infra/modules/nixos/services/wireguard-client.nix

{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.gortium.wireguard-client;
in
{
  ##### Options #####
  options.gortium.wireguard-client = {
    enable = mkEnableOption "WireGuard VPN client to lazyworkhorse VPN server";

    vpnIp = mkOption {
      type = types.str;
      description = "Assigned VPN IP with CIDR, e.g. \"10.8.0.4/24\"";
      example = "10.8.0.4/24";
    };

    privateKeyFile = mkOption {
      type = types.path;
      description = "Path to the WireGuard private key (age-encrypted, via agenix)";
    };

    presharedKeyFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = "Path to the WireGuard preshared key (optional, age-encrypted)";
    };
  };

  ##### Config #####
  config = mkIf cfg.enable {
    networking.wireguard.interfaces = {
      wg0 = {
        ips = [ cfg.vpnIp ];
        privateKeyFile = cfg.privateKeyFile;

        peers = [
          {
            # Server public key (lazyworkhorse wg-easy)
            publicKey = "rY9zII3AOm8rog2rv02PyA3Bq7zdvTOGkZapfCV1DkE=";
            presharedKeyFile = cfg.presharedKeyFile;
            # Split-tunnel: only route the VPN subnet
            allowedIPs = [ "10.8.0.0/24" ];
            endpoint = "vpn.lazyworkhorse.net:51820";
            persistentKeepalive = 25;
          }
        ];
      };
    };

    environment.systemPackages = with pkgs; [ wireguard-tools ];
  };
}
feat: add reusable wireguard-client NixOS module - modules/nixos/services/wireguard-client.nix — optional module under gortium.wireguard-client namespace with enable, vpnIp, privateKeyFile, and presharedKeyFile options - Added to lazyworkhorse, cyt-pi, and uconsoleBaseModules (covers both uconsole-cm5 toplevel and SD image) - Migrated lazyworkhorse from inline networking.wireguard to module - Split-tunnel: allowedIPs = [ "10.8.0.0/24" ] Usage in a host config: gortium.wireguard-client = { enable = true; vpnIp = "10.8.0.X/24"; privateKeyFile = config.age.secrets.wireguard_private_key.path; presharedKeyFile = config.age.secrets.wireguard_preshared_key.path; }; 2026-06-15 10:55:40 -04:00			`{ config, lib, pkgs, ... }:`

			`with lib;`

			`let`
			`cfg = config.gortium.wireguard-client;`
			`in`
			`{`
			`##### Options #####`
			`options.gortium.wireguard-client = {`
			`enable = mkEnableOption "WireGuard VPN client to lazyworkhorse VPN server";`

			`vpnIp = mkOption {`
			`type = types.str;`
			`description = "Assigned VPN IP with CIDR, e.g. \"10.8.0.4/24\"";`
			`example = "10.8.0.4/24";`
			`};`

			`privateKeyFile = mkOption {`
			`type = types.path;`
			`description = "Path to the WireGuard private key (age-encrypted, via agenix)";`
			`};`

			`presharedKeyFile = mkOption {`
			`type = types.nullOr types.path;`
			`default = null;`
			`description = "Path to the WireGuard preshared key (optional, age-encrypted)";`
			`};`
			`};`

			`##### Config #####`
			`config = mkIf cfg.enable {`
			`networking.wireguard.interfaces = {`
			`wg0 = {`
			`ips = [ cfg.vpnIp ];`
			`privateKeyFile = cfg.privateKeyFile;`

			`peers = [`
			`{`
			`# Server public key (lazyworkhorse wg-easy)`
			`publicKey = "rY9zII3AOm8rog2rv02PyA3Bq7zdvTOGkZapfCV1DkE=";`
			`presharedKeyFile = cfg.presharedKeyFile;`
			`# Split-tunnel: only route the VPN subnet`
			`allowedIPs = [ "10.8.0.0/24" ];`
			`endpoint = "vpn.lazyworkhorse.net:51820";`
			`persistentKeepalive = 25;`
			`}`
			`];`
			`};`
			`};`

			`environment.systemPackages = with pkgs; [ wireguard-tools ];`
			`};`
			`}`