From 74ddf83617f6d6d9ed77d107d039fc296b99b9d0 Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Sat, 5 Dec 2020 14:39:36 +0100
Subject: [PATCH] Parameterise wireguard
---
 machines/nunotaba/configuration.nix | 6 ++--
 machines/sayuri/configuration.nix | 6 ++--
 modules/default.nix | 1 +
 modules/prometheus/node_exporter.nix | 11 +-----
 modules/wireguard/default.nix | 7 ++++
 modules/wireguard/home.nix | 52 ++++++++++++++++------------
 6 files changed, 46 insertions(+), 37 deletions(-)
 create mode 100644 modules/wireguard/default.nix
diff --git a/machines/nunotaba/configuration.nix b/machines/nunotaba/configuration.nix
index a200422..e1acaa3 100644
--- a/machines/nunotaba/configuration.nix
+++ b/machines/nunotaba/configuration.nix
@@ -16,6 +16,10 @@
 sbruder = {
 gui = true;
 restic.enable = true;
+ wireguard.home = {
+ enable = true;
+ address = "10.80.0.4";
+ };
 };
 
 boot.loader.grub.device = "/dev/disk/by-id/ata-INTEL_SSDSC2KB480G7_PHYS749202D6480BGN";
@@ -30,6 +34,4 @@
 };
 
 networking.hostName = "nunotaba";
-
- networking.wireguard.interfaces.wg-home.ips = [ "10.80.0.4/24" ];
 }
diff --git a/machines/sayuri/configuration.nix b/machines/sayuri/configuration.nix
index e4554a6..3c532bd 100644
--- a/machines/sayuri/configuration.nix
+++ b/machines/sayuri/configuration.nix
@@ -16,6 +16,10 @@
 sbruder = {
 gui = true;
 restic.enable = true;
+ wireguard.home = {
+ enable = true;
+ address = "10.80.0.5";
+ };
 };
 
 boot.loader.grub.device = "/dev/disk/by-id/ata-MTFDDAK256TBN-1AR15ABHA_UFZMQ01ZR50NMM";
@@ -41,6 +45,4 @@
 };
 
 networking.hostName = "sayuri";
-
- networking.wireguard.interfaces.wg-home.ips = [ "10.80.0.5/24" ];
 }
diff --git a/modules/default.nix b/modules/default.nix
index ea4f999..4588bb7 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -27,6 +27,7 @@
 ./tools.nix
 ./udev.nix
 ./web.nix
+ ./wireguard
 ];
 
 config = {
diff --git a/modules/prometheus/node_exporter.nix b/modules/prometheus/node_exporter.nix
index 491856a..057be16 100644
--- a/modules/prometheus/node_exporter.nix
+++ b/modules/prometheus/node_exporter.nix
@@ -1,17 +1,8 @@
 { config, ... }:
 
-let
- vpnNetRanges = config.networking.wireguard.interfaces.wg-home.ips;
- vpnNetRange = builtins.elemAt vpnNetRanges 0;
- vpnAddress = builtins.elemAt (builtins.split "/" vpnNetRange) 0;
-in
 {
- imports = [
- ../wireguard/home.nix
- ];
-
 services.prometheus.exporters.node = {
 enable = true;
- listenAddress = vpnAddress;
+ listenAddress = config.sbruder.wireguard.home.address;
 enabledCollectors = [ "systemd " ];
 };
diff --git a/modules/wireguard/default.nix b/modules/wireguard/default.nix
new file mode 100644
index 0000000..21529b0
--- /dev/null
+++ b/modules/wireguard/default.nix
@@ -0,0 +1,7 @@
+{
+ imports = [
+ ./home.nix
+ ];
+
+ networking.wireguard.enable = true;
+}
diff --git a/modules/wireguard/home.nix b/modules/wireguard/home.nix
index 5f219a9..194d4b6 100644
--- a/modules/wireguard/home.nix
+++ b/modules/wireguard/home.nix
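Review bot: `listenAddress = config.sbruder.wireguard.home.address` binds the exporter to the tunnel address without checking that the tunnel is actually enabled on this host, and the module no longer imports `../wireguard/home.nix` itself, so it now depends on `modules/default.nix` pulling in `./wireguard`. Because `address` has no default, a host that leaves `sbruder.wireguard.home` unset fails at evaluation, which is acceptable, but a host that sets `address` together with `enable = false` gets an exporter configured to listen on an address that is never assigned and will only fail at service start. An assertion makes the dependency explicit and keeps the exporter from ever being configured outside the tunnel: `assertions = [ { assertion = config.sbruder.wireguard.home.enable; message = "prometheus node exporter listens on the wg-home address, so sbruder.wireguard.home.enable must be true"; } ];`. Separately, the context line `enabledCollectors = [ "systemd " ]` carries a trailing space inside the collector name; if that is in the file rather than a rendering artifact, it would be passed through as a collector flag with the space attached and presumably not enable the `systemd` collector.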
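Review bot: `networking.wireguard.enable = true` in the new `modules/wireguard/default.nix` is unconditional, and since `modules/default.nix` now imports `./wireguard`, every host picks up the WireGuard tooling and kernel module even when `sbruder.wireguard.home.enable` is false; before this change the same line lived in `home.nix` and only reached hosts that imported that file. If I recall correctly the NixOS option already defaults to true whenever `networking.wireguard.interfaces` is non-empty, so the line can be dropped, or it can be tied to the option in `home.nix` as `config.networking.wireguard.enable = lib.mkIf cfg.enable true;` so the extra surface is only added where a tunnel is actually defined.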
@@ -1,28 +1,34 @@
-# Module for setting up the shared part of my home wireguard network.
-# Every machine using this still has to set the `ips` for the `wg-home`
-# interface and place the private key in their secrets directory as
-# `wg-home_private_key`
-#
-# Example:
-#
-# networking.wireguard.interfaces.wg-home.ips = [ "10.80.0.4/24" ];
-{ config, ... }:
-
+{ lib, config, ... }:
+let
+ cfg = config.sbruder.wireguard.home;
+in
 {
- networking.wireguard = {
- enable = true;
- interfaces = {
- wg-home = {
- privateKeyFile = toString (../../machines/. + "/${config.networking.hostName}" + /secrets/wg-home_private_key);
- peers = [
- {
- allowedIPs = [ "10.80.0.0/24" ];
- publicKey = "UyZRAVTIc/RMs/J+591wrA8lHU0e8dwDJJwcpRb3xQA=";
- endpoint = "87.140.16.73:51820"; # IPv6 is tunneled so legacy is preferred
- persistentKeepalive = 25;
- }
- ];
+ options = {
+ sbruder.wireguard.home = {
+ enable = lib.mkEnableOption "WireGuard tunnel wg-home";
+ address = lib.mkOption {
+ type = lib.types.str;
+ description = "IP(v4) address of the host";
+ example = "10.80.0.1";
+ };
+ privateKeyFile = lib.mkOption {
+ type = lib.types.str;
+ description = "Private key file";
+ default = toString (../../machines/. + "/${config.networking.hostName}" + /secrets/wg-home_private_key);
 };
 };
 };
+
+ config.networking.wireguard.interfaces.wg-home = lib.mkIf cfg.enable {
+ privateKeyFile = cfg.privateKeyFile;
+ ips = [ "${cfg.address}/24" ];
+ peers = [
+ {
+ allowedIPs = [ "10.80.0.0/24" ];
+ publicKey = "UyZRAVTIc/RMs/J+591wrA8lHU0e8dwDJJwcpRb3xQA=";
+ endpoint = "87.140.16.73:51820"; # IPv6 is tunneled so legacy is preferred
+ persistentKeepalive = 25;
+ }
+ ];
+ };
 }
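Review bot: `address` is typed `lib.types.str` but is interpolated unchecked into `ips = [ "${cfg.address}/24" ]`, so a value written with its own prefix length (`"10.80.0.4/24"`, exactly the form the removed header comment used as its example) yields `10.80.0.4/24/24`, and any other non-address string lands in the interface definition and only fails when the interface is brought up. `type = lib.types.strMatching "[0-9]{1,3}(\\.[0-9]{1,3}){3}";` rejects that at evaluation, and the description should state the contract, e.g. `description = "IPv4 address of this host inside wg-home, without prefix length (the /24 is added by the module)";`. The removed header comment was the only place that explained how the module is meant to be used; most of that now lives in the option descriptions, but `"Private key file"` does not say why the default is built with `toString` — presumably so the key is read from the checkout at runtime and never copied into the Nix store — and a sentence to that effect in the `privateKeyFile` description would keep that from being "simplified" away later.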