Refactor the clients

2025-10-18 14:26:06 +02:00 · 2025-10-18 14:26:06 +02:00 · b6714ee64f
commit b6714ee64f
parent 195a5e1540
4 changed files with 85 additions and 80 deletions
--- a/systems/macbook/macbook.nix
+++ b/systems/macbook/macbook.nix
@ -12,7 +12,7 @@ nix-darwin.lib.darwinSystem {
    (import ../../modules/usermodules/darwinsettings.nix self)
    home-manager.darwinModules.home-manager
    ./users.nix
-    ./wireguard.nix
+    (import ./wireguard.nix).systemModule
  ];

  specialArgs = {
--- a/systems/macbook/wireguard.nix
+++ b/systems/macbook/wireguard.nix
@ -1,37 +1,32 @@
-{ config, ... }:
+let 
+  ip = "10.100.0.2/32";
+  publicKey = (builtins.readFile ../../keys/wg-macbook.pub);
+in
 {
-  age.secrets.wg-private.file = ../../keys/wg-macbook;
-  networking.wg-quick.interfaces.wg-selene = {
-    privateKeyFile = config.age.secrets.wg-private.path;
+  systemModule = { config, ... }: {
+    age.secrets.wg-private.file = ../../keys/wg-macbook;
+    networking.wg-quick.interfaces.wg-selene = {
+      privateKeyFile = config.age.secrets.wg-private.path;

-    # The internal IP address assigned to this client by the server.
-    # The /24 subnet mask is important for knowing the VPN's local network.
-    address = [ "10.100.0.2/32" ];
+      # The internal IP address assigned to this client by the server.
+      # The /24 subnet mask is important for knowing the VPN's local network.
+      address = [ ip ];

-    # DNS server(s) to use when the tunnel is active.
-    # This is critical for resolving hostnames when all traffic is routed.
-    dns = [
-      "1.1.1.1"
-      "1.0.0.1"
-    ]; # Cloudflare DNS, or use your preferred one like 8.8.8.8
+      # DNS server(s) to use when the tunnel is active.
+      # This is critical for resolving hostnames when all traffic is routed.
+      dns = [
+        "1.1.1.1"
+        "1.0.0.1"
+      ]; # Cloudflare DNS, or use your preferred one like 8.8.8.8

-    peers = [
-      {
-        # Public key of the SERVER.
-        publicKey = builtins.readFile ../../keys/wg-selene.pub;
+      peers = [
+        (import ../../modules/servermodules/wireguard/wireguard-server.nix).infoForClients
+      ];
+    };
+  };

-        # The server's public IP address and listening port.
-        endpoint = "37.27.207.39:51820";
-
-        # This is the most important part for a "VPN" setup.
-        # 0.0.0.0/0 tells your Mac to route all IPv4 traffic through the tunnel.
-        # Add "::/0" if your server and network support IPv6.
-        allowedIPs = [ "10.100.0.1/24" ];
-
-        # Optional but highly recommended for clients behind NAT.
-        # It sends a packet every 25 seconds to keep the connection open.
-        persistentKeepalive = 25;
-      }
-    ];
+  peerConfig = {
+    publicKey = publicKey;
+    allowedIPs = [ip];
  };
 }