From bd8b1c564e2fcd1e91d952f8d76fabbf5555a81c Mon Sep 17 00:00:00 2001
From: Thierry Pouplier <thierrypouplier@gmail.com>
Date: Mon, 15 Jun 2026 10:55:40 -0400
Subject: [PATCH] feat: add reusable wireguard-client NixOS module
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- modules/nixos/services/wireguard-client.nix — optional module under
  gortium.wireguard-client namespace with enable, vpnIp, privateKeyFile,
  and presharedKeyFile options
- Added to lazyworkhorse, cyt-pi, and uconsoleBaseModules (covers both
  uconsole-cm5 toplevel and SD image)
- Migrated lazyworkhorse from inline networking.wireguard to module
- Split-tunnel: allowedIPs = [ "10.8.0.0/24" ]

Usage in a host config:
  gortium.wireguard-client = {
    enable = true;
    vpnIp = "10.8.0.X/24";
    privateKeyFile = config.age.secrets.wireguard_private_key.path;
    presharedKeyFile = config.age.secrets.wireguard_preshared_key.path;
  };
---
 flake.nix                                   |  3 ++
 hosts/lazyworkhorse/configuration.nix       | 24 +++------
 modules/nixos/services/wireguard-client.nix | 54 +++++++++++++++++++++
 3 files changed, 63 insertions(+), 18 deletions(-)
 create mode 100644 modules/nixos/services/wireguard-client.nix

diff --git a/flake.nix b/flake.nix
index 964f0b1..6cf5394 100644
--- a/flake.nix
+++ b/flake.nix
@@ -112,6 +112,7 @@
         agenix.nixosModules.default
         ./hosts/uconsole-cm5/configuration.nix
         ./hosts/uconsole-cm5/hardware-configuration.nix
+        ./modules/nixos/services/wireguard-client.nix
         ./users/gortium/gortium.nix
         ./users/ai-worker/ai-worker.nix
       ];
@@ -133,6 +134,7 @@
             ./hosts/lazyworkhorse/hardware-configuration.nix
             ./modules/nixos/filesystem/hoardingcow-mount.nix
             ./modules/nixos/services/docker_manager.nix
+            ./modules/nixos/services/wireguard-client.nix
             ./modules/nixos/services/ollama_init_custom_models.nix
             ./modules/nixos/security/ai-worker-restricted.nix
             ./users/gortium/gortium.nix
@@ -151,6 +153,7 @@
             }
             ./hosts/cyt-pi/configuration.nix
             ./hosts/cyt-pi/hardware-configuration.nix
+            ./modules/nixos/services/wireguard-client.nix
             ./users/gortium/gortium.nix
           ];
         };
diff --git a/hosts/lazyworkhorse/configuration.nix b/hosts/lazyworkhorse/configuration.nix
index fe7737a..a5e61e2 100644
--- a/hosts/lazyworkhorse/configuration.nix
+++ b/hosts/lazyworkhorse/configuration.nix
@@ -49,24 +49,12 @@
   networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
   networking.hostId = "deadbeef";
 
-  # WireGuard VPN client -- always up, connects to wg-easy server
-  # Create age-encrypted secrets before deploying (run on the host):
-  #   echo -n "<private_key>" | agenix -e secrets/wireguard_private_key.age
-  #   echo -n "<preshared_key>" | agenix -e secrets/wireguard_preshared_key.age
-  networking.wireguard.interfaces = {
-    wg0 = {
-      ips = [ "10.8.0.3/24" ];
-      privateKeyFile = config.age.secrets.wireguard_private_key.path;
-      peers = [
-        {
-          publicKey = "rY9zII3AOm8rog2rv02PyA3Bq7zdvTOGkZapfCV1DkE=";
-          presharedKeyFile = config.age.secrets.wireguard_preshared_key.path;
-          allowedIPs = [ "10.8.0.0/24" ];
-          endpoint = "vpn.lazyworkhorse.net:51820";
-          persistentKeepalive = 25;
-        }
-      ];
-    };
+  # WireGuard VPN client -- module, always up, connects to wg-easy server
+  gortium.wireguard-client = {
+    enable = true;
+    vpnIp = "10.8.0.3/24";
+    privateKeyFile = config.age.secrets.wireguard_private_key.path;
+    presharedKeyFile = config.age.secrets.wireguard_preshared_key.path;
   };
 
   # Set your time zone.
diff --git a/modules/nixos/services/wireguard-client.nix b/modules/nixos/services/wireguard-client.nix
new file mode 100644
index 0000000..0ed3951
--- /dev/null
+++ b/modules/nixos/services/wireguard-client.nix
@@ -0,0 +1,54 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.gortium.wireguard-client;
+in
+{
+  ##### Options #####
+  options.gortium.wireguard-client = {
+    enable = mkEnableOption "WireGuard VPN client to lazyworkhorse VPN server";
+
+    vpnIp = mkOption {
+      type = types.str;
+      description = "Assigned VPN IP with CIDR, e.g. \"10.8.0.4/24\"";
+      example = "10.8.0.4/24";
+    };
+
+    privateKeyFile = mkOption {
+      type = types.path;
+      description = "Path to the WireGuard private key (age-encrypted, via agenix)";
+    };
+
+    presharedKeyFile = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      description = "Path to the WireGuard preshared key (optional, age-encrypted)";
+    };
+  };
+
+  ##### Config #####
+  config = mkIf cfg.enable {
+    networking.wireguard.interfaces = {
+      wg0 = {
+        ips = [ cfg.vpnIp ];
+        privateKeyFile = cfg.privateKeyFile;
+
+        peers = [
+          {
+            # Server public key (lazyworkhorse wg-easy)
+            publicKey = "rY9zII3AOm8rog2rv02PyA3Bq7zdvTOGkZapfCV1DkE=";
+            presharedKeyFile = cfg.presharedKeyFile;
+            # Split-tunnel: only route the VPN subnet
+            allowedIPs = [ "10.8.0.0/24" ];
+            endpoint = "vpn.lazyworkhorse.net:51820";
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
+
+    environment.systemPackages = with pkgs; [ wireguard-tools ];
+  };
+}