gortium/infra
1
1
Fork 0
Code Issues 13 Pull Requests 21 Actions Packages Projects 1 Releases Wiki Activity

feat: add reusable wireguard-client NixOS module

Browse Source 
- modules/nixos/services/wireguard-client.nix — optional module under
  gortium.wireguard-client namespace with enable, vpnIp, privateKeyFile,
  and presharedKeyFile options
- Added to lazyworkhorse, cyt-pi, and uconsoleBaseModules (covers both
  uconsole-cm5 toplevel and SD image)
- Migrated lazyworkhorse from inline networking.wireguard to module
- Split-tunnel: allowedIPs = [ "10.8.0.0/24" ]

Usage in a host config:
  gortium.wireguard-client = {
    enable = true;
    vpnIp = "10.8.0.X/24";
    privateKeyFile = config.age.secrets.wireguard_private_key.path;
    presharedKeyFile = config.age.secrets.wireguard_preshared_key.path;
  };
This commit is contained in:
Thierry Pouplier
2026-06-15 10:55:40 -04:00
committed by Hermes
parent bd283de350
commit bd8b1c564e
3 changed files with 63 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
flake.nix
View File

@@ -112,6 +112,7 @@
agenix.nixosModules.default agenix.nixosModules.default
./hosts/uconsole-cm5/configuration.nix ./hosts/uconsole-cm5/configuration.nix
./hosts/uconsole-cm5/hardware-configuration.nix ./hosts/uconsole-cm5/hardware-configuration.nix
./modules/nixos/services/wireguard-client.nix
./users/gortium/gortium.nix ./users/gortium/gortium.nix
./users/ai-worker/ai-worker.nix ./users/ai-worker/ai-worker.nix
]; ];
@@ -133,6 +134,7 @@
./hosts/lazyworkhorse/hardware-configuration.nix ./hosts/lazyworkhorse/hardware-configuration.nix
./modules/nixos/filesystem/hoardingcow-mount.nix ./modules/nixos/filesystem/hoardingcow-mount.nix
./modules/nixos/services/docker_manager.nix ./modules/nixos/services/docker_manager.nix
./modules/nixos/services/wireguard-client.nix
./modules/nixos/services/ollama_init_custom_models.nix ./modules/nixos/services/ollama_init_custom_models.nix
./modules/nixos/security/ai-worker-restricted.nix ./modules/nixos/security/ai-worker-restricted.nix
./users/gortium/gortium.nix ./users/gortium/gortium.nix
@@ -151,6 +153,7 @@
} }
./hosts/cyt-pi/configuration.nix ./hosts/cyt-pi/configuration.nix
./hosts/cyt-pi/hardware-configuration.nix ./hosts/cyt-pi/hardware-configuration.nix
./modules/nixos/services/wireguard-client.nix
./users/gortium/gortium.nix ./users/gortium/gortium.nix
]; ];
}; };

20
hosts/lazyworkhorse/configuration.nix
View File

@@ -49,24 +49,12 @@
networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
networking.hostId = "deadbeef"; networking.hostId = "deadbeef";
# WireGuard VPN client -- always up, connects to wg-easy server # WireGuard VPN client -- module, always up, connects to wg-easy server
# Create age-encrypted secrets before deploying (run on the host): gortium.wireguard-client = {
# echo -n "<private_key>" | agenix -e secrets/wireguard_private_key.age enable = true;
# echo -n "<preshared_key>" | agenix -e secrets/wireguard_preshared_key.age vpnIp = "10.8.0.3/24";
networking.wireguard.interfaces = {
wg0 = {
ips = [ "10.8.0.3/24" ];
privateKeyFile = config.age.secrets.wireguard_private_key.path; privateKeyFile = config.age.secrets.wireguard_private_key.path;
peers = [
{
publicKey = "rY9zII3AOm8rog2rv02PyA3Bq7zdvTOGkZapfCV1DkE=";
presharedKeyFile = config.age.secrets.wireguard_preshared_key.path; presharedKeyFile = config.age.secrets.wireguard_preshared_key.path;
allowedIPs = [ "10.8.0.0/24" ];
endpoint = "vpn.lazyworkhorse.net:51820";
persistentKeepalive = 25;
}
];
};
}; };
# Set your time zone. # Set your time zone.

54
modules/nixos/services/wireguard-client.nix Normal file
View File

@@ -0,0 +1,54 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.gortium.wireguard-client;
in
{
##### Options #####
options.gortium.wireguard-client = {
enable = mkEnableOption "WireGuard VPN client to lazyworkhorse VPN server";
vpnIp = mkOption {
type = types.str;
description = "Assigned VPN IP with CIDR, e.g. \"10.8.0.4/24\"";
example = "10.8.0.4/24";
};
privateKeyFile = mkOption {
type = types.path;
description = "Path to the WireGuard private key (age-encrypted, via agenix)";
};
presharedKeyFile = mkOption {
type = types.nullOr types.path;
default = null;
description = "Path to the WireGuard preshared key (optional, age-encrypted)";
};
};
##### Config #####
config = mkIf cfg.enable {
networking.wireguard.interfaces = {
wg0 = {
ips = [ cfg.vpnIp ];
privateKeyFile = cfg.privateKeyFile;
peers = [
{
# Server public key (lazyworkhorse wg-easy)
publicKey = "rY9zII3AOm8rog2rv02PyA3Bq7zdvTOGkZapfCV1DkE=";
presharedKeyFile = cfg.presharedKeyFile;
# Split-tunnel: only route the VPN subnet
allowedIPs = [ "10.8.0.0/24" ];
endpoint = "vpn.lazyworkhorse.net:51820";
persistentKeepalive = 25;
}
];
};
};
environment.systemPackages = with pkgs; [ wireguard-tools ];
};
}