireguard = {
-      enable = true;
-      ips = libx.wg-ips globals.machines.shikoku.net.vpn.ips;
-      endpoint = "${globals.net.vpn.endpoint}";
-      endpointPublicKey = "${globals.machines.kerkouane.net.vpn.pubkey}";
-    };
+
     aria2 = {
       enable = true;
       openPorts = true;