Parameterise wireguard

machines/nunotaba/configuration.nix

@@ -16,6 +16,10 @@
   sbruder = {
     gui = true;
     restic.enable = true;
+    wireguard.home = {
+      enable = true;
+      address = "10.80.0.4";
+    };
   };
 
   boot.loader.grub.device = "/dev/disk/by-id/ata-INTEL_SSDSC2KB480G7_PHYS749202D6480BGN";
@@ -30,6 +34,4 @@
   };
 
   networking.hostName = "nunotaba";
-
-  networking.wireguard.interfaces.wg-home.ips = [ "10.80.0.4/24" ];
 }

machines/sayuri/configuration.nix

@@ -16,6 +16,10 @@
   sbruder = {
     gui = true;
     restic.enable = true;
+    wireguard.home = {
+      enable = true;
+      address = "10.80.0.5";
+    };
   };
 
   boot.loader.grub.device = "/dev/disk/by-id/ata-MTFDDAK256TBN-1AR15ABHA_UFZMQ01ZR50NMM";
@@ -41,6 +45,4 @@
   };
 
   networking.hostName = "sayuri";
-
-  networking.wireguard.interfaces.wg-home.ips = [ "10.80.0.5/24" ];
 }

modules/default.nix

@@ -27,6 +27,7 @@
     ./tools.nix
     ./udev.nix
     ./web.nix
+    ./wireguard
   ];
 
   config = {

modules/prometheus/node_exporter.nix

@@ -1,17 +1,8 @@
 { config, ... }:
-let
-  vpnNetRanges = config.networking.wireguard.interfaces.wg-home.ips;
-  vpnNetRange = builtins.elemAt vpnNetRanges 0;
-  vpnAddress = builtins.elemAt (builtins.split "/" vpnNetRange) 0;
-in
 {
-  imports = [
-    ../wireguard/home.nix
-  ];
-
   services.prometheus.exporters.node = {
     enable = true;
-    listenAddress = vpnAddress;
+    listenAddress = config.sbruder.wireguard.home.address;
     enabledCollectors = [ "systemd " ];
   };
 

modules/wireguard/default.nix

@@ -0,0 +1,7 @@
+{
+  imports = [
+    ./home.nix
+  ];
+
+  networking.wireguard.enable = true;
+}

modules/wireguard/home.nix

@@ -1,28 +1,34 @@
-# Module for setting up the shared part of my home wireguard network.
-# Every machine using this still has to set the `ips` for the `wg-home`
-# interface and place the private key in their secrets directory as
-# `wg-home_private_key`
-#
-# Example:
-#
-#     networking.wireguard.interfaces.wg-home.ips = [ "10.80.0.4/24" ];
-{ config, ... }:
-
+{ lib, config, ... }:
+let
+  cfg = config.sbruder.wireguard.home;
+in
 {
-  networking.wireguard = {
-    enable = true;
-    interfaces = {
-      wg-home = {
-        privateKeyFile = toString (../../machines/. + "/${config.networking.hostName}" + /secrets/wg-home_private_key);
-        peers = [
-          {
-            allowedIPs = [ "10.80.0.0/24" ];
-            publicKey = "UyZRAVTIc/RMs/J+591wrA8lHU0e8dwDJJwcpRb3xQA=";
-            endpoint = "87.140.16.73:51820"; # IPv6 is tunneled so legacy is preferred
-            persistentKeepalive = 25;
-          }
-        ];
+  options = {
+    sbruder.wireguard.home = {
+      enable = lib.mkEnableOption "WireGuard tunnel wg-home";
+      address = lib.mkOption {
+        type = lib.types.str;
+        description = "IP(v4) address of the host";
+        example = "10.80.0.1";
+      };
+      privateKeyFile = lib.mkOption {
+        type = lib.types.str;
+        description = "Private key file";
+        default = toString (../../machines/. + "/${config.networking.hostName}" + /secrets/wg-home_private_key);
       };
     };
   };
+
+  config.networking.wireguard.interfaces.wg-home = lib.mkIf cfg.enable {
+    privateKeyFile = cfg.privateKeyFile;
+    ips = [ "${cfg.address}/24" ];
+    peers = [
+      {
+        allowedIPs = [ "10.80.0.0/24" ];
+        publicKey = "UyZRAVTIc/RMs/J+591wrA8lHU0e8dwDJJwcpRb3xQA=";
+        endpoint = "87.140.16.73:51820"; # IPv6 is tunneled so legacy is preferred
+        persistentKeepalive = 25;
+      }
+    ];
+  };
 }