wireguard/home: Make vueko central server

This also restructures the wireguard/home configuration, since now
better peer management is possible.

machines/nunotaba/configuration.nix

@@ -14,10 +14,7 @@
     media-proxy.enable = true;
     restic.enable = true;
     unfree.allowSoftware = true;
-    wireguard.home = {
+    wireguard.home.enable = true;
-      enable = true;
-      address = "10.80.0.4";
-    };
   };
 
   virtualisation.libvirtd.enable = true;

machines/sayuri/configuration.nix

@@ -18,10 +18,7 @@
       ];
     };
     unfree.allowSoftware = true;
-    wireguard.home = {
+    wireguard.home.enable = true;
-      enable = true;
-      address = "10.80.0.5";
-    };
   };
 
   virtualisation.libvirtd.enable = true;

machines/vueko/configuration.nix

@@ -17,10 +17,7 @@ in
 
   sbruder = {
     restic.enable = true;
-    wireguard.home = {
+    wireguard.home.enable = true;
-      enable = true;
-      address = "10.80.0.6";
-    };
     full = false;
 
     mailserver = {

modules/wireguard/home.nix

@@ -1,6 +1,31 @@
 { lib, config, ... }:
 let
+  serverHostName = "vueko";
+  peers = {
+    issei = {
+      address = "10.80.0.1";
+      publicKey = "UyZRAVTIc/RMs/J+591wrA8lHU0e8dwDJJwcpRb3xQA=";
+    };
+    nunotaba = {
+      address = "10.80.0.4";
+      publicKey = "DvR8mUkll4uyYhNcX82caMkbcw0Lykg8zDzm/3PD5jw=";
+    };
+    sayuri = {
+      address = "10.80.0.5";
+      publicKey = "t7hpd2yZupAKHxYerHtXnlPRUjV1aGbrrzjYakKdOwE=";
+    };
+    vueko = {
+      address = "10.80.0.6";
+      publicKey = "JbOfL4FxPCzJOjI8AGklPHY2FniCXq0QwOa08gjSyns=";
+    };
+    fuuko = {
+      address = "10.80.0.7";
+      publicKey = "VXic8mhaJBSl6yFkx0Cu6JI8tqqjjM3UbW7x+05pV0M=";
+    };
+  };
+
   cfg = config.sbruder.wireguard.home;
+  enableServer = config.networking.hostName == serverHostName;
 in
 {
   options = {
@@ -8,8 +33,8 @@ in
       enable = lib.mkEnableOption "WireGuard tunnel wg-home";
       address = lib.mkOption {
         type = lib.types.str;
-        description = "IP(v4) address of the host";
+        visible = false;
-        example = "10.80.0.1";
+        readOnly = true;
       };
     };
   };
@@ -17,19 +42,41 @@ in
   config = lib.mkIf cfg.enable {
     krops.secrets.wg-home-private-key = { };
 
+    sbruder.wireguard.home.address = peers."${config.networking.hostName}".address;
+
     networking.wireguard.interfaces.wg-home = {
       privateKeyFile = config.krops.secrets.wg-home-private-key.path;
       ips = [ "${cfg.address}/24" ];
-      peers = [
+      listenPort = if enableServer then 51820 else null;
+      peers =
+        if enableServer
+        then
+          map
+            (peerConfig: with peerConfig; {
+              allowedIPs = [ "${address}/32" ];
+              inherit publicKey;
+            })
+            (lib.attrValues
+              (lib.filterAttrs
+                (n: v: n != config.networking.hostName)
+                peers))
+        else [
           {
             allowedIPs = [ "10.80.0.0/24" ];
-          publicKey = "UyZRAVTIc/RMs/J+591wrA8lHU0e8dwDJJwcpRb3xQA=";
+            publicKey = peers."${serverHostName}".publicKey;
-          endpoint = "87.140.16.73:51820"; # IPv6 is tunneled so legacy is preferred
+            endpoint = "${serverHostName}.sbruder.de:51820";
             persistentKeepalive = 25;
           }
         ];
     };
 
-    networking.firewall.trustedInterfaces = [ "wg-home" ];
+    networking.firewall = {
+      trustedInterfaces = [ "wg-home" ];
+      allowedUDPPorts = lib.optional enableServer 51820;
+    };
+
+    boot.kernel.sysctl = lib.optionalAttrs enableServer {
+      "net.ipv4.ip_forward" = 1;
+    };
   };
 }