Refactor the clients

2025-10-18 14:26:06 +02:00 · 2025-10-18 14:26:06 +02:00 · b6714ee64f
commit b6714ee64f
parent 195a5e1540
4 changed files with 85 additions and 80 deletions
--- a/modules/servermodules/wireguard/wireguard-server.nix
+++ b/modules/servermodules/wireguard/wireguard-server.nix
@ -1,58 +1,68 @@
 let
  allowedIPs = [ "10.100.0.1/24" ];
  port = 51820;
  publicIp = "37.27.207.39";
 in
 {
-  pkgs,
+  serverModule =
-  config,
+    {
-  ...
+      pkgs,
-}:
+      config,
-{
+      ...
-  # enable NAT
+    }:
-  networking.nat.enable = true;
+    {
-  networking.nat.externalInterface = "eth0";
+      # enable NAT
-  networking.nat.internalInterfaces = [ "wg0" ];
+      networking.nat.enable = true;
-  networking.firewall = {
+      networking.nat.externalInterface = "eth0";
-    allowedUDPPorts = [ 51820 ];
+      networking.nat.internalInterfaces = [ "wg0" ];
-  };
+      networking.firewall = {
        allowedUDPPorts = [ port ];
      };
-  age.secrets.wg-selene = {
+      age.secrets.wg-selene = {
-    file = ../../../keys/wg-selene;
+        file = ../../../keys/wg-selene;
-    owner = "selene";
+        owner = "selene";
-  };
+      };
-  networking.wireguard.interfaces = {
+      networking.wireguard.interfaces = {
-    # "wg0" is the network interface name. You can name the interface arbitrarily.
+        # "wg0" is the network interface name. You can name the interface arbitrarily.
-    wg0 = {
+        wg0 = {
-      # Determines the IP address and subnet of the server's end of the tunnel interface.
+          # Determines the IP address and subnet of the server's end of the tunnel interface.
-      ips = [ "10.100.0.1/24" ];
+          ips = allowedIPs;
-      # The port that WireGuard listens to. Must be accessible by the client.
+          # The port that WireGuard listens to. Must be accessible by the client.
-      listenPort = 51820;
+          listenPort = port;
-      # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+          # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
-      # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+          # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
-      # postSetup = ''
+          # postSetup = ''
-      #   ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+          #   ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
-      # '';
+          # '';
-      # # This undoes the above command
+          # # This undoes the above command
-      # postShutdown = ''
+          # postShutdown = ''
-      #   ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+          #   ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
-      # '';
+          # '';
-      # Path to the private key file.
+          # Path to the private key file.
-      #
+          #
-      # Note: The private key can also be included inline via the privateKey option,
+          # Note: The private key can also be included inline via the privateKey option,
-      # but this makes the private key world-readable; thus, using privateKeyFile is
+          # but this makes the private key world-readable; thus, using privateKeyFile is
-      # recommended.
+          # recommended.
-      privateKeyFile = config.age.secrets.wg-selene.path;
+          privateKeyFile = config.age.secrets.wg-selene.path;
-      peers = [
+          peers = [
-        # List of allowed peers.
+            # List of allowed peers.
-        { # Feel free to give a meaningful name
+            (import ../../systems/macbook/wireguard.nix).peerConfig
-          # Public key of the peer (not a file path).
+          ];
-          publicKey = (builtins.readFile ../../../keys/wg-macbook.pub);
+        };
-          # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+      };
          allowedIPs = [ "10.100.0.2/32" ];
        }
      ];
    };
  infoForClients = {
    endpoint = "${publicIp}:${builtins.toString port}";
    allowedIPs = allowedIPs;
    publicKey = builtins.readFile ../../../keys/wg-selene.pub;
    persistentKeepalive = 25;
  };
 }
--- a/systems/macbook/macbook.nix
+++ b/systems/macbook/macbook.nix
@ -12,7 +12,7 @@ nix-darwin.lib.darwinSystem {
    (import ../../modules/usermodules/darwinsettings.nix self)
    home-manager.darwinModules.home-manager
    ./users.nix
-    ./wireguard.nix
+    (import ./wireguard.nix).systemModule
  ];
  specialArgs = {
--- a/systems/macbook/wireguard.nix
+++ b/systems/macbook/wireguard.nix
@ -1,37 +1,32 @@
-{ config, ... }:
+let 
  ip = "10.100.0.2/32";
  publicKey = (builtins.readFile ../../keys/wg-macbook.pub);
 in
 {
-  age.secrets.wg-private.file = ../../keys/wg-macbook;
+  systemModule = { config, ... }: {
-  networking.wg-quick.interfaces.wg-selene = {
+    age.secrets.wg-private.file = ../../keys/wg-macbook;
-    privateKeyFile = config.age.secrets.wg-private.path;
+    networking.wg-quick.interfaces.wg-selene = {
      privateKeyFile = config.age.secrets.wg-private.path;
-    # The internal IP address assigned to this client by the server.
+      # The internal IP address assigned to this client by the server.
-    # The /24 subnet mask is important for knowing the VPN's local network.
+      # The /24 subnet mask is important for knowing the VPN's local network.
-    address = [ "10.100.0.2/32" ];
+      address = [ ip ];
-    # DNS server(s) to use when the tunnel is active.
+      # DNS server(s) to use when the tunnel is active.
-    # This is critical for resolving hostnames when all traffic is routed.
+      # This is critical for resolving hostnames when all traffic is routed.
-    dns = [
+      dns = [
-      "1.1.1.1"
+        "1.1.1.1"
-      "1.0.0.1"
+        "1.0.0.1"
-    ]; # Cloudflare DNS, or use your preferred one like 8.8.8.8
+      ]; # Cloudflare DNS, or use your preferred one like 8.8.8.8
-    peers = [
+      peers = [
-      {
+        (import ../../modules/servermodules/wireguard/wireguard-server.nix).infoForClients
-        # Public key of the SERVER.
+      ];
-        publicKey = builtins.readFile ../../keys/wg-selene.pub;
+    };
  };
-        # The server's public IP address and listening port.
+  peerConfig = {
-        endpoint = "37.27.207.39:51820";
+    publicKey = publicKey;
-
+    allowedIPs = [ip];
        # This is the most important part for a "VPN" setup.
        # 0.0.0.0/0 tells your Mac to route all IPv4 traffic through the tunnel.
        # Add "::/0" if your server and network support IPv6.
        allowedIPs = [ "10.100.0.1/24" ];
        # Optional but highly recommended for clients behind NAT.
        # It sends a packet every 25 seconds to keep the connection open.
        persistentKeepalive = 25;
      }
    ];
  };
 }
--- a/systems/selene/system.nix
+++ b/systems/selene/system.nix
@ -17,7 +17,7 @@ nixpkgs.lib.nixosSystem {
    (import ../../modules/servermodules/nginx.nix "maxiemgeldhof.com")
    ../../modules/servermodules/grafana/grafana.nix
    ../../modules/servermodules/jellyfin/jellyfin.nix
-    ../../modules/servermodules/wireguard/wireguard-server.nix
+    (import ../../modules/servermodules/wireguard/wireguard-server.nix).serverModule
    ./volumes.nix
    agenix.nixosModules.default
  ];